aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
Diffstat (limited to 'main')
-rw-r--r--main/ca-certificates/APKBUILD4
-rw-r--r--main/cairo/APKBUILD12
-rw-r--r--main/cairo/fix-inf-loop.patch36
-rw-r--r--main/freetype/APKBUILD9
-rw-r--r--main/freetype/CVE-2022-27405.patch36
-rw-r--r--main/freetype/CVE-2022-27406.patch27
-rw-r--r--main/haproxy/APKBUILD4
-rw-r--r--main/mariadb/APKBUILD29
-rw-r--r--main/mqtt-exec/APKBUILD10
-rw-r--r--main/mqtt-exec/mqtt-exec.confd23
-rw-r--r--main/mqtt-exec/mqtt-exec.initd3
-rw-r--r--main/nettle/APKBUILD16
-rw-r--r--main/nettle/CVE-2021-3580.patch520
-rw-r--r--main/zlib/APKBUILD8
14 files changed, 720 insertions, 17 deletions
diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD
index c81d6632a0..38e0b40206 100644
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ca-certificates
-pkgver=20211220
+pkgver=20220614
pkgrel=0
pkgdesc="Common CA certificates PEM files from Mozilla"
url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
@@ -64,5 +64,5 @@ bundle() {
}
sha512sums="
-6b486384c80b29632939a28524acfeeedc60f5df44da86bc16ce79f3cf2ff464455e963ebeb410c3072829b9083215961b32c18673ff77b211652d4c1e870799 ca-certificates-20211220.tar.bz2
+8e20d3021222bb3b470a935d34ffe23e7857bf0b7fedda5284049155aab01bc88ab54ae939376968fb7fbff41e6b06bd32e34405210a8e74faadb68ffa6d9dd4 ca-certificates-20220614.tar.bz2
"
diff --git a/main/cairo/APKBUILD b/main/cairo/APKBUILD
index b4a63a44a5..67b31fa38e 100644
--- a/main/cairo/APKBUILD
+++ b/main/cairo/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cairo
pkgver=1.16.0
-pkgrel=3
+pkgrel=5
pkgdesc="A vector graphics library"
url="https://cairographics.org/"
arch="all"
@@ -17,10 +17,13 @@ source="https://cairographics.org/releases/cairo-$pkgver.tar.xz
CVE-2018-19876.patch
pdf-flush.patch
85.patch
+ fix-inf-loop.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.16.0-r5:
+# - CVE-2019-6462
# 1.16.0-r3:
# - CVE-2020-35492
# 1.16.0-r1:
@@ -70,8 +73,11 @@ tools() {
"$subpkgdir"/usr/lib/cairo/
}
-sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz
+sha512sums="
+9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz
86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch
8f13cdcae0f134e04778cf5915f858fb8d5357a7e0a454791c93d1566935b985ec66dfe1683cd0b74a1cb44a130923d7a27cf006f3fc70b9bee93abd58a55aa3 CVE-2018-19876.patch
533ea878dc7f917af92e2694bd3f535a09cde77f0ecd0cc00881fbc9ec1ea86f60026eacc76129705f525f6672929ad8d15d8cfe1bfa61e9962e805a7fbded81 pdf-flush.patch
-20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0 85.patch"
+20699d2dd10531f99587cdcd187a23e23bca5a9f031255c95aade4dadb79bbb62118c7ddff677c2fd20e4ba7694eee4debcd79a4d0736d62951a4fcee56ccae0 85.patch
+ebe5d71b18aa9eefe1e0a6c150761bb7abef41f144f37eb0bfa8a01947aacb1292ac131cf815dcaaaa6478c0aac07ca5428fba28ad346a00c5aaa5fa64f6ff5b fix-inf-loop.patch
+"
diff --git a/main/cairo/fix-inf-loop.patch b/main/cairo/fix-inf-loop.patch
new file mode 100644
index 0000000000..2a26876c36
--- /dev/null
+++ b/main/cairo/fix-inf-loop.patch
@@ -0,0 +1,36 @@
+From bbeaf08190d3006a80b80a77724801cd477a37b8 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@worldiety.de>
+Date: Sat, 17 Apr 2021 19:15:03 +0200
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+
+---
+ src/cairo-arc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..1c891d1a0 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ { M_PI / 11.0, 9.81410988043554039085e-09 },
+ };
+ int table_size = ARRAY_LENGTH (table);
++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
+
+ for (i = 0; i < table_size; i++)
