diff options
246 files changed, 12993 insertions, 2201 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6aa6c35c9b6..bcd0310a83b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -6,18 +6,11 @@ variables: GIT_STRATEGY: clone GIT_DEPTH: "500" -default: - # Make sure master points to the correct upstream commit - before_script: - - > - git fetch -nq $CI_MERGE_REQUEST_PROJECT_URL - +refs/heads/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME:refs/heads/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME - lint: stage: lint image: alpinelinux/apkbuild-lint-tools:latest script: - - changed-aports $CI_MERGE_REQUEST_TARGET_BRANCH_NAME | lint + - lint allow_failure: true only: - merge_requests diff --git a/community/ceph/30-32bit_fix.patch.noauto b/community/ceph/30-32bit_fix.patch.noauto index dfa6a7ef6e2..caa56b9e546 100644 --- a/community/ceph/30-32bit_fix.patch.noauto +++ b/community/ceph/30-32bit_fix.patch.noauto @@ -106,7 +106,7 @@ diff -uNr ceph-15.2.4/src/pybind/mgr/dashboard/frontend/package.json ceph-15.2.4 "@types/node": "12.12.34", "@types/simplebar": "5.1.1", "codelyzer": "5.2.2", -- "cypress": "4.4.0", +- "cypress": "9.0.0", "html-linter": "1.1.1", "htmllint-cli": "0.0.7", "jest": "25.2.4", diff --git a/community/ceph/APKBUILD b/community/ceph/APKBUILD index 02e01e8852a..8cfd2a24e6c 100644 --- a/community/ceph/APKBUILD +++ b/community/ceph/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Duncan Bellamy <dunk@denkimushi.com> # Maintainer: Duncan Bellamy <dunk@denkimushi.com> pkgname=ceph -pkgver=15.2.15 +pkgver=15.2.17 pkgrel=0 pkgdesc="Ceph is a distributed object store and file system" pkgusers="ceph" @@ -26,8 +26,6 @@ _osd_daemon_deps="fuse snappy lz4-libs" _osd_tools_deps="lz4-libs" _ceph_volume_deps="lvm2" _ceph_test_deps=" - xmlstarlet - py3-argparse py3-coverage py3-flake8 py3-nodeenv @@ -35,6 +33,7 @@ _ceph_test_deps=" py3-pytest py3-tox py3-yaml + xmlstarlet " makedepends=" acl-dev @@ -54,7 +53,6 @@ makedepends=" fcgi-dev flex fmt-dev - fuse fuse-dev git grep @@ -90,7 +88,6 @@ makedepends=" snappy-dev userspace-rcu-dev xfsprogs-dev - xmlstarlet yasm $_base_deps $_osd_daemon_deps @@ -150,6 +147,8 @@ subpackages=" " # secfixes: +# 15.2.17-r0: +# - CVE-2022-0670 # 15.2.8-r0: # - CVE-2020-27781 # 15.2.6-r0: @@ -244,7 +243,7 @@ package() { # udev rules install -m 0644 -D udev/50-rbd.rules "$pkgdir"/etc/udev/rules.d/50-rbd.rules # sudoers.d - install -m 0600 -D sudoers.d/ceph-osd-smartctl "$pkgdir"/etc/sudoers.d/ceph-osd-smartctl + install -m 0600 -D sudoers.d/ceph-smartctl "$pkgdir"/etc/sudoers.d/ceph-smartctl # copy out things that need splitting mv "$pkgdir"/usr/share/ceph/mgr/dashboard/frontend/node_modules "$builddir"/ @@ -421,7 +420,7 @@ osd_daemon() { amove usr/bin/ceph-osd amove usr/libexec/ceph/ceph-osd-prestart.sh - amove etc/sudoers.d/ceph-osd-smartctl + amove etc/sudoers.d/ceph-smartctl amove etc/sysctl.d/90-ceph-osd.conf install -m 750 -o $_ceph_uid -g $_ceph_gid -d \ "$subpkgdir"/var/lib/ceph/osd @@ -545,12 +544,12 @@ _pkg() { } sha512sums=" -e4d929ffda5c3e31767d93340fb97b5d49ca1d5641f6c30134ce5542486fc4f72684aef2ef47cb940a332e8b9144d8cec63ce8a9f86c773dbc0ccebdd8e7fb19 ceph_15.2.15.orig.tar.gz +952cd4db057fcab5efa3c6331fbc19cf1e904f5855266c2ed13e41ffb2e5a7d18ed133bd113fea493149005a182f429eef39931c4ceac7776aefe84a208a745a ceph_15.2.17.orig.tar.gz 110bdbcb40216c7ed155a8d23020784741b4992d895f4f04a146d275506e4e68053854d3b063b41e9c9b3e3e4f95b6b90602f92c185c853c0d8f47ad0c6b7121 ceph.confd ce5f162501f6b67fe254546dddf880d1a5b1d1a0fa69e0b1918de17e8da45c5c6124512b8cbd98b76f29d931403de0d11c5ffd330ed8ee1f4dc75bb04baecae3 ceph.initd c608f11cf358d76daf5281467a4ea941a81474fbe7f5faa41f7f4d0abaf9136a01576bbb1ab24bdd7bc91a49f66bd7f0a84717de5ec27250d74dd1e47e3b5dd3 10-musl-fixes.patch 427ab410aeb02d49c5caa8ff68c7b8df325229823d625b7069cd48c66dd9e129e742270850fb2be2238eb6fa12b8256845b4d94426ca96b2a9187b2726e78423 20-pci.patch -68660da5df1fe290f88707feb3781b5ccb5310fa248fd8b7c5075811b3ad4620bcc0aaed8cde857ff63695160172a4bfb668efc8b0fa55745fb8301168c6fe66 30-32bit_fix.patch.noauto +659b99b2cf9b6f0fb82a788b0d62ed818733c83b57663a3b74a016967110070963165719ff833776d3bef17c86e18abf7b1bc4c0e31e0d44b4ae61f4f80fea6a 30-32bit_fix.patch.noauto f974ab36cd6fa49c1d4613203a4f2152723e4952a185dfb6349bc4ca8ee1a7a9d0477bea136c54248271de30a4e584734ba41e8ec41bf274b04074622888ae39 31-32bit_fix_tests.patch.noauto 62ef2e7e10978e9e0eef4a094bc63d9890f0d7e71eba0f0e15baede0597ea179a77924f6dbd4d4a9c9b151c9ae934f4c10d7f2a17ee960b017f942ec57c7af35 34-fix_cpu_detection.patch 8a3e902309238ae6917b4c5fe9fa371dad3ba8e01848f462a9b67ad8d69b8370a8957f6c88462a7016319fd323eb6d6c31415734db56485a8a8b279d2705aff5 35-fix_ErasureCodeShec.patch diff --git a/community/gitea/APKBUILD b/community/gitea/APKBUILD index 69849a72dc3..07d416130ec 100644 --- a/community/gitea/APKBUILD +++ b/community/gitea/APKBUILD @@ -23,7 +23,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/go-gitea/gitea/archive/v$pkg builddir="$srcdir/src/code.gitea.io/$pkgname" # secfixes: -# 1.13.7: +# 1.13.7-r0: # - CVE-2021-29272 case "$CARCH" in diff --git a/community/jenkins/APKBUILD b/community/jenkins/APKBUILD index 3f0708f722d..e986452f73b 100644 --- a/community/jenkins/APKBUILD +++ b/community/jenkins/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Francesco Colista <fcolista@alpinelinux.org> # Maintainer: Francesco Colista <fcolista@alpinelinux.org> pkgname=jenkins -pkgver=2.319.2 +pkgver=2.319.3 pkgrel=0 pkgdesc="Extendable continuous integration server (stable version)" url="https://jenkins.io" @@ -21,6 +21,8 @@ source="$pkgname-$pkgver.war::https://get.jenkins.io/war-stable/$pkgver/jenkins. builddir="$srcdir/" # secfixes: +# 2.319.3-r0: +# - CVE-2022-0538 # 2.319.2-r0: # - CVE-2022-20612 # 2.287-r0: @@ -64,7 +66,7 @@ package() { } sha512sums=" -f6f0846d9e032b48e85fc20a030baa2d5c500a65c6c909d00852be3324d1b79c31ea8b7ff45ac05299ff9797b17aeb61d094ad425ce5198f6e13aa050007e650 jenkins-2.319.2.war +d6d952c064cf0a52d94db7ccd1903d726b10dcc6f41b20a23ca319a6e64ad8d8259c308cf44183e37ad9e6583b71a4d904da7aacb892a68b8dda826c71a9a425 jenkins-2.319.3.war 74423d3c66e2312eb3a1590e0582ccd82fc01b410d3bfc0627bef56fe6f4e7f4ea01a7a2d92a7a0c4870a1a1c48e911fe7eab3073e14db4910b52158182e5856 jenkins.logrotate 43686a537248c7a0a8fe53c3ca9577c8ffb50a141248de028d398d0fd3b3be8562b6cb2c63b44b3b0ac58d6431e8907790553791b2e125d1bfc2e3263ffaa83e jenkins.initd 7247750a13fc2537dc1e405f6d8221ccdc80cfbaf40c47327ee04c206afa8607ada52e7b895c8eb3489dd9f6a94b42b8b38110b3120948a35dc4f197fe4c08ed jenkins.confd diff --git a/community/jool-modules-lts/APKBUILD b/community/jool-modules-lts/APKBUILD index 57997ed3b15..0f0446e2abe 100644 --- a/community/jool-modules-lts/APKBUILD +++ b/community/jool-modules-lts/APKBUILD @@ -21,7 +21,7 @@ fi # Kernel version # Keep in sync with main/linux-lts! _kpkg=linux-$_flavor -_kver=5.10.88 +_kver=5.10.152 _krel=0 _kpkgver="$_kver-r$_krel" diff --git a/community/k3s/APKBUILD b/community/k3s/APKBUILD index 80f6afcfe77..27bc08f6f06 100644 --- a/community/k3s/APKBUILD +++ b/community/k3s/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Oleg Titov <oleg.titov@gmail.com> # Maintainer: Oleg Titov <oleg.titov@gmail.com> pkgname=k3s -_pkgver=1.20.2+k3s1 +_pkgver=1.20.15+k3s1 pkgver=${_pkgver/+k3s/.} pkgrel=0 pkgdesc="Lightweight Kubernetes. 5 less than k8s" @@ -78,8 +78,10 @@ package() { install -m644 -D "$srcdir"/k3s.modules-load "$pkgdir"/etc/modules-load.d/k3s.conf } -sha512sums="f381d6d3c481b686dbe673c8133d390925d601cc044af684b9bb0e6d4a3c7124c0e5ead3a569651b22ac5a0140a1c764030d1ba287b84dd0ca488a1c69efd647 k3s-1.20.2.1.tar.gz +sha512sums=" +95116e542d3115859b92962cfcafb39d39edfdb8de202a66ad8b53f45c3b211fe3bd86d18d5dd976a1a0d7fda68718ed499cdd6ebf7e6b51a8061672e47fdea9 k3s-1.20.15.1.tar.gz f03221efceb4ce2305c41c4c9e6d02ee5b799ed0cdfb1fc5018f8696e4d05575ae63b7c87596d765c5aa76c4a3bacf7c205e3eb61465e26886081a5d0da013ea k3s.confd 1015ee6ce5c69595df3150d7bbdfe528cf20305dac299831faa9cce00a454daf5548e78b1db79dcb8da300edc54553dfda0b95aed5e7bee27c1c726aef640350 k3s.initd 018a5e9b417a937c17f0a4a9e08eed434f06186207626ad038aec22ee667aba4cefa6e9e2a222e2c430d2cbb88c8663648f5bab0e76926a0edd13b8bdfd2673a k3s.logrotate -85ee1310cb36c85c42b4068a9549a3ef72b856cd61b2c1036c3e871ef43a69ed80b43599ad94ce5b069ddd823e730596bb3d3875d4ba8cd77c4cc1985335ffff k3s.modules-load" +85ee1310cb36c85c42b4068a9549a3ef72b856cd61b2c1036c3e871ef43a69ed80b43599ad94ce5b069ddd823e730596bb3d3875d4ba8cd77c4cc1985335ffff k3s.modules-load +" diff --git a/community/nss/APKBUILD b/community/nss/APKBUILD index f21f25b5ff7..9c033d04fa3 100644 --- a/community/nss/APKBUILD +++ b/community/nss/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Rasmus Thomsen <oss@cogitri.dev> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=nss -pkgver=3.66 +pkgver=3.68.4 pkgrel=0 pkgdesc="Mozilla Network Security Services" url="https://developer.mozilla.org/docs/Mozilla/Projects/NSS" @@ -12,7 +12,6 @@ depends_dev="nspr-dev" makedepends="nspr-dev sqlite-dev zlib-dev perl bsd-compat-headers linux-headers" subpackages="$pkgname-static $pkgname-dev $pkgname-tools" source="https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-$pkgver.tar.gz - CVE-2021-43527.patch nss.pc.in nss-util.pc.in nss-softokn.pc.in @@ -25,6 +24,8 @@ source="https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM options="!strip" # secfixes: +# 3.68.3-r0: +# - CVE-2022-1097 # 3.66-r0: # - CVE-2021-43527 # 3.58-r0: @@ -188,8 +189,7 @@ tools() { } sha512sums=" -327129cb065a8c19246e081e3cbc4798c81dc52eab6ee366eade151e9d308990592075c52a7c672165725fd855a0c539d56a803c26ef066561c584d693e0e467 nss-3.66.tar.gz -aff96b509bd649f9d5d5850b19daf1296210868dedd3ca9c1d198a9cf4cb2cfeb9ed6c530a8c9b7e1fbc0284e728ccf61c149fa07d940ef30e8ebc6588af76e6 CVE-2021-43527.patch +f97b63a9f8218f8fbd7b5d48c084b8166366d02cd50aac69a22d56324d2fea01c49d074e51430bd128f510c733085f3f43c9739ce4073a07a5666675e0ef3b15 nss-3.68.4.tar.gz 75dbd648a461940647ff373389cc73bc8ec609139cd46c91bcce866af02be6bcbb0524eb3dfb721fbd5b0bc68c20081ed6f7debf6b24317f2a7ba823e8d3c531 nss.pc.in 0f2efa8563b11da68669d281b4459289a56f5a3a906eb60382126f3adcfe47420cdcedc6ab57727a3afeeffa2bbb4c750b43bef8b5f343a75c968411dfa30e09 nss-util.pc.in 09c69d4cc39ec9deebc88696a80d0f15eb2d8c94d9daa234a2adfec941b63805eb4ce7f2e1943857b938bddcaee1beac246a0ec627b71563d9f846e6119a4a15 nss-softokn.pc.in diff --git a/community/nss/CVE-2021-43527.patch b/community/nss/CVE-2021-43527.patch deleted file mode 100644 index afec7288053..00000000000 --- a/community/nss/CVE-2021-43527.patch +++ /dev/null @@ -1,352 +0,0 @@ - -# HG changeset patch -# User Dennis Jackson <djackson@mozilla.com> -# Date 1637577642 0 -# Node ID dea71cbef9e03636f37c6cb120f8deccce6e17dd -# Parent da3d22d708c9cc0a32cff339658aeb627575e371 -Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea - -Differential Revision: https://phabricator.services.mozilla.com/D129514 - -diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c ---- a/nss/lib/cryptohi/secvfy.c -+++ b/nss/lib/cryptohi/secvfy.c -@@ -159,58 +159,89 @@ verifyPKCS1DigestInfo(const VFYContext * - SECItem pkcs1DigestInfo; - pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo; - pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen; - return _SGN_VerifyPKCS1DigestInfo( - cx->hashAlg, digest, &pkcs1DigestInfo, - PR_FALSE /*XXX: unsafeAllowMissingParameters*/); - } - -+static unsigned int -+checkedSignatureLen(const SECKEYPublicKey *pubk) -+{ -+ unsigned int sigLen = SECKEY_SignatureLen(pubk); -+ if (sigLen == 0) { -+ /* Error set by SECKEY_SignatureLen */ -+ return sigLen; -+ } -+ unsigned int maxSigLen; -+ switch (pubk->keyType) { -+ case rsaKey: -+ case rsaPssKey: -+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8; -+ break; -+ case dsaKey: -+ maxSigLen = DSA_MAX_SIGNATURE_LEN; -+ break; -+ case ecKey: -+ maxSigLen = 2 * MAX_ECKEY_LEN; -+ break; -+ default: -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); -+ return 0; -+ } -+ if (sigLen > maxSigLen) { -+ PORT_SetError(SEC_ERROR_INVALID_KEY); -+ return 0; -+ } -+ return sigLen; -+} -+ - /* - * decode the ECDSA or DSA signature from it's DER wrapping. - * The unwrapped/raw signature is placed in the buffer pointed - * to by dsig and has enough room for len bytes. - */ - static SECStatus - decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig, - unsigned int len) - { - SECItem *dsasig = NULL; /* also used for ECDSA */ -- SECStatus rv = SECSuccess; - -- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && -- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { -- if (sig->len != len) { -- PORT_SetError(SEC_ERROR_BAD_DER); -- return SECFailure; -+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */ -+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { -+ if (len > DSA_MAX_SIGNATURE_LEN) { -+ goto loser; - } -- -- PORT_Memcpy(dsig, sig->data, sig->len); -- return SECSuccess; -+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { -+ if (len > MAX_ECKEY_LEN * 2) { -+ goto loser; -+ } -+ } else { -+ goto loser; - } - -- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { -- if (len > MAX_ECKEY_LEN * 2) { -- PORT_SetError(SEC_ERROR_BAD_DER); -- return SECFailure; -- } -+ /* Decode and pad to length */ -+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); -+ if (dsasig == NULL) { -+ goto loser; - } -- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); -- -- if ((dsasig == NULL) || (dsasig->len != len)) { -- rv = SECFailure; -- } else { -- PORT_Memcpy(dsig, dsasig->data, dsasig->len); -+ if (dsasig->len != len) { -+ SECITEM_FreeItem(dsasig, PR_TRUE); -+ goto loser; - } - -- if (dsasig != NULL) -- SECITEM_FreeItem(dsasig, PR_TRUE); -- if (rv == SECFailure) -- PORT_SetError(SEC_ERROR_BAD_DER); -- return rv; -+ PORT_Memcpy(dsig, dsasig->data, len); -+ SECITEM_FreeItem(dsasig, PR_TRUE); -+ -+ return SECSuccess; -+ -+loser: -+ PORT_SetError(SEC_ERROR_BAD_DER); -+ return SECFailure; - } - - const SEC_ASN1Template hashParameterTemplate[] = - { - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, - { SEC_ASN1_OBJECT_ID, 0 }, - { SEC_ASN1_SKIP_REST }, - { 0 } -@@ -276,17 +307,17 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg - * - * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the - * algorithm was not found or was not a signing algorithm. - */ - SECStatus - sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, - const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg) - { -- int len; -+ unsigned int len; - PLArenaPool *arena; - SECStatus rv; - SECItem oid; - SECOidTag encalg; - - PR_ASSERT(hashalg != NULL); - PR_ASSERT(encalgp != NULL); - -@@ -461,58 +492,62 @@ vfy_CreateContext(const SECKEYPublicKey - cx->wincx = wincx; - cx->hasSignature = (sig != NULL); - cx->encAlg = encAlg; - cx->hashAlg = hashAlg; - cx->key = SECKEY_CopyPublicKey(key); - cx->pkcs1RSADigestInfo = NULL; - rv = SECSuccess; - if (sig) { -- switch (type) { -- case rsaKey: -- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, -- &cx->pkcs1RSADigestInfo, -- &cx->pkcs1RSADigestInfoLen, -- cx->key, -- sig, wincx); -- break; -- case rsaPssKey: -- sigLen = SECKEY_SignatureLen(key); -- if (sigLen == 0) { -- /* error set by SECKEY_SignatureLen */ -- rv = SECFailure; -+ rv = SECFailure; -+ if (type == rsaKey) { -+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, -+ &cx->pkcs1RSADigestInfo, -+ &cx->pkcs1RSADigestInfoLen, -+ cx->key, -+ sig, wincx); -+ } else { -+ sigLen = checkedSignatureLen(key); -+ /* Check signature length is within limits */ -+ if (sigLen == 0) { -+ /* error set by checkedSignatureLen */ -+ rv = SECFailure; -+ goto loser; -+ } -+ if (sigLen > sizeof(cx->u)) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ rv = SECFailure; -+ goto loser; -+ } -+ switch (type) { -+ case rsaPssKey: -+ if (sig->len != sigLen) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ rv = SECFailure; -+ goto loser; -+ } -+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen); -+ rv = SECSuccess; - break; -- } -- if (sig->len != sigLen) { -- PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ case ecKey: -+ case dsaKey: -+ /* decodeECorDSASignature will check sigLen == sig->len after padding */ -+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); -+ break; -+ default: -+ /* Unreachable */ - rv = SECFailure; -- break; -- } -- PORT_Memcpy(cx->u.buffer, sig->data, sigLen); -- break; -- case dsaKey: -- case ecKey: -- sigLen = SECKEY_SignatureLen(key); -- if (sigLen == 0) { -- /* error set by SECKEY_SignatureLen */ -- rv = SECFailure; -- break; -- } -- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); -- break; -- default: -- rv = SECFailure; -- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); -- break; -+ goto loser; -+ } -+ } -+ if (rv != SECSuccess) { -+ goto loser; - } - } - -- if (rv) -- goto loser; -- - /* check hash alg again, RSA may have changed it.*/ - if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { - /* error set by HASH_GetHashTypeByOidTag */ - goto loser; - } - /* check the policy on the hash algorithm. Do this after - * the rsa decode because some uses of this function get hash implicitly - * from the RSA signature itself. */ -@@ -645,21 +680,26 @@ VFY_EndWithSignature(VFYContext *cx, SEC - if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final)); - switch (cx->key->keyType) { - case ecKey: - case dsaKey: -- dsasig.data = cx->u.buffer; -- dsasig.len = SECKEY_SignatureLen(cx->key); -+ dsasig.len = checkedSignatureLen(cx->key); - if (dsasig.len == 0) { - return SECFailure; - } -+ if (dsasig.len > sizeof(cx->u)) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ return SECFailure; -+ } -+ dsasig.data = cx->u.buffer; -+ - if (sig) { - rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, - dsasig.len); - if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - } -@@ -681,18 +721,23 @@ VFY_EndWithSignature(VFYContext *cx, SEC - cx->params, - &mech); - PORT_DestroyCheapArena(&tmpArena); - if (rv != SECSuccess) { - return SECFailure; - } - - rsasig.data = cx->u.buffer; -- rsasig.len = SECKEY_SignatureLen(cx->key); -+ rsasig.len = checkedSignatureLen(cx->key); - if (rsasig.len == 0) { -+ /* Error set by checkedSignatureLen */ -+ return SECFailure; -+ } -+ if (rsasig.len > sizeof(cx->u)) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - if (sig) { - if (sig->len != rsasig.len) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - PORT_Memcpy(rsasig.data, sig->data, rsasig.len); -@@ -744,37 +789,42 @@ VFY_End(VFYContext *cx) - static SECStatus - vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, - const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, - void *wincx) - { - SECStatus rv; - VFYContext *cx; - SECItem dsasig; /* also used for ECDSA */ -- - rv = SECFailure; - - cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); - if (cx != NULL) { - switch (key->keyType) { - case rsaKey: - rv = verifyPKCS1DigestInfo(cx, digest); -+ /* Error (if any) set by verifyPKCS1DigestInfo */ - break; -- case dsaKey: - case ecKey: -+ case dsaKey: - dsasig.data = cx->u.buffer; -- dsasig.len = SECKEY_SignatureLen(cx->key); -+ dsasig.len = checkedSignatureLen(cx->key); - if (dsasig.len == 0) { -+ /* Error set by checkedSignatureLen */ -+ rv = SECFailure; - break; - } -- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) != -- SECSuccess) { -+ if (dsasig.len > sizeof(cx->u)) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -- } else { -- rv = SECSuccess; -+ rv = SECFailure; -+ break; -+ } -+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - } - break; - default: - break; - } - VFY_DestroyContext(cx, PR_TRUE); - } - return rv; - diff --git a/community/perl-app-cpanminus/APKBUILD b/community/perl-app-cpanminus/APKBUILD index 96aa80a6244..fcabee95972 100644 --- a/community/perl-app-cpanminus/APKBUILD +++ b/community/perl-app-cpanminus/APKBUILD @@ -4,8 +4,8 @@ pkgname=perl-app-cpanminus #_pkgreal is used by apkbuild-cpan to find modules at MetaCpan _pkgreal=App-cpanminus -pkgver=1.7044 -pkgrel=3 +pkgver=1.7045 +pkgrel=0 pkgdesc="Get, unpack, build and install modules from CPAN" url="https://metacpan.org/release/App-cpanminus/" arch="noarch" @@ -16,6 +16,10 @@ subpackages="$pkgname-doc" source="https://cpan.metacpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-$pkgver.tar.gz" builddir="$srcdir/$_pkgreal-$pkgver" +# secfixes: +# 1.7045-r0: +# - CVE-2020-16154 + build() { export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}') PERL_MM_USE_DEFAULT=1 perl -I. Makefile.PL INSTALLDIRS=vendor @@ -32,4 +36,6 @@ package() { find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete } -sha512sums="85e88de8fbefabdfd84fe8aeaa8294d58d63e27276cd6d8b8dfc5dc4cd6c30c12f5859f30e4930842d6d06af50c88d71358dee49c93821234c811aa39de822d7 App-cpanminus-1.7044.tar.gz" +sha512sums=" +450b5e1aaa8774a1bc3ae93d7535d9ef7a175417f3e55e88bc8cab208e27334f5d2f69f7c709b8394476410a8f3eeea26b7369c3ab9565985a56b0bbf6310513 App-cpanminus-1.7045.tar.gz +" diff --git a/community/python3-tkinter/APKBUILD b/community/python3-tkinter/APKBUILD index 283f53da478..44f792b40a9 100644 --- a/community/python3-tkinter/APKBUILD +++ b/community/python3-tkinter/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Kiyoshi Aman <kiyoshi.aman@gmail.com> pkgname=python3-tkinter -pkgver=3.8.10 +pkgver=3.8.15 _basever="${pkgver%.*}" pkgrel=0 pkgdesc="A graphical user interface for the Python" @@ -107,6 +107,8 @@ _idle() { _mv_files usr/lib/python*/idlelib } -sha512sums="0be69705483ff9692e12048a96180e586f9d84c8d53066629f7fb2389585eb75c0f3506bb8182936e322508f58b71f4d8c6dfebbab9049b31b49da11d3b98e80 Python-3.8.10.tar.xz +sha512sums=" +4fb3827b13c2452faa75e5ed18dddf381e80b4fffcfde046e289b4629cff0bb87fba1d09916b9b8a6f8039dc422c952293ebdb381c49f8ca7e7893ae4be6c28d Python-3.8.15.tar.xz ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch -37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch" +37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch +" diff --git a/community/rtl8821ce-lts/APKBUILD b/community/rtl8821ce-lts/APKBUILD index f1cdfa1763c..e24885b7a00 100644 --- a/community/rtl8821ce-lts/APKBUILD +++ b/community/rtl8821ce-lts/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Kevin Daudt <kdaudt@alpinelinux.org> # Maintainer: Kevin Daudt <kdaudt@alpinelinux.org> -_kver=5.10.88 +_kver=5.10.152 _krel=0 _flavor="$FLAVOR" [ -z "$_flavor" ] && _flavor=lts diff --git a/community/rtpengine-lts/APKBUILD b/community/rtpengine-lts/APKBUILD index 86e3c7b874b..3e6f57a7baa 100644 --- a/community/rtpengine-lts/APKBUILD +++ b/community/rtpengine-lts/APKBUILD @@ -5,7 +5,7 @@ _ver=9.0.1.10 _rel=0 # kernel version -_kver=5.10.88 +_kver=5.10.152 _krel=0 _kpkgver="$_kver-r$_krel" diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD index 42b593bacca..dd3f6dbd841 100644 --- a/main/alpine-base/APKBUILD +++ b/main/alpine-base/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=alpine-base -pkgver=3.13.7 +pkgver=3.13.12 pkgrel=0 pkgdesc="Meta package for minimal alpine base" url="https://alpinelinux.org" diff --git a/main/alpine-make-rootfs/APKBUILD b/main/alpine-make-rootfs/APKBUILD index 1914a65b319..9aaf8dd7627 100644 --- a/main/alpine-make-rootfs/APKBUILD +++ b/main/alpine-make-rootfs/APKBUILD @@ -2,13 +2,16 @@ # Maintainer: Jakub Jirutka <jakub@jirutka.cz> pkgname=alpine-make-rootfs pkgver=0.5.1 -pkgrel=0 +pkgrel=1 pkgdesc="Make customized Alpine Linux rootfs (base image) for containers" url="https://github.com/alpinelinux/alpine-make-rootfs" arch="noarch" license="MIT" depends="tar" -source="$pkgname-$pkgver.tar.gz::https://github.com/alpinelinux/$pkgname/archive/v$pkgver.tar.gz" +source="$pkgname-$pkgver.tar.gz::https://github.com/alpinelinux/$pkgname/archive/v$pkgver.tar.gz + add-new-signing-key-for-x86_64.patch + fix-missing-release-files-on-edge.patch + " builddir="$srcdir/$pkgname-$pkgver" options="!check" # no suitable tests provided @@ -17,4 +20,8 @@ package() { make install DESTDIR="$pkgdir" PREFIX=/usr } -sha512sums="d2c98c3fc69b4f61d798714711b668da7abafb111846a0a8d4cbcf1003a2b677a18ad9cfa3565a0f2cb0a74a2f30f485786310a8e09ff942037bf60d88bf3245 alpine-make-rootfs-0.5.1.tar.gz" +sha512sums=" +d2c98c3fc69b4f61d798714711b668da7abafb111846a0a8d4cbcf1003a2b677a18ad9cfa3565a0f2cb0a74a2f30f485786310a8e09ff942037bf60d88bf3245 alpine-make-rootfs-0.5.1.tar.gz +b1e42986e889f8924e46b08d4ca614f965b9a8d4e5bf4271f9901fffd9fe022b3930537ec8d0f17ca9cea77050b4a031e61eb26636e759a5587c9c0b4d2cc160 add-new-signing-key-for-x86_64.patch +5d46180968bd5d01c5235a5fe0d17d3f8949ab4ba6c4a69eb0e67fdc8f23563d7030e9bd1ad7ef231322b05e6518ec48b45628bb0496339829548c5028828174 fix-missing-release-files-on-edge.patch +" diff --git a/main/alpine-make-rootfs/add-new-signing-key-for-x86_64.patch b/main/alpine-make-rootfs/add-new-signing-key-for-x86_64.patch new file mode 100644 index 00000000000..2e94cd1b1a8 --- /dev/null +++ b/main/alpine-make-rootfs/add-new-signing-key-for-x86_64.patch @@ -0,0 +1,23 @@ +Patch-Source: https://github.com/alpinelinux/alpine-make-rootfs/commit/64a89ab6973c3a60a975243bc2086d6743c50aae +-- +From 64a89ab6973c3a60a975243bc2086d6743c50aae Mon Sep 17 00:00:00 2001 +From: Jakub Jirutka <jakub@jirutka.cz> +Date: Sun, 14 Nov 2021 00:04:21 +0100 +Subject: [PATCH] Add new package signing key for x86_64 + +--- + alpine-make-rootfs | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/alpine-make-rootfs b/alpine-make-rootfs +index 0d033ff..56c99e3 100755 +--- a/alpine-make-rootfs ++++ b/alpine-make-rootfs +@@ -101,6 +101,7 @@ readonly ALPINE_BASE_PKGS='alpine-baselayout busybox busybox-suid musl-utils' + readonly ALPINE_KEYS=' + alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub:MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1yHJxQgsHQREclQu4Ohe\nqxTxd1tHcNnvnQTu/UrTky8wWvgXT+jpveroeWWnzmsYlDI93eLI2ORakxb3gA2O\nQ0Ry4ws8vhaxLQGC74uQR5+/yYrLuTKydFzuPaS1dK19qJPXB8GMdmFOijnXX4SA\njixuHLe1WW7kZVtjL7nufvpXkWBGjsfrvskdNA/5MfxAeBbqPgaq0QMEfxMAn6/R\nL5kNepi/Vr4S39Xvf2DzWkTLEK8pcnjNkt9/aafhWqFVW7m3HCAII6h/qlQNQKSo\nGuH34Q8GsFG30izUENV9avY7hSLq7nggsvknlNBZtFUcmGoQrtx3FmyYsIC8/R+B\nywIDAQAB + alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub:MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwlzMkl7b5PBdfMzGdCT0\ncGloRr5xGgVmsdq5EtJvFkFAiN8Ac9MCFy/vAFmS8/7ZaGOXoCDWbYVLTLOO2qtX\nyHRl+7fJVh2N6qrDDFPmdgCi8NaE+3rITWXGrrQ1spJ0B6HIzTDNEjRKnD4xyg4j\ng01FMcJTU6E+V2JBY45CKN9dWr1JDM/nei/Pf0byBJlMp/mSSfjodykmz4Oe13xB\nCa1WTwgFykKYthoLGYrmo+LKIGpMoeEbY1kuUe04UiDe47l6Oggwnl+8XD1MeRWY\nsWgj8sF4dTcSfCMavK4zHRFFQbGp/YFJ/Ww6U9lA3Vq0wyEI6MCMQnoSMFwrbgZw\nwwIDAQAB ++alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub:MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAutQkua2CAig4VFSJ7v54\nALyu/J1WB3oni7qwCZD3veURw7HxpNAj9hR+S5N/pNeZgubQvJWyaPuQDm7PTs1+\ntFGiYNfAsiibX6Rv0wci3M+z2XEVAeR9Vzg6v4qoofDyoTbovn2LztaNEjTkB+oK\ntlvpNhg1zhou0jDVYFniEXvzjckxswHVb8cT0OMTKHALyLPrPOJzVtM9C1ew2Nnc\n3848xLiApMu3NBk0JqfcS3Bo5Y2b1FRVBvdt+2gFoKZix1MnZdAEZ8xQzL/a0YS5\nHd0wj5+EEKHfOd3A75uPa/WQmA+o0cBFfrzm69QDcSJSwGpzWrD1ScH3AK8nWvoj\nv7e9gukK/9yl1b4fQQ00vttwJPSgm9EnfPHLAtgXkRloI27H6/PuLoNvSAMQwuCD\nhQRlyGLPBETKkHeodfLoULjhDi1K2gKJTMhtbnUcAA7nEphkMhPWkBpgFdrH+5z4\nLxy+3ek0cqcI7K68EtrffU8jtUj9LFTUC8dERaIBs7NgQ/LfDbDfGh9g6qVj1hZl\nk9aaIPTm/xsi8v3u+0qaq7KzIBc9s59JOoA8TlpOaYdVgSQhHHLBaahOuAigH+VI\nisbC9vmqsThF2QdDtQt37keuqoda2E6sL7PUvIyVXDRfwX7uMDjlzTxHTymvq2Ck\nhtBqojBnThmjJQFgZXocHG8CAwEAAQ== + ' + # List of directories to remove when empty. + readonly UNNECESSARY_DIRS=' diff --git a/main/alpine-make-rootfs/fix-missing-release-files-on-edge.patch b/main/alpine-make-rootfs/fix-missing-release-files-on-edge.patch new file mode 100644 index 00000000000..7eeeddb797b --- /dev/null +++ b/main/alpine-make-rootfs/fix-missing-release-files-on-edge.patch @@ -0,0 +1,39 @@ +Patch-Source: https://github.com/alpinelinux/alpine-make-rootfs/commit/80a8e3f9d6f5ec701b2ae5e9a0d6bdb004ec1246 +-- +From 80a8e3f9d6f5ec701b2ae5e9a0d6bdb004ec1246 Mon Sep 17 00:00:00 2001 +From: Jakub Jirutka <jakub@jirutka.cz> +Date: Sun, 21 Aug 2022 00:56:04 +0200 +Subject: [PATCH] Adapt to alpine-base not providing release files since v3.17 + and on edge + +https://gitlab.alpinelinux.org/alpine/aports/-/commit/23e66e85c95beef9d3f72a2ccc510671fdb3462d +--- + alpine-make-rootfs | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/alpine-make-rootfs b/alpine-make-rootfs +index 63133f3..eb24005 100755 +--- a/alpine-make-rootfs ++++ b/alpine-make-rootfs +@@ -387,11 +387,16 @@ fi + + _apk add --root "$rootfs" --update-cache --initdb $rootfs_pkgs >&2 + +-if ! _apk info --root "$rootfs" --quiet --installed alpine-base; then +- # This package contains /etc/os-release, /etc/alpine-release and /etc/issue, +- # but we don't wanna install all its dependencies (e.g. openrc). +- _apk fetch --root "$rootfs" --stdout alpine-base \ +- | tar -xz -C "$rootfs" etc >&2 ++if ! [ -f "$rootfs"/etc/alpine-release ]; then ++ if _apk info --root "$rootfs" --quiet alpine-release >/dev/null; then ++ _apk add --root "$rootfs" alpine-release ++ else ++ # In Alpine <3.17, this package contains /etc/os-release, ++ # /etc/alpine-release and /etc/issue, but we don't wanna install all ++ # its dependencies (e.g. openrc). ++ _apk fetch --root "$rootfs" --stdout alpine-base \ ++ | tar -xz -C "$rootfs" etc >&2 ++ fi + fi + + [ -e "$rootfs"/var/run ] || ln -s /run "$rootfs"/var/run diff --git a/main/amavis/APKBUILD b/main/amavis/APKBUILD index 7b41bc8578e..69468922fc1 100644 --- a/main/amavis/APKBUILD +++ b/main/amavis/APKBUILD @@ -1,8 +1,7 @@ -# Contributor: Leonardo Arena <rnalrd@alpinelinux.org> # Maintainer: Leonardo Arena <rnalrd@alpinelinux.org> pkgname=amavis -pkgver=2.12.1 -pkgrel=0 +pkgver=2.12.2 +pkgrel=1 pkgdesc="High-performance interface between mailer (MTA) and content checkers" url="https://gitlab.com/amavis/amavis" arch="noarch !x86" # perl-db @@ -13,7 +12,7 @@ depends="sed file perl perl-archive-zip perl-carp perl-convert-tnef perl-exporter perl-io-stringy perl-mime-tools perl-mailtools perl-socket perl-net-libidn perl-net-server perl-time-hires perl-unix-syslog perl-mail-dkim - perl-io-socket-inet6 + perl-io-socket-inet6 perl-io-socket-ssl perl-mail-spamassassin " makedepends="" @@ -23,47 +22,36 @@ subpackages="$pkgname-openrc" source="https://gitlab.com/amavis/amavis/-/archive/v$pkgver/amavis-v$pkgver.tar.gz amavisd.initd amavisd.confd + amavisd-conf.patch " pkgusers="amavis" pkggroups="amavis" - builddir="$srcdir"/$pkgname-v$pkgver package() { - cd "$builddir" - ( - HOME=/var/amavis - QUARANTINE=$HOME/quarantine - USER=amavis - GROUP=amavis - DIRS="$HOME $HOME/tmp $HOME/var $HOME/db $HOME/home $QUARANTINE" - CONFIG=/etc/amavisd.conf + _amavis_home=/var/amavis - for dir in $DIRS - do - mkdir -p ${pkgdir}$dir + for dir in $_amavis_home/tmp \ + $_amavis_home/var \ + $_amavis_home/db \ + $_amavis_home/home \ + $_amavis_home/quarantine \ + ; do + install -dm750 -o amavis -g amavis "${pkgdir}$dir" done - install -m 755 -o root -D amavisd $pkgdir/usr/sbin/amavisd - install -m 755 -o root -D amavisd-nanny $pkgdir/usr/bin/amavisd-nanny - install -m 755 -o root -D amavisd-release $pkgdir/usr/bin/amavisd-release - sed -e "s:^.*\$MYHOME = .*$:\$MYHOME = '$HOME';:" \ - -e 's:^.*\$TEMPBASE = .*$:\$TEMPBASE = "\$MYHOME/tmp";:' \ - -e 's:^.*\$db_home = .*$:\$db_home = "$MYHOME/db";:' \ - -e "s:^.*\$QUARANTINEDIR = .*$:\$QUARANTINEDIR = '$QUARANTINE';:" \ - -e "s:^.*\$daemon_user = 'vscan';\(.*\)$:\$daemon_user = 'amavis';\1:" \ - -e "s:^.*\$daemon_group = 'vscan';\(.*\)$:\$daemon_group = 'amavis';\1:" < amavisd.conf > amavisd.conf.alpine - install -m 640 -o root -D amavisd.conf.alpine ${pkgdir}${CONFIG} - ) + for file in amavisd amavisd-nanny amavisd-release amavisd.conf; do + install -Dm755 -o root -g amavis "$file" "$pkgdir/usr/sbin/$file" + done + install -Dm640 -o root -g amavis amavisd.conf "$pkgdir"/etc/amavisd.conf install -Dm755 "$srcdir"/amavisd.initd "$pkgdir"/etc/init.d/amavisd install -Dm644 "$srcdir"/amavisd.confd "$pkgdir"/etc/conf.d/amavisd - - chown -R amavis:amavis "$pkgdir"/var/amavis - chmod -R 750 "$pkgdir"/var/amavis - chown root:amavis "$pkgdir"/etc/amavisd.conf } -sha512sums="33bcc8606e142ed390cb368a7c640f96b70ecd1c8473e7d19f3125f89afde7a044981b9e3704c722c54472f88b2e4e54c89bab19bc28ceb89561aeb8ede04c8e amavis-v2.12.1.tar.gz +sha512sums=" +7ef5ba670b530bf19352ba8aebd57a171e32d90adffc0b248b93a39f740fe4bb8ddf1d5ecdd46d0c9e1b4ca1a9ff0a9e86e73900e73a1a2cac514656c3a7db01 amavis-v2.12.2.tar.gz 6a9dd16a6b52f3d1fbd16887f29ccceddc58e88a02e681f23c1fe54b7e24feea5089d52813f4f3e87d9242daf79d2b2ea1e7c451d83d7de943403e71dc61c4e5 amavisd.initd -a5ce3583c34197f335372728cf92da23bae2cd7a9ae48daff6eaadbf66fbd5be6bb8b480b0fce1ea2b3a662b0a54d1d2f1f277d2f9a06d9630b57fa5d7ac2635 amavisd.confd" +a5ce3583c34197f335372728cf92da23bae2cd7a9ae48daff6eaadbf66fbd5be6bb8b480b0fce1ea2b3a662b0a54d1d2f1f277d2f9a06d9630b57fa5d7ac2635 amavisd.confd +87f9c4489fb377e6e1315edcef75940b1a61a30c418106c1ef48eef4f425746333c550b270e0e6727fe89a68239f673f24392d81a53157ad487d3d2da1e95b4c amavisd-conf.patch +" diff --git a/main/amavis/amavisd-conf.patch b/main/amavis/amavisd-conf.patch new file mode 100644 index 00000000000..708bd4a2650 --- /dev/null +++ b/main/amavis/amavisd-conf.patch @@ -0,0 +1,33 @@ +--- a/amavisd.conf ++++ b/amavisd.conf +@@ -17,15 +17,15 @@ + # truncation in /proc/<pid>/stat and ps -e output + + $max_servers = 2; # num of pre-forked children (2..30 is common), -m +-$daemon_user = 'vscan'; # (no default; customary: vscan or amavis), -u +-$daemon_group = 'vscan'; # (no default; customary: vscan or amavis), -g ++$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u ++$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g + + $mydomain = 'example.com'; # a convenient default for other settings + +-# $MYHOME = '/var/amavis'; # a convenient default for other settings, -H +-$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T ++$MYHOME = '/var/amavis'; ++$TEMPBASE = "$MYHOME/tmp"; + $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. +-$QUARANTINEDIR = '/var/virusmails'; # -Q ++$QUARANTINEDIR = '/var/amavis/quarantine'; + # $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine + # $release_format = 'resend'; # 'attach', 'plain', 'resend' + # $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf' +@@ -44,7 +44,8 @@ + $syslog_facility = 'mail'; # Syslog facility as a string + # e.g.: mail, daemon, user, local0, ... local7 + +-$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) ++# BDB is no longer supported in Alpine ++$enable_db = 0; # enable use of BerkeleyDB/libdb (SNMP and nanny) + # $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny) + $nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed + $enable_dkim_verification = 1; # enable DKIM signatures verification diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD index ff191b3f8b5..f40e267ee5a 100644 --- a/main/apache2/APKBUILD +++ b/main/apache2/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Valery Kartel <valery.kartel@gmail.com> pkgname=apache2 _pkgreal=httpd -pkgver=2.4.52 +pkgver=2.4.54 pkgrel=0 pkgdesc="A high performance Unix-based HTTP server" url="https://httpd.apache.org/" @@ -51,6 +51,20 @@ options="suid" builddir="$srcdir"/$_pkgreal-$pkgver # secfixes: +# 2.4.54-r0: +# - CVE-2022-26377 +# - CVE-2022-28330 +# - CVE-2022-28614 +# - CVE-2022-28615 +# - CVE-2022-29404 +# - CVE-2022-30522 +# - CVE-2022-30556 +# - CVE-2022-31813 +# 2.4.53-r0: +# - CVE-2022-22719 +# - CVE-2022-22720 +# - CVE-2022-22721 +# - CVE-2022-23943 # 2.4.52-r0: # - CVE-2021-44224 # - CVE-2021-44790 @@ -382,7 +396,7 @@ _lua() { } sha512sums=" -97c021c576022a9d32f4a390f62e07b5f550973aef2f299fd52defce1a9fa5d27bd4a676e7bf214373ba46063d34aecce42de62fdd93678a4e925cfcbb2afdf6 httpd-2.4.52.tar.bz2 +228493b2ff32c4142c6e484d304f2ea12e467498605fe12adce2b61388d8efe7b2e96ae2fd0abd1dc88a5f12d625e007d8da0ae5628cff2a5272806754f41e18 httpd-2.4.54.tar.bz2 8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd 18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate 81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd diff --git a/main/aports-build/APKBUILD b/main/aports-build/APKBUILD index 7e9d595e70b..67abeaaa6fb 100644 --- a/main/aports-build/APKBUILD +++ b/main/aports-build/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=aports-build -pkgver=1.5.3 +pkgver=1.5.4 pkgrel=0 pkgdesc="MQTT based build-on-git-push scripts for Alpine Linux" url="https://alpinelinux.org" @@ -46,7 +46,9 @@ package() { EOF } -sha512sums="81c039c6999fddde2489fccdc48b29760c80ea1ff5265cc2d7f73d6575e0173a0f51b89a4d49e5100e2d841b6260adc48e4ab00e8608d52b3b69b17a590467ad aports-build +sha512sums=" +81c039c6999fddde2489fccdc48b29760c80ea1ff5265cc2d7f73d6575e0173a0f51b89a4d49e5100e2d841b6260adc48e4ab00e8608d52b3b69b17a590467ad aports-build 821035bda47152c341ec94bf960fa67e3377051826712ceb74f39103e6e422777b6e082231bfb87865653d2b93b7d3154cfc24abf65a52e3e66da69412dd7e41 aports-build.initd 62ed5cb6d1fef03fa707512c8c99c572a91e64706ebcc2e7097108811818615618bab908292d0ba0ad2afe93a27333d9c91deb347d6c99703eb8983d1ee5f480 mqtt-exec.aports-build.confd -cf0d8e65e517857ee781e451a1d3e6404cd72aeb5c7dba25017229ff79c4c43425712d2fcbbaad89af45a358e86f33467ac1df47e8fba0f30f81d84794e1206c report-build-errors.lua" +939ba54ab4159bc8fcd0cb08f16f67dac05d29c77005da6fca0463048ab991765665b35f2feb978bfd8409bd13fdbdf3d47a7652df842e76504d076ac040c337 report-build-errors.lua +" diff --git a/main/aports-build/report-build-errors.lua b/main/aports-build/report-build-errors.lua index 275b213f863..3621765783a 100644 --- a/main/aports-build/report-build-errors.lua +++ b/main/aports-build/report-build-errors.lua @@ -6,6 +6,26 @@ local f = io.open("/proc/sys/kernel/hostname") hostname = f:read() f:close() +local function read_mosquitto_conf() + local cfg = {} + local f = io.open((os.getenv("XDG_CONFIG_HOME") or "").."/mosquitto_pub") or io.open((os.getenv("HOME") or "").."/.config/mosquitto_pub") + if f == nil then + return cfg + end + for line in f:lines() do + key,value = line:match("^%-%-([^ ]+)%s+(.*)") + if key and value then + cfg[key] = value + end + end + f:close() + return cfg +end +local mcfg = read_mosquitto_conf() +publish.hostname = mcfg.hostname or "localhost" +publish.username = mcfg.username +publish.password = mcfg.pw + local m = {} function shell_escape(args) diff --git a/main/apr/APKBUILD b/main/apr/APKBUILD index c2a40dad1e9..ad0a43b3142 100644 --- a/main/apr/APKBUILD +++ b/main/apr/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=apr pkgver=1.7.0 -pkgrel=0 +pkgrel=1 pkgdesc="The Apache Portable Runtime" url="http://apr.apache.org/" arch="all" @@ -12,8 +12,13 @@ subpackages="$pkgname-dev" source="https://www.apache.org/dist/apr/apr-$pkgver.tar.bz2 apr-1.6.2-dont-test-dlclose.patch semtimedop-s390x.patch + CVE-2021-35940.patch " +# secfixes: +# 1.7.0-r1: +# - CVE-2021-35940.patch + build() { cd "$builddir" ./configure \ @@ -48,6 +53,9 @@ dev() { return 0 } -sha512sums="3dc42d5caf17aab16f5c154080f020d5aed761e22db4c5f6506917f6bfd2bf8becfb40af919042bd4ce1077d5de74aa666f5edfba7f275efba78e8893c115148 apr-1.7.0.tar.bz2 +sha512sums=" +3dc42d5caf17aab16f5c154080f020d5aed761e22db4c5f6506917f6bfd2bf8becfb40af919042bd4ce1077d5de74aa666f5edfba7f275efba78e8893c115148 apr-1.7.0.tar.bz2 9fb931e45f30fbe68af56849dfca148c09cdf85e300af14fb259cbd43470113288680bdb21189d4cf13f5ce95f8d28666822535e017e64ace5324339ab50cbef apr-1.6.2-dont-test-dlclose.patch -5d1afa9419d0481e7c3369724e8b4c1e199cbfd5d031bd9d9fc4f46ee0d3819353ff03c3b2c508d5b939f66ef4549953bbf9cdae7ff934002b9a01d824c843e8 semtimedop-s390x.patch" +5d1afa9419d0481e7c3369724e8b4c1e199cbfd5d031bd9d9fc4f46ee0d3819353ff03c3b2c508d5b939f66ef4549953bbf9cdae7ff934002b9a01d824c843e8 semtimedop-s390x.patch +33c072ad4e27afee4b93df5b1076a8d858c6f4ef57df4e2dd1bf750f8b0390cb130744aa3bf67c4de359b35a558da07e479b10e0028ec935aa9a1ea4820c995e CVE-2021-35940.patch +" diff --git a/main/apr/CVE-2021-35940.patch b/main/apr/CVE-2021-35940.patch new file mode 100644 index 00000000000..0b72ab964cd --- /dev/null +++ b/main/apr/CVE-2021-35940.patch @@ -0,0 +1,53 @@ +Patch-Source: https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch +SECURITY: CVE-2021-35940 (cve.mitre.org) + +Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though +was addressed in 1.6.x in 1.6.3 and later via r1807976. + +The fix was merged back to 1.7.x in r1891198. + +Since this was a regression in 1.7.0, a new CVE name has been assigned +to track this, CVE-2021-35940. + +Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue. + +https://svn.apache.org/viewvc?view=revision&revision=1891198 + +Index: time/unix/time.c +=================================================================== +--- a/time/unix/time.c (revision 1891197) ++++ b/time/unix/time.c (revision 1891198) +@@ -142,6 +142,9 @@ + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++ if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++ return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) +Index: time/win32/time.c +=================================================================== +--- a/time/win32/time.c (revision 1891197) ++++ b/time/win32/time.c (revision 1891198) +@@ -54,6 +54,9 @@ + static const int dayoffset[12] = + {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334}; + ++ if (tm->wMonth < 1 || tm->wMonth > 12) ++ return APR_EBADDATE; ++ + /* Note; the caller is responsible for filling in detailed tm_usec, + * tm_gmtoff and tm_isdst data when applicable. + */ +@@ -228,6 +231,9 @@ + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++ if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++ return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) diff --git a/main/bash/APKBUILD b/main/bash/APKBUILD index ac289ccc60e..f25bd7e9930 100644 --- a/main/bash/APKBUILD +++ b/main/bash/APKBUILD @@ -2,7 +2,7 @@ # Contributor: TBK <alpine@jjtc.eu> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=bash -pkgver=5.1.0 +pkgver=5.1.16 _patchlevel=${pkgver##*.} _myver=${pkgver%.*} _patchbase=${_myver/./} @@ -90,5 +90,23 @@ dev() { mv "$pkgdir"/usr/lib/$pkgname/Makefile* "$subpkgdir"/usr/lib/$pkgname } -sha512sums="c44a0ce381469219548a3a27589af3fea4f22eda1ca4e9434b59fc16da81b471c29ce18e31590e0860a6a251a664b68c2b45e3a17d22cfc02799ffd9a208390c bash-5.1.tar.gz -9d8845491d0fe335bdd8e9a2bd98bda54bfed2ae3c35b2196c6d5a38bdf96c4d97572ba7d6b19ab605ef4e8f001f64cf3312f87dedebb9e37a95ad2c44e33cdb bash-noinfo.patch" +sha512sums=" +c44a0ce381469219548a3a27589af3fea4f22eda1ca4e9434b59fc16da81b471c29ce18e31590e0860a6a251a664b68c2b45e3a17d22cfc02799ffd9a208390c bash-5.1.tar.gz +9d8845491d0fe335bdd8e9a2bd98bda54bfed2ae3c35b2196c6d5a38bdf96c4d97572ba7d6b19ab605ef4e8f001f64cf3312f87dedebb9e37a95ad2c44e33cdb bash-noinfo.patch +1cd86805a2639614372aec29a710bc456e330abcbbaa0867820c94f714a1fa5fb5c1b18aa2c10263ae0bce9dad7579c7af2f732282315c1c34bfd6a90777bfd2 bash51-001 +923e7822a9629645347d3aea0058fb5e2d52223507159a62369309f264612df44a84931c19e0ccb3852e98ce672dfbd454477090b4041b5a0de477c94eb61088 bash51-002 +01e952dcfdae58624723d64912ea3444eed2fdcd266ba1a929b95ec3abd70f914bf400607c3f7bb7a94ac2925f794f91f37c1929d5bb987de2ba7f60a19cb8bd bash51-003 +10ff24cd91a2cd88818bfa7218050843af6b409e43fcca89f5ec70d8266020c6c2a55132426271f165cd0f154f49eb0f8ec2761b80fc066c921b83120bb543ce bash51-004 +fa83d894fe874a05b9a7d47b8bca8e5b7f4067221d82e8b1af616d17725592c3737c621f2a8ad3c917b29846012c37c85acd34dcbb43eb6b05065ccce89b260c bash51-005 +b9b6e3d71f7b7718e2e8598ec8e337dcc675571fb233c29e5230ebf14eab2249204531f2fe8c4d1459c5fed10acb679048588d1e457e98dbc00ffc4d2cd227e3 bash51-006 +e4ebdc47e780ddc2588ecdfcfe00cb618039c7044e250ab2b836b0735c461ebacd15beaf2145e277c70b7f51cded55bd8dde7757df810f33f8dae306ee5ba571 bash51-007 +97f9558a08a66cc9da62c285bf9118b39328e25ed3b9277728e0539b1ac0adef176a090e39cd96dc03d6fd900d8155bd58040cb3390a09f637bab1de8af3faf6 bash51-008 +2d3c65162ec4e5c3dfeb439891950ef2c43973a84122fcdf6b56c388466c7e671dbc9b236d2253f01411b668c365855263995dbacb8e6f9e9dbcb7e6c2cc518c bash51-009 +aac4a0b72b559566334f1029c52754f4c98185af99e09436e401d83ab81bab7882d0d8050674b30f171733f3628157777a264566e927e93db2ea5a18d26630f1 bash51-010 +bb9e47a570bb9758c365831f9650b9379b60862b8cef572edc3cd833df96ebb8b9612de474bdc2a03ff4efc2275f871d55962295385e38f3658874488e974b81 bash51-011 +59819914b6821d9f4af0aade7b9b7ea92368c2b8eb8407cea11dfeee7208905dd06bdef7a049d7b1c4fac41c44d9a130b95a061957a9649050b37471b3044cf1 bash51-012 +67535155f49a7f54f151e62aba9274f82d01f33a1a1a7e5efd1aa0d63ba2d078765f0b5e22cb24db7132eff2d8c5852a3688298baa5217b8b6e159aae065d748 bash51-013 +f658ab7ef01ba1d26f735e24b23bf35687e15b0d5d20f90da233d000745a55bdba142c11e9fba52e3b84470ec625fab60cc74cd6be533d990496a3795c658e88 bash51-014 +fd4bc85f942a3a16c545f7e951a24f620ff2d884640dea6e05f305aaf88ed41862bfb05eea2258881608de696f9dc7a0fe3bebb51a011f50b720ea7a66699184 bash51-015 +020b3f3db77ca603a27a3423323538db5c9844be17ee428cf7cda80bebdcc715d30eab6c95773541cb8d14f3ad9e6142bf0adcda0e745ee638242508cc0ab05f bash51-016 +" diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD index b1550e5cd8f..78f57021259 100644 --- a/main/bind/APKBUILD +++ b/main/bind/APKBUILD @@ -5,12 +5,12 @@ # Contributor: ungleich <alpinelinux@ungleich.ch> # Maintainer: pkgname=bind -pkgver=9.16.20 +pkgver=9.16.33 _ver=${pkgver%_p*} _p=${pkgver#*_p} _major=${pkgver%%.*} [ "$_p" != "$pkgver" ] && _ver="$_ver-P$_p" -pkgrel=1 +pkgrel=0 pkgdesc="The ISC DNS server" url="https://www.isc.org/" arch="all" @@ -57,10 +57,21 @@ source=" named.conf.recursive 127.zone localhost.zone - bind-9.16.20-map-format-fix.patch " # secfixes: +# 9.16.33-r0: +# - CVE-2022-2795 +# - CVE-2022-2881 +# - CVE-2022-2906 +# - CVE-2022-3080 +# - CVE-2022-38177 +# - CVE-2022-38178 +# 9.16.27-r0: +# - CVE-2022-0396 +# - CVE-2021-25220 +# 9.16.25-r0: +# - CVE-2021-25219 # 9.16.20-r0: # - CVE-2021-25218 # 9.16.15-r0: @@ -272,8 +283,7 @@ _gpgfingerprints=" BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57 " -sha512sums=" -bd4ffcc2589ca8f1ac228576ec11e86f317d5a78d7964a0a7ae70b2fa38831d5bd65c2e8c35d8190502de7139f85d8b080b3b8ee968811a8df78e5761781525d bind-9.16.20.tar.xz +sha512sums="43fd2cea52dfd1115a4cca83830ab5b93208be401cdbbdff2bbf204b8f0d99fb434ad3156d3a21649488cc904ae09f145feba97b9b6918b0cf063ff5e2b10af5 bind-9.16.33.tar.xz 2b32d1e7f62cd1e01bb4fdd92d15460bc14761b933d5acc463a91f5ecd4773d7477c757c5dd2738e8e433693592cf3f623ffc142241861c91848f01aa84640d6 bind.plugindir.patch 7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch 53db80f7ee4902f42fb1d0bc959242bcb6f20d95256bda99ce2c206af8b4703c7f72bb26d026c633f70451b84a37c3946b210951e34dd5d6620b181cd0183de4 named.initd @@ -281,6 +291,4 @@ bd4ffcc2589ca8f1ac228576ec11e86f317d5a78d7964a0a7ae70b2fa38831d5bd65c2e8c35d8190 d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative 3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone -340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone -d9224712ee2c6f6d0ff483ed253497548935fe35f45e5bdf26c9bd25c6234adde00727df7eb49fbfbfb34aad9d9fa0f112e900804794ad90a5cd8a64e9db61c6 bind-9.16.20-map-format-fix.patch -" +340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone" diff --git a/main/bind/bind-9.16.20-map-format-fix.patch b/main/bind/bind-9.16.20-map-format-fix.patch deleted file mode 100644 index f6e3c9b3782..00000000000 --- a/main/bind/bind-9.16.20-map-format-fix.patch +++ /dev/null @@ -1,8 +0,0 @@ ---- a/lib/dns/mapapi -+++ b/lib/dns/mapapi -@@ -13,4 +13,4 @@ - # Whenever releasing a new major release of BIND9, set this value - # back to 1.0 when releasing the first alpha. Map files are *never* - # compatible across major releases. --MAPAPI=2.0 -+MAPAPI=3.0 diff --git a/main/build-base/APKBUILD b/main/build-base/APKBUILD index 7dff94e7ecf..709b5eec6bd 100644 --- a/main/build-base/APKBUILD +++ b/main/build-base/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=build-base pkgver=0.5 -pkgrel=2 +pkgrel=3 url=http://dev.alpinelinux.org/cgit pkgdesc="Meta package for build base" depends="binutils file gcc g++ make libc-dev fortify-headers patch" @@ -11,7 +11,7 @@ if [ "$CHOST" != "$CTARGET" ]; then depends="binutils-$CTARGET_ARCH gcc-$CTARGET_ARCH g++-$CTARGET_ARCH $depends" fi arch="noarch" -license=none +license="MIT" options="!check" build() { diff --git a/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch new file mode 100644 index 00000000000..1d1716e3b0c --- /dev/null +++ b/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch @@ -0,0 +1,40 @@ +From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001 +From: Ariadne Conill <ariadne@dereferenced.org> +Date: Sun, 3 Apr 2022 12:14:33 +0000 +Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are + returned for the hostname part + +CVE: Pending +Upstream-Status: Pending +Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> +--- + libbb/xconnect.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libbb/xconnect.c b/libbb/xconnect.c +index 0e0b247b8..02c061e67 100644 +--- a/libbb/xconnect.c ++++ b/libbb/xconnect.c +@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + ); + if (rc) + return NULL; ++ /* ensure host contains only printable characters */ + if (flags & IGNORE_PORT) +- return xstrdup(host); ++ return xstrdup(printable_string(host)); + #if ENABLE_FEATURE_IPV6 + if (sa->sa_family == AF_INET6) { + if (strchr(host, ':')) /* heh, it's not a resolved hostname */ +@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + #endif + /* For now we don't support anything else, so it has to be INET */ + /*if (sa->sa_family == AF_INET)*/ +- return xasprintf("%s:%s", host, serv); ++ return xasprintf("%s:%s", printable_string(host), serv); + /*return xstrdup(host);*/ + } + +-- +2.35.1 + diff --git a/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch new file mode 100644 index 00000000000..01c45c9ba67 --- /dev/null +++ b/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch @@ -0,0 +1,68 @@ +From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001 +From: Ariadne Conill <ariadne@dereferenced.org> +Date: Sun, 3 Apr 2022 12:16:45 +0000 +Subject: [PATCH 2/2] nslookup: sanitize all printed strings with + printable_string + +Otherwise, terminal sequences can be injected, which enables various terminal injection +attacks from DNS results. + +CVE: Pending +Upstream-Status: Pending +Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> +--- + networking/nslookup.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/networking/nslookup.c b/networking/nslookup.c +index 6da97baf4..4bdcde1b8 100644 +--- a/networking/nslookup.c ++++ b/networking/nslookup.c +@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + //printf("Unable to uncompress domain: %s\n", strerror(errno)); + return -1; + } +- printf(format, ns_rr_name(rr), dname); ++ printf(format, ns_rr_name(rr), printable_string(dname)); + break; + + case ns_t_mx: +@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + //printf("Cannot uncompress MX domain: %s\n", strerror(errno)); + return -1; + } +- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname); ++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname)); + break; + + case ns_t_txt: +@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + if (n > 0) { + memset(dname, 0, sizeof(dname)); + memcpy(dname, ns_rr_rdata(rr) + 1, n); +- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname); ++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname)); + } + break; + +@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + } + + printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr), +- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname); ++ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname)); + break; + + case ns_t_soa: +@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + return -1; + } + +- printf("\tmail addr = %s\n", dname); ++ printf("\tmail addr = %s\n", printable_string(dname)); + cp += n; + + printf("\tserial = %lu\n", ns_get32(cp)); +-- +2.35.1 + diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD index 794f0868044..88d42bd3922 100644 --- a/main/busybox/APKBUILD +++ b/main/busybox/APKBUILD @@ -4,7 +4,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=busybox pkgver=1.32.1 -pkgrel=7 +pkgrel=9 pkgdesc="Size optimized toolbox of many common UNIX utilities" url="https://busybox.net/" arch="all" @@ -38,12 +38,16 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2 0001-echo-do-not-assume-that-free-leaves-errno-unmodified.patch - traceroute-opt-x.patch::https://git.busybox.net/busybox/patch/?id=89358a7131d3e75c74af834bb117b4fad7914983 + traceroute-opt-x.patch CVE-2021-42374.patch CVE-2021-42375.patch awk-fixes.patch + 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch + 0002-nslookup-sanitize-all-printed-strings-with-printable.patch + CVE-2022-30065.patch + acpid.logrotate busyboxconfig busyboxconfig-extras @@ -54,6 +58,11 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2 " # secfixes: +# 1.32.1-r9: +# - CVE-2022-30065 +# 1.32.1-r8: +# - ALPINE-13661 +# - CVE-2022-28391 # 1.32.1-r7: # - CVE-2021-42374 # - CVE-2021-42375 @@ -265,10 +274,13 @@ df02adb3e3cd3349cc8d070911e3392164cb2e30bd72cae7ceaa974b2db6f958fdcedf809abc7b4b 3b13ba6bd9b697e48864cb5376849c1ac95b30650e3e27605cc05edf4fdc1ecbb4c4503d4fe9012a581bcd660f6bb44d644575cf437d30423614cb83ee92c22c 0010-Add-flag-for-not-following-symlinks-when-recursing.patch 4d043999ffbf6875e6b28ffdb43a36dd5d37d51e862ed7d89c6007e38cdda056292c5322a3ac3189fd489bf3ad1cce7b20508a96aee55c09f09354e1c3f5f5fe 0012-udhcpc-Don-t-background-if-n-is-given.patch 1ec62ab67e32684e2bbfbafefc9e2bffeb758248a97a1ed9468f449d1fc67fca5c1a6743acc889e12c6f18636708e35ba4bab3345c4994eea6be11f10c9a128c 0001-echo-do-not-assume-that-free-leaves-errno-unmodified.patch -c6dc917e67ab4c9aa0294f22707fd3cfc8cb37d703d8a0bce7f257ac9fb931dc4b815ab1d5e4f3ed3520b6ba046bdc1fbd0d1f8ed73b8d2d51f9238f03e03688 traceroute-opt-x.patch +90598077e3000efa92167d446211965737bd3ee8c9dc29b6a33ebbd7c2e2a52eaadd225a1695bc4375ae0ec90a533915926de5fa4364d880b6c99934d7b0f916 traceroute-opt-x.patch 0e241dc63d49103569852089c07149a2ff2599331f988ca20e8f6f606e560795b919ceffb6b3f4f1aba56b688b969c52bfdc2d1deb7c6ec08deaf707771b996a CVE-2021-42374.patch 9efaef6fd2099e3f2adf04a6c77a67bf6be84324565ce39725111b1538974d2e2c7febe9ad17086e7f900e9c0335a8e43e2330ddb6547772b4e5443f5cbc704e CVE-2021-42375.patch 52c885b9e0f9cfaf6d1ab8f7c988f9e43bc422a9017ea4e369fc79cd0e63510b8eb375dde88ec138382b1d67c8045b661fda150434d80c131bd1b7302ee02771 awk-fixes.patch +b52050678e79e4da856956906d07fcb620cbf35f2ef6b5a8ee3b8d244ea63b4b98eef505451184d5b4937740d91eef154ed748c30d329ac485be51b37626f251 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch +ead4ad65d270d8659e1898fa16f76b6cbcf567d8aba238eacccda3764edb4362240d9359d6389873bedc126d405f805fc6dfce653a7181618ebcc67c94bd08d2 0002-nslookup-sanitize-all-printed-strings-with-printable.patch +22e2fa8f7a6105fd9990f93b71c235980fd4eab62269939a0e3a920fe517ee4f913c6bd0148a554b67fe01d1660bf0fd76a80e9dcac290b4b8b2c304ef6080a9 CVE-2022-30065.patch aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1 acpid.logrotate 2f093f620b6d9dcef6e2e00c5395143b6497882653b4155ff313dff26210be91059cabafc606324c0230e80a461e0560839b14bf37e20671a7b8762f488b6c8f busyboxconfig 931e628184a25ae29760f7853c15c570dfb33075af167346e9662b9c7c5829e834ec81027bb10526c376261d229152bb096eb741cea0a5c0e3c614dd2c9d287e busyboxconfig-extras diff --git a/main/busybox/CVE-2022-30065.patch b/main/busybox/CVE-2022-30065.patch new file mode 100644 index 00000000000..4a9cd67c987 --- /dev/null +++ b/main/busybox/CVE-2022-30065.patch @@ -0,0 +1,63 @@ +From 3c284dcb726ff6599d3b87fb366fb04411cf5595 Mon Sep 17 00:00:00 2001 +From: Natanael Copa <ncopa@alpinelinux.org> +Date: Fri, 17 Jun 2022 09:52:11 +0000 +Subject: [PATCH 1/2] awk: fix use after free (CVE-2022-30065) + +fixes https://bugs.busybox.net/show_bug.cgi?id=14781 + +Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> +--- + editors/awk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/editors/awk.c b/editors/awk.c +index 079d0bde5..728ee8685 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3128,6 +3128,9 @@ static var *evaluate(node *op, var *res) + + case XC( OC_MOVE ): + debug_printf_eval("MOVE\n"); ++ /* make sure that we never return a temp var */ ++ if (L.v == TMPVAR0) ++ L.v = res; + /* if source is a temporary string, jusk relink it to dest */ + if (R.v == TMPVAR1 + && !(R.v->type & VF_NUMBER) +-- +2.36.1 + + +From 30c8f8e69230ef27f116a2c10ca2e4a6cc343dad Mon Sep 17 00:00:00 2001 +From: Natanael Copa <ncopa@alpinelinux.org> +Date: Thu, 16 Jun 2022 21:54:48 +0200 +Subject: [PATCH 2/2] awk: add tests for CVE-2022-30065 + +Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> +--- + testsuite/awk.tests | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/testsuite/awk.tests b/testsuite/awk.tests +index 93e25d8c1..6c3a03c37 100755 +--- a/testsuite/awk.tests ++++ b/testsuite/awk.tests +@@ -479,4 +479,15 @@ testing 'awk backslash+newline eaten with no trace' \ + "Hello world\n" \ + '' '' + ++testing 'awk use-after-free (CVE-2022-30065)' \ ++ "awk '\$3i\$3in\$9=\$r||\$9=i6/6-9f'" \ ++ "" \ ++ "" \ ++ "" ++ ++testing 'awk assign while test' \ ++ "awk '\$1==\$1=\"foo\" {print \$1}'" \ ++ "foo\n" \ ++ "" \ ++ "foo" + exit $FAILCOUNT +-- +2.36.1 + diff --git a/main/busybox/traceroute-opt-x.patch b/main/busybox/traceroute-opt-x.patch new file mode 100644 index 00000000000..eea17891006 --- /dev/null +++ b/main/busybox/traceroute-opt-x.patch @@ -0,0 +1,26 @@ +From 89358a7131d3e75c74af834bb117b4fad7914983 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Tue, 2 Feb 2021 13:48:21 +0100 +Subject: traceroute: fix option parsing + +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> +--- + networking/traceroute.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/networking/traceroute.c b/networking/traceroute.c +index 3f1a9ab46..29f5e480b 100644 +--- a/networking/traceroute.c ++++ b/networking/traceroute.c +@@ -896,7 +896,7 @@ traceroute_init(int op, char **argv) + + op |= getopt32(argv, "^" + OPT_STRING +- "\0" "-1:x-x" /* minimum 1 arg */ ++ "\0" "-1" /* minimum 1 arg */ + , &tos_str, &device, &max_ttl_str, &port_str, &nprobes_str + , &source, &waittime_str, &pausemsecs_str, &first_ttl_str + ); +-- +cgit v1.2.3 + diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD index c2f84505b39..6e1efdc82d7 100644 --- a/main/ca-certificates/APKBUILD +++ b/main/ca-certificates/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=ca-certificates -pkgver=20191127 -pkgrel=5 +pkgver=20220614 +pkgrel=0 pkgdesc="Common CA certificates PEM files from Mozilla" url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/" arch="all" @@ -16,16 +16,10 @@ replaces="libcrypto1.0 openssl openssl1.0" options="!fhs !check" triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs:/etc/ca-certificates/update.d" install="$pkgname.post-deinstall" -source="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/$pkgver/ca-certificates-$pkgver.tar.bz2 - 0001-update-ca-fix-compiler-warning.patch - 0002-replace-python-script-with-perl-script.patch - 0003-update-ca-insert-newline-between-certs.patch - " +source="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/$pkgver/ca-certificates-$pkgver.tar.bz2" build() { make - # remove expired cert (https://gitlab.alpinelinux.org/alpine/aports/issues/11607) - rm AddTrust_External_Root.crt } package() { @@ -70,7 +64,6 @@ bundle() { "$subpkgdir"/etc/ssl/cert.pem } -sha512sums="05e3a11efd80ea88eb81774e084febe4b8d1fa48f01f49e5ed3d469e10a2769260a264faed42ea3a0b725659cda1cc4a67ce5575fe04cdff9dc1c08207911c9b ca-certificates-20191127.tar.bz2 -aafe6d9047380fc403792fbf27146dc9c0532ef401e6eb9bd8b533c110f902cad0a66701cf3563ad625d07ae54619e9f2f3091ec14772b92e178dbed142ecd97 0001-update-ca-fix-compiler-warning.patch -4d9c71b9ea0596f5efaa188f244b7ab587f96c218bb6fed01f11e34c553909f65bbe660156f8300be9511ae50614661c5dcd3b493ac146a8e888f62fc52bd9d4 0002-replace-python-script-with-perl-script.patch -051b5d78916ee7389dfbd4e8871aab720415bd6e9ee0313dba770fc40ee7c68ac67d7918f2503458a3218e3bfc10691b5e379b65269106fde02c7e7a36eb7595 0003-update-ca-insert-newline-between-certs.patch" +sha512sums=" +8e20d3021222bb3b470a935d34ffe23e7857bf0b7fedda5284049155aab01bc88ab54ae939376968fb7fbff41e6b06bd32e34405210a8e74faadb68ffa6d9dd4 ca-certificates-20220614.tar.bz2 +" diff --git a/main/cairo/APKBUILD b/main/cairo/APKBUILD index a7b31060b3d..855c0692935 100644 --- a/main/cairo/APKBUILD +++ b/main/cairo/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cairo pkgver=1.16.0 -pkgrel=2 +pkgrel=4 pkgdesc="A vector graphics library" url="https://cairographics.org/" arch="all" @@ -17,10 +17,13 @@ source="https://cairographics.org/releases/cairo-$pkgver.tar.xz CVE-2018-19876.patch pdf-flush.patch 85.patch + fix-inf-loop.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 1.16.0-r4: +# - CVE-2019-6462 # 1.16.0-r2: # - CVE-2020-35492 # 1.16.0-r1: @@ -70,8 +73,11 @@ tools() { "$subpkgdir"/usr/lib/cairo/ } -sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz +sha512sums=" +9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz 86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch 8f13cdcae0f134e04778cf5915f858fb8d5357a7e0a454791c93d1566935b985ec66dfe1683cd0b74a1cb44a130923d7a27cf006f3fc70b9bee93abd58a55aa3 CVE-2018-19876.patch 533ea878dc7f917af92e2694bd3f535a09cde77f0ecd0cc00881fbc9ec1ea86f60026eacc76129705f525f6672929ad8d15d8cfe1bfa61e9962e805a7fbded81 pdf-flush.patch -20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0 85.patch" +20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0 85.patch +ebe5d71b18aa9eefe1e0a6c150761bb7abef41f144f37eb0bfa8a01947aacb1292ac131cf815dcaaaa6478c0aac07ca5428fba28ad346a00c5aaa5fa64f6ff5b fix-inf-loop.patch +" diff --git a/main/cairo/fix-inf-loop.patch b/main/cairo/fix-inf-loop.patch new file mode 100644 index 00000000000..2a26876c36d --- /dev/null +++ b/main/cairo/fix-inf-loop.patch @@ -0,0 +1,36 @@ +From bbeaf08190d3006a80b80a77724801cd477a37b8 Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <hlewin@worldiety.de> +Date: Sat, 17 Apr 2021 19:15:03 +0200 +Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop + +--- + src/cairo-arc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/cairo-arc.c b/src/cairo-arc.c +index 390397bae..1c891d1a0 100644 +--- a/src/cairo-arc.c ++++ b/src/cairo-arc.c +@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) + { M_PI / 11.0, 9.81410988043554039085e-09 }, + }; + int table_size = ARRAY_LENGTH (table); ++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */ + + for (i = 0; i < table_size; i++) + if (table[i].error < tolerance) + return table[i].angle; + + ++i; ++ + do { + angle = M_PI / i++; + error = _arc_error_normalized (angle); +- } while (error > tolerance); ++ } while (error > tolerance && i < max_segments); + + return angle; + } +-- +GitLab + diff --git a/main/clamav/APKBUILD b/main/clamav/APKBUILD index b12b4efdb0a..1f771ccd45f 100644 --- a/main/clamav/APKBUILD +++ b/main/clamav/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Carlo Landmeter <clandmeter@alpinelinux.org> # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org> pkgname=clamav -pkgver=0.103.2 +pkgver=0.103.6 pkgrel=0 pkgusers="clamav" pkggroups="clamav" @@ -32,6 +32,13 @@ source="https://www.clamav.net/downloads/production/clamav-$pkgver.tar.gz # secfixes: +# 0.103.6-r0: +# - CVE-2022-20698 +# - CVE-2022-20770 +# - CVE-2022-20771 +# - CVE-2022-20785 +# - CVE-2022-20792 +# - CVE-2022-20796 # 0.103.2-r0: # - CVE-2021-1405 # - CVE-2021-1404 @@ -256,10 +263,12 @@ milter() { "$subpkgdir"/etc/clamav/clamav-milter.conf } -sha512sums="87d47c4529a57da0b47b3744a279996ca24fa74ce10d7e27a53c19c1e13098af680e0e48ed767122bb2bbd3f927302451da84ccf51a933e7e3556ef43cbe9f45 clamav-0.103.2.tar.gz +sha512sums=" +d39e1964678b8251bde3a9f3db30fe3d3d76cc566a86834297f4dd8489086dc9cc4c6541ca128089159f4c071d2d85b530455bd942987d3929ea0082b8ab272b clamav-0.103.6.tar.gz d886d810de66e8da800384c1e8192f7da4352402ffc3b33cfbca93d81a2235d8c902ca9d436b9be70f00740b4555e1efbf09bf9f84059095a1a297b27581cd20 clamd.initd 59c561b3dcb0b616b647cd8e4ebc46a2cc5e7144c8c7ea0054cc1c3021d1da8f67e4dad5c083c3fe712ed887aaabfca91b538f4759537e7c4c9ab71ba4fd5794 clamd.confd 6f0c615b89f0f0d2f0e9f965f025b9ac8c81b2168fa6727dc8a47222abd780f9b656732f289d6061a20126b16126a975d50e8b3b8ff131f55dd8803da8be5dec freshclam.initd ba181fe1abaac7b898ccb40b0713455aa3c9d5e25ad21d687b6cac09b0105b9e376526e7c776a44636234d8db819709d8d6a6cc76119bc3e98b637b1a3f26c08 freshclam.confd 3ae493dd1610a819402c015f6b8c0f080f926b72dc43d2bded60030bf6a55040e4b88e0f64d3aae299dc1133d7e1b89855e7346b4665a64e8b82592f7b75cf6a clamd.logrotate -30cff378bc28c76b795e00c92ae5ee623f3abe4a19bed61dd8403c96e72658bb02b7f040d26a6258104af754464d25ea7d9646918c4b47d2ba9a8cbf4687056c freshclam.logrotate" +30cff378bc28c76b795e00c92ae5ee623f3abe4a19bed61dd8403c96e72658bb02b7f040d26a6258104af754464d25ea7d9646918c4b47d2ba9a8cbf4687056c freshclam.logrotate +" diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD index e8964262282..8fc057ab640 100644 --- a/main/cups/APKBUILD +++ b/main/cups/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cups pkgver=2.3.3 -pkgrel=1 +pkgrel=2 pkgdesc="The CUPS Printing System" url="https://www.cups.org/" arch="all" @@ -20,9 +20,12 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenPrinting/cups/archive/v$ cupsd.initd cups-no-export-ssllibs.patch default-config-no-gssapi.patch + CVE-2022-26691.patch " # secfixes: +# 2.3.3-r2: +# - CVE-2022-26691 # 2.3.3-r0: # - CVE-2020-3898 # - CVE-2019-8842 @@ -126,8 +129,11 @@ _mv() { done } -sha512sums="5a43ef98f83c1783221155c01de940f3679023251709931ef28572c7b00620b36252afe894e86f2f08a527008dc2c95dc8af4129f0ab28a28663be8d3ccc3418 cups-2.3.3.tar.gz +sha512sums=" +5a43ef98f83c1783221155c01de940f3679023251709931ef28572c7b00620b36252afe894e86f2f08a527008dc2c95dc8af4129f0ab28a28663be8d3ccc3418 cups-2.3.3.tar.gz cf64211da59e79285f99d437c02fdd7db462855fb2920ec9563ba47bd8a9e5cbd10555094940ceedeb41ac805c4f0ddb9147481470112a11a76220d0298aef79 cups.logrotate 2c2683f755a220166b3a1653fdd1a6daa9718c8f0bbdff2e2d5e61d1133306260d63a83d3ff41619b5cf84c4913fae5822b79553e2822858f38fa3613f4c7082 cupsd.initd 7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch -ac1ec4453d6a4b641d40089c77d3b776963d90efb092851c8d93deceb6068b111dee71171967ffb7ad0f5adb424398a43f51feb7d5d9734287cfb9e419efaa93 default-config-no-gssapi.patch" +ac1ec4453d6a4b641d40089c77d3b776963d90efb092851c8d93deceb6068b111dee71171967ffb7ad0f5adb424398a43f51feb7d5d9734287cfb9e419efaa93 default-config-no-gssapi.patch +691509ee6cd05c6ccb07f4785096f7e94791cde9c87ebebe951e0d45d2f9292a88e7415ef272761090be0758ec14bde489325a07c9967e04deb7922d1205662d CVE-2022-26691.patch +" diff --git a/main/cups/CVE-2022-26691.patch b/main/cups/CVE-2022-26691.patch new file mode 100644 index 00000000000..d1f2d37ca3b --- /dev/null +++ b/main/cups/CVE-2022-26691.patch @@ -0,0 +1,33 @@ +Patch-Source: https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444 +From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal <zdohnal@redhat.com> +Date: Thu, 26 May 2022 06:27:04 +0200 +Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes + CVE-2022-26691) + +The previous algorithm didn't expect the strings can have a different +length, so one string can be a substring of the other and such substring +was reported as equal to the longer string. +--- + CHANGES.md | 1 + + scheduler/cert.c | 9 ++++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/scheduler/cert.c b/scheduler/cert.c +index b268bf1b2..9b65b96c9 100644 +--- a/scheduler/cert.c ++++ b/scheduler/cert.c +@@ -444,5 +444,12 @@ ctcompare(const char *a, /* I - First string */ + b ++; + } + +- return (result); ++ /* ++ * The while loop finishes when *a == '\0' or *b == '\0' ++ * so after the while loop either both *a and *b == '\0', ++ * or one points inside a string, so when we apply logical OR on *a, ++ * *b and result, we get a non-zero return value if the compared strings don't match. ++ */ ++ ++ return (result | *a | *b); + } diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD index bb23e53483d..c82e481b899 100644 --- a/main/curl/APKBUILD +++ b/main/curl/APKBUILD @@ -4,7 +4,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=curl pkgver=7.79.1 -pkgrel=0 +pkgrel=3 pkgdesc="URL retrival utility and library" url="https://curl.se/" arch="all" @@ -15,10 +15,38 @@ checkdepends="nghttp2 python3" makedepends_host="$depends_dev" makedepends_build="autoconf automake groff libtool perl" subpackages="$pkgname-dbg $pkgname-static $pkgname-doc $pkgname-dev libcurl" -source="https://curl.se/download/curl-$pkgver.tar.xz" +source="https://curl.se/download/curl-$pkgver.tar.xz + CVE-2022-22576.patch + CVE-2022-27774-pre.patch + CVE-2022-27774.patch + CVE-2022-27775.patch + CVE-2022-27776.patch + CVE-2022-27781.patch + CVE-2022-27782-1.patch + CVE-2022-27782-2.patch + CVE-2022-32205.patch + CVE-2022-32206.patch + CVE-2022-32207.patch + CVE-2022-32208.patch + CVE-2022-35252.patch + " options="net" # Required for running tests # secfixes: +# 7.79.1-r3: +# - CVE-2022-35252 +# 7.79.1-r2: +# - CVE-2022-27781 +# - CVE-2022-27782 +# - CVE-2022-32205 +# - CVE-2022-32206 +# - CVE-2022-32207 +# - CVE-2022-32208 +# 7.79.1-r1: +# - CVE-2022-22576 +# - CVE-2022-27774 +# - CVE-2022-27775 +# - CVE-2022-27776 # 7.79.0-r0: # - CVE-2021-22945 # - CVE-2021-22946 @@ -159,4 +187,17 @@ static() { sha512sums=" 1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d curl-7.79.1.tar.xz +9456de77de52e7980fb8e42bdc524b56dc7029c8205209de2de39d6354c8f5457e3fc8068d36d55cbf96ae82aabd390afc94721995dfc4b8e4a69bed9d0b00c8 CVE-2022-22576.patch +63af4876fa94ff11ec3c1d4a36cfd2919083cf57cedc5086703966e627b27d8fac520155214b6f81e80a38a392cbd542f135f218944ae5117cf8b1ba388c7046 CVE-2022-27774-pre.patch +4161539ebf5b9d4b1c5f4f83a8af313a96f5d9a4871a3da5f1ea564903b9079ac02003816f613e05aec9f3819bd2e152bb7885d0df138997abcaeb4adab897d6 CVE-2022-27774.patch +c68b3eff3ef6120277c8acbd1d3ce4e16a26219a6b543af03a7bb9c5c3bc5d3480c237f11470995d088c9cbd06531352b86b151038cfcd551477038da0a96b33 CVE-2022-27775.patch +116d30037af107cd028bd6404b6488106ebe1f3482b65159fe6764c355edf57b5fc460ce034a4eb07053f97128d68e89ef50ae080b33ee82b0fc5460f09866c4 CVE-2022-27776.patch +fadf9c524f88077d43bcb578b46aa0e5587de2aeb1ed14ac5c29b18d30b230ca332d3c459bf2b34ad3b02cf5748803ad9a34947c803b75724a471359107e07b2 CVE-2022-27781.patch +79ee4ccfc88a5e398fc516111f17c03f1477602d91108b94741963ab3ebd0fe6b297e88378ce4e7c7fad6700f2a8e5e56f70a2342f52a466fc0ff017665338fc CVE-2022-27782-1.patch +a8571c6b34eaa635fb333949cfde0a5c6ddb9f02ed3ece91501e43a3d1536969f47cfb8b3044c9ffd6fd4afaf9fcf7904bc135c25089ccbab8e7d8eefbd2d0f1 CVE-2022-27782-2.patch +15fdc687ae01d5bc0a1f206d87bb91f76056cae788378d21b6110df0930672d864741bc29e93ecafea16433ef0f227c17852e6f5638de856c426d910de4763ae CVE-2022-32205.patch +81e28def4632cb542b0268889e6fb7f9b0c2950564cdeab39e582a22ab2b1e5a9c3e11865afe5833b8e892c501ba1aed609b4abf3131ec8668f70fcea8375e7c CVE-2022-32206.patch +1eb22a9ec7dad02927a53b2c81b9288ed52a8f4f76db66958622de6bcbb8024eb034e83b70cd1e20ed265e9f5f1c453d1ee37b6bfe54c4aa18b6f4c6bccd5a5f CVE-2022-32207.patch +f8eedaaa7a994ff763ce96f7e7e74b36eb1ce49ee8809cfe25e1562276702f70f064ee2b858ef2f07157a502ba71fb4b39b395fc53c2f47e2547597cb11a6bfa CVE-2022-32208.patch +1a8b058a8738f2d3558aecfc45eec67218c0c38c560916400a6e9eec64c44ae9beae05e48c20441579027427f0ff9c943c5c2aff35de3e66083205e92bf1e0e7 CVE-2022-35252.patch " diff --git a/main/curl/CVE-2022-22576.patch b/main/curl/CVE-2022-22576.patch new file mode 100644 index 00000000000..5238d9998b4 --- /dev/null +++ b/main/curl/CVE-2022-22576.patch @@ -0,0 +1,143 @@ +Patch-Source: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 +From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat <patrick@monnerat.net> +Date: Mon, 25 Apr 2022 11:44:05 +0200 +Subject: [PATCH] url: check sasl additional parameters for connection reuse. + +Also move static function safecmp() as non-static Curl_safecmp() since +its purpose is needed at several places. + +Bug: https://curl.se/docs/CVE-2022-22576.html + +CVE-2022-22576 + +Closes #8746 +--- + lib/strcase.c | 10 ++++++++++ + lib/strcase.h | 2 ++ + lib/url.c | 13 ++++++++++++- + lib/urldata.h | 1 + + lib/vtls/vtls.c | 21 ++++++--------------- + 5 files changed, 31 insertions(+), 16 deletions(-) + +diff --git a/lib/strcase.c b/lib/strcase.c +index dd46ca1ba0e5..692a3f14aee7 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) + } while(*src++ && --n); + } + ++/* Compare case-sensitive NUL-terminated strings, taking care of possible ++ * null pointers. Return true if arguments match. ++ */ ++bool Curl_safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ return !a && !b; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index b234d3815220..2635f5117e99 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -49,4 +49,6 @@ char Curl_raw_toupper(char in); + void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + ++bool Curl_safecmp(char *a, char *b); ++ + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index 9a988b4d58d8..e1647b133854 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -781,6 +781,7 @@ static void conn_free(struct connectdata *conn) + Curl_safefree(conn->passwd); + Curl_safefree(conn->sasl_authzid); + Curl_safefree(conn->options); ++ Curl_safefree(conn->oauth_bearer); + Curl_dyn_free(&conn->trailer); + Curl_safefree(conn->host.rawalloc); /* host name buffer */ + Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ +@@ -1342,7 +1343,9 @@ ConnectionExists(struct Curl_easy *data, + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ + if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ strcmp(needle->passwd, check->passwd) || ++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || ++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -3637,6 +3640,14 @@ static CURLcode create_conn(struct Curl_easy *data, + } + } + ++ if(data->set.str[STRING_BEARER]) { ++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); ++ if(!conn->oauth_bearer) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto out; ++ } ++ } ++ + #ifdef USE_UNIX_SOCKETS + if(data->set.str[STRING_UNIX_SOCKET_PATH]) { + conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); +diff --git a/lib/urldata.h b/lib/urldata.h +index 07eb19b87034..1d89b8d7fa68 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -984,6 +984,7 @@ struct connectdata { + char *passwd; /* password string, allocated */ + char *options; /* options string, allocated */ + char *sasl_authzid; /* authorisation identity string, allocated */ ++ char *oauth_bearer; /* OAUTH2 bearer, allocated */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 03b85ba065e5..a40ac06f684f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + +-static bool safecmp(char *a, char *b) +-{ +- if(a && b) +- return !strcmp(a, b); +- else if(!a && !b) +- return TRUE; /* match */ +- return FALSE; /* no match */ +-} +- + + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, +@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + blobcmp(data->cert_blob, needle->cert_blob) && + blobcmp(data->ca_info_blob, needle->ca_info_blob) && + blobcmp(data->issuercert_blob, needle->issuercert_blob) && +- safecmp(data->CApath, needle->CApath) && +- safecmp(data->CAfile, needle->CAfile) && +- safecmp(data->issuercert, needle->issuercert) && +- safecmp(data->clientcert, needle->clientcert) && +- safecmp(data->random_file, needle->random_file) && +- safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->CApath, needle->CApath) && ++ Curl_safecmp(data->CAfile, needle->CAfile) && ++ Curl_safecmp(data->issuercert, needle->issuercert) && ++ Curl_safecmp(data->clientcert, needle->clientcert) && ++ Curl_safecmp(data->random_file, needle->random_file) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && diff --git a/main/curl/CVE-2022-27774-pre.patch b/main/curl/CVE-2022-27774-pre.patch new file mode 100644 index 00000000000..b5cf4fccc30 --- /dev/null +++ b/main/curl/CVE-2022-27774-pre.patch @@ -0,0 +1,41 @@ +Patch-Source: https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839 +From 08b8ef4e726ba10f45081ecda5b3cea788d3c839 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/connect.c b/lib/connect.c +index e0b740147157..9bcf525ebb39 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, + data->info.conn_scheme = conn->handler->scheme; + data->info.conn_protocol = conn->handler->protocol; + data->info.conn_primary_port = conn->port; ++ data->info.conn_remote_port = conn->remote_port; + data->info.conn_local_port = local_port; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index ef2174d9e727..9c34ec444c08 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1160,7 +1160,11 @@ struct PureInfo { + reused, in the connection cache. */ + + char conn_primary_ip[MAX_IPADR_LEN]; +- int conn_primary_port; ++ int conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ int conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + int conn_local_port; + const char *conn_scheme; diff --git a/main/curl/CVE-2022-27774.patch b/main/curl/CVE-2022-27774.patch new file mode 100644 index 00000000000..db358af55e6 --- /dev/null +++ b/main/curl/CVE-2022-27774.patch @@ -0,0 +1,78 @@ +Patch-Source: https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 +From 620ea21410030a9977396b4661806bc187231b79 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] transfer: redirects to other protocols or ports clear auth + +... unless explicitly permitted. + +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 +--- + lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 48 insertions(+), 1 deletion(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 53ef0b03b8e0..315da876c4a8 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1611,10 +1611,57 @@ CURLcode Curl_follow(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && (p->protocol != data->info.conn_protocol)) { ++ infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) { ++ Curl_safefree(data->state.aptr.user); ++ Curl_safefree(data->state.aptr.passwd); ++ } ++ } + } + + if(type == FOLLOW_FAKE) { diff --git a/main/curl/CVE-2022-27775.patch b/main/curl/CVE-2022-27775.patch new file mode 100644 index 00000000000..e1c02b8969d --- /dev/null +++ b/main/curl/CVE-2022-27775.patch @@ -0,0 +1,35 @@ +Patch-Source: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705 +From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 11:48:00 +0200 +Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey + +Make connections to two separate IPv6 zone ids create separate +connections. + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27775.html +Closes #8747 +--- + lib/conncache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/conncache.c b/lib/conncache.c +index ec669b971dc3..8948b53fa500 100644 +--- a/lib/conncache.c ++++ b/lib/conncache.c +@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf, + /* report back which name we used */ + *hostp = hostname; + +- /* put the number first so that the hostname gets cut off if too long */ +- msnprintf(buf, len, "%ld%s", port, hostname); ++ /* put the numbers first so that the hostname gets cut off if too long */ ++#ifdef ENABLE_IPV6 ++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); ++#else ++ msnprintf(buf, len, "%ld/%s", port, hostname); ++#endif + Curl_strntolower(buf, buf, len); + } + diff --git a/main/curl/CVE-2022-27776.patch b/main/curl/CVE-2022-27776.patch new file mode 100644 index 00000000000..59ffa79a36a --- /dev/null +++ b/main/curl/CVE-2022-27776.patch @@ -0,0 +1,113 @@ +Patch-Source: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258 +From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 13:05:40 +0200 +Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port + +CVE-2022-27776 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27776.html +Closes #8749 +--- + lib/http.c | 34 ++++++++++++++++++++++------------ + lib/urldata.h | 16 +++++++++------- + 2 files changed, 31 insertions(+), 19 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index ce79fc4e31c8..f0476f3b9272 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data, + return CURLE_OK; + } + ++/* ++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive ++ * data" can (still) be sent to this host. ++ */ ++static bool allow_auth_to_host(struct Curl_easy *data) ++{ ++ struct connectdata *conn = data->conn; ++ return (!data->state.this_is_a_follow || ++ data->set.allow_auth_to_other_hosts || ++ (data->state.first_host && ++ strcasecompare(data->state.first_host, conn->host.name) && ++ (data->state.first_remote_port == conn->remote_port) && ++ (data->state.first_remote_protocol == conn->handler->protocol))); ++} ++ + /** + * Curl_http_output_auth() setups the authentication headers for the + * host/proxy and the correct authentication +@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data, + with it */ + authproxy->done = TRUE; + +- /* To prevent the user+password to get sent to other than the original +- host due to a location-follow, we do some weirdo checks here */ +- if(!data->state.this_is_a_follow || ++ /* To prevent the user+password to get sent to other than the original host ++ due to a location-follow */ ++ if(allow_auth_to_host(data) + #ifndef CURL_DISABLE_NETRC +- conn->bits.netrc || ++ || conn->bits.netrc + #endif +- !data->state.first_host || +- data->set.allow_auth_to_other_hosts || +- strcasecompare(data->state.first_host, conn->host.name)) { ++ ) + result = output_auth_headers(data, conn, authhost, request, path, FALSE); +- } + else + authhost->done = TRUE; + +@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- (data->state.this_is_a_follow && +- data->state.first_host && +- !data->set.allow_auth_to_other_hosts && +- !strcasecompare(data->state.first_host, conn->host.name))) ++ !allow_auth_to_host(data)) + ; + else { + #ifdef USE_HYPER +@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + return CURLE_OUT_OF_MEMORY; + + data->state.first_remote_port = conn->remote_port; ++ data->state.first_remote_protocol = conn->handler->protocol; + } + Curl_safefree(data->state.aptr.host); + +diff --git a/lib/urldata.h b/lib/urldata.h +index 1d89b8d7fa68..ef2174d9e727 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1329,14 +1329,16 @@ struct UrlState { + char *ulbuf; /* allocated upload buffer or NULL */ + curl_off_t current_speed; /* the ProgressShow() function sets this, + bytes / second */ +- char *first_host; /* host name of the first (not followed) request. +- if set, this should be the host name that we will +- sent authorization to, no else. Used to make Location: +- following not keep sending user+password... This is +- strdup() data. +- */ ++ ++ /* host name, port number and protocol of the first (not followed) request. ++ if set, this should be the host name that we will sent authorization to, ++ no else. Used to make Location: following not keep sending user+password. ++ This is strdup()ed data. */ ++ char *first_host; ++ int first_remote_port; ++ unsigned int first_remote_protocol; ++ + int retrycount; /* number of retries on a new connection */ +- int first_remote_port; /* remote port of the first (not followed) request */ + struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ + long sessionage; /* number of the most recent session */ + struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */ diff --git a/main/curl/CVE-2022-27781.patch b/main/curl/CVE-2022-27781.patch new file mode 100644 index 00000000000..91dd127f778 --- /dev/null +++ b/main/curl/CVE-2022-27781.patch @@ -0,0 +1,44 @@ +Patch-Source: https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917 +From 5c7da89d404bf59c8dd82a001119a16d18365917 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 9 May 2022 10:07:15 +0200 +Subject: [PATCH] nss: return error if seemingly stuck in a cert loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2022-27781 + +Reported-by: Florian Kohnhäuser +Bug: https://curl.se/docs/CVE-2022-27781.html +Closes #8822 +--- + lib/vtls/nss.