aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.gitlab-ci.yml9
-rw-r--r--community/ceph/30-32bit_fix.patch.noauto2
-rw-r--r--community/ceph/APKBUILD15
-rw-r--r--community/gitea/APKBUILD2
-rw-r--r--community/jenkins/APKBUILD14
-rw-r--r--community/jool-modules-lts/APKBUILD2
-rw-r--r--community/lua-resty-openidc/APKBUILD8
-rw-r--r--community/nnn/APKBUILD4
-rw-r--r--community/nss/APKBUILD8
-rw-r--r--community/perl-app-cpanminus/APKBUILD12
-rw-r--r--community/rtl8821ce-lts/APKBUILD2
-rw-r--r--community/rtpengine-lts/APKBUILD2
-rw-r--r--main/alpine-base/APKBUILD2
-rw-r--r--main/amavis/APKBUILD54
-rw-r--r--main/amavis/amavisd-conf.patch33
-rw-r--r--main/apache2/APKBUILD12
-rw-r--r--main/bash/APKBUILD24
-rw-r--r--main/bind/APKBUILD13
-rw-r--r--main/bind/bind-9.16.20-map-format-fix.patch8
-rw-r--r--main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch40
-rw-r--r--main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch68
-rw-r--r--main/busybox/APKBUILD20
-rw-r--r--main/busybox/traceroute-opt-x.patch26
-rw-r--r--main/ca-certificates/APKBUILD19
-rw-r--r--main/cairo/APKBUILD12
-rw-r--r--main/cairo/fix-inf-loop-patch36
-rw-r--r--main/clamav/APKBUILD15
-rw-r--r--main/cryptsetup/APKBUILD8
-rw-r--r--main/curl/APKBUILD20
-rw-r--r--main/curl/CVE-2022-22576.patch143
-rw-r--r--main/curl/CVE-2022-27774-pre.patch41
-rw-r--r--main/curl/CVE-2022-27774.patch78
-rw-r--r--main/curl/CVE-2022-27775.patch35
-rw-r--r--main/curl/CVE-2022-27776.patch113
-rw-r--r--main/cyrus-sasl/APKBUILD24
-rw-r--r--main/cyrus-sasl/CVE-2019-19906.patch15
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch25
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch31
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch17
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch11
-rw-r--r--main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch16
-rw-r--r--main/dahdi-linux-lts/APKBUILD2
-rw-r--r--main/esh/APKBUILD6
-rw-r--r--main/expat/APKBUILD51
-rw-r--r--main/expat/CVE-2021-45960.patch59
-rw-r--r--main/expat/CVE-2021-46143.patch43
-rw-r--r--main/expat/CVE-2022-22822.patch250
-rw-r--r--main/expat/CVE-2022-23852.patch27
-rw-r--r--main/expat/CVE-2022-23990.patch42
-rw-r--r--main/expat/CVE-2022-25235.patch43
-rw-r--r--main/expat/CVE-2022-25236-regression.patch171
-rw-r--r--main/expat/CVE-2022-25236.patch33
-rw-r--r--main/expat/CVE-2022-25313-regression.patch243
-rw-r--r--main/expat/CVE-2022-25313.patch223
-rw-r--r--main/expat/CVE-2022-25314.patch25
-rw-r--r--main/expat/CVE-2022-25315.patch139
-rw-r--r--main/flac/APKBUILD9
-rw-r--r--main/freetype/APKBUILD19
-rw-r--r--main/freetype/CVE-2022-27404.patch44
-rw-r--r--main/freetype/CVE-2022-27405.patch36
-rw-r--r--main/freetype/CVE-2022-27406.patch27
-rw-r--r--main/git/APKBUILD11
-rw-r--r--main/gmp/APKBUILD10
-rw-r--r--main/gzip/APKBUILD14
-rw-r--r--main/haproxy/APKBUILD6
-rw-r--r--main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch318
-rw-r--r--main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch72
-rw-r--r--main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch99
-rw-r--r--main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch113
-rw-r--r--main/hostapd/APKBUILD20
-rw-r--r--main/intel-ucode/APKBUILD43
-rw-r--r--main/krb5/APKBUILD6
-rw-r--r--main/ldb/APKBUILD11
-rw-r--r--main/ldb/skip-failing-tests.patch35
-rw-r--r--main/libarchive/APKBUILD11
-rw-r--r--main/libxml2/APKBUILD12
-rw-r--r--main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch64
-rw-r--r--main/libxslt/APKBUILD10
-rw-r--r--main/lighttpd/APKBUILD14
-rw-r--r--main/linux-lts/APKBUILD30
-rw-r--r--main/linux-lts/config-lts.aarch6416
-rw-r--r--main/linux-lts/config-lts.armv717
-rw-r--r--main/linux-lts/config-lts.mips6410
-rw-r--r--main/linux-lts/config-lts.ppc64le12
-rw-r--r--main/linux-lts/config-lts.s390x10
-rw-r--r--main/linux-lts/config-lts.x8612
-rw-r--r--main/linux-lts/config-lts.x86_6414
-rw-r--r--main/linux-lts/config-virt.aarch6412
-rw-r--r--main/linux-lts/config-virt.armv714
-rw-r--r--main/linux-lts/config-virt.ppc64le11
-rw-r--r--main/linux-lts/config-virt.x8612
-rw-r--r--main/linux-lts/config-virt.x86_6412
-rw-r--r--main/logrotate/APKBUILD5
-rw-r--r--main/logrotate/logrotate.conf3
-rw-r--r--main/lz4/APKBUILD11
-rw-r--r--main/lz4/CVE-2021-3520.patch22
-rw-r--r--main/mariadb/APKBUILD39
-rw-r--r--main/mbedtls/APKBUILD6
-rw-r--r--main/ncurses/APKBUILD2
-rw-r--r--main/nodejs/APKBUILD12
-rw-r--r--main/openrc/0015-CVE-2018-21269.patch (renamed from main/openrc/CVE-2018-21269.patch)0
-rw-r--r--main/openrc/0016-fix-typo-synbolic-symbolic.patch22
-rw-r--r--main/openrc/0017-checkpath-replace-mkdir-with-mkdirat.patch33
-rw-r--r--main/openrc/0018-checkpath-remove-extra-slashes.patch106
-rw-r--r--main/openrc/0019-checkpath-fix-code-to-walk-the-directory-path.patch32
-rw-r--r--main/openrc/APKBUILD18
-rw-r--r--main/openrc/seedrng.patch619
-rw-r--r--main/opensmtpd/APKBUILD4
-rw-r--r--main/opensmtpd/smtpd.initd8
-rw-r--r--main/openssl/APKBUILD8
-rw-r--r--main/openvpn/APKBUILD12
-rw-r--r--main/postfix/APKBUILD4
-rw-r--r--main/postgresql/APKBUILD4
-rw-r--r--main/privoxy/APKBUILD13
-rw-r--r--main/rdiff-backup/APKBUILD3
-rw-r--r--main/rsyslog/APKBUILD8
-rw-r--r--main/rsyslog/CVE-2022-24903.patch57
-rw-r--r--main/rsyslog/rsyslog.logrotate1
-rw-r--r--main/ruby/APKBUILD11
-rw-r--r--main/samba/APKBUILD20
-rw-r--r--main/subversion/APKBUILD8
-rw-r--r--main/tcpdump/APKBUILD54
-rw-r--r--main/tiny-cloud/APKBUILD65
-rw-r--r--main/tzdata/APKBUILD8
-rw-r--r--main/util-linux/APKBUILD21
-rw-r--r--main/util-linux/libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch40
-rw-r--r--main/varnish/0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch31
-rw-r--r--main/varnish/0002-VRB_Ignore-errors-and-connection-close-test-case.patch75
-rw-r--r--main/varnish/APKBUILD10
-rw-r--r--main/vim/APKBUILD53
-rw-r--r--main/xen/APKBUILD91
-rw-r--r--main/xen/hotplug-vif-vtrill.patch18
-rw-r--r--main/xen/qemu-xen_paths.patch8
-rw-r--r--main/xen/stubdom-hack.patch6
-rw-r--r--main/xen/xenqemu-xattr-size-max.patch10
-rw-r--r--main/xen/xsa386.patch29
-rw-r--r--main/xen/xsa388-4.14-1.patch174
-rw-r--r--main/xen/xsa388-4.14-2.patch36
-rw-r--r--main/xen/xsa389-4.14.patch180
-rw-r--r--main/xtables-addons-lts/APKBUILD2
-rw-r--r--main/xz/APKBUILD14
-rw-r--r--main/xz/xzgrep-ZDI-CAN-16587.patch94
-rw-r--r--main/zfs-lts/APKBUILD2
-rw-r--r--main/zlib/APKBUILD20
-rw-r--r--main/zlib/Fix-CC-logic-in-configure.patch43
-rw-r--r--main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch74
-rw-r--r--main/zlib/crc32.patch51
-rw-r--r--main/zsh/APKBUILD18
148 files changed, 4880 insertions, 1020 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6aa6c35c9b..bcd0310a83 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,18 +6,11 @@ variables:
GIT_STRATEGY: clone
GIT_DEPTH: "500"
-default:
- # Make sure master points to the correct upstream commit
- before_script:
- - >
- git fetch -nq $CI_MERGE_REQUEST_PROJECT_URL
- +refs/heads/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME:refs/heads/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
-
lint:
stage: lint
image: alpinelinux/apkbuild-lint-tools:latest
script:
- - changed-aports $CI_MERGE_REQUEST_TARGET_BRANCH_NAME | lint
+ - lint
allow_failure: true
only:
- merge_requests
diff --git a/community/ceph/30-32bit_fix.patch.noauto b/community/ceph/30-32bit_fix.patch.noauto
index dfa6a7ef6e..caa56b9e54 100644
--- a/community/ceph/30-32bit_fix.patch.noauto
+++ b/community/ceph/30-32bit_fix.patch.noauto
@@ -106,7 +106,7 @@ diff -uNr ceph-15.2.4/src/pybind/mgr/dashboard/frontend/package.json ceph-15.2.4
"@types/node": "12.12.34",
"@types/simplebar": "5.1.1",
"codelyzer": "5.2.2",
-- "cypress": "4.4.0",
+- "cypress": "9.0.0",
"html-linter": "1.1.1",
"htmllint-cli": "0.0.7",
"jest": "25.2.4",
diff --git a/community/ceph/APKBUILD b/community/ceph/APKBUILD
index 02e01e8852..c6eaebe763 100644
--- a/community/ceph/APKBUILD
+++ b/community/ceph/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Duncan Bellamy <dunk@denkimushi.com>
# Maintainer: Duncan Bellamy <dunk@denkimushi.com>
pkgname=ceph
-pkgver=15.2.15
+pkgver=15.2.16
pkgrel=0
pkgdesc="Ceph is a distributed object store and file system"
pkgusers="ceph"
@@ -26,8 +26,6 @@ _osd_daemon_deps="fuse snappy lz4-libs"
_osd_tools_deps="lz4-libs"
_ceph_volume_deps="lvm2"
_ceph_test_deps="
- xmlstarlet
- py3-argparse
py3-coverage
py3-flake8
py3-nodeenv
@@ -35,6 +33,7 @@ _ceph_test_deps="
py3-pytest
py3-tox
py3-yaml
+ xmlstarlet
"
makedepends="
acl-dev
@@ -54,7 +53,6 @@ makedepends="
fcgi-dev
flex
fmt-dev
- fuse
fuse-dev
git
grep
@@ -90,7 +88,6 @@ makedepends="
snappy-dev
userspace-rcu-dev
xfsprogs-dev
- xmlstarlet
yasm
$_base_deps
$_osd_daemon_deps
@@ -244,7 +241,7 @@ package() {
# udev rules
install -m 0644 -D udev/50-rbd.rules "$pkgdir"/etc/udev/rules.d/50-rbd.rules
# sudoers.d
- install -m 0600 -D sudoers.d/ceph-osd-smartctl "$pkgdir"/etc/sudoers.d/ceph-osd-smartctl
+ install -m 0600 -D sudoers.d/ceph-smartctl "$pkgdir"/etc/sudoers.d/ceph-smartctl
# copy out things that need splitting
mv "$pkgdir"/usr/share/ceph/mgr/dashboard/frontend/node_modules "$builddir"/
@@ -421,7 +418,7 @@ osd_daemon() {
amove usr/bin/ceph-osd
amove usr/libexec/ceph/ceph-osd-prestart.sh
- amove etc/sudoers.d/ceph-osd-smartctl
+ amove etc/sudoers.d/ceph-smartctl
amove etc/sysctl.d/90-ceph-osd.conf
install -m 750 -o $_ceph_uid -g $_ceph_gid -d \
"$subpkgdir"/var/lib/ceph/osd
@@ -545,12 +542,12 @@ _pkg() {
}
sha512sums="
-e4d929ffda5c3e31767d93340fb97b5d49ca1d5641f6c30134ce5542486fc4f72684aef2ef47cb940a332e8b9144d8cec63ce8a9f86c773dbc0ccebdd8e7fb19 ceph_15.2.15.orig.tar.gz
+532b8a5073e157fe9ed552b26976faeb64dc29b79a249910c0982134ad5f945d4f57d8bf451adf63487b6d285c6e4bd5c39f0e3fcd449230d6fb3087539f8c3b ceph_15.2.16.orig.tar.gz
110bdbcb40216c7ed155a8d23020784741b4992d895f4f04a146d275506e4e68053854d3b063b41e9c9b3e3e4f95b6b90602f92c185c853c0d8f47ad0c6b7121 ceph.confd
ce5f162501f6b67fe254546dddf880d1a5b1d1a0fa69e0b1918de17e8da45c5c6124512b8cbd98b76f29d931403de0d11c5ffd330ed8ee1f4dc75bb04baecae3 ceph.initd
c608f11cf358d76daf5281467a4ea941a81474fbe7f5faa41f7f4d0abaf9136a01576bbb1ab24bdd7bc91a49f66bd7f0a84717de5ec27250d74dd1e47e3b5dd3 10-musl-fixes.patch
427ab410aeb02d49c5caa8ff68c7b8df325229823d625b7069cd48c66dd9e129e742270850fb2be2238eb6fa12b8256845b4d94426ca96b2a9187b2726e78423 20-pci.patch
-68660da5df1fe290f88707feb3781b5ccb5310fa248fd8b7c5075811b3ad4620bcc0aaed8cde857ff63695160172a4bfb668efc8b0fa55745fb8301168c6fe66 30-32bit_fix.patch.noauto
+659b99b2cf9b6f0fb82a788b0d62ed818733c83b57663a3b74a016967110070963165719ff833776d3bef17c86e18abf7b1bc4c0e31e0d44b4ae61f4f80fea6a 30-32bit_fix.patch.noauto
f974ab36cd6fa49c1d4613203a4f2152723e4952a185dfb6349bc4ca8ee1a7a9d0477bea136c54248271de30a4e584734ba41e8ec41bf274b04074622888ae39 31-32bit_fix_tests.patch.noauto
62ef2e7e10978e9e0eef4a094bc63d9890f0d7e71eba0f0e15baede0597ea179a77924f6dbd4d4a9c9b151c9ae934f4c10d7f2a17ee960b017f942ec57c7af35 34-fix_cpu_detection.patch
8a3e902309238ae6917b4c5fe9fa371dad3ba8e01848f462a9b67ad8d69b8370a8957f6c88462a7016319fd323eb6d6c31415734db56485a8a8b279d2705aff5 35-fix_ErasureCodeShec.patch
diff --git a/community/gitea/APKBUILD b/community/gitea/APKBUILD
index 69849a72dc..07d416130e 100644
--- a/community/gitea/APKBUILD
+++ b/community/gitea/APKBUILD
@@ -23,7 +23,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/go-gitea/gitea/archive/v$pkg
builddir="$srcdir/src/code.gitea.io/$pkgname"
# secfixes:
-# 1.13.7:
+# 1.13.7-r0:
# - CVE-2021-29272
case "$CARCH" in
diff --git a/community/jenkins/APKBUILD b/community/jenkins/APKBUILD
index 1acdc75c4e..e986452f73 100644
--- a/community/jenkins/APKBUILD
+++ b/community/jenkins/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=jenkins
-pkgver=2.287
+pkgver=2.319.3
pkgrel=0
pkgdesc="Extendable continuous integration server (stable version)"
url="https://jenkins.io"
@@ -14,13 +14,17 @@ options="!check"
pkgusers="$pkgname"
pkggroups="$pkgname"
subpackages="$pkgname-openrc"
-source="$pkgname-$pkgver.war::http://mirrors.jenkins.io/war/$pkgver/jenkins.war
+source="$pkgname-$pkgver.war::https://get.jenkins.io/war-stable/$pkgver/jenkins.war
$pkgname.logrotate
$pkgname.initd
$pkgname.confd"
builddir="$srcdir/"
# secfixes:
+# 2.319.3-r0:
+# - CVE-2022-0538
+# 2.319.2-r0:
+# - CVE-2022-20612
# 2.287-r0:
# - CVE-2021-21639
# - CVE-2021-21640
@@ -61,7 +65,9 @@ package() {
chown -R $pkgusers:$pkggroups "$pkgdir"/var/log/jenkins
}
-sha512sums="03c64fa595bd2b9b8463fcd47cdb2ccbe46cd820bcfdc2b2f0a9ae406d2dd32e6a5c8f51ddb8bdbc20498ae27672fb0b6e6f3e3f894f00bbc3f8e80dd627faf1 jenkins-2.287.war
+sha512sums="
+d6d952c064cf0a52d94db7ccd1903d726b10dcc6f41b20a23ca319a6e64ad8d8259c308cf44183e37ad9e6583b71a4d904da7aacb892a68b8dda826c71a9a425 jenkins-2.319.3.war
74423d3c66e2312eb3a1590e0582ccd82fc01b410d3bfc0627bef56fe6f4e7f4ea01a7a2d92a7a0c4870a1a1c48e911fe7eab3073e14db4910b52158182e5856 jenkins.logrotate
43686a537248c7a0a8fe53c3ca9577c8ffb50a141248de028d398d0fd3b3be8562b6cb2c63b44b3b0ac58d6431e8907790553791b2e125d1bfc2e3263ffaa83e jenkins.initd
-7247750a13fc2537dc1e405f6d8221ccdc80cfbaf40c47327ee04c206afa8607ada52e7b895c8eb3489dd9f6a94b42b8b38110b3120948a35dc4f197fe4c08ed jenkins.confd"
+7247750a13fc2537dc1e405f6d8221ccdc80cfbaf40c47327ee04c206afa8607ada52e7b895c8eb3489dd9f6a94b42b8b38110b3120948a35dc4f197fe4c08ed jenkins.confd
+"
diff --git a/community/jool-modules-lts/APKBUILD b/community/jool-modules-lts/APKBUILD
index bda20aca1c..e2ac5a91b4 100644
--- a/community/jool-modules-lts/APKBUILD
+++ b/community/jool-modules-lts/APKBUILD
@@ -21,7 +21,7 @@ fi
# Kernel version
# Keep in sync with main/linux-lts!
_kpkg=linux-$_flavor
-_kver=5.10.78
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/lua-resty-openidc/APKBUILD b/community/lua-resty-openidc/APKBUILD
index f33d0636d1..69d1e20a3f 100644
--- a/community/lua-resty-openidc/APKBUILD
+++ b/community/lua-resty-openidc/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Timo Teräs <timo.teras@iki.fi>
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=lua-resty-openidc
-pkgver=1.7.1
-pkgrel=1
+pkgver=1.7.5
+pkgrel=0
pkgdesc="OpenID Connect library for the nginx lua module"
url="https://github.com/zmartzone/$pkgname"
arch="noarch"
@@ -18,4 +18,6 @@ package() {
cp -r ./lib/resty "$pkgdir/usr/share/lua/common"
}
-sha512sums="ce52684ebb3a492382e93a71a11c62d1cd17d1a3fd266e7d95453729abeb036ed99fded1a9cee55aec444d7a3e36d7cebd7a537006dff71fafd5dc8aa4c32378 lua-resty-openidc-1.7.1.tar.gz"
+sha512sums="
+d483efff27a0566ffadeb8f0da0df0147e9510bcfd5f4d295c7ce11925af882c9604e8d72f676bd9d6b6ded83c2c9f65ff958605856a8d218d4992136f0f4577 lua-resty-openidc-1.7.5.tar.gz
+"
diff --git a/community/nnn/APKBUILD b/community/nnn/APKBUILD
index 0d2d17b36d..ac794966e6 100644
--- a/community/nnn/APKBUILD
+++ b/community/nnn/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=nnn
pkgver=3.5
-pkgrel=2
+pkgrel=3
pkgdesc="The unorthodox terminal file manager"
url="https://github.com/jarun/nnn"
arch="all"
@@ -41,7 +41,7 @@ plugins() {
install -D -m 0755 "$srcdir"/nnn-getplugs "$destdir"/getplugs
mkdir -p "$subpkgdir"/usr/bin
- ln -s "$destdir"/getplugs "$subpkgdir"/usr/bin/nnn-getplugs
+ ln -s ../share/$pkgname/plugins/getplugs "$subpkgdir"/usr/bin/nnn-getplugs
}
bashcomp() {
diff --git a/community/nss/APKBUILD b/community/nss/APKBUILD
index 194fb63406..4d36adf6a1 100644
--- a/community/nss/APKBUILD
+++ b/community/nss/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Rasmus Thomsen <oss@cogitri.dev>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=nss
-pkgver=3.66
+pkgver=3.68.3
pkgrel=0
pkgdesc="Mozilla Network Security Services"
url="https://developer.mozilla.org/docs/Mozilla/Projects/NSS"
@@ -24,6 +24,10 @@ source="https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM
options="!strip"
# secfixes:
+# 3.68.3-r0:
+# - CVE-2022-1097
+# 3.66-r0:
+# - CVE-2021-43527
# 3.58-r0:
# - CVE-2020-25648
# 3.55-r0:
@@ -185,7 +189,7 @@ tools() {
}
sha512sums="
-327129cb065a8c19246e081e3cbc4798c81dc52eab6ee366eade151e9d308990592075c52a7c672165725fd855a0c539d56a803c26ef066561c584d693e0e467 nss-3.66.tar.gz
+70fa8ab48d45249c04424979640583e8bc867432b7e3f26c1602db49a13861dd070f081ed82660bb7451f835dc859b5788ae12a67f9ddab1f6bd1a7afb1174d2 nss-3.68.3.tar.gz
75dbd648a461940647ff373389cc73bc8ec609139cd46c91bcce866af02be6bcbb0524eb3dfb721fbd5b0bc68c20081ed6f7debf6b24317f2a7ba823e8d3c531 nss.pc.in
0f2efa8563b11da68669d281b4459289a56f5a3a906eb60382126f3adcfe47420cdcedc6ab57727a3afeeffa2bbb4c750b43bef8b5f343a75c968411dfa30e09 nss-util.pc.in
09c69d4cc39ec9deebc88696a80d0f15eb2d8c94d9daa234a2adfec941b63805eb4ce7f2e1943857b938bddcaee1beac246a0ec627b71563d9f846e6119a4a15 nss-softokn.pc.in
diff --git a/community/perl-app-cpanminus/APKBUILD b/community/perl-app-cpanminus/APKBUILD
index 96aa80a624..fcabee9597 100644
--- a/community/perl-app-cpanminus/APKBUILD
+++ b/community/perl-app-cpanminus/APKBUILD
@@ -4,8 +4,8 @@
pkgname=perl-app-cpanminus
#_pkgreal is used by apkbuild-cpan to find modules at MetaCpan
_pkgreal=App-cpanminus
-pkgver=1.7044
-pkgrel=3
+pkgver=1.7045
+pkgrel=0
pkgdesc="Get, unpack, build and install modules from CPAN"
url="https://metacpan.org/release/App-cpanminus/"
arch="noarch"
@@ -16,6 +16,10 @@ subpackages="$pkgname-doc"
source="https://cpan.metacpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-$pkgver.tar.gz"
builddir="$srcdir/$_pkgreal-$pkgver"
+# secfixes:
+# 1.7045-r0:
+# - CVE-2020-16154
+
build() {
export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
PERL_MM_USE_DEFAULT=1 perl -I. Makefile.PL INSTALLDIRS=vendor
@@ -32,4 +36,6 @@ package() {
find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
}
-sha512sums="85e88de8fbefabdfd84fe8aeaa8294d58d63e27276cd6d8b8dfc5dc4cd6c30c12f5859f30e4930842d6d06af50c88d71358dee49c93821234c811aa39de822d7 App-cpanminus-1.7044.tar.gz"
+sha512sums="
+450b5e1aaa8774a1bc3ae93d7535d9ef7a175417f3e55e88bc8cab208e27334f5d2f69f7c709b8394476410a8f3eeea26b7369c3ab9565985a56b0bbf6310513 App-cpanminus-1.7045.tar.gz
+"
diff --git a/community/rtl8821ce-lts/APKBUILD b/community/rtl8821ce-lts/APKBUILD
index 600e66afa3..723a5f4cc6 100644
--- a/community/rtl8821ce-lts/APKBUILD
+++ b/community/rtl8821ce-lts/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Kevin Daudt <kdaudt@alpinelinux.org>
# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
-_kver=5.10.78
+_kver=5.10.109
_krel=0
_flavor="$FLAVOR"
[ -z "$_flavor" ] && _flavor=lts
diff --git a/community/rtpengine-lts/APKBUILD b/community/rtpengine-lts/APKBUILD
index 40bf67fccb..4bd55c7580 100644
--- a/community/rtpengine-lts/APKBUILD
+++ b/community/rtpengine-lts/APKBUILD
@@ -5,7 +5,7 @@ _ver=9.0.1.10
_rel=0
# kernel version
-_kver=5.10.78
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD
index 42b593bacc..474bf5df88 100644
--- a/main/alpine-base/APKBUILD
+++ b/main/alpine-base/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-base
-pkgver=3.13.7
+pkgver=3.13.10
pkgrel=0
pkgdesc="Meta package for minimal alpine base"
url="https://alpinelinux.org"
diff --git a/main/amavis/APKBUILD b/main/amavis/APKBUILD
index 7b41bc8578..69468922fc 100644
--- a/main/amavis/APKBUILD
+++ b/main/amavis/APKBUILD
@@ -1,8 +1,7 @@
-# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=amavis
-pkgver=2.12.1
-pkgrel=0
+pkgver=2.12.2
+pkgrel=1
pkgdesc="High-performance interface between mailer (MTA) and content checkers"
url="https://gitlab.com/amavis/amavis"
arch="noarch !x86" # perl-db
@@ -13,7 +12,7 @@ depends="sed file perl perl-archive-zip perl-carp perl-convert-tnef
perl-exporter perl-io-stringy perl-mime-tools
perl-mailtools perl-socket perl-net-libidn perl-net-server
perl-time-hires perl-unix-syslog perl-mail-dkim
- perl-io-socket-inet6
+ perl-io-socket-inet6 perl-io-socket-ssl
perl-mail-spamassassin
"
makedepends=""
@@ -23,47 +22,36 @@ subpackages="$pkgname-openrc"
source="https://gitlab.com/amavis/amavis/-/archive/v$pkgver/amavis-v$pkgver.tar.gz
amavisd.initd
amavisd.confd
+ amavisd-conf.patch
"
pkgusers="amavis"
pkggroups="amavis"
-
builddir="$srcdir"/$pkgname-v$pkgver
package() {
- cd "$builddir"
- (
- HOME=/var/amavis
- QUARANTINE=$HOME/quarantine
- USER=amavis
- GROUP=amavis
- DIRS="$HOME $HOME/tmp $HOME/var $HOME/db $HOME/home $QUARANTINE"
- CONFIG=/etc/amavisd.conf
+ _amavis_home=/var/amavis
- for dir in $DIRS
- do
- mkdir -p ${pkgdir}$dir
+ for dir in $_amavis_home/tmp \
+ $_amavis_home/var \
+ $_amavis_home/db \
+ $_amavis_home/home \
+ $_amavis_home/quarantine \
+ ; do
+ install -dm750 -o amavis -g amavis "${pkgdir}$dir"
done
- install -m 755 -o root -D amavisd $pkgdir/usr/sbin/amavisd
- install -m 755 -o root -D amavisd-nanny $pkgdir/usr/bin/amavisd-nanny
- install -m 755 -o root -D amavisd-release $pkgdir/usr/bin/amavisd-release
- sed -e "s:^.*\$MYHOME = .*$:\$MYHOME = '$HOME';:" \
- -e 's:^.*\$TEMPBASE = .*$:\$TEMPBASE = "\$MYHOME/tmp";:' \
- -e 's:^.*\$db_home = .*$:\$db_home = "$MYHOME/db";:' \
- -e "s:^.*\$QUARANTINEDIR = .*$:\$QUARANTINEDIR = '$QUARANTINE';:" \
- -e "s:^.*\$daemon_user = 'vscan';\(.*\)$:\$daemon_user = 'amavis';\1:" \
- -e "s:^.*\$daemon_group = 'vscan';\(.*\)$:\$daemon_group = 'amavis';\1:" < amavisd.conf > amavisd.conf.alpine
- install -m 640 -o root -D amavisd.conf.alpine ${pkgdir}${CONFIG}
- )
+ for file in amavisd amavisd-nanny amavisd-release amavisd.conf; do
+ install -Dm755 -o root -g amavis "$file" "$pkgdir/usr/sbin/$file"
+ done
+ install -Dm640 -o root -g amavis amavisd.conf "$pkgdir"/etc/amavisd.conf
install -Dm755 "$srcdir"/amavisd.initd "$pkgdir"/etc/init.d/amavisd
install -Dm644 "$srcdir"/amavisd.confd "$pkgdir"/etc/conf.d/amavisd
-
- chown -R amavis:amavis "$pkgdir"/var/amavis
- chmod -R 750 "$pkgdir"/var/amavis
- chown root:amavis "$pkgdir"/etc/amavisd.conf
}
-sha512sums="33bcc8606e142ed390cb368a7c640f96b70ecd1c8473e7d19f3125f89afde7a044981b9e3704c722c54472f88b2e4e54c89bab19bc28ceb89561aeb8ede04c8e amavis-v2.12.1.tar.gz
+sha512sums="
+7ef5ba670b530bf19352ba8aebd57a171e32d90adffc0b248b93a39f740fe4bb8ddf1d5ecdd46d0c9e1b4ca1a9ff0a9e86e73900e73a1a2cac514656c3a7db01 amavis-v2.12.2.tar.gz
6a9dd16a6b52f3d1fbd16887f29ccceddc58e88a02e681f23c1fe54b7e24feea5089d52813f4f3e87d9242daf79d2b2ea1e7c451d83d7de943403e71dc61c4e5 amavisd.initd
-a5ce3583c34197f335372728cf92da23bae2cd7a9ae48daff6eaadbf66fbd5be6bb8b480b0fce1ea2b3a662b0a54d1d2f1f277d2f9a06d9630b57fa5d7ac2635 amavisd.confd"
+a5ce3583c34197f335372728cf92da23bae2cd7a9ae48daff6eaadbf66fbd5be6bb8b480b0fce1ea2b3a662b0a54d1d2f1f277d2f9a06d9630b57fa5d7ac2635 amavisd.confd
+87f9c4489fb377e6e1315edcef75940b1a61a30c418106c1ef48eef4f425746333c550b270e0e6727fe89a68239f673f24392d81a53157ad487d3d2da1e95b4c amavisd-conf.patch
+"
diff --git a/main/amavis/amavisd-conf.patch b/main/amavis/amavisd-conf.patch
new file mode 100644
index 0000000000..708bd4a265
--- /dev/null
+++ b/main/amavis/amavisd-conf.patch
@@ -0,0 +1,33 @@
+--- a/amavisd.conf
++++ b/amavisd.conf
+@@ -17,15 +17,15 @@
+ # truncation in /proc/<pid>/stat and ps -e output
+
+ $max_servers = 2; # num of pre-forked children (2..30 is common), -m
+-$daemon_user = 'vscan'; # (no default; customary: vscan or amavis), -u
+-$daemon_group = 'vscan'; # (no default; customary: vscan or amavis), -g
++$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u
++$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g
+
+ $mydomain = 'example.com'; # a convenient default for other settings
+
+-# $MYHOME = '/var/amavis'; # a convenient default for other settings, -H
+-$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T
++$MYHOME = '/var/amavis';
++$TEMPBASE = "$MYHOME/tmp";
+ $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc.
+-$QUARANTINEDIR = '/var/virusmails'; # -Q
++$QUARANTINEDIR = '/var/amavis/quarantine';
+ # $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
+ # $release_format = 'resend'; # 'attach', 'plain', 'resend'
+ # $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf'
+@@ -44,7 +44,8 @@
+ $syslog_facility = 'mail'; # Syslog facility as a string
+ # e.g.: mail, daemon, user, local0, ... local7
+
+-$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
++# BDB is no longer supported in Alpine
++$enable_db = 0; # enable use of BerkeleyDB/libdb (SNMP and nanny)
+ # $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny)
+ $nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed
+ $enable_dkim_verification = 1; # enable DKIM signatures verification
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index 4b6dc0e204..723a3ec23b 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.51
+pkgver=2.4.53
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
@@ -51,6 +51,14 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.53-r0:
+# - CVE-2022-22719
+# - CVE-2022-22720
+# - CVE-2022-22721
+# - CVE-2022-23943
+# 2.4.52-r0:
+# - CVE-2021-44224
+# - CVE-2021-44790
# 2.4.51-r0:
# - CVE-2021-42013
# 2.4.50-r0:
@@ -379,7 +387,7 @@ _lua() {
}
sha512sums="
-9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66 httpd-2.4.51.tar.bz2
+07ef59594251a30a864cc9cc9a58ab788c2d006cef85b728f29533243927c63cb063e0867f2a306f37324c3adb9cf7dcb2402f3516b05c2c6f32469d475dd756 httpd-2.4.53.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
diff --git a/main/bash/APKBUILD b/main/bash/APKBUILD
index ac289ccc60..f25bd7e993 100644
--- a/main/bash/APKBUILD
+++ b/main/bash/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: TBK <alpine@jjtc.eu>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bash
-pkgver=5.1.0
+pkgver=5.1.16
_patchlevel=${pkgver##*.}
_myver=${pkgver%.*}
_patchbase=${_myver/./}
@@ -90,5 +90,23 @@ dev() {
mv "$pkgdir"/usr/lib/$pkgname/Makefile* "$subpkgdir"/usr/lib/$pkgname
}
-sha512sums="c44a0ce381469219548a3a27589af3fea4f22eda1ca4e9434b59fc16da81b471c29ce18e31590e0860a6a251a664b68c2b45e3a17d22cfc02799ffd9a208390c bash-5.1.tar.gz
-9d8845491d0fe335bdd8e9a2bd98bda54bfed2ae3c35b2196c6d5a38bdf96c4d97572ba7d6b19ab605ef4e8f001f64cf3312f87dedebb9e37a95ad2c44e33cdb bash-noinfo.patch"
+sha512sums="
+c44a0ce381469219548a3a27589af3fea4f22eda1ca4e9434b59fc16da81b471c29ce18e31590e0860a6a251a664b68c2b45e3a17d22cfc02799ffd9a208390c bash-5.1.tar.gz
+9d8845491d0fe335bdd8e9a2bd98bda54bfed2ae3c35b2196c6d5a38bdf96c4d97572ba7d6b19ab605ef4e8f001f64cf3312f87dedebb9e37a95ad2c44e33cdb bash-noinfo.patch
+1cd86805a2639614372aec29a710bc456e330abcbbaa0867820c94f714a1fa5fb5c1b18aa2c10263ae0bce9dad7579c7af2f732282315c1c34bfd6a90777bfd2 bash51-001
+923e7822a9629645347d3aea0058fb5e2d52223507159a62369309f264612df44a84931c19e0ccb3852e98ce672dfbd454477090b4041b5a0de477c94eb61088 bash51-002
+01e952dcfdae58624723d64912ea3444eed2fdcd266ba1a929b95ec3abd70f914bf400607c3f7bb7a94ac2925f794f91f37c1929d5bb987de2ba7f60a19cb8bd bash51-003
+10ff24cd91a2cd88818bfa7218050843af6b409e43fcca89f5ec70d8266020c6c2a55132426271f165cd0f154f49eb0f8ec2761b80fc066c921b83120bb543ce bash51-004
+fa83d894fe874a05b9a7d47b8bca8e5b7f4067221d82e8b1af616d17725592c3737c621f2a8ad3c917b29846012c37c85acd34dcbb43eb6b05065ccce89b260c bash51-005
+b9b6e3d71f7b7718e2e8598ec8e337dcc675571fb233c29e5230ebf14eab2249204531f2fe8c4d1459c5fed10acb679048588d1e457e98dbc00ffc4d2cd227e3 bash51-006
+e4ebdc47e780ddc2588ecdfcfe00cb618039c7044e250ab2b836b0735c461ebacd15beaf2145e277c70b7f51cded55bd8dde7757df810f33f8dae306ee5ba571 bash51-007
+97f9558a08a66cc9da62c285bf9118b39328e25ed3b9277728e0539b1ac0adef176a090e39cd96dc03d6fd900d8155bd58040cb3390a09f637bab1de8af3faf6 bash51-008
+2d3c65162ec4e5c3dfeb439891950ef2c43973a84122fcdf6b56c388466c7e671dbc9b236d2253f01411b668c365855263995dbacb8e6f9e9dbcb7e6c2cc518c bash51-009
+aac4a0b72b559566334f1029c52754f4c98185af99e09436e401d83ab81bab7882d0d8050674b30f171733f3628157777a264566e927e93db2ea5a18d26630f1 bash51-010
+bb9e47a570bb9758c365831f9650b9379b60862b8cef572edc3cd833df96ebb8b9612de474bdc2a03ff4efc2275f871d55962295385e38f3658874488e974b81 bash51-011
+59819914b6821d9f4af0aade7b9b7ea92368c2b8eb8407cea11dfeee7208905dd06bdef7a049d7b1c4fac41c44d9a130b95a061957a9649050b37471b3044cf1 bash51-012
+67535155f49a7f54f151e62aba9274f82d01f33a1a1a7e5efd1aa0d63ba2d078765f0b5e22cb24db7132eff2d8c5852a3688298baa5217b8b6e159aae065d748 bash51-013
+f658ab7ef01ba1d26f735e24b23bf35687e15b0d5d20f90da233d000745a55bdba142c11e9fba52e3b84470ec625fab60cc74cd6be533d990496a3795c658e88 bash51-014
+fd4bc85f942a3a16c545f7e951a24f620ff2d884640dea6e05f305aaf88ed41862bfb05eea2258881608de696f9dc7a0fe3bebb51a011f50b720ea7a66699184 bash51-015
+020b3f3db77ca603a27a3423323538db5c9844be17ee428cf7cda80bebdcc715d30eab6c95773541cb8d14f3ad9e6142bf0adcda0e745ee638242508cc0ab05f bash51-016
+"
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index b1550e5cd8..693203d624 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -5,12 +5,12 @@
# Contributor: ungleich <alpinelinux@ungleich.ch>
# Maintainer:
pkgname=bind
-pkgver=9.16.20
+pkgver=9.16.27
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
_major=${pkgver%%.*}
[ "$_p" != "$pkgver" ] && _ver="$_ver-P$_p"
-pkgrel=1
+pkgrel=0
pkgdesc="The ISC DNS server"
url="https://www.isc.org/"
arch="all"
@@ -57,10 +57,14 @@ source="
named.conf.recursive
127.zone
localhost.zone
- bind-9.16.20-map-format-fix.patch
"
# secfixes:
+# 9.16.27-r0:
+# - CVE-2022-0396
+# - CVE-2021-25220
+# 9.16.25-r0:
+# - CVE-2021-25219
# 9.16.20-r0:
# - CVE-2021-25218
# 9.16.15-r0:
@@ -273,7 +277,7 @@ _gpgfingerprints="
"
sha512sums="
-bd4ffcc2589ca8f1ac228576ec11e86f317d5a78d7964a0a7ae70b2fa38831d5bd65c2e8c35d8190502de7139f85d8b080b3b8ee968811a8df78e5761781525d bind-9.16.20.tar.xz
+5c71f228db83aa8cc9e65466d6e5afca4a9f80c693358111a003fe09e1a14522175eb2b6a0f11e2a2cd4fdba01f2ae315de52e394a441b3861ca2a011e02af62 bind-9.16.27.tar.xz
2b32d1e7f62cd1e01bb4fdd92d15460bc14761b933d5acc463a91f5ecd4773d7477c757c5dd2738e8e433693592cf3f623ffc142241861c91848f01aa84640d6 bind.plugindir.patch
7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
53db80f7ee4902f42fb1d0bc959242bcb6f20d95256bda99ce2c206af8b4703c7f72bb26d026c633f70451b84a37c3946b210951e34dd5d6620b181cd0183de4 named.initd
@@ -282,5 +286,4 @@ d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793
3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
-d9224712ee2c6f6d0ff483ed253497548935fe35f45e5bdf26c9bd25c6234adde00727df7eb49fbfbfb34aad9d9fa0f112e900804794ad90a5cd8a64e9db61c6 bind-9.16.20-map-format-fix.patch
"
diff --git a/main/bind/bind-9.16.20-map-format-fix.patch b/main/bind/bind-9.16.20-map-format-fix.patch
deleted file mode 100644
index f6e3c9b378..0000000000
--- a/main/bind/bind-9.16.20-map-format-fix.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- a/lib/dns/mapapi
-+++ b/lib/dns/mapapi
-@@ -13,4 +13,4 @@
- # Whenever releasing a new major release of BIND9, set this value
- # back to 1.0 when releasing the first alpha. Map files are *never*
- # compatible across major releases.
