30 files changed, 1439 insertions, 53 deletions
diff --git a/community/zabbix/APKBUILD b/community/zabbix/APKBUILD index 9d9290ca24..9daf7982e3 100644 --- a/community/zabbix/APKBUILD +++ b/community/zabbix/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=zabbix -pkgver=4.0.21 +pkgver=4.0.27 pkgrel=0 pkgdesc="Enterprise-class open source distributed monitoring" url="http://www.zabbix.com" @@ -200,10 +200,10 @@ agent_openrc() { "$subpkgdir"/etc/init.d/zabbix-agentd } -sha512sums="f93137602a6f89feed66d35d6604f92bb4f8b6831cd9348108408a5bddeb98ac22ed72077e59b6e9dd12b894d115c0e410912e0c1d83bb36a9398188dbe80e30 zabbix-4.0.21.tar.gz +sha512sums="c5187c4421db0d179a49a7ef3af0a0bca950090644bbf8b474a5be807a8e54d08688946e5c9a63e5f367487314d806873718b081f2dc62ac310a2c19f1472eaf zabbix-4.0.27.tar.gz 9998ee172a28002d98bacc3f76038ff52b8cf2b206e101418d76b4ca3de94afaf92cb4f7a6235ecf177f74beb9dd3ea1f3983c4f164b4f60bb601acba65aa175 zabbix-server.initd 9c06527bf653c40585fa7eeb3f7a0b2fc454031d24cd0d1633aed87b78a681c5227a193c5b9fcfcea0839135874e27ba7dd9b198573f905f680a2856f79e9512 zabbix-server.confd -523013cab3ba79cbc00db92f09d4c5d514fd6aa9cbebf8f29227dc91fbc19d2f8375af74c21d2037e4f3380a818f808194dbc94e69709ef2cf90f66e715895c4 zabbix-agentd.initd +c6513c5cdc4709886ad2f2351ddd9fb3a5aeb35d07a3ca34ca7a531cc48be3b3c1dab74aecabe67aac78146bb5ee984c102b882707d1fbfa4120cf780eca9a92 zabbix-agentd.initd a26e7ac422ff60a4b8eed3603022c3a1bde640870bb9286ab061c3cb5c2fd7e91ddb317cb3d1cf61034adda0a080fc212ad416c9e2853a1deb03c5279753f4e2 zabbix-proxy.initd 9fc413b11a01c8202c7ee1c7950d6ca3de2d2d6cd01bea994cd4bc412533b53c4e4b1f58fc3c8df16ea70902053e278e2c5dcc936ce3e0a686a6eac62310ef53 zabbix-getloadavg.patch 7f70dfd602aa164ec8cc65ebb7e8274c685975f6aea9051933928051b8d9b6e368e5a673a07e7084a2105468c5085d72fa7b9f934460f10648d594f28f031a91 automake.patch 
diff --git a/community/zabbix/zabbix-agentd.initd b/community/zabbix/zabbix-agentd.initd index 56d67db8ae..c24b0f8226 100644 --- a/community/zabbix/zabbix-agentd.initd +++ b/community/zabbix/zabbix-agentd.initd @@ -1,34 +1,19 @@ #!/sbin/openrc-run -# Copyright 1999-2007 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-analyzer/zabbix/files/1.6.6/init.d/zabbix-agentd,v 1.1 2009/10/05 15:55:23 patrick Exp $ -# ensure the same file is specified as PidFile in /etc/zabbix/zabbix_agentd.conf -pidfile=/var/run/zabbix/zabbix_agentd.pid -user=zabbix -group=zabbix +name="Zabbix Agent" +command="/usr/sbin/zabbix_agentd" +command_args="--foreground" +command_background=yes +pidfile="/run/zabbix/zabbix_agentd.pid" +: ${command_user:=zabbix} +: ${command_group:=zabbix} start_pre() { - checkpath --owner ${user}:${group} --directory ${pidfile%/*} + checkpath --owner ${command_user}:${command_group} --directory ${pidfile%/*} /var/log/zabbix } - depend() { need net provide zabbix-agent use zabbix-server } - -start() { - ebegin "Starting Zabbix agent" - start-stop-daemon --pidfile ${pidfile} --start --user ${user}:${group} --exec /usr/sbin/zabbix_agentd - eend $? -} - -stop() { - ebegin "Stopping Zabbix agent" - start-stop-daemon --stop --user ${user} --pidfile ${pidfile} - eend $? -} - - diff --git a/main/bind/CVE-2020-8619.patch b/main/bind/CVE-2020-8619.patch new file mode 100644 index 0000000000..e6d305bdb8 --- /dev/null +++ b/main/bind/CVE-2020-8619.patch 
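Review bot: With `command_background=yes` OpenRC itself writes and later trusts `pidfile="/run/zabbix/zabbix_agentd.pid"`, yet `start_pre()` hands that directory to `${command_user}:${command_group}` through checkpath, so the unprivileged service account can replace a file that root reads to decide which process to signal on stop. Consider keeping the supervisor's pidfile in a root-owned location, for example `pidfile="/run/$RC_SVCNAME.pid"`, and naming the service directories explicitly: `checkpath --owner "${command_user}:${command_group}" --directory /run/zabbix /var/log/zabbix`. The quoting matters more now that both names can be overridden from outside the script through `: ${command_user:=zabbix}`. The removed comment about keeping PidFile in zabbix_agentd.conf in sync deserves a replacement line, because whether the agent still writes its own pid file in `--foreground` mode is not visible here.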
@@ -0,0 +1,545 @@ +From 569cc155b8680d8ed12db1fabbe20947db24a0f9 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Tue, 2 Jun 2020 12:38:40 +1000 +Subject: [PATCH] Remove INSIST from from new_reference + +RBTDB node can now appear on the deadnodes lists following the changes +to decrement_reference in 176b23b6cd98e5b58f832902fdbe964ee5f762d0 to +defer checking of node->down when the tree write lock is not held. The +node should be unlinked instead. +--- + lib/dns/rbtdb.c | 173 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 100 insertions(+), 73 deletions(-) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index bfe3538a59..87fbdb317b 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -1858,8 +1858,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { + * Caller must be holding the node lock. + */ + static inline void +-new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, ++ isc_rwlocktype_t locktype) { ++ if (locktype == isc_rwlocktype_write && ISC_LINK_LINKED(node, deadlink)) ++ { ++ ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node, ++ deadlink); ++ } + if (isc_refcount_increment0(&node->references) == 0) { + /* this is the first reference to the node */ + isc_refcount_increment0( +@@ -1877,13 +1882,14 @@ is_leaf(dns_rbtnode_t *node) { + } + + static inline void +-send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { ++send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, ++ isc_rwlocktype_t locktype) { + isc_event_t *ev; + dns_db_t *db; + + ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE, + prune_tree, node, sizeof(isc_event_t)); +- new_reference(rbtdb, node); ++ new_reference(rbtdb, node, locktype); + db = NULL; + attach((dns_db_t *)rbtdb, &db); + ev->ev_sender = db; +@@ -1919,7 +1925,7 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) { + node->data == NULL); 
+ + if (is_leaf(node) && rbtdb->task != NULL) { +- send_to_prune_tree(rbtdb, node); ++ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write); + } else if (node->down == NULL && node->data == NULL) { + /* + * Not a interior node and not needing to be +@@ -1987,7 +1993,7 @@ reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, + } + } + +- new_reference(rbtdb, node); ++ new_reference(rbtdb, node, locktype); + + NODE_UNLOCK(nodelock, locktype); + } +@@ -2122,15 +2128,17 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, + * periodic walk-through). + */ + if (!pruning && is_leaf(node) && rbtdb->task != NULL) { +- send_to_prune_tree(rbtdb, node); ++ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write); + no_reference = false; + } else { + delete_node(rbtdb, node); + } + } else { + INSIST(node->data == NULL); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); +- ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink); ++ if (!ISC_LINK_LINKED(node, deadlink)) { ++ ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, ++ deadlink); ++ } + } + + restore_locks: +@@ -2200,16 +2208,13 @@ prune_tree(isc_task_t *task, isc_event_t *event) { + + /* + * We need to gain a reference to the node before +- * decrementing it in the next iteration. In addition, +- * if the node is in the dead-nodes list, extract it +- * from the list beforehand as we do in +- * reactivate_node(). ++ * decrementing it in the next iteration. + */ + if (ISC_LINK_LINKED(parent, deadlink)) { + ISC_LIST_UNLINK(rbtdb->deadnodes[locknum], + parent, deadlink); + } +- new_reference(rbtdb, parent); ++ new_reference(rbtdb, parent, isc_rwlocktype_write); + } else { + parent = NULL; + } +@@ -2976,7 +2981,7 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { + * We increment the reference count on node to ensure that + * search->zonecut_rdataset will still be valid later. 
+ */ +- new_reference(search->rbtdb, node); ++ new_reference(search->rbtdb, node, isc_rwlocktype_read); + search->zonecut = node; + search->zonecut_rdataset = found; + search->need_cleanup = true; +@@ -3028,7 +3033,8 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { + + static inline void + bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, +- isc_stdtime_t now, dns_rdataset_t *rdataset) { ++ isc_stdtime_t now, isc_rwlocktype_t locktype, ++ dns_rdataset_t *rdataset) { + unsigned char *raw; /* RDATASLAB */ + + /* +@@ -3043,7 +3049,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, + return; + } + +- new_reference(rbtdb, node); ++ new_reference(rbtdb, node, locktype); + + INSIST(rdataset->methods == NULL); /* We must be disassociated. */ + +@@ -3148,12 +3154,12 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep, + NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock), + isc_rwlocktype_read); + bind_rdataset(search->rbtdb, node, search->zonecut_rdataset, +- search->now, rdataset); ++ search->now, isc_rwlocktype_read, rdataset); + if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL) + { + bind_rdataset(search->rbtdb, node, + search->zonecut_sigrdataset, search->now, +- sigrdataset); ++ isc_rwlocktype_read, sigrdataset); + } + NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock), + isc_rwlocktype_read); +@@ -3818,18 +3824,21 @@ again: + foundname, NULL); + if (result == ISC_R_SUCCESS) { + if (nodep != NULL) { +- new_reference(search->rbtdb, +- node); ++ new_reference( ++ search->rbtdb, node, ++ isc_rwlocktype_read); + *nodep = node; + } + bind_rdataset(search->rbtdb, node, + found, search->now, ++ isc_rwlocktype_read, + rdataset); + if (foundsig != NULL) { +- bind_rdataset(search->rbtdb, +- node, foundsig, +- search->now, +- sigrdataset); ++ bind_rdataset( ++ search->rbtdb, node, ++ foundsig, search->now, ++ isc_rwlocktype_read, ++ 
sigrdataset); + } + } + } else if (found == NULL && foundsig == NULL) { +@@ -4114,7 +4123,8 @@ found: + * ensure that search->zonecut_rdataset will + * still be valid later. + */ +- new_reference(search.rbtdb, node); ++ new_reference(search.rbtdb, node, ++ isc_rwlocktype_read); + search.zonecut = node; + search.zonecut_rdataset = header; + search.zonecut_sigrdataset = NULL; +@@ -4292,7 +4302,7 @@ found: + goto node_exit; + } + if (nodep != NULL) { +- new_reference(search.rbtdb, node); ++ new_reference(search.rbtdb, node, isc_rwlocktype_read); + *nodep = node; + } + if ((search.rbtversion->secure == dns_db_secure && +@@ -4300,10 +4310,10 @@ found: + (search.options & DNS_DBFIND_FORCENSEC) != 0) + { + bind_rdataset(search.rbtdb, node, nsecheader, 0, +- rdataset); ++ isc_rwlocktype_read, rdataset); + if (nsecsig != NULL) { + bind_rdataset(search.rbtdb, node, nsecsig, 0, +- sigrdataset); ++ isc_rwlocktype_read, sigrdataset); + } + } + if (wild) { +@@ -4376,7 +4386,7 @@ found: + + if (nodep != NULL) { + if (!at_zonecut) { +- new_reference(search.rbtdb, node); ++ new_reference(search.rbtdb, node, isc_rwlocktype_read); + } else { + search.need_cleanup = false; + } +@@ -4384,10 +4394,11 @@ found: + } + + if (type != dns_rdatatype_any) { +- bind_rdataset(search.rbtdb, node, found, 0, rdataset); ++ bind_rdataset(search.rbtdb, node, found, 0, isc_rwlocktype_read, ++ rdataset); + if (foundsig != NULL) { + bind_rdataset(search.rbtdb, node, foundsig, 0, +- sigrdataset); ++ isc_rwlocktype_read, sigrdataset); + } + } + +@@ -4570,8 +4581,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { + * We increment the reference count on node to ensure that + * search->zonecut_rdataset will still be valid later. 
+ */ +- new_reference(search->rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search->rbtdb, node, locktype); + search->zonecut = node; + search->zonecut_rdataset = dname_header; + search->zonecut_sigrdataset = sigdname_header; +@@ -4679,14 +4689,15 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, + } + result = DNS_R_DELEGATION; + if (nodep != NULL) { +- new_reference(search->rbtdb, node); ++ new_reference(search->rbtdb, node, locktype); + *nodep = node; + } + bind_rdataset(search->rbtdb, node, found, search->now, +- rdataset); ++ locktype, rdataset); + if (foundsig != NULL) { + bind_rdataset(search->rbtdb, node, foundsig, +- search->now, sigrdataset); ++ search->now, locktype, ++ sigrdataset); + } + if (need_headerupdate(found, search->now) || + (foundsig != NULL && +@@ -4795,13 +4806,13 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, + if (result != ISC_R_SUCCESS) { + goto unlock_node; + } +- bind_rdataset(search->rbtdb, node, found, now, ++ bind_rdataset(search->rbtdb, node, found, now, locktype, + rdataset); + if (foundsig != NULL) { + bind_rdataset(search->rbtdb, node, foundsig, +- now, sigrdataset); ++ now, locktype, sigrdataset); + } +- new_reference(search->rbtdb, node); ++ new_reference(search->rbtdb, node, locktype); + *nodep = node; + result = DNS_R_COVERINGNSEC; + } else if (!empty_node) { +@@ -5026,18 +5037,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0 && + nsecheader != NULL) { + if (nodep != NULL) { +- new_reference(search.rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search.rbtdb, node, locktype); + *nodep = node; + } + bind_rdataset(search.rbtdb, node, nsecheader, +- search.now, rdataset); ++ search.now, locktype, rdataset); + if (need_headerupdate(nsecheader, search.now)) { + update = nsecheader; + } + if (nsecsig != NULL) { + bind_rdataset(search.rbtdb, node, 
nsecsig, +- search.now, sigrdataset); ++ search.now, locktype, ++ sigrdataset); + if (need_headerupdate(nsecsig, search.now)) { + updatesig = nsecsig; + } +@@ -5052,18 +5063,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + */ + if (nsheader != NULL) { + if (nodep != NULL) { +- new_reference(search.rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search.rbtdb, node, locktype); + *nodep = node; + } + bind_rdataset(search.rbtdb, node, nsheader, search.now, +- rdataset); ++ locktype, rdataset); + if (need_headerupdate(nsheader, search.now)) { + update = nsheader; + } + if (nssig != NULL) { + bind_rdataset(search.rbtdb, node, nssig, +- search.now, sigrdataset); ++ search.now, locktype, ++ sigrdataset); + if (need_headerupdate(nssig, search.now)) { + updatesig = nssig; + } +@@ -5084,8 +5095,7 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + */ + + if (nodep != NULL) { +- new_reference(search.rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search.rbtdb, node, locktype); + *nodep = node; + } + +@@ -5117,13 +5127,14 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN || + result == DNS_R_NCACHENXRRSET) + { +- bind_rdataset(search.rbtdb, node, found, search.now, rdataset); ++ bind_rdataset(search.rbtdb, node, found, search.now, locktype, ++ rdataset); + if (need_headerupdate(found, search.now)) { + update = found; + } + if (!NEGATIVE(found) && foundsig != NULL) { + bind_rdataset(search.rbtdb, node, foundsig, search.now, +- sigrdataset); ++ locktype, sigrdataset); + if (need_headerupdate(foundsig, search.now)) { + updatesig = foundsig; + } +@@ -5282,15 +5293,15 @@ cache_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options, + } + + if (nodep != NULL) { +- new_reference(search.rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ 
new_reference(search.rbtdb, node, locktype); + *nodep = node; + } + +- bind_rdataset(search.rbtdb, node, found, search.now, rdataset); ++ bind_rdataset(search.rbtdb, node, found, search.now, locktype, ++ rdataset); + if (foundsig != NULL) { + bind_rdataset(search.rbtdb, node, foundsig, search.now, +- sigrdataset); ++ locktype, sigrdataset); + } + + if (need_headerupdate(found, search.now) || +@@ -5653,10 +5664,11 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + } + if (found != NULL) { +- bind_rdataset(rbtdb, rbtnode, found, now, rdataset); ++ bind_rdataset(rbtdb, rbtnode, found, now, isc_rwlocktype_read, ++ rdataset); + if (foundsig != NULL) { + bind_rdataset(rbtdb, rbtnode, foundsig, now, +- sigrdataset); ++ isc_rwlocktype_read, sigrdataset); + } + } + +@@ -5747,9 +5759,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + } + if (found != NULL) { +- bind_rdataset(rbtdb, rbtnode, found, now, rdataset); ++ bind_rdataset(rbtdb, rbtnode, found, now, locktype, rdataset); + if (!NEGATIVE(found) && foundsig != NULL) { +- bind_rdataset(rbtdb, rbtnode, foundsig, now, ++ bind_rdataset(rbtdb, rbtnode, foundsig, now, locktype, + sigrdataset); + } + } +@@ -5917,6 +5929,9 @@ resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) { + return (result); + } + ++/* ++ * node write lock must be held. 
++ */ + static void + resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, + rdatasetheader_t *header) { +@@ -5928,7 +5943,8 @@ resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, + header->heap_index); + header->heap_index = 0; + if (version != NULL) { +- new_reference(rbtdb, header->node); ++ new_reference(rbtdb, header->node, ++ isc_rwlocktype_write); + ISC_LIST_APPEND(version->resigned_list, header, link); + } + } +@@ -5959,6 +5975,9 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion, + RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); + } + ++/* ++ * write lock on rbtnode must be held. ++ */ + static isc_result_t + add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename, + rbtdb_version_t *rbtversion, rdatasetheader_t *newheader, +@@ -6085,9 +6104,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename, + free_rdataset(rbtdb, rbtdb->common.mctx, + newheader); + if (addedrdataset != NULL) { +- bind_rdataset(rbtdb, rbtnode, +- topheader, now, +- addedrdataset); ++ bind_rdataset( ++ rbtdb, rbtnode, ++ topheader, now, ++ isc_rwlocktype_write, ++ addedrdataset); + } + return (DNS_R_UNCHANGED); + } +@@ -6147,6 +6168,7 @@ find_header: + free_rdataset(rbtdb, rbtdb->common.mctx, newheader); + if (addedrdataset != NULL) { + bind_rdataset(rbtdb, rbtnode, header, now, ++ isc_rwlocktype_write, + addedrdataset); + } + return (DNS_R_UNCHANGED); +@@ -6258,6 +6280,7 @@ find_header: + free_rdataset(rbtdb, rbtdb->common.mctx, newheader); + if (addedrdataset != NULL) { + bind_rdataset(rbtdb, rbtnode, header, now, ++ isc_rwlocktype_write, + addedrdataset); + } + return (ISC_R_SUCCESS); +@@ -6307,6 +6330,7 @@ find_header: + free_rdataset(rbtdb, rbtdb->common.mctx, newheader); + if (addedrdataset != NULL) { + bind_rdataset(rbtdb, rbtnode, header, now, ++ isc_rwlocktype_write, + addedrdataset); + } + return (ISC_R_SUCCESS); +@@ -6504,7 +6528,8 @@ find_header: + } + + if (addedrdataset != NULL) { +- 
bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset); ++ bind_rdataset(rbtdb, rbtnode, newheader, now, ++ isc_rwlocktype_write, addedrdataset); + } + + return (ISC_R_SUCCESS); +@@ -7045,13 +7070,15 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + + if (result == ISC_R_SUCCESS && newrdataset != NULL) { +- bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset); ++ bind_rdataset(rbtdb, rbtnode, newheader, 0, ++ isc_rwlocktype_write, newrdataset); + } + + if (result == DNS_R_NXRRSET && newrdataset != NULL && + (options & DNS_DBSUB_WANTOLD) != 0) + { +- bind_rdataset(rbtdb, rbtnode, header, 0, newrdataset); ++ bind_rdataset(rbtdb, rbtnode, header, 0, isc_rwlocktype_write, ++ newrdataset); + } + + unlock: +@@ -7929,8 +7956,7 @@ getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) { + /* Note that the access to origin_node doesn't require a DB lock */ + onode = (dns_rbtnode_t *)rbtdb->origin_node; + if (onode != NULL) { +- new_reference(rbtdb, onode); +- ++ new_reference(rbtdb, onode, isc_rwlocktype_none); + *nodep = rbtdb->origin_node; + } else { + INSIST(IS_CACHE(rbtdb)); +@@ -8123,7 +8149,8 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *foundname) { + * Found something; pass back the answer and unlock + * the bucket. 
+ */ +- bind_rdataset(rbtdb, header->node, header, 0, rdataset); ++ bind_rdataset(rbtdb, header->node, header, 0, ++ isc_rwlocktype_read, rdataset); + + if (foundname != NULL) { + dns_rbt_fullnamefromnode(header->node, foundname); +@@ -9130,7 +9157,7 @@ rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) { + isc_rwlocktype_read); + + bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now, +- rdataset); ++ isc_rwlocktype_read, rdataset); + + NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_read); +@@ -9585,7 +9612,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, + result = ISC_R_SUCCESS; + } + +- new_reference(rbtdb, node); ++ new_reference(rbtdb, node, isc_rwlocktype_none); + + *nodep = rbtdbiter->node; + +@@ -10498,7 +10525,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked, + * We first need to gain a new reference to the node to meet a + * requirement of decrement_reference(). + */ +- new_reference(rbtdb, header->node); ++ new_reference(rbtdb, header->node, isc_rwlocktype_write); + decrement_reference(rbtdb, header->node, 0, + isc_rwlocktype_write, + tree_locked ? isc_rwlocktype_write +-- +GitLab diff --git a/main/bluez/APKBUILD b/main/bluez/APKBUILD index 7a6788eacb..e431f069e5 100644 --- a/main/bluez/APKBUILD +++ b/main/bluez/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=bluez pkgver=5.50 -pkgrel=1 +pkgrel=2 pkgdesc="Tools for the Bluetooth protocol stack" url="http://www.bluez.org/" arch="all" @@ -25,10 +25,13 @@ source="https://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz disable-lock-test.patch fix-endianness.patch CVE-2020-0556.patch + CVE-2020-27153.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 5.50-r2: +# - CVE-2020-27153 # 5.50-r1: # - CVE-2020-0556 
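Review bot: CVE-2020-8619.patch is added under main/bind, but no main/bind/APKBUILD section appears between the zabbix and bluez sections of this diff, so nothing visible here adds the patch to `source=`, its checksum to `sha512sums`, or a `# secfixes:` entry with a pkgrel bump the way the bluez, cups, curl and dovecot sections do. Unless the APKBUILD already references the file, the fix is not applied at build time and tools that read secfixes will keep reporting the CVE for this package. Inside the patch, new_reference() now unlinks the node from deadnodes only when `locktype == isc_rwlocktype_write`, while its header comment still reads only "Caller must be holding the node lock"; a line such as `/* The node is unlinked from deadnodes only when the write lock is held. */` would document the new parameter.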
@@ -126,4 +129,5 @@ d5fd1c962bd846eaa6fff879bab85f753eb367d514f82d133b5d3242e1da989af5eddd942c60a87d 41ce7ccf78cca97563f0ef31e01dac6eb4484c24fe57be360b5e8de8c5bff5845e9d395766f891bd3f123788344456c88c9fc00cd1bb7c6a1dca89d09f19172b bluez-5.40-obexd_without_systemd-1.patch 04c4889372c8e790bb338dde7ffa76dc32fcf7370025c71b9184fcf17fd01ade4a6613d84d648303af3bbc54043ad489f29fc0cd4679ec8c9029dcb846d7e026 disable-lock-test.patch 118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch -1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch" +1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch +c8e65bdfb5edc8edd0d1f9a153a7d5b953f0c5700aa61645af251cd857117990090a27c0ee133056fc045d0f6b6a3c1aad60ff0dfd3707c2c5ba29c518fccca8 CVE-2020-27153.patch" diff --git a/main/bluez/CVE-2020-27153.patch b/main/bluez/CVE-2020-27153.patch new file mode 100644 index 0000000000..48a346fe2c --- /dev/null +++ b/main/bluez/CVE-2020-27153.patch 
@@ -0,0 +1,95 @@ +Adapted from https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a + +diff --git a/src/shared/att.c b/src/shared/att.c +index 0ea6d55..b0fdb8e 100644 +--- a/src/shared/att.c ++++ b/src/shared/att.c +@@ -62,6 +62,7 @@ struct bt_att { + struct queue *ind_queue; /* Queued ATT protocol indications */ + struct att_send_op *pending_ind; + struct queue *write_queue; /* Queue of PDUs ready to send */ ++ bool in_disc; /* Cleanup queues on disconnect_cb */ + bool writer_active; + + struct queue *notify_list; /* List of registered callbacks */ +@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data) + free(op); + } + +-static void cancel_att_send_op(struct att_send_op *op) ++static void cancel_att_send_op(void *data) + { ++ struct att_send_op *op = data; ++ + if (op->destroy) + op->destroy(op->user_data); + +@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data) + att->io = NULL; + att->fd = -1; + +- /* Notify request callbacks */ +- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op); +- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op); +- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op); +- + if (att->pending_req) { + disc_att_send_op(att->pending_req); + att->pending_req = NULL; +@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data) + + bt_att_ref(att); + ++ att->in_disc = true; ++ ++ /* Notify request callbacks */ ++ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op); ++ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op); ++ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op); ++ ++ att->in_disc = false; ++ + queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err)); + + bt_att_unregister_all(att); +@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b) + return op->id == id; + } + ++static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id) ++{ ++ struct 
att_send_op *op; ++ ++ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id)); ++ if (op) ++ goto done; ++ ++ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id)); ++ if (op) ++ goto done; ++ ++ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id)); ++ ++done: ++ if (!op) ++ return false; ++ ++ /* Just cancel since disconnect_cb will be cleaning up */ ++ cancel_att_send_op(op); ++ ++ return true; ++} ++ + bool bt_att_cancel(struct bt_att *att, unsigned int id) + { + struct att_send_op *op; +@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id) + return true; + } + ++ if (att->in_disc) ++ return bt_att_disc_cancel(att, id); ++ + op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id)); + if (op) + goto done; diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD index 3c7166e23d..127c7292d8 100644 --- a/main/cups/APKBUILD +++ b/main/cups/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cups pkgver=2.2.12 -pkgrel=0 +pkgrel=1 pkgdesc="The CUPS Printing System" url="https://www.cups.org/" arch="all" @@ -20,10 +20,15 @@ source="https://github.com/apple/cups/releases/download/v$pkgver/cups-$pkgver-so cupsd.initd cups-no-export-ssllibs.patch default-config-no-gssapi.patch + CVE-2019-8842.patch + CVE-2020-3898.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 2.2.12-r1: +# - CVE-2019-8842 +# - CVE-2020-3898 # 2.2.12-r0: # - CVE-2019-8696 # - CVE-2019-8675 
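Review bot: The `in_disc` guard is wired only into bt_att_cancel(); bt_att_cancel_all() is not touched by this patch, so if a callback run from `queue_remove_all(..., disc_att_send_op)` calls it, the queues would presumably still be modified while disconnect_cb is walking them, which is the pattern this fix is meant to stop. Please confirm against the upstream commit whether that path needs the same guard in this version. The header line should also say what was adapted, e.g. `Adapted from <upstream commit URL>: <hunks changed or omitted for 5.50>`, as the curl patch in this commit does. cancel_att_send_op() now takes `void *data`, but the only caller added here passes a `struct att_send_op *` directly, so the reason for the signature change is not visible in this patch. bt_att_cancel()'s body continues outside the hunk.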
@@ -134,4 +139,6 @@ sha512sums="b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df cf64211da59e79285f99d437c02fdd7db462855fb2920ec9563ba47bd8a9e5cbd10555094940ceedeb41ac805c4f0ddb9147481470112a11a76220d0298aef79 cups.logrotate 2c2683f755a220166b3a1653fdd1a6daa9718c8f0bbdff2e2d5e61d1133306260d63a83d3ff41619b5cf84c4913fae5822b79553e2822858f38fa3613f4c7082 cupsd.initd 7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch -98bb97f4af69ea286fc3d398b8e57c32440e6b2d49fb7f79b418a4fe7f13441f3a610f65d3433d10d971ade808233c0b29b4d66160623ccaae919179384be918 default-config-no-gssapi.patch" +98bb97f4af69ea286fc3d398b8e57c32440e6b2d49fb7f79b418a4fe7f13441f3a610f65d3433d10d971ade808233c0b29b4d66160623ccaae919179384be918 default-config-no-gssapi.patch +1a6dc3560c78eef28cad977abde076c02791e34fc05e53ce3137ac4ff1feb2f6bae5f64ba8733f44280ac4273d825372b29b15da6bb179776496f62a7d06462d CVE-2019-8842.patch +560466d3721cd105ef1e6aa03d0cb6c55964e94f06fe80e2f8570d481941cfd03ac6940d0108e111ea7f4bee55460b93423975410890e105902c5a4ce3b79d77 CVE-2020-3898.patch" diff --git a/main/cups/CVE-2019-8842.patch b/main/cups/CVE-2019-8842.patch new file mode 100644 index 0000000000..2e1a212239 --- /dev/null +++ b/main/cups/CVE-2019-8842.patch @@ -0,0 +1,13 @@ +diff --git a/cups/ipp.c b/cups/ipp.c +index b0762fd..dba4f31 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data source */ + * Read 32-bit "extension" tag... + */ + +- if ((*cb)(src, buffer, 4) < 1) ++ if ((*cb)(src, buffer, 4) < 4) + { + DEBUG_puts("1ippReadIO: Callback returned EOF/error"); + _cupsBufferRelease((char *)buffer); diff --git a/main/cups/CVE-2020-3898.patch b/main/cups/CVE-2020-3898.patch new file mode 100644 index 0000000000..d797a0be1a --- /dev/null +++ b/main/cups/CVE-2020-3898.patch 
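Review bot: CVE-2019-8842.patch and CVE-2020-3898.patch carry no origin line, unlike the bluez and curl patches in this commit that name the upstream commit they were taken from, so a later reviewer cannot check them against upstream; add a first line such as `Upstream: <commit URL>` to each. In ippReadIO the condition `(*cb)(src, buffer, 4) < 4` now also rejects short reads of 1 to 3 bytes, but the trace message on that path still reads "Callback returned EOF/error", which will mislead anyone debugging a truncated extension tag. The enclosing function starts and ends outside the hunk.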
@@ -0,0 +1,14 @@ +diff --git a/cups/ppd.c b/cups/ppd.c +index 58d92c1..5bc7939 100644 +--- a/cups/ppd.c ++++ b/cups/ppd.c +@@ -1730,8 +1730,7 @@ _ppdOpen( + constraint->choice1, constraint->option2, + constraint->choice2)) + { +- case 0 : /* Error */ +- case 1 : /* Error */ ++ default : /* Error */ + pg->ppd_status = PPD_BAD_UI_CONSTRAINTS; + goto error; + diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD index 8af79f2f03..3431a71ebf 100644 --- a/main/curl/APKBUILD +++ b/main/curl/APKBUILD @@ -4,7 +4,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=curl pkgver=7.64.0 -pkgrel=4 +pkgrel=5 pkgdesc="URL retrival utility and library" url="https://curl.haxx.se" arch="all" @@ -22,11 +22,14 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz CVE-2019-5482.patch CVE-2020-8169.patch CVE-2020-8177.patch + CVE-2020-8231.patch " options="!check" # sftp tests failing builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 7.66.0-r5: +# - CVE-2020-8231 # 7.64.0-r4: # - CVE-2020-8169 # - CVE-2020-8177 
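Review bot: The new secfixes key `# 7.66.0-r5:` does not match this package, which is `pkgver=7.64.0` with `pkgrel=5` and whose previous entry is `# 7.64.0-r4:`; it should read `# 7.64.0-r5:`. Tools that read secfixes to decide which package versions contain a fix would otherwise record CVE-2020-8231 against a release this branch does not ship and keep flagging 7.64.0-r5 as vulnerable.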
@@ -139,4 +142,5 @@ c629a1b36920a3f8eab3321b0222e203f53f29e5947d39a0c32e0a7de2d8ab2182c3d6bbb0828847 37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf CVE-2019-5481.patch 6703658d9212bb87de22fabd996e8f8eb8c98aa4c015b1daa4c1a15f503c4a5530dafbcc1817032d973ef94ac29fe7b8ee16426e443b20d0bcdbe5d7f0209ffb CVE-2019-5482.patch 4950975d59bdf8398dd5f4b8338e5f76ae3752247be9054a28753351bcddb46f71a8bd601dba31da1b6b3fbbfbe6192f33a6500144d89f2cfdfb47161e3addba CVE-2020-8169.patch -250359963230de2970ab4a56d731312f0772d6f89672b4189e7d6aa8553cb9efd8808221f418a1b7778f7b9e52a45738451aec2d4a0e73e084a748cff1b3d6da CVE-2020-8177.patch" +250359963230de2970ab4a56d731312f0772d6f89672b4189e7d6aa8553cb9efd8808221f418a1b7778f7b9e52a45738451aec2d4a0e73e084a748cff1b3d6da CVE-2020-8177.patch +d5f4421e5ac6f89220d00fb156c803edbb64679e9064ca8328269eea3582ee7780f77522b5069a1288cc09e968567175c94139249cc337906243c95d0bc3e684 CVE-2020-8231.patch" diff --git a/main/curl/CVE-2020-8231.patch b/main/curl/CVE-2020-8231.patch new file mode 100644 index 0000000000..0d6a76d94d --- /dev/null +++ b/main/curl/CVE-2020-8231.patch 
@@ -0,0 +1,123 @@ +Based on https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8 + +Didn't apply cleanly, fixed up lib/urldata.h and lib/url.c, ignored 2 changes in lib/multi.c +that refer to things that do not yet exist in this version of curl + +diff --git a/lib/connect.c b/lib/connect.c +index 0a7475c..b3d4057 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -1356,15 +1356,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */ + } + + struct connfind { +- struct connectdata *tofind; +- bool found; ++ long id_tofind; ++ struct connectdata *found; + }; + + static int conn_is_conn(struct connectdata *conn, void *param) + { + struct connfind *f = (struct connfind *)param; +- if(conn == f->tofind) { +- f->found = TRUE; ++ if(conn->connection_id == f->id_tofind) { ++ f->found = conn; + return 1; + } + return 0; +@@ -1386,21 +1386,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data, + * - that is associated with a multi handle, and whose connection + * was detached with CURLOPT_CONNECT_ONLY + */ +- if(data->state.lastconnect && (data->multi_easy || data->multi)) { +- struct connectdata *c = data->state.lastconnect; ++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) { ++ struct connectdata *c; + struct connfind find; +- find.tofind = data->state.lastconnect; +- find.found = FALSE; ++ find.id_tofind = data->state.lastconnect_id; ++ find.found = NULL; + + Curl_conncache_foreach(data, data->multi_easy? 
+ &data->multi_easy->conn_cache: + &data->multi->conn_cache, &find, conn_is_conn); + + if(!find.found) { +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + return CURL_SOCKET_BAD; + } + ++ c = find.found; + if(connp) { + /* only store this if the caller cares for it */ + *connp = c; +diff --git a/lib/easy.c b/lib/easy.c +index b648e80..7b0ea9a 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -831,8 +831,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + + /* the connection cache is setup on demand */ + outcurl->state.conn_cache = NULL; +- +- outcurl->state.lastconnect = NULL; ++ outcurl->state.lastconnect_id = -1; + + outcurl->progress.flags = data->progress.flags; + outcurl->progress.callback = data->progress.callback; +diff --git a/lib/multi.c b/lib/multi.c +index e10e752..02687dd 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -454,6 +454,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi, + data->state.conn_cache = &data->share->conn_cache; + else + data->state.conn_cache = &multi->conn_cache; ++ data->state.lastconnect_id = -1; + + #ifdef USE_LIBPSL + /* Do the same for PSL. 
*/ +@@ -669,11 +670,11 @@ static CURLcode multi_done(struct Curl_easy *data, + CONN_UNLOCK(data); + if(Curl_conncache_return_conn(data, conn)) { + /* remember the most recently used connection */ +- data->state.lastconnect = conn; ++ data->state.lastconnect_id = conn->connection_id; + infof(data, "%s\n", buffer); + } + else +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + } + + Curl_free_request_state(data); +diff --git a/lib/url.c b/lib/url.c +index 47fc66a..f0a880f 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -617,7 +617,7 @@ CURLcode Curl_open(struct Curl_easy **curl) + Curl_initinfo(data); + + /* most recent connection is not yet defined */ +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + + data->progress.flags |= PGRS_HIDE; + data->state.current_speed = -1; /* init to negative == impossible */ +diff --git a/lib/urldata.h b/lib/urldata.h +index fbb8b64..6586986 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1332,7 +1332,7 @@ struct UrlState { + /* buffers to store authentication data in, as parsed from input options */ + struct curltime keeps_speed; /* for the progress meter really */ + +- struct connectdata *lastconnect; /* The last connection, NULL if undefined */ ++ long lastconnect_id; /* The last connection, -1 if undefined */ + + char *headerbuff; /* allocated buffer to store headers in */ + size_t headersize; /* size of the allocation */ diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD index 3d7caebb5a..3ca3451bfc 100644 --- a/main/dovecot/APKBUILD +++ b/main/dovecot/APKBUILD @@ -6,7 +6,7 @@ pkgname=dovecot pkgver=2.3.10.1 _pkgvermajor=2.3 -pkgrel=0 +pkgrel=1 _pigeonholever=0.5.10 _pigeonholevermajor=${_pigeonholever%.*} pkgdesc="IMAP and POP3 server" @@ -61,6 +61,8 @@ source="https://www.dovecot.org/releases/$_pkgvermajor/$pkgname-$pkgver.tar.gz skip-iconv-check.patch split-protocols.patch default-config.patch + CVE-2020-12673.patch + CVE-2020-12674.patch dovecot.logrotate dovecot.initd " 
@@ -68,6 +70,9 @@ builddir="$srcdir/$pkgname-$pkgver" _builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever" # secfixes: +# 2.3.10.1-r1: +# - CVE-2020-12673 +# - CVE-2020-12674 # 2.3.10.1-r0: # - CVE-2020-10957 # - CVE-2020-10958 @@ -314,5 +319,7 @@ f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch 794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch 0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch +54d5b1bfbc9fcdc00a5c943420bcbbfc8f0107ab2ff160ef0b2f73093a23766e0fcdb4cfc7944def40526414f97aff818cac6bdec155a6f3962f477b210a8ed5 CVE-2020-12673.patch +3599ca53dff1234dcea483006a82ec7276c1feee8df4f1df50f0b080202e351dd34e011af1bbdbdce1d9db54761beb0890b0be6e4ce7ed86e62513896c072e0c CVE-2020-12674.patch 9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd" diff --git a/main/dovecot/CVE-2020-12673.patch b/main/dovecot/CVE-2020-12673.patch new file mode 100644 index 0000000000..9dd26e0350 --- /dev/null +++ b/main/dovecot/CVE-2020-12673.patch 
@@ -0,0 +1,31 @@ +From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Mon, 18 May 2020 12:33:39 +0300 +Subject: [PATCH] lib-ntlm: Check buffer length on responses + +Add missing check for buffer length. + +If this is not checked, it is possible to send message which +causes read past buffer bug. + +Broken in c7480644202e5451fbed448508ea29a25cffc99c +--- + src/lib-ntlm/ntlm-message.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c +index 160b9f918c..a29413b47e 100644 +--- a/src/lib-ntlm/ntlm-message.c ++++ b/src/lib-ntlm/ntlm-message.c +@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer, + if (length == 0 && space == 0) + return TRUE; + ++ if (length > data_size) { ++ *error = "buffer length out of bounds"; ++ return FALSE; ++ } ++ + if (offset >= data_size) { + *error = "buffer offset out of bounds"; + return FALSE; diff --git a/main/dovecot/CVE-2020-12674.patch b/main/dovecot/CVE-2020-12674.patch new file mode 100644 index 0000000000..a9dca2a82d --- /dev/null +++ b/main/dovecot/CVE-2020-12674.patch @@ -0,0 +1,22 @@ +From 69ad3c902ea4bbf9f21ab1857d8923f975dc6145 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Wed, 6 May 2020 13:40:36 +0300 +Subject: [PATCH] auth: mech-rpa - Fail on zero len buffer + +--- + src/auth/mech-rpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c +index 08298ebdd6..2de8705b4f 100644 +--- a/src/auth/mech-rpa.c ++++ b/src/auth/mech-rpa.c +@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data, + return 0; + + len = *p++; +- if (p + len > end) ++ if (p + len > end || len == 0) + return 0; + + *buffer = p_malloc(pool, len); diff --git a/main/jbig2dec/APKBUILD b/main/jbig2dec/APKBUILD index b4396b7869..670eff8d95 100644 --- a/main/jbig2dec/APKBUILD 
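Review bot: The added `length > data_size` test in `ntlmssp_check_buffer` bounds `length` on its own, so a `length` that fits in the message but begins at a late `offset` still passes it. Whether `offset + length` is bounded depends on the tests that follow `offset >= data_size`, which lie outside the hunk and should be confirmed. If those tests only cover `space`, a check placed after the offset test, `if (length > data_size - offset) { *error = "buffer length out of bounds"; return FALSE; }`, would close the gap without risking overflow in the sum.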
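Review bot: In `rpa_read_buffer` the changed condition still forms `p + len` before comparing it with `end`; when `len` exceeds the bytes left, that pointer lies beyond the buffer, which C leaves undefined. Comparing the length with the remaining space gives the same answer without the out-of-range pointer: `if (len == 0 || len > (size_t)(end - p)) return 0;`. This assumes `p <= end` holds at that point, as the earlier `return 0` suggests; the function starts outside the hunk.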
+++ b/main/jbig2dec/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=jbig2dec pkgver=0.15 -pkgrel=0 +pkgrel=1 pkgdesc="JBIG2 image compression format decoder" url="https://www.ghostscript.com/jbig2dec.html" arch="all" @@ -10,7 +10,13 @@ license="GPL-2.0-or-later" makedepends="autoconf automake libtool" checkdepends="python2" subpackages="$pkgname-dev $pkgname-doc" -source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/jbig2dec-0.15.tar.gz" +source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/jbig2dec-0.15.tar.gz + CVE-2020-12268.patch + " + +# secfixes: +# 0.15-r1: +# - CVE-2020-12268 builddir="$srcdir/$pkgname-$pkgver" @@ -44,4 +50,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="142acf0c47be094232ff21074414be5cf633a7008b2095d60b8878c4e125966f36632d8db191959ae1ac4b12b8fdc78139f67cd531717d203864b459d2570369 jbig2dec-0.15.tar.gz" +sha512sums="142acf0c47be094232ff21074414be5cf633a7008b2095d60b8878c4e125966f36632d8db191959ae1ac4b12b8fdc78139f67cd531717d203864b459d2570369 jbig2dec-0.15.tar.gz +e33c6a942af79dfb98c8160bccb0d7e6965d90b77f4e8e370787a9c0af0273001f02d5591b92d4285b901182ea335eb09854ce2fa995266837156b568747aa24 CVE-2020-12268.patch" diff --git a/main/jbig2dec/CVE-2020-12268.patch b/main/jbig2dec/CVE-2020-12268.patch new file mode 100644 index 0000000000..773515ae2d --- /dev/null +++ b/main/jbig2dec/CVE-2020-12268.patch 
@@ -0,0 +1,44 @@ +From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001 +From: Robin Watts <Robin.Watts@artifex.com> +Date: Mon, 27 Jan 2020 10:12:24 -0800 +Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in + jbig2_image_compose. + +With extreme values of x/y/w/h we can get overflow. Test for this +and exit safely. + +Thanks for OSS-Fuzz for reporting. +--- + jbig2_image.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/jbig2_image.c b/jbig2_image.c +index 22e21ef..100263d 100644 +--- a/jbig2_image.c ++++ b/jbig2_image.c +@@ -33,6 +33,9 @@ + #if !defined (INT32_MAX) + #define INT32_MAX 0x7fffffff + #endif ++#if !defined (UINT32_MAX) ++#define UINT32_MAX 0xffffffffu ++#endif + + /* allocate a Jbig2Image structure and its associated bitmap */ + Jbig2Image * +@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int + if (src == NULL) + return 0; + ++ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) || ++ (UINT32_MAX - src->height < (y > 0 ? y : -y))) ++ { ++#ifdef JBIG2_DEBUG ++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image"); ++#endif ++ return 0; ++ } ++ + /* The optimized code for the OR operator below doesn't + handle the source image partially placed outside the + destination (above and/or to the left). The affected diff --git a/main/mariadb-connector-c/APKBUILD b/main/mariadb-connector-c/APKBUILD index 0d01de5763..90e853563b 100644 --- a/main/mariadb-connector-c/APKBUILD +++ b/main/mariadb-connector-c/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mariadb-connector-c pkgver=3.0.8 -pkgrel=0 +pkgrel=1 pkgdesc="The MariaDB Native Client library (C driver)" url="https://mariadb.org/" arch="all" 
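Review bot: The new guard in `jbig2_image_compose` computes `-x` and `-y` on `int` arguments, which overflows for `INT_MIN`, one of the extreme values the check is meant to handle; the result is then compared with an unsigned expression after implicit conversion. Taking the magnitude in unsigned arithmetic avoids both problems: `(x > 0 ? (unsigned int)x : 0u - (unsigned int)x)`, and the same for `y`. The rejected case also returns 0 exactly like the `src == NULL` path and reports only under `JBIG2_DEBUG`, so a caller cannot tell that nothing was composed. The function body continues outside the hunk.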
@@ -10,12 +10,17 @@ depends_dev="openssl-dev zlib-dev" makedepends="$depends_dev cmake" replaces="mariadb-client-libs" subpackages="$pkgname-dev" -source="https://downloads.mariadb.org/interstitial/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz +source="https://downloads.mariadb.com/Connectors/c/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz cmake.patch fix-ucontext-header.patch + CVE-2020-13249.patch " builddir="$srcdir/mariadb-connector-c-$pkgver-src" +# secfixes: +# 3.0.8-r1: +# - CVE-2020-13249 + build() { cd "$builddir" if [ "$CBUILD" != "$CHOST" ]; then @@ -57,7 +62,7 @@ dev() { replaces="mariadb-dev" mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } - sha512sums="d9f970c7ac164ef7d8dd748bf2f749cc1f877a9c8f68a1d57e9ff62d95046bb9505619feca1f1d0d1cdefc1ac49489742aadf4ad9e47c8e6a9b8b40c56eed788 mariadb-connector-c-3.0.8-src.tar.gz 027a9d383ce27a527b77ac06b9505709cad8fe0173455863590f502996966300fedea87687630113d74e5b9be5349217b18206c2dbb89f7064129cb5417e44cf cmake.patch -ad52cccb5517d11838bf16aee5aff63d87075e9ef5787e726d8bfea2854d3e2b5fa7aa94c0e93b1f7e7e21f48d21b1b6fcdd161fadb9999dcc7a3a5b8e12d883 fix-ucontext-header.patch" +ad52cccb5517d11838bf16aee5aff63d87075e9ef5787e726d8bfea2854d3e2b5fa7aa94c0e93b1f7e7e21f48d21b1b6fcdd161fadb9999dcc7a3a5b8e12d883 fix-ucontext-header.patch +4370a517bc082e5aca8ebc0abf1ace7742af6cffc7f0c12b70705b31885a573192bbac473a9d0322582e64a75698db86bd36db23558dd1c1e1eaf693632a559f CVE-2020-13249.patch" diff --git a/main/mariadb-connector-c/CVE-2020-13249.patch b/main/mariadb-connector-c/CVE-2020-13249.patch new file mode 100644 index 0000000000..8f58063c4e --- /dev/null +++ b/main/mariadb-connector-c/CVE-2020-13249.patch 
@@ -0,0 +1,154 @@ +diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c +index 4c1108b..1f04c35 100644 +--- a/libmariadb/mariadb_lib.c ++++ b/libmariadb/mariadb_lib.c +@@ -76,6 +76,8 @@ + #define ASYNC_CONTEXT_DEFAULT_STACK_SIZE (4096*15) + #define MA_RPL_VERSION_HACK "5.5.5-" + ++#define CHARSET_NAME_LEN 64 ++ + #undef max_allowed_packet + #undef net_buffer_length + extern ulong max_allowed_packet; /* net.c */ +@@ -2029,6 +2031,7 @@ mysql_send_query(MYSQL* mysql, const char* query, unsigned long length) + + int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + { ++ uchar *end= mysql->net.read_pos+length; + size_t item_len; + mysql->affected_rows= net_field_length_ll(&pos); + mysql->insert_id= net_field_length_ll(&pos); +@@ -2036,10 +2039,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + pos+=2; + mysql->warning_count=uint2korr(pos); + pos+=2; +- if (pos < mysql->net.read_pos+length) ++ if (pos > end) ++ goto corrupted; ++ if (pos < end) + { + if ((item_len= net_field_length(&pos))) + mysql->info=(char*) pos; ++ if (pos + item_len > end) ++ goto corrupted; + + /* check if server supports session tracking */ + if (mysql->server_capabilities & CLIENT_SESSION_TRACKING) +@@ -2050,23 +2057,26 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (mysql->server_status & SERVER_SESSION_STATE_CHANGED) + { + int i; +- if (pos < mysql->net.read_pos + length) ++ if (pos < end) + { + LIST *session_item; + MYSQL_LEX_STRING *str= NULL; + enum enum_session_state_type si_type; + uchar *old_pos= pos; +- size_t item_len= net_field_length(&pos); /* length for all items */ ++ ++ item_len= net_field_length(&pos); /* length for all items */ ++ if (pos + item_len > end) ++ goto corrupted; ++ end= pos + item_len; + + /* length was already set, so make sure that info will be zero terminated */ + if (mysql->info) + *old_pos= 0; + +- while (item_len > 0) ++ while (pos < end) + { + size_t plen; + char *data; +- old_pos= pos; + si_type= 
(enum enum_session_state_type)net_field_length(&pos); + switch(si_type) { + case SESSION_TRACK_SCHEMA: +@@ -2076,15 +2086,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (si_type != SESSION_TRACK_STATE_CHANGE) + net_field_length(&pos); /* ignore total length, item length will follow next */ + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + if (!ma_multi_malloc(0, + &session_item, sizeof(LIST), + &str, sizeof(MYSQL_LEX_STRING), + &data, plen, + NULL)) +- { +- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); +- return -1; +- } ++ goto oom; + str->length= plen; + str->str= data; + memcpy(str->str, (char *)pos, plen); +@@ -2107,29 +2116,28 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (!strncmp(str->str, "character_set_client", str->length)) + set_charset= 1; + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + if (!ma_multi_malloc(0, + &session_item, sizeof(LIST), + &str, sizeof(MYSQL_LEX_STRING), + &data, plen, + NULL)) +- { +- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); +- return -1; +- } ++ goto oom; + str->length= plen; + str->str= data; + memcpy(str->str, (char *)pos, plen); + pos+= plen; + session_item->data= str; + mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item); +- if (set_charset && ++ if (set_charset && str->length < CHARSET_NAME_LEN && + strncmp(mysql->charset->csname, str->str, str->length) != 0) + { +- char cs_name[64]; +- MARIADB_CHARSET_INFO *cs_info; ++ char cs_name[CHARSET_NAME_LEN]; ++ const MARIADB_CHARSET_INFO *cs_info; + memcpy(cs_name, str->str, str->length); + cs_name[str->length]= 0; +- if ((cs_info = (MARIADB_CHARSET_INFO *)mysql_find_charset_name(cs_name))) ++ if ((cs_info = mysql_find_charset_name(cs_name))) + mysql->charset= cs_info; + } + } +@@ -2137,10 +2145,11 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + default: 
+ /* not supported yet */ + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + pos+= plen; + break; + } +- item_len-= (pos - old_pos); + } + } + for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++) +@@ -2155,6 +2164,16 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + else if (mysql->server_capabilities & CLIENT_SESSION_TRACKING) + ma_clear_session_state(mysql); + return(0); ++ ++oom: ++ ma_clear_session_state(mysql); ++ SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); ++ return -1; ++ ++corrupted: ++ ma_clear_session_state(mysql); ++ SET_CLIENT_ERROR(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0); ++ return -1; + } + + int mthd_my_read_query_result(MYSQL *mysql) diff --git a/main/nrpe/APKBUILD b/main/nrpe/APKBUILD index 44d2b163ab..c09b953a02 100644 --- a/main/nrpe/APKBUILD +++ b/main/nrpe/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Jeff Bilyk <jbilyk@gmail.com> pkgname=nrpe pkgver=3.2.1 -pkgrel=0 +pkgrel=2 pkgusers="nagios" pkggroups="nagios" pkgdesc="NRPE allows you to remotely execute Nagios plugins on other Linux/Unix machines." diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD index c6e075176b..eaa032f275 100644 --- a/main/openldap/APKBUILD +++ b/main/openldap/APKBUILD @@ -2,6 +2,10 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # # secfixes: +# 2.4.48-r2: +# - CVE-2020-25709 +# - CVE-2020-25710 +# - CVE-2020-25692 # 2.4.48-r1: # - CVE-2020-12243 # 2.4.48-r0: @@ -15,7 +19,7 @@ # pkgname=openldap pkgver=2.4.48 -pkgrel=1 +pkgrel=2 pkgdesc="LDAP Server" url="http://www.openldap.org/" arch="all" 
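Review bot: The bounds tests added to `ma_read_ok_packet` are written as `pos + item_len > end` and `pos + plen > end`, which add a length taken from the packet to a pointer before comparing. A large enough value makes that addition overflow (undefined in C, and on 32-bit builds it can wrap below `end`), so the test can pass for the input it is meant to reject; `net_field_length` may also have advanced `pos` past `end` while decoding the length. Comparing against the bytes remaining covers both: `if (pos > end || item_len > (size_t)(end - pos)) goto corrupted;`, and the same form for each of the three `plen` checks. Separately, `mysql->info` is assigned before the `item_len` check, so the `corrupted` path leaves it pointing at unvalidated data unless something not visible here resets it.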
@@ -38,11 +42,14 @@ source="https://www.openldap.org/software/download/OpenLDAP/$pkgname-release/$pk fix-manpages.patch configs.patch cacheflush.patch + CVE-2020-25709.patch + CVE-2020-25710.patch + CVE-2020-25692.patch + CVE-2020-12243.patch slapd.initd slapd.confd - CVE-2020-12243.patch::https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440.patch " builddir="$srcdir/$pkgname-$pkgver" 
@@ -229,6 +236,9 @@ sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be79
 8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch
 0d2e570ddcb7ace1221abad9fc1d3dd0d00d6948340df69879b449959a68feee6a0ad8e17ef9971b35986293e16fc9d8e88de81815fedd5ea6a952eb085406ca configs.patch
 60c1ec62003a33036de68402544e25a71715ed124a3139056a94ed1ba02fb8148ee510ab8f182a308105a2f744b9787e67112bcd8cd0d800cdb6f5409c4f63ff cacheflush.patch
+61d2d02b733011eefaac0681b7f6274e416dac4d420b354e37f51b07cc42dab61c798fbe5fab36f47079962046f309373b41886b4632e86dc08d5bfe59b275f7 CVE-2020-25709.patch
+abb7f43b6379fe6c03e583dc3a2c861c573ad6b83710954e35928e0449a1b78e259d8d5c6b7c33747b347ab67388d4894980a954d5ddb24b51a693b9c43798f2 CVE-2020-25710.patch
+023b32e1a8e61c96b77723dfe39d33de170af684e29defdb34c14719b77fa0e9a101f8aaafe378afb30bf5ca732cf7209ef291089d7524b2301a97c102f5f6e4 CVE-2020-25692.patch
+fddf5cf57c5b4b1d0e148ce850aafe5791dd7772727c824e858fe97e375871d2d3f622894d978444f7c5d8d64160c6fd766ae91de5eac3eb7f5292ceaaf599ea CVE-2020-12243.patch
 0c3606e4dad1b32f1c4b62f2bc1990a4c9f7ccd10c7b50e623309ba9df98064e68fc42a7242450f32fb6e5fa2203609d3d069871b5ae994cd4b227a078c93532 slapd.initd
-64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd
-d4d8bec1c23c73e7126462bfe2e51cb603d1e83be4c64698ac167f221d515554b3b0e311f9789450b5c4c206c09cbdad1842b0b5b2364919967195da4ea6d833 CVE-2020-12243.patch"
+64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd"
diff --git a/main/openldap/CVE-2020-12243.patch b/main/openldap/CVE-2020-12243.patch
new file mode 100644
index 0000000000..d8e10f5bc6
--- /dev/null
+++ b/main/openldap/CVE-2020-12243.patch
@@ -0,0 +1,125 @@ +From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Thu, 16 Apr 2020 01:08:19 +0100 +Subject: [PATCH] ITS#9202 limit depth of nested filters + +Using a hardcoded limit for now; no reasonable apps +should ever run into it. +--- + servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 32 insertions(+), 9 deletions(-) + +diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c +index 3252cf2a7..ed57bbd7b 100644 +--- a/servers/slapd/filter.c ++++ b/servers/slapd/filter.c +@@ -37,11 +37,16 @@ + const Filter *slap_filter_objectClass_pres; + const struct berval *slap_filterstr_objectClass_pres; + ++#ifndef SLAPD_MAX_FILTER_DEPTH ++#define SLAPD_MAX_FILTER_DEPTH 5000 ++#endif ++ + static int get_filter_list( + Operation *op, + BerElement *ber, + Filter **f, +- const char **text ); ++ const char **text, ++ int depth ); + + static int get_ssa( + Operation *op, +@@ -80,12 +85,13 @@ filter_destroy( void ) + return; + } + +-int +-get_filter( ++static int ++get_filter0( + Operation *op, + BerElement *ber, + Filter **filt, +- const char **text ) ++ const char **text, ++ int depth ) + { + ber_tag_t tag; + ber_len_t len; +@@ -126,6 +132,11 @@ get_filter( + * + */ + ++ if( depth > SLAPD_MAX_FILTER_DEPTH ) { ++ *text = "filter nested too deeply"; ++ return SLAPD_DISCONNECT; ++ } ++ + tag = ber_peek_tag( ber, &len ); + + if( tag == LBER_ERROR ) { +@@ -221,7 +232,7 @@ get_filter( + + case LDAP_FILTER_AND: + Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 ); +- err = get_filter_list( op, ber, &f.f_and, text ); ++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ -234,7 +245,7 @@ get_filter( + + case LDAP_FILTER_OR: + Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 ); +- err = get_filter_list( op, ber, &f.f_or, text ); ++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ 
-248,7 +259,7 @@ get_filter( + case LDAP_FILTER_NOT: + Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 ); + (void) ber_skip_tag( ber, &len ); +- err = get_filter( op, ber, &f.f_not, text ); ++ err = get_filter0( op, ber, &f.f_not, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ -311,10 +322,22 @@ get_filter( + return( err ); + } + ++int ++get_filter( ++ Operation *op, ++ BerElement *ber, ++ Filter **filt, ++ const char **text ) ++{ ++ return get_filter0( op, ber, filt, text, 0 ); ++} ++ ++ + static int + get_filter_list( Operation *op, BerElement *ber, + Filter **f, +- const char **text ) ++ const char **text, ++ int depth ) + { + Filter **new; + int err; +@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber, + tag != LBER_DEFAULT; + tag = ber_next_element( ber, &len, last ) ) + { +- err = get_filter( op, ber, new, text ); ++ err = get_filter0( op, ber, new, text, depth ); + if ( err != LDAP_SUCCESS ) + return( err ); + new = &(*new)->f_next; +-- +GitLab + diff --git a/main/openldap/CVE-2020-25692.patch b/main/openldap/CVE-2020-25692.patch new file mode 100644 index 0000000000..941a4f56be --- /dev/null +++ b/main/openldap/CVE-2020-25692.patch 
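Review bot: The `SLAPD_MAX_FILTER_DEPTH` define in filter.c carries no comment saying what it bounds or how 5000 was chosen. The limit caps recursion through `get_filter0`, and each AND/OR level also adds a `get_filter_list` frame, so the worst case must fit the stack of whichever thread parses the filter. That budget is not visible in this patch and should be checked for this platform's build. I would add above the define: `/* Max nesting of AND/OR/NOT in a search filter; each level recurses through get_filter0(), so keep this within the slapd thread stack budget. */`. Since the macro is guarded by `#ifndef`, the comment should also say that a build may override it.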
@@ -0,0 +1,27 @@ +From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 19 Oct 2020 14:03:41 +0100 +Subject: [PATCH] ITS#9370 check for equality rule on old_rdn + +Just skip normalization if there's no equality rule. We accept +DNs without equality rules already. +--- + servers/slapd/modrdn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c +index c73dd8dba..a22975540 100644 +--- a/servers/slapd/modrdn.c ++++ b/servers/slapd/modrdn.c +@@ -505,7 +505,7 @@ slap_modrdn2mods( + mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); + ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value ); + mod_tmp->sml_values[1].bv_val = NULL; +- if( desc->ad_type->sat_equality->smr_normalize) { ++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) { + mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); + (void) (*desc->ad_type->sat_equality->smr_normalize)( + SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, +-- +GitLab + diff --git a/main/openldap/CVE-2020-25709.patch b/main/openldap/CVE-2020-25709.patch new file mode 100644 index 0000000000..d38c9d241d --- /dev/null +++ b/main/openldap/CVE-2020-25709.patch 
@@ -0,0 +1,26 @@ +From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 2 Nov 2020 13:12:10 +0000 +Subject: [PATCH] ITS#9383 remove assert in certificateListValidate + +--- + servers/slapd/schema_init.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index ea0d67aa6..28f9e71a1 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in ) + /* Optional version */ + if ( tag == LBER_INTEGER ) { + tag = ber_get_int( ber, &version ); +- assert( tag == LBER_INTEGER ); +- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; ++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; + } + tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */ + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; +-- +GitLab + diff --git a/main/openldap/CVE-2020-25710.patch b/main/openldap/CVE-2020-25710.patch new file mode 100644 index 0000000000..9b9bae8b31 --- /dev/null +++ b/main/openldap/CVE-2020-25710.patch @@ -0,0 +1,27 @@ +From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 2 Nov 2020 16:01:14 +0000 +Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23() + +--- + servers/slapd/schema_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 5812bc4b6..ea0d67aa6 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -5327,8 +5327,8 @@ csnNormalize23( + } + *ptr = '\0'; + +- assert( ptr == &bv.bv_val[bv.bv_len] ); +- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) { ++ if ( ptr != &bv.bv_val[bv.bv_len] || ++ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + +-- +GitLab + 
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD index da65eef6bb..d7f05247b8 100644 --- a/main/pcre/APKBUILD +++ b/main/pcre/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=pcre pkgver=8.42 -pkgrel=1 +pkgrel=2 pkgdesc="Perl-compatible regular expression library" url="http://pcre.sourceforge.net" arch="all" @@ -12,9 +12,13 @@ makedepends="" checkdepends="paxmark" subpackages="$pkgname-dev $pkgname-doc $pkgname-tools libpcrecpp libpcre16 libpcre32" -source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2 +source="https://ftp.pcre.org/pub/pcre/pcre-$pkgver.tar.bz2 + CVE-2020-14155.patch " + # secfixes: +# 8.42-r2: +# - CVE-2020-14155 # 8.40-r2: # - CVE-2017-7186 # 7.8-r0: @@ -94,4 +98,5 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="b47b923108f6ee0c31409b79d0888314271b482a22590e164d02f21d2112fba22dd0342c24f9ba0f5fcc5b8c65550bad08c476e30a2fc79b34ecf4601ed82f3d pcre-8.42.tar.bz2" +sha512sums="b47b923108f6ee0c31409b79d0888314271b482a22590e164d02f21d2112fba22dd0342c24f9ba0f5fcc5b8c65550bad08c476e30a2fc79b34ecf4601ed82f3d pcre-8.42.tar.bz2 +23baa5fbaff7b52e861a539a83ad4406937d7a8a85d2a4e2419d0bea99204659e350caab68091d6354842297df2bb3097204bc63c4e1d3d9d1b94427efc46748 CVE-2020-14155.patch" diff --git a/main/pcre/CVE-2020-14155.patch b/main/pcre/CVE-2020-14155.patch new file mode 100644 index 0000000000..3bfa119f3b --- /dev/null +++ b/main/pcre/CVE-2020-14155.patch 
@@ -0,0 +1,31 @@ +pcre: Fix int overflow when parsing "?C<arg>" callout args. + +Numerical args must be 0-255, so this shouldn't break correct usage. + +--- a/pcre_compile.c 2020/02/10 17:01:27 1760 ++++ b/pcre_compile.c 2020/02/10 17:17:34 1761 +@@ -7130,17 +7130,19 @@ + int n = 0; + ptr++; + while(IS_DIGIT(*ptr)) ++ { + n = n * 10 + *ptr++ - CHAR_0; ++ if (n > 255) ++ { ++ *errorcodeptr = ERR38; ++ goto FAILED; ++ } ++ } + if (*ptr != CHAR_RIGHT_PARENTHESIS) + { + *errorcodeptr = ERR39; + goto FAILED; + } +- if (n > 255) +- { +- *errorcodeptr = ERR38; +- goto FAILED; +- } + *code++ = n; + PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */ + PUT(code, LINK_SIZE, 0); /* Default length */ diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD index 435c0428f4..6179607fc1 100644 --- a/main/postgresql/APKBUILD +++ b/main/postgresql/APKBUILD @@ -2,7 +2,7 @@ # Contributor: G.J.R. Timmer <gjr.timmer@gmail.com> # Contributor: Jakub Jirutka <jakub@jirutka.cz> pkgname=postgresql -pkgver=11.9 +pkgver=11.10 pkgrel=0 pkgdesc="A sophisticated object-relational DBMS" url="https://www.postgresql.org/" @@ -36,6 +36,10 @@ builddir="$srcdir/$pkgname-$pkgver" options="!checkroot" # secfixes: +# 11.10-r0: +# - CVE-2020-25694 +# - CVE-2020-25695 +# - CVE-2020-25696 # 11.9-r0: # - CVE-2020-14349 # - CVE-2020-14350 
@@ -312,7 +316,7 @@ _submv() { done } -sha512sums="2c5c2f51aa01f02af4aa0849441767383e30fef69dd52efa442892f39d2456bfa8bf01f633a265e00eca0745e792609d2c1d33f77d8f29a02f5f374c84f2bf6e postgresql-11.9.tar.bz2 +sha512sums="0cc0e9b0f76e00727dc699ea59a45d760d37d91ec736a62cbc9bda3e38eb1ef1565e4e399dd3ae96bad87f866e56e364f916de7740d8be6e1cfc2bf654dfbb68 postgresql-11.10.tar.bz2 1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch 5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch 8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD index b5168c142b..479ba87cf7 100644 --- a/main/py-django/APKBUILD +++ b/main/py-django/APKBUILD @@ -3,7 +3,7 @@ pkgname=py-django _pkgname=Django pkgver=1.11.29 -pkgrel=0 +pkgrel=1 pkgdesc="A high-level Python Web framework" url="http://djangoproject.com/" arch="noarch" @@ -12,10 +12,16 @@ depends="py-tz" makedepends="python2-dev python3-dev py-setuptools" options="!check" # some depends missing, others in community/testing subpackages="py2-${pkgname#py-}:_py2 py3-${pkgname#py-}:_py3" -source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz" +source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz + CVE-2020-24583.patch + CVE-2020-24584.patch + " builddir="$srcdir"/$_pkgname-$pkgver # secfixes: +# 1.11.29-r1: +# - CVE-2020-24583 +# - CVE-2020-24584 # 1.11.29-r0: # - CVE-2020-9402 # 1.11.28-r0: 
@@ -99,4 +105,6 @@ _py() { done } -sha512sums="dc8d1c5c09f998bf7015967961247e56a9c1dd55701534c6bce6dac2270a5531e1162d9bcbf5ec5f4d411d2d0dc820c82fd9b69628c5ff944bb9f1a22290a562 Django-1.11.29.tar.gz" +sha512sums="dc8d1c5c09f998bf7015967961247e56a9c1dd55701534c6bce6dac2270a5531e1162d9bcbf5ec5f4d411d2d0dc820c82fd9b69628c5ff944bb9f1a22290a562 Django-1.11.29.tar.gz +e4eda8069558471268f2e8a705877b3f682adac80221ade5ba742476f897eb3a13d82af7367083b707186e4a49de4f7a6beaadc05274d10b9c88cb2f169ff1a9 CVE-2020-24583.patch +4fde0868b63a739c28e066665e098bb7a667fe81311a839ff7d1dfff13cb67751271be6e88b4f245aa3ebcbd2bb856730418f3006f7820405cd54bf951e98faf CVE-2020-24584.patch" diff --git a/main/py-django/CVE-2020-24583.patch b/main/py-django/CVE-2020-24583.patch new file mode 100644 index 0000000000..b21c6b8ead --- /dev/null +++ b/main/py-django/CVE-2020-24583.patch @@ -0,0 +1,29 @@ +From bbf6bd8a50a02d5015a2b0043abfbf2b4e6acce6 Mon Sep 17 00:00:00 2001 +From: Leo <thinkabit.ukim@gmail.com> +Date: Fri, 11 Dec 2020 02:07:01 -0300 +Subject: [PATCH 1/2] CVE-2020-24583 + +--- + django/core/files/storage.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/django/core/files/storage.py b/django/core/files/storage.py +index 98c89dd..9643198 100644 +--- a/django/core/files/storage.py ++++ b/django/core/files/storage.py +@@ -310,9 +310,9 @@ class FileSystemStorage(Storage): + if not os.path.exists(directory): + try: + if self.directory_permissions_mode is not None: +- # os.makedirs applies the global umask, so we reset it, +- # for consistency with file_permissions_mode behavior. +- old_umask = os.umask(0) ++ # Set the umask because os.makedirs() doesn't apply the "mode" ++ # argument to intermediate-level directories. ++ old_umask = os.umask(0o777 & ~self.directory_permissions_mode) + try: + os.makedirs(directory, self.directory_permissions_mode) + finally: +-- +2.29.2 + 
diff --git a/main/py-django/CVE-2020-24584.patch b/main/py-django/CVE-2020-24584.patch new file mode 100644 index 0000000000..fa4dc132a5 --- /dev/null +++ b/main/py-django/CVE-2020-24584.patch @@ -0,0 +1,30 @@ +From 13e83e6f60d9ed91316c975425bc4b89c130ec9c Mon Sep 17 00:00:00 2001 +From: Leo <thinkabit.ukim@gmail.com> +Date: Fri, 11 Dec 2020 02:08:48 -0300 +Subject: [PATCH 2/2] CVE-2020-24584 + +--- + django/core/cache/backends/filebased.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/django/core/cache/backends/filebased.py b/django/core/cache/backends/filebased.py +index 7c2c5c7..88cebef 100644 +--- a/django/core/cache/backends/filebased.py ++++ b/django/core/cache/backends/filebased.py +@@ -102,8 +102,13 @@ class FileBasedCache(BaseCache): + + def _createdir(self): + if not os.path.exists(self._dir): ++ # Set the umask because os.makedirs() doesn't apply the "mode" argument ++ # to intermediate-level directories. ++ old_umask = os.umask(0o077) + try: + os.makedirs(self._dir, 0o700) ++ finally: ++ os.umask(old_umask) + except OSError as e: + if e.errno != errno.EEXIST: + raise EnvironmentError( +-- +2.29.2 + diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD index da95d86142..c6e0ec7acc 100644 --- a/main/squid/APKBUILD +++ b/main/squid/APKBUILD @@ -33,6 +33,10 @@ options="!check" # does not work. Error message is about "applet not found", so # - CVE-2020-15810 # - CVE-2020-15811 # - CVE-2020-24606 +# 4.11-r0: +# - CVE-2019-12519 +# - CVE-2019-12521 +# - CVE-2020-11945 # 4.10-r0: # - CVE-2019-12528 # - CVE-2020-8449 |
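Review bot: In the `_createdir` hunk of CVE-2020-24584.patch the added `finally:` clause sits between the `try:` body and the existing `except OSError as e:` handler, and only one `try:` is visible. As far as this whitespace-collapsed hunk shows, the patched filebased.py therefore reads `try … finally … except`, which Python rejects as a syntax error. Moving the two added lines `finally:` and `os.umask(old_umask)` to after the `except OSError` block (which continues past the hunk) keeps the umask restore and leaves the module importable. The py-django APKBUILD sets `options="!check"`, so the build is unlikely to catch this; compiling the patched file once before release would confirm it.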