aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--community/bpftrace/APKBUILD2
-rw-r--r--community/cbindgen/APKBUILD4
-rw-r--r--community/ceph/32-fix_ceph_thread_timeout.patch74
-rw-r--r--community/ceph/42-no-virtualenvs.patch2
-rw-r--r--community/ceph/44-missing-include.patch14
-rw-r--r--community/ceph/44-signal_handler.patch16
-rw-r--r--community/ceph/APKBUILD24
-rw-r--r--community/cloudi/APKBUILD2
-rw-r--r--community/containerd/APKBUILD8
-rw-r--r--community/dino/APKBUILD8
-rw-r--r--community/drupal7/APKBUILD6
-rw-r--r--community/exiv2/APKBUILD20
-rw-r--r--community/exiv2/CVE-2021-29463.patch120
-rw-r--r--community/exiv2/CVE-2021-29470.patch21
-rw-r--r--community/exiv2/CVE-2021-29473.patch21
-rw-r--r--community/exiv2/CVE-2021-29623.patch26
-rw-r--r--community/exiv2/CVE-2021-32617.patch125
-rw-r--r--community/ffmpeg/APKBUILD12
-rw-r--r--community/ffmpeg/CVE-2020-35965.patch28
-rw-r--r--community/file-roller/APKBUILD14
-rw-r--r--community/file-roller/CVE-2020-36314.patch218
-rw-r--r--community/firefox-esr/APKBUILD12
-rw-r--r--community/firefox/APKBUILD21
-rw-r--r--community/firefox/disable-minidump.patch34
-rw-r--r--community/fluidsynth/APKBUILD10
-rw-r--r--community/frr/APKBUILD4
-rw-r--r--community/git-metafile/APKBUILD10
-rw-r--r--community/git-metafile/minimize-size.patch10
-rw-r--r--community/go-ipfs/APKBUILD9
-rw-r--r--community/graphicsmagick/APKBUILD11
-rw-r--r--community/hivex/APKBUILD18
-rw-r--r--community/hivex/CVE-2021-3504.patch72
-rw-r--r--community/ifstate/APKBUILD4
-rw-r--r--community/imagemagick/APKBUILD23
-rw-r--r--community/jool-modules-lts/APKBUILD2
-rw-r--r--community/libgrss/APKBUILD14
-rw-r--r--community/libgrss/CVE-2016-20011.patch101
-rw-r--r--community/libmad/APKBUILD2
-rw-r--r--community/libyang/APKBUILD24
-rw-r--r--community/libyang/CVE-2021-28903.patch69
-rw-r--r--community/libyang/CVE-2021-28904.patch26
-rw-r--r--community/libyang/CVE-2021-28905.patch263
-rw-r--r--community/libyang/CVE-2021-28906.patch65
-rw-r--r--community/mozjs78/APKBUILD11
-rw-r--r--community/mpv/APKBUILD12
-rw-r--r--community/mpv/CVE-2021-30145.patch87
-rw-r--r--community/mrxvt/APKBUILD14
-rw-r--r--community/mrxvt/CVE-2021-33477.patch41
-rw-r--r--community/mtr/APKBUILD10
-rw-r--r--community/mupdf/APKBUILD16
-rw-r--r--community/mupdf/CVE-2021-3407.patch45
-rw-r--r--community/mupdf/bug-fix-overflow.patch41
-rw-r--r--community/mupdf/harden-pupulate-ui-against-unexpecter-repairs.patch102
-rw-r--r--community/networkmanager-elogind/APKBUILD14
-rw-r--r--community/networkmanager-elogind/CVE-2021-20297.patch13
-rw-r--r--community/networkmanager/APKBUILD14
-rw-r--r--community/networkmanager/CVE-2021-20297.patch13
-rw-r--r--community/nextcloud/APKBUILD19
-rw-r--r--community/nextcloud19/APKBUILD19
-rw-r--r--community/nss/APKBUILD10
-rw-r--r--community/orca/APKBUILD4
-rw-r--r--community/php7-pecl-imagick/APKBUILD4
-rw-r--r--community/php7/APKBUILD6
-rw-r--r--community/php8-pecl-imagick/APKBUILD4
-rw-r--r--community/php8/APKBUILD6
-rw-r--r--community/pmbootstrap/APKBUILD4
-rw-r--r--community/py3-django/APKBUILD10
-rw-r--r--community/py3-pyroute2/APKBUILD4
-rw-r--r--community/rpm/APKBUILD1
-rw-r--r--community/rtl8821ce-lts/APKBUILD2
-rw-r--r--community/rtpengine-lts/APKBUILD2
-rw-r--r--community/runc/APKBUILD10
-rw-r--r--community/rxvt-unicode/APKBUILD16
-rw-r--r--community/rxvt-unicode/CVE-2021-33477.patch20
-rw-r--r--community/salt/APKBUILD10
-rw-r--r--community/ssh-ldap-pubkey/APKBUILD10
-rw-r--r--community/synapse/APKBUILD10
-rw-r--r--community/synapse/relax-crypto-dep.patch10
-rw-r--r--community/tor/APKBUILD8
-rw-r--r--community/vault/APKBUILD10
-rw-r--r--community/wireshark/APKBUILD10
-rw-r--r--community/wireshark/fix-udpdump.patch6
-rw-r--r--community/xpdf/APKBUILD11
-rw-r--r--community/xrdp/APKBUILD21
-rw-r--r--community/xrdp/openssl.conf46
-rw-r--r--community/xrdp/xrdp.post-install13
-rw-r--r--community/zabbix/APKBUILD4
-rw-r--r--community/zbar/APKBUILD2
-rw-r--r--main/ansible/APKBUILD8
-rw-r--r--main/apache2/APKBUILD19
-rw-r--r--main/apk-tools/APKBUILD10
-rw-r--r--main/aspell/APKBUILD12
-rw-r--r--main/aspell/CVE-2019-25051.patch96
-rw-r--r--main/avahi/APKBUILD14
-rw-r--r--main/avahi/CVE-2021-3468.patch37
-rw-r--r--main/avahi/CVE-2021-36217.patch148
-rw-r--r--main/bind/APKBUILD2
-rw-r--r--main/botan/APKBUILD12
-rw-r--r--main/botan/CVE-2021-24115.patch818
-rw-r--r--main/cifs-utils/APKBUILD10
-rw-r--r--main/curl/APKBUILD17
-rw-r--r--main/cyrus-sasl/APKBUILD2
-rw-r--r--main/dahdi-linux-lts/APKBUILD2
-rw-r--r--main/dhcp/APKBUILD19
-rw-r--r--main/dhcpcd/APKBUILD10
-rw-r--r--main/dovecot/APKBUILD25
-rw-r--r--main/dovecot/fix-libssl_iostream_openssl.patch14
-rw-r--r--main/dovecot/fix-oauth2-jwt.c.patch55
-rw-r--r--main/dovecot/test-imap-client-hibernate.patch14
-rw-r--r--main/git/APKBUILD2
-rw-r--r--main/graphviz/APKBUILD14
-rw-r--r--main/graphviz/CVE-2020-18032.patch40
-rw-r--r--main/haproxy/APKBUILD8
-rw-r--r--main/intel-ucode/APKBUILD4
-rw-r--r--main/jansson/APKBUILD4
-rw-r--r--main/kamailio/APKBUILD4
-rw-r--r--main/kamailio/mohqueue-1.8.patch485
-rw-r--r--main/krb5/APKBUILD12
-rw-r--r--main/libgcrypt/APKBUILD8
-rw-r--r--main/libx11/APKBUILD8
-rw-r--r--main/libxml2/APKBUILD19
-rw-r--r--main/libxml2/CVE-2019-20388.patch12
-rw-r--r--main/libxml2/CVE-2020-24977.patch40
-rw-r--r--main/libxml2/libxml2-CVE-2020-7595.patch32
-rw-r--r--main/linux-lts/APKBUILD4
-rw-r--r--main/mariadb/APKBUILD11
-rw-r--r--main/musl/APKBUILD11
-rw-r--r--main/musl/syscall-cp-epoll.patch16
-rw-r--r--main/nano/APKBUILD4
-rw-r--r--main/nginx/APKBUILD14
-rw-r--r--main/nginx/CVE-2021-23017.patch25
-rw-r--r--main/nginx/nginx.post-upgrade11
-rw-r--r--main/nginx/nginx.pre-upgrade9
-rw-r--r--main/nikto/APKBUILD16
-rw-r--r--main/nikto/CVE-2018-11652.patch101
-rw-r--r--main/nodejs/APKBUILD12
-rw-r--r--main/nodejs/npm-ssri-CVE-2021-27290.patch82
-rw-r--r--main/nspr/APKBUILD8
-rw-r--r--main/open-iscsi/APKBUILD4
-rw-r--r--main/open-iscsi/iscsid.initd2
-rw-r--r--main/openrc/APKBUILD15
-rw-r--r--main/openrc/CVE-2018-21269.patch244
-rw-r--r--main/openvpn/APKBUILD3
-rw-r--r--main/patch/APKBUILD12
-rw-r--r--main/patch/CVE-2019-20633.patch26
-rw-r--r--main/perl-convert-asn1/APKBUILD44
-rw-r--r--main/postfix/APKBUILD8
-rw-r--r--main/putty/APKBUILD12
-rw-r--r--main/putty/fix-ppc64le-disable-werror.patch13
-rw-r--r--main/py3-cryptography/APKBUILD2
-rw-r--r--main/redis/APKBUILD15
-rw-r--r--main/rssh/APKBUILD21
-rw-r--r--main/rssh/check-command-line-after-chroot.patch30
-rw-r--r--main/rssh/verify-scp-options.patch89
-rw-r--r--main/rsync/APKBUILD13
-rw-r--r--main/rsync/Fix-regression-with---delay-updates.patch26
-rw-r--r--main/rsync/rsyncd.logrotate2
-rw-r--r--main/rsyslog/APKBUILD10
-rw-r--r--main/rsyslog/rsyslog.conf10
-rw-r--r--main/speedtest-cli/APKBUILD12
-rw-r--r--main/speedtest-cli/invalid_literal_fix.patch13
-rw-r--r--main/spice/APKBUILD12
-rw-r--r--main/spice/CVE-2021-20201.patch36
-rw-r--r--main/squid/APKBUILD13
-rw-r--r--main/unzip/APKBUILD12
-rw-r--r--main/unzip/CVE-2018-18384.patch13
-rw-r--r--main/varnish/APKBUILD10
-rw-r--r--main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch83
-rw-r--r--main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch58
-rw-r--r--main/xen/APKBUILD40
-rw-r--r--main/xen/xsa373-4.14-1.patch120
-rw-r--r--main/xen/xsa373-4.14-2.patch102
-rw-r--r--main/xen/xsa373-4.14-3.patch163
-rw-r--r--main/xen/xsa373-4.14-4.patch81
-rw-r--r--main/xen/xsa373-4.14-5.patch143
-rw-r--r--main/xen/xsa375.patch50
-rw-r--r--main/xen/xsa377.patch27
-rw-r--r--main/xtables-addons-lts/APKBUILD2
-rw-r--r--main/zfs-lts/APKBUILD2
-rw-r--r--main/zstd/APKBUILD21
180 files changed, 5540 insertions, 748 deletions
diff --git a/community/bpftrace/APKBUILD b/community/bpftrace/APKBUILD
index 581e9b526b..1e7f426827 100644
--- a/community/bpftrace/APKBUILD
+++ b/community/bpftrace/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Adam Jensen <acjensen@gmail.com>
pkgname=bpftrace
pkgver=0.11.4
-pkgrel=0
+pkgrel=1
_llvmver=10
pkgdesc="High-level tracing language for Linux eBPF"
url="https://github.com/iovisor/bpftrace"
diff --git a/community/cbindgen/APKBUILD b/community/cbindgen/APKBUILD
index a4875900c0..37638fc4eb 100644
--- a/community/cbindgen/APKBUILD
+++ b/community/cbindgen/APKBUILD
@@ -3,7 +3,7 @@
pkgname=cbindgen
# Please be VERY careful bumping this - Firefox regularly fails to build
# with new versions!
-pkgver=0.18.0
+pkgver=0.19.0
pkgrel=0
pkgdesc="Tool to generate C bindings from Rust code"
url="https://github.com/eqrion/cbindgen"
@@ -27,4 +27,4 @@ package() {
install -Dm0755 target/release/cbindgen -t "$pkgdir"/usr/bin
}
-sha512sums="5d09c5720f5157239228f8570b18c33057cfd7e68f453d9e31bd5eb69541e21a348bbe9116c3387a00425803c6ae8eab9b2b97359fb275f5a7fb982974008909 cbindgen-0.18.0.tar.gz"
+sha512sums="dc31896c75d43fa7efb6256b861b7d4a51b9b0e4dc605bcaf769b32cba2dc0b7a5c49b01f0ff48ada08488ad8c020c3bbb645d6796046caf0bd7d9eaae25a962 cbindgen-0.19.0.tar.gz"
diff --git a/community/ceph/32-fix_ceph_thread_timeout.patch b/community/ceph/32-fix_ceph_thread_timeout.patch
deleted file mode 100644
index 6740332644..0000000000
--- a/community/ceph/32-fix_ceph_thread_timeout.patch
+++ /dev/null
@@ -1,74 +0,0 @@
---- a/src/pybind/ceph_argparse.py
-+++ b/src/pybind/ceph_argparse.py
-@@ -564,11 +564,11 @@
- raise ArgumentFormat("{0} not a hex integer".format(val))
- try:
- int(val)
-- except:
-+ except ValueError:
- raise ArgumentFormat('can\'t convert {0} to integer'.format(val))
- try:
- int(bits)
-- except:
-+ except ValueError:
- raise ArgumentFormat('can\'t convert {0} to integer'.format(bits))
- self.val = s
-
-@@ -1077,15 +1077,12 @@
- # Have an arg; validate it
- try:
- validate_one(myarg, desc)
-- valid = True
- except ArgumentError as e:
-- valid = False
--
- # argument mismatch
- if not desc.req:
- # if not required, just push back; it might match
- # the next arg
-- save_exception = [ myarg, e ]
-+ save_exception = [myarg, e]
- myargs.insert(0, myarg)
- break
- else:
-@@ -1171,9 +1168,9 @@
- # (relies on a cmdsig being key,val where val is a list of len 1)
-
- def grade(cmd):
-- # prefer optional arguments over required ones
-- sigs = cmd['sig']
-- return sum(map(lambda sig: sig.req, sigs))
-+ # prefer optional arguments over required ones
-+ sigs = cmd['sig']
-+ return sum(map(lambda sig: sig.req, sigs))
-
- bestcmds_sorted = sorted(bestcmds, key=grade)
- if verbose:
-@@ -1227,7 +1224,6 @@
- return valid_dict
-
-
--
- def find_cmd_target(childargs):
- """
- Using a minimal validation, figure out whether the command
-@@ -1312,14 +1308,15 @@
-
-
- def run_in_thread(func, *args, **kwargs):
-- interrupt = False
- timeout = kwargs.pop('timeout', 0)
- if timeout == 0 or timeout == None:
- # python threading module will just get blocked if timeout is `None`,
- # otherwise it will keep polling until timeout or thread stops.
-- # wait for INT32_MAX, as python 3.6.8 use int32_t to present the
-- # timeout in integer when converting it to nanoseconds
-- timeout = (1 << (32 - 1)) - 1
-+ # timeout in integer when converting it to nanoseconds, but since
-+ # python3 uses `int64_t` for the deadline before timeout expires,
-+ # we have to use a safe value which does not overflow after being
-+ # added to current time in microseconds.
-+ timeout = 24 * 60 * 60
- t = RadosThread(func, *args, **kwargs)
-
- # allow the main thread to exit (presumably, avoid a join() on this
diff --git a/community/ceph/42-no-virtualenvs.patch b/community/ceph/42-no-virtualenvs.patch
index 66175596dd..828e4a6338 100644
--- a/community/ceph/42-no-virtualenvs.patch
+++ b/community/ceph/42-no-virtualenvs.patch
@@ -59,7 +59,7 @@
- OUTPUT "${mgr-dashboard-nodeenv-dir}/bin/npm"
- COMMAND ${CMAKE_SOURCE_DIR}/src/tools/setup-virtualenv.sh --python=${MGR_PYTHON_EXECUTABLE} ${mgr-dashboard-nodeenv-dir}
- COMMAND ${mgr-dashboard-nodeenv-dir}/bin/pip install nodeenv
-- COMMAND ${mgr-dashboard-nodeenv-dir}/bin/nodeenv -p --node=10.18.1
+- COMMAND ${mgr-dashboard-nodeenv-dir}/bin/nodeenv --verbose -p --node=10.18.1
+ OUTPUT "/usr/bin/npm"
+ COMMAND /usr/bin/nodeenv -p --node=system
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
diff --git a/community/ceph/44-missing-include.patch b/community/ceph/44-missing-include.patch
deleted file mode 100644
index eaa6f949af..0000000000
--- a/community/ceph/44-missing-include.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Taken from Arch Linux
-upstream MR https://github.com/ceph/ceph/commit/f16ac13c13eceed7adb5a4a04a3372b921e63031
-
---- a/src/tools/rbd/action/Bench.cc
-+++ b/src/tools/rbd/action/Bench.cc
-@@ -9,6 +9,8 @@
- #include "common/ceph_mutex.h"
- #include "include/types.h"
- #include "global/signal_handler.h"
-+#include <atomic>
-+#include <chrono>
- #include <iostream>
- #include <boost/accumulators/accumulators.hpp>
- #include <boost/accumulators/statistics/stats.hpp>
diff --git a/community/ceph/44-signal_handler.patch b/community/ceph/44-signal_handler.patch
deleted file mode 100644
index 723b31503e..0000000000
--- a/community/ceph/44-signal_handler.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-submitted upstream as: https://github.com/ceph/ceph/pull/39689
-
---- a/src/global/signal_handler.h
-+++ b/src/global/signal_handler.h
-@@ -20,9 +20,9 @@
-
- typedef void (*signal_handler_t)(int);
-
--#ifdef HAVE_SIGDESCR_NP
-+#if defined(HAVE_SIGDESCR_NP)
- # define sig_str(signum) sigdescr_np(signum)
--#elif HAVE_REENTRANT_STRSIGNAL
-+#elif defined(HAVE_REENTRANT_STRSIGNAL)
- # define sig_str(signum) strsignal(signum)
- #else
- # define sig_str(signum) sys_siglist[signum]
diff --git a/community/ceph/APKBUILD b/community/ceph/APKBUILD
index 1574bae9fb..32f1b558d3 100644
--- a/community/ceph/APKBUILD
+++ b/community/ceph/APKBUILD
@@ -3,8 +3,8 @@
# Contributor: Duncan Bellamy <dunk@denkimushi.com>
# Maintainer: Duncan Bellamy <dunk@denkimushi.com>
pkgname=ceph
-pkgver=15.2.10
-pkgrel=0
+pkgver=15.2.13
+pkgrel=1
pkgdesc="Ceph is a distributed object store and file system"
pkgusers="ceph"
pkggroups="ceph"
@@ -106,7 +106,6 @@ source="https://download.ceph.com/tarballs/ceph_$pkgver.orig.tar.gz
20-pci.patch
30-32bit_fix.patch.noauto
31-32bit_fix_tests.patch.noauto
- 32-fix_ceph_thread_timeout.patch
34-fix_cpu_detection.patch
35-fix_ErasureCodeShec.patch
36-fix_librbd_duplicate.patch
@@ -115,8 +114,6 @@ source="https://download.ceph.com/tarballs/ceph_$pkgver.orig.tar.gz
41-test-uint.patch
42-no-virtualenvs.patch
43-aarch64-erasure.patch
- 44-missing-include.patch
- 44-signal_handler.patch
"
subpackages="
@@ -198,6 +195,10 @@ build() {
export CFLAGS="$CFLAGS -DBOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT"
export CXXFLAGS="$CXXFLAGS -DBOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT"
+ # strip debug info when compiling so does not run out of space
+ export CFLAGS="$CFLAGS -s"
+ export CXXFLAGS="$CXXFLAGS -s"
+
cmake -B build \
-DALLOCATOR=libc \
-DCMAKE_INSTALL_PREFIX=/usr \
@@ -229,8 +230,8 @@ package() {
# Remove the upstream init file and put in openrc ones
rm -f "$pkgdir"/etc/init.d/ceph
- install -D -m 0744 "$srcdir"/"$pkgname".initd "$pkgdir"/etc/init.d/ceph
- install -D -m 0744 "$srcdir"/"$pkgname".confd "$pkgdir"/etc/conf.d/ceph
+ install -D -m 0755 "$srcdir"/"$pkgname".initd "$pkgdir"/etc/init.d/ceph
+ install -D -m 0644 "$srcdir"/"$pkgname".confd "$pkgdir"/etc/conf.d/ceph
# Move mount.* binaries to /sbin
mkdir -p "$pkgdir"/sbin
@@ -543,21 +544,20 @@ _pkg() {
done
}
-sha512sums="20202c07a068f99d5ce56b1969f703f996ad34c201ea3ab9bb05ea278afac71ccba43fb03e9de641dc3ab9692eecfcc6f52ff1ac03e13a1dc2f939bd8159fc2d ceph_15.2.10.orig.tar.gz
+sha512sums="
+bde28c331c489db0845959f65c425146c317466a7793f56a83e2827dec35b8cd6f600bf9056151c1e6926cc0155deebbc8681c240ac9f37ad876b9a6afae96da ceph_15.2.13.orig.tar.gz
110bdbcb40216c7ed155a8d23020784741b4992d895f4f04a146d275506e4e68053854d3b063b41e9c9b3e3e4f95b6b90602f92c185c853c0d8f47ad0c6b7121 ceph.confd
ce5f162501f6b67fe254546dddf880d1a5b1d1a0fa69e0b1918de17e8da45c5c6124512b8cbd98b76f29d931403de0d11c5ffd330ed8ee1f4dc75bb04baecae3 ceph.initd
c608f11cf358d76daf5281467a4ea941a81474fbe7f5faa41f7f4d0abaf9136a01576bbb1ab24bdd7bc91a49f66bd7f0a84717de5ec27250d74dd1e47e3b5dd3 10-musl-fixes.patch
427ab410aeb02d49c5caa8ff68c7b8df325229823d625b7069cd48c66dd9e129e742270850fb2be2238eb6fa12b8256845b4d94426ca96b2a9187b2726e78423 20-pci.patch
29161e75e7bff5a1394c5eb27e0fd5dc8044d2e144e311accbac5257bb4aa7ebf8f58293e98de8cbbd629923301b24bdaff165fa4027a79538b4e8e9c2c7c2ed 30-32bit_fix.patch.noauto
f974ab36cd6fa49c1d4613203a4f2152723e4952a185dfb6349bc4ca8ee1a7a9d0477bea136c54248271de30a4e584734ba41e8ec41bf274b04074622888ae39 31-32bit_fix_tests.patch.noauto
-26ecf3dd0220d878ccf98cac2adbc201e5be31b1b966698d95a7058a8bd6c3640520764e85b2a1645fd1474be576ed03f80811f8ccc96bada71b05fe51b06ef8 32-fix_ceph_thread_timeout.patch
62ef2e7e10978e9e0eef4a094bc63d9890f0d7e71eba0f0e15baede0597ea179a77924f6dbd4d4a9c9b151c9ae934f4c10d7f2a17ee960b017f942ec57c7af35 34-fix_cpu_detection.patch
8a3e902309238ae6917b4c5fe9fa371dad3ba8e01848f462a9b67ad8d69b8370a8957f6c88462a7016319fd323eb6d6c31415734db56485a8a8b279d2705aff5 35-fix_ErasureCodeShec.patch
ec8aec40fa04fd475834801232d644ff3baf0777b59dcede36a6caa0d63b2c379292253babc3678baee6a54935575cf9e4a622f4d16078ef8d3ac3c3d6502ad1 36-fix_librbd_duplicate.patch
60ea21b17640edf5bd644c23fa27abcf166a709795ad29bb917a38e59f069dceb4666479819626421340f7c70dd76545a4f1fbee8b2db781cadb9c061cdb7728 37-fix_tests.patch
92b5776925587c9c1491e975d49fe1a980cf65a1d556c22dd8547ff012e1a8a01c8cd04eedacdfa208e56aa9c260a8d8c0896c607bfc8079cfa38e8f1ece1a8a 40-uint.patch
445f3ca5c582e0fe02c18061c98cd13358684091c8a45262552c8af75d1c52320de538f6b71765e8267d326402a14c21dc27fd0781c997ab491bd3cdecc2e49f 41-test-uint.patch
-270e214292fab2d6a7a0a0a6e3df9ee6b2e2d37397607329f19822fe41f18cec0f4365adca9b78647d0aa78e9a22a7c95300fa71390a7885716e52991fbb8ecc 42-no-virtualenvs.patch
+c9af66d374682d5671abfca27c426f5958889dc6734e90572f3998333ba2bd69a70b2ab13961f4d5222db6b17b3104d170c950aa2e87aac957352797b66e0117 42-no-virtualenvs.patch
aea43c2a99f16f7fccf33aeca3565077bb2274816ca68db64b672addc85bde5c479bc9ad0fb33dbde79c9390f9acf1d98545e20e311e40dd428dad5ed02f0651 43-aarch64-erasure.patch
-fd6d008dbd62db03299d5562eb15c76cf4a6a58b8f2d872c298254777bd6ab8484ec884d3b24c5e9f40a3118af391e24b1eff835b6370921b5f81b4d25d8b9d2 44-missing-include.patch
-12019e8af8f9ce53e66c9acbe6ed8f1e3d3efbbd8bf924beb13d5fbe250053fb4185a6ef46193137ca636a5dda4d19a931e8060a4dd217cdcad77dc9db42065c 44-signal_handler.patch"
+"
diff --git a/community/cloudi/APKBUILD b/community/cloudi/APKBUILD
index be8424372a..47c94f27dc 100644
--- a/community/cloudi/APKBUILD
+++ b/community/cloudi/APKBUILD
@@ -29,7 +29,7 @@
pkgname=cloudi
pkgver=2.0.1
-pkgrel=0
+pkgrel=1
pkgdesc="Cloud computing framework for efficient, scalable, and stable soft-realtime event processing."
url="https://cloudi.org/"
license="MIT"
diff --git a/community/containerd/APKBUILD b/community/containerd/APKBUILD
index 5c477bb293..3624751105 100644
--- a/community/containerd/APKBUILD
+++ b/community/containerd/APKBUILD
@@ -3,8 +3,8 @@
pkgname=containerd
# NOTE: containerd's Makefile tries to get REVISION from git, but we're building from a tarball.
-_commit=05f951a3781f4f2c1911b05e61c160e9c30eaa8e
-pkgver=1.4.4
+_commit=7eba5930496d9bbe375fdf71603e610ad737d2b2
+pkgver=1.4.8
pkgrel=0
pkgdesc="An open and reliable container runtime"
url="https://containerd.io"
@@ -24,6 +24,8 @@ source="containerd-$pkgver.tar.gz::https://github.com/containerd/containerd/arch
builddir="$srcdir/src/github.com/containerd/containerd"
# secfixes:
+# 1.4.8-r0:
+# - CVE-2021-32760
# 1.4.4-r0:
# - CVE-2021-21334
# 1.4.3-r0:
@@ -95,6 +97,6 @@ stress() {
amove usr/bin/containerd-stress
}
-sha512sums="f09930d19f53381d86cf522954458ecc949f15a0c6a49f990bdb61fe19afee075356338998ed84bd756f16ba85211f55f9c638de8b7083d71e24d8e87335e070 containerd-1.4.4.tar.gz
+sha512sums="3c4c52a7a1b3fb76f7837ef7260024e25df14e86ccaea351a0811dd9b7335eddc94019e3fb7e6acb4a41a3dee9c18387d0b44ea406c3534c64e8a4b3dee6a45b containerd-1.4.8.tar.gz
21a9888b684913138ec4a342b0b69e40e9c773ecd329c4e2401a807365586468cb19035583a4fc8b0f86138f5ee4c7fb911c75495263e4b43d2886ea11e0e271 containerd.confd
2818cb9e062a6b75c5e2ad6a076eb26edc9fd9b70356b37f9306d082dc360a2d7bd802531afd8e73998cc0fdaa6ad34cd7a0a1d67bd98ee1bb7f30bab16d6084 containerd.initd"
diff --git a/community/dino/APKBUILD b/community/dino/APKBUILD
index 901792d300..f6bdaa95d1 100644
--- a/community/dino/APKBUILD
+++ b/community/dino/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Galen Abell <galen@galenabell.com>
# Maintainer: Galen Abell <galen@galenabell.com>
pkgname=dino
-pkgver=0.2.0
+pkgver=0.2.1
pkgrel=0
pkgdesc="Modern Jabber/XMPP client"
url="https://dino.im"
@@ -29,6 +29,10 @@ source="
mobile-ui.patch
"
+# secfixes:
+# 0.2.1-r0:
+# - CVE-2021-33896
+
build() {
./configure \
--build=$CBUILD \
@@ -49,5 +53,5 @@ check() {
package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="296576f91d45a4dd8c548a7ca5b47bcaf847f6ff0f8e5dbafaa4eb49a2d4f1ed7e2bbfac94f1b32e22f5ec61b23748ac76b12bb4ceb710889aff166953ca7a2e dino-0.2.0.tar.gz
+sha512sums="b71497ec115945eadf7d33bb973f68465a20284aa75f37f1ae25fc30c1c423ce28cb10f7e9123c47f82e77e97170b8fa72c75389dacc3a2aa3d487a9c9610d49 dino-0.2.1.tar.gz
924c83719fb0b7093bccd3ba27ecef6e8a4b88bc17e88f826b79ca59e3e80f936a7e3d31ad90812cccebac6094e89a398182016598483620bc1ce3a1591c97e0 mobile-ui.patch"
diff --git a/community/drupal7/APKBUILD b/community/drupal7/APKBUILD
index afa5a729e9..8d5ec544db 100644
--- a/community/drupal7/APKBUILD
+++ b/community/drupal7/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Maintainer: Andy Postnikov <apostnikov@gmail.com>
pkgname=drupal7
-pkgver=7.78
+pkgver=7.81
pkgrel=0
pkgdesc="An open source content management platform"
url="https://www.drupal.org/"
@@ -36,6 +36,8 @@ builddir="$srcdir/drupal-$pkgver"
options="!check" # This package not have testsuite
# secfixes:
+# 7.81-r0:
+# - CVE-2020-13672
# 7.78-r0:
# - CVE-2020-36193
# 7.75-r0:
@@ -96,4 +98,4 @@ package() {
"$pkgdir"/var/lib/$pkgname/sites/default/files
}
-sha512sums="405ed053c0b73e8768ee2a8dda9fb7257e8c8664cbf76025dd58d34ed16bfd0c9e853b92cfee03e85b38e9d6d9c578d52c6943e804224ce73cf7be414f4cfb91 drupal-7.78.tar.gz"
+sha512sums="2ce8f727796ea54b9a71e1af57d3a9da50b45c841e461864f42298a6391b5fc9e234b595dcd1c75c8081504a05806a6a3df91cc231813a4c72cf396e8ef1c1d0 drupal-7.81.tar.gz"
diff --git a/community/exiv2/APKBUILD b/community/exiv2/APKBUILD
index 024dcd6a02..831a490106 100644
--- a/community/exiv2/APKBUILD
+++ b/community/exiv2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=exiv2
pkgver=0.27.3
-pkgrel=1
+pkgrel=2
pkgdesc="Exif and Iptc metadata manipulation library and tools."
url="https://exiv2.org"
arch="all"
@@ -13,7 +13,12 @@ subpackages="$pkgname-dev $pkgname-doc"
source="https://exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
CVE-2021-3482.patch
CVE-2021-29457.patch
- CVE-2021-29458.patch"
+ CVE-2021-29458.patch
+ CVE-2021-29463.patch
+ CVE-2021-29470.patch
+ CVE-2021-29473.patch
+ CVE-2021-29623.patch
+ CVE-2021-32617.patch"
builddir="$srcdir"/$pkgname-$pkgver-Source
prepare() {
@@ -29,6 +34,12 @@ prepare() {
}
# secfixes:
+# 0.27.3-r2:
+# - CVE-2021-29463
+# - CVE-2021-29470
+# - CVE-2021-29473
+# - CVE-2021-29623
+# - CVE-2021-32617
# 0.27.3-r1:
# - CVE-2021-3482
# - CVE-2021-29457
@@ -68,4 +79,9 @@ sha512sums="
9c3f52881df19ca2be9a66480642f5fb91d4be0dd3e513902ec4336536736ec37447df452a775dd933dc011de9d8c4ca3760e3c7545ab5d150876d9dab64bd06 CVE-2021-3482.patch
27c187c1eb1b3118e8dc3342c1ba7700a522f6e05083b3a4540c2490580320f3e59eb06a1f6abc98ad28f6a3ccb91351ee56caaa9befbb2dc6c5ea1567c711f2 CVE-2021-29457.patch
d892622c53b1ba5ac48c33a599f37853c8471cce82ae14679d33df17f1251b2e353ce2436c1c730a9a8d1e8bfd9175f7b79263e9b402ecf3ac024db69d10c0e0 CVE-2021-29458.patch
+e885b5bb23b317a7050869b2bcb244fd8744ce2f6019285c8bf5dc2f16c37cb4fc76b9e214fe0fff14529bd49c63d968c8c04908841c5c9cf74c5bb9a6eb9363 CVE-2021-29463.patch
+5fac2406f45439983cc6334968c238952e6ce1d84b6f665114a2dfee306bbafc02279ebcb6bda06dd22ac47117496126d9e2e1ff9882e0c03794bce781670c33 CVE-2021-29470.patch
+fcb726d7fb2de1709f7f7a43ceb55b29c18c3f55f4872671e13874af219c563a05aa0d6b87c7e86b9e544d618e9ea3638cf3e830f597587b5ae0736222cccc80 CVE-2021-29473.patch
+fbe5daabbcedd40474d4a5bdf79886408325768dd3cd81ab0f6332efca48e26239a600ff770788461b825146e2ad97ec334f74ea8e2d4121e8204bd95f3bfabb CVE-2021-29623.patch
+565a43fb1fef12d82adc77f01ffbb90a410c8061b1cf20e1fe95faece9727274ebaa3ba3b50c4d08a6e8e7b9b5daf624198d32b02e9d88c2b8f01bf93bd9046b CVE-2021-32617.patch
"
diff --git a/community/exiv2/CVE-2021-29463.patch b/community/exiv2/CVE-2021-29463.patch
new file mode 100644
index 0000000000..5ab64a7d3e
--- /dev/null
+++ b/community/exiv2/CVE-2021-29463.patch
@@ -0,0 +1,120 @@
+From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 19 Apr 2021 18:06:00 +0100
+Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata()
+
+---
+ src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/src/webpimage.cpp b/src/webpimage.cpp
+index 4ddec544c..fee110bca 100644
+--- a/src/webpimage.cpp
++++ b/src/webpimage.cpp
+@@ -145,7 +145,7 @@ namespace Exiv2 {
+ DataBuf chunkId(WEBP_TAG_SIZE+1);
+ chunkId.pData_ [WEBP_TAG_SIZE] = '\0';
+
+- io_->read(data, WEBP_TAG_SIZE * 3);
++ readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata);
+ uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian);
+
+ /* Set up header */
+@@ -185,13 +185,20 @@ namespace Exiv2 {
+ case we have any exif or xmp data, also check
+ for any chunks with alpha frame/layer set */
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, WEBP_TAG_SIZE);
+- io_->read(size_buff, WEBP_TAG_SIZE);
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
++
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+ DataBuf payload(size);
+- io_->read(payload.pData_, payload.size_);
+- byte c;
+- if ( payload.size_ % 2 ) io_->read(&c,1);
++ readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
++ if ( payload.size_ % 2 ) {
++ byte c;
++ readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata);
++ }
+
+ /* Chunk with information about features
+ used in the file. */
+@@ -199,6 +206,7 @@ namespace Exiv2 {
+ has_vp8x = true;
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -227,6 +235,7 @@ namespace Exiv2 {
+ }
+ #endif
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[2];
+
+@@ -244,11 +253,13 @@ namespace Exiv2 {
+
+ /* Chunk with with lossless image data. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf_w[2];
+ byte size_buf_h[3];
+@@ -276,11 +287,13 @@ namespace Exiv2 {
+
+ /* Chunk with animation frame. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) {
++ enforce(size >= 6, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[5] & 0x2) == 0x2) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) {
++ enforce(size >= 12, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -309,16 +322,22 @@ namespace Exiv2 {
+
+ io_->seek(12, BasicIo::beg);
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, 4);
+- io_->read(size_buff, 4);
++ readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata);
++
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
+
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+
+ DataBuf payload(size);
+- io_->read(payload.pData_, size);
++ readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata);
+ if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad
+
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) {
++ enforce(size >= 1, Exiv2::kerCorruptedMetadata);
+ if (has_icc){
+ payload.pData_[0] |= WEBP_VP8X_ICC_BIT;
+ } else {
diff --git a/community/exiv2/CVE-2021-29470.patch b/community/exiv2/CVE-2021-29470.patch
new file mode 100644
index 0000000000..6d9b165e92
--- /dev/null
+++ b/community/exiv2/CVE-2021-29470.patch
@@ -0,0 +1,21 @@
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 0de088d..6310c08 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+ int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+ int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+ int32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ int32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
diff --git a/community/exiv2/CVE-2021-29473.patch b/community/exiv2/CVE-2021-29473.patch
new file mode 100644
index 0000000000..685dec010f
--- /dev/null
+++ b/community/exiv2/CVE-2021-29473.patch
@@ -0,0 +1,21 @@
+From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 23 Apr 2021 11:44:44 +0100
+Subject: [PATCH 2/2] Add bounds check in Jp2Image::doWriteMetadata().
+
+---
+ src/jp2image.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 1694fed27..ca8c9ddbb 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m)
+
+ case kJp2BoxTypeUuid:
+ {
++ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);
+ if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)
+ {
+ #ifdef EXIV2_DEBUG_MESSAGES
diff --git a/community/exiv2/CVE-2021-29623.patch b/community/exiv2/CVE-2021-29623.patch
new file mode 100644
index 0000000000..120d5f7801
--- /dev/null
+++ b/community/exiv2/CVE-2021-29623.patch
@@ -0,0 +1,26 @@
+From 82e46b5524fb904e6660dadd2c6d8e5e47375a1a Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Tue, 11 May 2021 12:14:33 +0100
+Subject: [PATCH] Use readOrThrow to check error conditions of iIo.read().
+
+---
+ src/webpimage.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/webpimage.cpp b/src/webpimage.cpp
+index 7c64ff3d7..ca26e514a 100644
+--- a/src/webpimage.cpp
++++ b/src/webpimage.cpp
+@@ -754,9 +754,9 @@ namespace Exiv2 {
+ byte webp[len];
+ byte data[len];
+ byte riff[len];
+- iIo.read(riff, len);
+- iIo.read(data, len);
+- iIo.read(webp, len);
++ readOrThrow(iIo, riff, len, Exiv2::kerCorruptedMetadata);
++ readOrThrow(iIo, data, len, Exiv2::kerCorruptedMetadata);
++ readOrThrow(iIo, webp, len, Exiv2::kerCorruptedMetadata);
+ bool matched_riff = (memcmp(riff, RiffImageId, len) == 0);
+ bool matched_webp = (memcmp(webp, WebPImageId, len) == 0);
+ iIo.seek(-12, BasicIo::cur);
diff --git a/community/exiv2/CVE-2021-32617.patch b/community/exiv2/CVE-2021-32617.patch
new file mode 100644
index 0000000000..8ec91b765a
--- /dev/null
+++ b/community/exiv2/CVE-2021-32617.patch
@@ -0,0 +1,125 @@
+From c261fbaa2567687eec6a595d3016212fd6ae648d Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sun, 16 May 2021 15:05:08 +0100
+Subject: [PATCH] Fix quadratic complexity performance bug.
+
+---
+ xmpsdk/src/XMPMeta-Parse.cpp | 57 +++++++++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+
+diff --git a/xmpsdk/src/XMPMeta-Parse.cpp b/xmpsdk/src/XMPMeta-Parse.cpp
+index 9f66fe8..f9c37d7 100644
+--- a/xmpsdk/src/XMPMeta-Parse.cpp
++++ b/xmpsdk/src/XMPMeta-Parse.cpp
+@@ -976,12 +976,26 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+ {
+ const XMP_Uns8 * bufEnd = buffer + length;
+
+- const XMP_Uns8 * spanStart = buffer;
+ const XMP_Uns8 * spanEnd;
+-
+- for ( spanEnd = spanStart; spanEnd < bufEnd; ++spanEnd ) {
+
+- if ( (0x20 <= *spanEnd) && (*spanEnd <= 0x7E) && (*spanEnd != '&') ) continue; // A regular ASCII character.
++ // `buffer` is copied into this std::string. If `buffer` only
++ // contains valid UTF-8 and no escape characters, then the copy
++ // will be identical to the original, but invalid characters are
++ // replaced - usually with a space character. This std::string was
++ // added as a performance fix for:
++ // https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
++ // Previously, the code was repeatedly calling
++ // `xmlParser->ParseBuffer()`, which turned out to have quadratic
++ // complexity, because expat kept reparsing the entire string from
++ // the beginning.
++ std::string copy;
++
++ for ( spanEnd = buffer; spanEnd < bufEnd; ++spanEnd ) {
++
++ if ( (0x20 <= *spanEnd) && (*spanEnd <= 0x7E) && (*spanEnd != '&') ) {
++ copy.push_back(*spanEnd);
++ continue; // A regular ASCII character.
++ }
+
+ if ( *spanEnd >= 0x80 ) {
+
+@@ -992,21 +1006,20 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+ if ( uniLen > 0 ) {
+
+ // A valid UTF-8 character, keep it as-is.
++ copy.append((const char*)spanEnd, uniLen);
+ spanEnd += uniLen - 1; // ! The loop increment will put back the +1.
+
+ } else if ( (uniLen < 0) && (! last) ) {
+
+ // Have a partial UTF-8 character at the end of the buffer and more input coming.
+- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
++ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
+ return (spanEnd - buffer);
+
+ } else {
+
+ // Not a valid UTF-8 sequence. Replace the first byte with the Latin-1 equivalent.
+- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+ const char * replacement = kReplaceLatin1 [ *spanEnd - 0x80 ];
+- xmlParser->ParseBuffer ( replacement, strlen ( replacement ), false );
+- spanStart = spanEnd + 1; // ! The loop increment will do "spanEnd = spanStart".
++ copy.append ( replacement );
+
+ }
+
+@@ -1014,11 +1027,12 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+
+ // Replace ASCII controls other than tab, LF, and CR with a space.
+
+- if ( (*spanEnd == kTab) || (*spanEnd == kLF) || (*spanEnd == kCR) ) continue;
++ if ( (*spanEnd == kTab) || (*spanEnd == kLF) || (*spanEnd == kCR) ) {
++ copy.push_back(*spanEnd);
++ continue;
++ }
+
+- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+- xmlParser->ParseBuffer ( " ", 1, false );
+- spanStart = spanEnd + 1; // ! The loop increment will do "spanEnd = spanStart".
++ copy.push_back(' ');
+
+ } else {
+
+@@ -1030,18 +1044,21 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+ if ( escLen < 0 ) {
+
+ // Have a partial numeric escape in this buffer, wait for more input.
+- if ( last ) continue; // No more buffers, not an escape, absorb as normal input.
+- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
++ if ( last ) {
++ copy.push_back('&');
++ continue; // No more buffers, not an escape, absorb as normal input.
++ }
++ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
+ return (spanEnd - buffer);
+
+ } else if ( escLen > 0 ) {
+
+ // Have a complete numeric escape to replace.
+- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+- xmlParser->ParseBuffer ( " ", 1, false );
+- spanStart = spanEnd + escLen;
+- spanEnd = spanStart - 1; // ! The loop continuation will increment spanEnd!
++ copy.push_back(' ');
++ spanEnd = spanEnd + escLen - 1; // ! The loop continuation will increment spanEnd!
+
++ } else {
++ copy.push_back('&');
+ }
+
+ }
+@@ -1050,8 +1067,8 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+
+ XMP_Assert ( spanEnd == bufEnd );
+
+- if ( spanStart < bufEnd ) xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+- if ( last ) xmlParser->ParseBuffer ( " ", 1, true );
++ copy.push_back(' ');
++ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), true );
+
+ return length;
+
diff --git a/community/ffmpeg/APKBUILD b/community/ffmpeg/APKBUILD
index 8fbdbc3e99..365aa99738 100644
--- a/community/ffmpeg/APKBUILD
+++ b/community/ffmpeg/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ffmpeg
pkgver=4.3.1
-pkgrel=3
+pkgrel=4
pkgdesc="Complete and free Internet live audio and video broadcasting solution for Linux/Unix"
url="https://ffmpeg.org/"
arch="all"
@@ -46,9 +46,12 @@ source="https://ffmpeg.org/releases/ffmpeg-$pkgver.tar.xz
0001-libavutil-clean-up-unused-FF_SYMVER-macro.patch
3e098cca6e51db0f19928c12d0348deaa17137b3.patch
7c59e1b0f285cd7c7b35fcd71f49c5fd52cf9315.patch
+ CVE-2020-35965.patch
"
# secfixes:
+# 4.3.1-r4:
+# - CVE-2020-35965
# 4.3.1-r0:
# - CVE-2020-14212
# 4.3-r0:
@@ -191,7 +194,10 @@ libs() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
-sha512sums="64e1052c45145e27726e43d4fe49c9a92058e55562d34fd3b3adf54d3506e6bd680f016b748828215e1bfc8ce19aa85b6f7e4eb05fafe21479118a4ad528a81f ffmpeg-4.3.1.tar.xz
+sha512sums="
+64e1052c45145e27726e43d4fe49c9a92058e55562d34fd3b3adf54d3506e6bd680f016b748828215e1bfc8ce19aa85b6f7e4eb05fafe21479118a4ad528a81f ffmpeg-4.3.1.tar.xz
1047a23eda51b576ac200d5106a1cd318d1d5291643b3a69e025c0a7b6f3dbc9f6eb0e1e6faa231b7e38c8dd4e49a54f7431f87a93664da35825cc2e9e8aedf4 0001-libavutil-clean-up-unused-FF_SYMVER-macro.patch
7151e98829c215619b82e27fdff98b9a0d6a778f499170f3688e111a8bf7b2cc8895f09aa49bcb812ba5b5f06dd0243ebc79c31af246420f7d0869859b4a0241 3e098cca6e51db0f19928c12d0348deaa17137b3.patch
-acf4b34feaa1c57f621d5a8f56967e6d77ebe1d6288d94b853b513d6b2339debbaa38063ec11900258f31753cf24fef81bd60225149af45c03bfddf0b231f881 7c59e1b0f285cd7c7b35fcd71f49c5fd52cf9315.patch"
+acf4b34feaa1c57f621d5a8f56967e6d77ebe1d6288d94b853b513d6b2339debbaa38063ec11900258f31753cf24fef81bd60225149af45c03bfddf0b231f881 7c59e1b0f285cd7c7b35fcd71f49c5fd52cf9315.patch
+ab5006a99af6e0402e1a2bc13a76f55b13144fcd7b71124fe3f82989d03bf1e1c306b66da7ce63662b6dfbdbb3edebef2cf280c08ac793fc3b983bd65c0f0ad5 CVE-2020-35965.patch
+"
diff --git a/community/ffmpeg/CVE-2020-35965.patch b/community/ffmpeg/CVE-2020-35965.patch
new file mode 100644
index 0000000000..b3ecc45b63
--- /dev/null
+++ b/community/ffmpeg/CVE-2020-35965.patch
@@ -0,0 +1,28 @@
+From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 24 Oct 2020 22:21:48 +0200
+Subject: [PATCH] avcodec/exr: Check ymin vs. h
+
+Fixes: out of array access
+Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
+Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavcodec/exr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/exr.c b/libavcodec/exr.c
+index e907c5c46401..8b701d1cd298 100644
+--- a/libavcodec/exr.c
++++ b/libavcodec/exr.c
+@@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
+ // Zero out the start if ymin is not 0
+ for (i = 0; i < planes; i++) {
+ ptr = picture->data[i];
+- for (y = 0; y < s->ymin; y++) {
++ for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
+ memset(ptr, 0, out_line_size);
+ ptr += picture->linesize[i];
+ }
diff --git a/community/file-roller/APKBUILD b/community/file-roller/APKBUILD
index 72a7b7d7fa..784e7a9bd8 100644
--- a/community/file-roller/APKBUILD
+++ b/community/file-roller/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=file-roller
pkgver=3.38.0
-pkgrel=0
+pkgrel=1
pkgdesc="File Roller is an archive manager for the GNOME desktop "
url="https://wiki.gnome.org/Apps/FileRoller"
arch="all !s390x !mips !mips64" # blocked by nautilus-dev
@@ -11,7 +11,12 @@ depends="cpio"
makedepends="meson glib-dev gtk+3.0-dev json-glib-dev libnotify-dev libarchive-dev
itstool nautilus-dev"
subpackages="$pkgname-lang"
-source="https://download.gnome.org/sources/file-roller/${pkgver%.*}/file-roller-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/file-roller/${pkgver%.*}/file-roller-$pkgver.tar.xz
+ CVE-2020-36314.patch"
+
+# secfixes:
+# 3.38.0-r1:
+# - CVE-2020-36314
build() {
abuild-meson \
@@ -29,4 +34,7 @@ package() {
DESTDIR="$pkgdir" meson install --no-rebuild -C output
}
-sha512sums="9c2e3c105397bceb08e30c9796b9242633fe49772aed2e7f67461c34a51be1493e922301b1fc29bdcb0fa50d220f4a7db2ee7642f629007ce2bef00334d7110e file-roller-3.38.0.tar.xz"
+sha512sums="
+9c2e3c105397bceb08e30c9796b9242633fe49772aed2e7f67461c34a51be1493e922301b1fc29bdcb0fa50d220f4a7db2ee7642f629007ce2bef00334d7110e file-roller-3.38.0.tar.xz
+aa39e3a8b829e9831fcb658fccb1e01532a01fb7b94babb31553b4a9624cb0a66eec29f7d03f8cbc6b8e71022e1859ef3e526cd85ee39be235ba2fc7ec073187 CVE-2020-36314.patch
+"
diff --git a/community/file-roller/CVE-2020-36314.patch b/community/file-roller/CVE-2020-36314.patch
new file mode 100644
index 0000000000..3a9c07f0e2
--- /dev/null
+++ b/community/file-roller/CVE-2020-36314.patch
@@ -0,0 +1,218 @@
+From e970f4966bf388f6e7c277357c8b186c645683ae Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 11 Mar 2021 16:24:35 +0100
+Subject: [PATCH] libarchive: Skip files with symlinks in parents
+
+Currently, it is still possible that some files are extracted outside of
+the destination dir in case of malicious archives. The checks from commit
+21dfcdbf can be still bypassed in certain cases. See GNOME/file-roller#108
+for more details. After some investigation, I am convinced that it would be
+best to simply disallow symlinks in parents. For example, `tar` fails to
+extract such files with the `ENOTDIR` error. Let's do the same here.
+
+Fixes: https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
+---
+ src/fr-archive-libarchive.c | 136 ++++++------------------------------
+ 1 file changed, 20 insertions(+), 116 deletions(-)
+
+diff --git a/src/fr-archive-libarchive.c b/src/fr-archive-libarchive.c
+index 4f698ee4..e61f8821 100644
+--- a/src/fr-archive-libarchive.c
++++ b/src/fr-archive-libarchive.c
+@@ -697,115 +697,12 @@ _g_output_stream_add_padding (ExtractData *extract_data,
+ return success;
+ }
+
+-
+-static gboolean
+-_symlink_is_external_to_destination (GFile *file,
+- const char *symlink,
+- GFile *destination,
+- GHashTable *external_links);
+-
+-
+-static gboolean
+-_g_file_is_external_link (GFile *file,
+- GFile *destination,
+- GHashTable *external_links)
+-{
+- GFileInfo *info;
+- gboolean external;
+-
+- if (g_hash_table_lookup (external_links, file) != NULL)
+- return TRUE;
+-
+- info = g_file_query_info (file,
+- G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK "," G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET,
+- G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+- NULL,
+- NULL);
+-
+- if (info == NULL)
+- return FALSE;
+-
+- external = FALSE;
+-
+- if (g_file_info_get_is_symlink (info)) {
+- if (_symlink_is_external_to_destination (file,
+- g_file_info_get_symlink_target (info),
+- destination,
+- external_links))
+- {
+- g_hash_table_insert (external_links, g_object_ref (file), GINT_TO_POINTER (1));
+- external = TRUE;
+- }
+- }
+-
+- g_object_unref (info);
+-
+- return external;
+-}
+-
+-
+ static gboolean
+-_symlink_is_external_to_destination (GFile *file,
+- const char *symlink,
+- GFile *destination,
+- GHashTable *external_links)
++_g_file_contains_symlinks_in_path (const char *relative_path,
++ GFile *destination,
++ GHashTable *symlinks)
+ {
+- gboolean external = FALSE;
+- GFile *parent;
+- char **components;
+- int i;
+-
+- if ((file == NULL) || (symlink == NULL))
+- return FALSE;
+-
+- if (symlink[0] == '/')
+- return TRUE;
+-
+- parent = g_file_get_parent (file);
+- components = g_strsplit (symlink, "/", -1);
+- for (i = 0; components[i] != NULL; i++) {
+- char *name = components[i];
+- GFile *tmp;
+-
+- if ((name[0] == 0) || ((name[0] == '.') && (name[1] == 0)))
+- continue;
+-
+- if ((name[0] == '.') && (name[1] == '.') && (name[2] == 0)) {
+- if (g_file_equal (parent, destination)) {
+- external = TRUE;
+- break;
+- }
+- else {
+- tmp = g_file_get_parent (parent);
+- g_object_unref (parent);
+- parent = tmp;
+- }
+- }
+- else {
+- tmp = g_file_get_child (parent, components[i]);
+- g_object_unref (parent);
+- parent = tmp;
+- }
+-
+- if (_g_file_is_external_link (parent, destination, external_links)) {
+- external = TRUE;
+- break;
+- }
+- }
+-
+- g_strfreev (components);
+- g_object_unref (parent);
+-
+- return external;
+-}
+-
+-
+-static gboolean
+-_g_path_is_external_to_destination (const char *relative_path,
+- GFile *destination,
+- GHashTable *external_links)
+-{
+- gboolean external = FALSE;
++ gboolean contains_symlinks = FALSE;
+ GFile *parent;
+ char **components;
+ int i;
+@@ -828,8 +725,8 @@ _g_path_is_external_to_destination (const char *relative_path,
+ g_object_unref (parent);
+ parent = tmp;
+
+- if (_g_file_is_external_link (parent, destination, external_links)) {
+- external = TRUE;
++ if (g_hash_table_contains (symlinks, parent)) {
++ contains_symlinks = TRUE;
+ break;
+ }
+ }
+@@ -837,7 +734,7 @@ _g_path_is_external_to_destination (const char *relative_path,
+ g_strfreev (components);
+ g_object_unref (parent);
+
+- return external;
++ return contains_symlinks;
+ }
+
+
+@@ -851,7 +748,7 @@ extract_archive_thread (GSimpleAsyncResult *result,
+ GHashTable *checked_folders;
+ GHashTable *created_files;
+ GHashTable *folders_created_during_extraction;
+- GHashTable *external_links;
++ GHashTable *symlinks;
+ struct archive *a;
+ struct archive_entry *entry;
+ int r;
+@@ -868,7 +765,7 @@ extract_archive_thread (GSimpleAsyncResult *result,
+ checked_folders = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, NULL);
+ created_files = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, g_object_unref);
+ folders_created_during_extraction = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, NULL);
+- external_links = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, NULL);
++ symlinks = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, NULL);
+ fr_archive_progress_set_total_files (load_data->archive, extract_data->n_files_to_extract);
+
+ while ((r = archive_read_next_header (a, &entry)) == ARCHIVE_OK) {
+@@ -902,7 +799,14 @@ extract_archive_thread (GSimpleAsyncResult *result,
+ continue;
+ }
+
+- if (_g_path_is_external_to_destination (relative_path, extract_data->destination, external_links)) {
++ /* Symlinks in parents are dangerous as it can easily happen
++ * that files are written outside of the destination. The tar
++ * cmd fails to extract such archives with ENOTDIR. Let's skip
++ * those files here for sure. This is most probably malicious,
++ * or corrupted archive.
