author | Ariadne Conill <ariadne@dereferenced.org> | 2021-07-01 17:18:31 -0600 |
---|---|---|
committer | Ariadne Conill <ariadne@dereferenced.org> | 2021-07-01 17:18:47 -0600 |
commit | 194e42bfe62c80ce34ef3180c0f10b3c6eac3e65 (patch) | |
tree | 6161b8acb7e65f76e772da7c682e559d7057f1f4 | |
parent | cd4179a946fc12de62b71d92b067455a8dc34aef (diff) |
community/csync2: add mitigations for CVE-2019-15522 and CVE-2019-15523
-rw-r--r-- | community/csync2/APKBUILD | 21 | ||||
-rw-r--r-- | community/csync2/CVE-2019-15522.patch | 21 | ||||
-rw-r--r-- | community/csync2/CVE-2019-15523.patch | 101 |
3 files changed, 138 insertions, 5 deletions
diff --git a/community/csync2/APKBUILD b/community/csync2/APKBUILD
index c012b1b5ba9..1f965155b99 100644
--- a/community/csync2/APKBUILD
+++ b/community/csync2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Jakub Jirutka <jakub@jirutka.cz>
 pkgname=csync2
 pkgver=2.0
-pkgrel=2
+pkgrel=3
 pkgdesc="Cluster synchronization tool"
 url="http://oss.linbit.com/csync2/"
 arch="all"
@@ -13,9 +13,16 @@ depends="bash"
 subpackages="$pkgname-doc $pkgname-openrc"
 source="https://github.com/LINBIT/$pkgname/archive/$pkgname-$pkgver.tar.gz
 $pkgname.initd
- fix-build-ppc64le.patch"
+ fix-build-ppc64le.patch
+ CVE-2019-15522.patch
+ CVE-2019-15523.patch"
 builddir="$srcdir/$pkgname-$pkgname-$pkgver"
 
+# secfixes:
+# 2.0-r3:
+# - CVE-2019-15522
+# - CVE-2019-15523
+
 prepare() {
 default_prepare
 
@@ -38,10 +45,14 @@ build() {
 
 package() {
 cd "$builddir"
- make DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" -j1 install
 install -m 755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
 }
 
-sha512sums="7555e2d958d6213e29cfa8b3b7415eea9a9868036865c519d724ae404006d913fba4aeeb61a916d3fc95669a6ca12160d4f52dc7d15bd59403e8a7de50ee8094 csync2-2.0.tar.gz
+sha512sums="
+7555e2d958d6213e29cfa8b3b7415eea9a9868036865c519d724ae404006d913fba4aeeb61a916d3fc95669a6ca12160d4f52dc7d15bd59403e8a7de50ee8094 csync2-2.0.tar.gz
 e2df7f2993781709dadd0ce24bc31e16259382c8b3c432c47c3790f78b37124d38fb5036e87a06747538d864fdf68b8984bf2d4bce09158cddd58c10f4411d9f csync2.initd
-4566ba1139615e5011c881e670d8976d3b5226e27521fd6ced126a5a3687683c145931fa89a9b6b0ab967f982bf778c33148e6c9f7ee29ef5154593ae02efb2a fix-build-ppc64le.patch"
+4566ba1139615e5011c881e670d8976d3b5226e27521fd6ced126a5a3687683c145931fa89a9b6b0ab967f982bf778c33148e6c9f7ee29ef5154593ae02efb2a fix-build-ppc64le.patch
+f36e46630e39bfae536884bfa0c4f585b3b93e4b7fd9d1c134f5b777ff10609378a47bbd4db96b6eed9c985fab8482781db5d3a0481e7e2f7e086a74f34a204b CVE-2019-15522.patch
+a2b26fcb8f76451b898b2e6858ca5b6b93a16d54d188f75eac18d84b4f226fb0e4ade77c1c338f012a4e573e3bbd4ec88f0dd1dde78504237dca5d7806774288 CVE-2019-15523.patch
+"
diff --git a/community/csync2/CVE-2019-15522.patch b/community/csync2/CVE-2019-15522.patch
new file mode 100644
index 00000000000..b608a897e10
--- /dev/null
+++ b/community/csync2/CVE-2019-15522.patch
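Review bot: The `-j1` added to `make DESTDIR="$pkgdir" -j1 install` in package() carries no comment saying why the install target must run serially, so a later maintainer has no way to tell whether it is still needed or can be dropped. Presumably the upstream install target is not parallel-safe, but nothing in this hunk shows that; a one-line comment above the call such as `# install target is not safe to run in parallel (see <build failure reference>)` would preserve the reason. The new sha512sums entries and the secfixes block otherwise agree with the two patch files added to source= in the hunk above.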
@@ -0,0 +1,21 @@
+From 416f1de878ef97e27e27508914f7ba8599a0be22 Mon Sep 17 00:00:00 2001
+From: Malte Kraus <malte.kraus@suse.com>
+Date: Tue, 13 Aug 2019 11:25:57 +0200
+Subject: [PATCH] fail HELLO command when SSL is required
+
+---
+ daemon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemon.c b/daemon.c
+index 2d8407d..2a1a8af 100644
+--- a/daemon.c
++++ b/daemon.c
+@@ -747,6 +747,7 @@ void csync_daemon_session()
+ goto conn_without_ssl_ok;
+ }
+ cmd_error = conn_response(CR_ERR_SSL_EXPECTED);
++ peer = NULL;
+ }
+ conn_without_ssl_ok:;
+ #endif
diff --git a/community/csync2/CVE-2019-15523.patch b/community/csync2/CVE-2019-15523.patch
new file mode 100644
index 00000000000..575bee0dafa
--- /dev/null
+++ b/community/csync2/CVE-2019-15523.patch
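Review bot: The added `peer = NULL;` after `conn_response(CR_ERR_SSL_EXPECTED)` is the whole mitigation, yet nothing in the hunk records what it protects against; a reader sees only an error response followed by the session continuing past `conn_without_ssl_ok:`. A comment such as `/* CVE-2019-15522: SSL was required but not negotiated; clear the peer identity so the rest of the session treats this connection as unauthenticated */` would preserve the intent — assuming that is how the remainder of csync_daemon_session consumes `peer`, which lies outside the hunk. Because the connection itself is not closed here, it is also worth confirming outside this hunk that every later command path checks `peer` and not only the HELLO handler.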
@@ -0,0 +1,101 @@
+From 92742544a56bcbcd9ec99ca15f898b31797e39e2 Mon Sep 17 00:00:00 2001
+From: Malte Kraus <malte.kraus@suse.com>
+Date: Tue, 13 Aug 2019 13:36:26 +0200
+Subject: [PATCH] repeat gnutls_handshake() call in case of warnings
+
+that's what the semantics of this call require
+---
+ conn.c | 71 ++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 39 insertions(+), 32 deletions(-)
+
+diff --git a/conn.c b/conn.c
+index be26f72..c013860 100644
+--- a/conn.c
++++ b/conn.c
+@@ -276,6 +276,7 @@ int conn_activate_ssl(int server_role)
+ char *ssl_keyfile;
+ char *ssl_certfile;
+ int err;
++ int handshake_repeat = 0;
+ 
+ if (csync_conn_usessl)
+ return 0;
+@@ -333,40 +334,46 @@ int conn_activate_ssl(int server_role)
+ (gnutls_transport_ptr_t)(long)conn_fd_out
+ );
+ 
+- err = gnutls_handshake(conn_tls_session);
+- switch(err) {
+- case GNUTLS_E_SUCCESS:
+- break;
+-
+- case GNUTLS_E_WARNING_ALERT_RECEIVED:
+- alrt = gnutls_alert_get(conn_tls_session);
+- fprintf(
+- csync_debug_out,
+- "SSL: warning alert received from peer: %d (%s).\n",
+- alrt, gnutls_alert_get_name(alrt)
+- );
+- break;
+-
+- case GNUTLS_E_FATAL_ALERT_RECEIVED:
+- alrt = gnutls_alert_get(conn_tls_session);
+- fprintf(
+- csync_debug_out,
+- "SSL: fatal alert received from peer: %d (%s).\n",
+- alrt, gnutls_alert_get_name(alrt)
+- );
+ 
+- default:
+- gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
+- gnutls_deinit(conn_tls_session);
+- gnutls_certificate_free_credentials(conn_x509_cred);
+- gnutls_global_deinit();
++ do {
++ handshake_repeat = 0;
++ err = gnutls_handshake(conn_tls_session);
++ switch(err) {
++ case GNUTLS_E_SUCCESS:
++ break;
+ 
+- csync_fatal(
+- "SSL: handshake failed: %s (%s)\n",
+- gnutls_strerror(err),
+- gnutls_strerror_name(err)
+- );
+- }
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ alrt = gnutls_alert_get(conn_tls_session);
++ fprintf(
++ csync_debug_out,
++ "SSL: warning alert received from peer: %d (%s).\n",
++ alrt, gnutls_alert_get_name(alrt)
++ );
++ handshake_repeat = 1;
++ break;
++
++ case GNUTLS_E_FATAL_ALERT_RECEIVED:
++ alrt = gnutls_alert_get(conn_tls_session);
++ fprintf(
++ csync_debug_out,
++ "SSL: fatal alert received from peer: %d (%s).\n",
++ alrt, gnutls_alert_get_name(alrt)
++ );
++ // fall-through!
++
++ default:
++ gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
++ gnutls_deinit(conn_tls_session);
++ gnutls_certificate_free_credentials(conn_x509_cred);
++ gnutls_global_deinit();
++
++ csync_fatal(
++ "SSL: handshake failed: %s (%s)\n",
++ gnutls_strerror(err),
++ gnutls_strerror_name(err)
++ );
++ }
++ } while (handshake_repeat);
+ 
+ csync_conn_usessl = 1;
+ |
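Review bot: The new `do { … } while (handshake_repeat);` loop around gnutls_handshake() has no upper bound: the `GNUTLS_E_WARNING_ALERT_RECEIVED` case unconditionally sets `handshake_repeat = 1`, and GnuTLS returns that code once per warning alert the peer delivers, so a remote peer that keeps sending warning alerts can hold this process in the handshake loop indefinitely before any certificate check has completed. Counting the warnings and routing into the existing fatal/cleanup path once a small limit is exceeded bounds the work per connection while keeping the retry semantics the fix needs. The declaration `int handshake_repeat = 0;` in the first hunk would gain a companion counter and the warning case would change roughly as below (the limit of 8 is a constructed example value); conn_activate_ssl itself starts and ends outside both hunks.
```c
	int handshake_repeat = 0;
	int handshake_warnings = 0;	/* bounds the warning-alert retry loop */
	/* … unchanged: credential setup and transport binding … */
		case GNUTLS_E_WARNING_ALERT_RECEIVED:
			alrt = gnutls_alert_get(conn_tls_session);
			fprintf(
				csync_debug_out,
				"SSL: warning alert received from peer: %d (%s).\n",
				alrt, gnutls_alert_get_name(alrt)
			);
			/* constructed limit; tune as appropriate */
			if (++handshake_warnings < 8) {
				handshake_repeat = 1;
				break;
			}
			fprintf(csync_debug_out,
				"SSL: too many warning alerts during handshake, giving up.\n");
			/* fall-through into the fatal cleanup path */
		case GNUTLS_E_FATAL_ALERT_RECEIVED:
		/* … unchanged: fatal alert logging, default: cleanup and csync_fatal … */
```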