Diffstat (limited to 'main')
-rw-r--r--main/alpine-base/APKBUILD2
-rw-r--r--main/ansible/APKBUILD10
-rw-r--r--main/apache2/APKBUILD17
-rw-r--r--main/apk-tools/0001-add-fix-virtual-package-id-generation.patch109
-rw-r--r--main/apk-tools/APKBUILD34
-rw-r--r--main/apk-tools/lua-apk_time.patch20
-rw-r--r--main/apk-tools/tar-parser-overflow.patch65
-rw-r--r--main/avahi/APKBUILD2
-rw-r--r--main/awstats/APKBUILD12
-rw-r--r--main/awstats/CVE-2020-35176.patch30
-rw-r--r--main/bind/APKBUILD70
-rw-r--r--main/bind/CVE-2020-8621.patch20
-rw-r--r--main/bind/CVE-2020-8622.patch42
-rw-r--r--main/bind/CVE-2020-8624.patch14
-rw-r--r--main/binutils/APKBUILD18
-rw-r--r--main/binutils/CVE-2021-3487.patch72
-rw-r--r--main/bluez/APKBUILD8
-rw-r--r--main/bluez/CVE-2020-27153.patch95
-rw-r--r--main/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch54
-rw-r--r--main/busybox/APKBUILD7
-rw-r--r--main/cairo/85.patch172
-rw-r--r--main/cairo/APKBUILD8
-rw-r--r--main/cifs-utils/APKBUILD14
-rw-r--r--main/collectd/APKBUILD2
-rw-r--r--main/cups/APKBUILD11
-rw-r--r--main/cups/CVE-2019-8842.patch13
-rw-r--r--main/cups/CVE-2020-3898.patch14
-rw-r--r--main/curl/APKBUILD38
-rw-r--r--main/curl/CVE-2020-8231.patch123
-rw-r--r--main/curl/CVE-2020-8285.patch236
-rw-r--r--main/curl/CVE-2020-8286.patch110
-rw-r--r--main/curl/CVE-2021-22898.patch25
-rw-r--r--main/cyrus-sasl/APKBUILD2
-rw-r--r--main/dahdi-linux-vanilla/APKBUILD2
-rw-r--r--main/devicemaster-linux-vanilla/APKBUILD2
-rw-r--r--main/dnsmasq/APKBUILD28
-rw-r--r--main/dnsmasq/CVE-2019-14834.patch46
-rw-r--r--main/dovecot/0001-lib-time-util-Fix-calculations-to-work-on-32-bit-sys.patch49
-rw-r--r--main/dovecot/APKBUILD32
-rw-r--r--main/dovecot/fix-oauth2-jwt.c.patch55
-rw-r--r--main/dovecot/fix-out-of-memory-test.patch22
-rw-r--r--main/drbd-vanilla/APKBUILD12
-rw-r--r--main/drbd-vanilla/build-fix-32bit.patch15
-rw-r--r--main/dropbear/APKBUILD1
-rw-r--r--main/git/APKBUILD9
-rw-r--r--main/gnutls/APKBUILD11
-rw-r--r--main/gnutls/CVE-2021-20231.patch62
-rw-r--r--main/gnutls/CVE-2021-20232.patch60
-rw-r--r--main/haproxy/APKBUILD4
-rw-r--r--main/haserl/APKBUILD12
-rw-r--r--main/jansson/APKBUILD4
-rw-r--r--main/jbig2dec/APKBUILD13
-rw-r--r--main/jbig2dec/CVE-2020-12268.patch44
-rw-r--r--main/krb5/APKBUILD9
-rw-r--r--main/libbsd/APKBUILD11
-rw-r--r--main/libbsd/CVE-2019-20367.patch42
-rw-r--r--main/libmaxminddb/APKBUILD9
-rw-r--r--main/libmaxminddb/CVE-2020-28241.patch119
-rw-r--r--main/libssh2/APKBUILD2
-rw-r--r--main/libx11/APKBUILD14
-rw-r--r--main/libx11/CVE-2021-31535.patch315
-rw-r--r--main/libxml2/APKBUILD18
-rw-r--r--main/libxml2/CVE-2021-3517.patch49
-rw-r--r--main/libxml2/CVE-2021-3518.patch15
-rw-r--r--main/libxml2/CVE-2021-3537.patch44
-rw-r--r--main/linux-vanilla/0001-arm64-Avoid-redundant-type-conversions-in-xchg-and-c.patch355
-rw-r--r--main/linux-vanilla/0002-arm64-Use-correct-ll-sc-atomic-constraints.patch252
-rw-r--r--main/linux-vanilla/APKBUILD13
-rw-r--r--main/linux-vanilla/config-vanilla.aarch649
-rw-r--r--main/linux-vanilla/config-virt.aarch644
-rw-r--r--main/mariadb-connector-c/APKBUILD13
-rw-r--r--main/mariadb-connector-c/CVE-2020-13249.patch154
-rw-r--r--main/mariadb/APKBUILD21
-rw-r--r--main/mariadb/disable-failing-test.patch19
-rw-r--r--main/mariadb/fix-c11-atomics-check.patch67
-rw-r--r--main/mbedtls/APKBUILD4
-rw-r--r--main/mrxvt/APKBUILD22
-rw-r--r--main/mrxvt/CVE-2021-33477.patch41
-rw-r--r--main/musl/APKBUILD10
-rw-r--r--main/musl/wcsnrtombs-cve-2020-28928.diff65
-rw-r--r--main/nginx/APKBUILD6
-rw-r--r--main/nginx/CVE-2021-23017.patch25
-rw-r--r--main/nodejs/APKBUILD16
-rw-r--r--main/nodejs/dont-run-gyp-files-for-bundled-deps.patch2
-rw-r--r--main/nrpe/APKBUILD2
-rw-r--r--main/openjpeg/APKBUILD24
-rw-r--r--main/openjpeg/CVE-2019-12973.patch152
-rw-r--r--main/openjpeg/CVE-2020-15389.patch39
-rw-r--r--main/openjpeg/CVE-2020-6851.patch29
-rw-r--r--main/openjpeg/CVE-2020-8112.patch43
-rw-r--r--main/openldap/APKBUILD18
-rw-r--r--main/openldap/CVE-2020-12243.patch125
-rw-r--r--main/openldap/CVE-2020-25692.patch27
-rw-r--r--main/openldap/CVE-2020-25709.patch26
-rw-r--r--main/openldap/CVE-2020-25710.patch27
-rw-r--r--main/openrc/APKBUILD16
-rw-r--r--main/openrc/CVE-2018-21269.patch244
-rw-r--r--main/openssl/APKBUILD13
-rw-r--r--main/openvpn/APKBUILD17
-rw-r--r--main/p11-kit/APKBUILD15
-rw-r--r--main/p11-kit/backport-CVE-2020-29361-2-3.patch226
-rw-r--r--main/pcre/APKBUILD11
-rw-r--r--main/pcre/CVE-2020-14155.patch31
-rw-r--r--main/postgresql/APKBUILD14
-rw-r--r--main/py-django/APKBUILD14
-rw-r--r--main/py-django/CVE-2020-24583.patch29
-rw-r--r--main/py-django/CVE-2020-24584.patch30
-rw-r--r--main/python3/APKBUILD13
-rw-r--r--main/python3/CVE-2020-14422.patch74
-rw-r--r--main/razor/APKBUILD25
-rw-r--r--main/razor/fix-cosmetic-pv.patch24
-rw-r--r--main/razor/fix-manpage-quoting.patch17
-rw-r--r--main/redis/APKBUILD14
-rw-r--r--main/redis/makefile-dont-duplicate-binary.patch2
-rw-r--r--main/redis/musl-zmalloc.patch23
-rw-r--r--main/ruby/APKBUILD11
-rw-r--r--main/rxvt-unicode/APKBUILD18
-rw-r--r--main/rxvt-unicode/CVE-2021-33477.patch20
-rw-r--r--main/screen/APKBUILD5
-rw-r--r--main/screen/CVE-2021-26937.patch59
-rw-r--r--main/spamassassin/APKBUILD10
-rw-r--r--main/spice/APKBUILD13
-rw-r--r--main/spice/CVE-2021-20201.patch36
-rw-r--r--main/squid/APKBUILD23
-rw-r--r--main/subversion/APKBUILD9
-rw-r--r--main/subversion/CVE-2020-17525.patch15
-rw-r--r--main/sudo/APKBUILD28
-rw-r--r--main/sudo/SIGUNUSED.patch19
-rw-r--r--main/tar/APKBUILD11
-rw-r--r--main/tar/CVE-2021-20193.patch127
-rw-r--r--main/tcpdump/APKBUILD65
-rw-r--r--main/tcpdump/CVE-2020-8037.patch63
-rw-r--r--main/tiny-ec2-bootstrap/APKBUILD4
-rw-r--r--main/tmux/APKBUILD12
-rw-r--r--main/tmux/CVE-2020-27347.patch30
-rw-r--r--main/tzdata/APKBUILD16
-rw-r--r--main/vim/APKBUILD2
-rw-r--r--main/wpa_supplicant/APKBUILD10
-rw-r--r--main/wpa_supplicant/CVE-2021-0326.patch37
-rw-r--r--main/wpa_supplicant/CVE-2021-27803.patch50
-rw-r--r--main/xen/APKBUILD129
-rw-r--r--main/xen/musl-hvmloader-fix-stdint.patch14
-rw-r--r--main/xen/xsa317.patch50
-rw-r--r--main/xen/xsa319.patch27
-rw-r--r--main/xen/xsa320-4.12-1.patch133
-rw-r--r--main/xen/xsa320-4.12-2.patch179
-rw-r--r--main/xen/xsa320-4.12-3.patch57
-rw-r--r--main/xen/xsa321-4.12-1.patch31
-rw-r--r--main/xen/xsa321-4.12-2.patch175
-rw-r--r--main/xen/xsa321-4.12-3.patch82
-rw-r--r--main/xen/xsa321-4.12-4.patch36
-rw-r--r--main/xen/xsa321-4.12-5.patch24
-rw-r--r--main/xen/xsa321-4.12-6.patch91
-rw-r--r--main/xen/xsa321-4.12-7.patch151
-rw-r--r--main/xen/xsa327.patch63
-rw-r--r--main/xen/xsa328-4.12-1.patch118
-rw-r--r--main/xen/xsa328-4.12-2.patch48
-rw-r--r--main/xen/xsa333.patch39
-rw-r--r--main/xen/xsa334-4.12.patch57
-rw-r--r--main/xen/xsa335-qemu.patch84
-rw-r--r--main/xen/xsa336.patch283
-rw-r--r--main/xen/xsa337-4.12-1.patch92
-rw-r--r--main/xen/xsa337-4.12-2.patch182
-rw-r--r--main/xen/xsa338.patch42
-rw-r--r--main/xen/xsa339.patch76
-rw-r--r--main/xen/xsa340.patch65
-rw-r--r--main/xen/xsa342-4.13.patch145
-rw-r--r--main/xen/xsa343-4.12-1.patch190
-rw-r--r--main/xen/xsa343-4.12-2.patch290
-rw-r--r--main/xen/xsa343-4.12-3.patch381
-rw-r--r--main/xen/xsa344-4.12-1.patch132
-rw-r--r--main/xen/xsa344-4.12-2.patch203
-rw-r--r--main/xen/xsa351-x86-4.12-1.patch155
-rw-r--r--main/xen/xsa351-x86-4.12-2.patch124
-rw-r--r--main/xen/xsa355.patch23
-rw-r--r--main/xorg-server/APKBUILD8
-rw-r--r--main/xtables-addons-vanilla/APKBUILD11
-rw-r--r--main/xtables-addons-vanilla/ip_route_me_harder.patch48
-rw-r--r--main/zfs-vanilla/APKBUILD2
179 files changed, 5246 insertions, 4548 deletions
diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD
index f020e70f716..b4caf90b765 100644
--- a/main/alpine-base/APKBUILD
+++ b/main/alpine-base/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-base
-pkgver=3.10.5
+pkgver=3.10.9
pkgrel=0
pkgdesc="Meta package for minimal alpine base"
url="https://alpinelinux.org"
diff --git a/main/ansible/APKBUILD b/main/ansible/APKBUILD
index 1d0b7841599..e053a35fd63 100644
--- a/main/ansible/APKBUILD
+++ b/main/ansible/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Takuya Noguchi <takninnovationresearch@gmail.com>
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=ansible
-pkgver=2.8.16
+pkgver=2.8.19
pkgrel=0
pkgdesc="A configuration-management, deployment, task-execution, and multinode orchestration framework"
url="https://ansible.com/"
@@ -17,6 +17,8 @@ source="https://releases.ansible.com/ansible/ansible-$pkgver.tar.gz
"
# secfixes:
+# 2.8.19-r0:
+# - CVE-2021-20191
# 2.8.15-r0:
# - CVE-2020-14330
# - CVE-2020-14332
@@ -67,5 +69,7 @@ package() {
install -m644 README.rst "$pkgdir"/usr/share/doc/$pkgname
}
-sha512sums="88c1b9c136846add896e9fb0b2cacc270d4025efa63bea3f020180e2f9c89de0b671a60aa9f05fad2aed9cd289586773dbe3acb964f1b6207075cbf36698ce46 ansible-2.8.16.tar.gz
-f44f1492495abe092cd9f91669ccfee65748f43663571361de97c3b1c5c1219d355aa7236179decb73446376018fa81aace7eaeb8c10a83d3cf4e006508533dd add-lxc-container_shell-option.patch"
+sha512sums="
+05ddd69d9eb278652b561ab9bfcfa4cb478b5c458a2c6825d76b3039dbf24132d554adba2871e1eaea98e6f9c1c56433522340f043a034419eca5a819d086c6f ansible-2.8.19.tar.gz
+f44f1492495abe092cd9f91669ccfee65748f43663571361de97c3b1c5c1219d355aa7236179decb73446376018fa81aace7eaeb8c10a83d3cf4e006508533dd add-lxc-container_shell-option.patch
+"
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index 259166b50e1..31393206b38 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.46
+pkgver=2.4.48
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
@@ -51,6 +51,15 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.48-r0:
+# - CVE-2019-17657
+# - CVE-2020-13938
+# - CVE-2020-13950
+# - CVE-2020-35452
+# - CVE-2021-26690
+# - CVE-2021-26691
+# - CVE-2021-30641
+# - CVE-2021-31618
# 2.4.46-r0:
# - CVE-2020-9490
# - CVE-2020-11984
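Review bot: `CVE-2019-17657` in the new `2.4.48-r0` secfixes block looks mistyped and should be checked digit by digit against upstream's security advisory list for httpd 2.4.48 before this lands. secfixes comments are read by tooling to build the per-package vulnerability data, so a wrong ID would leave the real CVE reported as unfixed and mark an unrelated one as fixed. Only the comment line needs correcting; the other seven IDs in the block should be confirmed in the same pass.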
@@ -351,7 +360,8 @@ _lua() {
"$subpkgdir"/usr/lib/apache2/
_load_mods
}
-sha512sums="5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2
+sha512sums="
+6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724 httpd-2.4.48.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
@@ -369,4 +379,5 @@ a3936713f8ffcbf2bb633035873249b94fa8ace9fdb758405264f075f755fbcfec4d08794f79e469
eb09b3bcbab70f6a48d5efe8fc4bd62cc2b3f46def97c09d8454b846a065c02d18bd846313c421897c8d13be728e4b2ca790e2a5c5c6add3821d9e572bacfab2 0011-httpd.conf-IncludeOptional.patch
695742f569720d7bad9306acc40456de3a12ff2ff3a108499afc3fed2e8b13883027c6e14a3fac3efe387a70386b958605b5bbfd0147ec06bb87fad30f3b66fa 0012-httpd.conf-MIMEMagicFile.patch
efbba3c3475bebe5c63ce8d6eaf153cf2c46188e282a65830571c8b7dbc1e657ab9ce160dc82e331097ac483fe632f5201fde6f3f5de32fe5c52dcc7dee66216 0013-httpd-.conf-IfModule.patch
-56e7bb9743d153416b15c32bb5435e4cf85d84204a02f28767c8dcba08eec1ac302521d57ce74154d3e9f7a3644ab3f8a9318150e21f8559eb67e387087a0821 0014-httpd-.conf-LoadModule.patch"
+56e7bb9743d153416b15c32bb5435e4cf85d84204a02f28767c8dcba08eec1ac302521d57ce74154d3e9f7a3644ab3f8a9318150e21f8559eb67e387087a0821 0014-httpd-.conf-LoadModule.patch
+"
diff --git a/main/apk-tools/0001-add-fix-virtual-package-id-generation.patch b/main/apk-tools/0001-add-fix-virtual-package-id-generation.patch
deleted file mode 100644
index fdc780dcd21..00000000000
--- a/main/apk-tools/0001-add-fix-virtual-package-id-generation.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From b45415b1096e76f40b32326d2798123f81fe5976 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Tue, 2 Jul 2019 15:27:57 +0300
-Subject: [PATCH] add: fix virtual package id generation
-
-Fixes 37fbafcd by adding more input to the hash than just second
-grained time stamp - collisions would happen when running apk
-scripted.
-
-For virtual package the hash works only as unique identifier, so
-try to add elements that should make it unique in most cases.
-
-Fixes #10648
----
- src/add.c | 51 +++++++++++++++++++++++++++++++++++----------------
- 1 file changed, 35 insertions(+), 16 deletions(-)
-
-diff --git a/src/add.c b/src/add.c
-index 2d342ab..e028736 100644
---- a/src/add.c
-+++ b/src/add.c
-@@ -11,6 +11,7 @@
-
- #include <errno.h>
- #include <stdio.h>
-+#include <unistd.h>
- #include "apk_applet.h"
- #include "apk_database.h"
- #include "apk_print.h"
-@@ -80,6 +81,38 @@ static int non_repository_check(struct apk_database *db)
- return 1;
- }
-
-+static struct apk_package *create_virtual_package(struct apk_database *db, struct apk_name *name)
-+{
-+ char ver[32];
-+ struct apk_package *virtpkg;
-+ struct tm tm;
-+ EVP_MD_CTX *mdctx;
-+ time_t now = apk_time();
-+ pid_t pid = getpid();
-+
-+ localtime_r(&now, &tm);
-+ strftime(ver, sizeof ver, "%Y%m%d.%H%M%S", &tm);
-+
-+ virtpkg = apk_pkg_new();
-+ if (virtpkg == NULL) return 0;
-+
-+ virtpkg->name = name;
-+ virtpkg->version = apk_blob_atomize(APK_BLOB_STR(ver));
-+ virtpkg->description = strdup("virtual meta package");
-+ virtpkg->arch = apk_blob_atomize(APK_BLOB_STR("noarch"));
-+
-+ mdctx = EVP_MD_CTX_new();
-+ EVP_DigestInit_ex(mdctx, apk_checksum_default(), NULL);
-+ EVP_DigestUpdate(mdctx, &tm, sizeof tm);
-+ EVP_DigestUpdate(mdctx, &pid, sizeof pid);
-+ EVP_DigestUpdate(mdctx, virtpkg->name->name, strlen(virtpkg->name->name) + 1);
-+ virtpkg->csum.type = EVP_MD_CTX_size(mdctx);
-+ EVP_DigestFinal_ex(mdctx, virtpkg->csum.data, NULL);
-+ EVP_MD_CTX_free(mdctx);
-+
-+ return virtpkg;
-+}
-+
- static int add_main(void *ctx, struct apk_database *db, struct apk_string_array *args)
- {
- struct add_ctx *actx = (struct add_ctx *) ctx;
-@@ -93,10 +126,6 @@ static int add_main(void *ctx, struct apk_database *db, struct apk_string_array
-
- if (actx->virtpkg) {
- apk_blob_t b = APK_BLOB_STR(actx->virtpkg);
-- struct tm tm;
-- time_t now;
-- char ver[32];
--
- apk_blob_pull_dep(&b, db, &virtdep);
- if (APK_BLOB_IS_NULL(b) || virtdep.conflict ||
- virtdep.result_mask != APK_DEPMASK_ANY ||
-@@ -104,24 +133,14 @@ static int add_main(void *ctx, struct apk_database *db, struct apk_string_array
- apk_error("%s: bad package specifier");
- return -1;
- }
--
- if (virtdep.name->name[0] != '.' && non_repository_check(db))
- return -1;
-
-- now = apk_time();
-- localtime_r(&now, &tm);
-- strftime(ver, sizeof ver, "%Y%m%d.%H%M%S", &tm);
--
-- virtpkg = apk_pkg_new();
-- if (virtpkg == NULL) {
-+ virtpkg = create_virtual_package(db, virtdep.name);
-+ if (!virtpkg) {
- apk_error("Failed to allocate virtual meta package");
- return -1;
- }
-- virtpkg->name = virtdep.name;
-- apk_blob_checksum(APK_BLOB_STR(ver), apk_checksum_default(), &virtpkg->csum);
-- virtpkg->version = apk_blob_atomize(APK_BLOB_STR(ver));
-- virtpkg->description = strdup("virtual meta package");
-- virtpkg->arch = apk_blob_atomize(APK_BLOB_STR("noarch"));
-
- virtdep.result_mask = APK_VERSION_EQUAL;
- virtdep.version = virtpkg->version;
---
-2.22.0
-
diff --git a/main/apk-tools/APKBUILD b/main/apk-tools/APKBUILD
index 3e7d5556d6f..cbd75fae006 100644
--- a/main/apk-tools/APKBUILD
+++ b/main/apk-tools/APKBUILD
@@ -1,8 +1,11 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=apk-tools
-pkgver=2.10.4
-pkgrel=2
+pkgver=2.10.8
+pkgrel=0
pkgdesc="Alpine Package Keeper - package manager for alpine"
+arch="all"
+url="https://gitlab.alpinelinux.org/alpine/apk-tools"
+license=GPL2
subpackages="$pkgname-static"
depends=
makedepends_build="openssl"
@@ -12,16 +15,18 @@ if [ "$CBUILD" = "$CHOST" ]; then
subpackages="$subpackages lua5.2-apk:luaapk"
makedepends="$makedepends lua5.2-dev"
fi
-source="https://dev.alpinelinux.org/archive/$pkgname/$pkgname-$pkgver.tar.xz
- 0001-add-fix-virtual-package-id-generation.patch
- lua-apk_time.patch
- "
+source="https://gitlab.alpinelinux.org/alpine/$pkgname/-/archive/v$pkgver/$pkgname-v$pkgver.tar.gz"
+builddir="$srcdir/$pkgname-v$pkgver"
-url="https://git.alpinelinux.org/cgit/apk-tools/"
-arch="all"
-license=GPL2
+# secfixes:
+# 2.10.7-r0:
+# - CVE-2021-36159
+# 2.10.6-r0:
+# - CVE-2021-30139
+# 2.7.2-r0:
+# - CVE-2017-9669
+# - CVE-2017-9671
-builddir="$srcdir/$pkgname-$pkgver"
prepare() {
default_prepare || return 1
cd "$builddir"
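Review bot: `source=` now lists only the release tarball, yet the same change adds `main/apk-tools/tar-parser-overflow.patch` as a new file, so that patch is never fetched, checksummed or applied. The new `2.10.6-r0` / `2.10.7-r0` secfixes entries suggest the fixes ship in the 2.10.8 tarball itself; if so, the file should be deleted rather than left in the tree, where it reads like an active mitigation. `main/bind/CVE-2020-8621.patch`, `CVE-2020-8622.patch` and `CVE-2020-8624.patch` appear to be in the same state, since the visible bind APKBUILD hunks add no `source=` or `sha512sums` lines for them. Any of these that is still needed must be added to both lists; otherwise drop it.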
@@ -33,6 +38,7 @@ prepare() {
echo "LUAAPK=" >> config.mk
fi
echo "export LUAAPK" >> config.mk
+ echo "export LUA_VERSION=5.2" >> config.mk
}
build() {
@@ -60,7 +66,7 @@ package() {
static() {
pkgdesc="Alpine Package Keeper - static binary"
- install -Dm755 "$srcdir"/$pkgname-$pkgver/src/apk.static \
+ install -Dm755 "$builddir"/src/apk.static \
"$subpkgdir"/sbin/apk.static
# lets sign the static binary so it can be vefified from distros
@@ -84,6 +90,6 @@ luaapk() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/lib/
}
-sha512sums="d2d9fde0aae9059236f68a3fc2f2186104bb9a099b15d296a6202a20ab2912638f10bb3b9edb70f359d060c5839573c3d50ef37d13095fa01c66dc3219ab6e39 apk-tools-2.10.4.tar.xz
-3cf1ae421e136ebe8c037a468fbeb3bca11668eb04dd4b8b9346c4089306002c891d6c2544d22522550f37a4fad0dfcecabceb4c8872165ea6827dcce46d9f2b 0001-add-fix-virtual-package-id-generation.patch
-7751f4ddbf3f1b14f5d70ea0f8c2f78168d6138272f883fe1c0137ed135c3f3639f4bf2860dbf6b6de0d4321c93ec9c150edaf5f496c4dc0fedd0a201f399599 lua-apk_time.patch"
+sha512sums="
+865772688b93343361d82847e3fc0846a52062304c2370e8da5c5a86a23ce37edf44b213174c85b27f1c392b0ac4851e0b8b44e90fc371412458e0b9321a82e1 apk-tools-v2.10.8.tar.gz
+"
diff --git a/main/apk-tools/lua-apk_time.patch b/main/apk-tools/lua-apk_time.patch
deleted file mode 100644
index 01b68f369e3..00000000000
--- a/main/apk-tools/lua-apk_time.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/src/lua-apk.c b/src/lua-apk.c
-index 532577a..26129fb 100644
---- a/src/lua-apk.c
-+++ b/src/lua-apk.c
-@@ -37,6 +37,15 @@ struct flagmap opendb_flagmap[] = {
- {NULL, 0}
- };
-
-+time_t apk_time(void)
-+{
-+#ifdef TEST_MODE
-+ return 1559567666;
-+#else
-+ return time(NULL);
-+#endif
-+}
-+
- /* implemented as luaL_typerror until lua 5.1, dropped in 5.2
- * (C) 1994-2012 Lua.org, PUC-Rio. MIT license
- */
diff --git a/main/apk-tools/tar-parser-overflow.patch b/main/apk-tools/tar-parser-overflow.patch
new file mode 100644
index 00000000000..19dffdbfd43
--- /dev/null
+++ b/main/apk-tools/tar-parser-overflow.patch
@@ -0,0 +1,65 @@
+From 1423c95eb62afcad29c6a1946de63e5b6a1e804a Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Fri, 2 Apr 2021 13:22:14 -0600
+Subject: [PATCH] archive: more strictly validate tarball headers
+
+---
+ src/archive.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/src/archive.c b/src/archive.c
+index 81821dc..80677d0 100644
+--- a/src/archive.c
++++ b/src/archive.c
+@@ -60,6 +60,7 @@ struct apk_tar_digest_info {
+
+ #define GET_OCTAL(s) get_octal(s, sizeof(s))
+ #define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v)
++#define HAS_NULLTERM(a) memchr(a, '\0', sizeof(a))
+
+ static unsigned int get_octal(char *s, size_t l)
+ {
+@@ -193,6 +194,27 @@ static void handle_extended_header(struct apk_file_info *fi, apk_blob_t hdr)
+ }
+ }
+
++static int validate_tar_header(struct tar_header *buf)
++{
++ /* Ensure that fields which should be null-terminated
++ * are null-terminated to use string functions on them. */
++ if (!HAS_NULLTERM(buf->uname) || !HAS_NULLTERM(buf->gname) ||
++ !HAS_NULLTERM(buf->linkname) || !HAS_NULLTERM(buf->magic) ||
++ !HAS_NULLTERM(buf->name) || !HAS_NULLTERM(buf->prefix)) {
++ return FALSE;
++ }
++
++ /* Validate the typeflag field. */
++ if (!strchr("KLgx01234567", buf->typeflag))
++ return FALSE;
++
++ /* Validate the size field. */
++ if (GET_OCTAL(buf->size) >= SSIZE_MAX - 512)
++ return FALSE;
++
++ return TRUE;
++}
++
+ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
+ void *ctx, int soft_checksums, struct apk_id_cache *idc)
+ {
+@@ -216,7 +238,12 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
+ memset(&entry, 0, sizeof(entry));
+ entry.name = buf.name;
+ while ((r = apk_istream_read(is, &buf, 512)) == 512) {
++ if (!validate_tar_header(&buf)) {
++ goto err;
++ }
++
+ offset += 512;
++
+ if (buf.name[0] == '\0') {
+ if (end) break;
+ end++;
+--
+2.31.0
+
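Review bot: The size check in `validate_tar_header` is likely ineffective on 64-bit targets. `GET_OCTAL` expands to `get_octal`, which the context line above declares as returning `unsigned int`, so `GET_OCTAL(buf->size) >= SSIZE_MAX - 512` can only be true where `ssize_t` is 32 bits wide. The value is also narrowed to `unsigned int` before the comparison, so an over-large size field may never reach this check in its original form; the body of `get_octal` is outside the hunk, so confirm how it handles overflow. Consider having the octal parser return a wider type with an explicit out-of-range result and bounding the size against that. Separately, `strchr("KLgx01234567", buf->typeflag)` also accepts a NUL typeflag because `strchr` matches the terminator; if that is intended, say so with a comment such as `/* '\0' is accepted too: strchr matches the terminator */`.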
diff --git a/main/avahi/APKBUILD b/main/avahi/APKBUILD
index 27844820328..2e50b44c664 100644
--- a/main/avahi/APKBUILD
+++ b/main/avahi/APKBUILD
@@ -26,6 +26,8 @@ builddir="$srcdir/$pkgname-$pkgver"
# 0.7-r2:
# - CVE-2017-6519
# - CVE-2018-1000845
+# 0:
+# - CVE-2021-26720
prepare() {
default_prepare
diff --git a/main/awstats/APKBUILD b/main/awstats/APKBUILD
index 71d001fc6b7..31fd7de5237 100644
--- a/main/awstats/APKBUILD
+++ b/main/awstats/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=awstats
-pkgver=7.7
+pkgver=7.8
pkgrel=0
pkgdesc="Free real-time logfile analyzer to get advanced statistics"
url="http://awstats.sourceforge.net/"
@@ -10,10 +10,13 @@ license="GPL-3.0-or-later"
depends="perl perl-uri"
subpackages="$pkgname-doc"
options="!check" # no testsuite
-source="https://prdownloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz"
-builddir="$srcdir/$pkgname-$pkgver"
+source="https://prdownloads.sourceforge.net/awstats/awstats-$pkgver.tar.gz
+ CVE-2020-35176.patch"
# secfixes:
+# 7.8-r0:
+# - CVE-2020-29600
+# - CVE-2020-35176
# 7.6-r2:
# - CVE-2017-1000501
@@ -59,4 +62,5 @@ package() {
"$pkgdir"/usr/lib/$pkgname/cgi-bin/plugins/example
}
-sha512sums="8bf32b0650ef0cc900a16eead866da3847d81c2696e7a90fb49833679c958768833d781e5b4becd9b4f6748c7266e2887ff7ff33d98293ce3a0296a810fbe899 awstats-7.7.tar.gz"
+sha512sums="b532f74a8b420841b1ae7eea73fd341049925af01688a06114f53807c14c6a4edc4ca4f671b2b9c1aee8024ba25ccf69b6eae391250e5722d2fd719de4cf87e2 awstats-7.8.tar.gz
+d012866662206ffba9f84af437824324bf402a49ecb67161833b3f9593ccd4327db4b465d305c3ca78e5b29917acd469760faac6f7678055d4de01621f689c63 CVE-2020-35176.patch"
diff --git a/main/awstats/CVE-2020-35176.patch b/main/awstats/CVE-2020-35176.patch
new file mode 100644
index 00000000000..3e707c35dc4
--- /dev/null
+++ b/main/awstats/CVE-2020-35176.patch
@@ -0,0 +1,30 @@
+From 0d4d4c05f8e73be8f71dd361dc55cbd52858b823 Mon Sep 17 00:00:00 2001
+From: Beuc <beuc@beuc.net>
+Date: Thu, 17 Dec 2020 18:14:43 +0100
+Subject: [PATCH] Only look for configuration in dedicated awstats directories
+
+Fixes #195/CVE-2020-35176
+---
+ wwwroot/cgi-bin/awstats.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index e709b7f5..8341c0a5 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1711,13 +1711,13 @@ sub Read_Config {
+ # Check config file in common possible directories :
+ # Windows : "$DIR" (same dir than awstats.pl)
+ # Standard, Mandrake and Debian package : "/etc/awstats"
+- # Other possible directories : "/usr/local/etc/awstats", "/etc"
++ # Other possible directories : "/usr/local/etc/awstats",
+ # FHS standard, Suse package : "/etc/opt/awstats"
+ my $configdir = shift;
+ my @PossibleConfigDir = (
+ "$DIR",
+ "/etc/awstats",
+- "/usr/local/etc/awstats", "/etc",
++ "/usr/local/etc/awstats",
+ "/etc/opt/awstats"
+ );
+
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 743ad9a6553..bc4f7199835 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -1,26 +1,26 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
-# Contributor: Carlo Landmeter <clandmeter@gmail.com>
+# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: tcely <bind+aports@tcely.33mail.com>
pkgname=bind
-pkgver=9.14.12
+pkgver=9.16.15
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
_major=${pkgver%%.*}
-pkgrel=0
-[ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
+[ "$_p" != "$pkgver" ] && _ver="$_ver-P$_p"
+pkgrel=2
pkgdesc="The ISC DNS server"
-url="https://www.isc.org"
+url="https://www.isc.org/"
arch="all"
license="MPL-2.0"
pkgusers="named"
pkggroups="named"
depends="dns-root-hints"
depends_dev="$pkgname $pkgname-plugins $pkgname-tools"
-depends_plugins="$pkgname"
+_depends_plugins="$pkgname"
_root_keys_upstream="dnssec-root"
-depends_root_keys="$_root_keys_upstream"
+_depends_root_keys="$_root_keys_upstream"
_py3deps="py3-ply python3"
makedepends="
bash
@@ -29,6 +29,7 @@ makedepends="
json-c-dev
krb5-dev
libcap-dev
+ libuv-dev
libxml2-dev
linux-headers
openldap-dev
@@ -37,6 +38,7 @@ makedepends="
protobuf-c-dev
$_py3deps
python3-dev
+ $_depends_root_keys
"
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc
@@ -45,7 +47,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc
$pkgname-plugins $pkgname-tools
"
source="
- https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz
+ https://downloads.isc.org/isc/bind$_major/$_ver/bind-$_ver.tar.xz
bind.plugindir.patch
bind.so_bsdcompat.patch
named.initd
@@ -57,6 +59,21 @@ source="
"
# secfixes:
+# 9.16.15-r0:
+# - CVE-2021-25214
+# - CVE-2021-25215
+# - CVE-2021-25216
+# 9.16.11-r2:
+# - CVE-2020-8625
+# 9.16.6-r0:
+# - CVE-2020-8620
+# - CVE-2020-8621
+# - CVE-2020-8622
+# - CVE-2020-8623
+# - CVE-2020-8624
+# 9.16.4-r0:
+# - CVE-2020-8618
+# - CVE-2020-8619
# 9.14.12-r0:
# - CVE-2020-8616
# - CVE-2020-8617
@@ -94,7 +111,7 @@ source="
prepare() {
default_prepare
# Adjusting PATHs in manpages
- for i in bin/named/named.8 bin/check/named-checkconf.8 bin/rndc/rndc.8; do
+ for i in bin/named/named.rst bin/check/named-checkconf.rst bin/rndc/rndc.rst; do
sed -i \
-e 's:/etc/named.conf:/etc/bind/named.conf:g' \
-e 's:/etc/rndc.conf:/etc/bind/rndc.conf:g' \
@@ -104,7 +121,7 @@ prepare() {
}
build() {
- ### http://bugs.gentoo.org/show_bug.cgi?id=227333
+ ### https://bugs.gentoo.org/show_bug.cgi?id=227333
export CFLAGS="$CFLAGS -D_GNU_SOURCE"
./configure \
@@ -130,7 +147,8 @@ build() {
--enable-linux-caps \
--enable-shared \
--enable-static \
- --disable-isc-spnego
+ --disable-isc-spnego \
+ --disable-backtrace
make
}
@@ -167,13 +185,6 @@ package() {
ln -s named.ca root.cache
}
-dev() {
- default_dev
-
- mkdir -p "$subpkgdir"/usr/bin
- mv "$pkgdir"/usr/bin/isc-config.sh "$subpkgdir"/usr/bin/
-}
-
_py3() {
pkgdesc="A module allowing rndc commands to be sent from Python programs"
depends="$_py3deps"
@@ -194,7 +205,7 @@ _dnssec_tools() {
plugins() {
pkgdesc="The ISC DNS server plugins"
- depends="$depends_plugins"
+ depends="$_depends_plugins"
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/bind "$subpkgdir"/usr/lib/
@@ -235,16 +246,27 @@ root_keys() {
ln -s "../../$_dir/$_file" "$_link"
}
-# TODO: remove when abuild is sufficiently upgraded
+# The default_libs() in abuild uses the wrong pattern.
libs() {
depends="$depends_libs"
- default_libs
+ pkgdesc="$pkgdesc (libraries)"
+ local dir= file=
+ for dir in lib usr/lib; do
+ for file in "$pkgdir"/$dir/lib*.so; do
+ [ -f "$file" ] || continue
+ mkdir -p "$subpkgdir"/$dir
+ mv "$file" "$subpkgdir"/$dir/
+ done
+ done
}
-#gpg_signature_extensions="sha512.asc"
-#gpgfingerprints="good:AE3F AC79 6711 EC59 FC00 7AA4 74BB 6B9A 4CBB 3D38"
+_gpg_signature_extensions="sha512.asc"
+_gpgfingerprints="
+ good:AE3F AC79 6711 EC59 FC00 7AA4 74BB 6B9A 4CBB 3D38
+ BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57
+ "
-sha512sums="f4e6c50cbe8fdb44cdd8e30b4560b6fe2fccd0fd5bde527a897a66e85065265da0d0aceb95af42d5568dea95d59e68574e5a486bbb7e6c5d0af275538c353ddf bind-9.14.12.tar.gz
+sha512sums="30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917915fdf39c26fd223396fc1e873410a50da305f0b870864f7fbbdccec8033 bind-9.16.15.tar.xz
2b32d1e7f62cd1e01bb4fdd92d15460bc14761b933d5acc463a91f5ecd4773d7477c757c5dd2738e8e433693592cf3f623ffc142241861c91848f01aa84640d6 bind.plugindir.patch
7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
ca779f52a0a96d774bbc4dbb4e62d136f483ce528693ac73b844435be73500d8495bfddce34534825b5f6fa3197601e3175918a076428bab52bbc33c509a816e named.initd
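Review bot: The two entries in `_gpgfingerprints` are formatted inconsistently: the first carries a `good:` prefix and the second (`BE0E 9748 …`) has none, so anything that parses this list may skip the second key or treat it differently. The leading underscore also makes both variables private to this APKBUILD, and nothing in the visible hunks reads them, so the upstream signature is presumably not checked at build time and source integrity rests on `sha512sums` alone. Either add the prefix, `good:BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57`, or state the status in a comment such as `# informational only: verify the sha512.asc signature by hand when bumping pkgver`.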
diff --git a/main/bind/CVE-2020-8621.patch b/main/bind/CVE-2020-8621.patch
new file mode 100644
index 00000000000..f401fc46fdf
--- /dev/null
+++ b/main/bind/CVE-2020-8621.patch
@@ -0,0 +1,20 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 7d443fd55b..3c0e3013aa 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -4020,6 +4020,15 @@ fctx_nextaddress(fetchctx_t *fctx) {
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ fctx->find = NULL;
+ fctx->forwarding = true;
++
++ /*
++ * QNAME minimization is disabled when
++ * forwarding, and has to remain disabled if
++ * we switch back to normal recursion; otherwise
++ * forwarding could leave us in an inconsistent
++ * state.
++ */
++ fctx->minimized = false;
+ return (addrinfo);
+ }
+ }
diff --git a/main/bind/CVE-2020-8622.patch b/main/bind/CVE-2020-8622.patch
new file mode 100644
index 00000000000..b963712113e
--- /dev/null
+++ b/main/bind/CVE-2020-8622.patch
@@ -0,0 +1,42 @@
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index d9e341a09e..7c813a5cf6 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ msg->header_ok = 0;
+ msg->question_ok = 0;
+
++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
++ isc_buffer_usedregion(&origsource, &msg->saved);
++ } else {
++ msg->saved.length = isc_buffer_usedlength(&origsource);
++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
++ if (msg->saved.base == NULL) {
++ return (ISC_R_NOMEMORY);
++ }
++ memmove(msg->saved.base, isc_buffer_base(&origsource),
++ msg->saved.length);
++ msg->free_saved = 1;
++ }
++
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_UNEXPECTEDEND);
+@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ }
+
+ truncated:
+- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+- isc_buffer_usedregion(&origsource, &msg->saved);
+- else {
+- msg->saved.length = isc_buffer_usedlength(&origsource);
+- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+- if (msg->saved.base == NULL)
+- return (ISC_R_NOMEMORY);
+- memmove(msg->saved.base, isc_buffer_base(&origsource),
+- msg->saved.length);
+- msg->free_saved = 1;
+- }
+
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ return (DNS_R_RECOVERABLE);
diff --git a/main/bind/CVE-2020-8624.patch b/main/bind/CVE-2020-8624.patch
new file mode 100644
index 00000000000..4968bda55b7
--- /dev/null
+++ b/main/bind/CVE-2020-8624.patch
@@ -0,0 +1,14 @@
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index 55f191bad4..b77a07c14a 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+
+ str = cfg_obj_asstring(matchtype);
+ CHECK(dns_ssu_mtypefromstring(str, &mtype));
+- if (mtype == dns_ssumatchtype_subdomain) {
++ if (mtype == dns_ssumatchtype_subdomain &&
++ strcasecmp(str, "zonesub") == 0) {
+ usezone = true;
+ }
+
diff --git a/main/binutils/APKBUILD b/main/binutils/APKBUILD
index 91f5f4f777d..d536ade1a3b 100644
--- a/main/binutils/APKBUILD
+++ b/main/binutils/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=binutils
pkgver=2.32
-pkgrel=0
+pkgrel=1
pkgdesc="Tools necessary to build programs"
url="https://www.gnu.org/software/binutils/"
makedepends_build="bison flex texinfo"
@@ -13,6 +13,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-gold"
source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.bz2
binutils-ld-fix-static-linking.patch
gold-mips.patch
+ CVE-2021-3487.patch
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -23,13 +24,15 @@ if [ "$CHOST" != "$CTARGET" ]; then
fi
# secfixes:
+# 2.33.1-r1:
+# - CVE-2021-3487
# 2.32-r0:
-# - CVE-2018-19931
-# - CVE-2018-19932
-# - CVE-2018-20002
-# - CVE-2018-20712
+# - CVE-2018-19931
+# - CVE-2018-19932
+# - CVE-2018-20002
+# - CVE-2018-20712
# 2.28-r1:
-# - CVE-2017-7614
+# - CVE-2017-7614
build() {
local _sysroot=/
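Review bot: The new secfixes entry is keyed `# 2.33.1-r1:`, but this APKBUILD still has `pkgver=2.32` and the commit bumps `pkgrel` to 1, so the fix ships in 2.32-r1. Tools that read the secfixes block would, on this branch, presumably record CVE-2021-3487 against a version that is never built and keep reporting 2.32-r1 as affected. The key should read `# 2.32-r1:`.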
@@ -113,4 +116,5 @@ gold() {
sha512sums="99ec7ed2b5ebfd3ac16cecb1567ec4a72f81ac30717002d601708f7547b2f8122ffcce076c986f22894aede33c54c73012210a4e973ba9b6e2d87a242a2bee12 binutils-2.32.tar.bz2
ecee33b0e435aa704af1c334e560f201638ff79e199aa11ed78a72f7c9b46f85fbb227af5748e735fd681d1965fcc42ac81b0c8824e540430ce0c706c81e8b49 binutils-ld-fix-static-linking.patch
-f55cf2e0bf82f97583a1abe10710e4013ecf7d64f1da2ef8659a44a06d0dd8beaf58dab98a183488ea137f03e32d62efc878d95f018f836f8cec870bc448556f gold-mips.patch"
+f55cf2e0bf82f97583a1abe10710e4013ecf7d64f1da2ef8659a44a06d0dd8beaf58dab98a183488ea137f03e32d62efc878d95f018f836f8cec870bc448556f gold-mips.patch
+b08384ed124a74ad3a424db370c107230f09a54378502ca4385deb738f7cf799857f2af0db52709c7eeab8fa6c0a3d972f891396cce1e2834a21f67682fc4355 CVE-2021-3487.patch"
diff --git a/main/binutils/CVE-2021-3487.patch b/main/binutils/CVE-2021-3487.patch
new file mode 100644
index 00000000000..db99ae73d97
--- /dev/null
+++ b/main/binutils/CVE-2021-3487.patch
@@ -0,0 +1,72 @@
+From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+
+ PR 26946
+ * dwarf2.c (read_section): Check for debug sections with excessive
+ sizes.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 977bf43a6a1..8bbfc81d3e7 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -531,22 +531,24 @@ read_section (bfd * abfd,
+ bfd_byte ** section_buffer,
+ bfd_size_type * section_size)
+ {
+- asection *msec;
+ const char *section_name = sec->uncompressed_name;
+ bfd_byte *contents = *section_buffer;
+- bfd_size_type amt;
+
+ /* The section may have already been read. */
+ if (contents == NULL)
+ {
++ bfd_size_type amt;
++ asection *msec;
++ ufile_ptr filesize;
++
+ msec = bfd_get_section_by_name (abfd, section_name);
+- if (! msec)
++ if (msec == NULL)
+ {
+ section_name = sec->compressed_name;
+ if (section_name != NULL)
+ msec = bfd_get_section_by_name (abfd, section_name);
+ }
+- if (! msec)
++ if (msec == NULL)
+ {
+ _bfd_error_handler (_("DWARF error: can't find %s section."),
+ sec->uncompressed_name);
+@@ -554,12 +556,23 @@ read_section (bfd * abfd,
+ return FALSE;
+ }
+
+- *section_size = msec->rawsize ? msec->rawsize : msec->size;
++ amt = bfd_get_section_limit_octets (abfd, msec);
++ filesize = bfd_get_file_size (abfd);
++ if (amt >= filesize)
++ {
++ /* PR 26946 */
++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++ section_name, (long) amt, (long) filesize);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ *section_size = amt;
+ /* Paranoia - alloc one extra so that we can make sure a string
+ section is NUL terminated. */
+- amt = *section_size + 1;
++ amt += 1;
+ if (amt == 0)
+ {
++ /* Paranoia - this should never happen. */
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+--
+2.27.0
+
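Review bot: The new guard `if (amt >= filesize)` in read_section applies to whichever section was found, including one looked up through `sec->compressed_name` a few lines earlier. If `bfd_get_section_limit_octets` reports the decompressed size there, a valid compressed debug section larger than the file would be rejected, and if `bfd_get_file_size` can return 0 for an unknown size, every section would be. Both are inferences from the hunk and should be confirmed against the 2.32 sources; `if (filesize != 0 && amt >= filesize)` would cover the second case. The message also casts both values to `(long)` for `0x%lx`, which truncates wherever `bfd_size_type` is wider than long. read_section continues past the patch context.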
diff --git a/main/bluez/APKBUILD b/main/bluez/APKBUILD
index 769d69df617..3338604d506 100644
--- a/main/bluez/APKBUILD
+++ b/main/bluez/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bluez
pkgver=5.50
-pkgrel=4
+pkgrel=5
pkgdesc="Tools for the Bluetooth protocol stack"
url="http://www.bluez.org/"
arch="all"
@@ -25,10 +25,13 @@ source="https://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz
disable-lock-test.patch
fix-endianness.patch
CVE-2020-0556.patch
+ CVE-2020-27153.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 5.50-r5:
+# - CVE-2020-27153
# 5.50-r4:
# - CVE-2020-0556
@@ -126,4 +129,5 @@ d5fd1c962bd846eaa6fff879bab85f753eb367d514f82d133b5d3242e1da989af5eddd942c60a87d
41ce7ccf78cca97563f0ef31e01dac6eb4484c24fe57be360b5e8de8c5bff5845e9d395766f891bd3f123788344456c88c9fc00cd1bb7c6a1dca89d09f19172b bluez-5.40-obexd_without_systemd-1.patch
04c4889372c8e790bb338dde7ffa76dc32fcf7370025c71b9184fcf17fd01ade4a6613d84d648303af3bbc54043ad489f29fc0cd4679ec8c9029dcb846d7e026 disable-lock-test.patch
118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch
-1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch"
+1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch
+c8e65bdfb5edc8edd0d1f9a153a7d5b953f0c5700aa61645af251cd857117990090a27c0ee133056fc045d0f6b6a3c1aad60ff0dfd3707c2c5ba29c518fccca8 CVE-2020-27153.patch"
diff --git a/main/bluez/CVE-2020-27153.patch b/main/bluez/CVE-2020-27153.patch
new file mode 100644
index 00000000000..48a346fe2c0
--- /dev/null
+++ b/main/bluez/CVE-2020-27153.patch
@@ -0,0 +1,95 @@
+Adapted from https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a
+
+diff --git a/src/shared/att.c b/src/shared/att.c
+index 0ea6d55..b0fdb8e 100644
+--- a/src/shared/att.c
++++ b/src/shared/att.c
+@@ -62,6 +62,7 @@ struct bt_att {
+ struct queue *ind_queue; /* Queued ATT protocol indications */
+ struct att_send_op *pending_ind;
+ struct queue *write_queue; /* Queue of PDUs ready to send */
++ bool in_disc; /* Cleanup queues on disconnect_cb */
+ bool writer_active;
+
+ struct queue *notify_list; /* List of registered callbacks */
+@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data)
+ free(op);
+ }
+
+-static void cancel_att_send_op(struct att_send_op *op)
++static void cancel_att_send_op(void *data)
+ {
++ struct att_send_op *op = data;
++
+ if (op->destroy)
+ op->destroy(op->user_data);
+
+@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
+ att->io = NULL;
+ att->fd = -1;
+
+- /* Notify request callbacks */
+- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
+- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
+- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
+-
+ if (att->pending_req) {
+ disc_att_send_op(att->pending_req);
+ att->pending_req = NULL;
+@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
+
+ bt_att_ref(att);
+
++ att->in_disc = true;
++
++ /* Notify request callbacks */
++ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
++ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
++ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
++
++ att->in_disc = false;
++
+ queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
+
+ bt_att_unregister_all(att);
+@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b)
+ return op->id == id;
+ }
+
++static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
++{
++ struct att_send_op *op;
++
++ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
++ if (op)
++ goto done;
++
++ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
++ if (op)
++ goto done;
++
++ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
++
++done:
++ if (!op)
++ return false;
++
++ /* Just cancel since disconnect_cb will be cleaning up */
++ cancel_att_send_op(op);
++
++ return true;
++}
++
+ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ {
+ struct att_send_op *op;
+@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ return true;
+ }
+
++ if (att->in_disc)
++ return bt_att_disc_cancel(att, id);
++
+ op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
+ if (op)
+ goto done;
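Review bot: The header says only "Adapted from" the upstream commit and does not say what was changed, so a reader cannot tell which parts of the `in_disc` handling are upstream's and which are local to this 5.50 backport. main/curl/CVE-2020-8231.patch in this same change sets the better example by listing the files it fixed up and the hunks it dropped. Add a second header line in that style, for example `Adjusted context in src/shared/att.c for 5.50; <list any dropped hunks>` (placeholder). The bodies of `cancel_att_send_op`, `disconnect_cb` and `bt_att_cancel` extend beyond the context shown, so the interaction between `bt_att_disc_cancel` and the later `queue_remove_all` calls cannot be fully checked from the patch alone.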
diff --git a/main/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/main/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 00000000000..0838f089516
--- /dev/null
+++ b/main/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,54 @@
+From f25d254dfd4243698c31a4f3153d4ac72aa9e9bd Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+ * each table.
+ * t: table to free
+ */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ huft_t *q;
+
++ /*
++ * If 'p' has the error bit set we have to clear it, otherwise we might run
++ * into a segmentation fault or an invalid pointer to free(p)
++ */
++ if (BAD_HUFT(p)) {
++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++ }
++
+ /* Go through linked list, freeing from the malloced (t[-1]) address. */
+ while (p) {
+ q = (--p)->v.t;
+@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
+ * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
+ * is given: "fixed inflate" decoder feeds us such data.
+ */
+-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+-#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static huft_t* huft_build(const unsigned *b, const unsigned n,
+ const unsigned s, const struct cp_ext *cp_ext,
+ unsigned *m)
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index c0f6c55bb47..b08bc34e19d 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.30.1
-pkgrel=4
+pkgrel=5
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url="https://busybox.net/"
arch="all"
@@ -40,6 +40,8 @@ source="https://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
0016-ip-fix-oneline-link.patch
CVE-2019-5747.patch
+ traceroute-opt-x.patch::https://git.busybox.net/busybox/patch/?id=89358a7131d3e75c74af834bb117b4fad7914983
+
acpid.logrotate
busyboxconfig
busyboxconfig-extras
@@ -49,6 +51,8 @@ source="https://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
"
# secfixes:
+# 1.30.1-r5:
+# - CVE-2021-28831
# 1.30.1-r2:
# - CVE-2019-5747
# 1.29.3-r10:
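Review bot: The secfixes block now claims CVE-2021-28831 for 1.30.1-r5, but the hunks shown here add only `traceroute-opt-x.patch` to `source=` and to `sha512sums`. The new file `0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch` appears in neither, so as far as this diff shows it would not be applied at build time and the package would be recorded as fixed while still carrying the bug. Add the patch to `source=` with its checksum line, or confirm it is already listed in a part of the APKBUILD outside these hunks.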
@@ -226,6 +230,7 @@ d8926f0e4ed7d2fe5af89ff2a944d781b45b109c9edf1ef2591e7bce2a8bbadd7c8ca814cb3c928a
2fdf01e4bb26a3b6fd7ff73649f15eff599d38db1bc61a699576ec9caae2fb37c49d689baca8b1a3a7b2999fbe04751da897518c2fb42d6f21756b468aa7599d 0015-ip-print-dadfailed-flag.patch
bd2c278176e6ca826bbc056f20341220fd39f5ce3ca457c4120b0e49768d2325fb65261c00f476bacbfe6daecaea86212136469f11e3148ebec91baad1ca0225 0016-ip-fix-oneline-link.patch
6952770be92a980174691ac65fda778eaafd23bf8da63ad62149f2cb0f289bef216bb512ae5e013328b3bd5289a351124d22dd819b1e3116cc2244b435eb7287 CVE-2019-5747.patch
+c6dc917e67ab4c9aa0294f22707fd3cfc8cb37d703d8a0bce7f257ac9fb931dc4b815ab1d5e4f3ed3520b6ba046bdc1fbd0d1f8ed73b8d2d51f9238f03e03688 traceroute-opt-x.patch
aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1 acpid.logrotate
fc1f4e44e3f7874a8036d48e039c45e08761007a0f4f9b6f242b63f57b641b7609f47cffc620e08ab6384885a0bec822f840e79567c304dc1944124f27a9f4ad busyboxconfig
c6f0fc8e6f5a166309d8548bd1a7e11a2bc71b67c1222567485329602b55fbd4e12b627fa092fff3c269ebc01f20eb55ae7fca12f7c655afe0e563af4fd2c873 busyboxconfig-extras
diff --git a/main/cairo/85.patch b/main/cairo/85.patch
new file mode 100644
index 00000000000..8d5717ffa21
--- /dev/null
+++ b/main/cairo/85.patch
@@ -0,0 +1,172 @@
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH 1/3] Fix mask usage in image-compositor
+
+---
+ src/cairo-image-compositor.c | 8 ++--
+ test/Makefile.sources | 1 +
+ test/bug-image-compositor.c | 39 ++++++++++++++++++++
+ test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
+ 4 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+ create mode 100644 test/reference/bug-image-compositor.ref.png
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ unsigned num_spans)
+ {
+ cairo_image_span_renderer_t *r = abstract_renderer;
+- uint8_t *m;
++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+ int x0;
+
+ if (num_spans == 0)
+ return CAIRO_STATUS_SUCCESS;
+
+ x0 = spans[0].x;
+- m = r->_buf;
++ m = base;
+ do {
+ int len = spans[1].x - spans[0].x;
+ if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ spans[0].x, y,
+ spans[1].x - spans[0].x, h);
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else if (spans[0].coverage == 0x0) {
+ if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ }
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else {
+ *m++ = spans[0].coverage;
+diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
+new file mode 100644
+index 000000000..fc4fd370b
+--- /dev/null
++++ b/test/bug-image-compositor.c
+@@ -0,0 +1,39 @@
++#include "cairo-test.h"
++
++static cairo_test_status_t
++draw (cairo_t *cr, int width, int height)
++{
++ cairo_set_source_rgb (cr, 0., 0., 0.);
++ cairo_paint (cr);
++
++ cairo_set_source_rgb (cr, 1., 1., 1.);
++ cairo_set_line_width (cr, 1.);
++
++ cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height);
++ cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
++ cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
++ cairo_set_source (cr, p);
++
++ cairo_move_to (cr, 0.5, -1);
++ for (int i = 0; i < width; i+=3) {
++ cairo_rel_line_to (cr, 2, 2);
++ cairo_rel_line_to (cr, 1, -2);
++ }
++
++ cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
++ cairo_stroke (cr);
++
++ cairo_pattern_destroy(p);
++
++ return CAIRO_TEST_SUCCESS;
++}
++
++
++CAIRO_TEST (bug_image_compositor,
++ "Crash in image-compositor",
++ "stroke, stress", /* keywords */
++ NULL, /* requirements */
++ 10000, 1,
++ NULL, draw)
++
++
+
+From 8bc14a6bba3bc8a64ff0749c74d9b96305bf6429 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 17:14:18 +0100
+Subject: [PATCH 2/3] Minor cleanups
+
+---
+ test/bug-image-compositor.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
+index fc4fd370b..304ea089c 100644
+--- a/test/bug-image-compositor.c
++++ b/test/bug-image-compositor.c
+@@ -1,5 +1,34 @@
++/*
++ * Copyright © 2020 Uli Schlachter, Heiko Lewin
++ *
++ * Permission is hereby granted, free of charge, to any person
++ * obtaining a copy of this software and associated documentation
++ * files (the "Software"), to deal in the Software without
++ * restriction, including without limitation the rights to use, copy,
++ * modify, merge, publish, distribute, sublicense, and/or sell copies
++ * of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++ * SOFTWARE.
++ *
++ * Author: Uli Schlachter <psychon@znc.in>
++ * Author: Heiko Lewin <hlewin@gmx.de>
++ */
+ #include "cairo-test.h"
+
++
++/* This test reproduces an overflow of a mask-buffer in cairo-image-compositor.c */
++
+ static cairo_test_status_t
+ draw (cairo_t *cr, int width, int height)
+ {
+@@ -13,6 +42,7 @@ draw (cairo_t *cr, int width, int height)
+ cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
+ cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
+ cairo_set_source (cr, p);
++ cairo_pattern_destroy(p);
+
+ cairo_move_to (cr, 0.5, -1);
+ for (int i = 0; i < width; i+=3) {
+@@ -23,8 +53,6 @@ draw (cairo_t *cr, int width, int height)
+ cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
+ cairo_stroke (cr);
+
+- cairo_pattern_destroy(p);
+-
+ return CAIRO_TEST_SUCCESS;
+ }
+
+@@ -36,4 +64,3 @@ CAIRO_TEST (bug_image_compositor,
+ 10000, 1,
+ NULL, draw)
+
+-
+--
+GitLab
+
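Review bot: The file holds `[PATCH 1/3]` and `[PATCH 2/3]` but no 3/3, and the diffstat of 1/3 lists `test/Makefile.sources` and `test/reference/bug-image-compositor.ref.png` although the file has no hunks for either. The added test is therefore never registered and has no reference image, and a reader cannot tell whether the third commit was dropped on purpose. A short header naming the upstream merge request, the CVE that the APKBUILD ties to this file (CVE-2020-35492) and the parts deliberately left out would settle that. Naming the file after the CVE, as the other patches in this change do, would also make the secfixes entry easier to trace.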
diff --git a/main/cairo/APKBUILD b/main/cairo/APKBUILD
index d15bd16726b..b4a63a44a5b 100644
--- a/main/cairo/APKBUILD
+++ b/main/cairo/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cairo
pkgver=1.16.0
-pkgrel=2
+pkgrel=3
pkgdesc="A vector graphics library"
url="https://cairographics.org/"
arch="all"
@@ -16,10 +16,13 @@ source="https://cairographics.org/releases/cairo-$pkgver.tar.xz
musl-stacksize.patch
CVE-2018-19876.patch
pdf-flush.patch
+ 85.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.16.0-r3:
+# - CVE-2020-35492
# 1.16.0-r1:
# - CVE-2018-19876
@@ -70,4 +73,5 @@ tools() {
sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz
86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch
8f13cdcae0f134e04778cf5915f858fb8d5357a7e0a454791c93d1566935b985ec66dfe1683cd0b74a1cb44a130923d7a27cf006f3fc70b9bee93abd58a55aa3 CVE-2018-19876.patch
-533ea878dc7f917af92e2694bd3f535a09cde77f0ecd0cc00881fbc9ec1ea86f60026eacc76129705f525f6672929ad8d15d8cfe1bfa61e9962e805a7fbded81 pdf-flush.patch"
+533ea878dc7f917af92e2694bd3f535a09cde77f0ecd0cc00881fbc9ec1ea86f60026eacc76129705f525f6672929ad8d15d8cfe1bfa61e9962e805a7fbded81 pdf-flush.patch
+20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0 85.patch"
diff --git a/main/cifs-utils/APKBUILD b/main/cifs-utils/APKBUILD
index 89f6bd6ace0..cd214d5e306 100644
--- a/main/cifs-utils/APKBUILD
+++ b/main/cifs-utils/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=cifs-utils
-pkgver=6.9
+pkgver=6.13
pkgrel=0
pkgdesc="CIFS filesystem user-space tools"
url="https://wiki.samba.org/index.php/LinuxCIFS_utils"
@@ -15,6 +15,12 @@ source="https://ftp.samba.org/pub/linux-cifs/$pkgname/$pkgname-$pkgver.tar.bz2
xattr_size_max.patch"
options=suid
+# secfixes:
+# 6.13-r0:
+# - CVE-2021-20208
+# 0:
+# - CVE-2020-14342 # (not actually applicable)
+
builddir=$srcdir/$pkgname-$pkgver
build() {
@@ -40,6 +46,8 @@ package() {
chmod +s $pkgdir/sbin/mount.cifs
}
-sha512sums="b92e4e39eeed1032bb175659296cde034703fb3ca63aae00419d46a33dadf821fedaf03734128112c164c84bcbb48d92d03cdc275c4a7cba26f984aeca40a40a cifs-utils-6.9.tar.bz2
+sha512sums="
+1337ac4b69f0c3e8d0241eb608207ba81dfa35f84c661649d25da78637882c4d73467b0f632be0bd120362e0b786e40eb340bffcf21c8a09629c441100fd10de cifs-utils-6.13.tar.bz2
99a2fab05bc2f14a600f89526ae0ed2c183cfa179fe386cb327075f710aee3aed5ae823f7c2f51913d1217c2371990d6d4609fdb8d80288bd3a6139df3c8aebe musl-fix-includes.patch
-2a9366ec1ddb0389c535d2fa889f63287cb8374535a47232de102c7e50b6874f67a3d5ef3318df23733300fd8459c7ec4b11f3211508aca7800b756119308e98 xattr_size_max.patch"
+2a9366ec1ddb0389c535d2fa889f63287cb8374535a47232de102c7e50b6874f67a3d5ef3318df23733300fd8459c7ec4b11f3211508aca7800b756119308e98 xattr_size_max.patch
+"
diff --git a/main/collectd/APKBUILD b/main/collectd/APKBUILD
index 36ce14e605f..14d07c176d0 100644
--- a/main/collectd/APKBUILD
+++ b/main/collectd/APKBUILD
@@ -31,7 +31,7 @@ source="https://collectd.org/files/collectd-$pkgver.tar.bz2
builddir="$srcdir"/$pkgname-$pkgver
-# security fixes:
+# secfixes:
# 5.5.2-r0:
# - CVE-2016-6254
diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD
index de2f9c1808a..50353110eef 100644
--- a/main/cups/APKBUILD
+++ b/main/cups/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cups
pkgver=2.2.12
-pkgrel=0
+pkgrel=1
pkgdesc="The CUPS Printing System"
url="https://www.cups.org/"
arch="all"
@@ -20,9 +20,14 @@ source="https://github.com/apple/cups/releases/download/v$pkgver/cups-$pkgver-so
cupsd.initd
cups-no-export-ssllibs.patch
default-config-no-gssapi.patch
+ CVE-2019-8842.patch
+ CVE-2020-3898.patch
"
# secfixes:
+# 2.2.12-r1:
+# - CVE-2019-8842
+# - CVE-2020-3898
# 2.2.12-r0:
# - CVE-2019-8696
# - CVE-2019-8675
@@ -134,4 +139,6 @@ sha512sums="b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df
cf64211da59e79285f99d437c02fdd7db462855fb2920ec9563ba47bd8a9e5cbd10555094940ceedeb41ac805c4f0ddb9147481470112a11a76220d0298aef79 cups.logrotate
2c2683f755a220166b3a1653fdd1a6daa9718c8f0bbdff2e2d5e61d1133306260d63a83d3ff41619b5cf84c4913fae5822b79553e2822858f38fa3613f4c7082 cupsd.initd
7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch
-98bb97f4af69ea286fc3d398b8e57c32440e6b2d49fb7f79b418a4fe7f13441f3a610f65d3433d10d971ade808233c0b29b4d66160623ccaae919179384be918 default-config-no-gssapi.patch"
+98bb97f4af69ea286fc3d398b8e57c32440e6b2d49fb7f79b418a4fe7f13441f3a610f65d3433d10d971ade808233c0b29b4d66160623ccaae919179384be918 default-config-no-gssapi.patch
+1a6dc3560c78eef28cad977abde076c02791e34fc05e53ce3137ac4ff1feb2f6bae5f64ba8733f44280ac4273d825372b29b15da6bb179776496f62a7d06462d CVE-2019-8842.patch
+560466d3721cd105ef1e6aa03d0cb6c55964e94f06fe80e2f8570d481941cfd03ac6940d0108e111ea7f4bee55460b93423975410890e105902c5a4ce3b79d77 CVE-2020-3898.patch"
diff --git a/main/cups/CVE-2019-8842.patch b/main/cups/CVE-2019-8842.patch
new file mode 100644
index 00000000000..2e1a212239a
--- /dev/null
+++ b/main/cups/CVE-2019-8842.patch
@@ -0,0 +1,13 @@
+diff --git a/cups/ipp.c b/cups/ipp.c
+index b0762fd..dba4f31 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data source */
+ * Read 32-bit "extension" tag...
+ */
+
+- if ((*cb)(src, buffer, 4) < 1)
++ if ((*cb)(src, buffer, 4) < 4)
+ {
+ DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+ _cupsBufferRelease((char *)buffer);
diff --git a/main/cups/CVE-2020-3898.patch b/main/cups/CVE-2020-3898.patch
new file mode 100644
index 00000000000..d797a0be1a2
--- /dev/null
+++ b/main/cups/CVE-2020-3898.patch
@@ -0,0 +1,14 @@
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 58d92c1..5bc7939 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -1730,8 +1730,7 @@ _ppdOpen(
+ constraint->choice1, constraint->option2,
+ constraint->choice2))
+ {
+- case 0 : /* Error */
+- case 1 : /* Error */
++ default : /* Error */
+ pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ goto error;
+
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index adc14c8de54..139bb53191f 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.66.0
-pkgrel=1
+pkgrel=4
pkgdesc="URL retrival utility and library"
url="https://curl.haxx.se/"
arch="all"
@@ -17,9 +17,20 @@ subpackages="$pkgname-dbg $pkgname-static $pkgname-doc $pkgname-dev libcurl"
source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
CVE-2020-8169.patch
CVE-2020-8177.patch
+ CVE-2020-8231.patch
+ CVE-2020-8285.patch
+ CVE-2020-8286.patch
+ CVE-2021-22898.patch
"
# secfixes:
+# 7.66.0-r4:
+# - CVE-2021-22898
+# 7.66.0-r3:
+# - CVE-2020-8285
+# - CVE-2020-8286
+# 7.66.0-r2:
+# - CVE-2020-8231
# 7.66.0-r1:
# - CVE-2020-8169
# - CVE-2020-8177
@@ -62,11 +73,11 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
# - CVE-2017-7468
# 7.53.1-r2:
# - CVE-2017-7407
-# 7.53.0:
+# 7.53.0-r0:
# - CVE-2017-2629
-# 7.52.1:
+# 7.52.1-r0:
# - CVE-2016-9594
-# 7.51.0:
+# 7.51.0-r0:
# - CVE-2016-8615
# - CVE-2016-8616
# - CVE-2016-8617
@@ -78,23 +89,25 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
# - CVE-2016-8623
# - CVE-2016-8624
# - CVE-2016-8625
-# 7.50.3:
+# 7.50.3-r0:
# - CVE-2016-7167
-# 7.50.2:
+# 7.50.2-r0:
# - CVE-2016-7141
-# 7.50.1:
+# 7.50.1-r0:
# - CVE-2016-5419
# - CVE-2016-5420
# - CVE-2016-5421
-# 7.36.0:
+# 7.36.0-r0:
# - CVE-2014-0138
# - CVE-2014-0139
+# 0:
+# - CVE-2021-22297
prepare() {
default_prepare
autoreconf -vfi
}
-
+
build() {
./configure \
--build=$CBUILD \
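Review bot: The new `# 0:` entry lists `CVE-2021-22297`, whose number sits well apart from the other 2021 curl id added in this change (`CVE-2021-22898`), so it may be a transposed digit. Check it against the upstream curl advisory list before merging. A wrong id in the "not affected" bucket means the intended CVE stays unmarked and scanners will, presumably, keep flagging the package for it.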
@@ -128,7 +141,10 @@ libcurl() {
mkdir -p "$subpkgdir"/usr
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
-
sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz
4950975d59bdf8398dd5f4b8338e5f76ae3752247be9054a28753351bcddb46f71a8bd601dba31da1b6b3fbbfbe6192f33a6500144d89f2cfdfb47161e3addba CVE-2020-8169.patch
-964b6bece2d748ac5dca6afe4689341e677b3c0961237485167157567526a898b8371104a7e075cd3c255ead50ea8658d8760d4a2eab4e5de11558372c4d189c CVE-2020-8177.patch"
+964b6bece2d748ac5dca6afe4689341e677b3c0961237485167157567526a898b8371104a7e075cd3c255ead50ea8658d8760d4a2eab4e5de11558372c4d189c CVE-2020-8177.patch
+d5f4421e5ac6f89220d00fb156c803edbb64679e9064ca8328269eea3582ee7780f77522b5069a1288cc09e968567175c94139249cc337906243c95d0bc3e684 CVE-2020-8231.patch
+2765302f147ad29b7187d334edfb66076ab81088583dd681ba37aed96eee6a5108ca8281fe185e60494d4aeda003216319d15e05a341f5796698452816fe0f97 CVE-2020-8285.patch
+6c42a589a8bc7b588dcd2c3e656a221000608841b6347c66e640ba818f6ff73fcfaf1ae1948dcbd446689559f54476b0ca5e340fb00f44da1defb7c2573d4a8c CVE-2020-8286.patch
+c52275bc8ce1463b5a05c5387144b743462a2f551853134254317023ad39445eb53119d88bfb58d17aaa6e5f86985c2f2b540980337eaca1f385ac15818546e6 CVE-2021-22898.patch"
diff --git a/main/curl/CVE-2020-8231.patch b/main/curl/CVE-2020-8231.patch
new file mode 100644
index 00000000000..0d6a76d94d1
--- /dev/null
+++ b/main/curl/CVE-2020-8231.patch
@@ -0,0 +1,123 @@
+Based on https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8
+
+Didn't apply cleanly, fixed up lib/urldata.h and lib/url.c, ignored 2 changes in lib/multi.c
+that refer to things that do not yet exist in this version of curl
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 0a7475c..b3d4057 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1356,15 +1356,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
+ }
+
+ struct connfind {
+- struct connectdata *tofind;
+- bool found;
++ long id_tofind;
++ struct connectdata *found;
+ };
+
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+ struct connfind *f = (struct connfind *)param;
+- if(conn == f->tofind) {
+- f->found = TRUE;
++ if(conn->connection_id == f->id_tofind) {
++ f->found = conn;
+ return 1;
+ }
+ return 0;
+@@ -1386,21 +1386,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+ * - that is associated with a multi handle, and whose connection
+ * was detached with CURLOPT_CONNECT_ONLY
+ */
+- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+- struct connectdata *c = data->state.lastconnect;
++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++ struct connectdata *c;
+ struct connfind find;
+- find.tofind = data->state.lastconnect;
+- find.found = FALSE;
++ find.id_tofind = data->state.lastconnect_id;
++ find.found = NULL;
+
+ Curl_conncache_foreach(data, data->multi_easy?
+ &data->multi_easy->conn_cache:
+ &data->multi->conn_cache, &find, conn_is_conn);
+
+ if(!find.found) {
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ return CURL_SOCKET_BAD;
+ }
+
++ c = find.found;
+ if(connp) {
+ /* only store this if the caller cares for it */
+ *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index b648e80..7b0ea9a 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -831,8 +831,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+
+ /* the connection cache is setup on demand */
+ outcurl->state.conn_cache = NULL;
+-
+- outcurl->state.lastconnect = NULL;
++ outcurl->state.lastconnect_id = -1;
+
+ outcurl->progress.flags = data->progress.flags;
+ outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index e10e752..02687dd 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -454,6 +454,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+ data->state.conn_cache = &data->share->conn_cache;
+ else
+ data->state.conn_cache = &multi->conn_cache;
++ data->state.lastconnect_id = -1;
+
+ #ifdef USE_LIBPSL
+ /* Do the same for PSL. */
+@@ -669,11 +670,11 @@ static CURLcode multi_done(struct Curl_easy *data,
+ CONN_UNLOCK(data);
+ if(Curl_conncache_return_conn(data, conn)) {
+ /* remember the most recently used connection */
+- data->state.lastconnect = conn;
++ data->state.lastconnect_id = conn->connection_id;
+ infof(data, "%s\n", buffer);
+ }
+ else
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ }
+
+ Curl_free_request_state(data);
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66a..f0a880f 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -617,7 +617,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+ Curl_initinfo(data);
+
+ /* most recent connection is not yet defined */
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+
+ data->progress.flags |= PGRS_HIDE;
+ data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fbb8b64..6586986 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1332,7 +1332,7 @@ struct UrlState {
+ /* buffers to store authentication data in, as parsed from input options */
+ struct curltime keeps_speed; /* for the progress meter really */
+
+- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++ long lastconnect_id; /* The last connection, -1 if undefined */
+
+ char *headerbuff; /* allocated buffer to store headers in */
+ size_t headersize; /* size of the allocation */
diff --git a/main/curl/CVE-2020-8285.patch b/main/curl/CVE-2020-8285.patch
new file mode 100644
index 00000000000..f501981c2d7
--- /dev/null
+++ b/main/curl/CVE-2020-8285.patch
@@ -0,0 +1,236 @@
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 8072a33..f65e220 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3775,129 +3775,130 @@ static CURLcode init_wc_data(struct connectdata *conn)
+ return result;
+ }
+
+-/* This is called recursively */
+ static CURLcode wc_statemach(struct connectdata *conn)
+ {
+ struct WildcardData * const wildcard = &(conn->data->wildcard);
+ CURLcode result = CURLE_OK;
+
+- switch(wildcard->state) {
+- case CURLWC_INIT:
+- result = init_wc_data(conn);
+- if(wildcard->state == CURLWC_CLEAN)
+- /* only listing! */
+- break;
+- wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
+- break;
++ for(;;) {
++ switch(wildcard->state) {
++ case CURLWC_INIT:
++ result = init_wc_data(conn);
++ if(wildcard->state == CURLWC_CLEAN)
++ /* only listing! */
++ return result;
++ wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
++ return result;
+
+- case CURLWC_MATCHING: {
+- /* In this state is LIST response successfully parsed, so lets restore
+- previous WRITEFUNCTION callback and WRITEDATA pointer */
+- struct ftp_wc *ftpwc = wildcard->protdata;
+- conn->data->set.fwrite_func = ftpwc->backup.write_function;
+- conn->data->set.out = ftpwc->backup.file_descriptor;
+- ftpwc->backup.write_function = ZERO_NULL;
+- ftpwc->backup.file_descriptor = NULL;
+- wildcard->state = CURLWC_DOWNLOADING;
+-
+- if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
+- /* error found in LIST parsing */
+- wildcard->state = CURLWC_CLEAN;
+- return wc_statemach(conn);
+- }
+- if(wildcard->filelist.size == 0) {
+- /* no corresponding file */
+- wildcard->state = CURLWC_CLEAN;
+- return CURLE_REMOTE_FILE_NOT_FOUND;
++ case CURLWC_MATCHING: {
++ /* In this state is LIST response successfully parsed, so lets restore
++ previous WRITEFUNCTION callback and WRITEDATA pointer */
++ struct ftp_wc *ftpwc = wildcard->protdata;
++ conn->data->set.fwrite_func = ftpwc->backup.write_function;
++ conn->data->set.out = ftpwc->backup.file_descriptor;
++ ftpwc->backup.write_function = ZERO_NULL;
++ ftpwc->backup.file_descriptor = NULL;
++ wildcard->state = CURLWC_DOWNLOADING;
++
++ if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
++ /* error found in LIST parsing */
++ wildcard->state = CURLWC_CLEAN;
++ continue;
++ }
++ if(wildcard->filelist.size == 0) {
++ /* no corresponding file */
++ wildcard->state = CURLWC_CLEAN;
++ return CURLE_REMOTE_FILE_NOT_FOUND;
++ }
++ continue;
+ }
+- return wc_statemach(conn);
+- }
+
+- case CURLWC_DOWNLOADING: {
+- /* filelist has at least one file, lets get first one */
+- struct ftp_conn *ftpc = &conn->proto.ftpc;
+- struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
+- struct FTP *ftp = conn->data->req.protop;
++ case CURLWC_DOWNLOADING: {
++ /* filelist has at least one file, lets get first one */
++ struct ftp_conn *ftpc = &conn->proto.ftpc;
++ struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
++ struct FTP *ftp = conn->data->req.protop;
+
+- char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
+- if(!tmp_path)
+- return CURLE_OUT_OF_MEMORY;
++ char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
++ if(!tmp_path)
++ return CURLE_OUT_OF_MEMORY;
+
+- /* switch default ftp->path and tmp_path */
+- free(ftp->pathalloc);
+- ftp->pathalloc = ftp->path = tmp_path;
+-
+- infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
+- if(conn->data->set.chunk_bgn) {
+- long userresponse;
+- Curl_set_in_callback(conn->data, true);
+- userresponse = conn->data->set.chunk_bgn(
+- finfo, wildcard->customptr, (int)wildcard->filelist.size);
+- Curl_set_in_callback(conn->data, false);
+- switch(userresponse) {
+- case CURL_CHUNK_BGN_FUNC_SKIP:
+- infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
+- finfo->filename);
++ /* switch default ftp->path and tmp_path */
++ free(ftp->pathalloc);
++ ftp->pathalloc = ftp->path = tmp_path;
++
++ infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
++ if(conn->data->set.chunk_bgn) {
++ long userresponse;
++ Curl_set_in_callback(conn->data, true);
++ userresponse = conn->data->set.chunk_bgn(
++ finfo, wildcard->customptr, (int)wildcard->filelist.size);
++ Curl_set_in_callback(conn->data, false);
++ switch(userresponse) {
++ case CURL_CHUNK_BGN_FUNC_SKIP:
++ infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
++ finfo->filename);
++ wildcard->state = CURLWC_SKIP;
++ continue;
++ case CURL_CHUNK_BGN_FUNC_FAIL:
++ return CURLE_CHUNK_FAILED;
++ }
++ }
++
++ if(finfo->filetype != CURLFILETYPE_FILE) {
+ wildcard->state = CURLWC_SKIP;
+- return wc_statemach(conn);
+- case CURL_CHUNK_BGN_FUNC_FAIL:
+- return CURLE_CHUNK_FAILED;
++ continue;
+ }
+- }
+
+- if(finfo->filetype != CURLFILETYPE_FILE) {
+- wildcard->state = CURLWC_SKIP;
+- return wc_statemach(conn);
+- }
++ if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
++ ftpc->known_filesize = finfo->size;
+
+- if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
+- ftpc->known_filesize = finfo->size;
++ result = ftp_parse_url_path(conn);
++ if(result)
++ return result;
+
+- result = ftp_parse_url_path(conn);
+- if(result)
++ /* we don't need the Curl_fileinfo of first file anymore */
++ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
++ if(wildcard->filelist.size == 0) { /* remains only one file to down. */
++ wildcard->state = CURLWC_CLEAN;
++ /* after that will be ftp_do called once again and no transfer
++ will be done because of CURLWC_CLEAN state */
++ return CURLE_OK;
++ }
+ return result;
+-
+- /* we don't need the Curl_fileinfo of first file anymore */
+- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+-
+- if(wildcard->filelist.size == 0) { /* remains only one file to down. */
+- wildcard->state = CURLWC_CLEAN;
+- /* after that will be ftp_do called once again and no transfer
+- will be done because of CURLWC_CLEAN state */
+- return CURLE_OK;
+ }
+- } break;
+
+- case CURLWC_SKIP: {
+- if(conn->data->set.chunk_end) {
+- Curl_set_in_callback(conn->data, true);
+- conn->data->set.chunk_end(conn->data->wildcard.customptr);
+- Curl_set_in_callback(conn->data, false);
++ case CURLWC_SKIP: {
++ if(conn->data->set.chunk_end) {
++ Curl_set_in_callback(conn->data, true);
++ conn->data->set.chunk_end(conn->data->wildcard.customptr);
++ Curl_set_in_callback(conn->data, false);
++ }
++ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
++ wildcard->state = (wildcard->filelist.size == 0) ?
++ CURLWC_CLEAN : CURLWC_DOWNLOADING;
++ continue;
+ }
+- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+- wildcard->state = (wildcard->filelist.size == 0) ?
+- CURLWC_CLEAN : CURLWC_DOWNLOADING;
+- return wc_statemach(conn);
+- }
+-
+- case CURLWC_CLEAN: {
+- struct ftp_wc *ftpwc = wildcard->protdata;
+- result = CURLE_OK;
+- if(ftpwc)
+- result = Curl_ftp_parselist_geterror(ftpwc->parser);
++
++ case CURLWC_CLEAN: {
++ struct ftp_wc *ftpwc = wildcard->protdata;
++ result = CURLE_OK;
++ if(ftpwc)
++ result = Curl_ftp_parselist_geterror(ftpwc->parser);
+
+- wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
+- } break;
++ wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
++ return result;
++ }
+
+- case CURLWC_DONE:
+- case CURLWC_ERROR:
+- case CURLWC_CLEAR:
+- if(wildcard->dtor)
+- wildcard->dtor(wildcard->protdata);
+- break;
++ case CURLWC_DONE:
++ case CURLWC_ERROR:
++ case CURLWC_CLEAR:
++ if(wildcard->dtor)
++ wildcard->dtor(wildcard->protdata);
++ return result;
++ }
+ }
+-
+- return result;
++ /* UNREACHABLE */
+ }
+
+ /***********************************************************************
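Review bot: The outer `switch(wildcard->state)` in wc_statemach now sits inside `for(;;)` without a `default`, so a state value that matches no case would loop forever, where the old code fell out of the switch and returned `result`. Every state named in the hunk either returns or changes `wildcard->state` before `continue`, so this only matters for a corrupted or later-added state, but `default: return CURLE_BAD_FUNCTION_ARGUMENT;` would keep the loop bounded. The removed `/* This is called recursively */` is also not replaced; a comment such as `/* loops until a state returns; every continue follows a change of wildcard->state */` would document the termination argument.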
diff --git a/main/curl/CVE-2020-8286.patch b/main/curl/CVE-2020-8286.patch
new file mode 100644
index 00000000000..9abdd1171d0
--- /dev/null
+++ b/main/curl/CVE-2020-8286.patch
@@ -0,0 +1,110 @@
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 760758d..e7d3ede 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1713,6 +1713,12 @@ static CURLcode verifystatus(struct connectdata *conn,
+ X509_STORE *st = NULL;
+ STACK_OF(X509) *ch = NULL;
+
++ X509 *cert;
++ OCSP_CERTID *id = NULL;
++ int cert_status, crl_reason;
++ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ int ret;
++
+ long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &status);
+
+ if(!status) {
+@@ -1780,43 +1786,63 @@ static CURLcode verifystatus(struct connectdata *conn,
+ goto end;
+ }
+
+- for(i = 0; i < OCSP_resp_count(br); i++) {
+- int cert_status, crl_reason;
+- OCSP_SINGLERESP *single = NULL;
+-
+- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ /* Compute the certificate's ID */
++ cert = SSL_get_peer_certificate(BACKEND->handle);
++ if(!cert) {
++ failf(data, "Error getting peer certficate");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- single = OCSP_resp_get0(br, i);
+- if(!single)
+- continue;
++ for(i = 0; i < sk_X509_num(ch); i++) {
++ X509 *issuer = sk_X509_value(ch, i);
++ if(X509_check_issued(issuer, cert) == X509_V_OK) {
++ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
++ break;
++ }
++ }
++ X509_free(cert);
+
+- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+- &thisupd, &nextupd);
++ if(!id) {
++ failf(data, "Error computing OCSP ID");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+- failf(data, "OCSP response has expired");
+- result = CURLE_SSL_INVALIDCERTSTATUS;
+- goto end;
+- }
++ /* Find the single OCSP response corresponding to the certificate ID */
++ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
++ &thisupd, &nextupd);
++ OCSP_CERTID_free(id);
++ if(ret != 1) {
++ failf(data, "Could not find certificate ID in OCSP response");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- infof(data, "SSL certificate status: %s (%d)\n",
+- OCSP_cert_status_str(cert_status), cert_status);
++ /* Validate the corresponding single OCSP response */
++ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
++ failf(data, "OCSP response has expired");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- switch(cert_status) {
+- case V_OCSP_CERTSTATUS_GOOD:
+- break;
++ infof(data, "SSL certificate status: %s (%d)\n",
++ OCSP_cert_status_str(cert_status), cert_status);
+
+- case V_OCSP_CERTSTATUS_REVOKED:
+- result = CURLE_SSL_INVALIDCERTSTATUS;
++ switch(cert_status) {
++ case V_OCSP_CERTSTATUS_GOOD:
++ break;
+
+- failf(data, "SSL certificate revocation reason: %s (%d)",
+- OCSP_crl_reason_str(crl_reason), crl_reason);
+- goto end;
++ case V_OCSP_CERTSTATUS_REVOKED:
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ failf(data, "SSL certificate revocation reason: %s (%d)",
++ OCSP_crl_reason_str(crl_reason), crl_reason);
++ goto end;
+
+- case V_OCSP_CERTSTATUS_UNKNOWN:
+- result = CURLE_SSL_INVALIDCERTSTATUS;
+- goto end;
+- }
++ case V_OCSP_CERTSTATUS_UNKNOWN:
++ default:
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
+ }
+
+ end:
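Review bot: The issuer lookup added to verifystatus searches only `ch`, so when no certificate in that stack passes `X509_check_issued()` the function fails with "Error computing OCSP ID" even if the stapled response itself is valid. That is fail-closed, but how `ch` is populated is outside the hunk, so a comment above the loop such as `/* the issuer must be present in the chain; otherwise status verification fails */` would make the constraint explicit. The new message `"Error getting peer certficate"` misspells "certificate". verifystatus starts before and ends after the lines shown.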
diff --git a/main/curl/CVE-2021-22898.patch b/main/curl/CVE-2021-22898.patch
new file mode 100644
index 00000000000..ea4d2cb37e8
--- /dev/null
+++ b/main/curl/CVE-2021-22898.patch
@@ -0,0 +1,25 @@
+From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE-2021-22898
+
+Bug: https://curl.se/docs/CVE-2021-22898.html
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 26e0658ba9cc..fdd137fb0c04 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+ CURL_NEW_ENV_VALUE, varval);
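Review bot: The reason for `== 2` is not recorded next to the check in suboption(): a bare truthiness test also accepts a match of only `varname` (and a negative return), after which `varval` is formatted without having been written by `sscanf()`. A one-line comment such as `/* both name and value must match; a partial match leaves varval unset */` would keep the comparison from being simplified away later. The declarations of `varname` and `varval` and the rest of suboption() are outside the hunk, so whether the buffers are pre-initialised cannot be confirmed here.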
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index 33336704378..81b9414a7ca 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -48,6 +48,8 @@ source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pk
# - CVE-2019-19906
# 2.1.26-r7:
# - CVE-2013-4122
+# 0:
+# - CVE-2020-8032
builddir="$srcdir"/$pkgname-$pkgver
diff --git a/main/dahdi-linux-vanilla/APKBUILD b/main/dahdi-linux-vanilla/APKBUILD
index b2f9c627893..b40d50d7034 100644
--- a/main/dahdi-linux-vanilla/APKBUILD
+++ b/main/dahdi-linux-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.118
+_kver=4.19.176
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/devicemaster-linux-vanilla/APKBUILD b/main/devicemaster-linux-vanilla/APKBUILD
index 5bbcf9f019e..a3cd720be2f 100644
--- a/main/devicemaster-linux-vanilla/APKBUILD
+++ b/main/devicemaster-linux-vanilla/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.118
+_kver=4.19.176
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/dnsmasq/APKBUILD b/main/dnsmasq/APKBUILD
index 395843cff37..38dc7fd8ae9 100644
--- a/main/dnsmasq/APKBUILD
+++ b/main/dnsmasq/APKBUILD
@@ -2,6 +2,16 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 2.85-r0:
+# - CVE-2021-3448
+# 2.83-r0:
+# - CVE-2020-25681
+# - CVE-2020-25682
+# - CVE-2020-25683
+# - CVE-2020-25684
+# - CVE-2020-25685
+# - CVE-2020-25686
+# - CVE-2020-25687
# 2.80-r4:
# - CVE-2019-14834
# 2.79-r0:
@@ -16,22 +26,21 @@
# - CVE-2017-14496
#
pkgname=dnsmasq
-pkgver=2.80
-pkgrel=4
+pkgver=2.85
+pkgrel=0
pkgdesc="A lightweight DNS, DHCP, RA, TFTP and PXE server"
-url="http://www.thekelleys.org.uk/dnsmasq/"
+url="https://www.thekelleys.org.uk/dnsmasq/"
arch="all"
-license="GPL-2.0"
+license="GPL-2.0-only OR GPL-3.0-only"
depends="!$pkgname-dnssec"
-makedepends="linux-headers nettle-dev"
+makedepends="linux-headers nettle-dev coreutils"
install="$pkgname.pre-install $pkgname.pre-upgrade
$pkgname-dnssec.pre-install $pkgname-dnssec.pre-upgrade"
subpackages="$pkgname-doc $pkgname-dnssec"
-source="http://www.thekelleys.org.uk/dnsmasq/$pkgname-$pkgver.tar.gz
+source="https://www.thekelleys.org.uk/dnsmasq/dnsmasq-$pkgver.tar.xz
$pkgname.initd
$pkgname.confd
uncomment-conf-dir.patch
- CVE-2019-14834.patch
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -76,8 +85,7 @@ dnssec() {
cp -r "$pkgdir"/etc "$subpkgdir"/etc
}
-sha512sums="da50030ac96617fbb7d54d5ef02d2ed1e14ec1ebe0df49bc23a1509381bc1644cf6fb95ff72ed15e0ad1e9bd6aa11ec6e4dcabec8ebb152da0d84f9a4408565b dnsmasq-2.80.tar.gz
+sha512sums="8beefe76b46f7d561f40d0900ba68b260a199cb62ab5b653746e3a1104c04fb8899b9e7a160a1be4fe8782bfb1607b556e9ffb9c25c4e99653e4bc74fcc03b09 dnsmasq-2.85.tar.xz
a7d64a838d10f4f69e0f2178cf66f0b3725901696e30df9e8e3e09f2afd7c86e9d95af64d2b63ef66f18b8a637397b7015573938df9ad961e2b36c391c3ac579 dnsmasq.initd
9a401bfc408bf1638645c61b8ca734bea0a09ef79fb36648ec7ef21666257234254bbe6c73c82cc23aa1779ddcdda0e6baa2c041866f16dfb9c4e0ba9133eab8 dnsmasq.confd
-01e9e235e667abda07675009fb1947547863e0bb0256393c5a415978e2a49c1007585c7f0b51e8decce79c05e6f2ced3f400b11343feaa4de9b2e524f74a1ee3 uncomment-conf-dir.patch
-d4d11945578430da629d7a38b00eb552cd95b1c438a0b85b63ba637ed19b4283623e39692f48146132b7cb5d453eaa3c07680f1514017d8d458e347153215a9b CVE-2019-14834.patch"
+01e9e235e667abda07675009fb1947547863e0bb0256393c5a415978e2a49c1007585c7f0b51e8decce79c05e6f2ced3f400b11343feaa4de9b2e524f74a1ee3 uncomment-conf-dir.patch"
diff --git a/main/dnsmasq/CVE-2019-14834.patch b/main/dnsmasq/CVE-2019-14834.patch
deleted file mode 100644
index 5f60f5f1d97..00000000000
--- a/main/dnsmasq/CVE-2019-14834.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 69bc94779c2f035a9fffdb5327a54c3aeca73ed5 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Wed, 14 Aug 2019 20:44:50 +0100
-Subject: [PATCH] Fix memory leak in helper.c
-
-Thanks to Xu Mingjie <xumingjie1995@outlook.com> for spotting this.
----
- src/helper.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/helper.c b/src/helper.c
-index 33ba120..c392eec 100644
---- a/src/helper.c
-+++ b/src/helper.c
-@@ -80,7 +80,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
- pid_t pid;
- int i, pipefd[2];
- struct sigaction sigact;
--
-+ unsigned char *alloc_buff = NULL;
-+
- /* create the pipe through which the main program sends us commands,
- then fork our process. */
- if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
-@@ -186,11 +187,16 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
- struct script_data data;
- char *p, *action_str, *hostname = NULL, *domain = NULL;
- unsigned char *buf = (unsigned char *)daemon->namebuff;
-- unsigned char *end, *extradata, *alloc_buff = NULL;
-+ unsigned char *end, *extradata;
- int is6, err = 0;
- int pipeout[2];
-
-- free(alloc_buff);
-+ /* Free rarely-allocated memory from previous iteration. */
-+ if (alloc_buff)
-+ {
-+ free(alloc_buff);
-+ alloc_buff = NULL;
-+ }
-
- /* we read zero bytes when pipe closed: this is our signal to exit */
- if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
---
-1.7.10.4
-
diff --git a/main/dovecot/0001-lib-time-util-Fix-calculations-to-work-on-32-bit-sys.patch b/main/dovecot/0001-lib-time-util-Fix-calculations-to-work-on-32-bit-sys.patch
new file mode 100644
index 00000000000..3c494b40c5c
--- /dev/null
+++ b/main/dovecot/0001-lib-time-util-Fix-calculations-to-work-on-32-bit-sys.patch
@@ -0,0 +1,49 @@
+From b715149395814fc1f77da2d52f74a635854efd49 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 Jan 2021 17:38:15 +0200
+Subject: [PATCH] lib: time-util - Fix calculations to work on 32-bit systems
+
+Broken by 16ab55427a727d3c93046367f7ae582c9f744458
+---
+ src/lib/time-util.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/time-util.c b/src/lib/time-util.c
+index 294bb02310..c9ff4a5b62 100644
+--- a/src/lib/time-util.c
++++ b/src/lib/time-util.c
+@@ -38,22 +38,24 @@ int timeval_cmp(const struct timeval *tv1, const struct timeval *tv2)
+ int timeval_cmp_margin(const struct timeval *tv1, const struct timeval *tv2,
+ unsigned int usec_margin)
+ {
+- long long usecs_diff;
++ long long usecs_diff, secs_diff;
+ int sec_margin, ret;
+
+ if (tv1->tv_sec < tv2->tv_sec) {
++ secs_diff = (long long)tv2->tv_sec - (long long)tv1->tv_sec;
++ usecs_diff = tv2->tv_usec - tv1->tv_usec;
+ sec_margin = ((int)usec_margin / 1000000) + 1;
+- if ((tv2->tv_sec - tv1->tv_sec) > sec_margin)
++ if (secs_diff > sec_margin)
+ return -1;
+- usecs_diff = (tv2->tv_sec - tv1->tv_sec) * 1000000LL +
+- (tv2->tv_usec - tv1->tv_usec);
++ usecs_diff = secs_diff * 1000000LL + usecs_diff;
+ ret = -1;
+ } else if (tv1->tv_sec > tv2->tv_sec) {
++ secs_diff = (long long)tv1->tv_sec - (long long)tv2->tv_sec;
++ usecs_diff = tv1->tv_usec - tv2->tv_usec;
+ sec_margin = ((int)usec_margin / 1000000) + 1;
+- if ((tv1->tv_sec - tv2->tv_sec) > sec_margin)
++ if (secs_diff > sec_margin)
+ return 1;
+- usecs_diff = (tv1->tv_sec - tv2->tv_sec) * 1000000LL +
+- (tv1->tv_usec - tv2->tv_usec);
++ usecs_diff = secs_diff * 1000000LL + usecs_diff;
+ ret = 1;
+ } else if (tv1->tv_usec < tv2->tv_usec) {
+ usecs_diff = tv2->tv_usec - tv1->tv_usec;
+--
+2.20.1
+
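Review bot: In both rewritten branches of timeval_cmp_margin `usecs_diff` is assigned twice, first the microsecond part and then `usecs_diff = secs_diff * 1000000LL + usecs_diff;`, and the first assignment is wasted when the margin check returns early. Computing it once after the check reads more directly, e.g. `usecs_diff = secs_diff * 1000000LL + (tv2->tv_usec - tv1->tv_usec);` and the mirrored line in the second branch. A short comment on the `(long long)` casts saying that the operands are widened before the subtraction would record why the patch exists. The function continues past the end of the hunk.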
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index faee15a14db..75dbf1ea023 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -4,10 +4,11 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dovecot
-pkgver=2.3.10.1
-_pkgvermajor=2.3
-pkgrel=0
-_pigeonholever=0.5.10
+pkgver=2.3.13
+_pkgverminor=${pkgver%.*}
+_pkgvermajor=${_pkgverminor%.*}
+pkgrel=1
+_pigeonholever=0.5.13
_pigeonholevermajor=${_pigeonholever%.*}
pkgdesc="IMAP and POP3 server"
url="https://www.dovecot.org/"
@@ -57,18 +58,26 @@ subpackages="
$pkgname-fts-solr:_fts_solr
$pkgname-fts-lucene:_fts_lucene
"
-source="https://www.dovecot.org/releases/$_pkgvermajor/$pkgname-$pkgver.tar.gz
- https://pigeonhole.dovecot.org/releases/$_pkgvermajor/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever.tar.gz
+source="https://www.dovecot.org/releases/$_pkgverminor/dovecot-$pkgver.tar.gz
+ https://pigeonhole.dovecot.org/releases/$_pkgverminor/$pkgname-$_pkgverminor-pigeonhole-$_pigeonholever.tar.gz
skip-iconv-check.patch
split-protocols.patch
default-config.patch
+ fix-oauth2-jwt.c.patch
+ fix-out-of-memory-test.patch
+ 0001-lib-time-util-Fix-calculations-to-work-on-32-bit-sys.patch
dovecot.logrotate
dovecot.initd
"
-builddir="$srcdir/$pkgname-$pkgver"
-_builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"
+_builddir_pigeonhole="$srcdir/$pkgname-$_pkgverminor-pigeonhole-$_pigeonholever"
# secfixes:
+# 2.3.13-r0:
+# - CVE-2020-24386
+# - CVE-2020-25275
+# 2.3.10.1-r1:
+# - CVE-2020-12673
+# - CVE-2020-12674
# 2.3.10.1-r0:
# - CVE-2020-10957
# - CVE-2020-10958
@@ -310,10 +319,13 @@ _submv() {
done
}
-sha512sums="5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 dovecot-2.3.10.1.tar.gz
-f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b dovecot-2.3-pigeonhole-0.5.10.tar.gz
+sha512sums="758a169fba8925637ed18fa7522a6f06c9fe01a1707b1ca0d0a4d8757c578a8e117c91733e8314403839f9a484bbcac71ce3532c82379eb583b480756d556a95 dovecot-2.3.13.tar.gz
+fcbc13d71af4e6dd4e34192484e203d755e5015da76a4774b11a79182b2baad36cab5a471346093111ace36a7775dfe8294555f8b777786dde386820b3ec5cd3 dovecot-2.3-pigeonhole-0.5.13.tar.gz
fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch
794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch
0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch
+7f428b0f14323a5dda00aef93f4835c2c38a7b780a939a47f759d31df4636e86055f95d17e2358cb37a2704ea022dfad602c7ed4568cba644347f20fd1e15e3b fix-oauth2-jwt.c.patch
+733cdbfb7f6b2608470bd30a0f9190ec86099d4c8e48b7fb92d7b595be665bf749976889033e1ad438edd3f99f2e0d496dd0d667291915c80df82f7e62483f59 fix-out-of-memory-test.patch
+ad2cd2c51b0fe977d22b62fda7258de68d62513c6fe11bd0e38d8326f478f2d5a469800fd5a110070f35072facccfdb6c044e41b3a5c4b03ea1ea0b2a3e00395 0001-lib-time-util-Fix-calculations-to-work-on-32-bit-sys.patch
9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate
d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd"
diff --git a/main/dovecot/fix-oauth2-jwt.c.patch b/main/dovecot/fix-oauth2-jwt.c.patch
new file mode 100644
index 00000000000..b3755f6993e
--- /dev/null
+++ b/main/dovecot/fix-oauth2-jwt.c.patch
@@ -0,0 +1,55 @@
+From 42c37d2473116bf4a7fcafcaf94de83947fe80bc Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Thu, 13 Aug 2020 20:01:41 +0300
+Subject: [PATCH] oauth2-jwt: Use int64_t instead time_t for portability
+
+
+diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
+index a68875e57..0adf612d9 100644
+--- a/src/lib-oauth2/oauth2-jwt.c
++++ b/src/lib-oauth2/oauth2-jwt.c
+@@ -31,18 +31,25 @@ static const char *get_field(const struct json_tree *tree, const char *key)
+ }
+
+ static int get_time_field(const struct json_tree *tree, const char *key,
+- long *value_r)
++ int64_t *value_r)
+ {
++ time_t tvalue;
+ const char *value = get_field(tree, key);
+ int tz_offset ATTR_UNUSED;
+ if (value == NULL)
+ return 0;
+- if ((str_to_long(value, value_r) < 0 &&
+- !iso8601_date_parse((const unsigned char*)value, strlen(value),
+- value_r, &tz_offset)) ||
+- *value_r < 0)
+- return -1;
+- return 1;
++ if (str_to_int64(value, value_r) == 0) {
++ if (*value_r < 0)
++ return -1;
++ return 1;
++ } else if (iso8601_date_parse((const unsigned char*)value, strlen(value),
++ &tvalue, &tz_offset)) {
++ if (tvalue < 0)
++ return -1;
++ *value_r = tvalue;
++ return 1;
++ }
++ return -1;
+ }
+
+ static int oauth2_lookup_hmac_key(const struct oauth2_settings *set,
+@@ -283,9 +290,9 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg, cons
+ const char *sub = get_field(tree, "sub");
+
+ int ret;
+- long t0 = time(NULL);
++ int64_t t0 = time(NULL);
+ /* default IAT and NBF to now */
+- long iat, nbf, exp;
++ int64_t iat, nbf, exp;
+ int tz_offset ATTR_UNUSED;
+
+ if (sub == NULL) {
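Review bot: get_time_field now has three distinct outcomes and two parse paths, but its contract is not documented anywhere in the hunk. From the visible code it returns 0 when `get_field()` yields NULL, 1 after storing a non-negative value parsed by `str_to_int64()` or `iso8601_date_parse()`, and -1 otherwise; a header comment such as `/* Returns 1 and sets *value_r on a non-negative integer or ISO 8601 time, 0 if key is absent, -1 if the value is invalid. */` would state that. The callers in oauth2_jwt_body_process that consume these return values are outside the hunk, so how 0 versus -1 is treated for `exp`, `iat` and `nbf` should be checked against that contract.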
diff --git a/main/dovecot/fix-out-of-memory-test.patch b/main/dovecot/fix-out-of-memory-test.patch
new file mode 100644
index 00000000000..09df953d5c2
--- /dev/null
+++ b/main/dovecot/fix-out-of-memory-test.patch
@@ -0,0 +1,22 @@
+fixes test in src/lib/test-file-cache.c for musl
+
+--- a/src/lib/test-file-cache.c 2021-01-04 17:55:39.550032767 +0000
++++ b/src/lib/test-file-cache.c 2021-01-04 17:54:31.439645416 +0000
+@@ -263,7 +263,7 @@
+ };
+ const char *errstr =
+ t_strdup_printf("mmap_anon(.test_file_cache, %zu) failed: "
+- "Cannot allocate memory", page_size);
++ "Out of memory", page_size);
+ test_assert(setrlimit(RLIMIT_AS, &rl_new) == 0);
+ test_expect_error_string(errstr);
+ test_assert(file_cache_set_size(cache, 1024) == -1);
+@@ -271,7 +271,7 @@
+
+ /* same for mremap */
+ errstr = t_strdup_printf("mremap_anon(.test_file_cache, %zu) failed: "
+- "Cannot allocate memory", page_size*2);
++ "Out of memory", page_size*2);
+ test_assert(file_cache_set_size(cache, 1) == 0);
+ test_assert(setrlimit(RLIMIT_AS, &rl_new) == 0);
+ test_expect_error_string(errstr);
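Review bot: Both expected strings now hard-code the text "Out of memory", so the test passes only on a C library that uses that wording for ENOMEM (the replaced text was "Cannot allocate memory"). Taking the text from the library keeps the test portable: `t_strdup_printf("mmap_anon(.test_file_cache, %zu) failed: %s", page_size, strerror(ENOMEM));` and the same for the `mremap_anon` string. This assumes the code under test builds its message from errno, which is not visible in the hunk; the enclosing test function starts and ends outside the lines shown.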
diff --git a/main/drbd-vanilla/APKBUILD b/main/drbd-vanilla/APKBUILD
index 6ff48af94d6..7cdd8fd12bb 100644
--- a/main/drbd-vanilla/APKBUILD
+++ b/main/drbd-vanilla/APKBUILD
@@ -3,12 +3,12 @@
# when changing _ver we *must* bump _rel
_name=drbd
-_ver=9.0.16-1
+_ver=9.0.27-1
_rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.118
+_kver=4.19.176
_krel=0
_kabi="$_kver-$_krel-$_flavor"
_kpkgver="$_kver-r$_krel"
@@ -22,8 +22,9 @@ url="https://www.linbit.com/en/drbd-community/drbd-download/"
arch="all"
license="GPL-2.0-or-later"
depends="$_kpkg=$_kpkgver"
-makedepends="$_kpkg-dev=$_kpkgver bash"
-source="http://www.linbit.com/downloads/drbd/${_ver%.*}/drbd-$_ver.tar.gz"
+makedepends="$_kpkg-dev=$_kpkgver bash coreutils"
+source="http://www.linbit.com/downloads/drbd/${_ver%.*}/drbd-$_ver.tar.gz
+ build-fix-32bit.patch"
builddir=$srcdir/$_name-$_ver
@@ -52,4 +53,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="8e2ecb9fdfd3ed2b4d7c82839f55f348e8d2277c775c0a9fa655002e98a7b565c638a11436a1f22dd31fdc223d4575fea41eedf8a922b2d1dc5b579ebd1a2b09 drbd-9.0.16-1.tar.gz"
+sha512sums="e8a2ec57241b9933dd5655e2d6e65d04c0e88017ed76773b5d351f0ed30c167a8b1f4e7145221fb0aec8bdb5ca3d95c428b46c9dceb2576b6c3598962abc699f drbd-9.0.27-1.tar.gz
+32e30116c51442a8c67ff250537bd63f199c7fb9749d8c502894c6da2de4b0e707cd8922e8331b6284721c4679061533f7cc6e681a7e85482060a212adb97d17 build-fix-32bit.patch"
diff --git a/main/drbd-vanilla/build-fix-32bit.patch b/main/drbd-vanilla/build-fix-32bit.patch
new file mode 100644
index 00000000000..fbe2605e481
--- /dev/null
+++ b/main/drbd-vanilla/build-fix-32bit.patch
@@ -0,0 +1,15 @@
+upstream: https://lists.linbit.com/pipermail/drbd-user/2021-February/025841.html
+
+diff --git a/drbd/drbd_sender.c b/drbd/drbd_sender.c
+index 3f52dfe..5b3c9c7 100644
+--- a/drbd/drbd_sender.c
++++ b/drbd/drbd_sender.c
+@@ -664,7 +664,7 @@ static int drbd_single_request_delay(struct drbd_peer_device *peer_device)
+ struct peer_device_conf *pdc = rcu_dereference(peer_device->conf);
+ /* The delay should be at least enough so that we can request
+ * some data next time, so round up. */
+- delay = DIV_ROUND_UP(HZ * BM_SECT_PER_BIT, pdc->c_max_rate * 2);
++ delay = DIV_ROUND_UP((unsigned long)(HZ * BM_SECT_PER_BIT / 2), pdc->c_max_rate);
+ } else {
+ delay = RS_MAKE_REQS_INTV;
+ }
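Review bot: The replacement in drbd_single_request_delay halves the numerator instead of doubling the divisor, which gives the same result only while `HZ * BM_SECT_PER_BIT` is even; with an odd product the integer division drops a half before the round-up. The values of both macros are outside the hunk, so this may never occur, but a comment such as `/* numerator halved rather than divisor doubled; exact while HZ * BM_SECT_PER_BIT is even */` would state the assumption. The divisor `pdc->c_max_rate` is used unchecked on this line; presumably the condition of the enclosing `if`, which is not shown, excludes zero.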
diff --git a/main/dropbear/APKBUILD b/main/dropbear/APKBUILD
index 53f520d8a03..64d8ba8c031 100644
--- a/main/dropbear/APKBUILD
+++ b/main/dropbear/APKBUILD
@@ -27,6 +27,7 @@ source="https://matt.ucc.asn.au/dropbear/releases/${pkgname}-${pkgver}.tar.bz2
# secfixes:
# 2019.78-r1:
# - CVE-2018-20685
+# - CVE-2020-36254
# 2018.76-r2:
# - CVE-2018-15599
diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index 957e3b0f195..507797ae74d 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -2,6 +2,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.22.5-r0:
+# - CVE-2021-21300
# 2.22.4-r0:
# - CVE-2020-11008
# 2.22.3-r0:
@@ -23,8 +25,11 @@
# - CVE-2018-11235
# 2.14.1-r0:
# - CVE-2017-1000117
+# 0:
+# - CVE-2021-29468
+
pkgname=git
-pkgver=2.22.4
+pkgver=2.22.5
pkgrel=0
pkgdesc="Distributed version control system"
url="https://www.git-scm.com/"
@@ -273,6 +278,6 @@ _perl_config() {
perl -e "use Config; print \$Config{$1};"
}
-sha512sums="fbc84ecbfe05e4e8fd24d3a3e46802186c2c878ce4b09713491dd778f99320214b6d6187a7d3597163edfa4b9bc8fe3c11f1585f2ea41d1d7e34830d8625a311 git-2.22.4.tar.xz
+sha512sums="b254d426f5ede9c15e934ad7aec98e3dcc49e82ae0e18518ff70df2a48b5bec6c666c9b3999bbd4caed112fbbc6ba0ad00d347a0e5655bcb3c08c72b1e05f521 git-2.22.5.tar.xz
89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd
fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec git-daemon.confd"
diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD
index 9ee64e49cf8..1cfa356915e 100644
--- a/main/gnutls/APKBUILD
+++ b/main/gnutls/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gnutls
pkgver=3.6.15
-pkgrel=0
+pkgrel=1
pkgdesc="A TLS protocol implementation"
url="https://www.gnutls.org/"
arch="all"
@@ -17,9 +17,14 @@ case $pkgver in
*.*.*.*) _v=${_v%.*};;
esac
source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz
+ CVE-2021-20231.patch
+ CVE-2021-20232.patch
"
# secfixes:
+# 3.6.15-r1:
+# - CVE-2021-20231
+# - CVE-2021-20232
# 3.6.15-r0:
# - CVE-2020-24659 GNUTLS-SA-2020-09-04
# 3.6.14-r0:
@@ -69,4 +74,6 @@ xx() {
mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c gnutls-3.6.15.tar.xz"
+sha512sums="f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c gnutls-3.6.15.tar.xz
+37261adbb9da45b3f2b11e65a148e19c825970d3342b2946ccbc4abbea9b61c8a90d79b220ddc16cdcad95ee26a77a53fac6400d68c76e2cf8aea5e22900e374 CVE-2021-20231.patch
+9c6bffcccc2ac887f92f252be94a822465a79a5080d6e912c3f8ef44a53511f1eefb2fa876a3af6d21ddc2baf5717b8c454d6a79bd328fe52b02f4d27c12a505 CVE-2021-20232.patch"
diff --git a/main/gnutls/CVE-2021-20231.patch b/main/gnutls/CVE-2021-20231.patch
new file mode 100644
index 00000000000..36014467942
--- /dev/null
+++ b/main/gnutls/CVE-2021-20231.patch
@@ -0,0 +1,62 @@
+From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:32 +0100
+Subject: [PATCH] key_share: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/ext/key_share.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index ab8abf8fe6..a8c4bb5cff 100644
+--- a/lib/ext/key_share.c
++++ b/lib/ext/key_share.c
+@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
+ {
+ unsigned i;
+ int ret;
+- unsigned char *lengthp;
+- unsigned int cur_length;
+ unsigned int generated = 0;
+ const gnutls_group_entry_st *group;
+ const version_entry_st *ver;
+
+ /* this extension is only being sent on client side */
+ if (session->security_parameters.entity == GNUTLS_CLIENT) {
++ unsigned int length_pos;
++
+ ver = _gnutls_version_max(session);
+ if (unlikely(ver == NULL || ver->key_shares == 0))
+ return 0;
+@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
+ if (!have_creds_for_tls13(session))
+ return 0;
+
+- /* write the total length later */
+- lengthp = &extdata->data[extdata->length];
++ length_pos = extdata->length;
+
+ ret =
+ _gnutls_buffer_append_prefix(extdata, 16, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- cur_length = extdata->length;
+-
+ if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
+ group = get_group(session);
+ if (unlikely(group == NULL))
+@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
+ }
+
+ /* copy actual length */
+- _gnutls_write_uint16(extdata->length - cur_length, lengthp);
++ _gnutls_write_uint16(extdata->length - length_pos - 2,
++ &extdata->data[length_pos]);
+
+ } else { /* server */
+ ver = get_version(session);
+--
+GitLab
+
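Review bot: The `- 2` in the new `_gnutls_write_uint16(extdata->length - length_pos - 2, &extdata->data[length_pos]);` call is an unexplained constant, and the patch removes the old `/* write the total length later */` comment without replacing it. The 2 is the size of the 16-bit placeholder appended by `_gnutls_buffer_append_prefix(extdata, 16, 0)`. I would add a comment at `length_pos = extdata->length;`, for example `/* keep an offset, not a pointer: later appends may realloc extdata->data; the 2-byte length is filled in below */`. That records why a pointer must not be cached here, which is the point of the fix. The body of key_share_send_params continues outside the embedded hunks.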
diff --git a/main/gnutls/CVE-2021-20232.patch b/main/gnutls/CVE-2021-20232.patch
new file mode 100644
index 00000000000..fd1575e4faf
--- /dev/null
+++ b/main/gnutls/CVE-2021-20232.patch
@@ -0,0 +1,60 @@
+From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:50 +0100
+Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/ext/pre_shared_key.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index a042c6488e..380bf39ed5 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session,
+ size_t spos;
+ gnutls_datum_t username = {NULL, 0};
+ gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0};
+- gnutls_datum_t client_hello;
++ unsigned client_hello_len;
+ unsigned next_idx;
+ const mac_entry_st *prf_res = NULL;
+ const mac_entry_st *prf_psk = NULL;
+@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session,
+ assert(extdata->length >= sizeof(mbuffer_st));
+ assert(ext_offset >= (ssize_t)sizeof(mbuffer_st));
+ ext_offset -= sizeof(mbuffer_st);
+- client_hello.data = extdata->data+sizeof(mbuffer_st);
+- client_hello.size = extdata->length-sizeof(mbuffer_st);
++ client_hello_len = extdata->length-sizeof(mbuffer_st);
+
+ next_idx = 0;
+
+@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session,
+ }
+
+ if (prf_res && rkey.size > 0) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ ret = compute_psk_binder(session, prf_res,
+ binders_len, binders_pos,
+ ext_offset, &rkey, &client_hello, 1,
+@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session,
+ }
+
+ if (prf_psk && user_key.size > 0 && info) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ ret = compute_psk_binder(session, prf_psk,
+ binders_len, binders_pos,
+ ext_offset, &user_key, &client_hello, 0,
+--
+GitLab
+
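Review bot: The same construction of `client_hello` is now repeated in both binder branches of client_send_params, with no comment explaining why it cannot be done once near `client_hello_len`. Judging by the patch subject, `extdata->data` can be reallocated between the length computation and the `compute_psk_binder` calls, so the pointer has to be taken as late as possible. A comment in each branch would stop a later cleanup from hoisting it back, for example `/* extdata->data may have moved since client_hello_len was taken; derive the pointer only here */`. The function starts and ends outside the embedded hunks, so whether a small local helper would fit better cannot be judged from here.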
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index 670f122460f..1679916c58e 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Jeff Bilyk <jbilyk@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=haproxy
-pkgver=2.0.14
+pkgver=2.0.21
_pkgmajorver=${pkgver%.*}
pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -53,6 +53,6 @@ package() {
"$pkgdir"/etc/haproxy/haproxy.cfg
}
-sha512sums="6b63b713a1009eff59a2622fa93462deb8794c910685840f142711a61be88ea228c7cb2ec7ca50bba0803288625e1a65b2d2f87ffbcedfd23debfbbbb5d96993 haproxy-2.0.14.tar.gz
+sha512sums="a2273928568ca27d164a9bfae579a4635afa57f8d52f576073758d26a60973bb713a49fbafa6173e3130ca5712efdbf4e214bf85b7530b23eb523b667848f588 haproxy-2.0.21.tar.gz
3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
diff --git a/main/haserl/APKBUILD b/main/haserl/APKBUILD
index ab604859e83..3dfe5133a29 100644
--- a/main/haserl/APKBUILD
+++ b/main/haserl/APKBUILD
@@ -2,8 +2,8 @@
_luaversions="5.3 5.2 5.1"
_defaultlua="5.3"
pkgname=haserl
-pkgver=0.9.35
-pkgrel=1
+pkgver=0.9.36
+pkgrel=0
pkgdesc="Html And Shell Embedded Report Language"
url="http://haserl.sourceforge.net/"
arch="all"
@@ -19,6 +19,10 @@ done
options="suid"
source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz"
+# secfixes:
+# 0.9.36-r0:
+# - CVE-2021-29133
+
_sdir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_sdir"
@@ -75,6 +79,4 @@ for _i in $_luaversions; do
eval "split_${_i/./_}() { _split $_i; }"
done
-md5sums="918f0b4f6cec0b438c8b5c78f2989010 haserl-0.9.35.tar.gz"
-sha256sums="a1b633e80f3e2638e7f8f850786e95072cfd9877f88780092996fd6aaf7ae2da haserl-0.9.35.tar.gz"
-sha512sums="f0f2fc46540223b4b5369fe13b3020bed5e0578b7ca1ed1688f01678ba5302c876540c0d58dde427f9180915fa38cfffd01f1a4cbbc0fce851789056b3665ab0 haserl-0.9.35.tar.gz"
+sha512sums="727c6b4cf26bb7fd9d55c328dcca47dc0093b2836cd4874ad28a9c07d9ad4c82c22b899f64df33bad37325f66ce1af8aec1fe0a90e42b9f6cc06b01afe3062d9 haserl-0.9.36.tar.gz"
diff --git a/main/jansson/APKBUILD b/main/jansson/APKBUILD
index e5dcf1347d0..67e6868154f 100644
--- a/main/jansson/APKBUILD
+++ b/main/jansson/APKBUILD
@@ -10,6 +10,10 @@ subpackages="$pkgname-dev"
source="http://www.digip.org/jansson/releases/$pkgname-$pkgver.tar.bz2"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 0:
+# - CVE-2020-36325
+
build() {
cd "$builddir"
./configure \
diff --git a/main/jbig2dec/APKBUILD b/main/jbig2dec/APKBUILD
index 4b3ae405c3b..ccdcfb56de0 100644
--- a/main/jbig2dec/APKBUILD
+++ b/main/jbig2dec/APKBUILD
@@ -3,7 +3,7 @@
pkgname=jbig2dec
pkgver=0.16
_gsver="gs927"
-pkgrel=0
+pkgrel=1
pkgdesc="JBIG2 image compression format decoder"
url="https://www.ghostscript.com/jbig2dec.html"
arch="all"
@@ -11,7 +11,13 @@ license="GPL-2.0-or-later"
makedepends="autoconf automake libtool"
checkdepends="python2"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/$_gsver/jbig2dec-$pkgver.tar.gz"
+source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/$_gsver/jbig2dec-$pkgver.tar.gz
+ CVE-2020-12268.patch
+ "
+
+# secfixes:
+# 0.16-r1:
+# - CVE-2020-12268
builddir="$srcdir/$pkgname-$pkgver"
@@ -45,4 +51,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="1c1a9b9fc46d40ef3bd6133fd95b02163456e4d9fb271f57c75f4dcc4ace726ec54b8d22f984e4804bbad7f1d018566e522c1924bc8ad2e807d48d57a8851949 jbig2dec-0.16.tar.gz"
+sha512sums="1c1a9b9fc46d40ef3bd6133fd95b02163456e4d9fb271f57c75f4dcc4ace726ec54b8d22f984e4804bbad7f1d018566e522c1924bc8ad2e807d48d57a8851949 jbig2dec-0.16.tar.gz
+e33c6a942af79dfb98c8160bccb0d7e6965d90b77f4e8e370787a9c0af0273001f02d5591b92d4285b901182ea335eb09854ce2fa995266837156b568747aa24 CVE-2020-12268.patch"
diff --git a/main/jbig2dec/CVE-2020-12268.patch b/main/jbig2dec/CVE-2020-12268.patch
new file mode 100644
index 00000000000..773515ae2dc
--- /dev/null
+++ b/main/jbig2dec/CVE-2020-12268.patch
@@ -0,0 +1,44 @@
+From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Mon, 27 Jan 2020 10:12:24 -0800
+Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
+ jbig2_image_compose.
+
+With extreme values of x/y/w/h we can get overflow. Test for this
+and exit safely.
+
+Thanks for OSS-Fuzz for reporting.
+---
+ jbig2_image.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 22e21ef..100263d 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -33,6 +33,9 @@
+ #if !defined (INT32_MAX)
+ #define INT32_MAX 0x7fffffff
+ #endif
++#if !defined (UINT32_MAX)
++#define UINT32_MAX 0xffffffffu
++#endif
+
+ /* allocate a Jbig2Image structure and its associated bitmap */
+ Jbig2Image *
+@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+ if (src == NULL)
+ return 0;
+
++ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
++ (UINT32_MAX - src->height < (y > 0 ? y : -y)))
++ {
++#ifdef JBIG2_DEBUG
++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
++#endif
++ return 0;
++ }
++
+ /* The optimized code for the OR operator below doesn't
+ handle the source image partially placed outside the
+ destination (above and/or to the left). The affected
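Review bot: The added overflow guard in jbig2_image_compose computes the magnitude as `(x > 0 ? x : -x)` on an `int`, so `x == INT_MIN` (and likewise `y`) negates with signed overflow, which is undefined behaviour in the very check meant to reject extreme values. Doing the negation in unsigned arithmetic avoids this: `(x > 0 ? (uint32_t)x : 0u - (uint32_t)x)`, and the same for `y`. The rejected case also returns 0, the same value as the `src == NULL` path, and logs only under `JBIG2_DEBUG`, so a caller presumably cannot tell a refused compose from a successful one. The rest of the function is outside the hunk.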
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index 633130ae627..ed1e56853a0 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=krb5
-pkgver=1.17
+pkgver=1.17.2
pkgrel=0
pkgdesc="The Kerberos network authentication system"
url="https://web.mit.edu/kerberos/www/"
@@ -19,7 +19,7 @@ case $pkgver in
*.*.*) _maj_min=${pkgver%.*};;
esac
-source="https://web.mit.edu/kerberos/dist/krb5/${_maj_min}/krb5-$pkgver.tar.gz
+source="https://web.mit.edu/kerberos/dist/krb5/$_maj_min/krb5-$pkgver.tar.gz
mit-krb5_krb5-config_LDFLAGS.patch
krb5kadmind.initd
@@ -28,6 +28,8 @@ source="https://web.mit.edu/kerberos/dist/krb5/${_maj_min}/krb5-$pkgver.tar.gz
"
# secfixes:
+# 1.17.2-r0:
+# - CVE-2020-28196
# 1.15.4-r0:
# - CVE-2018-20217
# 1.15.3-r0:
@@ -105,7 +107,8 @@ libs() {
mkdir -p "$subpkgdir"/usr/
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
}
-sha512sums="7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52 krb5-1.17.tar.gz
+
+sha512sums="73e8d1f1d94b49fc678c88029eab525dab941d5759f69b13bd66fc77a198603502797526ff89a00f7f7e39e0777b0f4b4585b3279c4def45443f05b752ac476a krb5-1.17.2.tar.gz
5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
diff --git a/main/libbsd/APKBUILD b/main/libbsd/APKBUILD
index 4fa127bf286..73e8005cd6b 100644
--- a/main/libbsd/APKBUILD
+++ b/main/libbsd/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=libbsd
pkgver=0.9.1
-pkgrel=0
+pkgrel=1
pkgdesc="commonly-used BSD functions not implemented by all libcs"
url="https://libbsd.freedesktop.org/"
arch="all"
@@ -15,9 +15,15 @@ subpackages="$pkgname-dev $pkgname-doc"
source="https://libbsd.freedesktop.org/releases/$pkgname-$pkgver.tar.xz
disable-fpurge-test.patch
headers.patch
+ CVE-2019-20367.patch
"
builddir="$srcdir/$pkgname-$pkgver"
+
+# secfixes:
+# 0.9.1-r1:
+# - CVE-2019-20367
+
prepare() {
default_prepare
@@ -50,4 +56,5 @@ package() {
sha512sums="435822b8f2495a5e2705e5ab5c834a4f0f3a177b3e5c46a7c6162924507ca984e957e94a512b5ebd0067ecb413bac458fade357709ef199e9b75edf0315de91c libbsd-0.9.1.tar.xz
34ab57a9b67c0d6035312dff78e6dd0d1c48442c6a1b6e769b6ebb6dccb0dac80ccc2c309724e39c097cdac944bdbd9522582f93f2567da8c6615990e2d0238b disable-fpurge-test.patch
-594d598bc7f6d34bff080a26f8d726bf779d3827423f242ee7caa9a58fc89c89d80e0677c03e9c640e0074afbdc34636fa8ffa47a99fd9c576845e3039a7ccbd headers.patch"
+594d598bc7f6d34bff080a26f8d726bf779d3827423f242ee7caa9a58fc89c89d80e0677c03e9c640e0074afbdc34636fa8ffa47a99fd9c576845e3039a7ccbd headers.patch
+6e77f28b4e8f5214528e6b5e4fdf482e6e3b09780bae028d2d5c381410060fc5e006bcccb4013bea4fb4caa8e125961824230f292ced5c80763887c9566089fc CVE-2019-20367.patch"
diff --git a/main/libbsd/CVE-2019-20367.patch b/main/libbsd/CVE-2019-20367.patch
new file mode 100644
index 00000000000..eb1fffba902
--- /dev/null
+++ b/main/libbsd/CVE-2019-20367.patch
@@ -0,0 +1,42 @@
+From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@hadrons.org>
+Date: Wed, 7 Aug 2019 22:58:30 +0200
+Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
+
+When doing a string comparison for a symbol name from the string table,
+we should make sure we do a bounded comparison, otherwise a non-NUL
+terminated string might make the code read out-of-bounds.
+
+Warned-by: coverity
+---
+ src/nlist.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/nlist.c b/src/nlist.c
+index 8aa46a2..228c220 100644
+--- a/src/nlist.c
++++ b/src/nlist.c
+@@ -236,16 +236,18 @@ __fdnlist(int fd, struct nlist *list)
+ symsize -= cc;
+ for (s = sbuf; cc > 0 && nent > 0; ++s, cc -= sizeof(*s)) {
+ char *name;
++ Elf_Word size;
+ struct nlist *p;
+
+ name = strtab + s->st_name;
+ if (name[0] == '\0')
+ continue;
++ size = symstrsize - s->st_name;
+
+ for (p = list; !ISLAST(p); p++) {
+ if ((p->n_un.n_name[0] == '_' &&
+- strcmp(name, p->n_un.n_name+1) == 0)
+- || strcmp(name, p->n_un.n_name) == 0) {
++ strncmp(name, p->n_un.n_name+1, size) == 0) ||
++ strncmp(name, p->n_un.n_name, size) == 0) {
+ elf_sym_to_nlist(p, s, shdr,
+ ehdr.e_shnum);
+ if (--nent <= 0)
+--
+GitLab
+
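Review bot: In the __fdnlist loop, `name[0]` is still read and `size = symstrsize - s->st_name` is computed with no visible check that `s->st_name` is smaller than `symstrsize`. With an offset past the table, the first read is already out of bounds. The `Elf_Word` subtraction then wraps to a huge value, so the new `strncmp` bound no longer limits anything. Unless this is validated outside the hunk, a guard before `name = strtab + s->st_name;` would close it: `if (s->st_name >= symstrsize) continue;`. Only part of the function is visible here.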
diff --git a/main/libmaxminddb/APKBUILD b/main/libmaxminddb/APKBUILD
index b85471b7b17..0672840a3d6 100644
--- a/main/libmaxminddb/APKBUILD
+++ b/main/libmaxminddb/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=libmaxminddb
pkgver=1.3.2
-pkgrel=0
+pkgrel=1
pkgdesc="Maxmind GeoIP2 database library"
url="https://github.com/maxmind/libmaxminddb"
arch="all"
@@ -14,9 +14,13 @@ subpackages="$pkgname-dev $pkgname-doc"
source="$url/releases/download/$pkgver/$pkgname-$pkgver.tar.gz
libmaxminddb.cron
libmaxminddb.confd
+ CVE-2020-28241.patch
"
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 1.3.2-r1:
+# - CVE-2020-28241
build() {
cd "$builddir"
@@ -45,4 +49,5 @@ package() {
sha512sums="906e80531a901091fd9f88075ece5189b0885400216ea994889d9250dd37ead14e00dc14ca2a38eb2100e4814d0eb3a205ba1618606f1375ab0dcc3981097115 libmaxminddb-1.3.2.tar.gz
1feb1f2dd57991d729b6f9d29834f43d7405038cdbdfb0113a0e8f8f951a74c5e40651f9d241460f110acdd300196cf580b370e6cec56985cca797ba5610e622 libmaxminddb.cron
-5f8dc6dad84cb1d188504a22470acf89542755c0bb3a78e4d3ae4e5bfa49fe64a7d2ee17441084db2710115463d39361df060a74b3a48fc4d8fc5e802afd2099 libmaxminddb.confd"
+5f8dc6dad84cb1d188504a22470acf89542755c0bb3a78e4d3ae4e5bfa49fe64a7d2ee17441084db2710115463d39361df060a74b3a48fc4d8fc5e802afd2099 libmaxminddb.confd
+a29764b86617e1eb17f2c710d450ee8852fb7b18c28b51d326c026fd2250574454ca9a961a74f1a5270f7b18a62b8bffcefd2f1320f5916ea177245c1581f830 CVE-2020-28241.patch"
diff --git a/main/libmaxminddb/CVE-2020-28241.patch b/main/libmaxminddb/CVE-2020-28241.patch
new file mode 100644
index 00000000000..d31eeafa849
--- /dev/null
+++ b/main/libmaxminddb/CVE-2020-28241.patch
@@ -0,0 +1,119 @@
+diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
+index 030d88c..513ad2d 100644
+--- a/bin/mmdblookup.c
++++ b/bin/mmdblookup.c
+@@ -263,7 +263,7 @@ LOCAL const char **get_options(
+ }
+
+ const char **lookup_path =
+- malloc(sizeof(const char *) * ((argc - optind) + 1));
++ calloc((argc - optind) + 1, sizeof(const char *));
+ int i;
+ for (i = 0; i < argc - optind; i++) {
+ lookup_path[i] = argv[i + optind];
+diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md
+index e6de9d5..15433c3 100644
+--- a/doc/libmaxminddb.md
++++ b/doc/libmaxminddb.md
+@@ -307,7 +307,7 @@ libmaxminddb code.
+
+ The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this structure
+ are all pointers directly into the database's data section. This can either be
+-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will
++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will
+ become invalid after `MMDB_close()` is called.
+
+ If you need to refer to this data after that time you should copy the data
+diff --git a/src/maxminddb.c b/src/maxminddb.c
+index 7580e1e..6801930 100644
+--- a/src/maxminddb.c
++++ b/src/maxminddb.c
+@@ -35,7 +35,7 @@
+ do { \
+ char *binary = byte_to_binary(byte); \
+ if (NULL == binary) { \
+- fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \
++ fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \
+ abort(); \
+ } \
+ fprintf(stderr, fmt "\n", binary); \
+@@ -54,7 +54,7 @@
+ #ifdef MMDB_DEBUG
+ DEBUG_FUNC char *byte_to_binary(uint8_t byte)
+ {
+- char *bits = malloc(sizeof(char) * 9);
++ char *bits = calloc(9, sizeof(char));
+ if (NULL == bits) {
+ return bits;
+ }
+@@ -687,7 +687,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+ MMDB_INVALID_METADATA_ERROR);
+
+ mmdb->metadata.languages.count = 0;
+- mmdb->metadata.languages.names = malloc(array_size * sizeof(char *));
++ mmdb->metadata.languages.names = calloc(array_size, sizeof(char *));
+ if (NULL == mmdb->metadata.languages.names) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
+@@ -705,7 +705,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+ if (NULL == mmdb->metadata.languages.names[i]) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
+- // We assign this as we go so that if we fail a malloc and need to
++ // We assign this as we go so that if we fail a calloc and need to
+ // free it, the count is right.
+ mmdb->metadata.languages.count = i + 1;
+ }
+@@ -757,7 +757,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+ MMDB_INVALID_METADATA_ERROR);
+
+ mmdb->metadata.description.descriptions =
+- malloc(map_size * sizeof(MMDB_description_s *));
++ calloc(map_size, sizeof(MMDB_description_s *));
+ if (NULL == mmdb->metadata.description.descriptions) {
+ status = MMDB_OUT_OF_MEMORY_ERROR;
+ goto cleanup;
+@@ -765,7 +765,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+
+ for (uint32_t i = 0; i < map_size; i++) {
+ mmdb->metadata.description.descriptions[i] =
+- malloc(sizeof(MMDB_description_s));
++ calloc(1, sizeof(MMDB_description_s));
+ if (NULL == mmdb->metadata.description.descriptions[i]) {
+ status = MMDB_OUT_OF_MEMORY_ERROR;
+ goto cleanup;
+@@ -1172,7 +1172,7 @@ int MMDB_vget_value(MMDB_entry_s *const start,
+ MAYBE_CHECK_SIZE_OVERFLOW(length, SIZE_MAX / sizeof(const char *) - 1,
+ MMDB_INVALID_METADATA_ERROR);
+
+- const char **path = malloc((length + 1) * sizeof(const char *));
++ const char **path = calloc(length + 1, sizeof(const char *));
+ if (NULL == path) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
+@@ -2037,6 +2037,7 @@ LOCAL MMDB_entry_data_list_s *dump_entry_data_list(
+ char *hex_string =
+ bytes_to_hex((uint8_t *)entry_data_list->entry_data.bytes,
+ entry_data_list->entry_data.data_size);
++
+ if (NULL == hex_string) {
+ *status = MMDB_OUT_OF_MEMORY_ERROR;
+ return NULL;
+@@ -2130,7 +2131,7 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
+ char *hex_string;
+ MAYBE_CHECK_SIZE_OVERFLOW(size, SIZE_MAX / 2 - 1, NULL);
+
+- hex_string = malloc((size * 2) + 1);
++ hex_string = calloc((size * 2) + 1, sizeof(char));
+ if (NULL == hex_string) {
+ return NULL;
+ }
+@@ -2139,6 +2140,8 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
+ sprintf(hex_string + (2 * i), "%02X", bytes[i]);
+ }
+
++
++
+ return hex_string;
+ }
+
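Review bot: In the bin/mmdblookup.c hunk, the result of `calloc((argc - optind) + 1, sizeof(const char *))` is written through in the following `for` loop without a NULL check. The other converted call sites in src/maxminddb.c all test for NULL and return `MMDB_OUT_OF_MEMORY_ERROR`. I would add `if (NULL == lookup_path)` before the loop, reporting the failure the way the rest of get_options does (not visible in this hunk). Separately, the blank-line-only hunks in dump_entry_data_list and bytes_to_hex and the `Malloc`→`Calloc` message edit add noise to a security backport; dropping them would make the functional change easier to audit.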
diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD
index 92fca5cbb77..5c4feef289f 100644
--- a/main/libssh2/APKBUILD
+++ b/main/libssh2/APKBUILD
@@ -12,7 +12,7 @@ source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz
CVE-2019-17498.patch"
builddir="$srcdir"/libssh2-$pkgver
-# security fixes:
+# secfixes:
# 1.9.0-r1:
# - CVE-2019-17498
# 1.9.0-r0:
diff --git a/main/libx11/APKBUILD b/main/libx11/APKBUILD
index c1eec74bbc6..1018fba8084 100644
--- a/main/libx11/APKBUILD
+++ b/main/libx11/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libx11
pkgver=1.6.12
-pkgrel=0
+pkgrel=1
pkgdesc="X11 client-side library"
url="http://xorg.freedesktop.org/"
arch="all"
@@ -9,11 +9,14 @@ license="custom:XFREE86"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
depends_dev="libxcb-dev xtrans"
makedepends="$depends_dev xorgproto util-macros xmlto"
-source="https://www.x.org/releases/individual/lib/libX11-$pkgver.tar.bz2"
-
+source="https://www.x.org/releases/individual/lib/libX11-$pkgver.tar.bz2
+ CVE-2021-31535.patch
+ "
builddir="$srcdir"/libX11-$pkgver
# secfixes:
+# 1.6.12-r1:
+# - CVE-2021-31535
# 1.6.12-r0:
# - CVE-2020-14363
# 1.6.10-r0:
@@ -47,4 +50,7 @@ package() {
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-sha512sums="79df7d61d9009b0dd3b65f67a62189aa0a43799c01026b3d2d534092596a0b67f246af5e398a89eb1ccc61a27335f81be8262b8a39768a76f62d862cd7415a47 libX11-1.6.12.tar.bz2"
+sha512sums="
+79df7d61d9009b0dd3b65f67a62189aa0a43799c01026b3d2d534092596a0b67f246af5e398a89eb1ccc61a27335f81be8262b8a39768a76f62d862cd7415a47 libX11-1.6.12.tar.bz2
+6b4b6c58eacda10cb521b122ff0f1563e70b185739d578dbba3d010e20ebcd4d1a3dce1bcf868e23eefc94155d63b91129a571882ceaa7372dcffd8db339bbea CVE-2021-31535.patch
+"
diff --git a/main/libx11/CVE-2021-31535.patch b/main/libx11/CVE-2021-31535.patch
new file mode 100644
index 00000000000..5c6778a1304
--- /dev/null
+++ b/main/libx11/CVE-2021-31535.patch
@@ -0,0 +1,315 @@
+From 8d2e02ae650f00c4a53deb625211a0527126c605 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+ the wire
+
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+
+CVE-2021-31535
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/Font.c | 4 +++-
+ src/FontInfo.c | 3 +++
+ src/FontNames.c | 3 +++
+ src/GetColor.c | 4 ++++
+ src/LoadFont.c | 4 ++++
+ src/LookupCol.c | 6 ++++--
+ src/ParseCol.c | 3 +++
+ src/QuExt.c | 5 +++++
+ src/SetFPath.c | 6 ++++++
+ src/SetHints.c | 7 +++++++
+ src/StNColor.c | 3 +++
+ src/StName.c | 7 ++++++-
+ 12 files changed, 51 insertions(+), 4 deletions(-)
+
+diff --git a/src/Font.c b/src/Font.c
+index d4ebdaca..1cd89cca 100644
+--- a/src/Font.c
++++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+ XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+
++ if (strlen(name) >= USHRT_MAX)
++ return NULL;
+ if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+ return font_result;
+ LockDisplay(dpy);
+@@ -663,7 +665,7 @@ int _XF86LoadQueryLocaleFont(
+ if (!name)
+ return 0;
+ l = (int) strlen(name);
+- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+ return 0;
+ charset = NULL;
+ /* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index 694efa10..6644b3fa 100644
+--- a/src/FontInfo.c
++++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */
+ register xListFontsReq *req;
+ int j;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFontsWithInfo, req);
+ req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 30912925..458d80c9 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */
+ register xListFontsReq *req;
+ unsigned long rlen = 0;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFonts, req);
+ req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index d088497f..c8178067 100644
+--- a/src/GetColor.c
++++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+ XcmsColor cmsColor_exact;
+ Status ret;
+
++ if (strlen(colorname) >= USHRT_MAX)
++ return (0);
++
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index 0a3809a8..3996436f 100644
+--- a/src/LoadFont.c
++++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xlibint.h"
+
+ Font
+@@ -38,6 +39,9 @@ XLoadFont (
+ Font fid;
+ register xOpenFontReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return (0);
++
+ if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+ return fid;
+
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index 9608d512..cd9b1368 100644
+--- a/src/LookupCol.c
++++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+ XcmsCCC ccc;
+ XcmsColor cmsColor_exact;
+
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+ * Xcms and i18n methods failed, so lets pass it to the server
+ * for parsing.
+ */
+-
+- n = (int) strlen (spec);
+ LockDisplay(dpy);
+ GetReq (LookupColor, req);
+ req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index 2691df36..7a84a17b 100644
+--- a/src/ParseCol.c
++++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -47,6 +48,8 @@ XParseColor (
+
+ if (!spec) return(0);
+ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return(0);
+ if (*spec == '#') {
+ /*
+ * RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 2021dca4..4cb99fcf 100644
+--- a/src/QuExt.c
++++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++#include <stdbool.h>
+ #include "Xlibint.h"
+
+ Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+ xQueryExtensionReply rep;
+ register xQueryExtensionReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return false;
++
+ LockDisplay(dpy);
+ GetReq(QueryExtension, req);
+ req->nbytes = name ? (CARD16) strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 7d12f18c..13fce49e 100644
+--- a/src/SetFPath.c
++++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
++#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+
+@@ -49,6 +50,11 @@ XSetFontPath (
+ req->nFonts = ndirs;
+ for (i = 0; i < ndirs; i++) {
+ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
++ if (n >= USHRT_MAX) {
++ UnlockDisplay(dpy);
++ SyncHandle();
++ return 0;
++ }
+ }
+ nbytes = (n + 3) & ~3;
+ req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index e81aa9d3..61cb0684 100644
+--- a/src/SetHints.c
++++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+ register char *buf, *bp;
+ for (i = 0, nbytes = 0; i < argc; i++) {
+ nbytes += safestrlen(argv[i]) + 1;
++ if (nbytes >= USHRT_MAX)
++ return 1;
+ }
+ if ((bp = buf = Xmalloc(nbytes))) {
+ /* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+
+ if (name != NULL) XStoreName (dpy, w, name);
+
++ if (safestrlen(icon_string) >= USHRT_MAX)
++ return 1;
+ if (icon_string != NULL) {
+ XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+
+ len_nm = safestrlen(classhint->res_name);
+ len_cl = safestrlen(classhint->res_class);
++ if (len_nm + len_cl >= USHRT_MAX)
++ return 1;
+ if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+ if (len_nm) {
+ strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 3b50401b..16dc9cbc 100644
+--- a/src/StNColor.c
++++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
+ XcmsColor cmsColor_exact;
+ XColor scr_def;
+
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index 58b5a5a6..04bb3aa6 100644
+--- a/src/StName.c
++++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+
+@@ -36,7 +37,9 @@ XStoreName (
+ Window w,
+ _Xconst char *name)
+ {
+- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
+ 8, PropModeReplace, (_Xconst unsigned char *)name,
+ name ? (int) strlen(name) : 0);
+ }
+@@ -47,6 +50,8 @@ XSetIconName (
+ Window w,
+ _Xconst char *icon_name)
+ {
++ if (strlen(icon_name) >= USHRT_MAX)
++ return 0;
+ return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace, (_Xconst unsigned char *)icon_name,
+ icon_name ? (int) strlen(icon_name) : 0);
+--
+GitLab
+
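Review bot: Several of the added length checks call `strlen()` on an argument that the surrounding code treats as possibly NULL, which turns a tolerated NULL into a crash. In src/QuExt.c the new `strlen(name)` precedes `req->nbytes = name ? (CARD16) strlen(name) : 0;`. In src/StName.c both XStoreName and XSetIconName check `strlen(...)` just before `name ? (int) strlen(name) : 0`. Guarding on the pointer first keeps the old behaviour, e.g. `if (name != NULL && strlen(name) >= USHRT_MAX)`. The other new `strlen(name)`, `strlen(pattern)` and `strlen(colorname)` checks deserve the same look against code outside these hunks. In src/SetFPath.c the new `#include <limits.h>` sits inside `#ifdef HAVE_CONFIG_H`, unlike in the other files, so `USHRT_MAX` there depends on another header when config.h is not used.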
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 75efe53cc49..a3b5f6edf0e 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.9.9
-pkgrel=4
+pkgrel=5
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -17,10 +17,17 @@ source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
fix-null-pointer-dereference.patch
CVE-2019-19956.patch
CVE-2020-24977.patch
+ CVE-2021-3517.patch
+ CVE-2021-3518.patch
+ CVE-2021-3537.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.9.9-r5:
+# - CVE-2021-3517
+# - CVE-2021-3518
+# - CVE-2021-3537
# 2.9.9-r4:
# - CVE-2020-24977
# 2.9.9-r3:
@@ -114,7 +121,12 @@ utils() {
mkdir -p "$subpkgdir"/usr
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810 libxml2-2.9.9.tar.gz
+sha512sums="
+cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810 libxml2-2.9.9.tar.gz
83074e582cdba8bedff40fc653731ad18ca357bde8f1420e2e8a2a38998b951aebcb73ca5d51859be3b4d9bc1a0308836ca2bb612269edbc61b9dd6ebc7fdb2a fix-null-pointer-dereference.patch
0e03d0dcfae1e99e06c7a4c9a4d863a1518589e403d79665727883b27d7c0d7026b18e29b7c68df41138fbdffb88d977c5ef10ce2ffb96d1a6255304d89c2bb6 CVE-2019-19956.patch
-dfc6fa0232bd94635c66535734175c04e8b7461c216e1337da68d7c5dce36fc750f787f2ee08ef6d91521df55c45f4ae235f8f44bea697a7c734a3b62c9fab60 CVE-2020-24977.patch"
+dfc6fa0232bd94635c66535734175c04e8b7461c216e1337da68d7c5dce36fc750f787f2ee08ef6d91521df55c45f4ae235f8f44bea697a7c734a3b62c9fab60 CVE-2020-24977.patch
+9fc13877ddf53e5897dde490917ab6911e048c6fd6dca9f696c21e45f69ddaceae09a9bf92929317c84c96aeaa8531ffdf7737b1f7cde05de2a7be0e6fddd999 CVE-2021-3517.patch
+5341026c46337dfb376ad0c0580ea287f81338a439737580eee67e2ffe833e695563245532072631509acd29e70ad0700663c16e2d531e5409c15f541e9ae3c4 CVE-2021-3518.patch
+169568745f86235dc6d8dfb56597cf947dc66741cdf4dafc980658d614f7d21e67a1bacbeeed644d91c52cf3c56e9ef0857ec567bb6fd68d3e164e5f18bf87d5 CVE-2021-3537.patch
+"
diff --git a/main/libxml2/CVE-2021-3517.patch b/main/libxml2/CVE-2021-3517.patch
new file mode 100644
index 00000000000..e3ef73602ff
--- /dev/null
+++ b/main/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,49 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+GitLab
+
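Review bot: The rewritten condition in xmlEncodeEntitiesInternal is only memory-safe because of its evaluation order, and the added comment does not say so. `cur[2]` and `cur[3]` are read only after the preceding byte matched `10xxxxxx`, so a sequence cut short by the terminating NUL fails on that byte and nothing past the terminator is read; this assumes `input` is NUL-terminated, which the hunk does not show. I would add `/* order matters: evaluation stops at the first byte that is not a continuation byte, including the terminating 0 */` above the `if`, so that a later reordering of the clauses does not reintroduce the over-read. The check validates sequence shape only: overlong forms and a lead byte such as 0xC0 still pass, which is beyond what this fix claims. The function body continues outside the inner hunk.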
diff --git a/main/libxml2/CVE-2021-3518.patch b/main/libxml2/CVE-2021-3518.patch
new file mode 100644
index 00000000000..3ed2a68e8d7
--- /dev/null
+++ b/main/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,15 @@
+diff -urN libxml2-2.9.10.orig/xinclude.c libxml2-2.9.10/xinclude.c
+--- libxml2-2.9.10.orig/xinclude.c 2021-06-04 10:26:43.173188644 -0600
++++ libxml2-2.9.10/xinclude.c 2021-06-04 10:28:19.633720058 -0600
+@@ -2397,9 +2397,8 @@
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+ if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ if (xmlXIncludeTestNode(ctxt, cur))
+ xmlXIncludePreProcessNode(ctxt, cur);
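Review bot: CVE-2021-3518.patch carries no provenance. Unlike the two sibling patches it has no `From <commit>` / `Subject:` header or description, and its paths name libxml2-2.9.10 while this APKBUILD builds pkgver=2.9.9, so a reader cannot tell which upstream change it corresponds to or whether it was adapted. I would add a short header above the `diff -urN` line, for example `Upstream commit: <upstream-commit-id>`, plus one line saying the hunk was rebased onto 2.9.9 if that is the case. The change replaces the test on the child's node type with a test that `cur` itself is a document or element node before descending; the loop starts and ends outside the hunk, so how other node types are handled afterwards cannot be checked from here.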
diff --git a/main/libxml2/CVE-2021-3537.patch b/main/libxml2/CVE-2021-3537.patch
new file mode 100644
index 00000000000..3df1539523b
--- /dev/null
+++ b/main/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,44 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+--
+GitLab
+
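Review bot: The two added early returns in xmlParseElementChildrenContentDeclPriv handle cleanup differently and neither says why. The first returns without freeing because `cur` and `ret` were both assigned from the same failed call, while the second has to free the partially built `ret`. A one-line comment at the first site, `/* ret == cur == NULL here, nothing to free */`, would keep a later edit from copying the wrong variant. Both hunks are excerpts of a longer function, so whether other locals still own allocations at the second return is not visible here.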
diff --git a/main/linux-vanilla/0001-arm64-Avoid-redundant-type-conversions-in-xchg-and-c.patch b/main/linux-vanilla/0001-arm64-Avoid-redundant-type-conversions-in-xchg-and-c.patch
new file mode 100644
index 00000000000..2441864dfb7
--- /dev/null
+++ b/main/linux-vanilla/0001-arm64-Avoid-redundant-type-conversions-in-xchg-and-c.patch
@@ -0,0 +1,355 @@
+From 7b7b95eca1c3c2d6e5302b813b2b8470d004dedb Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Thu, 13 Sep 2018 13:30:45 +0100
+Subject: [PATCH 1/2] arm64: Avoid redundant type conversions in xchg() and
+ cmpxchg()
+
+Our atomic instructions (either LSE atomics of LDXR/STXR sequences)
+natively support byte, half-word, word and double-word memory accesses
+so there is no need to mask the data register prior to being stored.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+(cherry picked from commit 5ef3fe4cecdf82fdd71ce78988403963d01444d4)
+---
+ arch/arm64/include/asm/atomic_ll_sc.h | 53 ++++++------
+ arch/arm64/include/asm/atomic_lse.h | 46 +++++-----
+ arch/arm64/include/asm/cmpxchg.h | 116 +++++++++++++-------------
+ 3 files changed, 108 insertions(+), 107 deletions(-)
+
+diff --git a/arch/arm64/include/asm/atomic_ll_sc.h b/arch/arm64/include/asm/atomic_ll_sc.h
+index f5a2d09afb38..f02d3bf7b9e6 100644
+--- a/arch/arm64/include/asm/atomic_ll_sc.h
++++ b/arch/arm64/include/asm/atomic_ll_sc.h
+@@ -248,48 +248,49 @@ __LL_SC_PREFIX(atomic64_dec_if_positive(atomic64_t *v))
+ }
+ __LL_SC_EXPORT(atomic64_dec_if_positive);
+
+-#define __CMPXCHG_CASE(w, sz, name, mb, acq, rel, cl) \
+-__LL_SC_INLINE unsigned long \
+-__LL_SC_PREFIX(__cmpxchg_case_##name(volatile void *ptr, \
+- unsigned long old, \
+- unsigned long new)) \
++#define __CMPXCHG_CASE(w, sfx, name, sz, mb, acq, rel, cl) \
++__LL_SC_INLINE u##sz \
++__LL_SC_PREFIX(__cmpxchg_case_##name##sz(volatile void *ptr, \
++ unsigned long old, \
++ u##sz new)) \
+ { \
+- unsigned long tmp, oldval; \
++ unsigned long tmp; \
++ u##sz oldval; \
+ \
+ asm volatile( \
+ " prfm pstl1strm, %[v]\n" \
+- "1: ld" #acq "xr" #sz "\t%" #w "[oldval], %[v]\n" \
++ "1: ld" #acq "xr" #sfx "\t%" #w "[oldval], %[v]\n" \
+ " eor %" #w "[tmp], %" #w "[oldval], %" #w "[old]\n" \
+ " cbnz %" #w "[tmp], 2f\n" \
+- " st" #rel "xr" #sz "\t%w[tmp], %" #w "[new], %[v]\n" \
++ " st" #rel "xr" #sfx "\t%w[tmp], %" #w "[new], %[v]\n" \
+ " cbnz %w[tmp], 1b\n" \
+ " " #mb "\n" \
+ "2:" \
+ : [tmp] "=&r" (tmp), [oldval] "=&r" (oldval), \
+- [v] "+Q" (*(unsigned long *)ptr) \
++ [v] "+Q" (*(u##sz *)ptr) \
+ : [old] "Lr" (old), [new] "r" (new) \
+ : cl); \
+ \
+ return oldval; \
+ } \
+-__LL_SC_EXPORT(__cmpxchg_case_##name);
++__LL_SC_EXPORT(__cmpxchg_case_##name##sz);
+
+-__CMPXCHG_CASE(w, b, 1, , , , )
+-__CMPXCHG_CASE(w, h, 2, , , , )
+-__CMPXCHG_CASE(w, , 4, , , , )
+-__CMPXCHG_CASE( , , 8, , , , )
+-__CMPXCHG_CASE(w, b, acq_1, , a, , "memory")
+-__CMPXCHG_CASE(w, h, acq_2, , a, , "memory")
+-__CMPXCHG_CASE(w, , acq_4, , a, , "memory")
+-__CMPXCHG_CASE( , , acq_8, , a, , "memory")
+-__CMPXCHG_CASE(w, b, rel_1, , , l, "memory")
+-__CMPXCHG_CASE(w, h, rel_2, , , l, "memory")
+-__CMPXCHG_CASE(w, , rel_4, , , l, "memory")
+-__CMPXCHG_CASE( , , rel_8, , , l, "memory")
+-__CMPXCHG_CASE(w, b, mb_1, dmb ish, , l, "memory")
+-__CMPXCHG_CASE(w, h, mb_2, dmb ish, , l, "memory")
+-__CMPXCHG_CASE(w, , mb_4, dmb ish, , l, "memory")
+-__CMPXCHG_CASE( , , mb_8, dmb ish, , l, "memory")
++__CMPXCHG_CASE(w, b, , 8, , , , )
++__CMPXCHG_CASE(w, h, , 16, , , , )
++__CMPXCHG_CASE(w, , , 32, , , , )
++__CMPXCHG_CASE( , , , 64, , , , )
++__CMPXCHG_CASE(w, b, acq_, 8, , a, , "memory")
++__CMPXCHG_CASE(w, h, acq_, 16, , a, , "memory")
++__CMPXCHG_CASE(w, , acq_, 32, , a, , "memory")
++__CMPXCHG_CASE( , , acq_, 64, , a, , "memory")
++__CMPXCHG_CASE(w, b, rel_, 8, , , l, "memory")
++__CMPXCHG_CASE(w, h, rel_, 16, , , l, "memory")
++__CMPXCHG_CASE(w, , rel_, 32, , , l, "memory")
++__CMPXCHG_CASE( , , rel_, 64, , , l, "memory")
++__CMPXCHG_CASE(w, b, mb_, 8, dmb ish, , l, "memory")
++__CMPXCHG_CASE(w, h, mb_, 16, dmb ish, , l, "memory")
++__CMPXCHG_CASE(w, , mb_, 32, dmb ish, , l, "memory")
++__CMPXCHG_CASE( , , mb_, 64, dmb ish, , l, "memory")
+
+ #undef __CMPXCHG_CASE
+
+diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/atomic_lse.h
+index eab3de4f2ad2..80cadc789f1a 100644
+--- a/arch/arm64/include/asm/atomic_lse.h
++++ b/arch/arm64/include/asm/atomic_lse.h
+@@ -480,24 +480,24 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
+
+ #define __LL_SC_CMPXCHG(op) __LL_SC_CALL(__cmpxchg_case_##op)
+
+-#define __CMPXCHG_CASE(w, sz, name, mb, cl...) \
+-static inline unsigned long __cmpxchg_case_##name(volatile void *ptr, \
+- unsigned long old, \
+- unsigned long new) \
++#define __CMPXCHG_CASE(w, sfx, name, sz, mb, cl...) \
++static inline u##sz __cmpxchg_case_##name##sz(volatile void *ptr, \
++ unsigned long old, \
++ u##sz new) \
+ { \
+ register unsigned long x0 asm ("x0") = (unsigned long)ptr; \
+ register unsigned long x1 asm ("x1") = old; \
+- register unsigned long x2 asm ("x2") = new; \
++ register u##sz x2 asm ("x2") = new; \
+ \
+ asm volatile( \
+ __LSE_PREAMBLE \
+ ARM64_LSE_ATOMIC_INSN( \
+ /* LL/SC */ \
+- __LL_SC_CMPXCHG(name) \
++ __LL_SC_CMPXCHG(name##sz) \
+ __nops(2), \
+ /* LSE atomics */ \
+ " mov " #w "30, %" #w "[old]\n" \
+- " cas" #mb #sz "\t" #w "30, %" #w "[new], %[v]\n" \
++ " cas" #mb #sfx "\t" #w "30, %" #w "[new], %[v]\n" \
+ " mov %" #w "[ret], " #w "30") \
+ : [ret] "+r" (x0), [v] "+Q" (*(unsigned long *)ptr) \
+ : [old] "r" (x1), [new] "r" (x2) \
+@@ -506,22 +506,22 @@ static inline unsigned long __cmpxchg_case_##name(volatile void *ptr, \
+ return x0; \
+ }
+
+-__CMPXCHG_CASE(w, b, 1, )
+-__CMPXCHG_CASE(w, h, 2, )
+-__CMPXCHG_CASE(w, , 4, )
+-__CMPXCHG_CASE(x, , 8, )
+-__CMPXCHG_CASE(w, b, acq_1, a, "memory")
+-__CMPXCHG_CASE(w, h, acq_2, a, "memory")
+-__CMPXCHG_CASE(w, , acq_4, a, "memory")
+-__CMPXCHG_CASE(x, , acq_8, a, "memory")
+-__CMPXCHG_CASE(w, b, rel_1, l, "memory")
+-__CMPXCHG_CASE(w, h, rel_2, l, "memory")
+-__CMPXCHG_CASE(w, , rel_4, l, "memory")
+-__CMPXCHG_CASE(x, , rel_8, l, "memory")
+-__CMPXCHG_CASE(w, b, mb_1, al, "memory")
+-__CMPXCHG_CASE(w, h, mb_2, al, "memory")
+-__CMPXCHG_CASE(w, , mb_4, al, "memory")
+-__CMPXCHG_CASE(x, , mb_8, al, "memory")
++__CMPXCHG_CASE(w, b, , 8, )
++__CMPXCHG_CASE(w, h, , 16, )
++__CMPXCHG_CASE(w, , , 32, )
++__CMPXCHG_CASE(x, , , 64, )
++__CMPXCHG_CASE(w, b, acq_, 8, a, "memory")
++__CMPXCHG_CASE(w, h, acq_, 16, a, "memory")
++__CMPXCHG_CASE(w, , acq_, 32, a, "memory")
++__CMPXCHG_CASE(x, , acq_, 64, a, "memory")
++__CMPXCHG_CASE(w, b, rel_, 8, l, "memory")
++__CMPXCHG_CASE(w, h, rel_, 16, l, "memory")
++__CMPXCHG_CASE(w, , rel_, 32, l, "memory")
++__CMPXCHG_CASE(x, , rel_, 64, l, "memory")
++__CMPXCHG_CASE(w, b, mb_, 8, al, "memory")
++__CMPXCHG_CASE(w, h, mb_, 16, al, "memory")
++__CMPXCHG_CASE(w, , mb_, 32, al, "memory")
++__CMPXCHG_CASE(x, , mb_, 64, al, "memory")
+
+ #undef __LL_SC_CMPXCHG
+ #undef __CMPXCHG_CASE
+diff --git a/arch/arm64/include/asm/cmpxchg.h b/arch/arm64/include/asm/cmpxchg.h
+index d8b01c7c9cd3..94ccb3bfbd61 100644
+--- a/arch/arm64/include/asm/cmpxchg.h
++++ b/arch/arm64/include/asm/cmpxchg.h
+@@ -30,46 +30,46 @@
+ * barrier case is generated as release+dmb for the former and
+ * acquire+release for the latter.
+ */
+-#define __XCHG_CASE(w, sz, name, mb, nop_lse, acq, acq_lse, rel, cl) \
+-static inline unsigned long __xchg_case_##name(unsigned long x, \
+- volatile void *ptr) \
+-{ \
+- unsigned long ret, tmp; \
+- \
+- asm volatile(ARM64_LSE_ATOMIC_INSN( \
+- /* LL/SC */ \
+- " prfm pstl1strm, %2\n" \
+- "1: ld" #acq "xr" #sz "\t%" #w "0, %2\n" \
+- " st" #rel "xr" #sz "\t%w1, %" #w "3, %2\n" \
+- " cbnz %w1, 1b\n" \
+- " " #mb, \
+- /* LSE atomics */ \
+- " swp" #acq_lse #rel #sz "\t%" #w "3, %" #w "0, %2\n" \
+- __nops(3) \
+- " " #nop_lse) \
+- : "=&r" (ret), "=&r" (tmp), "+Q" (*(unsigned long *)ptr) \
+- : "r" (x) \
+- : cl); \
+- \
+- return ret; \
++#define __XCHG_CASE(w, sfx, name, sz, mb, nop_lse, acq, acq_lse, rel, cl) \
++static inline u##sz __xchg_case_##name##sz(u##sz x, volatile void *ptr) \
++{ \
++ u##sz ret; \
++ unsigned long tmp; \
++ \
++ asm volatile(ARM64_LSE_ATOMIC_INSN( \
++ /* LL/SC */ \
++ " prfm pstl1strm, %2\n" \
++ "1: ld" #acq "xr" #sfx "\t%" #w "0, %2\n" \
++ " st" #rel "xr" #sfx "\t%w1, %" #w "3, %2\n" \
++ " cbnz %w1, 1b\n" \
++ " " #mb, \
++ /* LSE atomics */ \
++ " swp" #acq_lse #rel #sfx "\t%" #w "3, %" #w "0, %2\n" \
++ __nops(3) \
++ " " #nop_lse) \
++ : "=&r" (ret), "=&r" (tmp), "+Q" (*(u##sz *)ptr) \
++ : "r" (x) \
++ : cl); \
++ \
++ return ret; \
+ }
+
+-__XCHG_CASE(w, b, 1, , , , , , )
+-__XCHG_CASE(w, h, 2, , , , , , )
+-__XCHG_CASE(w, , 4, , , , , , )
+-__XCHG_CASE( , , 8, , , , , , )
+-__XCHG_CASE(w, b, acq_1, , , a, a, , "memory")
+-__XCHG_CASE(w, h, acq_2, , , a, a, , "memory")
+-__XCHG_CASE(w, , acq_4, , , a, a, , "memory")
+-__XCHG_CASE( , , acq_8, , , a, a, , "memory")
+-__XCHG_CASE(w, b, rel_1, , , , , l, "memory")
+-__XCHG_CASE(w, h, rel_2, , , , , l, "memory")
+-__XCHG_CASE(w, , rel_4, , , , , l, "memory")
+-__XCHG_CASE( , , rel_8, , , , , l, "memory")
+-__XCHG_CASE(w, b, mb_1, dmb ish, nop, , a, l, "memory")
+-__XCHG_CASE(w, h, mb_2, dmb ish, nop, , a, l, "memory")
+-__XCHG_CASE(w, , mb_4, dmb ish, nop, , a, l, "memory")
+-__XCHG_CASE( , , mb_8, dmb ish, nop, , a, l, "memory")
++__XCHG_CASE(w, b, , 8, , , , , , )
++__XCHG_CASE(w, h, , 16, , , , , , )
++__XCHG_CASE(w, , , 32, , , , , , )
++__XCHG_CASE( , , , 64, , , , , , )
++__XCHG_CASE(w, b, acq_, 8, , , a, a, , "memory")
++__XCHG_CASE(w, h, acq_, 16, , , a, a, , "memory")
++__XCHG_CASE(w, , acq_, 32, , , a, a, , "memory")
++__XCHG_CASE( , , acq_, 64, , , a, a, , "memory")
++__XCHG_CASE(w, b, rel_, 8, , , , , l, "memory")
++__XCHG_CASE(w, h, rel_, 16, , , , , l, "memory")
++__XCHG_CASE(w, , rel_, 32, , , , , l, "memory")
++__XCHG_CASE( , , rel_, 64, , , , , l, "memory")
++__XCHG_CASE(w, b, mb_, 8, dmb ish, nop, , a, l, "memory")
++__XCHG_CASE(w, h, mb_, 16, dmb ish, nop, , a, l, "memory")
++__XCHG_CASE(w, , mb_, 32, dmb ish, nop, , a, l, "memory")
++__XCHG_CASE( , , mb_, 64, dmb ish, nop, , a, l, "memory")
+
+ #undef __XCHG_CASE
+
+@@ -80,13 +80,13 @@ static __always_inline unsigned long __xchg##sfx(unsigned long x, \
+ { \
+ switch (size) { \
+ case 1: \
+- return __xchg_case##sfx##_1(x, ptr); \
++ return __xchg_case##sfx##_8(x, ptr); \
+ case 2: \
+- return __xchg_case##sfx##_2(x, ptr); \
++ return __xchg_case##sfx##_16(x, ptr); \
+ case 4: \
+- return __xchg_case##sfx##_4(x, ptr); \
++ return __xchg_case##sfx##_32(x, ptr); \
+ case 8: \
+- return __xchg_case##sfx##_8(x, ptr); \
++ return __xchg_case##sfx##_64(x, ptr); \
+ default: \
+ BUILD_BUG(); \
+ } \
+@@ -123,13 +123,13 @@ static __always_inline unsigned long __cmpxchg##sfx(volatile void *ptr, \
+ { \
+ switch (size) { \
+ case 1: \
+- return __cmpxchg_case##sfx##_1(ptr, (u8)old, new); \
++ return __cmpxchg_case##sfx##_8(ptr, (u8)old, new); \
+ case 2: \
+- return __cmpxchg_case##sfx##_2(ptr, (u16)old, new); \
++ return __cmpxchg_case##sfx##_16(ptr, (u16)old, new); \
+ case 4: \
+- return __cmpxchg_case##sfx##_4(ptr, old, new); \
++ return __cmpxchg_case##sfx##_32(ptr, old, new); \
+ case 8: \
+- return __cmpxchg_case##sfx##_8(ptr, old, new); \
++ return __cmpxchg_case##sfx##_64(ptr, old, new); \
+ default: \
+ BUILD_BUG(); \
+ } \
+@@ -197,16 +197,16 @@ __CMPXCHG_GEN(_mb)
+ __ret; \
+ })
+
+-#define __CMPWAIT_CASE(w, sz, name) \
+-static inline void __cmpwait_case_##name(volatile void *ptr, \
+- unsigned long val) \
++#define __CMPWAIT_CASE(w, sfx, sz) \
++static inline void __cmpwait_case_##sz(volatile void *ptr, \
++ unsigned long val) \
+ { \
+ unsigned long tmp; \
+ \
+ asm volatile( \
+ " sevl\n" \
+ " wfe\n" \
+- " ldxr" #sz "\t%" #w "[tmp], %[v]\n" \
++ " ldxr" #sfx "\t%" #w "[tmp], %[v]\n" \
+ " eor %" #w "[tmp], %" #w "[tmp], %" #w "[val]\n" \
+ " cbnz %" #w "[tmp], 1f\n" \
+ " wfe\n" \
+@@ -215,10 +215,10 @@ static inline void __cmpwait_case_##name(volatile void *ptr, \
+ : [val] "r" (val)); \
+ }
+
+-__CMPWAIT_CASE(w, b, 1);
+-__CMPWAIT_CASE(w, h, 2);
+-__CMPWAIT_CASE(w, , 4);
+-__CMPWAIT_CASE( , , 8);
++__CMPWAIT_CASE(w, b, 8);
++__CMPWAIT_CASE(w, h, 16);
++__CMPWAIT_CASE(w, , 32);
++__CMPWAIT_CASE( , , 64);
+
+ #undef __CMPWAIT_CASE
+
+@@ -229,13 +229,13 @@ static __always_inline void __cmpwait##sfx(volatile void *ptr, \
+ { \
+ switch (size) { \
+ case 1: \
+- return __cmpwait_case##sfx##_1(ptr, (u8)val); \
++ return __cmpwait_case##sfx##_8(ptr, (u8)val); \
+ case 2: \
+- return __cmpwait_case##sfx##_2(ptr, (u16)val); \
++ return __cmpwait_case##sfx##_16(ptr, (u16)val); \
+ case 4: \
+- return __cmpwait_case##sfx##_4(ptr, val); \
++ return __cmpwait_case##sfx##_32(ptr, val); \
+ case 8: \
+- return __cmpwait_case##sfx##_8(ptr, val); \
++ return __cmpwait_case##sfx##_64(ptr, val); \
+ default: \
+ BUILD_BUG(); \
+ } \
+--
+2.30.1
+
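Review bot: Nothing in this patch or in the APKBUILD records why a commit described as removing redundant type conversions is carried on top of 4.19.176. Judging from the context lines of 0002, which already use the `__CMPXCHG_CASE(w, sfx, name, sz, ...)` signature introduced here, it is a prerequisite for that patch. A comment above `source=` in the APKBUILD, such as `# 0001 is only a prerequisite for 0002 (arm64 ll/sc constraint build fix); drop both together`, would record that. Separately, in the ll/sc `__CMPXCHG_CASE` the `old` parameter stays `unsigned long` while `oldval` narrows to `u##sz`, so the 8- and 16-bit compares depend on the `(u8)old` / `(u16)old` casts in `__cmpxchg##sfx`; that dependency deserves a comment on the macro.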
diff --git a/main/linux-vanilla/0002-arm64-Use-correct-ll-sc-atomic-constraints.patch b/main/linux-vanilla/0002-arm64-Use-correct-ll-sc-atomic-constraints.patch
new file mode 100644
index 00000000000..2390c520d9b
--- /dev/null
+++ b/main/linux-vanilla/0002-arm64-Use-correct-ll-sc-atomic-constraints.patch
@@ -0,0 +1,252 @@
+From 44f0d02f40ee3203fd3c6433be3407b826d94e42 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <andrew.murray@arm.com>
+Date: Wed, 28 Aug 2019 18:50:06 +0100
+Subject: [PATCH 2/2] arm64: Use correct ll/sc atomic constraints
+
+The A64 ISA accepts distinct (but overlapping) ranges of immediates for:
+
+ * add arithmetic instructions ('I' machine constraint)
+ * sub arithmetic instructions ('J' machine constraint)
+ * 32-bit logical instructions ('K' machine constraint)
+ * 64-bit logical instructions ('L' machine constraint)
+
+... but we currently use the 'I' constraint for many atomic operations
+using sub or logical instructions, which is not always valid.
+
+When CONFIG_ARM64_LSE_ATOMICS is not set, this allows invalid immediates
+to be passed to instructions, potentially resulting in a build failure.
+When CONFIG_ARM64_LSE_ATOMICS is selected the out-of-line ll/sc atomics
+always use a register as they have no visibility of the value passed by
+the caller.
+
+This patch adds a constraint parameter to the ATOMIC_xx and
+__CMPXCHG_CASE macros so that we can pass appropriate constraints for
+each case, with uses updated accordingly.
+
+Unfortunately prior to GCC 8.1.0 the 'K' constraint erroneously accepted
+'4294967295', so we must instead force the use of a register.
+
+Signed-off-by: Andrew Murray <andrew.murray@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+(cherry picked from commit 580fa1b874711d633f9b145b7777b0e83ebf3787)
+---
+ arch/arm64/include/asm/atomic_ll_sc.h | 89 ++++++++++++++-------------
+ 1 file changed, 47 insertions(+), 42 deletions(-)
+
+diff --git a/arch/arm64/include/asm/atomic_ll_sc.h b/arch/arm64/include/asm/atomic_ll_sc.h
+index f02d3bf7b9e6..1cc42441bc67 100644
+--- a/arch/arm64/include/asm/atomic_ll_sc.h
++++ b/arch/arm64/include/asm/atomic_ll_sc.h
+@@ -37,7 +37,7 @@
+ * (the optimize attribute silently ignores these options).
+ */
+
+-#define ATOMIC_OP(op, asm_op) \
++#define ATOMIC_OP(op, asm_op, constraint) \
+ __LL_SC_INLINE void \
+ __LL_SC_PREFIX(atomic_##op(int i, atomic_t *v)) \
+ { \
+@@ -51,11 +51,11 @@ __LL_SC_PREFIX(atomic_##op(int i, atomic_t *v)) \
+ " stxr %w1, %w0, %2\n" \
+ " cbnz %w1, 1b" \
+ : "=&r" (result), "=&r" (tmp), "+Q" (v->counter) \
+- : "Ir" (i)); \
++ : #constraint "r" (i)); \
+ } \
+ __LL_SC_EXPORT(atomic_##op);
+
+-#define ATOMIC_OP_RETURN(name, mb, acq, rel, cl, op, asm_op) \
++#define ATOMIC_OP_RETURN(name, mb, acq, rel, cl, op, asm_op, constraint)\
+ __LL_SC_INLINE int \
+ __LL_SC_PREFIX(atomic_##op##_return##name(int i, atomic_t *v)) \
+ { \
+@@ -70,14 +70,14 @@ __LL_SC_PREFIX(atomic_##op##_return##name(int i, atomic_t *v)) \
+ " cbnz %w1, 1b\n" \
+ " " #mb \
+ : "=&r" (result), "=&r" (tmp), "+Q" (v->counter) \
+- : "Ir" (i) \
++ : #constraint "r" (i) \
+ : cl); \
+ \
+ return result; \
+ } \
+ __LL_SC_EXPORT(atomic_##op##_return##name);
+
+-#define ATOMIC_FETCH_OP(name, mb, acq, rel, cl, op, asm_op) \
++#define ATOMIC_FETCH_OP(name, mb, acq, rel, cl, op, asm_op, constraint) \
+ __LL_SC_INLINE int \
+ __LL_SC_PREFIX(atomic_fetch_##op##name(int i, atomic_t *v)) \
+ { \
+@@ -92,7 +92,7 @@ __LL_SC_PREFIX(atomic_fetch_##op##name(int i, atomic_t *v)) \
+ " cbnz %w2, 1b\n" \
+ " " #mb \
+ : "=&r" (result), "=&r" (val), "=&r" (tmp), "+Q" (v->counter) \
+- : "Ir" (i) \
++ : #constraint "r" (i) \
+ : cl); \
+ \
+ return result; \
+@@ -110,8 +110,8 @@ __LL_SC_EXPORT(atomic_fetch_##op##name);
+ ATOMIC_FETCH_OP (_acquire, , a, , "memory", __VA_ARGS__)\
+ ATOMIC_FETCH_OP (_release, , , l, "memory", __VA_ARGS__)
+
+-ATOMIC_OPS(add, add)
+-ATOMIC_OPS(sub, sub)
++ATOMIC_OPS(add, add, I)
++ATOMIC_OPS(sub, sub, J)
+
+ #undef ATOMIC_OPS
+ #define ATOMIC_OPS(...) \
+@@ -121,17 +121,17 @@ ATOMIC_OPS(sub, sub)
+ ATOMIC_FETCH_OP (_acquire, , a, , "memory", __VA_ARGS__)\
+ ATOMIC_FETCH_OP (_release, , , l, "memory", __VA_ARGS__)
+
+-ATOMIC_OPS(and, and)
+-ATOMIC_OPS(andnot, bic)
+-ATOMIC_OPS(or, orr)
+-ATOMIC_OPS(xor, eor)
++ATOMIC_OPS(and, and, )
++ATOMIC_OPS(andnot, bic, )
++ATOMIC_OPS(or, orr, )
++ATOMIC_OPS(xor, eor, )
+
+ #undef ATOMIC_OPS
+ #undef ATOMIC_FETCH_OP
+ #undef ATOMIC_OP_RETURN
+ #undef ATOMIC_OP
+
+-#define ATOMIC64_OP(op, asm_op) \
++#define ATOMIC64_OP(op, asm_op, constraint) \
+ __LL_SC_INLINE void \
+ __LL_SC_PREFIX(atomic64_##op(long i, atomic64_t *v)) \
+ { \
+@@ -145,11 +145,11 @@ __LL_SC_PREFIX(atomic64_##op(long i, atomic64_t *v)) \
+ " stxr %w1, %0, %2\n" \
+ " cbnz %w1, 1b" \
+ : "=&r" (result), "=&r" (tmp), "+Q" (v->counter) \
+- : "Ir" (i)); \
++ : #constraint "r" (i)); \
+ } \
+ __LL_SC_EXPORT(atomic64_##op);
+
+-#define ATOMIC64_OP_RETURN(name, mb, acq, rel, cl, op, asm_op) \
++#define ATOMIC64_OP_RETURN(name, mb, acq, rel, cl, op, asm_op, constraint)\
+ __LL_SC_INLINE long \
+ __LL_SC_PREFIX(atomic64_##op##_return##name(long i, atomic64_t *v)) \
+ { \
+@@ -164,14 +164,14 @@ __LL_SC_PREFIX(atomic64_##op##_return##name(long i, atomic64_t *v)) \
+ " cbnz %w1, 1b\n" \
+ " " #mb \
+ : "=&r" (result), "=&r" (tmp), "+Q" (v->counter) \
+- : "Ir" (i) \
++ : #constraint "r" (i) \
+ : cl); \
+ \
+ return result; \
+ } \
+ __LL_SC_EXPORT(atomic64_##op##_return##name);
+
+-#define ATOMIC64_FETCH_OP(name, mb, acq, rel, cl, op, asm_op) \
++#define ATOMIC64_FETCH_OP(name, mb, acq, rel, cl, op, asm_op, constraint)\
+ __LL_SC_INLINE long \
+ __LL_SC_PREFIX(atomic64_fetch_##op##name(long i, atomic64_t *v)) \
+ { \
+@@ -186,7 +186,7 @@ __LL_SC_PREFIX(atomic64_fetch_##op##name(long i, atomic64_t *v)) \
+ " cbnz %w2, 1b\n" \
+ " " #mb \
+ : "=&r" (result), "=&r" (val), "=&r" (tmp), "+Q" (v->counter) \
+- : "Ir" (i) \
++ : #constraint "r" (i) \
+ : cl); \
+ \
+ return result; \
+@@ -204,8 +204,8 @@ __LL_SC_EXPORT(atomic64_fetch_##op##name);
+ ATOMIC64_FETCH_OP (_acquire,, a, , "memory", __VA_ARGS__) \
+ ATOMIC64_FETCH_OP (_release,, , l, "memory", __VA_ARGS__)
+
+-ATOMIC64_OPS(add, add)
+-ATOMIC64_OPS(sub, sub)
++ATOMIC64_OPS(add, add, I)
++ATOMIC64_OPS(sub, sub, J)
+
+ #undef ATOMIC64_OPS
+ #define ATOMIC64_OPS(...) \
+@@ -215,10 +215,10 @@ ATOMIC64_OPS(sub, sub)
+ ATOMIC64_FETCH_OP (_acquire,, a, , "memory", __VA_ARGS__) \
+ ATOMIC64_FETCH_OP (_release,, , l, "memory", __VA_ARGS__)
+
+-ATOMIC64_OPS(and, and)
+-ATOMIC64_OPS(andnot, bic)
+-ATOMIC64_OPS(or, orr)
+-ATOMIC64_OPS(xor, eor)
++ATOMIC64_OPS(and, and, L)
++ATOMIC64_OPS(andnot, bic, )
++ATOMIC64_OPS(or, orr, L)
++ATOMIC64_OPS(xor, eor, L)
+
+ #undef ATOMIC64_OPS
+ #undef ATOMIC64_FETCH_OP
+@@ -248,7 +248,7 @@ __LL_SC_PREFIX(atomic64_dec_if_positive(atomic64_t *v))
+ }
+ __LL_SC_EXPORT(atomic64_dec_if_positive);
+
+-#define __CMPXCHG_CASE(w, sfx, name, sz, mb, acq, rel, cl) \
++#define __CMPXCHG_CASE(w, sfx, name, sz, mb, acq, rel, cl, constraint) \
+ __LL_SC_INLINE u##sz \
+ __LL_SC_PREFIX(__cmpxchg_case_##name##sz(volatile void *ptr, \
+ unsigned long old, \
+@@ -268,29 +268,34 @@ __LL_SC_PREFIX(__cmpxchg_case_##name##sz(volatile void *ptr, \
+ "2:" \
+ : [tmp] "=&r" (tmp), [oldval] "=&r" (oldval), \
+ [v] "+Q" (*(u##sz *)ptr) \
+- : [old] "Lr" (old), [new] "r" (new) \
++ : [old] #constraint "r" (old), [new] "r" (new) \
+ : cl); \
+ \
+ return oldval; \
+ } \
+ __LL_SC_EXPORT(__cmpxchg_case_##name##sz);
+
+-__CMPXCHG_CASE(w, b, , 8, , , , )
+-__CMPXCHG_CASE(w, h, , 16, , , , )
+-__CMPXCHG_CASE(w, , , 32, , , , )
+-__CMPXCHG_CASE( , , , 64, , , , )
+-__CMPXCHG_CASE(w, b, acq_, 8, , a, , "memory")
+-__CMPXCHG_CASE(w, h, acq_, 16, , a, , "memory")
+-__CMPXCHG_CASE(w, , acq_, 32, , a, , "memory")
+-__CMPXCHG_CASE( , , acq_, 64, , a, , "memory")
+-__CMPXCHG_CASE(w, b, rel_, 8, , , l, "memory")
+-__CMPXCHG_CASE(w, h, rel_, 16, , , l, "memory")
+-__CMPXCHG_CASE(w, , rel_, 32, , , l, "memory")
+-__CMPXCHG_CASE( , , rel_, 64, , , l, "memory")
+-__CMPXCHG_CASE(w, b, mb_, 8, dmb ish, , l, "memory")
+-__CMPXCHG_CASE(w, h, mb_, 16, dmb ish, , l, "memory")
+-__CMPXCHG_CASE(w, , mb_, 32, dmb ish, , l, "memory")
+-__CMPXCHG_CASE( , , mb_, 64, dmb ish, , l, "memory")
++/*
++ * Earlier versions of GCC (no later than 8.1.0) appear to incorrectly
++ * handle the 'K' constraint for the value 4294967295 - thus we use no
++ * constraint for 32 bit operations.
++ */
++__CMPXCHG_CASE(w, b, , 8, , , , , )
++__CMPXCHG_CASE(w, h, , 16, , , , , )
++__CMPXCHG_CASE(w, , , 32, , , , , )
++__CMPXCHG_CASE( , , , 64, , , , , L)
++__CMPXCHG_CASE(w, b, acq_, 8, , a, , "memory", )
++__CMPXCHG_CASE(w, h, acq_, 16, , a, , "memory", )
++__CMPXCHG_CASE(w, , acq_, 32, , a, , "memory", )
++__CMPXCHG_CASE( , , acq_, 64, , a, , "memory", L)
++__CMPXCHG_CASE(w, b, rel_, 8, , , l, "memory", )
++__CMPXCHG_CASE(w, h, rel_, 16, , , l, "memory", )
++__CMPXCHG_CASE(w, , rel_, 32, , , l, "memory", )
++__CMPXCHG_CASE( , , rel_, 64, , , l, "memory", L)
++__CMPXCHG_CASE(w, b, mb_, 8, dmb ish, , l, "memory", )
++__CMPXCHG_CASE(w, h, mb_, 16, dmb ish, , l, "memory", )
++__CMPXCHG_CASE(w, , mb_, 32, dmb ish, , l, "memory", )
++__CMPXCHG_CASE( , , mb_, 64, dmb ish, , l, "memory", L)
+
+ #undef __CMPXCHG_CASE
+
+--
+2.30.1
+
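Review bot: The empty constraint passed for the 32-bit logical operations (`ATOMIC_OPS(and, and, )`, and likewise `or` and `xor`) is unexplained at the point of use; the reason appears only in the commit message and in the comment above the `__CMPXCHG_CASE` instances. I would repeat it there, e.g. `/* no 'K': GCC before 8.1.0 accepts 4294967295 for it, so force a register */`, because an empty argument otherwise reads like an omission next to `ATOMIC64_OPS(and, and, L)`. `andnot`/`bic` gets no immediate constraint in either width, presumably because no immediate form is used for it; a short comment would confirm that this is deliberate.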
diff --git a/main/linux-vanilla/APKBUILD b/main/linux-vanilla/APKBUILD
index 16390071873..c107d5510e5 100644
--- a/main/linux-vanilla/APKBUILD
+++ b/main/linux-vanilla/APKBUILD
@@ -2,7 +2,7 @@
_flavor=vanilla
pkgname=linux-${_flavor}
-pkgver=4.19.118
+pkgver=4.19.176
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -17,6 +17,9 @@ options="!strip"
_config=${config:-config-vanilla.${CARCH}}
install=
source="https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver.tar.xz
+ 0001-arm64-Avoid-redundant-type-conversions-in-xchg-and-c.patch
+ 0002-arm64-Use-correct-ll-sc-atomic-constraints.patch
+
config-vanilla.aarch64
config-vanilla.armhf
config-vanilla.armv7
@@ -228,14 +231,16 @@ _dev() {
}
sha512sums="ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4 linux-4.19.tar.xz
-865231541bc54858a1a37b8106701fa7efdf09d2c67a2a62395c19a22d321f9b491b8added3aad391f92b885533ab90415b803c6f21a89cfc3d1da9a95cf31f2 config-vanilla.aarch64
+b6ca08d280358402f39e184ca4670e7f0216a8129ad54128ca92b3a8b0c1ac3ef04fa1a0ddbf0aee5f9a94ec4607e1e1f0e14d7684416fd04b0552b2aa39f986 0001-arm64-Avoid-redundant-type-conversions-in-xchg-and-c.patch
+2387d6abd2947a2aa8da51dce8b0eeb432b30ed6e7e26e43e6851011aa5a3a784d8a78cf09dfad9598cfd9608e1b722708787730f0714fa734acd87e0f0df82d 0002-arm64-Use-correct-ll-sc-atomic-constraints.patch
+0371a31ff6af76824bc443a253ebfad7594121a2081c94029fa60db3ac34057da1bc5ea9c2be647fd71732a4303c8e20981091e9b88e518b50f6f14baef8f141 config-vanilla.aarch64
60d58456547437829df739d0a58e0ae4b716d877e5e0b6512a5e60d0a2fba8c5adf14ef8f89c0dcb371d66e32a90796926be1cf6dd32779084796e071e5c1fd0 config-vanilla.armhf
60d58456547437829df739d0a58e0ae4b716d877e5e0b6512a5e60d0a2fba8c5adf14ef8f89c0dcb371d66e32a90796926be1cf6dd32779084796e071e5c1fd0 config-vanilla.armv7
e835acb24d8b395cfd29a7f1af1510df097d8a2315558ddd6f7eba7490f9763afbc64d2a9a084a367d53bce911413d603e577e957bcbf4e4a1066e57a51e6d70 config-vanilla.x86
ecbc5b5e2cc4b81a881cd543bc57ea691fc8600dc52d465085912c31d271c9a0e39926c1a06843706ad8907c147b7dbcb3b5324aaf4b9139baa61e51f1e6930a config-vanilla.x86_64
a805810bab50a5850248ae15f01cdadcf227cc808af472bc58e0c18305d1659e2e6f3796710beb22388dc5ea293e3cf4293daafa869e807dfe021710d7828e42 config-vanilla.ppc64le
cffd64189ec33ca8a93f81252d718a1f6699ca45e169315f91dba6ff3342d6c5fed20834a879f702f63afa76545a29bc27b1c4f368f1fbcc23d0ca7de0dc1b64 config-vanilla.s390x
-d2951cf4a4557512c5a10c9f3a3b0b7405e18fbe86684024dc2e7a54658f3474d6a188d314bc582dd50310b7a1f7218bfde4771b22033cddb63983836e4788e4 config-virt.aarch64
+9709525ae51b3bade186c64897f93e2fe90d878e5d94605320a9cc747b8a0e3164ecf6143c929d5be161648476bb36bdd7a371f7221ca9bf96f8d3f4e79b872d config-virt.aarch64
ee0dcae6e6f0db5342ce21fa4dd78acc417045a84d9758a7e6650d3bed5b4b304eea57b5d3e0a1109d04f79d02e9e7f4c9a69268d477ea6c4435df092cda8119 config-virt.x86
c2b17dbc82c3f995bb32428f42f63ab3f537289b6fd4d0395dc5112273636a1dbba9547f66a75e9e0773713e09c514148ddd3e1a216475b862295318861cfdf1 config-virt.x86_64
-55d9cf9dc2fe87ea0cb788a7c9abc71307be1b2420cd446e4281634c1fbb077510da2f067c12094f6c38c87bad26a39dd1d553e4afc9b73baa6a0ffa18eaafd2 patch-4.19.118.xz"
+9bb51df1822242aee8340b8d54b5d1eb9bab8c0fff37a5b671f2ab7d10e5b3f1bd9f6a7e13af600434cc406a42b6638a5659cc056917c44a158bf243b5383146 patch-4.19.176.xz"
diff --git a/main/linux-vanilla/config-vanilla.aarch64 b/main/linux-vanilla/config-vanilla.aarch64
index 5ef9347f8d7..df9042d3bdb 100644
--- a/main/linux-vanilla/config-vanilla.aarch64
+++ b/main/linux-vanilla/config-vanilla.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 4.19.118 Kernel Configuration
+# Linux/arm64 4.19.176 Kernel Configuration
#
#
@@ -378,6 +378,7 @@ CONFIG_ARM64_ERRATUM_845719=y
CONFIG_ARM64_ERRATUM_843419=y
CONFIG_ARM64_ERRATUM_1024718=y
CONFIG_ARM64_ERRATUM_1463225=y
+CONFIG_ARM64_ERRATUM_1542419=y
CONFIG_CAVIUM_ERRATUM_22375=y
CONFIG_CAVIUM_ERRATUM_23144=y
CONFIG_CAVIUM_ERRATUM_23154=y
@@ -2153,7 +2154,6 @@ CONFIG_BLK_DEV_SD=m
CONFIG_CHR_DEV_ST=m
CONFIG_CHR_DEV_OSST=m
CONFIG_BLK_DEV_SR=m
-CONFIG_BLK_DEV_SR_VENDOR=y
CONFIG_CHR_DEV_SG=m
CONFIG_CHR_DEV_SCH=m
CONFIG_SCSI_ENCLOSURE=m
@@ -3830,6 +3830,7 @@ CONFIG_SPI_SPIDEV=m
# CONFIG_SPI_LOOPBACK_TEST is not set
CONFIG_SPI_TLE62X0=m
# CONFIG_SPI_SLAVE is not set
+CONFIG_SPI_DYNAMIC=y
# CONFIG_SPMI is not set
# CONFIG_HSI is not set
CONFIG_PPS=y
@@ -5990,7 +5991,6 @@ CONFIG_USB_IDMOUSE=m
CONFIG_USB_FTDI_ELAN=m
# CONFIG_USB_APPLEDISPLAY is not set
CONFIG_USB_SISUSBVGA=m
-CONFIG_USB_SISUSBVGA_CON=y
CONFIG_USB_LD=m
# CONFIG_USB_TRANCEVIBRATOR is not set
CONFIG_USB_IOWARRIOR=m
@@ -6599,6 +6599,8 @@ CONFIG_TIMER_OF=y
CONFIG_TIMER_ACPI=y
CONFIG_TIMER_PROBE=y
CONFIG_CLKSRC_MMIO=y
+CONFIG_DW_APB_TIMER=y
+CONFIG_DW_APB_TIMER_OF=y
CONFIG_ROCKCHIP_TIMER=y
CONFIG_ARM_ARCH_TIMER=y
CONFIG_ARM_ARCH_TIMER_EVTSTREAM=y
@@ -7740,6 +7742,7 @@ CONFIG_BRANCH_PROFILE_NONE=y
# CONFIG_STACK_TRACER is not set
# CONFIG_BLK_DEV_IO_TRACE is not set
CONFIG_KPROBE_EVENTS=y
+# CONFIG_KPROBE_EVENTS_ON_NOTRACE is not set
CONFIG_UPROBE_EVENTS=y
CONFIG_PROBE_EVENTS=y
CONFIG_DYNAMIC_FTRACE=y
diff --git a/main/linux-vanilla/config-virt.aarch64 b/main/linux-vanilla/config-virt.aarch64
index 8cb928b1f20..36ead24c36e 100644
--- a/main/linux-vanilla/config-virt.aarch64
+++ b/main/linux-vanilla/config-virt.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 4.19.118 Kernel Configuration
+# Linux/arm64 4.19.176 Kernel Configuration
#
#
@@ -361,6 +361,7 @@ CONFIG_ARM64_ERRATUM_834220=y
CONFIG_ARM64_ERRATUM_843419=y
CONFIG_ARM64_ERRATUM_1024718=y
CONFIG_ARM64_ERRATUM_1463225=y
+CONFIG_ARM64_ERRATUM_1542419=y
CONFIG_CAVIUM_ERRATUM_22375=y
CONFIG_CAVIUM_ERRATUM_23144=y
CONFIG_CAVIUM_ERRATUM_23154=y
@@ -1849,7 +1850,6 @@ CONFIG_BLK_DEV_SD=m
# CONFIG_CHR_DEV_ST is not set
# CONFIG_CHR_DEV_OSST is not set
CONFIG_BLK_DEV_SR=m
-# CONFIG_BLK_DEV_SR_VENDOR is not set
CONFIG_CHR_DEV_SG=m
# CONFIG_CHR_DEV_SCH is not set
# CONFIG_SCSI_CONSTANTS is not set
diff --git a/main/mariadb-connector-c/APKBUILD b/main/mariadb-connector-c/APKBUILD
index 39abec9d8f7..7e81bf47f5d 100644
--- a/main/mariadb-connector-c/APKBUILD
+++ b/main/mariadb-connector-c/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb-connector-c
pkgver=3.0.10
-pkgrel=0
+pkgrel=1
pkgdesc="The MariaDB Native Client library (C driver)"
url="https://mariadb.org/"
arch="all"
@@ -10,12 +10,17 @@ depends_dev="openssl-dev zlib-dev"
makedepends="$depends_dev cmake"
replaces="mariadb-client-libs"
subpackages="$pkgname-dev"
-source="https://downloads.mariadb.org/interstitial/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz
+source="https://downloads.mariadb.com/Connectors/c/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz
cmake.patch
fix-ucontext-header.patch
+ CVE-2020-13249.patch
"
builddir="$srcdir/mariadb-connector-c-$pkgver-src"
+# secfixes:
+# 3.0.10-r1:
+# - CVE-2020-13249
+
build() {
cd "$builddir"
if [ "$CBUILD" != "$CHOST" ]; then
@@ -57,7 +62,7 @@ dev() {
replaces="mariadb-dev"
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-
sha512sums="1358d8f87e4693ef05d17915a399054ef40a1c9d58675b2704673fd40af843b366293c5b7d1e60c9335f68018c22d8aa86e41d90acebf1d4364229911dc8b6dc mariadb-connector-c-3.0.10-src.tar.gz
027a9d383ce27a527b77ac06b9505709cad8fe0173455863590f502996966300fedea87687630113d74e5b9be5349217b18206c2dbb89f7064129cb5417e44cf cmake.patch
-757a2d3531ee271cf5473671bf4d0ac07dc8eb94ab4b6ede848ba7a55415a77f90e7275103be91c73e343e94cdbf2cd652eb6cef6ed48917991733d60d3b8777 fix-ucontext-header.patch"
+757a2d3531ee271cf5473671bf4d0ac07dc8eb94ab4b6ede848ba7a55415a77f90e7275103be91c73e343e94cdbf2cd652eb6cef6ed48917991733d60d3b8777 fix-ucontext-header.patch
+4370a517bc082e5aca8ebc0abf1ace7742af6cffc7f0c12b70705b31885a573192bbac473a9d0322582e64a75698db86bd36db23558dd1c1e1eaf693632a559f CVE-2020-13249.patch"
diff --git a/main/mariadb-connector-c/CVE-2020-13249.patch b/main/mariadb-connector-c/CVE-2020-13249.patch
new file mode 100644
index 00000000000..8f58063c4ee
--- /dev/null
+++ b/main/mariadb-connector-c/CVE-2020-13249.patch
@@ -0,0 +1,154 @@
+diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
+index 4c1108b..1f04c35 100644
+--- a/libmariadb/mariadb_lib.c
++++ b/libmariadb/mariadb_lib.c
+@@ -76,6 +76,8 @@
+ #define ASYNC_CONTEXT_DEFAULT_STACK_SIZE (4096*15)
+ #define MA_RPL_VERSION_HACK "5.5.5-"
+
++#define CHARSET_NAME_LEN 64
++
+ #undef max_allowed_packet
+ #undef net_buffer_length
+ extern ulong max_allowed_packet; /* net.c */
+@@ -2029,6 +2031,7 @@ mysql_send_query(MYSQL* mysql, const char* query, unsigned long length)
+
+ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ {
++ uchar *end= mysql->net.read_pos+length;
+ size_t item_len;
+ mysql->affected_rows= net_field_length_ll(&pos);
+ mysql->insert_id= net_field_length_ll(&pos);
+@@ -2036,10 +2039,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ pos+=2;
+ mysql->warning_count=uint2korr(pos);
+ pos+=2;
+- if (pos < mysql->net.read_pos+length)
++ if (pos > end)
++ goto corrupted;
++ if (pos < end)
+ {
+ if ((item_len= net_field_length(&pos)))
+ mysql->info=(char*) pos;
++ if (pos + item_len > end)
++ goto corrupted;
+
+ /* check if server supports session tracking */
+ if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)
+@@ -2050,23 +2057,26 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (mysql->server_status & SERVER_SESSION_STATE_CHANGED)
+ {
+ int i;
+- if (pos < mysql->net.read_pos + length)
++ if (pos < end)
+ {
+ LIST *session_item;
+ MYSQL_LEX_STRING *str= NULL;
+ enum enum_session_state_type si_type;
+ uchar *old_pos= pos;
+- size_t item_len= net_field_length(&pos); /* length for all items */
++
++ item_len= net_field_length(&pos); /* length for all items */
++ if (pos + item_len > end)
++ goto corrupted;
++ end= pos + item_len;
+
+ /* length was already set, so make sure that info will be zero terminated */
+ if (mysql->info)
+ *old_pos= 0;
+
+- while (item_len > 0)
++ while (pos < end)
+ {
+ size_t plen;
+ char *data;
+- old_pos= pos;
+ si_type= (enum enum_session_state_type)net_field_length(&pos);
+ switch(si_type) {
+ case SESSION_TRACK_SCHEMA:
+@@ -2076,15 +2086,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (si_type != SESSION_TRACK_STATE_CHANGE)
+ net_field_length(&pos); /* ignore total length, item length will follow next */
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ if (!ma_multi_malloc(0,
+ &session_item, sizeof(LIST),
+ &str, sizeof(MYSQL_LEX_STRING),
+ &data, plen,
+ NULL))
+- {
+- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
+- return -1;
+- }
++ goto oom;
+ str->length= plen;
+ str->str= data;
+ memcpy(str->str, (char *)pos, plen);
+@@ -2107,29 +2116,28 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (!strncmp(str->str, "character_set_client", str->length))
+ set_charset= 1;
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ if (!ma_multi_malloc(0,
+ &session_item, sizeof(LIST),
+ &str, sizeof(MYSQL_LEX_STRING),
+ &data, plen,
+ NULL))
+- {
+- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
+- return -1;
+- }
++ goto oom;
+ str->length= plen;
+ str->str= data;
+ memcpy(str->str, (char *)pos, plen);
+ pos+= plen;
+ session_item->data= str;
+ mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item);
+- if (set_charset &&
++ if (set_charset && str->length < CHARSET_NAME_LEN &&
+ strncmp(mysql->charset->csname, str->str, str->length) != 0)
+ {
+- char cs_name[64];
+- MARIADB_CHARSET_INFO *cs_info;
++ char cs_name[CHARSET_NAME_LEN];
++ const MARIADB_CHARSET_INFO *cs_info;
+ memcpy(cs_name, str->str, str->length);
+ cs_name[str->length]= 0;
+- if ((cs_info = (MARIADB_CHARSET_INFO *)mysql_find_charset_name(cs_name)))
++ if ((cs_info = mysql_find_charset_name(cs_name)))
+ mysql->charset= cs_info;
+ }
+ }
+@@ -2137,10 +2145,11 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ default:
+ /* not supported yet */
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ pos+= plen;
+ break;
+ }
+- item_len-= (pos - old_pos);
+ }
+ }
+ for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++)
+@@ -2155,6 +2164,16 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ else if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)
+ ma_clear_session_state(mysql);
+ return(0);
++
++oom:
++ ma_clear_session_state(mysql);
++ SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
++ return -1;
++
++corrupted:
++ ma_clear_session_state(mysql);
++ SET_CLIENT_ERROR(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0);
++ return -1;
+ }
+
+ int mthd_my_read_query_result(MYSQL *mysql)
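Review bot: The added bounds checks are written as `pos + item_len > end` and `pos + plen > end` (the info-string check, the session-state total-length check, and the three per-item checks), which forms a pointer past the buffer before comparing it. The length is taken from the packet via net_field_length(), so a large enough value could make that addition wrap on a 32-bit build and let the check pass; the width of the returned value is not visible here and should be confirmed. Comparing the length with the space that remains avoids this: `if (pos > end || plen > (size_t)(end - pos)) goto corrupted;`, with the same form for `item_len`. ma_read_ok_packet appears only through the nested patch's hunks, so its unchanged parts are outside this review.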
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index cc3cc2ba7b7..e77bcaa4989 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -6,7 +6,7 @@
# Contributor: Marcel Haazen <marcel@haazen.xyz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.3.25
+pkgver=10.3.29
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -40,16 +40,25 @@ fi
source="https://downloads.mariadb.org/interstitial/mariadb-$pkgver/source/mariadb-$pkgver.tar.gz
$pkgname.initd
- fix-c11-atomics-check.patch
ppc-remove-glibc-dep.patch
pcre.cmake.patch
- disable-failing-test.patch
"
# dbug test fails under rootbld
#options="!check"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 10.3.29-r0:
+# - CVE-2021-2154
+# - CVE-2021-2166
+# 10.3.28-r0:
+# - CVE-2021-27928
+# 10.3.27-r0:
+# - CVE-2020-14765
+# - CVE-2020-14776
+# - CVE-2020-14789
+# - CVE-2020-14812
+# - CVE-2020-28912
# 10.3.25-r0:
# - CVE-2020-15180
# 10.3.23-r0:
@@ -443,9 +452,9 @@ _plugin_rocksdb() {
"$subpkgdir"/usr/lib/mariadb/plugin/ha_rocksdb.so
}
-sha512sums="9504e401db3b65b2b2bd4d3c91a468d357e82fdafbf90d54539a291e46570c2bed66ae047b17b9da95e925f8970fa048d329ba06c2dd6de7d46d5a0f2aad1f4d mariadb-10.3.25.tar.gz
+sha512sums="
+fe868cde5ac3536ff5bbf34f235253c79e897e61bb34f7fdaca8fa8fcdb83e4a19c615beab27d3fdb5daee64ac0c8f36ec7e8089a9422c8540f7e92b1999a769 mariadb-10.3.29.tar.gz
c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd
-ecfea6503edd301bb628e2a44f36315079efa70e7615ff06b27714397332034f02e68ef40d4d5c761942e024ed1993621127c9df80b7e2327c68b1d839a7a322 fix-c11-atomics-check.patch
e9ae4613f1d8c5f0a59b39a3548c46e50674ae78e7457d0e64c49f7e1573125c13634bbce7e29179bb8865a423171f852f43b96f7ef95619a95f02edcfc71efd ppc-remove-glibc-dep.patch
70da971aa78815495098205bcbd28428430aa83c3f1050fec0231ca86af9d9def2d2108a48ee08d86812c8dc5ad8ab1ef4e17a49b4936ed5187ae0f6a7ef8f63 pcre.cmake.patch
-0f5f2147e80b21abe65ccdee72b7d820ea1459112802e44f63d00d9247704d6a5562fce146a255e02f7367bc5d81cffe4e7c39758d533bf5ec9a6544a2a25738 disable-failing-test.patch"
+"
diff --git a/main/mariadb/disable-failing-test.patch b/main/mariadb/disable-failing-test.patch
deleted file mode 100644
index 4eeac251074..00000000000
--- a/main/mariadb/disable-failing-test.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/storage/maria/unittest/CMakeLists.txt b/storage/maria/unittest/CMakeLists.txt
-index a2da150..fd04ef4 100644
---- a/storage/maria/unittest/CMakeLists.txt
-+++ b/storage/maria/unittest/CMakeLists.txt
-@@ -60,10 +60,10 @@ ADD_EXECUTABLE(ma_test_loghandler_readonly-t
- ma_test_loghandler_multigroup-t.c ma_maria_log_cleanup.c ma_loghandler_examples.c sequence_storage.c)
- MY_ADD_TEST(ma_test_loghandler_readonly)
-
--SET_TARGET_PROPERTIES(ma_test_loghandler_readonly-t PROPERTIES COMPILE_FLAGS "-DREADONLY_TEST")
--ADD_EXECUTABLE(ma_test_loghandler_nologs-t
-- ma_test_loghandler_nologs-t.c ma_maria_log_cleanup.c ma_loghandler_examples.c)
--MY_ADD_TEST(ma_test_loghandler_nologs)
-+#SET_TARGET_PROPERTIES(ma_test_loghandler_readonly-t PROPERTIES COMPILE_FLAGS "-DREADONLY_TEST")
-+#ADD_EXECUTABLE(ma_test_loghandler_nologs-t
-+# ma_test_loghandler_nologs-t.c ma_maria_log_cleanup.c ma_loghandler_examples.c)
-+#MY_ADD_TEST(ma_test_loghandler_nologs)
-
- SET(ma_pagecache_single_src ma_pagecache_single.c test_file.c test_file.h)
- SET(ma_pagecache_consist_src ma_pagecache_consist.c test_file.c test_file.h)
diff --git a/main/mariadb/fix-c11-atomics-check.patch b/main/mariadb/fix-c11-atomics-check.patch
deleted file mode 100644
index 0566cb8cea6..00000000000
--- a/main/mariadb/fix-c11-atomics-check.patch
+++ /dev/null
@@ -1,67 +0,0 @@
---- a/configure.cmake
-+++ b/configure.cmake
-@@ -135,10 +135,11 @@
- IF(NOT LIBRT)
- MY_SEARCH_LIBS(clock_gettime rt LIBRT)
- ENDIF()
-+ MY_SEARCH_LIBS(__atomic_load_8 atomic LIBATOMIC)
- FIND_PACKAGE(Threads)
-
- SET(CMAKE_REQUIRED_LIBRARIES
-- ${LIBM} ${LIBNSL} ${LIBBIND} ${LIBCRYPT} ${LIBSOCKET} ${LIBDL} ${CMAKE_THREAD_LIBS_INIT} ${LIBRT} ${LIBEXECINFO})
-+ ${LIBM} ${LIBNSL} ${LIBBIND} ${LIBCRYPT} ${LIBSOCKET} ${LIBDL} ${LIBATOMIC} ${CMAKE_THREAD_LIBS_INIT} ${LIBRT} ${LIBEXECINFO})
- # Need explicit pthread for gcc -fsanitize=address
- IF(CMAKE_USE_PTHREADS_INIT AND CMAKE_C_FLAGS MATCHES "-fsanitize=")
- SET(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} pthread)
-@@ -919,14 +920,26 @@
- return 0;
- }"
- HAVE_GCC_ATOMIC_BUILTINS)
--CHECK_CXX_SOURCE_COMPILES("
-+
-+SET(MAIN__ATOMIC_LOAD_N "
- int main()
- {
- long long int var= 1;
- long long int *ptr= &var;
- return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
--}"
--HAVE_GCC_C11_ATOMICS)
-+}")
-+CHECK_CXX_SOURCE_COMPILES("${MAIN__ATOMIC_LOAD_N}" HAVE_GCC_C11_ATOMICS)
-+IF(HAVE_GCC_C11_ATOMICS AND HAVE_LIBATOMIC)
-+ SET(SAVE_CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES})
-+ LIST(REMOVE_ITEM CMAKE_REQUIRED_LIBRARIES "${LIBATOMIC}")
-+ CHECK_CXX_SOURCE_COMPILES("${MAIN__ATOMIC_LOAD_N}" HAVE_GCC_C11_INLINE_ATOMICS)
-+ IF(HAVE_GCC_C11_INLINE_ATOMICS)
-+ UNSET(HAVE_LIBATOMIC)
-+ UNSET(LIBATOMIC)
-+ ELSE()
-+ SET(CMAKE_REQUIRED_LIBRARIES ${SAVE_CMAKE_REQUIRED_LIBRARIES})
-+ ENDIF()
-+ENDIF()
-
- IF(WITH_VALGRIND)
- SET(HAVE_valgrind 1)
---- a/mysys/CMakeLists.txt
-+++ b/mysys/CMakeLists.txt
-@@ -75,7 +75,7 @@
-
- ADD_CONVENIENCE_LIBRARY(mysys ${MYSYS_SOURCES})
- TARGET_LINK_LIBRARIES(mysys dbug strings ${ZLIB_LIBRARY}
-- ${LIBNSL} ${LIBM} ${LIBRT} ${LIBDL} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
-+ ${LIBNSL} ${LIBM} ${LIBRT} ${LIBDL} ${LIBATOMIC} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
- DTRACE_INSTRUMENT(mysys)
-
- IF(HAVE_BFD_H)
---- a/storage/rocksdb/build_rocksdb.cmake
-+++ b/storage/rocksdb/build_rocksdb.cmake
-@@ -162,7 +162,7 @@
- if(WIN32)
- set(SYSTEM_LIBS ${SYSTEM_LIBS} Shlwapi.lib Rpcrt4.lib)
- else()
-- set(SYSTEM_LIBS ${CMAKE_THREAD_LIBS_INIT} ${LIBRT} ${LIBDL})
-+ set(SYSTEM_LIBS ${LIBATOMIC} ${CMAKE_THREAD_LIBS_INIT} ${LIBRT} ${LIBDL})
- endif()
-
- set(ROCKSDB_LIBS rocksdblib})
diff --git a/main/mbedtls/APKBUILD b/main/mbedtls/APKBUILD
index f145f2b13fd..0455d8bd273 100644
--- a/main/mbedtls/APKBUILD
+++ b/main/mbedtls/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mbedtls
-pkgver=2.16.8
+pkgver=2.16.9
pkgrel=0
pkgdesc="Light-weight cryptographic and SSL/TLS library"
url="https://tls.mbed.org"
@@ -81,4 +81,4 @@ static() {
chmod -x "$subpkgdir"/usr/lib/*.a
}
-sha512sums="645d58d42594a2b547b904634acc1e7e8583465e075c190183e1179638f05e1f8f5c56561ab172fed8dcec4a1742429663abdfdc25d607410ea64a35fbb22168 mbedtls-2.16.8.tar.gz"
+sha512sums="f72538851c7a24ac14b5c153220260a49a083bfff44a52e9c1e77c51109bac779b5b4caac21f995176fe8f9d27843f3495692d6c7e9dc733cbcec896823ff0e0 mbedtls-2.16.9.tar.gz"
diff --git a/main/mrxvt/APKBUILD b/main/mrxvt/APKBUILD
index 6c92f3ef5c2..56392906522 100644
--- a/main/mrxvt/APKBUILD
+++ b/main/mrxvt/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Mark Constable <markc@renta.net>
pkgname=mrxvt
pkgver=0.5.4
-pkgrel=7
+pkgrel=8
pkgdesc="A multi-tabbed X terminal emulator based on rxvt code"
url="http://materm.sourceforge.net/wiki/pmwiki.php"
arch="all"
@@ -13,9 +13,14 @@ source="
https://downloads.sourceforge.net/sourceforge/materm/$pkgname-$pkgver.tar.gz
mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
musl-fix-includes.patch
+ CVE-2021-33477.patch
mrxvt.desktop
"
+# secfixes:
+# 0.5.4-r8:
+# - CVE-2021-33477
+
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
@@ -58,15 +63,10 @@ package() {
install -Dm644 ../mrxvt.desktop $pkgdir/usr/share/applications/mrxvt.desktop
}
-md5sums="0232c8868484751dcb931a28f0756f69 mrxvt-0.5.4.tar.gz
-e4a8bb2521246aba85f8dcaa01aed527 mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
-762a151ed6d4f3ee6928678fda5b477f musl-fix-includes.patch
-6ba3bcd484c8dad1b0b48465ded54de3 mrxvt.desktop"
-sha256sums="f403ad5a908fcd38a55ed0a7e1b85584cb77be8781199653a39b8af1a9ad10d7 mrxvt-0.5.4.tar.gz
-578f52cf072574ccfc8d500fb4d5d3ce97d7ecf610ec0f7798b8a74850b18756 mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
-146201eb1f3e525eac3e287dae80575e20c3c09ed9d7c1d2d1f32414cd9ca8cd musl-fix-includes.patch
-3bdaed1adcd443347b01e3c976cd8c0923a75645ae75fcc4b5020dba07d20ac1 mrxvt.desktop"
-sha512sums="572bb4dda9f9b9dcb597f3185922646523bce34003f536acca82992f68f8f7c1a5f2778d626f805ea2cd061e8451fbbf12010e5d655221f76b83440825c80992 mrxvt-0.5.4.tar.gz
+sha512sums="
+572bb4dda9f9b9dcb597f3185922646523bce34003f536acca82992f68f8f7c1a5f2778d626f805ea2cd061e8451fbbf12010e5d655221f76b83440825c80992 mrxvt-0.5.4.tar.gz
27d8a9775a5ea6e5e0e588d84ab5c76cc76aaa4ebeb473950e8f6b3dbf660a380c2d2385356ab9bd12d2e00b98c467f99f8e1aac16c91f8ffa4e29a38124340a mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
4f2cf06484b1b364f7eb9f2acc629d2e600d4e614071fca5035d3654b083347f00162d2077496626fe4184dcac938b0b91f3ffe23f259b53ed475c4b8e85dbb0 musl-fix-includes.patch
-04e0f2e93449d2656e55bdbdf6742d50c625c86ba8e64062e40f447a077b3a01f457ea855a99df39b4a099b30517d4a8cc45e91de6300023d0072ee76ae2b375 mrxvt.desktop"
+0b299ba3c049e91619a59df4c53053cdea0b3000e633495843518d1676b146214fea567fa1d441aca023e8c6ef0447cd43c7a4c4c0a498121e562d3afbafc59f CVE-2021-33477.patch
+04e0f2e93449d2656e55bdbdf6742d50c625c86ba8e64062e40f447a077b3a01f457ea855a99df39b4a099b30517d4a8cc45e91de6300023d0072ee76ae2b375 mrxvt.desktop
+"
diff --git a/main/mrxvt/CVE-2021-33477.patch b/main/mrxvt/CVE-2021-33477.patch
new file mode 100644
index 00000000000..b1c6185a089
--- /dev/null
+++ b/main/mrxvt/CVE-2021-33477.patch
@@ -0,0 +1,41 @@
+--- mrxvt-0.5.4/src/command.c.orig
++++ mrxvt-0.5.4/src/command.c
+@@ -207,7 +207,9 @@
+ int rxvt_privcases (rxvt_t*, int, int, uint32_t);
+ void rxvt_process_terminal_mode (rxvt_t*, int, int, int, unsigned int, const int*);
+ void rxvt_process_sgr_mode (rxvt_t*, int, unsigned int, const int*);
++#if 0
+ void rxvt_process_graphics (rxvt_t*, int);
++#endif
+ void rxvt_process_getc (rxvt_t*, int, unsigned char);
+ /*--------------------------------------------------------------------*
+ * END `INTERNAL' ROUTINE PROTOTYPES *
+@@ -5029,10 +5031,12 @@
+ rxvt_scr_add_lines(r, page, (const unsigned char *)"\n\r", 1, 2);
+ break;
+
++#if 0
+ /* kidnapped escape sequence: Should be 8.3.48 */
+ case C1_ESA: /* ESC G */
+ rxvt_process_graphics(r, page);
+ break;
++#endif
+
+ /* 8.3.63: CHARACTER TABULATION SET */
+ case C1_HTS: /* ESC H */
+@@ -6671,6 +6675,7 @@
+ }
+ /*}}} */
+
++#if 0
+ /*{{{ process Rob Nation's own graphics mode sequences */
+ /* INTPROTO */
+ void
+@@ -6707,6 +6712,7 @@
+ printable characters. */
+ }
+ /*}}} */
++#endif
+
+ /* ------------------------------------------------------------------------- */
+
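Review bot: The three `#if 0` guards added around rxvt_process_graphics (the prototype, the `case C1_ESA` branch, and the function body) give no reason, so a later cleanup could re-enable the ESC G handler without knowing it was disabled for CVE-2021-33477. A comment on each guard would record that, e.g. `#if 0 /* disabled for CVE-2021-33477: ESC G graphics handler */`. The patch file also starts directly at the `---` line; a short header naming where the change comes from, like the `Patch-Source:` line in main/nginx/CVE-2021-23017.patch, would make it easier to audit.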
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index 0c5f569e3b3..6f0eb2a9efe 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -1,13 +1,14 @@
-# Contributor:
+# Contributor: Ariadne Conill <ariadne@dereferenced.org>
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=musl
pkgver=1.1.22
-pkgrel=3
+pkgrel=4
pkgdesc="the musl c library (libc) implementation"
url="http://www.musl-libc.org/"
arch="all"
license="MIT"
subpackages="$pkgname-dev $pkgname-dbg libc6-compat:compat:noarch"
+options="lib64"
case "$BOOTSTRAP" in
nocc) pkgname="musl-dev"; subpackages="";;
nolibc) ;;
@@ -17,6 +18,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
CVE-2019-14697.patch
handle-aux-at_base.patch
+ wcsnrtombs-cve-2020-28928.diff
+
ldconfig
__stack_chk_fail_local.c
getconf.c
@@ -25,6 +28,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
"
# secfixes:
+# 1.1.22-r4:
+# - CVE-2020-28928
# 1.1.22-r3:
# - CVE-2019-14697
# 1.1.15-r4:
@@ -153,6 +158,7 @@ compat() {
sha512sums="08a40d722672504427238e71c9e52a723c6a14735abe9581d6d4bb3f86662d5d51a3f32a6aed6420c1f9680e22a3a554a9b87ae342635be971e2db49cc9fdb87 musl-1.1.22.tar.gz
37ab61c96b940848e4114de105d87754c7039f52eb2fc19d8bf59c27f484bffbac8b4740e9478207eae03bd7416f7036e04197d0efe30ee5293b17d6d5c1cc15 CVE-2019-14697.patch
6a7ff16d95b5d1be77e0a0fbb245491817db192176496a57b22ab037637d97a185ea0b0d19da687da66c2a2f5578e4343d230f399d49fe377d8f008410974238 handle-aux-at_base.patch
+35dc5df28d90d1c84f9100116b63ba9e7fd44a20f512d12760da5e01f1aec4e799f726cbafb586bae568ff4f6d5a70948f1bf9fb901f1ca7dfcdf35c5d7510a6 wcsnrtombs-cve-2020-28928.diff
8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig
062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b __stack_chk_fail_local.c
0d80f37b34a35e3d14b012257c50862dfeb9d2c81139ea2dfa101d981d093b009b9fa450ba27a708ac59377a48626971dfc58e20a3799084a65777a0c32cbc7d getconf.c
diff --git a/main/musl/wcsnrtombs-cve-2020-28928.diff b/main/musl/wcsnrtombs-cve-2020-28928.diff
new file mode 100644
index 00000000000..8465f9422a8
--- /dev/null
+++ b/main/musl/wcsnrtombs-cve-2020-28928.diff
@@ -0,0 +1,65 @@
+diff --git a/src/multibyte/wcsnrtombs.c b/src/multibyte/wcsnrtombs.c
+index 676932b5..95e25e70 100644
+--- a/src/multibyte/wcsnrtombs.c
++++ b/src/multibyte/wcsnrtombs.c
+@@ -1,41 +1,33 @@
+ #include <wchar.h>
++#include <limits.h>
++#include <string.h>
+
+ size_t wcsnrtombs(char *restrict dst, const wchar_t **restrict wcs, size_t wn, size_t n, mbstate_t *restrict st)
+ {
+- size_t l, cnt=0, n2;
+- char *s, buf[256];
+ const wchar_t *ws = *wcs;
+- const wchar_t *tmp_ws;
+-
+- if (!dst) s = buf, n = sizeof buf;
+- else s = dst;
+-
+- while ( ws && n && ( (n2=wn)>=n || n2>32 ) ) {
+- if (n2>=n) n2=n;
+- tmp_ws = ws;
+- l = wcsrtombs(s, &ws, n2, 0);
+- if (!(l+1)) {
+- cnt = l;
+- n = 0;
++ size_t cnt = 0;
++ if (!dst) n=0;
++ while (ws && wn) {
++ char tmp[MB_LEN_MAX];
++ size_t l = wcrtomb(n<MB_LEN_MAX ? tmp : dst, *ws, 0);
++ if (l==-1) {
++ cnt = -1;
+ break;
+ }
+- if (s != buf) {
+- s += l;
++ if (dst) {
++ if (n<MB_LEN_MAX) {
++ if (l>n) break;
++ memcpy(dst, tmp, l);
++ }
++ dst += l;
+ n -= l;
+ }
+- wn = ws ? wn - (ws - tmp_ws) : 0;
+- cnt += l;
+- }
+- if (ws) while (n && wn) {
+- l = wcrtomb(s, *ws, 0);
+- if ((l+1)<=1) {
+- if (!l) ws = 0;
+- else cnt = l;
++ if (!*ws) {
++ ws = 0;
+ break;
+ }
+- ws++; wn--;
+- /* safe - this loop runs fewer than sizeof(buf) times */
+- s+=l; n-=l;
++ ws++;
++ wn--;
+ cnt += l;
+ }
+ if (dst) *wcs = ws;
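Review bot: The rewritten loop has no comment explaining the `tmp` buffer, which is the part that keeps the write inside `dst`: wcrtomb() is pointed at `tmp` whenever fewer than MB_LEN_MAX bytes remain, and the bytes are copied only if `l <= n`. A comment above the `wcrtomb` call would help, such as `/* convert into tmp when dst may be too small for one character; copy only what fits */`. `if (l==-1)` compares a size_t with an int and relies on the implicit conversion; `l == (size_t)-1` states the same test explicitly. The end of wcsnrtombs is outside the hunk.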
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index 7d3e58afd53..1339d3754bf 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -4,6 +4,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 1.16.1-r3:
+# - CVE-2021-23017
# 1.16.1-r2:
# - CVE-2019-20372
# 1.16.1-r0:
@@ -21,7 +23,7 @@ pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.16.1
-pkgrel=2
+pkgrel=3
# Revision of nginx-tests to use for check().
_tests_hgrev=2be630357aa7
_njs_ver=0.3.1
@@ -64,6 +66,7 @@ replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
$pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
$pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
+ CVE-2021-23017.patch
nginx.conf
default.conf
$pkgname.logrotate
@@ -331,6 +334,7 @@ _module() {
sha512sums="17e95b43fa47d4fef5e652dea587518e16ab5ec562c9c94355c356440166d4b6a6a41ee520d406e5a34791a327d2e3c46b3f9b105ac9ce07afdd495c49eca437 nginx-1.16.1.tar.gz
dfc558537847ab322d9e88f9b3141edc7f4391b42f672358f10ddba31b90d4e271b73c79b437cfc45d4db3932049379a1c3269953bdaafb7b4e24e436b46e4bf nginx-tests-2be630357aa7.tar.gz
d6fddcfee8e9fdbc4bdc7c945721d5751c22075da35cadc27689069bbf5d763ed1630050daecc2fa22606a0bcd3990aea4ce16bbc85581d685888f3d009789fb nginx-njs-0.3.1.tar.gz
+b8ed5dedc55f4e1c60f3c0b97836096e83a9f928b13c125fe568f5d369bb35535224c7def05677f04adc9733a983ac9cc8aa2c7af94468085eb3121c1817dc45 CVE-2021-23017.patch
ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate
diff --git a/main/nginx/CVE-2021-23017.patch b/main/nginx/CVE-2021-23017.patch
new file mode 100644
index 00000000000..9d551c26d64
--- /dev/null
+++ b/main/nginx/CVE-2021-23017.patch
@@ -0,0 +1,25 @@
+Patch-Source: http://nginx.org/download/patch.2021.resolver.txt
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+ n = *src++;
+
+ } else {
++ if (dst != name->data) {
++ *dst++ = '.';
++ }
++
+ ngx_strlow(dst, src, n);
+ dst += n;
+ src += n;
+
+ n = *src++;
+-
+- if (n != 0) {
+- *dst++ = '.';
+- }
+ }
+
+ if (n == 0) {
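Review bot: Nothing in this hunk says why the `'.'` moved from after a label to before it, and the buffer sizing it has to agree with is outside the hunk. A comment at the new `if (dst != name->data)` would record the invariant, e.g. `/* separator precedes every label but the first, so none is written after the last label */`. Presumably the allocation earlier in the function counts one separator between labels; that should be confirmed against the length pass, which is not shown here.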
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index 19e80ed7d52..e5c439a31d4 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -6,6 +6,8 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 10.24.1-r0:
+# - CVE-2020-7774
# 10.19.0-r0:
# - CVE-2019-15606
# - CVE-2019-15605
@@ -48,14 +50,13 @@
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=10.19.0
+pkgver=10.24.1
pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
arch="all !mips64 !mips64el"
license="MIT"
depends="ca-certificates"
-depends_dev="libuv"
# gold is needed for mksnapshot
makedepends="$depends_dev python2 openssl-dev zlib-dev libuv-dev linux-headers
paxmark binutils-gold http-parser-dev ca-certificates c-ares-dev"
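Review bot: `makedepends` still lists `libuv-dev` and still expands `$depends_dev`, although this hunk deletes `depends_dev="libuv"` and the build() hunk further down drops `--shared-libuv`. With the bundled libuv in use the system headers are presumably no longer needed, so the first line could read `makedepends="python2 openssl-dev zlib-dev linux-headers`; whether anything else in the build still needs libuv-dev is not visible here. Leaving it in means the build environment carries a library the package no longer links against.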
@@ -72,7 +73,7 @@ prepare() {
default_prepare
# Remove bundled dependencies that we're not using.
- rm -rf deps/http_parser deps/openssl deps/uv deps/zlib
+ rm -rf deps/http_parser deps/openssl deps/zlib
}
build() {
@@ -82,10 +83,13 @@ build() {
mips*) _carchflags="--with-mips-arch-variant=r1 --with-mips-float-abi=soft";;
esac
+ # NOTE: We use bundled libuv because they don't care much about backward
+ # compatibility and it has happened several times in past that we
+ # couldn't upgrade nodejs package in stable branches to fix CVEs due to
+ # libuv incompatibility.
./configure --prefix=/usr \
$_carchflags \
--shared-zlib \
- --shared-libuv \
--shared-openssl \
--shared-http-parser \
--shared-cares \
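Review bot: The added NOTE gives the compatibility reason for bundling libuv but not the consequence for security updates: once `--shared-libuv` is gone, a fix shipped in the system libuv package no longer reaches nodejs. Extending the comment would keep that visible to whoever handles the next libuv advisory, e.g. `# Security fixes in libuv must therefore be picked up by upgrading or patching nodejs itself.` build() continues outside the hunk.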
@@ -149,6 +153,6 @@ npm() {
mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
}
-sha512sums="59f584e27dfd99453a031722ca3e094d658a90e77316a85a7048868fe6a6164b8aef0f03b60cbe681ace273d902434210bf3cd10a638583b74264d8b42bf2565 node-v10.19.0.tar.gz
-9d09a88074bf0093f35c5b610e73ebf4c5381df2a2b29feb69da1af0b18776a683b13f1276375bbcfc60936cc27769539e1f01b4ba94b22cad2d5f4daae14c46 dont-run-gyp-files-for-bundled-deps.patch
+sha512sums="1ce82fd404a434e48ebd16dc83792a4b3cff18433c1cce53b09b85dda2fbf1abf372574e3ab113e99c884012caadc13b246698ce071aaa329577bc08cdc2be46 node-v10.24.1.tar.gz
+c27cb338eea8c817042d58b8fbadc234fb586f490020677f28f900ade31d2f4dd7bcdd4e52fddf209d9221b7e1fa57f629bd38787456995413cee79311f9571f dont-run-gyp-files-for-bundled-deps.patch
4fd3f10bd82d1e851ed000169c2635c001a4a051283edf96f1efb2260e2d395199dd5843f79f1cff8f2c0c65462c44241c508ea67835dfbd9880d9196fae290a link-with-libatomic-on-mips32.patch"
diff --git a/main/nodejs/dont-run-gyp-files-for-bundled-deps.patch b/main/nodejs/dont-run-gyp-files-for-bundled-deps.patch
index ace84fbdefe..2c2ebe22213 100644
--- a/main/nodejs/dont-run-gyp-files-for-bundled-deps.patch
+++ b/main/nodejs/dont-run-gyp-files-for-bundled-deps.patch
@@ -15,7 +15,7 @@ Node.js 7.2.0
-out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp \
- deps/zlib/zlib.gyp deps/v8/gypfiles/toolchain.gypi \
-+out/Makefile: common.gypi deps/v8/gypfiles/toolchain.gypi \
++out/Makefile: common.gypi deps/uv/uv.gyp deps/v8/gypfiles/toolchain.gypi \
deps/v8/gypfiles/features.gypi deps/v8/gypfiles/v8.gyp node.gyp \
config.gypi
$(PYTHON) tools/gyp_node.py -f make
diff --git a/main/nrpe/APKBUILD b/main/nrpe/APKBUILD
index da004c910de..082d81c16a4 100644
--- a/main/nrpe/APKBUILD
+++ b/main/nrpe/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Jeff Bilyk <jbilyk@gmail.com>
pkgname=nrpe
pkgver=3.2.1
-pkgrel=1
+pkgrel=3
pkgusers="nagios"
pkggroups="nagios"
pkgdesc="NRPE allows you to remotely execute Nagios plugins on other Linux/Unix machines."
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index 14ebbaf04a4..a7dd0f3fdab 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
-pkgver=2.3.1
-pkgrel=4
+pkgver=2.4.0
+pkgrel=1
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="https://www.openjpeg.org/"
arch="all"
@@ -11,10 +11,7 @@ makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake"
subpackages="$pkgname-dev $pkgname-tools"
source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
fix-cmakelists.patch
- CVE-2020-6851.patch
- CVE-2020-8112.patch
- CVE-2019-12973.patch
- CVE-2020-15389.patch
+ CVE-2021-29338.patch::https://github.com/uclouvain/openjpeg/commit/b4700bc09d55ac17ff6bef9b0a867f6de527be17.patch
"
build() {
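Review bot: `CVE-2021-29338.patch` is fetched at build time from a GitHub `/commit/<sha>.patch` URL, while the other CVE patches added in this commit are stored in their package directories. The sha512sums entry pins its content, so a changed download fails rather than being applied, but the text GitHub generates for that URL is not guaranteed to stay byte-identical, and the build then depends on that host being reachable. Storing the patch as a local file and listing it as plain `CVE-2021-29338.patch` in `source` would match the entries this hunk removes and keep the fix reviewable in the repository.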
@@ -26,6 +23,14 @@ build() {
}
# secfixes:
+# 2.4.0-r1:
+# - CVE-2021-29338
+# 2.4.0-r0:
+# - CVE-2020-27844
+# 2.3.1-r5:
+# - CVE-2020-27814
+# - CVE-2020-27823
+# - CVE-2020-27824
# 2.3.1-r4:
# - CVE-2019-12973
# - CVE-2020-15389
@@ -64,9 +69,6 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03 openjpeg-2.3.1.tar.gz
+sha512sums="55daab47d33823af94e32e5d345b52c251a5410f0c8e0a13b693f17899eedc8b2bb107489ddcba9ab78ef17dfd7cd80d3c5ec80c1e429189cb041124b67e07a8 openjpeg-2.4.0.tar.gz
b50cd382d08647db18f202769aae7df87613a18143a30e360e8f00aba1ec1b7fd0a153685dbea3950bc5623b06c314326777c4fb7aff56adfc6b17bc74c933e5 fix-cmakelists.patch
-c8ffc926d91392b38250fd4e00fff5f93fbf5e17487d0e4a0184c9bd191aa2233c5c5dcf097dd62824714097bba2d8cc865bed31193d1a072aa954f216011297 CVE-2020-6851.patch
-9659e04087e0d80bf53555e9807aae59205adef2d49d7a49e05bf250c484a2e92132d471ec6076e57ca69b5ce98fd81462a6a8c01205ca7096781eec06e401cc CVE-2020-8112.patch
-472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch
-f36ea384272b3918d194f7d64bcc321a66fa6ebb2d73ece3d69225f883ec8a2777284f633902cf954f9a847bd758da2c36c74d8ef28c4cd82a3bf076e326c611 CVE-2020-15389.patch"
+94ca747f6655a9b927d50cceb82529c36e0d4ef3f883b76b7f1aacc0784dce5df3cc7ba21ff888077873e0c3029f0ac505f0c741cbe225edb3880790527f5d81 CVE-2021-29338.patch"
diff --git a/main/openjpeg/CVE-2019-12973.patch b/main/openjpeg/CVE-2019-12973.patch
deleted file mode 100644
index 0d330ae6d92..00000000000
--- a/main/openjpeg/CVE-2019-12973.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001
-From: Young Xiao <YangX92@hotmail.com>
-Date: Sat, 16 Mar 2019 19:57:27 +0800
-Subject: [PATCH 1/2] convertbmp: detect invalid file dimensions early
-
-width/length dimensions read from bmp headers are not necessarily
-valid. For instance they may have been maliciously set to very large
-values with the intention to cause DoS (large memory allocation, stack
-overflow). In these cases we want to detect the invalid size as early
-as possible.
-
-This commit introduces a counter which verifies that the number of
-written bytes corresponds to the advertized width/length.
-
-See commit 8ee335227bbc for details.
-
-Signed-off-by: Young Xiao <YangX92@hotmail.com>
----
- src/bin/jp2/convertbmp.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index 0af52f816..ec34f535b 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
- OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
- {
-- OPJ_UINT32 x, y;
-+ OPJ_UINT32 x, y, written;
- OPJ_UINT8 *pix;
- const OPJ_UINT8 *beyond;
-
- beyond = pData + stride * height;
- pix = pData;
-- x = y = 0U;
-+ x = y = written = 0U;
- while (y < height) {
- int c = getc(IN);
- if (c == EOF) {
-@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
- for (j = 0; (j < c) && (x < width) &&
- ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
- *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
-+ written++;
- }
- } else { /* absolute mode */
- c = getc(IN);
-@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
- c1 = (OPJ_UINT8)getc(IN);
- }
- *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
-+ written++;
- }
- if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
- getc(IN);
-@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
- }
- }
- } /* while(y < height) */
-+ if (written != width * height) {
-+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
-+ return OPJ_FALSE;
-+ }
- return OPJ_TRUE;
- }
-
-
-From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001
-From: Young Xiao <YangX92@hotmail.com>
-Date: Sat, 16 Mar 2019 20:09:59 +0800
-Subject: [PATCH 2/2] bmp_read_rle4_data(): avoid potential infinite loop
-
----
- src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------
- 1 file changed, 26 insertions(+), 6 deletions(-)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index ec34f535b..2fc4e9bc4 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
- while (y < height) {
- int c = getc(IN);
- if (c == EOF) {
-- break;
-+ return OPJ_FALSE;
- }
-
- if (c) { /* encoded mode */
-- int j;
-- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN);
-+ int j, c1_int;
-+ OPJ_UINT8 c1;
-+
-+ c1_int = getc(IN);
-+ if (c1_int == EOF) {
-+ return OPJ_FALSE;
-+ }
-+ c1 = (OPJ_UINT8)c1_int;
-
- for (j = 0; (j < c) && (x < width) &&
- ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
-@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
- } else { /* absolute mode */
- c = getc(IN);
- if (c == EOF) {
-- break;
-+ return OPJ_FALSE;
- }
-
- if (c == 0x00) { /* EOL */
-@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
- break;
- } else if (c == 0x02) { /* MOVE by dxdy */
- c = getc(IN);
-+ if (c == EOF) {
-+ return OPJ_FALSE;
-+ }
- x += (OPJ_UINT32)c;
- c = getc(IN);
-+ if (c == EOF) {
-+ return OPJ_FALSE;
-+ }
- y += (OPJ_UINT32)c;
- pix = pData + y * stride + x;
- } else { /* 03 .. 255 : absolute mode */
-@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
- for (j = 0; (j < c) && (x < width) &&
- ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
- if ((j & 1) == 0) {
-- c1 = (OPJ_UINT8)getc(IN);
-+ int c1_int;
-+ c1_int = getc(IN);
-+ if (c1_int == EOF) {
-+ return OPJ_FALSE;
-+ }
-+ c1 = (OPJ_UINT8)c1_int;
- }
- *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
- written++;
- }
- if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
-- getc(IN);
-+ c = getc(IN);
-+ if (c == EOF) {
-+ return OPJ_FALSE;
-+ }
- }
- }
- }
diff --git a/main/openjpeg/CVE-2020-15389.patch b/main/openjpeg/CVE-2020-15389.patch
deleted file mode 100644
index f5737a3b245..00000000000
--- a/main/openjpeg/CVE-2020-15389.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 28 Jun 2020 14:19:59 +0200
-Subject: [PATCH] opj_decompress: fix double-free on input directory with mix
- of valid and invalid images (CVE-2020-15389)
-
-Fixes #1261
-
-Credits to @Ruia-ruia for reporting and analysis.
----
- src/bin/jp2/opj_decompress.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
-index 7eeb0952f..2634907f0 100644
---- a/src/bin/jp2/opj_decompress.c
-+++ b/src/bin/jp2/opj_decompress.c
-@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original)
- int main(int argc, char **argv)
- {
- opj_decompress_parameters parameters; /* decompression parameters */
-- opj_image_t* image = NULL;
-- opj_stream_t *l_stream = NULL; /* Stream */
-- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */
-- opj_codestream_index_t* cstr_index = NULL;
-
- OPJ_INT32 num_images, imageno;
- img_fol_t img_fol;
-@@ -1393,6 +1389,10 @@ int main(int argc, char **argv)
-
- /*Decoding image one by one*/
- for (imageno = 0; imageno < num_images ; imageno++) {
-+ opj_image_t* image = NULL;
-+ opj_stream_t *l_stream = NULL; /* Stream */
-+ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */
-+ opj_codestream_index_t* cstr_index = NULL;
-
- if (!parameters.quiet) {
- fprintf(stderr, "\n");
diff --git a/main/openjpeg/CVE-2020-6851.patch b/main/openjpeg/CVE-2020-6851.patch
deleted file mode 100644
index 9a70291f50e..00000000000
--- a/main/openjpeg/CVE-2020-6851.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 11 Jan 2020 01:51:19 +0100
-Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
- coordinates are beyond INT_MAX (fixes #1228)
-
----
- src/lib/openjp2/j2k.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index 14f6ff41a..922550eb1 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
- l_img_comp = p_image->comps;
- for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
- OPJ_INT32 l_h, l_w;
-+ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
-+ p_image->y0 > (OPJ_UINT32)INT_MAX ||
-+ p_image->x1 > (OPJ_UINT32)INT_MAX ||
-+ p_image->y1 > (OPJ_UINT32)INT_MAX) {
-+ opj_event_msg(p_manager, EVT_ERROR,
-+ "Image coordinates above INT_MAX are not supported\n");
-+ return OPJ_FALSE;
-+ }
-
- l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
- (OPJ_INT32)l_img_comp->dx);
diff --git a/main/openjpeg/CVE-2020-8112.patch b/main/openjpeg/CVE-2020-8112.patch
deleted file mode 100644
index 95cb8095f56..00000000000
--- a/main/openjpeg/CVE-2020-8112.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 30 Jan 2020 00:59:57 +0100
-Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
-
-That could lead to later assertion failures.
-
-Fixes #1231 / CVE-2020-8112
----
- src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
- 1 file changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
-index deecc4dff..aa419030a 100644
---- a/src/lib/openjp2/tcd.c
-+++ b/src/lib/openjp2/tcd.c
-@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
- /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
- l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
- l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
-- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
-- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
-+ {
-+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
-+ (OPJ_INT32)l_pdx)) << l_pdx;
-+ if (tmp > (OPJ_UINT32)INT_MAX) {
-+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
-+ return OPJ_FALSE;
-+ }
-+ l_br_prc_x_end = (OPJ_INT32)tmp;
-+ }
-+ {
-+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
-+ (OPJ_INT32)l_pdy)) << l_pdy;
-+ if (tmp > (OPJ_UINT32)INT_MAX) {
-+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
-+ return OPJ_FALSE;
-+ }
-+ l_br_prc_y_end = (OPJ_INT32)tmp;
-+ }
- /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
-
- l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD
index 96919975906..ea555831242 100644
--- a/main/openldap/APKBUILD
+++ b/main/openldap/APKBUILD
@@ -2,6 +2,10 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 2.4.48-r2:
+# - CVE-2020-25709
+# - CVE-2020-25710
+# - CVE-2020-25692
# 2.4.48-r1:
# - CVE-2020-12243
# 2.4.48-r0:
@@ -15,7 +19,7 @@
#
pkgname=openldap
pkgver=2.4.48
-pkgrel=1
+pkgrel=2
pkgdesc="LDAP Server"
url="http://www.openldap.org/"
arch="all"
@@ -37,11 +41,14 @@ source="https://www.openldap.org/software/download/OpenLDAP/$pkgname-release/$pk
fix-manpages.patch
configs.patch
cacheflush.patch
+ CVE-2020-25709.patch
+ CVE-2020-25710.patch
+ CVE-2020-25692.patch
+ CVE-2020-12243.patch
slapd.initd
slapd.confd
- CVE-2020-12243.patch::https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440.patch
"
# SLAPD backends
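Review bot: The new `source` entries list `CVE-2020-25709.patch` before `CVE-2020-25710.patch`, which is the reverse of the order in which the two upstream commits were made against `servers/slapd/schema_init.c`. The index line of the 25709 patch starts from blob `ea0d67aa6`, which is the blob the 25710 patch produces. Both should still apply because they touch distant parts of the file, but the second one will only match at a line offset. Listing `CVE-2020-25710.patch` first would mirror upstream history and let both apply cleanly. A short comment above the entries, such as `# schema_init.c patches: keep in upstream commit order`, would prevent a later reshuffle.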
@@ -227,6 +234,9 @@ sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be79
8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch
0d2e570ddcb7ace1221abad9fc1d3dd0d00d6948340df69879b449959a68feee6a0ad8e17ef9971b35986293e16fc9d8e88de81815fedd5ea6a952eb085406ca configs.patch
60c1ec62003a33036de68402544e25a71715ed124a3139056a94ed1ba02fb8148ee510ab8f182a308105a2f744b9787e67112bcd8cd0d800cdb6f5409c4f63ff cacheflush.patch
+61d2d02b733011eefaac0681b7f6274e416dac4d420b354e37f51b07cc42dab61c798fbe5fab36f47079962046f309373b41886b4632e86dc08d5bfe59b275f7 CVE-2020-25709.patch
+abb7f43b6379fe6c03e583dc3a2c861c573ad6b83710954e35928e0449a1b78e259d8d5c6b7c33747b347ab67388d4894980a954d5ddb24b51a693b9c43798f2 CVE-2020-25710.patch
+023b32e1a8e61c96b77723dfe39d33de170af684e29defdb34c14719b77fa0e9a101f8aaafe378afb30bf5ca732cf7209ef291089d7524b2301a97c102f5f6e4 CVE-2020-25692.patch
+fddf5cf57c5b4b1d0e148ce850aafe5791dd7772727c824e858fe97e375871d2d3f622894d978444f7c5d8d64160c6fd766ae91de5eac3eb7f5292ceaaf599ea CVE-2020-12243.patch
0c3606e4dad1b32f1c4b62f2bc1990a4c9f7ccd10c7b50e623309ba9df98064e68fc42a7242450f32fb6e5fa2203609d3d069871b5ae994cd4b227a078c93532 slapd.initd
-64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd
-d4d8bec1c23c73e7126462bfe2e51cb603d1e83be4c64698ac167f221d515554b3b0e311f9789450b5c4c206c09cbdad1842b0b5b2364919967195da4ea6d833 CVE-2020-12243.patch"
+64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd"
diff --git a/main/openldap/CVE-2020-12243.patch b/main/openldap/CVE-2020-12243.patch
new file mode 100644
index 00000000000..d8e10f5bc66
--- /dev/null
+++ b/main/openldap/CVE-2020-12243.patch
@@ -0,0 +1,125 @@
+From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Apr 2020 01:08:19 +0100
+Subject: [PATCH] ITS#9202 limit depth of nested filters
+
+Using a hardcoded limit for now; no reasonable apps
+should ever run into it.
+---
+ servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index 3252cf2a7..ed57bbd7b 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -37,11 +37,16 @@
+ const Filter *slap_filter_objectClass_pres;
+ const struct berval *slap_filterstr_objectClass_pres;
+
++#ifndef SLAPD_MAX_FILTER_DEPTH
++#define SLAPD_MAX_FILTER_DEPTH 5000
++#endif
++
+ static int get_filter_list(
+ Operation *op,
+ BerElement *ber,
+ Filter **f,
+- const char **text );
++ const char **text,
++ int depth );
+
+ static int get_ssa(
+ Operation *op,
+@@ -80,12 +85,13 @@ filter_destroy( void )
+ return;
+ }
+
+-int
+-get_filter(
++static int
++get_filter0(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ ber_tag_t tag;
+ ber_len_t len;
+@@ -126,6 +132,11 @@ get_filter(
+ *
+ */
+
++ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
++ *text = "filter nested too deeply";
++ return SLAPD_DISCONNECT;
++ }
++
+ tag = ber_peek_tag( ber, &len );
+
+ if( tag == LBER_ERROR ) {
+@@ -221,7 +232,7 @@ get_filter(
+
+ case LDAP_FILTER_AND:
+ Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_and, text );
++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -234,7 +245,7 @@ get_filter(
+
+ case LDAP_FILTER_OR:
+ Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_or, text );
++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -248,7 +259,7 @@ get_filter(
+ case LDAP_FILTER_NOT:
+ Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
+ (void) ber_skip_tag( ber, &len );
+- err = get_filter( op, ber, &f.f_not, text );
++ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -311,10 +322,22 @@ get_filter(
+ return( err );
+ }
+
++int
++get_filter(
++ Operation *op,
++ BerElement *ber,
++ Filter **filt,
++ const char **text )
++{
++ return get_filter0( op, ber, filt, text, 0 );
++}
++
++
+ static int
+ get_filter_list( Operation *op, BerElement *ber,
+ Filter **f,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ Filter **new;
+ int err;
+@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
+ tag != LBER_DEFAULT;
+ tag = ber_next_element( ber, &len, last ) )
+ {
+- err = get_filter( op, ber, new, text );
++ err = get_filter0( op, ber, new, text, depth );
+ if ( err != LDAP_SUCCESS )
+ return( err );
+ new = &(*new)->f_next;
+--
+GitLab
+
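Review bot: The limit added in `get_filter0` only helps if `SLAPD_MAX_FILTER_DEPTH` levels of recursion fit in the stack of the thread that decodes the filter, and nothing in this patch shows that 5000 does. Each nesting level costs at least one `get_filter0` frame, plus a `get_filter_list` frame for AND/OR, so the margin depends on the stack size slapd gets in this build, which may be small with this distribution's libc. Because the define is wrapped in `#ifndef`, the package can pin a lower value from the build flags (`-DSLAPD_MAX_FILTER_DEPTH=<value chosen for the packaged stack size>`) without touching the patch. A comment above the define would record the assumption: `/* must stay well below what a worker thread stack can hold */`.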
diff --git a/main/openldap/CVE-2020-25692.patch b/main/openldap/CVE-2020-25692.patch
new file mode 100644
index 00000000000..941a4f56be3
--- /dev/null
+++ b/main/openldap/CVE-2020-25692.patch
@@ -0,0 +1,27 @@
+From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 19 Oct 2020 14:03:41 +0100
+Subject: [PATCH] ITS#9370 check for equality rule on old_rdn
+
+Just skip normalization if there's no equality rule. We accept
+DNs without equality rules already.
+---
+ servers/slapd/modrdn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
+index c73dd8dba..a22975540 100644
+--- a/servers/slapd/modrdn.c
++++ b/servers/slapd/modrdn.c
+@@ -505,7 +505,7 @@ slap_modrdn2mods(
+ mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value );
+ mod_tmp->sml_values[1].bv_val = NULL;
+- if( desc->ad_type->sat_equality->smr_normalize) {
++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) {
+ mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+--
+GitLab
+
diff --git a/main/openldap/CVE-2020-25709.patch b/main/openldap/CVE-2020-25709.patch
new file mode 100644
index 00000000000..d38c9d241da
--- /dev/null
+++ b/main/openldap/CVE-2020-25709.patch
@@ -0,0 +1,26 @@
+From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 13:12:10 +0000
+Subject: [PATCH] ITS#9383 remove assert in certificateListValidate
+
+---
+ servers/slapd/schema_init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index ea0d67aa6..28f9e71a1 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in )
+ /* Optional version */
+ if ( tag == LBER_INTEGER ) {
+ tag = ber_get_int( ber, &version );
+- assert( tag == LBER_INTEGER );
+- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ }
+ tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+--
+GitLab
+
diff --git a/main/openldap/CVE-2020-25710.patch b/main/openldap/CVE-2020-25710.patch
new file mode 100644
index 00000000000..9b9bae8b31f
--- /dev/null
+++ b/main/openldap/CVE-2020-25710.patch
@@ -0,0 +1,27 @@
+From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 16:01:14 +0000
+Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23()
+
+---
+ servers/slapd/schema_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 5812bc4b6..ea0d67aa6 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -5327,8 +5327,8 @@ csnNormalize23(
+ }
+ *ptr = '\0';
+
+- assert( ptr == &bv.bv_val[bv.bv_len] );
+- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
++ if ( ptr != &bv.bv_val[bv.bv_len] ||
++ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+--
+GitLab
+
diff --git a/main/openrc/APKBUILD b/main/openrc/APKBUILD
index d647c6eb4e7..3813917c647 100644
--- a/main/openrc/APKBUILD
+++ b/main/openrc/APKBUILD
@@ -2,7 +2,7 @@
pkgname=openrc
pkgver=0.41.2
_ver=${pkgver/_git*/}
-pkgrel=1
+pkgrel=2
pkgdesc="OpenRC manages the services, startup and shutdown of a host"
url="https://github.com/OpenRC/openrc"
arch="all"
@@ -25,6 +25,8 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve
0009-Support-early-loading-of-keymap-if-kdb-is-installed.patch
0010-Allow-0-respawn-max.patch
+ CVE-2018-21269.patch
+
openrc.logrotate
hostname.initd
hwdrivers.initd
@@ -37,6 +39,10 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve
"
builddir="$srcdir/$pkgname-$_ver"
+# secfixes:
+# 0.41.2-r2:
+# - CVE-2018-21269
+
prepare() {
default_prepare
sed -i -e '/^sed/d' "$builddir"/pkgconfig/Makefile
@@ -113,8 +119,8 @@ zshcomp() {
"$subpkgdir"/usr/share/zsh
rm -rf "$pkgdir"/usr/share/zsh
}
-
-sha512sums="ebfa691cae4704bb3023ea0508a712a45b8c20809828729dfa5292e96f3fd1b309813d80d7c286d0c09680bf5378aba40cfd994f27951f43a3ffb1fd0d69a58b openrc-0.41.2.tar.gz
+sha512sums="
+ebfa691cae4704bb3023ea0508a712a45b8c20809828729dfa5292e96f3fd1b309813d80d7c286d0c09680bf5378aba40cfd994f27951f43a3ffb1fd0d69a58b openrc-0.41.2.tar.gz
71fce711adbcb411189a089f1d49567c50348e12c42b7a9c9b582dae5d18051f88ccf81c768337e87d6792d953e84d1e8b93d7978a1947d7d20ef3b1cd330875 0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch
b1cedd38badda4fc308decdff06f9644b96fe35617792da8d6d62407409841705fd71b5b57d1804a6395095604a70898f80830c76395ec99f715038a0809d815 0002-force-root-be-rw-before-localmount.patch
9dea3fcdb90e3e8078a771beefeba3ca91b9966a1b8ee9ff96cf460e7dd21abbc4a46a501a960c3edf5a76c083c2cf60ccb06d9da7a4c6df2a50660745beb278 0003-sysctl-add-compatibility-for-busybox-sysctl.patch
@@ -125,6 +131,7 @@ dbe3f170440f0f357f31ac4d49c56a9a7ec22172df2701bf4a0afdee22aedda1f88b9fa5ffdbe19a
d2b8700f56b05579926352855de8fcee5cf78f0c13200643a5195f8c60e2b5082d476b42cc77b13246b9fb883aa002d723237b0fc7ae84ccd7ebe3b25690cf50 0008-fix-undeclared-UT_LINESIZE.patch
667085d89e194f7e2255d5c098c3d8de272f54cb925710cb98d5e7a6b58982d0acfe15f97b574cfc646b139cd7aa5b527ba700ef9b8048a6d6d9dee8cc74913c 0009-Support-early-loading-of-keymap-if-kdb-is-installed.patch
275d3e65fa84aaf06f908bf5c99c8e1243acb691fc931b28b2276b586b55b6198986ed9080c28fb2b598b7bdb2d577439031bea6d232eac0d8f9d8f5cb373fa3 0010-Allow-0-respawn-max.patch
+715016b4f481a6d4d2ab37d23659e6cacc023b02fa6908b566391ee2744369076ea74e54f0fe576e2cc1d3371d4d9e3818395ca3f417233358fc70a9edc4dba6 CVE-2018-21269.patch
12bb6354e808fbf47bbab963de55ee7901738b4a912659982c57ef2777fff9a670e867fcb8ec316a76b151032c92dc89a950d7d1d835ef53f753a8f3b41d2cec openrc.logrotate
259552165ee5e9ca973bbe18d1d9ec5cc67526cb26a9e0ac717076ef4913bb7ff4055d6ccb9f77996ed9c00b67f46edba552e1a21b836068a112dda2428502b3 hostname.initd
c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd
@@ -133,4 +140,5 @@ b04058ec630e19de0bafefe06198dc1bff8c8d5d2c89e4660dd83dda8bb82a76cdb1d8661cce88e4
55df0ac13dac1f215f0c573ac07b150d31232a5204eccfc8941d5af73f91b4535a85d79b7f6514217038ecbe6bffa28cb83fd8d46fd4c596e07103deb8bc8a57 networking.initd
80e43ded522e2d48b876131c7c9997debd43f3790e0985801a8c1dd60bc6e09f625b35a127bf225eb45a65eec7808a50d1c08a5e8abceafc61726211e061e0a2 modloop.confd
d76c75c58e6f4b0801edac4e081b725ef3d50a9a8c9bbb5692bf4d0f804af7d383bf71a73d5d03ed348a89741ef0b2427eb6a7cbf5a9b9ff60a240639fa6ec88 sysfsconf.initd
-f65b061b4272463071022e88a7392d5573f2d95f91e42c8b4f3ef69171604460ddd3d426dfbab382f73a3fac68d4b4ff3a923fdc49fb6fd9f27ebd3ab24e0d0e firstboot.initd"
+f65b061b4272463071022e88a7392d5573f2d95f91e42c8b4f3ef69171604460ddd3d426dfbab382f73a3fac68d4b4ff3a923fdc49fb6fd9f27ebd3ab24e0d0e firstboot.initd
+"
diff --git a/main/openrc/CVE-2018-21269.patch b/main/openrc/CVE-2018-21269.patch
new file mode 100644
index 00000000000..9975d7bf81b
--- /dev/null
+++ b/main/openrc/CVE-2018-21269.patch
@@ -0,0 +1,244 @@
+From 577f00abe5f8ec6da40ac79d77df3e514593090d Mon Sep 17 00:00:00 2001
+From: William Hubbs <w.d.hubbs@gmail.com>
+Date: Wed, 11 Nov 2020 10:28:50 -0600
+Subject: [PATCH] checkpath: fix CVE-2018-21269
+
+This walks the directory path to the file we are going to manipulate to make
+sure that when we create the file and change the ownership and permissions
+we are working on the same file.
+Also, all non-terminal symbolic links must be owned by root. This will
+keep a non-root user from making a symbolic link as described in the
+bug. If root creates the symbolic link, it is assumed to be trusted.
+
+On non-linux platforms, we no longer follow non-terminal symbolic links
+by default. If you need to do that, add the -s option on the checkpath
+command line, but keep in mind that this is not secure.
+
+This fixes #201.
+---
+ man/openrc-run.8 | 6 +++
+ src/rc/checkpath.c | 103 ++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 102 insertions(+), 7 deletions(-)
+
+diff --git a/man/openrc-run.8 b/man/openrc-run.8
+index 1102daaa..ec4b88de 100644
+--- a/man/openrc-run.8
++++ b/man/openrc-run.8
+@@ -461,6 +461,7 @@ Mark the service as inactive.
+ .Op Fl p , -pipe
+ .Op Fl m , -mode Ar mode
+ .Op Fl o , -owner Ar owner
++.Op Fl s , -symlinks
+ .Op Fl W , -writable
+ .Op Fl q , -quiet
+ .Ar path ...
+@@ -481,6 +482,11 @@ or with names, and are separated by a colon.
+ The truncate options (-D and -F) cause the directory or file to be
+ cleared of all contents.
+ .Pp
++If -s is not specified on a non-linux platform, checkpath will refuse to
++allow non-terminal symbolic links to exist in the path. This is for
++security reasons so that a non-root user can't create a symbolic link to
++a root-owned file and take ownership of that file.
++.Pp
+ If -W is specified, checkpath checks to see if the first path given on
+ the command line is writable. This is different from how the test
+ command in the shell works, because it also checks to make sure the file
+diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
+index 448c9cf8..ff54a892 100644
+--- a/src/rc/checkpath.c
++++ b/src/rc/checkpath.c
+@@ -16,6 +16,7 @@
+ * except according to the terms contained in the LICENSE file.
+ */
+
++#define _GNU_SOURCE
+ #include <sys/types.h>
+ #include <sys/stat.h>
+
+@@ -23,6 +24,7 @@
+ #include <fcntl.h>
+ #include <getopt.h>
+ #include <grp.h>
++#include <libgen.h>
+ #include <pwd.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -44,7 +46,7 @@ typedef enum {
+
+ const char *applet = NULL;
+ const char *extraopts ="path1 [path2] [...]";
+-const char *getoptstring = "dDfFpm:o:W" getoptstring_COMMON;
++const char *getoptstring = "dDfFpm:o:sW" getoptstring_COMMON;
+ const struct option longopts[] = {
+ { "directory", 0, NULL, 'd'},
+ { "directory-truncate", 0, NULL, 'D'},
+@@ -53,6 +55,7 @@ const struct option longopts[] = {
+ { "pipe", 0, NULL, 'p'},
+ { "mode", 1, NULL, 'm'},
+ { "owner", 1, NULL, 'o'},
++ { "symlinks", 0, NULL, 's'},
+ { "writable", 0, NULL, 'W'},
+ longopts_COMMON
+ };
+@@ -64,15 +67,92 @@ const char * const longopts_help[] = {
+ "Create a named pipe (FIFO) if not exists",
+ "Mode to check",
+ "Owner to check (user:group)",
++ "follow symbolic links (irrelivent on linux)",
+ "Check whether the path is writable or not",
+ longopts_help_COMMON
+ };
+ const char *usagestring = NULL;
+
++static int get_dirfd(char *path, bool symlinks) {
++ char *ch;
++ char *item;
++ char *linkpath = NULL;
++ char *path_dupe;
++ char *str;
++ int components = 0;
++ int dirfd;
++ int flags = 0;
++ int new_dirfd;
++ struct stat st;
++ ssize_t linksize;
++
++ if (!path || *path != '/')
++ eerrorx("%s: empty or relative path", applet);
++ dirfd = openat(dirfd, "/", O_RDONLY);
++ if (dirfd == -1)
++ eerrorx("%s: unable to open the root directory: %s",
++ applet, strerror(errno));
++ path_dupe = xstrdup(path);
++ ch = path_dupe;
++ while (*ch) {
++ if (*ch == '/')
++ components++;
++ ch++;
++ }
++ item = strtok(path_dupe, "/");
++#ifdef O_PATH
++ flags |= O_PATH;
++#endif
++ if (!symlinks)
++ flags |= O_NOFOLLOW;
++ flags |= O_RDONLY;
++ while (dirfd > 0 && item && components > 1) {
++ str = xstrdup(linkpath ? linkpath : item);
++ new_dirfd = openat(dirfd, str, flags);
++ if (new_dirfd == -1)
++ eerrorx("%s: %s: could not open %s: %s", applet, path, str,
++ strerror(errno));
++ if (fstat(new_dirfd, &st) == -1)
++ eerrorx("%s: %s: unable to stat %s: %s", applet, path, item,
++ strerror(errno));
++ if (S_ISLNK(st.st_mode) ) {
++ if (st.st_uid != 0)
++ eerrorx("%s: %s: synbolic link %s not owned by root",
++ applet, path, str);
++ linksize = st.st_size+1;
++ if (linkpath)
++ free(linkpath);
++ linkpath = xmalloc(linksize);
++ memset(linkpath, 0, linksize);
++ if (readlinkat(new_dirfd, "", linkpath, linksize) != st.st_size)
++ eerrorx("%s: symbolic link destination changed", applet);
++ /*
++ * now follow the symlink.
++ */
++ close(new_dirfd);
++ } else {
++ close(dirfd);
++ dirfd = new_dirfd;
++ free(linkpath);
++ linkpath = NULL;
++ item = strtok(NULL, "/");
++ components--;
++ }
++ }
++ free(path_dupe);
++ if (linkpath) {
++ free(linkpath);
++ linkpath = NULL;
++ }
++ return dirfd;
++}
++
+ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+- inode_t type, bool trunc, bool chowner, bool selinux_on)
++ inode_t type, bool trunc, bool chowner, bool symlinks, bool selinux_on)
+ {
+ struct stat st;
++ char *name = NULL;
++ int dirfd;
+ int fd;
+ int flags;
+ int r;
+@@ -93,14 +173,16 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ #endif
+ if (trunc)
+ flags |= O_TRUNC;
+- readfd = open(path, readflags);
++ xasprintf(&name, "%s", basename_c(path));
++ dirfd = get_dirfd(path, symlinks);
++ readfd = openat(dirfd, name, readflags);
+ if (readfd == -1 || (type == inode_file && trunc)) {
+ if (type == inode_file) {
+ einfo("%s: creating file", path);
+ if (!mode) /* 664 */
+ mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
+ u = umask(0);
+- fd = open(path, flags, mode);
++ fd = openat(dirfd, name, flags, mode);
+ umask(u);
+ if (fd == -1) {
+ eerror("%s: open: %s", applet, strerror(errno));
+@@ -122,7 +204,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ strerror (errno));
+ return -1;
+ }
+- readfd = open(path, readflags);
++ readfd = openat(dirfd, name, readflags);
+ if (readfd == -1) {
+ eerror("%s: unable to open directory: %s", applet,
+ strerror(errno));
+@@ -140,7 +222,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ strerror (errno));
+ return -1;
+ }
+- readfd = open(path, readflags);
++ readfd = openat(dirfd, name, readflags);
+ if (readfd == -1) {
+ eerror("%s: unable to open fifo: %s", applet,
+ strerror(errno));
+@@ -259,6 +341,7 @@ int main(int argc, char **argv)
+ int retval = EXIT_SUCCESS;
+ bool trunc = false;
+ bool chowner = false;
++ bool symlinks = false;
+ bool writable = false;
+ bool selinux_on = false;
+
+@@ -293,6 +376,11 @@ int main(int argc, char **argv)
+ eerrorx("%s: owner `%s' not found",
+ applet, optarg);
+ break;
++ case 's':
++#ifndef O_PATH
++ symlinks = true;
++#endif
++ break;
+ case 'W':
+ writable = true;
+ break;
+@@ -320,7 +408,8 @@ int main(int argc, char **argv)
+ while (optind < argc) {
+ if (writable)
+ exit(!is_writable(argv[optind]));
+- if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner, selinux_on))
++ if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner,
++ symlinks, selinux_on))
+ retval = EXIT_FAILURE;
+ optind++;
+ }
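Review bot: In `get_dirfd`, `dirfd = openat(dirfd, "/", O_RDONLY);` reads `dirfd` before anything has been assigned to it. The call still resolves because the path is absolute, but `dirfd = open("/", O_RDONLY);` says the same thing without reading an indeterminate value. The walk loop then allocates `str = xstrdup(...)` on every pass and never frees it, so a `free(str);` is needed once the `fstat` and symlink checks are done. Its `dirfd > 0` condition would also treat descriptor 0 as a failure, so `dirfd >= 0` looks like the intended test. In `do_check`, neither `name` from `xasprintf` nor the descriptor returned by `get_dirfd` is released in the visible lines; the function continues outside this patch's hunks, so confirm that every return path frees `name` and closes `dirfd`.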
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 8ecefb4f55b..22090b345c1 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.1.1g
+pkgver=1.1.1k
_abiver=${pkgver%.*}
pkgrel=0
pkgdesc="Toolkit for Transport Layer Security (TLS)"
@@ -22,6 +22,15 @@ esac
builddir="$srcdir/openssl-$pkgver"
# secfixes:
+# 1.1.1k-r0:
+# - CVE-2021-3449
+# - CVE-2021-3450
+# 1.1.1j-r0:
+# - CVE-2021-23841
+# - CVE-2021-23840
+# - CVE-2021-23839
+# 1.1.1i-r0:
+# - CVE-2020-1971
# 1.1.1g-r0:
# - CVE-2020-1967
# 1.1.1d-r2:
@@ -113,5 +122,5 @@ _libssl() {
done
}
-sha512sums="01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab openssl-1.1.1g.tar.gz
+sha512sums="73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121 openssl-1.1.1k.tar.gz
43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch"
diff --git a/main/openvpn/APKBUILD b/main/openvpn/APKBUILD
index b51e4d891d5..677a7edcb3c 100644
--- a/main/openvpn/APKBUILD
+++ b/main/openvpn/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openvpn
-pkgver=2.4.7
-pkgrel=1
+pkgver=2.4.11
+pkgrel=0
pkgdesc="A robust, and highly configurable VPN (Virtual Private Network)"
url="https://openvpn.net/"
arch="all"
@@ -19,6 +19,17 @@ source="https://swupdate.openvpn.net/community/releases/$pkgname-$pkgver.tar.xz
"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 2.4.11-r0:
+# - CVE-2020-15078
+# 2.4.9-r0:
+# - CVE-2020-11810
+# 2.4.6-r0:
+# - CVE-2018-9336
+# 0:
+# - CVE-2020-7224
+# - CVE-2020-27569
+
build() {
cd "$builddir"
./configure \
@@ -62,7 +73,7 @@ pam() {
"$subpkgdir"/usr/lib/openvpn/plugins/
}
-sha512sums="5398084ad0002b3ed34871375888a1ec5d4d0f0dbc7c979ab12fc16b00559613c0654f1760e84bea77d4fe7284bce25e2e9d3d309fe85ffd1060ced10978ff95 openvpn-2.4.7.tar.xz
+sha512sums="aeeefd32e71b0595a577bfbf5871c78c633efa863584a57b7a47fc825fdac35c2aa1fb7decbd0269ec5be35e3fc2a42cf2a1e7d9a8547aaff4e1481a247bc5da openvpn-2.4.11.tar.xz
3594937d4cc9d7b87ac6a3af433f651ed9695f41586994f9d9789554fbe3f87f054b997b89486eda4ae0b852d816aac9007222168d585910aa9f255073324bd9 openvpn.initd
6b2353aca9df7f43044e4e37990491b4ba077e259ebe13b8f2eb43e35ca7a617c1a65c5bfb8ab05e87cf12c4444184ae064f01f9abbb3c023dbbc07ff3f9c84e openvpn.confd
cdb73c9a5b1eb56e9cbd29955d94297ce5a87079419cd626d6a0b6680d88cbf310735a53f794886df02030b687eaea553c7c569a8ea1282a149441add1c65760 openvpn.up
diff --git a/main/p11-kit/APKBUILD b/main/p11-kit/APKBUILD
index 8578bd66528..4eb647728b4 100644
--- a/main/p11-kit/APKBUILD
+++ b/main/p11-kit/APKBUILD
@@ -2,14 +2,22 @@
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=p11-kit
pkgver=0.23.16.1
-pkgrel=0
+pkgrel=1
pkgdesc="Library for loading and sharing PKCS#11 modules"
url="https://p11-glue.freedesktop.org/"
arch="all"
license="BSD"
makedepends="libtasn1-dev libffi-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-trust $pkgname-server"
-source="https://github.com/p11-glue/p11-kit/releases/download/$pkgver/p11-kit-$pkgver.tar.gz"
+source="https://github.com/p11-glue/p11-kit/releases/download/$pkgver/p11-kit-$pkgver.tar.gz
+ backport-CVE-2020-29361-2-3.patch
+ "
+
+# secfixes:
+# 0.23.16.1-r1:
+# - CVE-2020-29361
+# - CVE-2020-29362
+# - CVE-2020-29363
build() {
cd "$builddir"
@@ -62,4 +70,5 @@ server() {
"$subpkgdir"/usr/libexec/p11-kit
}
-sha512sums="7d0bbd793b43dba081054b4d022a8dbd1d477a3bd6aced72a641087023cf020f1d898899a08e737880e6c810f924814c62497c5ecb19f8322cde42667426a9a7 p11-kit-0.23.16.1.tar.gz"
+sha512sums="7d0bbd793b43dba081054b4d022a8dbd1d477a3bd6aced72a641087023cf020f1d898899a08e737880e6c810f924814c62497c5ecb19f8322cde42667426a9a7 p11-kit-0.23.16.1.tar.gz
+4fd8919a73870d63aed338e78ae5c9ca495898e41be6d3a565d802cad509e9cba8e4d65b71197e79c659ef5156cd2c25f7948db37e9ac12472bd8fdb3fbdbfef backport-CVE-2020-29361-2-3.patch"
diff --git a/main/p11-kit/backport-CVE-2020-29361-2-3.patch b/main/p11-kit/backport-CVE-2020-29361-2-3.patch
new file mode 100644
index 00000000000..82691464312
--- /dev/null
+++ b/main/p11-kit/backport-CVE-2020-29361-2-3.patch
@@ -0,0 +1,226 @@
+Meshed up:
+https://github.com/p11-glue/p11-kit/commit/bb3a3cb1cb4ae8341fa1cf1cc4e9f282c7c74b76
+https://github.com/p11-glue/p11-kit/commit/69d751ca9df9ac101adfb1e5aa7e83e3358106ba
+https://github.com/p11-glue/p11-kit/commit/7625cfcebccf1c02d17e9295e1d883ea688ea264
+https://github.com/p11-glue/p11-kit/commit/6c1c94bd2360f5778beb397ba5508d5084b7f0ee
+https://github.com/p11-glue/p11-kit/commit/7f032183dfd36c1f91d2400ceb5bbc90376a310c
+
+Should fix CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
+
+diff --git a/common/compat.c b/common/compat.c
+index 8b14658..3570770 100644
+--- a/common/compat.c
++++ b/common/compat.c
+@@ -496,8 +496,8 @@ reallocarray (void *ptr,
+ size_t nmemb,
+ size_t size)
+ {
+- assert (nmemb > 0 && size > 0);
+- if (SIZE_MAX / nmemb < size) {
++ assert (nmemb >= 0 && size >= 0);
++ if (nmemb != 0 && SIZE_MAX / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
+diff --git a/p11-kit/iter.c b/p11-kit/iter.c
+index d26cd71..766dd9a 100644
+--- a/p11-kit/iter.c
++++ b/p11-kit/iter.c
+@@ -545,7 +545,7 @@ move_next_session (P11KitIter *iter)
+ if (rv != CKR_OK)
+ return finish_iterating (iter, rv);
+
+- iter->slots = realloc (iter->slots, sizeof (CK_SLOT_ID) * (num_slots + 1));
++ iter->slots = reallocarray (iter->slots, num_slots + 1, sizeof (CK_SLOT_ID));
+ return_val_if_fail (iter->slots != NULL, CKR_HOST_MEMORY);
+
+ rv = (iter->module->C_GetSlotList) (CK_TRUE, iter->slots, &num_slots);
+@@ -698,7 +698,7 @@ p11_kit_iter_next (P11KitIter *iter)
+ for (;;) {
+ if (iter->max_objects - iter->num_objects == 0) {
+ iter->max_objects = iter->max_objects ? iter->max_objects * 2 : 64;
+- iter->objects = realloc (iter->objects, iter->max_objects * sizeof (CK_ULONG));
++ iter->objects = reallocarray (iter->objects, iter->max_objects, sizeof (CK_ULONG));
+ return_val_if_fail (iter->objects != NULL, CKR_HOST_MEMORY);
+ }
+
+diff --git a/p11-kit/lists.c b/p11-kit/lists.c
+index 5804be2..365a6d8 100644
+--- a/p11-kit/lists.c
++++ b/p11-kit/lists.c
+@@ -64,6 +64,8 @@ hex_encode (const unsigned char *data,
+ size_t i;
+ size_t o;
+
++ if ((SIZE_MAX - 1) / 3 < n_data)
++ return NULL;
+ result = malloc (n_data * 3 + 1);
+ if (result == NULL)
+ return NULL;
+diff --git a/p11-kit/log.c b/p11-kit/log.c
+index 19377b2..58bc5f4 100644
+--- a/p11-kit/log.c
++++ b/p11-kit/log.c
+@@ -726,7 +726,7 @@ log_token_info (p11_buffer *buf,
+ (unsigned int)info->firmwareVersion.minor);
+ p11_buffer_add (buf, temp, -1);
+ p11_buffer_add (buf, "\n\tutcTime: ", -1);
+- p11_buffer_add (buf, (info->flags & CKF_CLOCK_ON_TOKEN) ? (const char*)info->utcTime : "", -1);
++ p11_buffer_add (buf, (info->flags & CKF_CLOCK_ON_TOKEN) ? (const char*)info->utcTime : "", sizeof (info->utcTime));
+ p11_buffer_add (buf, "\n }\n", -1);
+ }
+ }
+diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
+index 643bf4e..8066c84 100644
+--- a/p11-kit/proxy.c
++++ b/p11-kit/proxy.c
+@@ -278,7 +278,7 @@ proxy_list_slots (Proxy *py, Mapping *mappings, unsigned int n_mappings)
+ return_val_if_fail (count == 0 || slots != NULL, CKR_GENERAL_ERROR);
+
+ if (count > 0) {
+- py->mappings = realloc (py->mappings, sizeof (Mapping) * (py->n_mappings + count));
++ py->mappings = reallocarray (py->mappings, (py->n_mappings + count), sizeof (Mapping));
+ return_val_if_fail (py->mappings != NULL, CKR_HOST_MEMORY);
+
+ /* And now add a mapping for each of those slots */
+diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
+index 672d1c7..fad569e 100644
+--- a/p11-kit/rpc-message.c
++++ b/p11-kit/rpc-message.c
+@@ -43,6 +43,7 @@
+ #include "rpc-message.h"
+
+ #include <assert.h>
++#include <errno.h>
+ #include <string.h>
+
+ #define ELEMS(x) (sizeof (x) / sizeof (x[0]))
+@@ -114,6 +115,18 @@ p11_rpc_message_alloc_extra (p11_rpc_message *msg,
+ return (void *)(data + 1);
+ }
+
++void *
++p11_rpc_message_alloc_extra_array (p11_rpc_message *msg,
++ size_t nmemb,
++ size_t size)
++{
++ if (nmemb != 0 && (SIZE_MAX - sizeof (void *)) / nmemb < size) {
++ errno = ENOMEM;
++ return NULL;
++ }
++ return p11_rpc_message_alloc_extra (msg, nmemb * size);
++}
++
+ bool
+ p11_rpc_message_prep (p11_rpc_message *msg,
+ int call_id,
+@@ -744,7 +757,7 @@ p11_rpc_buffer_get_byte_array (p11_buffer *buf,
+ return false;
+ }
+
+- if (buf->len < len || *offset > buf->len - len) {
++ if (buf->len < len || off > buf->len - len) {
+ p11_buffer_fail (buf);
+ return false;
+ }
+@@ -1212,7 +1225,7 @@ p11_rpc_buffer_get_attribute (p11_buffer *buffer,
+ size_t *offset,
+ CK_ATTRIBUTE *attr)
+ {
+- uint32_t type, length;
++ uint32_t type, length, decode_length;
+ unsigned char validity;
+ p11_rpc_attribute_serializer *serializer;
+ p11_rpc_value_type value_type;
+@@ -1242,8 +1255,13 @@ p11_rpc_buffer_get_attribute (p11_buffer *buffer,
+ assert (serializer != NULL);
+ if (!serializer->decode (buffer, offset, attr->pValue, &attr->ulValueLen))
+ return false;
+- if (!attr->pValue)
++ if (!attr->pValue) {
++ decode_length = attr->ulValueLen;
+ attr->ulValueLen = length;
++ if (decode_length > length) {
++ return false;
++ }
++ }
+ attr->type = type;
+ return true;
+ }
+diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
+index 989bbc0..62e7b18 100644
+--- a/p11-kit/rpc-message.h
++++ b/p11-kit/rpc-message.h
+@@ -255,6 +255,10 @@ void p11_rpc_message_clear (p11_rpc_message *msg);
+ void * p11_rpc_message_alloc_extra (p11_rpc_message *msg,
+ size_t length);
+
++void * p11_rpc_message_alloc_extra_array (p11_rpc_message *msg,
++ size_t nmemb,
++ size_t size);
++
+ bool p11_rpc_message_prep (p11_rpc_message *msg,
+ int call_id,
+ p11_rpc_message_type type);
+diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
+index 846ee94..dfdb76d 100644
+--- a/p11-kit/rpc-server.c
++++ b/p11-kit/rpc-server.c
+@@ -88,7 +88,7 @@ proto_read_byte_buffer (p11_rpc_message *msg,
+ if (length == 0)
+ return CKR_OK;
+
+- *buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_BYTE));
++ *buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_BYTE));
+ if (*buffer == NULL)
+ return CKR_DEVICE_MEMORY;
+
+@@ -186,7 +186,7 @@ proto_read_ulong_buffer (p11_rpc_message *msg,
+ if (length == 0)
+ return CKR_OK;
+
+- *buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_ULONG));
++ *buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_ULONG));
+ if (!*buffer)
+ return CKR_DEVICE_MEMORY;
+
+@@ -246,7 +246,7 @@ proto_read_attribute_buffer (p11_rpc_message *msg,
+ return PARSE_ERROR;
+
+ /* Allocate memory for the attribute structures */
+- attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE));
++ attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE));
+ if (attrs == NULL)
+ return CKR_DEVICE_MEMORY;
+
+@@ -300,7 +300,7 @@ proto_read_attribute_array (p11_rpc_message *msg,
+ return PARSE_ERROR;
+
+ /* Allocate memory for the attribute structures */
+- attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE));
++ attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE));
+ if (attrs == NULL)
+ return CKR_DEVICE_MEMORY;
+
+diff --git a/trust/index.c b/trust/index.c
+index 2d1da29..795c67f 100644
+--- a/trust/index.c
++++ b/trust/index.c
+@@ -271,7 +271,7 @@ bucket_insert (index_bucket *bucket,
+ if (bucket->num + 1 > alloc) {
+ alloc = alloc ? alloc * 2 : 1;
+ return_if_fail (alloc != 0);
+- bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE));
++ bucket->elem = reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE));
+ }
+
+ return_if_fail (bucket->elem != NULL);
+@@ -291,7 +291,7 @@ bucket_push (index_bucket *bucket,
+ if (bucket->num + 1 > alloc) {
+ alloc = alloc ? alloc * 2 : 1;
+ return_val_if_fail (alloc != 0, false);
+- bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE));
++ bucket->elem = reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE));
+ }
+
+ return_val_if_fail (bucket->elem != NULL, false);
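Review bot: In the log.c part of this backport, `log_token_info` now passes `sizeof (info->utcTime)` as the length even when `CKF_CLOCK_ON_TOKEN` is clear and the source is the literal `""`. The neighbouring calls pass -1 for NUL-terminated strings, so an explicit length presumably makes `p11_buffer_add` copy that many bytes, which would read past the one-byte literal. I would make the call conditional: `if (info->flags & CKF_CLOCK_ON_TOKEN) p11_buffer_add (buf, (const char*)info->utcTime, sizeof (info->utcTime));`. Separately, in compat.c `assert (nmemb >= 0 && size >= 0)` is always true for `size_t` and can be dropped. `log_token_info` starts outside the embedded hunk and `p11_buffer_add` is not visible here, so confirm its length handling before changing the call.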
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index 9e5bbe684a8..7cf50e19b24 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pcre
pkgver=8.43
-pkgrel=0
+pkgrel=1
pkgdesc="Perl-compatible regular expression library"
url="http://pcre.sourceforge.net"
arch="all"
@@ -12,9 +12,13 @@ makedepends=""
checkdepends="paxmark"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools
libpcrecpp libpcre16 libpcre32"
-source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+source="https://ftp.pcre.org/pub/pcre/pcre-$pkgver.tar.bz2
+ CVE-2020-14155.patch
"
+
# secfixes:
+# 8.43-r1:
+# - CVE-2020-14155
# 8.40-r2:
# - CVE-2017-7186
# 7.8-r0:
@@ -94,4 +98,5 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="3b4ac2c7ccd77c9575d07a33c3456f40b50731029e62d01fb8f2f5871d7118e12bc9e6bc7a8079769c765e38da5ecf98c4b261b10ff0a2f14f0881b434f67af7 pcre-8.43.tar.bz2"
+sha512sums="3b4ac2c7ccd77c9575d07a33c3456f40b50731029e62d01fb8f2f5871d7118e12bc9e6bc7a8079769c765e38da5ecf98c4b261b10ff0a2f14f0881b434f67af7 pcre-8.43.tar.bz2
+23baa5fbaff7b52e861a539a83ad4406937d7a8a85d2a4e2419d0bea99204659e350caab68091d6354842297df2bb3097204bc63c4e1d3d9d1b94427efc46748 CVE-2020-14155.patch"
diff --git a/main/pcre/CVE-2020-14155.patch b/main/pcre/CVE-2020-14155.patch
new file mode 100644
index 00000000000..3bfa119f3b5
--- /dev/null
+++ b/main/pcre/CVE-2020-14155.patch
@@ -0,0 +1,31 @@
+pcre: Fix int overflow when parsing "?C<arg>" callout args.
+
+Numerical args must be 0-255, so this shouldn't break correct usage.
+
+--- a/pcre_compile.c 2020/02/10 17:01:27 1760
++++ b/pcre_compile.c 2020/02/10 17:17:34 1761
+@@ -7130,17 +7130,19 @@
+ int n = 0;
+ ptr++;
+ while(IS_DIGIT(*ptr))
++ {
+ n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+ if (*ptr != CHAR_RIGHT_PARENTHESIS)
+ {
+ *errorcodeptr = ERR39;
+ goto FAILED;
+ }
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+ *code++ = n;
+ PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+ PUT(code, LINK_SIZE, 0); /* Default length */
diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD
index 435c0428f4c..15d7f98a109 100644
--- a/main/postgresql/APKBUILD
+++ b/main/postgresql/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: G.J.R. Timmer <gjr.timmer@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=postgresql
-pkgver=11.9
+pkgver=11.12
pkgrel=0
pkgdesc="A sophisticated object-relational DBMS"
url="https://www.postgresql.org/"
@@ -36,6 +36,16 @@ builddir="$srcdir/$pkgname-$pkgver"
options="!checkroot"
# secfixes:
+# 11.12-r0:
+# - CVE-2021-32027
+# - CVE-2021-32028
+# - CVE-2021-32029
+# 11.11-r0:
+# - CVE-2021-3393
+# 11.10-r0:
+# - CVE-2020-25694
+# - CVE-2020-25695
+# - CVE-2020-25696
# 11.9-r0:
# - CVE-2020-14349
# - CVE-2020-14350
@@ -312,7 +322,7 @@ _submv() {
done
}
-sha512sums="2c5c2f51aa01f02af4aa0849441767383e30fef69dd52efa442892f39d2456bfa8bf01f633a265e00eca0745e792609d2c1d33f77d8f29a02f5f374c84f2bf6e postgresql-11.9.tar.bz2
+sha512sums="668914424e1dbe09a66d5272e5b0a17fa24c90d3d099f8161f1420eaa76675ea1c622e4d149bdfcb31f07af19602a500913cb97c49d717df23e374de09dc0274 postgresql-11.12.tar.bz2
1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch
5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch
8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch
diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD
index b5168c142b7..479ba87cf7d 100644
--- a/main/py-django/APKBUILD
+++ b/main/py-django/APKBUILD
@@ -3,7 +3,7 @@
pkgname=py-django
_pkgname=Django
pkgver=1.11.29
-pkgrel=0
+pkgrel=1
pkgdesc="A high-level Python Web framework"
url="http://djangoproject.com/"
arch="noarch"
@@ -12,10 +12,16 @@ depends="py-tz"
makedepends="python2-dev python3-dev py-setuptools"
options="!check" # some depends missing, others in community/testing
subpackages="py2-${pkgname#py-}:_py2 py3-${pkgname#py-}:_py3"
-source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+ CVE-2020-24583.patch
+ CVE-2020-24584.patch
+ "
builddir="$srcdir"/$_pkgname-$pkgver
# secfixes:
+# 1.11.29-r1:
+# - CVE-2020-24583
+# - CVE-2020-24584
# 1.11.29-r0:
# - CVE-2020-9402
# 1.11.28-r0:
@@ -99,4 +105,6 @@ _py() {
done
}
-sha512sums="dc8d1c5c09f998bf7015967961247e56a9c1dd55701534c6bce6dac2270a5531e1162d9bcbf5ec5f4d411d2d0dc820c82fd9b69628c5ff944bb9f1a22290a562 Django-1.11.29.tar.gz"
+sha512sums="dc8d1c5c09f998bf7015967961247e56a9c1dd55701534c6bce6dac2270a5531e1162d9bcbf5ec5f4d411d2d0dc820c82fd9b69628c5ff944bb9f1a22290a562 Django-1.11.29.tar.gz
+e4eda8069558471268f2e8a705877b3f682adac80221ade5ba742476f897eb3a13d82af7367083b707186e4a49de4f7a6beaadc05274d10b9c88cb2f169ff1a9 CVE-2020-24583.patch
+4fde0868b63a739c28e066665e098bb7a667fe81311a839ff7d1dfff13cb67751271be6e88b4f245aa3ebcbd2bb856730418f3006f7820405cd54bf951e98faf CVE-2020-24584.patch"
diff --git a/main/py-django/CVE-2020-24583.patch b/main/py-django/CVE-2020-24583.patch
new file mode 100644
index 00000000000..b21c6b8ead5
--- /dev/null
+++ b/main/py-django/CVE-2020-24583.patch
@@ -0,0 +1,29 @@
+From bbf6bd8a50a02d5015a2b0043abfbf2b4e6acce6 Mon Sep 17 00:00:00 2001
+From: Leo <thinkabit.ukim@gmail.com>
+Date: Fri, 11 Dec 2020 02:07:01 -0300
+Subject: [PATCH 1/2] CVE-2020-24583
+
+---
+ django/core/files/storage.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/django/core/files/storage.py b/django/core/files/storage.py
+index 98c89dd..9643198 100644
+--- a/django/core/files/storage.py
++++ b/django/core/files/storage.py
+@@ -310,9 +310,9 @@ class FileSystemStorage(Storage):
+ if not os.path.exists(directory):
+ try:
+ if self.directory_permissions_mode is not None:
+- # os.makedirs applies the global umask, so we reset it,
+- # for consistency with file_permissions_mode behavior.
+- old_umask = os.umask(0)
++ # Set the umask because os.makedirs() doesn't apply the "mode"
++ # argument to intermediate-level directories.
++ old_umask = os.umask(0o777 & ~self.directory_permissions_mode)
+ try:
+ os.makedirs(directory, self.directory_permissions_mode)
+ finally:
+--
+2.29.2
+
diff --git a/main/py-django/CVE-2020-24584.patch b/main/py-django/CVE-2020-24584.patch
new file mode 100644
index 00000000000..fa4dc132a5f
--- /dev/null
+++ b/main/py-django/CVE-2020-24584.patch
@@ -0,0 +1,30 @@
+From 13e83e6f60d9ed91316c975425bc4b89c130ec9c Mon Sep 17 00:00:00 2001
+From: Leo <thinkabit.ukim@gmail.com>
+Date: Fri, 11 Dec 2020 02:08:48 -0300
+Subject: [PATCH 2/2] CVE-2020-24584
+
+---
+ django/core/cache/backends/filebased.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/django/core/cache/backends/filebased.py b/django/core/cache/backends/filebased.py
+index 7c2c5c7..88cebef 100644
+--- a/django/core/cache/backends/filebased.py
++++ b/django/core/cache/backends/filebased.py
+@@ -102,8 +102,13 @@ class FileBasedCache(BaseCache):
+
+ def _createdir(self):
+ if not os.path.exists(self._dir):
++ # Set the umask because os.makedirs() doesn't apply the "mode" argument
++ # to intermediate-level directories.
++ old_umask = os.umask(0o077)
+ try:
+ os.makedirs(self._dir, 0o700)
++ finally:
++ os.umask(old_umask)
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ raise EnvironmentError(
+--
+2.29.2
+
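Review bot: As shown, the patched `_createdir` puts the added `finally:` clause before the existing `except OSError as e:` on the same `try`, which Python rejects with a SyntaxError, so `filebased.py` would fail to import. Indentation is not preserved in this view, but the clause order is, and the patch's stated 5 insertions leave no room for a second `try:`. Move the two added lines `finally:` and `os.umask(old_umask)` below the `except` block, or wrap `os.makedirs(self._dir, 0o700)` in its own inner `try:`/`finally:`. The APKBUILD sets `options="!check"`, so the test suite would not catch this at build time. The `except` body continues past the end of the embedded hunk.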
diff --git a/main/python3/APKBUILD b/main/python3/APKBUILD
index bd3aff41ee9..ed21605bf06 100644
--- a/main/python3/APKBUILD
+++ b/main/python3/APKBUILD
@@ -3,9 +3,9 @@
pkgname=python3
# the python2-tkinter's pkgver needs to be synchronized with this.
-pkgver=3.7.7
+pkgver=3.7.10
_basever="${pkgver%.*}"
-pkgrel=1
+pkgrel=0
pkgdesc="A high-level scripting language"
url="https://www.python.org"
arch="all"
@@ -20,11 +20,12 @@ source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
fix-xattrs-glibc.patch
musl-find_library.patch
bpo-36044-Reduce-number-of-unit-tests-run-for-PGO-build.patch
- CVE-2020-14422.patch
"
builddir="$srcdir/Python-$pkgver"
# secfixes:
+# 3.7.7-r2:
+# - CVE-2021-3177
# 3.7.7-r1:
# - CVE-2020-14422
# 3.7.7-r0:
@@ -167,9 +168,7 @@ wininst() {
mv "$pkgdir"/usr/lib/python$_basever/distutils/command/*.exe \
"$subpkgdir"/usr/lib/python$_basever/distutils/command
}
-
-sha512sums="ddc838a7b0c442c2e465616f20231f2b703ed6b69ed2dc17858aac8760814fdf7cff43d350d359300e47b6bb1f0bd38c31126b855e423a3a65ed06a8fa16d136 Python-3.7.7.tar.xz
+sha512sums="5cb61739acbd29f526d25073443398b2ca0eef30d01d134e8236c8bbc7ab0586c44ec00689f5a75e6aedc0170acf4551721ada5e967e4b99a146cfcaad949128 Python-3.7.10.tar.xz
37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
-ad2715f2a4ddfed714f6040b79deed691f457e1e57c5d880c741ef71c5db5bad02a5faab50c32cd98e517ad1117ddf6d2fea0c3daf178d029e6a5fce2f95444a bpo-36044-Reduce-number-of-unit-tests-run-for-PGO-build.patch
-f84922e46e39d681c0d1f95a211b81c6fba1fc3636379fa5c6b47284d693478b6afe08e07703678d9d8ce8e59295df2a705f9a0c8cb54a69a1fee6960d2ebddd CVE-2020-14422.patch"
+ad2715f2a4ddfed714f6040b79deed691f457e1e57c5d880c741ef71c5db5bad02a5faab50c32cd98e517ad1117ddf6d2fea0c3daf178d029e6a5fce2f95444a bpo-36044-Reduce-number-of-unit-tests-run-for-PGO-build.patch"
diff --git a/main/python3/CVE-2020-14422.patch b/main/python3/CVE-2020-14422.patch
deleted file mode 100644
index 9042f832d4b..00000000000
--- a/main/python3/CVE-2020-14422.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From b98e7790c77a4378ec4b1c71b84138cb930b69b7 Mon Sep 17 00:00:00 2001
-From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
-Date: Wed, 1 Jul 2020 00:50:21 +0530
-Subject: [PATCH] [3.7] bpo-41004: Resolve hash collisions for IPv4Interface
- and IPv6Interface (GH-21033) (GH-21231)
-
-CVE-2020-14422
-The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
-of generating constant hash values of 32 and 128 respectively causing hash collisions.
-The fix uses the hash() function to generate hash values for the objects
-instead of XOR operation
-(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
-
-Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
-
-Signed-off-by: Tapas Kundu <tkundu@vmware.com>
----
- Lib/ipaddress.py | 4 ++--
- Lib/test/test_ipaddress.py | 11 +++++++++++
- .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
- 3 files changed, 14 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-
-diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
-index 80249288d73ab..54882934c3dc1 100644
---- a/Lib/ipaddress.py
-+++ b/Lib/ipaddress.py
-@@ -1442,7 +1442,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-@@ -2088,7 +2088,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
-index 455b893fb126f..1fb6a929dc2d9 100644
---- a/Lib/test/test_ipaddress.py
-+++ b/Lib/test/test_ipaddress.py
-@@ -2091,6 +2091,17 @@ def testsixtofour(self):
- sixtofouraddr.sixtofour)
- self.assertFalse(bad_addr.sixtofour)
-
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV4HashIsNotConstant(self):
-+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
-+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
-+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
-+
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV6HashIsNotConstant(self):
-+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
-+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
-+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
-
- if __name__ == '__main__':
- unittest.main()
-diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-new file mode 100644
-index 0000000000000..f5a9db52fff52
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-@@ -0,0 +1 @@
-+CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
diff --git a/main/razor/APKBUILD b/main/razor/APKBUILD
index b429dc3ced1..9d5b2d9171e 100644
--- a/main/razor/APKBUILD
+++ b/main/razor/APKBUILD
@@ -3,40 +3,41 @@
pkgname=razor
_realname=razor-agents
pkgver=2.85
-pkgrel=8
+pkgrel=9
pkgdesc="Vipul's Razor is a distributed, collaborative spam detection and filtering network"
url="http://razor.sourceforge.net/"
arch="all"
-license="Artistic"
+license="Artistic-2.0"
depends="perl perl-digest-sha1 perl-getopt-long perl-uri"
makedepends="perl-dev"
subpackages="$pkgname-doc"
-source="https://downloads.sourceforge.net/razor/razor-agents/$_realname-$pkgver.tar.bz2"
+source="https://downloads.sourceforge.net/razor/razor-agents/$_realname-$pkgver.tar.bz2
+ fix-cosmetic-pv.patch
+ fix-manpage-quoting.patch
+ "
builddir="$srcdir/$_realname-$pkgver"
prepare() {
- cd "$builddir"
- export CFLAGS=`perl -MConfig -E 'say $Config{ccflags}'`
+ default_prepare
+
+ export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor
}
build() {
- cd "$builddir"
- export CFLAGS=`perl -MConfig -E 'say $Config{ccflags}'`
+ export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
make -j1
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
}
check() {
- cd "$builddir"
make test
}
-md5sums="014d08db40187cb1316482191566b012 razor-agents-2.85.tar.bz2"
-sha256sums="7fe0afe73e5b3979444dd86e2ad25ea99bc05b23d5648d357544f78f0b6eb6d7 razor-agents-2.85.tar.bz2"
-sha512sums="31dded1969dde963389a5939514c29638ad07f45dbb2f4c633cf20ebc4abab94e65e9a6d8885233cdde686ef365aab11fa5eba2ca38d79c5b8fab689143ff5db razor-agents-2.85.tar.bz2"
+sha512sums="31dded1969dde963389a5939514c29638ad07f45dbb2f4c633cf20ebc4abab94e65e9a6d8885233cdde686ef365aab11fa5eba2ca38d79c5b8fab689143ff5db razor-agents-2.85.tar.bz2
+75c18cbf22172657976eb3140e736134115c072be46c5165326237f73af592afbe49229058d9c80f8a99f486cae075e16b36822b73f194034b20e83afee382ec fix-cosmetic-pv.patch
+25b5449f4b13d3c8373ed3bb67970c187d7ea3235a6e4f0baf60618004addc124321b36bf0a4c320b5b7370498c857c6477bfecb1658e441e0edacde149d361e fix-manpage-quoting.patch"
diff --git a/main/razor/fix-cosmetic-pv.patch b/main/razor/fix-cosmetic-pv.patch
new file mode 100644
index 00000000000..6082392b313
--- /dev/null
+++ b/main/razor/fix-cosmetic-pv.patch
@@ -0,0 +1,24 @@
+Taken from Arch Linux
+
+--- a/lib/Razor2/Client/Version.pm 2007-05-10 22:32:10.000000000 +0200
++++ b/lib/Razor2/Client/Version.pm 2010-03-25 11:11:36.911409707 +0100
+@@ -14,7 +14,7 @@
+
+ $PROTOCOL = 3;
+
+-$VERSION = '2.84';
++$VERSION = '2.85';
+
+ 1;
+
+--- a/META.yml 2007-05-23 20:29:34.000000000 +0200
++++ b/META.yml 2010-03-25 11:11:43.691408628 +0100
+@@ -1,7 +1,7 @@
+ # http://module-build.sourceforge.net/META-spec.html
+ #XXXXXXX This is a prototype!!! It will change in the future!!! XXXXX#
+ name: razor-agents
+-version: 2.84
++version: 2.85
+ version_from: lib/Razor2/Client/Version.pm
+ installdirs: site
+ requires:
diff --git a/main/razor/fix-manpage-quoting.patch b/main/razor/fix-manpage-quoting.patch
new file mode 100644
index 00000000000..6be965cc548
--- /dev/null
+++ b/main/razor/fix-manpage-quoting.patch
@@ -0,0 +1,17 @@
+Taken from Arch Linux
+
+diff -uprw razor-agents-2.85.orig/Makefile.PL razor-agents-2.85/Makefile.PL
+--- razor-agents-2.85.orig/Makefile.PL 2007-05-09 01:47:53.000000000 +0300
++++ razor-agents-2.85/Makefile.PL 2015-06-14 20:36:23.677213987 +0300
+@@ -140,9 +140,9 @@ sub MY::install {
+ my $inherited = $self->SUPER::install(@_);
+
+ my $man5 = q{ \\
+- $(INST_MAN5DIR) $(INSTALLMAN5DIR)};
++ "$(INST_MAN5DIR)" "$(INSTALLMAN5DIR)"};
+
+- $inherited =~ s/(\$\((?:DEST)?INSTALL\w*MAN1DIR\))/$1$man5/gm;
++ $inherited =~ s/("?\$\((?:DEST)?INSTALL\w*MAN1DIR\)"?)/$1$man5/gm;
+
+ return $inherited;
+ }
diff --git a/main/redis/APKBUILD b/main/redis/APKBUILD
index fb936c4381e..d0065c959fa 100644
--- a/main/redis/APKBUILD
+++ b/main/redis/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Eivind Uggedal <eu@eju.no>
# Maintainer: TBK <alpine@jjtc.eu>
pkgname=redis
-pkgver=5.0.5
+pkgver=5.0.11
pkgrel=0
pkgdesc="Advanced key-value store"
url="https://redis.io/"
@@ -22,10 +22,15 @@ source="http://download.redis.io/releases/$pkgname-$pkgver.tar.gz
$pkgname.confd
$pkgname-sentinel.initd
$pkgname.logrotate
+ musl-zmalloc.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 5.0.11-r0:
+# - CVE-2021-21309
+# 5.0.5-r1:
+# - CVE-2015-8080
# 5.0.4-r0:
# - CVE-2019-10192
# - CVE-2019-10193
@@ -78,11 +83,12 @@ package() {
var/log/redis
}
-sha512sums="78215ec02b7184e05788c7a368146ea53095a877a0e09174b4c9f175aeb9ba9174023c19e33bf62e4513b848e1841538d398e7c0a651c5c947255c1691cb4586 redis-5.0.5.tar.gz
-0bfe894843a0b0b1800c5ff1c570cbc631d0bf94e5911210ae8780f57e661c8a61bb7309181fb8492392747deb340025a5380db168418aaf46b273a8120a4169 makefile-dont-duplicate-binary.patch
+sha512sums="fb585e0040d07b97af941ad4b424dd50403fcb7edb07154e79b9933c6882f9fbe6010f8e6bae4d398cfdb44dfc492fc7dde8568eba34d45dda5e547453b4254a redis-5.0.11.tar.gz
+0d6710543f111a7e9d07ac8398ceee0b38c6a4da35fd34088cb3b5a8efb3aa2eefc49dc2b58d7386c72113834bbe27625333b9283da2ae1e3df252a5712f62cf makefile-dont-duplicate-binary.patch
c8a35e3c30be99fef8678acb2502f424bcca478dcc1ef1750f8c8c8e9e9c462f97586159f32ebba84b6a4eb398a9d568e3200241fb0de1f96293c9fdaafb06c9 redis.conf.patch
e8cd03ab08b354d7d852cc43719ef537586c024f3911e27f0be052de471d3e6c1af947313ba0b045af3f2212afd41eb0cd4e0464cc6568853cfbfd4718b09fa5 sentinel.conf.patch
f6dcdad1edd6b5fb6aa28ba774bfc8aba035f316695da261fb2ad291b76f00f177479f9d74434d06c26bd15f131edc9a2f55c9880758cf0987800d2031069738 redis.initd
6752e99df632b14d62a3266929e80c3d667be5c270e4f34e0dcf2b7f9b1754fe0ce9d4569fa413dbbe207e406ff2848a64e0c47629997536ae1d14ca84ebd56b redis.confd
e7a60a090df53eef05d58d73709f07536135a93efb34e48ad933e3859d3d1c0f476975a3232df18f57476bf7fc3b0548471e1c86445878457ac8507b3da71384 redis-sentinel.initd
-bf2def2077a989047e9bfff8a7f754bcdf96e020fd4a470f8967ee1fca601e11f044cfb3742f00e932cc013e0d0b199045d78c8878a0e529715c9f77786d353f redis.logrotate"
+bf2def2077a989047e9bfff8a7f754bcdf96e020fd4a470f8967ee1fca601e11f044cfb3742f00e932cc013e0d0b199045d78c8878a0e529715c9f77786d353f redis.logrotate
+e29fb36a43dbd991aa46f469d49f76d6c22354abf11abcfe91c2cc8254c0fe9f997e51288ca37e3d184b89b49cd9ffb42483f8ec35b99aee829bf3ee5b4c5163 musl-zmalloc.patch"
diff --git a/main/redis/makefile-dont-duplicate-binary.patch b/main/redis/makefile-dont-duplicate-binary.patch
index 085fcc4cc72..012a6bd6f4d 100644
--- a/main/redis/makefile-dont-duplicate-binary.patch
+++ b/main/redis/makefile-dont-duplicate-binary.patch
@@ -4,7 +4,7 @@ See https://github.com/antirez/redis/pull/3494
--- a/src/Makefile
+++ b/src/Makefile
-@@ -307,9 +307,9 @@
+@@ -316,9 +316,9 @@
$(REDIS_INSTALL) $(REDIS_SERVER_NAME) $(INSTALL_BIN)
$(REDIS_INSTALL) $(REDIS_BENCHMARK_NAME) $(INSTALL_BIN)
$(REDIS_INSTALL) $(REDIS_CLI_NAME) $(INSTALL_BIN)
diff --git a/main/redis/musl-zmalloc.patch b/main/redis/musl-zmalloc.patch
new file mode 100644
index 00000000000..90e79d05a29
--- /dev/null
+++ b/main/redis/musl-zmalloc.patch
@@ -0,0 +1,23 @@
+Without this change it fails to compile, giving the following error:
+
+zmalloc.c:55:28: error: missing binary operator before token "("
+ #define PREFIX_SIZE (sizeof(size_t))
+ ^
+zmalloc.c:59:5: note: in expansion of macro 'PREFIX_SIZE'
+ #if PREFIX_SIZE > 0
+
+--- a/src/zmalloc.h
++++ b/src/zmalloc.h
+@@ -63,12 +63,10 @@
+
+ #ifndef ZMALLOC_LIB
+ #define ZMALLOC_LIB "libc"
+-#ifdef __GLIBC__
+ #include <malloc.h>
+ #define HAVE_MALLOC_SIZE 1
+ #define zmalloc_size(p) malloc_usable_size(p)
+ #endif
+-#endif
+
+ /* We can enable the Redis defrag capabilities only if we are using Jemalloc
+ * and the version used is our special version modified for Redis having
diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD
index 5d616b979f4..8738c5fc059 100644
--- a/main/ruby/APKBUILD
+++ b/main/ruby/APKBUILD
@@ -3,6 +3,11 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.5.9-r0:
+# - CVE-2021-28965
+# - CVE-2021-28966
+# 2.5.8-r1:
+# - CVE-2020-25613
# 2.5.8-r0:
# - CVE-2020-10663
# - CVE-2020-10933
@@ -34,11 +39,11 @@
# - CVE-2017-17405
#
pkgname=ruby
-pkgver=2.5.8
+pkgver=2.5.9
_abiver="${pkgver%.*}.0"
pkgrel=0
pkgdesc="An object-oriented language for quick and easy programming"
-url="http://www.ruby-lang.org/en/"
+url="https://www.ruby-lang.org/"
arch="all"
license="Ruby BSD-2-Clause"
depends="ca-certificates"
@@ -347,7 +352,7 @@ _mvgem() {
done
}
-sha512sums="ec8bf18b5ef8bf14a568dfb50cbddcc4bb13241f07b0de969e7b60cc261fb4e08fefeb5236bcf620bc690af112a9ab7f7c89f5b8a03fd3430e58804227b5041f ruby-2.5.8.tar.gz
+sha512sums="5c9a6703b4c8d6e365856d7815e202f24659078d4c8e7a5059443453032b73b28e7ab2b8a6fa995c92c8e7f4838ffa6f9eec31593854e2fc3fc35532cb2db788 ruby-2.5.9.tar.gz
cfdc5ea3b2e2ea69c51f38e8e2180cb1dc27008ca55cc6301f142ebafdbab31c3379b3b6bba9ff543153876dd98ed2ad194df3255b7ea77a62e931c935f80538 rubygems-avoid-platform-specific-gems.patch
814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
8d730f02f76e53799f1c220eb23e3d2305940bb31216a7ab1e42d3256149c0721c7d173cdbfe505023b1af2f5cb3faa233dcc1b5d560fa8f980c17c2d29a9d81 fix-get_main_stack.patch"
diff --git a/main/rxvt-unicode/APKBUILD b/main/rxvt-unicode/APKBUILD
index 09375b2207b..1aaa679fc4e 100644
--- a/main/rxvt-unicode/APKBUILD
+++ b/main/rxvt-unicode/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=rxvt-unicode
pkgver=9.22
-pkgrel=6
+pkgrel=7
pkgdesc="rxvt fork with improved unicode support"
url="http://software.schmorp.de/pkg/rxvt-unicode.html"
arch="all"
@@ -14,12 +14,17 @@ depends="$pkgname-terminfo"
makedepends="libx11-dev libxft-dev ncurses fontconfig-dev
gdk-pixbuf-dev libxrender-dev perl-dev startup-notification-dev"
subpackages="$pkgname-doc $pkgname-terminfo::noarch"
-source="http://dist.schmorp.de/rxvt-unicode/$pkgname-$pkgver.tar.bz2
+source="http://dist.schmorp.de/rxvt-unicode/Attic/$pkgname-$pkgver.tar.bz2
gentables.patch
- rxvt-unicode-kerning.patch"
+ rxvt-unicode-kerning.patch
+ CVE-2021-33477.patch"
builddir="${srcdir}/${pkgname}-${pkgver}"
+# secfixes:
+# 9.22-r7:
+# - CVE-2021-33477
+
build() {
cd "$builddir"
./configure \
@@ -68,6 +73,9 @@ terminfo() {
"$subpkgdir"/usr/share/terminfo/
}
-sha512sums="b39f1b2cbe6dd3fbd2a0ad6a9d391a2b6f49d7c5e67bc65fe44a9c86937f8db379572c67564c6e21ff6e09b447cdfd4e540544e486179e94da0e0db679c04dd9 rxvt-unicode-9.22.tar.bz2
+sha512sums="
+b39f1b2cbe6dd3fbd2a0ad6a9d391a2b6f49d7c5e67bc65fe44a9c86937f8db379572c67564c6e21ff6e09b447cdfd4e540544e486179e94da0e0db679c04dd9 rxvt-unicode-9.22.tar.bz2
2a973e001dacf900895d0c1045dfffd5a1ca7650669853bd5fdf09819b19a750bb59d913f8bdc83b103e5e0e7cce7f0d2b6184f36a29c1bac86e90c08ae6a475 gentables.patch
-d2fb68b3e11a78328ded4d2d646ffbaae657e9f23f3b4b81e11bc4350dd3e1e7585eeaeee47a70246bdfb7e12fbb667e40a7766989154235064f56ed4ad0a987 rxvt-unicode-kerning.patch"
+d2fb68b3e11a78328ded4d2d646ffbaae657e9f23f3b4b81e11bc4350dd3e1e7585eeaeee47a70246bdfb7e12fbb667e40a7766989154235064f56ed4ad0a987 rxvt-unicode-kerning.patch
+2c1cb4dad04b0fdf9212949337a37b402ed86638b26390d18f00620a71a80e91894eb624ec8058e10b7c18e1c369d8e6af91a7cd26ca6c2b221a0cf060aa0950 CVE-2021-33477.patch
+"
diff --git a/main/rxvt-unicode/CVE-2021-33477.patch b/main/rxvt-unicode/CVE-2021-33477.patch
new file mode 100644
index 00000000000..e315fb1309d
--- /dev/null
+++ b/main/rxvt-unicode/CVE-2021-33477.patch
@@ -0,0 +1,20 @@
+--- rxvt-unicode/src/command.C 2016/07/14 05:33:26 1.582
++++ rxvt-unicode/src/command.C 2017/05/18 02:43:18 1.583
+@@ -2695,7 +2695,7 @@
+ /* kidnapped escape sequence: Should be 8.3.48 */
+ case C1_ESA: /* ESC G */
+ // used by original rxvt for rob nations own graphics mode
+- if (cmd_getc () == 'Q')
++ if (cmd_getc () == 'Q' && option (Opt_insecure))
+ tt_printf ("\033G0\012"); /* query graphics - no graphics */
+ break;
+
+@@ -2914,7 +2914,7 @@
+ break;
+
+ case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */
+- case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */
++ case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */
+ #ifdef ISO6429
+ arg[0] = -arg[0];
+ #else /* emulate common DEC VTs */
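Review bot: The first inner hunk gates the `ESC G Q` reply on `option (Opt_insecure)` but leaves no comment saying why, and the only reference in the patch is the CVS revision pair. The reply `"\033G0\012"` ends in a newline and is sent with `tt_printf`, so it presumably reaches whatever is reading the terminal as if it were typed; a comment such as `// reply ends in a newline and is fed back as input, so only answer in insecure mode` would record that. The order of the operands is right, since `cmd_getc ()` still consumes the byte when the option is off. The second inner hunk (`CSI_HPB`) only changes whitespace and could be dropped to keep the backport to the security-relevant line.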
diff --git a/main/screen/APKBUILD b/main/screen/APKBUILD
index 8d7cc4c8282..53bd0746f29 100644
--- a/main/screen/APKBUILD
+++ b/main/screen/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=screen
pkgver=4.6.2
-pkgrel=1
+pkgrel=3
pkgdesc="A window manager that multiplexes a physical terminal"
url="http://ftp.gnu.org/gnu/screen/"
arch="all"
@@ -16,6 +16,8 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.6.2-r2:
+# - CVE-2021-26937
# 4.6.2-r1:
# - CVE-2020-9366
@@ -43,6 +45,5 @@ package() {
install -Dm644 etc/etcscreenrc "$pkgdir"/etc/screenrc
install -Dm644 etc/screenrc "$pkgdir"/etc/skel/.screenrc
}
-
sha512sums="224bd16ad5ae501d1b8bb7d2ba9cc19e6a0743de5a5b320109c2f6bf3b1ca564cc7094ed9211be13733d9d769cde77d13fe236341d448cad0518038ab1e85c99 screen-4.6.2.tar.gz
a711983119b86527a85464d4f5c8fecd6d481ab5691dd7b1b83c33983594d511ac69a8a67b088906540f8475dba08bda4ba559b2b514ac43535bd668db801fe0 CVE-2020-9366.patch"
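Review bot: The new secfixes entry `# 4.6.2-r2:` / `# - CVE-2021-26937` is not backed by the build inputs visible in this diff. The `sha512sums` block still ends at `CVE-2020-9366.patch"`, and none of the three hunks touches `source=` (it sits between hunks, so this is inferred). The CVE-2021-26937.patch added alongside therefore appears to be neither fetched nor applied. Since `pkgrel` goes from 1 to 3, the patch may have been wired in at r2 and removed again at r3. If that is the case, the secfixes entry should be removed or annotated so scanners do not treat 4.6.2-r3 as fixed. Otherwise add `CVE-2021-26937.patch` to `source=` together with its sha512 line.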
diff --git a/main/screen/CVE-2021-26937.patch b/main/screen/CVE-2021-26937.patch
new file mode 100644
index 00000000000..bfd188a95b0
--- /dev/null
+++ b/main/screen/CVE-2021-26937.patch
@@ -0,0 +1,59 @@
+Source: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
+diff --git a/encoding.c b/encoding.c
+index e5db3e7..79f5d14 100644
+--- a/encoding.c
++++ b/encoding.c
+@@ -43,7 +43,7 @@ static int encmatch __P((char *, char *));
+ # ifdef UTF8
+ static int recode_char __P((int, int, int));
+ static int recode_char_to_encoding __P((int, int));
+-static void comb_tofront __P((int, int));
++static void comb_tofront __P((int));
+ # ifdef DW_CHARS
+ static int recode_char_dw __P((int, int *, int, int));
+ static int recode_char_dw_to_encoding __P((int, int *, int));
+@@ -1263,6 +1263,8 @@ int c;
+ {0x30000, 0x3FFFD},
+ };
+
++ if (c >= 0xdf00 && c <= 0xdfff)
++ return 1; /* dw combining sequence */
+ return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) ||
+ (cjkwidth &&
+ bisearch(c, ambiguous,
+@@ -1330,11 +1332,12 @@ int c;
+ }
+
+ static void
+-comb_tofront(root, i)
+-int root, i;
++comb_tofront(i)
++int i;
+ {
+ for (;;)
+ {
++ int root = i >= 0x700 ? 0x801 : 0x800;
+ debug1("bring to front: %x\n", i);
+ combchars[combchars[i]->prev]->next = combchars[i]->next;
+ combchars[combchars[i]->next]->prev = combchars[i]->prev;
+@@ -1396,9 +1399,9 @@ struct mchar *mc;
+ {
+ /* full, recycle old entry */
+ if (c1 >= 0xd800 && c1 < 0xe000)
+- comb_tofront(root, c1 - 0xd800);
++ comb_tofront(c1 - 0xd800);
+ i = combchars[root]->prev;
+- if (c1 == i + 0xd800)
++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800)
+ {
+ /* completely full, can't recycle */
+ debug("utf8_handle_comp: completely full!\n");
+@@ -1422,7 +1425,7 @@ struct mchar *mc;
+ mc->font = (i >> 8) + 0xd8;
+ mc->fontx = 0;
+ debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+- comb_tofront(root, i);
++ comb_tofront(i);
+ }
+
+ #else /* !UTF8 */
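Review bot: The line that replaces the removed `root` parameter, `int root = i >= 0x700 ? 0x801 : 0x800;`, uses bare constants that must stay in step with the new `i == 0x800 || i == 0x801` test in the caller and with the `c >= 0xdf00 && c <= 0xdfff` range (0xdf00 - 0xd800 = 0x700). Nothing in the patch names them. I would add a comment above the derivation, e.g. `/* 0x800 and 0x801 are the list heads in combchars[]; entries from 0x700 up are the double-width ones */`, hedged until checked against the declaration of `combchars`, which is outside this hunk. `root` is also recomputed on every pass of the `for (;;)` loop; if `i` does not change inside the loop (the body continues outside the hunk), it can be computed once before it.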
diff --git a/main/spamassassin/APKBUILD b/main/spamassassin/APKBUILD
index 8dd7b151a7f..6edebf96a86 100644
--- a/main/spamassassin/APKBUILD
+++ b/main/spamassassin/APKBUILD
@@ -2,8 +2,8 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=spamassassin
_pkgreal=Mail-SpamAssassin
-pkgver=3.4.4
-pkgrel=0
+pkgver=3.4.5
+pkgrel=1
pkgdesc="The Powerful #1 Open-Source Spam Filter"
url="https://metacpan.org/pod/Mail::SpamAssassin"
arch="all"
@@ -14,7 +14,7 @@ cpanmakedepends="$cpandepends"
depends="perl-mail-$pkgname curl"
makedepends="perl-dev $cpanmakedepends"
subpackages="$pkgname-doc $pkgname-client $pkgname-compiler perl-mail-$pkgname:cpan"
-source="https://cpan.metacpan.org/authors/id/K/KM/KMCGRAIL/${_pkgreal#*-}/$_pkgreal-$pkgver.tar.gz
+source="https://cpan.metacpan.org/authors/id/S/SI/SIDNEY/Mail-SpamAssassin-$pkgver.tar.gz
spamd.initd
spamd.confd
spamd.crond
@@ -24,6 +24,8 @@ source="https://cpan.metacpan.org/authors/id/K/KM/KMCGRAIL/${_pkgreal#*-}/$_pkgr
builddir="$srcdir/$_pkgreal-$pkgver"
# secfixes:
+# 3.4.5-r0:
+# - CVE-2020-1946
# 3.4.4-r0:
# - CVE-2020-1930
# - CVE-2020-1931
@@ -86,7 +88,7 @@ cpan() {
sed -i '/^#\*/d' "$subpkgdir"/etc/mail/$pkgname/user_prefs
}
-sha512sums="b6efa1c733ddf810b189ec69445faeae6488ee2671f87f56b49ec3bf85690bf7950aa5ce251c1f1371b2bbe4fb88dbce0a162c9a24a48ed5e6584f9019611552 Mail-SpamAssassin-3.4.4.tar.gz
+sha512sums="76323d8a5be1f5451375adc8b7989f183e72d0fa52848a1356c3b7fb3da9a9328fe9f91bcc941228c2cb91180ed49583a9a8bebf1f00caf7ad898251af3b9ba3 Mail-SpamAssassin-3.4.5.tar.gz
0a22933290a3abd147689bf3a9de4b6b277628c22966f353c5da932cd98560babf1d0bb9d92c456ea24decfb5af0bbc960192d29a90d9cab437e7986c75c8278 spamd.initd
274d3aa0d9aab05e83c8d5ad3e93a457649360021a67c8cb19088365bed681ebe26889cfa86f8c46a6044c7ee969231f2a71e3227adf8ad9e38d0286b9caf48d spamd.confd
e0bbdb21020f4b4e5b11fb3ec18ad7e496fa4521d24275d806db96fc91cde3c0b8e8c8215e51b18903bf5916de74e9e2584fe7f62a9ec7da2f185641e533916d spamd.crond
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 1239322ff56..ee9e4d84d9e 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.14.2
-pkgrel=0
+pkgrel=1
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -16,10 +16,13 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev lz4-dev
subpackages="$pkgname-dev $pkgname-server"
source="https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2
0001-Disable-failing-tests-on-some-arches.patch
+ CVE-2021-20201.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 0.14.2-r1:
+# - CVE-2021-20201
# 0.14.1-r4:
# - CVE-2019-3813
# 0.14.1-r0:
@@ -66,6 +69,8 @@ server() {
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/
}
-
-sha512sums="1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76 spice-0.14.2.tar.bz2
-0ce5c4077a436a8895452557529d4ad118a578b8e6d157e1d8453105b7456496a0f85da0821afafbae7359a3fd6fe46d47de3bf639fa9bdb9a535ce68ab17dfa 0001-Disable-failing-tests-on-some-arches.patch"
+sha512sums="
+1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76 spice-0.14.2.tar.bz2
+0ce5c4077a436a8895452557529d4ad118a578b8e6d157e1d8453105b7456496a0f85da0821afafbae7359a3fd6fe46d47de3bf639fa9bdb9a535ce68ab17dfa 0001-Disable-failing-tests-on-some-arches.patch
+f7584c07c2c521c1454d1a7bc49aba4fd17553b96ce5107114e9bb02d58439cabd1471dd6e6e639a3f783255efecbd1a17cd543672a8021c9d59f68acb4fcbb7 CVE-2021-20201.patch
+"
diff --git a/main/spice/CVE-2021-20201.patch b/main/spice/CVE-2021-20201.patch
new file mode 100644
index 00000000000..9c633c89e25
--- /dev/null
+++ b/main/spice/CVE-2021-20201.patch
@@ -0,0 +1,36 @@
+From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
+Date: Wed, 2 Dec 2020 13:39:27 +0100
+Subject: [PATCH] With OpenSSL 1.1: Disable client-initiated renegotiation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes issue #49
+Fixes BZ#1904459
+
+Signed-off-by: Julien Ropé <jrope@redhat.com>
+Reported-by: BlackKD
+Acked-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/reds.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index fe69508e..f61086cb 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2753,6 +2753,10 @@ static int reds_init_ssl(RedsState *reds)
+ * When some other SSL/TLS version becomes obsolete, add it to this
+ * variable. */
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_RENEGOTIATION
++ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
++ ssl_options |= SSL_OP_NO_RENEGOTIATION;
++#endif
+
+ /* Global system initialization*/
+ openssl_global_init();
+--
+GitLab
+
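Review bot: The `#ifdef SSL_OP_NO_RENEGOTIATION` guard makes the fix disappear silently when the OpenSSL headers used for the build do not define that macro. The package would then still list CVE-2021-20201 as fixed while client-initiated renegotiation stays enabled. I would make the fallback visible at build time by adding `#else` and `#warning "SSL_OP_NO_RENEGOTIATION unavailable: client-initiated renegotiation is not disabled"` before the `#endif`. Alternatively, the APKBUILD could require an OpenSSL version that has the option. The body of `reds_init_ssl` starts and ends outside this hunk, so where `ssl_options` is applied to the context cannot be checked from here.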
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index 440d6eb6ee9..86946becd27 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
-pkgver=4.10
+pkgver=4.15
pkgrel=0
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
@@ -29,6 +29,24 @@ builddir="$srcdir"/$pkgname-$pkgver
options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox
# secfixes:
+# 4.15-r0:
+# - CVE-2021-28651
+# - CVE-2021-28652
+# - CVE-2021-28662
+# - CVE-2021-31806
+# - CVE-2021-31807
+# - CVE-2021-31808
+# - GHSA-572g-rvwr-6c7f
+# 4.14-r0:
+# - CVE-2020-25097
+# 4.13-r0:
+# - CVE-2020-15810
+# - CVE-2020-15811
+# - CVE-2020-24606
+# 4.11-r0:
+# - CVE-2019-12519
+# - CVE-2019-12521
+# - CVE-2020-11945
# 4.10-r0:
# - CVE-2019-12528
# - CVE-2020-8449
@@ -112,7 +130,8 @@ squid_kerb_auth() {
install -d "$subpkgdir"/usr/lib/squid
mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
}
-sha512sums="033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0 squid-4.10.tar.xz
+
+sha512sums="8f0ce6e30dd9173927e8133618211ffb865fb5dde4c63c2fb465e2efccda4a6efb33f2c0846870c9b915340aff5f59461a60171882bcc0c890336b846fe60bd1 squid-4.15.tar.xz
15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/subversion/APKBUILD b/main/subversion/APKBUILD
index 3ff1a75e736..4b751487518 100644
--- a/main/subversion/APKBUILD
+++ b/main/subversion/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=subversion
pkgver=1.12.2
-pkgrel=0
+pkgrel=1
pkgdesc="Replacement for CVS, another versioning system (svn)"
url="https://subversion.apache.org/"
arch="all"
@@ -17,10 +17,14 @@ subpackages="$pkgname-dev $pkgname-doc mod_dav_svn
source="https://archive.apache.org/dist/subversion/$pkgname-$pkgver.tar.bz2
subversion-1.7.0-deplibs.patch
subversion-perl-deplibs.patch
+ CVE-2020-17525.patch
svnserve.confd
- svnserve.initd"
+ svnserve.initd
+ "
# secfixes:
+# 1.12.2-r1:
+# - CVE-2020-17525
# 1.12.2-r0:
# - CVE-2019-0203
# - CVE-2018-11782
@@ -118,5 +122,6 @@ py() {
sha512sums="b1f859b460afa54598778d8633f648acb4fa46138f7d6f0c1451e3c6a1de71df859233cd9ac7f19f0f20d7237ed3988f0a38da7552ffa58391e19d957bc7c136 subversion-1.12.2.tar.bz2
fb219c45b80602d919176cc191394df09f90d0f5c7d24e6a36b166bd92777ecae67eeac1e49c0ffbb0e724396b3d2094dbb0bef17d01dc87d418b1cd554bd7c4 subversion-1.7.0-deplibs.patch
fd6e5f45cff4d3cf0d885a34c822b32141b13b199d99ad8e1b04d641c9c1ee27e73f5c556a4ad54a900b6d39cc14afad17b6738d8af44c76758f1a27b4d49f9a subversion-perl-deplibs.patch
+85fceca6bf92fb816263a2846e932b47e15920cb87183135e2a1218f2ea44d810810700cb2dd1a892508af4f08c298f688baa191c7e987280843cf01afb6f335 CVE-2020-17525.patch
7fe993443d4d3ef5e1e75f60e85036ee0b2bb2636c2c830210e64f525f95ae4c10ca1dc4504fc36915ec9391815becbe7cbf5f589c28609386d8d079ed02c630 svnserve.confd
f6392193cc65aaceee9b6e5e66f80af4b095ba4007e8536e8b1c4e8b2c75610d7f5596b83e5edd504672f021c074887fc6464cf4fc1dfe9446741105f11cd855 svnserve.initd"
diff --git a/main/subversion/CVE-2020-17525.patch b/main/subversion/CVE-2020-17525.patch
new file mode 100644
index 00000000000..ca59b7914a5
--- /dev/null
+++ b/main/subversion/CVE-2020-17525.patch
@@ -0,0 +1,15 @@
+Index: subversion/libsvn_repos/config_file.c
+===================================================================
+--- a/subversion/libsvn_repos/config_file.c (revision 1883994)
++++ b/subversion/libsvn_repos/config_file.c (working copy)
+@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,
+ {
+ /* Search for a repository in the full path. */
+ repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);
++ if (repos_root_dirent == NULL)
++ return svn_error_trace(handle_missing_file(stream, checksum, access,
++ url, must_exist,
++ svn_node_none));
+
+ /* Attempt to open a repository at repos_root_dirent. */
+ SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL,
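Review bot: The added `repos_root_dirent == NULL` check has no comment explaining when `svn_repos_find_root_path` returns NULL or why that case is reported through `handle_missing_file` with `svn_node_none`. Without the check the NULL would go straight into `svn_repos_open3` on the next line, which is presumably the crash behind the CVE. I would add `/* No repository was found along DIRENT: treat it as a missing file instead of handing NULL to svn_repos_open3(). */` above the `if`. The patch file also lacks a header naming the upstream revision or advisory it was taken from, which makes the backport hard to audit later. `get_repos_config` starts and ends outside this hunk.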
diff --git a/main/sudo/APKBUILD b/main/sudo/APKBUILD
index 7e592f9fdc1..fc4d2e6ace0 100644
--- a/main/sudo/APKBUILD
+++ b/main/sudo/APKBUILD
@@ -2,13 +2,13 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sudo
-pkgver=1.8.27
+pkgver=1.9.5p2
if [ "${pkgver%_*}" != "$pkgver" ]; then
_realver=${pkgver%_*}${pkgver#*_}
else
_realver=$pkgver
fi
-pkgrel=2
+pkgrel=0
pkgdesc="Give certain users the ability to run some commands as root"
url="https://www.sudo.ws/sudo/"
arch="all"
@@ -18,21 +18,21 @@ depends=
subpackages="$pkgname-doc $pkgname-dev"
source="https://www.sudo.ws/dist/sudo-${_realver}.tar.gz
fix-cross-compile.patch
- fix-tests.patch
- libcrypt.patch
- sudo-cvtsudoers.patch
- CVE-2019-14287.patch
- CVE-2019-18634.patch
+ SIGUNUSED.patch
"
options="suid"
# secfixes:
+# 1.9.5p2-r0:
+# - CVE-2021-3156
+# - CVE-2021-23239
+# - CVE-2021-23240
# 1.8.27-r2:
-# - CVE-2019-18634
+# - CVE-2019-18634
# 1.8.27-r1:
-# - CVE-2019-14287
+# - CVE-2019-14287
# 1.8.20_p2-r0:
-# - CVE-2017-1000368
+# - CVE-2017-1000368
builddir="$srcdir"/$pkgname-$_realver
build() {
@@ -68,10 +68,6 @@ package() {
rm -rf "$pkgdir"/var/run
}
-sha512sums="0480def650ab880ab9e6c51c606a06897fd638f0381e99c038f5aa47d064aaa2fb35b73eee7f86e73185e18d5dbb8b6ba49c616b1785a1edb2dd6d7b2fa4fcac sudo-1.8.27.tar.gz
+sha512sums="f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27 sudo-1.9.5p2.tar.gz
f0f462f40502da2194310fe4a72ec1a16ba40f95a821ba9aa6aabaa423d28c4ab26b684afa7fb81c2407cf60de9327bdab01de51b878c5d4de49b0d62645f53c fix-cross-compile.patch
-b2d7816d334826545420c578114e5af361ced65c00e5bfc2e0b16f3c9325aa9d2b902defeebb181da3cf7bc6aba3a59a496293d2f11d83c9793f11138ba50343 fix-tests.patch
-0fa06d13d202ee5ab58596413a7498b3e9b6925e87385bb876f5e0b29b22010a84918686a5974de87392ab18158e883da343fe6a14448a4e273eaa1bb81f5995 libcrypt.patch
-a4a219c16cd353b54f69b74ce7383b90f89745351776bd91bfccb63a2211fa84177719634d4e7e753cf22a8b175d797a474416ffac66d4aee31d3b8e28bfabd1 sudo-cvtsudoers.patch
-bad0eda3a7473e4b13d2d9744c41d37bd1c2f4a50491e7e6c6e2cdb67f98eea5d595ead70ab7ac93444d41d1c9f65d83e67f905614869b9df0bd59365fefae1f CVE-2019-14287.patch
-2e701aecd05f2a9b77e77f43e91d748794661dabfc7a0826bea41a9668220a1889f273568b67632829df7dba66ad3d2e0e73513ca59753c1c8e64967f0e705f8 CVE-2019-18634.patch"
+03a2cef9fcc26cc2711edb5928c945fcf214b22139bb88d77538d25f3bfd144d17b6c9dabb1e01960ac1697d83b3452397a5ef4c7d0e68ea72548a631b212e6d SIGUNUSED.patch"
diff --git a/main/sudo/SIGUNUSED.patch b/main/sudo/SIGUNUSED.patch
new file mode 100644
index 00000000000..be4f73541b8
--- /dev/null
+++ b/main/sudo/SIGUNUSED.patch
@@ -0,0 +1,19 @@
+Upstream: No
+Reason: Musl compatibility
+
+--- a/lib/util/siglist.in 2019-10-10 11:32:54.000000000 -0500
++++ b/lib/util/siglist.in 2019-10-14 16:42:46.259938722 -0500
+@@ -17,11 +17,12 @@
+ EMT EMT trap
+ FPE Floating point exception
+ KILL Killed
++# before UNUSED (musl defines them as the same number)
++ SYS Bad system call
+ # before BUS (Older Linux doesn't really have a BUS, but defines it to UNUSED)
+ UNUSED Unused
+ BUS Bus error
+ SEGV Memory fault
+- SYS Bad system call
+ PIPE Broken pipe
+ ALRM Alarm clock
+ TERM Terminated
diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD
index 6a297c48aa8..d91ede9c9bd 100644
--- a/main/tar/APKBUILD
+++ b/main/tar/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=tar
pkgver=1.32
-pkgrel=0
+pkgrel=1
pkgdesc="Utility used to store, backup, and transport files"
url="https://www.gnu.org"
arch="all"
@@ -11,9 +11,13 @@ install=""
makedepends=""
subpackages="$pkgname-doc"
source="https://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz
- ignore-apk-tools-checksums.patch"
+ ignore-apk-tools-checksums.patch
+ CVE-2021-20193.patch
+ "
# secfixes:
+# 1.32-r1:
+# - CVE-2021-20193
# 1.29-r1:
# - CVE-2016-6321
# 1.31-r0:
@@ -52,4 +56,5 @@ package() {
}
sha512sums="1bd13854009b6ee08958481738e6bf661e40216a2befe461d06b4b350eb882e431b3a4eeea7ca1d35d37102df76194c9d933df2b18b3c5401350e9fc17017750 tar-1.32.tar.xz
-9cde0f1509328bc5fe2cb46642b53c7681c548cf28a2fb83eda7e9374c9c0ad27a0cd55b9c0cc93951def58dafa55ee71cace5493ddcb7966ee94dc5f1099739 ignore-apk-tools-checksums.patch"
+9cde0f1509328bc5fe2cb46642b53c7681c548cf28a2fb83eda7e9374c9c0ad27a0cd55b9c0cc93951def58dafa55ee71cace5493ddcb7966ee94dc5f1099739 ignore-apk-tools-checksums.patch
+31d2863d47bf01a7425047222460ae4ecd7a66203de40fb0b1071a3a53c539d358cf600b7862bc1cc01cab34da2fb71a6d9da7b248e06d6592b99c7115816862 CVE-2021-20193.patch"
diff --git a/main/tar/CVE-2021-20193.patch b/main/tar/CVE-2021-20193.patch
new file mode 100644
index 00000000000..c721f870bde
--- /dev/null
+++ b/main/tar/CVE-2021-20193.patch
@@ -0,0 +1,127 @@
+From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 17 Jan 2021 20:41:11 +0200
+Subject: Fix memory leak in read_header
+
+Bug reported in https://savannah.gnu.org/bugs/?59897
+
+* src/list.c (read_header): Don't return directly from the loop.
+Instead set the status and break. Return the status. Free
+next_long_name and next_long_link before returning.
+---
+ src/list.c | 40 ++++++++++++++++++++++++++++------------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index e40a5c8..d7ef441 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ enum read_header_mode mode)
+ {
+ union block *header;
+- union block *header_copy;
+ char *bp;
+ union block *data_block;
+ size_t size, written;
+- union block *next_long_name = 0;
+- union block *next_long_link = 0;
++ union block *next_long_name = NULL;
++ union block *next_long_link = NULL;
+ size_t next_long_name_blocks = 0;
+ size_t next_long_link_blocks = 0;
+-
++ enum read_header status = HEADER_SUCCESS;
++
+ while (1)
+ {
+- enum read_header status;
+-
+ header = find_next_block ();
+ *return_block = header;
+ if (!header)
+- return HEADER_END_OF_FILE;
++ {
++ status = HEADER_END_OF_FILE;
++ break;
++ }
+
+ if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+- return status;
++ break;
+
+ /* Good block. Decode file size and return. */
+
+@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ {
+ info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+ if (info->stat.st_size < 0)
+- return HEADER_FAILURE;
++ {
++ status = HEADER_FAILURE;
++ break;
++ }
+ }
+
+ if (header->header.typeflag == GNUTYPE_LONGNAME
+@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ || header->header.typeflag == SOLARIS_XHDTYPE)
+ {
+ if (mode == read_header_x_raw)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+ else if (header->header.typeflag == GNUTYPE_LONGNAME
+ || header->header.typeflag == GNUTYPE_LONGLINK)
+ {
++ union block *header_copy;
+ size_t name_size = info->stat.st_size;
+ size_t n = name_size % BLOCKSIZE;
+ size = name_size + BLOCKSIZE;
+@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ xheader_decode_global (&xhdr);
+ xheader_destroy (&xhdr);
+ if (mode == read_header_x_global)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+ }
+
+ /* Loop! */
+@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ name = next_long_name->buffer + BLOCKSIZE;
+ recent_long_name = next_long_name;
+ recent_long_name_blocks = next_long_name_blocks;
++ next_long_name = NULL;
+ }
+ else
+ {
+@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ name = next_long_link->buffer + BLOCKSIZE;
+ recent_long_link = next_long_link;
+ recent_long_link_blocks = next_long_link_blocks;
++ next_long_link = NULL;
+ }
+ else
+ {
+@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ }
+ assign_string (&info->link_name, name);
+
+- return HEADER_SUCCESS;
++ break;
+ }
+ }
++ free (next_long_name);
++ free (next_long_link);
++ return status;
+ }
+
+ #define ISOCTAL(c) ((c)>='0'&&(c)<='7')
+--
+cgit v1.2.1
+
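Review bot: The two added assignments `next_long_name = NULL;` and `next_long_link = NULL;` are what keep the new `free (next_long_name);` and `free (next_long_link);` at the end of `read_header` from releasing buffers that have just been handed to `recent_long_name` and `recent_long_link`, but neither line is commented. A later edit that drops or moves them would turn the leak fix into a free of memory that is still referenced. I would add `/* ownership moved to recent_long_name; the free() before return must not see it */` at the first and the matching comment at the second. The final `break;` also relies on `status` still holding its initial `HEADER_SUCCESS`, which deserves a short comment at the declaration. Only parts of `read_header` are visible in these hunks.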
diff --git a/main/tcpdump/APKBUILD b/main/tcpdump/APKBUILD
index b06d0b297ad..a24b2ea322a 100644
--- a/main/tcpdump/APKBUILD
+++ b/main/tcpdump/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tcpdump
pkgver=4.9.3
-pkgrel=0
+pkgrel=1
pkgdesc="A tool for network monitoring and data acquisition"
url="http://www.tcpdump.org"
arch="all"
@@ -9,37 +9,41 @@ license="BSD-3-Clause"
options="!check" # fail on ppc64le
makedepends="libpcap-dev openssl-dev perl"
subpackages="$pkgname-doc"
-source="http://www.$pkgname.org/release/$pkgname-$pkgver.tar.gz"
+source="http://www.$pkgname.org/release/$pkgname-$pkgver.tar.gz
+ CVE-2020-8037.patch
+ "
# secfixes:
+# 4.9.3-r1:
+# - CVE-2020-8037
# 4.9.3-r0:
-# - CVE-2017-16808 (AoE)
-# - CVE-2018-14468 (FrameRelay)
-# - CVE-2018-14469 (IKEv1)
-# - CVE-2018-14470 (BABEL)
-# - CVE-2018-14466 (AFS/RX)
-# - CVE-2018-14461 (LDP)
-# - CVE-2018-14462 (ICMP)
-# - CVE-2018-14465 (RSVP)
-# - CVE-2018-14881 (BGP)
-# - CVE-2018-14464 (LMP)
-# - CVE-2018-14463 (VRRP)
-# - CVE-2018-14467 (BGP)
-# - CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
-# - CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
-# - CVE-2018-14880 (OSPF6)
-# - CVE-2018-16451 (SMB)
-# - CVE-2018-14882 (RPL)
-# - CVE-2018-16227 (802.11)
-# - CVE-2018-16229 (DCCP)
-# - CVE-2018-16301 (was fixed in libpcap)
-# - CVE-2018-16230 (BGP)
-# - CVE-2018-16452 (SMB)
-# - CVE-2018-16300 (BGP)
-# - CVE-2018-16228 (HNCP)
-# - CVE-2019-15166 (LMP)
-# - CVE-2019-15167 (VRRP)
-# - CVE-2018-14879 (tcpdump -V)
+# - CVE-2017-16808 # (AoE)
+# - CVE-2018-14468 # (FrameRelay)
+# - CVE-2018-14469 # (IKEv1)
+# - CVE-2018-14470 # (BABEL)
+# - CVE-2018-14466 # (AFS/RX)
+# - CVE-2018-14461 # (LDP)
+# - CVE-2018-14462 # (ICMP)
+# - CVE-2018-14465 # (RSVP)
+# - CVE-2018-14881 # (BGP)
+# - CVE-2018-14464 # (LMP)
+# - CVE-2018-14463 # (VRRP)
+# - CVE-2018-14467 # (BGP)
+# - CVE-2018-10103 # (SMB - partially fixed, but SMB printing disabled)
+# - CVE-2018-10105 # (SMB - too unreliably reproduced, SMB printing disabled)
+# - CVE-2018-14880 # (OSPF6)
+# - CVE-2018-16451 # (SMB)
+# - CVE-2018-14882 # (RPL)
+# - CVE-2018-16227 # (802.11)
+# - CVE-2018-16229 # (DCCP)
+# - CVE-2018-16301 # (was fixed in libpcap)
+# - CVE-2018-16230 # (BGP)
+# - CVE-2018-16452 # (SMB)
+# - CVE-2018-16300 # (BGP)
+# - CVE-2018-16228 # (HNCP)
+# - CVE-2019-15166 # (LMP)
+# - CVE-2019-15167 # (VRRP)
+# - CVE-2018-14879 # (tcpdump -V)
# 4.9.0-r0:
# - CVE-2016-7922
# - CVE-2016-7923
@@ -111,4 +115,5 @@ package() {
rm -f "$pkgdir"/usr/sbin/tcpdump.4*
}
-sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22 tcpdump-4.9.3.tar.gz"
+sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22 tcpdump-4.9.3.tar.gz
+f53b5557ad2c68c28bbd6121b637ade43937ce4956fa9c2c8b187e8c62726c018509eb728f7f7479d078c9018f091f64114944b2d6106e6214662899f880445a CVE-2020-8037.patch"
diff --git a/main/tcpdump/CVE-2020-8037.patch b/main/tcpdump/CVE-2020-8037.patch
new file mode 100644
index 00000000000..2852845eb74
--- /dev/null
+++ b/main/tcpdump/CVE-2020-8037.patch
@@ -0,0 +1,63 @@
+From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Sat, 18 Apr 2020 14:04:59 -0700
+Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
+
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+---
+ print-ppp.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 891761728..33fb03412 100644
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -1367,19 +1367,29 @@ print_bacp_config_options(netdissect_options *ndo,
+ return 0;
+ }
+
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+ const u_char *p, int length)
+ {
++ u_int caplen = ndo->ndo_snapend - p;
+ u_char *b, *t, c;
+ const u_char *s;
+- int i, proto;
++ u_int i;
++ int proto;
+ const void *se;
+
++ if (caplen == 0)
++ return;
++
+ if (length <= 0)
+ return;
+
+- b = (u_char *)malloc(length);
++ b = (u_char *)malloc(caplen);
+ if (b == NULL)
+ return;
+
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+ * Do this so that we dont overwrite the original packet
+ * contents.
+ */
+- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++ for (s = p, t = b, i = caplen; i != 0; i--) {
+ c = *s++;
+ if (c == 0x7d) {
+- if (i <= 1 || !ND_TTEST(*s))
++ if (i <= 1)
+ break;
+ i--;
+ c = *s++ ^ 0x20;
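Review bot: `u_int caplen = ndo->ndo_snapend - p;` converts a signed pointer difference to unsigned, so a `p` at or past `ndo_snapend` would give zero or a very large `caplen`. The rewritten loop has dropped both `ND_TTEST` checks and trusts `caplen` alone for the `malloc` size and the read bound. Whether every caller guarantees `p <= ndo->ndo_snapend` is not visible from this hunk. I would make the guard explicit with `if (p >= ndo->ndo_snapend) return;` followed by `caplen = (u_int)(ndo->ndo_snapend - p);`, which also covers the `caplen == 0` case. `length` is now only checked for `<= 0`; if the rest of the function, which continues outside the hunk, still uses it, that should be reviewed against `caplen` as well.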
diff --git a/main/tiny-ec2-bootstrap/APKBUILD b/main/tiny-ec2-bootstrap/APKBUILD
index a9b430d4ae3..dc2eefc374b 100644
--- a/main/tiny-ec2-bootstrap/APKBUILD
+++ b/main/tiny-ec2-bootstrap/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Mike Crute <mike@crute.us>
# Maintainer: Mike Crute <mike@crute.us>
pkgname=tiny-ec2-bootstrap
-pkgver=1.2.0
+pkgver=1.4.3
pkgrel=0
pkgdesc="A tiny EC2 instance bootstrapper that uses instance metadata"
url="https://github.com/mcrute/tiny-ec2-bootstrap"
@@ -17,4 +17,4 @@ package() {
make install PREFIX=$pkgdir
}
-sha512sums="a653dd56ac7cc887077d83d1e01c6e2b58550548293e848a456b74a45b2d0061ed3a4188e9a4eb3aaf23ee96d22b00f4e0610d044d640e036591dc43b4681a63 tiny-ec2-bootstrap-1.2.0.tar.gz"
+sha512sums="6b15eaae722975b5f9deb6650cfd2319a37cab24084c3638ee3264e7784637cadfda863777909fc2cb09f1c27755082591b645342da697be040687da7a9936f3 tiny-ec2-bootstrap-1.4.3.tar.gz"
diff --git a/main/tmux/APKBUILD b/main/tmux/APKBUILD
index 33d9df04cac..b028978edec 100644
--- a/main/tmux/APKBUILD
+++ b/main/tmux/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tmux
pkgver=2.9a
-pkgrel=1
+pkgrel=2
pkgdesc="Tool to control multiple terminals from a single terminal"
url="https://tmux.github.io"
arch="all"
@@ -10,8 +10,13 @@ license="ISC"
depends="ncurses-terminfo-base"
makedepends="autoconf automake bsd-compat-headers libevent-dev ncurses-dev"
subpackages="$pkgname-doc"
-source="https://github.com/tmux/tmux/releases/download/$pkgver/tmux-$pkgver.tar.gz"
+source="https://github.com/tmux/tmux/releases/download/$pkgver/tmux-$pkgver.tar.gz
+ CVE-2020-27347.patch
+ "
+# secfixes:
+# 2.9a-r2:
+# - CVE-2020-27347
build() {
./configure \
@@ -38,4 +43,5 @@ package() {
done
}
-sha512sums="aca6882688727c10c5647443fdd18bbd6c0f80b7a3bf9667903d1b89d523e604cd715f176f33f2e5673258f00e626a6dc273f80fe97ae4f91621814d89985713 tmux-2.9a.tar.gz"
+sha512sums="aca6882688727c10c5647443fdd18bbd6c0f80b7a3bf9667903d1b89d523e604cd715f176f33f2e5673258f00e626a6dc273f80fe97ae4f91621814d89985713 tmux-2.9a.tar.gz
+29ffcf27c9ffa2a67742732f44ba0821172746b3a824ebd8087deb9a91e437bbfdc385498c2a09c9f6e206dc57e61fe7ea65b2432b3e89af01e2f72fc0a23e89 CVE-2020-27347.patch"
diff --git a/main/tmux/CVE-2020-27347.patch b/main/tmux/CVE-2020-27347.patch
new file mode 100644
index 00000000000..fe335b307e1
--- /dev/null
+++ b/main/tmux/CVE-2020-27347.patch
@@ -0,0 +1,30 @@
+From a868bacb46e3c900530bed47a1c6f85b0fbe701c Mon Sep 17 00:00:00 2001
+From: nicm <nicm>
+Date: Thu, 29 Oct 2020 16:33:01 +0000
+Subject: [PATCH] Do not write after the end of the array and overwrite the
+ stack when colon-separated SGR sequences contain empty arguments. Reported by
+ Sergey Nizovtsev.
+
+---
+ input.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/input.c b/input.c
+index 42a60c92a..c280c0d97 100644
+--- a/input.c
++++ b/input.c
+@@ -1976,8 +1976,13 @@ input_csi_dispatch_sgr_colon(struct input_ctx *ictx, u_int i)
+ free(copy);
+ return;
+ }
+- } else
++ } else {
+ n++;
++ if (n == nitems(p)) {
++ free(copy);
++ return;
++ }
++ }
+ log_debug("%s: %u = %d", __func__, n - 1, p[n - 1]);
+ }
+ free(copy);
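Review bot: The new exit in the `else` branch of input_csi_dispatch_sgr_colon() discards the whole sequence silently when `n` reaches `nitems(p)`, so a malformed colon-separated SGR sequence leaves no trace in the debug log. Since this file mirrors an upstream commit I would leave the code as is here and only propose upstream a line such as `log_debug("%s: too many SGR arguments", __func__);` before the added `free(copy)`. Note also that the `log_debug` after the if/else prints `p[n - 1]` for an empty argument, a slot this loop iteration did not write; whether `p` is initialised beforehand is outside the inner hunk, as are the start and end of the function.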
diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD
index f70b03cab17..e2b48d56b73 100644
--- a/main/tzdata/APKBUILD
+++ b/main/tzdata/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tzdata
-pkgver=2020c
-_tzcodever=2020c
+pkgver=2021a
+_tzcodever=2021a
_ptzver=0.5
pkgrel=0
pkgdesc="Timezone data"
@@ -32,11 +32,11 @@ build() {
}
package() {
- ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo $_timezones
- ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/right -L leapseconds $_timezones
- #./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/posix $_timezones
+ ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo $_timezones
+ ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/right -L leapseconds $_timezones
+ #./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/posix $_timezones
- ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo -p America/New_York
+ ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo -p America/New_York
install -m444 -t "$pkgdir"/usr/share/zoneinfo iso3166.tab zone1970.tab zone.tab
mkdir -p "$pkgdir"/usr/sbin
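Review bot: The `-b fat` option added to every zic call in package() has no comment saying why it is needed. zic has defaulted to the slim output format since tzcode 2020b, so the option presumably keeps the installed zoneinfo readable by older TZif parsers; a line such as `# zic defaults to -b slim since 2020b; keep fat files for older TZif readers` above the first call would record that. package() continues past the end of the hunk.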
@@ -50,8 +50,8 @@ package() {
"$pkgdir"/usr/bin/posixtz
}
-sha512sums="c77fa69d2a005ba7cff602b2267983fd01613f81385bc13c90b9581d69fb0ac73491641cac81e0e5d7dd00ed120c45103859902c2d10da9d25c98b33354f88f7 tzcode2020c.tar.gz
-bbd66fe236ba0949261cb238bfed454c03b4500b239dc38f1b8fef8d229136f5964c1a8386fe54484e4e5e34a3c28a7b66ee7374ff7e0dd07865d78fc53bf96c tzdata2020c.tar.gz
+sha512sums="bf1d53bcbfecd3b09d57a9e6d3cb49b5dc5f8e1b6674b67e7f974e1a268c2aaf13ca89a7ef12f49d0665aff782bd72685e00c22a41ca88a028da0429f972fd45 tzcode2021a.tar.gz
+7cdd762ec90ce12a30fa36b1d66d1ea82d9fa21e514e2b9c7fcbe2541514ee0fadf30843ff352c65512fb270857b51d1517b45e1232b89c6f954ba9ff1833bb3 tzdata2021a.tar.gz
68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz
0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch
fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch"
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index 94db17e325c..2aed210bdbe 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -17,7 +17,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$
"
# secfixes:
-# 8.1.1365:
+# 8.1.1365-r0:
# - CVE-2019-12735
# 8.0.1521-r0:
# - CVE-2017-6350
diff --git a/main/wpa_supplicant/APKBUILD b/main/wpa_supplicant/APKBUILD
index b1e30d0be35..198862cc981 100644
--- a/main/wpa_supplicant/APKBUILD
+++ b/main/wpa_supplicant/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wpa_supplicant
pkgver=2.8
-pkgrel=3
+pkgrel=5
pkgdesc="A utility providing key negotiation for WPA wireless networks"
url="https://w1.fi/wpa_supplicant/"
arch="all"
@@ -24,11 +24,17 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
0005-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch
0006-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
CVE-2019-16275.patch
+ CVE-2021-0326.patch
+ CVE-2021-27803.patch
config
wpa_cli.sh"
# secfixes:
+# 2.8-r5:
+# - CVE-2021-27803
+# 2.8-r4:
+# - CVE-2021-0326
# 2.8-r3:
# - CVE-2019-16275
# 2.8-r2:
@@ -121,5 +127,7 @@ a0ac905ef23af18f1899a797e18157a54fa509c7cc3c59583de768a493d750876bbc0a89237373b6
bcae73930c35d441c5615970c305abb3dff293fdec16df50823e57419b22d1aac0e780970619e0c78b4482b7d07962bcf6162706a20e20f7b21a3a10f500eff1 0005-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch
4734a8ab8ba1e91fc9e3d729f34527c14c291df238b02adea5acc04b0361b41d4bffca2fb13a4f464e9f007fa624117af4f50d755cb41a3129b4868da91bdf9a 0006-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
+e212dd6a2c56c086c14a2c96f479f7a8e6521b6a24c648eb03363db078398e64a38e343ff6faa327d5a0244a7969ecd34c5844d676c697eeb8eb842101fa9cf9 CVE-2021-0326.patch
+af8b4a526a6833de4921fcbbd1b03da7e027276c909d512bd59a95e9767ffe8580135f9aee8947c4317681c4fe130f7ec50cba947f8375313f832a66c66b2cd5 CVE-2021-27803.patch
6707991f9a071f2fcb09d164d31d12b1f52b91fbb5574b70b8d6f9727f72bbe42b03dd66d10fcc2126f5b7e49ac785657dec90e88b4bf54a9aa5638582f6e505 config
212c4265afce2e72b95a32cd785612d6c3e821b47101ead154136d184ac4add01434ada6c87edbb9a98496552e76e1a4d79c6b5840e3a5cfe5e6d602fceae576 wpa_cli.sh"
diff --git a/main/wpa_supplicant/CVE-2021-0326.patch b/main/wpa_supplicant/CVE-2021-0326.patch
new file mode 100644
index 00000000000..2ad5f441bef
--- /dev/null
+++ b/main/wpa_supplicant/CVE-2021-0326.patch
@@ -0,0 +1,37 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: P2P: Fix copying of secondary device types for P2P group client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index 74b7b52..5cbfc21 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ dev->info.config_methods = cli->config_methods;
+ os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+--
+cgit v0.12
+
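Review bot: The clamp added in p2p_copy_client_info() truncates an over-long secondary device type list silently, and nothing in the hunk says that the truncated length still ends on an entry boundary. The length is computed as `8 * cli->num_sec_dev_types`, so the copy stays entry-aligned only if WPS_SEC_DEV_TYPE_MAX_LEN is a multiple of 8, and that constant is defined outside this hunk. A short comment above the check, e.g. `/* Truncate to the fixed-size list; WPS_SEC_DEV_TYPE_MAX_LEN is assumed to be a multiple of the 8-octet entry size */`, would document that, and a debug message on truncation would make malformed group information visible in logs. The function starts outside the inner hunk.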
diff --git a/main/wpa_supplicant/CVE-2021-27803.patch b/main/wpa_supplicant/CVE-2021-27803.patch
new file mode 100644
index 00000000000..1942bb3d553
--- /dev/null
+++ b/main/wpa_supplicant/CVE-2021-27803.patch
@@ -0,0 +1,50 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec03f86b..05fd593494ef 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ goto out;
+ }
+
++ dev = p2p_get_device(p2p, sa);
+ if (!dev) {
+- dev = p2p_get_device(p2p, sa);
+- if (!dev) {
+- p2p_dbg(p2p,
+- "Provision Discovery device not found "
+- MACSTR, MAC2STR(sa));
+- goto out;
+- }
++ p2p_dbg(p2p,
++ "Provision Discovery device not found "
++ MACSTR, MAC2STR(sa));
++ goto out;
+ }
+ } else if (msg.wfd_subelems) {
+ wpabuf_free(dev->info.wfd_subelems);
+--
+2.25.1
+
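Review bot: The now unconditional `dev = p2p_get_device(p2p, sa);` in p2p_process_prov_disc_req() carries no comment, so the reason for dropping the old `if (!dev)` guard is recorded only in the commit message. Per that message, p2p_add_device() may remove the oldest peer entry and leave the earlier `dev` stale; a comment such as `/* p2p_add_device() may have freed the oldest entry; never reuse the earlier dev pointer */` on that line would keep a later cleanup from reintroducing the guard. The p2p_add_device() call itself and the rest of the function lie outside the inner hunk.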
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 859bf29451c..e8c790ee4ec 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer:
pkgname=xen
-pkgver=4.12.3
-pkgrel=4
+pkgver=4.12.4
+pkgrel=0
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -120,30 +120,30 @@ options="!strip"
# - CVE-2018-10982 XSA-261
# - CVE-2018-10981 XSA-262
# 4.11.0-r0:
-# - CVE-2018-3639 XSA-263
-# - CVE-2018-128911 XSA-264
-# - CVE-2018-12893 XSA-265
-# - CVE-2018-12892 XSA-266
-# - CVE-2018-3665 XSA-267
+# - CVE-2018-3639 XSA-263
+# - CVE-2018-12891 XSA-264
+# - CVE-2018-12893 XSA-265
+# - CVE-2018-12892 XSA-266
+# - CVE-2018-3665 XSA-267
# 4.11.1-r0:
-# - CVE-2018-15469 XSA-268
-# - CVE-2018-15468 XSA-269
-# - CVE-2018-15470 XSA-272
-# - CVE-2018-3620 XSA-273
-# - CVE-2018-3646 XSA-273
-# - CVE-2018-19961 XSA-275
-# - CVE-2018-19962 XSA-275
-# - CVE-2018-19963 XSA-276
-# - CVE-2018-19964 XSA-277
-# - CVE-2018-18883 XSA-278
-# - CVE-2018-19965 XSA-279
-# - CVE-2018-19966 XSA-280
-# - CVE-2018-19967 XSA-282
+# - CVE-2018-15469 XSA-268
+# - CVE-2018-15468 XSA-269
+# - CVE-2018-15470 XSA-272
+# - CVE-2018-3620 XSA-273
+# - CVE-2018-3646 XSA-273
+# - CVE-2018-19961 XSA-275
+# - CVE-2018-19962 XSA-275
+# - CVE-2018-19963 XSA-276
+# - CVE-2018-19964 XSA-277
+# - CVE-2018-18883 XSA-278
+# - CVE-2018-19965 XSA-279
+# - CVE-2018-19966 XSA-280
+# - CVE-2018-19967 XSA-282
# 4.12.0-r2:
-# - CVE-2018-12126 XSA-297
-# - CVE-2018-12127 XSA-297
-# - CVE-2018-12130 XSA-297
-# - CVE-2019-11091 XSA-297
+# - CVE-2018-12126 XSA-297
+# - CVE-2018-12127 XSA-297
+# - CVE-2018-12130 XSA-297
+# - CVE-2019-11091 XSA-297
# 4.12.1-r0:
# - CVE-2019-17349 CVE-2019-17350 XSA-295
# 4.12.1-r1:
@@ -167,9 +167,9 @@ options="!strip"
# - CVE-2020-11743 XSA-316
# - CVE-2020-11742 XSA-318
# 4.12.3-r0:
-# - CVE-2020-????? XSA-312
+# - XSA-312
# 4.12.3-r1:
-# - CVE-2020-0543 XSA-320
+# - CVE-2020-0543 XSA-320
# 4.12.3-r2:
# - CVE-2020-15566 XSA-317
# - CVE-2020-15563 XSA-319
@@ -189,6 +189,13 @@ options="!strip"
# - CVE-2020-25600 XSA-342
# - CVE-2020-25599 XSA-343
# - CVE-2020-25601 XSA-344
+# 4.12.4-r0:
+# - CVE-2020-27674 XSA-286
+# - CVE-2020-27672 XSA-345
+# - CVE-2020-27671 XSA-346
+# - CVE-2020-27670 XSA-347
+# - CVE-2020-28368 XSA-351
+# - CVE-2020-29040 XSA-355
case "$CARCH" in
@@ -253,36 +260,9 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
hotplug-Linux-iscsi-block-handle-lun-1.patch
- xsa320-4.12-1.patch
- xsa320-4.12-2.patch
- xsa320-4.12-3.patch
- xsa317.patch
- xsa319.patch
- xsa328-4.12-1.patch
- xsa328-4.12-2.patch
- xsa321-4.12-1.patch
- xsa321-4.12-2.patch
- xsa321-4.12-3.patch
- xsa321-4.12-4.patch
- xsa321-4.12-5.patch
- xsa321-4.12-6.patch
- xsa321-4.12-7.patch
- xsa327.patch
- xsa335-qemu.patch
- xsa333.patch
- xsa334-4.12.patch
- xsa336.patch
- xsa337-4.12-1.patch
- xsa337-4.12-2.patch
- xsa338.patch
- xsa339.patch
- xsa340.patch
- xsa342-4.13.patch
- xsa343-4.12-1.patch
- xsa343-4.12-2.patch
- xsa343-4.12-3.patch
- xsa344-4.12-1.patch
- xsa344-4.12-2.patch
+ xsa351-x86-4.12-1.patch
+ xsa351-x86-4.12-2.patch
+ xsa355.patch
xenstored.initd
xenstored.confd
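Review bot: This hunk drops the xsa317 through xsa344 patches from `source=`, presumably because the 4.12.4 tarball already contains them, but nothing in the APKBUILD records that. The same applies to the new `4.12.4-r0` secfixes entry, which lists XSA-286, XSA-345, XSA-346 and XSA-347 without a patch file while only the xsa351 and xsa355 patches are added here. A comment above `source=`, e.g. `# XSA-286/345/346/347 and the former 4.12.3 XSA patches are part of the 4.12.4 release`, would let a later auditor tell fixed-upstream entries from locally patched ones, once that has been checked against the release. The `source=` assignment starts and ends outside the hunk.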
@@ -517,7 +497,7 @@ EOF
}
-sha512sums="7bbf4e752477f18143ac9a62fb633b1fbe115a1a9b03d0132f33dfca025bc9b76d9c2e9b66a3e407d14aff161b940b1a82e3e3ca43213798e9dd38b6970194e0 xen-4.12.3.tar.gz
+sha512sums="21787470d8efd9930da7618c00528643454df5b3c487bb9348f88643b90a2b7f9067ad252a6ea423c31e185090d053ca3dbec25b4f6cd64bd1ceb5aa3129b547 xen-4.12.4.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -530,43 +510,16 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
b9c754220187955d01ffbb6e030dace9d9aaae755db1765d07e407858c71a2cb0de04e0ab2099cd121d9e1bc1978af06c7dbd2fd805e06eca12ac5d527f15a52 mini-os-__divmoddi4.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
-77b08e9655e091b0352e4630d520b54c6ca6d659d1d38fbb4b3bfc9ff3e66db433a2e194ead32bb10ff962c382d800a670e82b7a62835b238e294b22808290ea musl-hvmloader-fix-stdint.patch
+e768734462e8b2818a1b5ea532274f04ec13cb4a61d20cd60a382c7e4de5267d3ffa7f148730a155fbe87afffd37fcc72b7e09ed8ec7b256b764025fc1bd6e75 musl-hvmloader-fix-stdint.patch
8c3b57eab8641bcee3dbdc1937ea7874f77b9722a5a0aa3ddb8dff8cc0ced7e19703ef5d998621b3809bea7c16f3346cfa47610ec9ab014ad0de12651c94e5ff stdint_local.h
853467a2d055c5bfbdc7bdca175a334241be44a7c5ac3c0a84a4bc5463b5c070b66d37e2a557429ef860727a6b7350683af758cc2494d85b6be4d883143a2c0d elf_local.h
79cb1b6b81b17cb87a064dfe3548949dfb80f64f203cac11ef327102b7a25794549ce2d9c019ebf05f752214da8e05065e9219d069e679c0ae5bee3d090c685e xen-hotplug-lockfd.patch
e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3ac853c5dbad8082da3c9cd53b65081910516feb492577b7fc xen-fd-is-file.c
2094ea964fa610b2bf72fd2c7ede7e954899a75c0f5b08030cf1d74460fb759ade84866176e32f8fe29c921dfdc6dafd2b31e23ab9b0a3874d3dceeabdd1913b xenqemu-xattr-size-max.patch
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
-325f66b008a76ff569fdca430e2926633996511f1bd7dcd375259377e4c88758b13c95ee66b8edaa5ffebc3d927442409dc36bd8e35b2c928e43d82a539583cf xsa317.patch
-d57d8cfd749df1816060345bedd9fa7ef2381ea9d85562ddf0c39ffe832ca56834c3e8c1fb67a64fd5631fd219c4d66a3ef655dca0989bf39911c87e0145717f xsa319.patch
-7f7d75b90d43ec7f6d78817105a51310681a4886fab0e53222566cf9ea96ae24cd9c4a6bf48ed833c9fc2eb4caf49290e2fb8fe59dc889ed284decb80fb0b8ed xsa320-4.12-1.patch
-55bb7d226a8816614231274eb05fb7ea42ce9b7415c92a9f142f2c4c69686ffebbee6ba0e1c6d061af7669a9b5710b276dcd981893ade6d40d466ec6fc84b724 xsa320-4.12-2.patch
-26b178f19003de89979579e6f9fe50e1a02170c17d0e50351197c808a53a5bae20d73f43223fdc9bd08b23fd9c2f4e1e80e104d4d211a456ce93ab24f5821c37 xsa320-4.12-3.patch
-411e42e1f88fee11c18d83f20be0f3c8b15e48b3e8b7cd9ebe0a34f728d0486874a6e9e475d4abb324bfeacdb9d6107b56af7be54e26dbb54912948aead45c20 xsa321-4.12-1.patch
-412c7c18ad7b6d8022d73d50fbf2efc41f4b7258f8e75603b86d55f4cae0d327c6f16526d43af0a88eccbd0c87e8d96881be919954996a03ff5fd4b0c38c9fd4 xsa321-4.12-2.patch
-40117383f40710f30f9f0fc64502458c4cdfa25b4b1a87c647852f3b43a0cf3e7f06b9b7961200d68a1ff9859224942d3d9469ba2a95b463d5a5a3cb1532ae8b xsa321-4.12-3.patch
-922f46623c1dca5d067e7897fe2cf0e3045ea7bf26f1aab12935c47a4a764ddb3e9cef2c8efef29f933aab9351a301572c0ea21ef84514cfba06d6159500876a xsa321-4.12-4.patch
-0c4932886cfb7495fbe1007cb0a9562341c1a33243fd64274b4bb02e7094842bfb2766ef2a8f5ac41c586ffece029f332302f4e3e2271d9f3b9ce4af97dafc4d xsa321-4.12-5.patch
-030c429b328876dcdffdd2a7e664ad0cbf073466a0c91bf603a067c20e4977d41891dd2615e178f2bfb4413cea57104c531f537786518de7723984261a070709 xsa321-4.12-6.patch
-5b9d281bfa6faf7c77b7984d1ea57dda690163b165e6a3408b6c3b2a089359bb78bba1f214dc84ecfc0fa0995381f9fcd7dc92a4bbcc457b9b8ad1d945537140 xsa321-4.12-7.patch
-83823056dbd0142585d8b0fb9b3179ac8cc099a21ee489008a4cfb1f310daae72dff1fb6c7cd3a1c8ca5cec43a6b964587d8121a2423226baad0bcd302e73263 xsa327.patch
-81beeaabf03d10ea8610487d76f859f76e92f19b188abcb2e33e6c1e31ddf9f78dcb1b9decb6a403d8237fe9fa580ed4a0037d46628ff6730569c355ebc0e405 xsa328-4.12-1.patch
-a9551daa73a7deb332fcfd647d0df6ebab84699a91eaca43697e182612304910610f80c1edc3c5e3b86e4a580137a4ae178fadba62fe148795a6ab240df174cf xsa328-4.12-2.patch
-a18f552845ca105ce846ff8281b6c5b10f45301571f3163a33a6c212b87b742bb039f15c2d346bd34a9fdedd8a007fd9e51f319900cb8ee05febf178ed6ef8b0 xsa335-qemu.patch
-7457a53eee28044143800124f422d530c49f7ee976ed5a5ff74e25100fc7ea364b8cd4f690b55dc308fe028bbaaf73164f994abab70d6388901199c8415eded1 xsa333.patch
-ef22acfca9b0d149a25ea9bf573d544f28dacdfac470baa5f50ac123f16e01b291db1d1188ef44f3d3ab9f264e1ed683f4bfec668b0cb9693b56459e59317486 xsa334-4.12.patch
-b89faf5147706d71ef354d7e6bf290df7d86b9881dfc16e8f591eb9402382a6eef3b2a450f21dfe779f060001114f85ae32ff7ceaa05db6e3c924a0137b3cd1d xsa336.patch
-4cf0a5776162297ecad3c8ff3bb67003a86cbf70fe4150d5a1dfc4cd9fef2d0b02fe6bb83547d11330124665546e3319e7e7155b7f253551785aaacc902bb439 xsa337-4.12-1.patch
-9fb56b526cebe73d78c8a921882bbc084bd0772dbfd06890d28ce5407e72394d90c44da6e78f6b86df25af4354fec9cf9327dd019553a6d4e7f54663a7821268 xsa337-4.12-2.patch
-11a637e6de41012046115ed66e95e7fec90a3c274030dc1617dbcee4cc3b88dfa812e21323a628e27356aedfbaa094508fbdedc340dc37db29960ff6d4ef9921 xsa338.patch
-7eaa70d891cdfd60001308c6b88f635048babdd1ba2952bcc88322b2096bafd1aee6a3f7dc1f4188fa7c44217c4d9bcaadf4bdd274d95762b0646e65f6b9659e xsa339.patch
-2d4b2887f1a779267c15b16bd83d78ca84ceaaf9cad08a64162c28440527d3ac8edf80c8c2916e152bdf9e0e3e768c316d95dfa4c362c7a34dfb3348e8a2c568 xsa340.patch
-c61fe4121c7a9314a8c3514dcdd62779dd11a90c2edb33cc1df55131477af7a1ec2c8a6dc15ad6d0975b335170d23c2b0057c55bd9923d20c4d4b31934c2f675 xsa342-4.13.patch
-c454080662fd8b716d1df99c20729e1d48c5be08884adb9ba9386113badbaf4867ff7da4bf69cfd0e05cc42fb640176106dd467ae9d7c6de8530b5fff31885d5 xsa343-4.12-1.patch
-73715412ad0f60685685d1c426a37703d2ad8f3af7be9811cb48a5d931f14debeb1d2c29a25b699dd305ac39a1af2084cd2fa410d58669d6dcaa7a55dbd3b19e xsa343-4.12-2.patch
-d83925afad228eedb07ef5f43d7dfb04e4af96da9c36b62aa1e127d085fca57f2870456e15ac46fd0502910652a5e3b1cbfc918e38104f7b54cfb0e523652329 xsa343-4.12-3.patch
-085bdccd77a4a4b90d6d64e804b128b9dbb86ed346df42fdb402f374a4606912338dc0b9a9eb4be0dbdb5ac3671daf469ea219a40863f10393134d46474ae8dd xsa344-4.12-1.patch
-6a97729208cd725609b9207de8887599f04ff4d7a969db549c4526d59b0e2f58bce777456630aab01800f9d58613405cac09b6bb0ca72db3b686d9913d36ca3b xsa344-4.12-2.patch
+b19c167ee9eaafc0b37c2f77418787e044e5e8a29e4a4b6bdf4ada5d75cd3f52231bfc70b69929af3934151efc661dd47974b0372ae0a23ba1293f7f23458d15 xsa351-x86-4.12-1.patch
+3b08cc4a5608f53d5a64f6eff00eb018f751ae0c8d855b98c53a58d3766c1472a236bb3d11002d1aa5d4b75d0d645b8fa052c76b69639f76cf1062b73e2d5ab1 xsa351-x86-4.12-2.patch
+70b4b03c956b189ed75d0105152945bf3bfbee406135cab32f7b8160739f207ae17f9e7028b13d298de97de6dadcb205e8a7cd2830cad8b91e8a62b93f168a80 xsa355.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
diff --git a/main/xen/musl-hvmloader-fix-stdint.patch b/main/xen/musl-hvmloader-fix-stdint.patch
index 0d42f034a12..1eb0d4b8c57 100644
--- a/main/xen/musl-hvmloader-fix-stdint.patch
+++ b/main/xen/musl-hvmloader-fix-stdint.patch
@@ -1,5 +1,5 @@
musl's stdint does not support gcc -m32 so we need to make sure that we
-don't use system's stdint.h. We ship a stdind_local.h and make sure that
+don't use system's stdint.h. We ship a stdint_local.h and make sure that
we use that instead
https://bugs.alpinelinux.org/issues/3308
@@ -8,7 +8,7 @@ diff --git a/tools/firmware/Rules.mk b/tools/firmware/Rules.mk
index 26bbddc..efad58c 100644
--- a/tools/firmware/Rules.mk
+++ b/tools/firmware/Rules.mk
-@@ -12,6 +12,7 @@ CFLAGS += -DNDEBUG
+@@ -12,6 +12,7 @@
endif
CFLAGS += -Werror
@@ -21,7 +21,7 @@ index fe770a3..cdab677 100644
--- a/tools/firmware/hvmloader/32bitbios_support.c
+++ b/tools/firmware/hvmloader/32bitbios_support.c
@@ -21,8 +21,8 @@
- * Place - Suite 330, Boston, MA 02111-1307 USA.
+ * this program; If not, see <http://www.gnu.org/licenses/>.
*/
-#include <inttypes.h>
@@ -54,9 +54,9 @@ index b838cf9..33d48b3 100644
-#include <stdint.h>
+#include <stdint_local.h>
+ #include <stdbool.h>
enum virtual_vga { VGA_none, VGA_std, VGA_cirrus, VGA_pt };
- extern enum virtual_vga virtual_vga;
diff --git a/tools/firmware/hvmloader/hypercall.h b/tools/firmware/hvmloader/hypercall.h
index 5368c30..c57bc86 100644
--- a/tools/firmware/hvmloader/hypercall.h
@@ -75,7 +75,7 @@ index fd636a0..b3b703e 100644
--- a/tools/firmware/hvmloader/mp_tables.c
+++ b/tools/firmware/hvmloader/mp_tables.c
@@ -28,7 +28,7 @@
- * Place - Suite 330, Boston, MA 02111-1307 USA.
+ * this program; If not, see <http://www.gnu.org/licenses/>.
*/
-#include <stdint.h>
@@ -160,8 +160,8 @@ index a70e4aa..a8a2628 100644
-#include <stdint.h>
+#include <stdint_local.h>
#include <stddef.h>
+ #include <stdbool.h>
#include <xen/xen.h>
- #include <xen/hvm/hvm_info_table.h>
diff --git a/tools/firmware/rombios/32bit/pmm.c b/tools/firmware/rombios/32bit/pmm.c
index 4a279ca..b90b813 100644
--- a/tools/firmware/rombios/32bit/pmm.c
@@ -180,7 +180,7 @@ index a47bb71..777f742 100644
--- a/tools/firmware/rombios/32bit/util.c
+++ b/tools/firmware/rombios/32bit/util.c
@@ -18,7 +18,7 @@
- * Place - Suite 330, Boston, MA 02111-1307 USA.
+ * this program; If not, see <http://www.gnu.org/licenses/>.
*/
#include <stdarg.h>
-#include <stdint.h>
diff --git a/main/xen/xsa317.patch b/main/xen/xsa317.patch
deleted file mode 100644
index 20e2c643d06..00000000000
--- a/main/xen/xsa317.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From aeb46e92f915f19a61d5a8a1f4b696793f64e6fb Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Thu, 19 Mar 2020 13:17:31 +0000
-Subject: [PATCH] xen/common: event_channel: Don't ignore error in
- get_free_port()
-
-Currently, get_free_port() is assuming that the port has been allocated
-when evtchn_allocate_port() is not return -EBUSY.
-
-However, the function may return an error when:
- - We exhausted all the event channels. This can happen if the limit
- configured by the administrator for the guest ('max_event_channels'
- in xl cfg) is higher than the ABI used by the guest. For instance,
- if the guest is using 2L, the limit should not be higher than 4095.
- - We cannot allocate memory (e.g Xen has not more memory).
-
-Users of get_free_port() (such as EVTCHNOP_alloc_unbound) will validly
-assuming the port was valid and will next call evtchn_from_port(). This
-will result to a crash as the memory backing the event channel structure
-is not present.
-
-Fixes: 368ae9a05fe ("xen/pvshim: forward evtchn ops between L0 Xen and L2 DomU")
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/common/event_channel.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
-index e86e2bfab0..a8d182b584 100644
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -195,10 +195,10 @@ static int get_free_port(struct domain *d)
- {
- int rc = evtchn_allocate_port(d, port);
-
-- if ( rc == -EBUSY )
-- continue;
--
-- return port;
-+ if ( rc == 0 )
-+ return port;
-+ else if ( rc != -EBUSY )
-+ return rc;
- }
-
- return -ENOSPC;
---
-2.17.1
-
diff --git a/main/xen/xsa319.patch b/main/xen/xsa319.patch
deleted file mode 100644
index 769443c900e..00000000000
--- a/main/xen/xsa319.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/shadow: correct an inverted conditional in dirty VRAM tracking
-
-This originally was "mfn_x(mfn) == INVALID_MFN". Make it like this
-again, taking the opportunity to also drop the unnecessary nearby
-braces.
-
-This is XSA-319.
-
-Fixes: 246a5a3377c2 ("xen: Use a typesafe to define INVALID_MFN")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -3252,10 +3252,8 @@ int shadow_track_dirty_vram(struct domai
- int dirty = 0;
- paddr_t sl1ma = dirty_vram->sl1ma[i];
-
-- if ( !mfn_eq(mfn, INVALID_MFN) )
-- {
-+ if ( mfn_eq(mfn, INVALID_MFN) )
- dirty = 1;
-- }
- else
- {
- page = mfn_to_page(mfn);
diff --git a/main/xen/xsa320-4.12-1.patch b/main/xen/xsa320-4.12-1.patch
deleted file mode 100644
index e1fc2773b33..00000000000
--- a/main/xen/xsa320-4.12-1.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: CPUID/MSR definitions for Special Register Buffer Data Sampling
-
-This is part of XSA-320 / CVE-2020-0543
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Wei Liu <wl@xen.org>
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 3561d88b59..dbdaee92dc 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -483,10 +483,10 @@ accounting for hardware capabilities as enumerated via CPUID.
-
- Currently accepted:
-
--The Speculation Control hardware features `md-clear`, `ibrsb`, `stibp`, `ibpb`,
--`l1d-flush` and `ssbd` are used by default if available and applicable. They can
--be ignored, e.g. `no-ibrsb`, at which point Xen won't use them itself, and
--won't offer them to guests.
-+The Speculation Control hardware features `srbds-ctrl`, `md-clear`, `ibrsb`,
-+`stibp`, `ibpb`, `l1d-flush` and `ssbd` are used by default if available and
-+applicable. They can be ignored, e.g. `no-ibrsb`, at which point Xen won't
-+use them itself, and won't offer them to guests.
-
- ### cpuid_mask_cpu
- > `= fam_0f_rev_[cdefg] | fam_10_rev_[bc] | fam_11_rev_b`
-diff --git a/tools/libxl/libxl_cpuid.c b/tools/libxl/libxl_cpuid.c
-index 4cf0f0738d..88b5760c85 100644
---- a/tools/libxl/libxl_cpuid.c
-+++ b/tools/libxl/libxl_cpuid.c
-@@ -203,6 +203,7 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
-
- {"avx512-4vnniw",0x00000007, 0, CPUID_REG_EDX, 2, 1},
- {"avx512-4fmaps",0x00000007, 0, CPUID_REG_EDX, 3, 1},
-+ {"srbds-ctrl", 0x00000007, 0, CPUID_REG_EDX, 9, 1},
- {"md-clear", 0x00000007, 0, CPUID_REG_EDX, 10, 1},
- {"cet-ibt", 0x00000007, 0, CPUID_REG_EDX, 20, 1},
- {"ibrsb", 0x00000007, 0, CPUID_REG_EDX, 26, 1},
-diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
-index 2a00697643..b4c4dfcf19 100644
---- a/tools/misc/xen-cpuid.c
-+++ b/tools/misc/xen-cpuid.c
-@@ -154,6 +154,7 @@ static const char *str_7d0[32] =
- [ 2] = "avx512_4vnniw", [ 3] = "avx512_4fmaps",
- [ 4] = "fsrm",
-
-+ /* 8 */ [ 9] = "srbds-ctrl",
- [10] = "md-clear",
- /* 12 */ [13] = "tsx-force-abort",
-
-diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c
-index 1727497459..22d8c71a95 100644
---- a/xen/arch/x86/cpuid.c
-+++ b/xen/arch/x86/cpuid.c
-@@ -59,6 +59,11 @@ static int __init parse_xen_cpuid(const char *s)
- if ( !val )
- setup_clear_cpu_cap(X86_FEATURE_SSBD);
- }
-+ else if ( (val = parse_boolean("srbds-ctrl", s, ss)) >= 0 )
-+ {
-+ if ( !val )
-+ setup_clear_cpu_cap(X86_FEATURE_SRBDS_CTRL);
-+ }
- else
- rc = -EINVAL;
-
-diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
-index 4888fff16c..9ff27b7007 100644
---- a/xen/arch/x86/msr.c
-+++ b/xen/arch/x86/msr.c
-@@ -133,6 +133,7 @@ int guest_rdmsr(const struct vcpu *v, uint32_t msr, uint64_t *val)
- /* Write-only */
- case MSR_TSX_FORCE_ABORT:
- case MSR_TSX_CTRL:
-+ case MSR_MCU_OPT_CTRL:
- case MSR_U_CET:
- case MSR_S_CET:
- case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE:
-@@ -273,6 +274,7 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
- /* Read-only */
- case MSR_TSX_FORCE_ABORT:
- case MSR_TSX_CTRL:
-+ case MSR_MCU_OPT_CTRL:
- case MSR_U_CET:
- case MSR_S_CET:
- case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE:
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index 800139d79c..5158e012ca 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -309,12 +309,13 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
- printk("Speculative mitigation facilities:\n");
-
- /* Hardware features which pertain to speculative mitigations. */
-- printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
-+ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
- (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "",
- (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "",
- (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
- (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "",
- (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "",
-+ (_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL" : "",
- (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "",
- (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "",
- (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
-diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h
-index 7693c4a71a..91994669e1 100644
---- a/xen/include/asm-x86/msr-index.h
-+++ b/xen/include/asm-x86/msr-index.h
-@@ -179,6 +179,9 @@
- #define MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
- #define MSR_IA32_VMX_VMFUNC 0x491
-
-+#define MSR_MCU_OPT_CTRL 0x00000123
-+#define MCU_OPT_CTRL_RNGDS_MITG_DIS (_AC(1, ULL) << 0)
-+
- #define MSR_U_CET 0x000006a0
- #define MSR_S_CET 0x000006a2
- #define MSR_PL0_SSP 0x000006a4
-diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
-index 865a435d2c..31490a7c10 100644
---- a/xen/include/public/arch-x86/cpufeatureset.h
-+++ b/xen/include/public/arch-x86/cpufeatureset.h
-@@ -243,6 +243,7 @@ XEN_CPUFEATURE(IBPB, 8*32+12) /*A IBPB support only (no IBRS, used by
- /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */
- XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */
- XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single Precision */
-+XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */
- XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */
- XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */
- XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */
diff --git a/main/xen/xsa320-4.12-2.patch b/main/xen/xsa320-4.12-2.patch
deleted file mode 100644
index 3046f829648..00000000000
--- a/main/xen/xsa320-4.12-2.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: Mitigate the Special Register Buffer Data Sampling sidechannel
-
-See patch documentation and comments.
-
-This is part of XSA-320 / CVE-2020-0543
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index dbdaee92dc..337fbf0492 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -1909,7 +1909,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
- ### spec-ctrl (x86)
- > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>,
- > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu,
--> l1d-flush}=<bool> ]`
-+> l1d-flush,srb-lock}=<bool> ]`
-
- Controls for speculative execution sidechannel mitigations. By default, Xen
- will pick the most appropriate mitigations based on compiled in support,
-@@ -1981,6 +1981,12 @@ Irrespective of Xen's setting, the feature is virtualised for HVM guests to
- use. By default, Xen will enable this mitigation on hardware believed to be
- vulnerable to L1TF.
-
-+On hardware supporting SRBDS_CTRL, the `srb-lock=` option can be used to force
-+or prevent Xen from protect the Special Register Buffer from leaking stale
-+data. By default, Xen will enable this mitigation, except on parts where MDS
-+is fixed and TAA is fixed/mitigated (in which case, there is believed to be no
-+way for an attacker to obtain the stale data).
-+
- ### sync_console
- > `= <boolean>`
-
-diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
-index c1d772f63f..a07aa3b9ed 100644
---- a/xen/arch/x86/acpi/power.c
-+++ b/xen/arch/x86/acpi/power.c
-@@ -266,6 +266,9 @@ static int enter_state(u32 state)
- ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr);
- spec_ctrl_exit_idle(ci);
-
-+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
-+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
-+
- done:
- spin_debug_enable();
- local_irq_restore(flags);
-diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
-index 699e21bfb7..b741d1354a 100644
---- a/xen/arch/x86/smpboot.c
-+++ b/xen/arch/x86/smpboot.c
-@@ -369,12 +369,14 @@ void start_secondary(void *unused)
- microcode_resume_cpu(cpu);
-
- /*
-- * If MSR_SPEC_CTRL is available, apply Xen's default setting and discard
-- * any firmware settings. Note: MSR_SPEC_CTRL may only become available
-- * after loading microcode.
-+ * If any speculative control MSRs are available, apply Xen's default
-+ * settings. Note: These MSRs may only become available after loading
-+ * microcode.
- */
- if ( boot_cpu_has(X86_FEATURE_IBRSB) )
- wrmsrl(MSR_SPEC_CTRL, default_xen_spec_ctrl);
-+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
-+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
-
- tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
-
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index 5158e012ca..e2fcefc86a 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -64,6 +64,9 @@ static unsigned int __initdata l1d_maxphysaddr;
- static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */
- static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. */
-
-+static int8_t __initdata opt_srb_lock = -1;
-+uint64_t __read_mostly default_xen_mcu_opt_ctrl;
-+
- static int __init parse_spec_ctrl(const char *s)
- {
- const char *ss;
-@@ -110,6 +113,7 @@ static int __init parse_spec_ctrl(const char *s)
- opt_ibpb = false;
- opt_ssbd = false;
- opt_l1d_flush = 0;
-+ opt_srb_lock = 0;
- }
- else if ( val > 0 )
- rc = -EINVAL;
-@@ -175,6 +179,8 @@ static int __init parse_spec_ctrl(const char *s)
- opt_eager_fpu = val;
- else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
- opt_l1d_flush = val;
-+ else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 )
-+ opt_srb_lock = val;
- else
- rc = -EINVAL;
-
-@@ -338,7 +344,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
- "\n");
-
- /* Settings for Xen's protection, irrespective of guests. */
-- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s\n",
-+ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n",
- thunk == THUNK_NONE ? "N/A" :
- thunk == THUNK_RETPOLINE ? "RETPOLINE" :
- thunk == THUNK_LFENCE ? "LFENCE" :
-@@ -349,6 +355,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
- (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-",
- !(caps & ARCH_CAPS_TSX_CTRL) ? "" :
- (opt_tsx & 1) ? " TSX+" : " TSX-",
-+ !boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ? "" :
-+ opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-",
- opt_ibpb ? " IBPB" : "",
- opt_l1d_flush ? " L1D_FLUSH" : "",
- opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "");
-@@ -1142,6 +1150,34 @@ void __init init_speculation_mitigations(void)
- tsx_init();
- }
-
-+ /* Calculate suitable defaults for MSR_MCU_OPT_CTRL */
-+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
-+ {
-+ uint64_t val;
-+
-+ rdmsrl(MSR_MCU_OPT_CTRL, val);
-+
-+ /*
-+ * On some SRBDS-affected hardware, it may be safe to relax srb-lock
-+ * by default.
-+ *
-+ * On parts which enumerate MDS_NO and not TAA_NO, TSX is the only way
-+ * to access the Fill Buffer. If TSX isn't available (inc. SKU
-+ * reasons on some models), or TSX is explicitly disabled, then there
-+ * is no need for the extra overhead to protect RDRAND/RDSEED.
-+ */
-+ if ( opt_srb_lock == -1 &&
-+ (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO &&
-+ (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && opt_tsx == 0)) )
-+ opt_srb_lock = 0;
-+
-+ val &= ~MCU_OPT_CTRL_RNGDS_MITG_DIS;
-+ if ( !opt_srb_lock )
-+ val |= MCU_OPT_CTRL_RNGDS_MITG_DIS;
-+
-+ default_xen_mcu_opt_ctrl = val;
-+ }
-+
- print_details(thunk, caps);
-
- /*
-@@ -1173,6 +1209,9 @@ void __init init_speculation_mitigations(void)
-
- wrmsrl(MSR_SPEC_CTRL, bsp_delay_spec_ctrl ? 0 : default_xen_spec_ctrl);
- }
-+
-+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
-+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
- }
-
- static void __init __maybe_unused build_assertions(void)
-diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
-index ba03bb42e5..59bab1a41b 100644
---- a/xen/include/asm-x86/spec_ctrl.h
-+++ b/xen/include/asm-x86/spec_ctrl.h
-@@ -53,6 +53,8 @@ extern int8_t opt_pv_l1tf_hwdom, opt_pv_l1tf_domu;
- */
- extern paddr_t l1tf_addr_mask, l1tf_safe_maddr;
-
-+extern uint64_t default_xen_mcu_opt_ctrl;
-+
- static inline void init_shadow_spec_ctrl_state(void)
- {
- struct cpu_info *info = get_cpu_info();
diff --git a/main/xen/xsa320-4.12-3.patch b/main/xen/xsa320-4.12-3.patch
deleted file mode 100644
index b2a8313c79d..00000000000
--- a/main/xen/xsa320-4.12-3.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: Allow the RDRAND/RDSEED features to be hidden
-
-RDRAND/RDSEED can be hidden using cpuid= to mitigate SRBDS if microcode
-isn't available.
-
-This is part of XSA-320 / CVE-2020-0543.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Julien Grall <jgrall@amazon.com>
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 337fbf0492..7897da55ca 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -481,12 +481,18 @@ choice of `dom0-kernel` is deprecated and not supported by all Dom0 kernels.
- This option allows for fine tuning of the facilities Xen will use, after
- accounting for hardware capabilities as enumerated via CPUID.
-
-+Unless otherwise noted, options only have any effect in their negative form,
-+to hide the named feature(s). Ignoring a feature using this mechanism will
-+cause Xen not to use the feature, nor offer them as usable to guests.
-+
- Currently accepted:
-
- The Speculation Control hardware features `srbds-ctrl`, `md-clear`, `ibrsb`,
- `stibp`, `ibpb`, `l1d-flush` and `ssbd` are used by default if available and
--applicable. They can be ignored, e.g. `no-ibrsb`, at which point Xen won't
--use them itself, and won't offer them to guests.
-+applicable. They can all be ignored.
-+
-+`rdrand` and `rdseed` can be ignored, as a mitigation to XSA-320 /
-+CVE-2020-0543.
-
- ### cpuid_mask_cpu
- > `= fam_0f_rev_[cdefg] | fam_10_rev_[bc] | fam_11_rev_b`
-diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c
-index 22d8c71a95..d07567c901 100644
---- a/xen/arch/x86/cpuid.c
-+++ b/xen/arch/x86/cpuid.c
-@@ -64,6 +64,16 @@ static int __init parse_xen_cpuid(const char *s)
- if ( !val )
- setup_clear_cpu_cap(X86_FEATURE_SRBDS_CTRL);
- }
-+ else if ( (val = parse_boolean("rdrand", s, ss)) >= 0 )
-+ {
-+ if ( !val )
-+ setup_clear_cpu_cap(X86_FEATURE_RDRAND);
-+ }
-+ else if ( (val = parse_boolean("rdseed", s, ss)) >= 0 )
-+ {
-+ if ( !val )
-+ setup_clear_cpu_cap(X86_FEATURE_RDSEED);
-+ }
- else
- rc = -EINVAL;
-
diff --git a/main/xen/xsa321-4.12-1.patch b/main/xen/xsa321-4.12-1.patch
deleted file mode 100644
index b6c55a7e570..00000000000
--- a/main/xen/xsa321-4.12-1.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: vtd: improve IOMMU TLB flush
-
-Do not limit PSI flushes to order 0 pages, in order to avoid doing a
-full TLB flush if the passed in page has an order greater than 0 and
-is aligned. Should increase the performance of IOMMU TLB flushes when
-dealing with page orders greater than 0.
-
-This is part of XSA-321.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -611,13 +611,14 @@ static int __must_check iommu_flush_iotl
- if ( iommu_domid == -1 )
- continue;
-
-- if ( page_count != 1 || dfn_eq(dfn, INVALID_DFN) )
-+ if ( !page_count || (page_count & (page_count - 1)) ||
-+ dfn_eq(dfn, INVALID_DFN) || !IS_ALIGNED(dfn_x(dfn), page_count) )
- rc = iommu_flush_iotlb_dsi(iommu, iommu_domid,
- 0, flush_dev_iotlb);
- else
- rc = iommu_flush_iotlb_psi(iommu, iommu_domid,
- dfn_to_daddr(dfn),
-- PAGE_ORDER_4K,
-+ get_order_from_pages(page_count),
- !dma_old_pte_present,
- flush_dev_iotlb);
-
diff --git a/main/xen/xsa321-4.12-2.patch b/main/xen/xsa321-4.12-2.patch
deleted file mode 100644
index a05205ca5e8..00000000000
--- a/main/xen/xsa321-4.12-2.patch
+++ /dev/null
@@ -1,175 +0,0 @@
-From: <security@xenproject.org>
-Subject: vtd: prune (and rename) cache flush functions
-
-Rename __iommu_flush_cache to iommu_sync_cache and remove
-iommu_flush_cache_page. Also remove the iommu_flush_cache_entry
-wrapper and just use iommu_sync_cache instead. Note the _entry suffix
-was meaningless as the wrapper was already taking a size parameter in
-bytes. While there also constify the addr parameter.
-
-No functional change intended.
-
-This is part of XSA-321.
-
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/extern.h
-+++ b/xen/drivers/passthrough/vtd/extern.h
-@@ -38,8 +38,7 @@ void disable_qinval(struct iommu *iommu)
- int enable_intremap(struct iommu *iommu, int eim);
- void disable_intremap(struct iommu *iommu);
-
--void iommu_flush_cache_entry(void *addr, unsigned int size);
--void iommu_flush_cache_page(void *addr, unsigned long npages);
-+void iommu_sync_cache(const void *addr, unsigned int size);
- int iommu_alloc(struct acpi_drhd_unit *drhd);
- void iommu_free(struct acpi_drhd_unit *drhd);
-
---- a/xen/drivers/passthrough/vtd/intremap.c
-+++ b/xen/drivers/passthrough/vtd/intremap.c
-@@ -231,7 +231,7 @@ static void free_remap_entry(struct iomm
- iremap_entries, iremap_entry);
-
- update_irte(iommu, iremap_entry, &new_ire, false);
-- iommu_flush_cache_entry(iremap_entry, sizeof(*iremap_entry));
-+ iommu_sync_cache(iremap_entry, sizeof(*iremap_entry));
- iommu_flush_iec_index(iommu, 0, index);
-
- unmap_vtd_domain_page(iremap_entries);
-@@ -403,7 +403,7 @@ static int ioapic_rte_to_remap_entry(str
- }
-
- update_irte(iommu, iremap_entry, &new_ire, !init);
-- iommu_flush_cache_entry(iremap_entry, sizeof(*iremap_entry));
-+ iommu_sync_cache(iremap_entry, sizeof(*iremap_entry));
- iommu_flush_iec_index(iommu, 0, index);
-
- unmap_vtd_domain_page(iremap_entries);
-@@ -694,7 +694,7 @@ static int msi_msg_to_remap_entry(
- update_irte(iommu, iremap_entry, &new_ire, msi_desc->irte_initialized);
- msi_desc->irte_initialized = true;
-
-- iommu_flush_cache_entry(iremap_entry, sizeof(*iremap_entry));
-+ iommu_sync_cache(iremap_entry, sizeof(*iremap_entry));
- iommu_flush_iec_index(iommu, 0, index);
-
- unmap_vtd_domain_page(iremap_entries);
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -158,7 +158,8 @@ static void __init free_intel_iommu(stru
- }
-
- static int iommus_incoherent;
--static void __iommu_flush_cache(void *addr, unsigned int size)
-+
-+void iommu_sync_cache(const void *addr, unsigned int size)
- {
- int i;
- static unsigned int clflush_size = 0;
-@@ -173,16 +174,6 @@ static void __iommu_flush_cache(void *ad
- cacheline_flush((char *)addr + i);
- }
-
--void iommu_flush_cache_entry(void *addr, unsigned int size)
--{
-- __iommu_flush_cache(addr, size);
--}
--
--void iommu_flush_cache_page(void *addr, unsigned long npages)
--{
-- __iommu_flush_cache(addr, PAGE_SIZE * npages);
--}
--
- /* Allocate page table, return its machine address */
- u64 alloc_pgtable_maddr(struct acpi_drhd_unit *drhd, unsigned long npages)
- {
-@@ -207,7 +198,7 @@ u64 alloc_pgtable_maddr(struct acpi_drhd
- vaddr = __map_domain_page(cur_pg);
- memset(vaddr, 0, PAGE_SIZE);
-
-- iommu_flush_cache_page(vaddr, 1);
-+ iommu_sync_cache(vaddr, PAGE_SIZE);
- unmap_domain_page(vaddr);
- cur_pg++;
- }
-@@ -242,7 +233,7 @@ static u64 bus_to_context_maddr(struct i
- }
- set_root_value(*root, maddr);
- set_root_present(*root);
-- iommu_flush_cache_entry(root, sizeof(struct root_entry));
-+ iommu_sync_cache(root, sizeof(struct root_entry));
- }
- maddr = (u64) get_context_addr(*root);
- unmap_vtd_domain_page(root_entries);
-@@ -300,7 +291,7 @@ static u64 addr_to_dma_page_maddr(struct
- */
- dma_set_pte_readable(*pte);
- dma_set_pte_writable(*pte);
-- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
-+ iommu_sync_cache(pte, sizeof(struct dma_pte));
- }
-
- if ( level == 2 )
-@@ -681,7 +672,7 @@ static int __must_check dma_pte_clear_on
- *flush_flags |= IOMMU_FLUSHF_modified;
-
- spin_unlock(&hd->arch.mapping_lock);
-- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
-+ iommu_sync_cache(pte, sizeof(struct dma_pte));
-
- unmap_vtd_domain_page(page);
-
-@@ -720,7 +711,7 @@ static void iommu_free_page_table(struct
- iommu_free_pagetable(dma_pte_addr(*pte), next_level);
-
- dma_clear_pte(*pte);
-- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
-+ iommu_sync_cache(pte, sizeof(struct dma_pte));
- }
-
- unmap_vtd_domain_page(pt_vaddr);
-@@ -1449,7 +1440,7 @@ int domain_context_mapping_one(
- context_set_address_width(*context, agaw);
- context_set_fault_enable(*context);
- context_set_present(*context);
-- iommu_flush_cache_entry(context, sizeof(struct context_entry));
-+ iommu_sync_cache(context, sizeof(struct context_entry));
- spin_unlock(&iommu->lock);
-
- /* Context entry was previously non-present (with domid 0). */
-@@ -1602,7 +1593,7 @@ int domain_context_unmap_one(
-
- context_clear_present(*context);
- context_clear_entry(*context);
-- iommu_flush_cache_entry(context, sizeof(struct context_entry));
-+ iommu_sync_cache(context, sizeof(struct context_entry));
-
- iommu_domid= domain_iommu_domid(domain, iommu);
- if ( iommu_domid == -1 )
-@@ -1837,7 +1828,7 @@ static int __must_check intel_iommu_map_
-
- *pte = new;
-
-- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
-+ iommu_sync_cache(pte, sizeof(struct dma_pte));
- spin_unlock(&hd->arch.mapping_lock);
- unmap_vtd_domain_page(page);
-
-@@ -1912,7 +1903,7 @@ int iommu_pte_flush(struct domain *d, ui
- int iommu_domid;
- int rc = 0;
-
-- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
-+ iommu_sync_cache(pte, sizeof(struct dma_pte));
-
- for_each_drhd_unit ( drhd )
- {
-@@ -2777,7 +2768,7 @@ static int __init intel_iommu_quarantine
- dma_set_pte_addr(*pte, maddr);
- dma_set_pte_readable(*pte);
- }
-- iommu_flush_cache_page(parent, 1);
-+ iommu_sync_cache(parent, PAGE_SIZE);
-
- unmap_vtd_domain_page(parent);
- parent = map_vtd_domain_page(maddr);
diff --git a/main/xen/xsa321-4.12-3.patch b/main/xen/xsa321-4.12-3.patch
deleted file mode 100644
index 60215859416..00000000000
--- a/main/xen/xsa321-4.12-3.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From: <security@xenproject.org>
-Subject: x86/iommu: introduce a cache sync hook
-
-The hook is only implemented for VT-d and it uses the already existing
-iommu_sync_cache function present in VT-d code. The new hook is
-added so that the cache can be flushed by code outside of VT-d when
-using shared page tables.
-
-Note that alloc_pgtable_maddr must use the now locally defined
-sync_cache function, because IOMMU ops are not yet setup the first
-time the function gets called during IOMMU initialization.
-
-No functional change intended.
-
-This is part of XSA-321.
-
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/extern.h
-+++ b/xen/drivers/passthrough/vtd/extern.h
-@@ -38,7 +38,6 @@ void disable_qinval(struct iommu *iommu)
- int enable_intremap(struct iommu *iommu, int eim);
- void disable_intremap(struct iommu *iommu);
-
--void iommu_sync_cache(const void *addr, unsigned int size);
- int iommu_alloc(struct acpi_drhd_unit *drhd);
- void iommu_free(struct acpi_drhd_unit *drhd);
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -159,7 +159,7 @@ static void __init free_intel_iommu(stru
-
- static int iommus_incoherent;
-
--void iommu_sync_cache(const void *addr, unsigned int size)
-+static void sync_cache(const void *addr, unsigned int size)
- {
- int i;
- static unsigned int clflush_size = 0;
-@@ -198,7 +198,7 @@ u64 alloc_pgtable_maddr(struct acpi_drhd
- vaddr = __map_domain_page(cur_pg);
- memset(vaddr, 0, PAGE_SIZE);
-
-- iommu_sync_cache(vaddr, PAGE_SIZE);
-+ sync_cache(vaddr, PAGE_SIZE);
- unmap_domain_page(vaddr);
- cur_pg++;
- }
-@@ -2813,6 +2813,7 @@ const struct iommu_ops __initconstrel in
- .iotlb_flush_all = iommu_flush_iotlb_all,
- .get_reserved_device_memory = intel_iommu_get_reserved_device_memory,
- .dump_p2m_table = vtd_dump_p2m_table,
-+ .sync_cache = sync_cache,
- };
-
- /*
---- a/xen/include/asm-x86/iommu.h
-+++ b/xen/include/asm-x86/iommu.h
-@@ -101,6 +101,13 @@ extern bool untrusted_msi;
- int pi_update_irte(const struct pi_desc *pi_desc, const struct pirq *pirq,
- const uint8_t gvec);
-
-+#define iommu_sync_cache(addr, size) ({ \
-+ const struct iommu_ops *ops = iommu_get_ops(); \
-+ \
-+ if ( ops->sync_cache ) \
-+ ops->sync_cache(addr, size); \
-+})
-+
- #endif /* !__ARCH_X86_IOMMU_H__ */
- /*
- * Local variables:
---- a/xen/include/xen/iommu.h
-+++ b/xen/include/xen/iommu.h
-@@ -221,6 +221,7 @@ struct iommu_ops {
- void (*update_ire_from_apic)(unsigned int apic, unsigned int reg, unsigned int value);
- unsigned int (*read_apic_from_ire)(unsigned int apic, unsigned int reg);
- int (*setup_hpet_msi)(struct msi_desc *);
-+ void (*sync_cache)(const void *addr, unsigned int size);
- #endif /* CONFIG_X86 */
- int __must_check (*suspend)(void);
- void (*resume)(void);
diff --git a/main/xen/xsa321-4.12-4.patch b/main/xen/xsa321-4.12-4.patch
deleted file mode 100644
index 24cea6d8af3..00000000000
--- a/main/xen/xsa321-4.12-4.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: <security@xenproject.org>
-Subject: vtd: don't assume addresses are aligned in sync_cache
-
-Current code in sync_cache assume that the address passed in is
-aligned to a cache line size. Fix the code to support passing in
-arbitrary addresses not necessarily aligned to a cache line size.
-
-This is part of XSA-321.
-
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -161,8 +161,8 @@ static int iommus_incoherent;
-
- static void sync_cache(const void *addr, unsigned int size)
- {
-- int i;
-- static unsigned int clflush_size = 0;
-+ static unsigned long clflush_size = 0;
-+ const void *end = addr + size;
-
- if ( !iommus_incoherent )
- return;
-@@ -170,8 +170,9 @@ static void sync_cache(const void *addr,
- if ( clflush_size == 0 )
- clflush_size = get_cache_line_size();
-
-- for ( i = 0; i < size; i += clflush_size )
-- cacheline_flush((char *)addr + i);
-+ addr -= (unsigned long)addr & (clflush_size - 1);
-+ for ( ; addr < end; addr += clflush_size )
-+ cacheline_flush((char *)addr);
- }
-
- /* Allocate page table, return its machine address */
diff --git a/main/xen/xsa321-4.12-5.patch b/main/xen/xsa321-4.12-5.patch
deleted file mode 100644
index 9d47529bded..00000000000
--- a/main/xen/xsa321-4.12-5.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: <security@xenproject.org>
-Subject: x86/alternative: introduce alternative_2
-
-It's based on alternative_io_2 without inputs or outputs but with an
-added memory clobber.
-
-This is part of XSA-321.
-
-Acked-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/include/asm-x86/alternative.h
-+++ b/xen/include/asm-x86/alternative.h
-@@ -113,6 +113,11 @@ extern void alternative_instructions(voi
- #define alternative(oldinstr, newinstr, feature) \
- asm volatile (ALTERNATIVE(oldinstr, newinstr, feature) : : : "memory")
-
-+#define alternative_2(oldinstr, newinstr1, feature1, newinstr2, feature2) \
-+ asm volatile (ALTERNATIVE_2(oldinstr, newinstr1, feature1, \
-+ newinstr2, feature2) \
-+ : : : "memory")
-+
- /*
- * Alternative inline assembly with input.
- *
diff --git a/main/xen/xsa321-4.12-6.patch b/main/xen/xsa321-4.12-6.patch
deleted file mode 100644
index a4bae3efa86..00000000000
--- a/main/xen/xsa321-4.12-6.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: <security@xenproject.org>
-Subject: vtd: optimize CPU cache sync
-
-Some VT-d IOMMUs are non-coherent, which requires a cache write back
-in order for the changes made by the CPU to be visible to the IOMMU.
-This cache write back was unconditionally done using clflush, but there are
-other more efficient instructions to do so, hence implement support
-for them using the alternative framework.
-
-This is part of XSA-321.
-
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/extern.h
-+++ b/xen/drivers/passthrough/vtd/extern.h
-@@ -64,7 +64,6 @@ int __must_check qinval_device_iotlb_syn
- u16 did, u16 size, u64 addr);
-
- unsigned int get_cache_line_size(void);
--void cacheline_flush(char *);
- void flush_all_cache(void);
-
- u64 alloc_pgtable_maddr(struct acpi_drhd_unit *drhd, unsigned long npages);
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -31,6 +31,7 @@
- #include <xen/pci_regs.h>
- #include <xen/keyhandler.h>
- #include <asm/msi.h>
-+#include <asm/nops.h>
- #include <asm/irq.h>
- #include <asm/hvm/vmx/vmx.h>
- #include <asm/p2m.h>
-@@ -172,7 +173,42 @@ static void sync_cache(const void *addr,
-
- addr -= (unsigned long)addr & (clflush_size - 1);
- for ( ; addr < end; addr += clflush_size )
-- cacheline_flush((char *)addr);
-+/*
-+ * The arguments to a macro must not include preprocessor directives. Doing so
-+ * results in undefined behavior, so we have to create some defines here in
-+ * order to avoid it.
-+ */
-+#if defined(HAVE_AS_CLWB)
-+# define CLWB_ENCODING "clwb %[p]"
-+#elif defined(HAVE_AS_XSAVEOPT)
-+# define CLWB_ENCODING "data16 xsaveopt %[p]" /* clwb */
-+#else
-+# define CLWB_ENCODING ".byte 0x66, 0x0f, 0xae, 0x30" /* clwb (%%rax) */
-+#endif
-+
-+#define BASE_INPUT(addr) [p] "m" (*(const char *)(addr))
-+#if defined(HAVE_AS_CLWB) || defined(HAVE_AS_XSAVEOPT)
-+# define INPUT BASE_INPUT
-+#else
-+# define INPUT(addr) "a" (addr), BASE_INPUT(addr)
-+#endif
-+ /*
-+ * Note regarding the use of NOP_DS_PREFIX: it's faster to do a clflush
-+ * + prefix than a clflush + nop, and hence the prefix is added instead
-+ * of letting the alternative framework fill the gap by appending nops.
-+ */
-+ alternative_io_2(".byte " __stringify(NOP_DS_PREFIX) "; clflush %[p]",
-+ "data16 clflush %[p]", /* clflushopt */
-+ X86_FEATURE_CLFLUSHOPT,
-+ CLWB_ENCODING,
-+ X86_FEATURE_CLWB, /* no outputs */,
-+ INPUT(addr));
-+#undef INPUT
-+#undef BASE_INPUT
-+#undef CLWB_ENCODING
-+
-+ alternative_2("", "sfence", X86_FEATURE_CLFLUSHOPT,
-+ "sfence", X86_FEATURE_CLWB);
- }
-
- /* Allocate page table, return its machine address */
---- a/xen/drivers/passthrough/vtd/x86/vtd.c
-+++ b/xen/drivers/passthrough/vtd/x86/vtd.c
-@@ -51,11 +51,6 @@ unsigned int get_cache_line_size(void)
- return ((cpuid_ebx(1) >> 8) & 0xff) * 8;
- }
-
--void cacheline_flush(char * addr)
--{
-- clflush(addr);
--}
--
- void flush_all_cache()
- {
- wbinvd();
diff --git a/main/xen/xsa321-4.12-7.patch b/main/xen/xsa321-4.12-7.patch
deleted file mode 100644
index 7b9feb8be81..00000000000
--- a/main/xen/xsa321-4.12-7.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From: <security@xenproject.org>
-Subject: x86/ept: flush cache when modifying PTEs and sharing page tables
-
-Modifications made to the page tables by EPT code need to be written
-to memory when the page tables are shared with the IOMMU, as Intel
-IOMMUs can be non-coherent and thus require changes to be written to
-memory in order to be visible to the IOMMU.
-
-In order to achieve this make sure data is written back to memory
-after writing an EPT entry when the recalc bit is not set in
-atomic_write_ept_entry. If such bit is set, the entry will be
-adjusted and atomic_write_ept_entry will be called a second time
-without the recalc bit set. Note that when splitting a super page the
-new tables resulting of the split should also be written back.
-
-Failure to do so can allow devices behind the IOMMU access to the
-stale super page, or cause coherency issues as changes made by the
-processor to the page tables are not visible to the IOMMU.
-
-This allows to remove the VT-d specific iommu_pte_flush helper, since
-the cache write back is now performed by atomic_write_ept_entry, and
-hence iommu_iotlb_flush can be used to flush the IOMMU TLB. The newly
-used method (iommu_iotlb_flush) can result in less flushes, since it
-might sometimes be called rightly with 0 flags, in which case it
-becomes a no-op.
-
-This is part of XSA-321.
-
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/mm/p2m-ept.c
-+++ b/xen/arch/x86/mm/p2m-ept.c
-@@ -58,6 +58,19 @@ static int atomic_write_ept_entry(struct
-
- write_atomic(&entryptr->epte, new.epte);
-
-+ /*
-+ * The recalc field on the EPT is used to signal either that a
-+ * recalculation of the EMT field is required (which doesn't effect the
-+ * IOMMU), or a type change. Type changes can only be between ram_rw,
-+ * logdirty and ioreq_server: changes to/from logdirty won't work well with
-+ * an IOMMU anyway, as IOMMU #PFs are not synchronous and will lead to
-+ * aborts, and changes to/from ioreq_server are already fully flushed
-+ * before returning to guest context (see
-+ * XEN_DMOP_map_mem_type_to_ioreq_server).
-+ */
-+ if ( !new.recalc && iommu_use_hap_pt(p2m->domain) )
-+ iommu_sync_cache(entryptr, sizeof(*entryptr));
-+
- return 0;
- }
-
-@@ -278,6 +291,9 @@ static bool_t ept_split_super_page(struc
- break;
- }
-
-+ if ( iommu_use_hap_pt(p2m->domain) )
-+ iommu_sync_cache(table, EPT_PAGETABLE_ENTRIES * sizeof(ept_entry_t));
-+
- unmap_domain_page(table);
-
- /* Even failed we should install the newly allocated ept page. */
-@@ -337,6 +353,9 @@ static int ept_next_level(struct p2m_dom
- if ( !next )
- return GUEST_TABLE_MAP_FAILED;
-
-+ if ( iommu_use_hap_pt(p2m->domain) )
-+ iommu_sync_cache(next, EPT_PAGETABLE_ENTRIES * sizeof(ept_entry_t));
-+
- rc = atomic_write_ept_entry(p2m, ept_entry, e, next_level);
- ASSERT(rc == 0);
- }
-@@ -815,7 +834,10 @@ out:
- need_modify_vtd_table )
- {
- if ( iommu_use_hap_pt(d) )
-- rc = iommu_pte_flush(d, gfn, &ept_entry->epte, order, vtd_pte_present);
-+ rc = iommu_iotlb_flush(d, _dfn(gfn), (1u << order),
-+ (iommu_flags ? IOMMU_FLUSHF_added : 0) |
-+ (vtd_pte_present ? IOMMU_FLUSHF_modified
-+ : 0));
- else if ( need_iommu_pt_sync(d) )
- rc = iommu_flags ?
- iommu_legacy_map(d, _dfn(gfn), mfn, order, iommu_flags) :
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -1930,53 +1930,6 @@ static int intel_iommu_lookup_page(struc
- return 0;
- }
-
--int iommu_pte_flush(struct domain *d, uint64_t dfn, uint64_t *pte,
-- int order, int present)
--{
-- struct acpi_drhd_unit *drhd;
-- struct iommu *iommu = NULL;
-- struct domain_iommu *hd = dom_iommu(d);
-- bool_t flush_dev_iotlb;
-- int iommu_domid;
-- int rc = 0;
--
-- iommu_sync_cache(pte, sizeof(struct dma_pte));
--
-- for_each_drhd_unit ( drhd )
-- {
-- iommu = drhd->iommu;
-- if ( !test_bit(iommu->index, &hd->arch.iommu_bitmap) )
-- continue;
--
-- flush_dev_iotlb = !!find_ats_dev_drhd(iommu);
-- iommu_domid= domain_iommu_domid(d, iommu);
-- if ( iommu_domid == -1 )
-- continue;
--
-- rc = iommu_flush_iotlb_psi(iommu, iommu_domid,
-- __dfn_to_daddr(dfn),
-- order, !present, flush_dev_iotlb);
-- if ( rc > 0 )
-- {
-- iommu_flush_write_buffer(iommu);
-- rc = 0;
-- }
-- }
--
-- if ( unlikely(rc) )
-- {
-- if ( !d->is_shutting_down && printk_ratelimit() )
-- printk(XENLOG_ERR VTDPREFIX
-- " d%d: IOMMU pages flush failed: %d\n",
-- d->domain_id, rc);
--
-- if ( !is_hardware_domain(d) )
-- domain_crash(d);
-- }
--
-- return rc;
--}
--
- static int __init vtd_ept_page_compatible(struct iommu *iommu)
- {
- u64 ept_cap, vtd_cap = iommu->cap;
---- a/xen/include/asm-x86/iommu.h
-+++ b/xen/include/asm-x86/iommu.h
-@@ -90,8 +90,6 @@ int iommu_setup_hpet_msi(struct msi_desc
-
- /* While VT-d specific, this must get declared in a generic header. */
- int adjust_vtd_irq_affinities(void);
--int __must_check iommu_pte_flush(struct domain *d, u64 gfn, u64 *pte,
-- int order, int present);
- bool_t iommu_supports_eim(void);
- int iommu_enable_x2apic_IR(void);
- void iommu_disable_x2apic_IR(void);
diff --git a/main/xen/xsa327.patch b/main/xen/xsa327.patch
deleted file mode 100644
index 0541cfa0df8..00000000000
--- a/main/xen/xsa327.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 030300ebbb86c40c12db038714479d746167c767 Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Tue, 26 May 2020 18:31:33 +0100
-Subject: [PATCH] xen: Check the alignment of the offset pased via
- VCPUOP_register_vcpu_info
-
-Currently a guest is able to register any guest physical address to use
-for the vcpu_info structure as long as the structure can fits in the
-rest of the frame.
-
-This means a guest can provide an address that is not aligned to the
-natural alignment of the structure.
-
-On Arm 32-bit, unaligned access are completely forbidden by the
-hypervisor. This will result to a data abort which is fatal.
-
-On Arm 64-bit, unaligned access are only forbidden when used for atomic
-access. As the structure contains fields (such as evtchn_pending_self)
-that are updated using atomic operations, any unaligned access will be
-fatal as well.
-
-While the misalignment is only fatal on Arm, a generic check is added
-as an x86 guest shouldn't sensibly pass an unaligned address (this
-would result to a split lock).
-
-This is XSA-327.
-
-Reported-by: Julien Grall <jgrall@amazon.com>
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
----
- xen/common/domain.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/xen/common/domain.c b/xen/common/domain.c
-index 7cc9526139a6..e9be05f1d05f 100644
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-@@ -1227,10 +1227,20 @@ int map_vcpu_info(struct vcpu *v, unsigned long gfn, unsigned offset)
- void *mapping;
- vcpu_info_t *new_info;
- struct page_info *page;
-+ unsigned int align;
-
- if ( offset > (PAGE_SIZE - sizeof(vcpu_info_t)) )
- return -EINVAL;
-
-+#ifdef CONFIG_COMPAT
-+ if ( has_32bit_shinfo(d) )
-+ align = alignof(new_info->compat);
-+ else
-+#endif
-+ align = alignof(*new_info);
-+ if ( offset & (align - 1) )
-+ return -EINVAL;
-+
- if ( !mfn_eq(v->vcpu_info_mfn, INVALID_MFN) )
- return -EINVAL;
-
---
-2.17.1
-
diff --git a/main/xen/xsa328-4.12-1.patch b/main/xen/xsa328-4.12-1.patch
deleted file mode 100644
index a53993ca209..00000000000
--- a/main/xen/xsa328-4.12-1.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/EPT: ept_set_middle_entry() related adjustments
-
-ept_split_super_page() wants to further modify the newly allocated
-table, so have ept_set_middle_entry() return the mapped pointer rather
-than tearing it down and then getting re-established right again.
-
-Similarly ept_next_level() wants to hand back a mapped pointer of
-the next level page, so re-use the one established by
-ept_set_middle_entry() in case that path was taken.
-
-Pull the setting of suppress_ve ahead of insertion into the higher level
-table, and don't have ept_split_super_page() set the field a 2nd time.
-
-This is part of XSA-328.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/mm/p2m-ept.c
-+++ b/xen/arch/x86/mm/p2m-ept.c
-@@ -187,8 +187,9 @@ static void ept_p2m_type_to_flags(struct
- #define GUEST_TABLE_SUPER_PAGE 2
- #define GUEST_TABLE_POD_PAGE 3
-
--/* Fill in middle levels of ept table */
--static int ept_set_middle_entry(struct p2m_domain *p2m, ept_entry_t *ept_entry)
-+/* Fill in middle level of ept table; return pointer to mapped new table. */
-+static ept_entry_t *ept_set_middle_entry(struct p2m_domain *p2m,
-+ ept_entry_t *ept_entry)
- {
- mfn_t mfn;
- ept_entry_t *table;
-@@ -196,7 +197,12 @@ static int ept_set_middle_entry(struct p
-
- mfn = p2m_alloc_ptp(p2m, 0);
- if ( mfn_eq(mfn, INVALID_MFN) )
-- return 0;
-+ return NULL;
-+
-+ table = map_domain_page(mfn);
-+
-+ for ( i = 0; i < EPT_PAGETABLE_ENTRIES; i++ )
-+ table[i].suppress_ve = 1;
-
- ept_entry->epte = 0;
- ept_entry->mfn = mfn_x(mfn);
-@@ -208,14 +214,7 @@ static int ept_set_middle_entry(struct p
-
- ept_entry->suppress_ve = 1;
-
-- table = map_domain_page(mfn);
--
-- for ( i = 0; i < EPT_PAGETABLE_ENTRIES; i++ )
-- table[i].suppress_ve = 1;
--
-- unmap_domain_page(table);
--
-- return 1;
-+ return table;
- }
-
- /* free ept sub tree behind an entry */
-@@ -253,10 +252,10 @@ static bool_t ept_split_super_page(struc
-
- ASSERT(is_epte_superpage(ept_entry));
-
-- if ( !ept_set_middle_entry(p2m, &new_ept) )
-+ table = ept_set_middle_entry(p2m, &new_ept);
-+ if ( !table )
- return 0;
-
-- table = map_domain_page(_mfn(new_ept.mfn));
- trunk = 1UL << ((level - 1) * EPT_TABLE_ORDER);
-
- for ( i = 0; i < EPT_PAGETABLE_ENTRIES; i++ )
-@@ -267,7 +266,6 @@ static bool_t ept_split_super_page(struc
- epte->sp = (level > 1);
- epte->mfn += i * trunk;
- epte->snp = (iommu_enabled && iommu_snoop);
-- epte->suppress_ve = 1;
-
- ept_p2m_type_to_flags(p2m, epte, epte->sa_p2mt, epte->access);
-
-@@ -306,8 +304,7 @@ static int ept_next_level(struct p2m_dom
- ept_entry_t **table, unsigned long *gfn_remainder,
- int next_level)
- {
-- unsigned long mfn;
-- ept_entry_t *ept_entry, e;
-+ ept_entry_t *ept_entry, *next = NULL, e;
- u32 shift, index;
-
- shift = next_level * EPT_TABLE_ORDER;
-@@ -332,19 +329,17 @@ static int ept_next_level(struct p2m_dom
- if ( read_only )
- return GUEST_TABLE_MAP_FAILED;
-
-- if ( !ept_set_middle_entry(p2m, ept_entry) )
-+ next = ept_set_middle_entry(p2m, ept_entry);
-+ if ( !next )
- return GUEST_TABLE_MAP_FAILED;
-- else
-- e = atomic_read_ept_entry(ept_entry); /* Refresh */
-+ /* e is now stale and hence may not be used anymore below. */
- }
--
- /* The only time sp would be set here is if we had hit a superpage */
-- if ( is_epte_superpage(&e) )
-+ else if ( is_epte_superpage(&e) )
- return GUEST_TABLE_SUPER_PAGE;
-
-- mfn = e.mfn;
- unmap_domain_page(*table);
-- *table = map_domain_page(_mfn(mfn));
-+ *table = next ?: map_domain_page(_mfn(e.mfn));
- *gfn_remainder &= (1UL << shift) - 1;
- return GUEST_TABLE_NORMAL_PAGE;
- }
diff --git a/main/xen/xsa328-4.12-2.patch b/main/xen/xsa328-4.12-2.patch
deleted file mode 100644
index c4f437f625a..00000000000
--- a/main/xen/xsa328-4.12-2.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: <security@xenproject.org>
-Subject: x86/ept: atomically modify entries in ept_next_level
-
-ept_next_level was passing a live PTE pointer to ept_set_middle_entry,
-which was then modified without taking into account that the PTE could
-be part of a live EPT table. This wasn't a security issue because the
-pages returned by p2m_alloc_ptp are zeroed, so adding such an entry
-before actually initializing it didn't allow a guest to access
-physical memory addresses it wasn't supposed to access.
-
-This is part of XSA-328.
-
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/mm/p2m-ept.c
-+++ b/xen/arch/x86/mm/p2m-ept.c
-@@ -307,6 +307,8 @@ static int ept_next_level(struct p2m_dom
- ept_entry_t *ept_entry, *next = NULL, e;
- u32 shift, index;
-
-+ ASSERT(next_level);
-+
- shift = next_level * EPT_TABLE_ORDER;
-
- index = *gfn_remainder >> shift;
-@@ -323,16 +325,20 @@ static int ept_next_level(struct p2m_dom
-
- if ( !is_epte_present(&e) )
- {
-+ int rc;
-+
- if ( e.sa_p2mt == p2m_populate_on_demand )
- return GUEST_TABLE_POD_PAGE;
-
- if ( read_only )
- return GUEST_TABLE_MAP_FAILED;
-
-- next = ept_set_middle_entry(p2m, ept_entry);
-+ next = ept_set_middle_entry(p2m, &e);
- if ( !next )
- return GUEST_TABLE_MAP_FAILED;
-- /* e is now stale and hence may not be used anymore below. */
-+
-+ rc = atomic_write_ept_entry(p2m, ept_entry, e, next_level);
-+ ASSERT(rc == 0);
- }
- /* The only time sp would be set here is if we had hit a superpage */
- else if ( is_epte_superpage(&e) )
diff --git a/main/xen/xsa333.patch b/main/xen/xsa333.patch
deleted file mode 100644
index 6b86c942faa..00000000000
--- a/main/xen/xsa333.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/pv: Handle the Intel-specific MSR_MISC_ENABLE correctly
-
-This MSR doesn't exist on AMD hardware, and switching away from the safe
-functions in the common MSR path was an erroneous change.
-
-Partially revert the change.
-
-This is XSA-333.
-
-Fixes: 4fdc932b3cc ("x86/Intel: drop another 32-bit leftover")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Wei Liu <wl@xen.org>
-
-diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
-index efeb2a727e..6332c74b80 100644
---- a/xen/arch/x86/pv/emul-priv-op.c
-+++ b/xen/arch/x86/pv/emul-priv-op.c
-@@ -924,7 +924,8 @@ static int read_msr(unsigned int reg, uint64_t *val,
- return X86EMUL_OKAY;
-
- case MSR_IA32_MISC_ENABLE:
-- rdmsrl(reg, *val);
-+ if ( rdmsr_safe(reg, *val) )
-+ break;
- *val = guest_misc_enable(*val);
- return X86EMUL_OKAY;
-
-@@ -1059,7 +1060,8 @@ static int write_msr(unsigned int reg, uint64_t val,
- break;
-
- case MSR_IA32_MISC_ENABLE:
-- rdmsrl(reg, temp);
-+ if ( rdmsr_safe(reg, temp) )
-+ break;
- if ( val != guest_misc_enable(temp) )
- goto invalid;
- return X86EMUL_OKAY;
diff --git a/main/xen/xsa334-4.12.patch b/main/xen/xsa334-4.12.patch
deleted file mode 100644
index 57ec6d6f8ac..00000000000
--- a/main/xen/xsa334-4.12.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: xen/memory: Don't skip the RCU unlock path in acquire_resource()
-
-In the case that an HVM Stubdomain makes an XENMEM_acquire_resource hypercall,
-the FIXME path will bypass rcu_unlock_domain() on the way out of the function.
-
-Move the check to the start of the function. This does change the behaviour
-of the get-size path for HVM Stubdomains, but that functionality is currently
-broken and unused anyway, as well as being quite useless to entities which
-can't actually map the resource anyway.
-
-This is XSA-334.
-
-Fixes: 83fa6552ce ("common: add a new mappable resource type: XENMEM_resource_grant_table")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-Backport note: The deletion of the XENMEM_rsrc_acq_caller_owned clause is
-correct and intentional. This was an output-only flag who's use never
-survived into the Xen 4.12 release, and was subsequently deleted in Xen 4.13.
-
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index dbc06fb0bf..ff88ebb314 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-@@ -1059,6 +1059,14 @@ static int acquire_resource(
- xen_pfn_t mfn_list[32];
- int rc;
-
-+ /*
-+ * FIXME: Until foreign pages inserted into the P2M are properly
-+ * reference counted, it is unsafe to allow mapping of
-+ * resource pages unless the caller is the hardware domain.
-+ */
-+ if ( paging_mode_translate(currd) && !is_hardware_domain(currd) )
-+ return -EACCES;
-+
- if ( copy_from_guest(&xmar, arg, 1) )
- return -EFAULT;
-
-@@ -1115,16 +1123,6 @@ static int acquire_resource(
- xen_pfn_t gfn_list[ARRAY_SIZE(mfn_list)];
- unsigned int i;
-
-- /*
-- * FIXME: Until foreign pages inserted into the P2M are properly
-- * reference counted, it is unsafe to allow mapping of
-- * non-caller-owned resource pages unless the caller is
-- * the hardware domain.
-- */
-- if ( !(xmar.flags & XENMEM_rsrc_acq_caller_owned) &&
-- !is_hardware_domain(currd) )
-- return -EACCES;
--
- if ( copy_from_guest(gfn_list, xmar.frame_list, xmar.nr_frames) )
- rc = -EFAULT;
-
diff --git a/main/xen/xsa335-qemu.patch b/main/xen/xsa335-qemu.patch
deleted file mode 100644
index 320b4197820..00000000000
--- a/main/xen/xsa335-qemu.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From c5bd2924c6d6a5bcbffb8b5e7798a88970131c07 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 17 Aug 2020 08:34:22 +0200
-Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
-
-Store calculated setup_len in a local variable, verify it, and only
-write it to the struct (USBDevice->setup_len) in case it passed the
-sanity checks.
-
-This prevents other code (do_token_{in,out} functions specifically)
-from working with invalid USBDevice->setup_len values and overrunning
-the USBDevice->setup_buf[] buffer.
-
-Fixes: CVE-2020-14364
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/core.c | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/hw/usb/core.c b/hw/usb/core.c
-index 5abd128b6bc5..5234dcc73fea 100644
---- a/tools/qemu-xen/hw/usb/core.c
-+++ b/tools/qemu-xen/hw/usb/core.c
-@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
- static void do_token_setup(USBDevice *s, USBPacket *p)
- {
- int request, value, index;
-+ unsigned int setup_len;
-
- if (p->iov.size != 8) {
- p->status = USB_RET_STALL;
-@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
- usb_packet_copy(p, s->setup_buf, p->iov.size);
- s->setup_index = 0;
- p->actual_length = 0;
-- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-- if (s->setup_len > sizeof(s->data_buf)) {
-+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-+ if (setup_len > sizeof(s->data_buf)) {
- fprintf(stderr,
- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-- s->setup_len, sizeof(s->data_buf));
-+ setup_len, sizeof(s->data_buf));
- p->status = USB_RET_STALL;
- return;
- }
-+ s->setup_len = setup_len;
-
- request = (s->setup_buf[0] << 8) | s->setup_buf[1];
- value = (s->setup_buf[3] << 8) | s->setup_buf[2];
-@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
- static void do_parameter(USBDevice *s, USBPacket *p)
- {
- int i, request, value, index;
-+ unsigned int setup_len;
-
- for (i = 0; i < 8; i++) {
- s->setup_buf[i] = p->parameter >> (i*8);
- }
-
- s->setup_state = SETUP_STATE_PARAM;
-- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
- s->setup_index = 0;
-
- request = (s->setup_buf[0] << 8) | s->setup_buf[1];
- value = (s->setup_buf[3] << 8) | s->setup_buf[2];
- index = (s->setup_buf[5] << 8) | s->setup_buf[4];
-
-- if (s->setup_len > sizeof(s->data_buf)) {
-+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-+ if (setup_len > sizeof(s->data_buf)) {
- fprintf(stderr,
- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-- s->setup_len, sizeof(s->data_buf));
-+ setup_len, sizeof(s->data_buf));
- p->status = USB_RET_STALL;
- return;
- }
-+ s->setup_len = setup_len;
-
- if (p->pid == USB_TOKEN_OUT) {
- usb_packet_copy(p, s->data_buf, s->setup_len);
---
-2.18.4
diff --git a/main/xen/xsa336.patch b/main/xen/xsa336.patch
deleted file mode 100644
index b44c298b70b..00000000000
--- a/main/xen/xsa336.patch
+++ /dev/null
@@ -1,283 +0,0 @@
-From: Roger Pau Monné <roger.pau@citrix.com>
-Subject: x86/vpt: fix race when migrating timers between vCPUs
-
-The current vPT code will migrate the emulated timers between vCPUs
-(change the pt->vcpu field) while just holding the destination lock,
-either from create_periodic_time or pt_adjust_global_vcpu_target if
-the global target is adjusted. Changing the periodic_timer vCPU field
-in this way creates a race where a third party could grab the lock in
-the unlocked region of pt_adjust_global_vcpu_target (or before
-create_periodic_time performs the vcpu change) and then release the
-lock from a different vCPU, creating a locking imbalance.
-
-Introduce a per-domain rwlock in order to protect periodic_time
-migration between vCPU lists. Taking the lock in read mode prevents
-any timer from being migrated to a different vCPU, while taking it in
-write mode allows performing migration of timers across vCPUs. The
-per-vcpu locks are still used to protect all the other fields from the
-periodic_timer struct.
-
-Note that such migration shouldn't happen frequently, and hence
-there's no performance drop as a result of such locking.
-
-This is XSA-336.
-
-Reported-by: Igor Druzhinin <igor.druzhinin@citrix.com>
-Tested-by: Igor Druzhinin <igor.druzhinin@citrix.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
-Changes since v2:
- - Re-order pt_adjust_vcpu to remove one if.
- - Fix pt_lock to not call pt_vcpu_lock, as we might end up using a
- stale value of pt->vcpu when taking the per-vcpu lock.
-
-Changes since v1:
- - Use a per-domain rwlock to protect timer vCPU migration.
-
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -658,6 +658,8 @@ int hvm_domain_initialise(struct domain
- /* need link to containing domain */
- d->arch.hvm.pl_time->domain = d;
-
-+ rwlock_init(&d->arch.hvm.pl_time->pt_migrate);
-+
- /* Set the default IO Bitmap. */
- if ( is_hardware_domain(d) )
- {
---- a/xen/arch/x86/hvm/vpt.c
-+++ b/xen/arch/x86/hvm/vpt.c
-@@ -153,23 +153,32 @@ static int pt_irq_masked(struct periodic
- return 1;
- }
-
--static void pt_lock(struct periodic_time *pt)
-+static void pt_vcpu_lock(struct vcpu *v)
- {
-- struct vcpu *v;
-+ read_lock(&v->domain->arch.hvm.pl_time->pt_migrate);
-+ spin_lock(&v->arch.hvm.tm_lock);
-+}
-
-- for ( ; ; )
-- {
-- v = pt->vcpu;
-- spin_lock(&v->arch.hvm.tm_lock);
-- if ( likely(pt->vcpu == v) )
-- break;
-- spin_unlock(&v->arch.hvm.tm_lock);
-- }
-+static void pt_vcpu_unlock(struct vcpu *v)
-+{
-+ spin_unlock(&v->arch.hvm.tm_lock);
-+ read_unlock(&v->domain->arch.hvm.pl_time->pt_migrate);
-+}
-+
-+static void pt_lock(struct periodic_time *pt)
-+{
-+ /*
-+ * We cannot use pt_vcpu_lock here, because we need to acquire the
-+ * per-domain lock first and then (re-)fetch the value of pt->vcpu, or
-+ * else we might be using a stale value of pt->vcpu.
-+ */
-+ read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate);
-+ spin_lock(&pt->vcpu->arch.hvm.tm_lock);
- }
-
- static void pt_unlock(struct periodic_time *pt)
- {
-- spin_unlock(&pt->vcpu->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(pt->vcpu);
- }
-
- static void pt_process_missed_ticks(struct periodic_time *pt)
-@@ -219,7 +228,7 @@ void pt_save_timer(struct vcpu *v)
- if ( v->pause_flags & VPF_blocked )
- return;
-
-- spin_lock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_lock(v);
-
- list_for_each_entry ( pt, head, list )
- if ( !pt->do_not_freeze )
-@@ -227,7 +236,7 @@ void pt_save_timer(struct vcpu *v)
-
- pt_freeze_time(v);
-
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(v);
- }
-
- void pt_restore_timer(struct vcpu *v)
-@@ -235,7 +244,7 @@ void pt_restore_timer(struct vcpu *v)
- struct list_head *head = &v->arch.hvm.tm_list;
- struct periodic_time *pt;
-
-- spin_lock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_lock(v);
-
- list_for_each_entry ( pt, head, list )
- {
-@@ -248,7 +257,7 @@ void pt_restore_timer(struct vcpu *v)
-
- pt_thaw_time(v);
-
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(v);
- }
-
- static void pt_timer_fn(void *data)
-@@ -309,7 +318,7 @@ int pt_update_irq(struct vcpu *v)
- int irq, pt_vector = -1;
- bool level;
-
-- spin_lock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_lock(v);
-
- earliest_pt = NULL;
- max_lag = -1ULL;
-@@ -339,7 +348,7 @@ int pt_update_irq(struct vcpu *v)
-
- if ( earliest_pt == NULL )
- {
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(v);
- return -1;
- }
-
-@@ -347,7 +356,7 @@ int pt_update_irq(struct vcpu *v)
- irq = earliest_pt->irq;
- level = earliest_pt->level;
-
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(v);
-
- switch ( earliest_pt->source )
- {
-@@ -394,7 +403,7 @@ int pt_update_irq(struct vcpu *v)
- time_cb *cb = NULL;
- void *cb_priv;
-
-- spin_lock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_lock(v);
- /* Make sure the timer is still on the list. */
- list_for_each_entry ( pt, &v->arch.hvm.tm_list, list )
- if ( pt == earliest_pt )
-@@ -404,7 +413,7 @@ int pt_update_irq(struct vcpu *v)
- cb_priv = pt->priv;
- break;
- }
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(v);
-
- if ( cb != NULL )
- cb(v, cb_priv);
-@@ -441,12 +450,12 @@ void pt_intr_post(struct vcpu *v, struct
- if ( intack.source == hvm_intsrc_vector )
- return;
-
-- spin_lock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_lock(v);
-
- pt = is_pt_irq(v, intack);
- if ( pt == NULL )
- {
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(v);
- return;
- }
-
-@@ -455,7 +464,7 @@ void pt_intr_post(struct vcpu *v, struct
- cb = pt->cb;
- cb_priv = pt->priv;
-
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(v);
-
- if ( cb != NULL )
- cb(v, cb_priv);
-@@ -466,12 +475,12 @@ void pt_migrate(struct vcpu *v)
- struct list_head *head = &v->arch.hvm.tm_list;
- struct periodic_time *pt;
-
-- spin_lock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_lock(v);
-
- list_for_each_entry ( pt, head, list )
- migrate_timer(&pt->timer, v->processor);
-
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ pt_vcpu_unlock(v);
- }
-
- void create_periodic_time(
-@@ -490,7 +499,7 @@ void create_periodic_time(
-
- destroy_periodic_time(pt);
-
-- spin_lock(&v->arch.hvm.tm_lock);
-+ write_lock(&v->domain->arch.hvm.pl_time->pt_migrate);
-
- pt->pending_intr_nr = 0;
- pt->do_not_freeze = 0;
-@@ -540,7 +549,7 @@ void create_periodic_time(
- init_timer(&pt->timer, pt_timer_fn, pt, v->processor);
- set_timer(&pt->timer, pt->scheduled);
-
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ write_unlock(&v->domain->arch.hvm.pl_time->pt_migrate);
- }
-
- void destroy_periodic_time(struct periodic_time *pt)
-@@ -565,30 +574,20 @@ void destroy_periodic_time(struct period
-
- static void pt_adjust_vcpu(struct periodic_time *pt, struct vcpu *v)
- {
-- int on_list;
--
- ASSERT(pt->source == PTSRC_isa || pt->source == PTSRC_ioapic);
-
- if ( pt->vcpu == NULL )
- return;
-
-- pt_lock(pt);
-- on_list = pt->on_list;
-- if ( pt->on_list )
-- list_del(&pt->list);
-- pt->on_list = 0;
-- pt_unlock(pt);
--
-- spin_lock(&v->arch.hvm.tm_lock);
-+ write_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate);
- pt->vcpu = v;
-- if ( on_list )
-+ if ( pt->on_list )
- {
-- pt->on_list = 1;
-+ list_del(&pt->list);
- list_add(&pt->list, &v->arch.hvm.tm_list);
--
- migrate_timer(&pt->timer, v->processor);
- }
-- spin_unlock(&v->arch.hvm.tm_lock);
-+ write_unlock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate);
- }
-
- void pt_adjust_global_vcpu_target(struct vcpu *v)
---- a/xen/include/asm-x86/hvm/vpt.h
-+++ b/xen/include/asm-x86/hvm/vpt.h
-@@ -128,6 +128,13 @@ struct pl_time { /* platform time */
- struct RTCState vrtc;
- struct HPETState vhpet;
- struct PMTState vpmt;
-+ /*
-+ * rwlock to prevent periodic_time vCPU migration. Take the lock in read
-+ * mode in order to prevent the vcpu field of periodic_time from changing.
-+ * Lock must be taken in write mode when changes to the vcpu field are
-+ * performed, as it allows exclusive access to all the timers of a domain.
-+ */
-+ rwlock_t pt_migrate;
- /* guest_time = Xen sys time + stime_offset */
- int64_t stime_offset;
- /* Ensures monotonicity in appropriate timer modes. */
diff --git a/main/xen/xsa337-4.12-1.patch b/main/xen/xsa337-4.12-1.patch
deleted file mode 100644
index c8d3b1f4e24..00000000000
--- a/main/xen/xsa337-4.12-1.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From: Roger Pau Monné <roger.pau@citrix.com>
-Subject: x86/msi: get rid of read_msi_msg
-
-It's safer and faster to just use the cached last written
-(untranslated) MSI message stored in msi_desc for the single user that
-calls read_msi_msg.
-
-This also prevents relying on the data read from the device MSI
-registers in order to figure out the index into the IOMMU interrupt
-remapping table, which is not safe.
-
-This is part of XSA-337.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Requested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/msi.c
-+++ b/xen/arch/x86/msi.c
-@@ -192,59 +192,6 @@ void msi_compose_msg(unsigned vector, co
- MSI_DATA_VECTOR(vector);
- }
-
--static bool read_msi_msg(struct msi_desc *entry, struct msi_msg *msg)
--{
-- switch ( entry->msi_attrib.type )
-- {
-- case PCI_CAP_ID_MSI:
-- {
-- struct pci_dev *dev = entry->dev;
-- int pos = entry->msi_attrib.pos;
-- u16 data, seg = dev->seg;
-- u8 bus = dev->bus;
-- u8 slot = PCI_SLOT(dev->devfn);
-- u8 func = PCI_FUNC(dev->devfn);
--
-- msg->address_lo = pci_conf_read32(seg, bus, slot, func,
-- msi_lower_address_reg(pos));
-- if ( entry->msi_attrib.is_64 )
-- {
-- msg->address_hi = pci_conf_read32(seg, bus, slot, func,
-- msi_upper_address_reg(pos));
-- data = pci_conf_read16(seg, bus, slot, func,
-- msi_data_reg(pos, 1));
-- }
-- else
-- {
-- msg->address_hi = 0;
-- data = pci_conf_read16(seg, bus, slot, func,
-- msi_data_reg(pos, 0));
-- }
-- msg->data = data;
-- break;
-- }
-- case PCI_CAP_ID_MSIX:
-- {
-- void __iomem *base = entry->mask_base;
--
-- if ( unlikely(!msix_memory_decoded(entry->dev,
-- entry->msi_attrib.pos)) )
-- return false;
-- msg->address_lo = readl(base + PCI_MSIX_ENTRY_LOWER_ADDR_OFFSET);
-- msg->address_hi = readl(base + PCI_MSIX_ENTRY_UPPER_ADDR_OFFSET);
-- msg->data = readl(base + PCI_MSIX_ENTRY_DATA_OFFSET);
-- break;
-- }
-- default:
-- BUG();
-- }
--
-- if ( iommu_intremap )
-- iommu_read_msi_from_ire(entry, msg);
--
-- return true;
--}
--
- static int write_msi_msg(struct msi_desc *entry, struct msi_msg *msg)
- {
- entry->msg = *msg;
-@@ -322,10 +269,7 @@ void set_msi_affinity(struct irq_desc *d
-
- ASSERT(spin_is_locked(&desc->lock));
-
-- memset(&msg, 0, sizeof(msg));
-- if ( !read_msi_msg(msi_desc, &msg) )
-- return;
--
-+ msg = msi_desc->msg;
- msg.data &= ~MSI_DATA_VECTOR_MASK;
- msg.data |= MSI_DATA_VECTOR(desc->arch.vector);
- msg.address_lo &= ~MSI_ADDR_DEST_ID_MASK;
diff --git a/main/xen/xsa337-4.12-2.patch b/main/xen/xsa337-4.12-2.patch
deleted file mode 100644
index aa2fb57162c..00000000000
--- a/main/xen/xsa337-4.12-2.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/MSI-X: restrict reading of table/PBA bases from BARs
-
-When assigned to less trusted or un-trusted guests, devices may change
-state behind our backs (they may e.g. get reset by means we may not know
-about). Therefore we should avoid reading BARs from hardware once a
-device is no longer owned by Dom0. Furthermore when we can't read a BAR,
-or when we read zero, we shouldn't instead use the caller provided
-address unless that caller can be trusted.
-
-Re-arrange the logic in msix_capability_init() such that only Dom0 (and
-only if the device isn't DomU-owned yet) or calls through
-PHYSDEVOP_prepare_msix will actually result in the reading of the
-respective BAR register(s). Additionally do so only as long as in-use
-table entries are known (note that invocation of PHYSDEVOP_prepare_msix
-counts as a "pseudo" entry). In all other uses the value already
-recorded will get used instead.
-
-Clear the recorded values in _pci_cleanup_msix() as well as on the one
-affected error path. (Adjust this error path to also avoid blindly
-disabling MSI-X when it was enabled on entry to the function.)
-
-While moving around variable declarations (in many cases to reduce their
-scopes), also adjust some of their types.
-
-This is part of XSA-337.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-
---- a/xen/arch/x86/msi.c
-+++ b/xen/arch/x86/msi.c
-@@ -790,16 +790,14 @@ static int msix_capability_init(struct p
- {
- struct arch_msix *msix = dev->msix;
- struct msi_desc *entry = NULL;
-- int vf;
- u16 control;
- u64 table_paddr;
- u32 table_offset;
-- u8 bir, pbus, pslot, pfunc;
- u16 seg = dev->seg;
- u8 bus = dev->bus;
- u8 slot = PCI_SLOT(dev->devfn);
- u8 func = PCI_FUNC(dev->devfn);
-- bool maskall = msix->host_maskall;
-+ bool maskall = msix->host_maskall, zap_on_error = false;
-
- ASSERT(pcidevs_locked());
-
-@@ -837,43 +835,45 @@ static int msix_capability_init(struct p
- /* Locate MSI-X table region */
- table_offset = pci_conf_read32(seg, bus, slot, func,
- msix_table_offset_reg(pos));
-- bir = (u8)(table_offset & PCI_MSIX_BIRMASK);
-- table_offset &= ~PCI_MSIX_BIRMASK;
-+ if ( !msix->used_entries &&
-+ (!msi ||
-+ (is_hardware_domain(current->domain) &&
-+ (dev->domain == current->domain || dev->domain == dom_io))) )
-+ {
-+ unsigned int bir = table_offset & PCI_MSIX_BIRMASK, pbus, pslot, pfunc;
-+ int vf;
-+ paddr_t pba_paddr;
-+ unsigned int pba_offset;
-
-- if ( !dev->info.is_virtfn )
-- {
-- pbus = bus;
-- pslot = slot;
-- pfunc = func;
-- vf = -1;
-- }
-- else
-- {
-- pbus = dev->info.physfn.bus;
-- pslot = PCI_SLOT(dev->info.physfn.devfn);
-- pfunc = PCI_FUNC(dev->info.physfn.devfn);
-- vf = PCI_BDF2(dev->bus, dev->devfn);
-- }
--
-- table_paddr = read_pci_mem_bar(seg, pbus, pslot, pfunc, bir, vf);
-- WARN_ON(msi && msi->table_base != table_paddr);
-- if ( !table_paddr )
-- {
-- if ( !msi || !msi->table_base )
-+ if ( !dev->info.is_virtfn )
- {
-- pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos),
-- control & ~PCI_MSIX_FLAGS_ENABLE);
-- xfree(entry);
-- return -ENXIO;
-+ pbus = bus;
-+ pslot = slot;
-+ pfunc = func;
-+ vf = -1;
-+ }
-+ else
-+ {
-+ pbus = dev->info.physfn.bus;
-+ pslot = PCI_SLOT(dev->info.physfn.devfn);
-+ pfunc = PCI_FUNC(dev->info.physfn.devfn);
-+ vf = PCI_BDF2(dev->bus, dev->devfn);
- }
-- table_paddr = msi->table_base;
-- }
-- table_paddr += table_offset;
-
-- if ( !msix->used_entries )
-- {
-- u64 pba_paddr;
-- u32 pba_offset;
-+ table_paddr = read_pci_mem_bar(seg, pbus, pslot, pfunc, bir, vf);
-+ WARN_ON(msi && msi->table_base != table_paddr);
-+ if ( !table_paddr )
-+ {
-+ if ( !msi || !msi->table_base )
-+ {
-+ pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos),
-+ control & ~PCI_MSIX_FLAGS_ENABLE);
-+ xfree(entry);
-+ return -ENXIO;
-+ }
-+ table_paddr = msi->table_base;
-+ }
-+ table_paddr += table_offset & ~PCI_MSIX_BIRMASK;
-
- msix->nr_entries = nr_entries;
- msix->table.first = PFN_DOWN(table_paddr);
-@@ -894,7 +894,19 @@ static int msix_capability_init(struct p
- BITS_TO_LONGS(nr_entries) - 1);
- WARN_ON(rangeset_overlaps_range(mmio_ro_ranges, msix->pba.first,
- msix->pba.last));
-+
-+ zap_on_error = true;
- }
-+ else if ( !msix->table.first )
-+ {
-+ pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos),
-+ control);
-+ xfree(entry);
-+ return -ENODATA;
-+ }
-+ else
-+ table_paddr = (msix->table.first << PAGE_SHIFT) +
-+ (table_offset & ~PCI_MSIX_BIRMASK & ~PAGE_MASK);
-
- if ( entry )
- {
-@@ -905,8 +917,16 @@ static int msix_capability_init(struct p
-
- if ( idx < 0 )
- {
-+ if ( zap_on_error )
-+ {
-+ msix->table.first = 0;
-+ msix->pba.first = 0;
-+
-+ control &= ~PCI_MSIX_FLAGS_ENABLE;
-+ }
-+
- pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos),
-- control & ~PCI_MSIX_FLAGS_ENABLE);
-+ control);
- xfree(entry);
- return idx;
- }
-@@ -1102,9 +1122,14 @@ static void _pci_cleanup_msix(struct arc
- if ( rangeset_remove_range(mmio_ro_ranges, msix->table.first,
- msix->table.last) )
- WARN();
-+ msix->table.first = 0;
-+ msix->table.last = 0;
-+
- if ( rangeset_remove_range(mmio_ro_ranges, msix->pba.first,
- msix->pba.last) )
- WARN();
-+ msix->pba.first = 0;
-+ msix->pba.last = 0;
- }
- }
-
diff --git a/main/xen/xsa338.patch b/main/xen/xsa338.patch
deleted file mode 100644
index 776521990e7..00000000000
--- a/main/xen/xsa338.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: evtchn: relax port_is_valid()
-
-To avoid ports potentially becoming invalid behind the back of certain
-other functions (due to ->max_evtchn shrinking) because of
-- a guest invoking evtchn_reset() and from a 2nd vCPU opening new
- channels in parallel (see also XSA-343),
-- alloc_unbound_xen_event_channel() produced channels living above the
- 2-level range (see also XSA-342),
-drop the max_evtchns check from port_is_valid(). For a port for which
-the function once returned "true", the returned value may not turn into
-"false" later on. The function's result may only depend on bounds which
-can only ever grow (which is the case for d->valid_evtchns).
-
-This also eliminates a false sense of safety, utilized by some of the
-users (see again XSA-343): Without a suitable lock held, d->max_evtchns
-may change at any time, and hence deducing that certain other operations
-are safe when port_is_valid() returned true is not legitimate. The
-opportunities to abuse this may get widened by the change here
-(depending on guest and host configuration), but will be taken care of
-by the other XSA.
-
-This is XSA-338.
-
-Fixes: 48974e6ce52e ("evtchn: use a per-domain variable for the max number of event channels")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Reviewed-by: Julien Grall <jgrall@amazon.com>
----
-v5: New, split from larger patch.
-
---- a/xen/include/xen/event.h
-+++ b/xen/include/xen/event.h
-@@ -107,8 +107,6 @@ void notify_via_xen_event_channel(struct
-
- static inline bool_t port_is_valid(struct domain *d, unsigned int p)
- {
-- if ( p >= d->max_evtchns )
-- return 0;
- return p < read_atomic(&d->valid_evtchns);
- }
-
diff --git a/main/xen/xsa339.patch b/main/xen/xsa339.patch
deleted file mode 100644
index 3311ae093fd..00000000000
--- a/main/xen/xsa339.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/pv: Avoid double exception injection
-
-There is at least one path (SYSENTER with NT set, Xen converts to #GP) which
-ends up injecting the #GP fault twice, first in compat_sysenter(), and then a
-second time in compat_test_all_events(), due to the stale TBF_EXCEPTION left
-in TRAPBOUNCE_flags.
-
-The guest kernel sees the second fault first, which is a kernel level #GP
-pointing at the head of the #GP handler, and is therefore a userspace
-trigger-able DoS.
-
-This particular bug has bitten us several times before, so rearrange
-{compat_,}create_bounce_frame() to clobber TRAPBOUNCE on success, rather than
-leaving this task to one area of code which isn't used uniformly.
-
-Other scenarios which might result in a double injection (e.g. two calls
-directly to compat_create_bounce_frame) will now crash the guest, which is far
-more obvious than letting the kernel run with corrupt state.
-
-This is XSA-339
-
-Fixes: fdac9515607b ("x86: clear EFLAGS.NT in SYSENTER entry path")
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
-index c3e62f8734..73619f57ca 100644
---- a/xen/arch/x86/x86_64/compat/entry.S
-+++ b/xen/arch/x86/x86_64/compat/entry.S
-@@ -78,7 +78,6 @@ compat_process_softirqs:
- sti
- .Lcompat_bounce_exception:
- call compat_create_bounce_frame
-- movb $0, TRAPBOUNCE_flags(%rdx)
- jmp compat_test_all_events
-
- ALIGN
-@@ -352,7 +351,13 @@ __UNLIKELY_END(compat_bounce_null_selector)
- movl %eax,UREGS_cs+8(%rsp)
- movl TRAPBOUNCE_eip(%rdx),%eax
- movl %eax,UREGS_rip+8(%rsp)
-+
-+ /* Trapbounce complete. Clobber state to avoid an erroneous second injection. */
-+ xor %eax, %eax
-+ mov %ax, TRAPBOUNCE_cs(%rdx)
-+ mov %al, TRAPBOUNCE_flags(%rdx)
- ret
-+
- .section .fixup,"ax"
- .Lfx13:
- xorl %edi,%edi
-diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
-index 1e880eb9f6..71a00e846b 100644
---- a/xen/arch/x86/x86_64/entry.S
-+++ b/xen/arch/x86/x86_64/entry.S
-@@ -90,7 +90,6 @@ process_softirqs:
- sti
- .Lbounce_exception:
- call create_bounce_frame
-- movb $0, TRAPBOUNCE_flags(%rdx)
- jmp test_all_events
-
- ALIGN
-@@ -512,6 +511,11 @@ UNLIKELY_START(z, create_bounce_frame_bad_bounce_ip)
- jmp asm_domain_crash_synchronous /* Does not return */
- __UNLIKELY_END(create_bounce_frame_bad_bounce_ip)
- movq %rax,UREGS_rip+8(%rsp)
-+
-+ /* Trapbounce complete. Clobber state to avoid an erroneous second injection. */
-+ xor %eax, %eax
-+ mov %rax, TRAPBOUNCE_eip(%rdx)
-+ mov %al, TRAPBOUNCE_flags(%rdx)
- ret
-
- .pushsection .fixup, "ax", @progbits
diff --git a/main/xen/xsa340.patch b/main/xen/xsa340.patch
deleted file mode 100644
index 38d04da4650..00000000000
--- a/main/xen/xsa340.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From: Julien Grall <jgrall@amazon.com>
-Subject: xen/evtchn: Add missing barriers when accessing/allocating an event channel
-
-While the allocation of a bucket is always performed with the per-domain
-lock, the bucket may be accessed without the lock taken (for instance, see
-evtchn_send()).
-
-Instead such sites relies on port_is_valid() to return a non-zero value
-when the port has a struct evtchn associated to it. The function will
-mostly check whether the port is less than d->valid_evtchns as all the
-buckets/event channels should be allocated up to that point.
-
-Unfortunately a compiler is free to re-order the assignment in
-evtchn_allocate_port() so it would be possible to have d->valid_evtchns
-updated before the new bucket has finish to allocate.
-
-Additionally on Arm, even if this was compiled "correctly", the
-processor can still re-order the memory access.
-
-Add a write memory barrier in the allocation side and a read memory
-barrier when the port is valid to prevent any re-ordering issue.
-
-This is XSA-340.
-
-Reported-by: Julien Grall <jgrall@amazon.com>
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -178,6 +178,13 @@ int evtchn_allocate_port(struct domain *
- return -ENOMEM;
- bucket_from_port(d, port) = chn;
-
-+ /*
-+ * d->valid_evtchns is used to check whether the bucket can be
-+ * accessed without the per-domain lock. Therefore,
-+ * d->valid_evtchns should be seen *after* the new bucket has
-+ * been setup.
-+ */
-+ smp_wmb();
- write_atomic(&d->valid_evtchns, d->valid_evtchns + EVTCHNS_PER_BUCKET);
- }
-
---- a/xen/include/xen/event.h
-+++ b/xen/include/xen/event.h
-@@ -107,7 +107,17 @@ void notify_via_xen_event_channel(struct
-
- static inline bool_t port_is_valid(struct domain *d, unsigned int p)
- {
-- return p < read_atomic(&d->valid_evtchns);
-+ if ( p >= read_atomic(&d->valid_evtchns) )
-+ return false;
-+
-+ /*
-+ * The caller will usually access the event channel afterwards and
-+ * may be done without taking the per-domain lock. The barrier is
-+ * going in pair the smp_wmb() barrier in evtchn_allocate_port().
-+ */
-+ smp_rmb();
-+
-+ return true;
- }
-
- static inline struct evtchn *evtchn_from_port(struct domain *d, unsigned int p)
diff --git a/main/xen/xsa342-4.13.patch b/main/xen/xsa342-4.13.patch
deleted file mode 100644
index 334baf1b69c..00000000000
--- a/main/xen/xsa342-4.13.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: evtchn/x86: enforce correct upper limit for 32-bit guests
-
-The recording of d->max_evtchns in evtchn_2l_init(), in particular with
-the limited set of callers of the function, is insufficient. Neither for
-PV nor for HVM guests the bitness is known at domain_create() time, yet
-the upper bound in 2-level mode depends upon guest bitness. Recording
-too high a limit "allows" x86 32-bit domains to open not properly usable
-event channels, management of which (inside Xen) would then result in
-corruption of the shared info and vCPU info structures.
-
-Keep the upper limit dynamic for the 2-level case, introducing a helper
-function to retrieve the effective limit. This helper is now supposed to
-be private to the event channel code. The used in do_poll() and
-domain_dump_evtchn_info() weren't consistent with port uses elsewhere
-and hence get switched to port_is_valid().
-
-Furthermore FIFO mode's setup_ports() gets adjusted to loop only up to
-the prior ABI limit, rather than all the way up to the new one.
-
-Finally a word on the change to do_poll(): Accessing ->max_evtchns
-without holding a suitable lock was never safe, as it as well as
-->evtchn_port_ops may change behind do_poll()'s back. Using
-port_is_valid() instead widens some the window for potential abuse,
-until we've dealt with the race altogether (see XSA-343).
-
-This is XSA-342.
-
-Reported-by: Julien Grall <jgrall@amazon.com>
-Fixes: 48974e6ce52e ("evtchn: use a per-domain variable for the max number of event channels")
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Reviewed-by: Julien Grall <jgrall@amazon.com>
-
---- a/xen/common/event_2l.c
-+++ b/xen/common/event_2l.c
-@@ -103,7 +103,6 @@ static const struct evtchn_port_ops evtc
- void evtchn_2l_init(struct domain *d)
- {
- d->evtchn_port_ops = &evtchn_port_ops_2l;
-- d->max_evtchns = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
- }
-
- /*
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -151,7 +151,7 @@ static void free_evtchn_bucket(struct do
-
- int evtchn_allocate_port(struct domain *d, evtchn_port_t port)
- {
-- if ( port > d->max_evtchn_port || port >= d->max_evtchns )
-+ if ( port > d->max_evtchn_port || port >= max_evtchns(d) )
- return -ENOSPC;
-
- if ( port_is_valid(d, port) )
-@@ -1396,13 +1396,11 @@ static void domain_dump_evtchn_info(stru
-
- spin_lock(&d->event_lock);
-
-- for ( port = 1; port < d->max_evtchns; ++port )
-+ for ( port = 1; port_is_valid(d, port); ++port )
- {
- const struct evtchn *chn;
- char *ssid;
-
-- if ( !port_is_valid(d, port) )
-- continue;
- chn = evtchn_from_port(d, port);
- if ( chn->state == ECS_FREE )
- continue;
---- a/xen/common/event_fifo.c
-+++ b/xen/common/event_fifo.c
-@@ -478,7 +478,7 @@ static void cleanup_event_array(struct d
- d->evtchn_fifo = NULL;
- }
-
--static void setup_ports(struct domain *d)
-+static void setup_ports(struct domain *d, unsigned int prev_evtchns)
- {
- unsigned int port;
-
-@@ -488,7 +488,7 @@ static void setup_ports(struct domain *d
- * - save its pending state.
- * - set default priority.
- */
-- for ( port = 1; port < d->max_evtchns; port++ )
-+ for ( port = 1; port < prev_evtchns; port++ )
- {
- struct evtchn *evtchn;
-
-@@ -546,6 +546,8 @@ int evtchn_fifo_init_control(struct evtc
- if ( !d->evtchn_fifo )
- {
- struct vcpu *vcb;
-+ /* Latch the value before it changes during setup_event_array(). */
-+ unsigned int prev_evtchns = max_evtchns(d);
-
- for_each_vcpu ( d, vcb ) {
- rc = setup_control_block(vcb);
-@@ -562,8 +564,7 @@ int evtchn_fifo_init_control(struct evtc
- goto error;
-
- d->evtchn_port_ops = &evtchn_port_ops_fifo;
-- d->max_evtchns = EVTCHN_FIFO_NR_CHANNELS;
-- setup_ports(d);
-+ setup_ports(d, prev_evtchns);
- }
- else
- rc = map_control_block(v, gfn, offset);
---- a/xen/common/schedule.c
-+++ b/xen/common/schedule.c
-@@ -1434,7 +1434,7 @@ static long do_poll(struct sched_poll *s
- goto out;
-
- rc = -EINVAL;
-- if ( port >= d->max_evtchns )
-+ if ( !port_is_valid(d, port) )
- goto out;
-
- rc = 0;
---- a/xen/include/xen/event.h
-+++ b/xen/include/xen/event.h
-@@ -105,6 +105,12 @@ void notify_via_xen_event_channel(struct
- #define bucket_from_port(d, p) \
- ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET])
-
-+static inline unsigned int max_evtchns(const struct domain *d)
-+{
-+ return d->evtchn_fifo ? EVTCHN_FIFO_NR_CHANNELS
-+ : BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
-+}
-+
- static inline bool_t port_is_valid(struct domain *d, unsigned int p)
- {
- if ( p >= read_atomic(&d->valid_evtchns) )
---- a/xen/include/xen/sched.h
-+++ b/xen/include/xen/sched.h
-@@ -382,7 +382,6 @@ struct domain
- /* Event channel information. */
- struct evtchn *evtchn; /* first bucket only */
- struct evtchn **evtchn_group[NR_EVTCHN_GROUPS]; /* all other buckets */
-- unsigned int max_evtchns; /* number supported by ABI */
- unsigned int max_evtchn_port; /* max permitted port number */
- unsigned int valid_evtchns; /* number of allocated event channels */
- spinlock_t event_lock;
diff --git a/main/xen/xsa343-4.12-1.patch b/main/xen/xsa343-4.12-1.patch
deleted file mode 100644
index c164b62af2e..00000000000
--- a/main/xen/xsa343-4.12-1.patch
+++ /dev/null
@@ -1,190 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: evtchn: evtchn_reset() shouldn't succeed with still-open ports
-
-While the function closes all ports, it does so without holding any
-lock, and hence racing requests may be issued causing new ports to get
-opened. This would have been problematic in particular if such a newly
-opened port had a port number above the new implementation limit (i.e.
-when switching from FIFO to 2-level) after the reset, as prior to
-"evtchn: relax port_is_valid()" this could have led to e.g.
-evtchn_close()'s "BUG_ON(!port_is_valid(d2, port2))" to trigger.
-
-Introduce a counter of active ports and check that it's (still) no
-larger then the number of Xen internally used ones after obtaining the
-necessary lock in evtchn_reset().
-
-As to the access model of the new {active,xen}_evtchns fields - while
-all writes get done using write_atomic(), reads ought to use
-read_atomic() only when outside of a suitably locked region.
-
-Note that as of now evtchn_bind_virq() and evtchn_bind_ipi() don't have
-a need to call check_free_port().
-
-This is part of XSA-343.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Reviewed-by: Julien Grall <jgrall@amazon.com>
-
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -188,6 +188,8 @@ int evtchn_allocate_port(struct domain *
- write_atomic(&d->valid_evtchns, d->valid_evtchns + EVTCHNS_PER_BUCKET);
- }
-
-+ write_atomic(&d->active_evtchns, d->active_evtchns + 1);
-+
- return 0;
- }
-
-@@ -211,11 +213,26 @@ static int get_free_port(struct domain *
- return -ENOSPC;
- }
-
-+/*
-+ * Check whether a port is still marked free, and if so update the domain
-+ * counter accordingly. To be used on function exit paths.
-+ */
-+static void check_free_port(struct domain *d, evtchn_port_t port)
-+{
-+ if ( port_is_valid(d, port) &&
-+ evtchn_from_port(d, port)->state == ECS_FREE )
-+ write_atomic(&d->active_evtchns, d->active_evtchns - 1);
-+}
-+
- void evtchn_free(struct domain *d, struct evtchn *chn)
- {
- /* Clear pending event to avoid unexpected behavior on re-bind. */
- evtchn_port_clear_pending(d, chn);
-
-+ if ( consumer_is_xen(chn) )
-+ write_atomic(&d->xen_evtchns, d->xen_evtchns - 1);
-+ write_atomic(&d->active_evtchns, d->active_evtchns - 1);
-+
- /* Reset binding to vcpu0 when the channel is freed. */
- chn->state = ECS_FREE;
- chn->notify_vcpu_id = 0;
-@@ -258,6 +275,7 @@ static long evtchn_alloc_unbound(evtchn_
- alloc->port = port;
-
- out:
-+ check_free_port(d, port);
- spin_unlock(&d->event_lock);
- rcu_unlock_domain(d);
-
-@@ -351,6 +369,7 @@ static long evtchn_bind_interdomain(evtc
- bind->local_port = lport;
-
- out:
-+ check_free_port(ld, lport);
- spin_unlock(&ld->event_lock);
- if ( ld != rd )
- spin_unlock(&rd->event_lock);
-@@ -488,7 +507,7 @@ static long evtchn_bind_pirq(evtchn_bind
- struct domain *d = current->domain;
- struct vcpu *v = d->vcpu[0];
- struct pirq *info;
-- int port, pirq = bind->pirq;
-+ int port = 0, pirq = bind->pirq;
- long rc;
-
- if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
-@@ -536,6 +555,7 @@ static long evtchn_bind_pirq(evtchn_bind
- arch_evtchn_bind_pirq(d, pirq);
-
- out:
-+ check_free_port(d, port);
- spin_unlock(&d->event_lock);
-
- return rc;
-@@ -1011,10 +1031,10 @@ int evtchn_unmask(unsigned int port)
- return 0;
- }
-
--
- int evtchn_reset(struct domain *d)
- {
- unsigned int i;
-+ int rc = 0;
-
- if ( d != current->domain && !d->controller_pause_count )
- return -EINVAL;
-@@ -1024,7 +1044,9 @@ int evtchn_reset(struct domain *d)
-
- spin_lock(&d->event_lock);
-
-- if ( d->evtchn_fifo )
-+ if ( d->active_evtchns > d->xen_evtchns )
-+ rc = -EAGAIN;
-+ else if ( d->evtchn_fifo )
- {
- /* Switching back to 2-level ABI. */
- evtchn_fifo_destroy(d);
-@@ -1033,7 +1055,7 @@ int evtchn_reset(struct domain *d)
-
- spin_unlock(&d->event_lock);
-
-- return 0;
-+ return rc;
- }
-
- static long evtchn_set_priority(const struct evtchn_set_priority *set_priority)
-@@ -1219,10 +1241,9 @@ int alloc_unbound_xen_event_channel(
-
- spin_lock(&ld->event_lock);
-
-- rc = get_free_port(ld);
-+ port = rc = get_free_port(ld);
- if ( rc < 0 )
- goto out;
-- port = rc;
- chn = evtchn_from_port(ld, port);
-
- rc = xsm_evtchn_unbound(XSM_TARGET, ld, chn, remote_domid);
-@@ -1238,7 +1259,10 @@ int alloc_unbound_xen_event_channel(
-
- spin_unlock(&chn->lock);
-
-+ write_atomic(&ld->xen_evtchns, ld->xen_evtchns + 1);
-+
- out:
-+ check_free_port(ld, port);
- spin_unlock(&ld->event_lock);
-
- return rc < 0 ? rc : port;
-@@ -1314,6 +1338,7 @@ int evtchn_init(struct domain *d, unsign
- return -EINVAL;
- }
- evtchn_from_port(d, 0)->state = ECS_RESERVED;
-+ write_atomic(&d->active_evtchns, 0);
-
- #if MAX_VIRT_CPUS > BITS_PER_LONG
- d->poll_mask = xzalloc_array(unsigned long, BITS_TO_LONGS(d->max_vcpus));
-@@ -1340,6 +1365,8 @@ void evtchn_destroy(struct domain *d)
- for ( i = 0; port_is_valid(d, i); i++ )
- evtchn_close(d, i, 0);
-
-+ ASSERT(!d->active_evtchns);
-+
- clear_global_virq_handlers(d);
-
- evtchn_fifo_destroy(d);
---- a/xen/include/xen/sched.h
-+++ b/xen/include/xen/sched.h
-@@ -346,6 +346,16 @@ struct domain
- struct evtchn **evtchn_group[NR_EVTCHN_GROUPS]; /* all other buckets */
- unsigned int max_evtchn_port; /* max permitted port number */
- unsigned int valid_evtchns; /* number of allocated event channels */
-+ /*
-+ * Number of in-use event channels. Writers should use write_atomic().
-+ * Readers need to use read_atomic() only when not holding event_lock.
-+ */
-+ unsigned int active_evtchns;
-+ /*
-+ * Number of event channels used internally by Xen (not subject to
-+ * EVTCHNOP_reset). Read/write access like for active_evtchns.
-+ */
-+ unsigned int xen_evtchns;
- spinlock_t event_lock;
- const struct evtchn_port_ops *evtchn_port_ops;
- struct evtchn_fifo_domain *evtchn_fifo;
diff --git a/main/xen/xsa343-4.12-2.patch b/main/xen/xsa343-4.12-2.patch
deleted file mode 100644
index 6032d9163a3..00000000000
--- a/main/xen/xsa343-4.12-2.patch
+++ /dev/null
@@ -1,290 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: evtchn: convert per-channel lock to be IRQ-safe
-
-... in order for send_guest_{global,vcpu}_virq() to be able to make use
-of it.
-
-This is part of XSA-343.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Julien Grall <jgrall@amazon.com>
-
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -248,6 +248,7 @@ static long evtchn_alloc_unbound(evtchn_
- int port;
- domid_t dom = alloc->dom;
- long rc;
-+ unsigned long flags;
-
- d = rcu_lock_domain_by_any_id(dom);
- if ( d == NULL )
-@@ -263,14 +264,14 @@ static long evtchn_alloc_unbound(evtchn_
- if ( rc )
- goto out;
-
-- spin_lock(&chn->lock);
-+ spin_lock_irqsave(&chn->lock, flags);
-
- chn->state = ECS_UNBOUND;
- if ( (chn->u.unbound.remote_domid = alloc->remote_dom) == DOMID_SELF )
- chn->u.unbound.remote_domid = current->domain->domain_id;
- evtchn_port_init(d, chn);
-
-- spin_unlock(&chn->lock);
-+ spin_unlock_irqrestore(&chn->lock, flags);
-
- alloc->port = port;
-
-@@ -283,26 +284,32 @@ static long evtchn_alloc_unbound(evtchn_
- }
-
-
--static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn)
-+static unsigned long double_evtchn_lock(struct evtchn *lchn,
-+ struct evtchn *rchn)
- {
-- if ( lchn < rchn )
-+ unsigned long flags;
-+
-+ if ( lchn <= rchn )
- {
-- spin_lock(&lchn->lock);
-- spin_lock(&rchn->lock);
-+ spin_lock_irqsave(&lchn->lock, flags);
-+ if ( lchn != rchn )
-+ spin_lock(&rchn->lock);
- }
- else
- {
-- if ( lchn != rchn )
-- spin_lock(&rchn->lock);
-+ spin_lock_irqsave(&rchn->lock, flags);
- spin_lock(&lchn->lock);
- }
-+
-+ return flags;
- }
-
--static void double_evtchn_unlock(struct evtchn *lchn, struct evtchn *rchn)
-+static void double_evtchn_unlock(struct evtchn *lchn, struct evtchn *rchn,
-+ unsigned long flags)
- {
-- spin_unlock(&lchn->lock);
- if ( lchn != rchn )
-- spin_unlock(&rchn->lock);
-+ spin_unlock(&lchn->lock);
-+ spin_unlock_irqrestore(&rchn->lock, flags);
- }
-
- static long evtchn_bind_interdomain(evtchn_bind_interdomain_t *bind)
-@@ -312,6 +319,7 @@ static long evtchn_bind_interdomain(evtc
- int lport, rport = bind->remote_port;
- domid_t rdom = bind->remote_dom;
- long rc;
-+ unsigned long flags;
-
- if ( rdom == DOMID_SELF )
- rdom = current->domain->domain_id;
-@@ -347,7 +355,7 @@ static long evtchn_bind_interdomain(evtc
- if ( rc )
- goto out;
-
-- double_evtchn_lock(lchn, rchn);
-+ flags = double_evtchn_lock(lchn, rchn);
-
- lchn->u.interdomain.remote_dom = rd;
- lchn->u.interdomain.remote_port = rport;
-@@ -364,7 +372,7 @@ static long evtchn_bind_interdomain(evtc
- */
- evtchn_port_set_pending(ld, lchn->notify_vcpu_id, lchn);
-
-- double_evtchn_unlock(lchn, rchn);
-+ double_evtchn_unlock(lchn, rchn, flags);
-
- bind->local_port = lport;
-
-@@ -387,6 +395,7 @@ int evtchn_bind_virq(evtchn_bind_virq_t
- struct domain *d = current->domain;
- int virq = bind->virq, vcpu = bind->vcpu;
- int rc = 0;
-+ unsigned long flags;
-
- if ( (virq < 0) || (virq >= ARRAY_SIZE(v->virq_to_evtchn)) )
- return -EINVAL;
-@@ -424,14 +433,14 @@ int evtchn_bind_virq(evtchn_bind_virq_t
-
- chn = evtchn_from_port(d, port);
-
-- spin_lock(&chn->lock);
-+ spin_lock_irqsave(&chn->lock, flags);
-
- chn->state = ECS_VIRQ;
- chn->notify_vcpu_id = vcpu;
- chn->u.virq = virq;
- evtchn_port_init(d, chn);
-
-- spin_unlock(&chn->lock);
-+ spin_unlock_irqrestore(&chn->lock, flags);
-
- v->virq_to_evtchn[virq] = bind->port = port;
-
-@@ -448,6 +457,7 @@ static long evtchn_bind_ipi(evtchn_bind_
- struct domain *d = current->domain;
- int port, vcpu = bind->vcpu;
- long rc = 0;
-+ unsigned long flags;
-
- if ( domain_vcpu(d, vcpu) == NULL )
- return -ENOENT;
-@@ -459,13 +469,13 @@ static long evtchn_bind_ipi(evtchn_bind_
-
- chn = evtchn_from_port(d, port);
-
-- spin_lock(&chn->lock);
-+ spin_lock_irqsave(&chn->lock, flags);
-
- chn->state = ECS_IPI;
- chn->notify_vcpu_id = vcpu;
- evtchn_port_init(d, chn);
-
-- spin_unlock(&chn->lock);
-+ spin_unlock_irqrestore(&chn->lock, flags);
-
- bind->port = port;
-
-@@ -509,6 +519,7 @@ static long evtchn_bind_pirq(evtchn_bind
- struct pirq *info;
- int port = 0, pirq = bind->pirq;
- long rc;
-+ unsigned long flags;
-
- if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
- return -EINVAL;
-@@ -541,14 +552,14 @@ static long evtchn_bind_pirq(evtchn_bind
- goto out;
- }
-
-- spin_lock(&chn->lock);
-+ spin_lock_irqsave(&chn->lock, flags);
-
- chn->state = ECS_PIRQ;
- chn->u.pirq.irq = pirq;
- link_pirq_port(port, chn, v);
- evtchn_port_init(d, chn);
-
-- spin_unlock(&chn->lock);
-+ spin_unlock_irqrestore(&chn->lock, flags);
-
- bind->port = port;
-
-@@ -569,6 +580,7 @@ int evtchn_close(struct domain *d1, int
- struct evtchn *chn1, *chn2;
- int port2;
- long rc = 0;
-+ unsigned long flags;
-
- again:
- spin_lock(&d1->event_lock);
-@@ -668,14 +680,14 @@ int evtchn_close(struct domain *d1, int
- BUG_ON(chn2->state != ECS_INTERDOMAIN);
- BUG_ON(chn2->u.interdomain.remote_dom != d1);
-
-- double_evtchn_lock(chn1, chn2);
-+ flags = double_evtchn_lock(chn1, chn2);
-
- evtchn_free(d1, chn1);
-
- chn2->state = ECS_UNBOUND;
- chn2->u.unbound.remote_domid = d1->domain_id;
-
-- double_evtchn_unlock(chn1, chn2);
-+ double_evtchn_unlock(chn1, chn2, flags);
-
- goto out;
-
-@@ -683,9 +695,9 @@ int evtchn_close(struct domain *d1, int
- BUG();
- }
-
-- spin_lock(&chn1->lock);
-+ spin_lock_irqsave(&chn1->lock, flags);
- evtchn_free(d1, chn1);
-- spin_unlock(&chn1->lock);
-+ spin_unlock_irqrestore(&chn1->lock, flags);
-
- out:
- if ( d2 != NULL )
-@@ -705,13 +717,14 @@ int evtchn_send(struct domain *ld, unsig
- struct evtchn *lchn, *rchn;
- struct domain *rd;
- int rport, ret = 0;
-+ unsigned long flags;
-
- if ( !port_is_valid(ld, lport) )
- return -EINVAL;
-
- lchn = evtchn_from_port(ld, lport);
-
-- spin_lock(&lchn->lock);
-+ spin_lock_irqsave(&lchn->lock, flags);
-
- /* Guest cannot send via a Xen-attached event channel. */
- if ( unlikely(consumer_is_xen(lchn)) )
-@@ -746,7 +759,7 @@ int evtchn_send(struct domain *ld, unsig
- }
-
- out:
-- spin_unlock(&lchn->lock);
-+ spin_unlock_irqrestore(&lchn->lock, flags);
-
- return ret;
- }
-@@ -1238,6 +1251,7 @@ int alloc_unbound_xen_event_channel(
- {
- struct evtchn *chn;
- int port, rc;
-+ unsigned long flags;
-
- spin_lock(&ld->event_lock);
-
-@@ -1250,14 +1264,14 @@ int alloc_unbound_xen_event_channel(
- if ( rc )
- goto out;
-
-- spin_lock(&chn->lock);
-+ spin_lock_irqsave(&chn->lock, flags);
-
- chn->state = ECS_UNBOUND;
- chn->xen_consumer = get_xen_consumer(notification_fn);
- chn->notify_vcpu_id = lvcpu;
- chn->u.unbound.remote_domid = remote_domid;
-
-- spin_unlock(&chn->lock);
-+ spin_unlock_irqrestore(&chn->lock, flags);
-
- write_atomic(&ld->xen_evtchns, ld->xen_evtchns + 1);
-
-@@ -1280,11 +1294,12 @@ void notify_via_xen_event_channel(struct
- {
- struct evtchn *lchn, *rchn;
- struct domain *rd;
-+ unsigned long flags;
-
- ASSERT(port_is_valid(ld, lport));
- lchn = evtchn_from_port(ld, lport);
-
-- spin_lock(&lchn->lock);
-+ spin_lock_irqsave(&lchn->lock, flags);
-
- if ( likely(lchn->state == ECS_INTERDOMAIN) )
- {
-@@ -1294,7 +1309,7 @@ void notify_via_xen_event_channel(struct
- evtchn_port_set_pending(rd, rchn->notify_vcpu_id, rchn);
- }
-
-- spin_unlock(&lchn->lock);
-+ spin_unlock_irqrestore(&lchn->lock, flags);
- }
-
- void evtchn_check_pollers(struct domain *d, unsigned int port)
diff --git a/main/xen/xsa343-4.12-3.patch b/main/xen/xsa343-4.12-3.patch
deleted file mode 100644
index fb1751d74dd..00000000000
--- a/main/xen/xsa343-4.12-3.patch
+++ /dev/null
@@ -1,381 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: evtchn: address races with evtchn_reset()
-
-Neither d->evtchn_port_ops nor max_evtchns(d) may be used in an entirely
-lock-less manner, as both may change by a racing evtchn_reset(). In the
-common case, at least one of the domain's event lock or the per-channel
-lock needs to be held. In the specific case of the inter-domain sending
-by evtchn_send() and notify_via_xen_event_channel() holding the other
-side's per-channel lock is sufficient, as the channel can't change state
-without both per-channel locks held. Without such a channel changing
-state, evtchn_reset() can't complete successfully.
-
-Lock-free accesses continue to be permitted for the shim (calling some
-otherwise internal event channel functions), as this happens while the
-domain is in effectively single-threaded mode. Special care also needs
-taking for the shim's marking of in-use ports as ECS_RESERVED (allowing
-use of such ports in the shim case is okay because switching into and
-hence also out of FIFO mode is impossible there).
-
-As a side effect, certain operations on Xen bound event channels which
-were mistakenly permitted so far (e.g. unmask or poll) will be refused
-now.
-
-This is part of XSA-343.
-
-Reported-by: Julien Grall <jgrall@amazon.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Julien Grall <jgrall@amazon.com>
-
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-@@ -2364,14 +2364,24 @@ static void dump_irqs(unsigned char key)
-
- for ( i = 0; i < action->nr_guests; i++ )
- {
-+ struct evtchn *evtchn;
-+ unsigned int pending = 2, masked = 2;
-+
- d = action->guest[i];
- pirq = domain_irq_to_pirq(d, irq);
- info = pirq_info(d, pirq);
-+ evtchn = evtchn_from_port(d, info->evtchn);
-+ local_irq_disable();
-+ if ( spin_trylock(&evtchn->lock) )
-+ {
-+ pending = evtchn_is_pending(d, evtchn);
-+ masked = evtchn_is_masked(d, evtchn);
-+ spin_unlock(&evtchn->lock);
-+ }
-+ local_irq_enable();
- printk("%u:%3d(%c%c%c)",
-- d->domain_id, pirq,
-- evtchn_port_is_pending(d, info->evtchn) ? 'P' : '-',
-- evtchn_port_is_masked(d, info->evtchn) ? 'M' : '-',
-- (info->masked ? 'M' : '-'));
-+ d->domain_id, pirq, "-P?"[pending],
-+ "-M?"[masked], info->masked ? 'M' : '-');
- if ( i != action->nr_guests )
- printk(",");
- }
---- a/xen/arch/x86/pv/shim.c
-+++ b/xen/arch/x86/pv/shim.c
-@@ -662,8 +662,11 @@ void pv_shim_inject_evtchn(unsigned int
- if ( port_is_valid(guest, port) )
- {
- struct evtchn *chn = evtchn_from_port(guest, port);
-+ unsigned long flags;
-
-+ spin_lock_irqsave(&chn->lock, flags);
- evtchn_port_set_pending(guest, chn->notify_vcpu_id, chn);
-+ spin_unlock_irqrestore(&chn->lock, flags);
- }
- }
-
---- a/xen/common/event_2l.c
-+++ b/xen/common/event_2l.c
-@@ -63,8 +63,10 @@ static void evtchn_2l_unmask(struct doma
- }
- }
-
--static bool evtchn_2l_is_pending(const struct domain *d, evtchn_port_t port)
-+static bool evtchn_2l_is_pending(const struct domain *d,
-+ const struct evtchn *evtchn)
- {
-+ evtchn_port_t port = evtchn->port;
- unsigned int max_ports = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
-
- ASSERT(port < max_ports);
-@@ -72,8 +74,10 @@ static bool evtchn_2l_is_pending(const s
- guest_test_bit(d, port, &shared_info(d, evtchn_pending)));
- }
-
--static bool evtchn_2l_is_masked(const struct domain *d, evtchn_port_t port)
-+static bool evtchn_2l_is_masked(const struct domain *d,
-+ const struct evtchn *evtchn)
- {
-+ evtchn_port_t port = evtchn->port;
- unsigned int max_ports = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
-
- ASSERT(port < max_ports);
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -156,8 +156,9 @@ int evtchn_allocate_port(struct domain *
-
- if ( port_is_valid(d, port) )
- {
-- if ( evtchn_from_port(d, port)->state != ECS_FREE ||
-- evtchn_port_is_busy(d, port) )
-+ const struct evtchn *chn = evtchn_from_port(d, port);
-+
-+ if ( chn->state != ECS_FREE || evtchn_is_busy(d, chn) )
- return -EBUSY;
- }
- else
-@@ -774,6 +775,7 @@ void send_guest_vcpu_virq(struct vcpu *v
- unsigned long flags;
- int port;
- struct domain *d;
-+ struct evtchn *chn;
-
- ASSERT(!virq_is_global(virq));
-
-@@ -784,7 +786,10 @@ void send_guest_vcpu_virq(struct vcpu *v
- goto out;
-
- d = v->domain;
-- evtchn_port_set_pending(d, v->vcpu_id, evtchn_from_port(d, port));
-+ chn = evtchn_from_port(d, port);
-+ spin_lock(&chn->lock);
-+ evtchn_port_set_pending(d, v->vcpu_id, chn);
-+ spin_unlock(&chn->lock);
-
- out:
- spin_unlock_irqrestore(&v->virq_lock, flags);
-@@ -813,7 +818,9 @@ void send_guest_global_virq(struct domai
- goto out;
-
- chn = evtchn_from_port(d, port);
-+ spin_lock(&chn->lock);
- evtchn_port_set_pending(d, chn->notify_vcpu_id, chn);
-+ spin_unlock(&chn->lock);
-
- out:
- spin_unlock_irqrestore(&v->virq_lock, flags);
-@@ -823,6 +830,7 @@ void send_guest_pirq(struct domain *d, c
- {
- int port;
- struct evtchn *chn;
-+ unsigned long flags;
-
- /*
- * PV guests: It should not be possible to race with __evtchn_close(). The
-@@ -837,7 +845,9 @@ void send_guest_pirq(struct domain *d, c
- }
-
- chn = evtchn_from_port(d, port);
-+ spin_lock_irqsave(&chn->lock, flags);
- evtchn_port_set_pending(d, chn->notify_vcpu_id, chn);
-+ spin_unlock_irqrestore(&chn->lock, flags);
- }
-
- static struct domain *global_virq_handlers[NR_VIRQS] __read_mostly;
-@@ -1034,12 +1044,15 @@ int evtchn_unmask(unsigned int port)
- {
- struct domain *d = current->domain;
- struct evtchn *evtchn;
-+ unsigned long flags;
-
- if ( unlikely(!port_is_valid(d, port)) )
- return -EINVAL;
-
- evtchn = evtchn_from_port(d, port);
-+ spin_lock_irqsave(&evtchn->lock, flags);
- evtchn_port_unmask(d, evtchn);
-+ spin_unlock_irqrestore(&evtchn->lock, flags);
-
- return 0;
- }
-@@ -1449,8 +1462,8 @@ static void domain_dump_evtchn_info(stru
-
- printk(" %4u [%d/%d/",
- port,
-- evtchn_port_is_pending(d, port),
-- evtchn_port_is_masked(d, port));
-+ evtchn_is_pending(d, chn),
-+ evtchn_is_masked(d, chn));
- evtchn_port_print_state(d, chn);
- printk("]: s=%d n=%d x=%d",
- chn->state, chn->notify_vcpu_id, chn->xen_consumer);
---- a/xen/common/event_fifo.c
-+++ b/xen/common/event_fifo.c
-@@ -296,23 +296,26 @@ static void evtchn_fifo_unmask(struct do
- evtchn_fifo_set_pending(v, evtchn);
- }
-
--static bool evtchn_fifo_is_pending(const struct domain *d, evtchn_port_t port)
-+static bool evtchn_fifo_is_pending(const struct domain *d,
-+ const struct evtchn *evtchn)
- {
-- const event_word_t *word = evtchn_fifo_word_from_port(d, port);
-+ const event_word_t *word = evtchn_fifo_word_from_port(d, evtchn->port);
-
- return word && guest_test_bit(d, EVTCHN_FIFO_PENDING, word);
- }
-
--static bool_t evtchn_fifo_is_masked(const struct domain *d, evtchn_port_t port)
-+static bool_t evtchn_fifo_is_masked(const struct domain *d,
-+ const struct evtchn *evtchn)
- {
-- const event_word_t *word = evtchn_fifo_word_from_port(d, port);
-+ const event_word_t *word = evtchn_fifo_word_from_port(d, evtchn->port);
-
- return !word || guest_test_bit(d, EVTCHN_FIFO_MASKED, word);
- }
-
--static bool_t evtchn_fifo_is_busy(const struct domain *d, evtchn_port_t port)
-+static bool_t evtchn_fifo_is_busy(const struct domain *d,
-+ const struct evtchn *evtchn)
- {
-- const event_word_t *word = evtchn_fifo_word_from_port(d, port);
-+ const event_word_t *word = evtchn_fifo_word_from_port(d, evtchn->port);
-
- return word && guest_test_bit(d, EVTCHN_FIFO_LINKED, word);
- }
---- a/xen/include/asm-x86/event.h
-+++ b/xen/include/asm-x86/event.h
-@@ -47,4 +47,10 @@ static inline bool arch_virq_is_global(u
- return true;
- }
-
-+#ifdef CONFIG_PV_SHIM
-+# include <asm/pv/shim.h>
-+# define arch_evtchn_is_special(chn) \
-+ (pv_shim && (chn)->port && (chn)->state == ECS_RESERVED)
-+#endif
-+
- #endif
---- a/xen/include/xen/event.h
-+++ b/xen/include/xen/event.h
-@@ -133,6 +133,24 @@ static inline struct evtchn *evtchn_from
- return bucket_from_port(d, p) + (p % EVTCHNS_PER_BUCKET);
- }
-
-+/*
-+ * "usable" as in "by a guest", i.e. Xen consumed channels are assumed to be
-+ * taken care of separately where used for Xen's internal purposes.
-+ */
-+static bool evtchn_usable(const struct evtchn *evtchn)
-+{
-+ if ( evtchn->xen_consumer )
-+ return false;
-+
-+#ifdef arch_evtchn_is_special
-+ if ( arch_evtchn_is_special(evtchn) )
-+ return true;
-+#endif
-+
-+ BUILD_BUG_ON(ECS_FREE > ECS_RESERVED);
-+ return evtchn->state > ECS_RESERVED;
-+}
-+
- /* Wait on a Xen-attached event channel. */
- #define wait_on_xen_event_channel(port, condition) \
- do { \
-@@ -165,19 +183,24 @@ int evtchn_reset(struct domain *d);
-
- /*
- * Low-level event channel port ops.
-+ *
-+ * All hooks have to be called with a lock held which prevents the channel
-+ * from changing state. This may be the domain event lock, the per-channel
-+ * lock, or in the case of sending interdomain events also the other side's
-+ * per-channel lock. Exceptions apply in certain cases for the PV shim.
- */
- struct evtchn_port_ops {
- void (*init)(struct domain *d, struct evtchn *evtchn);
- void (*set_pending)(struct vcpu *v, struct evtchn *evtchn);
- void (*clear_pending)(struct domain *d, struct evtchn *evtchn);
- void (*unmask)(struct domain *d, struct evtchn *evtchn);
-- bool (*is_pending)(const struct domain *d, evtchn_port_t port);
-- bool (*is_masked)(const struct domain *d, evtchn_port_t port);
-+ bool (*is_pending)(const struct domain *d, const struct evtchn *evtchn);
-+ bool (*is_masked)(const struct domain *d, const struct evtchn *evtchn);
- /*
- * Is the port unavailable because it's still being cleaned up
- * after being closed?
- */
-- bool (*is_busy)(const struct domain *d, evtchn_port_t port);
-+ bool (*is_busy)(const struct domain *d, const struct evtchn *evtchn);
- int (*set_priority)(struct domain *d, struct evtchn *evtchn,
- unsigned int priority);
- void (*print_state)(struct domain *d, const struct evtchn *evtchn);
-@@ -193,38 +216,67 @@ static inline void evtchn_port_set_pendi
- unsigned int vcpu_id,
- struct evtchn *evtchn)
- {
-- d->evtchn_port_ops->set_pending(d->vcpu[vcpu_id], evtchn);
-+ if ( evtchn_usable(evtchn) )
-+ d->evtchn_port_ops->set_pending(d->vcpu[vcpu_id], evtchn);
- }
-
- static inline void evtchn_port_clear_pending(struct domain *d,
- struct evtchn *evtchn)
- {
-- d->evtchn_port_ops->clear_pending(d, evtchn);
-+ if ( evtchn_usable(evtchn) )
-+ d->evtchn_port_ops->clear_pending(d, evtchn);
- }
-
- static inline void evtchn_port_unmask(struct domain *d,
- struct evtchn *evtchn)
- {
-- d->evtchn_port_ops->unmask(d, evtchn);
-+ if ( evtchn_usable(evtchn) )
-+ d->evtchn_port_ops->unmask(d, evtchn);
- }
-
--static inline bool evtchn_port_is_pending(const struct domain *d,
-- evtchn_port_t port)
-+static inline bool evtchn_is_pending(const struct domain *d,
-+ const struct evtchn *evtchn)
- {
-- return d->evtchn_port_ops->is_pending(d, port);
-+ return evtchn_usable(evtchn) && d->evtchn_port_ops->is_pending(d, evtchn);
- }
-
--static inline bool evtchn_port_is_masked(const struct domain *d,
-- evtchn_port_t port)
-+static inline bool evtchn_port_is_pending(struct domain *d, evtchn_port_t port)
- {
-- return d->evtchn_port_ops->is_masked(d, port);
-+ struct evtchn *evtchn = evtchn_from_port(d, port);
-+ bool rc;
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&evtchn->lock, flags);
-+ rc = evtchn_is_pending(d, evtchn);
-+ spin_unlock_irqrestore(&evtchn->lock, flags);
-+
-+ return rc;
-+}
-+
-+static inline bool evtchn_is_masked(const struct domain *d,
-+ const struct evtchn *evtchn)
-+{
-+ return !evtchn_usable(evtchn) || d->evtchn_port_ops->is_masked(d, evtchn);
-+}
-+
-+static inline bool evtchn_port_is_masked(struct domain *d, evtchn_port_t port)
-+{
-+ struct evtchn *evtchn = evtchn_from_port(d, port);
-+ bool rc;
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&evtchn->lock, flags);
-+ rc = evtchn_is_masked(d, evtchn);
-+ spin_unlock_irqrestore(&evtchn->lock, flags);
-+
-+ return rc;
- }
-
--static inline bool evtchn_port_is_busy(const struct domain *d,
-- evtchn_port_t port)
-+static inline bool evtchn_is_busy(const struct domain *d,
-+ const struct evtchn *evtchn)
- {
- return d->evtchn_port_ops->is_busy &&
-- d->evtchn_port_ops->is_busy(d, port);
-+ d->evtchn_port_ops->is_busy(d, evtchn);
- }
-
- static inline int evtchn_port_set_priority(struct domain *d,
-@@ -233,6 +285,8 @@ static inline int evtchn_port_set_priori
- {
- if ( !d->evtchn_port_ops->set_priority )
- return -ENOSYS;
-+ if ( !evtchn_usable(evtchn) )
-+ return -EACCES;
- return d->evtchn_port_ops->set_priority(d, evtchn, priority);
- }
-
diff --git a/main/xen/xsa344-4.12-1.patch b/main/xen/xsa344-4.12-1.patch
deleted file mode 100644
index ef78c83cf98..00000000000
--- a/main/xen/xsa344-4.12-1.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: evtchn: arrange for preemption in evtchn_destroy()
-
-Especially closing of fully established interdomain channels can take
-quite some time, due to the locking involved. Therefore we shouldn't
-assume we can clean up still active ports all in one go. Besides adding
-the necessary preemption check, also avoid pointlessly starting from
-(or now really ending at) 0; 1 is the lowest numbered port which may
-need closing.
-
-Since we're now reducing ->valid_evtchns, free_xen_event_channel(),
-and (at least to be on the safe side) notify_via_xen_event_channel()
-need to cope with attempts to close / unbind from / send through already
-closed (and no longer valid, as per port_is_valid()) ports.
-
-This is part of XSA-344.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-@@ -724,7 +724,6 @@ int domain_kill(struct domain *d)
- return domain_kill(d);
- d->is_dying = DOMDYING_dying;
- argo_destroy(d);
-- evtchn_destroy(d);
- gnttab_release_mappings(d);
- tmem_destroy(d->tmem_client);
- vnuma_destroy(d->vnuma);
-@@ -732,6 +731,9 @@ int domain_kill(struct domain *d)
- d->tmem_client = NULL;
- /* fallthrough */
- case DOMDYING_dying:
-+ rc = evtchn_destroy(d);
-+ if ( rc )
-+ break;
- rc = domain_relinquish_resources(d);
- if ( rc != 0 )
- break;
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -1297,7 +1297,16 @@ int alloc_unbound_xen_event_channel(
-
- void free_xen_event_channel(struct domain *d, int port)
- {
-- BUG_ON(!port_is_valid(d, port));
-+ if ( !port_is_valid(d, port) )
-+ {
-+ /*
-+ * Make sure ->is_dying is read /after/ ->valid_evtchns, pairing
-+ * with the spin_barrier() and BUG_ON() in evtchn_destroy().
-+ */
-+ smp_rmb();
-+ BUG_ON(!d->is_dying);
-+ return;
-+ }
-
- evtchn_close(d, port, 0);
- }
-@@ -1309,7 +1318,17 @@ void notify_via_xen_event_channel(struct
- struct domain *rd;
- unsigned long flags;
-
-- ASSERT(port_is_valid(ld, lport));
-+ if ( !port_is_valid(ld, lport) )
-+ {
-+ /*
-+ * Make sure ->is_dying is read /after/ ->valid_evtchns, pairing
-+ * with the spin_barrier() and BUG_ON() in evtchn_destroy().
-+ */
-+ smp_rmb();
-+ ASSERT(ld->is_dying);
-+ return;
-+ }
-+
- lchn = evtchn_from_port(ld, lport);
-
- spin_lock_irqsave(&lchn->lock, flags);
-@@ -1380,8 +1399,7 @@ int evtchn_init(struct domain *d, unsign
- return 0;
- }
-
--
--void evtchn_destroy(struct domain *d)
-+int evtchn_destroy(struct domain *d)
- {
- unsigned int i;
-
-@@ -1390,14 +1408,29 @@ void evtchn_destroy(struct domain *d)
- spin_barrier(&d->event_lock);
-
- /* Close all existing event channels. */
-- for ( i = 0; port_is_valid(d, i); i++ )
-+ for ( i = d->valid_evtchns; --i; )
-+ {
- evtchn_close(d, i, 0);
-
-+ /*
-+ * Avoid preempting when called from domain_create()'s error path,
-+ * and don't check too often (choice of frequency is arbitrary).
-+ */
-+ if ( i && !(i & 0x3f) && d->is_dying != DOMDYING_dead &&
-+ hypercall_preempt_check() )
-+ {
-+ write_atomic(&d->valid_evtchns, i);
-+ return -ERESTART;
-+ }
-+ }
-+
- ASSERT(!d->active_evtchns);
-
- clear_global_virq_handlers(d);
-
- evtchn_fifo_destroy(d);
-+
-+ return 0;
- }
-
-
---- a/xen/include/xen/sched.h
-+++ b/xen/include/xen/sched.h
-@@ -136,7 +136,7 @@ struct evtchn
- } __attribute__((aligned(64)));
-
- int evtchn_init(struct domain *d, unsigned int max_port);
--void evtchn_destroy(struct domain *d); /* from domain_kill */
-+int evtchn_destroy(struct domain *d); /* from domain_kill */
- void evtchn_destroy_final(struct domain *d); /* from complete_domain_destroy */
-
- struct waitqueue_vcpu;
diff --git a/main/xen/xsa344-4.12-2.patch b/main/xen/xsa344-4.12-2.patch
deleted file mode 100644
index eda4cac321a..00000000000
--- a/main/xen/xsa344-4.12-2.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: evtchn: arrange for preemption in evtchn_reset()
-
-Like for evtchn_destroy() looping over all possible event channels to
-close them can take a significant amount of time. Unlike done there, we
-can't alter domain properties (i.e. d->valid_evtchns) here. Borrow, in a
-lightweight form, the paging domctl continuation concept, redirecting
-the continuations to different sub-ops. Just like there this is to be
-able to allow for predictable overall results of the involved sub-ops:
-Racing requests should either complete or be refused.
-
-Note that a domain can't interfere with an already started (by a remote
-domain) reset, due to being paused. It can prevent a remote reset from
-happening by leaving a reset unfinished, but that's only going to affect
-itself.
-
-This is part of XSA-344.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Julien Grall <jgrall@amazon.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-@@ -1170,7 +1170,7 @@ void domain_unpause_except_self(struct d
- domain_unpause(d);
- }
-
--int domain_soft_reset(struct domain *d)
-+int domain_soft_reset(struct domain *d, bool resuming)
- {
- struct vcpu *v;
- int rc;
-@@ -1184,7 +1184,7 @@ int domain_soft_reset(struct domain *d)
- }
- spin_unlock(&d->shutdown_lock);
-
-- rc = evtchn_reset(d);
-+ rc = evtchn_reset(d, resuming);
- if ( rc )
- return rc;
-
---- a/xen/common/domctl.c
-+++ b/xen/common/domctl.c
-@@ -585,12 +585,22 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
- }
-
- case XEN_DOMCTL_soft_reset:
-+ case XEN_DOMCTL_soft_reset_cont:
- if ( d == current->domain ) /* no domain_pause() */
- {
- ret = -EINVAL;
- break;
- }
-- ret = domain_soft_reset(d);
-+ ret = domain_soft_reset(d, op->cmd == XEN_DOMCTL_soft_reset_cont);
-+ if ( ret == -ERESTART )
-+ {
-+ op->cmd = XEN_DOMCTL_soft_reset_cont;
-+ if ( !__copy_field_to_guest(u_domctl, op, cmd) )
-+ ret = hypercall_create_continuation(__HYPERVISOR_domctl,
-+ "h", u_domctl);
-+ else
-+ ret = -EFAULT;
-+ }
- break;
-
- case XEN_DOMCTL_destroydomain:
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -1057,7 +1057,7 @@ int evtchn_unmask(unsigned int port)
- return 0;
- }
-
--int evtchn_reset(struct domain *d)
-+int evtchn_reset(struct domain *d, bool resuming)
- {
- unsigned int i;
- int rc = 0;
-@@ -1065,11 +1065,40 @@ int evtchn_reset(struct domain *d)
- if ( d != current->domain && !d->controller_pause_count )
- return -EINVAL;
-
-- for ( i = 0; port_is_valid(d, i); i++ )
-+ spin_lock(&d->event_lock);
-+
-+ /*
-+ * If we are resuming, then start where we stopped. Otherwise, check
-+ * that a reset operation is not already in progress, and if none is,
-+ * record that this is now the case.
-+ */
-+ i = resuming ? d->next_evtchn : !d->next_evtchn;
-+ if ( i > d->next_evtchn )
-+ d->next_evtchn = i;
-+
-+ spin_unlock(&d->event_lock);
-+
-+ if ( !i )
-+ return -EBUSY;
-+
-+ for ( ; port_is_valid(d, i); i++ )
-+ {
- evtchn_close(d, i, 1);
-
-+ /* NB: Choice of frequency is arbitrary. */
-+ if ( !(i & 0x3f) && hypercall_preempt_check() )
-+ {
-+ spin_lock(&d->event_lock);
-+ d->next_evtchn = i;
-+ spin_unlock(&d->event_lock);
-+ return -ERESTART;
-+ }
-+ }
-+
- spin_lock(&d->event_lock);
-
-+ d->next_evtchn = 0;
-+
- if ( d->active_evtchns > d->xen_evtchns )
- rc = -EAGAIN;
- else if ( d->evtchn_fifo )
-@@ -1204,7 +1233,8 @@ long do_event_channel_op(int cmd, XEN_GU
- break;
- }
-
-- case EVTCHNOP_reset: {
-+ case EVTCHNOP_reset:
-+ case EVTCHNOP_reset_cont: {
- struct evtchn_reset reset;
- struct domain *d;
-
-@@ -1217,9 +1247,13 @@ long do_event_channel_op(int cmd, XEN_GU
-
- rc = xsm_evtchn_reset(XSM_TARGET, current->domain, d);
- if ( !rc )
-- rc = evtchn_reset(d);
-+ rc = evtchn_reset(d, cmd == EVTCHNOP_reset_cont);
-
- rcu_unlock_domain(d);
-+
-+ if ( rc == -ERESTART )
-+ rc = hypercall_create_continuation(__HYPERVISOR_event_channel_op,
-+ "ih", EVTCHNOP_reset_cont, arg);
- break;
- }
-
---- a/xen/include/public/domctl.h
-+++ b/xen/include/public/domctl.h
-@@ -1144,7 +1144,10 @@ struct xen_domctl {
- #define XEN_DOMCTL_iomem_permission 20
- #define XEN_DOMCTL_ioport_permission 21
- #define XEN_DOMCTL_hypercall_init 22
--#define XEN_DOMCTL_arch_setup 23 /* Obsolete IA64 only */
-+#ifdef __XEN__
-+/* #define XEN_DOMCTL_arch_setup 23 Obsolete IA64 only */
-+#define XEN_DOMCTL_soft_reset_cont 23
-+#endif
- #define XEN_DOMCTL_settimeoffset 24
- #define XEN_DOMCTL_getvcpuaffinity 25
- #define XEN_DOMCTL_real_mode_area 26 /* Obsolete PPC only */
---- a/xen/include/public/event_channel.h
-+++ b/xen/include/public/event_channel.h
-@@ -74,6 +74,9 @@
- #define EVTCHNOP_init_control 11
- #define EVTCHNOP_expand_array 12
- #define EVTCHNOP_set_priority 13
-+#ifdef __XEN__
-+#define EVTCHNOP_reset_cont 14
-+#endif
- /* ` } */
-
- typedef uint32_t evtchn_port_t;
---- a/xen/include/xen/event.h
-+++ b/xen/include/xen/event.h
-@@ -171,7 +171,7 @@ void evtchn_check_pollers(struct domain
- void evtchn_2l_init(struct domain *d);
-
- /* Close all event channels and reset to 2-level ABI. */
--int evtchn_reset(struct domain *d);
-+int evtchn_reset(struct domain *d, bool resuming);
-
- /*
- * Low-level event channel port ops.
---- a/xen/include/xen/sched.h
-+++ b/xen/include/xen/sched.h
-@@ -356,6 +356,8 @@ struct domain
- * EVTCHNOP_reset). Read/write access like for active_evtchns.
- */
- unsigned int xen_evtchns;
-+ /* Port to resume from in evtchn_reset(), when in a continuation. */
-+ unsigned int next_evtchn;
- spinlock_t event_lock;
- const struct evtchn_port_ops *evtchn_port_ops;
- struct evtchn_fifo_domain *evtchn_fifo;
-@@ -628,7 +630,7 @@ int domain_shutdown(struct domain *d, u8
- void domain_resume(struct domain *d);
- void domain_pause_for_debugger(void);
-
--int domain_soft_reset(struct domain *d);
-+int domain_soft_reset(struct domain *d, bool resuming);
-
- int vcpu_start_shutdown_deferral(struct vcpu *v);
- void vcpu_end_shutdown_deferral(struct vcpu *v);
diff --git a/main/xen/xsa351-x86-4.12-1.patch b/main/xen/xsa351-x86-4.12-1.patch
new file mode 100644
index 00000000000..7d9109cb59b
--- /dev/null
+++ b/main/xen/xsa351-x86-4.12-1.patch
@@ -0,0 +1,155 @@
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Subject: x86/msr: fix handling of MSR_IA32_PERF_{STATUS/CTL}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently a PV hardware domain can also be given control over the CPU
+frequency, and such guest is allowed to write to MSR_IA32_PERF_CTL.
+However since commit 322ec7c89f6 the default behavior has been changed
+to reject accesses to not explicitly handled MSRs, preventing PV
+guests that manage CPU frequency from reading
+MSR_IA32_PERF_{STATUS/CTL}.
+
+Additionally some HVM guests (Windows at least) will attempt to read
+MSR_IA32_PERF_CTL and will panic if given back a #GP fault:
+
+ vmx.c:3035:d8v0 RDMSR 0x00000199 unimplemented
+ d8v0 VIRIDIAN CRASH: 3b c0000096 fffff806871c1651 ffffda0253683720 0
+
+Move the handling of MSR_IA32_PERF_{STATUS/CTL} to the common MSR
+handling shared between HVM and PV guests, and add an explicit case
+for reads to MSR_IA32_PERF_{STATUS/CTL}.
+
+Restore previous behavior and allow PV guests with the required
+permissions to read the contents of the mentioned MSRs. Non privileged
+guests will get 0 when trying to read those registers, as writes to
+MSR_IA32_PERF_CTL by such guest will already be silently dropped.
+
+Fixes: 322ec7c89f6 ('x86/pv: disallow access to unknown MSRs')
+Fixes: 84e848fd7a1 ('x86/hvm: disallow access to unknown MSRs')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 3059178798a23ba870ff86ff54d442a07e6651fc)
+
+diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
+index 4677222c40..a427826ba0 100644
+--- a/xen/arch/x86/msr.c
++++ b/xen/arch/x86/msr.c
+@@ -206,6 +206,25 @@ int guest_rdmsr(const struct vcpu *v, uint32_t msr, uint64_t *val)
+ *val = msrs->misc_features_enables.raw;
+ break;
+
++ /*
++ * These MSRs are not enumerated in CPUID. They have been around
++ * since the Pentium 4, and implemented by other vendors.
++ *
++ * Some versions of Windows try reading these before setting up a #GP
++ * handler, and Linux has several unguarded reads as well. Provide
++ * RAZ semantics, in general, but permit a cpufreq controller dom0 to
++ * have full access.
++ */
++ case MSR_IA32_PERF_STATUS:
++ case MSR_IA32_PERF_CTL:
++ if ( !(cp->x86_vendor & (X86_VENDOR_INTEL | X86_VENDOR_CENTAUR)) )
++ goto gp_fault;
++
++ *val = 0;
++ if ( likely(!is_cpufreq_controller(d)) || rdmsr_safe(msr, *val) == 0 )
++ break;
++ goto gp_fault;
++
+ case MSR_X2APIC_FIRST ... MSR_X2APIC_LAST:
+ if ( !is_hvm_domain(d) || v != curr )
+ goto gp_fault;
+@@ -290,6 +309,7 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
+ case MSR_INTEL_CORE_THREAD_COUNT:
+ case MSR_INTEL_PLATFORM_INFO:
+ case MSR_ARCH_CAPABILITIES:
++ case MSR_IA32_PERF_STATUS:
+ /* Read-only */
+ case MSR_TSX_FORCE_ABORT:
+ case MSR_TSX_CTRL:
+@@ -394,6 +414,21 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
+ break;
+ }
+
++ /*
++ * This MSR is not enumerated in CPUID. It has been around since the
++ * Pentium 4, and implemented by other vendors.
++ *
++ * To match the RAZ semantics, implement as write-discard, except for
++ * a cpufreq controller dom0 which has full access.
++ */
++ case MSR_IA32_PERF_CTL:
++ if ( !(cp->x86_vendor & (X86_VENDOR_INTEL | X86_VENDOR_CENTAUR)) )
++ goto gp_fault;
++
++ if ( likely(!is_cpufreq_controller(d)) || wrmsr_safe(msr, val) == 0 )
++ break;
++ goto gp_fault;
++
+ case MSR_X2APIC_FIRST ... MSR_X2APIC_LAST:
+ if ( !is_hvm_domain(d) || v != curr )
+ goto gp_fault;
+diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
+index 324a2334a2..933036ea34 100644
+--- a/xen/arch/x86/pv/emul-priv-op.c
++++ b/xen/arch/x86/pv/emul-priv-op.c
+@@ -799,12 +799,6 @@ static inline uint64_t guest_misc_enable(uint64_t val)
+ return val;
+ }
+
+-static inline bool is_cpufreq_controller(const struct domain *d)
+-{
+- return ((cpufreq_controller == FREQCTL_dom0_kernel) &&
+- is_hardware_domain(d));
+-}
+-
+ static int read_msr(unsigned int reg, uint64_t *val,
+ struct x86_emulate_ctxt *ctxt)
+ {
+@@ -1047,14 +1041,6 @@ static int write_msr(unsigned int reg, uint64_t val,
+ return X86EMUL_OKAY;
+ break;
+
+- case MSR_IA32_PERF_CTL:
+- if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
+- break;
+- if ( likely(!is_cpufreq_controller(currd)) ||
+- wrmsr_safe(reg, val) == 0 )
+- return X86EMUL_OKAY;
+- break;
+-
+ case MSR_IA32_THERM_CONTROL:
+ case MSR_IA32_ENERGY_PERF_BIAS:
+ if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
+diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
+index 819f6ede2b..b918624327 100644
+--- a/xen/include/xen/sched.h
++++ b/xen/include/xen/sched.h
+@@ -993,6 +993,22 @@ extern enum cpufreq_controller {
+ FREQCTL_none, FREQCTL_dom0_kernel, FREQCTL_xen
+ } cpufreq_controller;
+
++static always_inline bool is_cpufreq_controller(const struct domain *d)
++{
++ /*
++ * A PV dom0 can be nominated as the cpufreq controller, instead of using
++ * Xen's cpufreq driver, at which point dom0 gets direct access to certain
++ * MSRs.
++ *
++ * This interface only works when dom0 is identity pinned and has the same
++ * number of vCPUs as pCPUs on the system.
++ *
++ * It would be far better to paravirtualise the interface.
++ */
++ return (is_pv_domain(d) && is_hardware_domain(d) &&
++ cpufreq_controller == FREQCTL_dom0_kernel);
++}
++
+ #define CPUPOOLID_NONE -1
+
+ struct cpupool *cpupool_get_by_id(int poolid);
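Review bot: The vendor test added to both `guest_rdmsr` and `guest_wrmsr` is a bitwise mask, `cp->x86_vendor & (X86_VENDOR_INTEL | X86_VENDOR_CENTAUR)`, which is only correct if the `X86_VENDOR_*` constants are distinct single-bit values in the 4.12 tree this is applied to. Their definitions are not visible here, and the code removed from `emul-priv-op.c` used an equality test (`boot_cpu_data.x86_vendor != X86_VENDOR_INTEL`), so this should be confirmed against the target headers. If the constants are plain enumerators, the check needs to be `if ( cp->x86_vendor != X86_VENDOR_INTEL && cp->x86_vendor != X86_VENDOR_CENTAUR )`. Note also that the relocated `is_cpufreq_controller()` now additionally requires `is_pv_domain(d)`, a behaviour change beyond the move that the function comment explains but the move itself hides. Both switch bodies continue outside the inner hunks.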
diff --git a/main/xen/xsa351-x86-4.12-2.patch b/main/xen/xsa351-x86-4.12-2.patch
new file mode 100644
index 00000000000..b4dce621ea6
--- /dev/null
+++ b/main/xen/xsa351-x86-4.12-2.patch
@@ -0,0 +1,124 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/msr: Disallow guest access to the RAPL MSRs
+
+Researchers have demonstrated using the RAPL interface to perform a
+differential power analysis attack to recover AES keys used by other cores in
+the system.
+
+Furthermore, even privileged guests cannot use this interface correctly, due
+to MSR scope and vcpu scheduling issues. The interface would want to be
+paravirtualised to be used sensibly.
+
+Disallow access to the RAPL MSRs completely, as well as other MSRs which
+potentially access fine grain power information.
+
+This is part of XSA-351.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
+index a427826ba0..927ed625df 100644
+--- a/xen/arch/x86/msr.c
++++ b/xen/arch/x86/msr.c
+@@ -151,9 +151,18 @@ int guest_rdmsr(const struct vcpu *v, uint32_t msr, uint64_t *val)
+ case MSR_TSX_CTRL:
+ case MSR_MCU_OPT_CTRL:
+ case MSR_RTIT_OUTPUT_BASE ... MSR_RTIT_ADDR_B(7):
++ case MSR_RAPL_POWER_UNIT:
++ case MSR_PKG_POWER_LIMIT ... MSR_PKG_POWER_INFO:
++ case MSR_DRAM_POWER_LIMIT ... MSR_DRAM_POWER_INFO:
++ case MSR_PP0_POWER_LIMIT ... MSR_PP0_POLICY:
++ case MSR_PP1_POWER_LIMIT ... MSR_PP1_POLICY:
++ case MSR_PLATFORM_ENERGY_COUNTER:
++ case MSR_PLATFORM_POWER_LIMIT:
+ case MSR_U_CET:
+ case MSR_S_CET:
+ case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE:
++ case MSR_F15H_CU_POWER ... MSR_F15H_CU_MAX_POWER:
++ case MSR_AMD_RAPL_POWER_UNIT ... MSR_AMD_PKG_ENERGY_STATUS:
+ /* Not offered to guests. */
+ goto gp_fault;
+
+@@ -315,9 +324,18 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
+ case MSR_TSX_CTRL:
+ case MSR_MCU_OPT_CTRL:
+ case MSR_RTIT_OUTPUT_BASE ... MSR_RTIT_ADDR_B(7):
++ case MSR_RAPL_POWER_UNIT:
++ case MSR_PKG_POWER_LIMIT ... MSR_PKG_POWER_INFO:
++ case MSR_DRAM_POWER_LIMIT ... MSR_DRAM_POWER_INFO:
++ case MSR_PP0_POWER_LIMIT ... MSR_PP0_POLICY:
++ case MSR_PP1_POWER_LIMIT ... MSR_PP1_POLICY:
++ case MSR_PLATFORM_ENERGY_COUNTER:
++ case MSR_PLATFORM_POWER_LIMIT:
+ case MSR_U_CET:
+ case MSR_S_CET:
+ case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE:
++ case MSR_F15H_CU_POWER ... MSR_F15H_CU_MAX_POWER:
++ case MSR_AMD_RAPL_POWER_UNIT ... MSR_AMD_PKG_ENERGY_STATUS:
+ /* Not offered to guests. */
+ goto gp_fault;
+
+diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h
+index 0eb6855614..ba9e90af21 100644
+--- a/xen/include/asm-x86/msr-index.h
++++ b/xen/include/asm-x86/msr-index.h
+@@ -96,6 +96,38 @@
+ /* Lower 6 bits define the format of the address in the LBR stack */
+ #define MSR_IA32_PERF_CAP_LBR_FORMAT 0x3f
+
++/*
++ * Intel Runtime Average Power Limiting (RAPL) interface. Power plane base
++ * addresses (MSR_*_POWER_LIMIT) are model specific, but have so-far been
++ * consistent since their introduction in SandyBridge.
++ *
++ * Offsets of functionality from the power plane base is architectural, but
++ * not all power planes support all functionality.
++ */
++#define MSR_RAPL_POWER_UNIT 0x00000606
++
++#define MSR_PKG_POWER_LIMIT 0x00000610
++#define MSR_PKG_ENERGY_STATUS 0x00000611
++#define MSR_PKG_PERF_STATUS 0x00000613
++#define MSR_PKG_POWER_INFO 0x00000614
++
++#define MSR_DRAM_POWER_LIMIT 0x00000618
++#define MSR_DRAM_ENERGY_STATUS 0x00000619
++#define MSR_DRAM_PERF_STATUS 0x0000061b
++#define MSR_DRAM_POWER_INFO 0x0000061c
++
++#define MSR_PP0_POWER_LIMIT 0x00000638
++#define MSR_PP0_ENERGY_STATUS 0x00000639
++#define MSR_PP0_POLICY 0x0000063a
++
++#define MSR_PP1_POWER_LIMIT 0x00000640
++#define MSR_PP1_ENERGY_STATUS 0x00000641
++#define MSR_PP1_POLICY 0x00000642
++
++/* Intel Platform-wide power interface. */
++#define MSR_PLATFORM_ENERGY_COUNTER 0x0000064d
++#define MSR_PLATFORM_POWER_LIMIT 0x0000065c
++
+ #define MSR_IA32_BNDCFGS 0x00000d90
+ #define IA32_BNDCFGS_ENABLE 0x00000001
+ #define IA32_BNDCFGS_PRESERVE 0x00000002
+@@ -236,6 +268,8 @@
+ #define MSR_K8_VM_CR 0xc0010114
+ #define MSR_K8_VM_HSAVE_PA 0xc0010117
+
++#define MSR_F15H_CU_POWER 0xc001007a
++#define MSR_F15H_CU_MAX_POWER 0xc001007b
+ #define MSR_AMD_FAM15H_EVNTSEL0 0xc0010200
+ #define MSR_AMD_FAM15H_PERFCTR0 0xc0010201
+ #define MSR_AMD_FAM15H_EVNTSEL1 0xc0010202
+@@ -249,6 +283,10 @@
+ #define MSR_AMD_FAM15H_EVNTSEL5 0xc001020a
+ #define MSR_AMD_FAM15H_PERFCTR5 0xc001020b
+
++#define MSR_AMD_RAPL_POWER_UNIT 0xc0010299
++#define MSR_AMD_CORE_ENERGY_STATUS 0xc001029a
++#define MSR_AMD_PKG_ENERGY_STATUS 0xc001029b
++
+ #define MSR_AMD_L7S0_FEATURE_MASK 0xc0011002
+ #define MSR_AMD_THRM_FEATURE_MASK 0xc0011003
+ #define MSR_K8_FEATURE_MASK 0xc0011004
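Review bot: The same nine `case` labels are added independently to `guest_rdmsr` and `guest_wrmsr`, with nothing tying the two lists together, so a later addition to only one of them would leave the other direction on whatever the default path does. The range labels also block indices that `msr-index.h` never names. For example, `MSR_PKG_POWER_LIMIT ... MSR_PKG_POWER_INFO` spans 0x610–0x614 and so includes 0x612, and the DRAM range includes 0x61a. If that is intentional, a comment above the first new label in each switch would record it, e.g. `/* Power/energy MSRs: ranges cover the whole plane, including unnamed indices. Keep in sync with the read/write counterpart. */`. Both switch statements continue outside the inner hunks.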
diff --git a/main/xen/xsa355.patch b/main/xen/xsa355.patch
new file mode 100644
index 00000000000..491dd05028a
--- /dev/null
+++ b/main/xen/xsa355.patch
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: memory: fix off-by-one in XSA-346 change
+
+The comparison against ARRAY_SIZE() needs to be >= in order to avoid
+overrunning the pages[] array.
+
+This is XSA-355.
+
+Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain
+ ++extra.ppage;
+
+ /* Check for continuation if it's not the last iteration. */
+- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
++ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
+ (xatp->size > done && hypercall_preempt_check()) )
+ {
+ rc = start + done;
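Review bot: The corrected bound `++done >= ARRAY_SIZE(pages)` still has no comment stating the invariant it protects, and the existing comment only mentions continuation. I would extend it to something like `/* Check for continuation if it's not the last iteration; with extra.ppage in use, done must never reach ARRAY_SIZE(pages). */`. Only three context lines of `xenmem_add_to_physmap` are visible, so the link between `done` and the `pages[]` index is taken from the commit message rather than from the code.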
diff --git a/main/xorg-server/APKBUILD b/main/xorg-server/APKBUILD
index dc1156b4748..5763dcfe8e9 100644
--- a/main/xorg-server/APKBUILD
+++ b/main/xorg-server/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xorg-server
pkgver=1.20.5
-pkgrel=2
+pkgrel=3
pkgdesc="X.Org X servers"
url="https://www.x.org/wiki"
arch="all"
@@ -64,9 +64,12 @@ source="https://www.x.org/releases/individual/xserver/$pkgname-$pkgver.tar.bz2
CVE-2020-14346.patch
CVE-2020-14361.patch
CVE-2020-14362.patch
+ CVE-2021-3472.patch::https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd.patch
"
# secfixes:
+# 1.20.5-r3:
+# - CVE-2021-3472
# 1.20.5-r2:
# - CVE-2020-14345
# - CVE-2020-14346
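Review bot: The CVE-2021-3472 fix is the only `source` entry fetched from a forge commit URL at build time, while the neighbouring CVE patches are plain files in the package directory. The sha512 added in the checksum hunk pins the content, so a modified download fails the build rather than being applied. But forge-generated `.patch` output is not guaranteed to stay byte-identical, and the security fix becomes unbuildable if the URL changes or is unreachable. Committing the file and listing it as `CVE-2021-3472.patch`, like the entries above it, keeps the fix reproducible and reviewable in-tree.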
@@ -187,4 +190,5 @@ e2f1de245d526fbfe48011aaa1236ce16de9af4468e4825a233569c49c6f85cb046d019b1d1df45e
3e411cb0af272b3f89ce9b8bb7e35eef703b4a01d8722331aaf3d365cd7867a28deee8d5224ceb8fe0cd63e9cf600f05d7360aa5ffb4c0ae2655e80e6430f7f9 CVE-2020-14345.patch
6981bb37302e6c6afc6e389698eef1e1021577a6ac54a81ec0470cc198a975274db8a2b6d9ecd0b22a1c8bb6aff07d37030c3cd451467452e6a05203f942e296 CVE-2020-14346.patch
4acf43c8a08a3ee3012cf9ae1af517bf8f7cc493316e6d9f5b55f39b205f22406b757618024e70ed98f9c56baa238ed166bcf8aa26995d33183e1e323c48f9c8 CVE-2020-14361.patch
-0fa92233e405b74de6dc4ee144d995581f0ab7fbf7ee5f8410e4a842496724ac9425ed6406881d005e4fc70d01d4d05c4aff83491683f3e270e9ba360cb94d52 CVE-2020-14362.patch"
+0fa92233e405b74de6dc4ee144d995581f0ab7fbf7ee5f8410e4a842496724ac9425ed6406881d005e4fc70d01d4d05c4aff83491683f3e270e9ba360cb94d52 CVE-2020-14362.patch
+249e7b0142193f7828e888879d8548ef8afbe56ec7188674dcc8a16f3caa1e19b84f87d29334a991463b08ad05a2e677ebb186a2495c1dfbd39c2193570e381b CVE-2021-3472.patch"
diff --git a/main/xtables-addons-vanilla/APKBUILD b/main/xtables-addons-vanilla/APKBUILD
index ec77c540fb2..ff80697f6aa 100644
--- a/main/xtables-addons-vanilla/APKBUILD
+++ b/main/xtables-addons-vanilla/APKBUILD
@@ -2,12 +2,12 @@
# when changing _ver we *must* bump _rel
_name=xtables-addons
-_ver=3.2
+_ver=3.6
_rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.118
+_kver=4.19.176
_krel=0
_kpkgver="$_kver-r$_krel"
@@ -24,7 +24,9 @@ license="GPL-2.0"
depends="$_kpkg=$_kpkgver"
makedepends="$_kpkg-dev=$_kpkgver iptables-dev linux-headers"
install_if="$_kpkg=$_kpkgver $_name"
-source="https://downloads.sourceforge.net/$_name/$_name-$_ver.tar.xz"
+source="https://downloads.sourceforge.net/$_name/$_name-$_ver.tar.xz
+ ip_route_me_harder.patch
+ "
# temporary disable the provides til hardened is fully removed
#provides="${_name}-grsec=${pkgver}-r${pkgrel}"
#replaces="$_name-hardened"
@@ -62,4 +64,5 @@ package() {
make DESTDIR="$pkgdir" modules_install
}
-sha512sums="57b02aec83765ad407a813cc8bb5ba471739da09ee8177094592833d1eaa54300ce06b326e9897cb80f563bdaec24b33d42c2cdb72f8a0ec8f86b085fcc6494d xtables-addons-3.2.tar.xz"
+sha512sums="f2d9e1dc1b23696132fa845f5767cabc6b39494d46587cfee77f7099bfba67f137712163f120496d33a9a38bbb1aeb418faac51125494952e69733006e563c67 xtables-addons-3.6.tar.xz
+a746279a28b7ab9d6d0783ccded9d4dec953dd33127b1e5cf3421cf8e601e81c003869831aaa78fb811ffe10e2b5c0d3dd80c4d0fc31a0ca134459caeb428fe5 ip_route_me_harder.patch"
diff --git a/main/xtables-addons-vanilla/ip_route_me_harder.patch b/main/xtables-addons-vanilla/ip_route_me_harder.patch
new file mode 100644
index 00000000000..075f52dadec
--- /dev/null
+++ b/main/xtables-addons-vanilla/ip_route_me_harder.patch
@@ -0,0 +1,48 @@
+diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c
+index b384c8e..cb1d055 100644
+--- a/extensions/xt_DELUDE.c
++++ b/extensions/xt_DELUDE.c
+@@ -122,7 +122,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
+ /* ip_route_me_harder expects skb->dst to be set */
+ skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
+
+- if (ip_route_me_harder(net, nskb, addr_type))
++ if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
+ goto free_nskb;
+ else
+ niph = ip_hdr(nskb);
+diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c
+index e99312b..2ab413b 100644
+--- a/extensions/xt_ECHO.c
++++ b/extensions/xt_ECHO.c
+@@ -192,7 +192,7 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
+ /* ip_route_me_harder expects the skb's dst to be set */
+ skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
+
+- if (ip_route_me_harder(par_net(par), newskb, RTN_UNSPEC) != 0)
++ if (ip_route_me_harder(par_net(par), par->state->sk, newskb, RTN_UNSPEC) != 0)
+ goto free_nskb;
+
+ newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
+diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
+index 4926f2e..6256e60 100644
+--- a/extensions/xt_TARPIT.c
++++ b/extensions/xt_TARPIT.c
+@@ -265,7 +265,7 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
+ #endif
+ addr_type = RTN_LOCAL;
+
+- if (ip_route_me_harder(net, nskb, addr_type))
++ if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
+ goto free_nskb;
+ else
+ niph = ip_hdr(nskb);
+@@ -399,7 +399,7 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
+ IPPROTO_TCP,
+ csum_partial(tcph, sizeof(struct tcphdr), 0));
+
+- if (ip6_route_me_harder(net, nskb))
++ if (ip6_route_me_harder(net, nskb->sk, nskb))
+ goto free_nskb;
+
+ nskb->ip_summed = CHECKSUM_NONE;
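Review bot: The four call sites do not agree on which socket they pass. `xt_ECHO.c` uses `par->state->sk`, while `xt_DELUDE.c` and both `xt_TARPIT.c` sites use `nskb->sk`, the socket of the freshly built reply skb. Whether `nskb->sk` is ever set at those points is not visible in the hunks, so it is worth confirming that the difference is intended. The patch file also has no description header, so nothing records that it unconditionally adopts the extra-`sk` signature of `ip_route_me_harder()` / `ip6_route_me_harder()`. It therefore presumably only builds against kernels that carry that signature, such as the `_kver` bumped in the APKBUILD. A short header stating the origin of the change and the minimum kernel it needs would make that dependency explicit for the next kernel bump.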
diff --git a/main/zfs-vanilla/APKBUILD b/main/zfs-vanilla/APKBUILD
index 2d1152ac61c..5823b6d7733 100644
--- a/main/zfs-vanilla/APKBUILD
+++ b/main/zfs-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=1
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.118
+_kver=4.19.176
_krel=0
_kpkgver="$_kver-r$_krel"