--MAPAPI=2.0
-+MAPAPI=3.0
diff --git a/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 0000000000..1d1716e3b0
--- /dev/null
+++ b/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,40 @@
+From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index 0e0b247b8..02c061e67 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ );
+ if (rc)
+ return NULL;
++ /* ensure host contains only printable characters */
+ if (flags & IGNORE_PORT)
+- return xstrdup(host);
++ return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ if (sa->sa_family == AF_INET6) {
+ if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ /* For now we don't support anything else, so it has to be INET */
+ /*if (sa->sa_family == AF_INET)*/
+- return xasprintf("%s:%s", host, serv);
++ return xasprintf("%s:%s", printable_string(host), serv);
+ /*return xstrdup(host);*/
+ }
+
+--
+2.35.1
+
diff --git a/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..01c45c9ba6
--- /dev/null
+++ b/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,68 @@
+From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
+ printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4..4bdcde1b8 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Unable to uncompress domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf(format, ns_rr_name(rr), dname);
++ printf(format, ns_rr_name(rr), printable_string(dname));
+ break;
+
+ case ns_t_mx:
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ break;
+
+ case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ if (n > 0) {
+ memset(dname, 0, sizeof(dname));
+ memcpy(dname, ns_rr_rdata(rr) + 1, n);
+- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ }
+ break;
+
+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ }
+
+ printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
+- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
++ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
+ break;
+
+ case ns_t_soa:
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ return -1;
+ }
+
+- printf("\tmail addr = %s\n", dname);
++ printf("\tmail addr = %s\n", printable_string(dname));
+ cp += n;
+
+ printf("\tserial = %lu\n", ns_get32(cp));
+--
+2.35.1
+
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 794f086804..6dcf60aa7a 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.32.1
-pkgrel=7
+pkgrel=8
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url="https://busybox.net/"
arch="all"
@@ -38,12 +38,15 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
0001-echo-do-not-assume-that-free-leaves-errno-unmodified.patch
- traceroute-opt-x.patch::https://git.busybox.net/busybox/patch/?id=89358a7131d3e75c74af834bb117b4fad7914983
+ traceroute-opt-x.patch
CVE-2021-42374.patch
CVE-2021-42375.patch
awk-fixes.patch
+ 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+ 0002-nslookup-sanitize-all-printed-strings-with-printable.patch
+
acpid.logrotate
busyboxconfig
busyboxconfig-extras
@@ -54,6 +57,9 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
"
# secfixes:
+# 1.32.1-r8:
+# - ALPINE-13661
+# - CVE-2022-28391
# 1.32.1-r7:
# - CVE-2021-42374
# - CVE-2021-42375
@@ -249,7 +255,8 @@ ifupdown() {
mkdir -p "$subpkgdir"
}
-sha512sums="3a33e99adaf7cbd51dcbeb31b5361123bf61ac040c0a032656c654ddb69c4074af75fb4335ba63f283067f61a22d7d7cbca8e1ed265c9522982c453ce48ea2fd busybox-1.32.1.tar.bz2
+sha512sums="
+3a33e99adaf7cbd51dcbeb31b5361123bf61ac040c0a032656c654ddb69c4074af75fb4335ba63f283067f61a22d7d7cbca8e1ed265c9522982c453ce48ea2fd busybox-1.32.1.tar.bz2
84a6599d327d33350432d1f332006d8ce04363ecc53836a98a6180e0cc32fbc4f12c3f9f2b112a1cb2e787dce705b04562347d008465256e796c808433a188b6 0001-lineedit-fix-tab-completion-with-equal-sign.patch
ead3403578c071c2216de17ab0543984c1f1509c12c062f03af49141547c3ea21356f3e8f0f0695550f05a41a1379dd73fc3cc18dcd78addbb411f247351e353 0001-nologin-Install-applet-to-sbin-instead-of-usr-sbin.patch
a2787a3ecaf6746dadef62166e8ee6ecaa166147e5ad8b917c5838536057c875bab5f9cf40c3e05eba74d575484ac662929ac3799d58432d3a99ac46f364f302 0001-adduser-default-to-sbin-nologin-as-shell-for-system-.patch
@@ -265,14 +272,17 @@ df02adb3e3cd3349cc8d070911e3392164cb2e30bd72cae7ceaa974b2db6f958fdcedf809abc7b4b
3b13ba6bd9b697e48864cb5376849c1ac95b30650e3e27605cc05edf4fdc1ecbb4c4503d4fe9012a581bcd660f6bb44d644575cf437d30423614cb83ee92c22c 0010-Add-flag-for-not-following-symlinks-when-recursing.patch
4d043999ffbf6875e6b28ffdb43a36dd5d37d51e862ed7d89c6007e38cdda056292c5322a3ac3189fd489bf3ad1cce7b20508a96aee55c09f09354e1c3f5f5fe 0012-udhcpc-Don-t-background-if-n-is-given.patch
1ec62ab67e32684e2bbfbafefc9e2bffeb758248a97a1ed9468f449d1fc67fca5c1a6743acc889e12c6f18636708e35ba4bab3345c4994eea6be11f10c9a128c 0001-echo-do-not-assume-that-free-leaves-errno-unmodified.patch
-c6dc917e67ab4c9aa0294f22707fd3cfc8cb37d703d8a0bce7f257ac9fb931dc4b815ab1d5e4f3ed3520b6ba046bdc1fbd0d1f8ed73b8d2d51f9238f03e03688 traceroute-opt-x.patch
+90598077e3000efa92167d446211965737bd3ee8c9dc29b6a33ebbd7c2e2a52eaadd225a1695bc4375ae0ec90a533915926de5fa4364d880b6c99934d7b0f916 traceroute-opt-x.patch
0e241dc63d49103569852089c07149a2ff2599331f988ca20e8f6f606e560795b919ceffb6b3f4f1aba56b688b969c52bfdc2d1deb7c6ec08deaf707771b996a CVE-2021-42374.patch
9efaef6fd2099e3f2adf04a6c77a67bf6be84324565ce39725111b1538974d2e2c7febe9ad17086e7f900e9c0335a8e43e2330ddb6547772b4e5443f5cbc704e CVE-2021-42375.patch
52c885b9e0f9cfaf6d1ab8f7c988f9e43bc422a9017ea4e369fc79cd0e63510b8eb375dde88ec138382b1d67c8045b661fda150434d80c131bd1b7302ee02771 awk-fixes.patch
+b52050678e79e4da856956906d07fcb620cbf35f2ef6b5a8ee3b8d244ea63b4b98eef505451184d5b4937740d91eef154ed748c30d329ac485be51b37626f251 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+ead4ad65d270d8659e1898fa16f76b6cbcf567d8aba238eacccda3764edb4362240d9359d6389873bedc126d405f805fc6dfce653a7181618ebcc67c94bd08d2 0002-nslookup-sanitize-all-printed-strings-with-printable.patch
aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1 acpid.logrotate
2f093f620b6d9dcef6e2e00c5395143b6497882653b4155ff313dff26210be91059cabafc606324c0230e80a461e0560839b14bf37e20671a7b8762f488b6c8f busyboxconfig
931e628184a25ae29760f7853c15c570dfb33075af167346e9662b9c7c5829e834ec81027bb10526c376261d229152bb096eb741cea0a5c0e3c614dd2c9d287e busyboxconfig-extras
0becc2186d6c32fb0c401cf7bc0e46268b38ce8892db33be1daf40273024c1c02d518283f44086a313a2ccef34230a1d945ec148cc173f26e6aa9d88a7426e54 bbsuid.c
b993ce589685d5d1f806153d0b7f71657f2d37556654ec60884130a40f09acc4944a13e0a4d02914000bedd779e5a35da08c760fed5f7ca5b601243aff7ba2c9 dad.if-up
646ad9aefe3596d0170d92c8506ca1846e43b5b83cbef97ae565f15ffa7b14665a8c7061bc69c608c043f834c134c5d63f042509f8999031e89163508a868e46 ssl_client.c
-c3194ccffe7300a0f55d50fb56d38c8df55d588adac13056fd0be2676594974477f94de5570a5a882bc864c3711cf67aa43b6ad6808e672f4533dd0f7363d2f5 default.script"
+c3194ccffe7300a0f55d50fb56d38c8df55d588adac13056fd0be2676594974477f94de5570a5a882bc864c3711cf67aa43b6ad6808e672f4533dd0f7363d2f5 default.script
+"
diff --git a/main/busybox/traceroute-opt-x.patch b/main/busybox/traceroute-opt-x.patch
new file mode 100644
index 0000000000..eea1789100
--- /dev/null
+++ b/main/busybox/traceroute-opt-x.patch
@@ -0,0 +1,26 @@
+From 89358a7131d3e75c74af834bb117b4fad7914983 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 2 Feb 2021 13:48:21 +0100
+Subject: traceroute: fix option parsing
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ networking/traceroute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/networking/traceroute.c b/networking/traceroute.c
+index 3f1a9ab46..29f5e480b 100644
+--- a/networking/traceroute.c
++++ b/networking/traceroute.c
+@@ -896,7 +896,7 @@ traceroute_init(int op, char **argv)
+
+ op |= getopt32(argv, "^"
+ OPT_STRING
+- "\0" "-1:x-x" /* minimum 1 arg */
++ "\0" "-1" /* minimum 1 arg */
+ , &tos_str, &device, &max_ttl_str, &port_str, &nprobes_str
+ , &source, &waittime_str, &pausemsecs_str, &first_ttl_str
+ );
+--
+cgit v1.2.3
+
diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD
index c2f84505b3..8d3ba9faee 100644
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ca-certificates
-pkgver=20191127
-pkgrel=5
+pkgver=20211220
+pkgrel=0
pkgdesc="Common CA certificates PEM files from Mozilla"
url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
arch="all"
@@ -16,16 +16,10 @@ replaces="libcrypto1.0 openssl openssl1.0"
options="!fhs !check"
triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs:/etc/ca-certificates/update.d"
install="$pkgname.post-deinstall"
-source="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/$pkgver/ca-certificates-$pkgver.tar.bz2
- 0001-update-ca-fix-compiler-warning.patch
- 0002-replace-python-script-with-perl-script.patch
- 0003-update-ca-insert-newline-between-certs.patch
- "
+source="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/$pkgver/ca-certificates-$pkgver.tar.bz2"
build() {
make
- # remove expired cert (https://gitlab.alpinelinux.org/alpine/aports/issues/11607)
- rm AddTrust_External_Root.crt
}
package() {
@@ -70,7 +64,6 @@ bundle() {
"$subpkgdir"/etc/ssl/cert.pem
}
-sha512sums="05e3a11efd80ea88eb81774e084febe4b8d1fa48f01f49e5ed3d469e10a2769260a264faed42ea3a0b725659cda1cc4a67ce5575fe04cdff9dc1c08207911c9b ca-certificates-20191127.tar.bz2
-aafe6d9047380fc403792fbf27146dc9c0532ef401e6eb9bd8b533c110f902cad0a66701cf3563ad625d07ae54619e9f2f3091ec14772b92e178dbed142ecd97 0001-update-ca-fix-compiler-warning.patch
-4d9c71b9ea0596f5efaa188f244b7ab587f96c218bb6fed01f11e34c553909f65bbe660156f8300be9511ae50614661c5dcd3b493ac146a8e888f62fc52bd9d4 0002-replace-python-script-with-perl-script.patch
-051b5d78916ee7389dfbd4e8871aab720415bd6e9ee0313dba770fc40ee7c68ac67d7918f2503458a3218e3bfc10691b5e379b65269106fde02c7e7a36eb7595 0003-update-ca-insert-newline-between-certs.patch"
+sha512sums="
+6b486384c80b29632939a28524acfeeedc60f5df44da86bc16ce79f3cf2ff464455e963ebeb410c3072829b9083215961b32c18673ff77b211652d4c1e870799 ca-certificates-20211220.tar.bz2
+"
diff --git a/main/cairo/APKBUILD b/main/cairo/APKBUILD
index a7b31060b3..72d87e500b 100644
--- a/main/cairo/APKBUILD
+++ b/main/cairo/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cairo
pkgver=1.16.0
-pkgrel=2
+pkgrel=3
pkgdesc="A vector graphics library"
url="https://cairographics.org/"
arch="all"
@@ -17,10 +17,13 @@ source="https://cairographics.org/releases/cairo-$pkgver.tar.xz
CVE-2018-19876.patch
pdf-flush.patch
85.patch
+ fix-inf-loop-patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.16.0-r3:
+# - CVE-2019-6462
# 1.16.0-r2:
# - CVE-2020-35492
# 1.16.0-r1:
@@ -70,8 +73,11 @@ tools() {
"$subpkgdir"/usr/lib/cairo/
}
-sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz
+sha512sums="
+9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz
86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch
8f13cdcae0f134e04778cf5915f858fb8d5357a7e0a454791c93d1566935b985ec66dfe1683cd0b74a1cb44a130923d7a27cf006f3fc70b9bee93abd58a55aa3 CVE-2018-19876.patch
533ea878dc7f917af92e2694bd3f535a09cde77f0ecd0cc00881fbc9ec1ea86f60026eacc76129705f525f6672929ad8d15d8cfe1bfa61e9962e805a7fbded81 pdf-flush.patch
-20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0 85.patch"
+20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0 85.patch
+ebe5d71b18aa9eefe1e0a6c150761bb7abef41f144f37eb0bfa8a01947aacb1292ac131cf815dcaaaa6478c0aac07ca5428fba28ad346a00c5aaa5fa64f6ff5b fix-inf-loop-patch
+"
diff --git a/main/cairo/fix-inf-loop-patch b/main/cairo/fix-inf-loop-patch
new file mode 100644
index 0000000000..2a26876c36
--- /dev/null
+++ b/main/cairo/fix-inf-loop-patch
@@ -0,0 +1,36 @@
+From bbeaf08190d3006a80b80a77724801cd477a37b8 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@worldiety.de>
+Date: Sat, 17 Apr 2021 19:15:03 +0200
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+
+---
+ src/cairo-arc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..1c891d1a0 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ { M_PI / 11.0, 9.81410988043554039085e-09 },
+ };
+ int table_size = ARRAY_LENGTH (table);
++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
+
+ for (i = 0; i < table_size; i++)
+ if (table[i].error < tolerance)
+ return table[i].angle;
+
+ ++i;
++
+ do {
+ angle = M_PI / i++;
+ error = _arc_error_normalized (angle);
+- } while (error > tolerance);
++ } while (error > tolerance && i < max_segments);
+
+ return angle;
+ }
+--
+GitLab
+
diff --git a/main/clamav/APKBUILD b/main/clamav/APKBUILD
index b12b4efdb0..1f771ccd45 100644
--- a/main/clamav/APKBUILD
+++ b/main/clamav/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=clamav
-pkgver=0.103.2
+pkgver=0.103.6
pkgrel=0
pkgusers="clamav"
pkggroups="clamav"
@@ -32,6 +32,13 @@ source="https://www.clamav.net/downloads/production/clamav-$pkgver.tar.gz
# secfixes:
+# 0.103.6-r0:
+# - CVE-2022-20698
+# - CVE-2022-20770
+# - CVE-2022-20771
+# - CVE-2022-20785
+# - CVE-2022-20792
+# - CVE-2022-20796
# 0.103.2-r0:
# - CVE-2021-1405
# - CVE-2021-1404
@@ -256,10 +263,12 @@ milter() {
"$subpkgdir"/etc/clamav/clamav-milter.conf
}
-sha512sums="87d47c4529a57da0b47b3744a279996ca24fa74ce10d7e27a53c19c1e13098af680e0e48ed767122bb2bbd3f927302451da84ccf51a933e7e3556ef43cbe9f45 clamav-0.103.2.tar.gz
+sha512sums="
+d39e1964678b8251bde3a9f3db30fe3d3d76cc566a86834297f4dd8489086dc9cc4c6541ca128089159f4c071d2d85b530455bd942987d3929ea0082b8ab272b clamav-0.103.6.tar.gz
d886d810de66e8da800384c1e8192f7da4352402ffc3b33cfbca93d81a2235d8c902ca9d436b9be70f00740b4555e1efbf09bf9f84059095a1a297b27581cd20 clamd.initd
59c561b3dcb0b616b647cd8e4ebc46a2cc5e7144c8c7ea0054cc1c3021d1da8f67e4dad5c083c3fe712ed887aaabfca91b538f4759537e7c4c9ab71ba4fd5794 clamd.confd
6f0c615b89f0f0d2f0e9f965f025b9ac8c81b2168fa6727dc8a47222abd780f9b656732f289d6061a20126b16126a975d50e8b3b8ff131f55dd8803da8be5dec freshclam.initd
ba181fe1abaac7b898ccb40b0713455aa3c9d5e25ad21d687b6cac09b0105b9e376526e7c776a44636234d8db819709d8d6a6cc76119bc3e98b637b1a3f26c08 freshclam.confd
3ae493dd1610a819402c015f6b8c0f080f926b72dc43d2bded60030bf6a55040e4b88e0f64d3aae299dc1133d7e1b89855e7346b4665a64e8b82592f7b75cf6a clamd.logrotate
-30cff378bc28c76b795e00c92ae5ee623f3abe4a19bed61dd8403c96e72658bb02b7f040d26a6258104af754464d25ea7d9646918c4b47d2ba9a8cbf4687056c freshclam.logrotate"
+30cff378bc28c76b795e00c92ae5ee623f3abe4a19bed61dd8403c96e72658bb02b7f040d26a6258104af754464d25ea7d9646918c4b47d2ba9a8cbf4687056c freshclam.logrotate
+"
diff --git a/main/cryptsetup/APKBUILD b/main/cryptsetup/APKBUILD
index 797e43b7b8..f0de5353a3 100644
--- a/main/cryptsetup/APKBUILD
+++ b/main/cryptsetup/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cryptsetup
-pkgver=2.3.4
-pkgrel=1
+pkgver=2.3.7
+pkgrel=0
pkgdesc="Userspace setup tool for transparent encryption of block devices using the Linux 2.6 cryptoapi"
url="https://gitlab.com/cryptsetup/cryptsetup"
arch="all"
@@ -19,6 +19,8 @@ source="https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/cryptset
"
# secfixes:
+# 2.3.7-r0:
+# - CVE-2021-4122
# 2.3.4-r0:
# - CVE-2020-14382
@@ -59,7 +61,7 @@ libs() {
mv "$pkgdir"/lib "$subpkgdir"/
}
-sha512sums="a0a4981ca7294d6f0568bc9465e78ee1781ad73fe77e8daa0bbe67693534f02d3510e6fba9f76749b90ce7533bc9ac96dd27b73d733f8051e9560a3b4196ca3c cryptsetup-2.3.4.tar.gz
+sha512sums="754f1b5c3dd234f256549118789af4187d75466743e5ec43d929d402c01e9c6997a9166fd8e4dc30c177f58d43284f7e28cc02fc015f02d605f3d6e5784a6b4c cryptsetup-2.3.7.tar.gz
dc896fdb7697d01443a168819f01af02db00a9de75589f062a1ebbfc0bc185b6d2109b18352309c41b818e3ad89609dcea3660d6f3cda890de825f053f94de97 flush-stdout.patch
74422d5e1614b43af894ea01da1ea80d805ec7f77981cbb80a6b1a4becad737a8825d7269812499095a7f50d39fa7da5bf4e4edae63529b1fe87b9176943a733 dmcrypt.confd
a3ca3e648749136ee724692b61488cd855f118eb93435942c2b04964a34fe49d0f0da4ef64cd2531c1c0f650e77808cf5d802789fd7664398248ead668bb35e5 dmcrypt.initd"
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index bb23e53483..0f49d219fd 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.79.1
-pkgrel=0
+pkgrel=1
pkgdesc="URL retrival utility and library"
url="https://curl.se/"
arch="all"
@@ -15,10 +15,21 @@ checkdepends="nghttp2 python3"
makedepends_host="$depends_dev"
makedepends_build="autoconf automake groff libtool perl"
subpackages="$pkgname-dbg $pkgname-static $pkgname-doc $pkgname-dev libcurl"
-source="https://curl.se/download/curl-$pkgver.tar.xz"
+source="https://curl.se/download/curl-$pkgver.tar.xz
+ CVE-2022-22576.patch
+ CVE-2022-27774-pre.patch
+ CVE-2022-27774.patch
+ CVE-2022-27775.patch
+ CVE-2022-27776.patch
+ "
options="net" # Required for running tests
# secfixes:
+# 7.79.1-r1:
+# - CVE-2022-22576
+# - CVE-2022-27774
+# - CVE-2022-27775
+# - CVE-2022-27776
# 7.79.0-r0:
# - CVE-2021-22945
# - CVE-2021-22946
@@ -159,4 +170,9 @@ static() {
sha512sums="
1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d curl-7.79.1.tar.xz
+9456de77de52e7980fb8e42bdc524b56dc7029c8205209de2de39d6354c8f5457e3fc8068d36d55cbf96ae82aabd390afc94721995dfc4b8e4a69bed9d0b00c8 CVE-2022-22576.patch
+63af4876fa94ff11ec3c1d4a36cfd2919083cf57cedc5086703966e627b27d8fac520155214b6f81e80a38a392cbd542f135f218944ae5117cf8b1ba388c7046 CVE-2022-27774-pre.patch
+4161539ebf5b9d4b1c5f4f83a8af313a96f5d9a4871a3da5f1ea564903b9079ac02003816f613e05aec9f3819bd2e152bb7885d0df138997abcaeb4adab897d6 CVE-2022-27774.patch
+c68b3eff3ef6120277c8acbd1d3ce4e16a26219a6b543af03a7bb9c5c3bc5d3480c237f11470995d088c9cbd06531352b86b151038cfcd551477038da0a96b33 CVE-2022-27775.patch
+116d30037af107cd028bd6404b6488106ebe1f3482b65159fe6764c355edf57b5fc460ce034a4eb07053f97128d68e89ef50ae080b33ee82b0fc5460f09866c4 CVE-2022-27776.patch
"
diff --git a/main/curl/CVE-2022-22576.patch b/main/curl/CVE-2022-22576.patch
new file mode 100644
index 0000000000..5238d9998b
--- /dev/null
+++ b/main/curl/CVE-2022-22576.patch
@@ -0,0 +1,143 @@
+Patch-Source: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
+From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+---
+ lib/strcase.c | 10 ++++++++++
+ lib/strcase.h | 2 ++
+ lib/url.c | 13 ++++++++++++-
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1ba0e5..692a3f14aee7 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+ } while(*src++ && --n);
+ }
+
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ return !a && !b;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b234d3815220..2635f5117e99 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -49,4 +49,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index 9a988b4d58d8..e1647b133854 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -781,6 +781,7 @@ static void conn_free(struct connectdata *conn)
+ Curl_safefree(conn->passwd);
+ Curl_safefree(conn->sasl_authzid);
+ Curl_safefree(conn->options);
++ Curl_safefree(conn->oauth_bearer);
+ Curl_dyn_free(&conn->trailer);
+ Curl_safefree(conn->host.rawalloc); /* host name buffer */
+ Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1342,7 +1343,9 @@ ConnectionExists(struct Curl_easy *data,
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ strcmp(needle->passwd, check->passwd) ||
++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -3637,6 +3640,14 @@ static CURLcode create_conn(struct Curl_easy *data,
+ }
+ }
+
++ if(data->set.str[STRING_BEARER]) {
++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++ if(!conn->oauth_bearer) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto out;
++ }
++ }
++
+ #ifdef USE_UNIX_SOCKETS
+ if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
+ conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 07eb19b87034..1d89b8d7fa68 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -984,6 +984,7 @@ struct connectdata {
+ char *passwd; /* password string, allocated */
+ char *options; /* options string, allocated */
+ char *sasl_authzid; /* authorisation identity string, allocated */
++ char *oauth_bearer; /* OAUTH2 bearer, allocated */
+ unsigned char httpversion; /* the HTTP version*10 reported by the server */
+ struct curltime now; /* "current" time */
+ struct curltime created; /* creation time */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba065e5..a40ac06f684f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+ return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+
+-static bool safecmp(char *a, char *b)
+-{
+- if(a && b)
+- return !strcmp(a, b);
+- else if(!a && !b)
+- return TRUE; /* match */
+- return FALSE; /* no match */
+-}
+-
+
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ blobcmp(data->cert_blob, needle->cert_blob) &&
+ blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+- safecmp(data->CApath, needle->CApath) &&
+- safecmp(data->CAfile, needle->CAfile) &&
+- safecmp(data->issuercert, needle->issuercert) &&
+- safecmp(data->clientcert, needle->clientcert) &&
+- safecmp(data->random_file, needle->random_file) &&
+- safecmp(data->egdsocket, needle->egdsocket) &&
++ Curl_safecmp(data->CApath, needle->CApath) &&
++ Curl_safecmp(data->CAfile, needle->CAfile) &&
++ Curl_safecmp(data->issuercert, needle->issuercert) &&
++ Curl_safecmp(data->clientcert, needle->clientcert) &&
++ Curl_safecmp(data->random_file, needle->random_file) &&
++ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->curves, needle->curves) &&
diff --git a/main/curl/CVE-2022-27774-pre.patch b/main/curl/CVE-2022-27774-pre.patch
new file mode 100644
index 0000000000..b5cf4fccc3
--- /dev/null
+++ b/main/curl/CVE-2022-27774-pre.patch
@@ -0,0 +1,41 @@
+Patch-Source: https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839
+From 08b8ef4e726ba10f45081ecda5b3cea788d3c839 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index e0b740147157..9bcf525ebb39 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
+ data->info.conn_scheme = conn->handler->scheme;
+ data->info.conn_protocol = conn->handler->protocol;
+ data->info.conn_primary_port = conn->port;
++ data->info.conn_remote_port = conn->remote_port;
+ data->info.conn_local_port = local_port;
+ }
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ef2174d9e727..9c34ec444c08 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1160,7 +1160,11 @@ struct PureInfo {
+ reused, in the connection cache. */
+
+ char conn_primary_ip[MAX_IPADR_LEN];
+- int conn_primary_port;
++ int conn_primary_port; /* this is the destination port to the connection,
++ which might have been a proxy */
++ int conn_remote_port; /* this is the "remote port", which is the port
++ number of the used URL, independent of proxy or
++ not */
+ char conn_local_ip[MAX_IPADR_LEN];
+ int conn_local_port;
+ const char *conn_scheme;
diff --git a/main/curl/CVE-2022-27774.patch b/main/curl/CVE-2022-27774.patch
new file mode 100644
index 0000000000..db358af55e
--- /dev/null
+++ b/main/curl/CVE-2022-27774.patch
@@ -0,0 +1,78 @@
+Patch-Source: https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79
+From 620ea21410030a9977396b4661806bc187231b79 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 53ef0b03b8e0..315da876c4a8 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1611,10 +1611,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+-
+ uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
++
++ /* Clear auth if this redirects to a different port number or protocol,
++ unless permitted */
++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
++ char *portnum;
++ int port;
++ bool clear = FALSE;
++
++ if(data->set.use_port && data->state.allow_port)
++ /* a custom port is used */
++ port = (int)data->set.use_port;
++ else {
++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
++ CURLU_DEFAULT_PORT);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++ port = atoi(portnum);
++ free(portnum);
++ }
++ if(port != data->info.conn_remote_port) {
++ infof(data, "Clear auth, redirects to port from %u to %u",
++ data->info.conn_remote_port, port);
++ clear = TRUE;
++ }
++ else {
++ char *scheme;
++ const struct Curl_handler *p;
++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++
++ p = Curl_builtin_scheme(scheme);
++ if(p && (p->protocol != data->info.conn_protocol)) {
++ infof(data, "Clear auth, redirects scheme from %s to %s",
++ data->info.conn_scheme, scheme);
++ clear = TRUE;
++ }
++ free(scheme);
++ }
++ if(clear) {
++ Curl_safefree(data->state.aptr.user);
++ Curl_safefree(data->state.aptr.passwd);
++ }
++ }
+ }
+
+ if(type == FOLLOW_FAKE) {
diff --git a/main/curl/CVE-2022-27775.patch b/main/curl/CVE-2022-27775.patch
new file mode 100644
index 0000000000..e1c02b8969
--- /dev/null
+++ b/main/curl/CVE-2022-27775.patch
@@ -0,0 +1,35 @@
+Patch-Source: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705
+From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index ec669b971dc3..8948b53fa500 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+ /* report back which name we used */
+ *hostp = hostname;
+
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ Curl_strntolower(buf, buf, len);
+ }
+
diff --git a/main/curl/CVE-2022-27776.patch b/main/curl/CVE-2022-27776.patch
new file mode 100644
index 0000000000..59ffa79a36
--- /dev/null
+++ b/main/curl/CVE-2022-27776.patch
@@ -0,0 +1,113 @@
+Patch-Source: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258
+From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+---
+ lib/http.c | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index ce79fc4e31c8..f0476f3b9272 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+ return CURLE_OK;
+ }
+
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++ struct connectdata *conn = data->conn;
++ return (!data->state.this_is_a_follow ||
++ data->set.allow_auth_to_other_hosts ||
++ (data->state.first_host &&
++ strcasecompare(data->state.first_host, conn->host.name) &&
++ (data->state.first_remote_port == conn->remote_port) &&
++ (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+ * Curl_http_output_auth() setups the authentication headers for the
+ * host/proxy and the correct authentication
+@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
+ with it */
+ authproxy->done = TRUE;
+
+- /* To prevent the user+password to get sent to other than the original
+- host due to a location-follow, we do some weirdo checks here */
+- if(!data->state.this_is_a_follow ||
++ /* To prevent the user+password to get sent to other than the original host
++ due to a location-follow */
++ if(allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+- conn->bits.netrc ||
++ || conn->bits.netrc
+ #endif
+- !data->state.first_host ||
+- data->set.allow_auth_to_other_hosts ||
+- strcasecompare(data->state.first_host, conn->host.name)) {
++ )
+ result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+- }
+ else
+ authhost->done = TRUE;
+
+@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- (data->state.this_is_a_follow &&
+- data->state.first_host &&
+- !data->set.allow_auth_to_other_hosts &&
+- !strcasecompare(data->state.first_host, conn->host.name)))
++ !allow_auth_to_host(data))
+ ;
+ else {
+ #ifdef USE_HYPER
+@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+ return CURLE_OUT_OF_MEMORY;
+
+ data->state.first_remote_port = conn->remote_port;
++ data->state.first_remote_protocol = conn->handler->protocol;
+ }
+ Curl_safefree(data->state.aptr.host);
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 1d89b8d7fa68..ef2174d9e727 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1329,14 +1329,16 @@ struct UrlState {
+ char *ulbuf; /* allocated upload buffer or NULL */
+ curl_off_t current_speed; /* the ProgressShow() function sets this,
+ bytes / second */
+- char *first_host; /* host name of the first (not followed) request.
+- if set, this should be the host name that we will
+- sent authorization to, no else. Used to make Location:
+- following not keep sending user+password... This is
+- strdup() data.
+- */
++
++ /* host name, port number and protocol of the first (not followed) request.
++ if set, this should be the host name that we will sent authorization to,
++ no else. Used to make Location: following not keep sending user+password.
++ This is strdup()ed data. */
++ char *first_host;
++ int first_remote_port;
++ unsigned int first_remote_protocol;
++
+ int retrycount; /* number of retries on a new connection */
+- int first_remote_port; /* remote port of the first (not followed) request */
+ struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+ long sessionage; /* number of the most recent session */
+ struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index 6c2e687f3a..98ed884f84 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cyrus-sasl
-pkgver=2.1.27
-pkgrel=10
+pkgver=2.1.28
+pkgrel=0
pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
url="https://www.cyrusimap.org/sasl/"
arch="all"
@@ -35,16 +35,12 @@ makedepends="
libtool
"
source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pkgver/cyrus-sasl-$pkgver.tar.gz
- cyrus-sasl-2.1.27-as_needed.patch
- cyrus-sasl-2.1.27-autotools_fixes.patch
- cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
- cyrus-sasl-2.1.27-doc_build_fix.patch
- cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
- CVE-2019-19906.patch
saslauthd.initd
"
# secfixes:
+# 2.1.28-r0:
+# - CVE-2022-24407
# 2.1.27-r5:
# - CVE-2019-19906
# 2.1.26-r7:
@@ -119,11 +115,7 @@ libsasl() {
amove usr/lib/libsasl*.so.*
}
-sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623eab235f85af9be38dcf5d42fc131db531c177040a85187aee5096b8df63b cyrus-sasl-2.1.27.tar.gz
-9eefa6d45e3dd9157a5672909acdd88f0ae35e76d64c3723890a474bbb05b22499cfadb0c077924d27f34da3710b2b700094dd7d5704050138c08dabcefdde94 cyrus-sasl-2.1.27-as_needed.patch
-0d99ca049e76c11500769079d94f3bdb634bddb4c8d45a83b383e9bb9777edda66b17566800acbd450e1f4842d070ec3fbc236e7f0ef8759c36e6dd5ea8e3c64 cyrus-sasl-2.1.27-autotools_fixes.patch
-4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
-6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch
-fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
-c39efd87dc9c883d3b07474197f6835fbd32f23baa1f5cd04b25a0473639f847321c40f232e390d4dc9d9ee189dbd177c05d3d1461af4d28a48a4827abc5d9b8 CVE-2019-19906.patch
-f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd"
+sha512sums="
+db15af9079758a9f385457a79390c8a7cd7ea666573dace8bf4fb01bb4b49037538d67285727d6a70ad799d2e2318f265c9372e2427de9371d626a1959dd6f78 cyrus-sasl-2.1.28.tar.gz
+f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd
+"
diff --git a/main/cyrus-sasl/CVE-2019-19906.patch b/main/cyrus-sasl/CVE-2019-19906.patch
deleted file mode 100644
index f7edb521e8..0000000000
--- a/main/cyrus-sasl/CVE-2019-19906.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-https://github.com/cyrusimap/cyrus-sasl/issues/587
-
-diff --git a/lib/common.c b/lib/common.c
-index bc3bf1df..9969d6aa 100644
---- a/lib/common.c
-+++ b/lib/common.c
-@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
-
- if (add==NULL) add = "(null)";
-
-- addlen=strlen(add); /* only compute once */
-+ addlen=strlen(add)+1; /* only compute once */
- if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
- return SASL_NOMEM;
-
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch
deleted file mode 100644
index 7cd9e151fb..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Author: Matthias Klose <doko@ubuntu.com>
-Desription: Fix FTBFS, add $(SASL_DB_LIB) as dependency to libsasldb, and use
-it.
---- cyrus-sasl-2.1.27/saslauthd/Makefile.am
-+++ cyrus-sasl-2.1.27/saslauthd/Makefile.am
-@@ -25,7 +25,7 @@
- saslauthd_DEPENDENCIES = saslauthd-main.o $(LTLIBOBJS_FULL)
- saslauthd_LDADD = @SASL_KRB_LIB@ \
- @GSSAPIBASE_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \
-- @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS)
-+ @LIB_SOCKET@ ../sasldb/libsasldb.la @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS)
-
- testsaslauthd_SOURCES = testsaslauthd.c utils.c
- testsaslauthd_LDADD = @LIB_SOCKET@
---- cyrus-sasl-2.1.27/sasldb/Makefile.am
-+++ cyrus-sasl-2.1.27/sasldb/Makefile.am
-@@ -54,6 +54,6 @@
-
- libsasldb_la_SOURCES = allockey.c sasldb.h
- EXTRA_libsasldb_la_SOURCES = $(extra_common_sources)
--libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND)
--libsasldb_la_LIBADD = $(SASL_DB_BACKEND)
-+libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) $(SASL_DB_LIB)
-+libsasldb_la_LIBADD = $(SASL_DB_BACKEND) $(SASL_DB_LIB)
- libsasldb_la_LDFLAGS = -no-undefined
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch
deleted file mode 100644
index 2ce971efc5..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch
+++ /dev/null
@@ -1,31 +0,0 @@
---- cyrus-sasl-2.1.27/configure.ac
-+++ cyrus-sasl-2.1.27/configure.ac
-@@ -44,6 +44,8 @@
-
- AC_PREREQ(2.63)
-
-+AC_CONFIG_MACRO_DIR([config])
-+
- dnl
- dnl REMINDER: When changing the version number here, please also update
- dnl the values in win32/include/config.h and include/sasl.h as well.
---- cyrus-sasl-2.1.27/Makefile.am
-+++ cyrus-sasl-2.1.27/Makefile.am
-@@ -44,6 +44,8 @@
- #
- ################################################################
-
-+ACLOCAL_AMFLAGS = -I config
-+
- if SASLAUTHD
- SAD = saslauthd
- else
---- cyrus-sasl-2.1.27/saslauthd/Makefile.am
-+++ cyrus-sasl-2.1.27/saslauthd/Makefile.am
-@@ -1,4 +1,6 @@
- AUTOMAKE_OPTIONS = 1.7
-+ACLOCAL_AMFLAGS = -I ../config
-+
- sbin_PROGRAMS = saslauthd testsaslauthd
- EXTRA_PROGRAMS = saslcache
-
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
deleted file mode 100644
index c331039e2f..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Author: Fabian Fagerholm <fabbe@debian.org>
-Description: This patch makes sure the non-PIC version of libsasldb.a, which
-is created out of non-PIC objects, is not going to overwrite the PIC version,
-which is created out of PIC objects. The PIC version is placed in .libs, and
-the non-PIC version in the current directory. This ensures that both non-PIC
-and PIC versions are available in the correct locations.