+ if (table[i].error < tolerance)
+ return table[i].angle;
+
+ ++i;
++
+ do {
+ angle = M_PI / i++;
+ error = _arc_error_normalized (angle);
+- } while (error > tolerance);
++ } while (error > tolerance && i < max_segments);
+
+ return angle;
+ }
+--
+GitLab
+
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index 947500924f..798c89fae9 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=freetype
pkgver=2.10.4
-pkgrel=1
+pkgrel=2
pkgdesc="TrueType font rendering library"
url="https://www.freetype.org/"
arch="all"
@@ -14,9 +14,14 @@ source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar
0001-Enable-table-validation-modules.patch
subpixel.patch
CVE-2022-27404.patch
+ CVE-2022-27405.patch
+ CVE-2022-27406.patch
"
# secfixes:
+# 2.10.4-r2:
+# - CVE-2022-27405
+# - CVE-2022-27406
# 2.10.4-r1:
# - CVE-2022-27404
# 2.10.4-r0:
@@ -59,4 +64,6 @@ sha512sums="
580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763 0001-Enable-table-validation-modules.patch
72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch
a00040fddd30f8b7add990c4614cbe69a04d702c471064eaf1f28b70a24c35e25e430bc8ae1d90f198b3e432d90c8884519db30fab2e41e467892d79f5cdee8f CVE-2022-27404.patch
+4e4ed4b325ca8dbbd7362782867901b90eef48cb78d6a030769c33add029d4f61ddafe590c1cca35edd8e2b0c128106b7e01874acf52ac7c2b475f4ca6cf8cdf CVE-2022-27405.patch
+574f0a93a022ba8bae4440012dd4062841187e1af4e906e5a8f117549a7e528e9d4a0bd35833294248f3a71b299175cbf6d144231af29d8d2dd350bc7dc5b804 CVE-2022-27406.patch
"
diff --git a/main/freetype/CVE-2022-27405.patch b/main/freetype/CVE-2022-27405.patch
new file mode 100644
index 0000000000..4766867601
--- /dev/null
+++ b/main/freetype/CVE-2022-27405.patch
@@ -0,0 +1,36 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+
+
++ /* only use lower 31 bits together with sign bit */
++ if ( face_index > 0 )
++ face_index &= 0x7FFFFFFFL;
++ else
++ {
++ face_index &= 0x7FFFFFFFL;
++ face_index = -face_index;
++ }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
+--
+GitLab
+
diff --git a/main/freetype/CVE-2022-27406.patch b/main/freetype/CVE-2022-27406.patch
new file mode 100644
index 0000000000..0fdef7d216
--- /dev/null
+++ b/main/freetype/CVE-2022-27406.patch
@@ -0,0 +1,27 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+ if ( !face )
+ return FT_THROW( Invalid_Face_Handle );
+
++ if ( !face->size )
++ return FT_THROW( Invalid_Size_Handle );
++
+ if ( !req || req->width < 0 || req->height < 0 ||
+ req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+ return FT_THROW( Invalid_Argument );
+--
+GitLab
+
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index ab8e37a148..e831425ecf 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Milan P. Stanić <mps@arvanta.net>
pkgname=haproxy
-pkgver=2.2.23
+pkgver=2.2.24
_pkgmajorver=${pkgver%.*}
pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -56,7 +56,7 @@ package() {
}
sha512sums="
-8e4f0e72fbeae0bf31533c74f9d518f4825702f1f7b36137a224a35ba08cbeefbbf587fa0b7ca11cb7306bf64eebc0d0e8aead505a1d53037148e1572c831ff4 haproxy-2.2.23.tar.gz
+021d065e53503248de122fdd9431786b9f375a5f87aca76f870e17e44c8c4001a778bfb4e430b28af781a3f175f3643a549e363e964210c717f212c5966e68d8 haproxy-2.2.24.tar.gz
3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg
"
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index c67ed02d82..6c57ab093e 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -7,7 +7,7 @@
# Contributor: Jake Buchholz <tomalok@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.4.24
+pkgver=10.4.25
