aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2019-07-21 02:35:49 -0300
committerNatanael Copa <ncopa@alpinelinux.org>2019-07-22 09:44:51 +0000
commit3753b9e3f39d049e7c6c6664bbed67a0f2bef958 (patch)
tree3001e6421ce8f507ea89464c4a0f8c6244663ddc
parent50e76a2dd93dff1d8d3b59616a822459fbfd08d7 (diff)
downloadaports-3753b9e3f39d049e7c6c6664bbed67a0f2bef958.tar.bz2
aports-3753b9e3f39d049e7c6c6664bbed67a0f2bef958.tar.xz
main/libcroco: fix a few CVEs
- CVE-2017-8834 - CVE-2017-8871 Also add comments for: - CVE-2017-7960 - CVE-2017-7961
-rw-r--r--main/libcroco/APKBUILD16
-rw-r--r--main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch29
2 files changed, 42 insertions, 3 deletions
diff --git a/main/libcroco/APKBUILD b/main/libcroco/APKBUILD
index 0949144415..7e9e34d4f2 100644
--- a/main/libcroco/APKBUILD
+++ b/main/libcroco/APKBUILD
@@ -1,14 +1,23 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libcroco
pkgver=0.6.13
-pkgrel=0
+pkgrel=1
pkgdesc="GNOME CSS2 parsing and manipulation toolkit"
url="http://www.gnome.org"
arch="all"
license="LGPL-2.1-only"
subpackages="$pkgname-dev $pkgname-doc"
makedepends="glib-dev libxml2-dev"
-source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz
+ CVE-2017-8871-and-CVE-2017-8834.patch
+ "
+
+# secfixes:
+# 0.6.13-r1:
+# - CVE-2017-7960
+# - CVE-2017-7961
+# - CVE-2017-8871
+# - CVE-2017-8834
build() {
cd "$builddir"
@@ -29,4 +38,5 @@ package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
}
-sha512sums="038a3ac9d160a8cf86a8a88c34367e154ef26ede289c93349332b7bc449a5199b51ea3611cebf3a2416ae23b9e45ecf8f9c6b24ea6d16a5519b796d3c7e272d4 libcroco-0.6.13.tar.xz"
+sha512sums="038a3ac9d160a8cf86a8a88c34367e154ef26ede289c93349332b7bc449a5199b51ea3611cebf3a2416ae23b9e45ecf8f9c6b24ea6d16a5519b796d3c7e272d4 libcroco-0.6.13.tar.xz
+568ad8205f5c2ab1eb949ef664671069fad5991e43992e35092738c1a741289303dba343c8002caec817d1c27fe5645dc2a861573fb4d91074aef59ff41f3d27 CVE-2017-8871-and-CVE-2017-8834.patch"
diff --git a/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch
new file mode 100644
index 0000000000..f65c6a9748
--- /dev/null
+++ b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch
@@ -0,0 +1,29 @@
+From deda38539f5b25616aa294d8b19d33ebf8e175ff Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@alum.wpi.edu>
+Date: Thu, 2 May 2019 10:54:43 -0500
+Subject: [PATCH] cr_utils_read_char_from_utf8_buf: move past invalid UTF-8
+
+Otherwise, the offending character is never consumed, possibly leading
+to an infinite loop.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=782647
+---
+ src/cr-utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cr-utils.c b/src/cr-utils.c
+index 2420cec..6cf4849 100644
+--- a/src/cr-utils.c
++++ b/src/cr-utils.c
+@@ -505,6 +505,7 @@ cr_utils_read_char_from_utf8_buf (const guchar * a_in,
+
+ } else {
+ /*BAD ENCODING */
++ nb_bytes_2_decode = 1;
+ goto end;
+ }
+
+--
+2.20.1
+
+