aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-12-13 01:15:47 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-12-13 03:21:16 -0300
commit2674bcece0f4941722192a7d4d57cab30d595b79 (patch)
treed453dce9ce8452e3abf249d90cbc0acb7cbc8a53
parent72270cc2f96ec216426779cc2542633af60feb48 (diff)
downloadaports-2674bcece0f4941722192a7d4d57cab30d595b79.tar.gz
aports-2674bcece0f4941722192a7d4d57cab30d595b79.tar.bz2
aports-2674bcece0f4941722192a7d4d57cab30d595b79.tar.xz
-rw-r--r--main/p11-kit/APKBUILD15
-rw-r--r--main/p11-kit/backport-CVE-2020-29361-2-3.patch226
2 files changed, 238 insertions, 3 deletions
diff --git a/main/p11-kit/APKBUILD b/main/p11-kit/APKBUILD
index 61d5ff1e16..48829498f8 100644
--- a/main/p11-kit/APKBUILD
+++ b/main/p11-kit/APKBUILD
@@ -2,14 +2,22 @@
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=p11-kit
pkgver=0.23.18.1
-pkgrel=0
+pkgrel=1
pkgdesc="Library for loading and sharing PKCS#11 modules"
url="https://p11-glue.freedesktop.org/"
arch="all"
license="BSD-3-Clause"
makedepends="libtasn1-dev libffi-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-trust $pkgname-server"
-source="https://github.com/p11-glue/p11-kit/releases/download/$pkgver/p11-kit-$pkgver.tar.gz"
+source="https://github.com/p11-glue/p11-kit/releases/download/$pkgver/p11-kit-$pkgver.tar.gz
+ backport-CVE-2020-29361-2-3.patch
+ "
+
+# secfixes:
+# 0.23.18.1-r1:
+# - CVE-2020-29361
+# - CVE-2020-29362
+# - CVE-2020-29363
build() {
cd "$builddir"
@@ -62,4 +70,5 @@ server() {
"$subpkgdir"/usr/libexec/p11-kit
}
-sha512sums="941996aea75025dad5dfc6f9b4609bc92bc0888d5b2b58de0d498d6cf75d059421405d9c3bad51122108b6ad1e41e434609ead23404efe635cdb806836ccadbd p11-kit-0.23.18.1.tar.gz"
+sha512sums="941996aea75025dad5dfc6f9b4609bc92bc0888d5b2b58de0d498d6cf75d059421405d9c3bad51122108b6ad1e41e434609ead23404efe635cdb806836ccadbd p11-kit-0.23.18.1.tar.gz
+4fd8919a73870d63aed338e78ae5c9ca495898e41be6d3a565d802cad509e9cba8e4d65b71197e79c659ef5156cd2c25f7948db37e9ac12472bd8fdb3fbdbfef backport-CVE-2020-29361-2-3.patch"
diff --git a/main/p11-kit/backport-CVE-2020-29361-2-3.patch b/main/p11-kit/backport-CVE-2020-29361-2-3.patch
new file mode 100644
index 0000000000..8269146431
--- /dev/null
+++ b/main/p11-kit/backport-CVE-2020-29361-2-3.patch
@@ -0,0 +1,226 @@
+Meshed up:
+https://github.com/p11-glue/p11-kit/commit/bb3a3cb1cb4ae8341fa1cf1cc4e9f282c7c74b76
+https://github.com/p11-glue/p11-kit/commit/69d751ca9df9ac101adfb1e5aa7e83e3358106ba
+https://github.com/p11-glue/p11-kit/commit/7625cfcebccf1c02d17e9295e1d883ea688ea264
+https://github.com/p11-glue/p11-kit/commit/6c1c94bd2360f5778beb397ba5508d5084b7f0ee
+https://github.com/p11-glue/p11-kit/commit/7f032183dfd36c1f91d2400ceb5bbc90376a310c
+
+Should fix CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
+
+diff --git a/common/compat.c b/common/compat.c
+index 8b14658..3570770 100644
+--- a/common/compat.c
++++ b/common/compat.c
+@@ -496,8 +496,8 @@ reallocarray (void *ptr,
+ size_t nmemb,
+ size_t size)
+ {
+- assert (nmemb > 0 && size > 0);
+- if (SIZE_MAX / nmemb < size) {
++ assert (nmemb >= 0 && size >= 0);
++ if (nmemb != 0 && SIZE_MAX / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
+diff --git a/p11-kit/iter.c b/p11-kit/iter.c
+index d26cd71..766dd9a 100644
+--- a/p11-kit/iter.c
++++ b/p11-kit/iter.c
+@@ -545,7 +545,7 @@ move_next_session (P11KitIter *iter)