---- cyrus-sasl-2.1.27/lib/Makefile.am
-+++ cyrus-sasl-2.1.27/lib/Makefile.am
-@@ -98,7 +98,7 @@
-
- libsasl2.a: libsasl2.la $(SASL_STATIC_OBJS)
- @echo adding static plugins and dependencies
-- $(AR) cru .libs/$@ $(SASL_STATIC_OBJS)
-+ $(AR) cru $@ $(SASL_STATIC_OBJS)
- @for i in ./libsasl2.la ../common/libplugin_common.la ../sasldb/libsasldb.la ../plugins/lib*.la; do \
- if test ! -f $$i; then continue; fi; . $$i; \
- for j in $$dependency_libs foo; do \
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch
deleted file mode 100644
index bdd02f7796..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py
-+++ cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py
-@@ -23,7 +23,7 @@
- from sphinx import addnodes
- from sphinx.locale import admonitionlabels, _
- from sphinx.util.osutil import ustrftime
--from sphinx.util.compat import docutils_version
-+#from sphinx.util.compat import docutils_version
-
- class CyrusManualPageWriter(ManualPageWriter):
-
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
deleted file mode 100644
index c585cb158e..0000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Gentoo bug #389349
---- cyrus-sasl-2.1.27/m4/sasl2.m4
-+++ cyrus-sasl-2.1.27/m4/sasl2.m4
-@@ -220,7 +220,11 @@
- [AC_WARN([Cybersafe define not found])])
-
- elif test "$ac_cv_header_gssapi_h" = "yes"; then
-- AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h,
-+ AC_EGREP_CPP(hostbased_service_gss_nt_yes, gssapi.h,
-+ [#include <gssapi.h>
-+ #ifdef GSS_C_NT_HOSTBASED_SERVICE
-+ hostbased_service_gss_nt_yes
-+ #endif],
- [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,,
- [Define if your GSSAPI implementation defines GSS_C_NT_HOSTBASED_SERVICE])])
- elif test "$ac_cv_header_gssapi_gssapi_h"; then
diff --git a/main/dahdi-linux-lts/APKBUILD b/main/dahdi-linux-lts/APKBUILD
index f785930a44..2dc67a3c81 100644
--- a/main/dahdi-linux-lts/APKBUILD
+++ b/main/dahdi-linux-lts/APKBUILD
@@ -9,7 +9,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.78
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/esh/APKBUILD b/main/esh/APKBUILD
index fc6c53e03b..ebaa57ad5f 100644
--- a/main/esh/APKBUILD
+++ b/main/esh/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=esh
-pkgver=0.3.1
+pkgver=0.3.2
pkgrel=0
pkgdesc="Simple template system based on shell"
url="https://github.com/jirutka/esh"
@@ -22,4 +22,6 @@ package() {
make DESTDIR="$pkgdir" prefix=/usr install
}
-sha512sums="a29f8b028ceba305c8a37f2df20be95701fa3bdaeefd9853e05cc6423a6c685b33954deabda9af25c31baeae2321084e2a2badee216010c8efd75e58888effa3 esh-0.3.1.tar.gz"
+sha512sums="
+f93835f0c28b75fa4b4ab2fdccd860050e4dde25634074065b182f289dd36d05074c7a5762f6cd35f409ae2ef239de5e0799af70ec6a96ba63df50fc8c123784 esh-0.3.2.tar.gz
+"
diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD
index 9bf52beab2..b9c94f2206 100644
--- a/main/expat/APKBUILD
+++ b/main/expat/APKBUILD
@@ -1,16 +1,47 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=expat
pkgver=2.2.10
-pkgrel=1
+pkgrel=6
pkgdesc="XML Parser library written in C"
url="http://www.libexpat.org/"
arch="all"
license='MIT'
checkdepends="bash"
-source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2"
+source="https://github.com/libexpat/libexpat/releases/download/R_${pkgver//./_}/expat-$pkgver.tar.xz
+ CVE-2021-45960.patch
+ CVE-2021-46143.patch
+ CVE-2022-22822.patch
+ CVE-2022-23852.patch
+ CVE-2022-23990.patch
+ CVE-2022-25235.patch
+ CVE-2022-25236.patch
+ CVE-2022-25236-regression.patch
+ CVE-2022-25313.patch
+ CVE-2022-25313-regression.patch
+ CVE-2022-25314.patch
+ CVE-2022-25315.patch
+ "
subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
# secfixes:
+# 2.2.10-r4:
+# - CVE-2022-25235
+# - CVE-2022-25236
+# - CVE-2022-25313
+# - CVE-2022-25314
+# - CVE-2022-25315
+# 2.2.10-r3:
+# - CVE-2022-23852
+# - CVE-2022-23990
+# 2.2.10-r2:
+# - CVE-2021-45960
+# - CVE-2021-46143
+# - CVE-2022-22822
+# - CVE-2022-22823
+# - CVE-2022-22824
+# - CVE-2022-22825
+# - CVE-2022-22826
+# - CVE-2022-22827
# 2.2.7-r1:
# - CVE-2019-15903
# 2.2.7-r0:
@@ -36,4 +67,18 @@ package() {
make DESTDIR="$pkgdir/" install
}
-sha512sums="9623e86024d09e3bb0cf51fd0d56ecaee5fb8c8acb71589104a63b510f73c1e84abb0ccea4e2c196bdf1d30b5ad0633a915758f75813717d031d633e34f022b7 expat-2.2.10.tar.bz2"
+sha512sums="
+a8e0c8a9cf7e6fbacdc6e709f3c99c533ab550fba52557d24259bb8b360f9697624c7500c0e9886fa57ee2b529aadd0d1835d66fe8112e15c20df75cd3eb090f expat-2.2.10.tar.xz
+4afd3777fc682a2f9057d4cc42afe6e04680d7d24f93dc11a2677cb8b1a4b400921f6d689e2953aff4a3312118ea801c9e161f85774360b3b5c2d3bd0067f7ad CVE-2021-45960.patch
+dd0339a0cdf5b18638a5732f2f9930af7adb5b20aa3bf102317a571f0f7d4f453313f0d8fdaa60f89c7a8f2e59eeaaca4b9c2e427a45594b7e21ed7c253d547a CVE-2021-46143.patch
+dcf6bfc07b4919b1248dba5fc6d4e425d09975b09255d77456bb44b40495e92b4d4ffae6a9e949b204770848b70edfc4be1869c191cb01ebe967b1906ffc9d59 CVE-2022-22822.patch
+cb079c0b9fe7df6afe2e06d706461489527802dce811d894587221b6316784b6cf1c7cf70573f41a276b5d97f7530d17c7ed854273f4eeae9652d971f64ef282 CVE-2022-23852.patch
+7de120a34b5fc2fcb3779e259b24d47d8f40f38aab490b738eea52c55542b9cac45c897d90cb129c17c2d0057518f59b013c2af87a579c70b28a9aa70c1f27cb CVE-2022-23990.patch
+c3ed585a62d5aadd9e1d1d589b636e37ffba5b5cc0c4d264a151cf308a9bfcfe9859704f43fd6d4e1ed86633fa4672378288bdc05b5e47dcb42c75f8258035f5 CVE-2022-25235.patch
+016ca726fde03ef9049404faff7122e4f6e9b8a89d4a188e1ffa7bcf4d177fe79e00a3e1f90b45424ec60586cdde7615c6f5a39db1be1e585713f1a7385aa14c CVE-2022-25236.patch
+36d441df896a6734091c15c3cd84515114d805349123a98eb43b61a268533f36b1ae0ac437e99b26a1792863e6d23c8d0a38eac902942b768e551cf2f2ea6187 CVE-2022-25236-regression.patch
+4db9ad13e5e1461339ab93554d14acacbbdc121824a1dfd8a1d9df3194452711606da1f9f9ed5c03c0c5ca8de61237ef588897bbde95f89109160dc685fde25f CVE-2022-25313.patch
+36d310754e76db577cdeeb0ae1563867f9db65c9de12b1423d4e67f8e2604893525474d6e07b6305553308b6b06285b1b9da3c4e858ef79874296f68b82080e8 CVE-2022-25313-regression.patch
+ac7d03f3ef8be557bda0294247a645db820470be47ea7fa3dab8047f7f11ada831e4f0a4cd4b82e3b2f7715ada08435b8292257a64714c0242407ef58a661b72 CVE-2022-25314.patch
+946e0983f9159ae4b01627581a99594f0e7263438ddfd40a1705b8de39ee9c6739af08598d3bc4f145a8ff142209d3fde85c20bbebe2932d9e60596f192db5b5 CVE-2022-25315.patch
+"
diff --git a/main/expat/CVE-2021-45960.patch b/main/expat/CVE-2021-45960.patch
new file mode 100644
index 0000000000..7c366ab390
--- /dev/null
+++ b/main/expat/CVE-2021-45960.patch
@@ -0,0 +1,59 @@
+From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 27 Dec 2021 20:15:02 +0100
+Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
+ storeAtts (CVE-2021-45960)
+
+---
+ expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d730f41c3..b47c31b05 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ if (nPrefixes) {
+ int j; /* hash table index */
+ unsigned long version = parser->m_nsAttsVersion;
+- int nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
+ unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+ /* size of hash table must be at least 2 * (# of prefixed attributes) */
+ if ((nPrefixes << 1)
+@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ ;
+ if (parser->m_nsAttsPower < 3)
+ parser->m_nsAttsPower = 3;
+- nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ nsAttsSize = 1u << parser->m_nsAttsPower;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
+ nsAttsSize * sizeof(NS_ATT));
+ if (! temp) {
diff --git a/main/expat/CVE-2021-46143.patch b/main/expat/CVE-2021-46143.patch
new file mode 100644
index 0000000000..d6bafba0ff
--- /dev/null
+++ b/main/expat/CVE-2021-46143.patch
@@ -0,0 +1,43 @@
+From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 25 Dec 2021 20:52:08 +0100
+Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
+ doProlog (CVE-2021-46143)
+
+---
+ expat/lib/xmlparse.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index b47c31b0..8f243126 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ if (parser->m_prologState.level >= parser->m_groupSize) {
+ if (parser->m_groupSize) {
+ {
++ /* Detect and prevent integer overflow */
++ if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ char *const new_connector = (char *)REALLOC(
+ parser, parser->m_groupConnector, parser->m_groupSize *= 2);
+ if (new_connector == NULL) {
+@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ }
+
+ if (dtd->scaffIndex) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ int *const new_scaff_index = (int *)REALLOC(
+ parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
+ if (new_scaff_index == NULL)
diff --git a/main/expat/CVE-2022-22822.patch b/main/expat/CVE-2022-22822.patch
new file mode 100644
index 0000000000..4fed22e63c
--- /dev/null
+++ b/main/expat/CVE-2022-22822.patch
@@ -0,0 +1,250 @@
+From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 30 Dec 2021 22:46:03 +0100
+Subject: [PATCH] lib: Prevent integer overflow at multiple places
+ (CVE-2022-22822 to CVE-2022-22827)
+
+The involved functions are:
+- addBinding (CVE-2022-22822)
+- build_model (CVE-2022-22823)
+- defineAttribute (CVE-2022-22824)
+- lookup (CVE-2022-22825)
+- nextScaffoldPart (CVE-2022-22826)
+- storeAtts (CVE-2022-22827)
+---
+ expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 151 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 8f243126..575e73ee 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+
+ /* get the attributes from the tokenizer */
+ n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
++
++ /* Detect and prevent integer overflow */
++ if (n > INT_MAX - nDefaultAtts) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ if (n + nDefaultAtts > parser->m_attsSize) {
+ int oldAttsSize = parser->m_attsSize;
+ ATTRIBUTE *temp;
+ #ifdef XML_ATTR_INFO
+ XML_AttrInfo *temp2;
+ #endif
++
++ /* Detect and prevent integer overflow */
++ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
++ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
++ parser->m_attsSize = oldAttsSize;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
+ parser->m_attsSize * sizeof(ATTRIBUTE));
+ if (temp == NULL) {
+@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ }
+ parser->m_atts = temp;
+ #ifdef XML_ATTR_INFO
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++# if UINT_MAX >= SIZE_MAX
++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
++ parser->m_attsSize = oldAttsSize;
++ return XML_ERROR_NO_MEMORY;
++ }
++# endif
++
+ temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
+ parser->m_attsSize * sizeof(XML_AttrInfo));
+ if (temp2 == NULL) {
+@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ tagNamePtr->prefixLen = prefixLen;
+ for (i = 0; localPart[i++];)
+ ; /* i includes null terminator */
++
++ /* Detect and prevent integer overflow */
++ if (binding->uriLen > INT_MAX - prefixLen
++ || i > INT_MAX - (binding->uriLen + prefixLen)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ n = i + binding->uriLen + prefixLen;
+ if (n > binding->uriAlloc) {
+ TAG *p;
++
++ /* Detect and prevent integer overflow */
++ if (n > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
+ if (! uri)
+ return XML_ERROR_NO_MEMORY;
+@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ if (parser->m_freeBindingList) {
+ b = parser->m_freeBindingList;
+ if (len > b->uriAlloc) {
++ /* Detect and prevent integer overflow */
++ if (len > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ XML_Char *temp = (XML_Char *)REALLOC(
+ parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
+ if (temp == NULL)
+@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ b = (BINDING *)MALLOC(parser, sizeof(BINDING));
+ if (! b)
+ return XML_ERROR_NO_MEMORY;
++
++ /* Detect and prevent integer overflow */
++ if (len > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ b->uri
+ = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
+ if (! b->uri) {
+@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+ }
+ } else {
+ DEFAULT_ATTRIBUTE *temp;
++
++ /* Detect and prevent integer overflow */
++ if (type->allocDefaultAtts > INT_MAX / 2) {
++ return 0;
++ }
++
+ int count = type->allocDefaultAtts * 2;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
++ return 0;
++ }
++#endif
++
+ temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
+ (count * sizeof(DEFAULT_ATTRIBUTE)));
+ if (temp == NULL)
+@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+ /* check for overflow (table is half full) */
+ if (table->used >> (table->power - 1)) {
+ unsigned char newPower = table->power + 1;
++
++ /* Detect and prevent invalid shift */
++ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
++ return NULL;
++ }
++
+ size_t newSize = (size_t)1 << newPower;
+ unsigned long newMask = (unsigned long)newSize - 1;
++
++ /* Detect and prevent integer overflow */
++ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
++ return NULL;
++ }
++
+ size_t tsize = newSize * sizeof(NAMED *);
+ NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
+ if (! newV)
+@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
+ if (dtd->scaffCount >= dtd->scaffSize) {
+ CONTENT_SCAFFOLD *temp;
+ if (dtd->scaffold) {
++ /* Detect and prevent integer overflow */
++ if (dtd->scaffSize > UINT_MAX / 2u) {
++ return -1;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
++ return -1;
++ }
++#endif
++
+ temp = (CONTENT_SCAFFOLD *)REALLOC(
+ parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
+ if (temp == NULL)
+@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
+ XML_Content *ret;
+ XML_Content *cpos;
+ XML_Char *str;
+- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+- + (dtd->contentStringLen * sizeof(XML_Char)));
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
++ return NULL;
++ }
++ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
++ return NULL;
++ }
++#endif
++ if (dtd->scaffCount * sizeof(XML_Content)
++ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
++ return NULL;
++ }
++
++ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
++ + (dtd->contentStringLen * sizeof(XML_Char)));
+
+ ret = (XML_Content *)MALLOC(parser, allocsize);
+ if (! ret)
diff --git a/main/expat/CVE-2022-23852.patch b/main/expat/CVE-2022-23852.patch
new file mode 100644
index 0000000000..fe020c441e
--- /dev/null
+++ b/main/expat/CVE-2022-23852.patch
@@ -0,0 +1,27 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
++ /* Detect and prevent integer overflow */
++ if (keep > INT_MAX - neededSize) {
++ parser->m_errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize
diff --git a/main/expat/CVE-2022-23990.patch b/main/expat/CVE-2022-23990.patch
new file mode 100644
index 0000000000..f8cff18cb4
--- /dev/null
+++ b/main/expat/CVE-2022-23990.patch
@@ -0,0 +1,42 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/ede41d1e186ed2aba88a06e84cac839b770af3a1
+From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 26 Jan 2022 02:36:43 +0100
+Subject: [PATCH] lib: Prevent integer overflow in doProlog (CVE-2022-23990)
+
+The change from "int nameLen" to "size_t nameLen"
+addresses the overflow on "nameLen++" in code
+"for (; name[nameLen++];)" right above the second
+change in the patch.
+---
+ expat/lib/xmlparse.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 5ce31402..d1d17005 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ if (dtd->in_eldecl) {
+ ELEMENT_TYPE *el;
+ const XML_Char *name;
+- int nameLen;
++ size_t nameLen;
+ const char *nxt
+ = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+ int myindex = nextScaffoldPart(parser);
+@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ nameLen = 0;
+ for (; name[nameLen++];)
+ ;
+- dtd->contentStringLen += nameLen;
++
++ /* Detect and prevent integer overflow */
++ if (nameLen > UINT_MAX - dtd->contentStringLen) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ dtd->contentStringLen += (unsigned)nameLen;
+ if (parser->m_elementDeclHandler)
+ handleDefault = XML_FALSE;
+ }
diff --git a/main/expat/CVE-2022-25235.patch b/main/expat/CVE-2022-25235.patch
new file mode 100644
index 0000000000..191ad98005
--- /dev/null
+++ b/main/expat/CVE-2022-25235.patch
@@ -0,0 +1,43 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6
+From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 04:32:20 +0100
+Subject: [PATCH] lib: Add missing validation of encoding (CVE-2022-25235)
+
+---
+ expat/lib/xmltok_impl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c
+index 0430591b4..64a3b2c15 100644
+--- a/lib/xmltok_impl.c
++++ b/lib/xmltok_impl.c
+@@ -69,7 +69,7 @@
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
+- if (! IS_NAME_CHAR(enc, ptr, n)) { \
++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
+@@ -98,7 +98,7 @@
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
+- if (! IS_NMSTRT_CHAR(enc, ptr, n)) { \
++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
+@@ -1142,6 +1142,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
++ if (IS_INVALID_CHAR(enc, ptr, n)) { \
++ *nextTokPtr = ptr; \
++ return XML_TOK_INVALID; \
++ } \
+ if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ ptr += n; \
+ tok = XML_TOK_NAME; \
diff --git a/main/expat/CVE-2022-25236-regression.patch b/main/expat/CVE-2022-25236-regression.patch
new file mode 100644
index 0000000000..2bcab60116
--- /dev/null
+++ b/main/expat/CVE-2022-25236-regression.patch
@@ -0,0 +1,171 @@
+non-code patches skipped
+---
+
+From 2ba6c76fca21397959145e18c5ef376201209020 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 27 Feb 2022 16:58:08 +0100
+Subject: [PATCH 1/5] lib: Relax fix to CVE-2022-25236 with regard to RFC 3986
+ URI characters
+
+---
+ expat/lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 131 insertions(+), 8 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 59da19c8..6fe2cf1e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3705,6 +3705,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ return XML_ERROR_NONE;
+ }
+
++static XML_Bool
++is_rfc3986_uri_char(XML_Char candidate) {
++ // For the RFC 3986 ANBF grammar see
++ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
++
++ switch (candidate) {
++ // From rule "ALPHA" (uppercase half)
++ case 'A':
++ case 'B':
++ case 'C':
++ case 'D':
++ case 'E':
++ case 'F':
++ case 'G':
++ case 'H':
++ case 'I':
++ case 'J':
++ case 'K':
++ case 'L':
++ case 'M':
++ case 'N':
++ case 'O':
++ case 'P':
++ case 'Q':
++ case 'R':
++ case 'S':
++ case 'T':
++ case 'U':
++ case 'V':
++ case 'W':
++ case 'X':
++ case 'Y':
++ case 'Z':
++
++ // From rule "ALPHA" (lowercase half)
++ case 'a':
++ case 'b':
++ case 'c':
++ case 'd':
++ case 'e':
++ case 'f':
++ case 'g':
++ case 'h':
++ case 'i':
++ case 'j':
++ case 'k':
++ case 'l':
++ case 'm':
++ case 'n':
++ case 'o':
++ case 'p':
++ case 'q':
++ case 'r':
++ case 's':
++ case 't':
++ case 'u':
++ case 'v':
++ case 'w':
++ case 'x':
++ case 'y':
++ case 'z':
++
++ // From rule "DIGIT"
++ case '0':
++ case '1':
++ case '2':
++ case '3':
++ case '4':
++ case '5':
++ case '6':
++ case '7':
++ case '8':
++ case '9':
++
++ // From rule "pct-encoded"
++ case '%':
++
++ // From rule "unreserved"
++ case '-':
++ case '.':
++ case '_':
++ case '~':
++
++ // From rule "gen-delims"
++ case ':':
++ case '/':
++ case '?':
++ case '#':
++ case '[':
++ case ']':
++ case '@':
++
++ // From rule "sub-delims"
++ case '!':
++ case '$':
++ case '&':
++ case '\'':
++ case '(':
++ case ')':
++ case '*':
++ case '+':
++ case ',':
++ case ';':
++ case '=':
++ return XML_TRUE;
++
++ default:
++ return XML_FALSE;
++ }
++}
++
+ /* addBinding() overwrites the value of prefix->binding without checking.
+ Therefore one must keep track of the old value outside of addBinding().
+ */
+@@ -3763,14 +3874,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+ isXMLNS = XML_FALSE;
+
+- // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+- // we have to at least make sure that the XML processor on top of
+- // Expat (that is splitting tag names by namespace separator into
+- // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+- // by an attacker putting additional namespace separator characters
+- // into namespace declarations. That would be ambiguous and not to
+- // be expected.
+- if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986
++ // today (and is not REQUIRED to do so with regard to the XML 1.0
++ // namespaces specification) we have to at least make sure, that
++ // the application on top of Expat (that is likely splitting expanded
++ // element names ("qualified names") of form
++ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
++ // in its element handler code) cannot be confused by an attacker
++ // putting additional namespace separator characters into namespace
++ // declarations. That would be ambiguous and not to be expected.
++ //
++ // While the HTML API docs of function XML_ParserCreateNS have been
++ // advising against use of a namespace separator character that can
++ // appear in a URI for >20 years now, some widespread applications
++ // are using URI characters (':' (colon) in particular) for a
++ // namespace separator, in practice. To keep these applications
++ // functional, we only reject namespaces URIs containing the
++ // application-chosen namespace separator if the chosen separator
++ // is a non-URI character with regard to RFC 3986.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
++ && ! is_rfc3986_uri_char(uri[len])) {
+ return XML_ERROR_SYNTAX;
+ }
+ }
+
diff --git a/main/expat/CVE-2022-25236.patch b/main/expat/CVE-2022-25236.patch
new file mode 100644
index 0000000000..ad91fc195f
--- /dev/null
+++ b/main/expat/CVE-2022-25236.patch
@@ -0,0 +1,33 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/a2fe525e660badd64b6c557c2b1ec26ddc07f6e4
+From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 01:09:29 +0100
+Subject: [PATCH] lib: Protect against malicious namespace declarations
+ (CVE-2022-25236)
+
+---
+ expat/lib/xmlparse.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index c768f856..a3aef88c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ if (! mustBeXML && isXMLNS
+ && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+ isXMLNS = XML_FALSE;
++
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++ // we have to at least make sure that the XML processor on top of
++ // Expat (that is splitting tag names by namespace separator into
++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++ // by an attacker putting additional namespace separator characters
++ // into namespace declarations. That would be ambiguous and not to
++ // be expected.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ return XML_ERROR_SYNTAX;
++ }
+ }
+ isXML = isXML && len == xmlLen;
+ isXMLNS = isXMLNS && len == xmlnsLen;
diff --git a/main/expat/CVE-2022-25313-regression.patch b/main/expat/CVE-2022-25313-regression.patch
new file mode 100644
index 0000000000..195ccfcc0d
--- /dev/null
+++ b/main/expat/CVE-2022-25313-regression.patch
@@ -0,0 +1,243 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/9288cd5474bf6d3d0c037c247f9581d5e4df5097
+Patch 3/3 skipped due it being only a Changes readme change.
+---
+
+Patch-Source: https://github.com/libexpat/libexpat/commit/9288cd5474bf6d3d0c037c247f9581d5e4df5097
+From b12f34fe32821a69dc12ff9a021daca0856de238 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 19 Feb 2022 23:59:25 +0000
+Subject: [PATCH 1/3] Fix build_model regression.
+
+The iterative approach in build_model failed to fill children arrays
+correctly. A preorder traversal is not required and turned out to be the
+culprit. Use an easier algorithm:
+
+Add nodes from scaffold tree starting at index 0 (root) to the target
+array whenever children are encountered. This ensures that children
+are adjacent to each other. This complies with the recursive version.
+
+Store only the scaffold index in numchildren field to prevent a direct
+processing of these children, which would require a recursive solution.
+This allows the algorithm to iterate through the target array from start
+to end without jumping back and forth, converting on the fly.
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ expat/lib/xmlparse.c | 79 ++++++++++++++++++++++++++------------------
+ 1 file changed, 47 insertions(+), 32 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index c479a258..84885b5a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7373,39 +7373,58 @@ build_model(XML_Parser parser) {
+ *
+ * The iterative approach works as follows:
+ *
+- * - We use space in the target array for building a temporary stack structure
+- * while that space is still unused.
+- * The stack grows from the array's end downwards and the "actual data"
+- * grows from the start upwards, sequentially.
+- * (Because stack grows downwards, pushing onto the stack is a decrement
+- * while popping off the stack is an increment.)
++ * - We have two writing pointers, both walking up the result array; one does
++ * the work, the other creates "jobs" for its colleague to do, and leads
++ * the way:
+ *
+- * - A stack element appears as a regular XML_Content node on the outside,
+- * but only uses a single field -- numchildren -- to store the source
+- * tree node array index. These are the breadcrumbs leading the way back
+- * during pre-order (node first) depth-first traversal.
++ * - The faster one, pointer jobDest, always leads and writes "what job
++ * to do" by the other, once they reach that place in the
++ * array: leader "jobDest" stores the source node array index (relative
++ * to array dtd->scaffold) in field "numchildren".
+ *
+- * - The reason we know the stack will never grow into (or overlap with)
+- * the area with data of value at the start of the array is because
+- * the overall number of elements to process matches the size of the array,
+- * and the sum of fully processed nodes and yet-to-be processed nodes
+- * on the stack, cannot be more than the total number of nodes.
+- * It is possible for the top of the stack and the about-to-write node
+- * to meet, but that is safe because we get the source index out
+- * before doing any writes on that node.
++ * - The slower one, pointer dest, looks at the value stored in the
++ * "numchildren" field (which actually holds a source node array index
++ * at that time) and puts the real data from dtd->scaffold in.
++ *
++ * - Before the loop starts, jobDest writes source array index 0
++ * (where the root node is located) so that dest will have something to do
++ * when it starts operation.
++ *
++ * - Whenever nodes with children are encountered, jobDest appends
++ * them as new jobs, in order. As a result, tree node siblings are
++ * adjacent in the resulting array, for example:
++ *
++ * [0] root, has two children
++ * [1] first child of 0, has three children
++ * [3] first child of 1, does not have children
++ * [4] second child of 1, does not have children
++ * [5] third child of 1, does not have children
++ * [2] second child of 0, does not have children
++ *
++ * Or (the same data) presented in flat array view:
++ *
++ * [0] root, has two children
++ *
++ * [1] first child of 0, has three children
++ * [2] second child of 0, does not have children
++ *
++ * [3] first child of 1, does not have children
++ * [4] second child of 1, does not have children
++ * [5] third child of 1, does not have children
++ *
++ * - The algorithm repeats until all target array indices have been processed.
+ */
+ XML_Content *dest = ret; /* tree node writing location, moves upwards */
+ XML_Content *const destLimit = &ret[dtd->scaffCount];
+- XML_Content *const stackBottom = &ret[dtd->scaffCount];
+- XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */
++ XML_Content *jobDest = ret; /* next free writing location in target array */
+ str = (XML_Char *)&ret[dtd->scaffCount];
+
+- /* Push source tree root node index onto the stack */
+- (--stackTop)->numchildren = 0;
++ /* Add the starting job, the root node (index 0) of the source tree */
++ (jobDest++)->numchildren = 0;
+
+ for (; dest < destLimit; dest++) {
+- /* Pop source tree node index off the stack */
+- const int src_node = (int)(stackTop++)->numchildren;
++ /* Retrieve source tree array index from job storage */
++ const int src_node = (int)dest->numchildren;
+
+ /* Convert item */
+ dest->type = dtd->scaffold[src_node].type;
+@@ -7427,16 +7446,12 @@ build_model(XML_Parser parser) {
+ int cn;
+ dest->name = NULL;
+ dest->numchildren = dtd->scaffold[src_node].childcnt;
+- dest->children = &dest[1];
++ dest->children = jobDest;
+
+- /* Push children to the stack
+- * in a way where the first child ends up at the top of the
+- * (downwards growing) stack, in order to be processed first. */
+- stackTop -= dest->numchildren;
++ /* Append scaffold indices of children to array */
+ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
+- i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) {
+- (stackTop + i)->numchildren = (unsigned int)cn;
+- }
++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib)
++ (jobDest++)->numchildren = (unsigned int)cn;
+ }
+ }
+
+
+From 154e565f6ef329c9ec97e6534c411ddde0b320c8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 20 Feb 2022 03:26:57 +0100
+Subject: [PATCH 2/3] tests: Protect against nested element declaration model
+ regressions
+
+---
+ expat/tests/runtests.c | 77 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 77 insertions(+)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index 2cd4acbe..e28670d2 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -2664,6 +2664,82 @@ START_TEST(test_dtd_elements) {
+ }
+ END_TEST
+
++static void XMLCALL
++element_decl_check_model(void *userData, const XML_Char *name,
++ XML_Content *model) {
++ UNUSED_P(userData);
++ uint32_t errorFlags = 0;
++
++ /* Expected model array structure is this:
++ * [0] (type 6, quant 0)
++ * [1] (type 5, quant 0)
++ * [3] (type 4, quant 0, name "bar")
++ * [4] (type 4, quant 0, name "foo")
++ * [5] (type 4, quant 3, name "xyz")
++ * [2] (type 4, quant 2, name "zebra")
++ */
++ errorFlags |= ((xcstrcmp(name, XCS("junk")) == 0) ? 0 : (1u << 0));
++ errorFlags |= ((model != NULL) ? 0 : (1u << 1));
++
++ errorFlags |= ((model[0].type == XML_CTYPE_SEQ) ? 0 : (1u << 2));
++ errorFlags |= ((model[0].quant == XML_CQUANT_NONE) ? 0 : (1u << 3));
++ errorFlags |= ((model[0].numchildren == 2) ? 0 : (1u << 4));
++ errorFlags |= ((model[0].children == &model[1]) ? 0 : (1u << 5));
++ errorFlags |= ((model[0].name == NULL) ? 0 : (1u << 6));
++
++ errorFlags |= ((model[1].type == XML_CTYPE_CHOICE) ? 0 : (1u << 7));
++ errorFlags |= ((model[1].quant == XML_CQUANT_NONE) ? 0 : (1u << 8));
++ errorFlags |= ((model[1].numchildren == 3) ? 0 : (1u << 9));
++ errorFlags |= ((model[1].children == &model[3]) ? 0 : (1u << 10));
++ errorFlags |= ((model[1].name == NULL) ? 0 : (1u << 11));
++
++ errorFlags |= ((model[2].type == XML_CTYPE_NAME) ? 0 : (1u << 12));
++ errorFlags |= ((model[2].quant == XML_CQUANT_REP) ? 0 : (1u << 13));
++ errorFlags |= ((model[2].numchildren == 0) ? 0 : (1u << 14));
++ errorFlags |= ((model[2].children == NULL) ? 0 : (1u << 15));
++ errorFlags |= ((xcstrcmp(model[2].name, XCS("zebra")) == 0) ? 0 : (1u << 16));
++
++ errorFlags |= ((model[3].type == XML_CTYPE_NAME) ? 0 : (1u << 17));
++ errorFlags |= ((model[3].quant == XML_CQUANT_NONE) ? 0 : (1u << 18));
++ errorFlags |= ((model[3].numchildren == 0) ? 0 : (1u << 19));
++ errorFlags |= ((model[3].children == NULL) ? 0 : (1u << 20));
++ errorFlags |= ((xcstrcmp(model[3].name, XCS("bar")) == 0) ? 0 : (1u << 21));
++
++ errorFlags |= ((model[4].type == XML_CTYPE_NAME) ? 0 : (1u << 22));
++ errorFlags |= ((model[4].quant == XML_CQUANT_NONE) ? 0 : (1u << 23));
++ errorFlags |= ((model[4].numchildren == 0) ? 0 : (1u << 24));
++ errorFlags |= ((model[4].children == NULL) ? 0 : (1u << 25));
++ errorFlags |= ((xcstrcmp(model[4].name, XCS("foo")) == 0) ? 0 : (1u << 26));
++
++ errorFlags |= ((model[5].type == XML_CTYPE_NAME) ? 0 : (1u << 27));
++ errorFlags |= ((model[5].quant == XML_CQUANT_PLUS) ? 0 : (1u << 28));
++ errorFlags |= ((model[5].numchildren == 0) ? 0 : (1u << 29));
++ errorFlags |= ((model[5].children == NULL) ? 0 : (1u << 30));
++ errorFlags |= ((xcstrcmp(model[5].name, XCS("xyz")) == 0) ? 0 : (1u << 31));
++
++ XML_SetUserData(g_parser, (void *)(uintptr_t)errorFlags);
++ XML_FreeContentModel(g_parser, model);
++}
++
++START_TEST(test_dtd_elements_nesting) {
++ // Payload inspired by a test in Perl's XML::Parser
++ const char *text = "<!DOCTYPE foo [\n"
++ "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>\n"
++ "]>\n"
++ "<foo/>";
++
++ XML_SetUserData(g_parser, (void *)(uintptr_t)-1);
++
++ XML_SetElementDeclHandler(g_parser, element_decl_check_model);
++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR)
++ xml_failure(g_parser);
++
++ if ((uint32_t)(uintptr_t)XML_GetUserData(g_parser) != 0)
++ fail("Element declaration model regression detected");
++}
++END_TEST
++
+ /* Test foreign DTD handling */
+ START_TEST(test_set_foreign_dtd) {
+ const char *text1 = "<?xml version='1.0' encoding='us-ascii'?>\n";
+@@ -11863,6 +11939,7 @@ make_suite(void) {
+ tcase_add_test(tc_basic, test_memory_allocation);
+ tcase_add_test(tc_basic, test_default_current);
+ tcase_add_test(tc_basic, test_dtd_elements);
++ tcase_add_test(tc_basic, test_dtd_elements_nesting);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_set_foreign_dtd);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_foreign_dtd_not_standalone);
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_invalid_foreign_dtd);
+
diff --git a/main/expat/CVE-2022-25313.patch b/main/expat/CVE-2022-25313.patch
new file mode 100644
index 0000000000..d0431bc0b2
--- /dev/null
+++ b/main/expat/CVE-2022-25313.patch
@@ -0,0 +1,223 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/bbdfcfef4747d2d66e81c19f4a55e29e291aa171
+From 9b4ce651b26557f16103c3a366c91934ecd439ab Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:54:29 +0000
+Subject: [PATCH] Prevent stack exhaustion in build_model
+
+It is possible to trigger stack exhaustion in build_model function if
+depth of nested children in DTD element is large enough. This happens
+because build_node is a recursively called function within build_model.
+
+The code has been adjusted to run iteratively. It uses the already
+allocated heap space as temporary stack (growing from top to bottom).
+
+Output is identical to recursive version. No new fields in data
+structures were added, i.e. it keeps full API and ABI compatibility.
+Instead the numchildren variable is used to temporarily keep the
+index of items (uint vs int).
+
+Documentation and readability improvements kindly added by Sebastian.
+
+Proof of Concept:
+
+1. Compile poc binary which parses XML file line by line
+
+```
+cat > poc.c << EOF
+ #include <err.h>
+ #include <expat.h>
+ #include <stdio.h>
+
+ XML_Parser parser;
+
+ static void XMLCALL
+ dummy_element_decl_handler(void *userData, const XML_Char *name,
+ XML_Content *model) {
+ XML_FreeContentModel(parser, model);
+ }
+
+ int main(int argc, char *argv[]) {
+ FILE *fp;
+ char *p = NULL;
+ size_t s = 0;
+ ssize_t l;
+ if (argc != 2)
+ errx(1, "usage: poc poc.xml");
+ if ((parser = XML_ParserCreate(NULL)) == NULL)
+ errx(1, "XML_ParserCreate");
+ XML_SetElementDeclHandler(parser, dummy_element_decl_handler);
+ if ((fp = fopen(argv[1], "r")) == NULL)
+ err(1, "fopen");
+ while ((l = getline(&p, &s, fp)) > 0)
+ if (XML_Parse(parser, p, (int)l, XML_FALSE) != XML_STATUS_OK)
+ errx(1, "XML_Parse");
+ XML_ParserFree(parser);
+ free(p);
+ fclose(fp);
+ return 0;
+ }
+EOF
+cc -std=c11 -D_POSIX_C_SOURCE=200809L -lexpat -o poc poc.c
+```
+
+2. Create XML file with a lot of nested groups in DTD element
+
+```
+cat > poc.xml.zst.b64 << EOF
+KLUv/aQkACAAPAEA+DwhRE9DVFlQRSB1d3UgWwo8IUVMRU1FTlQgdXd1CigBAHv/58AJAgAQKAIA
+ECgCABAoAgAQKAIAECgCABAoAgAQKHwAAChvd28KKQIA2/8gV24XBAIAECkCABApAgAQKQIAECkC
+ABApAgAQKQIAEClVAAAgPl0+CgEA4A4I2VwwnQ==
+EOF
+base64 -d poc.xml.zst.b64 | zstd -d > poc.xml
+```
+
+3. Run Proof of Concept
+
+```
+./poc poc.xml
+```
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ expat/lib/xmlparse.c | 116 +++++++++++++++++++++++++++++--------------
+ 1 file changed, 79 insertions(+), 37 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 4b43e613..594cf12c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7317,44 +7317,15 @@ nextScaffoldPart(XML_Parser parser) {
+ return next;
+ }
+
+-static void
+-build_node(XML_Parser parser, int src_node, XML_Content *dest,
+- XML_Content **contpos, XML_Char **strpos) {
+- DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+- dest->type = dtd->scaffold[src_node].type;
+- dest->quant = dtd->scaffold[src_node].quant;
+- if (dest->type == XML_CTYPE_NAME) {
+- const XML_Char *src;
+- dest->name = *strpos;
+- src = dtd->scaffold[src_node].name;
+- for (;;) {
+- *(*strpos)++ = *src;
+- if (! *src)
+- break;
+- src++;
+- }
+- dest->numchildren = 0;
+- dest->children = NULL;
+- } else {
+- unsigned int i;
+- int cn;
+- dest->numchildren = dtd->scaffold[src_node].childcnt;
+- dest->children = *contpos;
+- *contpos += dest->numchildren;
+- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren;
+- i++, cn = dtd->scaffold[cn].nextsib) {
+- build_node(parser, cn, &(dest->children[i]), contpos, strpos);
+- }
+- dest->name = NULL;
+- }
+-}
+-
+ static XML_Content *
+ build_model(XML_Parser parser) {
++ /* Function build_model transforms the existing parser->m_dtd->scaffold
++ * array of CONTENT_SCAFFOLD tree nodes into a new array of
++ * XML_Content tree nodes followed by a gapless list of zero-terminated
++ * strings. */
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ XML_Content *ret;
+- XML_Content *cpos;
+- XML_Char *str;
++ XML_Char *str; /* the current string writing location */
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+@@ -7380,10 +7351,81 @@ build_model(XML_Parser parser) {
+ if (! ret)
+ return NULL;
+
+- str = (XML_Char *)(&ret[dtd->scaffCount]);
+- cpos = &ret[1];
++ /* What follows is an iterative implementation (of what was previously done
++ * recursively in a dedicated function called "build_node". The old recursive
++ * build_node could be forced into stack exhaustion from input as small as a
++ * few megabyte, and so that was a security issue. Hence, a function call
++ * stack is avoided now by resolving recursion.)
++ *
++ * The iterative approach works as follows:
++ *
++ * - We use space in the target array for building a temporary stack structure
++ * while that space is still unused.
++ * The stack grows from the array's end downwards and the "actual data"
++ * grows from the start upwards, sequentially.
++ * (Because stack grows downwards, pushing onto the stack is a decrement
++ * while popping off the stack is an increment.)
++ *
++ * - A stack element appears as a regular XML_Content node on the outside,
++ * but only uses a single field -- numchildren -- to store the source
++ * tree node array index. These are the breadcrumbs leading the way back
++ * during pre-order (node first) depth-first traversal.
++ *
++ * - The reason we know the stack will never grow into (or overlap with)
++ * the area with data of value at the start of the array is because
++ * the overall number of elements to process matches the size of the array,
++ * and the sum of fully processed nodes and yet-to-be processed nodes
++ * on the stack, cannot be more than the total number of nodes.
++ * It is possible for the top of the stack and the about-to-write node
++ * to meet, but that is safe because we get the source index out
++ * before doing any writes on that node.
++ */
++ XML_Content *dest = ret; /* tree node writing location, moves upwards */
++ XML_Content *const destLimit = &ret[dtd->scaffCount];
++ XML_Content *const stackBottom = &ret[dtd->scaffCount];
++ XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */
++ str = (XML_Char *)&ret[dtd->scaffCount];
++
++ /* Push source tree root node index onto the stack */
++ (--stackTop)->numchildren = 0;
++
++ for (; dest < destLimit; dest++) {
++ /* Pop source tree node index off the stack */
++ const int src_node = (int)(stackTop++)->numchildren;
++
++ /* Convert item */
++ dest->type = dtd->scaffold[src_node].type;
++ dest->quant = dtd->scaffold[src_node].quant;
++ if (dest->type == XML_CTYPE_NAME) {
++ const XML_Char *src;
++ dest->name = str;
++ src = dtd->scaffold[src_node].name;
++ for (;;) {
++ *str++ = *src;
++ if (! *src)
++ break;
++ src++;
++ }
++ dest->numchildren = 0;
++ dest->children = NULL;
++ } else {
++ unsigned int i;
++ int cn;
++ dest->name = NULL;
++ dest->numchildren = dtd->scaffold[src_node].childcnt;
++ dest->children = &dest[1];
++
++ /* Push children to the stack
++ * in a way where the first child ends up at the top of the
++ * (downwards growing) stack, in order to be processed first. */
++ stackTop -= dest->numchildren;
++ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) {
++ (stackTop + i)->numchildren = (unsigned int)cn;
++ }
++ }
++ }
+
+- build_node(parser, 0, ret, &cpos, &str);
+ return ret;
+ }
+
diff --git a/main/expat/CVE-2022-25314.patch b/main/expat/CVE-2022-25314.patch
new file mode 100644
index 0000000000..25674a4383
--- /dev/null
+++ b/main/expat/CVE-2022-25314.patch
@@ -0,0 +1,25 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/d477fdd284468f2ab822024e75702f2c1b254f42
+From efcb347440ade24b9f1054671e6bd05e60b4cafd Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:56:57 +0000
+Subject: [PATCH] Prevent integer overflow in copyString
+
+The copyString function is only used for encoding string supplied by
+the library user.