++ */
++ if (_g_file_contains_symlinks_in_path (relative_path, extract_data->destination, symlinks)) {
++ g_warning ("Skipping '%s' file as it has symlink in parents.", relative_path);
+ fr_archive_progress_inc_completed_files (load_data->archive, 1);
+ fr_archive_progress_inc_completed_bytes (load_data->archive, archive_entry_size_is_set (entry) ? archive_entry_size (entry) : 0);
+ archive_read_data_skip (a);
+@@ -1123,8 +1027,8 @@ extract_archive_thread (GSimpleAsyncResult *result,
+ load_data->error = g_error_copy (local_error);
+ g_clear_error (&local_error);
+ }
+- if ((load_data->error == NULL) && _symlink_is_external_to_destination (file, archive_entry_symlink (entry), extract_data->destination, external_links))
+- g_hash_table_insert (external_links, g_object_ref (file), GINT_TO_POINTER (1));
++ if (load_data->error == NULL)
++ g_hash_table_add (symlinks, g_object_ref (file));
+ archive_read_data_skip (a);
+ break;
+
+@@ -1159,7 +1063,7 @@ extract_archive_thread (GSimpleAsyncResult *result,
+ g_hash_table_unref (folders_created_during_extraction);
+ g_hash_table_unref (created_files);
+ g_hash_table_unref (checked_folders);
+- g_hash_table_unref (external_links);
++ g_hash_table_unref (symlinks);
+ archive_read_free (a);
+ extract_data_free (extract_data);
+ }
+--
+GitLab
+
diff --git a/community/firefox-esr/APKBUILD b/community/firefox-esr/APKBUILD
index c80461cab8..112943b2f9 100644
--- a/community/firefox-esr/APKBUILD
+++ b/community/firefox-esr/APKBUILD
@@ -2,9 +2,9 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=firefox-esr
-pkgver=78.10.0
+pkgver=78.11.0
# Date of release, YY-MM-DD for metainfo file (see package())
-_releasedate=2021-04-19
+_releasedate=2021-06-01
pkgrel=0
pkgdesc="Firefox web browser - Extended Support Release"
url="https://www.mozilla.org/en-US/firefox/organizations/"
@@ -86,6 +86,8 @@ _mozappdir=/usr/lib/firefox
ldpath="$_mozappdir"
# secfixes:
+# 78.11.0-r0:
+# - CVE-2021-29967
# 78.10.0-r0:
# - CVE-2021-23961
# - CVE-2021-23994
@@ -450,7 +452,8 @@ npapi() {
amove usr/lib/firefox/gtk2
}
-sha512sums="5e2cf137dc781855542c29df6152fa74ba749801640ade3cf01487ce993786b87a4f603d25c0af9323e67c7e15c75655523428c1c1426527b8623c7ded9f5946 firefox-78.10.0esr.source.tar.xz
+sha512sums="
+d02fc2eda587155b1c54ca12a6c5cde220a29f41f154f1c9b71ae8f966d8cc9439201a5b241e03fc0795b74e2479f7aa5d6b69f70b7639432e5382f321f7a6f4 firefox-78.11.0esr.source.tar.xz
0b3f1e4b9fdc868e4738b5c81fd6c6128ce8885b260affcb9a65ff9d164d7232626ce1291aaea70132b3e3124f5e13fef4d39326b8e7173e362a823722a85127 stab.h
2f4f15974d52de4bb273b62a332d13620945d284bbc6fe6bd0a1f58ff7388443bc1d3bf9c82cc31a8527aad92b0cd3a1bc41d0af5e1800e0dcbd7033e58ffd71 fix-fortify-system-wrappers.patch
4510fb92653d0fdcfbc6d30e18087c0d22d4acd5eb53be7d0a333abe087a9e0bf9e58e56bafe96e1e1b28ebd1fd33b8926dbb70c221007e335b33d1468755c66 fix-tools.patch
@@ -465,4 +468,5 @@ f3b7c3e804ce04731012a46cb9e9a6b0769e3772aef9c0a4a8c7520b030fdf6cd703d5e9ff49275f
bb75b2abda86e455d81571052a2cfec5a9d858ffa91c50a7217b4b6c02cbfc0400e9114a27bd54ce78d7d3a44e9b03927cf0317654d98c0f39d26c63c9670117 remove-faulty-libvpx-check.patch
f963fcdba7307a0b1712dfb95ceba4ab49f449f60e550bb69d15d50272e6df9add90862251ee561e4ea5fd171a2703552ffa7aade92996f5f0b3e577f1544a6d disable-neon-in-aom.patch
4911ddb41bef8d9f6d6200159cde465627e940fe1c09099be55769d21a5a52a3f737e1bf803daa96126c035b091aea880fbc5d2e6cf5da96ddd17322461a72d6 sandbox-fork.patch
-db26757b2ebf9f567962e32294b4ae48b3a5d0378a7589dfe650fe3a179ff58befbab5082981c68e1c25fb9e56b2db1e4e510d4bca17c3e3aedbf9a2f21806eb sandbox-sched_setscheduler.patch"
+db26757b2ebf9f567962e32294b4ae48b3a5d0378a7589dfe650fe3a179ff58befbab5082981c68e1c25fb9e56b2db1e4e510d4bca17c3e3aedbf9a2f21806eb sandbox-sched_setscheduler.patch
+"
diff --git a/community/firefox/APKBUILD b/community/firefox/APKBUILD
index 9153aa8021..1b7609f625 100644
--- a/community/firefox/APKBUILD
+++ b/community/firefox/APKBUILD
@@ -2,9 +2,9 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=firefox
-pkgver=88.0
+pkgver=89.0.1
# Date of release, YY-MM-DD for metainfo file (see package())
-_releasedate=2021-04-19
+_releasedate=2021-06-17
pkgrel=0
pkgdesc="Firefox web browser"
url="https://www.firefox.com/"
@@ -81,7 +81,6 @@ source="https://ftp.mozilla.org/pub/firefox/releases/$pkgver/source/firefox-$pkg
sandbox-largefile.patch
avoid-redefinition.patch
- disable-minidump.patch
"
subpackages="$pkgname-npapi"
@@ -92,6 +91,17 @@ _mozappdir=/usr/lib/firefox
ldpath="$_mozappdir"
# secfixes:
+# 89.0-r0:
+# - CVE-2021-29959
+# - CVE-2021-29960
+# - CVE-2021-29961
+# - CVE-2021-29962
+# - CVE-2021-29963
+# - CVE-2021-29965
+# - CVE-2021-29966
+# - CVE-2021-29967
+# 88.0.1-r0:
+# - CVE-2021-29952
# 88.0-r0:
# - CVE-2021-23994
# - CVE-2021-23995
@@ -454,7 +464,8 @@ npapi() {
amove usr/lib/firefox/gtk2
}
-sha512sums="f58f44f2f0d0f54eae5ab4fa439205feb8b9209b1bf2ea2ae0c9691e9e583bae2cbd4033edb5bdf4e37eda5b95fca688499bed000fe26ced8ff4bbc49347ce31 firefox-88.0.source.tar.xz
+sha512sums="
+67da387b3b6c5a110c83208f9a15d6064adf423bbebfb0fcad2d85f6c4b615b27da0cbd5486b817f0d5e040bc3e70d74d9af72599b24384397fef1dd153bd3f3 firefox-89.0.1.source.tar.xz
0b3f1e4b9fdc868e4738b5c81fd6c6128ce8885b260affcb9a65ff9d164d7232626ce1291aaea70132b3e3124f5e13fef4d39326b8e7173e362a823722a85127 stab.h
2f4f15974d52de4bb273b62a332d13620945d284bbc6fe6bd0a1f58ff7388443bc1d3bf9c82cc31a8527aad92b0cd3a1bc41d0af5e1800e0dcbd7033e58ffd71 fix-fortify-system-wrappers.patch
4510fb92653d0fdcfbc6d30e18087c0d22d4acd5eb53be7d0a333abe087a9e0bf9e58e56bafe96e1e1b28ebd1fd33b8926dbb70c221007e335b33d1468755c66 fix-tools.patch
@@ -471,4 +482,4 @@ f3b7c3e804ce04731012a46cb9e9a6b0769e3772aef9c0a4a8c7520b030fdf6cd703d5e9ff49275f
db26757b2ebf9f567962e32294b4ae48b3a5d0378a7589dfe650fe3a179ff58befbab5082981c68e1c25fb9e56b2db1e4e510d4bca17c3e3aedbf9a2f21806eb sandbox-sched_setscheduler.patch
b7d0a6126bdf6c0569f80aabf5b37ed2c7a35712eb8a0404a2d85381552f5555d4f97d213ea26cec6a45dc2785f22439376ed5f8e78b4fd664ef0223307b333e sandbox-largefile.patch
b1cb2db3122634f66d2bae7066e76f2dcd455c464e021db4de3b0a08314df95cb667846081682db549dd2af8a00831cabe44a2420c66cdfb5e3b5fa7e6bd21d3 avoid-redefinition.patch
-03d89aad52cc28c0159acc4f11de3f623b063a34f3796fcf0a4279c72c774cd1525f1f0f9775f89d0a12d73efc3c41a1b09c054c11e9ca5b1a39b565ed166a05 disable-minidump.patch"
+"
diff --git a/community/firefox/disable-minidump.patch b/community/firefox/disable-minidump.patch
deleted file mode 100644
index c9b0796c86..0000000000
--- a/community/firefox/disable-minidump.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Enables itself even when --disable-backtrace is set,
-and doesn't build on musl or ppc* (not tested).
-
-diff --git Cargo.toml Cargo.toml
-index 4076a60577..945f26f638 100644
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -13,7 +13,6 @@ members = [
- "netwerk/test/http3server",
- "security/manager/ssl/osclientcerts",
- "testing/geckodriver",
-- "toolkit/crashreporter/rust_minidump_writer_linux",
- "toolkit/library/gtest/rust",
- "toolkit/library/rust/",
- "toolkit/mozapps/defaultagent/rust",
-@@ -79,7 +78,6 @@ spirv_cross = { git = "https://github.com/kvark/spirv_cross", branch = "wgpu4" }
- # failure's backtrace feature might break our builds, see bug 1608157.
- failure = { git = "https://github.com/badboy/failure", rev = "64af847bc5fdcb6d2438bec8a6030812a80519a5" }
- failure_derive = { git = "https://github.com/badboy/failure", rev = "64af847bc5fdcb6d2438bec8a6030812a80519a5" }
--minidump_writer_linux = { git = "https://github.com/msirringhaus/minidump_writer_linux.git", rev = "01c7a0da8d34059f7dae8ab9e7512529ff16347a" }
-
- [patch.crates-io.cranelift-codegen]
- git = "https://github.com/mozilla-spidermonkey/wasmtime"
-diff --git toolkit/moz.configure toolkit/moz.configure
-index 806576b1ef..43ef8309f1 100644
---- a/toolkit/moz.configure
-+++ b/toolkit/moz.configure
-@@ -2487,8 +2487,6 @@ set_define("MOZ_USE_NATIVE_POPUP_WINDOWS", True, when="MOZ_USE_NATIVE_POPUP_WIND
- # ==============================================================
- @depends(target)
- def oxidized_breakpad(target):
-- if target.kernel == "Linux" and target.os != "Android":
-- return target.cpu in ("x86", "x86_64")
- return False
diff --git a/community/fluidsynth/APKBUILD b/community/fluidsynth/APKBUILD
index 9e3383d60b..399ce9bb7b 100644
--- a/community/fluidsynth/APKBUILD
+++ b/community/fluidsynth/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Bart Ribbers <bribbers@disroot.org>
# Maintainer: Bart Ribbers <bribbers@disroot.org>
pkgname=fluidsynth
-pkgver=2.1.6
+pkgver=2.1.8
pkgrel=0
arch="all"
url="http://www.fluidsynth.org"
@@ -23,6 +23,10 @@ makedepends="$depends_dev
source="https://github.com/fluidsynth/fluidsynth/archive/v$pkgver/fluidsynth-v$pkgver.tar.gz"
subpackages="$pkgname-dev $pkgname-doc"
+# secfixes:
+# 2.1.8-r0:
+# - CVE-2021-21417
+
build() {
cmake -B build \
-DCMAKE_BUILD_TYPE=None \
@@ -41,4 +45,6 @@ package() {
DESTDIR="$pkgdir" cmake --build build --target install
}
-sha512sums="168c882167089b067ec2056c92b19134136f574ca1f793473662274bdb0ae73236711d38ff75a84a738dd866a0f6dd790412d801ecf847e4416d4fb5cd20ae45 fluidsynth-v2.1.6.tar.gz"
+sha512sums="
+34f87ea1577b1e89146a1589c67771262961bb18d0c8b21aaa9a1315e18dffc984f18f21cc8a96cc52dca9e94fcad1bdec2b62678c5f2f3434a4faba713854a6 fluidsynth-v2.1.8.tar.gz
+"
diff --git a/community/frr/APKBUILD b/community/frr/APKBUILD
index d29c6571cd..442a1057b5 100644
--- a/community/frr/APKBUILD
+++ b/community/frr/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Daniel Corbe <daniel@corbe.net>
pkgname=frr
-pkgver=7.5
+pkgver=7.5.1
pkgrel=0
pkgdesc="Free Range Routing is a fork of Quagga"
pkgusers="frr"
@@ -125,6 +125,6 @@ snmp() {
mv "$pkgdir"/usr/lib/frr/libfrrsnmp.* "$subpkgdir/usr/lib/frr"
}
-sha512sums="d0d3c0bc0d30e2ebb93e20906768a996d21db23b23118c8e3c50d238e7bfdee7a789b4a90c9d7dbdc842d857f60bd44f0922b01b0c2c8b289ac860f008a430a9 frr-7.5.tar.gz
+sha512sums="cf20316abd39a2d96bb377bd594464ae74c20ad70c60246409fe9f04f0177fcd8891a8da54d83bee962f589a00e71f7b51e78f9729c8680e6265ddd548e0464e frr-7.5.1.tar.gz
b495b2be9f2cbb065104ccc0c3474471e870b53ac62ed4fba40020c8d50866e637a99ef3d7af5de1018ff659c4757baac4f40d7648a9de99ed14db33c8992b54 frr.initd
8c4e498d9a0496d23e2a95a1004e062f6838007a1c0eb52d7873e675c5587b69b51cbff73202e38231221d164c75f7a1e25b0621b20c78a5e7635aaa0c586053 allow-invalid-nlri-attributes.patch"
diff --git a/community/git-metafile/APKBUILD b/community/git-metafile/APKBUILD
index c3c45ac0e4..b8a60694ae 100644
--- a/community/git-metafile/APKBUILD
+++ b/community/git-metafile/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=git-metafile
-pkgver=0.2.0
+pkgver=0.2.1
pkgrel=0
pkgdesc="Store and restore files metadata in a git repository"
url="https://github.com/jirutka/git-metafile"
@@ -12,7 +12,6 @@ license="MIT"
depends="git"
makedepends="cargo rust"
source="https://github.com/jirutka/$pkgname/archive/v$pkgver/$pkgname-$pkgver.tar.gz
- minimize-size.patch
post-checkout
pre-commit
git-etc-init
@@ -43,9 +42,10 @@ package() {
ln -s post-checkout "$sharedir"/hooks/post-rewrite
}
-sha512sums="949b1a695211eb9d3ada3dab8b7c2479a3719f588c17825699c886faad3b025ef0bfab1a6bd7f28372a43d41e94bac7ff811732a84c3e9c0188406be35b53103 git-metafile-0.2.0.tar.gz
-9195370c073c20c91ea1492e59c4303c1df96a378bd8a0f1295a483e774ac91cb8150c5bf54ab71aef99ff2f3ab0736d6c265cc5172553a6cb926f098e6815ff minimize-size.patch
+sha512sums="
+d82ca14a37b873e8c7cabf9ef254686e1acecf2812abf5739c4bfba94bf9fac6fcdca5bc067c77f5370f55477d5b7eaa8947d2e89cd09a2500e522b4994ffbaa git-metafile-0.2.1.tar.gz
4bd2120071e11a8e9005491ad13ef9065cdb295eed11c3d168d511b93e3acabafc47f07b3463dd14ecd7147d41ce24dcc58eee2131c5656e8f2036eb4ab907f2 post-checkout
af36b28793d94e0c4d73020e50346ee3dcc981082b8304a2e224207ed5c0ea6ea8a4c59e2160f20f4d08e1d94104ee102f32d07d75f96ff88454f2fecb49a074 pre-commit
b45f9adf07bfbde958b7bdb8bfa18c18ee1d67110d8a1228c020a94cdcf8bd72e1e85714529968de6dc1a49016b5b31c30c3aff9fbcc1b6d9ccc8bf175369bce git-etc-init
-35edd88ec44f3eaadd64cb324e33f443295bf48c32b280f8aaae103c1c00df9d801c277c3987d19dbd5c71893a0504862f4f724251d81d1c404147d7d7c31abe gitignore"
+35edd88ec44f3eaadd64cb324e33f443295bf48c32b280f8aaae103c1c00df9d801c277c3987d19dbd5c71893a0504862f4f724251d81d1c404147d7d7c31abe gitignore
+"
diff --git a/community/git-metafile/minimize-size.patch b/community/git-metafile/minimize-size.patch
deleted file mode 100644
index e74211b969..0000000000
--- a/community/git-metafile/minimize-size.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -19,4 +19,7 @@
- nix = "^0.8.0"
-
- [profile.release]
-+codegen-units = 1
- lto = true
-+opt-level = "z"
-+panic = "abort"
diff --git a/community/go-ipfs/APKBUILD b/community/go-ipfs/APKBUILD
index 8052b6ee32..0e13ad73cd 100644
--- a/community/go-ipfs/APKBUILD
+++ b/community/go-ipfs/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Oleg Titov <oleg.titov@gmail.com>
# Maintainer: Oleg Titov <oleg.titov@gmail.com>
pkgname=go-ipfs
-pkgver=0.7.0
+pkgver=0.8.0
pkgrel=0
pkgdesc="Inter Platnetary File System (IPFS), a peer-to-peer hypermedia distribution protocol"
url="https://ipfs.io/"
@@ -18,6 +18,11 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/ipfs/go-ipfs/archive/v$pkgve
ipfs.confd"
builddir="$srcdir/src/github.com/ipfs/go-ipfs"
+# secfixes:
+# 0.8.0-r0:
+# - CVE-2020-26279
+# - CVE-2020-26283
+
prepare() {
export GOPATH="$srcdir"
@@ -58,6 +63,6 @@ bashcomp() {
"$subpkgdir"/usr/share/bash-completion/completions/$pkgname
}
-sha512sums="68c104609765ab90dabff8ea6af44b0a04fdbb9240febc5fafe3d092ec51a6e0fd9e0e9b3e8308b908e4aa912b4ad910ab2b495a23321891a93e5d284c9c0b3f go-ipfs-0.7.0.tar.gz
+sha512sums="b8b21852cf433c225a0d7e820ba5ac97a54abffb5ad228635632d7a2bec02c5c113b639355fbad741d04bc482655e0b8846d2a08bc088ace680f9a50670875bf go-ipfs-0.8.0.tar.gz
3e51e9a3dca1b991e8549f8354f7c2cfd1bb9b73d7a59557878d5c9ab4189988676d789172af3ba1fd57193ec48ca9125919507b0de7d0400ce0d6166622e556 ipfs.initd
c55afeb3efe381d18258ddf00f58325b77156375cf223fb2daa049df056efe22e9139cce0f81dc4c73759dad5097af5f3201414beb5950bd894df9ae8c7c4ed1 ipfs.confd"
diff --git a/community/graphicsmagick/APKBUILD b/community/graphicsmagick/APKBUILD
index 6318a971bc..6822925dcb 100644
--- a/community/graphicsmagick/APKBUILD
+++ b/community/graphicsmagick/APKBUILD
@@ -104,17 +104,6 @@ builddir="$srcdir"/GraphicsMagick-$pkgver
# - CVE-2017-10799
# - CVE-2017-10800
# 1.3.25-r2:
-# - CVE-2016-7800
-# - CVE-2016-7996
-# - CVE-2016-7997
-# - CVE-2016-8682
-# - CVE-2016-8683
-# - CVE-2016-8684
-# - CVE-2016-9830
-# - CVE-2017-6335
-# - CVE-2017-10794
-# - CVE-2017-10799
-# - CVE-2017-10800
# - CVE-2017-11403
# 1.3.25-r0:
# - CVE-2016-7447
diff --git a/community/hivex/APKBUILD b/community/hivex/APKBUILD
index 41fb932298..18af62b00f 100644
--- a/community/hivex/APKBUILD
+++ b/community/hivex/APKBUILD
@@ -2,15 +2,20 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=hivex
pkgver=1.3.19
-pkgrel=0
-pkgdesc="System for extracting the contents of Windows Registry."
-url="http://libguestfs.org"
+pkgrel=1
+pkgdesc="System for extracting the contents of Windows Registry"
+url="https://libguestfs.org/"
arch="all"
license="LGPL-2.1"
makedepends="libxml2-dev readline-dev perl-dev"
checkdepends="bash"
subpackages="$pkgname-dev $pkgname-doc"
-source="http://libguestfs.org/download/hivex/hivex-$pkgver.tar.gz"
+source="https://libguestfs.org/download/hivex/hivex-$pkgver.tar.gz
+CVE-2021-3504.patch"
+
+# secfixes:
+# 1.3.19-r1:
+# - CVE-2021-3504
build() {
./configure \
@@ -34,4 +39,7 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="dc271349c6efa7b55ba144617e57fe4e7ce855ec1f4ef9f84ee86eeefd3a34cb6b26078786e1568f3008b922a31b758ff2c2734e599b67e0e210aa72e9f41177 hivex-1.3.19.tar.gz"
+sha512sums="
+dc271349c6efa7b55ba144617e57fe4e7ce855ec1f4ef9f84ee86eeefd3a34cb6b26078786e1568f3008b922a31b758ff2c2734e599b67e0e210aa72e9f41177 hivex-1.3.19.tar.gz
+fed79bdff539596275ef1081a2e071898b35b19494aac04d473ded3328d570d40ea6c720f0660c7ebd60625efa3f559e9f21bde600fb2eeca9354a90dffc2525 CVE-2021-3504.patch
+"
diff --git a/community/hivex/CVE-2021-3504.patch b/community/hivex/CVE-2021-3504.patch
new file mode 100644
index 0000000000..e6523993ab
--- /dev/null
+++ b/community/hivex/CVE-2021-3504.patch
@@ -0,0 +1,72 @@
+From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 15 Apr 2021 15:50:13 +0100
+Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
+ (CVE-2021-3504)
+
+Hives are encoded as fixed-sized pages containing smaller variable-
+length blocks:
+
+ +-------------------+-------------------+-------------------+--
+ | header |[ blk ][blk][ blk ]|[blk][blk][blk] |
+ +-------------------+-------------------+-------------------+--
+
+Blocks should not straddle a page boundary. However because blocks
+contain a 32 bit length field it is possible to construct an invalid
+hive where the last block in a page overlaps either the next page or
+the end of the file:
+
+ +-------------------+-------------------+
+ | header |[ blk ][blk][ blk ..... ]
+ +-------------------+-------------------+
+
+Hivex lacked a bounds check and would process the registry. Because
+the rest of the code assumes this situation can never happen it was
+possible to have a block containing some field (eg. a registry key
+name) which would extend beyond the end of the file. Hivex mmaps or
+mallocs the file, causing hivex to read memory beyond the end of the
+mapped region, resulting in reading other memory structures or a
+crash. (Writing beyond the end of the mapped region seems to be
+impossible because we always allocate a new page before writing.)
+
+This commit adds a check which rejects the malformed registry on
+hivex_open.
+
+Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: CVE-2021-3504
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
+---
+ lib/handle.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 88b1563..2e4231a 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
+ #pragma GCC diagnostic pop
+ if (is_root || !h->unsafe) {
+ SET_ERRNO (ENOTSUP,
+- "%s, the block at 0x%zx has invalid size %" PRIu32
+- ", bad registry",
++ "%s, the block at 0x%zx size %" PRIu32
++ " <= 4 or not a multiple of 4, bad registry",
+ filename, blkoff, le32toh (block->seg_len));
+ goto error;
+ } else {
+@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
+ }
+ }
+
++ if (blkoff + seg_len > off + page_size) {
++ SET_ERRNO (ENOTSUP,
++ "%s, the block at 0x%zx size %" PRIu32
++ " extends beyond the current page, bad registry",
++ filename, blkoff, le32toh (block->seg_len));
++ goto error;
++ }
++
+ if (h->msglvl >= 2) {
+ unsigned char *id = (unsigned char *) block->id;
+ int id0 = id[0], id1 = id[1];
diff --git a/community/ifstate/APKBUILD b/community/ifstate/APKBUILD
index a555072201..a6cd93f843 100644
--- a/community/ifstate/APKBUILD
+++ b/community/ifstate/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Thomas Liske <thomas@fiasko-nw.net>
pkgname=ifstate
-pkgver=1.5.1
+pkgver=1.5.2
pkgrel=0
pkgdesc="Manage host interface settings in a declarative manner"
url="https://ifstate.net/"
@@ -25,6 +25,6 @@ package() {
install -Dm755 "$srcdir"/ifstate.initd "$pkgdir"/etc/init.d/ifstate
}
-sha512sums="aa6eee99f8e2b314469c45edc9b0bc0b3c23c26f37ee6fdb9ca5b07edc7fba4758bf6654a50efa9804fc55702dedd2b5d6da9aba01cd920b0e9397aacbed4528 ifstate-1.5.1.tar.gz
+sha512sums="ca6533f2fbe1bedce7fa1ba4dfa4da8d55ac4e9966516f4b008f672d98bb34bd4f4e87dfcd7bcd1930686d693d998ae5d34ae46aa200be46c9638738cf98e4c0 ifstate-1.5.2.tar.gz
dfc31dc7452c63ec18d368803ffb3bef1cd96d98345d0c5ef1baeb8b2819130b504d3e6e82d99ee86fa18d4576b7927d0b80d6d79f9f20e388e07faa09a87285 ifstate.conf
e583c764c65dbf00ce6a4269cef5d8a78c2ec47851671cc25bbebd2d6095c42f0a10eccfd021728e05b3b67d8b950f9e4359da63226da551b8dc5ebd5d8aa0ef ifstate.initd"
diff --git a/community/imagemagick/APKBUILD b/community/imagemagick/APKBUILD
index 8e50fad86c..594335f2a7 100644
--- a/community/imagemagick/APKBUILD
+++ b/community/imagemagick/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=imagemagick
_pkgname=ImageMagick
-pkgver=7.0.10.57
+pkgver=7.0.11.13
pkgrel=0
_pkgver=${pkgver%.*}-${pkgver##*.}
_abiver=7
@@ -38,6 +38,21 @@ source="$_pkgname-$_pkgver.tar.gz::https://github.com/ImageMagick/ImageMagick/ar
builddir="$srcdir/$_pkgname-$_pkgver"
# secfixes:
+# 7.0.11.13-r0:
+# - CVE-2021-20241
+# - CVE-2021-20243
+# - CVE-2021-20244
+# - CVE-2021-20245
+# - CVE-2021-20246
+# - CVE-2021-20309
+# - CVE-2021-20310
+# - CVE-2021-20311
+# - CVE-2021-20312
+# - CVE-2021-20313
+# 7.0.10.57-r0:
+# - CVE-2021-20176
+# 7.0.10.48-r0:
+# - CVE-2020-27829
# 7.0.10.42-r0:
# - CVE-2020-29599
# 7.0.10.35-r0:
@@ -179,5 +194,7 @@ _perlmagick_doc() {
make -j1 DESTDIR="$subpkgdir" doc_vendor_install
}
-sha512sums="404d78d8b2c8018e07eda39799d16ddf7e48e1daeb8356692ba5770cf6edda83541de859c2b19710c1ceddd526683e6c14b8f3a984f9f4b987be2c02862b84f7 ImageMagick-7.0.10-57.tar.gz
-58afb2da075a6208b6a990ff297b3a827d260687c3355198a8b4d987e1596c0b0cd78aff6f0be0e1896e537fbe44a3d467473183f5f149664ea6e6fb3d3291a9 disable-avaraging-tests.patch"
+sha512sums="
+de66df70b7a7dc72ffef1e1dd5ed3c92b5a4bbbe2454a8e1436c3f16254a11e3c37946af79d49214945f24d9350ebe5b3423800fb5983b6ef43d550e397372d1 ImageMagick-7.0.11-13.tar.gz
+58afb2da075a6208b6a990ff297b3a827d260687c3355198a8b4d987e1596c0b0cd78aff6f0be0e1896e537fbe44a3d467473183f5f149664ea6e6fb3d3291a9 disable-avaraging-tests.patch
+"
diff --git a/community/jool-modules-lts/APKBUILD b/community/jool-modules-lts/APKBUILD
index f56cb388ff..3914476030 100644
--- a/community/jool-modules-lts/APKBUILD
+++ b/community/jool-modules-lts/APKBUILD
@@ -21,7 +21,7 @@ fi
# Kernel version
# Keep in sync with main/linux-lts!
_kpkg=linux-$_flavor
-_kver=5.10.36
+_kver=5.10.38
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/libgrss/APKBUILD b/community/libgrss/APKBUILD
index adcbecdabd..1003279c8b 100644
--- a/community/libgrss/APKBUILD
+++ b/community/libgrss/APKBUILD
@@ -2,14 +2,19 @@
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=libgrss
pkgver=0.7.0
-pkgrel=0
+pkgrel=1
pkgdesc="Glib library for feeds"
url="https://wiki.gnome.org/Projects/Libgrss"
arch="all"
license="LGPL-3.0-or-later"
makedepends="glib-dev gtk-doc libxml2-dev libsoup-dev gobject-introspection-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://download.gnome.org/sources/libgrss/${pkgver%.*}/libgrss-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/libgrss/${pkgver%.*}/libgrss-$pkgver.tar.xz
+ CVE-2016-20011.patch"
+
+# secfixes:
+# 0.7.0-r1:
+# - CVE-2016-20011
build() {
./configure \
@@ -31,4 +36,7 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="22a4f13ee979932575c6efd25bfd2fb184ea113aa34254d9e4bfb64cfbbd9b277dd235b8c9be037baf8c85bea7ba3bc1478ec3c7a3c87e63aeddb1774959c780 libgrss-0.7.0.tar.xz"
+sha512sums="
+22a4f13ee979932575c6efd25bfd2fb184ea113aa34254d9e4bfb64cfbbd9b277dd235b8c9be037baf8c85bea7ba3bc1478ec3c7a3c87e63aeddb1774959c780 libgrss-0.7.0.tar.xz
+d80ce2a39993a4559d88282082256a3382c9c68cc0a1df538a8fdc6a47a99275752f7f69a18fd486b45916b98929d149dbcaf0319f764a3f30ce0b595438c436 CVE-2016-20011.patch
+"
diff --git a/community/libgrss/CVE-2016-20011.patch b/community/libgrss/CVE-2016-20011.patch
new file mode 100644
index 0000000000..b7de681475
--- /dev/null
+++ b/community/libgrss/CVE-2016-20011.patch
@@ -0,0 +1,101 @@
+From 2c6ea642663e2a44efc8583fae7c54b7b98f72b3 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Mon, 7 Jun 2021 18:51:07 -0600
+Subject: [PATCH] Ensure the ssl-use-system-ca-file property is set to true on
+ all SoupSessions.
+
+The default SoupSessionSync and SoupSessionAsync behaviour does not perform any
+TLS certificate validation, unless the ssl-use-system-ca-file property is set
+to true.
+
+This mitigates CVE-2016-20011.
+---
+ src/feed-channel.c | 2 ++
+ src/feed-enclosure.c | 4 ++++
+ src/feeds-pool.c | 1 +
+ src/feeds-publisher.c | 4 +++-
+ src/feeds-subscriber.c | 4 +++-
+ 5 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/feed-channel.c b/src/feed-channel.c
+index 19ca7b2..d2d51b9 100644
+--- a/src/feed-channel.c
++++ b/src/feed-channel.c
+@@ -973,6 +973,8 @@ quick_and_dirty_parse (GrssFeedChannel *channel, SoupMessage *msg, GList **save_
+ static void
+ init_soup_session (SoupSession *session, GrssFeedChannel *channel)
+ {
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+ if (channel->priv->jar != NULL)
+ soup_session_add_feature (session, SOUP_SESSION_FEATURE (channel->priv->jar));
+ if (channel->priv->gzip == TRUE)
+diff --git a/src/feed-enclosure.c b/src/feed-enclosure.c
+index 68ebbfe..2cd8f9e 100644
+--- a/src/feed-enclosure.c
++++ b/src/feed-enclosure.c
+@@ -220,6 +220,8 @@ grss_feed_enclosure_fetch (GrssFeedEnclosure *enclosure, GError **error)
+ url = grss_feed_enclosure_get_url (enclosure);
+
+ session = soup_session_sync_new ();
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+ msg = soup_message_new ("GET", url);
+ status = soup_session_send_message (session, msg);
+
+@@ -282,6 +284,8 @@ grss_feed_enclosure_fetch_async (GrssFeedEnclosure *enclosure, GAsyncReadyCallba
+
+ task = g_task_new (enclosure, NULL, callback, user_data);
+ session = soup_session_async_new ();
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+ msg = soup_message_new ("GET", grss_feed_enclosure_get_url (enclosure));
+ soup_session_queue_message (session, msg, enclosure_downloaded, task);
+ }
+diff --git a/src/feeds-pool.c b/src/feeds-pool.c
+index f18f3cd..7b33956 100644
+--- a/src/feeds-pool.c
++++ b/src/feeds-pool.c
+@@ -178,6 +178,7 @@ grss_feeds_pool_init (GrssFeedsPool *node)
+ memset (node->priv, 0, sizeof (GrssFeedsPoolPrivate));
+ node->priv->parser = grss_feed_parser_new ();
+ node->priv->soupsession = soup_session_async_new ();
++ g_object_set (G_OBJECT (node->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
+ }
+
+ /**
+diff --git a/src/feeds-publisher.c b/src/feeds-publisher.c
+index 427a54f..500cd96 100644
+--- a/src/feeds-publisher.c
++++ b/src/feeds-publisher.c
+@@ -888,8 +888,10 @@ create_and_run_server (GrssFeedsPublisher *pub)
+ {
+ SoupAddress *soup_addr;
+
+- if (pub->priv->soupsession == NULL)
++ if (pub->priv->soupsession == NULL) {
+ pub->priv->soupsession = soup_session_async_new ();
++ g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
++ }
+
+ soup_addr = soup_address_new_any (SOUP_ADDRESS_FAMILY_IPV4, pub->priv->port);
+ pub->priv->server = soup_server_new ("port", pub->priv->port, "interface", soup_addr, NULL);
+diff --git a/src/feeds-subscriber.c b/src/feeds-subscriber.c
+index 259f891..0f63f83 100644
+--- a/src/feeds-subscriber.c
++++ b/src/feeds-subscriber.c
+@@ -513,8 +513,10 @@ init_run_server (GrssFeedsSubscriber *sub)
+ {
+ GInetAddress *addr;
+
+- if (sub->priv->soupsession == NULL)
++ if (sub->priv->soupsession == NULL) {
+ sub->priv->soupsession = soup_session_async_new ();
++ g_object_set (G_OBJECT (sub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
++ }
+
+ /*
+ Flow:
+--
+GitLab
+
diff --git a/community/libmad/APKBUILD b/community/libmad/APKBUILD
index d9dc9ba2c6..df80e6a945 100644
--- a/community/libmad/APKBUILD
+++ b/community/libmad/APKBUILD
@@ -26,6 +26,8 @@ source="https://downloads.sourceforge.net/sourceforge/mad/libmad-$pkgver.tar.gz
# - CVE-2017-8372
# - CVE-2017-8373
# - CVE-2017-8374
+# - CVE-2017-11552
+# - CVE-2018-7263
prepare() {
update_config_sub
diff --git a/community/libyang/APKBUILD b/community/libyang/APKBUILD
index fc53109cf5..926aed66b6 100644
--- a/community/libyang/APKBUILD
+++ b/community/libyang/APKBUILD
@@ -2,14 +2,26 @@
# Maintainer: Christian Franke <nobody@nowhere.ws>
pkgname=libyang
pkgver=1.0.184
-pkgrel=0
+pkgrel=1
pkgdesc="YANG data modelling language parser and toolkit"
url="https://github.com/CESNET/libyang"
arch="all"
license="BSD-3-Clause-Clear"
makedepends="bison cmake cmocka-dev flex pcre-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="$pkgname-$pkgver.tar.gz::https://github.com/CESNET/libyang/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/CESNET/libyang/archive/v$pkgver.tar.gz
+ CVE-2021-28903.patch
+ CVE-2021-28904.patch
+ CVE-2021-28905.patch
+ CVE-2021-28906.patch"
+
+# secfixes:
+# 1.0.184-r1:
+# - CVE-2021-28902
+# - CVE-2021-28903
+# - CVE-2021-28904
+# - CVE-2021-28905
+# - CVE-2021-28906
build() {
if [ "$CBUILD" != "$CHOST" ]; then
@@ -35,4 +47,10 @@ package() {
make -C build DESTDIR="$pkgdir" install
}
-sha512sums="bb1c396b6048d848ea844cc462f1ee9f14b0dad848c7618ec0f9bd239d28db8a94f94550c5439ca07e01824a910a748ec6be699c58150b34072c2f9b76acd95c libyang-1.0.184.tar.gz"
+sha512sums="
+bb1c396b6048d848ea844cc462f1ee9f14b0dad848c7618ec0f9bd239d28db8a94f94550c5439ca07e01824a910a748ec6be699c58150b34072c2f9b76acd95c libyang-1.0.184.tar.gz
+fd51bba07f817b1186566bee324655c089f7a901015abc0e3583ba351691e14b71b8cd1512d2f0bf7be1f6770ddf237cda508df9f0a8c971b79cecb4f74d93b0 CVE-2021-28903.patch
+73c351587fab0a11f9a738e09167fc99695f9df5aca77780145c14112c1ae04baf3ba72f49a2838fcc10e9324d027d6535ded01b9df0e1ba83ffb330ac8d8885 CVE-2021-28904.patch
+c7502d18a97471c1412082adcb785e36e241223a1025839105cf8d6cba3403b47bbd843a68e1a80c4355700a06c7c8e7268f344130acbebca7196c31bd1f85cd CVE-2021-28905.patch
+746ce394985f0cb3983cce8a1789ee86041e8fa40bc53d858c6cc7093f69b343d103eb0e7d76b819a3546d69f47426090eefa711a93cae767df72a405084a3d4 CVE-2021-28906.patch
+"
diff --git a/community/libyang/CVE-2021-28903.patch b/community/libyang/CVE-2021-28903.patch
new file mode 100644
index 0000000000..51bed30033
--- /dev/null
+++ b/community/libyang/CVE-2021-28903.patch
@@ -0,0 +1,69 @@
+From 298b30ea4ebee137226acf9bb38678bd82704582 Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 14:32:58 +0100
+Subject: [PATCH] common FEATURE add a hard limit for recursion
+
+Fixes #1453
+---
+ src/common.h.in | 3 +++
+ src/xml.c | 12 +++++++++---
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/common.h.in b/src/common.h.in
+index a5bf2b038..624beba9f 100644
+--- a/src/common.h.in
++++ b/src/common.h.in
+@@ -53,6 +53,9 @@
+ /* how many bytes add when enlarging buffers */
+ #define LY_BUF_STEP 128
+
++/* hard limit on recursion for cases with theoretical unlimited recursion */
++#define LY_RECURSION_LIMIT 10000
++
+ /* internal logging options */
+ enum int_log_opts {
+ ILO_LOG = 0, /* log normally */
+diff --git a/src/xml.c b/src/xml.c
+index 1bc4fdfa5..7e4760976 100644
+--- a/src/xml.c
++++ b/src/xml.c
+@@ -943,7 +943,8 @@ parse_attr(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml
+
+ /* logs directly */
+ struct lyxml_elem *
+-lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml_elem *parent, int options)
++lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct lyxml_elem *parent, int options,
++ int bt_count)
+ {
+ const char *c = data, *start, *e;
+ const char *lws; /* leading white space for handling mixed content */
+@@ -958,6 +959,11 @@ lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct
+
+ *len = 0;
+
++ if (bt_count > LY_RECURSION_LIMIT) {
++ LOGVAL(ctx, LYE_XML_INVAL, LY_VLOG_NONE, NULL, "Recursion limit %d reached", LY_RECURSION_LIMIT);
++ return NULL;
++ }
++
+ if (*c != '<') {
+ return NULL;
+ }
+@@ -1141,7 +1147,7 @@ lyxml_parse_elem(struct ly_ctx *ctx, const char *data, unsigned int *len, struct
+ lyxml_add_child(ctx, elem, child);
+ elem->flags |= LYXML_ELEM_MIXED;
+ }
+- child = lyxml_parse_elem(ctx, c, &size, elem, options);
++ child = lyxml_parse_elem(ctx, c, &size, elem, options, bt_count + 1);
+ if (!child) {
+ goto error;
+ }
+@@ -1295,7 +1301,7 @@ lyxml_parse_mem(struct ly_ctx *ctx, const char *data, int options)
+ }
+ }
+
+- root = lyxml_parse_elem(ctx, c, &len, NULL, options);
++ root = lyxml_parse_elem(ctx, c, &len, NULL, options, 0);
+ if (!root) {
+ goto error;
+ } else if (!first) {
diff --git a/community/libyang/CVE-2021-28904.patch b/community/libyang/CVE-2021-28904.patch
new file mode 100644
index 0000000000..df87f28e76
--- /dev/null
+++ b/community/libyang/CVE-2021-28904.patch
@@ -0,0 +1,26 @@
+From 59a0bff1a5a2f0a0eac07e4bf94d4aea9dd3708d Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 09:20:30 +0100
+Subject: [PATCH] plugins BUGFIX handle empty revision correctly
+
+Fixes #1451
+---
+ src/plugins.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins.c b/src/plugins.c
+index 7e6fdf358..fa62ce76c 100644
+--- a/src/plugins.c
++++ b/src/plugins.c
+@@ -457,9 +457,8 @@ ext_get_plugin(const char *name, const char *module, const char *revision)
+ assert(module);
+
+ for (u = 0; u < ext_plugins_count; u++) {
+- if (!strcmp(name, ext_plugins[u].name) &&
+- !strcmp(module, ext_plugins[u].module) &&
+- (!ext_plugins[u].revision || !strcmp(revision, ext_plugins[u].revision))) {
++ if (!strcmp(name, ext_plugins[u].name) && !strcmp(module, ext_plugins[u].module) &&
++ ((!revision && !ext_plugins[u].revision) || (revision && !strcmp(revision, ext_plugins[u].revision)))) {
+ /* we have the match */
+ return ext_plugins[u].plugin;
+ }
diff --git a/community/libyang/CVE-2021-28905.patch b/community/libyang/CVE-2021-28905.patch
new file mode 100644
index 0000000000..89e620720c
--- /dev/null
+++ b/community/libyang/CVE-2021-28905.patch
@@ -0,0 +1,263 @@
+From 5ce30801f9ccc372bbe9b7c98bb5324b15fb010a Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 09:34:04 +0100
+Subject: [PATCH] schema tree BUGFIX freeing nodes with no module set
+
+Context must be passed explicitly for these cases.
+Fixes #1452
+---
+ src/parser_yin.c | 24 ++++++++++++------------
+ src/resolve.c | 2 +-
+ src/tree_internal.h | 4 +++-
+ src/tree_schema.c | 27 +++++++++++----------------
+ 4 files changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/src/parser_yin.c b/src/parser_yin.c
+index d545a6d26..275991644 100644
+--- a/src/parser_yin.c
++++ b/src/parser_yin.c
+@@ -4213,7 +4213,7 @@ read_yin_case(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+
+ return NULL;
+ }
+@@ -4420,7 +4420,7 @@ read_yin_choice(struct lys_module *module, struct lys_node *parent, struct lyxml
+
+ error:
+ lyxml_free(ctx, dflt);
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -4581,7 +4581,7 @@ read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxm
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -4803,7 +4803,7 @@ read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -5117,7 +5117,7 @@ read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyx
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -5490,7 +5490,7 @@ read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+
+ error:
+
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -5714,7 +5714,7 @@ read_yin_container(struct lys_module *module, struct lys_node *parent, struct ly
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -5859,7 +5859,7 @@ read_yin_grouping(struct lys_module *module, struct lys_node *parent, struct lyx
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -6035,7 +6035,7 @@ read_yin_input_output(struct lys_module *module, struct lys_node *parent, struct
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -6216,7 +6216,7 @@ read_yin_notif(struct lys_module *module, struct lys_node *parent, struct lyxml_
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -6368,7 +6368,7 @@ read_yin_rpc_action(struct lys_module *module, struct lys_node *parent, struct l
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ while (root.child) {
+ lyxml_free(ctx, root.child);
+ }
+@@ -6522,7 +6522,7 @@ read_yin_uses(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+diff --git a/src/resolve.c b/src/resolve.c
+index 21293ebc2..29862187f 100644
+--- a/src/resolve.c
++++ b/src/resolve.c
+@@ -5654,7 +5654,7 @@ resolve_uses(struct lys_node_uses *uses, struct unres_schema *unres)
+
+ fail:
+ LY_TREE_FOR_SAFE(uses->child, next, iter) {
+- lys_node_free(iter, NULL, 0);
++ lys_node_free(ctx, iter, NULL, 0);
+ }
+ free(refine_nodes);
+ return -1;
+diff --git a/src/tree_internal.h b/src/tree_internal.h
+index 497c62c4d..36e94f5c5 100644
+--- a/src/tree_internal.h
++++ b/src/tree_internal.h
+@@ -368,12 +368,14 @@ void lys_node_unlink(struct lys_node *node);
+ /**
+ * @brief Free the schema node structure, includes unlinking it from the tree
+ *
++ * @param[in] ctx libang context to use, @p node may not have it filled (in groupings, for example).
+ * @param[in] node Schema tree node to free. Do not use the pointer after calling this function.
+ * @param[in] private_destructor Optional destructor function for private objects assigned
+ * to the nodes via lys_set_private(). If NULL, the private objects are not freed by libyang.
+ * @param[in] shallow Whether to do a shallow free only (on a shallow copy of a node).
+ */
+-void lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys_node *node, void *priv), int shallow);
++void lys_node_free(struct ly_ctx *ctx, struct lys_node *node,
++ void (*private_destructor)(const struct lys_node *node, void *priv), int shallow);
+
+ /**
+ * @brief Free (and unlink it from the context) the specified schema.
+diff --git a/src/tree_schema.c b/src/tree_schema.c
+index 43b19039f..fb4c85f3f 100644
+--- a/src/tree_schema.c
++++ b/src/tree_schema.c
+@@ -942,7 +942,7 @@ lys_node_addchild(struct lys_node *parent, struct lys_module *module, struct lys
+ iter->next = NULL;
+ iter->prev = iter;
+ iter->parent = NULL;
+- lys_node_free(iter, NULL, 0);
++ lys_node_free(ctx, iter, NULL, 0);
+ } else {
+ if (shortcase) {
+ /* create the implicit case to allow it to serve as a target of the augments,
+@@ -2464,7 +2464,7 @@ lys_augment_free(struct ly_ctx *ctx, struct lys_node_augment *aug,
+ /* children from a resolved augment are freed under the target node */
+ if (!aug->target || (aug->flags & LYS_NOTAPPLIED)) {
+ LY_TREE_FOR_SAFE(aug->child, next, sub) {
+- lys_node_free(sub, private_destructor, 0);
++ lys_node_free(ctx, sub, private_destructor, 0);
+ }
+ }
+
+@@ -2722,11 +2722,11 @@ lys_deviation_free(struct lys_module *module, struct lys_deviation *dev,
+
+ LY_TREE_DFS_END(dev->orig_node, next, elem);
+ }
+- lys_node_free(dev->orig_node, NULL, 0);
++ lys_node_free(ctx, dev->orig_node, NULL, 0);
+ } else {
+ /* it's just a shallow copy, freeing one node */
+ dev->orig_node->module = module;
+- lys_node_free(dev->orig_node, NULL, 1);
++ lys_node_free(ctx, dev->orig_node, NULL, 1);
+ }
+ }
+
+@@ -2798,20 +2798,15 @@ lys_uses_free(struct ly_ctx *ctx, struct lys_node_uses *uses,
+ }
+
+ void
+-lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys_node *node, void *priv), int shallow)
++lys_node_free(struct ly_ctx *ctx, struct lys_node *node,
++ void (*private_destructor)(const struct lys_node *node, void *priv), int shallow)
+ {
+- struct ly_ctx *ctx;
+ struct lys_node *sub, *next;
+
+ if (!node) {
+ return;
+ }
+
+- assert(node->module);
+- assert(node->module->ctx);
+-
+- ctx = node->module->ctx;
+-
+ /* remove private object */
+ if (node->priv && private_destructor) {
+ private_destructor(node, node->priv);
+@@ -2827,7 +2822,7 @@ lys_node_free(struct lys_node *node, void (*private_destructor)(const struct lys
+
+ if (!shallow && !(node->nodetype & (LYS_LEAF | LYS_LEAFLIST))) {
+ LY_TREE_FOR_SAFE(node->child, next, sub) {
+- lys_node_free(sub, private_destructor, 0);
++ lys_node_free(ctx, sub, private_destructor, 0);
+ }
+ }
+
+@@ -2942,7 +2937,7 @@ module_free_common(struct lys_module *module, void (*private_destructor)(const s
+ * are placed in the main module altogether */
+ if (!module->type) {
+ LY_TREE_FOR_SAFE(module->data, next, iter) {
+- lys_node_free(iter, private_destructor, 0);
++ lys_node_free(ctx, iter, private_destructor, 0);
+ }
+ }
+
+@@ -3507,7 +3502,7 @@ lys_node_dup_recursion(struct lys_module *module, struct lys_node *parent, const
+ return retval;
+
+ error:
+- lys_node_free(retval, NULL, 0);
++ lys_node_free(ctx, retval, NULL, 0);
+ return NULL;
+ }
+
+@@ -5149,7 +5144,7 @@ lys_submodule_module_data_free(struct lys_submodule *submodule)
+ /* remove parsed data */
+ LY_TREE_FOR_SAFE(submodule->belongsto->data, next, elem) {
+ if (elem->module == (struct lys_module *)submodule) {
+- lys_node_free(elem, NULL, 0);
++ lys_node_free(submodule->ctx, elem, NULL, 0);
+ }
+ }
+ }
+@@ -5546,7 +5541,7 @@ lys_extension_instances_free(struct ly_ctx *ctx, struct lys_ext_instance **e, un
+ case LY_STMT_USES:
+ pp = (void**)&((struct lys_ext_instance_complex *)e[i])->content[substmt[j].offset];
+ LY_TREE_FOR_SAFE((struct lys_node *)(*pp), snext, siter) {
+- lys_node_free(siter, NULL, 0);
++ lys_node_free(ctx, siter, NULL, 0);
+ }
+ *pp = NULL;
+ break;
diff --git a/community/libyang/CVE-2021-28906.patch b/community/libyang/CVE-2021-28906.patch
new file mode 100644
index 0000000000..6b0529084b
--- /dev/null
+++ b/community/libyang/CVE-2021-28906.patch
@@ -0,0 +1,65 @@
+From a3917d95d516e3de267d3cfa5d4d3715a90e8777 Mon Sep 17 00:00:00 2001
+From: Michal Vasko <mvasko@cesnet.cz>
+Date: Mon, 8 Mar 2021 14:08:05 +0100
+Subject: [PATCH] yin parser BUGFIX invalid memory access
+
+... in case there were some unresolved
+extensions.
