aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2019-07-21 02:35:49 -0300
committerNatanael Copa <ncopa@alpinelinux.org>2019-07-22 11:48:40 +0200
commit1e378edcf6caaa3ed5646459e4c8a47234afa01a (patch)
treed8f4342a0d27fb8900ff2bc398f0c07ee1a559df
parent63295e4a667669a5dadf360d6a5e0d3ca67af2c1 (diff)
downloadaports-1e378edcf6caaa3ed5646459e4c8a47234afa01a.tar.gz
aports-1e378edcf6caaa3ed5646459e4c8a47234afa01a.tar.bz2
aports-1e378edcf6caaa3ed5646459e4c8a47234afa01a.tar.xz
main/libcroco: fix a few CVEs
- CVE-2017-7960 - CVE-2017-7961 - CVE-2017-8834 - CVE-2017-8871 Fixes https://gitlab.alpinelinux.org/alpine/aports/issues/10566
-rw-r--r--main/libcroco/APKBUILD24
-rw-r--r--main/libcroco/CVE-2017-7960.patch59
-rw-r--r--main/libcroco/CVE-2017-7961.patch43
-rw-r--r--main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch29
4 files changed, 149 insertions, 6 deletions
diff --git a/main/libcroco/APKBUILD b/main/libcroco/APKBUILD
index ef28628b1e..fa44fa8066 100644
--- a/main/libcroco/APKBUILD
+++ b/main/libcroco/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libcroco
pkgver=0.6.12
-pkgrel=0
+pkgrel=1
pkgdesc="GNOME CSS2 parsing and manipulation toolkit"
url="http://www.gnome.org"
arch="all"
@@ -9,11 +9,20 @@ license="LGPL"
subpackages="$pkgname-dev"
depends=
makedepends="glib-dev libxml2-dev"
-source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz
+ CVE-2017-7960.patch
+ CVE-2017-7961.patch
+ CVE-2017-8871-and-CVE-2017-8834.patch
+ "
-depends_dev="glib-dev libxml2-dev pkgconfig"
+# secfixes:
+# 0.6.12-r1:
+# - CVE-2017-7960
+# - CVE-2017-7961
+# - CVE-2017-8871
+# - CVE-2017-8834
-builddir="$srcdir/$pkgname-$pkgver"
+depends_dev="glib-dev libxml2-dev pkgconfig"
build() {
cd "$builddir"
@@ -28,6 +37,9 @@ build() {
package() {
cd "$builddir"
- make DESTDIR="$pkgdir" install || return 1
+ make DESTDIR="$pkgdir" install
}
-sha512sums="af9a171d5ccded255b57f170576e67155f12fa0f61ab3e379e907975f77afc37e82e22772c6019b2897cffc15b2425faf3ccfda92b1a45b23eda2519debabeb6 libcroco-0.6.12.tar.xz"
+sha512sums="af9a171d5ccded255b57f170576e67155f12fa0f61ab3e379e907975f77afc37e82e22772c6019b2897cffc15b2425faf3ccfda92b1a45b23eda2519debabeb6 libcroco-0.6.12.tar.xz
+e6a799e5547c60a317602aa5b537b27ecbc47de84ceb9ef109586370406cd8151c7ab1e7c27f346becf3c10f0524bfc7ac98dcf3160089880c2ac189ee4e7176 CVE-2017-7960.patch
+a1820039d23793ac53ba3acb771f487fe7fed839b298734435e168fecb5cd8b2b20b2fd08b4f827d0ed7eb0b5e76c9290ba912533b95acbf1be7cda5fd604da6 CVE-2017-7961.patch
+568ad8205f5c2ab1eb949ef664671069fad5991e43992e35092738c1a741289303dba343c8002caec817d1c27fe5645dc2a861573fb4d91074aef59ff41f3d27 CVE-2017-8871-and-CVE-2017-8834.patch"
diff --git a/main/libcroco/CVE-2017-7960.patch b/main/libcroco/CVE-2017-7960.patch
new file mode 100644
index 0000000000..cd8dbaafa4
--- /dev/null
+++ b/main/libcroco/CVE-2017-7960.patch
@@ -0,0 +1,59 @@
+From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:13:43 +0200
+Subject: [PATCH] input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+---
+ src/cr-input.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1..3b63a88 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+ *we should free buf here because it's own by CRInput.
+ *(see the last parameter of cr_input_new_from_buf().
+ */
+- buf = NULL ;
++ buf = NULL;
+ }
+
+ cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++ gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+ && a_byte, CR_BAD_PARAM_ERROR);
+
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+
++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++ if (nb_bytes_left < 1) {
++ return CR_END_OF_INPUT_ERROR;
++ }
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+
+ return status;
+--
+2.21.0
+
+
diff --git a/main/libcroco/CVE-2017-7961.patch b/main/libcroco/CVE-2017-7961.patch
new file mode 100644
index 0000000000..bb0236e6a5
--- /dev/null
+++ b/main/libcroco/CVE-2017-7961.patch
@@ -0,0 +1,43 @@
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:56:09 +0200
+Subject: [PATCH] tknzr: support only max long rgb values
+
+This fixes a possible out of bound when reading rgbs which
+are longer than the support MAXLONG
+---
+ src/cr-tknzr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
+index 1a7cfeb..1548c35 100644
+--- a/src/cr-tknzr.c
++++ b/src/cr-tknzr.c
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ red = num->val;
+ cr_num_destroy (num);
+ num = NULL;
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ PEEK_BYTE (a_this, 1, &next_bytes[0]);
+ if (next_bytes[0] == '%') {
+ SKIP_CHARS (a_this, 1);
+--
+2.21.0
+
+
diff --git a/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch
new file mode 100644
index 0000000000..f65c6a9748
--- /dev/null
+++ b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch
@@ -0,0 +1,29 @@
+From deda38539f5b25616aa294d8b19d33ebf8e175ff Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@alum.wpi.edu>
+Date: Thu, 2 May 2019 10:54:43 -0500
+Subject: [PATCH] cr_utils_read_char_from_utf8_buf: move past invalid UTF-8
+
+Otherwise, the offending character is never consumed, possibly leading
+to an infinite loop.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=782647
+---
+ src/cr-utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cr-utils.c b/src/cr-utils.c
+index 2420cec..6cf4849 100644
+--- a/src/cr-utils.c
++++ b/src/cr-utils.c
+@@ -505,6 +505,7 @@ cr_utils_read_char_from_utf8_buf (const guchar * a_in,
+
+ } else {
+ /*BAD ENCODING */
++ nb_bytes_2_decode = 1;
+ goto end;
+ }
+
+--
+2.20.1
+
+