authorAriadne Conill <ariadne@dereferenced.org>2021-07-01 17:18:31 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-07-01 17:18:47 -0600
commit194e42bfe62c80ce34ef3180c0f10b3c6eac3e65 (patch)
tree6161b8acb7e65f76e772da7c682e559d7057f1f4
parentcd4179a946fc12de62b71d92b067455a8dc34aef (diff)
community/csync2: add mitigations for CVE-2019-15522 and CVE-2019-15523
-rw-r--r--community/csync2/APKBUILD21
-rw-r--r--community/csync2/CVE-2019-15522.patch21
-rw-r--r--community/csync2/CVE-2019-15523.patch101
3 files changed, 138 insertions, 5 deletions
diff --git a/community/csync2/APKBUILD b/community/csync2/APKBUILD
index c012b1b5ba9..1f965155b99 100644
--- a/community/csync2/APKBUILD
+++ b/community/csync2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=csync2
pkgver=2.0
-pkgrel=2
+pkgrel=3
pkgdesc="Cluster synchronization tool"
url="http://oss.linbit.com/csync2/"
arch="all"
@@ -13,9 +13,16 @@ depends="bash"
subpackages="$pkgname-doc $pkgname-openrc"
source="https://github.com/LINBIT/$pkgname/archive/$pkgname-$pkgver.tar.gz
$pkgname.initd
- fix-build-ppc64le.patch"
+ fix-build-ppc64le.patch
+ CVE-2019-15522.patch
+ CVE-2019-15523.patch"
builddir="$srcdir/$pkgname-$pkgname-$pkgver"
+# secfixes:
+# 2.0-r3:
+# - CVE-2019-15522
+# - CVE-2019-15523
+
prepare() {
default_prepare
@@ -38,10 +45,14 @@ build() {
package() {
cd "$builddir"
- make DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" -j1 install
install -m 755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
}
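Review bot: The new `make DESTDIR="$pkgdir" -j1 install` line forces a serial install without saying why, so the next maintainer will not know whether it is safe to drop when the makefile is fixed. Presumably the install target races under parallel make, but that is not visible here; confirm it and record the reason on the line above it, e.g. `# install target is not parallel-safe, keep -j1`. If the real cause is one of the two added patches, name it in the comment so the workaround goes away with the patch.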
-sha512sums="7555e2d958d6213e29cfa8b3b7415eea9a9868036865c519d724ae404006d913fba4aeeb61a916d3fc95669a6ca12160d4f52dc7d15bd59403e8a7de50ee8094 csync2-2.0.tar.gz
+sha512sums="
+7555e2d958d6213e29cfa8b3b7415eea9a9868036865c519d724ae404006d913fba4aeeb61a916d3fc95669a6ca12160d4f52dc7d15bd59403e8a7de50ee8094 csync2-2.0.tar.gz
e2df7f2993781709dadd0ce24bc31e16259382c8b3c432c47c3790f78b37124d38fb5036e87a06747538d864fdf68b8984bf2d4bce09158cddd58c10f4411d9f csync2.initd
-4566ba1139615e5011c881e670d8976d3b5226e27521fd6ced126a5a3687683c145931fa89a9b6b0ab967f982bf778c33148e6c9f7ee29ef5154593ae02efb2a fix-build-ppc64le.patch"
+4566ba1139615e5011c881e670d8976d3b5226e27521fd6ced126a5a3687683c145931fa89a9b6b0ab967f982bf778c33148e6c9f7ee29ef5154593ae02efb2a fix-build-ppc64le.patch
+f36e46630e39bfae536884bfa0c4f585b3b93e4b7fd9d1c134f5b777ff10609378a47bbd4db96b6eed9c985fab8482781db5d3a0481e7e2f7e086a74f34a204b CVE-2019-15522.patch
+a2b26fcb8f76451b898b2e6858ca5b6b93a16d54d188f75eac18d84b4f226fb0e4ade77c1c338f012a4e573e3bbd4ec88f0dd1dde78504237dca5d7806774288 CVE-2019-15523.patch
+"
diff --git a/community/csync2/CVE-2019-15522.patch b/community/csync2/CVE-2019-15522.patch
new file mode 100644
index 00000000000..b608a897e10
--- /dev/null
+++ b/community/csync2/CVE-2019-15522.patch
@@ -0,0 +1,21 @@
+From 416f1de878ef97e27e27508914f7ba8599a0be22 Mon Sep 17 00:00:00 2001
+From: Malte Kraus <malte.kraus@suse.com>
+Date: Tue, 13 Aug 2019 11:25:57 +0200
+Subject: [PATCH] fail HELLO command when SSL is required
+
+---
+ daemon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemon.c b/daemon.c
+index 2d8407d..2a1a8af 100644
+--- a/daemon.c
++++ b/daemon.c
+@@ -747,6 +747,7 @@ void csync_daemon_session()
+ goto conn_without_ssl_ok;
+ }
+ cmd_error = conn_response(CR_ERR_SSL_EXPECTED);
++ peer = NULL;
+ }
+ conn_without_ssl_ok:;
+ #endif
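Review bot: The added `peer = NULL;` only mitigates CVE-2019-15522 if every command handler later in csync_daemon_session refuses to act while `peer` is NULL; that dispatch is outside the hunk, so it should be verified rather than assumed, and the intent recorded next to the assignment, e.g. `/* CVE-2019-15522: forget the peer so later commands fail identification instead of running without SSL */`. The `conn_response(CR_ERR_SSL_EXPECTED)` on the line before leaves the connection open and the read loop running, so a stricter mitigation would end the session right after the error response instead of relying on a sentinel that each handler must honour. csync_daemon_session starts and ends outside the hunk.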
diff --git a/community/csync2/CVE-2019-15523.patch b/community/csync2/CVE-2019-15523.patch
new file mode 100644
index 00000000000..575bee0dafa
--- /dev/null
+++ b/community/csync2/CVE-2019-15523.patch
@@ -0,0 +1,101 @@
+From 92742544a56bcbcd9ec99ca15f898b31797e39e2 Mon Sep 17 00:00:00 2001
+From: Malte Kraus <malte.kraus@suse.com>
+Date: Tue, 13 Aug 2019 13:36:26 +0200
+Subject: [PATCH] repeat gnutls_handshake() call in case of warnings
+
+that's what the semantics of this call require
+---
+ conn.c | 71 ++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 39 insertions(+), 32 deletions(-)
+
+diff --git a/conn.c b/conn.c
+index be26f72..c013860 100644
+--- a/conn.c
++++ b/conn.c
+@@ -276,6 +276,7 @@ int conn_activate_ssl(int server_role)
+ char *ssl_keyfile;
+ char *ssl_certfile;
+ int err;
++ int handshake_repeat = 0;
+
+ if (csync_conn_usessl)
+ return 0;
+@@ -333,40 +334,46 @@ int conn_activate_ssl(int server_role)
+ (gnutls_transport_ptr_t)(long)conn_fd_out
+ );
+
+- err = gnutls_handshake(conn_tls_session);
+- switch(err) {
+- case GNUTLS_E_SUCCESS:
+- break;
+-
+- case GNUTLS_E_WARNING_ALERT_RECEIVED:
+- alrt = gnutls_alert_get(conn_tls_session);
+- fprintf(
+- csync_debug_out,
+- "SSL: warning alert received from peer: %d (%s).\n",
+- alrt, gnutls_alert_get_name(alrt)
+- );
+- break;
+-
+- case GNUTLS_E_FATAL_ALERT_RECEIVED:
+- alrt = gnutls_alert_get(conn_tls_session);
+- fprintf(
+- csync_debug_out,
+- "SSL: fatal alert received from peer: %d (%s).\n",
+- alrt, gnutls_alert_get_name(alrt)
+- );
+
+- default:
+- gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
+- gnutls_deinit(conn_tls_session);
+- gnutls_certificate_free_credentials(conn_x509_cred);
+- gnutls_global_deinit();
++ do {
++ handshake_repeat = 0;
++ err = gnutls_handshake(conn_tls_session);
++ switch(err) {
++ case GNUTLS_E_SUCCESS:
++ break;
+
+- csync_fatal(
+- "SSL: handshake failed: %s (%s)\n",
+- gnutls_strerror(err),
+- gnutls_strerror_name(err)
+- );
+- }
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ alrt = gnutls_alert_get(conn_tls_session);
++ fprintf(
++ csync_debug_out,
++ "SSL: warning alert received from peer: %d (%s).\n",
++ alrt, gnutls_alert_get_name(alrt)
++ );
++ handshake_repeat = 1;
++ break;
++
++ case GNUTLS_E_FATAL_ALERT_RECEIVED:
++ alrt = gnutls_alert_get(conn_tls_session);
++ fprintf(
++ csync_debug_out,
++ "SSL: fatal alert received from peer: %d (%s).\n",
++ alrt, gnutls_alert_get_name(alrt)
++ );
++ // fall-through!
++
++ default:
++ gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
++ gnutls_deinit(conn_tls_session);
++ gnutls_certificate_free_credentials(conn_x509_cred);
++ gnutls_global_deinit();
++
++ csync_fatal(
++ "SSL: handshake failed: %s (%s)\n",
++ gnutls_strerror(err),
++ gnutls_strerror_name(err)
++ );
++ }
++ } while (handshake_repeat);
+
+ csync_conn_usessl = 1;
+