190 files changed, 10209 insertions, 1061 deletions
diff --git a/community/firefox-esr/APKBUILD b/community/firefox-esr/APKBUILD index f0b39db09cc..7bcde52443f 100644 --- a/community/firefox-esr/APKBUILD +++ b/community/firefox-esr/APKBUILD @@ -97,7 +97,6 @@ ldpath="$_mozappdir" # - CVE-2018-5117 # 52.5.2-r0: # - CVE-2017-7843 -# - CVE-2017-7843 prepare() { local i diff --git a/community/imagemagick6/APKBUILD b/community/imagemagick6/APKBUILD index 43323633971..77657d81d3f 100644 --- a/community/imagemagick6/APKBUILD +++ b/community/imagemagick6/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Jakub Jirutka <jakub@jirutka.cz> pkgname=imagemagick6 -_pkgname=ImageMagick -pkgver=6.9.10.39 +_pkgname=ImageMagick6 +pkgver=6.9.10.68 _pkgver=${pkgver%.*}-${pkgver##*.} _abiver=${pkgname#imagemagick} pkgrel=0 @@ -18,10 +18,40 @@ makedepends="fontconfig-dev freetype-dev ghostscript-dev lcms2-dev zlib-dev" checkdepends="freetype fontconfig ghostscript ghostscript-fonts lcms2 graphviz" subpackages="$pkgname-doc $pkgname-dev $pkgname-c++:_cxx $pkgname-libs" -source="http://www.imagemagick.org/download/releases/$_pkgname-$_pkgver.tar.xz" +source="https://github.com/ImageMagick/ImageMagick6/archive/$_pkgver/$_pkgname-$_pkgver.tar.gz" builddir="$srcdir/$_pkgname-$_pkgver" # secfixes: +# 6.9.10.55-r0: +# - CVE-2019-13454 +# 6.9.10.53-r0: +# - CVE-2019-13391 +# - CVE-2019-13311 +# - CVE-2019-13310 +# - CVE-2019-13309 +# - CVE-2019-13308 +# - CVE-2019-13307 +# - CVE-2019-13306 +# - CVE-2019-13305 +# - CVE-2019-13304 +# - CVE-2019-13303 +# - CVE-2019-13302 +# - CVE-2019-13301 +# - CVE-2019-13300 +# - CVE-2019-13299 +# - CVE-2019-13298 +# - CVE-2019-13297 +# - CVE-2019-13296 +# - CVE-2019-13295 +# - CVE-2019-13137 +# - CVE-2019-13136 +# - CVE-2019-13135 +# - CVE-2019-13134 +# - CVE-2019-13133 +# 6.9.10.44-r0: +# - CVE-2019-11598 +# - CVE-2019-11597 +# - CVE-2019-11472 # 6.9.10.39-r0: # - CVE-2019-10649 # - CVE-2019-10650 
@@ -161,4 +191,4 @@ _cxx() { mv "$pkgdir"/usr/lib/libMagick++*.so.* "$subpkgdir"/usr/lib/ } -sha512sums="82a0aa990ce3a146e02b02a9674340209bf58ce8edd694b8884509423f3503925b085496e7f299ea4a66c177420dde3e347ac4ea21dd9611ede892faf2425e34 ImageMagick-6.9.10-39.tar.xz" +sha512sums="867b6b7b88fafc6afbe65a0ef6f812a5a7eb0a0f24b8635dce6f923fc52954b3c96d925dffebb7e3cfc43dfa411c1aa3c03dc4393c40f25daa17e45689685647 ImageMagick6-6.9.10-68.tar.gz" diff --git a/community/openjdk8/APKBUILD b/community/openjdk8/APKBUILD index 86c8cd388e8..9e3f8de37b7 100644 --- a/community/openjdk8/APKBUILD +++ b/community/openjdk8/APKBUILD @@ -2,10 +2,10 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # Maintainer: Timo Teras <timo.teras@iki.fi> pkgname=openjdk8 -_icedteaver=3.12.0 +_icedteaver=3.17.1 # pkgver is <JDK version>.<JDK update>.<JDK build> # Check https://icedtea.classpath.org/wiki/Main_Page when updating! -pkgver=8.212.04 +pkgver=8.275.01 pkgrel=0 pkgdesc="OpenJDK 8 provided by IcedTea" url="https://icedtea.classpath.org/" 
@@ -13,14 +13,47 @@ arch="all" license="custom" depends="$pkgname-jre java-cacerts nss" options="sover-namecheck" -makedepends="bash findutils tar zip file paxmark gawk util-linux libxslt - autoconf automake linux-headers sed xz coreutils - openjdk7 ca-certificates - nss-dev nss-static cups-dev jpeg-dev giflib-dev libpng-dev libxt-dev - lcms2-dev libxp-dev libxtst-dev libxinerama-dev zlib-dev - libxrender-dev alsa-lib-dev freetype-dev fontconfig-dev - gtk+2.0-dev krb5-dev attr-dev pcsc-lite-dev lksctp-tools-dev - libxcomposite-dev" +makedepends=" + alsa-lib-dev + attr-dev + autoconf + automake + bash + ca-certificates + coreutils + cups-dev + file + findutils + fontconfig-dev + freetype-dev + gawk + giflib-dev + gtk+2.0-dev + jpeg-dev + krb5-dev + lcms2-dev + libpng-dev + libxcomposite-dev + libxinerama-dev + libxp-dev + libxrender-dev + libxslt + libxt-dev + libxtst-dev + linux-headers + lksctp-tools-dev + nss-dev + nss-static + openjdk7 + paxmark + pcsc-lite-dev + sed + tar + util-linux + xz + zip + zlib-dev + " case $CARCH in x86) _jarch=i386;; @@ -29,6 +62,12 @@ arm*) _jarch=aarch32;; *) _jarch="$CARCH";; esac +case $CARCH in +x86|x86_64|aarch64) + _configure_jfr="--enable-jfr";; +*) _configure_jfr="--disable-jfr";; +esac + _bootstrap_java_home="/usr/lib/jvm/java-1.7-openjdk" _java_home="/usr/lib/jvm/java-1.8-openjdk" _jrelib="$_java_home/jre/lib/$_jarch" 
@@ -63,13 +102,74 @@ source="https://icedtea.classpath.org/download/source/icedtea-$_icedteaver.tar.x icedtea-jdk-fix-libjvm-load.patch icedtea-jdk-musl.patch icedtea-jdk-includes.patch - icedtea-jdk-getmntent-buffer.patch icedtea-autoconf-config.patch - icedtea-jdk-tls-nist-curves.patch " builddir="$srcdir/icedtea-$_icedteaver" # secfixes: +# 8.272.10-r0: +# - CVE-2020-14556 +# - CVE-2020-14577 +# - CVE-2020-14578 +# - CVE-2020-14579 +# - CVE-2020-14581 +# - CVE-2020-14583 +# - CVE-2020-14593 +# - CVE-2020-14621 +# - CVE-2020-14779 +# - CVE-2020-14781 +# - CVE-2020-14782 +# - CVE-2020-14792 +# - CVE-2020-14796 +# - CVE-2020-14797 +# - CVE-2020-14798 +# - CVE-2020-14803 +# 8.252.09-r0: +# - CVE-2020-2754 +# - CVE-2020-2755 +# - CVE-2020-2756 +# - CVE-2020-2757 +# - CVE-2020-2773 +# - CVE-2020-2781 +# - CVE-2020-2800 +# - CVE-2020-2803 +# - CVE-2020-2805 +# - CVE-2020-2830 +# 8.242.08-r0: +# - CVE-2020-2583 +# - CVE-2020-2590 +# - CVE-2020-2593 +# - CVE-2020-2601 +# - CVE-2020-2604 +# - CVE-2020-2659 +# - CVE-2020-2654 +# 8.232.09-r0: +# - CVE-2019-2933 +# - CVE-2019-2945 +# - CVE-2019-2949 +# - CVE-2019-2958 +# - CVE-2019-2964 +# - CVE-2019-2962 +# - CVE-2019-2973 +# - CVE-2019-2975 +# - CVE-2019-2978 +# - CVE-2019-2981 +# - CVE-2019-2983 +# - CVE-2019-2987 +# - CVE-2019-2988 +# - CVE-2019-2989 +# - CVE-2019-2992 +# - CVE-2019-2999 +# - CVE-2019-2894 +# 8.222.10-r0: +# - CVE-2019-2745 +# - CVE-2019-2762 +# - CVE-2019-2766 +# - CVE-2019-2769 +# - CVE-2019-2786 +# - CVE-2019-2816 +# - CVE-2019-2842 +# - CVE-2019-7317 # 8.212.04-r0: # - CVE-2019-2602 # - CVE-2019-2684 @@ -102,7 +202,7 @@ unpack() { fi mkdir -p "$srcdir" msg "Unpacking sources..." - tar -C "$srcdir" -Jxf icedtea-$_icedteaver.tar.xz + unxz -c icedtea-$_icedteaver.tar.xz | tar -C "$srcdir" -x } prepare() { 
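Review bot: In the unpack() hunk, `unxz -c icedtea-$_icedteaver.tar.xz | tar -C "$srcdir" -x` exposes only tar's exit status, so a failing unxz (corrupt or truncated archive, disk full mid-stream) is noticed only if tar itself errors on the truncated stream, whereas the replaced `tar -Jxf` reported a single status. Since abuild verifies sha512sums before unpack runs, the practical risk is small, but the reason for the change is not recorded; if it is a tar-implementation limitation (busybox tar lacking -J is my guess, not something the hunk shows), a comment such as `# decompress separately: -J is not supported by the tar used at build time` would keep the next maintainer from reverting it. unpack() starts outside the hunk.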
@@ -162,6 +262,7 @@ build() { --disable-dependency-tracking \ --disable-downloading \ --disable-precompiled-headers \ + --disable-docs \ --with-parallel-jobs=${JOBS:-2} \ --with-hotspot-build=default \ --with-openjdk-src-zip="$srcdir/openjdk-$_dropsver.tar.xz" \ @@ -174,10 +275,10 @@ build() { --with-nashorn-src-zip="$srcdir/nashorn-$_dropsver.tar.xz" \ --with-pax=paxmark \ --with-jdk-home="$_bootstrap_java_home" \ - --with-pkgversion="Alpine ${pkgver}-r${pkgrel}" \ + --with-pkgversion="Alpine $pkgver-r$pkgrel" \ + --with-curves="nist+" \ --enable-nss \ - --enable-sunec \ - --enable-non-nss-curves + $_configure_jfr make } @@ -232,6 +333,7 @@ jrelib() { jre() { pkgdesc="OpenJDK 8 Java Runtime" + depends="ttf-dejavu" local file dir mkdir -p "$subpkgdir" @@ -259,6 +361,7 @@ jrebase() { mkdir -p "$subpkgdir"/$_java_home/bin \ "$subpkgdir"/$_java_home/lib/$_jarch + ln -s java-1.8-openjdk "$subpkgdir"/usr/lib/jvm/java-8-openjdk mv "$pkgdir"/$_java_home/lib/$_jarch/jli \ "$subpkgdir"/$_java_home/lib/$_jarch/ 
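Review bot: The `--with-curves="nist+"` flag in the second build() hunk replaces both `--enable-sunec --enable-non-nss-curves` and the deleted icedtea-jdk-tls-nist-curves.patch, but nothing in the APKBUILD now records why the advertised EC curve set is restricted; the deleted patch header cited bug #7404 (TLS negotiation failures because OpenJDK announced curves the NSS build did not support). I assume nist+ is IcedTea's configure-level equivalent of that patch; a comment above the flag, e.g. `# limit announced EC curves to those NSS supports; supersedes icedtea-jdk-tls-nist-curves.patch (bug #7404)`, would keep the rationale next to the option. It is also worth confirming that dropping --enable-sunec still leaves a working EC provider with --enable-nss, since the hunk removes the explicit SunEC switch without comment. build() starts outside the hunk.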
@@ -291,24 +394,22 @@ demos() { "$subpkgdir"/$_java_home/ } -sha512sums="22582d65b9114749c7cfee0fc58fa2cb70e4cf77f3bc62e8097a6c601ead0bf86f530b942e6b0f32ef7bbc5bd17130da236714d83d6e9857c3c5b85c984f2efa icedtea-3.12.0.tar.xz -999aa17c0e73ebc465a982c5492043487b860b84dd6e4dda3fa51e3099b4642f3f5e03eb30252f835be81f1ea60dc28cf5f0905cbe347758a1f903db430fcc35 openjdk-3.12.0.tar.xz -d4ffe454a659db6c13b74c8e190beb3b427574d54fa44c80a3ba1dceb3af6f480ee99378d370ec2e9bfc6b5447a225eeb3e11821c83522479583fb21b0705bd7 corba-3.12.0.tar.xz -a5b8ca9b90797c5f0bc03b763fca50334a308bfd6955f5f488b661da6698abd991dbe08a7ac1a128922c546eb0061853e12a18971adb16c27302e2d9d0f13872 jaxp-3.12.0.tar.xz -f1deb09ccf6b1dff40d61f3bc54e55d430ebcbeb0cd53d6008cacf65b94824d486913b63034ee23a473298e0bee61ad1ea3e5520c2a3ab25e9e1e6d58d50d286 jaxws-3.12.0.tar.xz -2e15cdb58c9ce65c99ad5b5506343fb29cda02a4ea8490cfbe79f708deecee2ef28ad0e5a384d2113e72678aa857d821729b588e5ef53208ae06d0d5278ec326 jdk-3.12.0.tar.xz -838e3e458734d3fc8d2d968eb3bc7190838cd9a73bf3d61de662f9a992a9951a74021e25331d26545f0181b08c80f298de24e030dad4e076bd76368f3a14e960 langtools-3.12.0.tar.xz -2a0c18fea7b67c5042b39746f2c7ef53e252d6665efbcd74ebf9b171b13e311821310537e8b14cd4f9798c483afdb1107b9af6bb047262b97a526bfbb481777a hotspot-3.12.0.tar.xz -918489daf6d2816d0fac85ed89cccbb0e350dc068502857f1a7e518135c40e5fcca2709a60ae51bad392592bdc459675ea3543e684ba1ed0d8debc7a451af6d5 nashorn-3.12.0.tar.xz +sha512sums="eaf66df177f08cf335fe795f816e4f6b70a25a402ff8db4c1a2c545dd129350e1135c45e131eab8820620de2a75fda1d56141583ec1a651218d0a02680eb1df7 icedtea-3.17.1.tar.xz +82f2688b018b893cbf583ccc1cd328f6909ebeb4d30655ddb554691f1f0ee38debe57dc91bc8200d6676ad531047ffbf149ce7c1e49b65e67db3254c7d6205ed openjdk-3.17.1.tar.xz +c33886bfa517087e3cf37064fd9dcf1c0b8a9c9ccc4147beac3eb9c07e66c2f8aa3053feb8ab6cbdd42054b073854ed5aaf4a2cfb2888e0a09b7efe3809447c8 corba-3.17.1.tar.xz 
+e690a6c498e2418feaa22713517aefd051524aedd349fbab5c70fbdee3ca0f17a297089e02f1de2a27e318413e5ca6fe7dfd825b49c37e749ff48e9c8981307a jaxp-3.17.1.tar.xz +99c32483c6f5469c256026be9ee5c2a5654768ceff9d10fa9aa10888640af60d618668ae47880062d1253668e546949fd6ffe94c27d6436088e0a8367e2602fd jaxws-3.17.1.tar.xz +7f5321944cc6c7510db5d6ea6ef189bd15fdf7c904c8ec009576c33ce1e0288e18e51a5dc906e5c7c3beb4daebb161be0c08d1fe8f2ebde81b72a992da919142 jdk-3.17.1.tar.xz +68ff7857d180b90a77858505523416bee6102e30af7a394d08ab1581ba65d28b78c30f48c1b5555c30bf8b43adc5497d5530372101dc2e4adbc99e5d9c988def langtools-3.17.1.tar.xz +e377a2ad481727a1d5218f1bf629690ea5f1b7976307f593505efc07252cc5cd408f7eb0873032ec74ed44a31e5f2cd90747be3e6f709eba5ac9fd90857887ab hotspot-3.17.1.tar.xz +088948d01fc6ea627610bbdcf6691a7bcdd34c5715be103297292db54d0e9080f82f395c3b4bb432058615bc04e05c2d4292fc8f31735e3005d4cf16ff1f9af1 nashorn-3.17.1.tar.xz 1f470432275d5beaa8b4e4352a2f24a4a00593546dc4f3bd857794c89e521e8e6d6abc540762bbd769be3e1e3da058e134dc5dc066d12b9b8a1f0656040a795c fix-paxmark.patch -09104b19f647dce9ba0835163c05cc7e5e3ec9852b277f22b2d7a02bd483968853544125a09e384e96ba8811f2bbdc9546e05e378582ec6a554ede797ca5ad98 icedtea-hotspot-musl.patch -e5cf4d70f96fc1e72ae8b97a887adb96092ff36584711cbb8de9d9fa9e859cb8731d638838de0d9591239fc44ffe5c74422d1842bd9f10a0c00dff1627bdeeef icedtea-hotspot-musl-ppc.patch +28709285390a997adbd56ebda42ef718fbc08daf572b8568f484436d255514f9d25f033e3333dff8aa352fc9846057ac5bb42fa955d3e5e44eddc96dc273c07c icedtea-hotspot-musl.patch +54ef36ea5a749b733cadaf4fb47a2766db204fe7c9d4dbc1c2d49dd1cec14a552d18da5c49da9ebe8718329c59bdee2c34f94f7882a23837cee2f18af6ffe95f icedtea-hotspot-musl-ppc.patch 19459dbb922f5a71cd15b53199481498626a783c24f91d2544d55b7dddd2cdb34a64bbf0226b99548612dd1743af01b3f9ff32c30abbbc90ce727ca2dbbbd1f9 icedtea-hotspot-noagent-musl.patch f6365cfafafa008bd6c1bf0ccec01a63f8a39bd1a8bc87baa492a27234d47793ba02d455e5667a873ef50148df3baaf6a8421e2da0b15faac675867da714dd5f 
icedtea-jdk-execinfo.patch 48533f87fc2cf29d26b259be0df51087d2fe5b252e72d00c6ea2f4add7b0fb113141718c116279c5905e03f64a1118082e719393786811367cf4d472b5d36774 icedtea-jdk-fix-ipv6-init.patch b135991c76b0db8fa7c363e0903624668e11eda7b54a943035c214aa4d7fc8c3e8110ed200edcec82792f3c9393150a9bd628625ddf7f3e55720ff163fbbb471 icedtea-jdk-fix-libjvm-load.patch -1fbc32ddc528c7c0099dbc1e48f88d29dccf55e7b8997793aa1d3d8408003a1223d898cca4248e1a12d343d3feec5144f875e6cdac8460d763c73ab3ad7e49f9 icedtea-jdk-musl.patch -e8d9f1b867bf4fc84aa00d1237b264bcf503b1ed5f34735e14b0b747a728953fe0051a5af69ed058d377fbf65d8be1ed9e38fe5fc6edb2d50b31f34bf3ba91dc icedtea-jdk-includes.patch -7e6fa46b10c630517bfa46943858aea1d032c12d32ba3fcb7a2143ae1e896c34fa4cb8f925af80cb19f8e29149b835aa054adfd30ebb00539f6c78588d6f5211 icedtea-jdk-getmntent-buffer.patch -662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch -9ea7ac942baf29cc619bc2e1acd59201b9f6d38f39a517b495d7613aec746459200c81afb57c5fcdcb856f6bc8b33f7566c8593fed07e5c73f43e08f1072d458 icedtea-jdk-tls-nist-curves.patch" +3b01de971f64f082d3e289cf337e635ef001381e8ca427a77baa9c52c7ba423889f57665779ca5b3c8bcefb8feacbea31dfaac580c969a4f061439069ee34aae icedtea-jdk-musl.patch +974fb54532b7e7d738f4278187fc6bd9f9b2d99866b94f68a617ee4911c89a3b8cc41ecfdcaefecf9157492d006b1844b6b0b41ac4209d84f9e8d13c9e485dd3 icedtea-jdk-includes.patch +662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch" diff --git a/community/openjdk8/icedtea-hotspot-musl-ppc.patch b/community/openjdk8/icedtea-hotspot-musl-ppc.patch index eca684884c8..dfb3150f6b6 100644 --- a/community/openjdk8/icedtea-hotspot-musl-ppc.patch +++ b/community/openjdk8/icedtea-hotspot-musl-ppc.patch 
@@ -1,13 +1,94 @@ +Subject: Fix compilation with different ucontext_t on musl +Upstream: No +Author: Simon Frankenberger <simon-alpine@fraho.eu> + +The machine state registers have to be accessed differently when +running on musl libc. This patch fix this by replacing +"uc_mcontext.regs->grp" with "uc_mcontext.gp_regs" +and accessing the named fields (like "->nip") by the array index constants. + +--- openjdk.orig/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp ++++ openjdk/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp +@@ -1243,7 +1243,11 @@ + // the safepoing polling page. + ucontext_t* uc = (ucontext_t*) ucontext; + // Set polling address. ++#if defined(__GLIBC__) || defined(__UCLIBC__) + address addr = (address)uc->uc_mcontext.regs->gpr[ra] + (ssize_t)ds; ++#else // Musl ++ address addr = (address)uc->uc_mcontext.gp_regs[ra] + (ssize_t)ds; ++#endif + if (polling_address_ptr != NULL) { + *polling_address_ptr = addr; + } +@@ -1264,15 +1268,24 @@ + int rb = inv_rb_field(instruction); + + // look up content of ra and rb in ucontext ++#if defined(__GLIBC__) || defined(__UCLIBC__) + address ra_val=(address)uc->uc_mcontext.regs->gpr[ra]; + long rb_val=(long)uc->uc_mcontext.regs->gpr[rb]; ++#else // Musl ++ address ra_val=(address)uc->uc_mcontext.gp_regs[ra]; ++ long rb_val=(long)uc->uc_mcontext.gp_regs[rb]; ++#endif + return os::is_memory_serialize_page(thread, ra_val+rb_val); + } else if (is_stw(instruction) || is_stwu(instruction)) { + int ra = inv_ra_field(instruction); + int d1 = inv_d1_field(instruction); + + // look up content of ra in ucontext ++#if defined(__GLIBC__) || defined(__UCLIBC__) + address ra_val=(address)uc->uc_mcontext.regs->gpr[ra]; ++#else // Musl ++ address ra_val=(address)uc->uc_mcontext.gp_regs[ra]; ++#endif + return os::is_memory_serialize_page(thread, ra_val+d1); + } else { + return false; +@@ -1335,11 +1348,20 @@ + || (is_stdu(instruction) && rs == 1)) { + int ds = inv_ds_field(instruction); + // return banged address ++#if defined(__GLIBC__) 
|| defined(__UCLIBC__) + return ds+(address)uc->uc_mcontext.regs->gpr[ra]; ++#else // Musl ++ return ds+(address)uc->uc_mcontext.gp_regs[ra]; ++#endif + } else if (is_stdux(instruction) && rs == 1) { + int rb = inv_rb_field(instruction); ++#if defined(__GLIBC__) || defined(__UCLIBC__) + address sp = (address)uc->uc_mcontext.regs->gpr[1]; + long rb_val = (long)uc->uc_mcontext.regs->gpr[rb]; ++#else // Musl ++ address sp = (address)uc->uc_mcontext.gp_regs[1]; ++ long rb_val = (long)uc->uc_mcontext.gp_regs[rb]; ++#endif + return ra != 1 || rb_val >= 0 ? NULL // not a stack bang + : sp + rb_val; // banged address + } --- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp +++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp -@@ -110,11 +110,19 @@ +@@ -75,7 +75,11 @@ + # include <poll.h> + # include <ucontext.h> + ++#if ! (defined(__GLIBC__) || defined(__UCLIBC__)) ++# include <asm/ptrace.h> ++#endif + ++ + address os::current_stack_pointer() { + intptr_t* csp; + +@@ -110,11 +114,19 @@ // it because the volatile registers are not needed to make setcontext() work. // Hopefully it was zero'd out beforehand. guarantee(uc->uc_mcontext.regs != NULL, "only use ucontext_get_pc in sigaction context"); +#if defined(__GLIBC__) || defined(__UCLIBC__) return (address)uc->uc_mcontext.regs->nip; +#else // Musl -+ return (address)uc->uc_mcontext.gp_regs[32]; ++ return (address)uc->uc_mcontext.gp_regs[PT_NIP]; +#endif } 
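Review bot: In the os_linux_ppc.cpp part of this hunk, the context line `guarantee(uc->uc_mcontext.regs != NULL, "only use ucontext_get_pc in sigaction context");` stays outside the new `#if defined(__GLIBC__) || defined(__UCLIBC__)` guard while the return right below it is split per libc. The patch description says the registers must be reached through `uc_mcontext.gp_regs` on musl, which suggests `uc_mcontext.regs` may not exist there; since the line predates this commit and is unchanged here, presumably the full patch handles it somewhere I cannot see, but it is worth confirming the musl build compiles that function. The replacement of the bare index 32 with `PT_NIP` together with the conditional `<asm/ptrace.h>` include is the right direction; the inner hunk's enclosing function ends outside this hunk.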
@@ -20,55 +101,55 @@ } intptr_t* os::Linux::ucontext_get_fp(ucontext_t * uc) { -@@ -213,7 +221,11 @@ +@@ -213,7 +225,11 @@ if (uc) { address const pc = os::Linux::ucontext_get_pc(uc); if (pc && StubRoutines::is_safefetch_fault(pc)) { +#if defined(__GLIBC__) || defined(__UCLIBC__) uc->uc_mcontext.regs->nip = (unsigned long)StubRoutines::continuation_for_safefetch_fault(pc); +#else // Musl -+ uc->uc_mcontext.gp_regs[32] = (unsigned long)StubRoutines::continuation_for_safefetch_fault(pc); ++ uc->uc_mcontext.gp_regs[PT_NIP] = (unsigned long)StubRoutines::continuation_for_safefetch_fault(pc); +#endif return true; } } -@@ -364,7 +376,11 @@ +@@ -364,7 +380,11 @@ // continue at the next instruction after the faulting read. Returning // garbage from this read is ok. thread->set_pending_unsafe_access_error(); +#if defined(__GLIBC__) || defined(__UCLIBC__) uc->uc_mcontext.regs->nip = ((unsigned long)pc) + 4; +#else // Musl -+ uc->uc_mcontext.gp_regs[32] = ((unsigned long)pc) + 4; ++ uc->uc_mcontext.gp_regs[PT_NIP] = ((unsigned long)pc) + 4; +#endif return true; } } -@@ -383,7 +399,11 @@ +@@ -383,7 +403,11 @@ // continue at the next instruction after the faulting read. Returning // garbage from this read is ok. thread->set_pending_unsafe_access_error(); +#if defined(__GLIBC__) || defined(__UCLIBC__) uc->uc_mcontext.regs->nip = ((unsigned long)pc) + 4; +#else // Musl -+ uc->uc_mcontext.gp_regs[32] = ((unsigned long)pc) + 4; ++ uc->uc_mcontext.gp_regs[PT_NIP] = ((unsigned long)pc) + 4; +#endif return true; } } -@@ -406,7 +426,11 @@ +@@ -406,7 +430,11 @@ if (stub != NULL) { // Save all thread context in case we need to restore it. 
if (thread != NULL) thread->set_saved_exception_pc(pc); +#if defined(__GLIBC__) || defined(__UCLIBC__) uc->uc_mcontext.regs->nip = (unsigned long)stub; +#else -+ uc->uc_mcontext.gp_regs[32] = (unsigned long)stub; ++ uc->uc_mcontext.gp_regs[PT_NIP] = (unsigned long)stub; +#endif return true; } -@@ -564,6 +588,7 @@ +@@ -564,6 +592,7 @@ ucontext_t* uc = (ucontext_t*)context; st->print_cr("Registers:"); @@ -76,14 +157,14 @@ st->print("pc =" INTPTR_FORMAT " ", uc->uc_mcontext.regs->nip); st->print("lr =" INTPTR_FORMAT " ", uc->uc_mcontext.regs->link); st->print("ctr=" INTPTR_FORMAT " ", uc->uc_mcontext.regs->ctr); -@@ -572,8 +597,18 @@ +@@ -572,8 +601,18 @@ st->print("r%-2d=" INTPTR_FORMAT " ", i, uc->uc_mcontext.regs->gpr[i]); if (i % 3 == 2) st->cr(); } +#else // Musl -+ st->print("pc =" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[32]); -+ st->print("lr =" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[36]); -+ st->print("ctr=" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[35]); ++ st->print("pc =" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[PT_NIP]); ++ st->print("lr =" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[PT_LNK]); ++ st->print("ctr=" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[PT_CTR]); st->cr(); + for (int i = 0; i < 32; i++) { + st->print("r%-2d=" INTPTR_FORMAT " ", i, uc->uc_mcontext.gp_regs[i]); @@ -95,7 +176,7 @@ intptr_t *sp = (intptr_t *)os::Linux::ucontext_get_sp(uc); st->print_cr("Top of Stack: (sp=" PTR_FORMAT ")", p2i(sp)); -@@ -600,7 +635,11 @@ +@@ -600,7 +639,11 @@ // this is only for the "general purpose" registers for (int i = 0; i < 32; i++) { st->print("r%-2d=", i); 
@@ -107,63 +188,42 @@ } st->cr(); } ---- openjdk.orig/hotspot.orig/src/cpu/ppc/vm/macroAssembler_ppc.cpp -+++ openjdk/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp -@@ -1242,7 +1242,11 @@ - // the safepoing polling page. - ucontext_t* uc = (ucontext_t*) ucontext; - // Set polling address. -+#if defined(__GLIBC__) || defined(__UCLIBC__) - address addr = (address)uc->uc_mcontext.regs->gpr[ra] + (ssize_t)ds; -+#else // Musl -+ address addr = (address)uc->uc_mcontext.gp_regs[ra] + (ssize_t)ds; -+#endif - if (polling_address_ptr != NULL) { - *polling_address_ptr = addr; - } -@@ -1263,15 +1267,24 @@ - int rb = inv_rb_field(instruction); +--- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/thread_linux_ppc.cpp ++++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/thread_linux_ppc.cpp +@@ -27,6 +27,10 @@ + #include "runtime/frame.inline.hpp" + #include "runtime/thread.hpp" - // look up content of ra and rb in ucontext -+#if defined(__GLIBC__) || defined(__UCLIBC__) - address ra_val=(address)uc->uc_mcontext.regs->gpr[ra]; - long rb_val=(long)uc->uc_mcontext.regs->gpr[rb]; -+#else // Musl -+ address ra_val=(address)uc->uc_mcontext.gp_regs[ra]; -+ long rb_val=(long)uc->uc_mcontext.gp_regs[rb]; ++#if ! (defined(__GLIBC__) || defined(__UCLIBC__)) ++#include <asm/ptrace.h> +#endif - return os::is_memory_serialize_page(thread, ra_val+rb_val); - } else if (is_stw(instruction) || is_stwu(instruction)) { - int ra = inv_ra_field(instruction); - int d1 = inv_d1_field(instruction); ++ + bool JavaThread::pd_get_top_frame_for_profiling(frame* fr_addr, void* ucontext, bool isInJava) { + assert(this->is_Java_thread(), "must be JavaThread"); - // look up content of ra in ucontext +@@ -42,8 +46,13 @@ + // if we were running Java code when SIGPROF came in. 
+ if (isInJava) { + ucontext_t* uc = (ucontext_t*) ucontext; +#if defined(__GLIBC__) || defined(__UCLIBC__) - address ra_val=(address)uc->uc_mcontext.regs->gpr[ra]; + frame ret_frame((intptr_t*)uc->uc_mcontext.regs->gpr[1/*REG_SP*/], + (address)uc->uc_mcontext.regs->nip); +#else // Musl -+ address ra_val=(address)uc->uc_mcontext.gp_regs[ra]; ++ frame ret_frame((intptr_t*)uc->uc_mcontext.gp_regs[1/*REG_SP*/], ++ (address)uc->uc_mcontext.gp_regs[PT_NIP]); +#endif - return os::is_memory_serialize_page(thread, ra_val+d1); - } else { - return false; -@@ -1334,11 +1347,20 @@ - || (is_stdu(instruction) && rs == 1)) { - int ds = inv_ds_field(instruction); - // return banged address -+#if defined(__GLIBC__) || defined(__UCLIBC__) - return ds+(address)uc->uc_mcontext.regs->gpr[ra]; -+#else // Musl -+ return ds+(address)uc->uc_mcontext.gp_regs[ra]; -+#endif - } else if (is_stdux(instruction) && rs == 1) { - int rb = inv_rb_field(instruction); + + if (ret_frame.pc() == NULL) { + // ucontext wasn't useful +@@ -55,7 +64,11 @@ + if (!((Method*)(istate->method))->is_metaspace_object()) { + return false; + } +#if defined(__GLIBC__) || defined(__UCLIBC__) - address sp = (address)uc->uc_mcontext.regs->gpr[1]; - long rb_val = (long)uc->uc_mcontext.regs->gpr[rb]; + uint64_t reg_bcp = uc->uc_mcontext.regs->gpr[14/*R14_bcp*/]; +#else // Musl -+ address sp = (address)uc->uc_mcontext.gp_regs[1]; -+ long rb_val = (long)uc->uc_mcontext.gp_regs[rb]; ++ uint64_t reg_bcp = uc->uc_mcontext.gp_regs[14/*R14_bcp*/]; +#endif - return ra != 1 || rb_val >= 0 ? NULL // not a stack bang - : sp + rb_val; // banged address - } + uint64_t istate_bcp = istate->bcp; + uint64_t code_start = (uint64_t)(((Method*)(istate->method))->code_base()); + uint64_t code_end = (uint64_t)(((Method*)istate->method)->code_base() + ((Method*)istate->method)->code_size()); diff --git a/community/openjdk8/icedtea-hotspot-musl.patch b/community/openjdk8/icedtea-hotspot-musl.patch index cbbb5525f05..c18653b9b3b 100644 
--- a/community/openjdk8/icedtea-hotspot-musl.patch +++ b/community/openjdk8/icedtea-hotspot-musl.patch @@ -82,8 +82,8 @@ index d2c10e0..20f657f 100644 -# include <fpu_control.h> +# include <linux/types.h> /* provides __u64 */ - #ifdef BUILTIN_SIM - #define REG_SP REG_RSP + #define REG_FP 29 + diff --git openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp index 38388cb..2505ba8 100644 --- openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp diff --git a/community/openjdk8/icedtea-jdk-getmntent-buffer.patch b/community/openjdk8/icedtea-jdk-getmntent-buffer.patch deleted file mode 100644 index 075a9d42385..00000000000 --- a/community/openjdk8/icedtea-jdk-getmntent-buffer.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -Give a much bigger buffer to getmntent_r. - -https://bugs.alpinelinux.org/issues/7093 - -diff --git a/openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c b/openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c -index c8500db..d0b85d6 100644 ---- openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c -+++ openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c -@@ -33,6 +33,7 @@ - #include <dlfcn.h> - #include <errno.h> - #include <mntent.h> -+#include <limits.h> - - #include "sun_nio_fs_LinuxNativeDispatcher.h" - -@@ -173,8 +174,8 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this, - jlong value, jobject entry) - { - struct mntent ent; -- char buf[1024]; -- int buflen = sizeof(buf); -+ char *buf = NULL; -+ const size_t buflen = PATH_MAX * 4; - struct mntent* m; - FILE* fp = jlong_to_ptr(value); - jsize len; -@@ -183,10 +184,17 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this, - char* dir; - char* fstype; - char* options; -+ jint res = -1; - -- m = getmntent_r(fp, &ent, (char*)&buf, buflen); -- if (m == NULL) -+ buf = malloc(buflen); -+ if (buf == NULL) { -+ JNU_ThrowOutOfMemoryError(env, "native heap"); - return -1; -+ } -+ m = getmntent_r(fp, &ent, buf, buflen); -+ if (m == NULL) -+ goto out; -+ - name = m->mnt_fsname; - dir = m->mnt_dir; - fstype = m->mnt_type; -@@ -195,32 +203,35 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this, - len = strlen(name); - bytes = (*env)->NewByteArray(env, len); - if (bytes == NULL) -- return -1; -+ goto out; - (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)name); - (*env)->SetObjectField(env, entry, entry_name, bytes); - - len = strlen(dir); - bytes = (*env)->NewByteArray(env, len); - if (bytes == NULL) -- return -1; -+ goto out; - (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)dir); - (*env)->SetObjectField(env, entry, entry_dir, bytes); - - len = strlen(fstype); - bytes = 
(*env)->NewByteArray(env, len); - if (bytes == NULL) -- return -1; -+ goto out; - (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)fstype); - (*env)->SetObjectField(env, entry, entry_fstype, bytes); - - len = strlen(options); - bytes = (*env)->NewByteArray(env, len); - if (bytes == NULL) -- return -1; -+ goto out; - (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)options); - (*env)->SetObjectField(env, entry, entry_options, bytes); - -- return 0; -+ res = 0; -+out: -+ free(buf); -+ return res; - } - - JNIEXPORT void JNICALL diff --git a/community/openjdk8/icedtea-jdk-includes.patch b/community/openjdk8/icedtea-jdk-includes.patch index 6443a1973d5..5acbb9efb86 100644 --- a/community/openjdk8/icedtea-jdk-includes.patch +++ b/community/openjdk8/icedtea-jdk-includes.patch @@ -53,17 +53,6 @@ /* O Flags */ ---- openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c -+++ openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c -@@ -28,7 +28,7 @@ - #include <sys/types.h> - #include <sys/socket.h> - #if defined(__linux__) && !defined(USE_SELECT) --#include <sys/poll.h> -+#include <poll.h> - #endif - #include <netinet/tcp.h> /* Defines TCP_NODELAY, needed for 2.6 */ - #include <netinet/in.h> --- openjdk.orig/jdk/src/solaris/native/java/net/bsd_close.c +++ openjdk/jdk/src/solaris/native/java/net/bsd_close.c @@ -36,7 +36,7 @@ @@ -88,14 +77,14 @@ * Stack allocated by thread when doing blocking operation --- openjdk.orig/jdk/src/solaris/native/java/net/net_util_md.h +++ openjdk/jdk/src/solaris/native/java/net/net_util_md.h -@@ -33,7 +33,7 @@ - #include <unistd.h> - - #ifndef USE_SELECT +@@ -27,7 +27,7 @@ + #define NET_UTILS_MD_H + + #include <netdb.h> -#include <sys/poll.h> +#include <poll.h> - #endif - + #include <sys/socket.h> + int NET_Timeout(int s, long timeout); --- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c +++ openjdk/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c 
diff --git a/community/openjdk8/icedtea-jdk-musl.patch b/community/openjdk8/icedtea-jdk-musl.patch index 97946ba424f..09f5c082e58 100644 --- a/community/openjdk8/icedtea-jdk-musl.patch +++ b/community/openjdk8/icedtea-jdk-musl.patch @@ -47,28 +47,6 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/Inet4AddressImpl.c openjdk #define HAS_GLIBC_GETHOSTBY_R 1 #endif -diff -ru openjdk.orig/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c openjdk/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c ---- openjdk.orig/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c 2017-01-25 04:22:03.000000000 +0000 -+++ openjdk/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c 2017-02-06 11:23:47.047832009 +0000 -@@ -41,7 +41,6 @@ - #endif - #ifdef __linux__ - #include <unistd.h> --#include <sys/sysctl.h> - #include <sys/utsname.h> - #include <netinet/ip.h> - -diff -ru openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c ---- openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c 2017-01-25 04:22:03.000000000 +0000 -+++ openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c 2017-02-06 11:23:47.047832009 +0000 -@@ -43,7 +43,6 @@ - #endif - #ifdef __linux__ - #include <unistd.h> --#include <sys/sysctl.h> - #endif - - #include "jvm.h" diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/src/solaris/native/java/net/linux_close.c --- openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c 2017-01-25 04:22:03.000000000 +0000 +++ openjdk/jdk/src/solaris/native/java/net/linux_close.c 2017-02-06 11:23:47.047832009 +0000 @@ -80,7 +58,7 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/ +static int sigWakeup; /* - * The fd table and the number of file descriptors + * fdTable holds one entry per file descriptor, up to a certain @@ -95,6 +95,9 @@ /* * Setup the signal handler 
@@ -92,8 +70,8 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/ sa.sa_flags = 0; sigemptyset(&sa.sa_mask); diff -ru openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c ---- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-01-25 04:22:03.000000000 +0000 -+++ openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-02-06 11:23:47.051165409 +0000 +--- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-01-25 04:22:03.000000000 +0000 ++++ openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-02-06 11:23:47.051165409 +0000 @@ -36,7 +36,7 @@ #include <pthread.h> #include <sys/signal.h> diff --git a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch deleted file mode 100644 index 75fb3af8cf0..00000000000 --- a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -Bug #7404 TLS negotiation error in OpenJDK 8 u131 - -Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115 -on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation -errors for some clients. - -Root cause appears to be OpenJDK announcing support for NIST curves the -underlying NSS library does doesn't. This patch limits OpenJDK's -announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25 -(secp521r1). - -Related issues: - -* https://github.com/docker-library/openjdk/issues/115 -* https://bugs.alpinelinux.org/issues/7404 -* https://access.redhat.com/discussions/2339811 -* https://bugzilla.redhat.com/show_bug.cgi?id=1022017 -* https://bugzilla.redhat.com/show_bug.cgi?id=1348525 - ---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700 -+++ openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700 -@@ -168,21 +168,10 @@ - "contains no supported elliptic curves"); - } - } else { // default curves -- int[] ids; -- if (requireFips) { -- ids = new int[] { -- // only NIST curves in FIPS mode -- 23, 24, 25, 9, 10, 11, 12, 13, 14, -- }; -- } else { -- ids = new int[] { -- // NIST curves first -- 23, 24, 25, 9, 10, 11, 12, 13, 14, -- // non-NIST curves -- 22, -- }; -- } -- -+ int[] ids = new int[] { -+ // NSS currently only supports these three NIST curves -+ 23, 24, 25 -+ }; - idList = new ArrayList<>(ids.length); - for (int curveId : ids) { - if (isAvailableCurve(curveId)) { diff --git a/community/php5/APKBUILD b/community/php5/APKBUILD index 7e2fb19bc99..eb564943a7e 100644 --- a/community/php5/APKBUILD +++ b/community/php5/APKBUILD @@ -130,11 +130,11 @@ _peardir=/usr/share/pear # - CVE-2018-14883 # 5.6.36-r0: # - CVE-2018-5712 +# - CVE-2018-10547 # 5.6.34-r0: # - CVE-2018-7584 # 5.6.33-r0: # - CVE-2018-5711 -# - CVE-2018-5712 # 5.6.31-r0: # - CVE-2017-9224 # - CVE-2017-9226 
diff --git a/community/php7/APKBUILD b/community/php7/APKBUILD
index e7c20de6c6b..1477024edb3 100644
--- a/community/php7/APKBUILD
+++ b/community/php7/APKBUILD
@@ -25,7 +25,7 @@ pkgname=php7
 _pkgreal=php
-pkgver=7.1.30
+pkgver=7.1.33
 pkgrel=0
 _apiver=20160303
 _suffix=${pkgname#php}
@@ -181,6 +181,16 @@ ppc64le) options="$options !check";;
 esac
 # secfixes:
+# 7.1.33-r0:
+# - CVE-2019-11043
+# 7.1.32-r0:
+# - CVE-2019-13224
+# - CVE-2019-11042
+# - CVE-2019-11041
+# 7.1.30-r0:
+# - CVE-2019-11040
+# - CVE-2019-11039
+# - CVE-2019-11038
 # 7.1.29-r0:
 # - CVE-2019-11034
 # - CVE-2019-11035
@@ -201,7 +211,6 @@ esac
 # - CVE-2018-14884
 # - CVE-2018-14883
 # - CVE-2018-14851
-# - CVE-2018-7584
 # - CVE-2018-5712
 # - CVE-2016-10166
 # 7.1.17-r0:
@@ -214,7 +223,6 @@ esac
 # - CVE-2018-7584
 # 7.1.13-r0:
 # - CVE-2018-5711
-# - CVE-2018-5712
 # 7.1.11-r0:
 # - CVE-2016-1283
 # 7.1.7-r0:
@@ -670,7 +678,7 @@ _mv() {
 mv $@
 }
-sha512sums="9b8ae29d149803768408261306ed409e6191f403e1dff9fa8d608608c19f112c4822b34b242da82034954223196958b6d74ddd709cf7fe97fbc70237e196c9d0 php-7.1.30.tar.bz2
+sha512sums="60ecf04a5fcb77ad839f5c5514f0d83e16aa9d3cc5250a428ff6cb43defc9d1626bdb5b5ea2671261cc273c51c18387d6267307e28c25d18ca98b212cec7cc99 php-7.1.33.tar.bz2
 1c708de82d1086f272f484faf6cf6d087af7c31750cc2550b0b94ed723961b363f28a947b015b2dfc0765caea185a75f5d2c2f2b099c948b65c290924f606e4f php7-fpm.initd
 cacce7bf789467ff40647b7319e3760c6c587218720538516e8d400baa75651f72165c4e28056cd0c1dc89efecb4d00d0d7823bed80b29136262c825ce816691 php7-fpm.logrotate
 274bd7b0b2b7002fa84c779640af37b59258bb37b05cb7dd5c89452977d71807f628d91b523b5039608376d1f760f3425d165242ca75ee5129b2730e71c4e198 php7-module.conf
diff --git a/community/tor/APKBUILD b/community/tor/APKBUILD
index ae8eb19cc16..0ee183f6014 100644
--- a/community/tor/APKBUILD
+++ b/community/tor/APKBUILD
@@ -2,7 +2,7 @@ # Maintainer: Christine Dodrill <me@christine.website> pkgname=tor pkgver=0.3.1.10 -pkgrel=0 +pkgrel=1 pkgdesc="Anonymous network connectivity" url="https://www.torproject.org" arch="all" diff --git a/community/wireshark/APKBUILD b/community/wireshark/APKBUILD index ed8e4c2bf95..62a3ec96eed 100644 --- a/community/wireshark/APKBUILD +++ b/community/wireshark/APKBUILD @@ -109,14 +109,6 @@ builddir="$srcdir"/$pkgname-$pkgver # - CVE-2017-13765 # - CVE-2017-13766 # - CVE-2017-13767 -# 2.2.10-r0: -# - CVE-2017-15191 -# - CVE-2017-15192 -# - CVE-2017-15193 -# 2.2.9-r0: -# - CVE-2017-13765 -# - CVE-2017-13766 -# - CVE-2017-13767 # 2.2.8-r0: # - CVE-2017-11406 # - CVE-2017-11407 diff --git a/main/abuild/0001-abuild-chdir-to-builddir-if-it-exists.patch b/main/abuild/0001-abuild-chdir-to-builddir-if-it-exists.patch new file mode 100644 index 00000000000..d07b5a464e8 --- /dev/null +++ b/main/abuild/0001-abuild-chdir-to-builddir-if-it-exists.patch @@ -0,0 +1,30 @@ +From 2fe29d5829c0973ace1db350141b3c810ac888a7 Mon Sep 17 00:00:00 2001 +From: Natanael Copa <ncopa@alpinelinux.org> +Date: Wed, 3 Oct 2018 11:48:11 +0000 +Subject: [PATCH] abuild: chdir to $builddir if it exists + +chdir to $builddir before running prepare, build, package or check. +--- + abuild.in | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/abuild.in b/abuild.in +index b1be8fc..8d69b4b 100644 +--- a/abuild.in ++++ b/abuild.in +@@ -594,6 +594,12 @@ runpart() { + local part=$1 + [ -n "$DEBUG" ] && msg "$part" + trap "die '$part failed'" EXIT ++ if [ -d "$builddir" ]; then ++ case "$part" in ++ prepare|build|package|check) ++ cd "$builddir";; ++ esac ++ fi + $part + trap - EXIT + } +-- +2.18.1 + diff --git a/main/abuild/APKBUILD b/main/abuild/APKBUILD index 08d954c9a36..97a246438f3 100644 --- a/main/abuild/APKBUILD +++ b/main/abuild/APKBUILD 
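Review bot: The new case arm `cd "$builddir";;` in runpart() does not check that the chdir succeeded, so if `$builddir` exists but cannot be entered (permissions, a dangling symlink) `$part` still runs in the previous working directory. `die` is already used two lines above for the failure trap, so `cd "$builddir" || die "cannot cd to $builddir";;` keeps the failure loud at the cost of one token. Whether abuild.in runs under `set -e` is not visible in this hunk, so this may already be covered; the rest of runpart() and of abuild.in lies outside the hunk.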
@@ -2,7 +2,7 @@
 pkgname=abuild
 pkgver=3.1.0
 _ver=${pkgver%_git*}
-pkgrel=4
+pkgrel=5
 pkgdesc="Script to build Alpine Packages"
 url="https://git.alpinelinux.org/cgit/abuild/"
 arch="all"
@@ -24,6 +24,7 @@ source="http://dev.alpinelinux.org/archive/abuild/abuild-$_ver.tar.xz
 0001-abuild-add-env-option-to-require-tests.patch
 0001-abuild-rootbld-run-testsuites-if-requested-also-hand.patch
 0001-abuild-fix-race-when-stripping.patch
+ 0001-abuild-chdir-to-builddir-if-it-exists.patch
 "
 builddir="$srcdir/$pkgname-$_ver"
@@ -73,4 +74,5 @@ _rootbld() {
 sha512sums="bb9093d67942e3a63e4e053692c0bca30940cae05955518206cd9f7029211a188b7f442456ae126e61cbdca224eddb31e967d5cf0637e16893163cc963871a52 abuild-3.1.0.tar.xz
 e02cc44c8ad9dd61c9b80684b8cf5b64477a6fd6221cde9efea2a7594c6e7ce01a51f8bd4b80d72f82f7caf93217979fb0b354c420983891fa93f34c4252a035 0001-abuild-add-env-option-to-require-tests.patch
 5d196f302715f5f12ca13b70baea59f49bf3180e35e7a15849e9f9bc24b42a13666ee96666eae02bd31d54f227bb7c1fd5ae2e06dcfe1d7eb41ecfd6b9b3d28e 0001-abuild-rootbld-run-testsuites-if-requested-also-hand.patch
-4399485506ce566b158f53b1e4cabf99994d34fa31ddd0c0a6e11d089420f09cf4f72599ae4540d7ad1d11b31a54be05e416e6e58ed4a8acf27e3b91c9df5e2e 0001-abuild-fix-race-when-stripping.patch"
+4399485506ce566b158f53b1e4cabf99994d34fa31ddd0c0a6e11d089420f09cf4f72599ae4540d7ad1d11b31a54be05e416e6e58ed4a8acf27e3b91c9df5e2e 0001-abuild-fix-race-when-stripping.patch
+4cdcd6c3076c1415c9fc2dfdae6634ecac18e43e33cde4fa978137baaf8927369c80e5e630085c68c4c82165234ab5962cf4373c04566c60de92fd62725508a8 0001-abuild-chdir-to-builddir-if-it-exists.patch"
diff --git a/main/ansible/APKBUILD b/main/ansible/APKBUILD
index 8413cbb1958..ab79ce646ff 100644
--- a/main/ansible/APKBUILD
+++ b/main/ansible/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
 pkgname=ansible
 pkgver=2.4.6.0
-pkgrel=0
+pkgrel=1
 pkgdesc="A configuration-management, deployment, task-execution, and multinode orchestration framework"
 url="https://ansible.com"
 arch="noarch"
@@ -13,10 +13,14 @@ _py=py2
 depends="python2 $_py-yaml $_py-paramiko $_py-jinja2 $_py-markupsafe $_py-crypto"
 makedepends="python2-dev py-setuptools"
 subpackages="$pkgname-doc"
-source="$pkgname-$pkgver.tar.gz::https://releases.ansible.com/ansible/$pkgname-$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://releases.ansible.com/ansible/$pkgname-$pkgver.tar.gz
+ CVE-2019-10206.patch
+ "
 builddir="$srcdir/$pkgname-$pkgver"
 # secfixes:
+# 2.4.6.0-r1:
+# - CVE-2019-10206
 # 2.4.6.0-r0:
 # - CVE-2018-10855
@@ -39,4 +43,5 @@ package() {
 install -m644 README.md "$pkgdir"/usr/share/doc/$pkgname
 }
-sha512sums="3b4d4d8f3b1eb27861e7beac4557b608e3f9a77d4a24d33868c8d1be2b3fd9a57ef98e4685bbfd859d64a2f591487852fb5409ef00006036be4409eaf07d1b5b ansible-2.4.6.0.tar.gz"
+sha512sums="3b4d4d8f3b1eb27861e7beac4557b608e3f9a77d4a24d33868c8d1be2b3fd9a57ef98e4685bbfd859d64a2f591487852fb5409ef00006036be4409eaf07d1b5b ansible-2.4.6.0.tar.gz
+cdc065686625c1724e1f286f2a4986920195c8714fea640c90b663499aa9e8709c52e11590b7816dcd753c68c5c5787d964056bdd8252bc06ff6ca1731a38bc2 CVE-2019-10206.patch"
diff --git a/main/ansible/CVE-2019-10206.patch b/main/ansible/CVE-2019-10206.patch
new file mode 100644
index 00000000000..004035ce5b5
--- /dev/null
+++ b/main/ansible/CVE-2019-10206.patch
@@ -0,0 +1,125 @@ +From d0f7adc5c629475111cdf50bacdeccf247423cf2 Mon Sep 17 00:00:00 2001 +From: Brian Coca <bcoca@users.noreply.github.com> +Date: Wed, 24 Jul 2019 16:00:20 -0400 +Subject: [PATCH 1/2] prevent templating of passwords from prompt (#59246) + +* prevent templating of passwords from prompt + + fixes CVE-2019-10206 + +(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b) +--- + .../fragments/dont_template_passwords_from_prompt.yml | 2 ++ + lib/ansible/cli/__init__.py | 8 ++++++++ + lib/ansible/utils/unsafe_proxy.py | 11 +++++++---- + 3 files changed, 17 insertions(+), 4 deletions(-) + create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml + +diff --git a/changelogs/fragments/dont_template_passwords_from_prompt.yml b/changelogs/fragments/dont_template_passwords_from_prompt.yml +new file mode 100644 +index 000000000000..86a0e6122f94 +--- /dev/null ++++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml +@@ -0,0 +1,2 @@ ++bugfixes: ++ - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters. 
+diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py +index 380ddc4e2a43..76d652f7c8f0 100644 +--- a/lib/ansible/cli/__init__.py ++++ b/lib/ansible/cli/__init__.py +@@ -42,6 +42,7 @@ + from ansible.release import __version__ + from ansible.utils.path import unfrackpath + from ansible.utils.vars import load_extra_vars, load_options_vars ++from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes + from ansible.vars.manager import VariableManager + from ansible.parsing.vault import PromptVaultSecret, get_file_vault_secret + +@@ -342,6 +343,13 @@ def ask_passwords(self): + except EOFError: + pass + ++ # we 'wrap' the passwords to prevent templating as ++ # they can contain special chars and trigger it incorrectly ++ if sshpass: ++ sshpass = AnsibleUnsafeBytes(sshpass) ++ if becomepass: ++ becomepass = AnsibleUnsafeBytes(becomepass) ++ + return (sshpass, becomepass) + + def normalize_become_options(self): +diff --git a/lib/ansible/utils/unsafe_proxy.py b/lib/ansible/utils/unsafe_proxy.py +index 963798a08762..abefc1524914 100644 +--- a/lib/ansible/utils/unsafe_proxy.py ++++ b/lib/ansible/utils/unsafe_proxy.py +@@ -55,7 +55,7 @@ + + from collections import Mapping, MutableSequence, Set + +-from ansible.module_utils.six import string_types, text_type ++from ansible.module_utils.six import string_types, text_type, binary_type + from ansible.module_utils._text import to_text + + +@@ -70,15 +70,18 @@ class AnsibleUnsafeText(text_type, AnsibleUnsafe): + pass + + ++class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe): ++ pass ++ ++ + class UnsafeProxy(object): + def __new__(cls, obj, *args, **kwargs): + # In our usage we should only receive unicode strings. + # This conditional and conversion exists to sanity check the values + # we're given but we may want to take it out for testing and sanitize + # our input instead. 
+- if isinstance(obj, string_types): +- obj = to_text(obj, errors='surrogate_or_strict') +- return AnsibleUnsafeText(obj) ++ if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes): ++ obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict')) + return obj + + + +From 9f435f433ed5af11801a2b4c4da27ab413914b84 Mon Sep 17 00:00:00 2001 +From: Toshio Kuratomi <a.badger@gmail.com> +Date: Wed, 7 Aug 2019 09:11:56 -0500 +Subject: [PATCH 2/2] Improve performane of UnsafeProxy __new__ + +This adds an early return to the __new__ method of the UnsafeProxy object +which avoids creating the unsafe object if the incoming object is already +unsafe. + +(cherry picked from commit c1e23c22a9fedafaaa88c2119b26dc123ff1392e) +(cherry picked from commit 490f17c7f959ce153765c1f033fdc30becf0faf7) +--- + lib/ansible/utils/unsafe_proxy.py | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/ansible/utils/unsafe_proxy.py b/lib/ansible/utils/unsafe_proxy.py +index abefc1524914..6221e7339390 100644 +--- a/lib/ansible/utils/unsafe_proxy.py ++++ b/lib/ansible/utils/unsafe_proxy.py +@@ -76,11 +76,17 @@ class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe): + + class UnsafeProxy(object): + def __new__(cls, obj, *args, **kwargs): ++ if isinstance(obj, AnsibleUnsafe): ++ # Already marked unsafe ++ return obj ++ + # In our usage we should only receive unicode strings. + # This conditional and conversion exists to sanity check the values + # we're given but we may want to take it out for testing and sanitize + # our input instead. +- if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes): ++ # Note that this does the wrong thing if we're *intentionall* passing a byte string to this ++ # function. ++ if isinstance(obj, string_types): + obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict')) + return obj + diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD index 1f96ed6af53..cedab541937 100644 
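Review bot: In `ask_passwords` the prompt results are wrapped with `AnsibleUnsafeBytes(sshpass)` / `AnsibleUnsafeBytes(becomepass)`, and `AnsibleUnsafeBytes` derives from `binary_type`; if the prompt is read with a call that returns `str` on Python 3 (the read is outside the hunk), `bytes(str)` raises `TypeError` instead of marking the value unsafe. The APKBUILD in this commit depends on python2 only, so the package is not affected, but a comment next to the wrapping, `# py2 getpass returns bytes; on py3 this would need AnsibleUnsafeText`, records the assumption for whoever rebases the patch. In the second patch the early `if isinstance(obj, AnsibleUnsafe): return obj` makes the previous `AnsibleUnsafeBytes` exclusion redundant, which it correctly removes; note that non-string input still passes through `UnsafeProxy.__new__` unmarked, which reads as intentional. Both `ask_passwords` and `UnsafeProxy` start and end outside the hunk.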
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 pkgname=apache2
 _pkgreal=httpd
-pkgver=2.4.39
+pkgver=2.4.41
 pkgrel=0
 pkgdesc="A high performance Unix-based HTTP server"
 url="https://httpd.apache.org/"
@@ -52,6 +52,13 @@ options="suid"
 builddir="$srcdir"/$_pkgreal-$pkgver
 # secfixes:
+# 2.4.41-r0:
+# - CVE-2019-9517
+# - CVE-2019-10081
+# - CVE-2019-10082
+# - CVE-2019-10092
+# - CVE-2019-10097
+# - CVE-2019-10098
 # 2.4.39-r0:
 # - CVE-2019-0196
 # - CVE-2019-0197
@@ -337,7 +344,7 @@ _lua() {
 "$subpkgdir"/usr/lib/apache2/ || return 1
 _load_mods
 }
-sha512sums="9742202040b3dc6344b301540f54b2d3f8e36898410d24206a7f8dcecb1bea7d7230fabc7256752724558af249facf64bffe2cf678b8f7cccb64076737abfda7 httpd-2.4.39.tar.bz2
+sha512sums="350cc7dcd2c439e0590338fa6da3f44df44f9bb885c381e91f91b14c2f48597f6f0bbac0ea118a8a67eaa70ae7edbb769beace368643ed73f6daee44c307b335 httpd-2.4.41.tar.bz2
 655f5a655fedd737fb881b5caa6f012f5a43a611c513cab6d03bb69be7cca7fd70b49cfca0a3f7a5e7c696ad7bc80495c44155ad82a411306be4964e67faae6e libressl-fix.patch
 8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
 18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
diff --git a/main/aspell/APKBUILD b/main/aspell/APKBUILD
index e9ce10ab024..c17152a949c 100644
--- a/main/aspell/APKBUILD
+++ b/main/aspell/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 pkgname=aspell
 pkgver=0.60.6.1
-pkgrel=12
+pkgrel=13
 pkgdesc="A spell checker designed to eventually replace Ispell"
 url="http://aspell.net/"
 arch="all"
@@ -13,9 +13,15 @@ depends=
 depends_dev="$pkgname-utils"
 makedepends="ncurses-dev perl gettext-dev"
 install=
-source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2019-17544.patch
+ "
 builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 0.60.6.1-r13:
+# - CVE-2019-17544
+
 prepare() {
 cd "$builddir"
 default_prepare
@@ -67,6 +73,5 @@ libs() {
 rm -fr "$pkgdir"/usr/lib
 }
-md5sums="e66a9c9af6a60dc46134fdacf6ce97d7 aspell-0.60.6.1.tar.gz"
-sha256sums="f52583a83a63633701c5f71db3dc40aab87b7f76b29723aeb27941eff42df6e1 aspell-0.60.6.1.tar.gz"
-sha512sums="f310c7590be98406589b5c26ca36a2ecfe4733f0b40fd6c176b96b7955ef2b5cd0ec9a3d770cf132146ae7a896042b4b698945112995ee1ae66adcfa5542247f aspell-0.60.6.1.tar.gz"
+sha512sums="f310c7590be98406589b5c26ca36a2ecfe4733f0b40fd6c176b96b7955ef2b5cd0ec9a3d770cf132146ae7a896042b4b698945112995ee1ae66adcfa5542247f aspell-0.60.6.1.tar.gz
+8df739702cc7591344359721eb7fff247b02404a60666cc94b1e8da063c711d87df5f97dcf22af05efdb54f4e2a38bbc0b6b2bb60386fc6e9c68e15fe2fa9535 CVE-2019-17544.patch"
diff --git a/main/aspell/CVE-2019-17544.patch b/main/aspell/CVE-2019-17544.patch
new file mode 100644
index 00000000000..5bdb4391514
--- /dev/null
+++ b/main/aspell/CVE-2019-17544.patch
@@ -0,0 +1,39 @@ +diff --git a/common/config.cpp b/common/config.cpp +index b1e919b..51486a7 100644 +--- a/common/config.cpp ++++ b/common/config.cpp +@@ -763,7 +763,7 @@ namespace acommon { + } + res.append(':'); + } +- if (res.back() == ':') res.pop_back(); ++ if (!res.empty() && res.back() == ':') res.pop_back(); + } + + struct ListAddHelper : public AddableContainer +diff --git a/common/file_util.cpp b/common/file_util.cpp +index 8515832..56ea501 100644 +--- a/common/file_util.cpp ++++ b/common/file_util.cpp +@@ -181,6 +181,7 @@ namespace acommon { + while ( (dir = els.next()) != 0 ) + { + path = dir; ++ if (path.empty()) continue; + if (path.back() != '/') path += '/'; + unsigned dir_len = path.size(); + path += filename; +diff --git a/common/getdata.cpp b/common/getdata.cpp +index 7e822c9..1b04823 100644 +--- a/common/getdata.cpp ++++ b/common/getdata.cpp +@@ -64,7 +64,7 @@ namespace acommon { + char * unescape(char * dest, const char * src) + { + while (*src) { +- if (*src == '\\') { ++ if (*src == '\\' && src[1]) { + ++src; + switch (*src) { + case 'n': *dest = '\n'; break; + diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD index 809627e66d1..e34f50cab08 100644 --- a/main/asterisk/APKBUILD +++ b/main/asterisk/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Timo Teras <timo.teras@iki.fi> # Maintainer: Timo Teras <timo.teras@iki.fi> pkgname=asterisk -pkgver=15.6.1 +pkgver=15.6.2 pkgrel=0 pkgdesc="Asterisk: A Module Open Source PBX System" pkgusers="asterisk" @@ -30,6 +30,10 @@ _download="http://downloads.asterisk.org/pub/telephony/asterisk/releases" source="$_download/asterisk-$pkgver.tar.gz http://dev.alpinelinux.org/~tteras/asterisk-addon-mp3-r201.patch.gz musl-mutex-init.patch + AST-2019-001-15.patch + AST-2019-002-15.patch + AST-2019-003-15.patch + AST-2019-004-15.patch asterisk.initd asterisk.confd 
@@ -37,6 +41,14 @@ source="$_download/asterisk-$pkgver.tar.gz
 builddir="$srcdir/$pkgname-${pkgver/_/-}"
+# secfixes:
+# 15.6.2-r0:
+# - CVE-2018-19278
+# - CVE-2019-7251
+# - CVE-2019-12827
+# - CVE-2019-13161
+# - CVE-2019-15297
+
 prepare() {
 default_prepare
 update_config_sub
@@ -222,9 +234,13 @@ sound_en() {
 chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
 }
-sha512sums="b46db036ea1d885a5cf7ddee5a56efc7c02299cf1b8ea87f50d8f84e8a93437ce39671ee33256b5f8d524b1b4cc44fde6eacb86f0cc481f7d74fdd901be40d42 asterisk-15.6.1.tar.gz
+sha512sums="7dac70149769a3be4c6ebe63b4ee0028161c2a96237a4aeb3adac82af81dcad8faf9490f82603bbe6b150eb5f45456dbb10c9877d8bde05896a32b1449e4aa42 asterisk-15.6.2.tar.gz
 aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
 f72c2e04de80d3ed9ce841308101383a1655e6da7a3c888ad31fffe63d1280993e08aefcf8e638316d439c68b38ee05362c87503fca1f36343976a01af9d6eb1 musl-mutex-init.patch
+3528d29a667f4e27996d87797962100be21743d302eb94cc8828fa8985cf22b961c10b1f4a4e333fee92514a6809c9cf43c3a9a53466b1b8e798ac85f9f193d9 AST-2019-001-15.patch
+94f81acebe10455a5e13df961a41d8c51ddc1399316c6758ff107771c6b785de7aa22aa73573718539fda546d351964714583140e6ef529d7de984cdd1affe18 AST-2019-002-15.patch
+19cbcaf8ef8e525193631e2b1f47f3cf2d4075ca134e96b28df7bcad68530d216a9d7dcbcec8a444590d87e6d1894f6e7cd6ad0e2cb5852656a840164b8e1dc3 AST-2019-003-15.patch
+4c2da08e53ba1ffff8df3152aab2751dcbc3d075cd4863a00a16899fe48caf50119ce335a5e9b923ab894c5f2ea9bfad48110a4e49d337e6457f845bba789d92 AST-2019-004-15.patch
 0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd
 ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd
 7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate"
diff --git a/main/asterisk/AST-2019-001-15.patch b/main/asterisk/AST-2019-001-15.patch
new file mode 100644
index 00000000000..f7a68be4c0d
--- /dev/null
+++ b/main/asterisk/AST-2019-001-15.patch
@@ -0,0 +1,34 @@ +From 476d60f850c75ca9142aaf783992db74efea6a49 Mon Sep 17 00:00:00 2001 +From: George Joseph <gjoseph@digium.com> +Date: Wed, 30 Jan 2019 12:25:55 -0700 +Subject: [PATCH] res_pjsip_sdp_rtp: Fix return code from apply_negotiated_sdp_stream + +apply_negotiated_sdp_stream was returning a "1" when no joint +capabilities were found on an outgoing call instead of a "-1". +This indicated to res_pjsip_session that the handler DID handle +the sdp when in fact it didn't. Without the appropriate setup, +a subsequent media frame coming in would have an invalid stream_num +and cause a seg fault when the stream was attempted to be retrieved. + +apply_negotiated_sdp_stream now returns the correct "-1" and any +media is now discarded before it reaches the core stream processing. + +ASTERISK-28620 +Reported by: Sotiris Ganouris + +Change-Id: Ia095cb16b4862f2f6ad6d2d2a77453fa2542371f +--- + +diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c +index e2067cc..7f5a859 100644 +--- a/res/res_pjsip_sdp_rtp.c ++++ b/res/res_pjsip_sdp_rtp.c +@@ -1941,7 +1941,7 @@ + } + + if (set_caps(session, session_media, session_media_transport, remote_stream, 0, asterisk_stream)) { +- return 1; ++ return -1; + } + + /* Set the channel uniqueid on the RTP instance now that it is becoming active */ diff --git a/main/asterisk/AST-2019-002-15.patch b/main/asterisk/AST-2019-002-15.patch new file mode 100644 index 00000000000..29f4299e3d1 --- /dev/null +++ b/main/asterisk/AST-2019-002-15.patch 
@@ -0,0 +1,40 @@ +From ed649e7f5ffcdc1a2dc4b6b2456311d5a1918e24 Mon Sep 17 00:00:00 2001 +From: George Joseph <gjoseph@digium.com> +Date: Wed, 12 Jun 2019 12:03:04 -0600 +Subject: [PATCH] res_pjsip_messaging: Check for body in in-dialog message + +We now check that a body exists and it has a length > 0 before +attempting to process it. + +ASTERISK-28447 +Reported-by: Gil Richard + +Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f +--- + res/res_pjsip_messaging.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c +index 224721e7f1..cf9d484ab5 100644 +--- a/res/res_pjsip_messaging.c ++++ b/res/res_pjsip_messaging.c +@@ -91,10 +91,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data * + static const pj_str_t text = { "text", 4}; + static const pj_str_t application = { "application", 11}; + ++ if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) { ++ return res; ++ } ++ + /* We'll accept any text/ or application/ content type */ +- if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len +- && (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0 +- || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) { ++ if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0 ++ || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) { + res = PJSIP_SC_OK; + } else if (rdata->msg_info.ctype + && (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0 +-- +2.21.0 + diff --git a/main/asterisk/AST-2019-003-15.patch b/main/asterisk/AST-2019-003-15.patch new file mode 100644 index 00000000000..0c8f89a7a16 --- /dev/null +++ b/main/asterisk/AST-2019-003-15.patch 
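Review bot: The new early `return res;` in check_content_type_in_dialog also skips the `else if (rdata->msg_info.ctype && ...)` branch that follows it, so an in-dialog MESSAGE with no body but an acceptable Content-Type header now yields the default `res` where it previously reached that fallback. If that is intended, a one-line comment above the new check, `/* No body means nothing to deliver; do not consult Content-Type at all */`, saves the next reader from re-deriving it; if not, the ctype fallback has to be evaluated before the body check. The function's opening line is the hunk's context and its end lies outside the hunk.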
@@ -0,0 +1,39 @@ +From a8cc63a8b2b973d6d34251d74b8d4576d6796dce Mon Sep 17 00:00:00 2001 +From: Francesco Castellano <francesco.castellano@messagenet.it> +Date: Fri, 28 Jun 2019 18:15:31 +0200 +Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite + +The chan_sip module performs a T.38 re-invite using a single media +stream of udptl, and expects the SDP answer to be the same. + +If an SDP answer is received instead that contains an additional +media stream with no joint codec a crash will occur as the code +assumes that at least one joint codec will exist in this +scenario. + +This change removes this assumption. + +ASTERISK-28465 + +Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87 +--- + +diff --git a/channels/chan_sip.c b/channels/chan_sip.c +index fe2ae1e..6251878 100644 +--- a/channels/chan_sip.c ++++ b/channels/chan_sip.c +@@ -10921,7 +10921,13 @@ + ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0)); + } + +- if (portno != -1 || vportno != -1 || tportno != -1) { ++ /* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or ++ * video is not being transported, thus we continue in this function further up if that is ++ * the case. If we receive an SDP answer containing both a UDPTL stream and another media ++ * stream however we need to check again to ensure that there is at least one joint codec ++ * instead of assuming there is one. ++ */ ++ if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) { + /* We are now ready to change the sip session and RTP structures with the offered codecs, since + they are acceptable */ + unsigned int framing; diff --git a/main/asterisk/AST-2019-004-15.patch b/main/asterisk/AST-2019-004-15.patch new file mode 100644 index 00000000000..561e3d4ed3f --- /dev/null +++ b/main/asterisk/AST-2019-004-15.patch 
@@ -0,0 +1,171 @@ +From f361e65dc2c90aaee9472f97b54083e0a2d49303 Mon Sep 17 00:00:00 2001 +From: Kevin Harwell <kharwell@digium.com> +Date: Tue, 20 Aug 2019 15:05:45 -0500 +Subject: [PATCH] AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media + +After receiving a 200 OK with a declined stream in response to a T.38 +initiated re-invite Asterisk would crash when attempting to dereference +a NULL session media object. + +This patch checks to make sure the session media object is not NULL before +attempting to use it. + +ASTERISK-28495 +patches: + ast-2019-004.patch submitted by Alexei Gradinari (license 5691) + +Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572 +--- + +diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c +index fae6fbb..624139f 100644 +--- a/res/res_pjsip_t38.c ++++ b/res/res_pjsip_t38.c +@@ -203,7 +203,6 @@ + { + RAII_VAR(struct ast_sip_session *, session, obj, ao2_cleanup); + RAII_VAR(struct ast_datastore *, datastore, ast_sip_session_get_datastore(session, "t38"), ao2_cleanup); +- struct ast_sip_session_media *session_media; + + if (!datastore) { + return 0; +@@ -212,8 +211,7 @@ + ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n", + session->channel ? ast_channel_name(session->channel) : "<gone>"); + +- session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; +- t38_change_state(session, session_media, datastore->data, T38_REJECTED); ++ t38_change_state(session, NULL, datastore->data, T38_REJECTED); + ast_sip_session_resume_reinvite(session); + + return 0; +@@ -322,28 +320,37 @@ + int index; + + session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; +- t38_change_state(session, session_media, state, T38_ENABLED); ++ if (!session_media) { ++ ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n", ++ status.code, session->channel ? 
ast_channel_name(session->channel) : "unknown channel"); ++ } else { ++ t38_change_state(session, session_media, state, T38_ENABLED); + +- /* Stop all the streams in the stored away active state, they'll go back to being active once +- * we reinvite back. +- */ +- for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) { +- struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index); ++ /* Stop all the streams in the stored away active state, they'll go back to being active once ++ * we reinvite back. ++ */ ++ for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) { ++ struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index); + +- if (session_media && session_media->handler && session_media->handler->stream_stop) { +- session_media->handler->stream_stop(session_media); ++ if (session_media && session_media->handler && session_media->handler->stream_stop) { ++ session_media->handler->stream_stop(session_media); ++ } + } ++ ++ return 0; + } + } else { + session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; +- t38_change_state(session, session_media, state, T38_REJECTED); +- +- /* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */ +- ast_sip_session_media_state_free(state->media_state); +- state->media_state = NULL; +- ast_sip_session_media_state_reset(session->pending_media_state); + } + ++ /* If no session_media then response contained a declined stream, so disable */ ++ t38_change_state(session, NULL, state, session_media ? 
T38_REJECTED : T38_DISABLED); ++ ++ /* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */ ++ ast_sip_session_media_state_free(state->media_state); ++ state->media_state = NULL; ++ ast_sip_session_media_state_reset(session->pending_media_state); ++ + return 0; + } + +@@ -426,12 +433,10 @@ + /* Negotiation can not take place without a valid max_ifp value. */ + if (!parameters->max_ifp) { + if (data->session->t38state == T38_PEER_REINVITE) { +- session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; +- t38_change_state(data->session, session_media, state, T38_REJECTED); ++ t38_change_state(data->session, NULL, state, T38_REJECTED); + ast_sip_session_resume_reinvite(data->session); + } else if (data->session->t38state == T38_ENABLED) { +- session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; +- t38_change_state(data->session, session_media, state, T38_DISABLED); ++ t38_change_state(data->session, NULL, state, T38_DISABLED); + ast_sip_session_refresh(data->session, NULL, NULL, NULL, + AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state); + state->media_state = NULL; +@@ -454,6 +459,11 @@ + state->our_parms.version = MIN(state->our_parms.version, state->their_parms.version); + state->our_parms.rate_management = state->their_parms.rate_management; + session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; ++ if (!session_media) { ++ ast_log(LOG_ERROR, "Failed to negotiate parameters for reinvite on channel '%s' (No pending session media).\n", ++ data->session->channel ? 
ast_channel_name(data->session->channel) : "unknown channel"); ++ break; ++ } + ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp); + t38_change_state(data->session, session_media, state, T38_ENABLED); + ast_sip_session_resume_reinvite(data->session); +@@ -468,8 +478,13 @@ + } + state->our_parms = *parameters; + session_media = media_state->default_session[AST_MEDIA_TYPE_IMAGE]; ++ if (!session_media) { ++ ast_log(LOG_ERROR, "Failed to negotiate parameters on channel '%s' (No default session media).\n", ++ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel"); ++ break; ++ } + ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp); +- t38_change_state(data->session, session_media, state, T38_LOCAL_REINVITE); ++ t38_change_state(data->session, NULL, state, T38_LOCAL_REINVITE); + ast_sip_session_refresh(data->session, NULL, t38_reinvite_sdp_cb, t38_reinvite_response_cb, + AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, media_state); + } +@@ -478,12 +493,10 @@ + case AST_T38_REFUSED: + case AST_T38_REQUEST_TERMINATE: /* Shutdown T38 */ + if (data->session->t38state == T38_PEER_REINVITE) { +- session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; +- t38_change_state(data->session, session_media, state, T38_REJECTED); ++ t38_change_state(data->session, NULL, state, T38_REJECTED); + ast_sip_session_resume_reinvite(data->session); + } else if (data->session->t38state == T38_ENABLED) { +- session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; +- t38_change_state(data->session, session_media, state, T38_DISABLED); ++ t38_change_state(data->session, NULL, state, T38_DISABLED); + ast_sip_session_refresh(data->session, NULL, NULL, NULL, AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state); + state->media_state = NULL; + } +@@ -493,6 +506,11 @@ + + if (data->session->t38state == T38_PEER_REINVITE) { + session_media = 
data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; ++ if (!session_media) { ++ ast_log(LOG_ERROR, "Failed to request parameters for reinvite on channel '%s' (No pending session media).\n", ++ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel"); ++ break; ++ } + parameters.max_ifp = ast_udptl_get_far_max_ifp(session_media->udptl); + parameters.request_response = AST_T38_REQUEST_NEGOTIATE; + ast_queue_control_data(data->session->channel, AST_CONTROL_T38_PARAMETERS, ¶meters, sizeof(parameters)); +@@ -788,7 +806,7 @@ + + if ((session->t38state == T38_REJECTED) || (session->t38state == T38_DISABLED)) { + ast_debug(3, "Declining; T.38 state is rejected or declined\n"); +- t38_change_state(session, session_media, state, T38_DISABLED); ++ t38_change_state(session, NULL, state, T38_DISABLED); + return 0; + } + diff --git a/main/avahi/APKBUILD b/main/avahi/APKBUILD index 4d76fbc2c84..df85dd28b31 100644 --- a/main/avahi/APKBUILD +++ b/main/avahi/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=avahi pkgver=0.6.32 -pkgrel=4 +pkgrel=5 pkgdesc="A multicast/unicast DNS-SD framework" url="http://www.avahi.org/" arch="all" @@ -20,9 +20,16 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-tools $pkgname-glib py-avahi:py" source="https://github.com/lathiat/avahi/releases/download/v$pkgver/avahi-$pkgver.tar.gz openrc-run.patch + CVE-2017-6519-and-CVE-2018-1000845.patch " builddir="$srcdir"/$pkgname-$pkgver + +# secfixes: +# 0.6.32-r5: +# - CVE-2017-6519 +# - CVE-2018-1000845 + prepare() { default_prepare autoreconf -vif 
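Review bot: In the `@@ -468,8 +478,13 @@` hunk the new `if (!session_media) { ast_log(...); break; }` leaves `media_state` unreleased; that object is dereferenced on the line just above and, if it was allocated earlier in this case (its origin is outside the hunk), the early break leaks it, whereas the comparable break added in `@@ -454,6 +459,11 @@` bails on `state->media_state`, which the datastore still owns. Adding `ast_sip_session_media_state_free(media_state);` before that `break;` would mirror how the response callback releases `state->media_state` when a T.38 switch is abandoned. Note also that `state->our_parms = *parameters;` has already run by then, so a failed negotiation leaves the datastore holding the new parameters; whether anything outside the hunk reads them afterwards is not visible here. All of the functions touched by this patch start and end outside the hunk.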
@@ -115,7 +122,6 @@ py() { mkdir -p "$subpkgdir"/usr/lib mv "$pkgdir"/usr/lib/py* "$subpkgdir"/usr/lib/ } - - sha512sums="6f8d0a64292439cbb989c531a4ba2f25a53ee9cf7ad9df04dedf73149489a92612f3b5955e10aa4b1c76496c34b90ad75590e8aa49468249508267c1c8b899ee avahi-0.6.32.tar.gz -2754d11bf027676f30de6322eb9251ae83df5ef8f7b354793263224d432514a49e021d8f819f5525eeaeead04b544e15bfd2183ac8bc9f97e871d246e2b6a108 openrc-run.patch" +2754d11bf027676f30de6322eb9251ae83df5ef8f7b354793263224d432514a49e021d8f819f5525eeaeead04b544e15bfd2183ac8bc9f97e871d246e2b6a108 openrc-run.patch +dc5c9fde8d1244e70e3cf1c09bc274b094458d2fad982f5a79bcbf3cbddc43a0cf79e9ba106b3b0446a6f0b006fd3beeee48a03bd3d8a06cf8d9821f6945ffed CVE-2017-6519-and-CVE-2018-1000845.patch" diff --git a/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch b/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch new file mode 100644 index 00000000000..513489fa5b7 --- /dev/null +++ b/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch @@ -0,0 +1,27 @@ +diff --git a/avahi-core/server.c b/avahi-core/server.c +index a2cb19a..a2580e3 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + + if (avahi_dns_packet_is_query(p)) { + int legacy_unicast = 0; ++ char t[AVAHI_ADDRESS_STR_MAX]; + + /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the + * AR section completely here, so far. Until the day we add +@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + legacy_unicast = 1; + } + ++ if (!is_mdns_mcast_address(dst_address) && ++ !avahi_interface_address_on_link(i, src_address)) { ++ ++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol); ++ return; ++ } ++ + if (legacy_unicast) + reflect_legacy_unicast_query_packet(s, p, i, src_address, port); + + 
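Review bot: The new patch file carries no upstream reference — no `From <commit>` line and no gitweb URL of the kind the binutils patches in this commit have — only the bare `index a2cb19a..a2580e3` blob ids, so a later maintainer cannot confirm that this single hunk in dispatch_packet is the upstream fix for both CVE ids the secfixes entry attributes to it. A first line such as `From <UPSTREAM_COMMIT_ID placeholder> Mon Sep 17 00:00:00 2001` (or a `# Upstream: <URL placeholder>` note next to the source= entry) would make the backport attributable and re-checkable. Note also that the rejected non-local unicast query is only reported via `avahi_log_debug`, so the event is invisible at default log levels; that appears to mirror upstream, but it is worth knowing when looking for this traffic later. dispatch_packet continues outside the hunk.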
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 6406784634a..b23f4a683cd 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -52,7 +52,6 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz
 # - CVE-2017-3143
 # - CVE-2017-3141
 # - CVE-2017-3140
-# - CVE-2017-3145
 # 9.11.2_p1-r0:
 # - CVE-2017-3145
 # 9.11.0_p5-r0:
diff --git a/main/binutils/APKBUILD b/main/binutils/APKBUILD
index 10a410b7bd5..6ac5bda4808 100644
--- a/main/binutils/APKBUILD
+++ b/main/binutils/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=binutils
 pkgver=2.30
-pkgrel=1
+pkgrel=2
 pkgdesc="Tools necessary to build programs"
 url="https://www.gnu.org/software/binutils/"
 depends=""
@@ -15,6 +15,15 @@ source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.bz2
 fix-powerpc64-out-ot-line-save-restore.patch
 binutils-ld-fix-static-linking.patch
 gold-mips.patch
+ CVE-2018-7208.patch
+ CVE-2018-6543.patch
+ CVE-2018-7643.patch
+ CVE-2018-6759.patch
+ CVE-2018-7642.patch
+ CVE-2018-7569.patch
+ CVE-2018-6872.patch
+ CVE-2018-7568.patch
+ CVE-2018-8945.patch
 "
 
 builddir="$srcdir/$pkgname-$pkgver"
@@ -27,6 +36,17 @@ fi
 
 # secfixes:
 # 2.28-r1:
 # - CVE-2017-7614
+# 2.30-r2:
+# - CVE-2018-7208
+# - CVE-2018-6543
+# - CVE-2018-7643
+# - CVE-2018-6759
+# - CVE-2018-7642
+# - CVE-2018-7570
+# - CVE-2018-7569
+# - CVE-2018-6872
+# - CVE-2018-7568
+# - CVE-2018-8945
 build() {
 local _sysroot=/
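Review bot: The new `# 2.30-r2:` secfixes entry lists CVE-2018-7570, but the source= hunk above adds nine patch files and none of them is `CVE-2018-7570.patch`; either that patch is missing from the commit or the id should be dropped from the list, since the secfixes block is what the security tracker reads to decide the package is fixed. The new entry is also appended below `# 2.28-r1:`, whereas the other APKBUILDs in this commit keep the newest release first in the secfixes block — moving `# 2.30-r2:` and its ids directly under `# secfixes:` would match that convention.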
@@ -111,4 +131,13 @@ gold() { sha512sums="c3ce91aa20f058ec589bf18c722bf651331b394db6378900cc813cc0eea3a331a96584d5ae090630b627369510397dccc9edfcd43d4aeefc99579f277a05c72c binutils-2.30.tar.bz2 29791af5a09387d16fc4272dc7a10f71aed5a13187187af533bbe365506d6e6b581030d3f9bb4b7d8e300fb29b8b37b5f48027d86e33a8395b1a6d2dfb2d895a fix-powerpc64-out-ot-line-save-restore.patch ecee33b0e435aa704af1c334e560f201638ff79e199aa11ed78a72f7c9b46f85fbb227af5748e735fd681d1965fcc42ac81b0c8824e540430ce0c706c81e8b49 binutils-ld-fix-static-linking.patch -f55cf2e0bf82f97583a1abe10710e4013ecf7d64f1da2ef8659a44a06d0dd8beaf58dab98a183488ea137f03e32d62efc878d95f018f836f8cec870bc448556f gold-mips.patch" +f55cf2e0bf82f97583a1abe10710e4013ecf7d64f1da2ef8659a44a06d0dd8beaf58dab98a183488ea137f03e32d62efc878d95f018f836f8cec870bc448556f gold-mips.patch +13d68a99c63ba82c301c51e0747897cb0ee0e199606f1e285d02b5035a2309eabb057fd372fe3ff5bad48119a6ed7968385d0ce2ead776c72a77f4174d2ca777 CVE-2018-7208.patch +6218beebc64299236073dc69acf6b1959b51abe55f3137b847c7bf66a76d030e5fa40fa2771cc8987559680c87f5c7e7eb5f8026cc62a6ea6f301a3b17e5fad4 CVE-2018-6543.patch +da7efaea69795bec35324748929befd504edf11454bca5cdd4a408ae144cd8783e45088277d5a2460a7cbd0f19222270f4249fc71bcf5359d1d96ade7ce8f6b1 CVE-2018-7643.patch +3a424369a49b5f970569748a9405c2927bfc5a300bced5ba1d2e9ce95757225d1727f8d05fbfb7771f7e88e67eaa895d9bece58a5004ef3ce2a83b43fc6f4452 CVE-2018-6759.patch +a75552fc21209b34a62af9861f8ce25fe01f4dfec13a14918b2d77dfda77b49983abddc4cd0f1ae2901ef385731e56f98fe603911c9a757584b4dc7e45534efa CVE-2018-7642.patch +9ecb0bcf73f2c6e6f41875557ad0ac77e968ee4e7de0fd69d3a989109b2d648fe2441da720befa5c975d25cc8241570914229897ccdc3b6e6ff05e424a01fe1c CVE-2018-7569.patch +cef3d0a50eda9296359f60feec7feb91610b500c74d0c42517a7f10b5b8b228257dbb6af55cf480d17d6532acb5dca708db1928aa4c6bf2d5c57b7a180a3d08a CVE-2018-6872.patch 
+b73a5fe747f6a967ba4bcfeca59286f1d7b1324841860d31dd914eb96ab61dd5241cb8b6a8491e29aa9ccd63d46bee92e8635f6d4c49b7da46593d43cdbc2e55 CVE-2018-7568.patch +3578788a75e720aa17e92bf28074ee8bee764a7a6335ef6a1d766b83a67aae27bf806f1354cd919fc69bfb5e9c6579cd01449156c188ac45f1e16e33d10b986a CVE-2018-8945.patch" diff --git a/main/binutils/CVE-2018-6543.patch b/main/binutils/CVE-2018-6543.patch new file mode 100644 index 00000000000..266140517ea --- /dev/null +++ b/main/binutils/CVE-2018-6543.patch @@ -0,0 +1,28 @@ +X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=binutils%2Fobjdump.c;h=d8dca90f40c87c9bfd437c374f123ba5625a5b1d;hp=6c4d936b266a29a2cab7292978ec8f725b4cf1aa;hb=f2023ce7e8d70b0155cc6206c901e185260918f0;hpb=35f48e217ab6f909510bf9ca07325ec16122ae88 + +diff --git a/binutils/objdump.c b/binutils/objdump.c +index 6c4d936..d8dca90 100644 +--- a/binutils/objdump.c ++++ b/binutils/objdump.c +@@ -2466,6 +2466,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug, + struct dwarf_section *section = &debug_displays [debug].section; + bfd *abfd = (bfd *) file; + bfd_byte *contents; ++ bfd_size_type amt; + + if (section->start != NULL) + { +@@ -2480,9 +2481,11 @@ load_specific_debug_section (enum dwarf_section_display_enum debug, + section->num_relocs = 0; + section->address = bfd_get_section_vma (abfd, sec); + section->size = bfd_get_section_size (sec); +- section->start = contents = malloc (section->size + 1); ++ amt = section->size + 1; ++ section->start = contents = malloc (amt); + section->user_data = sec; +- if (section->start == NULL ++ if (amt == 0 ++ || section->start == NULL + || !bfd_get_full_section_contents (abfd, sec, &contents)) + { + free_debug_section (debug); diff --git a/main/binutils/CVE-2018-6759.patch b/main/binutils/CVE-2018-6759.patch new file mode 100644 index 00000000000..c3f098fee50 --- /dev/null +++ b/main/binutils/CVE-2018-6759.patch 
@@ -0,0 +1,86 @@ +From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 6 Feb 2018 15:48:29 +0000 +Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by + chacking the size of debuglink sections. + + PR 22794 + * opncls.c (bfd_get_debug_link_info_1): Check the size of the + section before attempting to read it in. + (bfd_get_alt_debug_link_info): Likewise. +--- +diff --git a/bfd/opncls.c b/bfd/opncls.c +index 458f06e..16b568c 100644 +--- a/bfd/opncls.c ++++ b/bfd/opncls.c +@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out) + bfd_byte *contents; + unsigned int crc_offset; + char *name; ++ bfd_size_type size; + + BFD_ASSERT (abfd); + BFD_ASSERT (crc32_out); +@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out) + if (sect == NULL) + return NULL; + ++ size = bfd_get_section_size (sect); ++ ++ /* PR 22794: Make sure that the section has a reasonable size. */ ++ if (size < 8 || size >= bfd_get_size (abfd)) ++ return NULL; ++ + if (!bfd_malloc_and_get_section (abfd, sect, &contents)) + { + if (contents != NULL) +@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out) + + /* CRC value is stored after the filename, aligned up to 4 bytes. */ + name = (char *) contents; +- /* PR 17597: avoid reading off the end of the buffer. */ +- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1; ++ /* PR 17597: Avoid reading off the end of the buffer. 
*/ ++ crc_offset = strnlen (name, size) + 1; + crc_offset = (crc_offset + 3) & ~3; +- if (crc_offset + 4 > bfd_get_section_size (sect)) ++ if (crc_offset + 4 > size) + return NULL; + + *crc32 = bfd_get_32 (abfd, contents + crc_offset); +@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len, + bfd_byte *contents; + unsigned int buildid_offset; + char *name; ++ bfd_size_type size; + + BFD_ASSERT (abfd); + BFD_ASSERT (buildid_len); +@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len, + if (sect == NULL) + return NULL; + ++ size = bfd_get_section_size (sect); ++ if (size < 8 || size >= bfd_get_size (abfd)) ++ return NULL; ++ + if (!bfd_malloc_and_get_section (abfd, sect, & contents)) + { + if (contents != NULL) +@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len, + + /* BuildID value is stored after the filename. */ + name = (char *) contents; +- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1; ++ buildid_offset = strnlen (name, size) + 1; + if (buildid_offset >= bfd_get_section_size (sect)) + return NULL; + +- *buildid_len = bfd_get_section_size (sect) - buildid_offset; ++ *buildid_len = size - buildid_offset; + *buildid_out = bfd_malloc (*buildid_len); + memcpy (*buildid_out, contents + buildid_offset, *buildid_len); + +-- +2.9.3 + diff --git a/main/binutils/CVE-2018-6872.patch b/main/binutils/CVE-2018-6872.patch new file mode 100644 index 00000000000..6b1e7e4e777 --- /dev/null +++ b/main/binutils/CVE-2018-6872.patch 
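Review bot: In bfd_get_alt_debug_link_info the new code caches the section size in `size` and uses it for the strnlen bound and for `*buildid_len`, but the bounds check between them still reads `if (buildid_offset >= bfd_get_section_size (sect))`; for consistency with bfd_get_debug_link_info_1, which uses the cached value throughout, this should be `if (buildid_offset >= size)`. Separately, the context lines that follow do `*buildid_out = bfd_malloc (*buildid_len);` and immediately `memcpy` into it without a NULL check, which the commit leaves as is. Both functions continue outside the hunk.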
@@ -0,0 +1,15 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Felf.c;h=db1e076b554a83be5db6234c11e89d26805fb527;hp=dedf35feb3c468d020025b3528a2c6544107db04;hb=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6;hpb=a9479dc051ab00f311c04cdd5b299a70739f67ed
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index dedf35f..db1e076 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -11012,6 +11012,8 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset,
+ align is less than 4, we use 4 byte alignment. */
+ if (align < 4)
+ align = 4;
++ if (align != 4 && align != 8)
++ return FALSE;
+ 
+ p = buf;
+ while (p < buf + size)
diff --git a/main/binutils/CVE-2018-7208.patch b/main/binutils/CVE-2018-7208.patch
new file mode 100644
index 00000000000..0c7ee6b4fdd
--- /dev/null
+++ b/main/binutils/CVE-2018-7208.patch
@@ -0,0 +1,16 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fcoffgen.c;h=4f90eaddd9cf6d5ae77848043493f305a96bb26d;hp=b2410873d0c9fc9ccd6d44870ec8204dcf3bfbc2;hb=eb77f6a4621795367a39cdd30957903af9dbb815;hpb=0d5e2f6abee322730eea6d7c175ae24631d3b089
+
+diff --git a/bfd/coffgen.c b/bfd/coffgen.c
+index b241087..4f90ead 100644
+--- a/bfd/coffgen.c
++++ b/bfd/coffgen.c
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+ }
+ /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+ generate one, so we must be careful to ignore it. */
+- if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++ < obj_raw_syment_count (abfd))
+ {
+ auxent->u.auxent.x_sym.x_tagndx.p =
+ table_base + auxent->u.auxent.x_sym.x_tagndx.l;
diff --git a/main/binutils/CVE-2018-7568.patch b/main/binutils/CVE-2018-7568.patch
new file mode 100644
index 00000000000..d9571a4810d
--- /dev/null
+++ b/main/binutils/CVE-2018-7568.patch
@@ -0,0 +1,41 @@ +X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fdwarf1.c;h=f272ea831157dc16283774edb933492ca8d3cf48;hp=71bc57bfdf825092c3449ba8810b0efa7b54bb8b;hb=eef104664efb52965d85a28bc3fc7c77e52e48e2;hpb=0d329c0a83a23cebb86fbe0ebddd780dc0df2424 + +diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c +index 71bc57b..f272ea8 100644 +--- a/bfd/dwarf1.c ++++ b/bfd/dwarf1.c +@@ -213,6 +213,7 @@ parse_die (bfd * abfd, + /* Then the attributes. */ + while (xptr + 2 <= aDiePtrEnd) + { ++ unsigned int block_len; + unsigned short attr; + + /* Parse the attribute based on its form. This section +@@ -255,12 +256,24 @@ parse_die (bfd * abfd, + break; + case FORM_BLOCK2: + if (xptr + 2 <= aDiePtrEnd) +- xptr += bfd_get_16 (abfd, xptr); ++ { ++ block_len = bfd_get_16 (abfd, xptr); ++ if (xptr + block_len > aDiePtrEnd ++ || xptr + block_len < xptr) ++ return FALSE; ++ xptr += block_len; ++ } + xptr += 2; + break; + case FORM_BLOCK4: + if (xptr + 4 <= aDiePtrEnd) +- xptr += bfd_get_32 (abfd, xptr); ++ { ++ block_len = bfd_get_32 (abfd, xptr); ++ if (xptr + block_len > aDiePtrEnd ++ || xptr + block_len < xptr) ++ return FALSE; ++ xptr += block_len; ++ } + xptr += 4; + break; + case FORM_STRING: diff --git a/main/binutils/CVE-2018-7569.patch b/main/binutils/CVE-2018-7569.patch new file mode 100644 index 00000000000..5b268b5a614 --- /dev/null +++ b/main/binutils/CVE-2018-7569.patch 
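Review bot: The new bounds checks in parse_die rely on `xptr + block_len < xptr` to catch wrap-around, but forming a pointer beyond the end of the buffer is undefined behaviour in C and an optimizing compiler is entitled to drop that comparison; the same pattern appears in CVE-2018-7569.patch (`block_end < buf` in read_n_bytes). Doing the check in integer space keeps the intent and is well-defined, e.g. `if (block_len > (size_t) (aDiePtrEnd - xptr)) return FALSE;` in place of the two-part pointer comparison. As these are upstream backports this is a point to raise upstream rather than to diverge on locally; parse_die continues outside the hunk.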
@@ -0,0 +1,78 @@ +X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fdwarf2.c;h=ca22db766c54a0ee8c35199b5110b03d9f7524d8;hp=2413542b84b20554f9f6e58edd03880b81cc6171;hb=12c963421d045a127c413a0722062b9932c50aa9;hpb=116acb2c268c89c89186673a7c92620d21825b25 + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 2413542..ca22db7 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -623,14 +623,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf, bfd_byte *end) + } + + static bfd_byte * +-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED, +- bfd_byte *buf, +- bfd_byte *end, +- unsigned int size ATTRIBUTE_UNUSED) ++read_n_bytes (bfd_byte * buf, ++ bfd_byte * end, ++ struct dwarf_block * block) + { +- if (buf + size > end) +- return NULL; +- return buf; ++ unsigned int size = block->size; ++ bfd_byte * block_end = buf + size; ++ ++ if (block_end > end || block_end < buf) ++ { ++ block->data = NULL; ++ block->size = 0; ++ return end; ++ } ++ else ++ { ++ block->data = buf; ++ return block_end; ++ } + } + + /* Scans a NUL terminated string starting at BUF, returning a pointer to it. 
+@@ -1128,8 +1138,7 @@ read_attribute_value (struct attribute * attr, + return NULL; + blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end); + info_ptr += 2; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_block4: +@@ -1139,8 +1148,7 @@ read_attribute_value (struct attribute * attr, + return NULL; + blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end); + info_ptr += 4; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_data2: +@@ -1180,8 +1188,7 @@ read_attribute_value (struct attribute * attr, + blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read, + FALSE, info_ptr_end); + info_ptr += bytes_read; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_block1: +@@ -1191,8 +1198,7 @@ read_attribute_value (struct attribute * attr, + return NULL; + blk->size = read_1_byte (abfd, info_ptr, info_ptr_end); + info_ptr += 1; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_data1: diff --git a/main/binutils/CVE-2018-7642.patch b/main/binutils/CVE-2018-7642.patch new file mode 100644 index 00000000000..5a3b5f115a7 --- /dev/null +++ b/main/binutils/CVE-2018-7642.patch 
@@ -0,0 +1,21 @@ +X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Faoutx.h;h=525e5603ec90c296e086091327aa0c472cf06e41;hp=4cadbfbd2fad64e0417c37bb316e3b63f202b3ae;hb=116acb2c268c89c89186673a7c92620d21825b25;hpb=889be5dbd230ee47a90d4a83f682b13ed7e3faae + +diff --git a/bfd/aoutx.h b/bfd/aoutx.h +index 4cadbfb..525e560 100644 +--- a/bfd/aoutx.h ++++ b/bfd/aoutx.h +@@ -2289,10 +2289,12 @@ NAME (aout, swap_std_reloc_in) (bfd *abfd, + if (r_baserel) + r_extern = 1; + +- if (r_extern && r_index > symcount) ++ if (r_extern && r_index >= symcount) + { + /* We could arrange to return an error, but it might be useful +- to see the file even if it is bad. */ ++ to see the file even if it is bad. FIXME: Of course this ++ means that objdump -r *doesn't* see the actual reloc, and ++ objcopy silently writes a different reloc. */ + r_extern = 0; + r_index = N_ABS; + } diff --git a/main/binutils/CVE-2018-7643.patch b/main/binutils/CVE-2018-7643.patch new file mode 100644 index 00000000000..b0400cd4ceb --- /dev/null +++ b/main/binutils/CVE-2018-7643.patch 
@@ -0,0 +1,28 @@ +X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=binutils%2Fdwarf.c;h=17896e61107eb53afac4b47820d2b18cf2398a9d;hp=6aca9b79942b5593b6ab445795d5b50b8f973bed;hb=d11ae95ea3403559f052903ab053f43ad7821e37;hpb=0cb7c7b0bb79be910e261f3d30c58ace6b0d06d1 + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 6aca9b7..17896e6 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_section *section, + continue; + } + ++ if (next < section_begin || next >= finish) ++ { ++ warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"), ++ (unsigned long) offset, i); ++ continue; ++ } ++ + if (dwarf_check != 0 && i > 0) + { + if (start < next) +@@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_section *section, + (unsigned long) (next - section_begin), section->name); + } + } ++ + start = next; + last_start = next; + diff --git a/main/binutils/CVE-2018-8945.patch b/main/binutils/CVE-2018-8945.patch new file mode 100644 index 00000000000..290dd30b4d6 --- /dev/null +++ b/main/binutils/CVE-2018-8945.patch 
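Review bot: The first hunk header in this extract reads `@@ -6810,6 +6817,13 @@`, i.e. the new side already starts seven lines past the old side before any line of this hunk is applied, which presumably means the upstream change inserted lines earlier in dwarf.c that are not carried here. That is harmless if the dropped lines were unrelated, but the extract gives no way to tell; confirming against the gitweb commit named in the X-Git-Url line, and noting the omission in a header comment, would make the backport reviewable. display_debug_ranges starts and ends outside the hunk.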
@@ -0,0 +1,52 @@ +From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 8 May 2018 12:51:06 +0100 +Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a + fuzzed input file with corrupt string and attribute sections. + + PR 22809 + * elf.c (bfd_elf_get_str_section): Check for an excessively large + string section. + * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the + attribute section is larger than the size of the file. +--- + bfd/ChangeLog | 8 ++++++++ + bfd/elf-attrs.c | 9 +++++++++ + bfd/elf.c | 1 + + 3 files changed, 18 insertions(+) + +diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c +index dfdf1a5..b353309 100644 +--- a/bfd/elf-attrs.c ++++ b/bfd/elf-attrs.c +@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr) + /* PR 17512: file: 2844a11d. */ + if (hdr->sh_size == 0) + return; ++ if (hdr->sh_size > bfd_get_file_size (abfd)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"), ++ abfd, hdr->bfd_section, (long long) hdr->sh_size); ++ bfd_set_error (bfd_error_invalid_operation); ++ return; ++ } ++ + contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1); + if (!contents) + return; +diff --git a/bfd/elf.c b/bfd/elf.c +index 21bc4e7..3e8d510 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsigned int shindex) + /* Allocate and clear an extra byte at the end, to prevent crashes + in case the string table is not terminated. */ + if (shstrtabsize + 1 <= 1 ++ || shstrtabsize > bfd_get_file_size (abfd) + || bfd_seek (abfd, offset, SEEK_SET) != 0 + || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL) + shstrtab = NULL; +-- +2.9.3 + diff --git a/main/coreutils/APKBUILD b/main/coreutils/APKBUILD index 22976d51599..fe51cc761ba 100644 --- a/main/coreutils/APKBUILD +++ b/main/coreutils/APKBUILD 
@@ -15,6 +15,10 @@ source="http://ftp.gnu.org/gnu/coreutils/$pkgname-$pkgver.tar.xz" builddir="$srcdir"/$pkgname-$pkgver +# secfixes: +# 8.28-r0: +# - CVE-2017-18018 + build() { cd "$builddir" LIBS="-lrt" ./configure \ diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD index 4ae0a25f071..343ff25bd6a 100644 --- a/main/cups/APKBUILD +++ b/main/cups/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cups -pkgver=2.2.10 +pkgver=2.2.12 pkgrel=0 pkgdesc="The CUPS Printing System" url="https://www.cups.org/" @@ -24,6 +24,9 @@ source="https://github.com/apple/cups/releases/download/v$pkgver/cups-$pkgver-so builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 2.2.12-r0: +# - CVE-2019-8696 +# - CVE-2019-8675 # 2.2.10-r0: # - CVE-2018-4700 @@ -124,8 +127,7 @@ _mv() { mv "$pkgdir"/$i "$subpkgdir"/${i%/*}/ done } - -sha512sums="1393987a263ebf20089dd3008ae4ed770a27a1f289032604eb9e18f2e863bd0e4215a70118f5a6d3940875625278b6798fbc9070e791ec559179c6cf7dc7b05f cups-2.2.10-source.tar.gz +sha512sums="b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df3d59795624973b89074a2af650fa9b5b6ed5224138b17e4c6dbbcbf0a2e6 cups-2.2.12-source.tar.gz cf64211da59e79285f99d437c02fdd7db462855fb2920ec9563ba47bd8a9e5cbd10555094940ceedeb41ac805c4f0ddb9147481470112a11a76220d0298aef79 cups.logrotate 2c2683f755a220166b3a1653fdd1a6daa9718c8f0bbdff2e2d5e61d1133306260d63a83d3ff41619b5cf84c4913fae5822b79553e2822858f38fa3613f4c7082 cupsd.initd 7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD index 1cadc700486..33e0dd44c01 100644 --- a/main/curl/APKBUILD +++ b/main/curl/APKBUILD @@ -4,7 +4,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=curl pkgver=7.61.1 -pkgrel=2 +pkgrel=3 pkgdesc="URL retrival utility and library" url="https://curl.haxx.se" arch="all" 
@@ -21,10 +21,16 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz CVE-2018-16890.patch CVE-2019-3822.patch CVE-2019-3823.patch + CVE-2019-5481.patch + CVE-2019-5482.patch " + builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 7.61.1-r3: +# - CVE-2019-5481 +# - CVE-2019-5482 # 7.61.1-r2: # - CVE-2018-16890 # - CVE-2019-3822 @@ -127,4 +133,6 @@ c1a684f17267b08f77625064ac62e4f06989c552d6d501565f8bebf31d3a96a613f0683376ec7cc1 dcaca036eafaaae66eba99808d00ff6bed3c9e59c2c1239ca1ddcf54c9e1c53edabd543dc6925ded3cdf9efd39c0968353527ae5ed0b986cefba333fbc7fd1af CVE-2018-16842.patch 573b896bd78e404002398bdf38d952ec6247af551ef7d6e34d52acbf004f8f4de60299e3a8f83be75e22dfb8731e466aea0253efec7116282afab32dbb1f66e8 CVE-2018-16890.patch 959a55237752b254bc5f58308607f3cf0475e207a7400ff6be7942c48131787f1dec4c05be5b76865ae0adf81ebae77774085ad0c19dd342fb0307cfcfe24b6c CVE-2019-3822.patch -73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69 CVE-2019-3823.patch" +73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69 CVE-2019-3823.patch +37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf CVE-2019-5481.patch +6a048e3794415792a4554651bc55b71c22735f58293db584e9c822af9faad22f27c730b5d649d4bf1fb8d2c251f8d6e2f67249929bb7b3a76495c1f36a898ce7 CVE-2019-5482.patch" diff --git a/main/curl/CVE-2019-5481.patch b/main/curl/CVE-2019-5481.patch new file mode 100644 index 00000000000..2aa4952cee4 --- /dev/null +++ b/main/curl/CVE-2019-5481.patch 
@@ -0,0 +1,40 @@
+From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2da8d..c5e4e135df 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+ struct krb5buffer *buf)
+ {
+ int len;
+- void *tmp = NULL;
+ CURLcode result;
+ 
+ result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- tmp = Curl_saferealloc(buf->data, len);
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+- if(tmp == NULL)
++ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+ 
+- buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
diff --git a/main/curl/CVE-2019-5482.patch b/main/curl/CVE-2019-5482.patch
new file mode 100644
index 00000000000..2cd32ef1798
--- /dev/null
+++ b/main/curl/CVE-2019-5482.patch
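Review bot: The new guard `if(!len || !buf->data)` in read_data only rejects a zero length, while `len` is a plain `int` read from the socket and passed through `ntohl`; a negative value therefore still reaches `Curl_saferealloc(buf->data, len)` and `socket_read(fd, buf->data, len)`, where it is converted to the callees' (presumably unsigned) size parameters. A sign check such as `if(len <= 0 || !buf->data)` — or reading the length into an unsigned variable with an explicit upper bound — would make the intent explicit, and it would also stop the zero-length case being reported as CURLE_OUT_OF_MEMORY, which is misleading when no allocation failed. This is the upstream fix as published, so the point is one to raise upstream; read_data continues outside the hunk.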
@@ -0,0 +1,50 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index a7176cec80..346f293dc5 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+ tftp_state_data_t *state;
+ int blksize;
++ int need_blksize;
+ 
+ blksize = TFTP_BLKSIZE_DEFAULT;
+ 
+@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ return CURLE_TFTP_ILLEGAL;
+ }
+ 
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+ 
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index 413e0b02863..252b96fa69a 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: Michael Mason <ms13sp@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=dovecot
-pkgver=2.2.36.3
+pkgver=2.2.36.4
 _pkgvermajor=2.2
 pkgrel=0
 _pigeonholever=0.4.21
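Review bot: The patch's own diffstat says `lib/tftp.c | 12 +++++++++---` with 9 insertions and 3 deletions, but the two hunks present add 8 lines and remove 2, so one changed line of the upstream commit is not in this file. The hunks only enlarge the two calloc() buffers to `need_blksize`; nothing here implements the "use default unless OACK is received" half of the subject line, which is presumably the missing change, and the larger buffers alone do not decide what size the receive path later uses. Before relying on this backport for CVE-2019-5482 it should be compared against the upstream commit named in the From line, and the omitted line either added or its absence explained in the patch header; tftp_connect continues outside the hunk.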
@@ -40,6 +40,8 @@ _builddirpigeonhole="$srcdir/$pkgname-${_pkgvermajor}-pigeonhole-$_pigeonholever _builddirpluginextdata="$srcdir/pigeonhole-${_pigeonholevermajor/./-}-sieve-extdata-$_pluginextdataver" # secfixes: +# 2.2.36.4-r0: +# - CVE-2019-11500 # 2.2.36.3-r0: # - CVE-2019-7524 # 2.2.36.1-r0: @@ -234,7 +236,7 @@ _fts_lucene() { depends="$pkgname" _mv $(cd "$pkgdir" && find usr -name '*fts*lucene*') } -sha512sums="47611dbde7ee854ad323dcdb726757c7172376761fa774f28fce3f9d74ed590319d812f0555abed5f8178c326c3cb7661ac0b708ca5982914e255cec60f72e35 dovecot-2.2.36.3.tar.gz +sha512sums="e33ab2f6c5f7b4ffca3d57580329f1df8e1655c755a1a6b575a4e49d57ea94d1ab67df2419033c9d68acf5959c6edfa596815dc2bc43798e9aef3d17d271cc4d dovecot-2.2.36.4.tar.gz 4751f449ede1b05173c706b414ebf9f7f670ff78589ce6f0b687c32c9abe6dae8b3064ed1b20e893d9ec0147b0139ce479e1d74ebe94747c33f2d8ca177912de dovecot-2.2-pigeonhole-0.4.21.tar.gz 832a80264fb9bd3021c4e192eb7594c203100783df547aff35acf4dc4d8de5eddfd676fcc5a07a0691d9bb6eb884c9497a692b72a2af5bf9e9bb7a2d3f38923e 39.tar.gz 09bae967d35b9e5d7d91c81337e1bf5e5aba3abb7b0ab06427f1a0d6f9bb5b2f2e39306cfe45d80488110fc0414e3e2515c0265286c1584d80f8af366d1568a9 skip-iconv-check.patch diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD index db30601d494..7988763db8f 100644 --- a/main/e2fsprogs/APKBUILD +++ b/main/e2fsprogs/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=e2fsprogs pkgver=1.43.7 -pkgrel=0 +pkgrel=1 pkgdesc="Standard Ext2/3/4 filesystem utilities" url="http://e2fsprogs.sourceforge.net" arch="all" 
@@ -12,9 +12,15 @@ depends_dev="util-linux-dev" options="!check" makedepends="$depends_dev linux-headers" subpackages="$pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra" -source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz" - +source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz + CVE-2019-5094.patch + " builddir="$srcdir/$pkgname-$pkgver" + +# secfixes: +# 1.43.7-r1: +# - CVE-2019-5094 + build () { cd "$builddir" ./configure \ @@ -64,5 +70,5 @@ extra() { rmdir "$pkgdir"/lib mv "$pkgdir"/usr "$subpkgdir"/ } - -sha512sums="2ef270364d3cea620db3c3b9932849d0ff5b49d4a9a9b24f0d1ac36888199bd67432edc5f939d9f697ee0342b71a063e1ad4ce8119528a7adab7a777c1de57ba e2fsprogs-1.43.7.tar.xz" +sha512sums="2ef270364d3cea620db3c3b9932849d0ff5b49d4a9a9b24f0d1ac36888199bd67432edc5f939d9f697ee0342b71a063e1ad4ce8119528a7adab7a777c1de57ba e2fsprogs-1.43.7.tar.xz +72e7d8199ea071802fbe74fbb2153253e5460412b115e03750ecac46d298aeb73bd8e7610a2d5b8be83b7125080c7e9e23d9b71baee1c7a4f68026344106a922 CVE-2019-5094.patch" diff --git a/main/e2fsprogs/CVE-2019-5094.patch b/main/e2fsprogs/CVE-2019-5094.patch new file mode 100644 index 00000000000..d350b3f2943 --- /dev/null +++ b/main/e2fsprogs/CVE-2019-5094.patch 
@@ -0,0 +1,190 @@ +diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c +index 0b9e766..ddb5312 100644 +--- a/lib/support/mkquota.c ++++ b/lib/support/mkquota.c +@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype, + err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data); + if (err) { + log_debug("Error scanning dquots"); ++ *usage_inconsistent = 1; + goto out_close_qh; + } + +diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c +index a7c2028..6cc4fb5 100644 +--- a/lib/support/quotaio_tree.c ++++ b/lib/support/quotaio_tree.c +@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct quota_handle *h, qid_t id) + return dquot; + } + ++static int check_reference(struct quota_handle *h, unsigned int blk) ++{ ++ if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) { ++ log_err("Illegal reference (%u >= %u) in %s quota file", ++ blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, ++ quota_type2name(h->qh_type)); ++ return -1; ++ } ++ return 0; ++} ++ + /* + * Scan all dquots in file and call callback on each + */ +@@ -558,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap, + int entries, i; + + if (!buf) +- return 0; ++ return -1; + + set_bit(bitmap, blk); + read_blk(dquot->dq_h, blk, buf); +@@ -580,23 +591,12 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap, + return entries; + } + +-static void check_reference(struct quota_handle *h, unsigned int blk) +-{ +- if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) +- log_err("Illegal reference (%u >= %u) in %s quota file. 
" +- "Quota file is probably corrupted.\n" +- "Please run e2fsck (8) to fix it.", +- blk, +- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, +- quota_type2name(h->qh_type)); +-} +- + static int report_tree(struct dquot *dquot, unsigned int blk, int depth, + char *bitmap, + int (*process_dquot) (struct dquot *, void *), + void *data) + { +- int entries = 0, i; ++ int entries = 0, ret, i; + dqbuf_t buf = getdqbuf(); + __le32 *ref = (__le32 *) buf; + +@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth, + if (depth == QT_TREEDEPTH - 1) { + for (i = 0; i < QT_BLKSIZE >> 2; i++) { + blk = ext2fs_le32_to_cpu(ref[i]); +- check_reference(dquot->dq_h, blk); +- if (blk && !get_bit(bitmap, blk)) +- entries += report_block(dquot, blk, bitmap, +- process_dquot, data); ++ if (check_reference(dquot->dq_h, blk)) { ++ entries = -1; ++ goto errout; ++ } ++ if (blk && !get_bit(bitmap, blk)) { ++ ret = report_block(dquot, blk, bitmap, ++ process_dquot, data); ++ if (ret < 0) { ++ entries = ret; ++ goto errout; ++ } ++ entries += ret; ++ } + } + } else { + for (i = 0; i < QT_BLKSIZE >> 2; i++) { + blk = ext2fs_le32_to_cpu(ref[i]); + if (blk) { +- check_reference(dquot->dq_h, blk); +- entries += report_tree(dquot, blk, depth + 1, +- bitmap, process_dquot, +- data); ++ if (check_reference(dquot->dq_h, blk)) { ++ entries = -1; ++ goto errout; ++ } ++ ret = report_tree(dquot, blk, depth + 1, ++ bitmap, process_dquot, ++ data); ++ if (ret < 0) { ++ entries = ret; ++ goto errout; ++ } ++ entries += ret; + } + } + } ++errout: + freedqbuf(buf); + return entries; + } +@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h, + int (*process_dquot) (struct dquot *, void *), + void *data) + { ++ int ret; + char *bitmap; + struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi; + struct qtree_mem_dqinfo *info = &v2info->dqi_qtree; +@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h, + ext2fs_free_mem(&dquot); + return -1; + } +- 
v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap, +- process_dquot, data); ++ ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data); ++ if (ret < 0) ++ goto errout; ++ v2info->dqi_used_entries = ret; + v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks); ++ ret = 0; ++errout: + ext2fs_free_mem(&bitmap); + ext2fs_free_mem(&dquot); +- return 0; ++ return ret; + } +diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c +index 38be2a3..7390667 100644 +--- a/lib/support/quotaio_v2.c ++++ b/lib/support/quotaio_v2.c +@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt) + static int v2_init_io(struct quota_handle *h) + { + struct v2_disk_dqinfo ddqinfo; ++ struct v2_mem_dqinfo *info; ++ __u64 filesize; + + h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size = + sizeof(struct v2r1_disk_dqblk); +@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h) + sizeof(ddqinfo)) != sizeof(ddqinfo)) + return -1; + v2_disk2memdqinfo(&h->qh_info, &ddqinfo); ++ ++ /* Check to make sure quota file info is sane */ ++ info = &h->qh_info.u.v2_mdqi; ++ if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize)) ++ return -1; ++ if ((filesize > (1U << 31)) || ++ (info->dqi_qtree.dqi_blocks > ++ (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) { ++ log_err("Quota inode %u corrupted: file size %llu; " ++ "dqi_blocks %u", h->qh_qf.ino, ++ filesize, info->dqi_qtree.dqi_blocks); ++ return -1; ++ } ++ if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) { ++ log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u", ++ h->qh_qf.ino, info->dqi_qtree.dqi_free_blk, ++ info->dqi_qtree.dqi_blocks); ++ return -1; ++ } ++ if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) { ++ log_err("Quota inode %u corrupted: free_entry %u; " ++ "dqi_blocks %u", h->qh_qf.ino, ++ info->dqi_qtree.dqi_free_entry, ++ info->dqi_qtree.dqi_blocks); ++ return -1; ++ } + return 0; + } + + 
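Review bot: The new main/e2fsprogs/CVE-2019-5094.patch carries no provenance line, so nothing in the file records which upstream e2fsprogs commit it was taken from or whether it was adapted for the 1.43.7 tree; main/file/CVE-2019-18218.patch in the same commit shows the convention with its `Source: https://...` first line. Add a one-line header naming the upstream change, e.g. `Source: <upstream e2fsprogs commit URL>` (placeholder), so the backport can be re-verified against upstream when the next quota fix lands. The same header is missing from main/expat/CVE-2019-15903.patch, main/file/CVE-2019-8905-and-CVE-2019-8907.patch and main/file/CVE-2019-8906.patch.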
diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD index 7b053971f75..5cf21bacaee 100644 --- a/main/expat/APKBUILD +++ b/main/expat/APKBUILD @@ -1,21 +1,23 @@ # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=expat -pkgver=2.2.7 +pkgver=2.2.8 pkgrel=0 pkgdesc="An XML Parser library written in C" url="http://www.libexpat.org/" arch="all" license='MIT' checkdepends="bash" -source="http://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2" +source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2" subpackages="$pkgname-dev $pkgname-doc" builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 2.2.7-r1: +# - CVE-2019-15903 # 2.2.7-r0: -# - CVE-2018-20843 +# - CVE-2018-20843 # 2.2.0-r1: -# - CVE-2017-9233 +# - CVE-2017-9233 build() { cd "$builddir" @@ -37,4 +39,4 @@ package() { make DESTDIR="$pkgdir/" install } -sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2" +sha512sums="b1c995320d3eb406fe98e87fad204cc1336a74fb70c3ce3876d16ab955507863c3ee406ab10f0e8b63ed51cda0f7da4df0039626990fc2710f41c589c04b4022 expat-2.2.8.tar.bz2" diff --git a/main/expat/CVE-2019-15903.patch b/main/expat/CVE-2019-15903.patch new file mode 100644 index 00000000000..bfba7a87b4f --- /dev/null +++ b/main/expat/CVE-2019-15903.patch 
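Review bot: The secfixes entry added in the first expat hunk records CVE-2019-15903 as fixed in `2.2.7-r1`, but the same hunk bumps the package to pkgver=2.2.8 with pkgrel=0, so no 2.2.7-r1 build exists on this branch and the entry should read `# 2.2.8-r0:`. The new main/expat/CVE-2019-15903.patch is never added to `source=`, which still lists only the tarball, so the patch file is dead weight in the tree; either drop it (2.2.8 presumably already carries the upstream fix — confirm) or list it in `source=` and add its checksum. The two `-`/`+` pairs under the older secfixes entries look like whitespace-only rewrites and are better left out of a security bump.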
@@ -0,0 +1,80 @@ +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 9c0987f..b8656ca 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -405,7 +405,7 @@ initializeEncoding(XML_Parser parser); + static enum XML_Error + doProlog(XML_Parser parser, const ENCODING *enc, const char *s, + const char *end, int tok, const char *next, const char **nextPtr, +- XML_Bool haveMore); ++ XML_Bool haveMore, XML_Bool allowClosingDoctype); + static enum XML_Error + processInternalEntity(XML_Parser parser, ENTITY *entity, + XML_Bool betweenDecl); +@@ -4232,7 +4232,7 @@ externalParEntProcessor(XML_Parser parser, + + parser->m_processor = prologProcessor; + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error PTRCALL +@@ -4282,7 +4282,7 @@ prologProcessor(XML_Parser parser, + const char *next = s; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error +@@ -4293,7 +4293,7 @@ doProlog(XML_Parser parser, + int tok, + const char *next, + const char **nextPtr, +- XML_Bool haveMore) ++ XML_Bool haveMore, XML_Bool allowClosingDoctype) + { + #ifdef XML_DTD + static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' }; +@@ -4472,6 +4472,11 @@ doProlog(XML_Parser parser, + } + break; + case XML_ROLE_DOCTYPE_CLOSE: ++ if (allowClosingDoctype != XML_TRUE) { ++ /* Must not close doctype from within expanded parameter entities */ ++ return XML_ERROR_INVALID_TOKEN; ++ } ++ + if (parser->m_doctypeName) { + parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, + parser->m_doctypeSysid, parser->m_doctypePubid, 0); +@@ -5409,7 +5414,7 @@ processInternalEntity(XML_Parser 
parser, ENTITY *entity, + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_FALSE); + } + else + #endif /* XML_DTD */ +@@ -5456,7 +5461,7 @@ internalEntityProcessor(XML_Parser parser, + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_FALSE); + } + else + #endif /* XML_DTD */ +@@ -5483,7 +5488,7 @@ internalEntityProcessor(XML_Parser parser, + parser->m_processor = prologProcessor; + tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + else + #endif /* XML_DTD */ + diff --git a/main/faad2/APKBUILD b/main/faad2/APKBUILD index ae578853f46..4cde4b96950 100644 --- a/main/faad2/APKBUILD +++ b/main/faad2/APKBUILD 
@@ -1,21 +1,21 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=faad2 -pkgver=2.7 -pkgrel=7 +pkgver=2.9.0 +_pkgver="${pkgver//./_}" +pkgrel=0 pkgdesc="ISO AAC audio decoder" -url="http://www.audiocoding.com/" +url="https://github.com/knik0/faad2" arch="all" license="custom:GPL" subpackages="$pkgname-dev $pkgname-doc" depends= makedepends="autoconf automake libtool" -source="http://downloads.sourceforge.net/sourceforge/faac/$pkgname-$pkgver.tar.bz2 - automake.patch" +source="$pkgname-$pkgver.tar.gz::https://github.com/knik0/faad2/archive/$_pkgver.tar.gz" +builddir="$srcdir/$pkgname-$_pkgver" -_builddir="$srcdir"/$pkgname-$pkgver +_builddir="$srcdir"/$pkgname-$_pkgver prepare() { cd "$_builddir" - update_config_sub || return 1 for i in $source; do case $i in *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; @@ -23,6 +23,26 @@ prepare() { done } +# secfixes: +# 2.9.0-r0: +# - CVE-2019-6956 +# - CVE-2018-20196 +# - CVE-2018-20199 +# - CVE-2018-20360 +# - CVE-2018-20362 +# - CVE-2018-19504 +# - CVE-2018-20195 +# - CVE-2018-20198 +# - CVE-2018-20358 +# - CVE-2018-20194 +# - CVE-2018-19503 +# - CVE-2018-20197 +# - CVE-2018-20357 +# - CVE-2018-20359 +# - CVE-2018-20361 +# - CVE-2019-15296 +# - CVE-2018-19502 + build() { cd "$_builddir" 
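Review bot: The first faad2 hunk leaves two variables for the same directory, `builddir="$srcdir/$pkgname-$_pkgver"` followed by `_builddir="$srcdir"/$pkgname-$_pkgver`, while every function still does `cd "$_builddir"`; keeping only `builddir` and pointing the `cd` lines at it would match the other APKBUILDs in this commit. With automake.patch gone, the `for i in $source ... *.patch)` loop in prepare() has nothing left to apply, so prepare() can be dropped in favour of the default. The second hunk puts the `# secfixes:` block between prepare() and build(), whereas the other packages touched here keep it directly after `builddir=`.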
@@ -43,12 +63,6 @@ build() { package() { cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 - install -m644 common/mp4ff/mp4ff_int_types.h "$pkgdir"/usr/include/mp4ff_int_types.h || return 1 } -md5sums="4c332fa23febc0e4648064685a3d4332 faad2-2.7.tar.bz2 -28b178eddf06bda888fe048abc65d57f automake.patch" -sha256sums="14561b5d6bc457e825bfd3921ae50a6648f377a9396eaf16d4b057b39a3f63b5 faad2-2.7.tar.bz2 -e7b9c8231dfd9227b27ff8c1e8a9be678abf73ce4ce0d3ee9333cb19608fdcfd automake.patch" -sha512sums="0934aa9b752b5d86879d94156dea02595e2428340d0cf44202ffea369895b21a9aadbb4833a39212c9a79429b409eb108706b1f523bfddd32809b53730d50947 faad2-2.7.tar.bz2 -0b66cfa240529a2139b47cb8dc87c4b43a451b906d66ef7d211fb509358b1493ceee13894516c2f552b33eae74640910e97957caa49dade2597ebd9777152a9e automake.patch" +sha512sums="1756b2672f9e438a56b11160ddc77fc721d85860eaa325a3ff01b51a2524baf4c1c61068a97cbc4e99d47e7643f10e1d6afb997eede3295b44551fe4661fb5dc faad2-2.9.0.tar.gz" diff --git a/main/faad2/automake.patch b/main/faad2/automake.patch deleted file mode 100644 index 809031eb006..00000000000 --- a/main/faad2/automake.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- ./configure.in.orig 2012-12-31 10:42:26.394219312 +0000 -+++ ./configure.in 2012-12-31 10:42:43.294360781 +0000 -@@ -25,7 +25,7 @@ - AC_PROG_MAKE_SET - AC_CHECK_PROGS(RPMBUILD, rpmbuild, rpm) - --AM_CONFIG_HEADER(config.h) -+AC_CONFIG_HEADER(config.h) - - AC_ARG_WITH(xmms,[ --with-xmms compile XMMS-1 plugin], - WITHXMMS=$withval, WITHXMMS=no) diff --git a/main/file/APKBUILD b/main/file/APKBUILD index 58477ab711d..fd9fbd1d604 100644 --- a/main/file/APKBUILD +++ b/main/file/APKBUILD 
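Review bot: The package() hunk drops `install -m644 common/mp4ff/mp4ff_int_types.h ...` without recording why; if faad2 2.9.0 no longer ships that header this is plain cleanup, but if it does, $pkgname-dev loses a header earlier releases installed and any in-tree consumer of it fails at build time — worth confirming against the 2.9.0 tarball and the reverse dependencies before merging. A one-line comment in package(), e.g. `# mp4ff_int_types.h is not shipped by upstream 2.9.0` (wording to be confirmed), would preserve the decision for the next bump.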
@@ -2,15 +2,27 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=file pkgver=5.32 -pkgrel=0 +pkgrel=2 pkgdesc="File type identification utility" url="http://www.darwinsys.com/file/" arch="all" license="BSD" subpackages="$pkgname-dev $pkgname-doc libmagic" -source="ftp://ftp.astron.com/pub/$pkgname/$pkgname-$pkgver.tar.gz" +source="ftp://ftp.astron.com/pub/$pkgname/$pkgname-$pkgver.tar.gz + CVE-2019-8906.patch + CVE-2019-8905-and-CVE-2019-8907.patch + CVE-2019-18218.patch + " builddir="$srcdir/$pkgname-$pkgver" +# secfixes: +# 5.32-r2: +# - CVE-2019-18218 +# 5.32-r1: +# - CVE-2019-8905 +# - CVE-2019-8906 +# - CVE-2019-8907 + build() { cd "$builddir" ./configure \ @@ -37,4 +49,7 @@ libmagic() { mv "$pkgdir"/usr/lib "$pkgdir"/usr/share "$subpkgdir"/usr } -sha512sums="315343229fa196335389544ee8010e9e80995ef4721938492dedcfb0465dfc45e1feb96f26dfe53cab484fb5d9bac54d2d72917fbfd28a1d998c6ad8c8f9792f file-5.32.tar.gz" +sha512sums="315343229fa196335389544ee8010e9e80995ef4721938492dedcfb0465dfc45e1feb96f26dfe53cab484fb5d9bac54d2d72917fbfd28a1d998c6ad8c8f9792f file-5.32.tar.gz +f54a16dbca2b5a490405e323924fb2657cc67f73648ad5203b41c13da1dc98e5ca64fc6c94415386538d3c2124f487fc3bf86082ce1571a24d05f5a5e213da08 CVE-2019-8906.patch +5b8058fd39d9f9d91c7d8377708068dc0161abdbbb7fdb3d1bd9358b297133e425252758b45cccec937a7c51226d4f6dd67f5a13ff935a4353a44f140f011a7e CVE-2019-8905-and-CVE-2019-8907.patch +d70c5d298db7f70c45feaeebb077f076e6f1b5bcccb85926afeead64838436fd42681541d56f4fbe35b97dd76bfdbf3abf2665894c18999b37d2ca3fe2f2cf17 CVE-2019-18218.patch" diff --git a/main/file/CVE-2019-18218.patch b/main/file/CVE-2019-18218.patch new file mode 100644 index 00000000000..e7eba449222 --- /dev/null +++ b/main/file/CVE-2019-18218.patch 
@@ -0,0 +1,40 @@ +Source: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 + +diff --git a/src/cdf.c b/src/cdf.c +index 556a3ff..8bb0a6d 100644 +--- a/src/cdf.c ++++ b/src/cdf.c +@@ -1013,8 +1013,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + } + nelements = CDF_GETUINT32(q, 1); +- if (nelements == 0) { +- DPRINTF(("CDF_VECTOR with nelements == 0\n")); ++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { ++ DPRINTF(("CDF_VECTOR with nelements == %" ++ SIZE_T_FORMAT "u\n", nelements)); + goto out; + } + slen = 2; +@@ -1056,8 +1057,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + inp += nelem; + } +- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", +- nelements)); + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { +diff --git a/src/cdf.h b/src/cdf.h +index 2f7e554..0505666 100644 +--- a/src/cdf.h ++++ b/src/cdf.h +@@ -48,6 +48,7 @@ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT 10000 ++#define CDF_ELEMENT_LIMIT 100000 + + #define CDF_SECID_NULL 0 + #define CDF_SECID_FREE -1 + diff --git a/main/file/CVE-2019-8905-and-CVE-2019-8907.patch b/main/file/CVE-2019-8905-and-CVE-2019-8907.patch new file mode 100644 index 00000000000..d81c54636fb --- /dev/null +++ b/main/file/CVE-2019-8905-and-CVE-2019-8907.patch 
@@ -0,0 +1,102 @@ +diff --git a/src/file.h b/src/file.h +index eb9c054..6d9d204 100644 +--- a/src/file.h ++++ b/src/file.h +@@ -491,7 +491,7 @@ protected int file_looks_utf8(const unsigned char *, size_t, unichar *, + size_t *); + protected size_t file_pstring_length_size(const struct magic *); + protected size_t file_pstring_get_length(const struct magic *, const char *); +-protected char * file_printable(char *, size_t, const char *); ++protected char * file_printable(char *, size_t, const char *, size_t); + #ifdef __EMX__ + protected int file_os2_apptype(struct magic_set *, const char *, const void *, + size_t); +diff --git a/src/funcs.c b/src/funcs.c +index d7a18f4..eb44261 100644 +--- a/src/funcs.c ++++ b/src/funcs.c +@@ -581,12 +581,13 @@ file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb) + * convert string to ascii printable format. + */ + protected char * +-file_printable(char *buf, size_t bufsiz, const char *str) ++file_printable(char *buf, size_t bufsiz, const char *str, size_t slen) + { +- char *ptr, *eptr; ++ char *ptr, *eptr = buf + bufsiz - 1; + const unsigned char *s = (const unsigned char *)str; ++ const unsigned char *es = s + slen; + +- for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) { ++ for (ptr = buf; ptr < eptr && s < es && *s; s++) { + if (isprint(*s)) { + *ptr++ = *s; + continue; +diff --git a/src/readelf.c b/src/readelf.c +index 5f425c9..ee466fc 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -725,7 +725,7 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, + if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, " + "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)", + file_printable(sbuf, sizeof(sbuf), +- CAST(char *, pi.cpi_name)), ++ CAST(char *, pi.cpi_name), sizeof(pi.cpi_name)), + elf_getu32(swap, pi.cpi_pid), + elf_getu32(swap, pi.cpi_euid), + elf_getu32(swap, pi.cpi_egid), +@@ -1563,7 +1563,8 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off, + return -1; + if 
(interp[0]) + if (file_printf(ms, ", interpreter %s", +- file_printable(ibuf, sizeof(ibuf), interp)) == -1) ++ file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp))) ++ == -1) + return -1; + return 0; + } +diff --git a/src/softmagic.c b/src/softmagic.c +index b9e9753..fa82d58 100644 +--- a/src/softmagic.c ++++ b/src/softmagic.c +@@ -544,8 +544,8 @@ mprint(struct magic_set *ms, struct magic *m) + case FILE_LESTRING16: + if (m->reln == '=' || m->reln == '!') { + if (file_printf(ms, F(ms, m, "%s"), +- file_printable(sbuf, sizeof(sbuf), m->value.s)) +- == -1) ++ file_printable(sbuf, sizeof(sbuf), m->value.s, ++ sizeof(m->value.s))) == -1) + return -1; + t = ms->offset + m->vallen; + } +@@ -572,7 +572,8 @@ mprint(struct magic_set *ms, struct magic *m) + } + + if (file_printf(ms, F(ms, m, "%s"), +- file_printable(sbuf, sizeof(sbuf), str)) == -1) ++ file_printable(sbuf, sizeof(sbuf), str, ++ sizeof(p->s) - (str - p->s))) == -1) + return -1; + + if (m->type == FILE_PSTRING) +@@ -678,7 +679,7 @@ mprint(struct magic_set *ms, struct magic *m) + return -1; + } + rval = file_printf(ms, F(ms, m, "%s"), +- file_printable(sbuf, sizeof(sbuf), cp)); ++ file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len)); + free(cp); + + if (rval == -1) +@@ -705,7 +706,8 @@ mprint(struct magic_set *ms, struct magic *m) + break; + case FILE_DER: + if (file_printf(ms, F(ms, m, "%s"), +- file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1) ++ file_printable(sbuf, sizeof(sbuf), ms->ms_value.s, ++ sizeof(ms->ms_value.s))) == -1) + return -1; + t = ms->offset; + break; + diff --git a/main/file/CVE-2019-8906.patch b/main/file/CVE-2019-8906.patch new file mode 100644 index 00000000000..05ff2c73fdf --- /dev/null +++ b/main/file/CVE-2019-8906.patch 
@@ -0,0 +1,14 @@ +diff --git a/src/readelf.c b/src/readelf.c +index 5f425c9..50883fe 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -720,7 +720,7 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, + char sbuf[512]; + struct NetBSD_elfcore_procinfo pi; + memset(&pi, 0, sizeof(pi)); +- memcpy(&pi, nbuf + doff, descsz); ++ memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi))); + + if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, " + "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)", + diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD index b0fc3b4494f..50456704b0e 100644 --- a/main/freeradius/APKBUILD +++ b/main/freeradius/APKBUILD @@ -5,7 +5,7 @@ pkgname=freeradius _realname=freeradius pkgver=3.0.15 -pkgrel=4 +pkgrel=5 pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server" url="http://freeradius.org/" arch="all" @@ -32,10 +32,13 @@ source="ftp://ftp.freeradius.org/pub/freeradius/old/$_realname-server-$pkgver.ta fix-scopeid.patch freeradius-313-default-config.patch CVE-2019-11234-5.patch + CVE-2019-10143.patch " builddir="$srcdir"/$_realname-server-$pkgver # secfixes: +# 3.0.17-r5: +# - CVE-2019-10143 # 3.0.15-r4: # - CVE-2019-11234 # - CVE-2019-11235 
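Review bot: The secfixes header added in the second freeradius hunk says `# 3.0.17-r5:` while the package being built is pkgver=3.0.15 with pkgrel=5, so it should read `# 3.0.15-r5:`. As written the secdb would record CVE-2019-10143 as fixed only from 3.0.17-r5, a version this branch does not ship, and tooling that consumes the secdb would likely keep reporting the 3.0.15-r5 package as affected.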
@@ -289,4 +292,5 @@ ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a74202 c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch 41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234 fix-scopeid.patch 666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e freeradius-313-default-config.patch -05b19e1b4d43eac3ddb2f1d62a31bedb2e3386bdafc0253506304d46e6ea41f1bf798c28d3b1207341c4c9d17de0775a9ca8aa2b9c27a90c92d21c0a73ee6477 CVE-2019-11234-5.patch" +05b19e1b4d43eac3ddb2f1d62a31bedb2e3386bdafc0253506304d46e6ea41f1bf798c28d3b1207341c4c9d17de0775a9ca8aa2b9c27a90c92d21c0a73ee6477 CVE-2019-11234-5.patch +5506cc095553c2024319f0818fd317c02c0aa52f306b506e44f661f2f600874426118decdc2313a2da8313bff3578d364262f947faa9198595a830764a336b57 CVE-2019-10143.patch" diff --git a/main/freeradius/CVE-2019-10143.patch b/main/freeradius/CVE-2019-10143.patch new file mode 100644 index 00000000000..528550aa822 --- /dev/null +++ b/main/freeradius/CVE-2019-10143.patch 
@@ -0,0 +1,94 @@ +From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel <ascheel@redhat.com> +Date: Tue, 7 May 2019 16:04:29 -0400 +Subject: [PATCH] su to radiusd user/group when rotating logs + +The su directive to logrotate ensures that log rotation happens under the +owner of the logs. Otherwise, logrotate runs as root:root, potentially +enabling privilege escalation if a RCE is discovered against the +FreeRADIUS daemon. + +Signed-off-by: Alexander Scheel <ascheel@redhat.com> +--- + debian/freeradius.logrotate | 3 +++ + redhat/freeradius-logrotate | 1 + + scripts/logrotate/freeradius | 3 +++ + suse/radiusd-logrotate | 1 + + 4 files changed, 8 insertions(+) + +diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate +index 7d837d53bd..a8d29b7adf 100644 +--- a/debian/freeradius.logrotate ++++ b/debian/freeradius.logrotate +@@ -9,6 +9,7 @@ + notifempty + + copytruncate ++ su freerad freerad + } + + # (in order) +@@ -26,6 +27,7 @@ + notifempty + + nocreate ++ su freerad freerad + } + + # There are different detail-rotating strategies you can use. One is +@@ -45,4 +47,5 @@ + notifempty + + nocreate ++ su freerad freerad + } +diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate +index 360765ddc4..bb97ca5547 100644 +--- a/redhat/freeradius-logrotate ++++ b/redhat/freeradius-logrotate +@@ -9,6 +9,7 @@ rotate 4 + missingok + compress + delaycompress ++su radiusd radiusd + + # + # The main server log +diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius +index 3de435e76e..eecf63175a 100644 +--- a/scripts/logrotate/freeradius ++++ b/scripts/logrotate/freeradius +@@ -17,6 +17,7 @@ + notifempty + + copytruncate ++ su radiusd radiusd + } + + # (in order) +@@ -34,6 +35,7 @@ + notifempty + + nocreate ++ su radiusd radiusd + } + + # There are different detail-rotating strategies you can use. 
One is +@@ -53,4 +55,5 @@ + notifempty + + nocreate ++ su radiusd radiusd + } +diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate +index 24d56be1a9..be5a797684 100644 +--- a/suse/radiusd-logrotate ++++ b/suse/radiusd-logrotate +@@ -11,6 +11,7 @@ missingok + compress + delaycompress + notifempty ++su radiusd radiusd + + # + # The main server log diff --git a/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch b/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch new file mode 100644 index 00000000000..463ae601d76 --- /dev/null +++ b/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch 
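Review bot: The patch only edits the four upstream distro logrotate templates (debian/, redhat/, scripts/logrotate/, suse/), and nothing in this commit shows which of them, if any, the Alpine package installs; if the APKBUILD ships its own logrotate file for the radius logs, the `su radiusd radiusd` directive has to be added there too, otherwise the CVE-2019-10143 secfixes entry overstates what changed. The user and group in the directive also need to match the account the Alpine package runs radiusd as — confirm against package() and the pre-install script before relying on this patch.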
@@ -0,0 +1,436 @@ +From: Ray Johnston <ray.johnston@artifex.com> +Date: Thu, 31 Jan 2019 11:31:30 -0800 +Subject: Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp). +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3839 + +We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict +where needed so we can undef it after the last PDF interp file has +run (pdf_sec.ps). +--- + Resource/Init/pdf_base.ps | 11 ++++----- + Resource/Init/pdf_draw.ps | 59 +++++++++++++++++++++++------------------------ + Resource/Init/pdf_font.ps | 9 ++++---- + Resource/Init/pdf_main.ps | 25 ++++++++++---------- + Resource/Init/pdf_ops.ps | 11 +++++---- + Resource/Init/pdf_sec.ps | 4 +++- + 6 files changed, 60 insertions(+), 59 deletions(-) + +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +index e35e0e3731d4..13dd51f46793 100644 +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -23,7 +23,6 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse + pdfdict begin + + % Define the name interpretation dictionary for reading values. +@@ -133,11 +132,11 @@ currentdict /num-chars-dict .undef + + /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ? 
+ PDFDEBUG { +- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if ++ //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if + PDFSTEP { +- pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput ++ //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput + PDFSTEPcount 1 gt { +- pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput ++ //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput + } executeonly + { + dup ==only +@@ -145,10 +144,10 @@ currentdict /num-chars-dict .undef + ( ? ) print flush 1 //false .outputpage + (%stdin) (r) file 255 string readline { + token { +- exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput ++ exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput + } executeonly + { +- pdfdict /PDFSTEPcount 1 .forceput ++ //pdfdict /PDFSTEPcount 1 .forceput + } executeonly ifelse % token + } { + pop /PDFSTEP //false def % EOF on stdin +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index 36c41a9a30c2..2e39c87d207c 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -18,8 +18,7 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse +-GS_PDF_ProcSet begin ++/GS_PDF_ProcSet load begin + pdfdict begin + + % For simplicity, we use a single interpretation dictionary for all +@@ -113,7 +112,7 @@ pdfdict begin + + /resolvefunction { % <fndict> resolvefunction <function> + .resolvefn +- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if ++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if + } bind executeonly def + + /resolvefnproc { % <fndict> resolvefnproc <proc> +@@ -1086,7 +1085,7 @@ currentdict end readonly def + %% finished running the PaintProc. 
+ + /.actual_pdfpaintproc { % <patdict> <resdict> .pdfpaintproc - +- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if ++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if + PDFfile fileposition 3 1 roll + q + 1 index /PaintType oget 1 eq { +@@ -1121,21 +1120,21 @@ currentdict end readonly def + Q + }{ + (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n) +- pdfdict /.Qqwarning_issued .knownget ++ //pdfdict /.Qqwarning_issued .knownget + { + { + pop + } + { +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //true .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse + } + { +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //true .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +@@ -1144,21 +1143,21 @@ currentdict end readonly def + } loop + { + (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) +- pdfdict /.Qqwarning_issued .knownget ++ //pdfdict /.Qqwarning_issued .knownget + { + { + pop + } + { +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //true .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse + } + { +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //true .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +@@ -1169,7 +1168,7 @@ currentdict end readonly def + /pdfemptycount exch def + + Q +- PDFDEBUG { pdfdict 
/PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if ++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if + PDFfile exch setfileposition + } bind executeonly odef + +@@ -1240,7 +1239,7 @@ currentdict end readonly def + ] cvx put + dup /BBox 2 copy knownoget { normrect FixPatternBBox put } { pop pop } ifelse + dup /.pattern_uses_transparency 1 index patternusestransparency put +- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if ++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if + } bind executeonly def + + /ignore_color_op ( **** Error: Ignoring a color operation in a cached context.\n Output may be incorrect.\n) readonly def +@@ -2361,16 +2360,16 @@ currentdict /last-ditch-bpc-csp undef + } bind executeonly def + + /IncrementAppearanceNumber { +- pdfdict /AppearanceNumber .knownget { +- 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput ++ //pdfdict /AppearanceNumber .knownget { ++ 1 add //pdfdict /AppearanceNumber 3 -1 roll .forceput + } executeonly + { +- pdfdict /AppearanceNumber 0 .forceput ++ //pdfdict /AppearanceNumber 0 .forceput + } executeonly ifelse + }bind executeonly odef + + /MakeAppearanceName { +- pdfdict /AppearanceNumber get ++ //pdfdict /AppearanceNumber get + 10 string cvs + dup length 10 add string dup 0 (\{FormName) putinterval + dup 3 -1 roll +@@ -2391,17 +2390,17 @@ currentdict /last-ditch-bpc-csp undef + gsave initclip + MakeNewAppearanceName + .pdfFormName +- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch +- pdfdict /.PreservePDFForm true .forceput ++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch ++ //pdfdict /.PreservePDFForm true .forceput + DoForm +- pdfdict /.PreservePDFForm 3 -1 roll .forceput ++ //pdfdict 
/.PreservePDFForm 3 -1 roll .forceput + grestore + } bind executeonly odef + + /DoForm { + %% save the current value, if its true we will set it to false later, in order + %% to prevent us preserving Forms which are used *from* an annotation /Appearance. +- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch ++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch + + %% We may alter the Default* colour spaces, if the Resources + %% ColorSpace entry contains one of them. But we don't want that +@@ -2516,13 +2515,13 @@ currentdict /last-ditch-bpc-csp undef + pdfemptycount countdictstack 3 -1 roll + /pdfemptycount count 4 sub store + +- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get}{//false} ifelse ++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get}{//false} ifelse + { + %% We must *not* preserve any subsidiary forms (curently at least) as PDF + %% form preservation doesn't really work. This is used just for Annotation + %% Appearances currently, and if they should happen to use a form, we do not + %% want to preserve it. 
+- pdfdict /.PreservePDFForm false .forceput ++ //pdfdict /.PreservePDFForm false .forceput + /q cvx /execform cvx 5 -2 roll + } executeonly + { +@@ -2555,7 +2554,7 @@ currentdict /last-ditch-bpc-csp undef + saved_DCMYK /DefaultCMYK exch /ColorSpace defineresource pop + end + } if +- pdfdict /.PreservePDFForm 3 -1 roll .forceput ++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput + } bind executeonly odef + + /_dops_save 1 array def +@@ -2714,13 +2713,13 @@ drawopdict begin + % Start by getting the object number for a Form XObject + dup Page /XObject obj_get dup 0 eq not { + % Now get the recording dictionary and see if that object number has been seen +- pdfdict /Recursive_XObject_D get 1 index known { ++ //pdfdict /Recursive_XObject_D get 1 index known { + ( **** Error: Recursive XObject detected, ignoring ") print 1 index 256 string cvs print (", object number ) print 256 string cvs print (\n) print + ( Output may be incorrect.\n) pdfformaterror + //false + }{ + % We haven't seen it yet, so record it. 
+- pdfdict /Recursive_XObject_D get 1 index null put ++ //pdfdict /Recursive_XObject_D get 1 index null put + 3 1 roll + //true + }ifelse +@@ -2758,7 +2757,7 @@ drawopdict begin + ( Output may be incorrect.\n) pdfformaterror + } ifelse + PDFfile exch setfileposition +- pdfdict /Recursive_XObject_D get exch undef ++ //pdfdict /Recursive_XObject_D get exch undef + }{ + % Otherwise ignore it and tidy up the stacks + pop pop +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index 7e35c02ac132..6b09be61f8f2 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -37,8 +37,7 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse +-GS_PDF_ProcSet begin ++/GS_PDF_ProcSet load begin % from userdict at this point + pdfdict begin + + % We cache the PostScript font in an additional element of the +@@ -1227,11 +1226,11 @@ currentdict /eexec_pdf_param_dict .undef + .pdfruncontext + countdictstack BuildCharDictDepth sub + { +- pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse ++ //pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse + { + (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) + pdfformatwarning +- pdfdict /.Qqwarning_issued //true .forceput ++ //pdfdict /.Qqwarning_issued //true .forceput + } executeonly if + Q + } repeat +@@ -2361,7 +2360,7 @@ currentdict /bndef undef + dup //null eq + {pop} + { +- pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if ++ //pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if + exch dup /.OrigUniqueIDXUID .knownget not + { + dup /XUID .knownget not +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index 0a8929a2ac14..c1de1b0ef05c 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -18,8 +18,9 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + 
.currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse + pdfdict begin ++/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it ++userdict /GS_PDF_ProcSet undef + + % Patch in an obsolete variable used by some third-party software. + /#? //false def +@@ -304,8 +305,8 @@ currentdict /runpdfstring .undef + /Page //null def + /DSCPageCount 0 def + /PDFSave //null def +- GS_PDF_ProcSet begin +- pdfdict begin ++ //pdfdict /GS_PDF_ProcSet get begin ++ //pdfdict begin + pdfopen begin + /CumulativePageCount currentpagedevice /PageCount get def + } bind executeonly def +@@ -624,7 +625,7 @@ currentdict /runpdfstring .undef + %% copied to a temporary file) and store it in pdfdict. We will use this for + %% hashing fonts to detect if fonts with the same name are from different files. + %% +- dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch pdfdict 3 1 roll .forceput ++ dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch //pdfdict 3 1 roll .forceput + + //runpdfbegin exec + //pdf_collection_files exec +@@ -1390,7 +1391,7 @@ currentdict /xref-char-dict undef + } bind executeonly def + + /pdfopenfile { % <file> pdfopenfile <dict> +- pdfdict readonly pop % can't do it any earlier than this ++ //pdfdict readonly pop % can't do it any earlier than this + 32 dict begin + /LocalResources 0 dict def + /DefaultQstate //null def % establish binding +@@ -2717,21 +2718,21 @@ currentdict /PDF2PS_matrix_key undef + StreamRunAborted not { + (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) + +- pdfdict /.Qqwarning_issued .knownget ++ //pdfdict /.Qqwarning_issued .knownget + { + { + pop + } + { +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //true .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse + } + 
{ +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //true .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +@@ -2743,8 +2744,8 @@ currentdict /PDF2PS_matrix_key undef + Repaired % pass Repaired state around the restore + RepairedAnError + PDFSave restore +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //false .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //false .forceput + .setglobal + /RepairedAnError exch def + /Repaired exch def +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +index 34e2fbd5861a..46de547f7a98 100644 +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -24,6 +24,7 @@ + systemdict /pdfmark known not + { userdict /pdfmark { cleartomark } bind executeonly put } if + ++systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse + userdict /GS_PDF_ProcSet 256 dict dup begin + + % ---------------- Abbreviations ---------------- % +@@ -174,21 +175,21 @@ currentdict /gput_always_allow .undef + { + (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n) + +- pdfdict /.Qqwarning_issued .knownget ++ //pdfdict /.Qqwarning_issued .knownget + { + { + pop + } + { +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //true .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse + } + { +- currentglobal pdfdict gcheck .setglobal +- pdfdict /.Qqwarning_issued //true .forceput ++ currentglobal //pdfdict gcheck .setglobal ++ //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +diff --git a/Resource/Init/pdf_sec.ps b/Resource/Init/pdf_sec.ps +index d8cc94c86574..163dd687764e 100644 +--- a/Resource/Init/pdf_sec.ps ++++ 
b/Resource/Init/pdf_sec.ps +@@ -39,7 +39,6 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse + pdfdict begin + + % Older ghostscript versions do not have .pdftoken, so we use 'token' instead. +@@ -748,4 +747,7 @@ currentdict /PDFScanRules_null undef + } bind executeonly def + + end % pdfdict ++ ++systemdict /pdfdict .forceundef % hide pdfdict ++ + .setglobal +-- +2.11.0 + diff --git a/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch b/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch new file mode 100644 index 00000000000..5da83ab565c --- /dev/null +++ b/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch 
@@ -0,0 +1,41 @@ +From: Ray Johnston <ray.johnston@artifex.com> +Date: Mon, 18 Feb 2019 12:11:45 -0800 +Subject: Bug 700599: Issue an error message if an ExtGstate is not found. +Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=be86d2ff2f0f0ea0e365707f3be0fa0c9e7315ee +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=700599 + +Previously, this was silently ignored. Only issue a single warning, +and respect PDFSTOPONERROR to prevent continuing with potentially +incorrect output. + +Note that tests_private/pdf/uploads/bug696410.pdf also now gets this +error message (ExtGState" instead of ExtGState in object 10). +--- + Resource/Init/pdf_draw.ps | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index 75b5eb622b52..c0201ad65da2 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -494,7 +494,16 @@ end + dup { + oforce exch gsparamdict exch .knownget { exec } { pop } ifelse + } forall pop +- } if ++ } { ++ //pdfdict /.gs_warning_issued known not { ++ (\n **** Error 'gs' ignored -- ExtGState missing from Resources.\n) ++ pdfformaterror ++ ( Output may be incorrect.\n) pdfformaterror ++ //pdfdict /.gs_warning_issued //true .forceput ++ PDFSTOPONERROR { /gs /undefined signalerror } if ++ } if ++ } ++ ifelse + } bind executeonly def + + % ------ Transparency support ------ % +-- +2.20.1 + diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD index ac139d32cb0..ac04652d3fb 100644 --- a/main/ghostscript/APKBUILD +++ b/main/ghostscript/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Cameron Banta <cbanta@gmail.com> pkgname=ghostscript pkgver=9.26 -pkgrel=2 +pkgrel=4 pkgdesc="An interpreter for the PostScript language and for PDF" url="https://ghostscript.com/" arch="all" 
@@ -12,22 +12,31 @@ makedepends="autoconf automake libjpeg-turbo-dev libpng-dev jasper-dev expat-dev cups-dev libtool jbig2dec-dev openjpeg-dev" subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk" source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostscript-$pkgver.tar.gz - https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/0001-Bug700317-Address-.force-operators-exposure.tgz CVE-2019-6116.patch CVE-2019-3835.patch CVE-2019-3838.patch + CVE-2019-10216.patch ghostscript-system-zlib.patch fix-sprintf.patch + CVE-2019-14811-14812-14813.patch + 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch + 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch + CVE-2019-14817.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 9.26-r4: +# - CVE-2019-14811 +# - CVE-2019-14812 +# - CVE-2019-14813 +# - CVE-2019-14817 +# 9.26-r3: +# - CVE-2019-10216 # 9.26-r2: # - CVE-2019-3835 # - CVE-2019-3838 # - CVE-2019-6116 -# 9.26-r1: -# - CVE-2019-6116 # 9.26-r0: # - CVE-2018-19409 # - CVE-2018-19475 
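Review bot: The new patch entries in `source=` are order-dependent but nothing says so: `0002-Bug-700599-...patch` adds the `//pdfdict /.gs_warning_issued` branch that `CVE-2019-14817.patch` then rewrites (its pdf_draw.ps hunk at `@@ -501,8 +501,8 @@` has those lines as context), and both rely on the `//pdfdict` form introduced by `0001-Hide-pdfdict-...patch`. A later alphabetical tidy-up of the list would make `prepare()` fail, so add a comment above the list, e.g. `# patch order matters: 0001-Hide-pdfdict -> 0002-Bug-700599 -> CVE-2019-14817 (each patches lines added by the previous one)`. `0002-Bug-700599` is also a behaviour change (a new error and a `PDFSTOPONERROR` abort for a missing ExtGState) rather than a CVE fix; if it is carried only as a prerequisite for CVE-2019-14817, say so in the same comment. The dropped `0001-Bug700317-Address-.force-operators-exposure.tgz` likewise deserves a one-line note on what superseded it, since the secfixes block does not mention that change.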
@@ -134,9 +143,13 @@ gtk() { } sha512sums="670159c23618ffafa85c671642bf182a107a82c053a1fd8c3f45f73f203524077be1b212d2ddbabae7892c7713922877e03b020f78bd2aab1ae582c4fc7d820a ghostscript-9.26.tar.gz -289d916a0b0da410e6f721e42bc44659c91c66ca0f7b96b1a6b010ae1c25e47788e282edc3578b4e4b120a2c684c7b1fd4cc574084bdc9cbbf6e431a01fbae0e 0001-Bug700317-Address-.force-operators-exposure.tgz +78564c1dd878cb6a924663cb5d61901a413a867dedc8753e537e08a4da9cc0aaeb817bab266fd66e5d0e871d9ed6078af6e6f455b5426e0917875682d76638f5 CVE-2019-6116.patch 31769852e75be4e1cd0e7c3f43cc7b3457bf9ba505fc2a5acda53779cc5626854bf15fef3e225f3d922f4038dd18c598dbac30abb863159202e4d0fe02c02d3b CVE-2019-3835.patch dc3bd1de86e4a968ed35a35a125f682cffeed51fe4dbf9b3939dd78b07ef0748fe6b34816e689bcfffb4f819e51bcb5022f3151a5610aa24fd2468cdcbc665ea CVE-2019-3838.patch -78564c1dd878cb6a924663cb5d61901a413a867dedc8753e537e08a4da9cc0aaeb817bab266fd66e5d0e871d9ed6078af6e6f455b5426e0917875682d76638f5 CVE-2019-6116.patch +f89744b17922b7d9c04c6de69ce35fa621732e4373eccc158b7ff6a9e56d2cf0bbea30c28119f4808864ca584e94342e5125d7bcc6195252455b5f223f379e3f CVE-2019-10216.patch 70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch -beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch" +beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch +b61a1c5d818c054463e606a9f85e4f4a308ac839f734d6200dfc3b74e3859ac64b23996ff1bf4c90a0ee95acf10dfa19d066fda0b6fb11689294d0dc4267689e CVE-2019-14811-14812-14813.patch +8036fa8a7175546dc3aae8619c92fa38016a8be132bb2a3a01f16ba66b5d9c05581dba40c1f184380b43b4e0b079d3cace7e401f9ed5fd718f36fbe7038649bc 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch 
+26ad5e996d4724a1683083c1abfdd39ebf41f5e7478a061f5713e11f2ffaf3834fe52f29e03d585044c7536b1201a97626f3640324abdc3e90b6ecc2a2db399b 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch +63b7d1a30045e454eba0bcceba52fd402c5fd9313c0057100bb98d2e82c1d61cd404826f63c4b9d7e4fdf4935c71f09a9633d43edbcd0658fb5dc5e20afc6ca0 CVE-2019-14817.patch" diff --git a/main/ghostscript/CVE-2019-10216.patch b/main/ghostscript/CVE-2019-10216.patch new file mode 100644 index 00000000000..e8dfa05a941 --- /dev/null +++ b/main/ghostscript/CVE-2019-10216.patch @@ -0,0 +1,49 @@ +From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Fri, 2 Aug 2019 15:18:26 +0100 +Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly + +--- + Resource/Init/gs_type1.ps | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index 6c7735b..a039cce 100644 +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -118,25 +118,25 @@ + ( to be the same as glyph: ) print 1 index //== exec } if + 3 index exch 3 index .forceput + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname +- } ++ }executeonly + {pop} ifelse +- } forall ++ } executeonly forall + pop pop +- } ++ } executeonly + { + pop pop pop + } ifelse +- } ++ } executeonly + { + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname + pop pop + } ifelse +- } forall ++ } executeonly forall + 3 1 roll pop pop +- } if ++ } executeonly if + pop + dup /.AGLprocessed~GS //true .forceput +- } if ++ } executeonly if + + %% We need to excute the C .buildfont1 in a stopped context so that, if there + %% are errors we can put the stack back sanely and exit. Otherwise callers won't +-- +2.9.1 + 
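Review bot: This patch records only the upstream `From:`/`Date:`/`Subject:` lines, while the other ghostscript patches added in this commit also carry `Origin:` and `Bug:` trailers, so a maintainer cannot check this copy against upstream without a search. Suggest adding, after the `Subject:` line, `Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19a8420a1bd2d5529325be35d78e94234` and `Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701394` (the hash and bug number are already in this patch's own header; the URL forms are the ones the sibling patches use). The same applies, more strongly, to `main/gvfs/CVE-2019-12447.patch` further down, which has no header at all — not even a `Subject:` — so its origin is unrecoverable from the package.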
diff --git a/main/ghostscript/CVE-2019-14811-14812-14813.patch b/main/ghostscript/CVE-2019-14811-14812-14813.patch new file mode 100644 index 00000000000..a3d6b76c846 --- /dev/null +++ b/main/ghostscript/CVE-2019-14811-14812-14813.patch 
@@ -0,0 +1,69 @@ +From: Ken Sharp <ken.sharp@artifex.com> +Date: Tue, 20 Aug 2019 10:10:28 +0100 +Subject: make .forceput inaccessible +Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701443 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14813 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701444 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14812 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701445 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14811 + +Bug #701343, #701344, #701345 + +More defensive programming. We don't want people to access .forecput +even though it is no longer sufficient to bypass SAFER. The exploit +in #701343 didn't work anyway because of earlier work to stop the error +handler being used, but nevertheless, prevent access to .forceput from +.setuserparams2. +--- + Resource/Init/gs_lev2.ps | 6 +++--- + Resource/Init/gs_pdfwr.ps | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps +index 4cc7f820f765..0fd4164650ab 100644 +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -158,7 +158,7 @@ end + { + pop pop + } ifelse +- } forall ++ } executeonly forall + % A context switch might have occurred during the above loop, + % causing the interpreter-level parameters to be reset. + % Set them again to the new values. From here on, we are safe, +@@ -229,9 +229,9 @@ end + { pop pop + } + ifelse +- } ++ } executeonly + forall pop +-} .bind odef ++} .bind executeonly odef + + % Initialize the passwords. 
+ % NOTE: the names StartJobPassword and SystemParamsPassword are known to +diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps +index c158a8faf540..422e66e1a6ca 100644 +--- a/Resource/Init/gs_pdfwr.ps ++++ b/Resource/Init/gs_pdfwr.ps +@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef + systemdict /.pdf_hooked_DSC_Creator //true .forceput + } executeonly if + pop +- } if ++ } executeonly if + } { + pop + } ifelse +- } ++ } executeonly + { + pop + } ifelse +-- +2.23.0.rc1 + diff --git a/main/ghostscript/CVE-2019-14817.patch b/main/ghostscript/CVE-2019-14817.patch new file mode 100644 index 00000000000..80cdcecb8e2 --- /dev/null +++ b/main/ghostscript/CVE-2019-14817.patch 
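Review bot: The patch header is internally inconsistent about which bugs it fixes: the `Bug:` trailers point at 701443, 701444 and 701445, but the body says `Bug #701343, #701344, #701345` and `The exploit in #701343`. One of the two sets is presumably a transposition; since the trailers are what the Debian-security links and the APKBUILD secfixes block are keyed on, confirm against the upstream commit named in `Origin:` and fix the body (or the trailers) so the vendored header does not send a future reader to the wrong tracker entries. The code hunks themselves only add `executeonly` and raise no further issue.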
@@ -0,0 +1,218 @@ +From: Ken Sharp <ken.sharp@artifex.com> +Date: Wed, 21 Aug 2019 10:10:51 +0100 +Subject: PDF interpreter - review .forceput security +Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701450 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14817 + +Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken" + +By abusing the error handler it was possible to get the PDFDEBUG portion +of .pdfexectoken, which uses .forceput left readable. + +Add an executeonly appropriately to make sure that clause isn't readable +no mstter what. + +Review all the uses of .forceput searching for similar cases, add +executeonly as required to secure those. All cases in the PostScript +support files seem to be covered already. +--- + Resource/Init/pdf_base.ps | 2 +- + Resource/Init/pdf_draw.ps | 14 +++++++------- + Resource/Init/pdf_font.ps | 29 ++++++++++++++++------------- + Resource/Init/pdf_main.ps | 6 +++--- + Resource/Init/pdf_ops.ps | 11 ++++++----- + 5 files changed, 33 insertions(+), 29 deletions(-) + +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +index 2e28cdd7181e..02503eef8bc4 100644 +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef + { + dup ==only () = flush + } ifelse % PDFSTEP +- } if % PDFDEBUG ++ } executeonly if % PDFDEBUG + 2 copy .knownget { + exch pop exch pop exch pop exec + } { +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index 11eb485f2eb7..fe3fc56c4161 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -501,8 +501,8 @@ end + ( Output may be incorrect.\n) pdfformaterror + //pdfdict /.gs_warning_issued //true .forceput + PDFSTOPONERROR { /gs /undefined signalerror } if +- } if +- } ++ } executeonly if ++ } executeonly + ifelse + } bind executeonly def + +@@ 
-1152,7 +1152,7 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput +@@ -1160,8 +1160,8 @@ currentdict end readonly def + pdfformaterror + } executeonly ifelse + end +- } ifelse +- } loop ++ } executeonly ifelse ++ } executeonly loop + { + (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) + //pdfdict /.Qqwarning_issued .knownget +@@ -1175,14 +1175,14 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + pop + + % restore pdfemptycount +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index 8b8fef8..86b1870 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -677,7 +677,7 @@ currentdict end readonly def + currentglobal 2 index dup gcheck setglobal + /FontInfo 5 dict dup 5 1 roll .forceput + setglobal +- } if ++ } executeonly if + dup /GlyphNames2Unicode .knownget not { + //true % No existing G2U, make one + } { +@@ -701,9 +701,9 @@ currentdict end readonly def + } if + PDFDEBUG { + (.processToUnicode end) = +- } if +- } if +- } stopped ++ } executeonly if ++ } executeonly if ++ } executeonly stopped + { + .dstackdepth 1 countdictstack 1 sub + {pop end} for +@@ -1298,19 +1300,20 @@ currentdict /eexec_pdf_param_dict .undef + //pdfdict /.Qqwarning_issued //true .forceput + } executeonly if + Q +- } repeat ++ } executeonly repeat + Q +- } PDFfile fileposition 2 .execn % Keep pdfcount valid. ++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid. 
+ PDFfile exch setfileposition +- } ifelse +- } { ++ } executeonly ifelse ++ } executeonly ++ { + % PDF Type 3 fonts don't use .notdef + % d1 implementation adjusts the width as needed + 0 0 0 0 0 0 + pdfopdict /d1 get exec + } ifelse + end end +- } bdef ++ } executeonly bdef + dup currentdict Encoding .processToUnicode + currentdict end .completefont exch pop + } bind executeonly odef +@@ -2124,9 +2127,9 @@ currentdict /CMap_read_dict undef + (Will continue, but content may be missing.) = flush + } ifelse + } if +- } if ++ } executeonly if + /findresource cvx /undefined signalerror +- } loop ++ } executeonly loop + } bind executeonly odef + + /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font> +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index 00d7e3682fd8..7690bae0f920 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -2771,15 +2771,15 @@ currentdict /PDF2PS_matrix_key undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if +- } if ++ } executeonly if ++ } executeonly if + pop + count PDFexecstackcount sub { pop } repeat + (after exec) VMDEBUG +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +index a15c8c6770f7..d594035c066a 100644 +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -192,14 +192,14 @@ currentdict /gput_always_allow .undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + } bind executeonly odef + + % Save PDF gstate +@@ -446,11 +446,12 @@ currentdict /gput_always_allow .undef + dup type /booleantype eq { + .currentSMask type /dicttype eq { + .currentSMask /Processed 2 
index .forceput ++ } executeonly ++ { ++ .setSMask ++ }ifelse + } executeonly + { +- .setSMask +- }ifelse +- }{ + .setSMask + }ifelse + +-- +2.23.0.rc1 + diff --git a/main/git/APKBUILD b/main/git/APKBUILD index 3fb8c48ff0f..c224548dd34 100644 --- a/main/git/APKBUILD +++ b/main/git/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=git -pkgver=2.15.3 +pkgver=2.15.4 pkgrel=0 pkgdesc="A distributed version control system" url="https://www.git-scm.com/" @@ -11,6 +11,15 @@ depends= replaces="git-perl" # secfixes: +# 2.15.4-r0: +# - CVE-2019-1348 +# - CVE-2019-1349 +# - CVE-2019-1350 +# - CVE-2019-1351 +# - CVE-2019-1352 +# - CVE-2019-1353 +# - CVE-2019-1354 +# - CVE-2019-1387 # 2.15.r-r1: # - CVE-2018-19486 # 2.15.3-r0: @@ -248,7 +257,7 @@ _git_perl() { } -sha512sums="0de84aa3511f3b2bf3311efe4ed6991b1d41c292be72a884d477cb893d28e317ec5ee915c392805d866edae019da755c39f9b5e0259fcbf1973f65a112c7670b git-2.15.3.tar.xz +sha512sums="b4a7754f0de47f8d260010185576b379da18a5c3978a151c6b0bea421dfabcc2569b40bca5f24ff4cd708837573bb4fbe4f5c886ec3e69fa8875bd43473378a2 git-2.15.4.tar.xz 85767b5e03137008d6a96199e769e3979f75d83603ac8cb13a3481a915005637409a4fd94e0720da2ec6cd1124f35eba7cf20109a94816c4b4898a81fbc46bd2 bb-tar.patch 98e4d87d492f2e65930b842e2de3f2043d737dcb1cbcb09e504a21a387ad5e5ce7fbe8f9eea2594eec302c45d0f8f069c6b6767deba1ed61b4636f43dfe2a7aa CVE-2018-19486.patch 89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd diff --git a/main/gvfs/APKBUILD b/main/gvfs/APKBUILD index 58c93dfeb47..06c058e5967 100644 --- a/main/gvfs/APKBUILD +++ b/main/gvfs/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=gvfs pkgver=1.34.1 -pkgrel=0 +pkgrel=1 pkgdesc="Backends for the gio framework in GLib" url="http://ftp.gnome.org/pub/gnome/sources/gvfs/${pkgver%.*}/" arch="all" 
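Review bot: The pdf_font.ps section appears to have been trimmed relative to the upstream commit without the header being updated: its `index 8b8fef8..86b1870` line is abbreviated where every other file section has full hashes, the diffstat claims 16 insertions and 13 deletions for that file while the hunks present add 12 lines and remove 11, and the `@@ -1298,19 +1300,20 @@` header's +2 offset implies earlier hunks that are not included here. If hunks were dropped because they do not apply to 9.26, record that in the patch header (e.g. a line `Backport: pdf_font.ps hunks not applicable to 9.26 dropped` under `Origin:`) and regenerate the diffstat. Otherwise compare against the commit in `Origin:` to make sure no `executeonly` was lost, since the whole point of the patch is closing every readable `.forceput` path.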
@@ -25,7 +25,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-smb $pkgname-mtp " -source="https://download.gnome.org/sources/gvfs/${pkgver%.*}/gvfs-$pkgver.tar.xz" +source="https://download.gnome.org/sources/gvfs/${pkgver%.*}/gvfs-$pkgver.tar.xz + CVE-2019-12448.patch + CVE-2019-12795.patch + CVE-2019-12449.patch + CVE-2019-12447.patch + " + +# secfixes: +# 1.34.1-r1: +# - CVE-2019-12447 +# - CVE-2019-12448 +# - CVE-2019-12795 +# - CVE-2019-12449 builddir="$srcdir/$pkgname-$pkgver" build() { @@ -145,4 +157,8 @@ dav() { # pkgdesc="AFC support for gvfs" #} -sha512sums="383f20c3dad1ff833f1d14466f215c7183459c0ed18d842fd09a68061e09814f2a4e33d574a0bf62bc9b6f5023721d03461eaaed86e840513f7e115662af91b6 gvfs-1.34.1.tar.xz" +sha512sums="383f20c3dad1ff833f1d14466f215c7183459c0ed18d842fd09a68061e09814f2a4e33d574a0bf62bc9b6f5023721d03461eaaed86e840513f7e115662af91b6 gvfs-1.34.1.tar.xz +a4daaf8e7f6ece24fd0fdbe0ca4cfa5a5d36189249c36779a09f6ab9033b0fcd1db47d1aaa0b5dd4b14c444cc3763d9e25e0580fb2e2021aa42bc5e6d1eef1ec CVE-2019-12448.patch +4d381da1e164c1205a4fea19b235163e22c8d1d65ea7ffb130df9c8c76395f20c4b5879111e4ba6d4f54cadbfb084b8c82434ab698e39e6ab2d1e5e0b5ab93ac CVE-2019-12795.patch +15c7c46f74049b539ae5d76d03f22b7efda39f0424b13582afca1e82ca90a03bb372ef8c42afdd21f257a46aae8c6c709715bdd76cb5aa4fdf13e4c1f58fa012 CVE-2019-12449.patch +02c4e94d8eef1f69b6d45ddbbbfa22ff9452238251c8bd3b8ae5cbbdc3a7c1fcde4612f96851dfff55f276bcf84f5b82561b06a18c1d9e20033457e72987013d CVE-2019-12447.patch" diff --git a/main/gvfs/CVE-2019-12447.patch b/main/gvfs/CVE-2019-12447.patch new file mode 100644 index 00000000000..4b37fc5070e --- /dev/null +++ b/main/gvfs/CVE-2019-12447.patch 
@@ -0,0 +1,33 @@ +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c +index d67353d..daa6df9 100644 +--- a/daemon/gvfsbackendadmin.c ++++ b/daemon/gvfsbackendadmin.c +@@ -907,7 +907,8 @@ g_vfs_backend_admin_init (GVfsBackendAdmin *self) + + #define REQUIRED_CAPS (CAP_TO_MASK(CAP_FOWNER) | \ + CAP_TO_MASK(CAP_DAC_OVERRIDE) | \ +- CAP_TO_MASK(CAP_DAC_READ_SEARCH)) ++ CAP_TO_MASK(CAP_DAC_READ_SEARCH) | \ ++ CAP_TO_MASK(CAP_CHOWN)) + + static void + acquire_caps (uid_t uid) +@@ -919,10 +920,15 @@ acquire_caps (uid_t uid) + if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) + g_error ("prctl(PR_SET_KEEPCAPS) failed"); + +- /* Drop root uid, but retain the required permitted caps */ +- if (setuid (uid) < 0) ++ /* Set euid to user to make dbus work */ ++ if (seteuid (uid) < 0) + g_error ("unable to drop privs"); + ++ /* Set fsuid to still behave like root when working with files */ ++ setfsuid (0); ++ if (setfsuid (-1) != 0) ++ g_error ("setfsuid failed"); ++ + memset (&hdr, 0, sizeof(hdr)); + hdr.version = _LINUX_CAPABILITY_VERSION; + + diff --git a/main/gvfs/CVE-2019-12448.patch b/main/gvfs/CVE-2019-12448.patch new file mode 100644 index 00000000000..53542a3a1b8 --- /dev/null +++ b/main/gvfs/CVE-2019-12448.patch 
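Review bot: After the change `acquire_caps` no longer drops root — `seteuid (uid)` changes only the effective uid, the real and saved uids stay 0 and `setfsuid (0)` keeps filesystem access as root — but the surviving failure message `g_error ("unable to drop privs")` still describes the old `setuid` semantics and will mislead whoever reads the log. Suggest `g_error ("seteuid failed");` to match the adjacent `"setfsuid failed"`, plus a comment above the block stating the intended posture, e.g. `/* Real/saved uid stay 0 and fsuid is 0: only the euid is lowered so dbus works */`. The `setfsuid (0); if (setfsuid (-1) != 0)` pair relies on setfsuid returning the previous fsuid to verify the first call took effect; a short comment on that idiom would save the next reader a trip to the man page. The enclosing function continues outside the hunk.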
@@ -0,0 +1,128 @@ +From 5cd76d627f4d1982b6e77a0e271ef9301732d09e Mon Sep 17 00:00:00 2001 +From: Ondrej Holy <oholy@redhat.com> +Date: Thu, 23 May 2019 10:24:36 +0200 +Subject: [PATCH] admin: Add query_info_on_read/write functionality + +Admin backend doesn't implement query_info_on_read/write which might +potentially lead to some race conditions which aren't really wanted +especially in case of admin backend. Let's add this missing functionality. +--- + daemon/gvfsbackendadmin.c | 79 +++++++++++++++++++++++++++++++++------ + 1 file changed, 67 insertions(+), 12 deletions(-) + +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c +index 65a979e7..23d16f16 100644 +--- a/daemon/gvfsbackendadmin.c ++++ b/daemon/gvfsbackendadmin.c +@@ -42,6 +42,8 @@ + #include "gvfsjobopenforwrite.h" + #include "gvfsjobqueryattributes.h" + #include "gvfsjobqueryinfo.h" ++#include "gvfsjobqueryinforead.h" ++#include "gvfsjobqueryinfowrite.h" + #include "gvfsjobread.h" + #include "gvfsjobseekread.h" + #include "gvfsjobseekwrite.h" +@@ -155,6 +157,19 @@ complete_job (GVfsJob *job, + g_vfs_job_succeeded (job); + } + ++static void ++fix_file_info (GFileInfo *info) ++{ ++ /* Override read/write flags, since the above call will use access() ++ * to determine permissions, which does not honor our privileged ++ * capabilities. 
++ */ ++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE); ++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE); ++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE); ++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE); ++} ++ + static void + do_query_info (GVfsBackend *backend, + GVfsJobQueryInfo *query_info_job, +@@ -180,19 +195,57 @@ do_query_info (GVfsBackend *backend, + if (error != NULL) + goto out; + +- /* Override read/write flags, since the above call will use access() +- * to determine permissions, which does not honor our privileged +- * capabilities. +- */ +- g_file_info_set_attribute_boolean (real_info, +- G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE); +- g_file_info_set_attribute_boolean (real_info, +- G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE); +- g_file_info_set_attribute_boolean (real_info, +- G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE); +- g_file_info_set_attribute_boolean (real_info, +- G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE); ++ fix_file_info (real_info); ++ g_file_info_copy_into (real_info, info); ++ g_object_unref (real_info); ++ ++ out: ++ complete_job (job, error); ++} ++ ++static void ++do_query_info_on_read (GVfsBackend *backend, ++ GVfsJobQueryInfoRead *query_info_job, ++ GVfsBackendHandle handle, ++ GFileInfo *info, ++ GFileAttributeMatcher *matcher) ++{ ++ GVfsJob *job = G_VFS_JOB (query_info_job); ++ GFileInputStream *stream = handle; ++ GError *error = NULL; ++ GFileInfo *real_info; ++ ++ real_info = g_file_input_stream_query_info (stream, query_info_job->attributes, ++ job->cancellable, &error); ++ if (error != NULL) ++ goto out; ++ ++ fix_file_info (real_info); ++ g_file_info_copy_into (real_info, info); ++ g_object_unref (real_info); ++ ++ out: ++ complete_job (job, error); ++} ++ ++static void ++do_query_info_on_write (GVfsBackend *backend, ++ GVfsJobQueryInfoWrite *query_info_job, ++ GVfsBackendHandle handle, 
++ GFileInfo *info, ++ GFileAttributeMatcher *matcher) ++{ ++ GVfsJob *job = G_VFS_JOB (query_info_job); ++ GFileOutputStream *stream = handle; ++ GError *error = NULL; ++ GFileInfo *real_info; ++ ++ real_info = g_file_output_stream_query_info (stream, query_info_job->attributes, ++ job->cancellable, &error); ++ if (error != NULL) ++ goto out; + ++ fix_file_info (real_info); + g_file_info_copy_into (real_info, info); + g_object_unref (real_info); + +@@ -868,6 +921,8 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass) + backend_class->mount = do_mount; + backend_class->open_for_read = do_open_for_read; + backend_class->query_info = do_query_info; ++ backend_class->query_info_on_read = do_query_info_on_read; ++ backend_class->query_info_on_write = do_query_info_on_write; + backend_class->read = do_read; + backend_class->create = do_create; + backend_class->append_to = do_append_to; +-- +2.21.0 + + diff --git a/main/gvfs/CVE-2019-12449.patch b/main/gvfs/CVE-2019-12449.patch new file mode 100644 index 00000000000..7d58c5d3d8f --- /dev/null +++ b/main/gvfs/CVE-2019-12449.patch 
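Review bot: The comment moved into the new `fix_file_info` helper still says `since the above call will use access()`, but inside the helper there is no call above it — the sentence only made sense at its old location in `do_query_info`. Suggest rewording to `/* Override read/write flags: the query that produced @info used access() to determine permissions, which does not honor our privileged capabilities. */`. A one-line note on the helper itself would also help, e.g. `/* Force the access flags on info obtained from a GIO query to reflect the backend's elevated capabilities. */`, given that it is now called from three query paths.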
@@ -0,0 +1,81 @@
+From d5dfd823c94045488aef8727c553f1e0f7666b90 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 24 May 2019 09:43:43 +0200
+Subject: [PATCH] admin: Ensure correct ownership when moving to file:// uri
+
+User and group is not restored properly when moving (or copying with
+G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled
+by GIO fallback code, which doesn't run with root permissions. Let's
+handle this case with pull method to ensure correct ownership.
+---
+ daemon/gvfsbackendadmin.c | 46 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 32b51b1a..9a7e8295 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -807,6 +807,51 @@ do_move (GVfsBackend *backend,
+ complete_job (job, error);
+ }
+
++static void
++do_pull (GVfsBackend *backend,
++ GVfsJobPull *pull_job,
++ const char *source,
++ const char *local_path,
++ GFileCopyFlags flags,
++ gboolean remove_source,
++ GFileProgressCallback progress_callback,
++ gpointer progress_callback_data)
++{
++ GVfsBackendAdmin *self = G_VFS_BACKEND_ADMIN (backend);
++ GVfsJob *job = G_VFS_JOB (pull_job);
++ GError *error = NULL;
++ GFile *src_file, *dst_file;
++
++ /* Pull method is necessary when user/group needs to be restored, return
++ * G_IO_ERROR_NOT_SUPPORTED in other cases to proceed with the fallback code.
++ */
++ if (!(flags & G_FILE_COPY_ALL_METADATA))
++ {
++ g_vfs_job_failed_literal (G_VFS_JOB (job), G_IO_ERROR,
++ G_IO_ERROR_NOT_SUPPORTED,
++ _("Operation not supported"));
++ return;
++ }
++
++ if (!check_permission (self, job))
++ return;
++
++ src_file = g_file_new_for_path (source);
++ dst_file = g_file_new_for_path (local_path);
++
++ if (remove_source)
++ g_file_move (src_file, dst_file, flags, job->cancellable,
++ progress_callback, progress_callback_data, &error);
++ else
++ g_file_copy (src_file, dst_file, flags, job->cancellable,
++ progress_callback, progress_callback_data, &error);
++
++ g_object_unref (src_file);
++ g_object_unref (dst_file);
++
++ complete_job (job, error);
++}
++
+ static void
+ do_query_settable_attributes (GVfsBackend *backend,
+ GVfsJobQueryAttributes *query_job,
+@@ -927,6 +972,7 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+ backend_class->set_attribute = do_set_attribute;
+ backend_class->delete = do_delete;
+ backend_class->move = do_move;
++ backend_class->pull = do_pull;
+ backend_class->query_settable_attributes = do_query_settable_attributes;
+ backend_class->query_writable_namespaces = do_query_writable_namespaces;
+ }
+--
+2.21.0
+
+
diff --git a/main/gvfs/CVE-2019-12795.patch b/main/gvfs/CVE-2019-12795.patch
new file mode 100644
index 00000000000..8d22342424c
--- /dev/null
+++ b/main/gvfs/CVE-2019-12795.patch
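Review bot: In do_pull the unsupported-flags branch calls `g_vfs_job_failed_literal (G_VFS_JOB (job), ...)` although `job` was declared as `GVfsJob *` a few lines earlier, so the cast is redundant and inconsistent with the plain `complete_job (job, error)` at the end; `g_vfs_job_failed_literal (job, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, _("Operation not supported"));` is the cleaner form. The function has no header comment, and the ordering of its two early returns is deliberate and worth stating: the flags test precedes `check_permission`, so callers that do not ask for G_FILE_COPY_ALL_METADATA are handed back to the GIO fallback without triggering a privilege check, e.g. `/* Root-privileged copy/move from admin:// to a local path, only taken when ownership must be preserved (G_FILE_COPY_ALL_METADATA); everything else is refused before the permission check so GIO's unprivileged fallback handles it. */`.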
@@ -0,0 +1,93 @@
+From e3808a1b4042761055b1d975333a8243d67b8bfe Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: [PATCH] gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8e..be148a7b 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+
+ gint mount_counter;
+
++ GDBusAuthObserver *auth_observer;
+ GDBusConnection *conn;
+ GVfsDBusDaemon *daemon_skeleton;
+ GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+ }
+ if (daemon->conn != NULL)
+ g_object_unref (daemon->conn);
++ if (daemon->auth_observer != NULL)
++ g_object_unref (daemon->auth_observer);
+
+ g_hash_table_destroy (daemon->registered_paths);
+ g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+ daemon->lost_main_daemon = TRUE;
+ }
+
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++ G_GNUC_UNUSED GIOStream *stream,
++ GCredentials *credentials,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ gboolean authorized = FALSE;
++
++ if (credentials != NULL)
++ {
++ GCredentials *own_credentials;
++
++ own_credentials = g_credentials_new ();
++
++ if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++ authorized = TRUE;
++
++ g_object_unref (own_credentials);
++ }
++
++ return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+
+ daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+ g_assert (daemon->conn != NULL);
++ daemon->auth_observer = g_dbus_auth_observer_new ();
++ g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+
+ daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+ g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+ server = g_dbus_server_new_sync (address1,
+ G_DBUS_SERVER_FLAGS_NONE,
+ guid,
+- NULL, /* GDBusAuthObserver */
++ daemon->auth_observer,
+ NULL, /* GCancellable */
+ &error);
+ g_free (guid);
+--
+2.21.0
+
+
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index 1a510d26fb1..ac56f28c670 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=hostapd
 pkgver=2.6
-pkgrel=5
+pkgrel=6
 pkgdesc="daemon for wireless software access points"
 url="http://hostap.epitest.fi/hostapd/"
 arch="all"
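Review bot: In authorize_authenticated_peer_cb the GError argument of `g_credentials_is_same_user` is NULL, so a comparison that fails for a reason other than a uid mismatch (the call returns FALSE and would have reported why) is indistinguishable from a foreign user, and neither path logs anything. Failing closed is the right default for this check, but a line before `return authorized;` such as `if (!authorized) g_debug ("Rejecting peer connection: credentials %s", credentials != NULL ? "do not match our uid" : "unavailable");` would make a transport that does not pass credentials diagnosable instead of silently unmountable. The observer is created in g_vfs_daemon_init and only consumed in handle_get_connection; a short comment at the `g_signal_connect` site, e.g. `/* Restricts the per-mount private D-Bus server (see handle_get_connection) to clients running as our own uid. */`, would link the two hunks for the next reader.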
@@ -20,8 +20,9 @@ patches="CVE-2012-4445.patch CVE-2019-9496.patch 0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch + CVE-2019-16275.patch " -source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz +source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz $patches $pkgname.initd $pkgname.confd" @@ -29,6 +30,8 @@ options="!check" #no testsuite builddir="$srcdir"/$pkgname-$pkgver/hostapd # secfixes: +# 2.6-r6: +# - CVE-2019-16275 # 2.6-r5: # - CVE-2019-9496 # 2.6-r4: @@ -115,5 +118,6 @@ fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed 90981a52d6cb2e91f67a9bc830d3db02da6fde4bea0cf512b22111da6c8ab151f5dd171a2f2e409d9ff75e388e72c2314dd023a98fdabf16248b11a950bde881 CVE-2019-9496.patch 7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch +63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd 0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd" diff --git a/main/hostapd/CVE-2019-16275.patch b/main/hostapd/CVE-2019-16275.patch new file mode 100644 index 00000000000..d764a9db016 --- /dev/null +++ b/main/hostapd/CVE-2019-16275.patch 
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
diff --git a/main/lame/APKBUILD b/main/lame/APKBUILD
index 0e5638d788c..2bce7a5e74b 100644
--- a/main/lame/APKBUILD
+++ b/main/lame/APKBUILD
@@ -12,11 +12,6 @@ source="http://downloads.sourceforge.net/project/lame/lame/$pkgver/$pkgname-$pkg
 builddir="$srcdir"/$pkgname-$pkgver
 # secfixes:
-# 3.100-r0:
-# - CVE-2017-9410
-# - CVE-2017-9411
-# - CVE-2017-9412
-# - CVE-2015-9099
 # 3.99.5-r6:
 # - CVE-2015-9099
 # - CVE-2015-9100
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index a3ed3e8338f..cefa0105137 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
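Review bot: The source-address validation added to hostapd_notif_assoc in drv_callbacks.c and to ieee802_11_mgmt in ieee802_11.c is the same three-term condition written out twice, differing only in the log prefix; a shared helper such as `static inline int hostapd_is_valid_sa(struct hostapd_data *hapd, const u8 *sa) { return !is_multicast_ether_addr(sa) && !is_zero_ether_addr(sa) && os_memcmp(sa, hapd->own_addr, ETH_ALEN) != 0; }` would keep the two call sites from drifting if another address class ever needs rejecting. In ieee802_11_mgmt the new check dereferences `mgmt->sa` right after `mgmt->frame_control`, which is fine only if the caller has already verified that `len` covers the management header; that check is outside the hunk and worth confirming. Both enclosing functions start and end outside the hunks.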
@@ -1,8 +1,8 @@ # Contributor: Sergei Lukin <sergej.lukin@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libarchive -pkgver=3.3.2 -pkgrel=2 +pkgver=3.3.3 +pkgrel=1 pkgdesc="library that can create and read several streaming archive formats" url="http://libarchive.org/" arch="all" @@ -10,10 +10,17 @@ license="BSD" makedepends="zlib-dev bzip2-dev xz-dev lz4-dev acl-dev libressl-dev expat-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-tools" source="http://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz - CVE-2017-14166.patch" + CVE-2019-18408.patch::https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60.patch + " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 3.3.3-r1: +# - CVE-2019-18408 +# 3.3.3-r0: +# - CVE-2017-14501 +# - CVE-2017-14502 +# - CVE-2017-14503 # 3.3.2-r1: # - CVE-2017-14166 @@ -39,5 +46,5 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="1e538cd7d492f54b11c16c56f12c1632ba14302a3737ec0db786272aec0c8020f1e27616a7654d57e26737e5ed9bfc9a62f1fdda61a95c39eb726aa7c2f673e4 libarchive-3.3.2.tar.gz -7cc9dbafd970c07fb4421b7a72a075cc0a000db77df4432222539c58625c93c45f01a144838b551980bc0c6dc5b4c3ab852eb1433006c3174581ba0897010dbe CVE-2017-14166.patch" +sha512sums="9d12b47d6976efa9f98e62c25d8b85fd745d4e9ca7b7e6d36bfe095dfe5c4db017d4e785d110f3758f5938dad6f1a1b009267fd7e82cb7212e93e1aea237bab7 libarchive-3.3.3.tar.gz +4807e01dffb83ff4ef430c66339157e9f7a61db4fc5cec2812c3ee5ad130b4fc2d3c1cbeea87930c76cd8ec3e66272e20622a48edf0c66215b626c4e0db99cab CVE-2019-18408.patch" diff --git a/main/libarchive/CVE-2017-14166.patch b/main/libarchive/CVE-2017-14166.patch deleted file mode 100644 index b729ae41e0a..00000000000 --- a/main/libarchive/CVE-2017-14166.patch +++ /dev/null 
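Review bot: In the `@@ -10,10 +10,17 @@` hunk the new `CVE-2019-18408.patch::https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60.patch` entry makes the build fetch the security fix from GitHub at build time, whereas every other package in this commit vendors its patch under the package directory; the sha512 added in `@@ -39,5 +46,5 @@` pins the content, so a changed rendering of that URL fails the checksum rather than slipping through, but it still adds a third-party network dependency for a security fix. Consider committing the patch file next to the APKBUILD as the removed CVE-2017-14166.patch was, or record in the secfixes block why the remote form was chosen.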
@@ -1,36 +0,0 @@ -From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001 -From: Joerg Sonnenberger <joerg@bec.de> -Date: Tue, 5 Sep 2017 18:12:19 +0200 -Subject: [PATCH] Do something sensible for empty strings to make fuzzers - happy. - ---- - libarchive/archive_read_support_format_xar.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c -index 7a22beb9d..93eeacc5e 100644 ---- a/libarchive/archive_read_support_format_xar.c -+++ b/libarchive/archive_read_support_format_xar.c -@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) - uint64_t l; - int digit; - -+ if (char_cnt == 0) -+ return (0); -+ - l = 0; - digit = *p - '0'; - while (digit >= 0 && digit < 10 && char_cnt-- > 0) { -@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) - { - int64_t l; - int digit; -- -+ -+ if (char_cnt == 0) -+ return (0); -+ - l = 0; - while (char_cnt-- > 0) { - if (*p >= '0' && *p <= '7') diff --git a/main/libcroco/APKBUILD b/main/libcroco/APKBUILD index ef28628b1e4..fa44fa80660 100644 --- a/main/libcroco/APKBUILD +++ b/main/libcroco/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libcroco pkgver=0.6.12 -pkgrel=0 +pkgrel=1 pkgdesc="GNOME CSS2 parsing and manipulation toolkit" url="http://www.gnome.org" arch="all" 
@@ -9,11 +9,20 @@ license="LGPL" subpackages="$pkgname-dev" depends= makedepends="glib-dev libxml2-dev" -source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz" +source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz + CVE-2017-7960.patch + CVE-2017-7961.patch + CVE-2017-8871-and-CVE-2017-8834.patch + " -depends_dev="glib-dev libxml2-dev pkgconfig" +# secfixes: +# 0.6.12-r1: +# - CVE-2017-7960 +# - CVE-2017-7961 +# - CVE-2017-8871 +# - CVE-2017-8834 -builddir="$srcdir/$pkgname-$pkgver" +depends_dev="glib-dev libxml2-dev pkgconfig" build() { cd "$builddir" @@ -28,6 +37,9 @@ build() { package() { cd "$builddir" - make DESTDIR="$pkgdir" install || return 1 + make DESTDIR="$pkgdir" install } -sha512sums="af9a171d5ccded255b57f170576e67155f12fa0f61ab3e379e907975f77afc37e82e22772c6019b2897cffc15b2425faf3ccfda92b1a45b23eda2519debabeb6 libcroco-0.6.12.tar.xz" +sha512sums="af9a171d5ccded255b57f170576e67155f12fa0f61ab3e379e907975f77afc37e82e22772c6019b2897cffc15b2425faf3ccfda92b1a45b23eda2519debabeb6 libcroco-0.6.12.tar.xz +e6a799e5547c60a317602aa5b537b27ecbc47de84ceb9ef109586370406cd8151c7ab1e7c27f346becf3c10f0524bfc7ac98dcf3160089880c2ac189ee4e7176 CVE-2017-7960.patch +a1820039d23793ac53ba3acb771f487fe7fed839b298734435e168fecb5cd8b2b20b2fd08b4f827d0ed7eb0b5e76c9290ba912533b95acbf1be7cda5fd604da6 CVE-2017-7961.patch +568ad8205f5c2ab1eb949ef664671069fad5991e43992e35092738c1a741289303dba343c8002caec817d1c27fe5645dc2a861573fb4d91074aef59ff41f3d27 CVE-2017-8871-and-CVE-2017-8834.patch" diff --git a/main/libcroco/CVE-2017-7960.patch b/main/libcroco/CVE-2017-7960.patch new file mode 100644 index 00000000000..cd8dbaafa48 --- /dev/null +++ b/main/libcroco/CVE-2017-7960.patch 
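Review bot: The `@@ -9,11 +9,20 @@` hunk drops the explicit `builddir="$srcdir/$pkgname-$pkgver"` assignment while `build()` and `package()` still `cd "$builddir"`; this works only because abuild falls back to that same default when builddir is unset, so either keep the line or confirm that the abuild version on this branch provides the default before relying on it. The new `# secfixes:` block sits between `source=` and `depends_dev=`, whereas the hostapd and libarchive APKBUILDs in this same commit place it after `builddir=`; keeping one position across packages makes the blocks easier to audit against the patch list.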
@@ -0,0 +1,59 @@ +From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro <qignacio@amazon.com> +Date: Sun, 16 Apr 2017 13:13:43 +0200 +Subject: [PATCH] input: check end of input before reading a byte + +When reading bytes we weren't check that the index wasn't +out of bound and this could produce an invalid read which +could deal to a security bug. +--- + src/cr-input.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/cr-input.c b/src/cr-input.c +index 49000b1..3b63a88 100644 +--- a/src/cr-input.c ++++ b/src/cr-input.c +@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc) + *we should free buf here because it's own by CRInput. + *(see the last parameter of cr_input_new_from_buf(). + */ +- buf = NULL ; ++ buf = NULL; + } + + cleanup: +@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this) + enum CRStatus + cr_input_read_byte (CRInput * a_this, guchar * a_byte) + { ++ gulong nb_bytes_left = 0; ++ + g_return_val_if_fail (a_this && PRIVATE (a_this) + && a_byte, CR_BAD_PARAM_ERROR); + +@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte) + if (PRIVATE (a_this)->end_of_input == TRUE) + return CR_END_OF_INPUT_ERROR; + ++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this); ++ ++ if (nb_bytes_left < 1) { ++ return CR_END_OF_INPUT_ERROR; ++ } ++ + *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index]; + + if (PRIVATE (a_this)->nb_bytes - +@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char) + if (*a_char == '\n') { + PRIVATE (a_this)->end_of_line = TRUE; + } +- + } + + return status; +-- +2.21.0 + + diff --git a/main/libcroco/CVE-2017-7961.patch b/main/libcroco/CVE-2017-7961.patch new file mode 100644 index 00000000000..bb0236e6a5a --- /dev/null +++ b/main/libcroco/CVE-2017-7961.patch 
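Review bot: Besides the bounds check in cr_input_read_byte, the vendored patch carries two unrelated whitespace edits (`buf = NULL ;` to `buf = NULL;` in cr_input_new_from_uri and a removed blank line in cr_input_read_char); a security backport is easier to audit and to rebase onto the next release when it is limited to the functional change, so consider trimming those two hunks. The new guard `if (nb_bytes_left < 1) { return CR_END_OF_INPUT_ERROR; }` is placed after the existing `end_of_input == TRUE` test, so it covers the case where the index has reached the end of in_buf without the flag being set, which appears to be the point of the fix; a comment above it such as `/* end_of_input alone is not sufficient; re-check the remaining byte count before indexing in_buf */` would make that explicit. cr_input_read_byte continues outside the hunk.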
@@ -0,0 +1,43 @@ +From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro <qignacio@amazon.com> +Date: Sun, 16 Apr 2017 13:56:09 +0200 +Subject: [PATCH] tknzr: support only max long rgb values + +This fixes a possible out of bound when reading rgbs which +are longer than the support MAXLONG +--- + src/cr-tknzr.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c +index 1a7cfeb..1548c35 100644 +--- a/src/cr-tknzr.c ++++ b/src/cr-tknzr.c +@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb) + status = cr_tknzr_parse_num (a_this, &num); + ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); + ++ if (num->val > G_MAXLONG) { ++ status = CR_PARSING_ERROR; ++ goto error; ++ } ++ + red = num->val; + cr_num_destroy (num); + num = NULL; +@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb) + status = cr_tknzr_parse_num (a_this, &num); + ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); + ++ if (num->val > G_MAXLONG) { ++ status = CR_PARSING_ERROR; ++ goto error; ++ } ++ + PEEK_BYTE (a_this, 1, &next_bytes[0]); + if (next_bytes[0] == '%') { + SKIP_CHARS (a_this, 1); +-- +2.21.0 + + diff --git a/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch new file mode 100644 index 00000000000..f65c6a97481 --- /dev/null +++ b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch 
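Review bot: Both guards added to cr_tknzr_parse_rgb only reject `num->val > G_MAXLONG`; if `num->val` is a floating-point field (its comparison against a long limit suggests so, but the CRNum definition is outside the hunk), a negative value or NaN still passes and is narrowed on `red = num->val;`, so a two-sided test along the lines of `if (!(num->val >= 0 && num->val <= G_MAXLONG)) { status = CR_PARSING_ERROR; goto error; }` would close the remaining path — confirm the type before changing it. The two identical guards could also be one local macro next to ENSURE_PARSING_COND so that any further component parsed outside these hunks cannot be missed. cr_tknzr_parse_rgb starts and ends outside the hunks.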
@@ -0,0 +1,29 @@ +From deda38539f5b25616aa294d8b19d33ebf8e175ff Mon Sep 17 00:00:00 2001 +From: Mike Gorse <mgorse@alum.wpi.edu> +Date: Thu, 2 May 2019 10:54:43 -0500 +Subject: [PATCH] cr_utils_read_char_from_utf8_buf: move past invalid UTF-8 + +Otherwise, the offending character is never consumed, possibly leading +to an infinite loop. + +https://bugzilla.gnome.org/show_bug.cgi?id=782647 +--- + src/cr-utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/cr-utils.c b/src/cr-utils.c +index 2420cec..6cf4849 100644 +--- a/src/cr-utils.c ++++ b/src/cr-utils.c +@@ -505,6 +505,7 @@ cr_utils_read_char_from_utf8_buf (const guchar * a_in, + + } else { + /*BAD ENCODING */ ++ nb_bytes_2_decode = 1; + goto end; + } + +-- +2.20.1 + + diff --git a/main/libebml/APKBUILD b/main/libebml/APKBUILD index 686fdb0aa06..d5f64bc41f5 100644 --- a/main/libebml/APKBUILD +++ b/main/libebml/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Timo Teräs <timo.teras@iki.fi> pkgname=libebml pkgver=1.3.5 -pkgrel=0 +pkgrel=1 pkgdesc="a C++ library to parse Extensible Binary Meta-Language files" url="https://www.matroska.org/" arch="all" @@ -12,9 +12,15 @@ depends_dev="" makedepends="$depends_dev" install="" subpackages="$pkgname-dev" -source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz" +source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz + CVE-2019-13615.patch + " options="!check" +# secfixes: +# 1.3.5-r1: +# - CVE-2019-13615 + _builddir="$srcdir"/$pkgname-$pkgver prepare() { local i 
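Review bot: The one-line fix `nb_bytes_2_decode = 1;` in cr_utils_read_char_from_utf8_buf advances past an invalid lead byte so the caller's loop makes progress, but nothing in the hunk shows what the `end` label does with that count, so the intent is only recoverable from the commit message; a comment on the new line such as `/* consume the offending byte so callers cannot loop forever on invalid UTF-8 */` would tie the code to the bug report. The function starts and ends outside the hunk.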
@@ -42,4 +48,5 @@ package() { make install DESTDIR="$pkgdir" } -sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz" +sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz +9cdda162a58c77541065121edafe09643f6c37ffb7b94851903f80a2fb5bf2e4729c6d97b5a23d05257b65abada0f5bf10d9d245cc3b4fd07653bb5ad3c29f0a CVE-2019-13615.patch" diff --git a/main/libebml/CVE-2019-13615.patch b/main/libebml/CVE-2019-13615.patch new file mode 100644 index 00000000000..0c8e24c820d --- /dev/null +++ b/main/libebml/CVE-2019-13615.patch 
@@ -0,0 +1,85 @@
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index 143f439..871247c 100644
+--- a/src/EbmlElement.cpp
++++ b/src/EbmlElement.cpp
+@@ -372,11 +372,12 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ int PossibleSizeLength;
+ uint64 SizeUnknown;
+ int ReadIndex = 0; // trick for the algo, start index at 0
+- uint32 ReadSize = 0;
++ uint32 ReadSize = 0, IdStart = 0;
+ uint64 SizeFound;
+ int SizeIdx;
+ bool bFound;
+ int UpperLevel_original = UpperLevel;
++ uint64 ParseStart = DataStream.getFilePointer();
+
+ do {
+ // read a potential ID
+@@ -402,14 +403,17 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // ID not found
+ // shift left the read octets
+ memmove(&PossibleIdNSize[0],&PossibleIdNSize[1], --ReadIndex);
++ IdStart++;
+ }
+
++ if (MaxDataSize <= ReadSize)
++ break;
+ if (DataStream.read(&PossibleIdNSize[ReadIndex++], 1) == 0) {
+ return NULL; // no more data ?
+ }
+ ReadSize++;
+
+- } while (!bFound && MaxDataSize > ReadSize);
++ } while (!bFound);
+
+ if (!bFound)
+ // we reached the maximum we could read without a proper ID
+@@ -432,6 +436,10 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ bFound = false;
+ break;
+ }
++ if (MaxDataSize <= ReadSize) {
++ bFound = false;
++ break;
++ }
+ if( DataStream.read( &PossibleIdNSize[SizeIdx++], 1 ) == 0 ) {
+ return NULL; // no more data ?
+ }
+@@ -454,16 +462,15 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // 0 : child
+ // 1 : same level
+ // + : further parent
+- if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 || MaxDataSize >= (PossibleID_Length + PossibleSizeLength + SizeFound))) {
+- if (SizeFound == SizeUnknown) {
+- Result->SetSizeInfinite();
++ if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 ||
++ MaxDataSize >= (IdStart + PossibleID_Length + _SizeLength + SizeFound))) {
++ if (SizeFound != SizeUnknown || Result->SetSizeInfinite()) {
++ Result->ElementPosition = ParseStart + IdStart;
++ Result->SizePosition = Result->ElementPosition + PossibleID_Length;
++ // place the file at the beggining of the data
++ DataStream.setFilePointer(Result->SizePosition + _SizeLength);
++ return Result;
+ }
+-
+- Result->SizePosition = DataStream.getFilePointer() - SizeIdx + EBML_ID_LENGTH(PossibleID);
+- Result->ElementPosition = Result->SizePosition - EBML_ID_LENGTH(PossibleID);
+- // place the file at the beggining of the data
+- DataStream.setFilePointer(Result->SizePosition + _SizeLength);
+- return Result;
+ }
+ }
+ delete Result;
+@@ -473,8 +480,9 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // recover all the data in the buffer minus one byte
+ ReadIndex = SizeIdx - 1;
+ memmove(&PossibleIdNSize[0], &PossibleIdNSize[1], ReadIndex);
++ IdStart++;
+ UpperLevel = UpperLevel_original;
+- } while ( MaxDataSize > DataStream.getFilePointer() - SizeIdx + PossibleID_Length );
++ } while ( MaxDataSize >= ReadSize );
+
+ return NULL;
+ }
+
diff --git a/main/libgcrypt/APKBUILD b/main/libgcrypt/APKBUILD
index 9cc6bc1115f..1cac74a1f2e 100644
--- a/main/libgcrypt/APKBUILD
+++ b/main/libgcrypt/APKBUILD
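Review bot: Unlike every other patch in this commit, CVE-2019-13615.patch has no `From:`/commit header, so a reader cannot tell which upstream libebml commit it was taken from or whether it was altered while being vendored; a first line such as `Upstream: <UPSTREAM_COMMIT_URL>` (placeholder) would let the next maintainer verify and rebase it. In FindNextElement the two new `if (MaxDataSize <= ReadSize)` exits sit immediately before each one-byte `DataStream.read`, and the outer condition becomes `MaxDataSize >= ReadSize`, so the bound is now enforced on bytes consumed rather than on file positions; the expression `MaxDataSize >= (IdStart + PossibleID_Length + _SizeLength + SizeFound)` mixes `uint32`, `int` and `uint64` operands and relies on implicit widening, which deserves either explicit casts or a one-line comment stating that all terms are non-negative. FindNextElement starts and ends outside the hunks.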
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libgcrypt
 pkgver=1.8.3
-pkgrel=0
+pkgrel=2
 pkgdesc="general purpose crypto library based on the code used in GnuPG"
 url="http://www.gnupg.org"
 arch="all"
@@ -11,15 +11,22 @@ depends_dev="libgpg-error-dev"
 makedepends="$depends_dev texinfo"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/$pkgname-$pkgver.tar.bz2
- random-Fix-hang-of-_gcry_rndjent_get_version.patch"
+ random-Fix-hang-of-_gcry_rndjent_get_version.patch
+ CVE-2019-12904.patch
+ CVE-2019-13627.patch
+ "
 builddir="$srcdir"/$pkgname-$pkgver
 options="!checkroot"
 # secfixes:
+# 1.8.3-r1:
+# - CVE-2019-13527
+# 1.8.3-r1:
+# - CVE-2019-12904
 # 1.8.3-r0:
-# - CVE-2018-0495
+# - CVE-2018-0495
-build () {
+build() {
 cd "$builddir"
 local _arch_configure=
@@ -60,4 +67,6 @@ package() {
 }
 sha512sums="8c873204303f173dd3f49817a81035c1d504b2fc885965c9bc074a6e3fb108ceb6dca366d85e840a40712a6890fc325018ea9b8c1b7b8804c51c44b296cb96a0 libgcrypt-1.8.3.tar.bz2
-a717d40702c8ffdd40a7bffc563bf7aecf01640514a2d07c7eb5e40d742473ba297779fc0fea64576b254214011711a010de0cf306f88c5617fd06214a9fd30e random-Fix-hang-of-_gcry_rndjent_get_version.patch"
+a717d40702c8ffdd40a7bffc563bf7aecf01640514a2d07c7eb5e40d742473ba297779fc0fea64576b254214011711a010de0cf306f88c5617fd06214a9fd30e random-Fix-hang-of-_gcry_rndjent_get_version.patch
+36f5f7f99e2c4f28207f91a7a500c3bca81044027b6d37ed0399e395a36638b37c0dff3145854a6caa2e9383722862b37a82bde1af520f06a9f4b327df1ec0af CVE-2019-12904.patch
+3368e1b09d527f225dc800c26cda5448d592665baa726147784f7648ec0a9cd96309042988c7155b65ac2ddb7af4e5cb635eef561a95723b8f81c672bf773764 CVE-2019-13627.patch"
diff --git a/main/libgcrypt/CVE-2019-12904.patch b/main/libgcrypt/CVE-2019-12904.patch
new file mode 100644
index 00000000000..b596a665704
--- /dev/null
+++ b/main/libgcrypt/CVE-2019-12904.patch
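Review bot: The new `# secfixes:` block in the `@@ -11,15 +11,22 @@` hunk lists `CVE-2019-13527` although the patch added to `source=` and to `sha512sums` is `CVE-2019-13627.patch`, and it carries two `# 1.8.3-r1:` headings while `pkgrel` jumps from 0 to 2; this block is what the secdb tooling parses, so the likely intended form is a single `# 1.8.3-r2:` heading listing `# - CVE-2019-12904` and `# - CVE-2019-13627` (or one heading per actual release). The `-# - CVE-2018-0495` / `+# - CVE-2018-0495` pair and `build ()` to `build()` are whitespace-only changes that could be left out of a security bump to keep the diff reviewable.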
@@ -0,0 +1,475 @@ +Adapted from OpenSUSE patches which are adapted from upstream for 1.8.4 and previous versions. + +Upstream commits: + +https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 +https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index 6169d14..4be77d2 100644 +--- a/cipher/cipher-gcm.c ++++ b/cipher/cipher-gcm.c +@@ -30,6 +30,14 @@ + #include "./cipher-internal.h" + + ++/* Helper macro to force alignment to 16 or 64 bytes. */ ++#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) ++#else ++# define ATTR_ALIGNED_64 ++#endif ++ ++ + #ifdef GCM_USE_INTEL_PCLMUL + extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c); + +@@ -63,40 +71,94 @@ ghash_armv8_ce_pmull (gcry_cipher_hd_t c, byte *result, const byte *buf, + + + #ifdef GCM_USE_TABLES +-static const u16 gcmR[256] = { +- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, +- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, +- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, +- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, +- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, +- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, +- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, +- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, +- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, +- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, +- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, +- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, +- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, +- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, +- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, +- 0x5af0, 0x5b32, 0x5974, 0x58b6, 
0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, +- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, +- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, +- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, +- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, +- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, +- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, +- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, +- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, +- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, +- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, +- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, +- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, +- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, +- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, +- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, +- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, +-}; ++static struct ++{ ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; ++ u16 R[256]; ++ volatile u32 counter_tail; ++} gcm_table ATTR_ALIGNED_64 = ++ { ++ 0, ++ { 0, }, ++ { ++ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, ++ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, ++ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, ++ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, ++ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, ++ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, ++ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, ++ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, ++ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, ++ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, ++ 0x6ca0, 0x6d62, 0x6f24, 
0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, ++ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, ++ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, ++ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, ++ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, ++ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, ++ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, ++ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, ++ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, ++ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, ++ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, ++ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, ++ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, ++ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, ++ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, ++ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, ++ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, ++ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, ++ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, ++ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, ++ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, ++ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, ++ }, ++ 0 ++ }; ++ ++#define gcmR gcm_table.R ++ ++static inline ++void prefetch_table(const void *tab, size_t len) ++{ ++ const volatile byte *vtab = tab; ++ size_t i; ++ ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) ++ { ++ (void)vtab[i + 0 * 32]; ++ (void)vtab[i + 1 * 32]; ++ (void)vtab[i + 2 * 32]; ++ (void)vtab[i + 3 * 32]; ++ (void)vtab[i + 4 * 32]; ++ (void)vtab[i + 5 * 32]; ++ (void)vtab[i + 6 * 32]; ++ (void)vtab[i + 7 * 32]; ++ } ++ for (; i < len; i += 32) ++ { ++ (void)vtab[i]; ++ } ++ ++ (void)vtab[len - 1]; ++} ++ ++static inline 
void
++do_prefetch_tables (const void *gcmM, size_t gcmM_size)
++{
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ gcm_table.counter_head++;
++ gcm_table.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
++ prefetch_table(gcmM, gcmM_size);
++ prefetch_table(&gcm_table, sizeof(gcm_table));
++}
+
+ #ifdef GCM_TABLES_USE_U64
+ static void
+@@ -313,6 +375,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM)
+ #define fillM(c) \
+ do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table)
+ #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table)
++#define prefetch_tables(c) \
++ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table))
+
+ #else
+
+@@ -378,6 +442,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf)
+
+ #define fillM(c) do { } while (0)
+ #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf)
++#define prefetch_tables(c) do {} while (0)
+
+ #endif /* !GCM_USE_TABLES */
+
+@@ -389,6 +454,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf,
+ const unsigned int blocksize = GCRY_GCM_BLOCK_LEN;
+ unsigned int burn = 0;
+
++ prefetch_tables (c);
++
+ while (nblocks)
+ {
+ burn = GHASH (c, result, buf);
+diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h
+index 160fb8c..a62d4b7 100644
+--- a/cipher/rijndael-internal.h
++++ b/cipher/rijndael-internal.h
+@@ -29,11 +29,13 @@
+ #define BLOCKSIZE (128/8)
+
+
+-/* Helper macro to force alignment to 16 bytes. */
++/* Helper macro to force alignment to 16 or 64 bytes. 
*/ + #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED + # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) + #else + # define ATTR_ALIGNED_16 ++# define ATTR_ALIGNED_64 + #endif + + +diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h +index 8359470..b54d959 100644 +--- a/cipher/rijndael-tables.h ++++ b/cipher/rijndael-tables.h +@@ -21,80 +21,98 @@ + /* To keep the actual implementation at a readable size we use this + include file to define the tables. */ + +-static const u32 encT[256] = ++static struct ++{ ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; ++ u32 T[256]; ++ volatile u32 counter_tail; ++} enc_tables ATTR_ALIGNED_64 = + { +- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, +- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, +- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, +- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, +- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, +- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, +- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, +- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, +- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, +- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, +- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, +- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, +- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, +- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, +- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, +- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, +- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, +- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, +- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, +- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, +- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, +- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, +- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, +- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, +- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 
+- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, +- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, +- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, +- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, +- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, +- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, +- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, +- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, +- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, +- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, +- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, +- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, +- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, +- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, +- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, +- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, +- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, +- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, +- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, +- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, +- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, +- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, +- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, +- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, +- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, +- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, +- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, +- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, +- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, +- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, +- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, +- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, +- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, +- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, +- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, +- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, +- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, +- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, +- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c ++ 0, ++ { 
0, }, ++ { ++ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, ++ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, ++ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, ++ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, ++ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, ++ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, ++ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, ++ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, ++ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, ++ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, ++ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, ++ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, ++ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, ++ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, ++ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, ++ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, ++ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, ++ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, ++ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, ++ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, ++ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, ++ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, ++ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, ++ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, ++ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, ++ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, ++ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, ++ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, ++ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, ++ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, ++ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, ++ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, ++ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, ++ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, ++ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, ++ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, ++ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, ++ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, ++ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, 
++ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, ++ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, ++ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, ++ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, ++ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, ++ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, ++ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, ++ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, ++ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, ++ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, ++ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, ++ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, ++ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, ++ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, ++ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, ++ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, ++ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, ++ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, ++ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, ++ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, ++ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, ++ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, ++ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, ++ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, ++ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c ++ }, ++ 0 + }; + +-static const struct ++#define encT enc_tables.T ++ ++static struct + { ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; + u32 T[256]; + byte inv_sbox[256]; +-} dec_tables = ++ volatile u32 counter_tail; ++} dec_tables ATTR_ALIGNED_64 = + { ++ 0, ++ { 0, }, + { + 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, + 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, +@@ -194,7 +212,8 @@ static const struct + 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, + 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, + 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +- } ++ }, ++ 0 + }; + + #define decT dec_tables.T +diff --git a/cipher/rijndael.c b/cipher/rijndael.c +index 8637195..d0edab2 100644 +--- a/cipher/rijndael.c 
++++ b/cipher/rijndael.c
+@@ -227,11 +227,11 @@ static const char *selftest(void);
+
+
+ /* Prefetching for encryption/decryption tables. */
+-static void prefetch_table(const volatile byte *tab, size_t len)
++static inline void prefetch_table(const volatile byte *tab, size_t len)
+ {
+ size_t i;
+
+- for (i = 0; i < len; i += 8 * 32)
++ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
+ {
+ (void)tab[i + 0 * 32];
+ (void)tab[i + 1 * 32];
+@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len)
+ (void)tab[i + 6 * 32];
+ (void)tab[i + 7 * 32];
+ }
++ for (; i < len; i += 32)
++ {
++ (void)tab[i];
++ }
+
+ (void)tab[len - 1];
+ }
+
+ static void prefetch_enc(void)
+ {
+- prefetch_table((const void *)encT, sizeof(encT));
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ enc_tables.counter_head++;
++ enc_tables.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
++ prefetch_table((const void *)&enc_tables, sizeof(enc_tables));
+ }
+
+ static void prefetch_dec(void)
+ {
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ dec_tables.counter_head++;
++ dec_tables.counter_tail++;
++
++ /* Prefetch look-up tables to cache. 
*/
+ prefetch_table((const void *)&dec_tables, sizeof(dec_tables));
+ }
+
+@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+ return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
+- encT);
++ enc_tables.T);
+ # else
+ /* Call SystemV ABI function without storing non-volatile XMM registers,
+ * as target function does not use vector instruction sets. */
+@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ return ret;
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT);
++ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
++ enc_tables.T);
+ #else
+ return do_encrypt_fn (ctx, bx, ax);
+ #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/
+@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+ return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+- &dec_tables);
++ dec_tables.T);
+ # else
+ /* Call SystemV ABI function without storing non-volatile XMM registers,
+ * as target function does not use vector instruction sets. */
+@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+ return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+- &dec_tables);
++ dec_tables.T);
+ #else
+ return do_decrypt_fn (ctx, bx, ax);
+ #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/
+
diff --git a/main/libgcrypt/CVE-2019-13627.patch b/main/libgcrypt/CVE-2019-13627.patch
new file mode 100644
index 00000000000..4399507340b
--- /dev/null
+++ b/main/libgcrypt/CVE-2019-13627.patch 
@@ -0,0 +1,103 @@
+diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
+index 6f2c2f9..647639c 100644
+--- a/cipher/dsa-common.c
++++ b/cipher/dsa-common.c
+@@ -29,6 +29,30 @@
+ #include "pubkey-internal.h"
+
+
++/*
++ * Modify K, so that computation time difference can be small,
++ * by making K large enough.
++ *
++ * Originally, (EC)DSA computation requires k where 0 < k < q. Here,
++ * we add q (the order), to keep k in a range: q < k < 2*q (or,
++ * addming more q, to keep k in a range: 2*q < k < 3*q), so that
++ * timing difference of the EC multiply (or exponentiation) operation
++ * can be small. The result of (EC)DSA computation is same.
++ */
++void
++_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
++{
++ gcry_mpi_t k1 = mpi_new (qbits+2);
++
++ mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
++ k->nlimbs = k->alloced;
++ mpi_add (k, k, q);
++ mpi_add (k1, k, q);
++ mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
++
++ mpi_free (k1);
++}
++
+ /*
+ * Generate a random secret exponent K less than Q.
+ * Note that ECDSA uses this code also to generate D. 
+diff --git a/cipher/dsa.c b/cipher/dsa.c
+index 22d8d78..24a5352 100644
+--- a/cipher/dsa.c
++++ b/cipher/dsa.c
+@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
+ k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
+ }
+
++ _gcry_dsa_modify_k (k, skey->q, qbits);
++
+ /* r = (a^k mod p) mod q */
+ mpi_powm( r, skey->g, k, skey->p );
+ mpi_fdiv_r( r, r, skey->q );
+diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
+index 140e8c0..97966c3 100644
+--- a/cipher/ecc-ecdsa.c
++++ b/cipher/ecc-ecdsa.c
+@@ -114,6 +114,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ else
+ k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+
++ _gcry_dsa_modify_k (k, skey->E.n, qbits);
++
+ _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
+ if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+ {
+diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
+index a34fa08..0362a6c 100644
+--- a/cipher/ecc-gost.c
++++ b/cipher/ecc-gost.c
+@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ mpi_free (k);
+ k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+
++ _gcry_dsa_modify_k (k, skey->E.n, qbits);
++
+ _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
+ if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+ {
+diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
+index b8167c7..d31e26f 100644
+--- a/cipher/pubkey-internal.h
++++ b/cipher/pubkey-internal.h
+@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded,
+
+
+ /*-- dsa-common.c --*/
++void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
+ gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
+ gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
+ gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
+diff --git a/mpi/ec.c b/mpi/ec.c
+index 89077cd..adb0260 100644
+--- a/mpi/ec.c
++++ b/mpi/ec.c
+@@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
+ unsigned int nbits;
+ int j;
+
+- nbits = 
mpi_get_nbits (scalar);
++ if (mpi_cmp (scalar, ctx->p) >= 0)
++ nbits = mpi_get_nbits (scalar);
++ else
++ nbits = mpi_get_nbits (ctx->p);
++
+ if (ctx->model == MPI_EC_WEIERSTRASS)
+ {
+ mpi_set_ui (result->x, 1);
diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD
index e12587d21b7..2efe02530a4 100644
--- a/main/libjpeg-turbo/APKBUILD
+++ b/main/libjpeg-turbo/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libjpeg-turbo
pkgver=1.5.3
-pkgrel=2
+pkgrel=3
pkgdesc="accelerated baseline JPEG compression and decompression library"
url="http://libjpeg-turbo.virtualgl.org/"
arch="all"
@@ -15,9 +15,12 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
CVE-2018-11813.patch
+ CVE-2018-14498.patch
"
# secfixes:
+# 1.5.3-r3:
+# - CVE-2018-14498
# 1.5.3-r2:
# - CVE-2018-11813
# 1.5.3-r1:
@@ -66,4 +69,5 @@ dev() {
sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz
d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
-d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch"
+d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch
+315aba552a2d66cdc8d83c5602a7e47c995f6709509afd07daf3ffacaf650404dc9f7a4beeb1373cabb5afc915a3d4c704b71dfdfcad3bc25ae5361ed16980d5 CVE-2018-14498.patch"
diff --git a/main/libjpeg-turbo/CVE-2018-14498.patch b/main/libjpeg-turbo/CVE-2018-14498.patch
new file mode 100644
index 00000000000..edf9365448f
--- /dev/null 
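Review bot: CVE-2019-13627.patch carries no provenance header — no upstream commit id, author, date or origin URL — so a maintainer cannot tell which libgcrypt commit it backports or compare it with upstream; length-check.patch added in this same commit shows the expected `From:`/`Date:`/`Subject:` form, and CVE-2018-14498.patch has the same gap. Lines such as `From: <upstream author>`, `Subject: <upstream subject>` and `Origin: <upstream commit URL>` placed before the first `diff --git` line would record this without touching any hunk, at the cost of regenerating the patch's sha512sums entry in the APKBUILD. While the file is being re-exported, the comment above `_gcry_dsa_modify_k` has the typo `addming` for `adding`. The mpi/ec.c hunk changes only the `nbits` bound of `_gcry_mpi_ec_mul_point`, whose loop body lies outside the hunk.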
+++ b/main/libjpeg-turbo/CVE-2018-14498.patch 
@@ -0,0 +1,110 @@
+diff --git a/cderror.h b/cderror.h
+index 63de498..92dd2ed 100644
+--- a/cderror.h
++++ b/cderror.h
+@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB")
+ JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
+ JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
+ JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
+ JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
+ JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
+ JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
+@@ -77,6 +78,7 @@ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
+ JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
+ JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
+ JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
+ JMESSAGE(JTRC_PGM, "%ux%u PGM image")
+ JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
+ JMESSAGE(JTRC_PPM, "%ux%u PPM image")
+diff --git a/rdbmp.c b/rdbmp.c
+index eaa7086..01fa2bc 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
+ JDIMENSION row_width; /* Physical width of scanlines in file */
+
+ int bits_per_pixel; /* remembers 8- or 24-bit format */
++ int cmap_length; /* colormap length */
+ } bmp_source_struct;
+
+
+@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ {
+ bmp_source_ptr source = (bmp_source_ptr) sinfo;
+ register JSAMPARRAY colormap = source->colormap;
++ int cmaplen = source->cmap_length;
+ JSAMPARRAY image_ptr;
+ register int t;
+ register JSAMPROW inptr, outptr;
+@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ outptr = source->pub.buffer[0];
+ for (col = cinfo->image_width; col > 0; col--) {
+ t = GETJSAMPLE(*inptr++);
++ if (t >= cmaplen)
++ ERREXIT(cinfo, 
JERR_BMP_OUTOFRANGE);
+ *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
+ *outptr++ = colormap[1][t];
+ *outptr++ = colormap[2][t];
+@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ source->colormap = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ (JDIMENSION) biClrUsed, (JDIMENSION) 3);
++ source->cmap_length = (int)biClrUsed;
+ /* and read it from the file */
+ read_colormap(source, (int) biClrUsed, mapentrysize);
+ /* account for size of colormap */
+diff --git a/rdppm.c b/rdppm.c
+index 33ff749..c0c0962 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -69,7 +69,7 @@ typedef struct {
+ JSAMPROW pixrow; /* compressor input buffer */
+ size_t buffer_width; /* width of I/O buffer */
+ JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
+- int maxval;
++ unsigned int maxval;
+ } ppm_source_struct;
+
+ typedef ppm_source_struct *ppm_source_ptr;
+@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE *infile, unsigned int maxval)
+ }
+
+ if (val > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+
+ return val;
+ }
+@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ }
+ return 1;
+@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, 
JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ }
+ return 1;
+
diff --git a/main/libmad/APKBUILD b/main/libmad/APKBUILD
index d542c5bc33c..08f0cb76630 100644
--- a/main/libmad/APKBUILD
+++ b/main/libmad/APKBUILD
@@ -2,21 +2,28 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libmad
pkgver=0.15.1b
-pkgrel=7
+pkgrel=8
pkgdesc="A high-quality MPEG audio decoder"
url="http://www.underbit.com/products/mad/"
arch="all"
-license="GPL"
+license="GPL-2.0-or-later"
subpackages="$pkgname-dev"
-depends=
makedepends="autoconf automake libtool"
source="http://downloads.sourceforge.net/sourceforge/mad/$pkgname-$pkgver.tar.gz
libmad-0.15.1b-cflags-O2.patch
libmad-0.15.1b-cflags.patch
automake.patch
+ length-check.patch
+ md_size.patch
mad.pc
"
+# secfixes:
+# 0.15.1b-r8:
+# - CVE-2017-8372
+# - CVE-2017-8373
+# - CVE-2017-8374
+
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
@@ -51,4 +58,6 @@ sha512sums="2cad30347fb310dc605c46bacd9da117f447a5cabedd8fefdb24ab5de641429e5ec5
13a8bac30cea4861f903b4abc8673f9a35b6253aae6a02915f99b67e5e8c56460fc1fb059a0aa52143b665f888928baba098daf0ed022420e46317be4dbc6161 libmad-0.15.1b-cflags-O2.patch
01dc8421dba2b652aa8ca6d1f1a5c310645465b18190ebfdeaae516de881869957e8e7c0c373d0d09623da33719d01e028f2f6164790b54c43a71271f5b4dbba libmad-0.15.1b-cflags.patch
e73ec5ae3b14e8d45579b52bcc561a309b85e1e51d946e061e2f0a9252f515e48e2d818e8bdce1adf5a9801ec314be8c911914d0bb12f9113a7afc54cf385250 automake.patch
+dd412962246d4c9db8c07dbafcaba2f64fdc0c94cf6bcc3f4f0f88a92800f40e550cc56dc8a2324c0123d9c70a89055dc50cd714206d7886e2f6877d4cc26600 length-check.patch
+511fc4496044bc676e1957c5085aded89e33248c5ee4c965c76c609904086911dcc912a943be98244b2d7e5f140f432584722cc3b53fdb27265328322a727427 md_size.patch
ec0b14bd0c6236a216107b507b92c06e295352f1657ba5e45f37fff220a73e1454b262ac36fc715d698c4ffd210d348fca71cf0198e2c49d16fe0ec5ea839f08 mad.pc" 
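Review bot: `cmap_length` is assigned only in the start_input_bmp hunk, on the path that allocates `source->colormap`; unless `bmp_source_struct` is zero-initialised where it is allocated (outside this hunk), any other path that reaches `get_8bit_row` would compare `t` against an indeterminate bound, so the field should be set to 0 at allocation or the rdbmp.c comment should state when it becomes valid. The new member comment `/* colormap length */` says nothing about its role; `/* number of entries in colormap; get_8bit_row rejects pixel indexes >= this */` would tell the next reader what the check guards. In rdppm.c the member `maxval` becomes `unsigned int` while the row readers keep `if (temp > maxval)`; this is sound only if `temp` is non-negative, which the `UCH()` construction suggests but the declaration of `temp` lies outside the hunk. get_8bit_row and the three row readers all start and end outside their hunks.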
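Review bot: The new secfixes block credits 0.15.1b-r8 with CVE-2017-8372, CVE-2017-8373 and CVE-2017-8374, but the two patches that implement it are named `length-check.patch` and `md_size.patch`, so nothing in the APKBUILD records which patch closes which CVE or where the patches come from. A comment above `source=` such as `# length-check.patch / md_size.patch: <origin URL>, fix <CVE ids each addresses>` would make the mapping auditable; it cannot go inside the quoted `source=` list, where a `#` would become part of a file name. The `license="GPL-2.0-or-later"` correction and the dropped empty `depends=` are fine as written.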
diff --git a/main/libmad/length-check.patch b/main/libmad/length-check.patch
new file mode 100644
index 00000000000..80e48469e65
--- /dev/null
+++ b/main/libmad/length-check.patch 
@@ -0,0 +1,817 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 28 Jan 2018 19:26:36 +0100
+Subject: Check the size before reading with mad_bit_read
+
+There are various cases where it attemps to read past the end of the buffer
+using mad_bit_read(). Most functions didn't even know the size of the buffer
+they were reading from.
+
+Index: libmad-0.15.1b/bit.c
+===================================================================
+--- libmad-0.15.1b.orig/bit.c
++++ libmad-0.15.1b/bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
+ {
+ register unsigned long value;
+
++ if (len == 0)
++ return 0;
++
+ if (bitptr->left == CHAR_BIT)
+ bitptr->cache = *bitptr->byte;
+
+Index: libmad-0.15.1b/frame.c
+===================================================================
+--- libmad-0.15.1b.orig/frame.c
++++ libmad-0.15.1b/frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+ unsigned int index;
++ struct mad_bitptr bufend_ptr;
+
+ header->flags = 0;
+ header->private_bits = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* header() */
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+
+ /* syncword */
+ mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
+ /* error_check() */
+
+ /* crc_check */
+- if (header->flags & MAD_FLAG_PROTECTION)
++ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+ header->crc_target = mad_bit_read(&stream->ptr, 16);
++ }
+
+ return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
+ stream->error = MAD_ERROR_BUFLEN;
+ goto fail;
+ }
+- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ /* mark point where frame sync word was expected */
+ 
stream->this_frame = ptr;
+ stream->next_frame = ptr + 1;
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
+ ptr = mad_bit_nextbyte(&stream->ptr);
+ }
+
++ stream->error = MAD_ERROR_NONE;
++
+ /* begin processing */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1; /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
+ /* check that a valid frame header follows this frame */
+
+ ptr = stream->next_frame;
+- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ ptr = stream->next_frame = stream->this_frame + 1;
+ goto sync;
+ }
+Index: libmad-0.15.1b/layer12.c
+===================================================================
+--- libmad-0.15.1b.orig/layer12.c
++++ libmad-0.15.1b/layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+ * DESCRIPTION: decode one requantized Layer I sample from a bitstream
+ */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+ mad_fixed_t sample;
++ struct mad_bitptr frameend_ptr;
+
++ mad_bit_init(&frameend_ptr, stream->next_frame);
++
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return 0;
++ }
+ sample = mad_bit_read(ptr, nb);
+
+ /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
+ struct mad_header *header = &frame->header;
+ unsigned int nch, bound, ch, s, sb, nb;
+ unsigned char allocation[2][32], scalefactor[2][32];
++ struct mad_bitptr bufend_ptr, frameend_ptr;
++
++ mad_bit_init(&bufend_ptr, stream->bufend);
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
+ /* check CRC word */
+
+ if (header->flags & 
MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr)
++ < 4 * (bound * nch + (32 - bound))) {
++ stream->error = MAD_ERROR_BADCRC;
++ return -1;
++ }
+ header->crc_check =
+ mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+ header->crc_check);
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
+
+ for (sb = 0; sb < bound; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
+ }
+
+ for (sb = bound; sb < 32; ++sb) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
+ for (sb = 0; sb < 32; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
+ for (ch = 0; ch < nch; ++ch) {
+ nb = allocation[ch][sb];
+ frame->sbsample[ch][s][sb] = nb ? 
+- mad_f_mul(I_sample(&stream->ptr, nb),
++ mad_f_mul(I_sample(&stream->ptr, nb, stream),
+ sf_table[scalefactor[ch][sb]]) : 0;
++ if (stream->error != 0)
++ return -1;
+ }
+ }
+
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
+ if ((nb = allocation[0][sb])) {
+ mad_fixed_t sample;
+
+- sample = I_sample(&stream->ptr, nb);
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
++ sample = I_sample(&stream->ptr, nb, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ frame->sbsample[ch][s][sb] =
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+ struct quantclass const *quantclass,
+- mad_fixed_t output[3])
++ mad_fixed_t output[3], struct mad_stream *stream)
+ {
+ unsigned int nb, s, sample[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ if ((nb = quantclass->group)) {
+ unsigned int c, nlevels;
+
++ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ /* degrouping */
+ c = mad_bit_read(ptr, quantclass->bits);
+ nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+ else {
+ nb = quantclass->bits;
+
+- for (s = 0; s < 3; ++s)
++ for (s = 0; s < 3; ++s) {
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ sample[s] = mad_bit_read(ptr, nb);
++ }
+ }
+
+ for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
+ unsigned char const *offsets;
+ unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+ mad_fixed_t samples[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -402,13 +460,24 @@ int mad_layer_II(struct 
mad_stream *stre
+ for (sb = 0; sb < bound; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
+- for (ch = 0; ch < nch; ++ch)
++ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++ }
+ }
+
+ for (sb = bound; sb < sblimit; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[0][sb] =
+ allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+ }
+@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
+
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+- if (allocation[ch][sb])
++ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++ }
+ }
+ }
+
+@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+
+ switch (scfsi[ch][sb]) {
+@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
+ break;
+
+ case 0:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+ /* fall through */
+
+ case 1:
+ case 3:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+ }
+
+@@ -487,7 +577,9 
@@ int mad_layer_II(struct mad_stream *stre + if ((index = allocation[ch][sb])) { + index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; + +- II_samples(&stream->ptr, &qc_table[index], samples); ++ II_samples(&stream->ptr, &qc_table[index], samples, stream); ++ if (stream->error != 0) ++ return -1; + + for (s = 0; s < 3; ++s) { + frame->sbsample[ch][3 * gr + s][sb] = +@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre + if ((index = allocation[0][sb])) { + index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; + +- II_samples(&stream->ptr, &qc_table[index], samples); ++ II_samples(&stream->ptr, &qc_table[index], samples, stream); ++ if (stream->error != 0) ++ return -1; + + for (ch = 0; ch < nch; ++ch) { + for (s = 0; s < 3; ++s) { +Index: libmad-0.15.1b/layer3.c +=================================================================== +--- libmad-0.15.1b.orig/layer3.c ++++ libmad-0.15.1b/layer3.c +@@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_b + static + unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr, + struct channel *channel, +- struct channel *gr1ch, int mode_extension) ++ struct channel *gr1ch, int mode_extension, ++ unsigned int bits_left, unsigned int *part2_length) + { + struct mad_bitptr start; + unsigned int scalefac_compress, index, slen[4], part, n, i; +@@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct + + n = 0; + for (part = 0; part < 4; ++part) { +- for (i = 0; i < nsfb[part]; ++i) ++ for (i = 0; i < nsfb[part]; ++i) { ++ if (bits_left < slen[part]) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[n++] = mad_bit_read(ptr, slen[part]); ++ bits_left -= slen[part]; ++ } + } + + while (n < 39) +@@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct + max = (1 << slen[part]) - 1; + + for (i = 0; i < nsfb[part]; ++i) { ++ if (bits_left < slen[part]) ++ return MAD_ERROR_BADSCFSI; + is_pos = mad_bit_read(ptr, slen[part]); ++ bits_left -= slen[part]; + + channel->scalefac[n] = 
is_pos; + gr1ch->scalefac[n++] = (is_pos == max); +@@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct + } + } + +- return mad_bit_length(&start, ptr); ++ *part2_length = mad_bit_length(&start, ptr); ++ return MAD_ERROR_NONE; + } + + /* +@@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct + */ + static + unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel, +- struct channel const *gr0ch, unsigned int scfsi) ++ struct channel const *gr0ch, unsigned int scfsi, ++ unsigned int bits_left, unsigned int *part2_length) + { + struct mad_bitptr start; + unsigned int slen1, slen2, sfbi; +@@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad + sfbi = 0; + + nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3; +- while (nsfb--) ++ while (nsfb--) { ++ if (bits_left < slen1) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1); ++ bits_left -= slen1; ++ } + + nsfb = 6 * 3; +- while (nsfb--) ++ while (nsfb--) { ++ if (bits_left < slen2) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2); ++ bits_left -= slen2; ++ } + + nsfb = 1 * 3; + while (nsfb--) +@@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad + channel->scalefac[sfbi] = gr0ch->scalefac[sfbi]; + } + else { +- for (sfbi = 0; sfbi < 6; ++sfbi) ++ for (sfbi = 0; sfbi < 6; ++sfbi) { ++ if (bits_left < slen1) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi] = mad_bit_read(ptr, slen1); ++ bits_left -= slen1; ++ } + } + + if (scfsi & 0x4) { +@@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad + channel->scalefac[sfbi] = gr0ch->scalefac[sfbi]; + } + else { +- for (sfbi = 6; sfbi < 11; ++sfbi) ++ for (sfbi = 6; sfbi < 11; ++sfbi) { ++ if (bits_left < slen1) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi] = mad_bit_read(ptr, slen1); ++ bits_left -= slen1; ++ } + } + + if (scfsi & 0x2) { +@@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad + 
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi]; + } + else { +- for (sfbi = 11; sfbi < 16; ++sfbi) ++ for (sfbi = 11; sfbi < 16; ++sfbi) { ++ if (bits_left < slen2) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi] = mad_bit_read(ptr, slen2); ++ bits_left -= slen2; ++ } + } + + if (scfsi & 0x1) { +@@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad + channel->scalefac[sfbi] = gr0ch->scalefac[sfbi]; + } + else { +- for (sfbi = 16; sfbi < 21; ++sfbi) ++ for (sfbi = 16; sfbi < 21; ++sfbi) { ++ if (bits_left < slen2) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi] = mad_bit_read(ptr, slen2); ++ bits_left -= slen2; ++ } + } + + channel->scalefac[21] = 0; + } + +- return mad_bit_length(&start, ptr); ++ *part2_length = mad_bit_length(&start, ptr); ++ return MAD_ERROR_NONE; + } + + /* +@@ -933,19 +968,17 @@ static + enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576], + struct channel *channel, + unsigned char const *sfbwidth, +- unsigned int part2_length) ++ signed int part3_length) + { + signed int exponents[39], exp; + signed int const *expptr; + struct mad_bitptr peek; +- signed int bits_left, cachesz; ++ signed int bits_left, cachesz, fakebits; + register mad_fixed_t *xrptr; + mad_fixed_t const *sfbound; + register unsigned long bitcache; + +- bits_left = (signed) channel->part2_3_length - (signed) part2_length; +- if (bits_left < 0) +- return MAD_ERROR_BADPART3LEN; ++ bits_left = part3_length; + + III_exponents(channel, sfbwidth, exponents); + +@@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad + cachesz = mad_bit_bitsleft(&peek); + cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7; + ++ if (bits_left < cachesz) { ++ cachesz = bits_left; ++ } + bitcache = mad_bit_read(&peek, cachesz); + bits_left -= cachesz; ++ fakebits = 0; + + xrptr = &xr[0]; + +@@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad + + big_values = channel->big_values; + +- while (big_values-- && cachesz + bits_left > 0) { ++ while 
(big_values-- && cachesz + bits_left - fakebits > 0) { + union huffpair const *pair; + unsigned int clumpsz, value; + register mad_fixed_t requantized; +@@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad + unsigned int bits; + + bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7; ++ if (bits_left < bits) { ++ bits = bits_left; ++ } + bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); + cachesz += bits; + bits_left -= bits; + } ++ if (cachesz < 21) { ++ unsigned int bits = 21 - cachesz; ++ bitcache <<= bits; ++ cachesz += bits; ++ fakebits += bits; ++ } + + /* hcod (0..19) */ + +@@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad + } + + cachesz -= pair->value.hlen; ++ if (cachesz < fakebits) ++ return MAD_ERROR_BADHUFFDATA; + + if (linbits) { + /* x (0..14) */ +@@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad + + case 15: + if (cachesz < linbits + 2) { +- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16); +- cachesz += 16; +- bits_left -= 16; ++ unsigned int bits = 16; ++ if (bits_left < 16) ++ bits = bits_left; ++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); ++ cachesz += bits; ++ bits_left -= bits; + } ++ if (cachesz - fakebits < linbits) ++ return MAD_ERROR_BADHUFFDATA; + + value += MASK(bitcache, cachesz, linbits); + cachesz -= linbits; +@@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad + } + + x_final: ++ if (cachesz - fakebits < 1) ++ return MAD_ERROR_BADHUFFDATA; + xrptr[0] = MASK1BIT(bitcache, cachesz--) ? 
+ -requantized : requantized; + } +@@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad + + case 15: + if (cachesz < linbits + 1) { +- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16); +- cachesz += 16; +- bits_left -= 16; ++ unsigned int bits = 16; ++ if (bits_left < 16) ++ bits = bits_left; ++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); ++ cachesz += bits; ++ bits_left -= bits; + } ++ if (cachesz - fakebits < linbits) ++ return MAD_ERROR_BADHUFFDATA; + + value += MASK(bitcache, cachesz, linbits); + cachesz -= linbits; +@@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad + } + + y_final: ++ if (cachesz - fakebits < 1) ++ return MAD_ERROR_BADHUFFDATA; + xrptr[1] = MASK1BIT(bitcache, cachesz--) ? + -requantized : requantized; + } +@@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad + requantized = reqcache[value] = III_requantize(value, exp); + } + ++ if (cachesz - fakebits < 1) ++ return MAD_ERROR_BADHUFFDATA; + xrptr[0] = MASK1BIT(bitcache, cachesz--) ? + -requantized : requantized; + } +@@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad + requantized = reqcache[value] = III_requantize(value, exp); + } + ++ if (cachesz - fakebits < 1) ++ return MAD_ERROR_BADHUFFDATA; + xrptr[1] = MASK1BIT(bitcache, cachesz--) ? 
+ -requantized : requantized; + } +@@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad + } + } + +- if (cachesz + bits_left < 0) +- return MAD_ERROR_BADHUFFDATA; /* big_values overrun */ +- + /* count1 */ + { + union huffquad const *table; +@@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad + + requantized = III_requantize(1, exp); + +- while (cachesz + bits_left > 0 && xrptr <= &xr[572]) { ++ while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) { + union huffquad const *quad; + + /* hcod (1..6) */ + + if (cachesz < 10) { +- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16); +- cachesz += 16; +- bits_left -= 16; ++ unsigned int bits = 16; ++ if (bits_left < 16) ++ bits = bits_left; ++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); ++ cachesz += bits; ++ bits_left -= bits; ++ } ++ if (cachesz < 10) { ++ unsigned int bits = 10 - cachesz; ++ bitcache <<= bits; ++ cachesz += bits; ++ fakebits += bits; + } + + quad = &table[MASK(bitcache, cachesz, 4)]; +@@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad + MASK(bitcache, cachesz, quad->ptr.bits)]; + } + ++ if (cachesz - fakebits < quad->value.hlen + quad->value.v ++ + quad->value.w + quad->value.x + quad->value.y) ++ /* We don't have enough bits to read one more entry, consider them ++ * stuffing bits. 
*/ ++ break; + cachesz -= quad->value.hlen; + + if (xrptr == sfbound) { +@@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad + + xrptr += 2; + } +- +- if (cachesz + bits_left < 0) { +-# if 0 && defined(DEBUG) +- fprintf(stderr, "huffman count1 overrun (%d bits)\n", +- -(cachesz + bits_left)); +-# endif +- +- /* technically the bitstream is misformatted, but apparently +- some encoders are just a bit sloppy with stuffing bits */ +- +- xrptr -= 4; +- } + } + +- assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT); +- + # if 0 && defined(DEBUG) + if (bits_left < 0) + fprintf(stderr, "read %d bits too many\n", -bits_left); +@@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18 + */ + static + enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame, +- struct sideinfo *si, unsigned int nch) ++ struct sideinfo *si, unsigned int nch, unsigned int md_len) + { + struct mad_header *header = &frame->header; + unsigned int sfreqi, ngr, gr; ++ int bits_left = md_len * CHAR_BIT; + + { + unsigned int sfreq; +@@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bit + for (ch = 0; ch < nch; ++ch) { + struct channel *channel = &granule->ch[ch]; + unsigned int part2_length; ++ unsigned int part3_length; + + sfbwidth[ch] = sfbwidth_table[sfreqi].l; + if (channel->block_type == 2) { +@@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bit + } + + if (header->flags & MAD_FLAG_LSF_EXT) { +- part2_length = III_scalefactors_lsf(ptr, channel, ++ error = III_scalefactors_lsf(ptr, channel, + ch == 0 ? 0 : &si->gr[1].ch[1], +- header->mode_extension); ++ header->mode_extension, bits_left, &part2_length); + } + else { +- part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch], +- gr == 0 ? 0 : si->scfsi[ch]); ++ error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch], ++ gr == 0 ? 
0 : si->scfsi[ch], bits_left, &part2_length); + } ++ if (error) ++ return error; ++ ++ bits_left -= part2_length; + +- error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length); ++ if (part2_length > channel->part2_3_length) ++ return MAD_ERROR_BADPART3LEN; ++ ++ part3_length = channel->part2_3_length - part2_length; ++ if (part3_length > bits_left) ++ return MAD_ERROR_BADPART3LEN; ++ ++ error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length); + if (error) + return error; ++ bits_left -= part3_length; + } + + /* joint stereo processing */ +@@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *str + unsigned int nch, priv_bitlen, next_md_begin = 0; + unsigned int si_len, data_bitlen, md_len; + unsigned int frame_space, frame_used, frame_free; +- struct mad_bitptr ptr; ++ struct mad_bitptr ptr, bufend_ptr; + struct sideinfo si; + enum mad_error error; + int result = 0; + ++ mad_bit_init(&bufend_ptr, stream->bufend); ++ + /* allocate Layer III dynamic structures */ + + if (stream->main_data == 0) { +@@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *str + unsigned long header; + + mad_bit_init(&peek, stream->next_frame); ++ if (mad_bit_length(&peek, &bufend_ptr) >= 57) { ++ header = mad_bit_read(&peek, 32); ++ if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) { ++ if (!(header & 0x00010000L)) /* protection_bit */ ++ mad_bit_skip(&peek, 16); /* crc_check */ + +- header = mad_bit_read(&peek, 32); +- if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) { +- if (!(header & 0x00010000L)) /* protection_bit */ +- mad_bit_skip(&peek, 16); /* crc_check */ +- +- next_md_begin = +- mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8); ++ next_md_begin = ++ mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 
9 : 8); ++ } + } + + mad_bit_finish(&peek); +@@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *str + /* decode main_data */ + + if (result == 0) { +- error = III_decode(&ptr, frame, &si, nch); ++ error = III_decode(&ptr, frame, &si, nch, md_len); + if (error) { + stream->error = error; + result = -1; diff --git a/main/libmad/md_size.patch b/main/libmad/md_size.patch new file mode 100644 index 00000000000..657b5ffdb97 --- /dev/null +++ b/main/libmad/md_size.patch 
@@ -0,0 +1,58 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 28 Jan 2018 15:44:08 +0100
+Subject: Check the size of the main data
+
+The main data to decode a frame can come from the current frame and part of the
+previous frame, the so called bit reservoir. si.main_data_begin is the part of
+the previous frame we need for this frame. frame_space is the amount of main
+data that can be in this frame, and next_md_begin is the part of this frame that
+is going to be used for the next frame.
+
+The maximum amount of data from a previous frame that the format allows is 511
+bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2
+at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881.
+So those defines are not large enough:
+ # define MAD_BUFFER_GUARD 8
+ # define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD)
+
+There is also support for a "free" bitrate which allows you to create any frame
+size, which can be larger than the buffer.
+
+Changing the defines is not an option since it's part of the ABI, so we check
+that the main data fits in the bufer.
+
+The previous frame data is stored in *stream->main_data and contains
+stream->md_len bytes. If stream->md_len is larger than the data we
+need from the previous frame (si.main_data_begin) it still wouldn't fit
+in the buffer, so just keep the data that we need.
+
+Index: libmad-0.15.1b/layer3.c
+===================================================================
+--- libmad-0.15.1b.orig/layer3.c
++++ libmad-0.15.1b/layer3.c
+@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str
+ next_md_begin = 0;
+
+ md_len = si.main_data_begin + frame_space - next_md_begin;
++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ frame_used = 0;
+
+@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str
+ }
+ }
+ else {
+- mad_bit_init(&ptr,
+- *stream->main_data + stream->md_len - si.main_data_begin);
++ memmove(stream->main_data,
++ *stream->main_data + stream->md_len - si.main_data_begin,
++ si.main_data_begin);
++ stream->md_len = si.main_data_begin;
++ mad_bit_init(&ptr, *stream->main_data);
+
+ if (md_len > si.main_data_begin) {
+ assert(stream->md_len + md_len -
diff --git a/main/libsndfile/APKBUILD b/main/libsndfile/APKBUILD
index b75ce398611..60725f26730 100644
--- a/main/libsndfile/APKBUILD
+++ b/main/libsndfile/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libsndfile
 pkgver=1.0.28
-pkgrel=4
+pkgrel=5
 pkgdesc="A C library for reading and writing files containing sampled sound"
 url="http://www.mega-nerd.com/libsndfile"
 arch="all"
@@ -17,9 +17,13 @@ source="http://www.mega-nerd.com/$pkgname/files/$pkgname-$pkgver.tar.gz
 CVE-2017-12562.patch
 CVE-2018-13139.patch
 CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
+ CVE-2018-19758-and-CVE-2019-3832.patch
 "
 # secfixes:
+# 1.0.28-r5:
+# - CVE-2018-19758
+# - CVE-2019-3832
 # 1.0.28-r4:
 # - CVE-2017-17456
 # - CVE-2017-17457
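Review bot: Neither the new `md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN` bound nor the memmove compaction carries a comment, so the reasoning that justifies them lives only in the commit message and a reader of layer3.c sees two unexplained magic steps. Suggest `/* main_data is a fixed-size ABI buffer: reservoir + this frame's main data + guard must fit, or the frame is unusable */` above the check, and `/* keep only the si.main_data_begin reservoir bytes this frame needs, moved to the start of the buffer */` above the memmove. The memmove source offset `stream->md_len - si.main_data_begin` is only well-defined if the branch preceding this `else` has already rejected `si.main_data_begin > stream->md_len`; that check, like the `assert` the hunk breaks off in, is outside the hunk, so the point should be confirmed against the surrounding mad_layer_III body, which begins and ends outside this hunk.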
@@ -57,17 +61,10 @@ package() { cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 } -md5sums="646b5f98ce89ac60cdb060fcd398247c libsndfile-1.0.28.tar.gz -cdd75dee754a3f97a2b9852193858e8b CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch -883e150165932d7dc89aee64795a5e5e CVE-2017-8362.patch -bcee757ad4ec56f92c0c2ad5c9c9bf96 CVE-2017-12562.patch" -sha256sums="1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9 libsndfile-1.0.28.tar.gz -c2d2665744b32facab093540bd0b0c28e72496dd03f8fd51e0aef42fb76d9631 CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch -3dc977a26f36a779874bda304685a221a9da08d3e6b8d239f19785a31e18dbf7 CVE-2017-8362.patch -5e13e843a247c5cc3e33e926183281003512bd34dbb32acab6c9360e06e6e3c9 CVE-2017-12562.patch" sha512sums="890731a6b8173f714155ce05eaf6d991b31632c8ab207fbae860968861a107552df26fcf85602df2e7f65502c7256c1b41735e1122485a3a07ddb580aa83b57f libsndfile-1.0.28.tar.gz f98c40696fca3e7bca867df993de55bb4145c23428e65d1a669182eb2293046478ac727ae7f94bb77123ef0355c3c53be4f9d6a432665c90c74687d8d3afd9e3 CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch dfd4b5f1c7471fc416eed5c6040580a020543f145de9103751adaad6ce1c5c6a22abc1cf0ffd381aed3072644cd5ee03ba3598265aa7d202d63167da251cb595 CVE-2017-8362.patch 814139567d90fb07908014e858c341fe933e04dca69b88ad66078910888237bbeba94f85d9e1489883c424f35fca312eb98c21ae2b122d9289bb6418725cd02e CVE-2017-12562.patch 33817e7c85180635fa239e4ea38973b18312878522639f43071188a995f0e1a35dbca6d133555fb0875292b4b609950ae38e747a6b1949f8ae840db9dc3a2805 CVE-2018-13139.patch -ba3e5321713dbc118f45dac6f86049a15e6ba54fc788776eb267b1b165a0853bec278d8b066c71372cd243c852faa6781bef6a71d108e7cdbc64fb77fa3afc0a CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch" +ba3e5321713dbc118f45dac6f86049a15e6ba54fc788776eb267b1b165a0853bec278d8b066c71372cd243c852faa6781bef6a71d108e7cdbc64fb77fa3afc0a CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch 
+0cde1fba48e57a009a396fabb3332633e165409de64e7d098f944421e9ef7b5e5c0edb428ce2bca33fc6311f6454b3be30d1259a6cf2a84e1f78eae996f14135 CVE-2018-19758-and-CVE-2019-3832.patch"
diff --git a/main/libsndfile/CVE-2018-19758-and-CVE-2019-3832.patch b/main/libsndfile/CVE-2018-19758-and-CVE-2019-3832.patch
new file mode 100644
index 00000000000..3b08a642129
--- /dev/null
+++ b/main/libsndfile/CVE-2018-19758-and-CVE-2019-3832.patch
@@ -0,0 +1,16 @@
+diff --git a/src/wav.c b/src/wav.c
+index 4b943dc..6020f20 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1094,6 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
+ psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+ psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+
++ /* Make sure we don't read past the loops array end. */
++ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
++
+ for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ { int type ;
+
+
diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD
index 023e983eeea..fc7e47b538a 100644
--- a/main/libssh2/APKBUILD
+++ b/main/libssh2/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: William Pitcock <nenolod@dereferenced.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libssh2
-pkgver=1.8.2
-pkgrel=0
+pkgver=1.9.0
+pkgrel=1
 pkgdesc="library for accessing ssh1/ssh2 protocol servers"
 url="https://libssh2.org/"
 arch="all"
@@ -10,10 +10,15 @@ license="BSD"
 makedepends="libressl-dev zlib-dev"
 options="!check"
 subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc"
-source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz"
+source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz
+ CVE-2019-17498.patch"
 builddir="$srcdir"/libssh2-$pkgver
 # security fixes:
+# 1.9.0-r1:
+# - CVE-2019-17498
+# 1.9.0-r0:
+# - CVE-2019-13115
 # 1.8.1-r0:
 # - CVE-2019-3855
 # - CVE-2019-3856
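Review bot: The clamp of `psf->instrument->loop_count` sits after `psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;` has already written the unclamped count into the smpl chunk, so for an oversized loop_count the header now announces more loop records than the loop below emits, and presumably the chunk length computed from the same value earlier in wav_write_header (outside the hunk) is wrong by the same amount. The out-of-bounds read is closed, but the result is a self-inconsistent chunk rather than a consistently truncated one. Moving the two clamp lines above the first use of loop_count — ideally to the top of the instrument block, before the chunk size is derived — keeps header and payload in agreement. wav_write_header starts and ends outside the hunk, so the exact placement needs the full function.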
@@ -43,4 +48,5 @@ package() {
 make DESTDIR="$pkgdir" install
 }
-sha512sums="390ab4ad93bb738415ec11a6eb92806c9b9e9e5d8ee7c442d841a58b4292c1c447a9bc99e153ba464e2e11f9c0d1913469303598c3046722d1ae821991e8cb93 libssh2-1.8.2.tar.gz"
+sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz
+fedd840ec8459409c80ef3984f3539e09c0730fb1a7ccc8034e3e03618590a5c0589b7dff132c813b148be9f5b784d3cd50830c502d419af77ce86e848297813 CVE-2019-17498.patch"
diff --git a/main/libssh2/CVE-2019-17498.patch b/main/libssh2/CVE-2019-17498.patch
new file mode 100644
index 00000000000..e858cca1862
--- /dev/null
+++ b/main/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,72 @@ +From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Thu, 29 Aug 2019 15:24:22 -0700 +Subject: [PATCH] fixed type issue, updated SSH_MSG_DISCONNECT + +SSH_MSG_DISCONNECT now also uses _libssh2_get API. +--- + src/packet.c | 40 +++++++++++++++------------------------- + 1 file changed, 15 insertions(+), 25 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 8908b2c5..97f0cdd4 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message = NULL; +- char *language = NULL; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; + size_t message_len = 0; + size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; +@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ + +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = +- _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len = 0; +- } + if(session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- 
message_len, language, language_len);
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
diff --git a/main/libtasn1/APKBUILD b/main/libtasn1/APKBUILD
index f00bed5706f..fecfe0bae2d 100644
--- a/main/libtasn1/APKBUILD
+++ b/main/libtasn1/APKBUILD
@@ -2,20 +2,23 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libtasn1
 pkgver=4.12
-pkgrel=3
+pkgrel=4
 pkgdesc="The ASN.1 library used in GNUTLS"
 url="https://www.gnu.org/software/gnutls/"
 arch="all"
 license="GPL3 LGPL"
 makedepends="texinfo"
 subpackages="$pkgname-dev $pkgname-doc"
-source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
 CVE-2017-10790.patch
 CVE-2018-6003.patch
+ CVE-2018-1000654.patch
 "
 # secfixes:
+# 4.12-r4:
+# - CVE-2018-1000654
 # 4.12-r3:
 # - CVE-2018-6003
 # 4.12-r1:
@@ -44,4 +47,5 @@ package() {
 }
 sha512sums="6c551670949881193e39122f72948e4999ff1ba377f9ee5963d0a4ad1b84256e4fe42e9f6d6a2aa9f7d4ef7acc0e5174fb5cc3df5298524cdeda92f4b8c104f7 libtasn1-4.12.tar.gz
 8e9dad0a1ee7cb7a8ed3d2a60c1c1bcb3e1ef689dbd2879992d4098f36edbae3bb962b9c87a0a9a77335e83abf10fd72bd78bde99989421c35f4434a9e1d08cc CVE-2017-10790.patch
-ab35a4aa314d02b1e7e93b1e5ae04138583274c6774447566e48dd03cf92db2c78760901da6a325b630b2525811c450e8ba180b4a4c188ae48cbaf94fc4c7d3d CVE-2018-6003.patch"
+ab35a4aa314d02b1e7e93b1e5ae04138583274c6774447566e48dd03cf92db2c78760901da6a325b630b2525811c450e8ba180b4a4c188ae48cbaf94fc4c7d3d CVE-2018-6003.patch
+c0bf6265c0318af0348d0ce24375977afd9abbce66683a1e7ddf06fea34d018aff6e0cbc670eb3097960bb9a6f9e1058eea457aabff3db74df3181e9a70c5b05 CVE-2018-1000654.patch"
diff --git a/main/libtasn1/CVE-2018-1000654.patch b/main/libtasn1/CVE-2018-1000654.patch
new file mode 100644
index 00000000000..9738995ffca
--- /dev/null
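Review bot: The return values of `_libssh2_get_u32` and both `_libssh2_get_string` calls are discarded, so a failed parse is visible only through the zero-initialised locals: a packet whose language field is truncated now reaches the disconnect callback with `message` set and `language` NULL, where the removed code cleared both fields on bad input. Checking the three results (they report a short buffer through a non-zero return, as far as I can tell from libssh2's string_buf helpers) and skipping the callback otherwise would make that policy explicit again. Separately, `message` and `language` are length-delimited slices of `data`, not NUL-terminated strings, yet `_libssh2_debug` prints them with `%s`; that over-read predates this change, but `"Disconnect(%d): %.*s(%.*s)"` with `(int)message_len, message, (int)language_len, language` would close it in the same block. The enclosing switch and `_libssh2_packet_add` continue outside the hunk.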
+++ b/main/libtasn1/CVE-2018-1000654.patch 
@@ -0,0 +1,182 @@ +diff --git a/lib/ASN1.c b/lib/ASN1.c +index 586dcca..47074f0 100644 +--- a/lib/ASN1.c ++++ b/lib/ASN1.c +@@ -2811,7 +2811,12 @@ asn1_parser2tree (const char *file, asn1_node * definitions, + /* Convert into DER coding the value assign to INTEGER constants */ + _asn1_change_integer_value (p_tree); + /* Expand the IDs of OBJECT IDENTIFIER constants */ +- _asn1_expand_object_id (p_tree); ++ result_parse = _asn1_expand_object_id (p_tree); ++ if (result_parse != ASN1_SUCCESS) ++ { ++ _asn1_delete_list_and_nodes (); ++ goto error; ++ } + + *definitions = p_tree; + } +@@ -2824,6 +2829,7 @@ asn1_parser2tree (const char *file, asn1_node * definitions, + _asn1_delete_list_and_nodes (); + } + ++ error: + _asn1_create_errorDescription (result_parse, error_desc); + + return result_parse; +diff --git a/lib/ASN1.y b/lib/ASN1.y +index 534a9f1..0b81b5b 100644 +--- a/lib/ASN1.y ++++ b/lib/ASN1.y +@@ -701,7 +701,9 @@ asn1_parser2tree (const char *file, asn1_node * definitions, + /* Convert into DER coding the value assign to INTEGER constants */ + _asn1_change_integer_value (p_tree); + /* Expand the IDs of OBJECT IDENTIFIER constants */ +- _asn1_expand_object_id (p_tree); ++ result_parse = _asn1_expand_object_id (p_tree); ++ if (result_parse != ASN1_SUCCESS) ++ goto error; + + *definitions = p_tree; + } +@@ -714,6 +716,7 @@ asn1_parser2tree (const char *file, asn1_node * definitions, + _asn1_delete_list_and_nodes (); + } + ++ error: + _asn1_create_errorDescription (result_parse, error_desc); + + return result_parse; +diff --git a/lib/errors.c b/lib/errors.c +index fef45ae..cee74da 100644 +--- a/lib/errors.c ++++ b/lib/errors.c +@@ -53,6 +53,7 @@ static const libtasn1_error_entry error_algorithms[] = { + LIBTASN1_ERROR_ENTRY (ASN1_ARRAY_ERROR), + LIBTASN1_ERROR_ENTRY (ASN1_ELEMENT_NOT_EMPTY), + LIBTASN1_ERROR_ENTRY (ASN1_TIME_ENCODING_ERROR), ++ LIBTASN1_ERROR_ENTRY (ASN1_RECURSION), + {0, 0} + }; + +diff --git a/lib/libtasn1.h b/lib/libtasn1.h +index 
ea26b78..8c757d6 100644 +--- a/lib/libtasn1.h ++++ b/lib/libtasn1.h +@@ -79,6 +79,7 @@ extern "C" + #define ASN1_ARRAY_ERROR 16 + #define ASN1_ELEMENT_NOT_EMPTY 17 + #define ASN1_TIME_ENCODING_ERROR 18 ++#define ASN1_RECURSION 19 + + /*************************************/ + /* Constants used in asn1_visit_tree */ +diff --git a/lib/parser_aux.c b/lib/parser_aux.c +index 786ea64..0090157 100644 +--- a/lib/parser_aux.c ++++ b/lib/parser_aux.c +@@ -516,6 +516,23 @@ _asn1_find_up (asn1_node node) + return p->left; + } + ++/******************************************************************/ ++/* Function : _asn1_delete_node_from_list */ ++/* Description: deletes the list element given */ ++/******************************************************************/ ++static void ++_asn1_delete_node_from_list (asn1_node node) ++{ ++ list_type *p = firstElement; ++ ++ while (p) ++ { ++ if (p->node == node) ++ p->node = NULL; ++ p = p->next; ++ } ++} ++ + /******************************************************************/ + /* Function : _asn1_delete_list */ + /* Description: deletes the list elements (not the elements */ +@@ -667,15 +684,15 @@ _asn1_change_integer_value (asn1_node node) + /* Parameters: */ + /* node: root of an ASN1 element. 
*/ + /* Return: */ +-/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */ +-/* otherwise ASN1_SUCCESS */ ++/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */ ++/* otherwise ASN1_SUCCESS */ + /******************************************************************/ + int + _asn1_expand_object_id (asn1_node node) + { + asn1_node p, p2, p3, p4, p5; + char name_root[ASN1_MAX_NAME_SIZE], name2[2 * ASN1_MAX_NAME_SIZE + 1]; +- int move, tlen; ++ int move, tlen, tries; + + if (node == NULL) + return ASN1_ELEMENT_NOT_FOUND; +@@ -684,6 +701,7 @@ _asn1_expand_object_id (asn1_node node) + + p = node; + move = DOWN; ++ tries = 0; + + while (!((p == node) && (move == UP))) + { +@@ -707,6 +725,7 @@ _asn1_expand_object_id (asn1_node node) + || !(p3->type & CONST_ASSIGN)) + return ASN1_ELEMENT_NOT_FOUND; + _asn1_set_down (p, p2->right); ++ _asn1_delete_node_from_list(p2); + _asn1_remove_node (p2, 0); + p2 = p; + p4 = p3->down; +@@ -738,6 +757,11 @@ _asn1_expand_object_id (asn1_node node) + p4 = p4->right; + } + move = DOWN; ++ ++ tries++; ++ if (tries >= EXPAND_OBJECT_ID_MAX_RECURSION) ++ return ASN1_RECURSION; ++ + continue; + } + } +@@ -747,6 +771,7 @@ _asn1_expand_object_id (asn1_node node) + else + move = RIGHT; + ++ tries = 0; + if (move == DOWN) + { + if (p->down) +diff --git a/lib/parser_aux.h b/lib/parser_aux.h +index 9f91833..bb05ae8 100644 +--- a/lib/parser_aux.h ++++ b/lib/parser_aux.h +@@ -60,6 +60,7 @@ asn1_node _asn1_find_up (asn1_node node); + + int _asn1_change_integer_value (asn1_node node); + ++#define EXPAND_OBJECT_ID_MAX_RECURSION 16 + int _asn1_expand_object_id (asn1_node node); + + int _asn1_type_set_config (asn1_node node); +diff --git a/lib/structure.c b/lib/structure.c +index 01715b1..f6a93fa 100644 +--- a/lib/structure.c ++++ b/lib/structure.c +@@ -245,7 +245,7 @@ asn1_array2tree (const asn1_static_node * array, asn1_node * definitions, + if (result == ASN1_SUCCESS) + { + _asn1_change_integer_value (*definitions); +- _asn1_expand_object_id (*definitions); ++ result = 
_asn1_expand_object_id (*definitions); + } + } + else + diff --git a/main/libvncserver/APKBUILD b/main/libvncserver/APKBUILD index e1ba034da16..cb8b743b1d3 100644 --- a/main/libvncserver/APKBUILD +++ b/main/libvncserver/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libvncserver pkgver=0.9.11 -pkgrel=2 +pkgrel=3 pkgdesc="Library to make writing a vnc server easy" url="http://libvncserver.sourceforge.net/" arch="all" @@ -16,9 +16,13 @@ makedepends="$depends_dev autoconf automake libtool" install="" subpackages="$pkgname-dev" source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz - CVE-2018-7225.patch" + CVE-2018-7225.patch + CVE-2019-15681.patch + " # secfixes: +# 0.9.11-r3: +# - CVE-2019-15681 # 0.9.11-r2: # - CVE-2018-7225 # 0.9.11-r0: @@ -53,4 +57,5 @@ package() { } sha512sums="e473c081b68dd3cdd96a1756b4f4945ece79d3c8e4cef62140be1699671555fc16d3080e81d764197a14ea83203ffcd0e18c3cc182e012d036e3faae943003fb LibVNCServer-0.9.11.tar.gz -1704254e74aa0adca48669c28ff475bf82a9468cf31edf43c3e0d10178307a7c8ecd8a8f11c061931318a6e529922d4adc188347da1e632dc2ade604a4388706 CVE-2018-7225.patch" +1704254e74aa0adca48669c28ff475bf82a9468cf31edf43c3e0d10178307a7c8ecd8a8f11c061931318a6e529922d4adc188347da1e632dc2ade604a4388706 CVE-2018-7225.patch +5ecb5a26813f3f07440ef6c54eebaca4e9b4f7c1cf2ba13375e3b23b950a9b818d068d4eef5532d7ea4d7ae084c4356af7257c45426101ff51afe2b7da338a1f CVE-2019-15681.patch" diff --git a/main/libvncserver/CVE-2019-15681.patch b/main/libvncserver/CVE-2019-15681.patch new file mode 100644 index 00000000000..e328d87920d --- /dev/null +++ b/main/libvncserver/CVE-2019-15681.patch 
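Review bot: The `ASN1.y` and `ASN1.c` hunks disagree on the new error path in asn1_parser2tree: the generated `ASN1.c` calls `_asn1_delete_list_and_nodes ()` before `goto error`, while the grammar source `ASN1.y` jumps straight to `error`, so the next bison regeneration silently drops the cleanup and leaks the partially built tree on an `ASN1_RECURSION` failure. The `.y` hunk should carry the same two-line block as the `.c` one. In `_asn1_expand_object_id` the `tries` counter and `EXPAND_OBJECT_ID_MAX_RECURSION` say nothing about what they bound; from the visible loop it is the number of consecutive OID-constant substitutions before the walk moves on, so suggest `/* cap chained OBJECT IDENTIFIER substitutions so a self-referential definition cannot loop forever */` next to the `#define` in parser_aux.h. In structure.c `asn1_array2tree` now keeps the expand result in `result`, but what happens to `*definitions` on that failure lies outside the hunk.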
@@ -0,0 +1,23 @@ +From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001 +From: Christian Beier <dontmind@freeshell.org> +Date: Mon, 19 Aug 2019 22:32:25 +0200 +Subject: [PATCH] rfbserver: don't leak stack memory to the remote + +Thanks go to Pavel Cheremushkin of Kaspersky for reporting. +--- + libvncserver/rfbserver.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 3bacc891..310e5487 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len) + rfbServerCutTextMsg sct; + rfbClientIteratorPtr iterator; + ++ memset((char *)&sct, 0, sizeof(sct)); ++ + iterator = rfbGetClientIterator(rfbScreen); + while ((cl = rfbClientIteratorNext(iterator)) != NULL) { + sct.type = rfbServerCutText; diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD index e8c16c027d6..c4d0ab1bd8b 100644 --- a/main/libxslt/APKBUILD +++ b/main/libxslt/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Francesco Colista <fcolista@alpinelinux.org> pkgname=libxslt pkgver=1.1.31 -pkgrel=1 +pkgrel=2 pkgdesc="XML stylesheet transformation library" url="http://xmlsoft.org/XSLT/" arch="all" @@ -11,14 +11,17 @@ makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python2-dev" subpackages="$pkgname-dev $pkgname-doc py-$pkgname:py" source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz CVE-2019-11068.patch + CVE-2019-18197.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 1.1.31-r2: +# - CVE-2019-18197 # 1.1.31-r1: -# - CVE-2019-11068 +# - CVE-2019-11068 # 1.1.29-r1: -# - CVE-2017-5029 +# - CVE-2017-5029 build() { cd "$builddir" 
@@ -45,4 +48,5 @@ py() { } sha512sums="9012d643625d827b131c825a103f2e2a5f3cbd45d3cdf3318378e8f046da8d084db51c6b0078b5850a26adc81ba3bf357101d65ef510eff54c8b416a71efed92 libxslt-1.1.31.tar.gz -9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch" +9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch +ec0a7cd35f9078a3939ef6c695f183d9a0da5dd837d0a7f586b89a07c0c0782384501e4c1532b4d9ee7e94e717c37179f470bae59923d0074b309f09b5bf18fa CVE-2019-18197.patch" diff --git a/main/libxslt/CVE-2019-18197.patch b/main/libxslt/CVE-2019-18197.patch new file mode 100644 index 00000000000..a8c7cf541d0 --- /dev/null +++ b/main/libxslt/CVE-2019-18197.patch @@ -0,0 +1,30 @@ +From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 17 Aug 2019 16:51:53 +0200 +Subject: [PATCH] Fix dangling pointer in xsltCopyText + +xsltCopyText didn't reset ctxt->lasttext in some cases which could +lead to various memory errors in relation with CDATA sections in input +documents. + +Found by OSS-Fuzz. +--- + libxslt/transform.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 95ebd073..d7ab0b66 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, + if ((copy->content = xmlStrdup(cur->content)) == NULL) + return NULL; + } ++ ++ ctxt->lasttext = NULL; + } else { + /* + * normal processing. keep counters to extend the text node +-- +2.22.0 + diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD index 328ffb1cc93..73a53673b4b 100644 --- a/main/mariadb/APKBUILD +++ b/main/mariadb/APKBUILD 
@@ -4,7 +4,7 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mariadb -pkgver=10.1.40 +pkgver=10.1.41 pkgrel=0 pkgdesc="A fast SQL database server" url="https://www.mariadb.org/" @@ -23,6 +23,11 @@ source="https://downloads.mariadb.org/interstitial/mariadb-$pkgver/source/mariad " # secfixes: +# 10.1.41-r0: +# - CVE-2019-2805 +# - CVE-2019-2740 +# - CVE-2019-2739 +# - CVE-2019-2737 # 10.1.40-r0: # - CVE-2019-2614 # - CVE-2019-2627 @@ -249,6 +254,6 @@ mysql() { _compat mysql mariadb; } _compat_client() { _compat mysql-client mariadb-client; } _compat_bench() { _compat mysql-bench mariadb-client; } -sha512sums="6b946189c69905f1a23a96d34720f1592353e0095455bf452bba31d53c90143d088f0fd997cac3da0a779840bb6ae6cc30b45144cba474463a8e3a6978a8a8f3 mariadb-10.1.40.tar.gz +sha512sums="4a18b06fda49c5c3627b4e7cd32fb460e73762273a0c3d09098e34c71e63caa8fad03cdd92ae4a391cdfdb3719934688f0bdf312fa4af7ac3b9e5f5d90f404be mariadb-10.1.41.tar.gz 06751768cb00d2e433655635c38d267ef25084a5830ff40e719ac579223c7192dc34b43f919ab6faf480094632327511cbd22456064dde2d04dc15648b9e3b9f mariadb.initd a352661d19becae717c16ac67a0e47ed93787653851a75d27e7764133b31dc02e18c38dbbce6d3138e4db08da616dfc75a0141865cd042cef669d6afe4463127 ppc-remove-glibc-dep.patch" diff --git a/main/mercurial/APKBUILD b/main/mercurial/APKBUILD index e382844ace0..1d2f427ae29 100644 --- a/main/mercurial/APKBUILD +++ b/main/mercurial/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mercurial pkgver=4.5.2 -pkgrel=0 +pkgrel=1 pkgdesc="A scalable distributed SCM tool" url="https://www.mercurial-scm.org/" arch="all" 
@@ -14,10 +14,14 @@ subpackages=" $pkgname-vim:vim:noarch $pkgname-zsh-completion:zshcomp:noarch $pkgname-bash-completion:bashcomp:noarch" -source="https://www.mercurial-scm.org/release/$pkgname-$pkgver.tar.gz" +source="https://www.mercurial-scm.org/release/$pkgname-$pkgver.tar.gz + CVE-2019-3902.patch + " builddir="$srcdir"/$pkgname-$pkgver # secfixes: +# 4.5.2-r1: +# - CVE-2019-3902 # 4.5.2-r0: # - CVE-2018-1000132 @@ -66,4 +70,5 @@ bashcomp() { "$subpkgdir"/usr/share/bash-completion/completions/${pkgname} } -sha512sums="f70e40cba72b7955f0ecec9c1f53ffffac26f206188617cb182e22ce4f43dc8b970ce46d12c516ef88480c3fa076a59afcddd736dffb642d8e23befaf45b4941 mercurial-4.5.2.tar.gz" +sha512sums="f70e40cba72b7955f0ecec9c1f53ffffac26f206188617cb182e22ce4f43dc8b970ce46d12c516ef88480c3fa076a59afcddd736dffb642d8e23befaf45b4941 mercurial-4.5.2.tar.gz +f6a53411ba137661db283878ff1191ee13f879b171e6e97335ebc68e6276373ecff89a6ab16eec5eb572de9c909f5d4f81b726d15da56fa026a758482b5373f3 CVE-2019-3902.patch" diff --git a/main/mercurial/CVE-2019-3902.patch b/main/mercurial/CVE-2019-3902.patch new file mode 100644 index 00000000000..28d88c63e7f --- /dev/null +++ b/main/mercurial/CVE-2019-3902.patch 
@@ -0,0 +1,60 @@ + +# HG changeset patch +# User Yuya Nishihara <yuya@tcha.org> +# Date 1546953576 -32400 +# Node ID 83377b4b4ae0e9a6b8e579f7b0a693b8cf5c3b10 +# Parent 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0 +subrepo: reject potentially unsafe subrepo paths (BC) (SEC) + +In addition to the previous patch, this prohibits '~', '$nonexistent', etc. +for any subrepo types. I think this is safer, and real-world subrepos wouldn't +use such (local) paths. + +diff -r 6c10eba6b9cd -r 83377b4b4ae0 mercurial/subrepo.py +--- a/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900 ++++ b/mercurial/subrepo.py Tue Jan 08 22:19:36 2019 +0900 +@@ -115,6 +115,10 @@ + vfs.unlink(vfs.reljoin(dirname, f)) + + def _auditsubrepopath(repo, path): ++ # sanity check for potentially unsafe paths such as '~' and '$FOO' ++ if path.startswith('~') or '$' in path or util.expandpath(path) != path: ++ raise error.Abort(_('subrepo path contains illegal component: %s') ++ % path) + # auditor doesn't check if the path itself is a symlink + pathutil.pathauditor(repo.root)(path) + if repo.wvfs.islink(path): + +# HG changeset patch +# User Yuya Nishihara <yuya@tcha.org> +# Date 1546952865 -32400 +# Node ID 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0 +# Parent 31286c9282dfa734e9da085649b7ae5a8ba290ad +subrepo: prohibit variable expansion on creation of hg subrepo (SEC) + +It's probably wrong to expand path at localrepo.*repository() layer, but +fixing the layering issue would require careful inspection of call paths. +So, this patch adds add a validation to the subrepo constructor. + +os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do. 
+ +diff -r 31286c9282df -r 6c10eba6b9cd mercurial/subrepo.py +--- a/mercurial/subrepo.py Tue Jan 08 21:51:54 2019 +0900 ++++ b/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900 +@@ -403,7 +403,16 @@ + r = ctx.repo() + root = r.wjoin(path) + create = allowcreate and not r.wvfs.exists('%s/.hg' % path) ++ # repository constructor does expand variables in path, which is ++ # unsafe since subrepo path might come from untrusted source. ++ if os.path.realpath(util.expandpath(root)) != root: ++ raise error.Abort(_('subrepo path contains illegal component: %s') ++ % path) + self._repo = hg.repository(r.baseui, root, create=create) ++ if self._repo.root != root: ++ raise error.ProgrammingError('failed to reject unsafe subrepo ' ++ 'path: %s (expanded to %s)' ++ % (root, self._repo.root)) + + # Propagate the parent's --hidden option + if r is r.unfiltered(): diff --git a/main/mosquitto/APKBUILD b/main/mosquitto/APKBUILD index 859a37a43d3..643420a97e3 100644 --- a/main/mosquitto/APKBUILD +++ b/main/mosquitto/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mosquitto pkgver=1.4.15 -pkgrel=0 +pkgrel=2 pkgdesc="An Open Source MQTT v3.1 Broker" url="http://mosquitto.org/" arch="all" @@ -17,10 +17,19 @@ replaces="mosquitto-utils" source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz libressl.patch config.patch - mosquitto.initd" + mosquitto-1.4.x-cve-2018-12550.patch + mosquitto-1.4.x-cve-2018-12551.patch + mosquitto-1.4.x-cve-2018-12546.patch + + mosquitto.initd + " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 1.4.15-r1: +# - CVE-2018-12546 +# - CVE-2018-12550 +# - CVE-2018-12551 # 1.4.15-r0: # - CVE-2017-7652 # - CVE-2017-7651 @@ -41,7 +50,7 @@ prepare() { build() { cd "$builddir" # PSK not supported by libressl - make \ + make mosquitto \ WITH_MEMORY_TRACKING=no \ WITH_WEBSOCKETS=yes \ WITH_SRV=yes \ 
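Review bot: The secfixes block added in the `@@ -17,10 +17,19 @@` hunk files the three CVEs under `1.4.15-r1`, but the `@@ -1,7 +1,7 @@` hunk moves pkgrel from 0 straight to 2, so the entry names a package revision this diff never produces; the header should read `# 1.4.15-r2:` (or pkgrel should be 1) so the secdb maps the fixes to a revision that actually ships. The switch from `make` to `make mosquitto` in the `@@ -41,7 +50,7 @@` hunk narrows the build to the broker target; if the `clients()` subpackage visible at the next hunk still expects the client binaries from this build step, that needs confirming, and a comment stating why only the broker is built would help, since the `# PSK not supported by libressl` line above it does not explain the narrower target. The build() function continues outside the hunk.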
@@ -82,4 +91,7 @@ clients() { sha512sums="36b06547553cf28af3ca9b728c42fc27e849c4ae84d7964572d430233ab26e2b59eee2a215ac23ddf2d0bef419e7c70e64e2a22c397fadb3e0677314d03f1100 mosquitto-1.4.15.tar.gz 53859b628f965b77f6e47910c0ceba2f2737b815131ed800dc64a80419e434d25b5ba0938ae645882e9aa5d475d4940c7d35cc6d56f54bc4937a66b32d7db4ad libressl.patch d5442373ae6ae8bc83eee59b425fbd76e80f905b9fd2bd2ed2a37a7e156fe95a9cf477c9c4dac0975c5fd90e70884de6fb8a16aefcd37b239199d5deae50b7d2 config.patch +58cf7211781c07d25ad555e982b66aca716230698ad239b964de073bb41dc2566d2c6fde379ded18106f704aba864859e36cb39c4c85762d00b5ed4f2b5cef58 mosquitto-1.4.x-cve-2018-12550.patch +b1ba9d61ede7b7f0232811d6e2381a2943ed12a3c8b83ea2c2e1d3fce153260565f48ca900d4e0590688031013e1f425dfa8b1d89e0f1194516438b42dc158e2 mosquitto-1.4.x-cve-2018-12551.patch +e6544a171eb792ca80b3179e860474e6b19cfc99abe1d05173dac2bd310b2a8c6fcc9c6718812236ceb570f96a137f38eb621fe971cd63b8fe1178e0f2820207 mosquitto-1.4.x-cve-2018-12546.patch 16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433 mosquitto.initd" diff --git a/main/mosquitto/mosquitto-1.4.x-cve-2018-12546.patch b/main/mosquitto/mosquitto-1.4.x-cve-2018-12546.patch new file mode 100644 index 00000000000..6ae3457199a --- /dev/null +++ b/main/mosquitto/mosquitto-1.4.x-cve-2018-12546.patch 
@@ -0,0 +1,625 @@ +diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml +index e27fb58..f429a6f 100644 +--- a/man/mosquitto.conf.5.xml ++++ b/man/mosquitto.conf.5.xml +@@ -230,6 +230,24 @@ + <para>Reloaded on reload signal.</para> + </listitem> + </varlistentry> ++ <varlistentry> ++ <term><option>check_retain_source</option> [ true | false ]</term> ++ <listitem> ++ <para>This option affects the scenario when a client ++ subscribes to a topic that has retained messages. It is ++ possible that the client that published the retained ++ message to the topic had access at the time they ++ published, but that access has been subsequently ++ removed. If <option>check_retain_source</option> is set ++ to true, the default, the source of a retained message ++ will be checked for access rights before it is ++ republished. When set to false, no check will be made ++ and the retained message will always be ++ published.</para> ++ <para>This option applies globally, regardless of the ++ <option>per_listener_settings</option> option.</para> ++ </listitem> ++ </varlistentry> + <varlistentry> + <term><option>clientid_prefixes</option> <replaceable>prefix</replaceable></term> + <listitem> +diff --git a/mosquitto.conf b/mosquitto.conf +index df1aa8b..70f1f80 100644 +--- a/mosquitto.conf ++++ b/mosquitto.conf +@@ -122,6 +122,15 @@ + # This is a non-standard option explicitly disallowed by the spec. + #upgrade_outgoing_qos false + ++# This option affects the scenario when a client subscribes to a topic that has ++# retained messages. It is possible that the client that published the retained ++# message to the topic had access at the time they published, but that access ++# has been subsequently removed. If check_retain_source is set to true, the ++# default, the source of a retained message will be checked for access rights ++# before it is republished. When set to false, no check will be made and the ++# retained message will always be published. 
This affects all listeners. ++#check_retain_source true ++ + # ================================================================= + # Default listener + # ================================================================= +diff --git a/src/conf.c b/src/conf.c +index 6edd705..a060827 100644 +--- a/src/conf.c ++++ b/src/conf.c +@@ -971,6 +971,8 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char + #else + _mosquitto_log_printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available."); + #endif ++ }else if(!strcmp(token, "check_retain_source")){ ++ if(_conf_parse_bool(&token, "check_retain_source", &config->check_retain_source, saveptr)) return MOSQ_ERR_INVAL; + }else if(!strcmp(token, "ciphers")){ + #ifdef WITH_TLS + if(reload) continue; // Listeners not valid for reloading. +diff --git a/src/database.c b/src/database.c +index 6de68a9..a952337 100644 +--- a/src/database.c ++++ b/src/database.c +@@ -161,6 +161,7 @@ void mosquitto__db_msg_store_remove(struct mosquitto_db *db, struct mosquitto_ms + db->msg_store_count--; + + if(store->source_id) _mosquitto_free(store->source_id); ++ if(store->source_username) _mosquitto_free(store->source_username); + if(store->dest_ids){ + for(i=0; i<store->dest_id_count; i++){ + if(store->dest_ids[i]) _mosquitto_free(store->dest_ids[i]); +@@ -518,24 +519,24 @@ int mqtt3_db_messages_easy_queue(struct mosquitto_db *db, struct mosquitto *cont + }else{ + source_id = ""; + } +- if(mqtt3_db_message_store(db, source_id, 0, topic, qos, payloadlen, payload, retain, &stored, 0)) return 1; ++ if(mqtt3_db_message_store(db, context, 0, topic, qos, payloadlen, payload, retain, &stored, 0)) return 1; + + return mqtt3_db_messages_queue(db, source_id, topic, qos, retain, &stored); + } + +-int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t source_mid, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain, struct mosquitto_msg_store **stored, dbid_t store_id) 
++int mqtt3_db_message_store(struct mosquitto_db *db, const struct mosquitto *source, uint16_t source_mid, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain, struct mosquitto_msg_store **stored, dbid_t store_id) + { + struct mosquitto_msg_store *temp; + + assert(db); + assert(stored); + +- temp = _mosquitto_malloc(sizeof(struct mosquitto_msg_store)); ++ temp = _mosquitto_calloc(1, sizeof(struct mosquitto_msg_store)); + if(!temp) return MOSQ_ERR_NOMEM; + + temp->ref_count = 0; +- if(source){ +- temp->source_id = _mosquitto_strdup(source); ++ if(source && source->id){ ++ temp->source_id = _mosquitto_strdup(source->id); + }else{ + temp->source_id = _mosquitto_strdup(""); + } +@@ -544,6 +545,18 @@ int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t + _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory."); + return MOSQ_ERR_NOMEM; + } ++ ++ if(source && source->username){ ++ temp->source_username = _mosquitto_strdup(source->username); ++ if(!temp->source_username){ ++ _mosquitto_free(temp->source_id); ++ _mosquitto_free(temp); ++ return MOSQ_ERR_NOMEM; ++ } ++ } ++ if(source){ ++ temp->source_listener = source->listener; ++ } + temp->source_mid = source_mid; + temp->mid = 0; + temp->qos = qos; +@@ -552,6 +565,7 @@ int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t + temp->topic = _mosquitto_strdup(topic); + if(!temp->topic){ + _mosquitto_free(temp->source_id); ++ _mosquitto_free(temp->source_username); + _mosquitto_free(temp); + _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory."); + return MOSQ_ERR_NOMEM; +@@ -564,6 +578,7 @@ int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t + temp->payload = _mosquitto_malloc(sizeof(char)*payloadlen); + if(!temp->payload){ + if(temp->source_id) _mosquitto_free(temp->source_id); ++ if(temp->source_username) _mosquitto_free(temp->source_username); + if(temp->topic) 
_mosquitto_free(temp->topic); + if(temp->payload) _mosquitto_free(temp->payload); + _mosquitto_free(temp); +@@ -576,6 +591,7 @@ int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t + + if(!temp->source_id || (payloadlen && !temp->payload)){ + if(temp->source_id) _mosquitto_free(temp->source_id); ++ if(temp->source_username) _mosquitto_free(temp->source_username); + if(temp->topic) _mosquitto_free(temp->topic); + if(temp->payload) _mosquitto_free(temp->payload); + _mosquitto_free(temp); +diff --git a/src/mosquitto_broker.h b/src/mosquitto_broker.h +index 8d19790..7d535cf 100644 +--- a/src/mosquitto_broker.h ++++ b/src/mosquitto_broker.h +@@ -109,6 +109,7 @@ struct mqtt3_config { + int auto_id_prefix_len; + int autosave_interval; + bool autosave_on_changes; ++ bool check_retain_source; + char *clientid_prefixes; + bool connection_messages; + bool daemon; +@@ -176,6 +177,8 @@ struct mosquitto_msg_store{ + struct mosquitto_msg_store *prev; + dbid_t db_id; + char *source_id; ++ char *source_username; ++ struct _mqtt3_listener *source_listener; + char **dest_ids; + int dest_id_count; + int ref_count; +@@ -421,7 +424,7 @@ int mqtt3_db_message_write(struct mosquitto_db *db, struct mosquitto *context); + int mqtt3_db_messages_delete(struct mosquitto_db *db, struct mosquitto *context); + int mqtt3_db_messages_easy_queue(struct mosquitto_db *db, struct mosquitto *context, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain); + int mqtt3_db_messages_queue(struct mosquitto_db *db, const char *source_id, const char *topic, int qos, int retain, struct mosquitto_msg_store **stored); +-int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t source_mid, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain, struct mosquitto_msg_store **stored, dbid_t store_id); ++int mqtt3_db_message_store(struct mosquitto_db *db, const struct mosquitto *source, uint16_t source_mid, const 
char *topic, int qos, uint32_t payloadlen, const void *payload, int retain, struct mosquitto_msg_store **stored, dbid_t store_id); + int mqtt3_db_message_store_find(struct mosquitto *context, uint16_t mid, struct mosquitto_msg_store **stored); + void mosquitto__db_msg_store_add(struct mosquitto_db *db, struct mosquitto_msg_store *store); + void mosquitto__db_msg_store_remove(struct mosquitto_db *db, struct mosquitto_msg_store *store); +@@ -471,6 +474,7 @@ void mqtt3_bridge_packet_cleanup(struct mosquitto *context); + /* ============================================================ + * Security related functions + * ============================================================ */ ++int acl__find_acls(struct mosquitto_db *db, struct mosquitto *context); + int mosquitto_security_module_init(struct mosquitto_db *db); + int mosquitto_security_module_cleanup(struct mosquitto_db *db); + +diff --git a/src/persist.c b/src/persist.c +index 7cf50b6..3f20b68 100644 +--- a/src/persist.c ++++ b/src/persist.c +@@ -39,6 +39,8 @@ static uint32_t db_version; + + + static int _db_restore_sub(struct mosquitto_db *db, const char *client_id, const char *sub, int qos); ++static int persist__read_string(FILE *db_fptr, char **str); ++static int persist__write_string(FILE *db_fptr, const char *str, bool nullok); + + static struct mosquitto *_db_find_or_add_context(struct mosquitto_db *db, const char *client_id, uint16_t last_mid) + { +@@ -148,10 +151,19 @@ static int mqtt3_db_message_store_write(struct mosquitto_db *db, FILE *db_fptr) + }else{ + tlen = 0; + } +- length = htonl(sizeof(dbid_t) + 2+strlen(stored->source_id) + ++ length = sizeof(dbid_t) + 2+strlen(stored->source_id) + + sizeof(uint16_t) + sizeof(uint16_t) + + 2+tlen + sizeof(uint32_t) + +- stored->payloadlen + sizeof(uint8_t) + sizeof(uint8_t)); ++ stored->payloadlen + sizeof(uint8_t) + sizeof(uint8_t) ++ + 2*sizeof(uint16_t); ++ ++ if(stored->source_id){ ++ length += strlen(stored->source_id); ++ } ++ 
if(stored->source_username){ ++ length += strlen(stored->source_username); ++ } ++ length = htonl(length); + + i16temp = htons(DB_CHUNK_MSG_STORE); + write_e(db_fptr, &i16temp, sizeof(uint16_t)); +@@ -160,12 +172,15 @@ static int mqtt3_db_message_store_write(struct mosquitto_db *db, FILE *db_fptr) + i64temp = stored->db_id; + write_e(db_fptr, &i64temp, sizeof(dbid_t)); + +- slen = strlen(stored->source_id); +- i16temp = htons(slen); +- write_e(db_fptr, &i16temp, sizeof(uint16_t)); +- if(slen){ +- write_e(db_fptr, stored->source_id, slen); ++ if(persist__write_string(db_fptr, stored->source_id, false)) return 1; ++ if(persist__write_string(db_fptr, stored->source_username, true)) return 1; ++ if(stored->source_listener){ ++ i16temp = htons(stored->source_listener->port); ++ }else{ ++ i16temp = 0; + } ++ write_e(db_fptr, &i16temp, sizeof(uint16_t)); ++ + + i16temp = htons(stored->source_mid); + write_e(db_fptr, &i16temp, sizeof(uint16_t)); +@@ -243,6 +258,60 @@ error: + return 1; + } + ++ ++static int persist__read_string(FILE *db_fptr, char **str) ++{ ++ uint16_t i16temp; ++ uint16_t slen; ++ char *s = NULL; ++ ++ if(fread(&i16temp, 1, sizeof(uint16_t), db_fptr) != sizeof(uint16_t)){ ++ return MOSQ_ERR_INVAL; ++ } ++ ++ slen = ntohs(i16temp); ++ if(slen){ ++ s = _mosquitto_malloc(slen+1); ++ if(!s){ ++ fclose(db_fptr); ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory."); ++ return MOSQ_ERR_NOMEM; ++ } ++ if(fread(s, 1, slen, db_fptr) != slen){ ++ _mosquitto_free(s); ++ return MOSQ_ERR_NOMEM; ++ } ++ s[slen] = '\0'; ++ } ++ ++ *str = s; ++ return MOSQ_ERR_SUCCESS; ++} ++ ++ ++static int persist__write_string(FILE *db_fptr, const char *str, bool nullok) ++{ ++ uint16_t i16temp, slen; ++ ++ if(str){ ++ slen = strlen(str); ++ i16temp = htons(slen); ++ write_e(db_fptr, &i16temp, sizeof(uint16_t)); ++ write_e(db_fptr, str, slen); ++ }else if(nullok){ ++ i16temp = htons(0); ++ write_e(db_fptr, &i16temp, sizeof(uint16_t)); ++ }else{ ++ return 1; ++ } ++ ++ 
return MOSQ_ERR_SUCCESS; ++error: ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: %s.", strerror(errno)); ++ return 1; ++} ++ ++ + static int _db_subs_retain_write(struct mosquitto_db *db, FILE *db_fptr, struct _mosquitto_subhier *node, const char *topic, int level) + { + struct _mosquitto_subhier *subhier; +@@ -555,9 +624,9 @@ static int _db_msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fptr) + { + dbid_t i64temp, store_id; + uint32_t i32temp, payloadlen; +- uint16_t i16temp, slen, source_mid; ++ uint16_t i16temp, source_mid, source_port = 0; + uint8_t qos, retain, *payload = NULL; +- char *source_id = NULL; ++ struct mosquitto source; + char *topic = NULL; + int rc = 0; + struct mosquitto_msg_store *stored = NULL; +@@ -574,41 +643,45 @@ static int _db_msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fptr) + read_e(db_fptr, &i64temp, sizeof(dbid_t)); + store_id = i64temp; + +- read_e(db_fptr, &i16temp, sizeof(uint16_t)); +- slen = ntohs(i16temp); +- if(slen){ +- source_id = _mosquitto_malloc(slen+1); +- if(!source_id){ ++ memset(&source, 0, sizeof(struct mosquitto)); ++ ++ rc = persist__read_string(db_fptr, &source.id); ++ if(rc){ ++ _mosquitto_free(load); ++ return rc; ++ } ++ if(db_version == 4){ ++ rc = persist__read_string(db_fptr, &source.username); ++ if(rc){ + _mosquitto_free(load); +- fclose(db_fptr); +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory."); +- return MOSQ_ERR_NOMEM; ++ return rc; ++ } ++ read_e(db_fptr, &i16temp, sizeof(uint16_t)); ++ source_port = ntohs(i16temp); ++ if(source_port){ ++ for(int i=0; i<db->config->listener_count; i++){ ++ if(db->config->listeners[i].port == source_port){ ++ source.listener = &db->config->listeners[i]; ++ break; ++ } ++ } + } +- read_e(db_fptr, source_id, slen); +- source_id[slen] = '\0'; + } ++ + read_e(db_fptr, &i16temp, sizeof(uint16_t)); + source_mid = ntohs(i16temp); + + /* This is the mid - don't need it */ + read_e(db_fptr, &i16temp, sizeof(uint16_t)); + +- 
read_e(db_fptr, &i16temp, sizeof(uint16_t)); +- slen = ntohs(i16temp); +- if(slen){ +- topic = _mosquitto_malloc(slen+1); +- if(!topic){ +- _mosquitto_free(load); +- fclose(db_fptr); +- if(source_id) _mosquitto_free(source_id); +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory."); +- return MOSQ_ERR_NOMEM; +- } +- read_e(db_fptr, topic, slen); +- topic[slen] = '\0'; +- }else{ +- topic = NULL; ++ rc = persist__read_string(db_fptr, &topic); ++ if(rc){ ++ _mosquitto_free(load); ++ fclose(db_fptr); ++ _mosquitto_free(source.id); ++ return rc; + } ++ + read_e(db_fptr, &qos, sizeof(uint8_t)); + read_e(db_fptr, &retain, sizeof(uint8_t)); + +@@ -624,7 +693,7 @@ static int _db_msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fptr) + if(!payload){ + _mosquitto_free(load); + fclose(db_fptr); +- if(source_id) _mosquitto_free(source_id); ++ if(source.id) _mosquitto_free(source.id); + _mosquitto_free(topic); + _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory."); + return MOSQ_ERR_NOMEM; +@@ -632,14 +701,14 @@ static int _db_msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fptr) + read_e(db_fptr, payload, payloadlen); + } + +- rc = mqtt3_db_message_store(db, source_id, source_mid, topic, qos, payloadlen, payload, retain, &stored, store_id); ++ rc = mqtt3_db_message_store(db, &source, source_mid, topic, qos, payloadlen, payload, retain, &stored, store_id); + + load->db_id = stored->db_id; + load->store = stored; + + HASH_ADD(hh, db->msg_store_load, db_id, sizeof(dbid_t), load); + +- if(source_id) _mosquitto_free(source_id); ++ if(source.id) _mosquitto_free(source.id); + _mosquitto_free(topic); + _mosquitto_free(payload); + +@@ -648,7 +717,7 @@ error: + strerror_r(errno, err, 256); + _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: %s.", err); + fclose(db_fptr); +- if(source_id) _mosquitto_free(source_id); ++ if(source.id) _mosquitto_free(source.id); + if(topic) _mosquitto_free(topic); + if(payload) _mosquitto_free(payload); + 
return 1; +@@ -679,35 +748,24 @@ static int _db_retain_chunk_restore(struct mosquitto_db *db, FILE *db_fptr) + + static int _db_sub_chunk_restore(struct mosquitto_db *db, FILE *db_fptr) + { +- uint16_t i16temp, slen; + uint8_t qos; + char *client_id; + char *topic; + int rc = 0; + char err[256]; + +- read_e(db_fptr, &i16temp, sizeof(uint16_t)); +- slen = ntohs(i16temp); +- client_id = _mosquitto_malloc(slen+1); +- if(!client_id){ ++ rc = persist__read_string(db_fptr, &client_id); ++ if(rc){ + fclose(db_fptr); +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory."); +- return MOSQ_ERR_NOMEM; ++ return rc; + } +- read_e(db_fptr, client_id, slen); +- client_id[slen] = '\0'; + +- read_e(db_fptr, &i16temp, sizeof(uint16_t)); +- slen = ntohs(i16temp); +- topic = _mosquitto_malloc(slen+1); +- if(!topic){ +- fclose(db_fptr); +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory."); ++ rc = persist__read_string(db_fptr, &topic); ++ if(rc){ + _mosquitto_free(client_id); +- return MOSQ_ERR_NOMEM; ++ fclose(db_fptr); ++ return rc; + } +- read_e(db_fptr, topic, slen); +- topic[slen] = '\0'; + + read_e(db_fptr, &qos, sizeof(uint8_t)); + if(_db_restore_sub(db, client_id, topic, qos)){ +@@ -756,7 +814,9 @@ int mqtt3_db_restore(struct mosquitto_db *db) + * Is your DB change still compatible with previous versions? + */ + if(db_version > MOSQ_DB_VERSION && db_version != 0){ +- if(db_version == 2){ ++ if(db_version == 3){ ++ /* Addition of source_username and source_port to msg_store chunk in v4, v1.5.6 */ ++ }else if(db_version == 2){ + /* Addition of disconnect_t to client chunk in v3. 
*/ + }else{ + fclose(fptr); +diff --git a/src/persist.h b/src/persist.h +index 808b05f..fb6f474 100644 +--- a/src/persist.h ++++ b/src/persist.h +@@ -17,7 +17,7 @@ Contributors: + #ifndef PERSIST_H + #define PERSIST_H + +-#define MOSQ_DB_VERSION 3 ++#define MOSQ_DB_VERSION 4 + + /* DB read/write */ + const unsigned char magic[15] = {0x00, 0xB5, 0x00, 'm','o','s','q','u','i','t','t','o',' ','d','b'}; +diff --git a/src/read_handle.c b/src/read_handle.c +index ddc16ce..51e88d4 100644 +--- a/src/read_handle.c ++++ b/src/read_handle.c +@@ -220,7 +220,7 @@ int mqtt3_handle_publish(struct mosquitto_db *db, struct mosquitto *context) + } + if(!stored){ + dup = 0; +- if(mqtt3_db_message_store(db, context->id, mid, topic, qos, payloadlen, payload, retain, &stored, 0)){ ++ if(mqtt3_db_message_store(db, context, mid, topic, qos, payloadlen, payload, retain, &stored, 0)){ + _mosquitto_free(topic); + if(payload) _mosquitto_free(payload); + return 1; +@@ -266,7 +266,7 @@ process_bad_message: + case 2: + mqtt3_db_message_store_find(context, mid, &stored); + if(!stored){ +- if(mqtt3_db_message_store(db, context->id, mid, NULL, qos, 0, NULL, false, &stored, 0)){ ++ if(mqtt3_db_message_store(db, context, mid, NULL, qos, 0, NULL, false, &stored, 0)){ + return 1; + } + res = mqtt3_db_message_insert(db, context, mid, mosq_md_in, qos, false, stored); +diff --git a/src/read_handle_server.c b/src/read_handle_server.c +index 2b9c8f5..c075344 100644 +--- a/src/read_handle_server.c ++++ b/src/read_handle_server.c +@@ -89,7 +89,6 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context) + uint8_t username_flag, password_flag; + char *username = NULL, *password = NULL; + int rc; +- struct _mosquitto_acl_user *acl_tail; + struct mosquitto_client_msg *msg_tail, *msg_prev; + struct mosquitto *found_context; + int slen; +@@ -475,26 +474,8 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context) + do_disconnect(db, found_context); + } + +- /* Associate 
user with its ACL, assuming we have ACLs loaded. */ +- if(db->acl_list){ +- acl_tail = db->acl_list; +- while(acl_tail){ +- if(context->username){ +- if(acl_tail->username && !strcmp(context->username, acl_tail->username)){ +- context->acl_list = acl_tail; +- break; +- } +- }else{ +- if(acl_tail->username == NULL){ +- context->acl_list = acl_tail; +- break; +- } +- } +- acl_tail = acl_tail->next; +- } +- }else{ +- context->acl_list = NULL; +- } ++ rc = acl__find_acls(db, context); ++ if(rc) return rc; + + if(will_struct){ + context->will = will_struct; +diff --git a/src/security_default.c b/src/security_default.c +index a1d3ec1..8a39995 100644 +--- a/src/security_default.c ++++ b/src/security_default.c +@@ -482,6 +482,39 @@ static int _acl_cleanup(struct mosquitto_db *db, bool reload) + return MOSQ_ERR_SUCCESS; + } + ++ ++int acl__find_acls(struct mosquitto_db *db, struct mosquitto *context) ++{ ++ struct _mosquitto_acl_user *acl_tail; ++ ++ /* Associate user with its ACL, assuming we have ACLs loaded. 
*/ ++ if(db->acl_list){ ++ acl_tail = db->acl_list; ++ while(acl_tail){ ++ if(context->username){ ++ if(acl_tail->username && !strcmp(context->username, acl_tail->username)){ ++ context->acl_list = acl_tail; ++ break; ++ } ++ }else{ ++ if(acl_tail->username == NULL){ ++ context->acl_list = acl_tail; ++ break; ++ } ++ } ++ acl_tail = acl_tail->next; ++ } ++ if(context->username && context->acl_list == NULL){ ++ return MOSQ_ERR_INVAL; ++ } ++ }else{ ++ context->acl_list = NULL; ++ } ++ ++ return MOSQ_ERR_SUCCESS; ++} ++ ++ + static int _pwfile_parse(const char *file, struct _mosquitto_unpwd **root) + { + FILE *pwfile; +diff --git a/src/subs.c b/src/subs.c +index 4f64b3e..7aed30f 100644 +--- a/src/subs.c ++++ b/src/subs.c +@@ -681,6 +681,26 @@ static int _retain_process(struct mosquitto_db *db, struct mosquitto_msg_store * + return rc; + } + ++ /* Check for original source access */ ++ if(db->config->check_retain_source && retained->source_id){ ++ struct mosquitto retain_ctxt; ++ memset(&retain_ctxt, 0, sizeof(struct mosquitto)); ++ ++ retain_ctxt.id = retained->source_id; ++ retain_ctxt.username = retained->source_username; ++ retain_ctxt.listener = retained->source_listener; ++ ++ rc = acl__find_acls(db, &retain_ctxt); ++ if(rc) return rc; ++ ++ rc = mosquitto_acl_check(db, &retain_ctxt, retained->topic, MOSQ_ACL_WRITE); ++ if(rc == MOSQ_ERR_ACL_DENIED){ ++ return MOSQ_ERR_SUCCESS; ++ }else if(rc != MOSQ_ERR_SUCCESS){ ++ return rc; ++ } ++ } ++ + if (db->config->upgrade_outgoing_qos){ + qos = sub_qos; + } else { diff --git a/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch b/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch new file mode 100644 index 00000000000..c6a4d9406e4 --- /dev/null +++ b/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch 
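Review bot: `_db_msg_store_chunk_restore` (the `@@ -574,41 +643,45 @@` hunk of src/persist.c) leaks `source.username`: it is allocated by `persist__read_string` when db_version is 4, but neither the normal exit nor the `error:` label frees it, and the early return on a failed topic read frees only `source.id`; add `if(source.username) _mosquitto_free(source.username);` beside each `if(source.id) _mosquitto_free(source.id);`. In `mqtt3_db_message_store_write` the chunk length keeps the old `2+strlen(stored->source_id)` term and then adds `strlen(stored->source_id)` again in the new `if(stored->source_id)` block, so the length header overstates the chunk by the id length; one of the two should go. `persist__read_string` returns `MOSQ_ERR_NOMEM` for a short `fread` of the string body, where `MOSQ_ERR_INVAL` (the code it uses for the length prefix) is the matching one, and it closes `db_fptr` itself only on the malloc failure while callers such as `_db_sub_chunk_restore` also `fclose(db_fptr)` on any non-zero rc, so that path closes the handle twice. Unlike the sibling cve-2018-12550/12551 patches this file carries no Description/Origin header; one naming the upstream commit it was backported from would help the next bump.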
@@ -0,0 +1,28 @@ +Description: Fix for CVE-2018-12550 +Author: Roger Light <roger@atchoo.org> +Forwarded: not-needed +Origin: upstream, https://mosquitto.org/files/cve/2018-12550/mosquitto-1.4.x_cve-2018-12550.patch +Index: mosquitto-1.4.10/src/security_default.c +=================================================================== +--- mosquitto-1.4.10.orig/src/security_default.c ++++ mosquitto-1.4.10/src/security_default.c +@@ -231,7 +231,7 @@ int mosquitto_acl_check_default(struct m + char *s; + + if(!db || !context || !topic) return MOSQ_ERR_INVAL; +- if(!db->acl_list && !db->acl_patterns) return MOSQ_ERR_SUCCESS; ++ if(!db->config->acl_file && !db->acl_list && !db->acl_patterns) return MOSQ_ERR_SUCCESS; + if(context->bridge) return MOSQ_ERR_SUCCESS; + if(!context->acl_list && !db->acl_patterns) return MOSQ_ERR_ACL_DENIED; + +@@ -442,6 +442,10 @@ static int _aclfile_parse(struct mosquit + fclose(aclfile); + return 1; + } ++ }else{ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid line in acl_file \"%s\": %s.", db->config->acl_file, buf); ++ fclose(aclfile); ++ return 1; + } + } + } diff --git a/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch b/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch new file mode 100644 index 00000000000..fee254dea86 --- /dev/null +++ b/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch 
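Review bot: The new condition `if(!db->config->acl_file && !db->acl_list && !db->acl_patterns) return MOSQ_ERR_SUCCESS;` changes the outcome for an acl_file that is configured but produced no entries: those clients now fall through to the `MOSQ_ERR_ACL_DENIED` line below instead of being allowed, which is the intended fail-closed behaviour but is stated nowhere in the hunk. A comment above the check such as `/* acl_file configured but empty: fail closed, deny all non-bridge clients */` would keep a later maintainer from "fixing" it back. The `_aclfile_parse` hunk now rejects unrecognised lines with `return 1`; how the broker treats that return (abort startup versus log and continue) is outside the hunk and should be confirmed before relying on it.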
@@ -0,0 +1,94 @@ +Description: Fix for CVE-2018-12551 +Author: Roger Light <roger@atchoo.org> +Forwarded: not-needed +Origin: upstream, https://mosquitto.org/files/cve/2018-12551/mosquitto-1.4.x_cve-2018-12551.patch +Index: mosquitto-1.4.10/src/security_default.c +=================================================================== +--- mosquitto-1.4.10.orig/src/security_default.c ++++ mosquitto-1.4.10/src/security_default.c +@@ -556,6 +556,9 @@ static int _pwfile_parse(const char *fil + + while(!feof(pwfile)){ + if(fgets(buf, 256, pwfile)){ ++ if(buf[0] == '#') continue; ++ if(!strchr(buf, ':')) continue; ++ + username = strtok_r(buf, ":", &saveptr); + if(username){ + unpwd = _mosquitto_calloc(1, sizeof(struct _mosquitto_unpwd)); +@@ -588,8 +591,13 @@ static int _pwfile_parse(const char *fil + unpwd->password[len-1] = '\0'; + len = strlen(unpwd->password); + } ++ ++ HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd); ++ }else{ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "Warning: Invalid line in password file '%s': %s", file, buf); ++ _mosquitto_free(unpwd->username); ++ _mosquitto_free(unpwd); + } +- HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd); + } + } + } +@@ -626,34 +634,39 @@ static int _unpwd_file_parse(struct mosq + token = strtok(NULL, "$"); + if(token){ + rc = _base64_decode(token, &salt, &salt_len); +- if(rc){ +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s.", u->username); +- return MOSQ_ERR_INVAL; +- } +- u->salt = salt; +- u->salt_len = salt_len; +- token = strtok(NULL, "$"); +- if(token){ +- rc = _base64_decode(token, &password, &password_len); +- if(rc){ +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s.", u->username); +- return MOSQ_ERR_INVAL; ++ if(rc == MOSQ_ERR_SUCCESS && salt_len == 12){ ++ u->salt = salt; ++ u->salt_len = salt_len; ++ token = strtok(NULL, "$"); ++ if(token){ ++ rc = 
_base64_decode(token, &password, &password_len); ++ if(rc == MOSQ_ERR_SUCCESS && password_len == 64){ ++ _mosquitto_free(u->password); ++ u->password = (char *)password; ++ u->password_len = password_len; ++ }else{ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s, removing entry.", u->username); ++ HASH_DEL(db->unpwd, u); ++ } ++ }else{ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username); ++ HASH_DEL(db->unpwd, u); + } +- _mosquitto_free(u->password); +- u->password = (char *)password; +- u->password_len = password_len; + }else{ +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username); +- return MOSQ_ERR_INVAL; ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s, removing entry.", u->username); ++ HASH_DEL(db->unpwd, u); + } + }else{ +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username); +- return MOSQ_ERR_INVAL; ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username); ++ HASH_DEL(db->unpwd, u); + } + }else{ +- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username); +- return MOSQ_ERR_INVAL; ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username); ++ HASH_DEL(db->unpwd, u); + } ++ }else{ ++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Missing password hash for user %s, removing entry.", u->username); ++ HASH_DEL(db->unpwd, u); + } + } + #endif diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD index a6ce6887d0c..bd8c74c0753 100644 --- a/main/musl/APKBUILD +++ b/main/musl/APKBUILD 
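Review bot: In `_unpwd_file_parse` every new error branch calls `HASH_DEL(db->unpwd, u)` but nothing visible releases `u`, `u->username` or `u->password` (which still holds the undecoded hash string), and in the `salt_len == 12` failure case the buffer `_base64_decode` already returned in `salt` is dropped too, so each rejected entry leaks. Unless the enclosing loop, which starts outside the hunk, frees unlinked entries afterwards, each `HASH_DEL` should be followed by freeing the decoded `salt` where it was allocated and then `u->username`, `u->password` and `u`. Deleting while walking the table is only safe if the loop is a `HASH_ITER(hh, db->unpwd, u, tmp)` walk rather than a plain `u = u->hh.next` walk; the loop header is not in the hunk, so that needs confirming. The `_pwfile_parse` hunk does free the half-built `unpwd` on an invalid line, so the two functions are now inconsistent on cleanup.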
@@ -2,7 +2,7 @@ # Maintainer: Timo Teräs <timo.teras@iki.fi> pkgname=musl pkgver=1.1.18 -pkgrel=3 +pkgrel=4 pkgdesc="the musl c library (libc) implementation" url="http://www.musl-libc.org/" arch="all" @@ -17,6 +17,7 @@ nolibc) ;; *) subpackages="$subpackages $pkgname-utils";; esac source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz + CVE-2019-14697.patch 0001-fix-sysconf-for-infinite-rlimits.patch 0001-use-the-name-UTC-instead-of-GMT-for-UTC-timezone.patch 1000-implement-strftime-GNU-extension-padding-specifiers-.patch @@ -31,6 +32,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz " # secfixes: +# 1.1.18-r4: +# - CVE-2019-14697 # 1.1.15-r4: # - CVE-2016-8859 @@ -145,6 +148,7 @@ compat() { } sha512sums="4d55c92efe41dfdd9fff6aca5dda76a632a3be60d10e5a7f66a4731d8f7040fb0a20b998965ba4d069b4f8a3527fcd7388e646cb66afc649c4d0cc6c3d358c9c musl-1.1.18.tar.gz +37ab61c96b940848e4114de105d87754c7039f52eb2fc19d8bf59c27f484bffbac8b4740e9478207eae03bd7416f7036e04197d0efe30ee5293b17d6d5c1cc15 CVE-2019-14697.patch 7b44cc006d37672a67bc261de33e64d11f6426fd1ab3ff80f9f980aefc8e0b099ab61f95d110eeb59f75c2fe772fe13bc5546c194c3f90ca9ec4c812dfff6b1b 0001-fix-sysconf-for-infinite-rlimits.patch c28abac671f531d200bd1ebc934fc57b1c04404e49237dd6cfde4fe72e4fd8b855df0e75f76d62ec930c56daa00a12a6a3b3bb1c86576c7504fdf9628ad58975 0001-use-the-name-UTC-instead-of-GMT-for-UTC-timezone.patch 7e4c703e57a3564cd3ee1d5334b806cbe654355179ba55d4d25361dfc555eb4a7d081d80d64fdaff8476949afd04558d278b124d1fb108080beaa5ba2f8ce2b9 1000-implement-strftime-GNU-extension-padding-specifiers-.patch diff --git a/main/musl/CVE-2019-14697.patch b/main/musl/CVE-2019-14697.patch new file mode 100644 index 00000000000..eae91a00f9c --- /dev/null +++ b/main/musl/CVE-2019-14697.patch 
@@ -0,0 +1,233 @@ +From f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Mon, 5 Aug 2019 18:41:47 -0400 +Subject: fix x87 stack imbalance in corner cases of i386 math asm + +commit 31c5fb80b9eae86f801be4f46025bc6532a554c5 introduced underflow +code paths for the i386 math asm, along with checks on the fpu status +word to skip the underflow-generation instructions if the underflow +flag was already raised. unfortunately, at least one such path, in +log1p, returned with 2 items on the x87 stack rather than just 1 item +for the return value. this is a violation of the ABI's calling +convention, and could cause subsequent floating point code to produce +NANs due to x87 stack overflow. if floating point results are used in +flow control, this can lead to runaway wrong code execution. + +rather than reviewing each "underflow already raised" code path for +correctness, remove them all. they're likely slower than just +performing the underflow code unconditionally, and significantly more +complex. + +all of this code should be ripped out and replaced by C source files +with inline asm. doing so would preclude this kind of error by having +the compiler perform all x87 stack register allocation and stack +manipulation, and would produce comparable or better code. however +such a change is a much larger project. 
+--- + src/math/i386/asin.s | 10 ++-------- + src/math/i386/atan.s | 7 ++----- + src/math/i386/atan2.s | 5 +---- + src/math/i386/atan2f.s | 5 +---- + src/math/i386/atanf.s | 7 ++----- + src/math/i386/exp.s | 10 ++-------- + src/math/i386/log1p.s | 7 ++----- + src/math/i386/log1pf.s | 7 ++----- + 8 files changed, 14 insertions(+), 44 deletions(-) + +diff --git a/src/math/i386/asin.s b/src/math/i386/asin.s +index a9f691bf..920d967a 100644 +--- a/src/math/i386/asin.s ++++ b/src/math/i386/asin.s +@@ -7,13 +7,10 @@ asinf: + cmp $0x01000000,%eax + jae 1f + # subnormal x, return x with underflow +- fnstsw %ax +- and $16,%ax +- jnz 2f + fld %st(0) + fmul %st(1) + fstps 4(%esp) +-2: ret ++ ret + + .global asinl + .type asinl,@function +@@ -30,11 +27,8 @@ asin: + cmp $0x00200000,%eax + jae 1f + # subnormal x, return x with underflow +- fnstsw %ax +- and $16,%ax +- jnz 2f + fsts 4(%esp) +-2: ret ++ ret + 1: fld %st(0) + fld1 + fsub %st(0),%st(1) +diff --git a/src/math/i386/atan.s b/src/math/i386/atan.s +index d73137b2..a26feae1 100644 +--- a/src/math/i386/atan.s ++++ b/src/math/i386/atan.s +@@ -10,8 +10,5 @@ atan: + fpatan + ret + # subnormal x, return x with underflow +-1: fnstsw %ax +- and $16,%ax +- jnz 2f +- fsts 4(%esp) +-2: ret ++1: fsts 4(%esp) ++ ret +diff --git a/src/math/i386/atan2.s b/src/math/i386/atan2.s +index a7d2979b..1fa0524d 100644 +--- a/src/math/i386/atan2.s ++++ b/src/math/i386/atan2.s +@@ -10,8 +10,5 @@ atan2: + cmp $0x00200000,%eax + jae 1f + # subnormal x, return x with underflow +- fnstsw %ax +- and $16,%ax +- jnz 1f + fsts 4(%esp) +-1: ret ++ ret +diff --git a/src/math/i386/atan2f.s b/src/math/i386/atan2f.s +index 14b88ce5..0b264726 100644 +--- a/src/math/i386/atan2f.s ++++ b/src/math/i386/atan2f.s +@@ -10,10 +10,7 @@ atan2f: + cmp $0x01000000,%eax + jae 1f + # subnormal x, return x with underflow +- fnstsw %ax +- and $16,%ax +- jnz 1f + fld %st(0) + fmul %st(1) + fstps 4(%esp) +-1: ret ++ ret +diff --git a/src/math/i386/atanf.s 
b/src/math/i386/atanf.s +index 8caddefa..893beac5 100644 +--- a/src/math/i386/atanf.s ++++ b/src/math/i386/atanf.s +@@ -10,10 +10,7 @@ atanf: + fpatan + ret + # subnormal x, return x with underflow +-1: fnstsw %ax +- and $16,%ax +- jnz 2f +- fld %st(0) ++1: fld %st(0) + fmul %st(1) + fstps 4(%esp) +-2: ret ++ ret +diff --git a/src/math/i386/exp.s b/src/math/i386/exp.s +index c7aa5b6e..df87c497 100644 +--- a/src/math/i386/exp.s ++++ b/src/math/i386/exp.s +@@ -7,13 +7,10 @@ expm1f: + cmp $0x01000000,%eax + jae 1f + # subnormal x, return x with underflow +- fnstsw %ax +- and $16,%ax +- jnz 2f + fld %st(0) + fmul %st(1) + fstps 4(%esp) +-2: ret ++ ret + + .global expm1l + .type expm1l,@function +@@ -30,11 +27,8 @@ expm1: + cmp $0x00200000,%eax + jae 1f + # subnormal x, return x with underflow +- fnstsw %ax +- and $16,%ax +- jnz 2f + fsts 4(%esp) +-2: ret ++ ret + 1: fldl2e + fmulp + mov $0xc2820000,%eax +diff --git a/src/math/i386/log1p.s b/src/math/i386/log1p.s +index 6b6929c7..354f391a 100644 +--- a/src/math/i386/log1p.s ++++ b/src/math/i386/log1p.s +@@ -16,9 +16,6 @@ log1p: + fyl2x + ret + # subnormal x, return x with underflow +-2: fnstsw %ax +- and $16,%ax +- jnz 1f +- fsts 4(%esp) ++2: fsts 4(%esp) + fstp %st(1) +-1: ret ++ ret +diff --git a/src/math/i386/log1pf.s b/src/math/i386/log1pf.s +index c0bcd30f..4d3484cd 100644 +--- a/src/math/i386/log1pf.s ++++ b/src/math/i386/log1pf.s +@@ -16,10 +16,7 @@ log1pf: + fyl2x + ret + # subnormal x, return x with underflow +-2: fnstsw %ax +- and $16,%ax +- jnz 1f +- fxch ++2: fxch + fmul %st(1) + fstps 4(%esp) +-1: ret ++ ret +-- +cgit v1.2.1 + +From 6818c31c9bc4bbad5357f1de14bedf781e5b349e Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Mon, 5 Aug 2019 19:57:07 -0400 +Subject: fix build regression in i386 asm for atan2, atan2f + +commit f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 inadvertently removed +labels that were still needed. 
+--- + src/math/i386/atan2.s | 2 +- + src/math/i386/atan2f.s | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/math/i386/atan2.s b/src/math/i386/atan2.s +index 1fa0524d..76b95f31 100644 +--- a/src/math/i386/atan2.s ++++ b/src/math/i386/atan2.s +@@ -11,4 +11,4 @@ atan2: + jae 1f + # subnormal x, return x with underflow + fsts 4(%esp) +- ret ++1: ret +diff --git a/src/math/i386/atan2f.s b/src/math/i386/atan2f.s +index 0b264726..c9408a90 100644 +--- a/src/math/i386/atan2f.s ++++ b/src/math/i386/atan2f.s +@@ -13,4 +13,4 @@ atan2f: + fld %st(0) + fmul %st(1) + fstps 4(%esp) +- ret ++1: ret +-- +cgit v1.2.1 + diff --git a/main/nfdump/APKBUILD b/main/nfdump/APKBUILD index cf588cf6445..5974b470b36 100644 --- a/main/nfdump/APKBUILD +++ b/main/nfdump/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=nfdump pkgver=1.6.15 -pkgrel=0 +pkgrel=1 pkgdesc="The nfdump tools collect and process netflow data on the command line." url="http://nfdump.sourceforge.net/" arch="all" @@ -18,8 +18,15 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/phaag/nfdump/archive/v$pkgve nfcapd.initd sfcapd.confd sfcapd.initd + CVE-2019-1010057.patch + CVE-2019-14459.patch " +# secfixes: +# 1.6.15-r1: +# - CVE-2019-1010057 +# - CVE-2019-14459 + _builddir="$srcdir"/$pkgname-$pkgver prepare() { local i 
@@ -73,21 +80,11 @@ sfcapd() { "$subpkgdir"/etc/init.d/sfcapd } -md5sums="6f52c01099a2a74e451ebfb17bf92da8 nfdump-1.6.15.tar.gz -e7f9467142159da5ebbb4aa858aae142 fix-64bit-fts-compat.patch -541c45b9ac0e85ac955dd58919972b18 nfcapd.confd -a82001153dbdfa6c4125064fcc7cd090 nfcapd.initd -443ef11c9b458c12d0efea627742732c sfcapd.confd -1ac7c20be80b87fc725310747125e081 sfcapd.initd" -sha256sums="9505c0511d273b9aa3f87a5e664425689a3c7370c6ae3bbc05ff4bdb41bfd457 nfdump-1.6.15.tar.gz -8ffd9160bb5cb639cec08ac68be5cbd33ef918e41630d02c18a75e03881cb5a9 fix-64bit-fts-compat.patch -7cb26698b26f5cd6c9c6cb2b49bb7be3cc0faffe851c5ac5c78e0a41984a276f nfcapd.confd -33c3b5c42655410661f1019e3b8bccb8b875400861a945a7dd784f80520f8a97 nfcapd.initd -4559669b23534a7bec9cc9d342e7abd55316393ccb4dc57e9b335ac27bdf920c sfcapd.confd -4fd63dee5323ce4116fffffa7573bb6a0f781d36867204e7d3670c182a078c56 sfcapd.initd" sha512sums="a6bb4f2293ad85d8f16025e7272b889d3814cea2e9255dbd315ee92754675e4ee925c3ebe4e1350f2d5452d69d1d3c13ddeb656324a409c4744da1d4927fe1f2 nfdump-1.6.15.tar.gz 71a838d493658a3a8479bc9eca70a857fd8629937d4954d21c1d5453d6cc122c089f72e3e109425c902439ee8cfaa273b4089ac347d1fe926473ce6062b7c49a fix-64bit-fts-compat.patch fcb467f819f2b73ac0e13de6de4d6c94cafd3866a7a56685d5d4a048fa975135299655e896ff8370c8c5061d03ab38644623f8be455c08dfe5f630f152820148 nfcapd.confd 97e432e884dd1cc8f27c2d7398bb0320164d46dea06c64ad72fa385d190998b3d62356634962f42652daf6e31f237baa2f3f3efad47c3fc38cc6bea799db61cc nfcapd.initd abe594a95a9320bec1d6ee6af6b75cd4d176526d4b10d07aa7ed79fc292b51c341339ba8e1e468df9ec2aae138b1dd66e3a291921938217835ac33819da9d153 sfcapd.confd -7a65c80186a8708a27e90a7239d1b44ee919c3bbf8cd1ca07ef5d35a623d0dce5eac516b65ba7a98c5fcfab5bad6c15e1f03af38a06eb6280afd1c1f0f52cee4 sfcapd.initd" +7a65c80186a8708a27e90a7239d1b44ee919c3bbf8cd1ca07ef5d35a623d0dce5eac516b65ba7a98c5fcfab5bad6c15e1f03af38a06eb6280afd1c1f0f52cee4 sfcapd.initd 
+c57441c5ec04c9b57ae65816731f0960459ab317ca579f2fcc85d5f0f76009e9f01462191e2ca6d3c79adbdf0c6e57633ae67c9f9eb65ef3063385e992ccfba6 CVE-2019-1010057.patch +6964077020f2273cdb80a6ed72f001c3f5e7241c412681f59e0dd0a2d629d5d549e52e474401e7c7906cff3176440c5d5c419b87c36fa87107f70f45944dc105 CVE-2019-14459.patch" diff --git a/main/nfdump/CVE-2019-1010057.patch b/main/nfdump/CVE-2019-1010057.patch new file mode 100644 index 00000000000..3a7ae479108 --- /dev/null +++ b/main/nfdump/CVE-2019-1010057.patch 
@@ -0,0 +1,64 @@ +diff --git a/bin/nfdump.c b/bin/nfdump.c +index ba8d92f..9f653f8 100644 +--- a/bin/nfdump.c ++++ b/bin/nfdump.c +@@ -559,7 +559,10 @@ int v1_map_done = 0; + exit(255); + } + } +- ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer); ++ if ( !ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer) ) { ++ LogError("Corrupt data file. Unable to decode at %s line %d\n", __FILE__, __LINE__); ++ exit(255); ++ } + flow_record = (common_record_t *)ConvertBuffer; + dbg_printf("Converted type %u to %u record\n", CommonRecordV0Type, CommonRecordType); + case CommonRecordType: { +diff --git a/bin/nffile_inline.c b/bin/nffile_inline.c +index 58225aa..4a9ca25 100755 +--- a/bin/nffile_inline.c ++++ b/bin/nffile_inline.c +@@ -49,7 +49,7 @@ static inline void AppendToBuffer(nffile_t *nffile, void *record, size_t require + + static inline void CopyV6IP(uint32_t *dst, uint32_t *src); + +-static inline void ConvertCommonV0(void *record, common_record_t *flow_record); ++static inline int ConvertCommonV0(void *record, common_record_t *flow_record); + + static inline void ExpandRecord_v2(common_record_t *input_record, extension_info_t *extension_info, exporter_info_record_t *exporter_info, master_record_t *output_record ); + +@@ -88,11 +88,13 @@ static inline void CopyV6IP(uint32_t *dst, uint32_t *src) { + dst[3] = src[3]; + } // End of CopyV6IP + +-static inline void ConvertCommonV0(void *record, common_record_t *flow_record) { ++static inline int ConvertCommonV0(void *record, common_record_t *flow_record) { + common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record; + + // copy v0 common record + memcpy((void *)flow_record, record, COMMON_RECORDV0_DATA_SIZE); ++ if ( flow_record_v0->size <= COMMON_RECORDV0_DATA_SIZE ) ++ return 0; + memcpy((void *)flow_record->data, (void *)flow_record_v0->data, flow_record_v0->size - COMMON_RECORDV0_DATA_SIZE); + + // fix record differences +@@ -102,6 +104,7 @@ common_record_v0_t 
*flow_record_v0 = (common_record_v0_t *)record; + flow_record->exporter_sysid = flow_record_v0->exporter_sysid; + flow_record->reserved = 0; + ++ return 1; + } // End of ConvertCommonV0 + + /* +diff --git a/bin/nfx.c b/bin/nfx.c +index fa84afe..ceea74e 100755 +--- a/bin/nfx.c ++++ b/bin/nfx.c +@@ -542,6 +542,7 @@ int i, extension_size, max_elements; + int id = map->ex_id[i]; + if ( id > Max_num_extensions ) { + printf("PANIC! - Verify map id %i: ERROR: element id %i out of range [%i]!\n", map->map_id, id, Max_num_extensions); ++ exit(255); + } + extension_size += extension_descriptor[id].size; + i++; diff --git a/main/nfdump/CVE-2019-14459.patch b/main/nfdump/CVE-2019-14459.patch new file mode 100644 index 00000000000..6e10f0dcbe1 --- /dev/null +++ b/main/nfdump/CVE-2019-14459.patch @@ -0,0 +1,27 @@ +diff --git a/bin/ipfix.c b/bin/ipfix.c +index f998b72..604fe25 100644 +--- a/bin/ipfix.c ++++ b/bin/ipfix.c +@@ -1067,6 +1067,13 @@ ipfix_template_record_t *ipfix_template_record; + while ( size_left ) { + uint32_t id, count; + ++ if ( size_left < 4 ) { ++ LogError("Process_ipfix [%u] Template withdraw size error at %s line %u" , ++ exporter->info.id, __FILE__, __LINE__, strerror (errno)); ++ size_left = 0; ++ continue; ++ } ++ + // map next record. + ipfix_template_record = (ipfix_template_record_t *)DataPtr; + size_left -= 4; +@@ -1146,7 +1153,7 @@ uint16_t offset_std_sampler_interval, offset_std_sampler_algorithm, found_std_sa + uint16_t id, length; + int Enterprise; + +- if ( size_left && size_left < 4 ) { ++ if ( size_left < 4 ) { + LogError("Process_ipfix [%u] Template size error at %s line %u" , + exporter->info.id, __FILE__, __LINE__, strerror (errno)); + return; diff --git a/main/nghttp2/APKBUILD b/main/nghttp2/APKBUILD index 1c52b1ca62d..a6d58eaaf87 100644 --- a/main/nghttp2/APKBUILD +++ b/main/nghttp2/APKBUILD 
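Review bot: The guard `if ( flow_record_v0->size <= COMMON_RECORDV0_DATA_SIZE ) return 0;` only bounds the subtraction from below; the following `memcpy` into `flow_record->data` still trusts `flow_record_v0->size` for its length, so the fix is complete only if the caller has already checked the record against the size of `ConvertBuffer`, which is outside the hunk. In the nfx.c hunk the check `if ( id > Max_num_extensions )` now exits, but if `extension_descriptor` has exactly `Max_num_extensions` entries the comparison should be `>=`; confirm the table size before accepting the backport. Unlike the mosquitto patches in this commit, this patch file carries no `Description:`/`Origin:` header; a line such as `Origin: upstream, <UPSTREAM-COMMIT-URL>` would make the backport auditable.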
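Review bot: The new `LogError` call in the template-withdraw loop passes four arguments to a format with three conversions (`[%u]`, `%s`, `%u`), so `strerror (errno)` is never printed, and `errno` is not set by a length comparison anyway; drop that argument. The second hunk changes `if ( size_left && size_left < 4 )` to `if ( size_left < 4 )`, so a `size_left` of zero now logs "Template size error" and returns where it previously fell through; whether zero is a legitimate value for that caller cannot be determined from the hunk and should be checked. The `size_left = 0; continue;` exit in the first hunk is sound given the loop condition `while ( size_left )`.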
@@ -1,7 +1,7 @@ # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Francesco Colista <fcolista@alpinelinux.org> pkgname=nghttp2 -pkgver=1.28.0 +pkgver=1.39.2 pkgrel=0 pkgdesc="Experimental HTTP/2 client, server and proxy" url="https://nghttp2.org/" @@ -12,6 +12,11 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs" source="https://github.com/tatsuhiro-t/$pkgname/releases/download/v$pkgver/nghttp2-$pkgver.tar.xz" builddir="$srcdir"/$pkgname-$pkgver +# secfixes: +# 1.39.2-r0: +# - CVE-2019-9511 +# - CVE-2019-9513 + check() { cd "$builddir" make check @@ -42,4 +47,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="c49d4e02ec8e894e01aff0b3573e5ce6a33e37ddbd777f6363a2890681a2d09d9e29794c7a6aaf20dd094b4b6da4b535f3e81ac58ef4164b1f8cca9e0da26ee9 nghttp2-1.28.0.tar.xz" +sha512sums="d8c971543e3e87736dfafebca55e9ecd0644e304c9731edaccba34170205824476595861a439077289b438ad489dd6008dedf2c6b2c111920300329be1b1bf34 nghttp2-1.39.2.tar.xz" diff --git a/main/nmap/APKBUILD b/main/nmap/APKBUILD index 5254d983ed4..3bf70046291 100644 --- a/main/nmap/APKBUILD +++ b/main/nmap/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Leonardo Arena <rnalrd@alpinelinux.org> pkgname=nmap pkgver=7.60 -pkgrel=2 +pkgrel=3 pkgdesc="A network exploration tool and security/port scanner" url="http://nmap.org" arch="all" @@ -16,9 +16,17 @@ subpackages=" $pkgname-nping $pkgname-ncat" source="http://nmap.org/dist/$pkgname-$pkgver.tar.bz2 - fortify-source.patch" + fortify-source.patch + CVE-2017-18594.patch + CVE-2018-15173.patch + " builddir="$srcdir"/$pkgname-$pkgver +# secfixes: +# 7.60-r3: +# - CVE-2017-18594 +# - CVE-2018-15173 + prepare() { default_prepare update_config_sub 
@@ -83,4 +91,6 @@ nping() { } sha512sums="74ba8f6de026ade9ee6bb2252bee18a57210f8207977df7f1c04556629dcdc1e6127f33febc8a52ef88a1dac876116d590564dee4f1c23798c3ac37529991aa4 nmap-7.60.tar.bz2 -2d1f6e290723ac643f456a0e1ac95c4c966106cf2ab743839d25c835bf0141dc2d6bfee19285c3518d4c5f553b0505dabe5a496b769ba47b7adb03e791f05b8d fortify-source.patch" +2d1f6e290723ac643f456a0e1ac95c4c966106cf2ab743839d25c835bf0141dc2d6bfee19285c3518d4c5f553b0505dabe5a496b769ba47b7adb03e791f05b8d fortify-source.patch +a3edb3dc75d4dfa20ebed17b97044f1024b1a9d58145bfc31f3e8bd9d299f047aae47c146866fdfa62fab18383f60dd1ae41091adda0ff7db4a017756886d97d CVE-2017-18594.patch +9e439f09e9499a5664aa376273c84cdfc12f9c6854ed218e63c1a48fb76e5a63a8410bc946c4f2dbcb47784161bb75b0c7f45706b83845ec6f612790382bb4e2 CVE-2018-15173.patch" diff --git a/main/nmap/CVE-2017-18594.patch b/main/nmap/CVE-2017-18594.patch new file mode 100644 index 00000000000..d6cbce77e7c --- /dev/null +++ b/main/nmap/CVE-2017-18594.patch @@ -0,0 +1,30 @@ +diff --git a/nse_libssh2.cc b/nse_libssh2.cc +index bf721b6..22f5bbf 100644 +--- a/nse_libssh2.cc ++++ b/nse_libssh2.cc +@@ -13,7 +13,6 @@ extern "C" { + #include "libssh2.h" + } + +-#include "nse_debug.h" + #include "nse_nsock.h" + #include "nse_utility.h" + +@@ -296,6 +295,7 @@ static int do_session_handshake (lua_State *L, int status, lua_KContext ctx) { + + if (rc) { + libssh2_session_free(sshu->session); ++ sshu->session = NULL; + return luaL_error(L, "Unable to complete libssh2 handshake."); + } + +@@ -479,7 +479,7 @@ static int userauth_list (lua_State *L, int status, lua_KContext ctx) { + } + + /* +-* Returns list of supported authenication methods ++* Returns list of supported authentication methods + */ + static int l_userauth_list (lua_State *L) { + return userauth_list(L, 0, 0); + diff --git a/main/nmap/CVE-2018-15173.patch b/main/nmap/CVE-2018-15173.patch new file mode 100644 index 00000000000..4b066dbd97c --- /dev/null +++ b/main/nmap/CVE-2018-15173.patch 
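Review bot: Besides the actual fix `sshu->session = NULL;` after `libssh2_session_free`, the hunk also deletes `#include "nse_debug.h"` and rewords a comment, neither of which the double-free fix needs; if anything else in nse_libssh2.cc at 7.60 still uses a symbol from that header the backport breaks the build, so confirm it is unused or drop that part of the patch. A comment on the fix line, `/* the session is already freed; clear it so a later cleanup path does not free it again */`, would record why the assignment matters. The enclosing `do_session_handshake` continues outside the hunk.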
@@ -0,0 +1,34 @@ +diff --git a/service_scan.cc b/service_scan.cc +index 1273513..0a431d6 100644 +--- a/service_scan.cc ++++ b/service_scan.cc +@@ -489,6 +489,15 @@ void ServiceProbeMatch::InitMatch(const char *matchtext, int lineno) { + if (pcre_errptr != NULL) + fatal("%s: failed to pcre_study regexp on line %d of nmap-service-probes: %s\n", __func__, lineno, pcre_errptr); + ++ // Set some limits to avoid evil match cases. ++ // These are flexible; if they cause problems, increase them. ++#ifdef PCRE_ERROR_MATCHLIMIT ++ regex_extra->match_limit = 100000; // 100K ++#endif ++#ifdef PCRE_ERROR_RECURSIONLIMIT ++ regex_extra->match_limit_recursion = 10000; // 10K ++#endif ++ + free(modestr); + free(flags); + +@@ -568,6 +577,12 @@ const struct MatchDetails *ServiceProbeMatch::testMatch(const u8 *buf, int bufle + if (o.debugging || o.verbose > 1) + error("Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service %s with the regex '%s'", servicename, matchstr); + } else ++#endif // PCRE_ERROR_MATCHLIMIT ++#ifdef PCRE_ERROR_RECURSIONLIMIT ++ if (rc == PCRE_ERROR_RECURSIONLIMIT) { ++ if (o.debugging || o.verbose > 1) ++ error("Warning: Hit PCRE_ERROR_RECURSIONLIMIT when probing for service %s with the regex '%s'", servicename, matchstr); ++ } else + #endif // PCRE_ERROR_MATCHLIMIT + if (rc != PCRE_ERROR_NOMATCH) { + fatal("Unexpected PCRE error (%d) when probing for service %s with the regex '%s'", rc, servicename, matchstr); + diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD index 3b3caa86282..e511fc9b1f9 100644 --- a/main/openldap/APKBUILD +++ b/main/openldap/APKBUILD @@ -2,12 +2,18 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # # secfixes: +# 2.4.48-r0: +# - CVE-2019-13565 +# - CVE-2019-13057 +# 2.4.46-r0: +# - CVE-2017-14159 +# - CVE-2017-17740 # 2.4.44-r5: # - CVE-2017-9287 # pkgname=openldap -pkgver=2.4.45 -pkgrel=3 +pkgver=2.4.48 +pkgrel=0 pkgdesc="LDAP Server" url="http://www.openldap.org/" arch="all" 
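Review bot: Setting `regex_extra->match_limit` and `regex_extra->match_limit_recursion` has no effect in PCRE1 unless `regex_extra->flags` also carries `PCRE_EXTRA_MATCH_LIMIT` and `PCRE_EXTRA_MATCH_LIMIT_RECURSION`, and `pcre_study` may legitimately return NULL when it has no study data, in which case writing through `regex_extra` here dereferences NULL; unless both are handled just above the hunk (only the error check after `pcre_study` is visible), the limits this CVE fix relies on are never applied. The backport should allocate a zeroed `pcre_extra` when `pcre_study` returned NULL and set `regex_extra->flags |= PCRE_EXTRA_MATCH_LIMIT | PCRE_EXTRA_MATCH_LIMIT_RECURSION;` under the same `#ifdef`s. In the second hunk the trailing `#endif // PCRE_ERROR_MATCHLIMIT` now closes the `#ifdef PCRE_ERROR_RECURSIONLIMIT` block; change it to `#endif // PCRE_ERROR_RECURSIONLIMIT`. `InitMatch` and `testMatch` both continue outside the hunk.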
@@ -23,7 +29,8 @@ subpackages="$pkgname-dev $pkgname-doc libldap $pkgname-backend-all:_backend_all:noarch $pkgname-overlay-all:_overlay_all:noarch" install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade" -source="ftp://ftp.$pkgname.org/pub/OpenLDAP/$pkgname-release/$pkgname-$pkgver.tgz +source=" + https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-$pkgver.tgz openldap-2.4-ppolicy.patch openldap-2.4.11-libldap_r.patch openldap-mqtt-overlay.patch 
@@ -212,11 +219,11 @@ _submv() { done } -sha512sums="1c9fc84efed8998f107ce6e1c6be3f5466388241afdca0cb3847720c9def0bc263a2dbc15bf0f9112d1b4c391fd01e8531a4fb08c5532c30fb86924c08daedab openldap-2.4.45.tgz +sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be799d8778fac2d4fa9f382731eb4ca48c6b85630cb58a3b8249843561ae8feb openldap-2.4.48.tgz 5d34d49eabe7cb66cf8284cc3bd9730fa23df4932df68549e242d250ee50d40c434ae074ebc720d5fbcd9d16587c9333c5598d30a5f1177caa61461ab7771f38 openldap-2.4-ppolicy.patch 44d97efb25d4f39ab10cd5571db43f3bfa7c617a5bb087085ae16c0298aca899b55c8742a502121ba743a73e6d77cd2056bc96cee63d6d0862dabc8fb5574357 openldap-2.4.11-libldap_r.patch 9c7f41279e91ed995c91e9a8c543c797d9294a93cf260afdc03ab5777e45ed045a4d6a4d4d0180b5dc387dc04babca01d818fbfa8168309df44f4500d2a430a4 openldap-mqtt-overlay.patch -cbfd573139e6b0c51d0f1f1337d74d5c07813509754758df240b09bc2ba559127f656580eef88f1db1c1322d7cb05042b1926e046e24c19889759647aee7aec6 libressl.patch +ec4604e4ec55ab2109d59deb54e0b6291f43ec91da9bb42a784add67de3200bed22cfd64b1426d3b8f2f0bdee8d97440adc7c21be43db0646d7508cdee2fdac2 libressl.patch 8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch 0d2e570ddcb7ace1221abad9fc1d3dd0d00d6948340df69879b449959a68feee6a0ad8e17ef9971b35986293e16fc9d8e88de81815fedd5ea6a952eb085406ca configs.patch 0c3606e4dad1b32f1c4b62f2bc1990a4c9f7ccd10c7b50e623309ba9df98064e68fc42a7242450f32fb6e5fa2203609d3d069871b5ae994cd4b227a078c93532 slapd.initd diff --git a/main/openldap/libressl.patch b/main/openldap/libressl.patch index ac01064186d..919816c2dc0 100644 --- a/main/openldap/libressl.patch +++ b/main/openldap/libressl.patch @@ -1,4 +1,6 @@ ---- a/libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 92c708b..77910bb 100644 +--- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c 
@@ -47,7 +47,7 @@ #include <ssl.h> @@ -9,7 +11,16 @@ #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x) #endif -@@ -157,7 +157,7 @@ tlso_init( void ) +@@ -116,7 +116,7 @@ static void tlso_thr_init( void ) {} + #endif + #endif /* OpenSSL 1.1 */ + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) + /* + * OpenSSL 1.1 API and later makes the BIO method concrete types internal. + */ +@@ -197,7 +197,7 @@ tlso_init( void ) (void) tlso_seed_PRNG( lo->ldo_tls_randfile ); #endif @@ -18,7 +29,7 @@ SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_digests(); -@@ -205,7 +205,7 @@ static void +@@ -249,7 +249,7 @@ static void tlso_ctx_ref( tls_ctx *ctx ) { tlso_ctx *c = (tlso_ctx *)ctx; @@ -27,7 +38,7 @@ #define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX ) #endif SSL_CTX_up_ref( c ); -@@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval * +@@ -508,7 +508,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn ) if (!x) return LDAP_INVALID_CREDENTIALS; xn = X509_get_subject_name(x); @@ -36,7 +47,7 @@ der_dn->bv_len = i2d_X509_NAME( xn, NULL ); der_dn->bv_val = xn->bytes->data; #else -@@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval +@@ -544,7 +544,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn ) return LDAP_INVALID_CREDENTIALS; xn = X509_get_subject_name(x); @@ -45,7 +56,7 @@ der_dn->bv_len = i2d_X509_NAME( xn, NULL ); der_dn->bv_val = xn->bytes->data; #else -@@ -721,7 +721,7 @@ struct tls_data { +@@ -765,7 +765,7 @@ struct tls_data { Sockbuf_IO_Desc *sbiod; }; 
@@ -54,12 +65,4 @@ #define BIO_set_init(b, x) b->init = x #define BIO_set_data(b, x) b->ptr = x #define BIO_clear_flags(b, x) b->flags &= ~(x) -@@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str ) - return tlso_bio_write( b, str, strlen( str ) ); - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000 -+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) - struct bio_method_st { - int type; - const char *name; + diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD index cfab6962b7a..eaf1f4edfdf 100644 --- a/main/openssl/APKBUILD +++ b/main/openssl/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Timo Teras <timo.teras@iki.fi> pkgname=openssl -pkgver=1.0.2r +pkgver=1.0.2t pkgrel=0 pkgdesc="Toolkit for SSL v2/v3 and TLS v1" url="https://openssl.org" @@ -29,6 +29,9 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz " # secfixes: +# 1.0.2t-r0: +# - CVE-2019-1547 +# - CVE-2019-1563 # 1.0.2h-r0: # - CVE-2016-2107 # - CVE-2016-2105 @@ -58,7 +61,6 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz # - CVE-2017-3737 # - CVE-2017-3738 # 1.0.2o-r0: -# - CVE-2017-3738 # - CVE-2018-0733 # - CVE-2018-0739 # 1.0.2o-r1: 
@@ -140,7 +142,7 @@ libssl() { done } -sha512sums="6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235 openssl-1.0.2r.tar.gz +sha512sums="0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71 openssl-1.0.2t.tar.gz 2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c 0002-busybox-basename.patch 58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch diff --git a/main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch b/main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch new file mode 100644 index 00000000000..b26651ab05e --- /dev/null +++ b/main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch 
@@ -0,0 +1,33 @@ +From b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Fri, 6 Apr 2018 11:34:51 +0200 +Subject: [PATCH] Allow input files to be missing for ed-style patches + +* src/pch.c (do_ed_script): Allow input files to be missing so that new +files will be created as with non-ed-style patches. +--- + src/pch.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/pch.c b/src/pch.c +index bc6278c..0c5cc26 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -2394,9 +2394,11 @@ do_ed_script (char const *inname, char const *outname, + + if (! dry_run && ! skip_rest_of_patch) { + int exclusive = *outname_needs_removal ? 0 : O_EXCL; +- assert (! inerrno); +- *outname_needs_removal = true; +- copy_file (inname, outname, 0, exclusive, instat.st_mode, true); ++ if (inerrno != ENOENT) ++ { ++ *outname_needs_removal = true; ++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true); ++ } + sprintf (buf, "%s %s%s", editor_program, + verbosity == VERBOSE ? "" : "- ", + outname); +-- +2.22.0 + diff --git a/main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch b/main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch new file mode 100644 index 00000000000..6b65e2dd486 --- /dev/null +++ b/main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch 
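Review bot: This patch is not itself a security fix — it replaces `assert (! inerrno);` with `if (inerrno != ENOENT)` so that other stat failures on `inname` now proceed to `copy_file` instead of aborting — and nothing in the file says why it is being added; since the following CVE-2018-1000156 patch removes the very line `if (inerrno != ENOENT)`, it is evidently a prerequisite for that patch to apply. A header line such as `Prerequisite for 0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch` would make that relationship explicit. `do_ed_script` continues outside the hunk.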
@@ -0,0 +1,211 @@ +From 123eaff0d5d1aebe128295959435b9ca5909c26d Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Fri, 6 Apr 2018 12:14:49 +0200 +Subject: [PATCH] Fix arbitrary command execution in ed-style patches + (CVE-2018-1000156) + +* src/pch.c (do_ed_script): Write ed script to a temporary file instead +of piping it to ed: this will cause ed to abort on invalid commands +instead of rejecting them and carrying on. +* tests/ed-style: New test case. +* tests/Makefile.am (TESTS): Add test case. +--- + src/pch.c | 91 ++++++++++++++++++++++++++++++++++------------- + tests/Makefile.am | 1 + + tests/ed-style | 41 +++++++++++++++++++++ + 3 files changed, 108 insertions(+), 25 deletions(-) + create mode 100644 tests/ed-style + +diff --git a/src/pch.c b/src/pch.c +index 0c5cc26..4fd5a05 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -33,6 +33,7 @@ + # include <io.h> + #endif + #include <safe.h> ++#include <sys/wait.h> + + #define INITHUNKMAX 125 /* initial dynamic allocation size */ + +@@ -2389,24 +2390,28 @@ do_ed_script (char const *inname, char const *outname, + static char const editor_program[] = EDITOR_PROGRAM; + + file_offset beginning_of_this_line; +- FILE *pipefp = 0; + size_t chars_read; ++ FILE *tmpfp = 0; ++ char const *tmpname; ++ int tmpfd; ++ pid_t pid; ++ ++ if (! dry_run && ! skip_rest_of_patch) ++ { ++ /* Write ed script to a temporary file. This causes ed to abort on ++ invalid commands such as when line numbers or ranges exceed the ++ number of available lines. When ed reads from a pipe, it rejects ++ invalid commands and treats the next line as a new command, which ++ can lead to arbitrary command execution. */ ++ ++ tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0); ++ if (tmpfd == -1) ++ pfatal ("Can't create temporary file %s", quotearg (tmpname)); ++ tmpfp = fdopen (tmpfd, "w+b"); ++ if (! tmpfp) ++ pfatal ("Can't open stream for file %s", quotearg (tmpname)); ++ } + +- if (! dry_run && ! 
skip_rest_of_patch) { +- int exclusive = *outname_needs_removal ? 0 : O_EXCL; +- if (inerrno != ENOENT) +- { +- *outname_needs_removal = true; +- copy_file (inname, outname, 0, exclusive, instat.st_mode, true); +- } +- sprintf (buf, "%s %s%s", editor_program, +- verbosity == VERBOSE ? "" : "- ", +- outname); +- fflush (stdout); +- pipefp = popen(buf, binary_transput ? "wb" : "w"); +- if (!pipefp) +- pfatal ("Can't open pipe to %s", quotearg (buf)); +- } + for (;;) { + char ed_command_letter; + beginning_of_this_line = file_tell (pfp); +@@ -2417,14 +2422,14 @@ do_ed_script (char const *inname, char const *outname, + } + ed_command_letter = get_ed_command_letter (buf); + if (ed_command_letter) { +- if (pipefp) +- if (! fwrite (buf, sizeof *buf, chars_read, pipefp)) ++ if (tmpfp) ++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp)) + write_fatal (); + if (ed_command_letter != 'd' && ed_command_letter != 's') { + p_pass_comments_through = true; + while ((chars_read = get_line ()) != 0) { +- if (pipefp) +- if (! fwrite (buf, sizeof *buf, chars_read, pipefp)) ++ if (tmpfp) ++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp)) + write_fatal (); + if (chars_read == 2 && strEQ (buf, ".\n")) + break; +@@ -2437,13 +2442,49 @@ do_ed_script (char const *inname, char const *outname, + break; + } + } +- if (!pipefp) ++ if (!tmpfp) + return; +- if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0 +- || fflush (pipefp) != 0) ++ if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0 ++ || fflush (tmpfp) != 0) + write_fatal (); +- if (pclose (pipefp) != 0) +- fatal ("%s FAILED", editor_program); ++ ++ if (lseek (tmpfd, 0, SEEK_SET) == -1) ++ pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); ++ ++ if (! dry_run && ! skip_rest_of_patch) { ++ int exclusive = *outname_needs_removal ? 
0 : O_EXCL; ++ *outname_needs_removal = true; ++ if (inerrno != ENOENT) ++ { ++ *outname_needs_removal = true; ++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true); ++ } ++ sprintf (buf, "%s %s%s", editor_program, ++ verbosity == VERBOSE ? "" : "- ", ++ outname); ++ fflush (stdout); ++ ++ pid = fork(); ++ if (pid == -1) ++ pfatal ("Can't fork"); ++ else if (pid == 0) ++ { ++ dup2 (tmpfd, 0); ++ execl ("/bin/sh", "sh", "-c", buf, (char *) 0); ++ _exit (2); ++ } ++ else ++ { ++ int wstatus; ++ if (waitpid (pid, &wstatus, 0) == -1 ++ || ! WIFEXITED (wstatus) ++ || WEXITSTATUS (wstatus) != 0) ++ fatal ("%s FAILED", editor_program); ++ } ++ } ++ ++ fclose (tmpfp); ++ safe_unlink (tmpname); + + if (ofp) + { +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 6b6df63..16f8693 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -32,6 +32,7 @@ TESTS = \ + crlf-handling \ + dash-o-append \ + deep-directories \ ++ ed-style \ + empty-files \ + false-match \ + fifo \ +diff --git a/tests/ed-style b/tests/ed-style +new file mode 100644 +index 0000000..d8c0689 +--- /dev/null ++++ b/tests/ed-style +@@ -0,0 +1,41 @@ ++# Copyright (C) 2018 Free Software Foundation, Inc. ++# ++# Copying and distribution of this file, with or without modification, ++# in any medium, are permitted without royalty provided the copyright ++# notice and this notice are preserved. ++ ++. $srcdir/test-lib.sh ++ ++require cat ++use_local_patch ++use_tmpdir ++ ++# ============================================================== ++ ++cat > ed1.diff <<EOF ++0a ++foo ++. ++EOF ++ ++check 'patch -e foo -i ed1.diff' <<EOF ++EOF ++ ++check 'cat foo' <<EOF ++foo ++EOF ++ ++cat > ed2.diff <<EOF ++1337a ++r !echo bar ++,p ++EOF ++ ++check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF ++? ++Status: 2 ++EOF ++ ++check 'cat foo' <<EOF ++foo ++EOF +-- +2.22.0 + diff --git a/main/patch/APKBUILD b/main/patch/APKBUILD index 3a1cf46ddb2..aae46046b5e 100644 
--- a/main/patch/APKBUILD +++ b/main/patch/APKBUILD @@ -1,29 +1,45 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=patch -pkgver=2.7.5 -pkgrel=2 +pkgver=2.7.6 +pkgrel=0 pkgdesc="Utility to apply diffs to files" url="https://www.gnu.org/software/patch/patch.html" arch="all" -license="GPL" +license="GPL-3.0-or-later" depends="" -depends_dev="" -makedepends="" -install="" +makedepends="autoconf automake" +# testsuite needs coreutils due to bug in busybox `cat -ve` +# http://lists.busybox.net/pipermail/busybox/2018-April/086401.html +checkdepends="coreutils bash ed" subpackages="$pkgname-doc" source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz CVE-2018-6951.patch + CVE-2018-6952.patch + 0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch + 0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch + CVE-2019-13636.patch + CVE-2019-13638.patch " -_builddir="$srcdir"/$pkgname-$pkgver - # secfixes: +# 2.7.6-r0: +# - CVE-2018-6952 +# - CVE-2018-1000156 +# - CVE-2019-13638 +# 2.7.5-r3: +# - CVE-2019-13636 # 2.7.5-r2: # - CVE-2018-6951 +prepare() { + default_prepare + aclocal && autoheader && autoconf && automake --add-missing +} + build() { - cd "$_builddir" + gl_cv_func_gettimeofday_clobber=no \ + gl_cv_func_tzset_clobber=no \ ./configure \ --build=$CBUILD \ --host=$CHOST \ 
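Review bot: The secfixes block keys CVE-2019-13636 under `2.7.5-r3`, but this hunk moves pkgrel from 2 straight to 0 with the version bump, so unless an intermediate 2.7.5-r3 was really published from this branch that entry names a release that never existed and the CVE belongs under `2.7.6-r0` with the others. The order of the added patches in `source=` is load-bearing and deserves a comment: the `index` lines of the new files show `CVE-2019-13638.patch` (4fd5a05..16e001a) is stacked on the output of `0002-...` (0c5cc26..4fd5a05), which in turn follows `0001-...` (bc6278c..0c5cc26), and 13638 replaces the `/bin/sh -c` invocation that 0002 introduces, so applying them in a different order would fail or leave the shell exec path in place. Suggest `# keep order: 0001/0002 (CVE-2018-1000156) must precede CVE-2019-13638.patch, which replaces the shell exec they add` above the patch list. The April-2018 Date headers on 0001/0002 suggest they post-date the 2.7.6 release, which presumably is why they are carried alongside the version bump; worth stating in the same comment if confirmed.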
@@ -31,19 +47,28 @@ build() { --sysconfdir=/etc \ --mandir=/usr/share/man \ --localstatedir=/var \ - --disable-nls \ || return 1 make || return 1 } +check() { + cd "$builddir" + make SHELL=bash check +} + package() { + cd "$builddir" make prefix="$pkgdir"/usr \ mandir="$pkgdir"/usr/share/man \ - -C "$_builddir" install || return 1 + -C "$builddir" install || return 1 rm -f "$pkgdir"/usr/lib/charset.alias rmdir -p "$pkgdir"/usr/lib 2>/dev/null || true } - -sha512sums="6620ac8101f60c0b456ce339fa5e371f40be0b391e2e9728f34f3625f9907e516de61dac2f91bc76e6fd28a9bd1224efc3ba827cfaa606d857730c1af4195a0f patch-2.7.5.tar.xz -db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch" +sha512sums="fcca87bdb67a88685a8a25597f9e015f5e60197b9a269fa350ae35a7991ed8da553939b4bbc7f7d3cfd863c67142af403b04165633acbce4339056a905e87fbd patch-2.7.6.tar.xz +db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch +5d2eaef629bae92e5b4e5e57d140c24a73e2811306d5f2854858f846646b034d2da315071f478bcf6f8d856a065b9bb073f76322e8e3a42616bc212281ce6945 CVE-2018-6952.patch +33e8a82f5ee6b896fd434e7de1ca9e16e8d317941a021bea8c53afd5bf210774e8727df22f8d8f63f255de10de5a26428047bc710b033423d1e7a459cbbaf83a 0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch +d0d46e28c5fdcd5fe16826cbcf39d5a74fdf2593375d5206aa7bad759f16dbebeca3bf259239f99c13344579044a3de1000d705065cc19e917266bca6e5c0630 0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch +029b92bb899d0b1165cfe7f55b5a4c2d7090852f52e5c85a6bb1cf5913c914a5c68c6c34517e84f0a020a56d21814f8c18b934c8ebe059ba4eddece78a3a258c CVE-2019-13636.patch +d60f8c2364fca9b73aa73b5914cfd6571d11528d13fa7703ccfa93730cbdf8a6e4c9ca04cb7d02a40d33c38075890790b490052d5217e728b0948991da937980 CVE-2019-13638.patch" 
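Review bot: The new `check()` and the changed `package()` both start with `cd "$builddir"`, while the new `prepare()` in the preceding hunk does not and relies on abuild already being in `$builddir`; if that is the abuild behaviour in use, the two `cd` lines are redundant and the file should pick one convention. `make SHELL=bash check` has no justification next to it, unlike the coreutils comment above `checkdepends`; a one-liner such as `# testsuite scripts require bash` (or whatever the actual reason is) would save the next maintainer from trying to drop the bash dependency. The retained `|| return 1` on `make` and `install` is the old style and could go when this file is next touched.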
diff --git a/main/patch/CVE-2018-6952.patch b/main/patch/CVE-2018-6952.patch new file mode 100644 index 00000000000..5f1511c7b16 --- /dev/null +++ b/main/patch/CVE-2018-6952.patch @@ -0,0 +1,27 @@ +From 9c986353e420ead6e706262bf204d6e03322c300 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Fri, 17 Aug 2018 13:35:40 +0200 +Subject: [PATCH] Fix swapping fake lines in pch_swap + +* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a +blank line in the middle of a context-diff hunk: that empty line stays +in the middle of the hunk and isn't swapped. + +Fixes: https://savannah.gnu.org/bugs/index.php?53133 +--- + src/pch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pch.c b/src/pch.c +index e92bc64..a500ad9 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -2122,7 +2122,7 @@ pch_swap (void) + } + if (p_efake >= 0) { /* fix non-freeable ptr range */ + if (p_efake <= i) +- n = p_end - i + 1; ++ n = p_end - p_ptrn_lines; + else + n = -i; + p_efake += n; diff --git a/main/patch/CVE-2019-13636.patch b/main/patch/CVE-2019-13636.patch new file mode 100644 index 00000000000..ea4a98d3307 --- /dev/null +++ b/main/patch/CVE-2019-13636.patch 
@@ -0,0 +1,109 @@ +From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Mon, 15 Jul 2019 16:21:48 +0200 +Subject: Don't follow symlinks unless --follow-symlinks is given + +* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file, +append_to_file): Unless the --follow-symlinks option is given, open files with +the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing +that consistently for input files. +* src/util.c (create_backup): When creating empty backup files, (re)create them +with O_CREAT | O_EXCL to avoid following symlinks in that case as well. +--- + src/inp.c | 12 ++++++++++-- + src/util.c | 14 +++++++++++--- + 2 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/inp.c b/src/inp.c +index 32d0919..22d7473 100644 +--- a/src/inp.c ++++ b/src/inp.c +@@ -238,8 +238,13 @@ plan_a (char const *filename) + { + if (S_ISREG (instat.st_mode)) + { +- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0); ++ int flags = O_RDONLY | binary_transput; + size_t buffered = 0, n; ++ int ifd; ++ ++ if (! follow_symlinks) ++ flags |= O_NOFOLLOW; ++ ifd = safe_open (filename, flags, 0); + if (ifd < 0) + pfatal ("can't open file %s", quotearg (filename)); + +@@ -340,6 +345,7 @@ plan_a (char const *filename) + static void + plan_b (char const *filename) + { ++ int flags = O_RDONLY | binary_transput; + int ifd; + FILE *ifp; + int c; +@@ -353,7 +359,9 @@ plan_b (char const *filename) + + if (instat.st_size == 0) + filename = NULL_DEVICE; +- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0 ++ if (! follow_symlinks) ++ flags |= O_NOFOLLOW; ++ if ((ifd = safe_open (filename, flags, 0)) < 0 + || ! (ifp = fdopen (ifd, binary_transput ? 
"rb" : "r"))) + pfatal ("Can't open file %s", quotearg (filename)); + if (TMPINNAME_needs_removal) +diff --git a/src/util.c b/src/util.c +index 1cc08ba..fb38307 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original) + + try_makedirs_errno = ENOENT; + safe_unlink (bakname); +- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0) ++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0) + { + if (errno != try_makedirs_errno) + pfatal ("Can't create file %s", quotearg (bakname)); +@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode, + static void + copy_to_fd (const char *from, int tofd) + { ++ int from_flags = O_RDONLY | O_BINARY; + int fromfd; + ssize_t i; + +- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0) ++ if (! follow_symlinks) ++ from_flags |= O_NOFOLLOW; ++ if ((fromfd = safe_open (from, from_flags, 0)) < 0) + pfatal ("Can't reopen file %s", quotearg (from)); + while ((i = read (fromfd, buf, bufsize)) != 0) + { +@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost, + else + { + assert (S_ISREG (mode)); ++ if (! follow_symlinks) ++ to_flags |= O_NOFOLLOW; + tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode, + to_dir_known_to_exist); + copy_to_fd (from, tofd); +@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost, + void + append_to_file (char const *from, char const *to) + { ++ int to_flags = O_WRONLY | O_APPEND | O_BINARY; + int tofd; + +- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0) ++ if (! follow_symlinks) ++ to_flags |= O_NOFOLLOW; ++ if ((tofd = safe_open (to, to_flags, 0)) < 0) + pfatal ("Can't reopen file %s", quotearg (to)); + copy_to_fd (from, tofd); + if (close (tofd) != 0) +-- +cgit v1.0-41-gc330 + + 
diff --git a/main/patch/CVE-2019-13638.patch b/main/patch/CVE-2019-13638.patch new file mode 100644 index 00000000000..38caff628aa --- /dev/null +++ b/main/patch/CVE-2019-13638.patch @@ -0,0 +1,38 @@ +From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Fri, 6 Apr 2018 19:36:15 +0200 +Subject: Invoke ed directly instead of using the shell + +* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell +command to avoid quoting vulnerabilities. +--- + src/pch.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/pch.c b/src/pch.c +index 4fd5a05..16e001a 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname, + *outname_needs_removal = true; + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } +- sprintf (buf, "%s %s%s", editor_program, +- verbosity == VERBOSE ? "" : "- ", +- outname); + fflush (stdout); + + pid = fork(); +@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname, + else if (pid == 0) + { + dup2 (tmpfd, 0); +- execl ("/bin/sh", "sh", "-c", buf, (char *) 0); ++ assert (outname[0] != '!' && outname[0] != '-'); ++ execlp (editor_program, editor_program, "-", outname, (char *) NULL); + _exit (2); + } + else +-- +cgit v1.0-41-gc330 + diff --git a/main/polkit/APKBUILD b/main/polkit/APKBUILD index 5cf5e8fa56c..c2c4b3d6f69 100644 --- a/main/polkit/APKBUILD +++ b/main/polkit/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=polkit pkgver=0.105 -pkgrel=8 +pkgrel=10 pkgdesc="Application development toolkit for controlling system-wide privileges" url="http://www.freedesktop.org/wiki/Software/polkit/" arch="all" 
@@ -21,6 +21,7 @@ source="http://www.freedesktop.org/software/polkit/releases/polkit-$pkgver.tar.g CVE-2015-3255.patch CVE-2015-4625.patch CVE-2018-19788.patch + CVE-2019-6133.patch automake.patch fix-parallel-make.patch fix-consolekit-db-stat.patch @@ -28,6 +29,8 @@ source="http://www.freedesktop.org/software/polkit/releases/polkit-$pkgver.tar.g _builddir="$srcdir"/polkit-$pkgver # secfixes: +# 0.105-r10: +# - CVE-2019-6133 # 0.105-r8: # - CVE-2018-19788 
@@ -71,24 +74,6 @@ package() { make DESTDIR="$pkgdir" install || return 1 } -md5sums="9c29e1b6c214f0bd6f1d4ee303dfaed9 polkit-0.105.tar.gz -bb4e7bffa5bad89bf3033b3d866a4087 0001-Bug-50145-make-netgroup-support-optional.patch -2f2b7a0a5e79516582ce12a80c5677a2 CVE-2013-4288.patch -a3d38d5b0bd35c066806b61cedc175d6 CVE-2015-3218.patch -ff484f4397db117a6924fe6a65eb552e CVE-2015-3255.patch -d18b03f6a0efe134e3c201a2c2410d33 CVE-2015-4625.patch -38dfb2ffefa4f84d64e4cd93fda145f2 automake.patch -cca56781a0ac23c0c56b5390fc8f8238 fix-parallel-make.patch -3d049fef3f78c78b9bd0a6d9e7731692 fix-consolekit-db-stat.patch" -sha256sums="8fdc7cc8ba4750fcce1a4db9daa759c12afebc7901237e1c993c38f08985e1df polkit-0.105.tar.gz -80bf119937c5b75887bf6405e69e364a31e6e2edcac7957816ed7d8ea6b2a5a3 0001-Bug-50145-make-netgroup-support-optional.patch -394be8089e90ed662af0b2043fa6abdda0c062d89970ce5f5a25df8633123d5e CVE-2013-4288.patch -b15b54e86195a5c87efe058cc970db69f1dddbfebd97399689fccc77794f678a CVE-2015-3218.patch -90b2a03cabe3a6ea5a5bab13cfb4236b8b7c6820f7a6d27786c601b0331a70e0 CVE-2015-3255.patch -f34f46d445391234f75b0f92b63af70a5b9597555981dcc34bec78fd46229a98 CVE-2015-4625.patch -de9e99ec691e45fc204eba576e301299952c0eb13ecedcb7399ba1b6aab94200 automake.patch -fb0352d687b4b23acace3d211d9f48635d2eae43f5a478cbdda0f1e42784f735 fix-parallel-make.patch -f0de45566d1ac79c0d9256e5c36244dfc74936dbc45f2af63ce9c6893dedea52 fix-consolekit-db-stat.patch" sha512sums="7c0f84b9639814b4690e42b570285ff2018a5ea4cfd7216d9abf44c84ece6592c530f2d6211511c1346963daf4f135e9fa79d1b2f592b454115950991b5e4bc3 polkit-0.105.tar.gz 09ca9c14044c0a281e9069919efbb6d14918f23f58a282b5ce25c8a6640966396904373822869fe994c711f40c33d5c34cf3b77f85a59e239ba3d0c22a31ca8e 0001-Bug-50145-make-netgroup-support-optional.patch d6de3beb063243c11906f525ef2eb65aeca823c25b1f44dde4a16f4fc2c5ce587b129e0bfb25a4a4b88ac2bf5713c47e57700c139323d961c9f9b6ba4c03fffb CVE-2013-4288.patch 
@@ -96,6 +81,7 @@ d6de3beb063243c11906f525ef2eb65aeca823c25b1f44dde4a16f4fc2c5ce587b129e0bfb25a4a4 0b26b819da0b34f10ff8a768850560b3207a6e10a7141bd1aa4769c1cb2829eb110164974b99d993d4e3a62145ace0fc5375489f84d2b56fe08e3430e3232aa8 CVE-2015-3255.patch 32ecc38db938fc1e3d14ffd9c492d12a42a91750e0eb1f66f8346d0cefd6e18fd0dffac8bffc65578cfb56c9598d3b336721477e8496de2619d6d69f1a6b309e CVE-2015-4625.patch 9bde734555526c77cac43b0aa90545ede4718d837bb2cb4b9fe5833cdaee0cc91215df4c7103fd675add434c1344385ce4b03c4fdeb3024245e4721cd0703f6a CVE-2018-19788.patch +be30f6319ffbc729802f316140b2b45c5a3d3059a818fc13814113e46816e1aafb9d594ff7208d8322db9b2e74c2ea5292b9d51aaeb0987f0183320e48e1ef0b CVE-2019-6133.patch 25465a23332247d0873e24cb5f011a267413615526755a8295a6367d64fc5eb8c2aa3c9c1fdcfa183b39e3ece14f33b25f15a339d966a31f3feb861b3f17adbf automake.patch 6b0d9262ba8b3c000acdcc8c86bd6fc043e5750a0155730638d4e3a92e63f43cb476d63b11856c041d60d8f38f7eb5ada0eb0eced9100bdac3bc2c7dd5108ddd fix-parallel-make.patch 95493ef842b46ce9e724933a5d86083589075fb452435057b8f629643cac7c7eff67a24fd188087987e98057f0130757fad546d0c090767da3d71ebaf8485a24 fix-consolekit-db-stat.patch" diff --git a/main/polkit/CVE-2019-6133.patch b/main/polkit/CVE-2019-6133.patch new file mode 100644 index 00000000000..9cdf220624c --- /dev/null +++ b/main/polkit/CVE-2019-6133.patch 
@@ -0,0 +1,159 @@ +diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c +index d2c4c20..3d86022 100644 +--- a/src/polkit/polkitsubject.c ++++ b/src/polkit/polkitsubject.c +@@ -97,6 +97,8 @@ polkit_subject_hash (PolkitSubject *subject) + * @b: A #PolkitSubject. + * + * Checks if @a and @b are equal, ie. represent the same subject. ++ * However, avoid calling polkit_subject_equal() to compare two processes; ++ * for more information see the `PolkitUnixProcess` documentation. + * + * This function can be used in e.g. g_hash_table_new(). + * +diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c +index 913be3a..ceaf145 100644 +--- a/src/polkit/polkitunixprocess.c ++++ b/src/polkit/polkitunixprocess.c +@@ -44,13 +44,82 @@ + * @title: PolkitUnixProcess + * @short_description: Unix processs + * +- * An object for representing a UNIX process. ++ * An object for representing a UNIX process. NOTE: This object as ++ * designed is now known broken; a mechanism to exploit a delay in ++ * start time in the Linux kernel was identified. Avoid ++ * calling polkit_subject_equal() to compare two processes. + * + * To uniquely identify processes, both the process id and the start + * time of the process (a monotonic increasing value representing the + * time since the kernel was started) is used. + */ + ++/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75 ++ ++ But quoting the original email in full here to ensure it's preserved: ++ ++ 
From: Jann Horn <jannh@google.com> ++ Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork ++ Date: Wednesday, October 10, 2018 5:34 PM ++ ++When a (non-root) user attempts to e.g. control systemd units in the system ++instance from an active session over DBus, the access is gated by a polkit ++policy that requires "auth_admin_keep" auth. This results in an auth prompt ++being shown to the user, asking the user to confirm the action by entering the ++password of an administrator account. ++ ++After the action has been confirmed, the auth decision for "auth_admin_keep" is ++cached for up to five minutes. Subject to some restrictions, similar actions can ++then be performed in this timespan without requiring re-auth: ++ ++ - The PID of the DBus client requesting the new action must match the PID of ++ the DBus client requesting the old action (based on SO_PEERCRED information ++ forwarded by the DBus daemon). ++ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22) ++ must not have changed. The granularity of this timestamp is in the ++ millisecond range. ++ - polkit polls every two seconds whether a process with the expected start time ++ still exists. If not, the temporary auth entry is purged. ++ ++Without the start time check, this would obviously be buggy because an attacker ++could simply wait for the legitimate client to disappear, then create a new ++client with the same PID. ++ ++Unfortunately, the start time check is bypassable because fork() is not atomic. ++Looking at the source code of copy_process() in the kernel: ++ ++ p->start_time = ktime_get_ns(); ++ p->real_start_time = ktime_get_boot_ns(); ++ [...] 
++ retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls); ++ if (retval) ++ goto bad_fork_cleanup_io; ++ ++ if (pid != &init_struct_pid) { ++ pid = alloc_pid(p->nsproxy->pid_ns_for_children); ++ if (IS_ERR(pid)) { ++ retval = PTR_ERR(pid); ++ goto bad_fork_cleanup_thread; ++ } ++ } ++ ++The ktime_get_boot_ns() call is where the "start time" of the process is ++recorded. The alloc_pid() call is where a free PID is allocated. In between ++these, some time passes; and because the copy_thread_tls() call between them can ++access userspace memory when sys_clone() is invoked through the 32-bit syscall ++entry point, an attacker can even stall the kernel arbitrarily long at this ++point (by supplying a pointer into userspace memory that is associated with a ++userfaultfd or is backed by a custom FUSE filesystem). ++ ++This means that an attacker can immediately call sys_clone() when the victim ++process is created, often resulting in a process that has the exact same start ++time reported in procfs; and then the attacker can delay the alloc_pid() call ++until after the victim process has died and the PID assignment has cycled ++around. This results in an attacker process that polkit can't distinguish from ++the victim process. 
++*/ ++ ++ + /** + * PolkitUnixProcess: + * +diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c +index b237e9d..e2200ef 100644 +--- a/src/polkitbackend/polkitbackendinteractiveauthority.c ++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c +@@ -2755,6 +2755,43 @@ temporary_authorization_store_free (TemporaryAuthorizationStore *store) + g_free (store); + } + ++/* See the comment at the top of polkitunixprocess.c */ ++static gboolean ++subject_equal_for_authz (PolkitSubject *a, ++ PolkitSubject *b) ++{ ++ if (!polkit_subject_equal (a, b)) ++ return FALSE; ++ ++ /* Now special case unix processes, as we want to protect against ++ * pid reuse by including the UID. ++ */ ++ if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) { ++ PolkitUnixProcess *ap = (PolkitUnixProcess*)a; ++ int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a); ++ PolkitUnixProcess *bp = (PolkitUnixProcess*)b; ++ int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b); ++ ++ if (uid_a != -1 && uid_b != -1) ++ { ++ if (uid_a == uid_b) ++ { ++ return TRUE; ++ } ++ else ++ { ++ g_printerr ("denying slowfork; pid %d uid %d != %d!\n", ++ polkit_unix_process_get_pid (ap), ++ uid_a, uid_b); ++ return FALSE; ++ } ++ } ++ /* Fall through; one of the uids is unset so we can't reliably compare */ ++ } ++ ++ return TRUE; ++} ++ + static gboolean + temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store, + PolkitSubject *subject, +@@ -2797,7 +2834,7 @@ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *st + TemporaryAuthorization *authorization = l->data; + + if (strcmp (action_id, authorization->action_id) == 0 && +- polkit_subject_equal (subject_to_use, authorization->subject)) ++ subject_equal_for_authz (subject_to_use, authorization->subject)) + { + ret = TRUE; + if (out_tmp_authz_id != NULL) + 
diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD index c224a6571c3..6fced481681 100644 --- a/main/poppler/APKBUILD +++ b/main/poppler/APKBUILD @@ -5,7 +5,7 @@ # So we build qt support in separate package poppler-qt4 pkgname=poppler pkgver=0.56.0 -pkgrel=0 +pkgrel=1 pkgdesc="PDF rendering library based on xpdf 3.0" url="https://poppler.freedesktop.org/" arch="all" @@ -17,10 +17,15 @@ makedepends="$depends_dev libjpeg-turbo-dev cairo-dev libxml2-dev openjpeg-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-utils $pkgname-glib " -source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz" - +source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz + CVE-2019-9959.patch + " builddir="$srcdir/$pkgname-$pkgver" +# secfixes: +# 0.56.0-r1: +# - CVE-2019-9959 + prepare() { local _linked_pkg=poppler-qt4 local _linked_apkbuild="$startdir"/../$_linked_pkg/APKBUILD @@ -32,6 +37,7 @@ prepare() { return 1 fi fi + default_prepare } build() { @@ -80,4 +86,5 @@ _cpp() { "$subpkgdir"/usr/lib/ || return 1 } -sha512sums="74d2ca63afcb7e155c153b4ddc71621b7f4f2c60d4fcafd873176d5ac59fafedc35b200a22c7af2013d7f75e670a1cc23d6ba878167a02209917f8d30002d528 poppler-0.56.0.tar.xz" +sha512sums="74d2ca63afcb7e155c153b4ddc71621b7f4f2c60d4fcafd873176d5ac59fafedc35b200a22c7af2013d7f75e670a1cc23d6ba878167a02209917f8d30002d528 poppler-0.56.0.tar.xz +c647bf98ee1ec86270d942d256d9ae4264537f9bbfe2b2adc1f31c9cf27604682ba780943cbc6059451dc67228cf923fb1626e24da2635c7728fe1da2613a929 CVE-2019-9959.patch" diff --git a/main/poppler/CVE-2019-9959.patch b/main/poppler/CVE-2019-9959.patch new file mode 100644 index 00000000000..d417a698b2b --- /dev/null +++ b/main/poppler/CVE-2019-9959.patch 
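Review bot: Adding `default_prepare` at the end of `prepare()` is what actually applies `CVE-2019-9959.patch`; before this change the function only synced with poppler-qt4 and no patch from `source=` was ever applied, so the fix hinges on a single unremarkable-looking line. A comment above it, `# default_prepare applies the CVE-*.patch files listed in source=`, would keep a future refactor of the qt4 sync block from dropping it. Its placement after the `return 1` branch looks correct, since a failed sync should not reach the patch step.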
@@ -0,0 +1,13 @@ +diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc +index 7daa23d..714d814 100644 +--- a/poppler/JPEG2000Stream.cc ++++ b/poppler/JPEG2000Stream.cc +@@ -368,7 +368,7 @@ void JPXStream::init() + if (getDict()) getDict()->lookup("SMaskInData", &smaskInData); + + int bufSize = BUFFER_INITIAL_SIZE; +- if (oLen.isInt()) bufSize = oLen.getInt(); ++ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt(); + oLen.free(); + + if (cspace.isArray() && cspace.arrayGetLength() > 0) { diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD index 7eda6c2186a..b926f0bb01b 100644 --- a/main/postgresql/APKBUILD +++ b/main/postgresql/APKBUILD @@ -2,7 +2,7 @@ # Contributor: G.J.R. Timmer <gjr.timmer@gmail.com> # Contributor: Jakub Jirutka <jakub@jirutka.cz> pkgname=postgresql -pkgver=10.9 +pkgver=10.10 pkgrel=0 pkgdesc="A sophisticated object-relational DBMS" url="https://www.postgresql.org/" @@ -36,32 +36,34 @@ builddir="$srcdir/$pkgname-$pkgver" options="!checkroot" # secfixes: +# 10.10-r0: +# - CVE-2019-10208 # 10.9-r0: -# - CVE-2019-10164 +# - CVE-2019-10164 # 10.8-r0: -# - CVE-2019-10129 -# - CVE-2019-10130 +# - CVE-2019-10129 +# - CVE-2019-10130 # 10.5-r0: -# - CVE-2018-10915 -# - CVE-2018-10925 +# - CVE-2018-10915 +# - CVE-2018-10925 # 10.4-r0: -# - CVE-2018-1115 +# - CVE-2018-1115 # 10.3-r0: -# - CVE-2018-1058 +# - CVE-2018-1058 # 10.2-r0: -# - CVE-2018-1052 -# - CVE-2018-1053 +# - CVE-2018-1052 +# - CVE-2018-1053 # 10.1-r0: -# - CVE-2017-15098 -# - CVE-2017-15099 +# - CVE-2017-15098 +# - CVE-2017-15099 # 9.6.4-r0: -# - CVE-2017-7546 -# - CVE-2017-7547 -# - CVE-2017-7548 +# - CVE-2017-7546 +# - CVE-2017-7547 +# - CVE-2017-7548 # 9.6.3-r0: -# - CVE-2017-7484 -# - CVE-2017-7485 -# - CVE-2017-7486 +# - CVE-2017-7484 +# - CVE-2017-7485 +# - CVE-2017-7486 prepare() { default_prepare 
@@ -303,7 +305,7 @@ _submv() { done } -sha512sums="4e2f30a0fd262f2e3ce5fc836425be635326600cd6cd4e117c57f59ea7ab2e9ea463a8d357fe7adb8c0dd0094e43d08efc2a137f8f9975715a5908e35920f98e postgresql-10.9.tar.bz2 +sha512sums="60cafe4b27a194949aff482dcce4fa096a9916f37205868437a32afb8964df71934b619a0b891fe85eb7c7f9b11775cffbbedca589e78feb6c4184eb224b48bc postgresql-10.10.tar.bz2 1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch 5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch 8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD index 1524c6d952c..c856c7bc7e5 100644 --- a/main/py-django/APKBUILD +++ b/main/py-django/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=py-django _pkgname=Django -pkgver=1.11.21 +pkgver=1.11.23 pkgrel=0 pkgdesc="A high-level Python Web framework" url="http://djangoproject.com/" @@ -17,6 +17,13 @@ source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname builddir="$srcdir"/$_pkgname-$pkgver # secfixes: +# 1.11.23-r0: +# - CVE-2019-14232 +# - CVE-2019-14233 +# - CVE-2019-14234 +# - CVE-2019-14235 +# 1.11.22-r0: +# - CVE-2019-12781 # 1.8.16-r0: # - CVE-2016-9013 # - CVE-2016-9014 @@ -78,4 +85,4 @@ _py() { done } -sha512sums="c91a1189b6b8fbbb1470f870b09c1c553e860d3b8c0977240399524a830d5403929f14b4e4b689354080748aab1c70587ad56e265f4ac0b3bdc2714d01adbbc4 Django-1.11.21.tar.gz" +sha512sums="c4c5d82e4ecf1a100637ac32eafd3fb0d7690ba5c0cb884846f31c434c0cb1282d94149e031c577d676570f3b331c2a320d58f34f40ac02deae089c4b61c65ea Django-1.11.23.tar.gz" diff --git a/main/python2/APKBUILD b/main/python2/APKBUILD index 79bbe4fe34e..e66422fb7c1 100644 
--- a/main/python2/APKBUILD +++ b/main/python2/APKBUILD @@ -4,7 +4,7 @@ pkgname=python2 # the python2-tkinter's pkgver needs to be synchronized with this. pkgver=2.7.15 _verbase=${pkgver%.*} -pkgrel=2 +pkgrel=3 pkgdesc="A high-level scripting language" url="http://www.python.org" arch="all" @@ -17,10 +17,19 @@ makedepends="expat-dev libressl-dev zlib-dev ncurses-dev bzip2-dev gdbm-dev sqlite-dev libffi-dev readline-dev linux-headers paxmark" source="http://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz musl-find_library.patch - unchecked-ioctl.patch" + unchecked-ioctl.patch + CVE-2018-14647.patch + CVE-2019-9636.patch + CVE-2019-9948.patch + CVE-2019-16935.patch + " builddir="$srcdir/Python-$pkgver" # secfixes: +# 2.7.15-r2: +# - CVE-2019-9636 +# - CVE-2019-9948 +# - CVE-2018-14647 # 2.7.15-r0: # - CVE-2018-1060 # - CVE-2018-1061 
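Review bot: `CVE-2019-16935.patch` is added to `source=` (with its checksum in the following hunk), but the new secfixes entry lists only CVE-2019-9636, CVE-2019-9948 and CVE-2018-14647, and it is keyed `2.7.15-r2` although this hunk bumps pkgrel to 3. If -r2 was an intermediate release carrying the first three, the revision this diff produces still needs its own entry, `# 2.7.15-r3:` / `# - CVE-2019-16935`; otherwise all four belong under -r3. The secfixes block feeds the distribution's security database, so a patch that is applied but not listed stays invisible to vulnerability scanners matching on package version.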
@@ -126,4 +135,8 @@ gdbm() { sha512sums="27ea43eb45fc68f3d2469d5f07636e10801dee11635a430ec8ec922ed790bb426b072da94df885e4dfa1ea8b7a24f2f56dd92f9b0f51e162330f161216bd6de6 Python-2.7.15.tar.xz ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch -5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch" +5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch +6ea4cde4483250bd3ecbf46214935c80ecd79958d09d7fab4f5ba0b80d73ff0a1433f7b6fbd9a5c42d4f2a3dda877cde6a3264a5c832c1e8f4ee3eb2405a624e CVE-2018-14647.patch +54086e7b4d3597969b945b1460fe578ff3a13289703d58d79b8f00f644eccc4acc11fc6128b7b114f022a6f6cedc91e02eead6373bac0d36e22eb580a1becb53 CVE-2019-9636.patch +2f9523bd3e39c4831110821d93aef1562ca80708f1b553428eb5c228cdf2192feb13d7aef41097a5df4b4243da8b8f7247f691c0ab73967b0bf2bf6a1a0d487f CVE-2019-9948.patch +758a897f01665149a23cbc3898fe060c043647d6fe6d22d8ca9038554b4ef1c7b2ac638d37eaed265167cd50f9329be2518f07464dccb7a7ab34ec9be4710095 CVE-2019-16935.patch" diff --git a/main/python2/CVE-2018-14647.patch b/main/python2/CVE-2018-14647.patch new file mode 100644 index 00000000000..ff27dba7456 --- /dev/null +++ b/main/python2/CVE-2018-14647.patch 
@@ -0,0 +1,82 @@ +From 18b20bad75b4ff0486940fba4ec680e96e70f3a2 Mon Sep 17 00:00:00 2001 +From: Christian Heimes <christian@python.org> +Date: Tue, 18 Sep 2018 15:13:09 +0200 +Subject: [PATCH] [2.7] bpo-34623: Use XML_SetHashSalt in _elementtree + (GH-9146) (GH-9394) + +The C accelerated _elementtree module now initializes hash randomization +salt from _Py_HashSecret instead of libexpat's default CPRNG. + +Signed-off-by: Christian Heimes <christian@python.org> + +https://bugs.python.org/issue34623. +(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b) + +Co-authored-by: Christian Heimes <christian@python.org> + + + +https://bugs.python.org/issue34623 +--- + Include/pyexpat.h | 4 +++- + .../next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++ + Modules/_elementtree.c | 5 +++++ + Modules/pyexpat.c | 5 +++++ + 4 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst + +diff --git a/Include/pyexpat.h b/Include/pyexpat.h +index 5340ef5fa386..3fc5fa54da63 100644 +--- a/Include/pyexpat.h ++++ b/Include/pyexpat.h +@@ -3,7 +3,7 @@ + + /* note: you must import expat.h before importing this module! */ + +-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0" ++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1" + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI" + + struct PyExpat_CAPI +@@ -43,6 +43,8 @@ struct PyExpat_CAPI + XML_Parser parser, XML_UnknownEncodingHandler handler, + void *encodingHandlerData); + void (*SetUserData)(XML_Parser parser, void *userData); ++ /* might be none for expat < 2.1.0 */ ++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt); + /* always add new stuff to the end! 
*/ + }; + +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c +index f7f992dd3a95..b38e0ab329c7 100644 +--- a/Modules/_elementtree.c ++++ b/Modules/_elementtree.c +@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw) + PyErr_NoMemory(); + return NULL; + } ++ /* expat < 2.1.0 has no XML_SetHashSalt() */ ++ if (EXPAT(SetHashSalt) != NULL) { ++ EXPAT(SetHashSalt)(self->parser, ++ (unsigned long)_Py_HashSecret.prefix); ++ } + + ALLOC(sizeof(XMLParserObject), "create expatparser"); + +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c +index 2b4d31293c64..1f8c0d70a559 100644 +--- a/Modules/pyexpat.c ++++ b/Modules/pyexpat.c +@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void) + capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler; + capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler; + capi.SetUserData = XML_SetUserData; ++#if XML_COMBINED_VERSION >= 20100 ++ capi.SetHashSalt = XML_SetHashSalt; ++#else ++ capi.SetHashSalt = NULL; ++#endif + + /* export using capsule */ + capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL); + diff --git a/main/python2/CVE-2019-16935.patch b/main/python2/CVE-2019-16935.patch new file mode 100644 index 00000000000..632a3e77b37 --- /dev/null +++ b/main/python2/CVE-2019-16935.patch 
@@ -0,0 +1,92 @@ +From 8eb64155ff26823542ccf0225b3d57b6ae36ea89 Mon Sep 17 00:00:00 2001 +From: Dong-hee Na <donghee.na92@gmail.com> +Date: Tue, 1 Oct 2019 19:58:01 +0900 +Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer + (GH-16447) + +Escape the server title of DocXMLRPCServer.DocXMLRPCServer +when rendering the document page as HTML. +--- + Lib/DocXMLRPCServer.py | 13 +++++++++++- + Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++ + .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ + 3 files changed, 35 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst + +diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py +index 4064ec2e48d4d..90b037dd35d6b 100644 +--- a/Lib/DocXMLRPCServer.py ++++ b/Lib/DocXMLRPCServer.py +@@ -20,6 +20,16 @@ + CGIXMLRPCRequestHandler, + resolve_dotted_attribute) + ++ ++def _html_escape_quote(s): ++ s = s.replace("&", "&") # Must be done first! ++ s = s.replace("<", "<") ++ s = s.replace(">", ">") ++ s = s.replace('"', """) ++ s = s.replace('\'', "'") ++ return s ++ ++ + class ServerHTMLDoc(pydoc.HTMLDoc): + """Class used to generate pydoc HTML document for a server""" + +@@ -210,7 +220,8 @@ def generate_html_documentation(self): + methods + ) + +- return documenter.page(self.server_title, documentation) ++ title = _html_escape_quote(self.server_title) ++ return documenter.page(title, documentation) + + class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): + """XML-RPC and documentation request handler class. 
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +index 4dff4159e2466..c45b892b8b3e7 100644 +--- a/Lib/test/test_docxmlrpc.py ++++ b/Lib/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from DocXMLRPCServer import DocXMLRPCServer + import httplib ++import re + import sys + from test import test_support + threading = test_support.import_module('threading') +@@ -176,6 +177,25 @@ def test_autolink_dotted_methods(self): + self.assertIn("""Try self.<strong>add</strong>, too.""", + response.read()) + ++ def test_server_title_escape(self): ++ """Test that the server title and documentation ++ are escaped for HTML. ++ """ ++ self.serv.set_server_title('test_title<script>') ++ self.serv.set_server_documentation('test_documentation<script>') ++ self.assertEqual('test_title<script>', self.serv.server_title) ++ self.assertEqual('test_documentation<script>', ++ self.serv.server_documentation) ++ ++ generated = self.serv.generate_html_documentation() ++ title = re.search(r'<title>(.+?)</title>', generated).group() ++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() ++ self.assertEqual('<title>Python: test_title<script></title>', ++ title) ++ self.assertEqual('<p><tt>test_documentation<script></tt></p>', ++ documentation) ++ ++ + def test_main(): + test_support.run_unittest(DocXMLRPCHTTPGETServer) + +diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +new file mode 100644 +index 0000000000000..8f02baed9ebe5 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +@@ -0,0 +1,3 @@ ++Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer` ++when rendering the document page as HTML. ++(Contributed by Dong-hee Na in :issue:`38243`.) diff --git a/main/python3/CVE-2019-9636.patch b/main/python2/CVE-2019-9636.patch index 45a2c8e976e..17a98a4196c 100644 --- a/main/python3/CVE-2019-9636.patch 
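Review bot: As displayed, every replacement in the new `_html_escape_quote` maps a character to itself (`s.replace("&", "&")`, `s.replace("<", "<")`, …) and the new test expects the raw `test_title<script>` inside `<title>…</title>`, which together would make the escape a no-op that the test still passes; this is almost certainly the entity references (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#x27;`) being decoded when the page was rendered, but the on-disk patch should be checked for them before release, since a test written against the decoded strings cannot tell an escaping title from an unescaped one. A second point: the helper escapes only `server_title`, yet the test also expects `server_documentation` to come out escaped, so that escaping must happen elsewhere (presumably in pydoc) — a one-line comment next to the `documenter.page(title, documentation)` call saying where would save the next backporter from hunting for it.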
+++ b/main/python2/CVE-2019-9636.patch @@ -1,58 +1,60 @@ -From 23fc0416454c4ad5b9b23d520fbe6d89be3efc24 Mon Sep 17 00:00:00 2001 +From e37ef41289b77e0f0bb9a6aedb0360664c55bdd5 Mon Sep 17 00:00:00 2001 
From: Steve Dower <steve.dower@microsoft.com> -Date: Mon, 11 Mar 2019 21:34:03 -0700 -Subject: [PATCH] [3.6] bpo-36216: Add check for characters in netloc that - normalize to separators (GH-12201) (GH-12215) +Date: Thu, 7 Mar 2019 09:08:45 -0800 +Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize + to separators (GH-12201) --- - Doc/library/urllib.parse.rst | 18 +++++++++++++++ - Lib/test/test_urlparse.py | 23 +++++++++++++++++++ - Lib/urllib/parse.py | 17 ++++++++++++++ + Doc/library/urlparse.rst | 20 ++++++++++++++++ + Lib/test/test_urlparse.py | 24 +++++++++++++++++++ + Lib/urlparse.py | 17 +++++++++++++ .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++ - 4 files changed, 61 insertions(+) + 4 files changed, 64 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst -diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst -index d991254d5ca1..647af613a315 100644 ---- a/Doc/library/urllib.parse.rst -+++ b/Doc/library/urllib.parse.rst -@@ -121,6 +121,11 @@ or on combining URL components into a URL string. - Unmatched square brackets in the :attr:`netloc` attribute will raise a - :exc:`ValueError`. +diff --git a/Doc/library/urlparse.rst b/Doc/library/urlparse.rst +index 22249da54fbb..0989c88c3022 100644 +--- a/Doc/library/urlparse.rst ++++ b/Doc/library/urlparse.rst +@@ -119,12 +119,22 @@ The :mod:`urlparse` module defines the following functions: + See section :ref:`urlparse-result-object` for more information on the result + object. + Characters in the :attr:`netloc` attribute that decompose under NFKC + normalization (as used by the IDNA encoding) into any of ``/``, ``?``, + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is -+ decomposed before parsing, no error will be raised. ++ decomposed before parsing, or is not a Unicode string, no error will be ++ raised. + - .. versionchanged:: 3.2 - Added IPv6 URL parsing capabilities. + .. 
versionchanged:: 2.5 + Added attributes to return value. -@@ -133,6 +138,10 @@ or on combining URL components into a URL string. - Out-of-range port numbers now raise :exc:`ValueError`, instead of - returning :const:`None`. + .. versionchanged:: 2.7 + Added IPv6 URL parsing capabilities. -+ .. versionchanged:: 3.6.9 ++ .. versionchanged:: 2.7.17 + Characters that affect netloc parsing under NFKC normalization will + now raise :exc:`ValueError`. + - .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None) + .. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) -@@ -256,10 +265,19 @@ or on combining URL components into a URL string. - Unmatched square brackets in the :attr:`netloc` attribute will raise a - :exc:`ValueError`. +@@ -232,11 +242,21 @@ The :mod:`urlparse` module defines the following functions: + See section :ref:`urlparse-result-object` for more information on the result + object. + Characters in the :attr:`netloc` attribute that decompose under NFKC + normalization (as used by the IDNA encoding) into any of ``/``, ``?``, + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is -+ decomposed before parsing, no error will be raised. ++ decomposed before parsing, or is not a Unicode string, no error will be ++ raised. + - .. versionchanged:: 3.6 - Out-of-range port numbers now raise :exc:`ValueError`, instead of - returning :const:`None`. + .. versionadded:: 2.2 -+ .. versionchanged:: 3.6.9 + .. versionchanged:: 2.5 + Added attributes to return value. + ++ .. versionchanged:: 2.7.17 + Characters that affect netloc parsing under NFKC normalization will + now raise :exc:`ValueError`. + @@ -60,53 +62,55 @@ index d991254d5ca1..647af613a315 100644 .. function:: urlunsplit(parts) diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py -index be50b47603aa..e6638aee2244 100644 +index 4e1ded73c266..73b0228ea8e3 100644 
--- a/Lib/test/test_urlparse.py 
+++ b/Lib/test/test_urlparse.py -@@ -1,3 +1,5 @@ +@@ -1,4 +1,6 @@ + from test import test_support +import sys +import unicodedata import unittest - import urllib.parse + import urlparse -@@ -984,6 +986,27 @@ def test_all(self): - expected.append(name) - self.assertCountEqual(urllib.parse.__all__, expected) +@@ -624,6 +626,28 @@ def test_portseparator(self): + self.assertEqual(urlparse.urlparse("http://www.python.org:80"), + ('http','www.python.org:80','','','','')) + def test_urlsplit_normalization(self): + # Certain characters should never occur in the netloc, + # including under normalization. + # Ensure that ALL of them are detected and cause an error -+ illegal_chars = '/:#?@' ++ illegal_chars = u'/:#?@' + hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars} + denorm_chars = [ -+ c for c in map(chr, range(128, sys.maxunicode)) ++ c for c in map(unichr, range(128, sys.maxunicode)) + if (hex_chars & set(unicodedata.decomposition(c).split())) + and c not in illegal_chars + ] + # Sanity check that we found at least one such character -+ self.assertIn('\u2100', denorm_chars) -+ self.assertIn('\uFF03', denorm_chars) ++ self.assertIn(u'\u2100', denorm_chars) ++ self.assertIn(u'\uFF03', denorm_chars) + -+ for scheme in ["http", "https", "ftp"]: ++ for scheme in [u"http", u"https", u"ftp"]: + for c in denorm_chars: -+ url = "{}://netloc{}false.netloc/path".format(scheme, c) -+ with self.subTest(url=url, char='{:04X}'.format(ord(c))): -+ with self.assertRaises(ValueError): -+ urllib.parse.urlsplit(url) ++ url = u"{}://netloc{}false.netloc/path".format(scheme, c) ++ print "Checking %r" % url ++ with self.assertRaises(ValueError): ++ urlparse.urlsplit(url) ++ + def test_main(): + test_support.run_unittest(UrlParseTestCase) - class Utility_Tests(unittest.TestCase): - """Testcase to test the various utility functions in the urllib.""" -diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py -index 85e68c8b42c7..7b06f4d71d67 100644 ---- a/Lib/urllib/parse.py -+++ 
b/Lib/urllib/parse.py -@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0): +diff --git a/Lib/urlparse.py b/Lib/urlparse.py +index f7c2b032b097..54eda08651ab 100644 +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0): delim = min(delim, wdelim) # use earliest delim position return url[start:delim], url[delim:] # return (domain, rest) +def _checknetloc(netloc): -+ if not netloc or not any(ord(c) > 127 for c in netloc): ++ if not netloc or not isinstance(netloc, unicode): + return + # looking for characters like \u2100 that expand to 'a/c' + # IDNA uses NFKC equivalence, so normalize for this check @@ -123,28 +127,29 @@ index 85e68c8b42c7..7b06f4d71d67 100644 def urlsplit(url, scheme='', allow_fragments=True): """Parse a URL into 5 components: <scheme>://<netloc>/<path>?<query>#<fragment> -@@ -420,6 +435,7 @@ def urlsplit(url, scheme='', allow_fragments=True): +@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragments=True): url, fragment = url.split('#', 1) if '?' in url: url, query = url.split('?', 1) + _checknetloc(netloc) v = SplitResult(scheme, netloc, url, query, fragment) _parse_cache[key] = v - return _coerce_result(v) -@@ -443,6 +459,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + return v +@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragments=True): url, fragment = url.split('#', 1) if '?' in url: url, query = url.split('?', 1) + _checknetloc(netloc) v = SplitResult(scheme, netloc, url, query, fragment) _parse_cache[key] = v - return _coerce_result(v) + return v diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst new file mode 100644 -index 000000000000..5546394157f9 +index 000000000000..1e1ad92c6feb --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst 
@@ -0,0 +1,3 @@ +Changes urlsplit() to raise ValueError when the URL contains characters that +decompose under IDNA encoding (NFKC-normalization) into characters that +affect how the URL is parsed. +\ No newline at end of file diff --git a/main/python2/CVE-2019-9948.patch b/main/python2/CVE-2019-9948.patch new file mode 100644 index 00000000000..e5d38bd0aca --- /dev/null +++ b/main/python2/CVE-2019-9948.patch 
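Review bot: The ported test on the new side of this hunk keeps a `print "Checking %r" % url` inside the loop over every NFKC-decomposing code point for three schemes, which dumps thousands of lines into the test output on every run; it reads as leftover debugging and should be dropped, or at least gated on `test_support.verbose`. Separately, the Python 2 `_checknetloc` opens with `if not netloc or not isinstance(netloc, unicode): return`, so a byte-string URL carrying a UTF-8 encoded U+2100 is never checked — consistent with the doc wording added earlier in this patch, but it means callers that pass `str` URLs to `urlsplit` get no protection from this fix, and that caveat belongs in the patch header or the APKBUILD secfixes comment so it is not mistaken for a complete mitigation.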
@@ -0,0 +1,50 @@
+From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
+From: push0ebp <push0ebp@shl-MacBook-Pro.local>
+Date: Thu, 14 Feb 2019 02:05:46 +0900
+Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
+ URL scheme in urllib
+
+---
+ Lib/test/test_urllib.py | 12 ++++++++++++
+ Lib/urllib.py | 5 ++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c0693..e5f210e62a18 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1023,6 +1023,18 @@ def open_spam(self, url):
+ "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
+ "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+
++ def test_local_file_open(self):
++ class DummyURLopener(urllib.URLopener):
++ def open_local_file(self, url):
++ return url
++ self.assertEqual(DummyURLopener().open(
++ 'local-file://example'), '//example')
++ self.assertEqual(DummyURLopener().open(
++ 'local_file://example'), '//example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local-file://example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local_file://example')
+
+ # Just commented them out.
+ # Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index d85504a5cb7e..a24e9a5c68fb 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
+ name = 'open_' + urltype
+ self.type = urltype
+ name = name.replace('-', '_')
+- if not hasattr(self, name):
++
++ # bpo-35907: # disallow the file reading with the type not allowed
++ if not hasattr(self, name) or \
++ (self == _urlopener and name == 'open_local_file'):
+ if proxy:
+ return self.open_unknown_proxy(proxy, fullurl, data)
+ else:
diff --git a/main/python3/APKBUILD b/main/python3/APKBUILD
index a4926f1bd2a..c5d300ce1e9 100644
--- a/main/python3/APKBUILD
+++ b/main/python3/APKBUILD
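Review bot: The guard added to `open()`, `self == _urlopener and name == 'open_local_file'`, blocks the `local_file://` / `local-file://` schemes only for the module-level opener instance (presumably the one `urllib.urlopen()` creates; its definition is outside this hunk), so any code that instantiates `URLopener`/`FancyURLopener` directly still dispatches those schemes to `open_local_file` — exactly what the new `DummyURLopener` assertions demonstrate. If that residual exposure is accepted, say so on the condition so nobody assumes the scheme is blocked everywhere, e.g. `# only the shared urlopen() instance is restricted; explicit URLopener objects keep the old behaviour`, and prefer `self is _urlopener` for an identity check. The enclosing `open()` method starts and ends outside the hunk.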
@@ -3,9 +3,9 @@ pkgname=python3 # the python2-tkinter's pkgver needs to be synchronized with this. -pkgver=3.6.8 +pkgver=3.6.9 _basever="${pkgver%.*}" -pkgrel=0 +pkgrel=1 pkgdesc="A high-level scripting language" url="http://www.python.org" arch="all" @@ -18,11 +18,16 @@ makedepends="expat-dev libressl-dev zlib-dev ncurses-dev bzip2-dev xz-dev source="http://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz musl-find_library.patch fix-xattrs-glibc.patch - CVE-2019-9636.patch + CVE-2019-16056.patch + CVE-2019-16935.patch " builddir="$srcdir/Python-$pkgver" # secfixes: +# 3.6.9-r1: +# - CVE-2019-16935 +# 3.6.8-r1: +# - CVE-2019-16056 # 3.6.8-r0: # - CVE-2018-14647 # - CVE-2018-20406 @@ -151,7 +156,8 @@ wininst() { "$subpkgdir"/usr/lib/python$_basever/distutils/command } -sha512sums="b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a Python-3.6.8.tar.xz +sha512sums="05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65eed7a857af945f69efcfb25efa3788e7a54016b03d80b611eb51c3ea074819 Python-3.6.9.tar.xz ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch 37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch -bf2ec0bdba63b714f99aa9783a31ab935b234cabe4dc482769462a55bd572c74e03f192fbc5e8a7e2b9a887a5eef7dc0c3819fb464b656f73b500d1b65b591ad CVE-2019-9636.patch" +e8708c4fef1b591dd7251b36a785f9bc6472f2a25fba11bc4116814e93e770230ebd0016285c28d9065c49c5bf2be10f72182e23fb2767e1875ef20c94b5c97c CVE-2019-16056.patch +7f94d887c81f79d90afd4a9621547c13cbdd0232250f62a686b26a63160a4d286a6db9b342d06b9b63af64f994835b489c37bab499a2093c3c2585dc7a04d8a1 CVE-2019-16935.patch" 
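Review bot: The new secfixes entry `# 3.6.8-r1:` for CVE-2019-16056 names a release that does not appear to exist on this branch — the old side of the hunk is 3.6.8 with `pkgrel=0`, and CVE-2019-16056.patch is introduced by this commit at 3.6.9-r1 — so the tracker will record the fix against a build nobody shipped; fold it into the `# 3.6.9-r1:` entry next to CVE-2019-16935. The same hunk drops CVE-2019-9636.patch from `source=`, presumably because 3.6.9 carries that fix upstream, yet no `3.6.9-r0` entry records it; if that is why the patch went away, a `# 3.6.9-r0:` entry listing the CVEs closed by the 3.6.9 release (confirm against its release notes) keeps the tracker accurate.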
diff --git a/main/python3/CVE-2019-16056.patch b/main/python3/CVE-2019-16056.patch new file mode 100644 index 00000000000..b6b4d90385a --- /dev/null +++ b/main/python3/CVE-2019-16056.patch 
@@ -0,0 +1,89 @@ +diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py +index 1fb8cb4..9815e4e 100644 +--- a/Lib/email/_header_value_parser.py ++++ b/Lib/email/_header_value_parser.py +@@ -1561,6 +1561,8 @@ def get_domain(value): + token, value = get_dot_atom(value) + except errors.HeaderParseError: + token, value = get_atom(value) ++ if value and value[0] == '@': ++ raise errors.HeaderParseError('Invalid Domain') + if leader is not None: + token[:0] = [leader] + domain.append(token) +diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py +index cdfa372..41ff6f8 100644 +--- a/Lib/email/_parseaddr.py ++++ b/Lib/email/_parseaddr.py +@@ -379,7 +379,12 @@ class AddrlistClass: + aslist.append('@') + self.pos += 1 + self.gotonext() +- return EMPTYSTRING.join(aslist) + self.getdomain() ++ domain = self.getdomain() ++ if not domain: ++ # Invalid domain, return an empty address instead of returning a ++ # local part to denote failed parsing. ++ return EMPTYSTRING ++ return EMPTYSTRING.join(aslist) + domain + + def getdomain(self): + """Get the complete domain name from an address.""" +@@ -394,6 +399,10 @@ class AddrlistClass: + elif self.field[self.pos] == '.': + self.pos += 1 + sdlist.append('.') ++ elif self.field[self.pos] == '@': ++ # bpo-34155: Don't parse domains with two `@` like ++ # `a@malicious.org@important.com`. 
++ return EMPTYSTRING + elif self.field[self.pos] in self.atomends: + break + else: +diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py +index 676732b..577dc43 100644 +--- a/Lib/test/test_email/test__header_value_parser.py ++++ b/Lib/test/test_email/test__header_value_parser.py +@@ -1418,6 +1418,16 @@ class TestParser(TestParserMixin, TestEmailBase): + self.assertEqual(addr_spec.domain, 'example.com') + self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com') + ++ def test_get_addr_spec_multiple_domains(self): ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@a.star@example.com') ++ ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@a@example.com') ++ ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@172.17.0.1@example.com') ++ + # get_obs_route + + def test_get_obs_route_simple(self): +diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py +index f97ccc6..68d0522 100644 +--- a/Lib/test/test_email/test_email.py ++++ b/Lib/test/test_email/test_email.py +@@ -3035,6 +3035,20 @@ class TestMiscellaneous(TestEmailBase): + self.assertEqual(utils.parseaddr('<>'), ('', '')) + self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '') + ++ def test_parseaddr_multiple_domains(self): ++ self.assertEqual( ++ utils.parseaddr('a@b@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ utils.parseaddr('a@b.c@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ utils.parseaddr('a@172.17.0.1@c'), ++ ('', '') ++ ) ++ + def test_noquote_dump(self): + self.assertEqual( + utils.formataddr(('A Silly Person', 'person@dom.ain')), + diff --git a/main/python3/CVE-2019-16935.patch b/main/python3/CVE-2019-16935.patch new file mode 100644 index 00000000000..567eb90fca3 --- /dev/null +++ b/main/python3/CVE-2019-16935.patch 
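Review bot: Unlike the other CVE patches added by this commit, this file carries no provenance — no `From:`/`Subject:`/commit-hash header precedes its first `diff --git` — so an auditor cannot tie the backport to an upstream commit without reading the code; add the cherry-pick header, or at least a leading comment naming the upstream change (the `# bpo-34155` comment added in `getdomain` is the only hint). Behaviourally, `getaddrspec` now returns `EMPTYSTRING` on a second `@` rather than raising, so `parseaddr('a@b@c')` yields `('', '')` and a caller that only watches for exceptions will not notice the rejection; a comment on the new early return such as `# a second '@' means the address was rejected, not that it was empty` would make that contract explicit.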
@@ -0,0 +1,80 @@ +From 1698cacfb924d1df452e78d11a4bf81ae7777389 Mon Sep 17 00:00:00 2001 +From: Victor Stinner <vstinner@redhat.com> +Date: Sat, 28 Sep 2019 09:33:00 +0200 +Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) + (GH-16441) + +Escape the server title of xmlrpc.server.DocXMLRPCServer +when rendering the document page as HTML. + +(cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa) +--- + Lib/test/test_docxmlrpc.py | 16 ++++++++++++++++ + Lib/xmlrpc/server.py | 3 ++- + .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst + +diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +index 00903337c07c2..d2adb21af0fb3 100644 +--- a/Lib/test/test_docxmlrpc.py ++++ b/Lib/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from xmlrpc.server import DocXMLRPCServer + import http.client ++import re + import sys + from test import support + threading = support.import_module('threading') +@@ -193,6 +194,21 @@ def test_annotations(self): + b'method_annotation</strong></a>(x: bytes)</dt></dl>'), + response.read()) + ++ def test_server_title_escape(self): ++ # bpo-38243: Ensure that the server title and documentation ++ # are escaped for HTML. 
++ self.serv.set_server_title('test_title<script>') ++ self.serv.set_server_documentation('test_documentation<script>') ++ self.assertEqual('test_title<script>', self.serv.server_title) ++ self.assertEqual('test_documentation<script>', ++ self.serv.server_documentation) ++ ++ generated = self.serv.generate_html_documentation() ++ title = re.search(r'<title>(.+?)</title>', generated).group() ++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() ++ self.assertEqual('<title>Python: test_title<script></title>', title) ++ self.assertEqual('<p><tt>test_documentation<script></tt></p>', documentation) ++ + + if __name__ == '__main__': + unittest.main() +diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py +index 3e0dca027f068..efe593748968c 100644 +--- a/Lib/xmlrpc/server.py ++++ b/Lib/xmlrpc/server.py +@@ -106,6 +106,7 @@ def export_add(self, x, y): + + from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode + from http.server import BaseHTTPRequestHandler ++import html + import http.server + import socketserver + import sys +@@ -904,7 +905,7 @@ def generate_html_documentation(self): + methods + ) + +- return documenter.page(self.server_title, documentation) ++ return documenter.page(html.escape(self.server_title), documentation) + + class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): + """XML-RPC and documentation request handler class. +diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +new file mode 100644 +index 0000000000000..98d7be129573a +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +@@ -0,0 +1,3 @@ ++Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer` ++when rendering the document page as HTML. ++(Contributed by Dong-hee Na in :issue:`38243`.) diff --git a/main/redis/APKBUILD b/main/redis/APKBUILD index ea415ec2ee2..e5a74fa1a73 100644 --- a/main/redis/APKBUILD 
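Review bot: The new test asserts `'<title>Python: test_title<script></title>'` while the code under test now returns `html.escape(self.server_title)`, which yields `&lt;script&gt;`; as displayed the expectation can only be satisfied if the entity references are present in the expected strings, so they were most likely decoded when this page was rendered — confirm the on-disk patch still contains `&lt;`/`&gt;` in both expected strings, otherwise the test fails. The `server.py` hunk itself needs no change.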
+++ b/main/redis/APKBUILD @@ -1,7 +1,7 @@ # Contributor: V.Krishn <vkrishn4@gmail.com> # Maintainer: TBK <alpine@jjtc.eu> pkgname=redis -pkgver=4.0.11 +pkgver=4.0.14 pkgrel=0 pkgdesc="Advanced key-value store" url="https://redis.io/" @@ -21,6 +21,9 @@ source="http://download.redis.io/releases/$pkgname-$pkgver.tar.gz builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 4.0.14-r0: +# - CVE-2019-10192 +# - CVE-2019-10193 # 4.0.10-r0: # - CVE-2018-11218 # - CVE-2018-11219 @@ -80,7 +83,7 @@ package() { install } -sha512sums="f0054af9ca2143731a397b2b21285387707b7f40d9326ba15225feb1a2ff470fab5194308342f63bbe1081f84c7e9ef19543c5a8e3eae49e17bfc515c64201f0 redis-4.0.11.tar.gz +sha512sums="7730a4083962046f8fee674a8ce95e1d3e8c8dcc2d64a65491dc3b851413b2d745942be7a94ee77074aa530da5f3d458c4e7388d7950a8495d8ee9f4862b7e06 redis-4.0.14.tar.gz 91b663f802aea9a473195940d3bf2ce3ca2af4e5b6e61a2d28ebbfe502ef2c764b574b7e87c49e60345d1a5d6b73d12920924c93b26be110c2ce824023347b6f redis.initd 6d17d169b40a7e23a0a2894eff0f3e2fe8e4461b36f2a9d45468f0abd84ea1035d679b4c0a34029bce093147f9c7bb697e843c113c17769d38c934d4a78a5848 redis.logrotate d87aad6185300c99cc9b6a478c83bf62c450fb2c225592d74cc43a3adb93e19d8d2a42cc279907b385aa73a7b9c77b66828dbfb001009edc16a604abb2087e99 redis.confd" diff --git a/main/rsyslog/APKBUILD b/main/rsyslog/APKBUILD index ee76846336b..b930f05b2a5 100644 --- a/main/rsyslog/APKBUILD +++ b/main/rsyslog/APKBUILD @@ -5,7 +5,7 @@ # Maintainer: Cameron Banta <cbanta@gmail.com> pkgname=rsyslog pkgver=8.31.0 -pkgrel=0 +pkgrel=1 pkgdesc="Enhanced multi-threaded syslogd with database support and more." url="http://www.rsyslog.com/" arch="all" 
@@ -23,9 +23,16 @@ source="http://www.rsyslog.com/files/download/$pkgname/$pkgname-$pkgver.tar.gz $pkgname.conf musl-fix.patch queue.patch + CVE-2019-17041.patch::https://github.com/rsyslog/rsyslog/commit/10549ba915556c557b22b3dac7e4cb73ad22d3d8.patch + CVE-2019-17042.patch::https://github.com/rsyslog/rsyslog/commit/abc0960a7561e18944a0e08d48f4eb570ea7435a.patch " builddir="$srcdir/$pkgname-$pkgver" +# secfixes: +# 8.31.0-r1: +# - CVE-2019-17041 +# - CVE-2019-17042 + build() { cd "$builddir" 
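Review bot: The two CVE patches are fetched at build time from `https://github.com/rsyslog/rsyslog/commit/<sha>.patch` and pinned by sha512 in the next hunk; GitHub generates these `.patch` files on request and, in my experience, their byte layout has changed over time (header and diffstat formatting), so the pinned checksum can start failing with no change in aports and the build stops being reproducible. Vendoring the two files into `main/rsyslog/` — as the python and sdl patches in this same commit do — removes that dependency; if the remote form is kept, a comment beside each `source=` entry naming the upstream commit subject would at least let the next maintainer re-fetch and re-verify them.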
@@ -103,11 +110,12 @@ snmp() { mv "$pkgdir"/usr/lib/rsyslog/omsnmp.so \ "$subpkgdir"/usr/lib/rsyslog/ } - sha512sums="aab888dda8df3ad7ff404767a58539cdc0bb92d0e537b703cf5833555688dd6d8223889b8d70bf8c594339a51831b57df7a65b397d8b40cded608dfb007befe7 rsyslog-8.31.0.tar.gz 9a4b184076a82e0899da79ab3749e1c67eac03f36c4460d34ed0385f4a3ffad53681a1cc25dd514e835c9399a9abd01c235743535ad549d5be7f66d9e127b9dc rsyslog.initd a4d969671800227129be870b0318961b79d16365663754111a136734bbf7005abd4da24853dfdc07b3b6691ab5a7b215f0ac6c19022b4c5c8dab06165a42431b rsyslog.confd d54377ddf39197656811a84272568ea761f984e19dd04fc54f372dd04a9244e66d02b26ab33073d0344d054f031660ec611f3c7a18c266e7b68cef5e2c47f06f rsyslog.logrotate 3bcd58b222eb7f4d8a42a0643cacb6ab44790f90c9bd550678e002bc19863d5d6a7341e5e5ba0b9292f85c6c04cd5cc42d174acdc63e8ba22022620db10f2b9b rsyslog.conf bd469f3126d9db65cbe6b48a0e6da3ae1a6ef0194b7132799b4fdfcfc50de750691f44de21905fe40c047b7281d3db64b74a473383dd07077c81170daaf3ec6b musl-fix.patch -7be105f9a30d23b48ee46e19d31ba37ec30477935a9f7ba3929666a9abe175313dbb7caf55fbb1c6579dd5d25fe037eea84cae9065fe3f765f23569344bce5d7 queue.patch" +7be105f9a30d23b48ee46e19d31ba37ec30477935a9f7ba3929666a9abe175313dbb7caf55fbb1c6579dd5d25fe037eea84cae9065fe3f765f23569344bce5d7 queue.patch +e9f75ce261dcefb4bd8f1f70707e1ee4221743f562882eb0e77bee0df468b4dd6aea0513a025909a8abb82d026ab010d8fc74a868c6cd8d5e244d5335d3fcf59 CVE-2019-17041.patch +2edf53a861d8bf20c2b7434cc13f0cf8d077dfa4d9a924742e521ff17088c5a1e6386af03ac1c1d5fd900fd0ce819f19011e4eb86d6844cb888d5d86bc268168 CVE-2019-17042.patch" diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD index 6564ca9f72c..1300efb2411 100644 --- a/main/ruby/APKBUILD +++ b/main/ruby/APKBUILD @@ -3,6 +3,12 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> # # secfixes: +# 2.4.10-r0: +# - CVE-2019-16255 +# - CVE-2019-16254 +# - CVE-2019-15845 +# - CVE-2019-16201 +# - CVE-2020-10663 # 2.4.6-r0: # - CVE-2019-8320 # - CVE-2019-8321 
@@ -33,7 +39,7 @@ # - CVE-2017-17405 # pkgname=ruby -pkgver=2.4.6 +pkgver=2.4.10 _abiver="${pkgver%.*}.0" pkgrel=0 pkgdesc="An object-oriented language for quick and easy programming" @@ -260,5 +266,5 @@ _mvgem() { done } -sha512sums="7eb7720961e98e22e4335c38eeead9db96d049ef3ac1da437769b98fee7a10feb092643ce75822a2fe3bd5fd94938417ab5c2de7c6056afe0abf6e4cf03ca282 ruby-2.4.6.tar.gz +sha512sums="dfbe2a28b1a2d458dfc8d4287fbe7caec70890dfecf1e12ac62cddd323d8921ca14a0479453e3691641e3d49366de2e4eb239029c46685234b8f29ac84e1da11 ruby-2.4.10.tar.gz cfdc5ea3b2e2ea69c51f38e8e2180cb1dc27008ca55cc6301f142ebafdbab31c3379b3b6bba9ff543153876dd98ed2ad194df3255b7ea77a62e931c935f80538 rubygems-avoid-platform-specific-gems.patch" diff --git a/main/sdl/0001-CVE-2019-7572.patch b/main/sdl/0001-CVE-2019-7572.patch new file mode 100644 index 00000000000..2c17831dfcb --- /dev/null +++ b/main/sdl/0001-CVE-2019-7572.patch 
@@ -0,0 +1,64 @@ +From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Fri, 15 Feb 2019 09:21:45 +0100 +Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If data chunk was longer than expected based on a WAV format +definition, IMA_ADPCM_decode() tried to write past the output +buffer. This patch fixes it. + +Based on patch from +<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 69d62dc..91e89e8 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! 
*/ + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { +@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + + /* Store the initial sample we start with */ ++ if (decoded + 2 > decoded_end) goto invalid_size; + decoded[0] = (Uint8)(state[c].sample&0xFF); + decoded[1] = (Uint8)(state[c].sample>>8); + decoded += 2; +@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( samplesleft > 0 ) { + for ( c=0; c<channels; ++c ) { + if (encoded + 4 > encoded_end) goto invalid_size; ++ if (decoded + 4 * 4 * channels > decoded_end) ++ goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +-- +2.20.1 + diff --git a/main/sdl/0001-CVE-2019-7573.patch b/main/sdl/0001-CVE-2019-7573.patch new file mode 100644 index 00000000000..767a3b20740 --- /dev/null +++ b/main/sdl/0001-CVE-2019-7573.patch 
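Review bot: The new output-side guards build a pointer past the buffer before comparing it — `if (decoded + 4 * 4 * channels > decoded_end) goto invalid_size;` and the `decoded + 2 > decoded_end` check in the preceding hunk — and C only defines that arithmetic while the result stays within the allocation (plus one past it), which is precisely the case an oversized chunk violates. Comparing the remaining length keeps the check in defined territory: `if ((size_t)(decoded_end - decoded) < 4 * 4 * channels) goto invalid_size;`, and the same rewrite applies to the input-side checks in 0001-CVE-2019-7573.patch, 0001-CVE-2019-7574.patch, 0001-CVE-2019-7575.patch, 0001-CVE-2019-7577.patch and 0001-CVE-2019-7578.patch. IMA_ADPCM_decode begins and ends outside these hunks, so that `*audio_len` already holds the output length at `decoded_end = decoded + *audio_len;` is inferred from the recomputation shown in 0001-CVE-2019-7574.patch rather than from this patch.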
@@ -0,0 +1,83 @@ +From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Fri, 15 Feb 2019 10:36:13 +0100 +Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in + InitMS_ADPCM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it +could read past the end of chunk data. This patch fixes it. + +CVE-2019-7573 +https://bugzilla.libsdl.org/show_bug.cgi?id=4491 +CVE-2019-7576 +https://bugzilla.libsdl.org/show_bug.cgi?id=4490 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 91e89e8..1d446ed 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder { + struct MS_ADPCM_decodestate state[2]; + } MS_ADPCM_state; + +-static int InitMS_ADPCM(WaveFMT *format) ++static int InitMS_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + int i; + + /* Set the rogue pointer to the MS_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format) + MS_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + 
MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]); +@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format) + return(-1); + } + for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) { ++ if (rogue_feel + 4 > rogue_feel_end) goto too_short; + MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); + rogue_feel += sizeof(Uint16); + } + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); ++ return(-1); + } + + static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, +@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, + break; + case MS_ADPCM_CODE: + /* Try to understand this */ +- if ( InitMS_ADPCM(format) < 0 ) { ++ if ( InitMS_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } +-- +2.20.1 + diff --git a/main/sdl/0001-CVE-2019-7574.patch b/main/sdl/0001-CVE-2019-7574.patch new file mode 100644 index 00000000000..0bae80ff875 --- /dev/null +++ b/main/sdl/0001-CVE-2019-7574.patch 
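Review bot: `if (length < sizeof(*format)) goto too_short;` compares the `int length` parameter with a `size_t`, so the test is evaluated unsigned and a negative `length` passes it; `rogue_feel_end = (Uint8 *)format + length` then lands before `format`, and the later `rogue_feel + 4 > rogue_feel_end` checks still reject the chunk, but because the end pointer sits before the start rather than by design. A two-part guard makes the intent explicit: `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`. The declaration of `lenread` at the SDL_LoadWAV_RW call site is not in the hunk; if it is an unsigned type the negative case cannot arise, but the parameter type still makes the comparison unsigned. 0001-CVE-2019-7578.patch adds the identical guard to InitIMA_ADPCM and would take the same change.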
@@ -0,0 +1,71 @@ +From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Thu, 14 Feb 2019 15:41:47 +0100 +Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If data chunk was shorter than expected based on a WAV format +definition, IMA_ADPCM_decode() tried to read past the data chunk +buffer. This patch fixes it. + +CVE-2019-7574 +https://bugzilla.libsdl.org/show_bug.cgi?id=4496 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index b6c49de..2968b3d 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, + static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct IMA_ADPCM_decodestate *state; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + unsigned int c, channels; + +@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * + IMA_ADPCM_state.wSamplesPerBlock* +@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ + for ( c=0; c<channels; ++c ) { ++ if (encoded + 4 > encoded_end) goto invalid_size; + /* Fill the state information for this block */ + state[c].sample = ((encoded[1]<<8)|encoded[0]); + encoded += 2; +@@ -387,6 
+389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; + while ( samplesleft > 0 ) { + for ( c=0; c<channels; ++c ) { ++ if (encoded + 4 > encoded_end) goto invalid_size; + Fill_IMA_ADPCM_block(decoded, encoded, + c, channels, &state[c]); + encoded += 4; +@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, +-- +2.20.1 + diff --git a/main/sdl/0001-CVE-2019-7575.patch b/main/sdl/0001-CVE-2019-7575.patch new file mode 100644 index 00000000000..53965aa2f23 --- /dev/null +++ b/main/sdl/0001-CVE-2019-7575.patch 
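Review bot: The new `invalid_size:` path frees `freeable`, which is the original input chunk, but by then `*audio_buf` has been redirected to the output buffer allocated between the hunks (`decoded = *audio_buf;` in the context), and nothing on this path releases that buffer. Whether SDL_LoadWAV_RW's `done:` handling frees `*audio_buf` when the decoder returns -1 is not visible here; if it does not, a truncated chunk now leaks the output buffer instead of overreading. Either confirm the caller cleans up or free `*audio_buf` and set it to NULL before `return(-1);` — the `too_short:` path added to MS_ADPCM_decode in 0001-CVE-2019-7577.patch has the same shape. IMA_ADPCM_decode starts before the first hunk of this patch.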
@@ -0,0 +1,84 @@ +From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Thu, 14 Feb 2019 14:51:52 +0100 +Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk +is longer, decoding continued past the output audio buffer. + +This fix is based on a patch from +<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>. + +https://bugzilla.libsdl.org/show_bug.cgi?id=4493 +CVE-2019-7575 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index e42d01c..b6c49de 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *encoded_end, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + return(-1); + } + decoded = *audio_buf; ++ decoded_end = decoded + *audio_len; + + /* Get ready... Go! */ + stereo = (MS_ADPCM_state.wavefmt.channels == 2); +@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ +- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; ++ if (encoded + 7 + (stereo ? 
7 : 0) > encoded_end) goto invalid_size; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; + + /* Store the two initial samples we start with */ ++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; + decoded[0] = state[0]->iSamp2&0xFF; + decoded[1] = state[0]->iSamp2>>8; + decoded += 2; +@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { +- if (encoded + 1 > encoded_end) goto too_short; ++ if (encoded + 1 > encoded_end) goto invalid_size; ++ if (decoded + 4 > decoded_end) goto invalid_size; + + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); +@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); +-too_short: +- SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++invalid_size: ++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); + } +-- +2.20.1 + diff --git a/main/sdl/0001-CVE-2019-7577.patch b/main/sdl/0001-CVE-2019-7577.patch new file mode 100644 index 00000000000..23cbf98192b --- /dev/null +++ b/main/sdl/0001-CVE-2019-7577.patch 
@@ -0,0 +1,75 @@ +From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Thu, 14 Feb 2019 14:12:22 +0100 +Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If RIFF/WAV data chunk length is shorter then expected for an audio +format defined in preceeding RIFF/WAV format headers, a buffer +overread can happen. + +This patch fixes it by checking a MS ADPCM data to be decoded are not +past the initialized buffer. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index b4ad6c7..e42d01c 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, + static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + { + struct MS_ADPCM_decodestate *state[2]; +- Uint8 *freeable, *encoded, *decoded; ++ Uint8 *freeable, *encoded, *encoded_end, *decoded; + Sint32 encoded_len, samplesleft; + Sint8 nybble, stereo; + Sint16 *coeff[2]; +@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + /* Allocate the proper sized output buffer */ + encoded_len = *audio_len; + encoded = *audio_buf; ++ encoded_end = encoded + encoded_len; + freeable = *audio_buf; + *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * + MS_ADPCM_state.wSamplesPerBlock* +@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + state[1] = &MS_ADPCM_state.state[stereo]; + while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { + /* Grab the initial information for this block */ ++ if (encoded + 7 + (stereo ? 
7 : 0) > encoded_end) goto too_short; + state[0]->hPredictor = *encoded++; + if ( stereo ) { + state[1]->hPredictor = *encoded++; +@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* + MS_ADPCM_state.wavefmt.channels; + while ( samplesleft > 0 ) { ++ if (encoded + 1 > encoded_end) goto too_short; ++ + nybble = (*encoded)>>4; + new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); + decoded[0] = new_sample&0xFF; +@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + } + SDL_free(freeable); + return(0); ++too_short: ++ SDL_SetError("Too short chunk for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.20.1 + diff --git a/main/sdl/0001-CVE-2019-7578.patch b/main/sdl/0001-CVE-2019-7578.patch new file mode 100644 index 00000000000..b0a89de20df --- /dev/null +++ b/main/sdl/0001-CVE-2019-7578.patch 
@@ -0,0 +1,67 @@ +From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Fri, 15 Feb 2019 10:56:59 +0100 +Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it +could read past the end of chunk data. This patch fixes it. + +CVE-2019-7578 +https://bugzilla.libsdl.org/show_bug.cgi?id=4494 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 1d446ed..08f65cb 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder { + struct IMA_ADPCM_decodestate state[2]; + } IMA_ADPCM_state; + +-static int InitIMA_ADPCM(WaveFMT *format) ++static int InitIMA_ADPCM(WaveFMT *format, int length) + { +- Uint8 *rogue_feel; ++ Uint8 *rogue_feel, *rogue_feel_end; + + /* Set the rogue pointer to the IMA_ADPCM specific data */ ++ if (length < sizeof(*format)) goto too_short; + IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); + IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); + IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); +@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format) + IMA_ADPCM_state.wavefmt.bitspersample = + SDL_SwapLE16(format->bitspersample); + rogue_feel = (Uint8 *)format+sizeof(*format); ++ rogue_feel_end = (Uint8 *)format + length; + if ( sizeof(*format) == 16 ) { + rogue_feel += sizeof(Uint16); + } ++ if (rogue_feel + 2 > rogue_feel_end) goto too_short; + IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); + return(0); ++too_short: ++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); ++ 
return(-1); + } + + static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) +@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, + break; + case IMA_ADPCM_CODE: + /* Try to understand this */ +- if ( InitIMA_ADPCM(format) < 0 ) { ++ if ( InitIMA_ADPCM(format, lenread) < 0 ) { + was_error = 1; + goto done; + } +-- +2.20.1 + diff --git a/main/sdl/0001-CVE-2019-7635.patch b/main/sdl/0001-CVE-2019-7635.patch new file mode 100644 index 00000000000..ebf8b91e7fd --- /dev/null +++ b/main/sdl/0001-CVE-2019-7635.patch 
@@ -0,0 +1,53 @@ +CVE-2019-7635: Reject BMP images with pixel colors out the palette +If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors +than the palette offers an SDL_Surface with a palette of the indicated +number of used colors is created. If some of the image's pixel +refer to a color number higher then the maximal used colors, a subsequent +bliting operation on the surface will look up a color past a blit map +(that is based on the palette) memory. I.e. passing such SDL_Surface +to e.g. an SDL_DisplayFormat() function will result in a buffer overread in +a blit function. + +This patch fixes it by validing each pixel's color to be less than the +maximal color number in the palette. A validation failure raises an +error from a SDL_LoadBMP_RW() function. + +CVE-2019-7635 +https://bugzilla.libsdl.org/show_bug.cgi?id=4498 + +Signed-off-by: Petr Písař <ppisar@redhat.com> + +diff -r a936f9bd3e38 -r f1f5878be5db src/video/SDL_bmp.c +--- a/src/video/SDL_bmp.c Mon Jun 10 09:25:05 2019 -0700 ++++ b/src/video/SDL_bmp.c Tue Jun 11 06:28:12 2019 -0700 +@@ -308,6 +308,12 @@ + } + *(bits+i) = (pixel>>shift); + pixel <<= ExpandBMP; ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + } } + break; + +@@ -318,6 +324,16 @@ + was_error = SDL_TRUE; + goto done; + } ++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { ++ for ( i=0; i<surface->w; ++i ) { ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. */ + diff --git a/main/sdl/0001-CVE-2019-7636.patch b/main/sdl/0001-CVE-2019-7636.patch new file mode 100644 index 00000000000..51e40ef1cec --- /dev/null 
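Review bot: The two palette-range checks are guarded differently: the 8-bpp one runs only under `palette && biClrUsed < (1 << biBitCount)`, while the 1-/4-bpp one inside the expansion loop runs unconditionally. Per 0001-CVE-2019-7636.patch `biClrUsed` is only defaulted from 0 inside `if ( palette )`, so if `palette` can be NULL on the expansion path every pixel would fail `bits[i] >= biClrUsed`; whether that is reachable is not visible in these hunks. Mirroring the 8-bpp guard on the expansion branch would keep the two consistent, and the duplicated SDL_SetError string could be shared by a single `goto`. SDL_LoadBMP_RW's body lies outside both hunks.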
+++ b/main/sdl/0001-CVE-2019-7636.patch @@ -0,0 +1,29 @@ +Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c + +Petr Pisar + +The reproducer has these data in BITMAPINFOHEADER: + +biSize = 40 +biBitCount = 8 +biClrUsed = 131075 + +SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount. + +Also fixes CVE-2019-7638 + +diff -r 8586f153eede -r 19d8c3b9c251 src/video/SDL_bmp.c +--- a/src/video/SDL_bmp.c Sun Jan 13 15:27:50 2019 +0100 ++++ b/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800 +@@ -233,6 +233,10 @@ + if ( palette ) { + if ( biClrUsed == 0 ) { + biClrUsed = 1 << biBitCount; ++ } else if ( biClrUsed > (1 << biBitCount) ) { ++ SDL_SetError("BMP file has an invalid number of colors"); ++ was_error = SDL_TRUE; ++ goto done; + } + if ( biSize == 12 ) { + for ( i = 0; i < (int)biClrUsed; ++i ) { + diff --git a/main/sdl/0001-CVE-2019-7637.patch b/main/sdl/0001-CVE-2019-7637.patch new file mode 100644 index 00000000000..90a734f8ae8 --- /dev/null +++ b/main/sdl/0001-CVE-2019-7637.patch 
@@ -0,0 +1,182 @@ +CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch +If a too large width is passed to SDL_SetVideoMode() the width travels +to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by +BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch +variable. During this arithmetics an integer overflow can happen (e.g. +the value is clamped as 65532). As a result SDL_Surface with a pitch +smaller than width * BytesPerPixel is created, too small pixel buffer +is allocated and when the SDL_Surface is processed in SDL_FillRect() +a buffer overflow occurs. + +This can be reproduced with "./graywin -width 21312312313123213213213" +command. + +This patch fixes is by using a very careful arithmetics in +SDL_CalculatePitch(). If an overflow is detected, an error is reported +back as a special 0 value. We assume that 0-width surfaces do not +occur in the wild. Since SDL_CalculatePitch() is a private function, +we can change the semantics. + +CVE-2019-7637 +https://bugzilla.libsdl.org/show_bug.cgi?id=4497 + +Signed-off-by: Petr Písař <ppisar@redhat.com> + +diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c +--- a/src/video/SDL_pixels.c Sat Mar 16 18:35:33 2019 -0700 ++++ b/src/video/SDL_pixels.c Sat Mar 16 19:16:24 2019 -0700 +@@ -286,26 +286,53 @@ + } + } + /* +- * Calculate the pad-aligned scanline width of a surface ++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of ++ * an error. + */ + Uint16 SDL_CalculatePitch(SDL_Surface *surface) + { +- Uint16 pitch; ++ unsigned int pitch = 0; + + /* Surface should be 4-byte aligned for speed */ +- pitch = surface->w*surface->format->BytesPerPixel; ++ /* The code tries to prevent from an Uint16 overflow. 
*/; ++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { ++ pitch += (unsigned int)surface->w; ++ if (pitch < surface->w) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ } + switch (surface->format->BitsPerPixel) { + case 1: +- pitch = (pitch+7)/8; ++ if (pitch % 8) { ++ pitch = pitch / 8 + 1; ++ } else { ++ pitch = pitch / 8; ++ } + break; + case 4: +- pitch = (pitch+1)/2; ++ if (pitch % 2) { ++ pitch = pitch / 2 + 1; ++ } else { ++ pitch = pitch / 2; ++ } + break; + default: + break; + } +- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ +- return(pitch); ++ /* 4-byte aligning */ ++ if (pitch & 3) { ++ if (pitch + 3 < pitch) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ pitch = (pitch + 3) & ~3; ++ } ++ if (pitch > 0xFFFF) { ++ SDL_SetError("A scanline is too wide"); ++ return(0); ++ } ++ return((Uint16)pitch); + } + /* + * Match an RGB value to a particular palette index +diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c +--- a/src/video/gapi/SDL_gapivideo.c Sat Mar 16 18:35:33 2019 -0700 ++++ b/src/video/gapi/SDL_gapivideo.c Sat Mar 16 19:16:24 2019 -0700 +@@ -733,6 +733,9 @@ + video->w = gapi->w = width; + video->h = gapi->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c +--- a/src/video/nanox/SDL_nxvideo.c Sat Mar 16 18:35:33 2019 -0700 ++++ b/src/video/nanox/SDL_nxvideo.c Sat Mar 16 19:16:24 2019 -0700 +@@ -378,6 +378,10 @@ + current -> w = width ; + current -> h = height ; + current -> pitch = SDL_CalculatePitch (current) ; ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + NX_ResizeImage (this, current, flags) ; + } + +diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c +--- a/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 
18:35:33 2019 -0700 ++++ b/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 19:16:24 2019 -0700 +@@ -479,6 +479,9 @@ + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Memory map the DMA area for block memory transfer */ + if ( ! mapped_mem ) { +diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c +--- a/src/video/ps3/SDL_ps3video.c Sat Mar 16 18:35:33 2019 -0700 ++++ b/src/video/ps3/SDL_ps3video.c Sat Mar 16 19:16:24 2019 -0700 +@@ -339,6 +339,9 @@ + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Alloc aligned mem for current->pixels */ + s_pixels = memalign(16, current->h * current->pitch); +diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c +--- a/src/video/windib/SDL_dibvideo.c Sat Mar 16 18:35:33 2019 -0700 ++++ b/src/video/windib/SDL_dibvideo.c Sat Mar 16 19:16:24 2019 -0700 +@@ -675,6 +675,9 @@ + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + /* Small fix for WinCE/Win32 - when activating window + SDL_VideoSurface is equal to zero, so activating code +diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c +--- a/src/video/windx5/SDL_dx5video.c Sat Mar 16 18:35:33 2019 -0700 ++++ b/src/video/windx5/SDL_dx5video.c Sat Mar 16 19:16:24 2019 -0700 +@@ -1127,6 +1127,9 @@ + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); ++ if (!current->pitch) { ++ return(NULL); ++ } + + #ifndef NO_CHANGEDISPLAYSETTINGS + /* Set fullscreen mode if appropriate. 
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c +--- a/src/video/x11/SDL_x11video.c Sat Mar 16 18:35:33 2019 -0700 ++++ b/src/video/x11/SDL_x11video.c Sat Mar 16 19:16:24 2019 -0700 +@@ -1225,6 +1225,10 @@ + current->w = width; + current->h = height; + current->pitch = SDL_CalculatePitch(current); ++ if (!current->pitch) { ++ current = NULL; ++ goto done; ++ } + if (X11_ResizeImage(this, current, flags) < 0) { + current = NULL; + goto done; + diff --git a/main/sdl/0002-CVE-2019-7572.patch b/main/sdl/0002-CVE-2019-7572.patch new file mode 100644 index 00000000000..0f242be4e40 --- /dev/null +++ b/main/sdl/0002-CVE-2019-7572.patch 
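Review bot: `/* The code tries to prevent from an Uint16 overflow. */;` leaves a stray `;` after the comment — a harmless empty statement that reads as a typo — and the comment should say what the loop does: `/* Accumulate w * BytesPerPixel in an unsigned int, checking for wrap on each add. */`. The `for (Uint8 byte = ...; byte; byte--)` loop declares its counter in the initialiser, which needs C99 in a file that otherwise declares at block top; worth checking against the project's compiler flags. Using 0 as the error return is shared with a legitimate zero-width surface, as the description acknowledges; the seven backends patched here treat it as failure, while any other SDL_CalculatePitch caller in the 1.2.15 tree (none are visible in this chunk) would silently keep a 0 pitch.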
@@ -0,0 +1,59 @@ +From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Thu, 14 Feb 2019 16:51:54 +0100 +Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If an IMA ADPCM block contained an initial index out of step table +range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used +this bogus value and that lead to a buffer overread. + +This patch fixes it by moving clamping the index value at the +beginning of IMA_ADPCM_nibble() function instead of the end after +an update. + +CVE-2019-7572 +https://bugzilla.libsdl.org/show_bug.cgi?id=4495 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 2968b3d..69d62dc 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + }; + Sint32 delta, step; + ++ /* Clamp index value. The inital value can be invalid. */ ++ if ( state->index > 88 ) { ++ state->index = 88; ++ } else ++ if ( state->index < 0 ) { ++ state->index = 0; ++ } ++ + /* Compute difference and new sample value */ + step = step_table[state->index]; + delta = step >> 3; +@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) + + /* Update index value */ + state->index += index_table[nybble]; +- if ( state->index > 88 ) { +- state->index = 88; +- } else +- if ( state->index < 0 ) { +- state->index = 0; +- } + + /* Clamp output sample */ + if ( state->sample > max_audioval ) { +-- +2.20.1 + diff --git a/main/sdl/0002-CVE-2019-7577.patch b/main/sdl/0002-CVE-2019-7577.patch new file mode 100644 index 00000000000..06b429cb6dd --- /dev/null 
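Review bot: Clamping `state->index` at the top of IMA_ADPCM_nibble silently repairs a malformed initial index, whereas the sibling patches in this set reject bad input with SDL_SetError; the place that loads the initial index (in IMA_ADPCM_decode, outside this hunk) is the natural spot for `if (state[c].index > 88) goto invalid_size;`, leaving the original post-update clamp in place. As written, removing the post-update clamp also lets `state->index` sit out of range between calls, which only matters if anything else reads it. Either form closes the overread; the point is consistent error handling across the series.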
+++ b/main/sdl/0002-CVE-2019-7577.patch @@ -0,0 +1,57 @@ +From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Tue, 12 Mar 2019 16:21:41 +0100 +Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and + MS_ADPCM_decode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid +predictor (a valid predictor's value is between 0 and 6 inclusive), +a buffer overread can happen when the predictor is used as an index +into an array of MS ADPCM coefficients. + +The overead happens when indexing MS_ADPCM_state.aCoeff[] array in +MS_ADPCM_decode() and later when dereferencing a coef pointer in +MS_ADPCM_nibble(). + +This patch fixes it by checking the MS ADPCM predictor values fit +into the valid range. + +CVE-2019-7577 +Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/audio/SDL_wave.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c +index 08f65cb..5f93651 100644 +--- a/src/audio/SDL_wave.c ++++ b/src/audio/SDL_wave.c +@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) + if ( stereo ) { + state[1]->hPredictor = *encoded++; + } ++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) { ++ goto invalid_predictor; ++ } + state[0]->iDelta = ((encoded[1]<<8)|encoded[0]); + encoded += sizeof(Sint16); + if ( stereo ) { +@@ -227,6 +230,10 @@ invalid_size: + SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); + SDL_free(freeable); + return(-1); ++invalid_predictor: ++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder"); ++ SDL_free(freeable); ++ return(-1); + } + + struct IMA_ADPCM_decodestate { +-- +2.20.1 + 
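Review bot: The literal 7 in `if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7)` is undocumented; it presumably matches the size of `MS_ADPCM_state.aCoeff`, whose declaration is not in the hunk, and InitMS_ADPCM fills only `wNumCoef` entries of it (0001-CVE-2019-7573.patch). A comment such as `/* aCoeff holds 7 coefficient pairs; any larger predictor indexes past it */`, or comparing against `MS_ADPCM_state.wNumCoef`, would tie the bound to its source. For mono input `state[1]` aliases `state[0]` (`state[1] = &MS_ADPCM_state.state[stereo]` in 0001-CVE-2019-7577.patch), so the double test is correct as written.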
diff --git a/main/sdl/0002-CVE-2019-7635.patch b/main/sdl/0002-CVE-2019-7635.patch new file mode 100644 index 00000000000..01a111ccc4f --- /dev/null +++ b/main/sdl/0002-CVE-2019-7635.patch @@ -0,0 +1,21 @@ +diff -r 19d8c3b9c251 -r 08f3b4992538 src/video/SDL_bmp.c +--- a/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800 ++++ b/src/video/SDL_bmp.c Sat Mar 16 18:35:11 2019 -0700 +@@ -163,6 +163,14 @@ + ExpandBMP = biBitCount; + biBitCount = 8; + break; ++ case 2: ++ case 3: ++ case 5: ++ case 6: ++ case 7: ++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount); ++ was_error = SDL_TRUE; ++ goto done; + default: + ExpandBMP = 0; + break; + + + diff --git a/main/sdl/0002-CVE-2019-7637.patch b/main/sdl/0002-CVE-2019-7637.patch new file mode 100644 index 00000000000..bf28310d5eb --- /dev/null +++ b/main/sdl/0002-CVE-2019-7637.patch 
@@ -0,0 +1,42 @@ +fix copy+paste mistakes in commit 9b0e5c555c0f (CVE-2019-7637 fix): + +http://hg.libsdl.org/SDL/rev/9b0e5c555c0f made copy+paste mistakes which +resulted in windows versions failing to set video mode. + +diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/gapi/SDL_gapivideo.c +--- a/src/video/gapi/SDL_gapivideo.c Wed Jul 31 23:50:10 2019 +0300 ++++ b/src/video/gapi/SDL_gapivideo.c Fri Aug 02 00:35:05 2019 +0300 +@@ -733,7 +733,7 @@ + video->w = gapi->w = width; + video->h = gapi->h = height; + video->pitch = SDL_CalculatePitch(video); +- if (!current->pitch) { ++ if (!video->pitch) { + return(NULL); + } + +diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windib/SDL_dibvideo.c +--- a/src/video/windib/SDL_dibvideo.c Wed Jul 31 23:50:10 2019 +0300 ++++ b/src/video/windib/SDL_dibvideo.c Fri Aug 02 00:35:05 2019 +0300 +@@ -675,7 +675,7 @@ + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); +- if (!current->pitch) { ++ if (!video->pitch) { + return(NULL); + } + +diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windx5/SDL_dx5video.c +--- a/src/video/windx5/SDL_dx5video.c Wed Jul 31 23:50:10 2019 +0300 ++++ b/src/video/windx5/SDL_dx5video.c Fri Aug 02 00:35:05 2019 +0300 +@@ -1127,7 +1127,7 @@ + video->w = width; + video->h = height; + video->pitch = SDL_CalculatePitch(video); +- if (!current->pitch) { ++ if (!video->pitch) { + return(NULL); + } + + diff --git a/main/sdl/APKBUILD b/main/sdl/APKBUILD index 69d81747b47..d18b8ce4a3f 100644 --- a/main/sdl/APKBUILD +++ b/main/sdl/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=sdl pkgver=1.2.15 -pkgrel=7 +pkgrel=9 pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard" url="http://www.libsdl.org" arch="all" 
@@ -12,11 +12,42 @@ depends_dev="libx11-dev" makedepends="$depends_dev libxext-dev libxrender-dev libx11-dev libice-dev libsm-dev libxrandr-dev mesa-dev alsa-lib-dev glu-dev" source="http://www.libsdl.org/release/SDL-$pkgver.tar.gz + 0001-CVE-2019-7574.patch + 0001-CVE-2019-7572.patch + 0002-CVE-2019-7572.patch + 0001-CVE-2019-7573.patch + 0001-CVE-2019-7577.patch + 0002-CVE-2019-7577.patch + 0001-CVE-2019-7575.patch + 0001-CVE-2019-7578.patch + 0001-CVE-2019-7635.patch + 0002-CVE-2019-7635.patch + 0001-CVE-2019-7636.patch + 0001-CVE-2019-7637.patch + 0002-CVE-2019-7637.patch SDL-1.2.10-GrabNotViewable.patch SDL-1.2.15-const_XData32.patch + CVE-2019-13616.patch::https://hg.libsdl.org/SDL/raw-diff/ad1bbfbca760/src/video/SDL_bmp.c " + _builddir="$srcdir"/SDL-$pkgver +# secfixes: +# 1.2.15-r9: +# - CVE-2019-13616 +# 1.2.15-r8: +# - CVE-2019-7572 +# - CVE-2019-7573 +# - CVE-2019-7574 +# - CVE-2019-7575 +# - CVE-2019-7576 +# - CVE-2019-7577 +# - CVE-2019-7578 +# - CVE-2019-7635 +# - CVE-2019-7636 +# - CVE-2019-7637 +# - CVE-2019-7638 + prepare() { cd "$_builddir" update_config_sub || return 1 
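Review bot: The new `1.2.15-r8` secfixes block lists CVE-2019-7576 and CVE-2019-7638, but no patch for either CVE is added to `source=` in this hunk, whereas every other CVE in that list has a matching `000N-CVE-2019-XXXX.patch`. If those two are covered by one of the other patch files, a comment naming that file next to the entry would keep the list verifiable; if they are not, the entries should be removed until a fix is actually carried, since this block is what tells the security tracker the package is no longer affected. The `1.2.15-r9` entry for CVE-2019-13616 points at a patch fetched from an upstream raw-diff URL, which is pinned by its sha512sum in the later hunk, so that one is consistent.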
@@ -50,13 +81,20 @@ package() { cd "$srcdir"/SDL-$pkgver make DESTDIR="$pkgdir" install } - -md5sums="9d96df8417572a2afb781a7c4c811a85 SDL-1.2.15.tar.gz -37ad001a4d2ff924a5fab356b49f8a78 SDL-1.2.10-GrabNotViewable.patch -d9ad0c726f7d3f3e3c8bbf83368cd38d SDL-1.2.15-const_XData32.patch" -sha256sums="d6d316a793e5e348155f0dd93b979798933fb98aa1edebcc108829d6474aad00 SDL-1.2.15.tar.gz -ea2042b8a45a083b1447d5c56e52b23b79f2ddb0d717ec7b287b34ef71bd2d1a SDL-1.2.10-GrabNotViewable.patch -465c611d4a9db44a6d7f0a8f6ef9583ec4b85383b17a2b706b3a811294220173 SDL-1.2.15-const_XData32.patch" sha512sums="ac392d916e6953b0925a7cbb0f232affea33339ef69b47a0a7898492afb9784b93138986df53d6da6d3e2ad79af1e9482df565ecca30f89428be0ae6851b1adc SDL-1.2.15.tar.gz +8c287d6ffcc159f19d934d560e073a716325b6a62d9dea974b92b2d4a417defc4f8441769b4761c5a2600b10a45ff401b0afbab6823880e3d54eab09e22f9859 0001-CVE-2019-7574.patch +e713d0f3d24d73831d9f116d4e15e965c5f09e19b15634e8cbf92714612b0172f24a5c542b3fde09732d17b03d7dac3aaac0d8f4e359a45c1c538970413d6e7c 0001-CVE-2019-7572.patch +3274f91e41b72cd98b6d7962013dd45289952b7af78cc7bc5fe99d4f143434243c8ef0743117d3ec6b090784dfcba8dd460679cc5b49f298ebd8b5afab78a108 0002-CVE-2019-7572.patch +3bf62a71988feff2329e298cee8ce48c636c65100959385b73953c95eea21cb069a7ed096165c252e5ef1db133330da5d095cf5ad145d9875b1197d3b5517b81 0001-CVE-2019-7573.patch +f364161069ceb5d05d329ff04f6e72d2c52baff68d0d3f2203f8a7ee3ace1efe8fc63676ea7d097ccc8eb696dcc20c6b141319ddf0c2bb6efc4fd92cb1dba038 0001-CVE-2019-7577.patch +d2f0664cc0388908ec621c84e7f889ef5abda31dc4e4d23e6e379e26475ed73863ad47b2f13d282c96ba269bdbc77e7effaf5f01032d0683ad991b506063ef19 0002-CVE-2019-7577.patch +abe54d9f29b5e6c1a91cba2bb44e0988b7ceb5a94c3f63569f436f49f282b80280cecd79ee48b9926fff458efbdf0fff019b0fdbf6530692a11a68dbec73e7ca 0001-CVE-2019-7575.patch +a31d5c685fafbca72fdc5336343b74b90b1bfd5af4b6f632b4d8271bb1a218ec6419a7994290f65e7a5fc36d921c2d3c1a25ddf0cdf29bffb7229229415eaa9f 0001-CVE-2019-7578.patch 
+47729b56a7d323fecd4e4cccddce06061c4f53b723cb08108e1800897da54bae0bede862a09d219dce515696d9e270d062c7aa0af1ba445cc3160cdac8e3d3f7 0001-CVE-2019-7635.patch +8e2c04d8a8167c479f56aa2b363bd3b5ee302c473642717445385210871e0c7b6bfb3020c553c4b0ca849b8a290602b20e7e398d396fdbf47980c38b0969f230 0002-CVE-2019-7635.patch +8e9fa28015e64f08d7d8124398ee5b268546105b73313490cfffdd547e67e729455535407177827e485c4132badfc48a73cce18c0ff7ff8a1c8706613acf180c 0001-CVE-2019-7636.patch +0ad1e445a067afb726df48eac55d593075c945199bd718b4116af84c15df6f5c095f541a5c8a008aef4474dda874e68517236f2f37e1539e0e5684240b058231 0001-CVE-2019-7637.patch +105378cf7609872198c83b8824a1c36463b01f5696cda6c184252b728cdd1054cdc2e68a338f5d728facd182628d2a8b29b961664e89d7f9022abc0268c9afc1 0002-CVE-2019-7637.patch 20049408d4c00d895c39a7901d889d1874ebcd382e93b2e8df38bd3726e2236f4e9a980720724cf176a35d05fb0db5dbcabd42089423adeb404f2dba16d52b7b SDL-1.2.10-GrabNotViewable.patch -ae7cdb61930199a7989e1690be37133eddeb8d446fef3fb5bbe0008d5e3b30abb28f4cc8ffea5d7a186ec242f158ed06dbd2b9ea98ca3e3caeed5ab12bac6875 SDL-1.2.15-const_XData32.patch" +ae7cdb61930199a7989e1690be37133eddeb8d446fef3fb5bbe0008d5e3b30abb28f4cc8ffea5d7a186ec242f158ed06dbd2b9ea98ca3e3caeed5ab12bac6875 SDL-1.2.15-const_XData32.patch +1b97970d0bcb7c49a3edfab2dd8c622a591ee64543ebe9e03b1de29a5cfb87820100444ff5ba0ce319911d1020ad94f6a8678c31aa13e370d1c9aeed6e3fd669 CVE-2019-13616.patch" diff --git a/main/sdl2/APKBUILD b/main/sdl2/APKBUILD index 679614c4b50..e66d186d830 100644 --- a/main/sdl2/APKBUILD +++ b/main/sdl2/APKBUILD @@ -1,8 +1,8 @@ # Contributor: August Klein <amatcoder@gmail.com> # Maintainer: August Klein <amatcoder@gmail.com> pkgname=sdl2 -pkgver=2.0.7 -pkgrel=3 +pkgver=2.0.10 +pkgrel=0 pkgdesc="A development library designed to provide low level access to audio, keyboard, mouse, joystick and graphics" url="http://www.libsdl.org" arch="all" 
@@ -16,6 +16,19 @@ source="https://www.libsdl.org/release/SDL2-$pkgver.tar.gz fix-directfb-include.patch" builddir="$srcdir/SDL2-$pkgver" +# secfixes: +# 2.0.10-r0: +# - CVE-2019-7572 +# - CVE-2019-7573 +# - CVE-2019-7574 +# - CVE-2019-7575 +# - CVE-2019-7576 +# - CVE-2019-7578 +# - CVE-2019-7635 +# - CVE-2019-7636 +# - CVE-2019-7637 +# - CVE-2019-7638 + build() { cd "$builddir" # NOTE: Please do not remove the --enable-video-directfb flag. @@ -43,6 +56,5 @@ package() { cd "$builddir" make DESTDIR="$pkgdir" install } - -sha512sums="eed5477843086a0e66552eb197a5c4929134522bc366d873732361ea0df5fb841ef7e2b1913e21d1bae69e6fd3152ee630492e615c58cbe903e7d6e47b587410 SDL2-2.0.7.tar.gz -f57a7a7b89f11934835b5693d104354be1107ddd31d34f6cfc07cf480b0811d775c95685f6b6b20c6154f03744ed976c8092973ddb6e87773969b8394e852c24 fix-directfb-include.patch" +sha512sums="f49b869362699b3282f6e82920e59c7fac581bcbf955f18a81cc126293c08093a90df7fcb39517cc8bc32708d2213fe645a42b655d6d811c1386efebb3d3c798 SDL2-2.0.10.tar.gz +126fe6f072e7f45c0d8db710904ffc2a3382fa1403d34a4f9c656e1deca633147b1e5273ce9dfd148af2694cd472ab045129ff50e9ebbb0a888125253710a805 fix-directfb-include.patch" diff --git a/main/sdl2/fix-directfb-include.patch b/main/sdl2/fix-directfb-include.patch index 0f7cf360161..5ddf7b198ae 100644 --- a/main/sdl2/fix-directfb-include.patch +++ b/main/sdl2/fix-directfb-include.patch @@ -14,14 +14,3 @@ index 2d18afb..6416e2f 100644 /* Set up for C function definitions, even when using C++ */ #ifdef __cplusplus extern "C" { -@@ -79,10 +84,6 @@ struct SDL_SysWMinfo; - - #endif /* defined(SDL_VIDEO_DRIVER_X11) */ - --#if defined(SDL_VIDEO_DRIVER_DIRECTFB) --#include <directfb.h> --#endif -- - #if defined(SDL_VIDEO_DRIVER_COCOA) - #ifdef __OBJC__ - @class NSWindow; diff --git a/main/sdl2_image/APKBUILD b/main/sdl2_image/APKBUILD index 64c70f91169..6023ff887b2 100644 --- a/main/sdl2_image/APKBUILD +++ b/main/sdl2_image/APKBUILD 
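Review bot: The new `2.0.10-r0` secfixes list names CVE-2019-7572 through 7576 and 7578 but skips CVE-2019-7577, while the sdl package in this same commit carries two patch files for CVE-2019-7577; the gap looks like an oversight rather than a statement that 2.0.10 is still affected. If the 2.0.10 release notes confirm the fix, add `# - CVE-2019-7577` to the list; if it is deliberately excluded, a short comment saying why would stop the next reader from "fixing" it.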
@@ -1,8 +1,8 @@ # Contributor: Francesco Colista <fcolista@alpinelinux.org> # Maintainer: Francesco Colista <fcolista@alpinelinux.org> pkgname=sdl2_image -pkgver=2.0.2 -pkgrel=1 +pkgver=2.0.5 +pkgrel=0 _pkgname=SDL2_image pkgdesc="A simple library to load images of various formats as SDL surfaces" url="http://www.libsdl.org/projects/SDL_image/" @@ -11,22 +11,22 @@ license="zlib" makedepends="sdl2-dev libpng-dev libjpeg-turbo-dev libwebp-dev tiff-dev zlib-dev" subpackages="$pkgname-dev" -source="http://www.libsdl.org/projects/SDL_image/release/$_pkgname-$pkgver.tar.gz - CVE-2017-12122.patch - CVE-2017-14440.patch - CVE-2017-14441.patch - CVE-2017-14442.patch - CVE-2017-14448.patch - CVE-2017-14450.patch - CVE-2018-3837.patch - CVE-2018-3838.patch - CVE-2018-3839.patch -" - +source="http://www.libsdl.org/projects/SDL_image/release/$_pkgname-$pkgver.tar.gz" builddir="$srcdir/$_pkgname-$pkgver" # secfixes: -# +# 2.0.5-r0: +# - CVE-2019-5060 TALOS-2019-0844 +# - CVE-2019-5059 TALOS-2019-0843 +# - CVE-2019-5058 TALOS-2019-0842 +# - CVE-2019-5057 TALOS-2019-0841 +# - CVE-2019-5052 TALOS-2019-0821 +# - CVE-2019-5051 TALOS-2019-0820 +# - CVE-2019-12222 +# - CVE-2019-12221 +# - CVE-2019-12219 +# - CVE-2019-12218 +# - CVE-2019-12217 # 2.0.2-r1: # - CVE-2017-12122 TALOS-2017-0488 # - CVE-2017-14440 TALOS-2017-0489 
@@ -63,13 +63,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="468f1a5aaee0b6920adb80df21aaaa41bfc5c642b4a00ac60244a90c5e9f27b092b73bcdd2c5520aa1de2759e8b174686b186a51f2d07e7e188ce2cd10519724 SDL2_image-2.0.2.tar.gz -1c3c713af1b3d1996a226741fa0e053e76aee4355c5dfeb9d727b0af016c73760c63907547a11de2d3bb1f23fcbfe5265317d20d54baf10ec8e0cdd25e2370ec CVE-2017-12122.patch -0527bcb0113d09a935f694192f864457f3d86c2d69ef7bc89036544756ab23c32e5b30e526190b1642f8d0a531c9dd52eaeca9605320578168932d98bb4badea CVE-2017-14440.patch -6455c44fa0727b91fef53bca887b86fc8ae4652ef13ffcb305d86405fba7d2527941530eba2e87af382a05333694bfa69ea3e2c692422a0eb33ef58538ac74b1 CVE-2017-14441.patch -ac7be687db2fcea5daa0b8f8685f3b7a106bd748ba8277986515d1129b969fbdc9adb3a4836141f81f3cb51c93539339fad40c9bf132582bc977bc0e0103de83 CVE-2017-14442.patch -e483cfb17333c2f1f3513549891d6378161f70ad70876fb4a4f44e32c4b85e76503eefbb7294c2ad77ab0cb812e646466169aa2f15637ac8337aa623b328d9b9 CVE-2017-14448.patch -eec58e6fbe0a96f63a01241bb9a3b26b6dbacdd5a5fcbbae5a62a3f577d8b8ef9cf9ec60f70cec854990a16f53086f510c2adc40d345b15ce8a6412910da1a86 CVE-2017-14450.patch -59c8d73eb65d896c6ea168ac97a817f482507ae9f694c90359096160d9f0c0f584143762d848cf1d021af4a6d16d33c69ad7382b5a2bc10ee22621304420bc36 CVE-2018-3837.patch -f0a74538c70e47264f892d6b8f3280c8e45db0e0aa05fb145e4398f5c6b16636da12c66de90835015541a236c065287f715351042a79139cbd1b337b4ed0715c CVE-2018-3838.patch -09da40655972e32ee9f6498aff12d235e2137dd28e1f3e0fa858d22ee7b228602400b9ce1b40cbf8ec447bf0a07c3c2bd9cf4bcecea0d8360aa5c606d63c53dd CVE-2018-3839.patch" +sha512sums="77e743d3f32707e015b290c1379ae3c7d7a3fe265995713267f0d0ec6517de4808f0de9890b5ab28445941af5bc9fbff346620629e0d7d7e9f365262cab05ee7 SDL2_image-2.0.5.tar.gz" diff --git a/main/sdl2_image/CVE-2017-12122.patch b/main/sdl2_image/CVE-2017-12122.patch deleted file mode 100644 index 9c2f33b1707..00000000000 --- a/main/sdl2_image/CVE-2017-12122.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff -r 3e1ebbbaba54 -r 16772bbb1b09 IMG_lbm.c ---- a/IMG_lbm.c Wed Jan 24 01:43:46 2018 -0500 -+++ b/IMG_lbm.c Wed Jan 24 01:44:36 2018 -0500 -@@ -245,7 +245,7 @@ - goto done; - } - -- if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL ) -+ if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (nbplanes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL ) - goto done; - - if ( bmhd.mask & 2 ) /* There is a transparent color */ -@@ -272,7 +272,7 @@ - /* The 32 last colors are the same but divided by 2 */ - /* Some Amiga pictures save 64 colors with 32 last wrong colors, */ - /* they shouldn't !, and here we overwrite these 32 bad colors. */ -- if ( (nbcolors==32 || flagEHB ) && (1<<bmhd.planes)==64 ) -+ if ( (nbcolors==32 || flagEHB ) && (1<<nbplanes)==64 ) - { - nbcolors = 64; - ptr = &colormap[0]; -@@ -286,8 +286,8 @@ - - /* If nbcolors < 2^nbplanes, repeat the colormap */ - /* This happens when pictures have a stencil mask */ -- if ( nbrcolorsfinal > (1<<bmhd.planes) ) { -- nbrcolorsfinal = (1<<bmhd.planes); -+ if ( nbrcolorsfinal > (1<<nbplanes) ) { -+ nbrcolorsfinal = (1<<nbplanes); - } - for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ ) - { - - -diff -r 16772bbb1b09 -r 97f7f01e0665 IMG_lbm.c ---- a/IMG_lbm.c Wed Jan 24 01:44:36 2018 -0500 -+++ b/IMG_lbm.c Wed Jan 24 01:45:04 2018 -0500 -@@ -233,6 +233,12 @@ - nbplanes = 1; - } - -+ if ((nbplanes != 1) && (nbplanes != 4) && (nbplanes != 8) && (nbplanes != 24)) -+ { -+ error="unsupported number of color planes"; -+ goto done; -+ } -+ - stencil = (bmhd.mask & 1); /* There is a mask ( 'stencil' ) */ - - /* Allocate memory for a temporary buffer ( used for - diff --git a/main/sdl2_image/CVE-2017-14440.patch b/main/sdl2_image/CVE-2017-14440.patch deleted file mode 100644 index 49ab2b03235..00000000000 --- a/main/sdl2_image/CVE-2017-14440.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -# HG changeset patch -# User Ryan C. Gordon <icculus@icculus.org> -# Date 1516813224 18000 -# Node ID bfa08dc02b3c7b265ead6019f901f17f925570c3 -# Parent 97f7f01e0665b7555a0e5e9465799e80c8f59528 -lbm: Don't overflow static colormap buffer. - -diff -r 97f7f01e0665 -r bfa08dc02b3c IMG_lbm.c ---- a/IMG_lbm.c Wed Jan 24 01:45:04 2018 -0500 -+++ b/IMG_lbm.c Wed Jan 24 12:00:24 2018 -0500 -@@ -183,6 +183,11 @@ - - if ( !SDL_memcmp( id, "CMAP", 4 ) ) /* palette ( Color Map ) */ - { -+ if (size > sizeof (colormap)) { -+ error="colormap size is too large"; -+ goto done; -+ } -+ - if ( !SDL_RWread( src, &colormap, size, 1 ) ) - { - error="error reading CMAP chunk"; - diff --git a/main/sdl2_image/CVE-2017-14441.patch b/main/sdl2_image/CVE-2017-14441.patch deleted file mode 100644 index 19c30bbf995..00000000000 --- a/main/sdl2_image/CVE-2017-14441.patch +++ /dev/null @@ -1,26 +0,0 @@ -# HG changeset patch -# User Ryan C. Gordon <icculus@icculus.org> -# Date 1516816924 18000 -# Node ID a1e9b624ca1033f893e93691802682bf36400f7a -# Parent bfa08dc02b3c7b265ead6019f901f17f925570c3 -ico: reject obviously incorrect image sizes. - -diff -r bfa08dc02b3c -r a1e9b624ca10 IMG_bmp.c ---- a/IMG_bmp.c Wed Jan 24 12:00:24 2018 -0500 -+++ b/IMG_bmp.c Wed Jan 24 13:02:04 2018 -0500 -@@ -735,6 +735,14 @@ - goto done; - } - -+ /* sanity check image size, so we don't overflow integers, etc. */ -+ if ((biWidth < 0) || (biWidth > 0xFFFFFF) || -+ (biHeight < 0) || (biHeight > 0xFFFFFF)) { -+ IMG_SetError("Unsupported or invalid ICO dimensions"); -+ was_error = SDL_TRUE; -+ goto done; -+ } -+ - /* Create a RGBA surface */ - biHeight = biHeight >> 1; - //printf("%d x %d\n", biWidth, biHeight); - diff --git a/main/sdl2_image/CVE-2017-14442.patch b/main/sdl2_image/CVE-2017-14442.patch deleted file mode 100644 index 6fa4524b400..00000000000 --- a/main/sdl2_image/CVE-2017-14442.patch +++ /dev/null 
@@ -1,24 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon <icculus@icculus.org> -# Date 1516817527 18000 -# Node ID 37445f6180a8ca7a218ab9f9eaaeaf088b4f6c3a -# Parent a1e9b624ca1033f893e93691802682bf36400f7a -bmp: don't overflow palette buffer with bogus biClrUsed values. - -diff -r a1e9b624ca10 -r 37445f6180a8 IMG_bmp.c ---- a/IMG_bmp.c Wed Jan 24 13:02:04 2018 -0500 -+++ b/IMG_bmp.c Wed Jan 24 13:12:07 2018 -0500 -@@ -760,6 +760,11 @@ - if (biClrUsed == 0) { - biClrUsed = 1 << biBitCount; - } -+ if (biClrUsed > SDL_arraysize(palette)) { -+ IMG_SetError("Unsupported or incorrect biClrUsed field"); -+ was_error = SDL_TRUE; -+ goto done; -+ } - for (i = 0; i < (int) biClrUsed; ++i) { - SDL_RWread(src, &palette[i], 4, 1); - } - diff --git a/main/sdl2_image/CVE-2017-14448.patch b/main/sdl2_image/CVE-2017-14448.patch deleted file mode 100644 index 6b02f743165..00000000000 --- a/main/sdl2_image/CVE-2017-14448.patch +++ /dev/null 
@@ -1,59 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon <icculus@icculus.org> -# Date 1517092075 18000 -# Node ID 7df1580f1695d327c1c4580dccbf7ca6da5aed9e -# Parent 37445f6180a8ca7a218ab9f9eaaeaf088b4f6c3a -xcf: deal with bogus data in rle tile decoding. - -diff -r 37445f6180a8 -r 7df1580f1695 IMG_xcf.c ---- a/IMG_xcf.c Wed Jan 24 13:12:07 2018 -0500 -+++ b/IMG_xcf.c Sat Jan 27 17:27:55 2018 -0500 -@@ -486,7 +486,7 @@ - t = load = (unsigned char *) SDL_malloc (len); - reallen = SDL_RWread (src, t, 1, len); - -- data = (unsigned char *) SDL_malloc (x*y*bpp); -+ data = (unsigned char *) SDL_calloc (1, x*y*bpp); - for (i = 0; i < bpp; i++) { - d = data + i; - size = x*y; -@@ -503,6 +503,12 @@ - t += 2; - } - -+ if (((size_t) (t - load) + length) >= len) { -+ break; /* bogus data */ -+ } else if (length > size) { -+ break; /* bogus data */ -+ } -+ - count += length; - size -= length; - -@@ -518,6 +524,12 @@ - t += 2; - } - -+ if (((size_t) (t - load)) >= len) { -+ break; /* bogus data */ -+ } else if (length > size) { -+ break; /* bogus data */ -+ } -+ - count += length; - size -= length; - -@@ -529,6 +541,11 @@ - } - } - } -+ -+ if (size > 0) { -+ break; /* just drop out, untouched data initialized to zero. */ -+ } -+ - } - - SDL_free (load); - diff --git a/main/sdl2_image/CVE-2017-14450.patch b/main/sdl2_image/CVE-2017-14450.patch deleted file mode 100644 index c7feeb7f8c5..00000000000 --- a/main/sdl2_image/CVE-2017-14450.patch +++ /dev/null 
@@ -1,25 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon <icculus@icculus.org> -# Date 1517113689 18000 -# Node ID 45e750f92c843dccea0820d86726e9cf1d524392 -# Parent d0142861559ccd4fde994fbd33c34fbdee25f84c -gif: report error on bogus LWZ data, instead of overflowing a buffer. - -diff -r d0142861559c -r 45e750f92c84 IMG_gif.c ---- a/IMG_gif.c Sat Jan 27 22:50:18 2018 -0500 -+++ b/IMG_gif.c Sat Jan 27 23:28:09 2018 -0500 -@@ -497,8 +497,10 @@ - return -3; - } - *sp++ = table[1][code]; -- if (code == table[0][code]) -- RWSetMsg("circular table entry BIG ERROR"); -+ if (code == table[0][code]) { -+ RWSetMsg("circular table entry BIG ERROR"); -+ return -3; -+ } - code = table[0][code]; - } - - diff --git a/main/sdl2_image/CVE-2017-2887.patch b/main/sdl2_image/CVE-2017-2887.patch deleted file mode 100644 index 8b4d0c571c8..00000000000 --- a/main/sdl2_image/CVE-2017-2887.patch +++ /dev/null @@ -1,25 +0,0 @@ ---- a/IMG_xcf.c Mon Sep 18 16:10:17 2017 -0700 -+++ b/IMG_xcf.c Fri Oct 06 15:40:19 2017 -0700 -@@ -251,6 +251,7 @@ - } - - static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) { -+ Uint32 len; - prop->id = SDL_ReadBE32 (src); - prop->length = SDL_ReadBE32 (src); - -@@ -274,7 +275,12 @@ - break; - case PROP_COMPRESSION: - case PROP_COLOR: -- SDL_RWread (src, &prop->data, prop->length, 1); -+ if (prop->length > sizeof(prop->data)) { -+ len = sizeof(prop->data); -+ } else { -+ len = prop->length; -+ } -+ SDL_RWread(src, &prop->data, len, 1); - break; - case PROP_VISIBLE: - prop->data.visible = SDL_ReadBE32 (src); - diff --git a/main/sdl2_image/CVE-2018-3837.patch b/main/sdl2_image/CVE-2018-3837.patch deleted file mode 100644 index 823a2b9cbce..00000000000 --- a/main/sdl2_image/CVE-2018-3837.patch +++ /dev/null 
@@ -1,21 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon <icculus@icculus.org> -# Date 1518036231 18000 -# Node ID 2938fc80591abeae74b971cbdf966eff3213297e -# Parent f50c9c46ba52f5a594313774a938844e5cf82b4d -pcx: don't overflow buffer if bytes-per-line is less than image width. - -diff -r f50c9c46ba52 -r 2938fc80591a IMG_pcx.c ---- a/IMG_pcx.c Sun Jan 28 22:10:40 2018 -0800 -+++ b/IMG_pcx.c Wed Feb 07 15:43:51 2018 -0500 -@@ -147,7 +147,7 @@ - if (bpl > surface->pitch) { - error = "bytes per line is too large (corrupt?)"; - } -- buf = (Uint8 *)SDL_malloc(bpl); -+ buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1); - row = (Uint8 *)surface->pixels; - for ( y=0; y<surface->h; ++y ) { - /* decode a scan line to a temporary buffer first */ - diff --git a/main/sdl2_image/CVE-2018-3838.patch b/main/sdl2_image/CVE-2018-3838.patch deleted file mode 100644 index b0e89b804b5..00000000000 --- a/main/sdl2_image/CVE-2018-3838.patch +++ /dev/null @@ -1,40 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon <icculus@icculus.org> -# Date 1518038334 18000 -# Node ID c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d -# Parent 2938fc80591abeae74b971cbdf966eff3213297e -xcf: Prevent infinite loop and/or buffer overflow on bogus data. - -diff -r 2938fc80591a -r c5f9cbb5d2bb IMG_xcf.c ---- a/IMG_xcf.c Wed Feb 07 15:43:51 2018 -0500 -+++ b/IMG_xcf.c Wed Feb 07 16:18:54 2018 -0500 -@@ -483,6 +483,10 @@ - int i, size, count, j, length; - unsigned char val; - -+ if (len == 0) { /* probably bogus data. */ -+ return NULL; -+ } -+ - t = load = (unsigned char *) SDL_malloc (len); - reallen = SDL_RWread (src, t, 1, len); - -@@ -608,6 +612,16 @@ - tile = load_tile(src, ox * oy * 6, hierarchy->bpp, ox, oy); - } - -+ if (!tile) { -+ if (hierarchy) { -+ free_xcf_hierarchy(hierarchy); -+ } -+ if (level) { -+ free_xcf_level(level); -+ } -+ return 1; -+ } -+ - p8 = tile; - p16 = (Uint16 *) p8; - p = (Uint32 *) p8; - 
diff --git a/main/sdl2_image/CVE-2018-3839.patch b/main/sdl2_image/CVE-2018-3839.patch deleted file mode 100644 index 86370cbc4ce..00000000000 --- a/main/sdl2_image/CVE-2018-3839.patch +++ /dev/null @@ -1,31 +0,0 @@ - -# HG changeset patch -# User Ryan C. Gordon <icculus@icculus.org> -# Date 1518038991 18000 -# Node ID fb643e371806910f1973abfdfe7f981e8dba60f5 -# Parent c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d -xcf: check for some potential integer overflows. - -diff -r c5f9cbb5d2bb -r fb643e371806 IMG_xcf.c ---- a/IMG_xcf.c Wed Feb 07 16:18:54 2018 -0500 -+++ b/IMG_xcf.c Wed Feb 07 16:29:51 2018 -0500 -@@ -595,6 +595,18 @@ - SDL_RWseek(src, layer->hierarchy_file_offset, RW_SEEK_SET); - hierarchy = read_xcf_hierarchy(src); - -+ if (hierarchy->bpp > 4) { /* unsupported. */ -+ SDL_Log("Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp); -+ free_xcf_hierarchy(hierarchy); -+ return 1; -+ } -+ -+ if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) { /* arbitrary limit to avoid integer overflow. */ -+ SDL_Log("Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height); -+ free_xcf_hierarchy(hierarchy); -+ return 1; -+ } -+ - level = NULL; - for (i = 0; hierarchy->level_file_offsets[i]; i++) { - SDL_RWseek(src, hierarchy->level_file_offsets[i], RW_SEEK_SET); - diff --git a/main/sdl2_image/CVE-2019-13616.patch b/main/sdl2_image/CVE-2019-13616.patch new file mode 100644 index 00000000000..cb0fe87a389 --- /dev/null +++ b/main/sdl2_image/CVE-2019-13616.patch 
@@ -0,0 +1,24 @@ + +# HG changeset patch +# User Sam Lantinga <slouken@libsdl.org> +# Date 1564509612 25200 +# Node ID ba45f00879ba0b957780e1fd28304c41503c1737 +# Parent f1baffa48926c4c76f482f21a240667e9159d1d5 +Fixed bug 4538 - validate image size when loading BMP files + +diff -r f1baffa48926 -r ba45f00879ba IMG_bmp.c +--- a/IMG_bmp.c Tue Jul 30 10:16:02 2019 -0700 ++++ b/IMG_bmp.c Tue Jul 30 11:00:12 2019 -0700 +@@ -351,6 +351,11 @@ + SDL_RWseek(src, (biSize - headerSize), RW_SEEK_CUR); + } + } ++ if (biWidth <= 0 || biHeight == 0) { ++ IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); ++ was_error = SDL_TRUE; ++ goto done; ++ } + if (biHeight < 0) { + topDown = SDL_TRUE; + biHeight = -biHeight; + diff --git a/main/sdl_image/APKBUILD b/main/sdl_image/APKBUILD index 65e0c8b104d..d5f0411fe54 100644 --- a/main/sdl_image/APKBUILD +++ b/main/sdl_image/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=sdl_image pkgver=1.2.12 -pkgrel=3 +pkgrel=4 pkgdesc="A simple library to load images of various formats as SDL surfaces" url="http://www.libsdl.org/projects/SDL_image/" arch="all" @@ -11,7 +11,13 @@ depends="" makedepends="sdl-dev libpng-dev libjpeg-turbo-dev tiff-dev zlib-dev" install="" subpackages="$pkgname-dev" -source="http://www.libsdl.org/projects/SDL_image/release/SDL_image-${pkgver}.tar.gz" +source="http://www.libsdl.org/projects/SDL_image/release/SDL_image-${pkgver}.tar.gz + CVE-2019-13616.patch + " + +# secfixes: +# 1.2.12-r4: +# - CVE-2019-13616 _builddir="$srcdir"/SDL_image-$pkgver prepare() { 
@@ -42,4 +48,5 @@ package() { make DESTDIR="$pkgdir" install || return 1 } -sha512sums="0e71b280abc2a7f15755e4480a3c1b52d41f9f8b0c9216a6f5bd9fc0e939456fb5d6c10419e1d1904785783f9a1891ead278c03e88b0466fecc6871c3ca40136 SDL_image-1.2.12.tar.gz" +sha512sums="0e71b280abc2a7f15755e4480a3c1b52d41f9f8b0c9216a6f5bd9fc0e939456fb5d6c10419e1d1904785783f9a1891ead278c03e88b0466fecc6871c3ca40136 SDL_image-1.2.12.tar.gz +0ae144202435ad35e5ff6ae6b73592cd8ef68dba2704e09ba22f2b9e9d98f547f2ead28327be0594897f2165d2bf5c26f07e8ef72760527e8d9e4e593e8e5f60 CVE-2019-13616.patch" diff --git a/main/sdl_image/CVE-2019-13616.patch b/main/sdl_image/CVE-2019-13616.patch new file mode 100644 index 00000000000..f2ed7c6aa07 --- /dev/null +++ b/main/sdl_image/CVE-2019-13616.patch @@ -0,0 +1,16 @@ +diff --git a/IMG_bmp.c b/IMG_bmp.c +index b3c7580..bfadd45 100644 +--- a/IMG_bmp.c ++++ b/IMG_bmp.c +@@ -272,6 +272,11 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc) + biClrUsed = SDL_ReadLE32(src); + biClrImportant = SDL_ReadLE32(src); + } ++ if (biWidth <= 0 || biHeight == 0) { ++ IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); ++ was_error = SDL_TRUE; ++ goto done; ++ } + if (biHeight < 0) { + topDown = SDL_TRUE; + biHeight = -biHeight; diff --git a/main/sqlite/APKBUILD b/main/sqlite/APKBUILD index ee26f82e4cd..2864c8107f3 100644 --- a/main/sqlite/APKBUILD +++ b/main/sqlite/APKBUILD @@ -2,8 +2,12 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # # secfixes: +# 3.25.3-r1: +# - CVE-2019-8457 +# 3.25.3-r0: +# - CVE-2018-20346 # 3.21.0-r1: -# - CVE-2018-8740 +# - CVE-2018-8740 # pkgname=sqlite pkgver=3.25.3 @@ -22,7 +26,7 @@ esac [ $_d -lt 10 ] && _d=0$_d _ver=${_a}${_b}${_c}${_d} -pkgrel=0 +pkgrel=2 pkgdesc="A C library that implements an SQL database engine" url="http://www.sqlite.org/" arch="all" 
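Review bot: This hunk extends a `# secfixes:` block at the top of main/sqlite/APKBUILD, while the hunk at `@@ -46,11 +54,13 @@` extends a second, separate `# secfixes:` block further down, and the two disagree: the top one lists CVE-2018-20346 under `3.25.3-r0` only, the lower one lists it under both `3.25.3-r2` and `3.25.3-r0`. Only one block should exist; merge them into a single list with each CVE under the pkgrel that first carried its fix. CVE-2019-16168.patch is added to `source=` in the `@@ -30,9 +34,13 @@` hunk but appears in neither block, so the `3.25.3-r2` entry presumably should read `# - CVE-2019-16168`; as written, the tracker is never told that this pkgrel carries that fix.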
@@ -30,9 +34,13 @@ options="!check" license="custom" depends="" makedepends="readline-dev" -source="http://www.sqlite.org/2018/$pkgname-autoconf-$_ver.tar.gz - license.txt" subpackages="$pkgname-doc $pkgname-dev $pkgname-libs" +source="http://www.sqlite.org/2018/$pkgname-autoconf-$_ver.tar.gz + license.txt + CVE-2019-8457.patch + CVE-2019-16168.patch + " +builddir="$srcdir/$pkgname-autoconf-$_ver" _amalgamation="-DSQLITE_ENABLE_FTS4 \ -DSQLITE_ENABLE_FTS3_PARENTHESIS \ @@ -46,11 +54,13 @@ _amalgamation="-DSQLITE_ENABLE_FTS4 \ -DSQLITE_MAX_VARIABLE_NUMBER=250000 \ -DSQLITE_ENABLE_JSON1" -builddir="$srcdir/$pkgname-autoconf-$_ver" - # secfixes: +# 3.25.3-r2: +# - CVE-2018-20346 +# 3.25.3-r1: +# - CVE-2019-8457 # 3.25.3-r0: -# - CVE-2018-20346 +# - CVE-2018-20346 build() { cd "$builddir" @@ -88,4 +98,6 @@ libs() { } sha512sums="5bc501d15367e097f4070185974b0c3a8246c06b205fb2258ed18870ff3fbf120ac5e0ba031a6744af89f7659206e28e7de2f0367bdb190b8412e453b43de4ba sqlite-autoconf-3250300.tar.gz -5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt" +5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt +ab795b18d5426ff9ccad20f413de4f46fce7b532ebbf72dfbafc7db2d2e46453541abe992535c7aea598ec69c8557b477008e58299e3426afd2e8ab458c859e4 CVE-2019-8457.patch +19eb036e0d03543127a9ed67155522952cb7f3ce9da81ee49fba14a1c0bfc2cd0c86acab1b47b794043cac033959d861dce7ec97fca2293cb146a7ee1b83b8fa CVE-2019-16168.patch" diff --git a/main/sqlite/CVE-2019-16168.patch b/main/sqlite/CVE-2019-16168.patch new file mode 100644 index 00000000000..d1be258aecd --- /dev/null +++ b/main/sqlite/CVE-2019-16168.patch 
@@ -0,0 +1,24 @@ +diff --git a/sqlite3.c b/sqlite3.c +index c607252..7c01bbf 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -104242,7 +104242,9 @@ static void decodeIntArray( + if( sqlite3_strglob("unordered*", z)==0 ){ + pIndex->bUnordered = 1; + }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){ +- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3)); ++ int sz = sqlite3Atoi(z+3); ++ if( sz<2 ) sz = 2; ++ pIndex->szIdxRow = sqlite3LogEst(sz); + }else if( sqlite3_strglob("noskipscan*", z)==0 ){ + pIndex->noSkipScan = 1; + } +@@ -141020,6 +141022,7 @@ static int whereLoopAddBtreeIndex( + ** it to pNew->rRun, which is currently set to the cost of the index + ** seek only. Then, if this is a non-covering index, add the cost of + ** visiting the rows in the main table. */ ++ assert( pSrc->pTab->szTabRow>0 ); + rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow; + pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx); + if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){ + diff --git a/main/sqlite/CVE-2019-8457.patch b/main/sqlite/CVE-2019-8457.patch new file mode 100644 index 00000000000..de1e30a2c50 --- /dev/null +++ b/main/sqlite/CVE-2019-8457.patch 
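Review bot: The added `assert( pSrc->pTab->szTabRow>0 )` in whereLoopAddBtreeIndex is compiled out in non-debug builds, so at runtime the division by `pSrc->pTab->szTabRow` on the following line is protected only by the `if( sz<2 ) sz = 2;` clamp added in decodeIntArray. That is sufficient only if decodeIntArray is the sole place szTabRow is derived from the stat string; worth confirming against the rest of sqlite3.c, which lies outside this hunk. A comment above the clamp, e.g. `/* sz is parsed from the stat string; floor it at 2 so szTabRow can never be 0 in the division in whereLoopAddBtreeIndex */`, would record why 2 is the floor. Both enclosing functions continue outside the hunk.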
@@ -0,0 +1,71 @@ +diff --git a/sqlite3.c b/sqlite3.c +index c607252..2c133c5 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -181825,49 +181825,46 @@ rtreeInit_fail: + ** <num-dimension>*2 coordinates. + */ + static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){ +- char *zText = 0; + RtreeNode node; + Rtree tree; + int ii; ++ int nData; ++ int errCode; ++ sqlite3_str *pOut; + + UNUSED_PARAMETER(nArg); + memset(&node, 0, sizeof(RtreeNode)); + memset(&tree, 0, sizeof(Rtree)); + tree.nDim = (u8)sqlite3_value_int(apArg[0]); ++ if( tree.nDim<1 || tree.nDim>5 ) return; + tree.nDim2 = tree.nDim*2; + tree.nBytesPerCell = 8 + 8 * tree.nDim; + node.zData = (u8 *)sqlite3_value_blob(apArg[1]); ++ nData = sqlite3_value_bytes(apArg[1]); ++ if( nData<4 ) return; ++ if( nData<NCELL(&node)*tree.nBytesPerCell ) return; + ++ pOut = sqlite3_str_new(0); + for(ii=0; ii<NCELL(&node); ii++){ +- char zCell[512]; +- int nCell = 0; + RtreeCell cell; + int jj; + + nodeGetCell(&tree, &node, ii, &cell); +- sqlite3_snprintf(512-nCell,&zCell[nCell],"%lld", cell.iRowid); +- nCell = (int)strlen(zCell); ++ if( ii>0 ) sqlite3_str_append(pOut, " ", 1); ++ sqlite3_str_appendf(pOut, "{%lld", cell.iRowid); + for(jj=0; jj<tree.nDim2; jj++){ + #ifndef SQLITE_RTREE_INT_ONLY +- sqlite3_snprintf(512-nCell,&zCell[nCell], " %g", +- (double)cell.aCoord[jj].f); ++ sqlite3_str_appendf(pOut, " %g", (double)cell.aCoord[jj].f); + #else +- sqlite3_snprintf(512-nCell,&zCell[nCell], " %d", +- cell.aCoord[jj].i); ++ sqlite3_str_appendf(pOut, " %d", cell.aCoord[jj].i); + #endif +- nCell = (int)strlen(zCell); +- } +- +- if( zText ){ +- char *zTextNew = sqlite3_mprintf("%s {%s}", zText, zCell); +- sqlite3_free(zText); +- zText = zTextNew; +- }else{ +- zText = sqlite3_mprintf("{%s}", zCell); + } ++ sqlite3_str_append(pOut, "}", 1); + } + +- sqlite3_result_text(ctx, zText, -1, sqlite3_free); ++ errCode = sqlite3_str_errcode(pOut); ++ sqlite3_result_text(ctx, sqlite3_str_finish(pOut), -1, sqlite3_free); ++ 
sqlite3_result_error_code(ctx, errCode); + } + + /* This routine implements an SQL function that returns the "depth" parameter + diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD index d6055dcd223..ebc43a73eaf 100644 --- a/main/squid/APKBUILD +++ b/main/squid/APKBUILD @@ -117,15 +117,8 @@ squid_kerb_auth() { mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/ } sha512sums="4172a053c3b7ffe7a12dfb3febac96942d0fbbe7e98e3f797f22cd75b0a3a89cbbfe7260b5daad099e79d5e9303bb5dfbfee7499cb30a90590aa1bd242ff4817 squid-3.5.27.tar.xz -<<<<<<< HEAD a403573bf3d3d600f7a1ff8639f0f48ac45963b028c7aa09e00f95173b7a9d46c42c21a609d987a18869d850a4be0537c3dc0d0f10398b67509b2a43ccf81776 bug-3679.patch -======= -d08d87d4cf97e794735e29ed2a273e27757a9ef95059cf6a2e2855a0c56e92d9e665b85115c9f3b699974447a7b9cccadb0a8ce606beedb41d27df8361241f8b SQUID-2018_1.patch -392442527ead5cbb045f6eded522c9aff6ce395034ca028e7298394eccb6ed5b06c814f966ddc6cb264b9a37bf7ae2751e3ed87853566b1d7b757d99280fe60c SQUID-2018_2.patch -20a036b34f7a595d83e707180d831c4adc9b7432f09be5341cfe7b3b00cbe3e5c0de07376a67834b94e08c849703822371eb71938a024307cb52cf8ef52138e8 SQUID-2018_3.patch -d44d0688a416ce993e186afe77051f764c7b01f452cfe27474a7876bc7f58e36c15c06978eedb189b98e276f512aa3bd58992a08668e89a5ef9cd843c22af72a bug-3679.patch 9ca3f86fbce36f109a35c35cdb0a9ed21a6fe5cbe7bbb4b92f4527fedd57c19599d338087b099e048084db0374b2ea28bdcbe1798fa37aea8a13d54f6cc0d6a4 CVE-2019-13345.patch ->>>>>>> 61747ef724... main/squid: fix CVE-2019-13345 15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd 7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd 89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate" 
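Review bot: `errCode` is read with `sqlite3_str_errcode(pOut)` before `sqlite3_str_finish(pOut)` hands the buffer to the result and releases the builder, which is the required order, but nothing in the code says so and a later reordering would read a freed object; a comment on the `errCode =` line such as `/* must be read before sqlite3_str_finish() frees pOut */` would pin it. The three new early `return`s (nDim outside 1..5, blob shorter than 4 bytes, blob smaller than NCELL*nBytesPerCell) leave the function result unset, so a malformed node blob yields SQL NULL with no error text; that is a reasonable defensive choice for a debugging function, but a one-line comment at the first `return` stating that invalid input intentionally produces NULL would save the next reader from treating it as an omission.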
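Review bot: The hunk resolves a git conflict that had been committed into `sha512sums=` (the `<<<<<<< HEAD`, `=======` and `>>>>>>>` markers), and in doing so drops the checksums for SQUID-2018_1.patch, SQUID-2018_2.patch and SQUID-2018_3.patch while keeping CVE-2019-13345.patch from the other side. Whether that is the right resolution depends on `source=`, which is outside this hunk: if those three patches are still listed there, the build fails at checksum verification, and if they were dropped, any `# secfixes:` entries that relied on them need re-checking. The conflict also left two different checksums for bug-3679.patch (the `a403…` line is kept, the `d44d…` line removed); confirm the kept one matches the file in the tree.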
diff --git a/main/subversion/APKBUILD b/main/subversion/APKBUILD index 554d0543cbe..1cd95f6a9c4 100644 --- a/main/subversion/APKBUILD +++ b/main/subversion/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=subversion -pkgver=1.9.7 +pkgver=1.9.12 pkgrel=0 pkgdesc="Replacement for CVS, another versioning system (svn)" url="http://subversion.apache.org/" @@ -24,6 +24,9 @@ source="http://archive.apache.org/dist/$pkgname/$pkgname-$pkgver.tar.bz2 _builddir="$srcdir"/$pkgname-$pkgver # secfixes: +# 1.9.12-r0: +# - CVE-2018-11782 +# - CVE-2019-0203 # 1.9.7-r0: # - CVE-2017-9800 @@ -95,7 +98,7 @@ py() { mv "${pkgdir}"/usr/lib/*py* "${subpkgdir}${pypath}" } -sha512sums="a55efd3edaddbc099450d849fcc6fe5a8d20b85ece966d8ac2fd73ee9cb4255a0349bbcfceb4e9fca6daf054ce7c648eff8d273c6873f5dade6e62dcea7eeb2b subversion-1.9.7.tar.bz2 +sha512sums="08a5c6c0233cc1dbd992180d2077eb1c67725682c457d3f67ebb6d22db0f6b64002a699ab828d435b708340ce6fb07bb1f03d11daefb887053c427ed75ad2de7 subversion-1.9.12.tar.bz2 fb219c45b80602d919176cc191394df09f90d0f5c7d24e6a36b166bd92777ecae67eeac1e49c0ffbb0e724396b3d2094dbb0bef17d01dc87d418b1cd554bd7c4 subversion-1.7.0-deplibs.patch fd6e5f45cff4d3cf0d885a34c822b32141b13b199d99ad8e1b04d641c9c1ee27e73f5c556a4ad54a900b6d39cc14afad17b6738d8af44c76758f1a27b4d49f9a subversion-perl-deplibs.patch 7fe993443d4d3ef5e1e75f60e85036ee0b2bb2636c2c830210e64f525f95ae4c10ca1dc4504fc36915ec9391815becbe7cbf5f589c28609386d8d079ed02c630 svnserve.confd diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 7e055fe1c94..e2a620c3c7a 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Michael Mason <ms13sp@gmail.com> pkgname=tiff pkgver=4.0.10 -pkgrel=0 +pkgrel=2 pkgdesc="Provides support for the Tag Image File Format or TIFF" url="http://www.libtiff.org/" arch="all" 
@@ -15,9 +15,15 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" builddir="$srcdir/$pkgname-$pkgver" source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz CVE-2018-12900.patch + CVE-2019-14973-rebased.patch + CVE-2019-17546.patch " # secfixes: +# 4.0.10-r2: +# - CVE-2019-10927 +# 4.0.10-r1: +# - CVE-2019-14973 # 4.0.10-r0: # - CVE-2018-12900 # - CVE-2018-18557 @@ -87,4 +93,6 @@ tools() { } sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz -c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch" +c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch +4567184ea17028dbf90753dbebce221881ec26632d88f02d4f6b56556fc19bb9134523f16487707fdd908f21c7bc4660103d0a95f3ccf0890ad4f0d93e81c503 CVE-2019-14973-rebased.patch +140a6f435a682c5fd2a56e364e0d7448e56b8bf20c8db45db8b15ffd711fa6449f6cdaecab417d7fa96fc832d8eebd40423658153c05dd4f25f769b4b346d5f1 CVE-2019-17546.patch" diff --git a/main/tiff/CVE-2019-14973-rebased.patch b/main/tiff/CVE-2019-14973-rebased.patch new file mode 100644 index 00000000000..9bd5c846aee --- /dev/null +++ b/main/tiff/CVE-2019-14973-rebased.patch 
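Review bot: The `secfixes:` entries do not match the patches this hunk adds to `source=`: `CVE-2019-17546.patch` is added but CVE-2019-17546 is not listed, while `# 4.0.10-r2:` lists CVE-2019-10927, for which no patch is added. If `10927` is a transcription error the block should read `# 4.0.10-r2:` / `# - CVE-2019-17546`; otherwise the identifier needs its own patch or a pointer to the upstream change that covers it. These comments are parsed into Alpine's security database, so a wrong identifier either hides a fixed CVE from scanners or claims a fix that is not in the package. The `@@ -87,4 +93,6 @@` checksum hunk below agrees with `source=`, so only the comment block needs correcting.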
@@ -0,0 +1,424 @@ +From 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sat, 10 Aug 2019 18:25:03 +0200 +Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other + implementation-defined behaviour (CVE-2019-14973) + +_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow +in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus +signed), which was especially easily triggered on 32-bit builds (with recent +enough compilers that assume that signed multiplication cannot overflow, since +this is undefined behaviour by the C standard). The original issue which lead to +this fix was trigged from tif_fax3.c + +There were also unsafe (implementation defied), and broken in practice on 64bit +builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing +(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known +at that time exploits, but are better to fix in a more bullet-proof way. +Or similarly use of (int64)uint64_var <= 0. 
+--- + libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++----- + libtiff/tif_getimage.c | 6 ++---- + libtiff/tif_luv.c | 8 +------ + libtiff/tif_pixarlog.c | 7 +----- + libtiff/tif_read.c | 38 +++++++++----------------------- + libtiff/tif_strip.c | 35 ++++-------------------------- + libtiff/tif_tile.c | 27 +++-------------------- + libtiff/tiffiop.h | 7 +++++- + 8 files changed, 71 insertions(+), 106 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 4ece162..33fb8a4 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) + return bytes; + } + ++tmsize_t ++_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) ++{ ++ if( first <= 0 || second <= 0 ) ++ { ++ if( tif != NULL && where != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, where, ++ "Invalid argument to _TIFFMultiplySSize() in %s", where); ++ } ++ return 0; ++ } ++ ++ if( first > TIFF_TMSIZE_T_MAX / second ) ++ { ++ if( tif != NULL && where != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, where, ++ "Integer overflow in %s", where); ++ } ++ return 0; ++ } ++ return first * second; ++} ++ ++tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) ++{ ++ if( val > (uint64)TIFF_TMSIZE_T_MAX ) ++ { ++ if( tif != NULL && module != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); ++ } ++ return 0; ++ } ++ return (tmsize_t)val; ++} ++ + void* + _TIFFCheckRealloc(TIFF* tif, void* buffer, + tmsize_t nmemb, tmsize_t elem_size, const char* what) + { + void* cp = NULL; +- tmsize_t bytes = nmemb * elem_size; +- ++ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); + /* +- * XXX: Check for integer overflow. ++ * Check for integer overflow. 
+ */ +- if (nmemb && elem_size && bytes / elem_size == nmemb) +- cp = _TIFFrealloc(buffer, bytes); ++ if (count != 0) ++ { ++ cp = _TIFFrealloc(buffer, count); ++ } + + if (cp == NULL) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 6a9d5a7..2106ca2 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint32 leftmost_tw; + + tilesize = TIFFTileSize(tif); +- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); ++ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); + if (bufsize == 0) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); + return (0); + } + +@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint16 colorchannels; + + stripsize = TIFFStripSize(tif); +- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); ++ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); + if (bufsize == 0) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); + return (0); + } + +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c +index aa35ea0..46d2dff 100644 +--- a/libtiff/tif_luv.c ++++ b/libtiff/tif_luv.c +@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td) + return (SGILOGDATAFMT_UNKNOWN); + } + +- +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) +- return 0; +- return m1 * m2; ++ return _TIFFMultiplySSize(NULL, m1, m2, NULL); + } + + static int +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index 7438d69..5c9a6bf 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -634,15 +634,10 @@ 
PixarLogGuessDataFmt(TIFFDirectory *td) + return guess; + } + +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) +- return 0; +- return m1 * m2; ++ return _TIFFMultiplySSize(NULL, m1, m2, NULL); + } + + static tmsize_t +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index e63810c..9a82baa 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -29,9 +29,6 @@ + #include "tiffiop.h" + #include <stdio.h> + +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + int TIFFFillStrip(TIFF* tif, uint32 strip); + int TIFFFillTile(TIFF* tif, uint32 tile); + static int TIFFStartStrip(TIFF* tif, uint32 strip); +@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m + #define THRESHOLD_MULTIPLIER 10 + #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) + ++#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF) ++ + /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' + * Returns 1 in case of success, 0 otherwise. 
*/ + static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, +@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) + return ((tmsize_t)(-1)); + } + bytecount = td->td_stripbytecount[strip]; +- if ((int64)bytecount <= 0) { +-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) +- TIFFErrorExt(tif->tif_clientdata, module, +- "%I64u: Invalid strip byte count, strip %lu", +- (unsigned __int64) bytecount, +- (unsigned long) strip); +-#else +- TIFFErrorExt(tif->tif_clientdata, module, +- "%llu: Invalid strip byte count, strip %lu", +- (unsigned long long) bytecount, +- (unsigned long) strip); +-#endif +- return ((tmsize_t)(-1)); +- } +- bytecountm = (tmsize_t)bytecount; +- if ((uint64)bytecountm!=bytecount) { +- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); ++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module); ++ if (bytecountm == 0) { + return ((tmsize_t)(-1)); + } + if (size != (tmsize_t)(-1) && size < bytecountm) +@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[strip]; +- if ((int64)bytecount <= 0) { ++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "Invalid strip byte count %I64u, strip %lu", +@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; +- if( (int64)newbytecount >= 0 ) ++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) + { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, +@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) + bytecount64 = td->td_stripbytecount[tile]; + if (size != (tmsize_t)(-1) && (uint64)size < 
bytecount64) + bytecount64 = (uint64)size; +- bytecountm = (tmsize_t)bytecount64; +- if ((uint64)bytecountm!=bytecount64) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); ++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module); ++ if( bytecountm == 0 ) { + return ((tmsize_t)(-1)); + } + return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); +@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[tile]; +- if ((int64)bytecount <= 0) { ++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid tile byte count, tile %lu", +@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; +- if( (int64)newbytecount >= 0 ) ++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) + { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, +diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c +index 5b76fba..2366acf 100644 +--- a/libtiff/tif_strip.c ++++ b/libtiff/tif_strip.c +@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) + { + static const char module[] = "TIFFVStripSize"; + uint64 m; +- tmsize_t n; + m=TIFFVStripSize64(tif,nrows); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif) + { + static const char module[] = "TIFFStripSize"; + uint64 m; +- tmsize_t n; + m=TIFFStripSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return 
_TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif) + { + static const char module[] = "TIFFScanlineSize"; + uint64 m; +- tmsize_t n; + m=TIFFScanlineSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif) + { + static const char module[] = "TIFFRasterScanlineSize"; + uint64 m; +- tmsize_t n; + m=TIFFRasterScanlineSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* vim: set ts=8 sts=8 sw=8 noet: */ +diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c +index 58fe935..661cc77 100644 +--- a/libtiff/tif_tile.c ++++ b/libtiff/tif_tile.c +@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif) + { + static const char module[] = "TIFFTileRowSize"; + uint64 m; +- tmsize_t n; + m=TIFFTileRowSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) + { + static const char module[] = "TIFFVTileSize"; + uint64 m; +- tmsize_t n; + m=TIFFVTileSize64(tif,nrows); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif) + { + static const char module[] = "TIFFTileSize"; + uint64 m; +- tmsize_t n; + m=TIFFTileSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return 
_TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index 186c291..558484f 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); + #define FALSE 0 + #endif + ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + typedef struct client_info { + struct client_info *next; + void *data; +@@ -258,7 +261,7 @@ struct tiff { + #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) + #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) + +-/* Safe multiply which returns zero if there is an integer overflow */ ++/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ + #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) +@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; + + extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); + extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); ++extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); ++extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); + extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); + extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); + +-- +2.23.0 + diff --git a/main/tiff/CVE-2019-17546.patch b/main/tiff/CVE-2019-17546.patch new file mode 100644 index 00000000000..c04f0a34281 --- /dev/null +++ b/main/tiff/CVE-2019-17546.patch 
@@ -0,0 +1,105 @@ +From 4bb584a35f87af42d6cf09d15e9ce8909a839145 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 15 Aug 2019 15:05:28 +0200 +Subject: [PATCH] RGBA interface: fix integer overflow potentially causing + write heap buffer overflow, especially on 32 bit builds. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS + Fuzz + +--- + libtiff/tif_getimage.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index c88b5fa6..4da785d3 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) + { ++ uint32 temp; + rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; + nrow = (row + rowstoread > h ? h - row : rowstoread); + nrowsub = nrow; + if ((nrowsub%subsamplingver)!=0) + nrowsub+=subsamplingver-nrowsub%subsamplingver; ++ temp = (row + img->row_offset)%rowsperstrip + nrowsub; ++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); ++ return 0; ++ } + if (_TIFFReadEncodedStripAndAllocBuffer(tif, + TIFFComputeStrip(tif,row+img->row_offset, 0), + (void**)(&buf), + maxstripsize, +- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) ++ temp * scanline)==(tmsize_t)(-1) + && (buf == NULL || img->stoponerr)) + { + ret = 0; +@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + fromskew = (w < imagewidth ? imagewidth - w : 0); + for (row = 0; row < h; row += nrow) + { ++ uint32 temp; + rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; + nrow = (row + rowstoread > h ? 
h - row : rowstoread); + offset_row = row + img->row_offset; ++ temp = (row + img->row_offset)%rowsperstrip + nrow; ++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); ++ return 0; ++ } + if( buf == NULL ) + { + if (_TIFFReadEncodedStripAndAllocBuffer( + tif, TIFFComputeStrip(tif, offset_row, 0), + (void**) &buf, bufsize, +- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ temp * scanline)==(tmsize_t)(-1) + && (buf == NULL || img->stoponerr)) + { + ret = 0; +@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + } + else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), +- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ p0, temp * scanline)==(tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + if (colorchannels > 1 + && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), +- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) ++ p1, temp * scanline) == (tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + } + if (colorchannels > 1 + && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), +- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) ++ p2, temp * scanline) == (tmsize_t)(-1) + && img->stoponerr) + { + ret = 0; +@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + if (alpha) + { + if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), +- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) ++ pa, temp * scanline)==(tmsize_t)(-1) + && img->stoponerr) + { + ret = 
0; +-- +2.22.0 + + diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD index 869dec1c23a..906ab128cd8 100644 --- a/main/tzdata/APKBUILD +++ b/main/tzdata/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=tzdata -pkgver=2019a -_tzcodever=2019a +pkgver=2019c +_tzcodever=2019c _ptzver=0.5 pkgrel=0 pkgdesc="Timezone data" @@ -57,8 +57,8 @@ package() { "$pkgdir"/usr/bin/posixtz } -sha512sums="7cc76ce6be4a67c3e1b2222cb632d2de9dabb76899793a938f87a1d4bb20e462cabdae9e3b986aaabaa400795370510095d236dbad5aff4c192d0887f0ecedf5 tzcode2019a.tar.gz -d8eb5b2b68abee08bd2b0d2134bce85b5c0aee85168e9697a607604ed5be7d1539ac60fda9b37e0c9c793ef6251978bc250563a0af59497fde775499964bb5aa tzdata2019a.tar.gz +sha512sums="61ef36385f501c338c263081486de0d1fccd454b86f8777b0dbad4ea3f21bbde059d0a91c23e207b167ed013127d3db8b7528f0188814a8b44d1f946b19d9b8b tzcode2019c.tar.gz +2921cbb2fd44a6b8f7f2ed42c13fbae28195aa5c2eeefa70396bc97cdbaad679c6cc3c143da82cca5b0279065c02389e9af536904288c12886bf345baa8c6565 tzdata2019c.tar.gz 68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz 0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch" diff --git a/main/wavpack/APKBUILD b/main/wavpack/APKBUILD index 12b44ba3cb7..f5b1af74a55 100644 --- a/main/wavpack/APKBUILD +++ b/main/wavpack/APKBUILD 
@@ -3,7 +3,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=wavpack pkgver=5.1.0 -pkgrel=3 +pkgrel=4 pkgdesc="Audio compression format with lossless, lossy, and hybrid compression modes" url="http://www.wavpack.com/" arch="all" @@ -18,10 +18,19 @@ source="http://www.wavpack.com/${pkgname}-${pkgver}.tar.bz2 CVE-2018-10538_10539_10540.patch CVE-2018-19840.patch CVE-2018-19841.patch + CVE-2019-1010315.patch + CVE-2019-11498.patch + CVE-2019-1010317.patch + CVE-2019-1010319.patch " builddir="$srcdir"/$pkgname-$pkgver # secfixes: +# 5.1.0-r4: +# - CVE-2019-1010319 +# - CVE-2019-1010317 +# - CVE-2019-1010315 +# - CVE-2019-11498 # 5.1.0-r3: # - CVE-2018-19840 # - CVE-2018-19841 
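Review bot: `CVE-2019-11498.patch` depends on `CVE-2019-1010315.patch` being applied first: its pre-image blob (`index f357181..193adee` in the new file below) is the post-image of the 1010315 patch (`index 0ac4321..f357181`), and its context lines already contain the `numChannels = 0` and `if (!config->num_channels)` changes that 1010315 introduces. abuild's default `prepare()` applies patches in `source=` order, so the current order works, but nothing records the dependency; a comment placed before the `source=` assignment (not inside the quoted list, where it would become part of the string), e.g. `# CVE-2019-11498.patch applies on top of CVE-2019-1010315.patch; keep that order`, would prevent a later alphabetical reorder from breaking the build with a rejected hunk. The `secfixes:` entries list the same four identifiers as `source=`, which is consistent.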
@@ -79,4 +88,8 @@ sha512sums="4c31616ae63c3a875afa20f26ce935f7a8f9921e2892b4b8388eca3ccd83b2d686f4
 fd7ff58c53f9b4cec335e36017c5b1709c5526a2d44a54dfbeb050ea303997418d1fa312ebe39f521a35a6f2151b8a0f5845ee9bf6bbda22bef036e9fc0166a5 CVE-2018-10536_10537.patch
 a59eff2a8f47d4383f33667e7737f5e2e639778b367340169f1c5d6335c8948cfd8e1a7554e8b6c05a59d80a04048cf137c0f4fdfd88d2d88757404d3dac31ee CVE-2018-10538_10539_10540.patch
 67d02dd744c638d126cf5a894d1ff2c39726bd4d3771ef7410ea782e5c9a0f9341909432bd4bea9b8959891c38699601c1aac2da6e0eaddaa5a4d679e7f58dd2 CVE-2018-19840.patch
-dba007fa8cb2537b6f6c8ee559a98e501e948260ce7e7af7d3fdc8c9145bbbbf85c8fed8030de354459c4b08d3015a0ea769a948636bdfd66e567c0a2d2493c6 CVE-2018-19841.patch"
+dba007fa8cb2537b6f6c8ee559a98e501e948260ce7e7af7d3fdc8c9145bbbbf85c8fed8030de354459c4b08d3015a0ea769a948636bdfd66e567c0a2d2493c6 CVE-2018-19841.patch
+46d0fb4483e5ea824b1bce67f2ea76894e16b3f86cd28f234c1e393ea1d859ac304f44f22a7e32cdfbd83ff83d99fc147e0f9de932ee674c4f565cc92e279c28 CVE-2019-1010315.patch
+30ad915f481eef07737cb95e44c1988441b72d0fc6731c4e48b391deb44168ad7536e0e7c3c9363e18f27814cade4c784e9a61e6a46e103aa88db0b42cef57e3 CVE-2019-11498.patch
+91b0fdefdfe2a3f135f3fdf947b43a7bc347e4cd21804d0e4997066997a32bc9bb218cc2ef6b1733c011d83c22035efd22cf993b7af5d0fa540441a3e9685c3c CVE-2019-1010317.patch
+a180c662d41e96913b946782ae4679b944029d0d62161a7fc204c0b2ff898409a375a33d2376885fe425c449128de61f161867d1c264120682c0708aeea2d21e CVE-2019-1010319.patch"
diff --git a/main/wavpack/CVE-2019-1010315.patch b/main/wavpack/CVE-2019-1010315.patch
new file mode 100644
index 00000000000..b52d8884a00
--- /dev/null
+++ b/main/wavpack/CVE-2019-1010315.patch
@@ -0,0 +1,36 @@ +From 4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc Mon Sep 17 00:00:00 2001 +From: David Bryant <david@wavpack.com> +Date: Sat, 2 Mar 2019 18:37:14 -0800 +Subject: [PATCH] issue #65: make sure DSDIFF files have a valid channel count + +--- + cli/dsdiff.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/cli/dsdiff.c b/cli/dsdiff.c +index 0ac4321..f357181 100644 +--- a/cli/dsdiff.c ++++ b/cli/dsdiff.c +@@ -180,7 +180,7 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa + + if (!strncmp (prop_chunk, "SND ", 4)) { + char *cptr = prop_chunk + 4, *eptr = prop_chunk + dff_chunk_header.ckDataSize; +- uint16_t numChannels, chansSpecified, chanMask = 0; ++ uint16_t numChannels = 0, chansSpecified, chanMask = 0; + uint32_t sampleRate; + + while (eptr - cptr >= sizeof (dff_chunk_header)) { +@@ -279,6 +279,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa + free (prop_chunk); + } + else if (!strncmp (dff_chunk_header.ckID, "DSD ", 4)) { ++ ++ if (!config->num_channels) { ++ error_line ("%s is not a valid .DFF file!", infilename); ++ return WAVPACK_SOFT_ERROR; ++ } ++ + total_samples = dff_chunk_header.ckDataSize / config->num_channels; + break; + } + diff --git a/main/wavpack/CVE-2019-1010317.patch b/main/wavpack/CVE-2019-1010317.patch new file mode 100644 index 00000000000..94f90275b82 --- /dev/null +++ b/main/wavpack/CVE-2019-1010317.patch 
@@ -0,0 +1,40 @@ +From f68a9555b548306c5b1ee45199ccdc4a16a6101b Mon Sep 17 00:00:00 2001 +From: David Bryant <david@wavpack.com> +Date: Mon, 4 Mar 2019 21:09:41 -0800 +Subject: [PATCH] issue #66: make sure CAF files have a "desc" chunk + +--- + cli/caff.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/cli/caff.c b/cli/caff.c +index 2a5e2d9..a35da74 100644 +--- a/cli/caff.c ++++ b/cli/caff.c +@@ -152,7 +152,7 @@ static struct { + + int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config) + { +- uint32_t chan_chunk = 0, channel_layout = 0, bcount; ++ uint32_t chan_chunk = 0, desc_chunk = 0, channel_layout = 0, bcount; + unsigned char *channel_identities = NULL; + unsigned char *channel_reorder = NULL; + int64_t total_samples = 0, infilesize; +@@ -218,6 +218,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack + } + + WavpackBigEndianToNative (&caf_audio_format, CAFAudioFormatFormat); ++ desc_chunk = 1; + + if (debug_logging_mode) { + char formatstr [5]; +@@ -458,7 +459,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack + else if (!strncmp (caf_chunk_header.mChunkType, "data", 4)) { // on the data chunk, get size and exit loop + uint32_t mEditCount; + +- if (!DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) || ++ if (!desc_chunk || !DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) || + bcount != sizeof (mEditCount)) { + error_line ("%s is not a valid .CAF file!", infilename); + return WAVPACK_SOFT_ERROR; + diff --git a/main/wavpack/CVE-2019-1010319.patch b/main/wavpack/CVE-2019-1010319.patch new file mode 100644 index 00000000000..6a53ef8fbbc --- /dev/null +++ b/main/wavpack/CVE-2019-1010319.patch 
@@ -0,0 +1,23 @@ +From 33a0025d1d63ccd05d9dbaa6923d52b1446a62fe Mon Sep 17 00:00:00 2001 +From: David Bryant <david@wavpack.com> +Date: Tue, 5 Mar 2019 21:21:48 -0800 +Subject: [PATCH] issue #68: clear WaveHeader at start to prevent uninitialized + read + +--- + cli/wave64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cli/wave64.c b/cli/wave64.c +index 7beffe6..59548b1 100644 +--- a/cli/wave64.c ++++ b/cli/wave64.c +@@ -56,6 +56,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa + int format_chunk = 0; + uint32_t bcount; + ++ CLEAR (WaveHeader); + infilesize = DoGetFileSize (infile); + memcpy (&filehdr, fourcc, 4); + + diff --git a/main/wavpack/CVE-2019-11498.patch b/main/wavpack/CVE-2019-11498.patch new file mode 100644 index 00000000000..c94aee14665 --- /dev/null +++ b/main/wavpack/CVE-2019-11498.patch 
@@ -0,0 +1,32 @@ +From bc6cba3f552c44565f7f1e66dc1580189addb2b4 Mon Sep 17 00:00:00 2001 +From: David Bryant <david@wavpack.com> +Date: Tue, 5 Mar 2019 21:32:27 -0800 +Subject: [PATCH] issue #67: make sure sample rate is specified and non-zero in + DFF files + +--- + cli/dsdiff.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/cli/dsdiff.c b/cli/dsdiff.c +index f357181..193adee 100644 +--- a/cli/dsdiff.c ++++ b/cli/dsdiff.c +@@ -181,7 +181,7 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa + if (!strncmp (prop_chunk, "SND ", 4)) { + char *cptr = prop_chunk + 4, *eptr = prop_chunk + dff_chunk_header.ckDataSize; + uint16_t numChannels = 0, chansSpecified, chanMask = 0; +- uint32_t sampleRate; ++ uint32_t sampleRate = 0; + + while (eptr - cptr >= sizeof (dff_chunk_header)) { + memcpy (&dff_chunk_header, cptr, sizeof (dff_chunk_header)); +@@ -280,7 +280,7 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa + } + else if (!strncmp (dff_chunk_header.ckID, "DSD ", 4)) { + +- if (!config->num_channels) { ++ if (!config->num_channels || !config->sample_rate) { + error_line ("%s is not a valid .DFF file!", infilename); + return WAVPACK_SOFT_ERROR; + } diff --git a/main/wpa_supplicant/APKBUILD b/main/wpa_supplicant/APKBUILD index 3378a74fe1b..55524416e8b 100644 --- a/main/wpa_supplicant/APKBUILD +++ b/main/wpa_supplicant/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=wpa_supplicant pkgver=2.6 -pkgrel=10 +pkgrel=11 pkgdesc="A utility providing key negotiation for WPA wireless networks" url="https://w1.fi/wpa_supplicant/" arch="all" 
@@ -21,6 +21,7 @@ source="http://w1.fi/releases/$pkgname-$pkgver.tar.gz rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch 0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch + CVE-2019-16275.patch wpa_supplicant.initd wpa_supplicant.confd @@ -31,6 +32,8 @@ source="http://w1.fi/releases/$pkgname-$pkgver.tar.gz wpa_cli.sh" # secfixes: +# 2.6-r16: +# - CVE-2019-16275 # 2.6-r10: # - CVE-2019-11555 # 2.6-r9: @@ -103,6 +106,7 @@ fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed c275cb1a41901d3e5389ca301809baa16a73b40afdcd3a24b63b294e1b9e5eaead148b30742273deecbdd03c6b387a6b3da74de2ae6c49a499b5dd326ff4da9f rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch 7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch +63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch 11eed22f6e793f40c788d586c715deecae03c421d11761b7b4a376660bce812c54cc6f353c7d4d5da9c455aeffd778baefb9e76d380027a729574a756e54ddcc wpa_supplicant.initd 29103161ec2b9631fca9e8d9a97fafd60ffac3fe78cf613b834395ddcaf8be1e253c22e060d7d9f9b974b2d7ce794caa932a2125e29f6494b75bce475f7b30e1 wpa_supplicant.confd e98edc1ecec91335d515c50cac8816e3f6eef139aba574bcf0c6c20c131ef0de40aa657a33d07af09ab28245471a09cb6b3e29b306e48f46d335a0c47a0a56c4 libressl.patch diff --git a/main/wpa_supplicant/CVE-2019-16275.patch b/main/wpa_supplicant/CVE-2019-16275.patch new file mode 100644 index 00000000000..d764a9db016 --- /dev/null +++ b/main/wpa_supplicant/CVE-2019-16275.patch 
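Review bot: The new `secfixes:` entry is filed under `# 2.6-r16:`, but the pkgrel this commit sets in the `@@ -2,7 +2,7 @@` hunk above is 11, so the header should read `# 2.6-r11:`. These comments are parsed into Alpine's security database, and a release that does not exist for this package means scanners will not associate CVE-2019-16275 with the shipped 2.6-r11. The `source=` and `sha512sums` additions for `CVE-2019-16275.patch` in the neighbouring hunks are consistent with each other, so only the secfixes header needs the change.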
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
diff --git a/main/zeromq/APKBUILD b/main/zeromq/APKBUILD
index 3cfe83e1df1..3edd05f8669 100644
--- a/main/zeromq/APKBUILD
+++ b/main/zeromq/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zeromq
pkgver=4.2.5
-pkgrel=0
+pkgrel=1
pkgdesc="The ZeroMQ messaging library and tools"
url="http://www.zeromq.org/"
arch="all"
@@ -14,10 +14,13 @@ subpackages="$pkgname-dev $pkgname-doc libzmq:libs"
source="https://github.com/zeromq/libzmq/releases/download/v$pkgver/$pkgname-$pkgver.tar.gz
test-driver.patch
CVE-2019-6250.patch
+ CVE-2019-13132.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.2.5-r1:
+# - CVE-2019-13132
# 4.2.5-r0:
# - CVE-2019-6250
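Review bot: Both added guards log the rejected frame only at `MSG_DEBUG`, so in a normal deployment an AP that is receiving Management frames with a multicast, zero or self source address leaves no trace in its logs; as a straight backport that is acceptable, but an operator who wants to detect the condition would need a counter or an `MSG_INFO` line, and the package commit message could say that upstream behaviour is kept as-is. In drv_callbacks.c the new check returns 0 where the `no address` case just above it returns -1; that matches the "ignore silently" intent, but any caller that distinguishes the two return values will treat a spoofed-SA indication as handled rather than rejected. Both enclosing functions start and end outside the hunk.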
@@ -47,4 +50,5 @@ package() {
sha512sums="4556cb50d05a6d133015a0ba804d6d951a47479a33fa29561eaeecb93d48b7bb6477365d0986c38b779f500cadaf08522c4a7aa13f5510303bd923f794d37036 zeromq-4.2.5.tar.gz
64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660 test-driver.patch
-ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d CVE-2019-6250.patch"
+ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d CVE-2019-6250.patch
+e70db052cced7110ff0066c495a1230459710e31bb1f6afd6f01194ac024c625cf365413d81fccf1c4e1670f9ec6e5ed340fddf9e06a0b726ed79009db92c587 CVE-2019-13132.patch"
diff --git a/main/zeromq/CVE-2019-13132.patch b/main/zeromq/CVE-2019-13132.patch
new file mode 100644
index 00000000000..39c80d7996e
--- /dev/null
+++ b/main/zeromq/CVE-2019-13132.patch
@@ -0,0 +1,110 @@
+From 4287cd2274ad48faa2b5346b6108f05b32ec20f2 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Tue, 2 Jul 2019 01:24:19 +0100
+Subject: [PATCH] Problem: application metadata not parsed correctly when using
+ CURVE
+
+Solution: create buffers large enough to contain arbitrary metadata
+---
+ src/curve_server.cpp | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/src/curve_server.cpp b/src/curve_server.cpp
+index 6938a637..d3a710db 100644
+--- a/src/curve_server.cpp
++++ b/src/curve_server.cpp
+@@ -327,8 +327,12 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ const size_t clen = (size - 113) + crypto_box_BOXZEROBYTES;
+
+ uint8_t initiate_nonce[crypto_box_NONCEBYTES];
+- uint8_t initiate_plaintext[crypto_box_ZEROBYTES + 128 + 256];
+- uint8_t initiate_box[crypto_box_BOXZEROBYTES + 144 + 256];
++ uint8_t *initiate_plaintext =
++ static_cast<uint8_t *> (malloc (crypto_box_ZEROBYTES + clen));
++ alloc_assert (initiate_plaintext);
++ uint8_t *initiate_box =
++ static_cast<uint8_t *> (malloc (crypto_box_BOXZEROBYTES + clen));
++ alloc_assert (initiate_box);
+
+ // Open Box [C + vouch + metadata](C'->S')
+ memset (initiate_box, 0, crypto_box_BOXZEROBYTES);
+@@ -339,6 +343,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ memcpy (initiate_nonce + 16, initiate + 105, 8);
+ cn_peer_nonce = get_uint64 (initiate + 105);
+
++ const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
++
+ rc = crypto_box_open (initiate_plaintext, initiate_box, clen,
+ initiate_nonce, cn_client, cn_secret);
+ if (rc != 0) {
+@@ -346,11 +352,10 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ session->get_socket ()->event_handshake_failed_protocol (
+ session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
+ errno = EPROTO;
+- return -1;
++ rc = -1;
++ goto exit;
+ }
+
+- const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
+-
+ uint8_t vouch_nonce[crypto_box_NONCEBYTES];
+ uint8_t vouch_plaintext[crypto_box_ZEROBYTES + 64];
+ uint8_t vouch_box[crypto_box_BOXZEROBYTES + 80];
+@@ -371,7 +376,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ session->get_socket ()->event_handshake_failed_protocol (
+ session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
+ errno = EPROTO;
+- return -1;
++ rc = -1;
++ goto exit;
+ }
+
+ // What we decrypted must be the client's short-term public key
+@@ -383,7 +389,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ session->get_socket ()->event_handshake_failed_protocol (
+ session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_KEY_EXCHANGE);
+ errno = EPROTO;
+- return -1;
++ rc = -1;
++ goto exit;
+ }
+
+ // Precompute connection secret from client key
+@@ -405,7 +412,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ // is attempted)
+ rc = receive_and_process_zap_reply ();
+ if (rc == -1)
+- return -1;
++ goto exit;
+ } else if (!options.zap_enforce_domain) {
+ // This supports the Stonehouse pattern (encryption without
+ // authentication) in legacy mode (domain set but no handler).
+@@ -413,15 +420,21 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ } else {
+ session->get_socket ()->event_handshake_failed_no_detail (
+ session->get_endpoint (), EFAULT);
+- return -1;
++ rc = -1;
++ goto exit;
+ }
+ } else {
+ // This supports the Stonehouse pattern (encryption without authentication).
+ state = sending_ready;
+ }
+
+- return parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
+- clen - crypto_box_ZEROBYTES - 128);
++ rc = parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
++ clen - crypto_box_ZEROBYTES - 128);
++
++exit:
++ free (initiate_plaintext);
++ free (initiate_box);
++ return rc;
+ }
+
+ int zmq::curve_server_t::produce_ready (msg_t *msg_)
+--
+2.20.1
+
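Review bot: The length handed to `parse_metadata`, `clen - crypto_box_ZEROBYTES - 128`, is an unsigned subtraction that wraps to a huge value if `clen` is smaller than `crypto_box_ZEROBYTES + 128`; `clen` is derived from the message `size` at the top of the hunk, and the minimum-size check that would rule this out belongs to the part of process_initiate before the hunk, so it should be confirmed there rather than assumed now that the buffers are sized from `clen` instead of fixed. The `malloc`/`free` pair with a `goto exit` label is sound as far as the hunk shows, since the declarations it jumps over are uninitialised `uint8_t` arrays, but a `std::vector<uint8_t>` (or `std::unique_ptr<uint8_t[]>`) for the two buffers would give the same arbitrary-size fix without the cleanup label and without leaking on any early `return` a later change might add. process_initiate starts and ends outside the hunk.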
diff --git a/main/znc/APKBUILD b/main/znc/APKBUILD
index 98f02ad9228..eecf0435c8c 100644
--- a/main/znc/APKBUILD
+++ b/main/znc/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=znc
pkgver=1.7.1
-pkgrel=0
+pkgrel=1
pkgdesc="Advanced IRC bouncer"
url="http://znc.in"
arch="all"
@@ -14,12 +14,18 @@ pkggroups="$pkgusers"
install="$pkgname.pre-install"
subpackages="$pkgname-dev $pkgname-doc $pkgname-extra $pkgname-modtcl $pkgname-modperl $pkgname-modpython"
-source="http://znc.in/releases/znc-$pkgver.tar.gz
+source="http://znc.in/releases/archive/znc-$pkgver.tar.gz
$pkgname.initd
- $pkgname.confd"
+ $pkgname.confd
+ CVE-2019-9917.patch
+ CVE-2019-12816.patch
+ "
builddir="$srcdir/znc-$pkgver"
# secfixes:
+# 1.7.1-r1:
+# - CVE-2019-9917
+# - CVE-2019-12816
# 1.7.1-r0:
# - CVE-2018-14055
# - CVE-2018-14056
@@ -111,4 +117,6 @@ _mv_to_sub() {
sha512sums="907068fb0828091026d440145b70ca76109302f13c18d94f772660192434287f209a06a52da1dd39726b9a38735b3cea9afbd062eb6def4cd428bb73c562a902 znc-1.7.1.tar.gz
47f9bd00f07861e195333d2cda5b1c7386e2324a1842b890837a7936a94b65b7a269f7fee656a522ec86b58a94bd451a2a3629bd6465578681b8d0733c2c77dc znc.initd
-00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd"
+00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd
+0c1bdb08ce5ca4b0ff8efedff9e711ffceba460594caf14aa1bfd04ca81ec2d3e2b10ed6e34960b8251f2d9d1e95ad1e9093db1aefd36beb35ff92c2e58e84f8 CVE-2019-9917.patch
+187dad0bbe90b354b746ca8dc13bcaf5781cdc86b8c94670ecfbbf2b6e99b3182b588873ec58a475ece06021265f6e7f60a73bae18b28e284387b550dc3ca65d CVE-2019-12816.patch"
diff --git a/main/znc/CVE-2019-12816.patch b/main/znc/CVE-2019-12816.patch
new file mode 100644
index 00000000000..6d4d8b199d7
--- /dev/null
+++ b/main/znc/CVE-2019-12816.patch
@@ -0,0 +1,103 @@
+From 8de9e376ce531fe7f3c8b0aa4876d15b479b7311 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Wed, 12 Jun 2019 08:57:29 +0100
+Subject: [PATCH] Fix remote code execution and privilege escalation
+ vulnerability.
+
+To trigger this, need to have a user already.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+
+CVE-2019-12816
+---
+ include/znc/Modules.h | 1 +
+ src/Modules.cpp | 38 +++++++++++++++++++++++++++++---------
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/include/znc/Modules.h b/include/znc/Modules.h
+index 28fdd3a62..db8f87b81 100644
+--- a/include/znc/Modules.h
++++ b/include/znc/Modules.h
+@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin {
+ private:
+ static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+ CModInfo& Info, CString& sRetMsg);
++ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
+
+ protected:
+ CUser* m_pUser;
+diff --git a/src/Modules.cpp b/src/Modules.cpp
+index 5aec7805a..d41951a8d 100644
+--- a/src/Modules.cpp
++++ b/src/Modules.cpp
+@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const {
+ return nullptr;
+ }
+
++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
++ for (unsigned int a = 0; a < sModule.length(); a++) {
++ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++ sRetMsg =
++ t_f("Module names can only contain letters, numbers and "
++ "underscores, [{1}] is invalid")(sModule);
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+ CModInfo::EModuleType eType, CUser* pUser,
+ CIRCNetwork* pNetwork, CString& sRetMsg) {
+ sRetMsg = "";
+
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ if (FindModule(sModule) != nullptr) {
+ sRetMsg = t_f("Module {1} already loaded.")(sModule);
+ return false;
+@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs,
+
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ CString sModPath, sTmp;
+
+ bool bSuccess;
+@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+ const CString& sModPath, CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ ModInfo.SetName(sModule);
+ ModInfo.SetPath(sModPath);
+
+@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath,
+ // Some sane defaults in case anything errors out below
+ sRetMsg.clear();
+
+- for (unsigned int a = 0; a < sModule.length(); a++) {
+- if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+- ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+- sRetMsg =
+- t_f("Module names can only contain letters, numbers and "
+- "underscores, [{1}] is invalid")(sModule);
+- return nullptr;
+- }
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return nullptr;
+ }
+
+ // The second argument to dlopen() has a long history. It seems clear
diff --git a/main/znc/CVE-2019-9917.patch b/main/znc/CVE-2019-9917.patch
new file mode 100644
index 00000000000..595d95f5537
--- /dev/null
+++ b/main/znc/CVE-2019-9917.patch
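Review bot: `ValidateModuleName` accepts an empty name, because its loop body never runs for a zero-length string; the four callers in the hunk (LoadModule, GetModInfo, GetModPathInfo, OpenModule) then continue with an empty module name, and whether the later path handling tolerates that is not visible here. Adding `if (sModule.empty()) { sRetMsg = "Module name must not be empty"; return false; }` ahead of the loop would close that gap and give callers the same error-message contract as the character check. The explicit range comparisons on `char` are the right choice over `isalnum`: they are locale-independent and reject bytes above 0x7F whether `char` is signed or unsigned.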
@@ -0,0 +1,122 @@
+From 64613bc8b6b4adf1e32231f9844d99cd512b8973 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Fri, 15 Mar 2019 20:34:10 +0000
+Subject: [PATCH] Don't crash if user specified invalid encoding.
+
+This is CVE-2019-9917
+---
+ modules/controlpanel.cpp | 2 +-
+ src/IRCNetwork.cpp | 4 ++--
+ src/User.cpp | 4 ++--
+ src/znc.cpp | 26 ++++++++++++++++++++++----
+ test/integration/tests/scripting.cpp | 7 +++++++
+ 5 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/modules/controlpanel.cpp b/modules/controlpanel.cpp
+index 139c2aefa..109f8c6b0 100644
+--- a/modules/controlpanel.cpp
++++ b/modules/controlpanel.cpp
+@@ -495,7 +495,7 @@ class CAdminMod : public CModule {
+ #ifdef HAVE_ICU
+ else if (sVar == "clientencoding") {
+ pUser->SetClientEncoding(sValue);
+- PutModule("ClientEncoding = " + sValue);
++ PutModule("ClientEncoding = " + pUser->GetClientEncoding());
+ }
+ #endif
+ else
+diff --git a/src/IRCNetwork.cpp b/src/IRCNetwork.cpp
+index 0284dc53e..0e1d6e2a3 100644
+--- a/src/IRCNetwork.cpp
++++ b/src/IRCNetwork.cpp
+@@ -1482,9 +1482,9 @@ void CIRCNetwork::SetBindHost(const CString& s) {
+ }
+
+ void CIRCNetwork::SetEncoding(const CString& s) {
+- m_sEncoding = s;
++ m_sEncoding = CZNC::Get().FixupEncoding(s);
+ if (GetIRCSock()) {
+- GetIRCSock()->SetEncoding(s);
++ GetIRCSock()->SetEncoding(m_sEncoding);
+ }
+ }
+
+diff --git a/src/User.cpp b/src/User.cpp
+index 3fd532a7c..c44cf6070 100644
+--- a/src/User.cpp
++++ b/src/User.cpp
+@@ -1253,9 +1253,9 @@ void CUser::SetAdmin(bool b) { m_bAdmin = b; }
+ void CUser::SetDenySetBindHost(bool b) { m_bDenySetBindHost = b; }
+ void CUser::SetDefaultChanModes(const CString& s) { m_sDefaultChanModes = s; }
+ void CUser::SetClientEncoding(const CString& s) {
+- m_sClientEncoding = s;
++ m_sClientEncoding = CZNC::Get().FixupEncoding(s);
+ for (CClient* pClient : GetAllClients()) {
+- pClient->SetEncoding(s);
++ pClient->SetEncoding(m_sClientEncoding);
+ }
+ }
+ void CUser::SetQuitMsg(const CString& s) { m_sQuitMsg = s; }
+diff --git a/src/znc.cpp b/src/znc.cpp
+index 4e7216ee1..3f4dd2e07 100644
+--- a/src/znc.cpp
++++ b/src/znc.cpp
+@@ -2092,18 +2092,36 @@ void CZNC::ForceEncoding() {
+ m_uiForceEncoding++;
+ #ifdef HAVE_ICU
+ for (Csock* pSock : GetManager()) {
+- if (pSock->GetEncoding().empty()) {
+- pSock->SetEncoding("UTF-8");
+- }
++ pSock->SetEncoding(FixupEncoding(pSock->GetEncoding()));
+ }
+ #endif
+ }
+ void CZNC::UnforceEncoding() { m_uiForceEncoding--; }
+ bool CZNC::IsForcingEncoding() const { return m_uiForceEncoding; }
+ CString CZNC::FixupEncoding(const CString& sEncoding) const {
+- if (sEncoding.empty() && m_uiForceEncoding) {
++ if (!m_uiForceEncoding) {
++ return sEncoding;
++ }
++ if (sEncoding.empty()) {
++ return "UTF-8";
++ }
++ const char* sRealEncoding = sEncoding.c_str();
++ if (sEncoding[0] == '*' || sEncoding[0] == '^') {
++ sRealEncoding++;
++ }
++ if (!*sRealEncoding) {
+ return "UTF-8";
+ }
++#ifdef HAVE_ICU
++ UErrorCode e = U_ZERO_ERROR;
++ UConverter* cnv = ucnv_open(sRealEncoding, &e);
++ if (cnv) {
++ ucnv_close(cnv);
++ }
++ if (U_FAILURE(e)) {
++ return "UTF-8";
++ }
++#endif
+ return sEncoding;
+ }
+
+diff --git a/test/integration/tests/scripting.cpp b/test/integration/tests/scripting.cpp
+index 9dd68d8fa..8f809f50c 100644
+--- a/test/integration/tests/scripting.cpp
++++ b/test/integration/tests/scripting.cpp
+@@ -55,6 +55,13 @@ TEST_F(ZNCTest, Modpython) {
+ ircd.Write(":n!u@h PRIVMSG nick :Hi\xF0, github issue #1229");
+ // "replacement character"
+ client.ReadUntil("Hi\xEF\xBF\xBD, github issue");
++
++ // Non-existing encoding
++ client.Write("PRIVMSG *controlpanel :Set ClientEncoding $me Western");
++ client.Write("JOIN #a\342");
++ client.ReadUntil(
++ ":*controlpanel!znc@znc.in PRIVMSG nick :ClientEncoding = UTF-8");
++ ircd.ReadUntil("JOIN #a\xEF\xBF\xBD");
+ }
+
+ TEST_F(ZNCTest, ModpythonSocket) { |
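Review bot: The name probe in `FixupEncoding` is compiled only under `HAVE_ICU`, so a build without ICU stores the user-supplied string unchecked; that is presumably harmless because no conversion runs without ICU, but the new scripting.cpp test expects `ClientEncoding = UTF-8` unconditionally and would fail on such a build unless that test file is already ICU-only, which the hunk does not show. `SetEncoding` in IRCNetwork.cpp and `SetClientEncoding` in User.cpp now silently replace an unrecognised encoding with UTF-8, and only the controlpanel path echoes the stored value back, so every other caller gets no signal that its setting was discarded; a comment on `FixupEncoding` such as `// Returns "UTF-8" when ICU does not know the name; callers that need to report the effective value must read it back` would make that contract explicit. The `*`/`^` prefix is stripped only for the `ucnv_open` probe while the prefixed string is what gets returned, which looks intentional but deserves a one-line comment at the `sRealEncoding++` site.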