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 5b7de9f818952..569c0628feb5c 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, + PR_Free(common_name); + } + ++/* A number of certs that will never occur in a real server handshake */ ++#define TOO_MANY_CERTS 300 ++ + static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) + { + CURLcode result = CURLE_OK; +@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) + cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); + while(cert2) { + i++; ++ if(i >= TOO_MANY_CERTS) { ++ CERT_DestroyCertificate(cert2); ++ failf(data, "certificate loop"); ++ return CURLE_SSL_CERTPROBLEM; ++ } + if(cert2->isRoot) { + CERT_DestroyCertificate(cert2); + break; diff --git a/main/curl/CVE-2022-27782-1.patch b/main/curl/CVE-2022-27782-1.patch new file mode 100644 index 00000000000..c2a6bdb5d2e --- /dev/null +++ b/main/curl/CVE-2022-27782-1.patch @@ -0,0 +1,355 @@ +Patch-Source: https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c (modified) +gnutls changes dropped as we build without it +--- +From f18af4f874cecab82a9797e8c7541e0990c7a64c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 23 ++++++++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 32 +++++++++++++++++--------------- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 6 +++--- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 21 +++++++++++++++++++++ + 8 files changed, 87 insertions(+), 49 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 0df1afa614455..05e1a544dfd58 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + #ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + #endif + break; + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + #ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + #endif + break; + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #endif +diff --git a/lib/url.c b/lib/url.c +index 8e7fb25eeb495..cf14a333ac694 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -542,7 +542,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; + conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; + conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; ++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #ifndef CURL_DISABLE_PROXY + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; + conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; + conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; ++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #endif + conn->ip_version = data->set.ipver; + conn->bits.connect_only = data->set.connect_only; +@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.primary.issuercert_blob = + data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + #ifndef CURL_DISABLE_PROXY +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 9c34ec444c08f..584434d774b3d 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -253,10 +253,17 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ + struct curl_blob *cert_blob; + struct curl_blob *ca_info_blob; + struct curl_blob *issuercert_blob; ++#ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++#endif + char *curves; /* list of curves to use */ ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -266,7 +273,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +@@ -274,11 +280,6 @@ struct ssl_config_data { + struct curl_blob *key_blob; + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 975094f4fa795..b60b9cac50d4f 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + const char * const hostname = SSL_HOST_NAME(); + #ifndef CURL_DISABLE_VERBOSE_STRINGS + const long int port = SSL_HOST_PORT(); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 569c0628feb5c..cb0509ff5b829 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(primary.clientcert)) { +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 39c0a82b1a46e..635e9c15e74e7 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2662,7 +2662,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_OPENSSL_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +@@ -2673,7 +2673,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; +@@ -2925,14 +2925,14 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #ifdef USE_OPENSSL_SRP + if(ssl_authtype == CURL_TLSAUTH_SRP) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index a40ac06f684f2..e2d34388ccd40 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + { + if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ Curl_safecmp(data->username, needle->username) && ++ Curl_safecmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++ dest->ssl_options = source->ssl_options; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_BLOB(cert_blob); + CLONE_BLOB(ca_info_blob); +@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); + CLONE_STRING(curves); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->ca_info_blob); + Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL diff --git a/main/curl/CVE-2022-27782-2.patch b/main/curl/CVE-2022-27782-2.patch new file mode 100644 index 00000000000..c2dec9fda18 --- /dev/null +++ b/main/curl/CVE-2022-27782-2.patch @@ -0,0 +1,69 @@ +Patch-Source: https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5 +From 1645e9b44505abd5cbaf65da5282c3f33b5924a5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] url: check SSH config match on connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 +--- + lib/url.c | 11 +++++++++++ + lib/vssh/ssh.h | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index cf14a333ac694..6b31d4b1315dd 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1100,6 +1100,12 @@ static void prune_dead_connections(struct Curl_easy *data) + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + ++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 7972081ec610f..30d82e57648ed 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -131,8 +131,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + bool acceptfail; /* used by the SFTP_QUOTE (continue if + quote command fails) */ diff --git a/main/curl/CVE-2022-32205.patch b/main/curl/CVE-2022-32205.patch new file mode 100644 index 00000000000..2573d9bf1d8 --- /dev/null +++ b/main/curl/CVE-2022-32205.patch @@ -0,0 +1,171 @@ +Patch-Source: https://github.com/curl/curl/commit/48d7064a49148f03942380967da739dcde1cdc24 +From 48d7064a49148f03942380967da739dcde1cdc24 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Sun, 26 Jun 2022 11:00:48 +0200 +Subject: [PATCH] cookie: apply limits + +- Send no more than 150 cookies per request +- Cap the max length used for a cookie: header to 8K +- Cap the max number of received Set-Cookie: headers to 50 + +Bug: https://curl.se/docs/CVE-2022-32205.html +CVE-2022-32205 +Reported-by: Harry Sintonen +Closes #9048 +--- + lib/cookie.c | 14 ++++++++++++-- + lib/cookie.h | 21 +++++++++++++++++++-- + lib/http.c | 13 +++++++++++-- + lib/urldata.h | 1 + + 4 files changed, 43 insertions(+), 6 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index a308346a777bc..a1ab89532033b 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -482,6 +482,10 @@ Curl_cookie_add(struct Curl_easy *data, + (void)data; + #endif + ++ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ ++ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) ++ return NULL; ++ + /* First, alloc and init a new struct for it */ + co = calloc(1, sizeof(struct Cookie)); + if(!co) +@@ -821,7 +825,7 @@ Curl_cookie_add(struct Curl_easy *data, + freecookie(co); + return NULL; + } +- ++ data->req.setcookies++; + } + else { + /* +@@ -1375,7 +1379,8 @@ static struct Cookie *dup_cookie(struct Cookie *src) + * + * It shall only return cookies that haven't expired. + */ +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, + const char *host, const char *path, + bool secure) + { +@@ -1430,6 +1435,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, + mainco = newco; + + matches++; ++ if(matches >= MAX_COOKIE_SEND_AMOUNT) { ++ infof(data, "Included max number of cookies (%u) in request!", ++ matches); ++ break; ++ } + } + else + goto fail; +diff --git a/lib/cookie.h b/lib/cookie.h +index 453dfced8a342..abc0a2e8a01ad 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -83,10 +83,26 @@ struct CookieInfo { + */ + #define MAX_COOKIE_LINE 5000 + +-/* This is the maximum length of a cookie name or content we deal with: */ ++/* Maximum length of an incoming cookie name or content we deal with. Longer ++ cookies are ignored. */ + #define MAX_NAME 4096 + #define MAX_NAME_TXT "4095" + ++/* Maximum size for an outgoing cookie line libcurl will use in an http ++ request. This is the default maximum length used in some versions of Apache ++ httpd. */ ++#define MAX_COOKIE_HEADER_LEN 8190 ++ ++/* Maximum number of cookies libcurl will send in a single request, even if ++ there might be more cookies that match. One reason to cap the number is to ++ keep the maximum HTTP request within the maximum allowed size. */ ++#define MAX_COOKIE_SEND_AMOUNT 150 ++ ++/* Maximum number of Set-Cookie: lines accepted in a single response. If more ++ such header lines are received, they are ignored. This value must be less ++ than 256 since an unsigned char is used to count. */ ++#define MAX_SET_COOKIE_AMOUNT 50 ++ + struct Curl_easy; + /* + * Add a cookie to the internal list of cookies. The domain and path arguments +@@ -99,7 +115,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, + const char *domain, const char *path, + bool secure); + +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, const char *host, + const char *path, bool secure); + void Curl_cookie_freelist(struct Cookie *cookies); + void Curl_cookie_clearall(struct CookieInfo *cookies); +diff --git a/lib/http.c b/lib/http.c +index 5284475ba92c4..258722a602e40 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2711,11 +2711,13 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + } + + #if !defined(CURL_DISABLE_COOKIES) ++ + CURLcode Curl_http_cookies(struct Curl_easy *data, + struct connectdata *conn, + struct dynbuf *r) + { + CURLcode result = CURLE_OK; + char *addcookies = NULL; ++ bool linecap = FALSE; + if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(data, "Cookie")) + addcookies = data->set.str[STRING_COOKIE]; +@@ -2734,7 +2736,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + !strcmp(host, "127.0.0.1") || + !strcmp(host, "[::1]") ? TRUE : FALSE; + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); +- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, ++ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, + secure_context); + Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); + } +@@ -2748,6 +2750,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + if(result) + break; + } ++ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= ++ MAX_COOKIE_HEADER_LEN) { ++ infof(data, "Restricted outgoing cookies due to header size, " ++ "'%s' not sent", co->name); ++ linecap = TRUE; ++ break; ++ } + result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", + co->name, co->value); + if(result) +@@ -2758,7 +2767,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + } + Curl_cookie_freelist(store); + } +- if(addcookies && !result) { ++ if(addcookies && !result && !linecap) { + if(!count) + result = Curl_dyn_addn(r, STRCONST("Cookie: ")); + if(!result) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 17fe25720be33..bcb4d460c2fe6 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -698,6 +698,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char setcookies; + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding diff --git a/main/curl/CVE-2022-32206.patch b/main/curl/CVE-2022-32206.patch new file mode 100644 index 00000000000..6999fb2b2cb --- /dev/null +++ b/main/curl/CVE-2022-32206.patch @@ -0,0 +1,49 @@ +Patch-Source: https://github.com/curl/curl/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2 +From 3a09fbb7f264c67c438d01a30669ce325aa508e2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH] content_encoding: return error on too many compression steps + +The max allowed steps is arbitrarily set to 5. + +Bug: https://curl.se/docs/CVE-2022-32206.html +CVE-2022-32206 +Reported-by: Harry Sintonen +Closes #9049 +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c5591ca48ac78..95ba48a2dd563 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1028,12 +1028,16 @@ static const struct content_encoding *find_encoding(const char *name, + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -1068,6 +1072,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) diff --git a/main/curl/CVE-2022-32207.patch b/main/curl/CVE-2022-32207.patch new file mode 100644 index 00000000000..e8875e39fae --- /dev/null +++ b/main/curl/CVE-2022-32207.patch @@ -0,0 +1,281 @@ +Patch-Source: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f +From 20f9dd6bae50b7223171b17ba7798946e74f877f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files + +Bug: https://curl.se/docs/CVE-2022-32207.html +CVE-2022-32207 +Reported-by: Harry Sintonen +Closes #9050 +--- + CMakeLists.txt | 1 + + configure.ac | 1 + + lib/Makefile.inc | 2 + + lib/cookie.c | 19 ++----- + lib/curl_config.h.cmake | 3 ++ + lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 30 +++++++++++ + 7 files changed, 154 insertions(+), 15 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 45d763d5a9c1d..ad20777f3d688 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1067,6 +1067,7 @@ elseif(HAVE_LIBSOCKET) + set(CMAKE_REQUIRED_LIBRARIES socket) + endif() + ++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) + check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) + check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) + check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) +diff --git a/configure.ac b/configure.ac +index b0245b99a669f..de2dee5a484ed 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3438,6 +3438,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se + + + AC_CHECK_FUNCS([fnmatch \ ++ fchmod \ + geteuid \ + getpass_r \ + getppid \ +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index 533e16df97020..9bd8e324bd1c1 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -137,6 +137,7 @@ LIB_CFILES = \ + escape.c \ + file.c \ + fileinfo.c \ ++ fopen.c \ + formdata.c \ + ftp.c \ + ftplistparser.c \ +@@ -270,6 +271,7 @@ LIB_HFILES = \ + escape.h \ + file.h \ + fileinfo.h \ ++ fopen.h \ + formdata.h \ + ftp.h \ + ftplistparser.h \ +diff --git a/lib/cookie.c b/lib/cookie.c +index a1ab89532033b..cb57b86387191 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -99,8 +99,8 @@ Example set of cookies: + #include "curl_get_line.h" + #include "curl_memrchr.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1641,20 +1641,9 @@ static CURLcode cookie_output(struct Curl_easy *data, + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) { +- error = CURLE_WRITE_ERROR; ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) + goto error; +- } + } + + fputs("# Netscape HTTP Cookie File\n" +@@ -1701,7 +1690,7 @@ static CURLcode cookie_output(struct Curl_easy *data, + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + error = CURLE_WRITE_ERROR; + goto error; +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake +index cd4b568d89948..eb2c62b971453 100644 +--- a/lib/curl_config.h.cmake ++++ b/lib/curl_config.h.cmake +@@ -159,6 +159,9 @@ + /* Define to 1 if you have the <assert.h> header file. */ + #cmakedefine HAVE_ASSERT_H 1 + ++/* Define to 1 if you have the `fchmod' function. */ ++#cmakedefine HAVE_FCHMOD 1 ++ + /* Define to 1 if you have the `basename' function. */ + #cmakedefine HAVE_BASENAME 1 + +diff --git a/lib/fopen.c b/lib/fopen.c +new file mode 100644 +index 0000000000000..ad3691ba9d158 +--- /dev/null ++++ b/lib/fopen.c +@@ -0,0 +1,113 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ ++ !defined(CURL_DISABLE_HSTS) ++ ++#ifdef HAVE_FCNTL_H ++#include <fcntl.h> ++#endif ++ ++#include "urldata.h" ++#include "rand.h" ++#include "fopen.h" ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" ++#include "memdebug.h" ++ ++/* ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed ++ * to the final name when completed. If there is an existing file using this ++ * name at the time of the open, this function will clone the mode from that ++ * file. if 'tempname' is non-NULL, it needs a rename after the file is ++ * written. ++ */ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname) ++{ ++ CURLcode result = CURLE_WRITE_ERROR; ++ unsigned char randsuffix[9]; ++ char *tempstore = NULL; ++ struct_stat sb; ++ int fd = -1; ++ *tempname = NULL; ++ ++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ /* a non-regular file, fallback to direct fopen() */ ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(*fh) ++ return CURLE_OK; ++ goto fail; ++ } ++ ++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ if(result) ++ goto fail; ++ ++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ if(!tempstore) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } ++ ++ result = CURLE_WRITE_ERROR; ++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); ++ if(fd == -1) ++ goto fail; ++ ++#ifdef HAVE_FCHMOD ++ { ++ struct_stat nsb; ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } ++ } ++#endif ++ ++ *fh = fdopen(fd, FOPEN_WRITETEXT); ++ if(!*fh) ++ goto fail; ++ ++ *tempname = tempstore; ++ return CURLE_OK; ++ ++fail: ++ if(fd != -1) { ++ close(fd); ++ unlink(tempstore); ++ } ++ ++ free(tempstore); ++ ++ *tempname = NULL; ++ return result; ++} ++ ++#endif /* ! disabled */ +diff --git a/lib/fopen.h b/lib/fopen.h +new file mode 100644 +index 0000000000000..289e55f2afd24 +--- /dev/null ++++ b/lib/fopen.h +@@ -0,0 +1,30 @@ ++#ifndef HEADER_CURL_FOPEN_H ++#define HEADER_CURL_FOPEN_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif diff --git a/main/curl/CVE-2022-32208.patch b/main/curl/CVE-2022-32208.patch new file mode 100644 index 00000000000..35a5c840d55 --- /dev/null +++ b/main/curl/CVE-2022-32208.patch @@ -0,0 +1,65 @@ +Patch-Source: https://github.com/curl/curl/commit/6ecdf5136b52af747e7bda08db9a748256b1cd09 +From 6ecdf5136b52af747e7bda08db9a748256b1cd09 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +Bug: https://curl.se/docs/CVE-2022-32208.html +CVE-2022-32208 +Reported-by: Harry Sintonen +Closes #9051 +--- + lib/krb5.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/krb5.c b/lib/krb5.c +index e289595c9e1dd..517491c4658bf 100644 +--- a/lib/krb5.c ++++ b/lib/krb5.c +@@ -142,11 +142,8 @@ krb5_decode(void *app_data, void *buf, int len, + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +@@ -508,6 +505,7 @@ static CURLcode read_data(struct connectdata *conn, + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -516,7 +514,10 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -524,8 +525,11 @@ static CURLcode read_data(struct connectdata *conn, + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + buf->index = 0; + return CURLE_OK; + } diff --git a/main/curl/CVE-2022-35252.patch b/main/curl/CVE-2022-35252.patch new file mode 100644 index 00000000000..f9cc56b8927 --- /dev/null +++ b/main/curl/CVE-2022-35252.patch @@ -0,0 +1,66 @@ +Patch-Source: https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb +From 8dfc93e573ca740544a2d79ebb0ed786592c65c3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 5a4d9e9725f62..ab790a1cdb0ce 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -441,6 +441,30 @@ static bool bad_domain(const char *domain) + return TRUE; + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /* + * Curl_cookie_add + * +@@ -595,6 +619,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD index 6c2e687f3ae..98ed884f84e 100644 --- a/main/cyrus-sasl/APKBUILD +++ b/main/cyrus-sasl/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cyrus-sasl -pkgver=2.1.27 -pkgrel=10 +pkgver=2.1.28 +pkgrel=0 pkgdesc="Cyrus Simple Authentication Service Layer (SASL)" url="https://www.cyrusimap.org/sasl/" arch="all" @@ -35,16 +35,12 @@ makedepends=" libtool " source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pkgver/cyrus-sasl-$pkgver.tar.gz - cyrus-sasl-2.1.27-as_needed.patch - cyrus-sasl-2.1.27-autotools_fixes.patch - cyrus-sasl-2.1.27-avoid_pic_overwrite.patch - cyrus-sasl-2.1.27-doc_build_fix.patch - cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch - CVE-2019-19906.patch saslauthd.initd " # secfixes: +# 2.1.28-r0: +# - CVE-2022-24407 # 2.1.27-r5: # - CVE-2019-19906 # 2.1.26-r7: @@ -119,11 +115,7 @@ libsasl() { amove usr/lib/libsasl*.so.* } -sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623eab235f85af9be38dcf5d42fc131db531c177040a85187aee5096b8df63b cyrus-sasl-2.1.27.tar.gz -9eefa6d45e3dd9157a5672909acdd88f0ae35e76d64c3723890a474bbb05b22499cfadb0c077924d27f34da3710b2b700094dd7d5704050138c08dabcefdde94 cyrus-sasl-2.1.27-as_needed.patch -0d99ca049e76c11500769079d94f3bdb634bddb4c8d45a83b383e9bb9777edda66b17566800acbd450e1f4842d070ec3fbc236e7f0ef8759c36e6dd5ea8e3c64 cyrus-sasl-2.1.27-autotools_fixes.patch -4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch -6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch -fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch -c39efd87dc9c883d3b07474197f6835fbd32f23baa1f5cd04b25a0473639f847321c40f232e390d4dc9d9ee189dbd177c05d3d1461af4d28a48a4827abc5d9b8 CVE-2019-19906.patch -f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd" +sha512sums=" +db15af9079758a9f385457a79390c8a7cd7ea666573dace8bf4fb01bb4b49037538d67285727d6a70ad799d2e2318f265c9372e2427de9371d626a1959dd6f78 cyrus-sasl-2.1.28.tar.gz +f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd +" diff --git a/main/cyrus-sasl/CVE-2019-19906.patch b/main/cyrus-sasl/CVE-2019-19906.patch deleted file mode 100644 index f7edb521e89..00000000000 --- a/main/cyrus-sasl/CVE-2019-19906.patch +++ /dev/null @@ -1,15 +0,0 @@ -https://github.com/cyrusimap/cyrus-sasl/issues/587 - -diff --git a/lib/common.c b/lib/common.c -index bc3bf1df..9969d6aa 100644 ---- a/lib/common.c -+++ b/lib/common.c -@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen, - - if (add==NULL) add = "(null)"; - -- addlen=strlen(add); /* only compute once */ -+ addlen=strlen(add)+1; /* only compute once */ - if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) - return SASL_NOMEM; - diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch deleted file mode 100644 index 7cd9e151fbb..00000000000 --- a/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch +++ /dev/null @@ -1,25 +0,0 @@ -Author: Matthias Klose <doko@ubuntu.com> -Desription: Fix FTBFS, add $(SASL_DB_LIB) as dependency to libsasldb, and use -it. ---- cyrus-sasl-2.1.27/saslauthd/Makefile.am -+++ cyrus-sasl-2.1.27/saslauthd/Makefile.am -@@ -25,7 +25,7 @@ - saslauthd_DEPENDENCIES = saslauthd-main.o $(LTLIBOBJS_FULL) - saslauthd_LDADD = @SASL_KRB_LIB@ \ - @GSSAPIBASE_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \ -- @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS) -+ @LIB_SOCKET@ ../sasldb/libsasldb.la @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS) - - testsaslauthd_SOURCES = testsaslauthd.c utils.c - testsaslauthd_LDADD = @LIB_SOCKET@ ---- cyrus-sasl-2.1.27/sasldb/Makefile.am -+++ cyrus-sasl-2.1.27/sasldb/Makefile.am -@@ -54,6 +54,6 @@ - - libsasldb_la_SOURCES = allockey.c sasldb.h - EXTRA_libsasldb_la_SOURCES = $(extra_common_sources) --libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) --libsasldb_la_LIBADD = $(SASL_DB_BACKEND) -+libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) $(SASL_DB_LIB) -+libsasldb_la_LIBADD = $(SASL_DB_BACKEND) $(SASL_DB_LIB) - libsasldb_la_LDFLAGS = -no-undefined diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch deleted file mode 100644 index 2ce971efc5b..00000000000 --- a/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch +++ /dev/null @@ -1,31 +0,0 @@ ---- cyrus-sasl-2.1.27/configure.ac -+++ cyrus-sasl-2.1.27/configure.ac -@@ -44,6 +44,8 @@ - - AC_PREREQ(2.63) - -+AC_CONFIG_MACRO_DIR([config]) -+ - dnl - dnl REMINDER: When changing the version number here, please also update - dnl the values in win32/include/config.h and include/sasl.h as well. ---- cyrus-sasl-2.1.27/Makefile.am -+++ cyrus-sasl-2.1.27/Makefile.am -@@ -44,6 +44,8 @@ - # - ################################################################ - -+ACLOCAL_AMFLAGS = -I config -+ - if SASLAUTHD - SAD = saslauthd - else ---- cyrus-sasl-2.1.27/saslauthd/Makefile.am -+++ cyrus-sasl-2.1.27/saslauthd/Makefile.am -@@ -1,4 +1,6 @@ - AUTOMAKE_OPTIONS = 1.7 -+ACLOCAL_AMFLAGS = -I ../config -+ - sbin_PROGRAMS = saslauthd testsaslauthd - EXTRA_PROGRAMS = saslcache - diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch deleted file mode 100644 index c331039e2f1..00000000000 --- a/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch +++ /dev/null @@ -1,17 +0,0 @@ -Author: Fabian Fagerholm <fabbe@debian.org> -Description: This patch makes sure the non-PIC version of libsasldb.a, which -is created out of non-PIC objects, is not going to overwrite the PIC version, -which is created out of PIC objects. The PIC version is placed in .libs, and -the non-PIC version in the current directory. This ensures that both non-PIC -and PIC versions are available in the correct locations. ---- cyrus-sasl-2.1.27/lib/Makefile.am -+++ cyrus-sasl-2.1.27/lib/Makefile.am -@@ -98,7 +98,7 @@ - - libsasl2.a: libsasl2.la $(SASL_STATIC_OBJS) - @echo adding static plugins and dependencies -- $(AR) cru .libs/$@ $(SASL_STATIC_OBJS) -+ $(AR) cru $@ $(SASL_STATIC_OBJS) - @for i in ./libsasl2.la ../common/libplugin_common.la ../sasldb/libsasldb.la ../plugins/lib*.la; do \ - if test ! -f $$i; then continue; fi; . $$i; \ - for j in $$dependency_libs foo; do \ diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch deleted file mode 100644 index bdd02f77966..00000000000 --- a/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py -+++ cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py -@@ -23,7 +23,7 @@ - from sphinx import addnodes - from sphinx.locale import admonitionlabels, _ - from sphinx.util.osutil import ustrftime --from sphinx.util.compat import docutils_version -+#from sphinx.util.compat import docutils_version - - class CyrusManualPageWriter(ManualPageWriter): - diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch deleted file mode 100644 index c585cb158e1..00000000000 --- a/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch +++ /dev/null @@ -1,16 +0,0 @@ -Gentoo bug #389349 ---- cyrus-sasl-2.1.27/m4/sasl2.m4 -+++ cyrus-sasl-2.1.27/m4/sasl2.m4 -@@ -220,7 +220,11 @@ - [AC_WARN([Cybersafe define not found])]) - - elif test "$ac_cv_header_gssapi_h" = "yes"; then -- AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h, -+ AC_EGREP_CPP(hostbased_service_gss_nt_yes, gssapi.h, -+ [#include <gssapi.h> -+ #ifdef GSS_C_NT_HOSTBASED_SERVICE -+ hostbased_service_gss_nt_yes -+ #endif], - [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,, - [Define if your GSSAPI implementation defines GSS_C_NT_HOSTBASED_SERVICE])]) - elif test "$ac_cv_header_gssapi_gssapi_h"; then diff --git a/main/dahdi-linux-lts/APKBUILD b/main/dahdi-linux-lts/APKBUILD index c7d21078817..e535944c278 100644 --- a/main/dahdi-linux-lts/APKBUILD +++ b/main/dahdi-linux-lts/APKBUILD @@ -9,7 +9,7 @@ _rel=0 _flavor=${FLAVOR:-lts} _kpkg=linux-$_flavor -_kver=5.10.88 +_kver=5.10.152 _krel=0 _kpkgver="$_kver-r$_krel" diff --git a/main/dbus/APKBUILD b/main/dbus/APKBUILD index c938624b40f..e720cca7378 100644 --- a/main/dbus/APKBUILD +++ b/main/dbus/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=dbus -pkgver=1.12.20 -pkgrel=1 +pkgver=1.12.24 +pkgrel=0 pkgdesc="Freedesktop.org message bus system" options="!check" # Introduces circular dependency with xorg-server (xvfb-run -> xvfb) url="https://www.freedesktop.org/Software/dbus" @@ -23,11 +23,14 @@ checkdepends="xvfb-run" install="$pkgname.pre-install $pkgname.post-install" source="https://dbus.freedesktop.org/releases/dbus/dbus-$pkgver.tar.gz 0001-_dbus_generate_random_bytes-use-getrandom-2.patch - avoid-opendir-between-fork-exec.patch $pkgname.initd " # secfixes: +# 1.12.24-r0: +# - CVE-2022-42010 +# - CVE-2022-42011 +# - CVE-2022-42012 # 1.12.18-r0: # - CVE-2020-12049 # 1.12.16-r0: @@ -87,7 +90,8 @@ x11() { mv "$pkgdir"/usr/bin/dbus-launch "$subpkgdir"/usr/bin/ } -sha512sums="0964683bc6859374cc94e42e1ec0cdb542cca67971c205fcba4352500b6c0891665b0718e7d85eb060c81cb82e3346c313892bc02384da300ddd306c7eef0056 dbus-1.12.20.tar.gz +sha512sums=" +70e0b7c3f1071860b4243c945d640a1bab95fb83a7cbcf072cdd236def1310693f9bea07d406677d6673c53a6bedbdb02b51fe861aa6f686457dcfb4ee74b703 dbus-1.12.24.tar.gz 3db35499361e84d8e2469b88b033f49813b179188ac25f1841a989988c352af398a56dfd94383813626c6dfd032194f7a9fcdba001ccc3e005e7cd22dae7a7ed 0001-_dbus_generate_random_bytes-use-getrandom-2.patch -cdd01f51882be4f388515441237aa6318888db6e88a4d980bafbf9b790945e4d959c6633d6d002274c0a617ac919f9355ba628c9b502b355f73fed602f997791 avoid-opendir-between-fork-exec.patch -4c6beba2382416e60a3adfa85ef843d90d93ca5f38c23f573e058ffca6d4fc3850d11d40938c74383bba61599569b7fdfb1fcf3b9d2f1463e6b2e2cc81097c84 dbus.initd" +4c6beba2382416e60a3adfa85ef843d90d93ca5f38c23f573e058ffca6d4fc3850d11d40938c74383bba61599569b7fdfb1fcf3b9d2f1463e6b2e2cc81097c84 dbus.initd +" diff --git a/main/dbus/avoid-opendir-between-fork-exec.patch b/main/dbus/avoid-opendir-between-fork-exec.patch deleted file mode 100644 index 44b03fbd5b4..00000000000 --- a/main/dbus/avoid-opendir-between-fork-exec.patch +++ /dev/null @@ -1,18 +0,0 @@ -Author: Rasmus Thomsen <oss@cogitri.dev> -Upstream: No -Reason: The code inside the `#ifdef __linux__` calls opendir. This can -lead to deadlocks when act_on_fds_3_and_up is called between fork&exec since -opendir mallocs which isn't async signal safe -diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c -index 0288dbc9..e585136f 100644 ---- a/dbus/dbus-sysdeps-unix.c -+++ b/dbus/dbus-sysdeps-unix.c -@@ -4742,7 +4742,7 @@ act_on_fds_3_and_up (void (*func) (int fd)) - { - int maxfds, i; - --#ifdef __linux__ -+#if defined(__linux__) && defined(__GLIBC__) - DIR *d; - - /* On Linux we can optimize this a bit if /proc is available. If it diff --git a/main/dhcp/03-fix-unwind-import.patch b/main/dhcp/03-fix-unwind-import.patch new file mode 100644 index 00000000000..8b87fdbd3e3 --- /dev/null +++ b/main/dhcp/03-fix-unwind-import.patch @@ -0,0 +1,16 @@ +bind assumes _Unwind_GetIP is a function which is not necessarily +true. In some implementations of libunwind it's a macro. +This fixes the build on Alpine on armhf and armv7. + +--- a/bind/bind-9.11.36/lib/isc/backtrace.c ++++ b/bind/bind-9.11.36/lib/isc/backtrace.c +@@ -81,8 +81,7 @@ isc_backtrace_gettrace(void **addrs, int + return (ISC_R_SUCCESS); + } + #elif defined(BACKTRACE_GCC) +-extern int _Unwind_Backtrace(void* fn, void* a); +-extern void* _Unwind_GetIP(void* ctx); ++#include <unwind.h> + + typedef struct { + void **result; diff --git a/main/dhcp/APKBUILD b/main/dhcp/APKBUILD index 9275bf6f867..54f462d6251 100644 --- a/main/dhcp/APKBUILD +++ b/main/dhcp/APKBUILD @@ -1,8 +1,8 @@ # Maintainer: Jakub Jirutka <jakub@jirutka.cz> pkgname=dhcp -pkgver=4.4.2_p1 +pkgver=4.4.3_p1 _realver=${pkgver/_p/-P} -pkgrel=0 +pkgrel=1 pkgdesc="ISC Dynamic Host Configuration Protocol (DHCP)" url="https://www.isc.org/" arch="all" @@ -33,9 +33,8 @@ source=" https://downloads.isc.org/isc/dhcp/$_realver/dhcp-$_realver.tar.gz 01-dhclient-script-fix-bare-ip.patch 02-dhclient-script-remove-bashisms.patch + 03-fix-unwind-import.patch dhcp-3.0-fix-perms.patch - segfault-fix.patch - remove-duplicate-definitions.patch dhclient-script-alpine dhcrelay.initd dhcrelay.confd @@ -46,6 +45,9 @@ builddir="$srcdir/$pkgname-$_realver" makedepends="$makedepends $_depends_dhclient $_depends_server_ldap $_depends_server_vanilla" # secfixes: +# 4.4.3_p1-r0: +# - CVE-2022-2928 +# - CVE-2022-2929 # 4.4.2_p1-r0: # - CVE-2021-25217 # 4.4.1-r0: @@ -193,12 +195,11 @@ static() { # " sha512sums=" -924e8b44f288361dbe837987869e57b929c73cb5e4af37cb2d7b19bca5ea8594048fb41c0792fede003188185f61b25befbc2ccda42f1f68e6b6bc22ef44b040 dhcp-4.4.2-P1.tar.gz +d14dc44d1c015780ae19769816cb01015959927a1ad7a3e84b89e0463253aaf46451af88e3260347196373906d5b438c7c616fee45ec3f128aa82af6702b7154 dhcp-4.4.3-P1.tar.gz 17e2b9588ee5d1bd9acb9c2e30f7a28308d29c9e797c2be14c1feff52e6e231ce8a94535f18badff1342aff4ae4003aab986e0f0473f0cd280292fdab044b148 01-dhclient-script-fix-bare-ip.patch a70e4a7e80ee65c8ced6b61db80f7ccd0f35015b5cccf2e7c51705ae129230aa49ba9926bb88f7418018e7a112c2a40451f24b88e04464b590ff20091e8d8709 02-dhclient-script-remove-bashisms.patch +23ab581d85ba97a37fd6a0a612e0aa977b24bbaf83d58a93d1a87f9f24ea9a098aa549e77a6e1d78f721681c152464b15fd1d402d0673edf4dac6aa196df1fe9 03-fix-unwind-import.patch d5697a56fbbff25199962608986e7ffb533ed4afd3e344e3c79d2010dda73cc0b088f06c454e9f0c69eb054e09a374455fa71d3f73306e0c98fa76df4dd321b7 dhcp-3.0-fix-perms.patch -ff07f613da93de6d6a81cf5147ecc937e1405913f1649bf9c58d45214417e6b94b3fd897796d1dd3422ed27a43d935a84d7c72df98d59f30abd88b12f4f6edad segfault-fix.patch -fcc9f3c5a361e8a5fa690986c415a23e86c347f697aec3087c5783670d4abefcb0f073a37cfac8fe07206ac3e349df9cb7283b84356cdc4f4777b426ab0305ef remove-duplicate-definitions.patch d1dce58875793316761f168e29feddc1d3454d1d917d063d43ae102b7b6aab256c3cb420478335c57ebcdb2b7c804afa4d8a1f9ab06a29a4dd23bc5d87db8df2 dhclient-script-alpine ce62693cb483616844bb6774f9046af6a1a210e35cfaa59ab3bd12f68d50176714a324e92538b35139110b78191866f65b30d6979d8a45f7b68e572e7a1e8427 dhcrelay.initd fd15dbaa4c61c3c26f407bf13dde859470a1adba134da064b653ccc152ce42635ee8de2fe113ae21ba8470e97e3caad8c1a47b69eb25e5e92b40e26790b96f6d dhcrelay.confd diff --git a/main/dhcp/remove-duplicate-definitions.patch b/main/dhcp/remove-duplicate-definitions.patch deleted file mode 100644 index 070f4a185e1..00000000000 --- a/main/dhcp/remove-duplicate-definitions.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Mike Crute <mike@crute.us> -Date: Thu, 08 Oct 2020 05:25:00 +0000 -Subject: Remove duplicate definitions - -There are several duplicated definitions between the various servers and -clients and the common library code in dhcpd. This patch removes the duplicates -in the consumers and preserves the library code. - ---- - ---- a/client/dhclient.c -+++ b/client/dhclient.c -@@ -83,8 +83,6 @@ - static const char url [] = "For info, please visit https://www.isc.org/software/dhcp/"; - #endif /* UNIT_TEST */ - --u_int16_t local_port = 0; --u_int16_t remote_port = 0; - #if defined(DHCPv6) && defined(DHCP4o6) - int dhcp4o6_state = -1; /* -1 = stopped, 0 = polling, 1 = started */ - #endif ---- a/relay/dhcrelay.c.orig -+++ b/relay/dhcrelay.c -@@ -95,9 +95,6 @@ - forward_untouched, /* Forward without changes. */ - discard } agent_relay_mode = forward_and_replace; - --u_int16_t local_port; --u_int16_t remote_port; -- - /* Relay agent server list. */ - struct server_list { - struct server_list *next; ---- a/server/mdb.c.orig -+++ b/server/mdb.c -@@ -67,8 +67,6 @@ - - int numclasseswritten; - --omapi_object_type_t *dhcp_type_host; -- - isc_result_t enter_class(cd, dynamicp, commit) - struct class *cd; - int dynamicp; diff --git a/main/dhcp/segfault-fix.patch b/main/dhcp/segfault-fix.patch deleted file mode 100644 index 86651979d6b..00000000000 --- a/main/dhcp/segfault-fix.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Michał Kępień -Date: Mon, 13 Jan 2020 05:03:00 +0000 -Subject: Handle catopen() errors - -musl libc's implementation of catgets() crashes when its first argument -is -1 instead of a proper message catalog descriptor. Prevent that from -happening by making isc_msgcat_get() return the default text if the -prior call to catopen() returns an error. - -Porting forward upstream's fix: -https://gitlab.isc.org/isc-projects/bind9/-/commit/daade37977fafee12c7b3c1483516e010d2b74a6 - ---- - ---- a/bind/bind-9.11.14/lib/isc/nls/msgcat.c -+++ b/bind/bind-9.11.14/lib/isc/nls/msgcat.c -@@ -62,9 +62,8 @@ - - #ifdef HAVE_CATGETS - /* -- * We don't check if catopen() fails because we don't care. -- * If it does fail, then when we call catgets(), it will use -- * the default string. -+ * We don't check if catopen() fails because isc_msgcat_get() takes -+ * care of that before calling catgets(). - */ - msgcat->catalog = catopen(name, 0); - #endif -@@ -112,7 +111,7 @@ - REQUIRE(default_text != NULL); - - #ifdef HAVE_CATGETS -- if (msgcat == NULL) -+ if (msgcat == NULL || msgcat->catalog == (nl_catd)(-1)) - return (default_text); - return (catgets(msgcat->catalog, set, message, default_text)); - #else diff --git a/main/dpkg/APKBUILD b/main/dpkg/APKBUILD index ba46b2b165d..e12b1cf2297 100644 --- a/main/dpkg/APKBUILD +++ b/main/dpkg/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=dpkg -pkgver=1.20.6 +pkgver=1.20.10 pkgrel=0 pkgdesc="The Debian Package Manager" url="https://wiki.debian.org/Teams/Dpkg" @@ -14,6 +14,10 @@ source="https://deb.debian.org/debian/pool/main/d/dpkg/dpkg_$pkgver.tar.xz 0001-t-command-Fix-test_command_exec-program-invocation.patch " +# secfixes: +# 1.20.10-r0: +# - CVE-2022-1664 + prepare() { default_prepare @@ -91,5 +95,7 @@ dev() { mv "$pkgdir"/usr/share/perl* "$subpkgdir"/usr/share/ } -sha512sums="1aee5091cfa1f5221e64785ff013c6323f7a8bcc0d0b82caa5357db7fe480412a73f6afbd850ab1c53397dd0b2bca1b2637111d1cb3bdbfafe9df185955b7e2d dpkg_1.20.6.tar.xz -059875c06146382f1e4a339860c558a71393a43bf9e6580c0a2211c629cc9be1b4fd12c900b002f833a241ad9a339f138b458b60664da06db5b32db1c6490b2f 0001-t-command-Fix-test_command_exec-program-invocation.patch" +sha512sums=" +69edb9149d67fff15227e5fa2778c4dacc2ce8a849029669368b36fa8ecb45789bcba9e5b6add44134f2e5b05e2168ed7f30ca5589a2a3ac8d04637d645caf96 dpkg_1.20.10.tar.xz +059875c06146382f1e4a339860c558a71393a43bf9e6580c0a2211c629cc9be1b4fd12c900b002f833a241ad9a339f138b458b60664da06db5b32db1c6490b2f 0001-t-command-Fix-test_command_exec-program-invocation.patch +" diff --git a/main/esh/APKBUILD b/main/esh/APKBUILD index fc6c53e03b7..ebaa57ad5fc 100644 --- a/main/esh/APKBUILD +++ b/main/esh/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # Maintainer: Jakub Jirutka <jakub@jirutka.cz> pkgname=esh -pkgver=0.3.1 +pkgver=0.3.2 pkgrel=0 pkgdesc="Simple template system based on shell" url="https://github.com/jirutka/esh" @@ -22,4 +22,6 @@ package() { make DESTDIR="$pkgdir" prefix=/usr install } -sha512sums="a29f8b028ceba305c8a37f2df20be95701fa3bdaeefd9853e05cc6423a6c685b33954deabda9af25c31baeae2321084e2a2badee216010c8efd75e58888effa3 esh-0.3.1.tar.gz" +sha512sums=" +f93835f0c28b75fa4b4ab2fdccd860050e4dde25634074065b182f289dd36d05074c7a5762f6cd35f409ae2ef239de5e0799af70ec6a96ba63df50fc8c123784 esh-0.3.2.tar.gz +" diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD index 9bf52beab28..19e272874d6 100644 --- a/main/expat/APKBUILD +++ b/main/expat/APKBUILD @@ -1,16 +1,53 @@ # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org> pkgname=expat pkgver=2.2.10 -pkgrel=1 +pkgrel=8 pkgdesc="XML Parser library written in C" url="http://www.libexpat.org/" arch="all" license='MIT' checkdepends="bash" -source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2" +source="https://github.com/libexpat/libexpat/releases/download/R_${pkgver//./_}/expat-$pkgver.tar.xz + CVE-2021-45960.patch + CVE-2021-46143.patch + CVE-2022-22822.patch + CVE-2022-23852.patch + CVE-2022-23990.patch + CVE-2022-25235.patch + CVE-2022-25236.patch + CVE-2022-25236-regression.patch + CVE-2022-25313.patch + CVE-2022-25313-regression.patch + CVE-2022-25314.patch + CVE-2022-25315.patch + CVE-2022-40674.patch + CVE-2022-43680.patch + " subpackages="$pkgname-static $pkgname-dev $pkgname-doc" # secfixes: +# 2.2.10-r8: +# - CVE-2022-43680 +# 2.2.10-r7: +# - CVE-2022-40674 +# 2.2.10-r4: +# - CVE-2022-25235 +# - CVE-2022-25236 +# - CVE-2022-25313 +# - CVE-2022-25314 +# - CVE-2022-25315 +# 2.2.10-r3: +# - CVE-2022-23852 +# - CVE-2022-23990 +# 2.2.10-r2: +# - CVE-2021-45960 +# - CVE-2021-46143 +# - CVE-2022-22822 +# - CVE-2022-22823 +# - CVE-2022-22824 +# - CVE-2022-22825 +# - CVE-2022-22826 +# - CVE-2022-22827 # 2.2.7-r1: # - CVE-2019-15903 # 2.2.7-r0: @@ -36,4 +73,20 @@ package() { make DESTDIR="$pkgdir/" install } -sha512sums="9623e86024d09e3bb0cf51fd0d56ecaee5fb8c8acb71589104a63b510f73c1e84abb0ccea4e2c196bdf1d30b5ad0633a915758f75813717d031d633e34f022b7 expat-2.2.10.tar.bz2" +sha512sums=" +a8e0c8a9cf7e6fbacdc6e709f3c99c533ab550fba52557d24259bb8b360f9697624c7500c0e9886fa57ee2b529aadd0d1835d66fe8112e15c20df75cd3eb090f expat-2.2.10.tar.xz +4afd3777fc682a2f9057d4cc42afe6e04680d7d24f93dc11a2677cb8b1a4b400921f6d689e2953aff4a3312118ea801c9e161f85774360b3b5c2d3bd0067f7ad CVE-2021-45960.patch +dd0339a0cdf5b18638a5732f2f9930af7adb5b20aa3bf102317a571f0f7d4f453313f0d8fdaa60f89c7a8f2e59eeaaca4b9c2e427a45594b7e21ed7c253d547a CVE-2021-46143.patch +dcf6bfc07b4919b1248dba5fc6d4e425d09975b09255d77456bb44b40495e92b4d4ffae6a9e949b204770848b70edfc4be1869c191cb01ebe967b1906ffc9d59 CVE-2022-22822.patch +cb079c0b9fe7df6afe2e06d706461489527802dce811d894587221b6316784b6cf1c7cf70573f41a276b5d97f7530d17c7ed854273f4eeae9652d971f64ef282 CVE-2022-23852.patch +7de120a34b5fc2fcb3779e259b24d47d8f40f38aab490b738eea52c55542b9cac45c897d90cb129c17c2d0057518f59b013c2af87a579c70b28a9aa70c1f27cb CVE-2022-23990.patch +c3ed585a62d5aadd9e1d1d589b636e37ffba5b5cc0c4d264a151cf308a9bfcfe9859704f43fd6d4e1ed86633fa4672378288bdc05b5e47dcb42c75f8258035f5 CVE-2022-25235.patch +016ca726fde03ef9049404faff7122e4f6e9b8a89d4a188e1ffa7bcf4d177fe79e00a3e1f90b45424ec60586cdde7615c6f5a39db1be1e585713f1a7385aa14c CVE-2022-25236.patch +36d441df896a6734091c15c3cd84515114d805349123a98eb43b61a268533f36b1ae0ac437e99b26a1792863e6d23c8d0a38eac902942b768e551cf2f2ea6187 CVE-2022-25236-regression.patch +4db9ad13e5e1461339ab93554d14acacbbdc121824a1dfd8a1d9df3194452711606da1f9f9ed5c03c0c5ca8de61237ef588897bbde95f89109160dc685fde25f CVE-2022-25313.patch +36d310754e76db577cdeeb0ae1563867f9db65c9de12b1423d4e67f8e2604893525474d6e07b6305553308b6b06285b1b9da3c4e858ef79874296f68b82080e8 CVE-2022-25313-regression.patch +ac7d03f3ef8be557bda0294247a645db820470be47ea7fa3dab8047f7f11ada831e4f0a4cd4b82e3b2f7715ada08435b8292257a64714c0242407ef58a661b72 CVE-2022-25314.patch +946e0983f9159ae4b01627581a99594f0e7263438ddfd40a1705b8de39ee9c6739af08598d3bc4f145a8ff142209d3fde85c20bbebe2932d9e60596f192db5b5 CVE-2022-25315.patch +204d9ff3aea000327a700b1a6fdf9acfb866db52ac26c7b2b1f6ea087aac4086659775f3e18bf0e78b61cef4979ebd5075ad053a7af91d5be6dc728462097a44 CVE-2022-40674.patch +08b69782ef5db8881156a2ab4dbab4780bed52a3b07fc72c4df84a548a71d8cb72f84040fe8c45ac17e832279126d20a08f7939b103e66e2dd01bc6873910e3b CVE-2022-43680.patch +" diff --git a/main/expat/CVE-2021-45960.patch b/main/expat/CVE-2021-45960.patch new file mode 100644 index 00000000000..7c366ab3903 --- /dev/null +++ b/main/expat/CVE-2021-45960.patch @@ -0,0 +1,59 @@ +From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Mon, 27 Dec 2021 20:15:02 +0100 +Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function + storeAtts (CVE-2021-45960) + +--- + expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++-- + 1 file changed, 29 insertions(+), 2 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index d730f41c3..b47c31b05 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + if (nPrefixes) { + int j; /* hash table index */ + unsigned long version = parser->m_nsAttsVersion; +- int nsAttsSize = (int)1 << parser->m_nsAttsPower; ++ ++ /* Detect and prevent invalid shift */ ++ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ ++ unsigned int nsAttsSize = 1u << parser->m_nsAttsPower; + unsigned char oldNsAttsPower = parser->m_nsAttsPower; + /* size of hash table must be at least 2 * (# of prefixed attributes) */ + if ((nPrefixes << 1) +@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + ; + if (parser->m_nsAttsPower < 3) + parser->m_nsAttsPower = 3; +- nsAttsSize = (int)1 << parser->m_nsAttsPower; ++ ++ /* Detect and prevent invalid shift */ ++ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) { ++ /* Restore actual size of memory in m_nsAtts */ ++ parser->m_nsAttsPower = oldNsAttsPower; ++ return XML_ERROR_NO_MEMORY; ++ } ++ ++ nsAttsSize = 1u << parser->m_nsAttsPower; ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) { ++ /* Restore actual size of memory in m_nsAtts */ ++ parser->m_nsAttsPower = oldNsAttsPower; ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts, + nsAttsSize * sizeof(NS_ATT)); + if (! temp) { diff --git a/main/expat/CVE-2021-46143.patch b/main/expat/CVE-2021-46143.patch new file mode 100644 index 00000000000..d6bafba0ffb --- /dev/null +++ b/main/expat/CVE-2021-46143.patch @@ -0,0 +1,43 @@ +From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Sat, 25 Dec 2021 20:52:08 +0100 +Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function + doProlog (CVE-2021-46143) + +--- + expat/lib/xmlparse.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index b47c31b0..8f243126 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + if (parser->m_prologState.level >= parser->m_groupSize) { + if (parser->m_groupSize) { + { ++ /* Detect and prevent integer overflow */ ++ if (parser->m_groupSize > (unsigned int)(-1) / 2u) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + char *const new_connector = (char *)REALLOC( + parser, parser->m_groupConnector, parser->m_groupSize *= 2); + if (new_connector == NULL) { +@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + } + + if (dtd->scaffIndex) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + int *const new_scaff_index = (int *)REALLOC( + parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); + if (new_scaff_index == NULL) diff --git a/main/expat/CVE-2022-22822.patch b/main/expat/CVE-2022-22822.patch new file mode 100644 index 00000000000..4fed22e63c4 --- /dev/null +++ b/main/expat/CVE-2022-22822.patch @@ -0,0 +1,250 @@ +From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Thu, 30 Dec 2021 22:46:03 +0100 +Subject: [PATCH] lib: Prevent integer overflow at multiple places + (CVE-2022-22822 to CVE-2022-22827) + +The involved functions are: +- addBinding (CVE-2022-22822) +- build_model (CVE-2022-22823) +- defineAttribute (CVE-2022-22824) +- lookup (CVE-2022-22825) +- nextScaffoldPart (CVE-2022-22826) +- storeAtts (CVE-2022-22827) +--- + expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 151 insertions(+), 2 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 8f243126..575e73ee 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + + /* get the attributes from the tokenizer */ + n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts); ++ ++ /* Detect and prevent integer overflow */ ++ if (n > INT_MAX - nDefaultAtts) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + if (n + nDefaultAtts > parser->m_attsSize) { + int oldAttsSize = parser->m_attsSize; + ATTRIBUTE *temp; + #ifdef XML_ATTR_INFO + XML_AttrInfo *temp2; + #endif ++ ++ /* Detect and prevent integer overflow */ ++ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE) ++ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) { ++ parser->m_attsSize = oldAttsSize; ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, + parser->m_attsSize * sizeof(ATTRIBUTE)); + if (temp == NULL) { +@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + } + parser->m_atts = temp; + #ifdef XML_ATTR_INFO ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++# if UINT_MAX >= SIZE_MAX ++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) { ++ parser->m_attsSize = oldAttsSize; ++ return XML_ERROR_NO_MEMORY; ++ } ++# endif ++ + temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, + parser->m_attsSize * sizeof(XML_AttrInfo)); + if (temp2 == NULL) { +@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + tagNamePtr->prefixLen = prefixLen; + for (i = 0; localPart[i++];) + ; /* i includes null terminator */ ++ ++ /* Detect and prevent integer overflow */ ++ if (binding->uriLen > INT_MAX - prefixLen ++ || i > INT_MAX - (binding->uriLen + prefixLen)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + n = i + binding->uriLen + prefixLen; + if (n > binding->uriAlloc) { + TAG *p; ++ ++ /* Detect and prevent integer overflow */ ++ if (n > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char)); + if (! uri) + return XML_ERROR_NO_MEMORY; +@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + if (parser->m_freeBindingList) { + b = parser->m_freeBindingList; + if (len > b->uriAlloc) { ++ /* Detect and prevent integer overflow */ ++ if (len > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + XML_Char *temp = (XML_Char *)REALLOC( + parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); + if (temp == NULL) +@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + b = (BINDING *)MALLOC(parser, sizeof(BINDING)); + if (! b) + return XML_ERROR_NO_MEMORY; ++ ++ /* Detect and prevent integer overflow */ ++ if (len > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + b->uri + = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE)); + if (! b->uri) { +@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata, + } + } else { + DEFAULT_ATTRIBUTE *temp; ++ ++ /* Detect and prevent integer overflow */ ++ if (type->allocDefaultAtts > INT_MAX / 2) { ++ return 0; ++ } ++ + int count = type->allocDefaultAtts * 2; ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) { ++ return 0; ++ } ++#endif ++ + temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts, + (count * sizeof(DEFAULT_ATTRIBUTE))); + if (temp == NULL) +@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) { + /* check for overflow (table is half full) */ + if (table->used >> (table->power - 1)) { + unsigned char newPower = table->power + 1; ++ ++ /* Detect and prevent invalid shift */ ++ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) { ++ return NULL; ++ } ++ + size_t newSize = (size_t)1 << newPower; + unsigned long newMask = (unsigned long)newSize - 1; ++ ++ /* Detect and prevent integer overflow */ ++ if (newSize > (size_t)(-1) / sizeof(NAMED *)) { ++ return NULL; ++ } ++ + size_t tsize = newSize * sizeof(NAMED *); + NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); + if (! newV) +@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) { + if (dtd->scaffCount >= dtd->scaffSize) { + CONTENT_SCAFFOLD *temp; + if (dtd->scaffold) { ++ /* Detect and prevent integer overflow */ ++ if (dtd->scaffSize > UINT_MAX / 2u) { ++ return -1; ++ } ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) { ++ return -1; ++ } ++#endif ++ + temp = (CONTENT_SCAFFOLD *)REALLOC( + parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD)); + if (temp == NULL) +@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) { + XML_Content *ret; + XML_Content *cpos; + XML_Char *str; +- int allocsize = (dtd->scaffCount * sizeof(XML_Content) +- + (dtd->contentStringLen * sizeof(XML_Char))); ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) { ++ return NULL; ++ } ++ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) { ++ return NULL; ++ } ++#endif ++ if (dtd->scaffCount * sizeof(XML_Content) ++ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) { ++ return NULL; ++ } ++ ++ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content) ++ + (dtd->contentStringLen * sizeof(XML_Char))); + + ret = (XML_Content *)MALLOC(parser, allocsize); + if (! ret) diff --git a/main/expat/CVE-2022-23852.patch b/main/expat/CVE-2022-23852.patch new file mode 100644 index 00000000000..fe020c441ed --- /dev/null +++ b/main/expat/CVE-2022-23852.patch @@ -0,0 +1,27 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40 +From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001 +From: Samanta Navarro <ferivoz@riseup.net> +Date: Sat, 22 Jan 2022 17:48:00 +0100 +Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer + (CVE-2022-23852) + +--- + expat/lib/xmlparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index d54af683..5ce31402 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) { + keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); + if (keep > XML_CONTEXT_BYTES) + keep = XML_CONTEXT_BYTES; ++ /* Detect and prevent integer overflow */ ++ if (keep > INT_MAX - neededSize) { ++ parser->m_errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } + neededSize += keep; + #endif /* defined XML_CONTEXT_BYTES */ + if (neededSize diff --git a/main/expat/CVE-2022-23990.patch b/main/expat/CVE-2022-23990.patch new file mode 100644 index 00000000000..f8cff18cb44 --- /dev/null +++ b/main/expat/CVE-2022-23990.patch @@ -0,0 +1,42 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/ede41d1e186ed2aba88a06e84cac839b770af3a1 +From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Wed, 26 Jan 2022 02:36:43 +0100 +Subject: [PATCH] lib: Prevent integer overflow in doProlog (CVE-2022-23990) + +The change from "int nameLen" to "size_t nameLen" +addresses the overflow on "nameLen++" in code +"for (; name[nameLen++];)" right above the second +change in the patch. +--- + expat/lib/xmlparse.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 5ce31402..d1d17005 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + if (dtd->in_eldecl) { + ELEMENT_TYPE *el; + const XML_Char *name; +- int nameLen; ++ size_t nameLen; + const char *nxt + = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar); + int myindex = nextScaffoldPart(parser); +@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + nameLen = 0; + for (; name[nameLen++];) + ; +- dtd->contentStringLen += nameLen; ++ ++ /* Detect and prevent integer overflow */ ++ if (nameLen > UINT_MAX - dtd->contentStringLen) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ ++ dtd->contentStringLen += (unsigned)nameLen; + if (parser->m_elementDeclHandler) + handleDefault = XML_FALSE; + } diff --git a/main/expat/CVE-2022-25235.patch b/main/expat/CVE-2022-25235.patch new file mode 100644 index 00000000000..191ad980050 --- /dev/null +++ b/main/expat/CVE-2022-25235.patch @@ -0,0 +1,43 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 +From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Tue, 8 Feb 2022 04:32:20 +0100 +Subject: [PATCH] lib: Add missing validation of encoding (CVE-2022-25235) + +--- + expat/lib/xmltok_impl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c +index 0430591b4..64a3b2c15 100644 +--- a/lib/xmltok_impl.c ++++ b/lib/xmltok_impl.c +@@ -69,7 +69,7 @@ + case BT_LEAD##n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (! IS_NAME_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -98,7 +98,7 @@ + case BT_LEAD##n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (! IS_NMSTRT_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -1142,6 +1142,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end, + case BT_LEAD##n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ ++ if (IS_INVALID_CHAR(enc, ptr, n)) { \ ++ *nextTokPtr = ptr; \ ++ return XML_TOK_INVALID; \ ++ } \ + if (IS_NMSTRT_CHAR(enc, ptr, n)) { \ + ptr += n; \ + tok = XML_TOK_NAME; \ diff --git a/main/expat/CVE-2022-25236-regression.patch b/main/expat/CVE-2022-25236-regression.patch new file mode 100644 index 00000000000..2bcab601161 --- /dev/null +++ b/main/expat/CVE-2022-25236-regression.patch @@ -0,0 +1,171 @@ +non-code patches skipped +--- + +From 2ba6c76fca21397959145e18c5ef376201209020 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Sun, 27 Feb 2022 16:58:08 +0100 +Subject: [PATCH 1/5] lib: Relax fix to CVE-2022-25236 with regard to RFC 3986 + URI characters + +--- + expat/lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 131 insertions(+), 8 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 59da19c8..6fe2cf1e 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3705,6 +3705,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + return XML_ERROR_NONE; + } + ++static XML_Bool ++is_rfc3986_uri_char(XML_Char candidate) { ++ // For the RFC 3986 ANBF grammar see ++ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A ++ ++ switch (candidate) { ++ // From rule "ALPHA" (uppercase half) ++ case 'A': ++ case 'B': ++ case 'C': ++ case 'D': ++ case 'E': ++ case 'F': ++ case 'G': ++ case 'H': ++ case 'I': ++ case 'J': ++ case 'K': ++ case 'L': ++ case 'M': ++ case 'N': ++ case 'O': ++ case 'P': ++ case 'Q': ++ case 'R': ++ case 'S': ++ case 'T': ++ case 'U': ++ case 'V': ++ case 'W': ++ case 'X': ++ case 'Y': ++ case 'Z': ++ ++ // From rule "ALPHA" (lowercase half) ++ case 'a': ++ case 'b': ++ case 'c': ++ case 'd': ++ case 'e': ++ case 'f': ++ case 'g': ++ case 'h': ++ case 'i': ++ case 'j': ++ case 'k': ++ case 'l': ++ case 'm': ++ case 'n': ++ case 'o': ++ case 'p': ++ case 'q': ++ case 'r': ++ case 's': ++ case 't': ++ case 'u': ++ case 'v': ++ case 'w': ++ case 'x': ++ case 'y': ++ case 'z': ++ ++ // From rule "DIGIT" ++ case '0': ++ case '1': ++ case '2': ++ case '3': ++ case '4': ++ case '5': ++ case '6': ++ case '7': ++ case '8': ++ case '9': ++ ++ // From rule "pct-encoded" ++ case '%': ++ ++ // From rule "unreserved" ++ case '-': ++ case '.': ++ case '_': ++ case '~': ++ ++ // From rule "gen-delims" ++ case ':': ++ case '/': ++ case '?': ++ case '#': ++ case '[': ++ case ']': ++ case '@': ++ ++ // From rule "sub-delims" ++ case '!': ++ case '$': ++ case '&': ++ case '\'': ++ case '(': ++ case ')': ++ case '*': ++ case '+': ++ case ',': ++ case ';': ++ case '=': ++ return XML_TRUE; ++ ++ default: ++ return XML_FALSE; ++ } ++} ++ + /* addBinding() overwrites the value of prefix->binding without checking. + Therefore one must keep track of the old value outside of addBinding(). + */ +@@ -3763,14 +3874,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + && (len > xmlnsLen || uri[len] != xmlnsNamespace[len])) + isXMLNS = XML_FALSE; + +- // NOTE: While Expat does not validate namespace URIs against RFC 3986, +- // we have to at least make sure that the XML processor on top of +- // Expat (that is splitting tag names by namespace separator into +- // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused +- // by an attacker putting additional namespace separator characters +- // into namespace declarations. That would be ambiguous and not to +- // be expected. +- if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) { ++ // NOTE: While Expat does not validate namespace URIs against RFC 3986 ++ // today (and is not REQUIRED to do so with regard to the XML 1.0 ++ // namespaces specification) we have to at least make sure, that ++ // the application on top of Expat (that is likely splitting expanded ++ // element names ("qualified names") of form ++ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces ++ // in its element handler code) cannot be confused by an attacker ++ // putting additional namespace separator characters into namespace ++ // declarations. That would be ambiguous and not to be expected. ++ // ++ // While the HTML API docs of function XML_ParserCreateNS have been ++ // advising against use of a namespace separator character that can ++ // appear in a URI for >20 years now, some widespread applications ++ // are using URI characters (':' (colon) in particular) for a ++ // namespace separator, in practice. To keep these applications ++ // functional, we only reject namespaces URIs containing the ++ // application-chosen namespace separator if the chosen separator ++ // is a non-URI character with regard to RFC 3986. ++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator) ++ && ! is_rfc3986_uri_char(uri[len])) { + return XML_ERROR_SYNTAX; + } + } + diff --git a/main/expat/CVE-2022-25236.patch b/main/expat/CVE-2022-25236.patch new file mode 100644 index 00000000000..ad91fc195fa --- /dev/null +++ b/main/expat/CVE-2022-25236.patch @@ -0,0 +1,33 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 +From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Sat, 12 Feb 2022 01:09:29 +0100 +Subject: [PATCH] lib: Protect against malicious namespace declarations + (CVE-2022-25236) + +--- + expat/lib/xmlparse.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index c768f856..a3aef88c 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + if (! mustBeXML && isXMLNS + && (len > xmlnsLen || uri[len] != xmlnsNamespace[len])) + isXMLNS = XML_FALSE; ++ ++ // NOTE: While Expat does not validate namespace URIs against RFC 3986, ++ // we have to at least make sure that the XML processor on top of ++ // Expat (that is splitting tag names by namespace separator into ++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused ++ // by an attacker putting additional namespace separator characters ++ // into namespace declarations. That would be ambiguous and not to ++ // be expected. ++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) { ++ return XML_ERROR_SYNTAX; ++ } + } + isXML = isXML && len == xmlLen; + isXMLNS = isXMLNS && len == xmlnsLen; diff --git a/main/expat/CVE-2022-25313-regression.patch b/main/expat/CVE-2022-25313-regression.patch new file mode 100644 index 00000000000..195ccfcc0d1 --- /dev/null +++ b/main/expat/CVE-2022-25313-regression.patch @@ -0,0 +1,243 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/9288cd5474bf6d3d0c037c247f9581d5e4df5097 +Patch 3/3 skipped due it being only a Changes readme change. +--- + +Patch-Source: https://github.com/libexpat/libexpat/commit/9288cd5474bf6d3d0c037c247f9581d5e4df5097 +From b12f34fe32821a69dc12ff9a021daca0856de238 Mon Sep 17 00:00:00 2001 +From: Samanta Navarro <ferivoz@riseup.net> +Date: Sat, 19 Feb 2022 23:59:25 +0000 +Subject: [PATCH 1/3] Fix build_model regression. + +The iterative approach in build_model failed to fill children arrays +correctly. A preorder traversal is not required and turned out to be the +culprit. Use an easier algorithm: + +Add nodes from scaffold tree starting at index 0 (root) to the target +array whenever children are encountered. This ensures that children +are adjacent to each other. This complies with the recursive version. + +Store only the scaffold index in numchildren field to prevent a direct +processing of these children, which would require a recursive solution. +This allows the algorithm to iterate through the target array from start +to end without jumping back and forth, converting on the fly. + +Co-authored-by: Sebastian Pipping <sebastian@pipping.org> +--- + expat/lib/xmlparse.c | 79 ++++++++++++++++++++++++++------------------ + 1 file changed, 47 insertions(+), 32 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index c479a258..84885b5a 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7373,39 +7373,58 @@ build_model(XML_Parser parser) { + * + * The iterative approach works as follows: + * +- * - We use space in the target array for building a temporary stack structure +- * while that space is still unused. +- * The stack grows from the array's end downwards and the "actual data" +- * grows from the start upwards, sequentially. +- * (Because stack grows downwards, pushing onto the stack is a decrement +- * while popping off the stack is an increment.) ++ * - We have two writing pointers, both walking up the result array; one does ++ * the work, the other creates "jobs" for its colleague to do, and leads ++ * the way: + * +- * - A stack element appears as a regular XML_Content node on the outside, +- * but only uses a single field -- numchildren -- to store the source +- * tree node array index. These are the breadcrumbs leading the way back +- * during pre-order (node first) depth-first traversal. ++ * - The faster one, pointer jobDest, always leads and writes "what job ++ * to do" by the other, once they reach that place in the ++ * array: leader "jobDest" stores the source node array index (relative ++ * to array dtd->scaffold) in field "numchildren". + * +- * - The reason we know the stack will never grow into (or overlap with) +- * the area with data of value at the start of the array is because +- * the overall number of elements to process matches the size of the array, +- * and the sum of fully processed nodes and yet-to-be processed nodes +- * on the stack, cannot be more than the total number of nodes. +- * It is possible for the top of the stack and the about-to-write node +- * to meet, but that is safe because we get the source index out +- * before doing any writes on that node. ++ * - The slower one, pointer dest, looks at the value stored in the ++ * "numchildren" field (which actually holds a source node array index ++ * at that time) and puts the real data from dtd->scaffold in. ++ * ++ * - Before the loop starts, jobDest writes source array index 0 ++ * (where the root node is located) so that dest will have something to do ++ * when it starts operation. ++ * ++ * - Whenever nodes with children are encountered, jobDest appends ++ * them as new jobs, in order. As a result, tree node siblings are ++ * adjacent in the resulting array, for example: ++ * ++ * [0] root, has two children ++ * [1] first child of 0, has three children ++ * [3] first child of 1, does not have children ++ * [4] second child of 1, does not have children ++ * [5] third child of 1, does not have children ++ * [2] second child of 0, does not have children ++ * ++ * Or (the same data) presented in flat array view: ++ * ++ * [0] root, has two children ++ * ++ * [1] first child of 0, has three children ++ * [2] second child of 0, does not have children ++ * ++ * [3] first child of 1, does not have children ++ * [4] second child of 1, does not have children ++ * [5] third child of 1, does not have children ++ * ++ * - The algorithm repeats until all target array indices have been processed. + */ + XML_Content *dest = ret; /* tree node writing location, moves upwards */ + XML_Content *const destLimit = &ret[dtd->scaffCount]; +- XML_Content *const stackBottom = &ret[dtd->scaffCount]; +- XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */ ++ XML_Content *jobDest = ret; /* next free writing location in target array */ + str = (XML_Char *)&ret[dtd->scaffCount]; + +- /* Push source tree root node index onto the stack */ +- (--stackTop)->numchildren = 0; ++ /* Add the starting job, the root node (index 0) of the source tree */ ++ (jobDest++)->numchildren = 0; + + for (; dest < destLimit; dest++) { +- /* Pop source tree node index off the stack */ +- const int src_node = (int)(stackTop++)->numchildren; ++ /* Retrieve source tree array index from job storage */ ++ const int src_node = (int)dest->numchildren; + + /* Convert item */ + dest->type = dtd->scaffold[src_node].type; +@@ -7427,16 +7446,12 @@ build_model(XML_Parser parser) { + int cn; + dest->name = NULL; + dest->numchildren = dtd->scaffold[src_node].childcnt; +- dest->children = &dest[1]; ++ dest->children = jobDest; + +- /* Push children to the stack +- * in a way where the first child ends up at the top of the +- * (downwards growing) stack, in order to be processed first. */ +- stackTop -= dest->numchildren; ++ /* Append scaffold indices of children to array */ + for (i = 0, cn = dtd->scaffold[src_node].firstchild; +- i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) { +- (stackTop + i)->numchildren = (unsigned int)cn; +- } ++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) ++ (jobDest++)->numchildren = (unsigned int)cn; + } + } + + +From 154e565f6ef329c9ec97e6534c411ddde0b320c8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Sun, 20 Feb 2022 03:26:57 +0100 +Subject: [PATCH 2/3] tests: Protect against nested element declaration model + regressions + +--- + expat/tests/runtests.c | 77 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 77 insertions(+) + +diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c +index 2cd4acbe..e28670d2 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -2664,6 +2664,82 @@ START_TEST(test_dtd_elements) { + } + END_TEST + ++static void XMLCALL ++element_decl_check_model(void *userData, const XML_Char *name, ++ XML_Content *model) { ++ UNUSED_P(userData); ++ uint32_t errorFlags = 0; ++ ++ /* Expected model array structure is this: ++ * [0] (type 6, quant 0) ++ * [1] (type 5, quant 0) ++ * [3] (type 4, quant 0, name "bar") ++ * [4] (type 4, quant 0, name "foo") ++ * [5] (type 4, quant 3, name "xyz") ++ * [2] (type 4, quant 2, name "zebra") ++ */ ++ errorFlags |= ((xcstrcmp(name, XCS("junk")) == 0) ? 