+Fixes #1454
+Fixes #1455
+---
+ src/parser_yin.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/parser_yin.c b/src/parser_yin.c
+index 275991644..256325415 100644
+--- a/src/parser_yin.c
++++ b/src/parser_yin.c
+@@ -4572,7 +4572,7 @@ read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxm
+
+ for (r = 0; r < retval->ext_size; ++r) {
+ /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+ retval->flags |= LYS_VALID_EXT;
+ break;
+ }
+@@ -4794,7 +4794,7 @@ read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+
+ for (r = 0; r < retval->ext_size; ++r) {
+ /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+ retval->flags |= LYS_VALID_EXT;
+ break;
+ }
+@@ -5108,7 +5108,7 @@ read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyx
+
+ for (r = 0; r < retval->ext_size; ++r) {
+ /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+ retval->flags |= LYS_VALID_EXT;
+ break;
+ }
+@@ -5477,7 +5477,7 @@ read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_e
+
+ for (r = 0; r < retval->ext_size; ++r) {
+ /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
+ retval->flags |= LYS_VALID_EXT;
+ if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {
+ retval->flags |= LYS_VALID_EXT_SUBTREE;
+@@ -5701,8 +5701,9 @@ read_yin_container(struct lys_module *module, struct lys_node *parent, struct ly
+ }
+
+ for (r = 0; r < retval->ext_size; ++r) {
+- /* set flag, which represent LYEXT_OPT_VALID */
+- if (retval->ext[r]->flags & LYEXT_OPT_VALID) {
++ /* extension instance may not yet be resolved */
++ if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {
++ /* set flag, which represent LYEXT_OPT_VALID */
+ retval->flags |= LYS_VALID_EXT;
+ if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {
+ retval->flags |= LYS_VALID_EXT_SUBTREE;
diff --git a/community/mozjs78/APKBUILD b/community/mozjs78/APKBUILD
index 86fa5ede0d..d4df64f266 100644
--- a/community/mozjs78/APKBUILD
+++ b/community/mozjs78/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Rasmus Thomsen <oss@cogitri.dev>
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=mozjs78
-pkgver=78.10.0
+pkgver=78.12.0
pkgrel=0
pkgdesc="Standalone Mozilla JavaScript engine"
url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey"
@@ -40,6 +40,9 @@ builddir="$srcdir"/firefox-$pkgver
_builddir="$builddir/js/src"
# secfixes:
+# 78.12.0-r0:
+# - CVE-2021-29976
+# - CVE-2021-29967
# 78.10.0-r0:
# - CVE-2021-29945
# 78.9.0-r0:
@@ -120,9 +123,11 @@ package() {
rm -f "$pkgdir"/usr/lib/*.ajs
}
-sha512sums="5e2cf137dc781855542c29df6152fa74ba749801640ade3cf01487ce993786b87a4f603d25c0af9323e67c7e15c75655523428c1c1426527b8623c7ded9f5946 firefox-78.10.0esr.source.tar.xz
+sha512sums="
+646eb803e0d0e541773e3111708c7eaa85e784e4bae6e4a77dcecdc617ee29e2e349c9ef16ae7e663311734dd7491aebd904359124dda62672dbc18bfb608f0a firefox-78.12.0esr.source.tar.xz
f7e5bee97cfa495d491dac4b8b98e5d3081346d920700e8bb6d077543e18245e5c82201a9981036ec0bf16d9fbdd42fd76e8cf6d90bb811e7338261204020149 0001-silence-sandbox-violations.patch
4f2cb93f91e798218d83cb3ac4c60b61a3658c5b269bfe250f4c4875aedaacbd77598d8d20e3a868626e49988b2073a2404e37d6918b11def774c25db68dd08d disable-jslint.patch
60845dcb034b2c4459c30f7d5f25c8176cf42df794e2cc0e86c3e2abb6541c24b962f3a16ca70a288d4d6f377b68d00b2904b22463108559612053d835d9bff1 fd6847c9416f9eebde636e21d794d25d1be8791d.patch
bc91c2fb15eb22acb8acc36d086fb18fbf6f202b4511d138769b5ecaaed4a673349c55f808270c762616fafa42e3b01e74dc0af1dcbeea1289e043926e2750c8 fix-musl-build.patch
-c397bd594428b009d1533922a3728a0ec74403714417f4b90c38c1b7751749b0585d48e77c79efa05c6c22a0d9a8ac04d535eb5bb8deb51684852c03c05d94cd fix-rust-target.patch"
+c397bd594428b009d1533922a3728a0ec74403714417f4b90c38c1b7751749b0585d48e77c79efa05c6c22a0d9a8ac04d535eb5bb8deb51684852c03c05d94cd fix-rust-target.patch
+"
diff --git a/community/mpv/APKBUILD b/community/mpv/APKBUILD
index 1b6aa051f2..a2fe91b780 100644
--- a/community/mpv/APKBUILD
+++ b/community/mpv/APKBUILD
@@ -5,7 +5,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mpv
pkgver=0.33.0
-pkgrel=0
+pkgrel=1
pkgdesc="Video player based on MPlayer/mplayer2"
url="https://mpv.io/"
arch="all"
@@ -60,9 +60,12 @@ subpackages="
$pkgname-zsh-completion:zshcomp:noarch
"
options="net" # downloads a waf tarball
-source="mpv-$pkgver.tar.gz::https://github.com/mpv-player/mpv/archive/v$pkgver.tar.gz"
+source="mpv-$pkgver.tar.gz::https://github.com/mpv-player/mpv/archive/v$pkgver.tar.gz
+ CVE-2021-30145.patch"
# secfixes:
+# 0.33.0-r1:
+# - CVE-2021-30145
# 0.27.0-r3:
# - CVE-2018-6360
@@ -122,4 +125,7 @@ zshcomp() {
amove usr/share/zsh/site-functions
}
-sha512sums="5a4af74ba2c9656c6b61adcf944c734923c7b4527a49cd79ec63a0617911629438a138d887dfbd4b6c0c9c53e2c68c18839d98d9765179e52cc5675d0682e077 mpv-0.33.0.tar.gz"
+sha512sums="
+5a4af74ba2c9656c6b61adcf944c734923c7b4527a49cd79ec63a0617911629438a138d887dfbd4b6c0c9c53e2c68c18839d98d9765179e52cc5675d0682e077 mpv-0.33.0.tar.gz
+53033657588e8e13e8b1191440fcecc2f45dc3e41f4182d00243c8c012774e2f78bff17d2025467f7f516bda745cfdc6ead5d71e329743e17ae6c7cdddfcbc77 CVE-2021-30145.patch
+"
diff --git a/community/mpv/CVE-2021-30145.patch b/community/mpv/CVE-2021-30145.patch
new file mode 100644
index 0000000000..b02036042c
--- /dev/null
+++ b/community/mpv/CVE-2021-30145.patch
@@ -0,0 +1,87 @@
+From d0c530919d8cd4d7a774e38ab064e0fabdae34e6 Mon Sep 17 00:00:00 2001
+From: "Avi Halachmi (:avih)" <avihpit@yahoo.com>
+Date: Sun, 4 Apr 2021 14:11:15 +0300
+Subject: [PATCH] demux_mf: improve format string processing
+
+Before this commit, the user could specify a printf format string
+which wasn't verified, and could result in:
+- Undefined behavior due to missing or non-matching arguments.
+- Buffer overflow due to untested result length.
+
+The offending code was added at commit 103a9609 (2002, mplayer svn):
+git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@4566 b3059339-0415-0410-9bf9-f77b7e298cf2
+
+It moved around but was not modified meaningfully until now.
+
+Now we reject all conversion specifiers at the format except %%
+and a simple subset of the valid specifiers. Also, we now use
+snprintf to avoid buffer overflow.
+
+The format string is provided by the user as part of mf:// URI.
+
+Report and initial patch by Stefan Schiller.
+Patch reviewed by @jeeb, @sfan5, Stefan Schiller.
+---
+ demux/demux_mf.c | 39 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/demux/demux_mf.c b/demux/demux_mf.c
+index 424821b965f..40f94f4e4ed 100644
+--- a/demux/demux_mf.c
++++ b/demux/demux_mf.c
+@@ -121,7 +121,8 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
+ goto exit_mf;
+ }
+
+- char *fname = talloc_size(mf, strlen(filename) + 32);
++ size_t fname_avail = strlen(filename) + 32;
++ char *fname = talloc_size(mf, fname_avail);
+
+ #if HAVE_GLOB
+ if (!strchr(filename, '%')) {
+@@ -148,10 +149,44 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
+ }
+ #endif
+
++ // We're using arbitrary user input as printf format with 1 int argument.
++ // Any format which uses exactly 1 int argument would be valid, but for
++ // simplicity we reject all conversion specifiers except %% and simple
++ // integer specifier: %[.][NUM]d where NUM is 1-3 digits (%.d is valid)
++ const char *f = filename;
++ int MAXDIGS = 3, nspec = 0, bad_spec = 0, c;
++
++ while (nspec < 2 && (c = *f++)) {
++ if (c != '%')
++ continue;
++ if (*f != '%') {
++ nspec++; // conversion specifier which isn't %%
++ if (*f == '.')
++ f++;
++ for (int ndig = 0; mp_isdigit(*f) && ndig < MAXDIGS; ndig++, f++)
++ /* no-op */;
++ if (*f != 'd') {
++ bad_spec++; // not int, or beyond our validation capacity
++ break;
++ }
++ }
++ // *f is '%' or 'd'
++ f++;
++ }
++
++ // nspec==0 (zero specifiers) is rejected because fname wouldn't advance.
++ if (bad_spec || nspec != 1) {
++ mp_err(log, "unsupported expr format: '%s'\n", filename);
++ goto exit_mf;
++ }
++
+ mp_info(log, "search expr: %s\n", filename);
+
+ while (error_count < 5) {
+- sprintf(fname, filename, count++);
++ if (snprintf(fname, fname_avail, filename, count++) >= fname_avail) {
++ mp_err(log, "format result too long: '%s'\n", filename);
++ goto exit_mf;
++ }
+ if (!mp_path_exists(fname)) {
+ error_count++;
+ mp_verbose(log, "file not found: '%s'\n", fname);
diff --git a/community/mrxvt/APKBUILD b/community/mrxvt/APKBUILD
index 739c694fd0..3dacad3ceb 100644
--- a/community/mrxvt/APKBUILD
+++ b/community/mrxvt/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Mark Constable <markc@renta.net>
pkgname=mrxvt
pkgver=0.5.4
-pkgrel=8
+pkgrel=9
pkgdesc="A multi-tabbed X terminal emulator based on rxvt code"
url="http://materm.sourceforge.net/wiki/pmwiki.php"
arch="all"
@@ -13,9 +13,14 @@ source="https://downloads.sourceforge.net/sourceforge/materm/mrxvt-$pkgver.tar.g
mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
musl-fix-includes.patch
gcc-10.patch
+ CVE-2021-33477.patch
mrxvt.desktop
"
+# secfixes:
+# 0.5.4-r9:
+# - CVE-2021-33477
+
prepare() {
default_prepare
update_config_sub
@@ -49,8 +54,11 @@ package() {
install -Dm644 ../mrxvt.desktop $pkgdir/usr/share/applications/mrxvt.desktop
}
-sha512sums="572bb4dda9f9b9dcb597f3185922646523bce34003f536acca82992f68f8f7c1a5f2778d626f805ea2cd061e8451fbbf12010e5d655221f76b83440825c80992 mrxvt-0.5.4.tar.gz
+sha512sums="
+572bb4dda9f9b9dcb597f3185922646523bce34003f536acca82992f68f8f7c1a5f2778d626f805ea2cd061e8451fbbf12010e5d655221f76b83440825c80992 mrxvt-0.5.4.tar.gz
27d8a9775a5ea6e5e0e588d84ab5c76cc76aaa4ebeb473950e8f6b3dbf660a380c2d2385356ab9bd12d2e00b98c467f99f8e1aac16c91f8ffa4e29a38124340a mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
4f2cf06484b1b364f7eb9f2acc629d2e600d4e614071fca5035d3654b083347f00162d2077496626fe4184dcac938b0b91f3ffe23f259b53ed475c4b8e85dbb0 musl-fix-includes.patch
1cb5ad1a64f105da63914ee321dcc9753887d8584a8f99d7d8ee1326fdb1d94fb188854393003b33097c00bfe509af3eb12c92564cddce46fccd4cf00c1bf7b6 gcc-10.patch
-04e0f2e93449d2656e55bdbdf6742d50c625c86ba8e64062e40f447a077b3a01f457ea855a99df39b4a099b30517d4a8cc45e91de6300023d0072ee76ae2b375 mrxvt.desktop"
+0b299ba3c049e91619a59df4c53053cdea0b3000e633495843518d1676b146214fea567fa1d441aca023e8c6ef0447cd43c7a4c4c0a498121e562d3afbafc59f CVE-2021-33477.patch
+04e0f2e93449d2656e55bdbdf6742d50c625c86ba8e64062e40f447a077b3a01f457ea855a99df39b4a099b30517d4a8cc45e91de6300023d0072ee76ae2b375 mrxvt.desktop
+"
diff --git a/community/mrxvt/CVE-2021-33477.patch b/community/mrxvt/CVE-2021-33477.patch
new file mode 100644
index 0000000000..b1c6185a08
--- /dev/null
+++ b/community/mrxvt/CVE-2021-33477.patch
@@ -0,0 +1,41 @@
+--- mrxvt-0.5.4/src/command.c.orig
++++ mrxvt-0.5.4/src/command.c
+@@ -207,7 +207,9 @@
+ int rxvt_privcases (rxvt_t*, int, int, uint32_t);
+ void rxvt_process_terminal_mode (rxvt_t*, int, int, int, unsigned int, const int*);
+ void rxvt_process_sgr_mode (rxvt_t*, int, unsigned int, const int*);
++#if 0
+ void rxvt_process_graphics (rxvt_t*, int);
++#endif
+ void rxvt_process_getc (rxvt_t*, int, unsigned char);
+ /*--------------------------------------------------------------------*
+ * END `INTERNAL' ROUTINE PROTOTYPES *
+@@ -5029,10 +5031,12 @@
+ rxvt_scr_add_lines(r, page, (const unsigned char *)"\n\r", 1, 2);
+ break;
+
++#if 0
+ /* kidnapped escape sequence: Should be 8.3.48 */
+ case C1_ESA: /* ESC G */
+ rxvt_process_graphics(r, page);
+ break;
++#endif
+
+ /* 8.3.63: CHARACTER TABULATION SET */
+ case C1_HTS: /* ESC H */
+@@ -6671,6 +6675,7 @@
+ }
+ /*}}} */
+
++#if 0
+ /*{{{ process Rob Nation's own graphics mode sequences */
+ /* INTPROTO */
+ void
+@@ -6707,6 +6712,7 @@
+ printable characters. */
+ }
+ /*}}} */
++#endif
+
+ /* ------------------------------------------------------------------------- */
+
diff --git a/community/mtr/APKBUILD b/community/mtr/APKBUILD
index 90c96918f5..8f50d1b76c 100644
--- a/community/mtr/APKBUILD
+++ b/community/mtr/APKBUILD
@@ -2,13 +2,13 @@
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
pkgname=mtr
pkgver=0.94
-pkgrel=0
+pkgrel=1
pkgdesc="Full screen ncurses traceroute tool"
options="!check" # Tests require pyhton2
url="http://www.bitwizard.nl/mtr/"
arch="all"
license="GPL-2.0-only"
-makedepends="ncurses-dev autoconf gtk+2.0-dev libcap-dev"
+makedepends="ncurses-dev autoconf gtk+2.0-dev libcap-dev jansson-dev"
options="suid"
subpackages="$pkgname-doc $pkgname-gtk $pkgname-bash-completion:bashcomp:noarch"
source="ftp://ftp.bitwizard.nl/mtr/mtr-$pkgver.tar.gz
@@ -62,5 +62,7 @@ bashcomp() {
rm -rf "$pkgdir"/usr/share/bash-completion
}
-sha512sums="82d7f3c3a692800739a37c95b0a561cb3897e18db7b8b6e4e43c7cba997488e811d82e92ad3f0e97712633627020c7be81e3053c0444f4cc4bd3d9b87fde2aa7 mtr-0.94.tar.gz
-ecf7543e0125fad6d3f17c30f29f1fc8a3b1e2e477802fe8464e436c3cdfa30d0630b8543cc3f022c475228e94ac8f92981df4d8fb08fe01d004be3d78d6da77 mtr-gtk.desktop"
+sha512sums="
+82d7f3c3a692800739a37c95b0a561cb3897e18db7b8b6e4e43c7cba997488e811d82e92ad3f0e97712633627020c7be81e3053c0444f4cc4bd3d9b87fde2aa7 mtr-0.94.tar.gz
+ecf7543e0125fad6d3f17c30f29f1fc8a3b1e2e477802fe8464e436c3cdfa30d0630b8543cc3f022c475228e94ac8f92981df4d8fb08fe01d004be3d78d6da77 mtr-gtk.desktop
+"
diff --git a/community/mupdf/APKBUILD b/community/mupdf/APKBUILD
index 9daad1dc89..ccb3cc961f 100644
--- a/community/mupdf/APKBUILD
+++ b/community/mupdf/APKBUILD
@@ -29,9 +29,9 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11
options="!check"
source="https://mupdf.com/downloads/archive/mupdf-$pkgver-source.tar.xz
shared-lib.patch
- https://github.com/ArtifexSoftware/mupdf/commit/32e4e8b4bcbacbf92af7c.patch
- https://github.com/ArtifexSoftware/mupdf/commit/b82e9b6d6b46877e5c376.patch
- CVE-2021-3407.patch::https://github.com/ArtifexSoftware/mupdf/commit/cee7cefc610d42fd383b3c80c12cbc675443176a.patch
+ bug-fix-overflow.patch
+ harden-pupulate-ui-against-unexpecter-repairs.patch
+ CVE-2021-3407.patch
"
# FIXME: shared linking of /usr/lib/libmupdf.so.0
@@ -111,8 +111,10 @@ _tools() {
"$subpkgdir"/usr/bin/
}
-sha512sums="7551f18b9bac6e2dc1cf073741cbc975ce3a16dc7e37c9d5a58254c67bf2c07bb36185d6585e435d4126f3ae351f67d7432d19a986c9b47b15105ca43db0edb8 mupdf-1.18.0-source.tar.xz
+sha512sums="
+7551f18b9bac6e2dc1cf073741cbc975ce3a16dc7e37c9d5a58254c67bf2c07bb36185d6585e435d4126f3ae351f67d7432d19a986c9b47b15105ca43db0edb8 mupdf-1.18.0-source.tar.xz
a87c52da91b0fe14c952dc1f83f4492cf1d31d135fc66bc6fb5dcce622af8c740248e10392d7cdba7409373b81e24744aafd46dc1fe5fdfcc54c77555e27420c shared-lib.patch
-1d836c1a3f37c21ed349da799d5cb0c57d3fc275a632a42343cda81aae76394273c06230fc9c22a6d5366498b51a057d5a11797376a4b2af96b937618ba31e11 32e4e8b4bcbacbf92af7c.patch
-91620d0d429d2f4068e1834ec9466d9e9f9bfb363fba33247636e38651196580a89bd36785e42b31328070c42bd2210585ddabea8a0a970d72e7066e61804d6c b82e9b6d6b46877e5c376.patch
-67f5af701b2ea6a91346feaf6d12a91201af8d346a2cbc112503ada09f414dc13673a6b6f57e9ca03d20191e14f1e3fe46f484e2079b37a76e0be4249396f563 CVE-2021-3407.patch"
+811530c31c8af252b4fb4c9658d6378d004535bbf837e74c8538ff740bd3c8c293e050e05acb8745064cc82b7f514006323718933544623fd0abe245c5c27ff4 bug-fix-overflow.patch
+c7870dec59c935f4d0a147a155583c8725ccccc72b1df8b26d0ba1a8c3062d000a386b6021b40d16ebd9936f396b1d2a1a5c4849642248a3fb32d4d8ca32268b harden-pupulate-ui-against-unexpecter-repairs.patch
+4751a9ecb01063197c190a04efd51a0e62cd8bc59acda1dc75e04e35fd7640d825f6ebd51b92a2f458384a671eb9c5a56452f2185a820d26eae722996c187149 CVE-2021-3407.patch
+"
diff --git a/community/mupdf/CVE-2021-3407.patch b/community/mupdf/CVE-2021-3407.patch
new file mode 100644
index 0000000000..b5161ef566
--- /dev/null
+++ b/community/mupdf/CVE-2021-3407.patch
@@ -0,0 +1,45 @@
+From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Fri, 22 Jan 2021 17:05:15 +0000
+Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
+
+This appears to happen because we parse an illegal object from
+a broken file and assign it to object 0, which is defined to
+be free.
+
+Here, we fix the parsing code so this can't happen.
+---
+ source/pdf/pdf-parse.c | 6 ++++++
+ source/pdf/pdf-xref.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index 7abc8c3d41..5761c33517 100644
+--- a/source/pdf/pdf-parse.c
++++ b/source/pdf/pdf-parse.c
+@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
+ }
+ gen = buf->i;
++ if (gen < 0 || gen >= 65536)
++ {
++ if (try_repair)
++ *try_repair = 1;
++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
++ }
+
+ tok = pdf_lex(ctx, file, buf);
+ if (tok != PDF_TOK_OBJ)
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 1b2bdcd59d..30197b4b85 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ {
+ ofs = fz_tell(ctx, doc->file);
+ trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
++ if (num == 0)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
+ }
+ fz_catch(ctx)
+ {
diff --git a/community/mupdf/bug-fix-overflow.patch b/community/mupdf/bug-fix-overflow.patch
new file mode 100644
index 0000000000..acca0275d3
--- /dev/null
+++ b/community/mupdf/bug-fix-overflow.patch
@@ -0,0 +1,41 @@
+From 32e4e8b4bcbacbf92af7c88337efae21986d9603 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 8 Oct 2020 18:10:28 +0100
+Subject: [PATCH] Bug 702958: Fix overflow in fz_clear_pixmap_with_value.
+
+---
+ source/fitz/pixmap.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index 66873d2146..80d8bb62fa 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -555,7 +555,8 @@ void
+ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
+ {
+ unsigned char *s;
+- int w, h, n, stride, len;
++ int w, h, n;
++ ptrdiff_t stride, len;
+ int alpha = pix->alpha;
+
+ w = pix->w;
+@@ -572,7 +573,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
+
+ n = pix->n;
+ stride = pix->stride;
+- len = w * n;
++ len = (ptrdiff_t)w * n;
+
+ s = pix->samples;
+ if (value == 255 || !alpha)
+@@ -584,7 +585,7 @@ fz_clear_pixmap_with_value(fz_context *ctx, fz_pixmap *pix, int value)
+ }
+ while (h--)
+ {
+- memset(s, value, (unsigned int)len);
++ memset(s, value, len);
+ s += stride;
+ }
+ }
diff --git a/community/mupdf/harden-pupulate-ui-against-unexpecter-repairs.patch b/community/mupdf/harden-pupulate-ui-against-unexpecter-repairs.patch
new file mode 100644
index 0000000000..890a939067
--- /dev/null
+++ b/community/mupdf/harden-pupulate-ui-against-unexpecter-repairs.patch
@@ -0,0 +1,102 @@
+From b82e9b6d6b46877e5c3763cc3bc641c66fa7eb54 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 8 Oct 2020 16:15:40 +0100
+Subject: [PATCH] Bug 701297: Harden populate_ui against unexpected repairs.
+
+We count the number of layers, and allocate space for them in
+an array. We then walk the tree reading details of those layers
+in. If we hit a problem that causes a repair while reading the
+information, the number of layers can magically increase. In
+the existing code we run off the end of the array.
+
+In the new code we watch for hitting the end of the array and
+realloc as required.
+---
+ source/pdf/pdf-layer.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
+index 177f0c9476..b8e9d7cad0 100644
+--- a/source/pdf/pdf-layer.c
++++ b/source/pdf/pdf-layer.c
+@@ -104,10 +104,27 @@ count_entries(fz_context *ctx, pdf_obj *obj)
+ }
+
+ static pdf_ocg_ui *
+-populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked)
++get_ocg_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill)
++{
++ if (fill == desc->num_ui_entries)
++ {
++ /* Number of layers changed while parsing;
++ * probably due to a repair. */
++ int newsize = desc->num_ui_entries * 2;
++ if (newsize == 0)
++ newsize = 4; /* Arbitrary non-zero */
++ desc->ui = fz_realloc_array(ctx, desc->ui, newsize, pdf_ocg_ui);
++ desc->num_ui_entries = newsize;
++ }
++ return &desc->ui[fill];
++}
++
++static int
++populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, int fill, pdf_obj *order, int depth, pdf_obj *rbgroups, pdf_obj *locked)
+ {
+ int len = pdf_array_len(ctx, order);
+ int i, j;
++ pdf_ocg_ui *ui;
+
+ for (i = 0; i < len; i++)
+ {
+@@ -118,7 +135,7 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+ continue;
+
+ fz_try(ctx)
+- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
++ fill = populate_ui(ctx, desc, fill, o, depth+1, rbgroups, locked);
+ fz_always(ctx)
+ pdf_unmark_obj(ctx, o);
+ fz_catch(ctx)
+@@ -126,14 +143,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+
+ continue;
+ }
+- ui->depth = depth;
+ if (pdf_is_string(ctx, o))
+ {
++ ui = get_ocg_ui(ctx, desc, fill++);
++ ui->depth = depth;
+ ui->ocg = -1;
+ ui->name = pdf_to_str_buf(ctx, o);
+ ui->button_flags = PDF_LAYER_UI_LABEL;
+ ui->locked = 1;
+- ui++;
+ continue;
+ }
+
+@@ -144,13 +161,14 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
+ }
+ if (j == desc->len)
+ continue; /* OCG not found in main list! Just ignore it */
++ ui = get_ocg_ui(ctx, desc, fill++);
++ ui->depth = depth;
+ ui->ocg = j;
+ ui->name = pdf_dict_get_string(ctx, o, PDF_NAME(Name), NULL);
+ ui->button_flags = pdf_array_contains(ctx, o, rbgroups) ? PDF_LAYER_UI_RADIOBOX : PDF_LAYER_UI_CHECKBOX;
+ ui->locked = pdf_array_contains(ctx, o, locked);
+- ui++;
+ }
+- return ui;
++ return fill;
+ }
+
+ static void
+@@ -188,7 +206,7 @@ load_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_obj *ocprops, pdf_obj *oc
+ desc->ui = Memento_label(fz_calloc(ctx, count, sizeof(pdf_ocg_ui)), "pdf_ocg_ui");
+ fz_try(ctx)
+ {
+- (void)populate_ui(ctx, desc, desc->ui, order, 0, rbgroups, locked);
++ desc->num_ui_entries = populate_ui(ctx, desc, 0, order, 0, rbgroups, locked);
+ }
+ fz_catch(ctx)
+ {
diff --git a/community/networkmanager-elogind/APKBUILD b/community/networkmanager-elogind/APKBUILD
index 00a35e63e8..958aeef2d2 100644
--- a/community/networkmanager-elogind/APKBUILD
+++ b/community/networkmanager-elogind/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=networkmanager-elogind
pkgver=1.26.6
-pkgrel=0
+pkgrel=1
pkgdesc="Network Management daemon (with elogind hibernation support)"
url="https://wiki.gnome.org/Projects/NetworkManager"
arch="all !mips !mips64 !s390x" # polkit
@@ -57,6 +57,7 @@ source="$pkgname-$pkgver.tar.xz::https://download.gnome.org/sources/NetworkManag
musl-no-drand.patch
py3.patch
reallocarray.patch
+ CVE-2021-20297.patch
"
options="!check" # fail to compile on musl
provides="networkmanager"
@@ -65,6 +66,10 @@ install_if="networkmanager elogind"
builddir="$srcdir"/NetworkManager-$pkgver
+# secfixes:
+# 1.26.6-r1:
+# - CVE-2021-20297
+
build() {
abuild-meson \
-Dsystemdsystemunitdir=no \
@@ -144,7 +149,8 @@ bashcomp() {
amove usr/share/bash-completion
}
-sha512sums="f43869473bf625be270e3781a77310a877a8e945df08a6f9e668bb66fe173615e990fd9b3011c1c7b3aa23a9007db99c2f06c67f1185f7547771a816b06caf64 networkmanager-elogind-1.26.6.tar.xz
+sha512sums="
+f43869473bf625be270e3781a77310a877a8e945df08a6f9e668bb66fe173615e990fd9b3011c1c7b3aa23a9007db99c2f06c67f1185f7547771a816b06caf64 networkmanager-elogind-1.26.6.tar.xz
0f79016bf717dea43830962f524deae8d1cedc274376e40bd912ebe63208c5b1c3b7a5aa14379da19020c587dbd5588df2f0066ca1540070a226983a43e4159b networkmanager.conf
5ac6d11b588c479de9c7e1fef79ed0a2c04dc159a2173636a6a77a2867c839cc1609860756109e9e794f23a02238a6d94834d8fb6fcb81a6be3ef1dbf4a34e6f networkmanager.initd
9820ed2ead0af689644842de57657bb10330a1eaff0e85b21ae9913f55e399e47d8b41b0a12956f30de80272b4424c6e55f33acbc88e156879003a260bf576f6 networkmanager.rules
@@ -156,4 +162,6 @@ b5cd94928ca3ba1fb71aec28d9ff66f319f6d23131e02c90f1dfbfaf16c537935228a9981c95f29f
634377674691b52da80ca4c445a727d39cd40269f7deef0d3ccc1e1041cc262e8bc1423200e9a2b0cf1804e9950059ebbbc827f1200c6a97c58bc76080a6d6d2 musl-compar.patch
342fb3eef0e7057b6d8f1a00687af17dc633387d8a25d475e3e9c8de5712221eec8ada634a189e3458dcbb12b20625b99b552acda3927b5baa61b960ce5740eb musl-no-drand.patch
8f7bb0128881cd281f4f9b2335d9788cde715d9fc29c295bad234b97a2df9e5ed99061da4806702d9ab8aa163711ffa283e82216ea8d714bb54d2b37aa2607cb py3.patch
-423c97e0c08c53959f94c6e4de6388a0295b57f2d6404dca748bde82985e3eb25d1061ecb29ef7b568aa292b0169478c85f3c350206c34aafaa2ee99c4a6dc5f reallocarray.patch"
+423c97e0c08c53959f94c6e4de6388a0295b57f2d6404dca748bde82985e3eb25d1061ecb29ef7b568aa292b0169478c85f3c350206c34aafaa2ee99c4a6dc5f reallocarray.patch
+a59bf394d643e6570991e93c466c012a968415e27d9614ea26826d701a79a5e0b0a4acc6b4307caf6a48e381e4980cdca7518666cf340ee91ec20157305660af CVE-2021-20297.patch
+"
diff --git a/community/networkmanager-elogind/CVE-2021-20297.patch b/community/networkmanager-elogind/CVE-2021-20297.patch
new file mode 100644
index 0000000000..5906c2a534
--- /dev/null
+++ b/community/networkmanager-elogind/CVE-2021-20297.patch
@@ -0,0 +1,13 @@
+diff -urN NetworkManager-1.26.6.orig/src/nm-core-utils.c NetworkManager-1.26.6/src/nm-core-utils.c
+--- NetworkManager-1.26.6.orig/src/nm-core-utils.c 2021-06-03 14:10:00.375398397 -0600
++++ NetworkManager-1.26.6/src/nm-core-utils.c 2021-06-03 14:10:35.298882064 -0600
+@@ -1759,7 +1759,8 @@
+
+ _pattern_parse (patterns[i], &p, &is_inverted, &is_mandatory);
+
+- match = (fnmatch (p, str, 0) == 0);
++ match = (fnmatch (p, str ?: "", 0) == 0);
++
+ if (is_inverted)
+ match = !match;
+
diff --git a/community/networkmanager/APKBUILD b/community/networkmanager/APKBUILD
index f532a2d580..6c22e810a2 100644
--- a/community/networkmanager/APKBUILD
+++ b/community/networkmanager/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=networkmanager
pkgver=1.26.6
-pkgrel=0
+pkgrel=1
pkgdesc="Network Management daemon"
url="https://wiki.gnome.org/Projects/NetworkManager"
arch="all !mips !mips64 !s390x" # polkit
@@ -55,11 +55,16 @@ source="https://download.gnome.org/sources/NetworkManager/${pkgver:0:4}/NetworkM
musl-no-drand.patch
py3.patch
reallocarray.patch
+ CVE-2021-20297.patch
"
options="!check" # fail to compile on musl
builddir="$srcdir"/NetworkManager-$pkgver
+# secfixes:
+# 1.26.6-r1:
+# - CVE-2021-20297
+
build() {
abuild-meson \
-Dsystemdsystemunitdir=no \
@@ -120,7 +125,8 @@ bashcomp() {
amove usr/share/bash-completion
}
-sha512sums="f43869473bf625be270e3781a77310a877a8e945df08a6f9e668bb66fe173615e990fd9b3011c1c7b3aa23a9007db99c2f06c67f1185f7547771a816b06caf64 NetworkManager-1.26.6.tar.xz
+sha512sums="
+f43869473bf625be270e3781a77310a877a8e945df08a6f9e668bb66fe173615e990fd9b3011c1c7b3aa23a9007db99c2f06c67f1185f7547771a816b06caf64 NetworkManager-1.26.6.tar.xz
0f79016bf717dea43830962f524deae8d1cedc274376e40bd912ebe63208c5b1c3b7a5aa14379da19020c587dbd5588df2f0066ca1540070a226983a43e4159b networkmanager.conf
5ac6d11b588c479de9c7e1fef79ed0a2c04dc159a2173636a6a77a2867c839cc1609860756109e9e794f23a02238a6d94834d8fb6fcb81a6be3ef1dbf4a34e6f networkmanager.initd
9820ed2ead0af689644842de57657bb10330a1eaff0e85b21ae9913f55e399e47d8b41b0a12956f30de80272b4424c6e55f33acbc88e156879003a260bf576f6 networkmanager.rules
@@ -131,4 +137,6 @@ b5cd94928ca3ba1fb71aec28d9ff66f319f6d23131e02c90f1dfbfaf16c537935228a9981c95f29f
634377674691b52da80ca4c445a727d39cd40269f7deef0d3ccc1e1041cc262e8bc1423200e9a2b0cf1804e9950059ebbbc827f1200c6a97c58bc76080a6d6d2 musl-compar.patch
342fb3eef0e7057b6d8f1a00687af17dc633387d8a25d475e3e9c8de5712221eec8ada634a189e3458dcbb12b20625b99b552acda3927b5baa61b960ce5740eb musl-no-drand.patch
8f7bb0128881cd281f4f9b2335d9788cde715d9fc29c295bad234b97a2df9e5ed99061da4806702d9ab8aa163711ffa283e82216ea8d714bb54d2b37aa2607cb py3.patch
-423c97e0c08c53959f94c6e4de6388a0295b57f2d6404dca748bde82985e3eb25d1061ecb29ef7b568aa292b0169478c85f3c350206c34aafaa2ee99c4a6dc5f reallocarray.patch"
+423c97e0c08c53959f94c6e4de6388a0295b57f2d6404dca748bde82985e3eb25d1061ecb29ef7b568aa292b0169478c85f3c350206c34aafaa2ee99c4a6dc5f reallocarray.patch
+a59bf394d643e6570991e93c466c012a968415e27d9614ea26826d701a79a5e0b0a4acc6b4307caf6a48e381e4980cdca7518666cf340ee91ec20157305660af CVE-2021-20297.patch
+"
diff --git a/community/networkmanager/CVE-2021-20297.patch b/community/networkmanager/CVE-2021-20297.patch
new file mode 100644
index 0000000000..5906c2a534
--- /dev/null
+++ b/community/networkmanager/CVE-2021-20297.patch
@@ -0,0 +1,13 @@
+diff -urN NetworkManager-1.26.6.orig/src/nm-core-utils.c NetworkManager-1.26.6/src/nm-core-utils.c
+--- NetworkManager-1.26.6.orig/src/nm-core-utils.c 2021-06-03 14:10:00.375398397 -0600
++++ NetworkManager-1.26.6/src/nm-core-utils.c 2021-06-03 14:10:35.298882064 -0600
+@@ -1759,7 +1759,8 @@
+
+ _pattern_parse (patterns[i], &p, &is_inverted, &is_mandatory);
+
+- match = (fnmatch (p, str, 0) == 0);
++ match = (fnmatch (p, str ?: "", 0) == 0);
++
+ if (is_inverted)
+ match = !match;
+
diff --git a/community/nextcloud/APKBUILD b/community/nextcloud/APKBUILD
index 91ba1f9ec8..903899b5f9 100644
--- a/community/nextcloud/APKBUILD
+++ b/community/nextcloud/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=nextcloud
-pkgver=20.0.9
+pkgver=20.0.11
pkgrel=0
pkgdesc="A safe home for all your data"
url="http://nextcloud.com"
@@ -245,7 +245,22 @@ _package_app() {
mv "$pkgdir"/$_appsdir/$appname "$subpkgdir"/$_appsdir/
}
-sha512sums="965d24626e42c9e8a896f715761dfce77a173895252f804ee57712e02391f8a775dac3edb64e92f5dd7767aa587123ce426435973f8ae4db80e897a3bcdff0cb nextcloud-20.0.9.zip
+sha512sums="
+7490191ca05a9fffce49e6c4076a188d03c4a8223283b8966e637eadd0ad74b51340e0508aa29454e4e7f06693cf179d71d73754724ecaa975c2470abdbe2ff7 nextcloud-20.0.10.zip
+aea0adb2c3a48ec6af2958c6ccfe13adff86316a56084e763b7e6df9e21aa3435b13305b7c15cc2b795e83c9388b05006862f6465c29e3dc2c1fbd8eb8befcb9 nextcloud19-dont-chmod.patch
+2d03b90c1e2f3d96001f31f1bbf902e4c411c8de7dc5a4f956fa8297533324cb12092d3ad2198f2e02ff4835dc22febee2d49e449b003caef5b990d9dcff1e70 nextcloud-app-encryption-info-add-mcrypt.patch
+aef3c92497d738d6968e0f0b0d415b4953500db24ae14af41ef972665cf7eff00cb6c53dc953845fdbb389c3c965a75b8b14b9247513c05cf4130fe1cfc61731 dont-update-htaccess.patch
+d2100a837fef1eeae5f706650ab4c985d9e00f61efa5526ef76c7c1f5811c3906eb6c3c13c151eff9677a0c303faab64411a5a84d6792728bc520d2c618d7d5b disable-integrity-check-as-default.patch
+3fc3e06580a619d81b12f448976ffac34f0bb80fc73e9443fa213a73f160ba4b9bd14a26c134258ee12c04d8e103b46f4de10d7b11e4544a328878e57d436055 iconv-ascii-translit-not-supported.patch
+df1a16414a278c205876ec86c210a02a9009954e2d4f9033ff3c9b76c371e2764ef3587db5a4b8f76302655c6c8688c8729d1685279a77d279d3839cc359fbcd use-external-docs-if-local-not-avail.patch
+5f73cd9399fa484ef15bd47e803c93381deffbc7699eceadbb5c27e43b20156806d74e5021a64d28f0165ef87b519e962780651711a37bceb9f0b04455dfdce1 nextcloud-config.php
+7388458a9e8b7afd3d3269718306410ffa59c3c23da4bef367a4d7f6d2570136fae9dd421b19c1441e7ffb15a5405e18bb5da67b1a15f9f45e8b98d3fda532ba nextcloud.logrotate
+dcc57735d7d4af4a7ebbdd1186d301e51d2ae4675022aea6bf1111222dfa188a3a490ebd6e7c8a7ac30046cb7d93f81cec72a51acbc60d0c10b7fb64630c637a nextcloud.confd
+edb699ea6127b231793254115b334006c2d50a0d2ecc846188c3521ddffc3c0e19c5e2944f03cae81e6c645c859258380691081b1c522a22d40939b31db36e8a nextcloud.cron
+ee9073a6df4286cba2d1d855cf40863968f20677729b2c7848ab50a70d4915b8e84c957a850a03a707231256c11312e5792e7817dd50afbf73efe767fef2112d fpm-pool.conf
+959852e34f010e635470829d66713f3e22c47717ec2c6487759eed2b6aeff9fd1421fe0271d494a02781bd1c98beb2823583623ee2cf03057cd5db794627d6c2 occ
+"
+sha512sums="1373e3491d6f5a0d3c7cffdc9794e3972f6bf067ac622be07da966dd31e7905486d5725594dab7e404ff82c1d3af60f3b230259bbaf488bf60b604375c11c993 nextcloud-20.0.11.zip
aea0adb2c3a48ec6af2958c6ccfe13adff86316a56084e763b7e6df9e21aa3435b13305b7c15cc2b795e83c9388b05006862f6465c29e3dc2c1fbd8eb8befcb9 nextcloud19-dont-chmod.patch
2d03b90c1e2f3d96001f31f1bbf902e4c411c8de7dc5a4f956fa8297533324cb12092d3ad2198f2e02ff4835dc22febee2d49e449b003caef5b990d9dcff1e70 nextcloud-app-encryption-info-add-mcrypt.patch
aef3c92497d738d6968e0f0b0d415b4953500db24ae14af41ef972665cf7eff00cb6c53dc953845fdbb389c3c965a75b8b14b9247513c05cf4130fe1cfc61731 dont-update-htaccess.patch
diff --git a/community/nextcloud19/APKBUILD b/community/nextcloud19/APKBUILD
index 3ec826ff48..ba8fdf15d9 100644
--- a/community/nextcloud19/APKBUILD
+++ b/community/nextcloud19/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=nextcloud19
_pkgname=nextcloud
-pkgver=19.0.10
+pkgver=19.0.13
pkgrel=0
pkgdesc="Transitional package to allow nextcloud upgrade from v18->v20 for Alpine 3.12->3.13"
url="http://nextcloud.com"
@@ -240,7 +240,22 @@ _package_app() {
mv "$pkgdir"/$_appsdir/$appname "$subpkgdir"/$_appsdir/
}
-sha512sums="41b28494dc916e2f2c06b757c0d8dcf3e0dbcaa554ee04af9b5063e7ff338f1f56c0a148117a3249f947b2b1084808ea02a73c09ff3af7c5b9c8c4775c111910 nextcloud-19.0.10.zip
+sha512sums="
+2405380cfd91814312b4c515b7e0c873872c6eb0579cf9a5143b70cafde5ed4d467963eef7716d399bd5473aba0a30ab0c71a11d9504e97c9b16d03404b1b00d nextcloud-19.0.12.zip
+aea0adb2c3a48ec6af2958c6ccfe13adff86316a56084e763b7e6df9e21aa3435b13305b7c15cc2b795e83c9388b05006862f6465c29e3dc2c1fbd8eb8befcb9 nextcloud19-dont-chmod.patch
+56b187b5410452c5375b0503cfc154f86b8662f9590638c6975457675848b4251a8b1ed530741d815adfb4494ca44acc0ffea10471296be73026dcb4279aca60 nextcloud17-app-encryption-info-add-mcrypt.patch
+aef3c92497d738d6968e0f0b0d415b4953500db24ae14af41ef972665cf7eff00cb6c53dc953845fdbb389c3c965a75b8b14b9247513c05cf4130fe1cfc61731 dont-update-htaccess.patch
+d2100a837fef1eeae5f706650ab4c985d9e00f61efa5526ef76c7c1f5811c3906eb6c3c13c151eff9677a0c303faab64411a5a84d6792728bc520d2c618d7d5b disable-integrity-check-as-default.patch
+3fc3e06580a619d81b12f448976ffac34f0bb80fc73e9443fa213a73f160ba4b9bd14a26c134258ee12c04d8e103b46f4de10d7b11e4544a328878e57d436055 iconv-ascii-translit-not-supported.patch
+df1a16414a278c205876ec86c210a02a9009954e2d4f9033ff3c9b76c371e2764ef3587db5a4b8f76302655c6c8688c8729d1685279a77d279d3839cc359fbcd use-external-docs-if-local-not-avail.patch
+5f73cd9399fa484ef15bd47e803c93381deffbc7699eceadbb5c27e43b20156806d74e5021a64d28f0165ef87b519e962780651711a37bceb9f0b04455dfdce1 nextcloud19-config.php
+7388458a9e8b7afd3d3269718306410ffa59c3c23da4bef367a4d7f6d2570136fae9dd421b19c1441e7ffb15a5405e18bb5da67b1a15f9f45e8b98d3fda532ba nextcloud19.logrotate
+dcc57735d7d4af4a7ebbdd1186d301e51d2ae4675022aea6bf1111222dfa188a3a490ebd6e7c8a7ac30046cb7d93f81cec72a51acbc60d0c10b7fb64630c637a nextcloud19.confd
+edb699ea6127b231793254115b334006c2d50a0d2ecc846188c3521ddffc3c0e19c5e2944f03cae81e6c645c859258380691081b1c522a22d40939b31db36e8a nextcloud19.cron
+ee9073a6df4286cba2d1d855cf40863968f20677729b2c7848ab50a70d4915b8e84c957a850a03a707231256c11312e5792e7817dd50afbf73efe767fef2112d fpm-pool.conf
+959852e34f010e635470829d66713f3e22c47717ec2c6487759eed2b6aeff9fd1421fe0271d494a02781bd1c98beb2823583623ee2cf03057cd5db794627d6c2 occ
+"
+sha512sums="0dc53bb3202d0ad40c3f2ff475b0eb8c33a30d3633bb0964dbdf1e8cdbb5935e273ac78dd4db0efa2e4e4698add4eb5d273a40f834a59941f57927d257bfaa80 nextcloud-19.0.13.zip
aea0adb2c3a48ec6af2958c6ccfe13adff86316a56084e763b7e6df9e21aa3435b13305b7c15cc2b795e83c9388b05006862f6465c29e3dc2c1fbd8eb8befcb9 nextcloud19-dont-chmod.patch
56b187b5410452c5375b0503cfc154f86b8662f9590638c6975457675848b4251a8b1ed530741d815adfb4494ca44acc0ffea10471296be73026dcb4279aca60 nextcloud17-app-encryption-info-add-mcrypt.patch
aef3c92497d738d6968e0f0b0d415b4953500db24ae14af41ef972665cf7eff00cb6c53dc953845fdbb389c3c965a75b8b14b9247513c05cf4130fe1cfc61731 dont-update-htaccess.patch
diff --git a/community/nss/APKBUILD b/community/nss/APKBUILD
index 0c003517a7..194fb63406 100644
--- a/community/nss/APKBUILD
+++ b/community/nss/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Rasmus Thomsen <oss@cogitri.dev>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=nss
-pkgver=3.63
-pkgrel=1
+pkgver=3.66
+pkgrel=0
pkgdesc="Mozilla Network Security Services"
url="https://developer.mozilla.org/docs/Mozilla/Projects/NSS"
arch="all"
@@ -184,8 +184,10 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="2f1f75dce7fd049453cbcf53263a3d9d4d9e62ad2cc2fef4dd0d5645fe14dad4ce47ed64aae507a09214d7fccbe83c142844121f55b44783e5a1bcfe24ea671c nss-3.63.tar.gz
+sha512sums="
+327129cb065a8c19246e081e3cbc4798c81dc52eab6ee366eade151e9d308990592075c52a7c672165725fd855a0c539d56a803c26ef066561c584d693e0e467 nss-3.66.tar.gz
75dbd648a461940647ff373389cc73bc8ec609139cd46c91bcce866af02be6bcbb0524eb3dfb721fbd5b0bc68c20081ed6f7debf6b24317f2a7ba823e8d3c531 nss.pc.in
0f2efa8563b11da68669d281b4459289a56f5a3a906eb60382126f3adcfe47420cdcedc6ab57727a3afeeffa2bbb4c750b43bef8b5f343a75c968411dfa30e09 nss-util.pc.in
09c69d4cc39ec9deebc88696a80d0f15eb2d8c94d9daa234a2adfec941b63805eb4ce7f2e1943857b938bddcaee1beac246a0ec627b71563d9f846e6119a4a15 nss-softokn.pc.in
-2971669e128f06a9af40a5ba88218fa7c9eecfeeae8b0cf42e14f31ed12bf6fa4c5ce60289e078f50e2669a9376b56b45d7c29d726a7eac69ebe1d1e22dc710b nss-config.in"
+2971669e128f06a9af40a5ba88218fa7c9eecfeeae8b0cf42e14f31ed12bf6fa4c5ce60289e078f50e2669a9376b56b45d7c29d726a7eac69ebe1d1e22dc710b nss-config.in
+"
diff --git a/community/orca/APKBUILD b/community/orca/APKBUILD
index 770e5031e5..2cb7f864b9 100644
--- a/community/orca/APKBUILD
+++ b/community/orca/APKBUILD
@@ -14,6 +14,10 @@ makedepends="intltool py3-gobject3-dev at-spi2-atk-dev gstreamer-dev itstool
subpackages="$pkgname-lang $pkgname-doc"
source="https://download.gnome.org/sources/orca/${pkgver%.*}/orca-$pkgver.tar.xz"
+# secfixes:
+# 0:
+# - CVE-2020-9298
+
build() {
./configure \
--build=$CBUILD \
diff --git a/community/php7-pecl-imagick/APKBUILD b/community/php7-pecl-imagick/APKBUILD
index 84187e1f3a..6ff2d96f8a 100644
--- a/community/php7-pecl-imagick/APKBUILD
+++ b/community/php7-pecl-imagick/APKBUILD
@@ -3,10 +3,10 @@
pkgname=php7-pecl-imagick
_extname=imagick
pkgver=3.4.4
-pkgrel=7
+pkgrel=8
pkgdesc="PHP 7 extension provides a wrapper to the ImageMagick library - PECL"
url="https://pecl.php.net/package/imagick"
-arch="all"
+arch="all !x86" # https://gitlab.alpinelinux.org/alpine/aports/-/issues/12537
license="PHP-3.01"
depends="php7-common imagemagick"
checkdepends="ghostscript-fonts"
diff --git a/community/php7/APKBUILD b/community/php7/APKBUILD
index ad994e5ffc..e8075bc8f2 100644
--- a/community/php7/APKBUILD
+++ b/community/php7/APKBUILD
@@ -25,7 +25,7 @@
pkgname=php7
_pkgreal=php
-pkgver=7.4.19
+pkgver=7.4.21
pkgrel=0
_apiver=20190902
_suffix=${pkgname#php}
@@ -174,6 +174,8 @@ done
subpackages="$subpackages $pkgname-common::noarch"
# secfixes:
+# 7.4.21-r0:
+# - CVE-2021-21705
# 7.4.15-r0:
# - CVE-2021-21702
# 7.4.14-r0:
@@ -677,7 +679,7 @@ _mv() {
mv "$@"
}
-sha512sums="2ac51b9920069ebe8ac68a94f8e9aac2b3d44d69668f340aba95f8303632fe1bfc4c3f2ce398cc7e2c2ea48583d8e04dedfc66f7147c1f4470a55417554d0071 php-7.4.19.tar.xz
+sha512sums="778ddbfe614fdc6a00bc82c61f4c636bdbe815ce3398415a29bd24a2fd4ca2113b3b804303585d8830242e04b0c202bbc7c725a46c9bad79b070a0e896e5e681 php-7.4.21.tar.xz
1c708de82d1086f272f484faf6cf6d087af7c31750cc2550b0b94ed723961b363f28a947b015b2dfc0765caea185a75f5d2c2f2b099c948b65c290924f606e4f php7-fpm.initd
cacce7bf789467ff40647b7319e3760c6c587218720538516e8d400baa75651f72165c4e28056cd0c1dc89efecb4d00d0d7823bed80b29136262c825ce816691 php7-fpm.logrotate
274bd7b0b2b7002fa84c779640af37b59258bb37b05cb7dd5c89452977d71807f628d91b523b5039608376d1f760f3425d165242ca75ee5129b2730e71c4e198 php7-module.conf
diff --git a/community/php8-pecl-imagick/APKBUILD b/community/php8-pecl-imagick/APKBUILD
index 6f5e72603f..21d3909148 100644
--- a/community/php8-pecl-imagick/APKBUILD
+++ b/community/php8-pecl-imagick/APKBUILD
@@ -3,10 +3,10 @@
pkgname=php8-pecl-imagick
_extname=imagick
pkgver=3.4.4
-pkgrel=0
+pkgrel=1
pkgdesc="PHP 8 extension provides a wrapper to the ImageMagick library - PECL"
url="https://pecl.php.net/package/imagick"
-arch="all"
+arch="all !x86" # https://gitlab.alpinelinux.org/alpine/aports/-/issues/12537
license="PHP-3.01"
depends="php8-common imagemagick"
checkdepends="ghostscript-fonts"
diff --git a/community/php8/APKBUILD b/community/php8/APKBUILD
index 0fd6381de0..5bf4977457 100644
--- a/community/php8/APKBUILD
+++ b/community/php8/APKBUILD
@@ -25,7 +25,7 @@
pkgname=php8
_pkgreal=php
-pkgver=8.0.6
+pkgver=8.0.8
pkgrel=0
_apiver=20200930
_suffix=${pkgname#php}
@@ -172,6 +172,8 @@ done
subpackages="$subpackages $pkgname-common::noarch"
# secfixes:
+# 8.0.8-r0:
+# - CVE-2021-21705
# 8.0.2-r0:
# - CVE-2021-21702
@@ -609,7 +611,7 @@ _mv() {
mv "$@"
}
-sha512sums="4915b9b5024ce1fb7bc3ba7c1a00831841bc970ebb68b6b1e6a00cbec4d8dcbbca3ca043882ffd9c4719a988d08275f77f9cee07ff3d45a71402dfc51bd31e04 php-8.0.6.tar.xz
+sha512sums="1f8b94083b64705e24365af57169f8ff08115f31a7471238d9ed7a24b692e46c789f3fc00ff2bef2205243b9cd9c4736831e995a004afc7fc4127f3b74932428 php-8.0.8.tar.xz
8a9a63cddfd9bdde23db85a7be0711e14688bab35b580abd0184d370c54de80b72cbdeb369570cd23927154984f024eaad5d222d53d9e19130fb2e8758dd4540 php8-fpm.initd
cd3a96d3febde3b6657ed80ff58945641443e84e5e0fd3d9df29e640e9549bc452a3412f1999fa02ae1ee2b64c08040998fa75805f67e0252741c376e26e1c3c php8-fpm.logrotate
95f536addfbb28fbca8b14da46d95a3595369d6e98d345f55f0fda1b12bdefd1579a27505424e7d1088a987d330798253cec9bd42b544bb567189cba746217c7 php8-module.conf
diff --git a/community/pmbootstrap/APKBUILD b/community/pmbootstrap/APKBUILD
index 2d94cd6f00..4fcc12190a 100644
--- a/community/pmbootstrap/APKBUILD
+++ b/community/pmbootstrap/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Bart Ribbers <bribbers@disroot.org>
# Maintainer: Oliver Smith <ollieparanoid@postmarketos.org>
pkgname=pmbootstrap
-pkgver=1.32.0
+pkgver=1.33.0
pkgrel=0
pkgdesc="Sophisticated chroot/build/flash tool to develop and install postmarketOS"
url="https://gitlab.com/postmarketOS/pmbootstrap"
@@ -29,6 +29,6 @@ package() {
}
sha512sums="
-87af9c2e8280ad32516d1f87e2293ff836b86f0da79cca0a6431013d563c16e6a404718b68b81c8c4393a14bc934fb0464f43374888c2185bd10add8af38119f pmbootstrap-1.32.0.tar.gz
+5bfa1967329e0cae52b261413d5e046955c8b97d164a67ebdfcae34c5648bcca1d4152ae3181788f2e8ff8dd78fb26115f036b21906763802abaf17f19ffc3a4 pmbootstrap-1.33.0.tar.gz
f8026ab32234b885e69252459047f70160c54319113bc449000aa7c05bd016f00a46cee05c8f5251682f967ab44a12c06fbbb3c02d0a57ccb836cff810ce1a40 modules-load.conf
"
diff --git a/community/py3-django/APKBUILD b/community/py3-django/APKBUILD
index 375b5db858..cb0512ddd7 100644
--- a/community/py3-django/APKBUILD
+++ b/community/py3-django/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=py3-django
_pkgname=Django
-pkgver=3.1.8
+pkgver=3.1.13
pkgrel=0
pkgdesc="A high-level Python3 Web framework"
url="https://djangoproject.com/"
@@ -18,6 +18,10 @@ replaces="py-django" # Backwards compatibility
provides="py-django=$pkgver-r$pkgrel" # Backwards compatibility
# secfixes:
+# 3.1.13-r0:
+# - CVE-2021-33203
+# - CVE-2021-33571
+# - CVE-2021-35042
# 3.1.8-r0:
# - CVE-2021-28658
# 3.1.7-r0:
@@ -81,4 +85,6 @@ package() {
ln -s django-admin "$pkgdir"/usr/bin/django-admin-3
}
-sha512sums="2b4df8595778b1436fe0077514f3a51d3e298fcdfb7751c8ba8bb7125ece3199a8269b2da96cdcdb230a39707e122a6d8f48444598fb624d5f5c312b12c2d7cc Django-3.1.8.tar.gz"
+sha512sums="
+55b1ceb24b6e0ba542a96319f63b138439532cf4b00971a8432baaab4a8ee219cc9fbb31d457ba7da9e932c919df83da9630866d909df4a5d432866b158098d7 Django-3.1.13.tar.gz
+"
diff --git a/community/py3-pyroute2/APKBUILD b/community/py3-pyroute2/APKBUILD
index 10f12e2b83..5064ffc1dc 100644
--- a/community/py3-pyroute2/APKBUILD
+++ b/community/py3-pyroute2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Thomas Liske <thomas@fiasko-nw.net>
pkgname=py3-pyroute2
_pkgname=pyroute2
-pkgver=0.5.14
+pkgver=0.5.19
pkgrel=0
pkgdesc="Python Netlink library"
url="https://github.com/svinota/pyroute2"
@@ -26,4 +26,4 @@ package() {
rm -rf "${pkgdir:?}/usr/bin"
}
-sha512sums="081152662fa12398876e0b4a886cc7f79a9e664c8c4c256b6079251c046808c538c0e0b7c1717e04067c8827be0705ade1c2320fb51434d5d50df21f579f3186 pyroute2-0.5.14.tar.gz"
+sha512sums="bd60e2adf59b8438ff4f6abf2d41cf18eb60dcef3072577648488db45ffe89bd9c7207c4eccc38eb9256533ea2950e7f20b82ae4940b1207ba71d0f261e83f6d pyroute2-0.5.19.tar.gz"
diff --git a/community/rpm/APKBUILD b/community/rpm/APKBUILD
index d4d1211913..ed4afe0be6 100644
--- a/community/rpm/APKBUILD
+++ b/community/rpm/APKBUILD
@@ -19,6 +19,7 @@ source="http://ftp.rpm.org/releases/rpm-${pkgver%.*.*}.x/rpm-$pkgver.tar.bz2
# secfixes:
# 4.16.1.3-r0:
# - CVE-2021-3421
+# - CVE-2021-20266
# - CVE-2021-20271
prepare() {
diff --git a/community/rtl8821ce-lts/APKBUILD b/community/rtl8821ce-lts/APKBUILD
index e627717bbc..a111e3efc7 100644
--- a/community/rtl8821ce-lts/APKBUILD
+++ b/community/rtl8821ce-lts/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Kevin Daudt <kdaudt@alpinelinux.org>
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
-_kver=5.10.36
+_kver=5.10.38
_krel=0
_flavor="$FLAVOR"
[ -z "$_flavor" ] && _flavor=lts
diff --git a/community/rtpengine-lts/APKBUILD b/community/rtpengine-lts/APKBUILD
index 25ac839b3a..eecbc51630 100644
--- a/community/rtpengine-lts/APKBUILD
+++ b/community/rtpengine-lts/APKBUILD
@@ -5,7 +5,7 @@ _ver=9.0.1.10
_rel=0
# kernel version
-_kver=5.10.36
+_kver=5.10.38
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/runc/APKBUILD b/community/runc/APKBUILD
index e53a1f88d1..72cc2dc998 100644
--- a/community/runc/APKBUILD
+++ b/community/runc/APKBUILD
@@ -5,8 +5,8 @@ pkgname=runc
pkgdesc="CLI tool for spawning and running containers according to the OCI specification"
url="https://www.opencontainers.org"
-_commit=12644e614e25b05da6fd08a38ffa0cfe1903fdec
-pkgver=1.0.0_rc93
+_commit=b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
+pkgver=1.0.0_rc95
pkgrel=0
_ver=v${pkgver/_rc/-rc}
@@ -22,6 +22,8 @@ builddir="$srcdir/src/github.com/opencontainers/runc"
options="!check"
# secfixes:
+# 1.0.0_rc95-r0:
+# - CVE-2021-30465
# 1.0.0_rc10-r0:
# - CVE-2019-19921
# 1.0.0_rc9-r0:
@@ -45,4 +47,6 @@ package() {
install -Dm644 "$builddir"/man/man8/* "$pkgdir"/usr/share/man/man8/
}
-sha512sums="087becdf3882818b7c8d05ac0192928695b35033d72e5ce584d5b8291310f4ba35b1cc78299fc8f17dc7ee425a94817b989890f4108444cc3c45927740b2d378 runc-v1.0.0-rc93.tar.gz"
+sha512sums="
+c802a6e5f16cc0321642fc7adffe33819867c1779420f76b2cabd532edb5ac8c852beadcbcf6a3e895fe274f111c5623be5dcc822fef96e7e5259bf532174ba1 runc-v1.0.0-rc95.tar.gz
+"
diff --git a/community/rxvt-unicode/APKBUILD b/community/rxvt-unicode/APKBUILD
index ab280b612b..402b08fca2 100644
--- a/community/rxvt-unicode/APKBUILD
+++ b/community/rxvt-unicode/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=rxvt-unicode
pkgver=9.22
-pkgrel=9
+pkgrel=10
pkgdesc="rxvt fork with improved unicode support"
url="http://software.schmorp.de/pkg/rxvt-unicode.html"
arch="all"
@@ -14,11 +14,16 @@ depends="$pkgname-terminfo"
makedepends="libx11-dev libxft-dev ncurses fontconfig-dev
gdk-pixbuf-dev libxrender-dev perl-dev startup-notification-dev"
subpackages="$pkgname-doc $pkgname-terminfo::noarch"
-source="http://dist.schmorp.de/rxvt-unicode/rxvt-unicode-$pkgver.tar.bz2
+source="http://dist.schmorp.de/rxvt-unicode/Attic/rxvt-unicode-$pkgver.tar.bz2
gentables.patch
rxvt-unicode-kerning.patch
+ CVE-2021-33477.patch
"
+# secfixes:
+# 9.22-r10:
+# - CVE-2021-33477
+
build() {
./configure \
--build=$CBUILD \
@@ -65,6 +70,9 @@ terminfo() {
"$subpkgdir"/usr/share/terminfo/
}
-sha512sums="b39f1b2cbe6dd3fbd2a0ad6a9d391a2b6f49d7c5e67bc65fe44a9c86937f8db379572c67564c6e21ff6e09b447cdfd4e540544e486179e94da0e0db679c04dd9 rxvt-unicode-9.22.tar.bz2
+sha512sums="
+b39f1b2cbe6dd3fbd2a0ad6a9d391a2b6f49d7c5e67bc65fe44a9c86937f8db379572c67564c6e21ff6e09b447cdfd4e540544e486179e94da0e0db679c04dd9 rxvt-unicode-9.22.tar.bz2
2a973e001dacf900895d0c1045dfffd5a1ca7650669853bd5fdf09819b19a750bb59d913f8bdc83b103e5e0e7cce7f0d2b6184f36a29c1bac86e90c08ae6a475 gentables.patch
-d2fb68b3e11a78328ded4d2d646ffbaae657e9f23f3b4b81e11bc4350dd3e1e7585eeaeee47a70246bdfb7e12fbb667e40a7766989154235064f56ed4ad0a987 rxvt-unicode-kerning.patch"
+d2fb68b3e11a78328ded4d2d646ffbaae657e9f23f3b4b81e11bc4350dd3e1e7585eeaeee47a70246bdfb7e12fbb667e40a7766989154235064f56ed4ad0a987 rxvt-unicode-kerning.patch
+2c1cb4dad04b0fdf9212949337a37b402ed86638b26390d18f00620a71a80e91894eb624ec8058e10b7c18e1c369d8e6af91a7cd26ca6c2b221a0cf060aa0950 CVE-2021-33477.patch
+"
diff --git a/community/rxvt-unicode/CVE-2021-33477.patch b/community/rxvt-unicode/CVE-2021-33477.patch
new file mode 100644
index 0000000000..e315fb1309
--- /dev/null
+++ b/community/rxvt-unicode/CVE-2021-33477.patch
@@ -0,0 +1,20 @@
+--- rxvt-unicode/src/command.C 2016/07/14 05:33:26 1.582
++++ rxvt-unicode/src/command.C 2017/05/18 02:43:18 1.583
+@@ -2695,7 +2695,7 @@
+ /* kidnapped escape sequence: Should be 8.3.48 */
+ case C1_ESA: /* ESC G */
+ // used by original rxvt for rob nations own graphics mode
+- if (cmd_getc () == 'Q')
++ if (cmd_getc () == 'Q' && option (Opt_insecure))
+ tt_printf ("\033G0\012"); /* query graphics - no graphics */
+ break;
+
+@@ -2914,7 +2914,7 @@
+ break;
+
+ case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */
+- case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */
++ case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */
+ #ifdef ISO6429
+ arg[0] = -arg[0];
+ #else /* emulate common DEC VTs */
diff --git a/community/salt/APKBUILD b/community/salt/APKBUILD
index 43023c7006..ca5f20b30d 100644
--- a/community/salt/APKBUILD
+++ b/community/salt/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Will Sinatra <wpsinatra@gmail.com>
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
pkgname=salt
-pkgver=3002.5
+pkgver=3003
pkgrel=0
pkgdesc="A parallel remote execution system"
url="https://github.com/saltstack/salt"
@@ -34,6 +34,8 @@ source="https://pypi.io/packages/source/s/salt/salt-$pkgver.tar.gz
options="!check" # depends on pytestsalt
# secfixes:
+# 3003-r0:
+# - CVE-2021-31607
# 3002.5-r0:
# - CVE-2021-25281
# - CVE-2021-25282
@@ -168,7 +170,8 @@ _conf_copy() {
cp -r "$builddir"/conf/$type* "$subpkgdir"/etc/salt/
}
-sha512sums="dda2caa338f646ec51d2de6b0df10fbb27eceddbe8c797ae192b9ef1312d566ae71a243a3a95918fa375b125089aa29a73b1b908c5cc1b0451dccb582a4978a1 salt-3002.5.tar.gz
+sha512sums="
+7f631466372f303c03f2852a5cfba1ee5c6ba1636a6fe1e1622e90d0b1376ef9f670aa1b4754f3d9c8c7fe1b99fe1b4c49e140dc86d90d157a1ec1e73ba43c38 salt-3003.tar.gz
975ba2f5e681fbd62045da61cc3dc065b148683a07b5df7eca9f131e47314eb6bfa8660ca1c06a3bd93683c7097d0ff9f8e514273dd24d82fb2de6a255e6b275 salt-api.confd
435d399bfecf431d0c713031e2ae57ce25b5c6edc98b62f33bd7a4ff1c587e3cdeb988445ae0c3e9ffc1911555c3694654d98815f9562b8a14bf0688ec1ebea6 salt-api.initd
cfbbeb8023a383e7c42d84e3346edfd068c9ec7650c4ddc3caa38534da325a67497e1f06ca02cc1f0941b7348a3af6d1dca7cd6f2bcb3612ca10e1ec98997e5a salt-master.confd
@@ -177,4 +180,5 @@ cfbbeb8023a383e7c42d84e3346edfd068c9ec7650c4ddc3caa38534da325a67497e1f06ca02cc1f
31521a7bf9455a805652ebb2c2a258148d654169caed500dbf1fe0c26baf26b330217117fe84a13706ded75a9eedadc0bbd671ede0957ed4d60d1e766fea6b39 salt-minion.initd
bafc6ea10cdafd0aef868feb35aecbe4ae6a7dff0ae42862bded85715ad763eb89e1ed27437866a7e5f2b9f7064e3c2a3fb59814487744ba4227238d95cf3818 salt-syndic.confd
d71133e834685304e0167554035ebbc861252f972bbe981cc71e45b70f15d94a28a02a369463c9a641372919689f96b62a0408b14f824ad986d536e52b1e5ec0 salt-syndic.initd
-7df577b4a7befc6a37644cbe3e909df29f626f9ccc84d05245c5d2b6a4daeb3ad6bb95b9b3a82de70d50ddc27d15956b016c44c8ad9f878c760d388da86cacbe fix-cryptodome-dependency.patch"
+7df577b4a7befc6a37644cbe3e909df29f626f9ccc84d05245c5d2b6a4daeb3ad6bb95b9b3a82de70d50ddc27d15956b016c44c8ad9f878c760d388da86cacbe fix-cryptodome-dependency.patch
+"
diff --git a/community/ssh-ldap-pubkey/APKBUILD b/community/ssh-ldap-pubkey/APKBUILD
index b962f1474a..ce1f1764f3 100644
--- a/community/ssh-ldap-pubkey/APKBUILD
+++ b/community/ssh-ldap-pubkey/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=ssh-ldap-pubkey
-pkgver=1.3.2
-pkgrel=1
+pkgver=1.3.3
+pkgrel=0
pkgdesc="Utility to manage SSH public keys stored in LDAP"
url="https://github.com/jirutka/ssh-ldap-pubkey"
arch="noarch"
@@ -38,5 +38,7 @@ package() {
cp README.md etc/openssh-lpk.schema "$pkgdir"/usr/share/doc/$pkgname/
}
-sha512sums="8475715151f331017850c094a50bd285574533fa6266341effc83f758ca30af9b9c24b54fce8c3eac5441c5cf18b0d7aa91bb04829b71efc4b8dcacba3642415 ssh-ldap-pubkey-1.3.2.tar.gz
-5b96dd8b1150eb62db7d33d1eee5ed9b28ebaf487c6a8cab6ba1d66d14496c2fdb1c73c1c0959ccd99ea53359b8d82861b7416dc0351bfa22ccfe59b5f530564 ldap.conf.patch"
+sha512sums="
+b52d4de3e0704817e8ea0fb316c21646da1bac74ed226812c03f9ee5ae449a86e5ef4c679633d212db05382e216b254a185e29d4a2244318ad5de288b909254a ssh-ldap-pubkey-1.3.3.tar.gz
+5b96dd8b1150eb62db7d33d1eee5ed9b28ebaf487c6a8cab6ba1d66d14496c2fdb1c73c1c0959ccd99ea53359b8d82861b7416dc0351bfa22ccfe59b5f530564 ldap.conf.patch
+"
diff --git a/community/synapse/APKBUILD b/community/synapse/APKBUILD
index 7c911a72eb..dc9af70c11 100644
--- a/community/synapse/APKBUILD
+++ b/community/synapse/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Leo <thinkabit.ukim@gmail.com>
# Maintainer: Leo <thinkabit.ukim@gmail.com>
pkgname=synapse
-pkgver=1.30.1
+pkgver=1.34.0
pkgrel=0
pkgdesc="Matrix reference homeserver"
url="https://github.com/matrix-org/synapse"
@@ -57,6 +57,8 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/matrix-org/synapse/archive/v
"
# secfixes:
+# 1.34.0-r0:
+# - CVE-2021-29471
# 1.30.1-r0:
# - CVE-2021-3449
# 1.24.0-r0:
@@ -88,7 +90,9 @@ package() {
install -Dm644 "$srcdir"/synapse.confd "$pkgdir"/etc/conf.d/synapse
}
-sha512sums="6d697507bafba7685ba26c5dec93bec36ab20bc6d71585788c746da326d7be1ab3ac514b29dca09b70dcec7e68a68e092372f861e1c28e1f9b3aeb46d0f8185a synapse-1.30.1.tar.gz
+sha512sums="
+3b67725ac6ebc4b3b42bd46228f49d400eb41a71fd8b9dbbc8b1efad05e04c38ba6b51758c43d3d3c56df136ff91b59c22283d5766f4774d8d8e10ba8c5fa986 synapse-1.34.0.tar.gz
4fa4a7bdd80e3b1af0f546723a64cec3b6014c5d52cfb296c41e831f73f72489bd90a3938831c0fd25cdcb03b6e27b54dfd222e325fb30525c39f5c6996687ff synapse.initd
7c022f0e00c8ac363d6d2e003b6389fb06a3934f68390ebac156cb46bc1366585e6b6cda07b15176bc62a00f5bf21bfda153ff5418b07331257a7075102a6f83 synapse.confd
-a5ea37535b81da9371329faa5791fb025980ba3b7df70fe8c8cfe770625b128f8ecb406a89474e74396d01d70d4e7a62bcef7ff16f0ac92e6acc1291797ca175 relax-crypto-dep.patch"
+15c17c21fb11f536c6c8307751c5836ac9377dd71af2284d06586abe7776d4d3decb8d04baec019a3f06ac08bd89e510e4c42a619679f20150daaf005a5e0369 relax-crypto-dep.patch
+"
diff --git a/community/synapse/relax-crypto-dep.patch b/community/synapse/relax-crypto-dep.patch
index a5195039af..6d0e3c78ca 100644
--- a/community/synapse/relax-crypto-dep.patch
+++ b/community/synapse/relax-crypto-dep.patch
@@ -1,12 +1,16 @@
+Upstream: Not applicable
+Reason: relax dependency requirements as our version of cryptography
+ even if it is old does not bundle a vulnerable 'openssl'