+ if (rv != CKR_OK)
+ return finish_iterating (iter, rv);
+
+- iter->slots = realloc (iter->slots, sizeof (CK_SLOT_ID) * (num_slots + 1));
++ iter->slots = reallocarray (iter->slots, num_slots + 1, sizeof (CK_SLOT_ID));
+ return_val_if_fail (iter->slots != NULL, CKR_HOST_MEMORY);
+
+ rv = (iter->module->C_GetSlotList) (CK_TRUE, iter->slots, &num_slots);
+@@ -698,7 +698,7 @@ p11_kit_iter_next (P11KitIter *iter)
+ for (;;) {
+ if (iter->max_objects - iter->num_objects == 0) {
+ iter->max_objects = iter->max_objects ? iter->max_objects * 2 : 64;
+- iter->objects = realloc (iter->objects, iter->max_objects * sizeof (CK_ULONG));
++ iter->objects = reallocarray (iter->objects, iter->max_objects, sizeof (CK_ULONG));
+ return_val_if_fail (iter->objects != NULL, CKR_HOST_MEMORY);
+ }
+
+diff --git a/p11-kit/lists.c b/p11-kit/lists.c
+index 5804be2..365a6d8 100644
+--- a/p11-kit/lists.c
++++ b/p11-kit/lists.c
+@@ -64,6 +64,8 @@ hex_encode (const unsigned char *data,
+ size_t i;
+ size_t o;
+
++ if ((SIZE_MAX - 1) / 3 < n_data)
++ return NULL;
+ result = malloc (n_data * 3 + 1);
+ if (result == NULL)
+ return NULL;
+diff --git a/p11-kit/log.c b/p11-kit/log.c
+index 19377b2..58bc5f4 100644
+--- a/p11-kit/log.c
++++ b/p11-kit/log.c
+@@ -726,7 +726,7 @@ log_token_info (p11_buffer *buf,
+ (unsigned int)info->firmwareVersion.minor);
+ p11_buffer_add (buf, temp, -1);
+ p11_buffer_add (buf, "\n\tutcTime: ", -1);
+- p11_buffer_add (buf, (info->flags & CKF_CLOCK_ON_TOKEN) ? (const char*)info->utcTime : "", -1);
++ p11_buffer_add (buf, (info->flags & CKF_CLOCK_ON_TOKEN) ? (const char*)info->utcTime : "", sizeof (info->utcTime));
+ p11_buffer_add (buf, "\n }\n", -1);
+ }
+ }
+diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
+index 643bf4e..8066c84 100644
+--- a/p11-kit/proxy.c
++++ b/p11-kit/proxy.c
+@@ -278,7 +278,7 @@ proxy_list_slots (Proxy *py, Mapping *mappings, unsigned int n_mappings)
+ return_val_if_fail (count == 0 || slots != NULL, CKR_GENERAL_ERROR);
+
+ if (count > 0) {
+- py->mappings = realloc (py->mappings, sizeof (Mapping) * (py->n_mappings + count));
++ py->mappings = reallocarray (py->mappings, (py->n_mappings + count), sizeof (Mapping));
+ return_val_if_fail (py->mappings != NULL, CKR_HOST_MEMORY);
+
+ /* And now add a mapping for each of those slots */
+diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
+index 672d1c7..fad569e 100644
+--- a/p11-kit/rpc-message.c
++++ b/p11-kit/rpc-message.c
+@@ -43,6 +43,7 @@
+ #include "rpc-message.h"
+
+ #include <assert.h>
++#include <errno.h>
+ #include <string.h>
+
+ #define ELEMS(x) (sizeof (x) / sizeof (x[0]))
+@@ -114,6 +115,18 @@ p11_rpc_message_alloc_extra (p11_rpc_message *msg,
+ return (void *)(data + 1);
+ }
+
++void *
++p11_rpc_message_alloc_extra_array (p11_rpc_message *msg,
++ size_t nmemb,
++ size_t size)
++{
++ if (nmemb != 0 && (SIZE_MAX - sizeof (void *)) / nmemb < size) {
++ errno = ENOMEM;
++ return NULL;
++ }
++ return p11_rpc_message_alloc_extra (msg, nmemb * size);
++}
++
+ bool
+ p11_rpc_message_prep (p11_rpc_message *msg,
+ int call_id,
+@@ -744,7 +757,7 @@ p11_rpc_buffer_get_byte_array (p11_buffer *buf,
+ return false;
+ }
+
+- if (buf->len < len || *offset > buf->len - len) {
++ if (buf->len < len || off > buf->len - len) {
+ p11_buffer_fail (buf);
+ return false;
+ }
+@@ -1212,7 +1225,7 @@ p11_rpc_buffer_get_attribute (p11_buffer *buffer,