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -46,6 +46,31 @@ source="https://archive.mariadb.org/mariadb-$pkgver/source/mariadb-$pkgver.tar.g
#options="!check"
# secfixes:
+# 10.4.25-r0:
+# - CVE-2022-21427
+# - CVE-2022-27376
+# - CVE-2022-27377
+# - CVE-2022-27378
+# - CVE-2022-27379
+# - CVE-2022-27380
+# - CVE-2022-27381
+# - CVE-2022-27382
+# - CVE-2022-27383
+# - CVE-2022-27384
+# - CVE-2022-27386
+# - CVE-2022-27387
+# - CVE-2022-27444
+# - CVE-2022-27445
+# - CVE-2022-27446
+# - CVE-2022-27447
+# - CVE-2022-27448
+# - CVE-2022-27449
+# - CVE-2022-27451
+# - CVE-2022-27452
+# - CVE-2022-27455
+# - CVE-2022-27456
+# - CVE-2022-27457
+# - CVE-2022-27458
# 10.4.24-r0:
# - CVE-2021-46659
# - CVE-2021-46661
@@ -476,7 +501,7 @@ _plugin_rocksdb() {
}
sha512sums="
-031eb369b3c8e9a6c840396010b40dc6fb99dd29bb04369ab5217637b9ef1feee27208fd5126d87e687ca4a39a0f1f7aa01e77b565a76953876814b045a47e49 mariadb-10.4.24.tar.gz
+27ad62985e19c877623d1512adcbec44e714ca50da9d303eab12bc2ad67dcae45d48a1aa010ad554341c46a1c5db7ee26c14570b9fa55fb71caf9979dd12671e mariadb-10.4.25.tar.gz
c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd
70da971aa78815495098205bcbd28428430aa83c3f1050fec0231ca86af9d9def2d2108a48ee08d86812c8dc5ad8ab1ef4e17a49b4936ed5187ae0f6a7ef8f63 pcre.cmake.patch
dbd0970ea34e8bc8510431b3dc78f90b68be6f84bd27909a88516a469c2d5b402cfa62c548d78bac1e3eb717bb1b361cc375a3a77321a497e16dfba883233949 ppc-remove-glibc-dep.patch
diff --git a/main/mqtt-exec/APKBUILD b/main/mqtt-exec/APKBUILD
index 98f35288f4..28dc57d3af 100644
--- a/main/mqtt-exec/APKBUILD
+++ b/main/mqtt-exec/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mqtt-exec
pkgver=0.4
-pkgrel=5
+pkgrel=6
pkgdesc="simple MQTT client that executes a command on messages"
url="https://github.com/ncopa/mqtt-exec"
arch="all"
@@ -15,6 +15,7 @@ source="mqtt-exec-$pkgver.tar.gz::https://github.com/ncopa/mqtt-exec/archive/v$p
0001-authentication-expose-authentication-with-credential.patch
0001-Let-library-generate-client-id-when-unset.patch
mqtt-exec.initd
+ mqtt-exec.confd
"
builddir="$srcdir"/mqtt-exec-$pkgver
@@ -31,7 +32,10 @@ package() {
"$pkgdir"/etc/init.d/mqtt-exec || return 1
}
-sha512sums="1448b2dda0f27a5275c113331ea2bc073ec1740797c1bb5b472ee3e0fd4d3ef4bcdfa6dc42e7540ee154b291c3d70df89f0646899ebb1bfe585d1384797de5e7 mqtt-exec-0.4.tar.gz
+sha512sums="
+1448b2dda0f27a5275c113331ea2bc073ec1740797c1bb5b472ee3e0fd4d3ef4bcdfa6dc42e7540ee154b291c3d70df89f0646899ebb1bfe585d1384797de5e7 mqtt-exec-0.4.tar.gz
418058ecc05922df186d0dcbfeab7656977256a143f0346406598d1cf7331d3ba95a9b004bf3b6581be2e3cb2fbf5e69d7954b4c7ac488863f0318506c7f1c7c 0001-authentication-expose-authentication-with-credential.patch
7007ad1afcba6b5c0e6224a30e3a6c1b9ce178603b27f575bb76d7b979b8e7f4c4c1226afa3ff8cf1f217fff832d0a69cff1cfbc205203dcb8a98afbf6f345ed 0001-Let-library-generate-client-id-when-unset.patch
-7e0c461d5ed73fb8bac1da5f78bb7d8204f692fc3980ee916057c19c3673591d4143a71cc846f863566abfcc9ada22281bb690bc146e9ae37f43896248e5ed4a mqtt-exec.initd"
+f8cab7fe709fc80b3a75f1d65d55e10c05a4b27e319a9190d3ee78050fea86d8c6512e3d624b8b413dab01b2043bed5f672453090251b93d261d79125f9f0d17 mqtt-exec.initd
+e5cce69f5ad1f0fcf0eb0be7675c2f4ca4ba5518e8303adb16673b7e402dbe8d48b57c4b4512a0d3aba4541241d2ddeca68b88354d089606f67a5549508b44b5 mqtt-exec.confd
+"
diff --git a/main/mqtt-exec/mqtt-exec.confd b/main/mqtt-exec/mqtt-exec.confd
new file mode 100644
index 0000000000..10a14760bb
--- /dev/null
+++ b/main/mqtt-exec/mqtt-exec.confd
@@ -0,0 +1,23 @@
+# The MQTT broker to connect to
+#mqtt_broker=msg.alpinelinux.org
+
+# The topics to subscribe to. Separate topics by whitespace.