+
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
-index 14ddaed..b279101 100644
+index 989523c..19a4167 100644
--- a/synapse/python_dependencies.py
+++ b/synapse/python_dependencies.py
-@@ -84,7 +84,7 @@ REQUIREMENTS = [
+@@ -86,7 +86,7 @@ REQUIREMENTS = [
"typing-extensions>=3.7.4",
# We enforce that we have a `cryptography` version that bundles an `openssl`
# with the latest security patches.
-- "cryptography>=3.4.7;python_version>='3.6'",
+- "cryptography>=3.4.7",
+ "cryptography",
]
diff --git a/community/tor/APKBUILD b/community/tor/APKBUILD
index fc6613d0c2..c8ddbb2ed0 100644
--- a/community/tor/APKBUILD
+++ b/community/tor/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Christine Dodrill <me@christine.website>
# Maintainer:
pkgname=tor
-pkgver=0.4.4.8
+pkgver=0.4.4.9
pkgrel=0
pkgdesc="Anonymous network connectivity"
url="https://www.torproject.org/"
@@ -26,6 +26,10 @@ case "$CARCH" in
esac
# secfixes:
+# 0.4.4.9-r0:
+# - CVE-2021-28548
+# - CVE-2021-28549
+# - CVE-2021-28550
# 0.4.4.8-r0:
# - CVE-2021-28089
# - CVE-2021-28090
@@ -70,7 +74,7 @@ package() {
"$pkgdir"/etc/conf.d/$pkgname
}
-sha512sums="5a0063afa7ab89e4b3a8ec281650e947c445fbad709fb79aa155ae6a487a8131b98ed6246f0a6c2902c8bb6749551c1e80016f710e3cb3d3a380d3f8b365d8c3 tor-0.4.4.8.tar.gz
+sha512sums="c2864c8c81c5bf0c6825841bfd6be3c1879e29b4796921b12304f094c9e889fbc60c3e0c2ca23838ecc9e153b7c9ba47052f3d692ce2e0f408f0a7b708961877 tor-0.4.4.9.tar.gz
6de4ada16ba58264a247da70343eabd763e992d6b6683977fc1c67b7b4a9731748a7ec9751e869ad4b4ae9c72cf71b2e12dc289bb6e2aee499917f7663f4a735 tor.initd
2b0de119bfdf9eb57e13317b7392190b1b8272c8f96023c71d3fc29215d887e9a3d0ffcef37cdb50b18d34e4b2251f75a739e258e0bb72aabd3339418b22fd67 tor.confd
da386ff7e387312e647f04d360517a1f4cb1efbee36f4a3a6feb89a979bb12fa350fe6dfed49af0cb076ae30bb0c527b5d54127683eaa5aa45d6940dddd89dfb torrc.sample.patch"
diff --git a/community/vault/APKBUILD b/community/vault/APKBUILD
index 81e9235658..b019f069e5 100644
--- a/community/vault/APKBUILD
+++ b/community/vault/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Christian Kampka <christian@kampka.net>
# Maintainer: Gennady Feldman <gena01@gmail.com>
pkgname=vault
-pkgver=1.5.8
+pkgver=1.5.9
pkgrel=0
pkgdesc="Vault is a tool for securely accessing secrets"
url="https://www.vaultproject.io/"
@@ -21,6 +21,8 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/hashicorp/vault/archive/v$pk
"
# secfixes:
+# 1.5.9-r0:
+# - CVE-2021-32923
# 1.5.8-r0:
# - CVE-2021-27668
# 1.5.7-r0:
@@ -62,8 +64,10 @@ package() {
install -m750 -o vault -g vault -d "$pkgdir/var/lib/$pkgname"
}
-sha512sums="db522b3a05851b32856ece9c8acf98aa2fbd20a4e4095ae9d63a99c1fb07ac03ad1d9ab72f18d865f872fb429a9019dc83049ae2f86cf85823655521f41f072d vault-1.5.8.tar.gz
+sha512sums="
+de5dfa9cb0ca41514fa5652d2cd3dacc312b1a6d9f2311823a1634dadb6bc4430d8124ac9089dd93f7277ff44f3fee37354b3ae48f8ece839ba859c89655510b vault-1.5.9.tar.gz
e551aa366287ca86436b14c72c254d739c2492dec7a877da135ba81bf2170bbe694f2ac98798d5855004a0aca406a27c1bdf0c791844f1bd330ea3a1160c6327 static-assets.patch
6f3f30e5c9d9dd5117f18fce0e669f0cd752a6be4910405d6b394f15273372731ee887a5ba4c700293e5b8bc2bf40fd69d4337156f77b03549d2dc2c0a666bec vault.confd
eed200a6db0686a9f9948a2fce151340125cddc209522b4b6de22c447c78296eaf948c80ee8fd241e0093df6409477f2de1aea23edb97f27a4427396fe03ad2f vault.hcl
-9a1846a10eff015cf7d4c8c2c20540c125213302925e54bdfae1c1ec9c43bf0e97b3433c041615c9fdc7d5e9468a0f606321991c597af3be92025bd5042c08df vault.initd"
+9a1846a10eff015cf7d4c8c2c20540c125213302925e54bdfae1c1ec9c43bf0e97b3433c041615c9fdc7d5e9468a0f606321991c597af3be92025bd5042c08df vault.initd
+"
diff --git a/community/wireshark/APKBUILD b/community/wireshark/APKBUILD
index 0345804009..544ae28f2b 100644
--- a/community/wireshark/APKBUILD
+++ b/community/wireshark/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wireshark
# 3.3.x is an experimental release for 3.4.x, stay on stable
-pkgver=3.4.5
+pkgver=3.4.6
pkgrel=0
pkgdesc="Network protocol analyzer"
url="https://www.wireshark.org"
@@ -42,6 +42,10 @@ source="https://www.wireshark.org/download/src/wireshark-$pkgver.tar.xz
"
# secfixes:
+# 3.4.6-r0:
+# - CVE-2021-22222
+# 3.4.5-r0:
+# - CVE-2021-22207
# 3.4.4-r0:
# - CVE-2021-22191
# 3.4.3-r0:
@@ -304,6 +308,6 @@ tshark() {
mv "$pkgdir"/usr/bin/tshark "$subpkgdir"/usr/bin/tshark
}
-sha512sums="f54d9287a48f09bbc085170791b5ca2dcc84cda55040f45f2c4a6abbe828548391e4a931536163c781e69843765a598bd29a240ad43276d0d1bb42d1cd23972a wireshark-3.4.5.tar.xz
-287159576be76fc8afbce450a53f969bbd519321e038c812b96857ca08c352052dbbfaa9208d54ed30d7a0c9ca4192b83c8865de60562c4490d99d75c61ede0b fix-udpdump.patch
+sha512sums="eac358bb6457ba704db364a8a8431652e8427f17f5a69d92195fe00afb8db028b92a6a36e216ee5f692621b1ad35ea2f6cebdb08076f091e76a04e048192b89d wireshark-3.4.6.tar.xz
+fb7594ee632174d12ab070a68f2d6070026e3111c164fc5815c03066efe960b31cde801b205087c672782f04aaabedd23979a4fb071db233879a820350a7c9d3 fix-udpdump.patch
3c907a037504d39a56766db37eecc9d5f968fdcb90c431e099b3f77e4ffc52fb65cb6c3896406aa939a846d526daf5676693ae5c2ff933e1d878e39ac074417a disable-tests.patch"
diff --git a/community/wireshark/fix-udpdump.patch b/community/wireshark/fix-udpdump.patch
index 08d11d3eec..4ae8ac0c21 100644
--- a/community/wireshark/fix-udpdump.patch
+++ b/community/wireshark/fix-udpdump.patch
@@ -1,8 +1,8 @@
--- a/extcap/udpdump.c
+++ b/extcap/udpdump.c
-@@ -50,6 +50,10 @@
- #include <wsutil/inet_addr.h>
- #include <wsutil/filesystem.h>
+@@ -45,6 +45,10 @@
+
+ #include <cli_main.h>
+#ifdef HAVE_SYS_TIME_H
+ #include <sys/time.h>
diff --git a/community/xpdf/APKBUILD b/community/xpdf/APKBUILD
index b71fdfede3..07684cab3d 100644
--- a/community/xpdf/APKBUILD
+++ b/community/xpdf/APKBUILD
@@ -1,10 +1,10 @@
# Contributor: Isaac Dunham <ibid.ag@gmail.com>
# Maintainer: Isaac Dunham <ibid.ag@gmail.com>
pkgname=xpdf
-pkgver=4.02
+pkgver=4.03
pkgrel=0
pkgdesc="The classic X11 PDF viewer"
-url="https://www.xpdfreader.com"
+url="https://www.xpdfreader.com/"
arch="all"
license="GPL-2.0-or-later OR GPL-3.0-or-later"
depends="ghostscript-fonts"
@@ -13,6 +13,11 @@ subpackages="$pkgname-doc"
source="https://dl.xpdfreader.com/xpdf-$pkgver.tar.gz
permissions.patch"
+# secfixes:
+# 4.03-r0:
+# - CVE-2020-25725
+# - CVE-2020-35376
+
build() {
if [ "$CBUILD" != "$CHOST" ]; then
CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux"
@@ -41,5 +46,5 @@ package() {
install -Dm644 doc/sample-xpdfrc "$pkgdir"/etc/xpdfrc
}
-sha512sums="72c9413fc7241dde5288137ca8a68c837d2a68e95e909dbe2afe8f374b5a7c92af4edf82918963d1c6388c947057fcf5f0ae1e6fbb2b31c3d5eb9a07d3c74ddc xpdf-4.02.tar.gz
+sha512sums="5f8478c2c4863a3c50f9b45a6fec73c7e67a74adbeaa651dd2e29982ea4cf050740874ee670672f985a323c12c28c968c16238c4238aeb52810a45e2728d622f xpdf-4.03.tar.gz
cf56bf9b4ccecc85fd34805454513b921bfe044442dad129178cde6f9ff2fae322bf0d71aaa69b9456aa0f41d639bc3a6aa2c7dcaae177013ac45e92f9fc3125 permissions.patch"
diff --git a/community/xrdp/APKBUILD b/community/xrdp/APKBUILD
index 495d81eeef..07fc925cc2 100644
--- a/community/xrdp/APKBUILD
+++ b/community/xrdp/APKBUILD
@@ -2,11 +2,12 @@
# Maintainer: Alan Lacerda <alacerda@alpinelinux.org>
pkgname=xrdp
pkgver=0.9.15
-pkgrel=0
+pkgrel=1
pkgdesc="Open source RDP server"
url="https://www.xrdp.org/"
arch="all"
license="Apache-2.0"
+install="$pkgname.post-install"
makedepends="autoconf automake libtool openssl-dev libx11-dev
libxfixes-dev libxrandr-dev libjpeg-turbo-dev fuse-dev linux-headers
nasm"
@@ -15,9 +16,12 @@ source="https://github.com/neutrinolabs/xrdp/releases/download/v$pkgver/xrdp-$pk
xrdp.initd
dynamic-link.patch
remove-werror.patch
+ openssl.conf
"
# secfixes:
+# 0.9.15-r1:
+# - CVE-2021-36158
# 0.9.13.1-r0:
# - CVE-2020-4044
@@ -47,12 +51,23 @@ build() {
package() {
make DESTDIR="$pkgdir" install
+ install -Dm0644 "$srcdir"/openssl.conf -t "$pkgdir"/etc/xrdp
+
install -m755 -D "$srcdir"/$pkgname.initd \
"$pkgdir"/etc/init.d/$pkgname
ln -s $pkgname $pkgdir/etc/init.d/$pkgname-sesman
+
+ # Remove keys and its configuration generated during the
+ # build process
+ rm -f \
+ "$pkgdir"/etc/xrdp/*.pem \
+ "$pkgdir"/etc/xrdp/rsakeys.ini
}
-sha512sums="5adc9f1ed2046d0c8c96e3ac4701b2e12b303fcb4ba22708e78398d4be32220b91a38d9425ddfebfad76045e14ed2d7886ed2b644971678101349b0ea0c479a6 xrdp-0.9.15.tar.gz
+sha512sums="
+5adc9f1ed2046d0c8c96e3ac4701b2e12b303fcb4ba22708e78398d4be32220b91a38d9425ddfebfad76045e14ed2d7886ed2b644971678101349b0ea0c479a6 xrdp-0.9.15.tar.gz
22b44398f4014ee67831051d1a1a859c6f4a601d75a03b33142ce7ea1e3f00082134337efb7da69e964f4a369d2b22114973221be2131f384f9459cc8e82fc13 xrdp.initd
c20de35c4623bcdeae2ba8a740f965b5f320c506ff9a7b9444ec0c8300af518fd3a84b8c28f6e775b7bab73bdac7433be9261d133fc767d953ac54cb2d3b0afd dynamic-link.patch
-e22d17ad3d7116707bd4259592960175cf7586637228f8c37d92e60430ae38bf71d10667688e2d1db123709a074480b1f2e4e6f279c6ef421cc1c20688cde816 remove-werror.patch"
+e22d17ad3d7116707bd4259592960175cf7586637228f8c37d92e60430ae38bf71d10667688e2d1db123709a074480b1f2e4e6f279c6ef421cc1c20688cde816 remove-werror.patch
+c06de34e3f926d3d580a54a95a97c0fb3069c9fbade65b23bf424609aabb2a42db68eaeaa9540716b93b8d96bc3e75616612eedfa6cd55e736eee3b79c585d4f openssl.conf
+"
diff --git a/community/xrdp/openssl.conf b/community/xrdp/openssl.conf
new file mode 100644
index 0000000000..faa269c379
--- /dev/null
+++ b/community/xrdp/openssl.conf
@@ -0,0 +1,46 @@
+[req]
+distinguished_name = req_distinguished_name
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
+# Run non-interactively
+prompt = no
+
+[req_distinguished_name]
+# Certificate subject
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Sunnyvale
+#organizationName = xrdp
+#organizationalUnitName =
+commonName = XRDP
+#emailAddress =
+
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical, CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+#keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName = email:copy
+# Copy issuer details
+#issuerAltName = issuer:copy
+
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+#basicConstraints = critical, DER:30:03:01:01:FF
diff --git a/community/xrdp/xrdp.post-install b/community/xrdp/xrdp.post-install
new file mode 100644
index 0000000000..0f3b702ab7
--- /dev/null
+++ b/community/xrdp/xrdp.post-install
@@ -0,0 +1,13 @@
+#!/bin/sh
+if [ ! -s /etc/xrdp/rsakeys.ini ]; then
+ (umask 377; touch /etc/xrdp/rsakeys.ini; /usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini)
+fi
+
+if [ ! -s /etc/xrdp/cert.pem ]; then
+ (umask 377; openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+ -keyout /etc/xrdp/key.pem \
+ -out /etc/xrdp/cert.pem \
+ -config /etc/xrdp/openssl.conf)
+fi
+
+exit 0
diff --git a/community/zabbix/APKBUILD b/community/zabbix/APKBUILD
index 9fdbba4b17..08f8c9e6fd 100644
--- a/community/zabbix/APKBUILD
+++ b/community/zabbix/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
pkgname=zabbix
-pkgver=5.2.6
+pkgver=5.2.7
pkgrel=0
pkgdesc="Enterprise-class open source distributed monitoring"
url="https://www.zabbix.com/"
@@ -254,7 +254,7 @@ agent2_openrc() {
"$subpkgdir"/etc/init.d/zabbix-agent2
}
-sha512sums="fc26bfc993a35c2976b1b8fd82d17472bd23c7497f4eec0b410aca439a6400e3466784edc95a3d2ccc0c764003aac9aa9f70c9246645ddb76f6ee086eba93578 zabbix-5.2.6.tar.gz
+sha512sums="7faa77fe387ac2589c0b28585c5c87b59f5324053eb3786f25860c237d67c10ca1afab7d8f8727eb9fb9d1c419a09b9565149a9d39e955fcc254eae18751a05a zabbix-5.2.7.tar.gz
9998ee172a28002d98bacc3f76038ff52b8cf2b206e101418d76b4ca3de94afaf92cb4f7a6235ecf177f74beb9dd3ea1f3983c4f164b4f60bb601acba65aa175 zabbix-server.initd
9c06527bf653c40585fa7eeb3f7a0b2fc454031d24cd0d1633aed87b78a681c5227a193c5b9fcfcea0839135874e27ba7dd9b198573f905f680a2856f79e9512 zabbix-server.confd
7beca0fc6e254c1692e0e74deb9eb3d06ac78f5f6b08f3ab0491861e11e09f00f57bb4d22e11517dab86456e87bd13110805bfb38a715d2f1e68549937b29c76 zabbix-agentd.initd
diff --git a/community/zbar/APKBUILD b/community/zbar/APKBUILD
index 068f87e8ce..d6496b0e83 100644
--- a/community/zbar/APKBUILD
+++ b/community/zbar/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Diego Queiroz <diego.queiroz@gmail.com>
pkgname=zbar
pkgver=0.23.1
-pkgrel=1
+pkgrel=2
pkgdesc="Port of ZBAR BAR CODE READER"
url="http://zbar.sourceforge.net/"
arch="all"
diff --git a/main/ansible/APKBUILD b/main/ansible/APKBUILD
index c327018fb9..f7e327866b 100644
--- a/main/ansible/APKBUILD
+++ b/main/ansible/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Takuya Noguchi <takninnovationresearch@gmail.com>
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=ansible
-pkgver=2.10.6
+pkgver=2.10.7
pkgrel=0
pkgdesc="A configuration-management, deployment, task-execution, and multinode orchestration framework"
url="https://ansible.com/"
@@ -15,6 +15,8 @@ makedepends="py3-setuptools"
source="https://pypi.python.org/packages/source/a/ansible/ansible-$pkgver.tar.gz"
# secfixes:
+# 2.10.7-r0:
+# - CVE-2021-20191
# 2.10.1-r0:
# - CVE-2020-25646
@@ -26,4 +28,6 @@ package() {
python3 setup.py install --prefix=/usr --root="$pkgdir"
}
-sha512sums="d5d2af728f3f6ff281e078fd4791c7278819d79d6c734f8e9d01fa549f0db25241045456d6aa6e8ccbceab4905039e7431c9db3aaaa89acb01ca599186963e24 ansible-2.10.6.tar.gz"
+sha512sums="
+7a6522bcc57c178c9c6e87e313f6f175d5c74ac0d1b9dd0cad5506c7fa0efb16d4a627dc2d9c73f988177544bd9ccfdbec162d0feacc757edeb20280d7414191 ansible-2.10.7.tar.gz
+"
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index 449d4a851e..dde873aec7 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.46
-pkgrel=3
+pkgver=2.4.48
+pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
arch="all"
@@ -51,6 +51,15 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.48-r0:
+# - CVE-2019-17657
+# - CVE-2020-13938
+# - CVE-2020-13950
+# - CVE-2020-35452
+# - CVE-2021-26690
+# - CVE-2021-26691
+# - CVE-2021-30641
+# - CVE-2021-31618
# 2.4.46-r0:
# - CVE-2020-9490
# - CVE-2020-11984
@@ -357,7 +366,8 @@ _lua() {
"$subpkgdir"/usr/lib/apache2/
_load_mods
}
-sha512sums="5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2
+sha512sums="
+6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724 httpd-2.4.48.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
@@ -375,4 +385,5 @@ a3936713f8ffcbf2bb633035873249b94fa8ace9fdb758405264f075f755fbcfec4d08794f79e469
eb09b3bcbab70f6a48d5efe8fc4bd62cc2b3f46def97c09d8454b846a065c02d18bd846313c421897c8d13be728e4b2ca790e2a5c5c6add3821d9e572bacfab2 0011-httpd.conf-IncludeOptional.patch
695742f569720d7bad9306acc40456de3a12ff2ff3a108499afc3fed2e8b13883027c6e14a3fac3efe387a70386b958605b5bbfd0147ec06bb87fad30f3b66fa 0012-httpd.conf-MIMEMagicFile.patch
efbba3c3475bebe5c63ce8d6eaf153cf2c46188e282a65830571c8b7dbc1e657ab9ce160dc82e331097ac483fe632f5201fde6f3f5de32fe5c52dcc7dee66216 0013-httpd-.conf-IfModule.patch
-56e7bb9743d153416b15c32bb5435e4cf85d84204a02f28767c8dcba08eec1ac302521d57ce74154d3e9f7a3644ab3f8a9318150e21f8559eb67e387087a0821 0014-httpd-.conf-LoadModule.patch"
+56e7bb9743d153416b15c32bb5435e4cf85d84204a02f28767c8dcba08eec1ac302521d57ce74154d3e9f7a3644ab3f8a9318150e21f8559eb67e387087a0821 0014-httpd-.conf-LoadModule.patch
+"
diff --git a/main/apk-tools/APKBUILD b/main/apk-tools/APKBUILD
index 586eb7a7ed..63660ecf8b 100644
--- a/main/apk-tools/APKBUILD
+++ b/main/apk-tools/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=apk-tools
-pkgver=2.12.5
+pkgver=2.12.6
pkgrel=0
pkgdesc="Alpine Package Keeper - package manager for alpine"
arch="all"
@@ -25,6 +25,8 @@ source="https://gitlab.alpinelinux.org/alpine/$pkgname/-/archive/v$pkgver/$pkgna
builddir="$srcdir/$pkgname-v$pkgver"
# secfixes:
+# 2.12.6-r0:
+# - CVE-2021-36159
# 2.12.5-r0:
# - CVE-2021-30139
# 2.7.2-r0:
@@ -83,5 +85,7 @@ luaapk() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/lib/
}
-sha512sums="478137f14617e97bdf79cd431812116b94270107d1473313fa94d5c258ed55c11234ad80cb6ba74e0134b0de0f25356d60f77966ecc5dbe5175415768718d1d8 apk-tools-v2.12.5.tar.gz
-102e6d01a984fb7a84c9432f797e4d8d2c90e9570dd26208b8485569ab471ea88a2cc81eabd3b3f7e4c9685a37afc458dec172a65b03c19c78a7efb598c54f45 _apk"
+sha512sums="
+ebdda710ed11ef404cf0e68a3842fcb7f12b329e870f1341039b3f1a0de12dfcad31228f59bc291e0542f1c1cf4e587e1613478f0d0fd930900bb689fbf52251 apk-tools-v2.12.6.tar.gz
+102e6d01a984fb7a84c9432f797e4d8d2c90e9570dd26208b8485569ab471ea88a2cc81eabd3b3f7e4c9685a37afc458dec172a65b03c19c78a7efb598c54f45 _apk
+"
diff --git a/main/aspell/APKBUILD b/main/aspell/APKBUILD
index 76612044f1..32023f5591 100644
--- a/main/aspell/APKBUILD
+++ b/main/aspell/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=aspell
pkgver=0.60.8
-pkgrel=0
+pkgrel=1
pkgdesc="A spell checker designed to eventually replace Ispell"
url="http://aspell.net/"
arch="all"
@@ -11,9 +11,12 @@ subpackages="$pkgname-compat::noarch $pkgname-utils $pkgname-dev $pkgname-doc
$pkgname-lang $pkgname-libs"
depends_dev="$pkgname-utils"
makedepends="ncurses-dev perl gettext-dev"
-source="https://ftp.gnu.org/gnu/aspell/aspell-$pkgver.tar.gz"
+source="https://ftp.gnu.org/gnu/aspell/aspell-$pkgver.tar.gz
+ CVE-2019-25051.patch"
# secfixes:
+# 0.60.8-r1:
+# - CVE-2019-25051
# 0.60.8-r0:
# - CVE-2019-17544
@@ -63,4 +66,7 @@ libs() {
rm -fr "$pkgdir"/usr/lib
}
-sha512sums="8ef4952c553b6234dfe777240d2d97beb13ef9201e18d56bee3b5068d13525db3625b7130d9f5122f7c529da0ccb0c70eb852a81472a7d15fb7c4ee5ba21cd29 aspell-0.60.8.tar.gz"
+sha512sums="
+8ef4952c553b6234dfe777240d2d97beb13ef9201e18d56bee3b5068d13525db3625b7130d9f5122f7c529da0ccb0c70eb852a81472a7d15fb7c4ee5ba21cd29 aspell-0.60.8.tar.gz
+529f3f4737d2e19f7571f4c8666b1cd089cc4e9dfdaa52dc468919f01ce9f8f8112d8fe8afda295b3dfb92f5e0c2bbd79bf1ec69f06c163c32eb28f0168ab263 CVE-2019-25051.patch
+"
diff --git a/main/aspell/CVE-2019-25051.patch b/main/aspell/CVE-2019-25051.patch
new file mode 100644
index 0000000000..2f15d380ec
--- /dev/null
+++ b/main/aspell/CVE-2019-25051.patch
@@ -0,0 +1,96 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+
+ namespace acommon {
+
+@@ -26,6 +27,12 @@ class ObjStack
+ byte * temp_end;
+ void setup_chunk();
+ void new_chunk();
++ bool will_overflow(size_t sz) const {
++ return offsetof(Node,data) + sz > chunk_size;
++ }
++ void check_size(size_t sz) {
++ assert(!will_overflow(sz));
++ }
+
+ ObjStack(const ObjStack &);
+ void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+ void * alloc_bottom(size_t size) {
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+ return tmp;
+ }
+ // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+ align_bottom(align);
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); goto loop;}
++ if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+ return tmp;
+ }
+ char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+ // always be aligned as such.
+ void * alloc_top(size_t size) {
+ top -= size;
+- if (top < bottom) {new_chunk(); top -= size;}
++ if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+ return top;
+ }
+ // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+ {loop:
+ top -= size;
+ align_top(align);
+- if (top < bottom) {new_chunk(); goto loop;}
++ if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+ return top;
+ }
+ char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+ void * alloc_temp(size_t size) {
+ temp_end = bottom + size;
+ if (temp_end > top) {
++ check_size(size);
+ new_chunk();
+ temp_end = bottom + size;
+ }
+@@ -131,6 +139,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
diff --git a/main/avahi/APKBUILD b/main/avahi/APKBUILD
index 87f02f9a66..e66c6af1ce 100644
--- a/main/avahi/APKBUILD
+++ b/main/avahi/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=avahi
pkgver=0.8
-pkgrel=2
+pkgrel=4
pkgdesc="A multicast/unicast DNS-SD framework"
url="https://www.avahi.org/"
arch="all"
@@ -20,9 +20,15 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-tools $pkgname-glib
$pkgname-compat-libdns_sd:lidns_sd $pkgname-lang
"
source="https://github.com/lathiat/avahi/releases/download/v$pkgver/avahi-$pkgver.tar.gz
+ CVE-2021-3468.patch
+ CVE-2021-36217.patch
"
# secfixes:
+# 0.8-r4:
+# - CVE-2021-36217
+# 0.8-r3:
+# - CVE-2021-3468
# 0.7-r2:
# - CVE-2017-6519
# - CVE-2018-1000845
@@ -118,4 +124,8 @@ lidns_sd() {
"$subpkgdir"/usr/lib/
}
-sha512sums="c6ba76feb6e92f70289f94b3bf12e5f5c66c11628ce0aeb3cadfb72c13a5d1a9bd56d71bdf3072627a76cd103b9b056d9131aa49ffe11fa334c24ab3b596c7de avahi-0.8.tar.gz"
+sha512sums="
+c6ba76feb6e92f70289f94b3bf12e5f5c66c11628ce0aeb3cadfb72c13a5d1a9bd56d71bdf3072627a76cd103b9b056d9131aa49ffe11fa334c24ab3b596c7de avahi-0.8.tar.gz
+743430a532b8ec246672cd0997b7831efc15c461cbfe0461faac5d6525293297efb7c06f759b2bcd71d1842ba165464fd334508534e6c247211d613061c49da5 CVE-2021-3468.patch
+9e4688ffd8e512c0f614fd24fff2a2a1c66e009069229a6f81dcd382edfff5a8635e0551533c7f9271973a87e62e199fdb34a5560dab27c0a328f531c94f757d CVE-2021-36217.patch
+"
diff --git a/main/avahi/CVE-2021-3468.patch b/main/avahi/CVE-2021-3468.patch
new file mode 100644
index 0000000000..3e0725a602
--- /dev/null
+++ b/main/avahi/CVE-2021-3468.patch
@@ -0,0 +1,37 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
diff --git a/main/avahi/CVE-2021-36217.patch b/main/avahi/CVE-2021-36217.patch
new file mode 100644
index 0000000000..7b0449a2e4
--- /dev/null
+++ b/main/avahi/CVE-2021-36217.patch
@@ -0,0 +1,148 @@
+From 9d31939e55280a733d930b15ac9e4dda4497680c Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Mon, 8 Feb 2021 11:04:43 +0200
+Subject: [PATCH] Fix NULL pointer crashes from #175
+
+avahi-daemon is crashing when running "ping .local".
+The crash is due to failing assertion from NULL pointer.
+Add missing NULL pointer checks to fix it.