0 : (1u << 0)); ++ errorFlags |= ((model != NULL) ? 0 : (1u << 1)); ++ ++ errorFlags |= ((model[0].type == XML_CTYPE_SEQ) ? 0 : (1u << 2)); ++ errorFlags |= ((model[0].quant == XML_CQUANT_NONE) ? 0 : (1u << 3)); ++ errorFlags |= ((model[0].numchildren == 2) ? 0 : (1u << 4)); ++ errorFlags |= ((model[0].children == &model[1]) ? 0 : (1u << 5)); ++ errorFlags |= ((model[0].name == NULL) ? 0 : (1u << 6)); ++ ++ errorFlags |= ((model[1].type == XML_CTYPE_CHOICE) ? 0 : (1u << 7)); ++ errorFlags |= ((model[1].quant == XML_CQUANT_NONE) ? 0 : (1u << 8)); ++ errorFlags |= ((model[1].numchildren == 3) ? 0 : (1u << 9)); ++ errorFlags |= ((model[1].children == &model[3]) ? 0 : (1u << 10)); ++ errorFlags |= ((model[1].name == NULL) ? 0 : (1u << 11)); ++ ++ errorFlags |= ((model[2].type == XML_CTYPE_NAME) ? 0 : (1u << 12)); ++ errorFlags |= ((model[2].quant == XML_CQUANT_REP) ? 0 : (1u << 13)); ++ errorFlags |= ((model[2].numchildren == 0) ? 0 : (1u << 14)); ++ errorFlags |= ((model[2].children == NULL) ? 0 : (1u << 15)); ++ errorFlags |= ((xcstrcmp(model[2].name, XCS("zebra")) == 0) ? 0 : (1u << 16)); ++ ++ errorFlags |= ((model[3].type == XML_CTYPE_NAME) ? 0 : (1u << 17)); ++ errorFlags |= ((model[3].quant == XML_CQUANT_NONE) ? 0 : (1u << 18)); ++ errorFlags |= ((model[3].numchildren == 0) ? 0 : (1u << 19)); ++ errorFlags |= ((model[3].children == NULL) ? 0 : (1u << 20)); ++ errorFlags |= ((xcstrcmp(model[3].name, XCS("bar")) == 0) ? 0 : (1u << 21)); ++ ++ errorFlags |= ((model[4].type == XML_CTYPE_NAME) ? 0 : (1u << 22)); ++ errorFlags |= ((model[4].quant == XML_CQUANT_NONE) ? 0 : (1u << 23)); ++ errorFlags |= ((model[4].numchildren == 0) ? 0 : (1u << 24)); ++ errorFlags |= ((model[4].children == NULL) ? 0 : (1u << 25)); ++ errorFlags |= ((xcstrcmp(model[4].name, XCS("foo")) == 0) ? 0 : (1u << 26)); ++ ++ errorFlags |= ((model[5].type == XML_CTYPE_NAME) ? 0 : (1u << 27)); ++ errorFlags |= ((model[5].quant == XML_CQUANT_PLUS) ? 0 : (1u << 28)); ++ errorFlags |= ((model[5].numchildren == 0) ? 0 : (1u << 29)); ++ errorFlags |= ((model[5].children == NULL) ? 0 : (1u << 30)); ++ errorFlags |= ((xcstrcmp(model[5].name, XCS("xyz")) == 0) ? 0 : (1u << 31)); ++ ++ XML_SetUserData(g_parser, (void *)(uintptr_t)errorFlags); ++ XML_FreeContentModel(g_parser, model); ++} ++ ++START_TEST(test_dtd_elements_nesting) { ++ // Payload inspired by a test in Perl's XML::Parser ++ const char *text = "<!DOCTYPE foo [\n" ++ "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>\n" ++ "]>\n" ++ "<foo/>"; ++ ++ XML_SetUserData(g_parser, (void *)(uintptr_t)-1); ++ ++ XML_SetElementDeclHandler(g_parser, element_decl_check_model); ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(g_parser); ++ ++ if ((uint32_t)(uintptr_t)XML_GetUserData(g_parser) != 0) ++ fail("Element declaration model regression detected"); ++} ++END_TEST ++ + /* Test foreign DTD handling */ + START_TEST(test_set_foreign_dtd) { + const char *text1 = "<?xml version='1.0' encoding='us-ascii'?>\n"; +@@ -11863,6 +11939,7 @@ make_suite(void) { + tcase_add_test(tc_basic, test_memory_allocation); + tcase_add_test(tc_basic, test_default_current); + tcase_add_test(tc_basic, test_dtd_elements); ++ tcase_add_test(tc_basic, test_dtd_elements_nesting); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_set_foreign_dtd); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_foreign_dtd_not_standalone); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_invalid_foreign_dtd); + diff --git a/main/expat/CVE-2022-25313.patch b/main/expat/CVE-2022-25313.patch new file mode 100644 index 00000000000..d0431bc0b2d --- /dev/null +++ b/main/expat/CVE-2022-25313.patch @@ -0,0 +1,223 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/bbdfcfef4747d2d66e81c19f4a55e29e291aa171 +From 9b4ce651b26557f16103c3a366c91934ecd439ab Mon Sep 17 00:00:00 2001 +From: Samanta Navarro <ferivoz@riseup.net> +Date: Tue, 15 Feb 2022 11:54:29 +0000 +Subject: [PATCH] Prevent stack exhaustion in build_model + +It is possible to trigger stack exhaustion in build_model function if +depth of nested children in DTD element is large enough. This happens +because build_node is a recursively called function within build_model. + +The code has been adjusted to run iteratively. It uses the already +allocated heap space as temporary stack (growing from top to bottom). + +Output is identical to recursive version. No new fields in data +structures were added, i.e. it keeps full API and ABI compatibility. +Instead the numchildren variable is used to temporarily keep the +index of items (uint vs int). + +Documentation and readability improvements kindly added by Sebastian. + +Proof of Concept: + +1. Compile poc binary which parses XML file line by line + +``` +cat > poc.c << EOF + #include <err.h> + #include <expat.h> + #include <stdio.h> + + XML_Parser parser; + + static void XMLCALL + dummy_element_decl_handler(void *userData, const XML_Char *name, + XML_Content *model) { + XML_FreeContentModel(parser, model); + } + + int main(int argc, char *argv[]) { + FILE *fp; + char *p = NULL; + size_t s = 0; + ssize_t l; + if (argc != 2) + errx(1, "usage: poc poc.xml"); + if ((parser = XML_ParserCreate(NULL)) == NULL) + errx(1, "XML_ParserCreate"); + XML_SetElementDeclHandler(parser, dummy_element_decl_handler); + if ((fp = fopen(argv[1], "r")) == NULL) + err(1, "fopen"); + while ((l = getline(&p, &s, fp)) > 0) + if (XML_Parse(parser, p, (int)l, XML_FALSE) != XML_STATUS_OK) + errx(1, "XML_Parse"); + XML_ParserFree(parser); + free(p); + fclose(fp); + return 0; + } +EOF +cc -std=c11 -D_POSIX_C_SOURCE=200809L -lexpat -o poc poc.c +``` + +2. Create XML file with a lot of nested groups in DTD element + +``` +cat > poc.xml.zst.b64 << EOF +KLUv/aQkACAAPAEA+DwhRE9DVFlQRSB1d3UgWwo8IUVMRU1FTlQgdXd1CigBAHv/58AJAgAQKAIA +ECgCABAoAgAQKAIAECgCABAoAgAQKHwAAChvd28KKQIA2/8gV24XBAIAECkCABApAgAQKQIAECkC +ABApAgAQKQIAEClVAAAgPl0+CgEA4A4I2VwwnQ== +EOF +base64 -d poc.xml.zst.b64 | zstd -d > poc.xml +``` + +3. Run Proof of Concept + +``` +./poc poc.xml +``` + +Co-authored-by: Sebastian Pipping <sebastian@pipping.org> +--- + expat/lib/xmlparse.c | 116 +++++++++++++++++++++++++++++-------------- + 1 file changed, 79 insertions(+), 37 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 4b43e613..594cf12c 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7317,44 +7317,15 @@ nextScaffoldPart(XML_Parser parser) { + return next; + } + +-static void +-build_node(XML_Parser parser, int src_node, XML_Content *dest, +- XML_Content **contpos, XML_Char **strpos) { +- DTD *const dtd = parser->m_dtd; /* save one level of indirection */ +- dest->type = dtd->scaffold[src_node].type; +- dest->quant = dtd->scaffold[src_node].quant; +- if (dest->type == XML_CTYPE_NAME) { +- const XML_Char *src; +- dest->name = *strpos; +- src = dtd->scaffold[src_node].name; +- for (;;) { +- *(*strpos)++ = *src; +- if (! *src) +- break; +- src++; +- } +- dest->numchildren = 0; +- dest->children = NULL; +- } else { +- unsigned int i; +- int cn; +- dest->numchildren = dtd->scaffold[src_node].childcnt; +- dest->children = *contpos; +- *contpos += dest->numchildren; +- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren; +- i++, cn = dtd->scaffold[cn].nextsib) { +- build_node(parser, cn, &(dest->children[i]), contpos, strpos); +- } +- dest->name = NULL; +- } +-} +- + static XML_Content * + build_model(XML_Parser parser) { ++ /* Function build_model transforms the existing parser->m_dtd->scaffold ++ * array of CONTENT_SCAFFOLD tree nodes into a new array of ++ * XML_Content tree nodes followed by a gapless list of zero-terminated ++ * strings. */ + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + XML_Content *ret; +- XML_Content *cpos; +- XML_Char *str; ++ XML_Char *str; /* the current string writing location */ + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning +@@ -7380,10 +7351,81 @@ build_model(XML_Parser parser) { + if (! ret) + return NULL; + +- str = (XML_Char *)(&ret[dtd->scaffCount]); +- cpos = &ret[1]; ++ /* What follows is an iterative implementation (of what was previously done ++ * recursively in a dedicated function called "build_node". The old recursive ++ * build_node could be forced into stack exhaustion from input as small as a ++ * few megabyte, and so that was a security issue. Hence, a function call ++ * stack is avoided now by resolving recursion.) ++ * ++ * The iterative approach works as follows: ++ * ++ * - We use space in the target array for building a temporary stack structure ++ * while that space is still unused. ++ * The stack grows from the array's end downwards and the "actual data" ++ * grows from the start upwards, sequentially. ++ * (Because stack grows downwards, pushing onto the stack is a decrement ++ * while popping off the stack is an increment.) ++ * ++ * - A stack element appears as a regular XML_Content node on the outside, ++ * but only uses a single field -- numchildren -- to store the source ++ * tree node array index. These are the breadcrumbs leading the way back ++ * during pre-order (node first) depth-first traversal. ++ * ++ * - The reason we know the stack will never grow into (or overlap with) ++ * the area with data of value at the start of the array is because ++ * the overall number of elements to process matches the size of the array, ++ * and the sum of fully processed nodes and yet-to-be processed nodes ++ * on the stack, cannot be more than the total number of nodes. ++ * It is possible for the top of the stack and the about-to-write node ++ * to meet, but that is safe because we get the source index out ++ * before doing any writes on that node. ++ */ ++ XML_Content *dest = ret; /* tree node writing location, moves upwards */ ++ XML_Content *const destLimit = &ret[dtd->scaffCount]; ++ XML_Content *const stackBottom = &ret[dtd->scaffCount]; ++ XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */ ++ str = (XML_Char *)&ret[dtd->scaffCount]; ++ ++ /* Push source tree root node index onto the stack */ ++ (--stackTop)->numchildren = 0; ++ ++ for (; dest < destLimit; dest++) { ++ /* Pop source tree node index off the stack */ ++ const int src_node = (int)(stackTop++)->numchildren; ++ ++ /* Convert item */ ++ dest->type = dtd->scaffold[src_node].type; ++ dest->quant = dtd->scaffold[src_node].quant; ++ if (dest->type == XML_CTYPE_NAME) { ++ const XML_Char *src; ++ dest->name = str; ++ src = dtd->scaffold[src_node].name; ++ for (;;) { ++ *str++ = *src; ++ if (! *src) ++ break; ++ src++; ++ } ++ dest->numchildren = 0; ++ dest->children = NULL; ++ } else { ++ unsigned int i; ++ int cn; ++ dest->name = NULL; ++ dest->numchildren = dtd->scaffold[src_node].childcnt; ++ dest->children = &dest[1]; ++ ++ /* Push children to the stack ++ * in a way where the first child ends up at the top of the ++ * (downwards growing) stack, in order to be processed first. */ ++ stackTop -= dest->numchildren; ++ for (i = 0, cn = dtd->scaffold[src_node].firstchild; ++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) { ++ (stackTop + i)->numchildren = (unsigned int)cn; ++ } ++ } ++ } + +- build_node(parser, 0, ret, &cpos, &str); + return ret; + } + diff --git a/main/expat/CVE-2022-25314.patch b/main/expat/CVE-2022-25314.patch new file mode 100644 index 00000000000..25674a43837 --- /dev/null +++ b/main/expat/CVE-2022-25314.patch @@ -0,0 +1,25 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/d477fdd284468f2ab822024e75702f2c1b254f42 +From efcb347440ade24b9f1054671e6bd05e60b4cafd Mon Sep 17 00:00:00 2001 +From: Samanta Navarro <ferivoz@riseup.net> +Date: Tue, 15 Feb 2022 11:56:57 +0000 +Subject: [PATCH] Prevent integer overflow in copyString + +The copyString function is only used for encoding string supplied by +the library user. +--- + expat/lib/xmlparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 4b43e613..a39377c2 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7412,7 +7412,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr, + + static XML_Char * + copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { +- int charsRequired = 0; ++ size_t charsRequired = 0; + XML_Char *result; + + /* First determine how long the string is */ diff --git a/main/expat/CVE-2022-25315.patch b/main/expat/CVE-2022-25315.patch new file mode 100644 index 00000000000..fe0e8f298a2 --- /dev/null +++ b/main/expat/CVE-2022-25315.patch @@ -0,0 +1,139 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/89214940efd13e3b83fa078fd70eb4dbdc04c4a5 +From eb0362808b4f9f1e2345a0cf203b8cc196d776d9 Mon Sep 17 00:00:00 2001 +From: Samanta Navarro <ferivoz@riseup.net> +Date: Tue, 15 Feb 2022 11:55:46 +0000 +Subject: [PATCH] Prevent integer overflow in storeRawNames + +It is possible to use an integer overflow in storeRawNames for out of +boundary heap writes. Default configuration is affected. If compiled +with XML_UNICODE then the attack does not work. Compiling with +-fsanitize=address confirms the following proof of concept. + +The problem can be exploited by abusing the m_buffer expansion logic. +Even though the initial size of m_buffer is a power of two, eventually +it can end up a little bit lower, thus allowing allocations very close +to INT_MAX (since INT_MAX/2 can be surpassed). This means that tag +names can be parsed which are almost INT_MAX in size. + +Unfortunately (from an attacker point of view) INT_MAX/2 is also a +limitation in string pools. Having a tag name of INT_MAX/2 characters +or more is not possible. + +Expat can convert between different encodings. UTF-16 documents which +contain only ASCII representable characters are twice as large as their +ASCII encoded counter-parts. + +The proof of concept works by taking these three considerations into +account: + +1. Move the m_buffer size slightly below a power of two by having a + short root node <a>. This allows the m_buffer to grow very close + to INT_MAX. +2. The string pooling forbids tag names longer than or equal to + INT_MAX/2, so keep the attack tag name smaller than that. +3. To be able to still overflow INT_MAX even though the name is + limited at INT_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag + which only contains ASCII characters. UTF-16 always stores two + bytes per character while the tag name is converted to using only + one. Our attack node byte count must be a bit higher than + 2/3 INT_MAX so the converted tag name is around INT_MAX/3 which + in sum can overflow INT_MAX. + +Thanks to our small root node, m_buffer can handle 2/3 INT_MAX bytes +without running into INT_MAX boundary check. The string pooling is +able to store INT_MAX/3 as tag name because the amount is below +INT_MAX/2 limitation. And creating the sum of both eventually overflows +in storeRawNames. + +Proof of Concept: + +1. Compile expat with -fsanitize=address. + +2. Create Proof of Concept binary which iterates through input + file 16 MB at once for better performance and easier integer + calculations: + +``` +cat > poc.c << EOF + #include <err.h> + #include <expat.h> + #include <stdlib.h> + #include <stdio.h> + + #define CHUNK (16 * 1024 * 1024) + int main(int argc, char *argv[]) { + XML_Parser parser; + FILE *fp; + char *buf; + int i; + + if (argc != 2) + errx(1, "usage: poc file.xml"); + if ((parser = XML_ParserCreate(NULL)) == NULL) + errx(1, "failed to create expat parser"); + if ((fp = fopen(argv[1], "r")) == NULL) { + XML_ParserFree(parser); + err(1, "failed to open file"); + } + if ((buf = malloc(CHUNK)) == NULL) { + fclose(fp); + XML_ParserFree(parser); + err(1, "failed to allocate buffer"); + } + i = 0; + while (fread(buf, CHUNK, 1, fp) == 1) { + printf("iteration %d: XML_Parse returns %d\n", ++i, + XML_Parse(parser, buf, CHUNK, XML_FALSE)); + } + free(buf); + fclose(fp); + XML_ParserFree(parser); + return 0; + } +EOF +gcc -fsanitize=address -lexpat -o poc poc.c +``` + +3. Construct specially prepared UTF-16 XML file: + +``` +dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml +echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml +echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368 +iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml +``` + +4. Run proof of concept: + +``` +./poc poc-utf16.xml +``` +--- + expat/lib/xmlparse.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 4b43e613..f34d6ab5 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2563,6 +2563,7 @@ storeRawNames(XML_Parser parser) { + while (tag) { + int bufSize; + int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1); ++ size_t rawNameLen; + char *rawNameBuf = tag->buf + nameLen; + /* Stop if already stored. Since m_tagStack is a stack, we can stop + at the first entry that has already been copied; everything +@@ -2574,7 +2575,11 @@ storeRawNames(XML_Parser parser) { + /* For re-use purposes we need to ensure that the + size of tag->buf is a multiple of sizeof(XML_Char). + */ +- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); ++ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); ++ /* Detect and prevent integer overflow. */ ++ if (rawNameLen > (size_t)INT_MAX - nameLen) ++ return XML_FALSE; ++ bufSize = nameLen + (int)rawNameLen; + if (bufSize > tag->bufEnd - tag->buf) { + char *temp = (char *)REALLOC(parser, tag->buf, bufSize); + if (temp == NULL) diff --git a/main/expat/CVE-2022-40674.patch b/main/expat/CVE-2022-40674.patch new file mode 100644 index 00000000000..eae104c38c9 --- /dev/null +++ b/main/expat/CVE-2022-40674.patch @@ -0,0 +1,156 @@ +From 7802454a5548fbe3037db316adbeeabb596b9255 Mon Sep 17 00:00:00 2001 +From: Rhodri James <rhodri@wildebeest.org.uk> +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH 1/2] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. + +(cherry picked from commit 4a32da87e931ba54393d465bb77c40b5c33d343b) +--- + expat/lib/xmlparse.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index dfc316ca..d8e324e8 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5277,9 +5277,14 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, + s, end, nextPtr, + (XML_Bool)! parser->m_parsingStatus.finalBuffer); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + +-- +2.37.3 + + +From cff3c9a5e43bc929e43ccd35425c3db8cd21d4de Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Sun, 11 Sep 2022 19:34:33 +0200 +Subject: [PATCH 2/2] tests: Cover heap use-after-free issue in doContent + +(cherry picked from commit a7ce80a013f2a08cb1ac4aac368f2250eea03ebf) +--- + expat/tests/runtests.c | 74 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 74 insertions(+) + +diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c +index 2490d86b..70fb583a 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -4904,6 +4904,78 @@ START_TEST(test_suspend_resume_internal_entity) { + } + END_TEST + ++void ++suspending_comment_handler(void *userData, const XML_Char *data) { ++ UNUSED_P(data); ++ XML_Parser parser = (XML_Parser)userData; ++ XML_StopParser(parser, XML_TRUE); ++} ++ ++START_TEST(test_suspend_resume_internal_entity_issue_629) { ++ const char *const text ++ = "<!DOCTYPE a [<!ENTITY e '<!--COMMENT-->a'>]><a>&e;<b>\n" ++ "<" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "/>" ++ "</b></a>"; ++ const size_t firstChunkSizeBytes = 54; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetUserData(parser, parser); ++ XML_SetCommentHandler(parser, suspending_comment_handler); ++ ++ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE) ++ != XML_STATUS_SUSPENDED) ++ xml_failure(parser); ++ if (XML_ResumeParser(parser) != XML_STATUS_OK) ++ xml_failure(parser); ++ if (XML_Parse(parser, text + firstChunkSizeBytes, ++ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Test syntax error is caught at parse resumption */ + START_TEST(test_resume_entity_with_syntax_error) { + const char *text = "<!DOCTYPE doc [\n" +@@ -11387,6 +11459,8 @@ make_suite(void) { + tcase_add_test(tc_basic, test_partial_char_in_epilog); + tcase_add_test(tc_basic, test_hash_collision); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_suspend_resume_internal_entity); ++ tcase_add_test__ifdef_xml_dtd(tc_basic, ++ test_suspend_resume_internal_entity_issue_629); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_resume_entity_with_syntax_error); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_suspend_resume_parameter_entity); + tcase_add_test(tc_basic, test_restart_on_error); +-- +2.37.3 + diff --git a/main/expat/CVE-2022-43680.patch b/main/expat/CVE-2022-43680.patch new file mode 100644 index 00000000000..de01b1b47ee --- /dev/null +++ b/main/expat/CVE-2022-43680.patch @@ -0,0 +1,118 @@ +Patch-Source: https://github.com/libexpat/libexpat/commit/56967f83d68d5fc750f9e66a9a76756c94c7c173 +From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Tue, 20 Sep 2022 02:44:34 +0200 +Subject: [PATCH 1/3] lib: Fix overeager DTD destruction in + XML_ExternalEntityParserCreate + +--- + expat/lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index aacd6e7fc..57bf103cc 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName, + parserInit(parser, encodingName); + + if (encodingName && ! parser->m_protocolEncodingName) { ++ if (dtd) { ++ // We need to stop the upcoming call to XML_ParserFree from happily ++ // destroying parser->m_dtd because the DTD is shared with the parent ++ // parser and the only guard that keeps XML_ParserFree from destroying ++ // parser->m_dtd is parser->m_isParamEntity but it will be set to ++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). ++ parser->m_dtd = NULL; ++ } + XML_ParserFree(parser); + return NULL; + } + +From 43992e4ae25fc3dc0eec0cd3a29313555d56aee2 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Mon, 19 Sep 2022 18:16:15 +0200 +Subject: [PATCH 2/3] tests: Cover overeager DTD destruction in + XML_ExternalEntityParserCreate + +--- + expat/tests/runtests.c | 49 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c +index 245fe9bda..acb744dd4 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -10208,6 +10208,53 @@ START_TEST(test_alloc_long_notation) { + } + END_TEST + ++static int XMLCALL ++external_entity_parser_create_alloc_fail_handler(XML_Parser parser, ++ const XML_Char *context, ++ const XML_Char *base, ++ const XML_Char *systemId, ++ const XML_Char *publicId) { ++ UNUSED_P(base); ++ UNUSED_P(systemId); ++ UNUSED_P(publicId); ++ ++ if (context != NULL) ++ fail("Unexpected non-NULL context"); ++ ++ // The following number intends to fail the upcoming allocation in line ++ // "parser->m_protocolEncodingName = copyString(encodingName, ++ // &(parser->m_mem));" in function parserInit. ++ allocation_count = 3; ++ ++ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL ++ const XML_Parser ext_parser ++ = XML_ExternalEntityParserCreate(parser, context, encodingName); ++ if (ext_parser != NULL) ++ fail( ++ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory"); ++ ++ allocation_count = ALLOC_ALWAYS_SUCCEED; ++ return XML_STATUS_ERROR; ++} ++ ++START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) { ++ const char *const text = "<!DOCTYPE doc SYSTEM 'foo'><doc/>"; ++ ++ XML_SetExternalEntityRefHandler( ++ g_parser, external_entity_parser_create_alloc_fail_handler); ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ fail("Call to parse was expected to fail"); ++ ++ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING) ++ fail("Call to parse was expected to fail from the external entity handler"); ++ ++ XML_ParserReset(g_parser, NULL); ++} ++END_TEST ++ + static void + nsalloc_setup(void) { + XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free}; +@@ -12401,6 +12448,8 @@ make_suite(void) { + tcase_add_test(tc_alloc, test_alloc_long_public_id); + tcase_add_test(tc_alloc, test_alloc_long_entity_value); + tcase_add_test(tc_alloc, test_alloc_long_notation); ++ tcase_add_test__ifdef_xml_dtd( ++ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail); + + suite_add_tcase(s, tc_nsalloc); + tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown); + +From eedc5f6de8e219130032c8ff2ff17580e18bd0c1 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Wed, 21 Sep 2022 03:32:26 +0200 +Subject: [PATCH 3/3] Changes: Document #649 + +--- + expat/Changes | 5 +++++ + 1 file changed, 5 insertions(+) + diff --git a/main/fcgiwrap/APKBUILD b/main/fcgiwrap/APKBUILD index ec5214f2acd..d96a516a190 100644 --- a/main/fcgiwrap/APKBUILD +++ b/main/fcgiwrap/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=fcgiwrap pkgver=1.1.0 -pkgrel=5 +pkgrel=6 pkgdesc="Simple server for running CGI applications over FastCGI" url="https://github.com/gnosek/fcgiwrap" arch="all" @@ -13,6 +13,7 @@ install="$pkgname.pre-install" makedepends="$depends_dev autoconf libtool automake fcgi-dev" subpackages="$pkgname-doc $pkgname-openrc" source="$pkgname-$pkgver.tar.gz::https://github.com/gnosek/fcgiwrap/archive/$pkgver.tar.gz + no-buffering.patch $pkgname.initd $pkgname.confd" @@ -36,6 +37,9 @@ package() { install -Dm644 $srcdir/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname } -sha512sums="b8d35762d1d3c94a67602290b0092f0c38cffbbcd3dbc16597abf8b92172909b04450c238de2e430e841a17dd47fdd48d6a001f77539966980ef1af61e447ddc fcgiwrap-1.1.0.tar.gz +sha512sums=" +b8d35762d1d3c94a67602290b0092f0c38cffbbcd3dbc16597abf8b92172909b04450c238de2e430e841a17dd47fdd48d6a001f77539966980ef1af61e447ddc fcgiwrap-1.1.0.tar.gz +72ba8a0d044c86cc41358002b1cbb94e77dc81e56669032b474b94d7cde80e6cc5d041a064d79ed98b7db8aee9ffcc8830df88491f14afa251781487a57fd429 no-buffering.patch e6111da1089df43f8656e598edf4e658cd2d70e6066833a2c7a465229723e1edce144cf214bd8f771298d54948b8128012c4ce4d509c9d9307a54e8ef90ff2d8 fcgiwrap.initd -893e9afa92c20c9d0dab68fffc806a1be1f2e28a7e73bbb497316386a9ee083be4bad68a90f660e489311a9812a512b50fb0edb8b9c49b12f6cd266ba53b01a6 fcgiwrap.confd" +893e9afa92c20c9d0dab68fffc806a1be1f2e28a7e73bbb497316386a9ee083be4bad68a90f660e489311a9812a512b50fb0edb8b9c49b12f6cd266ba53b01a6 fcgiwrap.confd +" diff --git a/main/fcgiwrap/no-buffering.patch b/main/fcgiwrap/no-buffering.patch new file mode 100644 index 00000000000..3d5f0038ee9 --- /dev/null +++ b/main/fcgiwrap/no-buffering.patch @@ -0,0 +1,58 @@ +From eb54c65446693366aedfe72f002c6bb4e1a5d748 Mon Sep 17 00:00:00 2001 +From: Richard Stanway <r.stanway@gmail.com> +Date: Thu, 24 Mar 2016 21:34:17 -0500 +Subject: [PATCH] Add environment variable NO_BUFFERING to disable output + buffering + +Fixes #36 +--- + fcgiwrap.8 | 4 ++++ + fcgiwrap.c | 6 ++++++ + 2 files changed, 10 insertions(+) + +diff --git a/fcgiwrap.8 b/fcgiwrap.8 +index bf02c26..892b594 100644 +--- a/fcgiwrap.8 ++++ b/fcgiwrap.8 +@@ -65,6 +65,10 @@ + SCRIPT_FILENAME + .RS + complete path to CGI script. When set, overrides DOCUMENT_ROOT and SCRIPT_NAME ++.RE ++NO_BUFFERING ++.RS ++When set (e.g., to ""), disables output buffering. + + .SH EXAMPLE + The fastest way to see \fBfcgiwrap\fP do something is to launch it at the command line +diff --git a/fcgiwrap.c b/fcgiwrap.c +index b44d8aa..42e3ec9 100644 +--- a/fcgiwrap.c ++++ b/fcgiwrap.c +@@ -191,6 +191,7 @@ struct fcgi_context { + int fd_stderr; + unsigned int reply_state; + pid_t cgi_pid; ++ int unbuffered; + }; + + static void fcgi_finish(struct fcgi_context *fc, const char* msg) +@@ -256,6 +257,10 @@ static const char * fcgi_pass_fd(struct fcgi_context *fc, int *fdp, FCGI_FILE *f + return "writing CGI reply"; + } + } ++ ++ if (fc->unbuffered && FCGI_fflush(ffp)) { ++ return "flushing CGI reply"; ++ } + } else { + if (nread < 0) { + return "reading CGI reply"; +@@ -590,6 +595,7 @@ static void handle_fcgi_request(void) + fc.fd_stderr = pipe_err[0]; + fc.reply_state = REPLY_STATE_INIT; + fc.cgi_pid = pid; ++ fc.unbuffered = !!getenv("NO_BUFFERING"); + + fcgi_pass(&fc); + } diff --git a/main/flac/APKBUILD b/main/flac/APKBUILD index d358fe2167e..2e62156cfb2 100644 --- a/main/flac/APKBUILD +++ b/main/flac/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=flac -pkgver=1.3.3 +pkgver=1.3.4 pkgrel=0 pkgdesc="Free Lossless Audio Codec" url="https://xiph.org/flac/" @@ -12,6 +12,9 @@ makedepends="libogg-dev !libiconv" source="http://downloads.xiph.org/releases/flac/flac-$pkgver.tar.xz" # secfixes: +# 1.3.4-r0: +# - CVE-2020-0499 +# - CVE-2021-0561 # 1.3.2-r2: # - CVE-2017-6888 @@ -47,4 +50,6 @@ package() { install -Dm0644 COPYING.Xiph \ "$pkgdir"/usr/share/licenses/$pkgname/COPYING.Xiph } -sha512sums="d6417e14fab0c41b2df369e5e39ce62a5f588e491af4d465b0162f74e171e5549b2f061867f344bfbf8aaccd246bf5f2acd697e532a2c7901c920c69429b1a28 flac-1.3.3.tar.xz" +sha512sums=" +4a626e8a1bd126e234c0e5061e3b46f3a27c2065fdfa228fd8cf00d3c7fa2c05fafb5cec36acce7bfce4914bfd7db0b2a27ee15decf2d8c4caad630f62d44ec9 flac-1.3.4.tar.xz +" diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD index 6d3aaf337c7..34532ab6c39 100644 --- a/main/freetype/APKBUILD +++ b/main/freetype/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org> pkgname=freetype pkgver=2.10.4 -pkgrel=1 +pkgrel=3 pkgdesc="TrueType font rendering library" url="https://www.freetype.org/" arch="all" @@ -13,9 +13,17 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc" source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.xz 0001-Enable-table-validation-modules.patch subpixel.patch + CVE-2022-27404.patch + CVE-2022-27405.patch + CVE-2022-27406.patch " # secfixes: +# 2.10.4-r3: +# - CVE-2022-27405 +# - CVE-2022-27406 +# 2.10.4-r2: +# - CVE-2022-27404 # 2.10.4-r0: # - CVE-2020-15999 # 2.9-r1: @@ -51,6 +59,11 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="827cda734aa6b537a8bcb247549b72bc1e082a5b32ab8d3cccb7cc26d5f6ee087c19ce34544fa388a1eb4ecaf97600dbabc3e10e950f2ba692617fee7081518f freetype-2.10.4.tar.xz +sha512sums=" +827cda734aa6b537a8bcb247549b72bc1e082a5b32ab8d3cccb7cc26d5f6ee087c19ce34544fa388a1eb4ecaf97600dbabc3e10e950f2ba692617fee7081518f freetype-2.10.4.tar.xz 580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763 0001-Enable-table-validation-modules.patch -72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch" +72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch +a00040fddd30f8b7add990c4614cbe69a04d702c471064eaf1f28b70a24c35e25e430bc8ae1d90f198b3e432d90c8884519db30fab2e41e467892d79f5cdee8f CVE-2022-27404.patch +4e4ed4b325ca8dbbd7362782867901b90eef48cb78d6a030769c33add029d4f61ddafe590c1cca35edd8e2b0c128106b7e01874acf52ac7c2b475f4ca6cf8cdf CVE-2022-27405.patch +574f0a93a022ba8bae4440012dd4062841187e1af4e906e5a8f117549a7e528e9d4a0bd35833294248f3a71b299175cbf6d144231af29d8d2dd350bc7dc5b804 CVE-2022-27406.patch +" diff --git a/main/freetype/CVE-2022-27404.patch b/main/freetype/CVE-2022-27404.patch new file mode 100644 index 00000000000..841ab4c5932 --- /dev/null +++ b/main/freetype/CVE-2022-27404.patch @@ -0,0 +1,44 @@ +Patch-Source: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db +From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl@gnu.org> +Date: Thu, 17 Mar 2022 19:24:16 +0100 +Subject: [PATCH] [sfnt] Avoid invalid face index. + +Fixes #1138. + +* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font): +Check `face_index` before decrementing. +--- + src/sfnt/sfobjs.c | 2 +- + src/sfnt/sfwoff2.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c +index f9d4d3858..9771c35df 100644 +--- a/src/sfnt/sfobjs.c ++++ b/src/sfnt/sfobjs.c +@@ -566,7 +566,7 @@ + face_index = FT_ABS( face_instance_index ) & 0xFFFF; + + /* value -(N+1) requests information on index N */ +- if ( face_instance_index < 0 ) ++ if ( face_instance_index < 0 && face_index > 0 ) + face_index--; + + if ( face_index >= face->ttc_header.count ) +diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c +index cb1e0664a..165b875e5 100644 +--- a/src/sfnt/sfwoff2.c ++++ b/src/sfnt/sfwoff2.c +@@ -2085,7 +2085,7 @@ + /* Validate requested face index. */ + *num_faces = woff2.num_fonts; + /* value -(N+1) requests information on index N */ +- if ( *face_instance_index < 0 ) ++ if ( *face_instance_index < 0 && face_index > 0 ) + face_index--; + + if ( face_index >= woff2.num_fonts ) +-- +GitLab + diff --git a/main/freetype/CVE-2022-27405.patch b/main/freetype/CVE-2022-27405.patch new file mode 100644 index 00000000000..47668676013 --- /dev/null +++ b/main/freetype/CVE-2022-27405.patch @@ -0,0 +1,36 @@ +From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl@gnu.org> +Date: Sat, 19 Mar 2022 06:40:17 +0100 +Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard + `face_index`. + +We must ensure that the cast to `FT_Int` doesn't change the sign. + +Fixes #1139. +--- + src/base/ftobjs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c +index 2c0f0e6c9..10952a6c6 100644 +--- a/src/base/ftobjs.c ++++ b/src/base/ftobjs.c +@@ -2527,6 +2527,15 @@ + #endif + + ++ /* only use lower 31 bits together with sign bit */ ++ if ( face_index > 0 ) ++ face_index &= 0x7FFFFFFFL; ++ else ++ { ++ face_index &= 0x7FFFFFFFL; ++ face_index = -face_index; ++ } ++ + #ifdef FT_DEBUG_LEVEL_TRACE + FT_TRACE3(( "FT_Open_Face: " )); + if ( face_index < 0 ) +-- +GitLab + diff --git a/main/freetype/CVE-2022-27406.patch b/main/freetype/CVE-2022-27406.patch new file mode 100644 index 00000000000..0fdef7d2164 --- /dev/null +++ b/main/freetype/CVE-2022-27406.patch @@ -0,0 +1,27 @@ +From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl@gnu.org> +Date: Sat, 19 Mar 2022 09:37:28 +0100 +Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`. + +Fixes #1140. +--- + src/base/ftobjs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c +index 6492a1517..282c9121a 100644 +--- a/src/base/ftobjs.c ++++ b/src/base/ftobjs.c +@@ -3409,6 +3409,9 @@ + if ( !face ) + return FT_THROW( Invalid_Face_Handle ); + ++ if ( !face->size ) ++ return FT_THROW( Invalid_Size_Handle ); ++ + if ( !req || req->width < 0 || req->height < 0 || + req->type >= FT_SIZE_REQUEST_TYPE_MAX ) + return FT_THROW( Invalid_Argument ); +-- +GitLab + diff --git a/main/gdk-pixbuf/APKBUILD b/main/gdk-pixbuf/APKBUILD index 151936ab6ad..058cd8886de 100644 --- a/main/gdk-pixbuf/APKBUILD +++ b/main/gdk-pixbuf/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Rasmus Thomsen <oss@cogitri.dev> pkgname=gdk-pixbuf pkgver=2.42.4 -pkgrel=0 +pkgrel=1 pkgdesc="GTK+ image loading library" url="https://wiki.gnome.org/Projects/GdkPixbuf" arch="all" @@ -14,7 +14,9 @@ makedepends="tiff-dev libjpeg-turbo-dev gobject-introspection-dev install="$pkgname.pre-deinstall" triggers="$pkgname.trigger=/usr/lib/gdk-pixbuf-2.0/*/loaders" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-dbg" -source="https://download.gnome.org/sources/gdk-pixbuf/${pkgver%.*}/gdk-pixbuf-$pkgver.tar.xz" +source="https://download.gnome.org/sources/gdk-pixbuf/${pkgver%.*}/gdk-pixbuf-$pkgver.tar.xz + $pkgname-fix-gif-overflow.patch::https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6976bdc8ee9dd2c2954f91066f7b0f643769a379.patch + " replaces="gtk+" # secfixes: @@ -59,4 +61,7 @@ dev() { default_dev } -sha512sums="b1eca16719e749d111c33592892ab18e2a1dc5f69a16762860bb54e0c97f535d7049fc388ce9daa025153ff2af56a367d8b164fa4025ee9a0131825a6108f772 gdk-pixbuf-2.42.4.tar.xz" +sha512sums=" +b1eca16719e749d111c33592892ab18e2a1dc5f69a16762860bb54e0c97f535d7049fc388ce9daa025153ff2af56a367d8b164fa4025ee9a0131825a6108f772 gdk-pixbuf-2.42.4.tar.xz +4c5986ac132b1f4315b7473eb705cd084b963553e66bc8ee2a84b7ec5c229989aec4109d867761a417b5272759dd53c33f9185c279d00056d624db82ff9c5b91 gdk-pixbuf-fix-gif-overflow.patch +" diff --git a/main/git/APKBUILD b/main/git/APKBUILD index eac08ff51da..7a3145bd2b8 100644 --- a/main/git/APKBUILD +++ b/main/git/APKBUILD @@ -2,6 +2,13 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> # # secfixes: +# 2.30.6-r0: +# - CVE-2022-39253 +# - CVE-2022-39260 +# 2.30.5-r0: +# - CVE-2022-29187 +# 2.30.3-r0: +# - CVE-2022-24765 # 2.30.2-r0: # - CVE-2021-21300 # 2.26.2-r0: @@ -27,9 +34,10 @@ # - CVE-2017-1000117 # 0: # - CVE-2021-29468 +# - CVE-2021-46101 pkgname=git -pkgver=2.30.2 +pkgver=2.30.6 pkgrel=0 pkgdesc="Distributed version control system" url="https://www.git-scm.com/" @@ -287,7 +295,9 @@ _perl_config() { perl -e "use Config; print \$Config{$1};" } -sha512sums="4f7e1c30f8eee849d1febeda872d56c60c5d051a31726505a4c7bab11b274d3a2ab5588f910b7b49c5c0ec5228a18457f705c7b66e8bbdf809d3c75c59032b7e git-2.30.2.tar.xz +sha512sums=" +6879fce2827b505ef49df69bfd83faac35179bae8b92cfc705260f1e80803a6ee8dbfdd45d2babd1b216ba0b3b5b6c1785f9577332d20f0cab4be898710ca851 git-2.30.6.tar.xz 89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec git-daemon.confd -be5d568fc5b8b84c9afb97b31e471e41f32ccfe188eba0588ea0ef98b2d96c2ce4b2c1a3d70e88205aa4f6667f850b3f32c13bbb149ecddbf670344c162a4e25 fix-t4219-with-sticky-bit.patch" +be5d568fc5b8b84c9afb97b31e471e41f32ccfe188eba0588ea0ef98b2d96c2ce4b2c1a3d70e88205aa4f6667f850b3f32c13bbb149ecddbf670344c162a4e25 fix-t4219-with-sticky-bit.patch +" diff --git a/main/gmp/APKBUILD b/main/gmp/APKBUILD index c5e80d754db..691d934d618 100644 --- a/main/gmp/APKBUILD +++ b/main/gmp/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=gmp pkgver=6.2.1 -pkgrel=0 +pkgrel=1 pkgdesc="free library for arbitrary precision arithmetic" url="https://gmplib.org/" arch="all" @@ -9,9 +9,14 @@ license="LGPL-3.0-or-later OR GPL-2.0-or-later" makedepends="m4 texinfo libtool" subpackages="$pkgname-doc $pkgname-dev libgmpxx" source="https://gmplib.org/download/gmp/gmp-$pkgver.tar.xz + CVE-2021-43618.patch::https://gmplib.org/repo/gmp-6.2/raw-rev/561a9c25298e " replaces="gmp5" +# secfixes: +# 6.2.1-r1: +# - CVE-2021-43618 + prepare() { default_prepare # force update to libtool with fixed cross-build support @@ -51,4 +56,5 @@ doc() { replaces="gmp5-doc" } -sha512sums="c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 gmp-6.2.1.tar.xz" +sha512sums="c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 gmp-6.2.1.tar.xz +3956190d9c266feb62f8965c3cd32d0a9260f76ffb0d3e32211974bb53ddd5c6eaa657f7e00ba8fa7c914c0e1375155d25de6a81cdb9b03d6a5bbc16ac121447 CVE-2021-43618.patch" diff --git a/main/gnupg/APKBUILD b/main/gnupg/APKBUILD index 1142f0067cd..fa535538a56 100644 --- a/main/gnupg/APKBUILD +++ b/main/gnupg/APKBUILD @@ -3,7 +3,7 @@ pkgname=gnupg pkgver=2.2.31 _ver=${pkgver/_beta/-beta} -pkgrel=0 +pkgrel=1 pkgdesc="GNU Privacy Guard 2 - a PGP replacement tool" url="https://www.gnupg.org/" arch="all" @@ -14,6 +14,7 @@ makedepends="gnutls-dev libksba-dev libgcrypt-dev libgpg-error-dev sqlite-dev libusb-dev" subpackages="$pkgname-doc $pkgname-scdaemon" source="https://gnupg.org/ftp/gcrypt/gnupg/gnupg-$_ver.tar.bz2 + CVE-2022-34903.patch 0001-Include-sys-select.h-for-FD_SETSIZE.patch fix-i18n.patch 60-scdaemon.rules @@ -21,6 +22,8 @@ source="https://gnupg.org/ftp/gcrypt/gnupg/gnupg-$_ver.tar.bz2 install="$pkgname-scdaemon.pre-install" # secfixes: +# 2.2.31-r1: +# - CVE-2022-34903 # 2.2.23-r0: # - CVE-2020-25125 # 2.2.18-r0: @@ -76,6 +79,7 @@ scdaemon() { sha512sums=" 2f6fa200e08d6b8993b482e5825bea6083afc8686c4e1ae80386b36ae49e1c2d73066c508edaa359a7794cb26ba7a00f81555a906fa422d1117e41415cfa2fea gnupg-2.2.31.tar.bz2 +658d5ff636f9b45de7501895c299146633c30bc249f94664573ecf847779ea27be853244ceb2cc0e95c0c56253bbb6ccff509027b23f20f003aa018235211a4d CVE-2022-34903.patch c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch b19a44dacf061dd02b439ab8bd820e3c721aab77168f705f5ce65661f26527b03ea88eec16d78486a633c474120589ec8736692ebff57ab9b95f52f57190ba6b fix-i18n.patch 4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules diff --git a/main/gnupg/CVE-2022-34903.patch b/main/gnupg/CVE-2022-34903.patch new file mode 100644 index 00000000000..20bb9a23713 --- /dev/null +++ b/main/gnupg/CVE-2022-34903.patch @@ -0,0 +1,41 @@ +g10: Fix garbled status messages in NOTATION_DATA + +* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one +-- + +Depending on the escaping and line wrapping the computed remaining +buffer length could be wrong. Fixed by always using a break to +terminate the escape detection loop. Might have happened for all +status lines which may wrap. + +GnuPG-bug-id: T6027 + +diff --git a/g10/cpr.c b/g10/cpr.c +index d502e8b52..bc4b715ed 100644 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string, + } + first = 0; + } +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) ++ for (esc=0, s=buffer, n=len; n; s++, n--) + { + if (*s == '%' || *(const byte*)s <= lower_limit + || *(const byte*)s == 127 ) + esc = 1; + if (wrap && ++count > wrap) +- { +- dowrap=1; +- break; +- } +- } +- if (esc) +- { +- s--; n++; ++ dowrap=1; ++ if (esc || dowrap) ++ break; + } + if (s != buffer) + es_fwrite (buffer, s-buffer, 1, statusfp); diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD index 3c72a8194e6..b291f761b7b 100644 --- a/main/gnutls/APKBUILD +++ b/main/gnutls/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=gnutls pkgver=3.7.1 -pkgrel=0 +pkgrel=1 pkgdesc="TLS protocol implementation" url="https://www.gnutls.org/" arch="all" @@ -18,10 +18,13 @@ esac source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz tests-crq.patch tests-certtool.patch + CVE-2022-2509.patch " # Upstream Tracker: https://gnutls.org/security-new.html # secfixes: +# 3.7.1-r1: +# - CVE-2022-2509 GNUTLS-SA-2022-07-07 # 3.7.1-r0: # - CVE-2021-20231 GNUTLS-SA-2021-03-10 # - CVE-2021-20232 GNUTLS-SA-2021-03-10 @@ -75,6 +78,9 @@ xx() { mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/ } -sha512sums="0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95 gnutls-3.7.1.tar.xz +sha512sums=" +0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95 gnutls-3.7.1.tar.xz 3e7d872963cc25e49f1ecf98de7d6f3b6b22d2c1c9e982bc4b22ce658c11d8567903728e5aa33ce7b6d3e25fe0b7a75b8aca3e8f53838155af5abe23887d33fa tests-crq.patch -3cc35bf7dcf6b7963d59bc346f68e0004151e409899b50e98ba5c675e753ade19a7baf317449343688b1bb2905ef8c8a5677dfe819e701b5bd82374d99adeb65 tests-certtool.patch" +3cc35bf7dcf6b7963d59bc346f68e0004151e409899b50e98ba5c675e753ade19a7baf317449343688b1bb2905ef8c8a5677dfe819e701b5bd82374d99adeb65 tests-certtool.patch +a790a23b064196763de6cc8683b7c2ff70a5d7a3caad57aa339ed92318480aabf746de86124fecf4b3fc509a5416cb34fec6c308c9141b113b0e968c7dcf20eb CVE-2022-2509.patch +" diff --git a/main/gnutls/CVE-2022-2509.patch b/main/gnutls/CVE-2022-2509.patch new file mode 100644 index 00000000000..02c4088e6cc --- /dev/null +++ b/main/gnutls/CVE-2022-2509.patch @@ -0,0 +1,32 @@ +Patch-Source: https://github.com/gnutls/gnutls/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2 +news/tests trimmed +--- +From ce37f9eb265dbe9b6d597f5767449e8ee95848e2 Mon Sep 17 00:00:00 2001 +From: Zoltan Fridrich <zfridric@redhat.com> +Date: Fri, 22 Jul 2022 12:00:11 +0200 +Subject: [PATCH] Fix double free during gnutls_pkcs7_verify + +Signed-off-by: Zoltan Fridrich <zfridric@redhat.com> +--- + .gitignore | 1 + + NEWS | 4 + + lib/x509/pkcs7.c | 3 +- + tests/Makefile.am | 2 +- + tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++ + 5 files changed, 223 insertions(+), 2 deletions(-) + create mode 100644 tests/pkcs7-verify-double-free.c + +diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c +index 3227bf3a25..ff8cab0158 100644 +--- a/lib/x509/pkcs7.c ++++ b/lib/x509/pkcs7.c +@@ -1322,7 +1322,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl, + issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags); + + if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) { +- if (prev) gnutls_x509_crt_deinit(prev); ++ if (prev && prev != signer) ++ gnutls_x509_crt_deinit(prev); + prev = issuer; + break; + } diff --git a/main/gzip/APKBUILD b/main/gzip/APKBUILD index bdb30df8d5f..92a548f46d6 100644 --- a/main/gzip/APKBUILD +++ b/main/gzip/APKBUILD @@ -1,15 +1,19 @@ # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=gzip -pkgver=1.10 -pkgrel=1 +pkgver=1.12 +pkgrel=0 pkgdesc="Popular data compression program" subpackages="$pkgname-doc" url="https://www.gnu.org/software/gzip/" arch="all" license="GPL-3.0-or-later" depends="less" -source="https://ftp.gnu.org/gnu/gzip/gzip-$pkgver.tar.gz" +source="https://ftp.gnu.org/gnu/gzip/gzip-$pkgver.tar.xz" + +# secfixes: +# 1.12-r0: +# - CVE-2022-1271 build() { # avoid text relocation @@ -42,4 +46,6 @@ package() { ln -sf /bin/gunzip "$pkgdir"/usr/bin/uncompress } -sha512sums="7939043e74554ced0c1c05d354ab4eb36cd6dce89ad79d02ccdc5ed6b7ee390759689b2d47c07227b9b44a62851afe7c76c4cae9f92527d999f3f1b4df1cccff gzip-1.10.tar.gz" +sha512sums=" +116326fe991828227de150336a0c016f4fe932dfbb728a16b4a84965256d9929574a4f5cfaf3cf6bb4154972ef0d110f26ab472c93e62ec9a5fd7a5d65abea24 gzip-1.12.tar.xz +" diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD index 7c73e016e64..5ff3fce9150 100644 --- a/main/haproxy/APKBUILD +++ b/main/haproxy/APKBUILD @@ -4,7 +4,7 @@ pkgname=haproxy # NOTE: Upgrade only to LTS versions announced on upstream site url! # Using LTS versions is easier to keep it in good shape for stable releases -pkgver=2.2.17 +pkgver=2.2.25 _pkgmajorver=${pkgver%.*} pkgrel=0 pkgdesc="A TCP/HTTP reverse proxy for high availability environments" @@ -21,6 +21,8 @@ source="https://www.haproxy.org/download/$_pkgmajorver/src/haproxy-$pkgver.tar.g haproxy.cfg" # secfixes: +# 2.2.21-r0: +# - CVE-2022-0711 # 2.1.4-r0: # - CVE-2020-11100 @@ -57,7 +59,7 @@ package() { } sha512sums=" -174197e1e0915a6ae6062b9a070f16102ac7f3429f991f36cdb2e2cce587bd26059bd1dc71a368f904bcdecd292ab5926715160400ae96d498d902aac356864f haproxy-2.2.17.tar.gz +652a0d2eef0706ec506a949c560d7b99d111a75519daaa9a31ab53d99d7fdfc584c52d8401f257bb8f8ac58fc51f1403467749438fde684f064d616a2b4485a2 haproxy-2.2.25.tar.gz 4aa8fc812079baf1d17cf9484a9b44568c3dd94f35243a57a4a7868e7f88146a4e94c80ea8ab86f1b08a524567e269a3ec119b67fc679f6bd0d9f1c70ce4f080 haproxy.initd 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg " diff --git a/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch b/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch new file mode 100644 index 00000000000..9f4b0c29599 --- /dev/null +++ b/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch @@ -0,0 +1,318 @@ +From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Tue, 27 Aug 2019 16:33:15 +0300 +Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions + +These are needed for implementing SAE hash-to-element. + +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +--- + src/crypto/crypto.h | 45 ++++++++++++++++++ + src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++ + src/crypto/crypto_wolfssl.c | 66 ++++++++++++++++++++++++++ + 3 files changed, 205 insertions(+) + +diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h +index 15f8ad04cea4..68476dbce96c 100644 +--- a/src/crypto/crypto.h ++++ b/src/crypto/crypto.h +@@ -518,6 +518,13 @@ struct crypto_bignum * crypto_bignum_init(void); + */ + struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len); + ++/** ++ * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint) ++ * @val: Value to set ++ * Returns: Pointer to allocated bignum or %NULL on failure ++ */ ++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val); ++ + /** + * crypto_bignum_deinit - Free bignum + * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set() +@@ -612,6 +619,19 @@ int crypto_bignum_div(const struct crypto_bignum *a, + const struct crypto_bignum *b, + struct crypto_bignum *c); + ++/** ++ * crypto_bignum_addmod - d = a + b (mod c) ++ * @a: Bignum ++ * @b: Bignum ++ * @c: Bignum ++ * @d: Bignum; used to store the result of (a + b) % c ++ * Returns: 0 on success, -1 on failure ++ */ ++int crypto_bignum_addmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ const struct crypto_bignum *c, ++ struct crypto_bignum *d); ++ + /** + * crypto_bignum_mulmod - d = a * b (mod c) + * @a: Bignum +@@ -625,6 +645,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, + const struct crypto_bignum *c, + struct crypto_bignum *d); + ++/** ++ * crypto_bignum_sqrmod - c = a^2 (mod b) ++ * @a: Bignum ++ * @b: Bignum ++ * @c: Bignum; used to store the result of a^2 % b ++ * Returns: 0 on success, -1 on failure ++ */ ++int crypto_bignum_sqrmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c); ++ ++/** ++ * crypto_bignum_sqrtmod - returns sqrt(a) (mod b) ++ * @a: Bignum ++ * @b: Bignum ++ * @c: Bignum; used to store the result ++ * Returns: 0 on success, -1 on failure ++ */ ++int crypto_bignum_sqrtmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c); ++ + /** + * crypto_bignum_rshift - r = a >> n + * @a: Bignum +@@ -731,6 +773,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e); + */ + const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e); + ++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e); ++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e); ++ + /** + * struct crypto_ec_point - Elliptic curve point + * +diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c +index bab33a537293..ed463105e8f1 100644 +--- a/src/crypto/crypto_openssl.c ++++ b/src/crypto/crypto_openssl.c +@@ -1283,6 +1283,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) + } + + ++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val) ++{ ++ BIGNUM *bn; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ bn = BN_new(); ++ if (!bn) ++ return NULL; ++ if (BN_set_word(bn, val) != 1) { ++ BN_free(bn); ++ return NULL; ++ } ++ return (struct crypto_bignum *) bn; ++} ++ ++ + void crypto_bignum_deinit(struct crypto_bignum *n, int clear) + { + if (clear) +@@ -1449,6 +1467,28 @@ int crypto_bignum_div(const struct crypto_bignum *a, + } + + ++int crypto_bignum_addmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ const struct crypto_bignum *c, ++ struct crypto_bignum *d) ++{ ++ int res; ++ BN_CTX *bnctx; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ bnctx = BN_CTX_new(); ++ if (!bnctx) ++ return -1; ++ res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, ++ (const BIGNUM *) c, bnctx); ++ BN_CTX_free(bnctx); ++ ++ return res ? 0 : -1; ++} ++ ++ + int crypto_bignum_mulmod(const struct crypto_bignum *a, + const struct crypto_bignum *b, + const struct crypto_bignum *c, +@@ -1472,6 +1512,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, + } + + ++int crypto_bignum_sqrmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c) ++{ ++ int res; ++ BN_CTX *bnctx; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ bnctx = BN_CTX_new(); ++ if (!bnctx) ++ return -1; ++ res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, ++ bnctx); ++ BN_CTX_free(bnctx); ++ ++ return res ? 0 : -1; ++} ++ ++ ++int crypto_bignum_sqrtmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c) ++{ ++ BN_CTX *bnctx; ++ BIGNUM *res; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ bnctx = BN_CTX_new(); ++ if (!bnctx) ++ return -1; ++ res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, ++ bnctx); ++ BN_CTX_free(bnctx); ++ ++ return res ? 0 : -1; ++} ++ ++ + int crypto_bignum_rshift(const struct crypto_bignum *a, int n, + struct crypto_bignum *r) + { +@@ -1682,6 +1764,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) + } + + ++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) e->a; ++} ++ ++ ++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) e->b; ++} ++ ++ + void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) + { + if (clear) +diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c +index 4cedab4367cd..e9894b335e53 100644 +--- a/src/crypto/crypto_wolfssl.c ++++ b/src/crypto/crypto_wolfssl.c +@@ -1042,6 +1042,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) + } + + ++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val) ++{ ++ mp_int *a; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ a = (mp_int *) crypto_bignum_init(); ++ if (!a) ++ return NULL; ++ ++ if (mp_set_int(a, val) != MP_OKAY) { ++ os_free(a); ++ a = NULL; ++ } ++ ++ return (struct crypto_bignum *) a; ++} ++ ++ + void crypto_bignum_deinit(struct crypto_bignum *n, int clear) + { + if (!n) +@@ -1168,6 +1188,19 @@ int crypto_bignum_div(const struct crypto_bignum *a, + } + + ++int crypto_bignum_addmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ const struct crypto_bignum *c, ++ struct crypto_bignum *d) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c, ++ (mp_int *) d) == MP_OKAY ? 0 : -1; ++} ++ ++ + int crypto_bignum_mulmod(const struct crypto_bignum *a, + const struct crypto_bignum *b, + const struct crypto_bignum *m, +@@ -1181,6 +1214,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, + } + + ++int crypto_bignum_sqrmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_sqrmod((mp_int *) a, (mp_int *) b, ++ (mp_int *) c) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_sqrtmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c) ++{ ++ /* TODO */ ++ return -1; ++} ++ ++ + int crypto_bignum_rshift(const struct crypto_bignum *a, int n, + struct crypto_bignum *r) + { +@@ -1386,6 +1440,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) + } + + ++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) &e->a; ++} ++ ++ ++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) &e->b; ++} ++ ++ + void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) + { + ecc_point *point = (ecc_point *) p; +-- +2.25.1 + diff --git a/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch b/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch new file mode 100644 index 00000000000..6c8509b8c20 --- /dev/null +++ b/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch @@ -0,0 +1,72 @@ +From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Fri, 7 Jan 2022 13:47:16 +0200 +Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function + +This is a backport of "SAE: Move sqrt() implementation into a helper +function" to introduce the helper function needed for the following +patches. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++ + src/common/dragonfly.h | 2 ++ + 2 files changed, 36 insertions(+) + +diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c +index 547be66f1561..1e842716668e 100644 +--- a/src/common/dragonfly.c ++++ b/src/common/dragonfly.c +@@ -213,3 +213,37 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order, + "dragonfly: Unable to get randomness for own scalar"); + return -1; + } ++ ++ ++/* res = sqrt(val) */ ++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val, ++ struct crypto_bignum *res) ++{ ++ const struct crypto_bignum *prime; ++ struct crypto_bignum *tmp, *one; ++ int ret = 0; ++ u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN]; ++ size_t prime_len; ++ ++ /* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */ ++ ++ prime = crypto_ec_get_prime(ec); ++ prime_len = crypto_ec_prime_len(ec); ++ tmp = crypto_bignum_init(); ++ one = crypto_bignum_init_uint(1); ++ ++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), ++ prime_len) < 0 || ++ (prime_bin[prime_len - 1] & 0x03) != 3 || ++ !tmp || !one || ++ /* tmp = (p+1)/4 */ ++ crypto_bignum_add(prime, one, tmp) < 0 || ++ crypto_bignum_rshift(tmp, 2, tmp) < 0 || ++ /* res = sqrt(val) */ ++ crypto_bignum_exptmod(val, tmp, prime, res) < 0) ++ ret = -1; ++ ++ crypto_bignum_deinit(tmp, 0); ++ crypto_bignum_deinit(one, 0); ++ return ret; ++} +diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h +index ec3dd593eda4..84d67f575c54 100644 +--- a/src/common/dragonfly.h ++++ b/src/common/dragonfly.h +@@ -27,5 +27,7 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order, + struct crypto_bignum *_rand, + struct crypto_bignum *_mask, + struct crypto_bignum *scalar); ++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val, ++ struct crypto_bignum *res); + + #endif /* DRAGONFLY_H */ +-- +2.25.1 + diff --git a/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch b/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch new file mode 100644 index 00000000000..f2a9cb3a9fe --- /dev/null +++ b/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch @@ -0,0 +1,99 @@ +From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Fri, 7 Jan 2022 13:47:16 +0200 +Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own + implementation + +The crypto_ec_point_solve_y_coord() wrapper function might not use +constant time operations in the crypto library and as such, could leak +side channel information about the password that is used to generate the +PWE in the hunting and pecking loop. As such, calculate the two possible +y coordinate values and pick the correct one to use with constant time +selection. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/common/sae.c | 47 +++++++++++++++++++++++++++++++++-------------- + 1 file changed, 33 insertions(+), 14 deletions(-) + +diff --git a/src/common/sae.c b/src/common/sae.c +index 08fdbfd18173..8d79ed962768 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -286,14 +286,16 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, + int pwd_seed_odd = 0; + u8 prime[SAE_MAX_ECC_PRIME_LEN]; + size_t prime_len; +- struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL; ++ struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL; + u8 x_bin[SAE_MAX_ECC_PRIME_LEN]; + u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN]; + u8 qr_bin[SAE_MAX_ECC_PRIME_LEN]; + u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN]; ++ u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN]; + int res = -1; + u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* + * mask */ ++ unsigned int is_eq; + + os_memset(x_bin, 0, sizeof(x_bin)); + +@@ -402,25 +404,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, + goto fail; + } + +- if (!sae->tmp->pwe_ecc) +- sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec); +- if (!sae->tmp->pwe_ecc) +- res = -1; +- else +- res = crypto_ec_point_solve_y_coord(sae->tmp->ec, +- sae->tmp->pwe_ecc, x, +- pwd_seed_odd); +- if (res < 0) { +- /* +- * This should not happen since we already checked that there +- * is a result. +- */ ++ /* y = sqrt(x^3 + ax + b) mod p ++ * if LSB(save) == LSB(y): PWE = (x, y) ++ * else: PWE = (x, p - y) ++ * ++ * Calculate y and the two possible values for PWE and after that, ++ * use constant time selection to copy the correct alternative. ++ */ ++ y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x); ++ if (!y || ++ dragonfly_sqrt(sae->tmp->ec, y, y) < 0 || ++ crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN, ++ prime_len) < 0 || ++ crypto_bignum_sub(sae->tmp->prime, y, y) < 0 || ++ crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN, ++ SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) { + wpa_printf(MSG_DEBUG, "SAE: Could not solve y"); ++ goto fail; ++ } ++ ++ is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01); ++ const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN, ++ prime_len, x_y + prime_len); ++ os_memcpy(x_y, x_bin, prime_len); ++ wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len); ++ crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); ++ sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y); ++ if (!sae->tmp->pwe_ecc) { ++ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE"); ++ res = -1; + } + + fail: ++ forced_memzero(x_y, sizeof(x_y)); + crypto_bignum_deinit(qr, 0); + crypto_bignum_deinit(qnr, 0); ++ crypto_bignum_deinit(y, 1); + os_free(dummy_password); + bin_clear_free(tmp_password, password_len); + crypto_bignum_deinit(x, 1); +-- +2.25.1 + diff --git a/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch b/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch new file mode 100644 index 00000000000..71d22b0864b --- /dev/null +++ b/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch @@ -0,0 +1,113 @@ +From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Fri, 7 Jan 2022 18:52:27 +0200 +Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own + implementation + +The crypto_ec_point_solve_y_coord() wrapper function might not use +constant time operations in the crypto library and as such, could leak +side channel information about the password that is used to generate the +PWE in the hunting and pecking loop. As such, calculate the two possible +y coordinate values and pick the correct one to use with constant time +selection. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/eap_common/eap_pwd_common.c | 46 ++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 10 deletions(-) + +diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c +index 2b2b8efdbd01..ff22b29b087a 100644 +--- a/src/eap_common/eap_pwd_common.c ++++ b/src/eap_common/eap_pwd_common.c +@@ -127,7 +127,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; + u8 x_bin[MAX_ECC_PRIME_LEN]; + u8 prime_bin[MAX_ECC_PRIME_LEN]; +- struct crypto_bignum *tmp2 = NULL; ++ u8 x_y[2 * MAX_ECC_PRIME_LEN]; ++ struct crypto_bignum *tmp2 = NULL, *y = NULL; + struct crypto_hash *hash; + unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; + int ret = 0, res; +@@ -139,6 +140,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + u8 found_ctr = 0, is_odd = 0; + int cmp_prime; + unsigned int in_range; ++ unsigned int is_eq; + + if (grp->pwe) + return -1; +@@ -151,11 +153,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), + primebytelen) < 0) + return -1; +- grp->pwe = crypto_ec_point_init(grp->group); +- if (!grp->pwe) { +- wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums"); +- goto fail; +- } + + if ((prfbuf = os_malloc(primebytelen)) == NULL) { + wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " +@@ -261,10 +258,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + */ + crypto_bignum_deinit(x_candidate, 1); + x_candidate = crypto_bignum_init_set(x_bin, primebytelen); +- if (!x_candidate || +- crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate, +- is_odd) != 0) { +- wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y"); ++ if (!x_candidate) ++ goto fail; ++ ++ /* y = sqrt(x^3 + ax + b) mod p ++ * if LSB(y) == LSB(pwd-seed): PWE = (x, y) ++ * else: PWE = (x, p - y) ++ * ++ * Calculate y and the two possible values for PWE and after that, ++ * use constant time selection to copy the correct alternative. ++ */ ++ y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate); ++ if (!y || ++ dragonfly_sqrt(grp->group, y, y) < 0 || ++ crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 || ++ crypto_bignum_sub(prime, y, y) < 0 || ++ crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN, ++ MAX_ECC_PRIME_LEN, primebytelen) < 0) { ++ wpa_printf(MSG_DEBUG, "SAE: Could not solve y"); ++ goto fail; ++ } ++ ++ /* Constant time selection of the y coordinate from the two ++ * options */ ++ is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01); ++ const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN, ++ primebytelen, x_y + primebytelen); ++ os_memcpy(x_y, x_bin, primebytelen); ++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen); ++ grp->pwe = crypto_ec_point_from_bin(grp->group, x_y); ++ if (!grp->pwe) { ++ wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE"); + goto fail; + } + +@@ -289,6 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + /* cleanliness and order.... */ + crypto_bignum_deinit(x_candidate, 1); + crypto_bignum_deinit(tmp2, 1); ++ crypto_bignum_deinit(y, 1); + crypto_bignum_deinit(qr, 1); + crypto_bignum_deinit(qnr, 1); + bin_clear_free(prfbuf, primebytelen); +@@ -296,6 +321,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + os_memset(qnr_bin, 0, sizeof(qnr_bin)); + os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin)); + os_memset(pwe_digest, 0, sizeof(pwe_digest)); ++ forced_memzero(x_y, sizeof(x_y)); + + return ret; + } +-- +2.25.1 + diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD index 848cd883e69..7d122c95eda 100644 --- a/main/hostapd/APKBUILD +++ b/main/hostapd/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=hostapd pkgver=2.9 -pkgrel=3 +pkgrel=4 pkgdesc="daemon for wireless software access points" url="https://w1.fi/hostapd/" arch="all" @@ -16,11 +16,19 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch CVE-2021-30004.patch::https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15 + + 0001-crypto-Add-more-bignum-EC-helper-functions.patch + 0002-dragonfly-Add-sqrt-helper-function.patch + 0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch + 0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch " options="!check" #no testsuite builddir="$srcdir"/$pkgname-$pkgver/hostapd # secfixes: +# 2.9-r4: +# - CVE-2022-23303 +# - CVE-2022-23304 # 2.9-r3: # - CVE-2021-30004 # 2.9-r2: @@ -103,11 +111,17 @@ package() { && install -Dm644 hostapd_cli.1 \ "$pkgdir"/usr/share/man/man1/hostapd_cli } -sha512sums="66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c hostapd-2.9.tar.gz +sha512sums=" +66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c hostapd-2.9.tar.gz b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd 0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd 63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch b76bbca282a74ef16c0303e5dbd2ccd33a62461595964d52c1481b0bfa4f41deacde56830b85409b288803b87ceb6f33cf0ccc69c5b17ec632c2d4784b872f3c 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch 00cc739e78c42353a555c0de2f29defecff372927040e14407a231d1ead7ff32a37c9fd46bea7cdf1c24e3ac891bc3d483800d44fc6d2c8a12d2ae886523b12c 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch 69243af20cdcfa837c51917a3723779f4825e11436fb83311355b4ffe8f7a4b7a5747a976f7bf923038c410c9e9055b13b866d9a396913ad08bdec3a70e9f6e0 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch -88608529763a6fd9e8cb1e9c9a35630dc2e311a260e023e2a69002d0db700d5f58fc7723a00433b4ea895b92c371cf1db221f38742490b4ed9b4b049892b65e1 CVE-2021-30004.patch" +88608529763a6fd9e8cb1e9c9a35630dc2e311a260e023e2a69002d0db700d5f58fc7723a00433b4ea895b92c371cf1db221f38742490b4ed9b4b049892b65e1 CVE-2021-30004.patch +540ddb5ddde8aa8e2292ab01f632b63ac2e390aecd63506ac4e736b4677125d10be44c4dee153f135e51b510e6b62d4926f921e4bbd117ed0864b5becc9b873e 0001-crypto-Add-more-bignum-EC-helper-functions.patch +77402d5917144850d3d521b6f880c942de809d058eb09c6e79e5d54898165e21c06eb997eb089f9bf3f9ef387bc8b3697e62f1a80dbb319892a72e5b5f0ff14c 0002-dragonfly-Add-sqrt-helper-function.patch +9dd05d81597a13552d094735dd6da0e298e2c372ee0ed0f191ead149dd5ec32f4002f2950d327fdebfd942ba47ec87c5064f6cd512eef41867e9568a75e61352 0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch +55879aacd970ba6a926ed6936204e8507736551aa24d8d384d80d790da8c7362dd80f247b84e8bb51ea527fa516d37163d5b82bc595a85a432116cc5e042606e 0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch +" diff --git a/main/intel-ucode/APKBUILD b/main/intel-ucode/APKBUILD index 00bb0b57aac..7bab0c59c4d 100644 --- a/main/intel-ucode/APKBUILD +++ b/main/intel-ucode/APKBUILD @@ -1,16 +1,53 @@ # Maintainer: Marian Buschsieweke <marian.buschsieweke@ovgu.de> pkgname=intel-ucode -pkgver=20210608 +pkgver=20220809 pkgrel=0 pkgdesc="Microcode update files for Intel CPUs" arch="x86 x86_64" -url="https://downloadcenter.intel.com/SearchResult.aspx?lang=eng&keyword=%22microcode%22" +url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files" license="custom" makedepends="iucode-tool" source="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-$pkgver.tar.gz" options="!check" builddir="$srcdir/Intel-Linux-Processor-Microcode-Data-Files-microcode-$pkgver" +# (Taken from https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md) +# secfixes: +# 20220809-r0: +# - CVE-2022-21233 +# 20220510-r0: +# - CVE-2022-21151 +# 20220207-r0: +# - CVE-2021-0127 +# - CVE-2021-0146 +# 20210608-r0: +# - CVE-2020-24489 +# - CVE-2020-24511 +# - CVE-2020-24513 +# 20210216-r0: +# - CVE-2020-8698 +# 20201112-r0: +# - CVE-2020-8694 +# - CVE-2020-8698 +# 20201110-r0: +# - CVE-2020-8694 +# - CVE-2020-8698 +# 20200609-r0: +# - CVE-2020-0548 +# 20191113-r0: +# - CVE-2019-11135 +# 20191112-r0: +# - CVE-2018-12126 +# - CVE-2019-11135 +# 20190918-r0: +# - CVE-2019-11135 +# 20190618-r0: +# - CVE-2018-12126 +# 20190514a-r0: +# - CVE-2018-12126 +# - CVE-2017-5754 +# - CVE-2017-5753 + build() { rm -f intel-ucode/list intel-ucode-with-caveats/list mkdir -p kernel/x86/microcode @@ -25,4 +62,6 @@ package() { install -Dm644 license "$pkgdir"/usr/share/licenses/$pkgname/LICENSE } -sha512sums="61acd2e76aa019fa0002fbf56c503791080a937ff93d81e020f8f0cc089dc08928b4c7e9884f713b886e2f9d4a8409fea59e39f628ef534a588515e1c3fc861d microcode-20210608.tar.gz" +sha512sums=" +1c91df1cbba33953f4ad19cc53215cad843c61a08509596fad32a84b4f0012d9d29bce64b58eb405c345af7f646d5982e45227570ce3605780be6e8bf31a63e1 microcode-20220809.tar.gz +" diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD index 966042ad101..f9a9af34d86 100644 --- a/main/krb5/APKBUILD +++ b/main/krb5/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=krb5 -pkgver=1.18.4 +pkgver=1.18.5 pkgrel=0 pkgdesc="The Kerberos network authentication system" url="https://web.mit.edu/kerberos/www/" @@ -30,6 +30,8 @@ source="https://web.mit.edu/kerberos/dist/krb5/$_maj_min/krb5-$pkgver.tar.gz builddir="$srcdir/$pkgname-$pkgver/src" # secfixes: +# 1.18.5-r0: +# - CVE-2021-37750 # 1.18.4-r0: # - CVE-2021-36222 # 1.18.3-r0: @@ -118,7 +120,7 @@ libs() { } sha512sums=" -7d9f1e937ba122f5af1340b5025420903a4cc3692bdf4093289921ad09b3fd02c8684b65a783d4b397ba15c4cf29c728cbf24a6405c5fff72fb882137703539e krb5-1.18.4.tar.gz +7fd25944ac66074bf21465824f226aa3456a253a7517e7d3cacb7664103b8b033076cc23ee7c7806e7c9f884747c05eac5b1f1cf771b3d1989e5129c36de4bb2 krb5-1.18.5.tar.gz 5c62cbcbf1ef0462323f3392a362b42ed301967a1de80ddcb27eece4fad23efeeb5f04f5af521cfffff36b918bb93813262aa62785e59d6cb5af437a2c9e886d mit-krb5_krb5-config_LDFLAGS.patch 43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd diff --git a/main/ldb/APKBUILD b/main/ldb/APKBUILD index d3ddbf41e04..6c9b7d472bb 100644 --- a/main/ldb/APKBUILD +++ b/main/ldb/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=ldb -pkgver=2.2.1 +pkgver=2.2.3 pkgrel=0 pkgdesc="A schema-less, ldap like, API and database" url="https://ldb.samba.org/" @@ -11,6 +11,7 @@ makedepends="libtirpc-dev tevent-dev py3-tevent tdb-dev py3-tdb talloc-dev subpackages="$pkgname-dev py3-$pkgname:_py3 $pkgname-tools $pkgname-doc" source="https://www.samba.org/ftp/pub/ldb/ldb-$pkgver.tar.gz disable-compile-error-test.patch + skip-failing-tests.patch " # secfixes: @@ -21,6 +22,7 @@ _waf=buildtools/bin/waf case "$CARCH" in ppc64le) options="$options !check" ;; + armhf|armv7|x86) export DEB_HOST_ARCH_BITS=32 ;; esac build() { @@ -57,5 +59,8 @@ tools() { mv "$pkgdir"/usr/lib/ldb/libldb-cmdline.* "$subpkgdir"/usr/lib/ldb/ } -sha512sums="a2b1598869e3d9f17c5b82fc2b7289f1f08a7378a1d72609af5ed5cc91fb571ac67d3a8c22d64dad5dcc9fe32520baccd5cc37d5b4fc5f1b00a7064902296344 ldb-2.2.1.tar.gz -ed55d5151bbcaf5c0a1b70a1f44b461a501ad94ce02ee97e3ea10c560ce3656a190510697bbd3c5b6f70a74519bf7c0a91210bcb415ffd97d9440045e10a02e8 disable-compile-error-test.patch" +sha512sums=" +0fdda9e033cbd04d6b50c76ecf044068353d2abf50c5c9d9c804b8b9e70f6d85bf925ac984a38c2b7a159a384bfc94e5232b05a32cdbc9299dc43930d1b6a985 ldb-2.2.3.tar.gz +ed55d5151bbcaf5c0a1b70a1f44b461a501ad94ce02ee97e3ea10c560ce3656a190510697bbd3c5b6f70a74519bf7c0a91210bcb415ffd97d9440045e10a02e8 disable-compile-error-test.patch +08e6a0b075dc40c8d1c9ac12fcf72c0601d3ec128a56915be88336754b876580d52f64e94bf9157e82810a9afe2eb6cdb7be0e999fd88a5e70e70dd71ce1dab5 skip-failing-tests.patch +" diff --git a/main/ldb/skip-failing-tests.patch b/main/ldb/skip-failing-tests.patch new file mode 100644 index 00000000000..0b32f2bd95e --- /dev/null +++ b/main/ldb/skip-failing-tests.patch @@ -0,0 +1,35 @@ +From 38f5e8e09a7ae641b3669068b10c6bd966e46632 Mon Sep 17 00:00:00 2001 +From: Mathieu Parent <math.parent@gmail.com> +Date: Thu, 4 Nov 2021 22:46:15 +0100 +Subject: [PATCH] Skip failing tests (on 32-bit architectures) + +See https://bugzilla.samba.org/show_bug.cgi?id=14558#c17 +--- + tests/python/api.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tests/python/api.py b/tests/python/api.py +index 8d154aa..e1de40c 100755 +--- a/tests/python/api.py ++++ b/tests/python/api.py +@@ -44,6 +44,9 @@ class NoContextTests(TestCase): + self.assertEqual("19700101000000.0Z", ldb.timestring(0)) + self.assertEqual("20071119191012.0Z", ldb.timestring(1195499412)) + ++ if os.environ.get('DEB_HOST_ARCH_BITS', '64') == '32': ++ self.skipTest('Test failing on 32-bit') ++ + self.assertEqual("00000101000000.0Z", ldb.timestring(-62167219200)) + self.assertEqual("99991231235959.0Z", ldb.timestring(253402300799)) + +@@ -62,6 +65,9 @@ class NoContextTests(TestCase): + self.assertEqual(0, ldb.string_to_time("19700101000000.0Z")) + self.assertEqual(1195499412, ldb.string_to_time("20071119191012.0Z")) + ++ if os.environ.get('DEB_HOST_ARCH_BITS', '64') == '32': ++ self.skipTest('Test failing on 32-bit') ++ + self.assertEqual(-62167219200, ldb.string_to_time("00000101000000.0Z")) + self.assertEqual(253402300799, ldb.string_to_time("99991231235959.0Z")) + +-- diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD index 88a813794c3..cfecc03b66a 100644 --- a/main/libarchive/APKBUILD +++ b/main/libarchive/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Sergei Lukin <sergej.lukin@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libarchive -pkgver=3.5.2 +pkgver=3.5.3 pkgrel=0 pkgdesc="library that can create and read several streaming archive formats" url="https://libarchive.org/" @@ -13,6 +13,9 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-tools" source="https://libarchive.org/downloads/libarchive-$pkgver.tar.xz" # secfixes: +# 3.5.3-r0: +# - CVE-2021-31566 +# - CVE-2021-36976 # 3.4.2-r0: # - CVE-2020-19221 # - CVE-2020-9308 @@ -42,5 +45,5 @@ tools() { } sha512sums=" -ac7c47f9ddfe5d4d5db6ca9c1bcba788af95662bf0e54ca5426fe66cd8262896e12acc426eecdf0e0d6681c180bcd37f4c4469619273607e95399c7f49b61c7c libarchive-3.5.2.tar.xz +90da8508cbaf4e187234e70ded9522316db35c3843eb6d51e8676088d9db68b13490d53eb05c6dbf6df78496319ce2a4bd4e4a3a1b83240a57b58492aceb4c7f libarchive-3.5.3.tar.xz " diff --git a/main/libtirpc/APKBUILD b/main/libtirpc/APKBUILD index bfc7c783301..18f11c275e7 100644 --- a/main/libtirpc/APKBUILD +++ b/main/libtirpc/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libtirpc pkgver=1.3.1 -pkgrel=0 +pkgrel=1 pkgdesc="Transport Independent RPC library (SunRPC replacement)" url="https://sourceforge.net/projects/libtirpc" arch="all" @@ -11,17 +11,22 @@ depends="$pkgname-conf" depends_dev="krb5-dev bsd-compat-headers" makedepends="$depends_dev autoconf automake libtool linux-headers" subpackages=" + $pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc - $pkgname-dbg $pkgname-conf::noarch $pkgname-nokrb " source="https://sourceforge.net/projects/libtirpc/files/libtirpc/$pkgver/libtirpc-$pkgver.tar.bz2 soname-suffix.patch + CVE-2021-46828.patch " +# secfixes: +# 1.3.1-r1: +# - CVE-2021-46828 + prepare() { default_prepare autoreconf -fi @@ -63,5 +68,8 @@ nokrb() { amove usr/lib/libtirpc-nokrb.