+#mqtt_topics=
+
+# Set the topic for the Will
+#will_topic=
+
+# Whether the Will should be retained or not
+#will_retain=yes
+
+# The message in the Will
+#will_payload=
+
+# QOS level for the Will
+#will_qos=
+
+# Optional username to authenticate as
+#mqtt_user=
+
+# Password for the user
+#export MQTT_EXEC_PASSWORD=
diff --git a/main/mqtt-exec/mqtt-exec.initd b/main/mqtt-exec/mqtt-exec.initd
index ff94d01d44..c9d4e941cb 100644
--- a/main/mqtt-exec/mqtt-exec.initd
+++ b/main/mqtt-exec/mqtt-exec.initd
@@ -34,6 +34,9 @@ start_pre() {
if [ -n "$will_qos" ]; then
set -- "$@" --will-qos "$will_qos"
fi
+ if [ -n "$mqtt_user" ]; then
+ set -- "$@" --username "$mqtt_user"
+ fi
set -- "$@" -- ${exec_command}
diff --git a/main/nettle/APKBUILD b/main/nettle/APKBUILD
index 79c643351c..7007729014 100644
--- a/main/nettle/APKBUILD
+++ b/main/nettle/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=nettle
pkgver=3.5.1
-pkgrel=1
+pkgrel=2
pkgdesc="A low-level cryptographic library"
url="https://www.lysator.liu.se/~nisse/nettle/"
arch="all"
@@ -11,9 +11,16 @@ license="LGPL-2.0-or-later"
depends_dev="gmp-dev"
makedepends="$depends_dev m4"
subpackages="$pkgname-static $pkgname-dev $pkgname-utils"
-source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2021-3580.patch
+ "
+
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 3.5.1-r2:
+# - CVE-2021-3580
+
build() {
./configure \
--build=$CBUILD \
@@ -48,4 +55,7 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="f738121b9091cbe79435fb5d46b45cf6f10912320c233829356908127bab1cac6946ca56e022a832380c44f2c10f21d2feef64cb0f4f41e3da4a681dc0131784 nettle-3.5.1.tar.gz"
+sha512sums="
+f738121b9091cbe79435fb5d46b45cf6f10912320c233829356908127bab1cac6946ca56e022a832380c44f2c10f21d2feef64cb0f4f41e3da4a681dc0131784 nettle-3.5.1.tar.gz
+bfea56c22da1125fa4a3bda76c79fb432f49ede0dbc032c8e90a8048dacab6ac3544d19758b90763cccd99d4dc97ec988ecb6d4224715e0193ed9222b096a223 CVE-2021-3580.patch
+"
diff --git a/main/nettle/CVE-2021-3580.patch b/main/nettle/CVE-2021-3580.patch
new file mode 100644
index 0000000000..fb7dcd60b1
--- /dev/null
+++ b/main/nettle/CVE-2021-3580.patch
@@ -0,0 +1,520 @@
+Patch-Source: https://git.lysator.liu.se/nettle/nettle/-/commit/fd6d9ba7ca92912762c072fcf74490bc5d63d633
+Patch-Source: https://git.lysator.liu.se/nettle/nettle/-/commit/cd6059aebdd3059fbcf674dddb850b821c13b6c2
+Patch-Source: https://git.lysator.liu.se/nettle/nettle/-/commit/c80961c646b0962ab152619ac0a7c6a21850a380
+
+changelogs trimmed
+---
+
+From fd6d9ba7ca92912762c072fcf74490bc5d63d633 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Thu, 6 May 2021 21:30:23 +0200
+Subject: [PATCH] Add check that message length to _pkcs1_sec_decrypt is valid.
+
+* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
+length is valid, for given key size.
+* testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
+calls to rsa_sec_decrypt specifying a too large message length.
+
+(cherry picked from commit 7616541e6eff73353bf682c62e3a68e4fe696707)
+---
+ ChangeLog | 8 ++++++++
+ pkcs1-sec-decrypt.c | 4 +++-
+ testsuite/rsa-sec-decrypt-test.c | 17 ++++++++++++++++-
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/pkcs1-sec-decrypt.c b/pkcs1-sec-decrypt.c
+index 4f13080e..16833691 100644
+--- a/pkcs1-sec-decrypt.c
++++ b/pkcs1-sec-decrypt.c
+@@ -63,7 +63,9 @@ _pkcs1_sec_decrypt (size_t length, uint8_t *message,
+ volatile int ok;
+ size_t i, t;
+
+- assert (padded_message_length >= length);
++ /* Message independent branch */
++ if (length + 11 > padded_message_length)
++ return 0;
+
+ t = padded_message_length - length - 1;
+
+diff --git a/testsuite/rsa-sec-decrypt-test.c b/testsuite/rsa-sec-decrypt-test.c
+index fb0ed3a1..3419322e 100644
+--- a/testsuite/rsa-sec-decrypt-test.c
++++ b/testsuite/rsa-sec-decrypt-test.c
+@@ -55,6 +55,7 @@ rsa_decrypt_for_test(const struct rsa_public_key *pub,
+ #endif
+
+ #define PAYLOAD_SIZE 50
++#define DECRYPTED_SIZE 256
+ void
+ test_main(void)
+ {
+@@ -63,7 +64,7 @@ test_main(void)
+ struct knuth_lfib_ctx random_ctx;
+
+ uint8_t plaintext[PAYLOAD_SIZE];
+- uint8_t decrypted[PAYLOAD_SIZE];
++ uint8_t decrypted[DECRYPTED_SIZE];
+ uint8_t verifybad[PAYLOAD_SIZE];
+ unsigned n_size = 1024;
+ mpz_t gibberish;
+@@ -99,6 +100,20 @@ test_main(void)
+ PAYLOAD_SIZE, decrypted, gibberish) == 1);
+ ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted));
+
++ ASSERT (pub.size > 10);
++ ASSERT (pub.size <= DECRYPTED_SIZE);
++
++ /* Check that too large message length is rejected, largest
++ valid size is pub.size - 11. */
++ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
++ (nettle_random_func *) knuth_lfib_random,
++ pub.size - 10, decrypted, gibberish));
++
++ /* This case used to result in arithmetic underflow and a crash. */
++ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
++ (nettle_random_func *) knuth_lfib_random,
++ pub.size, decrypted, gibberish));
++
+ /* bad one */
+ memcpy(decrypted, verifybad, PAYLOAD_SIZE);
+ nettle_mpz_random_size(garbage, &random_ctx,
+--
+GitLab
+
+From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:31:39 +0200
+Subject: [PATCH] Change _rsa_sec_compute_root_tr to take a fix input size.
+
+Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.
+
+(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c)
+---
+ ChangeLog | 17 +++++++++-
+ rsa-decrypt-tr.c | 7 ++---
+ rsa-internal.h | 4 +--
+ rsa-sec-decrypt.c | 9 ++++--
+ rsa-sign-tr.c | 61 +++++++++++++++++-------------------
+ testsuite/rsa-encrypt-test.c | 14 ++++++++-
+ 6 files changed, 69 insertions(+), 43 deletions(-)
+
+diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
+index 0224c0b7..927a8915 100644
+--- a/rsa-decrypt-tr.c
++++ b/rsa-decrypt-tr.c
+@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
+ mp_size_t key_limb_size;
+ int res;
+
+- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++ key_limb_size = mpz_size(pub->n);
+
+ TMP_GMP_ALLOC (m, key_limb_size);
+ TMP_GMP_ALLOC (em, key->size);
++ mpz_limbs_copy(m, gibberish, key_limb_size);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+- mpz_limbs_read(gibberish),
+- mpz_size(gibberish));
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+
+ mpn_get_base256 (em, key->size, m, key_limb_size);
+
+diff --git a/rsa-internal.h b/rsa-internal.h
+index b828e451..f66a7df0 100644
+--- a/rsa-internal.h
++++ b/rsa-internal.h
+@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_private_key *key,
+ mp_limb_t *scratch);
+
+ /* Safe side-channel silent variant, using RSA blinding, and checking the
+- * result after CRT. */
++ * result after CRT. In-place calls, with x == m, is allowed. */
+ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn);
++ mp_limb_t *x, const mp_limb_t *m);
+
+ #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
+diff --git a/rsa-sec-decrypt.c b/rsa-sec-decrypt.c