+
+Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
+---
+ avahi-core/browse-dns-server.c | 5 ++++-
+ avahi-core/browse-domain.c | 5 ++++-
+ avahi-core/browse-service-type.c | 3 +++
+ avahi-core/browse-service.c | 3 +++
+ avahi-core/browse.c | 3 +++
+ avahi-core/resolve-address.c | 5 ++++-
+ avahi-core/resolve-host-name.c | 5 ++++-
+ avahi-core/resolve-service.c | 5 ++++-
+ 8 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/avahi-core/browse-dns-server.c b/avahi-core/browse-dns-server.c
+index 049752e9..c2d914fa 100644
+--- a/avahi-core/browse-dns-server.c
++++ b/avahi-core/browse-dns-server.c
+@@ -343,7 +343,10 @@ AvahiSDNSServerBrowser *avahi_s_dns_server_browser_new(
+ AvahiSDNSServerBrowser* b;
+
+ b = avahi_s_dns_server_browser_prepare(server, interface, protocol, domain, type, aprotocol, flags, callback, userdata);
++ if (!b)
++ return NULL;
++
+ avahi_s_dns_server_browser_start(b);
+
+ return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/browse-domain.c b/avahi-core/browse-domain.c
+index f145d56a..06fa70c0 100644
+--- a/avahi-core/browse-domain.c
++++ b/avahi-core/browse-domain.c
+@@ -253,7 +253,10 @@ AvahiSDomainBrowser *avahi_s_domain_browser_new(
+ AvahiSDomainBrowser *b;
+
+ b = avahi_s_domain_browser_prepare(server, interface, protocol, domain, type, flags, callback, userdata);
++ if (!b)
++ return NULL;
++
+ avahi_s_domain_browser_start(b);
+
+ return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c
+index fdd22dcd..b1fc7af8 100644
+--- a/avahi-core/browse-service-type.c
++++ b/avahi-core/browse-service-type.c
+@@ -171,6 +171,9 @@ AvahiSServiceTypeBrowser *avahi_s_service_type_browser_new(
+ AvahiSServiceTypeBrowser *b;
+
+ b = avahi_s_service_type_browser_prepare(server, interface, protocol, domain, flags, callback, userdata);
++ if (!b)
++ return NULL;
++
+ avahi_s_service_type_browser_start(b);
+
+ return b;
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 5531360c..63e0275a 100644
+--- a/avahi-core/browse-service.c
++++ b/avahi-core/browse-service.c
+@@ -184,6 +184,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_new(
+ AvahiSServiceBrowser *b;
+
+ b = avahi_s_service_browser_prepare(server, interface, protocol, service_type, domain, flags, callback, userdata);
++ if (!b)
++ return NULL;
++
+ avahi_s_service_browser_start(b);
+
+ return b;
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index 2941e579..e8a915e9 100644
+--- a/avahi-core/browse.c
++++ b/avahi-core/browse.c
+@@ -634,6 +634,9 @@ AvahiSRecordBrowser *avahi_s_record_browser_new(
+ AvahiSRecordBrowser *b;
+
+ b = avahi_s_record_browser_prepare(server, interface, protocol, key, flags, callback, userdata);
++ if (!b)
++ return NULL;
++
+ avahi_s_record_browser_start_query(b);
+
+ return b;
+diff --git a/avahi-core/resolve-address.c b/avahi-core/resolve-address.c
+index ac0b29b1..e61dd242 100644
+--- a/avahi-core/resolve-address.c
++++ b/avahi-core/resolve-address.c
+@@ -286,7 +286,10 @@ AvahiSAddressResolver *avahi_s_address_resolver_new(
+ AvahiSAddressResolver *b;
+
+ b = avahi_s_address_resolver_prepare(server, interface, protocol, address, flags, callback, userdata);
++ if (!b)
++ return NULL;
++
+ avahi_s_address_resolver_start(b);
+
+ return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/resolve-host-name.c b/avahi-core/resolve-host-name.c
+index 808b0e72..4e8e5973 100644
+--- a/avahi-core/resolve-host-name.c
++++ b/avahi-core/resolve-host-name.c
+@@ -318,7 +318,10 @@ AvahiSHostNameResolver *avahi_s_host_name_resolver_new(
+ AvahiSHostNameResolver *b;
+
+ b = avahi_s_host_name_resolver_prepare(server, interface, protocol, host_name, aprotocol, flags, callback, userdata);
++ if (!b)
++ return NULL;
++
+ avahi_s_host_name_resolver_start(b);
+
+ return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/resolve-service.c b/avahi-core/resolve-service.c
+index 66bf3cae..43771763 100644
+--- a/avahi-core/resolve-service.c
++++ b/avahi-core/resolve-service.c
+@@ -519,7 +519,10 @@ AvahiSServiceResolver *avahi_s_service_resolver_new(
+ AvahiSServiceResolver *b;
+
+ b = avahi_s_service_resolver_prepare(server, interface, protocol, name, type, domain, aprotocol, flags, callback, userdata);
++ if (!b)
++ return NULL;
++
+ avahi_s_service_resolver_start(b);
+
+ return b;
+-}
+\ No newline at end of file
++}
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index f71cf28a90..1cded17a4f 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -108,6 +108,8 @@ source="
# - CVE-2016-9131
# - CVE-2016-9147
# - CVE-2016-9444
+# 0:
+# - CVE-2019-6470
prepare() {
default_prepare
diff --git a/main/botan/APKBUILD b/main/botan/APKBUILD
index 7e50c9fbfb..58c7c54ebf 100644
--- a/main/botan/APKBUILD
+++ b/main/botan/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=botan
pkgver=2.11.0
-pkgrel=5
+pkgrel=6
pkgdesc="Crypto and TLS for C++11"
url="https://botan.randombit.net/"
arch="all"
@@ -10,10 +10,13 @@ license="BSD-2-Clause"
depends_dev="boost-dev bzip2-dev openssl-dev sqlite-dev xz-dev zlib-dev"
makedepends="$depends_dev python3"
subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
-source="https://botan.randombit.net/releases/Botan-$pkgver.tar.xz"
+source="https://botan.randombit.net/releases/Botan-$pkgver.tar.xz
+ CVE-2021-24115.patch"
builddir="$srcdir/Botan-$pkgver"
# secfixes:
+# 2.11.0-r6:
+# - CVE-2021-24115
# 2.9.0-r0:
# - CVE-2018-20187
# 2.7.0-r0:
@@ -51,4 +54,7 @@ package() {
rm -rf "$pkgdir"/usr/lib/python*
}
-sha512sums="a697a7f29788afc561cde35431e65e2f37e40fd45af89a6d060bf9988d28089905c6a1c005f9b23fb377547cd7a96a41f62c8d2f61a7f80d1ca1b9ccf857a2ce Botan-2.11.0.tar.xz"
+sha512sums="
+a697a7f29788afc561cde35431e65e2f37e40fd45af89a6d060bf9988d28089905c6a1c005f9b23fb377547cd7a96a41f62c8d2f61a7f80d1ca1b9ccf857a2ce Botan-2.11.0.tar.xz
+41fd0beab7aaf8965272129cdc6741e16061f754412c8c4bd9b4e56b29a3f375790aed6fc9bef11ad246ed46230ea4fcc7b3b5d6403c0f9d4cb6e9c9728c6764 CVE-2021-24115.patch
+"
diff --git a/main/botan/CVE-2021-24115.patch b/main/botan/CVE-2021-24115.patch
new file mode 100644
index 0000000000..8726df6b43
--- /dev/null
+++ b/main/botan/CVE-2021-24115.patch
@@ -0,0 +1,818 @@
+From 8f7846f60b2bee43990a27f4e725980742bbb48f Mon Sep 17 00:00:00 2001
+From: Jack Lloyd <jack@randombit.net>
+Date: Tue, 15 Dec 2020 06:59:08 -0500
+Subject: [PATCH] Backport of #2543 to release-2
+
+---
+ src/lib/codec/base32/base32.cpp | 167 ++++++++++++++++---------------
+ src/lib/codec/base58/base58.cpp | 129 +++++++++++++-----------
+ src/lib/codec/base64/base64.cpp | 172 ++++++++++++++++++--------------
+ src/lib/codec/hex/hex.cpp | 107 ++++++++++----------
+ src/lib/utils/ct_utils.h | 24 +++++
+ 5 files changed, 332 insertions(+), 267 deletions(-)
+
+diff --git a/src/lib/codec/base32/base32.cpp b/src/lib/codec/base32/base32.cpp
+index fc9883c86..224dae991 100644
+--- a/src/lib/codec/base32/base32.cpp
++++ b/src/lib/codec/base32/base32.cpp
+@@ -1,7 +1,7 @@
+ /*
+ * Base32 Encoding and Decoding
+ * (C) 2018 Erwan Chaussy
+-* (C) 2018 Jack Lloyd
++* (C) 2018,2020 Jack Lloyd
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ */
+@@ -9,6 +9,7 @@
+ #include <botan/base32.h>
+ #include <botan/internal/codec_base.h>
+ #include <botan/internal/rounding.h>
++#include <botan/internal/ct_utils.h>
+
+ namespace Botan {
+
+@@ -58,45 +59,11 @@ class Base32 final
+ return (round_up(input_length, m_encoding_bytes_out) * m_encoding_bytes_in) / m_encoding_bytes_out;
+ }
+
+- static void encode(char out[8], const uint8_t in[5]) noexcept
+- {
+- out[0] = Base32::m_bin_to_base32[(in[0] & 0xF8) >> 3];
+- out[1] = Base32::m_bin_to_base32[((in[0] & 0x07) << 2) | (in[1] >> 6)];
+- out[2] = Base32::m_bin_to_base32[((in[1] & 0x3E) >> 1)];
+- out[3] = Base32::m_bin_to_base32[((in[1] & 0x01) << 4) | (in[2] >> 4)];
+- out[4] = Base32::m_bin_to_base32[((in[2] & 0x0F) << 1) | (in[3] >> 7)];
+- out[5] = Base32::m_bin_to_base32[((in[3] & 0x7C) >> 2)];
+- out[6] = Base32::m_bin_to_base32[((in[3] & 0x03) << 3) | (in[4] >> 5)];
+- out[7] = Base32::m_bin_to_base32[in[4] & 0x1F];
+- }
++ static void encode(char out[8], const uint8_t in[5]) noexcept;
+
+- static inline uint8_t lookup_binary_value(char input) noexcept
+- {
+- return Base32::m_base32_to_bin[static_cast<uint8_t>(input)];
+- }
++ static uint8_t lookup_binary_value(char input) noexcept;
+
+- static inline bool check_bad_char(uint8_t bin, char input, bool ignore_ws)
+- {
+- if(bin <= 0x1F)
+- {
+- return true;
+- }
+- else if(!(bin == 0x81 || (bin == 0x80 && ignore_ws)))
+- {
+- std::string bad_char(1, input);
+- if(bad_char == "\t")
+- { bad_char = "\\t"; }
+- else if(bad_char == "\n")
+- { bad_char = "\\n"; }
+- else if(bad_char == "\r")
+- { bad_char = "\\r"; }
+-
+- throw Invalid_Argument(
+- std::string("base32_decode: invalid base32 character '") +
+- bad_char + "'");
+- }
+- return false;
+- }
++ static bool check_bad_char(uint8_t bin, char input, bool ignore_ws);
+
+ static void decode(uint8_t* out_ptr, const uint8_t decode_buf[8])
+ {
+@@ -116,55 +83,97 @@ class Base32 final
+ static const size_t m_encoding_bits = 5;
+ static const size_t m_remaining_bits_before_padding = 6;
+
+-
+ static const size_t m_encoding_bytes_in = 5;
+ static const size_t m_encoding_bytes_out = 8;
++ };
+
++namespace {
+
+- static const uint8_t m_bin_to_base32[32];
+- static const uint8_t m_base32_to_bin[256];
+- };
++char lookup_base32_char(uint8_t x)
++ {
++ BOTAN_DEBUG_ASSERT(x < 32);
++
++ const auto in_AZ = CT::Mask<uint8_t>::is_lt(x, 26);
++
++ const char c_AZ = 'A' + x;
++ const char c_27 = '2' + (x - 26);
++
++ return in_AZ.select(c_AZ, c_27);
++ }
++
++}
+
+-const uint8_t Base32::m_bin_to_base32[32] =
++//static
++void Base32::encode(char out[8], const uint8_t in[5]) noexcept
+ {
+- 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
+- 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
+- '2', '3', '4', '5', '6', '7'
+- };
++ const uint8_t b0 = (in[0] & 0xF8) >> 3;
++ const uint8_t b1 = ((in[0] & 0x07) << 2) | (in[1] >> 6);
++ const uint8_t b2 = ((in[1] & 0x3E) >> 1);
++ const uint8_t b3 = ((in[1] & 0x01) << 4) | (in[2] >> 4);
++ const uint8_t b4 = ((in[2] & 0x0F) << 1) | (in[3] >> 7);
++ const uint8_t b5 = ((in[3] & 0x7C) >> 2);
++ const uint8_t b6 = ((in[3] & 0x03) << 3) | (in[4] >> 5);
++ const uint8_t b7 = in[4] & 0x1F;
++
++ out[0] = lookup_base32_char(b0);
++ out[1] = lookup_base32_char(b1);
++ out[2] = lookup_base32_char(b2);
++ out[3] = lookup_base32_char(b3);
++ out[4] = lookup_base32_char(b4);
++ out[5] = lookup_base32_char(b5);
++ out[6] = lookup_base32_char(b6);
++ out[7] = lookup_base32_char(b7);
++ }
+
+-/*
+-* base32 Decoder Lookup Table
+-* Warning: assumes ASCII encodings
+-*/
+-const uint8_t Base32::m_base32_to_bin[256] =
++//static
++uint8_t Base32::lookup_binary_value(char input) noexcept
+ {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80,
+- 0x80, 0xFF, 0xFF, 0x80, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0x80, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0x81, 0xFF, 0xFF, 0xFF, 0x00, 0x01, 0x02, 0x03, 0x04,
+- 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
+- 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+- 0x19, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+- };
++ const uint8_t c = static_cast<uint8_t>(input);
++
++ const auto is_alpha_upper = CT::Mask<uint8_t>::is_within_range(c, uint8_t('A'), uint8_t('Z'));
++ const auto is_decimal = CT::Mask<uint8_t>::is_within_range(c, uint8_t('2'), uint8_t('7'));
++
++ const auto is_equal = CT::Mask<uint8_t>::is_equal(c, uint8_t('='));
++ const auto is_whitespace = CT::Mask<uint8_t>::is_any_of(c, {
++ uint8_t(' '), uint8_t('\t'), uint8_t('\n'), uint8_t('\r')
++ });
++
++ const uint8_t c_upper = c - uint8_t('A');
++ const uint8_t c_decim = c - uint8_t('2') + 26;
++
++ uint8_t ret = 0xFF; // default value
++
++ ret = is_alpha_upper.select(c_upper, ret);
++ ret = is_decimal.select(c_decim, ret);
++ ret = is_equal.select(0x81, ret);
++ ret = is_whitespace.select(0x80, ret);
++
++ return ret;
++ }
++
++//static
++bool Base32::check_bad_char(uint8_t bin, char input, bool ignore_ws)
++ {
++ if(bin <= 0x1F)
++ {
++ return true;
++ }
++ else if(!(bin == 0x81 || (bin == 0x80 && ignore_ws)))
++ {
++ std::string bad_char(1, input);
++ if(bad_char == "\t")
++ { bad_char = "\\t"; }
++ else if(bad_char == "\n")
++ { bad_char = "\\n"; }
++ else if(bad_char == "\r")
++ { bad_char = "\\r"; }
++
++ throw Invalid_Argument(
++ std::string("base32_decode: invalid base32 character '") +
++ bad_char + "'");
++ }
++ return false;
++ }
+
+ }
+
+diff --git a/src/lib/codec/base58/base58.cpp b/src/lib/codec/base58/base58.cpp
+index 5aa9441d3..a6d509012 100644
+--- a/src/lib/codec/base58/base58.cpp
++++ b/src/lib/codec/base58/base58.cpp
+@@ -1,5 +1,5 @@
+ /*
+-* (C) 2018 Jack Lloyd
++* (C) 2018,2020 Jack Lloyd
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ */
+@@ -9,6 +9,7 @@
+ #include <botan/bigint.h>
+ #include <botan/divide.h>
+ #include <botan/loadstor.h>
++#include <botan/internal/ct_utils.h>
+ #include <botan/hash.h>
+
+ namespace Botan {
+@@ -30,73 +31,52 @@ uint32_t sha256_d_checksum(const uint8_t input[], size_t input_length)
+ return load_be<uint32_t>(checksum.data(), 0);
+ }
+
+-class Character_Table
++char lookup_base58_char(uint8_t x)
+ {
+- public:
+- // This must be a literal constant
+- Character_Table(const char* alphabet) :
+- m_alphabet(alphabet)
+- {
+- const size_t alpha_len = std::strlen(alphabet);
+-
+- // 128 or up would flow into 0x80 invalid bit
+- if(alpha_len == 0 || alpha_len >= 128)
+- throw Invalid_Argument("Bad Character_Table string");
+-
+- m_alphabet_len = static_cast<uint8_t>(alpha_len);
+-
+- set_mem(m_tab, 256, 0x80);
+-
+- for(size_t i = 0; m_alphabet[i]; ++i)
+- {
+- const uint8_t b = static_cast<uint8_t>(m_alphabet[i]);
+- BOTAN_ASSERT(m_tab[b] == 0x80, "No duplicate chars");
+- m_tab[b] = static_cast<uint8_t>(i);
+- }
+- }
+-
+- uint8_t radix() const { return m_alphabet_len; }
+-
+- char operator[](size_t i) const
+- {
+- BOTAN_ASSERT(i < m_alphabet_len, "Character in range");
+- return m_alphabet[i];
+- }
+-
+- uint8_t code_for(char c) const
+- {
+- return m_tab[static_cast<uint8_t>(c)];
+- }
+-
+- private:
+- const char* m_alphabet;
+- uint8_t m_alphabet_len;
+- uint8_t m_tab[256];
+- };
+-
+-static const Character_Table& BASE58_ALPHA()
+- {
+- static const Character_Table base58_alpha("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz");
+- return base58_alpha;
++ // "123456789 ABCDEFGH JKLMN PQRSTUVWXYZ abcdefghijk mnopqrstuvwxyz"
++ BOTAN_DEBUG_ASSERT(x < 58);
++
++ const auto is_dec_19 = CT::Mask<uint8_t>::is_lte(x, 8);
++ const auto is_alpha_AH = CT::Mask<uint8_t>::is_within_range(x, 9, 16);
++ const auto is_alpha_JN = CT::Mask<uint8_t>::is_within_range(x, 17, 21);
++ const auto is_alpha_PZ = CT::Mask<uint8_t>::is_within_range(x, 22, 32);
++ const auto is_alpha_ak = CT::Mask<uint8_t>::is_within_range(x, 33, 43);
++ // otherwise in 'm'-'z'
++
++ const char c_19 = '1' + x;
++ const char c_AH = 'A' + (x - 9);
++ const char c_JN = 'J' + (x - 17);
++ const char c_PZ = 'P' + (x - 22);
++ const char c_ak = 'a' + (x - 33);
++ const char c_mz = 'm' + (x - 44);
++
++ char ret = c_mz;
++ ret = is_dec_19.select(c_19, ret);
++ ret = is_alpha_AH.select(c_AH, ret);
++ ret = is_alpha_JN.select(c_JN, ret);
++ ret = is_alpha_PZ.select(c_PZ, ret);
++ ret = is_alpha_ak.select(c_ak, ret);
++
++ return ret;
+ }
+
+ std::string base58_encode(BigInt v, size_t leading_zeros)
+ {
+- const auto base58 = BASE58_ALPHA();
++ const uint8_t radix = 58;
+
+ std::string result;
+ BigInt q;
+- uint8_t r;
+
+ while(v.is_nonzero())
+ {
+- ct_divide_u8(v, base58.radix(), q, r);
+- result.push_back(base58[r]);
++ uint8_t r;
++ ct_divide_u8(v, radix, q, r);
++ result.push_back(lookup_base58_char(r));
+ v.swap(q);
+ }
+
+ for(size_t i = 0; i != leading_zeros; ++i)
+- result.push_back(base58[0]);
++ result.push_back('1'); // 'zero' byte
+
+ return std::string(result.rbegin(), result.rend());
+ }
+@@ -112,6 +92,39 @@ size_t count_leading_zeros(const T input[], size_t input_length, Z zero)
+ return leading_zeros;
+ }
+
++uint8_t base58_value_of(char input)
++ {
++ // "123456789 ABCDEFGH JKLMN PQRSTUVWXYZ abcdefghijk mnopqrstuvwxyz"
++
++ const uint8_t c = static_cast<uint8_t>(input);
++
++ const auto is_dec_19 = CT::Mask<uint8_t>::is_within_range(c, uint8_t('1'), uint8_t('9'));
++ const auto is_alpha_AH = CT::Mask<uint8_t>::is_within_range(c, uint8_t('A'), uint8_t('H'));
++ const auto is_alpha_JN = CT::Mask<uint8_t>::is_within_range(c, uint8_t('J'), uint8_t('N'));
++ const auto is_alpha_PZ = CT::Mask<uint8_t>::is_within_range(c, uint8_t('P'), uint8_t('Z'));
++
++ const auto is_alpha_ak = CT::Mask<uint8_t>::is_within_range(c, uint8_t('a'), uint8_t('k'));
++ const auto is_alpha_mz = CT::Mask<uint8_t>::is_within_range(c, uint8_t('m'), uint8_t('z'));
++
++ const uint8_t c_dec_19 = c - uint8_t('1');
++ const uint8_t c_AH = c - uint8_t('A') + 9;
++ const uint8_t c_JN = c - uint8_t('J') + 17;
++ const uint8_t c_PZ = c - uint8_t('P') + 22;
++
++ const uint8_t c_ak = c - uint8_t('a') + 33;
++ const uint8_t c_mz = c - uint8_t('m') + 44;
++
++ uint8_t ret = 0xFF; // default value
++
++ ret = is_dec_19.select(c_dec_19, ret);
++ ret = is_alpha_AH.select(c_AH, ret);
++ ret = is_alpha_JN.select(c_JN, ret);
++ ret = is_alpha_PZ.select(c_PZ, ret);
++ ret = is_alpha_ak.select(c_ak, ret);
++ ret = is_alpha_mz.select(c_mz, ret);
++ return ret;
++ }
++
+ }
+
+ std::string base58_encode(const uint8_t input[], size_t input_length)
+@@ -130,9 +143,7 @@ std::string base58_check_encode(const uint8_t input[], size_t input_length)
+
+ std::vector<uint8_t> base58_decode(const char input[], size_t input_length)
+ {
+- const auto base58 = BASE58_ALPHA();
+-
+- const size_t leading_zeros = count_leading_zeros(input, input_length, base58[0]);
++ const size_t leading_zeros = count_leading_zeros(input, input_length, '1');
+
+ BigInt v;
+
+@@ -143,12 +154,12 @@ std::vector<uint8_t> base58_decode(const char input[], size_t input_length)
+ if(c == ' ' || c == '\n')
+ continue;
+
+- const size_t idx = base58.code_for(c);
++ const uint8_t idx = base58_value_of(c);
+
+- if(idx == 0x80)
++ if(idx == 0xFF)
+ throw Decoding_Error("Invalid base58");
+
+- v *= base58.radix();
++ v *= 58;
+ v += idx;
+ }
+
+diff --git a/src/lib/codec/base64/base64.cpp b/src/lib/codec/base64/base64.cpp
+index b4f78bca0..bb286cc6e 100644
+--- a/src/lib/codec/base64/base64.cpp
++++ b/src/lib/codec/base64/base64.cpp
+@@ -1,6 +1,6 @@
+ /*
+ * Base64 Encoding and Decoding
+-* (C) 2010,2015 Jack Lloyd
++* (C) 2010,2015,2020 Jack Lloyd
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ */
+@@ -9,6 +9,7 @@
+ #include <botan/internal/codec_base.h>
+ #include <botan/exceptn.h>
+ #include <botan/internal/rounding.h>
++#include <botan/internal/ct_utils.h>
+
+ namespace Botan {
+
+@@ -58,41 +59,11 @@ class Base64 final
+ return (round_up(input_length, m_encoding_bytes_out) * m_encoding_bytes_in) / m_encoding_bytes_out;
+ }
+
+- static void encode(char out[8], const uint8_t in[5]) noexcept
+- {
+- out[0] = Base64::m_bin_to_base64[(in[0] & 0xFC) >> 2];
+- out[1] = Base64::m_bin_to_base64[((in[0] & 0x03) << 4) | (in[1] >> 4)];
+- out[2] = Base64::m_bin_to_base64[((in[1] & 0x0F) << 2) | (in[2] >> 6)];
+- out[3] = Base64::m_bin_to_base64[in[2] & 0x3F];
+- }
++ static void encode(char out[8], const uint8_t in[5]) noexcept;
+
+- static inline uint8_t lookup_binary_value(char input) noexcept
+- {
+- return Base64::m_base64_to_bin[static_cast<uint8_t>(input)];
+- }
++ static uint8_t lookup_binary_value(char input) noexcept;
+
+- static inline bool check_bad_char(uint8_t bin, char input, bool ignore_ws)
+- {
+- if(bin <= 0x3F)
+- {
+- return true;
+- }
+- else if(!(bin == 0x81 || (bin == 0x80 && ignore_ws)))
+- {
+- std::string bad_char(1, input);
+- if(bad_char == "\t")
+- { bad_char = "\\t"; }
+- else if(bad_char == "\n")
+- { bad_char = "\\n"; }
+- else if(bad_char == "\r")
+- { bad_char = "\\r"; }
+-
+- throw Invalid_Argument(
+- std::string("base64_decode: invalid base64 character '") +
+- bad_char + "'");
+- }
+- return false;
+- }
++ static bool check_bad_char(uint8_t bin, char input, bool ignore_ws);
+
+ static void decode(uint8_t* out_ptr, const uint8_t decode_buf[4])
+ {
+@@ -110,57 +81,104 @@ class Base64 final
+ static const size_t m_encoding_bits = 6;
+ static const size_t m_remaining_bits_before_padding = 8;
+
+-
+ static const size_t m_encoding_bytes_in = 3;
+ static const size_t m_encoding_bytes_out = 4;
++ };
+
++char lookup_base64_char(uint8_t x)
++ {
++ BOTAN_DEBUG_ASSERT(x < 64);
++
++ const auto in_az = CT::Mask<uint8_t>::is_within_range(x, 26, 51);
++ const auto in_09 = CT::Mask<uint8_t>::is_within_range(x, 52, 61);
++ const auto eq_plus = CT::Mask<uint8_t>::is_equal(x, 62);
++ const auto eq_slash = CT::Mask<uint8_t>::is_equal(x, 63);
++
++ const char c_AZ = 'A' + x;
++ const char c_az = 'a' + (x - 26);
++ const char c_09 = '0' + (x - 2*26);
++ const char c_plus = '+';
++ const char c_slash = '/';
++
++ char ret = c_AZ;
++ ret = in_az.select(c_az, ret);
++ ret = in_09.select(c_09, ret);
++ ret = eq_plus.select(c_plus, ret);
++ ret = eq_slash.select(c_slash, ret);
++
++ return ret;
++ }
+
+- static const uint8_t m_bin_to_base64[64];
+- static const uint8_t m_base64_to_bin[256];
+- };
++//static
++void Base64::encode(char out[8], const uint8_t in[5]) noexcept
++ {
++ const uint8_t b0 = (in[0] & 0xFC) >> 2;
++ const uint8_t b1 = ((in[0] & 0x03) << 4) | (in[1] >> 4);
++ const uint8_t b2 = ((in[1] & 0x0F) << 2) | (in[2] >> 6);
++ const uint8_t b3 = in[2] & 0x3F;
++ out[0] = lookup_base64_char(b0);
++ out[1] = lookup_base64_char(b1);
++ out[2] = lookup_base64_char(b2);
++ out[3] = lookup_base64_char(b3);
++ }
+
+-const uint8_t Base64::m_bin_to_base64[64] =
++//static
++uint8_t Base64::lookup_binary_value(char input) noexcept
+ {
+- 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
+- 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
+- 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
+- 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
+- '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/'
+- };
++ const uint8_t c = static_cast<uint8_t>(input);
++ const auto is_alpha_upper = CT::Mask<uint8_t>::is_within_range(c, uint8_t('A'), uint8_t('Z'));
++ const auto is_alpha_lower = CT::Mask<uint8_t>::is_within_range(c, uint8_t('a'), uint8_t('z'));
++ const auto is_decimal = CT::Mask<uint8_t>::is_within_range(c, uint8_t('0'), uint8_t('9'));
++
++ const auto is_plus = CT::Mask<uint8_t>::is_equal(c, uint8_t('+'));
++ const auto is_slash = CT::Mask<uint8_t>::is_equal(c, uint8_t('/'));
++ const auto is_equal = CT::Mask<uint8_t>::is_equal(c, uint8_t('='));
++
++ const auto is_whitespace = CT::Mask<uint8_t>::is_any_of(c, {
++ uint8_t(' '), uint8_t('\t'), uint8_t('\n'), uint8_t('\r')
++ });
++
++ const uint8_t c_upper = c - uint8_t('A');
++ const uint8_t c_lower = c - uint8_t('a') + 26;
++ const uint8_t c_decim = c - uint8_t('0') + 2*26;
++
++ uint8_t ret = 0xFF; // default value
++
++ ret = is_alpha_upper.select(c_upper, ret);
++ ret = is_alpha_lower.select(c_lower, ret);
++ ret = is_decimal.select(c_decim, ret);
++ ret = is_plus.select(62, ret);
++ ret = is_slash.select(63, ret);
++ ret = is_equal.select(0x81, ret);
++ ret = is_whitespace.select(0x80, ret);
++
++ return ret;
++ }
+
+-/*
+-* base64 Decoder Lookup Table
+-* Warning: assumes ASCII encodings
+-*/
+-const uint8_t Base64::m_base64_to_bin[256] =
++//static
++bool Base64::check_bad_char(uint8_t bin, char input, bool ignore_ws)
+ {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80,
+- 0x80, 0xFF, 0xFF, 0x80, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0x80, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0x3E, 0xFF, 0xFF, 0xFF, 0x3F, 0x34, 0x35,
+- 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0xFF, 0xFF,
+- 0xFF, 0x81, 0xFF, 0xFF, 0xFF, 0x00, 0x01, 0x02, 0x03, 0x04,
+- 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
+- 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+- 0x19, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x1A, 0x1B, 0x1C,
+- 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26,
+- 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30,
+- 0x31, 0x32, 0x33, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+- };
++ if(bin <= 0x3F)
++ {
++ return true;
++ }
++ else if(!(bin == 0x81 || (bin == 0x80 && ignore_ws)))
++ {
++ std::string bad_char(1, input);
++ if(bad_char == "\t")
++ { bad_char = "\\t"; }
++ else if(bad_char == "\n")
++ { bad_char = "\\n"; }
++ else if(bad_char == "\r")
++ { bad_char = "\\r"; }
++
++ throw Invalid_Argument(
++ std::string("base64_decode: invalid base64 character '") +
++ bad_char + "'");
++ }
++ return false;
++ }
++
+ }
+
+ size_t base64_encode(char out[],
+diff --git a/src/lib/codec/hex/hex.cpp b/src/lib/codec/hex/hex.cpp
+index 6bbd7c28e..1ae21f398 100644
+--- a/src/lib/codec/hex/hex.cpp
++++ b/src/lib/codec/hex/hex.cpp
+@@ -1,6 +1,6 @@
+ /*
+ * Hex Encoding and Decoding
+-* (C) 2010 Jack Lloyd
++* (C) 2010,2020 Jack Lloyd
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ */
+@@ -8,29 +8,38 @@
+ #include <botan/hex.h>
+ #include <botan/mem_ops.h>
+ #include <botan/exceptn.h>
++#include <botan/internal/ct_utils.h>
+
+ namespace Botan {
+
++namespace {
++
++char hex_encode_nibble(uint8_t n, bool uppercase)
++ {
++ BOTAN_DEBUG_ASSERT(n <= 15);
++
++ const auto in_09 = CT::Mask<uint8_t>::is_lt(n, 10);
++
++ const char c_09 = n + '0';
++ const char c_af = n + (uppercase ? 'A' : 'a') - 10;
++
++ return in_09.select(c_09, c_af);
++ }
++
++}
++
+ void hex_encode(char output[],
+ const uint8_t input[],
+ size_t input_length,
+ bool uppercase)
+ {
+- static const uint8_t BIN_TO_HEX_UPPER[16] = {
+- '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
+- 'A', 'B', 'C', 'D', 'E', 'F' };
+-
+- static const uint8_t BIN_TO_HEX_LOWER[16] = {
+- '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
+- 'a', 'b', 'c', 'd', 'e', 'f' };
+-
+- const uint8_t* tbl = uppercase ? BIN_TO_HEX_UPPER : BIN_TO_HEX_LOWER;
+-
+ for(size_t i = 0; i != input_length; ++i)
+ {
+- uint8_t x = input[i];
+- output[2*i ] = tbl[(x >> 4) & 0x0F];
+- output[2*i+1] = tbl[(x ) & 0x0F];
++ const uint8_t n0 = (input[i] >> 4) & 0xF;
++ const uint8_t n1 = (input[i] ) & 0xF;
++
++ output[2*i ] = hex_encode_nibble(n0, uppercase);
++ output[2*i+1] = hex_encode_nibble(n1, uppercase);
+ }
+ }
+
+@@ -46,49 +55,43 @@ std::string hex_encode(const uint8_t input[],
+ return output;
+ }
+
++namespace {
++
++uint8_t hex_char_to_bin(char input)
++ {
++ const uint8_t c = static_cast<uint8_t>(input);
++
++ const auto is_alpha_upper = CT::Mask<uint8_t>::is_within_range(c, uint8_t('A'), uint8_t('F'));
++ const auto is_alpha_lower = CT::Mask<uint8_t>::is_within_range(c, uint8_t('a'), uint8_t('f'));
++ const auto is_decimal = CT::Mask<uint8_t>::is_within_range(c, uint8_t('0'), uint8_t('9'));
++
++ const auto is_whitespace = CT::Mask<uint8_t>::is_any_of(c, {
++ uint8_t(' '), uint8_t('\t'), uint8_t('\n'), uint8_t('\r')
++ });
++
++ const uint8_t c_upper = c - uint8_t('A') + 10;
++ const uint8_t c_lower = c - uint8_t('a') + 10;
++ const uint8_t c_decim = c - uint8_t('0');
++
++ uint8_t ret = 0xFF; // default value
++
++ ret = is_alpha_upper.select(c_upper, ret);
++ ret = is_alpha_lower.select(c_lower, ret);
++ ret = is_decimal.select(c_decim, ret);
++ ret = is_whitespace.select(0x80, ret);
++
++ return ret;
++ }
++
++}
++
++
+ size_t hex_decode(uint8_t output[],
+ const char input[],
+ size_t input_length,
+ size_t& input_consumed,
+ bool ignore_ws)
+ {
+- /*
+- * Mapping of hex characters to either their binary equivalent
+- * or to an error code.
+- * If valid hex (0-9 A-F a-f), the value.
+- * If whitespace, then 0x80
+- * Otherwise 0xFF
+- * Warning: this table assumes ASCII character encodings
+- */
+-
+- static const uint8_t HEX_TO_BIN[256] = {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80,
+- 0x80, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0x80, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x01,
+- 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
+- 0x0F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0A, 0x0B, 0x0C,
+- 0x0D, 0x0E, 0x0F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
+-
+ uint8_t* out_ptr = output;
+ bool top_nibble = true;
+
+@@ -96,7 +99,7 @@ size_t hex_decode(uint8_t output[],
+
+ for(size_t i = 0; i != input_length; ++i)
+ {
+- const uint8_t bin = HEX_TO_BIN[static_cast<uint8_t>(input[i])];
++ const uint8_t bin = hex_char_to_bin(input[i]);
+
+ if(bin >= 0x10)
+ {
+diff --git a/src/lib/utils/ct_utils.h b/src/lib/utils/ct_utils.h
+index 17737a97c..f2e745293 100644
+--- a/src/lib/utils/ct_utils.h
++++ b/src/lib/utils/ct_utils.h
+@@ -183,6 +183,30 @@ class Mask
+ return ~Mask<T>::is_lt(x, y);
+ }
+
++ static Mask<T> is_within_range(T v, T l, T u)
++ {
++ //return Mask<T>::is_gte(v, l) & Mask<T>::is_lte(v, u);
++
++ const T v_lt_l = v^((v^l) | ((v-l)^v));
++ const T v_gt_u = u^((u^v) | ((u-v)^u));
++ const T either = v_lt_l | v_gt_u;
++ return ~Mask<T>(expand_top_bit(either));
++ }
++
++ static Mask<T> is_any_of(T v, std::initializer_list<T> accepted)
++ {
++ T accept = 0;
++
++ for(auto a: accepted)
++ {
++ const T diff = a ^ v;
++ const T eq_zero = ~diff & (diff - 1);
++ accept |= eq_zero;
++ }
++
++ return Mask<T>(expand_top_bit(accept));
++ }
++
+ /**
+ * AND-combine two masks
+ */
+--
+2.31.1
+
diff --git a/main/cifs-utils/APKBUILD b/main/cifs-utils/APKBUILD
index 836599ab17..ebfb0afccc 100644
--- a/main/cifs-utils/APKBUILD
+++ b/main/cifs-utils/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=cifs-utils
-pkgver=6.12
+pkgver=6.13
pkgrel=0
pkgdesc="CIFS filesystem user-space tools"
url="https://wiki.samba.org/index.php/LinuxCIFS_utils"
@@ -17,6 +17,8 @@ source="https://ftp.samba.org/pub/linux-cifs/cifs-utils/cifs-utils-$pkgver.tar.b
options="suid"
# secfixes:
+# 6.13-r0:
+# - CVE-2021-20208
# 6.11-r0:
# - CVE-2020-14342 (Not affected, requires --with-systemd)
@@ -44,6 +46,8 @@ package() {
chmod +s $pkgdir/sbin/mount.cifs
}
-sha512sums="2f2e1cba8d56c9039fc28236fa63812a09f07f14931c3bd7bd5ae3e6aeb372130c5a059569d8714fb973bea87eba394fd30228fbaeabe700961bba400dd01ca6 cifs-utils-6.12.tar.bz2
+sha512sums="
+1337ac4b69f0c3e8d0241eb608207ba81dfa35f84c661649d25da78637882c4d73467b0f632be0bd120362e0b786e40eb340bffcf21c8a09629c441100fd10de cifs-utils-6.13.tar.bz2
99a2fab05bc2f14a600f89526ae0ed2c183cfa179fe386cb327075f710aee3aed5ae823f7c2f51913d1217c2371990d6d4609fdb8d80288bd3a6139df3c8aebe musl-fix-includes.patch
-2a9366ec1ddb0389c535d2fa889f63287cb8374535a47232de102c7e50b6874f67a3d5ef3318df23733300fd8459c7ec4b11f3211508aca7800b756119308e98 xattr_size_max.patch"
+2a9366ec1ddb0389c535d2fa889f63287cb8374535a47232de102c7e50b6874f67a3d5ef3318df23733300fd8459c7ec4b11f3211508aca7800b756119308e98 xattr_size_max.patch
+"
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index d68e224c2c..5976f05ee0 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
-pkgver=7.76.1
+pkgver=7.78.0
pkgrel=0
pkgdesc="URL retrival utility and library"
url="https://curl.se/"
@@ -19,6 +19,14 @@ source="https://curl.se/download/curl-$pkgver.tar.xz"
options="net" # Required for running tests
# secfixes:
+# 7.78.0-r0:
+# - CVE-2021-22922
+# - CVE-2021-22923
+# - CVE-2021-22924
+# - CVE-2021-22925
+# 7.77.0-r0:
+# - CVE-2021-22898
+# - CVE-2021-22901
# 7.76.0-r0:
# - CVE-2021-22876
# - CVE-2021-22890
@@ -97,6 +105,8 @@ options="net" # Required for running tests
# 7.36.0-r0:
# - CVE-2014-0138
# - CVE-2014-0139
+# 0:
+# - CVE-2021-22897
prepare() {
default_prepare
@@ -111,6 +121,7 @@ build() {
--enable-ipv6 \
--enable-unix-sockets \
--enable-static \
+ --with-openssl \
--without-libidn \
--without-libidn2 \
--with-nghttp2 \
@@ -142,4 +153,6 @@ static() {
mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib
}
-sha512sums="5fe85d2e776789aa8117c57fe7648e375b7fa92d5ead5d69855f19ca9a2624d77a1f9ab91766ecb72bbc17e82862248cd07e48917884d6fd856b93fb00d83e28 curl-7.76.1.tar.xz"
+sha512sums="
+f72e822a0b5e28320ef547c7a441c07f3b4870579a70ab4c428751baba435a1385cb89a22b9ed4b84a7fafecf620f155911e4131e3463ec1bdad80ecde47bb7a curl-7.78.0.tar.xz
+"
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index 9865dbe5bd..6c2e687f3a 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -49,6 +49,8 @@ source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pk
# - CVE-2019-19906
# 2.1.26-r7:
# - CVE-2013-4122
+# 0:
+# - CVE-2020-8032
prepare() {
diff --git a/main/dahdi-linux-lts/APKBUILD b/main/dahdi-linux-lts/APKBUILD
index f62f895201..6817d0f15c 100644
--- a/main/dahdi-linux-lts/APKBUILD
+++ b/main/dahdi-linux-lts/APKBUILD
@@ -9,7 +9,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.36
+_kver=5.10.38
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/dhcp/APKBUILD b/main/dhcp/APKBUILD
index 736011a6de..9275bf6f86 100644
--- a/main/dhcp/APKBUILD
+++ b/main/dhcp/APKBUILD
@@ -1,8 +1,8 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=dhcp
-pkgver=4.4.2
+pkgver=4.4.2_p1
_realver=${pkgver/_p/-P}
-pkgrel=3
+pkgrel=0
pkgdesc="ISC Dynamic Host Configuration Protocol (DHCP)"
url="https://www.isc.org/"
arch="all"
@@ -18,10 +18,10 @@ pkggroups="dhcp"
makedepends="krb5-dev linux-headers openldap-dev perl"
install="$pkgname.pre-install"
subpackages="
+ $pkgname-dbg
$pkgname-doc
$pkgname-openrc
$pkgname-libs-static
- $pkgname-dbg
$pkgname-dev
dhclient
dhcrelay
@@ -30,7 +30,7 @@ subpackages="
$pkgname-server-ldap:server_ldap
"
source="
- http://downloads.isc.org/isc/$pkgname/$_realver/$pkgname-$_realver.tar.gz
+ https://downloads.isc.org/isc/dhcp/$_realver/dhcp-$_realver.tar.gz
01-dhclient-script-fix-bare-ip.patch
02-dhclient-script-remove-bashisms.patch
dhcp-3.0-fix-perms.patch
@@ -42,11 +42,14 @@ source="
dhcpd.confd
dhcpd.initd
"
-
+builddir="$srcdir/$pkgname-$_realver"
makedepends="$makedepends $_depends_dhclient $_depends_server_ldap $_depends_server_vanilla"
# secfixes:
+# 4.4.2_p1-r0:
+# - CVE-2021-25217
# 4.4.1-r0:
+# - CVE-2019-6470
# - CVE-2018-5732
# - CVE-2018-5733
@@ -189,7 +192,8 @@ static() {
# BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57
# "
-sha512sums="c3dee2cf6e4b43d519d4bc89e9b8b12a6e3747d8c4edc0f83d4a88355a483b91a5f7d2353a3c0a2f37f88704fd2f64478ac5161ca72b10c42cebcb92907afa40 dhcp-4.4.2.tar.gz
+sha512sums="
+924e8b44f288361dbe837987869e57b929c73cb5e4af37cb2d7b19bca5ea8594048fb41c0792fede003188185f61b25befbc2ccda42f1f68e6b6bc22ef44b040 dhcp-4.4.2-P1.tar.gz
17e2b9588ee5d1bd9acb9c2e30f7a28308d29c9e797c2be14c1feff52e6e231ce8a94535f18badff1342aff4ae4003aab986e0f0473f0cd280292fdab044b148 01-dhclient-script-fix-bare-ip.patch
a70e4a7e80ee65c8ced6b61db80f7ccd0f35015b5cccf2e7c51705ae129230aa49ba9926bb88f7418018e7a112c2a40451f24b88e04464b590ff20091e8d8709 02-dhclient-script-remove-bashisms.patch
d5697a56fbbff25199962608986e7ffb533ed4afd3e344e3c79d2010dda73cc0b088f06c454e9f0c69eb054e09a374455fa71d3f73306e0c98fa76df4dd321b7 dhcp-3.0-fix-perms.patch
@@ -199,4 +203,5 @@ d1dce58875793316761f168e29feddc1d3454d1d917d063d43ae102b7b6aab256c3cb420478335c5
ce62693cb483616844bb6774f9046af6a1a210e35cfaa59ab3bd12f68d50176714a324e92538b35139110b78191866f65b30d6979d8a45f7b68e572e7a1e8427 dhcrelay.initd
fd15dbaa4c61c3c26f407bf13dde859470a1adba134da064b653ccc152ce42635ee8de2fe113ae21ba8470e97e3caad8c1a47b69eb25e5e92b40e26790b96f6d dhcrelay.confd
7b7a77b7826b475a4113ebeee54501ce417cc56e85754301a82a185d88b4713d198f615a366e63e0e2b0aef988c8137dcd1e18c4036d993378257079da17693d dhcpd.confd
-1f78c4f64a891012b4de029c50934b284ad80313959e06b0f29416f33a9e4f0deca8b61e9224a683a92faf8a08e8b7c075bc6e833ab73b6305c0d6d9712d0baf dhcpd.initd"
+1f78c4f64a891012b4de029c50934b284ad80313959e06b0f29416f33a9e4f0deca8b61e9224a683a92faf8a08e8b7c075bc6e833ab73b6305c0d6d9712d0baf dhcpd.initd
+"
diff --git a/main/dhcpcd/APKBUILD b/main/dhcpcd/APKBUILD
index d4b5a1251c..26ddd3aa32 100644
--- a/main/dhcpcd/APKBUILD
+++ b/main/dhcpcd/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dhcpcd
-pkgver=8.1.6
-pkgrel=1
+pkgver=8.1.9
+pkgrel=0
pkgdesc="RFC2131 compliant DHCP client"
url="https://roy.marples.name/projects/dhcpcd"
arch="all"
@@ -44,8 +44,10 @@ package() {
"$pkgdir"/etc/init.d/dhcpcd
}
-sha512sums="f4d7ea5f4c139a2735e795e13be68f6edac89d86d97589c2cdd67f89b890a093675dcc207c681332e2163b1094da8ce75bda2ee614c19bafd01410d9fadf19df dhcpcd-8.1.6.tar.xz
+sha512sums="
+40ac106ffca60b32362aacdfae0fa3a2993a3eed72bf452322412a912f594aaade1c24b862233455033158a6e453ec75d6d14fa52df6b4c5ae435dd6ceb29f2a dhcpcd-8.1.9.tar.xz
692b2c8c75166fabd512a7cc69c650f9391e0f682ce9cbe1771bfa44e82dcf09e322c46493c45ca75000f479d3cddde306754ba31d28a798a15e2b79a56045f0 busybox-logger.patch
1c19eed0f7a008ee96ea392beb327169ff8c83fc27fed20f65f05c9125f60629ebe3474c5e6a7cf4aeeea448fde4264c9b84916efacd67d47ab908c47b1fc3a5 fix-chrony-conf-location.patch
dc3b30295dbe5310526443736e60ccc53621d465d512639e8ea20efe598037ff33730e46964e4e7bc32d4ce88aaecf3b9bb9a4ceab892d8bff3423e0374ccae1 dhcpcd.initd
-082aa80798476917e2a86003cb95136212cbb9b8da986e7d8186d7f3d857e81a4cb03af56296484e035e5006d36c695ef57f571ea9c1fd18b4200a9cf745a6b4 musl.patch"
+082aa80798476917e2a86003cb95136212cbb9b8da986e7d8186d7f3d857e81a4cb03af56296484e035e5006d36c695ef57f571ea9c1fd18b4200a9cf745a6b4 musl.patch
+"
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index 18361d7778..ac96c2a00b 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -4,12 +4,10 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dovecot
-pkgver=2.3.13
+pkgver=2.3.15
_pkgverminor=${pkgver%.*}
-_pkgvermajor=${_pkgverminor%.*}
pkgrel=0
-_pigeonholever=0.5.13
-_pigeonholevermajor=${_pigeonholever%.*}
+_pigeonholever=0.5.15
pkgdesc="IMAP and POP3 server"
url="https://www.dovecot.org/"
arch="all"
@@ -56,18 +54,22 @@ subpackages="
$pkgname-fts-lucene:_fts_lucene
"
source="https://www.dovecot.org/releases/$_pkgverminor/dovecot-$pkgver.tar.gz
- https://pigeonhole.dovecot.org/releases/$_pkgverminor/$pkgname-$_pkgverminor-pigeonhole-$_pigeonholever.tar.gz
+ https://pigeonhole.dovecot.org/releases/$_pkgverminor/dovecot-$_pkgverminor-pigeonhole-$_pigeonholever.tar.gz
skip-iconv-check.patch
split-protocols.patch
default-config.patch
- fix-oauth2-jwt.c.patch
fix-out-of-memory-test.patch
+ fix-libssl_iostream_openssl.patch
+ test-imap-client-hibernate.patch
dovecot.logrotate
dovecot.initd
"
_builddir_pigeonhole="$srcdir/$pkgname-$_pkgverminor-pigeonhole-$_pigeonholever"
# secfixes:
+# 2.3.15-r0:
+# - CVE-2021-29157
+# - CVE-2021-33515
# 2.3.13-r0:
# - CVE-2020-24386
# - CVE-2020-25275
@@ -315,12 +317,15 @@ _submv() {
done
}
-sha512sums="758a169fba8925637ed18fa7522a6f06c9fe01a1707b1ca0d0a4d8757c578a8e117c91733e8314403839f9a484bbcac71ce3532c82379eb583b480756d556a95 dovecot-2.3.13.tar.gz
-fcbc13d71af4e6dd4e34192484e203d755e5015da76a4774b11a79182b2baad36cab5a471346093111ace36a7775dfe8294555f8b777786dde386820b3ec5cd3 dovecot-2.3-pigeonhole-0.5.13.tar.gz
+sha512sums="
+75bbdbeac663da109f78dba06c42bb5193e911c6b3c64f055fc4473ae9afaf0c8304c49fc7f06c5c6b61e67dd13dc21fbed6ff160a99f38f547c88ba05e6b03a dovecot-2.3.15.tar.gz
+521070080802bf2a50cd0ff0af5dc991c04d70b807abc2cd9aa567444a4869f5f42800f19d9b740a519bd4069437139e70ca6ae4b905479fcec8faa133ac5f54 dovecot-2.3-pigeonhole-0.5.15.tar.gz
fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch
794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch
0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch
-7f428b0f14323a5dda00aef93f4835c2c38a7b780a939a47f759d31df4636e86055f95d17e2358cb37a2704ea022dfad602c7ed4568cba644347f20fd1e15e3b fix-oauth2-jwt.c.patch
733cdbfb7f6b2608470bd30a0f9190ec86099d4c8e48b7fb92d7b595be665bf749976889033e1ad438edd3f99f2e0d496dd0d667291915c80df82f7e62483f59 fix-out-of-memory-test.patch
+0fb56eb9c7fae8d8b1d794928ce2ba58d03c102cd7c3f959799c62c5d838ff535ecccb64bc1970d960f67d49388c880773e9eac5aed3bcf92e6efed3b56cc837 fix-libssl_iostream_openssl.patch
+33c6eefaaca755c7766c74cb1afdc54fa9241b3d75b1db6b1167615061b5d79b85d759746c2d1793f4a3669d493489236e89ca4278dd38dd681f537c83e81a20 test-imap-client-hibernate.patch
9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate
-d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd"
+d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd
+"
diff --git a/main/dovecot/fix-libssl_iostream_openssl.patch b/main/dovecot/fix-libssl_iostream_openssl.patch
new file mode 100644
index 0000000000..5c4cbb6263
--- /dev/null
+++ b/main/dovecot/fix-libssl_iostream_openssl.patch
@@ -0,0 +1,14 @@
+diff --git a/src/lib-dcrypt/Makefile.am b/src/lib-dcrypt/Makefile.am
+index e9e5116953..718d451c4f 100644
+--- a/src/lib-dcrypt/Makefile.am
++++ b/src/lib-dcrypt/Makefile.am
+@@ -20,7 +20,8 @@ libdcrypt_la_CFLAGS = $(AM_CPPFLAGS) \
+ if BUILD_DCRYPT_OPENSSL
+ pkglib_LTLIBRARIES += libdcrypt_openssl.la
+ libdcrypt_openssl_la_SOURCES = dcrypt-openssl.c
+-libdcrypt_openssl_la_LDFLAGS = -module -avoid-version ../lib-ssl-iostream/libssl_iostream_openssl.la
++libdcrypt_openssl_la_LDFLAGS = -module -avoid-version ../lib-ssl-iostream/libssl_iostream.la \
++ ../lib-ssl-iostream/libssl_iostream_openssl.la
+ libdcrypt_openssl_la_LIBADD = $(SSL_LIBS)
+ libdcrypt_openssl_la_DEPENDENCIES = ../lib-ssl-iostream/libssl_iostream_openssl.la
+ libdcrypt_openssl_la_CFLAGS = $(AM_CPPFLAGS) \
diff --git a/main/dovecot/fix-oauth2-jwt.c.patch b/main/dovecot/fix-oauth2-jwt.c.patch
deleted file mode 100644
index b3755f6993..0000000000
--- a/main/dovecot/fix-oauth2-jwt.c.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 42c37d2473116bf4a7fcafcaf94de83947fe80bc Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@open-xchange.com>
-Date: Thu, 13 Aug 2020 20:01:41 +0300
-Subject: [PATCH] oauth2-jwt: Use int64_t instead time_t for portability
-
-
-diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
-index a68875e57..0adf612d9 100644
---- a/src/lib-oauth2/oauth2-jwt.c
-+++ b/src/lib-oauth2/oauth2-jwt.c
-@@ -31,18 +31,25 @@ static const char *get_field(const struct json_tree *tree, const char *key)
- }
-
- static int get_time_field(const struct json_tree *tree, const char *key,
-- long *value_r)
-+ int64_t *value_r)
- {
-+ time_t tvalue;
- const char *value = get_field(tree, key);
- int tz_offset ATTR_UNUSED;
- if (value == NULL)
- return 0;
-- if ((str_to_long(value, value_r) < 0 &&
-- !iso8601_date_parse((const unsigned char*)value, strlen(value),
-- value_r, &tz_offset)) ||
-- *value_r < 0)
-- return -1;
-- return 1;
-+ if (str_to_int64(value, value_r) == 0) {
-+ if (*value_r < 0)
-+ return -1;
-+ return 1;
-+ } else if (iso8601_date_parse((const unsigned char*)value, strlen(value),
-+ &tvalue, &tz_offset)) {
-+ if (tvalue < 0)
-+ return -1;
-+ *value_r = tvalue;
-+ return 1;
-+ }
-+ return -1;
- }
-
- static int oauth2_lookup_hmac_key(const struct oauth2_settings *set,
-@@ -283,9 +290,9 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg, cons
- const char *sub = get_field(tree, "sub");
-
- int ret;
-- long t0 = time(NULL);
-+ int64_t t0 = time(NULL);
- /* default IAT and NBF to now */
-- long iat, nbf, exp;
-+ int64_t iat, nbf, exp;
- int tz_offset ATTR_UNUSED;
-
- if (sub == NULL) {
diff --git a/main/dovecot/test-imap-client-hibernate.patch b/main/dovecot/test-imap-client-hibernate.patch
new file mode 100644
index 0000000000..ce6584c032
--- /dev/null
+++ b/main/dovecot/test-imap-client-hibernate.patch
@@ -0,0 +1,14 @@
+submitted as https://github.com/dovecot/core/pull/159
+reduce filename length
+
+--- a/src/imap/test-imap-client-hibernate.c
++++ b/src/imap/test-imap-client-hibernate.c
+@@ -19,7 +19,7 @@
+
+ #include <sys/stat.h>
+
+-#define TEMP_DIRNAME ".test-imap-client-hibernate"
++#define TEMP_DIRNAME ".test-ich"
+
+ #define EVILSTR "\t\r\n\001"
+
diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index 913457e4e3..eac08ff51d 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -25,6 +25,8 @@
# - CVE-2018-11235
# 2.14.1-r0:
# - CVE-2017-1000117
+# 0:
+# - CVE-2021-29468
pkgname=git
pkgver=2.30.2
diff --git a/main/graphviz/APKBUILD b/main/graphviz/APKBUILD
index ad12e8322d..d70226b2b7 100644
--- a/main/graphviz/APKBUILD
+++ b/main/graphviz/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=graphviz
pkgver=2.44.0
-pkgrel=1
+pkgrel=2
pkgdesc="Graph Visualization Tools"
url="https://www.graphviz.org/"
arch="all"
@@ -20,8 +20,13 @@ subpackages="$pkgname-dev $pkgname-doc py3-gv:_py3 lua$_luaver-$pkgname:_lua
$pkgname-graphs::noarch"
source="https://gitlab.com/graphviz/graphviz/-/archive/$pkgver/graphviz-$pkgver.tar.gz
0001-clone-nameclash.patch
+ CVE-2020-18032.patch
"
+# secfixes:
+# 2.44.0-r2:
+# - CVE-2020-18032
+
prepare() {
default_prepare
./autogen.sh NOCONFIG
@@ -112,5 +117,8 @@ graphs() {
"$subpkgdir"/usr/share/graphviz/
}
-sha512sums="07e9776fc2fc3b8e17cd4ed6e6f2cd69330d4aa6592a77a39b7b55c4402440096c5eec2918a335c29f32c9f93c6d569b706bf1e503df5914607637bf71c47397 graphviz-2.44.0.tar.gz
-aa4cbc341906a949a6bf78cadd96c437d6bcc90369941fe03519aa4447731ecbf6063a0dd0366d3e7aaadf22b69e4bcab3f8632a7da7a01f8e08a3be05c2bc5d 0001-clone-nameclash.patch"
+sha512sums="
+07e9776fc2fc3b8e17cd4ed6e6f2cd69330d4aa6592a77a39b7b55c4402440096c5eec2918a335c29f32c9f93c6d569b706bf1e503df5914607637bf71c47397 graphviz-2.44.0.tar.gz
+aa4cbc341906a949a6bf78cadd96c437d6bcc90369941fe03519aa4447731ecbf6063a0dd0366d3e7aaadf22b69e4bcab3f8632a7da7a01f8e08a3be05c2bc5d 0001-clone-nameclash.patch
+d4b818a3349a1c733177db0d4455004d47670ef1f07a670428d7c025edd6604e8342ff6906faa48abdd8e4abc0c42feb58cb1fdf116ae98fade5dbcb965d0843 CVE-2020-18032.patch
+"
diff --git a/main/graphviz/CVE-2020-18032.patch b/main/graphviz/CVE-2020-18032.patch
new file mode 100644
index 0000000000..b3b0ab9889
--- /dev/null
+++ b/main/graphviz/CVE-2020-18032.patch
@@ -0,0 +1,40 @@
+From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Sat, 25 Jul 2020 19:31:01 -0700
+Subject: [PATCH] fix: out-of-bounds write on invalid label
+
+When the label for a node cannot be parsed (due to it being malformed), it falls
+back on the symbol name of the node itself. I.e. the default label the node
+would have had if it had no label attribute at all. However, this is applied by
+dynamically altering the node's label to "\N", a shortcut for the symbol name of
+the node. All of this is fine, however if the hand written label itself is
+shorter than the literal string "\N", not enough memory would have been
+allocated to write "\N" into the label text.
+
+Here we account for the possibility of error during label parsing, and assume
+that the label text may need to be overwritten with "\N" after the fact. Fixes
+issue #1700.
+---
+ lib/common/shapes.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/common/shapes.c b/lib/common/shapes.c
+index 0a0635fc3..9dca9ba6e 100644
+--- a/lib/common/shapes.c
++++ b/lib/common/shapes.c
+@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
+ reclblp = ND_label(n)->text;
+ len = strlen(reclblp);
+ /* For some forgotten reason, an empty label is parsed into a space, so
+- * we need at least two bytes in textbuf.
++ * we need at least two bytes in textbuf, as well as accounting for the
++ * error path involving "\\N" below.
+ */
+- len = MAX(len, 1);
++ len = MAX(MAX(len, 1), (int)strlen("\\N"));
+ textbuf = N_NEW(len + 1, char);
+ if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
+ agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
+--
+GitLab
+
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index b93eafdc05..cd3b9e540a 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -4,7 +4,7 @@
pkgname=haproxy
# NOTE: Upgrade only to LTS versions announced on upstream site url!
# Using LTS versions is easier to keep it in good shape for stable releases
-pkgver=2.2.14
+pkgver=2.2.15
_pkgmajorver=${pkgver%.*}
pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -57,6 +57,8 @@ package() {
"$pkgdir"/etc/haproxy/haproxy.cfg
}
-sha512sums="ec5e2bf0c38a9af878f69f062e81e096b849c3ae93957bbcddc32f7c0e972d678136c8f06a16e594b60b7e2f41228e8179e93b4b0a3478ab775bece6745db877 haproxy-2.2.14.tar.gz
+sha512sums="
+ef77cb2201ea61e7ac085acca8db6e9ee43ce1db2e8c5366d49cad9ace654eb81809a70f96b20a6f6f549061f8a73012ad1805a009c3e1c6fa5cd195af795012 haproxy-2.2.15.tar.gz
4aa8fc812079baf1d17cf9484a9b44568c3dd94f35243a57a4a7868e7f88146a4e94c80ea8ab86f1b08a524567e269a3ec119b67fc679f6bd0d9f1c70ce4f080 haproxy.initd
-26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
+26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg
+"
diff --git a/main/intel-ucode/APKBUILD b/main/intel-ucode/APKBUILD
index b3a3c1f0df..00bb0b57aa 100644
--- a/main/intel-ucode/APKBUILD
+++ b/main/intel-ucode/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Marian Buschsieweke <marian.buschsieweke@ovgu.de>
pkgname=intel-ucode
-pkgver=20210216
+pkgver=20210608
pkgrel=0
pkgdesc="Microcode update files for Intel CPUs"
arch="x86 x86_64"
@@ -25,4 +25,4 @@ package() {
install -Dm644 license "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
-sha512sums="211ed90a248c891224bb8c569e24c04410d3f67ecc6daee41dc025042bd51c257baaba0da1ac5327df76352d2b53d812e81f06cc8726e43b95ea2f8898bc00bf microcode-20210216.tar.gz"
+sha512sums="61acd2e76aa019fa0002fbf56c503791080a937ff93d81e020f8f0cc089dc08928b4c7e9884f713b886e2f9d4a8409fea59e39f628ef534a588515e1c3fc861d microcode-20210608.tar.gz"
diff --git a/main/jansson/APKBUILD b/main/jansson/APKBUILD
index 2e29bdae5f..13fc0c3b14 100644
--- a/main/jansson/APKBUILD
+++ b/main/jansson/APKBUILD
@@ -10,6 +10,10 @@ checkdepends="bash"
subpackages="$pkgname-dev"
source="http://www.digip.org/jansson/releases/jansson-$pkgver.tar.bz2"
+# secfixes:
+# 0:
+# - CVE-2020-36325
+
build() {
./configure \
--build=$CBUILD \
diff --git a/main/kamailio/APKBUILD b/main/kamailio/APKBUILD
index d457da0053..2c55c1644c 100644
--- a/main/kamailio/APKBUILD
+++ b/main/kamailio/APKBUILD
@@ -5,7 +5,7 @@
pkgname=kamailio
pkgver=5.4.2
-pkgrel=2
+pkgrel=3
# If building from a git snapshot, specify the gitcommit
# If building a proper release, leave gitcommit blank or commented
@@ -34,6 +34,7 @@ makedepends="bison db-dev flex freeradius-client-dev expat-dev
# librdkafka-dev dnssec-tools-dev
source="kamailio-${pkgver}$_suffix.tar.gz::https://github.com/kamailio/kamailio/archive/$_gitcommit.tar.gz
tm-proper-fill-of-From-To-URI-tag-values-using-parsed.patch
+ mohqueue-1.8.patch
kamailio.initd
"
@@ -560,4 +561,5 @@ sipdump() {
sha512sums="944eb54fe5ec1408def842f3f1f909002ba274863ea68baa85fc70aa9abd7331647f75813ccd264ed659a794570c6d8b9c89108684de603e90b0713f33412502 kamailio-5.4.2.tar.gz
b82dc389dc294cc09b0089ef2e846d308b937a9984a53574f0a434180341725dc025222d2bd9d9b0bb01b05bebd106412cfaf81e3150e338393a6a4012f1deb0 tm-proper-fill-of-From-To-URI-tag-values-using-parsed.patch
+bfd0c3462cc95145b3eedf2e4e66ef856c503392d330c204291f5dae16e29803b05f2f1b3627cad85fd7505a58a34952fb1fa198c22e48ed245fd0a6bd731714 mohqueue-1.8.patch
0c87bfb78481568c03e603049eb8597a90d24ae2941fc81694181b2326fa9db89fbddaaa3cf08c7bc2f5fa0e7ffac4cf4e2d010d08c4faa6cf6df98593432539 kamailio.initd"
diff --git a/main/kamailio/mohqueue-1.8.patch b/main/kamailio/mohqueue-1.8.patch
new file mode 100644
index 0000000000..1f490a08c3
--- /dev/null
+++ b/main/kamailio/mohqueue-1.8.patch
@@ -0,0 +1,485 @@
+From c576631b899ded661bbfede48fa92fd03dbc7e88 Mon Sep 17 00:00:00 2001
+From: Robert Boisvert <Robert.Boisvert@sequentialtech.com>
+Date: Mon, 22 Mar 2021 10:43:12 -0400
+Subject: [PATCH] mohqueue: use ptime
+
+- version 1.7
+- match ptime of incoming call; otherwise, default to 20ms
+- update copyright dates
+---
+ src/modules/mohqueue/README | 2 +-
+ src/modules/mohqueue/doc/mohqueue.xml | 2 +-
+ src/modules/mohqueue/doc/mohqueue_admin.xml | 11 +-
+ src/modules/mohqueue/mohq_common.h | 2 +-
+ src/modules/mohqueue/mohq_db.c | 2 +-
+ src/modules/mohqueue/mohq_db.h | 2 +-
+ src/modules/mohqueue/mohq_funcs.c | 112 +++++++++++++-------
+ src/modules/mohqueue/mohq_funcs.h | 2 +-
+ src/modules/mohqueue/mohq_locks.c | 2 +-
+ src/modules/mohqueue/mohq_locks.h | 2 +-
+ src/modules/mohqueue/mohqueue_mod.c | 4 +-
+ src/modules/mohqueue/mohqueue_mod.h | 2 +-
+ 12 files changed, 93 insertions(+), 52 deletions(-)
+
+diff --git a/src/modules/mohqueue/README b/src/modules/mohqueue/README
+index fa845da0f8..a0f30357ae 100644
+--- a/src/modules/mohqueue/README
++++ b/src/modules/mohqueue/README
+@@ -2,7 +2,7 @@ mohqueue Module
+
+ Robert Boisvert
+
+- Copyright © 2013-2019 Robert Boisvert, rdbprog@gmail.com
++ Copyright © 2013-2021 Robert Boisvert, rdbprog@gmail.com
+ __________________________________________________________________
+
+ Table of Contents
+diff --git a/src/modules/mohqueue/doc/mohqueue.xml b/src/modules/mohqueue/doc/mohqueue.xml
+index e4c1563c66..5498c1b57b 100644
+--- a/src/modules/mohqueue/doc/mohqueue.xml
++++ b/src/modules/mohqueue/doc/mohqueue.xml
+@@ -21,7 +21,7 @@
+ </author>
+ </authorgroup>
+ <copyright>
+- <year>2013-2019</year>
++ <year>2013-2021</year>
+ <holder>Robert Boisvert, rdbprog@gmail.com</holder>
+ </copyright>
+ </bookinfo>
+diff --git a/src/modules/mohqueue/doc/mohqueue_admin.xml b/src/modules/mohqueue/doc/mohqueue_admin.xml
+index 112b1f4fa4..37cc02e1a0 100644
+--- a/src/modules/mohqueue/doc/mohqueue_admin.xml
++++ b/src/modules/mohqueue/doc/mohqueue_admin.xml
+@@ -387,10 +387,13 @@ Duplicate names are not allowed.
