aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAriadne Conill <ariadne@dereferenced.org>2020-11-20 00:37:38 -0700
committerAriadne Conill <ariadne@dereferenced.org>2020-11-20 00:37:38 -0700
commit908046ad5f96c4c1df5541ff4b0251767e110c85 (patch)
treee1bf9619b332fc40f68e3535d3da85aa097f637f
parentb8bf3e2fefc867e3679a1a02577c23179f42118d (diff)
downloadaports-908046ad5f96c4c1df5541ff4b0251767e110c85.tar.gz
aports-908046ad5f96c4c1df5541ff4b0251767e110c85.tar.bz2
aports-908046ad5f96c4c1df5541ff4b0251767e110c85.tar.xz
main/musl: security fix for CVE-2020-28928
-rw-r--r--main/musl/APKBUILD10
-rw-r--r--main/musl/wcsnrtombs-cve-2020-28928.diff65
2 files changed, 73 insertions, 2 deletions
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index e00c18db4c..bd128c3586 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -1,8 +1,8 @@
-# Contributor:
+# Contributor: Ariadne Conill <ariadne@dereferenced.org>
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=musl
pkgver=1.1.24
-pkgrel=9
+pkgrel=10
pkgdesc="the musl c library (libc) implementation"
url="https://musl.libc.org/"
arch="all"
@@ -12,6 +12,7 @@ subpackages="$pkgname-libintl:libintl:noarch
$pkgname-dbg
libc6-compat:compat:noarch
"
+options="lib64"
case "$BOOTSTRAP" in
nocc) pkgname="musl-dev"; subpackages="";;
nolibc) ;;
@@ -37,6 +38,8 @@ source="https://musl.libc.org/releases/musl-$pkgver.tar.gz
0003-cut-down-size-of-some-libc-struct-members.patch
0004-restore-lock-skipping-for-processes-that-return-to-s.patch
+ wcsnrtombs-cve-2020-28928.diff
+
ldconfig
__stack_chk_fail_local.c
getconf.c
@@ -45,6 +48,8 @@ source="https://musl.libc.org/releases/musl-$pkgver.tar.gz
"
# secfixes:
+# 1.1.24-r10:
+# - CVE-2020-28928
# 1.1.23-r2:
# - CVE-2019-14697
# 1.1.15-r4:
@@ -195,6 +200,7 @@ dd46ef77b71d34b6207611be59dd4555b4e53fd7169732b9e5ee9a66f1e8da69fcca6634f895b9d3
c6cd692359961c382b7382c6eb819bf93ca8d687b7bd71e4d992acabc7003bd8388b22898059b6ac5abdf08c07020c8cbd2a5f908802258418079e096cdbc058 0002-don-t-use-libc.threads_minus_1-as-relaxed-atomic-for.patch
416aa17d4211ebbca97b4ce47eea8d8375ac5e0b602a4806175bc172be21b8291ac08fdaf39203e3a083a067bbbfa999cfb875f739d5fa07871885ac02eba75a 0003-cut-down-size-of-some-libc-struct-members.patch
f0e5ab79a793152c5e6c1c560b409ef062c8f9232c893b36c58b9667e5e0e86969555d8e2e9e17b59835ec7ed3c926a6ccce453824561ad82e47364c44374549 0004-restore-lock-skipping-for-processes-that-return-to-s.patch
+35dc5df28d90d1c84f9100116b63ba9e7fd44a20f512d12760da5e01f1aec4e799f726cbafb586bae568ff4f6d5a70948f1bf9fb901f1ca7dfcdf35c5d7510a6 wcsnrtombs-cve-2020-28928.diff
8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig
062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b __stack_chk_fail_local.c
0d80f37b34a35e3d14b012257c50862dfeb9d2c81139ea2dfa101d981d093b009b9fa450ba27a708ac59377a48626971dfc58e20a3799084a65777a0c32cbc7d getconf.c
diff --git a/main/musl/wcsnrtombs-cve-2020-28928.diff b/main/musl/wcsnrtombs-cve-2020-28928.diff
new file mode 100644
index 0000000000..8465f9422a
--- /dev/null
+++ b/main/musl/wcsnrtombs-cve-2020-28928.diff
@@ -0,0 +1,65 @@
+diff --git a/src/multibyte/wcsnrtombs.c b/src/multibyte/wcsnrtombs.c
+index 676932b5..95e25e70 100644
+--- a/src/multibyte/wcsnrtombs.c
++++ b/src/multibyte/wcsnrtombs.c
+@@ -1,41 +1,33 @@
+ #include <wchar.h>
++#include <limits.h>
++#include <string.h>
+
+ size_t wcsnrtombs(char *restrict dst, const wchar_t **restrict wcs, size_t wn, size_t n, mbstate_t *restrict st)
+ {
+- size_t l, cnt=0, n2;
+- char *s, buf[256];
+ const wchar_t *ws = *wcs;
+- const wchar_t *tmp_ws;
+-
+- if (!dst) s = buf, n = sizeof buf;
+- else s = dst;
+-
+- while ( ws && n && ( (n2=wn)>=n || n2>32 ) ) {
+- if (n2>=n) n2=n;
+- tmp_ws = ws;
+- l = wcsrtombs(s, &ws, n2, 0);
+- if (!(l+1)) {
+- cnt = l;
+- n = 0;
++ size_t cnt = 0;
++ if (!dst) n=0;
++ while (ws && wn) {
++ char tmp[MB_LEN_MAX];
++ size_t l = wcrtomb(n<MB_LEN_MAX ? tmp : dst, *ws, 0);
++ if (l==-1) {
++ cnt = -1;
+ break;
+ }
+- if (s != buf) {
+- s += l;
++ if (dst) {
++ if (n<MB_LEN_MAX) {
++ if (l>n) break;
++ memcpy(dst, tmp, l);
++ }
++ dst += l;
+ n -= l;
+ }
+- wn = ws ? wn - (ws - tmp_ws) : 0;
+- cnt += l;
+- }
+- if (ws) while (n && wn) {
+- l = wcrtomb(s, *ws, 0);
+- if ((l+1)<=1) {
+- if (!l) ws = 0;
+- else cnt = l;
++ if (!*ws) {
++ ws = 0;
+ break;
+ }
+- ws++; wn--;
+- /* safe - this loop runs fewer than sizeof(buf) times */
+- s+=l; n-=l;
++ ws++;
++ wn--;
+ cnt += l;
+ }
+ if (dst) *wcs = ws;