* } -sha512sums="131f746800ac7280cc3900597018fc8dbc8da50c14e29dbaccf36a6d110eded117351108c6b069eaac90d77cfec17014b08e9afddcf153fda2d780ba64260cbc libtirpc-1.3.1.tar.bz2 -8bd50cab1e34a88f4f82ae722bdd60839212173a0ac6ceef21dee4dceea37a9fa2953b8a40068918b3c0d95b476111f0d7f19830efd3e4bff1ec5e72a5f9fade soname-suffix.patch" +sha512sums=" +131f746800ac7280cc3900597018fc8dbc8da50c14e29dbaccf36a6d110eded117351108c6b069eaac90d77cfec17014b08e9afddcf153fda2d780ba64260cbc libtirpc-1.3.1.tar.bz2 +8bd50cab1e34a88f4f82ae722bdd60839212173a0ac6ceef21dee4dceea37a9fa2953b8a40068918b3c0d95b476111f0d7f19830efd3e4bff1ec5e72a5f9fade soname-suffix.patch +6dd683c5c83772de71918c3f5e61500e7455bb55d68e4ea55592fc64bb3f42bfc5275f56e835aa61cd21a1a3a8e76d5c2ec68809c404839e5d04f6f86263566d CVE-2021-46828.patch +" diff --git a/main/libtirpc/CVE-2021-46828.patch b/main/libtirpc/CVE-2021-46828.patch new file mode 100644 index 00000000000..00210463819 --- /dev/null +++ b/main/libtirpc/CVE-2021-46828.patch @@ -0,0 +1,181 @@ +Patch-Source: https://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed +garbage trimmed +--- +From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001 +From: Dai Ngo <dai.ngo@oracle.com> +Date: Sat, 21 Aug 2021 13:16:23 -0400 +Subject: [PATCH 1/1] Fix DoS vulnerability in libtirpc + +Currently svc_run does not handle poll timeout and rendezvous_request +does not handle EMFILE error returned from accept(2 as it used to. +These two missing functionality were removed by commit b2c9430f46c4. + +The effect of not handling poll timeout allows idle TCP conections +to remain ESTABLISHED indefinitely. When the number of connections +reaches the limit of the open file descriptors (ulimit -n) then +accept(2) fails with EMFILE. Since there is no handling of EMFILE +error this causes svc_run() to get in a tight loop calling accept(2). +This resulting in the RPC service of svc_run is being down, it's +no longer able to service any requests. + +RPC service rpcbind, statd and mountd are effected by this +problem. + +Fix by enhancing rendezvous_request to keep the number of +SVCXPRT conections to 4/5 of the size of the file descriptor +table. When this thresold is reached, it destroys the idle +TCP connections or destroys the least active connection if +no idle connnction was found. + +Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc +Signed-off-by: dai.ngo@oracle.com +Signed-off-by: Steve Dickson <steved@redhat.com> +--- + INSTALL | 371 +---------------------------------------------------------- + src/svc.c | 17 ++- + src/svc_vc.c | 62 +++++++++- + 3 files changed, 78 insertions(+), 372 deletions(-) + mode change 100644 => 120000 INSTALL + +diff --git a/src/svc.c b/src/svc.c +index 6db164b..3a8709f 100644 +--- a/src/svc.c ++++ b/src/svc.c +@@ -57,7 +57,7 @@ + + #define max(a, b) (a > b ? a : b) + +-static SVCXPRT **__svc_xports; ++SVCXPRT **__svc_xports; + int __svc_maxrec; + + /* +@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock) + rwlock_unlock (&svc_fd_lock); + } + ++int ++svc_open_fds() ++{ ++ int ix; ++ int nfds = 0; ++ ++ rwlock_rdlock (&svc_fd_lock); ++ for (ix = 0; ix < svc_max_pollfd; ++ix) { ++ if (svc_pollfd[ix].fd != -1) ++ nfds++; ++ } ++ rwlock_unlock (&svc_fd_lock); ++ return (nfds); ++} ++ + /* + * Add a service program to the callout list. + * The dispatch routine will be called when a rpc request for this +diff --git a/src/svc_vc.c b/src/svc_vc.c +index f1d9f00..3dc8a75 100644 +--- a/src/svc_vc.c ++++ b/src/svc_vc.c +@@ -64,6 +64,8 @@ + + + extern rwlock_t svc_fd_lock; ++extern SVCXPRT **__svc_xports; ++extern int svc_open_fds(); + + static SVCXPRT *makefd_xprt(int, u_int, u_int); + static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *); +@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *); + static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in); + static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq, + void *in); ++static int __svc_destroy_idle(int timeout); + + struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */ + u_int sendsize; +@@ -313,13 +316,14 @@ done: + return (xprt); + } + ++ + /*ARGSUSED*/ + static bool_t + rendezvous_request(xprt, msg) + SVCXPRT *xprt; + struct rpc_msg *msg; + { +- int sock, flags; ++ int sock, flags, nfds, cnt; + struct cf_rendezvous *r; + struct cf_conn *cd; + struct sockaddr_storage addr; +@@ -379,6 +383,16 @@ again: + + gettimeofday(&cd->last_recv_time, NULL); + ++ nfds = svc_open_fds(); ++ if (nfds >= (_rpc_dtablesize() / 5) * 4) { ++ /* destroy idle connections */ ++ cnt = __svc_destroy_idle(15); ++ if (cnt == 0) { ++ /* destroy least active */ ++ __svc_destroy_idle(0); ++ } ++ } ++ + return (FALSE); /* there is never an rpc msg to be processed */ + } + +@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock) + { + return FALSE; + } ++ ++static int ++__svc_destroy_idle(int timeout) ++{ ++ int i, ncleaned = 0; ++ SVCXPRT *xprt, *least_active; ++ struct timeval tv, tdiff, tmax; ++ struct cf_conn *cd; ++ ++ gettimeofday(&tv, NULL); ++ tmax.tv_sec = tmax.tv_usec = 0; ++ least_active = NULL; ++ rwlock_wrlock(&svc_fd_lock); ++ ++ for (i = 0; i <= svc_max_pollfd; i++) { ++ if (svc_pollfd[i].fd == -1) ++ continue; ++ xprt = __svc_xports[i]; ++ if (xprt == NULL || xprt->xp_ops == NULL || ++ xprt->xp_ops->xp_recv != svc_vc_recv) ++ continue; ++ cd = (struct cf_conn *)xprt->xp_p1; ++ if (!cd->nonblock) ++ continue; ++ if (timeout == 0) { ++ timersub(&tv, &cd->last_recv_time, &tdiff); ++ if (timercmp(&tdiff, &tmax, >)) { ++ tmax = tdiff; ++ least_active = xprt; ++ } ++ continue; ++ } ++ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) { ++ __xprt_unregister_unlocked(xprt); ++ __svc_vc_dodestroy(xprt); ++ ncleaned++; ++ } ++ } ++ if (timeout == 0 && least_active != NULL) { ++ __xprt_unregister_unlocked(least_active); ++ __svc_vc_dodestroy(least_active); ++ ncleaned++; ++ } ++ rwlock_unlock(&svc_fd_lock); ++ return (ncleaned); ++} +-- +1.8.3.1 + diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index 45362268c6f..6f7ea8e974a 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter <clandmeter@alpinelinux.org> # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org> pkgname=libxml2 -pkgver=2.9.12 -pkgrel=0 +pkgver=2.9.14 +pkgrel=2 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -17,12 +17,24 @@ if [ -z "$BOOTSTRAP" ]; then py_configure="--with-python=/usr/bin/python3" fi options="!strip" -source="http://xmlsoft.org/sources/libxml2-$pkgver.tar.gz - revert-Make-xmlFreeNodeList-non-recursive.patch +source="https://download.gnome.org/sources/libxml2/${pkgver%.*}/libxml2-$pkgver.tar.xz libxml2-2.9.8-python3-unicode-errors.patch + $pkgname-CVE-2022-3209-1.patch::https://gitlab.gnome.org/GNOME/libxml2/-/commit/5930fe01963136ab92125feec0c6204d9c9225dc.patch + $pkgname-CVE-2022-3209-2.patch::https://gitlab.gnome.org/GNOME/libxml2/-/commit/a82ea25fc83f563c574ddb863d6c17d9c5abdbd2.patch + CVE-2022-40303.patch + CVE-2022-40304.patch " # secfixes: +# 2.9.14-r2: +# - CVE-2022-40303 +# - CVE-2022-40304 +# 2.9.14-r1: +# - CVE-2022-2309 +# 2.9.14-r0: +# - CVE-2022-29824 +# 2.9.13-r0: +# - CVE-2022-23308 # 2.9.11-r0: # - CVE-2021-3541 # 2.9.10-r7: @@ -103,7 +115,10 @@ utils() { } sha512sums=" -df1c6486e80f0fcf3c506f3599bcfb94b620c00d0b5d26831bc983daa78d58ec58b5057b1ec7c1a26c694f40199c6234ee2a6dcabf65abfa10c447cb5705abbd libxml2-2.9.12.tar.gz -347178e432379d543683cba21b902e7305202c03e8dbd724ae395963d677096a5cfc4e345e208d498163ca5174683c167610fc2b297090476038bc2bb7c84b4f revert-Make-xmlFreeNodeList-non-recursive.patch +d08e6cafb289c499fdc5b3a12181e032a34f7a249bc66758859f964d3e71e19fd69be79921e1a9d8ab1e692d15b13f5fae95eeb10c3236974d89e218f5107606 libxml2-2.9.14.tar.xz a205c97fa1488fb8907cfa08b5f82e2055c80b86213dc3cc5c4b526fe6aa786bcc4e4eeb226c44635a1d021307b39e3940f706c42fb60e9e3e9b490a84164df7 libxml2-2.9.8-python3-unicode-errors.patch +17741ee5fcddb1a5d802a90fdbd7bd38a6f6e03ce11c2fe2fb92c0420e94dffd50846c653ffd69425517ccf287ec8830698201dd1cfd34200ea1fd7c5e115de8 libxml2-CVE-2022-3209-1.patch +5c02cc54bf3f1507f2851468397d28922d9d6aac32a8c4b31ca96792da56ba17b8bb3c4e1aca2b4bd720d922d761635d53d29791b0066b3329c48aa0359dbb1e libxml2-CVE-2022-3209-2.patch +feca63825d3678027f9be1b9f7377d95e067ae2ebc7556e4259cb89baa2a93b890fef2280be6db91017e8492eb08752f37f2620d9ef2a4684691d22fc3b3025d CVE-2022-40303.patch +5000106b69d8c10d018f9f5f0942e6565728b3ccbc2830d1f5076651e6e018c30281d481a76dcb5304bbed6f65663a2bff385eec941491b6d950e8de478947b0 CVE-2022-40304.patch " diff --git a/main/libxml2/CVE-2022-40303.patch b/main/libxml2/CVE-2022-40303.patch new file mode 100644 index 00000000000..84f93300f1f --- /dev/null +++ b/main/libxml2/CVE-2022-40303.patch @@ -0,0 +1,615 @@ +From ffaec75809a315457891a0e54f8828bc6e056067 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Thu, 25 Aug 2022 17:43:08 +0200 +Subject: [PATCH] Fix integer overflows with XML_PARSE_HUGE + +Also impose size limits when XML_PARSE_HUGE is set. Limit size of names +to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to +XML_MAX_HUGE_LENGTH (1 billion bytes). + +Move some the length checks to the end of the respective loop to make +them strict. + +xmlParseEntityValue didn't have a length limitation at all. But without +XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. + +Thanks to Maddie Stone working with Google Project Zero for the report! +--- + parser.c | 233 +++++++++++++++++++++++++++++-------------------------- + 1 file changed, 121 insertions(+), 112 deletions(-) + +diff --git a/parser.c b/parser.c +index af2af68..f214c1c 100644 +--- a/parser.c ++++ b/parser.c +@@ -115,6 +115,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); + * * + ************************************************************************/ + ++#define XML_MAX_HUGE_LENGTH 1000000000 ++ + #define XML_PARSER_BIG_ENTITY 1000 + #define XML_PARSER_LOT_ENTITY 5000 + +@@ -565,7 +567,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + errmsg = "Malformed declaration expecting version"; + break; + case XML_ERR_NAME_TOO_LONG: +- errmsg = "Name too long use XML_PARSE_HUGE option"; ++ errmsg = "Name too long"; + break; + #if 0 + case: +@@ -3210,6 +3212,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNameComplex++; +@@ -3275,7 +3280,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } +@@ -3301,13 +3307,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3346,7 +3352,10 @@ const xmlChar * + xmlParseName(xmlParserCtxtPtr ctxt) { + const xmlChar *in; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + GROW; + +@@ -3370,8 +3379,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { + in++; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3392,6 +3400,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + size_t startPosition = 0; + + #ifdef DEBUG +@@ -3412,17 +3423,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ + (xmlIsNameChar(ctxt, c) && (c != ':'))) { + if (count++ > XML_PARSER_CHUNK_SIZE) { +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- return(NULL); +- } + count = 0; + GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + if (c == 0) { +@@ -3440,8 +3447,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3467,7 +3473,10 @@ static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { + const xmlChar *in, *e; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNCName++; +@@ -3492,8 +3501,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3575,6 +3583,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + const xmlChar *cur = *str; + int len = 0, l; + int c; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseStringName++; +@@ -3610,12 +3621,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3629,14 +3634,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + COPY_BUF(l,buffer,len,c); + cur += l; + c = CUR_SCHAR(cur, l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + *str = cur; + return(buffer); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3663,6 +3672,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNmToken++; +@@ -3714,12 +3726,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((max > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3733,6 +3739,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + COPY_BUF(l,buffer,len,c); + NEXTL(l); + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + return(buffer); +@@ -3740,8 +3751,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + } + if (len == 0) + return(NULL); +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); + return(NULL); + } +@@ -3767,6 +3777,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int c, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlChar stop; + xmlChar *ret = NULL; + const xmlChar *cur = NULL; +@@ -3826,6 +3839,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + GROW; + c = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, ++ "entity value too long\n"); ++ goto error; ++ } + } + buf[len] = 0; + if (ctxt->instate == XML_PARSER_EOF) +@@ -3913,6 +3932,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + xmlChar *rep = NULL; + size_t len = 0; + size_t buf_size = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int c, l, in_space = 0; + xmlChar *current = NULL; + xmlEntityPtr ent; +@@ -3944,16 +3966,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + while (((NXT(0) != limit) && /* checked */ + (IS_CHAR(c)) && (c != '<')) && + (ctxt->instate != XML_PARSER_EOF)) { +- /* +- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE +- * special option is given +- */ +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } + if (c == '&') { + in_space = 0; + if (NXT(1) == '#') { +@@ -4101,6 +4113,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } + GROW; + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, ++ "AttValue length too long\n"); ++ goto mem_error; ++ } + } + if (ctxt->instate == XML_PARSER_EOF) + goto error; +@@ -4122,16 +4139,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else + NEXT; + +- /* +- * There we potentially risk an overflow, don't allow attribute value of +- * length more than INT_MAX it is a very reasonable assumption ! +- */ +- if (len >= INT_MAX) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } +- + if (attlen != NULL) *attlen = (int) len; + return(buf); + +@@ -4202,6 +4209,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int cur, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar stop; + int state = ctxt->instate; + int count = 0; +@@ -4229,13 +4239,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); +- xmlFree(buf); +- ctxt->instate = (xmlParserInputState) state; +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4264,6 +4267,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); ++ xmlFree(buf); ++ ctxt->instate = (xmlParserInputState) state; ++ return(NULL); ++ } + } + buf[len] = 0; + ctxt->instate = (xmlParserInputState) state; +@@ -4291,6 +4300,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar cur; + xmlChar stop; + int count = 0; +@@ -4318,12 +4330,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + if (len + 1 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); +- xmlFree(buf); +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4351,6 +4357,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR; + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); ++ xmlFree(buf); ++ return(NULL); ++ } + } + buf[len] = 0; + if (cur != stop) { +@@ -4750,6 +4761,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + int r, rl; + int cur, l; + size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int inputid; + + inputid = ctxt->input->id; +@@ -4795,13 +4809,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + if ((r == '-') && (q == '-')) { + xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment too big found", NULL); +- xmlFree (buf); +- return; +- } + if (len + 5 >= size) { + xmlChar *new_buf; + size_t new_size; +@@ -4839,6 +4846,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + GROW; + cur = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment too big found", NULL); ++ xmlFree (buf); ++ return; ++ } + } + buf[len] = 0; + if (cur == 0) { +@@ -4883,6 +4897,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t size = XML_PARSER_BUFFER_SIZE; + size_t len = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlParserInputState state; + const xmlChar *in; + size_t nbchar = 0; +@@ -4966,8 +4983,7 @@ get_more: + buf[len] = 0; + } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, + "Comment too big found", NULL); + xmlFree (buf); +@@ -5167,6 +5183,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t len = 0; + size_t size = XML_PARSER_BUFFER_SIZE; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int cur, l; + const xmlChar *target; + xmlParserInputState state; +@@ -5242,14 +5261,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + return; + } + count = 0; +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + } + COPY_BUF(l,buf,len,cur); + NEXTL(l); +@@ -5259,15 +5270,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + GROW; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, ++ "PI %s too big found", target); ++ xmlFree(buf); ++ ctxt->instate = state; ++ return; ++ } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + buf[len] = 0; + if (cur != '?') { + xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +@@ -8959,6 +8969,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + const xmlChar *in = NULL, *start, *end, *last; + xmlChar *ret = NULL; + int line, col; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + GROW; + in = (xmlChar *) CUR_PTR; +@@ -8998,8 +9011,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + start = in; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9012,8 +9024,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + if ((*in++ == 0x20) && (*in == 0x20)) break; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9046,16 +9057,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + last = last + delta; + } + end = ctxt->input->end; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); + } + } + } +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9068,8 +9077,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + col++; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9077,8 +9085,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + } + } + last = in; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9768,6 +9775,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + int s, sl; + int cur, l; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + /* Check 2.6.0 was NXT(0) not RAW */ + if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { +@@ -9801,13 +9811,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, +- "CData section too big found", NULL); +- xmlFree (buf); +- return; +- } + tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); + if (tmp == NULL) { + xmlFree(buf); +@@ -9834,6 +9837,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + } + NEXTL(l); + cur = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, ++ "CData section too big found\n"); ++ xmlFree(buf); ++ return; ++ } + } + buf[len] = 0; + ctxt->instate = XML_PARSER_CONTENT; diff --git a/main/libxml2/CVE-2022-40304.patch b/main/libxml2/CVE-2022-40304.patch new file mode 100644 index 00000000000..a2cf68a5e60 --- /dev/null +++ b/main/libxml2/CVE-2022-40304.patch @@ -0,0 +1,101 @@ +From 644a89e080bced793295f61f18aac8cfad6bece2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Wed, 31 Aug 2022 22:11:25 +0200 +Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity + reference cycles + +When an entity reference cycle is detected, the entity content is +cleared by setting its first byte to zero. But the entity content might +be allocated from a dict. In this case, the dict entry becomes corrupted +leading to all kinds of logic errors, including memory errors like +double-frees. + +Stop storing entity content, orig, ExternalID and SystemID in a dict. +These values are unlikely to occur multiple times in a document, so they +shouldn't have been stored in a dict in the first place. + +Thanks to Ned Williamson and Nathan Wachholz working with Google Project +Zero for the report! +--- + entities.c | 55 ++++++++++++++++-------------------------------------- + 1 file changed, 16 insertions(+), 39 deletions(-) + +diff --git a/entities.c b/entities.c +index 7876f708..063a02fa 100644 +--- a/entities.c ++++ b/entities.c +@@ -129,36 +129,19 @@ xmlFreeEntity(xmlEntityPtr entity) + if ((entity->children) && (entity->owner == 1) && + (entity == (xmlEntityPtr) entity->children->parent)) + xmlFreeNodeList(entity->children); +- if (dict != NULL) { +- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) +- xmlFree((char *) entity->name); +- if ((entity->ExternalID != NULL) && +- (!xmlDictOwns(dict, entity->ExternalID))) +- xmlFree((char *) entity->ExternalID); +- if ((entity->SystemID != NULL) && +- (!xmlDictOwns(dict, entity->SystemID))) +- xmlFree((char *) entity->SystemID); +- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) +- xmlFree((char *) entity->URI); +- if ((entity->content != NULL) +- && (!xmlDictOwns(dict, entity->content))) +- xmlFree((char *) entity->content); +- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) +- xmlFree((char *) entity->orig); +- } else { +- if (entity->name != NULL) +- xmlFree((char *) entity->name); +- if (entity->ExternalID != NULL) +- xmlFree((char *) entity->ExternalID); +- if (entity->SystemID != NULL) +- xmlFree((char *) entity->SystemID); +- if (entity->URI != NULL) +- xmlFree((char *) entity->URI); +- if (entity->content != NULL) +- xmlFree((char *) entity->content); +- if (entity->orig != NULL) +- xmlFree((char *) entity->orig); +- } ++ if ((entity->name != NULL) && ++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) ++ xmlFree((char *) entity->name); ++ if (entity->ExternalID != NULL) ++ xmlFree((char *) entity->ExternalID); ++ if (entity->SystemID != NULL) ++ xmlFree((char *) entity->SystemID); ++ if (entity->URI != NULL) ++ xmlFree((char *) entity->URI); ++ if (entity->content != NULL) ++ xmlFree((char *) entity->content); ++ if (entity->orig != NULL) ++ xmlFree((char *) entity->orig); + xmlFree(entity); + } + +@@ -194,18 +177,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, + ret->SystemID = xmlStrdup(SystemID); + } else { + ret->name = xmlDictLookup(dict, name, -1); +- if (ExternalID != NULL) +- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); +- if (SystemID != NULL) +- ret->SystemID = xmlDictLookup(dict, SystemID, -1); ++ ret->ExternalID = xmlStrdup(ExternalID); ++ ret->SystemID = xmlStrdup(SystemID); + } + if (content != NULL) { + ret->length = xmlStrlen(content); +- if ((dict != NULL) && (ret->length < 5)) +- ret->content = (xmlChar *) +- xmlDictLookup(dict, content, ret->length); +- else +- ret->content = xmlStrndup(content, ret->length); ++ ret->content = xmlStrndup(content, ret->length); + } else { + ret->length = 0; + ret->content = NULL; +-- +GitLab + diff --git a/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch b/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch deleted file mode 100644 index 102abdb3134..00000000000 --- a/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch +++ /dev/null @@ -1,64 +0,0 @@ -This is a revert of -https://github.com/GNOME/libxml2/commit/0762c9b69ba01628f72eada1c64ff3d361fb5716 - -This fixes perl-xml-libxslt test suite -https://bugzilla.suse.com/show_bug.cgi?id=1157450 - -diff --git a/tree.c b/tree.c -index 08b1a50..f2b1457 100644 ---- a/tree.c -+++ b/tree.c -@@ -3664,9 +3664,7 @@ xmlNextElementSibling(xmlNodePtr node) { - void - xmlFreeNodeList(xmlNodePtr cur) { - xmlNodePtr next; -- xmlNodePtr parent; - xmlDictPtr dict = NULL; -- size_t depth = 0; - - if (cur == NULL) return; - if (cur->type == XML_NAMESPACE_DECL) { -@@ -3682,21 +3680,16 @@ xmlFreeNodeList(xmlNodePtr cur) { - return; - } - if (cur->doc != NULL) dict = cur->doc->dict; -- while (1) { -- while ((cur->children != NULL) && -- (cur->type != XML_DTD_NODE) && -- (cur->type != XML_ENTITY_REF_NODE)) { -- cur = cur->children; -- depth += 1; -- } -- -+ while (cur != NULL) { - next = cur->next; -- parent = cur->parent; - if (cur->type != XML_DTD_NODE) { - - if ((__xmlRegisterCallbacks) && (xmlDeregisterNodeDefaultValue)) - xmlDeregisterNodeDefaultValue(cur); - -+ if ((cur->children != NULL) && -+ (cur->type != XML_ENTITY_REF_NODE)) -+ xmlFreeNodeList(cur->children); - if (((cur->type == XML_ELEMENT_NODE) || - (cur->type == XML_XINCLUDE_START) || - (cur->type == XML_XINCLUDE_END)) && -@@ -3727,16 +3720,7 @@ xmlFreeNodeList(xmlNodePtr cur) { - DICT_FREE(cur->name) - xmlFree(cur); - } -- -- if (next != NULL) { -- cur = next; -- } else { -- if ((depth == 0) || (parent == NULL)) -- break; -- depth -= 1; -- cur = parent; -- cur->children = NULL; -- } -+ cur = next; - } - } - diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD index 18e3a9782f9..defc4a03d0c 100644 --- a/main/libxslt/APKBUILD +++ b/main/libxslt/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> # Contributor: Francesco Colista <fcolista@alpinelinux.org> pkgname=libxslt -pkgver=1.1.34 +pkgver=1.1.35 pkgrel=0 pkgdesc="XML stylesheet transformation library" url="http://xmlsoft.org/XSLT/" @@ -9,9 +9,11 @@ arch="all" license="custom" makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev" subpackages="$pkgname-dev $pkgname-doc" -source="http://xmlsoft.org/sources/libxslt-$pkgver.tar.gz" +source="https://download.gnome.org/sources/libxslt/${pkgver%.*}/libxslt-$pkgver.tar.xz" # secfixes: +# 1.1.35-r0: +# - CVE-2021-30560 # 1.1.34-r0: # - CVE-2019-13117 # - CVE-2019-13118 @@ -43,4 +45,6 @@ package() { make DESTDIR="$pkgdir" install install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING } -sha512sums="1516a11ad608b04740674060d2c5d733b88889de5e413b9a4e8bf8d1a90d712149df6d2b1345b615f529d7c7d3fa6dae12e544da828b39c7d415e54c0ee0776b libxslt-1.1.34.tar.gz" +sha512sums=" +9dd4a699235f50ae9b75b25137e387471635b4b2da0a4e4380879cd49f1513470fcfbfd775269b066eac513a1ffa6860c77ec42747168e2348248f09f60c8c96 libxslt-1.1.35.tar.xz +" diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD index a546b9c8dc9..f8212d3dda2 100644 --- a/main/lighttpd/APKBUILD +++ b/main/lighttpd/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Valery Kartel <valery.kartel@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=lighttpd -pkgver=1.4.57 +pkgver=1.4.64 pkgrel=0 pkgdesc="Secure, fast, compliant and very flexible web-server" url="https://www.lighttpd.net" @@ -12,7 +12,7 @@ pkgusers="lighttpd" pkggroups="lighttpd" makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua5.3-dev automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev - bsd-compat-headers" + bsd-compat-headers pcre2-dev" subpackages="$pkgname-doc $pkgname-dbg $pkgname-openrc $pkgname-mod_auth $pkgname-mod_webdav" source="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-$pkgver.tar.xz @@ -25,6 +25,10 @@ source="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-$pkgver.t mod_fastcgi.conf mod_fastcgi_fpm.conf" +# secfixes: +# 1.4.64-r0: +# - CVE-2022-22707 + build() { ./configure \ --build=$CBUILD \ @@ -95,7 +99,8 @@ mod_webdav() { _mv_mod mod_webdav } -sha512sums="d6b04b8c75674241e5606305ad34f61941f4bb26f635aa73375c13dbacdccea1415e3aece42ffb32f0c11e0da891459cc4d845a8d4679d357271193657e28567 lighttpd-1.4.57.tar.xz +sha512sums=" +8e2ad0830ff80fcebf0c33600caafb5ab4e9ff6b5073c12572f88a44fdfe85f777fa8b22b2fc2964fecbeb556997ad660867dcee80efb224d63329c8b18ea936 lighttpd-1.4.64.tar.xz f2f3c5c7731550237fd75a8de66275f427eaf897cffff7ac7ef44178328ad8fad6c4ec6654759bfc665cbaf7991ddcdf0aaa916831c8b6aa440192d57b242038 lighttpd.initd 9d2ab5deb7353ebf290e90936b511941df440859c78589d0bcf130ef69a5e9c79e4d318548b6b118df002083c46f7476230a28954b7a10a9dbd05040e02b1291 lighttpd.confd 0536b4f21d2e8659f7831b45998c13d9f6051ae7ecde13be01f372f837d255bfc4e211de48a7686cc743d53aa9c08ab3f10ec19788896dcf8356b90053ca7a16 lighttpd.logrotate @@ -103,4 +108,5 @@ f2f3c5c7731550237fd75a8de66275f427eaf897cffff7ac7ef44178328ad8fad6c4ec6654759bfc a3f2f5763885d7e4f510491b24164e34aaf62bb02daa12991575dc64335c12668355af5bb8d6ce191eb4e9cce95324b1f7c9ba61b323b4e7b50a1e03e021afcf mime-types.conf 27cc638d8068dcf47bd9db44943d1db6c6f4e8e6abd6b42af7cea004b1c093440068541d98c68f8bea70b956713adaf8ed59a4b642dea826ee8620a05f8cfde5 mod_cgi.conf 1d15b84c03fb648a0e67ab5c5411b85478b4454c44bc2959cc96d1700eeadd7ff429520a5f1550db6527267646622dccd3d47d3fd1258869fccaf5c22d4ad4b2 mod_fastcgi.conf -f9efc4b70d825600f5356c30e57d0b6cac11c01739337f7192c09c2cfd96cb76c8328b11d818ea4c2addc1a6d253975b84700106ae75854d55d0df73e220bd2b mod_fastcgi_fpm.conf" +f9efc4b70d825600f5356c30e57d0b6cac11c01739337f7192c09c2cfd96cb76c8328b11d818ea4c2addc1a6d253975b84700106ae75854d55d0df73e220bd2b mod_fastcgi_fpm.conf +" diff --git a/main/linux-lts/APKBUILD b/main/linux-lts/APKBUILD index 87fa348f83a..a0a594a6399 100644 --- a/main/linux-lts/APKBUILD +++ b/main/linux-lts/APKBUILD @@ -2,7 +2,7 @@ _flavor=lts pkgname=linux-${_flavor} -pkgver=5.10.88 +pkgver=5.10.152 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=$pkgver;; @@ -235,16 +235,16 @@ d19365fe94431008768c96a2c88955652f70b6df6677457ee55ee95246a64fdd2c6fed9b3bef37c2 ca5aafac37e0b5f3fcbaf801e12f98beb58ffaf1d8c88f76caff22b059831869b4094e7fdcb6d6860422d6b2d036e072caff460e1feb84bd04d10740ad56265b 0007-pci-hotplug-declare-IDT-bridge-as-hotpluggabl-bridge.patch cbe85cf34e8420c91d2276c2d2aa0ab5023af68e57a1fa613f073f16a76766c67f585eda71c28f232bd0625e0dc8275a9eddc95f49409205dc0dbcc28c9fac1c 0008-pci-spr2803-quirk-to-fix-class-ID.patch 16b2d5b0255b37075ba894fc797673d633395907ce0b93400c5a8bd05b512b5cd040b91000fa41f9240d42afc664a69206597d1e3f754a1aa64b9be21a67f5c6 ampere-mt-jade.patch -89934520a6acb51b20f403cdf0531c54c9bd96ea51ae71597bd7bbb230d0e4cc4e213e6f4abdbdac70770f9d571e6dab18f15a7d205fccc2b0e01a29539f397f config-lts.aarch64 -7586c2c14e3e5d1733ba6b10f9e505884e69ebd73f5660a83d6e0a229067be10bd74fdd3c39f3e86a6d370713e3c515023a98a590804f46092ff8ae7c069b657 config-lts.armv7 -2e1191008bb2e73af4863152cdcd28f8b5ad7e8c383712de32c389b8b34e8cb5453a1875999e035e17e6adc3620372716e0dad2d89f63d4a7f9d4a4c1563f311 config-lts.x86 -7229889327c3aa205956a59266ce7c4ea7a7935e6bd8a833718bfa5c53bd3390214f4e094009f89cf9d53ab7ef71ebd4ea8c9f7d4ce85c321c43bf368ee49f24 config-lts.x86_64 -9f35e146fd04ac383306eef06214da9991dc452f941b53acc6d8922452fbbb432098a0b1eb65a206a69b84f26e1dc21dc6542f74f7f472714e9a9fc50807f6a6 config-lts.ppc64le -2ff28ec6132d54a843a8d83d48d6264622ccaf0bf5b8dfba052328c7370b177bb89a74bcc4c1fbde13a5966dbc76e563b7568747d3319a329f399e45aa73ce3b config-lts.s390x -c3f71766203e547c0bc4390de0389b6593c6cce2a36618a9c683af2cf09e0ec10dec288c0e6bd58eab0c0e1b1d0afceb13c7d8a7a1ef68a5689955a714654567 config-lts.mips64 -a351ed481a3d8346811869fd72ea62541d4e7a5019154022061c9c90765fe33d73ea1c8981acda6d19f57aa796b8450bb0379c2357fd708bc9a97522e428279c config-virt.aarch64 -59d622fc8425995da40bc600fe0013c4e1fabd4d5ffff03de075d798e11d575fc061ce602ec2950f4aacae00b4f61a3195152d3bdf015d7d511609ec451b91d6 config-virt.armv7 -c666e9c8e2b9981cd5bba8196610c4ec364e512935d6f094e41b27189f23568f749562e146b67c8f06f196e235c428f11c5ee78ab5af5e0c42cfdad081b26267 config-virt.ppc64le -dbfec3bbdd6a2920ffeb677d672dc85f0bc7b76a4a10eca5c092799b22cf887c441ee5db314f65e1634ec9f6a625a99bf289864989172d0cbb8f2a8042d3cb9e config-virt.x86 -0968137fe44b8200095f9c72d42dd87a6456087350622928790a5d5f46182d285b4f2214f7d57d30aefeeb8a373487b92eb717ed8914612e23d288ac8ce1dce2 config-virt.x86_64 -ff571d7a15a2fbcfaef10f226b71c5c614a627841db9b2d5cc90036ee8fe02930d832fe38db323e582863439d0578d3ab85d25fbcc98a8953579a5b90133ab55 patch-5.10.88.xz" +04e77eec5e4cbf8e06603732e37fe0b12508ab9a230bff96c7db69c97aa87c38c06ae99da699bf61a5d581d174ff20c0b8ed2b088f444804c53b86819ec1d620 config-lts.aarch64 +4128829f32d5989e3d3cd98b58aa6f1a3a5b1bbfa1ef216bd9095b5ce7db9dac08c79291d1fc3f7a551fa1db0c08911a7e864c692f949db69e47e0c347a92e10 config-lts.armv7 +0cd73a668d501621628abeb38c6b2fe102d3b2ccd574a1484ceeb24edc5c404007d950f1ea8f8a3f13be46e041ced5532b9a4f281c4f60e07e338de7f1987eb5 config-lts.x86 +c78baca77df2565a372f979994baacf924d2e15214d3b8119f1c0f53c0402a74a8a242482b72a32b5fde52ea9f253a6e3369a15b32f1e17755cd28f767249ebb config-lts.x86_64 +e95af61f8475440befde14fa467ff97885b7c6cf1de34e28bd2de1b850f1b6a71474afaa3028bfedfba9d41f241a998632ccca90576da93f7032c1bb9e3840e3 config-lts.ppc64le +fb08461e28756ce77d24df4b1ad8371f181f9929e8f7a0efd3bd3504f20215a72aaa8a9cf46e0eee46b5f63fed2b0b95d187327f9eb4e4a1afd3b999db54510e config-lts.s390x +ff7a360c837191b84d5939ea0ec210385bbe7cc21b0b8d313757d8b635e9797fabc35e8d864fdae6045b93fae6c4beb954c631f1580d4b871cac53916c761b25 config-lts.mips64 +d47270163d926f673348144b33b70136ad0ffe97dc01daed12c8908b3a7760fa8a51da9515dbdf3e2a2eb6d18aa0b228e7a4e36bd34587593ce5eaa05ff50738 config-virt.aarch64 +6f662e21699d41ffaadf471cb5b4adc49d3e2fefa80475b03309b157fcb626183950c1c6be5ead91ee742286d9dea0398905a178af1faff058057cf844b06ee0 config-virt.armv7 +3a466ee82ae5e8647696022e1dae2fa64fea89aecbb9f2bfa1c856f03eaa3eeb9c0713df1ee15ca87b097ab9c0b9f843fa6ad69f477bf55b4b76d440880b0616 config-virt.ppc64le +fa1da5eaa799e3e2062e01eed9aa7dc68cd356cc65515361851396e177f365151e7549ce3e98150a099ee2eb204870d350265e1db1234af7b0941606e20ce9dc config-virt.x86 +25fc991d6cf69d4b7671431dd0f0ed746e2596a68864751a5fa05c735287180cfd591842bebc3945118418f3f4dbaa188d48df522f856db80ec6af613fd8c898 config-virt.x86_64 +7a484b59e6ec83859b659cf305dfab9805622c8d54304c050d8029cfa37ea434e597a40b7c00954ed4b951ff8cabe809542771eaf5c1bc681186ae60cc4e8420 patch-5.10.152.xz" diff --git a/main/linux-lts/config-lts.aarch64 b/main/linux-lts/config-lts.aarch64 index dc9f07cad92..440cac7aff9 100644 --- a/main/linux-lts/config-lts.aarch64 +++ b/main/linux-lts/config-lts.aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.10.61 Kernel Configuration +# Linux/arm64 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -218,6 +218,7 @@ CONFIG_BPF_SYSCALL=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y @@ -353,6 +354,7 @@ CONFIG_ARM64_ERRATUM_1286807=y CONFIG_ARM64_ERRATUM_1463225=y CONFIG_ARM64_ERRATUM_1542419=y CONFIG_ARM64_ERRATUM_1508412=y +CONFIG_ARM64_ERRATUM_2457168=y CONFIG_CAVIUM_ERRATUM_22375=y CONFIG_CAVIUM_ERRATUM_23144=y CONFIG_CAVIUM_ERRATUM_23154=y @@ -413,6 +415,7 @@ CONFIG_XEN_DOM0=y CONFIG_XEN=y CONFIG_FORCE_MAX_ZONEORDER=11 CONFIG_UNMAP_KERNEL_AT_EL0=y +CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY=y CONFIG_RODATA_FULL_DEFAULT_ENABLED=y # CONFIG_ARM64_SW_TTBR0_PAN is not set CONFIG_ARM64_TAGGED_ADDR_ABI=y @@ -796,6 +799,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -3541,7 +3548,6 @@ CONFIG_MISDN_AVMFRITZ=m # CONFIG_MISDN_W6692 is not set # CONFIG_MISDN_NETJET is not set CONFIG_MISDN_IPAC=m -# CONFIG_NVM is not set # # Input device support @@ -3955,10 +3961,9 @@ CONFIG_TCG_XEN=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -5743,7 +5748,6 @@ CONFIG_DRM_AMD_ACP=y # CONFIG_DRM_AMD_DC=y # CONFIG_DRM_AMD_DC_HDCP is not set -# CONFIG_DRM_AMD_DC_SI is not set # end of Display Engine Configuration # CONFIG_HSA_AMD is not set @@ -6069,6 +6073,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y @@ -6627,7 +6632,7 @@ CONFIG_I2C_HID=m CONFIG_USB_OHCI_LITTLE_ENDIAN=y CONFIG_USB_SUPPORT=y -CONFIG_USB_COMMON=y +CONFIG_USB_COMMON=m CONFIG_USB_LED_TRIG=y CONFIG_USB_ULPI_BUS=m CONFIG_USB_CONN_GPIO=m @@ -7570,6 +7575,7 @@ CONFIG_ASHMEM=y # CONFIG_FIREWIRE_SERIAL is not set # CONFIG_GS_FPGABOOT is not set # CONFIG_UNISYSSPAR is not set +# CONFIG_COMMON_CLK_XLNX_CLKWZRD is not set # CONFIG_FB_TFT is not set CONFIG_FSL_DPAA2=y CONFIG_FSL_DPAA2_ETHSW=m @@ -9057,6 +9063,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -9227,26 +9237,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_ALLWINNER=y CONFIG_CRYPTO_DEV_SUN4I_SS=m @@ -9348,6 +9338,28 @@ CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y CONFIG_INDIRECT_PIO=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-lts.armv7 b/main/linux-lts/config-lts.armv7 index 7f995d6650b..d13f3e76abc 100644 --- a/main/linux-lts/config-lts.armv7 +++ b/main/linux-lts/config-lts.armv7 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 5.10.61 Kernel Configuration +# Linux/arm 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -195,6 +195,7 @@ CONFIG_ELF_CORE=y CONFIG_BASE_FULL=y CONFIG_FUTEX=y CONFIG_FUTEX_PI=y +CONFIG_HAVE_FUTEX_CMPXCHG=y CONFIG_EPOLL=y CONFIG_SIGNALFD=y CONFIG_TIMERFD=y @@ -208,6 +209,7 @@ CONFIG_KALLSYMS=y CONFIG_KALLSYMS_ALL=y CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_BPF_SYSCALL=y +# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set CONFIG_USERMODE_DRIVER=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set @@ -491,6 +493,7 @@ CONFIG_SWP_EMULATE=y # CONFIG_CPU_BPREDICT_DISABLE is not set CONFIG_CPU_SPECTRE=y CONFIG_HARDEN_BRANCH_PREDICTOR=y +CONFIG_HARDEN_BRANCH_HISTORY=y CONFIG_KUSER_HELPERS=y CONFIG_VDSO=y CONFIG_OUTER_CACHE=y @@ -568,7 +571,6 @@ CONFIG_SCHED_HRTICK=y CONFIG_ARM_PATCH_IDIV=y CONFIG_AEABI=y # CONFIG_OABI_COMPAT is not set -CONFIG_ARCH_HAS_HOLES_MEMORYMODEL=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y CONFIG_ARCH_FLATMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_ENABLE=y @@ -585,6 +587,7 @@ CONFIG_ALIGNMENT_TRAP=y CONFIG_PARAVIRT=y CONFIG_PARAVIRT_TIME_ACCOUNTING=y # CONFIG_XEN is not set +CONFIG_STACKPROTECTOR_PER_TASK=y # end of Kernel Features # @@ -846,6 +849,11 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set +CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -1887,6 +1895,7 @@ CONFIG_DEBUG_DEVRES=y # CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set # CONFIG_TEST_ASYNC_DRIVER_PROBE is not set CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y CONFIG_SOC_BUS=y CONFIG_REGMAP=y CONFIG_REGMAP_I2C=m @@ -2818,7 +2827,6 @@ CONFIG_IEEE802154_MCR20A=m # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -3189,9 +3197,8 @@ CONFIG_HW_RANDOM_TPM=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set # CONFIG_XILLYBUS is not set -# end of Character devices - # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -5061,6 +5068,7 @@ CONFIG_HDMI=y # CONFIG_DUMMY_CONSOLE=y CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y @@ -5535,7 +5543,7 @@ CONFIG_I2C_HID=m CONFIG_USB_OHCI_LITTLE_ENDIAN=y CONFIG_USB_SUPPORT=y -CONFIG_USB_COMMON=y +CONFIG_USB_COMMON=m CONFIG_USB_LED_TRIG=y # CONFIG_USB_ULPI_BUS is not set # CONFIG_USB_CONN_GPIO is not set @@ -6315,6 +6323,7 @@ CONFIG_ASHMEM=y # CONFIG_LTE_GDM724X is not set CONFIG_GS_FPGABOOT=m # CONFIG_UNISYSSPAR is not set +# CONFIG_COMMON_CLK_XLNX_CLKWZRD is not set CONFIG_FB_TFT=m # CONFIG_FB_TFT_AGM1264K_FL is not set # CONFIG_FB_TFT_BD663474 is not set @@ -7617,6 +7626,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -7787,27 +7799,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_ALLWINNER=y CONFIG_CRYPTO_DEV_SUN4I_SS=m @@ -7884,6 +7875,29 @@ CONFIG_RATIONAL=y CONFIG_GENERIC_PCI_IOMAP=y CONFIG_STMP_DEVICE=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-lts.mips64 b/main/linux-lts/config-lts.mips64 index 752c6940f5f..efc1ba0e29e 100644 --- a/main/linux-lts/config-lts.mips64 +++ b/main/linux-lts/config-lts.mips64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/mips 5.10.61 Kernel Configuration +# Linux/mips 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -192,6 +192,7 @@ CONFIG_KALLSYMS=y # CONFIG_KALLSYMS_ALL is not set CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_BPF_SYSCALL=y +# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_KCMP=y @@ -541,6 +542,10 @@ CONFIG_HAVE_SPARSE_SYSCALL_NR=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -1761,7 +1766,6 @@ CONFIG_USB_NET_DRIVERS=y # CONFIG_VMXNET3 is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -1933,9 +1937,8 @@ CONFIG_DEVMEM=y CONFIG_DEVPORT=y # CONFIG_TCG_TPM is not set # CONFIG_XILLYBUS is not set -# end of Character devices - # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -3157,6 +3160,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -3313,24 +3319,6 @@ CONFIG_CRYPTO_JITTERENTROPY=m # CONFIG_CRYPTO_USER_API_RNG is not set # CONFIG_CRYPTO_USER_API_AEAD is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=2 -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y @@ -3363,6 +3351,26 @@ CONFIG_NO_GENERIC_PCI_IOPORT_MAP=y CONFIG_GENERIC_PCI_IOMAP=y CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=2 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/main/linux-lts/config-lts.ppc64le b/main/linux-lts/config-lts.ppc64le index 27feb876ce7..22260ed54ab 100644 --- a/main/linux-lts/config-lts.ppc64le +++ b/main/linux-lts/config-lts.ppc64le @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/powerpc 5.10.61 Kernel Configuration +# Linux/powerpc 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -205,6 +205,7 @@ CONFIG_KALLSYMS=y CONFIG_KALLSYMS_ALL=y CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_BPF_SYSCALL=y +# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_CALLBACKS=y @@ -589,6 +590,9 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -1514,6 +1518,7 @@ CONFIG_PARPORT_PC=m CONFIG_BLK_DEV=y # CONFIG_BLK_DEV_NULL_BLK is not set CONFIG_BLK_DEV_FD=m +# CONFIG_BLK_DEV_FD_RAWCMD is not set CONFIG_CDROM=y # CONFIG_PARIDE is not set # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set @@ -1863,6 +1868,7 @@ CONFIG_WIREGUARD=m # CONFIG_WIREGUARD_DEBUG is not set # CONFIG_EQUALIZER is not set # CONFIG_NET_FC is not set +# CONFIG_IFB is not set # CONFIG_NET_TEAM is not set CONFIG_MACVLAN=m CONFIG_MACVTAP=m @@ -2190,7 +2196,6 @@ CONFIG_USB_NET_DRIVERS=m # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -2411,10 +2416,9 @@ CONFIG_DEVPORT=y # CONFIG_HANGCHECK_TIMER is not set # CONFIG_TCG_TPM is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -2834,7 +2838,6 @@ CONFIG_DRM_AMDGPU=m CONFIG_DRM_AMD_DC=y CONFIG_DRM_AMD_DC_DCN=y # CONFIG_DRM_AMD_DC_HDCP is not set -# CONFIG_DRM_AMD_DC_SI is not set # end of Display Engine Configuration # CONFIG_HSA_AMD is not set @@ -3011,6 +3014,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y @@ -4192,6 +4196,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -4363,24 +4370,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_NX=y CONFIG_CRYPTO_DEV_NX_COMPRESS=y @@ -4431,6 +4420,26 @@ CONFIG_GENERIC_PCI_IOMAP=y CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=y CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-lts.s390x b/main/linux-lts/config-lts.s390x index e80306c09de..f4053a5f6a3 100644 --- a/main/linux-lts/config-lts.s390x +++ b/main/linux-lts/config-lts.s390x @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/s390 5.10.61 Kernel Configuration +# Linux/s390 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -206,6 +206,7 @@ CONFIG_KALLSYMS_ALL=y CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_BPF_SYSCALL=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y +# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_KCMP=y @@ -446,6 +447,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -2083,7 +2088,6 @@ CONFIG_CCWGROUP=m # CONFIG_VMXNET3 is not set # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m -# CONFIG_NVM is not set # # Input device support @@ -2236,10 +2240,9 @@ CONFIG_MONREADER=m CONFIG_MONWRITER=m CONFIG_S390_VMUR=m # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -3018,6 +3021,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -3190,24 +3196,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_ZCRYPT=m # CONFIG_ZCRYPT_DEBUG is not set @@ -3261,6 +3249,26 @@ CONFIG_GENERIC_FIND_FIRST_BIT=y CONFIG_CORDIC=m # CONFIG_PRIME_NUMBERS is not set CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=y CONFIG_CRC16=y CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-lts.x86 b/main/linux-lts/config-lts.x86 index 983cdccde0b..860c07e8acd 100644 --- a/main/linux-lts/config-lts.x86 +++ b/main/linux-lts/config-lts.x86 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.61 Kernel Configuration +# Linux/x86 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -221,6 +221,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y @@ -296,7 +297,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set CONFIG_X86_BIGSMP=y CONFIG_X86_EXTENDED_PLATFORM=y @@ -451,6 +451,10 @@ CONFIG_HOTPLUG_CPU=y CONFIG_MODIFY_LDT_SYSCALL=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_RETPOLINE=y +# CONFIG_RETHUNK is not set CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y # @@ -793,6 +797,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -2135,6 +2143,7 @@ CONFIG_PNPACPI=y CONFIG_BLK_DEV=y # CONFIG_BLK_DEV_NULL_BLK is not set CONFIG_BLK_DEV_FD=m +# CONFIG_BLK_DEV_FD_RAWCMD is not set CONFIG_CDROM=m # CONFIG_PARIDE is not set CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m @@ -3453,7 +3462,6 @@ CONFIG_MISDN_AVMFRITZ=m # CONFIG_MISDN_W6692 is not set # CONFIG_MISDN_NETJET is not set CONFIG_MISDN_IPAC=m -# CONFIG_NVM is not set # # Input device support @@ -3879,10 +3887,9 @@ CONFIG_TCG_CRB=m # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TELCLOCK=m # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -5774,6 +5781,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y @@ -8356,6 +8364,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -8530,24 +8542,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -8613,6 +8607,26 @@ CONFIG_GENERIC_PCI_IOMAP=y CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-lts.x86_64 b/main/linux-lts/config-lts.x86_64 index 6e07b4e7af3..4bf26fdc99c 100644 --- a/main/linux-lts/config-lts.x86_64 +++ b/main/linux-lts/config-lts.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.88 Kernel Configuration +# Linux/x86_64 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -238,6 +238,7 @@ CONFIG_BPF_SYSCALL=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y @@ -317,7 +318,6 @@ CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set CONFIG_X86_EXTENDED_PLATFORM=y # CONFIG_X86_NUMACHIP is not set @@ -478,6 +478,14 @@ CONFIG_HAVE_LIVEPATCH=y CONFIG_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y @@ -2254,6 +2262,7 @@ CONFIG_PNPACPI=y CONFIG_BLK_DEV=y # CONFIG_BLK_DEV_NULL_BLK is not set CONFIG_BLK_DEV_FD=m +# CONFIG_BLK_DEV_FD_RAWCMD is not set CONFIG_CDROM=m # CONFIG_PARIDE is not set CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m @@ -3565,7 +3574,6 @@ CONFIG_MISDN_AVMFRITZ=m # CONFIG_MISDN_W6692 is not set # CONFIG_MISDN_NETJET is not set CONFIG_MISDN_IPAC=m -# CONFIG_NVM is not set # # Input device support @@ -3998,10 +4006,9 @@ CONFIG_TCG_CRB=m # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TELCLOCK=m # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -5879,6 +5886,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y @@ -8533,7 +8541,6 @@ CONFIG_KEY_DH_OPERATIONS=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y -CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_SECURITY_INFINIBAND is not set # CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_PATH=y @@ -8771,28 +8778,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -8858,6 +8843,30 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-virt.aarch64 b/main/linux-lts/config-virt.aarch64 index 83ac3ffe326..a57a2b6f2e7 100644 --- a/main/linux-lts/config-virt.aarch64 +++ b/main/linux-lts/config-virt.aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.10.61 Kernel Configuration +# Linux/arm64 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -211,6 +211,7 @@ CONFIG_BPF_SYSCALL=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y @@ -346,6 +347,7 @@ CONFIG_ARM64_ERRATUM_1286807=y CONFIG_ARM64_ERRATUM_1463225=y CONFIG_ARM64_ERRATUM_1542419=y CONFIG_ARM64_ERRATUM_1508412=y +CONFIG_ARM64_ERRATUM_2457168=y CONFIG_CAVIUM_ERRATUM_22375=y CONFIG_CAVIUM_ERRATUM_23144=y CONFIG_CAVIUM_ERRATUM_23154=y @@ -404,6 +406,7 @@ CONFIG_PARAVIRT=y # CONFIG_XEN is not set CONFIG_FORCE_MAX_ZONEORDER=11 CONFIG_UNMAP_KERNEL_AT_EL0=y +CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY=y CONFIG_RODATA_FULL_DEFAULT_ENABLED=y # CONFIG_ARM64_SW_TTBR0_PAN is not set CONFIG_ARM64_TAGGED_ADDR_ABI=y @@ -766,6 +769,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -2528,7 +2535,6 @@ CONFIG_VMXNET3=m # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -2670,10 +2676,9 @@ CONFIG_DEVMEM=y # CONFIG_DEVPORT is not set # CONFIG_TCG_TPM is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -3406,6 +3411,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # end of Console display driver support @@ -4512,6 +4518,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -4682,26 +4692,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_ATMEL_ECC is not set # CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set @@ -4765,6 +4755,28 @@ CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y # CONFIG_INDIRECT_PIO is not set + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-virt.armv7 b/main/linux-lts/config-virt.armv7 index 78b577091ac..f43295dd2b3 100644 --- a/main/linux-lts/config-virt.armv7 +++ b/main/linux-lts/config-virt.armv7 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 5.10.61 Kernel Configuration +# Linux/arm 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -192,6 +192,7 @@ CONFIG_ELF_CORE=y CONFIG_BASE_FULL=y CONFIG_FUTEX=y CONFIG_FUTEX_PI=y +CONFIG_HAVE_FUTEX_CMPXCHG=y CONFIG_EPOLL=y CONFIG_SIGNALFD=y CONFIG_TIMERFD=y @@ -207,6 +208,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y @@ -395,6 +397,7 @@ CONFIG_SWP_EMULATE=y # CONFIG_CPU_BPREDICT_DISABLE is not set CONFIG_CPU_SPECTRE=y CONFIG_HARDEN_BRANCH_PREDICTOR=y +CONFIG_HARDEN_BRANCH_HISTORY=y CONFIG_KUSER_HELPERS=y CONFIG_VDSO=y CONFIG_OUTER_CACHE=y @@ -486,6 +489,7 @@ CONFIG_ALIGNMENT_TRAP=y CONFIG_PARAVIRT=y # CONFIG_PARAVIRT_TIME_ACCOUNTING is not set # CONFIG_XEN is not set +CONFIG_STACKPROTECTOR_PER_TASK=y # end of Kernel Features # @@ -716,6 +720,11 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set +CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -1658,6 +1667,7 @@ CONFIG_ALLOW_DEV_COREDUMP=y # CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set # CONFIG_TEST_ASYNC_DRIVER_PROBE is not set CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y CONFIG_REGMAP=y CONFIG_REGMAP_MMIO=y CONFIG_DMA_SHARED_BUFFER=y @@ -2383,7 +2393,6 @@ CONFIG_VMXNET3=m # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -2526,9 +2535,8 @@ CONFIG_DEVMEM=y # CONFIG_DEVPORT is not set # CONFIG_TCG_TPM is not set # CONFIG_XILLYBUS is not set -# end of Character devices - # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -3258,6 +3266,7 @@ CONFIG_HDMI=y # CONFIG_DUMMY_CONSOLE=y CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # end of Console display driver support @@ -4321,6 +4330,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -4488,26 +4500,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_HIFN_795X is not set # CONFIG_CRYPTO_DEV_ATMEL_ECC is not set @@ -4555,6 +4547,28 @@ CONFIG_CORDIC=m CONFIG_RATIONAL=y CONFIG_GENERIC_PCI_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-virt.ppc64le b/main/linux-lts/config-virt.ppc64le index c2cad0fbd9a..6b7ba8263cc 100644 --- a/main/linux-lts/config-virt.ppc64le +++ b/main/linux-lts/config-virt.ppc64le @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/powerpc 5.10.61 Kernel Configuration +# Linux/powerpc 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -207,6 +207,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_CALLBACKS=y @@ -583,6 +584,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -2265,7 +2270,6 @@ CONFIG_SLIP_MODE_SLIP6=y # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -2410,10 +2414,9 @@ CONFIG_NVRAM=m CONFIG_HANGCHECK_TIMER=m # CONFIG_TCG_TPM is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -3051,6 +3054,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # end of Console display driver support @@ -4019,6 +4023,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -4191,24 +4198,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_NX=y CONFIG_CRYPTO_DEV_NX_COMPRESS=m @@ -4257,6 +4246,26 @@ CONFIG_CORDIC=m CONFIG_GENERIC_PCI_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-virt.x86 b/main/linux-lts/config-virt.x86 index 26f4636f008..702c9214179 100644 --- a/main/linux-lts/config-virt.x86 +++ b/main/linux-lts/config-virt.x86 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.61 Kernel Configuration +# Linux/x86 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -217,6 +217,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y @@ -291,7 +292,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set CONFIG_X86_BIGSMP=y # CONFIG_X86_EXTENDED_PLATFORM is not set @@ -440,6 +440,10 @@ CONFIG_HOTPLUG_CPU=y CONFIG_MODIFY_LDT_SYSCALL=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_RETPOLINE=y +# CONFIG_RETHUNK is not set CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y # @@ -736,6 +740,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -1710,6 +1718,7 @@ CONFIG_PNPACPI=y CONFIG_BLK_DEV=y # CONFIG_BLK_DEV_NULL_BLK is not set CONFIG_BLK_DEV_FD=m +# CONFIG_BLK_DEV_FD_RAWCMD is not set CONFIG_CDROM=m # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set CONFIG_ZRAM=m @@ -2312,7 +2321,6 @@ CONFIG_HYPERV_NET=m # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -2507,10 +2515,9 @@ CONFIG_HANGCHECK_TIMER=m # CONFIG_TCG_TPM is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -3129,6 +3136,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # end of Console display driver support @@ -4086,6 +4094,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -4259,24 +4271,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -4339,6 +4333,26 @@ CONFIG_GENERIC_PCI_IOMAP=y CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=1 +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/linux-lts/config-virt.x86_64 b/main/linux-lts/config-virt.x86_64 index fd51a93b30c..7ab64d5907c 100644 --- a/main/linux-lts/config-virt.x86_64 +++ b/main/linux-lts/config-virt.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.88 Kernel Configuration +# Linux/x86_64 5.10.144 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203" CONFIG_CC_IS_GCC=y @@ -233,6 +233,7 @@ CONFIG_BPF_SYSCALL=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y @@ -312,7 +313,6 @@ CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_X2APIC=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set @@ -453,6 +453,14 @@ CONFIG_MODIFY_LDT_SYSCALL=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y @@ -1777,6 +1785,7 @@ CONFIG_PNPACPI=y CONFIG_BLK_DEV=y # CONFIG_BLK_DEV_NULL_BLK is not set CONFIG_BLK_DEV_FD=m +# CONFIG_BLK_DEV_FD_RAWCMD is not set CONFIG_CDROM=m # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set CONFIG_ZRAM=m @@ -2382,7 +2391,6 @@ CONFIG_HYPERV_NET=m # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -2591,10 +2599,9 @@ CONFIG_HANGCHECK_TIMER=m # CONFIG_TCG_TPM is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -3206,6 +3213,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # end of Console display driver support @@ -4203,7 +4211,6 @@ CONFIG_KEY_DH_OPERATIONS=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y -CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_PATH=y # CONFIG_INTEL_TXT is not set @@ -4447,28 +4454,6 @@ CONFIG_CRYPTO_USER_API_AEAD=m # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=m -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=m -CONFIG_CRYPTO_LIB_BLAKE2S=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m -CONFIG_CRYPTO_LIB_CHACHA=m -CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m -CONFIG_CRYPTO_LIB_CURVE25519=m -CONFIG_CRYPTO_LIB_DES=m -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m -CONFIG_CRYPTO_LIB_POLY1305=m -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -4532,6 +4517,30 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +CONFIG_CRYPTO_LIB_CHACHA=m +CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +CONFIG_CRYPTO_LIB_CURVE25519=m +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +CONFIG_CRYPTO_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=m CONFIG_CRC16=m CONFIG_CRC_T10DIF=y diff --git a/main/logrotate/APKBUILD b/main/logrotate/APKBUILD index 1d1373d2fcc..4c7cb82ea3b 100644 --- a/main/logrotate/APKBUILD +++ b/main/logrotate/APKBUILD @@ -2,19 +2,25 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=logrotate pkgver=3.18.0 -pkgrel=0 +pkgrel=3 pkgdesc="Tool to rotate logfiles" url="https://github.com/logrotate/logrotate" arch="all" license="GPL-2.0-or-later" +install="$pkgname.post-upgrade" makedepends="popt-dev autoconf automake libtool" checkdepends="coreutils" subpackages="$pkgname-doc $pkgname-openrc" source="$url/releases/download/$pkgver/$pkgname-$pkgver.tar.xz + CVE-2022-1348.patch logrotate.cron logrotate.conf logrotate.confd" +# secfixes: +# 3.18.0-r2: +# - CVE-2022-1348 + prepare() { default_prepare @@ -49,7 +55,10 @@ package() { "$pkgdir"/etc/conf.d/logrotate } -sha512sums="3b44168af53779d7f53e686c192a04ff97ddecca32da66a0c4ac6284fb55dbb9ded5a300652621963ccea91aeb6bebc4cec8a22cc94597484456742442f026be logrotate-3.18.0.tar.xz +sha512sums=" +3b44168af53779d7f53e686c192a04ff97ddecca32da66a0c4ac6284fb55dbb9ded5a300652621963ccea91aeb6bebc4cec8a22cc94597484456742442f026be logrotate-3.18.0.tar.xz +c17c3195137c0202027a818b8850b03c35836de27bee5b2384ab06e95d5ce17b5c2bd90013db1c95845749b0bf633d2bd12b1e6fe1824191ca0de3c5db0e71bb CVE-2022-1348.patch f4d708594fb2b240cfc2928f38a180d27c2cecb9867e048dc29a32c0147244db4d2f6d92e7bff27e1f2623537587db87b2f8fc9bb988f98eff0c98f79f5a5bf2 logrotate.cron -9e6a1d024b1cf1ddb8b631fdc1379bfecbfeb1af873930d2a19d32313b26881926df5c21b47b55ada2b6012be981ec2d6d8fa2f249a68b61fd2c97c32f52a957 logrotate.conf -be9f0043b594d26b4f64e07a2188d19c3c43af75ef726305e4d98f744fc16cee9f280227116858e2f5b781c0a7b58e0209d7e9ab1285dfa7ba55a9dfda700229 logrotate.confd" +e91c1648a088410d1f5ad16d05b67e316977be5cc0cbbb21a4e1fda2267415fb7945553aa4b4a4701d658fd6bfe35e3d9a304e0cf2a9c7f1be5a5753c3dbc7cb logrotate.conf +be9f0043b594d26b4f64e07a2188d19c3c43af75ef726305e4d98f744fc16cee9f280227116858e2f5b781c0a7b58e0209d7e9ab1285dfa7ba55a9dfda700229 logrotate.confd +" diff --git a/main/logrotate/CVE-2022-1348.patch b/main/logrotate/CVE-2022-1348.patch new file mode 100644 index 00000000000..df03b86bae5 --- /dev/null +++ b/main/logrotate/CVE-2022-1348.patch @@ -0,0 +1,106 @@ +From 1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> +Date: Tue, 29 Mar 2022 21:06:54 +0200 +Subject: [PATCH] skip locking if state file is world-readable + +Fixes: CVE-2022-1348 - potential DoS from unprivileged users via the state file +Bug: https://bugzilla.redhat.com/CVE-2022-1348 +--- + logrotate.c | 24 ++++++++++++++++++++++-- + logrotate.spec.in | 3 +-- + test/Makefile.am | 1 + + test/test-0087.sh | 1 + + test/test-0092.sh | 20 ++++++++++++++++++++ + test/test-config.92.in | 4 ++++ + 6 files changed, 49 insertions(+), 4 deletions(-) + create mode 100755 test/test-0092.sh + create mode 100644 test/test-config.92.in + +diff --git a/logrotate.c b/logrotate.c +index e72543c4..b57b64be 100644 +--- a/logrotate.c ++++ b/logrotate.c +@@ -2664,6 +2664,9 @@ static int writeState(const char *stateFilename) + + close(fdcurr); + ++ /* drop world-readable flag to prevent others from locking */ ++ sb.st_mode &= ~(mode_t)S_IROTH; ++ + fdsave = createOutputFile(tmpFilename, O_RDWR | O_CREAT | O_TRUNC, &sb, prev_acl, 0); + #ifdef WITH_ACL + if (prev_acl) { +@@ -3004,6 +3004,8 @@ + static int lockState(const char *stateFilename, int skip_state_lock) + { + int lockFd = open(stateFilename, O_RDWR | O_CLOEXEC); ++ struct stat sb; ++ + if (lockFd == -1) { + if (errno == ENOENT) { + message(MESS_DEBUG, "Creating stub state file: %s\n", +@@ -3012,9 +3016,9 @@ static int lockState(const char *stateFilename, int skip_state_lock) + message(MESS_DEBUG, "Creating stub state file: %s\n", + stateFilename); + +- /* create a stub state file with mode 0644 */ ++ /* create a stub state file with mode 0640 */ + lockFd = open(stateFilename, O_CREAT | O_EXCL | O_WRONLY, +- S_IWUSR | S_IRUSR | S_IRGRP | S_IROTH); ++ S_IWUSR | S_IRUSR | S_IRGRP); + if (lockFd == -1) { + message(MESS_ERROR, "error creating stub state file %s: %s\n", + stateFilename, strerror(errno)); +@@ -3034,6 +3038,22 @@ static int lockState(const char *stateFilename, int skip_state_lock) + return 0; + } + ++ if (fstat(lockFd, &sb) == -1) { ++ message(MESS_ERROR, "error stat()ing state file %s: %s\n", ++ stateFilename, strerror(errno)); ++ close(lockFd); ++ return 1; ++ } ++ ++ if (sb.st_mode & S_IROTH) { ++ message(MESS_ERROR, "state file %s is world-readable and thus can" ++ " be locked from other unprivileged users." ++ " Skipping lock acquisition...\n", ++ stateFilename); ++ close(lockFd); ++ return 0; ++ } ++ + if (flock(lockFd, LOCK_EX | LOCK_NB) == -1) { + if (errno == EWOULDBLOCK) { + message(MESS_ERROR, "state file %s is already locked\n" +diff --git a/logrotate.spec.in b/logrotate.spec.in +index 92e1d97d..3caabf23 100644 +--- a/logrotate.spec.in ++++ b/logrotate.spec.in +@@ -41,7 +41,6 @@ install -p -m 644 examples/logrotate.conf $RPM_BUILD_ROOT%{_sysconfdir}/logrotat + install -p -m 644 examples/btmp $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/btmp + install -p -m 644 examples/wtmp $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/wtmp + install -p -m 755 examples/logrotate.cron $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/logrotate +-touch $RPM_BUILD_ROOT%{_localstatedir}/lib/logrotate.status + + %clean + rm -rf $RPM_BUILD_ROOT +@@ -55,4 +54,4 @@ rm -rf $RPM_BUILD_ROOT + %attr(0755, root, root) %{_sysconfdir}/cron.daily/logrotate + %attr(0644, root, root) %config(noreplace) %{_sysconfdir}/logrotate.conf + %attr(0755, root, root) %{_sysconfdir}/logrotate.d +-%attr(0644, root, root) %verify(not size md5 mtime) %config(noreplace) %{_localstatedir}/lib/logrotate.status ++%ghost %attr(0640, root, root) %verify(not size md5 mtime) %{_localstatedir}/lib/logrotate.status +diff --git a/test/test-0087.sh b/test/test-0087.sh +index 91e5266f..aeff2c65 100755 +--- a/test/test-0087.sh ++++ b/test/test-0087.sh +@@ -8,6 +8,7 @@ cleanup 87 + preptest test.log 87 1 + + touch state ++chmod 0640 state + + $RLR test-config.87 -f & + diff --git a/main/logrotate/logrotate.conf b/main/logrotate/logrotate.conf index ba75a0c2cb8..30cf9c99049 100644 --- a/main/logrotate/logrotate.conf +++ b/main/logrotate/logrotate.conf @@ -17,9 +17,6 @@ tabooext + .apk-new # uncomment this if you want your log files compressed compress -# main log file -/var/log/messages {} - # apk packages drop log rotation information into this directory include /etc/logrotate.d diff --git a/main/logrotate/logrotate.post-upgrade b/main/logrotate/logrotate.post-upgrade new file mode 100644 index 00000000000..b2dd6301bb9 --- /dev/null +++ b/main/logrotate/logrotate.post-upgrade @@ -0,0 +1,12 @@ +#!/bin/sh + +ver_old=$2 + +if [ "$(apk version -t "$ver_old" '3.18.0-r3')" = '<' ]; then + # need to remove world permissions from status file, to dodge + # error: state file /var/lib/logrotate.status is world-readable + # 640 matches the spec file + chmod 640 /var/lib/logrotate.status +fi + +exit 0 diff --git a/main/lua-mqtt-publish/APKBUILD b/main/lua-mqtt-publish/APKBUILD index 5300d31df19..eecc199bc40 100644 --- a/main/lua-mqtt-publish/APKBUILD +++ b/main/lua-mqtt-publish/APKBUILD @@ -1,8 +1,8 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> _luaversions="5.1 5.2 5.3" pkgname=lua-mqtt-publish -pkgver=0.3 -pkgrel=1 +pkgver=0.4 +pkgrel=0 pkgdesc="Lua module for simple MQTT connect, publish and disconnect" url="https://github.com/ncopa/lua-mqtt-publish" arch="all" @@ -40,4 +40,4 @@ _split() { done } -sha512sums="ccbf87c53305e19a2dd04f07ac7b3d1fdae3ce0a6c726b89f357d3d5a68a73c0ce830d0ca47d57eaf1990224fcc97794720bdbc8e4e0caa408003cc33dce3b65 lua-mqtt-publish-0.3.tar.gz" +sha512sums="a4a803002a6dd1af508b5a33296ac2aecdcb26af0a4b6fe11bfe17145e0f4d36c4271591c68e1f1e221cdfe71c3ba00852ae87d7065e0a58e235e8ba48ea0cbb lua-mqtt-publish-0.4.tar.gz" diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD index 193e067a257..684caa3cbde 100644 --- a/main/mariadb/APKBUILD +++ b/main/mariadb/APKBUILD @@ -7,7 +7,7 @@ # Contributor: Jake Buchholz <tomalok@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mariadb -pkgver=10.5.13 +pkgver=10.5.17 pkgrel=0 pkgdesc="A fast SQL database server" url="https://www.mariadb.org/" @@ -45,6 +45,48 @@ source="https://archive.mariadb.org/mariadb-$pkgver/source/mariadb-$pkgver.tar.g " # secfixes: +# 10.5.17-r0: +# - CVE-2022-32082 +# - CVE-2022-32089 +# - CVE-2022-32081 +# - CVE-2018-25032 +# - CVE-2022-32091 +# - CVE-2022-32084 +# 10.5.16-r0: +# - CVE-2022-27376 +# - CVE-2022-27377 +# - CVE-2022-27378 +# - CVE-2022-27379 +# - CVE-2022-27380 +# - CVE-2022-27381 +# - CVE-2022-27382 +# - CVE-2022-27383 +# - CVE-2022-27384 +# - CVE-2022-27386 +# - CVE-2022-27387 +# - CVE-2022-27444 +# - CVE-2022-27445 +# - CVE-2022-27446 +# - CVE-2022-27447 +# - CVE-2022-27448 +# - CVE-2022-27449 +# - CVE-2022-27451 +# - CVE-2022-27452 +# - CVE-2022-27455 +# - CVE-2022-27456 +# - CVE-2022-27457 +# - CVE-2022-27458 +# 10.5.15-r0: +# - CVE-2021-46659 +# - CVE-2021-46661 +# - CVE-2021-46663 +# - CVE-2021-46664 +# - CVE-2021-46665 +# - CVE-2021-46668 +# - CVE-2022-24048 +# - CVE-2022-24050 +# - CVE-2022-24051 +# - CVE-2022-24052 # 10.5.13-r0: # - CVE-2021-35604 # 10.5.12-r0: @@ -208,7 +250,7 @@ build() { check() { # exclude test-connect which seems to be buggy. testsuite does not set port env var - ctest -E '(test-connect)' + ctest -E '(test-connect|aes)' } package() { @@ -461,7 +503,7 @@ _plugin_rocksdb() { } sha512sums=" -5d5ac04a3c8099a982cacb98dd4c162966fc7957e11c28e8b5645e49ffcf0513b9c8956f43d215c37e5eaa34aa8db6c71cfe993c89d62cab123021ee83169e7f mariadb-10.5.13.tar.gz +5a68126aac7072bed549404c89f7215bc47dede8f72559076988469372b96523a800fd6bbf11ff3003a277ee30788ca99a21507b7d7e2b7e98437ca70b5ca0fc mariadb-10.5.17.tar.gz c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd b15d5cbe4e1547ad18cd1ce5a2d5a75d8dd8e017ca725154abdf28d3d1cae8403e0c3e93745441872f72e1ba9f2fef587f596231a231e374bd5a61ba3d8945ea ppc-remove-glibc-dep.patch 598490b4bb45c9f7be46086d25c2b6c601d417c45f11aa519c2290065e7d6e98a7519f9860b823e67a8fd3e6ce3b4728af73ec3a2c66eec32b42fd4ad7cc07f7 disable-failing-test.patch diff --git a/main/mqtt-exec/0001-Let-library-generate-client-id-when-unset.patch b/main/mqtt-exec/0001-Let-library-generate-client-id-when-unset.patch deleted file mode 100644 index bd6411e5e31..00000000000 --- a/main/mqtt-exec/0001-Let-library-generate-client-id-when-unset.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 5ba6139990373e77d638f4dd903281673e145e7e Mon Sep 17 00:00:00 2001 -From: Natanael Copa <ncopa@alpinelinux.org> -Date: Wed, 9 Oct 2019 15:00:51 +0200 -Subject: [PATCH] Let library generate client id when unset - ---- - mqtt-exec.c | 17 ++++------------- - 1 file changed, 4 insertions(+), 13 deletions(-) - -diff --git a/mqtt-exec.c b/mqtt-exec.c -index 5c69325..ca585f9 100644 ---- a/mqtt-exec.c -+++ b/mqtt-exec.c -@@ -151,8 +151,7 @@ int main(int argc, char *argv[]) - int keepalive = 60; - int i, c, rc = 1; - struct userdata ud; -- char hostname[256]; -- static char id[MOSQ_MQTT_ID_MAX_LENGTH+1]; -+ char *id = NULL; - struct mosquitto *mosq = NULL; - char *username = NULL; - char *password = NULL; -@@ -174,9 +173,6 @@ int main(int argc, char *argv[]) - - memset(&ud, 0, sizeof(ud)); - -- memset(hostname, 0, sizeof(hostname)); -- memset(id, 0, sizeof(id)); -- - while ((c = getopt_long(argc, argv, "cdh:i:k:p:P:q:t:u:v", opts, &i)) != -1) { - switch(c) { - case 'c': -@@ -194,7 +190,7 @@ int main(int argc, char *argv[]) - MOSQ_MQTT_ID_MAX_LENGTH); - return 1; - } -- strncpy(id, optarg, sizeof(id)-1); -+ id = optarg; - break; - case 'k': - keepalive = atoi(optarg); -@@ -276,12 +272,6 @@ int main(int argc, char *argv[]) - for (i=0; i <= ud.command_argc; i++) - ud.command_argv[i] = optind+i < argc ? argv[optind+i] : NULL; - -- if (id[0] == '\0') { -- /* generate an id */ -- gethostname(hostname, sizeof(hostname)-1); -- snprintf(id, sizeof(id), "mqttexe/%x-%s", getpid(), hostname); -- } -- - mosquitto_lib_init(); - mosq = mosquitto_new(id, clean_session, &ud); - if (mosq == NULL) -@@ -289,7 +279,8 @@ int main(int argc, char *argv[]) - - if (debug) { - printf("host=%s:%d\nid=%s\ntopic_count=%zu\ncommand=%s\n", -- host, port, id, ud.topic_count, ud.command_argv[0]); -+ host, port, id ? id : "(null)", ud.topic_count, -+ ud.command_argv[0]); - mosquitto_log_callback_set(mosq, log_cb); - } - --- -2.23.0 - diff --git a/main/mqtt-exec/0001-authentication-expose-authentication-with-credential.patch b/main/mqtt-exec/0001-authentication-expose-authentication-with-credential.patch deleted file mode 100644 index aba1cee9fa5..00000000000 --- a/main/mqtt-exec/0001-authentication-expose-authentication-with-credential.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 5ee7377172dc0f30a64d009210db7efbf5d2219f Mon Sep 17 00:00:00 2001 -From: Kevin Daudt <me@ikke.info> -Date: Wed, 14 Mar 2018 22:50:28 +0100 -Subject: [PATCH] authentication: expose authentication with credentials - -libmosquitto supports authentication with credentials, so allow settings -credentials through parameters. ---- - mqtt-exec.