+ </listitem>
+ <listitem>
+ <emphasis>uri</emphasis> (100-character string, required): the URI of
+-the queue. It should not include any parameters or headers (e.g.
+-"sip:user@host;maddr=239.255.255.1" or "sip:user@host?subject=project")
+-although it will match any RURI that contains this URI even if the
+-RURI has parameters or headers. Duplicates are not allowed.
++the queue. Duplicates are not allowed. It should not include any parameters
++or headers (e.g. "sip:user@host;maddr=239.255.255.1" or
++"sip:user@host?subject=project") although it will match any RURI that
++contains this URI even if the RURI has parameters or headers. The server
++name of the URI must uniquely identify the server. If the RURI server name
++does not uniquely identify the server then it should be rewritten to one
++the does before calling mohq_send ().
+ </listitem>
+ <listitem>
+ <emphasis>mohdir</emphasis> (100-character string, optional): path to
+diff --git a/src/modules/mohqueue/mohq_common.h b/src/modules/mohqueue/mohq_common.h
+index 88fed7fc51..228587cc98 100644
+--- a/src/modules/mohqueue/mohq_common.h
++++ b/src/modules/mohqueue/mohq_common.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+diff --git a/src/modules/mohqueue/mohq_db.c b/src/modules/mohqueue/mohq_db.c
+index 3f70b0bf11..7c62ee6d4c 100644
+--- a/src/modules/mohqueue/mohq_db.c
++++ b/src/modules/mohqueue/mohq_db.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+diff --git a/src/modules/mohqueue/mohq_db.h b/src/modules/mohqueue/mohq_db.h
+index 41b0a3f24c..565f0ae141 100644
+--- a/src/modules/mohqueue/mohq_db.h
++++ b/src/modules/mohqueue/mohq_db.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+diff --git a/src/modules/mohqueue/mohq_funcs.c b/src/modules/mohqueue/mohq_funcs.c
+index 54ee87486c..c9c8d6704e 100644
+--- a/src/modules/mohqueue/mohq_funcs.c
++++ b/src/modules/mohqueue/mohq_funcs.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+@@ -32,7 +32,7 @@
+ #define ALLOWHDR "Allow: INVITE, ACK, BYE, CANCEL, NOTIFY, PRACK"
+ #define CLENHDR "Content-Length"
+ #define SIPEOL "\r\n"
+-#define USRAGNT "Kamailio MOH Queue v1.6"
++#define USRAGNT "Kamailio MOH Queue v1.7"
+
+ /**********
+ * local constants
+@@ -122,17 +122,6 @@ char prefermsg [] =
+ "Referred-By: <%s>" SIPEOL
+ };
+
+-char preinvitemsg [] =
+- {
+- "%s"
+- "Max-Forwards: 70" SIPEOL
+- "Contact: <%s>" SIPEOL
+- ALLOWHDR SIPEOL
+- "Supported: 100rel" SIPEOL
+- "Accept-Language: en" SIPEOL
+- "Content-Type: application/sdp" SIPEOL
+- };
+-
+ char prtpsdp [] =
+ {
+ "v=0" SIPEOL
+@@ -185,7 +174,6 @@ void ack_msg (sip_msg_t *pmsg, call_lst *pcall)
+ char *pfncname = "ack_msg: ";
+ struct cell *ptrans;
+ tm_api_t *ptm = pmod_data->ptm;
+-tm_cell_t *t = 0;
+ if (pcall->call_state != CLSTA_INVITED)
+ {
+ /**********
+@@ -203,9 +191,7 @@ if (pcall->call_state != CLSTA_INVITED)
+ }
+
+ /**********
+-* o release INVITE transaction
+-* o save SDP address info
+-* o put in queue
++* release INVITE transaction
+ **********/
+
+ if (ptm->t_lookup_ident (&ptrans, pcall->call_hash, pcall->call_label) < 0)
+@@ -216,28 +202,39 @@ if (ptm->t_lookup_ident (&ptrans, pcall->call_hash, pcall->call_label) < 0)
+ }
+ else
+ {
+- t = ptm->t_gett();
+- if (t==NULL || t==T_UNDEFINED)
++ /**********
++ * create new transaction if current missing
++ **********/
++
++ tm_cell_t *ptcell;
++ ptcell = ptm->t_gett ();
++ if ((ptcell == NULL) || (ptcell == T_UNDEFINED))
+ {
+- if (ptm->t_newtran(pmsg)<0)
+- {
+- LM_ERR("cannot create the transaction\n");
+- return;
+- }
+- t = ptm->t_gett();
+- if (t==NULL || t==T_UNDEFINED)
+- {
+- LM_ERR("cannot lookup the transaction\n");
+- return;
+- }
++ if (ptm->t_newtran (pmsg) < 0)
++ {
++ LM_ERR ("%sUnable to create temporary transaction!\n", pfncname);
++ return;
++ }
++ ptcell = ptm->t_gett ();
++ if ((ptcell == NULL) || (ptcell == T_UNDEFINED))
++ {
++ LM_ERR ("%sUnable to find temporary transaction!\n", pfncname);
++ return;
++ }
+ }
+- if (ptm->t_release_transaction(t) < 0)
++ if (ptm->t_release (ptcell) < 0)
+ {
+ LM_ERR ("%sRelease transaction failed for call (%s)!\n",
+ pfncname, pcall->call_from);
+ return;
+ }
+ }
++
++/**********
++* o save SDP address info
++* o put in queue
++**********/
++
+ pcall->call_hash = pcall->call_label = 0;
+ sprintf (pcall->call_addr, "%s %s",
+ pmsg->rcv.dst_ip.af == AF_INET ? "IP4" : "IP6",
+@@ -538,14 +535,19 @@ int
+ create_call (sip_msg_t *pmsg, call_lst *pcall, int ncall_idx, int mohq_idx)
+
+ {
++char *pfncname = "create_call: ";
++char *pbuf;
++str *pstr;
++
+ /**********
+ * add values to new entry
++* o call ID
++* o from
+ **********/
+
+-char *pfncname = "create_call: ";
+ pcall->pmohq = &pmod_data->pmohq_lst [mohq_idx];
+-str *pstr = &pmsg->callid->body;
+-char *pbuf = pcall->call_buffer;
++pstr = &pmsg->callid->body;
++pbuf = pcall->call_buffer;
+ pcall->call_buflen = sizeof (pcall->call_buffer);
+ pcall->call_id = pbuf;
+ if (!addstrbfr (pstr->s, pstr->len, &pbuf, &pcall->call_buflen, 1))
+@@ -1036,7 +1038,6 @@ char *pfncname = "first_invite_msg: ";
+ /**********
+ * o SDP exists?
+ * o accepts REFER?
+-* o send RTP offer
+ **********/
+
+ if (!(pmsg->msg_flags & FL_SDP_BODY))
+@@ -1069,6 +1070,11 @@ if (pmsg->allow)
+ return;
+ }
+ }
++
++/**********
++* send RTP offer
++**********/
++
+ mohq_debug (pcall->pmohq,
+ "%sMaking offer for RTP link for call (%s) from queue (%s)",
+ pfncname, pcall->call_from, pcall->pmohq->mohq_name);
+@@ -2146,6 +2152,38 @@ struct sip_msg pnmsg [1];
+ build_sip_msg_from_buf (pnmsg, pbuf->s, pbuf->len, 0);
+ memcpy (&pnmsg->rcv, &pmsg->rcv, sizeof (struct receive_info));
+
++/**********
++* ptime set?
++**********/
++
++int nsession;
++sdp_session_cell_t *psession;
++char pflagbuf [5];
++strcpy (pflagbuf, "z20");
++fparam_t pzflag [1] = {0, FPARAM_STRING, {pflagbuf}, 0};
++for (nsession = 0; (psession = get_sdp_session (pmsg, nsession)); nsession++)
++ {
++ int nstream;
++ sdp_stream_cell_t *pstream;
++ for (nstream = 0; (pstream = get_sdp_stream (pmsg, nsession, nstream));
++ nstream++)
++ {
++ /**********
++ * ptime set?
++ **********/
++
++ if ((pstream->ptime.len < 1) || (pstream->ptime.len > 3))
++ { continue; }
++ strncpy (&pzflag->v.asciiz [1], pstream->ptime.s, pstream->ptime.len);
++ pzflag->v.asciiz [pstream->ptime.len + 1] = 0;
++ mohq_debug (pcall->pmohq,
++ "%sSet ptime (%s) for RTP link for call (%s) from queue (%s)",
++ pfncname,
++ &pzflag->v.asciiz [1], pcall->call_from, pcall->pmohq->mohq_name);
++ break;
++ }
++ }
++
+ /**********
+ * o send RTP answer
+ * o form stream file
+@@ -2154,7 +2192,7 @@ memcpy (&pnmsg->rcv, &pmsg->rcv, sizeof (struct receive_info));
+
+ mohq_debug (pcall->pmohq, "%sAnswering RTP link for call (%s)",
+ pfncname, pcall->call_from);
+-if (pmod_data->fn_rtp_answer (pnmsg, 0, 0) != 1)
++if (pmod_data->fn_rtp_answer (pnmsg, (char *) pzflag, 0) != 1)
+ {
+ LM_ERR ("%srtpproxy_answer refused for call (%s)!\n",
+ pfncname, pcall->call_from);
+@@ -2961,4 +2999,4 @@ if (pmod_data->ptm->t_relay (pmsg, 0, 0) < 0)
+ return -1;
+ }
+ return 1;
+-}
++}
+\ No newline at end of file
+diff --git a/src/modules/mohqueue/mohq_funcs.h b/src/modules/mohqueue/mohq_funcs.h
+index cc99185306..35d55edaa0 100644
+--- a/src/modules/mohqueue/mohq_funcs.h
++++ b/src/modules/mohqueue/mohq_funcs.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+diff --git a/src/modules/mohqueue/mohq_locks.c b/src/modules/mohqueue/mohq_locks.c
+index 080dd39486..b31e052cb8 100644
+--- a/src/modules/mohqueue/mohq_locks.c
++++ b/src/modules/mohqueue/mohq_locks.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+diff --git a/src/modules/mohqueue/mohq_locks.h b/src/modules/mohqueue/mohq_locks.h
+index 2ae41b7192..20deed8b02 100644
+--- a/src/modules/mohqueue/mohq_locks.h
++++ b/src/modules/mohqueue/mohq_locks.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+diff --git a/src/modules/mohqueue/mohqueue_mod.c b/src/modules/mohqueue/mohqueue_mod.c
+index a9ec155097..8a17dfc45e 100644
+--- a/src/modules/mohqueue/mohqueue_mod.c
++++ b/src/modules/mohqueue/mohqueue_mod.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+@@ -313,7 +313,7 @@ int mod_child_init (int rank)
+
+ {
+ /**********
+-* o make sure DB initialized
++* make sure DB initialized
+ **********/
+
+ if (rank == PROC_INIT || rank == PROC_TCP_MAIN || rank == PROC_MAIN)
+diff --git a/src/modules/mohqueue/mohqueue_mod.h b/src/modules/mohqueue/mohqueue_mod.h
+index b783b03f40..61d2f98c9c 100644
+--- a/src/modules/mohqueue/mohqueue_mod.h
++++ b/src/modules/mohqueue/mohqueue_mod.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013-19 Robert Boisvert
++ * Copyright (C) 2013-21 Robert Boisvert
+ *
+ * This file is part of the mohqueue module for Kamailio, a free SIP server.
+ *
+From 1001e9e1dbfdec525f4a5f96f7dd3fcc22e51888 Mon Sep 17 00:00:00 2001
+From: Robert Boisvert <rdboisvert@gmail.com>
+Date: Wed, 24 Mar 2021 12:17:20 -0400
+Subject: [PATCH] mohqueue: use ptime
+
+ - version 1.7
+ - match ptime of incoming call; otherwise, default to 20ms
+ - update copyright dates
+---
+ src/modules/mohqueue/mohq_funcs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/mohqueue/mohq_funcs.c b/src/modules/mohqueue/mohq_funcs.c
+index c9c8d6704e..dd9f105bfc 100644
+--- a/src/modules/mohqueue/mohq_funcs.c
++++ b/src/modules/mohqueue/mohq_funcs.c
+@@ -222,7 +222,7 @@ else
+ return;
+ }
+ }
+- if (ptm->t_release (ptcell) < 0)
++ if (ptm->t_release_transaction (ptcell) < 0)
+ {
+ LM_ERR ("%sRelease transaction failed for call (%s)!\n",
+ pfncname, pcall->call_from);
+@@ -2160,7 +2160,7 @@ int nsession;
+ sdp_session_cell_t *psession;
+ char pflagbuf [5];
+ strcpy (pflagbuf, "z20");
+-fparam_t pzflag [1] = {0, FPARAM_STRING, {pflagbuf}, 0};
++fparam_t pzflag [1] = {"", FPARAM_STRING, {pflagbuf}, 0};
+ for (nsession = 0; (psession = get_sdp_session (pmsg, nsession)); nsession++)
+ {
+ int nstream;
+From c7781edcb37a35193ccdb9414183919aaa614d3a Mon Sep 17 00:00:00 2001
+From: Sergey Safarov <s.safarov@gmail.com>
+Date: Tue, 27 Apr 2021 12:58:49 +0300
+Subject: [PATCH] mohqueue: fixed compiler warning about array initialization
+
+---
+ src/modules/mohqueue/mohq_funcs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/mohqueue/mohq_funcs.c b/src/modules/mohqueue/mohq_funcs.c
+index dd9f105bfc..1f72c58c5a 100644
+--- a/src/modules/mohqueue/mohq_funcs.c
++++ b/src/modules/mohqueue/mohq_funcs.c
+@@ -2160,7 +2160,9 @@ int nsession;
+ sdp_session_cell_t *psession;
+ char pflagbuf [5];
+ strcpy (pflagbuf, "z20");
+-fparam_t pzflag [1] = {"", FPARAM_STRING, {pflagbuf}, 0};
++fparam_t pzflag [1] = {
++ {"", FPARAM_STRING, {pflagbuf}, 0}
++};
+ for (nsession = 0; (psession = get_sdp_session (pmsg, nsession)); nsession++)
+ {
+ int nstream;
+From 0e51ce1075f206a4441333f72c69fcc56f8d6855 Mon Sep 17 00:00:00 2001
+From: Robert Boisvert <rdboisvert@gmail.com>
+Date: Wed, 19 May 2021 16:19:24 -0400
+Subject: [PATCH] modules/mohqueue: force RTP to follow SDP
+
+ - version 1.8
+ - use rtpproxy r flag to force RTP to follow SDP
+ - fixed compiler warnings
+---
+ src/modules/mohqueue/mohq_funcs.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/modules/mohqueue/mohq_funcs.c b/src/modules/mohqueue/mohq_funcs.c
+index 1f72c58c5a..c46cb51a75 100644
+--- a/src/modules/mohqueue/mohq_funcs.c
++++ b/src/modules/mohqueue/mohq_funcs.c
+@@ -32,7 +32,7 @@
+ #define ALLOWHDR "Allow: INVITE, ACK, BYE, CANCEL, NOTIFY, PRACK"
+ #define CLENHDR "Content-Length"
+ #define SIPEOL "\r\n"
+-#define USRAGNT "Kamailio MOH Queue v1.7"
++#define USRAGNT "Kamailio MOH Queue v1.8"
+
+ /**********
+ * local constants
+@@ -1075,10 +1075,11 @@ if (pmsg->allow)
+ * send RTP offer
+ **********/
+
++fparam_t rflag = {.orig="", .type=FPARAM_STRING, {.asciiz="r"}, .fixed=0};
+ mohq_debug (pcall->pmohq,
+ "%sMaking offer for RTP link for call (%s) from queue (%s)",
+ pfncname, pcall->call_from, pcall->pmohq->mohq_name);
+-if (pmod_data->fn_rtp_offer (pmsg, 0, 0) != 1)
++if (pmod_data->fn_rtp_offer (pmsg, (char *) &rflag, 0) != 1)
+ {
+ if (pmod_data->psl->freply (pmsg, 486, presp_busy) < 0)
+ {
+@@ -2160,9 +2161,8 @@ int nsession;
+ sdp_session_cell_t *psession;
+ char pflagbuf [5];
+ strcpy (pflagbuf, "z20");
+-fparam_t pzflag [1] = {
+- {"", FPARAM_STRING, {pflagbuf}, 0}
+-};
++fparam_t zflag = {.orig="", .type=FPARAM_STRING, {.asciiz=pflagbuf}, .fixed=0};
++fparam_t *pzflag = &zflag;
+ for (nsession = 0; (psession = get_sdp_session (pmsg, nsession)); nsession++)
+ {
+ int nstream;
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index d2bf4b2d13..966042ad10 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=krb5
-pkgver=1.18.3
-pkgrel=1
+pkgver=1.18.4
+pkgrel=0
pkgdesc="The Kerberos network authentication system"
url="https://web.mit.edu/kerberos/www/"
arch="all"
@@ -30,6 +30,8 @@ source="https://web.mit.edu/kerberos/dist/krb5/$_maj_min/krb5-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver/src"
# secfixes:
+# 1.18.4-r0:
+# - CVE-2021-36222
# 1.18.3-r0:
# - CVE-2020-28196
# 1.15.4-r0:
@@ -115,8 +117,10 @@ libs() {
amove usr/lib
}
-sha512sums="cf0bf6cf8f622fa085954e6da998d952cf64dc7ccc319972ed81ea0542089cabf2d0e8243df84da01ad6f40584768ca2f02d108630c6741fa7b3d7d98c887c01 krb5-1.18.3.tar.gz
+sha512sums="
+7d9f1e937ba122f5af1340b5025420903a4cc3692bdf4093289921ad09b3fd02c8684b65a783d4b397ba15c4cf29c728cbf24a6405c5fff72fb882137703539e krb5-1.18.4.tar.gz
5c62cbcbf1ef0462323f3392a362b42ed301967a1de80ddcb27eece4fad23efeeb5f04f5af521cfffff36b918bb93813262aa62785e59d6cb5af437a2c9e886d mit-krb5_krb5-config_LDFLAGS.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
-45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd"
+45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd
+"
diff --git a/main/libgcrypt/APKBUILD b/main/libgcrypt/APKBUILD
index d6beb14b33..e578b56927 100644
--- a/main/libgcrypt/APKBUILD
+++ b/main/libgcrypt/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libgcrypt
-pkgver=1.8.7
+pkgver=1.8.8
pkgrel=0
pkgdesc="general purpose crypto library based on the code used in GnuPG"
url="https://www.gnupg.org/"
@@ -12,6 +12,8 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-$pkgver.tar.bz2"
# secfixes:
+# 1.8.8-r0:
+# - CVE-2021-33560
# 1.8.5-r0:
# - CVE-2019-13627
# 1.8.4-r2:
@@ -61,4 +63,6 @@ static() {
mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
}
-sha512sums="6309d17624d8029848990d225d5924886c951cef691266c8e010fbbb7f678972cee70cbb91d370ad0bcdc8c8761402a090c2c853c9427ec79293624a59da5060 libgcrypt-1.8.7.tar.bz2"
+sha512sums="
+9861f3b5da3cb013eb79efbf2859864f8c2c11b41484b051c981c45cc0bf1569202838226da10ebddeb7a7b7f39ebd3a95f107b9bf6f908074ccc9a51ea94db8 libgcrypt-1.8.8.tar.bz2
+"
diff --git a/main/libx11/APKBUILD b/main/libx11/APKBUILD
index cd6e1b7b5c..fde7da2c01 100644
--- a/main/libx11/APKBUILD
+++ b/main/libx11/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libx11
-pkgver=1.7.0
+pkgver=1.7.1
pkgrel=0
pkgdesc="X11 client-side library"
url="http://xorg.freedesktop.org/"
@@ -13,6 +13,8 @@ source="https://www.x.org/releases/individual/lib/libX11-$pkgver.tar.bz2"
builddir="$srcdir"/libX11-$pkgver
# secfixes:
+# 1.7.1-r0:
+# - CVE-2021-31535
# 1.6.12-r0:
# - CVE-2020-14363
# 1.6.10-r0:
@@ -43,4 +45,6 @@ package() {
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-sha512sums="f661ca90350fd8a94f054b00f12f5122cea068ebff706acfd399462236c189a296a2358d17d16166635101cf56cc19303dd407873a159932d093c9f33556f9fb libX11-1.7.0.tar.bz2"
+sha512sums="
+a76f0a82fce6f9b50646a7cd7ec5ee046650f225816050226068a7548fa083ef07d146d40faaf44e033c59c17b0fda5ffdee3a127dac3ab56cee02133819aa3d libX11-1.7.1.tar.bz2
+"
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 75091d1821..45362268c6 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=libxml2
-pkgver=2.9.10
-pkgrel=6
+pkgver=2.9.12
+pkgrel=0
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -18,14 +18,17 @@ if [ -z "$BOOTSTRAP" ]; then
fi
options="!strip"
source="http://xmlsoft.org/sources/libxml2-$pkgver.tar.gz
- CVE-2019-20388.patch
- libxml2-CVE-2020-7595.patch
revert-Make-xmlFreeNodeList-non-recursive.patch
libxml2-2.9.8-python3-unicode-errors.patch
- CVE-2020-24977.patch
"
# secfixes:
+# 2.9.11-r0:
+# - CVE-2021-3541
+# 2.9.10-r7:
+# - CVE-2021-3517
+# - CVE-2021-3518
+# - CVE-2021-3537
# 2.9.10-r5:
# - CVE-2020-24977
# 2.9.10-r4:
@@ -99,10 +102,8 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="0adfd12bfde89cbd6296ba6e66b6bed4edb814a74b4265bda34d95c41d9d92c696ee7adb0c737aaf9cc6e10426a31a35079b2a23d26c074e299858da12c072ed libxml2-2.9.10.tar.gz
-46ade1189ef24cb56bd38c2c58aaacc8f3e8404656b9976754e9ec9bfe17f71e9a1fdb6febd02947f6120b5ce320cbc7391baf8d0cb042877bcf81553010ad04 CVE-2019-20388.patch
-90db832e60c700e971669f57a54fdb297660c42602089b4e77e013a7051c880f380f0c98c059d9f54de99855b2d9be78fcf0639443f3765a925b52fc093fb4d9 libxml2-CVE-2020-7595.patch
+sha512sums="
+df1c6486e80f0fcf3c506f3599bcfb94b620c00d0b5d26831bc983daa78d58ec58b5057b1ec7c1a26c694f40199c6234ee2a6dcabf65abfa10c447cb5705abbd libxml2-2.9.12.tar.gz
347178e432379d543683cba21b902e7305202c03e8dbd724ae395963d677096a5cfc4e345e208d498163ca5174683c167610fc2b297090476038bc2bb7c84b4f revert-Make-xmlFreeNodeList-non-recursive.patch
a205c97fa1488fb8907cfa08b5f82e2055c80b86213dc3cc5c4b526fe6aa786bcc4e4eeb226c44635a1d021307b39e3940f706c42fb60e9e3e9b490a84164df7 libxml2-2.9.8-python3-unicode-errors.patch
-b25a49cfb51569799ada41bad0efaf2666d70b9efb380987c3d5678fd943ada5d0baa18a3db5efa58dac65db8e2d2915ab5c6bac850d0c610656c89734853fd5 CVE-2020-24977.patch
"
diff --git a/main/libxml2/CVE-2019-20388.patch b/main/libxml2/CVE-2019-20388.patch
deleted file mode 100644
index 164b54ba2f..0000000000
--- a/main/libxml2/CVE-2019-20388.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/xmlschemas.c b/xmlschemas.c
-index 301c84499d4185ca3a760b512daeca8760edaf05..39d92182f51ff723413cb41a0101d97b6647cdee 100644
---- a/xmlschemas.c
-+++ b/xmlschemas.c
-@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
- vctxt->nberrors = 0;
- vctxt->depth = -1;
- vctxt->skipDepth = -1;
-- vctxt->xsiAssemble = 0;
- vctxt->hasKeyrefs = 0;
- #ifdef ENABLE_IDC_NODE_TABLES_TEST
- vctxt->createIDCNodeTables = 1;
diff --git a/main/libxml2/CVE-2020-24977.patch b/main/libxml2/CVE-2020-24977.patch
deleted file mode 100644
index 9633641ae4..0000000000
--- a/main/libxml2/CVE-2020-24977.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 3 Aug 2020 17:30:41 +0200
-Subject: [PATCH] Fix integer overflow when comparing schema dates
-
-Found by OSS-Fuzz.
----
- xmlschemastypes.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/xmlschemastypes.c b/xmlschemastypes.c
-index 4249d7000..d6b9f924e 100644
---- a/xmlschemastypes.c
-+++ b/xmlschemastypes.c
-@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
- minday = 0;
- maxday = 0;
- } else {
-+ if (myear > LONG_MAX / 366)
-+ return -2;
- /* FIXME: This doesn't take leap year exceptions every 100/400 years
- into account. */
- maxday = 365 * myear + (myear + 3) / 4;
-@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
- if ((x == NULL) || (y == NULL))
- return -2;
-
-+ if ((x->value.date.year > LONG_MAX / 366) ||
-+ (x->value.date.year < LONG_MIN / 366) ||
-+ (y->value.date.year > LONG_MAX / 366) ||
-+ (y->value.date.year < LONG_MIN / 366)) {
-+ /* Possible overflow when converting to days. */
-+ return -2;
-+ }
-+
- if (x->value.date.tz_flag) {
-
- if (!y->value.date.tz_flag) {
---
-GitLab \ No newline at end of file
diff --git a/main/libxml2/libxml2-CVE-2020-7595.patch b/main/libxml2/libxml2-CVE-2020-7595.patch
deleted file mode 100644
index 3dd6774976..0000000000
--- a/main/libxml2/libxml2-CVE-2020-7595.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
-From: Zhipeng Xie <xiezhipeng1@huawei.com>
-Date: Thu, 12 Dec 2019 17:30:55 +0800
-Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
-
-When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
-return NULL which cause a infinite loop in xmlStringLenDecodeEntities
-
-Found with libFuzzer.
-
-Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
----
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index d1c31963..a34bb6cd 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
- else
- c = 0;
- while ((c != 0) && (c != end) && /* non input consuming loop */
-- (c != end2) && (c != end3)) {
-+ (c != end2) && (c != end3) &&
-+ (ctxt->instate != XML_PARSER_EOF)) {
-
- if (c == 0) break;
- if ((c == '&') && (str[1] == '#')) {
---
-2.24.1
-
diff --git a/main/linux-lts/APKBUILD b/main/linux-lts/APKBUILD
index 12ed9dcb0d..375d10d9ea 100644
--- a/main/linux-lts/APKBUILD
+++ b/main/linux-lts/APKBUILD
@@ -2,7 +2,7 @@
_flavor=lts
pkgname=linux-${_flavor}
-pkgver=5.10.36
+pkgver=5.10.38
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -247,4 +247,4 @@ d161d930d556b9f83aba1975800b2afb794b015187b8222d8a2e05c9eea191f615da52fde1e330a6
018cfa22e53690b8649f646659dfa2108650acc476057cfb20f023c8332765407d42f543a2ff841035f678da6605e0e7f8e1c383edb508693d9a23de0e214b56 config-virt.ppc64le
00e8f614094d0f9a5270cdbedccda3dd55cc03f3045e9c0b1a6d5de91595cc204a960a57cd274da7c3708521b1dedcfa333f81ecf23198fb29165247aad74b24 config-virt.x86
105d8f70e497f9ccb66533ddea7e591a3a2cbbe9ae3f73e168b03e783efb07ddb085af8904d7a83404bf90c3c55d5b45b557f99ef906afbff286df19df311519 config-virt.x86_64
-badb51b4b3a163d67df9d7c77218b46ac69d8445eaa20db28529eb6594d525f14a27e87c4a174b96bed2b17f901928a15b6f982f00d5423c3719b9b49f2d6173 patch-5.10.36.xz"
+3829c94628b30d2bf76c667f7be1331c07f4a0aec1949f5299d65935429eafda1d2fc317ff582baeb7a5e7b3af5a3d80823616d1b77819aec9e88850c32f01eb patch-5.10.38.xz"
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index 062842f478..492ca79c67 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -7,7 +7,7 @@
# Contributor: Jake Buchholz <tomalok@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.5.9
+pkgver=10.5.11
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -45,6 +45,9 @@ source="https://downloads.mariadb.org/interstitial/mariadb-$pkgver/source/mariad
"
# secfixes:
+# 10.5.10-r0:
+# - CVE-2021-2154
+# - CVE-2021-2166
# 10.5.9-r0:
# - CVE-2021-27928
# 10.5.8-r0:
@@ -452,8 +455,10 @@ _plugin_rocksdb() {
"$subpkgdir"/usr/lib/mariadb/plugin/ha_rocksdb.so
}
-sha512sums="d23d5bf8510b3c36a6521fb3244cf323ef0f5d100ba379ed7b5bbc2acae1765a5b46c17bd929f0b27b28923eb1b5975314abdf7ffb96905cf7a93a5c8837294e mariadb-10.5.9.tar.gz
+sha512sums="
+5ccb3f3d7cedf5ff79dd8d9304f0b7f3eb99a5558b446d1baf24cabe20c709360e2c99a737024793918fd6c23fc5a9bb83ffddfb5549310774d07294a3bbddf4 mariadb-10.5.11.tar.gz
c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd
b15d5cbe4e1547ad18cd1ce5a2d5a75d8dd8e017ca725154abdf28d3d1cae8403e0c3e93745441872f72e1ba9f2fef587f596231a231e374bd5a61ba3d8945ea ppc-remove-glibc-dep.patch
598490b4bb45c9f7be46086d25c2b6c601d417c45f11aa519c2290065e7d6e98a7519f9860b823e67a8fd3e6ce3b4728af73ec3a2c66eec32b42fd4ad7cc07f7 disable-failing-test.patch
-4965275371e6d5e08e32a16fcfff2e68dfdcf6f4c30e5beffe18dcf56b503cbf373feeda814694e048964b16165ad65156c32fe27e974bed47201e8cf60736c6 have_stacktrace.patch"
+4965275371e6d5e08e32a16fcfff2e68dfdcf6f4c30e5beffe18dcf56b503cbf373feeda814694e048964b16165ad65156c32fe27e974bed47201e8cf60736c6 have_stacktrace.patch
+"
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index 34cba6c2fa..b6f28b1202 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=musl
pkgver=1.2.2
-pkgrel=0
+pkgrel=1
pkgdesc="the musl c library (libc) implementation"
url="https://musl.libc.org/"
arch="all"
@@ -25,6 +25,8 @@ source="musl-$commit.tar.gz::https://git.musl-libc.org/cgit/musl/snapshot/$commi
revert-faccessat2.patch
+ syscall-cp-epoll.patch
+
ldconfig
__stack_chk_fail_local.c
getconf.c
@@ -167,11 +169,14 @@ compat() {
done
}
-sha512sums="7240550ab45cb6b410d65013c92f1f1de0f274322e7ba10e3cf9ce0464a1a833337c2fde39d2fc8c25af1d60599a5bb0ec0d9fb3723c098df3a72e82251bb3eb musl-v1.2.2.tar.gz
+sha512sums="
+7240550ab45cb6b410d65013c92f1f1de0f274322e7ba10e3cf9ce0464a1a833337c2fde39d2fc8c25af1d60599a5bb0ec0d9fb3723c098df3a72e82251bb3eb musl-v1.2.2.tar.gz
a76f79b801497ad994746cf82bb6eaf86f9e1ae646e6819fbae8532a7f4eee53a96ac1d4e789ec8f66aea2a68027b0597f7a579b3369e01258da8accfce41370 handle-aux-at_base.patch
76de7511fa1ae44aa513a11d306a691172342c04cdd524bcc2f70d0e646744de832ef3254cdd3d409efa4581d601eee7e02a70af11f5530f6bacd59f1e65a979 revert-faccessat2.patch
+d256ba7857c98d39b86aa73674eda5d45ab8134dde3fac2bc48ebb6ba9a824c20c43f2cdc6af54d2a45c162d1e4ec6517c36400992bba10496bcc51b374cbcd0 syscall-cp-epoll.patch
8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig
062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b __stack_chk_fail_local.c
0d80f37b34a35e3d14b012257c50862dfeb9d2c81139ea2dfa101d981d093b009b9fa450ba27a708ac59377a48626971dfc58e20a3799084a65777a0c32cbc7d getconf.c
378d70e65bcc65bb4e1415354cecfa54b0c1146dfb24474b69e418cdbf7ad730472cd09f6f103e1c99ba6c324c9560bccdf287f5889bbc3ef0bdf0e08da47413 getent.c
-9d42d66fb1facce2b85dad919be5be819ee290bd26ca2db00982b2f8e055a0196290a008711cbe2b18ec9eee8d2270e3b3a4692c5a1b807013baa5c2b70a2bbf iconv.c"
+9d42d66fb1facce2b85dad919be5be819ee290bd26ca2db00982b2f8e055a0196290a008711cbe2b18ec9eee8d2270e3b3a4692c5a1b807013baa5c2b70a2bbf iconv.c
+"
diff --git a/main/musl/syscall-cp-epoll.patch b/main/musl/syscall-cp-epoll.patch
new file mode 100644
index 0000000000..338620a373
--- /dev/null
+++ b/main/musl/syscall-cp-epoll.patch
@@ -0,0 +1,16 @@
+diff --git a/src/linux/epoll.c b/src/linux/epoll.c
+index deff5b10..93baa814 100644
+--- a/src/linux/epoll.c
++++ b/src/linux/epoll.c
+@@ -24,9 +24,9 @@ int epoll_ctl(int fd, int op, int fd2, struct epoll_event *ev)
+
+ int epoll_pwait(int fd, struct epoll_event *ev, int cnt, int to, const sigset_t *sigs)
+ {
+- int r = __syscall(SYS_epoll_pwait, fd, ev, cnt, to, sigs, _NSIG/8);
++ int r = __syscall_cp(SYS_epoll_pwait, fd, ev, cnt, to, sigs, _NSIG/8);
+ #ifdef SYS_epoll_wait
+- if (r==-ENOSYS && !sigs) r = __syscall(SYS_epoll_wait, fd, ev, cnt, to);
++ if (r==-ENOSYS && !sigs) r = __syscall_cp(SYS_epoll_wait, fd, ev, cnt, to);
+ #endif
+ return __syscall_ret(r);
+ }
diff --git a/main/nano/APKBUILD b/main/nano/APKBUILD
index d2e9c01e47..61cbcc12df 100644
--- a/main/nano/APKBUILD
+++ b/main/nano/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=nano
pkgver=5.4
-pkgrel=1
+pkgrel=3
pkgdesc="Enhanced clone of the Pico text editor"
url="https://www.nano-editor.org"
arch="all"
@@ -44,7 +44,7 @@ syntax() {
pkgdesc="Syntax highlighting definitions for $pkgname"
mkdir -p "$subpkgdir"/usr/share/$pkgname/
- mv "$pkgdir"/usr/share/$pkgname/*.nanorc \
+ mv "$pkgdir"/usr/share/$pkgname/* \
"$subpkgdir"/usr/share/$pkgname/
}
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index 3889f56fa4..b76bc2703c 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -4,6 +4,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 1.18.0-r14:
+# - CVE-2021-23017
# 1.16.1-r6:
# - CVE-2019-20372
# 1.16.1-r0:
@@ -21,7 +23,7 @@ pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.18.0
-pkgrel=13
+pkgrel=15
# Revision of nginx-tests to use for check().
_tests_hgrev=4e0644119341
_njs_ver=0.5.0
@@ -59,11 +61,12 @@ pkgusers="nginx"
_grp_ngx="nginx"
_grp_www="www-data"
pkggroups="$_grp_ngx $_grp_www"
-install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade"
+install="$pkgname.pre-install $pkgname.post-install $pkgname.pre-upgrade $pkgname.post-upgrade"
subpackages="$pkgname-debug $pkgname-doc $pkgname-openrc $pkgname-vim::noarch"
source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
$pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
$pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
+ CVE-2021-23017.patch
nginx-module-vts~01-938c19d.patch::https://github.com/vozlt/nginx-module-vts/commit/938c19d2e49d5f3355df5375725982d15f1270c4.patch
nginx-module-vts~02-ad40022.patch::https://github.com/vozlt/nginx-module-vts/commit/ad4002262c19e81390f518a14f99bb594862c575.patch
nginx-module-vts~03-c08781c.patch::https://github.com/vozlt/nginx-module-vts/commit/c08781c5095d9e6090c47176bdea322ce983ecb6.patch
@@ -421,9 +424,11 @@ getvar() {
eval "printf '%s\n' \"\${$1:-$2}\""
}
-sha512sums="8c21eeb62ab6e32e436932500f700bd2fb99fd2d29e43c08a5bfed4714c189c29c7141db551fcd5d2437303b7439f71758f7407dfd3e801e704e45e7daa78ddb nginx-1.18.0.tar.gz
+sha512sums="
+8c21eeb62ab6e32e436932500f700bd2fb99fd2d29e43c08a5bfed4714c189c29c7141db551fcd5d2437303b7439f71758f7407dfd3e801e704e45e7daa78ddb nginx-1.18.0.tar.gz
98718e5dd6f3478397f57bb0368a159993ece27b16ab3447b9b11739a49baf908ccb4619cdf03d4a1f62208ea75db18ff72aa308cb64900a23a0bbff41482dba nginx-tests-4e0644119341.tar.gz
f90e894ae477bfb0fe28f24ce26f64d83749832ca45e5b3ac61d6df2c25f1a330842f13bf801cf08875c6c3006332afe3ec66d72d234dc26e5f527fb17f96370 nginx-njs-0.5.0.tar.gz
+b8ed5dedc55f4e1c60f3c0b97836096e83a9f928b13c125fe568f5d369bb35535224c7def05677f04adc9733a983ac9cc8aa2c7af94468085eb3121c1817dc45 CVE-2021-23017.patch
fa96e91f495e9891c03730bcafd948e597e7c5d74f2d30df0a8483ae04f7b30c89065a994a0baa5245470f8991db5844b26da925b23ff26c178a384f5f1a887c nginx-module-vts~01-938c19d.patch
1c37e58921478325bb4dd608900588cda49d608e859127f45a1df73176b228b060bf71d9530dc1ad434a287c7a3225e8fe307fcf1bd15758f327436283db6fb9 nginx-module-vts~02-ad40022.patch
9f9cda2f3f163654100adf9cde892b26f80d3de30ffec9fcdb0b3c1a42856f9219ebb024fd4c156fd8c4c4a6c7b17faca89e16916128da232d9f3bc825d716ff nginx-module-vts~03-c08781c.patch
@@ -466,4 +471,5 @@ d7aac69b5eceeb1b0db4741201159ade1e0e7f6f7c3e8c4afa2f8959c6c00c3b5285d5185747c2fb
5b0800ffb98ae69d3505d9046bc7f660defa14d21b74a4e425a4b07db917e39fd9a324851be8c424f5b4b4ef83997e09d9053eb8aa9e9f1889513dd742b5abba ngx_http_untar_module-1.0.tar.gz
54a0aae25a80f285e76344e6d0759e9a1b707be4bc0755abf4b7e48918c8e37092b7b259d052215d875be447d79717c0626797ea449677c492aa1e473cc448fd ngx_upstream_jdomain-1.1.5.tar.gz
352cc3d033cc67ee34209f958dac13ada2147de429f4dd3da301c865d52970d80c8aa3c193f7fb28cf4854b88baff07b6efc3bae1fb813fe53d5956a87dfc81a nginx_cookie_flag_module-1.1.0.tar.gz
-7c9fa9b76bc7cd2473ceae6d5ffb8de26993be9293ea967908d6c4550e086affa7016df4c936fb0b79f1142dc0aa1a5f2058d417e6433b5a3497a45d7e866e84 array-var-nginx-module-0.05.tar.gz"
+7c9fa9b76bc7cd2473ceae6d5ffb8de26993be9293ea967908d6c4550e086affa7016df4c936fb0b79f1142dc0aa1a5f2058d417e6433b5a3497a45d7e866e84 array-var-nginx-module-0.05.tar.gz
+"
diff --git a/main/nginx/CVE-2021-23017.patch b/main/nginx/CVE-2021-23017.patch
new file mode 100644
index 0000000000..9d551c26d6
--- /dev/null
+++ b/main/nginx/CVE-2021-23017.patch
@@ -0,0 +1,25 @@
+Patch-Source: http://nginx.org/download/patch.2021.resolver.txt
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+ n = *src++;
+
+ } else {
++ if (dst != name->data) {
++ *dst++ = '.';
++ }
++
+ ngx_strlow(dst, src, n);
+ dst += n;
+ src += n;
+
+ n = *src++;
+-
+- if (n != 0) {
+- *dst++ = '.';
+- }
+ }
+
+ if (n == 0) {
diff --git a/main/nginx/nginx.post-upgrade b/main/nginx/nginx.post-upgrade
index 8404e1ceb3..8b6cddf9de 100644
--- a/main/nginx/nginx.post-upgrade
+++ b/main/nginx/nginx.post-upgrade
@@ -62,4 +62,15 @@ if [ "$(apk version -t "$ver_old" '1.18.0-r13')" = '<' ]; then
EOF
fi
+# Handle trasition from /var/tmp/nginx to /var/lib/nginx/tmp
+# https://gitlab.alpinelinux.org/alpine/aports/-/issues/11204
+if [ -d /var/lib/nginx/tmp ]; then
+ for i in /var/tmp/nginx/*; do
+ if [ -e "$i" ]; then
+ mv $i /var/lib/nginx/tmp/
+ fi
+ done
+ rmdir /var/tmp/nginx 2>/dev/null
+fi
+
exit 0
diff --git a/main/nginx/nginx.pre-upgrade b/main/nginx/nginx.pre-upgrade
new file mode 100644
index 0000000000..67d540f185
--- /dev/null
+++ b/main/nginx/nginx.pre-upgrade
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# symlink to directory confuses apk. remove it before the upgrade
+# https://gitlab.alpinelinux.org/alpine/aports/-/issues/11204
+
+if [ "$(readlink /var/lib/nginx/tmp)" = "/var/tmp/nginx" ]; then
+ rm /var/lib/nginx/tmp
+fi
+
diff --git a/main/nikto/APKBUILD b/main/nikto/APKBUILD
index 432fd2c473..711226779f 100644
--- a/main/nikto/APKBUILD
+++ b/main/nikto/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Fabio Aires <fabioaires.web@gmail.com>
pkgname=nikto
pkgver=2.1.6
-pkgrel=1
+pkgrel=2
pkgdesc="A web application security scanner"
url="https://www.cirt.net/Nikto2"
arch="noarch"
@@ -10,9 +10,14 @@ license="GPL-2.0"
options="!check" # No test suite
depends="perl nmap openssl"
source="$pkgname-$pkgver.tar.gz::https://github.com/sullo/nikto/archive/$pkgver.tar.gz
- nikto.conf.base"
+ nikto.conf.base
+ CVE-2018-11652.patch"
builddir="$srcdir/$pkgname-$pkgver/program"
+# secfixes:
+# 2.1.6-r2:
+# - CVE-2018-11652
+
build() {
cd "$builddir"
return 0
@@ -29,5 +34,8 @@ package() {
install -m 755 nikto.pl "$pkgdir"/usr/bin
}
-sha512sums="13632018ef6862de7dc53c674d7266fcfb7e164bcf3070327c103cbf8737720ffb710ccc8949acc920a6e0a85da1bb7575d073ee245bc2ba3a8a292ad1695e69 nikto-2.1.6.tar.gz
-d6e349bd20428e45d6ef49db91630e1c6d65d4cf2107a1f4c58e697d8fceeb428fb90c247fbbf8a8ad6f9d27672790d07040079b94c2480dd77dc445fccd6f69 nikto.conf.base"
+sha512sums="
+13632018ef6862de7dc53c674d7266fcfb7e164bcf3070327c103cbf8737720ffb710ccc8949acc920a6e0a85da1bb7575d073ee245bc2ba3a8a292ad1695e69 nikto-2.1.6.tar.gz
+d6e349bd20428e45d6ef49db91630e1c6d65d4cf2107a1f4c58e697d8fceeb428fb90c247fbbf8a8ad6f9d27672790d07040079b94c2480dd77dc445fccd6f69 nikto.conf.base
+c8be4198d6112f7cdcf21ca9a11baff39c0e7f6f63ff364b6bece8362beb4d1393ba0ed1f88ed9273fcf6bad7f8c81e46d73566cb56f0ee017898ddef799cae0 CVE-2018-11652.patch
+"
diff --git a/main/nikto/CVE-2018-11652.patch b/main/nikto/CVE-2018-11652.patch
new file mode 100644
index 0000000000..b6d561798e
--- /dev/null
+++ b/main/nikto/CVE-2018-11652.patch
@@ -0,0 +1,101 @@
+From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
+From: sullo <sullo@cirt.net>
+Date: Thu, 31 May 2018 23:30:03 -0400
+Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
+ Server string & CSV output is opened in Excel or other spreadsheet app.
+ Potentially malicious cell start characters are now prefaced with a ' mark.
+ Thanks to Adam (@bytesoverbombs) for letting me know!
+
+Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
+---
+ program/plugins/nikto_outdated.plugin | 2 +-
+ program/plugins/nikto_report_csv.plugin | 41 +++++++++++++++----------
+ 2 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/program/plugins/nikto_outdated.plugin b/program/plugins/nikto_outdated.plugin
+index 219505ce..08562c5d 100644
+--- program/plugins/nikto_outdated.plugin
++++ program/plugins/nikto_outdated.plugin
+@@ -88,7 +88,7 @@ sub nikto_outdated {
+ $sepr = substr($sepr, (length($sepr) - 1), 1);
+
+ # break up ID string on $sepr
+- my @T = split(/$sepr/, $mark->{'banner'});
++ my @T = split(/\\$sepr/, $mark->{'banner'});
+
+ # assume last is version...
+ for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
+diff --git a/program/plugins/nikto_report_csv.plugin b/program/plugins/nikto_report_csv.plugin
+index ce65cfef..76bdb3fd 100644
+--- program/plugins/nikto_report_csv.plugin
++++ program/plugins/nikto_report_csv.plugin
+@@ -53,10 +53,11 @@ sub csv_host_start {
+ my ($handle, $mark) = @_;
+ $mark->{'banner'} =~ s/"/\\"/g;
+ my $hostname = $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'};
+- print $handle "\"$hostname\","
+- . "\"$mark->{'ip'}\","
+- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
+- . "\"$mark->{'banner'}\"\n";
++ print $handle "\"" . csv_safecell($hostname) . "\","
++ . "\"" . csv_safecell($mark->{'ip'}) . "\","
++ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
++ #. "\"" . $mark->{'banner'} . "\"\n";
++ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
+ return;
+ }
+
+@@ -67,33 +68,41 @@ sub csv_item {
+ foreach my $uri (split(' ', $item->{'uri'})) {
+ my $line = '';
+ my $hostname = $item->{'mark'}->{'vhost'} ? $item->{'mark'}->{'vhost'} : $item->{'mark'}->{'hostname'};
+- $line .= "\"$hostname\",";
+- $line .= "\"$item->{'mark'}->{'ip'}\",";
+- $line .= "\"$item->{'mark'}->{'port'}\",";
++ $line .= "\"" . csv_safecell($hostname) . "\",";
++ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
++ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
+
+ $line .= "\"";
+ if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
+ $line .= "\",";
+
+ $line .= "\"";
+- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
++ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
+ $line .= "\",";
+
+ $line .= "\"";
+ if (($uri ne '') && ($mark->{'root'} ne '') && ($uri !~ /^$mark->{'root'}/))
+- { $line .= $mark->{'root'} . $uri; }
+- else { $line .= $uri; }
++ { $line .= csv_safecell($mark->{'root'}) . $uri; }
++ else { $line .= csv_safecell($uri); }
+ $line .= "\",";
+
+- my $msg = $item->{'message'};
+- $uri=quotemeta($uri);
+- my $root = quotemeta($mark->{'root'});
+- $msg =~ s/^$uri:\s//;
+- $msg =~ s/^$root$uri:\s//;
++ my $msg = $item->{'message'};
++ $uri=quotemeta($uri);
++ my $root = quotemeta($mark->{'root'});
++ $msg =~ s/^$uri:\s//;
++ $msg =~ s/^$root$uri:\s//;
+ $msg =~ s/"/\\"/g;
+- $line .= "\"$msg\"";
++ $line .= "\"" . csv_safecell($msg) ."\"";
+ print $handle "$line\n";
+ }
+ }
+
++###############################################################################
++# prevent CSV injection attacks
++sub csv_safecell {
++ my $celldata = $_[0] || return;
++ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
++ return $celldata;
++}
++
+ 1;
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index cde22fc12d..a580235022 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -6,6 +6,8 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 14.17.3-r0:
+# - CVE-2021-22918
# 14.16.1-r1:
# - CVE-2021-27290
# 14.16.1-r0:
@@ -69,8 +71,8 @@
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=14.16.1
-pkgrel=1
+pkgver=14.17.3
+pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
arch="all !mips64 !mips64el"
@@ -92,7 +94,6 @@ replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility
source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
disable-running-gyp-on-shared-deps.patch
link-with-libatomic-on-mips32.patch
- npm-ssri-CVE-2021-27290.patch
"
builddir="$srcdir/node-v$pkgver"
@@ -184,7 +185,8 @@ npm() {
mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
}
-sha512sums="40843674584c2010958b4faf12290b525f3e5b13d37e52e3b41d50691de16cc0a29ed1fbc81912a0f76f48648c603dfb726242d232e4542f46ab957a4042c05d node-v14.16.1.tar.gz
+sha512sums="
+0ceeddd2b93ed1f7c40912b6533879f7401aaafd27f54230c65ec0454b2eb860abe855c73428a43aa440502302b31fd4a6fa700f5cb0b00702cd2ef522dbf496 node-v14.17.3.tar.gz
dbe8167b61518f8f59176759d69834d57bf3e6a5a5fd3dfc2359cafe0325da08b27f8220d278ed77f50c9f63a03313eabbbb0eaca3e592e5bb4e0d5be0ced373 disable-running-gyp-on-shared-deps.patch
44e81fbf254bd79e38b813f7f5a1336df854588939cba50aaec600660495f9b7745a7049a99eb59d15a51100b3a44f66892a902d7fc32e1399b51883ad4c02cf link-with-libatomic-on-mips32.patch
-c36fc3dfa60ef35c3a319d55bfbe32088e9ad63ee79345a6621cf5f65ab285a567963c687fb46783bba7c43d511cab4d734788c2a7b1d47872eb1ce2f928b928 npm-ssri-CVE-2021-27290.patch"
+"
diff --git a/main/nodejs/npm-ssri-CVE-2021-27290.patch b/main/nodejs/npm-ssri-CVE-2021-27290.patch
deleted file mode 100644
index ff0445460b..0000000000
--- a/main/nodejs/npm-ssri-CVE-2021-27290.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 63b5c56c5203c8965c8ddeff28f2a65010b40b7c Mon Sep 17 00:00:00 2001
-From: Ruy Adorno <ruyadorno@hotmail.com>
-Date: Thu, 8 Apr 2021 15:26:34 -0400
-Subject: [PATCH] ssri@6.0.2
-
-Patch-Source: https://github.com/npm/cli/pull/3054
-
---- a/deps/npm/node_modules/ssri/index.js
-+++ b/deps/npm/node_modules/ssri/index.js
-@@ -8,7 +8,7 @@ const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512']
-
- const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i
- const SRI_REGEX = /^([^-]+)-([^?]+)([?\S*]*)$/
--const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/
-+const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)?$/
- const VCHAR_REGEX = /^[\x21-\x7E]+$/
-
- const SsriOpts = figgyPudding({
---- a/deps/npm/node_modules/ssri/package.json
-+++ b/deps/npm/node_modules/ssri/package.json
-@@ -1,31 +1,32 @@
- {
-- "_from": "ssri@latest",
-- "_id": "ssri@6.0.1",
-+ "_from": "ssri@6.0.2",
-+ "_id": "ssri@6.0.2",
- "_inBundle": false,
-- "_integrity": "sha512-3Wge10hNcT1Kur4PDFwEieXSCMCJs/7WvSACcrMYrNp+b8kDL1/0wJch5Ni2WrtwEa2IO8OsVfeKIciKCDx/QA==",
-+ "_integrity": "sha512-cepbSq/neFK7xB6A50KHN0xHDotYzq58wWCa5LeWqnPrHG8GzfEjO/4O8kpmcGW+oaxkvhEJCWgbgNk4/ZV93Q==",
- "_location": "/ssri",
- "_phantomChildren": {},
- "_requested": {
-- "type": "tag",
-+ "type": "version",
- "registry": true,
-- "raw": "ssri@latest",
-+ "raw": "ssri@6.0.2",
- "name": "ssri",
- "escapedName": "ssri",
-- "rawSpec": "latest",
-+ "rawSpec": "6.0.2",
- "saveSpec": null,
-- "fetchSpec": "latest"
-+ "fetchSpec": "6.0.2"
- },
- "_requiredBy": [
- "#USER",
- "/",
- "/cacache",
-+ "/libnpmpublish",
- "/make-fetch-happen",
- "/pacote"
- ],
-- "_resolved": "https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz",
-- "_shasum": "2a3c41b28dd45b62b63676ecb74001265ae9edd8",
-- "_spec": "ssri@latest",
-- "_where": "/Users/zkat/Documents/code/work/npm",
-+ "_resolved": "https://registry.npmjs.org/ssri/-/ssri-6.0.2.tgz",
-+ "_shasum": "157939134f20464e7301ddba3e90ffa8f7728ac5",
-+ "_spec": "ssri@6.0.2",
-+ "_where": "/Users/ruyadorno/Documents/workspace/cli/legacy",
- "author": {
- "name": "Kat Marchán",
- "email": "kzm@sykosomatic.org"
-@@ -89,5 +90,5 @@
- "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",
- "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'"
- },
-- "version": "6.0.1"
-+ "version": "6.0.2"
- }
---- a/deps/npm/package.json
-+++ b/deps/npm/package.json
-@@ -132,7 +132,7 @@
- "slide": "~1.1.6",
- "sorted-object": "~2.0.1",
- "sorted-union-stream": "~2.1.3",
-- "ssri": "^6.0.1",
-+ "ssri": "^6.0.2",
- "stringify-package": "^1.0.1",
- "tar": "^4.4.13",
- "text-table": "~0.2.0",
diff --git a/main/nspr/APKBUILD b/main/nspr/APKBUILD
index a6fc6a0cbf..88f3166af9 100644
--- a/main/nspr/APKBUILD
+++ b/main/nspr/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=nspr
-pkgver=4.29
+pkgver=4.31
pkgrel=0
pkgdesc="Netscape Portable Runtime"
url="https://www.mozilla.org/projects/nspr/"
@@ -59,6 +59,8 @@ package() {
"$pkgdir"/usr/include/nspr/md
}
-sha512sums="ba5ac275fe0beb69d7a7674c9ee9e4429bd5761daed285edd975ccc829af30d062bf4a0f5e44361e3bd191f21b1905f96ab146d53b55324020f13ecb3c05609b nspr-4.29.tar.gz
+sha512sums="
+1f37d04721335288dd8a5cf700ead5a56cee73365e619f3da90f6067830b78a050a525950686bcdd14fcf61faffd1141ec46d4180a0dd10375f7e9fef6eac6ed nspr-4.31.tar.gz
7062cc03e38541282226781e67c886c78ca693f7ee96df96509c9429470d294ca6b87ebe05ea809920b9ef78eaa0a0d21ae575a1ac438f148d0c1dc915424613 fix-getproto.patch
-69e804907d1a8867912511818d9827e4d7fd36ff44253cb21f4a5527610076874ddf5aada87717ef6454162c21248c9f7c3395376c585129134950c12f90ac0f fix-sgidefs-usage.patch"
+69e804907d1a8867912511818d9827e4d7fd36ff44253cb21f4a5527610076874ddf5aada87717ef6454162c21248c9f7c3395376c585129134950c12f90ac0f fix-sgidefs-usage.patch
+"
diff --git a/main/open-iscsi/APKBUILD b/main/open-iscsi/APKBUILD
index 8385a1456e..d589e02106 100644
--- a/main/open-iscsi/APKBUILD
+++ b/main/open-iscsi/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=open-iscsi
pkgver=2.1.3
-pkgrel=0
+pkgrel=1
pkgdesc="High performance, transport independent, multi-platform iSCSI initiator"
url="https://www.open-iscsi.com"
arch="all"
@@ -38,7 +38,7 @@ package() {
}
sha512sums="0de417dc45b765458c5a1f09029b5df9b5c18d45d7a8fb6b38d539b7013f512a3c8731d5046f554611eccc77b93fea0df30fe4932d79cea44776ac944c398a52 open-iscsi-2.1.3.tar.gz
-febf67065c133fd2f79d5aff509891d557af25739b700e961d2289a941b447099021b01fa29817bcd057147adad3a3f8948049d4f8ff3590cb7255a0fa0d715c iscsid.initd
+4f0f157e1bb366138c429cfa5a0ea86e40995c9d493c8fb72b8beffd3166dc4c867a131aff858952f4a2fe376d6a4581aa5e1b2ebfe370218f2fc5aa3c2c6259 iscsid.initd
075bb9cb783be7ccbc799947e0e042b85310d40b3045141dc1be40ca84ed1cc0e1e54559df501c512c179e28375314b27a03c15d9a6d4b1cabd428b2279985d3 iscsid.confd
4cc7c1923047616d908806aab96d468cb7b99ff9f8a9e02a039866b66db4ae856bd9f414854712d8a57c21614674f4468736bce26a4199c2ff054a165bca26e0 iscsid.conf
1b89ffd6de0dc7bb63fc2702a97e49df4369158c66ee609acfc041b1677c07fbd964b7a709f1f324fa51a9842d4d3e11611d9783e18d526372d468163c0ac8db musl-fixes.patch
diff --git a/main/open-iscsi/iscsid.initd b/main/open-iscsi/iscsid.initd
index c0bea59b7f..f48eacc0e5 100644
--- a/main/open-iscsi/iscsid.initd
+++ b/main/open-iscsi/iscsid.initd
@@ -32,7 +32,7 @@ checkconfig() {
fi
if [ ! -e ${INITIATORNAME_FILE} -o -z "${InitiatorName}" ]; then
ewarn "${INITIATORNAME_FILE} should contain a string with your initiatior name."