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 4b43e613..a39377c2 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7412,7 +7412,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
+
+ static XML_Char *
+ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+- int charsRequired = 0;
++ size_t charsRequired = 0;
+ XML_Char *result;
+
+ /* First determine how long the string is */
diff --git a/main/expat/CVE-2022-25315.patch b/main/expat/CVE-2022-25315.patch
new file mode 100644
index 0000000000..fe0e8f298a
--- /dev/null
+++ b/main/expat/CVE-2022-25315.patch
@@ -0,0 +1,139 @@
+Patch-Source: https://github.com/libexpat/libexpat/commit/89214940efd13e3b83fa078fd70eb4dbdc04c4a5
+From eb0362808b4f9f1e2345a0cf203b8cc196d776d9 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:55:46 +0000
+Subject: [PATCH] Prevent integer overflow in storeRawNames
+
+It is possible to use an integer overflow in storeRawNames for out of
+boundary heap writes. Default configuration is affected. If compiled
+with XML_UNICODE then the attack does not work. Compiling with
+-fsanitize=address confirms the following proof of concept.
+
+The problem can be exploited by abusing the m_buffer expansion logic.
+Even though the initial size of m_buffer is a power of two, eventually
+it can end up a little bit lower, thus allowing allocations very close
+to INT_MAX (since INT_MAX/2 can be surpassed). This means that tag
+names can be parsed which are almost INT_MAX in size.
+
+Unfortunately (from an attacker point of view) INT_MAX/2 is also a
+limitation in string pools. Having a tag name of INT_MAX/2 characters
+or more is not possible.
+
+Expat can convert between different encodings. UTF-16 documents which
+contain only ASCII representable characters are twice as large as their
+ASCII encoded counter-parts.
+
+The proof of concept works by taking these three considerations into
+account:
+
+1. Move the m_buffer size slightly below a power of two by having a
+ short root node <a>. This allows the m_buffer to grow very close
+ to INT_MAX.
+2. The string pooling forbids tag names longer than or equal to
+ INT_MAX/2, so keep the attack tag name smaller than that.
+3. To be able to still overflow INT_MAX even though the name is
+ limited at INT_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag
+ which only contains ASCII characters. UTF-16 always stores two
+ bytes per character while the tag name is converted to using only
+ one. Our attack node byte count must be a bit higher than
+ 2/3 INT_MAX so the converted tag name is around INT_MAX/3 which
+ in sum can overflow INT_MAX.
+
+Thanks to our small root node, m_buffer can handle 2/3 INT_MAX bytes
+without running into INT_MAX boundary check. The string pooling is
+able to store INT_MAX/3 as tag name because the amount is below
+INT_MAX/2 limitation. And creating the sum of both eventually overflows
+in storeRawNames.
+
+Proof of Concept:
+
+1. Compile expat with -fsanitize=address.
+
+2. Create Proof of Concept binary which iterates through input
+ file 16 MB at once for better performance and easier integer
+ calculations:
+
+```
+cat > poc.c << EOF
+ #include <err.h>
+ #include <expat.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+
+ #define CHUNK (16 * 1024 * 1024)
+ int main(int argc, char *argv[]) {
+ XML_Parser parser;
+ FILE *fp;
+ char *buf;
+ int i;
+
+ if (argc != 2)
+ errx(1, "usage: poc file.xml");
+ if ((parser = XML_ParserCreate(NULL)) == NULL)
+ errx(1, "failed to create expat parser");
+ if ((fp = fopen(argv[1], "r")) == NULL) {
+ XML_ParserFree(parser);
+ err(1, "failed to open file");
+ }
+ if ((buf = malloc(CHUNK)) == NULL) {
+ fclose(fp);
+ XML_ParserFree(parser);
+ err(1, "failed to allocate buffer");
+ }
+ i = 0;
+ while (fread(buf, CHUNK, 1, fp) == 1) {
+ printf("iteration %d: XML_Parse returns %d\n", ++i,
+ XML_Parse(parser, buf, CHUNK, XML_FALSE));
+ }
+ free(buf);
+ fclose(fp);
+ XML_ParserFree(parser);
+ return 0;
+ }
+EOF
+gcc -fsanitize=address -lexpat -o poc poc.c
+```
+
+3. Construct specially prepared UTF-16 XML file:
+
+```
+dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml
+echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml
+echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368
+iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml
+```
+
+4. Run proof of concept:
+
+```
+./poc poc-utf16.xml
+```
+---
+ expat/lib/xmlparse.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 4b43e613..f34d6ab5 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2563,6 +2563,7 @@ storeRawNames(XML_Parser parser) {
+ while (tag) {
+ int bufSize;
+ int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
++ size_t rawNameLen;
+ char *rawNameBuf = tag->buf + nameLen;
+ /* Stop if already stored. Since m_tagStack is a stack, we can stop
+ at the first entry that has already been copied; everything
+@@ -2574,7 +2575,11 @@ storeRawNames(XML_Parser parser) {
+ /* For re-use purposes we need to ensure that the
+ size of tag->buf is a multiple of sizeof(XML_Char).
+ */
+- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++ /* Detect and prevent integer overflow. */
++ if (rawNameLen > (size_t)INT_MAX - nameLen)
++ return XML_FALSE;
++ bufSize = nameLen + (int)rawNameLen;
+ if (bufSize > tag->bufEnd - tag->buf) {
+ char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+ if (temp == NULL)
diff --git a/main/flac/APKBUILD b/main/flac/APKBUILD
index d358fe2167..2e62156cfb 100644
--- a/main/flac/APKBUILD
+++ b/main/flac/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=flac
-pkgver=1.3.3
+pkgver=1.3.4
pkgrel=0
pkgdesc="Free Lossless Audio Codec"
url="https://xiph.org/flac/"
@@ -12,6 +12,9 @@ makedepends="libogg-dev !libiconv"
source="http://downloads.xiph.org/releases/flac/flac-$pkgver.tar.xz"
# secfixes:
+# 1.3.4-r0:
+# - CVE-2020-0499
+# - CVE-2021-0561
# 1.3.2-r2:
# - CVE-2017-6888
@@ -47,4 +50,6 @@ package() {
install -Dm0644 COPYING.Xiph \
"$pkgdir"/usr/share/licenses/$pkgname/COPYING.Xiph
}
-sha512sums="d6417e14fab0c41b2df369e5e39ce62a5f588e491af4d465b0162f74e171e5549b2f061867f344bfbf8aaccd246bf5f2acd697e532a2c7901c920c69429b1a28 flac-1.3.3.tar.xz"
+sha512sums="
+4a626e8a1bd126e234c0e5061e3b46f3a27c2065fdfa228fd8cf00d3c7fa2c05fafb5cec36acce7bfce4914bfd7db0b2a27ee15decf2d8c4caad630f62d44ec9 flac-1.3.4.tar.xz
+"
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index 6d3aaf337c..34532ab6c3 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=freetype
pkgver=2.10.4
-pkgrel=1
+pkgrel=3
pkgdesc="TrueType font rendering library"
url="https://www.freetype.org/"
arch="all"
@@ -13,9 +13,17 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.xz
0001-Enable-table-validation-modules.patch
subpixel.patch
+ CVE-2022-27404.patch
+ CVE-2022-27405.patch
+ CVE-2022-27406.patch
"
# secfixes:
+# 2.10.4-r3:
+# - CVE-2022-27405
+# - CVE-2022-27406
+# 2.10.4-r2:
+# - CVE-2022-27404
# 2.10.4-r0:
# - CVE-2020-15999
# 2.9-r1:
@@ -51,6 +59,11 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="827cda734aa6b537a8bcb247549b72bc1e082a5b32ab8d3cccb7cc26d5f6ee087c19ce34544fa388a1eb4ecaf97600dbabc3e10e950f2ba692617fee7081518f freetype-2.10.4.tar.xz
+sha512sums="
+827cda734aa6b537a8bcb247549b72bc1e082a5b32ab8d3cccb7cc26d5f6ee087c19ce34544fa388a1eb4ecaf97600dbabc3e10e950f2ba692617fee7081518f freetype-2.10.4.tar.xz
580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763 0001-Enable-table-validation-modules.patch
-72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch"
+72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch
+a00040fddd30f8b7add990c4614cbe69a04d702c471064eaf1f28b70a24c35e25e430bc8ae1d90f198b3e432d90c8884519db30fab2e41e467892d79f5cdee8f CVE-2022-27404.patch
+4e4ed4b325ca8dbbd7362782867901b90eef48cb78d6a030769c33add029d4f61ddafe590c1cca35edd8e2b0c128106b7e01874acf52ac7c2b475f4ca6cf8cdf CVE-2022-27405.patch
+574f0a93a022ba8bae4440012dd4062841187e1af4e906e5a8f117549a7e528e9d4a0bd35833294248f3a71b299175cbf6d144231af29d8d2dd350bc7dc5b804 CVE-2022-27406.patch
+"
diff --git a/main/freetype/CVE-2022-27404.patch b/main/freetype/CVE-2022-27404.patch
new file mode 100644
index 0000000000..841ab4c593
--- /dev/null
+++ b/main/freetype/CVE-2022-27404.patch
@@ -0,0 +1,44 @@
+Patch-Source: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+---
+ src/sfnt/sfobjs.c | 2 +-
+ src/sfnt/sfwoff2.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+ face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+
+ /* value -(N+1) requests information on index N */
+- if ( face_instance_index < 0 )
++ if ( face_instance_index < 0 && face_index > 0 )
+ face_index--;
+
+ if ( face_index >= face->ttc_header.count )
+diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
+index cb1e0664a..165b875e5 100644
+--- a/src/sfnt/sfwoff2.c
++++ b/src/sfnt/sfwoff2.c
+@@ -2085,7 +2085,7 @@
+ /* Validate requested face index. */
+ *num_faces = woff2.num_fonts;
+ /* value -(N+1) requests information on index N */
+- if ( *face_instance_index < 0 )
++ if ( *face_instance_index < 0 && face_index > 0 )
+ face_index--;
+
+ if ( face_index >= woff2.num_fonts )
+--
+GitLab
+
diff --git a/main/freetype/CVE-2022-27405.patch b/main/freetype/CVE-2022-27405.patch
new file mode 100644
index 0000000000..4766867601
--- /dev/null
+++ b/main/freetype/CVE-2022-27405.patch
@@ -0,0 +1,36 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+
+
++ /* only use lower 31 bits together with sign bit */
++ if ( face_index > 0 )
++ face_index &= 0x7FFFFFFFL;
++ else
++ {
++ face_index &= 0x7FFFFFFFL;
++ face_index = -face_index;
++ }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
+--
+GitLab
+
diff --git a/main/freetype/CVE-2022-27406.patch b/main/freetype/CVE-2022-27406.patch
new file mode 100644
index 0000000000..0fdef7d216
--- /dev/null
+++ b/main/freetype/CVE-2022-27406.patch
@@ -0,0 +1,27 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+ if ( !face )
+ return FT_THROW( Invalid_Face_Handle );
+
++ if ( !face->size )
++ return FT_THROW( Invalid_Size_Handle );
++
+ if ( !req || req->width < 0 || req->height < 0 ||
+ req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+ return FT_THROW( Invalid_Argument );
+--
+GitLab
+
diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index eac08ff51d..a790db42f6 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -2,6 +2,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.30.3-r0:
+# - CVE-2022-24765
# 2.30.2-r0:
# - CVE-2021-21300
# 2.26.2-r0:
@@ -27,9 +29,10 @@
# - CVE-2017-1000117
# 0:
# - CVE-2021-29468
+# - CVE-2021-46101
pkgname=git
-pkgver=2.30.2
+pkgver=2.30.3
pkgrel=0
pkgdesc="Distributed version control system"
url="https://www.git-scm.com/"
@@ -287,7 +290,9 @@ _perl_config() {
perl -e "use Config; print \$Config{$1};"
}
-sha512sums="4f7e1c30f8eee849d1febeda872d56c60c5d051a31726505a4c7bab11b274d3a2ab5588f910b7b49c5c0ec5228a18457f705c7b66e8bbdf809d3c75c59032b7e git-2.30.2.tar.xz
+sha512sums="
+966bbfa93f06aa747a0c7af714681d4e2d09431b8bbf53d31dd106d8411d769d8b6162fe99cbdd322837e34a8f4ac371eb04638a4d17db1fb4ead9615d4eb071 git-2.30.3.tar.xz
89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd
fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec git-daemon.confd
-be5d568fc5b8b84c9afb97b31e471e41f32ccfe188eba0588ea0ef98b2d96c2ce4b2c1a3d70e88205aa4f6667f850b3f32c13bbb149ecddbf670344c162a4e25 fix-t4219-with-sticky-bit.patch"
+be5d568fc5b8b84c9afb97b31e471e41f32ccfe188eba0588ea0ef98b2d96c2ce4b2c1a3d70e88205aa4f6667f850b3f32c13bbb149ecddbf670344c162a4e25 fix-t4219-with-sticky-bit.patch
+"
diff --git a/main/gmp/APKBUILD b/main/gmp/APKBUILD
index c5e80d754d..691d934d61 100644
--- a/main/gmp/APKBUILD
+++ b/main/gmp/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gmp
pkgver=6.2.1
-pkgrel=0
+pkgrel=1
pkgdesc="free library for arbitrary precision arithmetic"
url="https://gmplib.org/"
arch="all"
@@ -9,9 +9,14 @@ license="LGPL-3.0-or-later OR GPL-2.0-or-later"
makedepends="m4 texinfo libtool"
subpackages="$pkgname-doc $pkgname-dev libgmpxx"
source="https://gmplib.org/download/gmp/gmp-$pkgver.tar.xz
+ CVE-2021-43618.patch::https://gmplib.org/repo/gmp-6.2/raw-rev/561a9c25298e
"
replaces="gmp5"
+# secfixes:
+# 6.2.1-r1:
+# - CVE-2021-43618
+
prepare() {
default_prepare
# force update to libtool with fixed cross-build support
@@ -51,4 +56,5 @@ doc() {
replaces="gmp5-doc"
}
-sha512sums="c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 gmp-6.2.1.tar.xz"
+sha512sums="c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 gmp-6.2.1.tar.xz
+3956190d9c266feb62f8965c3cd32d0a9260f76ffb0d3e32211974bb53ddd5c6eaa657f7e00ba8fa7c914c0e1375155d25de6a81cdb9b03d6a5bbc16ac121447 CVE-2021-43618.patch"
diff --git a/main/gzip/APKBUILD b/main/gzip/APKBUILD
index bdb30df8d5..92a548f46d 100644
--- a/main/gzip/APKBUILD
+++ b/main/gzip/APKBUILD
@@ -1,15 +1,19 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gzip
-pkgver=1.10
-pkgrel=1
+pkgver=1.12
+pkgrel=0
pkgdesc="Popular data compression program"
subpackages="$pkgname-doc"
url="https://www.gnu.org/software/gzip/"
arch="all"
license="GPL-3.0-or-later"
depends="less"
-source="https://ftp.gnu.org/gnu/gzip/gzip-$pkgver.tar.gz"
+source="https://ftp.gnu.org/gnu/gzip/gzip-$pkgver.tar.xz"
+
+# secfixes:
+# 1.12-r0:
+# - CVE-2022-1271
build() {
# avoid text relocation
@@ -42,4 +46,6 @@ package() {
ln -sf /bin/gunzip "$pkgdir"/usr/bin/uncompress
}
-sha512sums="7939043e74554ced0c1c05d354ab4eb36cd6dce89ad79d02ccdc5ed6b7ee390759689b2d47c07227b9b44a62851afe7c76c4cae9f92527d999f3f1b4df1cccff gzip-1.10.tar.gz"
+sha512sums="
+116326fe991828227de150336a0c016f4fe932dfbb728a16b4a84965256d9929574a4f5cfaf3cf6bb4154972ef0d110f26ab472c93e62ec9a5fd7a5d65abea24 gzip-1.12.tar.xz
+"
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index 7c73e016e6..268e09df25 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -4,7 +4,7 @@
pkgname=haproxy
# NOTE: Upgrade only to LTS versions announced on upstream site url!
# Using LTS versions is easier to keep it in good shape for stable releases
-pkgver=2.2.17
+pkgver=2.2.24
_pkgmajorver=${pkgver%.*}
pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -21,6 +21,8 @@ source="https://www.haproxy.org/download/$_pkgmajorver/src/haproxy-$pkgver.tar.g
haproxy.cfg"
# secfixes:
+# 2.2.21-r0:
+# - CVE-2022-0711
# 2.1.4-r0:
# - CVE-2020-11100
@@ -57,7 +59,7 @@ package() {
}
sha512sums="
-174197e1e0915a6ae6062b9a070f16102ac7f3429f991f36cdb2e2cce587bd26059bd1dc71a368f904bcdecd292ab5926715160400ae96d498d902aac356864f haproxy-2.2.17.tar.gz
+021d065e53503248de122fdd9431786b9f375a5f87aca76f870e17e44c8c4001a778bfb4e430b28af781a3f175f3643a549e363e964210c717f212c5966e68d8 haproxy-2.2.24.tar.gz
4aa8fc812079baf1d17cf9484a9b44568c3dd94f35243a57a4a7868e7f88146a4e94c80ea8ab86f1b08a524567e269a3ec119b67fc679f6bd0d9f1c70ce4f080 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg
"
diff --git a/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch b/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch
new file mode 100644
index 0000000000..9f4b0c2959
--- /dev/null
+++ b/main/hostapd/0001-crypto-Add-more-bignum-EC-helper-functions.patch
@@ -0,0 +1,318 @@
+From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 27 Aug 2019 16:33:15 +0300
+Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions
+
+These are needed for implementing SAE hash-to-element.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/crypto/crypto.h | 45 ++++++++++++++++++
+ src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++
+ src/crypto/crypto_wolfssl.c | 66 ++++++++++++++++++++++++++
+ 3 files changed, 205 insertions(+)
+
+diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
+index 15f8ad04cea4..68476dbce96c 100644
+--- a/src/crypto/crypto.h
++++ b/src/crypto/crypto.h
+@@ -518,6 +518,13 @@ struct crypto_bignum * crypto_bignum_init(void);
+ */
+ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len);
+
++/**
++ * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint)
++ * @val: Value to set
++ * Returns: Pointer to allocated bignum or %NULL on failure
++ */
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val);
++
+ /**
+ * crypto_bignum_deinit - Free bignum
+ * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set()
+@@ -612,6 +619,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ struct crypto_bignum *c);
+
++/**
++ * crypto_bignum_addmod - d = a + b (mod c)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum
++ * @d: Bignum; used to store the result of (a + b) % c
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d);
++
+ /**
+ * crypto_bignum_mulmod - d = a * b (mod c)
+ * @a: Bignum
+@@ -625,6 +645,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *c,
+ struct crypto_bignum *d);
+
++/**
++ * crypto_bignum_sqrmod - c = a^2 (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result of a^2 % b
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c);
++
++/**
++ * crypto_bignum_sqrtmod - returns sqrt(a) (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c);
++
+ /**
+ * crypto_bignum_rshift - r = a >> n
+ * @a: Bignum
+@@ -731,6 +773,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e);
+ */
+ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e);
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e);
++
+ /**
+ * struct crypto_ec_point - Elliptic curve point
+ *
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index bab33a537293..ed463105e8f1 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -1283,6 +1283,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+
+
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++ BIGNUM *bn;
++
++ if (TEST_FAIL())
++ return NULL;
++
++ bn = BN_new();
++ if (!bn)
++ return NULL;
++ if (BN_set_word(bn, val) != 1) {
++ BN_free(bn);
++ return NULL;
++ }
++ return (struct crypto_bignum *) bn;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ if (clear)
+@@ -1449,6 +1467,28 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d)
++{
++ int res;
++ BN_CTX *bnctx;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
++ (const BIGNUM *) c, bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ const struct crypto_bignum *c,
+@@ -1472,6 +1512,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ int res;
++ BN_CTX *bnctx;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++ bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ BN_CTX *bnctx;
++ BIGNUM *res;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++ bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ struct crypto_bignum *r)
+ {
+@@ -1682,6 +1764,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ if (clear)
+diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
+index 4cedab4367cd..e9894b335e53 100644
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -1042,6 +1042,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+
+
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++ mp_int *a;
++
++ if (TEST_FAIL())
++ return NULL;
++
++ a = (mp_int *) crypto_bignum_init();
++ if (!a)
++ return NULL;
++
++ if (mp_set_int(a, val) != MP_OKAY) {
++ os_free(a);
++ a = NULL;
++ }
++
++ return (struct crypto_bignum *) a;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ if (!n)
+@@ -1168,6 +1188,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d)
++{
++ if (TEST_FAIL())
++ return -1;
++
++ return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c,
++ (mp_int *) d) == MP_OKAY ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ const struct crypto_bignum *m,
+@@ -1181,6 +1214,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ if (TEST_FAIL())
++ return -1;
++
++ return mp_sqrmod((mp_int *) a, (mp_int *) b,
++ (mp_int *) c) == MP_OKAY ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ /* TODO */
++ return -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ struct crypto_bignum *r)
+ {
+@@ -1386,6 +1440,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) &e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) &e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ ecc_point *point = (ecc_point *) p;
+--
+2.25.1
+
diff --git a/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch b/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch
new file mode 100644
index 0000000000..6c8509b8c2
--- /dev/null
+++ b/main/hostapd/0002-dragonfly-Add-sqrt-helper-function.patch
@@ -0,0 +1,72 @@
+From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function
+
+This is a backport of "SAE: Move sqrt() implementation into a helper
+function" to introduce the helper function needed for the following
+patches.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++
+ src/common/dragonfly.h | 2 ++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
+index 547be66f1561..1e842716668e 100644
+--- a/src/common/dragonfly.c
++++ b/src/common/dragonfly.c
+@@ -213,3 +213,37 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+ "dragonfly: Unable to get randomness for own scalar");
+ return -1;
+ }
++
++
++/* res = sqrt(val) */
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++ struct crypto_bignum *res)
++{
++ const struct crypto_bignum *prime;
++ struct crypto_bignum *tmp, *one;
++ int ret = 0;
++ u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
++ size_t prime_len;
++
++ /* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */
++
++ prime = crypto_ec_get_prime(ec);
++ prime_len = crypto_ec_prime_len(ec);
++ tmp = crypto_bignum_init();
++ one = crypto_bignum_init_uint(1);
++
++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++ prime_len) < 0 ||
++ (prime_bin[prime_len - 1] & 0x03) != 3 ||
++ !tmp || !one ||
++ /* tmp = (p+1)/4 */
++ crypto_bignum_add(prime, one, tmp) < 0 ||
++ crypto_bignum_rshift(tmp, 2, tmp) < 0 ||
++ /* res = sqrt(val) */
++ crypto_bignum_exptmod(val, tmp, prime, res) < 0)
++ ret = -1;
++
++ crypto_bignum_deinit(tmp, 0);
++ crypto_bignum_deinit(one, 0);
++ return ret;
++}
+diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
+index ec3dd593eda4..84d67f575c54 100644
+--- a/src/common/dragonfly.h
++++ b/src/common/dragonfly.h
+@@ -27,5 +27,7 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+ struct crypto_bignum *_rand,
+ struct crypto_bignum *_mask,
+ struct crypto_bignum *scalar);
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++ struct crypto_bignum *res);
+
+ #endif /* DRAGONFLY_H */
+--
+2.25.1
+
diff --git a/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch b/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch
new file mode 100644
index 0000000000..f2a9cb3a9f
--- /dev/null
+++ b/main/hostapd/0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch
@@ -0,0 +1,99 @@
+From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/sae.c | 47 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 08fdbfd18173..8d79ed962768 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -286,14 +286,16 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ int pwd_seed_odd = 0;
+ u8 prime[SAE_MAX_ECC_PRIME_LEN];
+ size_t prime_len;
+- struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++ struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL;
+ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN];
+ int res = -1;
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+ * mask */
++ unsigned int is_eq;
+
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+@@ -402,25 +404,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ goto fail;
+ }
+
+- if (!sae->tmp->pwe_ecc)
+- sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
+- if (!sae->tmp->pwe_ecc)
+- res = -1;
+- else
+- res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+- sae->tmp->pwe_ecc, x,
+- pwd_seed_odd);
+- if (res < 0) {
+- /*
+- * This should not happen since we already checked that there
+- * is a result.
+- */
++ /* y = sqrt(x^3 + ax + b) mod p
++ * if LSB(save) == LSB(y): PWE = (x, y)
++ * else: PWE = (x, p - y)
++ *
++ * Calculate y and the two possible values for PWE and after that,
++ * use constant time selection to copy the correct alternative.
++ */
++ y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x);
++ if (!y ||
++ dragonfly_sqrt(sae->tmp->ec, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN,
++ prime_len) < 0 ||
++ crypto_bignum_sub(sae->tmp->prime, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN,
++ SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) {
+ wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++ goto fail;
++ }
++
++ is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01);
++ const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN,
++ prime_len, x_y + prime_len);
++ os_memcpy(x_y, x_bin, prime_len);
++ wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len);
++ crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1);
++ sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y);
++ if (!sae->tmp->pwe_ecc) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
++ res = -1;
+ }
+
+ fail:
++ forced_memzero(x_y, sizeof(x_y));
+ crypto_bignum_deinit(qr, 0);
+ crypto_bignum_deinit(qnr, 0);
++ crypto_bignum_deinit(y, 1);
+ os_free(dummy_password);
+ bin_clear_free(tmp_password, password_len);
+ crypto_bignum_deinit(x, 1);
+--
+2.25.1
+
diff --git a/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch b/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch
new file mode 100644
index 0000000000..71d22b0864
--- /dev/null
+++ b/main/hostapd/0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch
@@ -0,0 +1,113 @@
+From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 18:52:27 +0200
+Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 46 ++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 2b2b8efdbd01..ff22b29b087a 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -127,7 +127,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+ u8 x_bin[MAX_ECC_PRIME_LEN];
+ u8 prime_bin[MAX_ECC_PRIME_LEN];
+- struct crypto_bignum *tmp2 = NULL;
++ u8 x_y[2 * MAX_ECC_PRIME_LEN];
++ struct crypto_bignum *tmp2 = NULL, *y = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+ int ret = 0, res;
+@@ -139,6 +140,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 found_ctr = 0, is_odd = 0;
+ int cmp_prime;
+ unsigned int in_range;
++ unsigned int is_eq;
+
+ if (grp->pwe)
+ return -1;
+@@ -151,11 +153,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+ primebytelen) < 0)
+ return -1;
+- grp->pwe = crypto_ec_point_init(grp->group);
+- if (!grp->pwe) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+- goto fail;
+- }
+
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+@@ -261,10 +258,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ */
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
+- if (!x_candidate ||
+- crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
+- is_odd) != 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++ if (!x_candidate)
++ goto fail;
++
++ /* y = sqrt(x^3 + ax + b) mod p
++ * if LSB(y) == LSB(pwd-seed): PWE = (x, y)
++ * else: PWE = (x, p - y)
++ *
++ * Calculate y and the two possible values for PWE and after that,
++ * use constant time selection to copy the correct alternative.
++ */
++ y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
++ if (!y ||
++ dragonfly_sqrt(grp->group, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 ||
++ crypto_bignum_sub(prime, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN,
++ MAX_ECC_PRIME_LEN, primebytelen) < 0) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++ goto fail;
++ }
++
++ /* Constant time selection of the y coordinate from the two
++ * options */
++ is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01);
++ const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN,
++ primebytelen, x_y + primebytelen);
++ os_memcpy(x_y, x_bin, primebytelen);
++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen);
++ grp->pwe = crypto_ec_point_from_bin(grp->group, x_y);
++ if (!grp->pwe) {
++ wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE");
+ goto fail;
+ }
+
+@@ -289,6 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ /* cleanliness and order.... */
+ crypto_bignum_deinit(x_candidate, 1);
+ crypto_bignum_deinit(tmp2, 1);
++ crypto_bignum_deinit(y, 1);
+ crypto_bignum_deinit(qr, 1);
+ crypto_bignum_deinit(qnr, 1);
+ bin_clear_free(prfbuf, primebytelen);
+@@ -296,6 +321,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(qnr_bin, 0, sizeof(qnr_bin));
+ os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
+ os_memset(pwe_digest, 0, sizeof(pwe_digest));
++ forced_memzero(x_y, sizeof(x_y));
+
+ return ret;
+ }
+--
+2.25.1
+
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index 848cd883e6..7d122c95ed 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.9
-pkgrel=3
+pkgrel=4
pkgdesc="daemon for wireless software access points"
url="https://w1.fi/hostapd/"
arch="all"
@@ -16,11 +16,19 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
CVE-2021-30004.patch::https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15
+
+ 0001-crypto-Add-more-bignum-EC-helper-functions.patch
+ 0002-dragonfly-Add-sqrt-helper-function.patch
+ 0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch
+ 0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch
"
options="!check" #no testsuite
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
+# 2.9-r4:
+# - CVE-2022-23303
+# - CVE-2022-23304
# 2.9-r3:
# - CVE-2021-30004
# 2.9-r2:
@@ -103,11 +111,17 @@ package() {
&& install -Dm644 hostapd_cli.1 \
"$pkgdir"/usr/share/man/man1/hostapd_cli
}
-sha512sums="66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c hostapd-2.9.tar.gz
+sha512sums="
+66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c hostapd-2.9.tar.gz
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd
63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
b76bbca282a74ef16c0303e5dbd2ccd33a62461595964d52c1481b0bfa4f41deacde56830b85409b288803b87ceb6f33cf0ccc69c5b17ec632c2d4784b872f3c 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
00cc739e78c42353a555c0de2f29defecff372927040e14407a231d1ead7ff32a37c9fd46bea7cdf1c24e3ac891bc3d483800d44fc6d2c8a12d2ae886523b12c 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
69243af20cdcfa837c51917a3723779f4825e11436fb83311355b4ffe8f7a4b7a5747a976f7bf923038c410c9e9055b13b866d9a396913ad08bdec3a70e9f6e0 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
-88608529763a6fd9e8cb1e9c9a35630dc2e311a260e023e2a69002d0db700d5f58fc7723a00433b4ea895b92c371cf1db221f38742490b4ed9b4b049892b65e1 CVE-2021-30004.patch"
+88608529763a6fd9e8cb1e9c9a35630dc2e311a260e023e2a69002d0db700d5f58fc7723a00433b4ea895b92c371cf1db221f38742490b4ed9b4b049892b65e1 CVE-2021-30004.patch
+540ddb5ddde8aa8e2292ab01f632b63ac2e390aecd63506ac4e736b4677125d10be44c4dee153f135e51b510e6b62d4926f921e4bbd117ed0864b5becc9b873e 0001-crypto-Add-more-bignum-EC-helper-functions.patch
+77402d5917144850d3d521b6f880c942de809d058eb09c6e79e5d54898165e21c06eb997eb089f9bf3f9ef387bc8b3697e62f1a80dbb319892a72e5b5f0ff14c 0002-dragonfly-Add-sqrt-helper-function.patch
+9dd05d81597a13552d094735dd6da0e298e2c372ee0ed0f191ead149dd5ec32f4002f2950d327fdebfd942ba47ec87c5064f6cd512eef41867e9568a75e61352 0003-SAE-Derive-the-y-coordinate-for-PWE-with-own-impleme.patch
+55879aacd970ba6a926ed6936204e8507736551aa24d8d384d80d790da8c7362dd80f247b84e8bb51ea527fa516d37163d5b82bc595a85a432116cc5e042606e 0004-EAP-pwd-Derive-the-y-coordinate-for-PWE-with-own-imp.patch
+"
diff --git a/main/intel-ucode/APKBUILD b/main/intel-ucode/APKBUILD
index 00bb0b57aa..d508671db0 100644
--- a/main/intel-ucode/APKBUILD
+++ b/main/intel-ucode/APKBUILD
@@ -1,16 +1,51 @@
# Maintainer: Marian Buschsieweke <marian.buschsieweke@ovgu.de>
pkgname=intel-ucode
-pkgver=20210608
+pkgver=20220510
pkgrel=0
pkgdesc="Microcode update files for Intel CPUs"
arch="x86 x86_64"
-url="https://downloadcenter.intel.com/SearchResult.aspx?lang=eng&keyword=%22microcode%22"
+url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files"
license="custom"
makedepends="iucode-tool"
source="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-$pkgver.tar.gz"
options="!check"
builddir="$srcdir/Intel-Linux-Processor-Microcode-Data-Files-microcode-$pkgver"
+# (Taken from https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md)
+# secfixes:
+# 20220510-r0:
+# - CVE-2022-21151
+# 20220207-r0:
+# - CVE-2021-0127
+# - CVE-2021-0146
+# 20210608-r0:
+# - CVE-2020-24489
+# - CVE-2020-24511
+# - CVE-2020-24513
+# 20210216-r0:
+# - CVE-2020-8698
+# 20201112-r0:
+# - CVE-2020-8694
+# - CVE-2020-8698
+# 20201110-r0:
+# - CVE-2020-8694
+# - CVE-2020-8698
+# 20200609-r0:
+# - CVE-2020-0548
+# 20191113-r0:
+# - CVE-2019-11135
+# 20191112-r0:
+# - CVE-2018-12126
+# - CVE-2019-11135
+# 20190918-r0:
+# - CVE-2019-11135
+# 20190618-r0:
+# - CVE-2018-12126
+# 20190514a-r0:
+# - CVE-2018-12126
+# - CVE-2017-5754
+# - CVE-2017-5753
+
build() {
rm -f intel-ucode/list intel-ucode-with-caveats/list
mkdir -p kernel/x86/microcode
@@ -25,4 +60,6 @@ package() {
install -Dm644 license "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
-sha512sums="61acd2e76aa019fa0002fbf56c503791080a937ff93d81e020f8f0cc089dc08928b4c7e9884f713b886e2f9d4a8409fea59e39f628ef534a588515e1c3fc861d microcode-20210608.tar.gz"
+sha512sums="
+00329ce62a6d9cc66fb8594d132ef67951086ab1250ceaf908d5a357753ed62557275f55c5eb7b3ad55d1fdd312b5d1a436b214cdcbf6e3e1a840c8bf6f4795d microcode-20220510.tar.gz
+"
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index 966042ad10..f9a9af34d8 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=krb5
-pkgver=1.18.4
+pkgver=1.18.5
pkgrel=0
pkgdesc="The Kerberos network authentication system"
url="https://web.mit.edu/kerberos/www/"
@@ -30,6 +30,8 @@ source="https://web.mit.edu/kerberos/dist/krb5/$_maj_min/krb5-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver/src"
# secfixes:
+# 1.18.5-r0:
+# - CVE-2021-37750
# 1.18.4-r0:
# - CVE-2021-36222
# 1.18.3-r0:
@@ -118,7 +120,7 @@ libs() {
}
sha512sums="
-7d9f1e937ba122f5af1340b5025420903a4cc3692bdf4093289921ad09b3fd02c8684b65a783d4b397ba15c4cf29c728cbf24a6405c5fff72fb882137703539e krb5-1.18.4.tar.gz
+7fd25944ac66074bf21465824f226aa3456a253a7517e7d3cacb7664103b8b033076cc23ee7c7806e7c9f884747c05eac5b1f1cf771b3d1989e5129c36de4bb2 krb5-1.18.5.tar.gz
5c62cbcbf1ef0462323f3392a362b42ed301967a1de80ddcb27eece4fad23efeeb5f04f5af521cfffff36b918bb93813262aa62785e59d6cb5af437a2c9e886d mit-krb5_krb5-config_LDFLAGS.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
diff --git a/main/ldb/APKBUILD b/main/ldb/APKBUILD
index d3ddbf41e0..6c9b7d472b 100644
--- a/main/ldb/APKBUILD
+++ b/main/ldb/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ldb
-pkgver=2.2.1
+pkgver=2.2.3
pkgrel=0
pkgdesc="A schema-less, ldap like, API and database"
url="https://ldb.samba.org/"
@@ -11,6 +11,7 @@ makedepends="libtirpc-dev tevent-dev py3-tevent tdb-dev py3-tdb talloc-dev
subpackages="$pkgname-dev py3-$pkgname:_py3 $pkgname-tools $pkgname-doc"
source="https://www.samba.org/ftp/pub/ldb/ldb-$pkgver.tar.gz
disable-compile-error-test.patch
+ skip-failing-tests.patch
"
# secfixes:
@@ -21,6 +22,7 @@ _waf=buildtools/bin/waf
case "$CARCH" in
ppc64le) options="$options !check" ;;
+ armhf|armv7|x86) export DEB_HOST_ARCH_BITS=32 ;;
esac
build() {
@@ -57,5 +59,8 @@ tools() {
mv "$pkgdir"/usr/lib/ldb/libldb-cmdline.* "$subpkgdir"/usr/lib/ldb/
}
-sha512sums="a2b1598869e3d9f17c5b82fc2b7289f1f08a7378a1d72609af5ed5cc91fb571ac67d3a8c22d64dad5dcc9fe32520baccd5cc37d5b4fc5f1b00a7064902296344 ldb-2.2.1.tar.gz
-ed55d5151bbcaf5c0a1b70a1f44b461a501ad94ce02ee97e3ea10c560ce3656a190510697bbd3c5b6f70a74519bf7c0a91210bcb415ffd97d9440045e10a02e8 disable-compile-error-test.patch"