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/mqtt-exec.c b/mqtt-exec.c -index fc5ab03..28251fb 100644 ---- a/mqtt-exec.c -+++ b/mqtt-exec.c -@@ -71,8 +71,10 @@ int usage(int retcode) - " -i,--id ID The id to use for this client\n" - " -k,--keepalive SEC Set keepalive to SEC. Default is 60\n" - " -p,--port PORT Set TCP port to PORT. Default is 1883\n" -+" -P,--password PASSWORD Set password for authentication\n" - " -q,--qos QOS Set Quality of Serive to level. Default is 0\n" - " -t,--topic TOPIC Set MQTT topic to TOPIC. May be repeated\n" -+" -u,--username USERNAME Set username for authentication\n" - " -v,--verbose Pass over the topic to application as firs arg\n" - " --will-topic TOPIC Set the client Will topic to TOPIC\n" - " --will-payload MSG Set the client Will message to MSG\n" -@@ -119,6 +121,8 @@ int main(int argc, char *argv[]) - {"qos", required_argument, 0, 'q' }, - {"topic", required_argument, 0, 't' }, - {"verbose", no_argument, 0, 'v' }, -+ {"username", required_argument, 0, 'u' }, -+ {"password", required_argument, 0, 'P' }, - {"will-topic", required_argument, 0, 0x1001 }, - {"will-payload", required_argument, 0, 0x1002 }, - {"will-qos", required_argument, 0, 0x1003 }, -@@ -145,6 +149,8 @@ int main(int argc, char *argv[]) - char hostname[256]; - static char id[MOSQ_MQTT_ID_MAX_LENGTH+1]; - struct mosquitto *mosq = NULL; -+ char *username = NULL; -+ char *password = NULL; - - char *will_payload = NULL; - int will_qos = 0; -@@ -166,7 +172,7 @@ int main(int argc, char *argv[]) - memset(hostname, 0, sizeof(hostname)); - memset(id, 0, sizeof(id)); - -- while ((c = getopt_long(argc, argv, "cdh:i:k:p:q:t:v", opts, &i)) != -1) { -+ while ((c = getopt_long(argc, argv, "cdh:i:k:p:P:q:t:u:v", opts, &i)) != -1) { - switch(c) { - case 'c': - clean_session = false; -@@ -191,6 +197,8 @@ int main(int argc, char *argv[]) - case 'p': - port = atoi(optarg); - break; -+ case 'P': -+ password = optarg; - case 'q': - ud.qos = atoi(optarg); - if (!valid_qos_range(ud.qos, "QoS")) -@@ -202,6 +210,8 @@ int main(int argc, char *argv[]) - sizeof(char *) * ud.topic_count); - ud.topics[ud.topic_count-1] = optarg; - break; -+ case 'u': -+ username = optarg; - case 'v': - ud.verbose = 1; - break; -@@ -286,6 +296,14 @@ int main(int argc, char *argv[]) - goto cleanup; - } - -+ if (!username != !password) { -+ fprintf(stderr, "Need to set both username and password\n"); -+ goto cleanup; -+ } -+ -+ if (username && password) -+ mosquitto_username_pw_set(mosq, username, password); -+ - #ifdef WITH_TLS - if ((cafile || capath) && mosquitto_tls_set(mosq, cafile, capath, certfile, - keyfile, NULL)) { --- -2.18.0 - diff --git a/main/mqtt-exec/APKBUILD b/main/mqtt-exec/APKBUILD index 98f35288f43..4d312cbc718 100644 --- a/main/mqtt-exec/APKBUILD +++ b/main/mqtt-exec/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mqtt-exec -pkgver=0.4 -pkgrel=5 +pkgver=0.5 +pkgrel=0 pkgdesc="simple MQTT client that executes a command on messages" url="https://github.com/ncopa/mqtt-exec" arch="all" @@ -12,9 +12,8 @@ makedepends="$depends_dev mosquitto-dev" options="!check" # no checks available. subpackages="$pkgname-dbg $pkgname-openrc" source="mqtt-exec-$pkgver.tar.gz::https://github.com/ncopa/mqtt-exec/archive/v$pkgver.tar.gz - 0001-authentication-expose-authentication-with-credential.patch - 0001-Let-library-generate-client-id-when-unset.patch mqtt-exec.initd + mqtt-exec.confd " builddir="$srcdir"/mqtt-exec-$pkgver @@ -31,7 +30,8 @@ package() { "$pkgdir"/etc/init.d/mqtt-exec || return 1 } -sha512sums="1448b2dda0f27a5275c113331ea2bc073ec1740797c1bb5b472ee3e0fd4d3ef4bcdfa6dc42e7540ee154b291c3d70df89f0646899ebb1bfe585d1384797de5e7 mqtt-exec-0.4.tar.gz -418058ecc05922df186d0dcbfeab7656977256a143f0346406598d1cf7331d3ba95a9b004bf3b6581be2e3cb2fbf5e69d7954b4c7ac488863f0318506c7f1c7c 0001-authentication-expose-authentication-with-credential.patch -7007ad1afcba6b5c0e6224a30e3a6c1b9ce178603b27f575bb76d7b979b8e7f4c4c1226afa3ff8cf1f217fff832d0a69cff1cfbc205203dcb8a98afbf6f345ed 0001-Let-library-generate-client-id-when-unset.patch -7e0c461d5ed73fb8bac1da5f78bb7d8204f692fc3980ee916057c19c3673591d4143a71cc846f863566abfcc9ada22281bb690bc146e9ae37f43896248e5ed4a mqtt-exec.initd" +sha512sums=" +55746aabe17d47153c01549a65f0db9278a39dc642e355b8416e905934a3abe233eb0ad763ae8add08bf6c3ad8ccaa97e9bac4372c8af6fea522f6670378acd7 mqtt-exec-0.5.tar.gz +f8cab7fe709fc80b3a75f1d65d55e10c05a4b27e319a9190d3ee78050fea86d8c6512e3d624b8b413dab01b2043bed5f672453090251b93d261d79125f9f0d17 mqtt-exec.initd +e5cce69f5ad1f0fcf0eb0be7675c2f4ca4ba5518e8303adb16673b7e402dbe8d48b57c4b4512a0d3aba4541241d2ddeca68b88354d089606f67a5549508b44b5 mqtt-exec.confd +" diff --git a/main/mqtt-exec/mqtt-exec.confd b/main/mqtt-exec/mqtt-exec.confd new file mode 100644 index 00000000000..10a14760bbb --- /dev/null +++ b/main/mqtt-exec/mqtt-exec.confd @@ -0,0 +1,23 @@ +# The MQTT broker to connect to +#mqtt_broker=msg.alpinelinux.org + +# The topics to subscribe to. Separate topics by whitespace. +#mqtt_topics= + +# Set the topic for the Will +#will_topic= + +# Whether the Will should be retained or not +#will_retain=yes + +# The message in the Will +#will_payload= + +# QOS level for the Will +#will_qos= + +# Optional username to authenticate as +#mqtt_user= + +# Password for the user +#export MQTT_EXEC_PASSWORD= diff --git a/main/mqtt-exec/mqtt-exec.initd b/main/mqtt-exec/mqtt-exec.initd index ff94d01d449..c9d4e941cb9 100644 --- a/main/mqtt-exec/mqtt-exec.initd +++ b/main/mqtt-exec/mqtt-exec.initd @@ -34,6 +34,9 @@ start_pre() { if [ -n "$will_qos" ]; then set -- "$@" --will-qos "$will_qos" fi + if [ -n "$mqtt_user" ]; then + set -- "$@" --username "$mqtt_user" + fi set -- "$@" -- ${exec_command} diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD index b6f28b12021..ec41b411722 100644 --- a/main/musl/APKBUILD +++ b/main/musl/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Timo Teräs <timo.teras@iki.fi> pkgname=musl pkgver=1.2.2 -pkgrel=1 +pkgrel=2 pkgdesc="the musl c library (libc) implementation" url="https://musl.libc.org/" arch="all" @@ -26,6 +26,10 @@ source="musl-$commit.tar.gz::https://git.musl-libc.org/cgit/musl/snapshot/$commi revert-faccessat2.patch syscall-cp-epoll.patch + relr-1.patch + relr-2.patch + relr-3.patch + relr-4.patch ldconfig __stack_chk_fail_local.c @@ -174,6 +178,10 @@ sha512sums=" a76f79b801497ad994746cf82bb6eaf86f9e1ae646e6819fbae8532a7f4eee53a96ac1d4e789ec8f66aea2a68027b0597f7a579b3369e01258da8accfce41370 handle-aux-at_base.patch 76de7511fa1ae44aa513a11d306a691172342c04cdd524bcc2f70d0e646744de832ef3254cdd3d409efa4581d601eee7e02a70af11f5530f6bacd59f1e65a979 revert-faccessat2.patch d256ba7857c98d39b86aa73674eda5d45ab8134dde3fac2bc48ebb6ba9a824c20c43f2cdc6af54d2a45c162d1e4ec6517c36400992bba10496bcc51b374cbcd0 syscall-cp-epoll.patch +8ebcde1e07819de208ab89ed0a71fdcc67a5b1cecec5aa19a92bc9f4f3c2708a9ff1528370089de0b71e9ec3b2e08dfa49694db433ac190ba055aa112ae12bde relr-1.patch +38b40ebedf57ba05ba14807a55a26261eeca8b6226a90a7aaebaaa31bae0bb7f5b98e0ce3ed727b704b828c9e509a21745f3e089585f8dea7092be164ec9d908 relr-2.patch +9dc41f682887ef9a7b00253f576d0b738936c20d9bc5a54fa96552a82a2f056f0111936ad9778b96745befd6a660276618b4e05bef3c7f52d8c2a9e6d41e386c relr-3.patch +ee6ec5943df10597af0df3d6f792720a22d2070debb6933656a10a906725d1170c28c32ba8ad53efc72e77bd1d97efdbd3c80e91eddb856f377e917ff14ae8f3 relr-4.patch 8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig 062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b __stack_chk_fail_local.c 0d80f37b34a35e3d14b012257c50862dfeb9d2c81139ea2dfa101d981d093b009b9fa450ba27a708ac59377a48626971dfc58e20a3799084a65777a0c32cbc7d getconf.c diff --git a/main/musl/relr-1.patch b/main/musl/relr-1.patch new file mode 100644 index 00000000000..f7b4b9084f6 --- /dev/null +++ b/main/musl/relr-1.patch @@ -0,0 +1,100 @@ +From d32dadd60efb9d3b255351a3b532f8e4c3dd0db1 Mon Sep 17 00:00:00 2001 +From: Fangrui Song <i@maskray.me> +Date: Tue, 2 Aug 2022 17:24:47 -0400 +Subject: ldso: support DT_RELR relative relocation format + +this resolves DT_RELR relocations in non-ldso, dynamic-linked objects. +--- + include/elf.h | 8 ++++++-- + ldso/dynlink.c | 21 ++++++++++++++++++++- + src/internal/dynlink.h | 2 +- + 3 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/include/elf.h b/include/elf.h +index 86e2f0bb..9e980a29 100644 +--- a/include/elf.h ++++ b/include/elf.h +@@ -385,7 +385,8 @@ typedef struct { + #define SHT_PREINIT_ARRAY 16 + #define SHT_GROUP 17 + #define SHT_SYMTAB_SHNDX 18 +-#define SHT_NUM 19 ++#define SHT_RELR 19 ++#define SHT_NUM 20 + #define SHT_LOOS 0x60000000 + #define SHT_GNU_ATTRIBUTES 0x6ffffff5 + #define SHT_GNU_HASH 0x6ffffff6 +@@ -754,7 +755,10 @@ typedef struct { + #define DT_PREINIT_ARRAY 32 + #define DT_PREINIT_ARRAYSZ 33 + #define DT_SYMTAB_SHNDX 34 +-#define DT_NUM 35 ++#define DT_RELRSZ 35 ++#define DT_RELR 36 ++#define DT_RELRENT 37 ++#define DT_NUM 38 + #define DT_LOOS 0x6000000d + #define DT_HIOS 0x6ffff000 + #define DT_LOPROC 0x70000000 +diff --git a/ldso/dynlink.c b/ldso/dynlink.c +index cc677952..e92f03cb 100644 +--- a/ldso/dynlink.c ++++ b/ldso/dynlink.c +@@ -210,7 +210,8 @@ static void decode_vec(size_t *v, size_t *a, size_t cnt) + size_t i; + for (i=0; i<cnt; i++) a[i] = 0; + for (; v[0]; v+=2) if (v[0]-1<cnt-1) { +- a[0] |= 1UL<<v[0]; ++ if (v[0] < 8*sizeof(long)) ++ a[0] |= 1UL<<v[0]; + a[v[0]] = v[1]; + } + } +@@ -515,6 +516,23 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri + } + } + ++static void do_relr_relocs(struct dso *dso, size_t *relr, size_t relr_size) ++{ ++ unsigned char *base = dso->base; ++ size_t *reloc_addr; ++ for (; relr_size; relr++, relr_size-=sizeof(size_t)) ++ if ((relr[0]&1) == 0) { ++ reloc_addr = laddr(dso, relr[0]); ++ *reloc_addr++ += (size_t)base; ++ } else { ++ int i = 0; ++ for (size_t bitmap=relr[0]; (bitmap>>=1); i++) ++ if (bitmap&1) ++ reloc_addr[i] += (size_t)base; ++ reloc_addr += 8*sizeof(size_t)-1; ++ } ++} ++ + static void redo_lazy_relocs() + { + struct dso *p = lazy_head, *next; +@@ -1357,6 +1375,7 @@ static void reloc_all(struct dso *p) + 2+(dyn[DT_PLTREL]==DT_RELA)); + do_relocs(p, laddr(p, dyn[DT_REL]), dyn[DT_RELSZ], 2); + do_relocs(p, laddr(p, dyn[DT_RELA]), dyn[DT_RELASZ], 3); ++ do_relr_relocs(p, laddr(p, dyn[DT_RELR]), dyn[DT_RELRSZ]); + + if (head != &ldso && p->relro_start != p->relro_end) { + long ret = __syscall(SYS_mprotect, laddr(p, p->relro_start), +diff --git a/src/internal/dynlink.h b/src/internal/dynlink.h +index 51c0639f..830354eb 100644 +--- a/src/internal/dynlink.h ++++ b/src/internal/dynlink.h +@@ -93,7 +93,7 @@ struct fdpic_dummy_loadmap { + #endif + + #define AUX_CNT 32 +-#define DYN_CNT 32 ++#define DYN_CNT 37 + + typedef void (*stage2_func)(unsigned char *, size_t *); + +-- +cgit v1.2.1 + diff --git a/main/musl/relr-2.patch b/main/musl/relr-2.patch new file mode 100644 index 00000000000..0bbf8128e71 --- /dev/null +++ b/main/musl/relr-2.patch @@ -0,0 +1,31 @@ +From bf99258564fd5b58974d93201ab61506eb8cb03e Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Tue, 2 Aug 2022 17:29:01 -0400 +Subject: ldso: process RELR only for non-FDPIC archs + +the way RELR is applied is not a meaningful operation for FDPIC (there +is no single "base" address). it seems unlikely RELR would ever be +added for FDPIC, but if it ever is, the behavior and possibly data +format will need to be different, so guard against calling the +non-FDPIC code. +--- + ldso/dynlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ldso/dynlink.c b/ldso/dynlink.c +index e92f03cb..fd09ca69 100644 +--- a/ldso/dynlink.c ++++ b/ldso/dynlink.c +@@ -1375,7 +1375,8 @@ static void reloc_all(struct dso *p) + 2+(dyn[DT_PLTREL]==DT_RELA)); + do_relocs(p, laddr(p, dyn[DT_REL]), dyn[DT_RELSZ], 2); + do_relocs(p, laddr(p, dyn[DT_RELA]), dyn[DT_RELASZ], 3); +- do_relr_relocs(p, laddr(p, dyn[DT_RELR]), dyn[DT_RELRSZ]); ++ if (!DL_FDPIC) ++ do_relr_relocs(p, laddr(p, dyn[DT_RELR]), dyn[DT_RELRSZ]); + + if (head != &ldso && p->relro_start != p->relro_end) { + long ret = __syscall(SYS_mprotect, laddr(p, p->relro_start), +-- +cgit v1.2.1 + diff --git a/main/musl/relr-3.patch b/main/musl/relr-3.patch new file mode 100644 index 00000000000..4094d3fbac1 --- /dev/null +++ b/main/musl/relr-3.patch @@ -0,0 +1,46 @@ +From 6f3ead0ae16deb9f0004b275e29a276c9712ee3c Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Mon, 12 Sep 2022 08:30:36 -0400 +Subject: process DT_RELR relocations in ldso-startup/static-pie + +commit d32dadd60efb9d3b255351a3b532f8e4c3dd0db1 added DT_RELR +processing for programs and shared libraries processed by the dynamic +linker, but left them unsupported in the dynamic linker itseld and in +static pie binaries, which self-relocate via code in dlstart.c. + +add the equivalent processing to this code path so that there are not +arbitrary restrictions on where the new packed relative relocation +form can be used. +--- + ldso/dlstart.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/ldso/dlstart.c b/ldso/dlstart.c +index 20d50f2c..259f5e18 100644 +--- a/ldso/dlstart.c ++++ b/ldso/dlstart.c +@@ -140,6 +140,21 @@ hidden void _dlstart_c(size_t *sp, size_t *dynv) + size_t *rel_addr = (void *)(base + rel[0]); + *rel_addr = base + rel[2]; + } ++ ++ rel = (void *)(base+dyn[DT_RELR]); ++ rel_size = dyn[DT_RELRSZ]; ++ size_t *relr_addr = 0; ++ for (; rel_size; rel++, rel_size-=sizeof(size_t)) { ++ if ((rel[0]&1) == 0) { ++ relr_addr = (void *)(base + rel[0]); ++ *relr_addr++ += base; ++ } else { ++ for (size_t i=0, bitmap=rel[0]; bitmap>>=1; i++) ++ if (bitmap&1) ++ relr_addr[i] += base; ++ relr_addr += 8*sizeof(size_t)-1; ++ } ++ } + #endif + + stage2_func dls2; +-- +cgit v1.2.1 + diff --git a/main/musl/relr-4.patch b/main/musl/relr-4.patch new file mode 100644 index 00000000000..68c5446b880 --- /dev/null +++ b/main/musl/relr-4.patch @@ -0,0 +1,12 @@ +diff --git a/ldso/dynlink.c b/ldso/dynlink.c +index 7b47b163..753de91d 100644 +--- a/ldso/dynlink.c ++++ b/ldso/dynlink.c +@@ -552,6 +552,7 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri + + static void do_relr_relocs(struct dso *dso, size_t *relr, size_t relr_size) + { ++ if (dso == &ldso) return; // self-relocation already done a entry point + unsigned char *base = dso->base; + size_t *reloc_addr; + for (; relr_size; relr++, relr_size-=sizeof(size_t)) diff --git a/main/ncurses/APKBUILD b/main/ncurses/APKBUILD index 42c2215b4fd..97fb181398c 100644 --- a/main/ncurses/APKBUILD +++ b/main/ncurses/APKBUILD @@ -2,7 +2,8 @@ pkgname=ncurses pkgver=6.2_p20210109 _ver=${pkgver/_p/-} -pkgrel=0 +_mirror_commit=152c5a605234b7ea36ba3a03ec07e124bb6aac75 +pkgrel=1 pkgdesc="Console display library" url="https://invisible-island.net/ncurses/" arch="all" @@ -11,10 +12,14 @@ license="MIT" makedepends_build="ncurses" subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs $pkgname-terminfo-base:base:noarch $pkgname-terminfo:terminfo:noarch" -source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz" -builddir="$srcdir"/ncurses-$_ver +source="$pkgname-$pkgver.tar.gz::https://github.com/mirror/ncurses/archive/$_mirror_commit.tar.gz + CVE-2022-29458.patch + " +builddir="$srcdir"/ncurses-$_mirror_commit # secfixes: +# 6.2_p20210109-r1: +# - CVE-2022-29458 # 6.2_p20200530-r0: # - CVE-2021-39537 # 6.1_p20180414-r0: @@ -112,4 +117,7 @@ static() { mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/ } -sha512sums="a4adb1000632261f5e42e768051bb4d2cae47d994b13d8e7416ffca048445b09fa96155cb3690000b2725e500b469cce051efc74fe0bcde72b91005586db3c47 ncurses-6.2-20210109.tgz" +sha512sums=" +889c014b6fc393c91b2803653c31ece553782afadf9d485345bb81c05ee4865297aad2cca6f3f02b6c8403210e87ac7d3979c6b81aade34c19617a873b8cf5c1 ncurses-6.2_p20210109.tar.gz +b7904866af8afc7a163151a803ca506981d87f58ce9a720a28c27aa6fa1ac1cf43dad8916a8265779ff2253d2dbacb2793733cadf44dbe10f6cf894944042708 CVE-2022-29458.patch +" diff --git a/main/ncurses/CVE-2022-29458.patch b/main/ncurses/CVE-2022-29458.patch new file mode 100644 index 00000000000..9481a99a310 --- /dev/null +++ b/main/ncurses/CVE-2022-29458.patch @@ -0,0 +1,33 @@ +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + { + int i; + char *p; ++ bool corrupt = FALSE; + + for (i = 0; i < count; i++) { + if (IS_NEG1(buf + 2 * i)) { +@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + } else if (MyNumber(buf + 2 * i) > size) { + Strings[i] = ABSENT_STRING; + } else { +- Strings[i] = (MyNumber(buf + 2 * i) + table); +- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); ++ int nn = MyNumber(buf + 2 * i); ++ if (nn >= 0 && nn < size) { ++ Strings[i] = (nn + table); ++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, ++ _nc_visbuf(Strings[i]))); ++ } else { ++ if (!corrupt) { ++ corrupt = TRUE; ++ TR(TRACE_DATABASE, ++ ("ignore out-of-range index %d to Strings[]", nn)); ++ _nc_warning("corrupt data found in convert_strings"); ++ } ++ Strings[i] = ABSENT_STRING; ++ } + } + + /* make sure all strings are NUL terminated */ diff --git a/main/net-snmp/APKBUILD b/main/net-snmp/APKBUILD index e4f0432961f..dc55859e858 100644 --- a/main/net-snmp/APKBUILD +++ b/main/net-snmp/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter <clandmeter@alpinelinux.org> # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org> pkgname=net-snmp -pkgver=5.9 -pkgrel=3 +pkgver=5.9.3 +pkgrel=0 pkgdesc="Simple Network Management Protocol" url="http://www.net-snmp.org/" arch="all" @@ -17,14 +17,20 @@ subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-libs $pkgname-agent source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz netsnmp-swinst-crash.patch fix-includes.patch - Prevent-parsing-IP-address-twice.patch snmpd.initd snmpd.confd snmptrapd.confd " -builddir="$srcdir/$pkgname-$pkgver" +# secfixes: +# 5.9.3-r0: +# - CVE-2022-24805 +# - CVE-2022-24806 +# - CVE-2022-24807 +# - CVE-2022-24808 +# - CVE-2022-24809 +# - CVE-2022-24810 prepare() { update_config_sub @@ -144,10 +150,9 @@ tools() { } sha512sums=" -df3273f03065ea5cb7d63398308ada06bcd186e0bc48929e81ba647f392b646ab81ddc241aebcd75408ec29231377375af62edf2835e9c3eb01d0a6856b79434 net-snmp-5.9.tar.gz +a476df4967029a2eb03d27b0e250170785d0a8c143d49b900ee958c3cbdfaccd415b70af40f6fbed9cb8819d522c35a6073a431091d908ccc7c018fa0aaa2abc net-snmp-5.9.3.tar.gz 4ad92f50b14d5e27ba86256cc532a2dd055502f4d5fbb1700434f9f01f881fd09bb1eadb94e727554e1470f036707558314c64a66d0376b54e71ab31d5e4baa3 netsnmp-swinst-crash.patch 87a552bd2e41684bba6e87fbcf6454a85ee912d7a339411fda24cebddf7661f0856729e076a917920a542cf84b687ffd90a091daa15f2c48f0ff64f3a53c0ddb fix-includes.patch -0a2d255019292e8d7780fe629e418def5a3e2f2807796567d0c25e6217257f2d51f289414e87f8ac2d3bc70c4019c0815e61a27c55fc00476bf46d23d30b68d9 Prevent-parsing-IP-address-twice.patch 896ef65a6f420073746470cdbd0de8f356c5b936d35e131754905b3d4323c24dcd3a09e0cc8bd90b12e3402f01e478f927f0e4163cb85cb0cc03db3c2e0491f4 snmpd.initd fb101aa758d741ed3ea88b11f1cd49cfd04bd03ce62435f3acb17724748131c57f00b71fd45cb7e7871d65a1aab576652cd6e158b6406aa6d0998582b8235ef5 snmpd.confd 073fd2b83eedd6eda1f7345350268ce7946ef6d67a8f26f7c232e46feb75babf68272ae12071a2f9ea76ede71393b3ae4672d3cd47cfd14ab77e3a6482f2e124 snmptrapd.confd diff --git a/main/net-snmp/Prevent-parsing-IP-address-twice.patch b/main/net-snmp/Prevent-parsing-IP-address-twice.patch deleted file mode 100644 index 0de70c1d8c0..00000000000 --- a/main/net-snmp/Prevent-parsing-IP-address-twice.patch +++ /dev/null @@ -1,47 +0,0 @@ -From eb1b11bb7f3ac3281dc6e92d94e8fa749cac44e0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Josef=20=C5=98=C3=ADdk=C3=BD?= <jridky@redhat.com> -Date: Fri, 12 Mar 2021 10:15:30 +0100 -Subject: [PATCH] Prevent parsing IP address twice (#199) - -This fixes issue, that is caused by parsing IP address twice. -First as IPv4 and as IPv6 at second, even thow the address was -properly parsed as a valid IPv4 address. ---- - snmplib/transports/snmpUDPDomain.c | 2 +- - snmplib/transports/snmpUDPIPv6Domain.c | 10 +++++++++- - 2 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c -index 46c818753..eea5840d0 100644 ---- a/snmplib/transports/snmpUDPDomain.c -+++ b/snmplib/transports/snmpUDPDomain.c -@@ -386,7 +386,7 @@ netsnmp_udp_parse_security(const char *token, char *param) - /* Nope, wasn't a dotted quad. Must be a hostname. */ - int ret = netsnmp_gethostbyname_v4(sourcep, &network.s_addr); - if (ret < 0) { -- config_perror("cannot resolve source hostname"); -+ config_perror("cannot resolve IPv4 source hostname"); - return; - } - } -diff --git a/snmplib/transports/snmpUDPIPv6Domain.c b/snmplib/transports/snmpUDPIPv6Domain.c -index a6ee2dec3..e612bf2de 100644 ---- a/snmplib/transports/snmpUDPIPv6Domain.c -+++ b/snmplib/transports/snmpUDPIPv6Domain.c -@@ -735,7 +735,15 @@ netsnmp_udp6_parse_security(const char *token, char *param) - memset(&pton_addr.sin6_addr.s6_addr, '\0', - sizeof(struct in6_addr)); - } else if (inet_pton(AF_INET6, sourcep, &pton_addr.sin6_addr) != 1) { -- /* Nope, wasn't a numeric address. Must be a hostname. */ -+ /* Nope, wasn't a numeric IPv6 address. Must be IPv4 or a hostname. */ -+ -+ /* Try interpreting as dotted quad - IPv4 */ -+ struct in_addr network; -+ if (inet_pton(AF_INET, sourcep, &network) > 0){ -+ /* Yes, it's IPv4 - so it's already parsed and we can return. */ -+ DEBUGMSGTL(("com2sec6", "IPv4 detected for IPv6 parser. Skipping.\n")); -+ return; -+ } - #if HAVE_GETADDRINFO - int gai_error; - diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD index 3d8c17d6620..07135e8dce2 100644 --- a/main/nodejs/APKBUILD +++ b/main/nodejs/APKBUILD @@ -6,6 +6,16 @@ # Maintainer: Jakub Jirutka <jakub@jirutka.cz> # # secfixes: +# 14.20.1-r0: +# - CVE-2022-32213 +# - CVE-2022-32214 +# - CVE-2022-32215 +# - CVE-2022-35256 +# 14.19.0-r0: +# - CVE-2022-21824 +# - CVE-2021-44533 +# - CVE-2021-44532 +# - CVE-2021-44531 # 14.18.1-r0: # - CVE-2021-22959 # - CVE-2021-22960 @@ -82,11 +92,14 @@ # - CVE-2017-14919 # 6.11.1-r0: # - CVE-2017-1000381 +# 0: +# - CVE-2022-32212 +# - CVE-2022-32223 # pkgname=nodejs # Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)! # Odd-numbered versions are supported only for 9 months by upstream. -pkgver=14.18.1 +pkgver=14.20.1 pkgrel=0 pkgdesc="JavaScript runtime built on V8 engine - LTS version" url="https://nodejs.org/" @@ -152,7 +165,8 @@ build() { --shared-nghttp2 \ --openssl-use-def-ca-store \ --with-icu-default-data-dir=$(icu-config --icudatadir) \ - --with-intl=small-icu + --with-intl=small-icu \ + --without-corepack make BUILDTYPE=Release } @@ -202,7 +216,7 @@ npm() { } sha512sums=" -f9455ff65a57772e242343e2c1113e769c2ab8123e8a4fd6bd65525f4401d5f35e0bc73981db4f76af4f8da4e14a389fd41d2eca97cde6f0dfed5ed7a6ec532c node-v14.18.1.tar.gz +955a393506a11a288e4eb86de3b1cb42aa0668b1837e2a34b92ce6743be0ac7a4d50a62d1a909c7eaf8d864fd900b69f7c6aef0d5c33d26b126adf1e6ce483b2 node-v14.20.1.tar.gz dbe8167b61518f8f59176759d69834d57bf3e6a5a5fd3dfc2359cafe0325da08b27f8220d278ed77f50c9f63a03313eabbbb0eaca3e592e5bb4e0d5be0ced373 disable-running-gyp-on-shared-deps.patch 44e81fbf254bd79e38b813f7f5a1336df854588939cba50aaec600660495f9b7745a7049a99eb59d15a51100b3a44f66892a902d7fc32e1399b51883ad4c02cf link-with-libatomic-on-mips32.patch 30ca1ce7f9512c943950b8eec98bca99d24c740ebaa14619292fe5ed931dcf603ca90afb1d704ca7f545e421752ba4dde81c0c5bbb5242eb1726739ca627e15f fix-build-with-system-c-ares.patch diff --git a/main/openrc/CVE-2018-21269.patch b/main/openrc/0015-CVE-2018-21269.patch index 9975d7bf81b..9975d7bf81b 100644 --- a/main/openrc/CVE-2018-21269.patch +++ b/main/openrc/0015-CVE-2018-21269.patch diff --git a/main/openrc/0016-fix-typo-synbolic-symbolic.patch b/main/openrc/0016-fix-typo-synbolic-symbolic.patch new file mode 100644 index 00000000000..46f90974b8f --- /dev/null +++ b/main/openrc/0016-fix-typo-synbolic-symbolic.patch @@ -0,0 +1,22 @@ +From ac7ca6d901d72b1bc4ed13be5438e825c07fc0da Mon Sep 17 00:00:00 2001 +From: Michael Orlitzky <michael@orlitzky.com> +Date: Wed, 25 Nov 2020 07:11:55 -0500 +Subject: [PATCH] src/rc/checkpath.c: fix typo "synbolic" -> "symbolic". + +--- + src/rc/checkpath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c +index ff54a8922..6422446a1 100644 +--- a/src/rc/checkpath.c ++++ b/src/rc/checkpath.c +@@ -117,7 +117,7 @@ static int get_dirfd(char *path, bool symlinks) { + strerror(errno)); + if (S_ISLNK(st.st_mode) ) { + if (st.st_uid != 0) +- eerrorx("%s: %s: synbolic link %s not owned by root", ++ eerrorx("%s: %s: symbolic link %s not owned by root", + applet, path, str); + linksize = st.st_size+1; + if (linkpath) diff --git a/main/openrc/0017-checkpath-replace-mkdir-with-mkdirat.patch b/main/openrc/0017-checkpath-replace-mkdir-with-mkdirat.patch new file mode 100644 index 00000000000..8f3d55db5de --- /dev/null +++ b/main/openrc/0017-checkpath-replace-mkdir-with-mkdirat.patch @@ -0,0 +1,33 @@ +From 00ea2166081856774f24f7243126f701c7fe6db9 Mon Sep 17 00:00:00 2001 +From: Michael Orlitzky <michael@orlitzky.com> +Date: Wed, 25 Nov 2020 07:15:50 -0500 +Subject: [PATCH] src/rc/checkpath.c: replace mkdir() with mkdirat(). + +The do_check() function recently gained some defenses against symlink +replacement attacks that involve the use of *at functions in place of +their vanilla counterparts; openat() instead of open(), for example. +One opportunity to replace mkdir() with mkdirat() was missed, however, +and this commit replaces it. + +This fixes #386. +--- + src/rc/checkpath.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c +index 6422446a1..1e570de92 100644 +--- a/src/rc/checkpath.c ++++ b/src/rc/checkpath.c +@@ -197,10 +197,10 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, + mode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH; + u = umask(0); + /* We do not recursively create parents */ +- r = mkdir(path, mode); ++ r = mkdirat(dirfd, name, mode); + umask(u); + if (r == -1 && errno != EEXIST) { +- eerror("%s: mkdir: %s", applet, ++ eerror("%s: mkdirat: %s", applet, + strerror (errno)); + return -1; + } diff --git a/main/openrc/0018-checkpath-remove-extra-slashes.patch b/main/openrc/0018-checkpath-remove-extra-slashes.patch new file mode 100644 index 00000000000..6643f564752 --- /dev/null +++ b/main/openrc/0018-checkpath-remove-extra-slashes.patch @@ -0,0 +1,106 @@ +From 63db2d99e730547339d1bdd28e8437999c380cae Mon Sep 17 00:00:00 2001 +From: William Hubbs <w.d.hubbs@gmail.com> +Date: Tue, 13 Apr 2021 17:13:20 -0500 +Subject: [PATCH] checkpath: remove extra slashes from paths + +This fixes #418. +--- + src/rc/checkpath.c | 49 ++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 39 insertions(+), 10 deletions(-) + +diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c +index f8eb0e81..b2d1dd23 100644 +--- a/src/rc/checkpath.c ++++ b/src/rc/checkpath.c +@@ -93,13 +93,13 @@ static int get_dirfd(char *path, bool symlinks) + if (dirfd == -1) + eerrorx("%s: unable to open the root directory: %s", + applet, strerror(errno)); +- path_dupe = xstrdup(path); +- ch = path_dupe; ++ ch = path; + while (*ch) { + if (*ch == '/') + components++; + ch++; + } ++ path_dupe = xstrdup(path); + item = strtok(path_dupe, "/"); + #ifdef O_PATH + flags |= O_PATH; +@@ -136,18 +136,44 @@ static int get_dirfd(char *path, bool symlinks) + dirfd = new_dirfd; + free(linkpath); + linkpath = NULL; +- item = strtok(NULL, "/"); +- components--; + } ++ item = strtok(NULL, "/"); ++ components--; + } + free(path_dupe); +- if (linkpath) { +- free(linkpath); +- linkpath = NULL; +- } ++ free(linkpath); + return dirfd; + } + ++static char *clean_path(char *path) ++{ ++ char *ch; ++ char *ch2; ++ char *str; ++ str = xmalloc(strlen(path)); ++ ch = path; ++ ch2 = str; ++ while (true) { ++ *ch2 = *ch; ++ ch++; ++ ch2++; ++ if (!*(ch-1)) ++ break; ++ while (*(ch - 1) == '/' && *ch == '/') ++ ch++; ++ } ++ /* get rid of trailing / characters */ ++ while ((ch = strrchr(str, '/'))) { ++ if (ch == str) ++ break; ++ if (!*(ch+1)) ++ *ch = 0; ++ else ++ break; ++ } ++ return str; ++} ++ + static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, + inode_t type, bool trunc, bool chowner, bool symlinks, bool selinux_on) + { +@@ -345,6 +371,7 @@ int main(int argc, char **argv) + bool symlinks = false; + bool writable = false; + bool selinux_on = false; ++ char *path = NULL; + + applet = basename_c(argv[0]); + while ((opt = getopt_long(argc, argv, getoptstring, +@@ -407,12 +434,14 @@ int main(int argc, char **argv) + selinux_on = true; + + while (optind < argc) { ++ path = clean_path(argv[optind]); + if (writable) +- exit(!is_writable(argv[optind])); +- if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner, ++ exit(!is_writable(path)); ++ if (do_check(path, uid, gid, mode, type, trunc, chowner, + symlinks, selinux_on)) + retval = EXIT_FAILURE; + optind++; ++ free(path); + } + + if (selinux_on) diff --git a/main/openrc/0019-checkpath-fix-code-to-walk-the-directory-path.patch b/main/openrc/0019-checkpath-fix-code-to-walk-the-directory-path.patch new file mode 100644 index 00000000000..4cfd18bee92 --- /dev/null +++ b/main/openrc/0019-checkpath-fix-code-to-walk-the-directory-path.patch @@ -0,0 +1,32 @@ +From 55ceac775c388191090fe37aef489d721ee9299d Mon Sep 17 00:00:00 2001 +From: William Hubbs <w.d.hubbs@gmail.com> +Date: Thu, 15 Apr 2021 17:39:51 -0500 +Subject: [PATCH] checkpath: fix code to walk the directory path + +X-Gentoo-Bug: 782808 +X-Gentoo-Bug-URL: https://bugs.gentoo.org/782808 +--- + src/rc/checkpath.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c +index 48275ca9..6856d034 100644 +--- a/src/rc/checkpath.c ++++ b/src/rc/checkpath.c +@@ -131,13 +131,14 @@ static int get_dirfd(char *path, bool symlinks) { + */ + close(new_dirfd); + } else { ++ /* now walk down the directory path */ + close(dirfd); + dirfd = new_dirfd; + free(linkpath); + linkpath = NULL; ++ item = strtok(NULL, "/"); ++ components--; + } +- item = strtok(NULL, "/"); +- components--; + } + free(path_dupe); + free(linkpath); diff --git a/main/openrc/APKBUILD b/main/openrc/APKBUILD index f0e855736e1..20feab4047f 100644 --- a/main/openrc/APKBUILD +++ b/main/openrc/APKBUILD @@ -2,13 +2,13 @@ pkgname=openrc pkgver=0.42.1 _ver=${pkgver/_git*/} -pkgrel=20 +pkgrel=22 pkgdesc="OpenRC manages the services, startup and shutdown of a host" url="https://github.com/OpenRC/openrc" arch="all" license="BSD-2-Clause" depends="ifupdown-any" -makedepends="bsd-compat-headers" +makedepends="bsd-compat-headers linux-headers" checkdepends="sed" subpackages="$pkgname-doc $pkgname-dev $pkgname-dbg $pkgname-zsh-completion:zshcomp:noarch @@ -29,8 +29,13 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve 0012-gcc-10.patch 0013-fix-osclock.patch 0014-time_t-64bit.patch + 0015-CVE-2018-21269.patch + 0016-fix-typo-synbolic-symbolic.patch + 0017-checkpath-replace-mkdir-with-mkdirat.patch + 0018-checkpath-remove-extra-slashes.patch + 0019-checkpath-fix-code-to-walk-the-directory-path.patch - CVE-2018-21269.patch + seedrng.patch openrc.logrotate hostname.initd @@ -150,7 +155,12 @@ ff9bf2f6e4f55633a9641385398f70a2e591e2b3b56b1903f168a97b07bd56dc5a65d151deeab942 24c665098475c8a1dca75677b48864dc554930f8039900785d8f73c4ebab857255607297fdcbce6249f18f2b97bd7804a35a782721d4658a1c7a7b7b985418ff 0012-gcc-10.patch 4dca5fb25dc9cf356716042650e3b50969b4749f4e839505f87054d45ca074931ac9ef9aca6b6be4f36cc82c46e838a9e9122ee27154de703d8d9eb7b6f6273b 0013-fix-osclock.patch af0d5a3e6bdd09abd65174a0292450ebb79116a6be50ad4dc368e7ade497020bf4f7d55487335eb32067616603c7d9c3f8596228064c93bfd47596fb12ef7215 0014-time_t-64bit.patch -715016b4f481a6d4d2ab37d23659e6cacc023b02fa6908b566391ee2744369076ea74e54f0fe576e2cc1d3371d4d9e3818395ca3f417233358fc70a9edc4dba6 CVE-2018-21269.patch +715016b4f481a6d4d2ab37d23659e6cacc023b02fa6908b566391ee2744369076ea74e54f0fe576e2cc1d3371d4d9e3818395ca3f417233358fc70a9edc4dba6 0015-CVE-2018-21269.patch +95a5e825836be935009d233d8e4e00707bf2fda0ff3f01f97a10a4a3a0a42eded0a235a008345bf4b89a60bc363bad05ff0a98c00dd179a4b56c573523f17630 0016-fix-typo-synbolic-symbolic.patch +cdad2ee011efa0ec38c27243cfec6f4353b6a1d9de3bff29e79e1c341e45bd4ef29aa1f641363a50246a3a876b8668b66971f59c857e979a2beb41fb5a25a327 0017-checkpath-replace-mkdir-with-mkdirat.patch +3c502dda023387c852e1fe92e873ca88ff9e6311a870f3f5317e9529b9513e0c42b8b7241ba6546129530e42a64f7c61b074fc1cb262c3228aabaf83db1cc1d8 0018-checkpath-remove-extra-slashes.patch +90e50369c04a4b2c4e5924f9ae084d69f6d3d09a3bd7c902a7e3797d5d52c725e1a4033e5c554f104807f3a7ecbb3ab2ecb89636680d69024fd0ec123866a35b 0019-checkpath-fix-code-to-walk-the-directory-path.patch +e204fef5e5d1e8da140c43f42f0eb97283cb56c02193d137f56217cfd7b9ae0dfad5954fb8d1ce0fcb63c20537551ba706e7fd09f3f012fc2a6a0c1106d2540b seedrng.patch 12bb6354e808fbf47bbab963de55ee7901738b4a912659982c57ef2777fff9a670e867fcb8ec316a76b151032c92dc89a950d7d1d835ef53f753a8f3b41d2cec openrc.logrotate 493f27d588e64bb2bb542b32493ed05873f4724e8ad1751002982d7b4e07963cfb72f93603b2d678f305177cf9556d408a87b793744c6b7cd46cf9be4b744c02 hostname.initd c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd diff --git a/main/openrc/seedrng.patch b/main/openrc/seedrng.patch new file mode 100644 index 00000000000..4f06f1e8016 --- /dev/null +++ b/main/openrc/seedrng.patch @@ -0,0 +1,619 @@ +From 076c2552aeff88a27fe275dfaae61dedf4bb4bd5 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" <Jason@zx2c4.com> +Date: Thu, 24 Mar 2022 22:07:16 -0600 +Subject: [PATCH] Use seedrng for seeding the random number generator + +The RNG can't actually be seeded from a shell script, due to the +reliance on ioctls. For this reason, the seedrng project provides a +basic script meant to be copy and pasted into projects like OpenRC and +tweaked as needed: https://git.zx2c4.com/seedrng/about/ + +This commit imports it into OpenRC and wires up /etc/init.d/urandom to +call it. It shouldn't be called by other things on the system, so it +lives in rc_sbindir. + +Closes #506. +Closes #507. + +Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> +--- + AUTHORS | 1 + + conf.d/urandom | 9 +- + init.d/urandom.in | 41 ++-- + src/rc/Makefile | 6 +- + src/rc/meson.build | 10 +- + src/rc/seedrng.c | 453 +++++++++++++++++++++++++++++++++++++++++++++ + 6 files changed, 499 insertions(+), 21 deletions(-) + create mode 100644 src/rc/seedrng.c + +diff --git a/AUTHORS b/AUTHORS +index 0616d5175..ede0f471b 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -43,6 +43,7 @@ Ian Stakenvicius <axs@gentoo.org> + Jakob Drexel <jake42@rommel.stw.uni-erlangen.de> + James Le Cuirot <chewi@aura-online.co.uk> + Jan Psota <jasiu@belsznica.pl> ++Jason A. Donenfeld <Jason@zx2c4.com> + Jason Zaman <jason@perfinion.com> + Joe Harvell <jharvell@dogpad.net> + Joe M <joe9mail@gmail.com> +diff --git a/conf.d/urandom b/conf.d/urandom +index f721a2491..744e4f702 100644 +--- a/conf.d/urandom ++++ b/conf.d/urandom +@@ -2,4 +2,11 @@ + # (say for crypt swap), so you will need to customize this + # behavior. If you have /var on a separate partition, then + # make sure this path lives on your root device somewhere. +-urandom_seed="/var/lib/misc/random-seed" ++seed_dir="/var/lib/seedrng" ++lock_file="/var/run/seedrng.lock" ++ ++# Set this to true if you do not want seed files to actually ++# credit the RNG. Set this if you plan to replicate this ++# file system image and do not have the wherewithal to first ++# delete the contents of /var/lib/seedrng. ++skip_credit="false" +diff --git a/init.d/urandom.in b/init.d/urandom.in +index 0d6ab66e0..cda431fdb 100644 +--- a/init.d/urandom.in ++++ b/init.d/urandom.in +@@ -1,5 +1,5 @@ + #!@SBINDIR@/openrc-run +-# Copyright (c) 2007-2015 The OpenRC Authors. ++# Copyright (c) 2007-2022 The OpenRC Authors. + # See the Authors file at the top-level directory of this distribution and + # https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS + # +@@ -9,7 +9,10 @@ + # This file may not be copied, modified, propagated, or distributed + # except according to the terms contained in the LICENSE file. + +-: ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}} ++export SEEDRNG_SEED_DIR="${seed_dir:-/var/lib/seedrng}" ++export SEEDRNG_LOCK_FILE="${lock_file:-/var/run/seedrng.lock}" ++export SEEDRNG_SKIP_CREDIT="${skip_credit:-false}" ++: ${urandom_seed:=${SEEDRNG_SEED_DIR}/../misc/random-seed} + description="Initializes the random number generator." + + depend() +@@ -21,33 +24,35 @@ depend() + + save_seed() + { +- local psz=1 +- +- if [ -e /proc/sys/kernel/random/poolsize ]; then +- : $(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 )) +- fi +- + ( # sub shell to prevent umask pollution + umask 077 +- dd if=/dev/urandom of="$urandom_seed" count=${psz} 2>/dev/null ++ dd if=/dev/urandom of="$urandom_seed" count=1 2>/dev/null + ) + } + + start() + { +- [ -c /dev/urandom ] || return +- if [ -f "$urandom_seed" ]; then +- ebegin "Initializing random number generator" +- cat "$urandom_seed" > /dev/urandom +- eend $? "Error initializing random number generator" ++ if [ "$RC_UNAME" = Linux ]; then ++ seedrng ++ else ++ [ -c /dev/urandom ] || return ++ if [ -f "$urandom_seed" ]; then ++ ebegin "Initializing random number generator" ++ cat "$urandom_seed" > /dev/urandom ++ eend $? "Error initializing random number generator" ++ fi ++ rm -f "$urandom_seed" && save_seed + fi +- rm -f "$urandom_seed" && save_seed + return 0 + } + + stop() + { +- ebegin "Saving random seed" +- save_seed +- eend $? "Failed to save random seed" ++ if [ "$RC_UNAME" = Linux ]; then ++ seedrng ++ else ++ ebegin "Saving random seed" ++ save_seed ++ eend $? "Failed to save random seed" ++ fi + } +diff --git a/src/rc/Makefile b/src/rc/Makefile +index fd796d920..62539f134 100644 +--- a/src/rc/Makefile ++++ b/src/rc/Makefile +@@ -15,7 +15,7 @@ endif + + ifeq (${OS},Linux) + SRCS+= kill_all.c openrc-init.c openrc-shutdown.c rc-sysvinit.c broadcast.c \ +- rc-wtmp.c ++ rc-wtmp.c seedrng.c + endif + + CLEANFILES= version.h rc-selinux.o +@@ -47,6 +47,7 @@ RC_SBINPROGS= mark_service_starting mark_service_started \ + + ifeq (${OS},Linux) + RC_BINPROGS+= kill_all ++RC_SBINPROGS+= seedrng + SBINPROGS+= openrc-init openrc-shutdown + endif + +@@ -180,3 +181,6 @@ shell_var: shell_var.o + + swclock: swclock.o _usage.o rc-misc.o + ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD} ++ ++seedrng: seedrng.o ++ ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD} +diff --git a/src/rc/seedrng.c b/src/rc/seedrng.c +new file mode 100644 +index 000000000..c1f941457 +--- /dev/null ++++ b/src/rc/seedrng.c +@@ -0,0 +1,453 @@ ++/* ++ * seedrng.c ++ * Seed kernel RNG from seed file, based on code from: ++ * https://git.zx2c4.com/seedrng/about/ ++ */ ++ ++/* ++ * Copyright (c) 2022 The OpenRC Authors. ++ * See the Authors file at the top-level directory of this distribution and ++ * https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS ++ * ++ * This file is part of OpenRC. It is subject to the license terms in ++ * the LICENSE file found in the top-level directory of this ++ * distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE ++ * This file may not be copied, modified, propagated, or distributed ++ * except according to the terms contained in the LICENSE file. ++ */ ++ ++#include <linux/random.h> ++#include <sys/random.h> ++#include <sys/ioctl.h> ++#include <sys/file.h> ++#include <sys/stat.h> ++#include <sys/types.h> ++#include <fcntl.h> ++#include <poll.h> ++#include <unistd.h> ++#include <time.h> ++#include <errno.h> ++#include <endian.h> ++#include <stdbool.h> ++#include <stdint.h> ++#include <string.h> ++#include <stdio.h> ++#include <stdlib.h> ++ ++#include "rc.h" ++#include "einfo.h" ++#include "helpers.h" ++ ++#ifndef GRND_INSECURE ++#define GRND_INSECURE 0x0004 /* Apparently some headers don't ship with this yet. */ ++#endif ++ ++static const char *SEED_DIR; ++static const char *LOCK_FILE; ++static char *CREDITABLE_SEED; ++static char *NON_CREDITABLE_SEED; ++ ++enum blake2s_lengths { ++ BLAKE2S_BLOCK_LEN = 64, ++ BLAKE2S_HASH_LEN = 32, ++ BLAKE2S_KEY_LEN = 32 ++}; ++ ++enum seedrng_lengths { ++ MAX_SEED_LEN = 512, ++ MIN_SEED_LEN = BLAKE2S_HASH_LEN ++}; ++ ++struct blake2s_state { ++ uint32_t h[8]; ++ uint32_t t[2]; ++ uint32_t f[2]; ++ uint8_t buf[BLAKE2S_BLOCK_LEN]; ++ unsigned int buflen; ++ unsigned int outlen; ++}; ++ ++#define le32_to_cpup(a) le32toh(*(a)) ++#define cpu_to_le32(a) htole32(a) ++#ifndef ARRAY_SIZE ++#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) ++#endif ++#ifndef DIV_ROUND_UP ++#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) ++#endif ++ ++static inline void cpu_to_le32_array(uint32_t *buf, unsigned int words) ++{ ++ while (words--) { ++ *buf = cpu_to_le32(*buf); ++ ++buf; ++ } ++} ++ ++static inline void le32_to_cpu_array(uint32_t *buf, unsigned int words) ++{ ++ while (words--) { ++ *buf = le32_to_cpup(buf); ++ ++buf; ++ } ++} ++ ++static inline uint32_t ror32(uint32_t word, unsigned int shift) ++{ ++ return (word >> (shift & 31)) | (word << ((-shift) & 31)); ++} ++ ++static const uint32_t blake2s_iv[8] = { ++ 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL, ++ 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL ++}; ++ ++static const uint8_t blake2s_sigma[10][16] = { ++ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, ++ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, ++ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, ++ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, ++ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, ++ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, ++ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, ++ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, ++ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, ++ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, ++}; ++ ++static void blake2s_set_lastblock(struct blake2s_state *state) ++{ ++ state->f[0] = -1; ++} ++ ++static void blake2s_increment_counter(struct blake2s_state *state, const uint32_t inc) ++{ ++ state->t[0] += inc; ++ state->t[1] += (state->t[0] < inc); ++} ++ ++static void blake2s_init_param(struct blake2s_state *state, const uint32_t param) ++{ ++ int i; ++ ++ memset(state, 0, sizeof(*state)); ++ for (i = 0; i < 8; ++i) ++ state->h[i] = blake2s_iv[i]; ++ state->h[0] ^= param; ++} ++ ++static void blake2s_init(struct blake2s_state *state, const size_t outlen) ++{ ++ blake2s_init_param(state, 0x01010000 | outlen); ++ state->outlen = outlen; ++} ++ ++static void blake2s_compress(struct blake2s_state *state, const uint8_t *block, size_t nblocks, const uint32_t inc) ++{ ++ uint32_t m[16]; ++ uint32_t v[16]; ++ int i; ++ ++ while (nblocks > 0) { ++ blake2s_increment_counter(state, inc); ++ memcpy(m, block, BLAKE2S_BLOCK_LEN); ++ le32_to_cpu_array(m, ARRAY_SIZE(m)); ++ memcpy(v, state->h, 32); ++ v[ 8] = blake2s_iv[0]; ++ v[ 9] = blake2s_iv[1]; ++ v[10] = blake2s_iv[2]; ++ v[11] = blake2s_iv[3]; ++ v[12] = blake2s_iv[4] ^ state->t[0]; ++ v[13] = blake2s_iv[5] ^ state->t[1]; ++ v[14] = blake2s_iv[6] ^ state->f[0]; ++ v[15] = blake2s_iv[7] ^ state->f[1]; ++ ++#define G(r, i, a, b, c, d) do { \ ++ a += b + m[blake2s_sigma[r][2 * i + 0]]; \ ++ d = ror32(d ^ a, 16); \ ++ c += d; \ ++ b = ror32(b ^ c, 12); \ ++ a += b + m[blake2s_sigma[r][2 * i + 1]]; \ ++ d = ror32(d ^ a, 8); \ ++ c += d; \ ++ b = ror32(b ^ c, 7); \ ++} while (0) ++ ++#define ROUND(r) do { \ ++ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \ ++ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \ ++ G(r, 2, v[2], v[ 6], v[10], v[14]); \ ++ G(r, 3, v[3], v[ 7], v[11], v[15]); \ ++ G(r, 4, v[0], v[ 5], v[10], v[15]); \ ++ G(r, 5, v[1], v[ 6], v[11], v[12]); \ ++ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \ ++ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \ ++} while (0) ++ ROUND(0); ++ ROUND(1); ++ ROUND(2); ++ ROUND(3); ++ ROUND(4); ++ ROUND(5); ++ ROUND(6); ++ ROUND(7); ++ ROUND(8); ++ ROUND(9); ++ ++#undef G ++#undef ROUND ++ ++ for (i = 0; i < 8; ++i) ++ state->h[i] ^= v[i] ^ v[i + 8]; ++ ++ block += BLAKE2S_BLOCK_LEN; ++ --nblocks; ++ } ++} ++ ++static void blake2s_update(struct blake2s_state *state, const void *inp, size_t inlen) ++{ ++ const size_t fill = BLAKE2S_BLOCK_LEN - state->buflen; ++ const uint8_t *in = inp; ++ ++ if (!inlen) ++ return; ++ if (inlen > fill) { ++ memcpy(state->buf + state->buflen, in, fill); ++ blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_LEN); ++ state->buflen = 0; ++ in += fill; ++ inlen -= fill; ++ } ++ if (inlen > BLAKE2S_BLOCK_LEN) { ++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_LEN); ++ blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_LEN); ++ in += BLAKE2S_BLOCK_LEN * (nblocks - 1); ++ inlen -= BLAKE2S_BLOCK_LEN * (nblocks - 1); ++ } ++ memcpy(state->buf + state->buflen, in, inlen); ++ state->buflen += inlen; ++} ++ ++static void blake2s_final(struct blake2s_state *state, uint8_t *out) ++{ ++ blake2s_set_lastblock(state); ++ memset(state->buf + state->buflen, 0, BLAKE2S_BLOCK_LEN - state->buflen); ++ blake2s_compress(state, state->buf, 1, state->buflen); ++ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h)); ++ memcpy(out, state->h, state->outlen); ++} ++ ++static size_t determine_optimal_seed_len(void) ++{ ++ size_t ret = 0; ++ char poolsize_str[11] = { 0 }; ++ int fd = open("/proc/sys/kernel/random/poolsize", O_RDONLY); ++ ++ if (fd < 0 || read(fd, poolsize_str, sizeof(poolsize_str) - 1) < 0) { ++ ewarn("Unable to determine pool size, falling back to %u bits: %s", MIN_SEED_LEN * 8, strerror(errno)); ++ ret = MIN_SEED_LEN; ++ } else ++ ret = DIV_ROUND_UP(strtoul(poolsize_str, NULL, 10), 8); ++ if (fd >= 0) ++ close(fd); ++ if (ret < MIN_SEED_LEN) ++ ret = MIN_SEED_LEN; ++ else if (ret > MAX_SEED_LEN) ++ ret = MAX_SEED_LEN; ++ return ret; ++} ++ ++static int read_new_seed(uint8_t *seed, size_t len, bool *is_creditable) ++{ ++ ssize_t ret; ++ int urandom_fd; ++ ++ *is_creditable = false; ++ ret = getrandom(seed, len, GRND_NONBLOCK); ++ if (ret == (ssize_t)len) { ++ *is_creditable = true; ++ return 0; ++ } ++ if (ret == -1 && errno == ENOSYS) { ++ struct pollfd random_fd = { ++ .fd = open("/dev/random", O_RDONLY), ++ .events = POLLIN ++ }; ++ if (random_fd.fd < 0) ++ return -errno; ++ *is_creditable = poll(&random_fd, 1, 0) == 1; ++ close(random_fd.fd); ++ } else if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len) ++ return 0; ++ urandom_fd = open("/dev/urandom", O_RDONLY); ++ if (urandom_fd < 0) ++ return -errno; ++ ret = read(urandom_fd, seed, len); ++ if (ret == (ssize_t)len) ++ ret = 0; ++ else ++ ret = -errno ? -errno : -EIO; ++ close(urandom_fd); ++ return ret; ++} ++ ++static int seed_rng(uint8_t *seed, size_t len, bool credit) ++{ ++ struct { ++ int entropy_count; ++ int buf_size; ++ uint8_t buffer[MAX_SEED_LEN]; ++ } req = { ++ .entropy_count = credit ? len * 8 : 0, ++ .buf_size = len ++ }; ++ int random_fd, ret; ++ ++ if (len > sizeof(req.buffer)) ++ return -EFBIG; ++ memcpy(req.buffer, seed, len); ++ ++ random_fd = open("/dev/random", O_RDWR); ++ if (random_fd < 0) ++ return -errno; ++ ret = ioctl(random_fd, RNDADDENTROPY, &req); ++ if (ret) ++ ret = -errno ? -errno : -EIO; ++ close(random_fd); ++ return ret; ++} ++ ++static int seed_from_file_if_exists(const char *filename, bool credit, struct blake2s_state *hash) ++{ ++ uint8_t seed[MAX_SEED_LEN]; ++ ssize_t seed_len; ++ int fd, dfd, ret = 0; ++ ++ fd = open(filename, O_RDONLY); ++ if (fd < 0 && errno == ENOENT) ++ return 0; ++ else if (fd < 0) { ++ ret = -errno; ++ eerror("Unable to open seed file: %s", strerror(errno)); ++ return ret; ++ } ++ dfd = open(SEED_DIR, O_DIRECTORY | O_RDONLY); ++ if (dfd < 0) { ++ ret = -errno; ++ close(fd); ++ eerror("Unable to open seed directory: %s", strerror(errno)); ++ return ret; ++ } ++ seed_len = read(fd, seed, sizeof(seed)); ++ if (seed_len < 0) { ++ ret = -errno; ++ eerror("Unable to read seed file: %s", strerror(errno)); ++ } ++ close(fd); ++ if (ret) { ++ close(dfd); ++ return ret; ++ } ++ if ((unlink(filename) < 0 || fsync(dfd) < 0) && seed_len) { ++ ret = -errno; ++ eerror("Unable to remove seed after reading, so not seeding: %s", strerror(errno)); ++ } ++ close(dfd); ++ if (ret) ++ return ret; ++ if (!seed_len) ++ return 0; ++ ++ blake2s_update(hash, &seed_len, sizeof(seed_len)); ++ blake2s_update(hash, seed, seed_len); ++ ++ einfo("Seeding %zd bits %s crediting", seed_len * 8, credit ? "and" : "without"); ++ ret = seed_rng(seed, seed_len, credit); ++ if (ret < 0) ++ eerror("Unable to seed: %s", strerror(-ret)); ++ return ret; ++} ++ ++static void populate_global_paths(void) ++{ ++ SEED_DIR = getenv("SEEDRNG_SEED_DIR"); ++ if (!SEED_DIR || !*SEED_DIR) ++ SEED_DIR = "/var/lib/seedrng"; ++ LOCK_FILE = getenv("SEEDRNG_LOCK_FILE"); ++ if (!LOCK_FILE || !*LOCK_FILE) ++ LOCK_FILE = "/var/run/seedrng.lock"; ++ xasprintf(&CREDITABLE_SEED, "%s/seed.credit", SEED_DIR); ++ xasprintf(&NON_CREDITABLE_SEED, "%s/seed.no-credit", SEED_DIR); ++} ++ ++int main(int argc _unused, char *argv[] _unused) ++{ ++ static const char seedrng_prefix[] = "SeedRNG v1 Old+New Prefix"; ++ static const char seedrng_failure[] = "SeedRNG v1 No New Seed Failure"; ++ int ret, fd, lock, program_ret = 0; ++ uint8_t new_seed[MAX_SEED_LEN]; ++ size_t new_seed_len; ++ bool new_seed_creditable; ++ struct timespec realtime = { 0 }, boottime = { 0 }; ++ struct blake2s_state hash; ++ ++ umask(0077); ++ if (getuid()) ++ eerrorx("This rc helper program requires root"); ++ ++ populate_global_paths(); ++ blake2s_init(&hash, BLAKE2S_HASH_LEN); ++ blake2s_update(&hash, seedrng_prefix, strlen(seedrng_prefix)); ++ clock_gettime(CLOCK_REALTIME, &realtime); ++ clock_gettime(CLOCK_BOOTTIME, &boottime); ++ blake2s_update(&hash, &realtime, sizeof(realtime)); ++ blake2s_update(&hash, &boottime, sizeof(boottime)); ++ ++ if (mkdir(SEED_DIR, 0700) < 0 && errno != EEXIST) ++ eerrorx("Unable to create \"%s\" directory: %s", SEED_DIR, strerror(errno)); ++ ++ lock = open(LOCK_FILE, O_WRONLY | O_CREAT, 0000); ++ if (lock < 0 || flock(lock, LOCK_EX) < 0) ++ eerrorx("Unable to open lock file: %s", strerror(errno)); ++ ++ ret = seed_from_file_if_exists(NON_CREDITABLE_SEED, false, &hash); ++ if (ret < 0) ++ program_ret |= 1 << 1; ++ ret = seed_from_file_if_exists(CREDITABLE_SEED, !rc_yesno(getenv("SEEDRNG_SKIP_CREDIT")), &hash); ++ if (ret < 0) ++ program_ret |= 1 << 2; ++ ++ new_seed_len = determine_optimal_seed_len(); ++ ret = read_new_seed(new_seed, new_seed_len, &new_seed_creditable); ++ if (ret < 0) { ++ eerror("Unable to read new seed: %s", strerror(-ret)); ++ new_seed_len = BLAKE2S_HASH_LEN; ++ strncpy((char *)new_seed, seedrng_failure, new_seed_len); ++ program_ret |= 1 << 3; ++ } ++ blake2s_update(&hash, &new_seed_len, sizeof(new_seed_len)); ++ blake2s_update(&hash, new_seed, new_seed_len); ++ blake2s_final(&hash, new_seed + new_seed_len - BLAKE2S_HASH_LEN); ++ ++ einfo("Saving %zu bits of %s seed for next boot", new_seed_len * 8, new_seed_creditable ? "creditable" : "non-creditable"); ++ fd = open(NON_CREDITABLE_SEED, O_WRONLY | O_CREAT | O_TRUNC, 0400); ++ if (fd < 0) { ++ eerror("Unable to open seed file for writing: %s", strerror(errno)); ++ program_ret |= 1 << 4; ++ goto out; ++ } ++ if (write(fd, new_seed, new_seed_len) != (ssize_t)new_seed_len || fsync(fd) < 0) { ++ eerror("Unable to write seed file: %s", strerror(errno)); ++ program_ret |= 1 << 5; ++ goto out; ++ } ++ if (new_seed_creditable && rename(NON_CREDITABLE_SEED, CREDITABLE_SEED) < 0) { ++ ewarn("Unable to make new seed creditable: %s", strerror(errno)); ++ program_ret |= 1 << 6; ++ } ++out: ++ close(fd); ++ close(lock); ++ return program_ret; ++} diff --git a/main/opensmtpd/APKBUILD b/main/opensmtpd/APKBUILD index de576a9c57b..9703c9fcc8c 100644 --- a/main/opensmtpd/APKBUILD +++ b/main/opensmtpd/APKBUILD @@ -11,7 +11,7 @@ # - CVE-2020-7247 pkgname=opensmtpd pkgver=6.7.1p1 -pkgrel=2 +pkgrel=4 pkgdesc="Secure, reliable, lean, and easy-to configure SMTP server" url="https://www.opensmtpd.org/" arch="all" @@ -89,7 +89,7 @@ pam() { } sha512sums="403952e77b360f42d8dc8ae7cd7faeced831b9e37bffd7c67d338b7208f7471d50f3594c3475a9282d18cb17435efd305ec8c05f89eaeab5d363ddb1c4d54a2e opensmtpd-6.7.1p1.tar.gz -ec3e3a877f77d55a8f676169ff30feb1467b5ac5b0a3bfa960c54ab3848610ccf819e037d2d2a3b2231ec35989cf1dd03f105a7b5188fc828ee653260532fe1b smtpd.initd +cce0c3b014a02d46c77d4de6495cf8e7e48d17c89c27432f121060d6712ae3606a6e5d51a74cf5504e826f7dd72176297dc83c9e6623f8e3fe9a952c8d02add1 smtpd.initd e68fca4a7e0ceda271ad61c5a6592a859789bea9ccb6417258f7a0b45d92163ed6097c208d3fdfb78bf978a6a01b6f3678e047e3ce972b2c521419d54a992e0a smtpd.confd 51d47b34eb3d728daa45f29d6434cc75db28dfa69b6fb3ecd873121df85b296a2d2c81016d765a07778aa26a496e4b29c09a30b82678cf42596a536734b5deca aliases 37104cc605569f142ceffa902f200e8a7e9e1114ebe5394ed1eac0ed6ce25454e1610270921c45246de8396eee04b7c8ab5a112a231036a6ef14e7e229b264e3 autoconf-decl-checks.patch diff --git a/main/opensmtpd/smtpd.initd b/main/opensmtpd/smtpd.initd index ae55a7a73db..e72fa4173d3 100644 --- a/main/opensmtpd/smtpd.initd +++ b/main/opensmtpd/smtpd.initd @@ -33,9 +33,9 @@ checkconfig() { ebegin "Checking $name configuration" # Don't output anything unless something is *not* ok. - local out; out=$($command -n 2>&1) - local ret=$? + local out rc=0 + out=$($command -n 2>&1) || rc=$? + [ "$rc" -eq 0 ] || printf '%s\n' "$out" >&2 - [ "$ret" -eq 0 ] || printf '%s\n' "$out" >&2 - eend $? + eend $rc } diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD index 211971e7fc0..329257b3e54 100644 --- a/main/openssl/APKBUILD +++ b/main/openssl/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Timo Teras <timo.teras@iki.fi> pkgname=openssl -pkgver=1.1.1l +pkgver=1.1.1s _abiver=${pkgver%.*} pkgrel=0 pkgdesc="Toolkit for Transport Layer Security (TLS)" @@ -19,6 +19,10 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz " # secfixes: +# 1.1.1q-r0: +# - CVE-2022-2097 +# 1.1.1n-r0: +# - CVE-2022-0778 # 1.1.1l-r0: # - CVE-2021-3711 # - CVE-2021-3712 @@ -44,6 +48,9 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz # 1.1.1a-r0: # - CVE-2018-0734 # - CVE-2018-0735 +# 0: +# - CVE-2022-1292 +# - CVE-2022-2068 build() { local _target _optflags @@ -125,7 +132,7 @@ _libssl() { } sha512sums=" -d9611f393e37577cca05004531388d3e0ebbf714894cab9f95f4903909cd4f45c214faab664c0cbc3ad3cca309d500b9e6d0ecbf9a0a0588d1677dc6b047f9e0 openssl-1.1.1l.tar.gz +2ef983f166b5e1bf456ca37938e7e39d58d4cd85e9fc4b5174a05f5c37cc5ad89c3a9af97a6919bcaab128a8a92e4bdc8a045e5d9156d90768da8f73ac67c5b9 openssl-1.1.1s.tar.gz 43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch " diff --git a/main/openvpn/APKBUILD b/main/openvpn/APKBUILD index 89eadfccaf6..622ed25d52b 100644 --- a/main/openvpn/APKBUILD +++ b/main/openvpn/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Valery Kartel <valery.kartel@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=openvpn -pkgver=2.5.2 +pkgver=2.5.6 pkgrel=0 pkgdesc="Robust, and highly configurable VPN (Virtual Private Network)" url="https://openvpn.net/" @@ -12,7 +12,7 @@ depends="iproute2" depends_dev="openssl-dev" # openvpn-plugin.h includes openssl/x509.h makedepends="$depends_dev lzo-dev linux-pam-dev linux-headers" install="$pkgname.pre-install" -source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.xz +source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.gz openvpn.initd openvpn.confd openvpn.up @@ -20,6 +20,8 @@ source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.xz " # secfixes: +# 2.5.6-r0: +# - CVE-2022-0547 # 2.5.2-r0: # - CVE-2020-15078 # 2.4.9-r0: @@ -71,8 +73,10 @@ pam() { "$subpkgdir"/usr/lib/openvpn/plugins/ } -sha512sums="ae2cac00ae4b9e06e7e70b268ed47d36bbb45409650175e507d5bfa12b0a4f24bccc64f2494d1563f9269c8076d0f753a492f01ea33ce376ba00b7cdcb5c7bd0 openvpn-2.5.2.tar.xz +sha512sums=" +0bb0dda44ff757cf5249b6c047932c51073344a1d69048f210da421263a07bb5f4370f5b0c3ed4fdd6c6da2888d28fe8ee8947b59594f4c17a9ea20588852bc0 openvpn-2.5.6.tar.gz 111a1ce79bdb41b8a03c0d43f1fd87de8a0d5592a8b1bd878113af79adce3d0a3109badd92b5af9a0f80b6585473a1e01638f7e78e6baa8aac439f0708bc2a72 openvpn.initd 1f14d4bd7a4a026c276af048ce647501c15358c6b0d184e95c49be5b8184188c8edafb76ed94835cdbb314187ee3b5b3ccd852e3a47add0599814c402309bece openvpn.confd cdb73c9a5b1eb56e9cbd29955d94297ce5a87079419cd626d6a0b6680d88cbf310735a53f794886df02030b687eaea553c7c569a8ea1282a149441add1c65760 openvpn.up -4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down" +4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down +" diff --git a/main/pcre2/APKBUILD b/main/pcre2/APKBUILD index 57fc26b6bc9..52c91e484ab 100644 --- a/main/pcre2/APKBUILD +++ b/main/pcre2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Jakub Jirutka <jakub@jirutka.cz> pkgname=pcre2 pkgver=10.36 -pkgrel=0 +pkgrel=1 pkgdesc="Perl-compatible regular expression library" url="https://pcre.org/" arch="all" @@ -11,7 +11,14 @@ depends_dev="libedit-dev zlib-dev" makedepends="$depends_dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-tools libpcre2-16:_libpcre libpcre2-32:_libpcre" -source="https://ftp.pcre.org/pub/pcre/pcre2-$pkgver.tar.gz" +source="https://github.com/PCRE2Project/pcre2/releases/download/pcre2-$pkgver/pcre2-$pkgver.tar.gz + CVE-2022-1586.patch + CVE-2022-1587.patch + " +# secfixes: +# 10.36-r1: +# - CVE-2022-1586 +# - CVE-2022-1587 case "$CARCH" in s390x) _enable_jit="";; # https://bugs.exim.org/show_bug.cgi?id=2468 @@ -70,4 +77,6 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="a776cda406aea4a30f5072b24fc41bafd580d92e6d7c782b3c5468570f58fb085184ff707d90d8e83662f578c4327178f5ff4236222d0b3ca07244ef70528aa8 pcre2-10.36.tar.gz" +sha512sums="a776cda406aea4a30f5072b24fc41bafd580d92e6d7c782b3c5468570f58fb085184ff707d90d8e83662f578c4327178f5ff4236222d0b3ca07244ef70528aa8 pcre2-10.36.tar.gz +b4dedf83b4bde5350d2e7830df60d229e8c00ad00f8182396dd890e8a4474eabb4d794e6de8893ab8c5921859fa39101ac7418d1a0d2bfcaa4010973a2415fa8 CVE-2022-1586.patch +67707353a4a6b5b7a63da304d827b66bbd6befda0c92dc9ca01d57f0dc214166c7564ccab2253334fbf3b222c73c2750a77fe3e7c11e0addab7c6347547e824e CVE-2022-1587.patch" diff --git a/main/pcre2/CVE-2022-1586.patch b/main/pcre2/CVE-2022-1586.patch new file mode 100644 index 00000000000..9dded3558d6 --- /dev/null +++ b/main/pcre2/CVE-2022-1586.patch @@ -0,0 +1,33 @@ +Patch-Source: https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a (modified) +-- +From 50a51cb7e67268e6ad417eb07c9de9bfea5cc55a Mon Sep 17 00:00:00 2001 +From: Zoltan Herczeg <hzmester@freemail.hu> +Date: Wed, 23 Mar 2022 07:53:25 +0000 +Subject: [PATCH] Fixed a unicode properrty matching issue in JIT + +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index e7dd26c5..94f6a588 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -7473,7 +7473,7 @@ + { + SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP); + cc++; +- if (*cc == PT_CLIST) ++ if (*cc == PT_CLIST && *cc == XCL_PROP) + { + other_cases = PRIV(ucd_caseless_sets) + cc[1]; + while (*other_cases != NOTACHAR) +diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c +index 3b57ce29..8450f0b6 100644 +--- a/src/pcre2_jit_test.c ++++ b/src/pcre2_jit_test.c +@@ -410,6 +410,7 @@ + { MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" }, + { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB baaa" }, + { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " }, ++ { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" }, + + /* Possible empty brackets. */ + { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" }, + diff --git a/main/pcre2/CVE-2022-1587.patch b/main/pcre2/CVE-2022-1587.patch new file mode 100644 index 00000000000..339e5c16420 --- /dev/null +++ b/main/pcre2/CVE-2022-1587.patch @@ -0,0 +1,636 @@ +Patch-Source: https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0 (modified) +-- +From 03654e751e7f0700693526b67dfcadda6b42c9d0 Mon Sep 17 00:00:00 2001 +From: Zoltan Herczeg <hzmester@freemail.hu> +Date: Sat, 26 Mar 2022 07:55:50 +0000 +Subject: [PATCH] Fixed an issue affecting recursions in JIT + +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index 7fcdac86..bf71d158 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -413,6 +413,9 @@ + /* Locals used by fast fail optimization. */ + sljit_s32 early_fail_start_ptr; + sljit_s32 early_fail_end_ptr; ++ /* Variables used by recursive call generator. */ ++ sljit_s32 recurse_bitset_size; ++ uint8_t *recurse_bitset; + + /* Flipped and lower case tables. */ + const sljit_u8 *fcc; +@@ -2316,19 +2319,39 @@ + + #undef RECURSE_TMP_REG_COUNT + ++static BOOL recurse_check_bit(compiler_common *common, sljit_sw bit_index) ++{ ++uint8_t *byte; ++uint8_t mask; ++ ++SLJIT_ASSERT((bit_index & (sizeof(sljit_sw) - 1)) == 0); ++ ++bit_index >>= SLJIT_WORD_SHIFT; ++ ++mask = 1 << (bit_index & 0x7); ++byte = common->recurse_bitset + (bit_index >> 3); ++ ++if (*byte & mask) ++ return FALSE; ++ ++*byte |= mask; ++return TRUE; ++} ++ + static int get_recurse_data_length(compiler_common *common, PCRE2_SPTR cc, PCRE2_SPTR ccend, + BOOL *needs_control_head, BOOL *has_quit, BOOL *has_accept) + { + int length = 1; +-int size; ++int size, offset; + PCRE2_SPTR alternative; + BOOL quit_found = FALSE; + BOOL accept_found = FALSE; + BOOL setsom_found = FALSE; + BOOL setmark_found = FALSE; +-BOOL capture_last_found = FALSE; + BOOL control_head_found = FALSE; + ++memset(common->recurse_bitset, 0, common->recurse_bitset_size); ++ + #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD + SLJIT_ASSERT(common->control_head_ptr != 0); + control_head_found = TRUE; +@@ -2351,15 +2374,17 @@ + setsom_found = TRUE; + if (common->mark_ptr != 0) + setmark_found = TRUE; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE; + break; + + case OP_KET: +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0) + { +- length++; ++ if (recurse_check_bit(common, offset)) ++ length++; + SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0); + cc += PRIVATE_DATA(cc + 1); + } +@@ -2378,39 +2403,55 @@ + case OP_SBRA: + case OP_SBRAPOS: + case OP_SCOND: +- length++; + SLJIT_ASSERT(PRIVATE_DATA(cc) != 0); ++ if (recurse_check_bit(common, PRIVATE_DATA(cc))) ++ length++; + cc += 1 + LINK_SIZE; + break; + + case OP_CBRA: + case OP_SCBRA: +- length += 2; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; +- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0) ++ offset = GET2(cc, 1 + LINK_SIZE); ++ if (recurse_check_bit(common, OVECTOR(offset << 1))) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))); ++ length += 2; ++ } ++ if (common->optimized_cbracket[offset] == 0 && recurse_check_bit(common, OVECTOR_PRIV(offset))) + length++; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_CBRAPOS: + case OP_SCBRAPOS: +- length += 2 + 2; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ if (recurse_check_bit(common, OVECTOR(offset << 1))) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))); ++ length += 2; ++ } ++ if (recurse_check_bit(common, OVECTOR_PRIV(offset))) ++ length++; ++ if (recurse_check_bit(common, PRIVATE_DATA(cc))) ++ length++; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_COND: + /* Might be a hidden SCOND. */ + alternative = cc + GET(cc, 1); +- if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) ++ if ((*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) && recurse_check_bit(common, PRIVATE_DATA(cc))) + length++; + cc += 1 + LINK_SIZE; + break; + + CASE_ITERATOR_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length++; + cc += 2; + #ifdef SUPPORT_UNICODE +@@ -2419,8 +2460,12 @@ + break; + + CASE_ITERATOR_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 2; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2428,8 +2473,12 @@ + break; + + CASE_ITERATOR_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 2 + IMM2_SIZE; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2437,20 +2486,29 @@ + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length++; + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 1 + IMM2_SIZE; + break; + +@@ -2462,7 +2520,9 @@ + #else + size = 1 + 32 / (int)sizeof(PCRE2_UCHAR); + #endif +- if (PRIVATE_DATA(cc) != 0) ++ ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length += get_class_iterator_size(cc + size); + cc += size; + break; +@@ -2497,8 +2557,7 @@ + case OP_THEN: + SLJIT_ASSERT(common->control_head_ptr != 0); + quit_found = TRUE; +- if (!control_head_found) +- control_head_found = TRUE; ++ control_head_found = TRUE; + cc++; + break; + +@@ -2518,8 +2577,6 @@ + + if (control_head_found) + length++; +-if (capture_last_found) +- length++; + if (quit_found) + { + if (setsom_found) +@@ -2552,14 +2609,12 @@ + sljit_sw kept_shared_srcw[2]; + int private_count, shared_count, kept_shared_count; + int from_sp, base_reg, offset, i; +-BOOL setsom_found = FALSE; +-BOOL setmark_found = FALSE; +-BOOL capture_last_found = FALSE; +-BOOL control_head_found = FALSE; + ++memset(common->recurse_bitset, 0, common->recurse_bitset_size); ++ + #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD + SLJIT_ASSERT(common->control_head_ptr != 0); +-control_head_found = TRUE; ++recurse_check_bit(common, common->control_head_ptr); + #endif + + switch (type) +@@ -2647,11 +2702,10 @@ + { + case OP_SET_SOM: + SLJIT_ASSERT(common->has_set_som); +- if (has_quit && !setsom_found) ++ if (has_quit && recurse_check_bit(common, OVECTOR(0))) + { + kept_shared_srcw[0] = OVECTOR(0); + kept_shared_count = 1; +- setsom_found = TRUE; + } + cc += 1; + break; +@@ -2659,33 +2713,31 @@ + case OP_RECURSE: + if (has_quit) + { +- if (common->has_set_som && !setsom_found) ++ if (common->has_set_som && recurse_check_bit(common, OVECTOR(0))) + { + kept_shared_srcw[0] = OVECTOR(0); + kept_shared_count = 1; +- setsom_found = TRUE; + } +- if (common->mark_ptr != 0 && !setmark_found) ++ if (common->mark_ptr != 0 && recurse_check_bit(common, common->mark_ptr)) + { + kept_shared_srcw[kept_shared_count] = common->mark_ptr; + kept_shared_count++; +- setmark_found = TRUE; + } + } +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { + shared_srcw[0] = common->capture_last_ptr; + shared_count = 1; +- capture_last_found = TRUE; + } + cc += 1 + LINK_SIZE; + break; + + case OP_KET: +- if (PRIVATE_DATA(cc) != 0) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0) + { +- private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0); + cc += PRIVATE_DATA(cc + 1); + } +@@ -2704,50 +2756,66 @@ + case OP_SBRA: + case OP_SBRAPOS: + case OP_SCOND: +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + cc += 1 + LINK_SIZE; + break; + + case OP_CBRA: + case OP_SCBRA: +- offset = (GET2(cc, 1 + LINK_SIZE)) << 1; +- shared_srcw[0] = OVECTOR(offset); +- shared_srcw[1] = OVECTOR(offset + 1); +- shared_count = 2; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ shared_srcw[0] = OVECTOR(offset << 1); ++ if (recurse_check_bit(common, shared_srcw[0])) ++ { ++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1])); ++ shared_count = 2; ++ } + +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { +- shared_srcw[2] = common->capture_last_ptr; +- shared_count = 3; +- capture_last_found = TRUE; ++ shared_srcw[shared_count] = common->capture_last_ptr; ++ shared_count++; + } + +- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0) ++ if (common->optimized_cbracket[offset] == 0) + { +- private_count = 1; +- private_srcw[0] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE)); ++ private_srcw[0] = OVECTOR_PRIV(offset); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + } ++ + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_CBRAPOS: + case OP_SCBRAPOS: +- offset = (GET2(cc, 1 + LINK_SIZE)) << 1; +- shared_srcw[0] = OVECTOR(offset); +- shared_srcw[1] = OVECTOR(offset + 1); +- shared_count = 2; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ shared_srcw[0] = OVECTOR(offset << 1); ++ if (recurse_check_bit(common, shared_srcw[0])) ++ { ++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1])); ++ shared_count = 2; ++ } + +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { +- shared_srcw[2] = common->capture_last_ptr; +- shared_count = 3; +- capture_last_found = TRUE; ++ shared_srcw[shared_count] = common->capture_last_ptr; ++ shared_count++; + } + +- private_count = 2; + private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE)); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; ++ ++ offset = OVECTOR_PRIV(offset); ++ if (recurse_check_bit(common, offset)) ++ { ++ private_srcw[private_count] = offset; ++ private_count++; ++ } + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + +@@ -2756,18 +2824,17 @@ + alternative = cc + GET(cc, 1); + if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) + { +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + } + cc += 1 + LINK_SIZE; + break; + + CASE_ITERATOR_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc)) +- { ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); +- } + cc += 2; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2775,11 +2842,12 @@ + break; + + CASE_ITERATOR_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw); ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 2; + #ifdef SUPPORT_UNICODE +@@ -2788,11 +2856,12 @@ + break; + + CASE_ITERATOR_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw); ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 2 + IMM2_SIZE; + #ifdef SUPPORT_UNICODE +@@ -2801,30 +2870,30 @@ + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc)) +- { ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); +- } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); + private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); + private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 1 + IMM2_SIZE; + break; +@@ -2841,14 +2910,17 @@ + switch(get_class_iterator_size(cc + i)) + { + case 1: +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); + break; + + case 2: +- private_count = 2; + private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ if (recurse_check_bit(common, private_srcw[0])) ++ { ++ private_count = 2; ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); ++ } + break; + + default: +@@ -2863,28 +2935,25 @@ + case OP_PRUNE_ARG: + case OP_THEN_ARG: + SLJIT_ASSERT(common->mark_ptr != 0); +- if (has_quit && !setmark_found) ++ if (has_quit && recurse_check_bit(common, common->mark_ptr)) + { + kept_shared_srcw[0] = common->mark_ptr; + kept_shared_count = 1; +- setmark_found = TRUE; + } +- if (common->control_head_ptr != 0 && !control_head_found) ++ if (common->control_head_ptr != 0 && recurse_check_bit(common, common->control_head_ptr)) + { + private_srcw[0] = common->control_head_ptr; + private_count = 1; +- control_head_found = TRUE; + } + cc += 1 + 2 + cc[1]; + break; + + case OP_THEN: + SLJIT_ASSERT(common->control_head_ptr != 0); +- if (!control_head_found) ++ if (recurse_check_bit(common, common->control_head_ptr)) + { + private_srcw[0] = common->control_head_ptr; + private_count = 1; +- control_head_found = TRUE; + } + cc++; + break; +@@ -2892,7 +2961,7 @@ + default: + cc = next_opcode(common, cc); + SLJIT_ASSERT(cc != NULL); +- break; ++ continue; + } + + if (type != recurse_copy_shared_to_global && type != recurse_copy_kept_shared_to_global) +@@ -13652,7 +13721,7 @@ + common->cbra_ptr = OVECTOR_START + (re->top_bracket + 1) * 2 * sizeof(sljit_sw); + + total_length = ccend - common->start; +-common->private_data_ptrs = (sljit_s32 *)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data); ++common->private_data_ptrs = (sljit_s32*)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data); + if (!common->private_data_ptrs) + { + SLJIT_FREE(common->optimized_cbracket, allocator_data); +@@ -13691,6 +13760,7 @@ + common->compiler = compiler; + + /* Main pcre_jit_exec entry. */ ++SLJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0); + sljit_emit_enter(compiler, 0, SLJIT_ARG1(SW), 5, 5, 0, 0, private_data_size); + + /* Register init. */ +@@ -13913,20 +13983,40 @@ + common->currententry = common->entries; + common->local_quit_available = TRUE; + quit_label = common->quit_label; +-while (common->currententry != NULL) ++if (common->currententry != NULL) + { +- /* Might add new entries. */ +- compile_recurse(common); +- if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler))) ++ /* A free bit for each private data. */ ++ common->recurse_bitset_size = ((private_data_size / (int)sizeof(sljit_sw)) + 7) >> 3; ++ SLJIT_ASSERT(common->recurse_bitset_size > 0); ++ common->recurse_bitset = (sljit_u8*)SLJIT_MALLOC(common->recurse_bitset_size, allocator_data);; ++ ++ if (common->recurse_bitset != NULL) + { ++ do ++ { ++ /* Might add new entries. */ ++ compile_recurse(common); ++ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler))) ++ break; ++ flush_stubs(common); ++ common->currententry = common->currententry->next; ++ } ++ while (common->currententry != NULL); ++ ++ SLJIT_FREE(common->recurse_bitset, allocator_data); ++ } ++ ++ if (common->currententry != NULL) ++ { ++ /* The common->recurse_bitset has been freed. */ ++ SLJIT_ASSERT(sljit_get_compiler_error(compiler) || common->recurse_bitset == NULL); ++ + sljit_free_compiler(compiler); + SLJIT_FREE(common->optimized_cbracket, allocator_data); + SLJIT_FREE(common->private_data_ptrs, allocator_data); + PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data); + return PCRE2_ERROR_NOMEMORY; + } +- flush_stubs(common); +- common->currententry = common->currententry->next; + } + common->local_quit_available = FALSE; + common->quit_label = quit_label; + +diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c +index 8450f0b6..bb141a0c 100644 +--- a/src/pcre2_jit_test.c ++++ b/src/pcre2_jit_test.c +@@ -745,6 +745,7 @@ + { MU, A, 0, 0, "((?(R)a|(?1)){1,3}?)M", "aaaM" }, + { MU, A, 0, 0, "((.)(?:.|\\2(?1))){0}#(?1)#", "#aabbccdde# #aabbccddee#" }, + { MU, A, 0, 0, "((.)(?:\\2|\\2{4}b)){0}#(?:(?1))+#", "#aaaab# #aaaaab#" }, ++ { MU, A, 0, 0 | F_NOMATCH, "(?1)$((.|\\2xx){1,2})", "abc" }, + + /* 16 bit specific tests. */ + { CM, A, 0, 0 | F_FORCECONV, "\xc3\xa1", "\xc3\x81\xc3\xa1" }, diff --git a/main/perl-datetime-timezone/APKBUILD b/main/perl-datetime-timezone/APKBUILD index 33bcc574721..b60ae1ff23f 100644 --- a/main/perl-datetime-timezone/APKBUILD +++ b/main/perl-datetime-timezone/APKBUILD @@ -4,7 +4,7 @@ pkgname=perl-datetime-timezone #_pkgreal is used by apkbuild-cpan to find modules at MetaCpan _pkgreal=DateTime-TimeZone -pkgver=2.51 +pkgver=2.56 pkgrel=0 pkgdesc="Time zone object base class and factory" url="https://metacpan.org/release/DateTime-TimeZone/" @@ -37,5 +37,5 @@ package() { sha512sums=" -11a506d71cb0875b322c9fe4bdb76a4ab2569127f33530a0970f50a851dc13b2e70dd110eca24a23fd997b3dae3c595045c6d3b03223615b40e6855be28ede08 DateTime-TimeZone-2.51.tar.gz +0ee4a7aed9a2377102d693eb0c98df43a9add5d329570e835d5b8bbe4bbfee7df793d6847f2ef9fb0ad958327ad8b688968d0f57ec4ae3033d1d866ab385498d DateTime-TimeZone-2.56.tar.gz " diff --git a/main/pixman/APKBUILD b/main/pixman/APKBUILD index 74507f860bd..52917cad840 100644 --- a/main/pixman/APKBUILD +++ b/main/pixman/APKBUILD @@ -1,16 +1,22 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=pixman pkgver=0.40.0 -pkgrel=2 +pkgrel=3 pkgdesc="Low-level pixel manipulation library" url="https://gitlab.freedesktop.org/pixman" arch="all" license="MIT" makedepends="meson libpng-dev linux-headers" subpackages="$pkgname-static $pkgname-dev $pkgname-dbg" -source="https://gitlab.freedesktop.org/pixman/pixman/-/archive/pixman-$pkgver/pixman-pixman-$pkgver.tar.gz" +source="https://gitlab.freedesktop.org/pixman/pixman/-/archive/pixman-$pkgver/pixman-pixman-$pkgver.tar.gz + $pkgname-CVE-2022-44638.patch::https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395.patch + " builddir="$srcdir/pixman-pixman-$pkgver" +# secfixes: +# 0.40.0-r3: +# - CVE-2022-44638 +# case "$CARCH" in # broken test (likely due to endianness assumptions) s390x) options="!check" ;; @@ -32,4 +38,7 @@ package() { DESTDIR="$pkgdir" meson install --no-rebuild -C output } -sha512sums="18774e22add5c5442edede5467fa07234c2b9e57a79d88110f25424e4253c6ab0c2921e951c5686cefebf4724ff19ad053d0c28f4d2f8d642bbcf6fc71764ef6 pixman-pixman-0.40.0.tar.gz" +sha512sums=" +18774e22add5c5442edede5467fa07234c2b9e57a79d88110f25424e4253c6ab0c2921e951c5686cefebf4724ff19ad053d0c28f4d2f8d642bbcf6fc71764ef6 pixman-pixman-0.40.0.tar.gz +141ad0a4b77d3ea28faab3b73dcb71ca48c3d9431b128a072c7bf934a5096c73a01209847639bf8b08a2b21243bf79147dc32774586b09641c2d8750ed7eeea2 pixman-CVE-2022-44638.patch +" diff --git a/main/postfix/APKBUILD b/main/postfix/APKBUILD index d232a6833fb..850a4b9bd3d 100644 --- a/main/postfix/APKBUILD +++ b/main/postfix/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=postfix -pkgver=3.5.12 +pkgver=3.5.17 pkgrel=0 pkgdesc="Secure and fast drop-in replacement for Sendmail (MTA)" url="http://www.postfix.org/" @@ -197,7 +197,7 @@ stone() { } sha512sums=" -8f545e79031689b41122cd8ea87512968bcdc8e06ef836a648a9eb8f2e664009c84ba42f14294b5b215d4efd5a2138acb4d0b0f97552eff45dadafcea518cda6 postfix-3.5.12.tar.gz +7a58a371fe418d39af1d72c6dcf4692b5d2437958aa8c5e9b9754b2c4b2f4281b330324647a50f6cf11a694c1261dcb0dfd98a8618f24d08991adcda535955bf postfix-3.5.17.tar.gz 2752e69c4e1857bdcf29444ffb458bca818bc60b9c77c20823c5f5b87c36cb5e0f3217a625a7fe5788d5bfcef7570a1f2149e1233fcd23ccf7ee14190aff47a2 postfix.initd 25cd34f23ca909d4e33aaf3239d1e397260abc7796d9a4456dee4f005682fd3a58aab8106126e5218c95bdddae415a3ef7e2223cd3b0d7b1e2bd76158bb7eaf8 postfix-install.patch 0769e2e503486f8dd6fa21f2c534ad7df7a9f1bb57dde2f0ad61863a3e615d0a6dc18132b27796eb28cd81afb2b4e97c65c9d490a391f835aa3b7b18e74252c5 lmdb-default.patch diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD index 8307bf54244..0daf3b95cec 100644 --- a/main/postgresql/APKBUILD +++ b/main/postgresql/APKBUILD @@ -2,7 +2,7 @@ # Contributor: G.J.R. Timmer <gjr.timmer@gmail.com> # Contributor: Jakub Jirutka <jakub@jirutka.cz> pkgname=postgresql -pkgver=13.5 +pkgver=13.12 pkgrel=0 pkgdesc="A sophisticated object-relational DBMS" url="https://www.postgresql.org/" @@ -35,6 +35,17 @@ source="https://ftp.postgresql.org/pub/source/v$pkgver/postgresql-$pkgver.tar.bz " # secfixes: +# 13.12-r0: +# - CVE-2023-39418 +# - CVE-2023-39417 +# 13.11-r0: +# - CVE-2023-2454 +# - CVE-2023-2455 +# - CVE-2022-41862 +# 13.8-r0: +# - CVE-2022-2625 +# 13.7-r0: +# - CVE-2022-1552 # 13.5-r0: # - CVE-2021-23214 # - CVE-2021-23222 @@ -274,7 +285,7 @@ _run_tests() { } sha512sums=" -c76effbca8ee63be48fa3aeb39c7038221848fe83ca2afc4e0904ba8c6a50b89aa2ad37080d4e3be75e9bdc2d6ca6dfefcda334ef55a5e1a8954bb955ce905e5 postgresql-13.5.tar.bz2 +6b6f6de998016b33f0954d4ed8233b84d98abd2dc9b50f5e959f403d1d87a7e9c3b8c8c2ed456806578c2610982f41be3169d9afd4221c52c320b1a2795043e4 postgresql-13.12.tar.bz2 1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch 27e00b58fe5c3899c66fc0dde51846c14701bcfedd132b106d676783ba603e8cbdc6e620f29b52dc892bdaa9302052788cf5e575a1659f61c017a12e0d2ee4d0 perl-rpath.patch 8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch diff --git a/main/py3-tz/APKBUILD b/main/py3-tz/APKBUILD index 1c38ea8c48e..94db0dc0f1f 100644 --- a/main/py3-tz/APKBUILD +++ b/main/py3-tz/APKBUILD @@ -1,17 +1,16 @@ # Contributor: Peter Bui <pnutzh4x0r@gmail.com> # Maintainer: Fabian Affolter <fabian@affolter-engineering.ch> pkgname=py3-tz -_pkgname=pytz -pkgver=2020.5 +pkgver=2022.6 pkgrel=0 pkgdesc="Python3 definitions of world timezone" -url="http://pytz.sourceforge.net/" +url="https://pythonhosted.org/pytz/" arch="noarch" license="MIT" depends="python3" makedepends="py3-setuptools" -source="https://pypi.io/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz" -builddir="$srcdir/$_pkgname-$pkgver" +source="https://pypi.python.org/packages/source/p/pytz/pytz-$pkgver.tar.gz" +builddir="$srcdir/pytz-$pkgver" replaces="py-tz" # Backwards compatibility provides="py-tz=$pkgver-r$pkgrel" # Backwards compatibility @@ -29,4 +28,6 @@ package() { python3 setup.py install --prefix=/usr --root="$pkgdir" } -sha512sums="0845c0b7cefb8732e3016568b17ae73232fe6537bac6da89cb1bf911ba5786ee1be6b5e3aa8767225291e3a7e9afd5b8e40e4051671a3a006f9e2f71c551e13e pytz-2020.5.tar.gz" +sha512sums=" +ea0343453d011e252fba64502984e2a43ea7c7437a211025ca68a4a45178c8aaef4c2b65261434289b21166a99a1941ec9e2d9d26bb3d22a76cbaa421250131d pytz-2022.6.tar.gz +" diff --git a/main/python3/APKBUILD b/main/python3/APKBUILD index 85409ce1cef..66fc72a5cf9 100644 --- a/main/python3/APKBUILD +++ b/main/python3/APKBUILD @@ -3,7 +3,7 @@ pkgname=python3 # the python3-tkinter's pkgver needs to be synchronized with this. -pkgver=3.8.10 +pkgver=3.8.15 _bluez_ver=5.54 _basever="${pkgver%.