-rw-r--r--.gitlab-ci.yml99
-rw-r--r--community/alpine-make-rootfs/APKBUILD4
-rw-r--r--community/docker/APKBUILD23
-rw-r--r--community/drupal7/APKBUILD7
-rw-r--r--community/exim/APKBUILD14
-rw-r--r--community/ffmpeg/APKBUILD17
-rw-r--r--community/firefox-esr/APKBUILD45
-rw-r--r--community/gvfs/APKBUILD22
-rw-r--r--community/gvfs/CVE-2019-12447.patch33
-rw-r--r--community/gvfs/CVE-2019-12448.patch128
-rw-r--r--community/gvfs/CVE-2019-12449.patch81
-rw-r--r--community/gvfs/CVE-2019-12795.patch93
-rw-r--r--community/imagemagick6/APKBUILD39
-rw-r--r--community/knot/APKBUILD6
-rw-r--r--community/libraw/APKBUILD3
-rw-r--r--community/live-media/0001-Add-a-pkg-config-file-for-the-shared-libraries.patch66
-rw-r--r--community/live-media/0003-Link-shared-libraries-with-g-instead-of-gcc-to-fix-b.patch49
-rw-r--r--community/live-media/0004-Reduce-number-of-unresolved-symbols-by-linking-libra.patch95
-rw-r--r--community/live-media/0005-Build-without-OpenSSL.patch30
-rw-r--r--community/live-media/APKBUILD22
-rw-r--r--community/milter-greylist/APKBUILD6
-rw-r--r--community/milter-greylist/milter-greylist.initd5
-rw-r--r--community/mplayer/APKBUILD2
-rw-r--r--community/nextcloud/APKBUILD4
-rw-r--r--community/opam/APKBUILD15
-rw-r--r--community/openexr/APKBUILD13
-rw-r--r--community/openexr/CVE-2018-18444.patch23
-rw-r--r--community/openjdk7/APKBUILD94
-rw-r--r--community/openjdk7/icedtea-jdk-fix-build.patch2
-rw-r--r--community/openjdk7/icedtea-jdk-revert-7fdd0d6ef2d3.patch1450
-rw-r--r--community/openjdk7/icedtea-jdk-revert-a32dc7400435.patch1377
-rw-r--r--community/openjdk8/APKBUILD82
-rw-r--r--community/openjdk8/icedtea-hotspot-musl.patch4
-rw-r--r--community/openjdk8/icedtea-jdk-getmntent-buffer.patch88
-rw-r--r--community/openjdk8/icedtea-jdk-includes.patch23
-rw-r--r--community/openjdk8/icedtea-jdk-musl.patch28
-rw-r--r--community/openjdk8/icedtea-jdk-tls-nist-curves.patch47
-rw-r--r--community/pdns-recursor/APKBUILD10
-rw-r--r--community/pdns/APKBUILD17
-rw-r--r--community/pdns/README.alpine6
-rw-r--r--community/php7-pecl-timezonedb/APKBUILD29
-rw-r--r--community/php7/APKBUILD26
-rw-r--r--community/py-psutil/APKBUILD13
-rw-r--r--community/py-psutil/CVE-2019-18874.patch576
-rw-r--r--community/ruby-nokogiri/APKBUILD2
-rw-r--r--community/sox/APKBUILD16
-rw-r--r--community/sox/CVE-2019-8355.patch45
-rw-r--r--community/sox/CVE-2019-8356.patch74
-rw-r--r--community/sox/CVE-2019-8357.patch12
-rw-r--r--community/tor/APKBUILD4
-rw-r--r--community/virtualbox-guest-modules-vanilla/APKBUILD2
-rw-r--r--community/vlc/APKBUILD2
-rw-r--r--community/webkit2gtk/APKBUILD74
-rw-r--r--community/webkit2gtk/fix-fast-memory-disabled.patch6
-rw-r--r--community/webkit2gtk/fix-openjpeg.patch11
-rw-r--r--community/webkit2gtk/fix_armv6l.patch23
-rw-r--r--community/webkit2gtk/musl-fixes.patch20
-rw-r--r--community/wireshark/APKBUILD31
-rw-r--r--community/zabbix/APKBUILD6
-rw-r--r--community/znc/APKBUILD8
-rw-r--r--community/znc/CVE-2019-12816.patch103
-rw-r--r--main/acf-core/APKBUILD6
-rw-r--r--main/acf-jquery/APKBUILD8
-rw-r--r--main/alpine-base/APKBUILD2
-rw-r--r--main/alpine-git-mirror-syncd/APKBUILD6
-rw-r--r--main/ansible/APKBUILD45
-rw-r--r--main/apache2/APKBUILD18
-rw-r--r--main/aspell/APKBUILD10
-rw-r--r--main/aspell/CVE-2019-17544.patch39
-rw-r--r--main/asterisk/APKBUILD13
-rw-r--r--main/avahi/APKBUILD14
-rw-r--r--main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch27
-rw-r--r--main/awall/APKBUILD4
-rw-r--r--main/axel/APKBUILD23
-rw-r--r--main/axel/CVE-2020-13614.patch223
-rw-r--r--main/bluez/APKBUILD11
-rw-r--r--main/bluez/CVE-2020-0556.patch188
-rw-r--r--main/busybox/APKBUILD2
-rw-r--r--main/ca-certificates/0003-update-ca-insert-newline-between-certs.patch38
-rw-r--r--main/ca-certificates/APKBUILD15
-rw-r--r--main/chrony/APKBUILD13
-rw-r--r--main/chrony/CVE-2020-14367.patch204
-rw-r--r--main/cups/APKBUILD8
-rw-r--r--main/curl/APKBUILD18
-rw-r--r--main/curl/CVE-2019-5481.patch40
-rw-r--r--main/curl/CVE-2019-5482.patch59
-rw-r--r--main/curl/CVE-2020-8169.patch21
-rw-r--r--main/curl/CVE-2020-8177.patch50
-rw-r--r--main/cvs/APKBUILD77
-rw-r--r--main/cvs/CVE-2017-12836.patch38
-rw-r--r--main/cvs/cvs-1.12.12-CVE-2012-0804.patch30
-rw-r--r--main/cvs/cvs-1.12.12-block-requests.patch140
-rw-r--r--main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch22
-rw-r--r--main/cvs/cvs-1.12.12-fix-massive-leak.patch52
-rw-r--r--main/cvs/cvs-1.12.12-format-security.patch22
-rw-r--r--main/cvs/cvs-1.12.12-getdelim.patch21
-rw-r--r--main/cvs/cvs-1.12.12-hash-nameclash.patch42
-rw-r--r--main/cvs/cvs-1.12.12-install-sh.patch12
-rw-r--r--main/cvs/cvs-1.12.12-mktime-configure.patch201
-rw-r--r--main/cvs/cvs-1.12.12-mktime-x32.patch29
-rw-r--r--main/cvs/cvs-1.12.12-musl.patch13
-rw-r--r--main/cvs/cvs-1.12.12-openat.patch21
-rw-r--r--main/cvs/cvs-1.12.12-rcs2log-coreutils.patch14
-rw-r--r--main/cvs/cvs-musl.patch27
-rw-r--r--main/cyrus-sasl/APKBUILD8
-rw-r--r--main/cyrus-sasl/CVE-2019-19906.patch15
-rw-r--r--main/dahdi-linux-vanilla/APKBUILD2
-rw-r--r--main/dbus/APKBUILD8
-rw-r--r--main/dbus/CVE-2020-12049.patch103
-rw-r--r--main/devicemaster-linux-vanilla/APKBUILD2
-rw-r--r--main/dnsmasq/APKBUILD8
-rw-r--r--main/dnsmasq/CVE-2019-14834.patch46
-rw-r--r--main/dovecot/APKBUILD16
-rw-r--r--main/drbd9-vanilla/APKBUILD2
-rw-r--r--main/dropbear/APKBUILD8
-rw-r--r--main/dropbear/CVE-2018-20685.patch23
-rw-r--r--main/e2fsprogs/APKBUILD23
-rw-r--r--main/e2fsprogs/CVE-2019-5094.patch190
-rw-r--r--main/e2fsprogs/CVE-2019-5188.patch51
-rw-r--r--main/exiv2/APKBUILD10
-rw-r--r--main/exiv2/CVE-2019-17402.patch32
-rw-r--r--main/expat/APKBUILD10
-rw-r--r--main/expat/CVE-2019-15903.patch80
-rw-r--r--main/faad2/APKBUILD39
-rw-r--r--main/faad2/automake.patch11
-rw-r--r--main/file/APKBUILD11
-rw-r--r--main/file/CVE-2019-18218.patch40
-rw-r--r--main/flite/APKBUILD8
-rw-r--r--main/flite/fix-internal-linking.patch90
-rw-r--r--main/freeradius/APKBUILD8
-rw-r--r--main/freeradius/CVE-2019-10143.patch94
-rw-r--r--main/freetds/APKBUILD10
-rw-r--r--main/freetds/CVE-2019-13508.patch30
-rw-r--r--main/freetype/APKBUILD8
-rw-r--r--main/freetype/CVE-2020-15999.patch48
-rw-r--r--main/fribidi/APKBUILD13
-rw-r--r--main/gd/APKBUILD17
-rw-r--r--main/gd/CVE-2018-14553.patch32
-rw-r--r--main/gd/CVE-2019-11038.patch36
-rw-r--r--main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch436
-rw-r--r--main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch41
-rw-r--r--main/ghostscript/APKBUILD31
-rw-r--r--main/ghostscript/CVE-2019-10216.patch49
-rw-r--r--main/ghostscript/CVE-2019-14811-14812-14813.patch69
-rw-r--r--main/ghostscript/CVE-2019-14817.patch218
-rw-r--r--main/ghostscript/CVE-2019-14869.patch58
-rw-r--r--main/git/APKBUILD33
-rw-r--r--main/gnupg/APKBUILD6
-rw-r--r--main/gnutls/APKBUILD19
-rw-r--r--main/gnutls/tests-date-compat.patch12
-rw-r--r--main/gst-plugins-base/APKBUILD12
-rw-r--r--main/gst-plugins-base/CVE-2019-9928.patch13
-rw-r--r--main/haproxy/APKBUILD12
-rw-r--r--main/hostapd/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch92
-rw-r--r--main/hostapd/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch150
-rw-r--r--main/hostapd/0002-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch60
-rw-r--r--main/hostapd/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch59
-rw-r--r--main/hostapd/0003-SAE-Minimize-timing-differences-in-PWE-derivation.patch241
-rw-r--r--main/hostapd/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch47
-rw-r--r--main/hostapd/0004-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch144
-rw-r--r--main/hostapd/0005-SAE-Mask-timing-of-MODP-groups-22-23-24.patch118
-rw-r--r--main/hostapd/0006-SAE-Use-const_time-selection-for-PWE-in-FFC.patch105
-rw-r--r--main/hostapd/0007-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch135
-rw-r--r--main/hostapd/0008-Add-helper-functions-for-constant-time-operations.patch218
-rw-r--r--main/hostapd/0009-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch324
-rw-r--r--main/hostapd/0010-EAP-pwd-server-Detect-reflection-attacks.patch45
-rw-r--r--main/hostapd/0011-EAP-pwd-client-Verify-received-scalar-and-element.patch58
-rw-r--r--main/hostapd/0012-EAP-pwd-server-Verify-received-scalar-and-element.patch58
-rw-r--r--main/hostapd/0013-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch331
-rw-r--r--main/hostapd/0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch (renamed from main/hostapd/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch)0
-rw-r--r--main/hostapd/0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch (renamed from main/hostapd/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch)0
-rw-r--r--main/hostapd/0016-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch31
-rw-r--r--main/hostapd/0017-EAP-pwd-Enforce-1-rand-mask-r-and-rand-mask-mod-r-1.patch121
-rw-r--r--main/hostapd/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch257
-rw-r--r--main/hostapd/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch70
-rw-r--r--main/hostapd/0020-OpenSSL-Use-BN_bn2binpad-or-BN_bn2bin_padded-if-avai.patch66
-rw-r--r--main/hostapd/0021-SAE-Run-through-prf-result-processing-even-if-it-pri.patch59
-rw-r--r--main/hostapd/0022-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch57
-rw-r--r--main/hostapd/0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch45
-rw-r--r--main/hostapd/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch59
-rw-r--r--main/hostapd/0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch51
-rw-r--r--main/hostapd/APKBUILD89
-rw-r--r--main/hostapd/CVE-2019-16275.patch73
-rw-r--r--main/hunspell/APKBUILD13
-rw-r--r--main/hunspell/CVE-2019-16707.patch22
-rw-r--r--main/hylafaxplus/APKBUILD12
-rw-r--r--main/hylafaxplus/CVE-2020-15396-CVE-2020-15397.patch68
-rw-r--r--main/icu/APKBUILD8
-rw-r--r--main/icu/CVE-2020-10531.patch106
-rw-r--r--main/imagemagick/APKBUILD37
-rw-r--r--main/imagemagick/disable-avaraging-tests.patch26
-rw-r--r--main/iproute2/APKBUILD13
-rw-r--r--main/iproute2/CVE-2019-20795.patch42
-rw-r--r--main/json-c/APKBUILD11
-rw-r--r--main/kamailio/0001-mohqueue.patch17
-rw-r--r--main/kamailio/APKBUILD3
-rw-r--r--main/krb5/APKBUILD6
-rw-r--r--main/krb5/CVE-2018-20217.patch72
-rw-r--r--main/krb5/CVE-2020-28196.patch100
-rw-r--r--main/lame/APKBUILD5
-rw-r--r--main/libarchive/APKBUILD22
-rw-r--r--main/libarchive/CVE-2017-14166.patch36
-rw-r--r--main/libarchive/libressl-2.7.patch12
-rw-r--r--main/libcroco/APKBUILD20
-rw-r--r--main/libcroco/CVE-2017-7960.patch59
-rw-r--r--main/libcroco/CVE-2017-7961.patch43
-rw-r--r--main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch29
-rw-r--r--main/libebml/APKBUILD4
-rw-r--r--main/libexif/APKBUILD44
-rw-r--r--main/libexif/CVE-2017-7544.patch20
-rw-r--r--main/libgcrypt/APKBUILD16
-rw-r--r--main/libjpeg-turbo/APKBUILD12
-rw-r--r--main/libjpeg-turbo/CVE-2018-14498.patch110
-rw-r--r--main/libjpeg-turbo/CVE-2019-2201.patch466
-rw-r--r--main/libmad/APKBUILD14
-rw-r--r--main/libmad/length-check.patch817
-rw-r--r--main/libmad/md_size.patch58
-rw-r--r--main/libmspack/APKBUILD11
-rw-r--r--main/libmspack/CVE-2019-1010305.patch39
-rw-r--r--main/librsvg/APKBUILD10
-rw-r--r--main/libseccomp/APKBUILD33
-rw-r--r--main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch36
-rw-r--r--main/libsndfile/APKBUILD2
-rw-r--r--main/libssh/APKBUILD21
-rw-r--r--main/libssh/CVE-2019-14889.patch1957
-rw-r--r--main/libssh/CVE-2020-16135.patch40
-rw-r--r--main/libssh2/APKBUILD14
-rw-r--r--main/libssh2/CVE-2019-17498.patch72
-rw-r--r--main/libtasn1/APKBUILD15
-rw-r--r--main/libtasn1/CVE-2017-10790.patch55
-rw-r--r--main/libuv/APKBUILD4
-rw-r--r--main/libvirt/APKBUILD14
-rw-r--r--main/libvirt/CVE-2019-20485.patch171
-rw-r--r--main/libvirt/CVE-2020-12430.patch44
-rw-r--r--main/libvncserver/APKBUILD11
-rw-r--r--main/libvncserver/CVE-2019-15681.patch23
-rw-r--r--main/libvorbis/APKBUILD1
-rw-r--r--main/libx11/APKBUILD8
-rw-r--r--main/libxml2/APKBUILD12
-rw-r--r--main/libxml2/CVE-2019-19956.patch33
-rw-r--r--main/libxml2/CVE-2020-24977.patch30
-rw-r--r--main/libxslt/APKBUILD19
-rw-r--r--main/libxslt/CVE-2019-13117.patch29
-rw-r--r--main/libxslt/CVE-2019-13118.patch71
-rw-r--r--main/libxslt/CVE-2019-18197.patch30
-rw-r--r--main/linux-rpi/APKBUILD6
-rw-r--r--main/linux-vanilla/APKBUILD26
-rw-r--r--main/linux-vanilla/config-vanilla.aarch6412
-rw-r--r--main/linux-vanilla/config-vanilla.armhf16
-rw-r--r--main/linux-vanilla/config-vanilla.ppc3731
-rw-r--r--main/linux-vanilla/config-vanilla.ppc64le11
-rw-r--r--main/linux-vanilla/config-vanilla.s390x5
-rw-r--r--main/linux-vanilla/config-vanilla.x8616
-rw-r--r--main/linux-vanilla/config-vanilla.x86_6416
-rw-r--r--main/linux-vanilla/config-virt.aarch6412
-rw-r--r--main/linux-vanilla/config-virt.x8614
-rw-r--r--main/linux-vanilla/config-virt.x86_6414
-rw-r--r--main/mariadb/APKBUILD31
-rw-r--r--main/mariadb/fix-c11-atomics-check.patch10
-rw-r--r--main/mcpp/APKBUILD18
-rw-r--r--main/mcpp/CVE-2019-14274.patch52
-rw-r--r--main/mkinitfs/APKBUILD6
-rw-r--r--main/mkinitfs/add-feature-rpirtc.patch44
-rw-r--r--main/mosquitto/APKBUILD11
-rw-r--r--main/mosquitto/CVE-2019-11779.patch168
-rw-r--r--main/musl/APKBUILD14
-rw-r--r--main/musl/CVE-2019-14697.patch233
-rw-r--r--main/musl/wcsnrtombs-cve-2020-28928.diff65
-rw-r--r--main/net-snmp/APKBUILD4
-rw-r--r--main/net-snmp/report-empty-strings-correctly.patch110
-rw-r--r--main/nfdump/APKBUILD10
-rw-r--r--main/nghttp2/0001-nghttpx-Fix-request-stall.patch179
-rw-r--r--main/nghttp2/0002-Add-nghttp2_option_set_max_outbound_ack.patch169
-rw-r--r--main/nghttp2/0003-Don-t-read-too-greedily.patch88
-rw-r--r--main/nghttp2/APKBUILD22
-rw-r--r--main/nghttp2/CVE-2020-11080.patch332
-rw-r--r--main/nginx/APKBUILD20
-rw-r--r--main/nginx/CVE-2019-20372.patch28
-rw-r--r--main/nginx/CVE-2019-9511.patch87
-rw-r--r--main/nginx/CVE-2019-9513.patch62
-rw-r--r--main/nginx/CVE-2019-9516.patch45
-rw-r--r--main/ngircd/APKBUILD13
-rw-r--r--main/ngircd/CVE-2020-14148.patch37
-rw-r--r--main/nmap/APKBUILD16
-rw-r--r--main/nmap/CVE-2017-18594.patch30
-rw-r--r--main/nmap/CVE-2018-15173.patch34
-rw-r--r--main/nodejs/APKBUILD35
-rw-r--r--main/ntfs-3g/APKBUILD20
-rw-r--r--main/ntfs-3g/CVE-2019-9755.patch62
-rw-r--r--main/oniguruma/APKBUILD23
-rw-r--r--main/openjpeg/APKBUILD25
-rw-r--r--main/openjpeg/CVE-2018-21010.patch179
-rw-r--r--main/openjpeg/CVE-2019-12973.patch152
-rw-r--r--main/openjpeg/CVE-2020-15389.patch39
-rw-r--r--main/openjpeg/CVE-2020-6851.patch29
-rw-r--r--main/openjpeg/CVE-2020-8112.patch43
-rw-r--r--main/openldap/APKBUILD16
-rw-r--r--main/openssh/0001-Deny-non-fatal-shmget-shmat-shmdt-in-preauth-privsep.patch37
-rw-r--r--main/openssh/APKBUILD4
-rw-r--r--main/openssl/APKBUILD19
-rw-r--r--main/openssl/CVE-2019-1543.patch66
-rw-r--r--main/openssl/man-section.patch54
-rw-r--r--main/pango/APKBUILD14
-rw-r--r--main/pango/CVE-2019-1010238.patch34
-rw-r--r--main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch33
-rw-r--r--main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch211
-rw-r--r--main/patch/APKBUILD33
-rw-r--r--main/patch/CVE-2019-13636.patch109
-rw-r--r--main/patch/CVE-2019-13638.patch38
-rw-r--r--main/perl-datetime-timezone/APKBUILD43
-rw-r--r--main/perl-dbi/APKBUILD25
-rw-r--r--main/perl-mozilla-ca/APKBUILD31
-rw-r--r--main/perl/APKBUILD14
-rw-r--r--main/perl/CVE-2020-10543.patch32
-rw-r--r--main/perl/CVE-2020-10878.patch148
-rw-r--r--main/perl/CVE-2020-12723.patch277
-rw-r--r--main/polkit/APKBUILD6
-rw-r--r--main/polkit/CVE-2019-6133.patch159
-rw-r--r--main/poppler/APKBUILD15
-rw-r--r--main/poppler/CVE-2019-9959.patch13
-rw-r--r--main/postgresql/APKBUILD52
-rw-r--r--main/ppp/APKBUILD13
-rw-r--r--main/ppp/fix-bound-check-eap.patch40
-rw-r--r--main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch64
-rw-r--r--main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch33
-rw-r--r--main/putty/APKBUILD11
-rw-r--r--main/py-django/APKBUILD17
-rw-r--r--main/python2/APKBUILD16
-rw-r--r--main/python2/CVE-2019-16935.patch92
-rw-r--r--main/python3/APKBUILD25
-rw-r--r--main/python3/CVE-2019-16056.patch89
-rw-r--r--main/python3/CVE-2019-16935.patch80
-rw-r--r--main/python3/CVE-2019-5010.patch116
-rw-r--r--main/python3/CVE-2020-14422.patch74
-rw-r--r--main/redis/APKBUILD9
-rw-r--r--main/rsyslog/APKBUILD14
-rw-r--r--main/ruby/APKBUILD12
-rw-r--r--main/samba/APKBUILD14
-rw-r--r--main/samba/samba-4.9.14-security-2019-10-29.patch539
-rw-r--r--main/samba/samba-4.9.17-security-2020-01-21.patch1662
-rw-r--r--main/screen/APKBUILD13
-rw-r--r--main/screen/CVE-2020-9366.patch42
-rw-r--r--main/sdl/0001-CVE-2019-7572.patch64
-rw-r--r--main/sdl/0001-CVE-2019-7573.patch83
-rw-r--r--main/sdl/0001-CVE-2019-7574.patch71
-rw-r--r--main/sdl/0001-CVE-2019-7575.patch84
-rw-r--r--main/sdl/0001-CVE-2019-7577.patch75
-rw-r--r--main/sdl/0001-CVE-2019-7578.patch67
-rw-r--r--main/sdl/0001-CVE-2019-7635.patch53
-rw-r--r--main/sdl/0001-CVE-2019-7636.patch29
-rw-r--r--main/sdl/0001-CVE-2019-7637.patch182
-rw-r--r--main/sdl/0002-CVE-2019-7572.patch59
-rw-r--r--main/sdl/0002-CVE-2019-7577.patch57
-rw-r--r--main/sdl/0002-CVE-2019-7635.patch21
-rw-r--r--main/sdl/0002-CVE-2019-7637.patch42
-rw-r--r--main/sdl/APKBUILD51
-rw-r--r--main/sdl2/APKBUILD17
-rw-r--r--main/sdl2_image/APKBUILD16
-rw-r--r--main/sdl2_image/CVE-2019-13616.patch24
-rw-r--r--main/sdl_image/APKBUILD13
-rw-r--r--main/sdl_image/CVE-2019-13616.patch16
-rw-r--r--main/smokeping/APKBUILD3
-rw-r--r--main/spamassassin/APKBUILD7
-rw-r--r--main/spl-vanilla/APKBUILD2
-rw-r--r--main/sprunge/APKBUILD6
-rw-r--r--main/sqlite/APKBUILD27
-rw-r--r--main/sqlite/CVE-2019-16168.patch24
-rw-r--r--main/sqlite/CVE-2019-19242.patch18
-rw-r--r--main/sqlite/CVE-2019-19244.patch12
-rw-r--r--main/sqlite/CVE-2020-11655.patch24
-rw-r--r--main/squid/APKBUILD18
-rw-r--r--main/subversion/APKBUILD9
-rw-r--r--main/sudo/APKBUILD11
-rw-r--r--main/sudo/CVE-2019-14287.patch260
-rw-r--r--main/sudo/CVE-2019-18634.patch98
-rw-r--r--main/tcl-tls/APKBUILD2
-rw-r--r--main/tcpdump/APKBUILD48
-rw-r--r--main/tcpdump/CVE-2020-8037.patch63
-rw-r--r--main/tiff/APKBUILD16
-rw-r--r--main/tiff/CVE-2019-14973-rebased.patch424
-rw-r--r--main/tiff/CVE-2019-17546.patch105
-rw-r--r--main/tiff/CVE-2019-6128.patch36
-rw-r--r--main/tzdata/APKBUILD27
-rw-r--r--main/unbound/APKBUILD20
-rw-r--r--main/unbound/CVE-2019-16866.patch26
-rw-r--r--main/unbound/CVE-2019-18934.patch218
-rw-r--r--main/unbound/CVE-2020-12662_CVE-2020-12663.patch948
-rw-r--r--main/unzip/APKBUILD36
-rw-r--r--main/unzip/CVE-2019-13232.patch487
-rw-r--r--main/vala/APKBUILD4
-rw-r--r--main/varnish/2f2387038a7b9aca4c31c0f839cda3b7ab3391c0.patch31
-rw-r--r--main/varnish/APKBUILD12
-rw-r--r--main/wavpack/APKBUILD19
-rw-r--r--main/wavpack/CVE-2019-1010315.patch36
-rw-r--r--main/wavpack/CVE-2019-1010317.patch40
-rw-r--r--main/wavpack/CVE-2019-1010319.patch23
-rw-r--r--main/wavpack/CVE-2019-11498.patch32
-rw-r--r--main/wpa_supplicant/0016-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch31
-rw-r--r--main/wpa_supplicant/0017-EAP-pwd-Enforce-1-rand-mask-r-and-rand-mask-mod-r-1.patch121
-rw-r--r--main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch257
-rw-r--r--main/wpa_supplicant/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch70
-rw-r--r--main/wpa_supplicant/0020-OpenSSL-Use-BN_bn2binpad-or-BN_bn2bin_padded-if-avai.patch66
-rw-r--r--main/wpa_supplicant/0021-SAE-Run-through-prf-result-processing-even-if-it-pri.patch59
-rw-r--r--main/wpa_supplicant/0022-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch57
-rw-r--r--main/wpa_supplicant/0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch45
-rw-r--r--main/wpa_supplicant/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch59
-rw-r--r--main/wpa_supplicant/0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch51
-rw-r--r--main/wpa_supplicant/APKBUILD38
-rw-r--r--main/wpa_supplicant/CVE-2019-16275.patch73
-rw-r--r--main/xen/APKBUILD149
-rw-r--r--main/xen/x86-msr-Shorten-ARCH_CAPABILITIES_-constants.patch71
-rw-r--r--main/xen/x86-spec-ctrl-Extend-repoline-safey-calcuations-for-.patch68
-rw-r--r--main/xen/x86-tsx-Implement-controls-for-RTM-force-abort-mode.patch194
-rw-r--r--main/xen/xen-Fix-backport-of-x86-tsx-Implement-controls-for-R.patch34
-rw-r--r--main/xen/xen-Fix-backport-of-xen-cmdline-Fix-buggy-strncmp-s-.patch52
-rw-r--r--main/xen/xen-cmdline-Fix-buggy-strncmp-s-LITERAL-ss-s-constru.patch464
-rw-r--r--main/xen/xsa297-4.11-1.patch163
-rw-r--r--main/xen/xsa297-4.11-2.patch54
-rw-r--r--main/xen/xsa297-4.11-3.patch109
-rw-r--r--main/xen/xsa297-4.11-4.patch55
-rw-r--r--main/xen/xsa297-4.11-5.patch141
-rw-r--r--main/xen/xsa297-4.11-6.patch134
-rw-r--r--main/xen/xsa297-4.11-7.patch316
-rw-r--r--main/xen/xsa317.patch50
-rw-r--r--main/xen/xsa319.patch27
-rw-r--r--main/xen/xsa320-4.11-1.patch133
-rw-r--r--main/xen/xsa320-4.11-2.patch179
-rw-r--r--main/xen/xsa320-4.11-3.patch57
-rw-r--r--main/xen/xsa321-4.11-1.patch31
-rw-r--r--main/xen/xsa321-4.11-2.patch175
-rw-r--r--main/xen/xsa321-4.11-3.patch82
-rw-r--r--main/xen/xsa321-4.11-4.patch36
-rw-r--r--main/xen/xsa321-4.11-5.patch24
-rw-r--r--main/xen/xsa321-4.11-6.patch91
-rw-r--r--main/xen/xsa321-4.11-7.patch164
-rw-r--r--main/xen/xsa327.patch63
-rw-r--r--main/xen/xsa328-4.11-1.patch118
-rw-r--r--main/xen/xsa328-4.11-2.patch48
-rw-r--r--main/xen/xsa333.patch39
-rw-r--r--main/xen/xsa335-qemu.patch84
-rw-r--r--main/xen/xsa336-4.11.patch256
-rw-r--r--main/xen/xsa337-4.12-1.patch92
-rw-r--r--main/xen/xsa337-4.12-2.patch182
-rw-r--r--main/xen/xsa338.patch42
-rw-r--r--main/xen/xsa339.patch76
-rw-r--r--main/xen/xsa340.patch65
-rw-r--r--main/xen/xsa342-4.13.patch145
-rw-r--r--main/xen/xsa343-4.11-1.patch190
-rw-r--r--main/xen/xsa343-4.11-2.patch290
-rw-r--r--main/xen/xsa343-4.11-3.patch381
-rw-r--r--main/xen/xsa344-4.11-1.patch132
-rw-r--r--main/xen/xsa344-4.11-2.patch203
-rw-r--r--main/xorg-server/APKBUILD18
-rw-r--r--main/xorg-server/CVE-2020-14345.patch178
-rw-r--r--main/xorg-server/CVE-2020-14346.patch31
-rw-r--r--main/xorg-server/CVE-2020-14361.patch31
-rw-r--r--main/xorg-server/CVE-2020-14362.patch65
-rw-r--r--main/xorgproto/APKBUILD3
-rw-r--r--main/xtables-addons-vanilla/APKBUILD2
-rw-r--r--main/zeromq/APKBUILD18
-rw-r--r--main/zfs-vanilla/APKBUILD2
-rw-r--r--testing/ipt-netflow-vanilla/APKBUILD4
-rw-r--r--testing/wireguard-vanilla/APKBUILD2
-rw-r--r--testing/wireguard-virt/APKBUILD2
464 files changed, 32203 insertions, 7190 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000..4294ab0ead
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,99 @@
+stages:
+ - lint
+ - build
+
+variables:
+ GIT_STRATEGY: fetch
+ GIT_DEPTH: "0"
+
+default:
+ # Make sure master points to the correct upstream commit
+ before_script:
+ - >
+ git fetch $CI_MERGE_REQUEST_PROJECT_URL
+ +refs/heads/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME:refs/heads/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
+
+lint:
+ stage: lint
+ image: alpinelinux/apkbuild-lint-tools:latest
+ script:
+ - changed-aports $CI_MERGE_REQUEST_TARGET_BRANCH_NAME | lint
+ allow_failure: true
+ only:
+ - merge_requests
+ tags:
+ - docker-alpine
+ - x86_64
+
+.build:
+ stage: build
+ image: alpinelinux/alpine-gitlab-ci:latest
+ script:
+ - build.sh
+ - cp -ar ~/packages packages/
+ - mkdir -p keys
+ - cp ~/.abuild/*.rsa.pub keys/
+ artifacts:
+ paths:
+ - packages/
+ - keys/
+ expire_in: 1 day
+ only:
+ - merge_requests
+
+build-x86_64:
+ extends: .build
+ artifacts:
+ name: MR${CI_MERGE_REQUEST_ID}_x86_64
+ tags:
+ - docker-alpine
+ - ci-build
+ - x86_64
+
+build-x86:
+ extends: .build
+ image:
+ name: alpinelinux/alpine-gitlab-ci:latest-x86
+ entrypoint: ["linux32", "sh", "-c"]
+ artifacts:
+ name: MR${CI_MERGE_REQUEST_ID}_x86
+ tags:
+ - docker-alpine
+ - ci-build
+ - x86
+
+build-s390x:
+ extends: .build
+ artifacts:
+ name: MR${CI_MERGE_REQUEST_ID}_s390x
+ tags:
+ - docker-alpine
+ - ci-build
+ - s390x
+
+build-ppc64le:
+ extends: .build
+ artifacts:
+ name: MR${CI_MERGE_REQUEST_ID}_ppc64le
+ tags:
+ - docker-alpine
+ - ci-build
+ - ppc64le
+
+build-aarch64:
+ extends: .build
+ artifacts:
+ name: MR${CI_MERGE_REQUEST_ID}_aarch64
+ tags:
+ - docker-alpine
+ - ci-build
+ - aarch64
+
+build-armv7:
+ extends: .build
+ artifacts:
+ name: MR${CI_MERGE_REQUEST_ID}_armv7
+ tags:
+ - docker-alpine
+ - ci-build
+ - armv7
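Review bot: The `image:` references in `lint`, `.build` and the `build-x86` override all use the floating `latest` tag, so the container that runs `build.sh` and whose `~/.abuild/*.rsa.pub` keys are published as artifacts can change underneath a pipeline without any change in this repository, and a given build cannot be reproduced later; pin to a digest, e.g. `image: alpinelinux/alpine-gitlab-ci@sha256:<digest-placeholder>`, or at least a versioned tag. The comment above `before_script` talks about `master`, but the fetch uses `$CI_MERGE_REQUEST_TARGET_BRANCH_NAME`; `# Make sure the MR target branch matches upstream before diffing against it` describes what the line actually does. `lint` carries `allow_failure: true`, so a lint failure never gates the merge request — if that is intentional, a one-line comment saying so would stop the next reader from "fixing" it.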
diff --git a/community/alpine-make-rootfs/APKBUILD b/community/alpine-make-rootfs/APKBUILD
index 0786c10e40..9b01ab2d82 100644
--- a/community/alpine-make-rootfs/APKBUILD
+++ b/community/alpine-make-rootfs/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=alpine-make-rootfs
-pkgver=0.3.0
+pkgver=0.3.1
pkgrel=0
pkgdesc="Make customized Alpine Linux rootfs (base image) for containers"
url="https://github.com/alpinelinux/alpine-make-rootfs"
@@ -17,4 +17,4 @@ package() {
make install DESTDIR="$pkgdir" PREFIX=/usr
}
-sha512sums="1c595dac5f09f4bd74f16a16f771944972fa466ab22f69c9627d32b6a3edf776aa3133e327ad398ccd91fe0331a9ebeca1aaa220062531cbdbb8927afd2c79f1 alpine-make-rootfs-0.3.0.tar.gz"
+sha512sums="7971ac0275e4d2e9bdc3ea29197b40a66e493bf9977249922418f06e1bd9434a62a4ffa0cc637839ae1837f2f8916535977e695cb959288213ce1fee90cc3b44 alpine-make-rootfs-0.3.1.tar.gz"
diff --git a/community/docker/APKBUILD b/community/docker/APKBUILD
index c665c71bad..fec0f4a4ba 100644
--- a/community/docker/APKBUILD
+++ b/community/docker/APKBUILD
@@ -1,9 +1,9 @@
+# Contributor: Eivind Uggedal <eu@eju.no>
# Contributor: Jake Buchholz <tomalok@gmail.com>
# Maintainer: Jake Buchholz <tomalok@gmail.com>
-
pkgname=docker
-pkgver=18.09.7
-_gitcommit=2d0083d657f82c47044c8d3948ba434b622fe2fd # https://github.com/docker/docker-ce/commits/v$pkgver
+pkgver=18.09.8
+_gitcommit=0dd43dd87fd530113bf44c9bba9ad8b20ce4637f # https://github.com/docker/docker-ce/commits/v$pkgver
_ver=${pkgver/_/-}-ce
pkgrel=0
pkgdesc="Pack, ship and run any application as a lightweight container"
@@ -11,13 +11,20 @@ url="http://www.docker.io/"
arch="all"
license="Apache-2.0"
depends="ca-certificates containerd iptables tini-static"
-makedepends="go go-md2man btrfs-progs-dev bash linux-headers coreutils lvm2-dev libtool"
+makedepends="go go-md2man btrfs-progs-dev bash linux-headers coreutils lvm2-dev libtool
+ libseccomp-dev"
install="$pkgname.pre-install"
# from https://github.com/docker/docker-ce/blob/v$pkgver/components/engine/vendor.conf
_libnetwork_ver=e7933d41e7b206756115aa9df5e0599fc5169742
_cobra_ver="0.0.3"
+# secfixes:
+# 18.09.8:
+# - CVE-2019-13509
+# 18.09.7:
+# - CVE-2018-15664
+
subpackages="
$pkgname-bash-completion:bashcomp:noarch
$pkgname-fish-completion:fishcomp:noarch
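Review bot: The relocated secfixes block drops the release suffix — `# 18.09.8:` and `# 18.09.7:` — whereas the entry it replaces (`# 18.09.7-r0:` in the next hunk) and the drupal7, exim and ffmpeg APKBUILDs in this same commit use the `pkgver-rN:` form; write `# 18.09.8-r0:` and `# 18.09.7-r0:`. As far as I can tell the secdb tooling keys on the `-rN` form, so the CVE-2019-13509 fix may not be picked up as written. Separately, switching `_buildtags` to `seccomp` in the following hunk changes the daemon's default sandboxing and deserves a one-line comment next to it so the new `libseccomp-dev` makedepend is not removed as unused later.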
@@ -38,14 +45,10 @@ source="
_dockerdir="$srcdir"/docker-$_ver
_cli_builddir="$_dockerdir"/components/cli
_daemon_builddir="$_dockerdir"/components/engine
-_buildtags=""
+_buildtags="seccomp"
_libnetwork_builddir="$srcdir"/libnetwork-$_libnetwork_ver
-# secfixes:
-# 18.09.7-r0:
-# - CVE-2018-15664
-
_apply_patches() {
local _dir="$1"
local _prefix="$2"
@@ -191,7 +194,7 @@ vim() {
done
}
-sha512sums="7d06ab01673b5931a8dde1d2fcebf442d1a107c98c95cd8fe3b886c123b48470950601782fe0c83e7537a1e856069e79a096b9f4523fea7984fd3e773b243b66 docker-18.09.7.tar.gz
+sha512sums="34cf91da732ebbde88f0c8cd39664130e6bd344b18d4643715a00e1c4062d0838a37650a8ee68fb371abd8f01910c7bdce1237af74a49cd63b5ed5382eaf00ed docker-18.09.8.tar.gz
0a833510df0029999bfc05c23445a58a8b2ff165c0fb2fd5c411498d1e89b5b1990d2778b32346dd2b6d61c166ff707c6277a5d1937db6345c77d3825eb59875 libnetwork-e7933d41e7b206756115aa9df5e0599fc5169742.tar.gz
c38db9432a168f913b41a1e1b11d84bedfade82ff70791be9d343a6cc86b8a05b18bae344d67ebd8bae4c98662db7ac664a9dc86fa9b9ad4aa5c96cbf0178efb cobra-0.0.3.tar.gz
33155a79799cc6c0520a030e1a9bdba60441776d612e5e255574b23bbce1c7a8e5d868284b05a8a92704be6bbb7db905388564e867986a705acbe4884ac58584 docker-openrc-fixes.patch
diff --git a/community/drupal7/APKBUILD b/community/drupal7/APKBUILD
index ce8d350340..445d31e4d9 100644
--- a/community/drupal7/APKBUILD
+++ b/community/drupal7/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Andy Postnikov <apostnikov@gmail.com>
pkgname=drupal7
-pkgver=7.67
+pkgver=7.69
pkgrel=0
pkgdesc="An open source content management platform"
url="https://www.drupal.org/"
@@ -30,7 +30,7 @@ depends="php7-fpm
makedepends="$depends_dev"
subpackages="$pkgname-doc"
pkggroups="www-data"
-source="http://ftp.drupal.org/files/projects/drupal-$pkgver.tar.gz"
+source="https://ftp.drupal.org/files/projects/drupal-$pkgver.tar.gz"
builddir="$srcdir/drupal-$pkgver"
options="!check" # This package not have testsuite
@@ -38,6 +38,7 @@ options="!check" # This package not have testsuite
# secfixes:
# 7.67-r0:
# - CVE-2019-11831
+# - CVE-2019-11358
# 7.62-r0:
# - CVE-2018-1000888
# 7.59-r0:
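Review bot: The secfixes hunk adds CVE-2019-11358 under the existing `7.67-r0:` entry but records nothing for the new `pkgver=7.69` that this commit introduces. If the upstream 7.68/7.69 releases fixed security issues (I cannot tell from the hunk), they belong under a new `# 7.69-r0:` entry placed above `# 7.67-r0:`; otherwise the secdb will not associate them with this package version.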
@@ -80,4 +81,4 @@ package() {
"$pkgdir"/var/lib/$pkgname/sites/default/files
}
-sha512sums="0e4f60010b1395183cea19424e8c2849f93fb7285a081bf7d0c774b8e82f403083533059f58c3831950cc06dfa8117d443db52b66a521301ceac10b1b333aa28 drupal-7.67.tar.gz"
+sha512sums="521eec475cbd11d9c997f660c8cd3f92e7a164650eaec67bc1d40c53e901576bc827a3805d2341ab80e9a5bb2f4524e7541d0a99970f2a51a3e45a9ac8ae7880 drupal-7.69.tar.gz"
diff --git a/community/exim/APKBUILD b/community/exim/APKBUILD
index 3f032d7aee..e7b54529c8 100644
--- a/community/exim/APKBUILD
+++ b/community/exim/APKBUILD
@@ -5,10 +5,10 @@
# Contributor: Jesse Young <jlyo@jlyo.org>
# Maintainer: Jesse Young <jlyo@jlyo.org>
pkgname=exim
-pkgver=4.92
+pkgver=4.92.3
pkgrel=0
pkgdesc="Message Transfer Agent"
-url="https://www.exim.org"
+url="https://www.exim.org/"
arch="all"
license="GPL-2.0-or-later"
options="!check suid"
@@ -30,10 +30,14 @@ source="https://ftp.exim.org/pub/exim/exim4/$pkgname-$pkgver.tar.xz
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.92.3-r0:
+# - CVE-2019-16928
+# 4.92.2-r0:
+# - CVE-2019-15846
+# 4.92.1-r0:
+# - CVE-2019-13917
# 4.92-r0:
# - CVE-2019-10149
-# 4.91-r0:
-# - CVE-2018-6789
# 4.89-r5:
# - CVE-2017-1000369
# 4.89-r7:
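Review bot: The hunk removes the `# 4.91-r0:` / `# - CVE-2018-6789` entry while adding the 4.92.x ones; secfixes is a cumulative history, and dropping an entry removes that CVE from the generated secdb, so scanners may once again report exim as affected by CVE-2018-6789. Unless the entry is duplicated elsewhere in the block (outside this hunk), restore the two lines `# 4.91-r0:` and `# - CVE-2018-6789` below the `4.92-r0` entry.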
@@ -117,7 +121,7 @@ cdb() { _mv_ext cdb; }
dbmdb() { _mv_ext dbmdb; }
dnsdb() { _mv_ext dnsdb; }
-sha512sums="62c327e6184a358ba7f0dbc38b44d2537234be91727a5bfac97e74af64a8d77e376b3221dcfdd8f6eca7d812f9233595503dc6e50e2972bed40a1b74eb209c31 exim-4.92.tar.xz
+sha512sums="ca6d6f50653502345511b683859b33aa02faa48454fb2100ff89fed3dcb8af8933e7bce68939365fdee42f96eec0c3b135cf748f4581e92a62be0f0ab093868a exim-4.92.3.tar.xz
691df92954f015711398350963ea321d143127bc731a985bcacc5364c71b6df84b6c21a2e8dc3cc2048fcd3dd02def3dc8015f4d84dd672f23d5a41348e72dc7 bounce-charset.patch
f764a09ac7b6dfa34a5cd8bf5ad8b5fea355ac3b21a14f7218c84804bce420c6212cbebd2811fa40b0034dba626f0c9b293de77dbd634432edd31b237003515e exim.Makefile
bb6f5ead067af19ace661cc92bcd428da97570aedd1f9dc5b61a34e7e3fb3e028be6c96d51df73353bdfcaf69a3ee053fb03d245f868d63ebf518aa96ec82d66 exim.confd
diff --git a/community/ffmpeg/APKBUILD b/community/ffmpeg/APKBUILD
index 92d47f96c6..564265cf85 100644
--- a/community/ffmpeg/APKBUILD
+++ b/community/ffmpeg/APKBUILD
@@ -3,10 +3,10 @@
# Contributor: Jakub Skrzypnik <j.skrzypnik@openmailbox.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ffmpeg
-pkgver=4.0.2
+pkgver=4.0.6
pkgrel=0
pkgdesc="Complete and free Internet live audio and video broadcasting solution for Linux/Unix"
-url="http://ffmpeg.org/"
+url="https://ffmpeg.org/"
arch="all"
license="GPL"
options="!check" # tests/data/hls-lists.append.m3u8 fails
@@ -22,6 +22,17 @@ source="https://ffmpeg.org/releases/ffmpeg-$pkgver.tar.xz
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.0.6-r0:
+# - CVE-2019-12730
+# - CVE-2019-13390
+# - CVE-2019-17539
+# - CVE-2019-17542
+# - CVE-2020-13904
+# 4.0.4-r0:
+# - CVE-2018-15822
+# - CVE-2019-9718
+# - CVE-2019-9721
+# - CVE-2019-11339
# 3.4.4-r0:
# - CVE-2018-14395
# 3.4.3-r0:
@@ -112,5 +123,5 @@ libs() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
-sha512sums="2dc2b8c66d9c31b6d06da5da336ef45415e3c24fac8c9063cd47f7d4cf688ec4846f88cdd9e841b956cea81e56bb3c6b7655aef503400c7367c32910c28990ac ffmpeg-4.0.2.tar.xz
+sha512sums="46e631393b3c1ed6332f738b650085c6639ddc82519d78900ab97e28bebe8d7a0d356b0721b1773488fb88fcfa9eb438ff2a92789883a6ad59c4b739250815b8 ffmpeg-4.0.6.tar.xz
32652e18d4eb231a2e32ad1cacffdf33264aac9d459e0e2e6dd91484fced4e1ca5a62886057b1f0b4b1589c014bbe793d17c78adbaffec195f9a75733b5b18cb 0001-libavutil-clean-up-unused-FF_SYMVER-macro.patch"
diff --git a/community/firefox-esr/APKBUILD b/community/firefox-esr/APKBUILD
index 9156238802..12da1198b6 100644
--- a/community/firefox-esr/APKBUILD
+++ b/community/firefox-esr/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=firefox-esr
-pkgver=60.6.1
+pkgver=60.9.0
pkgrel=0
pkgdesc="Firefox web browser - Extended Support Release"
url="https://www.mozilla.org/en-US/firefox/organizations/"
@@ -79,6 +79,46 @@ _mozappdir=/usr/lib/firefox
ldpath="$_mozappdir"
# secfixes:
+# 69.9.0-r0:
+# - CVE-2019-9812
+# - CVE-2019-11740
+# - CVE-2019-11742
+# - CVE-2019-11743
+# - CVE-2019-11744
+# - CVE-2019-11746
+# - CVE-2019-11752
+# 60.8.0-r0:
+# - CVE-2019-9811
+# - CVE-2019-11709
+# - CVE-2019-11711
+# - CVE-2019-11712
+# - CVE-2019-11713
+# - CVE-2019-11715
+# - CVE-2019-11717
+# - CVE-2019-11719
+# - CVE-2019-11729
+# - CVE-2019-11730
+# 60.7.2-r0:
+# - CVE-2019-11708
+# 60.7.1-r0:
+# - CVE-2019-11707
+# 60.7.0-r0:
+# - CVE-2019-9815
+# - CVE-2019-9816
+# - CVE-2019-9817
+# - CVE-2019-9818
+# - CVE-2019-9819
+# - CVE-2019-9820
+# - CVE-2019-11691
+# - CVE-2019-11692
+# - CVE-2019-11693
+# - CVE-2019-7317
+# - CVE-2019-9797
+# - CVE-2018-18511
+# - CVE-2019-11694
+# - CVE-2019-11698
+# - CVE-2019-5798
+# - CVE-2019-9800
# 60.6.1-r0:
# - CVE-2019-9810
# - CVE-2019-9813
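Review bot: The new secfixes heading `# 69.9.0-r0:` does not match the version this commit sets (`pkgver=60.9.0`, `pkgrel=0`); the secdb tooling keys on that string, so the seven CVEs listed under it would be attributed to a release that does not exist and would not be reported as fixed in 60.9.0. It should read `# 60.9.0-r0:`. The rest of the added headings (60.8.0, 60.7.2, 60.7.1, 60.7.0) follow the expected pattern.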
@@ -114,7 +154,6 @@ ldpath="$_mozappdir"
# - CVE-2018-5117
# 52.5.2-r0:
# - CVE-2017-7843
-# - CVE-2017-7843
prepare() {
default_prepare
@@ -244,7 +283,7 @@ __EOF__
rm -f "$pkgdir"/${_mozappdirdev}/sdk/lib/libxul.so
}
-sha512sums="a1683e9ad551c2aa6b84013216393fe1f7107728c253ed8e5700d419cf0956513110ed4e1b5dbac3e3bc23930e3024706f1b24d405b6edcdf8c175b03ab241ed firefox-60.6.1esr.source.tar.xz
+sha512sums="4baea5c9c4eff257834bbaee6d7786f69f7e6bacd24ca13c2705226f4a0d88315ab38c650b2c5e9c76b698f2debc7cea1e5a99cb4dc24e03c48a24df5143a3cf firefox-60.9.0esr.source.tar.xz
0b3f1e4b9fdc868e4738b5c81fd6c6128ce8885b260affcb9a65ff9d164d7232626ce1291aaea70132b3e3124f5e13fef4d39326b8e7173e362a823722a85127 stab.h
2f4f15974d52de4bb273b62a332d13620945d284bbc6fe6bd0a1f58ff7388443bc1d3bf9c82cc31a8527aad92b0cd3a1bc41d0af5e1800e0dcbd7033e58ffd71 fix-fortify-system-wrappers.patch
09bc32cf9ee81b9cc6bb58ddbc66e6cc5c344badff8de3435cde5848e5a451e0172153231db85c2385ff05b5d9c20760cb18e4138dfc99060a9e960de2befbd5 fix-fortify-inline.patch
diff --git a/community/gvfs/APKBUILD b/community/gvfs/APKBUILD
index d7743e43c1..f161c09dc8 100644
--- a/community/gvfs/APKBUILD
+++ b/community/gvfs/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gvfs
pkgver=1.36.2
-pkgrel=0
+pkgrel=1
pkgdesc="Backends for the gio framework in GLib"
url="http://ftp.gnome.org/pub/gnome/sources/gvfs/${pkgver%.*}/"
arch="all"
@@ -27,7 +27,19 @@ subpackages="$pkgname-dev $pkgname-lang
$pkgname-nfs
$pkgname-smb
"
-source="https://download.gnome.org/sources/gvfs/${pkgver%.*}/gvfs-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/gvfs/${pkgver%.*}/gvfs-$pkgver.tar.xz
+ CVE-2019-12448.patch
+ CVE-2019-12795.patch
+ CVE-2019-12449.patch
+ CVE-2019-12447.patch
+ "
+
+# secfixes:
+# 1.36.2-r1:
+# - CVE-2019-12447
+# - CVE-2019-12448
+# - CVE-2019-12795
+# - CVE-2019-12449
builddir="$srcdir/$pkgname-$pkgver"
build() {
@@ -161,4 +173,8 @@ nfs() {
usr/lib/gvfs/gvfsd-nfs
}
-sha512sums="c5ffc3d36ad1f438c245877d94924aa22c4edf9d89be0a990ad03897d462459229e576064797e53a62063f4aaf91ad30870f0b57df3731a69951f4ceb61db0db gvfs-1.36.2.tar.xz"
+sha512sums="c5ffc3d36ad1f438c245877d94924aa22c4edf9d89be0a990ad03897d462459229e576064797e53a62063f4aaf91ad30870f0b57df3731a69951f4ceb61db0db gvfs-1.36.2.tar.xz
+a4daaf8e7f6ece24fd0fdbe0ca4cfa5a5d36189249c36779a09f6ab9033b0fcd1db47d1aaa0b5dd4b14c444cc3763d9e25e0580fb2e2021aa42bc5e6d1eef1ec CVE-2019-12448.patch
+4d381da1e164c1205a4fea19b235163e22c8d1d65ea7ffb130df9c8c76395f20c4b5879111e4ba6d4f54cadbfb084b8c82434ab698e39e6ab2d1e5e0b5ab93ac CVE-2019-12795.patch
+15c7c46f74049b539ae5d76d03f22b7efda39f0424b13582afca1e82ca90a03bb372ef8c42afdd21f257a46aae8c6c709715bdd76cb5aa4fdf13e4c1f58fa012 CVE-2019-12449.patch
+02c4e94d8eef1f69b6d45ddbbbfa22ff9452238251c8bd3b8ae5cbbdc3a7c1fcde4612f96851dfff55f276bcf84f5b82561b06a18c1d9e20033457e72987013d CVE-2019-12447.patch"
diff --git a/community/gvfs/CVE-2019-12447.patch b/community/gvfs/CVE-2019-12447.patch
new file mode 100644
index 0000000000..4b37fc5070
--- /dev/null
+++ b/community/gvfs/CVE-2019-12447.patch
@@ -0,0 +1,33 @@
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index d67353d..daa6df9 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -907,7 +907,8 @@ g_vfs_backend_admin_init (GVfsBackendAdmin *self)
+
+ #define REQUIRED_CAPS (CAP_TO_MASK(CAP_FOWNER) | \
+ CAP_TO_MASK(CAP_DAC_OVERRIDE) | \
+- CAP_TO_MASK(CAP_DAC_READ_SEARCH))
++ CAP_TO_MASK(CAP_DAC_READ_SEARCH) | \
++ CAP_TO_MASK(CAP_CHOWN))
+
+ static void
+ acquire_caps (uid_t uid)
+@@ -919,10 +920,15 @@ acquire_caps (uid_t uid)
+ if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
+ g_error ("prctl(PR_SET_KEEPCAPS) failed");
+
+- /* Drop root uid, but retain the required permitted caps */
+- if (setuid (uid) < 0)
++ /* Set euid to user to make dbus work */
++ if (seteuid (uid) < 0)
+ g_error ("unable to drop privs");
+
++ /* Set fsuid to still behave like root when working with files */
++ setfsuid (0);
++ if (setfsuid (-1) != 0)
++ g_error ("setfsuid failed");
++
+ memset (&hdr, 0, sizeof(hdr));
+ hdr.version = _LINUX_CAPABILITY_VERSION;
+
+
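Review bot: This patch carries no provenance header, unlike the other three gvfs patches in this commit, which all keep their upstream `From:`/`Date:`/`Subject:` lines; with only a bare diff it is hard to confirm that the `seteuid`/`setfsuid` change matches the upstream fix for CVE-2019-12447 or to decide whether it can be dropped at the next rebase. Add a short header naming the upstream commit and bug, e.g. `Upstream-commit: <UPSTREAM_COMMIT_ID>` and `Bug: CVE-2019-12447`. The `acquire_caps` function it edits continues past the end of the hunk.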
diff --git a/community/gvfs/CVE-2019-12448.patch b/community/gvfs/CVE-2019-12448.patch
new file mode 100644
index 0000000000..53542a3a1b
--- /dev/null
+++ b/community/gvfs/CVE-2019-12448.patch
@@ -0,0 +1,128 @@
+From 5cd76d627f4d1982b6e77a0e271ef9301732d09e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:24:36 +0200
+Subject: [PATCH] admin: Add query_info_on_read/write functionality
+
+Admin backend doesn't implement query_info_on_read/write which might
+potentially lead to some race conditions which aren't really wanted
+especially in case of admin backend. Let's add this missing functionality.
+---
+ daemon/gvfsbackendadmin.c | 79 +++++++++++++++++++++++++++++++++------
+ 1 file changed, 67 insertions(+), 12 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 65a979e7..23d16f16 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -42,6 +42,8 @@
+ #include "gvfsjobopenforwrite.h"
+ #include "gvfsjobqueryattributes.h"
+ #include "gvfsjobqueryinfo.h"
++#include "gvfsjobqueryinforead.h"
++#include "gvfsjobqueryinfowrite.h"
+ #include "gvfsjobread.h"
+ #include "gvfsjobseekread.h"
+ #include "gvfsjobseekwrite.h"
+@@ -155,6 +157,19 @@ complete_job (GVfsJob *job,
+ g_vfs_job_succeeded (job);
+ }
+
++static void
++fix_file_info (GFileInfo *info)
++{
++ /* Override read/write flags, since the above call will use access()
++ * to determine permissions, which does not honor our privileged
++ * capabilities.
++ */
++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
++}
++
+ static void
+ do_query_info (GVfsBackend *backend,
+ GVfsJobQueryInfo *query_info_job,
+@@ -180,19 +195,57 @@ do_query_info (GVfsBackend *backend,
+ if (error != NULL)
+ goto out;
+
+- /* Override read/write flags, since the above call will use access()
+- * to determine permissions, which does not honor our privileged
+- * capabilities.
+- */
+- g_file_info_set_attribute_boolean (real_info,
+- G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
+- g_file_info_set_attribute_boolean (real_info,
+- G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
+- g_file_info_set_attribute_boolean (real_info,
+- G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
+- g_file_info_set_attribute_boolean (real_info,
+- G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
++ fix_file_info (real_info);
++ g_file_info_copy_into (real_info, info);
++ g_object_unref (real_info);
++
++ out:
++ complete_job (job, error);
++}
++
++static void
++do_query_info_on_read (GVfsBackend *backend,
++ GVfsJobQueryInfoRead *query_info_job,
++ GVfsBackendHandle handle,
++ GFileInfo *info,
++ GFileAttributeMatcher *matcher)
++{
++ GVfsJob *job = G_VFS_JOB (query_info_job);
++ GFileInputStream *stream = handle;
++ GError *error = NULL;
++ GFileInfo *real_info;
++
++ real_info = g_file_input_stream_query_info (stream, query_info_job->attributes,
++ job->cancellable, &error);
++ if (error != NULL)
++ goto out;
++
++ fix_file_info (real_info);
++ g_file_info_copy_into (real_info, info);
++ g_object_unref (real_info);
++
++ out:
++ complete_job (job, error);
++}
++
++static void
++do_query_info_on_write (GVfsBackend *backend,
++ GVfsJobQueryInfoWrite *query_info_job,
++ GVfsBackendHandle handle,
++ GFileInfo *info,
++ GFileAttributeMatcher *matcher)
++{
++ GVfsJob *job = G_VFS_JOB (query_info_job);
++ GFileOutputStream *stream = handle;
++ GError *error = NULL;
++ GFileInfo *real_info;
++
++ real_info = g_file_output_stream_query_info (stream, query_info_job->attributes,
++ job->cancellable, &error);
++ if (error != NULL)
++ goto out;
+
++ fix_file_info (real_info);
+ g_file_info_copy_into (real_info, info);
+ g_object_unref (real_info);
+
+@@ -868,6 +921,8 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+ backend_class->mount = do_mount;
+ backend_class->open_for_read = do_open_for_read;
+ backend_class->query_info = do_query_info;
++ backend_class->query_info_on_read = do_query_info_on_read;
++ backend_class->query_info_on_write = do_query_info_on_write;
+ backend_class->read = do_read;
+ backend_class->create = do_create;
+ backend_class->append_to = do_append_to;
+--
+2.21.0
+
+
diff --git a/community/gvfs/CVE-2019-12449.patch b/community/gvfs/CVE-2019-12449.patch
new file mode 100644
index 0000000000..7d58c5d3d8
--- /dev/null
+++ b/community/gvfs/CVE-2019-12449.patch
@@ -0,0 +1,81 @@
+From d5dfd823c94045488aef8727c553f1e0f7666b90 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 24 May 2019 09:43:43 +0200
+Subject: [PATCH] admin: Ensure correct ownership when moving to file:// uri
+
+User and group is not restored properly when moving (or copying with
+G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled
+by GIO fallback code, which doesn't run with root permissions. Let's
+handle this case with pull method to ensure correct ownership.
+---
+ daemon/gvfsbackendadmin.c | 46 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 32b51b1a..9a7e8295 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -807,6 +807,51 @@ do_move (GVfsBackend *backend,
+ complete_job (job, error);
+ }
+
++static void
++do_pull (GVfsBackend *backend,
++ GVfsJobPull *pull_job,
++ const char *source,
++ const char *local_path,
++ GFileCopyFlags flags,
++ gboolean remove_source,
++ GFileProgressCallback progress_callback,
++ gpointer progress_callback_data)
++{
++ GVfsBackendAdmin *self = G_VFS_BACKEND_ADMIN (backend);
++ GVfsJob *job = G_VFS_JOB (pull_job);
++ GError *error = NULL;
++ GFile *src_file, *dst_file;
++
++ /* Pull method is necessary when user/group needs to be restored, return
++ * G_IO_ERROR_NOT_SUPPORTED in other cases to proceed with the fallback code.
++ */
++ if (!(flags & G_FILE_COPY_ALL_METADATA))
++ {
++ g_vfs_job_failed_literal (G_VFS_JOB (job), G_IO_ERROR,
++ G_IO_ERROR_NOT_SUPPORTED,
++ _("Operation not supported"));
++ return;
++ }
++
++ if (!check_permission (self, job))
++ return;
++
++ src_file = g_file_new_for_path (source);
++ dst_file = g_file_new_for_path (local_path);
++
++ if (remove_source)
++ g_file_move (src_file, dst_file, flags, job->cancellable,
++ progress_callback, progress_callback_data, &error);
++ else
++ g_file_copy (src_file, dst_file, flags, job->cancellable,
++ progress_callback, progress_callback_data, &error);
++
++ g_object_unref (src_file);
++ g_object_unref (dst_file);
++
++ complete_job (job, error);
++}
++
+ static void
+ do_query_settable_attributes (GVfsBackend *backend,
+ GVfsJobQueryAttributes *query_job,
+@@ -927,6 +972,7 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+ backend_class->set_attribute = do_set_attribute;
+ backend_class->delete = do_delete;
+ backend_class->move = do_move;
++ backend_class->pull = do_pull;
+ backend_class->query_settable_attributes = do_query_settable_attributes;
+ backend_class->query_writable_namespaces = do_query_writable_namespaces;
+ }
+--
+2.21.0
+
+
diff --git a/community/gvfs/CVE-2019-12795.patch b/community/gvfs/CVE-2019-12795.patch
new file mode 100644
index 0000000000..8d22342424
--- /dev/null
+++ b/community/gvfs/CVE-2019-12795.patch
@@ -0,0 +1,93 @@
+From e3808a1b4042761055b1d975333a8243d67b8bfe Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: [PATCH] gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8e..be148a7b 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+
+ gint mount_counter;
+
++ GDBusAuthObserver *auth_observer;
+ GDBusConnection *conn;
+ GVfsDBusDaemon *daemon_skeleton;
+ GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+ }
+ if (daemon->conn != NULL)
+ g_object_unref (daemon->conn);
++ if (daemon->auth_observer != NULL)
++ g_object_unref (daemon->auth_observer);
+
+ g_hash_table_destroy (daemon->registered_paths);
+ g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+ daemon->lost_main_daemon = TRUE;
+ }
+
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++ G_GNUC_UNUSED GIOStream *stream,
++ GCredentials *credentials,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ gboolean authorized = FALSE;
++
++ if (credentials != NULL)
++ {
++ GCredentials *own_credentials;
++
++ own_credentials = g_credentials_new ();
++
++ if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++ authorized = TRUE;
++
++ g_object_unref (own_credentials);
++ }
++
++ return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+
+ daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+ g_assert (daemon->conn != NULL);
++ daemon->auth_observer = g_dbus_auth_observer_new ();
++ g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+
+ daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+ g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+ server = g_dbus_server_new_sync (address1,
+ G_DBUS_SERVER_FLAGS_NONE,
+ guid,
+- NULL, /* GDBusAuthObserver */
++ daemon->auth_observer,
+ NULL, /* GCancellable */
+ &error);
+ g_free (guid);
+--
+2.21.0
+
+
diff --git a/community/imagemagick6/APKBUILD b/community/imagemagick6/APKBUILD
index db10abb5cd..b37fcd836a 100644
--- a/community/imagemagick6/APKBUILD
+++ b/community/imagemagick6/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=imagemagick6
-_pkgname=ImageMagick
-pkgver=6.9.10.44
+_pkgname=ImageMagick6
+pkgver=6.9.10.69
_pkgver=${pkgver%.*}-${pkgver##*.}
_abiver=${pkgname#imagemagick}
pkgrel=0
@@ -18,10 +18,36 @@ makedepends="fontconfig-dev freetype-dev ghostscript-dev lcms2-dev
zlib-dev"
checkdepends="freetype fontconfig ghostscript ghostscript-fonts lcms2 graphviz"
subpackages="$pkgname-doc $pkgname-dev $pkgname-c++:_cxx $pkgname-libs"
-source="https://www.imagemagick.org/download/releases/$_pkgname-$_pkgver.tar.xz"
+source="$_pkgname-$_pkgver.tar.gz::https://github.com/ImageMagick/ImageMagick6/archive/$_pkgver.tar.gz"
builddir="$srcdir/$_pkgname-$_pkgver"
# secfixes:
+# 6.9.10.55-r0:
+# - CVE-2019-13454
+# 6.9.10.53-r0:
+# - CVE-2019-13391
+# - CVE-2019-13311
+# - CVE-2019-13310
+# - CVE-2019-13309
+# - CVE-2019-13308
+# - CVE-2019-13307
+# - CVE-2019-13306
+# - CVE-2019-13305
+# - CVE-2019-13304
+# - CVE-2019-13303
+# - CVE-2019-13302
+# - CVE-2019-13301
+# - CVE-2019-13300
+# - CVE-2019-13299
+# - CVE-2019-13298
+# - CVE-2019-13297
+# - CVE-2019-13296
+# - CVE-2019-13295
+# - CVE-2019-13137
+# - CVE-2019-13136
+# - CVE-2019-13135
+# - CVE-2019-13134
+# - CVE-2019-13133
# 6.9.10.44-r0:
# - CVE-2019-11598
# - CVE-2019-11597
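Review bot: The new `source=` line fetches GitHub's on-the-fly `archive/$_pkgver.tar.gz` rather than a release asset; such archives are generated at download time and their bytes are not guaranteed stable, so the pinned sha512sum can start failing without any change upstream and a mismatch then no longer distinguishes a regenerated tarball from a tampered one. If upstream publishes a fixed release tarball for 6.9.10-69, prefer that URL; otherwise a comment such as `# GitHub archive tarballs are regenerated and may change checksum` next to `source=` would save the next maintainer a false alarm.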
@@ -84,8 +110,6 @@ prepare() {
}
build() {
- cd "$builddir"
-
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -110,13 +134,10 @@ build() {
}
check() {
- cd "$builddir"
make check
}
package() {
- cd "$builddir"
-
make -j1 DESTDIR="$pkgdir" install
if [ ! -e "$pkgdir"/usr/lib/libMagickCore-$_abiver.Q16.so ]; then
@@ -165,4 +186,4 @@ _cxx() {
mv "$pkgdir"/usr/lib/libMagick++*.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="520f93cada3b439198301916a3b59f5f4cbc2ff4dd3e8ba8e9023a109db024591e36c52e976906335e6f3eec9682cc987c025a1ed342db89206a660ce2d21d5e ImageMagick-6.9.10-44.tar.xz"
+sha512sums="89e548c76106f0417ac392e93866497dc41c478b5812e3dbcbb4950b27f8f85573411394c7cf41658968aa770085e8be6624a45aedbed0bf71a0f3437b8e1113 ImageMagick6-6.9.10-69.tar.gz"
diff --git a/community/knot/APKBUILD b/community/knot/APKBUILD
index 65dedf3cb2..3ef95e17ee 100644
--- a/community/knot/APKBUILD
+++ b/community/knot/APKBUILD
@@ -4,8 +4,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=knot
-pkgver=2.7.4
-pkgrel=1
+pkgver=2.7.8
+pkgrel=0
pkgdesc="An high-performance authoritative-only DNS server"
url="https://www.knot-dns.cz"
arch="all"
@@ -90,7 +90,7 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="e5f60a23817503468b18eaea517c5936945b901f568c56cb1ca67a208cc6206ff103e9ca03f1bf05018d13a688f54580ae816a5d70510f28a98ae31116a3f674 knot-2.7.4.tar.xz
+sha512sums="e220e9d885f488119bcb8324576b981e4c45e15d710595d6acaf121fbff9442e5c1d8c723c11dcd9cbc4d26e7a5200f002d52a94c67ba8af04f5c0c82615def7 knot-2.7.8.tar.xz
39503d16603eaff04cb34de97bff987952818d229ccb5b190567198505ece8077efdf230d5402e69ca4ab8acb282c53bfaaf495360dc11191c985a48fbb61318 test_net.patch
471d3c639a8235ba09491c99d36c0a4f1074d6055ccfd3807be02a30d3ed5bbe69a84f0414ea7810db6bbc1e38f5837108e5744fc59f949ed78a262a7de4597e knotd.confd
979f06a83dd4326920a682f8190319577faf904e0e379b3c55e0420eb43dcb55d86c6727015634fa0c2dff1dddac43bbd5a216ff04f217ad91d670eb899dbefa knotd.initd"
diff --git a/community/libraw/APKBUILD b/community/libraw/APKBUILD
index be3a5ea021..87d13be10b 100644
--- a/community/libraw/APKBUILD
+++ b/community/libraw/APKBUILD
@@ -17,6 +17,9 @@ builddir="$srcdir"/LibRaw-$pkgver
# - CVE-2018-20363
# - CVE-2018-20364
# - CVE-2018-20365
+# - CVE-2018-5817
+# - CVE-2018-5818
+# - CVE-2018-5819
# 0.18.6-r0:
# - CVE-2017-16910
# 0.18.5-r0:
diff --git a/community/live-media/0001-Add-a-pkg-config-file-for-the-shared-libraries.patch b/community/live-media/0001-Add-a-pkg-config-file-for-the-shared-libraries.patch
new file mode 100644
index 0000000000..a2ae1c183a
--- /dev/null
+++ b/community/live-media/0001-Add-a-pkg-config-file-for-the-shared-libraries.patch
@@ -0,0 +1,66 @@
+From: Benjamin Drung <bdrung@debian.org>
+Date: Sat, 16 Sep 2017 11:22:03 +0200
+Subject: Add a pkg-config file for the shared libraries
+
+This patch was downloaded from Debian
+https://sources.debian.org/src/liblivemedia/2018.08.05-1/debian/patches/0002-Add-a-pkg-config-file-for-the-shared-libraries.patch/
+
+The local/ part of PREXIX and LIBDIR was removed to fit into buildroot.
+
+A similar version of this patch is part of the vlc source repo:
+http://git.videolan.org/?p=vlc.git;a=blob;f=contrib/src/live555/add-pkgconfig-file.patch;hb=HEAD
+
+Upstream status: Rejected
+http://lists.live555.com/pipermail/live-devel/2013-January/016374.html
+http://lists.live555.com/pipermail/live-devel/2013-January/016375.html
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ Makefile.head | 3 +++
+ Makefile.tail | 7 ++++++-
+ live555.pc.in | 9 +++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 live555.pc.in
+
+diff --git a/Makefile.head b/Makefile.head
+index 458c54c..1571037 100644
+--- a/Makefile.head
++++ b/Makefile.head
+@@ -1 +1,4 @@
++PREFIX = /usr
++LIBDIR = /usr/lib
++VERSION = $(shell grep LIVEMEDIA_LIBRARY_VERSION_STRING liveMedia/include/liveMedia_version.hh | sed 's/.*"\([^"]*\)".*/\1/')
+ ##### Change the following for your environment:
+diff --git a/Makefile.tail b/Makefile.tail
+index fc594ea..a20a527 100644
+--- a/Makefile.tail
++++ b/Makefile.tail
+@@ -22,7 +22,12 @@ all:
+ @echo
+ @echo "For more information about this source code (including your obligations under the LGPL), please see our FAQ at http://live555.com/liveMedia/faq.html"
+
+-install:
++install_shared_libraries:
++ install -d $(DESTDIR)$(LIBDIR)/pkgconfig
++ sed "s#@PREFIX@#$(PREFIX)#;s#@LIBDIR@#$(LIBDIR)#;s#@VERSION@#$(VERSION)#" live555.pc.in > $(DESTDIR)$(LIBDIR)/pkgconfig/live555.pc
++ chmod 644 $(DESTDIR)$(LIBDIR)/pkgconfig/live555.pc
++
++install: $(INSTALL2)
+ cd $(LIVEMEDIA_DIR) ; $(MAKE) install
+ cd $(GROUPSOCK_DIR) ; $(MAKE) install
+ cd $(USAGE_ENVIRONMENT_DIR) ; $(MAKE) install
+diff --git a/live555.pc.in b/live555.pc.in
+new file mode 100644
+index 0000000..3736944
+--- /dev/null
++++ b/live555.pc.in
+@@ -0,0 +1,9 @@
++prefix=@PREFIX@
++libdir=@LIBDIR@
++includedir=${prefix}/include
++
++Name: live555
++Description: multimedia RTSP streaming library
++Version: @VERSION@
++Cflags: -I${includedir}/liveMedia -I${includedir}/groupsock -I${includedir}/BasicUsageEnvironment -I${includedir}/UsageEnvironment
++Libs: -L${libdir} -lliveMedia -lgroupsock -lBasicUsageEnvironment -lUsageEnvironment
diff --git a/community/live-media/0003-Link-shared-libraries-with-g-instead-of-gcc-to-fix-b.patch b/community/live-media/0003-Link-shared-libraries-with-g-instead-of-gcc-to-fix-b.patch
new file mode 100644
index 0000000000..b463a1a82d
--- /dev/null
+++ b/community/live-media/0003-Link-shared-libraries-with-g-instead-of-gcc-to-fix-b.patch
@@ -0,0 +1,49 @@
+From: Benjamin Drung <bdrung@debian.org>
+Date: Sat, 16 Sep 2017 11:22:04 +0200
+Subject: Link shared libraries with g++ instead of gcc to fix build failure
+
+---
+ config.linux | 6 +++---
+ config.linux-with-shared-libraries | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/config.linux b/config.linux
+index b4021ef..efff3a9 100644
+--- a/config.linux
++++ b/config.linux
+@@ -1,12 +1,12 @@
+ COMPILE_OPTS = $(INCLUDES) -I/usr/local/include -I. -O2 -DSOCKLEN_T=socklen_t -D_LARGEFILE_SOURCE=1 -D_FILE_OFFSET_BITS=64
+ C = c
+-C_COMPILER = cc
++C_COMPILER = $(CC)
+ C_FLAGS = $(COMPILE_OPTS) $(CPPFLAGS) $(CFLAGS)
+ CPP = cpp
+-CPLUSPLUS_COMPILER = c++
++CPLUSPLUS_COMPILER = $(CXX)
+ CPLUSPLUS_FLAGS = $(COMPILE_OPTS) -Wall -DBSD=1 $(CPPFLAGS) $(CXXFLAGS)
+ OBJ = o
+-LINK = c++ -o
++LINK = $(CXX) -o
+ LINK_OPTS = -L. $(LDFLAGS)
+ CONSOLE_LINK_OPTS = $(LINK_OPTS)
+ LIBRARY_LINK = ar cr
+diff --git a/config.linux-with-shared-libraries b/config.linux-with-shared-libraries
+index 04d0ea0..2ae04ef 100644
+--- a/config.linux-with-shared-libraries
++++ b/config.linux-with-shared-libraries
+@@ -33,12 +33,12 @@ CPLUSPLUS_COMPILER = $(CXX)
+ CPLUSPLUS_FLAGS = $(COMPILE_OPTS) -Wall -DBSD=1 $(CPPFLAGS) $(CXXFLAGS)
+ OBJ = o
+ LINK = $(CXX) -o
+-LINK_OPTS = -L. $(LDFLAGS)
++LINK_OPTS = -L. $(CPPFLAGS) $(LDFLAGS)
+ CONSOLE_LINK_OPTS = $(LINK_OPTS)
+-LIBRARY_LINK = $(CC) -o
++LIBRARY_LINK = $(CXX) -o
+ SHORT_LIB_SUFFIX = so.$(shell expr $($(NAME)_VERSION_CURRENT) - $($(NAME)_VERSION_AGE))
+ LIB_SUFFIX = $(SHORT_LIB_SUFFIX).$($(NAME)_VERSION_AGE).$($(NAME)_VERSION_REVISION)
+-LIBRARY_LINK_OPTS = -shared -Wl,-soname,$(NAME).$(SHORT_LIB_SUFFIX) $(LDFLAGS)
++LIBRARY_LINK_OPTS = -shared -Wl,-soname,$(NAME).$(SHORT_LIB_SUFFIX) $(CPPFLAGS) $(LDFLAGS)
+ LIBS_FOR_CONSOLE_APPLICATION = -lssl -lcrypto
+ LIBS_FOR_GUI_APPLICATION =
+ EXE =
diff --git a/community/live-media/0004-Reduce-number-of-unresolved-symbols-by-linking-libra.patch b/community/live-media/0004-Reduce-number-of-unresolved-symbols-by-linking-libra.patch
new file mode 100644
index 0000000000..e3bf29e684
--- /dev/null
+++ b/community/live-media/0004-Reduce-number-of-unresolved-symbols-by-linking-libra.patch
@@ -0,0 +1,95 @@
+From: Sebastian Ramacher <sramacher@debian.org>
+Date: Sat, 16 Sep 2017 14:12:44 +0200
+Subject: Reduce number of unresolved symbols by linking libraries
+
+This leaves HashTable::Iterator::create as only reamining unresolved
+symbol. However, this symbol is not defined.
+---
+ BasicUsageEnvironment/Makefile.tail | 6 +++++-
+ Makefile.tail | 4 ++--
+ groupsock/Makefile.tail | 8 +++++++-
+ liveMedia/Makefile.tail | 10 +++++++++-
+ 4 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/BasicUsageEnvironment/Makefile.tail b/BasicUsageEnvironment/Makefile.tail
+index 5d04179..c02cf23 100644
+--- a/BasicUsageEnvironment/Makefile.tail
++++ b/BasicUsageEnvironment/Makefile.tail
+@@ -9,9 +9,13 @@ OBJS = BasicUsageEnvironment0.$(OBJ) BasicUsageEnvironment.$(OBJ) \
+ BasicTaskScheduler0.$(OBJ) BasicTaskScheduler.$(OBJ) \
+ DelayQueue.$(OBJ) BasicHashTable.$(OBJ)
+
++USAGE_ENVIRONMENT_DIR = ../UsageEnvironment
++USAGE_ENVIRONMENT_LIB = $(USAGE_ENVIRONMENT_DIR)/libUsageEnvironment.$(libUsageEnvironment_LIB_SUFFIX)
++
+ libBasicUsageEnvironment.$(LIB_SUFFIX): $(OBJS)
+ $(LIBRARY_LINK)$@ $(LIBRARY_LINK_OPTS) \
+- $(OBJS)
++ $(OBJS) \
++ $(USAGE_ENVIRONMENT_LIB)
+
+ .$(C).$(OBJ):
+ $(C_COMPILER) -c $(C_FLAGS) $<
+diff --git a/Makefile.tail b/Makefile.tail
+index a20a527..f28c77f 100644
+--- a/Makefile.tail
++++ b/Makefile.tail
+@@ -12,10 +12,10 @@ MEDIA_SERVER_DIR = mediaServer
+ PROXY_SERVER_DIR = proxyServer
+
+ all:
+- cd $(LIVEMEDIA_DIR) ; $(MAKE)
+- cd $(GROUPSOCK_DIR) ; $(MAKE)
+ cd $(USAGE_ENVIRONMENT_DIR) ; $(MAKE)
+ cd $(BASIC_USAGE_ENVIRONMENT_DIR) ; $(MAKE)
++ cd $(GROUPSOCK_DIR) ; $(MAKE)
++ cd $(LIVEMEDIA_DIR) ; $(MAKE)
+ cd $(TESTPROGS_DIR) ; $(MAKE)
+ cd $(MEDIA_SERVER_DIR) ; $(MAKE)
+ cd $(PROXY_SERVER_DIR) ; $(MAKE)
+diff --git a/groupsock/Makefile.tail b/groupsock/Makefile.tail
+index 89a8593..499cf14 100644
+--- a/groupsock/Makefile.tail
++++ b/groupsock/Makefile.tail
+@@ -25,10 +25,16 @@ NetInterface.$(CPP): include/NetInterface.hh include/GroupsockHelper.hh
+ NetAddress.$(CPP): include/NetAddress.hh include/GroupsockHelper.hh
+ IOHandlers.$(CPP): include/IOHandlers.hh include/TunnelEncaps.hh
+
++USAGE_ENVIRONMENT_DIR = ../UsageEnvironment
++USAGE_ENVIRONMENT_LIB = $(USAGE_ENVIRONMENT_DIR)/libUsageEnvironment.$(libUsageEnvironment_LIB_SUFFIX)
++BASIC_USAGE_ENVIRONMENT_DIR = ../BasicUsageEnvironment
++BASIC_USAGE_ENVIRONMENT_LIB = $(BASIC_USAGE_ENVIRONMENT_DIR)/libBasicUsageEnvironment.$(libBasicUsageEnvironment_LIB_SUFFIX)
++
+ libgroupsock.$(LIB_SUFFIX): $(GROUPSOCK_LIB_OBJS) \
+ $(PLATFORM_SPECIFIC_LIB_OBJS)
+ $(LIBRARY_LINK)$@ $(LIBRARY_LINK_OPTS) \
+- $(GROUPSOCK_LIB_OBJS)
++ $(GROUPSOCK_LIB_OBJS) \
++ $(BASIC_USAGE_ENVIRONMENT_LIB) $(USAGE_ENVIRONMENT_LIB)
+
+ clean:
+ -rm -rf *.$(OBJ) $(ALL) core *.core *~ include/*~
+diff --git a/liveMedia/Makefile.tail b/liveMedia/Makefile.tail
+index e23d1d4..3233a4b 100644
+--- a/liveMedia/Makefile.tail
++++ b/liveMedia/Makefile.tail
+@@ -63,10 +63,18 @@ MISC_OBJS = BitVector.$(OBJ) StreamParser.$(OBJ) DigestAuthentication.$(OBJ) our
+
+ LIVEMEDIA_LIB_OBJS = Media.$(OBJ) $(MISC_SOURCE_OBJS) $(MISC_SINK_OBJS) $(MISC_FILTER_OBJS) $(RTP_OBJS) $(RTCP_OBJS) $(GENERIC_MEDIA_SERVER_OBJS) $(RTSP_OBJS) $(SIP_OBJS) $(SESSION_OBJS) $(QUICKTIME_OBJS) $(AVI_OBJS) $(TRANSPORT_STREAM_TRICK_PLAY_OBJS) $(MATROSKA_OBJS) $(OGG_OBJS) $(TRANSPORT_STREAM_DEMUX_OBJS) $(HLS_OBJS) $(MISC_OBJS)
+
++GROUPSOCK_DIR = ../groupsock
++GROUPSOCK_LIB = $(GROUPSOCK_DIR)/libgroupsock.$(libgroupsock_LIB_SUFFIX)
++USAGE_ENVIRONMENT_DIR = ../UsageEnvironment
++USAGE_ENVIRONMENT_LIB = $(USAGE_ENVIRONMENT_DIR)/libUsageEnvironment.$(libUsageEnvironment_LIB_SUFFIX)
++BASIC_USAGE_ENVIRONMENT_DIR = ../BasicUsageEnvironment
++BASIC_USAGE_ENVIRONMENT_LIB = $(BASIC_USAGE_ENVIRONMENT_DIR)/libBasicUsageEnvironment.$(libBasicUsageEnvironment_LIB_SUFFIX)
++
+ $(LIVEMEDIA_LIB): $(LIVEMEDIA_LIB_OBJS) \
+ $(PLATFORM_SPECIFIC_LIB_OBJS)
+ $(LIBRARY_LINK)$@ $(LIBRARY_LINK_OPTS) \
+- $(LIVEMEDIA_LIB_OBJS)
++ $(LIVEMEDIA_LIB_OBJS) \
++ $(GROUPSOCK_LIB) $(BASIC_USAGE_ENVIRONMENT_LIB) $(USAGE_ENVIRONMENT_LIB)
+
+ Media.$(CPP): include/Media.hh
+ include/Media.hh: include/liveMedia_version.hh
diff --git a/community/live-media/0005-Build-without-OpenSSL.patch b/community/live-media/0005-Build-without-OpenSSL.patch
new file mode 100644
index 0000000000..1b931475ff
--- /dev/null
+++ b/community/live-media/0005-Build-without-OpenSSL.patch
@@ -0,0 +1,30 @@
+From: Sebastian Ramacher <sramacher@debian.org>
+Date: Sun, 19 Jan 2020 11:24:59 +0100
+Subject: Build without OpenSSL
+
+---
+ config.linux-with-shared-libraries | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config.linux-with-shared-libraries b/config.linux-with-shared-libraries
+index 2ae04ef..041da7f 100644
+--- a/config.linux-with-shared-libraries
++++ b/config.linux-with-shared-libraries
+@@ -24,7 +24,7 @@ libgroupsock_VERSION_AGE=2
+ libgroupsock_LIB_SUFFIX=so.$(shell expr $(libgroupsock_VERSION_CURRENT) - $(libgroupsock_VERSION_AGE)).$(libgroupsock_VERSION_AGE).$(libgroupsock_VERSION_REVISION)
+ #####
+
+-COMPILE_OPTS = $(INCLUDES) -I/usr/local/include -I. -O2 -DSOCKLEN_T=socklen_t -D_LARGEFILE_SOURCE=1 -D_FILE_OFFSET_BITS=64 -fPIC
++COMPILE_OPTS = $(INCLUDES) -I/usr/include -I. -O2 -DSOCKLEN_T=socklen_t -D_LARGEFILE_SOURCE=1 -D_FILE_OFFSET_BITS=64 -DNO_OPENSSL=1 -fPIC
+ C = c
+ C_COMPILER = $(CC)
+ C_FLAGS = $(COMPILE_OPTS) $(CPPFLAGS) $(CFLAGS)
+@@ -39,7 +39,7 @@ LIBRARY_LINK = $(CXX) -o
+ SHORT_LIB_SUFFIX = so.$(shell expr $($(NAME)_VERSION_CURRENT) - $($(NAME)_VERSION_AGE))
+ LIB_SUFFIX = $(SHORT_LIB_SUFFIX).$($(NAME)_VERSION_AGE).$($(NAME)_VERSION_REVISION)
+ LIBRARY_LINK_OPTS = -shared -Wl,-soname,$(NAME).$(SHORT_LIB_SUFFIX) $(CPPFLAGS) $(LDFLAGS)
+-LIBS_FOR_CONSOLE_APPLICATION = -lssl -lcrypto
++LIBS_FOR_CONSOLE_APPLICATION =
+ LIBS_FOR_GUI_APPLICATION =
+ EXE =
+ INSTALL2 = install_shared_libraries
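Review bot: Adding `-DNO_OPENSSL=1` to `COMPILE_OPTS` and emptying `LIBS_FOR_CONSOLE_APPLICATION` builds live555 without OpenSSL, which presumably drops its TLS-dependent code paths (RTSP over TLS and related features), and nothing in this commit records that the Alpine package is intentionally a plaintext-only build. Consumers such as media players that expect `rtsps://` support will fail at runtime rather than at build time. Add a one-line note to the APKBUILD above the `source=` block, e.g. `# 0005 builds without OpenSSL: no RTSP-over-TLS support in this package`, so the trade-off is visible where the patch is applied.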
diff --git a/community/live-media/APKBUILD b/community/live-media/APKBUILD
index deb9fc66d5..14da55cae0 100644
--- a/community/live-media/APKBUILD
+++ b/community/live-media/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=live-media
-pkgver=2018.12.14
+pkgver=2020.03.06
pkgrel=0
pkgdesc="A set of C++ libraries for multimedia streaming"
url="http://live555.com/liveMedia"
@@ -8,20 +8,24 @@ arch="all"
license="LGPL"
subpackages="$pkgname-dev $pkgname-utils"
options="!check"
-source="http://live555.com/liveMedia/public/live.$pkgver.tar.gz"
+source="http://live555.com/liveMedia/public/live.$pkgver.tar.gz
+0001-Add-a-pkg-config-file-for-the-shared-libraries.patch
+0003-Link-shared-libraries-with-g-instead-of-gcc-to-fix-b.patch
+0004-Reduce-number-of-unresolved-symbols-by-linking-libra.patch
+0005-Build-without-OpenSSL.patch
+"
builddir="$srcdir"/live
prepare() {
cd "$builddir"
- sed -e "/^COMPILE_OPTS/s/$/ $CFLAGS -fPIC -DPIC -DXLOCALE_NOT_USED=1 -DRTSPCLIENT_SYNCHRONOUS_INTERFACE/" \
- -i config.linux-with-shared-libraries
+ chmod -R 775 *
+ default_prepare
}
build() {
cd "$builddir"
./genMakefiles linux-with-shared-libraries
- make C_COMPILER="${CC:-gcc}" CPLUSPLUS_COMPILER="${CXX:-g++}" \
- || return 1
+ make PREFIX=/usr LIBDIR=/usr/lib
}
package() {
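Review bot: The rewritten prepare() drops the `-DXLOCALE_NOT_USED=1 -DRTSPCLIENT_SYNCHRONOUS_INTERFACE` defines the old sed line injected into COMPILE_OPTS, and none of the four patches listed in source= on this page re-adds them, so the built library may now expose a different RTSPClient interface than the previous release; if that is intended, say so in a comment, otherwise pass `-DRTSPCLIENT_SYNCHRONOUS_INTERFACE` back through CFLAGS or the 0005 patch. `chmod -R 775 *` also makes every source file group-writable and executable with no comment on which permission problem it works around; if the tarball merely ships unreadable files, `chmod -R a+rX .` is the narrower fix, and either way a comment on the line should name the reason. The series numbering 0001, 0003, 0004, 0005 with no 0002 suggests a patch was dropped; a note saying which one and why would help the next bump.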
@@ -53,4 +57,8 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="8668f088e33c34a4a20a537e70c4f6678a93b275a77ce25697b95798f0b75d1d0f6a7f2d5284c0649330fa783d06946995e065241528169396460de548f5e44f live.2018.12.14.tar.gz"
+sha512sums="7da439fbdeab0da6687dee56d9a27bf7b8f8a9c84b420d72f2e2a7ff7a73d18756d1fdb920f29b36917d93efcecc9230877637322d5041eeba114882b4bf7a06 live.2020.03.06.tar.gz
+d542668dfe9386dc31389db6dfe9ed20a8395ede5d1dabfee40f49ad0db67d0b3665c8dcd59d48e4761ba00beeecc3197b2d25cb3a04ef40988f949269e7c9ef 0001-Add-a-pkg-config-file-for-the-shared-libraries.patch
+5cf4a6159531e126bee83f981bd8583a1cef68cde2129f0d255b2f2d73055a21b7bf2bbcc822aa0265f1df7c32add6b95c57f59c5e08060750567fc268643612 0003-Link-shared-libraries-with-g-instead-of-gcc-to-fix-b.patch
+d5be57357d3c04356aac41804ee3d13434f754c7f86936e24a39c5e966a902628d9570afb37aa96a7c33a45fa5787182bec0441394d114e59d5a1f25250ea0c5 0004-Reduce-number-of-unresolved-symbols-by-linking-libra.patch
+cb737f55844773a0ad13bb17c1ab236c880a3eebe9ac11cef30bccd949cc7a144cc73a9b81ead6b011c8664c2863f57e1b8255790fe6652146a1b094f879761a 0005-Build-without-OpenSSL.patch"
diff --git a/community/milter-greylist/APKBUILD b/community/milter-greylist/APKBUILD
index 5c4455b5b4..c6e5f3b4e2 100644
--- a/community/milter-greylist/APKBUILD
+++ b/community/milter-greylist/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=milter-greylist
pkgver=4.6.2
-pkgrel=3
+pkgrel=5
pkgdesc="Stand-alone milter written in C that implements the greylist filtering method"
url="http://hcpnet.free.fr/milter-greylist"
arch="all"
@@ -55,9 +55,5 @@ package() {
chown -R smmsp:smmsp "$pkgdir"/var/lib/$pkgname
}
-md5sums="8872008db2fc6b93dd9ab8576383fec2 milter-greylist-4.6.2.tgz
-141e3b79fcea533cdd9ae57f2d731f24 milter-greylist-conf.patch"
-sha256sums="5405a71bc8273848a1e14cecc010b95491e754307b005c96d35081ab2f9b8bd5 milter-greylist-4.6.2.tgz
-973788cd06c96d7e9c02d9ccfc1dd62f85c3ef635b44873755575033b7a97336 milter-greylist-conf.patch"
sha512sums="458b4e74cadca6cb50838b87a192392cc19bde61062d2b25b2ca0fc515a277b53d177d9605f34aff1671f7722462c31ce419a4e058ca6ea23b80a8debf33079c milter-greylist-4.6.2.tgz
4057061fae24a8d008c6a8aed82018a4bb9f6e9ce72a13d9369d54b192e9a6e99b0e72db8905aa182879c9522b87a92844d0be92773843773508a21e42dbd447 milter-greylist-conf.patch"
diff --git a/community/milter-greylist/milter-greylist.initd b/community/milter-greylist/milter-greylist.initd
index 97ecabc1fa..700facde94 100644
--- a/community/milter-greylist/milter-greylist.initd
+++ b/community/milter-greylist/milter-greylist.initd
@@ -2,3 +2,8 @@
command=/usr/bin/$SVCNAME
pidfile=/var/run/$SVCNAME/$SVCNAME.pid
+
+depend() {
+ need net
+ after firewall
+}
diff --git a/community/mplayer/APKBUILD b/community/mplayer/APKBUILD
index e33db90746..c432be691e 100644
--- a/community/mplayer/APKBUILD
+++ b/community/mplayer/APKBUILD
@@ -2,7 +2,7 @@
pkgname=mplayer
pkgver=1.3.0
_ver=${pkgver/_/}
-pkgrel=6
+pkgrel=7
pkgdesc="A movie player for linux"
url="http://www.mplayerhq.hu/"
arch="x86_64"
diff --git a/community/nextcloud/APKBUILD b/community/nextcloud/APKBUILD
index 5f32c67752..c0159d722a 100644
--- a/community/nextcloud/APKBUILD
+++ b/community/nextcloud/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=nextcloud
-pkgver=15.0.8
+pkgver=15.0.14
pkgrel=0
pkgdesc="A safe home for all your data"
url="http://nextcloud.com"
@@ -228,7 +228,7 @@ _package_app() {
mv "$pkgdir"/$_appsdir/$appname "$subpkgdir"/$_appsdir/
}
-sha512sums="c800a703880f4f1aa5896f3eac34e70de7d0fd16f4f0ddef473f350a768b02aa96ad717ed67b254d6dbb4c632ac84fdb834049bae813a0f2a5468b29395a2b11 nextcloud-15.0.8.zip
+sha512sums="d847342bdeb298efafc691b1d3f3095e24643e429639be05bda51cd84c4c9c60cd82d467328a685b02f8cd48e97ed59e4ed68f8f984a71d36a009072a10754a5 nextcloud-15.0.14.zip
59151300c1153cad7fa2a1a972825c81a71df523b319b22799ce1bd846c1a63c7e37c608a125a98e4e733857cc65db9f329fafef7a5b1365d802c476450fce22 nextcloud15-dont-chmod.patch
e9d15d00368c8840c0144a9f0f45a951717b6c441f98a98568c064639f223df4b6190be040fc56840d3a23b3f7c69348b3d9e94ad4e86f371754ecd057a329d2 nextcloud15-app-encryption-info-add-mcrypt.patch
aef3c92497d738d6968e0f0b0d415b4953500db24ae14af41ef972665cf7eff00cb6c53dc953845fdbb389c3c965a75b8b14b9247513c05cf4130fe1cfc61731 dont-update-htaccess.patch
diff --git a/community/opam/APKBUILD b/community/opam/APKBUILD
index ba96c31029..cd135c39f1 100644
--- a/community/opam/APKBUILD
+++ b/community/opam/APKBUILD
@@ -1,21 +1,20 @@
# Contributor: Michael Zuo <muh.muhten@gmail.com>
+# Contributor: Sora Morimoto <sora@morimoto.io>
# Maintainer: Anil Madhavapeddy <anil@recoil.org>
pkgname=opam
-pkgver=2.0.1
+pkgver=2.0.7
pkgrel=0
pkgdesc="OCaml Package Manager"
url="https://opam.ocaml.org"
-arch="all !x86 !armhf !armv7 !s390x" # ocaml not avail on excluded platforms
+arch="all !x86 !armhf !armv7 !s390x !mips !mips64" # ocaml not avail on excluded platforms
license="LGPL-2.1"
-depends="ocaml curl xz tar unzip rsync patch bubblewrap bash"
+depends="ocaml curl tar unzip rsync patch bubblewrap bash"
makedepends="ocaml-compiler-libs"
-source="https://github.com/ocaml/$pkgname/releases/download/$pkgver/$pkgname-full-$pkgver.tar.gz"
+source="https://github.com/ocaml/opam/releases/download/$pkgver/opam-full-$pkgver.tar.gz"
builddir="$srcdir/$pkgname-full-$pkgver"
subpackages="$pkgname-doc"
build() {
- cd "$builddir"
-
./configure \
--build=$CBUILD \
--host=$CHOST \
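Review bot: `xz` is removed from depends on the same line that keeps `tar unzip rsync`, with no explanation in the hunk; if opam still shells out to xz to unpack `.tar.xz` package sources, this turns a packaging dependency into a runtime failure at `opam install`. If it is no longer invoked directly, or is pulled in transitively, a trailing comment such as `# xz no longer invoked directly` would stop the next maintainer from re-adding it. build() continues outside the hunk.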
@@ -30,13 +29,11 @@ build() {
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
check() {
- cd "$builddir"
make tests
}
-sha512sums="add6cd77067cddadd4be5d79699713211f5f2796c1e1931048eb5fc4f0127eca56e1f81d43335327ae04e2144186d9ce759e844d2a125ef27f22c26cd8153e3c opam-full-2.0.1.tar.gz"
+sha512sums="670af4935bba0679c65f6592b7a52b1d429b604eb261e40b13cf72312aeb0bab0c5a76829a555fc5379a0371c352692cbabc46b460fcd9bf32b3cfebdaeceb81 opam-full-2.0.7.tar.gz"
diff --git a/community/openexr/APKBUILD b/community/openexr/APKBUILD
index 821309910e..0b1516b02b 100644
--- a/community/openexr/APKBUILD
+++ b/community/openexr/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Mark Riedesel <mark+alpine@klowner.com>
pkgname=openexr
pkgver=2.2.1
-pkgrel=0
+pkgrel=1
pkgdesc="A high dynamic-range image file format library"
url="http://www.openexr.com/"
arch="all"
@@ -10,9 +10,15 @@ license="BSD"
depends=""
makedepends="ilmbase-dev zlib-dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
-source="http://download.savannah.nongnu.org/releases/openexr/${pkgname}-${pkgver}.tar.gz"
+source="http://download.savannah.nongnu.org/releases/openexr/${pkgname}-${pkgver}.tar.gz
+ CVE-2018-18444.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 2.2.1-r1:
+# - CVE-2018-18444
+
build() {
cd "$builddir"
./configure \
@@ -37,4 +43,5 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="192100c6ac47534f3a93c55327d2ab90b07a8265156855086b326184328c257dcde12991b3f3f1831e2df4226fe884adcfe481c2f02a157c715aee665e89a480 openexr-2.2.1.tar.gz"
+sha512sums="192100c6ac47534f3a93c55327d2ab90b07a8265156855086b326184328c257dcde12991b3f3f1831e2df4226fe884adcfe481c2f02a157c715aee665e89a480 openexr-2.2.1.tar.gz
+c88f42bf9cb4fb2ccff493a3fded1a6efc67dedbe9475c0fa16e2bde8970fd6a03c5684558203cc7261b91c1f4521b0e007a653233ba16dfa3153320c7efe93d CVE-2018-18444.patch"
diff --git a/community/openexr/CVE-2018-18444.patch b/community/openexr/CVE-2018-18444.patch
new file mode 100644
index 0000000000..54be2400ba
--- /dev/null
+++ b/community/openexr/CVE-2018-18444.patch
@@ -0,0 +1,23 @@
+From 1b0f1e5d7dcf2e9d6cbb4e005e803808b010b1e0 Mon Sep 17 00:00:00 2001
+From: pgajdos <pgajdos@suse.cz>
+Date: Fri, 14 Jun 2019 22:19:30 +0200
+Subject: [PATCH] fix CVE-2018-18444
+
+---
+ exrmultiview/Image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/OpenEXR/exrmultiview/Image.h b/OpenEXR/exrmultiview/Image.h
+index 5d718f5d..c465d380 100644
+--- a/exrmultiview/Image.h
++++ b/exrmultiview/Image.h
+@@ -227,7 +227,7 @@ template <class T>
+ void
+ TypedImageChannel<T>::black ()
+ {
+- memset(&_pixels[0][0],0,image().width()/_xSampling*image().height()/_ySampling*sizeof(T));
++ memset(&_pixels[0][0],0,image().width()/_xSampling*(image().height()/_ySampling)*sizeof(T));
+ }
+
+
+
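Review bot: The header says only `fix CVE-2018-18444`; the patch needs a sentence on why the added parentheses matter, because the change reads as cosmetic. With integer division, `width()/_xSampling*height()/_ySampling` evaluates as `((w/xs)*h)/ys`, which is greater than or equal to `(w/xs)*(h/ys)`, so the old memset length can exceed a buffer presumably sized from the latter expression whenever a sampling factor is larger than one; a header line such as `Parenthesize height()/_ySampling so the memset length matches the per-sample pixel count used for allocation` would record that. The `diff --git` line names `OpenEXR/exrmultiview/Image.h` while the `---`/`+++` lines name `exrmultiview/Image.h`; patch(1), which abuild's default_prepare uses, follows the latter, but `git apply` rejects a git header whose paths disagree, so the first line should be made consistent.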
diff --git a/community/openjdk7/APKBUILD b/community/openjdk7/APKBUILD
index 6e10f94e6a..0d011c7ba4 100644
--- a/community/openjdk7/APKBUILD
+++ b/community/openjdk7/APKBUILD
@@ -2,11 +2,11 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openjdk7
-_icedteaver=2.6.17
-_icedteaversrc=$_icedteaver-r1
+_icedteaver=2.6.22
+_icedteaversrc=$_icedteaver
# pkgver is <JDK version>.<JDK update>
# check icedtea JDK when updating
-pkgver=7.211.$_icedteaver
+pkgver=7.261.$_icedteaver
pkgrel=0
pkgdesc="OpenJDK 7 via IcedTea"
url="https://icedtea.classpath.org/"
@@ -79,26 +79,71 @@ source="https://icedtea.classpath.org/download/source/icedtea-$_icedteaversrc.ta
icedtea-hotspot-uclibc-fixes.patch
icedtea-jdk-fix-build.patch
icedtea-jdk-execinfo.patch
- icedtea-jdk-fix-freetype-detection.patch
icedtea-jdk-fix-ipv6-init.patch
icedtea-jdk-musl.patch
icedtea-jdk-no-soname.patch
+ icedtea-jdk-revert-7fdd0d6ef2d3.patch
+ icedtea-jdk-revert-a32dc7400435.patch
icedtea-cpio.patch
"
# secfixes:
+# 7.261.2.6.22-r0:
+# - CVE-2020-2756
+# - CVE-2020-2757
+# - CVE-2020-2773
+# - CVE-2020-2781
+# - CVE-2020-2800
+# - CVE-2020-2803
+# - CVE-2020-2805
+# - CVE-2020-2830
+# 7.251.2.6.21-r0:
+# - CVE-2020-2583
+# - CVE-2020-2590
+# - CVE-2020-2593
+# - CVE-2020-2601
+# - CVE-2020-2604
+# - CVE-2020-2654
+# - CVE-2020-2659
+# 7.241.2.6.20-r0:
+# - CVE-2019-2894
+# - CVE-2019-2933
+# - CVE-2019-2945
+# - CVE-2019-2949
+# - CVE-2019-2958
+# - CVE-2019-2962
+# - CVE-2019-2964
+# - CVE-2019-2973
+# - CVE-2019-2978
+# - CVE-2019-2981
+# - CVE-2019-2983
+# - CVE-2019-2987
+# - CVE-2019-2988
+# - CVE-2019-2989
+# - CVE-2019-2992
+# - CVE-2019-2999
+# 7.231.2.6.19-r0:
+# - CVE-2019-2766
+# - CVE-2019-2769
+# - CVE-2019-2786
+# - CVE-2019-2816
+# - CVE-2019-2842
+# 7.221.2.6.18-r0:
+# - CVE-2019-2602
+# - CVE-2019-2684
+# - CVE-2019-2698
# 7.211.2.6.17-r0:
-# - CVE-2018-11212
-# - CVE-2019-2422
-# - CVE_2019-2426
+# - CVE-2018-11212
+# - CVE-2019-2422
+# - CVE_2019-2426
# 7.201.2.6.16-r0:
-# - CVE-2018-3136
-# - CVE-2018-3139
-# - CVE-2018-3149
-# - CVE-2018-3169
-# - CVE-2018-3180
-# - CVE-2018-3214
-# - CVE-2018-13785
+# - CVE-2018-3136
+# - CVE-2018-3139
+# - CVE-2018-3149
+# - CVE-2018-3169
+# - CVE-2018-3180
+# - CVE-2018-3214
+# - CVE-2018-13785
builddir="$srcdir/icedtea-$_icedteaver"
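Review bot: The re-indented secfixes entry `CVE_2019-2426` still carries an underscore where a hyphen belongs; since the line was rewritten anyway, change it to `# - CVE-2019-2426` so tooling that scans the block for `CVE-` identifiers picks it up. Separately, `icedtea-jdk-revert-7fdd0d6ef2d3.patch`, added to source= here, states in its own header further down this page that it also reverts the fix for CVE-2019-2745, so the package knowingly ships without that fix; a comment beside the patch entry, e.g. `# reverts the CVE-2019-2745 fix (build error), see patch header`, keeps that visible to anyone reading the secfixes block as complete. The typo `laos` in that patch header is worth correcting while it is being touched.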
@@ -267,24 +312,25 @@ doc() {
mv "$pkgdir"/$INSTALL_BASE/man "$subpkgdir"/$INSTALL_BASE/
}
-sha512sums="cc4f3f06da3332224e3826e7b3f8292e708a791d6b478db612b7bd01bdcf5ab717507d144ec03349361d665df899459930e0f21f6a5ee78195575488e58bec57 icedtea-2.6.17-r1.tar.xz
-fe1ce302fe887dcb71f589387b44d3ae71ea389825df4f09d578a67c23aee79a1c2a463da84b22cf74e9b2ce92801da72c40d66093d0eb1c790f09955bb277cc openjdk-2.6.17.tar.bz2
-20336ab198e42d42c2f68d15b82fd25db523d68b65313df4c1233a13ccb286fc94e9941c84a2b2b18a196aa121109aedb0c2c6ca772b71c8e1721ebf04b702f6 corba-2.6.17.tar.bz2
-d7589d0586eb155225b263387099022af69b9e79c07348db4d48200f7b0a2f53b59c42df284a41604647b06ee4aff43b07dbc4d737b2a0cb29f857cb7fbc7f54 jaxp-2.6.17.tar.bz2
-cbc40096706743302b03204099ddc2d632cd14c24dd3d7a5dcb8ad6258146535d660a5f384e2df64c2b97e376122852f050f69f7e67983d86bfbf12a92c7cd2c jaxws-2.6.17.tar.bz2
-f0ba8dd6011b205fbc3b67924c7535cd7618df3b1ed084aa65e70532a352d604a908894bbc010d7a50fc2e2d28be7c3d0730d73fc30f1c361e444e63d4b34ac5 jdk-2.6.17.tar.bz2
-fd6cb9004c886b78b45ddad7ba98b202998d497ff26e3f0dd861cd418a52e7c0dd7e25e1e035a4278db449abd606a8248cccc28a10cdc543e9870848e05d30f5 langtools-2.6.17.tar.bz2
-2777299457b9f82736351a4c948431c1671a40bdc1315da66ba13f0f9930a40812da5385f7d8b10f4a847592cc4f253a36eb14b15bd6699fa5dcd7841718f821 hotspot-2.6.17.tar.bz2
+sha512sums="28c96cd2971ce381f0bd1c2a7fe6443602ad89dc0dd5a48d533e3c1a473421bdb98abf5e38117409f305bab7c6c8fecf95e854e8da8acf022966014539916b5c icedtea-2.6.22.tar.xz
+7e2027e0b32b34f63eb771aad0273313d963d455f11f635e6b268b49a7f390d9ef2ff2913f2b9f09b6959abbdc060788a1ad8da9ae221b0889054ec4120f9867 openjdk-2.6.22.tar.bz2
+105b9a40d2a65d106e2d59524b0ed24edc72f46f2383d5645d7dd1f09ea9359e76b07ce1712433c7ce1062c5c49f45937acbfe293cfb27379d9a412f03589324 corba-2.6.22.tar.bz2
+696f17f0ef263668fa775bfb65630dcbe5c673fd7b153eff598fc7a7ba60c99b3f6b5f8e82949f3ebf16f506a9158797227c7263292a04b63a8653189dd9bfbb jaxp-2.6.22.tar.bz2
+406d9066e66d38a6cfd697f594e6955a625b685fd7dd83eb774243a9c3bbeeef13a9f6fc5c9fa9b3e2de561264831779edc7af312f1df08c29315d97f5b71e9e jaxws-2.6.22.tar.bz2
+f2d6370b1bc5ee011670229b0d001f08e49aa688dfdaa196b5eb5db1484ce06046c6cf8415bb09ecca6810472f3211988a5a1cd42cdca805b3b56be8b6cd5bcd jdk-2.6.22.tar.bz2
+df11b0d172c1493870ce3aabca076c16f73c2e2f50ac6beac921c72c6bf925a8b879cf8754b19d2d6dd0407f9baadeb597719c6f5972c97f5a5f7567bf98fcb1 langtools-2.6.22.tar.bz2
+f7652d0e6c1fe33ed7fe0d6f0c36daffc6509bb92818d5eaaf183fd9e8afc1a2fca9d547a2c087aa41134d5da0da4c647b5cdad11b9a520cf9a94cc1a548e219 hotspot-2.6.22.tar.bz2
0da12cb0f761b8cb76e042449e7d93f43236e7bc948e337215470a70031f0a2dda6d1b508f9397b283808d84c4ebddb31558fe1cd8e6e6469c1dd390d69ec6e7 apache-ant-1.9.11-bin.tar.gz
1b9e8721749e81c5420a00af1e00ee0e4f48624ccb4e9aa969032114116ad50f59b254d4d16d74feff74de64157cc8b0a2ead9b555907c84b7055b796fba9a75 rhino-1.7.7.2.zip
f62b942f0bacda8e37d0f1876d8ba14ddb4fc55a7d5fd1019463744927f40f422a85e9ee051948d566242f5a785aa28f275eb58768611283cba89af91235f43c icedtea-hotspot-musl.patch
e5cf4d70f96fc1e72ae8b97a887adb96092ff36584711cbb8de9d9fa9e859cb8731d638838de0d9591239fc44ffe5c74422d1842bd9f10a0c00dff1627bdeeef icedtea-hotspot-musl-ppc.patch
e7a2c1771bb582d427041f8d22e48c0daf8f20d7c0926cbce3549d49c4e949359ee25a35682b486e82f3e390535c950c5beee3bd8d06fb5a717b50f2d9b2a6bc icedtea-hotspot-noagent-musl.patch
822eee0dc4d3ba677a289dfeb3668b536d2d626708390a9d9702fb4144a481fd443a215a0d2041c6026113837aafa4ba0b5e9ead8589d2da6717a238bbc95a5a icedtea-hotspot-uclibc-fixes.patch
-213a537de5f011cb39d608515c3413513ac75fb93593f9a9ef4205f71d72bdd8b097c80db185f7b26021d5bb85045b866f34f3478482dc4189972d8614a13458 icedtea-jdk-fix-build.patch
+8fadeee6ea9886c7ee3118a1abaee2fbd04931a3ba880062bc97397ad30aab114a83542c888461a5a8a1d131c4e73920872317c96620e2a8c4689620adf9e9c3 icedtea-jdk-fix-build.patch
0391970e6a32946aa3cccf38fdef9c0fe2af26cd0df824b98aa2fcfa1bf661d4a68e339bffcfd16f386c565fc68bb28a29208a67d4bad8a0e847ad02bd8becbb icedtea-jdk-execinfo.patch
-7b1525b5fb4bc7f0c6a8b957584a35297003b3063b6319f5557257ee1e6c277f0d4d1cf26cc389c72dd5157871010944f3fcb3fe70b64c429c76323521b6eb3d icedtea-jdk-fix-freetype-detection.patch
48533f87fc2cf29d26b259be0df51087d2fe5b252e72d00c6ea2f4add7b0fb113141718c116279c5905e03f64a1118082e719393786811367cf4d472b5d36774 icedtea-jdk-fix-ipv6-init.patch
44a35941c80f408d0607e32763b3b6ccee21e1d39886309327d3d74d2900117e4346ef59e77c663fd022fec10ee8f365eeb46c1260014d5765d226ce175ce3c5 icedtea-jdk-musl.patch
bf4b184e170f7b0ff64ab30d2162784fe2bd5460d1fa31973259f7065fd4c511c46f97724fe2bd72bb94e9006cb568d0e0c87d1a9c90819e65880f8f44830bb1 icedtea-jdk-no-soname.patch
+9a14c023662c25fc3338c60ba9e6ece625bf2db774776e0c633e5cc866d5c6daf160e90b164832b12eb304fcf65bf30b5d38f20cb7f97f01f6736bfa572ef4fc icedtea-jdk-revert-7fdd0d6ef2d3.patch
+f4ee0ede2b62e81971e79bd7d382c09847488656bfa27a7346cd5a92f478bcf67cd10aa632989836a49e87ee435c3de831ad4c71f824113f55c61361895a7af8 icedtea-jdk-revert-a32dc7400435.patch
a54c79c82afa1bc95265397b274260584c8b8c6be1651ddfb907d9523a809ea4581409e0d3fb0bbb63ef5a204e8ce29b7940e78cd640af1f490ae938c59129b6 icedtea-cpio.patch"
diff --git a/community/openjdk7/icedtea-jdk-fix-build.patch b/community/openjdk7/icedtea-jdk-fix-build.patch
index 9fae895b66..c8daa6fb2a 100644
--- a/community/openjdk7/icedtea-jdk-fix-build.patch
+++ b/community/openjdk7/icedtea-jdk-fix-build.patch
@@ -22,7 +22,7 @@ Fixes three issues:
+LDFLAGS_DEFS_OPTION =
LDFLAGS_COMMON += $(LDFLAGS_DEFS_OPTION)
- #
+ LDFLAGS_RELRO_OPTION = -Xlinker -z -Xlinker relro
@@ -407,7 +407,7 @@
# the library itself should not.
#
diff --git a/community/openjdk7/icedtea-jdk-revert-7fdd0d6ef2d3.patch b/community/openjdk7/icedtea-jdk-revert-7fdd0d6ef2d3.patch
new file mode 100644
index 0000000000..071a13c2ef
--- /dev/null
+++ b/community/openjdk7/icedtea-jdk-revert-7fdd0d6ef2d3.patch
@@ -0,0 +1,1450 @@
+Revert 7fdd0d6ef2d3 due build error
+This laos reverts a fix for CVE-2019-2745
+--- openjdk.orig/jdk/src/share/classes/sun/security/ec/ECDSAOperations.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/ec/ECDSAOperations.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,206 +0,0 @@
+-/*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-
+-package sun.security.ec;
+-
+-import sun.security.ec.point.*;
+-import sun.security.util.ArrayUtil;
+-import sun.security.util.Function;
+-import sun.security.util.Optional;
+-import sun.security.util.math.*;
+-import static sun.security.ec.ECOperations.IntermediateValueException;
+-
+-import java.security.ProviderException;
+-import java.security.spec.*;
+-
+-public class ECDSAOperations {
+-
+- public static class Seed {
+- private final byte[] seedValue;
+-
+- public Seed(byte[] seedValue) {
+- this.seedValue = seedValue;
+- }
+-
+- public byte[] getSeedValue() {
+- return seedValue;
+- }
+- }
+-
+- public static class Nonce {
+- private final byte[] nonceValue;
+-
+- public Nonce(byte[] nonceValue) {
+- this.nonceValue = nonceValue;
+- }
+-
+- public byte[] getNonceValue() {
+- return nonceValue;
+- }
+- }
+-
+- private final ECOperations ecOps;
+- private final AffinePoint basePoint;
+-
+- public ECDSAOperations(ECOperations ecOps, ECPoint basePoint) {
+- this.ecOps = ecOps;
+- this.basePoint = toAffinePoint(basePoint, ecOps.getField());
+- }
+-
+- public ECOperations getEcOperations() {
+- return ecOps;
+- }
+-
+- public AffinePoint basePointMultiply(byte[] scalar) {
+- return ecOps.multiply(basePoint, scalar).asAffine();
+- }
+-
+- public static AffinePoint toAffinePoint(ECPoint point,
+- IntegerFieldModuloP field) {
+-
+- ImmutableIntegerModuloP affineX = field.getElement(point.getAffineX());
+- ImmutableIntegerModuloP affineY = field.getElement(point.getAffineY());
+- return new AffinePoint(affineX, affineY);
+- }
+-
+- public static
+- Optional<ECDSAOperations> forParameters(final ECParameterSpec ecParams) {
+- Optional<ECOperations> curveOps =
+- ECOperations.forParameters(ecParams);
+- return curveOps.map(new Function<ECOperations, ECDSAOperations>() {
+- @Override
+- public ECDSAOperations apply(ECOperations ops) {
+- return new ECDSAOperations(ops, ecParams.getGenerator());
+- }
+- });
+- }
+-
+- /**
+- *
+- * Sign a digest using the provided private key and seed.
+- * IMPORTANT: The private key is a scalar represented using a
+- * little-endian byte array. This is backwards from the conventional
+- * representation in ECDSA. The routines that produce and consume this
+- * value uses little-endian, so this deviation from convention removes
+- * the requirement to swap the byte order. The returned signature is in
+- * the conventional byte order.
+- *
+- * @param privateKey the private key scalar as a little-endian byte array
+- * @param digest the digest to be signed
+- * @param seed the seed that will be used to produce the nonce. This object
+- * should contain an array that is at least 64 bits longer than
+- * the number of bits required to represent the group order.
+- * @return the ECDSA signature value
+- * @throws IntermediateValueException if the signature cannot be produced
+- * due to an unacceptable intermediate or final value. If this
+- * exception is thrown, then the caller should discard the nonnce and
+- * try again with an entirely new nonce value.
+- */
+- public byte[] signDigest(byte[] privateKey, byte[] digest, Seed seed)
+- throws IntermediateValueException {
+-
+- byte[] nonceArr = ecOps.seedToScalar(seed.getSeedValue());
+-
+- Nonce nonce = new Nonce(nonceArr);
+- return signDigest(privateKey, digest, nonce);
+- }
+-
+- /**
+- *
+- * Sign a digest using the provided private key and nonce.
+- * IMPORTANT: The private key and nonce are scalars represented by a
+- * little-endian byte array. This is backwards from the conventional
+- * representation in ECDSA. The routines that produce and consume these
+- * values use little-endian, so this deviation from convention removes
+- * the requirement to swap the byte order. The returned signature is in
+- * the conventional byte order.
+- *
+- * @param privateKey the private key scalar as a little-endian byte array
+- * @param digest the digest to be signed
+- * @param nonce the nonce object containing a little-endian scalar value.
+- * @return the ECDSA signature value
+- * @throws IntermediateValueException if the signature cannot be produced
+- * due to an unacceptable intermediate or final value. If this
+- * exception is thrown, then the caller should discard the nonnce and
+- * try again with an entirely new nonce value.
+- */
+- public byte[] signDigest(byte[] privateKey, byte[] digest, Nonce nonce)
+- throws IntermediateValueException {
+-
+- IntegerFieldModuloP orderField = ecOps.getOrderField();
+- int orderBits = orderField.getSize().bitLength();
+- if (orderBits % 8 != 0 && orderBits < digest.length * 8) {
+- // This implementation does not support truncating digests to
+- // a length that is not a multiple of 8.
+- throw new ProviderException("Invalid digest length");
+- }
+-
+- byte[] k = nonce.getNonceValue();
+- // check nonce length
+- int length = (orderField.getSize().bitLength() + 7) / 8;
+- if (k.length != length) {
+- throw new ProviderException("Incorrect nonce length");
+- }
+-
+- MutablePoint R = ecOps.multiply(basePoint, k);
+- IntegerModuloP r = R.asAffine().getX();
+- // put r into the correct field by fully reducing to an array
+- byte[] temp = new byte[length];
+- r.asByteArray(temp);
+- r = orderField.getElement(temp);
+- // store r in result
+- r.asByteArray(temp);
+- byte[] result = new byte[2 * length];
+- ArrayUtil.reverse(temp);
+- System.arraycopy(temp, 0, result, 0, length);
+- // compare r to 0
+- if (ECOperations.allZero(temp)) {
+- throw new IntermediateValueException();
+- }
+-
+- IntegerModuloP dU = orderField.getElement(privateKey);
+- int lengthE = Math.min(length, digest.length);
+- byte[] E = new byte[lengthE];
+- System.arraycopy(digest, 0, E, 0, lengthE);
+- ArrayUtil.reverse(E);
+- IntegerModuloP e = orderField.getElement(E);
+- IntegerModuloP kElem = orderField.getElement(k);
+- IntegerModuloP kInv = kElem.multiplicativeInverse();
+- MutableIntegerModuloP s = r.mutable();
+- s.setProduct(dU).setSum(e).setProduct(kInv);
+- // store s in result
+- s.asByteArray(temp);
+- ArrayUtil.reverse(temp);
+- System.arraycopy(temp, 0, result, length, length);
+- // compare s to 0
+- if (ECOperations.allZero(temp)) {
+- throw new IntermediateValueException();
+- }
+-
+- return result;
+-
+- }
+-
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/ec/ECOperations.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/ec/ECOperations.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,499 +0,0 @@
+-/*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-
+-package sun.security.ec;
+-
+-import sun.security.ec.point.*;
+-import sun.security.util.Optional;
+-import sun.security.util.math.*;
+-import sun.security.util.math.intpoly.*;
+-
+-import java.math.BigInteger;
+-import java.security.ProviderException;
+-import java.security.spec.ECFieldFp;
+-import java.security.spec.ECParameterSpec;
+-import java.security.spec.EllipticCurve;
+-import java.util.Collections;
+-import java.util.HashMap;
+-import java.util.Map;
+-
+-/*
+- * Elliptic curve point arithmetic for prime-order curves where a=-3.
+- * Formulas are derived from "Complete addition formulas for prime order
+- * elliptic curves" by Renes, Costello, and Batina.
+- */
+-
+-public class ECOperations {
+-
+- /*
+- * An exception indicating a problem with an intermediate value produced
+- * by some part of the computation. For example, the signing operation
+- * will throw this exception to indicate that the r or s value is 0, and
+- * that the signing operation should be tried again with a different nonce.
+- */
+- static class IntermediateValueException extends Exception {
+- private static final long serialVersionUID = 1;
+- }
+-
+- static final Map<BigInteger, IntegerFieldModuloP> fields;
+-
+- static final Map<BigInteger, IntegerFieldModuloP> orderFields;
+-
+- static {
+- Map<BigInteger, IntegerFieldModuloP> map = new HashMap<>();
+- map.put(IntegerPolynomialP256.MODULUS, new IntegerPolynomialP256());
+- map.put(IntegerPolynomialP384.MODULUS, new IntegerPolynomialP384());
+- map.put(IntegerPolynomialP521.MODULUS, new IntegerPolynomialP521());
+- fields = Collections.unmodifiableMap(map);
+- map = new HashMap<>();
+- map.put(P256OrderField.MODULUS, new P256OrderField());
+- map.put(P384OrderField.MODULUS, new P384OrderField());
+- map.put(P521OrderField.MODULUS, new P521OrderField());
+- orderFields = Collections.unmodifiableMap(map);
+- }
+-
+- public static Optional<ECOperations> forParameters(ECParameterSpec params) {
+-
+- EllipticCurve curve = params.getCurve();
+- if (!(curve.getField() instanceof ECFieldFp)) {
+- return Optional.empty();
+- }
+- ECFieldFp primeField = (ECFieldFp) curve.getField();
+-
+- BigInteger three = BigInteger.valueOf(3);
+- if (!primeField.getP().subtract(curve.getA()).equals(three)) {
+- return Optional.empty();
+- }
+- IntegerFieldModuloP field = fields.get(primeField.getP());
+- if (field == null) {
+- return Optional.empty();
+- }
+-
+- IntegerFieldModuloP orderField = orderFields.get(params.getOrder());
+- if (orderField == null) {
+- return Optional.empty();
+- }
+-
+- ImmutableIntegerModuloP b = field.getElement(curve.getB());
+- ECOperations ecOps = new ECOperations(b, orderField);
+- return Optional.of(ecOps);
+- }
+-
+- final ImmutableIntegerModuloP b;
+- final SmallValue one;
+- final SmallValue two;
+- final SmallValue three;
+- final SmallValue four;
+- final ProjectivePoint.Immutable neutral;
+- private final IntegerFieldModuloP orderField;
+-
+- public ECOperations(IntegerModuloP b, IntegerFieldModuloP orderField) {
+- this.b = b.fixed();
+- this.orderField = orderField;
+-
+- this.one = b.getField().getSmallValue(1);
+- this.two = b.getField().getSmallValue(2);
+- this.three = b.getField().getSmallValue(3);
+- this.four = b.getField().getSmallValue(4);
+-
+- IntegerFieldModuloP field = b.getField();
+- this.neutral = new ProjectivePoint.Immutable(field.get0(),
+- field.get1(), field.get0());
+- }
+-
+- public IntegerFieldModuloP getField() {
+- return b.getField();
+- }
+- public IntegerFieldModuloP getOrderField() {
+- return orderField;
+- }
+-
+- protected ProjectivePoint.Immutable getNeutral() {
+- return neutral;
+- }
+-
+- public boolean isNeutral(Point p) {
+- ProjectivePoint<?> pp = (ProjectivePoint<?>) p;
+-
+- IntegerModuloP z = pp.getZ();
+-
+- IntegerFieldModuloP field = z.getField();
+- int byteLength = (field.getSize().bitLength() + 7) / 8;
+- byte[] zBytes = z.asByteArray(byteLength);
+- return allZero(zBytes);
+- }
+-
+- byte[] seedToScalar(byte[] seedBytes)
+- throws IntermediateValueException {
+-
+- // Produce a nonce from the seed using FIPS 186-4,section B.5.1:
+- // Per-Message Secret Number Generation Using Extra Random Bits
+- // or
+- // Produce a scalar from the seed using FIPS 186-4, section B.4.1:
+- // Key Pair Generation Using Extra Random Bits
+-
+- // To keep the implementation simple, sample in the range [0,n)
+- // and throw IntermediateValueException in the (unlikely) event
+- // that the result is 0.
+-
+- // Get 64 extra bits and reduce in to the nonce
+- int seedBits = orderField.getSize().bitLength() + 64;
+- if (seedBytes.length * 8 < seedBits) {
+- throw new ProviderException("Incorrect seed length: " +
+- seedBytes.length * 8 + " < " + seedBits);
+- }
+-
+- // input conversion only works on byte boundaries
+- // clear high-order bits of last byte so they don't influence nonce
+- int lastByteBits = seedBits % 8;
+- if (lastByteBits != 0) {
+- int lastByteIndex = seedBits / 8;
+- byte mask = (byte) (0xFF >>> (8 - lastByteBits));
+- seedBytes[lastByteIndex] &= mask;
+- }
+-
+- int seedLength = (seedBits + 7) / 8;
+- IntegerModuloP scalarElem =
+- orderField.getElement(seedBytes, 0, seedLength, (byte) 0);
+- int scalarLength = (orderField.getSize().bitLength() + 7) / 8;
+- byte[] scalarArr = new byte[scalarLength];
+- scalarElem.asByteArray(scalarArr);
+- if (ECOperations.allZero(scalarArr)) {
+- throw new IntermediateValueException();
+- }
+- return scalarArr;
+- }
+-
+- /*
+- * Compare all values in the array to 0 without branching on any value
+- *
+- */
+- public static boolean allZero(byte[] arr) {
+- byte acc = 0;
+- for (int i = 0; i < arr.length; i++) {
+- acc |= arr[i];
+- }
+- return acc == 0;
+- }
+-
+- /*
+- * 4-bit branchless array lookup for projective points.
+- */
+- private void lookup4(ProjectivePoint.Immutable[] arr, int index,
+- ProjectivePoint.Mutable result, IntegerModuloP zero) {
+-
+- for (int i = 0; i < 16; i++) {
+- int xor = index ^ i;
+- int bit3 = (xor & 0x8) >>> 3;
+- int bit2 = (xor & 0x4) >>> 2;
+- int bit1 = (xor & 0x2) >>> 1;
+- int bit0 = (xor & 0x1);
+- int inverse = bit0 | bit1 | bit2 | bit3;
+- int set = 1 - inverse;
+-
+- ProjectivePoint.Immutable pi = arr[i];
+- result.conditionalSet(pi, set);
+- }
+- }
+-
+- private void double4(ProjectivePoint.Mutable p, MutableIntegerModuloP t0,
+- MutableIntegerModuloP t1, MutableIntegerModuloP t2,
+- MutableIntegerModuloP t3, MutableIntegerModuloP t4) {
+-
+- for (int i = 0; i < 4; i++) {
+- setDouble(p, t0, t1, t2, t3, t4);
+- }
+- }
+-
+- /**
+- * Multiply an affine point by a scalar and return the result as a mutable
+- * point.
+- *
+- * @param affineP the point
+- * @param s the scalar as a little-endian array
+- * @return the product
+- */
+- public MutablePoint multiply(AffinePoint affineP, byte[] s) {
+-
+- // 4-bit windowed multiply with branchless lookup.
+- // The mixed addition is faster, so it is used to construct the array
+- // at the beginning of the operation.
+-
+- IntegerFieldModuloP field = affineP.getX().getField();
+- ImmutableIntegerModuloP zero = field.get0();
+- // temporaries
+- MutableIntegerModuloP t0 = zero.mutable();
+- MutableIntegerModuloP t1 = zero.mutable();
+- MutableIntegerModuloP t2 = zero.mutable();
+- MutableIntegerModuloP t3 = zero.mutable();
+- MutableIntegerModuloP t4 = zero.mutable();
+-
+- ProjectivePoint.Mutable result = new ProjectivePoint.Mutable(field);
+- result.getY().setValue(field.get1().mutable());
+-
+- ProjectivePoint.Immutable[] pointMultiples =
+- new ProjectivePoint.Immutable[16];
+- // 0P is neutral---same as initial result value
+- pointMultiples[0] = result.fixed();
+-
+- ProjectivePoint.Mutable ps = new ProjectivePoint.Mutable(field);
+- ps.setValue(affineP);
+- // 1P = P
+- pointMultiples[1] = ps.fixed();
+-
+- // the rest are calculated using mixed point addition
+- for (int i = 2; i < 16; i++) {
+- setSum(ps, affineP, t0, t1, t2, t3, t4);
+- pointMultiples[i] = ps.fixed();
+- }
+-
+- ProjectivePoint.Mutable lookupResult = ps.mutable();
+-
+- for (int i = s.length - 1; i >= 0; i--) {
+-
+- double4(result, t0, t1, t2, t3, t4);
+-
+- int high = (0xFF & s[i]) >>> 4;
+- lookup4(pointMultiples, high, lookupResult, zero);
+- setSum(result, lookupResult, t0, t1, t2, t3, t4);
+-
+- double4(result, t0, t1, t2, t3, t4);
+-
+- int low = 0xF & s[i];
+- lookup4(pointMultiples, low, lookupResult, zero);
+- setSum(result, lookupResult, t0, t1, t2, t3, t4);
+- }
+-
+- return result;
+-
+- }
+-
+- /*
+- * Point double
+- */
+- private void setDouble(ProjectivePoint.Mutable p, MutableIntegerModuloP t0,
+- MutableIntegerModuloP t1, MutableIntegerModuloP t2,
+- MutableIntegerModuloP t3, MutableIntegerModuloP t4) {
+-
+- t0.setValue(p.getX()).setSquare();
+- t1.setValue(p.getY()).setSquare();
+- t2.setValue(p.getZ()).setSquare();
+- t3.setValue(p.getX()).setProduct(p.getY());
+- t4.setValue(p.getY()).setProduct(p.getZ());
+-
+- t3.setSum(t3);
+- p.getZ().setProduct(p.getX());
+-
+- p.getZ().setProduct(two);
+-
+- p.getY().setValue(t2).setProduct(b);
+- p.getY().setDifference(p.getZ());
+-
+- p.getX().setValue(p.getY()).setProduct(two);
+- p.getY().setSum(p.getX());
+- p.getY().setReduced();
+- p.getX().setValue(t1).setDifference(p.getY());
+-
+- p.getY().setSum(t1);
+- p.getY().setProduct(p.getX());
+- p.getX().setProduct(t3);
+-
+- t3.setValue(t2).setProduct(two);
+- t2.setSum(t3);
+- p.getZ().setProduct(b);
+-
+- t2.setReduced();
+- p.getZ().setDifference(t2);
+- p.getZ().setDifference(t0);
+- t3.setValue(p.getZ()).setProduct(two);
+- p.getZ().setReduced();
+- p.getZ().setSum(t3);
+- t0.setProduct(three);
+-
+- t0.setDifference(t2);
+- t0.setProduct(p.getZ());
+- p.getY().setSum(t0);
+-
+- t4.setSum(t4);
+- p.getZ().setProduct(t4);
+-
+- p.getX().setDifference(p.getZ());
+- p.getZ().setValue(t4).setProduct(t1);
+-
+- p.getZ().setProduct(four);
+-
+- }
+-
+- /*
+- * Mixed point addition. This method constructs new temporaries each time
+- * it is called. For better efficiency, the method that reuses temporaries
+- * should be used if more than one sum will be computed.
+- */
+- public void setSum(MutablePoint p, AffinePoint p2) {
+-
+- IntegerModuloP zero = p.getField().get0();
+- MutableIntegerModuloP t0 = zero.mutable();
+- MutableIntegerModuloP t1 = zero.mutable();
+- MutableIntegerModuloP t2 = zero.mutable();
+- MutableIntegerModuloP t3 = zero.mutable();
+- MutableIntegerModuloP t4 = zero.mutable();
+- setSum((ProjectivePoint.Mutable) p, p2, t0, t1, t2, t3, t4);
+-
+- }
+-
+- /*
+- * Mixed point addition
+- */
+- private void setSum(ProjectivePoint.Mutable p, AffinePoint p2,
+- MutableIntegerModuloP t0, MutableIntegerModuloP t1,
+- MutableIntegerModuloP t2, MutableIntegerModuloP t3,
+- MutableIntegerModuloP t4) {
+-
+- t0.setValue(p.getX()).setProduct(p2.getX());
+- t1.setValue(p.getY()).setProduct(p2.getY());
+- t3.setValue(p2.getX()).setSum(p2.getY());
+- t4.setValue(p.getX()).setSum(p.getY());
+- p.getX().setReduced();
+- t3.setProduct(t4);
+- t4.setValue(t0).setSum(t1);
+-
+- t3.setDifference(t4);
+- t4.setValue(p2.getY()).setProduct(p.getZ());
+- t4.setSum(p.getY());
+-
+- p.getY().setValue(p2.getX()).setProduct(p.getZ());
+- p.getY().setSum(p.getX());
+- t2.setValue(p.getZ());
+- p.getZ().setProduct(b);
+-
+- p.getX().setValue(p.getY()).setDifference(p.getZ());
+- p.getX().setReduced();
+- p.getZ().setValue(p.getX()).setProduct(two);
+- p.getX().setSum(p.getZ());
+-
+- p.getZ().setValue(t1).setDifference(p.getX());
+- p.getX().setSum(t1);
+- p.getY().setProduct(b);
+-
+- t1.setValue(t2).setProduct(two);
+- t2.setSum(t1);
+- t2.setReduced();
+- p.getY().setDifference(t2);
+-
+- p.getY().setDifference(t0);
+- p.getY().setReduced();
+- t1.setValue(p.getY()).setProduct(two);
+- p.getY().setSum(t1);
+-
+- t1.setValue(t0).setProduct(two);
+- t0.setSum(t1);
+- t0.setDifference(t2);
+-
+- t1.setValue(t4).setProduct(p.getY());
+- t2.setValue(t0).setProduct(p.getY());
+- p.getY().setValue(p.getX()).setProduct(p.getZ());
+-
+- p.getY().setSum(t2);
+- p.getX().setProduct(t3);
+- p.getX().setDifference(t1);
+-
+- p.getZ().setProduct(t4);
+- t1.setValue(t3).setProduct(t0);
+- p.getZ().setSum(t1);
+-
+- }
+-
+- /*
+- * Projective point addition
+- */
+- private void setSum(ProjectivePoint.Mutable p, ProjectivePoint.Mutable p2,
+- MutableIntegerModuloP t0, MutableIntegerModuloP t1,
+- MutableIntegerModuloP t2, MutableIntegerModuloP t3,
+- MutableIntegerModuloP t4) {
+-
+- t0.setValue(p.getX()).setProduct(p2.getX());
+- t1.setValue(p.getY()).setProduct(p2.getY());
+- t2.setValue(p.getZ()).setProduct(p2.getZ());
+-
+- t3.setValue(p.getX()).setSum(p.getY());
+- t4.setValue(p2.getX()).setSum(p2.getY());
+- t3.setProduct(t4);
+-
+- t4.setValue(t0).setSum(t1);
+- t3.setDifference(t4);
+- t4.setValue(p.getY()).setSum(p.getZ());
+-
+- p.getY().setValue(p2.getY()).setSum(p2.getZ());
+- t4.setProduct(p.getY());
+- p.getY().setValue(t1).setSum(t2);
+-
+- t4.setDifference(p.getY());
+- p.getX().setSum(p.getZ());
+- p.getY().setValue(p2.getX()).setSum(p2.getZ());
+-
+- p.getX().setProduct(p.getY());
+- p.getY().setValue(t0).setSum(t2);
+- p.getY().setAdditiveInverse().setSum(p.getX());
+- p.getY().setReduced();
+-
+- p.getZ().setValue(t2).setProduct(b);
+- p.getX().setValue(p.getY()).setDifference(p.getZ());
+- p.getZ().setValue(p.getX()).setProduct(two);
+-
+- p.getX().setSum(p.getZ());
+- p.getX().setReduced();
+- p.getZ().setValue(t1).setDifference(p.getX());
+- p.getX().setSum(t1);
+-
+- p.getY().setProduct(b);
+- t1.setValue(t2).setSum(t2);
+- t2.setSum(t1);
+- t2.setReduced();
+-
+- p.getY().setDifference(t2);
+- p.getY().setDifference(t0);
+- p.getY().setReduced();
+- t1.setValue(p.getY()).setSum(p.getY());
+-
+- p.getY().setSum(t1);
+- t1.setValue(t0).setProduct(two);
+- t0.setSum(t1);
+-
+- t0.setDifference(t2);
+- t1.setValue(t4).setProduct(p.getY());
+- t2.setValue(t0).setProduct(p.getY());
+-
+- p.getY().setValue(p.getX()).setProduct(p.getZ());
+- p.getY().setSum(t2);
+- p.getX().setProduct(t3);
+-
+- p.getX().setDifference(t1);
+- p.getZ().setProduct(t4);
+- t1.setValue(t3).setProduct(t0);
+-
+- p.getZ().setSum(t1);
+-
+- }
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/ec/point/AffinePoint.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/ec/point/AffinePoint.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,76 +0,0 @@
+-/*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.ec.point;
+-
+-import sun.security.util.math.ImmutableIntegerModuloP;
+-
+-import java.util.Objects;
+-
+-/**
+- * Elliptic curve point represented using affine coordinates (x, y). This class
+- * is not part of the sun.security.ec.point.Point hierarchy because it is not
+- * used to hold intermediate values during point arithmetic, and so it does not
+- * have a mutable form.
+- */
+-public class AffinePoint {
+-
+- private final ImmutableIntegerModuloP x;
+- private final ImmutableIntegerModuloP y;
+-
+- public AffinePoint(ImmutableIntegerModuloP x, ImmutableIntegerModuloP y) {
+- this.x = x;
+- this.y = y;
+- }
+-
+- public ImmutableIntegerModuloP getX() {
+- return x;
+- }
+-
+- public ImmutableIntegerModuloP getY() {
+- return y;
+- }
+-
+- @Override
+- public boolean equals(Object obj) {
+- if (!(obj instanceof AffinePoint)) {
+- return false;
+- }
+- AffinePoint p = (AffinePoint) obj;
+- boolean xEquals = x.asBigInteger().equals(p.x.asBigInteger());
+- boolean yEquals = y.asBigInteger().equals(p.y.asBigInteger());
+- return xEquals && yEquals;
+- }
+-
+- @Override
+- public int hashCode() {
+- return Objects.hash(x, y);
+- }
+-
+- @Override
+- public String toString() {
+- return "(" + x.asBigInteger().toString() + "," +
+- y.asBigInteger().toString() + ")";
+- }
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/ec/point/ImmutablePoint.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/ec/point/ImmutablePoint.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,32 +0,0 @@
+-/*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-
+-package sun.security.ec.point;
+-
+-/**
+- * An interface for immutable points on an elliptic curve over a finite field.
+- */
+-public interface ImmutablePoint extends Point {
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/ec/point/MutablePoint.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/ec/point/MutablePoint.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,37 +0,0 @@
+-/*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-
+-package sun.security.ec.point;
+-
+-/**
+- * An interface for mutable points on an elliptic curve over a finite field.
+- */
+-public interface MutablePoint extends Point {
+-
+- MutablePoint setValue(AffinePoint p);
+- MutablePoint setValue(Point p);
+- MutablePoint conditionalSet(Point p, int set);
+-
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/ec/point/Point.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/ec/point/Point.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,45 +0,0 @@
+-/*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-
+-package sun.security.ec.point;
+-
+-import sun.security.util.math.IntegerFieldModuloP;
+-
+-/**
+- * A base interface for points on an elliptic curve over a finite field.
+- * Implementations may use different representations for points, and this
+- * interface creates a common API for manipulating points. This API has no
+- * methods for point arithmetic, which depends on group structure and curve
+- * parameters in addition to point representation.
+- */
+-public interface Point {
+-
+- IntegerFieldModuloP getField();
+- AffinePoint asAffine();
+-
+- ImmutablePoint fixed();
+- MutablePoint mutable();
+-
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/ec/point/ProjectivePoint.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/ec/point/ProjectivePoint.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,160 +0,0 @@
+-/*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.ec.point;
+-
+-import sun.security.util.math.*;
+-
+-/**
+- * Elliptic curve point in projective coordinates (X, Y, Z) where
+- * an affine point (x, y) is represented using any (X, Y, Z) s.t.
+- * x = X/Z and y = Y/Z.
+- */
+-public abstract class ProjectivePoint
+- <T extends IntegerModuloP> implements Point {
+-
+- protected final T x;
+- protected final T y;
+- protected final T z;
+-
+- protected ProjectivePoint(T x, T y, T z) {
+-
+- this.x = x;
+- this.y = y;
+- this.z = z;
+- }
+-
+- @Override
+- public IntegerFieldModuloP getField() {
+- return this.x.getField();
+- }
+-
+- @Override
+- public Immutable fixed() {
+- return new Immutable(x.fixed(), y.fixed(), z.fixed());
+- }
+-
+- @Override
+- public Mutable mutable() {
+- return new Mutable(x.mutable(), y.mutable(), z.mutable());
+- }
+-
+- public T getX() {
+- return x;
+- }
+-
+- public T getY() {
+- return y;
+- }
+-
+- public T getZ() {
+- return z;
+- }
+-
+- public AffinePoint asAffine() {
+- IntegerModuloP zInv = z.multiplicativeInverse();
+- return new AffinePoint(x.multiply(zInv), y.multiply(zInv));
+- }
+-
+- public static class Immutable
+- extends ProjectivePoint<ImmutableIntegerModuloP>
+- implements ImmutablePoint {
+-
+- public Immutable(ImmutableIntegerModuloP x,
+- ImmutableIntegerModuloP y,
+- ImmutableIntegerModuloP z) {
+- super(x, y, z);
+- }
+- }
+-
+- public static class Mutable
+- extends ProjectivePoint<MutableIntegerModuloP>
+- implements MutablePoint {
+-
+- public Mutable(MutableIntegerModuloP x,
+- MutableIntegerModuloP y,
+- MutableIntegerModuloP z) {
+- super(x, y, z);
+- }
+-
+- public Mutable(IntegerFieldModuloP field) {
+- super(field.get0().mutable(),
+- field.get0().mutable(),
+- field.get0().mutable());
+- }
+-
+- @Override
+- public Mutable conditionalSet(Point p, int set) {
+- if (!(p instanceof ProjectivePoint)) {
+- throw new RuntimeException("Incompatible point");
+- }
+- @SuppressWarnings("unchecked")
+- ProjectivePoint<IntegerModuloP> pp =
+- (ProjectivePoint<IntegerModuloP>) p;
+- return conditionalSet(pp, set);
+- }
+-
+- private <T extends IntegerModuloP>
+- Mutable conditionalSet(ProjectivePoint<T> pp, int set) {
+-
+- x.conditionalSet(pp.x, set);
+- y.conditionalSet(pp.y, set);
+- z.conditionalSet(pp.z, set);
+-
+- return this;
+- }
+-
+- @Override
+- public Mutable setValue(AffinePoint p) {
+- x.setValue(p.getX());
+- y.setValue(p.getY());
+- z.setValue(p.getX().getField().get1());
+-
+- return this;
+- }
+-
+- @Override
+- public Mutable setValue(Point p) {
+- if (!(p instanceof ProjectivePoint)) {
+- throw new RuntimeException("Incompatible point");
+- }
+- @SuppressWarnings("unchecked")
+- ProjectivePoint<IntegerModuloP> pp =
+- (ProjectivePoint<IntegerModuloP>) p;
+- return setValue(pp);
+- }
+-
+- private <T extends IntegerModuloP>
+- Mutable setValue(ProjectivePoint<T> pp) {
+-
+- x.setValue(pp.x);
+- y.setValue(pp.y);
+- z.setValue(pp.z);
+-
+- return this;
+- }
+-
+- }
+-
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/Function.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/util/Function.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,44 +0,0 @@
+-/*
+- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.util;
+-
+-/**
+- * Represents a function that accepts one argument and produces a result.
+- *
+- * @param <T> the type of the input to the function
+- * @param <R> the type of the result of the function
+- *
+- * @since 1.8
+- */
+-public interface Function<T, R> {
+-
+- /**
+- * Applies this function to the given argument.
+- *
+- * @param t the function argument
+- * @return the function result
+- */
+- R apply(T t);
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/Optional.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/util/Optional.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,271 +0,0 @@
+-/*
+- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.util;
+-
+-import java.util.Objects;
+-import java.util.NoSuchElementException;
+-
+-/**
+- * A container object which may or may not contain a non-null value.
+- * If a value is present, {@code isPresent()} will return {@code true} and
+- * {@code get()} will return the value.
+- *
+- * <p>Additional methods that depend on the presence or absence of a contained
+- * value are provided, such as {@link #orElse(java.lang.Object) orElse()}
+- * (return a default value if value not present) and
+- * {@link #ifPresent(java.util.function.Consumer) ifPresent()} (execute a block
+- * of code if the value is present).
+- *
+- * <p>This is a <a href="../lang/doc-files/ValueBased.html">value-based</a>
+- * class; use of identity-sensitive operations (including reference equality
+- * ({@code ==}), identity hash code, or synchronization) on instances of
+- * {@code Optional} may have unpredictable results and should be avoided.
+- *
+- * @since 1.8
+- */
+-public final class Optional<T> {
+- /**
+- * Common instance for {@code empty()}.
+- */
+- private static final Optional<?> EMPTY = new Optional<>();
+-
+- /**
+- * If non-null, the value; if null, indicates no value is present
+- */
+- private final T value;
+-
+- /**
+- * Constructs an empty instance.
+- *
+- * @implNote Generally only one empty instance, {@link Optional#EMPTY},
+- * should exist per VM.
+- */
+- private Optional() {
+- this.value = null;
+- }
+-
+- /**
+- * Returns an empty {@code Optional} instance. No value is present for this
+- * {@code Optional}.
+- *
+- * @apiNote
+- * Though it may be tempting to do so, avoid testing if an object is empty
+- * by comparing with {@code ==} against instances returned by
+- * {@code Optional.empty()}. There is no guarantee that it is a singleton.
+- * Instead, use {@link #isPresent()}.
+- *
+- * @param <T> The type of the non-existent value
+- * @return an empty {@code Optional}
+- */
+- public static<T> Optional<T> empty() {
+- @SuppressWarnings("unchecked")
+- Optional<T> t = (Optional<T>) EMPTY;
+- return t;
+- }
+-
+-
+- /**
+- * Constructs an instance with the described value.
+- *
+- * @param value the non-{@code null} value to describe
+- * @throws NullPointerException if value is {@code null}
+- */
+- private Optional(T value) {
+- this.value = Objects.requireNonNull(value);
+- }
+-
+- /**
+- * Returns an {@code Optional} describing the given non-{@code null}
+- * value.
+- *
+- * @param value the value to describe, which must be non-{@code null}
+- * @param <T> the type of the value
+- * @return an {@code Optional} with the value present
+- * @throws NullPointerException if value is {@code null}
+- */
+- public static <T> Optional<T> of(T value) {
+- return new Optional<>(value);
+- }
+-
+- /**
+- * Returns an {@code Optional} describing the specified value, if non-null,
+- * otherwise returns an empty {@code Optional}.
+- *
+- * @param <T> the class of the value
+- * @param value the possibly-null value to describe
+- * @return an {@code Optional} with a present value if the specified value
+- * is non-null, otherwise an empty {@code Optional}
+- */
+- public static <T> Optional<T> ofNullable(T value) {
+- return value == null ? new Optional<T>() : of(value);
+- }
+-
+- /**
+- * If a value is present, returns the value, otherwise throws
+- * {@code NoSuchElementException}.
+- *
+- * @apiNote
+- * The preferred alternative to this method is {@link #orElseThrow()}.
+- *
+- * @return the non-{@code null} value described by this {@code Optional}
+- * @throws NoSuchElementException if no value is present
+- */
+- public T get() {
+- if (value == null) {
+- throw new NoSuchElementException("No value present");
+- }
+- return value;
+- }
+-
+- /**
+- * If a value is present, returns {@code true}, otherwise {@code false}.
+- *
+- * @return {@code true} if a value is present, otherwise {@code false}
+- */
+- public boolean isPresent() {
+- return value != null;
+- }
+-
+- /**
+- * If a value is not present, returns {@code true}, otherwise
+- * {@code false}.
+- *
+- * @return {@code true} if a value is not present, otherwise {@code false}
+- * @since 11
+- */
+- public boolean isEmpty() {
+- return value == null;
+- }
+-
+- /**
+- * If a value is present, apply the provided mapping function to it,
+- * and if the result is non-null, return an {@code Optional} describing the
+- * result. Otherwise return an empty {@code Optional}.
+- *
+- * @apiNote This method supports post-processing on optional values, without
+- * the need to explicitly check for a return status. For example, the
+- * following code traverses a stream of file names, selects one that has
+- * not yet been processed, and then opens that file, returning an
+- * {@code Optional<FileInputStream>}:
+- *
+- * <pre>{@code
+- * Optional<FileInputStream> fis =
+- * names.stream().filter(name -> !isProcessedYet(name))
+- * .findFirst()
+- * .map(name -> new FileInputStream(name));
+- * }</pre>
+- *
+- * Here, {@code findFirst} returns an {@code Optional<String>}, and then
+- * {@code map} returns an {@code Optional<FileInputStream>} for the desired
+- * file if one exists.
+- *
+- * @param <U> The type of the result of the mapping function
+- * @param mapper a mapping function to apply to the value, if present
+- * @return an {@code Optional} describing the result of applying a mapping
+- * function to the value of this {@code Optional}, if a value is present,
+- * otherwise an empty {@code Optional}
+- * @throws NullPointerException if the mapping function is null
+- */
+- public<U> Optional<U> map(Function<? super T, ? extends U> mapper) {
+- Objects.requireNonNull(mapper);
+- if (!isPresent())
+- return empty();
+- else {
+- return Optional.ofNullable(mapper.apply(value));
+- }
+- }
+-
+- /**
+- * Return the value if present, otherwise invoke {@code other} and return
+- * the result of that invocation.
+- *
+- * @param other a {@code Supplier} whose result is returned if no value
+- * is present
+- * @return the value if present otherwise the result of {@code other.get()}
+- * @throws NullPointerException if value is not present and {@code other} is
+- * null
+- */
+- public T orElseGet(Supplier<? extends T> other) {
+- return value != null ? value : other.get();
+- }
+-
+- /**
+- * Indicates whether some other object is "equal to" this {@code Optional}.
+- * The other object is considered equal if:
+- * <ul>
+- * <li>it is also an {@code Optional} and;
+- * <li>both instances have no value present or;
+- * <li>the present values are "equal to" each other via {@code equals()}.
+- * </ul>
+- *
+- * @param obj an object to be tested for equality
+- * @return {@code true} if the other object is "equal to" this object
+- * otherwise {@code false}
+- */
+- @Override
+- public boolean equals(Object obj) {
+- if (this == obj) {
+- return true;
+- }
+-
+- if (!(obj instanceof Optional)) {
+- return false;
+- }
+-
+- Optional<?> other = (Optional<?>) obj;
+- return Objects.equals(value, other.value);
+- }
+-
+- /**
+- * Returns the hash code of the value, if present, otherwise {@code 0}
+- * (zero) if no value is present.
+- *
+- * @return hash code value of the present value or {@code 0} if no value is
+- * present
+- */
+- @Override
+- public int hashCode() {
+- return Objects.hashCode(value);
+- }
+-
+- /**
+- * Returns a non-empty string representation of this {@code Optional}
+- * suitable for debugging. The exact presentation format is unspecified and
+- * may vary between implementations and versions.
+- *
+- * @implSpec
+- * If a value is present the result must include its string representation
+- * in the result. Empty and present {@code Optional}s must be unambiguously
+- * differentiable.
+- *
+- * @return the string representation of this instance
+- */
+- @Override
+- public String toString() {
+- return value != null
+- ? String.format("Optional[%s]", value)
+- : "Optional.empty";
+- }
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/Supplier.java 2019-07-14 02:30:40.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/util/Supplier.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,48 +0,0 @@
+-/*
+- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.util;
+-
+-/**
+- * Represents a supplier of results.
+- *
+- * <p>There is no requirement that a new or distinct result be returned each
+- * time the supplier is invoked.
+- *
+- * <p>This is a <a href="package-summary.html">functional interface</a>
+- * whose functional method is {@link #get()}.
+- *
+- * @param <T> the type of results supplied by this supplier
+- *
+- * @since 1.8
+- */
+-public interface Supplier<T> {
+-
+- /**
+- * Gets a result.
+- *
+- * @return a result
+- */
+- T get();
+-}
diff --git a/community/openjdk7/icedtea-jdk-revert-a32dc7400435.patch b/community/openjdk7/icedtea-jdk-revert-a32dc7400435.patch
new file mode 100644
index 0000000000..dc2eac6225
--- /dev/null
+++ b/community/openjdk7/icedtea-jdk-revert-a32dc7400435.patch
@@ -0,0 +1,1377 @@
+Revert a32dc7400435 due build error
+--- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESCrypt.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESCrypt.java 2019-07-04 19:20:08.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -38,6 +38,7 @@
+
+ import java.security.InvalidKeyException;
+ import java.security.MessageDigest;
++import java.util.Objects;
+
+ /**
+ * Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit
+@@ -347,8 +348,8 @@
+ */
+ void encryptBlock(byte[] in, int inOffset,
+ byte[] out, int outOffset) {
+- // Array bound checks are done in caller code, i.e.
+- // FeedbackCipher.encrypt/decrypt(...) to improve performance.
++ cryptBlockCheck(in, inOffset);
++ cryptBlockCheck(out, outOffset);
+ implEncryptBlock(in, inOffset, out, outOffset);
+ }
+
+@@ -425,8 +426,8 @@
+ */
+ void decryptBlock(byte[] in, int inOffset,
+ byte[] out, int outOffset) {
+- // Array bound checks are done in caller code, i.e.
+- // FeedbackCipher.encrypt/decrypt(...) to improve performance.
++ cryptBlockCheck(in, inOffset);
++ cryptBlockCheck(out, outOffset);
+ implDecryptBlock(in, inOffset, out, outOffset);
+ }
+
+@@ -587,6 +588,26 @@
+ out[outOffset ] = (byte)(Si[(a0 ) & 0xFF] ^ (t1 ));
+ }
+
++ // Used to perform all checks required by the Java semantics
++ // (i.e., null checks and bounds checks) on the input parameters
++ // to encryptBlock and to decryptBlock.
++ // Normally, the Java Runtime performs these checks, however, as
++ // encryptBlock and decryptBlock are possibly replaced with
++ // compiler intrinsics, the JDK performs the required checks instead.
++ // Does not check accesses to class-internal (private) arrays.
++ private static void cryptBlockCheck(byte[] array, int offset) {
++ Objects.requireNonNull(array);
++
++ if (offset < 0 || offset >= array.length) {
++ throw new ArrayIndexOutOfBoundsException(offset);
++ }
++
++ int largestIndex = offset + AES_BLOCK_SIZE - 1;
++ if (largestIndex < 0 || largestIndex >= array.length) {
++ throw new ArrayIndexOutOfBoundsException(largestIndex);
++ }
++ }
++
+ /**
+ * Expand a user-supplied key material into a session key.
+ *
+--- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/CipherBlockChaining.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/CipherBlockChaining.java 2019-07-04 19:20:08.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -29,7 +29,6 @@
+ import java.security.ProviderException;
+ import java.util.Objects;
+
+-import sun.security.util.ArrayUtil;
+
+ /**
+ * This class represents ciphers in cipher block chaining (CBC) mode.
+@@ -144,9 +143,9 @@
+ if (plainLen <= 0) {
+ return plainLen;
+ }
+- ArrayUtil.blockSizeCheck(plainLen, blockSize);
+- ArrayUtil.nullAndBoundsCheck(plain, plainOffset, plainLen);
+- ArrayUtil.nullAndBoundsCheck(cipher, cipherOffset, plainLen);
++ cryptBlockSizeCheck(plainLen);
++ cryptNullAndBoundsCheck(plain, plainOffset, plainLen);
++ cryptNullAndBoundsCheck(cipher, cipherOffset, plainLen);
+ return implEncrypt(plain, plainOffset, plainLen,
+ cipher, cipherOffset);
+ }
+@@ -194,9 +193,9 @@
+ if (cipherLen <= 0) {
+ return cipherLen;
+ }
+- ArrayUtil.blockSizeCheck(cipherLen, blockSize);
+- ArrayUtil.nullAndBoundsCheck(cipher, cipherOffset, cipherLen);
+- ArrayUtil.nullAndBoundsCheck(plain, plainOffset, cipherLen);
++ cryptBlockSizeCheck(cipherLen);
++ cryptNullAndBoundsCheck(cipher, cipherOffset, cipherLen);
++ cryptNullAndBoundsCheck(plain, plainOffset, cipherLen);
+ return implDecrypt(cipher, cipherOffset, cipherLen, plain, plainOffset);
+ }
+
+@@ -215,4 +214,23 @@
+ }
+ return cipherLen;
+ }
++
++ private void cryptBlockSizeCheck(int len) {
++ if ((len % blockSize) != 0) {
++ throw new ProviderException("Internal error in input buffering");
++ }
++ }
++
++ private static void cryptNullAndBoundsCheck(byte[] array, int offset, int len) {
++ Objects.requireNonNull(array);
++
++ if (offset < 0 || offset >= array.length) {
++ throw new ArrayIndexOutOfBoundsException(offset);
++ }
++
++ int endIndex = offset + len - 1;
++ if (endIndex < 0 || endIndex >= array.length) {
++ throw new ArrayIndexOutOfBoundsException(endIndex);
++ }
++ }
+ }
+--- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/CipherFeedback.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/CipherFeedback.java 2019-07-04 19:20:08.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -27,7 +27,6 @@
+
+ import java.security.InvalidKeyException;
+ import java.security.ProviderException;
+-import sun.security.util.ArrayUtil;
+
+ /**
+ * This class represents ciphers in cipher-feedback (CFB) mode.
+@@ -150,9 +149,9 @@
+ */
+ int encrypt(byte[] plain, int plainOffset, int plainLen,
+ byte[] cipher, int cipherOffset) {
+- ArrayUtil.blockSizeCheck(plainLen, numBytes);
+- ArrayUtil.nullAndBoundsCheck(plain, plainOffset, plainLen);
+- ArrayUtil.nullAndBoundsCheck(cipher, cipherOffset, plainLen);
++ if ((plainLen % numBytes) != 0) {
++ throw new ProviderException("Internal error in input buffering");
++ }
+
+ int nShift = blockSize - numBytes;
+ int loopCount = plainLen / numBytes;
+@@ -226,10 +225,9 @@
+ */
+ int decrypt(byte[] cipher, int cipherOffset, int cipherLen,
+ byte[] plain, int plainOffset) {
+-
+- ArrayUtil.blockSizeCheck(cipherLen, numBytes);
+- ArrayUtil.nullAndBoundsCheck(cipher, cipherOffset, cipherLen);
+- ArrayUtil.nullAndBoundsCheck(plain, plainOffset, cipherLen);
++ if ((cipherLen % numBytes) != 0) {
++ throw new ProviderException("Internal error in input buffering");
++ }
+
+ int nShift = blockSize - numBytes;
+ int loopCount = cipherLen / numBytes;
+--- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/CounterMode.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/CounterMode.java 2019-07-04 19:20:08.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -27,7 +27,6 @@
+
+ import java.security.InvalidKeyException;
+
+-import sun.security.util.ArrayUtil;
+
+ /**
+ * This class represents ciphers in counter (CTR) mode.
+@@ -174,10 +173,6 @@
+ if (len == 0) {
+ return 0;
+ }
+-
+- ArrayUtil.nullAndBoundsCheck(in, inOff, len);
+- ArrayUtil.nullAndBoundsCheck(out, outOff, len);
+-
+ int result = len;
+ while (len-- > 0) {
+ if (used >= blockSize) {
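Review bot: The revert drops `ArrayUtil.nullAndBoundsCheck(in, inOff, len);` and `ArrayUtil.nullAndBoundsCheck(out, outOff, len);` from CounterMode.crypt with nothing in their place, whereas the CipherBlockChaining and AESCrypt sections of this same patch replace the removed helper with private equivalents (`cryptNullAndBoundsCheck`, `cryptBlockCheck`). The loop that follows indexes the arrays directly, so the JVM's own bounds checks still apply while the method runs as plain bytecode; the explicit checks matter where a method body is replaced by a compiler intrinsic, as the comment restored in the AESCrypt section explains, and I cannot tell from this hunk whether a CounterMode intrinsic exists in this JDK 7 tree. The only stated rationale is "due build error", so the narrower fix is to keep the two calls and revert only what fails to compile, for example by adding a private helper with the same null and range logic as the one this patch adds to CipherBlockChaining. The patch header should also name the upstream bug that changeset a32dc7400435 corresponds to and the exact build error, so the revert can be dropped once that is fixed. CounterMode.crypt starts and ends outside this hunk.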
+--- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/ElectronicCodeBook.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/ElectronicCodeBook.java 2019-07-04 19:20:08.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -27,7 +27,6 @@
+
+ import java.security.InvalidKeyException;
+ import java.security.ProviderException;
+-import sun.security.util.ArrayUtil;
+
+ /**
+ * This class represents ciphers in electronic codebook (ECB) mode.
+@@ -113,10 +112,9 @@
+ * @return the length of the encrypted data
+ */
+ int encrypt(byte[] in, int inOff, int len, byte[] out, int outOff) {
+- ArrayUtil.blockSizeCheck(len, blockSize);
+- ArrayUtil.nullAndBoundsCheck(in, inOff, len);
+- ArrayUtil.nullAndBoundsCheck(out, outOff, len);
+-
++ if ((len % blockSize) != 0) {
++ throw new ProviderException("Internal error in input buffering");
++ }
+ for (int i = len; i >= blockSize; i -= blockSize) {
+ embeddedCipher.encryptBlock(in, inOff, out, outOff);
+ inOff += blockSize;
+@@ -143,10 +141,9 @@
+ * @return the length of the decrypted data
+ */
+ int decrypt(byte[] in, int inOff, int len, byte[] out, int outOff) {
+- ArrayUtil.blockSizeCheck(len, blockSize);
+- ArrayUtil.nullAndBoundsCheck(in, inOff, len);
+- ArrayUtil.nullAndBoundsCheck(out, outOff, len);
+-
++ if ((len % blockSize) != 0) {
++ throw new ProviderException("Internal error in input buffering");
++ }
+ for (int i = len; i >= blockSize; i -= blockSize) {
+ embeddedCipher.decryptBlock(in, inOff, out, outOff);
+ inOff += blockSize;
+--- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/OutputFeedback.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/OutputFeedback.java 2019-07-04 19:20:08.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -27,7 +27,6 @@
+
+ import java.security.InvalidKeyException;
+ import java.security.ProviderException;
+-import sun.security.util.ArrayUtil;
+
+ /**
+ * This class represents ciphers in output-feedback (OFB) mode.
+@@ -149,10 +148,10 @@
+ */
+ int encrypt(byte[] plain, int plainOffset, int plainLen,
+ byte[] cipher, int cipherOffset) {
+- ArrayUtil.blockSizeCheck(plainLen, numBytes);
+- ArrayUtil.nullAndBoundsCheck(plain, plainOffset, plainLen);
+- ArrayUtil.nullAndBoundsCheck(cipher, cipherOffset, plainLen);
+
++ if ((plainLen % numBytes) != 0) {
++ throw new ProviderException("Internal error in input buffering");
++ }
+ int nShift = blockSize - numBytes;
+ int loopCount = plainLen / numBytes;
+
+@@ -190,9 +189,6 @@
+ */
+ int encryptFinal(byte[] plain, int plainOffset, int plainLen,
+ byte[] cipher, int cipherOffset) {
+- ArrayUtil.nullAndBoundsCheck(plain, plainOffset, plainLen);
+- ArrayUtil.nullAndBoundsCheck(cipher, cipherOffset, plainLen);
+-
+ int oddBytes = plainLen % numBytes;
+ int len = encrypt(plain, plainOffset, (plainLen - oddBytes),
+ cipher, cipherOffset);
+--- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/PCBC.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/PCBC.java 2019-07-04 19:20:08.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -27,7 +27,6 @@
+
+ import java.security.InvalidKeyException;
+ import java.security.ProviderException;
+-import sun.security.util.ArrayUtil;
+
+
+ /**
+@@ -137,10 +136,9 @@
+ int encrypt(byte[] plain, int plainOffset, int plainLen,
+ byte[] cipher, int cipherOffset)
+ {
+- ArrayUtil.blockSizeCheck(plainLen, blockSize);
+- ArrayUtil.nullAndBoundsCheck(plain, plainOffset, plainLen);
+- ArrayUtil.nullAndBoundsCheck(cipher, cipherOffset, plainLen);
+-
++ if ((plainLen % blockSize) != 0) {
++ throw new ProviderException("Internal error in input buffering");
++ }
+ int i;
+ int endIndex = plainOffset + plainLen;
+
+@@ -178,10 +176,9 @@
+ int decrypt(byte[] cipher, int cipherOffset, int cipherLen,
+ byte[] plain, int plainOffset)
+ {
+- ArrayUtil.blockSizeCheck(cipherLen, blockSize);
+- ArrayUtil.nullAndBoundsCheck(cipher, cipherOffset, cipherLen);
+- ArrayUtil.nullAndBoundsCheck(plain, plainOffset, cipherLen);
+-
++ if ((cipherLen % blockSize) != 0) {
++ throw new ProviderException("Internal error in input buffering");
++ }
+ int i;
+ int endIndex = cipherOffset + cipherLen;
+
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/ArrayUtil.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/util/ArrayUtil.java 2019-07-04 19:20:08.000000000 +0200
+@@ -25,38 +25,12 @@
+
+ package sun.security.util;
+
+-import java.util.List;
+-import java.security.*;
+-
+ /**
+ * This class holds the various utility methods for array range checks.
+ */
+
+ public final class ArrayUtil {
+
+- private static final Function<String, ArrayIndexOutOfBoundsException> aioobeGenerator =
+- new Function<String, ArrayIndexOutOfBoundsException>() {
+- @Override
+- public ArrayIndexOutOfBoundsException apply(String x) {
+- return new ArrayIndexOutOfBoundsException(x);
+- }
+- };
+-
+- private static final BiFunction<String, List<Integer>,
+- ArrayIndexOutOfBoundsException> AIOOBE_SUPPLIER =
+- Preconditions.outOfBoundsExceptionFormatter(aioobeGenerator);
+-
+- public static void blockSizeCheck(int len, int blockSize) {
+- if ((len % blockSize) != 0) {
+- throw new ProviderException("Internal error in input buffering");
+- }
+- }
+-
+- public static void nullAndBoundsCheck(byte[] array, int offset, int len) {
+- // NPE is thrown when array is null
+- Preconditions.checkFromIndexSize(offset, len, array.length, AIOOBE_SUPPLIER);
+- }
+-
+ private static void swap(byte[] arr, int i, int j) {
+ byte tmp = arr[i];
+ arr[i] = arr[j];
+@@ -74,3 +48,4 @@
+ }
+ }
+ }
++
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/BiConsumer.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/util/BiConsumer.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,48 +0,0 @@
+-/*
+- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.util;
+-
+-/**
+- * Represents an operation that accepts two input arguments and returns no
+- * result. This is the two-arity specialization of {@link Consumer}.
+- * Unlike most other functional interfaces, {@code BiConsumer} is expected
+- * to operate via side-effects.
+- *
+- * @param <T> the type of the first argument to the operation
+- * @param <U> the type of the second argument to the operation
+- *
+- * @see Consumer
+- * @since 1.8
+- */
+-public interface BiConsumer<T, U> {
+-
+- /**
+- * Performs this operation on the given arguments.
+- *
+- * @param t the first input argument
+- * @param u the second input argument
+- */
+- void accept(T t, U u);
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/BiFunction.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/util/BiFunction.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,48 +0,0 @@
+-/*
+- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.util;
+-
+-/**
+- * Represents a function that accepts two arguments and produces a result.
+- * This is the two-arity specialization of {@link Function}.
+- *
+- * @param <T> the type of the first argument to the function
+- * @param <U> the type of the second argument to the function
+- * @param <R> the type of the result of the function
+- *
+- * @see Function
+- * @since 1.8
+- */
+-public interface BiFunction<T, U, R> {
+-
+- /**
+- * Applies this function to the given arguments.
+- *
+- * @param t the first function argument
+- * @param u the second function argument
+- * @return the function result
+- */
+- R apply(T t, U u);
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/IntSupplier.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/util/IntSupplier.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,45 +0,0 @@
+-/*
+- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.util;
+-
+-/**
+- * Represents a supplier of {@code int}-valued results. This is the
+- * {@code int}-producing primitive specialization of {@link Supplier}.
+- *
+- * <p>There is no requirement that a distinct result be returned each
+- * time the supplier is invoked.
+- *
+- * @see Supplier
+- * @since 1.8
+- */
+-public interface IntSupplier {
+-
+- /**
+- * Gets a result.
+- *
+- * @return a result
+- */
+- int getAsInt();
+-}
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/Preconditions.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/src/share/classes/sun/security/util/Preconditions.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,343 +0,0 @@
+-/*
+- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Oracle designates this
+- * particular file as subject to the "Classpath" exception as provided
+- * by Oracle in the LICENSE file that accompanied this code.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-package sun.security.util;
+-
+-import java.util.Arrays;
+-import java.util.Collections;
+-import java.util.List;
+-
+-/**
+- * Utility methods to check if state or arguments are correct.
+- *
+- */
+-public class Preconditions {
+-
+- /**
+- * Maps out-of-bounds values to a runtime exception.
+- *
+- * @param checkKind the kind of bounds check, whose name may correspond
+- * to the name of one of the range check methods, checkIndex,
+- * checkFromToIndex, checkFromIndexSize
+- * @param args the out-of-bounds arguments that failed the range check.
+- * If the checkKind corresponds a the name of a range check method
+- * then the bounds arguments are those that can be passed in order
+- * to the method.
+- * @param oobef the exception formatter that when applied with a checkKind
+- * and a list out-of-bounds arguments returns a runtime exception.
+- * If {@code null} then, it is as if an exception formatter was
+- * supplied that returns {@link IndexOutOfBoundsException} for any
+- * given arguments.
+- * @return the runtime exception
+- */
+- private static RuntimeException outOfBounds(
+- BiFunction<String, List<Integer>, ? extends RuntimeException> oobef,
+- String checkKind,
+- Integer... args) {
+- List<Integer> largs = Collections.unmodifiableList(Arrays.asList(args));
+- RuntimeException e = oobef == null
+- ? null : oobef.apply(checkKind, largs);
+- return e == null
+- ? new IndexOutOfBoundsException(outOfBoundsMessage(checkKind, largs)) : e;
+- }
+-
+- private static RuntimeException outOfBoundsCheckIndex(
+- BiFunction<String, List<Integer>, ? extends RuntimeException> oobe,
+- int index, int length) {
+- return outOfBounds(oobe, "checkIndex", index, length);
+- }
+-
+- private static RuntimeException outOfBoundsCheckFromToIndex(
+- BiFunction<String, List<Integer>, ? extends RuntimeException> oobe,
+- int fromIndex, int toIndex, int length) {
+- return outOfBounds(oobe, "checkFromToIndex", fromIndex, toIndex, length);
+- }
+-
+- private static RuntimeException outOfBoundsCheckFromIndexSize(
+- BiFunction<String, List<Integer>, ? extends RuntimeException> oobe,
+- int fromIndex, int size, int length) {
+- return outOfBounds(oobe, "checkFromIndexSize", fromIndex, size, length);
+- }
+-
+- /**
+- * Returns an out-of-bounds exception formatter from an given exception
+- * factory. The exception formatter is a function that formats an
+- * out-of-bounds message from its arguments and applies that message to the
+- * given exception factory to produce and relay an exception.
+- *
+- * <p>The exception formatter accepts two arguments: a {@code String}
+- * describing the out-of-bounds range check that failed, referred to as the
+- * <em>check kind</em>; and a {@code List<Integer>} containing the
+- * out-of-bound integer values that failed the check. The list of
+- * out-of-bound values is not modified.
+- *
+- * <p>Three check kinds are supported {@code checkIndex},
+- * {@code checkFromToIndex} and {@code checkFromIndexSize} corresponding
+- * respectively to the specified application of an exception formatter as an
+- * argument to the out-of-bounds range check methods
+- * {@link #checkIndex(int, int, BiFunction) checkIndex},
+- * {@link #checkFromToIndex(int, int, int, BiFunction) checkFromToIndex}, and
+- * {@link #checkFromIndexSize(int, int, int, BiFunction) checkFromIndexSize}.
+- * Thus a supported check kind corresponds to a method name and the
+- * out-of-bound integer values correspond to method argument values, in
+- * order, preceding the exception formatter argument (similar in many
+- * respects to the form of arguments required for a reflective invocation of
+- * such a range check method).
+- *
+- * <p>Formatter arguments conforming to such supported check kinds will
+- * produce specific exception messages describing failed out-of-bounds
+- * checks. Otherwise, more generic exception messages will be produced in
+- * any of the following cases: the check kind is supported but fewer
+- * or more out-of-bounds values are supplied, the check kind is not
+- * supported, the check kind is {@code null}, or the list of out-of-bound
+- * values is {@code null}.
+- *
+- * @apiNote
+- * This method produces an out-of-bounds exception formatter that can be
+- * passed as an argument to any of the supported out-of-bounds range check
+- * methods declared by {@code Objects}. For example, a formatter producing
+- * an {@code ArrayIndexOutOfBoundsException} may be produced and stored on a
+- * {@code static final} field as follows:
+- * <pre>{@code
+- * static final
+- * BiFunction<String, List<Integer>, ArrayIndexOutOfBoundsException> AIOOBEF =
+- * outOfBoundsExceptionFormatter(ArrayIndexOutOfBoundsException::new);
+- * }</pre>
+- * The formatter instance {@code AIOOBEF} may be passed as an argument to an
+- * out-of-bounds range check method, such as checking if an {@code index}
+- * is within the bounds of a {@code limit}:
+- * <pre>{@code
+- * checkIndex(index, limit, AIOOBEF);
+- * }</pre>
+- * If the bounds check fails then the range check method will throw an
+- * {@code ArrayIndexOutOfBoundsException} with an appropriate exception
+- * message that is a produced from {@code AIOOBEF} as follows:
+- * <pre>{@code
+- * AIOOBEF.apply("checkIndex", List.of(index, limit));
+- * }</pre>
+- *
+- * @param f the exception factory, that produces an exception from a message
+- * where the message is produced and formatted by the returned
+- * exception formatter. If this factory is stateless and side-effect
+- * free then so is the returned formatter.
+- * Exceptions thrown by the factory are relayed to the caller
+- * of the returned formatter.
+- * @param <X> the type of runtime exception to be returned by the given
+- * exception factory and relayed by the exception formatter
+- * @return the out-of-bounds exception formatter
+- */
+- public static <X extends RuntimeException>
+- BiFunction<String, List<Integer>, X> outOfBoundsExceptionFormatter(final Function<String, X> f) {
+- // Use anonymous class to avoid bootstrap issues if this method is
+- // used early in startup
+- return new BiFunction<String, List<Integer>, X>() {
+- @Override
+- public X apply(String checkKind, List<Integer> args) {
+- return f.apply(outOfBoundsMessage(checkKind, args));
+- }
+- };
+- }
+-
+- private static String outOfBoundsMessage(String checkKind, List<Integer> args) {
+- if (checkKind == null && args == null) {
+- return String.format("Range check failed");
+- } else if (checkKind == null) {
+- return String.format("Range check failed: %s", args);
+- } else if (args == null) {
+- return String.format("Range check failed: %s", checkKind);
+- }
+-
+- int argSize = 0;
+- switch (checkKind) {
+- case "checkIndex":
+- argSize = 2;
+- break;
+- case "checkFromToIndex":
+- case "checkFromIndexSize":
+- argSize = 3;
+- break;
+- default:
+- }
+-
+- // Switch to default if fewer or more arguments than required are supplied
+- switch ((args.size() != argSize) ? "" : checkKind) {
+- case "checkIndex":
+- return String.format("Index %d out-of-bounds for length %d",
+- args.get(0), args.get(1));
+- case "checkFromToIndex":
+- return String.format("Range [%d, %d) out-of-bounds for length %d",
+- args.get(0), args.get(1), args.get(2));
+- case "checkFromIndexSize":
+- return String.format("Range [%d, %<d + %d) out-of-bounds for length %d",
+- args.get(0), args.get(1), args.get(2));
+- default:
+- return String.format("Range check failed: %s %s", checkKind, args);
+- }
+- }
+-
+- /**
+- * Checks if the {@code index} is within the bounds of the range from
+- * {@code 0} (inclusive) to {@code length} (exclusive).
+- *
+- * <p>The {@code index} is defined to be out-of-bounds if any of the
+- * following inequalities is true:
+- * <ul>
+- * <li>{@code index < 0}</li>
+- * <li>{@code index >= length}</li>
+- * <li>{@code length < 0}, which is implied from the former inequalities</li>
+- * </ul>
+- *
+- * <p>If the {@code index} is out-of-bounds, then a runtime exception is
+- * thrown that is the result of applying the following arguments to the
+- * exception formatter: the name of this method, {@code checkIndex};
+- * and an unmodifiable list integers whose values are, in order, the
+- * out-of-bounds arguments {@code index} and {@code length}.
+- *
+- * @param <X> the type of runtime exception to throw if the arguments are
+- * out-of-bounds
+- * @param index the index
+- * @param length the upper-bound (exclusive) of the range
+- * @param oobef the exception formatter that when applied with this
+- * method name and out-of-bounds arguments returns a runtime
+- * exception. If {@code null} or returns {@code null} then, it is as
+- * if an exception formatter produced from an invocation of
+- * {@code outOfBoundsExceptionFormatter(IndexOutOfBounds::new)} is used
+- * instead (though it may be more efficient).
+- * Exceptions thrown by the formatter are relayed to the caller.
+- * @return {@code index} if it is within bounds of the range
+- * @throws X if the {@code index} is out-of-bounds and the exception
+- * formatter is non-{@code null}
+- * @throws IndexOutOfBoundsException if the {@code index} is out-of-bounds
+- * and the exception formatter is {@code null}
+- * @since 9
+- *
+- * @implNote
+- * This method is made intrinsic in optimizing compilers to guide them to
+- * perform unsigned comparisons of the index and length when it is known the
+- * length is a non-negative value (such as that of an array length or from
+- * the upper bound of a loop)
+- */
+- public static <X extends RuntimeException>
+- int checkIndex(int index, int length,
+- BiFunction<String, List<Integer>, X> oobef) {
+- if (index < 0 || index >= length)
+- throw outOfBoundsCheckIndex(oobef, index, length);
+- return index;
+- }
+-
+- /**
+- * Checks if the sub-range from {@code fromIndex} (inclusive) to
+- * {@code toIndex} (exclusive) is within the bounds of range from {@code 0}
+- * (inclusive) to {@code length} (exclusive).
+- *
+- * <p>The sub-range is defined to be out-of-bounds if any of the following
+- * inequalities is true:
+- * <ul>
+- * <li>{@code fromIndex < 0}</li>
+- * <li>{@code fromIndex > toIndex}</li>
+- * <li>{@code toIndex > length}</li>
+- * <li>{@code length < 0}, which is implied from the former inequalities</li>
+- * </ul>
+- *
+- * <p>If the sub-range is out-of-bounds, then a runtime exception is
+- * thrown that is the result of applying the following arguments to the
+- * exception formatter: the name of this method, {@code checkFromToIndex};
+- * and an unmodifiable list integers whose values are, in order, the
+- * out-of-bounds arguments {@code fromIndex}, {@code toIndex}, and {@code length}.
+- *
+- * @param <X> the type of runtime exception to throw if the arguments are
+- * out-of-bounds
+- * @param fromIndex the lower-bound (inclusive) of the sub-range
+- * @param toIndex the upper-bound (exclusive) of the sub-range
+- * @param length the upper-bound (exclusive) the range
+- * @param oobef the exception formatter that when applied with this
+- * method name and out-of-bounds arguments returns a runtime
+- * exception. If {@code null} or returns {@code null} then, it is as
+- * if an exception formatter produced from an invocation of
+- * {@code outOfBoundsExceptionFormatter(IndexOutOfBounds::new)} is used
+- * instead (though it may be more efficient).
+- * Exceptions thrown by the formatter are relayed to the caller.
+- * @return {@code fromIndex} if the sub-range within bounds of the range
+- * @throws X if the sub-range is out-of-bounds and the exception factory
+- * function is non-{@code null}
+- * @throws IndexOutOfBoundsException if the sub-range is out-of-bounds and
+- * the exception factory function is {@code null}
+- * @since 9
+- */
+- public static <X extends RuntimeException>
+- int checkFromToIndex(int fromIndex, int toIndex, int length,
+- BiFunction<String, List<Integer>, X> oobef) {
+- if (fromIndex < 0 || fromIndex > toIndex || toIndex > length)
+- throw outOfBoundsCheckFromToIndex(oobef, fromIndex, toIndex, length);
+- return fromIndex;
+- }
+-
+- /**
+- * Checks if the sub-range from {@code fromIndex} (inclusive) to
+- * {@code fromIndex + size} (exclusive) is within the bounds of range from
+- * {@code 0} (inclusive) to {@code length} (exclusive).
+- *
+- * <p>The sub-range is defined to be out-of-bounds if any of the following
+- * inequalities is true:
+- * <ul>
+- * <li>{@code fromIndex < 0}</li>
+- * <li>{@code size < 0}</li>
+- * <li>{@code fromIndex + size > length}, taking into account integer overflow</li>
+- * <li>{@code length < 0}, which is implied from the former inequalities</li>
+- * </ul>
+- *
+- * <p>If the sub-range is out-of-bounds, then a runtime exception is
+- * thrown that is the result of applying the following arguments to the
+- * exception formatter: the name of this method, {@code checkFromIndexSize};
+- * and an unmodifiable list integers whose values are, in order, the
+- * out-of-bounds arguments {@code fromIndex}, {@code size}, and
+- * {@code length}.
+- *
+- * @param <X> the type of runtime exception to throw if the arguments are
+- * out-of-bounds
+- * @param fromIndex the lower-bound (inclusive) of the sub-interval
+- * @param size the size of the sub-range
+- * @param length the upper-bound (exclusive) of the range
+- * @param oobef the exception formatter that when applied with this
+- * method name and out-of-bounds arguments returns a runtime
+- * exception. If {@code null} or returns {@code null} then, it is as
+- * if an exception formatter produced from an invocation of
+- * {@code outOfBoundsExceptionFormatter(IndexOutOfBounds::new)} is used
+- * instead (though it may be more efficient).
+- * Exceptions thrown by the formatter are relayed to the caller.
+- * @return {@code fromIndex} if the sub-range within bounds of the range
+- * @throws X if the sub-range is out-of-bounds and the exception factory
+- * function is non-{@code null}
+- * @throws IndexOutOfBoundsException if the sub-range is out-of-bounds and
+- * the exception factory function is {@code null}
+- * @since 9
+- */
+- public static <X extends RuntimeException>
+- int checkFromIndexSize(int fromIndex, int size, int length,
+- BiFunction<String, List<Integer>, X> oobef) {
+- if ((length | fromIndex | size) < 0 || size > length - fromIndex)
+- throw outOfBoundsCheckFromIndexSize(oobef, fromIndex, size, length);
+- return fromIndex;
+- }
+-}
+--- openjdk.orig/test/src/java/util/Objects/CheckIndex.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/test/java/util/Objects/CheckIndex.java 1970-01-01 01:00:00.000000000 +0100
+@@ -1,408 +0,0 @@
+-/*
+- * Copyright (c) 2015, 2016 Oracle and/or its affiliates. All rights reserved.
+- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+- *
+- * This code is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation.
+- *
+- * This code is distributed in the hope that it will be useful, but WITHOUT
+- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * version 2 for more details (a copy is included in the LICENSE file that
+- * accompanied this code).
+- *
+- * You should have received a copy of the GNU General Public License version
+- * 2 along with this work; if not, write to the Free Software Foundation,
+- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+- *
+- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+- * or visit www.oracle.com if you need additional information or have any
+- * questions.
+- */
+-
+-/**
+- * @test
+- * @summary Objects.checkIndex/jdk.internal.util.Preconditions.checkIndex tests
+- * @run testng CheckIndex
+- * @bug 8135248 8142493 8155794
+- */
+-
+-import org.testng.annotations.DataProvider;
+-import org.testng.annotations.Test;
+-
+-import java.util.ArrayList;
+-import java.util.Arrays;
+-import java.util.Collections;
+-import java.util.HashSet;
+-import java.util.List;
+-import java.util.Objects;
+-import java.util.Set;
+-
+-import sun.security.util.BiConsumer;
+-import sun.security.util.BiFunction;
+-import sun.security.util.Function;
+-import sun.security.util.IntSupplier;
+-import sun.security.util.Preconditions;
+-
+-import static org.testng.Assert.*;
+-
+-public class CheckIndex {
+-
+- private static final Function<String, IndexOutOfBoundsException> ioobeGenerator =
+- new Function<String, IndexOutOfBoundsException>() {
+- @Override
+- public IndexOutOfBoundsException apply(String x) {
+- return new IndexOutOfBoundsException(x);
+- }
+- };
+-
+- private static final Function<String, StringIndexOutOfBoundsException> sioobeGenerator =
+- new Function<String, StringIndexOutOfBoundsException>() {
+- @Override
+- public StringIndexOutOfBoundsException apply(String x) {
+- return new StringIndexOutOfBoundsException(x);
+- }
+- };
+-
+- private static final Function<String, ArrayIndexOutOfBoundsException> aioobeGenerator =
+- new Function<String, ArrayIndexOutOfBoundsException>() {
+- @Override
+- public ArrayIndexOutOfBoundsException apply(String x) {
+- return new ArrayIndexOutOfBoundsException(x);
+- }
+- };
+-
+- static class AssertingOutOfBoundsException extends RuntimeException {
+- public AssertingOutOfBoundsException(String message) {
+- super(message);
+- }
+- }
+-
+- static BiFunction<String, List<Integer>, AssertingOutOfBoundsException> assertingOutOfBounds(
+- final String message, final String expCheckKind, final Integer... expArgs) {
+- return new BiFunction<String, List<Integer>, AssertingOutOfBoundsException>() {
+- @Override
+- public AssertingOutOfBoundsException apply(String checkKind, List<Integer> args) {
+- assertEquals(checkKind, expCheckKind);
+- assertEquals(args, Collections.unmodifiableList(Arrays.asList(expArgs)));
+- try {
+- args.clear();
+- fail("Out of bounds List<Integer> argument should be unmodifiable");
+- } catch (Exception e) {
+- }
+- return new AssertingOutOfBoundsException(message);
+- }
+- };
+- }
+-
+- static BiFunction<String, List<Integer>, AssertingOutOfBoundsException> assertingOutOfBoundsReturnNull(
+- final String expCheckKind, final Integer... expArgs) {
+- return new BiFunction<String, List<Integer>, AssertingOutOfBoundsException>() {
+- @Override
+- public AssertingOutOfBoundsException apply(String checkKind, List<Integer> args) {
+- assertEquals(checkKind, expCheckKind);
+- assertEquals(args, Collections.unmodifiableList(Arrays.asList(expArgs)));
+- return null;
+- }
+- };
+- }
+-
+- static final int[] VALUES = {0, 1, Integer.MAX_VALUE - 1, Integer.MAX_VALUE, -1, Integer.MIN_VALUE + 1, Integer.MIN_VALUE};
+-
+- @DataProvider
+- static Object[][] checkIndexProvider() {
+- List<Object[]> l = new ArrayList<>();
+- for (int index : VALUES) {
+- for (int length : VALUES) {
+- boolean withinBounds = index >= 0 &&
+- length >= 0 &&
+- index < length;
+- l.add(new Object[]{index, length, withinBounds});
+- }
+- }
+- return l.toArray(new Object[0][0]);
+- }
+-
+- interface X {
+- int apply(int a, int b, int c);
+- }
+-
+- @Test(dataProvider = "checkIndexProvider")
+- public void testCheckIndex(final int index, final int length, final boolean withinBounds) {
+- List<Integer> list = Collections.unmodifiableList(Arrays.asList(new Integer[] { index, length }));
+- final String expectedMessage = withinBounds
+- ? null
+- : Preconditions.outOfBoundsExceptionFormatter(ioobeGenerator).
+- apply("checkIndex", list).getMessage();
+-
+- BiConsumer<Class<? extends RuntimeException>, IntSupplier> checker =
+- new BiConsumer<Class<? extends RuntimeException>, IntSupplier>() {
+- @Override
+- public void accept(Class<? extends RuntimeException> ec, IntSupplier s) {
+- try {
+- int rIndex = s.getAsInt();
+- if (!withinBounds)
+- fail(String.format(
+- "Index %d is out of bounds of [0, %d), but was reported to be within bounds", index, length));
+- assertEquals(rIndex, index);
+- }
+- catch (RuntimeException e) {
+- assertTrue(ec.isInstance(e));
+- if (withinBounds)
+- fail(String.format(
+- "Index %d is within bounds of [0, %d), but was reported to be out of bounds", index, length));
+- else
+- assertEquals(e.getMessage(), expectedMessage);
+- }
+- }
+- };
+-
+- checker.accept(AssertingOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkIndex(index, length,
+- assertingOutOfBounds(expectedMessage, "checkIndex", index, length));
+- }
+- });
+- checker.accept(IndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkIndex(index, length,
+- assertingOutOfBoundsReturnNull("checkIndex", index, length));
+- }
+- });
+- checker.accept(IndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkIndex(index, length, null);
+- }
+- });
+- checker.accept(ArrayIndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkIndex(index, length,
+- Preconditions.outOfBoundsExceptionFormatter(aioobeGenerator));
+- }
+- });
+- checker.accept(StringIndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkIndex(index, length,
+- Preconditions.outOfBoundsExceptionFormatter(sioobeGenerator));
+- }
+- });
+- }
+-
+-
+- @DataProvider
+- static Object[][] checkFromToIndexProvider() {
+- List<Object[]> l = new ArrayList<>();
+- for (int fromIndex : VALUES) {
+- for (int toIndex : VALUES) {
+- for (int length : VALUES) {
+- boolean withinBounds = fromIndex >= 0 &&
+- toIndex >= 0 &&
+- length >= 0 &&
+- fromIndex <= toIndex &&
+- toIndex <= length;
+- l.add(new Object[]{fromIndex, toIndex, length, withinBounds});
+- }
+- }
+- }
+- return l.toArray(new Object[0][0]);
+- }
+-
+- @Test(dataProvider = "checkFromToIndexProvider")
+- public void testCheckFromToIndex(final int fromIndex, final int toIndex,
+- final int length, final boolean withinBounds) {
+- List<Integer> list = Collections.unmodifiableList(Arrays.asList(new Integer[] { fromIndex, toIndex, length }));
+- final String expectedMessage = withinBounds
+- ? null
+- : Preconditions.outOfBoundsExceptionFormatter(ioobeGenerator).
+- apply("checkFromToIndex", list).getMessage();
+-
+- BiConsumer<Class<? extends RuntimeException>, IntSupplier> check =
+- new BiConsumer<Class<? extends RuntimeException>, IntSupplier>() {
+- @Override
+- public void accept(Class<? extends RuntimeException> ec, IntSupplier s) {
+- try {
+- int rIndex = s.getAsInt();
+- if (!withinBounds)
+- fail(String.format(
+- "Range [%d, %d) is out of bounds of [0, %d), but was reported to be withing bounds", fromIndex, toIndex, length));
+- assertEquals(rIndex, fromIndex);
+- }
+- catch (RuntimeException e) {
+- assertTrue(ec.isInstance(e));
+- if (withinBounds)
+- fail(String.format(
+- "Range [%d, %d) is within bounds of [0, %d), but was reported to be out of bounds", fromIndex, toIndex, length));
+- else
+- assertEquals(e.getMessage(), expectedMessage);
+- }
+- }
+- };
+-
+- check.accept(AssertingOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromToIndex(fromIndex, toIndex, length,
+- assertingOutOfBounds(expectedMessage, "checkFromToIndex", fromIndex, toIndex, length));
+- }
+- });
+- check.accept(IndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromToIndex(fromIndex, toIndex, length,
+- assertingOutOfBoundsReturnNull("checkFromToIndex", fromIndex, toIndex, length));
+- }
+- });
+- check.accept(IndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromToIndex(fromIndex, toIndex, length, null);
+- }
+- });
+- check.accept(ArrayIndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromToIndex(fromIndex, toIndex, length,
+- Preconditions.outOfBoundsExceptionFormatter(aioobeGenerator));
+- }
+- });
+- check.accept(StringIndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromToIndex(fromIndex, toIndex, length,
+- Preconditions.outOfBoundsExceptionFormatter(sioobeGenerator));
+- }
+- });
+- }
+-
+-
+- @DataProvider
+- static Object[][] checkFromIndexSizeProvider() {
+- List<Object[]> l = new ArrayList<>();
+- for (int fromIndex : VALUES) {
+- for (int size : VALUES) {
+- for (int length : VALUES) {
+- // Explicitly convert to long
+- long lFromIndex = fromIndex;
+- long lSize = size;
+- long lLength = length;
+- // Avoid overflow
+- long lToIndex = lFromIndex + lSize;
+-
+- boolean withinBounds = lFromIndex >= 0L &&
+- lSize >= 0L &&
+- lLength >= 0L &&
+- lFromIndex <= lToIndex &&
+- lToIndex <= lLength;
+- l.add(new Object[]{fromIndex, size, length, withinBounds});
+- }
+- }
+- }
+- return l.toArray(new Object[0][0]);
+- }
+-
+- @Test(dataProvider = "checkFromIndexSizeProvider")
+- public void testCheckFromIndexSize(final int fromIndex, final int size,
+- final int length, final boolean withinBounds) {
+- List<Integer> list = Collections.unmodifiableList(Arrays.asList(new Integer[] { fromIndex, size, length }));
+- final String expectedMessage = withinBounds
+- ? null
+- : Preconditions.outOfBoundsExceptionFormatter(ioobeGenerator).
+- apply("checkFromIndexSize", list).getMessage();
+-
+- BiConsumer<Class<? extends RuntimeException>, IntSupplier> check =
+- new BiConsumer<Class<? extends RuntimeException>, IntSupplier>() {
+- @Override
+- public void accept(Class<? extends RuntimeException> ec, IntSupplier s) {
+- try {
+- int rIndex = s.getAsInt();
+- if (!withinBounds)
+- fail(String.format(
+- "Range [%d, %d + %d) is out of bounds of [0, %d), but was reported to be withing bounds", fromIndex, fromIndex, size, length));
+- assertEquals(rIndex, fromIndex);
+- }
+- catch (RuntimeException e) {
+- assertTrue(ec.isInstance(e));
+- if (withinBounds)
+- fail(String.format(
+- "Range [%d, %d + %d) is within bounds of [0, %d), but was reported to be out of bounds", fromIndex, fromIndex, size, length));
+- else
+- assertEquals(e.getMessage(), expectedMessage);
+- }
+- }
+- };
+-
+- check.accept(AssertingOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromIndexSize(fromIndex, size, length,
+- assertingOutOfBounds(expectedMessage, "checkFromIndexSize", fromIndex, size, length));
+- }
+- });
+- check.accept(IndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromIndexSize(fromIndex, size, length,
+- assertingOutOfBoundsReturnNull("checkFromIndexSize", fromIndex, size, length));
+- }
+- });
+- check.accept(IndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromIndexSize(fromIndex, size, length, null);
+- }
+- });
+- check.accept(ArrayIndexOutOfBoundsException.class, new IntSupplier() {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromIndexSize(fromIndex, size, length,
+- Preconditions.outOfBoundsExceptionFormatter(aioobeGenerator));
+- }
+- });
+- check.accept(StringIndexOutOfBoundsException.class, new IntSupplier () {
+- @Override
+- public int getAsInt() {
+- return Preconditions.checkFromIndexSize(fromIndex, size, length,
+- Preconditions.outOfBoundsExceptionFormatter(sioobeGenerator));
+- }
+- });
+- }
+-
+- @Test
+- public void uniqueMessagesForCheckKinds() {
+- BiFunction<String, List<Integer>, IndexOutOfBoundsException> f =
+- Preconditions.outOfBoundsExceptionFormatter(ioobeGenerator);
+-
+- List<String> messages = new ArrayList<>();
+- List<Integer> arg1 = Collections.unmodifiableList(Arrays.asList(new Integer[] { -1 }));
+- List<Integer> arg2 = Collections.unmodifiableList(Arrays.asList(new Integer[] { -1, 0 }));
+- List<Integer> arg3 = Collections.unmodifiableList(Arrays.asList(new Integer[] { -1, 0, 0 }));
+- List<Integer> arg4 = Collections.unmodifiableList(Arrays.asList(new Integer[] { -1, 0, 0, 0 }));
+- // Exact arguments
+- messages.add(f.apply("checkIndex", arg2).getMessage());
+- messages.add(f.apply("checkFromToIndex", arg3).getMessage());
+- messages.add(f.apply("checkFromIndexSize", arg3).getMessage());
+- // Unknown check kind
+- messages.add(f.apply("checkUnknown", arg3).getMessage());
+- // Known check kind with more arguments
+- messages.add(f.apply("checkIndex", arg3).getMessage());
+- messages.add(f.apply("checkFromToIndex", arg4).getMessage());
+- messages.add(f.apply("checkFromIndexSize", arg4).getMessage());
+- // Known check kind with fewer arguments
+- messages.add(f.apply("checkIndex", arg1).getMessage());
+- messages.add(f.apply("checkFromToIndex", arg2).getMessage());
+- messages.add(f.apply("checkFromIndexSize", arg2).getMessage());
+- // Null arguments
+- messages.add(f.apply(null, null).getMessage());
+- messages.add(f.apply("checkNullArguments", null).getMessage());
+- messages.add(f.apply(null, arg1).getMessage());
+-
+- Set<String> distinct = new HashSet<>(messages);
+- assertEquals(messages.size(), distinct.size());
+- }
+-}
+--- openjdk.orig/test/src/sun/security/util/math/TestIntegerModuloP.java 2019-07-15 08:52:23.000000000 +0200
++++ openjdk/jdk/test/sun/security/util/math/TestIntegerModuloP.java 2019-07-04 19:20:08.000000000 +0200
+@@ -37,7 +37,6 @@
+ * @run main TestIntegerModuloP sun.security.util.math.intpoly.P521OrderField 66 10
+ */
+
+-import sun.security.util.BiFunction;
+ import sun.security.util.math.*;
+ import sun.security.util.math.intpoly.*;
+
+@@ -52,6 +51,9 @@
+ // The test has a list of functions, and it selects randomly from that list
+
+ // The function types
++ interface BiFunction <T, U, V> {
++ V apply(T t, U u);
++ }
+ interface ElemFunction extends BiFunction
+ <MutableIntegerModuloP, IntegerModuloP, IntegerModuloP> { }
+ interface ElemArrayFunction extends BiFunction
+--- patches.orig/boot/ecj-stringswitch.patch
++++ patches/boot/ecj-stringswitch.patch
+@@ -1800,64 +1800,6 @@
+ "No MAC implementation for " + algo);
+ }
+ return kdf;
+-diff -Nru openjdk-boot.orig/jdk/src/share/classes/sun/security/util/Preconditions.java openjdk-boot/jdk/src/share/classes/sun/security/util/Preconditions.java
+---- openjdk-boot.orig/jdk/src/share/classes/sun/security/util/Preconditions.java 2019-07-17 04:20:04.496029417 +0100
+-+++ openjdk-boot/jdk/src/share/classes/sun/security/util/Preconditions.java 2019-07-17 04:54:34.212283390 +0100
+-@@ -169,31 +169,30 @@
+- }
+-
+- int argSize = 0;
+-- switch (checkKind) {
+-- case "checkIndex":
+-- argSize = 2;
+-- break;
+-- case "checkFromToIndex":
+-- case "checkFromIndexSize":
+-- argSize = 3;
+-- break;
+-- default:
+-- }
+--
+-+ if ("checkIndex".equals(checkKind)) {
+-+ argSize = 2;
+-+ } else if ("checkFromToIndex".equals(checkKind) ||
+-+ "checkFromIndexSize".equals(checkKind)) {
+-+ argSize = 3;
+-+ }
+-+
+- // Switch to default if fewer or more arguments than required are supplied
+-- switch ((args.size() != argSize) ? "" : checkKind) {
+-- case "checkIndex":
+-- return String.format("Index %d out-of-bounds for length %d",
+-- args.get(0), args.get(1));
+-- case "checkFromToIndex":
+-- return String.format("Range [%d, %d) out-of-bounds for length %d",
+-- args.get(0), args.get(1), args.get(2));
+-- case "checkFromIndexSize":
+-- return String.format("Range [%d, %<d + %d) out-of-bounds for length %d",
+-- args.get(0), args.get(1), args.get(2));
+-- default:
+-- return String.format("Range check failed: %s %s", checkKind, args);
+-- }
+-+ if (args.size() != argSize) {
+-+ return String.format("Range check failed: %s %s", checkKind, args);
+-+ }
+-+
+-+ if ("checkIndex".equals(checkKind)) {
+-+ return String.format("Index %d out-of-bounds for length %d",
+-+ args.get(0), args.get(1));
+-+ } else if ("checkFromToIndex".equals(checkKind)) {
+-+ return String.format("Range [%d, %d) out-of-bounds for length %d",
+-+ args.get(0), args.get(1), args.get(2));
+-+ } else if ("checkFromIndexSize".equals(checkKind)) {
+-+ return String.format("Range [%d, %<d + %d) out-of-bounds for length %d",
+-+ args.get(0), args.get(1), args.get(2));
+-+ } else {
+-+ return String.format("Range check failed: %s %s", checkKind, args);
+-+ }
+- }
+-
+- /**
+ diff -Nru openjdk-boot.orig/jdk/src/share/classes/java/util/ResourceBundle.java openjdk-boot/jdk/src/share/classes/java/util/ResourceBundle.java
+ --- openjdk-boot.orig/jdk/src/share/classes/java/util/ResourceBundle.java 2019-11-13 21:46:22.926858210 +0000
+ +++ openjdk-boot/jdk/src/share/classes/java/util/ResourceBundle.java 2019-11-13 21:48:58.096470164 +0000
diff --git a/community/openjdk8/APKBUILD b/community/openjdk8/APKBUILD
index 86c8cd388e..2cf1d3e0f8 100644
--- a/community/openjdk8/APKBUILD
+++ b/community/openjdk8/APKBUILD
@@ -2,10 +2,10 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openjdk8
-_icedteaver=3.12.0
+_icedteaver=3.16.0
# pkgver is <JDK version>.<JDK update>.<JDK build>
# Check https://icedtea.classpath.org/wiki/Main_Page when updating!
-pkgver=8.212.04
+pkgver=8.252.09
pkgrel=0
pkgdesc="OpenJDK 8 provided by IcedTea"
url="https://icedtea.classpath.org/"
@@ -63,13 +63,57 @@ source="https://icedtea.classpath.org/download/source/icedtea-$_icedteaver.tar.x
icedtea-jdk-fix-libjvm-load.patch
icedtea-jdk-musl.patch
icedtea-jdk-includes.patch
- icedtea-jdk-getmntent-buffer.patch
icedtea-autoconf-config.patch
- icedtea-jdk-tls-nist-curves.patch
"
builddir="$srcdir/icedtea-$_icedteaver"
# secfixes:
+# 8.252.09-r0:
+# - CVE-2020-2754
+# - CVE-2020-2755
+# - CVE-2020-2756
+# - CVE-2020-2757
+# - CVE-2020-2773
+# - CVE-2020-2781
+# - CVE-2020-2800
+# - CVE-2020-2803
+# - CVE-2020-2805
+# - CVE-2020-2830
+# 8.242.08-r0:
+# - CVE-2020-2583
+# - CVE-2020-2590
+# - CVE-2020-2593
+# - CVE-2020-2601
+# - CVE-2020-2604
+# - CVE-2020-2659
+# - CVE-2020-2654
+# 8.232.09-r0:
+# - CVE-2019-2933
+# - CVE-2019-2945
+# - CVE-2019-2949
+# - CVE-2019-2958
+# - CVE-2019-2964
+# - CVE-2019-2962
+# - CVE-2019-2973
+# - CVE-2019-2975
+# - CVE-2019-2978
+# - CVE-2019-2981
+# - CVE-2019-2983
+# - CVE-2019-2987
+# - CVE-2019-2988
+# - CVE-2019-2989
+# - CVE-2019-2992
+# - CVE-2019-2999
+# - CVE-2019-2894
+# 8.222.10-r0:
+# - CVE-2019-2745
+# - CVE-2019-2762
+# - CVE-2019-2766
+# - CVE-2019-2769
+# - CVE-2019-2786
+# - CVE-2019-2816
+# - CVE-2019-2842
+# - CVE-2019-7317
# 8.212.04-r0:
# - CVE-2019-2602
# - CVE-2019-2684
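Review bot: The two `-` lines that drop `icedtea-jdk-getmntent-buffer.patch` and `icedtea-jdk-tls-nist-curves.patch` from the source list leave no record of why they are no longer needed; the getmntent patch is removed elsewhere in this commit and carries a reference to https://bugs.alpinelinux.org/issues/7093, so if both fixes are now part of IcedTea 3.16.0 a one-line comment stating that would spare the next maintainer from re-verifying them. Something like `# getmntent-buffer and tls-nist-curves patches dropped: fixed upstream in icedtea 3.16.0 (confirm against upstream changelog)` next to the list would do. In the new secfixes entries the CVE ids are not in a consistent order (CVE-2020-2654 follows CVE-2020-2659, CVE-2019-2894 closes the 8.232.09 block), which makes later cross-checks against upstream advisories slower; sorting them is cheap. The `source=` assignment begins before this hunk and the secfixes comment block continues after it.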
@@ -255,7 +299,7 @@ jre() {
jrebase() {
pkgdesc="OpenJDK 8 Java Runtime (no GUI support)"
- depends="$pkgname-jre-lib java-common java-cacerts"
+ depends="$pkgname-jre-lib java-common java-cacerts nss"
mkdir -p "$subpkgdir"/$_java_home/bin \
"$subpkgdir"/$_java_home/lib/$_jarch
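Review bot: The new runtime dependency `nss` added to jrebase()'s depends= is not explained in the hunk, and nothing visible here shows which part of the JRE now needs it, so a future maintainer cannot tell whether it is still required after the next IcedTea bump. Record the reason inline, e.g. `depends="$pkgname-jre-lib java-common java-cacerts nss" # nss: <reason, e.g. security provider linked by icedtea 3.16.0 — TODO confirm>`, with the real reason substituted for the placeholder. jrebase() continues past the end of this hunk.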
@@ -291,24 +335,22 @@ demos() {
"$subpkgdir"/$_java_home/
}
-sha512sums="22582d65b9114749c7cfee0fc58fa2cb70e4cf77f3bc62e8097a6c601ead0bf86f530b942e6b0f32ef7bbc5bd17130da236714d83d6e9857c3c5b85c984f2efa icedtea-3.12.0.tar.xz
-999aa17c0e73ebc465a982c5492043487b860b84dd6e4dda3fa51e3099b4642f3f5e03eb30252f835be81f1ea60dc28cf5f0905cbe347758a1f903db430fcc35 openjdk-3.12.0.tar.xz
-d4ffe454a659db6c13b74c8e190beb3b427574d54fa44c80a3ba1dceb3af6f480ee99378d370ec2e9bfc6b5447a225eeb3e11821c83522479583fb21b0705bd7 corba-3.12.0.tar.xz
-a5b8ca9b90797c5f0bc03b763fca50334a308bfd6955f5f488b661da6698abd991dbe08a7ac1a128922c546eb0061853e12a18971adb16c27302e2d9d0f13872 jaxp-3.12.0.tar.xz
-f1deb09ccf6b1dff40d61f3bc54e55d430ebcbeb0cd53d6008cacf65b94824d486913b63034ee23a473298e0bee61ad1ea3e5520c2a3ab25e9e1e6d58d50d286 jaxws-3.12.0.tar.xz
-2e15cdb58c9ce65c99ad5b5506343fb29cda02a4ea8490cfbe79f708deecee2ef28ad0e5a384d2113e72678aa857d821729b588e5ef53208ae06d0d5278ec326 jdk-3.12.0.tar.xz
-838e3e458734d3fc8d2d968eb3bc7190838cd9a73bf3d61de662f9a992a9951a74021e25331d26545f0181b08c80f298de24e030dad4e076bd76368f3a14e960 langtools-3.12.0.tar.xz
-2a0c18fea7b67c5042b39746f2c7ef53e252d6665efbcd74ebf9b171b13e311821310537e8b14cd4f9798c483afdb1107b9af6bb047262b97a526bfbb481777a hotspot-3.12.0.tar.xz
-918489daf6d2816d0fac85ed89cccbb0e350dc068502857f1a7e518135c40e5fcca2709a60ae51bad392592bdc459675ea3543e684ba1ed0d8debc7a451af6d5 nashorn-3.12.0.tar.xz
+sha512sums="67964f283b5a220ded7c86141ac359fc51f41077686d3e68568a9f303d2e5e6d62472bef2d6f5f9d53897a55589c84d3212983194607b9a6704192752f8ad2ac icedtea-3.16.0.tar.xz
+76b32457958c2cdbb0006629bb41652286a1a9bfbda862665eddf822d4653d4858f9f2565e849b0e49f031b7667be73be8fe8c71abc65e1795eb570a96d1fd1e openjdk-3.16.0.tar.xz
+bf90c95f401d4628e32b9a7ea78b7d43944f82882818a81d2ff368f09e49148091bf823d78ed56c343c175fe6d25492d9b78e25b725f218592ea94c4ae285e56 corba-3.16.0.tar.xz
+86e8c18741c1f4baca27d784b068765e404a5c2ee6ecb172c826fc1d6192b5776133f103b749839c39154fcaec87a0df95e8fd5bcb56b1e9b811711b296a4836 jaxp-3.16.0.tar.xz
+824ef15aa70ec629406fd9b98a69e5699fe8f6a8ab06be00ac546bcda1daf485b20de6ea0310064e000efbaf35b1cebee25bf69033634fdce8434efb3bb16f1d jaxws-3.16.0.tar.xz
+9202f88b360637ad474920d8a6f85740e6a425679617ef713efd67778b4c7ca0b3eba7e4fc9d33de0bbd5dacda4862c8a9b63a13880204388b01af29d5fb6a55 jdk-3.16.0.tar.xz
+1858bb3b7dd37edd817a52c67a878b48bc9b790623e77d9a6107f54b141638cb101ae3b8df560e3352c9ca2925aa5d493b4924e36a238be5a9628c714cc23642 langtools-3.16.0.tar.xz
+19490ccc377fde5dc3d4396425e945f32e121ad0cc4be394b07f8698a7e3805b16fc41e427bab5fa290cb84efc7edb62acf8ca98072176343f5584d692592d2d hotspot-3.16.0.tar.xz
+4bf87e7441ac747f133612e1fba5c06946c6731bae76132ffc614b41fcb689fda9d9ceb1e1fee3765765c6109894c85cf0f6e6fa9eb301f9a2d640ea6cd1c16c nashorn-3.16.0.tar.xz
1f470432275d5beaa8b4e4352a2f24a4a00593546dc4f3bd857794c89e521e8e6d6abc540762bbd769be3e1e3da058e134dc5dc066d12b9b8a1f0656040a795c fix-paxmark.patch
-09104b19f647dce9ba0835163c05cc7e5e3ec9852b277f22b2d7a02bd483968853544125a09e384e96ba8811f2bbdc9546e05e378582ec6a554ede797ca5ad98 icedtea-hotspot-musl.patch
+28709285390a997adbd56ebda42ef718fbc08daf572b8568f484436d255514f9d25f033e3333dff8aa352fc9846057ac5bb42fa955d3e5e44eddc96dc273c07c icedtea-hotspot-musl.patch
e5cf4d70f96fc1e72ae8b97a887adb96092ff36584711cbb8de9d9fa9e859cb8731d638838de0d9591239fc44ffe5c74422d1842bd9f10a0c00dff1627bdeeef icedtea-hotspot-musl-ppc.patch
19459dbb922f5a71cd15b53199481498626a783c24f91d2544d55b7dddd2cdb34a64bbf0226b99548612dd1743af01b3f9ff32c30abbbc90ce727ca2dbbbd1f9 icedtea-hotspot-noagent-musl.patch
f6365cfafafa008bd6c1bf0ccec01a63f8a39bd1a8bc87baa492a27234d47793ba02d455e5667a873ef50148df3baaf6a8421e2da0b15faac675867da714dd5f icedtea-jdk-execinfo.patch
48533f87fc2cf29d26b259be0df51087d2fe5b252e72d00c6ea2f4add7b0fb113141718c116279c5905e03f64a1118082e719393786811367cf4d472b5d36774 icedtea-jdk-fix-ipv6-init.patch
b135991c76b0db8fa7c363e0903624668e11eda7b54a943035c214aa4d7fc8c3e8110ed200edcec82792f3c9393150a9bd628625ddf7f3e55720ff163fbbb471 icedtea-jdk-fix-libjvm-load.patch
-1fbc32ddc528c7c0099dbc1e48f88d29dccf55e7b8997793aa1d3d8408003a1223d898cca4248e1a12d343d3feec5144f875e6cdac8460d763c73ab3ad7e49f9 icedtea-jdk-musl.patch
-e8d9f1b867bf4fc84aa00d1237b264bcf503b1ed5f34735e14b0b747a728953fe0051a5af69ed058d377fbf65d8be1ed9e38fe5fc6edb2d50b31f34bf3ba91dc icedtea-jdk-includes.patch
-7e6fa46b10c630517bfa46943858aea1d032c12d32ba3fcb7a2143ae1e896c34fa4cb8f925af80cb19f8e29149b835aa054adfd30ebb00539f6c78588d6f5211 icedtea-jdk-getmntent-buffer.patch
-662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch
-9ea7ac942baf29cc619bc2e1acd59201b9f6d38f39a517b495d7613aec746459200c81afb57c5fcdcb856f6bc8b33f7566c8593fed07e5c73f43e08f1072d458 icedtea-jdk-tls-nist-curves.patch"
+3b01de971f64f082d3e289cf337e635ef001381e8ca427a77baa9c52c7ba423889f57665779ca5b3c8bcefb8feacbea31dfaac580c969a4f061439069ee34aae icedtea-jdk-musl.patch
+974fb54532b7e7d738f4278187fc6bd9f9b2d99866b94f68a617ee4911c89a3b8cc41ecfdcaefecf9157492d006b1844b6b0b41ac4209d84f9e8d13c9e485dd3 icedtea-jdk-includes.patch
+662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch"
diff --git a/community/openjdk8/icedtea-hotspot-musl.patch b/community/openjdk8/icedtea-hotspot-musl.patch
index cbbb5525f0..c18653b9b3 100644
--- a/community/openjdk8/icedtea-hotspot-musl.patch
+++ b/community/openjdk8/icedtea-hotspot-musl.patch
@@ -82,8 +82,8 @@ index d2c10e0..20f657f 100644
-# include <fpu_control.h>
+# include <linux/types.h> /* provides __u64 */
- #ifdef BUILTIN_SIM
- #define REG_SP REG_RSP
+ #define REG_FP 29
+
diff --git openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
index 38388cb..2505ba8 100644
--- openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
diff --git a/community/openjdk8/icedtea-jdk-getmntent-buffer.patch b/community/openjdk8/icedtea-jdk-getmntent-buffer.patch
deleted file mode 100644
index 075a9d4238..0000000000
--- a/community/openjdk8/icedtea-jdk-getmntent-buffer.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Give a much bigger buffer to getmntent_r.
-
-https://bugs.alpinelinux.org/issues/7093
-
-diff --git a/openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c b/openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c
-index c8500db..d0b85d6 100644
---- openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c
-+++ openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c
-@@ -33,6 +33,7 @@
- #include <dlfcn.h>
- #include <errno.h>
- #include <mntent.h>
-+#include <limits.h>
-
- #include "sun_nio_fs_LinuxNativeDispatcher.h"
-
-@@ -173,8 +174,8 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this,
- jlong value, jobject entry)
- {
- struct mntent ent;
-- char buf[1024];
-- int buflen = sizeof(buf);
-+ char *buf = NULL;
-+ const size_t buflen = PATH_MAX * 4;
- struct mntent* m;
- FILE* fp = jlong_to_ptr(value);
- jsize len;
-@@ -183,10 +184,17 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this,
- char* dir;
- char* fstype;
- char* options;
-+ jint res = -1;
-
-- m = getmntent_r(fp, &ent, (char*)&buf, buflen);
-- if (m == NULL)
-+ buf = malloc(buflen);
-+ if (buf == NULL) {
-+ JNU_ThrowOutOfMemoryError(env, "native heap");
- return -1;
-+ }
-+ m = getmntent_r(fp, &ent, buf, buflen);
-+ if (m == NULL)
-+ goto out;
-+
- name = m->mnt_fsname;
- dir = m->mnt_dir;
- fstype = m->mnt_type;
-@@ -195,32 +203,35 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this,
- len = strlen(name);
- bytes = (*env)->NewByteArray(env, len);
- if (bytes == NULL)
-- return -1;
-+ goto out;
- (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)name);
- (*env)->SetObjectField(env, entry, entry_name, bytes);
-
- len = strlen(dir);
- bytes = (*env)->NewByteArray(env, len);
- if (bytes == NULL)
-- return -1;
-+ goto out;
- (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)dir);
- (*env)->SetObjectField(env, entry, entry_dir, bytes);
-
- len = strlen(fstype);
- bytes = (*env)->NewByteArray(env, len);
- if (bytes == NULL)
-- return -1;
-+ goto out;
- (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)fstype);
- (*env)->SetObjectField(env, entry, entry_fstype, bytes);
-
- len = strlen(options);
- bytes = (*env)->NewByteArray(env, len);
- if (bytes == NULL)
-- return -1;
-+ goto out;
- (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)options);
- (*env)->SetObjectField(env, entry, entry_options, bytes);
-
-- return 0;
-+ res = 0;
-+out:
-+ free(buf);
-+ return res;
- }
-
- JNIEXPORT void JNICALL
diff --git a/community/openjdk8/icedtea-jdk-includes.patch b/community/openjdk8/icedtea-jdk-includes.patch
index 6443a1973d..5acbb9efb8 100644
--- a/community/openjdk8/icedtea-jdk-includes.patch
+++ b/community/openjdk8/icedtea-jdk-includes.patch
@@ -53,17 +53,6 @@
/* O Flags */
---- openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c
-+++ openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c
-@@ -28,7 +28,7 @@
- #include <sys/types.h>
- #include <sys/socket.h>
- #if defined(__linux__) && !defined(USE_SELECT)
--#include <sys/poll.h>
-+#include <poll.h>
- #endif
- #include <netinet/tcp.h> /* Defines TCP_NODELAY, needed for 2.6 */
- #include <netinet/in.h>
--- openjdk.orig/jdk/src/solaris/native/java/net/bsd_close.c
+++ openjdk/jdk/src/solaris/native/java/net/bsd_close.c
@@ -36,7 +36,7 @@
@@ -88,14 +77,14 @@
* Stack allocated by thread when doing blocking operation
--- openjdk.orig/jdk/src/solaris/native/java/net/net_util_md.h
+++ openjdk/jdk/src/solaris/native/java/net/net_util_md.h
-@@ -33,7 +33,7 @@
- #include <unistd.h>
-
- #ifndef USE_SELECT
+@@ -27,7 +27,7 @@
+ #define NET_UTILS_MD_H
+
+ #include <netdb.h>
-#include <sys/poll.h>
+#include <poll.h>
- #endif
-
+ #include <sys/socket.h>
+
int NET_Timeout(int s, long timeout);
--- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c
+++ openjdk/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c
diff --git a/community/openjdk8/icedtea-jdk-musl.patch b/community/openjdk8/icedtea-jdk-musl.patch
index 97946ba424..09f5c082e5 100644
--- a/community/openjdk8/icedtea-jdk-musl.patch
+++ b/community/openjdk8/icedtea-jdk-musl.patch
@@ -47,28 +47,6 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/Inet4AddressImpl.c openjdk
#define HAS_GLIBC_GETHOSTBY_R 1
#endif
-diff -ru openjdk.orig/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c openjdk/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c
---- openjdk.orig/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c 2017-01-25 04:22:03.000000000 +0000
-+++ openjdk/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c 2017-02-06 11:23:47.047832009 +0000
-@@ -41,7 +41,6 @@
- #endif
- #ifdef __linux__
- #include <unistd.h>
--#include <sys/sysctl.h>
- #include <sys/utsname.h>
- #include <netinet/ip.h>
-
-diff -ru openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c
---- openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c 2017-01-25 04:22:03.000000000 +0000
-+++ openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c 2017-02-06 11:23:47.047832009 +0000
-@@ -43,7 +43,6 @@
- #endif
- #ifdef __linux__
- #include <unistd.h>
--#include <sys/sysctl.h>
- #endif
-
- #include "jvm.h"
diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/src/solaris/native/java/net/linux_close.c
--- openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c 2017-01-25 04:22:03.000000000 +0000
+++ openjdk/jdk/src/solaris/native/java/net/linux_close.c 2017-02-06 11:23:47.047832009 +0000
@@ -80,7 +58,7 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/
+static int sigWakeup;
/*
- * The fd table and the number of file descriptors
+ * fdTable holds one entry per file descriptor, up to a certain
@@ -95,6 +95,9 @@
/*
* Setup the signal handler
@@ -92,8 +70,8 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/
sa.sa_flags = 0;
sigemptyset(&sa.sa_mask);
diff -ru openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c
---- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-01-25 04:22:03.000000000 +0000
-+++ openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-02-06 11:23:47.051165409 +0000
+--- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-01-25 04:22:03.000000000 +0000
++++ openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-02-06 11:23:47.051165409 +0000
@@ -36,7 +36,7 @@
#include <pthread.h>
#include <sys/signal.h>
diff --git a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
deleted file mode 100644
index 75fb3af8cf..0000000000
--- a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Bug #7404 TLS negotiation error in OpenJDK 8 u131
-
-Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
-on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
-errors for some clients.
-
-Root cause appears to be OpenJDK announcing support for NIST curves the
-underlying NSS library does doesn't. This patch limits OpenJDK's
-announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
-(secp521r1).
-
-Related issues:
-
-* https://github.com/docker-library/openjdk/issues/115
-* https://bugs.alpinelinux.org/issues/7404
-* https://access.redhat.com/discussions/2339811
-* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
-* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
-
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
-@@ -168,21 +168,10 @@
- "contains no supported elliptic curves");
- }
- } else { // default curves
-- int[] ids;
-- if (requireFips) {
-- ids = new int[] {
-- // only NIST curves in FIPS mode
-- 23, 24, 25, 9, 10, 11, 12, 13, 14,
-- };
-- } else {
-- ids = new int[] {
-- // NIST curves first
-- 23, 24, 25, 9, 10, 11, 12, 13, 14,
-- // non-NIST curves
-- 22,
-- };
-- }
--
-+ int[] ids = new int[] {
-+ // NSS currently only supports these three NIST curves
-+ 23, 24, 25
-+ };
- idList = new ArrayList<>(ids.length);
- for (int curveId : ids) {
- if (isAvailableCurve(curveId)) {
diff --git a/community/pdns-recursor/APKBUILD b/community/pdns-recursor/APKBUILD
index d2137dad8e..60204c880f 100644
--- a/community/pdns-recursor/APKBUILD
+++ b/community/pdns-recursor/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Olivier Mauras <olivier@mauras.ch>
pkgname=pdns-recursor
-pkgver=4.1.9
-pkgrel=1
+pkgver=4.1.16
+pkgrel=0
pkgdesc="PowerDNS Recursive Server"
url="https://www.powerdns.com/"
# s390x: missing boost-context
@@ -22,6 +22,10 @@ source="https://downloads.powerdns.com/releases/$pkgname-$pkgver.tar.bz2
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.1.16-r0:
+# - CVE-2020-10030
+# - CVE-2020-10995
+# - CVE-2020-12244
# 4.1.9-r0:
# - CVE-2019-3806
# - CVE-2019-3807
@@ -69,6 +73,6 @@ package() {
"$pkgdir"/etc/pdns/recursor.conf
}
-sha512sums="2deaf1cdc8c32087f744efe0d142421cfd2d89dc9b31edcdea55c1efc2637987e8557891716498e3703c4b1af4b0d301e2a53316c5a97c7a18ec85016ccfa8f1 pdns-recursor-4.1.9.tar.bz2
+sha512sums="dc5d6113d88ce0da9e4735b2af98705c635651215e11f10b94e93b11fcbe20e91479aa0a9730e8d0f027aa6d1905c2b1131f3fd0efeeb5ca11af97bd3d7d7ff4 pdns-recursor-4.1.16.tar.bz2
6eea64828a363a8f36a694da4ab08f48482a096572e5597e3182bbf5f4e7c0114d9b643c7ea5060ae46b50b05c6ebbace2fedd44dc6309b641fd638d44db879e pdns-recursor.initd
954df537693a202fc195e751011bbfaa605b3f3df42ac386fa82eb809b73c2b987f5e418b5c96bb3b0669497426ce0daa39a719844701e06990b82843a4cf0d4 recursor.conf"
diff --git a/community/pdns/APKBUILD b/community/pdns/APKBUILD
index 1f793ab187..999e58ded8 100644
--- a/community/pdns/APKBUILD
+++ b/community/pdns/APKBUILD
@@ -5,7 +5,7 @@
# Contributor: Fabian Zoske <fabian@zoske.it>
# Maintainer: Matt Smith <mcs@darkregion.net>
pkgname=pdns
-pkgver=4.1.10
+pkgver=4.1.14
pkgrel=0
pkgdesc="PowerDNS Authoritative Server"
url="https://www.powerdns.com/"
@@ -37,10 +37,16 @@ pkgusers="pdns"
pkggroups="pdns"
source="https://downloads.powerdns.com/releases/$pkgname-$pkgver.tar.bz2
$pkgname.initd
- $pkgname.conf"
+ $pkgname.conf
+ README.alpine
+ "
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.1.14-r0:
+# - CVE-2020-17482
+# 4.1.11-r0:
+# - CVE-2019-10203
# 4.1.10-r0:
# - CVE-2019-10163
# - CVE-2019-10162
@@ -85,6 +91,8 @@ package() {
install -m600 -D "$srcdir/$pkgname.conf" \
"$pkgdir/etc/$pkgname/$pkgname.conf"
chown pdns:pdns "$pkgdir/etc/$pkgname/$pkgname.conf"
+
+ install -Dm644 "$srcdir"/README.alpine "$pkgdir"/usr/share/doc/$pkgname/README.alpine
}
tools() {
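Review bot: The README.alpine installed by the new `install -Dm644` line carries the manual schema migration that completes the CVE-2019-10203 fix, but files under /usr/share/doc/$pkgname are normally split off into the -doc subpackage, so an operator who upgrades only `pdns` will never see it (the subpackages line is outside this hunk, so this is inferred from Alpine convention). A hand-run step that a security fix depends on belongs in a `$pkgname.post-upgrade` script that prints the notice on upgrade from 4.1.10 and earlier, wired in with `install="$pkgname.post-upgrade"` and listed in the sha512sums, with the README kept as the longer reference. The README's `ALTER TABLE ... TYPE bigint USING ... ::bigint` statement is PostgreSQL syntax, so the notice should also state which backend it applies to rather than presenting it as universal.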
@@ -138,6 +146,7 @@ backend_remote() { _mv_backend remote; }
backend_sqlite3() { _mv_backend gsqlite3 sqlite; }
#backend_tinydns() { _mv_backend tinydns; }
-sha512sums="59a7a52468f6daae8de01bb2b08d812906ef58047026369895341cfff253a5b9ba29d6a6b43a822f1632641eec34fa1afa6fbb5b0ba5e72ecce8e61787892136 pdns-4.1.10.tar.bz2
+sha512sums="d78e5548fd6d497c827b3e3ad3c10f0d14d1c5da8c302aacb853e6c54f853288b86c6efd5d7e0cd84d4508accc7b0641c70f9278117540c6e22ba1fdf64d37d1 pdns-4.1.14.tar.bz2
3a55547e1b6407e7d2faa6e02982ed903c2364381af1b7eeb626ae3a8b0e32558dd79bf31c982b134414e5636d4868c1f3660ac523f25d2440ed6f7b436843bf pdns.initd
-3f809f3257680c3e496fa6a4c86c8a636db5d9d5b92aef96fe54c29b8266ee590deb792d13205cc171e27307fa73295dd3b101b09102fd66a2393a7cdbf9dd27 pdns.conf"
+3f809f3257680c3e496fa6a4c86c8a636db5d9d5b92aef96fe54c29b8266ee590deb792d13205cc171e27307fa73295dd3b101b09102fd66a2393a7cdbf9dd27 pdns.conf
+f2781a23e14bea9b4bbb84f3b596663c76359c449ef6fd39c87b5ea1163c47e01c5ba490c804709033598f0542ac558bde477729ad1ab9f17d49606fa61b2049 README.alpine"
diff --git a/community/pdns/README.alpine b/community/pdns/README.alpine
new file mode 100644
index 0000000000..625cb68d2b
--- /dev/null
+++ b/community/pdns/README.alpine
@@ -0,0 +1,6 @@
+When upgrading from 4.1.10 and previous:
+
+This release contains a fix for CVE-2019-10203
+Upgrading is not enough you need to manually apply the schema change
+
+ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;
diff --git a/community/php7-pecl-timezonedb/APKBUILD b/community/php7-pecl-timezonedb/APKBUILD
index 55bfa4326e..5026e0a52f 100644
--- a/community/php7-pecl-timezonedb/APKBUILD
+++ b/community/php7-pecl-timezonedb/APKBUILD
@@ -1,33 +1,36 @@
# Contributor: Fabio Ribeiro <fabiorphp@gmail.com>
# Maintainer: Fabio Ribeiro <fabiorphp@gmail.com>
pkgname=php7-pecl-timezonedb
-_pkgreal=timezonedb
-pkgver=2018.9
+_extname=timezonedb
+pkgver=2020.4
pkgrel=0
pkgdesc="Timezone Database to be used with PHP's date and time functions."
url="https://pecl.php.net/package/timezonedb"
arch="all"
-license="PHP"
+license="PHP-3.01"
depends="php7-common"
-makedepends="php7-dev autoconf re2c"
-source="https://pecl.php.net/get/$_pkgreal-$pkgver.tgz"
-builddir="$srcdir/$_pkgreal-$pkgver"
-options="!check" # upstream does not provide tests yet
+makedepends="php7-dev"
+source="https://pecl.php.net/get/$_extname-$pkgver.tgz"
+builddir="$srcdir/$_extname-$pkgver"
provides="php7-timezonedb=$pkgver-r$pkgrel" # for backward compatibility
replaces="php7-timezonedb" # for backward compatibility
build() {
- cd "$builddir"
phpize7
./configure --prefix=/usr --with-php-config=php-config7
make
}
+check() {
+ # Test suite is not a part of pecl release.
+ php7 -d extension=modules/$_extname.so --ri $_extname
+}
+
package() {
- cd "$builddir"
- make INSTALL_ROOT="$pkgdir"/ install
- install -d "$pkgdir"/etc/php7/conf.d
- echo "extension=$_pkgreal.so" > "$pkgdir"/etc/php7/conf.d/40_$_pkgreal.ini
+ make INSTALL_ROOT="$pkgdir" install
+ local _confdir="$pkgdir"/etc/php7/conf.d
+ install -d $_confdir
+ echo "extension=$_extname.so" > $_confdir/40_$_extname.ini
}
-sha512sums="77fabe3aa0283900ea2d3d20caaf7c4b9bac1859249c9df4f0225c203fc92310dfe9b4144640af034a4ba86ba78a748a39980ff796affc67edc99ec874867e06 timezonedb-2018.9.tgz"
+sha512sums="d5c41c76b4b0b033464a4f086072d061504fc439c910c47a7077a0586b308cc37a4202ff9f418a39cee63534d55136d15a173bb94923160c0fa16bb33ac89a09 timezonedb-2020.4.tgz"
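Review bot: `$_confdir` is expanded unquoted in `install -d $_confdir` and in the redirect on the next line of package(), although the `$pkgdir` it is derived from is quoted on the line that defines it. Quote it the same way: `install -d "$_confdir"` and `echo "extension=$_extname.so" > "$_confdir"/40_$_extname.ini`. The new check() is a load-only smoke test, as its comment says, so dropping `options="!check"` is consistent with it.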
diff --git a/community/php7/APKBUILD b/community/php7/APKBUILD
index 9bc83877a7..e1098e6336 100644
--- a/community/php7/APKBUILD
+++ b/community/php7/APKBUILD
@@ -25,14 +25,14 @@
pkgname=php7
_pkgreal=php
-pkgver=7.2.19
+pkgver=7.2.33
pkgrel=0
_apiver=20170718
_suffix=${pkgname#php}
# Is this package the default (latest) PHP version?
_default_php="yes"
pkgdesc="The PHP$_suffix language runtime engine"
-url="https://secure.php.net"
+url="https://www.php.net/"
arch="all"
license="PHP-3.0 BSD LGPL-2.0 MIT Zend"
depends="$pkgname-common"
@@ -181,6 +181,26 @@ case "$CARCH" in
esac
# secfixes:
+# 7.2.33-r0:
+# - CVE-2020-7068
+# 7.2.31-r0:
+# - CVE-2019-11048
+# - CVE-2020-7062
+# - CVE-2020-7063
+# - CVE-2020-7064
+# - CVE-2020-7066
+# 7.2.27-r0:
+# - CVE-2020-7059
+# - CVE-2020-7060
+# 7.2.26-r0:
+# - CVE-2019-11045
+# - CVE-2019-11047
+# - CVE-2019-11050
+# 7.2.24-r0:
+# - CVE-2019-11043
+# 7.2.21-r0:
+# - CVE-2019-11041
+# - CVE-2019-11042
# 7.2.19-r0:
# - CVE-2019-11039
# - CVE-2019-11040
@@ -667,7 +687,7 @@ _mv() {
mv $@
}
-sha512sums="79077e73075f4aaba86699c536d8bad4929d351ad40f89c35b6f9ff0d1237b9e3d528be2918dae16519659bdaf93c5ab16fc81653fe13f667e6251871f05d722 php-7.2.19.tar.bz2
+sha512sums="44664414c537fc9dc0bd77c6def5f23ce31a24e4cbc7a817cc581292f2ddb3ed163b72edda3284e065ee9533462837eb87391230742c326f80d5d295ab5f5550 php-7.2.33.tar.bz2
1c708de82d1086f272f484faf6cf6d087af7c31750cc2550b0b94ed723961b363f28a947b015b2dfc0765caea185a75f5d2c2f2b099c948b65c290924f606e4f php7-fpm.initd
cacce7bf789467ff40647b7319e3760c6c587218720538516e8d400baa75651f72165c4e28056cd0c1dc89efecb4d00d0d7823bed80b29136262c825ce816691 php7-fpm.logrotate
274bd7b0b2b7002fa84c779640af37b59258bb37b05cb7dd5c89452977d71807f628d91b523b5039608376d1f760f3425d165242ca75ee5129b2730e71c4e198 php7-module.conf
diff --git a/community/py-psutil/APKBUILD b/community/py-psutil/APKBUILD
index 85c5297556..800572f12b 100644
--- a/community/py-psutil/APKBUILD
+++ b/community/py-psutil/APKBUILD
@@ -3,16 +3,22 @@
pkgname=py-psutil
_pkgname=psutil
pkgver=5.5.0
-pkgrel=0
+pkgrel=1
pkgdesc="A cross-platform process and system utilities module for Python"
url="https://github.com/giampaolo/psutil"
arch="all"
license="BSD"
makedepends="$depends_dev linux-headers python2-dev python3-dev"
subpackages="py3-$_pkgname:_py3 py2-$_pkgname:_py2"
-source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+ CVE-2019-18874.patch
+ "
builddir="$srcdir/$_pkgname-$pkgver"
+# secfixes:
+# 5.5.0-r1:
+# - CVE-2019-18874
+
build() {
cd "$builddir"
python2 setup.py build
@@ -48,4 +54,5 @@ _py3() {
_py python3
}
-sha512sums="e614d41162087e236779738b50ec9e83403082f20492e152605fe80da23a11a4bd667db82a234f00815f68139d53b19368c2118ab27d52144341c2250091c570 psutil-5.5.0.tar.gz"
+sha512sums="e614d41162087e236779738b50ec9e83403082f20492e152605fe80da23a11a4bd667db82a234f00815f68139d53b19368c2118ab27d52144341c2250091c570 psutil-5.5.0.tar.gz
+a39fbc2f1c1d092fbbcded94291d3640edb4800f938a2665b84c88c211fc5f53155e1dfbb1898d92ebeac35357108fc1b31c550eab760e9e8dfd8e117970cd5d CVE-2019-18874.patch"
diff --git a/community/py-psutil/CVE-2019-18874.patch b/community/py-psutil/CVE-2019-18874.patch
new file mode 100644
index 0000000000..441615a06d
--- /dev/null
+++ b/community/py-psutil/CVE-2019-18874.patch
@@ -0,0 +1,576 @@
+diff --git a/psutil/_psutil_aix.c b/psutil/_psutil_aix.c
+index 898da6b..fa05be6 100644
+--- a/psutil/_psutil_aix.c
++++ b/psutil/_psutil_aix.c
+@@ -390,10 +390,10 @@ psutil_users(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_username);
+- Py_DECREF(py_tty);
+- Py_DECREF(py_hostname);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_username);
++ Py_CLEAR(py_tty);
++ Py_CLEAR(py_hostname);
++ Py_CLEAR(py_tuple);
+ }
+ endutxent();
+
+@@ -450,9 +450,9 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_dev);
+- Py_DECREF(py_mountp);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_dev);
++ Py_CLEAR(py_mountp);
++ Py_CLEAR(py_tuple);
+ mt = getmntent(file);
+ }
+ endmntent(file);
+diff --git a/psutil/_psutil_bsd.c b/psutil/_psutil_bsd.c
+index dce157f..d31436e 100644
+--- a/psutil/_psutil_bsd.c
++++ b/psutil/_psutil_bsd.c
+@@ -152,7 +152,7 @@ psutil_pids(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_pid))
+ goto error;
+- Py_DECREF(py_pid);
++ Py_CLEAR(py_pid);
+ proclist++;
+ }
+ free(orig_address);
+@@ -507,8 +507,8 @@ psutil_proc_open_files(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_path);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_path);
++ Py_CLEAR(py_tuple);
+ }
+ }
+ free(freep);
+@@ -670,9 +670,9 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_dev);
+- Py_DECREF(py_mountp);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_dev);
++ Py_CLEAR(py_mountp);
++ Py_CLEAR(py_tuple);
+ }
+
+ free(fs);
+@@ -765,7 +765,7 @@ psutil_net_io_counters(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyDict_SetItemString(py_retdict, ifc_name, py_ifc_info))
+ goto error;
+- Py_DECREF(py_ifc_info);
++ Py_CLEAR(py_ifc_info);
+ }
+ else {
+ continue;
+@@ -840,10 +840,10 @@ psutil_users(PyObject *self, PyObject *args) {
+ fclose(fp);
+ goto error;
+ }
+- Py_DECREF(py_username);
+- Py_DECREF(py_tty);
+- Py_DECREF(py_hostname);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_username);
++ Py_CLEAR(py_tty);
++ Py_CLEAR(py_hostname);
++ Py_CLEAR(py_tuple);
+ }
+
+ fclose(fp);
+@@ -883,10 +883,10 @@ psutil_users(PyObject *self, PyObject *args) {
+ endutxent();
+ goto error;
+ }
+- Py_DECREF(py_username);
+- Py_DECREF(py_tty);
+- Py_DECREF(py_hostname);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_username);
++ Py_CLEAR(py_tty);
++ Py_CLEAR(py_hostname);
++ Py_CLEAR(py_tuple);
+ }
+
+ endutxent();
+diff --git a/psutil/_psutil_linux.c b/psutil/_psutil_linux.c
+index bd27b5f..aabe3f4 100644
+--- a/psutil/_psutil_linux.c
++++ b/psutil/_psutil_linux.c
+@@ -235,9 +235,9 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_dev);
+- Py_DECREF(py_mountp);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_dev);
++ Py_CLEAR(py_mountp);
++ Py_CLEAR(py_tuple);
+ }
+ endmntent(file);
+ return py_retlist;
+@@ -491,10 +491,10 @@ psutil_users(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_username);
+- Py_DECREF(py_tty);
+- Py_DECREF(py_hostname);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_username);
++ Py_CLEAR(py_tty);
++ Py_CLEAR(py_hostname);
++ Py_CLEAR(py_tuple);
+ }
+ endutent();
+ return py_retlist;
+diff --git a/psutil/_psutil_osx.c b/psutil/_psutil_osx.c
+index be08de5..518ac4a 100644
+--- a/psutil/_psutil_osx.c
++++ b/psutil/_psutil_osx.c
+@@ -831,7 +831,7 @@ psutil_per_cpu_times(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_cputime))
+ goto error;
+- Py_DECREF(py_cputime);
++ Py_CLEAR(py_cputime);
+ }
+
+ ret = vm_deallocate(mach_task_self(), (vm_address_t)info_array,
+@@ -1013,9 +1013,9 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_dev);
+- Py_DECREF(py_mountp);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_dev);
++ Py_CLEAR(py_mountp);
++ Py_CLEAR(py_tuple);
+ }
+
+ free(fs);
+@@ -1083,7 +1083,6 @@ psutil_proc_threads(PyObject *self, PyObject *args) {
+ }
+
+ for (j = 0; j < thread_count; j++) {
+- py_tuple = NULL;
+ thread_info_count = THREAD_INFO_MAX;
+ kr = thread_info(thread_list[j], THREAD_BASIC_INFO,
+ (thread_info_t)thinfo_basic, &thread_info_count);
+@@ -1106,7 +1105,7 @@ psutil_proc_threads(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+ }
+
+ ret = vm_deallocate(task, (vm_address_t)thread_list,
+@@ -1215,10 +1214,8 @@ psutil_proc_open_files(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
+- py_tuple = NULL;
+- Py_DECREF(py_path);
+- py_path = NULL;
++ Py_CLEAR(py_tuple);
++ Py_CLEAR(py_path);
+ // --- /construct python list
+ }
+ }
+@@ -1398,7 +1395,7 @@ psutil_proc_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+ }
+ else if (family == AF_UNIX) {
+ py_laddr = PyUnicode_DecodeFSDefault(
+@@ -1420,9 +1417,9 @@ psutil_proc_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
+- Py_DECREF(py_laddr);
+- Py_DECREF(py_raddr);
++ Py_CLEAR(py_tuple);
++ Py_CLEAR(py_laddr);
++ Py_CLEAR(py_raddr);
+ }
+ }
+ }
+@@ -1543,7 +1540,7 @@ psutil_net_io_counters(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyDict_SetItemString(py_retdict, ifc_name, py_ifc_info))
+ goto error;
+- Py_DECREF(py_ifc_info);
++ Py_CLEAR(py_ifc_info);
+ }
+ else {
+ continue;
+@@ -1716,7 +1713,7 @@ psutil_disk_io_counters(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyDict_SetItemString(py_retdict, disk_name, py_disk_info))
+ goto error;
+- Py_DECREF(py_disk_info);
++ Py_CLEAR(py_disk_info);
+
+ CFRelease(parent_dict);
+ IOObjectRelease(parent);
+@@ -1778,10 +1775,10 @@ psutil_users(PyObject *self, PyObject *args) {
+ endutxent();
+ goto error;
+ }
+- Py_DECREF(py_username);
+- Py_DECREF(py_tty);
+- Py_DECREF(py_hostname);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_username);
++ Py_CLEAR(py_tty);
++ Py_CLEAR(py_hostname);
++ Py_CLEAR(py_tuple);
+ }
+
+ endutxent();
+diff --git a/psutil/_psutil_sunos.c b/psutil/_psutil_sunos.c
+index 0717f19..ea015e1 100644
+--- a/psutil/_psutil_sunos.c
++++ b/psutil/_psutil_sunos.c
+@@ -298,8 +298,8 @@ psutil_proc_environ(PyObject *self, PyObject *args) {
+ if (PyDict_SetItem(py_retdict, py_envname, py_envval) < 0)
+ goto error;
+
+- Py_DECREF(py_envname);
+- Py_DECREF(py_envval);
++ Py_CLEAR(py_envname);
++ Py_CLEAR(py_envval);
+ }
+
+ psutil_free_cstrings_array(env, env_count);
+@@ -653,10 +653,10 @@ psutil_users(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_username);
+- Py_DECREF(py_tty);
+- Py_DECREF(py_hostname);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_username);
++ Py_CLEAR(py_tty);
++ Py_CLEAR(py_hostname);
++ Py_CLEAR(py_tuple);
+ }
+ endutxent();
+
+@@ -712,9 +712,9 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_dev);
+- Py_DECREF(py_mountp);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_dev);
++ Py_CLEAR(py_mountp);
++ Py_CLEAR(py_tuple);
+ }
+ fclose(file);
+ return py_retlist;
+@@ -765,8 +765,7 @@ psutil_per_cpu_times(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_cputime))
+ goto error;
+- Py_DECREF(py_cputime);
+- py_cputime = NULL;
++ Py_CLEAR(py_cputime);
+ }
+ }
+
+@@ -822,7 +821,7 @@ psutil_disk_io_counters(PyObject *self, PyObject *args) {
+ if (PyDict_SetItemString(py_retdict, ksp->ks_name,
+ py_disk_info))
+ goto error;
+- Py_DECREF(py_disk_info);
++ Py_CLEAR(py_disk_info);
+ }
+ }
+ ksp = ksp->ks_next;
+@@ -957,8 +956,8 @@ psutil_proc_memory_maps(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_path);
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_path);
++ Py_CLEAR(py_tuple);
+
+ // increment pointer
+ p += 1;
+@@ -1073,7 +1072,7 @@ psutil_net_io_counters(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyDict_SetItemString(py_retdict, ksp->ks_name, py_ifc_info))
+ goto error;
+- Py_DECREF(py_ifc_info);
++ Py_CLEAR(py_ifc_info);
+ goto next;
+
+ next:
+@@ -1271,7 +1270,7 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+ }
+ }
+ #if defined(AF_INET6)
+@@ -1285,7 +1284,7 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ #ifdef NEW_MIB_COMPLIANT
+ processed_pid = tp6.tcp6ConnCreationProcess;
+ #else
+- processed_pid = 0;
++ processed_pid = 0;
+ #endif
+ if (pid != -1 && processed_pid != pid)
+ continue;
+@@ -1314,14 +1313,14 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+ }
+ }
+ #endif
+ // UDPv4
+ else if (mibhdr.level == MIB2_UDP || mibhdr.level == MIB2_UDP_ENTRY) {
+ num_ent = mibhdr.len / sizeof(mib2_udpEntry_t);
+- assert(num_ent * sizeof(mib2_udpEntry_t) == mibhdr.len);
++ assert(num_ent * sizeof(mib2_udpEntry_t) == mibhdr.len);
+ for (i = 0; i < num_ent; i++) {
+ memcpy(&ude, databuf.buf + i * sizeof ude, sizeof ude);
+ #ifdef NEW_MIB_COMPLIANT
+@@ -1353,7 +1352,7 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+ }
+ }
+ #if defined(AF_INET6)
+@@ -1386,7 +1385,7 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+ }
+ }
+ #endif
+@@ -1559,7 +1558,7 @@ psutil_net_if_stats(PyObject* self, PyObject* args) {
+ goto error;
+ if (PyDict_SetItemString(py_retdict, ksp->ks_name, py_ifc_info))
+ goto error;
+- Py_DECREF(py_ifc_info);
++ Py_CLEAR(py_ifc_info);
+ }
+ }
+
+diff --git a/psutil/_psutil_windows.c b/psutil/_psutil_windows.c
+index ce44258..bf5d57d 100644
+--- a/psutil/_psutil_windows.c
++++ b/psutil/_psutil_windows.c
+@@ -350,7 +350,7 @@ psutil_pids(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_pid))
+ goto error;
+- Py_DECREF(py_pid);
++ Py_CLEAR(py_pid);
+ }
+
+ // free C array allocated for PIDs
+@@ -1113,7 +1113,7 @@ psutil_per_cpu_times(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+ }
+
+ free(sppi);
+@@ -1331,7 +1331,7 @@ psutil_proc_threads(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+
+ CloseHandle(hThread);
+ }
+@@ -1788,7 +1788,7 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_conn_tuple))
+ goto error;
+- Py_DECREF(py_conn_tuple);
++ Py_CLEAR(py_conn_tuple);
+ }
+ }
+ else {
+@@ -1885,7 +1885,7 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_conn_tuple))
+ goto error;
+- Py_DECREF(py_conn_tuple);
++ Py_CLEAR(py_conn_tuple);
+ }
+ }
+ else {
+@@ -1959,7 +1959,7 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_conn_tuple))
+ goto error;
+- Py_DECREF(py_conn_tuple);
++ Py_CLEAR(py_conn_tuple);
+ }
+ }
+ else {
+@@ -2032,7 +2032,7 @@ psutil_net_connections(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_conn_tuple))
+ goto error;
+- Py_DECREF(py_conn_tuple);
++ Py_CLEAR(py_conn_tuple);
+ }
+ }
+ else {
+@@ -2439,8 +2439,8 @@ psutil_net_io_counters(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyDict_SetItem(py_retdict, py_nic_name, py_nic_info))
+ goto error;
+- Py_XDECREF(py_nic_name);
+- Py_XDECREF(py_nic_info);
++ Py_CLEAR(py_nic_name);
++ Py_CLEAR(py_nic_info);
+
+ free(pIfRow);
+ pCurrAddresses = pCurrAddresses->Next;
+@@ -2555,7 +2555,7 @@ psutil_disk_io_counters(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyDict_SetItemString(py_retdict, szDeviceDisplay, py_tuple))
+ goto error;
+- Py_XDECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+
+ next:
+ CloseHandle(hDevice);
+@@ -2712,7 +2712,7 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
+ goto error;
+ }
+
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+
+ // Continue looking for more mount points
+ mp_flag = FindNextVolumeMountPoint(mp_h, mp_buf, MAX_PATH);
+@@ -2737,7 +2737,7 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
++ Py_CLEAR(py_tuple);
+ goto next;
+
+ next:
+@@ -2867,9 +2867,9 @@ psutil_users(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_XDECREF(py_username);
+- Py_XDECREF(py_address);
+- Py_XDECREF(py_tuple);
++ Py_CLEAR(py_username);
++ Py_CLEAR(py_address);
++ Py_CLEAR(py_tuple);
+ }
+
+ WTSFreeMemory(sessions);
+@@ -3105,8 +3105,8 @@ psutil_proc_memory_maps(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
+- Py_DECREF(py_str);
++ Py_CLEAR(py_tuple);
++ Py_CLEAR(py_str);
+ }
+ previousAllocationBase = basicInfo.AllocationBase;
+ baseAddress = (PCHAR)baseAddress + basicInfo.RegionSize;
+@@ -3156,8 +3156,8 @@ psutil_ppid_map(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyDict_SetItem(py_retdict, py_pid, py_ppid))
+ goto error;
+- Py_DECREF(py_pid);
+- Py_DECREF(py_ppid);
++ Py_CLEAR(py_pid);
++ Py_CLEAR(py_ppid);
+ } while (Process32Next(handle, &pe));
+ }
+
+@@ -3260,8 +3260,8 @@ psutil_net_if_addrs(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
+- Py_DECREF(py_mac_address);
++ Py_CLEAR(py_tuple);
++ Py_CLEAR(py_mac_address);
+ }
+
+ // find out the IP address associated with the NIC
+@@ -3337,14 +3337,14 @@ psutil_net_if_addrs(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyList_Append(py_retlist, py_tuple))
+ goto error;
+- Py_DECREF(py_tuple);
+- Py_DECREF(py_address);
+- Py_DECREF(py_netmask);
++ Py_CLEAR(py_tuple);
++ Py_CLEAR(py_address);
++ Py_CLEAR(py_netmask);
+
+ pUnicast = pUnicast->Next;
+ }
+ }
+- Py_DECREF(py_nic_name);
++ Py_CLEAR(py_nic_name);
+ pCurrAddresses = pCurrAddresses->Next;
+ }
+
+@@ -3464,8 +3464,8 @@ psutil_net_if_stats(PyObject *self, PyObject *args) {
+ goto error;
+ if (PyDict_SetItem(py_retdict, py_nic_name, py_ifc_info))
+ goto error;
+- Py_DECREF(py_nic_name);
+- Py_DECREF(py_ifc_info);
++ Py_CLEAR(py_nic_name);
++ Py_CLEAR(py_ifc_info);
+ }
+
+ free(pIfTable);
diff --git a/community/ruby-nokogiri/APKBUILD b/community/ruby-nokogiri/APKBUILD
index 88e465ae2e..40f1cf4b49 100644
--- a/community/ruby-nokogiri/APKBUILD
+++ b/community/ruby-nokogiri/APKBUILD
@@ -3,7 +3,7 @@
pkgname=ruby-nokogiri
_gemname=${pkgname#ruby-}
pkgver=1.8.5
-pkgrel=0
+pkgrel=1
pkgdesc="An HTML, XML, SAX, and Reader parser"
url="http://nokogiri.org/"
arch="all"
diff --git a/community/sox/APKBUILD b/community/sox/APKBUILD
index e50a1d5d75..1c6c41a6f8 100644
--- a/community/sox/APKBUILD
+++ b/community/sox/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sox
pkgver=14.4.2
-pkgrel=2
+pkgrel=3
pkgdesc="The Swiss Army knife of sound processing tools"
url="http://sox.sourceforge.net/"
arch="all"
@@ -18,8 +18,17 @@ subpackages="$pkgname-dev $pkgname-doc"
source="https://downloads.sourceforge.net/sourceforge/$pkgname/$pkgname-$pkgver.tar.gz
sox-uclibc.patch
sox-dynamic.patch
+ CVE-2019-8357.patch
+ CVE-2019-8356.patch
+ CVE-2019-8355.patch
"
+# secfixes:
+# 14.4.2-r3:
+# - CVE-2019-8357
+# - CVE-2019-8356
+# - CVE-2019-8355
+
prepare() {
cd "$builddir"
default_prepare
@@ -47,4 +56,7 @@ package() {
}
sha512sums="b5c6203f4f5577503a034fe5b3d6a033ee97fe4d171c533933e2b036118a43a14f97c9668433229708609ccf9ee16abdeca3fc7501aa0aafe06baacbba537eca sox-14.4.2.tar.gz
08c55a0de96733e10544d450f39c2205b4057b9fc024503ec97b1906a075752ee8a4b0a1b4c5bbad2eebec17bcf8d069b22d243a63d28b77c23d545efcca6aec sox-uclibc.patch
-3950834db26faa0523006c6fd8e0769d080518f127d345c8ec9bf53e9db8a6bd67cd724f0f86492aaf9ce6ede2dfbde167049768f35c14ef3c2b96e7e00302b6 sox-dynamic.patch"
+3950834db26faa0523006c6fd8e0769d080518f127d345c8ec9bf53e9db8a6bd67cd724f0f86492aaf9ce6ede2dfbde167049768f35c14ef3c2b96e7e00302b6 sox-dynamic.patch
+b5daae78fc4eb855049c298da98ff6bb16933fb9b308801c02853fe58fb9086304343007740e2783a64fddc09c3ba576645e10cf4d5fe24f99ae98c4c1d943d7 CVE-2019-8357.patch
+38f0572603181422ffa9d25ee17dea924b9b523803d0a835039c64aab1408d8e7cc36f9d2285d6d9a310901c3449b90ccc34da1273e33842e9f0634a5bb2757f CVE-2019-8356.patch
+7a5499a5dea5635eb67703f95144e57b68c4c0c50aea04f2ecbfffd4cdd31cc183d97410da4f79cdbb9af4f357792a04fc7496f031cd2e30eb9dacf258050ff3 CVE-2019-8355.patch"
diff --git a/community/sox/CVE-2019-8355.patch b/community/sox/CVE-2019-8355.patch
new file mode 100644
index 0000000000..0936b38d51
--- /dev/null
+++ b/community/sox/CVE-2019-8355.patch
@@ -0,0 +1,45 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4e50abb..c76c812 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -95,7 +95,7 @@ libsox_la_LIBADD += @GOMP_LIBS@
+
+ libsox_la_CFLAGS = @WARN_CFLAGS@
+ libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \
+- -export-symbols-regex '^(sox_.*|lsx_(error|flush|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|fail_errno|filelength|find_(enum_(text|value)|file_extension)|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|realloc|rewind|seeki|sigfigs3p?|strcasecmp|tell|unreadb|write(b|_b_buf|buf|s)))$$'
++ -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc.*|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
+
+ if HAVE_WIN32_LTDL
+ libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h
+diff --git a/src/xmalloc.c b/src/xmalloc.c
+index 9bf1596..5ca7cdd 100644
+--- a/src/xmalloc.c
++++ b/src/xmalloc.c
+@@ -41,3 +41,13 @@ void *lsx_realloc(void *ptr, size_t newsize)
+
+ return ptr;
+ }
++
++void *lsx_realloc_array(void *p, size_t n, size_t size)
++{
++ if (n > (size_t)-1 / size) {
++ lsx_fail("malloc size overflow");
++ exit(2);
++ }
++
++ return lsx_realloc(p, n * size);
++}
+diff --git a/src/xmalloc.h b/src/xmalloc.h
+index 9ee77f6..d708a90 100644
+--- a/src/xmalloc.h
++++ b/src/xmalloc.h
+@@ -28,7 +28,7 @@
+ #define lsx_Calloc(v,n) v = lsx_calloc(n,sizeof(*(v)))
+ #define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) : NULL)
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+-#define lsx_valloc(v,n) v = lsx_malloc((n)*sizeof(*(v)))
+-#define lsx_revalloc(v,n) v = lsx_realloc(v, (n)*sizeof(*(v)))
++#define lsx_valloc(v,n) v = lsx_realloc_array(NULL, n, sizeof(*(v)))
++#define lsx_revalloc(v,n) v = lsx_realloc_array(v, n, sizeof(*(v)))
+
+ #endif
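Review bot: The new `lsx_realloc_array` symbol is only exported from libsox if the `-export-symbols-regex` edit to src/Makefile.am is regenerated into the Makefile, which needs automake to be re-run; the APKBUILD's build steps are outside this hunk, so check that it runs `autoreconf -fi` (or equivalent) before configure. If it does not, the release tarball's pre-generated Makefile.in keeps the old regex, and any code outside libsox.so that expands `lsx_valloc`/`lsx_revalloc` (dynamically loaded format modules, if that build mode is enabled) would fail at load time with an unresolved `lsx_realloc_array`. The overflow check itself is sound because it divides before multiplying, but the exit-on-overflow policy is only implied by the surrounding file; a one-line comment such as `/* reject n*size overflow before it reaches lsx_realloc; exits instead of returning NULL */` above the check would make that contract explicit for callers of the macros.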
diff --git a/community/sox/CVE-2019-8356.patch b/community/sox/CVE-2019-8356.patch
new file mode 100644
index 0000000000..a9ae615bf8
--- /dev/null
+++ b/community/sox/CVE-2019-8356.patch
@@ -0,0 +1,74 @@
+--- a/src/fft4g.h
++++ b/src/fft4g.h
+@@ -12,6 +12,8 @@
+ * along with this library; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
++
++#define FFT4G_MAX_SIZE 262144
+
+ void lsx_cdft(int, int, double *, int *, double *);
+ void lsx_rdft(int, int, double *, int *, double *);
+
+--- a/src/fft4g.c
++++ b/src/fft4g.c
+@@ -322,6 +322,9 @@
+
+ void cdft(int n, int isgn, double *a, int *ip, double *w)
+ {
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ if (n > (ip[0] << 2)) {
+ makewt(n >> 2, ip, w);
+ }
+@@ -344,6 +347,9 @@
+ int nw, nc;
+ double xi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -384,6 +390,9 @@
+ int j, nw, nc;
+ double xr;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -435,6 +444,9 @@
+ int j, nw, nc;
+ double xr;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -486,6 +498,9 @@
+ int j, k, l, m, mh, nw, nc;
+ double xr, xi, yr, yi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 3)) {
+ nw = n >> 3;
+@@ -576,6 +591,9 @@
+ int j, k, l, m, mh, nw, nc;
+ double xr, xi, yr, yi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 3)) {
+ nw = n >> 3;
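Review bot: The new `if (n > FFT4G_MAX_SIZE) return;` guards fail silently: every function patched here is void, so an oversized request now hands the caller an untouched `a` buffer with no indication that the transform was skipped, turning a crash into silently wrong output with nothing logged. At minimum make the rejection observable, e.g. `if (n > FFT4G_MAX_SIZE) { lsx_warn("fft4g: n=%d exceeds FFT4G_MAX_SIZE", n); return; }` if fft4g.c has the lsx_* logging helpers in scope (its includes are outside the hunk), or enforce the bound in the lsx_safe_* wrappers that call into fft4g so the effect can fail cleanly. The `#define FFT4G_MAX_SIZE 262144` in fft4g.h also deserves a comment naming the fixed-size work arrays it protects; the patch does not say why 2^18 was chosen, and the next person to raise it needs to know what it is bounded by.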
diff --git a/community/sox/CVE-2019-8357.patch b/community/sox/CVE-2019-8357.patch
new file mode 100644
index 0000000000..6f0bf72e53
--- /dev/null
+++ b/community/sox/CVE-2019-8357.patch
@@ -0,0 +1,12 @@
+--- a/src/effects_i_dsp.c
++++ b/src/effects_i_dsp.c
+@@ -362,6 +362,9 @@
+ assert(Fc >= 0 && Fc <= 1);
+ lsx_debug("make_lpf(n=%i Fc=%.7g β=%g ρ=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, rho, dc_norm, scale);
+
++ if (!h)
++ return NULL;
++
+ for (i = 0; i <= m / 2; ++i) {
+ double z = i - .5 * m, x = z * M_PI, y = z * mult1;
+ h[i] = x? sin(Fc * x) / x : Fc;
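Review bot: The `if (!h) return NULL;` check sits after the `lsx_debug` call rather than next to the allocation of `h`, which is above the hunk and not visible, and make_lpf's callers are outside the hunk too, so it cannot be seen here whether they handle a NULL return; if they do not, the NULL dereference only moves one frame up. It is also worth confirming which allocator produces `h`: if it is one of the lsx_* wrappers, which per the xmalloc.c conventions visible in the sibling patch exit rather than return NULL, this check is dead code and the real fix is elsewhere. A comment such as `/* h may be NULL for huge num_taps; callers must handle a NULL return */` would make the new contract explicit.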
diff --git a/community/tor/APKBUILD b/community/tor/APKBUILD
index 14caac4d98..97d3d3919e 100644
--- a/community/tor/APKBUILD
+++ b/community/tor/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Christine Dodrill <me@christine.website>
pkgname=tor
pkgver=0.3.4.11
-pkgrel=0
+pkgrel=1
pkgdesc="Anonymous network connectivity"
url="https://www.torproject.org"
arch="all"
@@ -12,7 +12,7 @@ makedepends="linux-headers bash libevent-dev openssl-dev ca-certificates
zlib-dev"
install="$pkgname.post-upgrade $pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-openrc"
-source="https://www.torproject.org/dist/$pkgname-$pkgver.tar.gz
+source="https://archive.torproject.org/tor-package-archive/$pkgname-$pkgver.tar.gz
tor.initd
tor.confd
torrc.sample.patch"
diff --git a/community/virtualbox-guest-modules-vanilla/APKBUILD b/community/virtualbox-guest-modules-vanilla/APKBUILD
index 45514c71db..81304aa622 100644
--- a/community/virtualbox-guest-modules-vanilla/APKBUILD
+++ b/community/virtualbox-guest-modules-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/community/vlc/APKBUILD b/community/vlc/APKBUILD
index ba41bc70ba..c939fa1027 100644
--- a/community/vlc/APKBUILD
+++ b/community/vlc/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vlc
pkgver=3.0.6
-pkgrel=0
+pkgrel=1
pkgdesc="A multi-platform MPEG, VCD/DVD, and DivX player"
triggers="vlc-libs.trigger=/usr/lib/vlc/plugins"
pkgusers="vlc"
diff --git a/community/webkit2gtk/APKBUILD b/community/webkit2gtk/APKBUILD
index ce57ab2be5..eddcba2132 100644
--- a/community/webkit2gtk/APKBUILD
+++ b/community/webkit2gtk/APKBUILD
@@ -1,13 +1,14 @@
+# Contributor: Rasmus Thomsen <oss@cogitri.dev>
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Jiri Horner <laeqten@gmail.com>
# Maintainer: Jiri Horner <laeqten@gmail.com>
pkgname=webkit2gtk
-pkgver=2.22.7
+pkgver=2.24.3
pkgrel=0
pkgdesc="Portable web rendering engine WebKit for GTK+"
url="https://webkitgtk.org/"
arch="all"
-license="LGPL-2.0-or-later BSD-2-Clause"
+license="LGPL-2.0-or-later AND BSD-2-Clause"
options="!check" # 2.20.3-r1 no idea why gtest is removed in prepare
makedepends="
bison
@@ -35,6 +36,9 @@ makedepends="
libxslt-dev
libxt-dev
mesa-dev
+ ninja
+ openjpeg-dev
+ openjpeg-tools
pango-dev
paxmark
python2
@@ -42,15 +46,28 @@ makedepends="
sqlite-dev
"
replaces="webkit"
-subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
+options="!check" # upstream doesn't package them in release tarballs: Tools/Scripts/run-gtk-tests: Command not found
+subpackages="$pkgname-dev $pkgname-lang"
source="https://webkitgtk.org/releases/webkitgtk-$pkgver.tar.xz
fix-fast-memory-disabled.patch
- fix_armv6l.patch
musl-fixes.patch
+ fix-openjpeg.patch
"
builddir="$srcdir/webkitgtk-$pkgver"
# secfixes:
+# 2.24.1-r0:
+# - CVE-2019-6251
+# - CVE-2019-8506
+# - CVE-2019-8524
+# - CVE-2019-8535
+# - CVE-2019-8536
+# - CVE-2019-8544
+# - CVE-2019-8551
+# - CVE-2019-8558
+# - CVE-2019-8559
+# - CVE-2019-8563
+# - CVE-2019-11070
# 2.22.7-r0:
# - CVE-2018-4437
# - CVE-2019-6212
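Review bot: `options="!check"` is assigned a second time here; the file already sets it a few lines earlier (`options="!check" # 2.20.3-r1 no idea why gtest is removed in prepare`), and this same commit adds a `check()` function further down that `!check` guarantees never runs. Keep a single `options` line and decide one way: either drop `!check` so the new check() is actually exercised, or drop check() and keep the comment explaining why tests are skipped. Separately, the secfixes block is keyed `# 2.24.1-r0:` while the package ships as 2.24.3-r0; Alpine's secdb derives fixed-in versions from these keys, so any advisories addressed in 2.24.2 or 2.24.3 (this hunk does not show whether there were any) need their own `# 2.24.3-r0:` entry rather than being folded under 2.24.1.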
@@ -81,48 +98,53 @@ builddir="$srcdir/webkitgtk-$pkgver"
# - CVE-2017-2371
# - CVE-2017-2373
-prepare() {
- default_prepare
- cd "$builddir"
- rm -r Source/ThirdParty/gtest/
-}
-
build() {
local _archopt=
case "$CARCH" in
- armhf) _archopt="-DUSE_LD_GOLD=OFF -DENABLE_JIT=OFF -DUSE_SYSMEM_MALLOC=ON";;
- aarch64) _archopt="-DUSE_LD_GOLD=OFF";;
- ppc64le) _archopt="-DENABLE_JIT=OFF -DUSE_SYSMTE_MALLOC=ON";;
- s390x) _archopt="-DUSE_LD_GOLD=OFF -DENABLE_JIT=OFF -DUSE_SYSMEM_MALLOC=ON";;
+ # disable _FORTIFY_SOURCE to work around:
+ # cc1plus: out of memory allocating 65536 bytes after a total of 3131101184 bytes
+ x86) CXXFLAGS="$CXXFLAGS -U_FORTIFY_SOURCE";;
+ armhf|armv7|ppc64le|s390x) _archopt="-DENABLE_JIT=OFF";;
esac
- cd "$builddir"
+ # reduce memory usage on 32 bit
+ # https://bugs.webkit.org/show_bug.cgi?id=199272
+ export CXXFLAGS="$CXXFLAGS -g1"
+
mkdir build
cd build
- cmake -DPORT=GTK \
- -DCMAKE_BUILD_TYPE=Release \
+ cmake -GNinja \
+ -DPORT=GTK \
+ -DCMAKE_BUILD_TYPE=MinSizeRel \
-DCMAKE_SKIP_RPATH=ON \
-DCMAKE_INSTALL_PREFIX=/usr \
-DLIB_INSTALL_DIR=/usr/lib \
-DLIBEXEC_INSTALL_DIR=/usr/lib/webkit2gtk-4.0 \
- -DENABLE_GTKDOC=ON \
+ -DENABLE_GTKDOC=OFF \
-DENABLE_GEOLOCATION=OFF \
-DENABLE_PLUGIN_PROCESS_GTK2=OFF \
-DENABLE_SAMPLING_PROFILER=OFF \
- -DUSE_WOFF2=OFF\
+ -DENABLE_MINIBROWSER=ON \
+ -DUSE_WOFF2=OFF \
+ -DCMAKE_CXX_FLAGS="$CXXFLAGS" \
$_archopt \
..
- make
+ # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923476
+ ninja JavaScriptCore-4-gir
+ ninja
+}
+
+check() {
+ ninja -C "$builddir"/build check
}
package() {
- cd "$builddir"/build
- make DESTDIR="$pkgdir" install
+ DESTDIR="$pkgdir" ninja -C "$builddir"/build install
# needed for JIT
paxmark -m "$pkgdir"/usr/lib/webkit2gtk-4.0/WebKitWebProcess
}
-sha512sums="c11f60b14f279752bb75efce4b69cbfd75e854bfb16772edc3b24d28eff2fb65090e03f24c1cfaf1f27668e017d877e04d5210560da70568029c5af33a916126 webkitgtk-2.22.7.tar.xz
-9d7de4755c21d2573103dde326bb86ba37d54032627cb1bd362138906ac1d6a1dc48d4e548f29e29dc507831bae833ac5a8d2cf7fdb3d6a9d5bd5fb06f222b00 fix-fast-memory-disabled.patch
-f8fad1450d87f1cb195818cddb8a2307616916612e4676a4d71a20d58864d1c153550e4465a128e04f136c437518a4b90f1fa685ef6519fa8054637760635c72 fix_armv6l.patch
-922957ae400853bcfd5bff2c4e5b98a8351227a0b3b759dc34913ea5c8437e852899467a293cd2fb7a67f65022c4e99506f2be3c54fbcd74f038eb98ac02189e musl-fixes.patch"
+sha512sums="b358bb11f7df477e5b3d6a12e2e6b41cb4e6a7274e34ce6299bf0c56044ffc7db5a834e9abf5c71d992ef41d194d30171b8be406420ffc54fe766cc811afb79f webkitgtk-2.24.3.tar.xz
+e1537b9937af1cb936669d405993a52204cb9968b8b3161cb12a3f3f1343c260088c9490fcd7a7deeab6dbabdb5f7ce7e6cb2f857b9f0a4205aba6db2b11fb20 fix-fast-memory-disabled.patch
+d0d5e37822644cab071e33d325affd1ce5948b414f6f54d695e6b4a7bffadecd25c0df6dc1cb63e70127499f5a8da43b02286a3518b2488b5da32c622df45d97 musl-fixes.patch
+c517c012f5630ef6be5be7d9592c5e042a070f849a141859edefa7984acb98dbd0d718fe6613cd35ba3b7d8530beebcc7408fd077cd914ed335c5e524e9e746a fix-openjpeg.patch"
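Review bot: `x86) CXXFLAGS="$CXXFLAGS -U_FORTIFY_SOURCE";;` turns off fortified libc wrappers for the entire engine on 32-bit x86, and a browser engine parsing untrusted content is exactly what that hardening exists for; the comment records the compiler OOM but not why the `-g1` reduction exported right below it, added for the same memory problem, is insufficient on its own. Try the x86 build with only `-g1` first, and if `-U_FORTIFY_SOURCE` is still required, say so where it is set, e.g. `# hardening loss on x86 only: revisit when cc1plus memory use drops (bugs.webkit.org/show_bug.cgi?id=199272)`, so it is revisited instead of inherited by the next version bump. The `check()` added in this hunk is dead code while `options="!check"` remains set earlier in the file.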
diff --git a/community/webkit2gtk/fix-fast-memory-disabled.patch b/community/webkit2gtk/fix-fast-memory-disabled.patch
index 95b9f6a091..9d2747c7da 100644
--- a/community/webkit2gtk/fix-fast-memory-disabled.patch
+++ b/community/webkit2gtk/fix-fast-memory-disabled.patch
@@ -1,6 +1,6 @@
---- a/Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp.orig 2017-09-14 10:03:40.908890971 +0200
-+++ b/Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp 2017-09-14 10:04:17.084859537 +0200
-@@ -112,7 +112,11 @@ void unregisterCode(void* start, void* e
+--- a/Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp
++++ b/Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp
+@@ -118,7 +118,11 @@ void unregisterCode(void* start, void* e
bool fastMemoryEnabled()
{
diff --git a/community/webkit2gtk/fix-openjpeg.patch b/community/webkit2gtk/fix-openjpeg.patch
new file mode 100644
index 0000000000..221f060f7e
--- /dev/null
+++ b/community/webkit2gtk/fix-openjpeg.patch
@@ -0,0 +1,11 @@
+--- a/Source/WebCore/platform/image-decoders/jpeg2000/JPEG2000ImageDecoder.cpp
++++ b/Source/WebCore/platform/image-decoders/jpeg2000/JPEG2000ImageDecoder.cpp
+@@ -28,7 +28,7 @@
+
+ #if USE(OPENJPEG)
+
+-#include <openjpeg.h>
++#include <openjpeg-2.3/openjpeg.h>
+
+ namespace WebCore {
+
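Review bot: `#include <openjpeg-2.3/openjpeg.h>` hardcodes the versioned include directory of whatever openjpeg-dev is installed today, so the next openjpeg minor bump becomes a WebKit build failure, and the APKBUILD's `openjpeg-dev` makedepend carries no version constraint that would flag it. The durable fix belongs in the build system rather than the source: have the OpenJPEG lookup take its include path from pkg-config (`libopenjp2.pc` publishes the versioned includedir) so the unversioned `#include <openjpeg.h>` resolves; WebKit's CMake lookup is not visible here, so that would be a separate patch under Source/cmake. If this workaround stays, add a header comment to the patch stating that it must be refreshed on every openjpeg upgrade.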
diff --git a/community/webkit2gtk/fix_armv6l.patch b/community/webkit2gtk/fix_armv6l.patch
deleted file mode 100644
index c07a95b9c3..0000000000
--- a/community/webkit2gtk/fix_armv6l.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Fix code emitted for armv6l to not use movw/movt but ldr.
-See https://bugs.webkit.org/show_bug.cgi?id=131612
-and https://bugs.webkit.org/show_bug.cgi?id=141288
-
---- a/Source/JavaScriptCore/offlineasm/arm.rb 2015-07-22 14:37:57.000000000 +0200
-+++ b/Source/JavaScriptCore/offlineasm/arm.rb 2015-08-08 00:31:21.011824644 +0200
-@@ -473,8 +473,16 @@
- $asm.puts "mov #{armFlippedOperands(operands)}"
- end
- when "mvlbl"
-+ if isARMv7 or isARMv7Traditional
- $asm.puts "movw #{operands[1].armOperand}, \#:lower16:#{operands[0].value}"
- $asm.puts "movt #{operands[1].armOperand}, \#:upper16:#{operands[0].value}"
-+ else
-+ $mvlbl_counter ||= 0
-+ $mvlbl_counter += 1
-+ const_label = "_mvlbl_const_label#{$mvlbl_counter}"
-+ $asm.puts ".equ #{const_label}, (#{operands[0].value})"
-+ $asm.puts "ldr #{operands[1].armOperand}, =#{const_label}"
-+ end
- when "nop"
- $asm.puts "nop"
- when "bieq", "bpeq", "bbeq"
diff --git a/community/webkit2gtk/musl-fixes.patch b/community/webkit2gtk/musl-fixes.patch
index b5fd0bbbf1..c829f19fe7 100644
--- a/community/webkit2gtk/musl-fixes.patch
+++ b/community/webkit2gtk/musl-fixes.patch
@@ -1,5 +1,3 @@
-diff --git a/Source/JavaScriptCore/runtime/MachineContext.h b/Source/JavaScriptCore/runtime/MachineContext.h
-index 836d755..4a0518a 100644
--- a/Source/JavaScriptCore/runtime/MachineContext.h
+++ b/Source/JavaScriptCore/runtime/MachineContext.h
@@ -188,7 +188,7 @@ static inline void*& stackPointerImpl(mcontext_t& machineContext)
@@ -47,11 +45,10 @@ index 836d755..4a0518a 100644
// The following sequence depends on glibc's sys/ucontext.h.
#if CPU(X86)
-diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
-index 27396d2..23a7b9e 100644
+
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
-@@ -144,9 +144,9 @@ constexpr bool enableWebAssemblyStreamingApi = false;
+@@ -138,9 +138,9 @@ constexpr bool enableWebAssemblyStreamingApi = false;
\
v(bool, reportMustSucceedExecutableAllocations, false, Normal, nullptr) \
\
@@ -64,8 +61,7 @@ index 27396d2..23a7b9e 100644
\
v(bool, crashIfCantAllocateJITMemory, false, Normal, nullptr) \
v(unsigned, jitMemoryReservationSize, 0, Normal, "Set this number to change the executable allocation size in ExecutableAllocatorFixedVMPool. (In bytes.)") \
-diff --git a/Source/ThirdParty/ANGLE/src/compiler/preprocessor/ExpressionParser.cpp b/Source/ThirdParty/ANGLE/src/compiler/preprocessor/ExpressionParser.cpp
-index c0f8b9c..1074cce 100644
+
--- a/Source/ThirdParty/ANGLE/src/compiler/preprocessor/ExpressionParser.cpp
+++ b/Source/ThirdParty/ANGLE/src/compiler/preprocessor/ExpressionParser.cpp
@@ -836,7 +836,7 @@ int yydebug;
@@ -86,8 +82,7 @@ index c0f8b9c..1074cce 100644
# define yystpcpy stpcpy
# else
/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
-diff --git a/Source/ThirdParty/ANGLE/src/compiler/translator/glslang_tab.cpp b/Source/ThirdParty/ANGLE/src/compiler/translator/glslang_tab.cpp
-index 14cd536..6084d64 100644
+
--- a/Source/ThirdParty/ANGLE/src/compiler/translator/glslang_tab.cpp
+++ b/Source/ThirdParty/ANGLE/src/compiler/translator/glslang_tab.cpp
@@ -1975,7 +1975,7 @@ int yydebug;
@@ -108,11 +103,10 @@ index 14cd536..6084d64 100644
# define yystpcpy stpcpy
# else
/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
-diff --git a/Source/WTF/wtf/Platform.h b/Source/WTF/wtf/Platform.h
-index 67cfa93..341a9f5 100644
+
--- a/Source/WTF/wtf/Platform.h
+++ b/Source/WTF/wtf/Platform.h
-@@ -697,7 +697,7 @@
+@@ -710,7 +710,7 @@
#define HAVE_CFNETWORK_STORAGE_PARTITIONING 1
#endif
@@ -121,8 +115,6 @@ index 67cfa93..341a9f5 100644
#define HAVE_MACHINE_CONTEXT 1
#endif
-diff --git a/Source/WebCore/xml/XPathGrammar.cpp b/Source/WebCore/xml/XPathGrammar.cpp
-index 31df1c0..bc569c1 100644
--- a/Source/WebCore/xml/XPathGrammar.cpp
+++ b/Source/WebCore/xml/XPathGrammar.cpp
@@ -966,7 +966,7 @@ int yydebug;
diff --git a/community/wireshark/APKBUILD b/community/wireshark/APKBUILD
index 6cbaf39f83..45f3e3ddcb 100644
--- a/community/wireshark/APKBUILD
+++ b/community/wireshark/APKBUILD
@@ -3,23 +3,36 @@
# Contributor: Jeremy Thomerson <jeremy@thomersonfamily.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wireshark
-pkgver=2.6.9
+pkgver=2.6.20
pkgrel=0
-pkgdesc="A network protocol analyzer - GTK version"
+pkgdesc="network protocol analyzer - GTK version"
url="https://www.wireshark.org"
arch="all"
license="GPL-2.0-or-later"
-depends=""
makedepends="bison flex perl-dev glib glib-dev libpcap-dev libcap-dev
gtk+3.0-dev c-ares-dev pcre-dev gnutls-dev libgcrypt-dev
libnl3-dev qt5-qtbase-dev qt5-qttools-dev lua5.2-dev bash portaudio-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-gtk $pkgname-common tshark"
source="https://www.wireshark.org/download/src/$pkgname-$pkgver.tar.xz
fix-udpdump.patch
- "
+ "
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 2.6.20-r0:
+# - CVE-2020-25862
+# 2.6.16-r0:
+# - CVE-2020-11647
+# 2.6.15-r0:
+# - CVE-2020-9431
+# - CVE-2020-9430
+# - CVE-2020-9428
+# 2.6.13-r0:
+# - CVE-2019-19553
+# 2.6.11-r0:
+# - CVE-2019-16319
+# 2.6.10-r0:
+# - CVE-2019-13619
# 2.6.9-r0:
# - CVE-2019-12295
# 2.6.8-r0:
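Review bot: The secfixes block jumps from 2.6.9-r0 to 2.6.20-r0 with entries only for 2.6.10, 2.6.11, 2.6.13, 2.6.15, 2.6.16 and 2.6.20; 2.6.12, 2.6.14, 2.6.17, 2.6.18 and 2.6.19 have none, and Wireshark publishes advisories with most point releases, so confirm from the upstream release notes that those releases carried no CVEs before merging, since Alpine's secdb reads nothing but this block. Unrelated to security, `pkgdesc` still says `GTK version` although makedepends pulls in qt5-qtbase-dev and the package splits out a `$pkgname-gtk` subpackage; `pkgdesc="network protocol analyzer"` would be accurate.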
@@ -123,14 +136,6 @@ builddir="$srcdir"/$pkgname-$pkgver
# - CVE-2017-13765
# - CVE-2017-13766
# - CVE-2017-13767
-# 2.2.10-r0:
-# - CVE-2017-15191
-# - CVE-2017-15192
-# - CVE-2017-15193
-# 2.2.9-r0:
-# - CVE-2017-13765
-# - CVE-2017-13766
-# - CVE-2017-13767
# 2.2.8-r0:
# - CVE-2017-11406
# - CVE-2017-11407
@@ -234,5 +239,5 @@ gtk() {
mv "$pkgdir"/usr/bin/wireshark-gtk "$subpkgdir"/usr/bin/
}
-sha512sums="ddd2efe25623f44d7f3d47808a000b2979d426a0cdf37dfa81af4d4159e0f67b172c7dbeedeb31034d48499089bfc7a99a8e7c6d1e7890be0523b693269c41ca wireshark-2.6.9.tar.xz
+sha512sums="0e49e807b578368478e912970e7b4434cffcf499b803f62dbff64281c1400db5be8e96b69872270f2f52276c5fd8aee75ad3f175e8c1979dbe721a2d77f8cb13 wireshark-2.6.20.tar.xz
951677dd125b1e36b351cc87a98e8b8d0391d184c7695594dd4270334d86ada1dff5f14cd960da9c5d5d26fc801c42f0219b2db6269f3c526c841c7940d2f369 fix-udpdump.patch"
diff --git a/community/zabbix/APKBUILD b/community/zabbix/APKBUILD
index 705fa6e2a7..9d9290ca24 100644
--- a/community/zabbix/APKBUILD
+++ b/community/zabbix/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zabbix
-pkgver=4.0.9
+pkgver=4.0.21
pkgrel=0
pkgdesc="Enterprise-class open source distributed monitoring"
url="http://www.zabbix.com"
@@ -25,7 +25,7 @@ options="!check" # no tests available
subpackages="$pkgname-doc $pkgname-agent $pkgname-pgsql $pkgname-mysql $pkgname-sqlite
$pkgname-webif::noarch $pkgname-utils $pkgname-setup::noarch
$pkgname-openrc $pkgname-agent-openrc:agent_openrc"
-source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
+source="$pkgname-$pkgver.tar.gz::https://github.com/zabbix/zabbix/archive/$pkgver.tar.gz
zabbix-server.initd
zabbix-server.confd
zabbix-agentd.initd
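Review bot: Switching `source` from the sourceforge release tarball to `github.com/zabbix/zabbix/archive/$pkgver.tar.gz` fetches an on-demand git snapshot rather than a release artifact: GitHub does not guarantee those archives stay byte-identical over time, so the pinned sha512 can begin failing with no upstream change, and a git snapshot typically lacks the generated files a release tarball carries (the configure script in particular), which makes the build depend on a bootstrap step that is outside this hunk. Prefer the release tarball Zabbix publishes itself if it is available, and if the snapshot must stay, add the bootstrap call to build() with a comment explaining why. The 4.0.9 to 4.0.21 bump also adds no secfixes entries, so check the intervening 4.0.x release notes for CVE fixes that should be recorded.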
@@ -200,7 +200,7 @@ agent_openrc() {
"$subpkgdir"/etc/init.d/zabbix-agentd
}
-sha512sums="4e04d80490f43d2e7833a4e11dbc7ce0ed70dc1f43653eeff923f5bfa16bbeedf37597599d68e0de3194820501d896d785a20d6ae0dce9328c458fd711a6a7bf zabbix-4.0.9.tar.gz
+sha512sums="f93137602a6f89feed66d35d6604f92bb4f8b6831cd9348108408a5bddeb98ac22ed72077e59b6e9dd12b894d115c0e410912e0c1d83bb36a9398188dbe80e30 zabbix-4.0.21.tar.gz
9998ee172a28002d98bacc3f76038ff52b8cf2b206e101418d76b4ca3de94afaf92cb4f7a6235ecf177f74beb9dd3ea1f3983c4f164b4f60bb601acba65aa175 zabbix-server.initd
9c06527bf653c40585fa7eeb3f7a0b2fc454031d24cd0d1633aed87b78a681c5227a193c5b9fcfcea0839135874e27ba7dd9b198573f905f680a2856f79e9512 zabbix-server.confd
523013cab3ba79cbc00db92f09d4c5d514fd6aa9cbebf8f29227dc91fbc19d2f8375af74c21d2037e4f3380a818f808194dbc94e69709ef2cf90f66e715895c4 zabbix-agentd.initd
diff --git a/community/znc/APKBUILD b/community/znc/APKBUILD
index 7f8d2b413b..d7dc8b7f1e 100644
--- a/community/znc/APKBUILD
+++ b/community/znc/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=znc
pkgver=1.7.1
-pkgrel=3
+pkgrel=4
pkgdesc="Advanced IRC bouncer"
url="http://znc.in"
arch="all"
@@ -14,13 +14,16 @@ pkggroups="$pkgusers"
install="$pkgname.pre-install"
subpackages="$pkgname-dev $pkgname-doc $pkgname-extra $pkgname-modtcl
$pkgname-modperl $pkgname-modpython"
-source="http://znc.in/releases/znc-$pkgver.tar.gz
+source="http://znc.in/releases/archive/znc-$pkgver.tar.gz
CVE-2019-9917.patch
+ CVE-2019-12816.patch
$pkgname.initd
$pkgname.confd"
builddir="$srcdir/znc-$pkgver"
# secfixes:
+# 1.7.1-r4:
+# - CVE-2019-12816
# 1.7.1-r3:
# - CVE-2019-9917
# 1.7.1-r0:
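Review bot: The relocated source URL keeps plain `http://znc.in/releases/archive/...`; the sha512 pin protects integrity, but a plain-HTTP fetch lets an on-path attacker substitute the archive and at least break the build, and it leaks to anyone watching which release is being built. Switch to `source="https://znc.in/releases/archive/znc-$pkgver.tar.gz"` if the host serves the archive over TLS, and move the `url="http://znc.in"` line earlier in the file along with it. The new `# 1.7.1-r4:` secfixes entry matches the added patch as far as this hunk shows.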
@@ -114,5 +117,6 @@ _mv_to_sub() {
sha512sums="907068fb0828091026d440145b70ca76109302f13c18d94f772660192434287f209a06a52da1dd39726b9a38735b3cea9afbd062eb6def4cd428bb73c562a902 znc-1.7.1.tar.gz
0c1bdb08ce5ca4b0ff8efedff9e711ffceba460594caf14aa1bfd04ca81ec2d3e2b10ed6e34960b8251f2d9d1e95ad1e9093db1aefd36beb35ff92c2e58e84f8 CVE-2019-9917.patch
+187dad0bbe90b354b746ca8dc13bcaf5781cdc86b8c94670ecfbbf2b6e99b3182b588873ec58a475ece06021265f6e7f60a73bae18b28e284387b550dc3ca65d CVE-2019-12816.patch
47f9bd00f07861e195333d2cda5b1c7386e2324a1842b890837a7936a94b65b7a269f7fee656a522ec86b58a94bd451a2a3629bd6465578681b8d0733c2c77dc znc.initd
00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd"
diff --git a/community/znc/CVE-2019-12816.patch b/community/znc/CVE-2019-12816.patch
new file mode 100644
index 0000000000..6d4d8b199d
--- /dev/null
+++ b/community/znc/CVE-2019-12816.patch
@@ -0,0 +1,103 @@
+From 8de9e376ce531fe7f3c8b0aa4876d15b479b7311 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Wed, 12 Jun 2019 08:57:29 +0100
+Subject: [PATCH] Fix remote code execution and privilege escalation
+ vulnerability.
+
+To trigger this, need to have a user already.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+
+CVE-2019-12816
+---
+ include/znc/Modules.h | 1 +
+ src/Modules.cpp | 38 +++++++++++++++++++++++++++++---------
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/include/znc/Modules.h b/include/znc/Modules.h
+index 28fdd3a62..db8f87b81 100644
+--- a/include/znc/Modules.h
++++ b/include/znc/Modules.h
+@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin {
+ private:
+ static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+ CModInfo& Info, CString& sRetMsg);
++ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
+
+ protected:
+ CUser* m_pUser;
+diff --git a/src/Modules.cpp b/src/Modules.cpp
+index 5aec7805a..d41951a8d 100644
+--- a/src/Modules.cpp
++++ b/src/Modules.cpp
+@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const {
+ return nullptr;
+ }
+
++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
++ for (unsigned int a = 0; a < sModule.length(); a++) {
++ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++ sRetMsg =
++ t_f("Module names can only contain letters, numbers and "
++ "underscores, [{1}] is invalid")(sModule);
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+ CModInfo::EModuleType eType, CUser* pUser,
+ CIRCNetwork* pNetwork, CString& sRetMsg) {
+ sRetMsg = "";
+
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ if (FindModule(sModule) != nullptr) {
+ sRetMsg = t_f("Module {1} already loaded.")(sModule);
+ return false;
+@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs,
+
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ CString sModPath, sTmp;
+
+ bool bSuccess;
+@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+ const CString& sModPath, CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ ModInfo.SetName(sModule);
+ ModInfo.SetPath(sModPath);
+
+@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath,
+ // Some sane defaults in case anything errors out below
+ sRetMsg.clear();
+
+- for (unsigned int a = 0; a < sModule.length(); a++) {
+- if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+- ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+- sRetMsg =
+- t_f("Module names can only contain letters, numbers and "
+- "underscores, [{1}] is invalid")(sModule);
+- return nullptr;
+- }
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return nullptr;
+ }
+
+ // The second argument to dlopen() has a long history. It seems clear
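Review bot: `ValidateModuleName` carries no comment saying why the allowlist must stay this strict, even though the name it validates is what OpenModule later hands to `dlopen()` (per the comment at the end of the hunk) and the fix's whole value lies in rejecting `/`, `.` and `-` before any lookup; a comment above the function such as `// Allowlist: the module name becomes part of a filesystem path passed to dlopen(), so anything outside [A-Za-z0-9_] must be rejected before any lookup or load.` would keep a future refactor from loosening it. The explicit ASCII ranges are the right choice over locale-dependent isalnum(), and that is worth stating in the same comment. Note that the empty string passes (the loop body never runs and the function returns true), and the hunk shows no separate empty check before the name reaches FindModule/OpenModule; an explicit `sModule.empty()` rejection as the first statement would close that gap. Whether other entry points that take a module name exist beyond LoadModule, GetModInfo, GetModPathInfo and OpenModule is outside the hunk.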
diff --git a/main/acf-core/APKBUILD b/main/acf-core/APKBUILD
index 35be35999b..9458ab62c1 100644
--- a/main/acf-core/APKBUILD
+++ b/main/acf-core/APKBUILD
@@ -2,8 +2,8 @@
# Maintainer: Ted Trask <ttrask01@yahoo.com>
_luaversion="5.2"
pkgname=acf-core
-pkgver=0.21.1
-pkgrel=1
+pkgver=0.21.3
+pkgrel=0
pkgdesc="A web-based system administration interface framework"
url="https://git.alpinelinux.org/cgit/acf/acf-core"
arch="noarch"
@@ -29,4 +29,4 @@ package() {
make DESTDIR="$pkgdir" install || return 1
mkdir -p "$pkgdir"/etc/acf/skins
}
-sha512sums="21cf8da93e90978c57e166abda2e2cbf922722e86bfeacabebfa16e3f94a130ef45368363d9409e063c4abeba05f6e89b5212f684202e6ef77d1f8019f822acd acf-core-0.21.1.tar.xz"
+sha512sums="89537cceaa59b8150c451db3e07510d403503703a1d4782b8c8b79c860449946d365dfcecf852e9e6ff194ab9690b52f0c19e08c8b22f840bd16f02db42b0e16 acf-core-0.21.3.tar.xz"
diff --git a/main/acf-jquery/APKBUILD b/main/acf-jquery/APKBUILD
index c55d4d1431..be4e3e9231 100644
--- a/main/acf-jquery/APKBUILD
+++ b/main/acf-jquery/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Ted Trask <ttrask01@yahoo.com>
# Maintainer: Ted Trask <ttrask01@yahoo.com>
pkgname=acf-jquery
-pkgver=0.4.2
-pkgrel=1
+pkgver=0.4.3
+pkgrel=0
pkgdesc="jquery libraries for ACF"
url="https://git.alpinelinux.org/cgit/acf/acf-jquery"
arch="noarch"
@@ -15,6 +15,4 @@ package() {
cd "$srcdir/$pkgname-$pkgver"
make DESTDIR="$pkgdir" install
}
-md5sums="b2162d8c4df46aa6a8c286eb994853fd acf-jquery-0.4.2.tar.xz"
-sha256sums="d7890f40c001cc0a0f2758a1ef157d3b74f6321f26c644f37216cd9eefc57ff7 acf-jquery-0.4.2.tar.xz"
-sha512sums="255e4351d26eba731d5a8428adfb297387d64b387f66cb0925fb881a868117b73f9486a0f88ba3dc5ac359aa53782b8added9b0455e746c210261f7d939dd263 acf-jquery-0.4.2.tar.xz"
+sha512sums="adec4facdd31cab95454095080091d32306511d1535b12c9a00788ba0d08a52abdfec1cedf1c7b024c8bafff0cbcdc01b12f23212e638162ead4363fef3e8c83 acf-jquery-0.4.3.tar.xz"
diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD
index d58bc06fb9..76e68d03a8 100644
--- a/main/alpine-base/APKBUILD
+++ b/main/alpine-base/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-base
-pkgver=3.9.4
+pkgver=3.9.6
pkgrel=0
pkgdesc="Meta package for minimal alpine base"
url="https://alpinelinux.org"
diff --git a/main/alpine-git-mirror-syncd/APKBUILD b/main/alpine-git-mirror-syncd/APKBUILD
index 72574046de..d465f2e700 100644
--- a/main/alpine-git-mirror-syncd/APKBUILD
+++ b/main/alpine-git-mirror-syncd/APKBUILD
@@ -2,14 +2,14 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=alpine-git-mirror-syncd
_shortname=git-mirror-syncd
-pkgver=0.3.0
+pkgver=0.3.1
pkgrel=0
pkgdesc="Lua script that listens on MQTT and synchronizes Git mirrors when notified about changes"
url="https://github.com/jirutka/alpine-git-mirror-syncd"
arch="noarch"
license="MIT"
depends="ca-certificates git lua5.1 lua5.1-cjson lua5.1-mosquitto"
-source="$pkgname-$pkgver.tar.gz::https://github.com/jirutka/$pkgname/archive/v$pkgver.tar.gz"
+source="https://github.com/jirutka/$pkgname/archive/v$pkgver/$pkgname-$pkgver.tar.gz"
builddir="$srcdir/$pkgname-$pkgver"
options="!check" # upstream does not provide any tests yet
@@ -28,4 +28,4 @@ package() {
install -D -m 644 etc/conf.d/$_shortname "$pkgdir"/etc/conf.d/$_shortname
}
-sha512sums="714deff8915eefbc48f6786d3142f75a8befbd48f6bf1e20ba369fd66e5e1c41c7226972b199b736c43fa70728142daf6ae26f211c0b37ac87d4a2d2f959f8f1 alpine-git-mirror-syncd-0.3.0.tar.gz"
+sha512sums="ec85f1907d23332c9342aa6e44edc9591fdd5f77501de7df39abdacff7482d942aa499ba70152b461f7ec2d77f72279710e55d14def483b69bdc39651b272008 alpine-git-mirror-syncd-0.3.1.tar.gz"
diff --git a/main/ansible/APKBUILD b/main/ansible/APKBUILD
index e23d0826f9..385db4691f 100644
--- a/main/ansible/APKBUILD
+++ b/main/ansible/APKBUILD
@@ -3,26 +3,59 @@
# Contributor: Takuya Noguchi <takninnovationresearch@gmail.com>
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=ansible
-pkgver=2.7.0
-pkgrel=1
+pkgver=2.7.17
+pkgrel=0
pkgdesc="A configuration-management, deployment, task-execution, and multinode orchestration framework"
-url="https://ansible.com"
+url="https://ansible.com/"
arch="noarch"
license="GPL-3.0-or-later"
_py=py3
depends="python3 $_py-yaml $_py-paramiko $_py-jinja2 $_py-markupsafe $_py-crypto"
-makedepends="python2-dev py-setuptools"
+makedepends="python3-dev py3-setuptools"
+options="!check" # not included in release tarball
subpackages="$pkgname-doc"
-source="$pkgname-$pkgver.tar.gz::https://releases.ansible.com/ansible/$pkgname-$pkgver.tar.gz
+source="https://releases.ansible.com/ansible/ansible-$pkgver.tar.gz
add-lxc-container_shell-option.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.7.17-r0:
+# - CVE-2019-3828
+# - CVE-2020-1733
+# - CVE-2020-1737
+# - CVE-2020-1739
+# - CVE-2020-1740
+# - CVE-2020-1746
+# 2.7.16-r0:
+# - CVE-2019-14864
+# - CVE-2019-14904
+# - CVE-2019-14905
+# 2.7.14-r0:
+# - CVE-2019-14846
+# - CVE-2019-14856
+# - CVE-2019-14858
+# 2.7.13-r0:
+# - CVE-2019-10206
+# 2.7.12-r0:
+# - CVE-2019-101562
+# 2.7.8-r0:
+# - CVE-2019-38287
+# 2.7.5-r0:
+# - CVE-2018-16876
+# 2.7.3-r0:
+# - CVE-2018-16859
+# 2.7.1-r0:
+# - CVE-2018-16837
# 2.6.3-r0:
# - CVE-2018-10875
+prepare() {
+ # Windows-only scripts
+ rm -r examples/scripts
+}
+
build() {
cd "$builddir"
python3 setup.py build
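Review bot: The new `prepare()` near the bottom of the hunk overrides abuild's default prepare step without calling it, so `add-lxc-container_shell-option.patch` — still listed in `source=` and in the sha512sums below — is never applied to the 2.7.17 tree; make `default_prepare` the first statement: `prepare() {`, `default_prepare`, `rm -r examples/scripts`, `}`. The secfixes entries `CVE-2019-101562` and `CVE-2019-38287` do not look like real identifiers; they resemble CVE-2019-10156 and CVE-2019-3828 (the latter already appears under 2.7.17-r0) with a stray trailing digit, and since the Alpine secdb is generated from these comments, verify them against the upstream Ansible advisories before merging. `build()` continues past the end of the hunk.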
@@ -42,5 +75,5 @@ package() {
install -m644 README.rst "$pkgdir"/usr/share/doc/$pkgname
}
-sha512sums="a5e0e0b87bb2fa8fbc76825733a5c6afe642d4602be80466e5f28324e90be4487fd1c300e567a164222f171bd9eac65b7b36ca9b6fe4bebfcbd2c24dd60049ad ansible-2.7.0.tar.gz
+sha512sums="387ee26381d120e8b1a77a5251686831fefb47213dce4a1f0aee714e6c6e2a94f1bf283ef2bcf3d79940552407fff7d86453968f1aa5a866f013d396948ccc0f ansible-2.7.17.tar.gz
e1bd1affec585abf4556d1f2598df2689c2341fc0ddaec3eadc0a9c6df5725b8ab97092771f2c57da6ecaa72ae1bb5e5ccce55db8c4d74bfc785f611dd5b8c32 add-lxc-container_shell-option.patch"
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index f4e9180d3f..259166b50e 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.39
+pkgver=2.4.46
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
@@ -51,6 +51,20 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.46-r0:
+# - CVE-2020-9490
+# - CVE-2020-11984
+# - CVE-2020-11993
+# 2.4.43-r0:
+# - CVE-2020-1927
+# - CVE-2020-1934
+# 2.4.41-r0:
+# - CVE-2019-9517
+# - CVE-2019-10081
+# - CVE-2019-10082
+# - CVE-2019-10092
+# - CVE-2019-10097
+# - CVE-2019-10098
# 2.4.39-r0:
# - CVE-2019-0196
# - CVE-2019-0197
@@ -337,7 +351,7 @@ _lua() {
"$subpkgdir"/usr/lib/apache2/
_load_mods
}
-sha512sums="9742202040b3dc6344b301540f54b2d3f8e36898410d24206a7f8dcecb1bea7d7230fabc7256752724558af249facf64bffe2cf678b8f7cccb64076737abfda7 httpd-2.4.39.tar.bz2
+sha512sums="5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
diff --git a/main/aspell/APKBUILD b/main/aspell/APKBUILD
index 208b251e7e..358b2ac985 100644
--- a/main/aspell/APKBUILD
+++ b/main/aspell/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=aspell
pkgver=0.60.6.1
-pkgrel=13
+pkgrel=14
pkgdesc="A spell checker designed to eventually replace Ispell"
url="http://aspell.net/"
arch="all"
@@ -15,9 +15,14 @@ makedepends="ncurses-dev perl gettext-dev"
install=
source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
0001-Compile-Fixes-for-GCC-7.patch
+ CVE-2019-17544.patch
"
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 0.60.6.1-r14:
+# - CVE-2019-17544
+
prepare() {
cd "$builddir"
default_prepare
@@ -70,4 +75,5 @@ libs() {
}
sha512sums="f310c7590be98406589b5c26ca36a2ecfe4733f0b40fd6c176b96b7955ef2b5cd0ec9a3d770cf132146ae7a896042b4b698945112995ee1ae66adcfa5542247f aspell-0.60.6.1.tar.gz
-05875eca05d3b5ba9b7577f193fd8b0a2a372b4392f7a7901aee250bacbde924622e27278dc50582be684ed5d289968a98ee70ae0d9f6cb44a50ed454805c58a 0001-Compile-Fixes-for-GCC-7.patch"
+05875eca05d3b5ba9b7577f193fd8b0a2a372b4392f7a7901aee250bacbde924622e27278dc50582be684ed5d289968a98ee70ae0d9f6cb44a50ed454805c58a 0001-Compile-Fixes-for-GCC-7.patch
+8df739702cc7591344359721eb7fff247b02404a60666cc94b1e8da063c711d87df5f97dcf22af05efdb54f4e2a38bbc0b6b2bb60386fc6e9c68e15fe2fa9535 CVE-2019-17544.patch"
diff --git a/main/aspell/CVE-2019-17544.patch b/main/aspell/CVE-2019-17544.patch
new file mode 100644
index 0000000000..5bdb439151
--- /dev/null
+++ b/main/aspell/CVE-2019-17544.patch
@@ -0,0 +1,39 @@
+diff --git a/common/config.cpp b/common/config.cpp
+index b1e919b..51486a7 100644
+--- a/common/config.cpp
++++ b/common/config.cpp
+@@ -763,7 +763,7 @@ namespace acommon {
+ }
+ res.append(':');
+ }
+- if (res.back() == ':') res.pop_back();
++ if (!res.empty() && res.back() == ':') res.pop_back();
+ }
+
+ struct ListAddHelper : public AddableContainer
+diff --git a/common/file_util.cpp b/common/file_util.cpp
+index 8515832..56ea501 100644
+--- a/common/file_util.cpp
++++ b/common/file_util.cpp
+@@ -181,6 +181,7 @@ namespace acommon {
+ while ( (dir = els.next()) != 0 )
+ {
+ path = dir;
++ if (path.empty()) continue;
+ if (path.back() != '/') path += '/';
+ unsigned dir_len = path.size();
+ path += filename;
+diff --git a/common/getdata.cpp b/common/getdata.cpp
+index 7e822c9..1b04823 100644
+--- a/common/getdata.cpp
++++ b/common/getdata.cpp
+@@ -64,7 +64,7 @@ namespace acommon {
+ char * unescape(char * dest, const char * src)
+ {
+ while (*src) {
+- if (*src == '\\') {
++ if (*src == '\\' && src[1]) {
+ ++src;
+ switch (*src) {
+ case 'n': *dest = '\n'; break;
+
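Review bot: The patch carries no provenance header — no upstream aspell commit, release or issue reference — unlike the bluez patch in this same commit, so a reviewer cannot confirm that these three hunks are the complete upstream CVE-2019-17544 fix rather than a partial backport; add a top comment naming the upstream commit it was taken from. The `unescape` change routes a trailing lone backslash into the `else` branch that lies outside the hunk, so whether that byte is then copied or dropped cannot be judged from here.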
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD
index dec1233503..c65ec86dd3 100644
--- a/main/asterisk/APKBUILD
+++ b/main/asterisk/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Timo Teras <timo.teras@iki.fi>
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=asterisk
-pkgver=15.7.1
+pkgver=15.7.4
pkgrel=0
pkgdesc="Asterisk: A Module Open Source PBX System"
pkgusers="asterisk"
@@ -38,6 +38,15 @@ source="$_download/asterisk-$pkgver.tar.gz
builddir="$srcdir/$pkgname-${pkgver/_/-}"
+# secfixes:
+# 15.7.4-r0:
+# - CVE-2019-7251
+# - CVE-2019-12827
+# - CVE-2019-13161
+# - CVE-2019-15297
+# 15.7.1-r0:
+# - CVE-2018-19278
+
prepare() {
default_prepare
update_config_sub
@@ -223,7 +232,7 @@ sound_en() {
chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
}
-sha512sums="1e4672c8a9fed70c2b4cfd3533805c662078663241cf97bea5c19aa33fec9841b062ca99e749dac3e230e60b781c675847dd6aee6576cb585868f793ca256c08 asterisk-15.7.1.tar.gz
+sha512sums="fe6fe24daad5b09f2eea1ba8b69a28cdf2149c334038387491fef2215aa2c8051190648f14f3db09b024d80fdfa27b0693289d4e5bdc1fbe4733eed94893f79b asterisk-15.7.4.tar.gz
aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
f72c2e04de80d3ed9ce841308101383a1655e6da7a3c888ad31fffe63d1280993e08aefcf8e638316d439c68b38ee05362c87503fca1f36343976a01af9d6eb1 musl-mutex-init.patch
c76a882588194372d0c45a2bd1a9a946543f2dc07fde9240b3e600682e9737337c7602da35bfaeddb4d9fe568daa668016237c6f7986e7c44cf5a8dbba291e1f asterisk-mariadb.patch
diff --git a/main/avahi/APKBUILD b/main/avahi/APKBUILD
index db7e8135a4..2784482032 100644
--- a/main/avahi/APKBUILD
+++ b/main/avahi/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=avahi
pkgver=0.7
-pkgrel=1
+pkgrel=2
pkgdesc="A multicast/unicast DNS-SD framework"
url="https://www.avahi.org/"
arch="all"
@@ -17,9 +17,16 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-tools $pkgname-glib
$pkgname-libs $pkgname-compat-howl:howl
$pkgname-compat-libdns_sd:lidns_sd $pkgname-lang
py2-avahi:_py2:noarch"
-source="https://github.com/lathiat/avahi/releases/download/v$pkgver/avahi-$pkgver.tar.gz"
+source="https://github.com/lathiat/avahi/releases/download/v$pkgver/avahi-$pkgver.tar.gz
+ CVE-2017-6519-and-CVE-2018-1000845.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 0.7-r2:
+# - CVE-2017-6519
+# - CVE-2018-1000845
+
prepare() {
default_prepare
autoreconf -vif
@@ -128,4 +135,5 @@ _py2() {
mv "$pkgdir"/usr/lib/python2.* "$subpkgdir"/usr/lib/
}
-sha512sums="bae5a1e9204aca90b90e7fd223d19e809e3514d03ba5fa2da1e55bf1d72d3d3b98567f357900c36393613dc17dc98e15ff3ebf0f226f2f6b9766e592452a6ce7 avahi-0.7.tar.gz"
+sha512sums="bae5a1e9204aca90b90e7fd223d19e809e3514d03ba5fa2da1e55bf1d72d3d3b98567f357900c36393613dc17dc98e15ff3ebf0f226f2f6b9766e592452a6ce7 avahi-0.7.tar.gz
+dc5c9fde8d1244e70e3cf1c09bc274b094458d2fad982f5a79bcbf3cbddc43a0cf79e9ba106b3b0446a6f0b006fd3beeee48a03bd3d8a06cf8d9821f6945ffed CVE-2017-6519-and-CVE-2018-1000845.patch"
diff --git a/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch b/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch
new file mode 100644
index 0000000000..513489fa5b
--- /dev/null
+++ b/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch
@@ -0,0 +1,27 @@
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index a2cb19a..a2580e3 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+
+ if (avahi_dns_packet_is_query(p)) {
+ int legacy_unicast = 0;
++ char t[AVAHI_ADDRESS_STR_MAX];
+
+ /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
+ * AR section completely here, so far. Until the day we add
+@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ legacy_unicast = 1;
+ }
+
++ if (!is_mdns_mcast_address(dst_address) &&
++ !avahi_interface_address_on_link(i, src_address)) {
++
++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
++ return;
++ }
++
+ if (legacy_unicast)
+ reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
+
+
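Review bot: The patch file name claims to cover two CVEs but the patch itself has no header naming the upstream avahi commit(s) it was taken from, so the mapping cannot be audited; add a provenance comment like the one the bluez patch in this commit carries. The new on-link check in `dispatch_packet` calls `is_mdns_mcast_address(dst_address)` unconditionally, so it only holds if every caller supplies a non-NULL `dst_address`; that is decided outside the hunk and is worth confirming. The rest of `dispatch_packet` lies outside the hunk.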
diff --git a/main/awall/APKBUILD b/main/awall/APKBUILD
index aff081620c..1673c101ea 100644
--- a/main/awall/APKBUILD
+++ b/main/awall/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
# Maintainer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
pkgname=awall
-pkgver=1.6.9
+pkgver=1.6.12
pkgrel=0
pkgdesc="Alpine Wall"
url="https://git.alpinelinux.org/cgit/awall/"
@@ -52,5 +52,5 @@ policies() {
install -D "$srcdir"/setup-firewall "$subpkgdir"/usr/sbin/setup-firewall
}
-sha512sums="9dd5c641a5c9469dbbe280ffd5283bb0a62203bcc07538d79f3154c118438ea2edd24636b39d92113dc8ca6994d02c7b14e9f136b48bff20808e4c35b6d68880 awall-1.6.9.tar.xz
+sha512sums="bfb0e9a73e0196d95419d4fef0e27357e7caf62c866c9521b7a529a8e778a0ebfe94d48b3a8272da4575ebeb908dd95074ce13da735d319d0ec08276b4838d44 awall-1.6.12.tar.xz
c9307fe9d8d7cb64e20c3eb301628b6b57e3ccfa104bbe0f08204b4ee49214dcd67b81124094e35ff19603e19363b864140658f3b5138bb02dcff1670a068bd4 setup-firewall"
diff --git a/main/axel/APKBUILD b/main/axel/APKBUILD
index 0e96319282..373726aa57 100644
--- a/main/axel/APKBUILD
+++ b/main/axel/APKBUILD
@@ -2,18 +2,32 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=axel
pkgver=2.16.1
-pkgrel=2
+pkgrel=3
pkgdesc="A multiple-connection concurrent downloader"
url="https://github.com/axel-download-accelerator/axel"
arch="all"
options="!check" # has no checks
license="GPL-2.0-or-later"
-makedepends="openssl-dev"
+makedepends="openssl-dev automake autoconf libtool gettext-dev"
subpackages="$pkgname-doc"
-source="$url/releases/download/v$pkgver/axel-$pkgver.tar.xz"
+source="$url/releases/download/v$pkgver/axel-$pkgver.tar.xz
+ CVE-2020-13614.patch
+ "
+
+# secfixes:
+# 2.16.1-r3:
+# - CVE-2020-13614
builddir="$srcdir/$pkgname-$pkgver"
+prepare() {
+ default_prepare
+
+ # We need to regenerate the configure script because the CVE-2020-13614
+ # modifies src/Makefile.am
+ autoreconf -fi
+}
+
build() {
cd "$builddir"
./configure \
@@ -32,4 +46,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="a263b6926acb6acf16353d0d02464d48ad89c18dd3328b84273c26cdb23cb7323084a8204a5c6ad163ad5352136cb1709c6734d4fec9bc1c514174dbbb3c5dab axel-2.16.1.tar.xz"
+sha512sums="a263b6926acb6acf16353d0d02464d48ad89c18dd3328b84273c26cdb23cb7323084a8204a5c6ad163ad5352136cb1709c6734d4fec9bc1c514174dbbb3c5dab axel-2.16.1.tar.xz
+b5365d6ccb3453d4e1d70e8cf734e9d6723e412904427d8bbee5e409511864c7a9970343c9a9c9cbfb86032a54ab78579ca180094e18f4b53028116b669b4cb5 CVE-2020-13614.patch"
diff --git a/main/axel/CVE-2020-13614.patch b/main/axel/CVE-2020-13614.patch
new file mode 100644
index 0000000000..f23b705e16
--- /dev/null
+++ b/main/axel/CVE-2020-13614.patch
@@ -0,0 +1,223 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 6269979..a56b4dd 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -14,6 +14,7 @@ axel_SOURCES = \
+ search.c \
+ search.h \
+ ssl.c \
++ ssl_verify.c \
+ ssl.h \
+ tcp.c \
+ tcp.h \
+diff --git a/src/ssl.c b/src/ssl.c
+index c05f238..0859b76 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -70,7 +70,7 @@ ssl_startup(void)
+ SSL *
+ ssl_connect(int fd, char *hostname, char *message)
+ {
+-
++ X509 *server_cert;
+ SSL_CTX *ssl_ctx;
+ SSL *ssl;
+
+@@ -91,9 +91,33 @@ ssl_connect(int fd, char *hostname, char *message)
+ if (err <= 0) {
+ sprintf(message, _("SSL error: %s\n"),
+ ERR_reason_error_string(ERR_get_error()));
++ SSL_CTX_free(ssl_ctx);
++ return NULL;
++ }
++
++ err = SSL_get_verify_result(ssl);
++ if (err != X509_V_OK) {
++ fprintf(stderr, _("SSL error: Certificate error"));
++ SSL_CTX_free(ssl_ctx);
+ return NULL;
+ }
+
++ server_cert = SSL_get_peer_certificate(ssl);
++ if (server_cert == NULL) {
++ fprintf(stderr, _("SSL error: Certificate not found"));
++ SSL_CTX_free(ssl_ctx);
++ return NULL;
++ }
++
++ if (!ssl_validate_hostname(hostname, server_cert)) {
++ fprintf(stderr, _("SSL error: Hostname verification failed"));
++ X509_free(server_cert);
++ SSL_CTX_free(ssl_ctx);
++ return NULL;
++ }
++
++ X509_free(server_cert);
++
+ return ssl;
+ }
+
+diff --git a/src/ssl.h b/src/ssl.h
+index cc00eaf..64fb933 100644
+--- a/src/ssl.h
++++ b/src/ssl.h
+@@ -44,5 +44,6 @@
+ void ssl_init(conf_t *conf);
+ SSL *ssl_connect(int fd, char *hostname, char *message);
+ void ssl_disconnect(SSL *ssl);
++bool ssl_validate_hostname(const char *hostname, const X509 *server_cert);
+
+ #endif /* AXEL_SSL_H */
+diff --git a/src/ssl_verify.c b/src/ssl_verify.c
+new file mode 100644
+index 0000000..8a67a3c
+--- /dev/null
++++ b/src/ssl_verify.c
+@@ -0,0 +1,147 @@
++/*
++ Helper functions to perform basic hostname validation using OpenSSL.
++
++ Author: Alban Diquet
++ Copyright (C) 2012, iSEC Partners.
++
++ Permission is hereby granted, free of charge, to any person obtaining a copy of
++ this software and associated documentation files (the "Software"), to deal in
++ the Software without restriction, including without limitation the rights to
++ use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
++ of the Software, and to permit persons to whom the Software is furnished to do
++ so, subject to the following conditions:
++
++ The above copyright notice and this permission notice shall be included in all
++ copies or substantial portions of the Software.
++
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++ SOFTWARE.
++ */
++
++#include "axel.h"
++
++#ifdef HAVE_SSL
++
++#include <openssl/ssl.h>
++#include <openssl/x509v3.h>
++
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++#define ASN1_STRING_data_compat ASN1_STRING_data
++#else
++#define ASN1_STRING_data_compat ASN1_STRING_get0_data
++#endif
++
++typedef enum {
++ MatchFound,
++ MatchNotFound,
++ NoSANPresent,
++ MalformedCertificate,
++ Error
++} validate_result;
++
++static validate_result
++ssl_matches_common_name(const char *hostname, const X509 *server_cert)
++{
++ int common_name_loc = -1;
++ X509_NAME_ENTRY *common_name_entry = NULL;
++ ASN1_STRING *common_name_asn1 = NULL;
++ char *common_name_str = NULL;
++
++ // Find the position of the CN field in the Subject field of the certificate
++ common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
++ if (common_name_loc < 0) {
++ return Error;
++ }
++
++ // Extract the CN field
++ common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
++ if (common_name_entry == NULL) {
++ return Error;
++ }
++
++ // Convert the CN field to a C string
++ common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
++ if (common_name_asn1 == NULL) {
++ return Error;
++ }
++ common_name_str = (char *) ASN1_STRING_data_compat(common_name_asn1);
++
++ // Make sure there isn't an embedded NUL character in the CN
++ if ((size_t) ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
++ return MalformedCertificate;
++ }
++
++ // Compare expected hostname with the CN
++ if (strcasecmp(hostname, common_name_str) == 0) {
++ return MatchFound;
++ } else {
++ return MatchNotFound;
++ }
++}
++
++static validate_result
++ssl_matches_subject_alternative_name(const char *hostname, const X509 *server_cert)
++{
++ validate_result result = MatchNotFound;
++ int i;
++ int san_names_nb = -1;
++ STACK_OF(GENERAL_NAME) *san_names = NULL;
++
++ // Try to extract the names within the SAN extension from the certificate
++ san_names = X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL);
++ if (san_names == NULL) {
++ return NoSANPresent;
++ }
++ san_names_nb = sk_GENERAL_NAME_num(san_names);
++
++ // Check each name within the extension
++ for (i = 0; i < san_names_nb; i++) {
++ const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
++
++ if (current_name->type == GEN_DNS) {
++ // Current name is a DNS name, let's check it
++ char *dns_name = (char *) ASN1_STRING_data_compat(current_name->d.dNSName);
++
++ // Make sure there isn't an embedded NUL character in the DNS name
++ if ((size_t) ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
++ result = MalformedCertificate;
++ break;
++ } else {
++ // Compare expected hostname with the DNS name
++ if (strcasecmp(hostname, dns_name) == 0) {
++ result = MatchFound;
++ break;
++ }
++ }
++ }
++ }
++ sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
++
++ return result;
++}
++
++bool
++ssl_validate_hostname(const char *hostname, const X509 *server_cert)
++{
++ validate_result result;
++
++ if ((hostname == NULL) || (server_cert == NULL)) {
++ return false;
++ }
++
++ // First try the Subject Alternative Names extension
++ result = ssl_matches_subject_alternative_name(hostname, server_cert);
++ if (result == NoSANPresent) {
++ // Extension was not found: try the Common Name
++ result = ssl_matches_common_name(hostname, server_cert);
++ }
++
++ return result == MatchFound;
++}
++
++#endif /* HAVE_SSL */
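Review bot: `ssl_validate_hostname` compares names with a plain `strcasecmp`, so a certificate with a wildcard SAN (`*.example.com`) or an IP-address SAN never matches and every such download now fails; since the patch already targets OpenSSL 1.1.x (`OPENSSL_VERSION_NUMBER` check), prefer `SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); SSL_set1_host(ssl, hostname);` before `SSL_connect` and let `SSL_get_verify_result` cover name matching with RFC 6125 semantics (`X509_VERIFY_PARAM_set1_host` on 1.0.2). `SSL_get_verify_result` only means something if `ssl_init`/`ssl_ctx` loads a trust store and verify mode, which is outside the hunk — please confirm. Every new early return in `ssl_connect` frees only the context; `ssl` (created between the two hunks) is never `SSL_free`d, and `SSL_CTX_free` merely drops one reference that the SSL object still holds. The first failure reports through the caller's `message` buffer while the three new ones `fprintf` to stderr, so callers that display `message` will show nothing for a certificate failure; write the new errors into `message` as well.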
diff --git a/main/bluez/APKBUILD b/main/bluez/APKBUILD
index 83432cadc7..7a6788eacb 100644
--- a/main/bluez/APKBUILD
+++ b/main/bluez/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bluez
pkgver=5.50
-pkgrel=0
+pkgrel=1
pkgdesc="Tools for the Bluetooth protocol stack"
url="http://www.bluez.org/"
arch="all"
@@ -24,9 +24,14 @@ source="https://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz
bluez-5.40-obexd_without_systemd-1.patch
disable-lock-test.patch
fix-endianness.patch
+ CVE-2020-0556.patch
"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 5.50-r1:
+# - CVE-2020-0556
+
build() {
cd "$builddir"
./configure \
@@ -110,7 +115,6 @@ obexd() {
mkdir -p "$subpkgdir"/usr/lib/bluetooth
mv "$pkgdir"/usr/lib/bluetooth/obexd "$subpkgdir"/usr/lib/bluetooth
}
-
sha512sums="64a680e4b3c270bc2439610c91ad2aef36131d84401e4bbdf6c2b7ec8708a19dfc942b31b9189c38a97ca072c761c669ae1aace5f4ff5d06de3ccbf33184be45 bluez-5.50.tar.xz
fc43c78ed248ea412529eed5ae8bb47bacca9bf5b3b10de121ddd4e792c85893561a88be4aa2c6318106e5d2146a721445152d44fa60ca257ca0b4eb87318c1e bluetooth.initd
8d7b7c8938a2316ce0a855e9bdf1ef8fcdf33d23f4011df828270a088b88b140a19c432e83fef15355d0829e3c86be05b63e7718fef88563254ea239b8dc12ac rfcomm.initd
@@ -121,4 +125,5 @@ d5fd1c962bd846eaa6fff879bab85f753eb367d514f82d133b5d3242e1da989af5eddd942c60a87d
42ac04044a8c66e07487598b3a75ef52efc32999ebce4e7c63f6198e2f603f4a1442e74600e43a0938cb4f52d4db0298aa99050b18144b84990cda71748e9de5 004-Move-the-43xx-firmware-into-lib-firmware.patch
41ce7ccf78cca97563f0ef31e01dac6eb4484c24fe57be360b5e8de8c5bff5845e9d395766f891bd3f123788344456c88c9fc00cd1bb7c6a1dca89d09f19172b bluez-5.40-obexd_without_systemd-1.patch
04c4889372c8e790bb338dde7ffa76dc32fcf7370025c71b9184fcf17fd01ade4a6613d84d648303af3bbc54043ad489f29fc0cd4679ec8c9029dcb846d7e026 disable-lock-test.patch
-118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch"
+118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch
+1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch"
diff --git a/main/bluez/CVE-2020-0556.patch b/main/bluez/CVE-2020-0556.patch
new file mode 100644
index 0000000000..c22af03bf5
--- /dev/null
+++ b/main/bluez/CVE-2020-0556.patch
@@ -0,0 +1,188 @@
+This is the result of applying the following 4 commits in the order presented:
+
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index a711ef5..075b139 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -92,6 +92,7 @@ struct input_device {
+
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
++static bool classic_bonded_only = false;
+
+ void input_set_idle_timeout(int timeout)
+ {
+@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
+ uhid_enabled = state;
+ }
+
++void input_set_classic_bonded_only(bool state)
++{
++ classic_bonded_only = state;
++}
++
+ static void input_device_enter_reconnect_mode(struct input_device *idev);
+ static int connection_disconnect(struct input_device *idev, uint32_t flags);
+
+@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
+ if (device_name_known(idev->device))
+ device_get_name(idev->device, req->name, sizeof(req->name));
+
++ /* Make sure the device is bonded if required */
++ if (classic_bonded_only && !device_is_bonded(idev->device,
++ btd_device_get_bdaddr_type(idev->device))) {
++ error("Rejected connection from !bonded device %s", dst_addr);
++ goto cleanup;
++ }
++
+ /* Encryption is mandatory for keyboards */
+- if (req->subclass & 0x40) {
++ /* Some platforms may choose to require encryption for all devices */
++ /* Note that this only matters for pre 2.1 devices as otherwise the */
++ /* device is encrypted by default by the lower layers */
++ if (classic_bonded_only || req->subclass & 0x40) {
+ if (!bt_io_set(idev->intr_io, &gerr,
+ BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+ BT_IO_OPT_INVALID)) {
+@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
+ DBG("path=%s reconnect_mode=%s", idev->path,
+ reconnect_mode_to_string(idev->reconnect_mode));
+
++ /* Make sure the device is bonded if required */
++ if (classic_bonded_only && !device_is_bonded(idev->device,
++ btd_device_get_bdaddr_type(idev->device)))
++ return;
++
+ /* Only attempt an auto-reconnect when the device is required to
+ * accept reconnections from the host.
+ */
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 51a9aee..5a077f9 100644
+--- a/profiles/input/device.h
++++ b/profiles/input/device.h
+@@ -29,6 +29,8 @@ struct input_conn;
+
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
++void input_set_classic_bonded_only(bool state);
++void input_set_auto_sec(bool state);
+
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index 83c017d..327a1d1 100644
+--- a/profiles/input/hog.c
++++ b/profiles/input/hog.c
+@@ -49,8 +49,11 @@
+ #include "src/shared/util.h"
+ #include "src/shared/uhid.h"
+ #include "src/shared/queue.h"
++#include "src/shared/att.h"
++#include "src/shared/gatt-client.h"
+ #include "src/plugin.h"
+
++#include "device.h"
+ #include "suspend.h"
+ #include "attrib/att.h"
+ #include "attrib/gattrib.h"
+@@ -65,8 +68,14 @@ struct hog_device {
+ };
+
+ static gboolean suspend_supported = FALSE;
++static bool auto_sec = true;
+ static struct queue *devices = NULL;
+
++void input_set_auto_sec(bool state)
++{
++ auto_sec = state;
++}
++
+ static void hog_device_accept(struct hog_device *dev, struct gatt_db *db)
+ {
+ char name[248];
+@@ -186,6 +195,19 @@ static int hog_accept(struct btd_service *service)
+ return -EINVAL;
+ }
+
++ /* HOGP 1.0 Section 6.1 requires bonding */
++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
++ struct bt_gatt_client *client;
++
++ if (!auto_sec)
++ return -ECONNREFUSED;
++
++ client = btd_device_get_gatt_client(device);
++ if (!bt_gatt_client_set_security(client,
++ BT_ATT_SECURITY_MEDIUM))
++ return -ECONNREFUSED;
++ }
++
+ /* TODO: Replace GAttrib with bt_gatt_client */
+ bt_hog_attach(dev->hog, attrib);
+
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 3e1d65a..4c70bc5 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -11,3 +11,16 @@
+ # Enable HID protocol handling in userspace input profile
+ # Defaults to false (HIDP handled in HIDP kernel module)
+ #UserspaceHID=true
++
++# Limit HID connections to bonded devices
++# The HID Profile does not specify that devices must be bonded, however some
++# platforms may want to make sure that input connections only come from bonded
++# device connections. Several older mice have been known for not supporting
++# pairing/encryption.
++# Defaults to false to maximize device compatibility.
++#ClassicBondedOnly=true
++
++# LE upgrade security
++# Enables upgrades of security automatically if required.
++# Defaults to true to maximize device compatibility.
++#LEAutoSecurity=true
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 1d31b06..bf4acb4 100644
+--- a/profiles/input/manager.c
++++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ config = load_config_file(CONFIGDIR "/input.conf");
+ if (config) {
+ int idle_timeout;
+- gboolean uhid_enabled;
++ gboolean uhid_enabled, classic_bonded_only, auto_sec;
+
+ idle_timeout = g_key_file_get_integer(config, "General",
+ "IdleTimeout", &err);
+@@ -114,6 +114,26 @@ static int input_init(void)
+ input_enable_userspace_hid(uhid_enabled);
+ } else
+ g_clear_error(&err);
++
++ classic_bonded_only = g_key_file_get_boolean(config, "General",
++ "ClassicBondedOnly", &err);
++
++ if (!err) {
++ DBG("input.conf: ClassicBondedOnly=%s",
++ classic_bonded_only ? "true" : "false");
++ input_set_classic_bonded_only(classic_bonded_only);
++ } else
++ g_clear_error(&err);
++
++ auto_sec = g_key_file_get_boolean(config, "General",
++ "LEAutoSecurity", &err);
++ if (!err) {
++ DBG("input.conf: LEAutoSecurity=%s",
++ auto_sec ? "true" : "false");
++ input_set_auto_sec(auto_sec);
++ } else
++ g_clear_error(&err);
++
+ }
+
+ btd_profile_register(&input_profile);
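Review bot: The bonded-only guard added to `hidp_add_connection` and `input_device_enter_reconnect_mode` fires only when `classic_bonded_only` is set, and the new `input.conf` text defaults it to false, so on this package the CVE-2020-0556 mitigation for classic (BR/EDR) HID devices is opt-in; only the LE HOG path (`auto_sec`, default true) is hardened out of the box. The bluez APKBUILD hunk in this commit ships no `input.conf` change, so either install a config with `ClassicBondedOnly=true` or state in the commit/secfixes note that administrators must set it themselves. `dst_addr` in the new `error()` call is presumably a local of `hidp_add_connection` declared before the hunk — confirm it is populated at that point. The four upstream commit references in the header are exactly what the other new patches in this commit lack; keep them.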
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 46fca6c603..a4a135b086 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -53,6 +53,8 @@ source="https://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
# 1.29.3-r10:
# - CVE-2018-20679
# - CVE-2019-5747
+# 1.28.3-r2:
+# - CVE-2018-1000500
# 1.27.2-r4:
# - CVE-2017-16544
# - CVE-2017-15873
diff --git a/main/ca-certificates/0003-update-ca-insert-newline-between-certs.patch b/main/ca-certificates/0003-update-ca-insert-newline-between-certs.patch
new file mode 100644
index 0000000000..4a945a076b
--- /dev/null
+++ b/main/ca-certificates/0003-update-ca-insert-newline-between-certs.patch
@@ -0,0 +1,38 @@
+From fd399b2416191bd7f3b0f267bdb530ed829de271 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Wed, 5 Feb 2020 17:40:57 +0100
+Subject: [PATCH 3/3] update-ca: insert newline between certs
+
+There may be certificates that lack a trailing newline, which is allowed
+in the certificate format. We work around that by inject a newline after
+each cert.
+
+see https://gitlab.alpinelinux.org/alpine/aports/issues/8379
+---
+ update-ca.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/update-ca.c b/update-ca.c
+index 2b3195b..0260f83 100644
+--- a/update-ca.c
++++ b/update-ca.c
+@@ -191,6 +191,7 @@ static void proc_localglobaldir(const char *fullpath, struct hash *h, int tmpfil
+ fprintf(stderr, "Warning! Cannot hash: %s\n", fullpath);
+ if (!copyfile(fullpath, tmpfile_fd))
+ fprintf(stderr, "Warning! Cannot copy to bundle: %s\n", fullpath);
++ write(tmpfile_fd, "\n", 1);
+ free(actual_file);
+ }
+
+@@ -260,7 +261,7 @@ static bool dir_readfiles(struct hash* d, const char* path,
+ DIR *dp = opendir(path);
+ if (!dp)
+ return false;
+-
++
+ struct dirent *dirp;
+ while ((dirp = readdir(dp)) != NULL) {
+ if (str_begins(dirp->d_name, "."))
+--
+2.25.0
+
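Review bot: The `write(tmpfile_fd, "\n", 1)` added to `proc_localglobaldir` ignores its return value, so a short or failed write silently reproduces the concatenation bug the patch is fixing and trips `-Wunused-result`; mirror the surrounding warning style with `if (write(tmpfile_fd, "\n", 1) != 1) fprintf(stderr, "Warning! Cannot write to bundle: %s\n", fullpath);`. The newline is also written when `copyfile` failed, which is harmless but could be folded into the success branch. The second hunk in `dir_readfiles` is a trailing-whitespace-only change unrelated to the fix and should not ride along in a targeted patch. Both functions extend outside the hunk.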
diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD
index a8a1b5456e..b3d7084abc 100644
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
@@ -2,9 +2,9 @@
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ca-certificates
-pkgver=20190108
-pkgrel=0
-pkgdesc="Common CA certificates PEM files"
+pkgver=20191127
+pkgrel=2
+pkgdesc="Common CA certificates PEM files from Mozilla"
url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
arch="all"
license="MPL-2.0 GPL-2.0-or-later"
@@ -16,12 +16,16 @@ replaces="libcrypto1.0 openssl openssl1.0"
options="!fhs !check"
triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs:/etc/ca-certificates/update.d"
install="$pkgname.post-deinstall"
-source="https://git.alpinelinux.org/ca-certificates/snapshot/ca-certificates-$pkgver.tar.xz"
+source="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/$pkgver/ca-certificates-$pkgver.tar.bz2
+ 0003-update-ca-insert-newline-between-certs.patch
+ "
builddir="$srcdir/ca-certificates-$pkgver"
build() {
cd "$builddir"
make
+ # remove expired cert (https://gitlab.alpinelinux.org/alpine/aports/issues/11607)
+ rm AddTrust_External_Root.crt
}
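Review bot: `rm AddTrust_External_Root.crt` runs after `make` in `build()`, so it only removes the expired root if the bundle (`/etc/ssl/cert.pem`, installed by `cacert()` outside this hunk) is assembled later from the remaining `.crt` files; if `make` already concatenates the bundle, the expired certificate is still shipped — confirm which step builds it, or delete the file before `make`. The patch is numbered 3/3 while 0001 and 0002 are not in `source=`, presumably because they are already in the 20191127 snapshot; a one-line comment saying so would spare the next maintainer the lookup.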
package() {
@@ -58,4 +62,5 @@ cacert() {
"$subpkgdir"/etc/ssl/cert.pem
}
-sha512sums="7b022c3b3319ac4ebbf13f551626f3d60a5552014d564166165030ee799c2fd470c593fb7171732100089b17ad3d309abc73f2429967222676915cad46f95a8e ca-certificates-20190108.tar.xz"
+sha512sums="05e3a11efd80ea88eb81774e084febe4b8d1fa48f01f49e5ed3d469e10a2769260a264faed42ea3a0b725659cda1cc4a67ce5575fe04cdff9dc1c08207911c9b ca-certificates-20191127.tar.bz2
+051b5d78916ee7389dfbd4e8871aab720415bd6e9ee0313dba770fc40ee7c68ac67d7918f2503458a3218e3bfc10691b5e379b65269106fde02c7e7a36eb7595 0003-update-ca-insert-newline-between-certs.patch"
diff --git a/main/chrony/APKBUILD b/main/chrony/APKBUILD
index 8327c29f69..d4e0add148 100644
--- a/main/chrony/APKBUILD
+++ b/main/chrony/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=chrony
pkgver=3.4
-pkgrel=1
+pkgrel=2
_ver=${pkgver/_/-}
pkgdesc="NTP client and server programs"
url="https://chrony.tuxfamily.org"
@@ -26,8 +26,16 @@ source="https://download.tuxfamily.org/$pkgname/$pkgname-$_ver.tar.gz
chrony.logrotate
chrony.conf
timepps.h
+
+ CVE-2020-14367.patch
"
builddir="$srcdir/$pkgname-$_ver"
+options="!check" # line 82 of test/unit/util.c fails on all arches
+
+# secfixes:
+# 3.4-r2:
+# - CVE-2020-14367
+
prepare() {
default_prepare
@@ -91,4 +99,5 @@ b26581ed32680585edea5b8163a0062a87f648394c0f363c77a7d01a36608fcf4d005d9e6ab179ed
60d6aab60132b11e82888b755a47aa6ae2949db07016b475e7bce53ed5083c888ab88f3b53e87bfa7396f0559f6870c28816b395361645dda157ab7649b28236 chronyd.initd
ab38f06bf45888846778ad935e24abb30d13b6805e9a750bc694ff953695fa8c5b33aac560f5f7f96dc46031c1a38660e5c418b6fce6fb34a87908a9a3c99357 chrony.logrotate
0ae453fca3461b6e56a32a9eb6be0d448c39bf0279583222ab2fecef307e1113f082d4e86f957e4baac4f223c5c57804cdea97322678009f3413ab99d54694b6 chrony.conf
-eb11fc19243d1789016d88eb7645bfe67c46304547781489bf36eb1dd4c252d523681ff835a6488fa0ef62b6b9e2f781c672279f4439f5d5640a3f214a113048 timepps.h"
+eb11fc19243d1789016d88eb7645bfe67c46304547781489bf36eb1dd4c252d523681ff835a6488fa0ef62b6b9e2f781c672279f4439f5d5640a3f214a113048 timepps.h
+777c5b83fac51424eaaf5e348e138389c449fcb03e382deebab727c6d265332ef3e1b7a168740b18ca669add05ba02c21a7c52edfdd442ed2b3893706098c343 CVE-2020-14367.patch"
diff --git a/main/chrony/CVE-2020-14367.patch b/main/chrony/CVE-2020-14367.patch
new file mode 100644
index 0000000000..f0e331bd97
--- /dev/null
+++ b/main/chrony/CVE-2020-14367.patch
@@ -0,0 +1,204 @@
+From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 6 Aug 2020 09:31:11 +0200
+Subject: [PATCH] main: create new file when writing pidfile
+
+When writing the pidfile, open the file with the O_CREAT|O_EXCL flags
+to avoid following a symlink and writing the PID to an unexpected file,
+when chronyd still has the root privileges.
+
+The Linux open(2) man page warns about O_EXCL not working as expected on
+NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on
+a distributed filesystem like NFS is not generally expected, but if
+there is a reason to do that, these old kernel and NFS versions are not
+considered to be supported for saving files by chronyd.
+
+This is a minimal backport specific to this issue of the following
+commits:
+- commit 2fc8edacb810 ("use PATH_MAX")
+- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()")
+- commit 7a4c396bba8f ("util: add functions for common file operations")
+- commit e18903a6b563 ("switch to new util file functions")
+
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+---
+ logging.c | 1 +
+ main.c | 10 ++----
+ sysincl.h | 1 +
+ util.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ util.h | 11 +++++++
+ 5 files changed, 111 insertions(+), 7 deletions(-)
+
+diff --git a/logging.c b/logging.c
+index d2296e0..fd7f900 100644
+--- a/logging.c
++++ b/logging.c
+@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity,
+ system_log = 0;
+ log_message(1, severity, buf);
+ }
++ exit(1);
+ break;
+ default:
+ assert(0);
+diff --git a/main.c b/main.c
+index 6ccf32e..8edb2e1 100644
+--- a/main.c
++++ b/main.c
+@@ -281,13 +281,9 @@ write_pidfile(void)
+ if (!pidfile[0])
+ return;
+
+- out = fopen(pidfile, "w");
+- if (!out) {
+- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno));
+- } else {
+- fprintf(out, "%d\n", (int)getpid());
+- fclose(out);
+- }
++ out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644);
++ fprintf(out, "%d\n", (int)getpid());
++ fclose(out);
+ }
+
+ /* ================================================== */
+diff --git a/sysincl.h b/sysincl.h
+index 296c5e6..873a3bd 100644
+--- a/sysincl.h
++++ b/sysincl.h
+@@ -37,6 +37,7 @@
+ #include <glob.h>
+ #include <grp.h>
+ #include <inttypes.h>
++#include <limits.h>
+ #include <math.h>
+ #include <netinet/in.h>
+ #include <pwd.h>
+diff --git a/util.c b/util.c
+index e7e3442..83b3b20 100644
+--- a/util.c
++++ b/util.c
+@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid)
+
+ /* ================================================== */
+
++static int
++join_path(const char *basedir, const char *name, const char *suffix,
++ char *buffer, size_t length, LOG_Severity severity)
++{
++ const char *sep;
++
++ if (!basedir) {
++ basedir = "";
++ sep = "";
++ } else {
++ sep = "/";
++ }
++
++ if (!suffix)
++ suffix = "";
++
++ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) {
++ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix);
++ return 0;
++ }
++
++ return 1;
++}
++
++/* ================================================== */
++
++FILE *
++UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++ char mode, mode_t perm)
++{
++ const char *file_mode;
++ char path[PATH_MAX];
++ LOG_Severity severity;
++ int fd, flags;
++ FILE *file;
++
++ severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR;
++
++ if (!join_path(basedir, name, suffix, path, sizeof (path), severity))
++ return NULL;
++
++ switch (mode) {
++ case 'r':
++ case 'R':
++ flags = O_RDONLY;
++ file_mode = "r";
++ if (severity != LOGS_FATAL)
++ severity = LOGS_DEBUG;
++ break;
++ case 'w':
++ case 'W':
++ flags = O_WRONLY | O_CREAT | O_EXCL;
++ file_mode = "w";
++ break;
++ case 'a':
++ case 'A':
++ flags = O_WRONLY | O_CREAT | O_APPEND;
++ file_mode = "a";
++ break;
++ default:
++ assert(0);
++ return NULL;
++ }
++
++try_again:
++ fd = open(path, flags, perm);
++ if (fd < 0) {
++ if (errno == EEXIST) {
++ if (unlink(path) < 0) {
++ LOG(severity, "Could not remove %s : %s", path, strerror(errno));
++ return NULL;
++ }
++ DEBUG_LOG("Removed %s", path);
++ goto try_again;
++ }
++ LOG(severity, "Could not open %s : %s", path, strerror(errno));
++ return NULL;
++ }
++
++ UTI_FdSetCloexec(fd);
++
++ file = fdopen(fd, file_mode);
++ if (!file) {
++ LOG(severity, "Could not open %s : %s", path, strerror(errno));
++ close(fd);
++ return NULL;
++ }
++
++ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode);
++
++ return file;
++}
++
++/* ================================================== */
++
+ void
+ UTI_DropRoot(uid_t uid, gid_t gid)
+ {
+diff --git a/util.h b/util.h
+index e3d6767..a2481cc 100644
+--- a/util.h
++++ b/util.h
+@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid
+ permissions and its uid/gid must match the specified values. */
+ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid);
+
++/* Open a file. The full path of the file is constructed from the basedir
++ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL).
++ Created files have specified permissions (umasked). Returns NULL on error.
++ The following modes are supported (if the mode is an uppercase character,
++ errors are fatal):
++ r/R - open an existing file for reading
++ w/W - open a new file for writing (remove existing file)
++ a/A - open an existing file for appending (create if does not exist) */
++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++ char mode, mode_t perm);
++
+ /* Set process user/group IDs and drop supplementary groups */
+ extern void UTI_DropRoot(uid_t uid, gid_t gid);
+
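Review bot: In join_path (util.c hunk), `snprintf(...) >= length` compares the int return value against a size_t, so a negative return from snprintf is promoted to a huge unsigned value; it happens to land in the "too long" branch, but with the wrong message and a sign-comparison warning. Capture the result first: `int n = snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix);` followed by `if (n < 0 || (size_t)n >= length) {` and the existing LOG/return. In the main.c hunk `fprintf(out, ...)` dereferences the return of UTI_OpenFile without a NULL check; that is correct only because the uppercase 'W' mode selects LOGS_FATAL and the logging.c hunk makes LOG_Message call exit(1) for that severity, which deserves a comment at the call site, e.g. `/* 'W': open failures are fatal, so out cannot be NULL here */`. The return of fclose() is also ignored, so a failed write of the pid goes unnoticed.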
diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD
index f931f822f0..3c7166e23d 100644
--- a/main/cups/APKBUILD
+++ b/main/cups/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cups
-pkgver=2.2.10
+pkgver=2.2.12
pkgrel=0
pkgdesc="The CUPS Printing System"
url="https://www.cups.org/"
@@ -24,6 +24,9 @@ source="https://github.com/apple/cups/releases/download/v$pkgver/cups-$pkgver-so
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.2.12-r0:
+# - CVE-2019-8696
+# - CVE-2019-8675
# 2.2.10-r0:
# - CVE-2018-4700
@@ -127,8 +130,7 @@ _mv() {
mv "$pkgdir"/$i "$subpkgdir"/${i%/*}/
done
}
-
-sha512sums="1393987a263ebf20089dd3008ae4ed770a27a1f289032604eb9e18f2e863bd0e4215a70118f5a6d3940875625278b6798fbc9070e791ec559179c6cf7dc7b05f cups-2.2.10-source.tar.gz
+sha512sums="b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df3d59795624973b89074a2af650fa9b5b6ed5224138b17e4c6dbbcbf0a2e6 cups-2.2.12-source.tar.gz
cf64211da59e79285f99d437c02fdd7db462855fb2920ec9563ba47bd8a9e5cbd10555094940ceedeb41ac805c4f0ddb9147481470112a11a76220d0298aef79 cups.logrotate
2c2683f755a220166b3a1653fdd1a6daa9718c8f0bbdff2e2d5e61d1133306260d63a83d3ff41619b5cf84c4913fae5822b79553e2822858f38fa3613f4c7082 cupsd.initd
7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index cc50a0acf9..8af79f2f03 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.64.0
-pkgrel=2
+pkgrel=4
pkgdesc="URL retrival utility and library"
url="https://curl.haxx.se"
arch="all"
@@ -18,11 +18,21 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
url-fix-7.64.patch
CVE-2019-5435.patch
CVE-2019-5436.patch
+ CVE-2019-5481.patch
+ CVE-2019-5482.patch
+ CVE-2020-8169.patch
+ CVE-2020-8177.patch
"
options="!check" # sftp tests failing
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 7.64.0-r4:
+# - CVE-2020-8169
+# - CVE-2020-8177
+# 7.64.0-r3:
+# - CVE-2019-5481
+# - CVE-2019-5482
# 7.64.0-r2:
# - CVE-2019-5435
# - CVE-2019-5436
@@ -125,4 +135,8 @@ libcurl() {
sha512sums="953f1f5336ce5dfd1b9f933624432d401552d91ee02d39ecde6f023c956f99ec6aae8d7746d7c34b6eb2d6452f114e67da4e64d9c8dd90b7644b7844e7b9b423 curl-7.64.0.tar.xz
9b0cd3bfb705e804f21b3c87929ec5c3bbd6f17748e82cda75c3edbca5ea66cbcb0260c666635a2cbdaa6d4081008a9c445b4f266e9b970d3deaed21f9b352a1 url-fix-7.64.patch
c629a1b36920a3f8eab3321b0222e203f53f29e5947d39a0c32e0a7de2d8ab2182c3d6bbb0828847f2f353d1d3a15d85203e17ef74018a5c865a854d7a413fc3 CVE-2019-5435.patch
-9ccb8d898530f14cf497b4d0ede3b28d6baac5fa0b867636219795cf748f0149a110a386d4212ff48781c2c37e03290f2afe47cc186bd606f569acfd48457a15 CVE-2019-5436.patch"
+9ccb8d898530f14cf497b4d0ede3b28d6baac5fa0b867636219795cf748f0149a110a386d4212ff48781c2c37e03290f2afe47cc186bd606f569acfd48457a15 CVE-2019-5436.patch
+37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf CVE-2019-5481.patch
+6703658d9212bb87de22fabd996e8f8eb8c98aa4c015b1daa4c1a15f503c4a5530dafbcc1817032d973ef94ac29fe7b8ee16426e443b20d0bcdbe5d7f0209ffb CVE-2019-5482.patch
+4950975d59bdf8398dd5f4b8338e5f76ae3752247be9054a28753351bcddb46f71a8bd601dba31da1b6b3fbbfbe6192f33a6500144d89f2cfdfb47161e3addba CVE-2020-8169.patch
+250359963230de2970ab4a56d731312f0772d6f89672b4189e7d6aa8553cb9efd8808221f418a1b7778f7b9e52a45738451aec2d4a0e73e084a748cff1b3d6da CVE-2020-8177.patch"
diff --git a/main/curl/CVE-2019-5481.patch b/main/curl/CVE-2019-5481.patch
new file mode 100644
index 0000000000..2aa4952cee
--- /dev/null
+++ b/main/curl/CVE-2019-5481.patch
@@ -0,0 +1,40 @@
+From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2da8d..c5e4e135df 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+ struct krb5buffer *buf)
+ {
+ int len;
+- void *tmp = NULL;
+ CURLcode result;
+
+ result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- tmp = Curl_saferealloc(buf->data, len);
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+- if(tmp == NULL)
++ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+
+- buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
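Review bot: The new condition `if(!len || !buf->data) return CURLE_OUT_OF_MEMORY;` reports a zero-length frame with the same error code as an allocation failure, which misleads anyone diagnosing the error; testing `!buf->data` on its own and returning a distinct code for `!len` keeps the double-free fix while reporting the right cause. `len` is a signed int filled from the socket and converted with ntohl(), so a value with the top bit set is negative here and is handed to Curl_saferealloc() as a size without being rejected; a guard such as `if(len < 0) return CURLE_RECV_ERROR;` before the realloc bounds it, unless socket_read() or the caller already validates the length (not visible in this hunk). read_data's body continues outside the hunk.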
diff --git a/main/curl/CVE-2019-5482.patch b/main/curl/CVE-2019-5482.patch
new file mode 100644
index 0000000000..fc9dc73f7d
--- /dev/null
+++ b/main/curl/CVE-2019-5482.patch
@@ -0,0 +1,59 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index a7176cec80..346f293dc5 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+ tftp_state_data_t *state;
+ int blksize;
++ int need_blksize;
+
+ blksize = TFTP_BLKSIZE_DEFAULT;
+
+@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ return CURLE_TFTP_ILLEGAL;
+ }
+
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -1021,7 +1027,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = blksize;
++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
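Review bot: The enlarged buffers are allocated only under `if(!state->rpacket.data)` and `if(!state->spacket.data)`, so if a tftp_state_data_t survives across connects with an earlier, smaller allocation the new need_blksize sizing is never applied to it; whether state is reused that way is not visible here, and if it is, the old buffers should be freed and reallocated whenever the required size grows. The two-step sizing deserves a comment where need_blksize is computed, e.g. `/* buffers must hold the larger of the requested and the default block size: the transfer runs at the default until an OACK arrives */`. tftp_connect's body continues outside the hunk.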
diff --git a/main/curl/CVE-2020-8169.patch b/main/curl/CVE-2020-8169.patch
new file mode 100644
index 0000000000..d89e21f4d7
--- /dev/null
+++ b/main/curl/CVE-2020-8169.patch
@@ -0,0 +1,21 @@
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66a..a826f8a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Curl_easy *data,
+
+ /* for updated strings, we update them in the URL */
+ if(user_changed) {
+- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
++ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
+ if(passwd_changed) {
+- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
++ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
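Review bot: The switch from `0` to CURLU_URLENCODE for the user and password parts deserves a comment, since the flags it replaces look harmless and a later cleanup could revert them; a line above `if(user_changed)` such as `/* URL-encode: credentials may contain reserved characters that must not be re-parsed as URL structure — confirm against the advisory */` records why the flag is load-bearing. The rest of override_login, including where *userp and *passwdp come from, is outside the hunk, so I cannot tell whether other parts set elsewhere need the same treatment.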
diff --git a/main/curl/CVE-2020-8177.patch b/main/curl/CVE-2020-8177.patch
new file mode 100644
index 0000000000..556dcc10ee
--- /dev/null
+++ b/main/curl/CVE-2020-8177.patch
@@ -0,0 +1,50 @@
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 3844904..1813cb3 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -132,25 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+ filename = parse_filename(p, len);
+ if(filename) {
+ if(outs->stream) {
+- int rc;
+- /* already opened and possibly written to */
+- if(outs->fopened)
+- fclose(outs->stream);
+- outs->stream = NULL;
+-
+- /* rename the initial file name to the new file name */
+- rc = rename(outs->filename, filename);
+- if(rc != 0) {
+- warnf(outs->config->global, "Failed to rename %s -> %s: %s\n",
+- outs->filename, filename, strerror(errno));
+- }
+- if(outs->alloc_filename)
+- Curl_safefree(outs->filename);
+- if(rc != 0) {
+- free(filename);
+- return failure;
+- }
++ /* indication of problem, get out! */
++ free(filename);
++ return failure;
+ }
++
+ outs->is_cd_filename = TRUE;
+ outs->s_isreg = TRUE;
+ outs->fopened = FALSE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index c7ba5f2..505b991 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -1760,6 +1760,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ }
+ break;
+ case 'i':
++ if(config->content_disposition) {
++ warnf(global,
++ "--include and --remote-header-name cannot be combined.\n");
++ return PARAM_BAD_USE;
++ }
+ config->show_headers = toggle; /* show the headers as well in the
+ general output stream */
+ break;
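Review bot: The new rejection in the tool_getparam.c hunk lives only under `case 'i'`, so it fires when `--include` is parsed after `--remote-header-name`; unless the `-J` case carries the mirror check (it is not in this hunk), the opposite order passes the parser and reaches the header callback, where the tool_cb_hdr.c hunk now aborts the transfer instead of renaming. The comment `/* indication of problem, get out! */` in that callback does not say what the problem is; `/* an output stream is already open, so a Content-Disposition name cannot be honoured: refuse rather than rename over it */` would. Both enclosing functions continue outside the hunk.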
diff --git a/main/cvs/APKBUILD b/main/cvs/APKBUILD
index b11d7ac61e..c2537d6ed8 100644
--- a/main/cvs/APKBUILD
+++ b/main/cvs/APKBUILD
@@ -1,33 +1,45 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cvs
-pkgver=1.11.23
+pkgver=1.12.12
pkgrel=0
pkgdesc="Concurrent Versions System"
-url="http://www.nongnu.org/cvs/"
+url="https://www.nongnu.org/cvs/"
arch="all"
license="GPL-2.0-or-later"
-depends=""
+options="!check" # Tests fail - src/lib/test-getdate.sh
makedepends="zlib-dev"
-install=
subpackages="$pkgname-doc"
-source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
- cvs-musl.patch
+source="https://ftp.gnu.org/non-gnu/cvs/source/feature/$pkgver/cvs-$pkgver.tar.gz
+ cvs-1.12.12-cvsbug-tmpfix.patch
+ cvs-1.12.12-openat.patch
+ cvs-1.12.12-block-requests.patch
+ cvs-1.12.12-install-sh.patch
+ cvs-1.12.12-hash-nameclash.patch
+ cvs-1.12.12-getdelim.patch
+ cvs-1.12.12-rcs2log-coreutils.patch
+ cvs-1.12.12-mktime-x32.patch
+ cvs-1.12.12-fix-massive-leak.patch
+ cvs-1.12.12-mktime-configure.patch
+ cvs-1.12.12-CVE-2012-0804.patch
+ cvs-1.12.12-format-security.patch
+ cvs-1.12.12-musl.patch
+ CVE-2017-12836.patch
"
+builddir="$srcdir/$pkgname-$pkgver"
-_builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 1.12.12-r0:
+# - CVE-2010-3846
+# - CVE-2012-0804
+# - CVE-2017-12836
prepare() {
- local i
- cd "$_builddir"
- for i in $source; do
- case $i in
- *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
- esac
- done
+ default_prepare
+ update_config_sub
}
build() {
- cd "$_builddir"
+ cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -36,19 +48,32 @@ build() {
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--with-external-zlib \
- --with-tmpdir=/tmp \
- || return 1
- make || return 1
+ --with-tmpdir=/tmp
+ make
+}
+
+check() {
+ cd "$builddir"
+ make check
}
package() {
- cd "$_builddir"
- make -j1 DESTDIR="$pkgdir" install
+ cd "$builddir"
+ make DESTDIR="$pkgdir" install
}
-md5sums="bf185eb51b5918330a04671c3f3cccde cvs-1.11.23.tar.gz
-3b51f4b2b94b83666f9e105038222cd8 cvs-musl.patch"
-sha256sums="0ad692e3c22e4b33274a53ad22a194deb3024ec833b9e87ad7968d9b0b58cdcf cvs-1.11.23.tar.gz
-b5b687e9c5349fbb15e82ca1f99d9227432f6be29a55b7ca22bd9b1c8b6f08d5 cvs-musl.patch"
-sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch"
+sha512sums="36cae30bbd075773d260fd8d0170335d37ba4b6dd09056465290df5c14cd7c39a18931d70761d98e2bd989798b013e372603e94c252b4062c56c3ab53251a1fb cvs-1.12.12.tar.gz
+29014631f5595dbf51a47032a19a23e545190dd8d40d77a71d363cee07a9ae38263b67db52a512436a9a7b37a7f5ff4daafa4a0a9f3c29bcfeb71ecff74408b7 cvs-1.12.12-cvsbug-tmpfix.patch
+b0a7abc785169705d2f0668a8af706f93ee3eba3d050d555689577962283e54f6bd186e662b64c65f926cf72dff76a37259181338707d641ee0f20591ba62805 cvs-1.12.12-openat.patch
+541545ffc64c4f2303b7e8f6cae2cdff0437452e4bcf94b2149d51e43710096e17f024c1a8ed32433560ea51ecef2aba2f3e6bfaef8fa9e4ad2f2436649884d1 cvs-1.12.12-block-requests.patch
+7e468d41c1eb23c0a62b605e6e48cffc004e8f386a87a9696dd73b36702c74aad529f5cba7280dee1100027b6e1e907adad257cc446ca3ad734fa40d47e4ff72 cvs-1.12.12-install-sh.patch
+dcd612dcc4b008c0fbabd74bcc179e69ebaed31a9f6622127061194a8ed99549502fbc0bffc75cc87aed26f7fe46215da81438c3a797e2179ed3da8e0b5ebdbb cvs-1.12.12-hash-nameclash.patch
+181b5daa6e103218e3fc1629a0b5f74daad613cdbe530655eff32479e4b9f32d067e60a82107efdbb129f917ee0626d274fb65555c66d907c997bf01fa262bdb cvs-1.12.12-getdelim.patch
+73c3506fa670b00ac52363efa2a2fa34203108d3dc112400e52f78eb7d83967cf49b11280d6c27a461f79a9c38317b41b26dd1f67d10229dbcb6c2ad9d43b521 cvs-1.12.12-rcs2log-coreutils.patch
+4a58c0f94de8e19c2de1930b7e5e04816e79a86885c89b792616a4c43f6e12aef271005ae59ae0d5788a910ba97735ccdf35f0ef5faafc2e3c50a9858b8f6216 cvs-1.12.12-mktime-x32.patch
+c4c9026e971f3da49cefce102b57bc681427a708ec8caa185df1234fd2a95090c8dc8cbf84374a762fdef7002d658cd4b52450429664cb3a1bfbda63d31c78a7 cvs-1.12.12-fix-massive-leak.patch
+10b29450d5d0a6a02d92812b919edbba2b86f2217aa54896b44358edb2eb8d8d6111b5c5db39faa50ef1f9a86ed1ee190332629f33402ad8cd8082b77547f486 cvs-1.12.12-mktime-configure.patch
+4f86f75f59caf4ef7e83964ec2d9c93575ccdcb031b1a6a1774a2a80ab7d6f278b3d27c4ab9270b91edf457a0195d702e3bd20da17c167b3f204fd9d8980b720 cvs-1.12.12-CVE-2012-0804.patch
+34f16defa5ab03ca2efcdea27269a37e27510d235bc4efd7a91871c2ae32fe9b922a51f3b87bcfec988964f8ae50d4649d7876937e25352836d5274ce88eea13 cvs-1.12.12-format-security.patch
+1c14b89dccee3130cc4ff881b7204f01dd8e14d1767e21d30b879df17a368a0f6bc7d3945872f8a6adcf47e34c3e48b9f2c0c0c90cccbf10fa935690a57f5e20 cvs-1.12.12-musl.patch
+1daf3d26acabe5e1f46331595f95f62a3bc7ffd28dfb063cfc8c9eec3f13f67ad32ba236ea4ff5f3180a10996ac5c902473d4a34226f9706f3b008b0c55491ea CVE-2017-12836.patch"
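Review bot: A `check()` function is added while `options="!check"` is set a few lines above, so the new function never runs; either drop it or narrow the option to skipping the single failing test named in the comment so the rest of the suite still executes. If the function is kept, a comment such as `# disabled via options="!check": src/lib/test-getdate.sh fails` next to it would stop the next reader from assuming it is active.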
diff --git a/main/cvs/CVE-2017-12836.patch b/main/cvs/CVE-2017-12836.patch
new file mode 100644
index 0000000000..b20a88b667
--- /dev/null
+++ b/main/cvs/CVE-2017-12836.patch
@@ -0,0 +1,38 @@
+Subject: [PATCH] Fix CVE-2017-12836
+From: Thorsten Glaser <tg@mirbsd.de>
+
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -53,9 +53,10 @@
+ char *cvs_server = (root->cvs_server != NULL
+ ? root->cvs_server : getenv ("CVS_SERVER"));
+ int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+- "cmd (w/ args)", and NULL. We leave some room to grow. */
+- char *rsh_argv[10];
++ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
++ "--", "host", "cvs", "-R", "server", and NULL.
++ We leave some room to grow. */
++ char *rsh_argv[16];
+
+ if (!cvs_rsh)
+ /* People sometimes suggest or assume that this should default
+@@ -97,6 +98,9 @@
+ rsh_argv[i++] = root->username;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+ rsh_argv[i++] = "server";
+@@ -171,6 +175,8 @@
+ *p++ = root->username;
+ }
+
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
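Review bot: `rsh_argv[16]` is filled through `rsh_argv[i++]` with no bound check, so the comment's count of the entries is the only thing keeping the writes inside the array; an `assert (i < sizeof rsh_argv / sizeof rsh_argv[0]);` before the terminating NULL entry would turn a future miscount into a diagnostic rather than a stack overwrite. The `--` terminator only helps if the configured rsh program treats it as end-of-options; cvs_rsh is set outside this hunk, so that assumption is worth stating in the comment next to the insertion. Both functions continue outside the hunk.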
diff --git a/main/cvs/cvs-1.12.12-CVE-2012-0804.patch b/main/cvs/cvs-1.12.12-CVE-2012-0804.patch
new file mode 100644
index 0000000000..107c3ea122
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-CVE-2012-0804.patch
@@ -0,0 +1,30 @@
+[CVE-2012-0804] Fix proxy response parser
+
+If proxy sends overlong HTTP vesion string, the string will be copied
+to unallocatd space (write_buf) causing heap overflow.
+
+This patch fixes it by ignoring the HTTP version string and checking
+the response line has been parsed correctly.
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
+details.
+
+Index: src/client.c
+===================================================================
+RCS file: /sources/cvs/ccvs/src/client.c,v
+retrieving revision 1.483
+diff -u -r1.483 client.c
+--- a/src/client.c 18 Nov 2008 22:59:02 -0000 1.483
++++ b/src/client.c 26 Jan 2012 16:32:25 -0000
+@@ -4339,9 +4339,9 @@
+ * code.
+ */
+ read_line_via (from_server, to_server, &read_buf);
+- sscanf (read_buf, "%s %d", write_buf, &codenum);
++ count = sscanf (read_buf, "%*s %d", &codenum);
+
+- if ((codenum / 100) != 2)
++ if (count != 1 || (codenum / 100) != 2)
+ error (1, 0, "proxy server %s:%d does not support http tunnelling",
+ root->proxy_hostname, proxy_port_number);
+ free (read_buf);
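Review bot: `count` is assigned but its declaration is not part of the hunk, so the patch presumably relies on an existing `int count` in that function; worth confirming when the patch is rebased, since a missing declaration is a hard error. A short comment on the sscanf line, `/* %*s discards the HTTP version token so an overlong one cannot overrun write_buf (CVE-2012-0804) */`, would preserve the reason the format changed.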
diff --git a/main/cvs/cvs-1.12.12-block-requests.patch b/main/cvs/cvs-1.12.12-block-requests.patch
new file mode 100644
index 0000000000..9c9b49db8f
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-block-requests.patch
@@ -0,0 +1,140 @@
+Author: Robin H. Johnson <robbat2@gentoo.org>
+Date: 2006-08-09
+
+This patch allows a CVS server to deny usage of specific commands, based on
+input in the environment.
+
+Just set the CVS_BLOCK_REQUESTS env var with all of the commands you want,
+seperated by spaces. Eg:
+CVS_BLOCK_REQUESTS="Gzip-stream gzip-file-contents"
+would block ALL usage of compression.
+
+Please see the array 'struct request requests[]' in src/server.c for a full
+list of commands.
+
+Please note that if you block any commands marked as RQ_ESSENTIAL, CVS clients
+may fail! (This includes 'ci'!).
+
+See the companion cvs-custom.c for a wrapper that can enforce the environment variable for pserver setups.
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+diff -Nuar --exclude '*~' -U 10 cvs-1.12.12.orig/src/server.c cvs-1.12.12/src/server.c
+--- cvs-1.12.12.orig/src/server.c 2005-04-14 14:13:29.000000000 +0000
++++ cvs-1.12.12/src/server.c 2006-08-09 01:40:44.000000000 +0000
+@@ -5836,43 +5836,90 @@
+ #undef REQ_LINE
+ };
+ #endif /* SERVER_SUPPORT or CLIENT_SUPPORT */
+
+
+
+ #ifdef SERVER_SUPPORT
+ /*
+ * This server request is not ignored by the secondary.
+ */
++
++/* Hack by Robin H. Johnson <robbat2@gentoo.org>.
++ * Allow the server ENV to specify what request types are to be ignored.
++ */
++
++static char blocked_requests[BUFSIZ] = " ";
++
++static void build_blocked_requests() {
++ char *tmp = getenv("CVS_BLOCK_REQUESTS");
++
++ if (tmp != NULL && strlen(tmp) > 0) {
++ // move to our custom buffer
++ strncat(blocked_requests, tmp, sizeof(blocked_requests)-strlen(blocked_requests));
++ //add a space on the end as well for searching
++ strncat(blocked_requests, " ", sizeof(blocked_requests)-strlen(blocked_requests));
++ }
++
++ // now blocked_requests contains the list of every request that we do not
++ // want to serve
++}
++
++// returns 0 if we should serve this request
++// use as if(checker(FOO)) continue;
++static int serve_valid_requests_checker(char *reqname) {
++ char needle[BUFSIZ] = " ";
++ char *tmp;
++
++ if(!blocked_requests || strlen(blocked_requests) < 2)
++ return 0;
++
++ // we want to look for ' 'reqname' '
++ snprintf(needle, sizeof(needle), " %s ", reqname);
++
++ // now do the search
++ tmp = strstr(blocked_requests, needle);
++
++ if (tmp != NULL)
++ return 1;
++
++ return 0;
++
++}
++
+ static void
+ serve_valid_requests (char *arg)
+ {
+ struct request *rq;
+
+ /* Since this is processed in the first pass, don't reprocess it in the
+ * second.
+ *
+ * We still print errors since new errors could have been generated in the
+ * second pass.
+ */
+ if (print_pending_error ()
+ #ifdef PROXY_SUPPORT
+ || reprocessing
+ #endif /* PROXY_SUPPORT */
+ )
+ return;
++
++ build_blocked_requests();
+
+ buf_output0 (buf_to_net, "Valid-requests");
+ for (rq = requests; rq->name != NULL; rq++)
+ {
+ if (rq->func != NULL)
+ {
++ if(serve_valid_requests_checker(rq->name))
++ continue;
+ buf_append_char (buf_to_net, ' ');
+ buf_output0 (buf_to_net, rq->name);
+ }
+ }
+ buf_output0 (buf_to_net, "\nok\n");
+
+ /* The client is waiting for the list of valid requests, so we
+ must send the output now. */
+ buf_flush (buf_to_net, 1);
+ }
+@@ -6353,20 +6400,24 @@
+ cmd += len;
+ else if (cmd[len] == ' ')
+ cmd += len + 1;
+ else
+ /*
+ * The first len characters match, but it's a different
+ * command. e.g. the command is "cooperate" but we matched
+ * "co".
+ */
+ continue;
++ // Ignore commands that we are supposed to ignore.
++ if(serve_valid_requests_checker(rq->name))
++ continue;
++
+
+ if (!(rq->flags & RQ_ROOTLESS)
+ && current_parsed_root == NULL)
+ {
+ /* For commands which change the way in which data
+ is sent and received, for example Gzip-stream,
+ this does the wrong thing. Since the client
+ assumes that everything is being compressed,
+ unconditionally, there is no way to give this
+ error to the client without turning on
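Review bot: In build_blocked_requests the size passed to `strncat` is `sizeof(blocked_requests)-strlen(blocked_requests)`, which leaves no room for the terminating NUL that strncat always appends, so an environment value close to BUFSIZ writes one byte past the array; the limit must be `sizeof(blocked_requests) - strlen(blocked_requests) - 1` in both calls. In the second hunk the new `serve_valid_requests_checker` test runs after `cmd` has already been advanced past the matched request name (`cmd += len` / `cmd += len + 1`), so on `continue` the remaining iterations compare the argument text against the other request names instead of reporting the blocked request; moving the check above the `cmd` adjustment avoids that, and the loop's head and tail are outside the hunk, so confirm how an unmatched command is handled. `if(!blocked_requests || ...)` tests the address of a static array and can never be true, and build_blocked_requests() appends on every call, so a repeated Valid-requests duplicates the list. The definitions use empty parentheses (`build_blocked_requests()`), which in C declares an unprototyped function; `(void)` is the correct form.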
diff --git a/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch b/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch
new file mode 100644
index 0000000000..fcd4431e87
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch
@@ -0,0 +1,22 @@
+Index: cvs-1.12.12/src/cvsbug.in
+===================================================================
+--- cvs-1.12.12.orig/src/cvsbug.in
++++ cvs-1.12.12/src/cvsbug.in
+@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
+ /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
+ cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
+ ORIGINATOR="`cat $TEMP`"
+- rm -f $TEMP
++ > $TEMP
+ fi
+ fi
+
+ if [ "$ORIGINATOR" = "" ]; then
+ grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
+ ORIGINATOR="`cat $TEMP`"
+- rm -f $TEMP
++ > $TEMP
+ fi
+
+ if [ -n "$ORGANIZATION" ]; then
+
diff --git a/main/cvs/cvs-1.12.12-fix-massive-leak.patch b/main/cvs/cvs-1.12.12-fix-massive-leak.patch
new file mode 100644
index 0000000000..5366f50855
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-fix-massive-leak.patch
@@ -0,0 +1,52 @@
+buf_free_data must free data independently
+of send or reseived bytes over network.
+
+Moreover, when buffer is usually freed
+buffer _is_ empty, but has one clean mapped page.
+
+I've observed massive 'cvs server' leaks
+when importing large gentoo-x86 repo with 'cvsps'.
+Leak ate all my 32GBs of RAM and killed process.
+(Leaked around 3 pages per client request).
+
+valgrind found the leak easily:
+
+$ valgrind \
+ cvsps \
+ --root :local:$HOME/portage/gentoo-x86.rsync \
+ --fast-export \
+ gentoo-x86/dev-vcs/git-annex 2>l |
+ git fast-import
+
+ ==13504== 1,248 bytes in 52 blocks are still reachable in loss record 41 of 47
+ ==13504== at 0x4C2C19B: malloc (vg_replace_malloc.c:270)
+ ==13504== by 0x48A556: xnmalloc_inline (xmalloc.c:40)
+ ==13504== by 0x48A5B5: xmalloc (xmalloc.c:56)
+ ==13504== by 0x4855F5: new_memnode (pagealign_alloc.c:91)
+ ==13504== by 0x48571B: pagealign_alloc (pagealign_alloc.c:151)
+ ==13504== by 0x485739: pagealign_xalloc (pagealign_alloc.c:182)
+ ==13504== by 0x408DD7: get_buffer_data (buffer.c:98)
+ ==13504== by 0x409C0C: buf_input_data (buffer.c:738)
+ ==13504== by 0x45BB63: do_cvs_command (server.c:3847)
+ ==13504== by 0x45D39E: serve_co (server.c:4809)
+ ==13504== by 0x45F845: server (server.c:6438)
+ ==13504== by 0x438784: main (main.c:1066)
+
+And now it takes constant space (less, than 18MB)
+for 'cvs server' process to convert all gentoo-x86
+by serving more, than 5 000 000 client requests.
+
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+diff --git a/src/buffer.c b/src/buffer.c
+index 3f12513..9a7a559 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -526,7 +526,7 @@ buf_copy_data (struct buffer *buf, struct buffer_data *data,
+ void
+ buf_free_data (struct buffer *buffer)
+ {
+- if (buf_empty_p (buffer)) return;
++ if (! buffer->data) return;
+ buf_free_datas (buffer->data, buffer->last);
+ buffer->data = buffer->last = NULL;
+ }
diff --git a/main/cvs/cvs-1.12.12-format-security.patch b/main/cvs/cvs-1.12.12-format-security.patch
new file mode 100644
index 0000000000..d710a90207
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-format-security.patch
@@ -0,0 +1,22 @@
+--- a/diff/diff3.c
++++ b/diff/diff3.c
+@@ -1503,7 +1503,7 @@
+ line = 0;
+ do
+ {
+- printf_output (line_prefix);
++ printf_output ("%s", line_prefix);
+ cp = D_RELNUM (ptr, realfile, line);
+ length = D_RELLEN (ptr, realfile, line);
+ write_output (cp, length);
+--- a/src/main.c
++++ b/src/main.c
+@@ -1375,7 +1375,7 @@
+ {
+ (void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name);
+ for (; *cpp; cpp++)
+- (void) fprintf (stderr, *cpp);
++ (void) fprintf (stderr, "%s", *cpp);
+ exit (EXIT_FAILURE);
+ }
+
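Review bot: The context line `(void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name);` still passes a non-literal format, and nothing records that this one is deliberate, presumably because the first entry of the usage table carries the two `%s` substitutions while the remaining entries are plain text. A one-line comment above it, `/* first usage line is a format taking program_name and cvs_cmd_name; the rest are literal */`, would stop a later pass from "fixing" it to `"%s"` and silently dropping the substitutions, and explains why only the loop body was changed. Both rewritten call sites sit in functions whose start lies outside the hunk.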
diff --git a/main/cvs/cvs-1.12.12-getdelim.patch b/main/cvs/cvs-1.12.12-getdelim.patch
new file mode 100644
index 0000000000..837d4408ab
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-getdelim.patch
@@ -0,0 +1,21 @@
+The function getdelim() behaves slightly different on FreeBSD,
+only appending to the *line buffer if line_size is 0.
+
+See:
+https://savannah.nongnu.org/bugs/?29466
+http://bugs.gentoo.org/314791
+
+Already comitted upstream:
+http://cvs.savannah.gnu.org/viewvc/ccvs/src/myndbm.c?root=cvs&r1=1.38&r2=1.39
+
+--- a/src/myndbm.c.orig
++++ b/src/myndbm.c
+@@ -213,7 +213,7 @@
+ mydbm_load_file (FILE *fp, List *list, char *filename)
+ {
+ char *line = NULL;
+- size_t line_size;
++ size_t line_size = 0;
+ char *value;
+ size_t value_allocated;
+ char *cp, *vp;
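Review bot: `size_t line_size = 0;` deserves a one-line comment, because the patch description frames it as a FreeBSD quirk while reading an uninitialised `line_size` is undefined behaviour on every platform and several `getdelim` implementations consult `*n` even when `*line` is NULL. Suggest `size_t line_size = 0;  /* must be 0 while line is NULL: getdelim may read *n as the current allocation */`. The body of `mydbm_load_file` continues outside the hunk, so whether `line` is released on every exit path is not visible here.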
diff --git a/main/cvs/cvs-1.12.12-hash-nameclash.patch b/main/cvs/cvs-1.12.12-hash-nameclash.patch
new file mode 100644
index 0000000000..95fd61e0a5
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-hash-nameclash.patch
@@ -0,0 +1,42 @@
+http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/hash.h?r1=1.14.6.2&r2=1.14.6.3&pathrev=cvs1-11-x-branch
+fixed in cvs-1.11.23, cvs-HEAD after cvs-1.12.13a
+
+--- a/src/hash.h.orig 2005-02-01 22:56:48 +0100
++++ b/src/hash.h 2010-03-10 19:00:11 +0100
+@@ -27,26 +27,26 @@
+ };
+ typedef enum ntype Ntype;
+
+-struct node
++struct hashnode
+ {
+ Ntype type;
+- struct node *next;
+- struct node *prev;
+- struct node *hashnext;
+- struct node *hashprev;
++ struct hashnode *next;
++ struct hashnode *prev;
++ struct hashnode *hashnext;
++ struct hashnode *hashprev;
+ char *key;
+ void *data;
+- void (*delproc) (struct node *);
++ void (*delproc) (struct hashnode *);
+ };
+-typedef struct node Node;
++typedef struct hashnode Node;
+
+-struct list
++struct hashlist
+ {
+ Node *list;
+ Node *hasharray[HASHSIZE];
+- struct list *next;
++ struct hashlist *next;
+ };
+-typedef struct list List;
++typedef struct hashlist List;
+
+ List *getlist (void);
+ Node *findnode (List * list, const char *key);
diff --git a/main/cvs/cvs-1.12.12-install-sh.patch b/main/cvs/cvs-1.12.12-install-sh.patch
new file mode 100644
index 0000000000..825c0ee6f1
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-install-sh.patch
@@ -0,0 +1,12 @@
+diff -ur a/build-aux/install-sh b/build-aux/install-sh
+--- a/build-aux/install-sh 2006-03-25 20:04:46 +0000
++++ b/build-aux/install-sh 2007-09-14 10:53:29 +0100
+@@ -246,7 +246,7 @@
+ fi
+
+ if test -n "$dir_arg"; then
+- $doit $mkdircmd "$dst" \
++ { test -d "$dst" || $doit $mkdircmd -p "$dst"; } \
+ && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \
+ && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \
+ && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \
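Review bot: `{ test -d "$dst" || $doit $mkdircmd -p "$dst"; }` changes the failure mode for a pre-existing destination: `test -d` follows symlinks, so a symlink at `$dst` that points at a directory now passes where the original `$doit $mkdircmd "$dst"` would have failed, and the chown/chgrp/chmod commands on the following lines are then applied to the link's target. If that is acceptable for this package's install steps, a comment saying so would help the next reader; otherwise `{ test -d "$dst" && test ! -L "$dst"; } || $doit $mkdircmd -p "$dst"` keeps the original protection while still tolerating an existing real directory. The enclosing `if test -n "$dir_arg"` branch continues past the hunk.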
diff --git a/main/cvs/cvs-1.12.12-mktime-configure.patch b/main/cvs/cvs-1.12.12-mktime-configure.patch
new file mode 100644
index 0000000000..03d7f35601
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-configure.patch
@@ -0,0 +1,201 @@
+https://bugs.gentoo.org/220040
+https://bugs.gentoo.org/570208
+
+update mktime check to latest autoconf version which is less buggy
+
+--- a/configure
++++ b/configure
+@@ -5299,26 +6059,25 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
+ /* Test program from Paul Eggert and Tony Leneis. */
+-#if TIME_WITH_SYS_TIME
++#ifdef TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>
+ #else
+-# if HAVE_SYS_TIME_H
++# ifdef HAVE_SYS_TIME_H
+ # include <sys/time.h>
+ # else
+ # include <time.h>
+ # endif
+ #endif
+
+-#if HAVE_STDLIB_H
+-# include <stdlib.h>
+-#endif
++#include <limits.h>
++#include <stdlib.h>
+
+-#if HAVE_UNISTD_H
++#ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+ #endif
+
+-#if !HAVE_ALARM
++#ifndef HAVE_ALARM
+ # define alarm(X) /* empty */
+ #endif
+
+@@ -5335,9 +6094,9 @@
+ };
+ #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0]))
+
+-/* Fail if mktime fails to convert a date in the spring-forward gap.
++/* Return 0 if mktime fails to convert a date in the spring-forward gap.
+ Based on a problem report from Andreas Jaeger. */
+-static void
++static int
+ spring_forward_gap ()
+ {
+ /* glibc (up to about 1998-10-07) failed this test. */
+@@ -5356,29 +6115,27 @@
+ tm.tm_min = 0;
+ tm.tm_sec = 0;
+ tm.tm_isdst = -1;
+- if (mktime (&tm) == (time_t)-1)
+- exit (1);
++ return mktime (&tm) != (time_t) -1;
+ }
+
+-static void
++static int
+ mktime_test1 (now)
+ time_t now;
+ {
+ struct tm *lt;
+- if ((lt = localtime (&now)) && mktime (lt) != now)
+- exit (1);
++ return ! (lt = localtime (&now)) || mktime (lt) == now;
+ }
+
+-static void
++static int
+ mktime_test (now)
+ time_t now;
+ {
+- mktime_test1 (now);
+- mktime_test1 ((time_t) (time_t_max - now));
+- mktime_test1 ((time_t) (time_t_min + now));
++ return (mktime_test1 (now)
++ && mktime_test1 ((time_t) (time_t_max - now))
++ && mktime_test1 ((time_t) (time_t_min + now)));
+ }
+
+-static void
++static int
+ irix_6_4_bug ()
+ {
+ /* Based on code from Ariel Faigon. */
+@@ -5391,11 +6148,10 @@
+ tm.tm_sec = 0;
+ tm.tm_isdst = -1;
+ mktime (&tm);
+- if (tm.tm_mon != 2 || tm.tm_mday != 31)
+- exit (1);
++ return tm.tm_mon == 2 && tm.tm_mday == 31;
+ }
+
+-static void
++static int
+ bigtime_test (j)
+ int j;
+ {
+@@ -5417,8 +6173,39 @@
+ && lt->tm_wday == tm.tm_wday
+ && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst)
+ == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst))))
+- exit (1);
++ return 0;
+ }
++ return 1;
++}
++
++static int
++year_2050_test ()
++{
++ /* The correct answer for 2050-02-01 00:00:00 in Pacific time,
++ ignoring leap seconds. */
++ unsigned long int answer = 2527315200UL;
++
++ struct tm tm;
++ time_t t;
++ tm.tm_year = 2050 - 1900;
++ tm.tm_mon = 2 - 1;
++ tm.tm_mday = 1;
++ tm.tm_hour = tm.tm_min = tm.tm_sec = 0;
++ tm.tm_isdst = -1;
++
++ /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0"
++ instead of "TZ=America/Vancouver" in order to detect the bug even
++ on systems that don't support the Olson extension, or don't have the
++ full zoneinfo tables installed. */
++ putenv ("TZ=PST8PDT,M4.1.0,M10.5.0");
++
++ t = mktime (&tm);
++
++ /* Check that the result is either a failure, or close enough
++ to the correct answer that we can assume the discrepancy is
++ due to leap seconds. */
++ return (t == (time_t) -1
++ || (0 < t && answer - 120 <= t && t <= answer + 120));
+ }
+
+ int
+@@ -5432,12 +6219,15 @@
+ isn't worth using anyway. */
+ alarm (60);
+
+- for (time_t_max = 1; 0 < time_t_max; time_t_max *= 2)
+- continue;
+- time_t_max--;
+- if ((time_t) -1 < 0)
+- for (time_t_min = -1; (time_t) (time_t_min * 2) < 0; time_t_min *= 2)
+- continue;
++ for (;;)
++ {
++ t = (time_t_max << 1) + 1;
++ if (t <= time_t_max)
++ break;
++ time_t_max = t;
++ }
++ time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max;
++
+ delta = time_t_max / 997; /* a suitable prime number */
+ for (i = 0; i < N_STRINGS; i++)
+ {
+@@ -5445,18 +6235,22 @@
+ putenv (tz_strings[i]);
+
+ for (t = 0; t <= time_t_max - delta; t += delta)
+- mktime_test (t);
+- mktime_test ((time_t) 1);
+- mktime_test ((time_t) (60 * 60));
+- mktime_test ((time_t) (60 * 60 * 24));
+-
+- for (j = 1; 0 < j; j *= 2)
+- bigtime_test (j);
+- bigtime_test (j - 1);
++ if (! mktime_test (t))
++ return 1;
++ if (! (mktime_test ((time_t) 1)
++ && mktime_test ((time_t) (60 * 60))
++ && mktime_test ((time_t) (60 * 60 * 24))))
++ return 1;
++
++ for (j = 1; ; j <<= 1)
++ if (! bigtime_test (j))
++ return 1;
++ else if (INT_MAX / 2 < j)
++ break;
++ if (! bigtime_test (INT_MAX))
++ return 1;
+ }
+- irix_6_4_bug ();
+- spring_forward_gap ();
+- exit (0);
++ return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ());
+ }
+ _ACEOF
+ rm -f conftest$ac_exeext
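Review bot: The new max-probe loop `t = (time_t_max << 1) + 1; if (t <= time_t_max) break;` relies on signed overflow wrapping, which is undefined behaviour in C, and an optimising compiler is entitled to assume `t <= time_t_max` never holds, leaving the probe spinning until the `alarm (60)` visible earlier in the program kills it and configure then concludes mktime is broken. Since the same patch now includes `<limits.h>`, the bound can be derived arithmetically without overflow while keeping the existing `time_t_min` line; the replacement below assumes `time_t` is an integer type without padding bits. The `main` that holds this probe, and the declarations of `t`, `time_t_max` and `time_t_min`, start outside the inner hunk.
```c
  /* Derive time_t's maximum without shifting into the sign bit; that is
     undefined behaviour an optimising compiler may exploit.  */
  time_t_max = ((time_t) -1 < 0
		? ((((time_t) 1 << (sizeof (time_t) * CHAR_BIT - 2)) - 1) * 2 + 1)
		: (time_t) -1);
  time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max;
  /* … unchanged: delta computation and tz_strings loop … */
```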
diff --git a/main/cvs/cvs-1.12.12-mktime-x32.patch b/main/cvs/cvs-1.12.12-mktime-x32.patch
new file mode 100644
index 0000000000..948fa4d714
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-x32.patch
@@ -0,0 +1,29 @@
+back port changes from upstream gnulib to make this work on x32
+
+https://bugs.gentoo.org/395641
+
+--- cvs-1.12.12/lib/mktime.c
++++ cvs-1.12.12/lib/mktime.c
+@@ -115,6 +115,13 @@
+ #define TM_YEAR_BASE 1900
+ verify (base_year_is_a_multiple_of_100, TM_YEAR_BASE % 100 == 0);
+
++#if INT_MAX <= LONG_MAX / 2
++typedef long int long_int;
++#else
++typedef long long int long_int;
++#endif
++verify (long_int_is_wide_enough, INT_MAX == INT_MAX * (long_int) 2 / 2);
++
+ /* Return 1 if YEAR + TM_YEAR_BASE is a leap year. */
+ static inline int
+ leapyear (long int year)
+@@ -167,8 +174,6 @@
+ int year0, int yday0, int hour0, int min0, int sec0)
+ {
+ verify (C99_integer_division, -1 / 2 == 0);
+- verify (long_int_year_and_yday_are_wide_enough,
+- INT_MAX <= LONG_MAX / 2 || TIME_T_MAX <= UINT_MAX);
+
+ /* Compute intervening leap days correctly even if year is negative.
+ Take care to avoid integer overflow here. */
diff --git a/main/cvs/cvs-1.12.12-musl.patch b/main/cvs/cvs-1.12.12-musl.patch
new file mode 100644
index 0000000000..e426cf55fc
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-musl.patch
@@ -0,0 +1,13 @@
+http://gcc.gnu.org/ml/gcc/2003-04/msg00518.html
+
+--- a/lib/regex.c
++++ b/lib/regex.c
+@@ -8184,7 +8184,7 @@
+ if (msg_size > errbuf_size)
+ {
+ #if defined HAVE_MEMPCPY || defined _LIBC
+- *((char *) __mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
++ *((char *) mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
+ #else
+ memcpy (errbuf, msg, errbuf_size - 1);
+ errbuf[errbuf_size - 1] = 0;
diff --git a/main/cvs/cvs-1.12.12-openat.patch b/main/cvs/cvs-1.12.12-openat.patch
new file mode 100644
index 0000000000..fdb406a45e
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-openat.patch
@@ -0,0 +1,21 @@
+Index: cvs-1.12.12/lib/openat.c
+===================================================================
+--- cvs-1.12.12.orig/lib/openat.c
++++ cvs-1.12.12/lib/openat.c
+@@ -55,9 +55,13 @@ rpl_openat (int fd, char const *filename
+ va_list arg;
+ va_start (arg, flags);
+
+- /* Assume that mode_t is passed compatibly with mode_t's type
+- after argument promotion. */
+- mode = va_arg (arg, mode_t);
++ /* If mode_t is narrower than int, use the promoted type (int),
++ not mode_t. Use sizeof to guess whether mode_t is nerrower;
++ we don't know of any practical counterexamples. */
++ if (sizeof (mode_t) < sizeof (int))
++ mode = va_arg (arg, int);
++ else
++ mode = va_arg (arg, mode_t);
+
+ va_end (arg);
+ }
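Review bot: The new comment has a typo, `nerrower` for `narrower`, in `Use sizeof to guess whether mode_t is nerrower;`; since the patch is carried locally it is cheap to fix before it gets copied further. The `sizeof (mode_t) < sizeof (int)` test is the usual portable guess for default argument promotion and the comment already labels it a guess, so no code change is needed. `rpl_openat` begins outside the hunk.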
diff --git a/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch b/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch
new file mode 100644
index 0000000000..7dda3f0f17
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch
@@ -0,0 +1,14 @@
+X-Gentoo-bug: 144114
+
+diff -Nuar cvs-1.12.12.orig/contrib/rcs2log.sh cvs-1.12.12/contrib/rcs2log.sh
+--- cvs-1.12.12.orig/contrib/rcs2log.sh 2003-02-25 21:32:51.000000000 +0000
++++ cvs-1.12.12/contrib/rcs2log.sh 2010-12-06 21:14:33.831532212 +0000
+@@ -620,7 +620,7 @@
+ # Sort the log entries, first by date+time (in reverse order),
+ # then by author, then by log entry, and finally by file name and revision
+ # (just in case).
+-sort -t"$SOH" +2 -4r +4 +0 |
++sort -t"$SOH" -k 3,4r -k 5 -k 1,2 |
+
+ # Finally, reformat the sorted log entries.
+ $AWK -F"$SOH" '
diff --git a/main/cvs/cvs-musl.patch b/main/cvs/cvs-musl.patch
deleted file mode 100644
index 313377dbdd..0000000000
--- a/main/cvs/cvs-musl.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- cvs-1.11.23.org/lib/getline.h 2013-09-16 18:28:13.026099577 +0000
-+++ cvs-1.11.23/lib/getline.h 2013-09-16 18:44:33.356064387 +0000
-@@ -12,8 +12,6 @@
- #define GETLINE_NO_LIMIT -1
-
- int
-- getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
--int
- getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
- int limit));
- int
---- cvs-1.11.23.org/lib/getline.c 2013-09-16 18:28:13.021099577 +0000
-+++ cvs-1.11.23/lib/getline.c 2013-09-16 18:45:14.463062911 +0000
-@@ -154,12 +154,7 @@
- return ret;
- }
-
--int
--getline (lineptr, n, stream)
-- char **lineptr;
-- size_t *n;
-- FILE *stream;
--{
-+ssize_t getline(char ** lineptr, size_t * n, FILE *stream) {
- return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
- }
-
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index 5bb6602ead..5d01ff4a01 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cyrus-sasl
pkgver=2.1.27
-pkgrel=1
+pkgrel=2
pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
url="https://cyrusimap.org/"
arch="all"
@@ -12,7 +12,7 @@ subpackages="
$pkgname-dev
$pkgname-doc
$pkgname-openrc
- libsasl
+ libsasl
$pkgname-gssapiv2:_plugin
$pkgname-gs2:_plugin
$pkgname-scram:_plugin
@@ -39,10 +39,13 @@ source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pk
cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
cyrus-sasl-2.1.27-doc_build_fix.patch
cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+ CVE-2019-19906.patch
saslauthd.initd
"
# secfixes:
+# 2.1.27-r2:
+# - CVE-2019-19906
# 2.1.26-r7:
# - CVE-2013-4122
@@ -123,4 +126,5 @@ sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623
4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch
fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+c39efd87dc9c883d3b07474197f6835fbd32f23baa1f5cd04b25a0473639f847321c40f232e390d4dc9d9ee189dbd177c05d3d1461af4d28a48a4827abc5d9b8 CVE-2019-19906.patch
f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd"
diff --git a/main/cyrus-sasl/CVE-2019-19906.patch b/main/cyrus-sasl/CVE-2019-19906.patch
new file mode 100644
index 0000000000..f7edb521e8
--- /dev/null
+++ b/main/cyrus-sasl/CVE-2019-19906.patch
@@ -0,0 +1,15 @@
+https://github.com/cyrusimap/cyrus-sasl/issues/587
+
+diff --git a/lib/common.c b/lib/common.c
+index bc3bf1df..9969d6aa 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
+
+ if (add==NULL) add = "(null)";
+
+- addlen=strlen(add); /* only compute once */
++ addlen=strlen(add)+1; /* only compute once */
+ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+ return SASL_NOMEM;
+
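Review bot: `addlen=strlen(add)+1;` folds the NUL terminator into a value the adjacent comment says is computed once and reused, so every later use of `addlen` in `_sasl_add_string` (the copy and, presumably, the `*outlen` advance, both outside the hunk) grows by one as well; if `*outlen` is advanced by `addlen`, the next append would start after an embedded NUL and the reported length would be off by one per call. Keeping `addlen` as the string length and reserving the terminator only in the allocation, `if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)`, addresses the overflow without altering the other uses. Worth confirming against the rest of the function before shipping this variant of the fix.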
diff --git a/main/dahdi-linux-vanilla/APKBUILD b/main/dahdi-linux-vanilla/APKBUILD
index 96dc7faab0..b2f9c62789 100644
--- a/main/dahdi-linux-vanilla/APKBUILD
+++ b/main/dahdi-linux-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/dbus/APKBUILD b/main/dbus/APKBUILD
index ee9fdc492a..fae169cfda 100644
--- a/main/dbus/APKBUILD
+++ b/main/dbus/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dbus
pkgver=1.10.28
-pkgrel=0
+pkgrel=1
pkgdesc="Freedesktop.org message bus system"
url="http://www.freedesktop.org/Software/dbus"
pkggroups="messagebus"
@@ -17,12 +17,15 @@ makedepends="$depends_dev expat-dev libx11-dev autoconf automake libtool xmlto
install="$pkgname.pre-install $pkgname.post-install"
source="https://dbus.freedesktop.org/releases/dbus/dbus-$pkgver.tar.gz
fix-int64-print.patch
+ CVE-2020-12049.patch
$pkgname.initd
"
# secfixes:
+# 1.12.28-r1:
+# - CVE-2020-12049
# 1.10.28-r0:
-# - CVE-2019-12749
+# - CVE-2019-12749
prepare() {
default_prepare
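Review bot: The new secfixes entry `# 1.12.28-r1:` names a release this APKBUILD never produces: `pkgver=1.10.28` with the new `pkgrel=1` builds `1.10.28-r1`, so tooling that parses this header will attach CVE-2020-12049 to a non-existent version and the fix will not show as released for 1.10.28-r1. Change the line to `# 1.10.28-r1:`. The whitespace-only rewrite of the `CVE-2019-12749` line in the same hunk is fine.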
@@ -75,4 +78,5 @@ x11() {
sha512sums="d699e5c115dd33c7667c32bf66db0a211e98678ba4b6a155541a705af2819cd45868ca9d33d57a2df7fb1a1ac072e09c8607157a7cd3f8664292c118ae164f61 dbus-1.10.28.tar.gz
5f07d8cb377ab80c927a77236c3f3437f08351161e594c62a1ad43f0324c2dba3cc98d50257ae27b9a4f5148571c5f26f35db8b40f13c72e92f267d5356c87f0 fix-int64-print.patch
+f05e2d14f072da81186e8a70d0895b37ee8f17c566b71865a72419218562e0f08544b7ea04daf6682dec5ff9ebab440c015f57a05abfb93610ec77caf9c2da97 CVE-2020-12049.patch
df74e7d6a4f76f777d356e94bd23422b17656aa51a5b2d3c655fcabb32c84f2f06b9f5cd8827920d51842f89e8c0d968a6e723315e4bf216e55711fcda9b0ee9 dbus.initd"
diff --git a/main/dbus/CVE-2020-12049.patch b/main/dbus/CVE-2020-12049.patch
new file mode 100644
index 0000000000..f1b04b4a65
--- /dev/null
+++ b/main/dbus/CVE-2020-12049.patch
@@ -0,0 +1,103 @@
+This is a combination of
+
+https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748.patch
+https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5.patch
+
+Applied against the 1.10 tree (the commits are for 1.12)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index b730971..4b0e390 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -432,18 +432,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ struct cmsghdr *cm;
+ dbus_bool_t found = FALSE;
+
+- if (m.msg_flags & MSG_CTRUNC)
+- {
+- /* Hmm, apparently the control data was truncated. The bad
+- thing is that we might have completely lost a couple of fds
+- without chance to recover them. Hence let's treat this as a
+- serious error. */
+-
+- errno = ENOSPC;
+- _dbus_string_set_length (buffer, start);
+- return -1;
+- }
+-
+ for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+ if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+ {
+@@ -498,6 +486,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ if (!found)
+ *n_fds = 0;
+
++ if (m.msg_flags & MSG_CTRUNC)
++ {
++ unsigned int i;
++
++ /* Hmm, apparently the control data was truncated. The bad
++ thing is that we might have completely lost a couple of fds
++ without chance to recover them. Hence let's treat this as a
++ serious error. */
++
++ /* We still need to close whatever fds we *did* receive,
++ * otherwise they'll never get closed. (CVE-2020-12049) */
++ for (i = 0; i < *n_fds; i++)
++ close (fds[i]);
++
++ *n_fds = 0;
++ errno = ENOSPC;
++ _dbus_string_set_length (buffer, start);
++ return -1;
++ }
++
+ /* put length back (doesn't actually realloc) */
+ _dbus_string_set_length (buffer, start + bytes_read);
+
+diff --git a/test/fdpass.c b/test/fdpass.c
+index 665b4a1..d8d9c67 100644
+--- a/test/fdpass.c
++++ b/test/fdpass.c
+@@ -50,6 +50,14 @@
+
+ #include "test-utils-glib.h"
+
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++#include <dbus/dbus-message-internal.h>
++#else
++typedef struct _DBusInitialFDs DBusInitialFDs;
++#define _dbus_check_fdleaks_enter() NULL
++#define _dbus_check_fdleaks_leave(fds) do {} while (0)
++#endif
++
+ /* Arbitrary; included here to avoid relying on the default */
+ #define MAX_MESSAGE_UNIX_FDS 20
+ /* This test won't work on Linux unless this is true. */
+@@ -91,6 +99,7 @@ typedef struct {
+ GQueue messages;
+
+ int fd_before;
++ DBusInitialFDs *initial_fds;
+ } Fixture;
+
+ static void oom (const gchar *doing) G_GNUC_NORETURN;
+@@ -172,6 +181,8 @@ test_connect (Fixture *f,
+ {
+ char *address;
+
++ f->initial_fds = _dbus_check_fdleaks_enter ();
++
+ g_assert (f->left_server_conn == NULL);
+ g_assert (f->right_server_conn == NULL);
+
+@@ -835,6 +846,9 @@ teardown (Fixture *f,
+ if (f->fd_before >= 0 && close (f->fd_before) < 0)
+ g_error ("%s", g_strerror (errno));
+ #endif
++
++ if (f->initial_fds != NULL)
++ _dbus_check_fdleaks_leave (f->initial_fds);
+ }
+
+ int
diff --git a/main/devicemaster-linux-vanilla/APKBUILD b/main/devicemaster-linux-vanilla/APKBUILD
index b0ae6cbadc..5bbcf9f019 100644
--- a/main/devicemaster-linux-vanilla/APKBUILD
+++ b/main/devicemaster-linux-vanilla/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/dnsmasq/APKBUILD b/main/dnsmasq/APKBUILD
index cb61ea892a..395843cff3 100644
--- a/main/dnsmasq/APKBUILD
+++ b/main/dnsmasq/APKBUILD
@@ -2,6 +2,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 2.80-r4:
+# - CVE-2019-14834
# 2.79-r0:
# - CVE-2017-15107
# 2.78-r0:
@@ -15,7 +17,7 @@
#
pkgname=dnsmasq
pkgver=2.80
-pkgrel=3
+pkgrel=4
pkgdesc="A lightweight DNS, DHCP, RA, TFTP and PXE server"
url="http://www.thekelleys.org.uk/dnsmasq/"
arch="all"
@@ -29,6 +31,7 @@ source="http://www.thekelleys.org.uk/dnsmasq/$pkgname-$pkgver.tar.gz
$pkgname.initd
$pkgname.confd
uncomment-conf-dir.patch
+ CVE-2019-14834.patch
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -76,4 +79,5 @@ dnssec() {
sha512sums="da50030ac96617fbb7d54d5ef02d2ed1e14ec1ebe0df49bc23a1509381bc1644cf6fb95ff72ed15e0ad1e9bd6aa11ec6e4dcabec8ebb152da0d84f9a4408565b dnsmasq-2.80.tar.gz
a7d64a838d10f4f69e0f2178cf66f0b3725901696e30df9e8e3e09f2afd7c86e9d95af64d2b63ef66f18b8a637397b7015573938df9ad961e2b36c391c3ac579 dnsmasq.initd
9a401bfc408bf1638645c61b8ca734bea0a09ef79fb36648ec7ef21666257234254bbe6c73c82cc23aa1779ddcdda0e6baa2c041866f16dfb9c4e0ba9133eab8 dnsmasq.confd
-01e9e235e667abda07675009fb1947547863e0bb0256393c5a415978e2a49c1007585c7f0b51e8decce79c05e6f2ced3f400b11343feaa4de9b2e524f74a1ee3 uncomment-conf-dir.patch"
+01e9e235e667abda07675009fb1947547863e0bb0256393c5a415978e2a49c1007585c7f0b51e8decce79c05e6f2ced3f400b11343feaa4de9b2e524f74a1ee3 uncomment-conf-dir.patch
+d4d11945578430da629d7a38b00eb552cd95b1c438a0b85b63ba637ed19b4283623e39692f48146132b7cb5d453eaa3c07680f1514017d8d458e347153215a9b CVE-2019-14834.patch"
diff --git a/main/dnsmasq/CVE-2019-14834.patch b/main/dnsmasq/CVE-2019-14834.patch
new file mode 100644
index 0000000000..5f60f5f1d9
--- /dev/null
+++ b/main/dnsmasq/CVE-2019-14834.patch
@@ -0,0 +1,46 @@
+From 69bc94779c2f035a9fffdb5327a54c3aeca73ed5 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 14 Aug 2019 20:44:50 +0100
+Subject: [PATCH] Fix memory leak in helper.c
+
+Thanks to Xu Mingjie <xumingjie1995@outlook.com> for spotting this.
+---
+ src/helper.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/helper.c b/src/helper.c
+index 33ba120..c392eec 100644
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -80,7 +80,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+ pid_t pid;
+ int i, pipefd[2];
+ struct sigaction sigact;
+-
++ unsigned char *alloc_buff = NULL;
++
+ /* create the pipe through which the main program sends us commands,
+ then fork our process. */
+ if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
+@@ -186,11 +187,16 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+ struct script_data data;
+ char *p, *action_str, *hostname = NULL, *domain = NULL;
+ unsigned char *buf = (unsigned char *)daemon->namebuff;
+- unsigned char *end, *extradata, *alloc_buff = NULL;
++ unsigned char *end, *extradata;
+ int is6, err = 0;
+ int pipeout[2];
+
+- free(alloc_buff);
++ /* Free rarely-allocated memory from previous iteration. */
++ if (alloc_buff)
++ {
++ free(alloc_buff);
++ alloc_buff = NULL;
++ }
+
+ /* we read zero bytes when pipe closed: this is our signal to exit */
+ if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
+--
+1.7.10.4
+
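Review bot: The guard in `if (alloc_buff) { free(alloc_buff); alloc_buff = NULL; }` is redundant, since `free(NULL)` is defined to be a no-op; `free(alloc_buff); alloc_buff = NULL;` says the same in two lines and removes a branch the reader has to reason about. The substantive fix is hoisting `alloc_buff` out of the per-request block so the pointer survives to the next iteration, and the `= NULL` reset is what prevents a double free when a later iteration does not allocate, so that part should stay. Whatever later allocates into `alloc_buff` lies outside the hunk.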
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index 06a19558fc..3d7caebb5a 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -4,10 +4,10 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dovecot
-pkgver=2.3.6
+pkgver=2.3.10.1
_pkgvermajor=2.3
pkgrel=0
-_pigeonholever=0.5.5
+_pigeonholever=0.5.10
_pigeonholevermajor=${_pigeonholever%.*}
pkgdesc="IMAP and POP3 server"
url="https://www.dovecot.org/"
@@ -68,6 +68,14 @@ builddir="$srcdir/$pkgname-$pkgver"
_builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"
# secfixes:
+# 2.3.10.1-r0:
+# - CVE-2020-10957
+# - CVE-2020-10958
+# - CVE-2020-10967
+# - CVE-2020-7046
+# - CVE-2020-7957
+# 2.3.7.2-r0:
+# - CVE-2019-11500
# 2.3.6-r0:
# - CVE-2019-11499
# - CVE-2019-11494
@@ -301,8 +309,8 @@ _submv() {
done
}
-sha512sums="ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2 dovecot-2.3.6.tar.gz
-21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 dovecot-2.3-pigeonhole-0.5.5.tar.gz
+sha512sums="5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 dovecot-2.3.10.1.tar.gz
+f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b dovecot-2.3-pigeonhole-0.5.10.tar.gz
fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch
794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch
0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch
diff --git a/main/drbd9-vanilla/APKBUILD b/main/drbd9-vanilla/APKBUILD
index 9fea34ad1b..ae51e4c86f 100644
--- a/main/drbd9-vanilla/APKBUILD
+++ b/main/drbd9-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kabi="$_kver-$_krel-$_flavor"
_kpkgver="$_kver-r$_krel"
diff --git a/main/dropbear/APKBUILD b/main/dropbear/APKBUILD
index 570be69730..8d0fb472be 100644
--- a/main/dropbear/APKBUILD
+++ b/main/dropbear/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dropbear
pkgver=2018.76
-pkgrel=2
+pkgrel=3
pkgdesc="small SSH 2 client/server designed for small memory environments"
url="http://matt.ucc.asn.au/dropbear/dropbear.html"
arch="all"
@@ -23,9 +23,12 @@ source="https://matt.ucc.asn.au/dropbear/releases/${pkgname}-${pkgver}.tar.bz2
dropbear-0.53.1-static_build_fix.patch
dropbear-options_sftp-server_path.patch
CVE-2018-15599.patch
+ CVE-2018-20685.patch
"
# secfixes:
+# 2018.76-r3:
+# - CVE-2018-20685
# 2018.76-r2:
# - CVE-2018-15599
@@ -89,4 +92,5 @@ sha512sums="82323279f7e78c366ba1ea07ff242259132b2576122429f54326518dd6092aba8ae5
83f2c1eaf7687917a4b2bae7d599d4378c4bd64f9126ba42fc5d235f2b3c9a474d1b3168d70ed64bb4101cc251d30bc9ae20604da9b5d819fcd635ee4d0ebb0f dropbear.confd
c9b0f28eb9653de21da4e8646fc27870a156112bce3d8a13baa6154ebf4baada3dee4f75bd5fdf5b6cd24a43fb80fb009e917d139d9e65d35118b082de0ebfbf dropbear-0.53.1-static_build_fix.patch
e11456ec3bc7e1265727c8921a6eb6151712a9a498c7768e2d4b7f9043256099457cebf29b2d47dd61eb260746d97f4b19e9429443bda1c3e441ea50ced79b48 dropbear-options_sftp-server_path.patch
-f204c2ee5aea8c0962573c4c49479ac17e9f6a9ab9ce21060a252b449323be841c1e64460f0e191fc72c6e213ffe829544418715d120a8f6c40de7b6374428e0 CVE-2018-15599.patch"
+f204c2ee5aea8c0962573c4c49479ac17e9f6a9ab9ce21060a252b449323be841c1e64460f0e191fc72c6e213ffe829544418715d120a8f6c40de7b6374428e0 CVE-2018-15599.patch
+6f17cf2b344b97457d2e0c1588fd285fac9757aa5e46aa2c103783978cc5fd9f7085aba36e7409270380d1250a277b43b0f5ff860d157148c6c28a0bbcbdce4c CVE-2018-20685.patch"
diff --git a/main/dropbear/CVE-2018-20685.patch b/main/dropbear/CVE-2018-20685.patch
new file mode 100644
index 0000000000..a8ea2af85b
--- /dev/null
+++ b/main/dropbear/CVE-2018-20685.patch
@@ -0,0 +1,23 @@
+From 8f8a3dff705fad774a10864a2e3dbcfa9779ceff Mon Sep 17 00:00:00 2001
+From: Haelwenn Monnier <contact+github.com@hacktivis.me>
+Date: Mon, 25 May 2020 14:54:29 +0200
+Subject: [PATCH] scp.c: Port OpenSSH CVE-2018-20685 fix (#80)
+
+---
+ scp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scp.c b/scp.c
+index 742ae00f..7b8e7d22 100644
+--- a/scp.c
++++ b/scp.c
+@@ -935,7 +935,8 @@ sink(int argc, char **argv)
+ size = size * 10 + (*cp++ - '0');
+ if (*cp++ != ' ')
+ SCREWUP("size not delimited");
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ } \ No newline at end of file
diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD
index 572cecd8c6..aacb951b4f 100644
--- a/main/e2fsprogs/APKBUILD
+++ b/main/e2fsprogs/APKBUILD
@@ -2,23 +2,28 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=e2fsprogs
pkgver=1.44.5
-pkgrel=0
+pkgrel=2
pkgdesc="Standard Ext2/3/4 filesystem utilities"
url="http://e2fsprogs.sourceforge.net"
arch="all"
license="GPL-2.0-or-later LGPL-2.0 BSD-3-Clause MIT"
-depends=""
depends_dev="util-linux-dev"
options="!check"
makedepends="$depends_dev linux-headers"
subpackages="$pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra"
-source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz
+source="https://www.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v$pkgver/e2fsprogs-$pkgver.tar.xz
gnuc-prereq.patch
+ CVE-2019-5094.patch
+ CVE-2019-5188.patch
"
-builddir="$srcdir/$pkgname-$pkgver"
-build () {
- cd "$builddir"
+# secfixes:
+# 1.44.5-r2:
+# - CVE-2019-5188
+# 1.44.5-r1:
+# - CVE-2019-5094
+
+build() {
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -34,7 +39,6 @@ build () {
}
package() {
- cd "$builddir"
make -j1 MKDIR_P="install -d" DESTDIR="$pkgdir" install install-libs
mv "$pkgdir"/sbin/* "$pkgdir"/usr/sbin/
local i; for i in e2fsck mke2fs mkfs.* fsck.*; do
@@ -65,6 +69,7 @@ extra() {
rmdir "$pkgdir"/lib
mv "$pkgdir"/usr "$subpkgdir"/
}
-
sha512sums="c0faec90b2be81460d374c150be917cd6beb1d10dc7cd0c6c4747de19de9af1763e90d48aec5b3c0fbff1b59bf79a35f93536cd52e68d1e45d4db610e158bb2e e2fsprogs-1.44.5.tar.xz
-155340b6fec21419fa9ca27ff1bd8e12f679013dd82f4dc0cd1feae2dbf143a942d6d4427a1e966e68fa37ecb282880ff5d07a3760ee8d6ac7f7c5e34a276735 gnuc-prereq.patch"
+155340b6fec21419fa9ca27ff1bd8e12f679013dd82f4dc0cd1feae2dbf143a942d6d4427a1e966e68fa37ecb282880ff5d07a3760ee8d6ac7f7c5e34a276735 gnuc-prereq.patch
+72e7d8199ea071802fbe74fbb2153253e5460412b115e03750ecac46d298aeb73bd8e7610a2d5b8be83b7125080c7e9e23d9b71baee1c7a4f68026344106a922 CVE-2019-5094.patch
+3147433f58b283faa46ca950921d814de832dc8e33cf5042c7e86078738f256ccf7be40b918ba11a467d04761ffcac85e12a8de4d86e745bca84f0198ba2f176 CVE-2019-5188.patch"
diff --git a/main/e2fsprogs/CVE-2019-5094.patch b/main/e2fsprogs/CVE-2019-5094.patch
new file mode 100644
index 0000000000..d350b3f294
--- /dev/null
+++ b/main/e2fsprogs/CVE-2019-5094.patch
@@ -0,0 +1,190 @@
+diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c
+index 0b9e766..ddb5312 100644
+--- a/lib/support/mkquota.c
++++ b/lib/support/mkquota.c
+@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype,
+ err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data);
+ if (err) {
+ log_debug("Error scanning dquots");
++ *usage_inconsistent = 1;
+ goto out_close_qh;
+ }
+
+diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c
+index a7c2028..6cc4fb5 100644
+--- a/lib/support/quotaio_tree.c
++++ b/lib/support/quotaio_tree.c
+@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct quota_handle *h, qid_t id)
+ return dquot;
+ }
+
++static int check_reference(struct quota_handle *h, unsigned int blk)
++{
++ if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) {
++ log_err("Illegal reference (%u >= %u) in %s quota file",
++ blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
++ quota_type2name(h->qh_type));
++ return -1;
++ }
++ return 0;
++}
++
+ /*
+ * Scan all dquots in file and call callback on each
+ */
+@@ -558,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
+ int entries, i;
+
+ if (!buf)
+- return 0;
++ return -1;
+
+ set_bit(bitmap, blk);
+ read_blk(dquot->dq_h, blk, buf);
+@@ -580,23 +591,12 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
+ return entries;
+ }
+
+-static void check_reference(struct quota_handle *h, unsigned int blk)
+-{
+- if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks)
+- log_err("Illegal reference (%u >= %u) in %s quota file. "
+- "Quota file is probably corrupted.\n"
+- "Please run e2fsck (8) to fix it.",
+- blk,
+- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
+- quota_type2name(h->qh_type));
+-}
+-
+ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
+ char *bitmap,
+ int (*process_dquot) (struct dquot *, void *),
+ void *data)
+ {
+- int entries = 0, i;
++ int entries = 0, ret, i;
+ dqbuf_t buf = getdqbuf();
+ __le32 *ref = (__le32 *) buf;
+
+@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
+ if (depth == QT_TREEDEPTH - 1) {
+ for (i = 0; i < QT_BLKSIZE >> 2; i++) {
+ blk = ext2fs_le32_to_cpu(ref[i]);
+- check_reference(dquot->dq_h, blk);
+- if (blk && !get_bit(bitmap, blk))
+- entries += report_block(dquot, blk, bitmap,
+- process_dquot, data);
++ if (check_reference(dquot->dq_h, blk)) {
++ entries = -1;
++ goto errout;
++ }
++ if (blk && !get_bit(bitmap, blk)) {
++ ret = report_block(dquot, blk, bitmap,
++ process_dquot, data);
++ if (ret < 0) {
++ entries = ret;
++ goto errout;
++ }
++ entries += ret;
++ }
+ }
+ } else {
+ for (i = 0; i < QT_BLKSIZE >> 2; i++) {
+ blk = ext2fs_le32_to_cpu(ref[i]);
+ if (blk) {
+- check_reference(dquot->dq_h, blk);
+- entries += report_tree(dquot, blk, depth + 1,
+- bitmap, process_dquot,
+- data);
++ if (check_reference(dquot->dq_h, blk)) {
++ entries = -1;
++ goto errout;
++ }
++ ret = report_tree(dquot, blk, depth + 1,
++ bitmap, process_dquot,
++ data);
++ if (ret < 0) {
++ entries = ret;
++ goto errout;
++ }
++ entries += ret;
+ }
+ }
+ }
++errout:
+ freedqbuf(buf);
+ return entries;
+ }
+@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h,
+ int (*process_dquot) (struct dquot *, void *),
+ void *data)
+ {
++ int ret;
+ char *bitmap;
+ struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi;
+ struct qtree_mem_dqinfo *info = &v2info->dqi_qtree;
+@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h,
+ ext2fs_free_mem(&dquot);
+ return -1;
+ }
+- v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap,
+- process_dquot, data);
++ ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data);
++ if (ret < 0)
++ goto errout;
++ v2info->dqi_used_entries = ret;
+ v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks);
++ ret = 0;
++errout:
+ ext2fs_free_mem(&bitmap);
+ ext2fs_free_mem(&dquot);
+- return 0;
++ return ret;
+ }
+diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c
+index 38be2a3..7390667 100644
+--- a/lib/support/quotaio_v2.c
++++ b/lib/support/quotaio_v2.c
+@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt)
+ static int v2_init_io(struct quota_handle *h)
+ {
+ struct v2_disk_dqinfo ddqinfo;
++ struct v2_mem_dqinfo *info;
++ __u64 filesize;
+
+ h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size =
+ sizeof(struct v2r1_disk_dqblk);
+@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h)
+ sizeof(ddqinfo)) != sizeof(ddqinfo))
+ return -1;
+ v2_disk2memdqinfo(&h->qh_info, &ddqinfo);
++
++ /* Check to make sure quota file info is sane */
++ info = &h->qh_info.u.v2_mdqi;
++ if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize))
++ return -1;
++ if ((filesize > (1U << 31)) ||
++ (info->dqi_qtree.dqi_blocks >
++ (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) {
++ log_err("Quota inode %u corrupted: file size %llu; "
++ "dqi_blocks %u", h->qh_qf.ino,
++ filesize, info->dqi_qtree.dqi_blocks);
++ return -1;
++ }
++ if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) {
++ log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u",
++ h->qh_qf.ino, info->dqi_qtree.dqi_free_blk,
++ info->dqi_qtree.dqi_blocks);
++ return -1;
++ }
++ if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) {
++ log_err("Quota inode %u corrupted: free_entry %u; "
++ "dqi_blocks %u", h->qh_qf.ino,
++ info->dqi_qtree.dqi_free_entry,
++ info->dqi_qtree.dqi_blocks);
++ return -1;
++ }
+ return 0;
+ }
+
+
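Review bot: After this patch an allocation failure inside the scan is indistinguishable from corruption: `report_block` now returns -1 when `getdqbuf()` yields NULL, `report_tree` and `qtree_scan_dquots` propagate that -1 unchanged, and `quota_compare_and_update` then sets `*usage_inconsistent = 1`, so an out-of-memory condition would make e2fsck conclude the quota file is inconsistent and rewrite it. If that is acceptable it deserves a comment at the `if (!buf) return -1;` site, e.g. `/* treat allocation failure like a corrupt tree: caller will rebuild the quota file */`; otherwise a distinct return code for the OOM case would let the caller bail out instead. Separately, this patch file carries no provenance line, unlike the sibling patches in this commit that quote the upstream commit or a `Source:` URL; a one-line header naming the upstream commit would make the abbreviated `index` hashes traceable.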
diff --git a/main/e2fsprogs/CVE-2019-5188.patch b/main/e2fsprogs/CVE-2019-5188.patch
new file mode 100644
index 0000000000..d60b118ac3
--- /dev/null
+++ b/main/e2fsprogs/CVE-2019-5188.patch
@@ -0,0 +1,51 @@
+diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
+index 5693b9c..bca701c 100644
+--- a/e2fsck/pass1b.c
++++ b/e2fsck/pass1b.c
+@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
+ fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
+ if (ctx->inode_bad_map)
+ ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
++ if (ctx->inode_reg_map)
++ ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
++ ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
++ ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
+ ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
+ quota_data_sub(ctx->qctx, &dp->inode, ino,
+ pb.dup_blocks * fs->blocksize);
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index a5fc1be..2c908be 100644
+--- a/e2fsck/rehash.c
++++ b/e2fsck/rehash.c
+@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
+ dir_offset += rec_len;
+ if (dirent->inode == 0)
+ continue;
++ if ((name_len) == 0) {
++ fd->err = EXT2_ET_DIR_CORRUPTED;
++ return BLOCK_ABORT;
++ }
+ if (!fd->compress && (name_len == 1) &&
+ (dirent->name[0] == '.'))
+ continue;
+@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
+ continue;
+ }
+ new_len = ext2fs_dirent_name_len(ent->dir);
++ if (new_len == 0) {
++ /* should never happen */
++ ext2fs_unmark_valid(fs);
++ continue;
++ }
+ memcpy(new_name, ent->dir->name, new_len);
+ mutate_name(new_name, &new_len);
+ for (j=0; j < fd->num_array; j++) {
+@@ -1019,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
+ if (!ext2fs_u32_list_iterate(iter, &ino))
+ break;
+ }
++ if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
++ continue;
+
+ pctx.dir = ino;
+ if (first) {
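Review bot: In `delete_file` the new `ext2fs_unmark_inode_bitmap2` calls on `inode_dir_map` and `inode_used_map` are unguarded while the neighbouring `inode_bad_map` and `inode_reg_map` calls are wrapped in NULL checks; if those two maps can be absent at this point as the guarded ones evidently can, this dereferences NULL on the very path the fix adds. The `/* should never happen */` in `duplicate_search_and_fix` could say why, since the visible `fill_dir_block` change is what establishes it: `/* should never happen: fill_dir_block rejects zero-length names with EXT2_ET_DIR_CORRUPTED */`. Minor style: `if ((name_len) == 0)` has a redundant pair of parentheses. Both `delete_file` and `e2fsck_rehash_directories` start and end outside the hunks.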
diff --git a/main/exiv2/APKBUILD b/main/exiv2/APKBUILD
index 1b9add3976..b359399104 100644
--- a/main/exiv2/APKBUILD
+++ b/main/exiv2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=exiv2
pkgver=0.26
-pkgrel=0
+pkgrel=1
pkgdesc="Exif and Iptc metadata manipulation library and tools."
url="http://exiv2.org"
arch="all"
@@ -14,8 +14,13 @@ subpackages="$pkgname-dev $pkgname-doc"
source="http://exiv2.org/releases/exiv2-$pkgver-trunk.tar.gz
0000-pthread-init-fix.patch
0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
+ CVE-2019-17402.patch
"
+# secfixes:
+# 0.26-r1:
+# - CVE-2019-17402
+
builddir="$srcdir"/exiv2-trunk
prepare() {
default_prepare
@@ -38,4 +43,5 @@ package() {
sha512sums="d1e9cab886e279b045768dd9ec781f07d2d36d573119403d0b76dc571442173aae6972f86ec55c3ea53fb3ee9ca3571eb8fd63a2a6643a970852813e88634a86 exiv2-0.26-trunk.tar.gz
9721d359708c385be7c86a8f8a63de43b05b2578a29b4339861e82873aa81a98a7ee7252847b6c55529341187d40f552c488589b416fd9d1e27418925929c018 0000-pthread-init-fix.patch
-485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch"
+485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
+b408ec85b5aa0fde6e08a277292ebde90f25b31605ba29039464e217c7f249d9ffeebfef9dc187955663d0b02ccafc020c16c4a5342cd38483816a1f9038c2d0 CVE-2019-17402.patch"
diff --git a/main/exiv2/CVE-2019-17402.patch b/main/exiv2/CVE-2019-17402.patch
new file mode 100644
index 0000000000..c6b5166adb
--- /dev/null
+++ b/main/exiv2/CVE-2019-17402.patch
@@ -0,0 +1,32 @@
+From cb2467834d118ae11526f7d24a699799ce5c4912 Mon Sep 17 00:00:00 2001
+From: Jens Georg <mail@jensge.org>
+Date: Sun, 6 Oct 2019 15:05:20 +0200
+Subject: [PATCH 1/2] crwimage: Check offset and size against total size
+
+Corrupted or specially crafted CRW images might exceed the overall
+buffersize.
+
+Fixes #1019
+
+(cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b)
+---
+ src/crwimage.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/crwimage.cpp b/src/crwimage.cpp
+index 989c0eb8..a0978aaf 100644
+--- a/src/crwimage.cpp
++++ b/src/crwimage.cpp
+@@ -448,6 +448,9 @@ namespace Exiv2 {
+ #ifdef DEBUG
+ std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
+ #endif
++ if (this->offset() + this->size() > size)
++ throw Error(26);
++
+ readDirectory(pData + offset(), this->size(), byteOrder);
+ #ifdef DEBUG
+ std::cout << "<---- 0x" << std::hex << tag() << "\n";
+--
+2.24.1
+
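Review bot: The added bound `this->offset() + this->size() > size` is itself overflow-prone if `offset()` and `size()` are 32-bit unsigned values taken from the CIFF header (their types are not visible here): a crafted pair that wraps past zero passes the check and `readDirectory` still reads out of bounds. The overflow-safe form is `if (this->offset() > size || this->size() > size - this->offset()) throw Error(26);`. The subject line reads `[PATCH 1/2]`, so the upstream series has a second part; it is worth confirming whether that part is also needed for CVE-2019-17402, since only this one is wired into the APKBUILD. The enclosing function starts and ends outside the hunk.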
diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD
index 14438038dd..5cf21bacae 100644
--- a/main/expat/APKBUILD
+++ b/main/expat/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=expat
-pkgver=2.2.7
+pkgver=2.2.8
pkgrel=0
pkgdesc="An XML Parser library written in C"
url="http://www.libexpat.org/"
@@ -12,10 +12,12 @@ subpackages="$pkgname-dev $pkgname-doc"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.2.7-r1:
+# - CVE-2019-15903
# 2.2.7-r0:
-# - CVE-2018-20843
+# - CVE-2018-20843
# 2.2.0-r1:
-# - CVE-2017-9233
+# - CVE-2017-9233
build() {
cd "$builddir"
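Review bot: The new secfixes entry names `2.2.7-r1`, but this commit moves the package straight from `2.2.7-r0` to `2.2.8-r0`, so the version it claims as first-fixed is never built; secdb consumers key on that string, so it should read `# 2.2.8-r0:` followed by `# - CVE-2019-15903`. The commit also adds `main/expat/CVE-2019-15903.patch`, yet as far as the visible hunks show it is neither in `source=` nor in `sha512sums` (only the 2.2.8 tarball is listed), so it is never applied; since 2.2.8 ships the same `allowClosingDoctype` change upstream the file can simply be dropped.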
@@ -37,4 +39,4 @@ package() {
make DESTDIR="$pkgdir/" install
}
-sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2"
+sha512sums="b1c995320d3eb406fe98e87fad204cc1336a74fb70c3ce3876d16ab955507863c3ee406ab10f0e8b63ed51cda0f7da4df0039626990fc2710f41c589c04b4022 expat-2.2.8.tar.bz2"
diff --git a/main/expat/CVE-2019-15903.patch b/main/expat/CVE-2019-15903.patch
new file mode 100644
index 0000000000..bfba7a87b4
--- /dev/null
+++ b/main/expat/CVE-2019-15903.patch
@@ -0,0 +1,80 @@
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9c0987f..b8656ca 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -405,7 +405,7 @@ initializeEncoding(XML_Parser parser);
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+ const char *end, int tok, const char *next, const char **nextPtr,
+- XML_Bool haveMore);
++ XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+ XML_Bool betweenDecl);
+@@ -4232,7 +4232,7 @@ externalParEntProcessor(XML_Parser parser,
+
+ parser->m_processor = prologProcessor;
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error PTRCALL
+@@ -4282,7 +4282,7 @@ prologProcessor(XML_Parser parser,
+ const char *next = s;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error
+@@ -4293,7 +4293,7 @@ doProlog(XML_Parser parser,
+ int tok,
+ const char *next,
+ const char **nextPtr,
+- XML_Bool haveMore)
++ XML_Bool haveMore, XML_Bool allowClosingDoctype)
+ {
+ #ifdef XML_DTD
+ static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+@@ -4472,6 +4472,11 @@ doProlog(XML_Parser parser,
+ }
+ break;
+ case XML_ROLE_DOCTYPE_CLOSE:
++ if (allowClosingDoctype != XML_TRUE) {
++ /* Must not close doctype from within expanded parameter entities */
++ return XML_ERROR_INVALID_TOKEN;
++ }
++
+ if (parser->m_doctypeName) {
+ parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
+ parser->m_doctypeSysid, parser->m_doctypePubid, 0);
+@@ -5409,7 +5414,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity,
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_FALSE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5456,7 +5461,7 @@ internalEntityProcessor(XML_Parser parser,
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_FALSE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5483,7 +5488,7 @@ internalEntityProcessor(XML_Parser parser,
+ parser->m_processor = prologProcessor;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+
diff --git a/main/faad2/APKBUILD b/main/faad2/APKBUILD
index 3c1b4402af..cbf45a4b1f 100644
--- a/main/faad2/APKBUILD
+++ b/main/faad2/APKBUILD
@@ -1,23 +1,38 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=faad2
-pkgver=2.7
-pkgrel=8
+pkgver=2.9.0
+_pkgver="${pkgver//./_}"
+pkgrel=0
pkgdesc="ISO AAC audio decoder"
-url="http://www.audiocoding.com/"
+url="https://github.com/knik0/faad2"
arch="all"
options="!check" # No test suite.
license="GPL-2.0+"
subpackages="$pkgname-dev $pkgname-doc"
depends=
makedepends="autoconf automake libtool"
-source="https://downloads.sourceforge.net/sourceforge/faac/$pkgname-$pkgver.tar.bz2
- automake.patch"
+source="$pkgname-$pkgver.tar.gz::https://github.com/knik0/faad2/archive/$_pkgver.tar.gz"
+builddir="$srcdir/$pkgname-$_pkgver"
-prepare() {
- cd "$builddir"
- update_config_sub
- default_prepare
-}
+# secfixes:
+# 2.9.0-r0:
+# - CVE-2019-6956
+# - CVE-2018-20196
+# - CVE-2018-20199
+# - CVE-2018-20360
+# - CVE-2018-20362
+# - CVE-2018-19504
+# - CVE-2018-20195
+# - CVE-2018-20198
+# - CVE-2018-20358
+# - CVE-2018-20194
+# - CVE-2018-19503
+# - CVE-2018-20197
+# - CVE-2018-20357
+# - CVE-2018-20359
+# - CVE-2018-20361
+# - CVE-2019-15296
+# - CVE-2018-19502
build() {
cd "$builddir"
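Review bot: The new `source=` fetches `https://github.com/knik0/faad2/archive/$_pkgver.tar.gz`, a GitHub auto-generated archive whose bytes are not guaranteed stable across server-side compression changes, so the pinned sha512 can start failing without any upstream change; if the project publishes a release asset, prefer that URL, otherwise a comment such as `# autogenerated archive: re-verify the checksum against a fresh download if the build breaks` warns the next maintainer. The second hunk also drops the `install -m644 common/mp4ff/mp4ff_int_types.h` line, so the `-dev` subpackage no longer ships that header; if any dependent in aports includes it, that is an API removal worth calling out in the commit message.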
@@ -37,8 +52,6 @@ build() {
package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
- install -m644 common/mp4ff/mp4ff_int_types.h "$pkgdir"/usr/include/mp4ff_int_types.h
}
-sha512sums="0934aa9b752b5d86879d94156dea02595e2428340d0cf44202ffea369895b21a9aadbb4833a39212c9a79429b409eb108706b1f523bfddd32809b53730d50947 faad2-2.7.tar.bz2
-0b66cfa240529a2139b47cb8dc87c4b43a451b906d66ef7d211fb509358b1493ceee13894516c2f552b33eae74640910e97957caa49dade2597ebd9777152a9e automake.patch"
+sha512sums="1756b2672f9e438a56b11160ddc77fc721d85860eaa325a3ff01b51a2524baf4c1c61068a97cbc4e99d47e7643f10e1d6afb997eede3295b44551fe4661fb5dc faad2-2.9.0.tar.gz"
diff --git a/main/faad2/automake.patch b/main/faad2/automake.patch
deleted file mode 100644
index 809031eb00..0000000000
--- a/main/faad2/automake.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- ./configure.in.orig 2012-12-31 10:42:26.394219312 +0000
-+++ ./configure.in 2012-12-31 10:42:43.294360781 +0000
-@@ -25,7 +25,7 @@
- AC_PROG_MAKE_SET
- AC_CHECK_PROGS(RPMBUILD, rpmbuild, rpm)
-
--AM_CONFIG_HEADER(config.h)
-+AC_CONFIG_HEADER(config.h)
-
- AC_ARG_WITH(xmms,[ --with-xmms compile XMMS-1 plugin],
- WITHXMMS=$withval, WITHXMMS=no)
diff --git a/main/file/APKBUILD b/main/file/APKBUILD
index 684863757a..51d2062f22 100644
--- a/main/file/APKBUILD
+++ b/main/file/APKBUILD
@@ -2,16 +2,20 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=file
pkgver=5.36
-pkgrel=0
+pkgrel=1
pkgdesc="File type identification utility"
url="http://www.darwinsys.com/file"
arch="all"
license="BSD-2-Clause"
subpackages="$pkgname-dev $pkgname-doc libmagic"
-source="ftp://ftp.astron.com/pub/file/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.astron.com/pub/file/$pkgname-$pkgver.tar.gz
+ CVE-2019-18218.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 5.36-r1:
+# - CVE-2019-18218
# 5.36-r0:
# - CVE-2019-8904
# - CVE-2019-8905
@@ -44,4 +48,5 @@ libmagic() {
mv "$pkgdir"/usr/lib "$pkgdir"/usr/share "$subpkgdir"/usr
}
-sha512sums="3ec5e51ffb7a82defa74845a90fbc983f6e169fc116606049bc01ff6e720d340c8abf6eb7a08b9ac1099162a5c02deac3633b07b039d486344c8abd9052ca751 file-5.36.tar.gz"
+sha512sums="3ec5e51ffb7a82defa74845a90fbc983f6e169fc116606049bc01ff6e720d340c8abf6eb7a08b9ac1099162a5c02deac3633b07b039d486344c8abd9052ca751 file-5.36.tar.gz
+d70c5d298db7f70c45feaeebb077f076e6f1b5bcccb85926afeead64838436fd42681541d56f4fbe35b97dd76bfdbf3abf2665894c18999b37d2ca3fe2f2cf17 CVE-2019-18218.patch"
diff --git a/main/file/CVE-2019-18218.patch b/main/file/CVE-2019-18218.patch
new file mode 100644
index 0000000000..e7eba44922
--- /dev/null
+++ b/main/file/CVE-2019-18218.patch
@@ -0,0 +1,40 @@
+Source: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
+
+diff --git a/src/cdf.c b/src/cdf.c
+index 556a3ff..8bb0a6d 100644
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -1013,8 +1013,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ goto out;
+ }
+ nelements = CDF_GETUINT32(q, 1);
+- if (nelements == 0) {
+- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
++ DPRINTF(("CDF_VECTOR with nelements == %"
++ SIZE_T_FORMAT "u\n", nelements));
+ goto out;
+ }
+ slen = 2;
+@@ -1056,8 +1057,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ goto out;
+ inp += nelem;
+ }
+- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+- nelements));
+ for (j = 0; j < nelements && i < sh.sh_properties;
+ j++, i++)
+ {
+diff --git a/src/cdf.h b/src/cdf.h
+index 2f7e554..0505666 100644
+--- a/src/cdf.h
++++ b/src/cdf.h
+@@ -48,6 +48,7 @@
+ typedef int32_t cdf_secid_t;
+
+ #define CDF_LOOP_LIMIT 10000
++#define CDF_ELEMENT_LIMIT 100000
+
+ #define CDF_SECID_NULL 0
+ #define CDF_SECID_FREE -1
+
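Review bot: `CDF_ELEMENT_LIMIT` is introduced in `cdf.h` with no explanation of the value or of what it guards, while the adjacent `CDF_LOOP_LIMIT` at least reads as a loop bound by name; a one-line comment such as `/* cap on CDF_VECTOR element counts; bounds the per-element allocation and scan loop in cdf_read_property_info() */` would tell the next reader why a fixed 100000 was chosen rather than a check against the remaining stream length. The `DPRINTF` uses `SIZE_T_FORMAT` for `nelements`, which is only correct if `nelements` is declared `size_t` rather than the `uint32_t` that `CDF_GETUINT32` suggests; its declaration is outside the hunk, so please confirm. `cdf_read_property_info` starts and ends outside the hunk.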
diff --git a/main/flite/APKBUILD b/main/flite/APKBUILD
index 57c379462f..2fbf4b84e7 100644
--- a/main/flite/APKBUILD
+++ b/main/flite/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=flite
pkgver=2.1
-pkgrel=0
+pkgrel=1
pkgdesc="Small, fast speech synthesis engine (text-to-speech)"
url="http://www.speech.cs.cmu.edu/flite"
arch="all"
@@ -12,7 +12,8 @@ depends_dev=
makedepends="$depends_dev"
install=""
subpackages="$pkgname-dev"
-source="http://www.festvox.org/$pkgname/packed/$pkgname-$pkgver/$pkgname-$pkgver-release.tar.bz2"
+source="http://www.festvox.org/$pkgname/packed/$pkgname-$pkgver/$pkgname-$pkgver-release.tar.bz2
+ fix-internal-linking.patch"
builddir="$srcdir/$pkgname-$pkgver-release"
build() {
@@ -55,4 +56,5 @@ Cflags: -I\${includedir}/flite/
EOF
}
-sha512sums="e9ef9ca4b6920178634d94bbe6e21a8b0ec471b010b07e6cc961ed2d120acb944c8e1d268fe26188f7dfe43fb7bd4bdff7fa53b2d2f12029d37e08d0316620d2 flite-2.1-release.tar.bz2"
+sha512sums="e9ef9ca4b6920178634d94bbe6e21a8b0ec471b010b07e6cc961ed2d120acb944c8e1d268fe26188f7dfe43fb7bd4bdff7fa53b2d2f12029d37e08d0316620d2 flite-2.1-release.tar.bz2
+3794f7b6520ab11e5fd2e6e8dc2ce630f0bcb26ea42f94778e410c08f50e3b4c9c6388e60c15deb545df0d8a83f0299fc75766a606f040c13f68ae2f38b6a5df fix-internal-linking.patch"
diff --git a/main/flite/fix-internal-linking.patch b/main/flite/fix-internal-linking.patch
new file mode 100644
index 0000000000..b1883bb7ad
--- /dev/null
+++ b/main/flite/fix-internal-linking.patch
@@ -0,0 +1,90 @@
+From 6e3c1a2fa29c066f7d1a25037a1f61cd295ac3af Mon Sep 17 00:00:00 2001
+From: Paul Gevers <elbrus@debian.org>
+Date: Tue, 2 Jan 2018 19:58:18 +0100
+Subject: [PATCH] Improve internal linking
+
+Building packages in Debian uses a tool to link libraries together at the
+package level. It emits warnings when unknonw symbols are found. E.g:
+
+dpkg-shlibdeps: warning: symbol us_tokentowords used by debian/libflite1/usr/lib/x86_64-linux-gnu/libflite_cmu_indic_lang.so.2.0.0 found in none of the libraries
+---
+ config/common_make_rules | 2 +-
+ main/Makefile | 16 ++++++++++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/config/common_make_rules b/config/common_make_rules
+index 7a03785..34434fd 100644
+--- a/config/common_make_rules
++++ b/config/common_make_rules
+@@ -123,7 +123,7 @@ $(LIBDIR)/%.so: $(LIBDIR)/%.shared.a
+ @ rm -rf shared_os && mkdir shared_os
+ @ rm -f $@ $@.${PROJECT_VERSION} $@.${PROJECT_SHLIB_VERSION}
+ @ (cd shared_os && ar x ../$<)
+- @ (cd shared_os && $(CC) -shared -Wl,-soname,`basename $@`.${PROJECT_SHLIB_VERSION} -o ../$@.${PROJECT_VERSION} *.os)
++ @ (cd shared_os && $(CC) -shared -Wl,-soname,`basename $@`.${PROJECT_SHLIB_VERSION} -o ../$@.${PROJECT_VERSION} *.os $(LDFLAGS))
+ @ (cd $(LIBDIR) && ln -s `basename $@.${PROJECT_VERSION}` `basename $@.${PROJECT_SHLIB_VERSION}` )
+ @ (cd $(LIBDIR) && ln -s `basename $@.${PROJECT_SHLIB_VERSION}` `basename $@` )
+ @ rm -rf shared_os
+diff --git a/main/Makefile b/main/Makefile
+index ff422e0..47b6344 100644
+--- a/main/Makefile
++++ b/main/Makefile
+@@ -54,7 +54,8 @@ ALL = shared_libs \
+ VOICES=$(VOXES)
+ VOICELIBS=$(VOICES:%=flite_%)
+
+-flite_LIBS = $(VOICELIBS) $(LANGS:%=flite_%) $(LEXES:%=flite_%) flite
++flite_MODS = $(VOICELIBS) $(LANGS:%=flite_%) $(LEXES:%=flite_%)
++flite_LIBS = flite $(flite_MODS)
+
+ flite_LIBS_flags = -L$(LIBDIR) $(flite_LIBS:%=-l%)
+ flite_LIBS_deps = $(flite_LIBS:%=$(LIBDIR)/lib%.a)
+@@ -65,6 +66,10 @@ include $(TOP)/config/common_make_rules
+ # so make clean can remove them
+ SHAREDARLIBS= $(flite_LIBS:%=$(LIBDIR)/lib%.shared.a)
+ SHAREDLIBS = $(SHAREDARLIBS:%.shared.a=%.so)
++SHAREDMODS = $(flite_MODS:%=$(LIBDIR)/lib%.so)
++SHAREDusenMODS = $(LIBDIR)/libflite_cmu_time_awb.so $(LIBDIR)/libflite_cmu_us_awb.so $(LIBDIR)/libflite_cmu_us_kal16.so $(LIBDIR)/libflite_cmu_us_kal.so $(LIBDIR)/libflite_cmu_us_rms.so $(LIBDIR)/libflite_cmu_us_slt.so $(LIBDIR)/libflite_cmu_indic_lang.so
++SHAREDcmulexMODS = $(LIBDIR)/libflite_cmu_time_awb.so $(LIBDIR)/libflite_cmu_us_awb.so $(LIBDIR)/libflite_cmu_us_kal16.so $(LIBDIR)/libflite_cmu_us_kal.so $(LIBDIR)/libflite_cmu_us_rms.so $(LIBDIR)/libflite_cmu_us_slt.so $(LIBDIR)/libflite_cmu_indic_lex.so
++SHAREDindicMODS = $(LIBDIR)/libflite_cmu_indic_lex.so
+ VERSIONSHAREDLIBS = $(SHAREDLIBS:%=%.${PROJECT_VERSION}) \
+ $(SHAREDLIBS:%=%.${PROJECT_SHLIB_VERSION})
+
+@@ -79,7 +84,14 @@ LOCAL_CLEAN = $(BINDIR)/flite$(EXEEXT) $(BINDIR)/flite_time$(EXEEXT) \
+ flite_voice_list.c
+
+ ifdef SHFLAGS
+-flite_LIBS_flags += -Wl,-rpath $(LIBDIR)
++$(SHAREDMODS): $(LIBDIR)/libflite.so
++$(SHAREDMODS): LDFLAGS+=-L../$(LIBDIR) -lflite
++$(SHAREDusenMODS): $(LIBDIR)/libflite_usenglish.so
++$(SHAREDusenMODS): LDFLAGS+=-L../$(LIBDIR) -lflite_usenglish
++$(SHAREDcmulexMODS): $(LIBDIR)/libflite_cmulex.so
++$(SHAREDcmulexMODS): LDFLAGS+=-L../$(LIBDIR) -lflite_cmulex
++$(SHAREDindicMODS): $(LIBDIR)/libflite_cmu_indic_lang.so
++$(SHAREDindicMODS): LDFLAGS+=-L../$(LIBDIR) -lflite_cmu_indic_lang
+ shared_libs: $(SHAREDLIBS)
+ else
+ shared_libs: nothing
+From d673f65b2c4a8cd3da7447079309a6dc4bcf1a5e Mon Sep 17 00:00:00 2001
+From: Alan W Black <awb@cs.cmu.edu>
+Date: Sun, 4 Mar 2018 08:55:40 -0500
+Subject: [PATCH] get libs in the right order
+
+---
+ main/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/main/Makefile b/main/Makefile
+index 47b6344..1da18a8 100644
+--- a/main/Makefile
++++ b/main/Makefile
+@@ -55,7 +55,7 @@ VOICES=$(VOXES)
+ VOICELIBS=$(VOICES:%=flite_%)
+
+ flite_MODS = $(VOICELIBS) $(LANGS:%=flite_%) $(LEXES:%=flite_%)
+-flite_LIBS = flite $(flite_MODS)
++flite_LIBS = $(flite_MODS) flite
+
+ flite_LIBS_flags = -L$(LIBDIR) $(flite_LIBS:%=-l%)
+ flite_LIBS_deps = $(flite_LIBS:%=$(LIBDIR)/lib%.a)
diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD
index e9cd6a3d67..38ef6fe8a0 100644
--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -5,7 +5,7 @@
pkgname=freeradius
_realname=freeradius
pkgver=3.0.17
-pkgrel=5
+pkgrel=6
pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
url="http://freeradius.org/"
arch="all"
@@ -33,10 +33,13 @@ source="ftp://ftp.freeradius.org/pub/freeradius/$_realname-server-$pkgver.tar.gz
fix-scopeid.patch
freeradius-313-default-config.patch
CVE-2019-11234-5.patch
+ CVE-2019-10143.patch
"
builddir="$srcdir"/$_realname-server-$pkgver
# secfixes:
+# 3.0.17-r6:
+# - CVE-2019-10143
# 3.0.17-r5:
# - CVE-2019-11234
# - CVE-2019-11235
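Review bot: The patch added here only edits logrotate snippets under `debian/`, `redhat/`, `suse/` and `scripts/logrotate/`; whether any of them is actually installed by the Alpine package depends on `package()`, which is outside these hunks. If the package installs its own logrotate file instead, the `su radiusd radiusd` directive needs to go into that file for the `3.0.17-r6: CVE-2019-10143` secfixes entry to be backed by something shipped; otherwise the claim should be dropped or noted as not applicable.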
@@ -290,4 +293,5 @@ ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a74202
c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch
41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234 fix-scopeid.patch
666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e freeradius-313-default-config.patch
-05b19e1b4d43eac3ddb2f1d62a31bedb2e3386bdafc0253506304d46e6ea41f1bf798c28d3b1207341c4c9d17de0775a9ca8aa2b9c27a90c92d21c0a73ee6477 CVE-2019-11234-5.patch"
+05b19e1b4d43eac3ddb2f1d62a31bedb2e3386bdafc0253506304d46e6ea41f1bf798c28d3b1207341c4c9d17de0775a9ca8aa2b9c27a90c92d21c0a73ee6477 CVE-2019-11234-5.patch
+5506cc095553c2024319f0818fd317c02c0aa52f306b506e44f661f2f600874426118decdc2313a2da8313bff3578d364262f947faa9198595a830764a336b57 CVE-2019-10143.patch"
diff --git a/main/freeradius/CVE-2019-10143.patch b/main/freeradius/CVE-2019-10143.patch
new file mode 100644
index 0000000000..528550aa82
--- /dev/null
+++ b/main/freeradius/CVE-2019-10143.patch
@@ -0,0 +1,94 @@
+From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 7 May 2019 16:04:29 -0400
+Subject: [PATCH] su to radiusd user/group when rotating logs
+
+The su directive to logrotate ensures that log rotation happens under the
+owner of the logs. Otherwise, logrotate runs as root:root, potentially
+enabling privilege escalation if a RCE is discovered against the
+FreeRADIUS daemon.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ debian/freeradius.logrotate | 3 +++
+ redhat/freeradius-logrotate | 1 +
+ scripts/logrotate/freeradius | 3 +++
+ suse/radiusd-logrotate | 1 +
+ 4 files changed, 8 insertions(+)
+
+diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
+index 7d837d53bd..a8d29b7adf 100644
+--- a/debian/freeradius.logrotate
++++ b/debian/freeradius.logrotate
+@@ -9,6 +9,7 @@
+ notifempty
+
+ copytruncate
++ su freerad freerad
+ }
+
+ # (in order)
+@@ -26,6 +27,7 @@
+ notifempty
+
+ nocreate
++ su freerad freerad
+ }
+
+ # There are different detail-rotating strategies you can use. One is
+@@ -45,4 +47,5 @@
+ notifempty
+
+ nocreate
++ su freerad freerad
+ }
+diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate
+index 360765ddc4..bb97ca5547 100644
+--- a/redhat/freeradius-logrotate
++++ b/redhat/freeradius-logrotate
+@@ -9,6 +9,7 @@ rotate 4
+ missingok
+ compress
+ delaycompress
++su radiusd radiusd
+
+ #
+ # The main server log
+diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius
+index 3de435e76e..eecf63175a 100644
+--- a/scripts/logrotate/freeradius
++++ b/scripts/logrotate/freeradius
+@@ -17,6 +17,7 @@
+ notifempty
+
+ copytruncate
++ su radiusd radiusd
+ }
+
+ # (in order)
+@@ -34,6 +35,7 @@
+ notifempty
+
+ nocreate
++ su radiusd radiusd
+ }
+
+ # There are different detail-rotating strategies you can use. One is
+@@ -53,4 +55,5 @@
+ notifempty
+
+ nocreate
++ su radiusd radiusd
+ }
+diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate
+index 24d56be1a9..be5a797684 100644
+--- a/suse/radiusd-logrotate
++++ b/suse/radiusd-logrotate
+@@ -11,6 +11,7 @@ missingok
+ compress
+ delaycompress
+ notifempty
++su radiusd radiusd
+
+ #
+ # The main server log
diff --git a/main/freetds/APKBUILD b/main/freetds/APKBUILD
index 0337a839df..2e3143a4de 100644
--- a/main/freetds/APKBUILD
+++ b/main/freetds/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=freetds
pkgver=1.00.104
-pkgrel=0
+pkgrel=1
pkgdesc="Tabular Datastream Library"
url="http://www.freetds.org"
arch="all"
@@ -11,10 +11,15 @@ makedepends="openssl-dev linux-headers readline-dev unixodbc-dev"
subpackages="$pkgname-doc $pkgname-dev"
source="http://www.freetds.org/files/stable/$pkgname-$pkgver.tar.bz2
fix-includes.patch
+ CVE-2019-13508.patch
"
builddir="$srcdir/$pkgname-$pkgver"
options="!check" # tests require running SQL server http://www.freetds.org/userguide/confirminstall.htm#TESTS
+# secfixes:
+# 1.1.6-r1:
+# - CVE-2019-13508
+
build() {
cd "$builddir"
./configure \
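Review bot: The secfixes entry reads `# 1.1.6-r1:` but the package is `pkgver=1.00.104` with `pkgrel=1`, so the version it records does not exist in this branch and the secdb will not map the fix to the package being built; it should read `# 1.00.104-r1:`. Placing the block directly after `options=` is fine, but the convention elsewhere in this commit is to keep `# secfixes:` immediately before `build()`, which it is here.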
@@ -42,4 +47,5 @@ package() {
}
sha512sums="6467437ccc2d59edd0baffe9a93a16407a5d74695d339625b0f9c4b138eb3dee432f38ad3753f6bb3ee24d3fb8887ce455b3d8ded4759358798c8d422f16dd19 freetds-1.00.104.tar.bz2
-d75d1aab6687586697f3e430db1e82f21208f10076b45996542eea682e36cbbbb344f479a9336fcfd294b5b87d7acb2ec5fb8ddd1914e990e23dd5e7ae93a0b6 fix-includes.patch"
+d75d1aab6687586697f3e430db1e82f21208f10076b45996542eea682e36cbbbb344f479a9336fcfd294b5b87d7acb2ec5fb8ddd1914e990e23dd5e7ae93a0b6 fix-includes.patch
+d654640796c64bdae87f91e43701d689f9ba7b8c28cd21b07b58d0e0b9033d46a4b67e4a71a44ff1a793661c89d1bfb9e4ce5b52397ea8e898d0481b2afa5000 CVE-2019-13508.patch"
diff --git a/main/freetds/CVE-2019-13508.patch b/main/freetds/CVE-2019-13508.patch
new file mode 100644
index 0000000000..fa7df8dab1
--- /dev/null
+++ b/main/freetds/CVE-2019-13508.patch
@@ -0,0 +1,30 @@
+From 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Tue, 9 Jul 2019 09:26:43 +0100
+Subject: [PATCH] tds: Make sure UDT has varint set to 8
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+---
+ src/tds/data.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/tds/data.c b/src/tds/data.c
+index c10ebe1ca..0c5e90f95 100644
+--- a/src/tds/data.c
++++ b/src/tds/data.c
+@@ -1425,6 +1425,7 @@ tds_clrudt_get_info(TDSSOCKET * tds, TDSCOLUMN * col)
+ tds_get_string(tds, tds_get_usmallint(tds), NULL, 0);
+
+ col->column_size = 0x7ffffffflu;
++ col->column_varint_size = 8;
+
+ return TDS_SUCCESS;
+ }
+@@ -1432,6 +1433,7 @@ tds_clrudt_get_info(TDSSOCKET * tds, TDSCOLUMN * col)
+ TDS_INT
+ tds_clrudt_row_len(TDSCOLUMN *col)
+ {
++ col->column_varint_size = 8;
+ /* TODO save other fields */
+ return sizeof(TDSBLOB);
+ }
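Review bot: The assignment `col->column_varint_size = 8;` appears twice, and the copy inside `tds_clrudt_row_len` turns a length accessor into a function that mutates the column; if the `tds_clrudt_get_info` assignment is not sufficient (presumably because some columns reach `row_len` without going through `get_info`), a comment at the second site saying so would stop a future cleanup from removing it, e.g. `/* also set here: columns built without tds_clrudt_get_info() must still read the PLP 8-byte length */` with the PLP wording confirmed against the reader. The meaning of the value 8 is not visible here, so a note naming the varint reader it selects would help too. `tds_clrudt_get_info` starts outside the hunk.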
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index c4363e5414..bcee7aed1d 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=freetype
pkgver=2.9.1
-pkgrel=2
+pkgrel=3
pkgdesc="TrueType font rendering library"
url="https://www.freetype.org/"
arch="all"
@@ -15,9 +15,12 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.bz2
0001-Enable-table-validation-modules.patch
subpixel.patch
+ CVE-2020-15999.patch
"
# secfixes:
+# 2.9.1-r3:
+# - CVE-2020-15999
# 2.9-r1:
# - CVE-2018-6942
# 2.7.1-r1:
@@ -56,4 +59,5 @@ package() {
sha512sums="856766e1f3f4c7dc8afb2b5ee991138c8b642c6a6e5e007cd2bc04ae58bde827f082557cf41bf541d97e8485f7fd064d10390d1ee597f19d1daed6c152e27708 freetype-2.9.1.tar.bz2
41a84be2631b53072a76b78c582575aa48b650ee7b00017d018381002bc25df10cf33da4954c95ef50db39f1fa566678e3b4ae9bfee1dfd705423fb53e53e494 0001-Enable-table-validation-modules.patch
-6206ecbf733e47beeacd8dcec747be46ee74beffe9955ba11d61ccd81a7da6fe4bef81e15f2da8a57ded6245dc41b865f1297f120c2e332f643a43e18db99394 subpixel.patch"
+6206ecbf733e47beeacd8dcec747be46ee74beffe9955ba11d61ccd81a7da6fe4bef81e15f2da8a57ded6245dc41b865f1297f120c2e332f643a43e18db99394 subpixel.patch
+fe697a15777b44bb36c705aa4e13f352329c418de89e3d457381d0852ca2931dfa6d6b6ebc6c59322ba2af94e956f06a31e25f0d57db139f5ba2ce79fa5a8fd9 CVE-2020-15999.patch"
diff --git a/main/freetype/CVE-2020-15999.patch b/main/freetype/CVE-2020-15999.patch
new file mode 100644
index 0000000000..067aa7e460
--- /dev/null
+++ b/main/freetype/CVE-2020-15999.patch
@@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+
+ if ( populate_map_and_metrics )
+ {
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
++
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+
+@@ -340,13 +347,6 @@
+ map->pixel_mode = FT_PIXEL_MODE_BGRA;
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+-
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+ }
+
+ /* convert palette/gray image to rgb */
+--
+cgit v1.2.1
+
+
diff --git a/main/fribidi/APKBUILD b/main/fribidi/APKBUILD
index c433c60d89..0f613ff45e 100644
--- a/main/fribidi/APKBUILD
+++ b/main/fribidi/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=fribidi
pkgver=1.0.5
-pkgrel=0
+pkgrel=1
pkgdesc="Free Implementation of the Unicode Bidirectional Algorithm"
url="https://github.com/fribidi/fribidi"
arch="all"
@@ -9,9 +9,15 @@ license="LGPL-2.0-or-later"
subpackages="$pkgname-doc $pkgname-dev"
depends=""
makedepends=""
-source="https://github.com/fribidi/fribidi/releases/download/v$pkgver/fribidi-$pkgver.tar.bz2"
+source="https://github.com/fribidi/fribidi/releases/download/v$pkgver/fribidi-$pkgver.tar.bz2
+ CVE-2019-18397.patch::https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 1.0.5-r1:
+# - CVE-2019-18397
+
build() {
cd "$builddir"
./configure \
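Review bot: The new `CVE-2019-18397.patch::https://github.com/fribidi/fribidi/commit/034c6e9a….patch` source pulls the fix from GitHub's on-the-fly patch renderer instead of a file checked into the aport, which is what every other package in this change does. The sha512 added in the checksum hunk below does pin the bytes, but GitHub's generated `.patch` output is not guaranteed to stay byte-stable, so the pin can start failing with no upstream change, and there is no local copy to review alongside the APKBUILD. I'd vendor the patch as `CVE-2019-18397.patch` next to the APKBUILD and list it by bare name in `source=`.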
@@ -34,4 +40,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="c8fb32468be4c461832d586d6c6af65fad1cfe9d5b2fed405f247d6974425ccedeb21ad11609fbcabc3ae5d635d78d88c12d201a4d19ef997e9497054afcdeb2 fribidi-1.0.5.tar.bz2"
+sha512sums="c8fb32468be4c461832d586d6c6af65fad1cfe9d5b2fed405f247d6974425ccedeb21ad11609fbcabc3ae5d635d78d88c12d201a4d19ef997e9497054afcdeb2 fribidi-1.0.5.tar.bz2
+3d8efc59781c36203d618d3348b54fbfaff79306964e43c93d2cbe97d2e122c06a44aea519e3ea6ad78e46ecc37cf64975b8b89de0cb21048b89d0ce20e4ab46 CVE-2019-18397.patch"
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index 9a5ffe91c0..a8abc50656 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=gd
pkgver=2.2.5
-pkgrel=3
+pkgrel=4
_pkgreal=lib$pkgname
pkgdesc="Library for the dynamic creation of images by programmers"
url="https://libgd.github.io/"
@@ -13,7 +13,9 @@ makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev
subpackages="$pkgname-dev $_pkgreal:libs"
source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz
CVE-2018-1000222.patch
+ CVE-2018-14553.patch
CVE-2018-5711.patch
+ CVE-2019-11038.patch
CVE-2019-6977.patch
CVE-2019-6978.patch
"
@@ -23,12 +25,15 @@ case "$CARCH" in
esac
# secfixes:
+# 2.2.5-r3:
+# - CVE-2018-14553
+# - CVE-2019-11038
# 2.2.5-r2:
-# - CVE-2018-5711
-# - CVE-2019-6977
-# - CVE-2019-6978
+# - CVE-2018-5711
+# - CVE-2019-6977
+# - CVE-2019-6978
# 2.2.5-r1:
-# - CVE-2018-1000222
+# - CVE-2018-1000222
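Review bot: The secfixes header added at the top of this hunk files CVE-2018-14553 and CVE-2019-11038 under `2.2.5-r3`, but this same commit bumps pkgrel from 3 to 4 and is the one that adds the two patch files, so r3 was already published without them. A secdb generated from this block would then mark an unfixed release as fixed; the header should read `# 2.2.5-r4:`. The re-indentation of the older entries is cosmetic and fine.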
build() {
cd "$builddir"
@@ -62,6 +67,8 @@ dev() {
sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz
d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch
+9bf1677d69d04f41eba48b48e853ad706f3097edb1a96c3b681b516708be0ba199c463e7b3e44f52921e14028a7c4d74977d66e7f456b9f96d935ce9db342c0e CVE-2018-14553.patch
b23929f10ad75fa97d2ff797ef44d185cfe6de4f26b649e8e507b6fc41ebdb527ab4633d10df955c92d677428d9ed1707d9997954a1bcfb0070995191211d886 CVE-2018-5711.patch
+a56397fb310c94d4dc9c565dcec17ffd7411e1957ba45f1093e9fffad74192c244b1ef4f9d954c052f589fd5b4d1cc37ca5d53d8db569cee09a7bdc38bfc4eaf CVE-2019-11038.patch
5214ac4148c618f3fef3bb3b6675e41a76e31465cd8dac326ee99dc1ae4cfe760749997d2941743efa48e79b8dbdb536d6b6d79d9bc4e5363f2c50da52ab5cac CVE-2019-6977.patch
2f70f041b531a23d0bac5c5370a3fb135ca8facaa7baf1554baf35135cc9c6e21de9c09400d939e133ad090b9aa23fa901ea7b5cd9ea20d11edc38257601eb97 CVE-2019-6978.patch"
diff --git a/main/gd/CVE-2018-14553.patch b/main/gd/CVE-2018-14553.patch
new file mode 100644
index 0000000000..816bd9ccc9
--- /dev/null
+++ b/main/gd/CVE-2018-14553.patch
@@ -0,0 +1,32 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+
+diff --git a/src/gd.c b/src/gd.c
+index 592a0286..d564d1f9 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ }
+ }
+
+- if (src->styleLength > 0) {
+- dst->styleLength = src->styleLength;
+- dst->stylePos = src->stylePos;
+- for (i = 0; i < src->styleLength; i++) {
+- dst->style[i] = src->style[i];
+- }
+- }
+-
+ dst->interlace = src->interlace;
+
+ dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+
+ if (src->style) {
+ gdImageSetStyle(dst, src->style, src->styleLength);
++ dst->stylePos = src->stylePos;
+ }
+
+ for (i = 0; i < gdMaxColors; i++) {
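Review bot: The added `dst->stylePos = src->stylePos;` runs unconditionally after `gdImageSetStyle(dst, src->style, src->styleLength)`, whose body is outside the hunk and, as far as I recall, returns without allocating on an overflow or malloc failure. In that case dst is left with a NULL style and an inherited non-zero stylePos; the gdStyled draw path presumably checks `im->style` for NULL before indexing, but keeping the two fields consistent costs one line: `if (dst->style) dst->stylePos = src->stylePos;`. gdImageClone starts and ends outside the hunk.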
diff --git a/main/gd/CVE-2019-11038.patch b/main/gd/CVE-2019-11038.patch
new file mode 100644
index 0000000000..1ccb9c1c15
--- /dev/null
+++ b/main/gd/CVE-2019-11038.patch
@@ -0,0 +1,36 @@
+From e13a342c079aeb73e31dfa19eaca119761bac3f3 Mon Sep 17 00:00:00 2001
+From: Jonas Meurer <jonas@freesources.org>
+Date: Tue, 11 Jun 2019 12:16:46 +0200
+Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm
+ (CVE-2019-11038)
+
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
+Bug-Debian: https://bugs.debian.org/929821
+Bug: https://github.com/libgd/libgd/issues/501
+
+We have to ensure that `sscanf()` does indeed read a hex value here,
+and bail out otherwise.
+
+Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
+https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
+---
+ src/gd_xbm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 4ca41acf..cf0545ef 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ }
+ h[3] = ch;
+ }
+- sscanf(h, "%x", &b);
++ if (sscanf(h, "%x", &b) != 1) {
++ gd_error("invalid XBM");
++ gdImageDestroy(im);
++ return 0;
++ }
+ for (bit = 1; bit <= max_bit; bit = bit << 1) {
+ gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+ if (x == im->sx) {
diff --git a/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch b/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
new file mode 100644
index 0000000000..463ae601d7
--- /dev/null
+++ b/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
@@ -0,0 +1,436 @@
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Thu, 31 Jan 2019 11:31:30 -0800
+Subject: Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp).
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3839
+
+We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict
+where needed so we can undef it after the last PDF interp file has
+run (pdf_sec.ps).
+---
+ Resource/Init/pdf_base.ps | 11 ++++-----
+ Resource/Init/pdf_draw.ps | 59 +++++++++++++++++++++++------------------------
+ Resource/Init/pdf_font.ps | 9 ++++----
+ Resource/Init/pdf_main.ps | 25 ++++++++++----------
+ Resource/Init/pdf_ops.ps | 11 +++++----
+ Resource/Init/pdf_sec.ps | 4 +++-
+ 6 files changed, 60 insertions(+), 59 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index e35e0e3731d4..13dd51f46793 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -23,7 +23,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Define the name interpretation dictionary for reading values.
+@@ -133,11 +132,11 @@ currentdict /num-chars-dict .undef
+
+ /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
+ PDFDEBUG {
+- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
++ //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if
+ PDFSTEP {
+- pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
++ //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
+ PDFSTEPcount 1 gt {
+- pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
++ //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
+ } executeonly
+ {
+ dup ==only
+@@ -145,10 +144,10 @@ currentdict /num-chars-dict .undef
+ ( ? ) print flush 1 //false .outputpage
+ (%stdin) (r) file 255 string readline {
+ token {
+- exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
++ exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /PDFSTEPcount 1 .forceput
++ //pdfdict /PDFSTEPcount 1 .forceput
+ } executeonly ifelse % token
+ } {
+ pop /PDFSTEP //false def % EOF on stdin
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 36c41a9a30c2..2e39c87d207c 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -18,8 +18,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin
+ pdfdict begin
+
+ % For simplicity, we use a single interpretation dictionary for all
+@@ -113,7 +112,7 @@ pdfdict begin
+
+ /resolvefunction { % <fndict> resolvefunction <function>
+ .resolvefn
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /resolvefnproc { % <fndict> resolvefnproc <proc>
+@@ -1086,7 +1085,7 @@ currentdict end readonly def
+ %% finished running the PaintProc.
+
+ /.actual_pdfpaintproc { % <patdict> <resdict> .pdfpaintproc -
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
+ PDFfile fileposition 3 1 roll
+ q
+ 1 index /PaintType oget 1 eq {
+@@ -1121,21 +1120,21 @@ currentdict end readonly def
+ Q
+ }{
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1144,21 +1143,21 @@ currentdict end readonly def
+ } loop
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1169,7 +1168,7 @@ currentdict end readonly def
+ /pdfemptycount exch def
+
+ Q
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
+ PDFfile exch setfileposition
+ } bind executeonly odef
+
+@@ -1240,7 +1239,7 @@ currentdict end readonly def
+ ] cvx put
+ dup /BBox 2 copy knownoget { normrect FixPatternBBox put } { pop pop } ifelse
+ dup /.pattern_uses_transparency 1 index patternusestransparency put
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /ignore_color_op ( **** Error: Ignoring a color operation in a cached context.\n Output may be incorrect.\n) readonly def
+@@ -2361,16 +2360,16 @@ currentdict /last-ditch-bpc-csp undef
+ } bind executeonly def
+
+ /IncrementAppearanceNumber {
+- pdfdict /AppearanceNumber .knownget {
+- 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
++ //pdfdict /AppearanceNumber .knownget {
++ 1 add //pdfdict /AppearanceNumber 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /AppearanceNumber 0 .forceput
++ //pdfdict /AppearanceNumber 0 .forceput
+ } executeonly ifelse
+ }bind executeonly odef
+
+ /MakeAppearanceName {
+- pdfdict /AppearanceNumber get
++ //pdfdict /AppearanceNumber get
+ 10 string cvs
+ dup length 10 add string dup 0 (\{FormName) putinterval
+ dup 3 -1 roll
+@@ -2391,17 +2390,17 @@ currentdict /last-ditch-bpc-csp undef
+ gsave initclip
+ MakeNewAppearanceName
+ .pdfFormName
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
+- pdfdict /.PreservePDFForm true .forceput
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm true .forceput
+ DoForm
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ grestore
+ } bind executeonly odef
+
+ /DoForm {
+ %% save the current value, if its true we will set it to false later, in order
+ %% to prevent us preserving Forms which are used *from* an annotation /Appearance.
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
+
+ %% We may alter the Default* colour spaces, if the Resources
+ %% ColorSpace entry contains one of them. But we don't want that
+@@ -2516,13 +2515,13 @@ currentdict /last-ditch-bpc-csp undef
+ pdfemptycount countdictstack 3 -1 roll
+ /pdfemptycount count 4 sub store
+
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get}{//false} ifelse
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get}{//false} ifelse
+ {
+ %% We must *not* preserve any subsidiary forms (curently at least) as PDF
+ %% form preservation doesn't really work. This is used just for Annotation
+ %% Appearances currently, and if they should happen to use a form, we do not
+ %% want to preserve it.
+- pdfdict /.PreservePDFForm false .forceput
++ //pdfdict /.PreservePDFForm false .forceput
+ /q cvx /execform cvx 5 -2 roll
+ } executeonly
+ {
+@@ -2555,7 +2554,7 @@ currentdict /last-ditch-bpc-csp undef
+ saved_DCMYK /DefaultCMYK exch /ColorSpace defineresource pop
+ end
+ } if
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ } bind executeonly odef
+
+ /_dops_save 1 array def
+@@ -2714,13 +2713,13 @@ drawopdict begin
+ % Start by getting the object number for a Form XObject
+ dup Page /XObject obj_get dup 0 eq not {
+ % Now get the recording dictionary and see if that object number has been seen
+- pdfdict /Recursive_XObject_D get 1 index known {
++ //pdfdict /Recursive_XObject_D get 1 index known {
+ ( **** Error: Recursive XObject detected, ignoring ") print 1 index 256 string cvs print (", object number ) print 256 string cvs print (\n) print
+ ( Output may be incorrect.\n) pdfformaterror
+ //false
+ }{
+ % We haven't seen it yet, so record it.
+- pdfdict /Recursive_XObject_D get 1 index null put
++ //pdfdict /Recursive_XObject_D get 1 index null put
+ 3 1 roll
+ //true
+ }ifelse
+@@ -2758,7 +2757,7 @@ drawopdict begin
+ ( Output may be incorrect.\n) pdfformaterror
+ } ifelse
+ PDFfile exch setfileposition
+- pdfdict /Recursive_XObject_D get exch undef
++ //pdfdict /Recursive_XObject_D get exch undef
+ }{
+ % Otherwise ignore it and tidy up the stacks
+ pop pop
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 7e35c02ac132..6b09be61f8f2 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -37,8 +37,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin % from userdict at this point
+ pdfdict begin
+
+ % We cache the PostScript font in an additional element of the
+@@ -1227,11 +1226,11 @@ currentdict /eexec_pdf_param_dict .undef
+ .pdfruncontext
+ countdictstack BuildCharDictDepth sub
+ {
+- pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
++ //pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
+ {
+ (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ pdfformatwarning
+- pdfdict /.Qqwarning_issued //true .forceput
++ //pdfdict /.Qqwarning_issued //true .forceput
+ } executeonly if
+ Q
+ } repeat
+@@ -2361,7 +2360,7 @@ currentdict /bndef undef
+ dup //null eq
+ {pop}
+ {
+- pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
++ //pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
+ exch dup /.OrigUniqueIDXUID .knownget not
+ {
+ dup /XUID .knownget not
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 0a8929a2ac14..c1de1b0ef05c 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -18,8 +18,9 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
++/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it
++userdict /GS_PDF_ProcSet undef
+
+ % Patch in an obsolete variable used by some third-party software.
+ /#? //false def
+@@ -304,8 +305,8 @@ currentdict /runpdfstring .undef
+ /Page //null def
+ /DSCPageCount 0 def
+ /PDFSave //null def
+- GS_PDF_ProcSet begin
+- pdfdict begin
++ //pdfdict /GS_PDF_ProcSet get begin
++ //pdfdict begin
+ pdfopen begin
+ /CumulativePageCount currentpagedevice /PageCount get def
+ } bind executeonly def
+@@ -624,7 +625,7 @@ currentdict /runpdfstring .undef
+ %% copied to a temporary file) and store it in pdfdict. We will use this for
+ %% hashing fonts to detect if fonts with the same name are from different files.
+ %%
+- dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch pdfdict 3 1 roll .forceput
++ dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch //pdfdict 3 1 roll .forceput
+
+ //runpdfbegin exec
+ //pdf_collection_files exec
+@@ -1390,7 +1391,7 @@ currentdict /xref-char-dict undef
+ } bind executeonly def
+
+ /pdfopenfile { % <file> pdfopenfile <dict>
+- pdfdict readonly pop % can't do it any earlier than this
++ //pdfdict readonly pop % can't do it any earlier than this
+ 32 dict begin
+ /LocalResources 0 dict def
+ /DefaultQstate //null def % establish binding
+@@ -2717,21 +2718,21 @@ currentdict /PDF2PS_matrix_key undef
+ StreamRunAborted not {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -2743,8 +2744,8 @@ currentdict /PDF2PS_matrix_key undef
+ Repaired % pass Repaired state around the restore
+ RepairedAnError
+ PDFSave restore
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //false .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //false .forceput
+ .setglobal
+ /RepairedAnError exch def
+ /Repaired exch def
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index 34e2fbd5861a..46de547f7a98 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -24,6 +24,7 @@
+ systemdict /pdfmark known not
+ { userdict /pdfmark { cleartomark } bind executeonly put } if
+
++systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse
+ userdict /GS_PDF_ProcSet 256 dict dup begin
+
+ % ---------------- Abbreviations ---------------- %
+@@ -174,21 +175,21 @@ currentdict /gput_always_allow .undef
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+diff --git a/Resource/Init/pdf_sec.ps b/Resource/Init/pdf_sec.ps
+index d8cc94c86574..163dd687764e 100644
+--- a/Resource/Init/pdf_sec.ps
++++ b/Resource/Init/pdf_sec.ps
+@@ -39,7 +39,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Older ghostscript versions do not have .pdftoken, so we use 'token' instead.
+@@ -748,4 +747,7 @@ currentdict /PDFScanRules_null undef
+ } bind executeonly def
+
+ end % pdfdict
++
++systemdict /pdfdict .forceundef % hide pdfdict
++
+ .setglobal
+--
+2.11.0
+
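Review bot: In the pdf_ops.ps hunk, the new line `systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse` is unbalanced on its true branch as far as I can read it: `where` leaves `dict true` above the `systemdict` that was already pushed, so `{ pop }` discards only the dict and the `systemdict` stays on the operand stack, whereas the false branch consumes it via `put`. Since pdf_ops.ps is the first PDF interpreter file loaded, the true branch is presumably never taken in a normal init, so this is mostly a tidiness issue, but `{ pop pop }` would leave the stack clean on both paths. The line mirrors the upstream commit named in the Origin header, so it is probably better reported upstream than fixed by diverging the local patch.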
diff --git a/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch b/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
new file mode 100644
index 0000000000..5da83ab565
--- /dev/null
+++ b/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
@@ -0,0 +1,41 @@
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Mon, 18 Feb 2019 12:11:45 -0800
+Subject: Bug 700599: Issue an error message if an ExtGstate is not found.
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=be86d2ff2f0f0ea0e365707f3be0fa0c9e7315ee
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=700599
+
+Previously, this was silently ignored. Only issue a single warning,
+and respect PDFSTOPONERROR to prevent continuing with potentially
+incorrect output.
+
+Note that tests_private/pdf/uploads/bug696410.pdf also now gets this
+error message (ExtGState" instead of ExtGState in object 10).
+---
+ Resource/Init/pdf_draw.ps | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 75b5eb622b52..c0201ad65da2 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -494,7 +494,16 @@ end
+ dup {
+ oforce exch gsparamdict exch .knownget { exec } { pop } ifelse
+ } forall pop
+- } if
++ } {
++ //pdfdict /.gs_warning_issued known not {
++ (\n **** Error 'gs' ignored -- ExtGState missing from Resources.\n)
++ pdfformaterror
++ ( Output may be incorrect.\n) pdfformaterror
++ //pdfdict /.gs_warning_issued //true .forceput
++ PDFSTOPONERROR { /gs /undefined signalerror } if
++ } if
++ }
++ ifelse
+ } bind executeonly def
+
+ % ------ Transparency support ------ %
+--
+2.20.1
+
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index 84fa2799c4..978938f8b9 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.26
-pkgrel=2
+pkgrel=5
pkgdesc="An interpreter for the PostScript language and for PDF"
url="https://ghostscript.com/"
arch="all"
@@ -12,22 +12,34 @@ makedepends="autoconf automake libjpeg-turbo-dev libpng-dev jasper-dev expat-dev
cups-dev libtool jbig2dec-dev openjpeg-dev"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk"
source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostscript-$pkgver.tar.gz
- https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/0001-Bug700317-Address-.force-operators-exposure.tgz
CVE-2019-6116.patch
CVE-2019-3835.patch
CVE-2019-3838.patch
+ CVE-2019-10216.patch
ghostscript-system-zlib.patch
fix-sprintf.patch
+ CVE-2019-14811-14812-14813.patch
+ 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
+ 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
+ CVE-2019-14817.patch
+ CVE-2019-14869.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 9.26-r5:
+# - CVE-2019-14869
+# 9.26-r4:
+# - CVE-2019-14811
+# - CVE-2019-14812
+# - CVE-2019-14813
+# - CVE-2019-14817
+# 9.26-r3:
+# - CVE-2019-10216
# 9.26-r2:
# - CVE-2019-3835
# - CVE-2019-3838
# - CVE-2019-6116
-# 9.26-r1:
-# - CVE-2019-6116
# 9.26-r0:
# - CVE-2018-19409
# - CVE-2018-19475
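Review bot: The secfixes block extended here does not mention CVE-2019-3839, even though the newly listed `0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch` carries a `Bug-Debian-Security` header for exactly that CVE. Without an entry the Alpine secdb will keep reporting 9.26 as affected. Add `# - CVE-2019-3839` under the release that first shipped the patch — from this diff alone I cannot tell whether that was r4 or r5, so the maintainer should confirm. Folding the removed `9.26-r1` entry for CVE-2019-6116 into r2 looks intentional, since the tarball-based fix was replaced by `CVE-2019-6116.patch`.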
@@ -134,9 +146,14 @@ gtk() {
}
sha512sums="670159c23618ffafa85c671642bf182a107a82c053a1fd8c3f45f73f203524077be1b212d2ddbabae7892c7713922877e03b020f78bd2aab1ae582c4fc7d820a ghostscript-9.26.tar.gz
-289d916a0b0da410e6f721e42bc44659c91c66ca0f7b96b1a6b010ae1c25e47788e282edc3578b4e4b120a2c684c7b1fd4cc574084bdc9cbbf6e431a01fbae0e 0001-Bug700317-Address-.force-operators-exposure.tgz
+78564c1dd878cb6a924663cb5d61901a413a867dedc8753e537e08a4da9cc0aaeb817bab266fd66e5d0e871d9ed6078af6e6f455b5426e0917875682d76638f5 CVE-2019-6116.patch
31769852e75be4e1cd0e7c3f43cc7b3457bf9ba505fc2a5acda53779cc5626854bf15fef3e225f3d922f4038dd18c598dbac30abb863159202e4d0fe02c02d3b CVE-2019-3835.patch
dc3bd1de86e4a968ed35a35a125f682cffeed51fe4dbf9b3939dd78b07ef0748fe6b34816e689bcfffb4f819e51bcb5022f3151a5610aa24fd2468cdcbc665ea CVE-2019-3838.patch
-78564c1dd878cb6a924663cb5d61901a413a867dedc8753e537e08a4da9cc0aaeb817bab266fd66e5d0e871d9ed6078af6e6f455b5426e0917875682d76638f5 CVE-2019-6116.patch
+f89744b17922b7d9c04c6de69ce35fa621732e4373eccc158b7ff6a9e56d2cf0bbea30c28119f4808864ca584e94342e5125d7bcc6195252455b5f223f379e3f CVE-2019-10216.patch
70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch
-beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch"
+beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch
+b61a1c5d818c054463e606a9f85e4f4a308ac839f734d6200dfc3b74e3859ac64b23996ff1bf4c90a0ee95acf10dfa19d066fda0b6fb11689294d0dc4267689e CVE-2019-14811-14812-14813.patch
+8036fa8a7175546dc3aae8619c92fa38016a8be132bb2a3a01f16ba66b5d9c05581dba40c1f184380b43b4e0b079d3cace7e401f9ed5fd718f36fbe7038649bc 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
+26ad5e996d4724a1683083c1abfdd39ebf41f5e7478a061f5713e11f2ffaf3834fe52f29e03d585044c7536b1201a97626f3640324abdc3e90b6ecc2a2db399b 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
+63b7d1a30045e454eba0bcceba52fd402c5fd9313c0057100bb98d2e82c1d61cd404826f63c4b9d7e4fdf4935c71f09a9633d43edbcd0658fb5dc5e20afc6ca0 CVE-2019-14817.patch
+d0fc37c94abf1104ff5c17e0c36bd02799fa9b06b2f57d764bf79a0b6927cd8be8a59c58f40d3727954877f44754aa1b0ad6c3d8dc79bf3c6ae4991a7a56cf9e CVE-2019-14869.patch"
diff --git a/main/ghostscript/CVE-2019-10216.patch b/main/ghostscript/CVE-2019-10216.patch
new file mode 100644
index 0000000000..e8dfa05a94
--- /dev/null
+++ b/main/ghostscript/CVE-2019-10216.patch
@@ -0,0 +1,49 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
+
+---
+ Resource/Init/gs_type1.ps | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735b..a039cce 100644
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+ ( to be the same as glyph: ) print 1 index //== exec } if
+ 3 index exch 3 index .forceput
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+ {pop} ifelse
+- } forall
++ } executeonly forall
+ pop pop
+- }
++ } executeonly
+ {
+ pop pop pop
+ } ifelse
+- }
++ } executeonly
+ {
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ 3 1 roll pop pop
+- } if
++ } executeonly if
+ pop
+ dup /.AGLprocessed~GS //true .forceput
+- } if
++ } executeonly if
+
+ %% We need to excute the C .buildfont1 in a stopped context so that, if there
+ %% are errors we can put the stack back sanely and exit. Otherwise callers won't
+--
+2.9.1
+
diff --git a/main/ghostscript/CVE-2019-14811-14812-14813.patch b/main/ghostscript/CVE-2019-14811-14812-14813.patch
new file mode 100644
index 0000000000..a3d6b76c84
--- /dev/null
+++ b/main/ghostscript/CVE-2019-14811-14812-14813.patch
@@ -0,0 +1,69 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 20 Aug 2019 10:10:28 +0100
+Subject: make .forceput inaccessible
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701443
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14813
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701444
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14812
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701445
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14811
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+---
+ Resource/Init/gs_lev2.ps | 6 +++---
+ Resource/Init/gs_pdfwr.ps | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 4cc7f820f765..0fd4164650ab 100644
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+ {
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ % A context switch might have occurred during the above loop,
+ % causing the interpreter-level parameters to be reset.
+ % Set them again to the new values. From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+ { pop pop
+ }
+ ifelse
+- }
++ } executeonly
+ forall pop
+-} .bind odef
++} .bind executeonly odef
+
+ % Initialize the passwords.
+ % NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index c158a8faf540..422e66e1a6ca 100644
+--- a/Resource/Init/gs_pdfwr.ps
++++ b/Resource/Init/gs_pdfwr.ps
+@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
+ systemdict /.pdf_hooked_DSC_Creator //true .forceput
+ } executeonly if
+ pop
+- } if
++ } executeonly if
+ } {
+ pop
+ } ifelse
+- }
++ } executeonly
+ {
+ pop
+ } ifelse
+--
+2.23.0.rc1
+
diff --git a/main/ghostscript/CVE-2019-14817.patch b/main/ghostscript/CVE-2019-14817.patch
new file mode 100644
index 0000000000..80cdcecb8e
--- /dev/null
+++ b/main/ghostscript/CVE-2019-14817.patch
@@ -0,0 +1,218 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Aug 2019 10:10:51 +0100
+Subject: PDF interpreter - review .forceput security
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701450
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14817
+
+Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
+
+By abusing the error handler it was possible to get the PDFDEBUG portion
+of .pdfexectoken, which uses .forceput left readable.
+
+Add an executeonly appropriately to make sure that clause isn't readable
+no mstter what.
+
+Review all the uses of .forceput searching for similar cases, add
+executeonly as required to secure those. All cases in the PostScript
+support files seem to be covered already.
+---
+ Resource/Init/pdf_base.ps | 2 +-
+ Resource/Init/pdf_draw.ps | 14 +++++++-------
+ Resource/Init/pdf_font.ps | 29 ++++++++++++++++-------------
+ Resource/Init/pdf_main.ps | 6 +++---
+ Resource/Init/pdf_ops.ps | 11 ++++++-----
+ 5 files changed, 33 insertions(+), 29 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index 2e28cdd7181e..02503eef8bc4 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
+ {
+ dup ==only () = flush
+ } ifelse % PDFSTEP
+- } if % PDFDEBUG
++ } executeonly if % PDFDEBUG
+ 2 copy .knownget {
+ exch pop exch pop exch pop exec
+ } {
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 11eb485f2eb7..fe3fc56c4161 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -501,8 +501,8 @@ end
+ ( Output may be incorrect.\n) pdfformaterror
+ //pdfdict /.gs_warning_issued //true .forceput
+ PDFSTOPONERROR { /gs /undefined signalerror } if
+- } if
+- }
++ } executeonly if
++ } executeonly
+ ifelse
+ } bind executeonly def
+
+@@ -1152,7 +1152,7 @@ currentdict end readonly def
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+@@ -1160,8 +1160,8 @@ currentdict end readonly def
+ pdfformaterror
+ } executeonly ifelse
+ end
+- } ifelse
+- } loop
++ } executeonly ifelse
++ } executeonly loop
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ //pdfdict /.Qqwarning_issued .knownget
+@@ -1175,14 +1175,14 @@ currentdict end readonly def
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
++ } executeonly if
+ pop
+
+ % restore pdfemptycount
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 8b8fef8..86b1870 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -677,7 +677,7 @@ currentdict end readonly def
+ currentglobal 2 index dup gcheck setglobal
+ /FontInfo 5 dict dup 5 1 roll .forceput
+ setglobal
+- } if
++ } executeonly if
+ dup /GlyphNames2Unicode .knownget not {
+ //true % No existing G2U, make one
+ } {
+@@ -701,9 +701,9 @@ currentdict end readonly def
+ } if
+ PDFDEBUG {
+ (.processToUnicode end) =
+- } if
+- } if
+- } stopped
++ } executeonly if
++ } executeonly if
++ } executeonly stopped
+ {
+ .dstackdepth 1 countdictstack 1 sub
+ {pop end} for
+@@ -1298,19 +1300,20 @@ currentdict /eexec_pdf_param_dict .undef
+ //pdfdict /.Qqwarning_issued //true .forceput
+ } executeonly if
+ Q
+- } repeat
++ } executeonly repeat
+ Q
+- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ PDFfile exch setfileposition
+- } ifelse
+- } {
++ } executeonly ifelse
++ } executeonly
++ {
+ % PDF Type 3 fonts don't use .notdef
+ % d1 implementation adjusts the width as needed
+ 0 0 0 0 0 0
+ pdfopdict /d1 get exec
+ } ifelse
+ end end
+- } bdef
++ } executeonly bdef
+ dup currentdict Encoding .processToUnicode
+ currentdict end .completefont exch pop
+ } bind executeonly odef
+@@ -2124,9 +2127,9 @@ currentdict /CMap_read_dict undef
+ (Will continue, but content may be missing.) = flush
+ } ifelse
+ } if
+- } if
++ } executeonly if
+ /findresource cvx /undefined signalerror
+- } loop
++ } executeonly loop
+ } bind executeonly odef
+
+ /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 00d7e3682fd8..7690bae0f920 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -2771,15 +2771,15 @@ currentdict /PDF2PS_matrix_key undef
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
+- } if
++ } executeonly if
++ } executeonly if
+ pop
+ count PDFexecstackcount sub { pop } repeat
+ (after exec) VMDEBUG
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index a15c8c6770f7..d594035c066a 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -192,14 +192,14 @@ currentdict /gput_always_allow .undef
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
++ } executeonly if
+ } bind executeonly odef
+
+ % Save PDF gstate
+@@ -446,11 +446,12 @@ currentdict /gput_always_allow .undef
+ dup type /booleantype eq {
+ .currentSMask type /dicttype eq {
+ .currentSMask /Processed 2 index .forceput
++ } executeonly
++ {
++ .setSMask
++ }ifelse
+ } executeonly
+ {
+- .setSMask
+- }ifelse
+- }{
+ .setSMask
+ }ifelse
+
+--
+2.23.0.rc1
+
diff --git a/main/ghostscript/CVE-2019-14869.patch b/main/ghostscript/CVE-2019-14869.patch
new file mode 100644
index 0000000000..9b66436fa8
--- /dev/null
+++ b/main/ghostscript/CVE-2019-14869.patch
@@ -0,0 +1,58 @@
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 5 Nov 2019 09:45:27 +0000
+Subject: Bug 701841: remove .forceput from /.charkeys
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=485904772c5f0aa1140032746e5a0abfc40f4cef
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701841
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14869
+
+When loading Type 1 or Truetype fonts from disk, we attempt to extend the glyph
+name table to include all identifiable glyph names from the Adobe Glyph List.
+
+In the case of Type 1 fonts, the font itself (almost always) marks the
+CharStrings dictionary as read-only, hence we have to use .forceput for that
+case.
+
+But for Truetype fonts, the CharStrings dictionary is created internally and is
+not read-only until *after* we have fully populated it (including the extended
+glyph names from the AGL), hence there is no need for .forceput, and no need to
+carry the security risk of using it.
+
+Replace with regular put.
+[Salvatore Bonaccorso: Backport to 9.26a: Drop last hunck removing
+'executeonly' (hiding .forceput) as this was never added back in 9.26a. Thanks
+to Marc Deslauriers for pointing this out]
+---
+ Resource/Init/gs_ttf.ps | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
+index 74043d16b0cf..6be8fe9955cd 100644
+--- a/Resource/Init/gs_ttf.ps
++++ b/Resource/Init/gs_ttf.ps
+@@ -1304,7 +1304,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ TTFDEBUG { (\n1 setting alias: ) print dup ==only
+ ( to be the same as ) print 2 index //== exec } if
+
+- 7 index 2 index 3 -1 roll exch .forceput
++ 7 index 2 index 3 -1 roll exch put
+ } forall
+ pop pop pop
+ }
+@@ -1322,7 +1322,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ exch pop
+ TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
+ ( to use glyph index: ) print dup //== exec } if
+- 5 index 3 1 roll .forceput
++ 5 index 3 1 roll put
+ //false
+ }
+ {
+@@ -1339,7 +1339,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
+ TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
+ ( to be index: ) print dup //== exec } if
+- exch pop 5 index 3 1 roll .forceput
++ exch pop 5 index 3 1 roll put
+ }
+ {
+ pop pop
diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index 6d7c585d10..1d002fc278 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -2,18 +2,31 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
-# 2.19.1:
-# - CVE-2018-17456
-# 2.17.1:
-# - CVE-2018-11233
-# - CVE-2018-11235
-# 2.14.1:
-# - CVE-2017-1000117
+# 2.20.4-r0:
+# - CVE-2020-11008
+# 2.20.3-r0:
+# - CVE-2020-5260
+# 2.20.2-r0:
+# - CVE-2019-1348
+# - CVE-2019-1349
+# - CVE-2019-1350
+# - CVE-2019-1351
+# - CVE-2019-1352
+# - CVE-2019-1353
+# - CVE-2019-1354
+# - CVE-2019-1387
+# 2.19.1-r0:
+# - CVE-2018-17456
+# 2.17.1-r0:
+# - CVE-2018-11233
+# - CVE-2018-11235
+# 2.14.1-r0:
+# - CVE-2017-1000117
pkgname=git
-pkgver=2.20.1
+pkgver=2.20.4
pkgrel=0
pkgdesc="Distributed version control system"
-url="https://www.git-scm.com"
+url="https://www.git-scm.com/"
arch="all"
license="GPL-2.0-or-later"
depends=""
@@ -266,7 +279,7 @@ _perl_config() {
perl -e "use Config; print \$Config{$1};"
}
-sha512sums="3f05ea3a645d4d74c7380b03e2de39f893ff77a05d8b595ce30300d1d4e032f11d84952366096f8effd5fba18dfa5ebb946bc07a984eb7cbbda113cb88202f6c git-2.20.1.tar.xz
+sha512sums="271d0c238cb892ecef542e56ccbfc50cbc2bade12f4771f7aa1bacecfbcd15d116bd20986861101545be985aca3a45bc49fb63742ac48cac463e3564b243da08 git-2.20.4.tar.xz
85767b5e03137008d6a96199e769e3979f75d83603ac8cb13a3481a915005637409a4fd94e0720da2ec6cd1124f35eba7cf20109a94816c4b4898a81fbc46bd2 bb-tar.patch
89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd
fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec git-daemon.confd"
diff --git a/main/gnupg/APKBUILD b/main/gnupg/APKBUILD
index e77fa98576..f1ec77b519 100644
--- a/main/gnupg/APKBUILD
+++ b/main/gnupg/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gnupg
-pkgver=2.2.12
+pkgver=2.2.19
_ver=${pkgver/_beta/-beta}
pkgrel=0
pkgdesc="GNU Privacy Guard 2 - a PGP replacement tool"
@@ -23,6 +23,8 @@ install="$pkgname-scdaemon.pre-install"
builddir="$srcdir"/$pkgname-$_ver
# secfixes:
+# 2.2.19-r0:
+# - CVE-2019-14855
# 2.2.8-r0:
# - CVE-2018-12020
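Review bot: The new secfixes entry credits only CVE-2019-14855 to the jump from 2.2.12 to 2.2.19, but the intermediate upstream releases in that range also carried security fixes; if I recall the advisories correctly, 2.2.17 shipped the keyserver certificate-flooding hardening tracked as CVE-2019-13050, which would be fixed for the first time in this package by this bump. Please check the upstream release notes for 2.2.13 through 2.2.18 and list every CVE they closed under `# 2.2.19-r0:`, so the generated secdb reflects what this build actually fixes rather than only the latest issue.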
@@ -72,7 +74,7 @@ scdaemon() {
mv "${pkgdir}/usr/libexec/scdaemon" "${subpkgdir}/usr/libexec/"
}
-sha512sums="30de9757bb60a5cb6bf0dc2c8da5f4742c54affec3fcd0bcbf66f28f2812149afec5db70dcb6ba592101de4bdc479d1ba0b47c53c8b8d4765ddff32fa51c26c8 gnupg-2.2.12.tar.bz2
+sha512sums="d7700136ac9f0a8cf04b33da4023a42427fced648c2f90d76250c92904353b85fe728bdd89a713d847e8d38e5900c98d46075614492fdc3d1421f927a92f49dd gnupg-2.2.19.tar.bz2
c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch
b19a44dacf061dd02b439ab8bd820e3c721aab77168f705f5ce65661f26527b03ea88eec16d78486a633c474120589ec8736692ebff57ab9b95f52f57190ba6b fix-i18n.patch
4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules"
diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD
index 7e83be5b91..c355756693 100644
--- a/main/gnutls/APKBUILD
+++ b/main/gnutls/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gnutls
-pkgver=3.6.7
+pkgver=3.6.15
pkgrel=0
pkgdesc="A TLS protocol implementation"
url="https://www.gnutls.org/"
@@ -16,11 +16,16 @@ _v=${pkgver%.*}
case $pkgver in
*.*.*.*) _v=${_v%.*};;
esac
-source="https://www.gnupg.org/ftp/gcrypt/gnutls/v${_v}/gnutls-$pkgver.tar.xz
- tests-date-compat.patch"
-builddir="$srcdir/$pkgname-$pkgver"
+source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz
+ "
# secfixes:
+# 3.6.15-r0:
+# - CVE-2020-24659 GNUTLS-SA-2020-09-04
+# 3.6.14-r0:
+# - CVE-2020-13777 GNUTLS-SA-2020-06-03
+# 3.6.7-r1:
+# - CVE-2020-11501 GNUTLS-SA-2020-03-31
# 3.6.7-r0:
# - CVE-2019-3836
# - CVE-2019-3829
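Review bot: The secfixes block gains a `# 3.6.7-r1:` entry for CVE-2020-11501, yet this hunk shows the package going straight from 3.6.7-r0 to 3.6.15-r0 with `pkgrel=0` unchanged, so no 3.6.7-r1 was ever built on this branch. The secdb ordering still works because 3.6.15-r0 sorts above it, but the history is misleading; unless that release exists on another branch, fold the CVE under `# 3.6.15-r0:` alongside CVE-2020-24659 and CVE-2020-13777. The rewritten `source=` also leaves a line holding only indentation and the closing quote now that `tests-date-compat.patch` is gone; `source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz"` on a single line is the usual form.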
@@ -28,7 +33,6 @@ builddir="$srcdir/$pkgname-$pkgver"
# - CVE-2017-7507
build() {
- cd "$builddir"
LIBS="-lgmp" ./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -45,8 +49,6 @@ build() {
}
check() {
- cd "$builddir"
-
make check
}
@@ -67,5 +69,4 @@ xx() {
mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="ae9b8996eb9b7269d28213f0aca3a4a17890ba8d47e3dc3b8e754ab8e2b4251e9412aaaa161a8bf56167f04cc169b4cada46f55a7bde92b955eb36cd717a99f3 gnutls-3.6.7.tar.xz
-b9aefaca8a894b223b8bcc738524602e36edf6a49f458606235598470033c81b02e876bec18a41ac57760cb9644d44b4c35969be74d4a8120245fff716429531 tests-date-compat.patch"
+sha512sums="f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c gnutls-3.6.15.tar.xz"
diff --git a/main/gnutls/tests-date-compat.patch b/main/gnutls/tests-date-compat.patch
deleted file mode 100644
index 82e3314d29..0000000000
--- a/main/gnutls/tests-date-compat.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Busybox date does not support %N, this is GNU extension.
---- a/tests/scripts/common.sh
-+++ b/tests/scripts/common.sh
-@@ -61,7 +61,7 @@
- # Find a port number not currently in use.
- GETPORT='rc=0; unset myrandom
- if test -n "$RANDOM"; then myrandom=$(($RANDOM + $RANDOM)); fi
-- if test -z "$myrandom"; then myrandom=$(date +%N | sed s/^0*//); fi
-+ if test -z "$myrandom"; then myrandom=$(date +%s | sed s/^0*//); fi
- if test -z "$myrandom"; then myrandom=0; fi
- while test $rc = 0;do
- PORT="$(((($$<<15)|$myrandom) % 63001 + 2000))"
diff --git a/main/gst-plugins-base/APKBUILD b/main/gst-plugins-base/APKBUILD
index 6961a8f864..8f51a71386 100644
--- a/main/gst-plugins-base/APKBUILD
+++ b/main/gst-plugins-base/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gst-plugins-base
pkgver=1.14.4
-pkgrel=0
+pkgrel=1
pkgdesc="GStreamer Multimedia Framework Base Plugins"
url="https://gstreamer.freedesktop.org"
arch="all"
@@ -29,10 +29,15 @@ makedepends="
mesa-dev
orc-compiler
"
-source="https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-$pkgver.tar.xz"
+source="https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-$pkgver.tar.xz
+ CVE-2019-9928.patch"
ldpath="/usr/lib/gstreamer-1.0"
builddir="$srcdir"/gst-plugins-base-$pkgver
+# secfixes:
+# 1.14.4-r1:
+# - CVE-2019-9928
+
# sporadic testsuite failures on various archs, testsuite fails with network restricted too
options="!check"
@@ -69,4 +74,5 @@ doc() {
replaces="${pkgname}1-doc"
}
-sha512sums="42c59df9f2d848108f12afa0466acbcfa5ccda64e4d0d44608d4268abed20f2e036713de04e7d71feaed1868ad742c5bcb55ae0eef5dec8e19e053dc8541b8af gst-plugins-base-1.14.4.tar.xz"
+sha512sums="42c59df9f2d848108f12afa0466acbcfa5ccda64e4d0d44608d4268abed20f2e036713de04e7d71feaed1868ad742c5bcb55ae0eef5dec8e19e053dc8541b8af gst-plugins-base-1.14.4.tar.xz
+064305bced4754b9d916adc97254c1cfd52fd25f5cf31f406f7bebac18bc1e9fc5cdab1ee59e2027d3299c5dbbc6134b6171ee925e7dab3dd134fd130b755e1b CVE-2019-9928.patch"
diff --git a/main/gst-plugins-base/CVE-2019-9928.patch b/main/gst-plugins-base/CVE-2019-9928.patch
new file mode 100644
index 0000000000..e17f98aba8
--- /dev/null
+++ b/main/gst-plugins-base/CVE-2019-9928.patch
@@ -0,0 +1,13 @@
+diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
+index 76ae7d4..81239dc 100644
+--- a/gst-libs/gst/rtsp/gstrtspconnection.c
++++ b/gst-libs/gst/rtsp/gstrtspconnection.c
+@@ -2128,7 +2128,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
+ maxlen = sizeof (conn->session_id) - 1;
+ /* the sessionid can have attributes marked with ;
+ * Make sure we strip them */
+- for (i = 0; session_id[i] != '\0'; i++) {
++ for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
+ if (session_id[i] == ';') {
+ maxlen = i;
+ /* parse timeout */
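Review bot: This patch file carries no provenance — no From/Date/Subject lines and no `Origin:` or bug reference — unlike the ghostscript patches added in the same commit, so a later maintainer cannot verify that it matches the upstream fix for CVE-2019-9928 or tell when it can be dropped. Add a short header above the first `diff --git` line, at minimum `Origin: <upstream gst-plugins-base commit URL, to be filled in>` and `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9928`. The change itself looks right: bounding the scan with `i < maxlen` keeps the later copy into `conn->session_id` within the buffer, and `maxlen` is derived from `sizeof (conn->session_id) - 1` in the context above; the enclosing build_next() continues outside the hunk.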
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index e83bb1259c..01998b6f23 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -1,9 +1,9 @@
# Contributor: Jeff Bilyk <jbilyk@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=haproxy
-pkgver=1.8.12
+pkgver=1.8.25
_pkgmajorver=${pkgver%.*}
-pkgrel=1
+pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
url="http://haproxy.1wt.eu"
arch="all"
@@ -20,6 +20,12 @@ source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 1.8.25-r0:
+# - CVE-2020-11100
+# 1.8.23-r0:
+# - CVE-2019-19330
+
build() {
cd "$builddir"
case "$CARCH" in mips|mipsel*) _carchflags="ADDLIB=-latomic";; esac
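Review bot: The new secfixes block lists only CVE-2020-11100 (1.8.25) and CVE-2019-19330 (1.8.23), but this is the first time this branch moves past 1.8.12, so it also picks up the intermediate 1.8.x security releases; if memory serves, 1.8.15 fixed the DNS response parsing issues tracked as CVE-2018-20102 and CVE-2018-20103. Please verify against the upstream 1.8 changelog and add a `# 1.8.15-r0:` entry (or fold them under `# 1.8.25-r0:`) so the secdb credits those fixes to this build.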
@@ -50,6 +56,6 @@ package() {
"$pkgdir"/etc/haproxy/haproxy.cfg
}
-sha512sums="2b782a54988cc88d1af0e5f011af062910e8fac28eab13db7e05a58d0d23961f827da47e3871e8d081f5a2d222588480d81dec2e9f14ec9f54a1c3cb5bf3d56a haproxy-1.8.12.tar.gz
+sha512sums="655eb4056989a3fee321ea9278a2085b0a999e522293f1f6229ebb8d17f3d33cb78abb4fd55a06d0218082e632b2d42de105575d0acd0c1b49996d4b45aa78e8 haproxy-1.8.25.tar.gz
3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
diff --git a/main/hostapd/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch b/main/hostapd/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
new file mode 100644
index 0000000000..516c3b633a
--- /dev/null
+++ b/main/hostapd/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
@@ -0,0 +1,92 @@
+From d42c477cc794163a3757956bbffca5cea000923c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:43:03 +0200
+Subject: [PATCH] OpenSSL: Use constant time operations for private bignums
+
+This helps in reducing measurable timing differences in operations
+involving private information. BoringSSL has removed BN_FLG_CONSTTIME
+and expects specific constant time functions to be called instead, so a
+bit different approach is needed depending on which library is used.
+
+The main operation that needs protection against side channel attacks is
+BN_mod_exp() that depends on private keys (the public key validation
+step in crypto_dh_derive_secret() is an exception that can use the
+faster version since it does not depend on private keys).
+
+crypto_bignum_div() is currently used only in SAE FFC case with not
+safe-prime groups and only with values that do not depend on private
+keys, so it is not critical to protect it.
+
+crypto_bignum_inverse() is currently used only in SAE FFC PWE
+derivation. The additional protection here is targeting only OpenSSL.
+BoringSSL may need conversion to using BN_mod_inverse_blinded().
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/crypto/crypto_openssl.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 9c2ba58d5..ac53cc81a 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -607,7 +607,8 @@ int crypto_mod_exp(const u8 *base, size_t base_len,
+ bn_result == NULL)
+ goto error;
+
+- if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
++ if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
++ ctx, NULL) != 1)
+ goto error;
+
+ *result_len = BN_bn2bin(bn_result, result);
+@@ -1360,8 +1361,9 @@ int crypto_bignum_exptmod(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
+- res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
+- (const BIGNUM *) c, bnctx);
++ res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
++ (const BIGNUM *) b, (const BIGNUM *) c,
++ bnctx, NULL);
+ BN_CTX_free(bnctx);
+
+ return res ? 0 : -1;
+@@ -1380,6 +1382,11 @@ int crypto_bignum_inverse(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
++#ifdef OPENSSL_IS_BORINGSSL
++ /* TODO: use BN_mod_inverse_blinded() ? */
++#else /* OPENSSL_IS_BORINGSSL */
++ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
++#endif /* OPENSSL_IS_BORINGSSL */
+ res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
+ (const BIGNUM *) b, bnctx);
+ BN_CTX_free(bnctx);
+@@ -1413,6 +1420,9 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
++#ifndef OPENSSL_IS_BORINGSSL
++ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
++#endif /* OPENSSL_IS_BORINGSSL */
+ res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
+ (const BIGNUM *) b, bnctx);
+ BN_CTX_free(bnctx);
+@@ -1504,8 +1514,8 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ /* exp = (p-1) / 2 */
+ !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
+ !BN_rshift1(exp, exp) ||
+- !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
+- bnctx))
++ !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
++ (const BIGNUM *) p, bnctx, NULL))
+ goto fail;
+
+ if (BN_is_word(tmp, 1))
+--
+2.21.0
+
diff --git a/main/hostapd/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/main/hostapd/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
new file mode 100644
index 0000000000..0aa8a5ea1d
--- /dev/null
+++ b/main/hostapd/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
@@ -0,0 +1,150 @@
+From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 23:17:35 +0300
+Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
+ other networks
+
+The UPnP Device Architecture 2.0 specification errata ("UDA errata
+16-04-2020.docx") addresses a problem with notifications being allowed
+to go out to other domains by disallowing such cases. Do such filtering
+for the notification callback URLs to avoid undesired connections to
+external networks based on subscriptions that any device in the local
+network could request when WPS support for external registrars is
+enabled (the upnp_iface parameter in hostapd configuration).
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/wps/wps_er.c | 2 +-
+ src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++--
+ src/wps/wps_upnp_i.h | 3 ++-
+ 3 files changed, 39 insertions(+), 4 deletions(-)
+
+diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
+index 6bded14327f8..31d2e50e4cff 100644
+--- a/src/wps/wps_er.c
++++ b/src/wps/wps_er.c
+@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, const char *ifname, const char *filter)
+ "with %s", filter);
+ }
+ if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
+- er->mac_addr)) {
++ NULL, er->mac_addr)) {
+ wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
+ "for %s. Does it have IP address?", er->ifname);
+ wps_er_deinit(er, NULL, NULL);
+diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
+index 6e10e4bc0c3f..7d4b7439940e 100644
+--- a/src/wps/wps_upnp.c
++++ b/src/wps/wps_upnp.c
+@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct subscription *s)
+ }
+
+
++static int local_network_addr(struct upnp_wps_device_sm *sm,
++ struct sockaddr_in *addr)
++{
++ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
++ (sm->ip_addr & sm->netmask.s_addr);
++}
++
++
+ /* subscr_addr_add_url -- add address(es) for one url to subscription */
+ static void subscr_addr_add_url(struct subscription *s, const char *url,
+ size_t url_len)
+@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+
+ for (rp = result; rp; rp = rp->ai_next) {
+ struct subscr_addr *a;
++ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
+
+ /* Limit no. of address to avoid denial of service attack */
+ if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
+@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+ break;
+ }
+
++ if (!local_network_addr(s->sm, addr)) {
++ wpa_printf(MSG_INFO,
++ "WPS UPnP: Ignore a delivery URL that points to another network %s",
++ inet_ntoa(addr->sin_addr));
++ continue;
++ }
++
+ a = os_zalloc(sizeof(*a) + alloc_len);
+ if (a == NULL)
+ break;
+@@ -890,11 +906,12 @@ static int eth_get(const char *device, u8 ea[ETH_ALEN])
+ * @net_if: Selected network interface name
+ * @ip_addr: Buffer for returning IP address in network byte order
+ * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
++ * @netmask: Buffer for returning netmask or %NULL if not needed
+ * @mac: Buffer for returning MAC address
+ * Returns: 0 on success, -1 on failure
+ */
+ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+- u8 mac[ETH_ALEN])
++ struct in_addr *netmask, u8 mac[ETH_ALEN])
+ {
+ struct ifreq req;
+ int sock = -1;
+@@ -920,6 +937,19 @@ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+ in_addr.s_addr = *ip_addr;
+ os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
+
++ if (netmask) {
++ os_memset(&req, 0, sizeof(req));
++ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
++ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
++ wpa_printf(MSG_ERROR,
++ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
++ errno, strerror(errno));
++ goto fail;
++ }
++ addr = (struct sockaddr_in *) &req.ifr_netmask;
++ netmask->s_addr = addr->sin_addr.s_addr;
++ }
++
+ #ifdef __linux__
+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
+ if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
+@@ -1026,11 +1056,15 @@ static int upnp_wps_device_start(struct upnp_wps_device_sm *sm, char *net_if)
+
+ /* Determine which IP and mac address we're using */
+ if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
+- sm->mac_addr)) {
++ &sm->netmask, sm->mac_addr)) {
+ wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
+ "for %s. Does it have IP address?", net_if);
+ goto fail;
+ }
++ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
++ MACSTR,
++ sm->ip_addr_text, inet_ntoa(sm->netmask),
++ MAC2STR(sm->mac_addr));
+
+ /* Listen for incoming TCP connections so that others
+ * can fetch our "xml files" from us.
+diff --git a/src/wps/wps_upnp_i.h b/src/wps/wps_upnp_i.h
+index e87a93232df1..6ead7b4e9a30 100644
+--- a/src/wps/wps_upnp_i.h
++++ b/src/wps/wps_upnp_i.h
+@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
+ u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
+ char *ip_addr_text; /* IP address of network i.f. we use */
+ unsigned ip_addr; /* IP address of network i.f. we use (host order) */
++ struct in_addr netmask;
+ int multicast_sd; /* send multicast messages over this socket */
+ int ssdp_sd; /* receive discovery UPD packets on socket */
+ int ssdp_sd_registered; /* nonzero if we must unregister */
+@@ -158,7 +159,7 @@ struct subscription * subscription_find(struct upnp_wps_device_sm *sm,
+ const u8 uuid[UUID_LEN]);
+ void subscr_addr_delete(struct subscr_addr *a);
+ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+- u8 mac[ETH_ALEN]);
++ struct in_addr *netmask, u8 mac[ETH_ALEN]);
+
+ /* wps_upnp_ssdp.c */
+ void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
+--
+2.20.1
+
diff --git a/main/hostapd/0002-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch b/main/hostapd/0002-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
new file mode 100644
index 0000000000..8e635c1371
--- /dev/null
+++ b/main/hostapd/0002-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
@@ -0,0 +1,60 @@
+From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 8 Mar 2019 00:24:12 +0200
+Subject: [PATCH] OpenSSL: Use constant time selection for
+ crypto_bignum_legendre()
+
+Get rid of the branches that depend on the result of the Legendre
+operation. This is needed to avoid leaking information about different
+temporary results in blinding mechanisms.
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/crypto/crypto_openssl.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index ac53cc81a..0f52101ea 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -24,6 +24,7 @@
+ #endif /* CONFIG_ECC */
+
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "wpabuf.h"
+ #include "dh_group5.h"
+ #include "sha1.h"
+@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ BN_CTX *bnctx;
+ BIGNUM *exp = NULL, *tmp = NULL;
+ int res = -2;
++ unsigned int mask;
+
+ if (TEST_FAIL())
+ return -2;
+@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ (const BIGNUM *) p, bnctx, NULL))
+ goto fail;
+
+- if (BN_is_word(tmp, 1))
+- res = 1;
+- else if (BN_is_zero(tmp))
+- res = 0;
+- else
+- res = -1;
++ /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
++ * constant time selection to avoid branches here. */
++ res = -1;
++ mask = const_time_eq(BN_is_word(tmp, 1), 1);
++ res = const_time_select_int(mask, 1, res);
++ mask = const_time_eq(BN_is_zero(tmp), 1);
++ res = const_time_select_int(mask, 0, res);
+
+ fail:
+ BN_clear_free(tmp);
+--
+2.21.0
+
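Review bot: The added `#include "utils/const_time.h"` depends on a header that exists only after 0008-Add-helper-functions-for-constant-time-operations.patch has been applied, so the apply order in the APKBUILD must put 0008 ahead of this file and ahead of 0003-SAE-Minimize-timing-differences-in-PWE-derivation.patch, which includes the same header; the APKBUILD is not in this chunk, so this is worth verifying rather than assuming filename order. The constant-time rewrite itself is consistent with the removed chain: `res` starts at -1 and the two `const_time_select_int()` calls only narrow it to 1 or 0. crypto_bignum_legendre's body continues outside the hunk.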
diff --git a/main/hostapd/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/main/hostapd/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
new file mode 100644
index 0000000000..c7a449e0b5
--- /dev/null
+++ b/main/hostapd/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@@ -0,0 +1,59 @@
+From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 22:41:02 +0300
+Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
+ path
+
+More than about 700 character URL ended up overflowing the wpabuf used
+for building the event notification and this resulted in the wpabuf
+buffer overflow checks terminating the hostapd process. Fix this by
+allocating the buffer to be large enough to contain the full URL path.
+However, since that around 700 character limit has been the practical
+limit for more than ten years, start explicitly enforcing that as the
+limit or the callback URLs since any longer ones had not worked before
+and there is no need to enable them now either.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/wps/wps_upnp.c | 9 +++++++--
+ src/wps/wps_upnp_event.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
+index 7d4b7439940e..ab685d52ecab 100644
+--- a/src/wps/wps_upnp.c
++++ b/src/wps/wps_upnp.c
+@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+ int rerr;
+ size_t host_len, path_len;
+
+- /* url MUST begin with http: */
+- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
++ /* URL MUST begin with HTTP scheme. In addition, limit the length of
++ * the URL to 700 characters which is around the limit that was
++ * implicitly enforced for more than 10 years due to a bug in
++ * generating the event messages. */
++ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
++ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
+ goto fail;
++ }
+ url += 7;
+ url_len -= 7;
+
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index d7e6edcc6503..08a23612f338 100644
+--- a/src/wps/wps_upnp_event.c
++++ b/src/wps/wps_upnp_event.c
+@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
+ struct wpabuf *buf;
+ char *b;
+
+- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
++ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
++ wpabuf_len(e->data));
+ if (buf == NULL)
+ return NULL;
+ wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
+--
+2.20.1
+
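Review bot: The bound in `if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700)` is a magic number that the four-line comment has to explain; a named constant (e.g. `#define WPS_UPNP_MAX_CALLBACK_URL_LEN 700`, name constructed here) would also let event_build_message's `1000 + os_strlen(e->addr->path)` sizing be tied to the same limit instead of two independent literals. The new `wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL")` does not say which of the three conditions failed; including `url_len` in the message would make a rejection of an over-long callback URL diagnosable from the log. subscr_addr_add_url's body continues outside the hunk.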
diff --git a/main/hostapd/0003-SAE-Minimize-timing-differences-in-PWE-derivation.patch b/main/hostapd/0003-SAE-Minimize-timing-differences-in-PWE-derivation.patch
new file mode 100644
index 0000000000..10b89d6b02
--- /dev/null
+++ b/main/hostapd/0003-SAE-Minimize-timing-differences-in-PWE-derivation.patch
@@ -0,0 +1,241 @@
+From 6513db3e96c43c2e36805cf5ead349765d18eaf7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 13:05:09 +0200
+Subject: [PATCH] SAE: Minimize timing differences in PWE derivation
+
+The QR test result can provide information about the password to an
+attacker, so try to minimize differences in how the
+sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494)
+
+Use heap memory for the dummy password to allow the same password length
+to be used even with long passwords.
+
+Use constant time selection functions to track the real vs. dummy
+variables so that the exact same operations can be performed for both QR
+test results.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 106 +++++++++++++++++++++++++----------------------
+ 1 file changed, 57 insertions(+), 49 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 8129a7c15..d55323bcd 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -9,6 +9,7 @@
+ #include "includes.h"
+
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "crypto/crypto.h"
+ #include "crypto/sha256.h"
+ #include "crypto/random.h"
+@@ -292,15 +293,12 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ const u8 *prime,
+ const struct crypto_bignum *qr,
+ const struct crypto_bignum *qnr,
+- struct crypto_bignum **ret_x_cand)
++ u8 *pwd_value)
+ {
+- u8 pwd_value[SAE_MAX_ECC_PRIME_LEN];
+ struct crypto_bignum *y_sqr, *x_cand;
+ int res;
+ size_t bits;
+
+- *ret_x_cand = NULL;
+-
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+
+ /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
+@@ -309,7 +307,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ prime, sae->tmp->prime_len, pwd_value, bits) < 0)
+ return -1;
+ if (bits % 8)
+- buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
++ buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8);
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ pwd_value, sae->tmp->prime_len);
+
+@@ -320,20 +318,13 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ if (!x_cand)
+ return -1;
+ y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
+- if (!y_sqr) {
+- crypto_bignum_deinit(x_cand, 1);
++ crypto_bignum_deinit(x_cand, 1);
++ if (!y_sqr)
+ return -1;
+- }
+
+ res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
+ crypto_bignum_deinit(y_sqr, 1);
+- if (res <= 0) {
+- crypto_bignum_deinit(x_cand, 1);
+- return res;
+- }
+-
+- *ret_x_cand = x_cand;
+- return 1;
++ return res;
+ }
+
+
+@@ -454,25 +445,30 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ const u8 *addr[3];
+ size_t len[3];
+ size_t num_elem;
+- u8 dummy_password[32];
+- size_t dummy_password_len;
++ u8 *dummy_password, *tmp_password;
+ int pwd_seed_odd = 0;
+ u8 prime[SAE_MAX_ECC_PRIME_LEN];
+ size_t prime_len;
+- struct crypto_bignum *x = NULL, *qr, *qnr;
++ struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+ size_t bits;
+- int res;
++ int res = -1;
++ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++ * mask */
+
+- dummy_password_len = password_len;
+- if (dummy_password_len > sizeof(dummy_password))
+- dummy_password_len = sizeof(dummy_password);
+- if (random_get_bytes(dummy_password, dummy_password_len) < 0)
+- return -1;
++ os_memset(x_bin, 0, sizeof(x_bin));
++
++ dummy_password = os_malloc(password_len);
++ tmp_password = os_malloc(password_len);
++ if (!dummy_password || !tmp_password ||
++ random_get_bytes(dummy_password, password_len) < 0)
++ goto fail;
+
+ prime_len = sae->tmp->prime_len;
+ if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
+ prime_len) < 0)
+- return -1;
++ goto fail;
+ bits = crypto_ec_prime_len_bits(sae->tmp->ec);
+
+ /*
+@@ -481,7 +477,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ */
+ if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
+ &qr, &qnr) < 0)
+- return -1;
++ goto fail;
+
+ wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ password, password_len);
+@@ -497,7 +493,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ */
+ sae_pwd_seed_key(addr1, addr2, addrs);
+
+- addr[0] = password;
++ addr[0] = tmp_password;
+ len[0] = password_len;
+ num_elem = 1;
+ if (identifier) {
+@@ -514,9 +510,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ * attacks that attempt to determine the number of iterations required
+ * in the loop.
+ */
+- for (counter = 1; counter <= k || !x; counter++) {
++ for (counter = 1; counter <= k || !found; counter++) {
+ u8 pwd_seed[SHA256_MAC_LEN];
+- struct crypto_bignum *x_cand;
+
+ if (counter > 200) {
+ /* This should not happen in practice */
+@@ -524,36 +519,45 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ break;
+ }
+
+- wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
++ wpa_printf(MSG_DEBUG, "SAE: counter = %03u", counter);
++ const_time_select_bin(found, dummy_password, password,
++ password_len, tmp_password);
+ if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ addr, len, pwd_seed) < 0)
+ break;
+
+ res = sae_test_pwd_seed_ecc(sae, pwd_seed,
+- prime, qr, qnr, &x_cand);
++ prime, qr, qnr, x_cand_bin);
++ const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
++ x_bin);
++ pwd_seed_odd = const_time_select_u8(
++ found, pwd_seed_odd,
++ pwd_seed[SHA256_MAC_LEN - 1] & 0x01);
++ os_memset(pwd_seed, 0, sizeof(pwd_seed));
+ if (res < 0)
+ goto fail;
+- if (res > 0 && !x) {
+- wpa_printf(MSG_DEBUG,
+- "SAE: Selected pwd-seed with counter %u",
+- counter);
+- x = x_cand;
+- pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
+- os_memset(pwd_seed, 0, sizeof(pwd_seed));
++ /* Need to minimize differences in handling res == 0 and 1 here
++ * to avoid differences in timing and instruction cache access,
++ * so use const_time_select_*() to make local copies of the
++ * values based on whether this loop iteration was the one that
++ * found the pwd-seed/x. */
++
++ /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
++ * (with res converted to 0/0xff) handles this in constant time.
++ */
++ found |= res * 0xff;
++ wpa_printf(MSG_DEBUG, "SAE: pwd-seed result %d found=0x%02x",
++ res, found);
++ }
+
+- /*
+- * Use a dummy password for the following rounds, if
+- * any.
+- */
+- addr[0] = dummy_password;
+- len[0] = dummy_password_len;
+- } else if (res > 0) {
+- crypto_bignum_deinit(x_cand, 1);
+- }
++ if (!found) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
++ res = -1;
++ goto fail;
+ }
+
++ x = crypto_bignum_init_set(x_bin, prime_len);
+ if (!x) {
+- wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
+ res = -1;
+ goto fail;
+ }
+@@ -566,7 +570,6 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+ sae->tmp->pwe_ecc, x,
+ pwd_seed_odd);
+- crypto_bignum_deinit(x, 1);
+ if (res < 0) {
+ /*
+ * This should not happen since we already checked that there
+@@ -578,6 +581,11 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ fail:
+ crypto_bignum_deinit(qr, 0);
+ crypto_bignum_deinit(qnr, 0);
++ os_free(dummy_password);
++ bin_clear_free(tmp_password, password_len);
++ crypto_bignum_deinit(x, 1);
++ os_memset(x_bin, 0, sizeof(x_bin));
++ os_memset(x_cand_bin, 0, sizeof(x_cand_bin));
+
+ return res;
+ }
+--
+2.21.0
+
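Review bot: `x_cand_bin` is consumed by `const_time_select_bin(found, x_bin, x_cand_bin, prime_len, x_bin)` before `res` is checked, and sae_test_pwd_seed_ecc() can return -1 before it has written `pwd_value` (the KDF failure return), so the first iteration may copy indeterminate bytes into `x_bin`; the value is discarded on the `goto fail` path, but zeroing the buffer next to the existing `os_memset(x_bin, 0, sizeof(x_bin));` removes the uninitialized read for free. `os_malloc(password_len)` with a zero-length password presumably returns NULL on some allocators and now fails the derivation where the old fixed `dummy_password[32]` did not, so it is worth confirming the caller already rejects empty passwords. The split between `os_free(dummy_password)` and `bin_clear_free(tmp_password, password_len)` is correct as written, since only `tmp_password` ever holds the real password; a short comment at `fail:` saying so would keep a future cleanup from "harmonizing" it the wrong way.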
diff --git a/main/hostapd/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/main/hostapd/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
new file mode 100644
index 0000000000..9d0376043d
--- /dev/null
+++ b/main/hostapd/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
@@ -0,0 +1,47 @@
+From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 4 Jun 2020 21:24:04 +0300
+Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
+ properly
+
+While it is appropriate to try to retransmit the event to another
+callback URL on a failure to initiate the HTTP client connection, there
+is no point in trying the exact same operation multiple times in a row.
+Replve the event_retry() calls with event_addr_failure() for these cases
+to avoid busy loops trying to repeat the same failing operation.
+
+These potential busy loops would go through eloop callbacks, so the
+process is not completely stuck on handling them, but unnecessary CPU
+would be used to process the continues retries that will keep failing
+for the same reason.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/wps/wps_upnp_event.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index 08a23612f338..c0d9e41d9a38 100644
+--- a/src/wps/wps_upnp_event.c
++++ b/src/wps/wps_upnp_event.c
+@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
+
+ buf = event_build_message(e);
+ if (buf == NULL) {
+- event_retry(e, 0);
++ event_addr_failure(e);
+ return -1;
+ }
+
+@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
+ event_http_cb, e);
+ if (e->http_event == NULL) {
+ wpabuf_free(buf);
+- event_retry(e, 0);
++ event_addr_failure(e);
+ return -1;
+ }
+
+--
+2.20.1
+
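Review bot: `event_addr_failure(e)` after `buf == NULL` treats an allocation failure inside event_build_message() as a failure of the callback address, so a transient out-of-memory condition presumably gives up on that subscriber URL rather than retrying it later; the second site, after `http_client_addr()` fails, is more clearly address-related. If discarding the URL on allocation failure is the intended trade-off against the busy loop the commit message describes, a one-line comment at the first site saying so would prevent a reader from restoring `event_retry(e, 0)` and reintroducing the loop. event_send_start's body continues outside the hunk.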
diff --git a/main/hostapd/0004-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch b/main/hostapd/0004-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
new file mode 100644
index 0000000000..aad9b1d4a4
--- /dev/null
+++ b/main/hostapd/0004-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
@@ -0,0 +1,144 @@
+From 362704dda04507e7ebb8035122e83d9f0ae7c320 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 19:34:38 +0200
+Subject: [PATCH] SAE: Avoid branches in is_quadratic_residue_blind()
+
+Make the non-failure path in the function proceed without branches based
+on r_odd and in constant time to minimize risk of observable differences
+in timing or cache use. (CVE-2019-9494)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 64 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 37 insertions(+), 27 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index d55323bcd..5df9b95aa 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -232,12 +232,14 @@ get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
+
+ static int is_quadratic_residue_blind(struct sae_data *sae,
+ const u8 *prime, size_t bits,
+- const struct crypto_bignum *qr,
+- const struct crypto_bignum *qnr,
++ const u8 *qr, const u8 *qnr,
+ const struct crypto_bignum *y_sqr)
+ {
+- struct crypto_bignum *r, *num;
++ struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
+ int r_odd, check, res = -1;
++ u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++ size_t prime_len = sae->tmp->prime_len;
++ unsigned int mask;
+
+ /*
+ * Use the blinding technique to mask y_sqr while determining
+@@ -248,7 +250,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
+ * r = a random number between 1 and p-1, inclusive
+ * num = (v * r * r) modulo p
+ */
+- r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
++ r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
+ if (!r)
+ return -1;
+
+@@ -258,41 +260,45 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
+ crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
+ goto fail;
+
+- if (r_odd) {
+- /*
+- * num = (num * qr) module p
+- * LGR(num, p) = 1 ==> quadratic residue
+- */
+- if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
+- goto fail;
+- check = 1;
+- } else {
+- /*
+- * num = (num * qnr) module p
+- * LGR(num, p) = -1 ==> quadratic residue
+- */
+- if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
+- goto fail;
+- check = -1;
+- }
++ /*
++ * Need to minimize differences in handling different cases, so try to
++ * avoid branches and timing differences.
++ *
++ * If r_odd:
++ * num = (num * qr) module p
++ * LGR(num, p) = 1 ==> quadratic residue
++ * else:
++ * num = (num * qnr) module p
++ * LGR(num, p) = -1 ==> quadratic residue
++ */
++ mask = const_time_is_zero(r_odd);
++ const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
++ qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
++ if (!qr_or_qnr ||
++ crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
++ goto fail;
++ /* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
++ check = const_time_select_int(mask, -1, 1);
+
+ res = crypto_bignum_legendre(num, sae->tmp->prime);
+ if (res == -2) {
+ res = -1;
+ goto fail;
+ }
+- res = res == check;
++ /* branchless version of res = res == check
++ * (res is -1, 0, or 1; check is -1 or 1) */
++ mask = const_time_eq(res, check);
++ res = const_time_select_int(mask, 1, 0);
+ fail:
+ crypto_bignum_deinit(num, 1);
+ crypto_bignum_deinit(r, 1);
++ crypto_bignum_deinit(qr_or_qnr, 1);
+ return res;
+ }
+
+
+ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+- const u8 *prime,
+- const struct crypto_bignum *qr,
+- const struct crypto_bignum *qnr,
++ const u8 *prime, const u8 *qr, const u8 *qnr,
+ u8 *pwd_value)
+ {
+ struct crypto_bignum *y_sqr, *x_cand;
+@@ -452,6 +458,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
+ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
+ size_t bits;
+ int res = -1;
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+@@ -476,7 +484,9 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ * (qnr) modulo p for blinding purposes during the loop.
+ */
+ if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
+- &qr, &qnr) < 0)
++ &qr, &qnr) < 0 ||
++ crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 ||
++ crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0)
+ goto fail;
+
+ wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+@@ -527,7 +537,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ break;
+
+ res = sae_test_pwd_seed_ecc(sae, pwd_seed,
+- prime, qr, qnr, x_cand_bin);
++ prime, qr_bin, qnr_bin, x_cand_bin);
+ const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
+ x_bin);
+ pwd_seed_odd = const_time_select_u8(
+--
+2.21.0
+
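Review bot: The new comment block carries over the old text's typo `module p` (twice) where `modulo p` is meant, and `/* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */` ends in a stray comma; these are the lines a reader will consult to check mask polarity, so they should be exact. The polarity itself is consistent: `mask = const_time_is_zero(r_odd)` is set when r_odd is 0, which selects `qnr` and `check = -1`, matching the removed else-branch. `qr_or_qnr_bin` is left uncleared at `fail:`; it holds only the blinding values rather than anything password-derived as far as this hunk shows, but a brief comment noting that would save the next reviewer the question.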
diff --git a/main/hostapd/0005-SAE-Mask-timing-of-MODP-groups-22-23-24.patch b/main/hostapd/0005-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
new file mode 100644
index 0000000000..11dc244f5f
--- /dev/null
+++ b/main/hostapd/0005-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
@@ -0,0 +1,118 @@
+From 90839597cc4016b33f00055b12d59174c62770a3 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:24:09 +0200
+Subject: [PATCH] SAE: Mask timing of MODP groups 22, 23, 24
+
+These groups have significant probability of coming up with pwd-value
+that is equal or greater than the prime and as such, need for going
+through the PWE derivation loop multiple times. This can result in
+sufficient timing different to allow an external observer to determine
+how many rounds are needed and that can leak information about the used
+password.
+
+Force at least 40 loop rounds for these MODP groups similarly to the ECC
+group design to mask timing. This behavior is not described in IEEE Std
+802.11-2016 for SAE, but it does not result in different values (i.e.,
+only different timing), so such implementation specific countermeasures
+can be done without breaking interoperability with other implementation.
+
+Note: These MODP groups 22, 23, and 24 are not considered sufficiently
+strong to be used with SAE (or more or less anything else). As such,
+they should never be enabled in runtime configuration for any production
+use cases. These changes to introduce additional protection to mask
+timing is only for completeness of implementation and not an indication
+that these groups should be used.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 38 ++++++++++++++++++++++++++++----------
+ 1 file changed, 28 insertions(+), 10 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 5df9b95aa..75b1b4a83 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -601,22 +601,27 @@ fail:
+ }
+
+
++static int sae_modp_group_require_masking(int group)
++{
++ /* Groups for which pwd-value is likely to be >= p frequently */
++ return group == 22 || group == 23 || group == 24;
++}
++
++
+ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ const u8 *addr2, const u8 *password,
+ size_t password_len, const char *identifier)
+ {
+- u8 counter;
++ u8 counter, k;
+ u8 addrs[2 * ETH_ALEN];
+ const u8 *addr[3];
+ size_t len[3];
+ size_t num_elem;
+ int found = 0;
++ struct crypto_bignum *pwe = NULL;
+
+- if (sae->tmp->pwe_ffc == NULL) {
+- sae->tmp->pwe_ffc = crypto_bignum_init();
+- if (sae->tmp->pwe_ffc == NULL)
+- return -1;
+- }
++ crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
++ sae->tmp->pwe_ffc = NULL;
+
+ wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ password, password_len);
+@@ -640,7 +645,9 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ len[num_elem] = sizeof(counter);
+ num_elem++;
+
+- for (counter = 1; !found; counter++) {
++ k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
++
++ for (counter = 1; counter <= k || !found; counter++) {
+ u8 pwd_seed[SHA256_MAC_LEN];
+ int res;
+
+@@ -650,19 +657,30 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ break;
+ }
+
+- wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
++ wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter);
+ if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ addr, len, pwd_seed) < 0)
+ break;
+- res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
++ if (!pwe) {
++ pwe = crypto_bignum_init();
++ if (!pwe)
++ break;
++ }
++ res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
+ if (res < 0)
+ break;
+ if (res > 0) {
+- wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+ found = 1;
++ if (!sae->tmp->pwe_ffc) {
++ wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
++ sae->tmp->pwe_ffc = pwe;
++ pwe = NULL;
++ }
+ }
+ }
+
++ crypto_bignum_deinit(pwe, 1);
++
+ return found ? 0 : -1;
+ }
+
+--
+2.21.0
+
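Review bot: `k = sae_modp_group_require_masking(sae->group) ? 40 : 1;` hard-codes the 40-round minimum, and the ECC loop this mirrors (`counter <= k || !found` in sae_derive_pwe_ecc) presumably has its own copy of the same number; a single named constant shared by both would keep the two countermeasures from drifting apart. The `if (res > 0) { found = 1; ... }` block still branches on the password-dependent result, which this patch does not claim to fix and 0006-SAE-Use-const_time-selection-for-PWE-in-FFC.patch later rewrites, so that only matters if the series is applied partially. sae_derive_pwe_ffc's body continues outside the hunk.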
diff --git a/main/hostapd/0006-SAE-Use-const_time-selection-for-PWE-in-FFC.patch b/main/hostapd/0006-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
new file mode 100644
index 0000000000..f336d5b74a
--- /dev/null
+++ b/main/hostapd/0006-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
@@ -0,0 +1,105 @@
+From f8f20717f87eff1f025f48ed585c7684debacf72 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:45:33 +0200
+Subject: [PATCH] SAE: Use const_time selection for PWE in FFC
+
+This is an initial step towards making the FFC case use strictly
+constant time operations similarly to the ECC case.
+sae_test_pwd_seed_ffc() does not yet have constant time behavior,
+though.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 53 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 35 insertions(+), 18 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 75b1b4a83..fa9a145e3 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -612,17 +612,28 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ const u8 *addr2, const u8 *password,
+ size_t password_len, const char *identifier)
+ {
+- u8 counter, k;
++ u8 counter, k, sel_counter = 0;
+ u8 addrs[2 * ETH_ALEN];
+ const u8 *addr[3];
+ size_t len[3];
+ size_t num_elem;
+- int found = 0;
+- struct crypto_bignum *pwe = NULL;
++ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++ * mask */
++ u8 mask;
++ struct crypto_bignum *pwe;
++ size_t prime_len = sae->tmp->prime_len * 8;
++ u8 *pwe_buf;
+
+ crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
+ sae->tmp->pwe_ffc = NULL;
+
++ /* Allocate a buffer to maintain selected and candidate PWE for constant
++ * time selection. */
++ pwe_buf = os_zalloc(prime_len * 2);
++ pwe = crypto_bignum_init();
++ if (!pwe_buf || !pwe)
++ goto fail;
++
+ wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ password, password_len);
+
+@@ -661,27 +672,33 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ addr, len, pwd_seed) < 0)
+ break;
+- if (!pwe) {
+- pwe = crypto_bignum_init();
+- if (!pwe)
+- break;
+- }
+ res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
++ /* res is -1 for fatal failure, 0 if a valid PWE was not found,
++ * or 1 if a valid PWE was found. */
+ if (res < 0)
+ break;
+- if (res > 0) {
+- found = 1;
+- if (!sae->tmp->pwe_ffc) {
+- wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+- sae->tmp->pwe_ffc = pwe;
+- pwe = NULL;
+- }
+- }
++ /* Store the candidate PWE into the second half of pwe_buf and
++ * the selected PWE in the beginning of pwe_buf using constant
++ * time selection. */
++ if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
++ prime_len) < 0)
++ break;
++ const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
++ prime_len, pwe_buf);
++ sel_counter = const_time_select_u8(found, sel_counter, counter);
++ mask = const_time_eq_u8(res, 1);
++ found = const_time_select_u8(found, found, mask);
+ }
+
+- crypto_bignum_deinit(pwe, 1);
++ if (!found)
++ goto fail;
+
+- return found ? 0 : -1;
++ wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
++ sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
++fail:
++ crypto_bignum_deinit(pwe, 1);
++ bin_clear_free(pwe_buf, prime_len * 2);
++ return sae->tmp->pwe_ffc ? 0 : -1;
+ }
+
+
+--
+2.21.0
+
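Review bot: `size_t prime_len = sae->tmp->prime_len * 8;` gives a variable named as a byte length a value eight times the prime's byte length, and it is then used as a byte count throughout: `os_zalloc(prime_len * 2)`, `crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len, prime_len)` and `crypto_bignum_init_set(pwe_buf, prime_len)`. The value round-trips correctly because to_bin pads to that length and init_set reads the same length, so the derived PWE is right, but the buffer is 8x larger than needed and the name misleads; if the `* 8` is intentional it needs a comment, otherwise `size_t prime_len = sae->tmp->prime_len;` is the fix. The closing `found = const_time_select_u8(found, found, mask);` keeps the first matching counter, which matches the removed `if (!sae->tmp->pwe_ffc)` behavior.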
diff --git a/main/hostapd/0007-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch b/main/hostapd/0007-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch
new file mode 100644
index 0000000000..bf22916b7d
--- /dev/null
+++ b/main/hostapd/0007-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch
@@ -0,0 +1,135 @@
+From cff138b0747fa39765cbc641b66cfa5d7f1735d1 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 16:05:56 +0200
+Subject: [PATCH] SAE: Use constant time operations in sae_test_pwd_seed_ffc()
+
+Try to avoid showing externally visible timing or memory access
+differences regardless of whether the derived pwd-value is smaller than
+the group prime.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 75 +++++++++++++++++++++++++++++-------------------
+ 1 file changed, 46 insertions(+), 29 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index fa9a145e3..eaf825d19 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -334,14 +334,17 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ }
+
+
++/* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided
++ * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */
+ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
+ struct crypto_bignum *pwe)
+ {
+ u8 pwd_value[SAE_MAX_PRIME_LEN];
+ size_t bits = sae->tmp->prime_len * 8;
+ u8 exp[1];
+- struct crypto_bignum *a, *b;
+- int res;
++ struct crypto_bignum *a, *b = NULL;
++ int res, is_val;
++ u8 pwd_value_valid;
+
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+
+@@ -353,16 +356,29 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
+ sae->tmp->prime_len);
+
+- if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
+- {
+- wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
+- return 0;
+- }
++ /* Check whether pwd-value < p */
++ res = const_time_memcmp(pwd_value, sae->tmp->dh->prime,
++ sae->tmp->prime_len);
++ /* pwd-value >= p is invalid, so res is < 0 for the valid cases and
++ * the negative sign can be used to fill the mask for constant time
++ * selection */
++ pwd_value_valid = const_time_fill_msb(res);
++
++ /* If pwd-value >= p, force pwd-value to be < p and perform the
++ * calculations anyway to hide timing difference. The derived PWE will
++ * be ignored in that case. */
++ pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0);
+
+ /* PWE = pwd-value^((p-1)/r) modulo p */
+
++ res = -1;
+ a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
++ if (!a)
++ goto fail;
+
++ /* This is an optimization based on the used group that does not depend
++ * on the password in any way, so it is fine to use separate branches
++ * for this step without constant time operations. */
+ if (sae->tmp->dh->safe_prime) {
+ /*
+ * r = (p-1)/2 for the group used here, so this becomes:
+@@ -376,33 +392,34 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
+ b = crypto_bignum_init_set(exp, sizeof(exp));
+ if (b == NULL ||
+ crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
+- crypto_bignum_div(b, sae->tmp->order, b) < 0) {
+- crypto_bignum_deinit(b, 0);
+- b = NULL;
+- }
++ crypto_bignum_div(b, sae->tmp->order, b) < 0)
++ goto fail;
+ }
+
+- if (a == NULL || b == NULL)
+- res = -1;
+- else
+- res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
+-
+- crypto_bignum_deinit(a, 0);
+- crypto_bignum_deinit(b, 0);
++ if (!b)
++ goto fail;
+
+- if (res < 0) {
+- wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
+- return -1;
+- }
++ res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
++ if (res < 0)
++ goto fail;
+
+- /* if (PWE > 1) --> found */
+- if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
+- wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
+- return 0;
+- }
++ /* There were no fatal errors in calculations, so determine the return
++ * value using constant time operations. We get here for number of
++ * invalid cases which are cleared here after having performed all the
++ * computation. PWE is valid if pwd-value was less than prime and
++ * PWE > 1. Start with pwd-value check first and then use constant time
++ * operations to clear res to 0 if PWE is 0 or 1.
++ */
++ res = const_time_select_u8(pwd_value_valid, 1, 0);
++ is_val = crypto_bignum_is_zero(pwe);
++ res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
++ is_val = crypto_bignum_is_one(pwe);
++ res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
+
+- wpa_printf(MSG_DEBUG, "SAE: PWE found");
+- return 1;
++fail:
++ crypto_bignum_deinit(a, 1);
++ crypto_bignum_deinit(b, 1);
++ return res;
+ }
+
+
+--
+2.21.0
+
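Review bot: `pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0);` guarantees pwd-value < p only when the prime's most significant byte is non-zero, i.e. when `sae->tmp->prime_len` is the prime's exact byte length; nothing in the hunk shows otherwise, but the invariant is implicit and deserves a comment at that line, e.g. `/* Clearing the top byte makes pwd-value < p because prime_len is p's exact length. */`. `res` is declared `int` and is later assigned from `const_time_select_u8()`, which returns a u8, so the mixed widths are harmless but force a reader to check; assigning the three constant-time selections to a local `u8 valid` and setting `res` once before `fail:` would make the `-1`/`0`/`1` contract in the new header comment obvious. Dropping the `"SAE: pwd-value >= p"` and `"SAE: PWE <= 1"` debug messages is consistent with the goal, since each announced the outcome the rewrite is trying to hide.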
diff --git a/main/hostapd/0008-Add-helper-functions-for-constant-time-operations.patch b/main/hostapd/0008-Add-helper-functions-for-constant-time-operations.patch
new file mode 100644
index 0000000000..e0b8550c8f
--- /dev/null
+++ b/main/hostapd/0008-Add-helper-functions-for-constant-time-operations.patch
@@ -0,0 +1,218 @@
+From 6e34f618d37ddbb5854c42e2ad4fca83492fa7b7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 27 Feb 2019 18:38:30 +0200
+Subject: [PATCH] Add helper functions for constant time operations
+
+These functions can be used to help implement constant time operations
+for various cryptographic operations that must minimize externally
+observable differences in processing (both in timing and also in
+internal cache use, etc.).
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/utils/const_time.h | 191 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 191 insertions(+)
+ create mode 100644 src/utils/const_time.h
+
+diff --git a/src/utils/const_time.h b/src/utils/const_time.h
+new file mode 100644
+index 000000000..ab8f611ef
+--- /dev/null
++++ b/src/utils/const_time.h
+@@ -0,0 +1,191 @@
++/*
++ * Helper functions for constant time operations
++ * Copyright (c) 2019, The Linux Foundation
++ *
++ * This software may be distributed under the terms of the BSD license.
++ * See README for more details.
++ *
++ * These helper functions can be used to implement logic that needs to minimize
++ * externally visible differences in execution path by avoiding use of branches,
++ * avoiding early termination or other time differences, and forcing same memory
++ * access pattern regardless of values.
++ */
++
++#ifndef CONST_TIME_H
++#define CONST_TIME_H
++
++
++#if defined(__clang__)
++#define NO_UBSAN_UINT_OVERFLOW \
++ __attribute__((no_sanitize("unsigned-integer-overflow")))
++#else
++#define NO_UBSAN_UINT_OVERFLOW
++#endif
++
++
++/**
++ * const_time_fill_msb - Fill all bits with MSB value
++ * @val: Input value
++ * Returns: Value with all the bits set to the MSB of the input val
++ */
++static inline unsigned int const_time_fill_msb(unsigned int val)
++{
++ /* Move the MSB to LSB and multiple by -1 to fill in all bits. */
++ return (val >> (sizeof(val) * 8 - 1)) * ~0U;
++}
++
++
++/* Returns: -1 if val is zero; 0 if val is not zero */
++static inline unsigned int const_time_is_zero(unsigned int val)
++ NO_UBSAN_UINT_OVERFLOW
++{
++ /* Set MSB to 1 for 0 and fill rest of bits with the MSB value */
++ return const_time_fill_msb(~val & (val - 1));
++}
++
++
++/* Returns: -1 if a == b; 0 if a != b */
++static inline unsigned int const_time_eq(unsigned int a, unsigned int b)
++{
++ return const_time_is_zero(a ^ b);
++}
++
++
++/* Returns: -1 if a == b; 0 if a != b */
++static inline u8 const_time_eq_u8(unsigned int a, unsigned int b)
++{
++ return (u8) const_time_eq(a, b);
++}
++
++
++/**
++ * const_time_eq_bin - Constant time memory comparison
++ * @a: First buffer to compare
++ * @b: Second buffer to compare
++ * @len: Number of octets to compare
++ * Returns: -1 if buffers are equal, 0 if not
++ *
++ * This function is meant for comparing passwords or hash values where
++ * difference in execution time or memory access pattern could provide external
++ * observer information about the location of the difference in the memory
++ * buffers. The return value does not behave like memcmp(), i.e.,
++ * const_time_eq_bin() cannot be used to sort items into a defined order. Unlike
++ * memcmp(), the execution time of const_time_eq_bin() does not depend on the
++ * contents of the compared memory buffers, but only on the total compared
++ * length.
++ */
++static inline unsigned int const_time_eq_bin(const void *a, const void *b,
++ size_t len)
++{
++ const u8 *aa = a;
++ const u8 *bb = b;
++ size_t i;
++ u8 res = 0;
++
++ for (i = 0; i < len; i++)
++ res |= aa[i] ^ bb[i];
++
++ return const_time_is_zero(res);
++}
++
++
++/**
++ * const_time_select - Constant time unsigned int selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline unsigned int const_time_select(unsigned int mask,
++ unsigned int true_val,
++ unsigned int false_val)
++{
++ return (mask & true_val) | (~mask & false_val);
++}
++
++
++/**
++ * const_time_select_int - Constant time int selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline int const_time_select_int(unsigned int mask, int true_val,
++ int false_val)
++{
++ return (int) const_time_select(mask, (unsigned int) true_val,
++ (unsigned int) false_val);
++}
++
++
++/**
++ * const_time_select_u8 - Constant time u8 selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline u8 const_time_select_u8(u8 mask, u8 true_val, u8 false_val)
++{
++ return (u8) const_time_select(mask, true_val, false_val);
++}
++
++
++/**
++ * const_time_select_s8 - Constant time s8 selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline s8 const_time_select_s8(u8 mask, s8 true_val, s8 false_val)
++{
++ return (s8) const_time_select(mask, (unsigned int) true_val,
++ (unsigned int) false_val);
++}
++
++
++/**
++ * const_time_select_bin - Constant time binary buffer selection copy
++ * @mask: 0 (false) or -1 (true) to identify which value to copy
++ * @true_val: Buffer to copy for the true case
++ * @false_val: Buffer to copy for the false case
++ * @len: Number of octets to copy
++ * @dst: Destination buffer for the copy
++ *
++ * This function copies the specified buffer into the destination buffer using
++ * operations with identical memory access pattern regardless of which buffer
++ * is being copied.
++ */
++static inline void const_time_select_bin(u8 mask, const u8 *true_val,
++ const u8 *false_val, size_t len,
++ u8 *dst)
++{
++ size_t i;
++
++ for (i = 0; i < len; i++)
++ dst[i] = const_time_select_u8(mask, true_val[i], false_val[i]);
++}
++
++
++static inline int const_time_memcmp(const void *a, const void *b, size_t len)
++{
++ const u8 *aa = a;
++ const u8 *bb = b;
++ int diff, res = 0;
++ unsigned int mask;
++
++ if (len == 0)
++ return 0;
++ do {
++ len--;
++ diff = (int) aa[len] - (int) bb[len];
++ mask = const_time_is_zero((unsigned int) diff);
++ res = const_time_select_int(mask, res, diff);
++ } while (len);
++
++ return res;
++}
++
++#endif /* CONST_TIME_H */
+--
+2.21.0
+
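Review bot: `const_time_memcmp()` at the end of const_time.h is the only helper in the header without a documentation comment, and its contract is the least obvious one: it walks the buffers from the last byte to the first and keeps the latest non-zero `diff`, so the value returned is the signed byte difference at the lowest differing index, which mirrors memcmp()'s sign convention without memcmp()'s early exit. I would add a kernel-doc style header above it stating that it returns 0 when the buffers match, otherwise the difference at the first differing octet, that the backwards scan is what makes the earliest difference win, and that execution time depends only on `len`, not on the buffer contents, plus a one-line `/* Scan from the end so the lowest differing index is the last one written to res */` on the loop. Two smaller things in the same hunk: the comment in `const_time_fill_msb()` reads "multiple by -1" and should be "multiply by -1", and since every helper relies on the compiler not turning the mask arithmetic back into a branch, a short caveat near the top of the file that this is best effort and should be confirmed against generated code for the target toolchain would be useful to whoever next touches it.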
diff --git a/main/hostapd/0009-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch b/main/hostapd/0009-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch
new file mode 100644
index 0000000000..f363f1563c
--- /dev/null
+++ b/main/hostapd/0009-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch
@@ -0,0 +1,324 @@
+From aaf65feac67c3993935634eefe5bc76b9fce03aa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:59:45 +0200
+Subject: [PATCH] EAP-pwd: Use constant time and memory access for finding the
+ PWE
+
+This algorithm could leak information to external observers in form of
+timing differences or memory access patterns (cache use). While the
+previous implementation had protection against the most visible timing
+differences (looping 40 rounds and masking the legendre operation), it
+did not protect against memory access patterns between the two possible
+code paths in the masking operations. That might be sufficient to allow
+an unprivileged process running on the same device to be able to
+determine which path is being executed through a cache attack and based
+on that, determine information about the used password.
+
+Convert the PWE finding loop to use constant time functions and
+identical memory access path without different branches for the QR/QNR
+cases to minimize possible side-channel information similarly to the
+changes done for SAE authentication. (CVE-2019-9495)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/eap_common/eap_pwd_common.c | 187 +++++++++++++++++---------------
+ 1 file changed, 99 insertions(+), 88 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 02fe01e9f..e49aaf8c7 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -8,11 +8,15 @@
+
+ #include "includes.h"
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "crypto/sha256.h"
+ #include "crypto/crypto.h"
+ #include "eap_defs.h"
+ #include "eap_pwd_common.h"
+
++#define MAX_ECC_PRIME_LEN 66
++
++
+ /* The random function H(x) = HMAC-SHA256(0^32, x) */
+ struct crypto_hash * eap_pwd_h_init(void)
+ {
+@@ -102,6 +106,15 @@ EAP_PWD_group * get_eap_pwd_group(u16 num)
+ }
+
+
++static void buf_shift_right(u8 *buf, size_t len, size_t bits)
++{
++ size_t i;
++ for (i = len - 1; i > 0; i--)
++ buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
++ buf[0] >>= bits;
++}
++
++
+ /*
+ * compute a "random" secret point on an elliptic curve based
+ * on the password and identities.
+@@ -113,17 +126,27 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ const u8 *token)
+ {
+ struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
++ struct crypto_bignum *qr_or_qnr = NULL;
++ u8 qr_bin[MAX_ECC_PRIME_LEN];
++ u8 qnr_bin[MAX_ECC_PRIME_LEN];
++ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
++ u8 x_bin[MAX_ECC_PRIME_LEN];
+ struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+- int is_odd, ret = 0, check, found = 0;
+- size_t primebytelen, primebitlen;
+- struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
++ int ret = 0, check, res;
++ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++ * mask */
++ size_t primebytelen = 0, primebitlen;
++ struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
+ const struct crypto_bignum *prime;
++ u8 mask, found_ctr = 0, is_odd = 0;
+
+ if (grp->pwe)
+ return -1;
+
++ os_memset(x_bin, 0, sizeof(x_bin));
++
+ prime = crypto_ec_get_prime(grp->group);
+ cofactor = crypto_bignum_init();
+ grp->pwe = crypto_ec_point_init(grp->group);
+@@ -152,8 +175,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+
+ /* get a random quadratic residue and nonresidue */
+ while (!qr || !qnr) {
+- int res;
+-
+ if (crypto_bignum_rand(tmp1, prime) < 0)
+ goto fail;
+ res = crypto_bignum_legendre(tmp1, prime);
+@@ -167,6 +188,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (!tmp1)
+ goto fail;
+ }
++ if (crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin),
++ primebytelen) < 0 ||
++ crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin),
++ primebytelen) < 0)
++ goto fail;
+
+ os_memset(prfbuf, 0, primebytelen);
+ ctr = 0;
+@@ -194,17 +220,16 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ eap_pwd_h_update(hash, &ctr, sizeof(ctr));
+ eap_pwd_h_final(hash, pwe_digest);
+
+- crypto_bignum_deinit(rnd, 1);
+- rnd = crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN);
+- if (!rnd) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd");
+- goto fail;
+- }
++ is_odd = const_time_select_u8(
++ found, is_odd, pwe_digest[SHA256_MAC_LEN - 1] & 0x01);
+ if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
+ (u8 *) "EAP-pwd Hunting And Pecking",
+ os_strlen("EAP-pwd Hunting And Pecking"),
+ prfbuf, primebitlen) < 0)
+ goto fail;
++ if (primebitlen % 8)
++ buf_shift_right(prfbuf, primebytelen,
++ 8 - primebitlen % 8);
+
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -214,24 +239,13 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- /*
+- * eap_pwd_kdf() returns a string of bits 0..primebitlen but
+- * BN_bin2bn will treat that string of bits as a big endian
+- * number. If the primebitlen is not an even multiple of 8
+- * then excessive bits-- those _after_ primebitlen-- so now
+- * we have to shift right the amount we masked off.
+- */
+- if ((primebitlen % 8) &&
+- crypto_bignum_rshift(x_candidate,
+- (8 - (primebitlen % 8)),
+- x_candidate) < 0)
+- goto fail;
+-
+ if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+ continue;
+
+- wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
+- prfbuf, primebytelen);
++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
++ prfbuf, primebytelen);
++ const_time_select_bin(found, x_bin, prfbuf, primebytelen,
++ x_bin);
+
+ /*
+ * compute y^2 using the equation of the curve
+@@ -261,13 +275,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ * Flip a coin, multiply by the random quadratic residue or the
+ * random quadratic nonresidue and record heads or tails.
+ */
+- if (crypto_bignum_is_odd(tmp1)) {
+- crypto_bignum_mulmod(tmp2, qr, prime, tmp2);
+- check = 1;
+- } else {
+- crypto_bignum_mulmod(tmp2, qnr, prime, tmp2);
+- check = -1;
+- }
++ mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1);
++ check = const_time_select_s8(mask, 1, -1);
++ const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen,
++ qr_or_qnr_bin);
++ crypto_bignum_deinit(qr_or_qnr, 1);
++ qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen);
++ if (!qr_or_qnr ||
++ crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0)
++ goto fail;
+
+ /*
+ * Now it's safe to do legendre, if check is 1 then it's
+@@ -275,59 +291,12 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ * change result), if check is -1 then it's the opposite test
+ * (multiplying a qr by qnr would make a qnr).
+ */
+- if (crypto_bignum_legendre(tmp2, prime) == check) {
+- if (found == 1)
+- continue;
+-
+- /* need to unambiguously identify the solution */
+- is_odd = crypto_bignum_is_odd(rnd);
+-
+- /*
+- * We know x_candidate is a quadratic residue so set
+- * it here.
+- */
+- if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
+- x_candidate,
+- is_odd) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Could not solve for y");
+- continue;
+- }
+-
+- /*
+- * If there's a solution to the equation then the point
+- * must be on the curve so why check again explicitly?
+- * OpenSSL code says this is required by X9.62. We're
+- * not X9.62 but it can't hurt just to be sure.
+- */
+- if (!crypto_ec_point_is_on_curve(grp->group,
+- grp->pwe)) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: point is not on curve");
+- continue;
+- }
+-
+- if (!crypto_bignum_is_one(cofactor)) {
+- /* make sure the point is not in a small
+- * sub-group */
+- if (crypto_ec_point_mul(grp->group, grp->pwe,
+- cofactor,
+- grp->pwe) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: cannot multiply generator by order");
+- continue;
+- }
+- if (crypto_ec_point_is_at_infinity(grp->group,
+- grp->pwe)) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: point is at infinity");
+- continue;
+- }
+- }
+- wpa_printf(MSG_DEBUG,
+- "EAP-pwd: found a PWE in %d tries", ctr);
+- found = 1;
+- }
++ res = crypto_bignum_legendre(tmp2, prime);
++ if (res == -2)
++ goto fail;
++ mask = const_time_eq(res, check);
++ found_ctr = const_time_select_u8(found, found_ctr, ctr);
++ found |= mask;
+ }
+ if (found == 0) {
+ wpa_printf(MSG_INFO,
+@@ -335,6 +304,44 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ num);
+ goto fail;
+ }
++
++ /*
++ * We know x_candidate is a quadratic residue so set it here.
++ */
++ crypto_bignum_deinit(x_candidate, 1);
++ x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
++ if (!x_candidate ||
++ crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
++ is_odd) != 0) {
++ wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++ goto fail;
++ }
++
++ /*
++ * If there's a solution to the equation then the point must be on the
++ * curve so why check again explicitly? OpenSSL code says this is
++ * required by X9.62. We're not X9.62 but it can't hurt just to be sure.
++ */
++ if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
++ goto fail;
++ }
++
++ if (!crypto_bignum_is_one(cofactor)) {
++ /* make sure the point is not in a small sub-group */
++ if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
++ grp->pwe) != 0) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: cannot multiply generator by order");
++ goto fail;
++ }
++ if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
++ goto fail;
++ }
++ }
++ wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
++
+ if (0) {
+ fail:
+ crypto_ec_point_deinit(grp->pwe, 1);