+sha512sums="
+0fdda9e033cbd04d6b50c76ecf044068353d2abf50c5c9d9c804b8b9e70f6d85bf925ac984a38c2b7a159a384bfc94e5232b05a32cdbc9299dc43930d1b6a985 ldb-2.2.3.tar.gz
+ed55d5151bbcaf5c0a1b70a1f44b461a501ad94ce02ee97e3ea10c560ce3656a190510697bbd3c5b6f70a74519bf7c0a91210bcb415ffd97d9440045e10a02e8 disable-compile-error-test.patch
+08e6a0b075dc40c8d1c9ac12fcf72c0601d3ec128a56915be88336754b876580d52f64e94bf9157e82810a9afe2eb6cdb7be0e999fd88a5e70e70dd71ce1dab5 skip-failing-tests.patch
+"
diff --git a/main/ldb/skip-failing-tests.patch b/main/ldb/skip-failing-tests.patch
new file mode 100644
index 0000000000..0b32f2bd95
--- /dev/null
+++ b/main/ldb/skip-failing-tests.patch
@@ -0,0 +1,35 @@
+From 38f5e8e09a7ae641b3669068b10c6bd966e46632 Mon Sep 17 00:00:00 2001
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Thu, 4 Nov 2021 22:46:15 +0100
+Subject: [PATCH] Skip failing tests (on 32-bit architectures)
+
+See https://bugzilla.samba.org/show_bug.cgi?id=14558#c17
+---
+ tests/python/api.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tests/python/api.py b/tests/python/api.py
+index 8d154aa..e1de40c 100755
+--- a/tests/python/api.py
++++ b/tests/python/api.py
+@@ -44,6 +44,9 @@ class NoContextTests(TestCase):
+ self.assertEqual("19700101000000.0Z", ldb.timestring(0))
+ self.assertEqual("20071119191012.0Z", ldb.timestring(1195499412))
+
++ if os.environ.get('DEB_HOST_ARCH_BITS', '64') == '32':
++ self.skipTest('Test failing on 32-bit')
++
+ self.assertEqual("00000101000000.0Z", ldb.timestring(-62167219200))
+ self.assertEqual("99991231235959.0Z", ldb.timestring(253402300799))
+
+@@ -62,6 +65,9 @@ class NoContextTests(TestCase):
+ self.assertEqual(0, ldb.string_to_time("19700101000000.0Z"))
+ self.assertEqual(1195499412, ldb.string_to_time("20071119191012.0Z"))
+
++ if os.environ.get('DEB_HOST_ARCH_BITS', '64') == '32':
++ self.skipTest('Test failing on 32-bit')
++
+ self.assertEqual(-62167219200, ldb.string_to_time("00000101000000.0Z"))
+ self.assertEqual(253402300799, ldb.string_to_time("99991231235959.0Z"))
+
+--
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index c508d79c42..cfecc03b66 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libarchive
-pkgver=3.5.1
+pkgver=3.5.3
pkgrel=0
pkgdesc="library that can create and read several streaming archive formats"
url="https://libarchive.org/"
@@ -10,9 +10,12 @@ license="BSD-2-Clause AND BSD-3-Clause AND Public-Domain"
makedepends="zlib-dev bzip2-dev xz-dev lz4-dev acl-dev openssl-dev expat-dev
attr-dev zstd-dev"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-tools"
-source="https://github.com/libarchive/libarchive/releases/download/$pkgver/libarchive-$pkgver.tar.xz"
+source="https://libarchive.org/downloads/libarchive-$pkgver.tar.xz"
# secfixes:
+# 3.5.3-r0:
+# - CVE-2021-31566
+# - CVE-2021-36976
# 3.4.2-r0:
# - CVE-2020-19221
# - CVE-2020-9308
@@ -41,4 +44,6 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="04ad3e98e840fee19eb4c2652f29eccef1cffc071fd5c6a6feb358fea6048699281c7baacbb9ca8f823b1bfaaef6d4c87d9cf6a8b0c28aab53b75b2d259b2045 libarchive-3.5.1.tar.xz"
+sha512sums="
+90da8508cbaf4e187234e70ded9522316db35c3843eb6d51e8676088d9db68b13490d53eb05c6dbf6df78496319ce2a4bd4e4a3a1b83240a57b58492aceb4c7f libarchive-3.5.3.tar.xz
+"
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 45362268c6..3c16cc0701 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=libxml2
-pkgver=2.9.12
+pkgver=2.9.14
pkgrel=0
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
@@ -17,12 +17,15 @@ if [ -z "$BOOTSTRAP" ]; then
py_configure="--with-python=/usr/bin/python3"
fi
options="!strip"
-source="http://xmlsoft.org/sources/libxml2-$pkgver.tar.gz
- revert-Make-xmlFreeNodeList-non-recursive.patch
+source="https://download.gnome.org/sources/libxml2/${pkgver%.*}/libxml2-$pkgver.tar.xz
libxml2-2.9.8-python3-unicode-errors.patch
"
# secfixes:
+# 2.9.14-r0:
+# - CVE-2022-29824
+# 2.9.13-r0:
+# - CVE-2022-23308
# 2.9.11-r0:
# - CVE-2021-3541
# 2.9.10-r7:
@@ -103,7 +106,6 @@ utils() {
}
sha512sums="
-df1c6486e80f0fcf3c506f3599bcfb94b620c00d0b5d26831bc983daa78d58ec58b5057b1ec7c1a26c694f40199c6234ee2a6dcabf65abfa10c447cb5705abbd libxml2-2.9.12.tar.gz
-347178e432379d543683cba21b902e7305202c03e8dbd724ae395963d677096a5cfc4e345e208d498163ca5174683c167610fc2b297090476038bc2bb7c84b4f revert-Make-xmlFreeNodeList-non-recursive.patch
+d08e6cafb289c499fdc5b3a12181e032a34f7a249bc66758859f964d3e71e19fd69be79921e1a9d8ab1e692d15b13f5fae95eeb10c3236974d89e218f5107606 libxml2-2.9.14.tar.xz
a205c97fa1488fb8907cfa08b5f82e2055c80b86213dc3cc5c4b526fe6aa786bcc4e4eeb226c44635a1d021307b39e3940f706c42fb60e9e3e9b490a84164df7 libxml2-2.9.8-python3-unicode-errors.patch
"
diff --git a/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch b/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch
deleted file mode 100644
index 102abdb313..0000000000
--- a/main/libxml2/revert-Make-xmlFreeNodeList-non-recursive.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-This is a revert of
-https://github.com/GNOME/libxml2/commit/0762c9b69ba01628f72eada1c64ff3d361fb5716
-
-This fixes perl-xml-libxslt test suite
-https://bugzilla.suse.com/show_bug.cgi?id=1157450
-
-diff --git a/tree.c b/tree.c
-index 08b1a50..f2b1457 100644
---- a/tree.c
-+++ b/tree.c
-@@ -3664,9 +3664,7 @@ xmlNextElementSibling(xmlNodePtr node) {
- void
- xmlFreeNodeList(xmlNodePtr cur) {
- xmlNodePtr next;
-- xmlNodePtr parent;
- xmlDictPtr dict = NULL;
-- size_t depth = 0;
-
- if (cur == NULL) return;
- if (cur->type == XML_NAMESPACE_DECL) {
-@@ -3682,21 +3680,16 @@ xmlFreeNodeList(xmlNodePtr cur) {
- return;
- }
- if (cur->doc != NULL) dict = cur->doc->dict;
-- while (1) {
-- while ((cur->children != NULL) &&
-- (cur->type != XML_DTD_NODE) &&
-- (cur->type != XML_ENTITY_REF_NODE)) {
-- cur = cur->children;
-- depth += 1;
-- }
--
-+ while (cur != NULL) {
- next = cur->next;
-- parent = cur->parent;
- if (cur->type != XML_DTD_NODE) {
-
- if ((__xmlRegisterCallbacks) && (xmlDeregisterNodeDefaultValue))
- xmlDeregisterNodeDefaultValue(cur);
-
-+ if ((cur->children != NULL) &&
-+ (cur->type != XML_ENTITY_REF_NODE))
-+ xmlFreeNodeList(cur->children);
- if (((cur->type == XML_ELEMENT_NODE) ||
- (cur->type == XML_XINCLUDE_START) ||
- (cur->type == XML_XINCLUDE_END)) &&
-@@ -3727,16 +3720,7 @@ xmlFreeNodeList(xmlNodePtr cur) {
- DICT_FREE(cur->name)
- xmlFree(cur);
- }
--
-- if (next != NULL) {
-- cur = next;
-- } else {
-- if ((depth == 0) || (parent == NULL))
-- break;
-- depth -= 1;
-- cur = parent;
-- cur->children = NULL;
-- }
-+ cur = next;
- }
- }
-
diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD
index 18e3a9782f..defc4a03d0 100644
--- a/main/libxslt/APKBUILD
+++ b/main/libxslt/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
pkgname=libxslt
-pkgver=1.1.34
+pkgver=1.1.35
pkgrel=0
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
@@ -9,9 +9,11 @@ arch="all"
license="custom"
makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="http://xmlsoft.org/sources/libxslt-$pkgver.tar.gz"
+source="https://download.gnome.org/sources/libxslt/${pkgver%.*}/libxslt-$pkgver.tar.xz"
# secfixes:
+# 1.1.35-r0:
+# - CVE-2021-30560
# 1.1.34-r0:
# - CVE-2019-13117
# - CVE-2019-13118
@@ -43,4 +45,6 @@ package() {
make DESTDIR="$pkgdir" install
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-sha512sums="1516a11ad608b04740674060d2c5d733b88889de5e413b9a4e8bf8d1a90d712149df6d2b1345b615f529d7c7d3fa6dae12e544da828b39c7d415e54c0ee0776b libxslt-1.1.34.tar.gz"
+sha512sums="
+9dd4a699235f50ae9b75b25137e387471635b4b2da0a4e4380879cd49f1513470fcfbfd775269b066eac513a1ffa6860c77ec42747168e2348248f09f60c8c96 libxslt-1.1.35.tar.xz
+"
diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
index a546b9c8dc..f8212d3dda 100644
--- a/main/lighttpd/APKBUILD
+++ b/main/lighttpd/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=lighttpd
-pkgver=1.4.57
+pkgver=1.4.64
pkgrel=0
pkgdesc="Secure, fast, compliant and very flexible web-server"
url="https://www.lighttpd.net"
@@ -12,7 +12,7 @@ pkgusers="lighttpd"
pkggroups="lighttpd"
makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua5.3-dev
automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev
- bsd-compat-headers"
+ bsd-compat-headers pcre2-dev"
subpackages="$pkgname-doc $pkgname-dbg $pkgname-openrc $pkgname-mod_auth
$pkgname-mod_webdav"
source="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-$pkgver.tar.xz
@@ -25,6 +25,10 @@ source="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-$pkgver.t
mod_fastcgi.conf
mod_fastcgi_fpm.conf"
+# secfixes:
+# 1.4.64-r0:
+# - CVE-2022-22707
+
build() {
./configure \
--build=$CBUILD \
@@ -95,7 +99,8 @@ mod_webdav() {
_mv_mod mod_webdav
}
-sha512sums="d6b04b8c75674241e5606305ad34f61941f4bb26f635aa73375c13dbacdccea1415e3aece42ffb32f0c11e0da891459cc4d845a8d4679d357271193657e28567 lighttpd-1.4.57.tar.xz
+sha512sums="
+8e2ad0830ff80fcebf0c33600caafb5ab4e9ff6b5073c12572f88a44fdfe85f777fa8b22b2fc2964fecbeb556997ad660867dcee80efb224d63329c8b18ea936 lighttpd-1.4.64.tar.xz
f2f3c5c7731550237fd75a8de66275f427eaf897cffff7ac7ef44178328ad8fad6c4ec6654759bfc665cbaf7991ddcdf0aaa916831c8b6aa440192d57b242038 lighttpd.initd
9d2ab5deb7353ebf290e90936b511941df440859c78589d0bcf130ef69a5e9c79e4d318548b6b118df002083c46f7476230a28954b7a10a9dbd05040e02b1291 lighttpd.confd
0536b4f21d2e8659f7831b45998c13d9f6051ae7ecde13be01f372f837d255bfc4e211de48a7686cc743d53aa9c08ab3f10ec19788896dcf8356b90053ca7a16 lighttpd.logrotate
@@ -103,4 +108,5 @@ f2f3c5c7731550237fd75a8de66275f427eaf897cffff7ac7ef44178328ad8fad6c4ec6654759bfc
a3f2f5763885d7e4f510491b24164e34aaf62bb02daa12991575dc64335c12668355af5bb8d6ce191eb4e9cce95324b1f7c9ba61b323b4e7b50a1e03e021afcf mime-types.conf
27cc638d8068dcf47bd9db44943d1db6c6f4e8e6abd6b42af7cea004b1c093440068541d98c68f8bea70b956713adaf8ed59a4b642dea826ee8620a05f8cfde5 mod_cgi.conf
1d15b84c03fb648a0e67ab5c5411b85478b4454c44bc2959cc96d1700eeadd7ff429520a5f1550db6527267646622dccd3d47d3fd1258869fccaf5c22d4ad4b2 mod_fastcgi.conf
-f9efc4b70d825600f5356c30e57d0b6cac11c01739337f7192c09c2cfd96cb76c8328b11d818ea4c2addc1a6d253975b84700106ae75854d55d0df73e220bd2b mod_fastcgi_fpm.conf"
+f9efc4b70d825600f5356c30e57d0b6cac11c01739337f7192c09c2cfd96cb76c8328b11d818ea4c2addc1a6d253975b84700106ae75854d55d0df73e220bd2b mod_fastcgi_fpm.conf
+"
diff --git a/main/linux-lts/APKBUILD b/main/linux-lts/APKBUILD
index 43eb216b7f..9191b2d8c1 100644
--- a/main/linux-lts/APKBUILD
+++ b/main/linux-lts/APKBUILD
@@ -2,7 +2,7 @@
_flavor=lts
pkgname=linux-${_flavor}
-pkgver=5.10.78
+pkgver=5.10.109
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -11,7 +11,7 @@ pkgrel=0
pkgdesc="Linux lts kernel"
url="https://www.kernel.org"
depends="mkinitfs"
-_depends_dev="perl gmp-dev elfutils-dev bash flex bison"
+_depends_dev="perl gmp-dev mpc1-dev mpfr-dev elfutils-dev bash flex bison"
makedepends="$_depends_dev sed installkernel bc linux-headers linux-firmware-any openssl-dev
diffutils findutils"
options="!strip"
@@ -235,16 +235,16 @@ d19365fe94431008768c96a2c88955652f70b6df6677457ee55ee95246a64fdd2c6fed9b3bef37c2
ca5aafac37e0b5f3fcbaf801e12f98beb58ffaf1d8c88f76caff22b059831869b4094e7fdcb6d6860422d6b2d036e072caff460e1feb84bd04d10740ad56265b 0007-pci-hotplug-declare-IDT-bridge-as-hotpluggabl-bridge.patch
cbe85cf34e8420c91d2276c2d2aa0ab5023af68e57a1fa613f073f16a76766c67f585eda71c28f232bd0625e0dc8275a9eddc95f49409205dc0dbcc28c9fac1c 0008-pci-spr2803-quirk-to-fix-class-ID.patch
16b2d5b0255b37075ba894fc797673d633395907ce0b93400c5a8bd05b512b5cd040b91000fa41f9240d42afc664a69206597d1e3f754a1aa64b9be21a67f5c6 ampere-mt-jade.patch
-89934520a6acb51b20f403cdf0531c54c9bd96ea51ae71597bd7bbb230d0e4cc4e213e6f4abdbdac70770f9d571e6dab18f15a7d205fccc2b0e01a29539f397f config-lts.aarch64
-7586c2c14e3e5d1733ba6b10f9e505884e69ebd73f5660a83d6e0a229067be10bd74fdd3c39f3e86a6d370713e3c515023a98a590804f46092ff8ae7c069b657 config-lts.armv7
-2e1191008bb2e73af4863152cdcd28f8b5ad7e8c383712de32c389b8b34e8cb5453a1875999e035e17e6adc3620372716e0dad2d89f63d4a7f9d4a4c1563f311 config-lts.x86
-7054e12a504ba4104ae64f15b1751630ca865ab0501f57338d672c7265eee742c691ab6f5cfb8ca2f8b4646017ad40ec4ab4af317ea0af030847662bab654db3 config-lts.x86_64
-9f35e146fd04ac383306eef06214da9991dc452f941b53acc6d8922452fbbb432098a0b1eb65a206a69b84f26e1dc21dc6542f74f7f472714e9a9fc50807f6a6 config-lts.ppc64le
-2ff28ec6132d54a843a8d83d48d6264622ccaf0bf5b8dfba052328c7370b177bb89a74bcc4c1fbde13a5966dbc76e563b7568747d3319a329f399e45aa73ce3b config-lts.s390x
-c3f71766203e547c0bc4390de0389b6593c6cce2a36618a9c683af2cf09e0ec10dec288c0e6bd58eab0c0e1b1d0afceb13c7d8a7a1ef68a5689955a714654567 config-lts.mips64
-a351ed481a3d8346811869fd72ea62541d4e7a5019154022061c9c90765fe33d73ea1c8981acda6d19f57aa796b8450bb0379c2357fd708bc9a97522e428279c config-virt.aarch64
-59d622fc8425995da40bc600fe0013c4e1fabd4d5ffff03de075d798e11d575fc061ce602ec2950f4aacae00b4f61a3195152d3bdf015d7d511609ec451b91d6 config-virt.armv7
-c666e9c8e2b9981cd5bba8196610c4ec364e512935d6f094e41b27189f23568f749562e146b67c8f06f196e235c428f11c5ee78ab5af5e0c42cfdad081b26267 config-virt.ppc64le
-dbfec3bbdd6a2920ffeb677d672dc85f0bc7b76a4a10eca5c092799b22cf887c441ee5db314f65e1634ec9f6a625a99bf289864989172d0cbb8f2a8042d3cb9e config-virt.x86
-4816b2fb44164a6823fc4554b228ac42ae864f535f0976a71c63ae1d12fbfddda90f2519258b44fdbdea56faeee7a63a1c79797ea4b3fc8f50d7971471635cee config-virt.x86_64
-81153a790c3c5bbdedc1610bb1fd798cc81f3574fb199891d2ed14d98c38055c85a3b74d8c5bbf0695e71a2beb54f6a588b697bff06cd672a031ad269c289f81 patch-5.10.78.xz"
+9455503abd98bb54718a03dbf027a869de5c929c06c0158f8cbf642bf653c8a1ac455de60b0c916aeae8ff17d869fd84f6914508ea48ec38e19e8e37e4b0e20b config-lts.aarch64
+14829450de8b7ada73fe095427dea7d14c1f41f3fcfdc62c6c148a3cd014eefdc35588af6cbeb3ed61416837da88547b6fa9270c41ba3438aff0413647f81151 config-lts.armv7
+49145188dc72f1b43eec78d4977740595318af42a7e60e91c4bc4bfac5e407eb7d765b731ffad14102e968369303a3ee2a24492776f6007d0851120abbd0dc37 config-lts.x86
+19d9fae84af94951d0c08872801e2f2667cf49841eb408921ffe196856257e6b15329f199479be4050934c54a833f65a0674b7fcd04600f6886a7158d3c425af config-lts.x86_64
+5a284ae787cdf77fd4e025ffb3d537d6e8a844ca3ee8f495f8038b2a45fa8743dfa7b98c67db562704261cf6f93fb3754125f91ebd5b95eac1b1359ee1f4d885 config-lts.ppc64le
+4f79bb6169b4540fc5af0fed1478b918b9ec08f0540fdb49d759b22029cf01f1da4427742c1e0f2d8834ee431ccde2314bc032a7269bbb04221b05f48817a8e6 config-lts.s390x
+85bb52343905b975ea653f79174041b766eed471f6dd8202aa9f830d28328d4ce29d7252ac1f00f55d51e642f2b1b09d3205d21f1db1cfc21af562ffd392eebe config-lts.mips64
+20e28677505827315e904dd3070f6af24a6030aae2957e42a7f8af742eb8565c1ee0253ad3a8cdbbff930f9e13806287d429a499ab9aa1eca1bbaec44930989d config-virt.aarch64
+e489b4d4b43176ce31e94219005c30585a5accca2d59a65145f6f913602cdb53a2bb2314452c3b11e666392c15261ece0af24b720ebffa4892a1d88d388364f9 config-virt.armv7
+9d00477d1c36521c7f9d33be550b4b3580aeff3f184a01f859938cef8d58fe016123d983f6f79fe58e661b0d1dae080e1ae589d6cfc957c974c5278ab87e93e6 config-virt.ppc64le
+2dcdaa4cb47c370aa3f87b4575934d771e836f8441256473c90bc4c137624934526942d354d5ec1b703c2fd2938cf7c697a304f8617af9d62357a5d9522ef305 config-virt.x86
+8559a049c8401acc345af31757b058123a81967e7e528af8abd313b910db0b3b470e9bc0cac329a969fab44e855b3982dde3e03688cd72471dd5a06399a4db66 config-virt.x86_64
+857028984882fe1945133bbcb5660c795e9f3616fd202a87f26ad6ff2063d2b3a0a5efb17bc905433aa2400163ba9bf7340c9283ea3573b49e9eed2eda332eb2 patch-5.10.109.xz"
diff --git a/main/linux-lts/config-lts.aarch64 b/main/linux-lts/config-lts.aarch64
index dc9f07cad9..e5d829295e 100644
--- a/main/linux-lts/config-lts.aarch64
+++ b/main/linux-lts/config-lts.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.10.61 Kernel Configuration
+# Linux/arm64 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -218,6 +218,7 @@ CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
@@ -796,6 +797,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -5743,7 +5748,6 @@ CONFIG_DRM_AMD_ACP=y
#
CONFIG_DRM_AMD_DC=y
# CONFIG_DRM_AMD_DC_HDCP is not set
-# CONFIG_DRM_AMD_DC_SI is not set
# end of Display Engine Configuration
# CONFIG_HSA_AMD is not set
@@ -6069,6 +6073,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -6627,7 +6632,7 @@ CONFIG_I2C_HID=m
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_SUPPORT=y
-CONFIG_USB_COMMON=y
+CONFIG_USB_COMMON=m
CONFIG_USB_LED_TRIG=y
CONFIG_USB_ULPI_BUS=m
CONFIG_USB_CONN_GPIO=m
@@ -7570,6 +7575,7 @@ CONFIG_ASHMEM=y
# CONFIG_FIREWIRE_SERIAL is not set
# CONFIG_GS_FPGABOOT is not set
# CONFIG_UNISYSSPAR is not set
+# CONFIG_COMMON_CLK_XLNX_CLKWZRD is not set
# CONFIG_FB_TFT is not set
CONFIG_FSL_DPAA2=y
CONFIG_FSL_DPAA2_ETHSW=m
@@ -9057,6 +9063,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.armv7 b/main/linux-lts/config-lts.armv7
index 7f995d6650..dcf82cb942 100644
--- a/main/linux-lts/config-lts.armv7
+++ b/main/linux-lts/config-lts.armv7
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.10.61 Kernel Configuration
+# Linux/arm 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -195,6 +195,7 @@ CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_FUTEX_PI=y
+CONFIG_HAVE_FUTEX_CMPXCHG=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
@@ -208,6 +209,7 @@ CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
CONFIG_USERMODE_DRIVER=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
@@ -585,6 +587,7 @@ CONFIG_ALIGNMENT_TRAP=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_TIME_ACCOUNTING=y
# CONFIG_XEN is not set
+CONFIG_STACKPROTECTOR_PER_TASK=y
# end of Kernel Features
#
@@ -846,6 +849,11 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -5061,6 +5069,7 @@ CONFIG_HDMI=y
#
CONFIG_DUMMY_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -5535,7 +5544,7 @@ CONFIG_I2C_HID=m
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_SUPPORT=y
-CONFIG_USB_COMMON=y
+CONFIG_USB_COMMON=m
CONFIG_USB_LED_TRIG=y
# CONFIG_USB_ULPI_BUS is not set
# CONFIG_USB_CONN_GPIO is not set
@@ -6315,6 +6324,7 @@ CONFIG_ASHMEM=y
# CONFIG_LTE_GDM724X is not set
CONFIG_GS_FPGABOOT=m
# CONFIG_UNISYSSPAR is not set
+# CONFIG_COMMON_CLK_XLNX_CLKWZRD is not set
CONFIG_FB_TFT=m
# CONFIG_FB_TFT_AGM1264K_FL is not set
# CONFIG_FB_TFT_BD663474 is not set
@@ -7617,6 +7627,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.mips64 b/main/linux-lts/config-lts.mips64
index 752c6940f5..e62eddf130 100644
--- a/main/linux-lts/config-lts.mips64
+++ b/main/linux-lts/config-lts.mips64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/mips 5.10.61 Kernel Configuration
+# Linux/mips 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -192,6 +192,7 @@ CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_KCMP=y
@@ -541,6 +542,10 @@ CONFIG_HAVE_SPARSE_SYSCALL_NR=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -3157,6 +3162,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.ppc64le b/main/linux-lts/config-lts.ppc64le
index 27feb876ce..d8955c6b66 100644
--- a/main/linux-lts/config-lts.ppc64le
+++ b/main/linux-lts/config-lts.ppc64le
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 5.10.61 Kernel Configuration
+# Linux/powerpc 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -205,6 +205,7 @@ CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_CALLBACKS=y
@@ -589,6 +590,9 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -1863,6 +1867,7 @@ CONFIG_WIREGUARD=m
# CONFIG_WIREGUARD_DEBUG is not set
# CONFIG_EQUALIZER is not set
# CONFIG_NET_FC is not set
+# CONFIG_IFB is not set
# CONFIG_NET_TEAM is not set
CONFIG_MACVLAN=m
CONFIG_MACVTAP=m
@@ -2834,7 +2839,6 @@ CONFIG_DRM_AMDGPU=m
CONFIG_DRM_AMD_DC=y
CONFIG_DRM_AMD_DC_DCN=y
# CONFIG_DRM_AMD_DC_HDCP is not set
-# CONFIG_DRM_AMD_DC_SI is not set
# end of Display Engine Configuration
# CONFIG_HSA_AMD is not set
@@ -3011,6 +3015,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -4192,6 +4197,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.s390x b/main/linux-lts/config-lts.s390x
index e80306c09d..22c8096af6 100644
--- a/main/linux-lts/config-lts.s390x
+++ b/main/linux-lts/config-lts.s390x
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/s390 5.10.61 Kernel Configuration
+# Linux/s390 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -206,6 +206,7 @@ CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_KCMP=y
@@ -446,6 +447,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -3018,6 +3023,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.x86 b/main/linux-lts/config-lts.x86
index 983cdccde0..c5f1235e2c 100644
--- a/main/linux-lts/config-lts.x86
+++ b/main/linux-lts/config-lts.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.10.61 Kernel Configuration
+# Linux/x86 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -221,6 +221,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
@@ -793,6 +794,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -5774,6 +5779,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -8356,6 +8362,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-lts.x86_64 b/main/linux-lts/config-lts.x86_64
index 0f9a14248e..625dcdac3e 100644
--- a/main/linux-lts/config-lts.x86_64
+++ b/main/linux-lts/config-lts.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.61 Kernel Configuration
+# Linux/x86_64 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -238,6 +238,7 @@ CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
@@ -826,6 +827,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -5875,6 +5880,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -6558,7 +6564,7 @@ CONFIG_INTEL_ISH_HID=m
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_SUPPORT=y
-CONFIG_USB_COMMON=y
+CONFIG_USB_COMMON=m
CONFIG_USB_LED_TRIG=y
# CONFIG_USB_ULPI_BUS is not set
# CONFIG_USB_CONN_GPIO is not set
@@ -8565,6 +8571,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.aarch64 b/main/linux-lts/config-virt.aarch64
index 83ac3ffe32..95eac79fc6 100644
--- a/main/linux-lts/config-virt.aarch64
+++ b/main/linux-lts/config-virt.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.10.61 Kernel Configuration
+# Linux/arm64 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -211,6 +211,7 @@ CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
@@ -766,6 +767,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -3406,6 +3411,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -4512,6 +4518,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.armv7 b/main/linux-lts/config-virt.armv7
index 78b577091a..85a24b9418 100644
--- a/main/linux-lts/config-virt.armv7
+++ b/main/linux-lts/config-virt.armv7
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.10.61 Kernel Configuration
+# Linux/arm 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -192,6 +192,7 @@ CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_FUTEX_PI=y
+CONFIG_HAVE_FUTEX_CMPXCHG=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
@@ -207,6 +208,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
@@ -486,6 +488,7 @@ CONFIG_ALIGNMENT_TRAP=y
CONFIG_PARAVIRT=y
# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
# CONFIG_XEN is not set
+CONFIG_STACKPROTECTOR_PER_TASK=y
# end of Kernel Features
#
@@ -716,6 +719,11 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -3258,6 +3266,7 @@ CONFIG_HDMI=y
#
CONFIG_DUMMY_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -4321,6 +4330,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.ppc64le b/main/linux-lts/config-virt.ppc64le
index c2cad0fbd9..5651397955 100644
--- a/main/linux-lts/config-virt.ppc64le
+++ b/main/linux-lts/config-virt.ppc64le
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 5.10.61 Kernel Configuration
+# Linux/powerpc 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -207,6 +207,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_CALLBACKS=y
@@ -583,6 +584,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -3051,6 +3056,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -4019,6 +4025,9 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.x86 b/main/linux-lts/config-virt.x86
index 26f4636f00..0b8715c2d0 100644
--- a/main/linux-lts/config-virt.x86
+++ b/main/linux-lts/config-virt.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.10.61 Kernel Configuration
+# Linux/x86 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -217,6 +217,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
@@ -736,6 +737,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -3129,6 +3134,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -4086,6 +4092,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/linux-lts/config-virt.x86_64 b/main/linux-lts/config-virt.x86_64
index dc191e3e58..4b2daf1e9c 100644
--- a/main/linux-lts/config-virt.x86_64
+++ b/main/linux-lts/config-virt.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.61 Kernel Configuration
+# Linux/x86_64 5.10.103 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.2.1_pre1) 10.2.1 20201203"
CONFIG_CC_IS_GCC=y
@@ -233,6 +233,7 @@ CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# CONFIG_USERFAULTFD is not set
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
@@ -774,6 +775,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@@ -3202,6 +3207,7 @@ CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
# end of Console display driver support
@@ -4242,6 +4248,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
diff --git a/main/logrotate/APKBUILD b/main/logrotate/APKBUILD
index 1d1373d2fc..4a4ef6fc8f 100644
--- a/main/logrotate/APKBUILD
+++ b/main/logrotate/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=logrotate
pkgver=3.18.0
-pkgrel=0
+pkgrel=1
pkgdesc="Tool to rotate logfiles"
url="https://github.com/logrotate/logrotate"
arch="all"
@@ -48,8 +48,7 @@ package() {
install -Dm644 "$srcdir"/logrotate.confd \
"$pkgdir"/etc/conf.d/logrotate
}
-
sha512sums="3b44168af53779d7f53e686c192a04ff97ddecca32da66a0c4ac6284fb55dbb9ded5a300652621963ccea91aeb6bebc4cec8a22cc94597484456742442f026be logrotate-3.18.0.tar.xz
f4d708594fb2b240cfc2928f38a180d27c2cecb9867e048dc29a32c0147244db4d2f6d92e7bff27e1f2623537587db87b2f8fc9bb988f98eff0c98f79f5a5bf2 logrotate.cron
-9e6a1d024b1cf1ddb8b631fdc1379bfecbfeb1af873930d2a19d32313b26881926df5c21b47b55ada2b6012be981ec2d6d8fa2f249a68b61fd2c97c32f52a957 logrotate.conf
+e91c1648a088410d1f5ad16d05b67e316977be5cc0cbbb21a4e1fda2267415fb7945553aa4b4a4701d658fd6bfe35e3d9a304e0cf2a9c7f1be5a5753c3dbc7cb logrotate.conf
be9f0043b594d26b4f64e07a2188d19c3c43af75ef726305e4d98f744fc16cee9f280227116858e2f5b781c0a7b58e0209d7e9ab1285dfa7ba55a9dfda700229 logrotate.confd"
diff --git a/main/logrotate/logrotate.conf b/main/logrotate/logrotate.conf
index ba75a0c2cb..30cf9c9904 100644
--- a/main/logrotate/logrotate.conf
+++ b/main/logrotate/logrotate.conf
@@ -17,9 +17,6 @@ tabooext + .apk-new
# uncomment this if you want your log files compressed
compress
-# main log file
-/var/log/messages {}
-
# apk packages drop log rotation information into this directory
include /etc/logrotate.d
diff --git a/main/lz4/APKBUILD b/main/lz4/APKBUILD
index b3b89891c0..49eaa4af3e 100644
--- a/main/lz4/APKBUILD
+++ b/main/lz4/APKBUILD
@@ -2,16 +2,20 @@
# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
pkgname=lz4
pkgver=1.9.2
-pkgrel=0
+pkgrel=1
pkgdesc="LZ4 is lossless compression algorithm with fast decoder @ multiple GB/s per core."
url="https://github.com/lz4/lz4"
arch="all"
license="BSD-2-Clause GPL-2.0-only"
checkdepends="diffutils"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs $pkgname-tests:tests"
-source="$pkgname-$pkgver.tar.gz::https://github.com/lz4/lz4/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/lz4/lz4/archive/v$pkgver.tar.gz
+ CVE-2021-3520.patch
+ "
# secfixes:
+# 1.9.2-r1:
+# - CVE-2021-3520
# 1.9.2-r0:
# - CVE-2019-17543
@@ -34,4 +38,5 @@ package() {
make PREFIX="/usr" DESTDIR="$pkgdir" install
}
-sha512sums="ae714c61ec8e33ed91359b63f2896cfa102d66b730dce112b74696ec5850e59d88bd5527173e01e354a70fbe8f036557a47c767ee0766bc5f9c257978116c3c1 lz4-1.9.2.tar.gz"
+sha512sums="ae714c61ec8e33ed91359b63f2896cfa102d66b730dce112b74696ec5850e59d88bd5527173e01e354a70fbe8f036557a47c767ee0766bc5f9c257978116c3c1 lz4-1.9.2.tar.gz
+29038d80c4399ded52b49e69d0f0d80bef8bf424e3540de366ef539706c8c1119784d6137c96130f131239d74a4c110dd9790cae5c9b17c102820446582c5637 CVE-2021-3520.patch"
diff --git a/main/lz4/CVE-2021-3520.patch b/main/lz4/CVE-2021-3520.patch
new file mode 100644
index 0000000000..053958dfe8
--- /dev/null
+++ b/main/lz4/CVE-2021-3520.patch
@@ -0,0 +1,22 @@
+From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
+From: Jasper Lievisse Adriaanse <j@jasper.la>
+Date: Fri, 26 Feb 2021 15:21:20 +0100
+Subject: [PATCH] Fix potential memory corruption with negative memmove() size
+
+---
+ lib/lz4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/lz4.c b/lib/lz4.c
+index 5f524d01d..c2f504ef3 100644
+--- a/lib/lz4.c
++++ b/lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+ const size_t dictSize /* note : = 0 if noDict */
+ )
+ {
+- if (src == NULL) { return -1; }
++ if ((src == NULL) || (outputSize < 0)) { return -1; }
+
+ { const BYTE* ip = (const BYTE*) src;
+ const BYTE* const iend = ip + srcSize;
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index 193e067a25..61840717e6 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -7,7 +7,7 @@
# Contributor: Jake Buchholz <tomalok@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.5.13
+pkgver=10.5.16
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -45,6 +45,41 @@ source="https://archive.mariadb.org/mariadb-$pkgver/source/mariadb-$pkgver.tar.g
"
# secfixes:
+# 10.5.16-r0:
+# - CVE-2022-27376
+# - CVE-2022-27377
+# - CVE-2022-27378
+# - CVE-2022-27379
+# - CVE-2022-27380
+# - CVE-2022-27381
+# - CVE-2022-27382
+# - CVE-2022-27383
+# - CVE-2022-27384
+# - CVE-2022-27386
+# - CVE-2022-27387
+# - CVE-2022-27444
+# - CVE-2022-27445
+# - CVE-2022-27446
+# - CVE-2022-27447
+# - CVE-2022-27448
+# - CVE-2022-27449
+# - CVE-2022-27451
+# - CVE-2022-27452
+# - CVE-2022-27455
+# - CVE-2022-27456
+# - CVE-2022-27457
+# - CVE-2022-27458
+# 10.5.15-r0:
+# - CVE-2021-46659
+# - CVE-2021-46661
+# - CVE-2021-46663
+# - CVE-2021-46664
+# - CVE-2021-46665
+# - CVE-2021-46668
+# - CVE-2022-24048
+# - CVE-2022-24050
+# - CVE-2022-24051
+# - CVE-2022-24052
# 10.5.13-r0:
# - CVE-2021-35604
# 10.5.12-r0:
@@ -461,7 +496,7 @@ _plugin_rocksdb() {
}
sha512sums="
-5d5ac04a3c8099a982cacb98dd4c162966fc7957e11c28e8b5645e49ffcf0513b9c8956f43d215c37e5eaa34aa8db6c71cfe993c89d62cab123021ee83169e7f mariadb-10.5.13.tar.gz
+28cea63cc3c5e1b236fb13593285e5d4b9aac5eaf259784e760def42bca8b09954510d39014a7a7c9e8656d61f5995a356df2f2ebb0df2696dd739ff3de5865d mariadb-10.5.16.tar.gz
c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd
b15d5cbe4e1547ad18cd1ce5a2d5a75d8dd8e017ca725154abdf28d3d1cae8403e0c3e93745441872f72e1ba9f2fef587f596231a231e374bd5a61ba3d8945ea ppc-remove-glibc-dep.patch
598490b4bb45c9f7be46086d25c2b6c601d417c45f11aa519c2290065e7d6e98a7519f9860b823e67a8fd3e6ce3b4728af73ec3a2c66eec32b42fd4ad7cc07f7 disable-failing-test.patch
diff --git a/main/mbedtls/APKBUILD b/main/mbedtls/APKBUILD
index 0a7ddba6b0..b35e34be09 100644
--- a/main/mbedtls/APKBUILD
+++ b/main/mbedtls/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mbedtls
-pkgver=2.16.10
+pkgver=2.16.12
pkgrel=0
pkgdesc="Light-weight cryptographic and SSL/TLS library"
url="https://tls.mbed.org"
@@ -16,6 +16,8 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/ARMmbed/mbedtls/archive/v$pk
# https://tls.mbed.org/security
# secfixes:
+# 2.16.12-r0:
+# - CVE-2021-44732
# 2.16.8-r0:
# - CVE-2020-16150
# 2.16.6-r0:
@@ -80,4 +82,4 @@ static() {
chmod -x "$subpkgdir"/usr/lib/*.a
}
-sha512sums="9a2d7b5e786d7bc377c9fbf36322621b8873037e6f28d1ff16bd81650f87d421aaf1c34f8b8f1829c824710c63b2c262208dc3f242dac7f361c1d9607fe9933c mbedtls-2.16.10.tar.gz"
+sha512sums="8d96d8cd906cc0999134320e4e1f550631426d166eab5da6e65469ee7286093810fcc6ac4bd5500ee55972d159f8bef7f9e53245f7f0eec72f72c35265b4313b mbedtls-2.16.12.tar.gz"
diff --git a/main/ncurses/APKBUILD b/main/ncurses/APKBUILD
index 13ac1ba827..42c2215b4f 100644
--- a/main/ncurses/APKBUILD
+++ b/main/ncurses/APKBUILD
@@ -15,6 +15,8 @@ source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz"
builddir="$srcdir"/ncurses-$_ver
# secfixes:
+# 6.2_p20200530-r0:
+# - CVE-2021-39537
# 6.1_p20180414-r0:
# - CVE-2018-10754
# 6.0_p20171125-r0:
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index 3d8c17d662..4abe5907ca 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -6,6 +6,11 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 14.19.0-r0:
+# - CVE-2022-21824
+# - CVE-2021-44533
+# - CVE-2021-44532
+# - CVE-2021-44531
# 14.18.1-r0:
# - CVE-2021-22959
# - CVE-2021-22960
@@ -86,7 +91,7 @@
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=14.18.1
+pkgver=14.19.0
pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
@@ -152,7 +157,8 @@ build() {
--shared-nghttp2 \
--openssl-use-def-ca-store \
--with-icu-default-data-dir=$(icu-config --icudatadir) \
- --with-intl=small-icu
+ --with-intl=small-icu \
+ --without-corepack
make BUILDTYPE=Release
}
@@ -202,7 +208,7 @@ npm() {
}
sha512sums="
-f9455ff65a57772e242343e2c1113e769c2ab8123e8a4fd6bd65525f4401d5f35e0bc73981db4f76af4f8da4e14a389fd41d2eca97cde6f0dfed5ed7a6ec532c node-v14.18.1.tar.gz
+2973947c60fea08fa6e5a4adfd0b8e419fdeb69261e2e1df4d80cc75ee482115494040733a278f873d6402343f8424e80ea5151d85b99f2fc49c85d1dcb9135e node-v14.19.0.tar.gz
dbe8167b61518f8f59176759d69834d57bf3e6a5a5fd3dfc2359cafe0325da08b27f8220d278ed77f50c9f63a03313eabbbb0eaca3e592e5bb4e0d5be0ced373 disable-running-gyp-on-shared-deps.patch
44e81fbf254bd79e38b813f7f5a1336df854588939cba50aaec600660495f9b7745a7049a99eb59d15a51100b3a44f66892a902d7fc32e1399b51883ad4c02cf link-with-libatomic-on-mips32.patch
30ca1ce7f9512c943950b8eec98bca99d24c740ebaa14619292fe5ed931dcf603ca90afb1d704ca7f545e421752ba4dde81c0c5bbb5242eb1726739ca627e15f fix-build-with-system-c-ares.patch
diff --git a/main/openrc/CVE-2018-21269.patch b/main/openrc/0015-CVE-2018-21269.patch
index 9975d7bf81..9975d7bf81 100644
--- a/main/openrc/CVE-2018-21269.patch
+++ b/main/openrc/0015-CVE-2018-21269.patch
diff --git a/main/openrc/0016-fix-typo-synbolic-symbolic.patch b/main/openrc/0016-fix-typo-synbolic-symbolic.patch
new file mode 100644
index 0000000000..46f90974b8
--- /dev/null
+++ b/main/openrc/0016-fix-typo-synbolic-symbolic.patch
@@ -0,0 +1,22 @@
+From ac7ca6d901d72b1bc4ed13be5438e825c07fc0da Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Wed, 25 Nov 2020 07:11:55 -0500
+Subject: [PATCH] src/rc/checkpath.c: fix typo "synbolic" -> "symbolic".
+
+---
+ src/rc/checkpath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
+index ff54a8922..6422446a1 100644
+--- a/src/rc/checkpath.c
++++ b/src/rc/checkpath.c
+@@ -117,7 +117,7 @@ static int get_dirfd(char *path, bool symlinks) {
+ strerror(errno));
+ if (S_ISLNK(st.st_mode) ) {
+ if (st.st_uid != 0)
+- eerrorx("%s: %s: synbolic link %s not owned by root",
++ eerrorx("%s: %s: symbolic link %s not owned by root",
+ applet, path, str);
+ linksize = st.st_size+1;
+ if (linkpath)
diff --git a/main/openrc/0017-checkpath-replace-mkdir-with-mkdirat.patch b/main/openrc/0017-checkpath-replace-mkdir-with-mkdirat.patch
new file mode 100644
index 0000000000..8f3d55db5d
--- /dev/null
+++ b/main/openrc/0017-checkpath-replace-mkdir-with-mkdirat.patch
@@ -0,0 +1,33 @@
+From 00ea2166081856774f24f7243126f701c7fe6db9 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Wed, 25 Nov 2020 07:15:50 -0500
+Subject: [PATCH] src/rc/checkpath.c: replace mkdir() with mkdirat().