- local IQN=$(/usr/sbin/iscsi-iname)
+ local IQN=$(/sbin/iscsi-iname)
ebegin "Creating InitiatorName ${IQN} in ${INITIATORNAME_FILE}"
echo "InitiatorName=${IQN}" >> "${INITIATORNAME_FILE}"
eend $?
diff --git a/main/openrc/APKBUILD b/main/openrc/APKBUILD
index 2b1547333d..f0e855736e 100644
--- a/main/openrc/APKBUILD
+++ b/main/openrc/APKBUILD
@@ -2,7 +2,7 @@
pkgname=openrc
pkgver=0.42.1
_ver=${pkgver/_git*/}
-pkgrel=19
+pkgrel=20
pkgdesc="OpenRC manages the services, startup and shutdown of a host"
url="https://github.com/OpenRC/openrc"
arch="all"
@@ -30,6 +30,8 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve
0013-fix-osclock.patch
0014-time_t-64bit.patch
+ CVE-2018-21269.patch
+
openrc.logrotate
hostname.initd
hwdrivers.initd
@@ -44,6 +46,10 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve
test-networking.sh
"
+# secfixes:
+# 0.42.1-r20:
+# - CVE-2018-21269
+
prepare() {
default_prepare
sed -i -e '/^sed/d' "$builddir"/pkgconfig/Makefile
@@ -129,7 +135,8 @@ zshcomp() {
rm -rf "$pkgdir"/usr/share/zsh
}
-sha512sums="579b9bfbb151b945a364a2c12b037d2e15991820ca99a07ac18e9bdc50074e67fbf0dcf9865aa4deabe2bf82092e4623be51c9e0b4014384951e0a92ac1e7646 openrc-0.42.1.tar.gz
+sha512sums="
+579b9bfbb151b945a364a2c12b037d2e15991820ca99a07ac18e9bdc50074e67fbf0dcf9865aa4deabe2bf82092e4623be51c9e0b4014384951e0a92ac1e7646 openrc-0.42.1.tar.gz
71fce711adbcb411189a089f1d49567c50348e12c42b7a9c9b582dae5d18051f88ccf81c768337e87d6792d953e84d1e8b93d7978a1947d7d20ef3b1cd330875 0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch
b1cedd38badda4fc308decdff06f9644b96fe35617792da8d6d62407409841705fd71b5b57d1804a6395095604a70898f80830c76395ec99f715038a0809d815 0002-force-root-be-rw-before-localmount.patch
d54630d40a2d6b10a325cb012d4efcda997a60c008ca953ce5d60059d3f267308a59dabddf93a5fc0d301aa91967137d144effbe5f574394af768ce4ebc48738 0004-hide-error-when-migrating-var-run-to-run.patch
@@ -143,6 +150,7 @@ ff9bf2f6e4f55633a9641385398f70a2e591e2b3b56b1903f168a97b07bd56dc5a65d151deeab942
24c665098475c8a1dca75677b48864dc554930f8039900785d8f73c4ebab857255607297fdcbce6249f18f2b97bd7804a35a782721d4658a1c7a7b7b985418ff 0012-gcc-10.patch
4dca5fb25dc9cf356716042650e3b50969b4749f4e839505f87054d45ca074931ac9ef9aca6b6be4f36cc82c46e838a9e9122ee27154de703d8d9eb7b6f6273b 0013-fix-osclock.patch
af0d5a3e6bdd09abd65174a0292450ebb79116a6be50ad4dc368e7ade497020bf4f7d55487335eb32067616603c7d9c3f8596228064c93bfd47596fb12ef7215 0014-time_t-64bit.patch
+715016b4f481a6d4d2ab37d23659e6cacc023b02fa6908b566391ee2744369076ea74e54f0fe576e2cc1d3371d4d9e3818395ca3f417233358fc70a9edc4dba6 CVE-2018-21269.patch
12bb6354e808fbf47bbab963de55ee7901738b4a912659982c57ef2777fff9a670e867fcb8ec316a76b151032c92dc89a950d7d1d835ef53f753a8f3b41d2cec openrc.logrotate
493f27d588e64bb2bb542b32493ed05873f4724e8ad1751002982d7b4e07963cfb72f93603b2d678f305177cf9556d408a87b793744c6b7cd46cf9be4b744c02 hostname.initd
c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd
@@ -154,4 +162,5 @@ d76c75c58e6f4b0801edac4e081b725ef3d50a9a8c9bbb5692bf4d0f804af7d383bf71a73d5d03ed
990855f875513a85c2b737685ac5bfdfa86f8dadacf00c1826a456547f99b69d4ecf1b9a09c0ce002f1df618b44b1febabe53f95a2c0cd02b504d565bccb50c8 firstboot.initd
2d5f9f6d41b7c0a8643cfdee1ce3c399bfe4ebff54421f33ab1e74c1c4c1b96a49e54b5cd69f0339a060342e4e5a11067bbff68c39fa487919259d73e8e46ed1 sysctl.initd
35682e1742196133b79e4a0b21fe8df039a982ba4fdd0181b1e3872f3885e40726179d4996fec83a1da11ff314d71f8910609c1c05acb3d0f9b923147e2f1d55 machine-id.initd
-af17947aa3954e317dc06580da829200e0b0f2ddc37ce842c3fc7fc0d8ca2f40220e4f4665f61b4b5ec47c96416db0127e2ed979b9421bf21df89d4c4f998b7f test-networking.sh"
+af17947aa3954e317dc06580da829200e0b0f2ddc37ce842c3fc7fc0d8ca2f40220e4f4665f61b4b5ec47c96416db0127e2ed979b9421bf21df89d4c4f998b7f test-networking.sh
+"
diff --git a/main/openrc/CVE-2018-21269.patch b/main/openrc/CVE-2018-21269.patch
new file mode 100644
index 0000000000..9975d7bf81
--- /dev/null
+++ b/main/openrc/CVE-2018-21269.patch
@@ -0,0 +1,244 @@
+From 577f00abe5f8ec6da40ac79d77df3e514593090d Mon Sep 17 00:00:00 2001
+From: William Hubbs <w.d.hubbs@gmail.com>
+Date: Wed, 11 Nov 2020 10:28:50 -0600
+Subject: [PATCH] checkpath: fix CVE-2018-21269
+
+This walks the directory path to the file we are going to manipulate to make
+sure that when we create the file and change the ownership and permissions
+we are working on the same file.
+Also, all non-terminal symbolic links must be owned by root. This will
+keep a non-root user from making a symbolic link as described in the
+bug. If root creates the symbolic link, it is assumed to be trusted.
+
+On non-linux platforms, we no longer follow non-terminal symbolic links
+by default. If you need to do that, add the -s option on the checkpath
+command line, but keep in mind that this is not secure.
+
+This fixes #201.
+---
+ man/openrc-run.8 | 6 +++
+ src/rc/checkpath.c | 103 ++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 102 insertions(+), 7 deletions(-)
+
+diff --git a/man/openrc-run.8 b/man/openrc-run.8
+index 1102daaa..ec4b88de 100644
+--- a/man/openrc-run.8
++++ b/man/openrc-run.8
+@@ -461,6 +461,7 @@ Mark the service as inactive.
+ .Op Fl p , -pipe
+ .Op Fl m , -mode Ar mode
+ .Op Fl o , -owner Ar owner
++.Op Fl s , -symlinks
+ .Op Fl W , -writable
+ .Op Fl q , -quiet
+ .Ar path ...
+@@ -481,6 +482,11 @@ or with names, and are separated by a colon.
+ The truncate options (-D and -F) cause the directory or file to be
+ cleared of all contents.
+ .Pp
++If -s is not specified on a non-linux platform, checkpath will refuse to
++allow non-terminal symbolic links to exist in the path. This is for
++security reasons so that a non-root user can't create a symbolic link to
++a root-owned file and take ownership of that file.
++.Pp
+ If -W is specified, checkpath checks to see if the first path given on
+ the command line is writable. This is different from how the test
+ command in the shell works, because it also checks to make sure the file
+diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
+index 448c9cf8..ff54a892 100644
+--- a/src/rc/checkpath.c
++++ b/src/rc/checkpath.c
+@@ -16,6 +16,7 @@
+ * except according to the terms contained in the LICENSE file.
+ */
+
++#define _GNU_SOURCE
+ #include <sys/types.h>
+ #include <sys/stat.h>
+
+@@ -23,6 +24,7 @@
+ #include <fcntl.h>
+ #include <getopt.h>
+ #include <grp.h>
++#include <libgen.h>
+ #include <pwd.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -44,7 +46,7 @@ typedef enum {
+
+ const char *applet = NULL;
+ const char *extraopts ="path1 [path2] [...]";
+-const char *getoptstring = "dDfFpm:o:W" getoptstring_COMMON;
++const char *getoptstring = "dDfFpm:o:sW" getoptstring_COMMON;
+ const struct option longopts[] = {
+ { "directory", 0, NULL, 'd'},
+ { "directory-truncate", 0, NULL, 'D'},
+@@ -53,6 +55,7 @@ const struct option longopts[] = {
+ { "pipe", 0, NULL, 'p'},
+ { "mode", 1, NULL, 'm'},
+ { "owner", 1, NULL, 'o'},
++ { "symlinks", 0, NULL, 's'},
+ { "writable", 0, NULL, 'W'},
+ longopts_COMMON
+ };
+@@ -64,15 +67,92 @@ const char * const longopts_help[] = {
+ "Create a named pipe (FIFO) if not exists",
+ "Mode to check",
+ "Owner to check (user:group)",
++ "follow symbolic links (irrelivent on linux)",
+ "Check whether the path is writable or not",
+ longopts_help_COMMON
+ };
+ const char *usagestring = NULL;
+
++static int get_dirfd(char *path, bool symlinks) {
++ char *ch;
++ char *item;
++ char *linkpath = NULL;
++ char *path_dupe;
++ char *str;
++ int components = 0;
++ int dirfd;
++ int flags = 0;
++ int new_dirfd;
++ struct stat st;
++ ssize_t linksize;
++
++ if (!path || *path != '/')
++ eerrorx("%s: empty or relative path", applet);
++ dirfd = openat(dirfd, "/", O_RDONLY);
++ if (dirfd == -1)
++ eerrorx("%s: unable to open the root directory: %s",
++ applet, strerror(errno));
++ path_dupe = xstrdup(path);
++ ch = path_dupe;
++ while (*ch) {
++ if (*ch == '/')
++ components++;
++ ch++;
++ }
++ item = strtok(path_dupe, "/");
++#ifdef O_PATH
++ flags |= O_PATH;
++#endif
++ if (!symlinks)
++ flags |= O_NOFOLLOW;
++ flags |= O_RDONLY;
++ while (dirfd > 0 && item && components > 1) {
++ str = xstrdup(linkpath ? linkpath : item);
++ new_dirfd = openat(dirfd, str, flags);
++ if (new_dirfd == -1)
++ eerrorx("%s: %s: could not open %s: %s", applet, path, str,
++ strerror(errno));
++ if (fstat(new_dirfd, &st) == -1)
++ eerrorx("%s: %s: unable to stat %s: %s", applet, path, item,
++ strerror(errno));
++ if (S_ISLNK(st.st_mode) ) {
++ if (st.st_uid != 0)
++ eerrorx("%s: %s: synbolic link %s not owned by root",
++ applet, path, str);
++ linksize = st.st_size+1;
++ if (linkpath)
++ free(linkpath);
++ linkpath = xmalloc(linksize);
++ memset(linkpath, 0, linksize);
++ if (readlinkat(new_dirfd, "", linkpath, linksize) != st.st_size)
++ eerrorx("%s: symbolic link destination changed", applet);
++ /*
++ * now follow the symlink.
++ */
++ close(new_dirfd);
++ } else {
++ close(dirfd);
++ dirfd = new_dirfd;
++ free(linkpath);
++ linkpath = NULL;
++ item = strtok(NULL, "/");
++ components--;
++ }
++ }
++ free(path_dupe);
++ if (linkpath) {
++ free(linkpath);
++ linkpath = NULL;
++ }
++ return dirfd;
++}
++
+ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+- inode_t type, bool trunc, bool chowner, bool selinux_on)
++ inode_t type, bool trunc, bool chowner, bool symlinks, bool selinux_on)
+ {
+ struct stat st;
++ char *name = NULL;
++ int dirfd;
+ int fd;
+ int flags;
+ int r;
+@@ -93,14 +173,16 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ #endif
+ if (trunc)
+ flags |= O_TRUNC;
+- readfd = open(path, readflags);
++ xasprintf(&name, "%s", basename_c(path));
++ dirfd = get_dirfd(path, symlinks);
++ readfd = openat(dirfd, name, readflags);
+ if (readfd == -1 || (type == inode_file && trunc)) {
+ if (type == inode_file) {
+ einfo("%s: creating file", path);
+ if (!mode) /* 664 */
+ mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
+ u = umask(0);
+- fd = open(path, flags, mode);
++ fd = openat(dirfd, name, flags, mode);
+ umask(u);
+ if (fd == -1) {
+ eerror("%s: open: %s", applet, strerror(errno));
+@@ -122,7 +204,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ strerror (errno));
+ return -1;
+ }
+- readfd = open(path, readflags);
++ readfd = openat(dirfd, name, readflags);
+ if (readfd == -1) {
+ eerror("%s: unable to open directory: %s", applet,
+ strerror(errno));
+@@ -140,7 +222,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ strerror (errno));
+ return -1;
+ }
+- readfd = open(path, readflags);
++ readfd = openat(dirfd, name, readflags);
+ if (readfd == -1) {
+ eerror("%s: unable to open fifo: %s", applet,
+ strerror(errno));
+@@ -259,6 +341,7 @@ int main(int argc, char **argv)
+ int retval = EXIT_SUCCESS;
+ bool trunc = false;
+ bool chowner = false;
++ bool symlinks = false;
+ bool writable = false;
+ bool selinux_on = false;
+
+@@ -293,6 +376,11 @@ int main(int argc, char **argv)
+ eerrorx("%s: owner `%s' not found",
+ applet, optarg);
+ break;
++ case 's':
++#ifndef O_PATH
++ symlinks = true;
++#endif
++ break;
+ case 'W':
+ writable = true;
+ break;
+@@ -320,7 +408,8 @@ int main(int argc, char **argv)
+ while (optind < argc) {
+ if (writable)
+ exit(!is_writable(argv[optind]));
+- if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner, selinux_on))
++ if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner,
++ symlinks, selinux_on))
+ retval = EXIT_FAILURE;
+ optind++;
+ }
diff --git a/main/openvpn/APKBUILD b/main/openvpn/APKBUILD
index 4e86eda722..89eadfccaf 100644
--- a/main/openvpn/APKBUILD
+++ b/main/openvpn/APKBUILD
@@ -26,6 +26,9 @@ source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.xz
# - CVE-2020-11810
# 2.4.6-r0:
# - CVE-2018-9336
+# 0:
+# - CVE-2020-7224
+# - CVE-2020-27569
build() {
./configure \
diff --git a/main/patch/APKBUILD b/main/patch/APKBUILD
index efbfa03409..c87fd38beb 100644
--- a/main/patch/APKBUILD
+++ b/main/patch/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=patch
pkgver=2.7.6
-pkgrel=6
+pkgrel=7
pkgdesc="Utility to apply diffs to files"
url="https://www.gnu.org/software/patch/patch.html"
arch="all"
@@ -20,10 +20,13 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
CVE-2019-13636.patch
CVE-2019-13638.patch
+ CVE-2019-20633.patch
"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 2.7.6-r7:
+# - CVE-2019-20633
# 2.7.6-r6:
# - CVE-2018-1000156
# - CVE-2019-13638
@@ -66,10 +69,13 @@ package() {
rmdir -p "$pkgdir"/usr/lib 2>/dev/null || true
}
-sha512sums="fcca87bdb67a88685a8a25597f9e015f5e60197b9a269fa350ae35a7991ed8da553939b4bbc7f7d3cfd863c67142af403b04165633acbce4339056a905e87fbd patch-2.7.6.tar.xz
+sha512sums="
+fcca87bdb67a88685a8a25597f9e015f5e60197b9a269fa350ae35a7991ed8da553939b4bbc7f7d3cfd863c67142af403b04165633acbce4339056a905e87fbd patch-2.7.6.tar.xz
db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch
5d2eaef629bae92e5b4e5e57d140c24a73e2811306d5f2854858f846646b034d2da315071f478bcf6f8d856a065b9bb073f76322e8e3a42616bc212281ce6945 CVE-2018-6952.patch
33e8a82f5ee6b896fd434e7de1ca9e16e8d317941a021bea8c53afd5bf210774e8727df22f8d8f63f255de10de5a26428047bc710b033423d1e7a459cbbaf83a 0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch
d0d46e28c5fdcd5fe16826cbcf39d5a74fdf2593375d5206aa7bad759f16dbebeca3bf259239f99c13344579044a3de1000d705065cc19e917266bca6e5c0630 0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
029b92bb899d0b1165cfe7f55b5a4c2d7090852f52e5c85a6bb1cf5913c914a5c68c6c34517e84f0a020a56d21814f8c18b934c8ebe059ba4eddece78a3a258c CVE-2019-13636.patch
-d60f8c2364fca9b73aa73b5914cfd6571d11528d13fa7703ccfa93730cbdf8a6e4c9ca04cb7d02a40d33c38075890790b490052d5217e728b0948991da937980 CVE-2019-13638.patch"
+d60f8c2364fca9b73aa73b5914cfd6571d11528d13fa7703ccfa93730cbdf8a6e4c9ca04cb7d02a40d33c38075890790b490052d5217e728b0948991da937980 CVE-2019-13638.patch
+e988836c90946282e70fca0fe29a52405a357b14bfdc8fce3afb680d7d1b25c4bf9d9cbc5612e3bb2d9379192635d7f1bf1b7b16c23b13d77450ec87dc5e3fe4 CVE-2019-20633.patch
+"
diff --git a/main/patch/CVE-2019-20633.patch b/main/patch/CVE-2019-20633.patch
new file mode 100644
index 0000000000..a528e1ad0d
--- /dev/null
+++ b/main/patch/CVE-2019-20633.patch
@@ -0,0 +1,26 @@
+From 15b158db3ae11cb835f2eb8d2eb48e09d1a4af48 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 19:10:02 +0200
+Subject: Avoid invalid memory access in context format diffs
+
+* src/pch.c (another_hunk): Avoid invalid memory access in context format
+diffs.
+---
+ src/pch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pch.c b/src/pch.c
+index a500ad9..cb54e03 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1328,6 +1328,7 @@ another_hunk (enum diff difftype, bool rev)
+ ptrn_prefix_context = context;
+ ptrn_suffix_context = context;
+ if (repl_beginning
++ || p_end <= 0
+ || (p_end
+ != p_ptrn_lines + 1 + (p_Char[p_end - 1] == '\n')))
+ {
+--
+cgit v1.2.1
+
diff --git a/main/perl-convert-asn1/APKBUILD b/main/perl-convert-asn1/APKBUILD
index e59f24f912..8d9ccb7bb5 100644
--- a/main/perl-convert-asn1/APKBUILD
+++ b/main/perl-convert-asn1/APKBUILD
@@ -1,39 +1,41 @@
-# Automatically generated by apkbuild-cpan, template 1
+# Automatically generated by apkbuild-cpan, template 3
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=perl-convert-asn1
+#_pkgreal is used by apkbuild-cpan to find modules at MetaCpan
_pkgreal=Convert-ASN1
-pkgver=0.27
-pkgrel=2
+pkgver=0.29
+pkgrel=0
pkgdesc="Convert between perl data structures and ASN.1 encoded packets"
url="https://metacpan.org/release/Convert-ASN1/"
arch="noarch"
-license="GPL PerlArtistic"
-cpandepends=""
-cpanmakedepends=" "
-depends="$cpandepends"
-makedepends="perl-dev $cpanmakedepends"
+license="GPL-1.0-or-later OR Artistic-1.0-Perl"
+depends="perl"
+makedepends="perl-dev"
subpackages="$pkgname-doc"
-source="https://cpan.metacpan.org/authors/id/G/GB/GBARR/$_pkgreal-$pkgver.tar.gz"
+source="https://cpan.metacpan.org/authors/id/T/TI/TIMLEGGE/Convert-ASN1-$pkgver.tar.gz"
+builddir="$srcdir/$_pkgreal-$pkgver"
-_builddir="$srcdir/$_pkgreal-$pkgver"
+# secfixes:
+# 0.29-r0:
+# - CVE-2013-7488
-prepare() {
- cd "$_builddir"
- export CFLAGS=`perl -MConfig -E 'say $Config{ccflags}'`
- PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor
+build() {
+ export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
+ PERL_MM_USE_DEFAULT=1 perl -I. Makefile.PL INSTALLDIRS=vendor
+ make
}
-build() {
- cd "$_builddir"
- export CFLAGS=`perl -MConfig -E 'say $Config{ccflags}'`
- make && make test
+check() {
+ export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
+ make test
}
package() {
- cd "$_builddir"
- make DESTDIR="$pkgdir" install || return 1
+ make DESTDIR="$pkgdir" install
find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
}
-sha512sums="253bc0c1b2919841497a95bcbd05825217a3013c7f789fd9f3d389808fb015daca91f5c149797574bf32d38e94efb7f1d8df62e9e4c13928ec3b978cc9fd6fe8 Convert-ASN1-0.27.tar.gz"
+sha512sums="
+3a4906a3df33ee2070a718508bc58335c5e8fb334859782c4d47aa44efe500fa9c7e3bd27f9604a46bdf7123451a94fd6abcdae09eb3fd53a385dcae1a0fe4d0 Convert-ASN1-0.29.tar.gz
+"
diff --git a/main/postfix/APKBUILD b/main/postfix/APKBUILD
index f2d915b923..d232a6833f 100644
--- a/main/postfix/APKBUILD
+++ b/main/postfix/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=postfix
-pkgver=3.5.10
+pkgver=3.5.12
pkgrel=0
pkgdesc="Secure and fast drop-in replacement for Sendmail (MTA)"
url="http://www.postfix.org/"
@@ -196,7 +196,9 @@ stone() {
find src/smtpstone -mindepth 1 -perm 0755 -exec cp {} "$subpkgdir"/usr/bin \;
}
-sha512sums="5845701d3dcdaaea376a44810a84dbe908e96e5ff54921cd40fd2d5c5643ed8e4add5936e149237fea4cb69c1ffb4ceb4171d1e779be096aa21a6e5021b604da postfix-3.5.10.tar.gz
+sha512sums="
+8f545e79031689b41122cd8ea87512968bcdc8e06ef836a648a9eb8f2e664009c84ba42f14294b5b215d4efd5a2138acb4d0b0f97552eff45dadafcea518cda6 postfix-3.5.12.tar.gz
2752e69c4e1857bdcf29444ffb458bca818bc60b9c77c20823c5f5b87c36cb5e0f3217a625a7fe5788d5bfcef7570a1f2149e1233fcd23ccf7ee14190aff47a2 postfix.initd
25cd34f23ca909d4e33aaf3239d1e397260abc7796d9a4456dee4f005682fd3a58aab8106126e5218c95bdddae415a3ef7e2223cd3b0d7b1e2bd76158bb7eaf8 postfix-install.patch
-0769e2e503486f8dd6fa21f2c534ad7df7a9f1bb57dde2f0ad61863a3e615d0a6dc18132b27796eb28cd81afb2b4e97c65c9d490a391f835aa3b7b18e74252c5 lmdb-default.patch"
+0769e2e503486f8dd6fa21f2c534ad7df7a9f1bb57dde2f0ad61863a3e615d0a6dc18132b27796eb28cd81afb2b4e97c65c9d490a391f835aa3b7b18e74252c5 lmdb-default.patch
+"
diff --git a/main/putty/APKBUILD b/main/putty/APKBUILD
index b546dfd457..2322e98ae4 100644
--- a/main/putty/APKBUILD
+++ b/main/putty/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Jeff Bilyk <jbilyk@alpinelinux.org>
pkgname=putty
-pkgver=0.74
+pkgver=0.76
pkgrel=0
pkgdesc="SSH and telnet client"
url="https://www.chiark.greenend.org.uk/~sgtatham/putty/"
@@ -9,11 +9,12 @@ license="MIT"
depends="ncurses-terminfo-base"
makedepends="linux-headers"
subpackages="$pkgname-doc"
-source="http://the.earth.li/~sgtatham/putty/$pkgver/putty-$pkgver.tar.gz
- fix-ppc64le-disable-werror.patch"
+source="http://the.earth.li/~sgtatham/putty/$pkgver/putty-$pkgver.tar.gz"
options="!check" # no test suite
# secfixes:
+# 0.76-r0:
+# - CVE-2021-36367
# 0.74-r0:
# - CVE-2020-14002
# 0.73-r0:
@@ -37,5 +38,6 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="0da86849ea764cd88643bd2c1984ac7211ae72dd7c41232307b1960a29ca9518044b022d87c60272d6db71a3357026862a112bedb90ee732b41494fca3acde9b putty-0.74.tar.gz
-b10b2332ca0592db5664311d1bba7549ded79f16f6eef13dab3caca21626d97657f31e8603766e00b1a06f42cf229107eb53929730fe48e97cfc9216093fcc4c fix-ppc64le-disable-werror.patch"
+sha512sums="
+4576b359593928c6eba923f2d7b66ac0f2cf00e0c217cdbbb124471c3b35feb090e623847bfc507a4ef106cb3067aac47419e241b11dd8bf4ae554061fa93c25 putty-0.76.tar.gz
+"
diff --git a/main/putty/fix-ppc64le-disable-werror.patch b/main/putty/fix-ppc64le-disable-werror.patch
deleted file mode 100644
index 2dba28bdb7..0000000000
--- a/main/putty/fix-ppc64le-disable-werror.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/configure b/configure
-index d68c382..5db360e 100755
---- a/configure
-+++ b/configure
-@@ -5995,7 +5995,7 @@ fi
-
- if test "x$GCC" = "xyes"; then
- :
-- WARNINGOPTS='-Wall -Werror -Wpointer-arith -Wvla'
-+ WARNINGOPTS='-Wall -Wpointer-arith -Wvla'
-
- else
- :
diff --git a/main/py3-cryptography/APKBUILD b/main/py3-cryptography/APKBUILD
index 92277d480f..b02b0545e6 100644
--- a/main/py3-cryptography/APKBUILD
+++ b/main/py3-cryptography/APKBUILD
@@ -20,7 +20,7 @@ provides="py-cryptography=$pkgver-r$pkgrel" # Backwards compatibility
# secfixes:
# 3.3.2-r0:
-# - CVE-2020-25659
+# - CVE-2020-36242
# 3.2.1-r0:
# - CVE-2020-25659
diff --git a/main/redis/APKBUILD b/main/redis/APKBUILD
index 653f11f9d1..76c2e98396 100644
--- a/main/redis/APKBUILD
+++ b/main/redis/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Eivind Uggedal <eu@eju.no>
# Maintainer: TBK <alpine@jjtc.eu>
pkgname=redis
-pkgver=6.0.11
+pkgver=6.0.15
pkgrel=0
pkgdesc="Advanced key-value store"
url="https://redis.io/"
@@ -26,6 +26,12 @@ source="https://download.redis.io/releases/redis-$pkgver.tar.gz
"
# secfixes:
+# 6.0.13-r0:
+# - CVE-2021-32761
+# 6.0.14-r0:
+# - CVE-2021-32625
+# 6.0.13-r0:
+# - CVE-2021-29477
# 6.0.11-r0:
# - CVE-2021-21309
# 6.0.9-r0:
@@ -55,6 +61,7 @@ build() {
make PREFIX=/usr \
INSTALL_BIN="$pkgdir"/usr/bin \
MALLOC=libc \
+ USE_SYSTEMD=no \
FINAL_LIBS="-lm -ldl -pthread $_libatomic" \
all
}
@@ -83,7 +90,8 @@ package() {
var/log/redis
}
-sha512sums="13b08a98c2d89c2c53c9a80fe27acc98dbc9fd8e93d7baabed381c401877bd8672cf4472b17d8843edda674c41849859b90a722a3c99d99cfdc3769ae5e0a979 redis-6.0.11.tar.gz
+sha512sums="
+e7ba123798a11e1c68dd6d3ebb0586bed4f2bb33755871f1577f7e0229f826b468c2130c31bcc85a64ce7ff54e280df0a7c60e0882f3ed2a11d43e7819fe8b9e redis-6.0.15.tar.gz
006716439828981ab56bd8837e67d0a99a775e07a80a761903fa762c91571f5e5ffc1a99f0b518a944cbd8635609952ded838f342d5563345199f8e6e6579efd makefile-dont-duplicate-binary.patch
05a35246ee5136f10f1873eb91a267cf31d206d298ff8ac105efc501bbab7f44b50d4e4d92874701c81e105bd72a0ac73f5e810610de8e3769544e7c36a23748 redis.conf.patch
a5dc411c2bd7edf61400e29accb375275dd888fda72a8f7e3889be475010c695a22f536be818ef9441e47285c00b451966db924362a7f56806586078c9e3ff8c sentinel.conf.patch
@@ -91,4 +99,5 @@ f6dcdad1edd6b5fb6aa28ba774bfc8aba035f316695da261fb2ad291b76f00f177479f9d74434d06
6752e99df632b14d62a3266929e80c3d667be5c270e4f34e0dcf2b7f9b1754fe0ce9d4569fa413dbbe207e406ff2848a64e0c47629997536ae1d14ca84ebd56b redis.confd
e7a60a090df53eef05d58d73709f07536135a93efb34e48ad933e3859d3d1c0f476975a3232df18f57476bf7fc3b0548471e1c86445878457ac8507b3da71384 redis-sentinel.initd
bf2def2077a989047e9bfff8a7f754bcdf96e020fd4a470f8967ee1fca601e11f044cfb3742f00e932cc013e0d0b199045d78c8878a0e529715c9f77786d353f redis.logrotate
-e29fb36a43dbd991aa46f469d49f76d6c22354abf11abcfe91c2cc8254c0fe9f997e51288ca37e3d184b89b49cd9ffb42483f8ec35b99aee829bf3ee5b4c5163 musl-zmalloc.patch"
+e29fb36a43dbd991aa46f469d49f76d6c22354abf11abcfe91c2cc8254c0fe9f997e51288ca37e3d184b89b49cd9ffb42483f8ec35b99aee829bf3ee5b4c5163 musl-zmalloc.patch
+"
diff --git a/main/rssh/APKBUILD b/main/rssh/APKBUILD
index 4be25a4140..7e1d00f4d8 100644
--- a/main/rssh/APKBUILD
+++ b/main/rssh/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=rssh
pkgver=2.3.4
-pkgrel=1
+pkgrel=2
pkgdesc="Restricted shell for use with OpenSSH, allowing only scp, sftp, and/or rsync"
url="http://www.pizzashack.org/rssh/"
arch="all"
@@ -14,9 +14,18 @@ subpackages="$pkgname-doc"
source="https://prdownloads.sourceforge.net/rssh/rssh-$pkgver.tar.gz
makefile.patch
fix-error-message-for-invalid-option.patch
- handle-rsync-v3-e-option.patch"
+ handle-rsync-v3-e-option.patch
+ verify-scp-options.patch
+ check-command-line-after-chroot.patch"
options="suid"
+# secfixes:
+# 2.3.4-r2:
+# - CVE-2019-3463
+# - CVE-2019-1000018
+# 2.3.4-r1:
+# - CVE-2019-3464
+
build() {
./configure \
--build=$CBUILD \
@@ -33,7 +42,11 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="c1a77abdf4abe5f936fb1c9c008fc81fabf7b624d69ed31fe2ae5619dfa4a79f1d4a4f2daa5291a36d40353fa2168e74e5ba61294230d702fcdc88ae0d520487 rssh-2.3.4.tar.gz
+sha512sums="
+c1a77abdf4abe5f936fb1c9c008fc81fabf7b624d69ed31fe2ae5619dfa4a79f1d4a4f2daa5291a36d40353fa2168e74e5ba61294230d702fcdc88ae0d520487 rssh-2.3.4.tar.gz
7b1120b47a1c5d251f002d4196ffac66bcc4518b34284831932d7ef0aae839777c8188cb2addacb57241b6208c03c5b14f1845a50bb5b72461f80a7f943ef051 makefile.patch
abad4a707f7851c60549d6073c331a4a2b47bdcf97956d5cbad3af9bcb83d6ad33694ac3270df5c7df6ec709026e0253c49024fa20a33a453524547031df77aa fix-error-message-for-invalid-option.patch
-942dd8e0495cf13bbb679332cab6c1781560e32ade0905527fe71e5399f930edfe0c442653deb218a182b11e49599c3bd78d0fc715de45cf9aa078e6a586b9c7 handle-rsync-v3-e-option.patch"
+942dd8e0495cf13bbb679332cab6c1781560e32ade0905527fe71e5399f930edfe0c442653deb218a182b11e49599c3bd78d0fc715de45cf9aa078e6a586b9c7 handle-rsync-v3-e-option.patch
+1be9e3be58e44359e51ad16e10fa3674bf322059131a93ed44487f0fefa89130806f7851d725e20eeff5af40f5b5558ca471ab5eba932a8ce654b25845a7328e verify-scp-options.patch
+d4d8518b109c6d2d99a8c9a3a49f4df1b29e621f9826e80c599aa2c991ca9c4b6fe683d2475da7935e375e5049a8c33e8dd9019e83ed2111804bba02e03c6f48 check-command-line-after-chroot.patch
+"
diff --git a/main/rssh/check-command-line-after-chroot.patch b/main/rssh/check-command-line-after-chroot.patch
new file mode 100644
index 0000000000..8ef515d475
--- /dev/null
+++ b/main/rssh/check-command-line-after-chroot.patch
@@ -0,0 +1,30 @@
+From: Russ Allbery <rra@debian.org>
+Date: Mon, 28 Jan 2019 20:15:30 -0800
+Subject: Check command line after chroot
+
+When a command was configured with a chroot, rssh did not check
+the safety of the command line after chroot, allowing various
+vectors of remote code execution inside the chroot environment.
+Perform the same check after chroot as is performed before running
+the command when a chroot is not configured.
+---
+ rssh_chroot_helper.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rssh_chroot_helper.c b/rssh_chroot_helper.c
+index 8a35cdc..73d8c7b 100644
+--- a/rssh_chroot_helper.c
++++ b/rssh_chroot_helper.c
+@@ -218,6 +218,12 @@ int main( int argc, char **argv )
+ ch_fatal_error("build_arg_vector()", argv[2],
+ "bad expansion");
+
++ /* check the command for safety */
++ if ( !check_command_line(argvec, &opts) ){
++ fprintf(stderr, "\n");
++ exit(1);
++ }
++
+ /*
+ * This is the old way to figure out what program to run. Since we're
+ * re-parsing the config file in rssh_chroot helper, we could get rid
diff --git a/main/rssh/verify-scp-options.patch b/main/rssh/verify-scp-options.patch
new file mode 100644
index 0000000000..3b256966b8
--- /dev/null
+++ b/main/rssh/verify-scp-options.patch
@@ -0,0 +1,89 @@
+From: Russ Allbery <rra@debian.org>
+Date: Thu, 17 Jan 2019 19:21:40 -0800
+Subject: Verify scp command options
+
+ESnet discovered a security vulnerability in the scp backend for
+rssh. Since the arguments to scp on the server side were not
+checked, the client could pass in arbitrary scp command-line flags,
+including setting arbitrary scp options. This allows setting the
+option PKCS11Provider, which loads and executes code from a shared
+module.
+
+Even if the -o flag is blocked, this is still possible via -F to
+load an already-uploaded ssh configuration file, or, if .ssh/config
+is writable, by just uploading that configuration file directly
+first.
+
+Attempt to protect against this attack by checking the command line
+of scp and only allowing the options that are passed to the server
+end of the connection. Require either -f or -t be given, which
+disables scp's attempts to connect to a remote host. Allow these as
+-pf and -pt, which are sent by libssh2.
+
+Debian Bug#919623
+---
+ util.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/util.c b/util.c
+index dc8c8fb..4203eac 100644
+--- a/util.c
++++ b/util.c
+@@ -266,6 +266,43 @@ static int rsync_okay( char **vec )
+ }
+
+
++/*
++ * scp_okay() - take the command line and check that it is a hopefully-safe scp
++ * server command line, accepting only very specific options.
++ * Returns FALSE if the command line should not be allowed, TRUE
++ * if it is okay.
++ */
++static int scp_okay( char **vec )
++{
++ int saw_f_or_t = FALSE;
++
++ for ( vec++; vec && *vec; vec++ ){
++ /* Allowed options. */
++ if ( strcmp(*vec, "-v") == 0 ) continue;
++ if ( strcmp(*vec, "-r") == 0 ) continue;
++ if ( strcmp(*vec, "-p") == 0 ) continue;
++ if ( strcmp(*vec, "-d") == 0 ) continue;
++ if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-pf") == 0 ){
++ saw_f_or_t = TRUE;
++ continue;
++ }
++ if ( strcmp(*vec, "-t") == 0 || strcmp(*vec, "-pt") == 0 ){
++ saw_f_or_t = TRUE;
++ continue;
++ }
++
++ /* End of arguments. */
++ if ( strcmp(*vec, "--") == 0 ) break;
++
++ /* Any other argument is not allowed. */
++ if ( *vec[0] == '-' ) return FALSE;
++ }
++
++ /* Either -f or -t must have been given. */
++ return saw_f_or_t;
++}
++
++
+ /*
+ * check_command_line() - take the command line passed to rssh, and verify
+ * that the specified command is one the user is
+@@ -281,8 +318,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
+ return PATH_SFTP_SERVER;
+
+ if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
+- /* filter -S option */
+- if ( opt_filter(cl, 'S') ) return NULL;
++ if ( !scp_okay(cl) ){
++ fprintf(stderr, "\ninsecure scp option not allowed.");
++ log_msg("insecure scp option in scp command line");
++ return NULL;
++ }
+ return PATH_SCP;
+ }
+
diff --git a/main/rsync/APKBUILD b/main/rsync/APKBUILD
index 8e3a061f86..5529cd1199 100644
--- a/main/rsync/APKBUILD
+++ b/main/rsync/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=rsync
pkgver=3.2.3
-pkgrel=1
+pkgrel=4
pkgdesc="A file transfer program to keep remote files in sync"
url="https://rsync.samba.org/"
arch="all"
@@ -9,6 +9,7 @@ license="GPL-3.0-or-later"
makedepends="perl acl-dev attr-dev popt-dev zlib-dev zstd-dev"
subpackages="$pkgname-doc $pkgname-openrc rrsync"
source="https://download.samba.org/pub/rsync/rsync-$pkgver.tar.gz
+ Fix-regression-with---delay-updates.patch
rsyncd.initd
rsyncd.confd
rsyncd.conf
@@ -25,6 +26,9 @@ source="https://download.samba.org/pub/rsync/rsync-$pkgver.tar.gz
prepare() {
default_prepare
rm testsuite/itemize.test
+
+ # Prevent the aports version being used
+ printf '#!/bin/sh\n\necho "#define RSYNC_GITVER RSYNC_VERSION" >git-version.h\n' >mkgitver
}
build() {
@@ -74,8 +78,11 @@ rrsync() {
install -D -m 755 ./support/rrsync "$subpkgdir"/usr/bin/rrsync
}
-sha512sums="48b68491f3ef644dbbbfcaec5ab90a1028593e02d50367ce161fd9d3d0bd0a3628bc57c5e5dec4be3a1d213f784f879b8a8fcdfd789ba0f99837cba16e1ae70e rsync-3.2.3.tar.gz
+sha512sums="
+48b68491f3ef644dbbbfcaec5ab90a1028593e02d50367ce161fd9d3d0bd0a3628bc57c5e5dec4be3a1d213f784f879b8a8fcdfd789ba0f99837cba16e1ae70e rsync-3.2.3.tar.gz
+01a8560419e536c4987a6954b51d0751bce77e041f2d75157067156c0e197178e25e7a6b0ca29cca5d4474f5671ac36500079dba1ed1737cea18f1d663570321 Fix-regression-with---delay-updates.patch
b9bf1aa02f96e4294642ead5751bd529ca1267c08e83a16342fba5736c3a8ec89568feb11fb737e974cb1bee7e00e7a8898d25844892366c6167b9ea8d1e647c rsyncd.initd
d91337cfb57e6e3b2a8ba1e24f7d851dd927bfc327da2212b9eb0acda0e1ca2f24987f6dcc4903eccc3bf170e0f115172b3cfa5a172700495296f26302c834d7 rsyncd.confd
3db8a2b364fc89132af6143af90513deb6be3a78c8180d47c969e33cb5edde9db88aad27758a6911f93781e3c9846aeadc80fffc761c355d6a28358853156b62 rsyncd.conf
-b8d6c0bb467a5c963317dc55478d2c10874564cd264d943d4a42037e2fce134fe001fabc92af5c6b5775e84dc310b1c8da147afaa61c99e5663c36580d8651a5 rsyncd.logrotate"
+e7ff164926785c4eff2ea641c7ce2d270b25f1c26d93a6108bb6ff2c0207a28ebfd93dca39596243446ce41aceaeae62fc2b34084eb9c9086fcdbc03a657eed8 rsyncd.logrotate
+"
diff --git a/main/rsync/Fix-regression-with---delay-updates.patch b/main/rsync/Fix-regression-with---delay-updates.patch
new file mode 100644
index 0000000000..d914d14dec
--- /dev/null
+++ b/main/rsync/Fix-regression-with---delay-updates.patch
@@ -0,0 +1,26 @@
+From 5a4ea7e468ae53c09b98803da3519727becb48ad Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Thu, 22 Jul 2021 13:30:17 +0200
+Subject: [PATCH] Fix regression with --delay-updates (#192)
+
+Fixes regression introduced with commit 3a7bf54ad520 (A resumed
+partial-dir file is transferred in-place.)
+
+Fixes https://github.com/WayneD/rsync/issues/192
+---
+ receiver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/receiver.c b/receiver.c
+index e85c4779..b5020d07 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -881,7 +881,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+ do_unlink(partialptr);
+ handle_partial_dir(partialptr, PDIR_DELETE);
+ }
+- } else if (keep_partial && partialptr && !one_inplace) {
++ } else if (keep_partial && partialptr && (!one_inplace || delay_updates)) {
+ if (!handle_partial_dir(partialptr, PDIR_CREATE)) {
+ rprintf(FERROR,
+ "Unable to create partial-dir for %s -- discarding %s.\n",
diff --git a/main/rsync/rsyncd.logrotate b/main/rsync/rsyncd.logrotate
index 34bcf72d21..ec8a98284e 100644
--- a/main/rsync/rsyncd.logrotate
+++ b/main/rsync/rsyncd.logrotate
@@ -2,7 +2,7 @@
compress
maxage 365
rotate 7
- size=+1024k
+ size 1024k
notifempty
missingok
copytruncate
diff --git a/main/rsyslog/APKBUILD b/main/rsyslog/APKBUILD
index fc8cbc7777..209b42f3c1 100644
--- a/main/rsyslog/APKBUILD
+++ b/main/rsyslog/APKBUILD
@@ -6,7 +6,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=rsyslog
pkgver=8.2012.0
-pkgrel=0
+pkgrel=1
pkgdesc="Enhanced multi-threaded syslogd with database support and more"
url="https://www.rsyslog.com/"
arch="all !s390x" # limited by czmq
@@ -187,9 +187,11 @@ _plugin() {
done
}
-sha512sums="78a6f8499340a18b71da22788bb3323ac12f804725b2bb00e939ef6bd4cb6b803e5384a179ddee7db99bf49f2b963419fc26b1bf2d875f6aff7b58fdd4d254b2 rsyslog-8.2012.0.tar.gz
+sha512sums="
+78a6f8499340a18b71da22788bb3323ac12f804725b2bb00e939ef6bd4cb6b803e5384a179ddee7db99bf49f2b963419fc26b1bf2d875f6aff7b58fdd4d254b2 rsyslog-8.2012.0.tar.gz
bcd63c8df2ac63b80f3cb51ba7f544988df6cd875f4e81020e762dff30d7537f21b72c95a4b1c08baf15f4ed5f03defbf3f061673aabada5841f45ab9f579374 rsyslog.initd
198ad8f617b9edb93c9231118a9b3bb80b1e00e6517d2a79c393cbfef4417b8f0d08f231fb33843f8e9b09c7f9bc69dd501057ffe9eef583108af34996fee59d rsyslog.logrotate
-9702ca98b5228058e5a45565cb5d39f3ee565f7ec0612ddb93eb5e8c045f3f2fded93ea822311daf79366f0fa571cbd8a894cdfc8ce97af1d6cff2373922971f rsyslog.conf
+451b861dc82d7a2810e6c9ff8f80b2c5149cc6b440baf5901149e7b6524a1179826787a924c84403c2e9d8fa7d4df2c909e7f0877ac0cd4e6faf2e37cba7c6c1 rsyslog.conf
15745c8cdb730ae548d038ca4c04f9f48ef55c6e04949a8e86df356877563c0fcb9660445e47d3f9530925092d6dd80b2b2fc3f64a114ee85103d137327524cb musl-fix.patch
-ef2e000b1c42cb5beffb26393952c2a692791e78972ee4b6f187ca53e338122b2004cc5216381c042195f12cc58f37f186a04e12a65b5bdfdcdf76b73393efb7 queue.patch"
+ef2e000b1c42cb5beffb26393952c2a692791e78972ee4b6f187ca53e338122b2004cc5216381c042195f12cc58f37f186a04e12a65b5bdfdcdf76b73393efb7 queue.patch
+"
diff --git a/main/rsyslog/rsyslog.conf b/main/rsyslog/rsyslog.conf
index 8319b99a97..a279fdd09a 100644
--- a/main/rsyslog/rsyslog.conf
+++ b/main/rsyslog/rsyslog.conf
@@ -35,6 +35,10 @@ module(load="imuxsock")
# Reads kernel messages.
module(load="imklog")
+#### Config files ####
+
+# Include all config files in /etc/rsyslog.d/.
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
#### Rules ####
@@ -63,12 +67,6 @@ cron.* -/var/log/cron.log
#kern.* /dev/console
-#### Config files ####
-
-# Include all config files in /etc/rsyslog.d/.