+index 6866e7c8..fc4757a0 100644
+--- a/rsa-sec-decrypt.c
++++ b/rsa-sec-decrypt.c
+@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
+ TMP_GMP_ALLOC (m, mpz_size(pub->n));
+ TMP_GMP_ALLOC (em, key->size);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+- mpz_limbs_read(gibberish),
+- mpz_size(gibberish));
++ /* We need a copy because m can be shorter than key_size,
++ * but _rsa_sec_compute_root_tr expect all inputs to be
++ * normalized to a key_size long buffer length */
++ mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
++
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+
+ mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+
+diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c
+index f824c4ca..9e137c7a 100644
+--- a/rsa-sign-tr.c
++++ b/rsa-sign-tr.c
+@@ -131,35 +131,34 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn)
++ mp_limb_t *x, const mp_limb_t *m)
+ {
++ mp_size_t nn;
+ mpz_t mz;
+ mpz_t xz;
+ int res;
+
+- mpz_init(mz);
+ mpz_init(xz);
+
+- mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
+- mpz_limbs_finish(mz, mn);
++ nn = mpz_size (pub->n);
+
+- res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
++ res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
++ mpz_roinit_n(mz, m, nn));
+
+ if (res)
+- mpz_limbs_copy(x, xz, mpz_size(pub->n));
++ mpz_limbs_copy(x, xz, nn);
+
+- mpz_clear(mz);
+ mpz_clear(xz);
+ return res;
+ }
+ #else
+ /* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+- returns the inverse (ri), for use by rsa_unblind. */
++ returns the inverse (ri), for use by rsa_unblind. Must have c != m,
++ no in-place operation.*/
+ static void
+ rsa_sec_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m,
+- mp_size_t mn)
++ mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
+ {
+ const mp_limb_t *ep = mpz_limbs_read (pub->e);
+ const mp_limb_t *np = mpz_limbs_read (pub->n);
+@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_key *pub,
+
+ /* c = m*(r^e) mod n */
+ itch = mpn_sec_powm_itch(nn, ebn, nn);
+- i2 = mpn_sec_mul_itch(nn, mn);
++ i2 = mpn_sec_mul_itch(nn, nn);
+ itch = MAX(itch, i2);
+- i2 = mpn_sec_div_r_itch(nn + mn, nn);
++ i2 = mpn_sec_div_r_itch(2*nn, nn);
+ itch = MAX(itch, i2);
+ i2 = mpn_sec_invert_itch(nn);
+ itch = MAX(itch, i2);
+
+- TMP_GMP_ALLOC (tp, nn + mn + itch);
+- scratch = tp + nn + mn;
++ TMP_GMP_ALLOC (tp, 2*nn + itch);
++ scratch = tp + 2*nn;
+
+ /* ri = r^(-1) */
+ do
+@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_key *pub,
+ while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
+
+ mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
+- /* normally mn == nn, but m can be smaller in some cases */
+- mpn_sec_mul (tp, c, nn, m, mn, scratch);
+- mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
++ mpn_sec_mul (tp, c, nn, m, nn, scratch);
++ mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
+ mpn_copyi(c, tp, nn);
+
+ TMP_GMP_FREE (r);
+@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_key *pub,
+ TMP_GMP_FREE (tp);
+ }
+
+-/* m = c ri mod n */
++/* m = c ri mod n. Allows x == c. */
+ static void
+ rsa_sec_unblind (const struct rsa_public_key *pub,
+ mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
+@@ -299,7 +297,7 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn)
++ mp_limb_t *x, const mp_limb_t *m)
+ {
+ TMP_GMP_DECL (c, mp_limb_t);
+ TMP_GMP_DECL (ri, mp_limb_t);
+@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ size_t key_limb_size;
+ int ret;
+
+- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++ key_limb_size = mpz_size(pub->n);
+
+ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+ key is invalid and rejected by rsa_private_key_prepare. However,
+@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ }
+
+ assert(mpz_size(pub->n) == key_limb_size);
+- assert(mn <= key_limb_size);
+
+ TMP_GMP_ALLOC (c, key_limb_size);
+ TMP_GMP_ALLOC (ri, key_limb_size);
+ TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
+
+- rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
++ rsa_sec_blind (pub, random_ctx, random, c, ri, m);
+
+- _rsa_sec_compute_root(key, c, x, scratch);
++ _rsa_sec_compute_root(key, x, c, scratch);
+
+- ret = rsa_sec_check_root(pub, c, x);
++ ret = rsa_sec_check_root(pub, x, c);
+
+- rsa_sec_unblind(pub, x, ri, c);
++ rsa_sec_unblind(pub, x, ri, x);
+
+ cnd_mpn_zero(1 - ret, x, key_limb_size);
+
+@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ mpz_t x, const mpz_t m)
+ {
+ TMP_GMP_DECL (l, mp_limb_t);
++ mp_size_t nn = mpz_size(pub->n);
+ int res;
+
+- mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+- TMP_GMP_ALLOC (l, l_size);
++ TMP_GMP_ALLOC (l, nn);
++ mpz_limbs_copy(l, m, nn);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+- mpz_limbs_read(m), mpz_size(m));
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
+ if (res) {
+- mp_limb_t *xp = mpz_limbs_write (x, l_size);
+- mpn_copyi (xp, l, l_size);
+- mpz_limbs_finish (x, l_size);
++ mp_limb_t *xp = mpz_limbs_write (x, nn);
++ mpn_copyi (xp, l, nn);
++ mpz_limbs_finish (x, nn);
+ }
+
+ TMP_GMP_FREE (l);
+diff --git a/testsuite/rsa-encrypt-test.c b/testsuite/rsa-encrypt-test.c
+index 87525f78..d3bc374b 100644
+--- a/testsuite/rsa-encrypt-test.c
++++ b/testsuite/rsa-encrypt-test.c
+@@ -19,6 +19,7 @@ test_main(void)
+ uint8_t after;
+
+ mpz_t gibberish;
++ mpz_t zero;
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+@@ -101,6 +102,17 @@ test_main(void)
+ ASSERT(decrypted[decrypted_length] == after);
+ ASSERT(decrypted[0] == 'A');
+
++ /* Test zero input. */
++ mpz_init_set_ui (zero, 0);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, zero));
++ ASSERT(decrypted_length == msg_length);
+
+ /* Test invalid key. */
+ mpz_add_ui (key.q, key.q, 2);
+@@ -112,6 +124,6 @@ test_main(void)
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(gibberish);
++ mpz_clear(zero);
+ free(decrypted);
+ }
+-
+--
+GitLab
+
+From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:32:38 +0200
+Subject: [PATCH] Add input check to rsa_decrypt family of functions.
+
+(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe)
+---
+ ChangeLog | 10 +++++++++-
+ rsa-decrypt-tr.c | 4 ++++
+ rsa-decrypt.c | 10 ++++++++++
+ rsa-sec-decrypt.c | 4 ++++
+ rsa.h | 5 +++--
+ testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------
+ 6 files changed, 62 insertions(+), 9 deletions(-)
+
+diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
+index 927a8915..4a9e9d74 100644
+--- a/rsa-decrypt-tr.c
++++ b/rsa-decrypt-tr.c
+@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
+ mp_size_t key_limb_size;
+ int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+ key_limb_size = mpz_size(pub->n);
+
+ TMP_GMP_ALLOC (m, key_limb_size);
+diff --git a/rsa-decrypt.c b/rsa-decrypt.c
+index 7681439d..540d8baa 100644
+--- a/rsa-decrypt.c
++++ b/rsa-decrypt.c
+@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key *key,
+ int res;
+
+ mpz_init(m);
++
++ /* First check that input is in range. Since we don't have the
++ public key available here, we need to reconstruct n. */
++ mpz_mul (m, key->p, key->q);
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
++ {
++ mpz_clear (m);
++ return 0;
++ }
++
+ rsa_compute_root(key, m, gibberish);
+
+ res = pkcs1_decrypt (key->size, m, length, message);
+diff --git a/rsa-sec-decrypt.c b/rsa-sec-decrypt.c
+index fc4757a0..4c98958d 100644
+--- a/rsa-sec-decrypt.c
++++ b/rsa-sec-decrypt.c
+@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
+ TMP_GMP_DECL (em, uint8_t);
+ int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+ TMP_GMP_ALLOC (m, mpz_size(pub->n));
+ TMP_GMP_ALLOC (em, key->size);
+
+diff --git a/rsa.h b/rsa.h
+index 3b10155f..2dd35a2d 100644
+--- a/rsa.h
++++ b/rsa.h
+@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
+ size_t length, uint8_t *message,
+ const mpz_t gibberish);
+
+-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
++/* Compute x, the e:th root of m. Calling it with x == m is allowed.