+ size_t *offset,
+ CK_ATTRIBUTE *attr)
+ {
+- uint32_t type, length;
++ uint32_t type, length, decode_length;
+ unsigned char validity;
+ p11_rpc_attribute_serializer *serializer;
+ p11_rpc_value_type value_type;
+@@ -1242,8 +1255,13 @@ p11_rpc_buffer_get_attribute (p11_buffer *buffer,
+ assert (serializer != NULL);
+ if (!serializer->decode (buffer, offset, attr->pValue, &attr->ulValueLen))
+ return false;
+- if (!attr->pValue)
++ if (!attr->pValue) {
++ decode_length = attr->ulValueLen;
+ attr->ulValueLen = length;
++ if (decode_length > length) {
++ return false;
++ }
++ }
+ attr->type = type;
+ return true;
+ }
+diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
+index 989bbc0..62e7b18 100644
+--- a/p11-kit/rpc-message.h
++++ b/p11-kit/rpc-message.h
+@@ -255,6 +255,10 @@ void p11_rpc_message_clear (p11_rpc_message *msg);
+ void * p11_rpc_message_alloc_extra (p11_rpc_message *msg,
+ size_t length);
+
++void * p11_rpc_message_alloc_extra_array (p11_rpc_message *msg,
++ size_t nmemb,
++ size_t size);
++
+ bool p11_rpc_message_prep (p11_rpc_message *msg,
+ int call_id,
+ p11_rpc_message_type type);
+diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
+index 846ee94..dfdb76d 100644
+--- a/p11-kit/rpc-server.c
++++ b/p11-kit/rpc-server.c
+@@ -88,7 +88,7 @@ proto_read_byte_buffer (p11_rpc_message *msg,
+ if (length == 0)
+ return CKR_OK;
+
+- *buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_BYTE));
++ *buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_BYTE));
+ if (*buffer == NULL)
+ return CKR_DEVICE_MEMORY;
+
+@@ -186,7 +186,7 @@ proto_read_ulong_buffer (p11_rpc_message *msg,
+ if (length == 0)
+ return CKR_OK;
+
+- *buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_ULONG));
++ *buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_ULONG));
+ if (!*buffer)
+ return CKR_DEVICE_MEMORY;
+
+@@ -246,7 +246,7 @@ proto_read_attribute_buffer (p11_rpc_message *msg,
+ return PARSE_ERROR;
+
+ /* Allocate memory for the attribute structures */
+- attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE));
++ attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE));
+ if (attrs == NULL)
+ return CKR_DEVICE_MEMORY;
+
+@@ -300,7 +300,7 @@ proto_read_attribute_array (p11_rpc_message *msg,
+ return PARSE_ERROR;
+
+ /* Allocate memory for the attribute structures */
+- attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE));
++ attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE));
+ if (attrs == NULL)
+ return CKR_DEVICE_MEMORY;
+
+diff --git a/trust/index.c b/trust/index.c
+index 2d1da29..795c67f 100644
+--- a/trust/index.c
++++ b/trust/index.c
+@@ -271,7 +271,7 @@ bucket_insert (index_bucket *bucket,
+ if (bucket->num + 1 > alloc) {
+ alloc = alloc ? alloc * 2 : 1;
+ return_if_fail (alloc != 0);
+- bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE));
++ bucket->elem = reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE));
+ }
+
+ return_if_fail (bucket->elem != NULL);
+@@ -291,7 +291,7 @@ bucket_push (index_bucket *bucket,
+ if (bucket->num + 1 > alloc) {
+ alloc = alloc ? alloc * 2 : 1;
+ return_val_if_fail (alloc != 0, false);
+- bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE));
++ bucket->elem = reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE));
+ }
+
+ return_val_if_fail (bucket->elem != NULL, false);