+
+The do_check() function recently gained some defenses against symlink
+replacement attacks that involve the use of *at functions in place of
+their vanilla counterparts; openat() instead of open(), for example.
+One opportunity to replace mkdir() with mkdirat() was missed, however,
+and this commit replaces it.
+
+This fixes #386.
+---
+ src/rc/checkpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
+index 6422446a1..1e570de92 100644
+--- a/src/rc/checkpath.c
++++ b/src/rc/checkpath.c
+@@ -197,10 +197,10 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ mode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
+ u = umask(0);
+ /* We do not recursively create parents */
+- r = mkdir(path, mode);
++ r = mkdirat(dirfd, name, mode);
+ umask(u);
+ if (r == -1 && errno != EEXIST) {
+- eerror("%s: mkdir: %s", applet,
++ eerror("%s: mkdirat: %s", applet,
+ strerror (errno));
+ return -1;
+ }
diff --git a/main/openrc/0018-checkpath-remove-extra-slashes.patch b/main/openrc/0018-checkpath-remove-extra-slashes.patch
new file mode 100644
index 0000000000..6643f56475
--- /dev/null
+++ b/main/openrc/0018-checkpath-remove-extra-slashes.patch
@@ -0,0 +1,106 @@
+From 63db2d99e730547339d1bdd28e8437999c380cae Mon Sep 17 00:00:00 2001
+From: William Hubbs <w.d.hubbs@gmail.com>
+Date: Tue, 13 Apr 2021 17:13:20 -0500
+Subject: [PATCH] checkpath: remove extra slashes from paths
+
+This fixes #418.
+---
+ src/rc/checkpath.c | 49 ++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 39 insertions(+), 10 deletions(-)
+
+diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
+index f8eb0e81..b2d1dd23 100644
+--- a/src/rc/checkpath.c
++++ b/src/rc/checkpath.c
+@@ -93,13 +93,13 @@ static int get_dirfd(char *path, bool symlinks)
+ if (dirfd == -1)
+ eerrorx("%s: unable to open the root directory: %s",
+ applet, strerror(errno));
+- path_dupe = xstrdup(path);
+- ch = path_dupe;
++ ch = path;
+ while (*ch) {
+ if (*ch == '/')
+ components++;
+ ch++;
+ }
++ path_dupe = xstrdup(path);
+ item = strtok(path_dupe, "/");
+ #ifdef O_PATH
+ flags |= O_PATH;
+@@ -136,18 +136,44 @@ static int get_dirfd(char *path, bool symlinks)
+ dirfd = new_dirfd;
+ free(linkpath);
+ linkpath = NULL;
+- item = strtok(NULL, "/");
+- components--;
+ }
++ item = strtok(NULL, "/");
++ components--;
+ }
+ free(path_dupe);
+- if (linkpath) {
+- free(linkpath);
+- linkpath = NULL;
+- }
++ free(linkpath);
+ return dirfd;
+ }
+
++static char *clean_path(char *path)
++{
++ char *ch;
++ char *ch2;
++ char *str;
++ str = xmalloc(strlen(path));
++ ch = path;
++ ch2 = str;
++ while (true) {
++ *ch2 = *ch;
++ ch++;
++ ch2++;
++ if (!*(ch-1))
++ break;
++ while (*(ch - 1) == '/' && *ch == '/')
++ ch++;
++ }
++ /* get rid of trailing / characters */
++ while ((ch = strrchr(str, '/'))) {
++ if (ch == str)
++ break;
++ if (!*(ch+1))
++ *ch = 0;
++ else
++ break;
++ }
++ return str;
++}
++
+ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ inode_t type, bool trunc, bool chowner, bool symlinks, bool selinux_on)
+ {
+@@ -345,6 +371,7 @@ int main(int argc, char **argv)
+ bool symlinks = false;
+ bool writable = false;
+ bool selinux_on = false;
++ char *path = NULL;
+
+ applet = basename_c(argv[0]);
+ while ((opt = getopt_long(argc, argv, getoptstring,
+@@ -407,12 +434,14 @@ int main(int argc, char **argv)
+ selinux_on = true;
+
+ while (optind < argc) {
++ path = clean_path(argv[optind]);
+ if (writable)
+- exit(!is_writable(argv[optind]));
+- if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner,
++ exit(!is_writable(path));
++ if (do_check(path, uid, gid, mode, type, trunc, chowner,
+ symlinks, selinux_on))
+ retval = EXIT_FAILURE;
+ optind++;
++ free(path);
+ }
+
+ if (selinux_on)
diff --git a/main/openrc/0019-checkpath-fix-code-to-walk-the-directory-path.patch b/main/openrc/0019-checkpath-fix-code-to-walk-the-directory-path.patch
new file mode 100644
index 0000000000..4cfd18bee9
--- /dev/null
+++ b/main/openrc/0019-checkpath-fix-code-to-walk-the-directory-path.patch
@@ -0,0 +1,32 @@
+From 55ceac775c388191090fe37aef489d721ee9299d Mon Sep 17 00:00:00 2001
+From: William Hubbs <w.d.hubbs@gmail.com>
+Date: Thu, 15 Apr 2021 17:39:51 -0500
+Subject: [PATCH] checkpath: fix code to walk the directory path
+
+X-Gentoo-Bug: 782808
+X-Gentoo-Bug-URL: https://bugs.gentoo.org/782808
+---
+ src/rc/checkpath.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
+index 48275ca9..6856d034 100644
+--- a/src/rc/checkpath.c
++++ b/src/rc/checkpath.c
+@@ -131,13 +131,14 @@ static int get_dirfd(char *path, bool symlinks) {
+ */
+ close(new_dirfd);
+ } else {
++ /* now walk down the directory path */
+ close(dirfd);
+ dirfd = new_dirfd;
+ free(linkpath);
+ linkpath = NULL;
++ item = strtok(NULL, "/");
++ components--;
+ }
+- item = strtok(NULL, "/");
+- components--;
+ }
+ free(path_dupe);
+ free(linkpath);
diff --git a/main/openrc/APKBUILD b/main/openrc/APKBUILD
index f0e855736e..20feab4047 100644
--- a/main/openrc/APKBUILD
+++ b/main/openrc/APKBUILD
@@ -2,13 +2,13 @@
pkgname=openrc
pkgver=0.42.1
_ver=${pkgver/_git*/}
-pkgrel=20
+pkgrel=22
pkgdesc="OpenRC manages the services, startup and shutdown of a host"
url="https://github.com/OpenRC/openrc"
arch="all"
license="BSD-2-Clause"
depends="ifupdown-any"
-makedepends="bsd-compat-headers"
+makedepends="bsd-compat-headers linux-headers"
checkdepends="sed"
subpackages="$pkgname-doc $pkgname-dev $pkgname-dbg
$pkgname-zsh-completion:zshcomp:noarch
@@ -29,8 +29,13 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve
0012-gcc-10.patch
0013-fix-osclock.patch
0014-time_t-64bit.patch
+ 0015-CVE-2018-21269.patch
+ 0016-fix-typo-synbolic-symbolic.patch
+ 0017-checkpath-replace-mkdir-with-mkdirat.patch
+ 0018-checkpath-remove-extra-slashes.patch
+ 0019-checkpath-fix-code-to-walk-the-directory-path.patch
- CVE-2018-21269.patch
+ seedrng.patch
openrc.logrotate
hostname.initd
@@ -150,7 +155,12 @@ ff9bf2f6e4f55633a9641385398f70a2e591e2b3b56b1903f168a97b07bd56dc5a65d151deeab942
24c665098475c8a1dca75677b48864dc554930f8039900785d8f73c4ebab857255607297fdcbce6249f18f2b97bd7804a35a782721d4658a1c7a7b7b985418ff 0012-gcc-10.patch
4dca5fb25dc9cf356716042650e3b50969b4749f4e839505f87054d45ca074931ac9ef9aca6b6be4f36cc82c46e838a9e9122ee27154de703d8d9eb7b6f6273b 0013-fix-osclock.patch
af0d5a3e6bdd09abd65174a0292450ebb79116a6be50ad4dc368e7ade497020bf4f7d55487335eb32067616603c7d9c3f8596228064c93bfd47596fb12ef7215 0014-time_t-64bit.patch
-715016b4f481a6d4d2ab37d23659e6cacc023b02fa6908b566391ee2744369076ea74e54f0fe576e2cc1d3371d4d9e3818395ca3f417233358fc70a9edc4dba6 CVE-2018-21269.patch
+715016b4f481a6d4d2ab37d23659e6cacc023b02fa6908b566391ee2744369076ea74e54f0fe576e2cc1d3371d4d9e3818395ca3f417233358fc70a9edc4dba6 0015-CVE-2018-21269.patch
+95a5e825836be935009d233d8e4e00707bf2fda0ff3f01f97a10a4a3a0a42eded0a235a008345bf4b89a60bc363bad05ff0a98c00dd179a4b56c573523f17630 0016-fix-typo-synbolic-symbolic.patch
+cdad2ee011efa0ec38c27243cfec6f4353b6a1d9de3bff29e79e1c341e45bd4ef29aa1f641363a50246a3a876b8668b66971f59c857e979a2beb41fb5a25a327 0017-checkpath-replace-mkdir-with-mkdirat.patch
+3c502dda023387c852e1fe92e873ca88ff9e6311a870f3f5317e9529b9513e0c42b8b7241ba6546129530e42a64f7c61b074fc1cb262c3228aabaf83db1cc1d8 0018-checkpath-remove-extra-slashes.patch
+90e50369c04a4b2c4e5924f9ae084d69f6d3d09a3bd7c902a7e3797d5d52c725e1a4033e5c554f104807f3a7ecbb3ab2ecb89636680d69024fd0ec123866a35b 0019-checkpath-fix-code-to-walk-the-directory-path.patch
+e204fef5e5d1e8da140c43f42f0eb97283cb56c02193d137f56217cfd7b9ae0dfad5954fb8d1ce0fcb63c20537551ba706e7fd09f3f012fc2a6a0c1106d2540b seedrng.patch
12bb6354e808fbf47bbab963de55ee7901738b4a912659982c57ef2777fff9a670e867fcb8ec316a76b151032c92dc89a950d7d1d835ef53f753a8f3b41d2cec openrc.logrotate
493f27d588e64bb2bb542b32493ed05873f4724e8ad1751002982d7b4e07963cfb72f93603b2d678f305177cf9556d408a87b793744c6b7cd46cf9be4b744c02 hostname.initd
c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd
diff --git a/main/openrc/seedrng.patch b/main/openrc/seedrng.patch
new file mode 100644
index 0000000000..4f06f1e801
--- /dev/null
+++ b/main/openrc/seedrng.patch
@@ -0,0 +1,619 @@
+From 076c2552aeff88a27fe275dfaae61dedf4bb4bd5 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 24 Mar 2022 22:07:16 -0600
+Subject: [PATCH] Use seedrng for seeding the random number generator
+
+The RNG can't actually be seeded from a shell script, due to the
+reliance on ioctls. For this reason, the seedrng project provides a
+basic script meant to be copy and pasted into projects like OpenRC and
+tweaked as needed: https://git.zx2c4.com/seedrng/about/
+
+This commit imports it into OpenRC and wires up /etc/init.d/urandom to
+call it. It shouldn't be called by other things on the system, so it
+lives in rc_sbindir.
+
+Closes #506.
+Closes #507.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+---
+ AUTHORS | 1 +
+ conf.d/urandom | 9 +-
+ init.d/urandom.in | 41 ++--
+ src/rc/Makefile | 6 +-
+ src/rc/meson.build | 10 +-
+ src/rc/seedrng.c | 453 +++++++++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 499 insertions(+), 21 deletions(-)
+ create mode 100644 src/rc/seedrng.c
+
+diff --git a/AUTHORS b/AUTHORS
+index 0616d5175..ede0f471b 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -43,6 +43,7 @@ Ian Stakenvicius <axs@gentoo.org>
+ Jakob Drexel <jake42@rommel.stw.uni-erlangen.de>
+ James Le Cuirot <chewi@aura-online.co.uk>
+ Jan Psota <jasiu@belsznica.pl>
++Jason A. Donenfeld <Jason@zx2c4.com>
+ Jason Zaman <jason@perfinion.com>
+ Joe Harvell <jharvell@dogpad.net>
+ Joe M <joe9mail@gmail.com>
+diff --git a/conf.d/urandom b/conf.d/urandom
+index f721a2491..744e4f702 100644
+--- a/conf.d/urandom
++++ b/conf.d/urandom
+@@ -2,4 +2,11 @@
+ # (say for crypt swap), so you will need to customize this
+ # behavior. If you have /var on a separate partition, then
+ # make sure this path lives on your root device somewhere.
+-urandom_seed="/var/lib/misc/random-seed"
++seed_dir="/var/lib/seedrng"
++lock_file="/var/run/seedrng.lock"
++
++# Set this to true if you do not want seed files to actually
++# credit the RNG. Set this if you plan to replicate this
++# file system image and do not have the wherewithal to first
++# delete the contents of /var/lib/seedrng.
++skip_credit="false"
+diff --git a/init.d/urandom.in b/init.d/urandom.in
+index 0d6ab66e0..cda431fdb 100644
+--- a/init.d/urandom.in
++++ b/init.d/urandom.in
+@@ -1,5 +1,5 @@
+ #!@SBINDIR@/openrc-run
+-# Copyright (c) 2007-2015 The OpenRC Authors.
++# Copyright (c) 2007-2022 The OpenRC Authors.
+ # See the Authors file at the top-level directory of this distribution and
+ # https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
+ #
+@@ -9,7 +9,10 @@
+ # This file may not be copied, modified, propagated, or distributed
+ # except according to the terms contained in the LICENSE file.
+
+-: ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}}
++export SEEDRNG_SEED_DIR="${seed_dir:-/var/lib/seedrng}"
++export SEEDRNG_LOCK_FILE="${lock_file:-/var/run/seedrng.lock}"
++export SEEDRNG_SKIP_CREDIT="${skip_credit:-false}"
++: ${urandom_seed:=${SEEDRNG_SEED_DIR}/../misc/random-seed}
+ description="Initializes the random number generator."
+
+ depend()
+@@ -21,33 +24,35 @@ depend()
+
+ save_seed()
+ {
+- local psz=1
+-
+- if [ -e /proc/sys/kernel/random/poolsize ]; then
+- : $(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 ))
+- fi
+-
+ ( # sub shell to prevent umask pollution
+ umask 077
+- dd if=/dev/urandom of="$urandom_seed" count=${psz} 2>/dev/null
++ dd if=/dev/urandom of="$urandom_seed" count=1 2>/dev/null
+ )
+ }
+
+ start()
+ {
+- [ -c /dev/urandom ] || return
+- if [ -f "$urandom_seed" ]; then
+- ebegin "Initializing random number generator"
+- cat "$urandom_seed" > /dev/urandom
+- eend $? "Error initializing random number generator"
++ if [ "$RC_UNAME" = Linux ]; then
++ seedrng
++ else
++ [ -c /dev/urandom ] || return
++ if [ -f "$urandom_seed" ]; then
++ ebegin "Initializing random number generator"
++ cat "$urandom_seed" > /dev/urandom
++ eend $? "Error initializing random number generator"
++ fi
++ rm -f "$urandom_seed" && save_seed
+ fi
+- rm -f "$urandom_seed" && save_seed
+ return 0
+ }
+
+ stop()
+ {
+- ebegin "Saving random seed"
+- save_seed
+- eend $? "Failed to save random seed"
++ if [ "$RC_UNAME" = Linux ]; then
++ seedrng
++ else
++ ebegin "Saving random seed"
++ save_seed
++ eend $? "Failed to save random seed"
++ fi
+ }
+diff --git a/src/rc/Makefile b/src/rc/Makefile
+index fd796d920..62539f134 100644
+--- a/src/rc/Makefile
++++ b/src/rc/Makefile
+@@ -15,7 +15,7 @@ endif
+
+ ifeq (${OS},Linux)
+ SRCS+= kill_all.c openrc-init.c openrc-shutdown.c rc-sysvinit.c broadcast.c \
+- rc-wtmp.c
++ rc-wtmp.c seedrng.c
+ endif
+
+ CLEANFILES= version.h rc-selinux.o
+@@ -47,6 +47,7 @@ RC_SBINPROGS= mark_service_starting mark_service_started \
+
+ ifeq (${OS},Linux)
+ RC_BINPROGS+= kill_all
++RC_SBINPROGS+= seedrng
+ SBINPROGS+= openrc-init openrc-shutdown
+ endif
+
+@@ -180,3 +181,6 @@ shell_var: shell_var.o
+
+ swclock: swclock.o _usage.o rc-misc.o
+ ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD}
++
++seedrng: seedrng.o
++ ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD}
+diff --git a/src/rc/seedrng.c b/src/rc/seedrng.c
+new file mode 100644
+index 000000000..c1f941457
+--- /dev/null
++++ b/src/rc/seedrng.c
+@@ -0,0 +1,453 @@
++/*
++ * seedrng.c
++ * Seed kernel RNG from seed file, based on code from:
++ * https://git.zx2c4.com/seedrng/about/
++ */
++
++/*
++ * Copyright (c) 2022 The OpenRC Authors.
++ * See the Authors file at the top-level directory of this distribution and
++ * https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
++ *
++ * This file is part of OpenRC. It is subject to the license terms in
++ * the LICENSE file found in the top-level directory of this
++ * distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE
++ * This file may not be copied, modified, propagated, or distributed
++ * except according to the terms contained in the LICENSE file.
++ */
++
++#include <linux/random.h>
++#include <sys/random.h>
++#include <sys/ioctl.h>
++#include <sys/file.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <fcntl.h>
++#include <poll.h>
++#include <unistd.h>
++#include <time.h>
++#include <errno.h>
++#include <endian.h>
++#include <stdbool.h>
++#include <stdint.h>
++#include <string.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++#include "rc.h"
++#include "einfo.h"
++#include "helpers.h"
++
++#ifndef GRND_INSECURE
++#define GRND_INSECURE 0x0004 /* Apparently some headers don't ship with this yet. */
++#endif
++
++static const char *SEED_DIR;
++static const char *LOCK_FILE;
++static char *CREDITABLE_SEED;
++static char *NON_CREDITABLE_SEED;
++
++enum blake2s_lengths {
++ BLAKE2S_BLOCK_LEN = 64,
++ BLAKE2S_HASH_LEN = 32,
++ BLAKE2S_KEY_LEN = 32
++};
++
++enum seedrng_lengths {
++ MAX_SEED_LEN = 512,
++ MIN_SEED_LEN = BLAKE2S_HASH_LEN
++};
++
++struct blake2s_state {
++ uint32_t h[8];
++ uint32_t t[2];
++ uint32_t f[2];
++ uint8_t buf[BLAKE2S_BLOCK_LEN];
++ unsigned int buflen;
++ unsigned int outlen;
++};
++
++#define le32_to_cpup(a) le32toh(*(a))
++#define cpu_to_le32(a) htole32(a)
++#ifndef ARRAY_SIZE
++#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
++#endif
++#ifndef DIV_ROUND_UP
++#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
++#endif
++
++static inline void cpu_to_le32_array(uint32_t *buf, unsigned int words)
++{
++ while (words--) {
++ *buf = cpu_to_le32(*buf);
++ ++buf;
++ }
++}
++
++static inline void le32_to_cpu_array(uint32_t *buf, unsigned int words)
++{
++ while (words--) {
++ *buf = le32_to_cpup(buf);
++ ++buf;
++ }
++}
++
++static inline uint32_t ror32(uint32_t word, unsigned int shift)
++{
++ return (word >> (shift & 31)) | (word << ((-shift) & 31));
++}
++
++static const uint32_t blake2s_iv[8] = {
++ 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
++ 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
++};
++
++static const uint8_t blake2s_sigma[10][16] = {
++ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
++ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
++ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
++ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
++ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
++ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
++ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
++ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
++ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
++ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
++};
++
++static void blake2s_set_lastblock(struct blake2s_state *state)
++{
++ state->f[0] = -1;
++}
++
++static void blake2s_increment_counter(struct blake2s_state *state, const uint32_t inc)
++{
++ state->t[0] += inc;
++ state->t[1] += (state->t[0] < inc);
++}
++
++static void blake2s_init_param(struct blake2s_state *state, const uint32_t param)
++{
++ int i;
++
++ memset(state, 0, sizeof(*state));
++ for (i = 0; i < 8; ++i)
++ state->h[i] = blake2s_iv[i];
++ state->h[0] ^= param;
++}
++
++static void blake2s_init(struct blake2s_state *state, const size_t outlen)
++{
++ blake2s_init_param(state, 0x01010000 | outlen);
++ state->outlen = outlen;
++}
++
++static void blake2s_compress(struct blake2s_state *state, const uint8_t *block, size_t nblocks, const uint32_t inc)
++{
++ uint32_t m[16];
++ uint32_t v[16];
++ int i;
++
++ while (nblocks > 0) {
++ blake2s_increment_counter(state, inc);
++ memcpy(m, block, BLAKE2S_BLOCK_LEN);
++ le32_to_cpu_array(m, ARRAY_SIZE(m));
++ memcpy(v, state->h, 32);
++ v[ 8] = blake2s_iv[0];
++ v[ 9] = blake2s_iv[1];
++ v[10] = blake2s_iv[2];
++ v[11] = blake2s_iv[3];
++ v[12] = blake2s_iv[4] ^ state->t[0];
++ v[13] = blake2s_iv[5] ^ state->t[1];
++ v[14] = blake2s_iv[6] ^ state->f[0];
++ v[15] = blake2s_iv[7] ^ state->f[1];
++
++#define G(r, i, a, b, c, d) do { \
++ a += b + m[blake2s_sigma[r][2 * i + 0]]; \
++ d = ror32(d ^ a, 16); \
++ c += d; \
++ b = ror32(b ^ c, 12); \
++ a += b + m[blake2s_sigma[r][2 * i + 1]]; \
++ d = ror32(d ^ a, 8); \
++ c += d; \
++ b = ror32(b ^ c, 7); \
++} while (0)
++
++#define ROUND(r) do { \
++ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
++ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
++ G(r, 2, v[2], v[ 6], v[10], v[14]); \
++ G(r, 3, v[3], v[ 7], v[11], v[15]); \
++ G(r, 4, v[0], v[ 5], v[10], v[15]); \
++ G(r, 5, v[1], v[ 6], v[11], v[12]); \
++ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
++ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
++} while (0)
++ ROUND(0);
++ ROUND(1);
++ ROUND(2);
++ ROUND(3);
++ ROUND(4);
++ ROUND(5);
++ ROUND(6);
++ ROUND(7);
++ ROUND(8);
++ ROUND(9);
++
++#undef G
++#undef ROUND
++
++ for (i = 0; i < 8; ++i)
++ state->h[i] ^= v[i] ^ v[i + 8];
++
++ block += BLAKE2S_BLOCK_LEN;
++ --nblocks;
++ }
++}
++
++static void blake2s_update(struct blake2s_state *state, const void *inp, size_t inlen)
++{
++ const size_t fill = BLAKE2S_BLOCK_LEN - state->buflen;
++ const uint8_t *in = inp;
++
++ if (!inlen)
++ return;
++ if (inlen > fill) {
++ memcpy(state->buf + state->buflen, in, fill);
++ blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_LEN);
++ state->buflen = 0;
++ in += fill;
++ inlen -= fill;
++ }
++ if (inlen > BLAKE2S_BLOCK_LEN) {
++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_LEN);
++ blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_LEN);
++ in += BLAKE2S_BLOCK_LEN * (nblocks - 1);
++ inlen -= BLAKE2S_BLOCK_LEN * (nblocks - 1);
++ }
++ memcpy(state->buf + state->buflen, in, inlen);
++ state->buflen += inlen;
++}
++
++static void blake2s_final(struct blake2s_state *state, uint8_t *out)
++{
++ blake2s_set_lastblock(state);
++ memset(state->buf + state->buflen, 0, BLAKE2S_BLOCK_LEN - state->buflen);
++ blake2s_compress(state, state->buf, 1, state->buflen);
++ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
++ memcpy(out, state->h, state->outlen);
++}
++
++static size_t determine_optimal_seed_len(void)
++{
++ size_t ret = 0;
++ char poolsize_str[11] = { 0 };
++ int fd = open("/proc/sys/kernel/random/poolsize", O_RDONLY);
++
++ if (fd < 0 || read(fd, poolsize_str, sizeof(poolsize_str) - 1) < 0) {
++ ewarn("Unable to determine pool size, falling back to %u bits: %s", MIN_SEED_LEN * 8, strerror(errno));
++ ret = MIN_SEED_LEN;
++ } else
++ ret = DIV_ROUND_UP(strtoul(poolsize_str, NULL, 10), 8);
++ if (fd >= 0)
++ close(fd);
++ if (ret < MIN_SEED_LEN)
++ ret = MIN_SEED_LEN;
++ else if (ret > MAX_SEED_LEN)
++ ret = MAX_SEED_LEN;
++ return ret;
++}
++
++static int read_new_seed(uint8_t *seed, size_t len, bool *is_creditable)
++{
++ ssize_t ret;
++ int urandom_fd;
++
++ *is_creditable = false;
++ ret = getrandom(seed, len, GRND_NONBLOCK);
++ if (ret == (ssize_t)len) {
++ *is_creditable = true;
++ return 0;
++ }
++ if (ret == -1 && errno == ENOSYS) {
++ struct pollfd random_fd = {
++ .fd = open("/dev/random", O_RDONLY),
++ .events = POLLIN
++ };
++ if (random_fd.fd < 0)
++ return -errno;
++ *is_creditable = poll(&random_fd, 1, 0) == 1;
++ close(random_fd.fd);
++ } else if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len)
++ return 0;
++ urandom_fd = open("/dev/urandom", O_RDONLY);
++ if (urandom_fd < 0)
++ return -errno;
++ ret = read(urandom_fd, seed, len);
++ if (ret == (ssize_t)len)
++ ret = 0;
++ else
++ ret = -errno ? -errno : -EIO;
++ close(urandom_fd);
++ return ret;
++}
++
++static int seed_rng(uint8_t *seed, size_t len, bool credit)
++{
++ struct {
++ int entropy_count;
++ int buf_size;
++ uint8_t buffer[MAX_SEED_LEN];
++ } req = {
++ .entropy_count = credit ? len * 8 : 0,
++ .buf_size = len
++ };
++ int random_fd, ret;
++
++ if (len > sizeof(req.buffer))
++ return -EFBIG;
++ memcpy(req.buffer, seed, len);
++
++ random_fd = open("/dev/random", O_RDWR);
++ if (random_fd < 0)
++ return -errno;
++ ret = ioctl(random_fd, RNDADDENTROPY, &req);
++ if (ret)
++ ret = -errno ? -errno : -EIO;
++ close(random_fd);
++ return ret;
++}
++
++static int seed_from_file_if_exists(const char *filename, bool credit, struct blake2s_state *hash)
++{
++ uint8_t seed[MAX_SEED_LEN];
++ ssize_t seed_len;
++ int fd, dfd, ret = 0;
++
++ fd = open(filename, O_RDONLY);
++ if (fd < 0 && errno == ENOENT)
++ return 0;
++ else if (fd < 0) {
++ ret = -errno;
++ eerror("Unable to open seed file: %s", strerror(errno));
++ return ret;
++ }
++ dfd = open(SEED_DIR, O_DIRECTORY | O_RDONLY);
++ if (dfd < 0) {
++ ret = -errno;
++ close(fd);
++ eerror("Unable to open seed directory: %s", strerror(errno));
++ return ret;
++ }
++ seed_len = read(fd, seed, sizeof(seed));
++ if (seed_len < 0) {
++ ret = -errno;
++ eerror("Unable to read seed file: %s", strerror(errno));
++ }
++ close(fd);
++ if (ret) {
++ close(dfd);
++ return ret;
++ }
++ if ((unlink(filename) < 0 || fsync(dfd) < 0) && seed_len) {
++ ret = -errno;
++ eerror("Unable to remove seed after reading, so not seeding: %s", strerror(errno));
++ }
++ close(dfd);
++ if (ret)
++ return ret;
++ if (!seed_len)
++ return 0;
++
++ blake2s_update(hash, &seed_len, sizeof(seed_len));
++ blake2s_update(hash, seed, seed_len);
++
++ einfo("Seeding %zd bits %s crediting", seed_len * 8, credit ? "and" : "without");
++ ret = seed_rng(seed, seed_len, credit);
++ if (ret < 0)
++ eerror("Unable to seed: %s", strerror(-ret));
++ return ret;
++}
++
++static void populate_global_paths(void)
++{
++ SEED_DIR = getenv("SEEDRNG_SEED_DIR");
++ if (!SEED_DIR || !*SEED_DIR)
++ SEED_DIR = "/var/lib/seedrng";
++ LOCK_FILE = getenv("SEEDRNG_LOCK_FILE");
++ if (!LOCK_FILE || !*LOCK_FILE)
++ LOCK_FILE = "/var/run/seedrng.lock";
++ xasprintf(&CREDITABLE_SEED, "%s/seed.credit", SEED_DIR);
++ xasprintf(&NON_CREDITABLE_SEED, "%s/seed.no-credit", SEED_DIR);
++}
++
++int main(int argc _unused, char *argv[] _unused)
++{
++ static const char seedrng_prefix[] = "SeedRNG v1 Old+New Prefix";
++ static const char seedrng_failure[] = "SeedRNG v1 No New Seed Failure";
++ int ret, fd, lock, program_ret = 0;
++ uint8_t new_seed[MAX_SEED_LEN];
++ size_t new_seed_len;
++ bool new_seed_creditable;
++ struct timespec realtime = { 0 }, boottime = { 0 };
++ struct blake2s_state hash;
++
++ umask(0077);
++ if (getuid())
++ eerrorx("This rc helper program requires root");
++
++ populate_global_paths();
++ blake2s_init(&hash, BLAKE2S_HASH_LEN);
++ blake2s_update(&hash, seedrng_prefix, strlen(seedrng_prefix));
++ clock_gettime(CLOCK_REALTIME, &realtime);
++ clock_gettime(CLOCK_BOOTTIME, &boottime);
++ blake2s_update(&hash, &realtime, sizeof(realtime));
++ blake2s_update(&hash, &boottime, sizeof(boottime));
++
++ if (mkdir(SEED_DIR, 0700) < 0 && errno != EEXIST)
++ eerrorx("Unable to create \"%s\" directory: %s", SEED_DIR, strerror(errno));
++
++ lock = open(LOCK_FILE, O_WRONLY | O_CREAT, 0000);
++ if (lock < 0 || flock(lock, LOCK_EX) < 0)
++ eerrorx("Unable to open lock file: %s", strerror(errno));
++
++ ret = seed_from_file_if_exists(NON_CREDITABLE_SEED, false, &hash);
++ if (ret < 0)
++ program_ret |= 1 << 1;
++ ret = seed_from_file_if_exists(CREDITABLE_SEED, !rc_yesno(getenv("SEEDRNG_SKIP_CREDIT")), &hash);
++ if (ret < 0)
++ program_ret |= 1 << 2;
++
++ new_seed_len = determine_optimal_seed_len();
++ ret = read_new_seed(new_seed, new_seed_len, &new_seed_creditable);
++ if (ret < 0) {
++ eerror("Unable to read new seed: %s", strerror(-ret));
++ new_seed_len = BLAKE2S_HASH_LEN;
++ strncpy((char *)new_seed, seedrng_failure, new_seed_len);
++ program_ret |= 1 << 3;
++ }
++ blake2s_update(&hash, &new_seed_len, sizeof(new_seed_len));
++ blake2s_update(&hash, new_seed, new_seed_len);
++ blake2s_final(&hash, new_seed + new_seed_len - BLAKE2S_HASH_LEN);
++
++ einfo("Saving %zu bits of %s seed for next boot", new_seed_len * 8, new_seed_creditable ? "creditable" : "non-creditable");
++ fd = open(NON_CREDITABLE_SEED, O_WRONLY | O_CREAT | O_TRUNC, 0400);
++ if (fd < 0) {
++ eerror("Unable to open seed file for writing: %s", strerror(errno));
++ program_ret |= 1 << 4;
++ goto out;
++ }
++ if (write(fd, new_seed, new_seed_len) != (ssize_t)new_seed_len || fsync(fd) < 0) {
++ eerror("Unable to write seed file: %s", strerror(errno));
++ program_ret |= 1 << 5;
++ goto out;
++ }
++ if (new_seed_creditable && rename(NON_CREDITABLE_SEED, CREDITABLE_SEED) < 0) {
++ ewarn("Unable to make new seed creditable: %s", strerror(errno));
++ program_ret |= 1 << 6;
++ }
++out:
++ close(fd);
++ close(lock);
++ return program_ret;
++}
diff --git a/main/opensmtpd/APKBUILD b/main/opensmtpd/APKBUILD
index de576a9c57..9703c9fcc8 100644
--- a/main/opensmtpd/APKBUILD
+++ b/main/opensmtpd/APKBUILD
@@ -11,7 +11,7 @@
# - CVE-2020-7247
pkgname=opensmtpd
pkgver=6.7.1p1
-pkgrel=2
+pkgrel=4
pkgdesc="Secure, reliable, lean, and easy-to configure SMTP server"
url="https://www.opensmtpd.org/"
arch="all"
@@ -89,7 +89,7 @@ pam() {
}
sha512sums="403952e77b360f42d8dc8ae7cd7faeced831b9e37bffd7c67d338b7208f7471d50f3594c3475a9282d18cb17435efd305ec8c05f89eaeab5d363ddb1c4d54a2e opensmtpd-6.7.1p1.tar.gz
-ec3e3a877f77d55a8f676169ff30feb1467b5ac5b0a3bfa960c54ab3848610ccf819e037d2d2a3b2231ec35989cf1dd03f105a7b5188fc828ee653260532fe1b smtpd.initd
+cce0c3b014a02d46c77d4de6495cf8e7e48d17c89c27432f121060d6712ae3606a6e5d51a74cf5504e826f7dd72176297dc83c9e6623f8e3fe9a952c8d02add1 smtpd.initd
e68fca4a7e0ceda271ad61c5a6592a859789bea9ccb6417258f7a0b45d92163ed6097c208d3fdfb78bf978a6a01b6f3678e047e3ce972b2c521419d54a992e0a smtpd.confd
51d47b34eb3d728daa45f29d6434cc75db28dfa69b6fb3ecd873121df85b296a2d2c81016d765a07778aa26a496e4b29c09a30b82678cf42596a536734b5deca aliases
37104cc605569f142ceffa902f200e8a7e9e1114ebe5394ed1eac0ed6ce25454e1610270921c45246de8396eee04b7c8ab5a112a231036a6ef14e7e229b264e3 autoconf-decl-checks.patch
diff --git a/main/opensmtpd/smtpd.initd b/main/opensmtpd/smtpd.initd
index ae55a7a73d..e72fa4173d 100644
--- a/main/opensmtpd/smtpd.initd
+++ b/main/opensmtpd/smtpd.initd
@@ -33,9 +33,9 @@ checkconfig() {
ebegin "Checking $name configuration"
# Don't output anything unless something is *not* ok.
- local out; out=$($command -n 2>&1)
- local ret=$?
+ local out rc=0
+ out=$($command -n 2>&1) || rc=$?
+ [ "$rc" -eq 0 ] || printf '%s\n' "$out" >&2
- [ "$ret" -eq 0 ] || printf '%s\n' "$out" >&2
- eend $?