-include(file="/etc/rsyslog.d/*.conf" mode="optional")
-
-
### Examples ####
# Send all logs to remote syslog via UDP.
diff --git a/main/speedtest-cli/APKBUILD b/main/speedtest-cli/APKBUILD
index ea734970e6..846db8461a 100644
--- a/main/speedtest-cli/APKBUILD
+++ b/main/speedtest-cli/APKBUILD
@@ -1,15 +1,14 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=speedtest-cli
-pkgver=2.1.2
-pkgrel=3
+pkgver=2.1.3
+pkgrel=0
pkgdesc="Command line interface for testing internet bandwidth using speedtest.net"
url="https://github.com/sivel/speedtest-cli"
arch="noarch"
license="Apache-2.0"
depends="python3 py3-setuptools"
-source="$pkgname-$pkgver.tar.gz::https://github.com/sivel/speedtest-cli/archive/v$pkgver.tar.gz
- invalid_literal_fix.patch"
+source="$pkgname-$pkgver.tar.gz::https://github.com/sivel/speedtest-cli/archive/v$pkgver.tar.gz"
build() {
python3 setup.py build
@@ -23,5 +22,6 @@ package() {
python3 setup.py install --prefix=/usr --root="$pkgdir"
}
-sha512sums="f2eb125116f42075d3248e1c0590cce4f822f383ff7c54c158504b16de72bf35b35d55a78014413a95a5f5bafa98c71c3ea011f20f480f1db272d6e8800c40bd speedtest-cli-2.1.2.tar.gz
-924a1931b4b61723ed0b41e694ec663cf5f721cc624f6e1c17386dc4c3347aef178651de4127b5e919eba37ee70c766c741a448211fe1f410705ae137b190e7c invalid_literal_fix.patch"
+sha512sums="
+e2ecd9b4eea95e3641045c3da217ec5a39846b26c1f773fdd31c6ffe3cb5e35341320fc1992f865af48afd1a704c4d4224f9ec4048abb69131ee2f32385ae94c speedtest-cli-2.1.3.tar.gz
+"
diff --git a/main/speedtest-cli/invalid_literal_fix.patch b/main/speedtest-cli/invalid_literal_fix.patch
deleted file mode 100644
index 927e418213..0000000000
--- a/main/speedtest-cli/invalid_literal_fix.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/speedtest.py b/speedtest.py
-index 92a2be0b93..23d8ddbe4e 100755
---- a/speedtest.py
-+++ b/speedtest.py
-@@ -1171,7 +1171,7 @@ class Speedtest(object):
- client = get_attributes_by_tag_name(root, 'client')
-
- ignore_servers = list(
-- map(int, server_config['ignoreids'].split(','))
-+ map(int, server_config['ignoreids'].split(',') if len(server_config['ignoreids']) else [])
- )
-
- ratio = int(upload['ratio'])
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 8bea1a928a..ec58faffd7 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.14.3
-pkgrel=0
+pkgrel=1
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -28,9 +28,12 @@ makedepends="
subpackages="$pkgname-static $pkgname-dev $pkgname-server"
source="https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2
failing-tests.patch
+ CVE-2021-20201.patch
"
# secfixes:
+# 0.14.3-r1:
+# - CVE-2021-20201
# 0.14.1-r4:
# - CVE-2019-3813
# 0.14.1-r0:
@@ -66,5 +69,8 @@ server() {
mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 spice-0.14.3.tar.bz2
-10104feb05ce9d70074cad58efb9772cc8521666ea1c694bedf5c3ecfaa15a755324ac989b94d3be61e69be4286ab8369b900452fe98864596dcbc45d4a896b5 failing-tests.patch"
+sha512sums="
+9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 spice-0.14.3.tar.bz2
+10104feb05ce9d70074cad58efb9772cc8521666ea1c694bedf5c3ecfaa15a755324ac989b94d3be61e69be4286ab8369b900452fe98864596dcbc45d4a896b5 failing-tests.patch
+f7584c07c2c521c1454d1a7bc49aba4fd17553b96ce5107114e9bb02d58439cabd1471dd6e6e639a3f783255efecbd1a17cd543672a8021c9d59f68acb4fcbb7 CVE-2021-20201.patch
+"
diff --git a/main/spice/CVE-2021-20201.patch b/main/spice/CVE-2021-20201.patch
new file mode 100644
index 0000000000..9c633c89e2
--- /dev/null
+++ b/main/spice/CVE-2021-20201.patch
@@ -0,0 +1,36 @@
+From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
+Date: Wed, 2 Dec 2020 13:39:27 +0100
+Subject: [PATCH] With OpenSSL 1.1: Disable client-initiated renegotiation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes issue #49
+Fixes BZ#1904459
+
+Signed-off-by: Julien Ropé <jrope@redhat.com>
+Reported-by: BlackKD
+Acked-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/reds.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index fe69508e..f61086cb 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2753,6 +2753,10 @@ static int reds_init_ssl(RedsState *reds)
+ * When some other SSL/TLS version becomes obsolete, add it to this
+ * variable. */
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_RENEGOTIATION
++ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
++ ssl_options |= SSL_OP_NO_RENEGOTIATION;
++#endif
+
+ /* Global system initialization*/
+ openssl_global_init();
+--
+GitLab
+
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index 5f499843cd..7f81264951 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
-pkgver=5.0.5
+pkgver=5.0.6
pkgrel=0
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
@@ -25,9 +25,16 @@ source="http://www.squid-cache.org/Versions/v${pkgver%%.*}/squid-$pkgver.tar.xz
"
pkgusers="squid"
pkggroups="squid"
-options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox
# secfixes:
+# 5.0.6-r0:
+# - CVE-2021-28651
+# - CVE-2021-28652
+# - CVE-2021-28662
+# - CVE-2021-31806
+# - CVE-2021-31807
+# - CVE-2021-31808
+# - GHSA-572g-rvwr-6c7f
# 5.0.5-r0:
# - CVE-2020-25097
# 4.13.0-r0:
@@ -113,7 +120,7 @@ squid_kerb_auth() {
install -d "$subpkgdir"/usr/lib/squid
mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
}
-sha512sums="e0f816296d9d32fc97b98249dde077b321651dac70c212fe8eb9566003ce04f13a83665e387531e06bffbab1ec21277e3e0549a16caee426b6a749e18bf77991 squid-5.0.5.tar.xz
+sha512sums="97300844145ea5488a88a531fc0fbbf3c96051169eb20f8b95ba9a4c37f73edfbbedb69ee446e81f45b663e5c7c9a82e2978239c2613da7e5da2365fdaeceb6e squid-5.0.6.tar.xz
8320820c02c824ed96065e0b66cabdd80b11c23e911880a42f5bd7e3f6e7a5c1c6def910a1843cca810c62a7dc8ccdb9ae82c0cf52bf08259c3b50058232132d squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/unzip/APKBUILD b/main/unzip/APKBUILD
index 2fad42a7b4..4728573ff2 100644
--- a/main/unzip/APKBUILD
+++ b/main/unzip/APKBUILD
@@ -3,7 +3,7 @@
pkgname=unzip
pkgver=6.0
_pkgver=${pkgver//./}
-pkgrel=8
+pkgrel=9
pkgdesc="Extract PKZIP-compatible .zip files"
url="http://www.info-zip.org/UnZip.html"
arch="all"
@@ -23,10 +23,13 @@ source="https://dev.alpinelinux.org/archive/unzip/unzip$_pkgver.tgz
CVE-2018-1000035.patch
fix-CVE-2014-8139.patch
CVE-2019-13232.patch
+ CVE-2018-18384.patch
"
builddir="$srcdir/$pkgname$_pkgver"
# secfixes:
+# 6.0-r9:
+# - CVE-2018-18384
# 6.0-r7:
# - CVE-2019-13232
# 6.0-r3:
@@ -56,7 +59,8 @@ package() {
"$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
-sha512sums="0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d unzip60.tgz
+sha512sums="
+0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d unzip60.tgz
9d2914f22fb0075a2b6f72825c235f46eafd8d47b6fb6fcc8303fc69336e256b15923c002d2615bb6af733344c2315e4a8504d77bae301e10c11d4736faa2c81 10-unzip-handle-pkware-verify.patch
57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af 20-unzip-uidgid-fix.patch
b0b745cff474756447e699a13ff003871b33a4f7a24a91150e5a947eba5132fd90fbacf7580379fc13c5f638483b25cbc226f85b9cac9c7662b2f91927eb2bb3 unzip-6.0-heap-overflow-infloop.patch
@@ -67,4 +71,6 @@ b0b745cff474756447e699a13ff003871b33a4f7a24a91150e5a947eba5132fd90fbacf7580379fc
8c4a4313072ff0d87eadb0f5472eb48f2802b835dd282305811a96de87a41fed48be60fbdd434e6b6359418f0559f7793deaa1d68161a0c0ead9f8574bb9f14c CVE-2016-9844.patch
6f757385a23fe6a034f676df6bf233243afa8743761e3d715e532d066fcd7dc8f8dcd6192be693258f3855837e5534490784378768abe7ce710fb869258d49b7 CVE-2018-1000035.patch
13f9c54fcdde478c4afe391c8e7ef9c31b03228aaace5da38382612951cbfd60710fd3d931569297953be32b2c5906715aed4b1c05e28cc8fccbb27f38b57550 fix-CVE-2014-8139.patch
-d11758bda3b022f1adb4031bfbc770c6391e3470f3126ec5a4d3d2800d5452245eee26256f539d60adee33f01ba8ba8345299736cd9568da1242f6f739e4a598 CVE-2019-13232.patch"
+d11758bda3b022f1adb4031bfbc770c6391e3470f3126ec5a4d3d2800d5452245eee26256f539d60adee33f01ba8ba8345299736cd9568da1242f6f739e4a598 CVE-2019-13232.patch
+1edd66fbca3cfbfad7b19db0b1564b93f13b27b10ff157cf9907228184b56f1f4c87c2dd2a09afc1307ee86622f3aaeea46f8336c249249c8452304cf4d25272 CVE-2018-18384.patch
+"
diff --git a/main/unzip/CVE-2018-18384.patch b/main/unzip/CVE-2018-18384.patch
new file mode 100644
index 0000000000..ad28f8c499
--- /dev/null
+++ b/main/unzip/CVE-2018-18384.patch
@@ -0,0 +1,13 @@
+diff --git a/list.c b/list.c
+index f7359c3..4c3d703 100644
+--- a/list.c
++++ b/list.c
+@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type error code */
+ {
+ int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+- char sgn, cfactorstr[10];
++ char sgn, cfactorstr[13];
+ int longhdr=(uO.vflag>1);
+ #endif
+ int date_format;
diff --git a/main/varnish/APKBUILD b/main/varnish/APKBUILD
index f402c509ed..47030bdb32 100644
--- a/main/varnish/APKBUILD
+++ b/main/varnish/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: V.Krishn <vkrishn4@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=varnish
-pkgver=6.5.1
+pkgver=6.5.2
pkgrel=0
pkgdesc="High-performance HTTP accelerator"
url="https://www.varnish-cache.org/"
@@ -31,6 +31,8 @@ source="https://varnish-cache.org/_downloads/varnish-$pkgver.tgz
# secfixes:
+# 6.5.2-r0:
+# - CVE-2021-36740
# 6.2.1-r0:
# - CVE-2019-15892
# 5.2.1-r0:
@@ -95,7 +97,8 @@ geoip() {
"$subpkgdir"/usr/lib/varnish/plugins/maxminddb.vcl
}
-sha512sums="0f34f2c6fe68bfcdba488cda40cc387b3c10343923a75a6a1791c890d20e79c64069697c45720cd5f0cba666d506d3ab6bb814ef4f9120cf0c8519a01144844f varnish-6.5.1.tgz
+sha512sums="
+31673eaa95e5d3413cd3a4a6fb324c1f0ad2efb22b75409fc0e02c61446787eb167bd530ee5b0a199da4fc76cc36f3603984d86781f856cc6a4aac48260fe4ef varnish-6.5.2.tgz
2123668169b055f2d88f9b5b8e0877ca8b3cbfcd61e03d91fd7d0513b3267e4ef01a4d858cc6a3298cca0a49aaea2f92ff4fd9c0baf52a6c67b452a53f7e54d0 musl-include-vpf.patch
c51c8964880990c2b01807b2a38d886b146736a918bda9ea2e032c50085bf6745cab3cccb4ee4c561ab936a8b7cfb278cfcb758543ea6c605c15b8973c9f10ce musl-include-vsb.patch
5ac7867e85cbd721f903c524ed4b524423d9dada4acfeefb0e543214a208828df5cc4efe2f012991bea6b38c2b223c24b17d3890ec4ed2c57d2b441b8e5a6900 varnishd.initd
@@ -105,4 +108,5 @@ c67a7898f40849989edcbe74e1a418e196f48e178ca30126bc13db226e4f4c2c2ba74d9d0650ef68
e0b7d67bbd710f0a17b77837c581f128e6b746eff2b12e81d03d1ad040037e95bb00fb8007d89bc6dab18cfa659456078f310ac268f104774ef85ad068efecca varnishncsa.initd
a5426ff66b89d2afb6273f05e4117b3eec5ce0162a624d52c92b418960f72e58bd01224165613221af76ec241bd98e1eb985b2ef7b83a5b615e9ece67234dcc8 varnishncsa.confd
51cc6d46ff7439de93977ab87dfb0af399458c1e446475696f73342ae7a0c1a8ca8fc6e79e593659f1af30716a5f8a1ee5e3b1f5e7b35df40b45d47e7b0f2ffd varnishd.logrotate
-69f088819cff6d4441813be284f4117f232d08908515bd15d96bd5bb9d41ba7100657a52fd408d44c396d004366062ae22fbf08e2a983cd8023b554539ccf596 maxminddb.vcl"
+69f088819cff6d4441813be284f4117f232d08908515bd15d96bd5bb9d41ba7100657a52fd408d44c396d004366062ae22fbf08e2a983cd8023b554539ccf596 maxminddb.vcl
+"
diff --git a/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch b/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch
new file mode 100644
index 0000000000..a5289a821a
--- /dev/null
+++ b/main/xen/0001-xen-arm-Create-dom0less-domUs-earlier.patch
@@ -0,0 +1,83 @@
+From f98c20aaaf909be04ada5cb6cb88c14b9bc75e15 Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Mon, 17 May 2021 17:47:13 +0100
+Subject: [PATCH 1/2] xen/arm: Create dom0less domUs earlier
+
+In a follow-up patch we will need to unallocate the boot modules
+before heap_init_late() is called.
+
+The modules will contain the domUs kernel and initramfs. Therefore Xen
+will need to create extra domUs (used by dom0less) before heap_init_late().
+
+This has two consequences on dom0less:
+ 1) Domains will not be unpaused as soon as they are created but
+ once all have been created. However, Xen doesn't guarantee an order
+ to unpause, so this is not something one could rely on.
+
+ 2) The memory allocated for a domU will not be scrubbed anymore when an
+ admin select bootscrub=on. This is not something we advertised, but if
+ this is a concern we can introduce either force scrub for all domUs or
+ a per-domain flag in the DT. The behavior for bootscrub=off and
+ bootscrub=idle (default) has not changed.
+
+This is part of XSA-372 / CVE-2021-28693.
+
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Tested-by: Stefano Stabellini <sstabellini@kernel.org>
+---
+ xen/arch/arm/domain_build.c | 2 --
+ xen/arch/arm/setup.c | 9 +++++----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
+index e824ba34b012..b07461f5d376 100644
+--- a/xen/arch/arm/domain_build.c
++++ b/xen/arch/arm/domain_build.c
+@@ -2515,8 +2515,6 @@ void __init create_domUs(void)
+
+ if ( construct_domU(d, node) != 0 )
+ panic("Could not set up domain %s\n", dt_node_name(node));
+-
+- domain_unpause_by_systemcontroller(d);
+ }
+ }
+
+diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
+index 7968cee47d05..1f26080b30bf 100644
+--- a/xen/arch/arm/setup.c
++++ b/xen/arch/arm/setup.c
+@@ -779,7 +779,7 @@ void __init start_xen(unsigned long boot_phys_offset,
+ int cpus, i;
+ const char *cmdline;
+ struct bootmodule *xen_bootmodule;
+- struct domain *dom0;
++ struct domain *dom0, *d;
+ struct xen_domctl_createdomain dom0_cfg = {
+ .flags = XEN_DOMCTL_CDF_hvm | XEN_DOMCTL_CDF_hap,
+ .max_evtchn_port = -1,
+@@ -962,6 +962,8 @@ void __init start_xen(unsigned long boot_phys_offset,
+ if ( construct_dom0(dom0) != 0)
+ panic("Could not set up DOM0 guest OS\n");
+
++ create_domUs();
++
+ heap_init_late();
+
+ init_trace_bufs();
+@@ -975,9 +977,8 @@ void __init start_xen(unsigned long boot_phys_offset,
+
+ system_state = SYS_STATE_active;
+
+- create_domUs();
+-
+- domain_unpause_by_systemcontroller(dom0);
++ for_each_domain( d )
++ domain_unpause_by_systemcontroller(d);
+
+ /* Switch on to the dynamically allocated stack for the idle vcpu
+ * since the static one we're running on is about to be freed. */
+--
+2.17.1
+
diff --git a/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch b/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
new file mode 100644
index 0000000000..3ed62f360e
--- /dev/null
+++ b/main/xen/0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
@@ -0,0 +1,58 @@
+From e7e475c1a3dc6b149252413589eebaa4ae138824 Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Sat, 17 Apr 2021 17:38:28 +0100
+Subject: [PATCH 2/2] xen/arm: Boot modules should always be scrubbed if
+ bootscrub={on, idle}
+
+The function to initialize the pages (see init_heap_pages()) will request
+scrub when the admin request idle bootscrub (default) and state ==
+SYS_STATE_active. When bootscrub=on, Xen will scrub any free pages in
+heap_init_late().
+
+Currently, the boot modules (e.g. kernels, initramfs) will be discarded/
+freed after heap_init_late() is called and system_state switched to
+SYS_STATE_active. This means the pages associated with the boot modules
+will not get scrubbed before getting re-purposed.
+
+If the memory is assigned to an untrusted domU, it may be able to
+retrieve secrets from the modules.
+
+This is part of XSA-372 / CVE-2021-28693.
+
+Fixes: 1774e9b1df27 ("xen/arm: introduce create_domUs")
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Tested-by: Stefano Stabellini <sstabellini@kernel.org>
+---
+ xen/arch/arm/setup.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
+index 1f26080b30bf..34b1c1a11ef6 100644
+--- a/xen/arch/arm/setup.c
++++ b/xen/arch/arm/setup.c
+@@ -75,7 +75,6 @@ static __used void init_done(void)
+ /* Must be done past setting system_state. */
+ unregister_init_virtual_region();
+
+- discard_initial_modules();
+ free_init_memory();
+ startup_cpu_idle_loop();
+ }
+@@ -964,6 +963,12 @@ void __init start_xen(unsigned long boot_phys_offset,
+
+ create_domUs();
+
++ /*
++ * This needs to be called **before** heap_init_late() so modules
++ * will be scrubbed (unless suppressed).
++ */
++ discard_initial_modules();
++
+ heap_init_late();
+
+ init_trace_bufs();
+--
+2.17.1
+
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 179569c004..220bc2c4a4 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xen
pkgver=4.14.1
-pkgrel=2
+pkgrel=3
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -18,6 +18,9 @@ options="!strip"
# Follow security issues on: https://xenbits.xen.org/xsa/
# secfixes:
+# 0:
+# - CVE-2020-29568
+# - CVE-2020-29569
# 4.7.0-r0:
# - CVE-2016-6258 XSA-182
# - CVE-2016-6259 XSA-183
@@ -122,7 +125,7 @@ options="!strip"
# - CVE-2018-10981 XSA-262
# 4.11.0-r0:
# - CVE-2018-3639 XSA-263
-# - CVE-2018-128911 XSA-264
+# - CVE-2018-12891 XSA-264
# - CVE-2018-12893 XSA-265
# - CVE-2018-12892 XSA-266
# - CVE-2018-3665 XSA-267
@@ -214,6 +217,11 @@ options="!strip"
# - CVE-2021-3308 XSA-360
# 4.14.1-r2:
# - CVE-2021-26933 XSA-364
+# 4.14.1-r3:
+# - CVE-2021-28693 XSA-372
+# - CVE-2021-28692 XSA-373
+# - CVE-2021-0089 XSA-375
+# - CVE-2021-28690 XSA-377
case "$CARCH" in
@@ -275,6 +283,19 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
xsa360-4.14.patch
xsa364.patch
+ 0001-xen-arm-Create-dom0less-domUs-earlier.patch
+ 0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
+
+ xsa373-4.14-1.patch
+ xsa373-4.14-2.patch
+ xsa373-4.14-3.patch
+ xsa373-4.14-4.patch
+ xsa373-4.14-5.patch
+
+ xsa375.patch
+
+ xsa377.patch
+
qemu-xen-time64.patch
gcc10-etherboot-enum.patch
@@ -501,7 +522,8 @@ EOF
}
-sha512sums="c75cbec82793435f5a7026626ffdb2e9a2166b42d2be4b2f1194240e0312458124f0ebd53eeb02ce7330c22afe402a28a96b32f8af66e41e9416fe94535724c9 xen-4.14.1.tar.gz
+sha512sums="
+c75cbec82793435f5a7026626ffdb2e9a2166b42d2be4b2f1194240e0312458124f0ebd53eeb02ce7330c22afe402a28a96b32f8af66e41e9416fe94535724c9 xen-4.14.1.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -521,6 +543,15 @@ f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
f39ae56876f61ed224073985dda83037e75e6f2ab0cd0b0f920186812c6d1e6ec52494b3fd0f25cd9d6606d85061a6555cb952719d084cf8e256ef93080b75f9 xsa360-4.14.patch
aea8b37ae5c772c4928f8b644dadc59891e7d0e0d50461c66ca106b391fd984e2b8def089d01954f88675ddc93c114d4d27c0ccb7384ff9a1807f081f33805e5 xsa364.patch
+57bae240ac94fd35e8a2a39a06fdc4178a1cf0782832a77fd768ca3c773d8b27d76692703ac481733874e5a0198ef20d7319ea504c6b7836d4edd0a198adede1 0001-xen-arm-Create-dom0less-domUs-earlier.patch
+2b47e612c23c8bb65a2432f93a877f592b75b8de2ae97d5a22ed37588594a38b740f5c3e0694dd7ceff5f949e24ff38113e543038d5ae22e8c1dc142c3e8d1b3 0002-xen-arm-Boot-modules-should-always-be-scrubbed-if-bo.patch
+7010225962e7c22d6aa2e14d10e5091b3876a76f195e9725e7f175b108f933ea9ad5a080663d27279ccd20e2d4e344620ec414e17437d971a8f3cb9420520696 xsa373-4.14-1.patch
+7db22cb16dea81dc393a01e1bd911847457e23c6ba6bfe4ac0d26a66d1f879bdf66c9a28af82d159e395c6547ca29e7ebbed21ea0967d4a5594502e8f9c5410b xsa373-4.14-2.patch
+b3008572e75025cbe00e5a22451394af84f29eea8914ce1ddf7d5379fe76f6362f79f2e8f908060b227debc61e712ba92b1fa2815b683cc47efe1065c700cd6c xsa373-4.14-3.patch
+a7ff44901cdadbb455f845489b5cf82bfcd4e0bdc079ba928310a72a863372c7998174e26174daa6f490e7599843eb6414a029524d7a706d41c38c0809f367bd xsa373-4.14-4.patch
+d43f6a0b15fbc653c1e5634a9910f779de05646197d7ddc5ebbb94b9e6c9f33c985c76a9b0be1103e7658d552f408698dde70072e2b91a995bd558b16bb43611 xsa373-4.14-5.patch
+59f706d2ce623d59ba0e3edc3081d14bd466fa2401ac1666fca33568022a159501aa972a2c556d8558c2701294a2f153ee0b7b487167ede49f8652bacf69b32d xsa375.patch
+9c104793facd9d595a1cbca21034d700e7e25398cad1440131258a349cd60d6145e5847e9c4bd066a5d63a63aceb8995456126a51b6d3ca872cd90717ebc2dbe xsa377.patch
231b5d0abf6420722534bf48b4f263bdf70dd258f5f34b344f230b4e166edb3ebaf769592f40653ea5836b4431ef951ebcf1995f09e2beb4a591edd3b024a652 qemu-xen-time64.patch
e72ae17cb80c78412996845b996e442cdc21ee4b840c8b7ebacca101619b3d47104bf6b6330520aecf0d7ccf2699826b4f2a649c729b21d5ac81b37f7fc505fc gcc10-etherboot-enum.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
@@ -534,4 +565,5 @@ bdbe15c924071cdc2d0f23e53ba8e3f837d4b5369bfb218abd3405f9bef25d105269aaf0784baeb6
8475119369409efb8ad930c7735cd3d782191d18fab4fc322a51120c395162ff88e381182876036d1078afd30079dbf3f94a3568689e9b52ba235adead4b97d3 xenqemu.initd
85afec835a374aac3d307b3226eee7a08a676b1daac7e39bb7463d564ef72438dc27dd188a871cfd031e80c6992b756951f26bdca0d445e07eab6dba5245de46 xendriverdomain.initd
a46337bebce24337f00adbe08095b9f5128c1f440e2033329e5ace9fd817a31fb772d75c0ecc7cc06f34b1522ebf8b21874ee4d0881a0f29851b1c1235f29cf3 xen-pci.initd
-2db5fa6edeeb028236460029b976a849f22b3a15d3929acc3911dc41f365b471c2b815eb111639bc230a69528b1571f3c2e9e8e1e81a6679e55387e39355aa99 xen-pci.confd"
+2db5fa6edeeb028236460029b976a849f22b3a15d3929acc3911dc41f365b471c2b815eb111639bc230a69528b1571f3c2e9e8e1e81a6679e55387e39355aa99 xen-pci.confd
+"
diff --git a/main/xen/xsa373-4.14-1.patch b/main/xen/xsa373-4.14-1.patch
new file mode 100644
index 0000000000..ee5229a11c
--- /dev/null
+++ b/main/xen/xsa373-4.14-1.patch
@@ -0,0 +1,120 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: VT-d: size qinval queue dynamically
+
+With the present synchronous model, we need two slots for every
+operation (the operation itself and a wait descriptor). There can be
+one such pair of requests pending per CPU. To ensure that under all
+normal circumstances a slot is always available when one is requested,
+size the queue ring according to the number of present CPUs.
+
+This is part of XSA-373 / CVE-2021-28692.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul@xen.org>
+
+--- a/xen/drivers/passthrough/vtd/iommu.h
++++ b/xen/drivers/passthrough/vtd/iommu.h
+@@ -450,17 +450,9 @@ struct qinval_entry {
+ }q;
+ };
+
+-/* Order of queue invalidation pages(max is 8) */
+-#define QINVAL_PAGE_ORDER 2
+-
+-#define QINVAL_ARCH_PAGE_ORDER (QINVAL_PAGE_ORDER + PAGE_SHIFT_4K - PAGE_SHIFT)
+-#define QINVAL_ARCH_PAGE_NR ( QINVAL_ARCH_PAGE_ORDER < 0 ? \
+- 1 : \
+- 1 << QINVAL_ARCH_PAGE_ORDER )
+-
+ /* Each entry is 16 bytes, so 2^8 entries per page */
+ #define QINVAL_ENTRY_ORDER ( PAGE_SHIFT - 4 )
+-#define QINVAL_ENTRY_NR (1 << (QINVAL_PAGE_ORDER + 8))
++#define QINVAL_MAX_ENTRY_NR (1u << (7 + QINVAL_ENTRY_ORDER))
+
+ /* Status data flag */
+ #define QINVAL_STAT_INIT 0
+--- a/xen/drivers/passthrough/vtd/qinval.c
++++ b/xen/drivers/passthrough/vtd/qinval.c
+@@ -31,6 +31,9 @@
+
+ #define VTD_QI_TIMEOUT 1
+
++static unsigned int __read_mostly qi_pg_order;
++static unsigned int __read_mostly qi_entry_nr;
++
+ static int __must_check invalidate_sync(struct vtd_iommu *iommu);
+
+ static void print_qi_regs(struct vtd_iommu *iommu)
+@@ -55,7 +58,7 @@ static unsigned int qinval_next_index(st
+ tail >>= QINVAL_INDEX_SHIFT;
+
+ /* (tail+1 == head) indicates a full queue, wait for HW */
+- while ( ( tail + 1 ) % QINVAL_ENTRY_NR ==
++ while ( ((tail + 1) & (qi_entry_nr - 1)) ==
+ ( dmar_readq(iommu->reg, DMAR_IQH_REG) >> QINVAL_INDEX_SHIFT ) )
+ cpu_relax();
+
+@@ -68,7 +71,7 @@ static void qinval_update_qtail(struct v
+
+ /* Need hold register lock when update tail */
+ ASSERT( spin_is_locked(&iommu->register_lock) );
+- val = (index + 1) % QINVAL_ENTRY_NR;
++ val = (index + 1) & (qi_entry_nr - 1);
+ dmar_writeq(iommu->reg, DMAR_IQT_REG, (val << QINVAL_INDEX_SHIFT));
+ }
+
+@@ -403,8 +406,28 @@ int enable_qinval(struct vtd_iommu *iomm
+
+ if ( iommu->qinval_maddr == 0 )
+ {
+- iommu->qinval_maddr = alloc_pgtable_maddr(QINVAL_ARCH_PAGE_NR,
+- iommu->node);
++ if ( !qi_entry_nr )
++ {
++ /*
++ * With the present synchronous model, we need two slots for every
++ * operation (the operation itself and a wait descriptor). There
++ * can be one such pair of requests pending per CPU. One extra
++ * entry is needed as the ring is considered full when there's
++ * only one entry left.
++ */
++ BUILD_BUG_ON(CONFIG_NR_CPUS * 2 >= QINVAL_MAX_ENTRY_NR);
++ qi_pg_order = get_order_from_bytes((num_present_cpus() * 2 + 1) <<
++ (PAGE_SHIFT -
++ QINVAL_ENTRY_ORDER));
++ qi_entry_nr = 1u << (qi_pg_order + QINVAL_ENTRY_ORDER);
++
++ dprintk(XENLOG_INFO VTDPREFIX,
++ "QI: using %u-entry ring(s)\n", qi_entry_nr);
++ }
++
++ iommu->qinval_maddr =
++ alloc_pgtable_maddr(qi_entry_nr >> QINVAL_ENTRY_ORDER,
++ iommu->node);
+ if ( iommu->qinval_maddr == 0 )
+ {
+ dprintk(XENLOG_WARNING VTDPREFIX,
+@@ -418,15 +441,16 @@ int enable_qinval(struct vtd_iommu *iomm
+
+ spin_lock_irqsave(&iommu->register_lock, flags);
+
+- /* Setup Invalidation Queue Address(IQA) register with the
+- * address of the page we just allocated. QS field at
+- * bits[2:0] to indicate size of queue is one 4KB page.
+- * That's 256 entries. Queued Head (IQH) and Queue Tail (IQT)
+- * registers are automatically reset to 0 with write
+- * to IQA register.
++ /*
++ * Setup Invalidation Queue Address (IQA) register with the address of the
++ * pages we just allocated. The QS field at bits[2:0] indicates the size
++ * (page order) of the queue.
++ *
++ * Queued Head (IQH) and Queue Tail (IQT) registers are automatically
++ * reset to 0 with write to IQA register.
+ */
+ dmar_writeq(iommu->reg, DMAR_IQA_REG,
+- iommu->qinval_maddr | QINVAL_PAGE_ORDER);
++ iommu->qinval_maddr | qi_pg_order);
+
+ dmar_writeq(iommu->reg, DMAR_IQT_REG, 0);
+
diff --git a/main/xen/xsa373-4.14-2.patch b/main/xen/xsa373-4.14-2.patch
new file mode 100644
index 0000000000..773cbfd555
--- /dev/null
+++ b/main/xen/xsa373-4.14-2.patch
@@ -0,0 +1,102 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: AMD/IOMMU: size command buffer dynamically
+
+With the present synchronous model, we need two slots for every
+operation (the operation itself and a wait command). There can be one
+such pair of commands pending per CPU. To ensure that under all normal
+circumstances a slot is always available when one is requested, size the
+command ring according to the number of present CPUs.
+
+This is part of XSA-373 / CVE-2021-28692.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul@xen.org>
+
+--- a/xen/drivers/passthrough/amd/iommu-defs.h
++++ b/xen/drivers/passthrough/amd/iommu-defs.h
+@@ -20,9 +20,6 @@
+ #ifndef AMD_IOMMU_DEFS_H
+ #define AMD_IOMMU_DEFS_H
+
+-/* IOMMU Command Buffer entries: in power of 2 increments, minimum of 256 */
+-#define IOMMU_CMD_BUFFER_DEFAULT_ENTRIES 512
+-
+ /* IOMMU Event Log entries: in power of 2 increments, minimum of 256 */
+ #define IOMMU_EVENT_LOG_DEFAULT_ENTRIES 512
+
+@@ -164,8 +161,8 @@ struct amd_iommu_dte {
+ #define IOMMU_CMD_BUFFER_LENGTH_MASK 0x0F000000
+ #define IOMMU_CMD_BUFFER_LENGTH_SHIFT 24
+
+-#define IOMMU_CMD_BUFFER_ENTRY_SIZE 16
+-#define IOMMU_CMD_BUFFER_POWER_OF2_ENTRIES_PER_PAGE 8
++#define IOMMU_CMD_BUFFER_ENTRY_ORDER 4
++#define IOMMU_CMD_BUFFER_MAX_ENTRIES (1u << 15)
+
+ #define IOMMU_CMD_OPCODE_MASK 0xF0000000
+ #define IOMMU_CMD_OPCODE_SHIFT 28
+--- a/xen/drivers/passthrough/amd/iommu_cmd.c
++++ b/xen/drivers/passthrough/amd/iommu_cmd.c
+@@ -24,7 +24,7 @@ static int queue_iommu_command(struct am
+ {
+ uint32_t tail, head;
+
+- tail = iommu->cmd_buffer.tail + IOMMU_CMD_BUFFER_ENTRY_SIZE;
++ tail = iommu->cmd_buffer.tail + sizeof(cmd_entry_t);
+ if ( tail == iommu->cmd_buffer.size )
+ tail = 0;
+
+@@ -33,7 +33,7 @@ static int queue_iommu_command(struct am
+ if ( head != tail )
+ {
+ memcpy(iommu->cmd_buffer.buffer + iommu->cmd_buffer.tail,
+- cmd, IOMMU_CMD_BUFFER_ENTRY_SIZE);
++ cmd, sizeof(cmd_entry_t));
+
+ iommu->cmd_buffer.tail = tail;
+ return 1;
+--- a/xen/drivers/passthrough/amd/iommu_init.c
++++ b/xen/drivers/passthrough/amd/iommu_init.c
+@@ -118,7 +118,7 @@ static void register_iommu_cmd_buffer_in
+ writel(entry, iommu->mmio_base + IOMMU_CMD_BUFFER_BASE_LOW_OFFSET);
+
+ power_of2_entries = get_order_from_bytes(iommu->cmd_buffer.size) +
+- IOMMU_CMD_BUFFER_POWER_OF2_ENTRIES_PER_PAGE;
++ PAGE_SHIFT - IOMMU_CMD_BUFFER_ENTRY_ORDER;
+
+ entry = 0;
+ iommu_set_addr_hi_to_reg(&entry, addr_hi);
+@@ -1022,9 +1022,31 @@ static void *__init allocate_ring_buffer
+ static void * __init allocate_cmd_buffer(struct amd_iommu *iommu)
+ {
+ /* allocate 'command buffer' in power of 2 increments of 4K */
++ static unsigned int __read_mostly nr_ents;
++
++ if ( !nr_ents )
++ {
++ unsigned int order;
++
++ /*
++ * With the present synchronous model, we need two slots for every
++ * operation (the operation itself and a wait command). There can be
++ * one such pair of requests pending per CPU. One extra entry is
++ * needed as the ring is considered full when there's only one entry
++ * left.
++ */
++ BUILD_BUG_ON(CONFIG_NR_CPUS * 2 >= IOMMU_CMD_BUFFER_MAX_ENTRIES);
++ order = get_order_from_bytes((num_present_cpus() * 2 + 1) <<
++ IOMMU_CMD_BUFFER_ENTRY_ORDER);
++ nr_ents = 1u << (order + PAGE_SHIFT - IOMMU_CMD_BUFFER_ENTRY_ORDER);
++
++ AMD_IOMMU_DEBUG("using %u-entry cmd ring(s)\n", nr_ents);
++ }
++
++ BUILD_BUG_ON(sizeof(cmd_entry_t) != (1u << IOMMU_CMD_BUFFER_ENTRY_ORDER));
++
+ return allocate_ring_buffer(&iommu->cmd_buffer, sizeof(cmd_entry_t),
+- IOMMU_CMD_BUFFER_DEFAULT_ENTRIES,
+- "Command Buffer", false);
++ nr_ents, "Command Buffer", false);
+ }
+
+ static void * __init allocate_event_log(struct amd_iommu *iommu)
diff --git a/main/xen/xsa373-4.14-3.patch b/main/xen/xsa373-4.14-3.patch
new file mode 100644
index 0000000000..fe345466fd
--- /dev/null
+++ b/main/xen/xsa373-4.14-3.patch
@@ -0,0 +1,163 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: VT-d: eliminate flush related timeouts
+
+Leaving an in-progress operation pending when it appears to take too
+long is problematic: If e.g. a QI command completed later, the write to
+the "poll slot" may instead be understood to signal a subsequently
+started command's completion. Also our accounting of the timeout period
+was actually wrong: We included the time it took for the command to
+actually make it to the front of the queue, which could be heavily
+affected by guests other than the one for which the flush is being
+performed.
+
+Do away with all timeout detection on all flush related code paths.
+Log excessively long processing times (with a progressive threshold) to
+have some indication of problems in this area.
+
+Additionally log (once) if qinval_next_index() didn't immediately find
+an available slot. Together with the earlier change sizing the queue(s)
+dynamically, we should now have a guarantee that with our fully
+synchronous model any demand for slots can actually be satisfied.
+
+This is part of XSA-373 / CVE-2021-28692.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul@xen.org>
+
+--- a/xen/drivers/passthrough/vtd/dmar.h
++++ b/xen/drivers/passthrough/vtd/dmar.h
+@@ -127,6 +127,34 @@ do {
+ } \
+ } while (0)
+
++#define IOMMU_FLUSH_WAIT(what, iommu, offset, op, cond, sts) \
++do { \
++ static unsigned int __read_mostly threshold = 1; \
++ s_time_t start = NOW(); \
++ s_time_t timeout = start + DMAR_OPERATION_TIMEOUT * threshold; \
++ \
++ for ( ; ; ) \
++ { \
++ sts = op(iommu->reg, offset); \
++ if ( cond ) \
++ break; \
++ if ( timeout && NOW() > timeout ) \
++ { \
++ threshold |= threshold << 1; \
++ printk(XENLOG_WARNING VTDPREFIX \
++ " IOMMU#%u: %s flush taking too long\n", \
++ iommu->index, what); \
++ timeout = 0; \
++ } \
++ cpu_relax(); \
++ } \
++ \
++ if ( !timeout ) \
++ printk(XENLOG_WARNING VTDPREFIX \
++ " IOMMU#%u: %s flush took %lums\n", \
++ iommu->index, what, (NOW() - start) / 10000000); \
++} while ( false )
++
+ int vtd_hw_check(void);
+ void disable_pmr(struct vtd_iommu *iommu);
+ int is_igd_drhd(struct acpi_drhd_unit *drhd);
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -326,8 +326,8 @@ static void iommu_flush_write_buffer(str
+ dmar_writel(iommu->reg, DMAR_GCMD_REG, val | DMA_GCMD_WBF);
+
+ /* Make sure hardware complete it */
+- IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, dmar_readl,
+- !(val & DMA_GSTS_WBFS), val);
++ IOMMU_FLUSH_WAIT("write buffer", iommu, DMAR_GSTS_REG, dmar_readl,
++ !(val & DMA_GSTS_WBFS), val);
+
+ spin_unlock_irqrestore(&iommu->register_lock, flags);
+ }
+@@ -376,8 +376,8 @@ int vtd_flush_context_reg(struct vtd_iom
+ dmar_writeq(iommu->reg, DMAR_CCMD_REG, val);
+
+ /* Make sure hardware complete it */
+- IOMMU_WAIT_OP(iommu, DMAR_CCMD_REG, dmar_readq,
+- !(val & DMA_CCMD_ICC), val);
++ IOMMU_FLUSH_WAIT("context", iommu, DMAR_CCMD_REG, dmar_readq,
++ !(val & DMA_CCMD_ICC), val);
+
+ spin_unlock_irqrestore(&iommu->register_lock, flags);
+ /* flush context entry will implicitly flush write buffer */
+@@ -454,8 +454,8 @@ int vtd_flush_iotlb_reg(struct vtd_iommu
+ dmar_writeq(iommu->reg, tlb_offset + 8, val);
+
+ /* Make sure hardware complete it */
+- IOMMU_WAIT_OP(iommu, (tlb_offset + 8), dmar_readq,
+- !(val & DMA_TLB_IVT), val);
++ IOMMU_FLUSH_WAIT("iotlb", iommu, (tlb_offset + 8), dmar_readq,
++ !(val & DMA_TLB_IVT), val);
+ spin_unlock_irqrestore(&iommu->register_lock, flags);
+
+ /* check IOTLB invalidation granularity */
+--- a/xen/drivers/passthrough/vtd/qinval.c
++++ b/xen/drivers/passthrough/vtd/qinval.c
+@@ -29,8 +29,6 @@
+ #include "extern.h"
+ #include "../ats.h"
+
+-#define VTD_QI_TIMEOUT 1
+-
+ static unsigned int __read_mostly qi_pg_order;
+ static unsigned int __read_mostly qi_entry_nr;
+
+@@ -60,7 +58,11 @@ static unsigned int qinval_next_index(st
+ /* (tail+1 == head) indicates a full queue, wait for HW */
+ while ( ((tail + 1) & (qi_entry_nr - 1)) ==
+ ( dmar_readq(iommu->reg, DMAR_IQH_REG) >> QINVAL_INDEX_SHIFT ) )
++ {
++ printk_once(XENLOG_ERR VTDPREFIX " IOMMU#%u: no QI slot available\n",
++ iommu->index);
+ cpu_relax();
++ }
+
+ return tail;
+ }
+@@ -180,23 +182,32 @@ static int __must_check queue_invalidate
+ /* Now we don't support interrupt method */
+ if ( sw )
+ {
+- s_time_t timeout;
+-
+- /* In case all wait descriptor writes to same addr with same data */
+- timeout = NOW() + MILLISECS(flush_dev_iotlb ?
+- iommu_dev_iotlb_timeout : VTD_QI_TIMEOUT);
++ static unsigned int __read_mostly threshold = 1;
++ s_time_t start = NOW();
++ s_time_t timeout = start + (flush_dev_iotlb
++ ? iommu_dev_iotlb_timeout
++ : 100) * MILLISECS(threshold);
+
+ while ( ACCESS_ONCE(*this_poll_slot) != QINVAL_STAT_DONE )
+ {
+- if ( NOW() > timeout )
++ if ( timeout && NOW() > timeout )
+ {
+- print_qi_regs(iommu);
++ threshold |= threshold << 1;
+ printk(XENLOG_WARNING VTDPREFIX
+- " Queue invalidate wait descriptor timed out\n");
+- return -ETIMEDOUT;
++ " IOMMU#%u: QI%s wait descriptor taking too long\n",
++ iommu->index, flush_dev_iotlb ? " dev" : "");
++ print_qi_regs(iommu);
++ timeout = 0;
+ }
+ cpu_relax();
+ }
++
++ if ( !timeout )
++ printk(XENLOG_WARNING VTDPREFIX
++ " IOMMU#%u: QI%s wait descriptor took %lums\n",
++ iommu->index, flush_dev_iotlb ? " dev" : "",
++ (NOW() - start) / 10000000);
++
+ return 0;
+ }
+
diff --git a/main/xen/xsa373-4.14-4.patch b/main/xen/xsa373-4.14-4.patch
new file mode 100644
index 0000000000..a1f186b25e
--- /dev/null
+++ b/main/xen/xsa373-4.14-4.patch
@@ -0,0 +1,81 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: AMD/IOMMU: wait for command slot to be available
+
+No caller cared about send_iommu_command() indicating unavailability of
+a slot. Hence if a sufficient number prior commands timed out, we did
+blindly assume that the requested command was submitted to the IOMMU
+when really it wasn't. This could mean both a hanging system (waiting
+for a command to complete that was never seen by the IOMMU) or blindly
+propagating success back to callers, making them believe they're fine
+to e.g. free previously unmapped pages.
+
+Fold the three involved functions into one, add spin waiting for an
+available slot along the lines of VT-d's qinval_next_index(), and as a
+consequence drop all error indicator return types/values.
+
+This is part of XSA-373 / CVE-2021-28692.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul@xen.org>
+
+--- a/xen/drivers/passthrough/amd/iommu_cmd.c
++++ b/xen/drivers/passthrough/amd/iommu_cmd.c
+@@ -20,43 +20,32 @@
+ #include "iommu.h"
+ #include "../ats.h"
+
+-static int queue_iommu_command(struct amd_iommu *iommu, u32 cmd[])
++static void send_iommu_command(struct amd_iommu *iommu,
++ const uint32_t cmd[4])
+ {
+- uint32_t tail, head;
++ uint32_t tail;
+
+ tail = iommu->cmd_buffer.tail + sizeof(cmd_entry_t);
+ if ( tail == iommu->cmd_buffer.size )
+ tail = 0;
+
+- head = readl(iommu->mmio_base +
+- IOMMU_CMD_BUFFER_HEAD_OFFSET) & IOMMU_RING_BUFFER_PTR_MASK;
+- if ( head != tail )
++ while ( tail == (readl(iommu->mmio_base +
++ IOMMU_CMD_BUFFER_HEAD_OFFSET) &
++ IOMMU_RING_BUFFER_PTR_MASK) )
+ {
+- memcpy(iommu->cmd_buffer.buffer + iommu->cmd_buffer.tail,
+- cmd, sizeof(cmd_entry_t));
+-
+- iommu->cmd_buffer.tail = tail;
+- return 1;
++ printk_once(XENLOG_ERR
++ "AMD IOMMU %04x:%02x:%02x.%u: no cmd slot available\n",
++ iommu->seg, PCI_BUS(iommu->bdf),
++ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf));
++ cpu_relax();
+ }
+
+- return 0;
+-}
+-
+-static void commit_iommu_command_buffer(struct amd_iommu *iommu)
+-{
+- writel(iommu->cmd_buffer.tail,
+- iommu->mmio_base + IOMMU_CMD_BUFFER_TAIL_OFFSET);
+-}
++ memcpy(iommu->cmd_buffer.buffer + iommu->cmd_buffer.tail,
++ cmd, sizeof(cmd_entry_t));
+
+-static int send_iommu_command(struct amd_iommu *iommu, u32 cmd[])
+-{
+- if ( queue_iommu_command(iommu, cmd) )
+- {
+- commit_iommu_command_buffer(iommu);
+- return 1;
+- }
++ iommu->cmd_buffer.tail = tail;
+
+- return 0;
++ writel(tail, iommu->mmio_base + IOMMU_CMD_BUFFER_TAIL_OFFSET);
+ }
+
+ static void flush_command_buffer(struct amd_iommu *iommu)
diff --git a/main/xen/xsa373-4.14-5.patch b/main/xen/xsa373-4.14-5.patch
new file mode 100644
index 0000000000..01556a87f1
--- /dev/null
+++ b/main/xen/xsa373-4.14-5.patch
@@ -0,0 +1,143 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: AMD/IOMMU: drop command completion timeout
+
+First and foremost - such timeouts were not signaled to callers, making
+them believe they're fine to e.g. free previously unmapped pages.
+
+Mirror VT-d's behavior: A fixed number of loop iterations is not a
+suitable way to detect timeouts in an environment (CPU and bus speeds)
+independent manner anyway. Furthermore, leaving an in-progress operation
+pending when it appears to take too long is problematic: If a command
+completed later, the signaling of its completion may instead be
+understood to signal a subsequently started command's completion.
+
+Log excessively long processing times (with a progressive threshold) to
+have some indication of problems in this area. Allow callers to specify
+a non-default timeout bias for this logging, using the same values as
+VT-d does, which in particular means a (by default) much larger value
+for device IO TLB invalidation.
+
+This is part of XSA-373 / CVE-2021-28692.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul@xen.org>
+
+--- a/xen/drivers/passthrough/amd/iommu_cmd.c
++++ b/xen/drivers/passthrough/amd/iommu_cmd.c
+@@ -48,10 +48,12 @@ static void send_iommu_command(struct am
+ writel(tail, iommu->mmio_base + IOMMU_CMD_BUFFER_TAIL_OFFSET);
+ }
+
+-static void flush_command_buffer(struct amd_iommu *iommu)
++static void flush_command_buffer(struct amd_iommu *iommu,
++ unsigned int timeout_base)
+ {
+- unsigned int cmd[4], status, loop_count;
+- bool comp_wait;
++ uint32_t cmd[4];
++ s_time_t start, timeout;
++ static unsigned int __read_mostly threshold = 1;
+
+ /* RW1C 'ComWaitInt' in status register */
+ writel(IOMMU_STATUS_COMP_WAIT_INT,
+@@ -67,22 +69,31 @@ static void flush_command_buffer(struct
+ IOMMU_COMP_WAIT_I_FLAG_SHIFT, &cmd[0]);
+ send_iommu_command(iommu, cmd);
+
+- /* Make loop_count long enough for polling completion wait bit */
+- loop_count = 1000;
+- do {
+- status = readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
+- comp_wait = status & IOMMU_STATUS_COMP_WAIT_INT;
+- --loop_count;
+- } while ( !comp_wait && loop_count );
+-
+- if ( comp_wait )
++ start = NOW();
++ timeout = start + (timeout_base ?: 100) * MILLISECS(threshold);
++ while ( !(readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET) &
++ IOMMU_STATUS_COMP_WAIT_INT) )
+ {
+- /* RW1C 'ComWaitInt' in status register */
+- writel(IOMMU_STATUS_COMP_WAIT_INT,
+- iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
+- return;
++ if ( timeout && NOW() > timeout )
++ {
++ threshold |= threshold << 1;
++ printk(XENLOG_WARNING
++ "AMD IOMMU %04x:%02x:%02x.%u: %scompletion wait taking too long\n",
++ iommu->seg, PCI_BUS(iommu->bdf),
++ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf),
++ timeout_base ? "iotlb " : "");
++ timeout = 0;
++ }
++ cpu_relax();
+ }
+- AMD_IOMMU_DEBUG("Warning: ComWaitInt bit did not assert!\n");
++
++ if ( !timeout )
++ printk(XENLOG_WARNING
++ "AMD IOMMU %04x:%02x:%02x.%u: %scompletion wait took %lums\n",
++ iommu->seg, PCI_BUS(iommu->bdf),
++ PCI_SLOT(iommu->bdf), PCI_FUNC(iommu->bdf),
++ timeout_base ? "iotlb " : "",
++ (NOW() - start) / 10000000);
+ }
+
+ /* Build low level iommu command messages */
+@@ -294,7 +305,7 @@ void amd_iommu_flush_iotlb(u8 devfn, con
+ /* send INVALIDATE_IOTLB_PAGES command */
+ spin_lock_irqsave(&iommu->lock, flags);
+ invalidate_iotlb_pages(iommu, maxpend, 0, queueid, daddr, req_id, order);
+- flush_command_buffer(iommu);
++ flush_command_buffer(iommu, iommu_dev_iotlb_timeout);
+ spin_unlock_irqrestore(&iommu->lock, flags);
+ }
+
+@@ -331,7 +342,7 @@ static void _amd_iommu_flush_pages(struc
+ {
+ spin_lock_irqsave(&iommu->lock, flags);
+ invalidate_iommu_pages(iommu, daddr, dom_id, order);
+- flush_command_buffer(iommu);
++ flush_command_buffer(iommu, 0);
+ spin_unlock_irqrestore(&iommu->lock, flags);
+ }
+
+@@ -355,7 +366,7 @@ void amd_iommu_flush_device(struct amd_i
+ ASSERT( spin_is_locked(&iommu->lock) );
+
+ invalidate_dev_table_entry(iommu, bdf);
+- flush_command_buffer(iommu);
++ flush_command_buffer(iommu, 0);
+ }
+
+ void amd_iommu_flush_intremap(struct amd_iommu *iommu, uint16_t bdf)
+@@ -363,7 +374,7 @@ void amd_iommu_flush_intremap(struct amd
+ ASSERT( spin_is_locked(&iommu->lock) );
+
+ invalidate_interrupt_table(iommu, bdf);
+- flush_command_buffer(iommu);
++ flush_command_buffer(iommu, 0);
+ }
+
+ void amd_iommu_flush_all_caches(struct amd_iommu *iommu)
+@@ -371,7 +382,7 @@ void amd_iommu_flush_all_caches(struct a
+ ASSERT( spin_is_locked(&iommu->lock) );
+
+ invalidate_iommu_all(iommu);
+- flush_command_buffer(iommu);
++ flush_command_buffer(iommu, 0);
+ }
+
+ void amd_iommu_send_guest_cmd(struct amd_iommu *iommu, u32 cmd[])
+@@ -381,7 +392,8 @@ void amd_iommu_send_guest_cmd(struct amd
+ spin_lock_irqsave(&iommu->lock, flags);
+
+ send_iommu_command(iommu, cmd);
+- flush_command_buffer(iommu);
++ /* TBD: Timeout selection may require peeking into cmd[]. */
++ flush_command_buffer(iommu, 0);
+
+ spin_unlock_irqrestore(&iommu->lock, flags);
+ }
diff --git a/main/xen/xsa375.patch b/main/xen/xsa375.patch
new file mode 100644
index 0000000000..aa2e5ad467
--- /dev/null
+++ b/main/xen/xsa375.patch
@@ -0,0 +1,50 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: Protect against Speculative Code Store Bypass
+
+Modern x86 processors have far-better-than-architecturally-guaranteed self
+modifying code detection. Typically, when a write hits an instruction in
+flight, a Machine Clear occurs to flush stale content in the frontend and
+backend.
+
+For self modifying code, before a write which hits an instruction in flight
+retires, the frontend can speculatively decode and execute the old instruction
+stream. Speculation of this form can suffer from type confusion in registers,
+and potentially leak data.
+
+Furthermore, updates are typically byte-wise, rather than atomic. Depending
+on timing, speculation can race ahead multiple times between individual
+writes, and execute the transiently-malformed instruction stream.
+
+Xen has stubs which are used in certain cases for emulation purposes. Inhibit
+speculation between updating the stub and executing it.
+
+This is XSA-375 / CVE-2021-0089.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
+index 8889509d2a..11467a1e3a 100644
+--- a/xen/arch/x86/pv/emul-priv-op.c
++++ b/xen/arch/x86/pv/emul-priv-op.c
+@@ -138,6 +138,8 @@ static io_emul_stub_t *io_emul_stub_setup(struct priv_op_ctxt *ctxt, u8 opcode,
+ /* Runtime confirmation that we haven't clobbered an adjacent stub. */
+ BUG_ON(STUB_BUF_SIZE / 2 < (p - ctxt->io_emul_stub));
+
++ block_speculation(); /* SCSB */
++
+ /* Handy function-typed pointer to the stub. */
+ return (void *)stub_va;
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index c25d88d0d8..f42ff2a837 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1257,6 +1257,7 @@ static inline int mkec(uint8_t e, int32_t ec, ...)
+ # define invoke_stub(pre, post, constraints...) do { \
+ stub_exn.info = (union stub_exception_token) { .raw = ~0 }; \
+ stub_exn.line = __LINE__; /* Utility outweighs livepatching cost */ \
++ block_speculation(); /* SCSB */ \
+ asm volatile ( pre "\n\tINDIRECT_CALL %[stub]\n\t" post "\n" \
+ ".Lret%=:\n\t" \
+ ".pushsection .fixup,\"ax\"\n" \
diff --git a/main/xen/xsa377.patch b/main/xen/xsa377.patch
new file mode 100644
index 0000000000..1a1887b60e
--- /dev/null
+++ b/main/xen/xsa377.patch
@@ -0,0 +1,27 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: Mitigate TAA after S3 resume
+
+The user chosen setting for MSR_TSX_CTRL needs restoring after S3.
+
+All APs get the correct setting via start_secondary(), but the BSP was missed
+out.
+
+This is XSA-377 / CVE-2021-28690.
+
+Fixes: 8c4330818f6 ("x86/spec-ctrl: Mitigate the TSX Asynchronous Abort sidechannel")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
+index 91a8c4d0bd..31a56f02d0 100644
+--- a/xen/arch/x86/acpi/power.c
++++ b/xen/arch/x86/acpi/power.c
+@@ -288,6 +288,8 @@ static int enter_state(u32 state)
+
+ microcode_update_one();
+
++ tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
++
+ if ( !recheck_cpu_features(0) )
+ panic("Missing previously available feature(s)\n");
+
diff --git a/main/xtables-addons-lts/APKBUILD b/main/xtables-addons-lts/APKBUILD
index e7f02f09a6..3e8ba97e7d 100644
--- a/main/xtables-addons-lts/APKBUILD
+++ b/main/xtables-addons-lts/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.36
+_kver=5.10.38
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/zfs-lts/APKBUILD b/main/zfs-lts/APKBUILD
index fe330db0d2..752caa1c40 100644
--- a/main/zfs-lts/APKBUILD
+++ b/main/zfs-lts/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.36
+_kver=5.10.38
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/zstd/APKBUILD b/main/zstd/APKBUILD
index fca027a8bc..9372cbd922 100644
--- a/main/zstd/APKBUILD
+++ b/main/zstd/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: stef <l0ls0fo2i@ctrlc.hu>
# Maintainer: André Klitzing <aklitzing@gmail.com>
pkgname=zstd
-pkgver=1.4.5
-pkgrel=3
+pkgver=1.4.9
+pkgrel=0
pkgdesc="Zstandard - Fast real-time compression algorithm"
url="https://www.zstd.net"
arch="all"
@@ -14,9 +14,22 @@ source="zstd-$pkgver.tar.gz::https://github.com/facebook/zstd/archive/v$pkgver.t
"
# secfixes:
+# 1.4.9-r0:
+# - CVE-2021-24032
# 1.3.8-r0:
# - CVE-2019-11922
+unset CPPFLAGS
+export CFLAGS="$CFLAGS -O2 -fno-strict-aliasing -fPIC"
+case "$CARCH" in
+ # avoid memory copy hack that violates C standard
+ armhf) export CFLAGS="$CFLAGS -DMEM_FORCE_MEMORY_ACCESS=0" ;;
+esac
+
+case "$CARCH" in
+ arm*) options="!check" ;;
+esac
+
build() {
unset CPPFLAGS
local _moreflags="-O2 -fno-strict-aliasing"
@@ -49,4 +62,6 @@ pzstd() {
make -C "$builddir"/contrib/pzstd install PREFIX=/usr DESTDIR="$subpkgdir"
}
-sha512sums="b03c497c3e0590c3d384cb856e3024f144b2bfac0d805d80e68deafa612c68237f12a2d657416d476a28059e80936c79f099fc42331464b417593895ea214387 zstd-1.4.5.tar.gz"
+sha512sums="
+f529db9c094f9ae26428bf1fdfcc91c6d783d400980e0f0d802d2cf13c2be2931465ef568907e03841ff76a369a1447e7371f8799d8526edb9a513ba5c6db133 zstd-1.4.9.tar.gz
+"