++ It is required that 0 <= m < n. */
+ void
+ rsa_compute_root(const struct rsa_private_key *key,
+ mpz_t x, const mpz_t m);
+
+ /* Safer variant, using RSA blinding, and checking the result after
+- CRT. */
++ CRT. It is required that 0 <= m < n. */
+ int
+ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+diff --git a/testsuite/rsa-encrypt-test.c b/testsuite/rsa-encrypt-test.c
+index d3bc374b..d1a440f6 100644
+--- a/testsuite/rsa-encrypt-test.c
++++ b/testsuite/rsa-encrypt-test.c
+@@ -19,11 +19,12 @@ test_main(void)
+ uint8_t after;
+
+ mpz_t gibberish;
+- mpz_t zero;
++ mpz_t bad_input;
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+ mpz_init(gibberish);
++ mpz_init(bad_input);
+
+ knuth_lfib_init(&lfib, 17);
+
+@@ -103,15 +104,40 @@ test_main(void)
+ ASSERT(decrypted[0] == 'A');
+
+ /* Test zero input. */
+- mpz_init_set_ui (zero, 0);
++ mpz_set_ui (bad_input, 0);
+ decrypted_length = msg_length;
+- ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+- &decrypted_length, decrypted, zero));
++ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+- decrypted_length, decrypted, zero));
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is slightly larger than n */
++ mpz_add(bad_input, gibberish, pub.n);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is considerably larger than n */
++ mpz_mul_2exp (bad_input, pub.n, 100);
++ mpz_add (bad_input, bad_input, gibberish);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test invalid key. */
+@@ -124,6 +150,6 @@ test_main(void)
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(gibberish);
+- mpz_clear(zero);
++ mpz_clear(bad_input);
+ free(decrypted);
+ }
+--
+GitLab
+
diff --git a/main/zlib/APKBUILD b/main/zlib/APKBUILD
index 989c41687b..ef345c16e0 100644
--- a/main/zlib/APKBUILD
+++ b/main/zlib/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zlib
pkgver=1.2.12
-pkgrel=1
+pkgrel=3
pkgdesc="A compression/decompression Library"
arch="all"
license="Zlib"
@@ -11,8 +11,12 @@ source="https://zlib.net/zlib-$pkgver.tar.gz
Fix-CC-logic-in-configure.patch
configure-Pass-LDFLAGS-to-link-tests.patch
crc32.patch
+ $pkgname-CVE-2022-37434.patch::https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1.patch
+ $pkgname-CVE-2022-37434-bugfix.patch::https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch
"
# secfixes:
+# 1.2.12-r2:
+# - CVE-2022-37434
# 1.2.12-r0:
# - CVE-2018-25032
@@ -41,4 +45,6 @@ cc2366fa45d5dfee1f983c8c51515e0cff959b61471e2e8d24350dea22d3f6fcc50723615a911b04
faa19991e88cbfd624ac9ce4a0ba12e3d7d54f88680b1a0a156a542a45bafe2053d69c6f309327817f7cc74f5765204bbb3c56ff531efd29d8fd6bb682c78598 Fix-CC-logic-in-configure.patch
76179eb7e498aef5bc88c3f826c6f2506a2d3c3a2e2560ef1825bd4a9297d68b0d2390619a4b3b0b2e6dde765431e5fba18fd15fbd1ad99827244f8f9bdbd909 configure-Pass-LDFLAGS-to-link-tests.patch
38f0593a0bc17336d31191b7af684e31ec2eb34bd3add49bcb1f95c5e2bfb4405ffc341c2650d52c4fbf417ab4f80a0cc82fb868c9816b04d25210ae29a71f2c crc32.patch
+13bf48cb15636d77428e7e20d8c72d772eade1e099740f8541b7adee0e789097fa867512b6f3ebcff8496727999f2bf408e38414771c9b4440ad283f4c029558 zlib-CVE-2022-37434.patch
+cadeb0b05da99435c2074cb0d7aebdec2bad1c745856c8ac6ea0f2474ef091d8efeea90deafe13757cbaa465ccfbbb1b8873a8025b24f3145b2a87abb84bac83 zlib-CVE-2022-37434-bugfix.patch
"