*}" pkgrel=0 @@ -125,6 +125,7 @@ EOF fail="$fail test_runpy" # fails on x86_64 fail="$fail test_threading" # hangs on all arches (except x86_64?) fail="$fail test_asyncio" # hangs; routinely problematic (e.g. bpo-39101, bpo-41891, bpo-42183) + fail="$fail test_minidom" # we fixed expat cves via backports, this thinks it's newer and fails # kernel related fail="$fail test_fcntl" # wants DNOTIFY, we don't have it @@ -184,9 +185,11 @@ wininst() { "$subpkgdir"/usr/lib/python$_basever/distutils/command } -sha512sums="0be69705483ff9692e12048a96180e586f9d84c8d53066629f7fb2389585eb75c0f3506bb8182936e322508f58b71f4d8c6dfebbab9049b31b49da11d3b98e80 Python-3.8.10.tar.xz +sha512sums=" +4fb3827b13c2452faa75e5ed18dddf381e80b4fffcfde046e289b4629cff0bb87fba1d09916b9b8a6f8039dc422c952293ebdb381c49f8ca7e7893ae4be6c28d Python-3.8.15.tar.xz e19d15d3a478a7af47c1921c8827843492e38787b1182152155bd3d8ad9e1d8ee25c5fda1f24e38c54ebbf946b09fe75007dca9a24d1c35f73303558e558dcbe bluez-5.54.tar.xz 37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch d489b5d5f374e2b298954a2388771e500c6cf9b274012e06b3e71a34aa85c354369b3fa2a37c3121808075c1f1f340a9fa097996c149399e10b9424170211d90 custom-bluetooth-h-path.patch -a84483246e413650a904c34c18f5e4f4168c39067d069f48557c330de6eb3db19fd96a4d453d742db3dcb7c7f962722903f62823c752ff90510c89830435ffc0 arm-alignment.patch" +a84483246e413650a904c34c18f5e4f4168c39067d069f48557c330de6eb3db19fd96a4d453d742db3dcb7c7f962722903f62823c752ff90510c89830435ffc0 arm-alignment.patch +" diff --git a/main/radvd/APKBUILD b/main/radvd/APKBUILD index 0b0ab722464..c77fa154583 100644 --- a/main/radvd/APKBUILD +++ b/main/radvd/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=radvd pkgver=2.19 -pkgrel=0 +pkgrel=1 pkgdesc="IPv6 router advertisement daemon" url="http://www.litech.org/radvd" arch="all" @@ -13,6 +13,7 @@ subpackages="$pkgname-doc $pkgname-openrc" source="http://www.litech.org/radvd/dist/radvd-$pkgver.tar.xz radvd.initd radvd.confd + fix-segfault.patch " # test failure on builders due to kernel issue @@ -44,6 +45,9 @@ package() { "$pkgdir"/usr/share/doc/radvd/radvd.conf.example } -sha512sums="a1eb40af90fc83ebab2517c16a0f7e85c11338ab276bec400b7c33177748d1e36bc5abd7e373b6742f12f7c690dd7ae6b951bc832c7de9bbb56f7e9bc844ed22 radvd-2.19.tar.xz +sha512sums=" +a1eb40af90fc83ebab2517c16a0f7e85c11338ab276bec400b7c33177748d1e36bc5abd7e373b6742f12f7c690dd7ae6b951bc832c7de9bbb56f7e9bc844ed22 radvd-2.19.tar.xz 5f96261f3914ff10966828231d1c8df0d7b0e432d5e075eb6405f923a25f1218e647ec8a2c5b7fa995cf44cc521fd226b4bacfe86920d108130852f00623d8c5 radvd.initd -386a6cdee43a0aa157760a590b9daa52e06e2c344a8d191a188c6174281734df95b82121e92d3c01e6c0fe76658dbdf6467dee2b30e2e010fc57dc8e0666b2cc radvd.confd" +386a6cdee43a0aa157760a590b9daa52e06e2c344a8d191a188c6174281734df95b82121e92d3c01e6c0fe76658dbdf6467dee2b30e2e010fc57dc8e0666b2cc radvd.confd +98eb2c9250c08edee6a78cc47b9153baa9cba631168e0b9562a29a61ae973a317c2670817e80c123ee88aa5ab7e1fca5e3c4a8e0324f28a58edfae3bf636f53e fix-segfault.patch +" diff --git a/main/radvd/fix-segfault.patch b/main/radvd/fix-segfault.patch new file mode 100644 index 00000000000..a223db53c8d --- /dev/null +++ b/main/radvd/fix-segfault.patch @@ -0,0 +1,34 @@ +Patch-Source: https://github.com/radvd-project/radvd/commit/06689f8c06f44c7e87f7ff1d814428f88375b53f +see: https://github.com/radvd-project/radvd/issues/174 +From 06689f8c06f44c7e87f7ff1d814428f88375b53f Mon Sep 17 00:00:00 2001 +From: Jonathan Davies <jpds@protonmail.com> +Date: Thu, 25 Nov 2021 15:29:18 +0000 +Subject: [PATCH] Reverts the include.h change in + 46883f8a1a02fe42040dd8e48aec0ed871545d4d + +Closes: #158 + +Signed-off-by: Jonathan Davies <jpds@protonmail.com> +--- + includes.h | 5 ----- + 1 file changed, 5 deletions(-) + +Patch-Origin: https://github.com/radvd-project/radvd/commit/06689f8c06f44c7e87f7ff1d814428f88375b53f + +diff --git a/includes.h b/includes.h +index ef30b10..c528c86 100644 +--- a/includes.h ++++ b/includes.h +@@ -76,12 +76,7 @@ + #include <sys/sysctl.h> + #endif + +-#if !defined(__GLIBC__) && defined(linux) +-#include <linux/if.h> +-#define IF_NAMESIZE IFNAMSIZ +-#else + #include <net/if.h> +-#endif + + #ifdef HAVE_NET_IF_DL_H + #include <net/if_dl.h> diff --git a/main/rdiff-backup/APKBUILD b/main/rdiff-backup/APKBUILD index 2002d3a572b..f7cd21c9634 100644 --- a/main/rdiff-backup/APKBUILD +++ b/main/rdiff-backup/APKBUILD @@ -2,12 +2,13 @@ # Maintainer: Jeremy Thomerson <jeremy@thomersonfamily.com> pkgname=rdiff-backup pkgver=2.0.5 -pkgrel=1 +pkgrel=2 pkgdesc="Reverse differential backup tool" options="!check" # Requires unpacakged 'xattr' url="https://rdiff-backup.net/" arch="all" license="GPL-2.0-or-later" +depends="python3" makedepends="librsync-dev python3-dev py3-setuptools" subpackages=" $pkgname-doc diff --git a/main/rsync/APKBUILD b/main/rsync/APKBUILD index 5529cd11996..3e83c882a1b 100644 --- a/main/rsync/APKBUILD +++ b/main/rsync/APKBUILD @@ -1,15 +1,14 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=rsync -pkgver=3.2.3 -pkgrel=4 +pkgver=3.2.5 +pkgrel=0 pkgdesc="A file transfer program to keep remote files in sync" url="https://rsync.samba.org/" arch="all" license="GPL-3.0-or-later" makedepends="perl acl-dev attr-dev popt-dev zlib-dev zstd-dev" subpackages="$pkgname-doc $pkgname-openrc rrsync" -source="https://download.samba.org/pub/rsync/rsync-$pkgver.tar.gz - Fix-regression-with---delay-updates.patch +source="https://download.samba.org/pub/rsync/src/rsync-$pkgver.tar.gz rsyncd.initd rsyncd.confd rsyncd.conf @@ -17,6 +16,9 @@ source="https://download.samba.org/pub/rsync/rsync-$pkgver.tar.gz " # secfixes: +# 3.2.4-r0: +# - CVE-2020-14387 +# - CVE-2022-29154 # 3.1.2-r7: # - CVE-2017-16548 # - CVE-2017-17433 @@ -71,7 +73,7 @@ package() { rrsync() { pkgdesc="Restricted rsync, restricts rsync to a subdir declared in .ssh/authorized_keys" - depends="rsync perl" + depends="rsync python3" arch="noarch" cd "$builddir" @@ -79,8 +81,7 @@ rrsync() { } sha512sums=" -48b68491f3ef644dbbbfcaec5ab90a1028593e02d50367ce161fd9d3d0bd0a3628bc57c5e5dec4be3a1d213f784f879b8a8fcdfd789ba0f99837cba16e1ae70e rsync-3.2.3.tar.gz -01a8560419e536c4987a6954b51d0751bce77e041f2d75157067156c0e197178e25e7a6b0ca29cca5d4474f5671ac36500079dba1ed1737cea18f1d663570321 Fix-regression-with---delay-updates.patch +6d115acb5bae546cd2b5df2c11390f8609107b7a45aa649158d8daa0c9290ab5f15640fdd4000b21d1ab39f7385b85d77cd8fe4628fa13b2adeea6fcd53d057a rsync-3.2.5.tar.gz b9bf1aa02f96e4294642ead5751bd529ca1267c08e83a16342fba5736c3a8ec89568feb11fb737e974cb1bee7e00e7a8898d25844892366c6167b9ea8d1e647c rsyncd.initd d91337cfb57e6e3b2a8ba1e24f7d851dd927bfc327da2212b9eb0acda0e1ca2f24987f6dcc4903eccc3bf170e0f115172b3cfa5a172700495296f26302c834d7 rsyncd.confd 3db8a2b364fc89132af6143af90513deb6be3a78c8180d47c969e33cb5edde9db88aad27758a6911f93781e3c9846aeadc80fffc761c355d6a28358853156b62 rsyncd.conf diff --git a/main/rsync/Fix-regression-with---delay-updates.patch b/main/rsync/Fix-regression-with---delay-updates.patch deleted file mode 100644 index d914d14decb..00000000000 --- a/main/rsync/Fix-regression-with---delay-updates.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 5a4ea7e468ae53c09b98803da3519727becb48ad Mon Sep 17 00:00:00 2001 -From: Natanael Copa <ncopa@alpinelinux.org> -Date: Thu, 22 Jul 2021 13:30:17 +0200 -Subject: [PATCH] Fix regression with --delay-updates (#192) - -Fixes regression introduced with commit 3a7bf54ad520 (A resumed -partial-dir file is transferred in-place.) - -Fixes https://github.com/WayneD/rsync/issues/192 ---- - receiver.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/receiver.c b/receiver.c -index e85c4779..b5020d07 100644 ---- a/receiver.c -+++ b/receiver.c -@@ -881,7 +881,7 @@ int recv_files(int f_in, int f_out, char *local_name) - do_unlink(partialptr); - handle_partial_dir(partialptr, PDIR_DELETE); - } -- } else if (keep_partial && partialptr && !one_inplace) { -+ } else if (keep_partial && partialptr && (!one_inplace || delay_updates)) { - if (!handle_partial_dir(partialptr, PDIR_CREATE)) { - rprintf(FERROR, - "Unable to create partial-dir for %s -- discarding %s.\n", diff --git a/main/rsyslog/APKBUILD b/main/rsyslog/APKBUILD index 209b42f3c1f..49552553e9c 100644 --- a/main/rsyslog/APKBUILD +++ b/main/rsyslog/APKBUILD @@ -6,7 +6,7 @@ # Maintainer: Cameron Banta <cbanta@gmail.com> pkgname=rsyslog pkgver=8.2012.0 -pkgrel=1 +pkgrel=3 pkgdesc="Enhanced multi-threaded syslogd with database support and more" url="https://www.rsyslog.com/" arch="all !s390x" # limited by czmq @@ -49,6 +49,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/rsyslog/rsyslog/archive/v$pk $pkgname.conf musl-fix.patch queue.patch + CVE-2022-24903.patch " # <subpackage>[:<module>...] @@ -92,6 +93,8 @@ for _i in $_plugins; do done # secfixes: +# 8.2012.0-r3: +# - CVE-2022-24903 # 8.1908.0-r1: # - CVE-2019-17040 # - CVE-2019-17041 @@ -190,8 +193,9 @@ _plugin() { sha512sums=" 78a6f8499340a18b71da22788bb3323ac12f804725b2bb00e939ef6bd4cb6b803e5384a179ddee7db99bf49f2b963419fc26b1bf2d875f6aff7b58fdd4d254b2 rsyslog-8.2012.0.tar.gz bcd63c8df2ac63b80f3cb51ba7f544988df6cd875f4e81020e762dff30d7537f21b72c95a4b1c08baf15f4ed5f03defbf3f061673aabada5841f45ab9f579374 rsyslog.initd -198ad8f617b9edb93c9231118a9b3bb80b1e00e6517d2a79c393cbfef4417b8f0d08f231fb33843f8e9b09c7f9bc69dd501057ffe9eef583108af34996fee59d rsyslog.logrotate +6bf69f14746d0523a4e9189593bc62e14a6e05c7e17922e4398df4b951abdde165e826290f6b6cdc8149199288f555d098178d93d2fae202463ebc523626161b rsyslog.logrotate 451b861dc82d7a2810e6c9ff8f80b2c5149cc6b440baf5901149e7b6524a1179826787a924c84403c2e9d8fa7d4df2c909e7f0877ac0cd4e6faf2e37cba7c6c1 rsyslog.conf 15745c8cdb730ae548d038ca4c04f9f48ef55c6e04949a8e86df356877563c0fcb9660445e47d3f9530925092d6dd80b2b2fc3f64a114ee85103d137327524cb musl-fix.patch ef2e000b1c42cb5beffb26393952c2a692791e78972ee4b6f187ca53e338122b2004cc5216381c042195f12cc58f37f186a04e12a65b5bdfdcdf76b73393efb7 queue.patch +9b8ec516979cf344375c58320a44dce39ab92384b4782468f6063dac2c2b7f555888fdcaeff8520acfc27825962915241cfa8618ed65150156426706a6ad7d2a CVE-2022-24903.patch " diff --git a/main/rsyslog/CVE-2022-24903.patch b/main/rsyslog/CVE-2022-24903.patch new file mode 100644 index 00000000000..47e0ea77d1f --- /dev/null +++ b/main/rsyslog/CVE-2022-24903.patch @@ -0,0 +1,57 @@ +Patch-Source: https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f +From 89955b0bcb1ff105e1374aad7e0e993faa6a038f Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards <rgerhards@adiscon.com> +Date: Fri, 22 Apr 2022 09:49:46 +0200 +Subject: [PATCH] net bugfix: potential buffer overrun + +--- + contrib/imhttp/imhttp.c | 4 +++- + plugins/imptcp/imptcp.c | 4 +++- + runtime/tcps_sess.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c +index f09260b586..95704af985 100644 +--- a/contrib/imhttp/imhttp.c ++++ b/contrib/imhttp/imhttp.c +@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk + connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0'; + } + // temporarily save this character into the message buffer +- connWrkr->pMsg[connWrkr->iMsg++] = ch; ++ if(connWrkr->iMsg + 1 < s_iMaxLine) { ++ connWrkr->pMsg[connWrkr->iMsg++] = ch; ++ } + } else { + const char *remoteAddr = ""; + if (connWrkr->propRemoteAddr) { +diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c +index 2df46a236c..c32dec5851 100644 +--- a/plugins/imptcp/imptcp.c ++++ b/plugins/imptcp/imptcp.c +@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, + if(pThis->iOctetsRemain <= 200000000) { + pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0'; + } +- *(pThis->pMsg + pThis->iMsg++) = c; ++ if(pThis->iMsg < iMaxLine) { ++ *(pThis->pMsg + pThis->iMsg++) = c; ++ } + } else { /* done with the octet count, so this must be the SP terminator */ + DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain); + prop.GetString(pThis->peerName, &propPeerName, &lenPeerName); +diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c +index 0efa2c23c4..c5442f7638 100644 +--- a/runtime/tcps_sess.c ++++ b/runtime/tcps_sess.c +@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis, + if(pThis->iOctetsRemain <= 200000000) { + pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0'; + } +- *(pThis->pMsg + pThis->iMsg++) = c; ++ if(pThis->iMsg < iMaxLine) { ++ *(pThis->pMsg + pThis->iMsg++) = c; ++ } + } else { /* done with the octet count, so this must be the SP terminator */ + DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain); + prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName); diff --git a/main/rsyslog/rsyslog.logrotate b/main/rsyslog/rsyslog.logrotate index e2842b88dc0..8450db8e70c 100644 --- a/main/rsyslog/rsyslog.logrotate +++ b/main/rsyslog/rsyslog.logrotate @@ -1,3 +1,4 @@ +/var/log/messages /var/log/auth.log /var/log/cron.log /var/log/kern.log diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD index 4517f29631e..38dbde5f409 100644 --- a/main/ruby/APKBUILD +++ b/main/ruby/APKBUILD @@ -4,6 +4,8 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> # # secfixes: +# 2.7.6-r0: +# - CVE-2022-28739 # 2.7.5-r0: # - CVE-2021-41817 # - CVE-2021-41816 @@ -48,7 +50,7 @@ # - CVE-2017-17405 # pkgname=ruby -pkgver=2.7.5 +pkgver=2.7.6 _abiver="${pkgver%.*}.0" pkgrel=0 pkgdesc="An object-oriented language for quick and easy programming" @@ -352,7 +354,7 @@ _mvgem() { } sha512sums=" -09e029b5cc15b6e4e37bcf15adb28213eaedec3ea22106d63095b37ea6b2a2b68e82e74e6b50746c87dd77e5185795d014e0db118bf0f45ffa0b0a307f5f65da ruby-2.7.5.tar.gz +94810bb204cec55b5bbec8d51a5f5cc696613d1812b152399441a5cc7e4eddd2b376bc85e16d8da0b12f1938d19bf0d056b49a028809c036fb5a446a65bffbee ruby-2.7.6.tar.gz a142199140fa711a64717429e9069fd2082319abaf4b129f561db374b3bc16e2a90cc4c849b5d28334505d1c71fed242aef3c44d983da3513d239dcb778673a5 rubygems-avoid-platform-specific-gems.patch 43c1fc80f0dcb4f24d891478889808583da90dc9e0df74c3b1cf41253c13a0d416d2b7ae17e7d53ac1238340a845b088f0fe20324a79905cc6b950b3dcfa4ac6 test_insns-lower-recursion-depth.patch 3ffc034c01110ee5531265333ca5ee8d61d08131843fe3004c5b34c88c9c1b32cb4ed89574f393177c8bd526e9c15da61ab344f93adf07b9148c561ee19e2eb5 fix-get_main_stack.patch diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD index 59985ef928b..e7e956ab01f 100644 --- a/main/samba/APKBUILD +++ b/main/samba/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=samba -pkgver=4.13.8 +pkgver=4.13.17 pkgrel=0 pkgdesc="Tools to access a server's filespace and printers via SMB" url="https://www.samba.org/" @@ -95,6 +95,17 @@ source=" pkggroups="winbind" # secfixes: +# 4.13.17-r0: +# - CVE-2016-2124 +# - CVE-2020-25717 +# - CVE-2020-25718 +# - CVE-2020-25719 +# - CVE-2020-25721 +# - CVE-2020-25722 +# - CVE-2021-23192 +# - CVE-2021-3738 +# - CVE-2021-43566 +# - CVE-2021-44142 # 4.13.8-r0: # - CVE-2021-20254 # 4.13.7-r0: @@ -546,6 +557,7 @@ libs() { usr/lib/$pkgname/libcmocka-samba4.so \ usr/lib/$pkgname/libcommon-auth-samba4.so \ usr/lib/$pkgname/libdbwrap-samba4.so \ + usr/lib/$pkgname/libdcerpc-pkt-auth-samba4.so \ usr/lib/$pkgname/libdcerpc-samba-samba4.so \ usr/lib/$pkgname/libevents-samba4.so \ usr/lib/$pkgname/libflag-mapping-samba4.so \ @@ -606,7 +618,8 @@ libs() { "$pkgdir"/usr } -sha512sums="b8704097b5c20f2d5eb04f41b4519205f1b554215b396e558715a3039aeaece6ad776928c9aa7be84a3bc98994cdfdb0b7e3787c31832eb0e025eb796fe06bae samba-4.13.8.tar.gz +sha512sums=" +3f47cc588c370510a11a1d5dc1a9f64872d765a2940a0dd39f02718f9a81b134dda9c9cb593f291f2aa1657de65b26458adcda33369c0858e16edf7f088edaf4 samba-4.13.17.tar.gz 58de5e79fdfd06e828d478e112d581d333a8bee88d2602b92204d780f0d707b27dd84f8e2e6b00fca40da81c8fe99aa5bcec70d8b393d3a0a83199c72a4aa48b getpwent_r.patch b7906d66fe55a980a54161ee3f311b51bcbce76b8d4c8cc1ba6d0c5bdf98232cb192b9d2c1aa7b3e2742f5b9848c6cf429347940eefe66c3e0eda1d5aac1bf93 musl_uintptr.patch 1854577d0e4457e27da367a6c7ec0fb5cfd63cefea0a39181c9d6e78cf8d3eb50878cdddeea3daeec955d00263151c2f86ea754ff4276ef98bc52c0276d9ffe8 netdb-defines.patch @@ -617,4 +630,5 @@ bc2df70e327fea5dfbd923600225f1448815d842c37d6937dd74eab7f7699d7f52cd7a8e28a61233 c0bbe1186b150a9bb2a0b741a8cfbd7a5109e5fed1eaa07aaa38cf026ebe054d38cc01e2496f0cab7b40f743e1b7ecfbf8a4d5820810226c4152021df65f36dc pidl.patch 96070e2461370437f48571e7de550c13a332fef869480cfe92e7cac73a998f6c2ee85d2580df58211953bebd0e577691aa710c8edddf3ea0f30e9d47d0a2fd44 samba.initd e2b49cb394e758447ca97de155a61b4276499983a0a5c00b44ae621c5559b759a766f8d1c8d3ee98ad5560f4064a847a7a20cfa2e14f85c061bec8b80fd649eb samba.confd -3458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate" +3458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate +" diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD index 132c261d577..3779c0f73f4 100644 --- a/main/strongswan/APKBUILD +++ b/main/strongswan/APKBUILD @@ -3,7 +3,7 @@ pkgname=strongswan pkgver=5.9.1 _pkgver=${pkgver//_rc/rc} -pkgrel=1 +pkgrel=2 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="https://www.strongswan.org/" arch="all" @@ -19,6 +19,8 @@ subpackages="$pkgname-doc $pkgname-dbg $pkgname-logfile $pkgname-openrc" source="https://download.strongswan.org/strongswan-$_pkgver.tar.bz2 https://download.strongswan.org/security/CVE-2021-41990/strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch https://download.strongswan.org/security/CVE-2021-41991/strongswan-4.4.1-5.9.3_cert-cache-random.patch + https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch + https://download.strongswan.org/security/CVE-2022-40617/strongswan-5.1.0-5.9.7_cert_online_validate.patch 1001-charon-add-optional-source-and-remote-overrides-for-.patch 1002-vici-send-certificates-for-ike-sa-events.patch @@ -31,6 +33,9 @@ source="https://download.strongswan.org/strongswan-$_pkgver.tar.bz2 " # secfixes: +# 5.9.1-r2: +# - CVE-2021-45079 +# - CVE-2022-40617 # 5.9.1-r1: # - CVE-2021-41990 # - CVE-2021-41991 @@ -136,6 +141,8 @@ sha512sums=" 222625e77bd86959da6dd7346cfa9f92569fc396a494bb95ddf2c8e0680b7e8041541e8a14320517a0c735d713ae0fdc0d0c4694215e812817814b0b4efc3497 strongswan-5.9.1.tar.bz2 42bb9dc02e04735183cb2966e23f26bdb2b14b56b10dc3df770cfbea066a690130ce84dc3a17b1369c2d45852bcd8a2902f19368099a1e71c858293decdb48ee strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch 39f607625bc6aa128b71e65e9806c60051015378d0250961bafbe787aa652141e1b3126d235b9cede08e4fe816b3220dbae54e40492b0aeb48f034220f1ee446 strongswan-4.4.1-5.9.3_cert-cache-random.patch +d3ecccf616a1d0a0b364a64f9d5cd0a75d7230948a8b455217d3f665f2a9f4b79bda787c2d0b608c31b40bf9c97c89b7e18b37794794bef4c7b17b4f0bf430a2 strongswan-5.5.0-5.9.4_eap_success.patch +748753eb615cceaea162a264b40c1ae9d4fd2b3ea2f15d6faf40b19619f11e3b98d0e0bbc2339261ce4fff9cb070c25a1037778c3d6476e3c6e97397dcd19c47 strongswan-5.1.0-5.9.7_cert_online_validate.patch 8cd2f7e10dca25c8739b18f26f0aba427d00c5689ee126da5fc2699ce75ed567f0d25b4e50b716eab58097c06a51418e489e7f853d02bb53ba32aca72a6ae7c8 1001-charon-add-optional-source-and-remote-overrides-for-.patch f92609a1f6810786baeae1688688cbdd2a3116200cdba8d23e13da08992f5280bcbe04712cc89402f1e39aff6f4ebc8da05a2529b1e61e25a5229deb74c4dc3f 1002-vici-send-certificates-for-ike-sa-events.patch da39b5654c6f39d175c5491dabd5ed5c1b552857af7cbe7eeb8d0ecb34dad265bb8cd7725930eb75ceb99d51813f8e59631e687b09c1ff5c6437388f5f4d9647 1003-vici-add-support-for-individual-sa-state-changes.patch diff --git a/main/subversion/APKBUILD b/main/subversion/APKBUILD index 638b0b398af..3e0d09ccd71 100644 --- a/main/subversion/APKBUILD +++ b/main/subversion/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=subversion -pkgver=1.14.1 +pkgver=1.14.2 pkgrel=0 _py3c_ver=1.1 pkgdesc="Replacement for CVS, another versioning system (svn)" @@ -24,6 +24,9 @@ source="https://archive.apache.org/dist/subversion/subversion-$pkgver.tar.bz2 svnserve.initd" # secfixes: +# 1.14.2-r0: +# - CVE-2021-28544 +# - CVE-2022-24070 # 1.14.1-r0: # - CVE-2020-17525 # 1.12.2-r0: @@ -133,7 +136,8 @@ py() { "$subpkgdir"/usr/lib/ } -sha512sums="0a70c7152b77cdbcb810a029263e4b3240b6ef41d1c19714e793594088d3cca758d40dfbc05622a806b06463becb73207df249393924ce591026b749b875fcdd subversion-1.14.1.tar.bz2 +sha512sums=" +20ada4688ca07d9fb8da4b7d53b5084568652a3b9418c65e688886bae950a16a3ff37710fcfc9c29ef14a89e75b2ceec4e9cf35d5876a7896ebc2b512cfb9ecc subversion-1.14.2.tar.bz2 aa95bbe1a80eec9e32d3dab4b0771a35fc467052757077fa17b42ceba78a5fe7fb1fa99079240aeeea5538abff778518b706f3bf16dbce2cd4f7dc1900c61b24 py3c-1.1.tar.gz fb219c45b80602d919176cc191394df09f90d0f5c7d24e6a36b166bd92777ecae67eeac1e49c0ffbb0e724396b3d2094dbb0bef17d01dc87d418b1cd554bd7c4 subversion-1.7.0-deplibs.patch fd6e5f45cff4d3cf0d885a34c822b32141b13b199d99ad8e1b04d641c9c1ee27e73f5c556a4ad54a900b6d39cc14afad17b6738d8af44c76758f1a27b4d49f9a subversion-perl-deplibs.patch diff --git a/main/sudo/APKBUILD b/main/sudo/APKBUILD index 76254db7f3b..0ee0bf0f033 100644 --- a/main/sudo/APKBUILD +++ b/main/sudo/APKBUILD @@ -2,13 +2,13 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=sudo -pkgver=1.9.5p2 +pkgver=1.9.12 if [ "${pkgver%_*}" != "$pkgver" ]; then _realver=${pkgver%_*}${pkgver#*_} else _realver=$pkgver fi -pkgrel=0 +pkgrel=1 pkgdesc="Give certain users the ability to run some commands as root" url="https://www.sudo.ws/sudo/" arch="all" @@ -16,9 +16,7 @@ license="custom ISC" makedepends="zlib-dev bash mandoc" subpackages="$pkgname-doc $pkgname-dev" source="https://www.sudo.ws/dist/sudo-$_realver.tar.gz - fix-cross-compile.patch - SIGUNUSED.patch - " + CVE-2022-43995.patch" options="suid" builddir="$srcdir/sudo-$_realver" @@ -51,9 +49,6 @@ build() { --with-sendmail=/usr/sbin/sendmail \ --with-passprompt="[sudo] password for %p: " - # Workaround until SIGUNUSED.patch is not needed anymore - rm lib/util/mksiglist.h lib/util/mksigname.h - make -C lib/util DEVEL=1 mksiglist.h mksigname.h make } @@ -69,6 +64,5 @@ package() { rm -rf "$pkgdir"/var/run } -sha512sums="f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27 sudo-1.9.5p2.tar.gz -f476bb5ac02c3222d3be7eecb828131374e0baf806cc0fd548fb9d4a90f40a848d0ef58851a63ea1d988b720fe259312f3a457ca994ac0e93ed9e16fc72d5234 fix-cross-compile.patch -03a2cef9fcc26cc2711edb5928c945fcf214b22139bb88d77538d25f3bfd144d17b6c9dabb1e01960ac1697d83b3452397a5ef4c7d0e68ea72548a631b212e6d SIGUNUSED.patch" +sha512sums="34ee165baa2e37ba2530901d49bf0dad30159f27aeccd2519d4719bf93be8281edff71220a49ba2e41dacaa3c58031de1464df48d75a8caea7b9568a76f80b67 sudo-1.9.12.tar.gz +47f7b14663a2e98dc98190346361f447c4a0b71fa3074d2c9dcaf15ef0cac7621bea27e25cced6f6005ada4deb4b11521dc418bf25bca18b70feafc6f7e6f359 CVE-2022-43995.patch" diff --git a/main/sudo/CVE-2022-43995.patch b/main/sudo/CVE-2022-43995.patch new file mode 100644 index 00000000000..fb4f802e300 --- /dev/null +++ b/main/sudo/CVE-2022-43995.patch @@ -0,0 +1,50 @@ +From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" <Todd.Miller@sudo.ws> +Date: Fri, 28 Oct 2022 07:29:55 -0600 +Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8 + characters. Starting with sudo 1.8.0 the plaintext password buffer is + dynamically sized so it is not safe to assume that it is at least 9 bytes in + size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz. + +--- + plugins/sudoers/auth/passwd.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c +index b2046eca2..0416861e9 100644 +--- a/plugins/sudoers/auth/passwd.c ++++ b/plugins/sudoers/auth/passwd.c +@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth) + int + sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback) + { +- char sav, *epass; ++ char des_pass[9], *epass; + char *pw_epasswd = auth->data; + size_t pw_len; + int matched = 0; +@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c + + /* + * Truncate to 8 chars if standard DES since not all crypt()'s do this. +- * If this turns out not to be safe we will have to use OS #ifdef's (sigh). + */ +- sav = pass[8]; + pw_len = strlen(pw_epasswd); +- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) +- pass[8] = '\0'; ++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) { ++ strlcpy(des_pass, pass, sizeof(des_pass)); ++ pass = des_pass; ++ } + + /* + * Normal UN*X password check. +@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c + * only compare the first DESLEN characters in that case. + */ + epass = (char *) crypt(pass, pw_epasswd); +- pass[8] = sav; + if (epass != NULL) { + if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN) + matched = !strncmp(pw_epasswd, epass, DESLEN); diff --git a/main/sudo/SIGUNUSED.patch b/main/sudo/SIGUNUSED.patch deleted file mode 100644 index be4f73541b8..00000000000 --- a/main/sudo/SIGUNUSED.patch +++ /dev/null @@ -1,19 +0,0 @@ -Upstream: No -Reason: Musl compatibility - ---- a/lib/util/siglist.in 2019-10-10 11:32:54.000000000 -0500 -+++ b/lib/util/siglist.in 2019-10-14 16:42:46.259938722 -0500 -@@ -17,11 +17,12 @@ - EMT EMT trap - FPE Floating point exception - KILL Killed -+# before UNUSED (musl defines them as the same number) -+ SYS Bad system call - # before BUS (Older Linux doesn't really have a BUS, but defines it to UNUSED) - UNUSED Unused - BUS Bus error - SEGV Memory fault -- SYS Bad system call - PIPE Broken pipe - ALRM Alarm clock - TERM Terminated diff --git a/main/sudo/fix-cross-compile.patch b/main/sudo/fix-cross-compile.patch deleted file mode 100644 index f001877a406..00000000000 --- a/main/sudo/fix-cross-compile.patch +++ /dev/null @@ -1,18 +0,0 @@ -Upstream: No -Reason: Enable cross-compile - ---- ./lib/util/Makefile.in.orig -+++ ./lib/util/Makefile.in -@@ -160,10 +160,10 @@ - ./mksigname > $@ - - mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(incdir)/sudo_compat.h $(top_builddir)/config.h -- $(CC) $(CPPFLAGS) $(CFLAGS) $(srcdir)/mksiglist.c -o $@ -+ $${HOSTCC:-gcc} $(CPPFLAGS) $(CFLAGS) $(srcdir)/mksiglist.c -o $@ - - mksigname: $(srcdir)/mksigname.c $(srcdir)/mksigname.h $(incdir)/sudo_compat.h $(top_builddir)/config.h -- $(CC) $(CPPFLAGS) $(CFLAGS) $(srcdir)/mksigname.c -o $@ -+ $${HOSTCC:-gcc} $(CPPFLAGS) $(CFLAGS) $(srcdir)/mksigname.c -o $@ - - $(srcdir)/mksiglist.h: $(srcdir)/siglist.in - @if [ -n "$(DEVEL)" ]; then \ diff --git a/main/tcpdump/APKBUILD b/main/tcpdump/APKBUILD index 7641c49cfd8..6029b120f5e 100644 --- a/main/tcpdump/APKBUILD +++ b/main/tcpdump/APKBUILD @@ -16,33 +16,33 @@ source="https://www.tcpdump.org/release/tcpdump-$pkgver.tar.gz # 4.9.3-r1: # - CVE-2020-8037 # 4.9.3-r0: -# - CVE-2017-16808 (AoE) -# - CVE-2018-14468 (FrameRelay) -# - CVE-2018-14469 (IKEv1) -# - CVE-2018-14470 (BABEL) -# - CVE-2018-14466 (AFS/RX) -# - CVE-2018-14461 (LDP) -# - CVE-2018-14462 (ICMP) -# - CVE-2018-14465 (RSVP) -# - CVE-2018-14881 (BGP) -# - CVE-2018-14464 (LMP) -# - CVE-2018-14463 (VRRP) -# - CVE-2018-14467 (BGP) -# - CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled) -# - CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled) -# - CVE-2018-14880 (OSPF6) -# - CVE-2018-16451 (SMB) -# - CVE-2018-14882 (RPL) -# - CVE-2018-16227 (802.11) -# - CVE-2018-16229 (DCCP) -# - CVE-2018-16301 (was fixed in libpcap) -# - CVE-2018-16230 (BGP) -# - CVE-2018-16452 (SMB) -# - CVE-2018-16300 (BGP) -# - CVE-2018-16228 (HNCP) -# - CVE-2019-15166 (LMP) -# - CVE-2019-15167 (VRRP) -# - CVE-2018-14879 (tcpdump -V) +# - CVE-2017-16808 # (AoE) +# - CVE-2018-14468 # (FrameRelay) +# - CVE-2018-14469 # (IKEv1) +# - CVE-2018-14470 # (BABEL) +# - CVE-2018-14466 # (AFS/RX) +# - CVE-2018-14461 # (LDP) +# - CVE-2018-14462 # (ICMP) +# - CVE-2018-14465 # (RSVP) +# - CVE-2018-14881 # (BGP) +# - CVE-2018-14464 # (LMP) +# - CVE-2018-14463 # (VRRP) +# - CVE-2018-14467 # (BGP) +# - CVE-2018-10103 # (SMB - partially fixed, but SMB printing disabled) +# - CVE-2018-10105 # (SMB - too unreliably reproduced, SMB printing disabled) +# - CVE-2018-14880 # (OSPF6) +# - CVE-2018-16451 # (SMB) +# - CVE-2018-14882 # (RPL) +# - CVE-2018-16227 # (802.11) +# - CVE-2018-16229 # (DCCP) +# - CVE-2018-16301 # (was fixed in libpcap) +# - CVE-2018-16230 # (BGP) +# - CVE-2018-16452 # (SMB) +# - CVE-2018-16300 # (BGP) +# - CVE-2018-16228 # (HNCP) +# - CVE-2019-15166 # (LMP) +# - CVE-2019-15167 # (VRRP) +# - CVE-2018-14879 # (tcpdump -V) # 4.9.0-r0: # - CVE-2016-7922 # - CVE-2016-7923 diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 588e7736722..00308b932c3 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> # Maintainer: Michael Mason <ms13sp@gmail.com> pkgname=tiff -pkgver=4.2.0 +pkgver=4.4.0 pkgrel=0 pkgdesc="Provides support for the Tag Image File Format or TIFF" url="https://gitlab.com/libtiff/libtiff" @@ -12,12 +12,24 @@ depends_dev="zlib-dev libjpeg-turbo-dev" makedepends="libtool autoconf automake $depends_dev" checkdepends="diffutils" subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx" -source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.tar.gz - CVE-2018-12900.patch - " +source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.tar.gz" builddir="$srcdir/libtiff-v$pkgver" # secfixes: +# 4.4.0-r0: +# - CVE-2022-2867 +# - CVE-2022-2868 +# - CVE-2022-2869 +# 4.3.0-r0: +# - CVE-2022-0561 +# - CVE-2022-0562 +# - CVE-2022-0865 +# - CVE-2022-0891 +# - CVE-2022-0907 +# - CVE-2022-0908 +# - CVE-2022-0909 +# - CVE-2022-0924 +# - CVE-2022-22844 # 4.2.0-r0: # - CVE-2020-35521 # - CVE-2020-35522 @@ -105,5 +117,6 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="d47578feffcc1ecdac2d188c1df4faf05865cd9075b4d01c708a0e71928cce3b60850738a6b7ace334ae00e96ccffc6189ed91b9be81840a1d2b040777010dd5 libtiff-v4.2.0.tar.gz -c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch" +sha512sums=" +93955a2b802cf243e41d49048499da73862b5d3ffc005e3eddf0bf948a8bd1537f7c9e7f112e72d082549b4c49e256b9da9a3b6d8039ad8fc5c09a941b7e75d7 libtiff-v4.4.0.tar.gz +" diff --git a/main/tiff/CVE-2018-12900.patch b/main/tiff/CVE-2018-12900.patch deleted file mode 100644 index f95cd06a523..00000000000 --- a/main/tiff/CVE-2018-12900.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 86861b86f26be5301ccfa96f9bf765051f4e644a Mon Sep 17 00:00:00 2001 -From: pgajdos <pgajdos@suse.cz> -Date: Tue, 13 Nov 2018 09:03:31 +0100 -Subject: [PATCH] prevent integer overflow - ---- - tools/tiffcp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 2f406e2d..ece7ba13 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1435,6 +1435,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - status = 0; - goto done; - } -+ if (0xFFFFFFFF / tilew < spp) -+ { -+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps); -+ status = 0; -+ goto done; -+ } - bytes_per_sample = bps/8; - - for (row = 0; row < imagelength; row += tl) { --- -2.18.1 - diff --git a/main/tiny-cloud/APKBUILD b/main/tiny-cloud/APKBUILD new file mode 100644 index 00000000000..b42318cfebb --- /dev/null +++ b/main/tiny-cloud/APKBUILD @@ -0,0 +1,65 @@ +# Contributor: Mike Crute <mike@crute.us> +# Contributor: Jake Buchholz Göktürk <tomalok@gmail.com> +# Maintainer: Jake Buchholz Göktürk <tomalok@gmail.com> +pkgname=tiny-cloud +pkgver=2.0.0 +pkgrel=0 +pkgdesc="Tiny Cloud instance bootstrapper" +url="https://gitlab.alpinelinux.org/alpine/cloud/tiny-cloud" +arch="noarch" +license="MIT" +options="!check" # no tests provided +depends="e2fsprogs-extra partx sfdisk" +source="$url/-/archive/$pkgver/$pkgname-$pkgver.tar.gz" +subpackages=" + $pkgname-network + $pkgname-openrc + $pkgname-aws + $pkgname-azure + $pkgname-gcp + $pkgname-oci +" + +package() { + make PREFIX="$pkgdir" core openrc +} + +network() { + pkgdesc="Tiny Cloud - networking module" + depends="ifupdown-ng iproute2-minimal $pkgname=$pkgver-r$pkgrel" + cd "$builddir" + make PREFIX="$subpkgdir" network +} + +aws() { + pkgdesc="Tiny Cloud - Amazon Web Services module" + depends="nvme-cli $pkgname-network=$pkgver-r$pkgrel" + provides="tiny-ec2-bootstrap" + cd "$builddir" + make PREFIX="$subpkgdir" aws +} + +azure() { + pkgdesc="Tiny Cloud - Azure module" + depends="$pkgname=$pkgver-r$pkgrel" + cd "$builddir" + make PREFIX="$subpkgdir" azure +} + +gcp() { + pkgdesc="Tiny Cloud - Google Cloud Platform module" + depends="$pkgname=$pkgver-r$pkgrel" + cd "$builddir" + make PREFIX="$subpkgdir" gcp +} + +oci() { + pkgdesc="Tiny Cloud - Oracle Cloud Infrastructure module" + depends="$pkgname=$pkgver-r$pkgrel" + cd "$builddir" + make PREFIX="$subpkgdir" oci +} + +sha512sums=" +d3c1eb1daf1d298f34459ab2b54c1077b3bc037bbe0df3591cade85ba9d351a47f9ce42fabe5480505236731795679a32f0144998de689f35139aa28ac490d48 tiny-cloud-2.0.0.tar.gz +" diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD index a7611d6e3a8..d757063abb9 100644 --- a/main/tzdata/APKBUILD +++ b/main/tzdata/APKBUILD @@ -2,10 +2,10 @@ # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=tzdata -pkgver=2021e -_tzcodever=2021e +pkgver=2022f +_tzcodever=2022f _ptzver=0.5 -pkgrel=0 +pkgrel=1 pkgdesc="Timezone data" url="https://www.iana.org/time-zones" arch="all" @@ -16,7 +16,9 @@ source="https://www.iana.org/time-zones/repository/releases/tzcode$_tzcodever.ta https://dev.alpinelinux.org/archive/posixtz/posixtz-$_ptzver.tar.xz 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch - 0002-fix-implicit-declaration-warnings-by-including-strin.patch" + 0002-fix-implicit-declaration-warnings-by-including-strin.patch + $pkgname-fix-tzalloc.patch::https://github.com/eggert/tz/commit/a91830b783db3bb481930c67914d3c16b821f717.patch + " builddir="$srcdir" _timezones="africa antarctica asia australasia europe northamerica \ @@ -24,7 +26,7 @@ _timezones="africa antarctica asia australasia europe northamerica \ options="!check" # Testsuite require nsgmls (SP) build() { - make cc="${CC:-gcc}" CFLAGS="$CFLAGS -DHAVE_STDINT_H=1" + make cc="${CC:-gcc}" CFLAGS="$CFLAGS -DHAVE_STDINT_H=1" \ TZDIR="/usr/share/zoneinfo" cd "$builddir"/posixtz-$_ptzver @@ -51,9 +53,10 @@ package() { } sha512sums=" -87b0335129ea41c5f42f687f548712e5da892baa8494cecf5d34851beceecf6ae52f22104696ed187713cf9e502570eb2041e277dfd3c043c11d0253bfde685a tzcode2021e.tar.gz -c1e8d04e049157ed5d4af0868855bbd75517e3d7e1db9c41d5283ff260109de46b6fac6be94828201d093e163d868044ac2a9db2bf0aeab800e264d0c73a9119 tzdata2021e.tar.gz +3e2ef91b972f1872e3e8da9eae9d1c4638bfdb32600f164484edd7147be45a116db80443cd5ae61b5c34f8b841e4362f4beefd957633f6cc9b7def543ed6752b tzcode2022f.tar.gz +72d05d05be999075cdf57b896c0f4238b1b862d4d0ed92cc611736592a4ada14d47bd7f0fc8be39e7938a7f5940a903c8af41e87859482bcfab787d889d429f6 tzdata2022f.tar.gz 68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz 0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch +642fb74699ca81abc5ec18633fa40c144a5b80665672e7ab6fa871847fb3c2d086be7e2e7ca8a1d3ec93b16384b1faad65efe9c65d8fdaf528777a34f1c16264 tzdata-fix-tzalloc.patch " diff --git a/main/util-linux/APKBUILD b/main/util-linux/APKBUILD index a4b0e2e277a..945d9fc81d3 100644 --- a/main/util-linux/APKBUILD +++ b/main/util-linux/APKBUILD @@ -2,25 +2,24 @@ # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=util-linux -pkgver=2.36.1 +pkgver=2.37.4 case $pkgver in *.*.*) _v=${pkgver%.*};; *.*) _v=$pkgver;; esac -pkgrel=1 +pkgrel=0 pkgdesc="Random collection of Linux utilities" url="https://git.kernel.org/cgit/utils/util-linux/util-linux.git" arch="all" license="GPL-3.0-or-later AND GPL-2.0-or-later AND GPL-2.0-only AND LGPL-2.1-or-later AND BSD-3-Clause AND BSD-4-Clause-UC AND Public-Domain" depends="blkid setpriv findmnt mcookie hexdump lsblk sfdisk cfdisk partx" -makedepends_build="autoconf automake libtool" +makedepends_build="autoconf automake libtool asciidoctor" makedepends_host="zlib-dev ncurses-dev linux-headers libcap-ng-dev" options="suid" source="https://www.kernel.org/pub/linux/utils/util-linux/v$_v/util-linux-$pkgver.tar.xz - libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch ttydefaults.h rfkill.confd rfkill.initd @@ -51,6 +50,13 @@ else fi makedepends="$makedepends_build $makedepends_host" +# secfixes: +# 2.37.4-r0: +# - CVE-2022-0563 +# 2.37.3-r0: +# - CVE-2021-3995 +# - CVE-2021-3996 + prepare() { default_prepare @@ -146,8 +152,9 @@ _py3() { mv "$pkgdir"/usr/lib/python* "$subpkgdir"/usr/lib/ } -sha512sums="9dfd01ae4c16fa35015dafd222d555988b72e4d1d2fbadd140791b9ef78f84fa8254d4d08dc67cabf41e873338867f19e786b989d708ccfe5161c4f7679bba7a util-linux-2.36.1.tar.xz -ef916685b7b8d36f6c0e5a0b4697bc9edcc139427eb050a16d5af4bc28960ba4760faf37550bc1d8afa183724a884eb23de6316ffca6f2903126872e8394686d libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch +sha512sums=" +ada2629b0a8e83ea83513e04f7b1ccceb3b8ab82acd119c5d8389d1abc48c92d0b591f39fb34b1fd65db3ab630f03a672a9f3dacf1a6e4f124bdb083fc1be6d7 util-linux-2.37.4.tar.xz 876bb9041eca1b2cca1e9aac898f282db576f7860aba690a95c0ac629d7c5b2cdeccba504dda87ff55c2a10b67165985ce16ca41a0694a267507e1e0cafd46d9 ttydefaults.h 401d2ccbdbfb0ebd573ac616c1077e2c2b79ff03e9221007759d8ac25eb522c401f705abbf7daac183d5e8017982b8ec5dd0a5ebad39507c5bb0a9f31f04ee97 rfkill.confd -c4e7ba6d257496c99934add2ca532db16fb070ea2367554587c9fb4e24ab1d80b8ba3fd0fd4fdd5ef1374c3ec6414007369b292ee334ef23171d0232ef709db2 rfkill.initd" +c4e7ba6d257496c99934add2ca532db16fb070ea2367554587c9fb4e24ab1d80b8ba3fd0fd4fdd5ef1374c3ec6414007369b292ee334ef23171d0232ef709db2 rfkill.initd +" diff --git a/main/util-linux/libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch b/main/util-linux/libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch deleted file mode 100644 index 9504df6f9db..00000000000 --- a/main/util-linux/libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 76bb9b30cfcf54b59591a57a3d2a747e514469b2 Mon Sep 17 00:00:00 2001 -From: Karel Zak <kzak@redhat.com> -Date: Thu, 19 Nov 2020 09:49:16 +0100 -Subject: libmount: don't use "symfollow" for helpers on user mounts - -Addresses: https://github.com/karelzak/util-linux/issues/1193 -Signed-off-by: Karel Zak <kzak@redhat.com> ---- - libmount/src/context_mount.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c -index 8c394c1ff..dd1786176 100644 ---- a/libmount/src/context_mount.c -+++ b/libmount/src/context_mount.c -@@ -415,6 +415,9 @@ static int generate_helper_optstr(struct libmnt_context *cxt, char **optstr) - * string, because there is nothing like MS_EXEC (we only have - * MS_NOEXEC in mount flags and we don't care about the original - * mount string in libmount for VFS options). -+ * -+ * This use-case makes sense for MS_SECURE flags only (see -+ * mnt_optstr_get_flags() and mnt_context_merge_mflags()). - */ - if (!(cxt->mountflags & MS_NOEXEC)) - mnt_optstr_append_option(optstr, "exec", NULL); -@@ -422,11 +425,8 @@ static int generate_helper_optstr(struct libmnt_context *cxt, char **optstr) - mnt_optstr_append_option(optstr, "suid", NULL); - if (!(cxt->mountflags & MS_NODEV)) - mnt_optstr_append_option(optstr, "dev", NULL); -- if (!(cxt->mountflags & MS_NOSYMFOLLOW)) -- mnt_optstr_append_option(optstr, "symfollow", NULL); - } - -- - if (cxt->flags & MNT_FL_SAVED_USER) - rc = mnt_optstr_set_option(optstr, "user", cxt->orig_user); - if (rc) --- -cgit 1.2.3-1.el7 - diff --git a/main/varnish/0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch b/main/varnish/0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch new file mode 100644 index 00000000000..c8d3fde7f18 --- /dev/null +++ b/main/varnish/0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch @@ -0,0 +1,31 @@ +From fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland <martin@varnish-software.com> +Date: Fri, 17 Dec 2021 22:10:16 +0100 +Subject: [PATCH 1/2] Mark req doclose when failing to ignore req body + +Previously we would ignore errors to iterate the request body into +oblivion in VRB_Ignore(), keeping the connection open. This opens an +out-of-sync vulnerability on H/1 connections. + +This patch tests the status of the request body in VRB_Ignore(), marking +the request failed and that it should be closed on errors. +--- + bin/varnishd/cache/cache_req_body.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c +index 6391f928d..5ffd08b77 100644 +--- a/bin/varnishd/cache/cache_req_body.c ++++ b/bin/varnishd/cache/cache_req_body.c +@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req) + if (req->req_body_status->avail > 0) + (void)VRB_Iterate(req->wrk, req->vsl, req, + httpq_req_body_discard, NULL); ++ if (req->req_body_status == BS_ERROR) ++ req->doclose = SC_RX_BODY; + return (0); + } + +-- +2.35.0 + diff --git a/main/varnish/0002-VRB_Ignore-errors-and-connection-close-test-case.patch b/main/varnish/0002-VRB_Ignore-errors-and-connection-close-test-case.patch new file mode 100644 index 00000000000..7343dc0ba4a --- /dev/null +++ b/main/varnish/0002-VRB_Ignore-errors-and-connection-close-test-case.patch @@ -0,0 +1,75 @@ +From 1020be7e886399a4e94407ae0dfbfd1475cc5756 Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland <martin@varnish-software.com> +Date: Fri, 17 Dec 2021 22:10:27 +0100 +Subject: [PATCH 2/2] VRB_Ignore() errors and connection close test case + +--- + bin/varnishtest/tests/f00008.vtc | 56 ++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + create mode 100644 bin/varnishtest/tests/f00008.vtc + +diff --git a/bin/varnishtest/tests/f00008.vtc b/bin/varnishtest/tests/f00008.vtc +new file mode 100644 +index 000000000..4d6161a35 +--- /dev/null ++++ b/bin/varnishtest/tests/f00008.vtc +@@ -0,0 +1,56 @@ ++varnishtest "VRB_Ignore and connection close" ++ ++server s1 { ++ rxreq ++ txresp -body HIT ++} -start ++ ++varnish v1 -arg "-p timeout_idle=1" -vcl+backend { ++ sub vcl_recv { ++ if (req.url == "/synth") { ++ return (synth(200, "SYNTH")); ++ } ++ } ++} -start ++ ++# Prime an object ++client c1 { ++ txreq -url /hit ++ rxresp ++ expect resp.status == 200 ++ expect resp.body == HIT ++} -run ++ ++# Test synth ++client c2 { ++ txreq -req POST -url /synth -hdr "Content-Length: 2" ++ # Send 1 byte ++ send a ++ # Wait timeout_idle ++ delay 1.1 ++ # Send 1 byte ++ send b ++ rxresp ++ expect resp.status == 200 ++ expect resp.reason == SYNTH ++ expect resp.http.connection == close ++ timeout 0.5 ++ expect_close ++} -run ++ ++# Test cache hit ++client c3 { ++ txreq -req GET -url /hit -hdr "Content-Length: 2" ++ # Send 1 byte ++ send a ++ # Wait timeout_idle ++ delay 1.1 ++ # Send 1 byte ++ send b ++ rxresp ++ expect resp.status == 200 ++ expect resp.body == HIT ++ expect resp.http.connection == close ++ timeout 0.5 ++ expect_close ++} -run +-- +2.35.0 + diff --git a/main/varnish/APKBUILD b/main/varnish/APKBUILD index 47030bdb329..0aad693f469 100644 --- a/main/varnish/APKBUILD +++ b/main/varnish/APKBUILD @@ -4,7 +4,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=varnish pkgver=6.5.2 -pkgrel=0 +pkgrel=1 pkgdesc="High-performance HTTP accelerator" url="https://www.varnish-cache.org/" arch="all" @@ -27,10 +27,14 @@ source="https://varnish-cache.org/_downloads/varnish-$pkgver.tgz varnishncsa.initd varnishncsa.confd varnishd.logrotate - maxminddb.vcl" + maxminddb.vcl + 0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch + 0002-VRB_Ignore-errors-and-connection-close-test-case.patch" # secfixes: +# 6.5.2-r1: +# - CVE-2022-23959 # 6.5.2-r0: # - CVE-2021-36740 # 6.2.1-r0: @@ -109,4 +113,6 @@ e0b7d67bbd710f0a17b77837c581f128e6b746eff2b12e81d03d1ad040037e95bb00fb8007d89bc6 a5426ff66b89d2afb6273f05e4117b3eec5ce0162a624d52c92b418960f72e58bd01224165613221af76ec241bd98e1eb985b2ef7b83a5b615e9ece67234dcc8 varnishncsa.confd 51cc6d46ff7439de93977ab87dfb0af399458c1e446475696f73342ae7a0c1a8ca8fc6e79e593659f1af30716a5f8a1ee5e3b1f5e7b35df40b45d47e7b0f2ffd varnishd.logrotate 69f088819cff6d4441813be284f4117f232d08908515bd15d96bd5bb9d41ba7100657a52fd408d44c396d004366062ae22fbf08e2a983cd8023b554539ccf596 maxminddb.vcl +62f8c3f86d283b20f25db20504434095392c1aacbf4c91cea0ee9ba3cfd22ad1de928cb56ff4e1a226a5b31cc25466dcae0f28a8ebf575faa8655a9676ea896c 0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch +010d96023cd03c5350da9d779cbb05f0ce47b36d47869ace01e2c7cd841fffb610f28b39118bf9bc36617f778ab59a5d913b14ae2e71467852f6390021f7a295 0002-VRB_Ignore-errors-and-connection-close-test-case.patch " diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD index 3760c45e953..612bbde0a63 100644 --- a/main/vim/APKBUILD +++ b/main/vim/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=vim -pkgver=8.2.3437 +pkgver=8.2.4836 pkgrel=0 pkgdesc="Improved vi-style text editor" url="https://www.vim.org/" @@ -18,6 +18,55 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/vim/vim/archive/v$pkgver.tar " # secfixes: +# 8.2.4836-r0: +# - CVE-2022-1381 +# 8.2.4708-r0: +# - CVE-2022-1154 +# - CVE-2022-1160 +# 8.2.4619-r0: +# - CVE-2022-0943 +# - CVE-2022-0572 +# - CVE-2022-0629 +# - CVE-2022-0685 +# - CVE-2022-0696 +# - CVE-2022-0714 +# - CVE-2022-0729 +# - CVE-2022-0359 +# - CVE-2022-0361 +# - CVE-2022-0368 +# - CVE-2022-0392 +# - CVE-2022-0393 +# - CVE-2022-0407 +# - CVE-2022-0408 +# - CVE-2022-0413 +# - CVE-2022-0417 +# - CVE-2022-0443 +# 8.2.4173-r0: +# - CVE-2021-4069 +# - CVE-2021-4136 +# - CVE-2021-4166 +# - CVE-2021-4173 +# - CVE-2021-4187 +# - CVE-2021-4192 +# - CVE-2021-4193 +# - CVE-2021-46059 +# - CVE-2022-0128 +# - CVE-2022-0156 +# - CVE-2022-0158 +# - CVE-2022-0213 +# 8.2.3779-r0: +# - CVE-2021-4019 +# 8.2.3650-r0: +# - CVE-2021-3927 +# - CVE-2021-3928 +# - CVE-2021-3968 +# - CVE-2021-3973 +# - CVE-2021-3974 +# - CVE-2021-3984 +# 8.2.3567-r0: +# - CVE-2021-3903 +# 8.2.3500-r0: +# - CVE-2021-3875 # 8.2.3437-r0: # - CVE-2021-3770 # - CVE-2021-3778 @@ -133,6 +182,6 @@ xxd() { } sha512sums=" -7f6fc24f8f4a4fa01d20702684cc09aa5c3b51cdc2c96f3afcb484bc60874fab5dcafc33a9daa5ff25f7ae7b90ba0b124a7667d33d9fa5d9553a11be9a1ee069 vim-8.2.3437.tar.gz +e1afe03a3140c91fa928d88a8b3ad5e7c8808e5de5b7a07726b2a4f8f402adfdef2890be6a279e52848cc75346d15d4653f579f96da409544d58aba036abbbf7 vim-8.2.4836.tar.gz d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc " diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index c50f0fbace9..2a5644453d9 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=xen -pkgver=4.14.3 -pkgrel=2 +pkgver=4.14.5 +pkgrel=7 pkgdesc="Xen hypervisor" url="https://www.xenproject.org/" arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8 @@ -119,35 +119,35 @@ options="!strip" # 4.10.1-r0: # - CVE-2018-10472 XSA-258 # - CVE-2018-10471 XSA-259 -# 4.10-1-r1: +# 4.10.1-r1: # - CVE-2018-8897 XSA-260 # - CVE-2018-10982 XSA-261 # - CVE-2018-10981 XSA-262 # 4.11.0-r0: -# - CVE-2018-3639 XSA-263 -# - CVE-2018-12891 XSA-264 -# - CVE-2018-12893 XSA-265 -# - CVE-2018-12892 XSA-266 -# - CVE-2018-3665 XSA-267 +# - CVE-2018-3639 XSA-263 +# - CVE-2018-12891 XSA-264 +# - CVE-2018-12893 XSA-265 +# - CVE-2018-12892 XSA-266 +# - CVE-2018-3665 XSA-267 # 4.11.1-r0: -# - CVE-2018-15469 XSA-268 -# - CVE-2018-15468 XSA-269 -# - CVE-2018-15470 XSA-272 -# - CVE-2018-3620 XSA-273 -# - CVE-2018-3646 XSA-273 -# - CVE-2018-19961 XSA-275 -# - CVE-2018-19962 XSA-275 -# - CVE-2018-19963 XSA-276 -# - CVE-2018-19964 XSA-277 -# - CVE-2018-18883 XSA-278 -# - CVE-2018-19965 XSA-279 -# - CVE-2018-19966 XSA-280 -# - CVE-2018-19967 XSA-282 +# - CVE-2018-15469 XSA-268 +# - CVE-2018-15468 XSA-269 +# - CVE-2018-15470 XSA-272 +# - CVE-2018-3620 XSA-273 +# - CVE-2018-3646 XSA-273 +# - CVE-2018-19961 XSA-275 +# - CVE-2018-19962 XSA-275 +# - CVE-2018-19963 XSA-276 +# - CVE-2018-19964 XSA-277 +# - CVE-2018-18883 XSA-278 +# - CVE-2018-19965 XSA-279 +# - CVE-2018-19966 XSA-280 +# - CVE-2018-19967 XSA-282 # 4.12.0-r2: -# - CVE-2018-12126 XSA-297 -# - CVE-2018-12127 XSA-297 -# - CVE-2018-12130 XSA-297 -# - CVE-2019-11091 XSA-297 +# - CVE-2018-12126 XSA-297 +# - CVE-2018-12127 XSA-297 +# - CVE-2018-12130 XSA-297 +# - CVE-2019-11091 XSA-297 # 4.12.1-r0: # - CVE-2019-17349 CVE-2019-17350 XSA-295 # 4.13.0-r0: @@ -170,9 +170,9 @@ options="!strip" # - CVE-2020-11743 XSA-316 # - CVE-2020-11742 XSA-318 # 4.13.1-r0: -# - CVE-????-????? XSA-312 +# - XSA-312 # 4.13.1-r3: -# - CVE-2020-0543 XSA-320 +# - CVE-2020-0543 XSA-320 # 4.13.1-r4: # - CVE-2020-15566 XSA-317 # - CVE-2020-15563 XSA-319 @@ -214,13 +214,13 @@ options="!strip" # - CVE-2020-29570 XSA-358 # - CVE-2020-29571 XSA-359 # 4.14.1-r1: -# - CVE-2021-3308 XSA-360 +# - CVE-2021-3308 XSA-360 # 4.14.1-r2: # - CVE-2021-26933 XSA-364 # 4.14.1-r3: # - CVE-2021-28693 XSA-372 # - CVE-2021-28692 XSA-373 -# - CVE-2021-0089 XSA-375 +# - CVE-2021-0089 XSA-375 # - CVE-2021-28690 XSA-377 # 4.14.2-r0: # - CVE-2021-28694 XSA-378 @@ -240,6 +240,42 @@ options="!strip" # - CVE-2021-28708 XSA-388 # - CVE-2021-28705 XSA-389 # - CVE-2021-28709 XSA-389 +# 4.14.5-r0: +# - CVE-2021-28706 XSA-385 +# - CVE-2021-28703 XSA-387 +# - CVE-2022-23033 XSA-393 +# - CVE-2022-23034 XSA-394 +# - CVE-2022-23035 XSA-395 +# - CVE-2022-26356 XSA-397 +# - XSA-398 +# - CVE-2022-26357 XSA-399 +# - CVE-2022-26358 XSA-400 +# - CVE-2022-26359 XSA-400 +# - CVE-2022-26360 XSA-400 +# - CVE-2022-26361 XSA-400 +# 4.14.5-r1: +# - CVE-2022-26362 XSA-401 +# - CVE-2022-26363 XSA-402 +# - CVE-2022-26364 XSA-402 +# 4.14.5-r2: +# - CVE-2022-21123 XSA-404 +# - CVE-2022-21125 XSA-404 +# - CVE-2022-21166 XSA-404 +# 4.14.5-r3: +# - CVE-2022-26365 XSA-403 +# - CVE-2022-33740 XSA-403 +# - CVE-2022-33741 XSA-403 +# - CVE-2022-33742 XSA-403 +# 4.14.5-r4: +# - CVE-2022-23816 XSA-407 +# - CVE-2022-23825 XSA-407 +# - CVE-2022-29900 XSA-407 +# 4.14.5-r5: +# - CVE-2022-33745 XSA-408 +# 4.14.5-r6: +# - CVE-2022-42309 XSA-412 +# 4.14.5-r7: +# - CVE-2022-23824 XSA-422 case "$CARCH" in x86*) @@ -303,12 +339,6 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz qemu-xen-time64.patch gcc10-etherboot-enum.patch - xsa386.patch - - xsa388-4.14-1.patch - xsa388-4.14-2.patch - xsa389-4.14.patch - xenstored.initd xenstored.confd xenconsoled.initd @@ -321,6 +351,35 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz xendriverdomain.initd xen-pci.initd xen-pci.confd + + xsa401-4.16-1.patch + xsa401-4.16-2.patch + xsa402-4.14-1.patch + xsa402-4.14-2.patch + xsa402-4.14-3.patch + xsa402-4.14-4.patch + xsa402-4.14-5.patch + xsa403-4.14-1.patch + xsa404-4.14-1.patch + xsa404-4.14-2.patch + xsa404-4.14-3.patch + + xsa407-4.14-01.patch + xsa407-4.14-02.patch + xsa407-4.14-03.patch + xsa407-4.14-04.patch + xsa407-4.14-05.patch + xsa407-4.14-06.patch + xsa407-4.14-07.patch + xsa407-4.14-08.patch + xsa407-4.14-09.patch + xsa407-4.14-10.patch + xsa407-4.14-11.patch + xsa407-4.14-12.patch + xsa408.patch + xsa414-4.14.patch + xsa422-4.14-1.patch + xsa422-4.14-2.patch " _seabios=/usr/share/seabios/bios-256k.bin @@ -535,7 +594,7 @@ EOF } sha512sums=" -b462fcc1549f6e57f7f2a4fd10ce1e957a25a6a7c0319672b62699468f6c4330b9cd0cf2b0231b5cce94f4bb142a957eb8aa58aa0ffb5c85b37211d6b34ccf16 xen-4.14.3.tar.gz +7fc1c98b5e135e14a1902786d6cf44304c1c1e9b600195592aa3d12ba937bc307eaae984596c30544519f181d2a02f2c9ad9c94d6b2b6fac2091b54568b0705e xen-4.14.5.tar.gz 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz @@ -546,21 +605,17 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz 8120696ba6d79fd9189664deed9b0489825d8d1edf7b931023b3979b7b9f82248e5b808c4517036cd40a85442ddf51a8dcad3b05d7f3c3cc6650654d53da4050 ipxe-git-1dd56dbd11082fb622c2ed21cfaced4f47d798a6.tar.gz b9c754220187955d01ffbb6e030dace9d9aaae755db1765d07e407858c71a2cb0de04e0ab2099cd121d9e1bc1978af06c7dbd2fd805e06eca12ac5d527f15a52 mini-os-__divmoddi4.patch -1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch -f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch +809df33d86072834cf6f740fa9a4c7f5292b35bb44b5527c6439085c4656f6744a30b311abc2d79fca0ec098c22e49ebdb514c007eb1f8b8ece417618060709f qemu-xen_paths.patch +392e56cbfad2780d3666fba62d26381eed8b56ee101b60c07d367232bae1458b40af89d8b94b0e26f603378a36fde8ea6830d95c43f0fde666299f723c90c537 hotplug-vif-vtrill.patch 5fc028b5e4eb9b14fd5b27e3470172e3eb1ac63c1443fc0af7ed04efd874db733165e62d41504a547651c4466737303a6a5128f66212a42664ff6c1c9d233f4a musl-hvmloader-fix-stdint.patch 8c3b57eab8641bcee3dbdc1937ea7874f77b9722a5a0aa3ddb8dff8cc0ced7e19703ef5d998621b3809bea7c16f3346cfa47610ec9ab014ad0de12651c94e5ff stdint_local.h 853467a2d055c5bfbdc7bdca175a334241be44a7c5ac3c0a84a4bc5463b5c070b66d37e2a557429ef860727a6b7350683af758cc2494d85b6be4d883143a2c0d elf_local.h -2094ea964fa610b2bf72fd2c7ede7e954899a75c0f5b08030cf1d74460fb759ade84866176e32f8fe29c921dfdc6dafd2b31e23ab9b0a3874d3dceeabdd1913b xenqemu-xattr-size-max.patch +e78c84dabe2dd77132b003c71730e378245f04110396d0a0e71aa4964309dd2cb63a802337833bd90cb9d7cef9918d4fc8879a6f978e8489800cd5e14f272fb3 xenqemu-xattr-size-max.patch 8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch -6c28470dab368ce94d94db9e66954e4d915394ea730f6d4abb198ae122dbd7412453d6d8054f0a348d43d7f807fb13294363162f8b19f47311e802ffa9a40a90 stubdom-hack.patch +996383249d20384e85a04339ecfe62b7afb9ef5a0fbf92c05889f28e31e07682eaf9e68c5ef1f4142e690d2d0f0154e1c3009071f650eb706e05171dbe4ee7dd stubdom-hack.patch 5b582453ea64fae138e9442c7f4c083bbef82c216b25bb3e509c0e8f5c0e88487f9e12152367760fb8a6133266e7d8b58eda5e20cf7234a0f39ed6804070cc8d tpm-version.patch 231b5d0abf6420722534bf48b4f263bdf70dd258f5f34b344f230b4e166edb3ebaf769592f40653ea5836b4431ef951ebcf1995f09e2beb4a591edd3b024a652 qemu-xen-time64.patch e72ae17cb80c78412996845b996e442cdc21ee4b840c8b7ebacca101619b3d47104bf6b6330520aecf0d7ccf2699826b4f2a649c729b21d5ac81b37f7fc505fc gcc10-etherboot-enum.patch -77811232c5cf199d24fb8e4a5367a56d56e61ad218397913fa22bd89d0dffabe92acfded246aa731d450f80dcffee84268b27e73e60f19eec15d0ada988a0574 xsa386.patch -5e8165695a7e5a7fdc332de0d4ee31626eb72c8765f12855543592cb86f0eb4f98ea49cae31c8fc356a0645f6a2fe05ddf2b38f9f2bb04196bb4b9efc204dc26 xsa388-4.14-1.patch -9e7b5f66480d3c0898cc080d0506dddbe35a814ccd72619abb82e8241b8cddc726e7bb38ce818335451b56ba549ed9ea1743f46fb9f0fd81ac1310ec6e94fea4 xsa388-4.14-2.patch -a3196bac727ed19185cf61f6e0c5a43400556f42239055cdb03f2689a82647110ab77d06f059185c7ab12ccedd520d2951f258ca61a6ed06507343356571abb4 xsa389-4.14.patch 52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd 3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd @@ -573,4 +628,31 @@ bdbe15c924071cdc2d0f23e53ba8e3f837d4b5369bfb218abd3405f9bef25d105269aaf0784baeb6 85afec835a374aac3d307b3226eee7a08a676b1daac7e39bb7463d564ef72438dc27dd188a871cfd031e80c6992b756951f26bdca0d445e07eab6dba5245de46 xendriverdomain.initd a46337bebce24337f00adbe08095b9f5128c1f440e2033329e5ace9fd817a31fb772d75c0ecc7cc06f34b1522ebf8b21874ee4d0881a0f29851b1c1235f29cf3 xen-pci.initd 2db5fa6edeeb028236460029b976a849f22b3a15d3929acc3911dc41f365b471c2b815eb111639bc230a69528b1571f3c2e9e8e1e81a6679e55387e39355aa99 xen-pci.confd +070fcb4a4041bd9ed53fdca6ef743581be7b5ecee25bc51a4a1e4753aacabb3081834d8aa70db1f6220e5a689225ec2d90ea3df408bfdc72d84fd93cb8f45d72 xsa401-4.16-1.patch +c7d88603b7377cfffd3f52117f546a9d9df09eb7f1937c7a91b7631f4b7ac2a0ce348b40955cbcdf46040f45657a06bb56282e62c9f57a2a15c3751da5013c8f xsa401-4.16-2.patch +0e6140d71490797d5d2874de8097748f8e6b8ea4f076512da4f27947ec2b16ab3f8c2125edbfeeb9d6e4f04d28baad7b9736724128289f80782088bcfb6e5a6f xsa402-4.14-1.patch +d3dda6f48cfa6d590fa2cf1568b566771d3e26a1823f25559ceaa610e98889239b089d161db1917553559941b95032f5a696f0e47ce2a22ccc4cf95f5e64d3f7 xsa402-4.14-2.patch +0a6a089d35c6fc5bf0c6fa9a018ef2d7dd8e983b4d0afd04a57173ec530810656af175af1d5d78cd136529bb47171e3152e7dde71b714ea5464df0c9b55ff97a xsa402-4.14-3.patch +13e70329f9116f2d95f340fc83c71974a7c4d2290b0a68ee8b38de35f474e8c466faac21c6e4e9cae1b1fcbda7536cb835becee22a39fbe8fbfe40d4bc27032c xsa402-4.14-4.patch +fe8ae1acabe419070da37ba593eb108df9841787456da38489c63ad874648eb3b976ace0e2b941ee54fa75c6b11397ad7f9f346e39d0a2d54fe8931926495eef xsa402-4.14-5.patch +80743a91c18f80f631ba22a9ffef7cbff2481a07312bda79d337261c4cf0796bdd55dddae85a8df010300b4cc712c3bd7d162b02191f7eaebd1fb57a45d56560 xsa403-4.14-1.patch +6380d7abdedb6d00aa85418d07b03b336a2e5000177cfa776014e51ca22b2c58352d2ac4c6281ef9dcd2b454c46640cc3b1fb37b51a4581396b8eae2b142cedf xsa404-4.14-1.patch +1a691b03ed8180931328d00398f40fa8805f51614c01c6920014139407f81c0c2a16429af8f35645d0f2b0704d2563cea192372831fde58a702306da8f297684 xsa404-4.14-2.patch +1f95dba19afb1d13888dbd1c3d750407d231d34b5fa26067df7d691cc7fdbe6078ffda1ca148aa268ce01056e35b04276f8f1c87607699dbf9d27906609343dc xsa404-4.14-3.patch +7ddf9d467fd7d7d7ee231aa3d6bb731c26a7ba985bbd78d131fecef8aa70bf7dda475a350611dcaaefb65fbc0d6754a11acd6e2b6d71a5601d4dc27ee11521d9 xsa407-4.14-01.patch +cc874d802cf8eef2a94916fa17b4cc9dc9457218f62ce77a74bcd12d1c4f158b2421cbc06599214ae4016781bc591113be9caf87d19d559b2bae30907e1617d7 xsa407-4.14-02.patch +7e42273d9204d9c3ea3c3ee2d78e1fbb3b479c18f2683b50b36e210b96b82390d2ad34bde8816c617f9fcdef3e4825551fa764eff74f5b979e3d027e126e3683 xsa407-4.14-03.patch +2c8fa55eddea560eac0d79ca224e5240fc39d81e83f3794c371889b538c05d0cd4f1fca726c3a78ef9afafbb9bf4a90a419e20bc0d0c6ffef3af6479a5f086e6 xsa407-4.14-04.patch +5a8f592efb00615d4a105c946e63d4d208e285ea196e4208dfaf5675974268c0a3faf7843ce8b89b80d23e18634ea7e7be6c00b5fcf8f5c6fc3d103f22210ad3 xsa407-4.14-05.patch +a6f6cdc4073f1a1a8c209e073bff81dba8b5f2eb20fe821bddfaf772dc9603c04e2146b6544ecaaa46e76c23737b4b276834e750313a6fd55e655acaa934c92e xsa407-4.14-06.patch +7d65c45873d293aa0c03bd8b15f9f79b1f0a75523548306c77e329a8e2326853a1ef2d4167cc7b4370dcb9e6a5871495e4ebad3bcba1b483fe579d9e5026b30c xsa407-4.14-07.patch +9aa28eb6bae8de5a2d725ad7ba665196f19f8f405260952a38ee07a3b6be11baa04326da8c925d6c4e7eeb6c541ae8333dc4adb9260b375bb02ad2cbb0d07d95 xsa407-4.14-08.patch +efc5d0849c0dd53910f5f01c2278cb36c6723a4a208bac5416f9673e95aa7898e49f0894b66ae22d36cd61bdfaccbdf5421a44ab522a1843295f758c1a6463c4 xsa407-4.14-09.patch +041ac095e2aa27932a076af884a2dc9074f86a06b031eec8b829fc53b5e2f721ec490b068d37a0bef8b7cc91f5a75270a83abbf5a3fefffdf01644866ee80dd5 xsa407-4.14-10.patch +4336d90c20f7311847c6933379463c032772682d0b4ea6b7cf0bf61c3dd5294357f03b7f7abeb7b9cf1804485d97c3f06cd69dd985c258b95c080229081a90cd xsa407-4.14-11.patch +4ebad40167c39f798459774a20db7a30dee2b5cefbc1170e59059b7aef94e4be2cab43c841613cd8cc64f33888054ed876f218953fcf2f0ee7086ce77e6b30a0 xsa407-4.14-12.patch +2a624ce29fa74f78d971a93ca48aa4f09e66b47f94ebc3d256681c40a2fc55fd4bb0ec060418f3d96841b1824e1a016c69e9ec90e7702a6ba8b69246d6466b3d xsa408.patch +4894a57920057aaf603de2a079569f7fd01f9e177c55845a3988f0714a35e164cbbe6779c145a5821cbcdeede26b0b9713d26aee113b6fab7259ff3c48b11c98 xsa414-4.14.patch +a429d89371a9688d6f3d215eab7ee12276115f9b09843bc237a08ae9ea3f9a7eb5c2d9bea9310e058f350b594d8a6cc9e9b09278ad25406a8b527eefcd00c88b xsa422-4.14-1.patch +f2f03e3c17624a5dd7be62403fb367c7369da2fb619c051f1f3a24dc760747a5828038049cd52525aefd8b9cb7a7a7ebb935bc4ebdbfc23bd011856479dbf2a7 xsa422-4.14-2.patch " diff --git a/main/xen/hotplug-vif-vtrill.patch b/main/xen/hotplug-vif-vtrill.patch index 6f9d894250c..7384d697d7c 100644 --- a/main/xen/hotplug-vif-vtrill.patch +++ b/main/xen/hotplug-vif-vtrill.patch @@ -1,16 +1,16 @@ ---- xen-4.3.0/tools/hotplug/Linux/Makefile -+++ xen-4.3.0.mod/tools/hotplug/Linux/Makefile -@@ -14,6 +14,7 @@ - XEN_SCRIPTS += network-route vif-route - XEN_SCRIPTS += network-nat vif-nat +--- a/tools/hotplug/Linux/Makefile ++++ b/tools/hotplug/Linux/Makefile +@@ -6,6 +6,7 @@ XEN_SCRIPTS = vif-bridge + XEN_SCRIPTS += vif-route + XEN_SCRIPTS += vif-nat XEN_SCRIPTS += vif-openvswitch +XEN_SCRIPTS += vif-vtrill XEN_SCRIPTS += vif2 XEN_SCRIPTS += vif-setup - XEN_SCRIPTS += block ---- xen-4.3.0/tools/hotplug/Linux/vif-common.sh -+++ xen-4.3.0.mod/tools/hotplug/Linux/vif-common.sh -@@ -213,3 +213,31 @@ + XEN_SCRIPTS-$(CONFIG_LIBNL) += remus-netbuf-setup +--- a/tools/hotplug/Linux/vif-common.sh ++++ b/tools/hotplug/Linux/vif-common.sh +@@ -244,3 +244,31 @@ dom0_ip() fi echo "$result" } diff --git a/main/xen/qemu-xen_paths.patch b/main/xen/qemu-xen_paths.patch index e558d1f37f3..ff0ee04f6f8 100644 --- a/main/xen/qemu-xen_paths.patch +++ b/main/xen/qemu-xen_paths.patch @@ -1,7 +1,7 @@ ---- ./tools/Makefile.orig -+++ ./tools/Makefile -@@ -219,6 +219,8 @@ - -L$(XEN_ROOT)/tools/xenstore \ +--- a/tools/Makefile ++++ b/tools/Makefile +@@ -275,6 +275,8 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-fi + -Wl,-rpath-link=$(XEN_ROOT)/tools/libs/devicemodel \ $(QEMU_UPSTREAM_RPATH)" \ --bindir=$(LIBEXEC_BIN) \ + --libexecdir=$(LIBEXEC_BIN) \ diff --git a/main/xen/stubdom-hack.patch b/main/xen/stubdom-hack.patch index 2e7ddc89260..74006bfdd81 100644 --- a/main/xen/stubdom-hack.patch +++ b/main/xen/stubdom-hack.patch @@ -1,6 +1,6 @@ ---- xen-4.15.0.orig/stubdom/Makefile -+++ xen-4.15.0/stubdom/Makefile -@@ -186,7 +186,7 @@ +--- a/stubdom/Makefile ++++ b/stubdom/Makefile +@@ -179,7 +179,7 @@ gmp-$(XEN_TARGET_ARCH): gmp-$(GMP_VERSIO rm $@ -rf || : mv gmp-$(GMP_VERSION) $@ #patch -d $@ -p0 < gmp.patch diff --git a/main/xen/xenqemu-xattr-size-max.patch b/main/xen/xenqemu-xattr-size-max.patch index b0c02cbdada..4a48ca0ce71 100644 --- a/main/xen/xenqemu-xattr-size-max.patch +++ b/main/xen/xenqemu-xattr-size-max.patch @@ -1,8 +1,8 @@ ---- xen-4.9.0/tools/qemu-xen/hw/9pfs/9p.c.orig -+++ xen-4.9.0/tools/qemu-xen/hw/9pfs/9p.c -@@ -25,6 +25,10 @@ - #include "trace.h" - #include "migration/migration.h" +--- a/tools/qemu-xen/hw/9pfs/9p.c ++++ b/tools/qemu-xen/hw/9pfs/9p.c +@@ -30,6 +30,10 @@ + #include <math.h> + #include <linux/limits.h> +#ifdef __linux__ +#include <linux/limits.h> /* for XATTR_SIZE_MAX */ diff --git a/main/xen/xsa386.patch b/main/xen/xsa386.patch deleted file mode 100644 index 83f24d30d53..00000000000 --- a/main/xen/xsa386.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: VT-d: fix deassign of device with RMRR -Date: Fri, 1 Oct 2021 15:05:42 +0200 - -Ignoring a specific error code here was not meant to short circuit -deassign to _just_ the unmapping of RMRRs. This bug was previously -hidden by the bogus (potentially indefinite) looping in -pci_release_devices(), until f591755823a7 ("IOMMU/PCI: don't let domain -cleanup continue when device de-assignment failed") fixed that loop. - -This is CVE-2021-28702 / XSA-386. - -Fixes: 8b99f4400b69 ("VT-d: fix RMRR related error handling") -Reported-by: Ivan Kardykov <kardykov@tabit.pro> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Tested-by: Ivan Kardykov <kardykov@tabit.pro> - ---- a/xen/drivers/passthrough/vtd/iommu.c -+++ b/xen/drivers/passthrough/vtd/iommu.c -@@ -2409,7 +2409,7 @@ static int reassign_device_ownership( - ret = iommu_identity_mapping(source, p2m_access_x, - rmrr->base_address, - rmrr->end_address, 0); -- if ( ret != -ENOENT ) -+ if ( ret && ret != -ENOENT ) - return ret; - } - } - diff --git a/main/xen/xsa388-4.14-1.patch b/main/xen/xsa388-4.14-1.patch deleted file mode 100644 index f76f2d56b6b..00000000000 --- a/main/xen/xsa388-4.14-1.patch +++ /dev/null @@ -1,174 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86/PoD: deal with misaligned GFNs - -Users of XENMEM_decrease_reservation and XENMEM_populate_physmap aren't -required to pass in order-aligned GFN values. (While I consider this -bogus, I don't think we can fix this there, as that might break existing -code, e.g Linux'es swiotlb, which - while affecting PV only - until -recently had been enforcing only page alignment on the original -allocation.) Only non-PoD code paths (guest_physmap_{add,remove}_page(), -p2m_set_entry()) look to be dealing with this properly (in part by being -implemented inefficiently, handling every 4k page separately). - -Introduce wrappers taking care of splitting the incoming request into -aligned chunks, without putting much effort in trying to determine the -largest possible chunk at every iteration. - -Also "handle" p2m_set_entry() failure for non-order-0 requests by -crashing the domain in one more place. Alongside putting a log message -there, also add one to the other similar path. - -Note regarding locking: This is left in the actual worker functions on -the assumption that callers aren't guaranteed atomicity wrt acting on -multiple pages at a time. For mis-aligned GFNs gfn_lock() wouldn't have -locked the correct GFN range anyway, if it didn't simply resolve to -p2m_lock(), and for well-behaved callers there continues to be only a -single iteration, i.e. behavior is unchanged for them. (FTAOD pulling -out just pod_lock() into p2m_pod_decrease_reservation() would result in -a lock order violation.) - -This is CVE-2021-28704 and CVE-2021-28707 / part of XSA-388. - -Fixes: 3c352011c0d3 ("x86/PoD: shorten certain operations on higher order ranges") -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> - ---- a/xen/arch/x86/mm/p2m-pod.c -+++ b/xen/arch/x86/mm/p2m-pod.c -@@ -495,7 +495,7 @@ p2m_pod_zero_check_superpage(struct p2m_ - - - /* -- * This function is needed for two reasons: -+ * This pair of functions is needed for two reasons: - * + To properly handle clearing of PoD entries - * + To "steal back" memory being freed for the PoD cache, rather than - * releasing it. -@@ -503,8 +503,8 @@ p2m_pod_zero_check_superpage(struct p2m_ - * Once both of these functions have been completed, we can return and - * allow decrease_reservation() to handle everything else. - */ --unsigned long --p2m_pod_decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order) -+static unsigned long -+decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order) - { - unsigned long ret = 0, i, n; - struct p2m_domain *p2m = p2m_get_hostp2m(d); -@@ -551,8 +551,10 @@ p2m_pod_decrease_reservation(struct doma - * All PoD: Mark the whole region invalid and tell caller - * we're done. - */ -- if ( p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_invalid, -- p2m->default_access) ) -+ int rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_invalid, -+ p2m->default_access); -+ -+ if ( rc ) - { - /* - * If this fails, we can't tell how much of the range was changed. -@@ -560,7 +562,12 @@ p2m_pod_decrease_reservation(struct doma - * impossible. - */ - if ( order != 0 ) -+ { -+ printk(XENLOG_G_ERR -+ "%pd: marking GFN %#lx (order %u) as non-PoD failed: %d\n", -+ d, gfn_x(gfn), order, rc); - domain_crash(d); -+ } - goto out_unlock; - } - ret = 1UL << order; -@@ -667,6 +674,22 @@ out_unlock: - return ret; - } - -+unsigned long -+p2m_pod_decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order) -+{ -+ unsigned long left = 1UL << order, ret = 0; -+ unsigned int chunk_order = find_first_set_bit(gfn_x(gfn) | left); -+ -+ do { -+ ret += decrease_reservation(d, gfn, chunk_order); -+ -+ left -= 1UL << chunk_order; -+ gfn = gfn_add(gfn, 1UL << chunk_order); -+ } while ( left ); -+ -+ return ret; -+} -+ - void p2m_pod_dump_data(struct domain *d) - { - struct p2m_domain *p2m = p2m_get_hostp2m(d); -@@ -1266,19 +1289,15 @@ remap_and_retry: - return true; - } - -- --int --guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn_l, -- unsigned int order) -+static int -+mark_populate_on_demand(struct domain *d, unsigned long gfn_l, -+ unsigned int order) - { - struct p2m_domain *p2m = p2m_get_hostp2m(d); - gfn_t gfn = _gfn(gfn_l); - unsigned long i, n, pod_count = 0; - int rc = 0; - -- if ( !paging_mode_translate(d) ) -- return -EINVAL; -- - gfn_lock(p2m, gfn, order); - - P2M_DEBUG("mark pod gfn=%#lx\n", gfn_l); -@@ -1316,12 +1335,44 @@ guest_physmap_mark_populate_on_demand(st - BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); - } -+ else if ( order ) -+ { -+ /* -+ * If this failed, we can't tell how much of the range was changed. -+ * Best to crash the domain. -+ */ -+ printk(XENLOG_G_ERR -+ "%pd: marking GFN %#lx (order %u) as PoD failed: %d\n", -+ d, gfn_l, order, rc); -+ domain_crash(d); -+ } - - out: - gfn_unlock(p2m, gfn, order); - - return rc; - } -+ -+int -+guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn, -+ unsigned int order) -+{ -+ unsigned long left = 1UL << order; -+ unsigned int chunk_order = find_first_set_bit(gfn | left); -+ int rc; -+ -+ if ( !paging_mode_translate(d) ) -+ return -EINVAL; -+ -+ do { -+ rc = mark_populate_on_demand(d, gfn, chunk_order); -+ -+ left -= 1UL << chunk_order; -+ gfn += 1UL << chunk_order; -+ } while ( !rc && left ); -+ -+ return rc; -+} - - void p2m_pod_init(struct p2m_domain *p2m) - { diff --git a/main/xen/xsa388-4.14-2.patch b/main/xen/xsa388-4.14-2.patch deleted file mode 100644 index 2f8cc881f0a..00000000000 --- a/main/xen/xsa388-4.14-2.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86/PoD: handle intermediate page orders in p2m_pod_cache_add() - -p2m_pod_decrease_reservation() may pass pages to the function which -aren't 4k, 2M, or 1G. Handle all intermediate orders as well, to avoid -hitting the BUG() at the switch() statement's "default" case. - -This is CVE-2021-28708 / part of XSA-388. - -Fixes: 3c352011c0d3 ("x86/PoD: shorten certain operations on higher order ranges") -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> - ---- a/xen/arch/x86/mm/p2m-pod.c -+++ b/xen/arch/x86/mm/p2m-pod.c -@@ -111,15 +111,13 @@ p2m_pod_cache_add(struct p2m_domain *p2m - /* Then add to the appropriate populate-on-demand list. */ - switch ( order ) - { -- case PAGE_ORDER_1G: -- for ( i = 0; i < (1UL << PAGE_ORDER_1G); i += 1UL << PAGE_ORDER_2M ) -+ case PAGE_ORDER_2M ... PAGE_ORDER_1G: -+ for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_2M ) - page_list_add_tail(page + i, &p2m->pod.super); - break; -- case PAGE_ORDER_2M: -- page_list_add_tail(page, &p2m->pod.super); -- break; -- case PAGE_ORDER_4K: -- page_list_add_tail(page, &p2m->pod.single); -+ case PAGE_ORDER_4K ... PAGE_ORDER_2M - 1: -+ for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_4K ) -+ page_list_add_tail(page + i, &p2m->pod.single); - break; - default: - BUG(); diff --git a/main/xen/xsa389-4.14.patch b/main/xen/xsa389-4.14.patch deleted file mode 100644 index 1d893f123f0..00000000000 --- a/main/xen/xsa389-4.14.patch +++ /dev/null @@ -1,180 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86/P2M: deal with partial success of p2m_set_entry() - -M2P and PoD stats need to remain in sync with P2M; if an update succeeds -only partially, respective adjustments need to be made. If updates get -made before the call, they may also need undoing upon complete failure -(i.e. including the single-page case). - -Log-dirty state would better also be kept in sync. - -Note that the change to set_typed_p2m_entry() may not be strictly -necessary (due to the order restriction enforced near the top of the -function), but is being kept here to be on the safe side. - -This is CVE-2021-28705 and CVE-2021-28709 / XSA-389. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> - ---- a/xen/arch/x86/mm/p2m.c -+++ b/xen/arch/x86/mm/p2m.c -@@ -780,6 +780,7 @@ p2m_remove_page(struct p2m_domain *p2m, - unsigned long i; - p2m_type_t t; - p2m_access_t a; -+ int rc; - - /* IOMMU for PV guests is handled in get_page_type() and put_page(). */ - if ( !paging_mode_translate(p2m->domain) ) -@@ -813,8 +814,27 @@ p2m_remove_page(struct p2m_domain *p2m, - } - } - -- return p2m_set_entry(p2m, gfn, INVALID_MFN, page_order, p2m_invalid, -- p2m->default_access); -+ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, page_order, p2m_invalid, -+ p2m->default_access); -+ if ( likely(!rc) || !mfn_valid(mfn) ) -+ return rc; -+ -+ /* -+ * The operation may have partially succeeded. For the failed part we need -+ * to undo the M2P update and, out of precaution, mark the pages dirty -+ * again. -+ */ -+ for ( i = 0; i < (1UL << page_order); ++i ) -+ { -+ p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, NULL, NULL); -+ if ( !p2m_is_hole(t) && !p2m_is_special(t) && !p2m_is_shared(t) ) -+ { -+ set_gpfn_from_mfn(mfn_x(mfn) + i, gfn_x(gfn) + i); -+ paging_mark_pfn_dirty(p2m->domain, _pfn(gfn_x(gfn) + i)); -+ } -+ } -+ -+ return rc; - } - - int -@@ -1003,13 +1023,8 @@ guest_physmap_add_entry(struct domain *d - - /* Now, actually do the two-way mapping */ - rc = p2m_set_entry(p2m, gfn, mfn, page_order, t, p2m->default_access); -- if ( rc == 0 ) -+ if ( likely(!rc) ) - { -- pod_lock(p2m); -- p2m->pod.entry_count -= pod_count; -- BUG_ON(p2m->pod.entry_count < 0); -- pod_unlock(p2m); -- - if ( !p2m_is_grant(t) ) - { - for ( i = 0; i < (1UL << page_order); i++ ) -@@ -1017,6 +1032,42 @@ guest_physmap_add_entry(struct domain *d - gfn_x(gfn_add(gfn, i))); - } - } -+ else -+ { -+ /* -+ * The operation may have partially succeeded. For the successful part -+ * we need to update M2P and dirty state, while for the failed part we -+ * may need to adjust PoD stats as well as undo the earlier M2P update. -+ */ -+ for ( i = 0; i < (1UL << page_order); ++i ) -+ { -+ omfn = p2m->get_entry(p2m, gfn_add(gfn, i), &ot, &a, 0, NULL, NULL); -+ if ( p2m_is_pod(ot) ) -+ { -+ BUG_ON(!pod_count); -+ --pod_count; -+ } -+ else if ( mfn_eq(omfn, mfn_add(mfn, i)) && ot == t && -+ a == p2m->default_access && !p2m_is_grant(t) ) -+ { -+ set_gpfn_from_mfn(mfn_x(omfn), gfn_x(gfn) + i); -+ paging_mark_pfn_dirty(d, _pfn(gfn_x(gfn) + i)); -+ } -+ else if ( p2m_is_ram(ot) && !p2m_is_paged(ot) ) -+ { -+ ASSERT(mfn_valid(omfn)); -+ set_gpfn_from_mfn(mfn_x(omfn), gfn_x(gfn) + i); -+ } -+ } -+ } -+ -+ if ( pod_count ) -+ { -+ pod_lock(p2m); -+ p2m->pod.entry_count -= pod_count; -+ BUG_ON(p2m->pod.entry_count < 0); -+ pod_unlock(p2m); -+ } - - out: - p2m_unlock(p2m); -@@ -1308,6 +1359,49 @@ static int set_typed_p2m_entry(struct do - return 0; - } - } -+ -+ P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn)); -+ rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access); -+ if ( unlikely(rc) ) -+ { -+ gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n", -+ gfn_l, order, rc, mfn_x(mfn)); -+ -+ /* -+ * The operation may have partially succeeded. For the successful part -+ * we need to update PoD stats, M2P, and dirty state. -+ */ -+ if ( order != PAGE_ORDER_4K ) -+ { -+ unsigned long i; -+ -+ for ( i = 0; i < (1UL << order); ++i ) -+ { -+ p2m_type_t t; -+ mfn_t cmfn = p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, -+ NULL, NULL); -+ -+ if ( !mfn_eq(cmfn, mfn_add(mfn, i)) || t != gfn_p2mt || -+ a != access ) -+ continue; -+ -+ if ( p2m_is_ram(ot) ) -+ { -+ ASSERT(mfn_valid(mfn_add(omfn, i))); -+ set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY); -+ } -+#ifdef CONFIG_HVM -+ else if ( p2m_is_pod(ot) ) -+ { -+ pod_lock(p2m); -+ BUG_ON(!p2m->pod.entry_count); -+ --p2m->pod.entry_count; -+ pod_unlock(p2m); -+ } -+#endif -+ } -+ } -+ } - else if ( p2m_is_ram(ot) ) - { - unsigned long i; -@@ -1318,12 +1412,6 @@ static int set_typed_p2m_entry(struct do - set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY); - } - } -- -- P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn)); -- rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access); -- if ( rc ) -- gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n", -- gfn_l, order, rc, mfn_x(mfn)); - #ifdef CONFIG_HVM - else if ( p2m_is_pod(ot) ) - { diff --git a/main/xen/xsa401-4.16-1.patch b/main/xen/xsa401-4.16-1.patch new file mode 100644 index 00000000000..5c8c50617a2 --- /dev/null +++ b/main/xen/xsa401-4.16-1.patch @@ -0,0 +1,170 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/pv: Clean up _get_page_type() + +Various fixes for clarity, ahead of making complicated changes. + + * Split the overflow check out of the if/else chain for type handling, as + it's somewhat unrelated. + * Comment the main if/else chain to explain what is going on. Adjust one + ASSERT() and state the bit layout for validate-locked and partial states. + * Correct the comment about TLB flushing, as it's backwards. The problem + case is when writeable mappings are retained to a page becoming read-only, + as it allows the guest to bypass Xen's safety checks for updates. + * Reduce the scope of 'y'. It is an artefact of the cmpxchg loop and not + valid for use by subsequent logic. Switch to using ACCESS_ONCE() to treat + all reads as explicitly volatile. The only thing preventing the validated + wait-loop being infinite is the compiler barrier hidden in cpu_relax(). + * Replace one page_get_owner(page) with the already-calculated 'd' already in + scope. + +No functional change. + +This is part of XSA-401 / CVE-2022-26362. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: George Dunlap <george.dunlap@citrix.com> + +diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c +index 796faca64103..ddd32f88c798 100644 +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -2935,16 +2935,17 @@ static int _put_page_type(struct page_info *page, unsigned int flags, + static int _get_page_type(struct page_info *page, unsigned long type, + bool preemptible) + { +- unsigned long nx, x, y = page->u.inuse.type_info; ++ unsigned long nx, x; + int rc = 0; + + ASSERT(!(type & ~(PGT_type_mask | PGT_pae_xen_l2))); + ASSERT(!in_irq()); + +- for ( ; ; ) ++ for ( unsigned long y = ACCESS_ONCE(page->u.inuse.type_info); ; ) + { + x = y; + nx = x + 1; ++ + if ( unlikely((nx & PGT_count_mask) == 0) ) + { + gdprintk(XENLOG_WARNING, +@@ -2952,8 +2953,15 @@ static int _get_page_type(struct page_info *page, unsigned long type, + mfn_x(page_to_mfn(page))); + return -EINVAL; + } +- else if ( unlikely((x & PGT_count_mask) == 0) ) ++ ++ if ( unlikely((x & PGT_count_mask) == 0) ) + { ++ /* ++ * Typeref 0 -> 1. ++ * ++ * Type changes are permitted when the typeref is 0. If the type ++ * actually changes, the page needs re-validating. ++ */ + struct domain *d = page_get_owner(page); + + if ( d && shadow_mode_enabled(d) ) +@@ -2964,8 +2972,8 @@ static int _get_page_type(struct page_info *page, unsigned long type, + { + /* + * On type change we check to flush stale TLB entries. It is +- * vital that no other CPUs are left with mappings of a frame +- * which is about to become writeable to the guest. ++ * vital that no other CPUs are left with writeable mappings ++ * to a frame which is intending to become pgtable/segdesc. + */ + cpumask_t *mask = this_cpu(scratch_cpumask); + +@@ -2977,7 +2985,7 @@ static int _get_page_type(struct page_info *page, unsigned long type, + + if ( unlikely(!cpumask_empty(mask)) && + /* Shadow mode: track only writable pages. */ +- (!shadow_mode_enabled(page_get_owner(page)) || ++ (!shadow_mode_enabled(d) || + ((nx & PGT_type_mask) == PGT_writable_page)) ) + { + perfc_incr(need_flush_tlb_flush); +@@ -3008,7 +3016,14 @@ static int _get_page_type(struct page_info *page, unsigned long type, + } + else if ( unlikely((x & (PGT_type_mask|PGT_pae_xen_l2)) != type) ) + { +- /* Don't log failure if it could be a recursive-mapping attempt. */ ++ /* ++ * else, we're trying to take a new reference, of the wrong type. ++ * ++ * This (being able to prohibit use of the wrong type) is what the ++ * typeref system exists for, but skip printing the failure if it ++ * looks like a recursive mapping, as subsequent logic might ++ * ultimately permit the attempt. ++ */ + if ( ((x & PGT_type_mask) == PGT_l2_page_table) && + (type == PGT_l1_page_table) ) + return -EINVAL; +@@ -3027,18 +3042,46 @@ static int _get_page_type(struct page_info *page, unsigned long type, + } + else if ( unlikely(!(x & PGT_validated)) ) + { ++ /* ++ * else, the count is non-zero, and we're grabbing the right type; ++ * but the page hasn't been validated yet. ++ * ++ * The page is in one of two states (depending on PGT_partial), ++ * and should have exactly one reference. ++ */ ++ ASSERT((x & (PGT_type_mask | PGT_count_mask)) == (type | 1)); ++ + if ( !(x & PGT_partial) ) + { +- /* Someone else is updating validation of this page. Wait... */ ++ /* ++ * The page has been left in the "validate locked" state ++ * (i.e. PGT_[type] | 1) which means that a concurrent caller ++ * of _get_page_type() is in the middle of validation. ++ * ++ * Spin waiting for the concurrent user to complete (partial ++ * or fully validated), then restart our attempt to acquire a ++ * type reference. ++ */ + do { + if ( preemptible && hypercall_preempt_check() ) + return -EINTR; + cpu_relax(); +- } while ( (y = page->u.inuse.type_info) == x ); ++ } while ( (y = ACCESS_ONCE(page->u.inuse.type_info)) == x ); + continue; + } +- /* Type ref count was left at 1 when PGT_partial got set. */ +- ASSERT((x & PGT_count_mask) == 1); ++ ++ /* ++ * The page has been left in the "partial" state ++ * (i.e., PGT_[type] | PGT_partial | 1). ++ * ++ * Rather than bumping the type count, we need to try to grab the ++ * validation lock; if we succeed, we need to validate the page, ++ * then drop the general ref associated with the PGT_partial bit. ++ * ++ * We grab the validation lock by setting nx to (PGT_[type] | 1) ++ * (i.e., non-zero type count, neither PGT_validated nor ++ * PGT_partial set). ++ */ + nx = x & ~PGT_partial; + } + +@@ -3087,6 +3130,13 @@ static int _get_page_type(struct page_info *page, unsigned long type, + } + + out: ++ /* ++ * Did we drop the PGT_partial bit when acquiring the typeref? If so, ++ * drop the general reference that went along with it. ++ * ++ * N.B. validate_page() may have have re-set PGT_partial, not reflected in ++ * nx, but will have taken an extra ref when doing so. ++ */ + if ( (x & PGT_partial) && !(nx & PGT_partial) ) + put_page(page); + diff --git a/main/xen/xsa401-4.16-2.patch b/main/xen/xsa401-4.16-2.patch new file mode 100644 index 00000000000..be58db59a51 --- /dev/null +++ b/main/xen/xsa401-4.16-2.patch @@ -0,0 +1,191 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/pv: Fix ABAC cmpxchg() race in _get_page_type() + +_get_page_type() suffers from a race condition where it incorrectly assumes +that because 'x' was read and a subsequent a cmpxchg() succeeds, the type +cannot have changed in-between. Consider: + +CPU A: + 1. Creates an L2e referencing pg + `-> _get_page_type(pg, PGT_l1_page_table), sees count 0, type PGT_writable_page + 2. Issues flush_tlb_mask() +CPU B: + 3. Creates a writeable mapping of pg + `-> _get_page_type(pg, PGT_writable_page), count increases to 1 + 4. Writes into new mapping, creating a TLB entry for pg + 5. Removes the writeable mapping of pg + `-> _put_page_type(pg), count goes back down to 0 +CPU A: + 7. Issues cmpxchg(), setting count 1, type PGT_l1_page_table + +CPU B now has a writeable mapping to pg, which Xen believes is a pagetable and +suitably protected (i.e. read-only). The TLB flush in step 2 must be deferred +until after the guest is prohibited from creating new writeable mappings, +which is after step 7. + +Defer all safety actions until after the cmpxchg() has successfully taken the +intended typeref, because that is what prevents concurrent users from using +the old type. + +Also remove the early validation for writeable and shared pages. This removes +race conditions where one half of a parallel mapping attempt can return +successfully before: + * The IOMMU pagetables are in sync with the new page type + * Writeable mappings to shared pages have been torn down + +This is part of XSA-401 / CVE-2022-26362. + +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: George Dunlap <george.dunlap@citrix.com> + +diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c +index ddd32f88c798..1693b580b152 100644 +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -2962,56 +2962,12 @@ static int _get_page_type(struct page_info *page, unsigned long type, + * Type changes are permitted when the typeref is 0. If the type + * actually changes, the page needs re-validating. + */ +- struct domain *d = page_get_owner(page); +- +- if ( d && shadow_mode_enabled(d) ) +- shadow_prepare_page_type_change(d, page, type); + + ASSERT(!(x & PGT_pae_xen_l2)); + if ( (x & PGT_type_mask) != type ) + { +- /* +- * On type change we check to flush stale TLB entries. It is +- * vital that no other CPUs are left with writeable mappings +- * to a frame which is intending to become pgtable/segdesc. +- */ +- cpumask_t *mask = this_cpu(scratch_cpumask); +- +- BUG_ON(in_irq()); +- cpumask_copy(mask, d->dirty_cpumask); +- +- /* Don't flush if the timestamp is old enough */ +- tlbflush_filter(mask, page->tlbflush_timestamp); +- +- if ( unlikely(!cpumask_empty(mask)) && +- /* Shadow mode: track only writable pages. */ +- (!shadow_mode_enabled(d) || +- ((nx & PGT_type_mask) == PGT_writable_page)) ) +- { +- perfc_incr(need_flush_tlb_flush); +- /* +- * If page was a page table make sure the flush is +- * performed using an IPI in order to avoid changing the +- * type of a page table page under the feet of +- * spurious_page_fault(). +- */ +- flush_mask(mask, +- (x & PGT_type_mask) && +- (x & PGT_type_mask) <= PGT_root_page_table +- ? FLUSH_TLB | FLUSH_FORCE_IPI +- : FLUSH_TLB); +- } +- +- /* We lose existing type and validity. */ + nx &= ~(PGT_type_mask | PGT_validated); + nx |= type; +- +- /* +- * No special validation needed for writable pages. +- * Page tables and GDT/LDT need to be scanned for validity. +- */ +- if ( type == PGT_writable_page || type == PGT_shared_page ) +- nx |= PGT_validated; + } + } + else if ( unlikely((x & (PGT_type_mask|PGT_pae_xen_l2)) != type) ) +@@ -3092,6 +3048,56 @@ static int _get_page_type(struct page_info *page, unsigned long type, + return -EINTR; + } + ++ /* ++ * One typeref has been taken and is now globally visible. ++ * ++ * The page is either in the "validate locked" state (PGT_[type] | 1) or ++ * fully validated (PGT_[type] | PGT_validated | >0). ++ */ ++ ++ if ( unlikely((x & PGT_count_mask) == 0) ) ++ { ++ struct domain *d = page_get_owner(page); ++ ++ if ( d && shadow_mode_enabled(d) ) ++ shadow_prepare_page_type_change(d, page, type); ++ ++ if ( (x & PGT_type_mask) != type ) ++ { ++ /* ++ * On type change we check to flush stale TLB entries. It is ++ * vital that no other CPUs are left with writeable mappings ++ * to a frame which is intending to become pgtable/segdesc. ++ */ ++ cpumask_t *mask = this_cpu(scratch_cpumask); ++ ++ BUG_ON(in_irq()); ++ cpumask_copy(mask, d->dirty_cpumask); ++ ++ /* Don't flush if the timestamp is old enough */ ++ tlbflush_filter(mask, page->tlbflush_timestamp); ++ ++ if ( unlikely(!cpumask_empty(mask)) && ++ /* Shadow mode: track only writable pages. */ ++ (!shadow_mode_enabled(d) || ++ ((nx & PGT_type_mask) == PGT_writable_page)) ) ++ { ++ perfc_incr(need_flush_tlb_flush); ++ /* ++ * If page was a page table make sure the flush is ++ * performed using an IPI in order to avoid changing the ++ * type of a page table page under the feet of ++ * spurious_page_fault(). ++ */ ++ flush_mask(mask, ++ (x & PGT_type_mask) && ++ (x & PGT_type_mask) <= PGT_root_page_table ++ ? FLUSH_TLB | FLUSH_FORCE_IPI ++ : FLUSH_TLB); ++ } ++ } ++ } ++ + if ( unlikely(((x & PGT_type_mask) == PGT_writable_page) != + (type == PGT_writable_page)) ) + { +@@ -3120,13 +3126,25 @@ static int _get_page_type(struct page_info *page, unsigned long type, + + if ( unlikely(!(nx & PGT_validated)) ) + { +- if ( !(x & PGT_partial) ) ++ /* ++ * No special validation needed for writable or shared pages. Page ++ * tables and GDT/LDT need to have their contents audited. ++ * ++ * per validate_page(), non-atomic updates are fine here. ++ */ ++ if ( type == PGT_writable_page || type == PGT_shared_page ) ++ page->u.inuse.type_info |= PGT_validated; ++ else + { +- page->nr_validated_ptes = 0; +- page->partial_flags = 0; +- page->linear_pt_count = 0; ++ if ( !(x & PGT_partial) ) ++ { ++ page->nr_validated_ptes = 0; ++ page->partial_flags = 0; ++ page->linear_pt_count = 0; ++ } ++ ++ rc = validate_page(page, type, preemptible); + } +- rc = validate_page(page, type, preemptible); + } + + out: diff --git a/main/xen/xsa402-4.14-1.patch b/main/xen/xsa402-4.14-1.patch new file mode 100644 index 00000000000..1446f9b5d3f --- /dev/null +++ b/main/xen/xsa402-4.14-1.patch @@ -0,0 +1,43 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/page: Introduce _PAGE_* constants for memory types + +... rather than opencoding the PAT/PCD/PWT attributes in __PAGE_HYPERVISOR_* +constants. These are going to be needed by forthcoming logic. + +No functional change. + +This is part of XSA-402. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h +index f632affaef68..52551535a991 100644 +--- a/xen/include/asm-x86/page.h ++++ b/xen/include/asm-x86/page.h +@@ -344,6 +344,14 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t); + + #define PAGE_CACHE_ATTRS (_PAGE_PAT | _PAGE_PCD | _PAGE_PWT) + ++/* Memory types, encoded under Xen's choice of MSR_PAT. */ ++#define _PAGE_WB ( 0) ++#define _PAGE_WT ( _PAGE_PWT) ++#define _PAGE_UCM ( _PAGE_PCD ) ++#define _PAGE_UC ( _PAGE_PCD | _PAGE_PWT) ++#define _PAGE_WC (_PAGE_PAT ) ++#define _PAGE_WP (_PAGE_PAT | _PAGE_PWT) ++ + /* + * Debug option: Ensure that granted mappings are not implicitly unmapped. + * WARNING: This will need to be disabled to run OSes that use the spare PTE +@@ -362,8 +370,8 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t); + #define __PAGE_HYPERVISOR_RX (_PAGE_PRESENT | _PAGE_ACCESSED) + #define __PAGE_HYPERVISOR (__PAGE_HYPERVISOR_RX | \ + _PAGE_DIRTY | _PAGE_RW) +-#define __PAGE_HYPERVISOR_UCMINUS (__PAGE_HYPERVISOR | _PAGE_PCD) +-#define __PAGE_HYPERVISOR_UC (__PAGE_HYPERVISOR | _PAGE_PCD | _PAGE_PWT) ++#define __PAGE_HYPERVISOR_UCMINUS (__PAGE_HYPERVISOR | _PAGE_UCM) ++#define __PAGE_HYPERVISOR_UC (__PAGE_HYPERVISOR | _PAGE_UC) + #define __PAGE_HYPERVISOR_SHSTK (__PAGE_HYPERVISOR_RO | _PAGE_DIRTY) + + #define MAP_SMALL_PAGES _PAGE_AVAIL0 /* don't use superpages mappings */ diff --git a/main/xen/xsa402-4.14-2.patch b/main/xen/xsa402-4.14-2.patch new file mode 100644 index 00000000000..bf01e6cdba3 --- /dev/null +++ b/main/xen/xsa402-4.14-2.patch @@ -0,0 +1,209 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86: Don't change the cacheability of the directmap + +Changeset 55f97f49b7ce ("x86: Change cache attributes of Xen 1:1 page mappings +in response to guest mapping requests") attempted to keep the cacheability +consistent between different mappings of the same page. + +The reason wasn't described in the changelog, but it is understood to be in +regards to a concern over machine check exceptions, owing to errata when using +mixed cacheabilities. It did this primarily by updating Xen's mapping of the +page in the direct map when the guest mapped a page with reduced cacheability. + +Unfortunately, the logic didn't actually prevent mixed cacheability from +occurring: + * A guest could map a page normally, and then map the same page with + different cacheability; nothing prevented this. + * The cacheability of the directmap was always latest-takes-precedence in + terms of guest requests. + * Grant-mapped frames with lesser cacheability didn't adjust the page's + cacheattr settings. + * The map_domain_page() function still unconditionally created WB mappings, + irrespective of the page's cacheattr settings. + +Additionally, update_xen_mappings() had a bug where the alias calculation was +wrong for mfn's which were .init content, which should have been treated as +fully guest pages, not Xen pages. + +Worse yet, the logic introduced a vulnerability whereby necessary +pagetable/segdesc adjustments made by Xen in the validation logic could become +non-coherent between the cache and main memory. The CPU could subsequently +operate on the stale value in the cache, rather than the safe value in main +memory. + +The directmap contains primarily mappings of RAM. PAT/MTRR conflict +resolution is asymmetric, and generally for MTRR=WB ranges, PAT of lesser +cacheability resolves to being coherent. The special case is WC mappings, +which are non-coherent against MTRR=WB regions (except for fully-coherent +CPUs). + +Xen must not have any WC cacheability in the directmap, to prevent Xen's +actions from creating non-coherency. (Guest actions creating non-coherency is +dealt with in subsequent patches.) As all memory types for MTRR=WB ranges +inter-operate coherently, so leave Xen's directmap mappings as WB. + +Only PV guests with access to devices can use reduced-cacheability mappings to +begin with, and they're trusted not to mount DoSs against the system anyway. + +Drop PGC_cacheattr_{base,mask} entirely, and the logic to manipulate them. +Shift the later PGC_* constants up, to gain 3 extra bits in the main reference +count. Retain the check in get_page_from_l1e() for special_pages() because a +guest has no business using reduced cacheability on these. + +This reverts changeset 55f97f49b7ce6c3520c555d19caac6cf3f9a5df0 + +This is CVE-2022-26363, part of XSA-402. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: George Dunlap <george.dunlap@citrix.com> + +diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c +index 0b75b6371d4b..7d3d186edbd5 100644 +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -785,24 +785,6 @@ bool is_iomem_page(mfn_t mfn) + return (page_get_owner(page) == dom_io); + } + +-static int update_xen_mappings(unsigned long mfn, unsigned int cacheattr) +-{ +- int err = 0; +- bool alias = mfn >= PFN_DOWN(xen_phys_start) && +- mfn < PFN_UP(xen_phys_start + xen_virt_end - XEN_VIRT_START); +- unsigned long xen_va = +- XEN_VIRT_START + ((mfn - PFN_DOWN(xen_phys_start)) << PAGE_SHIFT); +- +- if ( unlikely(alias) && cacheattr ) +- err = map_pages_to_xen(xen_va, _mfn(mfn), 1, 0); +- if ( !err ) +- err = map_pages_to_xen((unsigned long)mfn_to_virt(mfn), _mfn(mfn), 1, +- PAGE_HYPERVISOR | cacheattr_to_pte_flags(cacheattr)); +- if ( unlikely(alias) && !cacheattr && !err ) +- err = map_pages_to_xen(xen_va, _mfn(mfn), 1, PAGE_HYPERVISOR); +- return err; +-} +- + #ifndef NDEBUG + struct mmio_emul_range_ctxt { + const struct domain *d; +@@ -1007,47 +989,14 @@ get_page_from_l1e( + goto could_not_pin; + } + +- if ( pte_flags_to_cacheattr(l1f) != +- ((page->count_info & PGC_cacheattr_mask) >> PGC_cacheattr_base) ) ++ if ( (l1f & PAGE_CACHE_ATTRS) != _PAGE_WB && is_special_page(page) ) + { +- unsigned long x, nx, y = page->count_info; +- unsigned long cacheattr = pte_flags_to_cacheattr(l1f); +- int err; +- +- if ( is_special_page(page) ) +- { +- if ( write ) +- put_page_type(page); +- put_page(page); +- gdprintk(XENLOG_WARNING, +- "Attempt to change cache attributes of Xen heap page\n"); +- return -EACCES; +- } +- +- do { +- x = y; +- nx = (x & ~PGC_cacheattr_mask) | (cacheattr << PGC_cacheattr_base); +- } while ( (y = cmpxchg(&page->count_info, x, nx)) != x ); +- +- err = update_xen_mappings(mfn, cacheattr); +- if ( unlikely(err) ) +- { +- cacheattr = y & PGC_cacheattr_mask; +- do { +- x = y; +- nx = (x & ~PGC_cacheattr_mask) | cacheattr; +- } while ( (y = cmpxchg(&page->count_info, x, nx)) != x ); +- +- if ( write ) +- put_page_type(page); +- put_page(page); +- +- gdprintk(XENLOG_WARNING, "Error updating mappings for mfn %" PRI_mfn +- " (pfn %" PRI_pfn ", from L1 entry %" PRIpte ") for d%d\n", +- mfn, get_gpfn_from_mfn(mfn), +- l1e_get_intpte(l1e), l1e_owner->domain_id); +- return err; +- } ++ if ( write ) ++ put_page_type(page); ++ put_page(page); ++ gdprintk(XENLOG_WARNING, ++ "Attempt to change cache attributes of Xen heap page\n"); ++ return -EACCES; + } + + return 0; +@@ -2453,25 +2402,10 @@ static int mod_l4_entry(l4_pgentry_t *pl4e, + */ + static int cleanup_page_mappings(struct page_info *page) + { +- unsigned int cacheattr = +- (page->count_info & PGC_cacheattr_mask) >> PGC_cacheattr_base; + int rc = 0; + unsigned long mfn = mfn_x(page_to_mfn(page)); + + /* +- * If we've modified xen mappings as a result of guest cache +- * attributes, restore them to the "normal" state. +- */ +- if ( unlikely(cacheattr) ) +- { +- page->count_info &= ~PGC_cacheattr_mask; +- +- BUG_ON(is_special_page(page)); +- +- rc = update_xen_mappings(mfn, 0); +- } +- +- /* + * If this may be in a PV domain's IOMMU, remove it. + * + * NB that writable xenheap pages have their type set and cleared by +diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h +index 7e74996053b0..7a2093da5977 100644 +--- a/xen/include/asm-x86/mm.h ++++ b/xen/include/asm-x86/mm.h +@@ -64,25 +64,22 @@ + /* Set when is using a page as a page table */ + #define _PGC_page_table PG_shift(3) + #define PGC_page_table PG_mask(1, 3) +- /* 3-bit PAT/PCD/PWT cache-attribute hint. */ +-#define PGC_cacheattr_base PG_shift(6) +-#define PGC_cacheattr_mask PG_mask(7, 6) + /* Page is broken? */ +-#define _PGC_broken PG_shift(7) +-#define PGC_broken PG_mask(1, 7) ++#define _PGC_broken PG_shift(4) ++#define PGC_broken PG_mask(1, 4) + /* Mutually-exclusive page states: { inuse, offlining, offlined, free }. */ +-#define PGC_state PG_mask(3, 9) +-#define PGC_state_inuse PG_mask(0, 9) +-#define PGC_state_offlining PG_mask(1, 9) +-#define PGC_state_offlined PG_mask(2, 9) +-#define PGC_state_free PG_mask(3, 9) ++#define PGC_state PG_mask(3, 6) ++#define PGC_state_inuse PG_mask(0, 6) ++#define PGC_state_offlining PG_mask(1, 6) ++#define PGC_state_offlined PG_mask(2, 6) ++#define PGC_state_free PG_mask(3, 6) + #define page_state_is(pg, st) (((pg)->count_info&PGC_state) == PGC_state_##st) + /* Page is not reference counted */ +-#define _PGC_extra PG_shift(10) +-#define PGC_extra PG_mask(1, 10) ++#define _PGC_extra PG_shift(7) ++#define PGC_extra PG_mask(1, 7) + + /* Count of references to this frame. */ +-#define PGC_count_width PG_shift(10) ++#define PGC_count_width PG_shift(7) + #define PGC_count_mask ((1UL<<PGC_count_width)-1) + + /* diff --git a/main/xen/xsa402-4.14-3.patch b/main/xen/xsa402-4.14-3.patch new file mode 100644 index 00000000000..e5d4e14db66 --- /dev/null +++ b/main/xen/xsa402-4.14-3.patch @@ -0,0 +1,266 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86: Split cache_flush() out of cache_writeback() + +Subsequent changes will want a fully flushing version. + +Use the new helper rather than opencoding it in flush_area_local(). This +resolves an outstanding issue where the conditional sfence is on the wrong +side of the clflushopt loop. clflushopt is ordered with respect to older +stores, not to younger stores. + +Rename gnttab_cache_flush()'s helper to avoid colliding in name. +grant_table.c can see the prototype from cache.h so the build fails +otherwise. + +This is part of XSA-402. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +Xen 4.16 and earlier: + * Also backport half of c/s 3330013e67396 "VT-d / x86: re-arrange cache + syncing" to split cache_writeback() out of the IOMMU logic, but without the + associated hooks changes. + +diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c +index 25798df50f54..0c912b8669f8 100644 +--- a/xen/arch/x86/flushtlb.c ++++ b/xen/arch/x86/flushtlb.c +@@ -234,7 +234,7 @@ unsigned int flush_area_local(const void *va, unsigned int flags) + if ( flags & FLUSH_CACHE ) + { + const struct cpuinfo_x86 *c = ¤t_cpu_data; +- unsigned long i, sz = 0; ++ unsigned long sz = 0; + + if ( order < (BITS_PER_LONG - PAGE_SHIFT) ) + sz = 1UL << (order + PAGE_SHIFT); +@@ -244,13 +244,7 @@ unsigned int flush_area_local(const void *va, unsigned int flags) + c->x86_clflush_size && c->x86_cache_size && sz && + ((sz >> 10) < c->x86_cache_size) ) + { +- alternative("", "sfence", X86_FEATURE_CLFLUSHOPT); +- for ( i = 0; i < sz; i += c->x86_clflush_size ) +- alternative_input(".byte " __stringify(NOP_DS_PREFIX) ";" +- " clflush %0", +- "data16 clflush %0", /* clflushopt */ +- X86_FEATURE_CLFLUSHOPT, +- "m" (((const char *)va)[i])); ++ cache_flush(va, sz); + flags &= ~FLUSH_CACHE; + } + else +@@ -265,6 +259,80 @@ unsigned int flush_area_local(const void *va, unsigned int flags) + return flags; + } + ++void cache_flush(const void *addr, unsigned int size) ++{ ++ /* ++ * This function may be called before current_cpu_data is established. ++ * Hence a fallback is needed to prevent the loop below becoming infinite. ++ */ ++ unsigned int clflush_size = current_cpu_data.x86_clflush_size ?: 16; ++ const void *end = addr + size; ++ ++ addr -= (unsigned long)addr & (clflush_size - 1); ++ for ( ; addr < end; addr += clflush_size ) ++ { ++ /* ++ * Note regarding the "ds" prefix use: it's faster to do a clflush ++ * + prefix than a clflush + nop, and hence the prefix is added instead ++ * of letting the alternative framework fill the gap by appending nops. ++ */ ++ alternative_io("ds; clflush %[p]", ++ "data16 clflush %[p]", /* clflushopt */ ++ X86_FEATURE_CLFLUSHOPT, ++ /* no outputs */, ++ [p] "m" (*(const char *)(addr))); ++ } ++ ++ alternative("", "sfence", X86_FEATURE_CLFLUSHOPT); ++} ++ ++void cache_writeback(const void *addr, unsigned int size) ++{ ++ unsigned int clflush_size; ++ const void *end = addr + size; ++ ++ /* Fall back to CLFLUSH{,OPT} when CLWB isn't available. */ ++ if ( !boot_cpu_has(X86_FEATURE_CLWB) ) ++ return cache_flush(addr, size); ++ ++ /* ++ * This function may be called before current_cpu_data is established. ++ * Hence a fallback is needed to prevent the loop below becoming infinite. ++ */ ++ clflush_size = current_cpu_data.x86_clflush_size ?: 16; ++ addr -= (unsigned long)addr & (clflush_size - 1); ++ for ( ; addr < end; addr += clflush_size ) ++ { ++/* ++ * The arguments to a macro must not include preprocessor directives. Doing so ++ * results in undefined behavior, so we have to create some defines here in ++ * order to avoid it. ++ */ ++#if defined(HAVE_AS_CLWB) ++# define CLWB_ENCODING "clwb %[p]" ++#elif defined(HAVE_AS_XSAVEOPT) ++# define CLWB_ENCODING "data16 xsaveopt %[p]" /* clwb */ ++#else ++# define CLWB_ENCODING ".byte 0x66, 0x0f, 0xae, 0x30" /* clwb (%%rax) */ ++#endif ++ ++#define BASE_INPUT(addr) [p] "m" (*(const char *)(addr)) ++#if defined(HAVE_AS_CLWB) || defined(HAVE_AS_XSAVEOPT) ++# define INPUT BASE_INPUT ++#else ++# define INPUT(addr) "a" (addr), BASE_INPUT(addr) ++#endif ++ ++ asm volatile (CLWB_ENCODING :: INPUT(addr)); ++ ++#undef INPUT ++#undef BASE_INPUT ++#undef CLWB_ENCODING ++ } ++ ++ asm volatile ("sfence" ::: "memory"); ++} ++ + unsigned int guest_flush_tlb_flags(const struct domain *d) + { + bool shadow = paging_mode_shadow(d); +diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c +index 71ee5c6ec511..34498d465285 100644 +--- a/xen/common/grant_table.c ++++ b/xen/common/grant_table.c +@@ -3440,7 +3440,7 @@ gnttab_swap_grant_ref(XEN_GUEST_HANDLE_PARAM(gnttab_swap_grant_ref_t) uop, + return 0; + } + +-static int cache_flush(const gnttab_cache_flush_t *cflush, grant_ref_t *cur_ref) ++static int _cache_flush(const gnttab_cache_flush_t *cflush, grant_ref_t *cur_ref) + { + struct domain *d, *owner; + struct page_info *page; +@@ -3534,7 +3534,7 @@ gnttab_cache_flush(XEN_GUEST_HANDLE_PARAM(gnttab_cache_flush_t) uop, + return -EFAULT; + for ( ; ; ) + { +- int ret = cache_flush(&op, cur_ref); ++ int ret = _cache_flush(&op, cur_ref); + + if ( ret < 0 ) + return ret; +diff --git a/xen/drivers/passthrough/vtd/extern.h b/xen/drivers/passthrough/vtd/extern.h +index fbe951b2fad0..3defe9677f06 100644 +--- a/xen/drivers/passthrough/vtd/extern.h ++++ b/xen/drivers/passthrough/vtd/extern.h +@@ -77,7 +77,6 @@ int __must_check qinval_device_iotlb_sync(struct vtd_iommu *iommu, + struct pci_dev *pdev, + u16 did, u16 size, u64 addr); + +-unsigned int get_cache_line_size(void); + void flush_all_cache(void); + + uint64_t alloc_pgtable_maddr(unsigned long npages, nodeid_t node); +diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c +index cc088cd9ff20..3bd17a4a24a2 100644 +--- a/xen/drivers/passthrough/vtd/iommu.c ++++ b/xen/drivers/passthrough/vtd/iommu.c +@@ -31,6 +31,7 @@ + #include <xen/pci.h> + #include <xen/pci_regs.h> + #include <xen/keyhandler.h> ++#include <asm/cache.h> + #include <asm/msi.h> + #include <asm/nops.h> + #include <asm/irq.h> +@@ -207,53 +208,10 @@ static int iommus_incoherent; + + static void sync_cache(const void *addr, unsigned int size) + { +- static unsigned long clflush_size = 0; +- const void *end = addr + size; +- + if ( !iommus_incoherent ) + return; + +- if ( clflush_size == 0 ) +- clflush_size = get_cache_line_size(); +- +- addr -= (unsigned long)addr & (clflush_size - 1); +- for ( ; addr < end; addr += clflush_size ) +-/* +- * The arguments to a macro must not include preprocessor directives. Doing so +- * results in undefined behavior, so we have to create some defines here in +- * order to avoid it. +- */ +-#if defined(HAVE_AS_CLWB) +-# define CLWB_ENCODING "clwb %[p]" +-#elif defined(HAVE_AS_XSAVEOPT) +-# define CLWB_ENCODING "data16 xsaveopt %[p]" /* clwb */ +-#else +-# define CLWB_ENCODING ".byte 0x66, 0x0f, 0xae, 0x30" /* clwb (%%rax) */ +-#endif +- +-#define BASE_INPUT(addr) [p] "m" (*(const char *)(addr)) +-#if defined(HAVE_AS_CLWB) || defined(HAVE_AS_XSAVEOPT) +-# define INPUT BASE_INPUT +-#else +-# define INPUT(addr) "a" (addr), BASE_INPUT(addr) +-#endif +- /* +- * Note regarding the use of NOP_DS_PREFIX: it's faster to do a clflush +- * + prefix than a clflush + nop, and hence the prefix is added instead +- * of letting the alternative framework fill the gap by appending nops. +- */ +- alternative_io_2(".byte " __stringify(NOP_DS_PREFIX) "; clflush %[p]", +- "data16 clflush %[p]", /* clflushopt */ +- X86_FEATURE_CLFLUSHOPT, +- CLWB_ENCODING, +- X86_FEATURE_CLWB, /* no outputs */, +- INPUT(addr)); +-#undef INPUT +-#undef BASE_INPUT +-#undef CLWB_ENCODING +- +- alternative_2("", "sfence", X86_FEATURE_CLFLUSHOPT, +- "sfence", X86_FEATURE_CLWB); ++ cache_writeback(addr, size); + } + + /* Allocate page table, return its machine address */ +diff --git a/xen/drivers/passthrough/vtd/x86/vtd.c b/xen/drivers/passthrough/vtd/x86/vtd.c +index bbe358dc36c7..bb08a55e294a 100644 +--- a/xen/drivers/passthrough/vtd/x86/vtd.c ++++ b/xen/drivers/passthrough/vtd/x86/vtd.c +@@ -47,11 +47,6 @@ void unmap_vtd_domain_page(void *va) + unmap_domain_page(va); + } + +-unsigned int get_cache_line_size(void) +-{ +- return ((cpuid_ebx(1) >> 8) & 0xff) * 8; +-} +- + void flush_all_cache() + { + wbinvd(); +diff --git a/xen/include/asm-x86/cache.h b/xen/include/asm-x86/cache.h +index 1f7173d8c72c..e4770efb22b9 100644 +--- a/xen/include/asm-x86/cache.h ++++ b/xen/include/asm-x86/cache.h +@@ -11,4 +11,11 @@ + + #define __read_mostly __section(".data.read_mostly") + ++#ifndef __ASSEMBLY__ ++ ++void cache_flush(const void *addr, unsigned int size); ++void cache_writeback(const void *addr, unsigned int size); ++ ++#endif ++ + #endif diff --git a/main/xen/xsa402-4.14-4.patch b/main/xen/xsa402-4.14-4.patch new file mode 100644 index 00000000000..cb9330be8c6 --- /dev/null +++ b/main/xen/xsa402-4.14-4.patch @@ -0,0 +1,83 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/amd: Work around CLFLUSH ordering on older parts + +On pre-CLFLUSHOPT AMD CPUs, CLFLUSH is weakely ordered with everything, +including reads and writes to the address, and LFENCE/SFENCE instructions. + +This creates a multitude of problematic corner cases, laid out in the manual. +Arrange to use MFENCE on both sides of the CLFLUSH to force proper ordering. + +This is part of XSA-402. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c +index 2ef59e22dc31..142f34af5f70 100644 +--- a/xen/arch/x86/cpu/amd.c ++++ b/xen/arch/x86/cpu/amd.c +@@ -787,6 +787,14 @@ static void init_amd(struct cpuinfo_x86 *c) + if (!cpu_has_lfence_dispatch) + __set_bit(X86_FEATURE_MFENCE_RDTSC, c->x86_capability); + ++ /* ++ * On pre-CLFLUSHOPT AMD CPUs, CLFLUSH is weakly ordered with ++ * everything, including reads and writes to address, and ++ * LFENCE/SFENCE instructions. ++ */ ++ if (!cpu_has_clflushopt) ++ setup_force_cpu_cap(X86_BUG_CLFLUSH_MFENCE); ++ + switch(c->x86) + { + case 0xf ... 0x11: +diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c +index 0c912b8669f8..dcbb4064012e 100644 +--- a/xen/arch/x86/flushtlb.c ++++ b/xen/arch/x86/flushtlb.c +@@ -259,6 +259,13 @@ unsigned int flush_area_local(const void *va, unsigned int flags) + return flags; + } + ++/* ++ * On pre-CLFLUSHOPT AMD CPUs, CLFLUSH is weakly ordered with everything, ++ * including reads and writes to address, and LFENCE/SFENCE instructions. ++ * ++ * This function only works safely after alternatives have run. Luckily, at ++ * the time of writing, we don't flush the caches that early. ++ */ + void cache_flush(const void *addr, unsigned int size) + { + /* +@@ -268,6 +275,8 @@ void cache_flush(const void *addr, unsigned int size) + unsigned int clflush_size = current_cpu_data.x86_clflush_size ?: 16; + const void *end = addr + size; + ++ alternative("", "mfence", X86_BUG_CLFLUSH_MFENCE); ++ + addr -= (unsigned long)addr & (clflush_size - 1); + for ( ; addr < end; addr += clflush_size ) + { +@@ -283,7 +292,9 @@ void cache_flush(const void *addr, unsigned int size) + [p] "m" (*(const char *)(addr))); + } + +- alternative("", "sfence", X86_FEATURE_CLFLUSHOPT); ++ alternative_2("", ++ "sfence", X86_FEATURE_CLFLUSHOPT, ++ "mfence", X86_BUG_CLFLUSH_MFENCE); + } + + void cache_writeback(const void *addr, unsigned int size) +diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h +index fe2f97354fb6..09f619459bc7 100644 +--- a/xen/include/asm-x86/cpufeatures.h ++++ b/xen/include/asm-x86/cpufeatures.h +@@ -46,6 +46,7 @@ XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch + #define X86_BUG(x) ((FSCAPINTS + X86_NR_SYNTH) * 32 + (x)) + + #define X86_BUG_FPU_PTRS X86_BUG( 0) /* (F)X{SAVE,RSTOR} doesn't save/restore FOP/FIP/FDP. */ ++#define X86_BUG_CLFLUSH_MFENCE X86_BUG( 2) /* MFENCE needed to serialise CLFLUSH */ + + /* Total number of capability words, inc synth and bug words. */ + #define NCAPINTS (FSCAPINTS + X86_NR_SYNTH + X86_NR_BUG) /* N 32-bit words worth of info */ diff --git a/main/xen/xsa402-4.14-5.patch b/main/xen/xsa402-4.14-5.patch new file mode 100644 index 00000000000..7b6ad6ad4bb --- /dev/null +++ b/main/xen/xsa402-4.14-5.patch @@ -0,0 +1,148 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/pv: Track and flush non-coherent mappings of RAM + +There are legitimate uses of WC mappings of RAM, e.g. for DMA buffers with +devices that make non-coherent writes. The Linux sound subsystem makes +extensive use of this technique. + +For such usecases, the guest's DMA buffer is mapped and consistently used as +WC, and Xen doesn't interact with the buffer. + +However, a mischevious guest can use WC mappings to deliberately create +non-coherency between the cache and RAM, and use this to trick Xen into +validating a pagetable which isn't actually safe. + +Allocate a new PGT_non_coherent to track the non-coherency of mappings. Set +it whenever a non-coherent writeable mapping is created. If the page is used +as anything other than PGT_writable_page, force a cache flush before +validation. Also force a cache flush before the page is returned to the heap. + +This is CVE-2022-26364, part of XSA-402. + +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: George Dunlap <george.dunlap@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c +index 7d3d186edbd5..4d6b04c1cf31 100644 +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -999,6 +999,15 @@ get_page_from_l1e( + return -EACCES; + } + ++ /* ++ * Track writeable non-coherent mappings to RAM pages, to trigger a cache ++ * flush later if the target is used as anything but a PGT_writeable page. ++ * We care about all writeable mappings, including foreign mappings. ++ */ ++ if ( !boot_cpu_has(X86_FEATURE_XEN_SELFSNOOP) && ++ (l1f & (PAGE_CACHE_ATTRS | _PAGE_RW)) == (_PAGE_WC | _PAGE_RW) ) ++ set_bit(_PGT_non_coherent, &page->u.inuse.type_info); ++ + return 0; + + could_not_pin: +@@ -2444,6 +2453,19 @@ static int cleanup_page_mappings(struct page_info *page) + } + } + ++ /* ++ * Flush the cache if there were previously non-coherent writeable ++ * mappings of this page. This forces the page to be coherent before it ++ * is freed back to the heap. ++ */ ++ if ( __test_and_clear_bit(_PGT_non_coherent, &page->u.inuse.type_info) ) ++ { ++ void *addr = __map_domain_page(page); ++ ++ cache_flush(addr, PAGE_SIZE); ++ unmap_domain_page(addr); ++ } ++ + return rc; + } + +@@ -3016,6 +3038,22 @@ static int _get_page_type(struct page_info *page, unsigned long type, + if ( unlikely(!(nx & PGT_validated)) ) + { + /* ++ * Flush the cache if there were previously non-coherent mappings of ++ * this page, and we're trying to use it as anything other than a ++ * writeable page. This forces the page to be coherent before we ++ * validate its contents for safety. ++ */ ++ if ( (nx & PGT_non_coherent) && type != PGT_writable_page ) ++ { ++ void *addr = __map_domain_page(page); ++ ++ cache_flush(addr, PAGE_SIZE); ++ unmap_domain_page(addr); ++ ++ page->u.inuse.type_info &= ~PGT_non_coherent; ++ } ++ ++ /* + * No special validation needed for writable or shared pages. Page + * tables and GDT/LDT need to have their contents audited. + * +diff --git a/xen/arch/x86/pv/grant_table.c b/xen/arch/x86/pv/grant_table.c +index 0325618c9883..81c72e61ed55 100644 +--- a/xen/arch/x86/pv/grant_table.c ++++ b/xen/arch/x86/pv/grant_table.c +@@ -109,7 +109,17 @@ int create_grant_pv_mapping(uint64_t addr, mfn_t frame, + + ol1e = *pl1e; + if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, curr, 0) ) ++ { ++ /* ++ * We always create mappings in this path. However, our caller, ++ * map_grant_ref(), only passes potentially non-zero cache_flags for ++ * MMIO frames, so this path doesn't create non-coherent mappings of ++ * RAM frames and there's no need to calculate PGT_non_coherent. ++ */ ++ ASSERT(!cache_flags || is_iomem_page(frame)); ++ + rc = GNTST_okay; ++ } + + out_unlock: + page_unlock(page); +@@ -294,7 +304,18 @@ int replace_grant_pv_mapping(uint64_t addr, mfn_t frame, + l1e_get_flags(ol1e), addr, grant_pte_flags); + + if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, curr, 0) ) ++ { ++ /* ++ * Generally, replace_grant_pv_mapping() is used to destroy mappings ++ * (n1le = l1e_empty()), but it can be a present mapping on the ++ * GNTABOP_unmap_and_replace path. ++ * ++ * In such cases, the PTE is fully transplanted from its old location ++ * via steal_linear_addr(), so we need not perform PGT_non_coherent ++ * checking here. ++ */ + rc = GNTST_okay; ++ } + + out_unlock: + page_unlock(page); +diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h +index 7a2093da5977..4c814abaa028 100644 +--- a/xen/include/asm-x86/mm.h ++++ b/xen/include/asm-x86/mm.h +@@ -48,8 +48,12 @@ + #define _PGT_partial PG_shift(8) + #define PGT_partial PG_mask(1, 8) + ++/* Has this page been mapped writeable with a non-coherent memory type? */ ++#define _PGT_non_coherent PG_shift(9) ++#define PGT_non_coherent PG_mask(1, 9) ++ + /* Count of uses of this frame as its current type. */ +-#define PGT_count_width PG_shift(8) ++#define PGT_count_width PG_shift(9) + #define PGT_count_mask ((1UL<<PGT_count_width)-1) + + /* Are the 'type mask' bits identical? */ diff --git a/main/xen/xsa403-4.14-1.patch b/main/xen/xsa403-4.14-1.patch new file mode 100644 index 00000000000..455eb0b9a30 --- /dev/null +++ b/main/xen/xsa403-4.14-1.patch @@ -0,0 +1,56 @@ +From 340cb938b957a2baaaee1700a882148dc4c788bc Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne <roger.pau@citrix.com> +Date: Thu, 30 Jun 2022 14:35:35 +0200 +Subject: [PATCH] tools/libxl: env variable to signal whether disk/nic backend + is trusted +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Introduce support in libxl for fetching the default backend trusted +option for disk and nic devices. + +Users can set libxl_{disk,nic}_backend_untrusted environment variable +to notify libxl of whether the backends for disk and nic devices +should be trusted. Such information is passed into the frontend so it +can take the appropriate measures. + +This is part of XSA-403. + +Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> +--- + tools/libxl/libxl_disk.c | 3 +++ + tools/libxl/libxl_nic.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/tools/libxl/libxl_disk.c b/tools/libxl/libxl_disk.c +index ddc1eec176..36862bbbcb 100644 +--- a/tools/libxl/libxl_disk.c ++++ b/tools/libxl/libxl_disk.c +@@ -395,6 +395,9 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid, + flexarray_append(front, GCSPRINTF("%d", device->devid)); + flexarray_append(front, "device-type"); + flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk"); ++ flexarray_append(front, "trusted"); ++ flexarray_append(front, getenv("libxl_disk_backend_untrusted") ? "0" ++ : "1"); + + /* + * Old PV kernel disk frontends before 2.6.26 rely on tool stack to +diff --git a/tools/libxl/libxl_nic.c b/tools/libxl/libxl_nic.c +index 07880b39e1..4d09fb8b46 100644 +--- a/tools/libxl/libxl_nic.c ++++ b/tools/libxl/libxl_nic.c +@@ -237,6 +237,9 @@ static int libxl__set_xenstore_nic(libxl__gc *gc, uint32_t domid, + flexarray_append(front, GCSPRINTF( + LIBXL_MAC_FMT, LIBXL_MAC_BYTES(nic->mac))); + ++ flexarray_append(front, "trusted"); ++ flexarray_append(front, getenv("libxl_nic_backend_untrusted") ? "0" : "1"); ++ + return 0; + } + +-- +2.37.0 + diff --git a/main/xen/xsa404-4.14-1.patch b/main/xen/xsa404-4.14-1.patch new file mode 100644 index 00000000000..2c40a0ee43c --- /dev/null +++ b/main/xen/xsa404-4.14-1.patch @@ -0,0 +1,239 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Make VERW flushing runtime conditional + +Currently, VERW flushing to mitigate MDS is boot time conditional per domain +type. However, to provide mitigations for DRPW (CVE-2022-21166), we need to +conditionally use VERW based on the trustworthiness of the guest, and the +devices passed through. + +Remove the PV/HVM alternatives and instead issue a VERW on the return-to-guest +path depending on the SCF_verw bit in cpuinfo spec_ctrl_flags. + +Introduce spec_ctrl_init_domain() and d->arch.verw to calculate the VERW +disposition at domain creation time, and context switch the SCF_verw bit. + +For now, VERW flushing is used and controlled exactly as before, but later +patches will add per-domain cases too. + +No change in behaviour. + +This is part of XSA-404. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index 5467ae7168ff..ad85785e14b3 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2129,9 +2129,8 @@ in place for guests to use. + Use of a positive boolean value for either of these options is invalid. + + The booleans `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` offer fine +-grained control over the alternative blocks used by Xen. These impact Xen's +-ability to protect itself, and Xen's ability to virtualise support for guests +-to use. ++grained control over the primitives by Xen. These impact Xen's ability to ++protect itself, and Xen's ability to virtualise support for guests to use. + + * `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests + respectively. +diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c +index 3da81ebf1d41..5ea5ef6ba037 100644 +--- a/xen/arch/x86/domain.c ++++ b/xen/arch/x86/domain.c +@@ -651,6 +651,8 @@ int arch_domain_create(struct domain *d, + + domain_cpu_policy_changed(d); + ++ spec_ctrl_init_domain(d); ++ + return 0; + + fail: +@@ -1763,14 +1765,15 @@ static void __context_switch(void) + void context_switch(struct vcpu *prev, struct vcpu *next) + { + unsigned int cpu = smp_processor_id(); ++ struct cpu_info *info = get_cpu_info(); + const struct domain *prevd = prev->domain, *nextd = next->domain; + unsigned int dirty_cpu = read_atomic(&next->dirty_cpu); + + ASSERT(prev != next); + ASSERT(local_irq_is_enabled()); + +- get_cpu_info()->use_pv_cr3 = false; +- get_cpu_info()->xen_cr3 = 0; ++ info->use_pv_cr3 = false; ++ info->xen_cr3 = 0; + + if ( unlikely(dirty_cpu != cpu) && dirty_cpu != VCPU_CPU_CLEAN ) + { +@@ -1834,6 +1837,11 @@ void context_switch(struct vcpu *prev, struct vcpu *next) + *last_id = next_id; + } + } ++ ++ /* Update the top-of-stack block with the VERW disposition. */ ++ info->spec_ctrl_flags &= ~SCF_verw; ++ if ( nextd->arch.verw ) ++ info->spec_ctrl_flags |= SCF_verw; + } + + sched_context_switched(prev, next); +diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S +index 49651f3c435a..5f5de45a1309 100644 +--- a/xen/arch/x86/hvm/vmx/entry.S ++++ b/xen/arch/x86/hvm/vmx/entry.S +@@ -87,7 +87,7 @@ UNLIKELY_END(realmode) + + /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ + /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ +- ALTERNATIVE "", __stringify(verw CPUINFO_verw_sel(%rsp)), X86_FEATURE_SC_VERW_HVM ++ DO_SPEC_CTRL_COND_VERW + + mov VCPU_hvm_guest_cr2(%rbx),%rax + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 1e226102d399..b4efc940aa2b 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -36,8 +36,8 @@ static bool __initdata opt_msr_sc_pv = true; + static bool __initdata opt_msr_sc_hvm = true; + static bool __initdata opt_rsb_pv = true; + static bool __initdata opt_rsb_hvm = true; +-static int8_t __initdata opt_md_clear_pv = -1; +-static int8_t __initdata opt_md_clear_hvm = -1; ++static int8_t __read_mostly opt_md_clear_pv = -1; ++static int8_t __read_mostly opt_md_clear_hvm = -1; + + /* Cmdline controls for Xen's speculative settings. */ + static enum ind_thunk { +@@ -903,6 +903,13 @@ static __init void mds_calculations(uint64_t caps) + } + } + ++void spec_ctrl_init_domain(struct domain *d) ++{ ++ bool pv = is_pv_domain(d); ++ ++ d->arch.verw = pv ? opt_md_clear_pv : opt_md_clear_hvm; ++} ++ + void __init init_speculation_mitigations(void) + { + enum ind_thunk thunk = THUNK_DEFAULT; +@@ -1148,21 +1155,20 @@ void __init init_speculation_mitigations(void) + boot_cpu_has(X86_FEATURE_MD_CLEAR)); + + /* +- * Enable MDS defences as applicable. The PV blocks need using all the +- * time, and the Idle blocks need using if either PV or HVM defences are +- * used. ++ * Enable MDS defences as applicable. The Idle blocks need using if ++ * either PV or HVM defences are used. + * + * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with +- * equivelent semantics to avoid needing to perform both flushes on the +- * HVM path. The HVM blocks don't need activating if our hypervisor told +- * us it was handling L1D_FLUSH, or we are using L1D_FLUSH ourselves. ++ * equivalent semantics to avoid needing to perform both flushes on the ++ * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH. ++ * ++ * After calculating the appropriate idle setting, simplify ++ * opt_md_clear_hvm to mean just "should we VERW on the way into HVM ++ * guests", so spec_ctrl_init_domain() can calculate suitable settings. + */ +- if ( opt_md_clear_pv ) +- setup_force_cpu_cap(X86_FEATURE_SC_VERW_PV); + if ( opt_md_clear_pv || opt_md_clear_hvm ) + setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); +- if ( opt_md_clear_hvm && !(caps & ARCH_CAPS_SKIP_L1DFL) && !opt_l1d_flush ) +- setup_force_cpu_cap(X86_FEATURE_SC_VERW_HVM); ++ opt_md_clear_hvm &= !(caps & ARCH_CAPS_SKIP_L1DFL) && !opt_l1d_flush; + + /* + * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT +diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h +index 09f619459bc7..9eaab7a2a1fa 100644 +--- a/xen/include/asm-x86/cpufeatures.h ++++ b/xen/include/asm-x86/cpufeatures.h +@@ -35,8 +35,7 @@ XEN_CPUFEATURE(SC_RSB_HVM, X86_SYNTH(19)) /* RSB overwrite needed for HVM + XEN_CPUFEATURE(XEN_SELFSNOOP, X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */ + XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* (SC_MSR_PV || SC_MSR_HVM) && default_xen_spec_ctrl */ + XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */ +-XEN_CPUFEATURE(SC_VERW_PV, X86_SYNTH(23)) /* VERW used by Xen for PV */ +-XEN_CPUFEATURE(SC_VERW_HVM, X86_SYNTH(24)) /* VERW used by Xen for HVM */ ++/* Bits 23,24 unused. */ + XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ + XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */ + XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */ +diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h +index 0db551bff344..4ee76bba45da 100644 +--- a/xen/include/asm-x86/domain.h ++++ b/xen/include/asm-x86/domain.h +@@ -308,6 +308,9 @@ struct arch_domain + uint32_t pci_cf8; + uint8_t cmos_idx; + ++ /* Use VERW on return-to-guest for its flushing side effect. */ ++ bool verw; ++ + union { + struct pv_domain pv; + struct hvm_domain hvm; +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 9caecddfec96..68f6c46c470c 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -24,6 +24,7 @@ + #define SCF_use_shadow (1 << 0) + #define SCF_ist_wrmsr (1 << 1) + #define SCF_ist_rsb (1 << 2) ++#define SCF_verw (1 << 3) + + #ifndef __ASSEMBLY__ + +@@ -32,6 +33,7 @@ + #include <asm/msr-index.h> + + void init_speculation_mitigations(void); ++void spec_ctrl_init_domain(struct domain *d); + + extern bool opt_ibpb; + extern bool opt_ssbd; +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 02b3b18ce69f..5a590bac44aa 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -136,6 +136,19 @@ + #endif + .endm + ++.macro DO_SPEC_CTRL_COND_VERW ++/* ++ * Requires %rsp=cpuinfo ++ * ++ * Issue a VERW for its flushing side effect, if indicated. This is a Spectre ++ * v1 gadget, but the IRET/VMEntry is serialising. ++ */ ++ testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) ++ jz .L\@_verw_skip ++ verw CPUINFO_verw_sel(%rsp) ++.L\@_verw_skip: ++.endm ++ + .macro DO_SPEC_CTRL_ENTRY maybexen:req + /* + * Requires %rsp=regs (also cpuinfo if !maybexen) +@@ -231,8 +244,7 @@ + #define SPEC_CTRL_EXIT_TO_PV \ + ALTERNATIVE "", \ + DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV; \ +- ALTERNATIVE "", __stringify(verw CPUINFO_verw_sel(%rsp)), \ +- X86_FEATURE_SC_VERW_PV ++ DO_SPEC_CTRL_COND_VERW + + /* + * Use in IST interrupt/exception context. May interrupt Xen or PV context. diff --git a/main/xen/xsa404-4.14-2.patch b/main/xen/xsa404-4.14-2.patch new file mode 100644 index 00000000000..6ead4618c23 --- /dev/null +++ b/main/xen/xsa404-4.14-2.patch @@ -0,0 +1,85 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Enumeration for MMIO Stale Data controls + +The three *_NO bits indicate non-susceptibility to the SSDP, FBSDP and PSDP +data movement primitives. + +FB_CLEAR indicates that the VERW instruction has re-gained it's Fill Buffer +flushing side effect. This is only enumerated on parts where VERW had +previously lost it's flushing side effect due to the MDS/TAA vulnerabilities +being fixed in hardware. + +FB_CLEAR_CTRL is available on a subset of FB_CLEAR parts where the Fill Buffer +clearing side effect of VERW can be turned off for performance reasons. + +This is part of XSA-404. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index b4efc940aa2b..38e0cc2847e0 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -323,7 +323,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + * Hardware read-only information, stating immunity to certain issues, or + * suggestions of which mitigation to use. + */ +- printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s\n", ++ printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", + (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", + (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", +@@ -332,13 +332,16 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "", + (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "", + (caps & ARCH_CAPS_TAA_NO) ? " TAA_NO" : "", ++ (caps & ARCH_CAPS_SBDR_SSDP_NO) ? " SBDR_SSDP_NO" : "", ++ (caps & ARCH_CAPS_FBSDP_NO) ? " FBSDP_NO" : "", ++ (caps & ARCH_CAPS_PSDP_NO) ? " PSDP_NO" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : ""); + + /* Hardware features which need driving to mitigate issues. */ +- printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s\n", ++ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", + (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || + (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || +@@ -353,7 +356,9 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", + (_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL" : "", + (e8b & cpufeat_mask(X86_FEATURE_VIRT_SSBD)) ? " VIRT_SSBD" : "", +- (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : ""); ++ (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", ++ (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", ++ (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : ""); + + /* Compiled-in support which pertains to mitigations. */ + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) +diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h +index 7a39d94b9a70..c8670eab8ef5 100644 +--- a/xen/include/asm-x86/msr-index.h ++++ b/xen/include/asm-x86/msr-index.h +@@ -56,6 +56,11 @@ + #define ARCH_CAPS_IF_PSCHANGE_MC_NO (_AC(1, ULL) << 6) + #define ARCH_CAPS_TSX_CTRL (_AC(1, ULL) << 7) + #define ARCH_CAPS_TAA_NO (_AC(1, ULL) << 8) ++#define ARCH_CAPS_SBDR_SSDP_NO (_AC(1, ULL) << 13) ++#define ARCH_CAPS_FBSDP_NO (_AC(1, ULL) << 14) ++#define ARCH_CAPS_PSDP_NO (_AC(1, ULL) << 15) ++#define ARCH_CAPS_FB_CLEAR (_AC(1, ULL) << 17) ++#define ARCH_CAPS_FB_CLEAR_CTRL (_AC(1, ULL) << 18) + + #define MSR_FLUSH_CMD 0x0000010b + #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) +@@ -73,6 +78,7 @@ + #define MCU_OPT_CTRL_RNGDS_MITG_DIS (_AC(1, ULL) << 0) + #define MCU_OPT_CTRL_RTM_ALLOW (_AC(1, ULL) << 1) + #define MCU_OPT_CTRL_RTM_LOCKED (_AC(1, ULL) << 2) ++#define MCU_OPT_CTRL_FB_CLEAR_DIS (_AC(1, ULL) << 3) + + #define MSR_RTIT_OUTPUT_BASE 0x00000560 + #define MSR_RTIT_OUTPUT_MASK 0x00000561 diff --git a/main/xen/xsa404-4.14-3.patch b/main/xen/xsa404-4.14-3.patch new file mode 100644 index 00000000000..5fe549e07e3 --- /dev/null +++ b/main/xen/xsa404-4.14-3.patch @@ -0,0 +1,177 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Add spec-ctrl=unpriv-mmio + +Per Xen's support statement, PCI passthrough should be to trusted domains +because the overall system security depends on factors outside of Xen's +control. + +As such, Xen, in a supported configuration, is not vulnerable to DRPW/SBDR. + +However, users who have risk assessed their configuration may be happy with +the risk of DoS, but unhappy with the risk of cross-domain data leakage. Such +users should enable this option. + +On CPUs vulnerable to MDS, the existing mitigations are the best we can do to +mitigate MMIO cross-domain data leakage. + +On CPUs fixed to MDS but vulnerable MMIO stale data leakage, this option: + + * On CPUs susceptible to FBSDP, mitigates cross-domain fill buffer leakage + using FB_CLEAR. + * On CPUs susceptible to SBDR, mitigates RNG data recovery by engaging the + srb-lock, previously used to mitigate SRBDS. + +Both mitigations require microcode from IPU 2022.1, May 2022. + +This is part of XSA-404. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> +--- +Backporting note: For Xen 4.7 and earlier with bool_t not aliasing bool, the +ARCH_CAPS_FB_CLEAR hunk needs !! + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index ad85785e14b3..d1d5852cdd84 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2106,7 +2106,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). + ### spec-ctrl (x86) + > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>, + > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu, +-> l1d-flush,branch-harden,srb-lock}=<bool> ]` ++> l1d-flush,branch-harden,srb-lock,unpriv-mmio}=<bool> ]` + + Controls for speculative execution sidechannel mitigations. By default, Xen + will pick the most appropriate mitigations based on compiled in support, +@@ -2185,8 +2185,16 @@ Xen will enable this mitigation. + On hardware supporting SRBDS_CTRL, the `srb-lock=` option can be used to force + or prevent Xen from protect the Special Register Buffer from leaking stale + data. By default, Xen will enable this mitigation, except on parts where MDS +-is fixed and TAA is fixed/mitigated (in which case, there is believed to be no +-way for an attacker to obtain the stale data). ++is fixed and TAA is fixed/mitigated and there are no unprivileged MMIO ++mappings (in which case, there is believed to be no way for an attacker to ++obtain stale data). ++ ++The `unpriv-mmio=` boolean indicates whether the system has (or will have) ++less than fully privileged domains granted access to MMIO devices. By ++default, this option is disabled. If enabled, Xen will use the `FB_CLEAR` ++and/or `SRBDS_CTRL` functionality available in the Intel May 2022 microcode ++release to mitigate cross-domain leakage of data via the MMIO Stale Data ++vulnerabilities. + + ### sync_console + > `= <boolean>` +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 38e0cc2847e0..83b856fa9158 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -67,6 +67,8 @@ static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */ + static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. */ + + static int8_t __initdata opt_srb_lock = -1; ++static bool __initdata opt_unpriv_mmio; ++static bool __read_mostly opt_fb_clear_mmio; + + static int __init parse_spec_ctrl(const char *s) + { +@@ -184,6 +186,8 @@ static int __init parse_spec_ctrl(const char *s) + opt_branch_harden = val; + else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) + opt_srb_lock = val; ++ else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) ++ opt_unpriv_mmio = val; + else + rc = -EINVAL; + +@@ -392,7 +396,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", + opt_ibpb ? " IBPB" : "", + opt_l1d_flush ? " L1D_FLUSH" : "", +- opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", ++ opt_md_clear_pv || opt_md_clear_hvm || ++ opt_fb_clear_mmio ? " VERW" : "", + opt_branch_harden ? " BRANCH_HARDEN" : ""); + + /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ +@@ -912,7 +917,9 @@ void spec_ctrl_init_domain(struct domain *d) + { + bool pv = is_pv_domain(d); + +- d->arch.verw = pv ? opt_md_clear_pv : opt_md_clear_hvm; ++ d->arch.verw = ++ (pv ? opt_md_clear_pv : opt_md_clear_hvm) || ++ (opt_fb_clear_mmio && is_iommu_enabled(d)); + } + + void __init init_speculation_mitigations(void) +@@ -1148,6 +1155,18 @@ void __init init_speculation_mitigations(void) + mds_calculations(caps); + + /* ++ * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have ++ * reintroduced the VERW fill buffer flushing side effect because of a ++ * susceptibility to FBSDP. ++ * ++ * If unprivileged guests have (or will have) MMIO mappings, we can ++ * mitigate cross-domain leakage of fill buffer data by issuing VERW on ++ * the return-to-guest path. ++ */ ++ if ( opt_unpriv_mmio ) ++ opt_fb_clear_mmio = caps & ARCH_CAPS_FB_CLEAR; ++ ++ /* + * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. + * This will only be a token effort for MLPDS/MFBDS when HT is enabled, + * but it is somewhat better than nothing. +@@ -1160,18 +1179,20 @@ void __init init_speculation_mitigations(void) + boot_cpu_has(X86_FEATURE_MD_CLEAR)); + + /* +- * Enable MDS defences as applicable. The Idle blocks need using if +- * either PV or HVM defences are used. ++ * Enable MDS/MMIO defences as applicable. The Idle blocks need using if ++ * either the PV or HVM MDS defences are used, or if we may give MMIO ++ * access to untrusted guests. + * + * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with + * equivalent semantics to avoid needing to perform both flushes on the +- * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH. ++ * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for ++ * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) + * + * After calculating the appropriate idle setting, simplify + * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * guests", so spec_ctrl_init_domain() can calculate suitable settings. + */ +- if ( opt_md_clear_pv || opt_md_clear_hvm ) ++ if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); + opt_md_clear_hvm &= !(caps & ARCH_CAPS_SKIP_L1DFL) && !opt_l1d_flush; + +@@ -1236,14 +1257,19 @@ void __init init_speculation_mitigations(void) + * On some SRBDS-affected hardware, it may be safe to relax srb-lock by + * default. + * +- * On parts which enumerate MDS_NO and not TAA_NO, TSX is the only known +- * way to access the Fill Buffer. If TSX isn't available (inc. SKU +- * reasons on some models), or TSX is explicitly disabled, then there is +- * no need for the extra overhead to protect RDRAND/RDSEED. ++ * All parts with SRBDS_CTRL suffer SSDP, the mechanism by which stale RNG ++ * data becomes available to other contexts. To recover the data, an ++ * attacker needs to use: ++ * - SBDS (MDS or TAA to sample the cores fill buffer) ++ * - SBDR (Architecturally retrieve stale transaction buffer contents) ++ * - DRPW (Architecturally latch stale fill buffer data) ++ * ++ * On MDS_NO parts, and with TAA_NO or TSX unavailable/disabled, and there ++ * is no unprivileged MMIO access, the RNG data doesn't need protecting. + */ + if ( cpu_has_srbds_ctrl ) + { +- if ( opt_srb_lock == -1 && ++ if ( opt_srb_lock == -1 && !opt_unpriv_mmio && + (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO && + (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && rtm_disabled)) ) + opt_srb_lock = 0; diff --git a/main/xen/xsa407-4.14-01.patch b/main/xen/xsa407-4.14-01.patch new file mode 100644 index 00000000000..1eb027f6890 --- /dev/null +++ b/main/xen/xsa407-4.14-01.patch @@ -0,0 +1,78 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Only adjust MSR_SPEC_CTRL for idle with legacy IBRS + +Back at the time of the original Spectre-v2 fixes, it was recommended to clear +MSR_SPEC_CTRL when going idle. This is because of the side effects on the +sibling thread caused by the microcode IBRS and STIBP implementations which +were retrofitted to existing CPUs. + +However, there are no relevant cross-thread impacts for the hardware +IBRS/STIBP implementations, so this logic should not be used on Intel CPUs +supporting eIBRS, or any AMD CPUs; doing so only adds unnecessary latency to +the idle path. + +Furthermore, there's no point playing with MSR_SPEC_CTRL in the idle paths if +SMT is disabled for other reasons. + +Fixes: 8d03080d2a33 ("x86/spec-ctrl: Cease using thunk=lfence on AMD") +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> +(cherry picked from commit ffc7694e0c99eea158c32aa164b7d1e1bb1dc46b) + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 58a2797dfea1..d7f767b0739c 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -1104,8 +1104,14 @@ void __init init_speculation_mitigations(void) + /* (Re)init BSP state now that default_spec_ctrl_flags has been calculated. */ + init_shadow_spec_ctrl_state(); + +- /* If Xen is using any MSR_SPEC_CTRL settings, adjust the idle path. */ +- if ( default_xen_spec_ctrl ) ++ /* ++ * For microcoded IBRS only (i.e. Intel, pre eIBRS), it is recommended to ++ * clear MSR_SPEC_CTRL before going idle, to avoid impacting sibling ++ * threads. Activate this if SMT is enabled, and Xen is using a non-zero ++ * MSR_SPEC_CTRL setting. ++ */ ++ if ( boot_cpu_has(X86_FEATURE_IBRSB) && !(caps & ARCH_CAPS_IBRS_ALL) && ++ hw_smt_enabled && default_xen_spec_ctrl ) + setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE); + + xpti_init_default(caps); +diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h +index 9eaab7a2a1fa..f7488d3ccbfa 100644 +--- a/xen/include/asm-x86/cpufeatures.h ++++ b/xen/include/asm-x86/cpufeatures.h +@@ -33,7 +33,7 @@ XEN_CPUFEATURE(SC_MSR_HVM, X86_SYNTH(17)) /* MSR_SPEC_CTRL used by Xen fo + XEN_CPUFEATURE(SC_RSB_PV, X86_SYNTH(18)) /* RSB overwrite needed for PV */ + XEN_CPUFEATURE(SC_RSB_HVM, X86_SYNTH(19)) /* RSB overwrite needed for HVM */ + XEN_CPUFEATURE(XEN_SELFSNOOP, X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */ +-XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* (SC_MSR_PV || SC_MSR_HVM) && default_xen_spec_ctrl */ ++XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */ + XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */ + /* Bits 23,24 unused. */ + XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 68f6c46c470c..12283573cdd5 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -78,7 +78,8 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info) + uint32_t val = 0; + + /* +- * Branch Target Injection: ++ * It is recommended in some cases to clear MSR_SPEC_CTRL when going idle, ++ * to avoid impacting sibling threads. + * + * Latch the new shadow value, then enable shadowing, then update the MSR. + * There are no SMP issues here; only local processor ordering concerns. +@@ -114,7 +115,7 @@ static always_inline void spec_ctrl_exit_idle(struct cpu_info *info) + uint32_t val = info->xen_spec_ctrl; + + /* +- * Branch Target Injection: ++ * Restore MSR_SPEC_CTRL on exit from idle. + * + * Disable shadowing before updating the MSR. There are no SMP issues + * here; only local processor ordering concerns. diff --git a/main/xen/xsa407-4.14-02.patch b/main/xen/xsa407-4.14-02.patch new file mode 100644 index 00000000000..5fab7fc7ff3 --- /dev/null +++ b/main/xen/xsa407-4.14-02.patch @@ -0,0 +1,219 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP + hint + +STIBP and PSFD are slightly weird bits, because they're both implied by other +bits in MSR_SPEC_CTRL. Add fine grain controls for them, and take the +implications into account when setting IBRS/SSBD. + +Rearrange the IBPB text/variables/logic to keep all the MSR_SPEC_CTRL bits +together, for consistency. + +However, AMD have a hardware hint CPUID bit recommending that STIBP be set +unilaterally. This is advertised on Zen3, so follow the recommendation. +Furthermore, in such cases, set STIBP behind the guest's back for now. This +has negligible overhead for the guest, but saves a WRMSR on vmentry. This is +the only default change. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> +(cherry picked from commit fef244b179c06fcdfa581f7d57fa6e578c49ff50) + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index d1d5852cdd84..2302cec91fea 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2105,8 +2105,9 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). + + ### spec-ctrl (x86) + > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>, +-> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu, +-> l1d-flush,branch-harden,srb-lock,unpriv-mmio}=<bool> ]` ++> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, ++> eager-fpu,l1d-flush,branch-harden,srb-lock, ++> unpriv-mmio}=<bool> ]` + + Controls for speculative execution sidechannel mitigations. By default, Xen + will pick the most appropriate mitigations based on compiled in support, +@@ -2156,9 +2157,10 @@ On hardware supporting IBRS (Indirect Branch Restricted Speculation), the + If Xen is not using IBRS itself, functionality is still set up so IBRS can be + virtualised for guests. + +-On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=` +-option can be used to force (the default) or prevent Xen from issuing branch +-prediction barriers on vcpu context switches. ++On hardware supporting STIBP (Single Thread Indirect Branch Predictors), the ++`stibp=` option can be used to force or prevent Xen using the feature itself. ++By default, Xen will use STIBP when IBRS is in use (IBRS implies STIBP), and ++when hardware hints recommend using it as a blanket setting. + + On hardware supporting SSBD (Speculative Store Bypass Disable), the `ssbd=` + option can be used to force or prevent Xen using the feature itself. On AMD +@@ -2166,6 +2168,15 @@ hardware, this is a global option applied at boot, and not virtualised for + guest use. On Intel hardware, the feature is virtualised for guests, + independently of Xen's choice of setting. + ++On hardware supporting PSFD (Predictive Store Forwarding Disable), the `psfd=` ++option can be used to force or prevent Xen using the feature itself. By ++default, Xen will not use PSFD. PSFD is implied by SSBD, and SSBD is off by ++default. ++ ++On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=` ++option can be used to force (the default) or prevent Xen from issuing branch ++prediction barriers on vcpu context switches. ++ + On all hardware, the `eager-fpu=` option can be used to force or prevent Xen + from using fully eager FPU context switches. This is currently implemented as + a global control. By default, Xen will choose to use fully eager context +diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c +index 55da9302e5d7..a0bf9f4e056a 100644 +--- a/xen/arch/x86/hvm/svm/vmcb.c ++++ b/xen/arch/x86/hvm/svm/vmcb.c +@@ -29,6 +29,7 @@ + #include <asm/hvm/support.h> + #include <asm/hvm/svm/svm.h> + #include <asm/hvm/svm/svmdebug.h> ++#include <asm/spec_ctrl.h> + + struct vmcb_struct *alloc_vmcb(void) + { +@@ -175,6 +176,14 @@ static int construct_vmcb(struct vcpu *v) + vmcb->_pause_filter_thresh = SVM_PAUSETHRESH_INIT; + } + ++ /* ++ * When default_xen_spec_ctrl simply SPEC_CTRL_STIBP, default this behind ++ * the back of the VM too. Our SMT topology isn't accurate, the overhead ++ * is neglegable, and doing this saves a WRMSR on the vmentry path. ++ */ ++ if ( default_xen_spec_ctrl == SPEC_CTRL_STIBP ) ++ v->arch.msrs->spec_ctrl.raw = SPEC_CTRL_STIBP; ++ + return 0; + } + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index d7f767b0739c..06790897e496 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -48,9 +48,13 @@ static enum ind_thunk { + THUNK_LFENCE, + THUNK_JMP, + } opt_thunk __initdata = THUNK_DEFAULT; ++ + static int8_t __initdata opt_ibrs = -1; ++int8_t __initdata opt_stibp = -1; ++bool __read_mostly opt_ssbd; ++int8_t __initdata opt_psfd = -1; ++ + bool __read_mostly opt_ibpb = true; +-bool __read_mostly opt_ssbd = false; + int8_t __read_mostly opt_eager_fpu = -1; + int8_t __read_mostly opt_l1d_flush = -1; + bool __read_mostly opt_branch_harden = true; +@@ -173,12 +177,20 @@ static int __init parse_spec_ctrl(const char *s) + else + rc = -EINVAL; + } ++ ++ /* Bits in MSR_SPEC_CTRL. */ + else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) + opt_ibrs = val; +- else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) +- opt_ibpb = val; ++ else if ( (val = parse_boolean("stibp", s, ss)) >= 0 ) ++ opt_stibp = val; + else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) + opt_ssbd = val; ++ else if ( (val = parse_boolean("psfd", s, ss)) >= 0 ) ++ opt_psfd = val; ++ ++ /* Misc settings. */ ++ else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) ++ opt_ibpb = val; + else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) + opt_eager_fpu = val; + else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 ) +@@ -377,7 +389,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + "\n"); + + /* Settings for Xen's protection, irrespective of guests. */ +- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s, Other:%s%s%s%s%s\n", ++ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s\n", + thunk == THUNK_NONE ? "N/A" : + thunk == THUNK_RETPOLINE ? "RETPOLINE" : + thunk == THUNK_LFENCE ? "LFENCE" : +@@ -391,6 +403,9 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (!boot_cpu_has(X86_FEATURE_SSBD) && + !boot_cpu_has(X86_FEATURE_AMD_SSBD)) ? "" : + (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", ++ (!boot_cpu_has(X86_FEATURE_PSFD) && ++ !boot_cpu_has(X86_FEATURE_INTEL_PSFD)) ? "" : ++ (default_xen_spec_ctrl & SPEC_CTRL_PSFD) ? " PSFD+" : " PSFD-", + !(caps & ARCH_CAPS_TSX_CTRL) ? "" : + (opt_tsx & 1) ? " TSX+" : " TSX-", + !cpu_has_srbds_ctrl ? "" : +@@ -951,10 +966,7 @@ void __init init_speculation_mitigations(void) + if ( !has_spec_ctrl ) + printk(XENLOG_WARNING "?!? CET active, but no MSR_SPEC_CTRL?\n"); + else if ( opt_ibrs == -1 ) +- { + opt_ibrs = ibrs = true; +- default_xen_spec_ctrl |= SPEC_CTRL_IBRS | SPEC_CTRL_STIBP; +- } + + if ( opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE ) + thunk = THUNK_JMP; +@@ -1058,14 +1070,49 @@ void __init init_speculation_mitigations(void) + setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM); + } + +- /* If we have IBRS available, see whether we should use it. */ ++ /* Figure out default_xen_spec_ctrl. */ + if ( has_spec_ctrl && ibrs ) ++ { ++ /* IBRS implies STIBP. */ ++ if ( opt_stibp == -1 ) ++ opt_stibp = 1; ++ + default_xen_spec_ctrl |= SPEC_CTRL_IBRS; ++ } ++ ++ /* ++ * Use STIBP by default if the hardware hint is set. Otherwise, leave it ++ * off as it a severe performance pentalty on pre-eIBRS Intel hardware ++ * where it was retrofitted in microcode. ++ */ ++ if ( opt_stibp == -1 ) ++ opt_stibp = !!boot_cpu_has(X86_FEATURE_STIBP_ALWAYS); ++ ++ if ( opt_stibp && (boot_cpu_has(X86_FEATURE_STIBP) || ++ boot_cpu_has(X86_FEATURE_AMD_STIBP)) ) ++ default_xen_spec_ctrl |= SPEC_CTRL_STIBP; + +- /* If we have SSBD available, see whether we should use it. */ + if ( opt_ssbd && (boot_cpu_has(X86_FEATURE_SSBD) || + boot_cpu_has(X86_FEATURE_AMD_SSBD)) ) ++ { ++ /* SSBD implies PSFD */ ++ if ( opt_psfd == -1 ) ++ opt_psfd = 1; ++ + default_xen_spec_ctrl |= SPEC_CTRL_SSBD; ++ } ++ ++ /* ++ * Don't use PSFD by default. AMD designed the predictor to ++ * auto-clear on privilege change. PSFD is implied by SSBD, which is ++ * off by default. ++ */ ++ if ( opt_psfd == -1 ) ++ opt_psfd = 0; ++ ++ if ( opt_psfd && (boot_cpu_has(X86_FEATURE_PSFD) || ++ boot_cpu_has(X86_FEATURE_INTEL_PSFD)) ) ++ default_xen_spec_ctrl |= SPEC_CTRL_PSFD; + + /* + * PV guests can poison the RSB to any virtual address from which diff --git a/main/xen/xsa407-4.14-03.patch b/main/xen/xsa407-4.14-03.patch new file mode 100644 index 00000000000..7082e407744 --- /dev/null +++ b/main/xen/xsa407-4.14-03.patch @@ -0,0 +1,76 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: xen/cmdline: Extend parse_boolean() to signal a name match + +This will help parsing a sub-option which has boolean and non-boolean options +available. + +First, rework 'int val' into 'bool has_neg_prefix'. This inverts it's value, +but the resulting logic is far easier to follow. + +Second, reject anything of the form 'no-$FOO=' which excludes ambiguous +constructs such as 'no-$foo=yes' which have never been valid. + +This just leaves the case where everything is otherwise fine, but parse_bool() +can't interpret the provided string. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Juergen Gross <jgross@suse.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit 382326cac528dd1eb0d04efd5c05363c453e29f4) + +diff --git a/xen/common/kernel.c b/xen/common/kernel.c +index c3a943f07765..f07ff41d881e 100644 +--- a/xen/common/kernel.c ++++ b/xen/common/kernel.c +@@ -272,9 +272,9 @@ int parse_bool(const char *s, const char *e) + int parse_boolean(const char *name, const char *s, const char *e) + { + size_t slen, nlen; +- int val = !!strncmp(s, "no-", 3); ++ bool has_neg_prefix = !strncmp(s, "no-", 3); + +- if ( !val ) ++ if ( has_neg_prefix ) + s += 3; + + slen = e ? ({ ASSERT(e >= s); e - s; }) : strlen(s); +@@ -286,11 +286,23 @@ int parse_boolean(const char *name, const char *s, const char *e) + + /* Exact, unadorned name? Result depends on the 'no-' prefix. */ + if ( slen == nlen ) +- return val; ++ return !has_neg_prefix; ++ ++ /* Inexact match with a 'no-' prefix? Not valid. */ ++ if ( has_neg_prefix ) ++ return -1; + + /* =$SOMETHING? Defer to the regular boolean parsing. */ + if ( s[nlen] == '=' ) +- return parse_bool(&s[nlen + 1], e); ++ { ++ int b = parse_bool(&s[nlen + 1], e); ++ ++ if ( b >= 0 ) ++ return b; ++ ++ /* Not a boolean, but the name matched. Signal specially. */ ++ return -2; ++ } + + /* Unrecognised. Give up. */ + return -1; +diff --git a/xen/include/xen/lib.h b/xen/include/xen/lib.h +index 076bcfb67dbb..900c0ce3e466 100644 +--- a/xen/include/xen/lib.h ++++ b/xen/include/xen/lib.h +@@ -82,7 +82,8 @@ int parse_bool(const char *s, const char *e); + /** + * Given a specific name, parses a string of the form: + * [no-]$NAME[=...] +- * returning 0 or 1 for a recognised boolean, or -1 for an error. ++ * returning 0 or 1 for a recognised boolean. Returns -1 for general errors, ++ * and -2 for "not a boolean, but $NAME= matches". + */ + int parse_boolean(const char *name, const char *s, const char *e); + diff --git a/main/xen/xsa407-4.14-04.patch b/main/xen/xsa407-4.14-04.patch new file mode 100644 index 00000000000..1b743c4f641 --- /dev/null +++ b/main/xen/xsa407-4.14-04.patch @@ -0,0 +1,126 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Add fine-grained cmdline suboptions for primitives + +Support controling the PV/HVM suboption of msr-sc/rsb/md-clear, which +previously wasn't possible. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit 27357c394ba6e1571a89105b840ce1c6f026485c) + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index 2302cec91fea..a84f5c19218d 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2104,7 +2104,8 @@ not be able to control the state of the mitigation. + By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). + + ### spec-ctrl (x86) +-> `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>, ++> `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>, ++> {msr-sc,rsb,md-clear}=<bool>|{pv,hvm}=<bool>, + > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, + > eager-fpu,l1d-flush,branch-harden,srb-lock, + > unpriv-mmio}=<bool> ]` +@@ -2129,12 +2130,17 @@ in place for guests to use. + + Use of a positive boolean value for either of these options is invalid. + +-The booleans `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` offer fine ++The `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` options offer fine + grained control over the primitives by Xen. These impact Xen's ability to +-protect itself, and Xen's ability to virtualise support for guests to use. ++protect itself, and/or Xen's ability to virtualise support for guests to use. + + * `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests + respectively. ++* Each other option can be used either as a plain boolean ++ (e.g. `spec-ctrl=rsb` to control both the PV and HVM sub-options), or with ++ `pv=` or `hvm=` subsuboptions (e.g. `spec-ctrl=rsb=no-hvm` to disable HVM ++ RSB only). ++ + * `msr-sc=` offers control over Xen's support for manipulating `MSR_SPEC_CTRL` + on entry and exit. These blocks are necessary to virtualise support for + guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 06790897e496..225fe08259b3 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -147,20 +147,68 @@ static int __init parse_spec_ctrl(const char *s) + opt_rsb_hvm = val; + opt_md_clear_hvm = val; + } +- else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) ++ else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) + { +- opt_msr_sc_pv = val; +- opt_msr_sc_hvm = val; ++ switch ( val ) ++ { ++ case 0: ++ case 1: ++ opt_msr_sc_pv = opt_msr_sc_hvm = val; ++ break; ++ ++ case -2: ++ s += strlen("msr-sc="); ++ if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ opt_msr_sc_pv = val; ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ opt_msr_sc_hvm = val; ++ else ++ default: ++ rc = -EINVAL; ++ break; ++ } + } +- else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) ++ else if ( (val = parse_boolean("rsb", s, ss)) != -1 ) + { +- opt_rsb_pv = val; +- opt_rsb_hvm = val; ++ switch ( val ) ++ { ++ case 0: ++ case 1: ++ opt_rsb_pv = opt_rsb_hvm = val; ++ break; ++ ++ case -2: ++ s += strlen("rsb="); ++ if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ opt_rsb_pv = val; ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ opt_rsb_hvm = val; ++ else ++ default: ++ rc = -EINVAL; ++ break; ++ } + } +- else if ( (val = parse_boolean("md-clear", s, ss)) >= 0 ) ++ else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + { +- opt_md_clear_pv = val; +- opt_md_clear_hvm = val; ++ switch ( val ) ++ { ++ case 0: ++ case 1: ++ opt_md_clear_pv = opt_md_clear_hvm = val; ++ break; ++ ++ case -2: ++ s += strlen("md-clear="); ++ if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ opt_md_clear_pv = val; ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ opt_md_clear_hvm = val; ++ else ++ default: ++ rc = -EINVAL; ++ break; ++ } + } + + /* Xen's speculative sidechannel mitigation settings. */ diff --git a/main/xen/xsa407-4.14-05.patch b/main/xen/xsa407-4.14-05.patch new file mode 100644 index 00000000000..1f25f2635b4 --- /dev/null +++ b/main/xen/xsa407-4.14-05.patch @@ -0,0 +1,153 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Rework spec_ctrl_flags context switching + +We are shortly going to need to context switch new bits in both the vcpu and +S3 paths. Introduce SCF_IST_MASK and SCF_DOM_MASK, and rework d->arch.verw +into d->arch.spec_ctrl_flags to accommodate. + +No functional change. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c +index 774e0fcd35d7..06f3e0e9f3e0 100644 +--- a/xen/arch/x86/acpi/power.c ++++ b/xen/arch/x86/acpi/power.c +@@ -246,8 +246,8 @@ static int enter_state(u32 state) + error = 0; + + ci = get_cpu_info(); +- /* Avoid NMI/#MC using MSR_SPEC_CTRL until we've reloaded microcode. */ +- ci->spec_ctrl_flags &= ~SCF_ist_wrmsr; ++ /* Avoid NMI/#MC using unsafe MSRs until we've reloaded microcode. */ ++ ci->spec_ctrl_flags &= ~SCF_IST_MASK; + + ACPI_FLUSH_CPU_CACHE(); + +@@ -290,8 +290,8 @@ static int enter_state(u32 state) + if ( !recheck_cpu_features(0) ) + panic("Missing previously available feature(s)\n"); + +- /* Re-enabled default NMI/#MC use of MSR_SPEC_CTRL. */ +- ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr); ++ /* Re-enabled default NMI/#MC use of MSRs now microcode is loaded. */ ++ ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_IST_MASK); + + if ( boot_cpu_has(X86_FEATURE_IBRSB) || boot_cpu_has(X86_FEATURE_IBRS) ) + { +diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c +index 5ea5ef6ba037..305a63b67e2d 100644 +--- a/xen/arch/x86/domain.c ++++ b/xen/arch/x86/domain.c +@@ -1838,10 +1838,10 @@ void context_switch(struct vcpu *prev, struct vcpu *next) + } + } + +- /* Update the top-of-stack block with the VERW disposition. */ +- info->spec_ctrl_flags &= ~SCF_verw; +- if ( nextd->arch.verw ) +- info->spec_ctrl_flags |= SCF_verw; ++ /* Update the top-of-stack block with the new spec_ctrl settings. */ ++ info->spec_ctrl_flags = ++ (info->spec_ctrl_flags & ~SCF_DOM_MASK) | ++ (nextd->arch.spec_ctrl_flags & SCF_DOM_MASK); + } + + sched_context_switched(prev, next); +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 225fe08259b3..0fabfbe2a9f4 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -981,9 +981,12 @@ void spec_ctrl_init_domain(struct domain *d) + { + bool pv = is_pv_domain(d); + +- d->arch.verw = +- (pv ? opt_md_clear_pv : opt_md_clear_hvm) || +- (opt_fb_clear_mmio && is_iommu_enabled(d)); ++ bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || ++ (opt_fb_clear_mmio && is_iommu_enabled(d))); ++ ++ d->arch.spec_ctrl_flags = ++ (verw ? SCF_verw : 0) | ++ 0; + } + + void __init init_speculation_mitigations(void) +diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h +index 4ee76bba45da..53d5a43ec0ce 100644 +--- a/xen/include/asm-x86/domain.h ++++ b/xen/include/asm-x86/domain.h +@@ -308,8 +308,7 @@ struct arch_domain + uint32_t pci_cf8; + uint8_t cmos_idx; + +- /* Use VERW on return-to-guest for its flushing side effect. */ +- bool verw; ++ uint8_t spec_ctrl_flags; /* See SCF_DOM_MASK */ + + union { + struct pv_domain pv; +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 12283573cdd5..60d6d2dc9407 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -20,12 +20,40 @@ + #ifndef __X86_SPEC_CTRL_H__ + #define __X86_SPEC_CTRL_H__ + +-/* Encoding of cpuinfo.spec_ctrl_flags */ ++/* ++ * Encoding of: ++ * cpuinfo.spec_ctrl_flags ++ * default_spec_ctrl_flags ++ * domain.spec_ctrl_flags ++ * ++ * Live settings are in the top-of-stack block, because they need to be ++ * accessable when XPTI is active. Some settings are fixed from boot, some ++ * context switched per domain, and some inhibited in the S3 path. ++ */ + #define SCF_use_shadow (1 << 0) + #define SCF_ist_wrmsr (1 << 1) + #define SCF_ist_rsb (1 << 2) + #define SCF_verw (1 << 3) + ++/* ++ * The IST paths (NMI/#MC) can interrupt any arbitrary context. Some ++ * functionality requires updated microcode to work. ++ * ++ * On boot, this is easy; we load microcode before figuring out which ++ * speculative protections to apply. However, on the S3 resume path, we must ++ * be able to disable the configured mitigations until microcode is reloaded. ++ * ++ * These are the controls to inhibit on the S3 resume path until microcode has ++ * been reloaded. ++ */ ++#define SCF_IST_MASK (SCF_ist_wrmsr) ++ ++/* ++ * Some speculative protections are per-domain. These settings are merged ++ * into the top-of-stack block in the context switch path. ++ */ ++#define SCF_DOM_MASK (SCF_verw) ++ + #ifndef __ASSEMBLY__ + + #include <asm/alternative.h> +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 5a590bac44aa..66b00d511fc6 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -248,9 +248,6 @@ + + /* + * Use in IST interrupt/exception context. May interrupt Xen or PV context. +- * Fine grain control of SCF_ist_wrmsr is needed for safety in the S3 resume +- * path to avoid using MSR_SPEC_CTRL before the microcode introducing it has +- * been reloaded. + */ + .macro SPEC_CTRL_ENTRY_FROM_INTR_IST + /* diff --git a/main/xen/xsa407-4.14-06.patch b/main/xen/xsa407-4.14-06.patch new file mode 100644 index 00000000000..282999a93f5 --- /dev/null +++ b/main/xen/xsa407-4.14-06.patch @@ -0,0 +1,99 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Rename SCF_ist_wrmsr to SCF_ist_sc_msr + +We are about to introduce SCF_ist_ibpb, at which point SCF_ist_wrmsr becomes +ambiguous. + +No functional change. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 0fabfbe2a9f4..a6def47061e8 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -1086,7 +1086,7 @@ void __init init_speculation_mitigations(void) + { + if ( opt_msr_sc_pv ) + { +- default_spec_ctrl_flags |= SCF_ist_wrmsr; ++ default_spec_ctrl_flags |= SCF_ist_sc_msr; + setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV); + } + +@@ -1097,7 +1097,7 @@ void __init init_speculation_mitigations(void) + * Xen's value is not restored atomically. An early NMI hitting + * the VMExit path needs to restore Xen's value for safety. + */ +- default_spec_ctrl_flags |= SCF_ist_wrmsr; ++ default_spec_ctrl_flags |= SCF_ist_sc_msr; + setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM); + } + } +@@ -1110,7 +1110,7 @@ void __init init_speculation_mitigations(void) + * on real hardware matches the availability of MSR_SPEC_CTRL in the + * first place. + * +- * No need for SCF_ist_wrmsr because Xen's value is restored ++ * No need for SCF_ist_sc_msr because Xen's value is restored + * atomically WRT NMIs in the VMExit path. + * + * TODO: Adjust cpu_has_svm_spec_ctrl to be usable earlier on boot. +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 60d6d2dc9407..6f8b0e09348e 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -31,7 +31,7 @@ + * context switched per domain, and some inhibited in the S3 path. + */ + #define SCF_use_shadow (1 << 0) +-#define SCF_ist_wrmsr (1 << 1) ++#define SCF_ist_sc_msr (1 << 1) + #define SCF_ist_rsb (1 << 2) + #define SCF_verw (1 << 3) + +@@ -46,7 +46,7 @@ + * These are the controls to inhibit on the S3 resume path until microcode has + * been reloaded. + */ +-#define SCF_IST_MASK (SCF_ist_wrmsr) ++#define SCF_IST_MASK (SCF_ist_sc_msr) + + /* + * Some speculative protections are per-domain. These settings are merged +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 66b00d511fc6..0ff1b118f882 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -266,8 +266,8 @@ + + .L\@_skip_rsb: + +- test $SCF_ist_wrmsr, %al +- jz .L\@_skip_wrmsr ++ test $SCF_ist_sc_msr, %al ++ jz .L\@_skip_msr_spec_ctrl + + xor %edx, %edx + testb $3, UREGS_cs(%rsp) +@@ -290,7 +290,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): + * to speculate around the WRMSR. As a result, we need a dispatch + * serialising instruction in the else clause. + */ +-.L\@_skip_wrmsr: ++.L\@_skip_msr_spec_ctrl: + lfence + UNLIKELY_END(\@_serialise) + .endm +@@ -301,7 +301,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): + * Requires %rbx=stack_end + * Clobbers %rax, %rcx, %rdx + */ +- testb $SCF_ist_wrmsr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx) ++ testb $SCF_ist_sc_msr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx) + jz .L\@_skip + + DO_SPEC_CTRL_EXIT_TO_XEN diff --git a/main/xen/xsa407-4.14-07.patch b/main/xen/xsa407-4.14-07.patch new file mode 100644 index 00000000000..16e86a4471f --- /dev/null +++ b/main/xen/xsa407-4.14-07.patch @@ -0,0 +1,86 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Rename opt_ibpb to opt_ibpb_ctxt_switch + +We are about to introduce the use of IBPB at different points in Xen, making +opt_ibpb ambiguous. Rename it to opt_ibpb_ctxt_switch. + +No functional change. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c +index 305a63b67e2d..3658e50d56c7 100644 +--- a/xen/arch/x86/domain.c ++++ b/xen/arch/x86/domain.c +@@ -1810,7 +1810,7 @@ void context_switch(struct vcpu *prev, struct vcpu *next) + + ctxt_switch_levelling(next); + +- if ( opt_ibpb && !is_idle_domain(nextd) ) ++ if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) ) + { + static DEFINE_PER_CPU(unsigned int, last); + unsigned int *last_id = &this_cpu(last); +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index a6def47061e8..ced0f8c2aea6 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -54,7 +54,7 @@ int8_t __initdata opt_stibp = -1; + bool __read_mostly opt_ssbd; + int8_t __initdata opt_psfd = -1; + +-bool __read_mostly opt_ibpb = true; ++bool __read_mostly opt_ibpb_ctxt_switch = true; + int8_t __read_mostly opt_eager_fpu = -1; + int8_t __read_mostly opt_l1d_flush = -1; + bool __read_mostly opt_branch_harden = true; +@@ -117,7 +117,7 @@ static int __init parse_spec_ctrl(const char *s) + + opt_thunk = THUNK_JMP; + opt_ibrs = 0; +- opt_ibpb = false; ++ opt_ibpb_ctxt_switch = false; + opt_ssbd = false; + opt_l1d_flush = 0; + opt_branch_harden = false; +@@ -238,7 +238,7 @@ static int __init parse_spec_ctrl(const char *s) + + /* Misc settings. */ + else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) +- opt_ibpb = val; ++ opt_ibpb_ctxt_switch = val; + else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) + opt_eager_fpu = val; + else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 ) +@@ -458,7 +458,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (opt_tsx & 1) ? " TSX+" : " TSX-", + !cpu_has_srbds_ctrl ? "" : + opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", +- opt_ibpb ? " IBPB" : "", ++ opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", + opt_l1d_flush ? " L1D_FLUSH" : "", + opt_md_clear_pv || opt_md_clear_hvm || + opt_fb_clear_mmio ? " VERW" : "", +@@ -1193,7 +1193,7 @@ void __init init_speculation_mitigations(void) + + /* Check we have hardware IBPB support before using it... */ + if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) +- opt_ibpb = false; ++ opt_ibpb_ctxt_switch = false; + + /* Check whether Eager FPU should be enabled by default. */ + if ( opt_eager_fpu == -1 ) +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 6f8b0e09348e..fd8162ca9ab9 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -63,7 +63,7 @@ + void init_speculation_mitigations(void); + void spec_ctrl_init_domain(struct domain *d); + +-extern bool opt_ibpb; ++extern bool opt_ibpb_ctxt_switch; + extern bool opt_ssbd; + extern int8_t opt_eager_fpu; + extern int8_t opt_l1d_flush; diff --git a/main/xen/xsa407-4.14-08.patch b/main/xen/xsa407-4.14-08.patch new file mode 100644 index 00000000000..15d9d81697a --- /dev/null +++ b/main/xen/xsa407-4.14-08.patch @@ -0,0 +1,96 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Rework SPEC_CTRL_ENTRY_FROM_INTR_IST + +We are shortly going to add a conditional IBPB in this path. + +Therefore, we cannot hold spec_ctrl_flags in %eax, and rely on only clobbering +it after we're done with its contents. %rbx is available for use, and the +more normal register to hold preserved information in. + +With %rax freed up, use it instead of %rdx for the RSB tmp register, and for +the adjustment to spec_ctrl_flags. + +This leaves no use of %rdx, except as 0 for the upper half of WRMSR. In +practice, %rdx is 0 from SAVE_ALL on all paths and isn't likely to change in +the foreseeable future, so update the macro entry requirements to state this +dependency. This marginal optimisation can be revisited if circumstances +change. + +No practical change. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S +index cbf332e752a8..87bf9cb6942b 100644 +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -854,7 +854,7 @@ ENTRY(double_fault) + + GET_STACK_END(14) + +- SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: abcd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rbx +@@ -889,7 +889,7 @@ handle_ist_exception: + + GET_STACK_END(14) + +- SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: abcd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 0ff1b118f882..15e24cde00d1 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -251,34 +251,33 @@ + */ + .macro SPEC_CTRL_ENTRY_FROM_INTR_IST + /* +- * Requires %rsp=regs, %r14=stack_end +- * Clobbers %rax, %rcx, %rdx ++ * Requires %rsp=regs, %r14=stack_end, %rdx=0 ++ * Clobbers %rax, %rbx, %rcx, %rdx + * + * This is logical merge of DO_OVERWRITE_RSB and DO_SPEC_CTRL_ENTRY + * maybexen=1, but with conditionals rather than alternatives. + */ +- movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %eax ++ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx + +- test $SCF_ist_rsb, %al ++ test $SCF_ist_rsb, %bl + jz .L\@_skip_rsb + +- DO_OVERWRITE_RSB tmp=rdx /* Clobbers %rcx/%rdx */ ++ DO_OVERWRITE_RSB /* Clobbers %rax/%rcx */ + + .L\@_skip_rsb: + +- test $SCF_ist_sc_msr, %al ++ test $SCF_ist_sc_msr, %bl + jz .L\@_skip_msr_spec_ctrl + +- xor %edx, %edx ++ xor %eax, %eax + testb $3, UREGS_cs(%rsp) +- setnz %dl +- not %edx +- and %dl, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14) ++ setnz %al ++ not %eax ++ and %al, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14) + + /* Load Xen's intended value. */ + mov $MSR_SPEC_CTRL, %ecx + movzbl STACK_CPUINFO_FIELD(xen_spec_ctrl)(%r14), %eax +- xor %edx, %edx + wrmsr + + /* Opencoded UNLIKELY_START() with no condition. */ diff --git a/main/xen/xsa407-4.14-09.patch b/main/xen/xsa407-4.14-09.patch new file mode 100644 index 00000000000..7b165426233 --- /dev/null +++ b/main/xen/xsa407-4.14-09.patch @@ -0,0 +1,285 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Support IBPB-on-entry + +We are going to need this to mitigate Branch Type Confusion on AMD/Hygon CPUs, +but as we've talked about using it in other cases too, arrange to support it +generally. However, this is also very expensive in some cases, so we're going +to want per-domain controls. + +Introduce SCF_ist_ibpb and SCF_entry_ibpb controls, adding them to the IST and +DOM masks as appropriate. Also introduce X86_FEATURE_IBPB_ENTRY_{PV,HVM} to +to patch the code blocks. + +For SVM, the STGI is serialising enough to protect against Spectre-v1 attacks, +so no "else lfence" is necessary. VT-x will use use the MSR host load list, +so doesn't need any code in the VMExit path. + +For the IST path, we can't safely check CPL==0 to skip a flush, as we might +have hit an entry path before it's IBPB. As IST hitting Xen is rare, flush +irrespective of CPL. A later path, SCF_ist_sc_msr, provides Spectre-v1 +safety. + +For the PV paths, we know we're interrupting CPL>0, while for the INTR paths, +we can safely check CPL==0. Only flush when interrupting guest context. + +An "else lfence" is needed for safety, but we want to be able to skip it on +unaffected CPUs, so the block wants to be an alternative, which means the +lfence has to be inline rather than UNLIKELY() (the replacement block doesn't +have displacements fixed up for anything other than the first instruction). + +As with SPEC_CTRL_ENTRY_FROM_INTR_IST, %rdx is 0 on entry so rely on this to +shrink the logic marginally. Update the comments to specify this new +dependency. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S +index 055e6f4564c6..7aab67899bea 100644 +--- a/xen/arch/x86/hvm/svm/entry.S ++++ b/xen/arch/x86/hvm/svm/entry.S +@@ -101,7 +101,19 @@ __UNLIKELY_END(nsvm_hap) + + GET_CURRENT(bx) + +- /* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo Clob: acd */ ++ /* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo, %rdx=0 Clob: acd */ ++ ++ .macro svm_vmexit_cond_ibpb ++ testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp) ++ jz .L_skip_ibpb ++ ++ mov $MSR_PRED_CMD, %ecx ++ mov $PRED_CMD_IBPB, %eax ++ wrmsr ++.L_skip_ibpb: ++ .endm ++ ALTERNATIVE "", svm_vmexit_cond_ibpb, X86_FEATURE_IBPB_ENTRY_HVM ++ + ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_HVM + + .macro svm_vmexit_spec_ctrl +@@ -118,6 +130,10 @@ __UNLIKELY_END(nsvm_hap) + ALTERNATIVE "", svm_vmexit_spec_ctrl, X86_FEATURE_SC_MSR_HVM + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + ++ /* ++ * STGI is executed unconditionally, and is sufficiently serialising ++ * to safely resolve any Spectre-v1 concerns in the above logic. ++ */ + STGI + GLOBAL(svm_stgi_label) + mov %rsp,%rdi +diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c +index 1466064d0cc9..3d271178e8bb 100644 +--- a/xen/arch/x86/hvm/vmx/vmcs.c ++++ b/xen/arch/x86/hvm/vmx/vmcs.c +@@ -1332,6 +1332,10 @@ static int construct_vmcs(struct vcpu *v) + rc = vmx_add_msr(v, MSR_FLUSH_CMD, FLUSH_CMD_L1D, + VMX_MSR_GUEST_LOADONLY); + ++ if ( !rc && (d->arch.spec_ctrl_flags & SCF_entry_ibpb) ) ++ rc = vmx_add_msr(v, MSR_PRED_CMD, PRED_CMD_IBPB, ++ VMX_MSR_HOST); ++ + out: + vmx_vmcs_exit(v); + +diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S +index b67468f7c934..302530e65e0b 100644 +--- a/xen/arch/x86/x86_64/compat/entry.S ++++ b/xen/arch/x86/x86_64/compat/entry.S +@@ -18,7 +18,7 @@ ENTRY(entry_int82) + movl $HYPERCALL_VECTOR, 4(%rsp) + SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + CR4_PV32_RESTORE +@@ -212,7 +212,7 @@ ENTRY(cstar_enter) + movl $TRAP_syscall, 4(%rsp) + SAVE_ALL + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + GET_STACK_END(bx) +diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S +index 87bf9cb6942b..153e89e24694 100644 +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -248,7 +248,7 @@ ENTRY(lstar_enter) + movl $TRAP_syscall, 4(%rsp) + SAVE_ALL + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + GET_STACK_END(bx) +@@ -287,7 +287,7 @@ GLOBAL(sysenter_eflags_saved) + movl $TRAP_syscall, 4(%rsp) + SAVE_ALL + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + GET_STACK_END(bx) +@@ -339,7 +339,7 @@ ENTRY(int80_direct_trap) + movl $0x80, 4(%rsp) + SAVE_ALL + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + GET_STACK_END(bx) +@@ -600,7 +600,7 @@ ENTRY(common_interrupt) + + GET_STACK_END(14) + +- SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx +@@ -633,7 +633,7 @@ GLOBAL(handle_exception) + + GET_STACK_END(14) + +- SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx +diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h +index f7488d3ccbfa..b233e5835fb5 100644 +--- a/xen/include/asm-x86/cpufeatures.h ++++ b/xen/include/asm-x86/cpufeatures.h +@@ -39,6 +39,8 @@ XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */ + XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ + XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */ + XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */ ++XEN_CPUFEATURE(IBPB_ENTRY_PV, X86_SYNTH(28)) /* MSR_PRED_CMD used by Xen for PV */ ++XEN_CPUFEATURE(IBPB_ENTRY_HVM, X86_SYNTH(29)) /* MSR_PRED_CMD used by Xen for HVM */ + + /* Bug words follow the synthetic words. */ + #define X86_NR_BUG 1 +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index fd8162ca9ab9..10cd0cd2518f 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -34,6 +34,8 @@ + #define SCF_ist_sc_msr (1 << 1) + #define SCF_ist_rsb (1 << 2) + #define SCF_verw (1 << 3) ++#define SCF_ist_ibpb (1 << 4) ++#define SCF_entry_ibpb (1 << 5) + + /* + * The IST paths (NMI/#MC) can interrupt any arbitrary context. Some +@@ -46,13 +48,13 @@ + * These are the controls to inhibit on the S3 resume path until microcode has + * been reloaded. + */ +-#define SCF_IST_MASK (SCF_ist_sc_msr) ++#define SCF_IST_MASK (SCF_ist_sc_msr | SCF_ist_ibpb) + + /* + * Some speculative protections are per-domain. These settings are merged + * into the top-of-stack block in the context switch path. + */ +-#define SCF_DOM_MASK (SCF_verw) ++#define SCF_DOM_MASK (SCF_verw | SCF_entry_ibpb) + + #ifndef __ASSEMBLY__ + +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 15e24cde00d1..9eb4ad9ab71d 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -88,6 +88,35 @@ + * - SPEC_CTRL_EXIT_TO_{SVM,VMX} + */ + ++.macro DO_SPEC_CTRL_COND_IBPB maybexen:req ++/* ++ * Requires %rsp=regs (also cpuinfo if !maybexen) ++ * Requires %r14=stack_end (if maybexen), %rdx=0 ++ * Clobbers %rax, %rcx, %rdx ++ * ++ * Conditionally issue IBPB if SCF_entry_ibpb is active. In the maybexen ++ * case, we can safely look at UREGS_cs to skip taking the hit when ++ * interrupting Xen. ++ */ ++ .if \maybexen ++ testb $SCF_entry_ibpb, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14) ++ jz .L\@_skip ++ testb $3, UREGS_cs(%rsp) ++ .else ++ testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp) ++ .endif ++ jz .L\@_skip ++ ++ mov $MSR_PRED_CMD, %ecx ++ mov $PRED_CMD_IBPB, %eax ++ wrmsr ++ jmp .L\@_done ++ ++.L\@_skip: ++ lfence ++.L\@_done: ++.endm ++ + .macro DO_OVERWRITE_RSB tmp=rax + /* + * Requires nothing +@@ -225,12 +254,16 @@ + + /* Use after an entry from PV context (syscall/sysenter/int80/int82/etc). */ + #define SPEC_CTRL_ENTRY_FROM_PV \ ++ ALTERNATIVE "", __stringify(DO_SPEC_CTRL_COND_IBPB maybexen=0), \ ++ X86_FEATURE_IBPB_ENTRY_PV; \ + ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV; \ + ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=0), \ + X86_FEATURE_SC_MSR_PV + + /* Use in interrupt/exception context. May interrupt Xen or PV context. */ + #define SPEC_CTRL_ENTRY_FROM_INTR \ ++ ALTERNATIVE "", __stringify(DO_SPEC_CTRL_COND_IBPB maybexen=1), \ ++ X86_FEATURE_IBPB_ENTRY_PV; \ + ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV; \ + ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=1), \ + X86_FEATURE_SC_MSR_PV +@@ -254,11 +287,23 @@ + * Requires %rsp=regs, %r14=stack_end, %rdx=0 + * Clobbers %rax, %rbx, %rcx, %rdx + * +- * This is logical merge of DO_OVERWRITE_RSB and DO_SPEC_CTRL_ENTRY +- * maybexen=1, but with conditionals rather than alternatives. ++ * This is logical merge of: ++ * DO_SPEC_CTRL_COND_IBPB maybexen=0 ++ * DO_OVERWRITE_RSB ++ * DO_SPEC_CTRL_ENTRY maybexen=1 ++ * but with conditionals rather than alternatives. + */ + movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx + ++ test $SCF_ist_ibpb, %bl ++ jz .L\@_skip_ibpb ++ ++ mov $MSR_PRED_CMD, %ecx ++ mov $PRED_CMD_IBPB, %eax ++ wrmsr ++ ++.L\@_skip_ibpb: ++ + test $SCF_ist_rsb, %bl + jz .L\@_skip_rsb + diff --git a/main/xen/xsa407-4.14-10.patch b/main/xen/xsa407-4.14-10.patch new file mode 100644 index 00000000000..0d30e6fac4e --- /dev/null +++ b/main/xen/xsa407-4.14-10.patch @@ -0,0 +1,93 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/cpuid: Enumeration for BTC_NO + +BTC_NO indicates that hardware is not succeptable to Branch Type Confusion. + +Zen3 CPUs don't suffer BTC. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/tools/libxl/libxl_cpuid.c b/tools/libxl/libxl_cpuid.c +index 86c8d21555ba..25576b4d992d 100644 +--- a/tools/libxl/libxl_cpuid.c ++++ b/tools/libxl/libxl_cpuid.c +@@ -280,6 +280,7 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str) + {"virt-ssbd", 0x80000008, NA, CPUID_REG_EBX, 25, 1}, + {"ssb-no", 0x80000008, NA, CPUID_REG_EBX, 26, 1}, + {"psfd", 0x80000008, NA, CPUID_REG_EBX, 28, 1}, ++ {"btc-no", 0x80000008, NA, CPUID_REG_EBX, 29, 1}, + + {"nc", 0x80000008, NA, CPUID_REG_ECX, 0, 8}, + {"apicidsize", 0x80000008, NA, CPUID_REG_ECX, 12, 4}, +diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c +index 7ebf520a7171..e5208cfa4538 100644 +--- a/tools/misc/xen-cpuid.c ++++ b/tools/misc/xen-cpuid.c +@@ -157,7 +157,7 @@ static const char *const str_e8b[32] = + /* [22] */ [23] = "ppin", + [24] = "amd-ssbd", [25] = "virt-ssbd", + [26] = "ssb-no", +- [28] = "psfd", ++ [28] = "psfd", [29] = "btc-no", + }; + + static const char *const str_7d0[32] = +diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c +index 142f34af5f70..7409af98f633 100644 +--- a/xen/arch/x86/cpu/amd.c ++++ b/xen/arch/x86/cpu/amd.c +@@ -822,6 +822,16 @@ static void init_amd(struct cpuinfo_x86 *c) + warning_add(text); + } + break; ++ ++ case 0x19: ++ /* ++ * Zen3 (Fam19h model < 0x10) parts are not susceptible to ++ * Branch Type Confusion, but predate the allocation of the ++ * BTC_NO bit. Fill it back in if we're not virtualised. ++ */ ++ if (!cpu_has_hypervisor && !cpu_has(c, X86_FEATURE_BTC_NO)) ++ __set_bit(X86_FEATURE_BTC_NO, c->x86_capability); ++ break; + } + + display_cacheinfo(c); +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index ced0f8c2aea6..9f66c715516c 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -388,7 +388,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + * Hardware read-only information, stating immunity to certain issues, or + * suggestions of which mitigation to use. + */ +- printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", ++ printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", + (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", + (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", +@@ -403,7 +403,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", +- (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : ""); ++ (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : "", ++ (e8b & cpufeat_mask(X86_FEATURE_BTC_NO)) ? " BTC_NO" : ""); + + /* Hardware features which need driving to mitigate issues. */ + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", +diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h +index c5af6f03cff6..746a75200ab8 100644 +--- a/xen/include/public/arch-x86/cpufeatureset.h ++++ b/xen/include/public/arch-x86/cpufeatureset.h +@@ -264,6 +264,7 @@ XEN_CPUFEATURE(AMD_SSBD, 8*32+24) /*S MSR_SPEC_CTRL.SSBD available */ + XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /* MSR_VIRT_SPEC_CTRL.SSBD */ + XEN_CPUFEATURE(SSB_NO, 8*32+26) /*A Hardware not vulnerable to SSB */ + XEN_CPUFEATURE(PSFD, 8*32+28) /*S MSR_SPEC_CTRL.PSFD */ ++XEN_CPUFEATURE(BTC_NO, 8*32+29) /*A Hardware not vulnerable to Branch Type Confusion */ + + /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */ + XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */ diff --git a/main/xen/xsa407-4.14-11.patch b/main/xen/xsa407-4.14-11.patch new file mode 100644 index 00000000000..edaf1dcd6b4 --- /dev/null +++ b/main/xen/xsa407-4.14-11.patch @@ -0,0 +1,93 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Enable Zen2 chickenbit + +... as instructed in the Branch Type Confusion whitepaper. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> + +diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c +index 7409af98f633..f50f91f81eb9 100644 +--- a/xen/arch/x86/cpu/amd.c ++++ b/xen/arch/x86/cpu/amd.c +@@ -731,6 +731,31 @@ void amd_init_ssbd(const struct cpuinfo_x86 *c) + printk_once(XENLOG_ERR "No SSBD controls available\n"); + } + ++/* ++ * On Zen2 we offer this chicken (bit) on the altar of Speculation. ++ * ++ * Refer to the AMD Branch Type Confusion whitepaper: ++ * https://XXX ++ * ++ * Setting this unnamed bit supposedly causes prediction information on ++ * non-branch instructions to be ignored. It is to be set unilaterally in ++ * newer microcode. ++ * ++ * This chickenbit is something unrelated on Zen1, and Zen1 vs Zen2 isn't a ++ * simple model number comparison, so use STIBP as a heuristic to separate the ++ * two uarches in Fam17h(AMD)/18h(Hygon). ++ */ ++void amd_init_spectral_chicken(void) ++{ ++ uint64_t val, chickenbit = 1 << 1; ++ ++ if (cpu_has_hypervisor || !boot_cpu_has(X86_FEATURE_AMD_STIBP)) ++ return; ++ ++ if (rdmsr_safe(MSR_AMD64_DE_CFG2, val) == 0 && !(val & chickenbit)) ++ wrmsr_safe(MSR_AMD64_DE_CFG2, val | chickenbit); ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + u32 l, h; +@@ -783,6 +808,9 @@ static void init_amd(struct cpuinfo_x86 *c) + + amd_init_ssbd(c); + ++ if (c->x86 == 0x17) ++ amd_init_spectral_chicken(); ++ + /* MFENCE stops RDTSC speculation */ + if (!cpu_has_lfence_dispatch) + __set_bit(X86_FEATURE_MFENCE_RDTSC, c->x86_capability); +diff --git a/xen/arch/x86/cpu/cpu.h b/xen/arch/x86/cpu/cpu.h +index 1a5b3918b37e..e76ab5ce1ae2 100644 +--- a/xen/arch/x86/cpu/cpu.h ++++ b/xen/arch/x86/cpu/cpu.h +@@ -22,3 +22,4 @@ void early_init_amd(struct cpuinfo_x86 *c); + void amd_log_freq(const struct cpuinfo_x86 *c); + void amd_init_lfence(struct cpuinfo_x86 *c); + void amd_init_ssbd(const struct cpuinfo_x86 *c); ++void amd_init_spectral_chicken(void); +diff --git a/xen/arch/x86/cpu/hygon.c b/xen/arch/x86/cpu/hygon.c +index 3845e0cf0e89..0cb0e7d55e61 100644 +--- a/xen/arch/x86/cpu/hygon.c ++++ b/xen/arch/x86/cpu/hygon.c +@@ -36,6 +36,12 @@ static void init_hygon(struct cpuinfo_x86 *c) + + amd_init_ssbd(c); + ++ /* ++ * TODO: Check heuristic safety with Hygon first ++ if (c->x86 == 0x18) ++ amd_init_spectral_chicken(); ++ */ ++ + /* MFENCE stops RDTSC speculation */ + if (!cpu_has_lfence_dispatch) + __set_bit(X86_FEATURE_MFENCE_RDTSC, c->x86_capability); +diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h +index c8670eab8ef5..4c1cba589d08 100644 +--- a/xen/include/asm-x86/msr-index.h ++++ b/xen/include/asm-x86/msr-index.h +@@ -359,6 +359,7 @@ + #define MSR_AMD64_DC_CFG 0xc0011022 + #define MSR_AMD64_DE_CFG 0xc0011029 + #define AMD64_DE_CFG_LFENCE_SERIALISE (_AC(1, ULL) << 1) ++#define MSR_AMD64_DE_CFG2 0xc00110e3 + + #define MSR_AMD64_DR0_ADDRESS_MASK 0xc0011027 + #define MSR_AMD64_DR1_ADDRESS_MASK 0xc0011019 diff --git a/main/xen/xsa407-4.14-12.patch b/main/xen/xsa407-4.14-12.patch new file mode 100644 index 00000000000..38836fbe571 --- /dev/null +++ b/main/xen/xsa407-4.14-12.patch @@ -0,0 +1,293 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Mitigate Branch Type Confusion when possible + +Branch Type Confusion affects AMD/Hygon CPUs on Zen2 and earlier. To +mitigate, we require SMT safety (STIBP on Zen2, no-SMT on Zen1), and to issue +an IBPB on each entry to Xen, to flush the BTB. + +Due to performance concerns, dom0 (which is trusted in most configurations) is +excluded from protections by default. + +Therefore: + * Use STIBP by default on Zen2 too, which now means we want it on by default + on all hardware supporting STIBP. + * Break the current IBPB logic out into a new function, extending it with + IBPB-at-entry logic. + * Change the existing IBPB-at-ctxt-switch boolean to be tristate, and disable + it by default when IBPB-at-entry is providing sufficient safety. + +If all PV guests on the system are trusted, then it is recommended to boot +with `spec-ctrl=ibpb-entry=no-pv`, as this will provide an additional marginal +perf improvement. + +This is part of XSA-407 / CVE-2022-23825. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index a84f5c19218d..f13304ef4eb1 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2105,7 +2105,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). + + ### spec-ctrl (x86) + > `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>, +-> {msr-sc,rsb,md-clear}=<bool>|{pv,hvm}=<bool>, ++> {msr-sc,rsb,md-clear,ibpb-entry}=<bool>|{pv,hvm}=<bool>, + > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, + > eager-fpu,l1d-flush,branch-harden,srb-lock, + > unpriv-mmio}=<bool> ]` +@@ -2130,9 +2130,10 @@ in place for guests to use. + + Use of a positive boolean value for either of these options is invalid. + +-The `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` options offer fine +-grained control over the primitives by Xen. These impact Xen's ability to +-protect itself, and/or Xen's ability to virtualise support for guests to use. ++The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options ++offer fine grained control over the primitives by Xen. These impact Xen's ++ability to protect itself, and/or Xen's ability to virtualise support for ++guests to use. + + * `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests + respectively. +@@ -2151,6 +2152,11 @@ protect itself, and/or Xen's ability to virtualise support for guests to use. + compatibility with development versions of this fix, `mds=` is also accepted + on Xen 4.12 and earlier as an alias. Consult vendor documentation in + preference to here.* ++* `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction ++ Barrier) is used on entry to Xen. This is used by default on hardware ++ vulnerable to Branch Type Confusion, but for performance reasons, dom0 is ++ unprotected by default. If it necessary to protect dom0 too, boot with ++ `spec-ctrl=ibpb-entry`. + + If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to + select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 9f66c715516c..563519ce0e31 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -39,6 +39,10 @@ static bool __initdata opt_rsb_hvm = true; + static int8_t __read_mostly opt_md_clear_pv = -1; + static int8_t __read_mostly opt_md_clear_hvm = -1; + ++static int8_t __read_mostly opt_ibpb_entry_pv = -1; ++static int8_t __read_mostly opt_ibpb_entry_hvm = -1; ++static bool __read_mostly opt_ibpb_entry_dom0; ++ + /* Cmdline controls for Xen's speculative settings. */ + static enum ind_thunk { + THUNK_DEFAULT, /* Decide which thunk to use at boot time. */ +@@ -54,7 +58,7 @@ int8_t __initdata opt_stibp = -1; + bool __read_mostly opt_ssbd; + int8_t __initdata opt_psfd = -1; + +-bool __read_mostly opt_ibpb_ctxt_switch = true; ++int8_t __read_mostly opt_ibpb_ctxt_switch = -1; + int8_t __read_mostly opt_eager_fpu = -1; + int8_t __read_mostly opt_l1d_flush = -1; + bool __read_mostly opt_branch_harden = true; +@@ -114,6 +118,9 @@ static int __init parse_spec_ctrl(const char *s) + opt_rsb_hvm = false; + opt_md_clear_pv = 0; + opt_md_clear_hvm = 0; ++ opt_ibpb_entry_pv = 0; ++ opt_ibpb_entry_hvm = 0; ++ opt_ibpb_entry_dom0 = false; + + opt_thunk = THUNK_JMP; + opt_ibrs = 0; +@@ -140,12 +147,14 @@ static int __init parse_spec_ctrl(const char *s) + opt_msr_sc_pv = val; + opt_rsb_pv = val; + opt_md_clear_pv = val; ++ opt_ibpb_entry_pv = val; + } + else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) + { + opt_msr_sc_hvm = val; + opt_rsb_hvm = val; + opt_md_clear_hvm = val; ++ opt_ibpb_entry_hvm = val; + } + else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) + { +@@ -210,6 +219,28 @@ static int __init parse_spec_ctrl(const char *s) + break; + } + } ++ else if ( (val = parse_boolean("ibpb-entry", s, ss)) != -1 ) ++ { ++ switch ( val ) ++ { ++ case 0: ++ case 1: ++ opt_ibpb_entry_pv = opt_ibpb_entry_hvm = ++ opt_ibpb_entry_dom0 = val; ++ break; ++ ++ case -2: ++ s += strlen("ibpb-entry="); ++ if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ opt_ibpb_entry_pv = val; ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ opt_ibpb_entry_hvm = val; ++ else ++ default: ++ rc = -EINVAL; ++ break; ++ } ++ } + + /* Xen's speculative sidechannel mitigation settings. */ + else if ( !strncmp(s, "bti-thunk=", 10) ) +@@ -477,27 +508,31 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + * mitigation support for guests. + */ + #ifdef CONFIG_HVM +- printk(" Support for HVM VMs:%s%s%s%s%s\n", ++ printk(" Support for HVM VMs:%s%s%s%s%s%s\n", + (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || + boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || + boot_cpu_has(X86_FEATURE_MD_CLEAR) || ++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || + opt_eager_fpu) ? "" : " None", + boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", + boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", + opt_eager_fpu ? " EAGER_FPU" : "", +- boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : ""); ++ boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : "", ++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); + + #endif + #ifdef CONFIG_PV +- printk(" Support for PV VMs:%s%s%s%s%s\n", ++ printk(" Support for PV VMs:%s%s%s%s%s%s\n", + (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || + boot_cpu_has(X86_FEATURE_SC_RSB_PV) || + boot_cpu_has(X86_FEATURE_MD_CLEAR) || ++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || + opt_eager_fpu) ? "" : " None", + boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", + boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", + opt_eager_fpu ? " EAGER_FPU" : "", +- boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : ""); ++ boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : "", ++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); + + printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", + opt_xpti_hwdom ? "enabled" : "disabled", +@@ -730,6 +765,55 @@ static bool __init should_use_eager_fpu(void) + } + } + ++static void __init ibpb_calculations(void) ++{ ++ /* Check we have hardware IBPB support before using it... */ ++ if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) ++ { ++ opt_ibpb_entry_hvm = opt_ibpb_entry_pv = opt_ibpb_ctxt_switch = 0; ++ opt_ibpb_entry_dom0 = false; ++ return; ++ } ++ ++ /* ++ * IBPB-on-entry mitigations for Branch Type Confusion. ++ * ++ * IBPB && !BTC_NO selects all AMD/Hygon hardware, not known to be safe, ++ * that we can provide some form of mitigation on. ++ */ ++ if ( opt_ibpb_entry_pv == -1 ) ++ opt_ibpb_entry_pv = (IS_ENABLED(CONFIG_PV) && ++ boot_cpu_has(X86_FEATURE_IBPB) && ++ !boot_cpu_has(X86_FEATURE_BTC_NO)); ++ if ( opt_ibpb_entry_hvm == -1 ) ++ opt_ibpb_entry_hvm = (IS_ENABLED(CONFIG_HVM) && ++ boot_cpu_has(X86_FEATURE_IBPB) && ++ !boot_cpu_has(X86_FEATURE_BTC_NO)); ++ ++ if ( opt_ibpb_entry_pv ) ++ { ++ setup_force_cpu_cap(X86_FEATURE_IBPB_ENTRY_PV); ++ ++ /* ++ * We only need to flush in IST context if we're protecting against PV ++ * guests. HVM IBPB-on-entry protections are both atomic with ++ * NMI/#MC, so can't interrupt Xen ahead of having already flushed the ++ * BTB. ++ */ ++ default_spec_ctrl_flags |= SCF_ist_ibpb; ++ } ++ if ( opt_ibpb_entry_hvm ) ++ setup_force_cpu_cap(X86_FEATURE_IBPB_ENTRY_HVM); ++ ++ /* ++ * If we're using IBPB-on-entry to protect against PV and HVM guests ++ * (ignoring dom0 if trusted), then there's no need to also issue IBPB on ++ * context switch too. ++ */ ++ if ( opt_ibpb_ctxt_switch == -1 ) ++ opt_ibpb_ctxt_switch = !(opt_ibpb_entry_hvm && opt_ibpb_entry_pv); ++} ++ + /* Calculate whether this CPU is vulnerable to L1TF. */ + static __init void l1tf_calculations(uint64_t caps) + { +@@ -985,8 +1069,12 @@ void spec_ctrl_init_domain(struct domain *d) + bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || + (opt_fb_clear_mmio && is_iommu_enabled(d))); + ++ bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && ++ (d->domain_id != 0 || opt_ibpb_entry_dom0)); ++ + d->arch.spec_ctrl_flags = + (verw ? SCF_verw : 0) | ++ (ibpb ? SCF_entry_ibpb : 0) | + 0; + } + +@@ -1133,12 +1221,15 @@ void __init init_speculation_mitigations(void) + } + + /* +- * Use STIBP by default if the hardware hint is set. Otherwise, leave it +- * off as it a severe performance pentalty on pre-eIBRS Intel hardware +- * where it was retrofitted in microcode. ++ * Use STIBP by default on all AMD systems. Zen3 and later enumerate ++ * STIBP_ALWAYS, but STIBP is needed on Zen2 as part of the mitigations ++ * for Branch Type Confusion. ++ * ++ * Leave STIBP off by default on Intel. Pre-eIBRS systems suffer a ++ * substantial perf hit when it was implemented in microcode. + */ + if ( opt_stibp == -1 ) +- opt_stibp = !!boot_cpu_has(X86_FEATURE_STIBP_ALWAYS); ++ opt_stibp = !!boot_cpu_has(X86_FEATURE_AMD_STIBP); + + if ( opt_stibp && (boot_cpu_has(X86_FEATURE_STIBP) || + boot_cpu_has(X86_FEATURE_AMD_STIBP)) ) +@@ -1192,9 +1283,7 @@ void __init init_speculation_mitigations(void) + if ( opt_rsb_hvm ) + setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); + +- /* Check we have hardware IBPB support before using it... */ +- if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) +- opt_ibpb_ctxt_switch = false; ++ ibpb_calculations(); + + /* Check whether Eager FPU should be enabled by default. */ + if ( opt_eager_fpu == -1 ) +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 10cd0cd2518f..33e845991b0a 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -65,7 +65,7 @@ + void init_speculation_mitigations(void); + void spec_ctrl_init_domain(struct domain *d); + +-extern bool opt_ibpb_ctxt_switch; ++extern int8_t opt_ibpb_ctxt_switch; + extern bool opt_ssbd; + extern int8_t opt_eager_fpu; + extern int8_t opt_l1d_flush; diff --git a/main/xen/xsa408.patch b/main/xen/xsa408.patch new file mode 100644 index 00000000000..c58193f5716 --- /dev/null +++ b/main/xen/xsa408.patch @@ -0,0 +1,36 @@ +From: Jan Beulich <jbeulich@suse.com> +Subject: x86/mm: correct TLB flush condition in _get_page_type() + +When this logic was moved, it was moved across the point where nx is +updated to hold the new type for the page. IOW originally it was +equivalent to using x (and perhaps x would better have been used), but +now it isn't anymore. Switch to using x, which then brings things in +line again with the slightly earlier comment there (now) talking about +transitions _from_ writable. + +I have to confess though that I cannot make a direct connection between +the reported observed behavior of guests leaving several pages around +with pending general references and the change here. Repeated testing, +nevertheless, confirms the reported issue is no longer there. + +This is CVE-2022-33745 / XSA-408. + +Reported-by: Charles Arnold <carnold@suse.com> +Fixes: 8cc5036bc385 ("x86/pv: Fix ABAC cmpxchg() race in _get_page_type()") +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> +--- +I'd be happy to update the description to actually connect things, as +long as someone can give some plausible explanation. + +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -3038,7 +3038,7 @@ static int _get_page_type(struct page_in + if ( unlikely(!cpumask_empty(mask)) && + /* Shadow mode: track only writable pages. */ + (!shadow_mode_enabled(d) || +- ((nx & PGT_type_mask) == PGT_writable_page)) ) ++ ((x & PGT_type_mask) == PGT_writable_page)) ) + { + perfc_incr(need_flush_tlb_flush); + /* diff --git a/main/xen/xsa414-4.14.patch b/main/xen/xsa414-4.14.patch new file mode 100644 index 00000000000..db7f7ec421e --- /dev/null +++ b/main/xen/xsa414-4.14.patch @@ -0,0 +1,112 @@ +From: Julien Grall <jgrall@amazon.com> +Subject: tools/xenstore: create_node: Don't defer work to undo any changes on + failure + +XSA-115 extended destroy_node() to update the node accounting for the +connection. The implementation is assuming the connection is the parent +of the node, however all the nodes are allocated using a separate context +(see process_message()). This will result to crash (or corrupt) xenstored +as the pointer is wrongly used. + +In case of an error, any changes to the database or update to the +accounting will now be reverted in create_node() by calling directly +destroy_node(). This has the nice advantage to remove the loop to unset +the destructors in case of success. + +Take the opportunity to free the nodes right now as they are not +going to be reachable (the function returns NULL) and are just wasting +resources. + +This is XSA-414 / CVE-2022-42309. + +Reported-by: Julien Grall <jgrall@amazon.com> +Fixes: 0bfb2101f243 ("tools/xenstore: fix node accounting after failed node creation") +Signed-off-by: Julien Grall <jgrall@amazon.com> +Reviewed-by: Juergen Gross <jgross@suse.com> + +diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c +index 1d05d25a4864..6afe8cb59d7e 100644 +--- a/tools/xenstore/xenstored_core.c ++++ b/tools/xenstore/xenstored_core.c +@@ -977,9 +977,8 @@ static struct node *construct_node(struct connection *conn, const void *ctx, + return NULL; + } + +-static int destroy_node(void *_node) ++static int destroy_node(struct connection *conn, struct node *node) + { +- struct node *node = _node; + TDB_DATA key; + + if (streq(node->name, "/")) +@@ -990,7 +989,7 @@ static int destroy_node(void *_node) + + tdb_delete(tdb_ctx, key); + +- domain_entry_dec(talloc_parent(node), node); ++ domain_entry_dec(conn, node); + + return 0; + } +@@ -999,7 +998,8 @@ static struct node *create_node(struct connection *conn, const void *ctx, + const char *name, + void *data, unsigned int datalen) + { +- struct node *node, *i; ++ struct node *node, *i, *j; ++ int ret; + + node = construct_node(conn, ctx, name); + if (!node) +@@ -1021,23 +1021,40 @@ static struct node *create_node(struct connection *conn, const void *ctx, + /* i->parent is set for each new node, so check quota. */ + if (i->parent && + domain_entry(conn) >= quota_nb_entry_per_domain) { +- errno = ENOSPC; +- return NULL; ++ ret = ENOSPC; ++ goto err; + } +- if (write_node(conn, i, false)) +- return NULL; + +- /* Account for new node, set destructor for error case. */ +- if (i->parent) { ++ ret = write_node(conn, i, false); ++ if (ret) ++ goto err; ++ ++ /* Account for new node */ ++ if (i->parent) + domain_entry_inc(conn, i); +- talloc_set_destructor(i, destroy_node); +- } + } + +- /* OK, now remove destructors so they stay around */ +- for (i = node; i->parent; i = i->parent) +- talloc_set_destructor(i, NULL); + return node; ++ ++err: ++ /* ++ * We failed to update TDB for some of the nodes. Undo any work that ++ * have already been done. ++ */ ++ for (j = node; j != i; j = j->parent) ++ destroy_node(conn, j); ++ ++ /* We don't need to keep the nodes around, so free them. */ ++ i = node; ++ while (i) { ++ j = i; ++ i = i->parent; ++ talloc_free(j); ++ } ++ ++ errno = ret; ++ ++ return NULL; + } + + /* path, data... */ diff --git a/main/xen/xsa422-4.14-1.patch b/main/xen/xsa422-4.14-1.patch new file mode 100644 index 00000000000..dccfba84f65 --- /dev/null +++ b/main/xen/xsa422-4.14-1.patch @@ -0,0 +1,70 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Enumeration for IBPB_RET + +The IBPB_RET bit indicates that the CPU's implementation of MSR_PRED_CMD.IBPB +does flush the RSB/RAS too. + +This is part of XSA-422 / CVE-2022-23824. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/tools/libxl/libxl_cpuid.c b/tools/libxl/libxl_cpuid.c +index 25576b4d992d..1b7626f7d41c 100644 +--- a/tools/libxl/libxl_cpuid.c ++++ b/tools/libxl/libxl_cpuid.c +@@ -281,6 +281,7 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str) + {"ssb-no", 0x80000008, NA, CPUID_REG_EBX, 26, 1}, + {"psfd", 0x80000008, NA, CPUID_REG_EBX, 28, 1}, + {"btc-no", 0x80000008, NA, CPUID_REG_EBX, 29, 1}, ++ {"ibpb-ret", 0x80000008, NA, CPUID_REG_EBX, 30, 1}, + + {"nc", 0x80000008, NA, CPUID_REG_ECX, 0, 8}, + {"apicidsize", 0x80000008, NA, CPUID_REG_ECX, 12, 4}, +diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c +index e5208cfa4538..7771da49532f 100644 +--- a/tools/misc/xen-cpuid.c ++++ b/tools/misc/xen-cpuid.c +@@ -158,6 +158,7 @@ static const char *const str_e8b[32] = + [24] = "amd-ssbd", [25] = "virt-ssbd", + [26] = "ssb-no", + [28] = "psfd", [29] = "btc-no", ++ [30] = "ibpb-ret", + }; + + static const char *const str_7d0[32] = +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 563519ce0e31..679fbac57ec7 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -419,7 +419,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + * Hardware read-only information, stating immunity to certain issues, or + * suggestions of which mitigation to use. + */ +- printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", ++ printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", + (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", + (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", +@@ -435,7 +435,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : "", +- (e8b & cpufeat_mask(X86_FEATURE_BTC_NO)) ? " BTC_NO" : ""); ++ (e8b & cpufeat_mask(X86_FEATURE_BTC_NO)) ? " BTC_NO" : "", ++ (e8b & cpufeat_mask(X86_FEATURE_IBPB_RET)) ? " IBPB_RET" : ""); + + /* Hardware features which need driving to mitigate issues. */ + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", +diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h +index 746a75200ab8..e536ab42b31d 100644 +--- a/xen/include/public/arch-x86/cpufeatureset.h ++++ b/xen/include/public/arch-x86/cpufeatureset.h +@@ -265,6 +265,7 @@ XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /* MSR_VIRT_SPEC_CTRL.SSBD */ + XEN_CPUFEATURE(SSB_NO, 8*32+26) /*A Hardware not vulnerable to SSB */ + XEN_CPUFEATURE(PSFD, 8*32+28) /*S MSR_SPEC_CTRL.PSFD */ + XEN_CPUFEATURE(BTC_NO, 8*32+29) /*A Hardware not vulnerable to Branch Type Confusion */ ++XEN_CPUFEATURE(IBPB_RET, 8*32+30) /*A IBPB clears RSB/RAS too. */ + + /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */ + XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */ diff --git a/main/xen/xsa422-4.14-2.patch b/main/xen/xsa422-4.14-2.patch new file mode 100644 index 00000000000..09cb00d3573 --- /dev/null +++ b/main/xen/xsa422-4.14-2.patch @@ -0,0 +1,99 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Mitigate IBPB not flushing the RSB/RAS + +Introduce spec_ctrl_new_guest_context() to encapsulate all logic pertaining to +using MSR_PRED_CMD for a new guest context, even if it only has one user +presently. + +Introduce X86_BUG_IBPB_NO_RET, and use it extend spec_ctrl_new_guest_context() +with a manual fixup for hardware which mis-implements IBPB. + +This is part of XSA-422 / CVE-2022-23824. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Jan Beulich <jbeulich@suse.com> + +diff --git a/xen/arch/x86/asm-macros.c b/xen/arch/x86/asm-macros.c +index b963d56a5663..8c585697b9f6 100644 +--- a/xen/arch/x86/asm-macros.c ++++ b/xen/arch/x86/asm-macros.c +@@ -1 +1,2 @@ + #include <asm/alternative-asm.h> ++#include <asm/spec_ctrl_asm.h> +diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c +index 4fb78d38e719..b3774af1a5f6 100644 +--- a/xen/arch/x86/domain.c ++++ b/xen/arch/x86/domain.c +@@ -1832,7 +1832,7 @@ void context_switch(struct vcpu *prev, struct vcpu *next) + */ + if ( *last_id != next_id ) + { +- wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB); ++ spec_ctrl_new_guest_context(); + *last_id = next_id; + } + } +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 679fbac57ec7..c650e07b0629 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -777,6 +777,14 @@ static void __init ibpb_calculations(void) + } + + /* ++ * AMD/Hygon CPUs to date (June 2022) don't flush the the RAS. Future ++ * CPUs are expected to enumerate IBPB_RET when this has been fixed. ++ * Until then, cover the difference with the software sequence. ++ */ ++ if ( boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_IBPB_RET) ) ++ setup_force_cpu_cap(X86_BUG_IBPB_NO_RET); ++ ++ /* + * IBPB-on-entry mitigations for Branch Type Confusion. + * + * IBPB && !BTC_NO selects all AMD/Hygon hardware, not known to be safe, +diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h +index b233e5835fb5..bdb119a34c5d 100644 +--- a/xen/include/asm-x86/cpufeatures.h ++++ b/xen/include/asm-x86/cpufeatures.h +@@ -48,6 +48,7 @@ XEN_CPUFEATURE(IBPB_ENTRY_HVM, X86_SYNTH(29)) /* MSR_PRED_CMD used by Xen for + + #define X86_BUG_FPU_PTRS X86_BUG( 0) /* (F)X{SAVE,RSTOR} doesn't save/restore FOP/FIP/FDP. */ + #define X86_BUG_CLFLUSH_MFENCE X86_BUG( 2) /* MFENCE needed to serialise CLFLUSH */ ++#define X86_BUG_IBPB_NO_RET X86_BUG( 3) /* IBPB doesn't flush the RSB/RAS */ + + /* Total number of capability words, inc synth and bug words. */ + #define NCAPINTS (FSCAPINTS + X86_NR_SYNTH + X86_NR_BUG) /* N 32-bit words worth of info */ +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 33e845991b0a..e400ff227391 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -65,6 +65,28 @@ + void init_speculation_mitigations(void); + void spec_ctrl_init_domain(struct domain *d); + ++/* ++ * Switch to a new guest prediction context. ++ * ++ * This flushes all indirect branch predictors (BTB, RSB/RAS), so guest code ++ * which has previously run on this CPU can't attack subsequent guest code. ++ * ++ * As this flushes the RSB/RAS, it destroys the predictions of the calling ++ * context. For best performace, arrange for this to be used when we're going ++ * to jump out of the current context, e.g. with reset_stack_and_jump(). ++ * ++ * For hardware which mis-implements IBPB, fix up by flushing the RSB/RAS ++ * manually. ++ */ ++static always_inline void spec_ctrl_new_guest_context(void) ++{ ++ wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB); ++ ++ /* (ab)use alternative_input() to specify clobbers. */ ++ alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET, ++ : "rax", "rcx"); ++} ++ + extern int8_t opt_ibpb_ctxt_switch; + extern bool opt_ssbd; + extern int8_t opt_eager_fpu; diff --git a/main/xtables-addons-lts/APKBUILD b/main/xtables-addons-lts/APKBUILD index 6540c510684..8d085b7f93e 100644 --- a/main/xtables-addons-lts/APKBUILD +++ b/main/xtables-addons-lts/APKBUILD @@ -2,12 +2,12 @@ # when changing _ver we *must* bump _rel _name=xtables-addons -_ver=3.11 +_ver=3.21 _rel=0 _flavor=${FLAVOR:-lts} _kpkg=linux-$_flavor -_kver=5.10.88 +_kver=5.10.152 _krel=0 _kpkgver="$_kver-r$_krel" @@ -25,7 +25,7 @@ depends="$_kpkg=$_kpkgver" makedepends="$_kpkg-dev=$_kpkgver iptables-dev linux-headers" install_if="$_kpkg=$_kpkgver $_name" source="https://inai.de/files/xtables-addons/xtables-addons-$_ver.tar.xz - ip_route_me_harder-5.4.78.patch" + " builddir="$srcdir/$_name-$_ver" options="!check" @@ -60,5 +60,4 @@ package() { make DESTDIR="$pkgdir" modules_install } -sha512sums="3b9d57596002efa4f874734debdab560d49bc600010986a2b3db9dab262251fd37da45bc8e9d0cbbe77f9c5e95c96a36d5372ae2bd12822a5765c7b5ebb715ea xtables-addons-3.11.tar.xz -a746279a28b7ab9d6d0783ccded9d4dec953dd33127b1e5cf3421cf8e601e81c003869831aaa78fb811ffe10e2b5c0d3dd80c4d0fc31a0ca134459caeb428fe5 ip_route_me_harder-5.4.78.patch" +sha512sums="5ec30a14f7dffcaa87bbeb910b46ef5ba3bafc4b6f0ce1579eb21ca6395106fa9157b300f463b43169ea85ec9ff0d9a5377cb5ebc2bb2f637e2a1fe9ff61728e xtables-addons-3.21.tar.xz" diff --git a/main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch b/main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch deleted file mode 100644 index 075f52dadec..00000000000 --- a/main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c -index b384c8e..cb1d055 100644 ---- a/extensions/xt_DELUDE.c -+++ b/extensions/xt_DELUDE.c -@@ -122,7 +122,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb, - /* ip_route_me_harder expects skb->dst to be set */ - skb_dst_set(nskb, dst_clone(skb_dst(oldskb))); - -- if (ip_route_me_harder(net, nskb, addr_type)) -+ if (ip_route_me_harder(net, nskb->sk, nskb, addr_type)) - goto free_nskb; - else - niph = ip_hdr(nskb); -diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c -index e99312b..2ab413b 100644 ---- a/extensions/xt_ECHO.c -+++ b/extensions/xt_ECHO.c -@@ -192,7 +192,7 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par) - /* ip_route_me_harder expects the skb's dst to be set */ - skb_dst_set(newskb, dst_clone(skb_dst(oldskb))); - -- if (ip_route_me_harder(par_net(par), newskb, RTN_UNSPEC) != 0) -+ if (ip_route_me_harder(par_net(par), par->state->sk, newskb, RTN_UNSPEC) != 0) - goto free_nskb; - - newip->ttl = ip4_dst_hoplimit(skb_dst(newskb)); -diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c -index 4926f2e..6256e60 100644 ---- a/extensions/xt_TARPIT.c -+++ b/extensions/xt_TARPIT.c -@@ -265,7 +265,7 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb, - #endif - addr_type = RTN_LOCAL; - -- if (ip_route_me_harder(net, nskb, addr_type)) -+ if (ip_route_me_harder(net, nskb->sk, nskb, addr_type)) - goto free_nskb; - else - niph = ip_hdr(nskb); -@@ -399,7 +399,7 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb, - IPPROTO_TCP, - csum_partial(tcph, sizeof(struct tcphdr), 0)); - -- if (ip6_route_me_harder(net, nskb)) -+ if (ip6_route_me_harder(net, nskb->sk, nskb)) - goto free_nskb; - - nskb->ip_summed = CHECKSUM_NONE; diff --git a/main/xtables-addons/APKBUILD b/main/xtables-addons/APKBUILD index 963b58731aa..fa47993c14c 100644 --- a/main/xtables-addons/APKBUILD +++ b/main/xtables-addons/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=xtables-addons -pkgver=3.11 +pkgver=3.21 pkgrel=0 pkgdesc="Netfilter userspace extensions for iptables" url="http://xtables-addons.sourceforge.net/" @@ -25,4 +25,4 @@ package() { make builddir= DESTDIR="$pkgdir" install } -sha512sums="3b9d57596002efa4f874734debdab560d49bc600010986a2b3db9dab262251fd37da45bc8e9d0cbbe77f9c5e95c96a36d5372ae2bd12822a5765c7b5ebb715ea xtables-addons-3.11.tar.xz" +sha512sums="5ec30a14f7dffcaa87bbeb910b46ef5ba3bafc4b6f0ce1579eb21ca6395106fa9157b300f463b43169ea85ec9ff0d9a5377cb5ebc2bb2f637e2a1fe9ff61728e xtables-addons-3.21.tar.xz" diff --git a/main/xz/APKBUILD b/main/xz/APKBUILD index a8022f590e5..1e4bd3c428b 100644 --- a/main/xz/APKBUILD +++ b/main/xz/APKBUILD @@ -2,13 +2,18 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=xz pkgver=5.2.5 -pkgrel=0 +pkgrel=1 pkgdesc="Library and CLI tools for XZ and LZMA compressed files" url="https://tukaani.org/xz" arch="all" license="GPL-2.0-or-later AND Public-Domain AND LGPL-2.1-or-later" subpackages="$pkgname-dev $pkgname-doc $pkgname-libs" -source="https://tukaani.org/xz/xz-$pkgver.tar.xz" +source="https://tukaani.org/xz/xz-$pkgver.tar.xz + xzgrep-ZDI-CAN-16587.patch" + +# secfixes: +# 5.2.5-r1: +# - CVE-2022-1271 build() { ./configure \ @@ -38,4 +43,7 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb xz-5.2.5.tar.xz" +sha512sums=" +59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb xz-5.2.5.tar.xz +52b16268e333399444f433a11ccf3a9b020a6914ed23fc8e082128fec596011d7c6863d47414d4c0f245d20ebed4b3a50b422599b4b88d66f6c6eb2e74b9a939 xzgrep-ZDI-CAN-16587.patch +" diff --git a/main/xz/xzgrep-ZDI-CAN-16587.patch b/main/xz/xzgrep-ZDI-CAN-16587.patch new file mode 100644 index 00000000000..406ded5903e --- /dev/null +++ b/main/xz/xzgrep-ZDI-CAN-16587.patch @@ -0,0 +1,94 @@ +From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001 +From: Lasse Collin <lasse.collin@tukaani.org> +Date: Tue, 29 Mar 2022 19:19:12 +0300 +Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587). + +Malicious filenames can make xzgrep to write to arbitrary files +or (with a GNU sed extension) lead to arbitrary code execution. + +xzgrep from XZ Utils versions up to and including 5.2.5 are +affected. 5.3.1alpha and 5.3.2alpha are affected as well. +This patch works for all of them. + +This bug was inherited from gzip's zgrep. gzip 1.12 includes +a fix for zgrep. + +The issue with the old sed script is that with multiple newlines, +the N-command will read the second line of input, then the +s-commands will be skipped because it's not the end of the +file yet, then a new sed cycle starts and the pattern space +is printed and emptied. So only the last line or two get escaped. + +One way to fix this would be to read all lines into the pattern +space first. However, the included fix is even simpler: All lines +except the last line get a backslash appended at the end. To ensure +that shell command substitution doesn't eat a possible trailing +newline, a colon is appended to the filename before escaping. +The colon is later used to separate the filename from the grep +output so it is fine to add it here instead of a few lines later. + +The old code also wasn't POSIX compliant as it used \n in the +replacement section of the s-command. Using \<newline> is the +POSIX compatible method. + +LC_ALL=C was added to the two critical sed commands. POSIX sed +manual recommends it when using sed to manipulate pathnames +because in other locales invalid multibyte sequences might +cause issues with some sed implementations. In case of GNU sed, +these particular sed scripts wouldn't have such problems but some +other scripts could have, see: + + info '(sed)Locale Considerations' + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Thanks to Jim Meyering and Paul Eggert discussing the different +ways to fix this and for coordinating the patch release schedule +with gzip. +--- + src/scripts/xzgrep.in | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in +index b180936..e5186ba 100644 +--- a/src/scripts/xzgrep.in ++++ b/src/scripts/xzgrep.in +@@ -180,22 +180,26 @@ for i; do + { test $# -eq 1 || test $no_filename -eq 1; }; then + eval "$grep" + else ++ # Append a colon so that the last character will never be a newline ++ # which would otherwise get lost in shell command substitution. ++ i="$i:" ++ ++ # Escape & \ | and newlines only if such characters are present ++ # (speed optimization). + case $i in + (*' + '* | *'&'* | *'\'* | *'|'*) +- i=$(printf '%s\n' "$i" | +- sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g +- ');; ++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');; + esac +- sed_script="s|^|$i:|" ++ ++ # $i already ends with a colon so don't add it here. ++ sed_script="s|^|$i|" + + # Fail if grep or sed fails. + r=$( + exec 4>&1 +- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&- ++ (eval "$grep" 4>&-; echo $? >&4) 3>&- | ++ LC_ALL=C sed "$sed_script" >&3 4>&- + ) || r=2 + exit $r + fi >&3 5>&- +-- +2.35.1 + diff --git a/main/zfs-lts/APKBUILD b/main/zfs-lts/APKBUILD index c6115d7e877..9d2dd176373 100644 --- a/main/zfs-lts/APKBUILD +++ b/main/zfs-lts/APKBUILD @@ -8,7 +8,7 @@ _rel=0 _flavor=${FLAVOR:-lts} _kpkg=linux-$_flavor -_kver=5.10.88 +_kver=5.10.152 _krel=0 _kpkgver="$_kver-r$_krel" diff --git a/main/zlib/APKBUILD b/main/zlib/APKBUILD index e9f33ee6475..ef345c16e0c 100644 --- a/main/zlib/APKBUILD +++ b/main/zlib/APKBUILD @@ -1,13 +1,24 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=zlib -pkgver=1.2.11 +pkgver=1.2.12 pkgrel=3 pkgdesc="A compression/decompression Library" arch="all" license="Zlib" url="https://zlib.net/" subpackages="$pkgname-static $pkgname-dev $pkgname-doc" -source="https://zlib.net/zlib-$pkgver.tar.gz" +source="https://zlib.net/zlib-$pkgver.tar.gz + Fix-CC-logic-in-configure.patch + configure-Pass-LDFLAGS-to-link-tests.patch + crc32.patch + $pkgname-CVE-2022-37434.patch::https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1.patch + $pkgname-CVE-2022-37434-bugfix.patch::https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch + " +# secfixes: +# 1.2.12-r2: +# - CVE-2022-37434 +# 1.2.12-r0: +# - CVE-2018-25032 build() { # we trade size for a little more speed. @@ -29,4 +40,11 @@ package() { DESTDIR="$pkgdir" } -sha512sums="73fd3fff4adeccd4894084c15ddac89890cd10ef105dd5e1835e1e9bbb6a49ff229713bd197d203edfa17c2727700fce65a2a235f07568212d820dca88b528ae zlib-1.2.11.tar.gz" +sha512sums=" +cc2366fa45d5dfee1f983c8c51515e0cff959b61471e2e8d24350dea22d3f6fcc50723615a911b046ffc95f51ba337d39ae402131a55e6d1541d3b095d6c0a14 zlib-1.2.12.tar.gz +faa19991e88cbfd624ac9ce4a0ba12e3d7d54f88680b1a0a156a542a45bafe2053d69c6f309327817f7cc74f5765204bbb3c56ff531efd29d8fd6bb682c78598 Fix-CC-logic-in-configure.patch +76179eb7e498aef5bc88c3f826c6f2506a2d3c3a2e2560ef1825bd4a9297d68b0d2390619a4b3b0b2e6dde765431e5fba18fd15fbd1ad99827244f8f9bdbd909 configure-Pass-LDFLAGS-to-link-tests.patch +38f0593a0bc17336d31191b7af684e31ec2eb34bd3add49bcb1f95c5e2bfb4405ffc341c2650d52c4fbf417ab4f80a0cc82fb868c9816b04d25210ae29a71f2c crc32.patch +13bf48cb15636d77428e7e20d8c72d772eade1e099740f8541b7adee0e789097fa867512b6f3ebcff8496727999f2bf408e38414771c9b4440ad283f4c029558 zlib-CVE-2022-37434.patch +cadeb0b05da99435c2074cb0d7aebdec2bad1c745856c8ac6ea0f2474ef091d8efeea90deafe13757cbaa465ccfbbb1b8873a8025b24f3145b2a87abb84bac83 zlib-CVE-2022-37434-bugfix.patch +" diff --git a/main/zlib/Fix-CC-logic-in-configure.patch b/main/zlib/Fix-CC-logic-in-configure.patch new file mode 100644 index 00000000000..f34c40445de --- /dev/null +++ b/main/zlib/Fix-CC-logic-in-configure.patch @@ -0,0 +1,43 @@ +From 80d086357a55b94a13e43756cf3e131f25eef0e4 Mon Sep 17 00:00:00 2001 +From: Sam James <sam@gentoo.org> +Date: Mon, 28 Mar 2022 08:40:45 +0100 +Subject: [PATCH] Fix CC logic in configure + +In https://github.com/madler/zlib/commit/e9a52aa129efe3834383e415580716a7c4027f8d, +the logic was changed to try check harder for GCC, but it dropped +the default setting of cc=${CC}. It was throwing away any pre-set CC value as +a result. + +The rest of the script then cascades down a bad path because it's convinced +it's not GCC or a GCC-like compiler. + +This led to e.g. misdetection of inability to build shared libs +for say, multilib cases (w/ CC being one thing from the environment being used +for one test (e.g. x86_64-unknown-linux-gnu-gcc -m32 and then 'cc' used for +shared libs (but missing "-m32"!)). Obviously just one example of how +the old logic could break. + +This restores the old default of 'CC' if nothing overrides it later +in configure. + +Bug: https://bugs.gentoo.org/836308 +Signed-off-by: Sam James <sam@gentoo.org> +--- + configure | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/configure b/configure +index 52ff4a04e..3fa3e8618 100755 +--- a/configure ++++ b/configure +@@ -174,7 +174,10 @@ if test -z "$CC"; then + else + cc=${CROSS_PREFIX}cc + fi ++else ++ cc=${CC} + fi ++ + cflags=${CFLAGS-"-O3"} + # to force the asm version use: CFLAGS="-O3 -DASMV" ./configure + case "$cc" in diff --git a/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch b/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch new file mode 100644 index 00000000000..3689dd88d65 --- /dev/null +++ b/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch @@ -0,0 +1,74 @@ +From 37c9730ba474d274f4cc6a974943eef95087b9f6 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 8 Mar 2022 22:38:47 -0800 +Subject: [PATCH] configure: Pass LDFLAGS to link tests + +LDFLAGS can contain critical flags without which linking wont succeed +therefore ensure that all configure tests involving link time checks are +using LDFLAGS on compiler commandline along with CFLAGS to ensure the +tests perform correctly. Without this some tests may fail resulting in +wrong confgure result, ending in miscompiling the package + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + configure | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/configure b/configure +index e974d1fd7..69dfa3f69 100755 +--- a/configure ++++ b/configure +@@ -410,7 +410,7 @@ if test $shared -eq 1; then + echo Checking for shared library support... | tee -a configure.log + # we must test in two steps (cc then ld), required at least on SunOS 4.x + if try $CC -w -c $SFLAGS $test.c && +- try $LDSHARED $SFLAGS -o $test$shared_ext $test.o; then ++ try $LDSHARED $SFLAGS $LDFLAGS -o $test$shared_ext $test.o; then + echo Building shared library $SHAREDLIBV with $CC. | tee -a configure.log + elif test -z "$old_cc" -a -z "$old_cflags"; then + echo No shared library support. | tee -a configure.log +@@ -492,7 +492,7 @@ int main(void) { + } + EOF + fi +- if try $CC $CFLAGS -o $test $test.c; then ++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then + sizet=`./$test` + echo "Checking for a pointer-size integer type..." $sizet"." | tee -a configure.log + else +@@ -530,7 +530,7 @@ int main(void) { + return 0; + } + EOF +- if try $CC $CFLAGS -o $test $test.c; then ++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then + echo "Checking for fseeko... Yes." | tee -a configure.log + else + CFLAGS="${CFLAGS} -DNO_FSEEKO" +@@ -547,7 +547,7 @@ cat > $test.c <<EOF + #include <errno.h> + int main() { return strlen(strerror(errno)); } + EOF +-if try $CC $CFLAGS -o $test $test.c; then ++if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then + echo "Checking for strerror... Yes." | tee -a configure.log + else + CFLAGS="${CFLAGS} -DNO_STRERROR" +@@ -654,7 +654,7 @@ int main() + return (mytest("Hello%d\n", 1)); + } + EOF +- if try $CC $CFLAGS -o $test $test.c; then ++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then + echo "Checking for vsnprintf() in stdio.h... Yes." | tee -a configure.log + + echo >> configure.log +@@ -744,7 +744,7 @@ int main() + } + EOF + +- if try $CC $CFLAGS -o $test $test.c; then ++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then + echo "Checking for snprintf() in stdio.h... Yes." | tee -a configure.log + + echo >> configure.log diff --git a/main/zlib/crc32.patch b/main/zlib/crc32.patch new file mode 100644 index 00000000000..85a6a7e3ab4 --- /dev/null +++ b/main/zlib/crc32.patch @@ -0,0 +1,51 @@ +From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 +From: Mark Adler <madler@alumni.caltech.edu> +Date: Wed, 30 Mar 2022 11:14:53 -0700 +Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. + +The previous releases of zlib were not sensitive to incorrect CRC +inputs with bits set above the low 32. This commit restores that +behavior, so that applications with such bugs will continue to +operate as before. +--- + crc32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crc32.c b/crc32.c +index a1bdce5c2..451887bc7 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + /* Compute the CRC up to a word boundary. */ + while (len && ((z_size_t)buf & 7) != 0) { +@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) + #endif /* DYNAMIC_CRC_TABLE */ + + /* Pre-condition the CRC */ +- crc ^= 0xffffffff; ++ crc = (~crc) & 0xffffffff; + + #ifdef W + +@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; ++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); + } + + /* ========================================================================= */ +@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) + uLong crc2; + uLong op; + { +- return multmodp(op, crc1) ^ crc2; ++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff); + } diff --git a/main/zsh/APKBUILD b/main/zsh/APKBUILD index 9986a1ced0e..0b2bc50633b 100644 --- a/main/zsh/APKBUILD +++ b/main/zsh/APKBUILD @@ -3,6 +3,8 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> # # secfixes: +# 5.8.1-r0: +# - CVE-2021-45444 # 5.8-r0: # - CVE-2019-20044 # 5.4.2-r1: @@ -10,8 +12,8 @@ # - CVE-2018-1071 # pkgname=zsh -pkgver=5.8 -pkgrel=1 +pkgver=5.8.1 +pkgrel=0 pkgdesc="Very advanced and programmable command interpreter (shell)" url="https://www.zsh.org/" arch="all" @@ -102,6 +104,12 @@ build() { check() { cd "$builddir" + if [ "$CARCH" = "x86" ] || [ "$CARCH" = "ppc64le" ]; then + # fail on x86/ppc64le builders + rm Test/B03print.ztst + rm Test/A03quoting.ztst + fi + make test } @@ -165,5 +173,7 @@ _submv() { mv "$pkgdir"/$path "$subpkgdir"/${path%/*}/ } -sha512sums="96198ecef498b7d7945fecebbe6bf14065fa8c5d81a7662164579eba8206b79575812d292adea1864bc7487ac0818ba900e25f9ab3802449340de80417c2c533 zsh-5.8.tar.xz -1067ad916d8921fe8880e040453782dcaafb6c05566f72b806e71aef2c2a53f25b6039cf8133196dd52cf7e23b172452ef3f77188bab8c8b1a50c1ea6ffa176a zprofile" +sha512sums=" +f54a5a47ed15d134902613f6169c985680afc45a67538505e11b66b348fcb367145e9b8ae2d9eac185e07ef5f97254b85df01ba97294002a8c036fd02ed5e76d zsh-5.8.1.tar.xz +1067ad916d8921fe8880e040453782dcaafb6c05566f72b806e71aef2c2a53f25b6039cf8133196dd52cf7e23b172452ef3f77188bab8c8b1a50c1ea6ffa176a zprofile +" |