+ eend $rc
}
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 211971e7fc..172790ccef 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.1.1l
+pkgver=1.1.1o
_abiver=${pkgver%.*}
pkgrel=0
pkgdesc="Toolkit for Transport Layer Security (TLS)"
@@ -19,6 +19,8 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
"
# secfixes:
+# 1.1.1n-r0:
+# - CVE-2022-0778
# 1.1.1l-r0:
# - CVE-2021-3711
# - CVE-2021-3712
@@ -44,6 +46,8 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
# 1.1.1a-r0:
# - CVE-2018-0734
# - CVE-2018-0735
+# 0:
+# - CVE-2022-1292
build() {
local _target _optflags
@@ -125,7 +129,7 @@ _libssl() {
}
sha512sums="
-d9611f393e37577cca05004531388d3e0ebbf714894cab9f95f4903909cd4f45c214faab664c0cbc3ad3cca309d500b9e6d0ecbf9a0a0588d1677dc6b047f9e0 openssl-1.1.1l.tar.gz
+75b2f1499cb4640229eb6cd35d85cbff2e19db17b959ac4d04b60f1b395b73567f9003521452a0fcfeea9b31b26de0a7bccf476ecf9caae02298f3647cfb7e23 openssl-1.1.1o.tar.gz
43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch
e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch
"
diff --git a/main/openvpn/APKBUILD b/main/openvpn/APKBUILD
index 89eadfccaf..622ed25d52 100644
--- a/main/openvpn/APKBUILD
+++ b/main/openvpn/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openvpn
-pkgver=2.5.2
+pkgver=2.5.6
pkgrel=0
pkgdesc="Robust, and highly configurable VPN (Virtual Private Network)"
url="https://openvpn.net/"
@@ -12,7 +12,7 @@ depends="iproute2"
depends_dev="openssl-dev" # openvpn-plugin.h includes openssl/x509.h
makedepends="$depends_dev lzo-dev linux-pam-dev linux-headers"
install="$pkgname.pre-install"
-source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.xz
+source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.gz
openvpn.initd
openvpn.confd
openvpn.up
@@ -20,6 +20,8 @@ source="https://swupdate.openvpn.net/community/releases/openvpn-$pkgver.tar.xz
"
# secfixes:
+# 2.5.6-r0:
+# - CVE-2022-0547
# 2.5.2-r0:
# - CVE-2020-15078
# 2.4.9-r0:
@@ -71,8 +73,10 @@ pam() {
"$subpkgdir"/usr/lib/openvpn/plugins/
}
-sha512sums="ae2cac00ae4b9e06e7e70b268ed47d36bbb45409650175e507d5bfa12b0a4f24bccc64f2494d1563f9269c8076d0f753a492f01ea33ce376ba00b7cdcb5c7bd0 openvpn-2.5.2.tar.xz
+sha512sums="
+0bb0dda44ff757cf5249b6c047932c51073344a1d69048f210da421263a07bb5f4370f5b0c3ed4fdd6c6da2888d28fe8ee8947b59594f4c17a9ea20588852bc0 openvpn-2.5.6.tar.gz
111a1ce79bdb41b8a03c0d43f1fd87de8a0d5592a8b1bd878113af79adce3d0a3109badd92b5af9a0f80b6585473a1e01638f7e78e6baa8aac439f0708bc2a72 openvpn.initd
1f14d4bd7a4a026c276af048ce647501c15358c6b0d184e95c49be5b8184188c8edafb76ed94835cdbb314187ee3b5b3ccd852e3a47add0599814c402309bece openvpn.confd
cdb73c9a5b1eb56e9cbd29955d94297ce5a87079419cd626d6a0b6680d88cbf310735a53f794886df02030b687eaea553c7c569a8ea1282a149441add1c65760 openvpn.up
-4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down"
+4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down
+"
diff --git a/main/postfix/APKBUILD b/main/postfix/APKBUILD
index d232a6833f..48b8b706a9 100644
--- a/main/postfix/APKBUILD
+++ b/main/postfix/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=postfix
-pkgver=3.5.12
+pkgver=3.5.16
pkgrel=0
pkgdesc="Secure and fast drop-in replacement for Sendmail (MTA)"
url="http://www.postfix.org/"
@@ -197,7 +197,7 @@ stone() {
}
sha512sums="
-8f545e79031689b41122cd8ea87512968bcdc8e06ef836a648a9eb8f2e664009c84ba42f14294b5b215d4efd5a2138acb4d0b0f97552eff45dadafcea518cda6 postfix-3.5.12.tar.gz
+81e482b2474df0fb711c86e83c585669b3934d3de1c74fc1bc0bef216225a91809fe802b53e9134bad6916d3dd889267b89dd83f78876f361f18a3192b07cefc postfix-3.5.16.tar.gz
2752e69c4e1857bdcf29444ffb458bca818bc60b9c77c20823c5f5b87c36cb5e0f3217a625a7fe5788d5bfcef7570a1f2149e1233fcd23ccf7ee14190aff47a2 postfix.initd
25cd34f23ca909d4e33aaf3239d1e397260abc7796d9a4456dee4f005682fd3a58aab8106126e5218c95bdddae415a3ef7e2223cd3b0d7b1e2bd76158bb7eaf8 postfix-install.patch
0769e2e503486f8dd6fa21f2c534ad7df7a9f1bb57dde2f0ad61863a3e615d0a6dc18132b27796eb28cd81afb2b4e97c65c9d490a391f835aa3b7b18e74252c5 lmdb-default.patch
diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD
index 8307bf5424..16244c0301 100644
--- a/main/postgresql/APKBUILD
+++ b/main/postgresql/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: G.J.R. Timmer <gjr.timmer@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=postgresql
-pkgver=13.5
+pkgver=13.6
pkgrel=0
pkgdesc="A sophisticated object-relational DBMS"
url="https://www.postgresql.org/"
@@ -274,7 +274,7 @@ _run_tests() {
}
sha512sums="
-c76effbca8ee63be48fa3aeb39c7038221848fe83ca2afc4e0904ba8c6a50b89aa2ad37080d4e3be75e9bdc2d6ca6dfefcda334ef55a5e1a8954bb955ce905e5 postgresql-13.5.tar.bz2
+2852726a3031b8d469f1c38f3019af02fc5afe40ec27b22288a29acefd30c63a98806bce88a214d0c2f9177f547b0b5010ad64e70bcbe2c2f1d97a27ae1984f8 postgresql-13.6.tar.bz2
1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch
27e00b58fe5c3899c66fc0dde51846c14701bcfedd132b106d676783ba603e8cbdc6e620f29b52dc892bdaa9302052788cf5e575a1659f61c017a12e0d2ee4d0 perl-rpath.patch
8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch
diff --git a/main/privoxy/APKBUILD b/main/privoxy/APKBUILD
index f517834c99..496f9e905d 100644
--- a/main/privoxy/APKBUILD
+++ b/main/privoxy/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=privoxy
-pkgver=3.0.32
+pkgver=3.0.33
pkgrel=0
pkgdesc="web proxy with advanced filtering capabilities"
url="https://www.privoxy.org/"
@@ -20,6 +20,11 @@ options="!check" # No test suite
builddir="$srcdir/$pkgname-$pkgver-stable"
# secfixes:
+# 3.0.33-r0:
+# - CVE-2021-44540
+# - CVE-2021-44541
+# - CVE-2021-44542
+# - CVE-2021-44543
# 3.0.32-r0:
# - CVE-2021-20272
# - CVE-2021-20273
@@ -75,7 +80,9 @@ package() {
"$pkgdir"/etc/privoxy
}
-sha512sums="da41c0045bf593219df64718645eff984b5df43737811cc0fa12fce7e8ae1ab59eefbe20f23d6ce8f62216cfd81f1a9c319688d15693c25eed36010f3e1d5ffd privoxy-3.0.32-stable-src.tar.gz
+sha512sums="
+9684455dbce7f6d8f5defd31aa9a7316e0c1dc896525ab4d562d0359462b541b1c366dea9db07b798f3e00b9cbcc44f494d8c431bcb10f2cb05b5bca3cfeaf75 privoxy-3.0.33-stable-src.tar.gz
346bda3a2108547569af3397c77e092c54fa0c20bc6d3bb1d4c202b4e2b8d9c13018eab0a326cd9632310ec8052600ee7db4b6011610faec386c399cdd01af9c privoxy.initd
118caaeac3aba751584c5bdfc737bf5bfeddf1a62fda1f44bcd4654ae2e33183bc1ce6fc66d4a1bdd79766e42e669b1615a6d46d528a1bd49cabdf98385a3bb9 privoxy.logrotate
-1059feed20a31d7d2b5d1f44b7b1af40373d87dbd9e7e83c8998ac1b4e27dfbfdfeb6a9ea7934e15d0c14fed1fd03fb63d2ec8d2a6b53e5884a21dc8df4828fc privoxy-alpine.patch"
+1059feed20a31d7d2b5d1f44b7b1af40373d87dbd9e7e83c8998ac1b4e27dfbfdfeb6a9ea7934e15d0c14fed1fd03fb63d2ec8d2a6b53e5884a21dc8df4828fc privoxy-alpine.patch
+"
diff --git a/main/rdiff-backup/APKBUILD b/main/rdiff-backup/APKBUILD
index 2002d3a572..f7cd21c963 100644
--- a/main/rdiff-backup/APKBUILD
+++ b/main/rdiff-backup/APKBUILD
@@ -2,12 +2,13 @@
# Maintainer: Jeremy Thomerson <jeremy@thomersonfamily.com>
pkgname=rdiff-backup
pkgver=2.0.5
-pkgrel=1
+pkgrel=2
pkgdesc="Reverse differential backup tool"
options="!check" # Requires unpacakged 'xattr'
url="https://rdiff-backup.net/"
arch="all"
license="GPL-2.0-or-later"
+depends="python3"
makedepends="librsync-dev python3-dev py3-setuptools"
subpackages="
$pkgname-doc
diff --git a/main/rsyslog/APKBUILD b/main/rsyslog/APKBUILD
index 209b42f3c1..49552553e9 100644
--- a/main/rsyslog/APKBUILD
+++ b/main/rsyslog/APKBUILD
@@ -6,7 +6,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=rsyslog
pkgver=8.2012.0
-pkgrel=1
+pkgrel=3
pkgdesc="Enhanced multi-threaded syslogd with database support and more"
url="https://www.rsyslog.com/"
arch="all !s390x" # limited by czmq
@@ -49,6 +49,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/rsyslog/rsyslog/archive/v$pk
$pkgname.conf
musl-fix.patch
queue.patch
+ CVE-2022-24903.patch
"
# <subpackage>[:<module>...]
@@ -92,6 +93,8 @@ for _i in $_plugins; do
done
# secfixes:
+# 8.2012.0-r3:
+# - CVE-2022-24903
# 8.1908.0-r1:
# - CVE-2019-17040
# - CVE-2019-17041
@@ -190,8 +193,9 @@ _plugin() {
sha512sums="
78a6f8499340a18b71da22788bb3323ac12f804725b2bb00e939ef6bd4cb6b803e5384a179ddee7db99bf49f2b963419fc26b1bf2d875f6aff7b58fdd4d254b2 rsyslog-8.2012.0.tar.gz
bcd63c8df2ac63b80f3cb51ba7f544988df6cd875f4e81020e762dff30d7537f21b72c95a4b1c08baf15f4ed5f03defbf3f061673aabada5841f45ab9f579374 rsyslog.initd
-198ad8f617b9edb93c9231118a9b3bb80b1e00e6517d2a79c393cbfef4417b8f0d08f231fb33843f8e9b09c7f9bc69dd501057ffe9eef583108af34996fee59d rsyslog.logrotate
+6bf69f14746d0523a4e9189593bc62e14a6e05c7e17922e4398df4b951abdde165e826290f6b6cdc8149199288f555d098178d93d2fae202463ebc523626161b rsyslog.logrotate
451b861dc82d7a2810e6c9ff8f80b2c5149cc6b440baf5901149e7b6524a1179826787a924c84403c2e9d8fa7d4df2c909e7f0877ac0cd4e6faf2e37cba7c6c1 rsyslog.conf
15745c8cdb730ae548d038ca4c04f9f48ef55c6e04949a8e86df356877563c0fcb9660445e47d3f9530925092d6dd80b2b2fc3f64a114ee85103d137327524cb musl-fix.patch
ef2e000b1c42cb5beffb26393952c2a692791e78972ee4b6f187ca53e338122b2004cc5216381c042195f12cc58f37f186a04e12a65b5bdfdcdf76b73393efb7 queue.patch
+9b8ec516979cf344375c58320a44dce39ab92384b4782468f6063dac2c2b7f555888fdcaeff8520acfc27825962915241cfa8618ed65150156426706a6ad7d2a CVE-2022-24903.patch
"
diff --git a/main/rsyslog/CVE-2022-24903.patch b/main/rsyslog/CVE-2022-24903.patch
new file mode 100644
index 0000000000..47e0ea77d1
--- /dev/null
+++ b/main/rsyslog/CVE-2022-24903.patch
@@ -0,0 +1,57 @@
+Patch-Source: https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f
+From 89955b0bcb1ff105e1374aad7e0e993faa6a038f Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 22 Apr 2022 09:49:46 +0200
+Subject: [PATCH] net bugfix: potential buffer overrun
+
+---
+ contrib/imhttp/imhttp.c | 4 +++-
+ plugins/imptcp/imptcp.c | 4 +++-
+ runtime/tcps_sess.c | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
+index f09260b586..95704af985 100644
+--- a/contrib/imhttp/imhttp.c
++++ b/contrib/imhttp/imhttp.c
+@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
+ connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
+ }
+ // temporarily save this character into the message buffer
+- connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ if(connWrkr->iMsg + 1 < s_iMaxLine) {
++ connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ }
+ } else {
+ const char *remoteAddr = "";
+ if (connWrkr->propRemoteAddr) {
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index 2df46a236c..c32dec5851 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 0efa2c23c4..c5442f7638 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
diff --git a/main/rsyslog/rsyslog.logrotate b/main/rsyslog/rsyslog.logrotate
index e2842b88dc..8450db8e70 100644
--- a/main/rsyslog/rsyslog.logrotate
+++ b/main/rsyslog/rsyslog.logrotate
@@ -1,3 +1,4 @@
+/var/log/messages
/var/log/auth.log
/var/log/cron.log
/var/log/kern.log
diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD
index d53e7fa841..38dbde5f40 100644
--- a/main/ruby/APKBUILD
+++ b/main/ruby/APKBUILD
@@ -1,8 +1,15 @@
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+# Contributor: Nulo <git@nulo.in>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.7.6-r0:
+# - CVE-2022-28739
+# 2.7.5-r0:
+# - CVE-2021-41817
+# - CVE-2021-41816
+# - CVE-2021-41819
# 2.7.4-r0:
# - CVE-2021-31799
# - CVE-2021-31810
@@ -43,7 +50,7 @@
# - CVE-2017-17405
#
pkgname=ruby
-pkgver=2.7.4
+pkgver=2.7.6
_abiver="${pkgver%.*}.0"
pkgrel=0
pkgdesc="An object-oriented language for quick and easy programming"
@@ -347,7 +354,7 @@ _mvgem() {
}
sha512sums="
-a317752e9a32c8d1261e67ca89c396722ee779ec8ba4594987812d065b73751f51485a1ede8044aae14b3b16e8d049c6953cef530ae1b82abb135b446c653f8a ruby-2.7.4.tar.gz
+94810bb204cec55b5bbec8d51a5f5cc696613d1812b152399441a5cc7e4eddd2b376bc85e16d8da0b12f1938d19bf0d056b49a028809c036fb5a446a65bffbee ruby-2.7.6.tar.gz
a142199140fa711a64717429e9069fd2082319abaf4b129f561db374b3bc16e2a90cc4c849b5d28334505d1c71fed242aef3c44d983da3513d239dcb778673a5 rubygems-avoid-platform-specific-gems.patch
43c1fc80f0dcb4f24d891478889808583da90dc9e0df74c3b1cf41253c13a0d416d2b7ae17e7d53ac1238340a845b088f0fe20324a79905cc6b950b3dcfa4ac6 test_insns-lower-recursion-depth.patch
3ffc034c01110ee5531265333ca5ee8d61d08131843fe3004c5b34c88c9c1b32cb4ed89574f393177c8bd526e9c15da61ab344f93adf07b9148c561ee19e2eb5 fix-get_main_stack.patch
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index 59985ef928..e7e956ab01 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
-pkgver=4.13.8
+pkgver=4.13.17
pkgrel=0
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="https://www.samba.org/"
@@ -95,6 +95,17 @@ source="
pkggroups="winbind"
# secfixes:
+# 4.13.17-r0:
+# - CVE-2016-2124
+# - CVE-2020-25717
+# - CVE-2020-25718
+# - CVE-2020-25719
+# - CVE-2020-25721
+# - CVE-2020-25722
+# - CVE-2021-23192
+# - CVE-2021-3738
+# - CVE-2021-43566
+# - CVE-2021-44142
# 4.13.8-r0:
# - CVE-2021-20254
# 4.13.7-r0:
@@ -546,6 +557,7 @@ libs() {
usr/lib/$pkgname/libcmocka-samba4.so \
usr/lib/$pkgname/libcommon-auth-samba4.so \
usr/lib/$pkgname/libdbwrap-samba4.so \
+ usr/lib/$pkgname/libdcerpc-pkt-auth-samba4.so \
usr/lib/$pkgname/libdcerpc-samba-samba4.so \
usr/lib/$pkgname/libevents-samba4.so \
usr/lib/$pkgname/libflag-mapping-samba4.so \
@@ -606,7 +618,8 @@ libs() {
"$pkgdir"/usr
}
-sha512sums="b8704097b5c20f2d5eb04f41b4519205f1b554215b396e558715a3039aeaece6ad776928c9aa7be84a3bc98994cdfdb0b7e3787c31832eb0e025eb796fe06bae samba-4.13.8.tar.gz
+sha512sums="
+3f47cc588c370510a11a1d5dc1a9f64872d765a2940a0dd39f02718f9a81b134dda9c9cb593f291f2aa1657de65b26458adcda33369c0858e16edf7f088edaf4 samba-4.13.17.tar.gz
58de5e79fdfd06e828d478e112d581d333a8bee88d2602b92204d780f0d707b27dd84f8e2e6b00fca40da81c8fe99aa5bcec70d8b393d3a0a83199c72a4aa48b getpwent_r.patch
b7906d66fe55a980a54161ee3f311b51bcbce76b8d4c8cc1ba6d0c5bdf98232cb192b9d2c1aa7b3e2742f5b9848c6cf429347940eefe66c3e0eda1d5aac1bf93 musl_uintptr.patch
1854577d0e4457e27da367a6c7ec0fb5cfd63cefea0a39181c9d6e78cf8d3eb50878cdddeea3daeec955d00263151c2f86ea754ff4276ef98bc52c0276d9ffe8 netdb-defines.patch
@@ -617,4 +630,5 @@ bc2df70e327fea5dfbd923600225f1448815d842c37d6937dd74eab7f7699d7f52cd7a8e28a61233
c0bbe1186b150a9bb2a0b741a8cfbd7a5109e5fed1eaa07aaa38cf026ebe054d38cc01e2496f0cab7b40f743e1b7ecfbf8a4d5820810226c4152021df65f36dc pidl.patch
96070e2461370437f48571e7de550c13a332fef869480cfe92e7cac73a998f6c2ee85d2580df58211953bebd0e577691aa710c8edddf3ea0f30e9d47d0a2fd44 samba.initd
e2b49cb394e758447ca97de155a61b4276499983a0a5c00b44ae621c5559b759a766f8d1c8d3ee98ad5560f4064a847a7a20cfa2e14f85c061bec8b80fd649eb samba.confd
-3458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate"
+3458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate
+"
diff --git a/main/subversion/APKBUILD b/main/subversion/APKBUILD
index 638b0b398a..3e0d09ccd7 100644
--- a/main/subversion/APKBUILD
+++ b/main/subversion/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=subversion
-pkgver=1.14.1
+pkgver=1.14.2
pkgrel=0
_py3c_ver=1.1
pkgdesc="Replacement for CVS, another versioning system (svn)"
@@ -24,6 +24,9 @@ source="https://archive.apache.org/dist/subversion/subversion-$pkgver.tar.bz2
svnserve.initd"
# secfixes:
+# 1.14.2-r0:
+# - CVE-2021-28544
+# - CVE-2022-24070
# 1.14.1-r0:
# - CVE-2020-17525
# 1.12.2-r0:
@@ -133,7 +136,8 @@ py() {
"$subpkgdir"/usr/lib/
}
-sha512sums="0a70c7152b77cdbcb810a029263e4b3240b6ef41d1c19714e793594088d3cca758d40dfbc05622a806b06463becb73207df249393924ce591026b749b875fcdd subversion-1.14.1.tar.bz2
+sha512sums="
+20ada4688ca07d9fb8da4b7d53b5084568652a3b9418c65e688886bae950a16a3ff37710fcfc9c29ef14a89e75b2ceec4e9cf35d5876a7896ebc2b512cfb9ecc subversion-1.14.2.tar.bz2
aa95bbe1a80eec9e32d3dab4b0771a35fc467052757077fa17b42ceba78a5fe7fb1fa99079240aeeea5538abff778518b706f3bf16dbce2cd4f7dc1900c61b24 py3c-1.1.tar.gz
fb219c45b80602d919176cc191394df09f90d0f5c7d24e6a36b166bd92777ecae67eeac1e49c0ffbb0e724396b3d2094dbb0bef17d01dc87d418b1cd554bd7c4 subversion-1.7.0-deplibs.patch
fd6e5f45cff4d3cf0d885a34c822b32141b13b199d99ad8e1b04d641c9c1ee27e73f5c556a4ad54a900b6d39cc14afad17b6738d8af44c76758f1a27b4d49f9a subversion-perl-deplibs.patch
diff --git a/main/tcpdump/APKBUILD b/main/tcpdump/APKBUILD
index 7641c49cfd..6029b120f5 100644
--- a/main/tcpdump/APKBUILD
+++ b/main/tcpdump/APKBUILD
@@ -16,33 +16,33 @@ source="https://www.tcpdump.org/release/tcpdump-$pkgver.tar.gz
# 4.9.3-r1:
# - CVE-2020-8037
# 4.9.3-r0:
-# - CVE-2017-16808 (AoE)
-# - CVE-2018-14468 (FrameRelay)
-# - CVE-2018-14469 (IKEv1)
-# - CVE-2018-14470 (BABEL)
-# - CVE-2018-14466 (AFS/RX)
-# - CVE-2018-14461 (LDP)
-# - CVE-2018-14462 (ICMP)
-# - CVE-2018-14465 (RSVP)
-# - CVE-2018-14881 (BGP)
-# - CVE-2018-14464 (LMP)
-# - CVE-2018-14463 (VRRP)
-# - CVE-2018-14467 (BGP)
-# - CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
-# - CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
-# - CVE-2018-14880 (OSPF6)
-# - CVE-2018-16451 (SMB)
-# - CVE-2018-14882 (RPL)
-# - CVE-2018-16227 (802.11)
-# - CVE-2018-16229 (DCCP)
-# - CVE-2018-16301 (was fixed in libpcap)
-# - CVE-2018-16230 (BGP)
-# - CVE-2018-16452 (SMB)
-# - CVE-2018-16300 (BGP)
-# - CVE-2018-16228 (HNCP)
-# - CVE-2019-15166 (LMP)
-# - CVE-2019-15167 (VRRP)
-# - CVE-2018-14879 (tcpdump -V)
+# - CVE-2017-16808 # (AoE)
+# - CVE-2018-14468 # (FrameRelay)
+# - CVE-2018-14469 # (IKEv1)
+# - CVE-2018-14470 # (BABEL)
+# - CVE-2018-14466 # (AFS/RX)
+# - CVE-2018-14461 # (LDP)
+# - CVE-2018-14462 # (ICMP)
+# - CVE-2018-14465 # (RSVP)
+# - CVE-2018-14881 # (BGP)
+# - CVE-2018-14464 # (LMP)
+# - CVE-2018-14463 # (VRRP)
+# - CVE-2018-14467 # (BGP)
+# - CVE-2018-10103 # (SMB - partially fixed, but SMB printing disabled)
+# - CVE-2018-10105 # (SMB - too unreliably reproduced, SMB printing disabled)
+# - CVE-2018-14880 # (OSPF6)
+# - CVE-2018-16451 # (SMB)
+# - CVE-2018-14882 # (RPL)
+# - CVE-2018-16227 # (802.11)
+# - CVE-2018-16229 # (DCCP)
+# - CVE-2018-16301 # (was fixed in libpcap)
+# - CVE-2018-16230 # (BGP)
+# - CVE-2018-16452 # (SMB)
+# - CVE-2018-16300 # (BGP)
+# - CVE-2018-16228 # (HNCP)
+# - CVE-2019-15166 # (LMP)
+# - CVE-2019-15167 # (VRRP)
+# - CVE-2018-14879 # (tcpdump -V)
# 4.9.0-r0:
# - CVE-2016-7922
# - CVE-2016-7923
diff --git a/main/tiny-cloud/APKBUILD b/main/tiny-cloud/APKBUILD
new file mode 100644
index 0000000000..b42318cfeb
--- /dev/null
+++ b/main/tiny-cloud/APKBUILD
@@ -0,0 +1,65 @@
+# Contributor: Mike Crute <mike@crute.us>
+# Contributor: Jake Buchholz Göktürk <tomalok@gmail.com>
+# Maintainer: Jake Buchholz Göktürk <tomalok@gmail.com>
+pkgname=tiny-cloud
+pkgver=2.0.0
+pkgrel=0
+pkgdesc="Tiny Cloud instance bootstrapper"
+url="https://gitlab.alpinelinux.org/alpine/cloud/tiny-cloud"
+arch="noarch"
+license="MIT"
+options="!check" # no tests provided
+depends="e2fsprogs-extra partx sfdisk"
+source="$url/-/archive/$pkgver/$pkgname-$pkgver.tar.gz"
+subpackages="
+ $pkgname-network
+ $pkgname-openrc
+ $pkgname-aws
+ $pkgname-azure
+ $pkgname-gcp
+ $pkgname-oci
+"
+
+package() {
+ make PREFIX="$pkgdir" core openrc
+}
+
+network() {
+ pkgdesc="Tiny Cloud - networking module"
+ depends="ifupdown-ng iproute2-minimal $pkgname=$pkgver-r$pkgrel"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" network
+}
+
+aws() {
+ pkgdesc="Tiny Cloud - Amazon Web Services module"
+ depends="nvme-cli $pkgname-network=$pkgver-r$pkgrel"
+ provides="tiny-ec2-bootstrap"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" aws
+}
+
+azure() {
+ pkgdesc="Tiny Cloud - Azure module"
+ depends="$pkgname=$pkgver-r$pkgrel"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" azure
+}
+
+gcp() {
+ pkgdesc="Tiny Cloud - Google Cloud Platform module"
+ depends="$pkgname=$pkgver-r$pkgrel"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" gcp
+}
+
+oci() {
+ pkgdesc="Tiny Cloud - Oracle Cloud Infrastructure module"
+ depends="$pkgname=$pkgver-r$pkgrel"
+ cd "$builddir"
+ make PREFIX="$subpkgdir" oci
+}
+
+sha512sums="
+d3c1eb1daf1d298f34459ab2b54c1077b3bc037bbe0df3591cade85ba9d351a47f9ce42fabe5480505236731795679a32f0144998de689f35139aa28ac490d48 tiny-cloud-2.0.0.tar.gz
+"
diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD
index a7611d6e3a..1dec5d6eff 100644
--- a/main/tzdata/APKBUILD
+++ b/main/tzdata/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tzdata
-pkgver=2021e
-_tzcodever=2021e
+pkgver=2022a
+_tzcodever=2022a
_ptzver=0.5
pkgrel=0
pkgdesc="Timezone data"
@@ -51,8 +51,8 @@ package() {
}
sha512sums="
-87b0335129ea41c5f42f687f548712e5da892baa8494cecf5d34851beceecf6ae52f22104696ed187713cf9e502570eb2041e277dfd3c043c11d0253bfde685a tzcode2021e.tar.gz
-c1e8d04e049157ed5d4af0868855bbd75517e3d7e1db9c41d5283ff260109de46b6fac6be94828201d093e163d868044ac2a9db2bf0aeab800e264d0c73a9119 tzdata2021e.tar.gz
+3f047a6f414ae3df4a3d6bb9b39a1790833d191ae48e6320ab9438cd326dc455475186a02c44e4cde96b48101ab000880919b1e0e8092aed7254443ed2c831ed tzcode2022a.tar.gz
+542e4559beac8fd8c4af7d08d816fd12cfe7ffcb6f20bba4ff1c20eba717749ef96e5cf599b2fe03b5b8469c0467f8cb1c893008160da281055a123dd9e810d9 tzdata2022a.tar.gz
68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz
0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch
fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch
diff --git a/main/util-linux/APKBUILD b/main/util-linux/APKBUILD
index a4b0e2e277..945d9fc81d 100644
--- a/main/util-linux/APKBUILD
+++ b/main/util-linux/APKBUILD
@@ -2,25 +2,24 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=util-linux
-pkgver=2.36.1
+pkgver=2.37.4
case $pkgver in
*.*.*) _v=${pkgver%.*};;
*.*) _v=$pkgver;;
esac
-pkgrel=1
+pkgrel=0
pkgdesc="Random collection of Linux utilities"
url="https://git.kernel.org/cgit/utils/util-linux/util-linux.git"
arch="all"
license="GPL-3.0-or-later AND GPL-2.0-or-later AND GPL-2.0-only AND
LGPL-2.1-or-later AND BSD-3-Clause AND BSD-4-Clause-UC AND Public-Domain"
depends="blkid setpriv findmnt mcookie hexdump lsblk sfdisk cfdisk partx"
-makedepends_build="autoconf automake libtool"
+makedepends_build="autoconf automake libtool asciidoctor"
makedepends_host="zlib-dev ncurses-dev linux-headers libcap-ng-dev"
options="suid"
source="https://www.kernel.org/pub/linux/utils/util-linux/v$_v/util-linux-$pkgver.tar.xz
- libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch
ttydefaults.h
rfkill.confd
rfkill.initd
@@ -51,6 +50,13 @@ else
fi
makedepends="$makedepends_build $makedepends_host"
+# secfixes:
+# 2.37.4-r0:
+# - CVE-2022-0563
+# 2.37.3-r0:
+# - CVE-2021-3995
+# - CVE-2021-3996
+
prepare() {
default_prepare
@@ -146,8 +152,9 @@ _py3() {
mv "$pkgdir"/usr/lib/python* "$subpkgdir"/usr/lib/
}
-sha512sums="9dfd01ae4c16fa35015dafd222d555988b72e4d1d2fbadd140791b9ef78f84fa8254d4d08dc67cabf41e873338867f19e786b989d708ccfe5161c4f7679bba7a util-linux-2.36.1.tar.xz
-ef916685b7b8d36f6c0e5a0b4697bc9edcc139427eb050a16d5af4bc28960ba4760faf37550bc1d8afa183724a884eb23de6316ffca6f2903126872e8394686d libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch
+sha512sums="
+ada2629b0a8e83ea83513e04f7b1ccceb3b8ab82acd119c5d8389d1abc48c92d0b591f39fb34b1fd65db3ab630f03a672a9f3dacf1a6e4f124bdb083fc1be6d7 util-linux-2.37.4.tar.xz
876bb9041eca1b2cca1e9aac898f282db576f7860aba690a95c0ac629d7c5b2cdeccba504dda87ff55c2a10b67165985ce16ca41a0694a267507e1e0cafd46d9 ttydefaults.h
401d2ccbdbfb0ebd573ac616c1077e2c2b79ff03e9221007759d8ac25eb522c401f705abbf7daac183d5e8017982b8ec5dd0a5ebad39507c5bb0a9f31f04ee97 rfkill.confd
-c4e7ba6d257496c99934add2ca532db16fb070ea2367554587c9fb4e24ab1d80b8ba3fd0fd4fdd5ef1374c3ec6414007369b292ee334ef23171d0232ef709db2 rfkill.initd"
+c4e7ba6d257496c99934add2ca532db16fb070ea2367554587c9fb4e24ab1d80b8ba3fd0fd4fdd5ef1374c3ec6414007369b292ee334ef23171d0232ef709db2 rfkill.initd
+"
diff --git a/main/util-linux/libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch b/main/util-linux/libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch
deleted file mode 100644
index 9504df6f9d..0000000000
--- a/main/util-linux/libmount-dont-use-symfollow-for-helpers-on-user-mounts.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 76bb9b30cfcf54b59591a57a3d2a747e514469b2 Mon Sep 17 00:00:00 2001
-From: Karel Zak <kzak@redhat.com>
-Date: Thu, 19 Nov 2020 09:49:16 +0100
-Subject: libmount: don't use "symfollow" for helpers on user mounts
-
-Addresses: https://github.com/karelzak/util-linux/issues/1193
-Signed-off-by: Karel Zak <kzak@redhat.com>
----
- libmount/src/context_mount.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c
-index 8c394c1ff..dd1786176 100644
---- a/libmount/src/context_mount.c
-+++ b/libmount/src/context_mount.c
-@@ -415,6 +415,9 @@ static int generate_helper_optstr(struct libmnt_context *cxt, char **optstr)
- * string, because there is nothing like MS_EXEC (we only have
- * MS_NOEXEC in mount flags and we don't care about the original
- * mount string in libmount for VFS options).
-+ *
-+ * This use-case makes sense for MS_SECURE flags only (see
-+ * mnt_optstr_get_flags() and mnt_context_merge_mflags()).
- */
- if (!(cxt->mountflags & MS_NOEXEC))
- mnt_optstr_append_option(optstr, "exec", NULL);
-@@ -422,11 +425,8 @@ static int generate_helper_optstr(struct libmnt_context *cxt, char **optstr)
- mnt_optstr_append_option(optstr, "suid", NULL);
- if (!(cxt->mountflags & MS_NODEV))
- mnt_optstr_append_option(optstr, "dev", NULL);
-- if (!(cxt->mountflags & MS_NOSYMFOLLOW))
-- mnt_optstr_append_option(optstr, "symfollow", NULL);
- }
-
--
- if (cxt->flags & MNT_FL_SAVED_USER)
- rc = mnt_optstr_set_option(optstr, "user", cxt->orig_user);
- if (rc)
---
-cgit 1.2.3-1.el7
-
diff --git a/main/varnish/0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch b/main/varnish/0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch
new file mode 100644
index 0000000000..c8d3fde7f1
--- /dev/null
+++ b/main/varnish/0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch
@@ -0,0 +1,31 @@
+From fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland <martin@varnish-software.com>
+Date: Fri, 17 Dec 2021 22:10:16 +0100
+Subject: [PATCH 1/2] Mark req doclose when failing to ignore req body
+
+Previously we would ignore errors to iterate the request body into
+oblivion in VRB_Ignore(), keeping the connection open. This opens an
+out-of-sync vulnerability on H/1 connections.
+
+This patch tests the status of the request body in VRB_Ignore(), marking
+the request failed and that it should be closed on errors.
+---
+ bin/varnishd/cache/cache_req_body.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
+index 6391f928d..5ffd08b77 100644
+--- a/bin/varnishd/cache/cache_req_body.c
++++ b/bin/varnishd/cache/cache_req_body.c
+@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
+ if (req->req_body_status->avail > 0)
+ (void)VRB_Iterate(req->wrk, req->vsl, req,
+ httpq_req_body_discard, NULL);
++ if (req->req_body_status == BS_ERROR)
++ req->doclose = SC_RX_BODY;
+ return (0);
+ }
+
+--
+2.35.0
+
diff --git a/main/varnish/0002-VRB_Ignore-errors-and-connection-close-test-case.patch b/main/varnish/0002-VRB_Ignore-errors-and-connection-close-test-case.patch
new file mode 100644
index 0000000000..7343dc0ba4
--- /dev/null
+++ b/main/varnish/0002-VRB_Ignore-errors-and-connection-close-test-case.patch
@@ -0,0 +1,75 @@
+From 1020be7e886399a4e94407ae0dfbfd1475cc5756 Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland <martin@varnish-software.com>
+Date: Fri, 17 Dec 2021 22:10:27 +0100
+Subject: [PATCH 2/2] VRB_Ignore() errors and connection close test case
+
+---
+ bin/varnishtest/tests/f00008.vtc | 56 ++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+ create mode 100644 bin/varnishtest/tests/f00008.vtc
+
+diff --git a/bin/varnishtest/tests/f00008.vtc b/bin/varnishtest/tests/f00008.vtc
+new file mode 100644
+index 000000000..4d6161a35
+--- /dev/null
++++ b/bin/varnishtest/tests/f00008.vtc
+@@ -0,0 +1,56 @@
++varnishtest "VRB_Ignore and connection close"
++
++server s1 {
++ rxreq
++ txresp -body HIT
++} -start
++
++varnish v1 -arg "-p timeout_idle=1" -vcl+backend {
++ sub vcl_recv {
++ if (req.url == "/synth") {
++ return (synth(200, "SYNTH"));
++ }
++ }
++} -start
++
++# Prime an object
++client c1 {
++ txreq -url /hit
++ rxresp
++ expect resp.status == 200
++ expect resp.body == HIT
++} -run
++
++# Test synth
++client c2 {
++ txreq -req POST -url /synth -hdr "Content-Length: 2"
++ # Send 1 byte
++ send a
++ # Wait timeout_idle
++ delay 1.1
++ # Send 1 byte
++ send b
++ rxresp
++ expect resp.status == 200
++ expect resp.reason == SYNTH
++ expect resp.http.connection == close
++ timeout 0.5
++ expect_close
++} -run
++
++# Test cache hit
++client c3 {
++ txreq -req GET -url /hit -hdr "Content-Length: 2"
++ # Send 1 byte
++ send a
++ # Wait timeout_idle
++ delay 1.1
++ # Send 1 byte
++ send b
++ rxresp
++ expect resp.status == 200
++ expect resp.body == HIT
++ expect resp.http.connection == close
++ timeout 0.5
++ expect_close
++} -run
+--
+2.35.0
+
diff --git a/main/varnish/APKBUILD b/main/varnish/APKBUILD
index 47030bdb32..0aad693f46 100644
--- a/main/varnish/APKBUILD
+++ b/main/varnish/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=varnish
pkgver=6.5.2
-pkgrel=0
+pkgrel=1
pkgdesc="High-performance HTTP accelerator"
url="https://www.varnish-cache.org/"
arch="all"
@@ -27,10 +27,14 @@ source="https://varnish-cache.org/_downloads/varnish-$pkgver.tgz
varnishncsa.initd
varnishncsa.confd
varnishd.logrotate
- maxminddb.vcl"
+ maxminddb.vcl
+ 0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch
+ 0002-VRB_Ignore-errors-and-connection-close-test-case.patch"
# secfixes:
+# 6.5.2-r1:
+# - CVE-2022-23959
# 6.5.2-r0:
# - CVE-2021-36740
# 6.2.1-r0:
@@ -109,4 +113,6 @@ e0b7d67bbd710f0a17b77837c581f128e6b746eff2b12e81d03d1ad040037e95bb00fb8007d89bc6
a5426ff66b89d2afb6273f05e4117b3eec5ce0162a624d52c92b418960f72e58bd01224165613221af76ec241bd98e1eb985b2ef7b83a5b615e9ece67234dcc8 varnishncsa.confd
51cc6d46ff7439de93977ab87dfb0af399458c1e446475696f73342ae7a0c1a8ca8fc6e79e593659f1af30716a5f8a1ee5e3b1f5e7b35df40b45d47e7b0f2ffd varnishd.logrotate
69f088819cff6d4441813be284f4117f232d08908515bd15d96bd5bb9d41ba7100657a52fd408d44c396d004366062ae22fbf08e2a983cd8023b554539ccf596 maxminddb.vcl
+62f8c3f86d283b20f25db20504434095392c1aacbf4c91cea0ee9ba3cfd22ad1de928cb56ff4e1a226a5b31cc25466dcae0f28a8ebf575faa8655a9676ea896c 0001-Mark-req-doclose-when-failing-to-ignore-req-body.patch
+010d96023cd03c5350da9d779cbb05f0ce47b36d47869ace01e2c7cd841fffb610f28b39118bf9bc36617f778ab59a5d913b14ae2e71467852f6390021f7a295 0002-VRB_Ignore-errors-and-connection-close-test-case.patch
"
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index 3760c45e95..612bbde0a6 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vim
-pkgver=8.2.3437
+pkgver=8.2.4836
pkgrel=0
pkgdesc="Improved vi-style text editor"
url="https://www.vim.org/"
@@ -18,6 +18,55 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/vim/vim/archive/v$pkgver.tar
"
# secfixes:
+# 8.2.4836-r0:
+# - CVE-2022-1381
+# 8.2.4708-r0:
+# - CVE-2022-1154
+# - CVE-2022-1160
+# 8.2.4619-r0:
+# - CVE-2022-0943
+# - CVE-2022-0572
+# - CVE-2022-0629
+# - CVE-2022-0685
+# - CVE-2022-0696
+# - CVE-2022-0714
+# - CVE-2022-0729
+# - CVE-2022-0359
+# - CVE-2022-0361
+# - CVE-2022-0368
+# - CVE-2022-0392
+# - CVE-2022-0393
+# - CVE-2022-0407
+# - CVE-2022-0408
+# - CVE-2022-0413
+# - CVE-2022-0417
+# - CVE-2022-0443
+# 8.2.4173-r0:
+# - CVE-2021-4069
+# - CVE-2021-4136
+# - CVE-2021-4166
+# - CVE-2021-4173
+# - CVE-2021-4187
+# - CVE-2021-4192
+# - CVE-2021-4193
+# - CVE-2021-46059
+# - CVE-2022-0128
+# - CVE-2022-0156
+# - CVE-2022-0158
+# - CVE-2022-0213
+# 8.2.3779-r0:
+# - CVE-2021-4019
+# 8.2.3650-r0:
+# - CVE-2021-3927
+# - CVE-2021-3928
+# - CVE-2021-3968
+# - CVE-2021-3973
+# - CVE-2021-3974
+# - CVE-2021-3984
+# 8.2.3567-r0:
+# - CVE-2021-3903
+# 8.2.3500-r0:
+# - CVE-2021-3875
# 8.2.3437-r0:
# - CVE-2021-3770
# - CVE-2021-3778
@@ -133,6 +182,6 @@ xxd() {
}
sha512sums="
-7f6fc24f8f4a4fa01d20702684cc09aa5c3b51cdc2c96f3afcb484bc60874fab5dcafc33a9daa5ff25f7ae7b90ba0b124a7667d33d9fa5d9553a11be9a1ee069 vim-8.2.3437.tar.gz
+e1afe03a3140c91fa928d88a8b3ad5e7c8808e5de5b7a07726b2a4f8f402adfdef2890be6a279e52848cc75346d15d4653f579f96da409544d58aba036abbbf7 vim-8.2.4836.tar.gz
d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc
"
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index c50f0fbace..1be8f47e6d 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xen
-pkgver=4.14.3
-pkgrel=2
+pkgver=4.14.5
+pkgrel=0
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -119,35 +119,35 @@ options="!strip"
# 4.10.1-r0:
# - CVE-2018-10472 XSA-258
# - CVE-2018-10471 XSA-259
-# 4.10-1-r1:
+# 4.10.1-r1:
# - CVE-2018-8897 XSA-260
# - CVE-2018-10982 XSA-261
# - CVE-2018-10981 XSA-262
# 4.11.0-r0:
-# - CVE-2018-3639 XSA-263
-# - CVE-2018-12891 XSA-264
-# - CVE-2018-12893 XSA-265
-# - CVE-2018-12892 XSA-266
-# - CVE-2018-3665 XSA-267
+# - CVE-2018-3639 XSA-263
+# - CVE-2018-12891 XSA-264
+# - CVE-2018-12893 XSA-265
+# - CVE-2018-12892 XSA-266
+# - CVE-2018-3665 XSA-267
# 4.11.1-r0:
-# - CVE-2018-15469 XSA-268
-# - CVE-2018-15468 XSA-269
-# - CVE-2018-15470 XSA-272
-# - CVE-2018-3620 XSA-273
-# - CVE-2018-3646 XSA-273
-# - CVE-2018-19961 XSA-275
-# - CVE-2018-19962 XSA-275
-# - CVE-2018-19963 XSA-276
-# - CVE-2018-19964 XSA-277
-# - CVE-2018-18883 XSA-278
-# - CVE-2018-19965 XSA-279
-# - CVE-2018-19966 XSA-280
-# - CVE-2018-19967 XSA-282
+# - CVE-2018-15469 XSA-268
+# - CVE-2018-15468 XSA-269
+# - CVE-2018-15470 XSA-272
+# - CVE-2018-3620 XSA-273
+# - CVE-2018-3646 XSA-273
+# - CVE-2018-19961 XSA-275
+# - CVE-2018-19962 XSA-275
+# - CVE-2018-19963 XSA-276
+# - CVE-2018-19964 XSA-277
+# - CVE-2018-18883 XSA-278
+# - CVE-2018-19965 XSA-279
+# - CVE-2018-19966 XSA-280
+# - CVE-2018-19967 XSA-282
# 4.12.0-r2:
-# - CVE-2018-12126 XSA-297
-# - CVE-2018-12127 XSA-297
-# - CVE-2018-12130 XSA-297
-# - CVE-2019-11091 XSA-297
+# - CVE-2018-12126 XSA-297
+# - CVE-2018-12127 XSA-297
+# - CVE-2018-12130 XSA-297
+# - CVE-2019-11091 XSA-297
# 4.12.1-r0:
# - CVE-2019-17349 CVE-2019-17350 XSA-295
# 4.13.0-r0:
@@ -170,9 +170,9 @@ options="!strip"
# - CVE-2020-11743 XSA-316
# - CVE-2020-11742 XSA-318
# 4.13.1-r0:
-# - CVE-????-????? XSA-312
+# - XSA-312
# 4.13.1-r3:
-# - CVE-2020-0543 XSA-320
+# - CVE-2020-0543 XSA-320
# 4.13.1-r4:
# - CVE-2020-15566 XSA-317
# - CVE-2020-15563 XSA-319
@@ -214,13 +214,13 @@ options="!strip"
# - CVE-2020-29570 XSA-358
# - CVE-2020-29571 XSA-359
# 4.14.1-r1:
-# - CVE-2021-3308 XSA-360
+# - CVE-2021-3308 XSA-360
# 4.14.1-r2:
# - CVE-2021-26933 XSA-364
# 4.14.1-r3:
# - CVE-2021-28693 XSA-372
# - CVE-2021-28692 XSA-373
-# - CVE-2021-0089 XSA-375
+# - CVE-2021-0089 XSA-375
# - CVE-2021-28690 XSA-377
# 4.14.2-r0:
# - CVE-2021-28694 XSA-378
@@ -240,6 +240,19 @@ options="!strip"
# - CVE-2021-28708 XSA-388
# - CVE-2021-28705 XSA-389
# - CVE-2021-28709 XSA-389
+# 4.14.5-r0:
+# - CVE-2021-28706 XSA-385
+# - CVE-2021-28703 XSA-387
+# - CVE-2022-23033 XSA-393
+# - CVE-2022-23034 XSA-394
+# - CVE-2022-23035 XSA-395
+# - CVE-2022-26356 XSA-397
+# - XSA-398
+# - CVE-2022-26357 XSA-399
+# - CVE-2022-26358 XSA-400
+# - CVE-2022-26359 XSA-400
+# - CVE-2022-26360 XSA-400
+# - CVE-2022-26361 XSA-400
case "$CARCH" in
x86*)
@@ -303,12 +316,6 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
qemu-xen-time64.patch
gcc10-etherboot-enum.patch
- xsa386.patch
-
- xsa388-4.14-1.patch
- xsa388-4.14-2.patch
- xsa389-4.14.patch
-
xenstored.initd
xenstored.confd
xenconsoled.initd
@@ -535,7 +542,7 @@ EOF
}
sha512sums="
-b462fcc1549f6e57f7f2a4fd10ce1e957a25a6a7c0319672b62699468f6c4330b9cd0cf2b0231b5cce94f4bb142a957eb8aa58aa0ffb5c85b37211d6b34ccf16 xen-4.14.3.tar.gz
+7fc1c98b5e135e14a1902786d6cf44304c1c1e9b600195592aa3d12ba937bc307eaae984596c30544519f181d2a02f2c9ad9c94d6b2b6fac2091b54568b0705e xen-4.14.5.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -546,21 +553,17 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz
8120696ba6d79fd9189664deed9b0489825d8d1edf7b931023b3979b7b9f82248e5b808c4517036cd40a85442ddf51a8dcad3b05d7f3c3cc6650654d53da4050 ipxe-git-1dd56dbd11082fb622c2ed21cfaced4f47d798a6.tar.gz
b9c754220187955d01ffbb6e030dace9d9aaae755db1765d07e407858c71a2cb0de04e0ab2099cd121d9e1bc1978af06c7dbd2fd805e06eca12ac5d527f15a52 mini-os-__divmoddi4.patch
-1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
-f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
+809df33d86072834cf6f740fa9a4c7f5292b35bb44b5527c6439085c4656f6744a30b311abc2d79fca0ec098c22e49ebdb514c007eb1f8b8ece417618060709f qemu-xen_paths.patch
+392e56cbfad2780d3666fba62d26381eed8b56ee101b60c07d367232bae1458b40af89d8b94b0e26f603378a36fde8ea6830d95c43f0fde666299f723c90c537 hotplug-vif-vtrill.patch
5fc028b5e4eb9b14fd5b27e3470172e3eb1ac63c1443fc0af7ed04efd874db733165e62d41504a547651c4466737303a6a5128f66212a42664ff6c1c9d233f4a musl-hvmloader-fix-stdint.patch
8c3b57eab8641bcee3dbdc1937ea7874f77b9722a5a0aa3ddb8dff8cc0ced7e19703ef5d998621b3809bea7c16f3346cfa47610ec9ab014ad0de12651c94e5ff stdint_local.h
853467a2d055c5bfbdc7bdca175a334241be44a7c5ac3c0a84a4bc5463b5c070b66d37e2a557429ef860727a6b7350683af758cc2494d85b6be4d883143a2c0d elf_local.h
-2094ea964fa610b2bf72fd2c7ede7e954899a75c0f5b08030cf1d74460fb759ade84866176e32f8fe29c921dfdc6dafd2b31e23ab9b0a3874d3dceeabdd1913b xenqemu-xattr-size-max.patch
+e78c84dabe2dd77132b003c71730e378245f04110396d0a0e71aa4964309dd2cb63a802337833bd90cb9d7cef9918d4fc8879a6f978e8489800cd5e14f272fb3 xenqemu-xattr-size-max.patch
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
-6c28470dab368ce94d94db9e66954e4d915394ea730f6d4abb198ae122dbd7412453d6d8054f0a348d43d7f807fb13294363162f8b19f47311e802ffa9a40a90 stubdom-hack.patch
+996383249d20384e85a04339ecfe62b7afb9ef5a0fbf92c05889f28e31e07682eaf9e68c5ef1f4142e690d2d0f0154e1c3009071f650eb706e05171dbe4ee7dd stubdom-hack.patch
5b582453ea64fae138e9442c7f4c083bbef82c216b25bb3e509c0e8f5c0e88487f9e12152367760fb8a6133266e7d8b58eda5e20cf7234a0f39ed6804070cc8d tpm-version.patch
231b5d0abf6420722534bf48b4f263bdf70dd258f5f34b344f230b4e166edb3ebaf769592f40653ea5836b4431ef951ebcf1995f09e2beb4a591edd3b024a652 qemu-xen-time64.patch
e72ae17cb80c78412996845b996e442cdc21ee4b840c8b7ebacca101619b3d47104bf6b6330520aecf0d7ccf2699826b4f2a649c729b21d5ac81b37f7fc505fc gcc10-etherboot-enum.patch
-77811232c5cf199d24fb8e4a5367a56d56e61ad218397913fa22bd89d0dffabe92acfded246aa731d450f80dcffee84268b27e73e60f19eec15d0ada988a0574 xsa386.patch
-5e8165695a7e5a7fdc332de0d4ee31626eb72c8765f12855543592cb86f0eb4f98ea49cae31c8fc356a0645f6a2fe05ddf2b38f9f2bb04196bb4b9efc204dc26 xsa388-4.14-1.patch
-9e7b5f66480d3c0898cc080d0506dddbe35a814ccd72619abb82e8241b8cddc726e7bb38ce818335451b56ba549ed9ea1743f46fb9f0fd81ac1310ec6e94fea4 xsa388-4.14-2.patch
-a3196bac727ed19185cf61f6e0c5a43400556f42239055cdb03f2689a82647110ab77d06f059185c7ab12ccedd520d2951f258ca61a6ed06507343356571abb4 xsa389-4.14.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
diff --git a/main/xen/hotplug-vif-vtrill.patch b/main/xen/hotplug-vif-vtrill.patch
index 6f9d894250..7384d697d7 100644
--- a/main/xen/hotplug-vif-vtrill.patch
+++ b/main/xen/hotplug-vif-vtrill.patch
@@ -1,16 +1,16 @@
---- xen-4.3.0/tools/hotplug/Linux/Makefile
-+++ xen-4.3.0.mod/tools/hotplug/Linux/Makefile
-@@ -14,6 +14,7 @@
- XEN_SCRIPTS += network-route vif-route
- XEN_SCRIPTS += network-nat vif-nat
+--- a/tools/hotplug/Linux/Makefile
++++ b/tools/hotplug/Linux/Makefile
+@@ -6,6 +6,7 @@ XEN_SCRIPTS = vif-bridge
+ XEN_SCRIPTS += vif-route
+ XEN_SCRIPTS += vif-nat
XEN_SCRIPTS += vif-openvswitch
+XEN_SCRIPTS += vif-vtrill
XEN_SCRIPTS += vif2
XEN_SCRIPTS += vif-setup
- XEN_SCRIPTS += block
---- xen-4.3.0/tools/hotplug/Linux/vif-common.sh
-+++ xen-4.3.0.mod/tools/hotplug/Linux/vif-common.sh
-@@ -213,3 +213,31 @@
+ XEN_SCRIPTS-$(CONFIG_LIBNL) += remus-netbuf-setup
+--- a/tools/hotplug/Linux/vif-common.sh
++++ b/tools/hotplug/Linux/vif-common.sh
+@@ -244,3 +244,31 @@ dom0_ip()
fi
echo "$result"
}
diff --git a/main/xen/qemu-xen_paths.patch b/main/xen/qemu-xen_paths.patch
index e558d1f37f..ff0ee04f6f 100644
--- a/main/xen/qemu-xen_paths.patch
+++ b/main/xen/qemu-xen_paths.patch
@@ -1,7 +1,7 @@
---- ./tools/Makefile.orig
-+++ ./tools/Makefile
-@@ -219,6 +219,8 @@
- -L$(XEN_ROOT)/tools/xenstore \
+--- a/tools/Makefile
++++ b/tools/Makefile
+@@ -275,6 +275,8 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-fi
+ -Wl,-rpath-link=$(XEN_ROOT)/tools/libs/devicemodel \
$(QEMU_UPSTREAM_RPATH)" \
--bindir=$(LIBEXEC_BIN) \
+ --libexecdir=$(LIBEXEC_BIN) \
diff --git a/main/xen/stubdom-hack.patch b/main/xen/stubdom-hack.patch
index 2e7ddc8926..74006bfdd8 100644
--- a/main/xen/stubdom-hack.patch
+++ b/main/xen/stubdom-hack.patch
@@ -1,6 +1,6 @@
---- xen-4.15.0.orig/stubdom/Makefile
-+++ xen-4.15.0/stubdom/Makefile
-@@ -186,7 +186,7 @@
+--- a/stubdom/Makefile
++++ b/stubdom/Makefile
+@@ -179,7 +179,7 @@ gmp-$(XEN_TARGET_ARCH): gmp-$(GMP_VERSIO
rm $@ -rf || :
mv gmp-$(GMP_VERSION) $@
#patch -d $@ -p0 < gmp.patch
diff --git a/main/xen/xenqemu-xattr-size-max.patch b/main/xen/xenqemu-xattr-size-max.patch
index b0c02cbdad..4a48ca0ce7 100644
--- a/main/xen/xenqemu-xattr-size-max.patch
+++ b/main/xen/xenqemu-xattr-size-max.patch
@@ -1,8 +1,8 @@
---- xen-4.9.0/tools/qemu-xen/hw/9pfs/9p.c.orig
-+++ xen-4.9.0/tools/qemu-xen/hw/9pfs/9p.c
-@@ -25,6 +25,10 @@
- #include "trace.h"
- #include "migration/migration.h"
+--- a/tools/qemu-xen/hw/9pfs/9p.c
++++ b/tools/qemu-xen/hw/9pfs/9p.c
+@@ -30,6 +30,10 @@
+ #include <math.h>
+ #include <linux/limits.h>
+#ifdef __linux__
+#include <linux/limits.h> /* for XATTR_SIZE_MAX */
diff --git a/main/xen/xsa386.patch b/main/xen/xsa386.patch
deleted file mode 100644
index 83f24d30d5..0000000000
--- a/main/xen/xsa386.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: VT-d: fix deassign of device with RMRR
-Date: Fri, 1 Oct 2021 15:05:42 +0200
-
-Ignoring a specific error code here was not meant to short circuit
-deassign to _just_ the unmapping of RMRRs. This bug was previously
-hidden by the bogus (potentially indefinite) looping in
-pci_release_devices(), until f591755823a7 ("IOMMU/PCI: don't let domain
-cleanup continue when device de-assignment failed") fixed that loop.
-
-This is CVE-2021-28702 / XSA-386.
-
-Fixes: 8b99f4400b69 ("VT-d: fix RMRR related error handling")
-Reported-by: Ivan Kardykov <kardykov@tabit.pro>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Tested-by: Ivan Kardykov <kardykov@tabit.pro>
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -2409,7 +2409,7 @@ static int reassign_device_ownership(
- ret = iommu_identity_mapping(source, p2m_access_x,
- rmrr->base_address,
- rmrr->end_address, 0);
-- if ( ret != -ENOENT )
-+ if ( ret && ret != -ENOENT )
- return ret;
- }
- }
-
diff --git a/main/xen/xsa388-4.14-1.patch b/main/xen/xsa388-4.14-1.patch
deleted file mode 100644
index f76f2d56b6..0000000000
--- a/main/xen/xsa388-4.14-1.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/PoD: deal with misaligned GFNs
-
-Users of XENMEM_decrease_reservation and XENMEM_populate_physmap aren't
-required to pass in order-aligned GFN values. (While I consider this
-bogus, I don't think we can fix this there, as that might break existing
-code, e.g Linux'es swiotlb, which - while affecting PV only - until
-recently had been enforcing only page alignment on the original
-allocation.) Only non-PoD code paths (guest_physmap_{add,remove}_page(),
-p2m_set_entry()) look to be dealing with this properly (in part by being
-implemented inefficiently, handling every 4k page separately).
-
-Introduce wrappers taking care of splitting the incoming request into
-aligned chunks, without putting much effort in trying to determine the
-largest possible chunk at every iteration.
-
-Also "handle" p2m_set_entry() failure for non-order-0 requests by
-crashing the domain in one more place. Alongside putting a log message
-there, also add one to the other similar path.
-
-Note regarding locking: This is left in the actual worker functions on
-the assumption that callers aren't guaranteed atomicity wrt acting on
-multiple pages at a time. For mis-aligned GFNs gfn_lock() wouldn't have
-locked the correct GFN range anyway, if it didn't simply resolve to
-p2m_lock(), and for well-behaved callers there continues to be only a
-single iteration, i.e. behavior is unchanged for them. (FTAOD pulling
-out just pod_lock() into p2m_pod_decrease_reservation() would result in
-a lock order violation.)
-
-This is CVE-2021-28704 and CVE-2021-28707 / part of XSA-388.
-
-Fixes: 3c352011c0d3 ("x86/PoD: shorten certain operations on higher order ranges")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-
---- a/xen/arch/x86/mm/p2m-pod.c
-+++ b/xen/arch/x86/mm/p2m-pod.c
-@@ -495,7 +495,7 @@ p2m_pod_zero_check_superpage(struct p2m_
-
-
- /*
-- * This function is needed for two reasons:
-+ * This pair of functions is needed for two reasons:
- * + To properly handle clearing of PoD entries
- * + To "steal back" memory being freed for the PoD cache, rather than
- * releasing it.
-@@ -503,8 +503,8 @@ p2m_pod_zero_check_superpage(struct p2m_
- * Once both of these functions have been completed, we can return and
- * allow decrease_reservation() to handle everything else.
- */
--unsigned long
--p2m_pod_decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order)
-+static unsigned long
-+decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order)
- {
- unsigned long ret = 0, i, n;
- struct p2m_domain *p2m = p2m_get_hostp2m(d);
-@@ -551,8 +551,10 @@ p2m_pod_decrease_reservation(struct doma
- * All PoD: Mark the whole region invalid and tell caller
- * we're done.
- */
-- if ( p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_invalid,
-- p2m->default_access) )
-+ int rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_invalid,
-+ p2m->default_access);
-+
-+ if ( rc )
- {
- /*
- * If this fails, we can't tell how much of the range was changed.
-@@ -560,7 +562,12 @@ p2m_pod_decrease_reservation(struct doma
- * impossible.
- */
- if ( order != 0 )
-+ {
-+ printk(XENLOG_G_ERR
-+ "%pd: marking GFN %#lx (order %u) as non-PoD failed: %d\n",
-+ d, gfn_x(gfn), order, rc);
- domain_crash(d);
-+ }
- goto out_unlock;
- }
- ret = 1UL << order;
-@@ -667,6 +674,22 @@ out_unlock:
- return ret;
- }
-
-+unsigned long
-+p2m_pod_decrease_reservation(struct domain *d, gfn_t gfn, unsigned int order)
-+{
-+ unsigned long left = 1UL << order, ret = 0;
-+ unsigned int chunk_order = find_first_set_bit(gfn_x(gfn) | left);
-+
-+ do {
-+ ret += decrease_reservation(d, gfn, chunk_order);
-+
-+ left -= 1UL << chunk_order;
-+ gfn = gfn_add(gfn, 1UL << chunk_order);
-+ } while ( left );
-+
-+ return ret;
-+}
-+
- void p2m_pod_dump_data(struct domain *d)
- {
- struct p2m_domain *p2m = p2m_get_hostp2m(d);
-@@ -1266,19 +1289,15 @@ remap_and_retry:
- return true;
- }
-
--
--int
--guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn_l,
-- unsigned int order)
-+static int
-+mark_populate_on_demand(struct domain *d, unsigned long gfn_l,
-+ unsigned int order)
- {
- struct p2m_domain *p2m = p2m_get_hostp2m(d);
- gfn_t gfn = _gfn(gfn_l);
- unsigned long i, n, pod_count = 0;
- int rc = 0;
-
-- if ( !paging_mode_translate(d) )
-- return -EINVAL;
--
- gfn_lock(p2m, gfn, order);
-
- P2M_DEBUG("mark pod gfn=%#lx\n", gfn_l);
-@@ -1316,12 +1335,44 @@ guest_physmap_mark_populate_on_demand(st
- BUG_ON(p2m->pod.entry_count < 0);
- pod_unlock(p2m);
- }
-+ else if ( order )
-+ {
-+ /*
-+ * If this failed, we can't tell how much of the range was changed.
-+ * Best to crash the domain.
-+ */
-+ printk(XENLOG_G_ERR
-+ "%pd: marking GFN %#lx (order %u) as PoD failed: %d\n",
-+ d, gfn_l, order, rc);
-+ domain_crash(d);
-+ }
-
- out:
- gfn_unlock(p2m, gfn, order);
-
- return rc;
- }
-+
-+int
-+guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn,
-+ unsigned int order)
-+{
-+ unsigned long left = 1UL << order;
-+ unsigned int chunk_order = find_first_set_bit(gfn | left);
-+ int rc;
-+
-+ if ( !paging_mode_translate(d) )
-+ return -EINVAL;
-+
-+ do {
-+ rc = mark_populate_on_demand(d, gfn, chunk_order);
-+
-+ left -= 1UL << chunk_order;
-+ gfn += 1UL << chunk_order;
-+ } while ( !rc && left );
-+
-+ return rc;
-+}
-
- void p2m_pod_init(struct p2m_domain *p2m)
- {
diff --git a/main/xen/xsa388-4.14-2.patch b/main/xen/xsa388-4.14-2.patch
deleted file mode 100644
index 2f8cc881f0..0000000000
--- a/main/xen/xsa388-4.14-2.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/PoD: handle intermediate page orders in p2m_pod_cache_add()
-
-p2m_pod_decrease_reservation() may pass pages to the function which
-aren't 4k, 2M, or 1G. Handle all intermediate orders as well, to avoid
-hitting the BUG() at the switch() statement's "default" case.
-
-This is CVE-2021-28708 / part of XSA-388.
-
-Fixes: 3c352011c0d3 ("x86/PoD: shorten certain operations on higher order ranges")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-
---- a/xen/arch/x86/mm/p2m-pod.c
-+++ b/xen/arch/x86/mm/p2m-pod.c
-@@ -111,15 +111,13 @@ p2m_pod_cache_add(struct p2m_domain *p2m
- /* Then add to the appropriate populate-on-demand list. */
- switch ( order )
- {
-- case PAGE_ORDER_1G:
-- for ( i = 0; i < (1UL << PAGE_ORDER_1G); i += 1UL << PAGE_ORDER_2M )
-+ case PAGE_ORDER_2M ... PAGE_ORDER_1G:
-+ for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_2M )
- page_list_add_tail(page + i, &p2m->pod.super);
- break;
-- case PAGE_ORDER_2M:
-- page_list_add_tail(page, &p2m->pod.super);
-- break;
-- case PAGE_ORDER_4K:
-- page_list_add_tail(page, &p2m->pod.single);
-+ case PAGE_ORDER_4K ... PAGE_ORDER_2M - 1:
-+ for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_4K )
-+ page_list_add_tail(page + i, &p2m->pod.single);
- break;
- default:
- BUG();
diff --git a/main/xen/xsa389-4.14.patch b/main/xen/xsa389-4.14.patch
deleted file mode 100644
index 1d893f123f..0000000000
--- a/main/xen/xsa389-4.14.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/P2M: deal with partial success of p2m_set_entry()
-
-M2P and PoD stats need to remain in sync with P2M; if an update succeeds
-only partially, respective adjustments need to be made. If updates get
-made before the call, they may also need undoing upon complete failure
-(i.e. including the single-page case).
-
-Log-dirty state would better also be kept in sync.
-
-Note that the change to set_typed_p2m_entry() may not be strictly
-necessary (due to the order restriction enforced near the top of the
-function), but is being kept here to be on the safe side.
-
-This is CVE-2021-28705 and CVE-2021-28709 / XSA-389.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -780,6 +780,7 @@ p2m_remove_page(struct p2m_domain *p2m,
- unsigned long i;
- p2m_type_t t;
- p2m_access_t a;
-+ int rc;
-
- /* IOMMU for PV guests is handled in get_page_type() and put_page(). */
- if ( !paging_mode_translate(p2m->domain) )
-@@ -813,8 +814,27 @@ p2m_remove_page(struct p2m_domain *p2m,
- }
- }
-
-- return p2m_set_entry(p2m, gfn, INVALID_MFN, page_order, p2m_invalid,
-- p2m->default_access);
-+ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, page_order, p2m_invalid,
-+ p2m->default_access);
-+ if ( likely(!rc) || !mfn_valid(mfn) )
-+ return rc;
-+
-+ /*
-+ * The operation may have partially succeeded. For the failed part we need
-+ * to undo the M2P update and, out of precaution, mark the pages dirty
-+ * again.
-+ */
-+ for ( i = 0; i < (1UL << page_order); ++i )
-+ {
-+ p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0, NULL, NULL);
-+ if ( !p2m_is_hole(t) && !p2m_is_special(t) && !p2m_is_shared(t) )
-+ {
-+ set_gpfn_from_mfn(mfn_x(mfn) + i, gfn_x(gfn) + i);
-+ paging_mark_pfn_dirty(p2m->domain, _pfn(gfn_x(gfn) + i));
-+ }
-+ }
-+
-+ return rc;
- }
-
- int
-@@ -1003,13 +1023,8 @@ guest_physmap_add_entry(struct domain *d
-
- /* Now, actually do the two-way mapping */
- rc = p2m_set_entry(p2m, gfn, mfn, page_order, t, p2m->default_access);
-- if ( rc == 0 )
-+ if ( likely(!rc) )
- {
-- pod_lock(p2m);
-- p2m->pod.entry_count -= pod_count;
-- BUG_ON(p2m->pod.entry_count < 0);
-- pod_unlock(p2m);
--
- if ( !p2m_is_grant(t) )
- {
- for ( i = 0; i < (1UL << page_order); i++ )
-@@ -1017,6 +1032,42 @@ guest_physmap_add_entry(struct domain *d
- gfn_x(gfn_add(gfn, i)));
- }
- }
-+ else
-+ {
-+ /*
-+ * The operation may have partially succeeded. For the successful part
-+ * we need to update M2P and dirty state, while for the failed part we
-+ * may need to adjust PoD stats as well as undo the earlier M2P update.
-+ */
-+ for ( i = 0; i < (1UL << page_order); ++i )
-+ {
-+ omfn = p2m->get_entry(p2m, gfn_add(gfn, i), &ot, &a, 0, NULL, NULL);
-+ if ( p2m_is_pod(ot) )
-+ {
-+ BUG_ON(!pod_count);
-+ --pod_count;
-+ }
-+ else if ( mfn_eq(omfn, mfn_add(mfn, i)) && ot == t &&
-+ a == p2m->default_access && !p2m_is_grant(t) )
-+ {
-+ set_gpfn_from_mfn(mfn_x(omfn), gfn_x(gfn) + i);
-+ paging_mark_pfn_dirty(d, _pfn(gfn_x(gfn) + i));
-+ }
-+ else if ( p2m_is_ram(ot) && !p2m_is_paged(ot) )
-+ {
-+ ASSERT(mfn_valid(omfn));
-+ set_gpfn_from_mfn(mfn_x(omfn), gfn_x(gfn) + i);
-+ }
-+ }
-+ }
-+
-+ if ( pod_count )
-+ {
-+ pod_lock(p2m);
-+ p2m->pod.entry_count -= pod_count;
-+ BUG_ON(p2m->pod.entry_count < 0);
-+ pod_unlock(p2m);
-+ }
-
- out:
- p2m_unlock(p2m);
-@@ -1308,6 +1359,49 @@ static int set_typed_p2m_entry(struct do
- return 0;
- }
- }
-+
-+ P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn));
-+ rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access);
-+ if ( unlikely(rc) )
-+ {
-+ gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n",
-+ gfn_l, order, rc, mfn_x(mfn));
-+
-+ /*
-+ * The operation may have partially succeeded. For the successful part
-+ * we need to update PoD stats, M2P, and dirty state.
-+ */
-+ if ( order != PAGE_ORDER_4K )
-+ {
-+ unsigned long i;
-+
-+ for ( i = 0; i < (1UL << order); ++i )
-+ {
-+ p2m_type_t t;
-+ mfn_t cmfn = p2m->get_entry(p2m, gfn_add(gfn, i), &t, &a, 0,
-+ NULL, NULL);
-+
-+ if ( !mfn_eq(cmfn, mfn_add(mfn, i)) || t != gfn_p2mt ||
-+ a != access )
-+ continue;
-+
-+ if ( p2m_is_ram(ot) )
-+ {
-+ ASSERT(mfn_valid(mfn_add(omfn, i)));
-+ set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY);
-+ }
-+#ifdef CONFIG_HVM
-+ else if ( p2m_is_pod(ot) )
-+ {
-+ pod_lock(p2m);
-+ BUG_ON(!p2m->pod.entry_count);
-+ --p2m->pod.entry_count;
-+ pod_unlock(p2m);
-+ }
-+#endif
-+ }
-+ }
-+ }
- else if ( p2m_is_ram(ot) )
- {
- unsigned long i;
-@@ -1318,12 +1412,6 @@ static int set_typed_p2m_entry(struct do
- set_gpfn_from_mfn(mfn_x(omfn) + i, INVALID_M2P_ENTRY);
- }
- }
--
-- P2M_DEBUG("set %d %lx %lx\n", gfn_p2mt, gfn_l, mfn_x(mfn));
-- rc = p2m_set_entry(p2m, gfn, mfn, order, gfn_p2mt, access);
-- if ( rc )
-- gdprintk(XENLOG_ERR, "p2m_set_entry: %#lx:%u -> %d (0x%"PRI_mfn")\n",
-- gfn_l, order, rc, mfn_x(mfn));
- #ifdef CONFIG_HVM
- else if ( p2m_is_pod(ot) )
- {
diff --git a/main/xtables-addons-lts/APKBUILD b/main/xtables-addons-lts/APKBUILD
index 46288f95dc..3fc429e38b 100644
--- a/main/xtables-addons-lts/APKBUILD
+++ b/main/xtables-addons-lts/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.78
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/xz/APKBUILD b/main/xz/APKBUILD
index a8022f590e..1e4bd3c428 100644
--- a/main/xz/APKBUILD
+++ b/main/xz/APKBUILD
@@ -2,13 +2,18 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xz
pkgver=5.2.5
-pkgrel=0
+pkgrel=1
pkgdesc="Library and CLI tools for XZ and LZMA compressed files"
url="https://tukaani.org/xz"
arch="all"
license="GPL-2.0-or-later AND Public-Domain AND LGPL-2.1-or-later"
subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
-source="https://tukaani.org/xz/xz-$pkgver.tar.xz"
+source="https://tukaani.org/xz/xz-$pkgver.tar.xz
+ xzgrep-ZDI-CAN-16587.patch"
+
+# secfixes:
+# 5.2.5-r1:
+# - CVE-2022-1271
build() {
./configure \
@@ -38,4 +43,7 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb xz-5.2.5.tar.xz"
+sha512sums="
+59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb xz-5.2.5.tar.xz
+52b16268e333399444f433a11ccf3a9b020a6914ed23fc8e082128fec596011d7c6863d47414d4c0f245d20ebed4b3a50b422599b4b88d66f6c6eb2e74b9a939 xzgrep-ZDI-CAN-16587.patch
+"
diff --git a/main/xz/xzgrep-ZDI-CAN-16587.patch b/main/xz/xzgrep-ZDI-CAN-16587.patch
new file mode 100644
index 0000000000..406ded5903
--- /dev/null
+++ b/main/xz/xzgrep-ZDI-CAN-16587.patch
@@ -0,0 +1,94 @@
+From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+ info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index b180936..e5186ba 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+ { test $# -eq 1 || test $no_filename -eq 1; }; then
+ eval "$grep"
+ else
++ # Append a colon so that the last character will never be a newline
++ # which would otherwise get lost in shell command substitution.
++ i="$i:"
++
++ # Escape & \ | and newlines only if such characters are present
++ # (speed optimization).
+ case $i in
+ (*'
+ '* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
+- ');;
++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+ esac
+- sed_script="s|^|$i:|"
++
++ # $i already ends with a colon so don't add it here.
++ sed_script="s|^|$i|"
+
+ # Fail if grep or sed fails.
+ r=$(
+ exec 4>&1
+- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++ LC_ALL=C sed "$sed_script" >&3 4>&-
+ ) || r=2
+ exit $r
+ fi >&3 5>&-
+--
+2.35.1
+
diff --git a/main/zfs-lts/APKBUILD b/main/zfs-lts/APKBUILD
index 5a8f9119aa..17c1d32fdb 100644
--- a/main/zfs-lts/APKBUILD
+++ b/main/zfs-lts/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-lts}
_kpkg=linux-$_flavor
-_kver=5.10.78
+_kver=5.10.109
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/zlib/APKBUILD b/main/zlib/APKBUILD
index e9f33ee647..989c41687b 100644
--- a/main/zlib/APKBUILD
+++ b/main/zlib/APKBUILD
@@ -1,13 +1,20 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zlib
-pkgver=1.2.11
-pkgrel=3
+pkgver=1.2.12
+pkgrel=1
pkgdesc="A compression/decompression Library"
arch="all"
license="Zlib"
url="https://zlib.net/"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
-source="https://zlib.net/zlib-$pkgver.tar.gz"
+source="https://zlib.net/zlib-$pkgver.tar.gz
+ Fix-CC-logic-in-configure.patch
+ configure-Pass-LDFLAGS-to-link-tests.patch
+ crc32.patch
+ "
+# secfixes:
+# 1.2.12-r0:
+# - CVE-2018-25032
build() {
# we trade size for a little more speed.
@@ -29,4 +36,9 @@ package() {
DESTDIR="$pkgdir"
}
-sha512sums="73fd3fff4adeccd4894084c15ddac89890cd10ef105dd5e1835e1e9bbb6a49ff229713bd197d203edfa17c2727700fce65a2a235f07568212d820dca88b528ae zlib-1.2.11.tar.gz"
+sha512sums="
+cc2366fa45d5dfee1f983c8c51515e0cff959b61471e2e8d24350dea22d3f6fcc50723615a911b046ffc95f51ba337d39ae402131a55e6d1541d3b095d6c0a14 zlib-1.2.12.tar.gz
+faa19991e88cbfd624ac9ce4a0ba12e3d7d54f88680b1a0a156a542a45bafe2053d69c6f309327817f7cc74f5765204bbb3c56ff531efd29d8fd6bb682c78598 Fix-CC-logic-in-configure.patch
+76179eb7e498aef5bc88c3f826c6f2506a2d3c3a2e2560ef1825bd4a9297d68b0d2390619a4b3b0b2e6dde765431e5fba18fd15fbd1ad99827244f8f9bdbd909 configure-Pass-LDFLAGS-to-link-tests.patch
+38f0593a0bc17336d31191b7af684e31ec2eb34bd3add49bcb1f95c5e2bfb4405ffc341c2650d52c4fbf417ab4f80a0cc82fb868c9816b04d25210ae29a71f2c crc32.patch
+"
diff --git a/main/zlib/Fix-CC-logic-in-configure.patch b/main/zlib/Fix-CC-logic-in-configure.patch
new file mode 100644
index 0000000000..f34c40445d
--- /dev/null
+++ b/main/zlib/Fix-CC-logic-in-configure.patch
@@ -0,0 +1,43 @@
+From 80d086357a55b94a13e43756cf3e131f25eef0e4 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Mon, 28 Mar 2022 08:40:45 +0100
+Subject: [PATCH] Fix CC logic in configure
+
+In https://github.com/madler/zlib/commit/e9a52aa129efe3834383e415580716a7c4027f8d,
+the logic was changed to try check harder for GCC, but it dropped
+the default setting of cc=${CC}. It was throwing away any pre-set CC value as
+a result.
+
+The rest of the script then cascades down a bad path because it's convinced
+it's not GCC or a GCC-like compiler.
+
+This led to e.g. misdetection of inability to build shared libs
+for say, multilib cases (w/ CC being one thing from the environment being used
+for one test (e.g. x86_64-unknown-linux-gnu-gcc -m32 and then 'cc' used for
+shared libs (but missing "-m32"!)). Obviously just one example of how
+the old logic could break.
+
+This restores the old default of 'CC' if nothing overrides it later
+in configure.
+
+Bug: https://bugs.gentoo.org/836308
+Signed-off-by: Sam James <sam@gentoo.org>
+---
+ configure | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure b/configure
+index 52ff4a04e..3fa3e8618 100755
+--- a/configure
++++ b/configure
+@@ -174,7 +174,10 @@ if test -z "$CC"; then
+ else
+ cc=${CROSS_PREFIX}cc
+ fi
++else
++ cc=${CC}
+ fi
++
+ cflags=${CFLAGS-"-O3"}
+ # to force the asm version use: CFLAGS="-O3 -DASMV" ./configure
+ case "$cc" in
diff --git a/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch b/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch
new file mode 100644
index 0000000000..3689dd88d6
--- /dev/null
+++ b/main/zlib/configure-Pass-LDFLAGS-to-link-tests.patch
@@ -0,0 +1,74 @@
+From 37c9730ba474d274f4cc6a974943eef95087b9f6 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 8 Mar 2022 22:38:47 -0800
+Subject: [PATCH] configure: Pass LDFLAGS to link tests
+
+LDFLAGS can contain critical flags without which linking wont succeed
+therefore ensure that all configure tests involving link time checks are
+using LDFLAGS on compiler commandline along with CFLAGS to ensure the
+tests perform correctly. Without this some tests may fail resulting in
+wrong confgure result, ending in miscompiling the package
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/configure b/configure
+index e974d1fd7..69dfa3f69 100755
+--- a/configure
++++ b/configure
+@@ -410,7 +410,7 @@ if test $shared -eq 1; then
+ echo Checking for shared library support... | tee -a configure.log
+ # we must test in two steps (cc then ld), required at least on SunOS 4.x
+ if try $CC -w -c $SFLAGS $test.c &&
+- try $LDSHARED $SFLAGS -o $test$shared_ext $test.o; then
++ try $LDSHARED $SFLAGS $LDFLAGS -o $test$shared_ext $test.o; then
+ echo Building shared library $SHAREDLIBV with $CC. | tee -a configure.log
+ elif test -z "$old_cc" -a -z "$old_cflags"; then
+ echo No shared library support. | tee -a configure.log
+@@ -492,7 +492,7 @@ int main(void) {
+ }
+ EOF
+ fi
+- if try $CC $CFLAGS -o $test $test.c; then
++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ sizet=`./$test`
+ echo "Checking for a pointer-size integer type..." $sizet"." | tee -a configure.log
+ else
+@@ -530,7 +530,7 @@ int main(void) {
+ return 0;
+ }
+ EOF
+- if try $CC $CFLAGS -o $test $test.c; then
++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ echo "Checking for fseeko... Yes." | tee -a configure.log
+ else
+ CFLAGS="${CFLAGS} -DNO_FSEEKO"
+@@ -547,7 +547,7 @@ cat > $test.c <<EOF
+ #include <errno.h>
+ int main() { return strlen(strerror(errno)); }
+ EOF
+-if try $CC $CFLAGS -o $test $test.c; then
++if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ echo "Checking for strerror... Yes." | tee -a configure.log
+ else
+ CFLAGS="${CFLAGS} -DNO_STRERROR"
+@@ -654,7 +654,7 @@ int main()
+ return (mytest("Hello%d\n", 1));
+ }
+ EOF
+- if try $CC $CFLAGS -o $test $test.c; then
++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ echo "Checking for vsnprintf() in stdio.h... Yes." | tee -a configure.log
+
+ echo >> configure.log
+@@ -744,7 +744,7 @@ int main()
+ }
+ EOF
+
+- if try $CC $CFLAGS -o $test $test.c; then
++ if try $CC $CFLAGS $LDFLAGS -o $test $test.c; then
+ echo "Checking for snprintf() in stdio.h... Yes." | tee -a configure.log
+
+ echo >> configure.log
diff --git a/main/zlib/crc32.patch b/main/zlib/crc32.patch
new file mode 100644
index 0000000000..85a6a7e3ab
--- /dev/null
+++ b/main/zlib/crc32.patch
@@ -0,0 +1,51 @@
+From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 30 Mar 2022 11:14:53 -0700
+Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
+
+The previous releases of zlib were not sensitive to incorrect CRC
+inputs with bits set above the low 32. This commit restores that
+behavior, so that applications with such bugs will continue to
+operate as before.
+---
+ crc32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index a1bdce5c2..451887bc7 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+ #endif /* DYNAMIC_CRC_TABLE */
+
+ /* Pre-condition the CRC */
+- crc ^= 0xffffffff;
++ crc = (~crc) & 0xffffffff;
+
+ /* Compute the CRC up to a word boundary. */
+ while (len && ((z_size_t)buf & 7) != 0) {
+@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+ #endif /* DYNAMIC_CRC_TABLE */
+
+ /* Pre-condition the CRC */
+- crc ^= 0xffffffff;
++ crc = (~crc) & 0xffffffff;
+
+ #ifdef W
+
+@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
+ #ifdef DYNAMIC_CRC_TABLE
+ once(&made, make_crc_table);
+ #endif /* DYNAMIC_CRC_TABLE */
+- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
+ }
+
+ /* ========================================================================= */
+@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
+ uLong crc2;
+ uLong op;
+ {
+- return multmodp(op, crc1) ^ crc2;
++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
+ }
diff --git a/main/zsh/APKBUILD b/main/zsh/APKBUILD
index 9986a1ced0..0b2bc50633 100644
--- a/main/zsh/APKBUILD
+++ b/main/zsh/APKBUILD
@@ -3,6 +3,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 5.8.1-r0:
+# - CVE-2021-45444
# 5.8-r0:
# - CVE-2019-20044
# 5.4.2-r1:
@@ -10,8 +12,8 @@
# - CVE-2018-1071
#
pkgname=zsh
-pkgver=5.8
-pkgrel=1
+pkgver=5.8.1
+pkgrel=0
pkgdesc="Very advanced and programmable command interpreter (shell)"
url="https://www.zsh.org/"
arch="all"
@@ -102,6 +104,12 @@ build() {
check() {
cd "$builddir"
+ if [ "$CARCH" = "x86" ] || [ "$CARCH" = "ppc64le" ]; then
+ # fail on x86/ppc64le builders
+ rm Test/B03print.ztst
+ rm Test/A03quoting.ztst
+ fi
+
make test
}
@@ -165,5 +173,7 @@ _submv() {
mv "$pkgdir"/$path "$subpkgdir"/${path%/*}/
}
-sha512sums="96198ecef498b7d7945fecebbe6bf14065fa8c5d81a7662164579eba8206b79575812d292adea1864bc7487ac0818ba900e25f9ab3802449340de80417c2c533 zsh-5.8.tar.xz
-1067ad916d8921fe8880e040453782dcaafb6c05566f72b806e71aef2c2a53f25b6039cf8133196dd52cf7e23b172452ef3f77188bab8c8b1a50c1ea6ffa176a zprofile"
+sha512sums="
+f54a5a47ed15d134902613f6169c985680afc45a67538505e11b66b348fcb367145e9b8ae2d9eac185e07ef5f97254b85df01ba97294002a8c036fd02ed5e76d zsh-5.8.1.tar.xz
+1067ad916d8921fe8880e040453782dcaafb6c05566f72b806e71aef2c2a53f25b6039cf8133196dd52cf7e23b172452ef3f77188bab8c8b1a50c1ea6ffa176a zprofile
+"