Diffstat (limited to 'main')
-rw-r--r--main/alpine-base/APKBUILD2
-rw-r--r--main/ansible/APKBUILD25
-rw-r--r--main/apache2/APKBUILD11
-rw-r--r--main/apk-tools/0001-fetch-fix-error-message-for-recursive.patch29
-rw-r--r--main/apk-tools/APKBUILD23
-rw-r--r--main/axel/APKBUILD23
-rw-r--r--main/axel/CVE-2020-13614.patch223
-rw-r--r--main/bind/CVE-2020-8619.patch545
-rw-r--r--main/bluez/APKBUILD15
-rw-r--r--main/bluez/CVE-2020-0556.patch188
-rw-r--r--main/bluez/CVE-2020-27153.patch95
-rw-r--r--main/busybox/APKBUILD2
-rw-r--r--main/ca-certificates/0003-update-ca-insert-newline-between-certs.patch38
-rw-r--r--main/ca-certificates/APKBUILD15
-rw-r--r--main/chrony/APKBUILD13
-rw-r--r--main/chrony/CVE-2020-14367.patch204
-rw-r--r--main/collectd/APKBUILD2
-rw-r--r--main/cups/APKBUILD11
-rw-r--r--main/cups/CVE-2019-8842.patch13
-rw-r--r--main/cups/CVE-2020-3898.patch14
-rw-r--r--main/curl/APKBUILD29
-rw-r--r--main/curl/CVE-2020-8169.patch21
-rw-r--r--main/curl/CVE-2020-8177.patch50
-rw-r--r--main/curl/CVE-2020-8231.patch123
-rw-r--r--main/cvs/APKBUILD77
-rw-r--r--main/cvs/CVE-2017-12836.patch38
-rw-r--r--main/cvs/cvs-1.12.12-CVE-2012-0804.patch30
-rw-r--r--main/cvs/cvs-1.12.12-block-requests.patch140
-rw-r--r--main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch22
-rw-r--r--main/cvs/cvs-1.12.12-fix-massive-leak.patch52
-rw-r--r--main/cvs/cvs-1.12.12-format-security.patch22
-rw-r--r--main/cvs/cvs-1.12.12-getdelim.patch21
-rw-r--r--main/cvs/cvs-1.12.12-hash-nameclash.patch42
-rw-r--r--main/cvs/cvs-1.12.12-install-sh.patch12
-rw-r--r--main/cvs/cvs-1.12.12-mktime-configure.patch201
-rw-r--r--main/cvs/cvs-1.12.12-mktime-x32.patch29
-rw-r--r--main/cvs/cvs-1.12.12-musl.patch13
-rw-r--r--main/cvs/cvs-1.12.12-openat.patch21
-rw-r--r--main/cvs/cvs-1.12.12-rcs2log-coreutils.patch14
-rw-r--r--main/cvs/cvs-musl.patch27
-rw-r--r--main/cyrus-sasl/APKBUILD8
-rw-r--r--main/cyrus-sasl/CVE-2019-19906.patch15
-rw-r--r--main/dahdi-linux-vanilla/APKBUILD2
-rw-r--r--main/dbus/APKBUILD8
-rw-r--r--main/dbus/CVE-2020-12049.patch103
-rw-r--r--main/devicemaster-linux-vanilla/APKBUILD2
-rw-r--r--main/dnsmasq/APKBUILD8
-rw-r--r--main/dnsmasq/CVE-2019-14834.patch46
-rw-r--r--main/dovecot/APKBUILD21
-rw-r--r--main/dovecot/CVE-2020-12673.patch31
-rw-r--r--main/dovecot/CVE-2020-12674.patch22
-rw-r--r--main/drbd9-vanilla/APKBUILD2
-rw-r--r--main/dropbear/APKBUILD8
-rw-r--r--main/dropbear/CVE-2018-20685.patch23
-rw-r--r--main/e2fsprogs/APKBUILD16
-rw-r--r--main/e2fsprogs/CVE-2019-5188.patch51
-rw-r--r--main/exiv2/APKBUILD10
-rw-r--r--main/exiv2/CVE-2019-17402.patch32
-rw-r--r--main/file/APKBUILD2
-rw-r--r--main/freetds/APKBUILD10
-rw-r--r--main/freetds/CVE-2019-13508.patch30
-rw-r--r--main/freetype/APKBUILD8
-rw-r--r--main/freetype/CVE-2020-15999.patch48
-rw-r--r--main/gd/APKBUILD17
-rw-r--r--main/gd/CVE-2018-14553.patch32
-rw-r--r--main/gd/CVE-2019-11038.patch36
-rw-r--r--main/ghostscript/APKBUILD12
-rw-r--r--main/ghostscript/CVE-2019-14869.patch58
-rw-r--r--main/git/APKBUILD33
-rw-r--r--main/gnupg/APKBUILD6
-rw-r--r--main/gnutls/APKBUILD19
-rw-r--r--main/gnutls/tests-date-compat.patch12
-rw-r--r--main/gst-plugins-base/APKBUILD12
-rw-r--r--main/gst-plugins-base/CVE-2019-9928.patch13
-rw-r--r--main/haproxy/APKBUILD12
-rw-r--r--main/hostapd/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch150
-rw-r--r--main/hostapd/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch59
-rw-r--r--main/hostapd/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch47
-rw-r--r--main/hostapd/APKBUILD29
-rw-r--r--main/hunspell/APKBUILD13
-rw-r--r--main/hunspell/CVE-2019-16707.patch22
-rw-r--r--main/hylafaxplus/APKBUILD12
-rw-r--r--main/hylafaxplus/CVE-2020-15396-CVE-2020-15397.patch68
-rw-r--r--main/icu/APKBUILD8
-rw-r--r--main/icu/CVE-2020-10531.patch106
-rw-r--r--main/imagemagick/APKBUILD4
-rw-r--r--main/iproute2/APKBUILD13
-rw-r--r--main/iproute2/CVE-2019-20795.patch42
-rw-r--r--main/jbig2dec/APKBUILD13
-rw-r--r--main/jbig2dec/CVE-2020-12268.patch44
-rw-r--r--main/json-c/APKBUILD11
-rw-r--r--main/krb5/APKBUILD6
-rw-r--r--main/krb5/CVE-2018-20217.patch72
-rw-r--r--main/krb5/CVE-2020-28196.patch100
-rw-r--r--main/lame/APKBUILD5
-rw-r--r--main/libarchive/APKBUILD8
-rw-r--r--main/libexif/APKBUILD44
-rw-r--r--main/libexif/CVE-2017-7544.patch20
-rw-r--r--main/libjpeg-turbo/APKBUILD8
-rw-r--r--main/libjpeg-turbo/CVE-2019-2201.patch466
-rw-r--r--main/libmspack/APKBUILD11
-rw-r--r--main/libmspack/CVE-2019-1010305.patch39
-rw-r--r--main/librsvg/APKBUILD10
-rw-r--r--main/libseccomp/APKBUILD33
-rw-r--r--main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch36
-rw-r--r--main/libsndfile/APKBUILD2
-rw-r--r--main/libssh/APKBUILD21
-rw-r--r--main/libssh/CVE-2019-14889.patch1957
-rw-r--r--main/libssh/CVE-2020-16135.patch40
-rw-r--r--main/libssh2/APKBUILD2
-rw-r--r--main/libuv/APKBUILD4
-rw-r--r--main/libvirt/APKBUILD14
-rw-r--r--main/libvirt/CVE-2019-20485.patch171
-rw-r--r--main/libvirt/CVE-2020-12430.patch44
-rw-r--r--main/libvorbis/APKBUILD1
-rw-r--r--main/libx11/APKBUILD8
-rw-r--r--main/libxml2/APKBUILD12
-rw-r--r--main/libxml2/CVE-2019-19956.patch33
-rw-r--r--main/libxml2/CVE-2020-24977.patch30
-rw-r--r--main/libxslt/APKBUILD11
-rw-r--r--main/libxslt/CVE-2019-13117.patch29
-rw-r--r--main/libxslt/CVE-2019-13118.patch71
-rw-r--r--main/linux-rpi/APKBUILD6
-rw-r--r--main/linux-vanilla/APKBUILD26
-rw-r--r--main/linux-vanilla/config-vanilla.aarch6412
-rw-r--r--main/linux-vanilla/config-vanilla.armhf16
-rw-r--r--main/linux-vanilla/config-vanilla.ppc3731
-rw-r--r--main/linux-vanilla/config-vanilla.ppc64le11
-rw-r--r--main/linux-vanilla/config-vanilla.s390x5
-rw-r--r--main/linux-vanilla/config-vanilla.x8616
-rw-r--r--main/linux-vanilla/config-vanilla.x86_6416
-rw-r--r--main/linux-vanilla/config-virt.aarch6412
-rw-r--r--main/linux-vanilla/config-virt.x8614
-rw-r--r--main/linux-vanilla/config-virt.x86_6414
-rw-r--r--main/mariadb-connector-c/APKBUILD13
-rw-r--r--main/mariadb-connector-c/CVE-2020-13249.patch154
-rw-r--r--main/mariadb/APKBUILD21
-rw-r--r--main/mcpp/APKBUILD18
-rw-r--r--main/mcpp/CVE-2019-14274.patch52
-rw-r--r--main/mkinitfs/APKBUILD6
-rw-r--r--main/mkinitfs/add-feature-rpirtc.patch44
-rw-r--r--main/musl/APKBUILD10
-rw-r--r--main/musl/wcsnrtombs-cve-2020-28928.diff65
-rw-r--r--main/net-snmp/APKBUILD4
-rw-r--r--main/net-snmp/report-empty-strings-correctly.patch110
-rw-r--r--main/nghttp2/APKBUILD8
-rw-r--r--main/nghttp2/CVE-2020-11080.patch332
-rw-r--r--main/nginx/APKBUILD6
-rw-r--r--main/nginx/CVE-2019-20372.patch28
-rw-r--r--main/ngircd/APKBUILD13
-rw-r--r--main/ngircd/CVE-2020-14148.patch37
-rw-r--r--main/nodejs/APKBUILD35
-rw-r--r--main/nrpe/APKBUILD2
-rw-r--r--main/ntfs-3g/APKBUILD20
-rw-r--r--main/ntfs-3g/CVE-2019-9755.patch62
-rw-r--r--main/oniguruma/APKBUILD23
-rw-r--r--main/openjpeg/APKBUILD25
-rw-r--r--main/openjpeg/CVE-2018-21010.patch179
-rw-r--r--main/openjpeg/CVE-2019-12973.patch152
-rw-r--r--main/openjpeg/CVE-2020-15389.patch39
-rw-r--r--main/openjpeg/CVE-2020-6851.patch29
-rw-r--r--main/openjpeg/CVE-2020-8112.patch43
-rw-r--r--main/openldap/APKBUILD17
-rw-r--r--main/openldap/CVE-2020-12243.patch125
-rw-r--r--main/openldap/CVE-2020-25692.patch27
-rw-r--r--main/openldap/CVE-2020-25709.patch26
-rw-r--r--main/openldap/CVE-2020-25710.patch27
-rw-r--r--main/openssl/APKBUILD22
-rw-r--r--main/openssl/man-section.patch54
-rw-r--r--main/patch/APKBUILD1
-rw-r--r--main/pcre/APKBUILD11
-rw-r--r--main/pcre/CVE-2020-14155.patch31
-rw-r--r--main/perl-datetime-timezone/APKBUILD43
-rw-r--r--main/perl-dbi/APKBUILD25
-rw-r--r--main/perl-mozilla-ca/APKBUILD31
-rw-r--r--main/perl/APKBUILD14
-rw-r--r--main/perl/CVE-2020-10543.patch32
-rw-r--r--main/perl/CVE-2020-10878.patch148
-rw-r--r--main/perl/CVE-2020-12723.patch277
-rw-r--r--main/postgresql/APKBUILD55
-rw-r--r--main/ppp/APKBUILD13
-rw-r--r--main/ppp/fix-bound-check-eap.patch40
-rw-r--r--main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch64
-rw-r--r--main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch33
-rw-r--r--main/putty/APKBUILD11
-rw-r--r--main/py-django/APKBUILD22
-rw-r--r--main/py-django/CVE-2020-24583.patch29
-rw-r--r--main/py-django/CVE-2020-24584.patch30
-rw-r--r--main/python2/APKBUILD16
-rw-r--r--main/python2/CVE-2019-16935.patch92
-rw-r--r--main/python3/APKBUILD8
-rw-r--r--main/python3/CVE-2020-14422.patch74
-rw-r--r--main/ruby/APKBUILD7
-rw-r--r--main/samba/APKBUILD14
-rw-r--r--main/samba/samba-4.9.14-security-2019-10-29.patch539
-rw-r--r--main/samba/samba-4.9.17-security-2020-01-21.patch1662
-rw-r--r--main/screen/APKBUILD13
-rw-r--r--main/screen/CVE-2020-9366.patch42
-rw-r--r--main/sdl/APKBUILD12
-rw-r--r--main/sdl_image/APKBUILD13
-rw-r--r--main/sdl_image/CVE-2019-13616.patch16
-rw-r--r--main/smokeping/APKBUILD3
-rw-r--r--main/spamassassin/APKBUILD7
-rw-r--r--main/spl-vanilla/APKBUILD2
-rw-r--r--main/sprunge/APKBUILD6
-rw-r--r--main/sqlite/APKBUILD20
-rw-r--r--main/sqlite/CVE-2019-19242.patch18
-rw-r--r--main/sqlite/CVE-2019-19244.patch12
-rw-r--r--main/sqlite/CVE-2020-11655.patch24
-rw-r--r--main/squid/APKBUILD22
-rw-r--r--main/sudo/APKBUILD11
-rw-r--r--main/sudo/CVE-2019-14287.patch260
-rw-r--r--main/sudo/CVE-2019-18634.patch98
-rw-r--r--main/tcpdump/APKBUILD48
-rw-r--r--main/tcpdump/CVE-2020-8037.patch63
-rw-r--r--main/tiff/APKBUILD8
-rw-r--r--main/tiff/CVE-2019-6128.patch36
-rw-r--r--main/tzdata/APKBUILD27
-rw-r--r--main/unbound/APKBUILD15
-rw-r--r--main/unbound/CVE-2019-18934.patch218
-rw-r--r--main/unbound/CVE-2020-12662_CVE-2020-12663.patch948
-rw-r--r--main/unzip/APKBUILD36
-rw-r--r--main/unzip/CVE-2019-13232.patch487
-rw-r--r--main/vala/APKBUILD4
-rw-r--r--main/vim/APKBUILD2
-rw-r--r--main/wpa_supplicant/APKBUILD10
-rw-r--r--main/xen/APKBUILD179
-rw-r--r--main/xen/xsa317.patch50
-rw-r--r--main/xen/xsa319.patch27
-rw-r--r--main/xen/xsa320-4.11-1.patch133
-rw-r--r--main/xen/xsa320-4.11-2.patch179
-rw-r--r--main/xen/xsa320-4.11-3.patch57
-rw-r--r--main/xen/xsa321-4.11-1.patch31
-rw-r--r--main/xen/xsa321-4.11-2.patch175
-rw-r--r--main/xen/xsa321-4.11-3.patch82
-rw-r--r--main/xen/xsa321-4.11-4.patch36
-rw-r--r--main/xen/xsa321-4.11-5.patch24
-rw-r--r--main/xen/xsa321-4.11-6.patch91
-rw-r--r--main/xen/xsa321-4.11-7.patch164
-rw-r--r--main/xen/xsa327.patch63
-rw-r--r--main/xen/xsa328-4.11-1.patch118
-rw-r--r--main/xen/xsa328-4.11-2.patch48
-rw-r--r--main/xen/xsa333.patch39
-rw-r--r--main/xen/xsa335-qemu.patch84
-rw-r--r--main/xen/xsa336-4.11.patch256
-rw-r--r--main/xen/xsa337-4.12-1.patch92
-rw-r--r--main/xen/xsa337-4.12-2.patch182
-rw-r--r--main/xen/xsa338.patch42
-rw-r--r--main/xen/xsa339.patch76
-rw-r--r--main/xen/xsa340.patch65
-rw-r--r--main/xen/xsa342-4.13.patch145
-rw-r--r--main/xen/xsa343-4.11-1.patch190
-rw-r--r--main/xen/xsa343-4.11-2.patch290
-rw-r--r--main/xen/xsa343-4.11-3.patch381
-rw-r--r--main/xen/xsa344-4.11-1.patch132
-rw-r--r--main/xen/xsa344-4.11-2.patch203
-rw-r--r--main/xorg-server/APKBUILD18
-rw-r--r--main/xorg-server/CVE-2020-14345.patch178
-rw-r--r--main/xorg-server/CVE-2020-14346.patch31
-rw-r--r--main/xorg-server/CVE-2020-14361.patch31
-rw-r--r--main/xorg-server/CVE-2020-14362.patch65
-rw-r--r--main/xorgproto/APKBUILD3
-rw-r--r--main/xtables-addons-vanilla/APKBUILD2
-rw-r--r--main/zeromq/APKBUILD10
-rw-r--r--main/zfs-vanilla/APKBUILD2
265 files changed, 18169 insertions, 4507 deletions
diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD
index d58bc06fb95..76e68d03a84 100644
--- a/main/alpine-base/APKBUILD
+++ b/main/alpine-base/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-base
-pkgver=3.9.4
+pkgver=3.9.6
pkgrel=0
pkgdesc="Meta package for minimal alpine base"
url="https://alpinelinux.org"
diff --git a/main/ansible/APKBUILD b/main/ansible/APKBUILD
index bddff5733b2..385db4691fc 100644
--- a/main/ansible/APKBUILD
+++ b/main/ansible/APKBUILD
@@ -3,10 +3,10 @@
# Contributor: Takuya Noguchi <takninnovationresearch@gmail.com>
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=ansible
-pkgver=2.7.13
+pkgver=2.7.17
pkgrel=0
pkgdesc="A configuration-management, deployment, task-execution, and multinode orchestration framework"
-url="https://ansible.com"
+url="https://ansible.com/"
arch="noarch"
license="GPL-3.0-or-later"
_py=py3
@@ -14,13 +14,28 @@ depends="python3 $_py-yaml $_py-paramiko $_py-jinja2 $_py-markupsafe $_py-crypto
makedepends="python3-dev py3-setuptools"
options="!check" # not included in release tarball
subpackages="$pkgname-doc"
-source="$pkgname-$pkgver.tar.gz::https://releases.ansible.com/ansible/$pkgname-$pkgver.tar.gz
+source="https://releases.ansible.com/ansible/ansible-$pkgver.tar.gz
add-lxc-container_shell-option.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.7.17-r0:
+# - CVE-2019-3828
+# - CVE-2020-1733
+# - CVE-2020-1737
+# - CVE-2020-1739
+# - CVE-2020-1740
+# - CVE-2020-1746
+# 2.7.16-r0:
+# - CVE-2019-14864
+# - CVE-2019-14904
+# - CVE-2019-14905
+# 2.7.14-r0:
+# - CVE-2019-14846
+# - CVE-2019-14856
+# - CVE-2019-14858
# 2.7.13-r0:
# - CVE-2019-10206
# 2.7.12-r0:
@@ -30,7 +45,7 @@ builddir="$srcdir/$pkgname-$pkgver"
# 2.7.5-r0:
# - CVE-2018-16876
# 2.7.3-r0:
-# - CVE 2018-16859
+# - CVE-2018-16859
# 2.7.1-r0:
# - CVE-2018-16837
# 2.6.3-r0:
@@ -60,5 +75,5 @@ package() {
install -m644 README.rst "$pkgdir"/usr/share/doc/$pkgname
}
-sha512sums="8dc19e5c93a90d43ced6628699d2da42d522a020bb2cdd35ba73f6286998c605852c89250af8696e94aba0080b2fab12761a39c3e2eb86d39c212a198f970652 ansible-2.7.13.tar.gz
+sha512sums="387ee26381d120e8b1a77a5251686831fefb47213dce4a1f0aee714e6c6e2a94f1bf283ef2bcf3d79940552407fff7d86453968f1aa5a866f013d396948ccc0f ansible-2.7.17.tar.gz
e1bd1affec585abf4556d1f2598df2689c2341fc0ddaec3eadc0a9c6df5725b8ab97092771f2c57da6ecaa72ae1bb5e5ccce55db8c4d74bfc785f611dd5b8c32 add-lxc-container_shell-option.patch"
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index b067ad7fb90..259166b50e1 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.41
+pkgver=2.4.46
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
@@ -51,6 +51,13 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.46-r0:
+# - CVE-2020-9490
+# - CVE-2020-11984
+# - CVE-2020-11993
+# 2.4.43-r0:
+# - CVE-2020-1927
+# - CVE-2020-1934
# 2.4.41-r0:
# - CVE-2019-9517
# - CVE-2019-10081
@@ -344,7 +351,7 @@ _lua() {
"$subpkgdir"/usr/lib/apache2/
_load_mods
}
-sha512sums="350cc7dcd2c439e0590338fa6da3f44df44f9bb885c381e91f91b14c2f48597f6f0bbac0ea118a8a67eaa70ae7edbb769beace368643ed73f6daee44c307b335 httpd-2.4.41.tar.bz2
+sha512sums="5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
diff --git a/main/apk-tools/0001-fetch-fix-error-message-for-recursive.patch b/main/apk-tools/0001-fetch-fix-error-message-for-recursive.patch
deleted file mode 100644
index 97a6abe6d5f..00000000000
--- a/main/apk-tools/0001-fetch-fix-error-message-for-recursive.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 947baeea1860a4eb44bb8636e1db295a7bc1d259 Mon Sep 17 00:00:00 2001
-From: Natanael Copa <ncopa@alpinelinux.org>
-Date: Thu, 10 Jan 2019 09:29:35 +0100
-Subject: [PATCH] fetch: fix error message for --recursive
-
-Give error message for `apk fetch --recursive missing`
----
- src/fetch.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/fetch.c b/src/fetch.c
-index e745d84..9a7c46a 100644
---- a/src/fetch.c
-+++ b/src/fetch.c
-@@ -229,8 +229,10 @@ static void mark_name_flags(struct apk_database *db, const char *match, struct a
- if (!IS_ERR_OR_NULL(name)) {
- name->auto_select_virtual = 1;
- apk_deps_add(&ctx->world, &dep);
-- } else
-+ } else {
- ctx->errors++;
-+ mark_error(ctx, match, name);
-+ }
- }
-
- static void mark_names_recursive(struct apk_database *db, struct apk_string_array *args, void *pctx)
---
-2.20.1
-
diff --git a/main/apk-tools/APKBUILD b/main/apk-tools/APKBUILD
index 31191903e2a..1d072c2054f 100644
--- a/main/apk-tools/APKBUILD
+++ b/main/apk-tools/APKBUILD
@@ -1,8 +1,11 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=apk-tools
-pkgver=2.10.3
-pkgrel=1
+pkgver=2.10.6
+pkgrel=0
pkgdesc="Alpine Package Keeper - package manager for alpine"
+arch="all"
+url="https://gitlab.alpinelinux.org/alpine/apk-tools"
+license=GPL2
subpackages="$pkgname-static"
depends=
makedepends_build="openssl"
@@ -12,15 +15,9 @@ if [ "$CBUILD" = "$CHOST" ]; then
subpackages="$subpackages lua5.2-apk:luaapk"
makedepends="$makedepends lua5.2-dev"
fi
-source="https://dev.alpinelinux.org/archive/$pkgname/$pkgname-$pkgver.tar.xz
- 0001-fetch-fix-error-message-for-recursive.patch
- "
-
-url="https://git.alpinelinux.org/cgit/apk-tools/"
-arch="all"
-license=GPL2
+source="https://gitlab.alpinelinux.org/alpine/$pkgname/-/archive/v$pkgver/$pkgname-v$pkgver.tar.gz"
+builddir="$srcdir/$pkgname-v$pkgver"
-builddir="$srcdir/$pkgname-$pkgver"
prepare() {
default_prepare || return 1
cd "$builddir"
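Review bot: The new `source=` entry downloads `/-/archive/v$pkgver/$pkgname-v$pkgver.tar.gz`, an archive the forge generates from the tag rather than a tarball published by the project, and nothing in the APKBUILD says so. The sha512sums entry added at the end of the file still pins the content, but a generated archive may come back with different bytes after a server-side change. The usual reaction to a mismatch is to re-run `abuild checksum`, which would accept whatever was served. A comment above `source=` such as `# forge-generated archive: on checksum mismatch, diff against the v$pkgver tag before updating sha512sums` would record that. prepare() continues outside the hunk.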
@@ -32,6 +29,7 @@ prepare() {
echo "LUAAPK=" >> config.mk
fi
echo "export LUAAPK" >> config.mk
+ echo "export LUA_VERSION=5.2" >> config.mk
}
build() {
@@ -59,7 +57,7 @@ package() {
static() {
pkgdesc="Alpine Package Keeper - static binary"
- install -Dm755 "$srcdir"/$pkgname-$pkgver/src/apk.static \
+ install -Dm755 "$builddir"/src/apk.static \
"$subpkgdir"/sbin/apk.static
# lets sign the static binary so it can be vefified from distros
@@ -83,5 +81,4 @@ luaapk() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/lib/
}
-sha512sums="1b190cfd04c69369bd4f2b708d4df0f8cf2937e1580c95138fd2c2257e7604d015deaca10a9fe0da6742981caadb6b067c15e417a1951866f781b8a5c71c98ee apk-tools-2.10.3.tar.xz
-0fe8d05d6d1c3f6ed5c86d5a5a9aca4fd5246579ed346adb990b8fba6dcac0033056a655181659b4e12a8c934d27df512d29e4e134889a4eafcfbf80e60da2a5 0001-fetch-fix-error-message-for-recursive.patch"
+sha512sums="81e51fdaf7976d589c847850dc3494a6bb91847f14a756e1dd9afe7f526b672e6aab743965506ef89e3229084bc92c9041a49796b400f454a2c912efebd44b4f apk-tools-v2.10.6.tar.gz"
diff --git a/main/axel/APKBUILD b/main/axel/APKBUILD
index 0e963192828..373726aa57a 100644
--- a/main/axel/APKBUILD
+++ b/main/axel/APKBUILD
@@ -2,18 +2,32 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=axel
pkgver=2.16.1
-pkgrel=2
+pkgrel=3
pkgdesc="A multiple-connection concurrent downloader"
url="https://github.com/axel-download-accelerator/axel"
arch="all"
options="!check" # has no checks
license="GPL-2.0-or-later"
-makedepends="openssl-dev"
+makedepends="openssl-dev automake autoconf libtool gettext-dev"
subpackages="$pkgname-doc"
-source="$url/releases/download/v$pkgver/axel-$pkgver.tar.xz"
+source="$url/releases/download/v$pkgver/axel-$pkgver.tar.xz
+ CVE-2020-13614.patch
+ "
+
+# secfixes:
+# 2.16.1-r3:
+# - CVE-2020-13614
builddir="$srcdir/$pkgname-$pkgver"
+prepare() {
+ default_prepare
+
+ # We need to regenerate the configure script because the CVE-2020-13614
+ # modifies src/Makefile.am
+ autoreconf -fi
+}
+
build() {
cd "$builddir"
./configure \
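Review bot: The added prepare() runs `autoreconf -fi` without first changing into `$builddir`, while build() in this same file still does `cd "$builddir"`. Whether it regenerates the right tree therefore depends on the working directory that abuild and default_prepare leave behind, which the hunk does not show. Adding `cd "$builddir"` before `autoreconf -fi` makes this explicit and matches build(). The comment above it is also missing a word; `# Regenerate the build system: CVE-2020-13614.patch adds ssl_verify.c to src/Makefile.am` says what the patch actually changes. build() continues outside the hunk.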
@@ -32,4 +46,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="a263b6926acb6acf16353d0d02464d48ad89c18dd3328b84273c26cdb23cb7323084a8204a5c6ad163ad5352136cb1709c6734d4fec9bc1c514174dbbb3c5dab axel-2.16.1.tar.xz"
+sha512sums="a263b6926acb6acf16353d0d02464d48ad89c18dd3328b84273c26cdb23cb7323084a8204a5c6ad163ad5352136cb1709c6734d4fec9bc1c514174dbbb3c5dab axel-2.16.1.tar.xz
+b5365d6ccb3453d4e1d70e8cf734e9d6723e412904427d8bbee5e409511864c7a9970343c9a9c9cbfb86032a54ab78579ca180094e18f4b53028116b669b4cb5 CVE-2020-13614.patch"
diff --git a/main/axel/CVE-2020-13614.patch b/main/axel/CVE-2020-13614.patch
new file mode 100644
index 00000000000..f23b705e16a
--- /dev/null
+++ b/main/axel/CVE-2020-13614.patch
@@ -0,0 +1,223 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 6269979..a56b4dd 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -14,6 +14,7 @@ axel_SOURCES = \
+ search.c \
+ search.h \
+ ssl.c \
++ ssl_verify.c \
+ ssl.h \
+ tcp.c \
+ tcp.h \
+diff --git a/src/ssl.c b/src/ssl.c
+index c05f238..0859b76 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -70,7 +70,7 @@ ssl_startup(void)
+ SSL *
+ ssl_connect(int fd, char *hostname, char *message)
+ {
+-
++ X509 *server_cert;
+ SSL_CTX *ssl_ctx;
+ SSL *ssl;
+
+@@ -91,9 +91,33 @@ ssl_connect(int fd, char *hostname, char *message)
+ if (err <= 0) {
+ sprintf(message, _("SSL error: %s\n"),
+ ERR_reason_error_string(ERR_get_error()));
++ SSL_CTX_free(ssl_ctx);
++ return NULL;
++ }
++
++ err = SSL_get_verify_result(ssl);
++ if (err != X509_V_OK) {
++ fprintf(stderr, _("SSL error: Certificate error"));
++ SSL_CTX_free(ssl_ctx);
+ return NULL;
+ }
+
++ server_cert = SSL_get_peer_certificate(ssl);
++ if (server_cert == NULL) {
++ fprintf(stderr, _("SSL error: Certificate not found"));
++ SSL_CTX_free(ssl_ctx);
++ return NULL;
++ }
++
++ if (!ssl_validate_hostname(hostname, server_cert)) {
++ fprintf(stderr, _("SSL error: Hostname verification failed"));
++ X509_free(server_cert);
++ SSL_CTX_free(ssl_ctx);
++ return NULL;
++ }
++
++ X509_free(server_cert);
++
+ return ssl;
+ }
+
+diff --git a/src/ssl.h b/src/ssl.h
+index cc00eaf..64fb933 100644
+--- a/src/ssl.h
++++ b/src/ssl.h
+@@ -44,5 +44,6 @@
+ void ssl_init(conf_t *conf);
+ SSL *ssl_connect(int fd, char *hostname, char *message);
+ void ssl_disconnect(SSL *ssl);
++bool ssl_validate_hostname(const char *hostname, const X509 *server_cert);
+
+ #endif /* AXEL_SSL_H */
+diff --git a/src/ssl_verify.c b/src/ssl_verify.c
+new file mode 100644
+index 0000000..8a67a3c
+--- /dev/null
++++ b/src/ssl_verify.c
+@@ -0,0 +1,147 @@
++/*
++ Helper functions to perform basic hostname validation using OpenSSL.
++
++ Author: Alban Diquet
++ Copyright (C) 2012, iSEC Partners.
++
++ Permission is hereby granted, free of charge, to any person obtaining a copy of
++ this software and associated documentation files (the "Software"), to deal in
++ the Software without restriction, including without limitation the rights to
++ use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
++ of the Software, and to permit persons to whom the Software is furnished to do
++ so, subject to the following conditions:
++
++ The above copyright notice and this permission notice shall be included in all
++ copies or substantial portions of the Software.
++
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++ SOFTWARE.
++ */
++
++#include "axel.h"
++
++#ifdef HAVE_SSL
++
++#include <openssl/ssl.h>
++#include <openssl/x509v3.h>
++
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++#define ASN1_STRING_data_compat ASN1_STRING_data
++#else
++#define ASN1_STRING_data_compat ASN1_STRING_get0_data
++#endif
++
++typedef enum {
++ MatchFound,
++ MatchNotFound,
++ NoSANPresent,
++ MalformedCertificate,
++ Error
++} validate_result;
++
++static validate_result
++ssl_matches_common_name(const char *hostname, const X509 *server_cert)
++{
++ int common_name_loc = -1;
++ X509_NAME_ENTRY *common_name_entry = NULL;
++ ASN1_STRING *common_name_asn1 = NULL;
++ char *common_name_str = NULL;
++
++ // Find the position of the CN field in the Subject field of the certificate
++ common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
++ if (common_name_loc < 0) {
++ return Error;
++ }
++
++ // Extract the CN field
++ common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
++ if (common_name_entry == NULL) {
++ return Error;
++ }
++
++ // Convert the CN field to a C string
++ common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
++ if (common_name_asn1 == NULL) {
++ return Error;
++ }
++ common_name_str = (char *) ASN1_STRING_data_compat(common_name_asn1);
++
++ // Make sure there isn't an embedded NUL character in the CN
++ if ((size_t) ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
++ return MalformedCertificate;
++ }
++
++ // Compare expected hostname with the CN
++ if (strcasecmp(hostname, common_name_str) == 0) {
++ return MatchFound;
++ } else {
++ return MatchNotFound;
++ }
++}
++
++static validate_result
++ssl_matches_subject_alternative_name(const char *hostname, const X509 *server_cert)
++{
++ validate_result result = MatchNotFound;
++ int i;
++ int san_names_nb = -1;
++ STACK_OF(GENERAL_NAME) *san_names = NULL;
++
++ // Try to extract the names within the SAN extension from the certificate
++ san_names = X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL);
++ if (san_names == NULL) {
++ return NoSANPresent;
++ }
++ san_names_nb = sk_GENERAL_NAME_num(san_names);
++
++ // Check each name within the extension
++ for (i = 0; i < san_names_nb; i++) {
++ const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
++
++ if (current_name->type == GEN_DNS) {
++ // Current name is a DNS name, let's check it
++ char *dns_name = (char *) ASN1_STRING_data_compat(current_name->d.dNSName);
++
++ // Make sure there isn't an embedded NUL character in the DNS name
++ if ((size_t) ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
++ result = MalformedCertificate;
++ break;
++ } else {
++ // Compare expected hostname with the DNS name
++ if (strcasecmp(hostname, dns_name) == 0) {
++ result = MatchFound;
++ break;
++ }
++ }
++ }
++ }
++ sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
++
++ return result;
++}
++
++bool
++ssl_validate_hostname(const char *hostname, const X509 *server_cert)
++{
++ validate_result result;
++
++ if ((hostname == NULL) || (server_cert == NULL)) {
++ return false;
++ }
++
++ // First try the Subject Alternative Names extension
++ result = ssl_matches_subject_alternative_name(hostname, server_cert);
++ if (result == NoSANPresent) {
++ // Extension was not found: try the Common Name
++ result = ssl_matches_common_name(hostname, server_cert);
++ }
++
++ return result == MatchFound;
++}
++
++#endif /* HAVE_SSL */
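Review bot: The three failure branches added to ssl_connect() in src/ssl.c release `ssl_ctx` but not the `ssl` object, and they print to stderr without a newline instead of filling `message` as the SSL_connect failure branch above them does. A caller that reports `message` would then show nothing for a certificate or hostname failure. Assuming `ssl` comes from SSL_new() earlier in the function (outside the embedded hunk), each branch should also call `SSL_free(ssl);` and report through `sprintf(message, _("SSL error: Hostname verification failed\n"));` in place of the fprintf. Separately, ssl_verify.c compares names with `strcasecmp`, so wildcard SAN entries and IP-address SANs never match. That fails closed, but OpenSSL 1.0.2 and later provide `X509_check_host(server_cert, hostname, 0, 0, NULL) == 1`, which could replace the hand-written matching.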
diff --git a/main/bind/CVE-2020-8619.patch b/main/bind/CVE-2020-8619.patch
new file mode 100644
index 00000000000..e6d305bdb84
--- /dev/null
+++ b/main/bind/CVE-2020-8619.patch
@@ -0,0 +1,545 @@
+From 569cc155b8680d8ed12db1fabbe20947db24a0f9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 2 Jun 2020 12:38:40 +1000
+Subject: [PATCH] Remove INSIST from from new_reference
+
+RBTDB node can now appear on the deadnodes lists following the changes
+to decrement_reference in 176b23b6cd98e5b58f832902fdbe964ee5f762d0 to
+defer checking of node->down when the tree write lock is not held. The
+node should be unlinked instead.
+---
+ lib/dns/rbtdb.c | 173 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 100 insertions(+), 73 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index bfe3538a59..87fbdb317b 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -1858,8 +1858,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+ * Caller must be holding the node lock.
+ */
+ static inline void
+-new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+- INSIST(!ISC_LINK_LINKED(node, deadlink));
++new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
++ isc_rwlocktype_t locktype) {
++ if (locktype == isc_rwlocktype_write && ISC_LINK_LINKED(node, deadlink))
++ {
++ ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node,
++ deadlink);
++ }
+ if (isc_refcount_increment0(&node->references) == 0) {
+ /* this is the first reference to the node */
+ isc_refcount_increment0(
+@@ -1877,13 +1882,14 @@ is_leaf(dns_rbtnode_t *node) {
+ }
+
+ static inline void
+-send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
++send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
++ isc_rwlocktype_t locktype) {
+ isc_event_t *ev;
+ dns_db_t *db;
+
+ ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE,
+ prune_tree, node, sizeof(isc_event_t));
+- new_reference(rbtdb, node);
++ new_reference(rbtdb, node, locktype);
+ db = NULL;
+ attach((dns_db_t *)rbtdb, &db);
+ ev->ev_sender = db;
+@@ -1919,7 +1925,7 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
+ node->data == NULL);
+
+ if (is_leaf(node) && rbtdb->task != NULL) {
+- send_to_prune_tree(rbtdb, node);
++ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
+ } else if (node->down == NULL && node->data == NULL) {
+ /*
+ * Not a interior node and not needing to be
+@@ -1987,7 +1993,7 @@ reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ }
+ }
+
+- new_reference(rbtdb, node);
++ new_reference(rbtdb, node, locktype);
+
+ NODE_UNLOCK(nodelock, locktype);
+ }
+@@ -2122,15 +2128,17 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ * periodic walk-through).
+ */
+ if (!pruning && is_leaf(node) && rbtdb->task != NULL) {
+- send_to_prune_tree(rbtdb, node);
++ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
+ no_reference = false;
+ } else {
+ delete_node(rbtdb, node);
+ }
+ } else {
+ INSIST(node->data == NULL);
+- INSIST(!ISC_LINK_LINKED(node, deadlink));
+- ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink);
++ if (!ISC_LINK_LINKED(node, deadlink)) {
++ ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node,
++ deadlink);
++ }
+ }
+
+ restore_locks:
+@@ -2200,16 +2208,13 @@ prune_tree(isc_task_t *task, isc_event_t *event) {
+
+ /*
+ * We need to gain a reference to the node before
+- * decrementing it in the next iteration. In addition,
+- * if the node is in the dead-nodes list, extract it
+- * from the list beforehand as we do in
+- * reactivate_node().
++ * decrementing it in the next iteration.
+ */
+ if (ISC_LINK_LINKED(parent, deadlink)) {
+ ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
+ parent, deadlink);
+ }
+- new_reference(rbtdb, parent);
++ new_reference(rbtdb, parent, isc_rwlocktype_write);
+ } else {
+ parent = NULL;
+ }
+@@ -2976,7 +2981,7 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+ * We increment the reference count on node to ensure that
+ * search->zonecut_rdataset will still be valid later.
+ */
+- new_reference(search->rbtdb, node);
++ new_reference(search->rbtdb, node, isc_rwlocktype_read);
+ search->zonecut = node;
+ search->zonecut_rdataset = found;
+ search->need_cleanup = true;
+@@ -3028,7 +3033,8 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+
+ static inline void
+ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header,
+- isc_stdtime_t now, dns_rdataset_t *rdataset) {
++ isc_stdtime_t now, isc_rwlocktype_t locktype,
++ dns_rdataset_t *rdataset) {
+ unsigned char *raw; /* RDATASLAB */
+
+ /*
+@@ -3043,7 +3049,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header,
+ return;
+ }
+
+- new_reference(rbtdb, node);
++ new_reference(rbtdb, node, locktype);
+
+ INSIST(rdataset->methods == NULL); /* We must be disassociated. */
+
+@@ -3148,12 +3154,12 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
+ NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+ isc_rwlocktype_read);
+ bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
+- search->now, rdataset);
++ search->now, isc_rwlocktype_read, rdataset);
+ if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
+ {
+ bind_rdataset(search->rbtdb, node,
+ search->zonecut_sigrdataset, search->now,
+- sigrdataset);
++ isc_rwlocktype_read, sigrdataset);
+ }
+ NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+ isc_rwlocktype_read);
+@@ -3818,18 +3824,21 @@ again:
+ foundname, NULL);
+ if (result == ISC_R_SUCCESS) {
+ if (nodep != NULL) {
+- new_reference(search->rbtdb,
+- node);
++ new_reference(
++ search->rbtdb, node,
++ isc_rwlocktype_read);
+ *nodep = node;
+ }
+ bind_rdataset(search->rbtdb, node,
+ found, search->now,
++ isc_rwlocktype_read,
+ rdataset);
+ if (foundsig != NULL) {
+- bind_rdataset(search->rbtdb,
+- node, foundsig,
+- search->now,
+- sigrdataset);
++ bind_rdataset(
++ search->rbtdb, node,
++ foundsig, search->now,
++ isc_rwlocktype_read,
++ sigrdataset);
+ }
+ }
+ } else if (found == NULL && foundsig == NULL) {
+@@ -4114,7 +4123,8 @@ found:
+ * ensure that search->zonecut_rdataset will
+ * still be valid later.
+ */
+- new_reference(search.rbtdb, node);
++ new_reference(search.rbtdb, node,
++ isc_rwlocktype_read);
+ search.zonecut = node;
+ search.zonecut_rdataset = header;
+ search.zonecut_sigrdataset = NULL;
+@@ -4292,7 +4302,7 @@ found:
+ goto node_exit;
+ }
+ if (nodep != NULL) {
+- new_reference(search.rbtdb, node);
++ new_reference(search.rbtdb, node, isc_rwlocktype_read);
+ *nodep = node;
+ }
+ if ((search.rbtversion->secure == dns_db_secure &&
+@@ -4300,10 +4310,10 @@ found:
+ (search.options & DNS_DBFIND_FORCENSEC) != 0)
+ {
+ bind_rdataset(search.rbtdb, node, nsecheader, 0,
+- rdataset);
++ isc_rwlocktype_read, rdataset);
+ if (nsecsig != NULL) {
+ bind_rdataset(search.rbtdb, node, nsecsig, 0,
+- sigrdataset);
++ isc_rwlocktype_read, sigrdataset);
+ }
+ }
+ if (wild) {
+@@ -4376,7 +4386,7 @@ found:
+
+ if (nodep != NULL) {
+ if (!at_zonecut) {
+- new_reference(search.rbtdb, node);
++ new_reference(search.rbtdb, node, isc_rwlocktype_read);
+ } else {
+ search.need_cleanup = false;
+ }
+@@ -4384,10 +4394,11 @@ found:
+ }
+
+ if (type != dns_rdatatype_any) {
+- bind_rdataset(search.rbtdb, node, found, 0, rdataset);
++ bind_rdataset(search.rbtdb, node, found, 0, isc_rwlocktype_read,
++ rdataset);
+ if (foundsig != NULL) {
+ bind_rdataset(search.rbtdb, node, foundsig, 0,
+- sigrdataset);
++ isc_rwlocktype_read, sigrdataset);
+ }
+ }
+
+@@ -4570,8 +4581,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+ * We increment the reference count on node to ensure that
+ * search->zonecut_rdataset will still be valid later.
+ */
+- new_reference(search->rbtdb, node);
+- INSIST(!ISC_LINK_LINKED(node, deadlink));
++ new_reference(search->rbtdb, node, locktype);
+ search->zonecut = node;
+ search->zonecut_rdataset = dname_header;
+ search->zonecut_sigrdataset = sigdname_header;
+@@ -4679,14 +4689,15 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
+ }
+ result = DNS_R_DELEGATION;
+ if (nodep != NULL) {
+- new_reference(search->rbtdb, node);
++ new_reference(search->rbtdb, node, locktype);
+ *nodep = node;
+ }
+ bind_rdataset(search->rbtdb, node, found, search->now,
+- rdataset);
++ locktype, rdataset);
+ if (foundsig != NULL) {
+ bind_rdataset(search->rbtdb, node, foundsig,
+- search->now, sigrdataset);
++ search->now, locktype,
++ sigrdataset);
+ }
+ if (need_headerupdate(found, search->now) ||
+ (foundsig != NULL &&
+@@ -4795,13 +4806,13 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
+ if (result != ISC_R_SUCCESS) {
+ goto unlock_node;
+ }
+- bind_rdataset(search->rbtdb, node, found, now,
++ bind_rdataset(search->rbtdb, node, found, now, locktype,
+ rdataset);
+ if (foundsig != NULL) {
+ bind_rdataset(search->rbtdb, node, foundsig,
+- now, sigrdataset);
++ now, locktype, sigrdataset);
+ }
+- new_reference(search->rbtdb, node);
++ new_reference(search->rbtdb, node, locktype);
+ *nodep = node;
+ result = DNS_R_COVERINGNSEC;
+ } else if (!empty_node) {
+@@ -5026,18 +5037,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+ if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0 &&
+ nsecheader != NULL) {
+ if (nodep != NULL) {
+- new_reference(search.rbtdb, node);
+- INSIST(!ISC_LINK_LINKED(node, deadlink));
++ new_reference(search.rbtdb, node, locktype);
+ *nodep = node;
+ }
+ bind_rdataset(search.rbtdb, node, nsecheader,
+- search.now, rdataset);
++ search.now, locktype, rdataset);
+ if (need_headerupdate(nsecheader, search.now)) {
+ update = nsecheader;
+ }
+ if (nsecsig != NULL) {
+ bind_rdataset(search.rbtdb, node, nsecsig,
+- search.now, sigrdataset);
++ search.now, locktype,
++ sigrdataset);
+ if (need_headerupdate(nsecsig, search.now)) {
+ updatesig = nsecsig;
+ }
+@@ -5052,18 +5063,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+ */
+ if (nsheader != NULL) {
+ if (nodep != NULL) {
+- new_reference(search.rbtdb, node);
+- INSIST(!ISC_LINK_LINKED(node, deadlink));
++ new_reference(search.rbtdb, node, locktype);
+ *nodep = node;
+ }
+ bind_rdataset(search.rbtdb, node, nsheader, search.now,
+- rdataset);
++ locktype, rdataset);
+ if (need_headerupdate(nsheader, search.now)) {
+ update = nsheader;
+ }
+ if (nssig != NULL) {
+ bind_rdataset(search.rbtdb, node, nssig,
+- search.now, sigrdataset);
++ search.now, locktype,
++ sigrdataset);
+ if (need_headerupdate(nssig, search.now)) {
+ updatesig = nssig;
+ }
+@@ -5084,8 +5095,7 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+ */
+
+ if (nodep != NULL) {
+- new_reference(search.rbtdb, node);
+- INSIST(!ISC_LINK_LINKED(node, deadlink));
++ new_reference(search.rbtdb, node, locktype);
+ *nodep = node;
+ }
+
+@@ -5117,13 +5127,14 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+ if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN ||
+ result == DNS_R_NCACHENXRRSET)
+ {
+- bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
++ bind_rdataset(search.rbtdb, node, found, search.now, locktype,
++ rdataset);
+ if (need_headerupdate(found, search.now)) {
+ update = found;
+ }
+ if (!NEGATIVE(found) && foundsig != NULL) {
+ bind_rdataset(search.rbtdb, node, foundsig, search.now,
+- sigrdataset);
++ locktype, sigrdataset);
+ if (need_headerupdate(foundsig, search.now)) {
+ updatesig = foundsig;
+ }
+@@ -5282,15 +5293,15 @@ cache_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+ }
+
+ if (nodep != NULL) {
+- new_reference(search.rbtdb, node);
+- INSIST(!ISC_LINK_LINKED(node, deadlink));
++ new_reference(search.rbtdb, node, locktype);
+ *nodep = node;
+ }
+
+- bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
++ bind_rdataset(search.rbtdb, node, found, search.now, locktype,
++ rdataset);
+ if (foundsig != NULL) {
+ bind_rdataset(search.rbtdb, node, foundsig, search.now,
+- sigrdataset);
++ locktype, sigrdataset);
+ }
+
+ if (need_headerupdate(found, search.now) ||
+@@ -5653,10 +5664,11 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ }
+ }
+ if (found != NULL) {
+- bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
++ bind_rdataset(rbtdb, rbtnode, found, now, isc_rwlocktype_read,
++ rdataset);
+ if (foundsig != NULL) {
+ bind_rdataset(rbtdb, rbtnode, foundsig, now,
+- sigrdataset);
++ isc_rwlocktype_read, sigrdataset);
+ }
+ }
+
+@@ -5747,9 +5759,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ }
+ }
+ if (found != NULL) {
+- bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
++ bind_rdataset(rbtdb, rbtnode, found, now, locktype, rdataset);
+ if (!NEGATIVE(found) && foundsig != NULL) {
+- bind_rdataset(rbtdb, rbtnode, foundsig, now,
++ bind_rdataset(rbtdb, rbtnode, foundsig, now, locktype,
+ sigrdataset);
+ }
+ }
+@@ -5917,6 +5929,9 @@ resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) {
+ return (result);
+ }
+
++/*
++ * node write lock must be held.
++ */
+ static void
+ resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+ rdatasetheader_t *header) {
+@@ -5928,7 +5943,8 @@ resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+ header->heap_index);
+ header->heap_index = 0;
+ if (version != NULL) {
+- new_reference(rbtdb, header->node);
++ new_reference(rbtdb, header->node,
++ isc_rwlocktype_write);
+ ISC_LIST_APPEND(version->resigned_list, header, link);
+ }
+ }
+@@ -5959,6 +5975,9 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
+ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+ }
+
++/*
++ * write lock on rbtnode must be held.
++ */
+ static isc_result_t
+ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ rbtdb_version_t *rbtversion, rdatasetheader_t *newheader,
+@@ -6085,9 +6104,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ free_rdataset(rbtdb, rbtdb->common.mctx,
+ newheader);
+ if (addedrdataset != NULL) {
+- bind_rdataset(rbtdb, rbtnode,
+- topheader, now,
+- addedrdataset);
++ bind_rdataset(
++ rbtdb, rbtnode,
++ topheader, now,
++ isc_rwlocktype_write,
++ addedrdataset);
+ }
+ return (DNS_R_UNCHANGED);
+ }
+@@ -6147,6 +6168,7 @@ find_header:
+ free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+ if (addedrdataset != NULL) {
+ bind_rdataset(rbtdb, rbtnode, header, now,
++ isc_rwlocktype_write,
+ addedrdataset);
+ }
+ return (DNS_R_UNCHANGED);
+@@ -6258,6 +6280,7 @@ find_header:
+ free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+ if (addedrdataset != NULL) {
+ bind_rdataset(rbtdb, rbtnode, header, now,
++ isc_rwlocktype_write,
+ addedrdataset);
+ }
+ return (ISC_R_SUCCESS);
+@@ -6307,6 +6330,7 @@ find_header:
+ free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+ if (addedrdataset != NULL) {
+ bind_rdataset(rbtdb, rbtnode, header, now,
++ isc_rwlocktype_write,
+ addedrdataset);
+ }
+ return (ISC_R_SUCCESS);
+@@ -6504,7 +6528,8 @@ find_header:
+ }
+
+ if (addedrdataset != NULL) {
+- bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset);
++ bind_rdataset(rbtdb, rbtnode, newheader, now,
++ isc_rwlocktype_write, addedrdataset);
+ }
+
+ return (ISC_R_SUCCESS);
+@@ -7045,13 +7070,15 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ }
+
+ if (result == ISC_R_SUCCESS && newrdataset != NULL) {
+- bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
++ bind_rdataset(rbtdb, rbtnode, newheader, 0,
++ isc_rwlocktype_write, newrdataset);
+ }
+
+ if (result == DNS_R_NXRRSET && newrdataset != NULL &&
+ (options & DNS_DBSUB_WANTOLD) != 0)
+ {
+- bind_rdataset(rbtdb, rbtnode, header, 0, newrdataset);
++ bind_rdataset(rbtdb, rbtnode, header, 0, isc_rwlocktype_write,
++ newrdataset);
+ }
+
+ unlock:
+@@ -7929,8 +7956,7 @@ getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+ /* Note that the access to origin_node doesn't require a DB lock */
+ onode = (dns_rbtnode_t *)rbtdb->origin_node;
+ if (onode != NULL) {
+- new_reference(rbtdb, onode);
+-
++ new_reference(rbtdb, onode, isc_rwlocktype_none);
+ *nodep = rbtdb->origin_node;
+ } else {
+ INSIST(IS_CACHE(rbtdb));
+@@ -8123,7 +8149,8 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *foundname) {
+ * Found something; pass back the answer and unlock
+ * the bucket.
+ */
+- bind_rdataset(rbtdb, header->node, header, 0, rdataset);
++ bind_rdataset(rbtdb, header->node, header, 0,
++ isc_rwlocktype_read, rdataset);
+
+ if (foundname != NULL) {
+ dns_rbt_fullnamefromnode(header->node, foundname);
+@@ -9130,7 +9157,7 @@ rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+ isc_rwlocktype_read);
+
+ bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
+- rdataset);
++ isc_rwlocktype_read, rdataset);
+
+ NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+ isc_rwlocktype_read);
+@@ -9585,7 +9612,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+ result = ISC_R_SUCCESS;
+ }
+
+- new_reference(rbtdb, node);
++ new_reference(rbtdb, node, isc_rwlocktype_none);
+
+ *nodep = rbtdbiter->node;
+
+@@ -10498,7 +10525,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked,
+ * We first need to gain a new reference to the node to meet a
+ * requirement of decrement_reference().
+ */
+- new_reference(rbtdb, header->node);
++ new_reference(rbtdb, header->node, isc_rwlocktype_write);
+ decrement_reference(rbtdb, header->node, 0,
+ isc_rwlocktype_write,
+ tree_locked ? isc_rwlocktype_write
+--
+GitLab
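Review bot: Nothing in this range appears to wire CVE-2020-8619.patch into the bind package: the diffstat shows no change to main/bind/APKBUILD. Please confirm that the patch is listed in `source=` with a matching `sha512sums` line and that a `# secfixes:` entry for CVE-2020-8619 exists under the new pkgrel. A patch file that is not in `source=` is never applied, and the package would still ship the `INSIST(!ISC_LINK_LINKED(node, deadlink))` that this patch removes. Inside the patch, the comment above `new_reference()` still reads `Caller must be holding the node lock.` although `getoriginnode()` and `dbiterator_current()` now pass `isc_rwlocktype_none`. A line such as `* 'locktype' is the node lock mode held by the caller; the node is taken off the deadnodes list only under isc_rwlocktype_write.` would document the new parameter.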
diff --git a/main/bluez/APKBUILD b/main/bluez/APKBUILD
index 83432cadc77..e431f069e5c 100644
--- a/main/bluez/APKBUILD
+++ b/main/bluez/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bluez
pkgver=5.50
-pkgrel=0
+pkgrel=2
pkgdesc="Tools for the Bluetooth protocol stack"
url="http://www.bluez.org/"
arch="all"
@@ -24,9 +24,17 @@ source="https://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz
bluez-5.40-obexd_without_systemd-1.patch
disable-lock-test.patch
fix-endianness.patch
+ CVE-2020-0556.patch
+ CVE-2020-27153.patch
"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 5.50-r2:
+# - CVE-2020-27153
+# 5.50-r1:
+# - CVE-2020-0556
+
build() {
cd "$builddir"
./configure \
@@ -110,7 +118,6 @@ obexd() {
mkdir -p "$subpkgdir"/usr/lib/bluetooth
mv "$pkgdir"/usr/lib/bluetooth/obexd "$subpkgdir"/usr/lib/bluetooth
}
-
sha512sums="64a680e4b3c270bc2439610c91ad2aef36131d84401e4bbdf6c2b7ec8708a19dfc942b31b9189c38a97ca072c761c669ae1aace5f4ff5d06de3ccbf33184be45 bluez-5.50.tar.xz
fc43c78ed248ea412529eed5ae8bb47bacca9bf5b3b10de121ddd4e792c85893561a88be4aa2c6318106e5d2146a721445152d44fa60ca257ca0b4eb87318c1e bluetooth.initd
8d7b7c8938a2316ce0a855e9bdf1ef8fcdf33d23f4011df828270a088b88b140a19c432e83fef15355d0829e3c86be05b63e7718fef88563254ea239b8dc12ac rfcomm.initd
@@ -121,4 +128,6 @@ d5fd1c962bd846eaa6fff879bab85f753eb367d514f82d133b5d3242e1da989af5eddd942c60a87d
42ac04044a8c66e07487598b3a75ef52efc32999ebce4e7c63f6198e2f603f4a1442e74600e43a0938cb4f52d4db0298aa99050b18144b84990cda71748e9de5 004-Move-the-43xx-firmware-into-lib-firmware.patch
41ce7ccf78cca97563f0ef31e01dac6eb4484c24fe57be360b5e8de8c5bff5845e9d395766f891bd3f123788344456c88c9fc00cd1bb7c6a1dca89d09f19172b bluez-5.40-obexd_without_systemd-1.patch
04c4889372c8e790bb338dde7ffa76dc32fcf7370025c71b9184fcf17fd01ade4a6613d84d648303af3bbc54043ad489f29fc0cd4679ec8c9029dcb846d7e026 disable-lock-test.patch
-118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch"
+118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch
+1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch
+c8e65bdfb5edc8edd0d1f9a153a7d5b953f0c5700aa61645af251cd857117990090a27c0ee133056fc045d0f6b6a3c1aad60ff0dfd3707c2c5ba29c518fccca8 CVE-2020-27153.patch"
diff --git a/main/bluez/CVE-2020-0556.patch b/main/bluez/CVE-2020-0556.patch
new file mode 100644
index 00000000000..c22af03bf52
--- /dev/null
+++ b/main/bluez/CVE-2020-0556.patch
@@ -0,0 +1,188 @@
+This is the result of applying the following 4 commits in the order presented:
+
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index a711ef5..075b139 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -92,6 +92,7 @@ struct input_device {
+
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
++static bool classic_bonded_only = false;
+
+ void input_set_idle_timeout(int timeout)
+ {
+@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
+ uhid_enabled = state;
+ }
+
++void input_set_classic_bonded_only(bool state)
++{
++ classic_bonded_only = state;
++}
++
+ static void input_device_enter_reconnect_mode(struct input_device *idev);
+ static int connection_disconnect(struct input_device *idev, uint32_t flags);
+
+@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
+ if (device_name_known(idev->device))
+ device_get_name(idev->device, req->name, sizeof(req->name));
+
++ /* Make sure the device is bonded if required */
++ if (classic_bonded_only && !device_is_bonded(idev->device,
++ btd_device_get_bdaddr_type(idev->device))) {
++ error("Rejected connection from !bonded device %s", dst_addr);
++ goto cleanup;
++ }
++
+ /* Encryption is mandatory for keyboards */
+- if (req->subclass & 0x40) {
++ /* Some platforms may choose to require encryption for all devices */
++ /* Note that this only matters for pre 2.1 devices as otherwise the */
++ /* device is encrypted by default by the lower layers */
++ if (classic_bonded_only || req->subclass & 0x40) {
+ if (!bt_io_set(idev->intr_io, &gerr,
+ BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+ BT_IO_OPT_INVALID)) {
+@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
+ DBG("path=%s reconnect_mode=%s", idev->path,
+ reconnect_mode_to_string(idev->reconnect_mode));
+
++ /* Make sure the device is bonded if required */
++ if (classic_bonded_only && !device_is_bonded(idev->device,
++ btd_device_get_bdaddr_type(idev->device)))
++ return;
++
+ /* Only attempt an auto-reconnect when the device is required to
+ * accept reconnections from the host.
+ */
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 51a9aee..5a077f9 100644
+--- a/profiles/input/device.h
++++ b/profiles/input/device.h
+@@ -29,6 +29,8 @@ struct input_conn;
+
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
++void input_set_classic_bonded_only(bool state);
++void input_set_auto_sec(bool state);
+
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index 83c017d..327a1d1 100644
+--- a/profiles/input/hog.c
++++ b/profiles/input/hog.c
+@@ -49,8 +49,11 @@
+ #include "src/shared/util.h"
+ #include "src/shared/uhid.h"
+ #include "src/shared/queue.h"
++#include "src/shared/att.h"
++#include "src/shared/gatt-client.h"
+ #include "src/plugin.h"
+
++#include "device.h"
+ #include "suspend.h"
+ #include "attrib/att.h"
+ #include "attrib/gattrib.h"
+@@ -65,8 +68,14 @@ struct hog_device {
+ };
+
+ static gboolean suspend_supported = FALSE;
++static bool auto_sec = true;
+ static struct queue *devices = NULL;
+
++void input_set_auto_sec(bool state)
++{
++ auto_sec = state;
++}
++
+ static void hog_device_accept(struct hog_device *dev, struct gatt_db *db)
+ {
+ char name[248];
+@@ -186,6 +195,19 @@ static int hog_accept(struct btd_service *service)
+ return -EINVAL;
+ }
+
++ /* HOGP 1.0 Section 6.1 requires bonding */
++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
++ struct bt_gatt_client *client;
++
++ if (!auto_sec)
++ return -ECONNREFUSED;
++
++ client = btd_device_get_gatt_client(device);
++ if (!bt_gatt_client_set_security(client,
++ BT_ATT_SECURITY_MEDIUM))
++ return -ECONNREFUSED;
++ }
++
+ /* TODO: Replace GAttrib with bt_gatt_client */
+ bt_hog_attach(dev->hog, attrib);
+
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 3e1d65a..4c70bc5 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -11,3 +11,16 @@
+ # Enable HID protocol handling in userspace input profile
+ # Defaults to false (HIDP handled in HIDP kernel module)
+ #UserspaceHID=true
++
++# Limit HID connections to bonded devices
++# The HID Profile does not specify that devices must be bonded, however some
++# platforms may want to make sure that input connections only come from bonded
++# device connections. Several older mice have been known for not supporting
++# pairing/encryption.
++# Defaults to false to maximize device compatibility.
++#ClassicBondedOnly=true
++
++# LE upgrade security
++# Enables upgrades of security automatically if required.
++# Defaults to true to maximize device compatibility.
++#LEAutoSecurity=true
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 1d31b06..bf4acb4 100644
+--- a/profiles/input/manager.c
++++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ config = load_config_file(CONFIGDIR "/input.conf");
+ if (config) {
+ int idle_timeout;
+- gboolean uhid_enabled;
++ gboolean uhid_enabled, classic_bonded_only, auto_sec;
+
+ idle_timeout = g_key_file_get_integer(config, "General",
+ "IdleTimeout", &err);
+@@ -114,6 +114,26 @@ static int input_init(void)
+ input_enable_userspace_hid(uhid_enabled);
+ } else
+ g_clear_error(&err);
++
++ classic_bonded_only = g_key_file_get_boolean(config, "General",
++ "ClassicBondedOnly", &err);
++
++ if (!err) {
++ DBG("input.conf: ClassicBondedOnly=%s",
++ classic_bonded_only ? "true" : "false");
++ input_set_classic_bonded_only(classic_bonded_only);
++ } else
++ g_clear_error(&err);
++
++ auto_sec = g_key_file_get_boolean(config, "General",
++ "LEAutoSecurity", &err);
++ if (!err) {
++ DBG("input.conf: LEAutoSecurity=%s",
++ auto_sec ? "true" : "false");
++ input_set_auto_sec(auto_sec);
++ } else
++ g_clear_error(&err);
++
+ }
+
+ btd_profile_register(&input_profile);
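Review bot: `classic_bonded_only` is initialised to `false` and the patched input.conf leaves `#ClassicBondedOnly=true` commented out, so the new bonding checks in `hidp_add_connection()` and `input_device_enter_reconnect_mode()` never run on a default install. Only the LE path in `hog_accept()` checks bonding unconditionally, and with `auto_sec` at its default of `true` it raises the link security to `BT_ATT_SECURITY_MEDIUM` rather than refusing the device. If the 5.50-r1 secfixes entry is meant to cover classic HID out of the box, ship input.conf with `ClassicBondedOnly=true`. Otherwise add a comment next to the secfixes entry in the APKBUILD saying that administrators must set it. Both functions continue outside the lines shown in the patch.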
diff --git a/main/bluez/CVE-2020-27153.patch b/main/bluez/CVE-2020-27153.patch
new file mode 100644
index 00000000000..48a346fe2c0
--- /dev/null
+++ b/main/bluez/CVE-2020-27153.patch
@@ -0,0 +1,95 @@
+Adapted from https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a
+
+diff --git a/src/shared/att.c b/src/shared/att.c
+index 0ea6d55..b0fdb8e 100644
+--- a/src/shared/att.c
++++ b/src/shared/att.c
+@@ -62,6 +62,7 @@ struct bt_att {
+ struct queue *ind_queue; /* Queued ATT protocol indications */
+ struct att_send_op *pending_ind;
+ struct queue *write_queue; /* Queue of PDUs ready to send */
++ bool in_disc; /* Cleanup queues on disconnect_cb */
+ bool writer_active;
+
+ struct queue *notify_list; /* List of registered callbacks */
+@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data)
+ free(op);
+ }
+
+-static void cancel_att_send_op(struct att_send_op *op)
++static void cancel_att_send_op(void *data)
+ {
++ struct att_send_op *op = data;
++
+ if (op->destroy)
+ op->destroy(op->user_data);
+
+@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
+ att->io = NULL;
+ att->fd = -1;
+
+- /* Notify request callbacks */
+- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
+- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
+- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
+-
+ if (att->pending_req) {
+ disc_att_send_op(att->pending_req);
+ att->pending_req = NULL;
+@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
+
+ bt_att_ref(att);
+
++ att->in_disc = true;
++
++ /* Notify request callbacks */
++ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
++ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
++ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
++
++ att->in_disc = false;
++
+ queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
+
+ bt_att_unregister_all(att);
+@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b)
+ return op->id == id;
+ }
+
++static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
++{
++ struct att_send_op *op;
++
++ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
++ if (op)
++ goto done;
++
++ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
++ if (op)
++ goto done;
++
++ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
++
++done:
++ if (!op)
++ return false;
++
++ /* Just cancel since disconnect_cb will be cleaning up */
++ cancel_att_send_op(op);
++
++ return true;
++}
++
+ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ {
+ struct att_send_op *op;
+@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ return true;
+ }
+
++ if (att->in_disc)
++ return bt_att_disc_cancel(att, id);
++
+ op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
+ if (op)
+ goto done;
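Review bot: The `in_disc` guard is added to `bt_att_cancel()` only, and no hunk in this patch touches `bt_att_cancel_all()`. If that function in 5.50 also removes entries from `req_queue`, `ind_queue` or `write_queue`, a callback that calls it while `disconnect_cb()` is inside `queue_remove_all()` would presumably still modify a queue that is being drained. This is worth checking against the upstream tree. `cancel_att_send_op()` is switched to a `void *data` parameter although the only caller shown, `bt_att_disc_cancel()`, passes an `att_send_op *` directly, which suggests a queue-callback use that did not make it into the adaptation. The header says only `Adapted from` the upstream commit; one more line stating what was changed for 5.50 would let the next maintainer re-verify the backport.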
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 46fca6c6030..a4a135b086c 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -53,6 +53,8 @@ source="https://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
# 1.29.3-r10:
# - CVE-2018-20679
# - CVE-2019-5747
+# 1.28.3-r2:
+# - CVE-2018-1000500
# 1.27.2-r4:
# - CVE-2017-16544
# - CVE-2017-15873
diff --git a/main/ca-certificates/0003-update-ca-insert-newline-between-certs.patch b/main/ca-certificates/0003-update-ca-insert-newline-between-certs.patch
new file mode 100644
index 00000000000..4a945a076ba
--- /dev/null
+++ b/main/ca-certificates/0003-update-ca-insert-newline-between-certs.patch
@@ -0,0 +1,38 @@
+From fd399b2416191bd7f3b0f267bdb530ed829de271 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Wed, 5 Feb 2020 17:40:57 +0100
+Subject: [PATCH 3/3] update-ca: insert newline between certs
+
+There may be certificates that lack a trailing newline, which is allowed
+in the certificate format. We work around that by inject a newline after
+each cert.
+
+see https://gitlab.alpinelinux.org/alpine/aports/issues/8379
+---
+ update-ca.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/update-ca.c b/update-ca.c
+index 2b3195b..0260f83 100644
+--- a/update-ca.c
++++ b/update-ca.c
+@@ -191,6 +191,7 @@ static void proc_localglobaldir(const char *fullpath, struct hash *h, int tmpfil
+ fprintf(stderr, "Warning! Cannot hash: %s\n", fullpath);
+ if (!copyfile(fullpath, tmpfile_fd))
+ fprintf(stderr, "Warning! Cannot copy to bundle: %s\n", fullpath);
++ write(tmpfile_fd, "\n", 1);
+ free(actual_file);
+ }
+
+@@ -260,7 +261,7 @@ static bool dir_readfiles(struct hash* d, const char* path,
+ DIR *dp = opendir(path);
+ if (!dp)
+ return false;
+-
++
+ struct dirent *dirp;
+ while ((dirp = readdir(dp)) != NULL) {
+ if (str_begins(dirp->d_name, "."))
+--
+2.25.0
+
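Review bot: The added `write(tmpfile_fd, "\n", 1);` in `proc_localglobaldir()` discards its return value, while the hash and copy steps directly above it print a warning on failure. A failed or short write leaves two certificates joined in the bundle with no message, which is the case this patch is meant to prevent. Suggest `if (write(tmpfile_fd, "\n", 1) != 1) fprintf(stderr, "Warning! Cannot write to bundle: %s\n", fullpath);`, matching the existing warnings. The newline is also written when `copyfile()` has just failed; that is harmless, but moving the write into an `else` branch would keep the bundle free of stray blank lines. The function starts outside the lines shown in the patch.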
diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD
index a8a1b5456ee..b3d7084abcd 100644
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
@@ -2,9 +2,9 @@
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ca-certificates
-pkgver=20190108
-pkgrel=0
-pkgdesc="Common CA certificates PEM files"
+pkgver=20191127
+pkgrel=2
+pkgdesc="Common CA certificates PEM files from Mozilla"
url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
arch="all"
license="MPL-2.0 GPL-2.0-or-later"
@@ -16,12 +16,16 @@ replaces="libcrypto1.0 openssl openssl1.0"
options="!fhs !check"
triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs:/etc/ca-certificates/update.d"
install="$pkgname.post-deinstall"
-source="https://git.alpinelinux.org/ca-certificates/snapshot/ca-certificates-$pkgver.tar.xz"
+source="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/$pkgver/ca-certificates-$pkgver.tar.bz2
+ 0003-update-ca-insert-newline-between-certs.patch
+ "
builddir="$srcdir/ca-certificates-$pkgver"
build() {
cd "$builddir"
make
+ # remove expired cert (https://gitlab.alpinelinux.org/alpine/aports/issues/11607)
+ rm AddTrust_External_Root.crt
}
package() {
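Review bot: The `rm AddTrust_External_Root.crt` step in build() does not say when it can be dropped, and with `options="!fhs !check"` nothing verifies that the expired root is absent from what package() installs (package() continues outside this hunk). Because `rm` is used without `-f`, the build should stop once the upstream tarball no longer ships the file, assuming abuild runs the function with errexit. That is a useful reminder and worth stating next to the line, e.g. `# fails on purpose once upstream drops the file; delete this line then`.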
@@ -58,4 +62,5 @@ cacert() {
"$subpkgdir"/etc/ssl/cert.pem
}
-sha512sums="7b022c3b3319ac4ebbf13f551626f3d60a5552014d564166165030ee799c2fd470c593fb7171732100089b17ad3d309abc73f2429967222676915cad46f95a8e ca-certificates-20190108.tar.xz"
+sha512sums="05e3a11efd80ea88eb81774e084febe4b8d1fa48f01f49e5ed3d469e10a2769260a264faed42ea3a0b725659cda1cc4a67ce5575fe04cdff9dc1c08207911c9b ca-certificates-20191127.tar.bz2
+051b5d78916ee7389dfbd4e8871aab720415bd6e9ee0313dba770fc40ee7c68ac67d7918f2503458a3218e3bfc10691b5e379b65269106fde02c7e7a36eb7595 0003-update-ca-insert-newline-between-certs.patch"
diff --git a/main/chrony/APKBUILD b/main/chrony/APKBUILD
index 8327c29f690..d4e0add1481 100644
--- a/main/chrony/APKBUILD
+++ b/main/chrony/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=chrony
pkgver=3.4
-pkgrel=1
+pkgrel=2
_ver=${pkgver/_/-}
pkgdesc="NTP client and server programs"
url="https://chrony.tuxfamily.org"
@@ -26,8 +26,16 @@ source="https://download.tuxfamily.org/$pkgname/$pkgname-$_ver.tar.gz
chrony.logrotate
chrony.conf
timepps.h
+
+ CVE-2020-14367.patch
"
builddir="$srcdir/$pkgname-$_ver"
+options="!check" # line 82 of test/unit/util.c fails on all arches
+
+# secfixes:
+# 3.4-r2:
+# - CVE-2020-14367
+
prepare() {
default_prepare
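Review bot: `options="!check"` turns off the whole test suite in the same release that introduces the CVE-2020-14367 backport, so the new `UTI_OpenFile` code in util.c ships without the unit tests ever running. The comment names a single failing assertion (line 82 of test/unit/util.c); patching or skipping only that test would keep the rest of the suite as a regression check for the backport. main/cvs/APKBUILD in this commit has the same pattern: it adds a `check()` function and sets `options="!check"`, so that function never runs.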
@@ -91,4 +99,5 @@ b26581ed32680585edea5b8163a0062a87f648394c0f363c77a7d01a36608fcf4d005d9e6ab179ed
60d6aab60132b11e82888b755a47aa6ae2949db07016b475e7bce53ed5083c888ab88f3b53e87bfa7396f0559f6870c28816b395361645dda157ab7649b28236 chronyd.initd
ab38f06bf45888846778ad935e24abb30d13b6805e9a750bc694ff953695fa8c5b33aac560f5f7f96dc46031c1a38660e5c418b6fce6fb34a87908a9a3c99357 chrony.logrotate
0ae453fca3461b6e56a32a9eb6be0d448c39bf0279583222ab2fecef307e1113f082d4e86f957e4baac4f223c5c57804cdea97322678009f3413ab99d54694b6 chrony.conf
-eb11fc19243d1789016d88eb7645bfe67c46304547781489bf36eb1dd4c252d523681ff835a6488fa0ef62b6b9e2f781c672279f4439f5d5640a3f214a113048 timepps.h"
+eb11fc19243d1789016d88eb7645bfe67c46304547781489bf36eb1dd4c252d523681ff835a6488fa0ef62b6b9e2f781c672279f4439f5d5640a3f214a113048 timepps.h
+777c5b83fac51424eaaf5e348e138389c449fcb03e382deebab727c6d265332ef3e1b7a168740b18ca669add05ba02c21a7c52edfdd442ed2b3893706098c343 CVE-2020-14367.patch"
diff --git a/main/chrony/CVE-2020-14367.patch b/main/chrony/CVE-2020-14367.patch
new file mode 100644
index 00000000000..f0e331bd97e
--- /dev/null
+++ b/main/chrony/CVE-2020-14367.patch
@@ -0,0 +1,204 @@
+From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 6 Aug 2020 09:31:11 +0200
+Subject: [PATCH] main: create new file when writing pidfile
+
+When writing the pidfile, open the file with the O_CREAT|O_EXCL flags
+to avoid following a symlink and writing the PID to an unexpected file,
+when chronyd still has the root privileges.
+
+The Linux open(2) man page warns about O_EXCL not working as expected on
+NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on
+a distributed filesystem like NFS is not generally expected, but if
+there is a reason to do that, these old kernel and NFS versions are not
+considered to be supported for saving files by chronyd.
+
+This is a minimal backport specific to this issue of the following
+commits:
+- commit 2fc8edacb810 ("use PATH_MAX")
+- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()")
+- commit 7a4c396bba8f ("util: add functions for common file operations")
+- commit e18903a6b563 ("switch to new util file functions")
+
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+---
+ logging.c | 1 +
+ main.c | 10 ++----
+ sysincl.h | 1 +
+ util.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ util.h | 11 +++++++
+ 5 files changed, 111 insertions(+), 7 deletions(-)
+
+diff --git a/logging.c b/logging.c
+index d2296e0..fd7f900 100644
+--- a/logging.c
++++ b/logging.c
+@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity,
+ system_log = 0;
+ log_message(1, severity, buf);
+ }
++ exit(1);
+ break;
+ default:
+ assert(0);
+diff --git a/main.c b/main.c
+index 6ccf32e..8edb2e1 100644
+--- a/main.c
++++ b/main.c
+@@ -281,13 +281,9 @@ write_pidfile(void)
+ if (!pidfile[0])
+ return;
+
+- out = fopen(pidfile, "w");
+- if (!out) {
+- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno));
+- } else {
+- fprintf(out, "%d\n", (int)getpid());
+- fclose(out);
+- }
++ out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644);
++ fprintf(out, "%d\n", (int)getpid());
++ fclose(out);
+ }
+
+ /* ================================================== */
+diff --git a/sysincl.h b/sysincl.h
+index 296c5e6..873a3bd 100644
+--- a/sysincl.h
++++ b/sysincl.h
+@@ -37,6 +37,7 @@
+ #include <glob.h>
+ #include <grp.h>
+ #include <inttypes.h>
++#include <limits.h>
+ #include <math.h>
+ #include <netinet/in.h>
+ #include <pwd.h>
+diff --git a/util.c b/util.c
+index e7e3442..83b3b20 100644
+--- a/util.c
++++ b/util.c
+@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid)
+
+ /* ================================================== */
+
++static int
++join_path(const char *basedir, const char *name, const char *suffix,
++ char *buffer, size_t length, LOG_Severity severity)
++{
++ const char *sep;
++
++ if (!basedir) {
++ basedir = "";
++ sep = "";
++ } else {
++ sep = "/";
++ }
++
++ if (!suffix)
++ suffix = "";
++
++ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) {
++ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix);
++ return 0;
++ }
++
++ return 1;
++}
++
++/* ================================================== */
++
++FILE *
++UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++ char mode, mode_t perm)
++{
++ const char *file_mode;
++ char path[PATH_MAX];
++ LOG_Severity severity;
++ int fd, flags;
++ FILE *file;
++
++ severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR;
++
++ if (!join_path(basedir, name, suffix, path, sizeof (path), severity))
++ return NULL;
++
++ switch (mode) {
++ case 'r':
++ case 'R':
++ flags = O_RDONLY;
++ file_mode = "r";
++ if (severity != LOGS_FATAL)
++ severity = LOGS_DEBUG;
++ break;
++ case 'w':
++ case 'W':
++ flags = O_WRONLY | O_CREAT | O_EXCL;
++ file_mode = "w";
++ break;
++ case 'a':
++ case 'A':
++ flags = O_WRONLY | O_CREAT | O_APPEND;
++ file_mode = "a";
++ break;
++ default:
++ assert(0);
++ return NULL;
++ }
++
++try_again:
++ fd = open(path, flags, perm);
++ if (fd < 0) {
++ if (errno == EEXIST) {
++ if (unlink(path) < 0) {
++ LOG(severity, "Could not remove %s : %s", path, strerror(errno));
++ return NULL;
++ }
++ DEBUG_LOG("Removed %s", path);
++ goto try_again;
++ }
++ LOG(severity, "Could not open %s : %s", path, strerror(errno));
++ return NULL;
++ }
++
++ UTI_FdSetCloexec(fd);
++
++ file = fdopen(fd, file_mode);
++ if (!file) {
++ LOG(severity, "Could not open %s : %s", path, strerror(errno));
++ close(fd);
++ return NULL;
++ }
++
++ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode);
++
++ return file;
++}
++
++/* ================================================== */
++
+ void
+ UTI_DropRoot(uid_t uid, gid_t gid)
+ {
+diff --git a/util.h b/util.h
+index e3d6767..a2481cc 100644
+--- a/util.h
++++ b/util.h
+@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid
+ permissions and its uid/gid must match the specified values. */
+ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid);
+
++/* Open a file. The full path of the file is constructed from the basedir
++ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL).
++ Created files have specified permissions (umasked). Returns NULL on error.
++ The following modes are supported (if the mode is an uppercase character,
++ errors are fatal):
++ r/R - open an existing file for reading
++ w/W - open a new file for writing (remove existing file)
++ a/A - open an existing file for appending (create if does not exist) */
++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++ char mode, mode_t perm);
++
+ /* Set process user/group IDs and drop supplementary groups */
+ extern void UTI_DropRoot(uid_t uid, gid_t gid);
+
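Review bot: `write_pidfile` now passes the result of `UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644)` straight to `fprintf` with no NULL check, which is safe only because mode 'W' selects `LOGS_FATAL` and the logging.c hunk adds `exit(1)` to that path. In a hand-made backport that invariant is spread over three files, so it deserves a comment at the call site, for example `/* mode 'W': UTI_OpenFile() logs a fatal error and exits instead of returning NULL */`. Separately, the `try_again` loop in `UTI_OpenFile` repeats `unlink`/`open` on `EEXIST` without a bound. A small retry limit would stop a contended pidfile path from stalling startup while chronyd still holds root privileges.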
diff --git a/main/collectd/APKBUILD b/main/collectd/APKBUILD
index 4a996e4c7db..39de6acdaff 100644
--- a/main/collectd/APKBUILD
+++ b/main/collectd/APKBUILD
@@ -32,7 +32,7 @@ source="https://collectd.org/files/collectd-$pkgver.tar.bz2
builddir="$srcdir"/$pkgname-$pkgver
-# security fixes:
+# secfixes:
# 5.5.2-r0:
# - CVE-2016-6254
diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD
index 3c7166e23d1..127c7292d8a 100644
--- a/main/cups/APKBUILD
+++ b/main/cups/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cups
pkgver=2.2.12
-pkgrel=0
+pkgrel=1
pkgdesc="The CUPS Printing System"
url="https://www.cups.org/"
arch="all"
@@ -20,10 +20,15 @@ source="https://github.com/apple/cups/releases/download/v$pkgver/cups-$pkgver-so
cupsd.initd
cups-no-export-ssllibs.patch
default-config-no-gssapi.patch
+ CVE-2019-8842.patch
+ CVE-2020-3898.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.2.12-r1:
+# - CVE-2019-8842
+# - CVE-2020-3898
# 2.2.12-r0:
# - CVE-2019-8696
# - CVE-2019-8675
@@ -134,4 +139,6 @@ sha512sums="b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df
cf64211da59e79285f99d437c02fdd7db462855fb2920ec9563ba47bd8a9e5cbd10555094940ceedeb41ac805c4f0ddb9147481470112a11a76220d0298aef79 cups.logrotate
2c2683f755a220166b3a1653fdd1a6daa9718c8f0bbdff2e2d5e61d1133306260d63a83d3ff41619b5cf84c4913fae5822b79553e2822858f38fa3613f4c7082 cupsd.initd
7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch
-98bb97f4af69ea286fc3d398b8e57c32440e6b2d49fb7f79b418a4fe7f13441f3a610f65d3433d10d971ade808233c0b29b4d66160623ccaae919179384be918 default-config-no-gssapi.patch"
+98bb97f4af69ea286fc3d398b8e57c32440e6b2d49fb7f79b418a4fe7f13441f3a610f65d3433d10d971ade808233c0b29b4d66160623ccaae919179384be918 default-config-no-gssapi.patch
+1a6dc3560c78eef28cad977abde076c02791e34fc05e53ce3137ac4ff1feb2f6bae5f64ba8733f44280ac4273d825372b29b15da6bb179776496f62a7d06462d CVE-2019-8842.patch
+560466d3721cd105ef1e6aa03d0cb6c55964e94f06fe80e2f8570d481941cfd03ac6940d0108e111ea7f4bee55460b93423975410890e105902c5a4ce3b79d77 CVE-2020-3898.patch"
diff --git a/main/cups/CVE-2019-8842.patch b/main/cups/CVE-2019-8842.patch
new file mode 100644
index 00000000000..2e1a212239a
--- /dev/null
+++ b/main/cups/CVE-2019-8842.patch
@@ -0,0 +1,13 @@
+diff --git a/cups/ipp.c b/cups/ipp.c
+index b0762fd..dba4f31 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data source */
+ * Read 32-bit "extension" tag...
+ */
+
+- if ((*cb)(src, buffer, 4) < 1)
++ if ((*cb)(src, buffer, 4) < 4)
+ {
+ DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+ _cupsBufferRelease((char *)buffer);
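Review bot: This patch file carries no header saying where the fix comes from, so a later maintainer cannot tell whether `< 4` in ippReadIO is the complete upstream change or a partial backport. A few lines above the inner `diff --git` naming the upstream commit and the CVE would fix that, in the style main/curl/CVE-2020-8231.patch uses (`Based on <upstream commit URL>`). The same applies to main/cups/CVE-2020-3898.patch, main/curl/CVE-2020-8169.patch, main/curl/CVE-2020-8177.patch and main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch in this commit.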
diff --git a/main/cups/CVE-2020-3898.patch b/main/cups/CVE-2020-3898.patch
new file mode 100644
index 00000000000..d797a0be1a2
--- /dev/null
+++ b/main/cups/CVE-2020-3898.patch
@@ -0,0 +1,14 @@
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 58d92c1..5bc7939 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -1730,8 +1730,7 @@ _ppdOpen(
+ constraint->choice1, constraint->option2,
+ constraint->choice2))
+ {
+- case 0 : /* Error */
+- case 1 : /* Error */
++ default : /* Error */
+ pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ goto error;
+
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 2ecf03e30ac..5abc6272a29 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.64.0
-pkgrel=3
+pkgrel=5
pkgdesc="URL retrival utility and library"
url="https://curl.haxx.se"
arch="all"
@@ -20,11 +20,19 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
CVE-2019-5436.patch
CVE-2019-5481.patch
CVE-2019-5482.patch
+ CVE-2020-8169.patch
+ CVE-2020-8177.patch
+ CVE-2020-8231.patch
"
options="!check" # sftp tests failing
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 7.66.0-r5:
+# - CVE-2020-8231
+# 7.64.0-r4:
+# - CVE-2020-8169
+# - CVE-2020-8177
# 7.64.0-r3:
# - CVE-2019-5481
# - CVE-2019-5482
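Review bot: The new secfixes key `7.66.0-r5` does not match this APKBUILD, which sets `pkgver=7.64.0` and `pkgrel=5`; it looks like a typo for `7.64.0-r5`. Tools that read the secfixes block to decide which package versions contain a fix would record CVE-2020-8231 against a version this branch never ships, so 7.64.0-r5 could be reported as still affected. The key line should read `#   7.64.0-r5:`.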
@@ -64,11 +72,11 @@ builddir="$srcdir/$pkgname-$pkgver"
# - CVE-2017-7468
# 7.53.1-r2:
# - CVE-2017-7407
-# 7.53.0:
+# 7.53.0-r0:
# - CVE-2017-2629
-# 7.52.1:
+# 7.52.1-r0:
# - CVE-2016-9594
-# 7.51.0:
+# 7.51.0-r0:
# - CVE-2016-8615
# - CVE-2016-8616
# - CVE-2016-8617
@@ -80,15 +88,15 @@ builddir="$srcdir/$pkgname-$pkgver"
# - CVE-2016-8623
# - CVE-2016-8624
# - CVE-2016-8625
-# 7.50.3:
+# 7.50.3-r1:
# - CVE-2016-7167
-# 7.50.2:
+# 7.50.2-r1:
# - CVE-2016-7141
-# 7.50.1:
+# 7.50.1-r0:
# - CVE-2016-5419
# - CVE-2016-5420
# - CVE-2016-5421
-# 7.36.0:
+# 7.36.0-r0:
# - CVE-2014-0138
# - CVE-2014-0139
@@ -132,4 +140,7 @@ sha512sums="953f1f5336ce5dfd1b9f933624432d401552d91ee02d39ecde6f023c956f99ec6aae
c629a1b36920a3f8eab3321b0222e203f53f29e5947d39a0c32e0a7de2d8ab2182c3d6bbb0828847f2f353d1d3a15d85203e17ef74018a5c865a854d7a413fc3 CVE-2019-5435.patch
9ccb8d898530f14cf497b4d0ede3b28d6baac5fa0b867636219795cf748f0149a110a386d4212ff48781c2c37e03290f2afe47cc186bd606f569acfd48457a15 CVE-2019-5436.patch
37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf CVE-2019-5481.patch
-6703658d9212bb87de22fabd996e8f8eb8c98aa4c015b1daa4c1a15f503c4a5530dafbcc1817032d973ef94ac29fe7b8ee16426e443b20d0bcdbe5d7f0209ffb CVE-2019-5482.patch"
+6703658d9212bb87de22fabd996e8f8eb8c98aa4c015b1daa4c1a15f503c4a5530dafbcc1817032d973ef94ac29fe7b8ee16426e443b20d0bcdbe5d7f0209ffb CVE-2019-5482.patch
+4950975d59bdf8398dd5f4b8338e5f76ae3752247be9054a28753351bcddb46f71a8bd601dba31da1b6b3fbbfbe6192f33a6500144d89f2cfdfb47161e3addba CVE-2020-8169.patch
+250359963230de2970ab4a56d731312f0772d6f89672b4189e7d6aa8553cb9efd8808221f418a1b7778f7b9e52a45738451aec2d4a0e73e084a748cff1b3d6da CVE-2020-8177.patch
+d5f4421e5ac6f89220d00fb156c803edbb64679e9064ca8328269eea3582ee7780f77522b5069a1288cc09e968567175c94139249cc337906243c95d0bc3e684 CVE-2020-8231.patch"
diff --git a/main/curl/CVE-2020-8169.patch b/main/curl/CVE-2020-8169.patch
new file mode 100644
index 00000000000..d89e21f4d79
--- /dev/null
+++ b/main/curl/CVE-2020-8169.patch
@@ -0,0 +1,21 @@
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66a..a826f8a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Curl_easy *data,
+
+ /* for updated strings, we update them in the URL */
+ if(user_changed) {
+- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
++ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
+ if(passwd_changed) {
+- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
++ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
diff --git a/main/curl/CVE-2020-8177.patch b/main/curl/CVE-2020-8177.patch
new file mode 100644
index 00000000000..556dcc10ee6
--- /dev/null
+++ b/main/curl/CVE-2020-8177.patch
@@ -0,0 +1,50 @@
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 3844904..1813cb3 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -132,25 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+ filename = parse_filename(p, len);
+ if(filename) {
+ if(outs->stream) {
+- int rc;
+- /* already opened and possibly written to */
+- if(outs->fopened)
+- fclose(outs->stream);
+- outs->stream = NULL;
+-
+- /* rename the initial file name to the new file name */
+- rc = rename(outs->filename, filename);
+- if(rc != 0) {
+- warnf(outs->config->global, "Failed to rename %s -> %s: %s\n",
+- outs->filename, filename, strerror(errno));
+- }
+- if(outs->alloc_filename)
+- Curl_safefree(outs->filename);
+- if(rc != 0) {
+- free(filename);
+- return failure;
+- }
++ /* indication of problem, get out! */
++ free(filename);
++ return failure;
+ }
++
+ outs->is_cd_filename = TRUE;
+ outs->s_isreg = TRUE;
+ outs->fopened = FALSE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index c7ba5f2..505b991 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -1760,6 +1760,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ }
+ break;
+ case 'i':
++ if(config->content_disposition) {
++ warnf(global,
++ "--include and --remote-header-name cannot be combined.\n");
++ return PARAM_BAD_USE;
++ }
+ config->show_headers = toggle; /* show the headers as well in the
+ general output stream */
+ break;
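Review bot: The new test in `case 'i'` rejects `--include` only when `content_disposition` is already set, that is, when `-J` was parsed first. Whether `case 'J'` has the mirror-image test on `show_headers` cannot be seen from this hunk and should be confirmed for this curl version. The tool_cb_hdr.c change still fails closed when a stream is already open, so this is about giving the same `PARAM_BAD_USE` error for both argument orders rather than about the fix itself. getparameter's body continues outside the hunk.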
diff --git a/main/curl/CVE-2020-8231.patch b/main/curl/CVE-2020-8231.patch
new file mode 100644
index 00000000000..0d6a76d94d1
--- /dev/null
+++ b/main/curl/CVE-2020-8231.patch
@@ -0,0 +1,123 @@
+Based on https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8
+
+Didn't apply cleanly, fixed up lib/urldata.h and lib/url.c, ignored 2 changes in lib/multi.c
+that refer to things that do not yet exist in this version of curl
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 0a7475c..b3d4057 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1356,15 +1356,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
+ }
+
+ struct connfind {
+- struct connectdata *tofind;
+- bool found;
++ long id_tofind;
++ struct connectdata *found;
+ };
+
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+ struct connfind *f = (struct connfind *)param;
+- if(conn == f->tofind) {
+- f->found = TRUE;
++ if(conn->connection_id == f->id_tofind) {
++ f->found = conn;
+ return 1;
+ }
+ return 0;
+@@ -1386,21 +1386,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+ * - that is associated with a multi handle, and whose connection
+ * was detached with CURLOPT_CONNECT_ONLY
+ */
+- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+- struct connectdata *c = data->state.lastconnect;
++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++ struct connectdata *c;
+ struct connfind find;
+- find.tofind = data->state.lastconnect;
+- find.found = FALSE;
++ find.id_tofind = data->state.lastconnect_id;
++ find.found = NULL;
+
+ Curl_conncache_foreach(data, data->multi_easy?
+ &data->multi_easy->conn_cache:
+ &data->multi->conn_cache, &find, conn_is_conn);
+
+ if(!find.found) {
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ return CURL_SOCKET_BAD;
+ }
+
++ c = find.found;
+ if(connp) {
+ /* only store this if the caller cares for it */
+ *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index b648e80..7b0ea9a 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -831,8 +831,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+
+ /* the connection cache is setup on demand */
+ outcurl->state.conn_cache = NULL;
+-
+- outcurl->state.lastconnect = NULL;
++ outcurl->state.lastconnect_id = -1;
+
+ outcurl->progress.flags = data->progress.flags;
+ outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index e10e752..02687dd 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -454,6 +454,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+ data->state.conn_cache = &data->share->conn_cache;
+ else
+ data->state.conn_cache = &multi->conn_cache;
++ data->state.lastconnect_id = -1;
+
+ #ifdef USE_LIBPSL
+ /* Do the same for PSL. */
+@@ -669,11 +670,11 @@ static CURLcode multi_done(struct Curl_easy *data,
+ CONN_UNLOCK(data);
+ if(Curl_conncache_return_conn(data, conn)) {
+ /* remember the most recently used connection */
+- data->state.lastconnect = conn;
++ data->state.lastconnect_id = conn->connection_id;
+ infof(data, "%s\n", buffer);
+ }
+ else
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ }
+
+ Curl_free_request_state(data);
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66a..f0a880f 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -617,7 +617,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+ Curl_initinfo(data);
+
+ /* most recent connection is not yet defined */
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+
+ data->progress.flags |= PGRS_HIDE;
+ data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fbb8b64..6586986 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1332,7 +1332,7 @@ struct UrlState {
+ /* buffers to store authentication data in, as parsed from input options */
+ struct curltime keeps_speed; /* for the progress meter really */
+
+- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++ long lastconnect_id; /* The last connection, -1 if undefined */
+
+ char *headerbuff; /* allocated buffer to store headers in */
+ size_t headersize; /* size of the allocation */
diff --git a/main/cvs/APKBUILD b/main/cvs/APKBUILD
index b11d7ac61eb..c2537d6ed89 100644
--- a/main/cvs/APKBUILD
+++ b/main/cvs/APKBUILD
@@ -1,33 +1,45 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cvs
-pkgver=1.11.23
+pkgver=1.12.12
pkgrel=0
pkgdesc="Concurrent Versions System"
-url="http://www.nongnu.org/cvs/"
+url="https://www.nongnu.org/cvs/"
arch="all"
license="GPL-2.0-or-later"
-depends=""
+options="!check" # Tests fail - src/lib/test-getdate.sh
makedepends="zlib-dev"
-install=
subpackages="$pkgname-doc"
-source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
- cvs-musl.patch
+source="https://ftp.gnu.org/non-gnu/cvs/source/feature/$pkgver/cvs-$pkgver.tar.gz
+ cvs-1.12.12-cvsbug-tmpfix.patch
+ cvs-1.12.12-openat.patch
+ cvs-1.12.12-block-requests.patch
+ cvs-1.12.12-install-sh.patch
+ cvs-1.12.12-hash-nameclash.patch
+ cvs-1.12.12-getdelim.patch
+ cvs-1.12.12-rcs2log-coreutils.patch
+ cvs-1.12.12-mktime-x32.patch
+ cvs-1.12.12-fix-massive-leak.patch
+ cvs-1.12.12-mktime-configure.patch
+ cvs-1.12.12-CVE-2012-0804.patch
+ cvs-1.12.12-format-security.patch
+ cvs-1.12.12-musl.patch
+ CVE-2017-12836.patch
"
+builddir="$srcdir/$pkgname-$pkgver"
-_builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 1.12.12-r0:
+# - CVE-2010-3846
+# - CVE-2012-0804
+# - CVE-2017-12836
prepare() {
- local i
- cd "$_builddir"
- for i in $source; do
- case $i in
- *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
- esac
- done
+ default_prepare
+ update_config_sub
}
build() {
- cd "$_builddir"
+ cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
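Review bot: The secfixes block lists CVE-2010-3846 as fixed in 1.12.12-r0, but no file in `source` names that CVE, unlike CVE-2012-0804 and CVE-2017-12836, which each have a patch. If the 1.12.12 tarball already contains the fix or is not affected, a comment above `# secfixes:` would make the entry auditable, e.g. `# CVE-2010-3846: <upstream release or patch that fixes it>`. The build() function continues past the end of this hunk.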
@@ -36,19 +48,32 @@ build() {
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--with-external-zlib \
- --with-tmpdir=/tmp \
- || return 1
- make || return 1
+ --with-tmpdir=/tmp
+ make
+}
+
+check() {
+ cd "$builddir"
+ make check
}
package() {
- cd "$_builddir"
- make -j1 DESTDIR="$pkgdir" install
+ cd "$builddir"
+ make DESTDIR="$pkgdir" install
}
-md5sums="bf185eb51b5918330a04671c3f3cccde cvs-1.11.23.tar.gz
-3b51f4b2b94b83666f9e105038222cd8 cvs-musl.patch"
-sha256sums="0ad692e3c22e4b33274a53ad22a194deb3024ec833b9e87ad7968d9b0b58cdcf cvs-1.11.23.tar.gz
-b5b687e9c5349fbb15e82ca1f99d9227432f6be29a55b7ca22bd9b1c8b6f08d5 cvs-musl.patch"
-sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch"
+sha512sums="36cae30bbd075773d260fd8d0170335d37ba4b6dd09056465290df5c14cd7c39a18931d70761d98e2bd989798b013e372603e94c252b4062c56c3ab53251a1fb cvs-1.12.12.tar.gz
+29014631f5595dbf51a47032a19a23e545190dd8d40d77a71d363cee07a9ae38263b67db52a512436a9a7b37a7f5ff4daafa4a0a9f3c29bcfeb71ecff74408b7 cvs-1.12.12-cvsbug-tmpfix.patch
+b0a7abc785169705d2f0668a8af706f93ee3eba3d050d555689577962283e54f6bd186e662b64c65f926cf72dff76a37259181338707d641ee0f20591ba62805 cvs-1.12.12-openat.patch
+541545ffc64c4f2303b7e8f6cae2cdff0437452e4bcf94b2149d51e43710096e17f024c1a8ed32433560ea51ecef2aba2f3e6bfaef8fa9e4ad2f2436649884d1 cvs-1.12.12-block-requests.patch
+7e468d41c1eb23c0a62b605e6e48cffc004e8f386a87a9696dd73b36702c74aad529f5cba7280dee1100027b6e1e907adad257cc446ca3ad734fa40d47e4ff72 cvs-1.12.12-install-sh.patch
+dcd612dcc4b008c0fbabd74bcc179e69ebaed31a9f6622127061194a8ed99549502fbc0bffc75cc87aed26f7fe46215da81438c3a797e2179ed3da8e0b5ebdbb cvs-1.12.12-hash-nameclash.patch
+181b5daa6e103218e3fc1629a0b5f74daad613cdbe530655eff32479e4b9f32d067e60a82107efdbb129f917ee0626d274fb65555c66d907c997bf01fa262bdb cvs-1.12.12-getdelim.patch
+73c3506fa670b00ac52363efa2a2fa34203108d3dc112400e52f78eb7d83967cf49b11280d6c27a461f79a9c38317b41b26dd1f67d10229dbcb6c2ad9d43b521 cvs-1.12.12-rcs2log-coreutils.patch
+4a58c0f94de8e19c2de1930b7e5e04816e79a86885c89b792616a4c43f6e12aef271005ae59ae0d5788a910ba97735ccdf35f0ef5faafc2e3c50a9858b8f6216 cvs-1.12.12-mktime-x32.patch
+c4c9026e971f3da49cefce102b57bc681427a708ec8caa185df1234fd2a95090c8dc8cbf84374a762fdef7002d658cd4b52450429664cb3a1bfbda63d31c78a7 cvs-1.12.12-fix-massive-leak.patch
+10b29450d5d0a6a02d92812b919edbba2b86f2217aa54896b44358edb2eb8d8d6111b5c5db39faa50ef1f9a86ed1ee190332629f33402ad8cd8082b77547f486 cvs-1.12.12-mktime-configure.patch
+4f86f75f59caf4ef7e83964ec2d9c93575ccdcb031b1a6a1774a2a80ab7d6f278b3d27c4ab9270b91edf457a0195d702e3bd20da17c167b3f204fd9d8980b720 cvs-1.12.12-CVE-2012-0804.patch
+34f16defa5ab03ca2efcdea27269a37e27510d235bc4efd7a91871c2ae32fe9b922a51f3b87bcfec988964f8ae50d4649d7876937e25352836d5274ce88eea13 cvs-1.12.12-format-security.patch
+1c14b89dccee3130cc4ff881b7204f01dd8e14d1767e21d30b879df17a368a0f6bc7d3945872f8a6adcf47e34c3e48b9f2c0c0c90cccbf10fa935690a57f5e20 cvs-1.12.12-musl.patch
+1daf3d26acabe5e1f46331595f95f62a3bc7ffd28dfb063cfc8c9eec3f13f67ad32ba236ea4ff5f3180a10996ac5c902473d4a34226f9706f3b008b0c55491ea CVE-2017-12836.patch"
diff --git a/main/cvs/CVE-2017-12836.patch b/main/cvs/CVE-2017-12836.patch
new file mode 100644
index 00000000000..b20a88b6672
--- /dev/null
+++ b/main/cvs/CVE-2017-12836.patch
@@ -0,0 +1,38 @@
+Subject: [PATCH] Fix CVE-2017-12836
+From: Thorsten Glaser <tg@mirbsd.de>
+
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -53,9 +53,10 @@
+ char *cvs_server = (root->cvs_server != NULL
+ ? root->cvs_server : getenv ("CVS_SERVER"));
+ int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+- "cmd (w/ args)", and NULL. We leave some room to grow. */
+- char *rsh_argv[10];
++ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
++ "--", "host", "cvs", "-R", "server", and NULL.
++ We leave some room to grow. */
++ char *rsh_argv[16];
+
+ if (!cvs_rsh)
+ /* People sometimes suggest or assume that this should default
+@@ -97,6 +98,9 @@
+ rsh_argv[i++] = root->username;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+ rsh_argv[i++] = "server";
+@@ -171,6 +175,8 @@
+ *p++ = root->username;
+ }
+
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
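Review bot: Appending `"--"` before `root->hostname` protects only when the program selected through `CVS_RSH` treats `--` as the end of options, which this code cannot guarantee for an arbitrary remote-shell command. Rejecting a hostname that starts with `-` before `rsh_argv` is built would not depend on that, for example `if (root->hostname[0] == '-') error (1, 0, "invalid hostname: %s", root->hostname);`. Both functions touched here start outside their hunks, so any earlier validation of the hostname is not visible.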
diff --git a/main/cvs/cvs-1.12.12-CVE-2012-0804.patch b/main/cvs/cvs-1.12.12-CVE-2012-0804.patch
new file mode 100644
index 00000000000..107c3ea1220
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-CVE-2012-0804.patch
@@ -0,0 +1,30 @@
+[CVE-2012-0804] Fix proxy response parser
+
+If proxy sends overlong HTTP vesion string, the string will be copied
+to unallocatd space (write_buf) causing heap overflow.
+
+This patch fixes it by ignoring the HTTP version string and checking
+the response line has been parsed correctly.
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
+details.
+
+Index: src/client.c
+===================================================================
+RCS file: /sources/cvs/ccvs/src/client.c,v
+retrieving revision 1.483
+diff -u -r1.483 client.c
+--- a/src/client.c 18 Nov 2008 22:59:02 -0000 1.483
++++ b/src/client.c 26 Jan 2012 16:32:25 -0000
+@@ -4339,9 +4339,9 @@
+ * code.
+ */
+ read_line_via (from_server, to_server, &read_buf);
+- sscanf (read_buf, "%s %d", write_buf, &codenum);
++ count = sscanf (read_buf, "%*s %d", &codenum);
+
+- if ((codenum / 100) != 2)
++ if (count != 1 || (codenum / 100) != 2)
+ error (1, 0, "proxy server %s:%d does not support http tunnelling",
+ root->proxy_hostname, proxy_port_number);
+ free (read_buf);
diff --git a/main/cvs/cvs-1.12.12-block-requests.patch b/main/cvs/cvs-1.12.12-block-requests.patch
new file mode 100644
index 00000000000..9c9b49db8f6
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-block-requests.patch
@@ -0,0 +1,140 @@
+Author: Robin H. Johnson <robbat2@gentoo.org>
+Date: 2006-08-09
+
+This patch allows a CVS server to deny usage of specific commands, based on
+input in the environment.
+
+Just set the CVS_BLOCK_REQUESTS env var with all of the commands you want,
+seperated by spaces. Eg:
+CVS_BLOCK_REQUESTS="Gzip-stream gzip-file-contents"
+would block ALL usage of compression.
+
+Please see the array 'struct request requests[]' in src/server.c for a full
+list of commands.
+
+Please note that if you block any commands marked as RQ_ESSENTIAL, CVS clients
+may fail! (This includes 'ci'!).
+
+See the companion cvs-custom.c for a wrapper that can enforce the environment variable for pserver setups.
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+diff -Nuar --exclude '*~' -U 10 cvs-1.12.12.orig/src/server.c cvs-1.12.12/src/server.c
+--- cvs-1.12.12.orig/src/server.c 2005-04-14 14:13:29.000000000 +0000
++++ cvs-1.12.12/src/server.c 2006-08-09 01:40:44.000000000 +0000
+@@ -5836,43 +5836,90 @@
+ #undef REQ_LINE
+ };
+ #endif /* SERVER_SUPPORT or CLIENT_SUPPORT */
+
+
+
+ #ifdef SERVER_SUPPORT
+ /*
+ * This server request is not ignored by the secondary.
+ */
++
++/* Hack by Robin H. Johnson <robbat2@gentoo.org>.
++ * Allow the server ENV to specify what request types are to be ignored.
++ */
++
++static char blocked_requests[BUFSIZ] = " ";
++
++static void build_blocked_requests() {
++ char *tmp = getenv("CVS_BLOCK_REQUESTS");
++
++ if (tmp != NULL && strlen(tmp) > 0) {
++ // move to our custom buffer
++ strncat(blocked_requests, tmp, sizeof(blocked_requests)-strlen(blocked_requests));
++ //add a space on the end as well for searching
++ strncat(blocked_requests, " ", sizeof(blocked_requests)-strlen(blocked_requests));
++ }
++
++ // now blocked_requests contains the list of every request that we do not
++ // want to serve
++}
++
++// returns 0 if we should serve this request
++// use as if(checker(FOO)) continue;
++static int serve_valid_requests_checker(char *reqname) {
++ char needle[BUFSIZ] = " ";
++ char *tmp;
++
++ if(!blocked_requests || strlen(blocked_requests) < 2)
++ return 0;
++
++ // we want to look for ' 'reqname' '
++ snprintf(needle, sizeof(needle), " %s ", reqname);
++
++ // now do the search
++ tmp = strstr(blocked_requests, needle);
++
++ if (tmp != NULL)
++ return 1;
++
++ return 0;
++
++}
++
+ static void
+ serve_valid_requests (char *arg)
+ {
+ struct request *rq;
+
+ /* Since this is processed in the first pass, don't reprocess it in the
+ * second.
+ *
+ * We still print errors since new errors could have been generated in the
+ * second pass.
+ */
+ if (print_pending_error ()
+ #ifdef PROXY_SUPPORT
+ || reprocessing
+ #endif /* PROXY_SUPPORT */
+ )
+ return;
++
++ build_blocked_requests();
+
+ buf_output0 (buf_to_net, "Valid-requests");
+ for (rq = requests; rq->name != NULL; rq++)
+ {
+ if (rq->func != NULL)
+ {
++ if(serve_valid_requests_checker(rq->name))
++ continue;
+ buf_append_char (buf_to_net, ' ');
+ buf_output0 (buf_to_net, rq->name);
+ }
+ }
+ buf_output0 (buf_to_net, "\nok\n");
+
+ /* The client is waiting for the list of valid requests, so we
+ must send the output now. */
+ buf_flush (buf_to_net, 1);
+ }
+@@ -6353,20 +6400,24 @@
+ cmd += len;
+ else if (cmd[len] == ' ')
+ cmd += len + 1;
+ else
+ /*
+ * The first len characters match, but it's a different
+ * command. e.g. the command is "cooperate" but we matched
+ * "co".
+ */
+ continue;
++ // Ignore commands that we are supposed to ignore.
++ if(serve_valid_requests_checker(rq->name))
++ continue;
++
+
+ if (!(rq->flags & RQ_ROOTLESS)
+ && current_parsed_root == NULL)
+ {
+ /* For commands which change the way in which data
+ is sent and received, for example Gzip-stream,
+ this does the wrong thing. Since the client
+ assumes that everything is being compressed,
+ unconditionally, there is no way to give this
+ error to the client without turning on
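Review bot: Both `strncat` calls in `build_blocked_requests` pass `sizeof(blocked_requests)-strlen(blocked_requests)` as the limit, but strncat's count excludes the terminating NUL, so a `CVS_BLOCK_REQUESTS` value that fills the buffer writes one byte past `blocked_requests`; the bound should be `sizeof(blocked_requests)-strlen(blocked_requests)-1`. The function also runs on every `serve_valid_requests` call and appends to the static buffer again each time. A value that does not fit is silently truncated, which drops entries from the block list instead of failing. Building the list once and refusing to serve when it does not fit would make the restriction fail closed. In `serve_valid_requests_checker`, `!blocked_requests` tests an array and is always false.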
diff --git a/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch b/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch
new file mode 100644
index 00000000000..fcd4431e877
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch
@@ -0,0 +1,22 @@
+Index: cvs-1.12.12/src/cvsbug.in
+===================================================================
+--- cvs-1.12.12.orig/src/cvsbug.in
++++ cvs-1.12.12/src/cvsbug.in
+@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
+ /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
+ cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
+ ORIGINATOR="`cat $TEMP`"
+- rm -f $TEMP
++ > $TEMP
+ fi
+ fi
+
+ if [ "$ORIGINATOR" = "" ]; then
+ grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
+ ORIGINATOR="`cat $TEMP`"
+- rm -f $TEMP
++ > $TEMP
+ fi
+
+ if [ -n "$ORGANIZATION" ]; then
+
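Review bot: The two replacement lines `> $TEMP` carry no explanation of why the file is now truncated rather than removed, and the patch file has no description header. Presumably the aim is to keep the temporary file in place so its name cannot be re-created by another local user between uses; a one-line header such as `Truncate $TEMP instead of removing it so the name stays reserved` would record that. How `$TEMP` is created is outside the hunk, so it should be confirmed that it comes from a safe creator such as mktemp, because a truncating redirect follows whatever the path points to. Quoting the expansion as `> "$TEMP"` would also be more robust.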
diff --git a/main/cvs/cvs-1.12.12-fix-massive-leak.patch b/main/cvs/cvs-1.12.12-fix-massive-leak.patch
new file mode 100644
index 00000000000..5366f50855f
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-fix-massive-leak.patch
@@ -0,0 +1,52 @@
+buf_free_data must free data independently
+of send or reseived bytes over network.
+
+Moreover, when buffer is usually freed
+buffer _is_ empty, but has one clean mapped page.
+
+I've observed massive 'cvs server' leaks
+when importing large gentoo-x86 repo with 'cvsps'.
+Leak ate all my 32GBs of RAM and killed process.
+(Leaked around 3 pages per client request).
+
+valgrind found the leak easily:
+
+$ valgrind \
+ cvsps \
+ --root :local:$HOME/portage/gentoo-x86.rsync \
+ --fast-export \
+ gentoo-x86/dev-vcs/git-annex 2>l |
+ git fast-import
+
+ ==13504== 1,248 bytes in 52 blocks are still reachable in loss record 41 of 47
+ ==13504== at 0x4C2C19B: malloc (vg_replace_malloc.c:270)
+ ==13504== by 0x48A556: xnmalloc_inline (xmalloc.c:40)
+ ==13504== by 0x48A5B5: xmalloc (xmalloc.c:56)
+ ==13504== by 0x4855F5: new_memnode (pagealign_alloc.c:91)
+ ==13504== by 0x48571B: pagealign_alloc (pagealign_alloc.c:151)
+ ==13504== by 0x485739: pagealign_xalloc (pagealign_alloc.c:182)
+ ==13504== by 0x408DD7: get_buffer_data (buffer.c:98)
+ ==13504== by 0x409C0C: buf_input_data (buffer.c:738)
+ ==13504== by 0x45BB63: do_cvs_command (server.c:3847)
+ ==13504== by 0x45D39E: serve_co (server.c:4809)
+ ==13504== by 0x45F845: server (server.c:6438)
+ ==13504== by 0x438784: main (main.c:1066)
+
+And now it takes constant space (less, than 18MB)
+for 'cvs server' process to convert all gentoo-x86
+by serving more, than 5 000 000 client requests.
+
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+diff --git a/src/buffer.c b/src/buffer.c
+index 3f12513..9a7a559 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -526,7 +526,7 @@ buf_copy_data (struct buffer *buf, struct buffer_data *data,
+ void
+ buf_free_data (struct buffer *buffer)
+ {
+- if (buf_empty_p (buffer)) return;
++ if (! buffer->data) return;
+ buf_free_datas (buffer->data, buffer->last);
+ buffer->data = buffer->last = NULL;
+ }
diff --git a/main/cvs/cvs-1.12.12-format-security.patch b/main/cvs/cvs-1.12.12-format-security.patch
new file mode 100644
index 00000000000..d710a902073
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-format-security.patch
@@ -0,0 +1,22 @@
+--- a/diff/diff3.c
++++ b/diff/diff3.c
+@@ -1503,7 +1503,7 @@
+ line = 0;
+ do
+ {
+- printf_output (line_prefix);
++ printf_output ("%s", line_prefix);
+ cp = D_RELNUM (ptr, realfile, line);
+ length = D_RELLEN (ptr, realfile, line);
+ write_output (cp, length);
+--- a/src/main.c
++++ b/src/main.c
+@@ -1375,7 +1375,7 @@
+ {
+ (void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name);
+ for (; *cpp; cpp++)
+- (void) fprintf (stderr, *cpp);
++ (void) fprintf (stderr, "%s", *cpp);
+ exit (EXIT_FAILURE);
+ }
+
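Review bot: In the src/main.c hunk the context line `(void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name);` still passes a non-literal format string, and only the loop below it is converted to `"%s"`. That is probably intentional, since the first usage line appears to carry the `%s` placeholders for the program and command names, but it is safe only while the table `cpp` points into is a compile-time constant. The function starts outside the hunk, so the origin of `cpp` should be confirmed and recorded with a comment such as `/* first usage line is a trusted constant format taking two %s arguments */`. The patch file also has no description header naming the warning class it silences.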
diff --git a/main/cvs/cvs-1.12.12-getdelim.patch b/main/cvs/cvs-1.12.12-getdelim.patch
new file mode 100644
index 00000000000..837d4408ab1
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-getdelim.patch
@@ -0,0 +1,21 @@
+The function getdelim() behaves slightly different on FreeBSD,
+only appending to the *line buffer if line_size is 0.
+
+See:
+https://savannah.nongnu.org/bugs/?29466
+http://bugs.gentoo.org/314791
+
+Already comitted upstream:
+http://cvs.savannah.gnu.org/viewvc/ccvs/src/myndbm.c?root=cvs&r1=1.38&r2=1.39
+
+--- a/src/myndbm.c.orig
++++ b/src/myndbm.c
+@@ -213,7 +213,7 @@
+ mydbm_load_file (FILE *fp, List *list, char *filename)
+ {
+ char *line = NULL;
+- size_t line_size;
++ size_t line_size = 0;
+ char *value;
+ size_t value_allocated;
+ char *cp, *vp;
diff --git a/main/cvs/cvs-1.12.12-hash-nameclash.patch b/main/cvs/cvs-1.12.12-hash-nameclash.patch
new file mode 100644
index 00000000000..95fd61e0a51
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-hash-nameclash.patch
@@ -0,0 +1,42 @@
+http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/hash.h?r1=1.14.6.2&r2=1.14.6.3&pathrev=cvs1-11-x-branch
+fixed in cvs-1.11.23, cvs-HEAD after cvs-1.12.13a
+
+--- a/src/hash.h.orig 2005-02-01 22:56:48 +0100
++++ b/src/hash.h 2010-03-10 19:00:11 +0100
+@@ -27,26 +27,26 @@
+ };
+ typedef enum ntype Ntype;
+
+-struct node
++struct hashnode
+ {
+ Ntype type;
+- struct node *next;
+- struct node *prev;
+- struct node *hashnext;
+- struct node *hashprev;
++ struct hashnode *next;
++ struct hashnode *prev;
++ struct hashnode *hashnext;
++ struct hashnode *hashprev;
+ char *key;
+ void *data;
+- void (*delproc) (struct node *);
++ void (*delproc) (struct hashnode *);
+ };
+-typedef struct node Node;
++typedef struct hashnode Node;
+
+-struct list
++struct hashlist
+ {
+ Node *list;
+ Node *hasharray[HASHSIZE];
+- struct list *next;
++ struct hashlist *next;
+ };
+-typedef struct list List;
++typedef struct hashlist List;
+
+ List *getlist (void);
+ Node *findnode (List * list, const char *key);
diff --git a/main/cvs/cvs-1.12.12-install-sh.patch b/main/cvs/cvs-1.12.12-install-sh.patch
new file mode 100644
index 00000000000..825c0ee6f1c
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-install-sh.patch
@@ -0,0 +1,12 @@
+diff -ur a/build-aux/install-sh b/build-aux/install-sh
+--- a/build-aux/install-sh 2006-03-25 20:04:46 +0000
++++ b/build-aux/install-sh 2007-09-14 10:53:29 +0100
+@@ -246,7 +246,7 @@
+ fi
+
+ if test -n "$dir_arg"; then
+- $doit $mkdircmd "$dst" \
++ { test -d "$dst" || $doit $mkdircmd -p "$dst"; } \
+ && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \
+ && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \
+ && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \
diff --git a/main/cvs/cvs-1.12.12-mktime-configure.patch b/main/cvs/cvs-1.12.12-mktime-configure.patch
new file mode 100644
index 00000000000..03d7f35601e
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-configure.patch
@@ -0,0 +1,201 @@
+https://bugs.gentoo.org/220040
+https://bugs.gentoo.org/570208
+
+update mktime check to latest autoconf version which is less buggy
+
+--- a/configure
++++ b/configure
+@@ -5299,26 +6059,25 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
+ /* Test program from Paul Eggert and Tony Leneis. */
+-#if TIME_WITH_SYS_TIME
++#ifdef TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>
+ #else
+-# if HAVE_SYS_TIME_H
++# ifdef HAVE_SYS_TIME_H
+ # include <sys/time.h>
+ # else
+ # include <time.h>
+ # endif
+ #endif
+
+-#if HAVE_STDLIB_H
+-# include <stdlib.h>
+-#endif
++#include <limits.h>
++#include <stdlib.h>
+
+-#if HAVE_UNISTD_H
++#ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+ #endif
+
+-#if !HAVE_ALARM
++#ifndef HAVE_ALARM
+ # define alarm(X) /* empty */
+ #endif
+
+@@ -5335,9 +6094,9 @@
+ };
+ #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0]))
+
+-/* Fail if mktime fails to convert a date in the spring-forward gap.
++/* Return 0 if mktime fails to convert a date in the spring-forward gap.
+ Based on a problem report from Andreas Jaeger. */
+-static void
++static int
+ spring_forward_gap ()
+ {
+ /* glibc (up to about 1998-10-07) failed this test. */
+@@ -5356,29 +6115,27 @@
+ tm.tm_min = 0;
+ tm.tm_sec = 0;
+ tm.tm_isdst = -1;
+- if (mktime (&tm) == (time_t)-1)
+- exit (1);
++ return mktime (&tm) != (time_t) -1;
+ }
+
+-static void
++static int
+ mktime_test1 (now)
+ time_t now;
+ {
+ struct tm *lt;
+- if ((lt = localtime (&now)) && mktime (lt) != now)
+- exit (1);
++ return ! (lt = localtime (&now)) || mktime (lt) == now;
+ }
+
+-static void
++static int
+ mktime_test (now)
+ time_t now;
+ {
+- mktime_test1 (now);
+- mktime_test1 ((time_t) (time_t_max - now));
+- mktime_test1 ((time_t) (time_t_min + now));
++ return (mktime_test1 (now)
++ && mktime_test1 ((time_t) (time_t_max - now))
++ && mktime_test1 ((time_t) (time_t_min + now)));
+ }
+
+-static void
++static int
+ irix_6_4_bug ()
+ {
+ /* Based on code from Ariel Faigon. */
+@@ -5391,11 +6148,10 @@
+ tm.tm_sec = 0;
+ tm.tm_isdst = -1;
+ mktime (&tm);
+- if (tm.tm_mon != 2 || tm.tm_mday != 31)
+- exit (1);
++ return tm.tm_mon == 2 && tm.tm_mday == 31;
+ }
+
+-static void
++static int
+ bigtime_test (j)
+ int j;
+ {
+@@ -5417,8 +6173,39 @@
+ && lt->tm_wday == tm.tm_wday
+ && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst)
+ == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst))))
+- exit (1);
++ return 0;
+ }
++ return 1;
++}
++
++static int
++year_2050_test ()
++{
++ /* The correct answer for 2050-02-01 00:00:00 in Pacific time,
++ ignoring leap seconds. */
++ unsigned long int answer = 2527315200UL;
++
++ struct tm tm;
++ time_t t;
++ tm.tm_year = 2050 - 1900;
++ tm.tm_mon = 2 - 1;
++ tm.tm_mday = 1;
++ tm.tm_hour = tm.tm_min = tm.tm_sec = 0;
++ tm.tm_isdst = -1;
++
++ /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0"
++ instead of "TZ=America/Vancouver" in order to detect the bug even
++ on systems that don't support the Olson extension, or don't have the
++ full zoneinfo tables installed. */
++ putenv ("TZ=PST8PDT,M4.1.0,M10.5.0");
++
++ t = mktime (&tm);
++
++ /* Check that the result is either a failure, or close enough
++ to the correct answer that we can assume the discrepancy is
++ due to leap seconds. */
++ return (t == (time_t) -1
++ || (0 < t && answer - 120 <= t && t <= answer + 120));
+ }
+
+ int
+@@ -5432,12 +6219,15 @@
+ isn't worth using anyway. */
+ alarm (60);
+
+- for (time_t_max = 1; 0 < time_t_max; time_t_max *= 2)
+- continue;
+- time_t_max--;
+- if ((time_t) -1 < 0)
+- for (time_t_min = -1; (time_t) (time_t_min * 2) < 0; time_t_min *= 2)
+- continue;
++ for (;;)
++ {
++ t = (time_t_max << 1) + 1;
++ if (t <= time_t_max)
++ break;
++ time_t_max = t;
++ }
++ time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max;
++
+ delta = time_t_max / 997; /* a suitable prime number */
+ for (i = 0; i < N_STRINGS; i++)
+ {
+@@ -5445,18 +6235,22 @@
+ putenv (tz_strings[i]);
+
+ for (t = 0; t <= time_t_max - delta; t += delta)
+- mktime_test (t);
+- mktime_test ((time_t) 1);
+- mktime_test ((time_t) (60 * 60));
+- mktime_test ((time_t) (60 * 60 * 24));
+-
+- for (j = 1; 0 < j; j *= 2)
+- bigtime_test (j);
+- bigtime_test (j - 1);
++ if (! mktime_test (t))
++ return 1;
++ if (! (mktime_test ((time_t) 1)
++ && mktime_test ((time_t) (60 * 60))
++ && mktime_test ((time_t) (60 * 60 * 24))))
++ return 1;
++
++ for (j = 1; ; j <<= 1)
++ if (! bigtime_test (j))
++ return 1;
++ else if (INT_MAX / 2 < j)
++ break;
++ if (! bigtime_test (INT_MAX))
++ return 1;
+ }
+- irix_6_4_bug ();
+- spring_forward_gap ();
+- exit (0);
++ return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ());
+ }
+ _ACEOF
+ rm -f conftest$ac_exeext
diff --git a/main/cvs/cvs-1.12.12-mktime-x32.patch b/main/cvs/cvs-1.12.12-mktime-x32.patch
new file mode 100644
index 00000000000..948fa4d7144
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-x32.patch
@@ -0,0 +1,29 @@
+back port changes from upstream gnulib to make this work on x32
+
+https://bugs.gentoo.org/395641
+
+--- cvs-1.12.12/lib/mktime.c
++++ cvs-1.12.12/lib/mktime.c
+@@ -115,6 +115,13 @@
+ #define TM_YEAR_BASE 1900
+ verify (base_year_is_a_multiple_of_100, TM_YEAR_BASE % 100 == 0);
+
++#if INT_MAX <= LONG_MAX / 2
++typedef long int long_int;
++#else
++typedef long long int long_int;
++#endif
++verify (long_int_is_wide_enough, INT_MAX == INT_MAX * (long_int) 2 / 2);
++
+ /* Return 1 if YEAR + TM_YEAR_BASE is a leap year. */
+ static inline int
+ leapyear (long int year)
+@@ -167,8 +174,6 @@
+ int year0, int yday0, int hour0, int min0, int sec0)
+ {
+ verify (C99_integer_division, -1 / 2 == 0);
+- verify (long_int_year_and_yday_are_wide_enough,
+- INT_MAX <= LONG_MAX / 2 || TIME_T_MAX <= UINT_MAX);
+
+ /* Compute intervening leap days correctly even if year is negative.
+ Take care to avoid integer overflow here. */
diff --git a/main/cvs/cvs-1.12.12-musl.patch b/main/cvs/cvs-1.12.12-musl.patch
new file mode 100644
index 00000000000..e426cf55fcc
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-musl.patch
@@ -0,0 +1,13 @@
+http://gcc.gnu.org/ml/gcc/2003-04/msg00518.html
+
+--- a/lib/regex.c
++++ b/lib/regex.c
+@@ -8184,7 +8184,7 @@
+ if (msg_size > errbuf_size)
+ {
+ #if defined HAVE_MEMPCPY || defined _LIBC
+- *((char *) __mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
++ *((char *) mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
+ #else
+ memcpy (errbuf, msg, errbuf_size - 1);
+ errbuf[errbuf_size - 1] = 0;
diff --git a/main/cvs/cvs-1.12.12-openat.patch b/main/cvs/cvs-1.12.12-openat.patch
new file mode 100644
index 00000000000..fdb406a45e4
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-openat.patch
@@ -0,0 +1,21 @@
+Index: cvs-1.12.12/lib/openat.c
+===================================================================
+--- cvs-1.12.12.orig/lib/openat.c
++++ cvs-1.12.12/lib/openat.c
+@@ -55,9 +55,13 @@ rpl_openat (int fd, char const *filename
+ va_list arg;
+ va_start (arg, flags);
+
+- /* Assume that mode_t is passed compatibly with mode_t's type
+- after argument promotion. */
+- mode = va_arg (arg, mode_t);
++ /* If mode_t is narrower than int, use the promoted type (int),
++ not mode_t. Use sizeof to guess whether mode_t is nerrower;
++ we don't know of any practical counterexamples. */
++ if (sizeof (mode_t) < sizeof (int))
++ mode = va_arg (arg, int);
++ else
++ mode = va_arg (arg, mode_t);
+
+ va_end (arg);
+ }
diff --git a/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch b/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch
new file mode 100644
index 00000000000..7dda3f0f172
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch
@@ -0,0 +1,14 @@
+X-Gentoo-bug: 144114
+
+diff -Nuar cvs-1.12.12.orig/contrib/rcs2log.sh cvs-1.12.12/contrib/rcs2log.sh
+--- cvs-1.12.12.orig/contrib/rcs2log.sh 2003-02-25 21:32:51.000000000 +0000
++++ cvs-1.12.12/contrib/rcs2log.sh 2010-12-06 21:14:33.831532212 +0000
+@@ -620,7 +620,7 @@
+ # Sort the log entries, first by date+time (in reverse order),
+ # then by author, then by log entry, and finally by file name and revision
+ # (just in case).
+-sort -t"$SOH" +2 -4r +4 +0 |
++sort -t"$SOH" -k 3,4r -k 5 -k 1,2 |
+
+ # Finally, reformat the sorted log entries.
+ $AWK -F"$SOH" '
diff --git a/main/cvs/cvs-musl.patch b/main/cvs/cvs-musl.patch
deleted file mode 100644
index 313377dbdd5..00000000000
--- a/main/cvs/cvs-musl.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- cvs-1.11.23.org/lib/getline.h 2013-09-16 18:28:13.026099577 +0000
-+++ cvs-1.11.23/lib/getline.h 2013-09-16 18:44:33.356064387 +0000
-@@ -12,8 +12,6 @@
- #define GETLINE_NO_LIMIT -1
-
- int
-- getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
--int
- getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
- int limit));
- int
---- cvs-1.11.23.org/lib/getline.c 2013-09-16 18:28:13.021099577 +0000
-+++ cvs-1.11.23/lib/getline.c 2013-09-16 18:45:14.463062911 +0000
-@@ -154,12 +154,7 @@
- return ret;
- }
-
--int
--getline (lineptr, n, stream)
-- char **lineptr;
-- size_t *n;
-- FILE *stream;
--{
-+ssize_t getline(char ** lineptr, size_t * n, FILE *stream) {
- return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
- }
-
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index 5bb6602ead7..5d01ff4a019 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cyrus-sasl
pkgver=2.1.27
-pkgrel=1
+pkgrel=2
pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
url="https://cyrusimap.org/"
arch="all"
@@ -12,7 +12,7 @@ subpackages="
$pkgname-dev
$pkgname-doc
$pkgname-openrc
- libsasl
+ libsasl
$pkgname-gssapiv2:_plugin
$pkgname-gs2:_plugin
$pkgname-scram:_plugin
@@ -39,10 +39,13 @@ source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pk
cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
cyrus-sasl-2.1.27-doc_build_fix.patch
cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+ CVE-2019-19906.patch
saslauthd.initd
"
# secfixes:
+# 2.1.27-r2:
+# - CVE-2019-19906
# 2.1.26-r7:
# - CVE-2013-4122
@@ -123,4 +126,5 @@ sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623
4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch
fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+c39efd87dc9c883d3b07474197f6835fbd32f23baa1f5cd04b25a0473639f847321c40f232e390d4dc9d9ee189dbd177c05d3d1461af4d28a48a4827abc5d9b8 CVE-2019-19906.patch
f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd"
diff --git a/main/cyrus-sasl/CVE-2019-19906.patch b/main/cyrus-sasl/CVE-2019-19906.patch
new file mode 100644
index 00000000000..f7edb521e89
--- /dev/null
+++ b/main/cyrus-sasl/CVE-2019-19906.patch
@@ -0,0 +1,15 @@
+https://github.com/cyrusimap/cyrus-sasl/issues/587
+
+diff --git a/lib/common.c b/lib/common.c
+index bc3bf1df..9969d6aa 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
+
+ if (add==NULL) add = "(null)";
+
+- addlen=strlen(add); /* only compute once */
++ addlen=strlen(add)+1; /* only compute once */
+ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+ return SASL_NOMEM;
+
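Review bot: Folding the terminator into `addlen` at `addlen=strlen(add)+1;` changes every later use of that variable, not just the allocation size. The rest of `_sasl_add_string` is outside the hunk, but the `/* only compute once */` comment suggests `addlen` is reused for the copy and for advancing `*outlen`. If so, the NUL would be counted in the output length and any string appended afterwards would sit behind an embedded terminator. Keeping `addlen=strlen(add);` and reserving the extra byte only at the allocation avoids that side effect: `if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)`.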
diff --git a/main/dahdi-linux-vanilla/APKBUILD b/main/dahdi-linux-vanilla/APKBUILD
index 96dc7faab04..b2f9c627893 100644
--- a/main/dahdi-linux-vanilla/APKBUILD
+++ b/main/dahdi-linux-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/dbus/APKBUILD b/main/dbus/APKBUILD
index ee9fdc492a0..fae169cfdab 100644
--- a/main/dbus/APKBUILD
+++ b/main/dbus/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dbus
pkgver=1.10.28
-pkgrel=0
+pkgrel=1
pkgdesc="Freedesktop.org message bus system"
url="http://www.freedesktop.org/Software/dbus"
pkggroups="messagebus"
@@ -17,12 +17,15 @@ makedepends="$depends_dev expat-dev libx11-dev autoconf automake libtool xmlto
install="$pkgname.pre-install $pkgname.post-install"
source="https://dbus.freedesktop.org/releases/dbus/dbus-$pkgver.tar.gz
fix-int64-print.patch
+ CVE-2020-12049.patch
$pkgname.initd
"
# secfixes:
+# 1.12.28-r1:
+# - CVE-2020-12049
# 1.10.28-r0:
-# - CVE-2019-12749
+# - CVE-2019-12749
prepare() {
default_prepare
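Review bot: The new secfixes key `# 1.12.28-r1:` does not match the package version, because this APKBUILD sets `pkgver=1.10.28` and bumps `pkgrel` to 1. Tooling that reads the secfixes block to map CVE-2020-12049 to a fixed release would record a version that this branch never ships. The entry should read `# 1.10.28-r1:`.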
@@ -75,4 +78,5 @@ x11() {
sha512sums="d699e5c115dd33c7667c32bf66db0a211e98678ba4b6a155541a705af2819cd45868ca9d33d57a2df7fb1a1ac072e09c8607157a7cd3f8664292c118ae164f61 dbus-1.10.28.tar.gz
5f07d8cb377ab80c927a77236c3f3437f08351161e594c62a1ad43f0324c2dba3cc98d50257ae27b9a4f5148571c5f26f35db8b40f13c72e92f267d5356c87f0 fix-int64-print.patch
+f05e2d14f072da81186e8a70d0895b37ee8f17c566b71865a72419218562e0f08544b7ea04daf6682dec5ff9ebab440c015f57a05abfb93610ec77caf9c2da97 CVE-2020-12049.patch
df74e7d6a4f76f777d356e94bd23422b17656aa51a5b2d3c655fcabb32c84f2f06b9f5cd8827920d51842f89e8c0d968a6e723315e4bf216e55711fcda9b0ee9 dbus.initd"
diff --git a/main/dbus/CVE-2020-12049.patch b/main/dbus/CVE-2020-12049.patch
new file mode 100644
index 00000000000..f1b04b4a650
--- /dev/null
+++ b/main/dbus/CVE-2020-12049.patch
@@ -0,0 +1,103 @@
+This is a combination of
+
+https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748.patch
+https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5.patch
+
+Applied against the 1.10 tree (the commits are for 1.12)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index b730971..4b0e390 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -432,18 +432,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ struct cmsghdr *cm;
+ dbus_bool_t found = FALSE;
+
+- if (m.msg_flags & MSG_CTRUNC)
+- {
+- /* Hmm, apparently the control data was truncated. The bad
+- thing is that we might have completely lost a couple of fds
+- without chance to recover them. Hence let's treat this as a
+- serious error. */
+-
+- errno = ENOSPC;
+- _dbus_string_set_length (buffer, start);
+- return -1;
+- }
+-
+ for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+ if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+ {
+@@ -498,6 +486,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ if (!found)
+ *n_fds = 0;
+
++ if (m.msg_flags & MSG_CTRUNC)
++ {
++ unsigned int i;
++
++ /* Hmm, apparently the control data was truncated. The bad
++ thing is that we might have completely lost a couple of fds
++ without chance to recover them. Hence let's treat this as a
++ serious error. */
++
++ /* We still need to close whatever fds we *did* receive,
++ * otherwise they'll never get closed. (CVE-2020-12049) */
++ for (i = 0; i < *n_fds; i++)
++ close (fds[i]);
++
++ *n_fds = 0;
++ errno = ENOSPC;
++ _dbus_string_set_length (buffer, start);
++ return -1;
++ }
++
+ /* put length back (doesn't actually realloc) */
+ _dbus_string_set_length (buffer, start + bytes_read);
+
+diff --git a/test/fdpass.c b/test/fdpass.c
+index 665b4a1..d8d9c67 100644
+--- a/test/fdpass.c
++++ b/test/fdpass.c
+@@ -50,6 +50,14 @@
+
+ #include "test-utils-glib.h"
+
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++#include <dbus/dbus-message-internal.h>
++#else
++typedef struct _DBusInitialFDs DBusInitialFDs;
++#define _dbus_check_fdleaks_enter() NULL
++#define _dbus_check_fdleaks_leave(fds) do {} while (0)
++#endif
++
+ /* Arbitrary; included here to avoid relying on the default */
+ #define MAX_MESSAGE_UNIX_FDS 20
+ /* This test won't work on Linux unless this is true. */
+@@ -91,6 +99,7 @@ typedef struct {
+ GQueue messages;
+
+ int fd_before;
++ DBusInitialFDs *initial_fds;
+ } Fixture;
+
+ static void oom (const gchar *doing) G_GNUC_NORETURN;
+@@ -172,6 +181,8 @@ test_connect (Fixture *f,
+ {
+ char *address;
+
++ f->initial_fds = _dbus_check_fdleaks_enter ();
++
+ g_assert (f->left_server_conn == NULL);
+ g_assert (f->right_server_conn == NULL);
+
+@@ -835,6 +846,9 @@ teardown (Fixture *f,
+ if (f->fd_before >= 0 && close (f->fd_before) < 0)
+ g_error ("%s", g_strerror (errno));
+ #endif
++
++ if (f->initial_fds != NULL)
++ _dbus_check_fdleaks_leave (f->initial_fds);
+ }
+
+ int
diff --git a/main/devicemaster-linux-vanilla/APKBUILD b/main/devicemaster-linux-vanilla/APKBUILD
index b0ae6cbadce..5bbcf9f019e 100644
--- a/main/devicemaster-linux-vanilla/APKBUILD
+++ b/main/devicemaster-linux-vanilla/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/dnsmasq/APKBUILD b/main/dnsmasq/APKBUILD
index cb61ea892a5..395843cff37 100644
--- a/main/dnsmasq/APKBUILD
+++ b/main/dnsmasq/APKBUILD
@@ -2,6 +2,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 2.80-r4:
+# - CVE-2019-14834
# 2.79-r0:
# - CVE-2017-15107
# 2.78-r0:
@@ -15,7 +17,7 @@
#
pkgname=dnsmasq
pkgver=2.80
-pkgrel=3
+pkgrel=4
pkgdesc="A lightweight DNS, DHCP, RA, TFTP and PXE server"
url="http://www.thekelleys.org.uk/dnsmasq/"
arch="all"
@@ -29,6 +31,7 @@ source="http://www.thekelleys.org.uk/dnsmasq/$pkgname-$pkgver.tar.gz
$pkgname.initd
$pkgname.confd
uncomment-conf-dir.patch
+ CVE-2019-14834.patch
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -76,4 +79,5 @@ dnssec() {
sha512sums="da50030ac96617fbb7d54d5ef02d2ed1e14ec1ebe0df49bc23a1509381bc1644cf6fb95ff72ed15e0ad1e9bd6aa11ec6e4dcabec8ebb152da0d84f9a4408565b dnsmasq-2.80.tar.gz
a7d64a838d10f4f69e0f2178cf66f0b3725901696e30df9e8e3e09f2afd7c86e9d95af64d2b63ef66f18b8a637397b7015573938df9ad961e2b36c391c3ac579 dnsmasq.initd
9a401bfc408bf1638645c61b8ca734bea0a09ef79fb36648ec7ef21666257234254bbe6c73c82cc23aa1779ddcdda0e6baa2c041866f16dfb9c4e0ba9133eab8 dnsmasq.confd
-01e9e235e667abda07675009fb1947547863e0bb0256393c5a415978e2a49c1007585c7f0b51e8decce79c05e6f2ced3f400b11343feaa4de9b2e524f74a1ee3 uncomment-conf-dir.patch"
+01e9e235e667abda07675009fb1947547863e0bb0256393c5a415978e2a49c1007585c7f0b51e8decce79c05e6f2ced3f400b11343feaa4de9b2e524f74a1ee3 uncomment-conf-dir.patch
+d4d11945578430da629d7a38b00eb552cd95b1c438a0b85b63ba637ed19b4283623e39692f48146132b7cb5d453eaa3c07680f1514017d8d458e347153215a9b CVE-2019-14834.patch"
diff --git a/main/dnsmasq/CVE-2019-14834.patch b/main/dnsmasq/CVE-2019-14834.patch
new file mode 100644
index 00000000000..5f60f5f1d97
--- /dev/null
+++ b/main/dnsmasq/CVE-2019-14834.patch
@@ -0,0 +1,46 @@
+From 69bc94779c2f035a9fffdb5327a54c3aeca73ed5 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 14 Aug 2019 20:44:50 +0100
+Subject: [PATCH] Fix memory leak in helper.c
+
+Thanks to Xu Mingjie <xumingjie1995@outlook.com> for spotting this.
+---
+ src/helper.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/helper.c b/src/helper.c
+index 33ba120..c392eec 100644
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -80,7 +80,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+ pid_t pid;
+ int i, pipefd[2];
+ struct sigaction sigact;
+-
++ unsigned char *alloc_buff = NULL;
++
+ /* create the pipe through which the main program sends us commands,
+ then fork our process. */
+ if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
+@@ -186,11 +187,16 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+ struct script_data data;
+ char *p, *action_str, *hostname = NULL, *domain = NULL;
+ unsigned char *buf = (unsigned char *)daemon->namebuff;
+- unsigned char *end, *extradata, *alloc_buff = NULL;
++ unsigned char *end, *extradata;
+ int is6, err = 0;
+ int pipeout[2];
+
+- free(alloc_buff);
++ /* Free rarely-allocated memory from previous iteration. */
++ if (alloc_buff)
++ {
++ free(alloc_buff);
++ alloc_buff = NULL;
++ }
+
+ /* we read zero bytes when pipe closed: this is our signal to exit */
+ if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
+--
+1.7.10.4
+
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index 8203823d11f..3ca3451bfca 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -4,10 +4,10 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dovecot
-pkgver=2.3.7.2
+pkgver=2.3.10.1
_pkgvermajor=2.3
pkgrel=1
-_pigeonholever=0.5.7.2
+_pigeonholever=0.5.10
_pigeonholevermajor=${_pigeonholever%.*}
pkgdesc="IMAP and POP3 server"
url="https://www.dovecot.org/"
@@ -61,6 +61,8 @@ source="https://www.dovecot.org/releases/$_pkgvermajor/$pkgname-$pkgver.tar.gz
skip-iconv-check.patch
split-protocols.patch
default-config.patch
+ CVE-2020-12673.patch
+ CVE-2020-12674.patch
dovecot.logrotate
dovecot.initd
"
@@ -68,6 +70,15 @@ builddir="$srcdir/$pkgname-$pkgver"
_builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"
# secfixes:
+# 2.3.10.1-r1:
+# - CVE-2020-12673
+# - CVE-2020-12674
+# 2.3.10.1-r0:
+# - CVE-2020-10957
+# - CVE-2020-10958
+# - CVE-2020-10967
+# - CVE-2020-7046
+# - CVE-2020-7957
# 2.3.7.2-r0:
# - CVE-2019-11500
# 2.3.6-r0:
@@ -303,10 +314,12 @@ _submv() {
done
}
-sha512sums="172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d dovecot-2.3.7.2.tar.gz
-7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 dovecot-2.3-pigeonhole-0.5.7.2.tar.gz
+sha512sums="5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 dovecot-2.3.10.1.tar.gz
+f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b dovecot-2.3-pigeonhole-0.5.10.tar.gz
fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch
794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch
0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch
+54d5b1bfbc9fcdc00a5c943420bcbbfc8f0107ab2ff160ef0b2f73093a23766e0fcdb4cfc7944def40526414f97aff818cac6bdec155a6f3962f477b210a8ed5 CVE-2020-12673.patch
+3599ca53dff1234dcea483006a82ec7276c1feee8df4f1df50f0b080202e351dd34e011af1bbdbdce1d9db54761beb0890b0be6e4ce7ed86e62513896c072e0c CVE-2020-12674.patch
9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate
d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd"
diff --git a/main/dovecot/CVE-2020-12673.patch b/main/dovecot/CVE-2020-12673.patch
new file mode 100644
index 00000000000..9dd26e0350f
--- /dev/null
+++ b/main/dovecot/CVE-2020-12673.patch
@@ -0,0 +1,31 @@
+From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+ src/lib-ntlm/ntlm-message.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
+index 160b9f918c..a29413b47e 100644
+--- a/src/lib-ntlm/ntlm-message.c
++++ b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
+ if (length == 0 && space == 0)
+ return TRUE;
+
++ if (length > data_size) {
++ *error = "buffer length out of bounds";
++ return FALSE;
++ }
++
+ if (offset >= data_size) {
+ *error = "buffer offset out of bounds";
+ return FALSE;
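Review bot: The added guard `if (length > data_size)` bounds `length` on its own, not the end of the region that starts at `offset`. The following checks are only partly visible in the hunk, and the one that is visible constrains `offset` alone, so a `length` larger than what remains after `offset` may still pass unless a later check outside the hunk covers it. It would be tighter to place a check after the offset test that compares against the remaining size, `if (length > data_size - offset)`, returning the same "buffer length out of bounds" error. Whether the caller reads `length` or `space` bytes should be confirmed against the rest of `ntlmssp_check_buffer` and its users.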
diff --git a/main/dovecot/CVE-2020-12674.patch b/main/dovecot/CVE-2020-12674.patch
new file mode 100644
index 00000000000..a9dca2a82dd
--- /dev/null
+++ b/main/dovecot/CVE-2020-12674.patch
@@ -0,0 +1,22 @@
+From 69ad3c902ea4bbf9f21ab1857d8923f975dc6145 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Wed, 6 May 2020 13:40:36 +0300
+Subject: [PATCH] auth: mech-rpa - Fail on zero len buffer
+
+---
+ src/auth/mech-rpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
+index 08298ebdd6..2de8705b4f 100644
+--- a/src/auth/mech-rpa.c
++++ b/src/auth/mech-rpa.c
+@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
+ return 0;
+
+ len = *p++;
+- if (p + len > end)
++ if (p + len > end || len == 0)
+ return 0;
+
+ *buffer = p_malloc(pool, len);
diff --git a/main/drbd9-vanilla/APKBUILD b/main/drbd9-vanilla/APKBUILD
index 9fea34ad1b8..ae51e4c86fd 100644
--- a/main/drbd9-vanilla/APKBUILD
+++ b/main/drbd9-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kabi="$_kver-$_krel-$_flavor"
_kpkgver="$_kver-r$_krel"
diff --git a/main/dropbear/APKBUILD b/main/dropbear/APKBUILD
index 570be697301..8d0fb472be7 100644
--- a/main/dropbear/APKBUILD
+++ b/main/dropbear/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dropbear
pkgver=2018.76
-pkgrel=2
+pkgrel=3
pkgdesc="small SSH 2 client/server designed for small memory environments"
url="http://matt.ucc.asn.au/dropbear/dropbear.html"
arch="all"
@@ -23,9 +23,12 @@ source="https://matt.ucc.asn.au/dropbear/releases/${pkgname}-${pkgver}.tar.bz2
dropbear-0.53.1-static_build_fix.patch
dropbear-options_sftp-server_path.patch
CVE-2018-15599.patch
+ CVE-2018-20685.patch
"
# secfixes:
+# 2018.76-r3:
+# - CVE-2018-20685
# 2018.76-r2:
# - CVE-2018-15599
@@ -89,4 +92,5 @@ sha512sums="82323279f7e78c366ba1ea07ff242259132b2576122429f54326518dd6092aba8ae5
83f2c1eaf7687917a4b2bae7d599d4378c4bd64f9126ba42fc5d235f2b3c9a474d1b3168d70ed64bb4101cc251d30bc9ae20604da9b5d819fcd635ee4d0ebb0f dropbear.confd
c9b0f28eb9653de21da4e8646fc27870a156112bce3d8a13baa6154ebf4baada3dee4f75bd5fdf5b6cd24a43fb80fb009e917d139d9e65d35118b082de0ebfbf dropbear-0.53.1-static_build_fix.patch
e11456ec3bc7e1265727c8921a6eb6151712a9a498c7768e2d4b7f9043256099457cebf29b2d47dd61eb260746d97f4b19e9429443bda1c3e441ea50ced79b48 dropbear-options_sftp-server_path.patch
-f204c2ee5aea8c0962573c4c49479ac17e9f6a9ab9ce21060a252b449323be841c1e64460f0e191fc72c6e213ffe829544418715d120a8f6c40de7b6374428e0 CVE-2018-15599.patch"
+f204c2ee5aea8c0962573c4c49479ac17e9f6a9ab9ce21060a252b449323be841c1e64460f0e191fc72c6e213ffe829544418715d120a8f6c40de7b6374428e0 CVE-2018-15599.patch
+6f17cf2b344b97457d2e0c1588fd285fac9757aa5e46aa2c103783978cc5fd9f7085aba36e7409270380d1250a277b43b0f5ff860d157148c6c28a0bbcbdce4c CVE-2018-20685.patch"
diff --git a/main/dropbear/CVE-2018-20685.patch b/main/dropbear/CVE-2018-20685.patch
new file mode 100644
index 00000000000..a8ea2af85b4
--- /dev/null
+++ b/main/dropbear/CVE-2018-20685.patch
@@ -0,0 +1,23 @@
+From 8f8a3dff705fad774a10864a2e3dbcfa9779ceff Mon Sep 17 00:00:00 2001
+From: Haelwenn Monnier <contact+github.com@hacktivis.me>
+Date: Mon, 25 May 2020 14:54:29 +0200
+Subject: [PATCH] scp.c: Port OpenSSH CVE-2018-20685 fix (#80)
+
+---
+ scp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scp.c b/scp.c
+index 742ae00f..7b8e7d22 100644
+--- a/scp.c
++++ b/scp.c
+@@ -935,7 +935,8 @@ sink(int argc, char **argv)
+ size = size * 10 + (*cp++ - '0');
+ if (*cp++ != ' ')
+ SCREWUP("size not delimited");
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ } \ No newline at end of file
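Review bot: The rejection path right after the new condition, `run_err("error: unexpected filename: %s", cp)`, prints the peer-supplied name as received, and the widened check sends more inputs down that path. Whether run_err filters control characters is not visible in this hunk; if it does not, the name should be escaped or left out of the message, e.g. `run_err("error: unexpected filename");`. The patch file also ends without a trailing newline, as its final marker shows. sink() starts and ends outside the hunk.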
diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD
index 8e1fc8af6b3..aacb951b4f4 100644
--- a/main/e2fsprogs/APKBUILD
+++ b/main/e2fsprogs/APKBUILD
@@ -2,28 +2,28 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=e2fsprogs
pkgver=1.44.5
-pkgrel=1
+pkgrel=2
pkgdesc="Standard Ext2/3/4 filesystem utilities"
url="http://e2fsprogs.sourceforge.net"
arch="all"
license="GPL-2.0-or-later LGPL-2.0 BSD-3-Clause MIT"
-depends=""
depends_dev="util-linux-dev"
options="!check"
makedepends="$depends_dev linux-headers"
subpackages="$pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra"
-source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz
+source="https://www.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v$pkgver/e2fsprogs-$pkgver.tar.xz
gnuc-prereq.patch
CVE-2019-5094.patch
+ CVE-2019-5188.patch
"
-builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.44.5-r2:
+# - CVE-2019-5188
# 1.44.5-r1:
# - CVE-2019-5094
-build () {
- cd "$builddir"
+build() {
./configure \
--build=$CBUILD \
--host=$CHOST \
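Review bot: With `builddir=` and the `cd "$builddir"` lines removed, build() here and package() in the next hunk run in whatever directory abuild leaves them in. That is fine only if the abuild shipped on this stable branch defaults builddir to `$srcdir/$pkgname-$pkgver` and enters it before each phase, which this page does not show. Other APKBUILDs in the same change (freetds, gd) still `cd "$builddir"` explicitly, and the gnutls APKBUILD hunks make the same removal in build() and check(). If the default is not guaranteed on this branch, keep `cd "$builddir"` as the first line of each function.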
@@ -39,7 +39,6 @@ build () {
}
package() {
- cd "$builddir"
make -j1 MKDIR_P="install -d" DESTDIR="$pkgdir" install install-libs
mv "$pkgdir"/sbin/* "$pkgdir"/usr/sbin/
local i; for i in e2fsck mke2fs mkfs.* fsck.*; do
@@ -72,4 +71,5 @@ extra() {
}
sha512sums="c0faec90b2be81460d374c150be917cd6beb1d10dc7cd0c6c4747de19de9af1763e90d48aec5b3c0fbff1b59bf79a35f93536cd52e68d1e45d4db610e158bb2e e2fsprogs-1.44.5.tar.xz
155340b6fec21419fa9ca27ff1bd8e12f679013dd82f4dc0cd1feae2dbf143a942d6d4427a1e966e68fa37ecb282880ff5d07a3760ee8d6ac7f7c5e34a276735 gnuc-prereq.patch
-72e7d8199ea071802fbe74fbb2153253e5460412b115e03750ecac46d298aeb73bd8e7610a2d5b8be83b7125080c7e9e23d9b71baee1c7a4f68026344106a922 CVE-2019-5094.patch"
+72e7d8199ea071802fbe74fbb2153253e5460412b115e03750ecac46d298aeb73bd8e7610a2d5b8be83b7125080c7e9e23d9b71baee1c7a4f68026344106a922 CVE-2019-5094.patch
+3147433f58b283faa46ca950921d814de832dc8e33cf5042c7e86078738f256ccf7be40b918ba11a467d04761ffcac85e12a8de4d86e745bca84f0198ba2f176 CVE-2019-5188.patch"
diff --git a/main/e2fsprogs/CVE-2019-5188.patch b/main/e2fsprogs/CVE-2019-5188.patch
new file mode 100644
index 00000000000..d60b118ac32
--- /dev/null
+++ b/main/e2fsprogs/CVE-2019-5188.patch
@@ -0,0 +1,51 @@
+diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
+index 5693b9c..bca701c 100644
+--- a/e2fsck/pass1b.c
++++ b/e2fsck/pass1b.c
+@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
+ fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
+ if (ctx->inode_bad_map)
+ ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
++ if (ctx->inode_reg_map)
++ ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
++ ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
++ ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
+ ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
+ quota_data_sub(ctx->qctx, &dp->inode, ino,
+ pb.dup_blocks * fs->blocksize);
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index a5fc1be..2c908be 100644
+--- a/e2fsck/rehash.c
++++ b/e2fsck/rehash.c
+@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
+ dir_offset += rec_len;
+ if (dirent->inode == 0)
+ continue;
++ if ((name_len) == 0) {
++ fd->err = EXT2_ET_DIR_CORRUPTED;
++ return BLOCK_ABORT;
++ }
+ if (!fd->compress && (name_len == 1) &&
+ (dirent->name[0] == '.'))
+ continue;
+@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
+ continue;
+ }
+ new_len = ext2fs_dirent_name_len(ent->dir);
++ if (new_len == 0) {
++ /* should never happen */
++ ext2fs_unmark_valid(fs);
++ continue;
++ }
+ memcpy(new_name, ent->dir->name, new_len);
+ mutate_name(new_name, &new_len);
+ for (j=0; j < fd->num_array; j++) {
+@@ -1019,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
+ if (!ext2fs_u32_list_iterate(iter, &ino))
+ break;
+ }
++ if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
++ continue;
+
+ pctx.dir = ino;
+ if (first) {
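Review bot: This patch file starts directly at `diff --git` with no From/Subject/origin header, so the upstream commits it was taken from cannot be checked from the file itself; it touches two source files and may combine more than one upstream change. A short header would fix that, for example `Origin: <upstream commit URL>` plus a one-line description per change. main/gst-plugins-base/CVE-2019-9928.patch is added the same way. In the delete_file hunk, `inode_dir_map` and `inode_used_map` are unmarked without the NULL guard that `inode_bad_map` and `inode_reg_map` get; presumably both are always allocated at that point, which is worth a comment.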
diff --git a/main/exiv2/APKBUILD b/main/exiv2/APKBUILD
index 1b9add39761..b3593991049 100644
--- a/main/exiv2/APKBUILD
+++ b/main/exiv2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=exiv2
pkgver=0.26
-pkgrel=0
+pkgrel=1
pkgdesc="Exif and Iptc metadata manipulation library and tools."
url="http://exiv2.org"
arch="all"
@@ -14,8 +14,13 @@ subpackages="$pkgname-dev $pkgname-doc"
source="http://exiv2.org/releases/exiv2-$pkgver-trunk.tar.gz
0000-pthread-init-fix.patch
0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
+ CVE-2019-17402.patch
"
+# secfixes:
+# 0.26-r1:
+# - CVE-2019-17402
+
builddir="$srcdir"/exiv2-trunk
prepare() {
default_prepare
@@ -38,4 +43,5 @@ package() {
sha512sums="d1e9cab886e279b045768dd9ec781f07d2d36d573119403d0b76dc571442173aae6972f86ec55c3ea53fb3ee9ca3571eb8fd63a2a6643a970852813e88634a86 exiv2-0.26-trunk.tar.gz
9721d359708c385be7c86a8f8a63de43b05b2578a29b4339861e82873aa81a98a7ee7252847b6c55529341187d40f552c488589b416fd9d1e27418925929c018 0000-pthread-init-fix.patch
-485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch"
+485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
+b408ec85b5aa0fde6e08a277292ebde90f25b31605ba29039464e217c7f249d9ffeebfef9dc187955663d0b02ccafc020c16c4a5342cd38483816a1f9038c2d0 CVE-2019-17402.patch"
diff --git a/main/exiv2/CVE-2019-17402.patch b/main/exiv2/CVE-2019-17402.patch
new file mode 100644
index 00000000000..c6b5166adb0
--- /dev/null
+++ b/main/exiv2/CVE-2019-17402.patch
@@ -0,0 +1,32 @@
+From cb2467834d118ae11526f7d24a699799ce5c4912 Mon Sep 17 00:00:00 2001
+From: Jens Georg <mail@jensge.org>
+Date: Sun, 6 Oct 2019 15:05:20 +0200
+Subject: [PATCH 1/2] crwimage: Check offset and size against total size
+
+Corrupted or specially crafted CRW images might exceed the overall
+buffersize.
+
+Fixes #1019
+
+(cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b)
+---
+ src/crwimage.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/crwimage.cpp b/src/crwimage.cpp
+index 989c0eb8..a0978aaf 100644
+--- a/src/crwimage.cpp
++++ b/src/crwimage.cpp
+@@ -448,6 +448,9 @@ namespace Exiv2 {
+ #ifdef DEBUG
+ std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
+ #endif
++ if (this->offset() + this->size() > size)
++ throw Error(26);
++
+ readDirectory(pData + offset(), this->size(), byteOrder);
+ #ifdef DEBUG
+ std::cout << "<---- 0x" << std::hex << tag() << "\n";
+--
+2.24.1
+
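Review bot: The added check `this->offset() + this->size() > size` can wrap around if offset(), size() and `size` are 32-bit unsigned values (their declarations are outside the hunk). A corrupted offset/size pair whose sum overflows would then pass the check and still reach `readDirectory(pData + offset(), this->size(), byteOrder)`. Comparing without the addition closes that gap: `if (this->offset() > size || this->size() > size - this->offset()) throw Error(26);`. The enclosing function starts and ends outside the hunk.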
diff --git a/main/file/APKBUILD b/main/file/APKBUILD
index 3d0e54def2c..51d2062f222 100644
--- a/main/file/APKBUILD
+++ b/main/file/APKBUILD
@@ -15,7 +15,7 @@ builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 5.36-r1:
-# - CVE-2019-19218
+# - CVE-2019-18218
# 5.36-r0:
# - CVE-2019-8904
# - CVE-2019-8905
diff --git a/main/freetds/APKBUILD b/main/freetds/APKBUILD
index 0337a839df3..2e3143a4dec 100644
--- a/main/freetds/APKBUILD
+++ b/main/freetds/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=freetds
pkgver=1.00.104
-pkgrel=0
+pkgrel=1
pkgdesc="Tabular Datastream Library"
url="http://www.freetds.org"
arch="all"
@@ -11,10 +11,15 @@ makedepends="openssl-dev linux-headers readline-dev unixodbc-dev"
subpackages="$pkgname-doc $pkgname-dev"
source="http://www.freetds.org/files/stable/$pkgname-$pkgver.tar.bz2
fix-includes.patch
+ CVE-2019-13508.patch
"
builddir="$srcdir/$pkgname-$pkgver"
options="!check" # tests require running SQL server http://www.freetds.org/userguide/confirminstall.htm#TESTS
+# secfixes:
+# 1.1.6-r1:
+# - CVE-2019-13508
+
build() {
cd "$builddir"
./configure \
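Review bot: The new secfixes entry is keyed `1.1.6-r1`, but this APKBUILD builds pkgver=1.00.104 with pkgrel bumped to 1, so the fix is recorded against a version this file does not build. Tooling that reads the secfixes block would then not see 1.00.104-r1 as fixed for CVE-2019-13508. The key should be `#   1.00.104-r1:`. The gd APKBUILD has the same kind of mismatch: pkgrel goes from 3 to 4 there while the new entries are filed under `2.2.5-r3`, which should read `2.2.5-r4`.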
@@ -42,4 +47,5 @@ package() {
}
sha512sums="6467437ccc2d59edd0baffe9a93a16407a5d74695d339625b0f9c4b138eb3dee432f38ad3753f6bb3ee24d3fb8887ce455b3d8ded4759358798c8d422f16dd19 freetds-1.00.104.tar.bz2
-d75d1aab6687586697f3e430db1e82f21208f10076b45996542eea682e36cbbbb344f479a9336fcfd294b5b87d7acb2ec5fb8ddd1914e990e23dd5e7ae93a0b6 fix-includes.patch"
+d75d1aab6687586697f3e430db1e82f21208f10076b45996542eea682e36cbbbb344f479a9336fcfd294b5b87d7acb2ec5fb8ddd1914e990e23dd5e7ae93a0b6 fix-includes.patch
+d654640796c64bdae87f91e43701d689f9ba7b8c28cd21b07b58d0e0b9033d46a4b67e4a71a44ff1a793661c89d1bfb9e4ce5b52397ea8e898d0481b2afa5000 CVE-2019-13508.patch"
diff --git a/main/freetds/CVE-2019-13508.patch b/main/freetds/CVE-2019-13508.patch
new file mode 100644
index 00000000000..fa7df8dab1e
--- /dev/null
+++ b/main/freetds/CVE-2019-13508.patch
@@ -0,0 +1,30 @@
+From 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Tue, 9 Jul 2019 09:26:43 +0100
+Subject: [PATCH] tds: Make sure UDT has varint set to 8
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+---
+ src/tds/data.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/tds/data.c b/src/tds/data.c
+index c10ebe1ca..0c5e90f95 100644
+--- a/src/tds/data.c
++++ b/src/tds/data.c
+@@ -1425,6 +1425,7 @@ tds_clrudt_get_info(TDSSOCKET * tds, TDSCOLUMN * col)
+ tds_get_string(tds, tds_get_usmallint(tds), NULL, 0);
+
+ col->column_size = 0x7ffffffflu;
++ col->column_varint_size = 8;
+
+ return TDS_SUCCESS;
+ }
+@@ -1432,6 +1433,7 @@ tds_clrudt_get_info(TDSSOCKET * tds, TDSCOLUMN * col)
+ TDS_INT
+ tds_clrudt_row_len(TDSCOLUMN *col)
+ {
++ col->column_varint_size = 8;
+ /* TODO save other fields */
+ return sizeof(TDSBLOB);
+ }
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index c4363e5414c..bcee7aed1d8 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=freetype
pkgver=2.9.1
-pkgrel=2
+pkgrel=3
pkgdesc="TrueType font rendering library"
url="https://www.freetype.org/"
arch="all"
@@ -15,9 +15,12 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.bz2
0001-Enable-table-validation-modules.patch
subpixel.patch
+ CVE-2020-15999.patch
"
# secfixes:
+# 2.9.1-r3:
+# - CVE-2020-15999
# 2.9-r1:
# - CVE-2018-6942
# 2.7.1-r1:
@@ -56,4 +59,5 @@ package() {
sha512sums="856766e1f3f4c7dc8afb2b5ee991138c8b642c6a6e5e007cd2bc04ae58bde827f082557cf41bf541d97e8485f7fd064d10390d1ee597f19d1daed6c152e27708 freetype-2.9.1.tar.bz2
41a84be2631b53072a76b78c582575aa48b650ee7b00017d018381002bc25df10cf33da4954c95ef50db39f1fa566678e3b4ae9bfee1dfd705423fb53e53e494 0001-Enable-table-validation-modules.patch
-6206ecbf733e47beeacd8dcec747be46ee74beffe9955ba11d61ccd81a7da6fe4bef81e15f2da8a57ded6245dc41b865f1297f120c2e332f643a43e18db99394 subpixel.patch"
+6206ecbf733e47beeacd8dcec747be46ee74beffe9955ba11d61ccd81a7da6fe4bef81e15f2da8a57ded6245dc41b865f1297f120c2e332f643a43e18db99394 subpixel.patch
+fe697a15777b44bb36c705aa4e13f352329c418de89e3d457381d0852ca2931dfa6d6b6ebc6c59322ba2af94e956f06a31e25f0d57db139f5ba2ce79fa5a8fd9 CVE-2020-15999.patch"
diff --git a/main/freetype/CVE-2020-15999.patch b/main/freetype/CVE-2020-15999.patch
new file mode 100644
index 00000000000..067aa7e4605
--- /dev/null
+++ b/main/freetype/CVE-2020-15999.patch
@@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+
+ if ( populate_map_and_metrics )
+ {
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
++
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+
+@@ -340,13 +347,6 @@
+ map->pixel_mode = FT_PIXEL_MODE_BGRA;
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+-
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+ }
+
+ /* convert palette/gray image to rgb */
+--
+cgit v1.2.1
+
+
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index 9a5ffe91c04..a8abc50656a 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=gd
pkgver=2.2.5
-pkgrel=3
+pkgrel=4
_pkgreal=lib$pkgname
pkgdesc="Library for the dynamic creation of images by programmers"
url="https://libgd.github.io/"
@@ -13,7 +13,9 @@ makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev
subpackages="$pkgname-dev $_pkgreal:libs"
source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz
CVE-2018-1000222.patch
+ CVE-2018-14553.patch
CVE-2018-5711.patch
+ CVE-2019-11038.patch
CVE-2019-6977.patch
CVE-2019-6978.patch
"
@@ -23,12 +25,15 @@ case "$CARCH" in
esac
# secfixes:
+# 2.2.5-r3:
+# - CVE-2018-14553
+# - CVE-2019-11038
# 2.2.5-r2:
-# - CVE-2018-5711
-# - CVE-2019-6977
-# - CVE-2019-6978
+# - CVE-2018-5711
+# - CVE-2019-6977
+# - CVE-2019-6978
# 2.2.5-r1:
-# - CVE-2018-1000222
+# - CVE-2018-1000222
build() {
cd "$builddir"
@@ -62,6 +67,8 @@ dev() {
sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz
d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch
+9bf1677d69d04f41eba48b48e853ad706f3097edb1a96c3b681b516708be0ba199c463e7b3e44f52921e14028a7c4d74977d66e7f456b9f96d935ce9db342c0e CVE-2018-14553.patch
b23929f10ad75fa97d2ff797ef44d185cfe6de4f26b649e8e507b6fc41ebdb527ab4633d10df955c92d677428d9ed1707d9997954a1bcfb0070995191211d886 CVE-2018-5711.patch
+a56397fb310c94d4dc9c565dcec17ffd7411e1957ba45f1093e9fffad74192c244b1ef4f9d954c052f589fd5b4d1cc37ca5d53d8db569cee09a7bdc38bfc4eaf CVE-2019-11038.patch
5214ac4148c618f3fef3bb3b6675e41a76e31465cd8dac326ee99dc1ae4cfe760749997d2941743efa48e79b8dbdb536d6b6d79d9bc4e5363f2c50da52ab5cac CVE-2019-6977.patch
2f70f041b531a23d0bac5c5370a3fb135ca8facaa7baf1554baf35135cc9c6e21de9c09400d939e133ad090b9aa23fa901ea7b5cd9ea20d11edc38257601eb97 CVE-2019-6978.patch"
diff --git a/main/gd/CVE-2018-14553.patch b/main/gd/CVE-2018-14553.patch
new file mode 100644
index 00000000000..816bd9ccc96
--- /dev/null
+++ b/main/gd/CVE-2018-14553.patch
@@ -0,0 +1,32 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+
+diff --git a/src/gd.c b/src/gd.c
+index 592a0286..d564d1f9 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ }
+ }
+
+- if (src->styleLength > 0) {
+- dst->styleLength = src->styleLength;
+- dst->stylePos = src->stylePos;
+- for (i = 0; i < src->styleLength; i++) {
+- dst->style[i] = src->style[i];
+- }
+- }
+-
+ dst->interlace = src->interlace;
+
+ dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+
+ if (src->style) {
+ gdImageSetStyle(dst, src->style, src->styleLength);
++ dst->stylePos = src->stylePos;
+ }
+
+ for (i = 0; i < gdMaxColors; i++) {
diff --git a/main/gd/CVE-2019-11038.patch b/main/gd/CVE-2019-11038.patch
new file mode 100644
index 00000000000..1ccb9c1c153
--- /dev/null
+++ b/main/gd/CVE-2019-11038.patch
@@ -0,0 +1,36 @@
+From e13a342c079aeb73e31dfa19eaca119761bac3f3 Mon Sep 17 00:00:00 2001
+From: Jonas Meurer <jonas@freesources.org>
+Date: Tue, 11 Jun 2019 12:16:46 +0200
+Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm
+ (CVE-2019-11038)
+
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
+Bug-Debian: https://bugs.debian.org/929821
+Bug: https://github.com/libgd/libgd/issues/501
+
+We have to ensure that `sscanf()` does indeed read a hex value here,
+and bail out otherwise.
+
+Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
+https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
+---
+ src/gd_xbm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 4ca41acf..cf0545ef 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ }
+ h[3] = ch;
+ }
+- sscanf(h, "%x", &b);
++ if (sscanf(h, "%x", &b) != 1) {
++ gd_error("invalid XBM");
++ gdImageDestroy(im);
++ return 0;
++ }
+ for (bit = 1; bit <= max_bit; bit = bit << 1) {
+ gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+ if (x == im->sx) {
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index 68b83c4bb5a..978938f8b9c 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.26
-pkgrel=4
+pkgrel=5
pkgdesc="An interpreter for the PostScript language and for PDF"
url="https://ghostscript.com/"
arch="all"
@@ -12,7 +12,6 @@ makedepends="autoconf automake libjpeg-turbo-dev libpng-dev jasper-dev expat-dev
cups-dev libtool jbig2dec-dev openjpeg-dev"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk"
source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostscript-$pkgver.tar.gz
- https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/0001-Bug700317-Address-.force-operators-exposure.tgz
CVE-2019-6116.patch
CVE-2019-3835.patch
CVE-2019-3838.patch
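Review bot: Dropping `0001-Bug700317-Address-.force-operators-exposure.tgz` from source= (and its checksum in the last hunk) removes a security patch bundle without saying why. prepare() is not part of the visible hunks, so it cannot be confirmed here whether the bundle's patches were applied before, or whether `CVE-2019-6116.patch` carries the same changes. Please confirm the built package keeps those changes. The removal of the `9.26-r1` secfixes entry further down depends on the same answer.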
@@ -23,10 +22,13 @@ source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/
0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
CVE-2019-14817.patch
+ CVE-2019-14869.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 9.26-r5:
+# - CVE-2019-14869
# 9.26-r4:
# - CVE-2019-14811
# - CVE-2019-14812
@@ -38,8 +40,6 @@ builddir="$srcdir/$pkgname-$pkgver"
# - CVE-2019-3835
# - CVE-2019-3838
# - CVE-2019-6116
-# 9.26-r1:
-# - CVE-2019-6116
# 9.26-r0:
# - CVE-2018-19409
# - CVE-2018-19475
@@ -146,7 +146,6 @@ gtk() {
}
sha512sums="670159c23618ffafa85c671642bf182a107a82c053a1fd8c3f45f73f203524077be1b212d2ddbabae7892c7713922877e03b020f78bd2aab1ae582c4fc7d820a ghostscript-9.26.tar.gz
-289d916a0b0da410e6f721e42bc44659c91c66ca0f7b96b1a6b010ae1c25e47788e282edc3578b4e4b120a2c684c7b1fd4cc574084bdc9cbbf6e431a01fbae0e 0001-Bug700317-Address-.force-operators-exposure.tgz
78564c1dd878cb6a924663cb5d61901a413a867dedc8753e537e08a4da9cc0aaeb817bab266fd66e5d0e871d9ed6078af6e6f455b5426e0917875682d76638f5 CVE-2019-6116.patch
31769852e75be4e1cd0e7c3f43cc7b3457bf9ba505fc2a5acda53779cc5626854bf15fef3e225f3d922f4038dd18c598dbac30abb863159202e4d0fe02c02d3b CVE-2019-3835.patch
dc3bd1de86e4a968ed35a35a125f682cffeed51fe4dbf9b3939dd78b07ef0748fe6b34816e689bcfffb4f819e51bcb5022f3151a5610aa24fd2468cdcbc665ea CVE-2019-3838.patch
@@ -156,4 +155,5 @@ beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771
b61a1c5d818c054463e606a9f85e4f4a308ac839f734d6200dfc3b74e3859ac64b23996ff1bf4c90a0ee95acf10dfa19d066fda0b6fb11689294d0dc4267689e CVE-2019-14811-14812-14813.patch
8036fa8a7175546dc3aae8619c92fa38016a8be132bb2a3a01f16ba66b5d9c05581dba40c1f184380b43b4e0b079d3cace7e401f9ed5fd718f36fbe7038649bc 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
26ad5e996d4724a1683083c1abfdd39ebf41f5e7478a061f5713e11f2ffaf3834fe52f29e03d585044c7536b1201a97626f3640324abdc3e90b6ecc2a2db399b 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
-63b7d1a30045e454eba0bcceba52fd402c5fd9313c0057100bb98d2e82c1d61cd404826f63c4b9d7e4fdf4935c71f09a9633d43edbcd0658fb5dc5e20afc6ca0 CVE-2019-14817.patch"
+63b7d1a30045e454eba0bcceba52fd402c5fd9313c0057100bb98d2e82c1d61cd404826f63c4b9d7e4fdf4935c71f09a9633d43edbcd0658fb5dc5e20afc6ca0 CVE-2019-14817.patch
+d0fc37c94abf1104ff5c17e0c36bd02799fa9b06b2f57d764bf79a0b6927cd8be8a59c58f40d3727954877f44754aa1b0ad6c3d8dc79bf3c6ae4991a7a56cf9e CVE-2019-14869.patch"
diff --git a/main/ghostscript/CVE-2019-14869.patch b/main/ghostscript/CVE-2019-14869.patch
new file mode 100644
index 00000000000..9b66436fa84
--- /dev/null
+++ b/main/ghostscript/CVE-2019-14869.patch
@@ -0,0 +1,58 @@
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 5 Nov 2019 09:45:27 +0000
+Subject: Bug 701841: remove .forceput from /.charkeys
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=485904772c5f0aa1140032746e5a0abfc40f4cef
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701841
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14869
+
+When loading Type 1 or Truetype fonts from disk, we attempt to extend the glyph
+name table to include all identifiable glyph names from the Adobe Glyph List.
+
+In the case of Type 1 fonts, the font itself (almost always) marks the
+CharStrings dictionary as read-only, hence we have to use .forceput for that
+case.
+
+But for Truetype fonts, the CharStrings dictionary is created internally and is
+not read-only until *after* we have fully populated it (including the extended
+glyph names from the AGL), hence there is no need for .forceput, and no need to
+carry the security risk of using it.
+
+Replace with regular put.
+[Salvatore Bonaccorso: Backport to 9.26a: Drop last hunck removing
+'executeonly' (hiding .forceput) as this was never added back in 9.26a. Thanks
+to Marc Deslauriers for pointing this out]
+---
+ Resource/Init/gs_ttf.ps | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
+index 74043d16b0cf..6be8fe9955cd 100644
+--- a/Resource/Init/gs_ttf.ps
++++ b/Resource/Init/gs_ttf.ps
+@@ -1304,7 +1304,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ TTFDEBUG { (\n1 setting alias: ) print dup ==only
+ ( to be the same as ) print 2 index //== exec } if
+
+- 7 index 2 index 3 -1 roll exch .forceput
++ 7 index 2 index 3 -1 roll exch put
+ } forall
+ pop pop pop
+ }
+@@ -1322,7 +1322,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ exch pop
+ TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
+ ( to use glyph index: ) print dup //== exec } if
+- 5 index 3 1 roll .forceput
++ 5 index 3 1 roll put
+ //false
+ }
+ {
+@@ -1339,7 +1339,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
+ TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
+ ( to be index: ) print dup //== exec } if
+- exch pop 5 index 3 1 roll .forceput
++ exch pop 5 index 3 1 roll put
+ }
+ {
+ pop pop
diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index 6d7c585d105..1d002fc2784 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -2,18 +2,31 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
-# 2.19.1:
-# - CVE-2018-17456
-# 2.17.1:
-# - CVE-2018-11233
-# - CVE-2018-11235
-# 2.14.1:
-# - CVE-2017-1000117
+# 2.20.4-r0:
+# - CVE-2020-11008
+# 2.20.3-r0:
+# - CVE-2020-5260
+# 2.20.2-r0:
+# - CVE-2019-1348
+# - CVE-2019-1349
+# - CVE-2019-1350
+# - CVE-2019-1351
+# - CVE-2019-1352
+# - CVE-2019-1353
+# - CVE-2019-1354
+# - CVE-2019-1387
+# 2.19.1-r0:
+# - CVE-2018-17456
+# 2.17.1-r0:
+# - CVE-2018-11233
+# - CVE-2018-11235
+# 2.14.1-r0:
+# - CVE-2017-1000117
pkgname=git
-pkgver=2.20.1
+pkgver=2.20.4
pkgrel=0
pkgdesc="Distributed version control system"
-url="https://www.git-scm.com"
+url="https://www.git-scm.com/"
arch="all"
license="GPL-2.0-or-later"
depends=""
@@ -266,7 +279,7 @@ _perl_config() {
perl -e "use Config; print \$Config{$1};"
}
-sha512sums="3f05ea3a645d4d74c7380b03e2de39f893ff77a05d8b595ce30300d1d4e032f11d84952366096f8effd5fba18dfa5ebb946bc07a984eb7cbbda113cb88202f6c git-2.20.1.tar.xz
+sha512sums="271d0c238cb892ecef542e56ccbfc50cbc2bade12f4771f7aa1bacecfbcd15d116bd20986861101545be985aca3a45bc49fb63742ac48cac463e3564b243da08 git-2.20.4.tar.xz
85767b5e03137008d6a96199e769e3979f75d83603ac8cb13a3481a915005637409a4fd94e0720da2ec6cd1124f35eba7cf20109a94816c4b4898a81fbc46bd2 bb-tar.patch
89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd
fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec git-daemon.confd"
diff --git a/main/gnupg/APKBUILD b/main/gnupg/APKBUILD
index e77fa985762..f1ec77b5194 100644
--- a/main/gnupg/APKBUILD
+++ b/main/gnupg/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gnupg
-pkgver=2.2.12
+pkgver=2.2.19
_ver=${pkgver/_beta/-beta}
pkgrel=0
pkgdesc="GNU Privacy Guard 2 - a PGP replacement tool"
@@ -23,6 +23,8 @@ install="$pkgname-scdaemon.pre-install"
builddir="$srcdir"/$pkgname-$_ver
# secfixes:
+# 2.2.19-r0:
+# - CVE-2019-14855
# 2.2.8-r0:
# - CVE-2018-12020
@@ -72,7 +74,7 @@ scdaemon() {
mv "${pkgdir}/usr/libexec/scdaemon" "${subpkgdir}/usr/libexec/"
}
-sha512sums="30de9757bb60a5cb6bf0dc2c8da5f4742c54affec3fcd0bcbf66f28f2812149afec5db70dcb6ba592101de4bdc479d1ba0b47c53c8b8d4765ddff32fa51c26c8 gnupg-2.2.12.tar.bz2
+sha512sums="d7700136ac9f0a8cf04b33da4023a42427fced648c2f90d76250c92904353b85fe728bdd89a713d847e8d38e5900c98d46075614492fdc3d1421f927a92f49dd gnupg-2.2.19.tar.bz2
c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch
b19a44dacf061dd02b439ab8bd820e3c721aab77168f705f5ce65661f26527b03ea88eec16d78486a633c474120589ec8736692ebff57ab9b95f52f57190ba6b fix-i18n.patch
4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules"
diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD
index 7e83be5b918..c3557566936 100644
--- a/main/gnutls/APKBUILD
+++ b/main/gnutls/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gnutls
-pkgver=3.6.7
+pkgver=3.6.15
pkgrel=0
pkgdesc="A TLS protocol implementation"
url="https://www.gnutls.org/"
@@ -16,11 +16,16 @@ _v=${pkgver%.*}
case $pkgver in
*.*.*.*) _v=${_v%.*};;
esac
-source="https://www.gnupg.org/ftp/gcrypt/gnutls/v${_v}/gnutls-$pkgver.tar.xz
- tests-date-compat.patch"
-builddir="$srcdir/$pkgname-$pkgver"
+source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz
+ "
# secfixes:
+# 3.6.15-r0:
+# - CVE-2020-24659 GNUTLS-SA-2020-09-04
+# 3.6.14-r0:
+# - CVE-2020-13777 GNUTLS-SA-2020-06-03
+# 3.6.7-r1:
+# - CVE-2020-11501 GNUTLS-SA-2020-03-31
# 3.6.7-r0:
# - CVE-2019-3836
# - CVE-2019-3829
@@ -28,7 +33,6 @@ builddir="$srcdir/$pkgname-$pkgver"
# - CVE-2017-7507
build() {
- cd "$builddir"
LIBS="-lgmp" ./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -45,8 +49,6 @@ build() {
}
check() {
- cd "$builddir"
-
make check
}
@@ -67,5 +69,4 @@ xx() {
mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="ae9b8996eb9b7269d28213f0aca3a4a17890ba8d47e3dc3b8e754ab8e2b4251e9412aaaa161a8bf56167f04cc169b4cada46f55a7bde92b955eb36cd717a99f3 gnutls-3.6.7.tar.xz
-b9aefaca8a894b223b8bcc738524602e36edf6a49f458606235598470033c81b02e876bec18a41ac57760cb9644d44b4c35969be74d4a8120245fff716429531 tests-date-compat.patch"
+sha512sums="f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c gnutls-3.6.15.tar.xz"
diff --git a/main/gnutls/tests-date-compat.patch b/main/gnutls/tests-date-compat.patch
deleted file mode 100644
index 82e3314d298..00000000000
--- a/main/gnutls/tests-date-compat.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Busybox date does not support %N, this is GNU extension.
---- a/tests/scripts/common.sh
-+++ b/tests/scripts/common.sh
-@@ -61,7 +61,7 @@
- # Find a port number not currently in use.
- GETPORT='rc=0; unset myrandom
- if test -n "$RANDOM"; then myrandom=$(($RANDOM + $RANDOM)); fi
-- if test -z "$myrandom"; then myrandom=$(date +%N | sed s/^0*//); fi
-+ if test -z "$myrandom"; then myrandom=$(date +%s | sed s/^0*//); fi
- if test -z "$myrandom"; then myrandom=0; fi
- while test $rc = 0;do
- PORT="$(((($$<<15)|$myrandom) % 63001 + 2000))"
diff --git a/main/gst-plugins-base/APKBUILD b/main/gst-plugins-base/APKBUILD
index 6961a8f8642..8f51a713864 100644
--- a/main/gst-plugins-base/APKBUILD
+++ b/main/gst-plugins-base/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gst-plugins-base
pkgver=1.14.4
-pkgrel=0
+pkgrel=1
pkgdesc="GStreamer Multimedia Framework Base Plugins"
url="https://gstreamer.freedesktop.org"
arch="all"
@@ -29,10 +29,15 @@ makedepends="
mesa-dev
orc-compiler
"
-source="https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-$pkgver.tar.xz"
+source="https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-$pkgver.tar.xz
+ CVE-2019-9928.patch"
ldpath="/usr/lib/gstreamer-1.0"
builddir="$srcdir"/gst-plugins-base-$pkgver
+# secfixes:
+# 1.14.4-r1:
+# - CVE-2019-9928
+
# sporadic testsuite failures on various archs, testsuite fails with network restricted too
options="!check"
@@ -69,4 +74,5 @@ doc() {
replaces="${pkgname}1-doc"
}
-sha512sums="42c59df9f2d848108f12afa0466acbcfa5ccda64e4d0d44608d4268abed20f2e036713de04e7d71feaed1868ad742c5bcb55ae0eef5dec8e19e053dc8541b8af gst-plugins-base-1.14.4.tar.xz"
+sha512sums="42c59df9f2d848108f12afa0466acbcfa5ccda64e4d0d44608d4268abed20f2e036713de04e7d71feaed1868ad742c5bcb55ae0eef5dec8e19e053dc8541b8af gst-plugins-base-1.14.4.tar.xz
+064305bced4754b9d916adc97254c1cfd52fd25f5cf31f406f7bebac18bc1e9fc5cdab1ee59e2027d3299c5dbbc6134b6171ee925e7dab3dd134fd130b755e1b CVE-2019-9928.patch"
diff --git a/main/gst-plugins-base/CVE-2019-9928.patch b/main/gst-plugins-base/CVE-2019-9928.patch
new file mode 100644
index 00000000000..e17f98aba82
--- /dev/null
+++ b/main/gst-plugins-base/CVE-2019-9928.patch
@@ -0,0 +1,13 @@
+diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
+index 76ae7d4..81239dc 100644
+--- a/gst-libs/gst/rtsp/gstrtspconnection.c
++++ b/gst-libs/gst/rtsp/gstrtspconnection.c
+@@ -2128,7 +2128,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
+ maxlen = sizeof (conn->session_id) - 1;
+ /* the sessionid can have attributes marked with ;
+ * Make sure we strip them */
+- for (i = 0; session_id[i] != '\0'; i++) {
++ for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
+ if (session_id[i] == ';') {
+ maxlen = i;
+ /* parse timeout */
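Review bot: CVE-2019-9928.patch is added without a header saying where the change comes from, so a later reader cannot check the one-line bound `i < maxlen` against the upstream fix. A first line such as `Upstream: <UPSTREAM_COMMIT_URL>` would make that possible (placeholder; the page does not give the commit), in the style the hylafaxplus patch in this commit already uses. main/icu/CVE-2020-10531.patch and main/iproute2/CVE-2019-20795.patch are added the same way. The body of `build_next()` continues outside the hunk, so how `maxlen` is used for the later copy cannot be confirmed from here.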
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index e83bb1259c4..01998b6f237 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -1,9 +1,9 @@
# Contributor: Jeff Bilyk <jbilyk@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=haproxy
-pkgver=1.8.12
+pkgver=1.8.25
_pkgmajorver=${pkgver%.*}
-pkgrel=1
+pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
url="http://haproxy.1wt.eu"
arch="all"
@@ -20,6 +20,12 @@ source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 1.8.25-r0:
+# - CVE-2020-11100
+# 1.8.23-r0:
+# - CVE-2019-19330
+
build() {
cd "$builddir"
case "$CARCH" in mips|mipsel*) _carchflags="ADDLIB=-latomic";; esac
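Review bot: The bump to 1.8.25 keeps the plain-HTTP `source="http://haproxy.1wt.eu/download/...` line (visible in this hunk's header), so the tarball behind the new sha512 recorded further down was fetched over an unauthenticated channel when that checksum was generated. The checksum protects later builds, but not the first download it was computed from. hostapd in this same commit moves its `source` to `https://`; the same should be done here, for example `https://www.haproxy.org/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.gz`, assuming upstream serves the same path over HTTPS. main/icu/APKBUILD has the same `http://` source line. `build()` continues outside the hunk.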
@@ -50,6 +56,6 @@ package() {
"$pkgdir"/etc/haproxy/haproxy.cfg
}
-sha512sums="2b782a54988cc88d1af0e5f011af062910e8fac28eab13db7e05a58d0d23961f827da47e3871e8d081f5a2d222588480d81dec2e9f14ec9f54a1c3cb5bf3d56a haproxy-1.8.12.tar.gz
+sha512sums="655eb4056989a3fee321ea9278a2085b0a999e522293f1f6229ebb8d17f3d33cb78abb4fd55a06d0218082e632b2d42de105575d0acd0c1b49996d4b45aa78e8 haproxy-1.8.25.tar.gz
3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
diff --git a/main/hostapd/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/main/hostapd/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
new file mode 100644
index 00000000000..0aa8a5ea1de
--- /dev/null
+++ b/main/hostapd/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
@@ -0,0 +1,150 @@
+From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 23:17:35 +0300
+Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
+ other networks
+
+The UPnP Device Architecture 2.0 specification errata ("UDA errata
+16-04-2020.docx") addresses a problem with notifications being allowed
+to go out to other domains by disallowing such cases. Do such filtering
+for the notification callback URLs to avoid undesired connections to
+external networks based on subscriptions that any device in the local
+network could request when WPS support for external registrars is
+enabled (the upnp_iface parameter in hostapd configuration).
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/wps/wps_er.c | 2 +-
+ src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++--
+ src/wps/wps_upnp_i.h | 3 ++-
+ 3 files changed, 39 insertions(+), 4 deletions(-)
+
+diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
+index 6bded14327f8..31d2e50e4cff 100644
+--- a/src/wps/wps_er.c
++++ b/src/wps/wps_er.c
+@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, const char *ifname, const char *filter)
+ "with %s", filter);
+ }
+ if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
+- er->mac_addr)) {
++ NULL, er->mac_addr)) {
+ wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
+ "for %s. Does it have IP address?", er->ifname);
+ wps_er_deinit(er, NULL, NULL);
+diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
+index 6e10e4bc0c3f..7d4b7439940e 100644
+--- a/src/wps/wps_upnp.c
++++ b/src/wps/wps_upnp.c
+@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct subscription *s)
+ }
+
+
++static int local_network_addr(struct upnp_wps_device_sm *sm,
++ struct sockaddr_in *addr)
++{
++ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
++ (sm->ip_addr & sm->netmask.s_addr);
++}
++
++
+ /* subscr_addr_add_url -- add address(es) for one url to subscription */
+ static void subscr_addr_add_url(struct subscription *s, const char *url,
+ size_t url_len)
+@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+
+ for (rp = result; rp; rp = rp->ai_next) {
+ struct subscr_addr *a;
++ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
+
+ /* Limit no. of address to avoid denial of service attack */
+ if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
+@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+ break;
+ }
+
++ if (!local_network_addr(s->sm, addr)) {
++ wpa_printf(MSG_INFO,
++ "WPS UPnP: Ignore a delivery URL that points to another network %s",
++ inet_ntoa(addr->sin_addr));
++ continue;
++ }
++
+ a = os_zalloc(sizeof(*a) + alloc_len);
+ if (a == NULL)
+ break;
+@@ -890,11 +906,12 @@ static int eth_get(const char *device, u8 ea[ETH_ALEN])
+ * @net_if: Selected network interface name
+ * @ip_addr: Buffer for returning IP address in network byte order
+ * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
++ * @netmask: Buffer for returning netmask or %NULL if not needed
+ * @mac: Buffer for returning MAC address
+ * Returns: 0 on success, -1 on failure
+ */
+ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+- u8 mac[ETH_ALEN])
++ struct in_addr *netmask, u8 mac[ETH_ALEN])
+ {
+ struct ifreq req;
+ int sock = -1;
+@@ -920,6 +937,19 @@ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+ in_addr.s_addr = *ip_addr;
+ os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
+
++ if (netmask) {
++ os_memset(&req, 0, sizeof(req));
++ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
++ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
++ wpa_printf(MSG_ERROR,
++ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
++ errno, strerror(errno));
++ goto fail;
++ }
++ addr = (struct sockaddr_in *) &req.ifr_netmask;
++ netmask->s_addr = addr->sin_addr.s_addr;
++ }
++
+ #ifdef __linux__
+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
+ if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
+@@ -1026,11 +1056,15 @@ static int upnp_wps_device_start(struct upnp_wps_device_sm *sm, char *net_if)
+
+ /* Determine which IP and mac address we're using */
+ if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
+- sm->mac_addr)) {
++ &sm->netmask, sm->mac_addr)) {
+ wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
+ "for %s. Does it have IP address?", net_if);
+ goto fail;
+ }
++ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
++ MACSTR,
++ sm->ip_addr_text, inet_ntoa(sm->netmask),
++ MAC2STR(sm->mac_addr));
+
+ /* Listen for incoming TCP connections so that others
+ * can fetch our "xml files" from us.
+diff --git a/src/wps/wps_upnp_i.h b/src/wps/wps_upnp_i.h
+index e87a93232df1..6ead7b4e9a30 100644
+--- a/src/wps/wps_upnp_i.h
++++ b/src/wps/wps_upnp_i.h
+@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
+ u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
+ char *ip_addr_text; /* IP address of network i.f. we use */
+ unsigned ip_addr; /* IP address of network i.f. we use (host order) */
++ struct in_addr netmask;
+ int multicast_sd; /* send multicast messages over this socket */
+ int ssdp_sd; /* receive discovery UPD packets on socket */
+ int ssdp_sd_registered; /* nonzero if we must unregister */
+@@ -158,7 +159,7 @@ struct subscription * subscription_find(struct upnp_wps_device_sm *sm,
+ const u8 uuid[UUID_LEN]);
+ void subscr_addr_delete(struct subscr_addr *a);
+ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+- u8 mac[ETH_ALEN]);
++ struct in_addr *netmask, u8 mac[ETH_ALEN]);
+
+ /* wps_upnp_ssdp.c */
+ void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
+--
+2.20.1
+
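Review bot: `local_network_addr()` compares `sm->ip_addr` with `addr->sin_addr.s_addr` under `sm->netmask.s_addr`, which is only correct if all three are in network byte order, yet the `ip_addr` field comment in `struct upnp_wps_device_sm` still says "(host order)". The `get_netif_info()` doc and `in_addr.s_addr = *ip_addr` both treat it as network order, so the field comment should be corrected and the new field documented, e.g. `struct in_addr netmask; /* netmask of network i.f. we use (network order) */`. The loop in `subscr_addr_add_url()` also casts `rp->ai_addr` to `struct sockaddr_in *` with no family check in view. The getaddrinfo() hints are outside the hunk, so this is safe only if they restrict results to `AF_INET`; otherwise `if (rp->ai_family != AF_INET) continue;` belongs before the cast.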
diff --git a/main/hostapd/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/main/hostapd/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
new file mode 100644
index 00000000000..c7a449e0b5c
--- /dev/null
+++ b/main/hostapd/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@@ -0,0 +1,59 @@
+From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 22:41:02 +0300
+Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
+ path
+
+More than about 700 character URL ended up overflowing the wpabuf used
+for building the event notification and this resulted in the wpabuf
+buffer overflow checks terminating the hostapd process. Fix this by
+allocating the buffer to be large enough to contain the full URL path.
+However, since that around 700 character limit has been the practical
+limit for more than ten years, start explicitly enforcing that as the
+limit or the callback URLs since any longer ones had not worked before
+and there is no need to enable them now either.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/wps/wps_upnp.c | 9 +++++++--
+ src/wps/wps_upnp_event.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
+index 7d4b7439940e..ab685d52ecab 100644
+--- a/src/wps/wps_upnp.c
++++ b/src/wps/wps_upnp.c
+@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+ int rerr;
+ size_t host_len, path_len;
+
+- /* url MUST begin with http: */
+- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
++ /* URL MUST begin with HTTP scheme. In addition, limit the length of
++ * the URL to 700 characters which is around the limit that was
++ * implicitly enforced for more than 10 years due to a bug in
++ * generating the event messages. */
++ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
++ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
+ goto fail;
++ }
+ url += 7;
+ url_len -= 7;
+
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index d7e6edcc6503..08a23612f338 100644
+--- a/src/wps/wps_upnp_event.c
++++ b/src/wps/wps_upnp_event.c
+@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
+ struct wpabuf *buf;
+ char *b;
+
+- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
++ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
++ wpabuf_len(e->data));
+ if (buf == NULL)
+ return NULL;
+ wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
+--
+2.20.1
+
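Review bot: The new rejection path in `subscr_addr_add_url()` logs at `MSG_DEBUG` and does not say which of the three checks failed, so an over-long callback URL from a device on the local network leaves no trace at normal log levels. The other-network rejection added in patch 1/3 logs at `MSG_INFO`. Consider `wpa_printf(MSG_INFO, "WPS UPnP: Reject an unacceptable URL (len=%u)", (unsigned int) url_len);`, or, if the lower level is deliberate to limit log volume, a short comment saying so. The literal `700` would also read better as a named constant next to `MAX_ADDR_PER_SUBSCRIPTION`. The function body continues outside the hunk.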
diff --git a/main/hostapd/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/main/hostapd/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
new file mode 100644
index 00000000000..9d0376043d0
--- /dev/null
+++ b/main/hostapd/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
@@ -0,0 +1,47 @@
+From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 4 Jun 2020 21:24:04 +0300
+Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
+ properly
+
+While it is appropriate to try to retransmit the event to another
+callback URL on a failure to initiate the HTTP client connection, there
+is no point in trying the exact same operation multiple times in a row.
+Replve the event_retry() calls with event_addr_failure() for these cases
+to avoid busy loops trying to repeat the same failing operation.
+
+These potential busy loops would go through eloop callbacks, so the
+process is not completely stuck on handling them, but unnecessary CPU
+would be used to process the continues retries that will keep failing
+for the same reason.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/wps/wps_upnp_event.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index 08a23612f338..c0d9e41d9a38 100644
+--- a/src/wps/wps_upnp_event.c
++++ b/src/wps/wps_upnp_event.c
+@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
+
+ buf = event_build_message(e);
+ if (buf == NULL) {
+- event_retry(e, 0);
++ event_addr_failure(e);
+ return -1;
+ }
+
+@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
+ event_http_cb, e);
+ if (e->http_event == NULL) {
+ wpabuf_free(buf);
+- event_retry(e, 0);
++ event_addr_failure(e);
+ return -1;
+ }
+
+--
+2.20.1
+
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index 2ac593fbecc..28bc83d0e63 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.7
-pkgrel=5
+pkgrel=6
pkgdesc="daemon for wireless software access points"
url="http://hostap.epitest.fi/hostapd/"
arch="all"
@@ -36,15 +36,21 @@ patches="CVE-2012-4445.patch
0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
CVE-2019-16275.patch
- "
-source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz
+ 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+ 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
+ 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
+"
+source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
$patches
$pkgname.initd
- $pkgname.confd"
+ $pkgname.confd
+ "
options="!check" #no testsuite
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
+# 2.7-r6:
+# - CVE-2020-12695
# 2.7-r5:
# - CVE-2019-16275
# 2.7-r4:
@@ -53,8 +59,6 @@ builddir="$srcdir"/$pkgname-$pkgver/hostapd
# - CVE-2019-9496
# 2.7-r1:
# - CVE-2019-11555
-# 2.7-r0:
-# - CVE-2017-13082
# 2.6-r2:
# - CVE-2017-13077
# - CVE-2017-13078
@@ -69,10 +73,14 @@ builddir="$srcdir"/$pkgname-$pkgver/hostapd
prepare() {
local conf="$builddir/.config"
+ # This is required because our builddir is the hostapd/ directory
+ # inside the extracted archive, while patches mostly apply against
+ # the src/ directory that is in the same directory as the hostapd/
+ # one is
cd "$builddir"/..
- for i in $patches; do
- msg $i
- patch -p1 -i "$srcdir"/$i
+ for i in "$srcdir"/*.patch; do
+ msg "Applying $i..."
+ patch -p1 -i $i
done
cd "$builddir"
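Review bot: The rewritten loop in `prepare()` applies every `"$srcdir"/*.patch` rather than the files named in `$patches`, so any stray patch in `$srcdir` that is not listed in `source`, and so has no `sha512sums` entry, would be applied as well. The order also becomes glob order instead of list order. `patch -p1 -i $i` leaves `$i` unquoted, although it now holds a full path. Keeping the explicit list avoids all three: `for i in $patches; do` with `patch -p1 -i "$srcdir/$i"`. `prepare()` continues outside the hunk.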
@@ -153,5 +161,8 @@ bcae73930c35d441c5615970c305abb3dff293fdec16df50823e57419b22d1aac0e780970619e0c7
da5f4248a0173cd7d07972b760631a8dc26f258e7b5be059c0d7de26e17f668945a62d2afce01ed1a1e9df6c55f9fd6ee344d4f006f5564b90a25e90e1e7c704 0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
4734a8ab8ba1e91fc9e3d729f34527c14c291df238b02adea5acc04b0361b41d4bffca2fb13a4f464e9f007fa624117af4f50d755cb41a3129b4868da91bdf9a 0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
+b76bbca282a74ef16c0303e5dbd2ccd33a62461595964d52c1481b0bfa4f41deacde56830b85409b288803b87ceb6f33cf0ccc69c5b17ec632c2d4784b872f3c 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+00cc739e78c42353a555c0de2f29defecff372927040e14407a231d1ead7ff32a37c9fd46bea7cdf1c24e3ac891bc3d483800d44fc6d2c8a12d2ae886523b12c 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
+69243af20cdcfa837c51917a3723779f4825e11436fb83311355b4ffe8f7a4b7a5747a976f7bf923038c410c9e9055b13b866d9a396913ad08bdec3a70e9f6e0 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd"
diff --git a/main/hunspell/APKBUILD b/main/hunspell/APKBUILD
index 9bc05a42cb6..2b3d1b6aae3 100644
--- a/main/hunspell/APKBUILD
+++ b/main/hunspell/APKBUILD
@@ -1,16 +1,22 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hunspell
pkgver=1.6.2
-pkgrel=1
+pkgrel=2
pkgdesc="Spell checker and morphological analyzer library and program"
url="https://hunspell.github.io/"
arch="all"
license="GPL-2.0-or-later LGPL-2.0-or-later MPL-1.1"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
makedepends="gettext-dev ncurses-dev readline-dev autoconf automake libtool"
-source="$pkgname-$pkgver.tar.gz::https://github.com/hunspell/hunspell/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/hunspell/hunspell/archive/v$pkgver.tar.gz
+ CVE-2019-16707.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 1.6.2-r2:
+# - CVE-2019-16707
+
prepare() {
cd "$builddir"
default_prepare
@@ -40,4 +46,5 @@ package() {
make -j1 DESTDIR="$pkgdir" install
}
-sha512sums="a23127f1271da95ac06a1fb2f57b659485e959567b61da05b2bb350684003a0fb7e882b5e524c465fd890f79f513ed03174f38611989a1c09081147c47d6da11 hunspell-1.6.2.tar.gz"
+sha512sums="a23127f1271da95ac06a1fb2f57b659485e959567b61da05b2bb350684003a0fb7e882b5e524c465fd890f79f513ed03174f38611989a1c09081147c47d6da11 hunspell-1.6.2.tar.gz
+e7674819a9da4c3d742d34338d68d137d8613f97be2d25bf20db5219d4dd626f59a63ed4757b92f34307f499f2d687014065cdea97b55c98db295a8290300d2d CVE-2019-16707.patch"
diff --git a/main/hunspell/CVE-2019-16707.patch b/main/hunspell/CVE-2019-16707.patch
new file mode 100644
index 00000000000..649eef5b293
--- /dev/null
+++ b/main/hunspell/CVE-2019-16707.patch
@@ -0,0 +1,22 @@
+From ac938e2ecb48ab4dd21298126c7921689d60571b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 12 Nov 2019 20:03:15 +0000
+Subject: [PATCH] invalid read memory access #624
+
+---
+ src/hunspell/suggestmgr.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hunspell/suggestmgr.cxx b/src/hunspell/suggestmgr.cxx
+index dba084e9..c23f165a 100644
+--- a/src/hunspell/suggestmgr.cxx
++++ b/src/hunspell/suggestmgr.cxx
+@@ -2040,7 +2040,7 @@ int SuggestMgr::leftcommonsubstring(
+ int l2 = su2.size();
+ // decapitalize dictionary word
+ if (complexprefixes) {
+- if (su1[l1 - 1] == su2[l2 - 1])
++ if (l1 && l2 && su1[l1 - 1] == su2[l2 - 1])
+ return 1;
+ } else {
+ unsigned short idx = su2.empty() ? 0 : (su2[0].h << 8) + su2[0].l;
diff --git a/main/hylafaxplus/APKBUILD b/main/hylafaxplus/APKBUILD
index be0f300dfee..fee0c0957e0 100644
--- a/main/hylafaxplus/APKBUILD
+++ b/main/hylafaxplus/APKBUILD
@@ -3,7 +3,7 @@
pkgname=hylafaxplus
_pkgname=hylafax
pkgver=7.0.0
-pkgrel=0
+pkgrel=1
pkgdesc="Making the Premier Open-Source Fax Management System Even Better"
url="http://hylafax.sourceforge.net"
arch="all"
@@ -19,9 +19,15 @@ source="https://downloads.sourceforge.net/hylafax/${_pkgname}-${pkgver}.tar.gz
$pkgname.confd
no-locale.patch
utf8-dictionary.patch
+ CVE-2020-15396-CVE-2020-15397.patch
"
builddir="$srcdir"/$_pkgname-$pkgver
+# secfixes:
+# 7.0.0-r1:
+# - CVE-2020-15396
+# - CVE-2020-15397
+
build() {
cd "$builddir"
# the configure script does not handle ccache or distcc
@@ -89,9 +95,9 @@ package(){
install -D -m644 "$srcdir"/$pkgname.confd \
"$pkgdir"/etc/conf.d/$pkgname
}
-
sha512sums="c63fdbff79c2ced29e03907c2e401c95a739e343414840a25b9582e3f4db880eaf4622295035e4728a9d1f224f97985007944397f28c9b29595aeec157bc2031 hylafax-7.0.0.tar.gz
3862cefcd26092000e4489c097537e5e0e2ae1f7c2a7a16b1e933b3bb78d136b6d8a65fb712ae245dd8ca881900408d0d9788bd2e0b859a9569fc6f4ede8cc7c hylafaxplus.initd
a2117eddc8f0ff70a23a90f2001dcb88c5bddee46ffa021d6d1701cc5cfc3bcb0362ead2b1b1ce2b288992728053c5947466d08916649f45e7dfb1876576e50f hylafaxplus.confd
4a1243daff9904e6395c3e28aa4a78a74de99f5aa9dbf5055a3781acfcd9b1b3db42b1569409b27e3ef9b0e55272dc99122436a79a08c9a1c140c2547c5a2c15 no-locale.patch
-f5f1e33897a91b8297311c033d50e7ea2f9088568264a5b9224285066a504da8cc4296f973dd0a70e09abca538cef26964c6181f4f67f76400783d0697f05e61 utf8-dictionary.patch"
+f5f1e33897a91b8297311c033d50e7ea2f9088568264a5b9224285066a504da8cc4296f973dd0a70e09abca538cef26964c6181f4f67f76400783d0697f05e61 utf8-dictionary.patch
+ed6a717eb54d9ead7e2122cb2ecb9871343adcbbb615c0b63dfde5c23883c0f10bb2f0d3ae0ea73906522026f73bf743e2abcb54f08f2c75d61a5b87b933bbb8 CVE-2020-15396-CVE-2020-15397.patch"
diff --git a/main/hylafaxplus/CVE-2020-15396-CVE-2020-15397.patch b/main/hylafaxplus/CVE-2020-15396-CVE-2020-15397.patch
new file mode 100644
index 00000000000..b3af03d18a1
--- /dev/null
+++ b/main/hylafaxplus/CVE-2020-15396-CVE-2020-15397.patch
@@ -0,0 +1,68 @@
+Upstream: Adapted from upstream, SourceForge has no raw diffs
+diff --git a/etc/faxaddmodem.sh.in b/etc/faxaddmodem.sh.in
+index dc39917..c4d3ff1 100644
+--- a/etc/faxaddmodem.sh.in
++++ b/etc/faxaddmodem.sh.in
+@@ -113,12 +113,14 @@ if [ "$euid" != "root" ]; then
+ fi
+
+ # security
++o="`umask`"
++umask 077
+ TMPDIR=`(mktemp -d /tmp/.faxaddmodem.XXXXXX) 2>/dev/null`
++umask "$o"
+ if test X$TMPDIR = X; then
+- TMPDIR=/tmp/.faxaddmodem$$
++ echo "Failed to create temporary directory. Cannot continue."
++ exit 1
+ fi
+-@RM@ -rf $TMPDIR
+-(umask 077 ; mkdir $TMPDIR) || exit 1
+
+ SH=$SCRIPT_SH # shell for use below
+ CPATH=$SPOOL/etc/config # prefix of configuration file
+diff --git a/etc/faxsetup.sh.in b/etc/faxsetup.sh.in
+index 556eef5..794d3d9 100644
+--- a/etc/faxsetup.sh.in
++++ b/etc/faxsetup.sh.in
+@@ -922,12 +922,14 @@ if onServer; then
+ #
+
+ # Setup TMPDIR before anything can trap and rm it
++ o="`umask`"
++ umask 077
+ TMPDIR=`(mktemp -d /tmp/.faxsetup.XXXXXX) 2>/dev/null`
++ umask "$o"
+ if test x$TMPDIR = x; then
+- TMPDIR=/tmp/.faxsetup$$
+- fi
+- $RM -rf $TMPDIR
+- (umask 077 ; mkdir $TMPDIR) || exit 1
++ echo "Failed to create temporary directory. Cannot continue."
+++ exit 1
+++ fi
+
+ JUNK="etc/setup.tmp"
+ trap "$RM \$JUNK; $RM -r \$TMPDIR; exit 1" 1 2 15
+diff --git a/etc/probemodem.sh.in b/etc/probemodem.sh.in
+index 55b5d9b..269c886 100644
+--- a/etc/probemodem.sh.in
++++ b/etc/probemodem.sh.in
+@@ -85,12 +85,14 @@ test -f $SPOOL/etc/setup.cache || {
+ . $SPOOL/etc/setup.cache # common configuration stuff
+ . $SPOOL/etc/setup.modem # modem-specific stuff
+
++o="`umask`"
++umask 077
+ TMPDIR=`(mktemp -d /tmp/.probemodem.XXXXXX) 2>/dev/null`
++umask "$o"
+ if test X$TMPDIR = X; then
+- TMPDIR=/tmp/.probemodem$$
++ echo "Failed to create temporary directory. Cannot continue."
++ exit 1
+ fi
+-@RM@ -fr $TMPDIR
+-(umask 077 ; mkdir $TMPDIR) || exit 1
+
+ SH=$SCRIPT_SH # shell for use below
+ OUT=$TMPDIR/probemodem$$ # temp file in which modem output is recorded
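Review bot: In the `etc/faxsetup.sh.in` part of this embedded patch, the two lines after the new `echo` carry one `+` too many (`++ exit 1`, `++ fi` inside the patch), so applying it writes the literal lines `+ exit 1` and `+ fi` into the script while the original `fi` is removed. The inner hunk header (`-922,12 +922,14`) matches that reading. The `if test x$TMPDIR = x` block is then never closed and the mktemp-failure path does not exit, which is the case this fix is meant to stop on. The `faxaddmodem.sh.in` and `probemodem.sh.in` hunks add `exit 1` once and keep `fi` as context. The two patch lines should read `+        exit 1` and `+    fi`, with a single `+` followed by the script's own indentation. Leading whitespace is not recoverable from this page, so confirm against the patch file itself.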
diff --git a/main/icu/APKBUILD b/main/icu/APKBUILD
index 1af5dbc75e4..bbb903c7582 100644
--- a/main/icu/APKBUILD
+++ b/main/icu/APKBUILD
@@ -6,7 +6,7 @@ pkgver=62.1
# convert x.y.z to x_y_z
_ver=${pkgver//./_}
-pkgrel=0
+pkgrel=1
pkgdesc="International Components for Unicode library"
url="http://www.icu-project.org/"
arch="all"
@@ -17,9 +17,12 @@ depends_dev="$pkgname=$pkgver-r$pkgrel"
checkdepends="diffutils"
makedepends=
source="http://download.icu-project.org/files/icu4c/${pkgver}/${pkgname}4c-$_ver-src.tgz
+ CVE-2020-10531.patch
"
# secfixes:
+# 62.1-r1:
+# - CVE-2020-10531
# 57.1-r1:
# - CVE-2016-6293
# 58.1-r1:
@@ -90,4 +93,5 @@ libs() {
replaces="icu"
}
-sha512sums="8295f2754fb6907e2cc8f515dccca05530963b544e89a2b8e323cd0ddfdbbe0c9eba8b367c1dbc04d7bb906b66b1003fd545ca05298939747c832c9d4431cf2a icu4c-62_1-src.tgz"
+sha512sums="8295f2754fb6907e2cc8f515dccca05530963b544e89a2b8e323cd0ddfdbbe0c9eba8b367c1dbc04d7bb906b66b1003fd545ca05298939747c832c9d4431cf2a icu4c-62_1-src.tgz
+cf3718d9f6a43de4e9a49d20080a04146f6b62c094d2fbd3efd898d7670c9a5ed28736a2c1e71c773a3f807dfeb8c262feeea7b9ea66bb147f58056608d7c3d6 CVE-2020-10531.patch"
diff --git a/main/icu/CVE-2020-10531.patch b/main/icu/CVE-2020-10531.patch
new file mode 100644
index 00000000000..f2eb712b1a3
--- /dev/null
+++ b/main/icu/CVE-2020-10531.patch
@@ -0,0 +1,106 @@
+diff --git a/common/unistr.cpp b/common/unistr.cpp
+index 5d7cab2..78cf394 100644
+--- a/common/unistr.cpp
++++ b/common/unistr.cpp
+@@ -1544,7 +1544,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+ }
+
+ int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+ // optimize append() onto a large-enough, owned string
+ if((newLength <= getCapacity() && isBufferWritable()) ||
+ cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {
+diff --git a/test/intltest/ustrtest.cpp b/test/intltest/ustrtest.cpp
+index 4b7cb7a..c5e5a80 100644
+--- a/test/intltest/ustrtest.cpp
++++ b/test/intltest/ustrtest.cpp
+@@ -64,6 +64,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+ TESTCASE_AUTO(TestUInt16Pointers);
+ TESTCASE_AUTO(TestWCharPointers);
+ TESTCASE_AUTO(TestNullPointers);
++ TESTCASE_AUTO(TestLargeAppend);
+ TESTCASE_AUTO_END;
+ }
+
+@@ -2248,3 +2249,64 @@ UnicodeStringTest::TestNullPointers() {
+ UnicodeString(u"def").extract(nullptr, 0, errorCode);
+ assertEquals("buffer overflow extracting to nullptr", U_BUFFER_OVERFLOW_ERROR, errorCode);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++ if(quick) return;
++
++ IcuTestErrorCode status(*this, "TestLargeAppend");
++ // Make a large UnicodeString
++ int32_t len = 0xAFFFFFF;
++ UnicodeString str;
++ char16_t *buf = str.getBuffer(len);
++ // A fast way to set buffer to valid Unicode.
++ // 4E4E is a valid unicode character
++ uprv_memset(buf, 0x4e, len * 2);
++ str.releaseBuffer(len);
++ UnicodeString dest;
++ // Append it 16 times
++ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++ int64_t total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++ dest.remove();
++ total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total + len <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else if (total <= INT32_MAX) {
++ // Check that a string of exactly the maximum size works
++ UnicodeString str2;
++ int32_t remain = INT32_MAX - total;
++ char16_t *buf2 = str2.getBuffer(remain);
++ if (buf2 == nullptr) {
++ // if somehow memory allocation fail, return the test
++ return;
++ }
++ uprv_memset(buf2, 0x4e, remain * 2);
++ str2.releaseBuffer(remain);
++ dest.append(str2);
++ total += remain;
++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++ assertFalse("dest is not bogus", dest.isBogus());
++
++ // Check that a string size+1 goes bogus
++ str2.truncate(1);
++ dest.append(str2);
++ total++;
++ assertTrue("dest should be bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++}
+diff --git a/test/intltest/ustrtest.h b/test/intltest/ustrtest.h
+index 4ba348c..d2d5ee1 100644
+--- a/test/intltest/ustrtest.h
++++ b/test/intltest/ustrtest.h
+@@ -96,6 +96,7 @@ public:
+ void TestUInt16Pointers();
+ void TestWCharPointers();
+ void TestNullPointers();
++ void TestLargeAppend();
+ };
+
+ #endif
diff --git a/main/imagemagick/APKBUILD b/main/imagemagick/APKBUILD
index d5f22774257..f7df01ea291 100644
--- a/main/imagemagick/APKBUILD
+++ b/main/imagemagick/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=imagemagick
_pkgname=ImageMagick
-pkgver=7.0.8.58
+pkgver=7.0.8.68
pkgrel=0
_pkgver=${pkgver%.*}-${pkgver##*.}
_abiver=7
@@ -113,5 +113,5 @@ _cxx() {
mv "$pkgdir"/usr/lib/libMagick++*.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="c77eea33e633c92f0d5033c5ccd2bb2aee02ce049c4f48fdff9043e35d4f2119bab93c9140ecc052b2bfc55e9382308a35389e06927a9895751a5b530cac418c ImageMagick-7.0.8-58.tar.gz
+sha512sums="ee337901890724fcf06b804ae6377926e75e00b1319adf4d2cc7e4a5f2381263740e0269e119bca91413413742d904e7e3cf2bd3ca5d6974f9b61abf66b96802 ImageMagick-7.0.8-68.tar.gz
58afb2da075a6208b6a990ff297b3a827d260687c3355198a8b4d987e1596c0b0cd78aff6f0be0e1896e537fbe44a3d467473183f5f149664ea6e6fb3d3291a9 disable-avaraging-tests.patch"
diff --git a/main/iproute2/APKBUILD b/main/iproute2/APKBUILD
index a2c79c9a19b..740763a72df 100644
--- a/main/iproute2/APKBUILD
+++ b/main/iproute2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=iproute2
pkgver=4.19.0
-pkgrel=0
+pkgrel=1
pkgdesc="IP Routing Utilities"
url="https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2"
arch="all"
@@ -11,9 +11,15 @@ install="$pkgname.post-install"
makedepends="bison flex bash iptables-dev libelf-dev"
subpackages="$pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
source="https://kernel.org/pub/linux/utils/net/iproute2/iproute2-$pkgver.tar.xz
- fix-install-errors.patch"
+ fix-install-errors.patch
+ CVE-2019-20795.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 4.19.0-r1:
+# - CVE-2019-20795
+
prepare() {
default_prepare
cd "$builddir"
@@ -54,4 +60,5 @@ bashcomp() {
}
sha512sums="47c750da2247705b1b1d1621f58987333e54370d0fff2f24106194022de793ff35dfd67fd1be127ce019008705702092d31dac49abf930a7c0dc5c7e7c0665b8 iproute2-4.19.0.tar.xz
-24fc2a901650e11f80bcaa82c839e70c21aafdf3c5b8a357d932d066a0b98ae2ec8379fc17a0a16a1b5b4fa5edc131179c10fc02e55d6101701df5a09966912c fix-install-errors.patch"
+24fc2a901650e11f80bcaa82c839e70c21aafdf3c5b8a357d932d066a0b98ae2ec8379fc17a0a16a1b5b4fa5edc131179c10fc02e55d6101701df5a09966912c fix-install-errors.patch
+a9f7685dc50495e338fcfce31fc097c220227e78158e16845ed9341d96ba82f34d2778e6268ed7ad795d0bde7293b63d19b3066d37f37dde9112277e61a4e9ac CVE-2019-20795.patch"
diff --git a/main/iproute2/CVE-2019-20795.patch b/main/iproute2/CVE-2019-20795.patch
new file mode 100644
index 00000000000..bc50bee0910
--- /dev/null
+++ b/main/iproute2/CVE-2019-20795.patch
@@ -0,0 +1,42 @@
+diff --git a/ip/ipnetns.c b/ip/ipnetns.c
+index 03879b4..18d6e26 100644
+--- a/ip/ipnetns.c
++++ b/ip/ipnetns.c
+@@ -106,7 +106,7 @@ int get_netnsid_from_name(const char *name)
+ struct nlmsghdr *answer;
+ struct rtattr *tb[NETNSA_MAX + 1];
+ struct rtgenmsg *rthdr;
+- int len, fd;
++ int len, fd, ret = -1;
+
+ netns_nsid_socket_init();
+
+@@ -123,23 +123,22 @@ int get_netnsid_from_name(const char *name)
+
+ /* Validate message and parse attributes */
+ if (answer->nlmsg_type == NLMSG_ERROR)
+- goto err_out;
++ goto out;
+
+ rthdr = NLMSG_DATA(answer);
+ len = answer->nlmsg_len - NLMSG_SPACE(sizeof(*rthdr));
+ if (len < 0)
+- goto err_out;
++ goto out;
+
+ parse_rtattr(tb, NETNSA_MAX, NETNS_RTA(rthdr), len);
+
+ if (tb[NETNSA_NSID]) {
+- free(answer);
+- return rta_getattr_u32(tb[NETNSA_NSID]);
++ ret = rta_getattr_u32(tb[NETNSA_NSID]);
+ }
+
+-err_out:
++out:
+ free(answer);
+- return -1;
++ return ret;
+ }
+
+ struct nsid_cache {
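Review bot: The new patch file begins directly at `diff --git a/ip/ipnetns.c` with no header, so nothing in the aport records which upstream change this backport corresponds to or what it fixes. A short header would let a later maintainer check it against upstream, for example `Upstream commit: <UPSTREAM_COMMIT_ID>` followed by one line stating that the NSID attribute is now read into `ret` before `free(answer)`, since `tb[]` is filled by `parse_rtattr` from data inside `answer`. Separately, `ret` is an `int` holding the result of `rta_getattr_u32`, so an id above `INT_MAX` would presumably come back negative and look like the `-1` error value; that matches the function's existing `int` return type but is worth confirming. Only part of `get_netnsid_from_name` is visible in the embedded hunks.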
diff --git a/main/jbig2dec/APKBUILD b/main/jbig2dec/APKBUILD
index b4396b78694..670eff8d952 100644
--- a/main/jbig2dec/APKBUILD
+++ b/main/jbig2dec/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=jbig2dec
pkgver=0.15
-pkgrel=0
+pkgrel=1
pkgdesc="JBIG2 image compression format decoder"
url="https://www.ghostscript.com/jbig2dec.html"
arch="all"
@@ -10,7 +10,13 @@ license="GPL-2.0-or-later"
makedepends="autoconf automake libtool"
checkdepends="python2"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/jbig2dec-0.15.tar.gz"
+source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/jbig2dec-0.15.tar.gz
+ CVE-2020-12268.patch
+ "
+
+# secfixes:
+# 0.15-r1:
+# - CVE-2020-12268
builddir="$srcdir/$pkgname-$pkgver"
@@ -44,4 +50,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="142acf0c47be094232ff21074414be5cf633a7008b2095d60b8878c4e125966f36632d8db191959ae1ac4b12b8fdc78139f67cd531717d203864b459d2570369 jbig2dec-0.15.tar.gz"
+sha512sums="142acf0c47be094232ff21074414be5cf633a7008b2095d60b8878c4e125966f36632d8db191959ae1ac4b12b8fdc78139f67cd531717d203864b459d2570369 jbig2dec-0.15.tar.gz
+e33c6a942af79dfb98c8160bccb0d7e6965d90b77f4e8e370787a9c0af0273001f02d5591b92d4285b901182ea335eb09854ce2fa995266837156b568747aa24 CVE-2020-12268.patch"
diff --git a/main/jbig2dec/CVE-2020-12268.patch b/main/jbig2dec/CVE-2020-12268.patch
new file mode 100644
index 00000000000..773515ae2dc
--- /dev/null
+++ b/main/jbig2dec/CVE-2020-12268.patch
@@ -0,0 +1,44 @@
+From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Mon, 27 Jan 2020 10:12:24 -0800
+Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
+ jbig2_image_compose.
+
+With extreme values of x/y/w/h we can get overflow. Test for this
+and exit safely.
+
+Thanks for OSS-Fuzz for reporting.
+---
+ jbig2_image.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 22e21ef..100263d 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -33,6 +33,9 @@
+ #if !defined (INT32_MAX)
+ #define INT32_MAX 0x7fffffff
+ #endif
++#if !defined (UINT32_MAX)
++#define UINT32_MAX 0xffffffffu
++#endif
+
+ /* allocate a Jbig2Image structure and its associated bitmap */
+ Jbig2Image *
+@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+ if (src == NULL)
+ return 0;
+
++ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
++ (UINT32_MAX - src->height < (y > 0 ? y : -y)))
++ {
++#ifdef JBIG2_DEBUG
++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
++#endif
++ return 0;
++ }
++
+ /* The optimized code for the OR operator below doesn't
+ handle the source image partially placed outside the
+ destination (above and/or to the left). The affected
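Review bot: The added guard in `jbig2_image_compose` takes the magnitude with `(x > 0 ? x : -x)` on a signed `int`, and negating `INT_MIN` is undefined behaviour in C, so the most extreme negative offset is exactly the input the check cannot be relied on for. Doing the negation in unsigned arithmetic avoids that, e.g. `(x > 0 ? (uint32_t)x : 0u - (uint32_t)x)` and the same for `y`, assuming `src->width` and `src->height` are `uint32_t` as the `UINT32_MAX` comparison suggests. Since the file is an upstream commit carried verbatim, this is probably better raised upstream than changed locally. The function body continues outside the embedded hunk.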
diff --git a/main/json-c/APKBUILD b/main/json-c/APKBUILD
index de361f308c4..365b0ad323d 100644
--- a/main/json-c/APKBUILD
+++ b/main/json-c/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=json-c
pkgver=0.13.1
-pkgrel=0
+pkgrel=1
pkgdesc="A JSON implementation in C"
url="https://github.com/json-c/json-c/wiki"
arch="all"
@@ -12,9 +12,15 @@ makedepends="$depends_dev autoconf automake libtool"
install=""
subpackages="$pkgname-static $pkgname-dev"
source="https://s3.amazonaws.com/${pkgname}_releases/releases/$pkgname-${pkgver}.tar.gz
+ CVE-2020-12762.patch::https://github.com/json-c/json-c/pull/607.patch
"
builddir="$srcdir"/json-c-$pkgver
+
+# secfixes:
+# 0.13.1-r1:
+# - CVE-2020-12762
+
prepare() {
cd "$builddir"
default_prepare
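Review bot: The new source entry `CVE-2020-12762.patch::https://github.com/json-c/json-c/pull/607.patch` points at a pull-request URL, and the patch generated for a PR changes whenever commits are added to it or rewritten. The sha512 added at the end of the APKBUILD will reject changed content, but the outcome is a build that stops fetching rather than a reproducible one, and the URL does not tell a reviewer which commits were actually audited. Pinning to a specific commit (`https://github.com/json-c/json-c/commit/<COMMIT_ID>.patch`, the form the libarchive entry in this same commit uses) or committing the patch file into the aport directory would fix both. `prepare()` continues outside the hunk.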
@@ -53,4 +59,5 @@ static() {
mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
}
-sha512sums="e984db2a42b9c95b52c798b2e8dd1b79951a8dcba27370af30c43b9549fbb00008dbcf052a535c528209aaee38e6d1f760168b706905ae72f3e704ed20f8a1a1 json-c-0.13.1.tar.gz"
+sha512sums="e984db2a42b9c95b52c798b2e8dd1b79951a8dcba27370af30c43b9549fbb00008dbcf052a535c528209aaee38e6d1f760168b706905ae72f3e704ed20f8a1a1 json-c-0.13.1.tar.gz
+f6c47ba18cdbf5cf150fdac97e931e511e12cbb5c30e6798b1ebf6173556eda1e84384bf0019a95bcfbb9dcd561a13d05639c68e07838b28cdbcf5b86bd3d497 CVE-2020-12762.patch"
diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD
index a07d7c41060..595c44a0b79 100644
--- a/main/krb5/APKBUILD
+++ b/main/krb5/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=krb5
pkgver=1.15.5
-pkgrel=0
+pkgrel=1
case $pkgver in
*.*.*) _ver=${pkgver%.*};;
@@ -21,6 +21,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server
$pkgname-server-ldap:ldap $pkgname-pkinit $pkgname-libs"
source="https://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz
mit-krb5_krb5-config_LDFLAGS.patch
+ CVE-2020-28196.patch
krb5kadmind.initd
krb5kdc.initd
@@ -29,6 +30,8 @@ source="https://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz
builddir="$srcdir"/krb5-$pkgver
# secfixes:
+# 1.15.5-r1:
+# - CVE-2020-28196
# 1.15.4-r0:
# - CVE-2018-20217
# 1.15.3-r0:
@@ -114,6 +117,7 @@ libs() {
}
sha512sums="cf2c5764a081acc44c416108da40f76dafa5c764d1fb842cba1736942999548962a57c64e67924a409c068b1b8ed824f17857ea9a34594724f70903e555505b5 krb5-1.15.5.tar.gz
5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch
+d7b4b55f01f8e70c0b1c9390ba1753d590253ac9ab39aaf22da15b6169506d019923837bb18d856b0c4508afc9c387180068dfe0c6847d6bd7d0970b34769a97 CVE-2020-28196.patch
43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd
ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd
45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd"
diff --git a/main/krb5/CVE-2018-20217.patch b/main/krb5/CVE-2018-20217.patch
deleted file mode 100644
index 80f2d550583..00000000000
--- a/main/krb5/CVE-2018-20217.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Mon, 3 Dec 2018 02:33:07 +0200
-Subject: [PATCH] Ignore password attributes for S4U2Self requests
-
-For consistency with Windows KDCs, allow protocol transition to work
-even if the password has expired or needs changing.
-
-Also, when looking up an enterprise principal with an AS request,
-treat ERR_KEY_EXP as confirmation that the client is present in the
-realm.
-
-[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
-commit message]
-
-ticket: 8763 (new)
-tags: pullup
-target_version: 1.17
----
- src/kdc/kdc_util.c | 5 +++++
- src/lib/krb5/krb/s4u_creds.c | 2 +-
- src/tests/gssapi/t_s4u.py | 8 ++++++++
- 3 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 6d53173fb0..6517a213cd 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -1607,6 +1607,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
-
- memset(&no_server, 0, sizeof(no_server));
-
-+ /* Ignore password expiration and needchange attributes (as Windows
-+ * does), since S4U2Self is not password authentication. */
-+ princ->pw_expiration = 0;
-+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
-+
- code = validate_as_request(kdc_active_realm, request, *princ,
- no_server, kdc_time, status, &e_data);
- if (code) {
-diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
-index d2fdcb3f16..614ed41908 100644
---- a/src/lib/krb5/krb/s4u_creds.c
-+++ b/src/lib/krb5/krb/s4u_creds.c
-@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context,
- code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
- opts, krb5_get_as_key_noop, &userid, &use_master,
- NULL);
-- if (code == 0 || code == KRB5_PREAUTH_FAILED) {
-+ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
- *canon_user = userid.user;
- userid.user = NULL;
- code = 0;
-diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
-index fd29e1a270..84f3fbd752 100755
---- a/src/tests/gssapi/t_s4u.py
-+++ b/src/tests/gssapi/t_s4u.py
-@@ -19,6 +19,14 @@
- # Get forwardable creds for service1 in the default cache.
- realm.kinit(service1, None, ['-f', '-k'])
-
-+# Try S4U2Self for user with a restricted password.
-+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
-+realm.run(['./t_s4u', 'e:user', '-'])
-+realm.run([kadminl, 'modprinc', '-needchange',
-+ '-pwexpire', '1/1/2000', realm.user_princ])
-+realm.run(['./t_s4u', 'e:user', '-'])
-+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
-+
- # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
- # at the S4U2Proxy step since the DB2 back end currently has no
- # support for allowing it.
diff --git a/main/krb5/CVE-2020-28196.patch b/main/krb5/CVE-2020-28196.patch
new file mode 100644
index 00000000000..4d6b4238388
--- /dev/null
+++ b/main/krb5/CVE-2020-28196.patch
@@ -0,0 +1,100 @@
+From 2289312180a5162114037df8eaa4f4f990d67447 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Sat, 31 Oct 2020 17:07:05 -0400
+Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths
+
+The libkrb5 ASN.1 decoder supports BER indefinite lengths. It
+computes the tag length using recursion; the lack of a recursion limit
+allows an attacker to overrun the stack and cause the process to
+crash. Reported by Demi Obenour.
+
+CVE-2020-28196:
+
+In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
+cause a denial of service for any client or server to which it can
+send an ASN.1-encoded Kerberos message of sufficient length.
+
+ticket: 8959 (new)
+tags: pullup
+target_version: 1.18-next
+target_version: 1.17-next
+
+(cherry picked from commit 57415dda6cf04e73ffc3723be518eddfae599bfd)
+---
+ src/lib/krb5/asn.1/asn1_encode.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
+index a7423b642..8c0cda852 100644
+--- a/src/lib/krb5/asn.1/asn1_encode.c
++++ b/src/lib/krb5/asn.1/asn1_encode.c
+@@ -393,7 +393,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len, size_t *retlen)
+ static asn1_error_code
+ get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out,
+ const unsigned char **contents_out, size_t *clen_out,
+- const unsigned char **remainder_out, size_t *rlen_out)
++ const unsigned char **remainder_out, size_t *rlen_out, int recursion)
+ {
+ asn1_error_code ret;
+ unsigned char o;
+@@ -431,9 +431,11 @@ get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out,
+ /* Indefinite form (should not be present in DER, but we accept it). */
+ if (tag_out->construction != CONSTRUCTED)
+ return ASN1_MISMATCH_INDEF;
++ if (recursion >= 32)
++ return ASN1_OVERFLOW;
+ p = asn1;
+ while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
+- ret = get_tag(p, len, &t, &c, &clen, &p, &len);
++ ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1);
+ if (ret)
+ return ret;
+ }
+@@ -652,7 +654,7 @@ split_der(asn1buf *buf, unsigned char *const *der, size_t len,
+ const unsigned char *contents, *remainder;
+ size_t clen, rlen;
+
+- ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen);
++ ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0);
+ if (ret)
+ return ret;
+ if (rlen != 0)
+@@ -1259,7 +1261,7 @@ decode_atype(const taginfo *t, const unsigned char *asn1,
+ const unsigned char *rem;
+ size_t rlen;
+ if (!tag->implicit) {
+- ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen);
++ ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0);
+ if (ret)
+ return ret;
+ /* Note: we don't check rlen (it should be 0). */
+@@ -1481,7 +1483,7 @@ decode_sequence(const unsigned char *asn1, size_t len,
+ for (i = 0; i < seq->n_fields; i++) {
+ if (len == 0)
+ break;
+- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+ if (ret)
+ goto error;
+ /*
+@@ -1539,7 +1541,7 @@ decode_sequence_of(const unsigned char *asn1, size_t len,
+ *seq_out = NULL;
+ *count_out = 0;
+ while (len > 0) {
+- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+ if (ret)
+ goto error;
+ if (!check_atype_tag(elemtype, &t)) {
+@@ -1625,7 +1627,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a,
+
+ *retrep = NULL;
+ ret = get_tag((unsigned char *)code->data, code->length, &t, &contents,
+- &clen, &remainder, &rlen);
++ &clen, &remainder, &rlen, 0);
+ if (ret)
+ return ret;
+ /* rlen should be 0, but we don't check it (and due to padding in
+--
+2.20.4
+
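Review bot: `get_tag` gains a `recursion` parameter, but nothing in the patched code says what it counts or why the limit is `32`. From the hunks, only the self-call in the indefinite-length branch passes `recursion + 1`, while `split_der`, `decode_atype`, `decode_sequence`, `decode_sequence_of` and `k5_asn1_full_decode` all pass `0`, so the value appears to track nesting of indefinite-length encodings within one top-level `get_tag` call. A comment above `get_tag` such as `/* recursion: nesting depth of indefinite-length encodings; external callers pass 0 */` and a named constant in place of the bare `32` would make that contract explicit. The header also lists `target_version` 1.18 and 1.17 while this aport is at 1.15.5, so a line in the patch header saying whether the cherry-pick applied unmodified would help future audits.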
diff --git a/main/lame/APKBUILD b/main/lame/APKBUILD
index 80caadcd112..75a21d54843 100644
--- a/main/lame/APKBUILD
+++ b/main/lame/APKBUILD
@@ -12,11 +12,6 @@ source="https://downloads.sourceforge.net/project/lame/lame/$pkgver/$pkgname-$pk
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
-# 3.100-r0:
-# - CVE-2017-9410
-# - CVE-2017-9411
-# - CVE-2017-9412
-# - CVE-2015-9099
# 3.99.5-r6:
# - CVE-2015-9099
# - CVE-2015-9100
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index 6087277977b..14b0ad1dd5a 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libarchive
pkgver=3.3.3
-pkgrel=1
+pkgrel=2
pkgdesc="library that can create and read several streaming archive formats"
url="http://libarchive.org/"
arch="all"
@@ -11,10 +11,13 @@ makedepends="zlib-dev bzip2-dev xz-dev lz4-dev acl-dev openssl-dev expat-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools"
source="http://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz
CVE-2019-18408.patch::https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60.patch
+ CVE-2020-19221.patch::https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 3.3.3-r2:
+# - CVE-2020-19221
# 3.3.3-r1:
# - CVE-2019-18408
# 3.3.3-r0:
@@ -47,4 +50,5 @@ tools() {
}
sha512sums="9d12b47d6976efa9f98e62c25d8b85fd745d4e9ca7b7e6d36bfe095dfe5c4db017d4e785d110f3758f5938dad6f1a1b009267fd7e82cb7212e93e1aea237bab7 libarchive-3.3.3.tar.gz
-4807e01dffb83ff4ef430c66339157e9f7a61db4fc5cec2812c3ee5ad130b4fc2d3c1cbeea87930c76cd8ec3e66272e20622a48edf0c66215b626c4e0db99cab CVE-2019-18408.patch"
+4807e01dffb83ff4ef430c66339157e9f7a61db4fc5cec2812c3ee5ad130b4fc2d3c1cbeea87930c76cd8ec3e66272e20622a48edf0c66215b626c4e0db99cab CVE-2019-18408.patch
+5ffd3838b3ddbbae5613bf2a75583dd513942b804cd8fed11d24d38adc9c81d7fa739b94cc2d9d0621a93909f4b7b4ec2632cdd8e3e66c1ffd89440e5e3168de CVE-2020-19221.patch"
diff --git a/main/libexif/APKBUILD b/main/libexif/APKBUILD
index 467acb3b995..22a32de8c3b 100644
--- a/main/libexif/APKBUILD
+++ b/main/libexif/APKBUILD
@@ -1,30 +1,47 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libexif
-pkgver=0.6.21
-pkgrel=3
+pkgver=0.6.22
+pkgrel=0
pkgdesc="A library to parse an EXIF file and read the data from those tags"
url="https://sourceforge.net/projects/libexif"
arch="all"
-license="LGPL-2.0+"
+license="LGPL-2.0-or-later"
subpackages="$pkgname-dev $pkgname-doc"
-depends=
-makedepends=
-source="https://downloads.sf.net/sourceforge/$pkgname/$pkgname-$pkgver.tar.bz2
- CVE-2017-7544.patch
- "
+source="https://github.com/libexif/libexif/releases/download/libexif-${pkgver//./_}-release/libexif-$pkgver.tar.xz"
# secfixes:
+# 0.6.22-r0:
+# - CVE-2018-20030
+# - CVE-2020-13114
+# - CVE-2020-13113
+# - CVE-2020-13112
+# - CVE-2020-0093
+# - CVE-2019-9278
+# - CVE-2020-12767
+# - CVE-2016-6328
# 0.6.21-r3:
# - CVE-2017-7544
+# 0.6.21-r0:
+# - CVE-2012-2812
+# - CVE-2012-2813
+# - CVE-2012-2814
+# - CVE-2012-2836
+# - CVE-2012-2837
+# - CVE-2012-2840
+# - CVE-2012-2841
+# - CVE-2012-2845
+# 0.6.19-r0:
+# - CVE-2009-3895
prepare() {
- cd "$builddir"
- update_config_sub
default_prepare
+
+ # The tarballs upstream provides uses /usr/bin/sh instead of /bin/sh
+ # most likely as a result of a poor usrmerge
+ grep -l '^#!/usr/bin/sh' -r . | xargs sed -i 's|^#!/usr/bin/sh|#!/bin/sh|g'
}
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
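Review bot: The shebang fix-up added to `prepare()` pipes `grep -l` into a bare `xargs sed -i`, which misbehaves when nothing matches. With GNU and busybox xargs the command still runs once on empty input, so as soon as upstream ships tarballs without `#!/usr/bin/sh` the step is likely to fail on `sed -i` having no file operands. Adding `-r` covers that case: `grep -rl '^#!/usr/bin/sh' . | xargs -r sed -i 's|^#!/usr/bin/sh|#!/bin/sh|g'`. File names containing whitespace would still be split by xargs; that is hardly a concern for this tarball but worth keeping in mind if the line is copied elsewhere. `build()` continues outside the hunk.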
@@ -33,13 +50,10 @@ build() {
}
check() {
- cd "$builddir"
make check
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
-sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 libexif-0.6.21.tar.bz2
-5475c9e0f4a05448a571077d24d545cfaa0a7b15978345e92440107770077158b994fc0c785a81bb95ad6b409929c4c516c6e002cd65c9d35eb0e91161750e48 CVE-2017-7544.patch"
+sha512sums="0a9e7bf0258ed98a794b667d45e8fc65299101a2a2d2e39c358715b20b003beff258782f0736cd5b53978428a2f878a989f303bee249a978850a065f33c534af libexif-0.6.22.tar.xz"
diff --git a/main/libexif/CVE-2017-7544.patch b/main/libexif/CVE-2017-7544.patch
deleted file mode 100644
index b8825e1385c..00000000000
--- a/main/libexif/CVE-2017-7544.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: libexif/exif-data.c
-===================================================================
-RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
-retrieving revision 1.131
-diff -u -r1.131 exif-data.c
---- a/libexif/exif-data.c 12 Jul 2012 17:28:26 -0000 1.131
-+++ b/libexif/exif-data.c 25 Jul 2017 21:34:06 -0000
-@@ -255,6 +255,12 @@
- exif_mnote_data_set_offset (data->priv->md, *ds - 6);
- exif_mnote_data_save (data->priv->md, &e->data, &e->size);
- e->components = e->size;
-+ if (exif_format_get_size (e->format) != 1) {
-+ /* e->format is taken from input code,
-+ * but we need to make sure it is a 1 byte
-+ * entity due to the multiplication below. */
-+ e->format = EXIF_FORMAT_UNDEFINED;
-+ }
- }
- }
-
diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD
index b14a205b13c..a996682d70a 100644
--- a/main/libjpeg-turbo/APKBUILD
+++ b/main/libjpeg-turbo/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libjpeg-turbo
pkgver=1.5.3
-pkgrel=5
+pkgrel=6
pkgdesc="accelerated baseline JPEG compression and decompression library"
url="https://libjpeg-turbo.org/"
arch="all"
@@ -15,9 +15,12 @@ source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.ta
0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
CVE-2018-11813.patch
CVE-2018-14498.patch
+ CVE-2019-2201.patch
"
# secfixes:
+# 1.5.3-r6:
+# - CVE-2019-2201
# 1.5.3-r5:
# - CVE-2018-14498
# 1.5.3-r3:
@@ -74,4 +77,5 @@ dev() {
sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz
d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch
-315aba552a2d66cdc8d83c5602a7e47c995f6709509afd07daf3ffacaf650404dc9f7a4beeb1373cabb5afc915a3d4c704b71dfdfcad3bc25ae5361ed16980d5 CVE-2018-14498.patch"
+315aba552a2d66cdc8d83c5602a7e47c995f6709509afd07daf3ffacaf650404dc9f7a4beeb1373cabb5afc915a3d4c704b71dfdfcad3bc25ae5361ed16980d5 CVE-2018-14498.patch
+28e0efd9227c3f6fe3d328f8ad6ae3f52875cdbb91934a93b516a0005bf4d22ac9e589e27472a17da8d8641cad10561cbd2de46e41d2b83378d6df969eed8848 CVE-2019-2201.patch"
diff --git a/main/libjpeg-turbo/CVE-2019-2201.patch b/main/libjpeg-turbo/CVE-2019-2201.patch
new file mode 100644
index 00000000000..31f1d92bbab
--- /dev/null
+++ b/main/libjpeg-turbo/CVE-2019-2201.patch
@@ -0,0 +1,466 @@
+From b5eb30229e9b9c4a09917e7f563317c380031a22 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 11 Jul 2019 15:30:04 -0500
+Subject: [PATCH 1/2] TurboJPEG: Properly handle gigapixel images
+
+Prevent several integer overflow issues and subsequent segfaults that
+occurred when attempting to compress or decompress gigapixel images with
+the TurboJPEG API:
+
+- Modify tjBufSize(), tjBufSizeYUV2(), and tjPlaneSizeYUV() to avoid
+ integer overflow when computing the return values and to return an
+ error if such an overflow is unavoidable.
+- Modify tjunittest to validate the above.
+- Modify tjCompress2(), tjEncodeYUVPlanes(), tjDecompress2(), and
+ tjDecodeYUVPlanes() to avoid integer overflow when computing the row
+ pointers in the 64-bit TurboJPEG C API.
+- Modify TJBench (both C and Java versions) to avoid overflowing the
+ size argument to malloc()/new and to fail gracefully if such an
+ overflow is unavoidable.
+
+In general, this allows gigapixel images to be accommodated by the
+64-bit TurboJPEG C API when using automatic JPEG buffer (re)allocation.
+Such images cannot currently be accommodated without automatic JPEG
+buffer (re)allocation, due to the fact that tjAlloc() accepts a 32-bit
+integer argument (oops.) Such images cannot be accommodated in the
+TurboJPEG Java API due to the fact that Java always uses a signed 32-bit
+integer as an array index.
+
+Fixes #361
+
+(cherry picked from commit 2a9e3bd7430cfda1bc812d139e0609c6aca0b884)
+---
+ java/TJBench.java | 11 ++++++++++-
+ tjbench.c | 44 +++++++++++++++++++++++++++++------------
+ tjunittest.c | 38 +++++++++++++++++++++++++++++++++++
+ turbojpeg.c | 50 ++++++++++++++++++++++++++++-------------------
+ 4 files changed, 109 insertions(+), 34 deletions(-)
+
+diff --git a/java/TJBench.java b/java/TJBench.java
+index ddc414c..9b1ff81 100644
+--- a/java/TJBench.java
++++ b/java/TJBench.java
+@@ -96,6 +96,8 @@ class TJBench {
+ int rindex = TJ.getRedOffset(pixelFormat);
+ int gindex = TJ.getGreenOffset(pixelFormat);
+ int bindex = TJ.getBlueOffset(pixelFormat);
++ if ((long)w[0] * (long)h[0] * (long)ps > (long)Integer.MAX_VALUE)
++ throw new Exception("Image is too large");
+ byte[] dstBuf = new byte[w[0] * h[0] * ps];
+ int pixels = w[0] * h[0], dstPtr = 0, rgbPtr = 0;
+ while (pixels-- > 0) {
+@@ -147,8 +149,11 @@ class TJBench {
+
+ tjd = new TJDecompressor();
+
+- if (dstBuf == null)
++ if (dstBuf == null) {
++ if ((long)pitch * (long)scaledh > (long)Integer.MAX_VALUE)
++ throw new Exception("Image is too large");
+ dstBuf = new byte[pitch * scaledh];
++ }
+
+ /* Set the destination buffer to gray so we know whether the decompressor
+ attempted to write to it */
+@@ -287,6 +292,8 @@ class TJBench {
+ String pfStr = pixFormatStr[pf];
+ YUVImage yuvImage = null;
+
++ if ((long)pitch * (long)h > (long)Integer.MAX_VALUE)
++ throw new Exception("Image is too large");
+ tmpBuf = new byte[pitch * h];
+
+ if (quiet == 0)
+@@ -435,6 +442,8 @@ class TJBench {
+ int ps = TJ.getPixelSize(pf), tile;
+
+ FileInputStream fis = new FileInputStream(fileName);
++ if (fis.getChannel().size() > (long)Integer.MAX_VALUE)
++ throw new Exception("Image is too large");
+ int srcSize = (int)fis.getChannel().size();
+ srcBuf = new byte[srcSize];
+ fis.read(srcBuf, 0, srcSize);
+diff --git a/tjbench.c b/tjbench.c
+index 0187b75..e90ba3d 100644
+--- a/tjbench.c
++++ b/tjbench.c
+@@ -32,6 +32,7 @@
+ #include <ctype.h>
+ #include <math.h>
+ #include <errno.h>
++#include <limits.h>
+ #include <cdjpeg.h>
+ #include "./bmp.h"
+ #include "./tjutil.h"
+@@ -127,7 +128,10 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+
+ if(dstbuf==NULL)
+ {
+- if((dstbuf=(unsigned char *)malloc(pitch*scaledh))==NULL)
++ if ((unsigned long long)pitch * (unsigned long long)scaledh >
++ (unsigned long long)((size_t)-1))
++ _throw("allocating destination buffer", "Image is too large");
++ if ((dstbuf = (unsigned char *)malloc((size_t)pitch * scaledh)) == NULL)
+ _throwunix("allocating destination buffer");
+ dstbufalloc=1;
+ }
+@@ -139,7 +143,10 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+ {
+ int width=dotile? tilew:scaledw;
+ int height=dotile? tileh:scaledh;
+- int yuvsize=tjBufSizeYUV2(width, yuvpad, height, subsamp);
++ unsigned long yuvsize=tjBufSizeYUV2(width, yuvpad, height, subsamp);
++
++ if (yuvsize == (unsigned long)-1)
++ _throwtj("allocating YUV buffer");
+ if((yuvbuf=(unsigned char *)malloc(yuvsize))==NULL)
+ _throwunix("allocating YUV buffer");
+ memset(yuvbuf, 127, yuvsize);
+@@ -242,14 +249,14 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+ if(!quiet) printf("Compression error written to %s.\n", tempstr);
+ if(subsamp==TJ_GRAYSCALE)
+ {
+- int index, index2;
++ unsigned long index, index2;
+ for(row=0, index=0; row<h; row++, index+=pitch)
+ {
+ for(col=0, index2=index; col<w; col++, index2+=ps)
+ {
+- int rindex=index2+tjRedOffset[pf];
+- int gindex=index2+tjGreenOffset[pf];
+- int bindex=index2+tjBlueOffset[pf];
++ unsigned long rindex=index2+tjRedOffset[pf];
++ unsigned long gindex=index2+tjGreenOffset[pf];
++ unsigned long bindex=index2+tjBlueOffset[pf];
+ int y=(int)((double)srcbuf[rindex]*0.299
+ + (double)srcbuf[gindex]*0.587
+ + (double)srcbuf[bindex]*0.114 + 0.5);
+@@ -290,13 +297,16 @@ int fullTest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual,
+ unsigned char **jpegbuf=NULL, *yuvbuf=NULL, *tmpbuf=NULL, *srcptr, *srcptr2;
+ double start, elapsed, elapsedEncode;
+ int totaljpegsize=0, row, col, i, tilew=w, tileh=h, retval=0;
+- int iter, yuvsize=0;
+- unsigned long *jpegsize=NULL;
++ int iter;
++ unsigned long *jpegsize=NULL, yuvsize=0;
+ int ps=tjPixelSize[pf];
+ int ntilesw=1, ntilesh=1, pitch=w*ps;
+ const char *pfStr=pixFormatStr[pf];
+
+- if((tmpbuf=(unsigned char *)malloc(pitch*h)) == NULL)
++ if((unsigned long long)pitch * (unsigned long long)h >
++ (unsigned long long)((size_t)-1))
++ _throw("allocating temporary image buffer", "Image is too large");
++ if((tmpbuf = (unsigned char *)malloc((size_t)pitch * h)) == NULL)
+ _throwunix("allocating temporary image buffer");
+
+ if(!quiet)
+@@ -322,6 +332,8 @@ int fullTest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual,
+ if((flags&TJFLAG_NOREALLOC)!=0)
+ for(i=0; i<ntilesw*ntilesh; i++)
+ {
++ if(tjBufSize(tilew, tileh, subsamp) > (unsigned long)INT_MAX)
++ _throw("getting buffer size", "Image is too large");
+ if((jpegbuf[i]=(unsigned char *)tjAlloc(tjBufSize(tilew, tileh,
+ subsamp)))==NULL)
+ _throwunix("allocating JPEG tiles");
+@@ -339,6 +351,8 @@ int fullTest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual,
+ if(doyuv)
+ {
+ yuvsize=tjBufSizeYUV2(tilew, yuvpad, tileh, subsamp);
++ if(yuvsize == (unsigned long)-1)
++ _throwtj("allocating YUV buffer");
+ if((yuvbuf=(unsigned char *)malloc(yuvsize))==NULL)
+ _throwunix("allocating YUV buffer");
+ memset(yuvbuf, 127, yuvsize);
+@@ -418,7 +432,7 @@ int fullTest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual,
+ {
+ printf("Encode YUV --> Frame rate: %f fps\n",
+ (double)iter/elapsedEncode);
+- printf(" Output image size: %d bytes\n", yuvsize);
++ printf(" Output image size: %lu bytes\n", yuvsize);
+ printf(" Compression ratio: %f:1\n",
+ (double)(w*h*ps)/(double)yuvsize);
+ printf(" Throughput: %f Megapixels/sec\n",
+@@ -561,9 +575,12 @@ int decompTest(char *filename)
+ _throwunix("allocating JPEG size array");
+ memset(jpegsize, 0, sizeof(unsigned long)*ntilesw*ntilesh);
+
+- if((flags&TJFLAG_NOREALLOC)!=0 || !dotile)
++ if ((flags & TJFLAG_NOREALLOC) != 0 &&
++ (dotile || xformop != TJXOP_NONE || xformopt != 0 || customFilter))
+ for(i=0; i<ntilesw*ntilesh; i++)
+ {
++ if (tjBufSize(tilew, tileh, subsamp) > (unsigned long)INT_MAX)
++ _throw("getting buffer size", "Image is too large");
+ if((jpegbuf[i]=(unsigned char *)tjAlloc(tjBufSize(tilew, tileh,
+ subsamp)))==NULL)
+ _throwunix("allocating JPEG tiles");
+@@ -684,7 +701,7 @@ int decompTest(char *filename)
+ else
+ {
+ if(quiet==1) printf("N/A N/A ");
+- tjFree(jpegbuf[0]);
++ if(jpegbuf[0]) tjFree(jpegbuf[0]);
+ jpegbuf[0]=NULL;
+ decompsrc=1;
+ }
+@@ -701,7 +718,8 @@ int decompTest(char *filename)
+
+ for(i=0; i<ntilesw*ntilesh; i++)
+ {
+- tjFree(jpegbuf[i]); jpegbuf[i]=NULL;
++ if(jpegbuf[i]) tjFree(jpegbuf[i]);
++ jpegbuf[i] = NULL;
+ }
+ free(jpegbuf); jpegbuf=NULL;
+ if(jpegsize) {free(jpegsize); jpegsize=NULL;}
+diff --git a/tjunittest.c b/tjunittest.c
+index f793796..a96440b 100644
+--- a/tjunittest.c
++++ b/tjunittest.c
+@@ -40,6 +40,7 @@
+ #include <time.h>
+ #define random() rand()
+ #endif
++#include "config.h" /* for SIZEOF_SIZE_T */
+
+
+ void usage(char *progName)
+@@ -593,6 +594,42 @@ void doTest(int w, int h, const int *formats, int nformats, int subsamp,
+ }
+
+
++#if SIZEOF_SIZE_T == 8
++#define CHECKSIZE(function) { \
++ if ((unsigned long long)size < (unsigned long long)0xFFFFFFFF) \
++ _throw(#function " overflow"); \
++}
++#else
++#define CHECKSIZE(function) { \
++ if (size != (unsigned long)(-1) || \
++ !strcmp(tjGetErrorStr(), "No error")) \
++ _throw(#function " overflow"); \
++}
++#endif
++
++static void overflowTest(void)
++{
++ /* Ensure that the various buffer size functions don't overflow */
++ unsigned long size;
++
++ size = tjBufSize(26755, 26755, TJSAMP_444);
++ CHECKSIZE(tjBufSize());
++ size = TJBUFSIZE(26755, 26755);
++ CHECKSIZE(TJBUFSIZE());
++ size = tjBufSizeYUV2(37838, 1, 37838, TJSAMP_444);
++ CHECKSIZE(tjBufSizeYUV2());
++ size = TJBUFSIZEYUV(37838, 37838, TJSAMP_444);
++ CHECKSIZE(TJBUFSIZEYUV());
++ size = tjBufSizeYUV(37838, 37838, TJSAMP_444);
++ CHECKSIZE(tjBufSizeYUV());
++ size = tjPlaneSizeYUV(0, 65536, 0, 65536, TJSAMP_444);
++ CHECKSIZE(tjPlaneSizeYUV());
++
++bailout:
++ return;
++}
++
++
+ void bufSizeTest(void)
+ {
+ int w, h, i, subsamp;
+@@ -704,6 +741,7 @@ int main(int argc, char *argv[])
+ }
+ if(alloc) printf("Testing automatic buffer allocation\n");
+ if(doyuv) num4bf=4;
++ overflowTest();
+ doTest(35, 39, _3byteFormats, 2, TJSAMP_444, "test");
+ doTest(39, 41, _4byteFormats, num4bf, TJSAMP_444, "test");
+ doTest(41, 35, _3byteFormats, 2, TJSAMP_422, "test");
+diff --git a/turbojpeg.c b/turbojpeg.c
+index 330a004..be03482 100644
+--- a/turbojpeg.c
++++ b/turbojpeg.c
+@@ -644,7 +644,8 @@ DLLEXPORT tjhandle DLLCALL tjInitCompress(void)
+ DLLEXPORT unsigned long DLLCALL tjBufSize(int width, int height,
+ int jpegSubsamp)
+ {
+- unsigned long retval=0; int mcuw, mcuh, chromasf;
++ unsigned long long retval=0;
++ int mcuw, mcuh, chromasf;
+ if(width<1 || height<1 || jpegSubsamp<0 || jpegSubsamp>=NUMSUBOPT)
+ _throw("tjBufSize(): Invalid argument");
+
+@@ -654,32 +655,37 @@ DLLEXPORT unsigned long DLLCALL tjBufSize(int width, int height,
+ mcuw=tjMCUWidth[jpegSubsamp];
+ mcuh=tjMCUHeight[jpegSubsamp];
+ chromasf=jpegSubsamp==TJSAMP_GRAY? 0: 4*64/(mcuw*mcuh);
+- retval=PAD(width, mcuw) * PAD(height, mcuh) * (2 + chromasf) + 2048;
++ retval = PAD(width, mcuw) * PAD(height, mcuh) * (2ULL + chromasf) + 2048ULL;
++ if (retval > (unsigned long long)((unsigned long)-1))
++ _throw("tjBufSize(): Image is too large");
+
+ bailout:
+- return retval;
++ return (unsigned long)retval;
+ }
+
+ DLLEXPORT unsigned long DLLCALL TJBUFSIZE(int width, int height)
+ {
+- unsigned long retval=0;
++ unsigned long long retval = 0;
+ if(width<1 || height<1)
+ _throw("TJBUFSIZE(): Invalid argument");
+
+ /* This allows for rare corner cases in which a JPEG image can actually be
+ larger than the uncompressed input (we wouldn't mention it if it hadn't
+ happened before.) */
+- retval=PAD(width, 16) * PAD(height, 16) * 6 + 2048;
++ retval = PAD(width, 16) * PAD(height, 16) * 6ULL + 2048ULL;
++ if (retval > (unsigned long long)((unsigned long)-1))
++ _throw("TJBUFSIZE(): Image is too large");
+
+ bailout:
+- return retval;
++ return (unsigned long)retval;
+ }
+
+
+ DLLEXPORT unsigned long DLLCALL tjBufSizeYUV2(int width, int pad, int height,
+ int subsamp)
+ {
+- int retval=0, nc, i;
++ unsigned long long retval=0;
++ int nc, i;
+
+ if(subsamp<0 || subsamp>=NUMSUBOPT)
+ _throw("tjBufSizeYUV2(): Invalid argument");
+@@ -691,11 +697,13 @@ DLLEXPORT unsigned long DLLCALL tjBufSizeYUV2(int width, int pad, int height,
+ int stride=PAD(pw, pad);
+ int ph=tjPlaneHeight(i, height, subsamp);
+ if(pw<0 || ph<0) return -1;
+- else retval+=stride*ph;
++ else retval+=(unsigned long long)stride*ph;
+ }
++ if (retval > (unsigned long long)((unsigned long)-1))
++ _throw("tjBufSizeYUV2(): Image is too large");
+
+ bailout:
+- return retval;
++ return (unsigned long) retval;
+ }
+
+ DLLEXPORT unsigned long DLLCALL tjBufSizeYUV(int width, int height,
+@@ -756,7 +764,7 @@ DLLEXPORT int tjPlaneHeight(int componentID, int height, int subsamp)
+ DLLEXPORT unsigned long DLLCALL tjPlaneSizeYUV(int componentID, int width,
+ int stride, int height, int subsamp)
+ {
+- unsigned long retval=0;
++ unsigned long long retval=0;
+ int pw, ph;
+
+ if(width<1 || height<1 || subsamp<0 || subsamp>=NUMSUBOPT)
+@@ -769,10 +777,12 @@ DLLEXPORT unsigned long DLLCALL tjPlaneSizeYUV(int componentID, int width,
+ if(stride==0) stride=pw;
+ else stride=abs(stride);
+
+- retval=stride*(ph-1)+pw;
++ retval=(unsigned long long)stride*(ph-1)+pw;
++ if (retval > (unsigned long long)((unsigned long)-1))
++ _throw("tjPlaneSizeYUV(): Image is too large");
+
+ bailout:
+- return retval;
++ return (unsigned long)retval;
+ }
+
+
+@@ -836,8 +846,8 @@ DLLEXPORT int DLLCALL tjCompress2(tjhandle handle, const unsigned char *srcBuf,
+ for(i=0; i<height; i++)
+ {
+ if(flags&TJFLAG_BOTTOMUP)
+- row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*pitch];
+- else row_pointer[i]=(JSAMPROW)&srcBuf[i*pitch];
++ row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*(size_t)pitch];
++ else row_pointer[i]=(JSAMPROW)&srcBuf[i*(size_t)pitch];
+ }
+ while(cinfo->next_scanline<cinfo->image_height)
+ {
+@@ -964,8 +974,8 @@ DLLEXPORT int DLLCALL tjEncodeYUVPlanes(tjhandle handle,
+ for(i=0; i<height; i++)
+ {
+ if(flags&TJFLAG_BOTTOMUP)
+- row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*pitch];
+- else row_pointer[i]=(JSAMPROW)&srcBuf[i*pitch];
++ row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*(size_t)pitch];
++ else row_pointer[i]=(JSAMPROW)&srcBuf[i*(size_t)pitch];
+ }
+ if(height<ph0)
+ for(i=height; i<ph0; i++) row_pointer[i]=row_pointer[height-1];
+@@ -1485,8 +1495,8 @@ DLLEXPORT int DLLCALL tjDecompress2(tjhandle handle,
+ for(i=0; i<(int)dinfo->output_height; i++)
+ {
+ if(flags&TJFLAG_BOTTOMUP)
+- row_pointer[i]=&dstBuf[(dinfo->output_height-i-1)*pitch];
+- else row_pointer[i]=&dstBuf[i*pitch];
++ row_pointer[i]=&dstBuf[(dinfo->output_height-i-1)*(size_t)pitch];
++ else row_pointer[i]=&dstBuf[i*(size_t)pitch];
+ }
+ while(dinfo->output_scanline<dinfo->output_height)
+ {
+@@ -1672,8 +1682,8 @@ DLLEXPORT int DLLCALL tjDecodeYUVPlanes(tjhandle handle,
+ _throw("tjDecodeYUVPlanes(): Memory allocation failure");
+ for(i=0; i<height; i++)
+ {
+- if(flags&TJFLAG_BOTTOMUP) row_pointer[i]=&dstBuf[(height-i-1)*pitch];
+- else row_pointer[i]=&dstBuf[i*pitch];
++ if(flags&TJFLAG_BOTTOMUP) row_pointer[i]=&dstBuf[(height-i-1)*(size_t)pitch];
++ else row_pointer[i]=&dstBuf[i*(size_t)pitch];
+ }
+ if(height<ph0)
+ for(i=height; i<ph0; i++) row_pointer[i]=row_pointer[height-1];
+--
+2.25.0
+
+
+From c511336e5ead5f125647cc92174295d5d5c7d4bf Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 12 Nov 2019 12:27:22 -0600
+Subject: [PATCH 2/2] 64-bit tjbench: Fix signed int overflow/segfault
+
+... that occurred when attempting to decompress images with more than
+715827882 (2048*1024*1024 / 3) pixels.
+
+Fixes #388
+
+(cherry picked from commit c30b1e72dac76343ef9029833d1561de07d29bad)
+---
+ tjbench.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tjbench.c b/tjbench.c
+index e90ba3d..858471c 100644
+--- a/tjbench.c
++++ b/tjbench.c
+@@ -137,7 +137,7 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+ }
+ /* Set the destination buffer to gray so we know whether the decompressor
+ attempted to write to it */
+- memset(dstbuf, 127, pitch*scaledh);
++ memset(dstbuf, 127, (size_t)pitch * scaledh);
+
+ if(doyuv)
+ {
+@@ -159,7 +159,7 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+ {
+ int tile=0;
+ double start=gettime();
+- for(row=0, dstptr=dstbuf; row<ntilesh; row++, dstptr+=pitch*tileh)
++ for(row=0, dstptr=dstbuf; row<ntilesh; row++, dstptr+=(size_t)pitch*tileh)
+ {
+ for(col=0, dstptr2=dstptr; col<ntilesw; col++, tile++, dstptr2+=ps*tilew)
+ {
+--
+2.25.0
+
diff --git a/main/libmspack/APKBUILD b/main/libmspack/APKBUILD
index 83f62b4eab9..10fa5d68697 100644
--- a/main/libmspack/APKBUILD
+++ b/main/libmspack/APKBUILD
@@ -2,18 +2,22 @@
pkgname=libmspack
pkgver=0.8_alpha
_ver=${pkgver/_/}
-pkgrel=0
+pkgrel=1
pkgdesc="Library for Microsoft CAB compression formats"
url="https://www.cabextract.org.uk/libmspack/"
arch="all"
license="LGPL-2.1-only"
makedepends="$depends_dev"
subpackages="$pkgname-dev $pkgname-utils"
-source="https://www.cabextract.org.uk/libmspack/libmspack-$_ver.tar.gz"
+source="https://www.cabextract.org.uk/libmspack/libmspack-$_ver.tar.gz
+ CVE-2019-1010305.patch
+ "
builddir="$srcdir"/libmspack-$_ver
# secfixes:
+# 0.8_alpha-r1:
+# - CVE-2019-1010305
# 0.8_alpha-r0:
# - CVE-2018-18584
# - CVE-2018-18585
@@ -58,4 +62,5 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr
}
-sha512sums="d178afc4d2eded204594c81af1c91be17d3be4f1a09829e08c103023aa7badc6b2595e9ec13cc7f77e3262d2cd874ed40ce6da01695c5c839682562740d2bf0a libmspack-0.8alpha.tar.gz"
+sha512sums="d178afc4d2eded204594c81af1c91be17d3be4f1a09829e08c103023aa7badc6b2595e9ec13cc7f77e3262d2cd874ed40ce6da01695c5c839682562740d2bf0a libmspack-0.8alpha.tar.gz
+4c5f5ab9d597538303ce2adf27014db715603afdde50904cd3cb363077f2ff883086cf9ccf1072fa516f73df4652bec3bddd81854aeac5f11c0698d1cfb59cdf CVE-2019-1010305.patch"
diff --git a/main/libmspack/CVE-2019-1010305.patch b/main/libmspack/CVE-2019-1010305.patch
new file mode 100644
index 00000000000..af113af2d34
--- /dev/null
+++ b/main/libmspack/CVE-2019-1010305.patch
@@ -0,0 +1,39 @@
+diff --git a/mspack/chmd.c b/mspack/chmd.c
+index 1d198bf..26c1b18 100644
+--- a/mspack/chmd.c
++++ b/mspack/chmd.c
+@@ -482,21 +482,19 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
+ fi->filename[name_len] = '\0';
+
+ if (name[0] == ':' && name[1] == ':') {
+- /* system file */
+- if (mspack_memcmp(&name[2], &content_name[2], 31L) == 0) {
+- if (mspack_memcmp(&name[33], &content_name[33], 8L) == 0) {
+- chm->sec1.content = fi;
+- }
+- else if (mspack_memcmp(&name[33], &control_name[33], 11L) == 0) {
+- chm->sec1.control = fi;
+- }
+- else if (mspack_memcmp(&name[33], &spaninfo_name[33], 8L) == 0) {
+- chm->sec1.spaninfo = fi;
+- }
+- else if (mspack_memcmp(&name[33], &rtable_name[33], 72L) == 0) {
+- chm->sec1.rtable = fi;
+- }
+- }
++ /* system file */
++ if (name_len == 40 && memcmp(name, content_name, 40) == 0) {
++ chm->sec1.content = fi;
++ }
++ else if (name_len == 44 && memcmp(name, control_name, 44) == 0) {
++ chm->sec1.control = fi;
++ }
++ else if (name_len == 41 && memcmp(name, spaninfo_name, 41) == 0) {
++ chm->sec1.spaninfo = fi;
++ }
++ else if (name_len == 105 && memcmp(name, rtable_name, 105) == 0) {
++ chm->sec1.rtable = fi;
++ }
+ fi->next = chm->sysfiles;
+ chm->sysfiles = fi;
+ }
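Review bot: The four length literals in the new comparisons in chmd_read_headers (40, 44, 41, 105) are not tied to the strings they are compared against. The definitions of content_name, control_name, spaninfo_name and rtable_name are outside the hunk, so a reader cannot confirm from here that each literal equals the length of its constant. A comment above the chain such as `/* each length is strlen() of the matching *_name constant; name_len must match exactly */` would make that checkable. The patch file also starts directly at `diff --git` with no description or upstream commit reference, so a short header naming the upstream commit (`<upstream commit id>`) would let the backport be verified against upstream. chmd_read_headers begins and ends outside the hunk.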
diff --git a/main/librsvg/APKBUILD b/main/librsvg/APKBUILD
index 00591d42184..8d2c0622681 100644
--- a/main/librsvg/APKBUILD
+++ b/main/librsvg/APKBUILD
@@ -1,11 +1,11 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=librsvg
-pkgver=2.40.20
+pkgver=2.40.21
pkgrel=0
pkgdesc="SAX-based renderer for SVG files into a GdkPixbuf"
url="http://live.gnome.org/LibRsvg"
arch="all"
-license="LGPL-2.0+"
+license="LGPL-2.0-or-later"
subpackages="$pkgname-dev $pkgname-doc"
depends=
depends_dev="gtk+2.0-dev libcroco-dev libgsf-dev"
@@ -17,6 +17,10 @@ source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgve
# sporadic testsuite failures
options="!check"
+# secfixes:
+# 2.40.21-r0:
+# - CVE-2019-20446
+
build() {
cd "$builddir"
./configure \
@@ -39,4 +43,4 @@ package() {
rm -rf "$pkgdir"/usr/lib/mozilla
}
-sha512sums="cdd8224deb4c3786e29f48ed02c32ed9dff5cb15aba574a5ef845801ad3669cfcc3eedb9d359c22213dc7a29de24c363248825adad5877c40abf73b3688ff12f librsvg-2.40.20.tar.xz"
+sha512sums="db0563d8e0edaae642a6b2bcd239cf54191495058ac8c7ff614ebaf88c0e30bd58dbcd41f58d82a9d5ed200ced45fc5bae22f2ed3cf3826e9348a497009e1280 librsvg-2.40.21.tar.xz"
diff --git a/main/libseccomp/APKBUILD b/main/libseccomp/APKBUILD
index f6eddb18f7b..8be0cbfcd7d 100644
--- a/main/libseccomp/APKBUILD
+++ b/main/libseccomp/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Contributor: Dan Williams <dan@ma.ssive.co>
pkgname=libseccomp
-pkgver=2.3.3
-pkgrel=1
+pkgver=2.4.2
+pkgrel=2
pkgdesc="An interface to the Linux Kernel's syscall filtering mechanism"
url="https://github.com/seccomp/libseccomp"
arch="all"
@@ -13,8 +13,13 @@ makedepends="$depends_dev"
checkdepends="bash"
subpackages="$pkgname-dev $pkgname-doc"
source="https://github.com/seccomp/libseccomp/releases/download/v$pkgver/libseccomp-$pkgver.tar.gz
- remove-redefinition-prctl.patch"
-builddir="$srcdir/libseccomp-$pkgver"
+ remove-redefinition-prctl.patch
+ tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
+ "
+
+# secfixes:
+# 2.4.0-r0:
+# - CVE-2019-9893
build() {
cd "$builddir"
@@ -25,20 +30,26 @@ build() {
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
- --localstatedir=/var \
- || return 1
- make || return 1
+ --localstatedir=/var
+ make
}
check() {
cd "$builddir"
- make check || return 1
+ # commit be65b26b67099be2b2b4890d736dbd1ad15adf36 adapted to new kernel 5.x syscalls
+ # as long as we are at 4.19 kernel, we need this change
+ case "$CARCH" in
+ ppc64le|s390x) rm -f tests/36-sim-ipc_syscalls.tests \
+ tests/37-sim-ipc_syscalls_be.tests;;
+ esac
+ make check
}
package() {
cd "$builddir"
- make DESTDIR="$pkgdir" install || return 1
+ make DESTDIR="$pkgdir" install
}
-sha512sums="845c7e0e916b5f5ad74da446ceff3250148b745c909185f6d5059e807d1b42fa6b74f356cce2a396bff0d4c7a3120e7cdad98d490a97d549327c7693fe1918be libseccomp-2.3.3.tar.gz
-f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f remove-redefinition-prctl.patch"
+sha512sums="375a3c7c658be6a08b9bb30963e10bb49e8e066119e0be6d3d97faac3db18b8e2c6938d8b5d3874b2f5331ec8295170112fbae83b5a3b5a5bebc0d6705bdfdbb libseccomp-2.4.2.tar.gz
+f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f remove-redefinition-prctl.patch
+e9c6adbc424c310802851ec486df23aedd8121397a9742f3a5ed4754a5eee7ec1701a6f5e220bb37911b8c48626ba00d70943fad43e489d740d0295e6e9b0dff tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch"
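Review bot: In check(), the `rm -f tests/36-sim-ipc_syscalls.tests tests/37-sim-ipc_syscalls_be.tests` workaround for ppc64le and s390x keeps succeeding silently if a later libseccomp release renames or drops those files, so the skip can outlive its reason unnoticed. This hunk also removes the `|| return 1` guards, so it presumably relies on abuild stopping at the first failing command. In that case dropping `-f` would turn a stale workaround into a visible build failure. The comment could also state the removal condition, e.g. `# drop this case block once the builders run a 5.x kernel`. While the block is in place, the filter behaviour covered by these two tests is not exercised on those architectures.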
diff --git a/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
new file mode 100644
index 00000000000..5f688a4a7db
--- /dev/null
+++ b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
@@ -0,0 +1,36 @@
+From 35803ceb43c453762a3ab5177c5f8d5dbb813478 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 5 Nov 2019 15:11:11 -0500
+Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
+
+We recently changed how libseccomp handles syscall numbers that are
+not defined natively, but we missed test #15.
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ tests/15-basic-resolver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
+index 6badef1..0c1eefe 100644
+--- a/tests/15-basic-resolver.c
++++ b/tests/15-basic-resolver.c
+@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
+ unsigned int arch;
+ char *name = NULL;
+
+- if (seccomp_syscall_resolve_name("open") != __NR_open)
++ if (seccomp_syscall_resolve_name("open") != __SNR_open)
+ goto fail;
+- if (seccomp_syscall_resolve_name("read") != __NR_read)
++ if (seccomp_syscall_resolve_name("read") != __SNR_read)
+ goto fail;
+ if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+ goto fail;
+
+ rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+- if (rc != __NR_openat)
++ if (rc != __SNR_openat)
+ goto fail;
+
+ while ((arch = arch_list[iter++]) != -1) {
diff --git a/main/libsndfile/APKBUILD b/main/libsndfile/APKBUILD
index 481d8a140c1..baa1b6f2c50 100644
--- a/main/libsndfile/APKBUILD
+++ b/main/libsndfile/APKBUILD
@@ -27,8 +27,6 @@ case $CARCH in arm*) options="!check";; esac
# 1.0.28-r8:
# - CVE-2018-19758
# - CVE-2019-3832
-# 1.0.28-r7:
-# - CVE-2018-19758
# 1.0.28-r6:
# - CVE-2017-17456
# - CVE-2017-17457
diff --git a/main/libssh/APKBUILD b/main/libssh/APKBUILD
index 504837ec62c..c574cf3420b 100644
--- a/main/libssh/APKBUILD
+++ b/main/libssh/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libssh
pkgver=0.7.6
-pkgrel=1
+pkgrel=3
pkgdesc="Library for accessing ssh client services through C libraries"
url="http://www.libssh.org/"
arch="all"
@@ -11,9 +11,21 @@ makedepends="zlib-dev openssl-dev cmake doxygen"
subpackages="$pkgname-dev"
options="!check"
source="https://www.libssh.org/files/0.7/libssh-$pkgver.tar.xz
- fix-includes.patch"
+ fix-includes.patch
+ CVE-2019-14889.patch
+ CVE-2020-16135.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 0.7.6-r3:
+# - CVE-2020-1730
+# - CVE-2020-16135
+# 0.7.6-r2:
+# - CVE-2019-14889
+# 0.7.6-r0:
+# - CVE-2018-10933
+
build() {
cd "$srcdir"
mkdir build && cd build
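Review bot: The new secfixes block records CVE-2020-1730 under 0.7.6-r3, but the `source` list in this hunk adds only `CVE-2019-14889.patch` and `CVE-2020-16135.patch`. The checksum hunk below likewise adds entries for those two files only. Either the patch for CVE-2020-1730 is missing from `source`, or the entry is meant to record that 0.7.6 needs no change, and that cannot be told from the visible lines. If it is the latter, a comment above the block would keep the metadata honest, e.g. `# CVE-2020-1730: no patch applied in r3, <reason>`. Security trackers that read secfixes will otherwise report the issue as fixed by this release with nothing in the package to back it.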
@@ -27,6 +39,7 @@ package() {
cd "$srcdir"/build
make DESTDIR="$pkgdir" install
}
-
sha512sums="2a01402b5a9fab9ecc29200544ed45d3f2c40871ed1c8241ca793f8dc7fdb3ad2150f6a522c4321affa9b8778e280dc7ed10f76adfc4a73f0751ae735a42f56c libssh-0.7.6.tar.xz
-055a8f6b97c65384a5a3ab8fe00c69d94cc30092fe926093dbbc122ce301fbe9d76127aa07b5e6107d7fa9dd2aad6b165fa0958b56520253b5d64428ff42a318 fix-includes.patch"
+055a8f6b97c65384a5a3ab8fe00c69d94cc30092fe926093dbbc122ce301fbe9d76127aa07b5e6107d7fa9dd2aad6b165fa0958b56520253b5d64428ff42a318 fix-includes.patch
+ed832fd00cb1ccae94e4b9e6771d92822dd1ef0e3fcc4649fab04dcde9f959909b7564fe1533e48eb4d016d3fef2dd711e1b9be5bda286545bd18bb81ae9cb6a CVE-2019-14889.patch
+e70708cb7973c2e8c13905cef45ef9b669273869dd2ea7f399b7ce57b363fd6a3775e7fd8a3be7b7c343a2c536ee15a859cc3609e69a0a615112b125b6ebfe4b CVE-2020-16135.patch"
diff --git a/main/libssh/CVE-2019-14889.patch b/main/libssh/CVE-2019-14889.patch
new file mode 100644
index 00000000000..ba049a10fc3
--- /dev/null
+++ b/main/libssh/CVE-2019-14889.patch
@@ -0,0 +1,1957 @@
+From 4aea835974996b2deb011024c53f4ff4329a95b5 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Thu, 31 Oct 2019 17:56:34 +0100
+Subject: CVE-2019-14889: scp: Reformat scp.c
+
+Fixes T181
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 42c727d0c186a1e2fa84a31ab40e16e58b404ab3)
+---
+ src/scp.c | 1200 +++++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 698 insertions(+), 502 deletions(-)
+
+diff --git a/src/scp.c b/src/scp.c
+index fd9aaaaa..5de0e6ff 100644
+--- a/src/scp.c
++++ b/src/scp.c
+@@ -57,30 +57,47 @@
+ *
+ * @returns A ssh_scp handle, NULL if the creation was impossible.
+ */
+-ssh_scp ssh_scp_new(ssh_session session, int mode, const char *location){
+- ssh_scp scp=malloc(sizeof(struct ssh_scp_struct));
+- if(scp == NULL){
+- ssh_set_error(session,SSH_FATAL,"Error allocating memory for ssh_scp");
+- return NULL;
+- }
+- ZERO_STRUCTP(scp);
+- if((mode&~SSH_SCP_RECURSIVE) != SSH_SCP_WRITE && (mode &~SSH_SCP_RECURSIVE) != SSH_SCP_READ){
+- ssh_set_error(session,SSH_FATAL,"Invalid mode %d for ssh_scp_new()",mode);
+- ssh_scp_free(scp);
+- return NULL;
+- }
+- scp->location=strdup(location);
+- if (scp->location == NULL) {
+- ssh_set_error(session,SSH_FATAL,"Error allocating memory for ssh_scp");
++ssh_scp ssh_scp_new(ssh_session session, int mode, const char *location)
++{
++ ssh_scp scp = NULL;
++
++ if (session == NULL) {
++ goto error;
++ }
++
++ scp = (ssh_scp)calloc(1, sizeof(struct ssh_scp_struct));
++ if (scp == NULL) {
++ ssh_set_error(session, SSH_FATAL,
++ "Error allocating memory for ssh_scp");
++ goto error;
++ }
++
++ if ((mode & ~SSH_SCP_RECURSIVE) != SSH_SCP_WRITE &&
++ (mode & ~SSH_SCP_RECURSIVE) != SSH_SCP_READ)
++ {
++ ssh_set_error(session, SSH_FATAL,
++ "Invalid mode %d for ssh_scp_new()", mode);
++ goto error;
++ }
++
++ scp->location = strdup(location);
++ if (scp->location == NULL) {
++ ssh_set_error(session, SSH_FATAL,
++ "Error allocating memory for ssh_scp");
++ goto error;
++ }
++
++ scp->session = session;
++ scp->mode = mode & ~SSH_SCP_RECURSIVE;
++ scp->recursive = (mode & SSH_SCP_RECURSIVE) != 0;
++ scp->channel = NULL;
++ scp->state = SSH_SCP_NEW;
++
++ return scp;
++
++error:
+ ssh_scp_free(scp);
+ return NULL;
+- }
+- scp->session=session;
+- scp->mode=mode & ~SSH_SCP_RECURSIVE;
+- scp->recursive = (mode & SSH_SCP_RECURSIVE) != 0;
+- scp->channel=NULL;
+- scp->state=SSH_SCP_NEW;
+- return scp;
+ }
+
+ /**
+@@ -94,59 +111,78 @@ ssh_scp ssh_scp_new(ssh_session session, int mode, const char *location){
+ */
+ int ssh_scp_init(ssh_scp scp)
+ {
+- int r;
+- char execbuffer[1024];
+- uint8_t code;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state != SSH_SCP_NEW){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_init called under invalid state");
+- return SSH_ERROR;
+- }
+- SSH_LOG(SSH_LOG_PROTOCOL,"Initializing scp session %s %son location '%s'",
+- scp->mode==SSH_SCP_WRITE?"write":"read",
+- scp->recursive?"recursive ":"",
+- scp->location);
+- scp->channel=ssh_channel_new(scp->session);
+- if(scp->channel == NULL){
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- r= ssh_channel_open_session(scp->channel);
+- if(r==SSH_ERROR){
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- if(scp->mode == SSH_SCP_WRITE)
+- snprintf(execbuffer,sizeof(execbuffer),"scp -t %s %s",
+- scp->recursive ? "-r":"", scp->location);
+- else
+- snprintf(execbuffer,sizeof(execbuffer),"scp -f %s %s",
+- scp->recursive ? "-r":"", scp->location);
+- if(ssh_channel_request_exec(scp->channel,execbuffer) == SSH_ERROR){
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- if(scp->mode == SSH_SCP_WRITE){
+- r=ssh_channel_read(scp->channel,&code,1,0);
+- if(r<=0){
+- ssh_set_error(scp->session,SSH_FATAL, "Error reading status code: %s",ssh_get_error(scp->session));
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- if(code != 0){
+- ssh_set_error(scp->session,SSH_FATAL, "scp status code %ud not valid", code);
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- } else {
+- ssh_channel_write(scp->channel,"",1);
+- }
+- if(scp->mode == SSH_SCP_WRITE)
+- scp->state=SSH_SCP_WRITE_INITED;
+- else
+- scp->state=SSH_SCP_READ_INITED;
+- return SSH_OK;
++ int rc;
++ char execbuffer[1024] = {0};
++ uint8_t code;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state != SSH_SCP_NEW) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_init called under invalid state");
++ return SSH_ERROR;
++ }
++
++ SSH_LOG(SSH_LOG_PROTOCOL,
++ "Initializing scp session %s %son location '%s'",
++ scp->mode == SSH_SCP_WRITE?"write":"read",
++ scp->recursive?"recursive ":"",
++ scp->location);
++
++ scp->channel = ssh_channel_new(scp->session);
++ if (scp->channel == NULL) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ rc = ssh_channel_open_session(scp->channel);
++ if (rc == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ if (scp->mode == SSH_SCP_WRITE) {
++ snprintf(execbuffer, sizeof(execbuffer), "scp -t %s %s",
++ scp->recursive ? "-r":"", scp->location);
++ } else {
++ snprintf(execbuffer, sizeof(execbuffer), "scp -f %s %s",
++ scp->recursive ? "-r":"", scp->location);
++ }
++
++ if (ssh_channel_request_exec(scp->channel, execbuffer) == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ if (scp->mode == SSH_SCP_WRITE) {
++ rc = ssh_channel_read(scp->channel, &code, 1, 0);
++ if (rc <= 0) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Error reading status code: %s",
++ ssh_get_error(scp->session));
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ if (code != 0) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "scp status code %ud not valid", code);
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++ } else {
++ ssh_channel_write(scp->channel, "", 1);
++ }
++
++ if (scp->mode == SSH_SCP_WRITE) {
++ scp->state = SSH_SCP_WRITE_INITED;
++ } else {
++ scp->state = SSH_SCP_READ_INITED;
++ }
++
++ return SSH_OK;
+ }
+
+ /**
+@@ -160,33 +196,40 @@ int ssh_scp_init(ssh_scp scp)
+ */
+ int ssh_scp_close(ssh_scp scp)
+ {
+- char buffer[128];
+- int err;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->channel != NULL){
+- if(ssh_channel_send_eof(scp->channel) == SSH_ERROR){
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- /* avoid situations where data are buffered and
+- * not yet stored on disk. This can happen if the close is sent
+- * before we got the EOF back
+- */
+- while(!ssh_channel_is_eof(scp->channel)){
+- err=ssh_channel_read(scp->channel,buffer,sizeof(buffer),0);
+- if(err==SSH_ERROR || err==0)
+- break;
++ char buffer[128] = {0};
++ int rc;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
+ }
+- if(ssh_channel_close(scp->channel) == SSH_ERROR){
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
++
++ if (scp->channel != NULL) {
++ if (ssh_channel_send_eof(scp->channel) == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++ /* avoid situations where data are buffered and
++ * not yet stored on disk. This can happen if the close is sent
++ * before we got the EOF back
++ */
++ while (!ssh_channel_is_eof(scp->channel)) {
++ rc = ssh_channel_read(scp->channel, buffer, sizeof(buffer), 0);
++ if (rc == SSH_ERROR || rc == 0) {
++ break;
++ }
++ }
++
++ if (ssh_channel_close(scp->channel) == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ ssh_channel_free(scp->channel);
++ scp->channel = NULL;
+ }
+- ssh_channel_free(scp->channel);
+- scp->channel=NULL;
+- }
+- scp->state=SSH_SCP_NEW;
+- return SSH_OK;
++
++ scp->state = SSH_SCP_NEW;
++ return SSH_OK;
+ }
+
+ /**
+@@ -198,16 +241,22 @@ int ssh_scp_close(ssh_scp scp)
+ */
+ void ssh_scp_free(ssh_scp scp)
+ {
+- if(scp==NULL)
+- return;
+- if(scp->state != SSH_SCP_NEW)
+- ssh_scp_close(scp);
+- if(scp->channel)
+- ssh_channel_free(scp->channel);
+- SAFE_FREE(scp->location);
+- SAFE_FREE(scp->request_name);
+- SAFE_FREE(scp->warning);
+- SAFE_FREE(scp);
++ if (scp == NULL) {
++ return;
++ }
++
++ if (scp->state != SSH_SCP_NEW) {
++ ssh_scp_close(scp);
++ }
++
++ if (scp->channel) {
++ ssh_channel_free(scp->channel);
++ }
++
++ SAFE_FREE(scp->location);
++ SAFE_FREE(scp->request_name);
++ SAFE_FREE(scp->warning);
++ SAFE_FREE(scp);
+ }
+
+ /**
+@@ -224,81 +273,106 @@ void ssh_scp_free(ssh_scp scp)
+ *
+ * @see ssh_scp_leave_directory()
+ */
+-int ssh_scp_push_directory(ssh_scp scp, const char *dirname, int mode){
+- char buffer[1024];
+- int r;
+- uint8_t code;
+- char *dir;
+- char *perms;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state != SSH_SCP_WRITE_INITED){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_push_directory called under invalid state");
+- return SSH_ERROR;
+- }
+- dir=ssh_basename(dirname);
+- perms=ssh_scp_string_mode(mode);
+- snprintf(buffer, sizeof(buffer), "D%s 0 %s\n", perms, dir);
+- SAFE_FREE(dir);
+- SAFE_FREE(perms);
+- r=ssh_channel_write(scp->channel,buffer,strlen(buffer));
+- if(r==SSH_ERROR){
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- r=ssh_channel_read(scp->channel,&code,1,0);
+- if(r<=0){
+- ssh_set_error(scp->session,SSH_FATAL, "Error reading status code: %s",ssh_get_error(scp->session));
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- if(code != 0){
+- ssh_set_error(scp->session,SSH_FATAL, "scp status code %ud not valid", code);
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- return SSH_OK;
++int ssh_scp_push_directory(ssh_scp scp, const char *dirname, int mode)
++{
++ char buffer[1024] = {0};
++ int rc;
++ uint8_t code;
++ char *dir = NULL;
++ char *perms = NULL;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state != SSH_SCP_WRITE_INITED) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_push_directory called under invalid state");
++ return SSH_ERROR;
++ }
++
++ dir = ssh_basename(dirname);
++ perms = ssh_scp_string_mode(mode);
++ snprintf(buffer, sizeof(buffer), "D%s 0 %s\n", perms, dir);
++ SAFE_FREE(dir);
++ SAFE_FREE(perms);
++
++ rc = ssh_channel_write(scp->channel, buffer, strlen(buffer));
++ if (rc == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ rc = ssh_channel_read(scp->channel, &code, 1, 0);
++ if (rc <= 0) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Error reading status code: %s",
++ ssh_get_error(scp->session));
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ if (code != 0) {
++ ssh_set_error(scp->session, SSH_FATAL, "scp status code %ud not valid",
++ code);
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ return SSH_OK;
+ }
+
+ /**
+ * @brief Leave a directory.
+ *
+- * @returns SSH_OK if the directory has been left,SSH_ERROR if an
++ * @returns SSH_OK if the directory has been left, SSH_ERROR if an
+ * error occured.
+ *
+ * @see ssh_scp_push_directory()
+ */
+- int ssh_scp_leave_directory(ssh_scp scp){
+- char buffer[]="E\n";
+- int r;
+- uint8_t code;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state != SSH_SCP_WRITE_INITED){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_leave_directory called under invalid state");
+- return SSH_ERROR;
+- }
+- r=ssh_channel_write(scp->channel,buffer,strlen(buffer));
+- if(r==SSH_ERROR){
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- r=ssh_channel_read(scp->channel,&code,1,0);
+- if(r<=0){
+- ssh_set_error(scp->session,SSH_FATAL, "Error reading status code: %s",ssh_get_error(scp->session));
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- if(code != 0){
+- ssh_set_error(scp->session,SSH_FATAL, "scp status code %ud not valid", code);
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- return SSH_OK;
++int ssh_scp_leave_directory(ssh_scp scp)
++{
++ char buffer[] = "E\n";
++ int rc;
++ uint8_t code;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state != SSH_SCP_WRITE_INITED) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_leave_directory called under invalid state");
++ return SSH_ERROR;
++ }
++
++ rc = ssh_channel_write(scp->channel, buffer, strlen(buffer));
++ if (rc == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ rc = ssh_channel_read(scp->channel, &code, 1, 0);
++ if (rc <= 0) {
++ ssh_set_error(scp->session, SSH_FATAL, "Error reading status code: %s",
++ ssh_get_error(scp->session));
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ if (code != 0) {
++ ssh_set_error(scp->session, SSH_FATAL, "scp status code %ud not valid",
++ code);
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ return SSH_OK;
+ }
+
+ /**
+- * @brief Initialize the sending of a file to a scp in sink mode, using a 64-bit size.
++ * @brief Initialize the sending of a file to a scp in sink mode, using a 64-bit
++ * size.
+ *
+ * @param[in] scp The scp handle.
+ *
+@@ -314,44 +388,61 @@ int ssh_scp_push_directory(ssh_scp scp, const char *dirname, int mode){
+ *
+ * @see ssh_scp_push_file()
+ */
+-int ssh_scp_push_file64(ssh_scp scp, const char *filename, uint64_t size, int mode){
+- char buffer[1024];
+- int r;
+- uint8_t code;
+- char *file;
+- char *perms;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state != SSH_SCP_WRITE_INITED){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_push_file called under invalid state");
+- return SSH_ERROR;
+- }
+- file=ssh_basename(filename);
+- perms=ssh_scp_string_mode(mode);
+- SSH_LOG(SSH_LOG_PROTOCOL,"SCP pushing file %s, size %" PRIu64 " with permissions '%s'",file,size,perms);
+- snprintf(buffer, sizeof(buffer), "C%s %" PRIu64 " %s\n", perms, size, file);
+- SAFE_FREE(file);
+- SAFE_FREE(perms);
+- r=ssh_channel_write(scp->channel,buffer,strlen(buffer));
+- if(r==SSH_ERROR){
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- r=ssh_channel_read(scp->channel,&code,1,0);
+- if(r<=0){
+- ssh_set_error(scp->session,SSH_FATAL, "Error reading status code: %s",ssh_get_error(scp->session));
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- if(code != 0){
+- ssh_set_error(scp->session,SSH_FATAL, "scp status code %ud not valid", code);
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- scp->filelen = size;
+- scp->processed = 0;
+- scp->state=SSH_SCP_WRITE_WRITING;
+- return SSH_OK;
++int ssh_scp_push_file64(ssh_scp scp, const char *filename, uint64_t size,
++ int mode)
++{
++ char buffer[1024] = {0};
++ int rc;
++ char *file = NULL;
++ char *perms = NULL;
++ uint8_t code;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state != SSH_SCP_WRITE_INITED) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_push_file called under invalid state");
++ return SSH_ERROR;
++ }
++
++ file = ssh_basename(filename);
++ perms = ssh_scp_string_mode(mode);
++ SSH_LOG(SSH_LOG_PROTOCOL,
++ "SCP pushing file %s, size %" PRIu64 " with permissions '%s'",
++ file, size, perms);
++ snprintf(buffer, sizeof(buffer), "C%s %" PRIu64 " %s\n", perms, size, file);
++ SAFE_FREE(file);
++ SAFE_FREE(perms);
++
++ rc = ssh_channel_write(scp->channel, buffer, strlen(buffer));
++ if (rc == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ rc = ssh_channel_read(scp->channel, &code, 1, 0);
++ if (rc <= 0) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Error reading status code: %s",
++ ssh_get_error(scp->session));
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ if (code != 0) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "scp status code %ud not valid", code);
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ scp->filelen = size;
++ scp->processed = 0;
++ scp->state = SSH_SCP_WRITE_WRITING;
++
++ return SSH_OK;
+ }
+
+ /**
+@@ -369,8 +460,9 @@ int ssh_scp_push_file64(ssh_scp scp, const char *filename, uint64_t size, int mo
+ * @returns SSH_OK if the file is ready to be sent, SSH_ERROR if an
+ * error occured.
+ */
+-int ssh_scp_push_file(ssh_scp scp, const char *filename, size_t size, int mode){
+- return ssh_scp_push_file64(scp, filename, (uint64_t) size, mode);
++int ssh_scp_push_file(ssh_scp scp, const char *filename, size_t size, int mode)
++{
++ return ssh_scp_push_file64(scp, filename, (uint64_t) size, mode);
+ }
+
+ /**
+@@ -385,41 +477,60 @@ int ssh_scp_push_file(ssh_scp scp, const char *filename, size_t size, int mode){
+ *
+ * @returns The return code, SSH_ERROR a error occured.
+ */
+-int ssh_scp_response(ssh_scp scp, char **response){
+- unsigned char code;
+- int r;
+- char msg[128];
+- if(scp==NULL)
+- return SSH_ERROR;
+- r=ssh_channel_read(scp->channel,&code,1,0);
+- if(r == SSH_ERROR)
+- return SSH_ERROR;
+- if(code == 0)
+- return 0;
+- if(code > 2){
+- ssh_set_error(scp->session,SSH_FATAL, "SCP: invalid status code %ud received", code);
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- r=ssh_scp_read_string(scp,msg,sizeof(msg));
+- if(r==SSH_ERROR)
+- return r;
+- /* Warning */
+- if(code == 1){
+- ssh_set_error(scp->session,SSH_REQUEST_DENIED, "SCP: Warning: status code 1 received: %s", msg);
+- SSH_LOG(SSH_LOG_RARE,"SCP: Warning: status code 1 received: %s", msg);
+- if(response)
+- *response=strdup(msg);
+- return 1;
+- }
+- if(code == 2){
+- ssh_set_error(scp->session,SSH_FATAL, "SCP: Error: status code 2 received: %s", msg);
+- if(response)
+- *response=strdup(msg);
+- return 2;
+- }
+- /* Not reached */
+- return SSH_ERROR;
++int ssh_scp_response(ssh_scp scp, char **response)
++{
++ unsigned char code;
++ int rc;
++ char msg[128] = {0};
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ rc = ssh_channel_read(scp->channel, &code, 1, 0);
++ if (rc == SSH_ERROR) {
++ return SSH_ERROR;
++ }
++
++ if (code == 0) {
++ return 0;
++ }
++
++ if (code > 2) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "SCP: invalid status code %ud received", code);
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ rc = ssh_scp_read_string(scp, msg, sizeof(msg));
++ if (rc == SSH_ERROR) {
++ return rc;
++ }
++
++ /* Warning */
++ if (code == 1) {
++ ssh_set_error(scp->session, SSH_REQUEST_DENIED,
++ "SCP: Warning: status code 1 received: %s", msg);
++ SSH_LOG(SSH_LOG_RARE,
++ "SCP: Warning: status code 1 received: %s", msg);
++ if (response) {
++ *response = strdup(msg);
++ }
++ return 1;
++ }
++
++ if (code == 2) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "SCP: Error: status code 2 received: %s", msg);
++ if (response) {
++ *response = strdup(msg);
++ }
++ return 2;
++ }
++
++ /* Not reached */
++ return SSH_ERROR;
+ }
+
+ /**
+@@ -434,57 +545,72 @@ int ssh_scp_response(ssh_scp scp, char **response){
+ * @returns SSH_OK if the write was successful, SSH_ERROR an error
+ * occured while writing.
+ */
+-int ssh_scp_write(ssh_scp scp, const void *buffer, size_t len){
+- int w;
+- int r;
+- uint8_t code;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state != SSH_SCP_WRITE_WRITING){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_write called under invalid state");
+- return SSH_ERROR;
+- }
+- if(scp->processed + len > scp->filelen)
+- len = (size_t) (scp->filelen - scp->processed);
+- /* hack to avoid waiting for window change */
+- r = ssh_channel_poll(scp->channel, 0);
+- if (r == SSH_ERROR) {
+- scp->state = SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- w=ssh_channel_write(scp->channel,buffer,len);
+- if(w != SSH_ERROR)
+- scp->processed += w;
+- else {
+- scp->state=SSH_SCP_ERROR;
+- //return=channel_get_exit_status(scp->channel);
+- return SSH_ERROR;
+- }
+- /* Far end sometimes send a status message, which we need to read
+- * and handle */
+- r = ssh_channel_poll(scp->channel,0);
+- if(r > 0){
+- r = ssh_channel_read(scp->channel, &code, 1, 0);
+- if(r == SSH_ERROR){
+- return SSH_ERROR;
+- }
+- if(code == 1 || code == 2){
+- ssh_set_error(scp->session,SSH_REQUEST_DENIED, "SCP: Error: status code %i received", code);
+- return SSH_ERROR;
+- }
+- }
+- /* Check if we arrived at end of file */
+- if(scp->processed == scp->filelen) {
+- code = 0;
+- w = ssh_channel_write(scp->channel, &code, 1);
+- if(w == SSH_ERROR){
+- scp->state = SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- scp->processed=scp->filelen=0;
+- scp->state=SSH_SCP_WRITE_INITED;
+- }
+- return SSH_OK;
++int ssh_scp_write(ssh_scp scp, const void *buffer, size_t len)
++{
++ int w;
++ int rc;
++ uint8_t code;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state != SSH_SCP_WRITE_WRITING) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_write called under invalid state");
++ return SSH_ERROR;
++ }
++
++ if (scp->processed + len > scp->filelen) {
++ len = (size_t) (scp->filelen - scp->processed);
++ }
++
++ /* hack to avoid waiting for window change */
++ rc = ssh_channel_poll(scp->channel, 0);
++ if (rc == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ w = ssh_channel_write(scp->channel, buffer, len);
++ if (w != SSH_ERROR) {
++ scp->processed += w;
++ } else {
++ scp->state = SSH_SCP_ERROR;
++ //return = channel_get_exit_status(scp->channel);
++ return SSH_ERROR;
++ }
++
++ /* Far end sometimes send a status message, which we need to read
++ * and handle */
++ rc = ssh_channel_poll(scp->channel, 0);
++ if (rc > 0) {
++ rc = ssh_channel_read(scp->channel, &code, 1, 0);
++ if (rc == SSH_ERROR) {
++ return SSH_ERROR;
++ }
++
++ if (code == 1 || code == 2) {
++ ssh_set_error(scp->session, SSH_REQUEST_DENIED,
++ "SCP: Error: status code %i received", code);
++ return SSH_ERROR;
++ }
++ }
++
++ /* Check if we arrived at end of file */
++ if (scp->processed == scp->filelen) {
++ code = 0;
++ w = ssh_channel_write(scp->channel, &code, 1);
++ if (w == SSH_ERROR) {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ scp->processed = scp->filelen = 0;
++ scp->state = SSH_SCP_WRITE_INITED;
++ }
++
++ return SSH_OK;
+ }
+
+ /**
+@@ -501,27 +627,36 @@ int ssh_scp_write(ssh_scp scp, const void *buffer, size_t len){
+ * @returns SSH_OK if the string was read, SSH_ERROR if an error
+ * occured while reading.
+ */
+-int ssh_scp_read_string(ssh_scp scp, char *buffer, size_t len){
+- size_t r=0;
+- int err=SSH_OK;
+- if(scp==NULL)
+- return SSH_ERROR;
+- while(r<len-1){
+- err=ssh_channel_read(scp->channel,&buffer[r],1,0);
+- if(err==SSH_ERROR){
+- break;
+- }
+- if(err==0){
+- ssh_set_error(scp->session,SSH_FATAL,"End of file while reading string");
+- err=SSH_ERROR;
+- break;
+- }
+- r++;
+- if(buffer[r-1] == '\n')
+- break;
+- }
+- buffer[r]=0;
+- return err;
++int ssh_scp_read_string(ssh_scp scp, char *buffer, size_t len)
++{
++ size_t read = 0;
++ int err = SSH_OK;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ while (read < len - 1) {
++ err = ssh_channel_read(scp->channel, &buffer[read], 1, 0);
++ if (err == SSH_ERROR) {
++ break;
++ }
++
++ if (err == 0) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "End of file while reading string");
++ err = SSH_ERROR;
++ break;
++ }
++
++ read++;
++ if (buffer[read - 1] == '\n') {
++ break;
++ }
++ }
++
++ buffer[read] = 0;
++ return err;
+ }
+
+ /**
+@@ -544,90 +679,105 @@ int ssh_scp_read_string(ssh_scp scp, char *buffer, size_t len){
+ * @see ssh_scp_accept_request()
+ * @see ssh_scp_request_get_warning()
+ */
+-int ssh_scp_pull_request(ssh_scp scp){
+- char buffer[MAX_BUF_SIZE] = {0};
+- char *mode=NULL;
+- char *p,*tmp;
+- uint64_t size;
+- char *name=NULL;
+- int err;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state != SSH_SCP_READ_INITED){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_pull_request called under invalid state");
+- return SSH_ERROR;
+- }
+- err=ssh_scp_read_string(scp,buffer,sizeof(buffer));
+- if(err==SSH_ERROR){
+- if(ssh_channel_is_eof(scp->channel)){
+- scp->state=SSH_SCP_TERMINATED;
+- return SSH_SCP_REQUEST_EOF;
+- }
+- return err;
+- }
+- p=strchr(buffer,'\n');
+- if(p!=NULL)
+- *p='\0';
+- SSH_LOG(SSH_LOG_PROTOCOL,"Received SCP request: '%s'",buffer);
+- switch(buffer[0]){
++int ssh_scp_pull_request(ssh_scp scp)
++{
++ char buffer[MAX_BUF_SIZE] = {0};
++ char *mode = NULL;
++ char *p, *tmp;
++ uint64_t size;
++ char *name = NULL;
++ int rc;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state != SSH_SCP_READ_INITED) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_pull_request called under invalid state");
++ return SSH_ERROR;
++ }
++
++ rc = ssh_scp_read_string(scp, buffer, sizeof(buffer));
++ if (rc == SSH_ERROR) {
++ if (ssh_channel_is_eof(scp->channel)) {
++ scp->state = SSH_SCP_TERMINATED;
++ return SSH_SCP_REQUEST_EOF;
++ }
++ return rc;
++ }
++
++ p = strchr(buffer, '\n');
++ if (p != NULL) {
++ *p = '\0';
++ }
++
++ SSH_LOG(SSH_LOG_PROTOCOL, "Received SCP request: '%s'", buffer);
++ switch(buffer[0]) {
+ case 'C':
+- /* File */
++ /* File */
+ case 'D':
+- /* Directory */
+- p=strchr(buffer,' ');
+- if(p==NULL)
+- goto error;
+- *p='\0';
+- p++;
+- //mode=strdup(&buffer[1]);
+- scp->request_mode=ssh_scp_integer_mode(&buffer[1]);
+- tmp=p;
+- p=strchr(p,' ');
+- if(p==NULL)
+- goto error;
+- *p=0;
+- size = strtoull(tmp,NULL,10);
+- p++;
+- name=strdup(p);
+- SAFE_FREE(scp->request_name);
+- scp->request_name=name;
+- if(buffer[0]=='C'){
+- scp->filelen=size;
+- scp->request_type=SSH_SCP_REQUEST_NEWFILE;
+- } else {
+- scp->filelen='0';
+- scp->request_type=SSH_SCP_REQUEST_NEWDIR;
+- }
+- scp->state=SSH_SCP_READ_REQUESTED;
+- scp->processed = 0;
+- return scp->request_type;
+- break;
++ /* Directory */
++ p = strchr(buffer, ' ');
++ if (p == NULL) {
++ goto error;
++ }
++ *p = '\0';
++ p++;
++ //mode = strdup(&buffer[1]);
++ scp->request_mode = ssh_scp_integer_mode(&buffer[1]);
++ tmp = p;
++ p = strchr(p, ' ');
++ if (p == NULL) {
++ goto error;
++ }
++ *p = 0;
++ size = strtoull(tmp, NULL, 10);
++ p++;
++ name = strdup(p);
++ SAFE_FREE(scp->request_name);
++ scp->request_name = name;
++ if (buffer[0] == 'C') {
++ scp->filelen = size;
++ scp->request_type = SSH_SCP_REQUEST_NEWFILE;
++ } else {
++ scp->filelen = '0';
++ scp->request_type = SSH_SCP_REQUEST_NEWDIR;
++ }
++ scp->state = SSH_SCP_READ_REQUESTED;
++ scp->processed = 0;
++ return scp->request_type;
++ break;
+ case 'E':
+- scp->request_type=SSH_SCP_REQUEST_ENDDIR;
+- ssh_channel_write(scp->channel,"",1);
+- return scp->request_type;
++ scp->request_type = SSH_SCP_REQUEST_ENDDIR;
++ ssh_channel_write(scp->channel, "", 1);
++ return scp->request_type;
+ case 0x1:
+- ssh_set_error(scp->session,SSH_REQUEST_DENIED,"SCP: Warning: %s",&buffer[1]);
+- scp->request_type=SSH_SCP_REQUEST_WARNING;
+- SAFE_FREE(scp->warning);
+- scp->warning=strdup(&buffer[1]);
+- return scp->request_type;
++ ssh_set_error(scp->session, SSH_REQUEST_DENIED,
++ "SCP: Warning: %s", &buffer[1]);
++ scp->request_type = SSH_SCP_REQUEST_WARNING;
++ SAFE_FREE(scp->warning);
++ scp->warning = strdup(&buffer[1]);
++ return scp->request_type;
+ case 0x2:
+- ssh_set_error(scp->session,SSH_FATAL,"SCP: Error: %s",&buffer[1]);
+- return SSH_ERROR;
++ ssh_set_error(scp->session, SSH_FATAL,
++ "SCP: Error: %s", &buffer[1]);
++ return SSH_ERROR;
+ case 'T':
+- /* Timestamp */
++ /* Timestamp */
+ default:
+- ssh_set_error(scp->session,SSH_FATAL,"Unhandled message: (%d)%s",buffer[0],buffer);
+- return SSH_ERROR;
+- }
+-
+- /* a parsing error occured */
+- error:
+- SAFE_FREE(name);
+- SAFE_FREE(mode);
+- ssh_set_error(scp->session,SSH_FATAL,"Parsing error while parsing message: %s",buffer);
+- return SSH_ERROR;
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Unhandled message: (%d)%s", buffer[0], buffer);
++ return SSH_ERROR;
++ }
++
++ /* a parsing error occured */
++error:
++ SAFE_FREE(name);
++ SAFE_FREE(mode);
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Parsing error while parsing message: %s", buffer);
++ return SSH_ERROR;
+ }
+
+ /**
+@@ -641,24 +791,31 @@ int ssh_scp_pull_request(ssh_scp scp){
+ * @returns SSH_OK if the message was sent, SSH_ERROR if the sending
+ * the message failed, or sending it in a bad state.
+ */
+-int ssh_scp_deny_request(ssh_scp scp, const char *reason){
+- char buffer[MAX_BUF_SIZE];
+- int err;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state != SSH_SCP_READ_REQUESTED){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_deny_request called under invalid state");
+- return SSH_ERROR;
+- }
+- snprintf(buffer,sizeof(buffer),"%c%s\n",2,reason);
+- err=ssh_channel_write(scp->channel,buffer,strlen(buffer));
+- if(err==SSH_ERROR) {
+- return SSH_ERROR;
+- }
+- else {
+- scp->state=SSH_SCP_READ_INITED;
+- return SSH_OK;
+- }
++int ssh_scp_deny_request(ssh_scp scp, const char *reason)
++{
++ char buffer[MAX_BUF_SIZE] = {0};
++ int rc;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state != SSH_SCP_READ_REQUESTED) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_deny_request called under invalid state");
++ return SSH_ERROR;
++ }
++
++ snprintf(buffer, sizeof(buffer), "%c%s\n", 2, reason);
++ rc = ssh_channel_write(scp->channel, buffer, strlen(buffer));
++ if (rc == SSH_ERROR) {
++ return SSH_ERROR;
++ }
++
++ else {
++ scp->state = SSH_SCP_READ_INITED;
++ return SSH_OK;
++ }
+ }
+
+ /**
+@@ -670,24 +827,32 @@ int ssh_scp_deny_request(ssh_scp scp, const char *reason){
+ * @returns SSH_OK if the message was sent, SSH_ERROR if sending the
+ * message failed, or sending it in a bad state.
+ */
+-int ssh_scp_accept_request(ssh_scp scp){
+- char buffer[]={0x00};
+- int err;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state != SSH_SCP_READ_REQUESTED){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_deny_request called under invalid state");
+- return SSH_ERROR;
+- }
+- err=ssh_channel_write(scp->channel,buffer,1);
+- if(err==SSH_ERROR) {
+- return SSH_ERROR;
+- }
+- if(scp->request_type==SSH_SCP_REQUEST_NEWFILE)
+- scp->state=SSH_SCP_READ_READING;
+- else
+- scp->state=SSH_SCP_READ_INITED;
+- return SSH_OK;
++int ssh_scp_accept_request(ssh_scp scp)
++{
++ char buffer[] = {0x00};
++ int rc;
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state != SSH_SCP_READ_REQUESTED) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_deny_request called under invalid state");
++ return SSH_ERROR;
++ }
++
++ rc = ssh_channel_write(scp->channel, buffer, 1);
++ if (rc == SSH_ERROR) {
++ return SSH_ERROR;
++ }
++
++ if (scp->request_type == SSH_SCP_REQUEST_NEWFILE) {
++ scp->state = SSH_SCP_READ_READING;
++ } else {
++ scp->state = SSH_SCP_READ_INITED;
++ }
++
++ return SSH_OK;
+ }
+
+ /** @brief Read from a remote scp file
+@@ -700,48 +865,64 @@ int ssh_scp_accept_request(ssh_scp scp){
+ * @returns The nNumber of bytes read, SSH_ERROR if an error occured
+ * while reading.
+ */
+-int ssh_scp_read(ssh_scp scp, void *buffer, size_t size){
+- int r;
+- int code;
+- if(scp==NULL)
+- return SSH_ERROR;
+- if(scp->state == SSH_SCP_READ_REQUESTED && scp->request_type == SSH_SCP_REQUEST_NEWFILE){
+- r=ssh_scp_accept_request(scp);
+- if(r==SSH_ERROR)
+- return r;
+- }
+- if(scp->state != SSH_SCP_READ_READING){
+- ssh_set_error(scp->session,SSH_FATAL,"ssh_scp_read called under invalid state");
+- return SSH_ERROR;
+- }
+- if(scp->processed + size > scp->filelen)
+- size = (size_t) (scp->filelen - scp->processed);
+- if(size > 65536)
+- size=65536; /* avoid too large reads */
+- r=ssh_channel_read(scp->channel,buffer,size,0);
+- if(r != SSH_ERROR)
+- scp->processed += r;
+- else {
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- /* Check if we arrived at end of file */
+- if(scp->processed == scp->filelen) {
+- scp->processed=scp->filelen=0;
+- ssh_channel_write(scp->channel,"",1);
+- code=ssh_scp_response(scp,NULL);
+- if(code == 0){
+- scp->state=SSH_SCP_READ_INITED;
+- return r;
+- }
+- if(code==1){
+- scp->state=SSH_SCP_READ_INITED;
+- return SSH_ERROR;
+- }
+- scp->state=SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+- return r;
++int ssh_scp_read(ssh_scp scp, void *buffer, size_t size)
++{
++ int rc;
++ int code;
++
++ if (scp == NULL) {
++ return SSH_ERROR;
++ }
++
++ if (scp->state == SSH_SCP_READ_REQUESTED &&
++ scp->request_type == SSH_SCP_REQUEST_NEWFILE)
++ {
++ rc = ssh_scp_accept_request(scp);
++ if (rc == SSH_ERROR) {
++ return rc;
++ }
++ }
++
++ if (scp->state != SSH_SCP_READ_READING) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "ssh_scp_read called under invalid state");
++ return SSH_ERROR;
++ }
++
++ if (scp->processed + size > scp->filelen) {
++ size = (size_t) (scp->filelen - scp->processed);
++ }
++
++ if (size > 65536) {
++ size = 65536; /* avoid too large reads */
++ }
++
++ rc = ssh_channel_read(scp->channel, buffer, size, 0);
++ if (rc != SSH_ERROR) {
++ scp->processed += rc;
++ } else {
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ /* Check if we arrived at end of file */
++ if (scp->processed == scp->filelen) {
++ scp->processed = scp->filelen = 0;
++ ssh_channel_write(scp->channel, "", 1);
++ code = ssh_scp_response(scp, NULL);
++ if (code == 0) {
++ scp->state = SSH_SCP_READ_INITED;
++ return rc;
++ }
++ if (code == 1) {
++ scp->state = SSH_SCP_READ_INITED;
++ return SSH_ERROR;
++ }
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ return rc;
+ }
+
+ /**
+@@ -751,10 +932,13 @@ int ssh_scp_read(ssh_scp scp, void *buffer, size_t size){
+ * @returns The file name, NULL on error. The string should not be
+ * freed.
+ */
+-const char *ssh_scp_request_get_filename(ssh_scp scp){
+- if(scp==NULL)
+- return NULL;
+- return scp->request_name;
++const char *ssh_scp_request_get_filename(ssh_scp scp)
++{
++ if (scp == NULL) {
++ return NULL;
++ }
++
++ return scp->request_name;
+ }
+
+ /**
+@@ -763,10 +947,13 @@ const char *ssh_scp_request_get_filename(ssh_scp scp){
+ *
+ * @returns The UNIX permission, e.g 0644, -1 on error.
+ */
+-int ssh_scp_request_get_permissions(ssh_scp scp){
+- if(scp==NULL)
+- return -1;
+- return scp->request_mode;
++int ssh_scp_request_get_permissions(ssh_scp scp)
++{
++ if (scp == NULL) {
++ return -1;
++ }
++
++ return scp->request_mode;
+ }
+
+ /** @brief Get the size of the file being pushed from the other party.
+@@ -776,20 +963,24 @@ int ssh_scp_request_get_permissions(ssh_scp scp){
+ * be truncated.
+ * @see ssh_scp_request_get_size64()
+ */
+-size_t ssh_scp_request_get_size(ssh_scp scp){
+- if(scp==NULL)
+- return 0;
+- return (size_t)scp->filelen;
++size_t ssh_scp_request_get_size(ssh_scp scp)
++{
++ if (scp == NULL) {
++ return 0;
++ }
++ return (size_t)scp->filelen;
+ }
+
+ /** @brief Get the size of the file being pushed from the other party.
+ *
+ * @returns The numeric size of the file being read.
+ */
+-uint64_t ssh_scp_request_get_size64(ssh_scp scp){
+- if(scp==NULL)
+- return 0;
+- return scp->filelen;
++uint64_t ssh_scp_request_get_size64(ssh_scp scp)
++{
++ if (scp == NULL) {
++ return 0;
++ }
++ return scp->filelen;
+ }
+
+ /**
+@@ -799,9 +990,10 @@ uint64_t ssh_scp_request_get_size64(ssh_scp scp){
+ *
+ * @returns An integer value, e.g. 420 for "0644".
+ */
+-int ssh_scp_integer_mode(const char *mode){
+- int value=strtoul(mode,NULL,8) & 0xffff;
+- return value;
++int ssh_scp_integer_mode(const char *mode)
++{
++ int value = strtoul(mode, NULL, 8) & 0xffff;
++ return value;
+ }
+
+ /**
+@@ -812,10 +1004,11 @@ int ssh_scp_integer_mode(const char *mode){
+ * @returns A pointer to a malloc'ed string containing the scp mode,
+ * e.g. "0644".
+ */
+-char *ssh_scp_string_mode(int mode){
+- char buffer[16];
+- snprintf(buffer,sizeof(buffer),"%.4o",mode);
+- return strdup(buffer);
++char *ssh_scp_string_mode(int mode)
++{
++ char buffer[16] = {0};
++ snprintf(buffer, sizeof(buffer), "%.4o", mode);
++ return strdup(buffer);
+ }
+
+ /**
+@@ -826,10 +1019,13 @@ char *ssh_scp_string_mode(int mode){
+ * @returns A warning string, or NULL on error. The string should
+ * not be freed.
+ */
+-const char *ssh_scp_request_get_warning(ssh_scp scp){
+- if(scp==NULL)
+- return NULL;
+- return scp->warning;
++const char *ssh_scp_request_get_warning(ssh_scp scp)
++{
++ if (scp == NULL) {
++ return NULL;
++ }
++
++ return scp->warning;
+ }
+
+ /** @} */
+--
+cgit v1.2.1
+
+From 82c375b7c99141a5495e62060e0b7f9c97981e7e Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Fri, 25 Oct 2019 13:24:28 +0200
+Subject: CVE-2019-14889: scp: Log SCP warnings received from the server
+
+Fixes T181
+
+Previously, warnings received from the server were ignored. With this
+change the warning message sent by the server will be logged.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit c75d417d06867fd792b788e6281334621c2cd335)
+---
+ src/scp.c | 75 ++++++++++-----------------------------------------------------
+ 1 file changed, 11 insertions(+), 64 deletions(-)
+
+diff --git a/src/scp.c b/src/scp.c
+index 5de0e6ff..166f3d2f 100644
+--- a/src/scp.c
++++ b/src/scp.c
+@@ -113,7 +113,6 @@ int ssh_scp_init(ssh_scp scp)
+ {
+ int rc;
+ char execbuffer[1024] = {0};
+- uint8_t code;
+
+ if (scp == NULL) {
+ return SSH_ERROR;
+@@ -157,19 +156,8 @@ int ssh_scp_init(ssh_scp scp)
+ }
+
+ if (scp->mode == SSH_SCP_WRITE) {
+- rc = ssh_channel_read(scp->channel, &code, 1, 0);
+- if (rc <= 0) {
+- ssh_set_error(scp->session, SSH_FATAL,
+- "Error reading status code: %s",
+- ssh_get_error(scp->session));
+- scp->state = SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+-
+- if (code != 0) {
+- ssh_set_error(scp->session, SSH_FATAL,
+- "scp status code %ud not valid", code);
+- scp->state = SSH_SCP_ERROR;
++ rc = ssh_scp_response(scp, NULL);
++ if (rc != 0) {
+ return SSH_ERROR;
+ }
+ } else {
+@@ -277,7 +265,6 @@ int ssh_scp_push_directory(ssh_scp scp, const char *dirname, int mode)
+ {
+ char buffer[1024] = {0};
+ int rc;
+- uint8_t code;
+ char *dir = NULL;
+ char *perms = NULL;
+
+@@ -303,19 +290,8 @@ int ssh_scp_push_directory(ssh_scp scp, const char *dirname, int mode)
+ return SSH_ERROR;
+ }
+
+- rc = ssh_channel_read(scp->channel, &code, 1, 0);
+- if (rc <= 0) {
+- ssh_set_error(scp->session, SSH_FATAL,
+- "Error reading status code: %s",
+- ssh_get_error(scp->session));
+- scp->state = SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+-
+- if (code != 0) {
+- ssh_set_error(scp->session, SSH_FATAL, "scp status code %ud not valid",
+- code);
+- scp->state = SSH_SCP_ERROR;
++ rc = ssh_scp_response(scp, NULL);
++ if (rc != 0) {
+ return SSH_ERROR;
+ }
+
+@@ -334,7 +310,6 @@ int ssh_scp_leave_directory(ssh_scp scp)
+ {
+ char buffer[] = "E\n";
+ int rc;
+- uint8_t code;
+
+ if (scp == NULL) {
+ return SSH_ERROR;
+@@ -352,18 +327,8 @@ int ssh_scp_leave_directory(ssh_scp scp)
+ return SSH_ERROR;
+ }
+
+- rc = ssh_channel_read(scp->channel, &code, 1, 0);
+- if (rc <= 0) {
+- ssh_set_error(scp->session, SSH_FATAL, "Error reading status code: %s",
+- ssh_get_error(scp->session));
+- scp->state = SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+-
+- if (code != 0) {
+- ssh_set_error(scp->session, SSH_FATAL, "scp status code %ud not valid",
+- code);
+- scp->state = SSH_SCP_ERROR;
++ rc = ssh_scp_response(scp, NULL);
++ if (rc != 0) {
+ return SSH_ERROR;
+ }
+
+@@ -395,7 +360,6 @@ int ssh_scp_push_file64(ssh_scp scp, const char *filename, uint64_t size,
+ int rc;
+ char *file = NULL;
+ char *perms = NULL;
+- uint8_t code;
+
+ if (scp == NULL) {
+ return SSH_ERROR;
+@@ -422,19 +386,8 @@ int ssh_scp_push_file64(ssh_scp scp, const char *filename, uint64_t size,
+ return SSH_ERROR;
+ }
+
+- rc = ssh_channel_read(scp->channel, &code, 1, 0);
+- if (rc <= 0) {
+- ssh_set_error(scp->session, SSH_FATAL,
+- "Error reading status code: %s",
+- ssh_get_error(scp->session));
+- scp->state = SSH_SCP_ERROR;
+- return SSH_ERROR;
+- }
+-
+- if (code != 0) {
+- ssh_set_error(scp->session, SSH_FATAL,
+- "scp status code %ud not valid", code);
+- scp->state = SSH_SCP_ERROR;
++ rc = ssh_scp_response(scp, NULL);
++ if (rc != 0) {
+ return SSH_ERROR;
+ }
+
+@@ -498,7 +451,7 @@ int ssh_scp_response(ssh_scp scp, char **response)
+
+ if (code > 2) {
+ ssh_set_error(scp->session, SSH_FATAL,
+- "SCP: invalid status code %ud received", code);
++ "SCP: invalid status code %u received", code);
+ scp->state = SSH_SCP_ERROR;
+ return SSH_ERROR;
+ }
+@@ -585,14 +538,8 @@ int ssh_scp_write(ssh_scp scp, const void *buffer, size_t len)
+ * and handle */
+ rc = ssh_channel_poll(scp->channel, 0);
+ if (rc > 0) {
+- rc = ssh_channel_read(scp->channel, &code, 1, 0);
+- if (rc == SSH_ERROR) {
+- return SSH_ERROR;
+- }
+-
+- if (code == 1 || code == 2) {
+- ssh_set_error(scp->session, SSH_REQUEST_DENIED,
+- "SCP: Error: status code %i received", code);
++ rc = ssh_scp_response(scp, NULL);
++ if (rc != 0) {
+ return SSH_ERROR;
+ }
+ }
+--
+cgit v1.2.1
+
+From 2ba1dea5493fb2f5a5be2dd263ce46ccb5f8ec76 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Tue, 22 Oct 2019 16:08:24 +0200
+Subject: CVE-2019-14889: misc: Add function to quote file names
+
+The added function quote file names strings to be used in a shell.
+Special cases are treated for the charactes '\'' and '!'.
+
+Fixes T181
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit c4ad1aba9860e02fe03ef3f58a047964e9e765fc)
+---
+ include/libssh/misc.h | 8 +++
+ src/misc.c | 184 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 192 insertions(+)
+
+diff --git a/include/libssh/misc.h b/include/libssh/misc.h
+index bc50cff8..0531d4f3 100644
+--- a/include/libssh/misc.h
++++ b/include/libssh/misc.h
+@@ -50,6 +50,12 @@ struct ssh_timestamp {
+ long useconds;
+ };
+
++enum ssh_quote_state_e {
++ NO_QUOTE,
++ SINGLE_QUOTE,
++ DOUBLE_QUOTE
++};
++
+ struct ssh_list *ssh_list_new(void);
+ void ssh_list_free(struct ssh_list *list);
+ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list);
+@@ -81,4 +87,6 @@ int ssh_timeout_update(struct ssh_timestamp *ts, int timeout);
+
+ int ssh_match_group(const char *group, const char *object);
+
++int ssh_quote_file_name(const char *file_name, char *buf, size_t buf_len);
++
+ #endif /* MISC_H_ */
+diff --git a/src/misc.c b/src/misc.c
+index 18c9745e..b042b46d 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -1108,4 +1108,188 @@ char *strndup(const char *s, size_t n)
+ }
+ #endif /* ! HAVE_STRNDUP */
+
++/**
++ * @internal
++ *
++ * @brief Quote file name to be used on shell.
++ *
++ * Try to put the given file name between single quotes. There are special
++ * cases:
++ *
++ * - When the '\'' char is found in the file name, it is double quoted
++ * - example:
++ * input: a'b
++ * output: 'a'"'"'b'
++ * - When the '!' char is found in the file name, it is replaced by an unquoted
++ * verbatim char "\!"
++ * - example:
++ * input: a!b
++ * output 'a'\!'b'
++ *
++ * @param[in] file_name File name string to be quoted before used on shell
++ * @param[out] buf Buffer to receive the final quoted file name. Must
++ * have room for the final quoted string. The maximum
++ * output length would be (3 * strlen(file_name) + 1)
++ * since in the worst case each character would be
++ * replaced by 3 characters, plus the terminating '\0'.
++ * @param[in] buf_len The size of the provided output buffer
++ *
++ * @returns SSH_ERROR on error; length of the resulting string not counting the
++ * string terminator '\0'
++ * */
++int ssh_quote_file_name(const char *file_name, char *buf, size_t buf_len)
++{
++ const char *src = NULL;
++ char *dst = NULL;
++ size_t required_buf_len;
++
++ enum ssh_quote_state_e state = NO_QUOTE;
++
++ if (file_name == NULL || buf == NULL || buf_len == 0) {
++ SSH_LOG(SSH_LOG_WARNING, "Invalid parameter");
++ return SSH_ERROR;
++ }
++
++ /* Only allow file names smaller than 32kb. */
++ if (strlen(file_name) > 32 * 1024) {
++ SSH_LOG(SSH_LOG_WARNING, "File name too long");
++ return SSH_ERROR;
++ }
++
++ /* Paranoia check */
++ required_buf_len = (size_t)3 * strlen(file_name) + 1;
++ if (required_buf_len > buf_len) {
++ SSH_LOG(SSH_LOG_WARNING, "Buffer too small");
++ return SSH_ERROR;
++ }
++
++ src = file_name;
++ dst = buf;
++
++ while ((*src != '\0')) {
++ switch (*src) {
++
++ /* The '\'' char is double quoted */
++
++ case '\'':
++ switch (state) {
++ case NO_QUOTE:
++ /* Start a new double quoted string. The '\'' char will be
++ * copied to the beginning of it at the end of the loop. */
++ *dst++ = '"';
++ break;
++ case SINGLE_QUOTE:
++ /* Close the current single quoted string and start a new double
++ * quoted string. The '\'' char will be copied to the beginning
++ * of it at the end of the loop. */
++ *dst++ = '\'';
++ *dst++ = '"';
++ break;
++ case DOUBLE_QUOTE:
++ /* If already in the double quoted string, keep copying the
++ * sequence of chars. */
++ break;
++ default:
++ /* Should never be reached */
++ goto error;
++ }
++
++ /* When the '\'' char is found, the resulting state will be
++ * DOUBLE_QUOTE in any case*/
++ state = DOUBLE_QUOTE;
++ break;
++
++ /* The '!' char is replaced by unquoted "\!" */
++
++ case '!':
++ switch (state) {
++ case NO_QUOTE:
++ /* The '!' char is interpreted in some shells (e.g. CSH) even
++ * when is quoted with single quotes. Replace it with unquoted
++ * "\!" which is correctly interpreted as the '!' character. */
++ *dst++ = '\\';
++ break;
++ case SINGLE_QUOTE:
++ /* Close the current quoted string and replace '!' for unquoted
++ * "\!" */
++ *dst++ = '\'';
++ *dst++ = '\\';
++ break;
++ case DOUBLE_QUOTE:
++ /* Close current quoted string and replace "!" for unquoted
++ * "\!" */
++ *dst++ = '"';
++ *dst++ = '\\';
++ break;
++ default:
++ /* Should never be reached */
++ goto error;
++ }
++
++ /* When the '!' char is found, the resulting state will be NO_QUOTE
++ * in any case*/
++ state = NO_QUOTE;
++ break;
++
++ /* Ordinary chars are single quoted */
++
++ default:
++ switch (state) {
++ case NO_QUOTE:
++ /* Start a new single quoted string */
++ *dst++ = '\'';
++ break;
++ case SINGLE_QUOTE:
++ /* If already in the single quoted string, keep copying the
++ * sequence of chars. */
++ break;
++ case DOUBLE_QUOTE:
++ /* Close current double quoted string and start a new single
++ * quoted string. */
++ *dst++ = '"';
++ *dst++ = '\'';
++ break;
++ default:
++ /* Should never be reached */
++ goto error;
++ }
++
++ /* When an ordinary char is found, the resulting state will be
++ * SINGLE_QUOTE in any case*/
++ state = SINGLE_QUOTE;
++ break;
++ }
++
++ /* Copy the current char to output */
++ *dst++ = *src++;
++ }
++
++ /* Close the quoted string when necessary */
++
++ switch (state) {
++ case NO_QUOTE:
++ /* No open string */
++ break;
++ case SINGLE_QUOTE:
++ /* Close current single quoted string */
++ *dst++ = '\'';
++ break;
++ case DOUBLE_QUOTE:
++ /* Close current double quoted string */
++ *dst++ = '"';
++ break;
++ default:
++ /* Should never be reached */
++ goto error;
++ }
++
++ /* Put the string terminator */
++ *dst = '\0';
++
++ return dst - buf;
++
++error:
++ return SSH_ERROR;
++}
++
+ /** @} */
+--
+cgit v1.2.1
+
+From 391c78de9d0f7baec3a44d86a76f4e1324eb9529 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Fri, 6 Dec 2019 09:40:30 +0100
+Subject: CVE-2019-14889: scp: Don't allow file path longer than 32kb
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+(cherry picked from commit 0b5ee397260b6e08dffa2c1ce515a153aaeda765)
+---
+ src/scp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/scp.c b/src/scp.c
+index 166f3d2f..4b00aa5f 100644
+--- a/src/scp.c
++++ b/src/scp.c
+@@ -80,6 +80,12 @@ ssh_scp ssh_scp_new(ssh_session session, int mode, const char *location)
+ goto error;
+ }
+
++ if (strlen(location) > 32 * 1024) {
++ ssh_set_error(session, SSH_FATAL,
++ "Location path is too long");
++ goto error;
++ }
++
+ scp->location = strdup(location);
+ if (scp->location == NULL) {
+ ssh_set_error(session, SSH_FATAL,
+--
+cgit v1.2.1
+
+From b0edec4e8d01ad73b0d26ad4070d7e1a1e86dfc8 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Thu, 31 Oct 2019 18:10:27 +0100
+Subject: CVE-2019-14889: scp: Quote location to be used on shell
+
+Single quote file paths to be used on commands to be executed on remote
+shell.
+
+Fixes T181
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 3830c7ae6eec751b7618d3fc159cb5bb3c8806a6)
+---
+ src/scp.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 56 insertions(+), 6 deletions(-)
+
+diff --git a/src/scp.c b/src/scp.c
+index 4b00aa5f..652551e3 100644
+--- a/src/scp.c
++++ b/src/scp.c
+@@ -29,6 +29,7 @@
+
+ #include "libssh/priv.h"
+ #include "libssh/scp.h"
++#include "libssh/misc.h"
+
+ /**
+ * @defgroup libssh_scp The SSH scp functions
+@@ -119,6 +120,9 @@ int ssh_scp_init(ssh_scp scp)
+ {
+ int rc;
+ char execbuffer[1024] = {0};
++ char *quoted_location = NULL;
++ size_t quoted_location_len = 0;
++ size_t scp_location_len;
+
+ if (scp == NULL) {
+ return SSH_ERROR;
+@@ -130,33 +134,79 @@ int ssh_scp_init(ssh_scp scp)
+ return SSH_ERROR;
+ }
+
+- SSH_LOG(SSH_LOG_PROTOCOL,
+- "Initializing scp session %s %son location '%s'",
++ if (scp->location == NULL) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Invalid scp context: location is NULL");
++ return SSH_ERROR;
++ }
++
++ SSH_LOG(SSH_LOG_PROTOCOL, "Initializing scp session %s %son location '%s'",
+ scp->mode == SSH_SCP_WRITE?"write":"read",
+- scp->recursive?"recursive ":"",
++ scp->recursive ? "recursive " : "",
+ scp->location);
+
+ scp->channel = ssh_channel_new(scp->session);
+ if (scp->channel == NULL) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Channel creation failed for scp");
+ scp->state = SSH_SCP_ERROR;
+ return SSH_ERROR;
+ }
+
+ rc = ssh_channel_open_session(scp->channel);
+ if (rc == SSH_ERROR) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Failed to open channel for scp");
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ /* In the worst case, each character would be replaced by 3 plus the string
++ * terminator '\0' */
++ scp_location_len = strlen(scp->location);
++ quoted_location_len = ((size_t)3 * scp_location_len) + 1;
++ /* Paranoia check */
++ if (quoted_location_len < scp_location_len) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Buffer overflow detected");
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ quoted_location = (char *)calloc(1, quoted_location_len);
++ if (quoted_location == NULL) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Failed to allocate memory for quoted location");
++ scp->state = SSH_SCP_ERROR;
++ return SSH_ERROR;
++ }
++
++ rc = ssh_quote_file_name(scp->location, quoted_location,
++ quoted_location_len);
++ if (rc <= 0) {
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Failed to single quote command location");
++ SAFE_FREE(quoted_location);
+ scp->state = SSH_SCP_ERROR;
+ return SSH_ERROR;
+ }
+
+ if (scp->mode == SSH_SCP_WRITE) {
+ snprintf(execbuffer, sizeof(execbuffer), "scp -t %s %s",
+- scp->recursive ? "-r":"", scp->location);
++ scp->recursive ? "-r" : "", quoted_location);
+ } else {
+ snprintf(execbuffer, sizeof(execbuffer), "scp -f %s %s",
+- scp->recursive ? "-r":"", scp->location);
++ scp->recursive ? "-r" : "", quoted_location);
+ }
+
+- if (ssh_channel_request_exec(scp->channel, execbuffer) == SSH_ERROR) {
++ SAFE_FREE(quoted_location);
++
++ SSH_LOG(SSH_LOG_DEBUG, "Executing command: %s", execbuffer);
++
++ rc = ssh_channel_request_exec(scp->channel, execbuffer);
++ if (rc == SSH_ERROR){
++ ssh_set_error(scp->session, SSH_FATAL,
++ "Failed executing command: %s", execbuffer);
+ scp->state = SSH_SCP_ERROR;
+ return SSH_ERROR;
+ }
+--
+cgit v1.2.1
+
diff --git a/main/libssh/CVE-2020-16135.patch b/main/libssh/CVE-2020-16135.patch
new file mode 100644
index 00000000000..a86f19e3f7a
--- /dev/null
+++ b/main/libssh/CVE-2020-16135.patch
@@ -0,0 +1,40 @@
+From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:04:09 +0200
+Subject: CVE-2020-16135: Add missing NULL check for ssh_buffer_new()
+
+Add a missing NULL check for the pointer returned by ssh_buffer_new() in
+sftpserver.c.
+
+Thanks to Ramin Farajpour Cami for spotting this.
+
+Fixes T232
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+(cherry picked from commit 533d881b0f4b24c72b35ecc97fa35d295d063e53)
+---
+ src/sftpserver.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 1717aa41..1af8a0e7 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -64,6 +64,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+
+ /* take a copy of the whole packet */
+ msg->complete_message = ssh_buffer_new();
++ if (msg->complete_message == NULL) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
++
+ ssh_buffer_add_data(msg->complete_message,
+ ssh_buffer_get(payload),
+ ssh_buffer_get_len(payload));
+--
+cgit v1.2.1
+
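Review bot: The `ssh_buffer_add_data()` call right after the new NULL check (the context lines that close the inner hunk) still has its return value discarded. A failed copy of the payload would leave `msg->complete_message` incomplete while `sftp_get_client_message` carries on. The error path this patch introduces fits there as well: wrap the call in `if (ssh_buffer_add_data(...) < 0) {` and reuse `ssh_set_error_oom(session); sftp_client_message_free(msg); return NULL;`. The function body continues outside the hunk, so a later check cannot be ruled out from here. It is worth confirming whether upstream has a follow-up change for this that belongs in the same patch file.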
diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD
index 064393dc799..7a08c0f4442 100644
--- a/main/libssh2/APKBUILD
+++ b/main/libssh2/APKBUILD
@@ -14,7 +14,7 @@ source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz
CVE-2019-17498.patch"
builddir="$srcdir"/libssh2-$pkgver
-# security fixes:
+# secfixes:
# 1.9.0-r1:
# - CVE-2019-17498
# 1.9.0-r0:
diff --git a/main/libuv/APKBUILD b/main/libuv/APKBUILD
index eb97e6616aa..e1d687a3038 100644
--- a/main/libuv/APKBUILD
+++ b/main/libuv/APKBUILD
@@ -2,7 +2,7 @@
# Conttributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libuv
-pkgver=1.23.2
+pkgver=1.25.0
pkgrel=0
pkgdesc="Cross-platform asychronous I/O"
url="https://libuv.org"
@@ -45,5 +45,5 @@ package() {
"$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
-sha512sums="8dd9053adad115ae6dd012bf1059aab87cea2adcd8d2f8061607929bf5b0c83b1898f5945325b0f3ace7cdd70b7cdc03f60d4b2f85495c34ca94b9dcf76b42fe libuv-v1.23.2.tar.gz
+sha512sums="ee120b3baf3f399319b6f21258c25f980a4961f80059b82537f1760faea70bbaf96a8ebdb66ba9552d7b4a3e2287eed8f0169829472d690b6338a0d8aaf9f521 libuv-v1.25.0.tar.gz
081b98efa33264d326d998f32600635efd5723de1d9836b99039c60168580c7f56a7ea9fdd138f41bb1aede11da70079cce4aa69ea5b954b7f9e4dcad53ba16a disable-setuid-test.patch"
diff --git a/main/libvirt/APKBUILD b/main/libvirt/APKBUILD
index 80674edae69..f6061835cf5 100644
--- a/main/libvirt/APKBUILD
+++ b/main/libvirt/APKBUILD
@@ -2,7 +2,7 @@
pkgname=libvirt
pkgver=5.5.0
_ver="${pkgver/_rc/-rc}"
-pkgrel=0
+pkgrel=2
pkgdesc="A virtualization API for several hypervisor and container systems"
url="http://libvirt.org/"
arch="all"
@@ -31,6 +31,8 @@ source="https://libvirt.org/sources/$pkgname-$pkgver.tar.xz
virtlockd.initd
musl-fix-includes.patch
musl-stderr.patch
+ CVE-2020-12430.patch
+ CVE-2019-20485.patch
"
if [ "$CARCH" = "x86_64" ]; then
@@ -42,8 +44,10 @@ subpackages="$subpackages $pkgname-common-drivers:_common_drivers"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
-# 4.10.0-r2:
-# - CVE-2019-3840
+# 5.5.0-r2:
+# - CVE-2019-20485
+# 5.5.0-r1:
+# - CVE-2020-12430
# 5.5.0-r0:
# - CVE-2019-10161
# - CVE-2019-10166
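Review bot: The secfixes block loses its `# 4.10.0-r2:` / `# - CVE-2019-3840` entry in the same hunk that adds the two new ones, and nothing visible explains why. These comments are the source the distribution's security database is generated from, so removing a historical entry changes what a scanner concludes about this branch. Unless the removal is deliberate and explained in the commit message, keep the two lines below the `5.5.0-r0` entry. The libvorbis hunk further down drops `# - CVE-2018-10393` from `1.3.5-r3` in the same way and deserves the same check.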
@@ -188,4 +192,6 @@ sha512sums="47923aaca605fb43a53238ac535abc1f88f73435336b8f3e88cb01df277ed205d99c
36b85f473d292be8df415256d01a562131d8ae61450ba3893658090a12d589ca32215382f56f286a830b4e59ffd98fbe1d92004f2ce14ca0834451b943cd8f2f virtlogd.initd
a4c4d26e4111931acbe7594451bf963a36c8db33c64b1bc447ab4758bb92803510bebee0511d6bc16ba80c289ab6f87e74377d47bf560412f9adb9c161a206d9 virtlockd.initd
dfe042c596028125bf8548115de2922683829c4716f6b0efb8efc38518670e3e848481661b9714bb0664c1022b87e8f3c0773611fe10187b0bc588e2336ada0c musl-fix-includes.patch
-a583c5981cda7fe2c17b5c7d4262399debea3e273124c43590cff029ce8d93868836ec1fe45d5776cd7ff26e31df577828e8541af56801a2b75eaa8f179cfc13 musl-stderr.patch"
+a583c5981cda7fe2c17b5c7d4262399debea3e273124c43590cff029ce8d93868836ec1fe45d5776cd7ff26e31df577828e8541af56801a2b75eaa8f179cfc13 musl-stderr.patch
+9f395a8be5c401b3e63f2a95154b2459ba4f9e5dffd0c9e0d96822f9e5b6b36c4b0b6e8e5de11fc280505d001ede0a196b477e60af95c6035daa7b29ca054d69 CVE-2020-12430.patch
+f38df9102e6ae0c05428990043aefee379f0e40b4f1d253a90f5897a41e6fdde7b60d013c776afc7be2f006c1d930228b369f54fe71b137e981da1af464f3ea0 CVE-2019-20485.patch"
diff --git a/main/libvirt/CVE-2019-20485.patch b/main/libvirt/CVE-2019-20485.patch
new file mode 100644
index 00000000000..69e1a285737
--- /dev/null
+++ b/main/libvirt/CVE-2019-20485.patch
@@ -0,0 +1,171 @@
+From a663a860819287e041c3de672aad1d8543098ecc Mon Sep 17 00:00:00 2001
+From: Jonathon Jongsma <jjongsma@redhat.com>
+Date: Thu, 5 Dec 2019 10:08:52 -0600
+Subject: [PATCH] qemu: don't hold both jobs for suspend
+
+We have to assume that the guest agent may be malicious so we don't want
+to allow any agent queries to block any other libvirt API. By holding a
+monitor job while we're querying the agent, we open ourselves up to a
+DoS.
+
+So split the function up a bit to only hold the monitor job while
+querying qemu for whether the domain supports suspend. Then acquire only
+an agent job while issuing the agent suspend command.
+
+Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_driver.c | 94 ++++++++++++++++++++++++++++++------------------
+ 1 files changed, 59 insertions(+), 35 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 2891faf..52cf27f 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -19759,6 +19759,59 @@ qemuDomainProbeQMPCurrentMachine(virQEMUDriverPtr driver,
+ }
+
+
++/* returns -1 on error, or if query is not supported, 0 if query was successful */
++static int
++qemuDomainQueryWakeupSuspendSupport(virQEMUDriverPtr driver,
++ virDomainObjPtr vm,
++ bool *wakeupSupported)
++{
++ qemuDomainObjPrivatePtr priv = vm->privateData;
++ int ret = -1;
++
++ if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE))
++ return -1;
++
++ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
++ return -1;
++
++ if ((ret = virDomainObjCheckActive(vm)) < 0)
++ goto endjob;
++
++ ret = qemuDomainProbeQMPCurrentMachine(driver, vm, wakeupSupported);
++
++ endjob:
++ qemuDomainObjEndJob(driver, vm);
++ return ret;
++}
++
++
++static int
++qemuDomainPMSuspendAgent(virQEMUDriverPtr driver,
++ virDomainObjPtr vm,
++ unsigned int target)
++{
++ qemuAgentPtr agent;
++ int ret = -1;
++
++ if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0)
++ return -1;
++
++ if ((ret = virDomainObjCheckActive(vm)) < 0)
++ goto endjob;
++
++ if (!qemuDomainAgentAvailable(vm, true))
++ goto endjob;
++
++ agent = qemuDomainObjEnterAgent(vm);
++ ret = qemuAgentSuspend(agent, target);
++ qemuDomainObjExitAgent(vm, agent);
++
++ endjob:
++ qemuDomainObjEndAgentJob(vm);
++ return ret;
++}
++
++
+ static int
+ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ unsigned int target,
+@@ -19766,11 +19819,9 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ unsigned int flags)
+ {
+ virQEMUDriverPtr driver = dom->conn->privateData;
+- qemuDomainObjPrivatePtr priv;
+ virDomainObjPtr vm;
+- qemuAgentPtr agent;
+- qemuDomainJob job = QEMU_JOB_NONE;
+ int ret = -1;
++ bool wakeupSupported;
+
+ virCheckFlags(0, -1);
+
+@@ -19795,17 +19846,6 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ if (virDomainPMSuspendForDurationEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
+- priv = vm->privateData;
+-
+- if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE))
+- job = QEMU_JOB_MODIFY;
+-
+- if (qemuDomainObjBeginJobWithAgent(driver, vm, job, QEMU_AGENT_JOB_MODIFY) < 0)
+- goto cleanup;
+-
+- if (virDomainObjCheckActive(vm) < 0)
+- goto endjob;
+-
+ /*
+ * The case we want to handle here is when QEMU has the API (i.e.
+ * QEMU_CAPS_QUERY_CURRENT_MACHINE is set). Otherwise, do not interfere
+@@ -19813,16 +19853,11 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ * that don't know about this cap, will keep their old behavior of
+ * suspending 'in the dark'.
+ */
+- if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE)) {
+- bool wakeupSupported;
+-
+- if (qemuDomainProbeQMPCurrentMachine(driver, vm, &wakeupSupported) < 0)
+- goto endjob;
+-
++ if (qemuDomainQueryWakeupSuspendSupport(driver, vm, &wakeupSupported) == 0) {
+ if (!wakeupSupported) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("Domain does not have suspend support"));
+- goto endjob;
++ goto cleanup;
+ }
+ }
+
+@@ -19832,29 +19867,18 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ target == VIR_NODE_SUSPEND_TARGET_HYBRID)) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("S3 state is disabled for this domain"));
+- goto endjob;
++ goto cleanup;
+ }
+
+ if (vm->def->pm.s4 == VIR_TRISTATE_BOOL_NO &&
+ target == VIR_NODE_SUSPEND_TARGET_DISK) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("S4 state is disabled for this domain"));
+- goto endjob;
++ goto cleanup;
+ }
+ }
+
+- if (!qemuDomainAgentAvailable(vm, true))
+- goto endjob;
+-
+- agent = qemuDomainObjEnterAgent(vm);
+- ret = qemuAgentSuspend(agent, target);
+- qemuDomainObjExitAgent(vm, agent);
+-
+- endjob:
+- if (job)
+- qemuDomainObjEndJobWithAgent(driver, vm);
+- else
+- qemuDomainObjEndAgentJob(vm);
++ ret = qemuDomainPMSuspendAgent(driver, vm, target);
+
+ cleanup:
+ virDomainObjEndAPI(&vm);
+--
+1.7.1
+
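Review bot: In the added `qemuDomainPMSuspendAgent`, the `goto endjob` taken when `qemuDomainAgentAvailable(vm, true)` fails returns whatever `virDomainObjCheckActive` stored in `ret`. On that path the value is non-negative (presumably 0), so an unavailable agent is reported to the caller as a successful suspend. Leaving `ret` at its initial -1 avoids this: `if (virDomainObjCheckActive(vm) < 0)` followed by `goto endjob;`. Separately, `qemuDomainQueryWakeupSuspendSupport` returns -1 both for a missing capability and for a failed job or probe, and `qemuDomainPMSuspendForDuration` only tests `== 0`. A real failure therefore falls through to the agent call where the removed code bailed out; a distinct return value for "query not supported" would keep the two cases apart.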
diff --git a/main/libvirt/CVE-2020-12430.patch b/main/libvirt/CVE-2020-12430.patch
new file mode 100644
index 00000000000..0d2b9e0f754
--- /dev/null
+++ b/main/libvirt/CVE-2020-12430.patch
@@ -0,0 +1,44 @@
+From 9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581 Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 19 Feb 2020 08:40:59 +0100
+Subject: [PATCH] qemuDomainGetStatsIOThread: Don't leak array with 0 iothreads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+qemuMonitorGetIOThreads returns a NULL-terminated list even when 0
+iothreads are present. The caller didn't perform cleanup if there were 0
+iothreads leaking the array.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1804548
+
+Fixes: d1eac92784573559b6fd56836e33b215c89308e3
+Reported-by: Jing Yan <jiyan@redhat.com>
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/qemu/qemu_driver.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index f686b85..39e1f04 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -21759,8 +21759,12 @@ qemuDomainGetStatsIOThread(virQEMUDriverPtr driver,
+ if ((niothreads = qemuDomainGetIOThreadsMon(driver, dom, &iothreads)) < 0)
+ return -1;
+
+- if (niothreads == 0)
+- return 0;
++ /* qemuDomainGetIOThreadsMon returns a NULL-terminated list, so we must free
++ * it even if it returns 0 */
++ if (niothreads == 0) {
++ ret = 0;
++ goto cleanup;
++ }
+
+ if (virTypedParamListAddUInt(params, niothreads, "iothread.count") < 0)
+ goto cleanup;
+--
+1.7.1
+
diff --git a/main/libvorbis/APKBUILD b/main/libvorbis/APKBUILD
index 390b4d840e2..09fa4810063 100644
--- a/main/libvorbis/APKBUILD
+++ b/main/libvorbis/APKBUILD
@@ -27,7 +27,6 @@ builddir="$srcdir/$pkgname-$pkgver"
# - CVE-2017-14633
# 1.3.5-r3:
# - CVE-2017-14160
-# - CVE-2018-10393
prepare() {
default_prepare
diff --git a/main/libx11/APKBUILD b/main/libx11/APKBUILD
index 827f32e2442..f00f435e69c 100644
--- a/main/libx11/APKBUILD
+++ b/main/libx11/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libx11
-pkgver=1.6.7
+pkgver=1.6.12
pkgrel=0
pkgdesc="X11 client-side library"
url="http://xorg.freedesktop.org/"
@@ -15,6 +15,10 @@ source="https://www.x.org/releases/individual/lib/libX11-$pkgver.tar.bz2"
builddir="$srcdir"/libX11-$pkgver
# secfixes:
+# 1.6.12-r0:
+# - CVE-2020-14363
+# 1.6.10-r0:
+# - CVE-2020-14344
# 1.6.6-r0:
# - CVE-2018-14598
# - CVE-2018-14599
@@ -44,4 +48,4 @@ package() {
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-sha512sums="edd2273b9dadbbf90ad8d7b5715db29eb120a5a22ad2595f697e56532cc24b84e358580c00548fa6be8e9d26601a2b2cdab32272c59266709534317abbd05cd5 libX11-1.6.7.tar.bz2"
+sha512sums="79df7d61d9009b0dd3b65f67a62189aa0a43799c01026b3d2d534092596a0b67f246af5e398a89eb1ccc61a27335f81be8262b8a39768a76f62d862cd7415a47 libX11-1.6.12.tar.bz2"
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index fa7361a4e05..0636a38dc4f 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.9.9
-pkgrel=1
+pkgrel=3
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -15,10 +15,16 @@ subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-utils
options="!strip"
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
fix-null-pointer-dereference.patch
+ CVE-2019-19956.patch
+ CVE-2020-24977.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.9.9-r3:
+# - CVE-2020-24977
+# 2.9.9-r2:
+# - CVE-2019-19956
# 2.9.8-r1:
# - CVE-2018-9251
# - CVE-2018-14404
@@ -110,4 +116,6 @@ utils() {
}
sha512sums="cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810 libxml2-2.9.9.tar.gz
-83074e582cdba8bedff40fc653731ad18ca357bde8f1420e2e8a2a38998b951aebcb73ca5d51859be3b4d9bc1a0308836ca2bb612269edbc61b9dd6ebc7fdb2a fix-null-pointer-dereference.patch"
+83074e582cdba8bedff40fc653731ad18ca357bde8f1420e2e8a2a38998b951aebcb73ca5d51859be3b4d9bc1a0308836ca2bb612269edbc61b9dd6ebc7fdb2a fix-null-pointer-dereference.patch
+0e03d0dcfae1e99e06c7a4c9a4d863a1518589e403d79665727883b27d7c0d7026b18e29b7c68df41138fbdffb88d977c5ef10ce2ffb96d1a6255304d89c2bb6 CVE-2019-19956.patch
+dfc6fa0232bd94635c66535734175c04e8b7461c216e1337da68d7c5dce36fc750f787f2ee08ef6d91521df55c45f4ae235f8f44bea697a7c734a3b62c9fab60 CVE-2020-24977.patch"
diff --git a/main/libxml2/CVE-2019-19956.patch b/main/libxml2/CVE-2019-19956.patch
new file mode 100644
index 00000000000..5bfb5d50648
--- /dev/null
+++ b/main/libxml2/CVE-2019-19956.patch
@@ -0,0 +1,33 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1ce1ccf1..26d9f4e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+ xmlFreeParserCtxt(ctxt);
+ newDoc->intSubset = NULL;
+ newDoc->extSubset = NULL;
+- newDoc->oldNs = NULL;
++ if(doc != NULL)
++ newDoc->oldNs = NULL;
+ xmlFreeDoc(newDoc);
+
+ return(ret);
+--
+2.24.1
+
diff --git a/main/libxml2/CVE-2020-24977.patch b/main/libxml2/CVE-2020-24977.patch
new file mode 100644
index 00000000000..cd348c2aa52
--- /dev/null
+++ b/main/libxml2/CVE-2020-24977.patch
@@ -0,0 +1,30 @@
+Found by OSS-Fuzz
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index ca381d3..dd9eac1 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -3628,6 +3628,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
+ minday = 0;
+ maxday = 0;
+ } else {
++ if (myear > LONG_MAX / 366)
++ return -2;
+ maxday = 366 * ((myear + 3) / 4) +
+ 365 * ((myear - 1) % 4);
+ minday = maxday - 1;
+@@ -4014,6 +4016,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
+ if ((x == NULL) || (y == NULL))
+ return -2;
+
++ if ((x->value.date.year > LONG_MAX / 366) ||
++ (x->value.date.year < LONG_MIN / 366) ||
++ (y->value.date.year > LONG_MAX / 366) ||
++ (y->value.date.year < LONG_MIN / 366)) {
++ /* Possible overflow when converting to days. */
++ return -2;
++ }
++
+ if (x->value.date.tz_flag) {
+
+ if (!y->value.date.tz_flag) {
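Review bot: This file is registered as the fix for CVE-2020-24977, but its two inner hunks only add year-range guards in `xmlSchemaCompareDurations` and `xmlSchemaCompareDates`. As far as I recall, the public record for that CVE describes an out-of-bounds read in `xmlEncodeEntitiesInternal` reached through xmllint, which nothing here touches; please confirm against the upstream fix. If the mapping is wrong, the `2.9.9-r3` secfixes entry in main/libxml2/APKBUILD marks the CVE as fixed while the affected code is unchanged. The patch also carries no provenance beyond `Found by OSS-Fuzz`. A header line such as `Upstream commit: <commit id>` (placeholder) would let the next reviewer verify what was backported.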
diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD
index a4e3616ae6e..1d5c6413e5a 100644
--- a/main/libxslt/APKBUILD
+++ b/main/libxslt/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
pkgname=libxslt
pkgver=1.1.33
-pkgrel=2
+pkgrel=3
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
arch="all"
@@ -12,10 +12,15 @@ subpackages="$pkgname-dev $pkgname-doc py2-$pkgname:py2"
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
CVE-2019-11068.patch
CVE-2019-18197.patch
+ CVE-2019-13117.patch
+ CVE-2019-13118.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.1.33-r3:
+# - CVE-2019-13117
+# - CVE-2019-13118
# 1.1.33-r2:
# - CVE-2019-18197
# 1.1.33-r1:
@@ -51,4 +56,6 @@ py2() {
sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0 libxslt-1.1.33.tar.gz
9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch
-ec0a7cd35f9078a3939ef6c695f183d9a0da5dd837d0a7f586b89a07c0c0782384501e4c1532b4d9ee7e94e717c37179f470bae59923d0074b309f09b5bf18fa CVE-2019-18197.patch"
+ec0a7cd35f9078a3939ef6c695f183d9a0da5dd837d0a7f586b89a07c0c0782384501e4c1532b4d9ee7e94e717c37179f470bae59923d0074b309f09b5bf18fa CVE-2019-18197.patch
+da6f4ddb5c698d2bfd03b7ee8d96001223759a142532e0a8cb77f66744575dcc02ecd0da5ce038b744e740f350060b73c596b9919df331d230d7c4d88a2b912a CVE-2019-13117.patch
+0e8912db00e3eefbcb9ee6494aff769cd0764b2e05741ec381ca8b7f72ef3cd4d6125acf086cf79c04ebdbd5a4eebc18815fd7e42653fdbcc7c0e079a3da6482 CVE-2019-13118.patch"
diff --git a/main/libxslt/CVE-2019-13117.patch b/main/libxslt/CVE-2019-13117.patch
new file mode 100644
index 00000000000..99466495d67
--- /dev/null
+++ b/main/libxslt/CVE-2019-13117.patch
@@ -0,0 +1,29 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ tokens->tokens[tokens->nTokens].token = val - 1;
+ ix += len;
+ val = xmlStringCurrentChar(NULL, format+ix, &len);
+- }
++ } else {
++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++ tokens->tokens[tokens->nTokens].width = 1;
++ }
+ } else if ( (val == (xmlChar)'A') ||
+ (val == (xmlChar)'a') ||
+ (val == (xmlChar)'I') ||
+--
+2.24.1
+
diff --git a/main/libxslt/CVE-2019-13118.patch b/main/libxslt/CVE-2019-13118.patch
new file mode 100644
index 00000000000..c597fe48b20
--- /dev/null
+++ b/main/libxslt/CVE-2019-13118.patch
@@ -0,0 +1,71 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++ int gchar;
+
+ len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+ format_info.group,
+- pchar, len);
++ gchar, len);
+ } else
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="⠢"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.24.1
+
diff --git a/main/linux-rpi/APKBUILD b/main/linux-rpi/APKBUILD
index ca0ce1c8fd0..ba34717c93d 100644
--- a/main/linux-rpi/APKBUILD
+++ b/main/linux-rpi/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=linux-rpi
-pkgver=4.19.52
+pkgver=4.19.98
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
@@ -284,8 +284,8 @@ _dev() {
}
sha512sums="ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4 linux-4.19.tar.xz
-b4908d348f18bfa694e8458639e94c85390fc60f9137b0721af59b1044815df156ea2ee76135911019db6ab2fdbd99e7b5107db57780d41a4bc97ba2a52a5525 patch-4.19.52.xz
-06983ff23100ab911a7e4d51db075e5c175b5c112989c4985da35ae6b1d4e1c7bb62af699dd28244f8108bfe1066feb7bf0145577374848fb634c9840d9cfbe8 rpi-4.19.52-alpine.patch
+5e87edc8475864f99018ccac64102f3000fdc7fcb6669d497ee1d9116334c53b82d7c1bea2411ef76d59961cb3a3882d75ff82c61c190a999b7a6be08ad41d06 patch-4.19.98.xz
+a1425c778cb02037203396bd282067c9534d4932850a709a27727daf67885e6f9c6812f21871a72406a80ae3e2de586783f276a50a00903637e68d661bbb5dc5 rpi-4.19.98-alpine.patch
501c91bf2538a18102da59bbccc3097f9c3c90079acc0e946ff075074160c09b8a66934e5ce5470e170f0e4f93d114709a95230367426d0bb7ea02c4bdf4cc9b issue-4973.patch
6c1c1c61ceb323eecb0e81e226af6b5b8fef7c8c075b1eb836639f465de5ef5d23648716c953d295250f8c6567546782956afe644573b84920a4f6902a1a0454 config-changes-rpi.armhf
6c1c1c61ceb323eecb0e81e226af6b5b8fef7c8c075b1eb836639f465de5ef5d23648716c953d295250f8c6567546782956afe644573b84920a4f6902a1a0454 config-changes-rpi.aarch64
diff --git a/main/linux-vanilla/APKBUILD b/main/linux-vanilla/APKBUILD
index 386198aa85e..5836d27727b 100644
--- a/main/linux-vanilla/APKBUILD
+++ b/main/linux-vanilla/APKBUILD
@@ -2,7 +2,7 @@
_flavor=vanilla
pkgname=linux-${_flavor}
-pkgver=4.19.52
+pkgver=4.19.118
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -22,7 +22,6 @@ source="https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver
config-vanilla.armv7
config-vanilla.x86
config-vanilla.x86_64
- config-vanilla.ppc
config-vanilla.ppc64le
config-vanilla.s390x
@@ -222,15 +221,14 @@ _dev() {
}
sha512sums="ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4 linux-4.19.tar.xz
-f70b11a82936b044f4d82f241554c974ab0bf17e8c205617a2c4739064556c1e70fa50b57885da21ae0d54c97f0f3abaa65f362b550e8e2cbd69ed0d8e39a36b config-vanilla.aarch64
-081322c29496bd741a8d185185898f3138c17ead22ccd57f46641c15eaaba2ad4c9ce25506cde1f1cc99e767f505424e46e2202d1e5f2776be7187b7d2b3190c config-vanilla.armhf
-081322c29496bd741a8d185185898f3138c17ead22ccd57f46641c15eaaba2ad4c9ce25506cde1f1cc99e767f505424e46e2202d1e5f2776be7187b7d2b3190c config-vanilla.armv7
-cd53837102090d1fe1f704f505dc7f7b0577bcbf52ee9b7e7c1fcbffb081066a4cd0cbfc1c54861d594460aabce1f6ab629e6e6885746e549b98bba2ed1663bc config-vanilla.x86
-28e69ddc61a2d0e373aaaf3a5c478b6727b21615cbca56bc948aec4bf2a69c46cf6aa290cae41c16de22512e8f48689bafd3413d4aa199f93ce7ad7f4c04deb8 config-vanilla.x86_64
-96651aca476c905c04d616565a2dd08066167c1d4887e2ddc86c4b7cdda44257ef633a9bcf745a91f00f88023dde8f1804c56b258e7e99232bb8bfa25d0ba4db config-vanilla.ppc
-502825e58e17eeff446bdd63d47ba610424f366f60676e0aa61f5216f531e1a836e19b3a97a9494c4c58dafa81c5379c2ab9b19bad9aa869261969dd97a1f6ee config-vanilla.ppc64le
-106806e81f78b25caaffd6302d78745b0b9a1bdbc80ab238b5574bed1f97e5bf2dba359ca20307cced14edb3c81accae4923b96da38096fcf2665a9d1c5e5af6 config-vanilla.s390x
-7757e4140eb3d8f1e70b37c73b6df99acbc0a1bbb4b6249c46a6e544997c2c8eb894468eaae8e14ba0a4a042f153222f51e60b4ef0fee2f3283b102c5dc9bd4f config-virt.aarch64
-eca355a7cb09310dc2302ee01d37c3f029a61368a236bf60a301b27c4339e4de11e4e7f398c9e103aa36706b27aa928c7652b5de1452118b4034aa6195dffce5 config-virt.x86
-2d144143e89c534151cf02ded520fd51867f7c1f81af33c685d8c99ee7b6c24406406008b84015e2e5db59d3a3f5a14485f839e24a7bdb3e16d3a7ada91cb3be config-virt.x86_64
-b4908d348f18bfa694e8458639e94c85390fc60f9137b0721af59b1044815df156ea2ee76135911019db6ab2fdbd99e7b5107db57780d41a4bc97ba2a52a5525 patch-4.19.52.xz"
+0e7f4cd857519d307b87dc3ef7860b8420e5c3da70e2814b648f3c5a298f56e9e5cede50f1223f441ebb7231e5f36eb2654c3be579335329daf1e74f7a4c941d config-vanilla.aarch64
+2b0b7cfff2ee6e0622e0113efcf379f9ecfe4dfd49e22a634cb2a8a094680b13974994c1b844deebd67d8bde3fd84414cb6f2cd3ad6a8808c11af4c898d1c6b2 config-vanilla.armhf
+2b0b7cfff2ee6e0622e0113efcf379f9ecfe4dfd49e22a634cb2a8a094680b13974994c1b844deebd67d8bde3fd84414cb6f2cd3ad6a8808c11af4c898d1c6b2 config-vanilla.armv7
+e04de3450d02245bd7f8eca6502e7c3d62bbab4f154a80c79d30dfbd996fccedfb050f6305bddc4ad7bf868eea5456bdbd578a4bd1ef73e96b4cd09347acf1b6 config-vanilla.x86
+0887328ce1d886e21774d895aa5e0abffd3ab070480fab1433d569954e74271052cdbff7db4e59722fbc3911f17db4acddf8757546235f8c1d941dc46f266cbd config-vanilla.x86_64
+107b4419c439aec04fffa466a9e33f58720ee4372ea75bc05b46653a6cdc815a2238c7e38c5f5382e36fb4080147e9ba8eb64bf918ab843ef51107fbf4d02056 config-vanilla.ppc64le
+c1c31f6d4b2d5cf710659a18fe6580e8546865ccc7b3d908a7a200a29e3024d4c05111ddfdc430d55bb8b153e7e3bd1a4fa7da1344dc390d3347db28e48273d7 config-vanilla.s390x
+bb73130a966f4d8bbb0e81c735b76ce6cca5fece05c95411bae95e044b82922528ff515328fff010f8e0b433c6f315bc36e968f93d3eb718f97a85d0debf4354 config-virt.aarch64
+7f6a4c3cb89b9582b90513860ada012e37d377dd4d5760ccaf57586af5c359c910c00dd7e7d9185bdcdf136e8e2c2c705218273f977e942bd2cc2792fdda55db config-virt.x86
+bb3ee3538228c80f6afc25610e565c3e580ad6640816a26b55527d9d694d59b120b9c3b1c28d6578b5d448a0f8bb44f34c8d5c21e61197c25e822b053e842a34 config-virt.x86_64
+55d9cf9dc2fe87ea0cb788a7c9abc71307be1b2420cd446e4281634c1fbb077510da2f067c12094f6c38c87bad26a39dd1d553e4afc9b73baa6a0ffa18eaafd2 patch-4.19.118.xz"
diff --git a/main/linux-vanilla/config-vanilla.aarch64 b/main/linux-vanilla/config-vanilla.aarch64
index 9aee6eba504..d2d6910d601 100644
--- a/main/linux-vanilla/config-vanilla.aarch64
+++ b/main/linux-vanilla/config-vanilla.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 4.19.50 Kernel Configuration
+# Linux/arm64 4.19.118 Kernel Configuration
#
#
@@ -563,6 +563,7 @@ CONFIG_ARM_SDE_INTERFACE=y
CONFIG_FIRMWARE_MEMMAP=y
CONFIG_DMIID=y
# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT is not set
CONFIG_RASPBERRYPI_FIRMWARE=m
CONFIG_FW_CFG_SYSFS=m
# CONFIG_FW_CFG_SYSFS_CMDLINE is not set
@@ -1804,6 +1805,7 @@ CONFIG_DEBUG_DEVRES=y
# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set
CONFIG_SYS_HYPERVISOR=y
CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
CONFIG_SOC_BUS=y
CONFIG_REGMAP=y
CONFIG_REGMAP_I2C=m
@@ -2552,6 +2554,7 @@ CONFIG_ACENIC=m
# CONFIG_ACENIC_OMIT_TIGON_I is not set
CONFIG_ALTERA_TSE=m
CONFIG_NET_VENDOR_AMAZON=y
+CONFIG_ENA_ETHERNET=m
CONFIG_NET_VENDOR_AMD=y
CONFIG_AMD8111_ETH=m
CONFIG_PCNET32=m
@@ -2837,7 +2840,7 @@ CONFIG_SWPHY=y
CONFIG_SFP=m
CONFIG_AMD_PHY=m
CONFIG_AQUANTIA_PHY=m
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
CONFIG_AT803X_PHY=m
CONFIG_BCM7XXX_PHY=m
CONFIG_BCM87XX_PHY=m
@@ -5191,10 +5194,10 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y
#
# Frame buffer Devices
#
-CONFIG_FB=y
-# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
+CONFIG_FB=y
+# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_DDC=m
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
@@ -5978,7 +5981,6 @@ CONFIG_USB_EMI62=m
CONFIG_USB_EMI26=m
CONFIG_USB_ADUTUX=m
CONFIG_USB_SEVSEG=m
-CONFIG_USB_RIO500=m
# CONFIG_USB_LEGOTOWER is not set
CONFIG_USB_LCD=m
CONFIG_USB_CYPRESS_CY7C63=m
diff --git a/main/linux-vanilla/config-vanilla.armhf b/main/linux-vanilla/config-vanilla.armhf
index 4d5da5e2ecc..62d7cc480a8 100644
--- a/main/linux-vanilla/config-vanilla.armhf
+++ b/main/linux-vanilla/config-vanilla.armhf
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 4.19.50 Kernel Configuration
+# Linux/arm 4.19.118 Kernel Configuration
#
#
@@ -2225,7 +2225,6 @@ CONFIG_MDIO_DEVICE=y
CONFIG_MDIO_BUS=y
CONFIG_MDIO_BCM_UNIMAC=m
CONFIG_MDIO_BITBANG=m
-CONFIG_MDIO_BUS_MUX=m
# CONFIG_MDIO_BUS_MUX_GPIO is not set
# CONFIG_MDIO_BUS_MUX_MMIOREG is not set
CONFIG_MDIO_GPIO=m
@@ -2241,7 +2240,7 @@ CONFIG_SWPHY=y
#
CONFIG_AMD_PHY=m
CONFIG_AQUANTIA_PHY=m
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
# CONFIG_AT803X_PHY is not set
CONFIG_BCM7XXX_PHY=m
CONFIG_BCM87XX_PHY=m
@@ -4104,10 +4103,10 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y
#
# Frame buffer Devices
#
-CONFIG_FB=y
-# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
+CONFIG_FB=y
+# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
@@ -4742,7 +4741,6 @@ CONFIG_USB_EMI62=m
CONFIG_USB_EMI26=m
CONFIG_USB_ADUTUX=m
CONFIG_USB_SEVSEG=m
-CONFIG_USB_RIO500=m
# CONFIG_USB_LEGOTOWER is not set
CONFIG_USB_LCD=m
CONFIG_USB_CYPRESS_CY7C63=m
@@ -5277,11 +5275,6 @@ CONFIG_REMOTEPROC=m
CONFIG_RPMSG=m
# CONFIG_RPMSG_CHAR is not set
CONFIG_RPMSG_VIRTIO=m
-CONFIG_SOUNDWIRE=y
-
-#
-# SoundWire Devices
-#
#
# SOC (System On Chip) specific Drivers
@@ -6252,7 +6245,6 @@ CONFIG_ARM_UNWIND=y
CONFIG_OLD_MCOUNT=y
# CONFIG_DEBUG_USER is not set
# CONFIG_DEBUG_LL is not set
-CONFIG_DEBUG_IMX_UART_PORT=1
CONFIG_DEBUG_LL_INCLUDE="mach/debug-macro.S"
CONFIG_UNCOMPRESS_INCLUDE="debug/uncompress.h"
# CONFIG_ARM_KPROBES_TEST is not set
diff --git a/main/linux-vanilla/config-vanilla.ppc b/main/linux-vanilla/config-vanilla.ppc
deleted file mode 100644
index 23720e922a4..00000000000
--- a/main/linux-vanilla/config-vanilla.ppc
+++ /dev/null
@@ -1,3731 +0,0 @@
-#
-# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 4.14.13 Kernel Configuration
-#
-# CONFIG_PPC64 is not set
-
-#
-# Processor support
-#
-CONFIG_PPC_BOOK3S_32=y
-# CONFIG_PPC_85xx is not set
-# CONFIG_PPC_8xx is not set
-# CONFIG_40x is not set
-# CONFIG_44x is not set
-# CONFIG_E200 is not set
-CONFIG_PPC_BOOK3S=y
-CONFIG_6xx=y
-CONFIG_PPC_FPU=y
-CONFIG_ALTIVEC=y
-CONFIG_PPC_STD_MMU=y
-CONFIG_PPC_STD_MMU_32=y
-# CONFIG_PPC_MM_SLICES is not set
-CONFIG_PPC_HAVE_PMU_SUPPORT=y
-CONFIG_PPC_PERF_CTRS=y
-# CONFIG_FORCE_SMP is not set
-# CONFIG_SMP is not set
-# CONFIG_PPC_DOORBELL is not set
-CONFIG_VDSO32=y
-CONFIG_CPU_BIG_ENDIAN=y
-CONFIG_PPC32=y
-CONFIG_32BIT=y
-# CONFIG_ARCH_PHYS_ADDR_T_64BIT is not set
-# CONFIG_ARCH_DMA_ADDR_T_64BIT is not set
-CONFIG_MMU=y
-CONFIG_ARCH_MMAP_RND_BITS_MAX=17
-CONFIG_ARCH_MMAP_RND_BITS_MIN=11
-CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=17
-CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=11
-# CONFIG_HAVE_SETUP_PER_CPU_AREA is not set
-# CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK is not set
-CONFIG_NR_IRQS=512
-CONFIG_STACKTRACE_SUPPORT=y
-CONFIG_TRACE_IRQFLAGS_SUPPORT=y
-CONFIG_LOCKDEP_SUPPORT=y
-CONFIG_RWSEM_XCHGADD_ALGORITHM=y
-CONFIG_GENERIC_HWEIGHT=y
-CONFIG_ARCH_HAS_DMA_SET_COHERENT_MASK=y
-CONFIG_PPC=y
-# CONFIG_GENERIC_CSUM is not set
-CONFIG_EARLY_PRINTK=y
-CONFIG_PANIC_TIMEOUT=180
-CONFIG_GENERIC_NVRAM=y
-CONFIG_SCHED_OMIT_FRAME_POINTER=y
-CONFIG_ARCH_MAY_HAVE_PC_FDC=y
-# CONFIG_PPC_UDBG_16550 is not set
-# CONFIG_GENERIC_TBSYNC is not set
-CONFIG_AUDIT_ARCH=y
-CONFIG_GENERIC_BUG=y
-CONFIG_SYS_SUPPORTS_APM_EMULATION=y
-# CONFIG_EPAPR_BOOT is not set
-# CONFIG_DEFAULT_UIMAGE is not set
-CONFIG_ARCH_HIBERNATION_POSSIBLE=y
-CONFIG_ARCH_SUSPEND_POSSIBLE=y
-# CONFIG_PPC_DCR_NATIVE is not set
-# CONFIG_PPC_DCR_MMIO is not set
-CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
-CONFIG_ARCH_SUPPORTS_UPROBES=y
-CONFIG_PGTABLE_LEVELS=2
-CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
-CONFIG_IRQ_WORK=y
-CONFIG_BUILDTIME_EXTABLE_SORT=y
-
-#
-# General setup
-#
-CONFIG_BROKEN_ON_SMP=y
-CONFIG_INIT_ENV_ARG_LIMIT=32
-CONFIG_CROSS_COMPILE=""
-# CONFIG_COMPILE_TEST is not set
-CONFIG_LOCALVERSION=""
-# CONFIG_LOCALVERSION_AUTO is not set
-CONFIG_HAVE_KERNEL_GZIP=y
-CONFIG_KERNEL_GZIP=y
-CONFIG_DEFAULT_HOSTNAME="(none)"
-CONFIG_SWAP=y
-CONFIG_SYSVIPC=y
-CONFIG_SYSVIPC_SYSCTL=y
-CONFIG_POSIX_MQUEUE=y
-CONFIG_POSIX_MQUEUE_SYSCTL=y
-CONFIG_CROSS_MEMORY_ATTACH=y
-CONFIG_FHANDLE=y
-CONFIG_USELIB=y
-CONFIG_AUDIT=y
-CONFIG_HAVE_ARCH_AUDITSYSCALL=y
-
-#
-# IRQ subsystem
-#
-CONFIG_GENERIC_IRQ_SHOW=y
-CONFIG_GENERIC_IRQ_SHOW_LEVEL=y
-CONFIG_IRQ_DOMAIN=y
-# CONFIG_IRQ_DOMAIN_DEBUG is not set
-CONFIG_IRQ_FORCED_THREADING=y
-CONFIG_SPARSE_IRQ=y
-# CONFIG_GENERIC_IRQ_DEBUGFS is not set
-CONFIG_GENERIC_TIME_VSYSCALL=y
-CONFIG_GENERIC_CLOCKEVENTS=y
-CONFIG_GENERIC_CMOS_UPDATE=y
-
-#
-# Timers subsystem
-#
-CONFIG_TICK_ONESHOT=y
-CONFIG_NO_HZ_COMMON=y
-# CONFIG_HZ_PERIODIC is not set
-CONFIG_NO_HZ_IDLE=y
-CONFIG_NO_HZ=y
-CONFIG_HIGH_RES_TIMERS=y
-
-#
-# CPU/Task time and stats accounting
-#
-CONFIG_TICK_CPU_ACCOUNTING=y
-# CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set
-# CONFIG_IRQ_TIME_ACCOUNTING is not set
-# CONFIG_BSD_PROCESS_ACCT is not set
-# CONFIG_TASKSTATS is not set
-
-#
-# RCU Subsystem
-#
-CONFIG_TINY_RCU=y
-# CONFIG_RCU_EXPERT is not set
-CONFIG_SRCU=y
-CONFIG_TINY_SRCU=y
-# CONFIG_TASKS_RCU is not set
-# CONFIG_RCU_STALL_COMMON is not set
-# CONFIG_RCU_NEED_SEGCBLIST is not set
-CONFIG_BUILD_BIN2C=y
-CONFIG_IKCONFIG=y
-CONFIG_IKCONFIG_PROC=y
-CONFIG_LOG_BUF_SHIFT=14
-CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
-# CONFIG_CGROUPS is not set
-# CONFIG_CHECKPOINT_RESTORE is not set
-CONFIG_NAMESPACES=y
-CONFIG_UTS_NS=y
-CONFIG_IPC_NS=y
-# CONFIG_USER_NS is not set
-CONFIG_PID_NS=y
-CONFIG_NET_NS=y
-# CONFIG_SCHED_AUTOGROUP is not set
-# CONFIG_SYSFS_DEPRECATED is not set
-# CONFIG_RELAY is not set
-CONFIG_BLK_DEV_INITRD=y
-CONFIG_INITRAMFS_SOURCE=""
-CONFIG_RD_GZIP=y
-CONFIG_RD_BZIP2=y
-CONFIG_RD_LZMA=y
-CONFIG_RD_XZ=y
-CONFIG_RD_LZO=y
-CONFIG_RD_LZ4=y
-CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
-# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
-CONFIG_SYSCTL=y
-CONFIG_ANON_INODES=y
-CONFIG_SYSCTL_EXCEPTION_TRACE=y
-CONFIG_BPF=y
-# CONFIG_EXPERT is not set
-CONFIG_MULTIUSER=y
-CONFIG_SGETMASK_SYSCALL=y
-CONFIG_SYSFS_SYSCALL=y
-# CONFIG_SYSCTL_SYSCALL is not set
-CONFIG_POSIX_TIMERS=y
-CONFIG_KALLSYMS=y
-CONFIG_KALLSYMS_ALL=y
-# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
-CONFIG_KALLSYMS_BASE_RELATIVE=y
-CONFIG_PRINTK=y
-CONFIG_PRINTK_NMI=y
-CONFIG_BUG=y
-CONFIG_ELF_CORE=y
-CONFIG_BASE_FULL=y
-CONFIG_FUTEX=y
-CONFIG_FUTEX_PI=y
-CONFIG_EPOLL=y
-CONFIG_SIGNALFD=y
-CONFIG_TIMERFD=y
-CONFIG_EVENTFD=y
-# CONFIG_BPF_SYSCALL is not set
-CONFIG_SHMEM=y
-CONFIG_AIO=y
-CONFIG_ADVISE_SYSCALLS=y
-# CONFIG_USERFAULTFD is not set
-CONFIG_PCI_QUIRKS=y
-CONFIG_MEMBARRIER=y
-# CONFIG_EMBEDDED is not set
-CONFIG_HAVE_PERF_EVENTS=y
-# CONFIG_PC104 is not set
-
-#
-# Kernel Performance Events And Counters
-#
-CONFIG_PERF_EVENTS=y
-CONFIG_VM_EVENT_COUNTERS=y
-CONFIG_SLUB_DEBUG=y
-# CONFIG_COMPAT_BRK is not set
-# CONFIG_SLAB is not set
-CONFIG_SLUB=y
-CONFIG_SLAB_MERGE_DEFAULT=y
-# CONFIG_SLAB_FREELIST_RANDOM is not set
-# CONFIG_SLAB_FREELIST_HARDENED is not set
-# CONFIG_SYSTEM_DATA_VERIFICATION is not set
-CONFIG_PROFILING=y
-CONFIG_TRACEPOINTS=y
-CONFIG_OPROFILE=y
-CONFIG_HAVE_OPROFILE=y
-# CONFIG_KPROBES is not set
-# CONFIG_JUMP_LABEL is not set
-CONFIG_UPROBES=y
-# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
-CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
-CONFIG_ARCH_USE_BUILTIN_BSWAP=y
-CONFIG_HAVE_IOREMAP_PROT=y
-CONFIG_HAVE_KPROBES=y
-CONFIG_HAVE_KRETPROBES=y
-CONFIG_HAVE_KPROBES_ON_FTRACE=y
-CONFIG_HAVE_NMI=y
-CONFIG_HAVE_ARCH_TRACEHOOK=y
-CONFIG_GENERIC_SMP_IDLE_THREAD=y
-CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
-CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
-CONFIG_HAVE_DMA_API_DEBUG=y
-CONFIG_HAVE_HW_BREAKPOINT=y
-CONFIG_HAVE_PERF_REGS=y
-CONFIG_HAVE_PERF_USER_STACK_DUMP=y
-CONFIG_HAVE_ARCH_JUMP_LABEL=y
-CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
-CONFIG_ARCH_WEAK_RELEASE_ACQUIRE=y
-CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y
-CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
-CONFIG_SECCOMP_FILTER=y
-CONFIG_HAVE_GCC_PLUGINS=y
-# CONFIG_GCC_PLUGINS is not set
-# CONFIG_CC_STACKPROTECTOR is not set
-CONFIG_THIN_ARCHIVES=y
-CONFIG_HAVE_VIRT_CPU_ACCOUNTING=y
-CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
-CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
-CONFIG_MODULES_USE_ELF_RELA=y
-CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
-CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
-CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
-CONFIG_ARCH_MMAP_RND_BITS=11
-# CONFIG_HAVE_ARCH_HASH is not set
-# CONFIG_ISA_BUS_API is not set
-CONFIG_CLONE_BACKWARDS=y
-CONFIG_OLD_SIGSUSPEND=y
-CONFIG_OLD_SIGACTION=y
-# CONFIG_CPU_NO_EFFICIENT_FFS is not set
-# CONFIG_HAVE_ARCH_VMAP_STACK is not set
-# CONFIG_ARCH_OPTIONAL_KERNEL_RWX is not set
-# CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT is not set
-# CONFIG_ARCH_HAS_STRICT_KERNEL_RWX is not set
-# CONFIG_ARCH_HAS_STRICT_MODULE_RWX is not set
-# CONFIG_REFCOUNT_FULL is not set
-
-#
-# GCOV-based kernel profiling
-#
-# CONFIG_GCOV_KERNEL is not set
-CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
-# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
-CONFIG_SLABINFO=y
-CONFIG_RT_MUTEXES=y
-CONFIG_BASE_SMALL=0
-CONFIG_MODULES=y
-# CONFIG_MODULE_FORCE_LOAD is not set
-CONFIG_MODULE_UNLOAD=y
-CONFIG_MODULE_FORCE_UNLOAD=y
-# CONFIG_MODVERSIONS is not set
-# CONFIG_MODULE_SRCVERSION_ALL is not set
-# CONFIG_MODULE_SIG is not set
-# CONFIG_MODULE_COMPRESS is not set
-# CONFIG_TRIM_UNUSED_KSYMS is not set
-CONFIG_MODULES_TREE_LOOKUP=y
-CONFIG_BLOCK=y
-CONFIG_LBDAF=y
-CONFIG_BLK_SCSI_REQUEST=y
-CONFIG_BLK_DEV_BSG=y
-CONFIG_BLK_DEV_BSGLIB=y
-# CONFIG_BLK_DEV_INTEGRITY is not set
-# CONFIG_BLK_DEV_ZONED is not set
-# CONFIG_BLK_CMDLINE_PARSER is not set
-# CONFIG_BLK_WBT is not set
-CONFIG_BLK_DEBUG_FS=y
-# CONFIG_BLK_SED_OPAL is not set
-
-#
-# Partition Types
-#
-CONFIG_PARTITION_ADVANCED=y
-# CONFIG_ACORN_PARTITION is not set
-# CONFIG_AIX_PARTITION is not set
-# CONFIG_OSF_PARTITION is not set
-# CONFIG_AMIGA_PARTITION is not set
-# CONFIG_ATARI_PARTITION is not set
-CONFIG_MAC_PARTITION=y
-CONFIG_MSDOS_PARTITION=y
-# CONFIG_BSD_DISKLABEL is not set
-# CONFIG_MINIX_SUBPARTITION is not set
-# CONFIG_SOLARIS_X86_PARTITION is not set
-# CONFIG_UNIXWARE_DISKLABEL is not set
-# CONFIG_LDM_PARTITION is not set
-# CONFIG_SGI_PARTITION is not set
-# CONFIG_ULTRIX_PARTITION is not set
-# CONFIG_SUN_PARTITION is not set
-# CONFIG_KARMA_PARTITION is not set
-CONFIG_EFI_PARTITION=y
-# CONFIG_SYSV68_PARTITION is not set
-# CONFIG_CMDLINE_PARTITION is not set
-CONFIG_BLK_MQ_PCI=y
-
-#
-# IO Schedulers
-#
-CONFIG_IOSCHED_NOOP=y
-CONFIG_IOSCHED_DEADLINE=y
-CONFIG_IOSCHED_CFQ=y
-# CONFIG_DEFAULT_DEADLINE is not set
-CONFIG_DEFAULT_CFQ=y
-# CONFIG_DEFAULT_NOOP is not set
-CONFIG_DEFAULT_IOSCHED="cfq"
-CONFIG_MQ_IOSCHED_DEADLINE=y
-CONFIG_MQ_IOSCHED_KYBER=y
-# CONFIG_IOSCHED_BFQ is not set
-CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
-CONFIG_INLINE_READ_UNLOCK=y
-CONFIG_INLINE_READ_UNLOCK_IRQ=y
-CONFIG_INLINE_WRITE_UNLOCK=y
-CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
-CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
-CONFIG_FREEZER=y
-# CONFIG_PPC_XICS is not set
-# CONFIG_PPC_ICP_NATIVE is not set
-# CONFIG_PPC_ICP_HV is not set
-# CONFIG_PPC_ICS_RTAS is not set
-# CONFIG_PPC_XIVE is not set
-# CONFIG_PPC_XIVE_SPAPR is not set
-# CONFIG_GE_FPGA is not set
-
-#
-# Platform support
-#
-# CONFIG_PPC_CHRP is not set
-# CONFIG_PPC_MPC512x is not set
-# CONFIG_PPC_MPC52xx is not set
-CONFIG_PPC_PMAC=y
-# CONFIG_PPC_CELL is not set
-# CONFIG_PPC_CELL_NATIVE is not set
-# CONFIG_PPC_82xx is not set
-# CONFIG_PQ2ADS is not set
-# CONFIG_PPC_83xx is not set
-# CONFIG_PPC_86xx is not set
-# CONFIG_EMBEDDED6xx is not set
-# CONFIG_AMIGAONE is not set
-# CONFIG_KVM_GUEST is not set
-# CONFIG_EPAPR_PARAVIRT is not set
-CONFIG_PPC_NATIVE=y
-CONFIG_PPC_OF_BOOT_TRAMPOLINE=y
-# CONFIG_IPIC is not set
-CONFIG_MPIC=y
-# CONFIG_PPC_EPAPR_HV_PIC is not set
-# CONFIG_MPIC_WEIRD is not set
-# CONFIG_MPIC_MSGR is not set
-# CONFIG_PPC_I8259 is not set
-# CONFIG_PPC_RTAS is not set
-# CONFIG_MMIO_NVRAM is not set
-# CONFIG_MPIC_U3_HT_IRQS is not set
-CONFIG_PPC_MPC106=y
-# CONFIG_PPC_970_NAP is not set
-# CONFIG_PPC_P7_NAP is not set
-
-#
-# CPU Frequency scaling
-#
-CONFIG_CPU_FREQ=y
-CONFIG_CPU_FREQ_STAT=y
-CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
-# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set
-# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set
-# CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND is not set
-# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set
-CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
-CONFIG_CPU_FREQ_GOV_POWERSAVE=y
-CONFIG_CPU_FREQ_GOV_USERSPACE=y
-# CONFIG_CPU_FREQ_GOV_ONDEMAND is not set
-# CONFIG_CPU_FREQ_GOV_CONSERVATIVE is not set
-
-#
-# CPU frequency scaling drivers
-#
-CONFIG_CPU_FREQ_PMAC=y
-
-#
-# CPUIdle driver
-#
-
-#
-# CPU Idle
-#
-# CONFIG_CPU_IDLE is not set
-# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
-CONFIG_PPC601_SYNC_FIX=y
-# CONFIG_TAU is not set
-# CONFIG_FSL_ULI1575 is not set
-CONFIG_GEN_RTC=y
-# CONFIG_SIMPLE_GPIO is not set
-
-#
-# Kernel options
-#
-CONFIG_HIGHMEM=y
-# CONFIG_HZ_100 is not set
-CONFIG_HZ_250=y
-# CONFIG_HZ_300 is not set
-# CONFIG_HZ_1000 is not set
-CONFIG_HZ=250
-CONFIG_SCHED_HRTICK=y
-CONFIG_PREEMPT_NONE=y
-# CONFIG_PREEMPT_VOLUNTARY is not set
-# CONFIG_PREEMPT is not set
-CONFIG_BINFMT_ELF=y
-CONFIG_ELFCORE=y
-CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
-CONFIG_BINFMT_SCRIPT=y
-# CONFIG_HAVE_AOUT is not set
-CONFIG_BINFMT_MISC=m
-CONFIG_COREDUMP=y
-# CONFIG_IOMMU_HELPER is not set
-# CONFIG_SWIOTLB is not set
-CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
-CONFIG_ARCH_HAS_WALK_MEMORY=y
-CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
-# CONFIG_KEXEC is not set
-# CONFIG_CRASH_DUMP is not set
-CONFIG_ARCH_FLATMEM_ENABLE=y
-CONFIG_ILLEGAL_POINTER_VALUE=0
-CONFIG_FLATMEM=y
-CONFIG_FLAT_NODE_MEM_MAP=y
-CONFIG_HAVE_MEMBLOCK=y
-CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
-CONFIG_HAVE_GENERIC_GUP=y
-CONFIG_NO_BOOTMEM=y
-# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set
-CONFIG_SPLIT_PTLOCK_CPUS=4
-CONFIG_COMPACTION=y
-CONFIG_MIGRATION=y
-# CONFIG_PHYS_ADDR_T_64BIT is not set
-CONFIG_BOUNCE=y
-CONFIG_VIRT_TO_BUS=y
-# CONFIG_KSM is not set
-CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
-# CONFIG_ARCH_WANTS_THP_SWAP is not set
-CONFIG_NEED_PER_CPU_KM=y
-# CONFIG_CLEANCACHE is not set
-# CONFIG_FRONTSWAP is not set
-# CONFIG_CMA is not set
-# CONFIG_ZPOOL is not set
-# CONFIG_ZBUD is not set
-# CONFIG_ZSMALLOC is not set
-CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
-# CONFIG_IDLE_PAGE_TRACKING is not set
-# CONFIG_PERCPU_STATS is not set
-CONFIG_PPC_4K_PAGES=y
-CONFIG_THREAD_SHIFT=13
-CONFIG_FORCE_MAX_ZONEORDER=11
-# CONFIG_PPC_COPRO_BASE is not set
-# CONFIG_CMDLINE_BOOL is not set
-CONFIG_EXTRA_TARGETS=""
-CONFIG_ARCH_WANTS_FREEZER_CONTROL=y
-CONFIG_SUSPEND=y
-CONFIG_SUSPEND_FREEZER=y
-CONFIG_HIBERNATE_CALLBACKS=y
-CONFIG_HIBERNATION=y
-CONFIG_PM_STD_PARTITION=""
-CONFIG_PM_SLEEP=y
-# CONFIG_PM_AUTOSLEEP is not set
-# CONFIG_PM_WAKELOCKS is not set
-CONFIG_PM=y
-CONFIG_PM_DEBUG=y
-# CONFIG_PM_ADVANCED_DEBUG is not set
-# CONFIG_PM_TEST_SUSPEND is not set
-CONFIG_PM_SLEEP_DEBUG=y
-CONFIG_APM_EMULATION=y
-# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
-CONFIG_SECCOMP=y
-CONFIG_ISA_DMA_API=y
-
-#
-# Bus options
-#
-CONFIG_ZONE_DMA=y
-# CONFIG_NEED_DMA_MAP_STATE is not set
-CONFIG_NEED_SG_DMA_LENGTH=y
-CONFIG_GENERIC_ISA_DMA=y
-CONFIG_PPC_INDIRECT_PCI=y
-# CONFIG_FSL_LBC is not set
-CONFIG_PCI=y
-CONFIG_PCI_DOMAINS=y
-CONFIG_PCI_SYSCALL=y
-# CONFIG_PCIEPORTBUS is not set
-# CONFIG_PCI_MSI is not set
-# CONFIG_PCI_DEBUG is not set
-# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
-# CONFIG_PCI_STUB is not set
-# CONFIG_PCI_IOV is not set
-# CONFIG_PCI_PRI is not set
-# CONFIG_PCI_PASID is not set
-# CONFIG_HOTPLUG_PCI is not set
-
-#
-# DesignWare PCI Core Support
-#
-
-#
-# PCI host controller drivers
-#
-
-#
-# PCI Endpoint
-#
-# CONFIG_PCI_ENDPOINT is not set
-
-#
-# PCI switch controller drivers
-#
-# CONFIG_PCI_SW_SWITCHTEC is not set
-CONFIG_PCCARD=m
-CONFIG_PCMCIA=m
-CONFIG_PCMCIA_LOAD_CIS=y
-CONFIG_CARDBUS=y
-
-#
-# PC-card bridges
-#
-CONFIG_YENTA=m
-CONFIG_YENTA_O2=y
-CONFIG_YENTA_RICOH=y
-CONFIG_YENTA_TI=y
-CONFIG_YENTA_ENE_TUNE=y
-CONFIG_YENTA_TOSHIBA=y
-# CONFIG_PD6729 is not set
-# CONFIG_I82092 is not set
-CONFIG_PCCARD_NONSTATIC=y
-# CONFIG_HAS_RAPIDIO is not set
-# CONFIG_RAPIDIO is not set
-# CONFIG_NONSTATIC_KERNEL is not set
-
-#
-# Advanced setup
-#
-# CONFIG_ADVANCED_OPTIONS is not set
-
-#
-# Default settings for advanced configuration options are used
-#
-CONFIG_LOWMEM_SIZE=0x30000000
-CONFIG_PAGE_OFFSET=0xc0000000
-CONFIG_KERNEL_START=0xc0000000
-CONFIG_PHYSICAL_START=0x00000000
-CONFIG_TASK_SIZE=0xc0000000
-# CONFIG_ARCH_RANDOM is not set
-CONFIG_NET=y
-CONFIG_NET_INGRESS=y
-
-#
-# Networking options
-#
-CONFIG_PACKET=y
-# CONFIG_PACKET_DIAG is not set
-CONFIG_UNIX=y
-# CONFIG_UNIX_DIAG is not set
-# CONFIG_TLS is not set
-CONFIG_XFRM=y
-CONFIG_XFRM_ALGO=y
-CONFIG_XFRM_USER=y
-# CONFIG_XFRM_SUB_POLICY is not set
-# CONFIG_XFRM_MIGRATE is not set
-# CONFIG_XFRM_STATISTICS is not set
-CONFIG_NET_KEY=y
-# CONFIG_NET_KEY_MIGRATE is not set
-CONFIG_INET=y
-CONFIG_IP_MULTICAST=y
-# CONFIG_IP_ADVANCED_ROUTER is not set
-CONFIG_IP_ROUTE_CLASSID=y
-# CONFIG_IP_PNP is not set
-# CONFIG_NET_IPIP is not set
-# CONFIG_NET_IPGRE_DEMUX is not set
-# CONFIG_NET_IP_TUNNEL is not set
-# CONFIG_IP_MROUTE is not set
-CONFIG_SYN_COOKIES=y
-# CONFIG_NET_UDP_TUNNEL is not set
-# CONFIG_NET_FOU is not set
-CONFIG_INET_AH=y
-CONFIG_INET_ESP=y
-# CONFIG_INET_ESP_OFFLOAD is not set
-# CONFIG_INET_IPCOMP is not set
-# CONFIG_INET_XFRM_TUNNEL is not set
-# CONFIG_INET_TUNNEL is not set
-# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
-# CONFIG_INET_XFRM_MODE_TUNNEL is not set
-CONFIG_INET_XFRM_MODE_BEET=y
-CONFIG_INET_DIAG=y
-CONFIG_INET_TCP_DIAG=y
-# CONFIG_INET_UDP_DIAG is not set
-# CONFIG_INET_RAW_DIAG is not set
-# CONFIG_INET_DIAG_DESTROY is not set
-# CONFIG_TCP_CONG_ADVANCED is not set
-CONFIG_TCP_CONG_CUBIC=y
-CONFIG_DEFAULT_TCP_CONG="cubic"
-# CONFIG_TCP_MD5SIG is not set
-# CONFIG_IPV6 is not set
-# CONFIG_NETLABEL is not set
-# CONFIG_NETWORK_SECMARK is not set
-# CONFIG_NET_PTP_CLASSIFY is not set
-# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
-CONFIG_NETFILTER=y
-CONFIG_NETFILTER_ADVANCED=y
-
-#
-# Core Netfilter Configuration
-#
-CONFIG_NETFILTER_INGRESS=y
-CONFIG_NETFILTER_NETLINK=m
-# CONFIG_NETFILTER_NETLINK_ACCT is not set
-CONFIG_NETFILTER_NETLINK_QUEUE=m
-CONFIG_NETFILTER_NETLINK_LOG=m
-CONFIG_NF_CONNTRACK=m
-# CONFIG_NF_LOG_NETDEV is not set
-# CONFIG_NF_CONNTRACK_MARK is not set
-CONFIG_NF_CONNTRACK_PROCFS=y
-# CONFIG_NF_CONNTRACK_EVENTS is not set
-# CONFIG_NF_CONNTRACK_TIMEOUT is not set
-# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
-CONFIG_NF_CT_PROTO_DCCP=y
-# CONFIG_NF_CT_PROTO_SCTP is not set
-# CONFIG_NF_CT_PROTO_UDPLITE is not set
-# CONFIG_NF_CONNTRACK_AMANDA is not set
-CONFIG_NF_CONNTRACK_FTP=m
-# CONFIG_NF_CONNTRACK_H323 is not set
-CONFIG_NF_CONNTRACK_IRC=m
-# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
-# CONFIG_NF_CONNTRACK_SNMP is not set
-# CONFIG_NF_CONNTRACK_PPTP is not set
-# CONFIG_NF_CONNTRACK_SANE is not set
-# CONFIG_NF_CONNTRACK_SIP is not set
-CONFIG_NF_CONNTRACK_TFTP=m
-CONFIG_NF_CT_NETLINK=m
-# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
-# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
-# CONFIG_NF_TABLES is not set
-CONFIG_NETFILTER_XTABLES=m
-
-#
-# Xtables combined modules
-#
-CONFIG_NETFILTER_XT_MARK=m
-# CONFIG_NETFILTER_XT_CONNMARK is not set
-
-#
-# Xtables targets
-#
-# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
-CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
-# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
-# CONFIG_NETFILTER_XT_TARGET_CT is not set
-# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
-CONFIG_NETFILTER_XT_TARGET_HL=m
-# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
-# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
-# CONFIG_NETFILTER_XT_TARGET_LED is not set
-# CONFIG_NETFILTER_XT_TARGET_LOG is not set
-CONFIG_NETFILTER_XT_TARGET_MARK=m
-CONFIG_NETFILTER_XT_TARGET_NFLOG=m
-CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
-# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
-CONFIG_NETFILTER_XT_TARGET_RATEEST=m
-# CONFIG_NETFILTER_XT_TARGET_TEE is not set
-# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
-CONFIG_NETFILTER_XT_TARGET_TRACE=m
-CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
-CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
-
-#
-# Xtables matches
-#
-# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
-# CONFIG_NETFILTER_XT_MATCH_BPF is not set
-# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
-CONFIG_NETFILTER_XT_MATCH_COMMENT=m
-# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
-# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
-CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
-# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
-CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-# CONFIG_NETFILTER_XT_MATCH_CPU is not set
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
-# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
-CONFIG_NETFILTER_XT_MATCH_DSCP=m
-CONFIG_NETFILTER_XT_MATCH_ECN=m
-CONFIG_NETFILTER_XT_MATCH_ESP=m
-# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
-CONFIG_NETFILTER_XT_MATCH_HELPER=m
-CONFIG_NETFILTER_XT_MATCH_HL=m
-# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
-CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
-# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
-CONFIG_NETFILTER_XT_MATCH_LENGTH=m
-CONFIG_NETFILTER_XT_MATCH_LIMIT=m
-CONFIG_NETFILTER_XT_MATCH_MAC=m
-CONFIG_NETFILTER_XT_MATCH_MARK=m
-CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
-# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
-# CONFIG_NETFILTER_XT_MATCH_OSF is not set
-CONFIG_NETFILTER_XT_MATCH_OWNER=m
-CONFIG_NETFILTER_XT_MATCH_POLICY=m
-CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
-# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
-CONFIG_NETFILTER_XT_MATCH_RATEEST=m
-CONFIG_NETFILTER_XT_MATCH_REALM=m
-CONFIG_NETFILTER_XT_MATCH_RECENT=m
-CONFIG_NETFILTER_XT_MATCH_SCTP=m
-# CONFIG_NETFILTER_XT_MATCH_STATE is not set
-# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
-CONFIG_NETFILTER_XT_MATCH_STRING=m
-CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
-CONFIG_NETFILTER_XT_MATCH_TIME=m
-CONFIG_NETFILTER_XT_MATCH_U32=m
-# CONFIG_IP_SET is not set
-# CONFIG_IP_VS is not set
-
-#
-# IP: Netfilter Configuration
-#
-CONFIG_NF_DEFRAG_IPV4=m
-CONFIG_NF_CONNTRACK_IPV4=m
-# CONFIG_NF_SOCKET_IPV4 is not set
-# CONFIG_NF_DUP_IPV4 is not set
-# CONFIG_NF_LOG_ARP is not set
-# CONFIG_NF_LOG_IPV4 is not set
-CONFIG_NF_REJECT_IPV4=m
-# CONFIG_NF_NAT_IPV4 is not set
-CONFIG_IP_NF_IPTABLES=m
-CONFIG_IP_NF_MATCH_AH=m
-CONFIG_IP_NF_MATCH_ECN=m
-# CONFIG_IP_NF_MATCH_RPFILTER is not set
-CONFIG_IP_NF_MATCH_TTL=m
-CONFIG_IP_NF_FILTER=m
-CONFIG_IP_NF_TARGET_REJECT=m
-# CONFIG_IP_NF_TARGET_SYNPROXY is not set
-# CONFIG_IP_NF_NAT is not set
-CONFIG_IP_NF_MANGLE=m
-# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
-CONFIG_IP_NF_TARGET_ECN=m
-CONFIG_IP_NF_TARGET_TTL=m
-CONFIG_IP_NF_RAW=m
-# CONFIG_IP_NF_SECURITY is not set
-CONFIG_IP_NF_ARPTABLES=m
-CONFIG_IP_NF_ARPFILTER=m
-CONFIG_IP_NF_ARP_MANGLE=m
-CONFIG_IP_DCCP=m
-CONFIG_INET_DCCP_DIAG=m
-
-#
-# DCCP CCIDs Configuration
-#
-# CONFIG_IP_DCCP_CCID2_DEBUG is not set
-CONFIG_IP_DCCP_CCID3=y
-# CONFIG_IP_DCCP_CCID3_DEBUG is not set
-CONFIG_IP_DCCP_TFRC_LIB=y
-
-#
-# DCCP Kernel Hacking
-#
-# CONFIG_IP_DCCP_DEBUG is not set
-# CONFIG_IP_SCTP is not set
-# CONFIG_RDS is not set
-# CONFIG_TIPC is not set
-# CONFIG_ATM is not set
-# CONFIG_L2TP is not set
-# CONFIG_BRIDGE is not set
-CONFIG_HAVE_NET_DSA=y
-# CONFIG_NET_DSA is not set
-# CONFIG_VLAN_8021Q is not set
-# CONFIG_DECNET is not set
-# CONFIG_LLC2 is not set
-# CONFIG_IPX is not set
-# CONFIG_ATALK is not set
-# CONFIG_X25 is not set
-# CONFIG_LAPB is not set
-# CONFIG_PHONET is not set
-# CONFIG_IEEE802154 is not set
-# CONFIG_NET_SCHED is not set
-# CONFIG_DCB is not set
-CONFIG_DNS_RESOLVER=y
-# CONFIG_BATMAN_ADV is not set
-# CONFIG_OPENVSWITCH is not set
-# CONFIG_VSOCKETS is not set
-# CONFIG_NETLINK_DIAG is not set
-# CONFIG_MPLS is not set
-# CONFIG_NET_NSH is not set
-# CONFIG_HSR is not set
-# CONFIG_NET_SWITCHDEV is not set
-# CONFIG_NET_L3_MASTER_DEV is not set
-# CONFIG_NET_NCSI is not set
-CONFIG_NET_RX_BUSY_POLL=y
-CONFIG_BQL=y
-# CONFIG_BPF_JIT is not set
-
-#
-# Network testing
-#
-# CONFIG_NET_PKTGEN is not set
-# CONFIG_NET_DROP_MONITOR is not set
-# CONFIG_HAMRADIO is not set
-# CONFIG_CAN is not set
-CONFIG_BT=m
-CONFIG_BT_BREDR=y
-CONFIG_BT_RFCOMM=m
-CONFIG_BT_RFCOMM_TTY=y
-CONFIG_BT_BNEP=m
-CONFIG_BT_BNEP_MC_FILTER=y
-CONFIG_BT_BNEP_PROTO_FILTER=y
-CONFIG_BT_HIDP=m
-CONFIG_BT_HS=y
-CONFIG_BT_LE=y
-# CONFIG_BT_LEDS is not set
-# CONFIG_BT_SELFTEST is not set
-CONFIG_BT_DEBUGFS=y
-
-#
-# Bluetooth device drivers
-#
-# CONFIG_BT_HCIBTUSB is not set
-# CONFIG_BT_HCIUART is not set
-CONFIG_BT_HCIBCM203X=m
-CONFIG_BT_HCIBFUSB=m
-# CONFIG_BT_HCIDTL1 is not set
-# CONFIG_BT_HCIBT3C is not set
-# CONFIG_BT_HCIBLUECARD is not set
-# CONFIG_BT_HCIBTUART is not set
-# CONFIG_BT_HCIVHCI is not set
-# CONFIG_BT_MRVL is not set
-# CONFIG_AF_RXRPC is not set
-# CONFIG_AF_KCM is not set
-# CONFIG_STREAM_PARSER is not set
-CONFIG_WIRELESS=y
-CONFIG_WIRELESS_EXT=y
-CONFIG_WEXT_CORE=y
-CONFIG_WEXT_PROC=y
-CONFIG_WEXT_SPY=y
-CONFIG_WEXT_PRIV=y
-CONFIG_CFG80211=m
-# CONFIG_NL80211_TESTMODE is not set
-# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
-CONFIG_CFG80211_DEFAULT_PS=y
-# CONFIG_CFG80211_DEBUGFS is not set
-# CONFIG_CFG80211_INTERNAL_REGDB is not set
-CONFIG_CFG80211_CRDA_SUPPORT=y
-# CONFIG_CFG80211_WEXT is not set
-# CONFIG_LIB80211 is not set
-CONFIG_MAC80211=m
-CONFIG_MAC80211_HAS_RC=y
-CONFIG_MAC80211_RC_MINSTREL=y
-CONFIG_MAC80211_RC_MINSTREL_HT=y
-# CONFIG_MAC80211_RC_MINSTREL_VHT is not set
-CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
-CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
-# CONFIG_MAC80211_MESH is not set
-CONFIG_MAC80211_LEDS=y
-# CONFIG_MAC80211_DEBUGFS is not set
-# CONFIG_MAC80211_MESSAGE_TRACING is not set
-# CONFIG_MAC80211_DEBUG_MENU is not set
-CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
-# CONFIG_WIMAX is not set
-# CONFIG_RFKILL is not set
-# CONFIG_NET_9P is not set
-# CONFIG_CAIF is not set
-# CONFIG_CEPH_LIB is not set
-# CONFIG_NFC is not set
-# CONFIG_PSAMPLE is not set
-# CONFIG_NET_IFE is not set
-# CONFIG_LWTUNNEL is not set
-# CONFIG_DST_CACHE is not set
-CONFIG_GRO_CELLS=y
-# CONFIG_NET_DEVLINK is not set
-CONFIG_MAY_USE_DEVLINK=y
-CONFIG_HAVE_CBPF_JIT=y
-
-#
-# Device Drivers
-#
-
-#
-# Generic Driver Options
-#
-CONFIG_UEVENT_HELPER=y
-CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
-# CONFIG_DEVTMPFS is not set
-# CONFIG_STANDALONE is not set
-CONFIG_PREVENT_FIRMWARE_BUILD=y
-CONFIG_FW_LOADER=y
-CONFIG_FIRMWARE_IN_KERNEL=y
-CONFIG_EXTRA_FIRMWARE=""
-# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
-CONFIG_ALLOW_DEV_COREDUMP=y
-# CONFIG_DEBUG_DRIVER is not set
-# CONFIG_DEBUG_DEVRES is not set
-# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
-# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set
-# CONFIG_SYS_HYPERVISOR is not set
-# CONFIG_GENERIC_CPU_DEVICES is not set
-CONFIG_GENERIC_CPU_AUTOPROBE=y
-CONFIG_REGMAP=y
-CONFIG_REGMAP_I2C=y
-CONFIG_DMA_SHARED_BUFFER=y
-# CONFIG_DMA_FENCE_TRACE is not set
-
-#
-# Bus devices
-#
-# CONFIG_SIMPLE_PM_BUS is not set
-CONFIG_CONNECTOR=y
-CONFIG_PROC_EVENTS=y
-# CONFIG_MTD is not set
-CONFIG_DTC=y
-CONFIG_OF=y
-# CONFIG_OF_UNITTEST is not set
-CONFIG_OF_FLATTREE=y
-CONFIG_OF_EARLY_FLATTREE=y
-CONFIG_OF_ADDRESS=y
-CONFIG_OF_ADDRESS_PCI=y
-CONFIG_OF_IRQ=y
-CONFIG_OF_NET=y
-CONFIG_OF_MDIO=m
-CONFIG_OF_PCI=y
-CONFIG_OF_PCI_IRQ=y
-CONFIG_OF_RESERVED_MEM=y
-# CONFIG_OF_OVERLAY is not set
-CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
-# CONFIG_PARPORT is not set
-CONFIG_BLK_DEV=y
-# CONFIG_BLK_DEV_NULL_BLK is not set
-# CONFIG_BLK_DEV_FD is not set
-CONFIG_MAC_FLOPPY=m
-# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
-# CONFIG_BLK_DEV_DAC960 is not set
-# CONFIG_BLK_DEV_UMEM is not set
-# CONFIG_BLK_DEV_COW_COMMON is not set
-CONFIG_BLK_DEV_LOOP=y
-CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
-# CONFIG_BLK_DEV_CRYPTOLOOP is not set
-# CONFIG_BLK_DEV_DRBD is not set
-# CONFIG_BLK_DEV_NBD is not set
-# CONFIG_BLK_DEV_SX8 is not set
-CONFIG_BLK_DEV_RAM=y
-CONFIG_BLK_DEV_RAM_COUNT=16
-CONFIG_BLK_DEV_RAM_SIZE=4096
-# CONFIG_CDROM_PKTCDVD is not set
-# CONFIG_ATA_OVER_ETH is not set
-# CONFIG_BLK_DEV_RBD is not set
-# CONFIG_BLK_DEV_RSXX is not set
-# CONFIG_BLK_DEV_NVME is not set
-# CONFIG_NVME_FC is not set
-
-#
-# Misc devices
-#
-# CONFIG_SENSORS_LIS3LV02D is not set
-# CONFIG_AD525X_DPOT is not set
-# CONFIG_DUMMY_IRQ is not set
-# CONFIG_PHANTOM is not set
-# CONFIG_SGI_IOC4 is not set
-# CONFIG_TIFM_CORE is not set
-# CONFIG_ICS932S401 is not set
-# CONFIG_ENCLOSURE_SERVICES is not set
-# CONFIG_HP_ILO is not set
-# CONFIG_APDS9802ALS is not set
-# CONFIG_ISL29003 is not set
-# CONFIG_ISL29020 is not set
-# CONFIG_SENSORS_TSL2550 is not set
-# CONFIG_SENSORS_BH1770 is not set
-# CONFIG_SENSORS_APDS990X is not set
-# CONFIG_HMC6352 is not set
-# CONFIG_DS1682 is not set
-# CONFIG_USB_SWITCH_FSA9480 is not set
-# CONFIG_SRAM is not set
-# CONFIG_PCI_ENDPOINT_TEST is not set
-# CONFIG_C2PORT is not set
-
-#
-# EEPROM support
-#
-# CONFIG_EEPROM_AT24 is not set
-# CONFIG_EEPROM_LEGACY is not set
-# CONFIG_EEPROM_MAX6875 is not set
-# CONFIG_EEPROM_93CX6 is not set
-# CONFIG_EEPROM_IDT_89HPESX is not set
-# CONFIG_CB710_CORE is not set
-
-#
-# Texas Instruments shared transport line discipline
-#
-# CONFIG_SENSORS_LIS3_I2C is not set
-
-#
-# Altera FPGA firmware download module
-#
-# CONFIG_ALTERA_STAPL is not set
-
-#
-# Intel MIC Bus Driver
-#
-
-#
-# SCIF Bus Driver
-#
-
-#
-# VOP Bus Driver
-#
-
-#
-# Intel MIC Host Driver
-#
-
-#
-# Intel MIC Card Driver
-#
-
-#
-# SCIF Driver
-#
-
-#
-# Intel MIC Coprocessor State Management (COSM) Drivers
-#
-
-#
-# VOP Driver
-#
-# CONFIG_ECHO is not set
-# CONFIG_CXL_BASE is not set
-# CONFIG_CXL_AFU_DRIVER_OPS is not set
-# CONFIG_CXL_LIB is not set
-CONFIG_HAVE_IDE=y
-CONFIG_IDE=y
-
-#
-# Please see Documentation/ide/ide.txt for help/info on IDE drives
-#
-CONFIG_IDE_XFER_MODE=y
-CONFIG_IDE_TIMINGS=y
-CONFIG_IDE_ATAPI=y
-# CONFIG_BLK_DEV_IDE_SATA is not set
-CONFIG_IDE_GD=y
-CONFIG_IDE_GD_ATA=y
-# CONFIG_IDE_GD_ATAPI is not set
-CONFIG_BLK_DEV_IDECS=m
-# CONFIG_BLK_DEV_DELKIN is not set
-CONFIG_BLK_DEV_IDECD=y
-CONFIG_BLK_DEV_IDECD_VERBOSE_ERRORS=y
-# CONFIG_BLK_DEV_IDETAPE is not set
-# CONFIG_IDE_TASK_IOCTL is not set
-CONFIG_IDE_PROC_FS=y
-
-#
-# IDE chipset support/bugfixes
-#
-# CONFIG_BLK_DEV_PLATFORM is not set
-CONFIG_BLK_DEV_IDEDMA_SFF=y
-
-#
-# PCI IDE chipsets support
-#
-CONFIG_BLK_DEV_IDEPCI=y
-CONFIG_IDEPCI_PCIBUS_ORDER=y
-# CONFIG_BLK_DEV_OFFBOARD is not set
-CONFIG_BLK_DEV_GENERIC=y
-# CONFIG_BLK_DEV_OPTI621 is not set
-CONFIG_BLK_DEV_IDEDMA_PCI=y
-# CONFIG_BLK_DEV_AEC62XX is not set
-# CONFIG_BLK_DEV_ALI15X3 is not set
-# CONFIG_BLK_DEV_AMD74XX is not set
-# CONFIG_BLK_DEV_CMD64X is not set
-# CONFIG_BLK_DEV_TRIFLEX is not set
-# CONFIG_BLK_DEV_HPT366 is not set
-# CONFIG_BLK_DEV_JMICRON is not set
-# CONFIG_BLK_DEV_PIIX is not set
-# CONFIG_BLK_DEV_IT8172 is not set
-# CONFIG_BLK_DEV_IT8213 is not set
-# CONFIG_BLK_DEV_IT821X is not set
-# CONFIG_BLK_DEV_NS87415 is not set
-# CONFIG_BLK_DEV_PDC202XX_OLD is not set
-CONFIG_BLK_DEV_PDC202XX_NEW=y
-# CONFIG_BLK_DEV_SVWKS is not set
-# CONFIG_BLK_DEV_SIIMAGE is not set
-CONFIG_BLK_DEV_SL82C105=y
-# CONFIG_BLK_DEV_SLC90E66 is not set
-# CONFIG_BLK_DEV_TRM290 is not set
-# CONFIG_BLK_DEV_VIA82CXXX is not set
-# CONFIG_BLK_DEV_TC86C001 is not set
-CONFIG_BLK_DEV_IDE_PMAC=y
-CONFIG_BLK_DEV_IDE_PMAC_ATA100FIRST=y
-CONFIG_BLK_DEV_IDEDMA=y
-
-#
-# SCSI device support
-#
-CONFIG_SCSI_MOD=y
-# CONFIG_RAID_ATTRS is not set
-CONFIG_SCSI=y
-CONFIG_SCSI_DMA=y
-CONFIG_SCSI_NETLINK=y
-# CONFIG_SCSI_MQ_DEFAULT is not set
-CONFIG_SCSI_PROC_FS=y
-
-#
-# SCSI support type (disk, tape, CD-ROM)
-#
-CONFIG_BLK_DEV_SD=y
-CONFIG_CHR_DEV_ST=y
-# CONFIG_CHR_DEV_OSST is not set
-CONFIG_BLK_DEV_SR=y
-CONFIG_BLK_DEV_SR_VENDOR=y
-CONFIG_CHR_DEV_SG=y
-# CONFIG_CHR_DEV_SCH is not set
-CONFIG_SCSI_CONSTANTS=y
-# CONFIG_SCSI_LOGGING is not set
-# CONFIG_SCSI_SCAN_ASYNC is not set
-
-#
-# SCSI Transports
-#
-CONFIG_SCSI_SPI_ATTRS=y
-CONFIG_SCSI_FC_ATTRS=y
-# CONFIG_SCSI_ISCSI_ATTRS is not set
-# CONFIG_SCSI_SAS_ATTRS is not set
-# CONFIG_SCSI_SAS_LIBSAS is not set
-# CONFIG_SCSI_SRP_ATTRS is not set
-CONFIG_SCSI_LOWLEVEL=y
-# CONFIG_ISCSI_TCP is not set
-# CONFIG_ISCSI_BOOT_SYSFS is not set
-# CONFIG_SCSI_CXGB3_ISCSI is not set
-# CONFIG_SCSI_CXGB4_ISCSI is not set
-# CONFIG_SCSI_BNX2_ISCSI is not set
-# CONFIG_BE2ISCSI is not set
-# CONFIG_BLK_DEV_3W_XXXX_RAID is not set
-# CONFIG_SCSI_HPSA is not set
-# CONFIG_SCSI_3W_9XXX is not set
-# CONFIG_SCSI_3W_SAS is not set
-# CONFIG_SCSI_ACARD is not set
-# CONFIG_SCSI_AACRAID is not set
-CONFIG_SCSI_AIC7XXX=m
-CONFIG_AIC7XXX_CMDS_PER_DEVICE=253
-CONFIG_AIC7XXX_RESET_DELAY_MS=15000
-CONFIG_AIC7XXX_DEBUG_ENABLE=y
-CONFIG_AIC7XXX_DEBUG_MASK=0
-CONFIG_AIC7XXX_REG_PRETTY_PRINT=y
-# CONFIG_SCSI_AIC79XX is not set
-# CONFIG_SCSI_AIC94XX is not set
-# CONFIG_SCSI_MVSAS is not set
-# CONFIG_SCSI_MVUMI is not set
-# CONFIG_SCSI_DPT_I2O is not set
-# CONFIG_SCSI_ADVANSYS is not set
-# CONFIG_SCSI_ARCMSR is not set
-# CONFIG_SCSI_ESAS2R is not set
-# CONFIG_MEGARAID_NEWGEN is not set
-# CONFIG_MEGARAID_LEGACY is not set
-# CONFIG_MEGARAID_SAS is not set
-# CONFIG_SCSI_MPT3SAS is not set
-# CONFIG_SCSI_MPT2SAS is not set
-# CONFIG_SCSI_SMARTPQI is not set
-# CONFIG_SCSI_UFSHCD is not set
-# CONFIG_SCSI_HPTIOP is not set
-# CONFIG_SCSI_BUSLOGIC is not set
-# CONFIG_LIBFC is not set
-# CONFIG_SCSI_SNIC is not set
-# CONFIG_SCSI_DMX3191D is not set
-# CONFIG_SCSI_EATA is not set
-# CONFIG_SCSI_FUTURE_DOMAIN is not set
-# CONFIG_SCSI_GDTH is not set
-# CONFIG_SCSI_IPS is not set
-# CONFIG_SCSI_INITIO is not set
-# CONFIG_SCSI_INIA100 is not set
-# CONFIG_SCSI_STEX is not set
-CONFIG_SCSI_SYM53C8XX_2=y
-CONFIG_SCSI_SYM53C8XX_DMA_ADDRESSING_MODE=0
-CONFIG_SCSI_SYM53C8XX_DEFAULT_TAGS=16
-CONFIG_SCSI_SYM53C8XX_MAX_TAGS=64
-CONFIG_SCSI_SYM53C8XX_MMIO=y
-# CONFIG_SCSI_QLOGIC_1280 is not set
-# CONFIG_SCSI_QLA_FC is not set
-# CONFIG_SCSI_QLA_ISCSI is not set
-# CONFIG_SCSI_LPFC is not set
-# CONFIG_SCSI_DC395x is not set
-# CONFIG_SCSI_AM53C974 is not set
-# CONFIG_SCSI_NSP32 is not set
-# CONFIG_SCSI_WD719X is not set
-# CONFIG_SCSI_DEBUG is not set
-CONFIG_SCSI_MESH=y
-CONFIG_SCSI_MESH_SYNC_RATE=5
-CONFIG_SCSI_MESH_RESET_DELAY_MS=4000
-CONFIG_SCSI_MAC53C94=y
-# CONFIG_SCSI_PMCRAID is not set
-# CONFIG_SCSI_PM8001 is not set
-# CONFIG_SCSI_BFA_FC is not set
-# CONFIG_SCSI_CHELSIO_FCOE is not set
-# CONFIG_SCSI_LOWLEVEL_PCMCIA is not set
-# CONFIG_SCSI_DH is not set
-# CONFIG_SCSI_OSD_INITIATOR is not set
-# CONFIG_ATA is not set
-CONFIG_MD=y
-CONFIG_BLK_DEV_MD=m
-CONFIG_MD_LINEAR=m
-CONFIG_MD_RAID0=m
-CONFIG_MD_RAID1=m
-CONFIG_MD_RAID10=m
-# CONFIG_MD_RAID456 is not set
-CONFIG_MD_MULTIPATH=m
-CONFIG_MD_FAULTY=m
-# CONFIG_BCACHE is not set
-CONFIG_BLK_DEV_DM_BUILTIN=y
-CONFIG_BLK_DEV_DM=m
-# CONFIG_DM_MQ_DEFAULT is not set
-# CONFIG_DM_DEBUG is not set
-CONFIG_DM_BUFIO=m
-# CONFIG_DM_DEBUG_BLOCK_MANAGER_LOCKING is not set
-CONFIG_DM_CRYPT=m
-CONFIG_DM_SNAPSHOT=m
-# CONFIG_DM_THIN_PROVISIONING is not set
-# CONFIG_DM_CACHE is not set
-# CONFIG_DM_ERA is not set
-CONFIG_DM_MIRROR=m
-# CONFIG_DM_LOG_USERSPACE is not set
-# CONFIG_DM_RAID is not set
-CONFIG_DM_ZERO=m
-# CONFIG_DM_MULTIPATH is not set
-# CONFIG_DM_DELAY is not set
-# CONFIG_DM_UEVENT is not set
-# CONFIG_DM_FLAKEY is not set
-# CONFIG_DM_VERITY is not set
-# CONFIG_DM_SWITCH is not set
-# CONFIG_DM_LOG_WRITES is not set
-# CONFIG_DM_INTEGRITY is not set
-# CONFIG_TARGET_CORE is not set
-# CONFIG_FUSION is not set
-
-#
-# IEEE 1394 (FireWire) support
-#
-# CONFIG_FIREWIRE is not set
-# CONFIG_FIREWIRE_NOSY is not set
-CONFIG_MACINTOSH_DRIVERS=y
-CONFIG_ADB=y
-CONFIG_ADB_CUDA=y
-CONFIG_ADB_PMU=y
-CONFIG_ADB_PMU_LED=y
-# CONFIG_ADB_PMU_LED_DISK is not set
-CONFIG_PMAC_APM_EMU=m
-CONFIG_PMAC_MEDIABAY=y
-CONFIG_PMAC_BACKLIGHT=y
-CONFIG_PMAC_BACKLIGHT_LEGACY=y
-CONFIG_INPUT_ADBHID=y
-CONFIG_MAC_EMUMOUSEBTN=y
-CONFIG_THERM_WINDTUNNEL=m
-CONFIG_THERM_ADT746X=m
-# CONFIG_WINDFARM is not set
-# CONFIG_ANSLCD is not set
-CONFIG_PMAC_RACKMETER=m
-# CONFIG_SENSORS_AMS is not set
-CONFIG_NETDEVICES=y
-CONFIG_MII=y
-CONFIG_NET_CORE=y
-# CONFIG_BONDING is not set
-CONFIG_DUMMY=m
-# CONFIG_EQUALIZER is not set
-# CONFIG_NET_FC is not set
-# CONFIG_NET_TEAM is not set
-# CONFIG_MACVLAN is not set
-# CONFIG_VXLAN is not set
-# CONFIG_MACSEC is not set
-# CONFIG_NETCONSOLE is not set
-# CONFIG_NETPOLL is not set
-# CONFIG_NET_POLL_CONTROLLER is not set
-CONFIG_TUN=m
-# CONFIG_TUN_VNET_CROSS_LE is not set
-# CONFIG_VETH is not set
-# CONFIG_NLMON is not set
-CONFIG_SUNGEM_PHY=y
-# CONFIG_ARCNET is not set
-
-#
-# CAIF transport drivers
-#
-
-#
-# Distributed Switch Architecture drivers
-#
-CONFIG_ETHERNET=y
-CONFIG_NET_VENDOR_3COM=y
-# CONFIG_PCMCIA_3C574 is not set
-# CONFIG_PCMCIA_3C589 is not set
-# CONFIG_VORTEX is not set
-# CONFIG_TYPHOON is not set
-CONFIG_NET_VENDOR_ADAPTEC=y
-# CONFIG_ADAPTEC_STARFIRE is not set
-CONFIG_NET_VENDOR_AGERE=y
-# CONFIG_ET131X is not set
-CONFIG_NET_VENDOR_ALACRITECH=y
-# CONFIG_SLICOSS is not set
-CONFIG_NET_VENDOR_ALTEON=y
-# CONFIG_ACENIC is not set
-# CONFIG_ALTERA_TSE is not set
-CONFIG_NET_VENDOR_AMAZON=y
-CONFIG_NET_VENDOR_AMD=y
-# CONFIG_AMD8111_ETH is not set
-CONFIG_PCNET32=y
-# CONFIG_PCMCIA_NMCLAN is not set
-# CONFIG_AMD_XGBE_HAVE_ECC is not set
-CONFIG_NET_VENDOR_APPLE=y
-CONFIG_MACE=y
-# CONFIG_MACE_AAUI_PORT is not set
-CONFIG_BMAC=y
-CONFIG_NET_VENDOR_AQUANTIA=y
-CONFIG_NET_VENDOR_ARC=y
-CONFIG_NET_VENDOR_ATHEROS=y
-# CONFIG_ATL2 is not set
-# CONFIG_ATL1 is not set
-# CONFIG_ATL1E is not set
-# CONFIG_ATL1C is not set
-# CONFIG_ALX is not set
-# CONFIG_NET_VENDOR_AURORA is not set
-CONFIG_NET_CADENCE=y
-# CONFIG_MACB is not set
-CONFIG_NET_VENDOR_BROADCOM=y
-# CONFIG_B44 is not set
-# CONFIG_BCMGENET is not set
-# CONFIG_BNX2 is not set
-# CONFIG_CNIC is not set
-# CONFIG_TIGON3 is not set
-# CONFIG_BNX2X is not set
-# CONFIG_SYSTEMPORT is not set
-# CONFIG_BNXT is not set
-CONFIG_NET_VENDOR_BROCADE=y
-# CONFIG_BNA is not set
-CONFIG_NET_VENDOR_CAVIUM=y
-CONFIG_NET_VENDOR_CHELSIO=y
-# CONFIG_CHELSIO_T1 is not set
-# CONFIG_CHELSIO_T3 is not set
-# CONFIG_CHELSIO_T4 is not set
-# CONFIG_CHELSIO_T4VF is not set
-CONFIG_NET_VENDOR_CISCO=y
-# CONFIG_ENIC is not set
-# CONFIG_DNET is not set
-CONFIG_NET_VENDOR_DEC=y
-# CONFIG_NET_TULIP is not set
-CONFIG_NET_VENDOR_DLINK=y
-# CONFIG_DL2K is not set
-# CONFIG_SUNDANCE is not set
-CONFIG_NET_VENDOR_EMULEX=y
-# CONFIG_BE2NET is not set
-CONFIG_NET_VENDOR_EZCHIP=y
-# CONFIG_EZCHIP_NPS_MANAGEMENT_ENET is not set
-CONFIG_NET_VENDOR_EXAR=y
-# CONFIG_S2IO is not set
-# CONFIG_VXGE is not set
-CONFIG_NET_VENDOR_FUJITSU=y
-# CONFIG_PCMCIA_FMVJ18X is not set
-CONFIG_NET_VENDOR_HP=y
-# CONFIG_HP100 is not set
-CONFIG_NET_VENDOR_HUAWEI=y
-CONFIG_NET_VENDOR_INTEL=y
-# CONFIG_E100 is not set
-# CONFIG_E1000 is not set
-# CONFIG_E1000E is not set
-# CONFIG_IGB is not set
-# CONFIG_IGBVF is not set
-# CONFIG_IXGB is not set
-# CONFIG_IXGBE is not set
-# CONFIG_I40E is not set
-CONFIG_NET_VENDOR_I825XX=y
-# CONFIG_JME is not set
-CONFIG_NET_VENDOR_MARVELL=y
-# CONFIG_MV643XX_ETH is not set
-# CONFIG_MVMDIO is not set
-# CONFIG_MVNETA_BM is not set
-# CONFIG_SKGE is not set
-# CONFIG_SKY2 is not set
-CONFIG_NET_VENDOR_MELLANOX=y
-# CONFIG_MLX4_EN is not set
-# CONFIG_MLX4_CORE is not set
-# CONFIG_MLX5_CORE is not set
-# CONFIG_MLXSW_CORE is not set
-# CONFIG_MLXFW is not set
-CONFIG_NET_VENDOR_MICREL=y
-# CONFIG_KS8851_MLL is not set
-# CONFIG_KSZ884X_PCI is not set
-CONFIG_NET_VENDOR_MYRI=y
-# CONFIG_MYRI10GE is not set
-# CONFIG_FEALNX is not set
-CONFIG_NET_VENDOR_NATSEMI=y
-# CONFIG_NATSEMI is not set
-# CONFIG_NS83820 is not set
-CONFIG_NET_VENDOR_NETRONOME=y
-CONFIG_NET_VENDOR_8390=y
-# CONFIG_PCMCIA_AXNET is not set
-# CONFIG_NE2K_PCI is not set
-# CONFIG_PCMCIA_PCNET is not set
-CONFIG_NET_VENDOR_NVIDIA=y
-# CONFIG_FORCEDETH is not set
-CONFIG_NET_VENDOR_OKI=y
-# CONFIG_ETHOC is not set
-CONFIG_NET_PACKET_ENGINE=y
-# CONFIG_HAMACHI is not set
-# CONFIG_YELLOWFIN is not set
-CONFIG_NET_VENDOR_QLOGIC=y
-# CONFIG_QLA3XXX is not set
-# CONFIG_QLCNIC is not set
-# CONFIG_QLGE is not set
-# CONFIG_NETXEN_NIC is not set
-# CONFIG_QED is not set
-CONFIG_NET_VENDOR_QUALCOMM=y
-# CONFIG_QCOM_EMAC is not set
-# CONFIG_RMNET is not set
-CONFIG_NET_VENDOR_REALTEK=y
-# CONFIG_8139CP is not set
-# CONFIG_8139TOO is not set
-# CONFIG_R8169 is not set
-CONFIG_NET_VENDOR_RENESAS=y
-CONFIG_NET_VENDOR_RDC=y
-# CONFIG_R6040 is not set
-CONFIG_NET_VENDOR_ROCKER=y
-CONFIG_NET_VENDOR_SAMSUNG=y
-# CONFIG_SXGBE_ETH is not set
-CONFIG_NET_VENDOR_SEEQ=y
-CONFIG_NET_VENDOR_SILAN=y
-# CONFIG_SC92031 is not set
-CONFIG_NET_VENDOR_SIS=y
-# CONFIG_SIS900 is not set
-# CONFIG_SIS190 is not set
-CONFIG_NET_VENDOR_SOLARFLARE=y
-# CONFIG_SFC is not set
-# CONFIG_SFC_FALCON is not set
-CONFIG_NET_VENDOR_SMSC=y
-# CONFIG_PCMCIA_SMC91C92 is not set
-# CONFIG_EPIC100 is not set
-# CONFIG_SMSC911X is not set
-# CONFIG_SMSC9420 is not set
-CONFIG_NET_VENDOR_STMICRO=y
-# CONFIG_STMMAC_ETH is not set
-CONFIG_NET_VENDOR_SUN=y
-# CONFIG_HAPPYMEAL is not set
-CONFIG_SUNGEM=y
-# CONFIG_CASSINI is not set
-# CONFIG_NIU is not set
-CONFIG_NET_VENDOR_TEHUTI=y
-# CONFIG_TEHUTI is not set
-CONFIG_NET_VENDOR_TI=y
-# CONFIG_TI_CPSW_ALE is not set
-# CONFIG_TLAN is not set
-CONFIG_NET_VENDOR_VIA=y
-# CONFIG_VIA_RHINE is not set
-# CONFIG_VIA_VELOCITY is not set
-CONFIG_NET_VENDOR_WIZNET=y
-# CONFIG_WIZNET_W5100 is not set
-# CONFIG_WIZNET_W5300 is not set
-CONFIG_NET_VENDOR_XILINX=y
-# CONFIG_XILINX_EMACLITE is not set
-# CONFIG_XILINX_LL_TEMAC is not set
-CONFIG_NET_VENDOR_XIRCOM=y
-# CONFIG_PCMCIA_XIRC2PS is not set
-CONFIG_NET_VENDOR_SYNOPSYS=y
-# CONFIG_DWC_XLGMAC is not set
-# CONFIG_FDDI is not set
-# CONFIG_HIPPI is not set
-CONFIG_MDIO_DEVICE=m
-CONFIG_MDIO_BUS=m
-# CONFIG_MDIO_BCM_UNIMAC is not set
-# CONFIG_MDIO_BITBANG is not set
-# CONFIG_MDIO_BUS_MUX_MMIOREG is not set
-# CONFIG_MDIO_HISI_FEMAC is not set
-CONFIG_PHYLIB=m
-CONFIG_SWPHY=y
-# CONFIG_LED_TRIGGER_PHY is not set
-
-#
-# MII PHY device drivers
-#
-# CONFIG_AMD_PHY is not set
-# CONFIG_AQUANTIA_PHY is not set
-# CONFIG_AT803X_PHY is not set
-# CONFIG_BCM7XXX_PHY is not set
-# CONFIG_BCM87XX_PHY is not set
-# CONFIG_BROADCOM_PHY is not set
-# CONFIG_CICADA_PHY is not set
-# CONFIG_CORTINA_PHY is not set
-# CONFIG_DAVICOM_PHY is not set
-# CONFIG_DP83848_PHY is not set
-# CONFIG_DP83867_PHY is not set
-CONFIG_FIXED_PHY=m
-# CONFIG_ICPLUS_PHY is not set
-# CONFIG_INTEL_XWAY_PHY is not set
-# CONFIG_LSI_ET1011C_PHY is not set
-# CONFIG_LXT_PHY is not set
-# CONFIG_MARVELL_PHY is not set
-# CONFIG_MARVELL_10G_PHY is not set
-# CONFIG_MICREL_PHY is not set
-# CONFIG_MICROCHIP_PHY is not set
-# CONFIG_MICROSEMI_PHY is not set
-# CONFIG_NATIONAL_PHY is not set
-# CONFIG_QSEMI_PHY is not set
-# CONFIG_REALTEK_PHY is not set
-# CONFIG_ROCKCHIP_PHY is not set
-# CONFIG_SMSC_PHY is not set
-# CONFIG_STE10XP is not set
-# CONFIG_TERANETICS_PHY is not set
-# CONFIG_VITESSE_PHY is not set
-# CONFIG_XILINX_GMII2RGMII is not set
-CONFIG_PPP=y
-CONFIG_PPP_BSDCOMP=m
-CONFIG_PPP_DEFLATE=y
-# CONFIG_PPP_FILTER is not set
-# CONFIG_PPP_MPPE is not set
-CONFIG_PPP_MULTILINK=y
-# CONFIG_PPPOE is not set
-CONFIG_PPP_ASYNC=y
-CONFIG_PPP_SYNC_TTY=m
-# CONFIG_SLIP is not set
-CONFIG_SLHC=y
-CONFIG_USB_NET_DRIVERS=y
-# CONFIG_USB_CATC is not set
-# CONFIG_USB_KAWETH is not set
-# CONFIG_USB_PEGASUS is not set
-# CONFIG_USB_RTL8150 is not set
-# CONFIG_USB_RTL8152 is not set
-# CONFIG_USB_LAN78XX is not set
-CONFIG_USB_USBNET=m
-CONFIG_USB_NET_AX8817X=m
-CONFIG_USB_NET_AX88179_178A=m
-CONFIG_USB_NET_CDCETHER=m
-# CONFIG_USB_NET_CDC_EEM is not set
-CONFIG_USB_NET_CDC_NCM=m
-# CONFIG_USB_NET_HUAWEI_CDC_NCM is not set
-# CONFIG_USB_NET_CDC_MBIM is not set
-# CONFIG_USB_NET_DM9601 is not set
-# CONFIG_USB_NET_SR9700 is not set
-# CONFIG_USB_NET_SR9800 is not set
-# CONFIG_USB_NET_SMSC75XX is not set
-# CONFIG_USB_NET_SMSC95XX is not set
-# CONFIG_USB_NET_GL620A is not set
-CONFIG_USB_NET_NET1080=m
-# CONFIG_USB_NET_PLUSB is not set
-# CONFIG_USB_NET_MCS7830 is not set
-# CONFIG_USB_NET_RNDIS_HOST is not set
-# CONFIG_USB_NET_CDC_SUBSET is not set
-CONFIG_USB_NET_ZAURUS=m
-# CONFIG_USB_NET_CX82310_ETH is not set
-# CONFIG_USB_NET_KALMIA is not set
-# CONFIG_USB_NET_QMI_WWAN is not set
-# CONFIG_USB_NET_INT51X1 is not set
-# CONFIG_USB_IPHETH is not set
-# CONFIG_USB_SIERRA_NET is not set
-# CONFIG_USB_VL600 is not set
-# CONFIG_USB_NET_CH9200 is not set
-CONFIG_WLAN=y
-CONFIG_WLAN_VENDOR_ADMTEK=y
-# CONFIG_ADM8211 is not set
-CONFIG_WLAN_VENDOR_ATH=y
-# CONFIG_ATH_DEBUG is not set
-# CONFIG_ATH5K is not set
-# CONFIG_ATH5K_PCI is not set
-# CONFIG_ATH9K is not set
-# CONFIG_ATH9K_HTC is not set
-# CONFIG_CARL9170 is not set
-# CONFIG_ATH6KL is not set
-# CONFIG_AR5523 is not set
-# CONFIG_WIL6210 is not set
-# CONFIG_ATH10K is not set
-# CONFIG_WCN36XX is not set
-CONFIG_WLAN_VENDOR_ATMEL=y
-# CONFIG_ATMEL is not set
-# CONFIG_AT76C50X_USB is not set
-CONFIG_WLAN_VENDOR_BROADCOM=y
-CONFIG_B43=m
-CONFIG_B43_BCMA=y
-CONFIG_B43_SSB=y
-CONFIG_B43_BUSES_BCMA_AND_SSB=y
-# CONFIG_B43_BUSES_BCMA is not set
-# CONFIG_B43_BUSES_SSB is not set
-CONFIG_B43_PCI_AUTOSELECT=y
-CONFIG_B43_PCICORE_AUTOSELECT=y
-CONFIG_B43_BCMA_PIO=y
-CONFIG_B43_PIO=y
-CONFIG_B43_PHY_G=y
-CONFIG_B43_PHY_N=y
-CONFIG_B43_PHY_LP=y
-CONFIG_B43_PHY_HT=y
-CONFIG_B43_LEDS=y
-CONFIG_B43_HWRNG=y
-# CONFIG_B43_DEBUG is not set
-CONFIG_B43LEGACY=m
-CONFIG_B43LEGACY_PCI_AUTOSELECT=y
-CONFIG_B43LEGACY_PCICORE_AUTOSELECT=y
-CONFIG_B43LEGACY_LEDS=y
-CONFIG_B43LEGACY_HWRNG=y
-CONFIG_B43LEGACY_DEBUG=y
-CONFIG_B43LEGACY_DMA=y
-CONFIG_B43LEGACY_PIO=y
-CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
-# CONFIG_B43LEGACY_DMA_MODE is not set
-# CONFIG_B43LEGACY_PIO_MODE is not set
-# CONFIG_BRCMSMAC is not set
-# CONFIG_BRCMFMAC is not set
-CONFIG_WLAN_VENDOR_CISCO=y
-# CONFIG_AIRO is not set
-# CONFIG_AIRO_CS is not set
-CONFIG_WLAN_VENDOR_INTEL=y
-# CONFIG_IPW2100 is not set
-# CONFIG_IPW2200 is not set
-# CONFIG_IWL4965 is not set
-# CONFIG_IWL3945 is not set
-# CONFIG_IWLWIFI is not set
-CONFIG_WLAN_VENDOR_INTERSIL=y
-# CONFIG_HOSTAP is not set
-# CONFIG_HERMES is not set
-CONFIG_P54_COMMON=m
-# CONFIG_P54_USB is not set
-# CONFIG_P54_PCI is not set
-CONFIG_P54_LEDS=y
-CONFIG_PRISM54=m
-CONFIG_WLAN_VENDOR_MARVELL=y
-# CONFIG_LIBERTAS is not set
-# CONFIG_LIBERTAS_THINFIRM is not set
-# CONFIG_MWIFIEX is not set
-# CONFIG_MWL8K is not set
-CONFIG_WLAN_VENDOR_MEDIATEK=y
-# CONFIG_MT7601U is not set
-CONFIG_WLAN_VENDOR_RALINK=y
-# CONFIG_RT2X00 is not set
-CONFIG_WLAN_VENDOR_REALTEK=y
-# CONFIG_RTL8180 is not set
-# CONFIG_RTL8187 is not set
-CONFIG_RTL_CARDS=m
-# CONFIG_RTL8192CE is not set
-# CONFIG_RTL8192SE is not set
-# CONFIG_RTL8192DE is not set
-# CONFIG_RTL8723AE is not set
-# CONFIG_RTL8723BE is not set
-# CONFIG_RTL8188EE is not set
-# CONFIG_RTL8192EE is not set
-# CONFIG_RTL8821AE is not set
-# CONFIG_RTL8192CU is not set
-# CONFIG_RTL8XXXU is not set
-CONFIG_WLAN_VENDOR_RSI=y
-# CONFIG_RSI_91X is not set
-CONFIG_WLAN_VENDOR_ST=y
-# CONFIG_CW1200 is not set
-CONFIG_WLAN_VENDOR_TI=y
-# CONFIG_WL1251 is not set
-# CONFIG_WL12XX is not set
-# CONFIG_WL18XX is not set
-# CONFIG_WLCORE is not set
-CONFIG_WLAN_VENDOR_ZYDAS=y
-# CONFIG_USB_ZD1201 is not set
-# CONFIG_ZD1211RW is not set
-CONFIG_WLAN_VENDOR_QUANTENNA=y
-# CONFIG_QTNFMAC_PEARL_PCIE is not set
-# CONFIG_PCMCIA_RAYCS is not set
-# CONFIG_PCMCIA_WL3501 is not set
-# CONFIG_MAC80211_HWSIM is not set
-# CONFIG_USB_NET_RNDIS_WLAN is not set
-
-#
-# Enable WiMAX (Networking options) to see the WiMAX drivers
-#
-# CONFIG_WAN is not set
-# CONFIG_VMXNET3 is not set
-# CONFIG_ISDN is not set
-# CONFIG_NVM is not set
-
-#
-# Input device support
-#
-CONFIG_INPUT=y
-CONFIG_INPUT_LEDS=y
-# CONFIG_INPUT_FF_MEMLESS is not set
-# CONFIG_INPUT_POLLDEV is not set
-# CONFIG_INPUT_SPARSEKMAP is not set
-# CONFIG_INPUT_MATRIXKMAP is not set
-
-#
-# Userland interfaces
-#
-CONFIG_INPUT_MOUSEDEV=y
-CONFIG_INPUT_MOUSEDEV_PSAUX=y
-CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
-CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
-# CONFIG_INPUT_JOYDEV is not set
-CONFIG_INPUT_EVDEV=y
-# CONFIG_INPUT_EVBUG is not set
-
-#
-# Input Device Drivers
-#
-CONFIG_INPUT_KEYBOARD=y
-# CONFIG_KEYBOARD_ADP5588 is not set
-# CONFIG_KEYBOARD_ADP5589 is not set
-# CONFIG_KEYBOARD_ATKBD is not set
-# CONFIG_KEYBOARD_QT1070 is not set
-# CONFIG_KEYBOARD_QT2160 is not set
-# CONFIG_KEYBOARD_DLINK_DIR685 is not set
-# CONFIG_KEYBOARD_LKKBD is not set
-# CONFIG_KEYBOARD_TCA6416 is not set
-# CONFIG_KEYBOARD_TCA8418 is not set
-# CONFIG_KEYBOARD_LM8323 is not set
-# CONFIG_KEYBOARD_LM8333 is not set
-# CONFIG_KEYBOARD_MAX7359 is not set
-# CONFIG_KEYBOARD_MCS is not set
-# CONFIG_KEYBOARD_MPR121 is not set
-# CONFIG_KEYBOARD_NEWTON is not set
-# CONFIG_KEYBOARD_OPENCORES is not set
-# CONFIG_KEYBOARD_STOWAWAY is not set
-# CONFIG_KEYBOARD_SUNKBD is not set
-# CONFIG_KEYBOARD_OMAP4 is not set
-# CONFIG_KEYBOARD_TM2_TOUCHKEY is not set
-# CONFIG_KEYBOARD_XTKBD is not set
-# CONFIG_KEYBOARD_CAP11XX is not set
-CONFIG_INPUT_MOUSE=y
-# CONFIG_MOUSE_PS2 is not set
-# CONFIG_MOUSE_SERIAL is not set
-CONFIG_MOUSE_APPLETOUCH=y
-# CONFIG_MOUSE_BCM5974 is not set
-# CONFIG_MOUSE_CYAPA is not set
-# CONFIG_MOUSE_ELAN_I2C is not set
-# CONFIG_MOUSE_VSXXXAA is not set
-# CONFIG_MOUSE_SYNAPTICS_I2C is not set
-# CONFIG_MOUSE_SYNAPTICS_USB is not set
-# CONFIG_INPUT_JOYSTICK is not set
-# CONFIG_INPUT_TABLET is not set
-# CONFIG_INPUT_TOUCHSCREEN is not set
-# CONFIG_INPUT_MISC is not set
-# CONFIG_RMI4_CORE is not set
-
-#
-# Hardware I/O ports
-#
-CONFIG_SERIO=y
-CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
-# CONFIG_SERIO_I8042 is not set
-# CONFIG_SERIO_SERPORT is not set
-# CONFIG_SERIO_PCIPS2 is not set
-# CONFIG_SERIO_LIBPS2 is not set
-# CONFIG_SERIO_RAW is not set
-# CONFIG_SERIO_XILINX_XPS_PS2 is not set
-# CONFIG_SERIO_ALTERA_PS2 is not set
-# CONFIG_SERIO_PS2MULT is not set
-# CONFIG_SERIO_ARC_PS2 is not set
-# CONFIG_SERIO_APBPS2 is not set
-# CONFIG_USERIO is not set
-# CONFIG_GAMEPORT is not set
-
-#
-# Character devices
-#
-CONFIG_TTY=y
-CONFIG_VT=y
-CONFIG_CONSOLE_TRANSLATIONS=y
-CONFIG_VT_CONSOLE=y
-CONFIG_VT_CONSOLE_SLEEP=y
-CONFIG_HW_CONSOLE=y
-CONFIG_VT_HW_CONSOLE_BINDING=y
-CONFIG_UNIX98_PTYS=y
-CONFIG_LEGACY_PTYS=y
-CONFIG_LEGACY_PTY_COUNT=256
-# CONFIG_SERIAL_NONSTANDARD is not set
-# CONFIG_NOZOMI is not set
-# CONFIG_N_GSM is not set
-# CONFIG_TRACE_SINK is not set
-# CONFIG_PPC_EPAPR_HV_BYTECHAN is not set
-CONFIG_DEVMEM=y
-CONFIG_DEVKMEM=y
-
-#
-# Serial drivers
-#
-CONFIG_SERIAL_8250=m
-CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y
-# CONFIG_SERIAL_8250_FINTEK is not set
-CONFIG_SERIAL_8250_PCI=m
-CONFIG_SERIAL_8250_EXAR=m
-# CONFIG_SERIAL_8250_CS is not set
-CONFIG_SERIAL_8250_NR_UARTS=4
-CONFIG_SERIAL_8250_RUNTIME_UARTS=4
-# CONFIG_SERIAL_8250_EXTENDED is not set
-# CONFIG_SERIAL_8250_ASPEED_VUART is not set
-# CONFIG_SERIAL_8250_DW is not set
-# CONFIG_SERIAL_8250_RT288X is not set
-# CONFIG_SERIAL_8250_MOXA is not set
-# CONFIG_SERIAL_OF_PLATFORM is not set
-
-#
-# Non-8250 serial port support
-#
-# CONFIG_SERIAL_UARTLITE is not set
-CONFIG_SERIAL_CORE=m
-CONFIG_SERIAL_PMACZILOG=m
-CONFIG_SERIAL_PMACZILOG_TTYS=y
-# CONFIG_SERIAL_JSM is not set
-# CONFIG_SERIAL_SCCNXP is not set
-# CONFIG_SERIAL_SC16IS7XX is not set
-# CONFIG_SERIAL_ALTERA_JTAGUART is not set
-# CONFIG_SERIAL_ALTERA_UART is not set
-# CONFIG_SERIAL_XILINX_PS_UART is not set
-# CONFIG_SERIAL_ARC is not set
-# CONFIG_SERIAL_RP2 is not set
-# CONFIG_SERIAL_FSL_LPUART is not set
-# CONFIG_SERIAL_CONEXANT_DIGICOLOR is not set
-# CONFIG_SERIAL_DEV_BUS is not set
-# CONFIG_HVC_UDBG is not set
-# CONFIG_IPMI_HANDLER is not set
-CONFIG_HW_RANDOM=m
-# CONFIG_HW_RANDOM_TIMERIOMEM is not set
-CONFIG_NVRAM=y
-# CONFIG_R3964 is not set
-# CONFIG_APPLICOM is not set
-
-#
-# PCMCIA character devices
-#
-# CONFIG_SYNCLINK_CS is not set
-# CONFIG_CARDMAN_4000 is not set
-# CONFIG_CARDMAN_4040 is not set
-# CONFIG_SCR24X is not set
-# CONFIG_IPWIRELESS is not set
-# CONFIG_RAW_DRIVER is not set
-# CONFIG_TCG_TPM is not set
-CONFIG_DEVPORT=y
-# CONFIG_XILLYBUS is not set
-
-#
-# I2C support
-#
-CONFIG_I2C=y
-CONFIG_I2C_BOARDINFO=y
-CONFIG_I2C_COMPAT=y
-CONFIG_I2C_CHARDEV=m
-# CONFIG_I2C_MUX is not set
-CONFIG_I2C_HELPER_AUTO=y
-CONFIG_I2C_ALGOBIT=y
-
-#
-# I2C Hardware Bus support
-#
-
-#
-# PC SMBus host controller drivers
-#
-# CONFIG_I2C_ALI1535 is not set
-# CONFIG_I2C_ALI1563 is not set
-# CONFIG_I2C_ALI15X3 is not set
-# CONFIG_I2C_AMD756 is not set
-# CONFIG_I2C_AMD8111 is not set
-# CONFIG_I2C_I801 is not set
-# CONFIG_I2C_ISCH is not set
-# CONFIG_I2C_PIIX4 is not set
-# CONFIG_I2C_NFORCE2 is not set
-# CONFIG_I2C_SIS5595 is not set
-# CONFIG_I2C_SIS630 is not set
-# CONFIG_I2C_SIS96X is not set
-# CONFIG_I2C_VIA is not set
-# CONFIG_I2C_VIAPRO is not set
-
-#
-# Mac SMBus host controller drivers
-#
-CONFIG_I2C_POWERMAC=y
-
-#
-# I2C system bus drivers (mostly embedded / system-on-chip)
-#
-# CONFIG_I2C_DESIGNWARE_PLATFORM is not set
-# CONFIG_I2C_DESIGNWARE_PCI is not set
-# CONFIG_I2C_MPC is not set
-# CONFIG_I2C_OCORES is not set
-# CONFIG_I2C_PCA_PLATFORM is not set
-# CONFIG_I2C_PXA_PCI is not set
-# CONFIG_I2C_SIMTEC is not set
-# CONFIG_I2C_XILINX is not set
-
-#
-# External I2C/SMBus adapter drivers
-#
-# CONFIG_I2C_DIOLAN_U2C is not set
-# CONFIG_I2C_PARPORT_LIGHT is not set
-# CONFIG_I2C_ROBOTFUZZ_OSIF is not set
-# CONFIG_I2C_TAOS_EVM is not set
-# CONFIG_I2C_TINY_USB is not set
-
-#
-# Other I2C/SMBus bus drivers
-#
-# CONFIG_I2C_STUB is not set
-# CONFIG_I2C_SLAVE is not set
-# CONFIG_I2C_DEBUG_CORE is not set
-# CONFIG_I2C_DEBUG_ALGO is not set
-# CONFIG_I2C_DEBUG_BUS is not set
-# CONFIG_SPI is not set
-# CONFIG_SPMI is not set
-# CONFIG_HSI is not set
-# CONFIG_PPS is not set
-
-#
-# PTP clock support
-#
-# CONFIG_PTP_1588_CLOCK is not set
-
-#
-# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
-#
-# CONFIG_GPIOLIB is not set
-# CONFIG_W1 is not set
-# CONFIG_POWER_AVS is not set
-# CONFIG_POWER_RESET is not set
-CONFIG_POWER_SUPPLY=y
-# CONFIG_POWER_SUPPLY_DEBUG is not set
-# CONFIG_PDA_POWER is not set
-CONFIG_APM_POWER=y
-# CONFIG_TEST_POWER is not set
-# CONFIG_BATTERY_DS2780 is not set
-# CONFIG_BATTERY_DS2781 is not set
-# CONFIG_BATTERY_DS2782 is not set
-CONFIG_BATTERY_PMU=y
-# CONFIG_BATTERY_SBS is not set
-# CONFIG_CHARGER_SBS is not set
-# CONFIG_BATTERY_BQ27XXX is not set
-# CONFIG_BATTERY_MAX17040 is not set
-# CONFIG_BATTERY_MAX17042 is not set
-# CONFIG_CHARGER_MAX8903 is not set
-# CONFIG_CHARGER_LP8727 is not set
-# CONFIG_CHARGER_DETECTOR_MAX14656 is not set
-# CONFIG_CHARGER_BQ2415X is not set
-# CONFIG_CHARGER_SMB347 is not set
-# CONFIG_BATTERY_GAUGE_LTC2941 is not set
-CONFIG_HWMON=m
-# CONFIG_HWMON_VID is not set
-# CONFIG_HWMON_DEBUG_CHIP is not set
-
-#
-# Native drivers
-#
-# CONFIG_SENSORS_AD7414 is not set
-# CONFIG_SENSORS_AD7418 is not set
-# CONFIG_SENSORS_ADM1021 is not set
-# CONFIG_SENSORS_ADM1025 is not set
-# CONFIG_SENSORS_ADM1026 is not set
-# CONFIG_SENSORS_ADM1029 is not set
-# CONFIG_SENSORS_ADM1031 is not set
-# CONFIG_SENSORS_ADM9240 is not set
-# CONFIG_SENSORS_ADT7410 is not set
-# CONFIG_SENSORS_ADT7411 is not set
-# CONFIG_SENSORS_ADT7462 is not set
-# CONFIG_SENSORS_ADT7470 is not set
-# CONFIG_SENSORS_ADT7475 is not set
-# CONFIG_SENSORS_ASC7621 is not set
-# CONFIG_SENSORS_ASPEED is not set
-# CONFIG_SENSORS_ATXP1 is not set
-# CONFIG_SENSORS_DS620 is not set
-# CONFIG_SENSORS_DS1621 is not set
-# CONFIG_SENSORS_I5K_AMB is not set
-# CONFIG_SENSORS_F75375S is not set
-# CONFIG_SENSORS_GL518SM is not set
-# CONFIG_SENSORS_GL520SM is not set
-# CONFIG_SENSORS_G760A is not set
-# CONFIG_SENSORS_G762 is not set
-# CONFIG_SENSORS_HIH6130 is not set
-# CONFIG_SENSORS_JC42 is not set
-# CONFIG_SENSORS_POWR1220 is not set
-# CONFIG_SENSORS_LINEAGE is not set
-# CONFIG_SENSORS_LTC2945 is not set
-# CONFIG_SENSORS_LTC2990 is not set
-# CONFIG_SENSORS_LTC4151 is not set
-# CONFIG_SENSORS_LTC4215 is not set
-# CONFIG_SENSORS_LTC4222 is not set
-# CONFIG_SENSORS_LTC4245 is not set
-# CONFIG_SENSORS_LTC4260 is not set
-# CONFIG_SENSORS_LTC4261 is not set
-# CONFIG_SENSORS_MAX16065 is not set
-# CONFIG_SENSORS_MAX1619 is not set
-# CONFIG_SENSORS_MAX1668 is not set
-# CONFIG_SENSORS_MAX197 is not set
-# CONFIG_SENSORS_MAX6639 is not set
-# CONFIG_SENSORS_MAX6642 is not set
-# CONFIG_SENSORS_MAX6650 is not set
-# CONFIG_SENSORS_MAX6697 is not set
-# CONFIG_SENSORS_MAX31790 is not set
-# CONFIG_SENSORS_MCP3021 is not set
-# CONFIG_SENSORS_TC654 is not set
-# CONFIG_SENSORS_LM63 is not set
-# CONFIG_SENSORS_LM73 is not set
-# CONFIG_SENSORS_LM75 is not set
-# CONFIG_SENSORS_LM77 is not set
-# CONFIG_SENSORS_LM78 is not set
-# CONFIG_SENSORS_LM80 is not set
-# CONFIG_SENSORS_LM83 is not set
-# CONFIG_SENSORS_LM85 is not set
-# CONFIG_SENSORS_LM87 is not set
-# CONFIG_SENSORS_LM90 is not set
-# CONFIG_SENSORS_LM92 is not set
-# CONFIG_SENSORS_LM93 is not set
-# CONFIG_SENSORS_LM95234 is not set
-# CONFIG_SENSORS_LM95241 is not set
-# CONFIG_SENSORS_LM95245 is not set
-# CONFIG_SENSORS_NTC_THERMISTOR is not set
-# CONFIG_SENSORS_NCT7802 is not set
-# CONFIG_SENSORS_NCT7904 is not set
-# CONFIG_SENSORS_PCF8591 is not set
-# CONFIG_PMBUS is not set
-# CONFIG_SENSORS_SHT21 is not set
-# CONFIG_SENSORS_SHT3x is not set
-# CONFIG_SENSORS_SHTC1 is not set
-# CONFIG_SENSORS_SIS5595 is not set
-# CONFIG_SENSORS_EMC1403 is not set
-# CONFIG_SENSORS_EMC2103 is not set
-# CONFIG_SENSORS_EMC6W201 is not set
-# CONFIG_SENSORS_SMSC47M192 is not set
-# CONFIG_SENSORS_SCH56XX_COMMON is not set
-# CONFIG_SENSORS_STTS751 is not set
-# CONFIG_SENSORS_SMM665 is not set
-# CONFIG_SENSORS_ADC128D818 is not set
-# CONFIG_SENSORS_ADS1015 is not set
-# CONFIG_SENSORS_ADS7828 is not set
-# CONFIG_SENSORS_AMC6821 is not set
-# CONFIG_SENSORS_INA209 is not set
-# CONFIG_SENSORS_INA2XX is not set
-# CONFIG_SENSORS_INA3221 is not set
-# CONFIG_SENSORS_TC74 is not set
-# CONFIG_SENSORS_THMC50 is not set
-# CONFIG_SENSORS_TMP102 is not set
-# CONFIG_SENSORS_TMP103 is not set
-# CONFIG_SENSORS_TMP108 is not set
-# CONFIG_SENSORS_TMP401 is not set
-# CONFIG_SENSORS_TMP421 is not set
-# CONFIG_SENSORS_VIA686A is not set
-# CONFIG_SENSORS_VT8231 is not set
-# CONFIG_SENSORS_W83781D is not set
-# CONFIG_SENSORS_W83791D is not set
-# CONFIG_SENSORS_W83792D is not set
-# CONFIG_SENSORS_W83793 is not set
-# CONFIG_SENSORS_W83795 is not set
-# CONFIG_SENSORS_W83L785TS is not set
-# CONFIG_SENSORS_W83L786NG is not set
-# CONFIG_THERMAL is not set
-# CONFIG_WATCHDOG is not set
-CONFIG_SSB_POSSIBLE=y
-
-#
-# Sonics Silicon Backplane
-#
-CONFIG_SSB=m
-CONFIG_SSB_SPROM=y
-CONFIG_SSB_BLOCKIO=y
-CONFIG_SSB_PCIHOST_POSSIBLE=y
-CONFIG_SSB_PCIHOST=y
-CONFIG_SSB_B43_PCI_BRIDGE=y
-CONFIG_SSB_PCMCIAHOST_POSSIBLE=y
-# CONFIG_SSB_PCMCIAHOST is not set
-# CONFIG_SSB_DEBUG is not set
-CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y
-CONFIG_SSB_DRIVER_PCICORE=y
-CONFIG_BCMA_POSSIBLE=y
-CONFIG_BCMA=m
-CONFIG_BCMA_BLOCKIO=y
-CONFIG_BCMA_HOST_PCI_POSSIBLE=y
-CONFIG_BCMA_HOST_PCI=y
-# CONFIG_BCMA_HOST_SOC is not set
-CONFIG_BCMA_DRIVER_PCI=y
-# CONFIG_BCMA_DRIVER_GMAC_CMN is not set
-# CONFIG_BCMA_DEBUG is not set
-
-#
-# Multifunction device drivers
-#
-# CONFIG_MFD_CORE is not set
-# CONFIG_MFD_ACT8945A is not set
-# CONFIG_MFD_AS3711 is not set
-# CONFIG_MFD_AS3722 is not set
-# CONFIG_PMIC_ADP5520 is not set
-# CONFIG_MFD_ATMEL_FLEXCOM is not set
-# CONFIG_MFD_ATMEL_HLCDC is not set
-# CONFIG_MFD_BCM590XX is not set
-# CONFIG_MFD_BD9571MWV is not set
-# CONFIG_MFD_AXP20X_I2C is not set
-# CONFIG_PMIC_DA903X is not set
-# CONFIG_MFD_DA9052_I2C is not set
-# CONFIG_MFD_DA9055 is not set
-# CONFIG_MFD_DA9062 is not set
-# CONFIG_MFD_DA9063 is not set
-# CONFIG_MFD_DA9150 is not set
-# CONFIG_MFD_DLN2 is not set
-# CONFIG_MFD_MC13XXX_I2C is not set
-# CONFIG_MFD_HI6421_PMIC is not set
-# CONFIG_HTC_PASIC3 is not set
-# CONFIG_LPC_ICH is not set
-# CONFIG_LPC_SCH is not set
-# CONFIG_MFD_JANZ_CMODIO is not set
-# CONFIG_MFD_KEMPLD is not set
-# CONFIG_MFD_88PM800 is not set
-# CONFIG_MFD_88PM805 is not set
-# CONFIG_MFD_88PM860X is not set
-# CONFIG_MFD_MAX14577 is not set
-# CONFIG_MFD_MAX77620 is not set
-# CONFIG_MFD_MAX77686 is not set
-# CONFIG_MFD_MAX77693 is not set
-# CONFIG_MFD_MAX77843 is not set
-# CONFIG_MFD_MAX8907 is not set
-# CONFIG_MFD_MAX8925 is not set
-# CONFIG_MFD_MAX8997 is not set
-# CONFIG_MFD_MAX8998 is not set
-# CONFIG_MFD_MT6397 is not set
-# CONFIG_MFD_MENF21BMC is not set
-# CONFIG_MFD_VIPERBOARD is not set
-# CONFIG_MFD_RETU is not set
-# CONFIG_MFD_PCF50633 is not set
-# CONFIG_MFD_RDC321X is not set
-# CONFIG_MFD_RTSX_PCI is not set
-# CONFIG_MFD_RT5033 is not set
-# CONFIG_MFD_RTSX_USB is not set
-# CONFIG_MFD_RC5T583 is not set
-# CONFIG_MFD_RK808 is not set
-# CONFIG_MFD_RN5T618 is not set
-# CONFIG_MFD_SEC_CORE is not set
-# CONFIG_MFD_SI476X_CORE is not set
-# CONFIG_MFD_SM501 is not set
-# CONFIG_MFD_SKY81452 is not set
-# CONFIG_MFD_SMSC is not set
-# CONFIG_ABX500_CORE is not set
-# CONFIG_MFD_STMPE is not set
-# CONFIG_MFD_SYSCON is not set
-# CONFIG_MFD_TI_AM335X_TSCADC is not set
-# CONFIG_MFD_LP3943 is not set
-# CONFIG_MFD_LP8788 is not set
-# CONFIG_MFD_TI_LMU is not set
-# CONFIG_MFD_PALMAS is not set
-# CONFIG_TPS6105X is not set
-# CONFIG_TPS6507X is not set
-# CONFIG_MFD_TPS65086 is not set
-# CONFIG_MFD_TPS65090 is not set
-# CONFIG_MFD_TPS65217 is not set
-# CONFIG_MFD_TI_LP873X is not set
-# CONFIG_MFD_TI_LP87565 is not set
-# CONFIG_MFD_TPS65218 is not set
-# CONFIG_MFD_TPS6586X is not set
-# CONFIG_MFD_TPS65912_I2C is not set
-# CONFIG_MFD_TPS80031 is not set
-# CONFIG_TWL4030_CORE is not set
-# CONFIG_TWL6040_CORE is not set
-# CONFIG_MFD_WL1273_CORE is not set
-# CONFIG_MFD_LM3533 is not set
-# CONFIG_MFD_TC3589X is not set
-# CONFIG_MFD_TMIO is not set
-# CONFIG_MFD_VX855 is not set
-# CONFIG_MFD_ARIZONA_I2C is not set
-# CONFIG_MFD_WM8400 is not set
-# CONFIG_MFD_WM831X_I2C is not set
-# CONFIG_MFD_WM8350_I2C is not set
-# CONFIG_MFD_WM8994 is not set
-# CONFIG_REGULATOR is not set
-CONFIG_RC_CORE=y
-CONFIG_RC_MAP=y
-CONFIG_RC_DECODERS=y
-# CONFIG_LIRC is not set
-CONFIG_IR_NEC_DECODER=y
-CONFIG_IR_RC5_DECODER=y
-CONFIG_IR_RC6_DECODER=y
-CONFIG_IR_JVC_DECODER=y
-CONFIG_IR_SONY_DECODER=y
-CONFIG_IR_SANYO_DECODER=y
-CONFIG_IR_SHARP_DECODER=y
-CONFIG_IR_MCE_KBD_DECODER=y
-CONFIG_IR_XMP_DECODER=y
-# CONFIG_RC_DEVICES is not set
-# CONFIG_MEDIA_SUPPORT is not set
-
-#
-# Graphics support
-#
-CONFIG_AGP=m
-CONFIG_AGP_UNINORTH=m
-CONFIG_VGA_ARB=y
-CONFIG_VGA_ARB_MAX_GPUS=16
-CONFIG_DRM=m
-# CONFIG_DRM_DP_AUX_CHARDEV is not set
-# CONFIG_DRM_DEBUG_MM_SELFTEST is not set
-CONFIG_DRM_KMS_HELPER=m
-CONFIG_DRM_KMS_FB_HELPER=y
-CONFIG_DRM_FBDEV_EMULATION=y
-CONFIG_DRM_FBDEV_OVERALLOC=100
-# CONFIG_DRM_LOAD_EDID_FIRMWARE is not set
-CONFIG_DRM_TTM=m
-
-#
-# I2C encoder or helper chips
-#
-# CONFIG_DRM_I2C_CH7006 is not set
-# CONFIG_DRM_I2C_SIL164 is not set
-# CONFIG_DRM_I2C_NXP_TDA998X is not set
-CONFIG_DRM_RADEON=m
-# CONFIG_DRM_RADEON_USERPTR is not set
-# CONFIG_DRM_AMDGPU is not set
-
-#
-# ACP (Audio CoProcessor) Configuration
-#
-# CONFIG_DRM_NOUVEAU is not set
-# CONFIG_DRM_VGEM is not set
-# CONFIG_DRM_UDL is not set
-# CONFIG_DRM_AST is not set
-# CONFIG_DRM_MGAG200 is not set
-# CONFIG_DRM_CIRRUS_QEMU is not set
-# CONFIG_DRM_RCAR_DW_HDMI is not set
-# CONFIG_DRM_QXL is not set
-# CONFIG_DRM_BOCHS is not set
-CONFIG_DRM_PANEL=y
-
-#
-# Display Panels
-#
-# CONFIG_DRM_PANEL_LVDS is not set
-# CONFIG_DRM_PANEL_SIMPLE is not set
-# CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0 is not set
-CONFIG_DRM_BRIDGE=y
-CONFIG_DRM_PANEL_BRIDGE=y
-
-#
-# Display Interface Bridges
-#
-# CONFIG_DRM_ANALOGIX_ANX78XX is not set
-# CONFIG_DRM_DUMB_VGA_DAC is not set
-# CONFIG_DRM_LVDS_ENCODER is not set
-# CONFIG_DRM_MEGACHIPS_STDPXXXX_GE_B850V3_FW is not set
-# CONFIG_DRM_NXP_PTN3460 is not set
-# CONFIG_DRM_PARADE_PS8622 is not set
-# CONFIG_DRM_SIL_SII8620 is not set
-# CONFIG_DRM_SII902X is not set
-# CONFIG_DRM_TOSHIBA_TC358767 is not set
-# CONFIG_DRM_TI_TFP410 is not set
-# CONFIG_DRM_I2C_ADV7511 is not set
-# CONFIG_DRM_ARCPGU is not set
-# CONFIG_DRM_HISI_HIBMC is not set
-# CONFIG_DRM_TINYDRM is not set
-# CONFIG_DRM_LEGACY is not set
-# CONFIG_DRM_LIB_RANDOM is not set
-
-#
-# Frame buffer Devices
-#
-CONFIG_FB=y
-# CONFIG_FIRMWARE_EDID is not set
-CONFIG_FB_CMDLINE=y
-CONFIG_FB_NOTIFY=y
-CONFIG_FB_DDC=y
-# CONFIG_FB_BOOT_VESA_SUPPORT is not set
-CONFIG_FB_CFB_FILLRECT=y
-CONFIG_FB_CFB_COPYAREA=y
-CONFIG_FB_CFB_IMAGEBLIT=y
-# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set
-CONFIG_FB_SYS_FILLRECT=m
-CONFIG_FB_SYS_COPYAREA=m
-CONFIG_FB_SYS_IMAGEBLIT=m
-# CONFIG_FB_PROVIDE_GET_FB_UNMAPPED_AREA is not set
-# CONFIG_FB_FOREIGN_ENDIAN is not set
-CONFIG_FB_SYS_FOPS=m
-CONFIG_FB_DEFERRED_IO=y
-# CONFIG_FB_SVGALIB is not set
-CONFIG_FB_MACMODES=y
-CONFIG_FB_BACKLIGHT=y
-CONFIG_FB_MODE_HELPERS=y
-CONFIG_FB_TILEBLITTING=y
-
-#
-# Frame buffer hardware drivers
-#
-# CONFIG_FB_CIRRUS is not set
-# CONFIG_FB_PM2 is not set
-# CONFIG_FB_CYBER2000 is not set
-CONFIG_FB_OF=y
-CONFIG_FB_CONTROL=y
-CONFIG_FB_PLATINUM=y
-CONFIG_FB_VALKYRIE=y
-CONFIG_FB_CT65550=y
-# CONFIG_FB_ASILIANT is not set
-CONFIG_FB_IMSTT=y
-# CONFIG_FB_VGA16 is not set
-# CONFIG_FB_UVESA is not set
-# CONFIG_FB_OPENCORES is not set
-# CONFIG_FB_S1D13XXX is not set
-CONFIG_FB_NVIDIA=y
-CONFIG_FB_NVIDIA_I2C=y
-# CONFIG_FB_NVIDIA_DEBUG is not set
-CONFIG_FB_NVIDIA_BACKLIGHT=y
-# CONFIG_FB_RIVA is not set
-# CONFIG_FB_I740 is not set
-CONFIG_FB_MATROX=y
-CONFIG_FB_MATROX_MILLENIUM=y
-CONFIG_FB_MATROX_MYSTIQUE=y
-# CONFIG_FB_MATROX_G is not set
-# CONFIG_FB_MATROX_I2C is not set
-CONFIG_FB_RADEON=y
-CONFIG_FB_RADEON_I2C=y
-CONFIG_FB_RADEON_BACKLIGHT=y
-# CONFIG_FB_RADEON_DEBUG is not set
-CONFIG_FB_ATY128=y
-CONFIG_FB_ATY128_BACKLIGHT=y
-CONFIG_FB_ATY=y
-CONFIG_FB_ATY_CT=y
-# CONFIG_FB_ATY_GENERIC_LCD is not set
-CONFIG_FB_ATY_GX=y
-CONFIG_FB_ATY_BACKLIGHT=y
-# CONFIG_FB_S3 is not set
-# CONFIG_FB_SAVAGE is not set
-# CONFIG_FB_SIS is not set
-# CONFIG_FB_NEOMAGIC is not set
-# CONFIG_FB_KYRO is not set
-CONFIG_FB_3DFX=y
-# CONFIG_FB_3DFX_ACCEL is not set
-CONFIG_FB_3DFX_I2C=y
-# CONFIG_FB_VOODOO1 is not set
-# CONFIG_FB_VT8623 is not set
-# CONFIG_FB_TRIDENT is not set
-# CONFIG_FB_ARK is not set
-# CONFIG_FB_PM3 is not set
-# CONFIG_FB_CARMINE is not set
-# CONFIG_FB_SMSCUFX is not set
-# CONFIG_FB_UDL is not set
-# CONFIG_FB_IBM_GXT4500 is not set
-# CONFIG_FB_VIRTUAL is not set
-# CONFIG_FB_METRONOME is not set
-# CONFIG_FB_MB862XX is not set
-# CONFIG_FB_BROADSHEET is not set
-# CONFIG_FB_AUO_K190X is not set
-# CONFIG_FB_SIMPLE is not set
-# CONFIG_FB_SM712 is not set
-CONFIG_BACKLIGHT_LCD_SUPPORT=y
-CONFIG_LCD_CLASS_DEVICE=m
-# CONFIG_LCD_PLATFORM is not set
-CONFIG_BACKLIGHT_CLASS_DEVICE=y
-CONFIG_BACKLIGHT_GENERIC=y
-# CONFIG_BACKLIGHT_PM8941_WLED is not set
-# CONFIG_BACKLIGHT_ADP8860 is not set
-# CONFIG_BACKLIGHT_ADP8870 is not set
-# CONFIG_BACKLIGHT_LM3639 is not set
-# CONFIG_BACKLIGHT_LV5207LP is not set
-# CONFIG_BACKLIGHT_BD6107 is not set
-# CONFIG_BACKLIGHT_ARCXCNN is not set
-CONFIG_VGASTATE=y
-CONFIG_HDMI=y
-
-#
-# Console display driver support
-#
-# CONFIG_VGA_CONSOLE is not set
-CONFIG_DUMMY_CONSOLE=y
-CONFIG_DUMMY_CONSOLE_COLUMNS=80
-CONFIG_DUMMY_CONSOLE_ROWS=25
-CONFIG_FRAMEBUFFER_CONSOLE=y
-CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
-# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
-CONFIG_LOGO=y
-CONFIG_LOGO_LINUX_MONO=y
-CONFIG_LOGO_LINUX_VGA16=y
-CONFIG_LOGO_LINUX_CLUT224=y
-CONFIG_SOUND=m
-CONFIG_SOUND_OSS_CORE=y
-CONFIG_SOUND_OSS_CORE_PRECLAIM=y
-CONFIG_SND=m
-CONFIG_SND_TIMER=m
-CONFIG_SND_PCM=m
-CONFIG_SND_HWDEP=m
-CONFIG_SND_SEQ_DEVICE=m
-CONFIG_SND_RAWMIDI=m
-CONFIG_SND_OSSEMUL=y
-CONFIG_SND_MIXER_OSS=m
-CONFIG_SND_PCM_OSS=m
-CONFIG_SND_PCM_OSS_PLUGINS=y
-CONFIG_SND_PCM_TIMER=y
-# CONFIG_SND_HRTIMER is not set
-# CONFIG_SND_DYNAMIC_MINORS is not set
-CONFIG_SND_SUPPORT_OLD_API=y
-CONFIG_SND_PROC_FS=y
-CONFIG_SND_VERBOSE_PROCFS=y
-# CONFIG_SND_VERBOSE_PRINTK is not set
-# CONFIG_SND_DEBUG is not set
-CONFIG_SND_VMASTER=y
-CONFIG_SND_SEQUENCER=m
-CONFIG_SND_SEQ_DUMMY=m
-CONFIG_SND_SEQUENCER_OSS=m
-CONFIG_SND_SEQ_MIDI_EVENT=m
-CONFIG_SND_SEQ_MIDI=m
-# CONFIG_SND_OPL3_LIB_SEQ is not set
-# CONFIG_SND_OPL4_LIB_SEQ is not set
-CONFIG_SND_DRIVERS=y
-CONFIG_SND_DUMMY=m
-# CONFIG_SND_ALOOP is not set
-# CONFIG_SND_VIRMIDI is not set
-# CONFIG_SND_MTPAV is not set
-# CONFIG_SND_SERIAL_U16550 is not set
-# CONFIG_SND_MPU401 is not set
-CONFIG_SND_PCI=y
-# CONFIG_SND_AD1889 is not set
-# CONFIG_SND_ALS300 is not set
-# CONFIG_SND_ALS4000 is not set
-# CONFIG_SND_ALI5451 is not set
-# CONFIG_SND_ATIIXP is not set
-# CONFIG_SND_ATIIXP_MODEM is not set
-# CONFIG_SND_AU8810 is not set
-# CONFIG_SND_AU8820 is not set
-# CONFIG_SND_AU8830 is not set
-# CONFIG_SND_AW2 is not set
-# CONFIG_SND_AZT3328 is not set
-# CONFIG_SND_BT87X is not set
-# CONFIG_SND_CA0106 is not set
-# CONFIG_SND_CMIPCI is not set
-# CONFIG_SND_OXYGEN is not set
-# CONFIG_SND_CS4281 is not set
-# CONFIG_SND_CS46XX is not set
-# CONFIG_SND_CTXFI is not set
-# CONFIG_SND_DARLA20 is not set
-# CONFIG_SND_GINA20 is not set
-# CONFIG_SND_LAYLA20 is not set
-# CONFIG_SND_DARLA24 is not set
-# CONFIG_SND_GINA24 is not set
-# CONFIG_SND_LAYLA24 is not set
-# CONFIG_SND_MONA is not set
-# CONFIG_SND_MIA is not set
-# CONFIG_SND_ECHO3G is not set
-# CONFIG_SND_INDIGO is not set
-# CONFIG_SND_INDIGOIO is not set
-# CONFIG_SND_INDIGODJ is not set
-# CONFIG_SND_INDIGOIOX is not set
-# CONFIG_SND_INDIGODJX is not set
-# CONFIG_SND_EMU10K1 is not set
-# CONFIG_SND_EMU10K1_SEQ is not set
-# CONFIG_SND_EMU10K1X is not set
-# CONFIG_SND_ENS1370 is not set
-# CONFIG_SND_ENS1371 is not set
-# CONFIG_SND_ES1938 is not set
-# CONFIG_SND_ES1968 is not set
-# CONFIG_SND_FM801 is not set
-# CONFIG_SND_HDSP is not set
-# CONFIG_SND_HDSPM is not set
-# CONFIG_SND_ICE1712 is not set
-# CONFIG_SND_ICE1724 is not set
-# CONFIG_SND_INTEL8X0 is not set
-# CONFIG_SND_INTEL8X0M is not set
-# CONFIG_SND_KORG1212 is not set
-# CONFIG_SND_LOLA is not set
-# CONFIG_SND_LX6464ES is not set
-# CONFIG_SND_MAESTRO3 is not set
-# CONFIG_SND_MIXART is not set
-# CONFIG_SND_NM256 is not set
-# CONFIG_SND_PCXHR is not set
-# CONFIG_SND_RIPTIDE is not set
-# CONFIG_SND_RME32 is not set
-# CONFIG_SND_RME96 is not set
-# CONFIG_SND_RME9652 is not set
-# CONFIG_SND_SE6X is not set
-# CONFIG_SND_SONICVIBES is not set
-# CONFIG_SND_TRIDENT is not set
-# CONFIG_SND_VIA82XX is not set
-# CONFIG_SND_VIA82XX_MODEM is not set
-# CONFIG_SND_VIRTUOSO is not set
-# CONFIG_SND_VX222 is not set
-# CONFIG_SND_YMFPCI is not set
-
-#
-# HD-Audio
-#
-# CONFIG_SND_HDA_INTEL is not set
-CONFIG_SND_HDA_PREALLOC_SIZE=64
-CONFIG_SND_PPC=y
-CONFIG_SND_POWERMAC=m
-CONFIG_SND_POWERMAC_AUTO_DRC=y
-CONFIG_SND_AOA=m
-CONFIG_SND_AOA_FABRIC_LAYOUT=m
-CONFIG_SND_AOA_ONYX=m
-CONFIG_SND_AOA_TAS=m
-CONFIG_SND_AOA_TOONIE=m
-CONFIG_SND_AOA_SOUNDBUS=m
-CONFIG_SND_AOA_SOUNDBUS_I2S=m
-CONFIG_SND_USB=y
-CONFIG_SND_USB_AUDIO=m
-# CONFIG_SND_USB_UA101 is not set
-# CONFIG_SND_USB_USX2Y is not set
-# CONFIG_SND_USB_CAIAQ is not set
-# CONFIG_SND_USB_6FIRE is not set
-# CONFIG_SND_USB_HIFACE is not set
-# CONFIG_SND_BCD2000 is not set
-# CONFIG_SND_USB_POD is not set
-# CONFIG_SND_USB_PODHD is not set
-# CONFIG_SND_USB_TONEPORT is not set
-# CONFIG_SND_USB_VARIAX is not set
-CONFIG_SND_PCMCIA=y
-# CONFIG_SND_VXPOCKET is not set
-# CONFIG_SND_PDAUDIOCF is not set
-# CONFIG_SND_SOC is not set
-
-#
-# HID support
-#
-CONFIG_HID=y
-# CONFIG_HID_BATTERY_STRENGTH is not set
-# CONFIG_HIDRAW is not set
-# CONFIG_UHID is not set
-CONFIG_HID_GENERIC=y
-
-#
-# Special HID drivers
-#
-CONFIG_HID_A4TECH=y
-# CONFIG_HID_ACCUTOUCH is not set
-# CONFIG_HID_ACRUX is not set
-CONFIG_HID_APPLE=y
-# CONFIG_HID_APPLEIR is not set
-# CONFIG_HID_ASUS is not set
-# CONFIG_HID_AUREAL is not set
-CONFIG_HID_BELKIN=y
-# CONFIG_HID_BETOP_FF is not set
-CONFIG_HID_CHERRY=y
-CONFIG_HID_CHICONY=y
-# CONFIG_HID_CORSAIR is not set
-# CONFIG_HID_PRODIKEYS is not set
-# CONFIG_HID_CMEDIA is not set
-CONFIG_HID_CYPRESS=y
-# CONFIG_HID_DRAGONRISE is not set
-# CONFIG_HID_EMS_FF is not set
-# CONFIG_HID_ELECOM is not set
-# CONFIG_HID_ELO is not set
-CONFIG_HID_EZKEY=y
-# CONFIG_HID_GEMBIRD is not set
-# CONFIG_HID_GFRM is not set
-# CONFIG_HID_HOLTEK is not set
-# CONFIG_HID_GT683R is not set
-# CONFIG_HID_KEYTOUCH is not set
-# CONFIG_HID_KYE is not set
-# CONFIG_HID_UCLOGIC is not set
-# CONFIG_HID_WALTOP is not set
-CONFIG_HID_GYRATION=y
-# CONFIG_HID_ICADE is not set
-CONFIG_HID_ITE=y
-# CONFIG_HID_TWINHAN is not set
-CONFIG_HID_KENSINGTON=y
-# CONFIG_HID_LCPOWER is not set
-# CONFIG_HID_LED is not set
-# CONFIG_HID_LENOVO is not set
-CONFIG_HID_LOGITECH=y
-# CONFIG_HID_LOGITECH_HIDPP is not set
-# CONFIG_LOGITECH_FF is not set
-# CONFIG_LOGIRUMBLEPAD2_FF is not set
-# CONFIG_LOGIG940_FF is not set
-# CONFIG_LOGIWHEELS_FF is not set
-# CONFIG_HID_MAGICMOUSE is not set
-# CONFIG_HID_MAYFLASH is not set
-CONFIG_HID_MICROSOFT=y
-CONFIG_HID_MONTEREY=y
-# CONFIG_HID_MULTITOUCH is not set
-# CONFIG_HID_NTI is not set
-CONFIG_HID_NTRIG=y
-# CONFIG_HID_ORTEK is not set
-CONFIG_HID_PANTHERLORD=y
-# CONFIG_PANTHERLORD_FF is not set
-# CONFIG_HID_PENMOUNT is not set
-CONFIG_HID_PETALYNX=y
-# CONFIG_HID_PICOLCD is not set
-# CONFIG_HID_PLANTRONICS is not set
-# CONFIG_HID_PRIMAX is not set
-# CONFIG_HID_RETRODE is not set
-# CONFIG_HID_ROCCAT is not set
-# CONFIG_HID_SAITEK is not set
-CONFIG_HID_SAMSUNG=y
-CONFIG_HID_SONY=y
-# CONFIG_SONY_FF is not set
-# CONFIG_HID_SPEEDLINK is not set
-# CONFIG_HID_STEELSERIES is not set
-CONFIG_HID_SUNPLUS=y
-# CONFIG_HID_RMI is not set
-# CONFIG_HID_GREENASIA is not set
-# CONFIG_HID_SMARTJOYPLUS is not set
-# CONFIG_HID_TIVO is not set
-CONFIG_HID_TOPSEED=y
-# CONFIG_HID_THINGM is not set
-# CONFIG_HID_THRUSTMASTER is not set
-# CONFIG_HID_UDRAW_PS3 is not set
-# CONFIG_HID_WACOM is not set
-# CONFIG_HID_WIIMOTE is not set
-# CONFIG_HID_XINMO is not set
-# CONFIG_HID_ZEROPLUS is not set
-# CONFIG_HID_ZYDACRON is not set
-# CONFIG_HID_SENSOR_HUB is not set
-# CONFIG_HID_ALPS is not set
-
-#
-# USB HID support
-#
-CONFIG_USB_HID=y
-# CONFIG_HID_PID is not set
-# CONFIG_USB_HIDDEV is not set
-
-#
-# I2C HID support
-#
-# CONFIG_I2C_HID is not set
-CONFIG_USB_OHCI_LITTLE_ENDIAN=y
-CONFIG_USB_SUPPORT=y
-CONFIG_USB_COMMON=y
-CONFIG_USB_ARCH_HAS_HCD=y
-CONFIG_USB=y
-CONFIG_USB_PCI=y
-# CONFIG_USB_ANNOUNCE_NEW_DEVICES is not set
-
-#
-# Miscellaneous USB options
-#
-CONFIG_USB_DEFAULT_PERSIST=y
-CONFIG_USB_DYNAMIC_MINORS=y
-# CONFIG_USB_OTG is not set
-# CONFIG_USB_OTG_WHITELIST is not set
-# CONFIG_USB_LEDS_TRIGGER_USBPORT is not set
-CONFIG_USB_MON=y
-# CONFIG_USB_WUSB_CBAF is not set
-
-#
-# USB Host Controller Drivers
-#
-# CONFIG_USB_C67X00_HCD is not set
-# CONFIG_USB_XHCI_HCD is not set
-CONFIG_USB_EHCI_HCD=m
-CONFIG_USB_EHCI_ROOT_HUB_TT=y
-CONFIG_USB_EHCI_TT_NEWSCHED=y
-CONFIG_USB_EHCI_PCI=m
-# CONFIG_XPS_USB_HCD_XILINX is not set
-# CONFIG_USB_EHCI_HCD_PPC_OF is not set
-# CONFIG_USB_EHCI_HCD_PLATFORM is not set
-# CONFIG_USB_OXU210HP_HCD is not set
-# CONFIG_USB_ISP116X_HCD is not set
-# CONFIG_USB_ISP1362_HCD is not set
-# CONFIG_USB_FOTG210_HCD is not set
-CONFIG_USB_OHCI_HCD=y
-# CONFIG_USB_OHCI_HCD_PPC_OF_BE is not set
-# CONFIG_USB_OHCI_HCD_PPC_OF_LE is not set
-# CONFIG_USB_OHCI_HCD_PPC_OF is not set
-CONFIG_USB_OHCI_HCD_PCI=y
-# CONFIG_USB_OHCI_HCD_PLATFORM is not set
-# CONFIG_USB_UHCI_HCD is not set
-# CONFIG_USB_SL811_HCD is not set
-# CONFIG_USB_R8A66597_HCD is not set
-# CONFIG_USB_HCD_BCMA is not set
-# CONFIG_USB_HCD_SSB is not set
-# CONFIG_USB_HCD_TEST_MODE is not set
-
-#
-# USB Device Class drivers
-#
-CONFIG_USB_ACM=m
-CONFIG_USB_PRINTER=m
-# CONFIG_USB_WDM is not set
-# CONFIG_USB_TMC is not set
-
-#
-# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
-#
-
-#
-# also be needed; see USB_STORAGE Help for more info
-#
-CONFIG_USB_STORAGE=m
-# CONFIG_USB_STORAGE_DEBUG is not set
-# CONFIG_USB_STORAGE_REALTEK is not set
-# CONFIG_USB_STORAGE_DATAFAB is not set
-# CONFIG_USB_STORAGE_FREECOM is not set
-# CONFIG_USB_STORAGE_ISD200 is not set
-# CONFIG_USB_STORAGE_USBAT is not set
-# CONFIG_USB_STORAGE_SDDR09 is not set
-# CONFIG_USB_STORAGE_SDDR55 is not set
-# CONFIG_USB_STORAGE_JUMPSHOT is not set
-# CONFIG_USB_STORAGE_ALAUDA is not set
-CONFIG_USB_STORAGE_ONETOUCH=m
-# CONFIG_USB_STORAGE_KARMA is not set
-# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
-# CONFIG_USB_STORAGE_ENE_UB6250 is not set
-# CONFIG_USB_UAS is not set
-
-#
-# USB Imaging devices
-#
-# CONFIG_USB_MDC800 is not set
-# CONFIG_USB_MICROTEK is not set
-# CONFIG_USBIP_CORE is not set
-# CONFIG_USB_MUSB_HDRC is not set
-# CONFIG_USB_DWC3 is not set
-# CONFIG_USB_DWC2 is not set
-# CONFIG_USB_CHIPIDEA is not set
-# CONFIG_USB_ISP1760 is not set
-
-#
-# USB port drivers
-#
-CONFIG_USB_SERIAL=m
-# CONFIG_USB_SERIAL_GENERIC is not set
-# CONFIG_USB_SERIAL_SIMPLE is not set
-# CONFIG_USB_SERIAL_AIRCABLE is not set
-# CONFIG_USB_SERIAL_ARK3116 is not set
-# CONFIG_USB_SERIAL_BELKIN is not set
-# CONFIG_USB_SERIAL_CH341 is not set
-# CONFIG_USB_SERIAL_WHITEHEAT is not set
-# CONFIG_USB_SERIAL_DIGI_ACCELEPORT is not set
-# CONFIG_USB_SERIAL_CP210X is not set
-# CONFIG_USB_SERIAL_CYPRESS_M8 is not set
-# CONFIG_USB_SERIAL_EMPEG is not set
-# CONFIG_USB_SERIAL_FTDI_SIO is not set
-CONFIG_USB_SERIAL_VISOR=m
-CONFIG_USB_SERIAL_IPAQ=m
-# CONFIG_USB_SERIAL_IR is not set
-# CONFIG_USB_SERIAL_EDGEPORT is not set
-# CONFIG_USB_SERIAL_EDGEPORT_TI is not set
-# CONFIG_USB_SERIAL_F81232 is not set
-# CONFIG_USB_SERIAL_F8153X is not set
-# CONFIG_USB_SERIAL_GARMIN is not set
-# CONFIG_USB_SERIAL_IPW is not set
-# CONFIG_USB_SERIAL_IUU is not set
-CONFIG_USB_SERIAL_KEYSPAN_PDA=m
-CONFIG_USB_SERIAL_KEYSPAN=m
-CONFIG_USB_SERIAL_KEYSPAN_MPR=y
-CONFIG_USB_SERIAL_KEYSPAN_USA28=y
-CONFIG_USB_SERIAL_KEYSPAN_USA28X=y
-CONFIG_USB_SERIAL_KEYSPAN_USA28XA=y
-CONFIG_USB_SERIAL_KEYSPAN_USA28XB=y
-CONFIG_USB_SERIAL_KEYSPAN_USA19=y
-CONFIG_USB_SERIAL_KEYSPAN_USA18X=y
-CONFIG_USB_SERIAL_KEYSPAN_USA19W=y
-CONFIG_USB_SERIAL_KEYSPAN_USA19QW=y
-CONFIG_USB_SERIAL_KEYSPAN_USA19QI=y
-CONFIG_USB_SERIAL_KEYSPAN_USA49W=y
-CONFIG_USB_SERIAL_KEYSPAN_USA49WLC=y
-# CONFIG_USB_SERIAL_KLSI is not set
-# CONFIG_USB_SERIAL_KOBIL_SCT is not set
-# CONFIG_USB_SERIAL_MCT_U232 is not set
-# CONFIG_USB_SERIAL_METRO is not set
-# CONFIG_USB_SERIAL_MOS7720 is not set
-# CONFIG_USB_SERIAL_MOS7840 is not set
-# CONFIG_USB_SERIAL_MXUPORT is not set
-# CONFIG_USB_SERIAL_NAVMAN is not set
-# CONFIG_USB_SERIAL_PL2303 is not set
-# CONFIG_USB_SERIAL_OTI6858 is not set
-# CONFIG_USB_SERIAL_QCAUX is not set
-# CONFIG_USB_SERIAL_QUALCOMM is not set
-# CONFIG_USB_SERIAL_SPCP8X5 is not set
-# CONFIG_USB_SERIAL_SAFE is not set
-# CONFIG_USB_SERIAL_SIERRAWIRELESS is not set
-# CONFIG_USB_SERIAL_SYMBOL is not set
-# CONFIG_USB_SERIAL_TI is not set
-# CONFIG_USB_SERIAL_CYBERJACK is not set
-# CONFIG_USB_SERIAL_XIRCOM is not set
-# CONFIG_USB_SERIAL_OPTION is not set
-# CONFIG_USB_SERIAL_OMNINET is not set
-# CONFIG_USB_SERIAL_OPTICON is not set
-# CONFIG_USB_SERIAL_XSENS_MT is not set
-# CONFIG_USB_SERIAL_WISHBONE is not set
-# CONFIG_USB_SERIAL_SSU100 is not set
-# CONFIG_USB_SERIAL_QT2 is not set
-# CONFIG_USB_SERIAL_UPD78F0730 is not set
-# CONFIG_USB_SERIAL_DEBUG is not set
-
-#
-# USB Miscellaneous drivers
-#
-# CONFIG_USB_EMI62 is not set
-# CONFIG_USB_EMI26 is not set
-# CONFIG_USB_ADUTUX is not set
-# CONFIG_USB_SEVSEG is not set
-# CONFIG_USB_RIO500 is not set
-# CONFIG_USB_LEGOTOWER is not set
-# CONFIG_USB_LCD is not set
-# CONFIG_USB_CYPRESS_CY7C63 is not set
-# CONFIG_USB_CYTHERM is not set
-# CONFIG_USB_IDMOUSE is not set
-# CONFIG_USB_FTDI_ELAN is not set
-CONFIG_USB_APPLEDISPLAY=m
-# CONFIG_USB_SISUSBVGA is not set
-# CONFIG_USB_LD is not set
-# CONFIG_USB_TRANCEVIBRATOR is not set
-# CONFIG_USB_IOWARRIOR is not set
-# CONFIG_USB_TEST is not set
-# CONFIG_USB_EHSET_TEST_FIXTURE is not set
-# CONFIG_USB_ISIGHTFW is not set
-# CONFIG_USB_YUREX is not set
-CONFIG_USB_EZUSB_FX2=m
-# CONFIG_USB_HUB_USB251XB is not set
-# CONFIG_USB_HSIC_USB3503 is not set
-# CONFIG_USB_HSIC_USB4604 is not set
-# CONFIG_USB_LINK_LAYER_TEST is not set
-# CONFIG_USB_CHAOSKEY is not set
-
-#
-# USB Physical Layer drivers
-#
-# CONFIG_USB_PHY is not set
-# CONFIG_NOP_USB_XCEIV is not set
-# CONFIG_USB_ISP1301 is not set
-# CONFIG_USB_GADGET is not set
-
-#
-# USB Power Delivery and Type-C drivers
-#
-# CONFIG_USB_LED_TRIG is not set
-# CONFIG_USB_ULPI_BUS is not set
-# CONFIG_UWB is not set
-# CONFIG_MMC is not set
-# CONFIG_MEMSTICK is not set
-CONFIG_NEW_LEDS=y
-CONFIG_LEDS_CLASS=y
-# CONFIG_LEDS_CLASS_FLASH is not set
-# CONFIG_LEDS_BRIGHTNESS_HW_CHANGED is not set
-
-#
-# LED drivers
-#
-# CONFIG_LEDS_BCM6328 is not set
-# CONFIG_LEDS_BCM6358 is not set
-# CONFIG_LEDS_LM3530 is not set
-# CONFIG_LEDS_LM3642 is not set
-# CONFIG_LEDS_PCA9532 is not set
-# CONFIG_LEDS_LP3944 is not set
-# CONFIG_LEDS_LP5521 is not set
-# CONFIG_LEDS_LP5523 is not set
-# CONFIG_LEDS_LP5562 is not set
-# CONFIG_LEDS_LP8501 is not set
-# CONFIG_LEDS_LP8860 is not set
-# CONFIG_LEDS_PCA955X is not set
-# CONFIG_LEDS_PCA963X is not set
-# CONFIG_LEDS_BD2802 is not set
-# CONFIG_LEDS_TCA6507 is not set
-# CONFIG_LEDS_TLC591XX is not set
-# CONFIG_LEDS_LM355x is not set
-# CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
-
-#
-# LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM)
-#
-# CONFIG_LEDS_BLINKM is not set
-# CONFIG_LEDS_USER is not set
-
-#
-# LED Triggers
-#
-CONFIG_LEDS_TRIGGERS=y
-# CONFIG_LEDS_TRIGGER_TIMER is not set
-# CONFIG_LEDS_TRIGGER_ONESHOT is not set
-# CONFIG_LEDS_TRIGGER_DISK is not set
-# CONFIG_LEDS_TRIGGER_HEARTBEAT is not set
-# CONFIG_LEDS_TRIGGER_BACKLIGHT is not set
-# CONFIG_LEDS_TRIGGER_CPU is not set
-CONFIG_LEDS_TRIGGER_DEFAULT_ON=y
-
-#
-# iptables trigger is under Netfilter config (LED target)
-#
-# CONFIG_LEDS_TRIGGER_TRANSIENT is not set
-# CONFIG_LEDS_TRIGGER_CAMERA is not set
-# CONFIG_LEDS_TRIGGER_PANIC is not set
-# CONFIG_ACCESSIBILITY is not set
-# CONFIG_INFINIBAND is not set
-CONFIG_EDAC_ATOMIC_SCRUB=y
-CONFIG_EDAC_SUPPORT=y
-CONFIG_RTC_LIB=y
-CONFIG_RTC_CLASS=y
-CONFIG_RTC_HCTOSYS=y
-CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
-CONFIG_RTC_SYSTOHC=y
-CONFIG_RTC_SYSTOHC_DEVICE="rtc0"
-# CONFIG_RTC_DEBUG is not set
-CONFIG_RTC_NVMEM=y
-
-#
-# RTC interfaces
-#
-CONFIG_RTC_INTF_SYSFS=y
-CONFIG_RTC_INTF_PROC=y
-CONFIG_RTC_INTF_DEV=y
-# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set
-# CONFIG_RTC_DRV_TEST is not set
-
-#
-# I2C RTC drivers
-#
-# CONFIG_RTC_DRV_ABB5ZES3 is not set
-# CONFIG_RTC_DRV_ABX80X is not set
-# CONFIG_RTC_DRV_DS1307 is not set
-# CONFIG_RTC_DRV_DS1374 is not set
-# CONFIG_RTC_DRV_DS1672 is not set
-# CONFIG_RTC_DRV_HYM8563 is not set
-# CONFIG_RTC_DRV_MAX6900 is not set
-# CONFIG_RTC_DRV_RS5C372 is not set
-# CONFIG_RTC_DRV_ISL1208 is not set
-# CONFIG_RTC_DRV_ISL12022 is not set
-# CONFIG_RTC_DRV_X1205 is not set
-# CONFIG_RTC_DRV_PCF8523 is not set
-# CONFIG_RTC_DRV_PCF85063 is not set
-# CONFIG_RTC_DRV_PCF8563 is not set
-# CONFIG_RTC_DRV_PCF8583 is not set
-# CONFIG_RTC_DRV_M41T80 is not set
-# CONFIG_RTC_DRV_BQ32K is not set
-# CONFIG_RTC_DRV_S35390A is not set
-# CONFIG_RTC_DRV_FM3130 is not set
-# CONFIG_RTC_DRV_RX8010 is not set
-# CONFIG_RTC_DRV_RX8581 is not set
-# CONFIG_RTC_DRV_RX8025 is not set
-# CONFIG_RTC_DRV_EM3027 is not set
-# CONFIG_RTC_DRV_RV8803 is not set
-
-#
-# SPI RTC drivers
-#
-CONFIG_RTC_I2C_AND_SPI=y
-
-#
-# SPI and I2C RTC drivers
-#
-# CONFIG_RTC_DRV_DS3232 is not set
-# CONFIG_RTC_DRV_PCF2127 is not set
-# CONFIG_RTC_DRV_RV3029C2 is not set
-
-#
-# Platform RTC drivers
-#
-# CONFIG_RTC_DRV_CMOS is not set
-# CONFIG_RTC_DRV_DS1286 is not set
-# CONFIG_RTC_DRV_DS1511 is not set
-# CONFIG_RTC_DRV_DS1553 is not set
-# CONFIG_RTC_DRV_DS1685_FAMILY is not set
-# CONFIG_RTC_DRV_DS1742 is not set
-# CONFIG_RTC_DRV_DS2404 is not set
-# CONFIG_RTC_DRV_STK17TA8 is not set
-# CONFIG_RTC_DRV_M48T86 is not set
-# CONFIG_RTC_DRV_M48T35 is not set
-# CONFIG_RTC_DRV_M48T59 is not set
-# CONFIG_RTC_DRV_MSM6242 is not set
-# CONFIG_RTC_DRV_BQ4802 is not set
-# CONFIG_RTC_DRV_RP5C01 is not set
-# CONFIG_RTC_DRV_V3020 is not set
-# CONFIG_RTC_DRV_ZYNQMP is not set
-
-#
-# on-CPU RTC drivers
-#
-CONFIG_RTC_DRV_GENERIC=y
-# CONFIG_RTC_DRV_FTRTC010 is not set
-# CONFIG_RTC_DRV_SNVS is not set
-# CONFIG_RTC_DRV_R7301 is not set
-
-#
-# HID Sensor RTC drivers
-#
-# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set
-# CONFIG_DMADEVICES is not set
-
-#
-# DMABUF options
-#
-CONFIG_SYNC_FILE=y
-# CONFIG_SW_SYNC is not set
-# CONFIG_AUXDISPLAY is not set
-# CONFIG_UIO is not set
-# CONFIG_VIRT_DRIVERS is not set
-
-#
-# Virtio drivers
-#
-# CONFIG_VIRTIO_PCI is not set
-# CONFIG_VIRTIO_MMIO is not set
-
-#
-# Microsoft Hyper-V guest support
-#
-# CONFIG_HYPERV_TSCPAGE is not set
-# CONFIG_STAGING is not set
-# CONFIG_HWSPINLOCK is not set
-
-#
-# Clock Source drivers
-#
-# CONFIG_ATMEL_PIT is not set
-# CONFIG_SH_TIMER_CMT is not set
-# CONFIG_SH_TIMER_MTU2 is not set
-# CONFIG_SH_TIMER_TMU is not set
-# CONFIG_EM_TIMER_STI is not set
-# CONFIG_MAILBOX is not set
-CONFIG_IOMMU_SUPPORT=y
-
-#
-# Generic IOMMU Pagetable Support
-#
-
-#
-# Remoteproc drivers
-#
-# CONFIG_REMOTEPROC is not set
-
-#
-# Rpmsg drivers
-#
-
-#
-# SOC (System On Chip) specific Drivers
-#
-
-#
-# Amlogic SoC drivers
-#
-
-#
-# Broadcom SoC drivers
-#
-
-#
-# i.MX SoC drivers
-#
-
-#
-# Qualcomm SoC drivers
-#
-# CONFIG_SUNXI_SRAM is not set
-# CONFIG_SOC_TI is not set
-# CONFIG_PM_DEVFREQ is not set
-# CONFIG_EXTCON is not set
-# CONFIG_MEMORY is not set
-# CONFIG_IIO is not set
-# CONFIG_NTB is not set
-# CONFIG_VME_BUS is not set
-# CONFIG_PWM is not set
-CONFIG_IRQCHIP=y
-CONFIG_ARM_GIC_MAX_NR=1
-# CONFIG_IPACK_BUS is not set
-# CONFIG_RESET_CONTROLLER is not set
-# CONFIG_FMC is not set
-
-#
-# PHY Subsystem
-#
-# CONFIG_GENERIC_PHY is not set
-# CONFIG_BCM_KONA_USB2_PHY is not set
-# CONFIG_PHY_PXA_28NM_HSIC is not set
-# CONFIG_PHY_PXA_28NM_USB2 is not set
-# CONFIG_POWERCAP is not set
-# CONFIG_MCB is not set
-
-#
-# Performance monitor support
-#
-# CONFIG_RAS is not set
-
-#
-# Android
-#
-# CONFIG_ANDROID is not set
-CONFIG_DAX=m
-CONFIG_NVMEM=y
-# CONFIG_STM is not set
-# CONFIG_INTEL_TH is not set
-# CONFIG_FPGA is not set
-
-#
-# FSI support
-#
-# CONFIG_FSI is not set
-
-#
-# File systems
-#
-CONFIG_EXT2_FS=y
-# CONFIG_EXT2_FS_XATTR is not set
-CONFIG_EXT3_FS=y
-CONFIG_EXT3_FS_POSIX_ACL=y
-# CONFIG_EXT3_FS_SECURITY is not set
-CONFIG_EXT4_FS=y
-CONFIG_EXT4_FS_POSIX_ACL=y
-# CONFIG_EXT4_FS_SECURITY is not set
-# CONFIG_EXT4_ENCRYPTION is not set
-# CONFIG_EXT4_DEBUG is not set
-CONFIG_JBD2=y
-# CONFIG_JBD2_DEBUG is not set
-CONFIG_FS_MBCACHE=y
-# CONFIG_REISERFS_FS is not set
-# CONFIG_JFS_FS is not set
-# CONFIG_XFS_FS is not set
-# CONFIG_GFS2_FS is not set
-# CONFIG_BTRFS_FS is not set
-# CONFIG_NILFS2_FS is not set
-# CONFIG_F2FS_FS is not set
-# CONFIG_FS_DAX is not set
-CONFIG_FS_POSIX_ACL=y
-CONFIG_EXPORTFS=y
-# CONFIG_EXPORTFS_BLOCK_OPS is not set
-CONFIG_FILE_LOCKING=y
-CONFIG_MANDATORY_FILE_LOCKING=y
-# CONFIG_FS_ENCRYPTION is not set
-CONFIG_FSNOTIFY=y
-CONFIG_DNOTIFY=y
-CONFIG_INOTIFY_USER=y
-# CONFIG_FANOTIFY is not set
-# CONFIG_QUOTA is not set
-# CONFIG_QUOTACTL is not set
-CONFIG_AUTOFS4_FS=m
-CONFIG_FUSE_FS=m
-# CONFIG_CUSE is not set
-# CONFIG_OVERLAY_FS is not set
-
-#
-# Caches
-#
-# CONFIG_FSCACHE is not set
-
-#
-# CD-ROM/DVD Filesystems
-#
-CONFIG_ISO9660_FS=y
-CONFIG_JOLIET=y
-CONFIG_ZISOFS=y
-CONFIG_UDF_FS=m
-CONFIG_UDF_NLS=y
-
-#
-# DOS/FAT/NT Filesystems
-#
-CONFIG_FAT_FS=m
-CONFIG_MSDOS_FS=m
-CONFIG_VFAT_FS=m
-CONFIG_FAT_DEFAULT_CODEPAGE=437
-CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
-# CONFIG_FAT_DEFAULT_UTF8 is not set
-# CONFIG_NTFS_FS is not set
-
-#
-# Pseudo filesystems
-#
-CONFIG_PROC_FS=y
-CONFIG_PROC_KCORE=y
-CONFIG_PROC_SYSCTL=y
-CONFIG_PROC_PAGE_MONITOR=y
-# CONFIG_PROC_CHILDREN is not set
-CONFIG_KERNFS=y
-CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_HUGETLB_PAGE is not set
-# CONFIG_CONFIGFS_FS is not set
-CONFIG_MISC_FILESYSTEMS=y
-# CONFIG_ORANGEFS_FS is not set
-# CONFIG_ADFS_FS is not set
-# CONFIG_AFFS_FS is not set
-# CONFIG_ECRYPT_FS is not set
-CONFIG_HFS_FS=m
-CONFIG_HFSPLUS_FS=m
-# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
-# CONFIG_BEFS_FS is not set
-# CONFIG_BFS_FS is not set
-# CONFIG_EFS_FS is not set
-# CONFIG_CRAMFS is not set
-# CONFIG_SQUASHFS is not set
-# CONFIG_VXFS_FS is not set
-# CONFIG_MINIX_FS is not set
-# CONFIG_OMFS_FS is not set
-# CONFIG_HPFS_FS is not set
-# CONFIG_QNX4FS_FS is not set
-# CONFIG_QNX6FS_FS is not set
-# CONFIG_ROMFS_FS is not set
-# CONFIG_PSTORE is not set
-# CONFIG_SYSV_FS is not set
-# CONFIG_UFS_FS is not set
-CONFIG_NETWORK_FILESYSTEMS=y
-CONFIG_NFS_FS=y
-CONFIG_NFS_V2=y
-CONFIG_NFS_V3=y
-CONFIG_NFS_V3_ACL=y
-CONFIG_NFS_V4=y
-# CONFIG_NFS_SWAP is not set
-CONFIG_NFS_V4_1=y
-CONFIG_NFS_V4_2=y
-CONFIG_PNFS_FILE_LAYOUT=m
-CONFIG_PNFS_BLOCK=m
-CONFIG_PNFS_FLEXFILE_LAYOUT=m
-CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
-# CONFIG_NFS_V4_1_MIGRATION is not set
-CONFIG_NFS_V4_SECURITY_LABEL=y
-# CONFIG_NFS_USE_LEGACY_DNS is not set
-CONFIG_NFS_USE_KERNEL_DNS=y
-CONFIG_NFSD=m
-CONFIG_NFSD_V2_ACL=y
-CONFIG_NFSD_V3=y
-CONFIG_NFSD_V3_ACL=y
-CONFIG_NFSD_V4=y
-# CONFIG_NFSD_BLOCKLAYOUT is not set
-# CONFIG_NFSD_SCSILAYOUT is not set
-# CONFIG_NFSD_FLEXFILELAYOUT is not set
-# CONFIG_NFSD_V4_SECURITY_LABEL is not set
-# CONFIG_NFSD_FAULT_INJECTION is not set
-CONFIG_GRACE_PERIOD=y
-CONFIG_LOCKD=y
-CONFIG_LOCKD_V4=y
-CONFIG_NFS_ACL_SUPPORT=y
-CONFIG_NFS_COMMON=y
-CONFIG_SUNRPC=y
-CONFIG_SUNRPC_GSS=y
-# CONFIG_SUNRPC_DEBUG is not set
-# CONFIG_CEPH_FS is not set
-# CONFIG_CIFS is not set
-# CONFIG_NCP_FS is not set
-# CONFIG_CODA_FS is not set
-# CONFIG_AFS_FS is not set
-CONFIG_NLS=y
-CONFIG_NLS_DEFAULT="iso8859-1"
-CONFIG_NLS_CODEPAGE_437=m
-# CONFIG_NLS_CODEPAGE_737 is not set
-# CONFIG_NLS_CODEPAGE_775 is not set
-# CONFIG_NLS_CODEPAGE_850 is not set
-# CONFIG_NLS_CODEPAGE_852 is not set
-# CONFIG_NLS_CODEPAGE_855 is not set
-# CONFIG_NLS_CODEPAGE_857 is not set
-# CONFIG_NLS_CODEPAGE_860 is not set
-# CONFIG_NLS_CODEPAGE_861 is not set
-# CONFIG_NLS_CODEPAGE_862 is not set
-# CONFIG_NLS_CODEPAGE_863 is not set
-# CONFIG_NLS_CODEPAGE_864 is not set
-# CONFIG_NLS_CODEPAGE_865 is not set
-# CONFIG_NLS_CODEPAGE_866 is not set
-# CONFIG_NLS_CODEPAGE_869 is not set
-# CONFIG_NLS_CODEPAGE_936 is not set
-# CONFIG_NLS_CODEPAGE_950 is not set
-# CONFIG_NLS_CODEPAGE_932 is not set
-# CONFIG_NLS_CODEPAGE_949 is not set
-# CONFIG_NLS_CODEPAGE_874 is not set
-# CONFIG_NLS_ISO8859_8 is not set
-# CONFIG_NLS_CODEPAGE_1250 is not set
-# CONFIG_NLS_CODEPAGE_1251 is not set
-# CONFIG_NLS_ASCII is not set
-CONFIG_NLS_ISO8859_1=m
-# CONFIG_NLS_ISO8859_2 is not set
-# CONFIG_NLS_ISO8859_3 is not set
-# CONFIG_NLS_ISO8859_4 is not set
-# CONFIG_NLS_ISO8859_5 is not set
-# CONFIG_NLS_ISO8859_6 is not set
-# CONFIG_NLS_ISO8859_7 is not set
-# CONFIG_NLS_ISO8859_9 is not set
-# CONFIG_NLS_ISO8859_13 is not set
-# CONFIG_NLS_ISO8859_14 is not set
-# CONFIG_NLS_ISO8859_15 is not set
-# CONFIG_NLS_KOI8_R is not set
-# CONFIG_NLS_KOI8_U is not set
-# CONFIG_NLS_MAC_ROMAN is not set
-# CONFIG_NLS_MAC_CELTIC is not set
-# CONFIG_NLS_MAC_CENTEURO is not set
-# CONFIG_NLS_MAC_CROATIAN is not set
-# CONFIG_NLS_MAC_CYRILLIC is not set
-# CONFIG_NLS_MAC_GAELIC is not set
-# CONFIG_NLS_MAC_GREEK is not set
-# CONFIG_NLS_MAC_ICELAND is not set
-# CONFIG_NLS_MAC_INUIT is not set
-# CONFIG_NLS_MAC_ROMANIAN is not set
-# CONFIG_NLS_MAC_TURKISH is not set
-CONFIG_NLS_UTF8=m
-CONFIG_BINARY_PRINTF=y
-
-#
-# Library routines
-#
-CONFIG_BITREVERSE=y
-# CONFIG_HAVE_ARCH_BITREVERSE is not set
-CONFIG_GENERIC_STRNCPY_FROM_USER=y
-CONFIG_GENERIC_STRNLEN_USER=y
-CONFIG_GENERIC_NET_UTILS=y
-CONFIG_GENERIC_PCI_IOMAP=y
-CONFIG_GENERIC_IO=y
-CONFIG_CRC_CCITT=y
-CONFIG_CRC16=y
-CONFIG_CRC_T10DIF=y
-CONFIG_CRC_ITU_T=m
-CONFIG_CRC32=y
-# CONFIG_CRC32_SELFTEST is not set
-CONFIG_CRC32_SLICEBY8=y
-# CONFIG_CRC32_SLICEBY4 is not set
-# CONFIG_CRC32_SARWATE is not set
-# CONFIG_CRC32_BIT is not set
-# CONFIG_CRC4 is not set
-# CONFIG_CRC7 is not set
-CONFIG_LIBCRC32C=m
-# CONFIG_CRC8 is not set
-# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
-# CONFIG_RANDOM32_SELFTEST is not set
-CONFIG_ZLIB_INFLATE=y
-CONFIG_ZLIB_DEFLATE=y
-CONFIG_LZO_COMPRESS=y
-CONFIG_LZO_DECOMPRESS=y
-CONFIG_LZ4_DECOMPRESS=y
-CONFIG_XZ_DEC=y
-CONFIG_XZ_DEC_X86=y
-CONFIG_XZ_DEC_POWERPC=y
-CONFIG_XZ_DEC_IA64=y
-CONFIG_XZ_DEC_ARM=y
-CONFIG_XZ_DEC_ARMTHUMB=y
-CONFIG_XZ_DEC_SPARC=y
-CONFIG_XZ_DEC_BCJ=y
-# CONFIG_XZ_DEC_TEST is not set
-CONFIG_DECOMPRESS_GZIP=y
-CONFIG_DECOMPRESS_BZIP2=y
-CONFIG_DECOMPRESS_LZMA=y
-CONFIG_DECOMPRESS_XZ=y
-CONFIG_DECOMPRESS_LZO=y
-CONFIG_DECOMPRESS_LZ4=y
-CONFIG_TEXTSEARCH=y
-CONFIG_TEXTSEARCH_KMP=m
-CONFIG_TEXTSEARCH_BM=m
-CONFIG_TEXTSEARCH_FSM=m
-CONFIG_INTERVAL_TREE=y
-CONFIG_ASSOCIATIVE_ARRAY=y
-CONFIG_HAS_IOMEM=y
-CONFIG_HAS_IOPORT_MAP=y
-CONFIG_HAS_DMA=y
-# CONFIG_DMA_NOOP_OPS is not set
-# CONFIG_DMA_VIRT_OPS is not set
-CONFIG_DQL=y
-CONFIG_GLOB=y
-# CONFIG_GLOB_SELFTEST is not set
-CONFIG_NLATTR=y
-CONFIG_GENERIC_ATOMIC64=y
-# CONFIG_CORDIC is not set
-# CONFIG_DDR is not set
-# CONFIG_IRQ_POLL is not set
-CONFIG_LIBFDT=y
-CONFIG_OID_REGISTRY=y
-CONFIG_FONT_SUPPORT=y
-# CONFIG_FONTS is not set
-CONFIG_FONT_8x8=y
-CONFIG_FONT_8x16=y
-# CONFIG_SG_SPLIT is not set
-CONFIG_SG_POOL=y
-CONFIG_ARCH_HAS_SG_CHAIN=y
-CONFIG_SBITMAP=y
-# CONFIG_STRING_SELFTEST is not set
-
-#
-# Kernel hacking
-#
-
-#
-# printk and dmesg options
-#
-# CONFIG_PRINTK_TIME is not set
-CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7
-CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
-# CONFIG_DYNAMIC_DEBUG is not set
-
-#
-# Compile-time checks and compiler options
-#
-# CONFIG_DEBUG_INFO is not set
-CONFIG_ENABLE_WARN_DEPRECATED=y
-CONFIG_ENABLE_MUST_CHECK=y
-CONFIG_FRAME_WARN=1024
-# CONFIG_STRIP_ASM_SYMS is not set
-# CONFIG_READABLE_ASM is not set
-# CONFIG_UNUSED_SYMBOLS is not set
-# CONFIG_PAGE_OWNER is not set
-CONFIG_DEBUG_FS=y
-# CONFIG_HEADERS_CHECK is not set
-# CONFIG_DEBUG_SECTION_MISMATCH is not set
-CONFIG_SECTION_MISMATCH_WARN_ONLY=y
-# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
-CONFIG_MAGIC_SYSRQ=y
-CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
-CONFIG_MAGIC_SYSRQ_SERIAL=y
-CONFIG_DEBUG_KERNEL=y
-
-#
-# Memory Debugging
-#
-# CONFIG_PAGE_EXTENSION is not set
-# CONFIG_PAGE_POISONING is not set
-# CONFIG_DEBUG_PAGE_REF is not set
-# CONFIG_DEBUG_OBJECTS is not set
-# CONFIG_SLUB_DEBUG_ON is not set
-# CONFIG_SLUB_STATS is not set
-CONFIG_HAVE_DEBUG_KMEMLEAK=y
-# CONFIG_DEBUG_KMEMLEAK is not set
-# CONFIG_DEBUG_STACK_USAGE is not set
-# CONFIG_DEBUG_VM is not set
-CONFIG_DEBUG_MEMORY_INIT=y
-# CONFIG_DEBUG_HIGHMEM is not set
-CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
-# CONFIG_DEBUG_STACKOVERFLOW is not set
-# CONFIG_DEBUG_SHIRQ is not set
-
-#
-# Debug Lockups and Hangs
-#
-# CONFIG_SOFTLOCKUP_DETECTOR is not set
-CONFIG_DETECT_HUNG_TASK=y
-CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
-# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
-CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
-# CONFIG_WQ_WATCHDOG is not set
-# CONFIG_PANIC_ON_OOPS is not set
-CONFIG_PANIC_ON_OOPS_VALUE=0
-CONFIG_SCHED_DEBUG=y
-CONFIG_SCHED_INFO=y
-CONFIG_SCHEDSTATS=y
-# CONFIG_SCHED_STACK_END_CHECK is not set
-# CONFIG_DEBUG_TIMEKEEPING is not set
-
-#
-# Lock Debugging (spinlocks, mutexes, etc...)
-#
-# CONFIG_DEBUG_RT_MUTEXES is not set
-# CONFIG_DEBUG_SPINLOCK is not set
-# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
-# CONFIG_DEBUG_LOCK_ALLOC is not set
-# CONFIG_PROVE_LOCKING is not set
-# CONFIG_LOCK_STAT is not set
-# CONFIG_DEBUG_ATOMIC_SLEEP is not set
-# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
-# CONFIG_LOCK_TORTURE_TEST is not set
-# CONFIG_WW_MUTEX_SELFTEST is not set
-CONFIG_STACKTRACE=y
-# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
-# CONFIG_DEBUG_KOBJECT is not set
-CONFIG_DEBUG_BUGVERBOSE=y
-# CONFIG_DEBUG_LIST is not set
-# CONFIG_DEBUG_PI_LIST is not set
-# CONFIG_DEBUG_SG is not set
-# CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_DEBUG_CREDENTIALS is not set
-
-#
-# RCU Debugging
-#
-# CONFIG_PROVE_RCU is not set
-# CONFIG_TORTURE_TEST is not set
-# CONFIG_RCU_PERF_TEST is not set
-# CONFIG_RCU_TORTURE_TEST is not set
-# CONFIG_RCU_TRACE is not set
-# CONFIG_RCU_EQS_DEBUG is not set
-# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
-# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
-# CONFIG_NOTIFIER_ERROR_INJECTION is not set
-# CONFIG_FAULT_INJECTION is not set
-CONFIG_LATENCYTOP=y
-CONFIG_NOP_TRACER=y
-CONFIG_HAVE_FUNCTION_TRACER=y
-CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
-CONFIG_HAVE_DYNAMIC_FTRACE=y
-CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
-CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
-CONFIG_TRACE_CLOCK=y
-CONFIG_RING_BUFFER=y
-CONFIG_EVENT_TRACING=y
-CONFIG_CONTEXT_SWITCH_TRACER=y
-CONFIG_RING_BUFFER_ALLOW_SWAP=y
-CONFIG_TRACING=y
-CONFIG_TRACING_SUPPORT=y
-CONFIG_FTRACE=y
-# CONFIG_FUNCTION_TRACER is not set
-# CONFIG_IRQSOFF_TRACER is not set
-# CONFIG_SCHED_TRACER is not set
-# CONFIG_HWLAT_TRACER is not set
-# CONFIG_ENABLE_DEFAULT_TRACERS is not set
-# CONFIG_FTRACE_SYSCALLS is not set
-# CONFIG_TRACER_SNAPSHOT is not set
-CONFIG_BRANCH_PROFILE_NONE=y
-# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-# CONFIG_PROFILE_ALL_BRANCHES is not set
-# CONFIG_STACK_TRACER is not set
-# CONFIG_BLK_DEV_IO_TRACE is not set
-CONFIG_UPROBE_EVENTS=y
-CONFIG_PROBE_EVENTS=y
-# CONFIG_HIST_TRIGGERS is not set
-# CONFIG_TRACEPOINT_BENCHMARK is not set
-# CONFIG_RING_BUFFER_BENCHMARK is not set
-# CONFIG_RING_BUFFER_STARTUP_TEST is not set
-# CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_DMA_API_DEBUG is not set
-
-#
-# Runtime Testing
-#
-# CONFIG_LKDTM is not set
-# CONFIG_TEST_LIST_SORT is not set
-# CONFIG_TEST_SORT is not set
-# CONFIG_BACKTRACE_SELF_TEST is not set
-# CONFIG_RBTREE_TEST is not set
-# CONFIG_INTERVAL_TREE_TEST is not set
-# CONFIG_PERCPU_TEST is not set
-# CONFIG_ATOMIC64_SELFTEST is not set
-# CONFIG_TEST_HEXDUMP is not set
-# CONFIG_TEST_STRING_HELPERS is not set
-# CONFIG_TEST_KSTRTOX is not set
-# CONFIG_TEST_PRINTF is not set
-# CONFIG_TEST_BITMAP is not set
-# CONFIG_TEST_UUID is not set
-# CONFIG_TEST_RHASHTABLE is not set
-# CONFIG_TEST_HASH is not set
-# CONFIG_TEST_LKM is not set
-# CONFIG_TEST_USER_COPY is not set
-# CONFIG_TEST_BPF is not set
-# CONFIG_TEST_FIRMWARE is not set
-# CONFIG_TEST_SYSCTL is not set
-# CONFIG_TEST_UDELAY is not set
-# CONFIG_TEST_STATIC_KEYS is not set
-# CONFIG_TEST_KMOD is not set
-# CONFIG_MEMTEST is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
-# CONFIG_SAMPLES is not set
-CONFIG_HAVE_ARCH_KGDB=y
-# CONFIG_KGDB is not set
-CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
-# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set
-# CONFIG_UBSAN is not set
-CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
-CONFIG_STRICT_DEVMEM=y
-# CONFIG_IO_STRICT_DEVMEM is not set
-# CONFIG_PPC_DISABLE_WERROR is not set
-CONFIG_PPC_WERROR=y
-CONFIG_PRINT_STACK_DEPTH=64
-# CONFIG_PPC_EMULATED_STATS is not set
-# CONFIG_CODE_PATCHING_SELFTEST is not set
-# CONFIG_FTR_FIXUP_SELFTEST is not set
-# CONFIG_MSI_BITMAP_SELFTEST is not set
-CONFIG_XMON=y
-CONFIG_XMON_DEFAULT=y
-CONFIG_XMON_DISASSEMBLY=y
-CONFIG_DEBUGGER=y
-# CONFIG_BDI_SWITCH is not set
-CONFIG_BOOTX_TEXT=y
-CONFIG_PPC_EARLY_DEBUG=y
-CONFIG_PPC_EARLY_DEBUG_BOOTX=y
-# CONFIG_PPC_EARLY_DEBUG_MEMCONS is not set
-# CONFIG_PPC_PTDUMP is not set
-
-#
-# Security options
-#
-CONFIG_KEYS=y
-# CONFIG_PERSISTENT_KEYRINGS is not set
-# CONFIG_BIG_KEYS is not set
-# CONFIG_ENCRYPTED_KEYS is not set
-# CONFIG_KEY_DH_OPERATIONS is not set
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
-CONFIG_SECURITY=y
-# CONFIG_SECURITY_WRITABLE_HOOKS is not set
-CONFIG_SECURITYFS=y
-# CONFIG_SECURITY_NETWORK is not set
-# CONFIG_SECURITY_PATH is not set
-CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
-# CONFIG_HARDENED_USERCOPY is not set
-# CONFIG_FORTIFY_SOURCE is not set
-# CONFIG_STATIC_USERMODEHELPER is not set
-# CONFIG_SECURITY_SMACK is not set
-# CONFIG_SECURITY_TOMOYO is not set
-# CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
-CONFIG_SECURITY_YAMA=y
-# CONFIG_INTEGRITY is not set
-CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_DEFAULT_SECURITY=""
-CONFIG_CRYPTO=y
-
-#
-# Crypto core or helper
-#
-CONFIG_CRYPTO_ALGAPI=y
-CONFIG_CRYPTO_ALGAPI2=y
-CONFIG_CRYPTO_AEAD=y
-CONFIG_CRYPTO_AEAD2=y
-CONFIG_CRYPTO_BLKCIPHER=y
-CONFIG_CRYPTO_BLKCIPHER2=y
-CONFIG_CRYPTO_HASH=y
-CONFIG_CRYPTO_HASH2=y
-CONFIG_CRYPTO_RNG=y
-CONFIG_CRYPTO_RNG2=y
-CONFIG_CRYPTO_RNG_DEFAULT=y
-CONFIG_CRYPTO_AKCIPHER2=y
-CONFIG_CRYPTO_KPP2=y
-CONFIG_CRYPTO_ACOMP2=y
-# CONFIG_CRYPTO_RSA is not set
-# CONFIG_CRYPTO_DH is not set
-CONFIG_CRYPTO_ECDH=m
-CONFIG_CRYPTO_MANAGER=y
-CONFIG_CRYPTO_MANAGER2=y
-# CONFIG_CRYPTO_USER is not set
-CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
-CONFIG_CRYPTO_GF128MUL=m
-CONFIG_CRYPTO_NULL=y
-CONFIG_CRYPTO_NULL2=y
-CONFIG_CRYPTO_WORKQUEUE=y
-# CONFIG_CRYPTO_CRYPTD is not set
-# CONFIG_CRYPTO_MCRYPTD is not set
-CONFIG_CRYPTO_AUTHENC=y
-# CONFIG_CRYPTO_TEST is not set
-
-#
-# Authenticated Encryption with Associated Data
-#
-CONFIG_CRYPTO_CCM=m
-CONFIG_CRYPTO_GCM=m
-# CONFIG_CRYPTO_CHACHA20POLY1305 is not set
-CONFIG_CRYPTO_SEQIV=m
-CONFIG_CRYPTO_ECHAINIV=y
-
-#
-# Block modes
-#
-CONFIG_CRYPTO_CBC=y
-CONFIG_CRYPTO_CTR=m
-# CONFIG_CRYPTO_CTS is not set
-CONFIG_CRYPTO_ECB=m
-# CONFIG_CRYPTO_LRW is not set
-CONFIG_CRYPTO_PCBC=m
-# CONFIG_CRYPTO_XTS is not set
-# CONFIG_CRYPTO_KEYWRAP is not set
-
-#
-# Hash modes
-#
-CONFIG_CRYPTO_CMAC=m
-CONFIG_CRYPTO_HMAC=y
-# CONFIG_CRYPTO_XCBC is not set
-# CONFIG_CRYPTO_VMAC is not set
-
-#
-# Digest
-#
-CONFIG_CRYPTO_CRC32C=y
-# CONFIG_CRYPTO_CRC32 is not set
-CONFIG_CRYPTO_CRCT10DIF=y
-CONFIG_CRYPTO_GHASH=m
-# CONFIG_CRYPTO_POLY1305 is not set
-CONFIG_CRYPTO_MD4=m
-CONFIG_CRYPTO_MD5=y
-# CONFIG_CRYPTO_MD5_PPC is not set
-# CONFIG_CRYPTO_MICHAEL_MIC is not set
-# CONFIG_CRYPTO_RMD128 is not set
-# CONFIG_CRYPTO_RMD160 is not set
-# CONFIG_CRYPTO_RMD256 is not set
-# CONFIG_CRYPTO_RMD320 is not set
-CONFIG_CRYPTO_SHA1=y
-# CONFIG_CRYPTO_SHA1_PPC is not set
-CONFIG_CRYPTO_SHA256=y
-CONFIG_CRYPTO_SHA512=m
-# CONFIG_CRYPTO_SHA3 is not set
-CONFIG_CRYPTO_TGR192=m
-CONFIG_CRYPTO_WP512=m
-
-#
-# Ciphers
-#
-CONFIG_CRYPTO_AES=y
-# CONFIG_CRYPTO_AES_TI is not set
-CONFIG_CRYPTO_ANUBIS=m
-CONFIG_CRYPTO_ARC4=m
-CONFIG_CRYPTO_BLOWFISH=m
-CONFIG_CRYPTO_BLOWFISH_COMMON=m
-# CONFIG_CRYPTO_CAMELLIA is not set
-CONFIG_CRYPTO_CAST_COMMON=m
-CONFIG_CRYPTO_CAST5=m
-CONFIG_CRYPTO_CAST6=m
-CONFIG_CRYPTO_DES=y
-# CONFIG_CRYPTO_FCRYPT is not set
-CONFIG_CRYPTO_KHAZAD=m
-# CONFIG_CRYPTO_SALSA20 is not set
-# CONFIG_CRYPTO_CHACHA20 is not set
-# CONFIG_CRYPTO_SEED is not set
-CONFIG_CRYPTO_SERPENT=m
-CONFIG_CRYPTO_TEA=m
-CONFIG_CRYPTO_TWOFISH=m
-CONFIG_CRYPTO_TWOFISH_COMMON=m
-
-#
-# Compression
-#
-CONFIG_CRYPTO_DEFLATE=m
-# CONFIG_CRYPTO_LZO is not set
-# CONFIG_CRYPTO_842 is not set
-# CONFIG_CRYPTO_LZ4 is not set
-# CONFIG_CRYPTO_LZ4HC is not set
-
-#
-# Random Number Generation
-#
-# CONFIG_CRYPTO_ANSI_CPRNG is not set
-CONFIG_CRYPTO_DRBG_MENU=y
-CONFIG_CRYPTO_DRBG_HMAC=y
-# CONFIG_CRYPTO_DRBG_HASH is not set
-# CONFIG_CRYPTO_DRBG_CTR is not set
-CONFIG_CRYPTO_DRBG=y
-CONFIG_CRYPTO_JITTERENTROPY=y
-# CONFIG_CRYPTO_USER_API_HASH is not set
-# CONFIG_CRYPTO_USER_API_SKCIPHER is not set
-# CONFIG_CRYPTO_USER_API_RNG is not set
-# CONFIG_CRYPTO_USER_API_AEAD is not set
-CONFIG_CRYPTO_HW=y
-# CONFIG_CRYPTO_DEV_HIFN_795X is not set
-# CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC is not set
-# CONFIG_ASYMMETRIC_KEY_TYPE is not set
-
-#
-# Certificates for signature checking
-#
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
-# CONFIG_VIRTUALIZATION is not set
diff --git a/main/linux-vanilla/config-vanilla.ppc64le b/main/linux-vanilla/config-vanilla.ppc64le
index e3789414158..98760c960e9 100644
--- a/main/linux-vanilla/config-vanilla.ppc64le
+++ b/main/linux-vanilla/config-vanilla.ppc64le
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/powerpc 4.19.50 Kernel Configuration
+# Linux/powerpc 4.19.118 Kernel Configuration
#
#
@@ -1346,6 +1346,7 @@ CONFIG_OF_NET=y
CONFIG_OF_MDIO=y
CONFIG_OF_RESERVED_MEM=y
# CONFIG_OF_OVERLAY is not set
+CONFIG_OF_DMA_DEFAULT_COHERENT=y
CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
CONFIG_PARPORT=m
CONFIG_PARPORT_PC=m
@@ -1938,7 +1939,7 @@ CONFIG_SWPHY=y
#
# CONFIG_AMD_PHY is not set
# CONFIG_AQUANTIA_PHY is not set
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
# CONFIG_AT803X_PHY is not set
# CONFIG_BCM7XXX_PHY is not set
# CONFIG_BCM87XX_PHY is not set
@@ -2617,10 +2618,10 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y
#
# Frame buffer Devices
#
-CONFIG_FB=y
-CONFIG_FIRMWARE_EDID=y
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
+CONFIG_FB=y
+CONFIG_FIRMWARE_EDID=y
CONFIG_FB_DDC=y
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
@@ -2922,7 +2923,6 @@ CONFIG_USB_STORAGE=m
# CONFIG_USB_EMI26 is not set
# CONFIG_USB_ADUTUX is not set
# CONFIG_USB_SEVSEG is not set
-# CONFIG_USB_RIO500 is not set
# CONFIG_USB_LEGOTOWER is not set
# CONFIG_USB_LCD is not set
# CONFIG_USB_CYPRESS_CY7C63 is not set
@@ -3199,7 +3199,6 @@ CONFIG_SPAPR_TCE_IOMMU=y
CONFIG_RPMSG=m
# CONFIG_RPMSG_CHAR is not set
CONFIG_RPMSG_VIRTIO=m
-# CONFIG_SOUNDWIRE is not set
#
# SOC (System On Chip) specific Drivers
diff --git a/main/linux-vanilla/config-vanilla.s390x b/main/linux-vanilla/config-vanilla.s390x
index b03e0169ad7..a6a27618340 100644
--- a/main/linux-vanilla/config-vanilla.s390x
+++ b/main/linux-vanilla/config-vanilla.s390x
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/s390 4.19.50 Kernel Configuration
+# Linux/s390 4.19.118 Kernel Configuration
#
#
@@ -1907,7 +1907,7 @@ CONFIG_PHYLIB=m
#
CONFIG_AMD_PHY=m
CONFIG_AQUANTIA_PHY=m
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
CONFIG_AT803X_PHY=m
# CONFIG_BCM7XXX_PHY is not set
CONFIG_BCM87XX_PHY=m
@@ -2356,7 +2356,6 @@ CONFIG_S390_IOMMU=y
CONFIG_RPMSG=m
# CONFIG_RPMSG_CHAR is not set
CONFIG_RPMSG_VIRTIO=m
-# CONFIG_SOUNDWIRE is not set
#
# SOC (System On Chip) specific Drivers
diff --git a/main/linux-vanilla/config-vanilla.x86 b/main/linux-vanilla/config-vanilla.x86
index d1e91c9b9f0..d0de674ee49 100644
--- a/main/linux-vanilla/config-vanilla.x86
+++ b/main/linux-vanilla/config-vanilla.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.50 Kernel Configuration
+# Linux/x86 4.19.118 Kernel Configuration
#
#
@@ -383,6 +383,9 @@ CONFIG_ARCH_USES_PG_UNCACHED=y
CONFIG_ARCH_RANDOM=y
CONFIG_X86_SMAP=y
CONFIG_X86_INTEL_UMIP=y
+CONFIG_X86_INTEL_TSX_MODE_OFF=y
+# CONFIG_X86_INTEL_TSX_MODE_ON is not set
+# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_SECCOMP=y
@@ -648,7 +651,7 @@ CONFIG_DCDBAS=m
CONFIG_DMIID=y
# CONFIG_DMI_SYSFS is not set
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
-# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_ISCSI_IBFT is not set
CONFIG_FW_CFG_SYSFS=m
# CONFIG_FW_CFG_SYSFS_CMDLINE is not set
# CONFIG_GOOGLE_FIRMWARE is not set
@@ -1800,7 +1803,6 @@ CONFIG_REGMAP=y
CONFIG_REGMAP_I2C=m
CONFIG_REGMAP_SPI=m
CONFIG_REGMAP_IRQ=y
-CONFIG_REGMAP_SOUNDWIRE=m
CONFIG_DMA_SHARED_BUFFER=y
# CONFIG_DMA_FENCE_TRACE is not set
@@ -2799,7 +2801,7 @@ CONFIG_SWPHY=y
CONFIG_SFP=m
CONFIG_AMD_PHY=m
CONFIG_AQUANTIA_PHY=m
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
CONFIG_AT803X_PHY=m
CONFIG_BCM7XXX_PHY=m
CONFIG_BCM87XX_PHY=m
@@ -4996,10 +4998,10 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y
#
# Frame buffer Devices
#
-CONFIG_FB=y
-# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
+CONFIG_FB=y
+# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_DDC=m
CONFIG_FB_BOOT_VESA_SUPPORT=y
CONFIG_FB_CFB_FILLRECT=y
@@ -5860,7 +5862,6 @@ CONFIG_USB_EMI62=m
CONFIG_USB_EMI26=m
CONFIG_USB_ADUTUX=m
CONFIG_USB_SEVSEG=m
-CONFIG_USB_RIO500=m
# CONFIG_USB_LEGOTOWER is not set
CONFIG_USB_LCD=m
CONFIG_USB_CYPRESS_CY7C63=m
@@ -6447,7 +6448,6 @@ CONFIG_SOUNDWIRE=y
#
# SoundWire Devices
#
-CONFIG_SOUNDWIRE_BUS=m
CONFIG_SOUNDWIRE_CADENCE=m
CONFIG_SOUNDWIRE_INTEL=m
diff --git a/main/linux-vanilla/config-vanilla.x86_64 b/main/linux-vanilla/config-vanilla.x86_64
index 167890ded23..aad290f9fa0 100644
--- a/main/linux-vanilla/config-vanilla.x86_64
+++ b/main/linux-vanilla/config-vanilla.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 4.19.50 Kernel Configuration
+# Linux/x86_64 4.19.118 Kernel Configuration
#
#
@@ -391,6 +391,9 @@ CONFIG_X86_SMAP=y
CONFIG_X86_INTEL_UMIP=y
# CONFIG_X86_INTEL_MPX is not set
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+CONFIG_X86_INTEL_TSX_MODE_OFF=y
+# CONFIG_X86_INTEL_TSX_MODE_ON is not set
+# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
CONFIG_EFI=y
CONFIG_EFI_STUB=y
# CONFIG_EFI_MIXED is not set
@@ -660,7 +663,7 @@ CONFIG_DCDBAS=m
CONFIG_DMIID=y
# CONFIG_DMI_SYSFS is not set
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
-# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_ISCSI_IBFT is not set
CONFIG_FW_CFG_SYSFS=m
# CONFIG_FW_CFG_SYSFS_CMDLINE is not set
# CONFIG_GOOGLE_FIRMWARE is not set
@@ -1843,7 +1846,6 @@ CONFIG_REGMAP=y
CONFIG_REGMAP_I2C=m
CONFIG_REGMAP_SPI=m
CONFIG_REGMAP_IRQ=y
-CONFIG_REGMAP_SOUNDWIRE=m
CONFIG_DMA_SHARED_BUFFER=y
# CONFIG_DMA_FENCE_TRACE is not set
@@ -2850,7 +2852,7 @@ CONFIG_SWPHY=y
CONFIG_SFP=m
CONFIG_AMD_PHY=m
CONFIG_AQUANTIA_PHY=m
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
CONFIG_AT803X_PHY=m
CONFIG_BCM7XXX_PHY=m
CONFIG_BCM87XX_PHY=m
@@ -5010,10 +5012,10 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y
#
# Frame buffer Devices
#
-CONFIG_FB=y
-# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
+CONFIG_FB=y
+# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_DDC=m
CONFIG_FB_BOOT_VESA_SUPPORT=y
CONFIG_FB_CFB_FILLRECT=y
@@ -5871,7 +5873,6 @@ CONFIG_USB_EMI62=m
CONFIG_USB_EMI26=m
CONFIG_USB_ADUTUX=m
CONFIG_USB_SEVSEG=m
-CONFIG_USB_RIO500=m
# CONFIG_USB_LEGOTOWER is not set
CONFIG_USB_LCD=m
CONFIG_USB_CYPRESS_CY7C63=m
@@ -6501,7 +6502,6 @@ CONFIG_SOUNDWIRE=y
#
# SoundWire Devices
#
-CONFIG_SOUNDWIRE_BUS=m
CONFIG_SOUNDWIRE_CADENCE=m
CONFIG_SOUNDWIRE_INTEL=m
diff --git a/main/linux-vanilla/config-virt.aarch64 b/main/linux-vanilla/config-virt.aarch64
index 9a587f93bf3..c50622561e5 100644
--- a/main/linux-vanilla/config-virt.aarch64
+++ b/main/linux-vanilla/config-virt.aarch64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 4.19.50 Kernel Configuration
+# Linux/arm64 4.19.118 Kernel Configuration
#
#
@@ -531,6 +531,7 @@ CONFIG_ARM_SCPI_POWER_DOMAIN=m
# CONFIG_FIRMWARE_MEMMAP is not set
CONFIG_DMIID=y
CONFIG_DMI_SYSFS=m
+# CONFIG_ISCSI_IBFT is not set
CONFIG_FW_CFG_SYSFS=m
# CONFIG_FW_CFG_SYSFS_CMDLINE is not set
CONFIG_HAVE_ARM_SMCCC=y
@@ -1580,6 +1581,7 @@ CONFIG_ALLOW_DEV_COREDUMP=y
# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set
CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
CONFIG_REGMAP=y
CONFIG_REGMAP_I2C=m
CONFIG_REGMAP_MMIO=y
@@ -2125,6 +2127,7 @@ CONFIG_ETHERNET=y
# CONFIG_NET_VENDOR_ALTEON is not set
# CONFIG_ALTERA_TSE is not set
CONFIG_NET_VENDOR_AMAZON=y
+# CONFIG_ENA_ETHERNET is not set
# CONFIG_NET_VENDOR_AMD is not set
# CONFIG_NET_XGENE is not set
# CONFIG_NET_XGENE_V2 is not set
@@ -2218,7 +2221,7 @@ CONFIG_SWPHY=y
#
# CONFIG_AMD_PHY is not set
# CONFIG_AQUANTIA_PHY is not set
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
# CONFIG_AT803X_PHY is not set
# CONFIG_BCM7XXX_PHY is not set
# CONFIG_BCM87XX_PHY is not set
@@ -2970,10 +2973,10 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=m
#
# Frame buffer Devices
#
-CONFIG_FB=m
-# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
+CONFIG_FB=m
+# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CFB_FILLRECT=m
CONFIG_FB_CFB_COPYAREA=m
CONFIG_FB_CFB_IMAGEBLIT=m
@@ -3255,7 +3258,6 @@ CONFIG_USB_UAS=m
# CONFIG_USB_EMI26 is not set
# CONFIG_USB_ADUTUX is not set
# CONFIG_USB_SEVSEG is not set
-# CONFIG_USB_RIO500 is not set
# CONFIG_USB_LEGOTOWER is not set
# CONFIG_USB_LCD is not set
# CONFIG_USB_CYPRESS_CY7C63 is not set
diff --git a/main/linux-vanilla/config-virt.x86 b/main/linux-vanilla/config-virt.x86
index b9982f37ffb..acfcb0fc55c 100644
--- a/main/linux-vanilla/config-virt.x86
+++ b/main/linux-vanilla/config-virt.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.50 Kernel Configuration
+# Linux/x86 4.19.118 Kernel Configuration
#
#
@@ -377,6 +377,9 @@ CONFIG_ARCH_USES_PG_UNCACHED=y
CONFIG_ARCH_RANDOM=y
# CONFIG_X86_SMAP is not set
CONFIG_X86_INTEL_UMIP=y
+CONFIG_X86_INTEL_TSX_MODE_OFF=y
+# CONFIG_X86_INTEL_TSX_MODE_ON is not set
+# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
# CONFIG_EFI is not set
CONFIG_SECCOMP=y
CONFIG_HZ_100=y
@@ -609,7 +612,7 @@ CONFIG_FIRMWARE_MEMMAP=y
CONFIG_DMIID=y
# CONFIG_DMI_SYSFS is not set
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
-# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_ISCSI_IBFT is not set
CONFIG_FW_CFG_SYSFS=m
# CONFIG_FW_CFG_SYSFS_CMDLINE is not set
# CONFIG_GOOGLE_FIRMWARE is not set
@@ -2100,7 +2103,7 @@ CONFIG_PHYLIB=m
#
# CONFIG_AMD_PHY is not set
# CONFIG_AQUANTIA_PHY is not set
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
# CONFIG_AT803X_PHY is not set
# CONFIG_BCM7XXX_PHY is not set
# CONFIG_BCM87XX_PHY is not set
@@ -2844,10 +2847,10 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=m
#
# Frame buffer Devices
#
-CONFIG_FB=m
-# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
+CONFIG_FB=m
+# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CFB_FILLRECT=m
CONFIG_FB_CFB_COPYAREA=m
CONFIG_FB_CFB_IMAGEBLIT=m
@@ -3121,7 +3124,6 @@ CONFIG_USB_UAS=m
# CONFIG_USB_EMI26 is not set
# CONFIG_USB_ADUTUX is not set
# CONFIG_USB_SEVSEG is not set
-# CONFIG_USB_RIO500 is not set
# CONFIG_USB_LEGOTOWER is not set
# CONFIG_USB_LCD is not set
# CONFIG_USB_CYPRESS_CY7C63 is not set
diff --git a/main/linux-vanilla/config-virt.x86_64 b/main/linux-vanilla/config-virt.x86_64
index 63da460c64e..6448072900a 100644
--- a/main/linux-vanilla/config-virt.x86_64
+++ b/main/linux-vanilla/config-virt.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 4.19.50 Kernel Configuration
+# Linux/x86_64 4.19.118 Kernel Configuration
#
#
@@ -377,6 +377,9 @@ CONFIG_ARCH_RANDOM=y
CONFIG_X86_INTEL_UMIP=y
# CONFIG_X86_INTEL_MPX is not set
# CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS is not set
+CONFIG_X86_INTEL_TSX_MODE_OFF=y
+# CONFIG_X86_INTEL_TSX_MODE_ON is not set
+# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
CONFIG_EFI=y
CONFIG_EFI_STUB=y
# CONFIG_EFI_MIXED is not set
@@ -614,7 +617,7 @@ CONFIG_FIRMWARE_MEMMAP=y
CONFIG_DMIID=y
# CONFIG_DMI_SYSFS is not set
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
-# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_ISCSI_IBFT is not set
CONFIG_FW_CFG_SYSFS=m
# CONFIG_FW_CFG_SYSFS_CMDLINE is not set
# CONFIG_GOOGLE_FIRMWARE is not set
@@ -2151,7 +2154,7 @@ CONFIG_PHYLIB=m
#
# CONFIG_AMD_PHY is not set
# CONFIG_AQUANTIA_PHY is not set
-# CONFIG_ASIX_PHY is not set
+# CONFIG_AX88796B_PHY is not set
# CONFIG_AT803X_PHY is not set
# CONFIG_BCM7XXX_PHY is not set
# CONFIG_BCM87XX_PHY is not set
@@ -2902,10 +2905,10 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=m
#
# Frame buffer Devices
#
-CONFIG_FB=m
-# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
+CONFIG_FB=m
+# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_CFB_FILLRECT=m
CONFIG_FB_CFB_COPYAREA=m
CONFIG_FB_CFB_IMAGEBLIT=m
@@ -3184,7 +3187,6 @@ CONFIG_USB_UAS=m
# CONFIG_USB_EMI26 is not set
# CONFIG_USB_ADUTUX is not set
# CONFIG_USB_SEVSEG is not set
-# CONFIG_USB_RIO500 is not set
# CONFIG_USB_LEGOTOWER is not set
# CONFIG_USB_LCD is not set
# CONFIG_USB_CYPRESS_CY7C63 is not set
diff --git a/main/mariadb-connector-c/APKBUILD b/main/mariadb-connector-c/APKBUILD
index 0d01de5763f..90e853563bf 100644
--- a/main/mariadb-connector-c/APKBUILD
+++ b/main/mariadb-connector-c/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb-connector-c
pkgver=3.0.8
-pkgrel=0
+pkgrel=1
pkgdesc="The MariaDB Native Client library (C driver)"
url="https://mariadb.org/"
arch="all"
@@ -10,12 +10,17 @@ depends_dev="openssl-dev zlib-dev"
makedepends="$depends_dev cmake"
replaces="mariadb-client-libs"
subpackages="$pkgname-dev"
-source="https://downloads.mariadb.org/interstitial/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz
+source="https://downloads.mariadb.com/Connectors/c/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz
cmake.patch
fix-ucontext-header.patch
+ CVE-2020-13249.patch
"
builddir="$srcdir/mariadb-connector-c-$pkgver-src"
+# secfixes:
+# 3.0.8-r1:
+# - CVE-2020-13249
+
build() {
cd "$builddir"
if [ "$CBUILD" != "$CHOST" ]; then
@@ -57,7 +62,7 @@ dev() {
replaces="mariadb-dev"
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-
sha512sums="d9f970c7ac164ef7d8dd748bf2f749cc1f877a9c8f68a1d57e9ff62d95046bb9505619feca1f1d0d1cdefc1ac49489742aadf4ad9e47c8e6a9b8b40c56eed788 mariadb-connector-c-3.0.8-src.tar.gz
027a9d383ce27a527b77ac06b9505709cad8fe0173455863590f502996966300fedea87687630113d74e5b9be5349217b18206c2dbb89f7064129cb5417e44cf cmake.patch
-ad52cccb5517d11838bf16aee5aff63d87075e9ef5787e726d8bfea2854d3e2b5fa7aa94c0e93b1f7e7e21f48d21b1b6fcdd161fadb9999dcc7a3a5b8e12d883 fix-ucontext-header.patch"
+ad52cccb5517d11838bf16aee5aff63d87075e9ef5787e726d8bfea2854d3e2b5fa7aa94c0e93b1f7e7e21f48d21b1b6fcdd161fadb9999dcc7a3a5b8e12d883 fix-ucontext-header.patch
+4370a517bc082e5aca8ebc0abf1ace7742af6cffc7f0c12b70705b31885a573192bbac473a9d0322582e64a75698db86bd36db23558dd1c1e1eaf693632a559f CVE-2020-13249.patch"
diff --git a/main/mariadb-connector-c/CVE-2020-13249.patch b/main/mariadb-connector-c/CVE-2020-13249.patch
new file mode 100644
index 00000000000..8f58063c4ee
--- /dev/null
+++ b/main/mariadb-connector-c/CVE-2020-13249.patch
@@ -0,0 +1,154 @@
+diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
+index 4c1108b..1f04c35 100644
+--- a/libmariadb/mariadb_lib.c
++++ b/libmariadb/mariadb_lib.c
+@@ -76,6 +76,8 @@
+ #define ASYNC_CONTEXT_DEFAULT_STACK_SIZE (4096*15)
+ #define MA_RPL_VERSION_HACK "5.5.5-"
+
++#define CHARSET_NAME_LEN 64
++
+ #undef max_allowed_packet
+ #undef net_buffer_length
+ extern ulong max_allowed_packet; /* net.c */
+@@ -2029,6 +2031,7 @@ mysql_send_query(MYSQL* mysql, const char* query, unsigned long length)
+
+ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ {
++ uchar *end= mysql->net.read_pos+length;
+ size_t item_len;
+ mysql->affected_rows= net_field_length_ll(&pos);
+ mysql->insert_id= net_field_length_ll(&pos);
+@@ -2036,10 +2039,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ pos+=2;
+ mysql->warning_count=uint2korr(pos);
+ pos+=2;
+- if (pos < mysql->net.read_pos+length)
++ if (pos > end)
++ goto corrupted;
++ if (pos < end)
+ {
+ if ((item_len= net_field_length(&pos)))
+ mysql->info=(char*) pos;
++ if (pos + item_len > end)
++ goto corrupted;
+
+ /* check if server supports session tracking */
+ if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)
+@@ -2050,23 +2057,26 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (mysql->server_status & SERVER_SESSION_STATE_CHANGED)
+ {
+ int i;
+- if (pos < mysql->net.read_pos + length)
++ if (pos < end)
+ {
+ LIST *session_item;
+ MYSQL_LEX_STRING *str= NULL;
+ enum enum_session_state_type si_type;
+ uchar *old_pos= pos;
+- size_t item_len= net_field_length(&pos); /* length for all items */
++
++ item_len= net_field_length(&pos); /* length for all items */
++ if (pos + item_len > end)
++ goto corrupted;
++ end= pos + item_len;
+
+ /* length was already set, so make sure that info will be zero terminated */
+ if (mysql->info)
+ *old_pos= 0;
+
+- while (item_len > 0)
++ while (pos < end)
+ {
+ size_t plen;
+ char *data;
+- old_pos= pos;
+ si_type= (enum enum_session_state_type)net_field_length(&pos);
+ switch(si_type) {
+ case SESSION_TRACK_SCHEMA:
+@@ -2076,15 +2086,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (si_type != SESSION_TRACK_STATE_CHANGE)
+ net_field_length(&pos); /* ignore total length, item length will follow next */
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ if (!ma_multi_malloc(0,
+ &session_item, sizeof(LIST),
+ &str, sizeof(MYSQL_LEX_STRING),
+ &data, plen,
+ NULL))
+- {
+- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
+- return -1;
+- }
++ goto oom;
+ str->length= plen;
+ str->str= data;
+ memcpy(str->str, (char *)pos, plen);
+@@ -2107,29 +2116,28 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ if (!strncmp(str->str, "character_set_client", str->length))
+ set_charset= 1;
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ if (!ma_multi_malloc(0,
+ &session_item, sizeof(LIST),
+ &str, sizeof(MYSQL_LEX_STRING),
+ &data, plen,
+ NULL))
+- {
+- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
+- return -1;
+- }
++ goto oom;
+ str->length= plen;
+ str->str= data;
+ memcpy(str->str, (char *)pos, plen);
+ pos+= plen;
+ session_item->data= str;
+ mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item);
+- if (set_charset &&
++ if (set_charset && str->length < CHARSET_NAME_LEN &&
+ strncmp(mysql->charset->csname, str->str, str->length) != 0)
+ {
+- char cs_name[64];
+- MARIADB_CHARSET_INFO *cs_info;
++ char cs_name[CHARSET_NAME_LEN];
++ const MARIADB_CHARSET_INFO *cs_info;
+ memcpy(cs_name, str->str, str->length);
+ cs_name[str->length]= 0;
+- if ((cs_info = (MARIADB_CHARSET_INFO *)mysql_find_charset_name(cs_name)))
++ if ((cs_info = mysql_find_charset_name(cs_name)))
+ mysql->charset= cs_info;
+ }
+ }
+@@ -2137,10 +2145,11 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ default:
+ /* not supported yet */
+ plen= net_field_length(&pos);
++ if (pos + plen > end)
++ goto corrupted;
+ pos+= plen;
+ break;
+ }
+- item_len-= (pos - old_pos);
+ }
+ }
+ for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++)
+@@ -2155,6 +2164,16 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)
+ else if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)
+ ma_clear_session_state(mysql);
+ return(0);
++
++oom:
++ ma_clear_session_state(mysql);
++ SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);
++ return -1;
++
++corrupted:
++ ma_clear_session_state(mysql);
++ SET_CLIENT_ERROR(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0);
++ return -1;
+ }
+
+ int mthd_my_read_query_result(MYSQL *mysql)
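Review bot: The added bounds checks in ma_read_ok_packet are written as `pos + plen > end` (and `pos + item_len > end`), where the length was just decoded from the packet by net_field_length(). Adding an untrusted length to a pointer before comparing can move it outside the buffer, which is undefined in C. On 32-bit targets it may wrap, so the check passes for a very large length. Comparing the length with the space that is left avoids the addition: `if (pos > end || plen > (size_t)(end - pos)) goto corrupted;`, and likewise for the two `item_len` checks. The `pos > end` half is needed because net_field_length() may already have advanced `pos` past `end`. The function appears here only as patch excerpts, so whether net_field_length() itself can read beyond `end` should be confirmed against the full source.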
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index d6782d02ccf..74757d0bd18 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -6,7 +6,7 @@
# Contributor: Marcel Haazen <marcel@haazen.xyz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.3.17
+pkgver=10.3.25
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -19,7 +19,7 @@ checkdepends="perl"
_mytopdeps="perl perl-dbi perl-dbd-mysql perl-getopt-long perl-socket perl-term-readkey"
depends_dev="openssl-dev zlib-dev mariadb-connector-c-dev"
makedepends="$depends_dev bison cmake curl-dev libaio-dev libarchive-dev libevent-dev
- libxml2-dev ncurses-dev pcre-dev readline-dev xz-dev linux-headers
+ libxml2-dev ncurses-dev pcre-dev readline-dev xz-dev linux-headers linux-pam-dev
$_mytopdeps"
install="$pkgname.pre-install $pkgname-common.post-upgrade"
subpackages="$pkgname-static $pkgname-test:mytest $pkgname-embedded-dev:_embedded_dev
@@ -27,7 +27,7 @@ subpackages="$pkgname-static $pkgname-test:mytest $pkgname-embedded-dev:_embedde
$pkgname-client $pkgname-bench $pkgname-backup $pkgname-embedded $pkgname-mytop
$pkgname-server-utils:_server_utils
mysql mysql-client:_compat_client mysql-bench:_compat_bench"
-options="!checkroot"
+options="!checkroot suid"
_enable_rocksdb=YES
case "$CARCH" in
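Review bot: `options="!checkroot suid"` allows the package to ship setuid binaries, but nothing in the APKBUILD says which file needs it or why. It appears to belong to enabling the PAM authentication plugin: the makedepends hunk adds `linux-pam-dev` and the build() hunk drops `-DPLUGIN_AUTH_PAM=NO`. That is a feature change carried along with a security upgrade. I would add a comment above the line, for example `# suid: setuid helper installed by the PAM auth plugin` (wording to be confirmed against what the build actually installs), and verify the owner and mode of that helper in the resulting package.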
@@ -49,6 +49,18 @@ source="https://downloads.mariadb.org/interstitial/mariadb-$pkgver/source/mariad
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 10.3.25-r0:
+# - CVE-2020-15180
+# 10.3.23-r0:
+# - CVE-2020-2752
+# - CVE-2020-2760
+# - CVE-2020-2812
+# - CVE-2020-2814
+# 10.3.22-r0:
+# - CVE-2020-2574
+# 10.3.20-r0:
+# - CVE-2019-2938
+# - CVE-2019-2974
# 10.3.17-r0:
# - CVE-2019-2805
# - CVE-2019-2740
@@ -148,7 +160,6 @@ build() {
-DPLUGIN_ROCKSDB=$_enable_rocksdb \
-DPLUGIN_SPHINX=NO \
-DPLUGIN_TOKUDB=NO \
- -DPLUGIN_AUTH_PAM=NO \
-DPLUGIN_AUTH_GSSAPI=NO \
-DPLUGIN_AUTH_GSSAPI_CLIENT=OFF \
-DPLUGIN_CRACKLIB_PASSWORD_CHECK=NO \
@@ -431,7 +442,7 @@ _plugin_rocksdb() {
"$subpkgdir"/usr/lib/mariadb/plugin/ha_rocksdb.so
}
-sha512sums="6fba995d8c284a12f19ee5635f5d69d8fa89fc314f512cd1764b2c4593933baf71a472ddce630463debd3bfbafa1cf5afee3f40d3c4062242f58cea16259561e mariadb-10.3.17.tar.gz
+sha512sums="9504e401db3b65b2b2bd4d3c91a468d357e82fdafbf90d54539a291e46570c2bed66ae047b17b9da95e925f8970fa048d329ba06c2dd6de7d46d5a0f2aad1f4d mariadb-10.3.25.tar.gz
c352969f6665b0ffa387f7b185a5dea7751f4b16c12c809627857b27321efa09159369d7dd5c852d6159a9f173cb895fb601f0c52a1fa6e3527899520030964c mariadb.initd
ecfea6503edd301bb628e2a44f36315079efa70e7615ff06b27714397332034f02e68ef40d4d5c761942e024ed1993621127c9df80b7e2327c68b1d839a7a322 fix-c11-atomics-check.patch
e9ae4613f1d8c5f0a59b39a3548c46e50674ae78e7457d0e64c49f7e1573125c13634bbce7e29179bb8865a423171f852f43b96f7ef95619a95f02edcfc71efd ppc-remove-glibc-dep.patch
diff --git a/main/mcpp/APKBUILD b/main/mcpp/APKBUILD
index 85aaff93b30..f102d1dc8ec 100644
--- a/main/mcpp/APKBUILD
+++ b/main/mcpp/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=mcpp
pkgver=2.7.2
-pkgrel=1
+pkgrel=2
pkgdesc="A portable C preprocessor"
url="http://mcpp.sourceforge.net"
arch="all"
@@ -13,7 +13,12 @@ makedepends=""
subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
source="https://downloads.sourceforge.net/${pkgname}/${pkgname}-${pkgver}.tar.gz
01-zeroc-fixes.patch
- 02-gniibe-fixes.patch"
+ 02-gniibe-fixes.patch
+ CVE-2019-14274.patch"
+
+# secfixes:
+# 2.7.2-r2:
+# - CVE-2019-14274
prepare() {
cd "$builddir"
@@ -45,12 +50,7 @@ package() {
"$pkgdir"/usr/share/licenses/$pkgname/LICENSE || return 1
}
-md5sums="512de48c87ab023a69250edc7a0c7b05 mcpp-2.7.2.tar.gz
-e231a2c976ccf14b548deaee840faeb7 01-zeroc-fixes.patch
-1801827678e80d0ef73655a88064a35b 02-gniibe-fixes.patch"
-sha256sums="3b9b4421888519876c4fc68ade324a3bbd81ceeb7092ecdbbc2055099fcb8864 mcpp-2.7.2.tar.gz
-6ed331f58edc7a24e769ac065ab43ed9f09f06487fda37095cacd413b81f522c 01-zeroc-fixes.patch
-30a790e63e387a95e45c2b73b3942948e1e852155250dd769a5598c33d374504 02-gniibe-fixes.patch"
sha512sums="1ca885cb13fdb684de9d0595a9215b52f48a93a69077d82cdcacafe40d9a61fb77b00a3ff2b8890e7bc0a0fcc0c8d70d4093c00c280351cd4459aba67c573235 mcpp-2.7.2.tar.gz
86b2e851490e180dfe3028a5a37019ea423924c921ab053a642fb78d4533a87f913ede2928daf9da4daf60e67795a24521186b40c76961ae99ebeb75f8aa95ad 01-zeroc-fixes.patch
-a31a0f2e7430381e5e62ea4257a35891ce9d2f3beed60c6caad3b6d298a58557e9c850223840ef8c6f6c2e8139cf4a4edf29ac93b2532680feafba503fcfaf6d 02-gniibe-fixes.patch"
+a31a0f2e7430381e5e62ea4257a35891ce9d2f3beed60c6caad3b6d298a58557e9c850223840ef8c6f6c2e8139cf4a4edf29ac93b2532680feafba503fcfaf6d 02-gniibe-fixes.patch
+12a72a2c527358effc4ed8e0c5f80f1a06a005ba3b050c7d99a4aa67ad5fe7e4c4c2a75d0808382b67e359076c5bac6065ec284d32f55e7e31466331a47db882 CVE-2019-14274.patch"
diff --git a/main/mcpp/CVE-2019-14274.patch b/main/mcpp/CVE-2019-14274.patch
new file mode 100644
index 00000000000..717b16fe9dd
--- /dev/null
+++ b/main/mcpp/CVE-2019-14274.patch
@@ -0,0 +1,52 @@
+Description: Fix for a bug reported to sourceforge.net #13
+ by fixing error messages.
+ Also, fix erroneous messages.
+Author: NIIBE Yutaka
+
+Index: mcpp/src/support.c
+===================================================================
+--- mcpp.orig/src/support.c
++++ mcpp/src/support.c
+@@ -822,7 +822,7 @@ escape:
+ if (diag && iscntrl( c) && ((char_type[ c] & SPA) == 0)
+ && (warn_level & 1))
+ cwarn(
+- "Illegal control character %.0s0lx%02x in quotation" /* _W1_ */
++ "Illegal control character %.0s0x%02x in quotation" /* _W1_ */
+ , NULL, (long) c, NULL);
+ *out_p++ = c;
+ chk_limit:
+@@ -861,10 +861,10 @@ chk_limit:
+ if (mcpp_mode != POST_STD && option_flags.lang_asm) {
+ /* STD, KR */
+ if (warn_level & 1)
+- cwarn( unterm_char, out, 0L, NULL); /* _W1_ */
++ cwarn( unterm_char, NULL, (long)delim, NULL); /* _W1_ */
+ goto done;
+ } else {
+- cerror( unterm_char, out, 0L, skip); /* _E_ */
++ cerror( unterm_char, NULL, (long)delim, skip); /* _E_ */
+ }
+ } else {
+ cerror( "Unterminated header name %s%.0ld%s" /* _E_ */
+@@ -875,9 +875,9 @@ chk_limit:
+ if (mcpp_mode != POST_STD && option_flags.lang_asm) {
+ /* STD, KR */
+ if (warn_level & 1)
+- cwarn( empty_const, out, 0L, skip); /* _W1_ */
++ cwarn( empty_const, NULL, (long)delim, skip); /* _W1_ */
+ } else {
+- cerror( empty_const, out, 0L, skip); /* _E_ */
++ cerror( empty_const, NULL, (long)delim, skip); /* _E_ */
+ out_p = NULL;
+ goto done;
+ }
+@@ -1774,7 +1774,7 @@ not_comment:
+ default:
+ if (iscntrl( c)) {
+ cerror( /* Skip the control character */
+- "Illegal control character %.0s0x%lx, skipped the character" /* _E_ */
++ "Illegal control character %.0s0x%02x, skipped the character" /* _E_ */
+ , NULL, (long) c, NULL);
+ } else { /* Any valid character */
+ *tp++ = c;
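Review bot: Both rewritten control-character messages use `0x%02x` while the argument passed for it is still `(long) c`. If cwarn() and cerror() forward their arguments to a printf-style formatter, as the format strings suggest, `%x` with a `long` is a type mismatch. The second message previously used the matching `%lx`. `0x%02lx` keeps the two-digit output and agrees with the cast. The definitions of cwarn(), cerror(), `unterm_char` and `empty_const` are outside these hunks, so the conversions used for the new `(long)delim` arguments should be checked against them as well.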
diff --git a/main/mkinitfs/APKBUILD b/main/mkinitfs/APKBUILD
index 92c7deaf5bc..aa130af24ef 100644
--- a/main/mkinitfs/APKBUILD
+++ b/main/mkinitfs/APKBUILD
@@ -2,7 +2,7 @@
pkgname=mkinitfs
pkgver=3.4.1
_ver=${pkgver%_git*}
-pkgrel=0
+pkgrel=1
pkgdesc="Tool to generate initramfs images for Alpine"
url="https://git.alpinelinux.org/cgit/mkinitfs"
arch="all"
@@ -17,6 +17,7 @@ subpackages="$pkgname-doc"
install="$pkgname.pre-upgrade $pkgname.post-install $pkgname.post-upgrade"
triggers="$pkgname.trigger=/usr/share/kernel/*"
source="https://dev.alpinelinux.org/archive/$pkgname/$pkgname-$_ver.tar.xz
+ add-feature-rpirtc.patch
"
builddir="$srcdir/$pkgname-$_ver"
@@ -31,4 +32,5 @@ package() {
make install DESTDIR="$pkgdir"
}
-sha512sums="3839f3ec4ca9f7318a611397c7190d19ae2267f31ffa97bb3777a024940799bccef3db7374d3c840b95290c493b2d3795ed2d03d72eb984c202de00c182eef77 mkinitfs-3.4.1.tar.xz"
+sha512sums="3839f3ec4ca9f7318a611397c7190d19ae2267f31ffa97bb3777a024940799bccef3db7374d3c840b95290c493b2d3795ed2d03d72eb984c202de00c182eef77 mkinitfs-3.4.1.tar.xz
+52a53a936cbe3771c5316cf5c40ef14eca31556f5559af98389955d1924509db65c550f07eaa9af2afe294dc79eaeb916499b8c9e7386646c40419d868b32d28 add-feature-rpirtc.patch"
diff --git a/main/mkinitfs/add-feature-rpirtc.patch b/main/mkinitfs/add-feature-rpirtc.patch
new file mode 100644
index 00000000000..b011427d661
--- /dev/null
+++ b/main/mkinitfs/add-feature-rpirtc.patch
@@ -0,0 +1,44 @@
+From 9750fe09a0c322f3d669a31179c87ffade7b1dd7 Mon Sep 17 00:00:00 2001
+From: Henrik Riomar <henrik.riomar@gmail.com>
+Date: Tue, 15 Oct 2019 12:59:43 +0200
+Subject: [PATCH] add feature rpirtc
+
+Add new feature rpi rtc allowing a hw rtc to be used.
+
+The init script in Alpine Linux since v3.9 looks for /dev/rtc, if
+not found it will switch to swclock.
+
+To make this check work on a Rasberry PI with a mounted rtc and
+the following in usercfg.txt
+ dtoverlay=i2c-rtc,ds3231
+we must have rtc drivers available already initramfs.
+
+(cherry picked from commit 89f9c4fb0dd3a69dea4cb7ecead55692c9732e06)
+---
+ Makefile | 1 +
+ features.d/rpirtc.modules | 1 +
+ 2 files changed, 2 insertions(+)
+ create mode 100644 features.d/rpirtc.modules
+
+diff --git a/Makefile b/Makefile
+index c48c568..ae1d1ce 100644
+--- a/Makefile
++++ b/Makefile
+@@ -43,6 +43,7 @@ CONF_FILES := mkinitfs.conf \
+ features.d/raid.files \
+ features.d/raid.modules \
+ features.d/reiserfs.modules \
++ features.d/rpirtc.modules \
+ features.d/scsi.modules \
+ features.d/squashfs.modules \
+ features.d/ubifs.modules \
+diff --git a/features.d/rpirtc.modules b/features.d/rpirtc.modules
+new file mode 100644
+index 0000000..91c8ad3
+--- /dev/null
++++ b/features.d/rpirtc.modules
+@@ -0,0 +1 @@
++kernel/drivers/rtc/rtc-ds1307.ko
+--
+2.24.1
+
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index 390644b80f1..321287eea67 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -1,13 +1,14 @@
-# Contributor: William Pitcock <nenolod@dereferenced.org>
+# Contributor: Ariadne Conill <ariadne@dereferenced.org>
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=musl
pkgver=1.1.20
-pkgrel=5
+pkgrel=6
pkgdesc="the musl c library (libc) implementation"
url="http://www.musl-libc.org/"
arch="all"
license="MIT"
subpackages="$pkgname-dev $pkgname-dbg libc6-compat:compat:noarch"
+options="lib64"
case "$BOOTSTRAP" in
nocc) pkgname="musl-dev"; subpackages="";;
nolibc) ;;
@@ -21,6 +22,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
0001-fix-getaddrinfo-regression-with-AI_ADDRCONFIG-on-som.patch
s390x-fadv.patch
+ wcsnrtombs-cve-2020-28928.diff
+
ldconfig
__stack_chk_fail_local.c
getconf.c
@@ -29,6 +32,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
"
# secfixes:
+# 1.1.20-r6:
+# - CVE-2020-28928
# 1.1.20-r5:
# - CVE-2019-14697
# 1.1.15-r4:
@@ -157,6 +162,7 @@ sha512sums="d3a7a30aa375ca50d7dcfbd618581d59e1aa5378417f50a0ca5510099336fd74cc9d
ab34509cec7419c11352094ed6acf14e5766b314bd2b96506a0d0203e61e90e85ea9a121f1fefc0d00bcba381778d579ea2c02325605344530420305fcf1a0d0 0001-fix-race-condition-in-file-locking.patch
20f9db1f96d4867fb0e4d4e1b4b323e1871ce5660896c8608f7a5147d247f6c6840f84eff25ae8f8b7cf04af0f586afed00acb6abcbedd4240a4678359fa6dc9 0001-fix-getaddrinfo-regression-with-AI_ADDRCONFIG-on-som.patch
e9c9135f6dc3260e62ae6e9c45f3c43574af6ff2c2bfe411eb83f7e80d13bb8c86425cb41fc961e27f7bc15f679db1fbfb267e401bbe81d6cd5b872eb9b1f471 s390x-fadv.patch
+35dc5df28d90d1c84f9100116b63ba9e7fd44a20f512d12760da5e01f1aec4e799f726cbafb586bae568ff4f6d5a70948f1bf9fb901f1ca7dfcdf35c5d7510a6 wcsnrtombs-cve-2020-28928.diff
8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig
062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b __stack_chk_fail_local.c
0d80f37b34a35e3d14b012257c50862dfeb9d2c81139ea2dfa101d981d093b009b9fa450ba27a708ac59377a48626971dfc58e20a3799084a65777a0c32cbc7d getconf.c
diff --git a/main/musl/wcsnrtombs-cve-2020-28928.diff b/main/musl/wcsnrtombs-cve-2020-28928.diff
new file mode 100644
index 00000000000..8465f9422a8
--- /dev/null
+++ b/main/musl/wcsnrtombs-cve-2020-28928.diff
@@ -0,0 +1,65 @@
+diff --git a/src/multibyte/wcsnrtombs.c b/src/multibyte/wcsnrtombs.c
+index 676932b5..95e25e70 100644
+--- a/src/multibyte/wcsnrtombs.c
++++ b/src/multibyte/wcsnrtombs.c
+@@ -1,41 +1,33 @@
+ #include <wchar.h>
++#include <limits.h>
++#include <string.h>
+
+ size_t wcsnrtombs(char *restrict dst, const wchar_t **restrict wcs, size_t wn, size_t n, mbstate_t *restrict st)
+ {
+- size_t l, cnt=0, n2;
+- char *s, buf[256];
+ const wchar_t *ws = *wcs;
+- const wchar_t *tmp_ws;
+-
+- if (!dst) s = buf, n = sizeof buf;
+- else s = dst;
+-
+- while ( ws && n && ( (n2=wn)>=n || n2>32 ) ) {
+- if (n2>=n) n2=n;
+- tmp_ws = ws;
+- l = wcsrtombs(s, &ws, n2, 0);
+- if (!(l+1)) {
+- cnt = l;
+- n = 0;
++ size_t cnt = 0;
++ if (!dst) n=0;
++ while (ws && wn) {
++ char tmp[MB_LEN_MAX];
++ size_t l = wcrtomb(n<MB_LEN_MAX ? tmp : dst, *ws, 0);
++ if (l==-1) {
++ cnt = -1;
+ break;
+ }
+- if (s != buf) {
+- s += l;
++ if (dst) {
++ if (n<MB_LEN_MAX) {
++ if (l>n) break;
++ memcpy(dst, tmp, l);
++ }
++ dst += l;
+ n -= l;
+ }
+- wn = ws ? wn - (ws - tmp_ws) : 0;
+- cnt += l;
+- }
+- if (ws) while (n && wn) {
+- l = wcrtomb(s, *ws, 0);
+- if ((l+1)<=1) {
+- if (!l) ws = 0;
+- else cnt = l;
++ if (!*ws) {
++ ws = 0;
+ break;
+ }
+- ws++; wn--;
+- /* safe - this loop runs fewer than sizeof(buf) times */
+- s+=l; n-=l;
++ ws++;
++ wn--;
+ cnt += l;
+ }
+ if (dst) *wcs = ws;
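Review bot: The patch file is added without any provenance header: it opens straight at `diff --git a/src/multibyte/wcsnrtombs.c`, with no author, subject or upstream commit reference, so a later maintainer cannot check this backport against the upstream fix for CVE-2020-28928. Prepending a short header such as `Upstream: yes` and `Source: <upstream commit URL>` (placeholder; the page does not give the commit) would match what the nghttp2 patch in this same commit does. When comparing against upstream, the part worth checking is the bounded path: once `n<MB_LEN_MAX` the conversion goes to `tmp` and is copied only if `l` fits in `n`. The function's `return` lies outside the inner hunk.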
diff --git a/main/net-snmp/APKBUILD b/main/net-snmp/APKBUILD
index 6974991722c..a2a91ead28d 100644
--- a/main/net-snmp/APKBUILD
+++ b/main/net-snmp/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=net-snmp
pkgver=5.8
-pkgrel=0
+pkgrel=1
pkgdesc="Simple Network Management Protocol"
url="http://www.net-snmp.org/"
arch="all"
@@ -17,6 +17,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-agent-libs:alibs
source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
netsnmp-swinst-crash.patch
fix-includes.patch
+ report-empty-strings-correctly.patch
snmpd.initd
snmpd.confd
@@ -144,6 +145,7 @@ tools() {
sha512sums="27895a583b23f3e14c48562bc32f3ba83513d81aa848e878be9a3650f0458d45950635c937ef627135f80b757b663e71fab9a3bde4fd91889153998ae3468fe7 net-snmp-5.8.tar.gz
4ad92f50b14d5e27ba86256cc532a2dd055502f4d5fbb1700434f9f01f881fd09bb1eadb94e727554e1470f036707558314c64a66d0376b54e71ab31d5e4baa3 netsnmp-swinst-crash.patch
87a552bd2e41684bba6e87fbcf6454a85ee912d7a339411fda24cebddf7661f0856729e076a917920a542cf84b687ffd90a091daa15f2c48f0ff64f3a53c0ddb fix-includes.patch
+633fbf574a76f63b0ae5340cd86439ca89ef2621b890917c35a884fe2d41052d4ec65c88f0d3f94f2bb3481b2bc1989647d3e697f7995b72abee47799300c26b report-empty-strings-correctly.patch
896ef65a6f420073746470cdbd0de8f356c5b936d35e131754905b3d4323c24dcd3a09e0cc8bd90b12e3402f01e478f927f0e4163cb85cb0cc03db3c2e0491f4 snmpd.initd
fb101aa758d741ed3ea88b11f1cd49cfd04bd03ce62435f3acb17724748131c57f00b71fd45cb7e7871d65a1aab576652cd6e158b6406aa6d0998582b8235ef5 snmpd.confd
073fd2b83eedd6eda1f7345350268ce7946ef6d67a8f26f7c232e46feb75babf68272ae12071a2f9ea76ede71393b3ae4672d3cd47cfd14ab77e3a6482f2e124 snmptrapd.confd"
diff --git a/main/net-snmp/report-empty-strings-correctly.patch b/main/net-snmp/report-empty-strings-correctly.patch
new file mode 100644
index 00000000000..b1520d9b645
--- /dev/null
+++ b/main/net-snmp/report-empty-strings-correctly.patch
@@ -0,0 +1,110 @@
+From d0787a2c86a80e31756965c436fac67b7d1c0f9b Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Fri, 11 Oct 2019 20:09:08 -0700
+Subject: [PATCH] HOST-RESOURCES-MIB, UCD-SNMP-MIB: Report empty strings
+ correctly
+
+See also https://github.com/net-snmp/net-snmp/issues/26.
+
+Fixes: 9b9c0e287b4d ("MIBs: Use asprintf() instead of snprintf() to prevent truncation")
+---
+ agent/mibgroup/host/hrh_filesys.c | 5 +++--
+ agent/mibgroup/ucd-snmp/disk.c | 3 ++-
+ agent/mibgroup/ucd-snmp/disk_hw.c | 3 ++-
+ agent/mibgroup/ucd-snmp/proc.c | 4 ++--
+ 4 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/agent/mibgroup/host/hrh_filesys.c b/agent/mibgroup/host/hrh_filesys.c
+index 354416157..073a37e98 100644
+--- a/agent/mibgroup/host/hrh_filesys.c
++++ b/agent/mibgroup/host/hrh_filesys.c
+@@ -219,6 +219,7 @@ var_hrhfilesys(struct variable *vp,
+ {
+ int fsys_idx;
+ static char *string;
++ static char empty_str[1];
+
+ fsys_idx =
+ header_hrhfilesys(vp, name, length, exact, var_len, write_method);
+@@ -235,7 +236,7 @@ var_hrhfilesys(struct variable *vp,
+ *var_len = 0;
+ if (asprintf(&string, "%s", HRFS_entry->path) >= 0)
+ *var_len = strlen(string);
+- return (u_char *) string;
++ return (u_char *)(string ? string : empty_str);
+ case HRFSYS_RMOUNT:
+ free(string);
+ if (HRFS_entry->flags & NETSNMP_FS_FLAG_REMOTE) {
+@@ -245,7 +246,7 @@ var_hrhfilesys(struct variable *vp,
+ string = strdup("");
+ }
+ *var_len = string ? strlen(string) : 0;
+- return (u_char *) string;
++ return (u_char *)(string ? string : empty_str);
+
+ case HRFSYS_TYPE:
+ fsys_type_id[fsys_type_len - 1] =
+diff --git a/agent/mibgroup/ucd-snmp/disk.c b/agent/mibgroup/ucd-snmp/disk.c
+index d827dcc18..52062352e 100644
+--- a/agent/mibgroup/ucd-snmp/disk.c
++++ b/agent/mibgroup/ucd-snmp/disk.c
+@@ -825,6 +825,7 @@ var_extensible_disk(struct variable *vp,
+ struct dsk_entry entry;
+ static long long_ret;
+ static char *errmsg;
++ static char empty_str[1];
+
+ tryAgain:
+ if (header_simple_table
+@@ -926,7 +927,7 @@ var_extensible_disk(struct variable *vp,
+ *var_len = strlen(errmsg);
+ }
+ }
+- return (u_char *) (errmsg);
++ return (u_char *)(errmsg ? errmsg : empty_str);
+ }
+ return NULL;
+ }
+diff --git a/agent/mibgroup/ucd-snmp/disk_hw.c b/agent/mibgroup/ucd-snmp/disk_hw.c
+index cc5da14de..e8b09a238 100644
+--- a/agent/mibgroup/ucd-snmp/disk_hw.c
++++ b/agent/mibgroup/ucd-snmp/disk_hw.c
+@@ -314,6 +314,7 @@ var_extensible_disk(struct variable *vp,
+ unsigned long long val;
+ static long long_ret;
+ static char *errmsg;
++ static char empty_str[1];
+ netsnmp_cache *cache;
+
+ /* Update the fsys H/W module */
+@@ -432,7 +433,7 @@ var_extensible_disk(struct variable *vp,
+ >= 0)) {
+ *var_len = strlen(errmsg);
+ }
+- return (u_char *) errmsg;
++ return (u_char *)(errmsg ? errmsg : empty_str);
+ }
+ return NULL;
+ }
+diff --git a/agent/mibgroup/ucd-snmp/proc.c b/agent/mibgroup/ucd-snmp/proc.c
+index 57aa2d58a..8eb5fa7ac 100644
+--- a/agent/mibgroup/ucd-snmp/proc.c
++++ b/agent/mibgroup/ucd-snmp/proc.c
+@@ -265,7 +265,7 @@ var_extensible_proc(struct variable *vp,
+ struct myproc *proc;
+ static long long_ret;
+ static char *errmsg;
+-
++ static char empty_str[1];
+
+ if (header_simple_table
+ (vp, name, length, exact, var_len, write_method, numprocs))
+@@ -328,7 +328,7 @@ var_extensible_proc(struct variable *vp,
+ }
+ }
+ *var_len = errmsg ? strlen(errmsg) : 0;
+- return ((u_char *) errmsg);
++ return (u_char *)(errmsg ? errmsg : empty_str);
+ case ERRORFIX:
+ *write_method = fixProcError;
+ long_return = fixproc.result;
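Review bot: The new `string ? string : empty_str` fallback in var_hrhfilesys, and the matching `errmsg` fallbacks in disk.c, disk_hw.c and proc.c, only help when the pointer really is NULL, which a failed asprintf() does not guarantee; glibc documents the pointer's contents as undefined on failure. In the first hrh_filesys.c hunk the failure path leaves `*var_len = 0` but returns whatever `string` then holds, which could be a stale pointer if it was freed beforehand (that free is not visible in the hunk, though the HRFSYS_RMOUNT case does show `free(string);`). Resetting the pointer on failure would make the fallback reliable: `if (asprintf(&string, "%s", HRFS_entry->path) < 0) string = NULL; else *var_len = strlen(string);`. As this is an upstream backport, the change is better raised upstream than carried locally. The function bodies extend beyond the hunks.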
diff --git a/main/nghttp2/APKBUILD b/main/nghttp2/APKBUILD
index e56ee298b3d..99b98129119 100644
--- a/main/nghttp2/APKBUILD
+++ b/main/nghttp2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=nghttp2
pkgver=1.35.1
-pkgrel=1
+pkgrel=2
pkgdesc="Experimental HTTP/2 client, server and proxy"
url="https://nghttp2.org"
arch="all"
@@ -14,10 +14,13 @@ source="https://github.com/tatsuhiro-t/$pkgname/releases/download/v$pkgver/nghtt
0001-nghttpx-Fix-request-stall.patch
0002-Add-nghttp2_option_set_max_outbound_ack.patch
0003-Don-t-read-too-greedily.patch
+ CVE-2020-11080.patch
"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 1.35.1-r2:
+# - CVE-2020-11080
# 1.35.1-r1:
# - CVE-2019-9511
# - CVE-2019-9513
@@ -63,4 +66,5 @@ sha512sums="fcd3f79f913afbeee1c75003bb39df918e6122bbf728b3ad4192d5849d8fb96705e0
d3f6a66ad6522babb5ad2b3721d52c1c2af88e57ed2895cf87037da1032ca42dcb95dacc23ea277b9507b4116cec117b5c9a3313759dc56b48199b687b74dd9a remove-mruby-tests.patch
2a44858219275f69b7380358a07cfa6ed73e506519969e074196205c686e19e2f422181cacde8b6051fda1be744550958b3e3f3ad600f9ed2f3bdf4ef9d1d54a 0001-nghttpx-Fix-request-stall.patch
2f98c77b1590f2c85de9f0ddcaaf997a1ac513428127796bc1b598c70e8d557cc2402fecdedb2329267ab7903bc163f099acfca8ca44f3a4c74958b57c27f8b2 0002-Add-nghttp2_option_set_max_outbound_ack.patch
-ca4b196f86d2193052ff427904e6232a2c3fb2c998ffc76e7b6def4c8297031f047dc5fac7036d774bacd878fb21c5afb87fcced3d3e2f477c8275b869a8aa9c 0003-Don-t-read-too-greedily.patch"
+ca4b196f86d2193052ff427904e6232a2c3fb2c998ffc76e7b6def4c8297031f047dc5fac7036d774bacd878fb21c5afb87fcced3d3e2f477c8275b869a8aa9c 0003-Don-t-read-too-greedily.patch
+60219ba3cb97d5164a544813f54e483299989b6fa2b41a3cb6cfa4730e4de0c775a109331a341d1e8a0e22166ad8df35dd214a6d49c0b0ebab9b709e0592c3d6 CVE-2020-11080.patch"
diff --git a/main/nghttp2/CVE-2020-11080.patch b/main/nghttp2/CVE-2020-11080.patch
new file mode 100644
index 00000000000..622ad844daf
--- /dev/null
+++ b/main/nghttp2/CVE-2020-11080.patch
@@ -0,0 +1,332 @@
+From 336a98feb0d56b9ac54e12736b18785c27f75090 Mon Sep 17 00:00:00 2001
+From: James M Snell <jasnell@gmail.com>
+Date: Fri, 17 Apr 2020 16:53:51 -0700
+Subject: [PATCH 1/2] Implement max settings option
+Upstream: yes
+Source: https://github.com/nghttp2/nghttp2/commit/c3b46625633cd9a4519f6fbcd9048127b84a5514.patch
+
+---
+ doc/CMakeLists.txt | 1 +
+ doc/Makefile.am | 1 +
+ lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++
+ lib/nghttp2_helper.c | 2 ++
+ lib/nghttp2_option.c | 5 +++
+ lib/nghttp2_option.h | 5 +++
+ lib/nghttp2_session.c | 21 ++++++++++++
+ lib/nghttp2_session.h | 2 ++
+ tests/main.c | 2 ++
+ tests/nghttp2_session_test.c | 61 ++++++++++++++++++++++++++++++++++
+ tests/nghttp2_session_test.h | 1 +
+ 11 files changed, 124 insertions(+)
+
+diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
+index 34c027929..f3aec84da 100644
+--- a/doc/CMakeLists.txt
++++ b/doc/CMakeLists.txt
+@@ -42,6 +42,7 @@ set(APIDOCS
+ nghttp2_option_set_no_recv_client_magic.rst
+ nghttp2_option_set_peer_max_concurrent_streams.rst
+ nghttp2_option_set_user_recv_extension_type.rst
++ nghttp2_option_set_max_settings.rst
+ nghttp2_pack_settings_payload.rst
+ nghttp2_priority_spec_check_default.rst
+ nghttp2_priority_spec_default_init.rst
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 4d73cef50..f073bfa4c 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -69,6 +69,7 @@ APIDOCS= \
+ nghttp2_option_set_peer_max_concurrent_streams.rst \
+ nghttp2_option_set_user_recv_extension_type.rst \
+ nghttp2_option_set_max_outbound_ack.rst \
++ nghttp2_option_set_max_settings.rst \
+ nghttp2_pack_settings_payload.rst \
+ nghttp2_priority_spec_check_default.rst \
+ nghttp2_priority_spec_default_init.rst \
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index e3aeb9fed..9be6eea5c 100644
+--- a/lib/includes/nghttp2/nghttp2.h
++++ b/lib/includes/nghttp2/nghttp2.h
+@@ -228,6 +228,13 @@ typedef struct {
+ */
+ #define NGHTTP2_CLIENT_MAGIC_LEN 24
+
++/**
++ * @macro
++ *
++ * The default max number of settings per SETTINGS frame
++ */
++#define NGHTTP2_DEFAULT_MAX_SETTINGS 32
++
+ /**
+ * @enum
+ *
+@@ -398,6 +405,11 @@ typedef enum {
+ * receives an other type of frame.
+ */
+ NGHTTP2_ERR_SETTINGS_EXPECTED = -536,
++ /**
++ * When a local endpoint receives too many settings entries
++ * in a single SETTINGS frame.
++ */
++ NGHTTP2_ERR_TOO_MANY_SETTINGS = -537,
+ /**
+ * The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is
+ * under unexpected condition and processing was terminated (e.g.,
+@@ -2659,6 +2671,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_no_closed_streams(nghttp2_option *option,
+ NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option,
+ size_t val);
+
++/**
++ * @function
++ *
++ * This function sets the maximum number of SETTINGS entries per
++ * SETTINGS frame that will be accepted. If more than those entries
++ * are received, the peer is considered to be misbehaving and session
++ * will be closed. The default value is 32.
++ */
++NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
++ size_t val);
++
+ /**
+ * @function
+ *
+diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
+index 91136a619..0bd541472 100644
+--- a/lib/nghttp2_helper.c
++++ b/lib/nghttp2_helper.c
+@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_code) {
+ case NGHTTP2_ERR_FLOODED:
+ return "Flooding was detected in this HTTP/2 session, and it must be "
+ "closed";
++ case NGHTTP2_ERR_TOO_MANY_SETTINGS:
++ return "SETTINGS frame contained more than the maximum allowed entries";
+ default:
+ return "Unknown error code";
+ }
+diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
+index e53f22d36..34348e660 100644
+--- a/lib/nghttp2_option.c
++++ b/lib/nghttp2_option.c
+@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
+ option->max_outbound_ack = val;
+ }
++
++void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
++ option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
++ option->max_settings = val;
++}
+diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
+index 1f740aaa6..939729fdc 100644
+--- a/lib/nghttp2_option.h
++++ b/lib/nghttp2_option.h
+@@ -67,6 +67,7 @@ typedef enum {
+ NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
+ NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
+ NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
++ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
+ } nghttp2_option_flag;
+
+ /**
+@@ -85,6 +86,10 @@ struct nghttp2_option {
+ * NGHTTP2_OPT_MAX_OUTBOUND_ACK
+ */
+ size_t max_outbound_ack;
++ /**
++ * NGHTTP2_OPT_MAX_SETTINGS
++ */
++ size_t max_settings;
+ /**
+ * Bitwise OR of nghttp2_option_flag to determine that which fields
+ * are specified.
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 563ccd7de..415e34776 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -458,6 +458,7 @@ static int session_new(nghttp2_session **session_ptr,
+
+ (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+ (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
++ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+
+ if (option) {
+ if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -521,6 +522,11 @@ static int session_new(nghttp2_session **session_ptr,
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
+ (*session_ptr)->max_outbound_ack = option->max_outbound_ack;
+ }
++
++ if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) &&
++ option->max_settings) {
++ (*session_ptr)->max_settings = option->max_settings;
++ }
+ }
+
+ rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
+@@ -5657,6 +5663,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+ iframe->max_niv =
+ iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1;
+
++ if (iframe->max_niv - 1 > session->max_settings) {
++ rv = nghttp2_session_terminate_session_with_reason(
++ session, NGHTTP2_ENHANCE_YOUR_CALM,
++ "SETTINGS: too many setting entries");
++ if (nghttp2_is_fatal(rv)) {
++ return rv;
++ }
++ return (ssize_t)inlen;
++ }
++
+ iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) *
+ iframe->max_niv);
+
+@@ -7425,6 +7441,11 @@ static int nghttp2_session_upgrade_internal(nghttp2_session *session,
+ if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) {
+ return NGHTTP2_ERR_INVALID_ARGUMENT;
+ }
++ /* SETTINGS frame contains too many settings */
++ if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH
++ > session->max_settings) {
++ return NGHTTP2_ERR_TOO_MANY_SETTINGS;
++ }
+ rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload,
+ settings_payloadlen, mem);
+ if (rv != 0) {
+diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
+index d20827315..07bfbb6c9 100644
+--- a/lib/nghttp2_session.h
++++ b/lib/nghttp2_session.h
+@@ -267,6 +267,8 @@ struct nghttp2_session {
+ /* The maximum length of header block to send. Calculated by the
+ same way as nghttp2_hd_deflate_bound() does. */
+ size_t max_send_header_block_length;
++ /* The maximum number of settings accepted per SETTINGS frame. */
++ size_t max_settings;
+ /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+ uint32_t next_stream_id;
+ /* The last stream ID this session initiated. For client session,
+diff --git a/tests/main.c b/tests/main.c
+index 41e0b03eb..67eb4a1c2 100644
+--- a/tests/main.c
++++ b/tests/main.c
+@@ -317,6 +317,8 @@ int main() {
+ test_nghttp2_session_set_local_window_size) ||
+ !CU_add_test(pSuite, "session_cancel_from_before_frame_send",
+ test_nghttp2_session_cancel_from_before_frame_send) ||
++ !CU_add_test(pSuite, "session_too_many_settings",
++ test_nghttp2_session_too_many_settings) ||
+ !CU_add_test(pSuite, "session_removed_closed_stream",
+ test_nghttp2_session_removed_closed_stream) ||
+ !CU_add_test(pSuite, "session_pause_data",
+diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
+index 6eb8e244d..33ee3ad84 100644
+--- a/tests/nghttp2_session_test.c
++++ b/tests/nghttp2_session_test.c
+@@ -10614,6 +10614,67 @@ void test_nghttp2_session_cancel_from_before_frame_send(void) {
+ nghttp2_session_del(session);
+ }
+
++void test_nghttp2_session_too_many_settings(void) {
++ nghttp2_session *session;
++ nghttp2_option *option;
++ nghttp2_session_callbacks callbacks;
++ nghttp2_frame frame;
++ nghttp2_bufs bufs;
++ nghttp2_buf *buf;
++ ssize_t rv;
++ my_user_data ud;
++ nghttp2_settings_entry iv[3];
++ nghttp2_mem *mem;
++ nghttp2_outbound_item *item;
++
++ mem = nghttp2_mem_default();
++ frame_pack_bufs_init(&bufs);
++
++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
++ callbacks.on_frame_recv_callback = on_frame_recv_callback;
++ callbacks.send_callback = null_send_callback;
++
++ nghttp2_option_new(&option);
++ nghttp2_option_set_max_settings(option, 1);
++
++ nghttp2_session_client_new2(&session, &callbacks, &ud, option);
++
++ CU_ASSERT(1 == session->max_settings);
++
++ nghttp2_option_del(option);
++
++ iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
++ iv[0].value = 3000;
++
++ iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
++ iv[1].value = 16384;
++
++ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2),
++ 2);
++
++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
++
++ CU_ASSERT(0 == rv);
++ CU_ASSERT(nghttp2_bufs_len(&bufs) > 0);
++
++ nghttp2_frame_settings_free(&frame.settings, mem);
++
++ buf = &bufs.head->buf;
++ assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf));
++
++ ud.frame_recv_cb_called = 0;
++
++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
++
++ item = nghttp2_session_get_next_ob_item(session);
++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
++
++ nghttp2_bufs_reset(&bufs);
++ nghttp2_bufs_free(&bufs);
++ nghttp2_session_del(session);
++}
++
+ static void
+ prepare_session_removed_closed_stream(nghttp2_session *session,
+ nghttp2_hd_deflater *deflater) {
+diff --git a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h
+index e872c5d0b..818c808d0 100644
+--- a/tests/nghttp2_session_test.h
++++ b/tests/nghttp2_session_test.h
+@@ -156,6 +156,7 @@ void test_nghttp2_session_repeated_priority_change(void);
+ void test_nghttp2_session_repeated_priority_submission(void);
+ void test_nghttp2_session_set_local_window_size(void);
+ void test_nghttp2_session_cancel_from_before_frame_send(void);
++void test_nghttp2_session_too_many_settings(void);
+ void test_nghttp2_session_removed_closed_stream(void);
+ void test_nghttp2_session_pause_data(void);
+ void test_nghttp2_session_no_closed_streams(void);
+
+From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001
+From: James M Snell <jasnell@gmail.com>
+Date: Sun, 19 Apr 2020 09:12:24 -0700
+Subject: [PATCH 2/2] Earlier check for settings flood
+
+---
+ lib/nghttp2_session.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 415e34776..39f81f498 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -5653,6 +5653,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+ break;
+ }
+
++ /* Check the settings flood counter early to be safe */
++ if (session->obq_flood_counter_ >= session->max_outbound_ack &&
++ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) {
++ return NGHTTP2_ERR_FLOODED;
++ }
++
+ iframe->state = NGHTTP2_IB_READ_SETTINGS;
+
+ if (iframe->payloadleft) {
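Review bot: The doc comment added for `nghttp2_option_set_max_settings` in nghttp2.h says only that the default is 32, but session_new applies the option only when `option->max_settings` is non-zero, so a caller passing 0 silently keeps the default. The comment should say so, for example `Passing 0 is ignored and leaves the default in effect.` The new test also sets `ud.frame_recv_cb_called = 0` and never checks it; adding `CU_ASSERT(0 == ud.frame_recv_cb_called);` after the nghttp2_session_mem_recv call would pin that the oversized frame is not delivered to the callback. The `NGHTTP2_ERR_TOO_MANY_SETTINGS` branch in nghttp2_session_upgrade_internal has no test in this patch. These are upstream sources, so the points belong upstream rather than in a local edit of the backport.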
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index e120a363078..c615f3ba968 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -4,6 +4,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 1.14.2-r5:
+# - CVE-2019-20372
# 1.14.1-r2:
# - CVE-2019-9511
# - CVE-2019-9513
@@ -19,7 +21,7 @@ pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.14.2
-pkgrel=4
+pkgrel=5
# Revision of nginx-tests to use for check().
_tests_hgrev=d6daf03478ad
_njs_ver=0.2.0
@@ -47,6 +49,7 @@ source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
CVE-2019-9511.patch
CVE-2019-9513.patch
CVE-2019-9516.patch
+ CVE-2019-20372.patch
nginx.conf
default.conf
@@ -305,6 +308,7 @@ cd6983c164383100e0239be85dfeddc7879ab9c29589aecdd9bb4b6772d1f0a5d4cd70bf728d0fb5
8418b905011d429a7183843af7fbbc7ec37d01f33c9f9742a2b2de08a0e036af97577988425254ce6a541db34f05d47c05edfe613d417f3e402a044a3f455d3a CVE-2019-9511.patch
8575dfa2484ef6979b83d6cc51b2492498c4a4b5fbda677c0986db1de32fc80c9bf0bb93f75582d51bee7d226a138a423aa41dd7b3320588bb019e4474e5c558 CVE-2019-9513.patch
949f1fe5c83148f99919384b7117d330bf361a2b7c76807d41017f14349b853ec8f6fdab33d290ca455fbe18150047412bb220838c867708cb56c4e5ec6746fd CVE-2019-9516.patch
+3d70fecd28a3c7b126aa06404ebb3a0fa71659abb710ecf441208b6735bda80493265410bebb4cecbb2fffa589fede75897b7f7d2da9def2482c75ac85b02b30 CVE-2019-20372.patch
ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate
diff --git a/main/nginx/CVE-2019-20372.patch b/main/nginx/CVE-2019-20372.patch
new file mode 100644
index 00000000000..7329261e556
--- /dev/null
+++ b/main/nginx/CVE-2019-20372.patch
@@ -0,0 +1,28 @@
+From c1be55f97211d38b69ac0c2027e6812ab8b1b94e Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 4ffb2cc8ad..76e6705889 100644
+--- a/src/http/ngx_http_special_response.c
++++ b/src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+ return ngx_http_named_location(r, &uri);
+ }
+
++ r->expect_tested = 1;
++
++ if (ngx_http_discard_request_body(r) != NGX_OK) {
++ r->keepalive = 0;
++ }
++
+ location = ngx_list_push(&r->headers_out.headers);
+
+ if (location == NULL) {
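Review bot: The six added lines in ngx_http_send_error_page carry no comment, and neither the reason for `r->expect_tested = 1` nor the decision to carry on after a failed discard is obvious from the code. A comment above the block would help, e.g. `/* redirecting: discard the unread request body so it cannot be parsed as the next request on this connection; on failure, close after the response */`. The `expect_tested` assignment presumably keeps the discard from answering an `Expect: 100-continue`, but that is inferred and not shown in the hunk. The patch header also gives no upstream commit URL, which makes the backport harder to verify against nginx's own fix. The function continues outside the hunk.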
diff --git a/main/ngircd/APKBUILD b/main/ngircd/APKBUILD
index da71f4a6e49..f931173b115 100644
--- a/main/ngircd/APKBUILD
+++ b/main/ngircd/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ngircd
pkgver=24
-pkgrel=4
+pkgrel=5
pkgdesc="Next Generation IRC Daemon"
url="https://ngircd.barton.de/"
arch="all"
@@ -12,6 +12,7 @@ makedepends="openssl-dev zlib-dev linux-pam-dev"
subpackages="$pkgname-doc"
install="$pkgname.pre-install"
source="https://ngircd.barton.de/pub/ngircd/ngircd-$pkgver.tar.xz
+ CVE-2020-14148.patch
$pkgname.initd
"
_builddir="$srcdir"/$pkgname-$pkgver
@@ -24,6 +25,10 @@ prepare() {
done
}
+# secfixes:
+# 24-r5:
+# - CVE-2020-14148
+
build() {
cd "$_builddir"
./configure \
@@ -45,10 +50,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1
install -Dm755 ../$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
}
-
-md5sums="81b9c5ae283d07aab35ce16eaf49e458 ngircd-24.tar.xz
-51c3679a7c1f2f5522031fa856e34734 ngircd.initd"
-sha256sums="173fa0ea10788a8ba08ef2f7e64ea8951d7c88862e744128c8b87bae424b1008 ngircd-24.tar.xz
-890d0dc433a8d7f082c35ba806bac53f19d2d4352fcb7127cc28741abcbd6a75 ngircd.initd"
sha512sums="d176ec4eb3e780aa8b5efb722c8c0f6fc1a7ac3c06e2039019e6e602aad64ca5357762f1549e117f6e452fe6314fb6cf5bc31a9fdbec1a08cc6d2a344c0bf49f ngircd-24.tar.xz
+3863bab40dcb0283127497efa117ceaab3f4d1d427399ad262a1a3b24d50ff663578579639c9ea39b9be41698ad13767ee575071e46e8ba80eebbda1f3d58881 CVE-2020-14148.patch
50339507917c956a38451394a8a5996337ff29948944ff6aa40ed39f6dd3d6bfdfb864d60a24199c0a86a01e18a71f213efa6cfb2857a320f31b9fcfb92c6ac1 ngircd.initd"
diff --git a/main/ngircd/CVE-2020-14148.patch b/main/ngircd/CVE-2020-14148.patch
new file mode 100644
index 00000000000..2f2d2b5038e
--- /dev/null
+++ b/main/ngircd/CVE-2020-14148.patch
@@ -0,0 +1,37 @@
+From 02cf31c0e267a4c9a7656d43ad3ad4eeb37fc9c5 Mon Sep 17 00:00:00 2001
+From: Alexander Barton <alex@barton.de>
+Date: Mon, 25 May 2020 23:43:29 +0200
+Subject: [PATCH] IRC_SERVER: Make sure that the client sent a prefix
+
+The SERVER command is only valid with a prefix when received from other
+servers, so make sure that there is one and disconnect the peer if not
+(instead of crashing ...).
+
+This obsoletes PR #275.
+
+Thanks Hilko Bengen (hillu) for finding & reporting this as well for the
+patch & pull request! But I think this is the "more correct" fix.
+---
+ src/ngircd/irc-server.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/ngircd/irc-server.c b/src/ngircd/irc-server.c
+index 317a3e1a..10f1ef69 100644
+--- a/src/ngircd/irc-server.c
++++ b/src/ngircd/irc-server.c
+@@ -186,6 +186,15 @@ IRC_SERVER( CLIENT *Client, REQUEST *Req )
+ if (!Client_CheckID(Client, Req->argv[0]))
+ return DISCONNECTED;
+
++ if (!Req->prefix) {
++ /* We definitely need a prefix here! */
++ Log(LOG_ALERT, "Got SERVER command without prefix! (on connection %d)",
++ Client_Conn(Client));
++ Conn_Close(Client_Conn(Client), NULL,
++ "SERVER command without prefix", true);
++ return DISCONNECTED;
++ }
++
+ from = Client_Search( Req->prefix );
+ if (! from) {
+ /* Uh, Server, that introduced the new server is unknown?! */
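Review bot: The new log line in IRC_SERVER identifies the offending peer only by connection number, `Client_Conn(Client)`, and that connection is closed in the next statement, so the entry is hard to tie to a host afterwards. Because a remote peer decides whether this branch fires, the message should carry the peer's identity for triage, e.g. `Log(LOG_ALERT, "Got SERVER command without prefix from \"%s\"! (on connection %d)", Client_ID(Client), Client_Conn(Client));` (Client_ID is assumed from the rest of ngircd and is not visible here). `LOG_ALERT` may also be louder than intended for a condition a peer can trigger, though that depends on how the project uses the level elsewhere. IRC_SERVER's body continues outside the hunk.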
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index 27b0bd811c9..4d3c13cdfe0 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -3,9 +3,25 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Contributor: Dave Esaias <dave@containership.io>
# Contributor: Tadahisa Kamijo <kamijin@live.jp>
+# Contributor: Eivind Uggedal <eu@eju.no>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 10.19.0-r0:
+# - CVE-2019-15606
+# - CVE-2019-15605
+# - CVE-2019-15604
+# 10.16.3-r0:
+# - CVE-2019-9511
+# - CVE-2019-9512
+# - CVE-2019-9513
+# - CVE-2019-9514
+# - CVE-2019-9515
+# - CVE-2019-9516
+# - CVE-2019-9517
+# - CVE-2019-9518
+# 10.15.3-r0:
+# - CVE-2019-5737
# 10.14.0-r0:
# - CVE-2018-12121
# - CVE-2018-12122
@@ -33,7 +49,7 @@
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=10.14.2
+pkgver=10.19.0
pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
@@ -43,7 +59,7 @@ depends="ca-certificates"
depends_dev="libuv"
# gold is needed for mksnapshot
makedepends="$depends_dev python2 openssl-dev zlib-dev libuv-dev linux-headers
- paxmark binutils-gold http-parser-dev ca-certificates c-ares-dev"
+ paxmark binutils-gold ca-certificates c-ares-dev"
subpackages="$pkgname-dev $pkgname-doc npm::noarch"
provides="nodejs-lts=$pkgver" # for backward compatibility
replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility
@@ -57,7 +73,7 @@ prepare() {
default_prepare
# Remove bundled dependencies that we're not using.
- rm -rf deps/http_parser deps/openssl deps/uv deps/zlib
+ rm -rf deps/openssl deps/uv deps/zlib
}
build() {
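Review bot: Keeping `deps/http_parser` in prepare() switches node from the system http-parser to its bundled copy, and the APKBUILD does not record why. The same switch shows in the neighbouring hunks, which drop `http-parser-dev` from makedepends and `--shared-http-parser` from the configure call. From this release on, parser fixes reach node only through node updates, not through the http-parser package, which matters when tracking the secfixes listed above. A comment above the `rm -rf` line would keep that visible, e.g. `# deps/http_parser is kept: node is built with its bundled copy, so parser fixes arrive only with node updates.`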
@@ -72,7 +88,6 @@ build() {
--shared-zlib \
--shared-libuv \
--shared-openssl \
- --shared-http-parser \
--shared-cares \
--openssl-use-def-ca-store
@@ -102,9 +117,17 @@ package() {
paxmark -m "$pkgdir"/usr/bin/node
cp -pr "$pkgdir"/usr/lib/node_modules/npm/man "$pkgdir"/usr/share
- local d; for d in doc html man; do
+ local d; for d in docs man; do
rm -r "$pkgdir"/usr/lib/node_modules/npm/$d
done
+
+ # XXX: Workaround for https://github.com/npm/cli/issues/780.
+ (cd "$pkgdir"/usr/share/man/man5 && find * \
+ -type f ! \( -name 'package-json.*' -or -name 'npmrc.*' -or -name 'npm-*' \) \
+ -exec mv {} npm-{} \;)
+ (cd "$pkgdir"/usr/share/man/man7 && find * \
+ -type f ! \( -name 'semver.*' -or -name 'npm-*' \) \
+ -exec mv {} npm-{} \;)
}
dev() {
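Review bot: The man-page workaround `find * ... -exec mv {} npm-{} \;` depends on two behaviours that are not guaranteed. POSIX leaves it implementation-defined whether `{}` is replaced when it is embedded in a longer argument such as `npm-{}`. `find *` also hands file names to find as start paths, so a name beginning with `-` would be read as an expression. A plain loop avoids both, e.g. for man5: `for f in *; do case $f in package-json.*|npmrc.*|npm-*) ;; *) [ -f "$f" ] && mv "$f" "npm-$f" ;; esac; done`. package() begins outside this hunk.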
@@ -126,6 +149,6 @@ npm() {
mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
}
-sha512sums="72e78f8839543826025549022df9f23a71be3507261a387f82142d71d24065a23f9b905d7fd95a0940ac68355bfe0d81ee50c320eb46493e10e417cd975d3c8e node-v10.14.2.tar.gz
+sha512sums="59f584e27dfd99453a031722ca3e094d658a90e77316a85a7048868fe6a6164b8aef0f03b60cbe681ace273d902434210bf3cd10a638583b74264d8b42bf2565 node-v10.19.0.tar.gz
9d09a88074bf0093f35c5b610e73ebf4c5381df2a2b29feb69da1af0b18776a683b13f1276375bbcfc60936cc27769539e1f01b4ba94b22cad2d5f4daae14c46 dont-run-gyp-files-for-bundled-deps.patch
4fd3f10bd82d1e851ed000169c2635c001a4a051283edf96f1efb2260e2d395199dd5843f79f1cff8f2c0c65462c44241c508ea67835dfbd9880d9196fae290a link-with-libatomic-on-mips32.patch"
diff --git a/main/nrpe/APKBUILD b/main/nrpe/APKBUILD
index 44d2b163ab7..c09b953a029 100644
--- a/main/nrpe/APKBUILD
+++ b/main/nrpe/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Jeff Bilyk <jbilyk@gmail.com>
pkgname=nrpe
pkgver=3.2.1
-pkgrel=0
+pkgrel=2
pkgusers="nagios"
pkggroups="nagios"
pkgdesc="NRPE allows you to remotely execute Nagios plugins on other Linux/Unix machines."
diff --git a/main/ntfs-3g/APKBUILD b/main/ntfs-3g/APKBUILD
index 9f63527fe11..8c2695bc2dc 100644
--- a/main/ntfs-3g/APKBUILD
+++ b/main/ntfs-3g/APKBUILD
@@ -4,18 +4,24 @@
pkgname=ntfs-3g
_pkgreal=ntfs-3g_ntfsprogs
pkgver=2017.3.23
-pkgrel=1
+pkgrel=2
pkgdesc="Stable, full-featured, read-write NTFS"
-url="http://www.tuxera.com/community/ntfs-3g-download/"
+url="https://www.tuxera.com/community/ntfs-3g-download/"
arch="all"
-license="GPL"
+license="GPL-2.0-or-later AND LGPL-2.0-or-later"
+options="!check" # No test suite
makedepends="attr-dev util-linux-dev linux-headers"
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-progs"
-source="http://tuxera.com/opensource/$_pkgreal-$pkgver.tgz"
+source="https://tuxera.com/opensource/ntfs-3g_ntfsprogs-$pkgver.tgz
+ CVE-2019-9755.patch
+ "
builddir="$srcdir/$_pkgreal-$pkgver"
+# secfixes:
+# 2017.3.23-r2:
+# - CVE-2019-9755
+
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -29,7 +35,6 @@ build() {
package() {
pkgdesc="$pkgdesc (driver)"
- cd "$builddir"
mkdir -p "$pkgdir"/lib
make -j1 DESTDIR="$pkgdir" LDCONFIG=: install
ln -s /bin/ntfs-3g "$pkgdir"/sbin/mount.ntfs
@@ -44,4 +49,5 @@ progs() {
rm -fr "$subpkgdir"/lib "$subpkgdir"/usr/lib
}
-sha512sums="3a607f0d7be35204c992d8931de0404fbc52032c13b4240d2c5e6f285c318a28eb2a385d7cf5ac4cd445876aee5baa5753bb636ada0d870d84a9d3fdbce794ef ntfs-3g_ntfsprogs-2017.3.23.tgz"
+sha512sums="3a607f0d7be35204c992d8931de0404fbc52032c13b4240d2c5e6f285c318a28eb2a385d7cf5ac4cd445876aee5baa5753bb636ada0d870d84a9d3fdbce794ef ntfs-3g_ntfsprogs-2017.3.23.tgz
+d071cf6c3ee38963df0286049196cb3bab050460e0b541f3cf5d217c874d247878cb6dcca2d6d68c562447f8956e0511dd93552c5647dda88b69be880b5cd9f8 CVE-2019-9755.patch"
diff --git a/main/ntfs-3g/CVE-2019-9755.patch b/main/ntfs-3g/CVE-2019-9755.patch
new file mode 100644
index 00000000000..577f1686282
--- /dev/null
+++ b/main/ntfs-3g/CVE-2019-9755.patch
@@ -0,0 +1,62 @@
+From 85c1634a26faa572d3c558d4cf8aaaca5202d4e9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jean-pierre.andre@wanadoo.fr>
+Date: Wed, 19 Dec 2018 15:57:50 +0100
+Subject: [PATCH] Fixed reporting an error when failed to build the mountpoint
+
+The size check was inefficient because getcwd() uses an unsigned int
+argument.
+---
+ src/lowntfs-3g.c | 6 +++++-
+ src/ntfs-3g.c | 6 +++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/lowntfs-3g.c b/src/lowntfs-3g.c
+index 993867fa..0660439b 100644
+--- a/src/lowntfs-3g.c
++++ b/src/lowntfs-3g.c
+@@ -4323,7 +4323,8 @@
+ else {
+ ctx->abs_mnt_point = (char*)ntfs_malloc(PATH_MAX);
+ if (ctx->abs_mnt_point) {
+- if (getcwd(ctx->abs_mnt_point,
++ if ((strlen(opts.mnt_point) < PATH_MAX)
++ && getcwd(ctx->abs_mnt_point,
+ PATH_MAX - strlen(opts.mnt_point) - 1)) {
+ strcat(ctx->abs_mnt_point, "/");
+ strcat(ctx->abs_mnt_point, opts.mnt_point);
+@@ -4331,6 +4332,9 @@
+ /* Solaris also wants the absolute mount point */
+ opts.mnt_point = ctx->abs_mnt_point;
+ #endif /* defined(__sun) && defined (__SVR4) */
++ } else {
++ free(ctx->abs_mnt_point);
++ ctx->abs_mnt_point = (char*)NULL;
+ }
+ }
+ }
+diff --git a/src/ntfs-3g.c b/src/ntfs-3g.c
+index 6ce89fef..4e0912ae 100644
+--- a/src/ntfs-3g.c
++++ b/src/ntfs-3g.c
+@@ -4123,7 +4123,8 @@
+ else {
+ ctx->abs_mnt_point = (char*)ntfs_malloc(PATH_MAX);
+ if (ctx->abs_mnt_point) {
+- if (getcwd(ctx->abs_mnt_point,
++ if ((strlen(opts.mnt_point) < PATH_MAX)
++ && getcwd(ctx->abs_mnt_point,
+ PATH_MAX - strlen(opts.mnt_point) - 1)) {
+ strcat(ctx->abs_mnt_point, "/");
+ strcat(ctx->abs_mnt_point, opts.mnt_point);
+@@ -4131,6 +4132,9 @@
+ /* Solaris also wants the absolute mount point */
+ opts.mnt_point = ctx->abs_mnt_point;
+ #endif /* defined(__sun) && defined (__SVR4) */
++ } else {
++ free(ctx->abs_mnt_point);
++ ctx->abs_mnt_point = (char*)NULL;
+ }
+ }
+ }
+--
+2.22.0
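Review bot: The added `strlen(opts.mnt_point) < PATH_MAX` test has no comment explaining its purpose, in either src/lowntfs-3g.c or src/ntfs-3g.c. It keeps the unsigned expression `PATH_MAX - strlen(opts.mnt_point) - 1` from wrapping to a very large size before it is passed to getcwd(), after which the two strcat() calls would write past the PATH_MAX allocation. I would put this above the condition in both files: `/* The getcwd() size must not wrap: it leaves room for "/" + mnt_point + NUL inside the PATH_MAX buffer. */`. The new else branch frees the buffer and sets it to NULL without logging. Whether the caller reports the failure is outside the hunk and should be confirmed.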
diff --git a/main/oniguruma/APKBUILD b/main/oniguruma/APKBUILD
index 618fe360133..097507c6534 100644
--- a/main/oniguruma/APKBUILD
+++ b/main/oniguruma/APKBUILD
@@ -1,21 +1,22 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=oniguruma
-pkgver=6.9.1
-pkgrel=0
+pkgver=6.9.4
+pkgrel=1
pkgdesc="a regular expressions library"
url="http://www.geocities.jp/kosako3/oniguruma/"
arch="all"
license="BSD"
makedepends="automake autoconf libtool"
subpackages="$pkgname-dev"
-source="$pkgname-$pkgver.tar.gz::https://github.com/kkos/$pkgname/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/kkos/$pkgname/archive/v$pkgver.tar.gz
+ CVE-2020-26159.patch::https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
-check() {
- cd "$builddir"
- make check
-}
+# secfixes:
+# 6.9.4-r1:
+# - CVE-2020-26159
prepare() {
cd "$builddir"
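Review bot: `CVE-2020-26159.patch` is downloaded from a GitHub commit URL at build time, while the other security patches in this commit are stored in the package directory. Commit `.patch` files are generated by the forge on request and are not guaranteed to stay byte-identical. A later fetch can then fail the sha512sums check, and the fix itself depends on a third-party endpoint remaining available. Committing the patch file next to the APKBUILD and listing it as a plain `CVE-2020-26159.patch` source entry keeps the reviewed bytes in the tree.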
@@ -35,9 +36,15 @@ build() {
make
}
+check() {
+ cd "$builddir"
+ make check
+}
+
package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
}
-sha512sums="a1af020f2042dba2423fb0d0db1ca2c30413c4e950493ac44caa11f616adec98c24df6882413548540095d7f3d8a295afd3ce51e8349ea92fa13d900ee58b126 oniguruma-6.9.1.tar.gz"
+sha512sums="28a618c31db047c19dfb0e519d849ff33dd9d027abb154df341bc9c4a3ee738144007cfa95066e8714b0e1a0133ccfb6e629e9b7483cb3f9fb3a890156d769cb oniguruma-6.9.4.tar.gz
+90c42c91004eb9df89adcedb79bc175a52b596031cb2aacb891282e5ed3183ca991ac7fda1cb7a507f2e6cc9dceba78fa8291a312c23c56d457e75d31729a2df CVE-2020-26159.patch"
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index 4847320d682..f41d037b8ae 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
pkgver=2.3.0
-pkgrel=3
+pkgrel=6
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="http://www.openjpeg.org/"
arch="all"
@@ -16,11 +16,14 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v
CVE-2018-14423.patch
CVE-2018-6616.patch
CVE-2018-5785.patch
+ CVE-2018-21010.patch
+ CVE-2020-6851.patch
+ CVE-2020-8112.patch
+ CVE-2019-12973.patch
+ CVE-2020-15389.patch
"
-builddir="${srcdir}/$pkgname-$pkgver"
build() {
- cd "$builddir"
cmake . \
-DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
@@ -30,6 +33,14 @@ build() {
}
# secfixes:
+# 2.3.0-r6:
+# - CVE-2019-12973
+# - CVE-2020-15389
+# 2.3.0-r5:
+# - CVE-2020-6851
+# - CVE-2020-8112
+# 2.3.0-r4:
+# - CVE-2018-21010
# 2.3.0-r3:
# - CVE-2018-5785
# 2.3.0-r2:
@@ -53,7 +64,6 @@ build() {
# - CVE-2016-9581
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
@@ -68,4 +78,9 @@ sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520
24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch
4292a05e63ec1ba1ec30e02cd981e9aab617e42831a799bc777b03174bcbc4c49d8b45534668a5237f06c0361865b0ff9bd71f40e2fcab370af6cf9c256c8537 CVE-2018-14423.patch
9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222 CVE-2018-6616.patch
-ec48472de6c6d34abff949bbae1ae1e92e0b59939c13345a3a69c8219fdf91ea2c07dda59fe212a88212b3116cae1fb8c47aa5d12b84af669a28aa52864f55de CVE-2018-5785.patch"
+ec48472de6c6d34abff949bbae1ae1e92e0b59939c13345a3a69c8219fdf91ea2c07dda59fe212a88212b3116cae1fb8c47aa5d12b84af669a28aa52864f55de CVE-2018-5785.patch
+544828e20f50dc7e4a3367de646dc69f70fff48d66a6bbc1b27c317778e7739e276891e84a76435144e697605796c77a47b0a3424e0fa3eeb2e647480c1c034a CVE-2018-21010.patch
+c8ffc926d91392b38250fd4e00fff5f93fbf5e17487d0e4a0184c9bd191aa2233c5c5dcf097dd62824714097bba2d8cc865bed31193d1a072aa954f216011297 CVE-2020-6851.patch
+9659e04087e0d80bf53555e9807aae59205adef2d49d7a49e05bf250c484a2e92132d471ec6076e57ca69b5ce98fd81462a6a8c01205ca7096781eec06e401cc CVE-2020-8112.patch
+472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch
+f36ea384272b3918d194f7d64bcc321a66fa6ebb2d73ece3d69225f883ec8a2777284f633902cf954f9a847bd758da2c36c74d8ef28c4cd82a3bf076e326c611 CVE-2020-15389.patch"
diff --git a/main/openjpeg/CVE-2018-21010.patch b/main/openjpeg/CVE-2018-21010.patch
new file mode 100644
index 00000000000..d0ae536f412
--- /dev/null
+++ b/main/openjpeg/CVE-2018-21010.patch
@@ -0,0 +1,179 @@
+From 2e5ab1d9987831c981ff05862e8ccf1381ed58ea Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 27 Nov 2018 23:31:30 +0100
+Subject: [PATCH] color_apply_icc_profile: avoid potential heap buffer overflow
+
+Derived from a patch by Thuan Pham
+---
+ src/bin/common/color.c | 154 ++++++++++++++++++++++-------------------
+ 1 file changed, 82 insertions(+), 72 deletions(-)
+
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index a97d49f12..d3a2f38d7 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -597,82 +597,92 @@ void color_apply_icc_profile(opj_image_t *image)
+ }
+
+ if (image->numcomps > 2) { /* RGB, RGBA */
+- if (prec <= 8) {
+- unsigned char *inbuf, *outbuf, *in, *out;
+-
+- max = max_w * max_h;
+- nr_samples = (size_t)(max * 3U * sizeof(unsigned char));
+- in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
+- out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
+-
+- if (inbuf == NULL || outbuf == NULL) {
+- goto fails0;
+- }
+-
+- r = image->comps[0].data;
+- g = image->comps[1].data;
+- b = image->comps[2].data;
+-
+- for (i = 0U; i < max; ++i) {
+- *in++ = (unsigned char) * r++;
+- *in++ = (unsigned char) * g++;
+- *in++ = (unsigned char) * b++;
+- }
+-
+- cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
+-
+- r = image->comps[0].data;
+- g = image->comps[1].data;
+- b = image->comps[2].data;
+-
+- for (i = 0U; i < max; ++i) {
+- *r++ = (int) * out++;
+- *g++ = (int) * out++;
+- *b++ = (int) * out++;
+- }
+- ok = 1;
++ if ((image->comps[0].w == image->comps[1].w &&
++ image->comps[0].w == image->comps[2].w) &&
++ (image->comps[0].h == image->comps[1].h &&
++ image->comps[0].h == image->comps[2].h)) {
++ if (prec <= 8) {
++ unsigned char *inbuf, *outbuf, *in, *out;
++
++ max = max_w * max_h;
++ nr_samples = (size_t)(max * 3U * sizeof(unsigned char));
++ in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
++ out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
++
++ if (inbuf == NULL || outbuf == NULL) {
++ goto fails0;
++ }
++
++ r = image->comps[0].data;
++ g = image->comps[1].data;
++ b = image->comps[2].data;
++
++ for (i = 0U; i < max; ++i) {
++ *in++ = (unsigned char) * r++;
++ *in++ = (unsigned char) * g++;
++ *in++ = (unsigned char) * b++;
++ }
++
++ cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
++
++ r = image->comps[0].data;
++ g = image->comps[1].data;
++ b = image->comps[2].data;
++
++ for (i = 0U; i < max; ++i) {
++ *r++ = (int) * out++;
++ *g++ = (int) * out++;
++ *b++ = (int) * out++;
++ }
++ ok = 1;
+
+ fails0:
+- opj_image_data_free(inbuf);
+- opj_image_data_free(outbuf);
+- } else { /* prec > 8 */
+- unsigned short *inbuf, *outbuf, *in, *out;
+-
+- max = max_w * max_h;
+- nr_samples = (size_t)(max * 3U * sizeof(unsigned short));
+- in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
+- out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
+-
+- if (inbuf == NULL || outbuf == NULL) {
+- goto fails1;
+- }
+-
+- r = image->comps[0].data;
+- g = image->comps[1].data;
+- b = image->comps[2].data;
+-
+- for (i = 0U ; i < max; ++i) {
+- *in++ = (unsigned short) * r++;
+- *in++ = (unsigned short) * g++;
+- *in++ = (unsigned short) * b++;
+- }
+-
+- cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
+-
+- r = image->comps[0].data;
+- g = image->comps[1].data;
+- b = image->comps[2].data;
+-
+- for (i = 0; i < max; ++i) {
+- *r++ = (int) * out++;
+- *g++ = (int) * out++;
+- *b++ = (int) * out++;
+- }
+- ok = 1;
++ opj_image_data_free(inbuf);
++ opj_image_data_free(outbuf);
++ } else { /* prec > 8 */
++ unsigned short *inbuf, *outbuf, *in, *out;
++
++ max = max_w * max_h;
++ nr_samples = (size_t)(max * 3U * sizeof(unsigned short));
++ in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
++ out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
++
++ if (inbuf == NULL || outbuf == NULL) {
++ goto fails1;
++ }
++
++ r = image->comps[0].data;
++ g = image->comps[1].data;
++ b = image->comps[2].data;
++
++ for (i = 0U ; i < max; ++i) {
++ *in++ = (unsigned short) * r++;
++ *in++ = (unsigned short) * g++;
++ *in++ = (unsigned short) * b++;
++ }
++
++ cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
++
++ r = image->comps[0].data;
++ g = image->comps[1].data;
++ b = image->comps[2].data;
++
++ for (i = 0; i < max; ++i) {
++ *r++ = (int) * out++;
++ *g++ = (int) * out++;
++ *b++ = (int) * out++;
++ }
++ ok = 1;
+
+ fails1:
+- opj_image_data_free(inbuf);
+- opj_image_data_free(outbuf);
++ opj_image_data_free(inbuf);
++ opj_image_data_free(outbuf);
++ }
++ } else {
++ fprintf(stderr,
++ "[ERROR] Image components should have the same width and height\n");
++ cmsDeleteTransform(transform);
++ return;
+ }
+ } else { /* image->numcomps <= 2 : GRAY, GRAYA */
+ if (prec <= 8) {
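Review bot: The new guard compares the width and height of components 0 to 2 with each other, but the buffers and copy loops below are sized by `max = max_w * max_h`. Where max_w and max_h are computed is outside the hunk, so the guard bounds the reads through `r`, `g` and `b` only if those values come from one of these components. That should be confirmed and recorded in a comment on the guard, e.g. `/* r, g and b are each read max_w * max_h times, so all three planes must have exactly that size */`. The product `max * 3U * sizeof(...)` is still computed without an overflow check. The declared type of `max` is not visible here, so check that it cannot wrap on 32-bit targets.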
diff --git a/main/openjpeg/CVE-2019-12973.patch b/main/openjpeg/CVE-2019-12973.patch
new file mode 100644
index 00000000000..0d330ae6d92
--- /dev/null
+++ b/main/openjpeg/CVE-2019-12973.patch
@@ -0,0 +1,152 @@
+From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Sat, 16 Mar 2019 19:57:27 +0800
+Subject: [PATCH 1/2] convertbmp: detect invalid file dimensions early
+
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+
+See commit 8ee335227bbc for details.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+---
+ src/bin/jp2/convertbmp.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 0af52f816..ec34f535b 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+- OPJ_UINT32 x, y;
++ OPJ_UINT32 x, y, written;
+ OPJ_UINT8 *pix;
+ const OPJ_UINT8 *beyond;
+
+ beyond = pData + stride * height;
+ pix = pData;
+- x = y = 0U;
++ x = y = written = 0U;
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
++ written++;
+ }
+ } else { /* absolute mode */
+ c = getc(IN);
+@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ c1 = (OPJ_UINT8)getc(IN);
+ }
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
++ written++;
+ }
+ if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
+ getc(IN);
+@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ }
+ }
+ } /* while(y < height) */
++ if (written != width * height) {
++ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++ return OPJ_FALSE;
++ }
+ return OPJ_TRUE;
+ }
+
+
+From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Sat, 16 Mar 2019 20:09:59 +0800
+Subject: [PATCH 2/2] bmp_read_rle4_data(): avoid potential infinite loop
+
+---
+ src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index ec34f535b..2fc4e9bc4 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+- break;
++ return OPJ_FALSE;
+ }
+
+ if (c) { /* encoded mode */
+- int j;
+- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN);
++ int j, c1_int;
++ OPJ_UINT8 c1;
++
++ c1_int = getc(IN);
++ if (c1_int == EOF) {
++ return OPJ_FALSE;
++ }
++ c1 = (OPJ_UINT8)c1_int;
+
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ } else { /* absolute mode */
+ c = getc(IN);
+ if (c == EOF) {
+- break;
++ return OPJ_FALSE;
+ }
+
+ if (c == 0x00) { /* EOL */
+@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ break;
+ } else if (c == 0x02) { /* MOVE by dxdy */
+ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ x += (OPJ_UINT32)c;
+ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ y += (OPJ_UINT32)c;
+ pix = pData + y * stride + x;
+ } else { /* 03 .. 255 : absolute mode */
+@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ if ((j & 1) == 0) {
+- c1 = (OPJ_UINT8)getc(IN);
++ int c1_int;
++ c1_int = getc(IN);
++ if (c1_int == EOF) {
++ return OPJ_FALSE;
++ }
++ c1 = (OPJ_UINT8)c1_int;
+ }
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
+ written++;
+ }
+ if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
+- getc(IN);
++ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ }
+ }
+ }
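Review bot: The final `written != width * height` test in bmp_read_rle4_data counts only pixels stored by the two copy loops. A file that ends a row early with the EOL code, or skips pixels with the MOVE code, finishes with a smaller count and is rejected, even though both codes are handled in the visible branches. If that strictness is intended as part of the size validation, the check should say so, e.g. `/* written counts stored pixels only; rows shortened by EOL or MOVE make the file fail here on purpose */`. The message also begins with "warning" although the function returns OPJ_FALSE. The product `width * height` is computed in OPJ_UINT32, so it is worth confirming that the caller has already bounded both values.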
diff --git a/main/openjpeg/CVE-2020-15389.patch b/main/openjpeg/CVE-2020-15389.patch
new file mode 100644
index 00000000000..f5737a3b245
--- /dev/null
+++ b/main/openjpeg/CVE-2020-15389.patch
@@ -0,0 +1,39 @@
+From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 28 Jun 2020 14:19:59 +0200
+Subject: [PATCH] opj_decompress: fix double-free on input directory with mix
+ of valid and invalid images (CVE-2020-15389)
+
+Fixes #1261
+
+Credits to @Ruia-ruia for reporting and analysis.
+---
+ src/bin/jp2/opj_decompress.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
+index 7eeb0952f..2634907f0 100644
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original)
+ int main(int argc, char **argv)
+ {
+ opj_decompress_parameters parameters; /* decompression parameters */
+- opj_image_t* image = NULL;
+- opj_stream_t *l_stream = NULL; /* Stream */
+- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */
+- opj_codestream_index_t* cstr_index = NULL;
+
+ OPJ_INT32 num_images, imageno;
+ img_fol_t img_fol;
+@@ -1393,6 +1389,10 @@ int main(int argc, char **argv)
+
+ /*Decoding image one by one*/
+ for (imageno = 0; imageno < num_images ; imageno++) {
++ opj_image_t* image = NULL;
++ opj_stream_t *l_stream = NULL; /* Stream */
++ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */
++ opj_codestream_index_t* cstr_index = NULL;
+
+ if (!parameters.quiet) {
+ fprintf(stderr, "\n");
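Review bot: The fix works only because `image`, `l_stream`, `l_codec` and `cstr_index` are reset to NULL at the top of every loop iteration, and nothing in the moved declarations says that. A later cleanup could hoist them back out of the loop and reintroduce the double free. I would add a comment above the four declarations, e.g. `/* Per-image handles: reset to NULL on every iteration so a failed image cannot leave stale pointers for the next one's cleanup. */`. The cleanup sites that free these handles are outside the hunk.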
diff --git a/main/openjpeg/CVE-2020-6851.patch b/main/openjpeg/CVE-2020-6851.patch
new file mode 100644
index 00000000000..9a70291f50e
--- /dev/null
+++ b/main/openjpeg/CVE-2020-6851.patch
@@ -0,0 +1,29 @@
+From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 11 Jan 2020 01:51:19 +0100
+Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
+ coordinates are beyond INT_MAX (fixes #1228)
+
+---
+ src/lib/openjp2/j2k.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 14f6ff41a..922550eb1 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
+ l_img_comp = p_image->comps;
+ for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+ OPJ_INT32 l_h, l_w;
++ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
++ p_image->y0 > (OPJ_UINT32)INT_MAX ||
++ p_image->x1 > (OPJ_UINT32)INT_MAX ||
++ p_image->y1 > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Image coordinates above INT_MAX are not supported\n");
++ return OPJ_FALSE;
++ }
+
+ l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
+ (OPJ_INT32)l_img_comp->dx);
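Review bot: The new INT_MAX test reads only `p_image->x0`, `y0`, `x1` and `y1`, yet it sits inside the per-component loop. It is re-evaluated for every component and is skipped entirely when `p_image->numcomps` is 0. Moving the whole `if (...) { opj_event_msg(...); return OPJ_FALSE; }` block to just before `for (it_comp = 0; ...)` states the intent more directly: reject the image before any component is touched. The rest of opj_j2k_update_image_dimensions is outside the hunk.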
diff --git a/main/openjpeg/CVE-2020-8112.patch b/main/openjpeg/CVE-2020-8112.patch
new file mode 100644
index 00000000000..95cb8095f56
--- /dev/null
+++ b/main/openjpeg/CVE-2020-8112.patch
@@ -0,0 +1,43 @@
+From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 30 Jan 2020 00:59:57 +0100
+Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
+
+That could lead to later assertion failures.
+
+Fixes #1231 / CVE-2020-8112
+---
+ src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index deecc4dff..aa419030a 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
+ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+ l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++ (OPJ_INT32)l_pdx)) << l_pdx;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_x_end = (OPJ_INT32)tmp;
++ }
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++ (OPJ_INT32)l_pdy)) << l_pdy;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_y_end = (OPJ_INT32)tmp;
++ }
+ /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+
+ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
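Review bot: The two added blocks differ only in `x1`/`l_pdx` versus `y1`/`l_pdy`, and neither explains why the shift is now done in OPJ_UINT32. The reason should sit next to the cast, e.g. `/* shift as unsigned: the rounded-up end can exceed INT_MAX, and an overflowing signed left shift is undefined */`. Both error paths emit the same "Integer overflow" text. Naming the value (`l_br_prc_x_end` or `l_br_prc_y_end`) in each message would help when triaging a rejected file. opj_tcd_init_tile continues outside the hunk.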
diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD
index 76ed26f8f88..eaa032f2757 100644
--- a/main/openldap/APKBUILD
+++ b/main/openldap/APKBUILD
@@ -2,6 +2,12 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 2.4.48-r2:
+# - CVE-2020-25709
+# - CVE-2020-25710
+# - CVE-2020-25692
+# 2.4.48-r1:
+# - CVE-2020-12243
# 2.4.48-r0:
# - CVE-2019-13565
# - CVE-2019-13057
@@ -13,7 +19,7 @@
#
pkgname=openldap
pkgver=2.4.48
-pkgrel=0
+pkgrel=2
pkgdesc="LDAP Server"
url="http://www.openldap.org/"
arch="all"
@@ -36,9 +42,14 @@ source="https://www.openldap.org/software/download/OpenLDAP/$pkgname-release/$pk
fix-manpages.patch
configs.patch
cacheflush.patch
+ CVE-2020-25709.patch
+ CVE-2020-25710.patch
+ CVE-2020-25692.patch
+ CVE-2020-12243.patch
slapd.initd
slapd.confd
+
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -225,5 +236,9 @@ sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be79
8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch
0d2e570ddcb7ace1221abad9fc1d3dd0d00d6948340df69879b449959a68feee6a0ad8e17ef9971b35986293e16fc9d8e88de81815fedd5ea6a952eb085406ca configs.patch
60c1ec62003a33036de68402544e25a71715ed124a3139056a94ed1ba02fb8148ee510ab8f182a308105a2f744b9787e67112bcd8cd0d800cdb6f5409c4f63ff cacheflush.patch
+61d2d02b733011eefaac0681b7f6274e416dac4d420b354e37f51b07cc42dab61c798fbe5fab36f47079962046f309373b41886b4632e86dc08d5bfe59b275f7 CVE-2020-25709.patch
+abb7f43b6379fe6c03e583dc3a2c861c573ad6b83710954e35928e0449a1b78e259d8d5c6b7c33747b347ab67388d4894980a954d5ddb24b51a693b9c43798f2 CVE-2020-25710.patch
+023b32e1a8e61c96b77723dfe39d33de170af684e29defdb34c14719b77fa0e9a101f8aaafe378afb30bf5ca732cf7209ef291089d7524b2301a97c102f5f6e4 CVE-2020-25692.patch
+fddf5cf57c5b4b1d0e148ce850aafe5791dd7772727c824e858fe97e375871d2d3f622894d978444f7c5d8d64160c6fd766ae91de5eac3eb7f5292ceaaf599ea CVE-2020-12243.patch
0c3606e4dad1b32f1c4b62f2bc1990a4c9f7ccd10c7b50e623309ba9df98064e68fc42a7242450f32fb6e5fa2203609d3d069871b5ae994cd4b227a078c93532 slapd.initd
64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd"
diff --git a/main/openldap/CVE-2020-12243.patch b/main/openldap/CVE-2020-12243.patch
new file mode 100644
index 00000000000..d8e10f5bc66
--- /dev/null
+++ b/main/openldap/CVE-2020-12243.patch
@@ -0,0 +1,125 @@
+From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Apr 2020 01:08:19 +0100
+Subject: [PATCH] ITS#9202 limit depth of nested filters
+
+Using a hardcoded limit for now; no reasonable apps
+should ever run into it.
+---
+ servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index 3252cf2a7..ed57bbd7b 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -37,11 +37,16 @@
+ const Filter *slap_filter_objectClass_pres;
+ const struct berval *slap_filterstr_objectClass_pres;
+
++#ifndef SLAPD_MAX_FILTER_DEPTH
++#define SLAPD_MAX_FILTER_DEPTH 5000
++#endif
++
+ static int get_filter_list(
+ Operation *op,
+ BerElement *ber,
+ Filter **f,
+- const char **text );
++ const char **text,
++ int depth );
+
+ static int get_ssa(
+ Operation *op,
+@@ -80,12 +85,13 @@ filter_destroy( void )
+ return;
+ }
+
+-int
+-get_filter(
++static int
++get_filter0(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ ber_tag_t tag;
+ ber_len_t len;
+@@ -126,6 +132,11 @@ get_filter(
+ *
+ */
+
++ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
++ *text = "filter nested too deeply";
++ return SLAPD_DISCONNECT;
++ }
++
+ tag = ber_peek_tag( ber, &len );
+
+ if( tag == LBER_ERROR ) {
+@@ -221,7 +232,7 @@ get_filter(
+
+ case LDAP_FILTER_AND:
+ Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_and, text );
++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -234,7 +245,7 @@ get_filter(
+
+ case LDAP_FILTER_OR:
+ Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_or, text );
++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -248,7 +259,7 @@ get_filter(
+ case LDAP_FILTER_NOT:
+ Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
+ (void) ber_skip_tag( ber, &len );
+- err = get_filter( op, ber, &f.f_not, text );
++ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -311,10 +322,22 @@ get_filter(
+ return( err );
+ }
+
++int
++get_filter(
++ Operation *op,
++ BerElement *ber,
++ Filter **filt,
++ const char **text )
++{
++ return get_filter0( op, ber, filt, text, 0 );
++}
++
++
+ static int
+ get_filter_list( Operation *op, BerElement *ber,
+ Filter **f,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ Filter **new;
+ int err;
+@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
+ tag != LBER_DEFAULT;
+ tag = ber_next_element( ber, &len, last ) )
+ {
+- err = get_filter( op, ber, new, text );
++ err = get_filter0( op, ber, new, text, depth );
+ if ( err != LDAP_SUCCESS )
+ return( err );
+ new = &(*new)->f_next;
+--
+GitLab
+
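Review bot: `SLAPD_MAX_FILTER_DEPTH` defaults to 5000, and the patch does not show whether that many recursion levels fit in the stack of the threads slapd runs with in this build. Each level is one get_filter0 frame, plus a get_filter_list frame for AND/OR. Since the cap exists to stop stack exhaustion from deeply nested filters, it should be checked against the actual thread stack size on this libc. The `#ifndef` guard allows a lower value to be passed through CPPFLAGS if 5000 is too generous. The counting itself looks consistent: depth is incremented in the AND, OR and NOT cases and passed unchanged inside get_filter_list, so one nesting level counts once.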
diff --git a/main/openldap/CVE-2020-25692.patch b/main/openldap/CVE-2020-25692.patch
new file mode 100644
index 00000000000..941a4f56be3
--- /dev/null
+++ b/main/openldap/CVE-2020-25692.patch
@@ -0,0 +1,27 @@
+From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 19 Oct 2020 14:03:41 +0100
+Subject: [PATCH] ITS#9370 check for equality rule on old_rdn
+
+Just skip normalization if there's no equality rule. We accept
+DNs without equality rules already.
+---
+ servers/slapd/modrdn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
+index c73dd8dba..a22975540 100644
+--- a/servers/slapd/modrdn.c
++++ b/servers/slapd/modrdn.c
+@@ -505,7 +505,7 @@ slap_modrdn2mods(
+ mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value );
+ mod_tmp->sml_values[1].bv_val = NULL;
+- if( desc->ad_type->sat_equality->smr_normalize) {
++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) {
+ mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+--
+GitLab
+
diff --git a/main/openldap/CVE-2020-25709.patch b/main/openldap/CVE-2020-25709.patch
new file mode 100644
index 00000000000..d38c9d241da
--- /dev/null
+++ b/main/openldap/CVE-2020-25709.patch
@@ -0,0 +1,26 @@
+From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 13:12:10 +0000
+Subject: [PATCH] ITS#9383 remove assert in certificateListValidate
+
+---
+ servers/slapd/schema_init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index ea0d67aa6..28f9e71a1 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in )
+ /* Optional version */
+ if ( tag == LBER_INTEGER ) {
+ tag = ber_get_int( ber, &version );
+- assert( tag == LBER_INTEGER );
+- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ }
+ tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+--
+GitLab
+
diff --git a/main/openldap/CVE-2020-25710.patch b/main/openldap/CVE-2020-25710.patch
new file mode 100644
index 00000000000..9b9bae8b31f
--- /dev/null
+++ b/main/openldap/CVE-2020-25710.patch
@@ -0,0 +1,27 @@
+From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 16:01:14 +0000
+Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23()
+
+---
+ servers/slapd/schema_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 5812bc4b6..ea0d67aa6 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -5327,8 +5327,8 @@ csnNormalize23(
+ }
+ *ptr = '\0';
+
+- assert( ptr == &bv.bv_val[bv.bv_len] );
+- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
++ if ( ptr != &bv.bv_val[bv.bv_len] ||
++ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+--
+GitLab
+
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index e9c16f3f7b8..22090b345c1 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.1.1d
+pkgver=1.1.1k
_abiver=${pkgver%.*}
pkgrel=0
pkgdesc="Toolkit for Transport Layer Security (TLS)"
@@ -12,7 +12,9 @@ makedepends_build="perl"
makedepends_host="linux-headers"
makedepends="$makedepends_host $makedepends_build"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
-source="https://www.openssl.org/source/openssl-$pkgver.tar.gz"
+source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
+ man-section.patch
+ "
case "$CARCH" in
s390x) options="$options !check";; # FIXME: test hangs
esac
@@ -20,6 +22,19 @@ esac
builddir="$srcdir/openssl-$pkgver"
# secfixes:
+# 1.1.1k-r0:
+# - CVE-2021-3449
+# - CVE-2021-3450
+# 1.1.1j-r0:
+# - CVE-2021-23841
+# - CVE-2021-23840
+# - CVE-2021-23839
+# 1.1.1i-r0:
+# - CVE-2020-1971
+# 1.1.1g-r0:
+# - CVE-2020-1967
+# 1.1.1d-r2:
+# - CVE-2019-1551
# 1.1.1d-r0:
# - CVE-2019-1547
# - CVE-2019-1549
@@ -107,4 +122,5 @@ _libssl() {
done
}
-sha512sums="2bc9f528c27fe644308eb7603c992bac8740e9f0c3601a130af30c9ffebbf7e0f5c28b76a00bbb478bad40fbe89b4223a58d604001e1713da71ff4b7fe6a08a7 openssl-1.1.1d.tar.gz"
+sha512sums="73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121 openssl-1.1.1k.tar.gz
+43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch"
diff --git a/main/openssl/man-section.patch b/main/openssl/man-section.patch
new file mode 100644
index 00000000000..0606897f45e
--- /dev/null
+++ b/main/openssl/man-section.patch
@@ -0,0 +1,54 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: man-section
+
+---
+ Configurations/unix-Makefile.tmpl | 6 ++++--
+ util/process_docs.pl | 3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 1292053546f5..c034d21884d8 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -183,7 +183,8 @@ HTMLDIR=$(DOCDIR)/html
+ # MANSUFFIX is for the benefit of anyone who may want to have a suffix
+ # appended after the manpage file section number. "ssl" is popular,
+ # resulting in files such as config.5ssl rather than config.5.
+-MANSUFFIX=
++MANSUFFIX=ssl
++MANSECTION=SSL
+ HTMLSUFFIX=html
+
+ # For "optional" echo messages, to get "real" silence
+@@ -726,7 +727,8 @@ uninstall_runtime: uninstall_programs uninstall_runtime_libs
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(ECHO) "*** Installing manpages"
+ $(PERL) $(SRCDIR)/util/process_docs.pl \
+- "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
++ "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX) \
++ --mansection=$(MANSECTION)
+
+ uninstall_man_docs:
+ @$(ECHO) "*** Uninstalling manpages"
+diff --git a/util/process_docs.pl b/util/process_docs.pl
+index 30b149eb8fcc..424155ea808e 100755
+--- a/util/process_docs.pl
++++ b/util/process_docs.pl
+@@ -37,6 +37,7 @@ GetOptions(\%options,
+ 'type=s', # The result type, 'man' or 'html'
+ 'suffix:s', # Suffix to add to the extension.
+ # Only used with type=man
++ 'mansection:s', # Section to put to manpage in
+ 'remove', # To remove files rather than writing them
+ 'dry-run|n', # Only output file names on STDOUT
+ 'debug|D+',
+@@ -97,7 +98,7 @@ foreach my $section (sort @{$options{section}}) {
+ my $name = uc $podname;
+ my $suffix = { man => ".$podinfo{section}".($options{suffix} // ""),
+ html => ".html" } -> {$options{type}};
+- my $generate = { man => "pod2man --name=$name --section=$podinfo{section} --center=OpenSSL --release=$config{version} \"$podpath\"",
++ my $generate = { man => "pod2man --name=$name --section=$podinfo{section}$options{mansection} --center=OpenSSL --release=$config{version} \"$podpath\"",
+ html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=man1:man3:man5:man7 \"--infile=$podpath\" \"--title=$podname\" --quiet"
+ } -> {$options{type}};
+ my $output_dir = catdir($options{destdir}, "man$podinfo{section}");
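Review bot: The new pod2man command line interpolates `$options{mansection}` directly, while the `$suffix` line just above it defaults the optional value with `($options{suffix} // "")`. `mansection:s` is optional, so any run of process_docs.pl without `--mansection` interpolates undef, which gives an "uninitialized value" warning if warnings are enabled in this script. Default it the same way, e.g. `my $mansection = $options{mansection} // "";`, and use `--section=$podinfo{section}$mansection` in the command string.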
diff --git a/main/patch/APKBUILD b/main/patch/APKBUILD
index 0e02115e46a..ce6fe783616 100644
--- a/main/patch/APKBUILD
+++ b/main/patch/APKBUILD
@@ -27,6 +27,7 @@ builddir="$srcdir"/$pkgname-$pkgver
# 2.7.6-r6:
# - CVE-2018-1000156
# - CVE-2019-13638
+# - CVE-2018-20969
# 2.7.6-r5:
# - CVE-2019-13636
# 2.7.6-r2:
diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD
index da65eef6bb4..d7f05247b89 100644
--- a/main/pcre/APKBUILD
+++ b/main/pcre/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pcre
pkgver=8.42
-pkgrel=1
+pkgrel=2
pkgdesc="Perl-compatible regular expression library"
url="http://pcre.sourceforge.net"
arch="all"
@@ -12,9 +12,13 @@ makedepends=""
checkdepends="paxmark"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools
libpcrecpp libpcre16 libpcre32"
-source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2
+source="https://ftp.pcre.org/pub/pcre/pcre-$pkgver.tar.bz2
+ CVE-2020-14155.patch
"
+
# secfixes:
+# 8.42-r2:
+# - CVE-2020-14155
# 8.40-r2:
# - CVE-2017-7186
# 7.8-r0:
@@ -94,4 +98,5 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="b47b923108f6ee0c31409b79d0888314271b482a22590e164d02f21d2112fba22dd0342c24f9ba0f5fcc5b8c65550bad08c476e30a2fc79b34ecf4601ed82f3d pcre-8.42.tar.bz2"
+sha512sums="b47b923108f6ee0c31409b79d0888314271b482a22590e164d02f21d2112fba22dd0342c24f9ba0f5fcc5b8c65550bad08c476e30a2fc79b34ecf4601ed82f3d pcre-8.42.tar.bz2
+23baa5fbaff7b52e861a539a83ad4406937d7a8a85d2a4e2419d0bea99204659e350caab68091d6354842297df2bb3097204bc63c4e1d3d9d1b94427efc46748 CVE-2020-14155.patch"
diff --git a/main/pcre/CVE-2020-14155.patch b/main/pcre/CVE-2020-14155.patch
new file mode 100644
index 00000000000..3bfa119f3b5
--- /dev/null
+++ b/main/pcre/CVE-2020-14155.patch
@@ -0,0 +1,31 @@
+pcre: Fix int overflow when parsing "?C<arg>" callout args.
+
+Numerical args must be 0-255, so this shouldn't break correct usage.
+
+--- a/pcre_compile.c 2020/02/10 17:01:27 1760
++++ b/pcre_compile.c 2020/02/10 17:17:34 1761
+@@ -7130,17 +7130,19 @@
+ int n = 0;
+ ptr++;
+ while(IS_DIGIT(*ptr))
++ {
+ n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+ if (*ptr != CHAR_RIGHT_PARENTHESIS)
+ {
+ *errorcodeptr = ERR39;
+ goto FAILED;
+ }
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+ *code++ = n;
+ PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+ PUT(code, LINK_SIZE, 0); /* Default length */
diff --git a/main/perl-datetime-timezone/APKBUILD b/main/perl-datetime-timezone/APKBUILD
index 74a39f43ae6..87cef23fdb3 100644
--- a/main/perl-datetime-timezone/APKBUILD
+++ b/main/perl-datetime-timezone/APKBUILD
@@ -1,50 +1,39 @@
-# Automatically generated by apkbuild-cpan, template 2
+# Automatically generated by apkbuild-cpan, template 3
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=perl-datetime-timezone
+#_pkgreal is used by apkbuild-cpan to find modules at MetaCpan
_pkgreal=DateTime-TimeZone
-pkgver=2.19
+pkgver=2.43
pkgrel=0
pkgdesc="Time zone object base class and factory"
-url="http://search.cpan.org/dist/DateTime-TimeZone/"
+url="https://metacpan.org/release/DateTime-TimeZone/"
arch="noarch"
-license="GPL PerlArtistic"
-cpandepends="perl-class-singleton perl-params-validationcompiler perl-namespace-autoclean perl-try-tiny perl-module-runtime perl-specio"
-cpanmakedepends=""
-cpancheckdepends="perl-test-requires perl-test-fatal"
-depends="$cpandepends"
-makedepends="perl-dev $cpanmakedepends"
-options="!check" # disable due to circular dependency with perl-datetime
-#checkdepends="perl-datetime $cpancheckdepends"
-checkdepends="$cpancheckdepends"
+license="GPL-1.0-or-later OR Artistic-1.0-Perl"
+depends="perl perl-specio perl-params-validationcompiler perl-module-runtime
+ perl-try-tiny perl-namespace-autoclean perl-class-singleton"
+makedepends="perl-dev"
+checkdepends="perl-test-fatal perl-test-requires"
subpackages="$pkgname-doc"
-source="http://search.cpan.org/CPAN/authors/id/D/DR/DROLSKY/$_pkgreal-$pkgver.tar.gz"
+source="https://cpan.metacpan.org/authors/id/D/DR/DROLSKY/DateTime-TimeZone-$pkgver.tar.gz"
builddir="$srcdir/$_pkgreal-$pkgver"
-prepare() {
- default_prepare
-
- cd "$builddir"
+build() {
export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
PERL_MM_USE_DEFAULT=1 perl -I. Makefile.PL INSTALLDIRS=vendor
+ make
}
-build() {
- cd "$builddir"
+check() {
export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
- make
+ make test
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
}
-check() {
- cd "$builddir"
- export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}')
- make test
-}
-sha512sums="77c40e390da5747d10135dbe3652051e727a42e57eee7d7659d48bb284e64b94b006b6b7c0deea2354e46e2f50aeacff9299f4ca2a0c221de59d58e869f929eb DateTime-TimeZone-2.19.tar.gz"
+
+sha512sums="4e9bf442775ba58c6539a88e3e15ef8fc93aa4dbc6916034eeb0505930ee3cd83ce3d6de6f0e6c437a60fbdde3ecef0842740430f6af8579d0bbda2332bd7bc0 DateTime-TimeZone-2.43.tar.gz"
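Review bot: Removing `options="!check"` enables the test suite, but the removed comment says it was disabled because of a circular dependency with perl-datetime, and the new `checkdepends` still leaves perl-datetime out. Whether the tests that need DateTime skip or fail without it cannot be seen from this hunk, so confirm `make test` passes in a clean build root. A comment next to `checkdepends` would keep the reason on record, e.g. `# perl-datetime omitted on purpose: circular dependency`. The `export CFLAGS=$(perl ...)` lines in build() and check() are also unquoted, and `export CFLAGS="$(perl -MConfig -E 'say $Config{ccflags}')"` avoids word splitting in shells that split export arguments.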
diff --git a/main/perl-dbi/APKBUILD b/main/perl-dbi/APKBUILD
index b594ee5f2ab..6cd331207c2 100644
--- a/main/perl-dbi/APKBUILD
+++ b/main/perl-dbi/APKBUILD
@@ -2,34 +2,31 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=perl-dbi
_realpkgname=DBI
-pkgver=1.642
+pkgver=1.643
pkgrel=0
pkgdesc="Database independent interface for Perl"
-url="http://search.cpan.org/dist/${_realpkgname}"
+url="http://search.cpan.org/dist/$_realpkgname"
arch="all"
-license="GPL PerlArtistic"
-depends=
-makedepends="perl perl-dev"
+license="GPL-1.0-or-later OR Artistic-1.0-Perl"
+depends="perl"
+makedepends="perl-dev"
subpackages="$pkgname-doc"
-source="http://www.cpan.org/authors/id/T/TI/TIMB/${_realpkgname}-$pkgver.tar.gz"
-builddir="$srcdir"/${_realpkgname}-$pkgver
+source="http://www.cpan.org/authors/id/T/TI/TIMB/$_realpkgname-$pkgver.tar.gz"
+builddir="$srcdir"/$_realpkgname-$pkgver
build() {
- cd "$builddir"
PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor
make
}
-check () {
- cd "$builddir"
+check() {
make test
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
- # creates file collision among perl modules
- find "$pkgdir" -name perllocal.pod -delete
+ # creates file collision among perl modules
+ find "$pkgdir" -name perllocal.pod -delete
}
-sha512sums="088161a004893a495b740c323acdfe096936812f8f1b12c0ae4b5b23a6dced01761be5589be5e2e66661bdeffd043504097213e713c0258fe1db2a60156ea079 DBI-1.642.tar.gz"
+sha512sums="03812f3eb1e43c8290dadb8cb14bbced9ec6e237228ea2a2ba91f22e52143906a91a7e82945dab30b1d1b9fc925073721111adafd9a09fac070808ab88f908b8 DBI-1.643.tar.gz"
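Review bot: `url` and `source` are rewritten in this hunk but stay on plain `http://`, while the perl-datetime-timezone and perl-mozilla-ca sections of the same commit move to `https://`. The `sha512sums` entry does pin the tarball, so a modified download fails the build. Fetching over TLS would still be consistent with the sibling packages, e.g. `source="https://www.cpan.org/authors/id/T/TI/TIMB/$_realpkgname-$pkgver.tar.gz"`. If the bump to 1.643 is being taken for a security fix, this section also has no `# secfixes:` entry of the kind other APKBUILDs in this commit gain.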
diff --git a/main/perl-mozilla-ca/APKBUILD b/main/perl-mozilla-ca/APKBUILD
index b4de335ecd3..81fde271fb5 100644
--- a/main/perl-mozilla-ca/APKBUILD
+++ b/main/perl-mozilla-ca/APKBUILD
@@ -3,37 +3,34 @@
# Maintainer: Kiyoshi Aman <kiyoshi.aman@gmail.com>
pkgname=perl-mozilla-ca
_pkgreal=Mozilla-CA
-pkgver=20160104
+pkgver=20200520
pkgrel=0
pkgdesc="Mozilla's CA cert bundle in PEM format"
-url="http://search.cpan.org/dist/Mozilla-CA/"
+url="https://metacpan.org/release/Mozilla-CA"
arch="noarch"
license="GPL PerlArtistic"
-cpandepends=""
-cpanmakedepends=""
-depends="$cpandepends"
-makedepends="perl-dev $cpanmakedepends"
+makedepends="perl-dev"
subpackages="$pkgname-doc"
-source="http://search.cpan.org/CPAN/authors/id/A/AB/ABH/$_pkgreal-$pkgver.tar.gz"
-
-_builddir="$srcdir/$_pkgreal-$pkgver"
+source="https://search.cpan.org/CPAN/authors/id/A/AB/ABH/$_pkgreal-$pkgver.tar.gz"
+builddir="$srcdir/$_pkgreal-$pkgver"
prepare() {
- cd "$_builddir"
+ default_prepare
+
PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor
}
build() {
- cd "$_builddir"
- make && make test
+ make
+}
+
+check() {
+ make test
}
package() {
- cd "$_builddir"
- make DESTDIR="$pkgdir" install || return 1
+ make DESTDIR="$pkgdir" install
find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
}
-md5sums="1b91edb15953a8188f011ab5ff433300 Mozilla-CA-20160104.tar.gz"
-sha256sums="27a7069a243162b65ada4194ff9d21b6ebc304af723eb5d3972fb74c11b03f2a Mozilla-CA-20160104.tar.gz"
-sha512sums="3b416d45ce82d2a0be5f8a3f61506deba48c9208e579e418addb2ff8920599aa4b4ab52f7ff4b8aaf274cf4cf2da8d30f7775f9663c6d9d3aae92f7a1cf6292b Mozilla-CA-20160104.tar.gz"
+sha512sums="5bc7c43c55baa3f878fd2dbf1c85d6b20dcdc9e54ae073d1be4f6b808fa5a4b1205428b7967b5f752b31a62464a8b5cc67b32b3f70b834a4da9c39efe3d5d59f Mozilla-CA-20200520.tar.gz"
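Review bot: `url` moves to metacpan.org, but `source` still points at `search.cpan.org`, now over https. The perl-datetime-timezone section in this commit fetches from `https://cpan.metacpan.org/authors/id/...` instead. Using the same host would avoid depending on a redirect for a package that ships the CA bundle, e.g. `source="https://cpan.metacpan.org/authors/id/A/AB/ABH/$_pkgreal-$pkgver.tar.gz"`. `license="GPL PerlArtistic"` is also left in the old form, whereas the two neighbouring Perl packages switch to `GPL-1.0-or-later OR Artistic-1.0-Perl`; confirm the right SPDX expression for this module and update it too.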
diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD
index 3206f319773..f81086cee34 100644
--- a/main/perl/APKBUILD
+++ b/main/perl/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=perl
pkgver=5.26.3
-pkgrel=0
+pkgrel=1
pkgdesc="Larry Wall's Practical Extraction and Report Language"
url="http://www.perl.org/"
arch="all"
@@ -15,9 +15,16 @@ makedepends="bzip2-dev zlib-dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl"
source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz
CVE-2018-12015.patch
+ CVE-2020-10543.patch
+ CVE-2020-10878.patch
+ CVE-2020-12723.patch
"
# secfixes:
+# 5.26.3-r1:
+# - CVE-2020-10543
+# - CVE-2020-10878
+# - CVE-2020-12723
# 5.26.3-r0:
# - CVE-2018-18311
# - CVE-2018-18312
@@ -161,4 +168,7 @@ utils() {
}
sha512sums="03914ed51163c998a6afa45610a13cf50124a2c68d291c344b0d52fa15c27fc5d5d4f5dc117516078a03dfd51250097b87c8d5e2b17c7858a4c8c536aecd05af perl-5.26.3.tar.gz
-feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916 CVE-2018-12015.patch"
+feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916 CVE-2018-12015.patch
+d084db26a6a86bcea0d8f0ecaf63581aae2fb718d92330036464e5c6530480d9bd6624762d54d4d348fdd17f6858be524286fda868f8da3ae943ceae80fec099 CVE-2020-10543.patch
+d8eda9f6bd4ab81c7008697308c081be459f0b9a22bc64dd7841eb7111a98dbe967ff161c22f87bec90487ae2720e2f33c87a6d42a9b9c8af50d65dc558ce40a CVE-2020-10878.patch
+b20c3b94ed675cca255583f7fe826e7e66b0bc05b90fc67f5b717e9204a37f87845fec78752e8fd135f2694d49dd4ccd0c875ab8d7ea1541f804bf270a10f181 CVE-2020-12723.patch"
diff --git a/main/perl/CVE-2020-10543.patch b/main/perl/CVE-2020-10543.patch
new file mode 100644
index 00000000000..a585eb74a92
--- /dev/null
+++ b/main/perl/CVE-2020-10543.patch
@@ -0,0 +1,32 @@
+From 897d1f7fd515b828e4b198d8b8bef76c6faf03ed Mon Sep 17 00:00:00 2001
+From: John Lightsey <jd@cpanel.net>
+Date: Wed, 20 Nov 2019 20:02:45 -0600
+Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex
+ quantifiers.
+
+(CVE-2020-10543) On 32bit systems the size calculations for nested regular
+expression quantifiers could overflow causing heap memory corruption.
+
+Fixes: Perl/perl5-security#125
+(cherry picked from commit bfd31397db5dc1a5c5d3e0a1f753a4f89a736e71)
+---
+ regcomp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/regcomp.c b/regcomp.c
+index 93c8d98fbb0..5f86be8086d 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -5489,6 +5489,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ RExC_precomp)));
+ }
+
++ if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext )
++ || min >= SSize_t_MAX - minnext * mincount )
++ {
++ FAIL("Regexp out of space");
++ }
++
+ min += minnext * mincount;
+ is_inf_internal |= deltanext == SSize_t_MAX
+ || (maxcount == REG_INFTY && minnext + deltanext > 0);
diff --git a/main/perl/CVE-2020-10878.patch b/main/perl/CVE-2020-10878.patch
new file mode 100644
index 00000000000..4bd3cd92e74
--- /dev/null
+++ b/main/perl/CVE-2020-10878.patch
@@ -0,0 +1,148 @@
+From 011cd8913d3a230b8d30b156b848585c7c4c1597 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <hv@crypt.org>
+Date: Tue, 18 Feb 2020 13:51:16 +0000
+Subject: [PATCH] study_chunk: extract rck_elide_nothing
+
+(CVE-2020-10878)
+
+(cherry picked from commit a3a7598c8ec6efb0eb9c0b786d80c4d2a3751b70)
+---
+ embed.fnc | 1 +
+ embed.h | 1 +
+ proto.h | 3 +++
+ regcomp.c | 70 ++++++++++++++++++++++++++++++++++---------------------
+ 4 files changed, 48 insertions(+), 27 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index e762fe1eecc..cf892771631 100644
+--- a/embed.fnc
++++ b/embed.fnc
+@@ -2477,6 +2477,7 @@ Es |SSize_t|study_chunk |NN RExC_state_t *pRExC_state \
+ |I32 stopparen|U32 recursed_depth \
+ |NULLOK regnode_ssc *and_withp \
+ |U32 flags|U32 depth
++Es |void |rck_elide_nothing|NN regnode *node
+ EsRn |U32 |add_data |NN RExC_state_t* const pRExC_state \
+ |NN const char* const s|const U32 n
+ rs |void |re_croak2 |bool utf8|NN const char* pat1|NN const char* pat2|...
+diff --git a/embed.h b/embed.h
+index a5416a1148d..886551ce5c6 100644
+--- a/embed.h
++++ b/embed.h
+@@ -1202,6 +1202,7 @@
+ #define output_or_return_posix_warnings(a,b,c) S_output_or_return_posix_warnings(aTHX_ a,b,c)
+ #define parse_lparen_question_flags(a) S_parse_lparen_question_flags(aTHX_ a)
+ #define populate_ANYOF_from_invlist(a,b) S_populate_ANYOF_from_invlist(aTHX_ a,b)
++#define rck_elide_nothing(a) S_rck_elide_nothing(aTHX_ a)
+ #define reg(a,b,c,d) S_reg(aTHX_ a,b,c,d)
+ #define reg2Lanode(a,b,c,d) S_reg2Lanode(aTHX_ a,b,c,d)
+ #define reg_node(a,b) S_reg_node(aTHX_ a,b)
+diff --git a/proto.h b/proto.h
+index 66bb29b1321..d3f8802c1d8 100644
+--- a/proto.h
++++ b/proto.h
+@@ -5485,6 +5485,9 @@ STATIC void S_parse_lparen_question_flags(pTHX_ RExC_state_t *pRExC_state);
+ STATIC void S_populate_ANYOF_from_invlist(pTHX_ regnode *node, SV** invlist_ptr);
+ #define PERL_ARGS_ASSERT_POPULATE_ANYOF_FROM_INVLIST \
+ assert(node); assert(invlist_ptr)
++STATIC void S_rck_elide_nothing(pTHX_ regnode *node);
++#define PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING \
++ assert(node)
+ PERL_STATIC_NO_RET void S_re_croak2(pTHX_ bool utf8, const char* pat1, const char* pat2, ...)
+ __attribute__noreturn__;
+ #define PERL_ARGS_ASSERT_RE_CROAK2 \
+diff --git a/regcomp.c b/regcomp.c
+index dd18add1db2..0a9c6a8085a 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -4093,7 +4093,44 @@ S_unwind_scan_frames(pTHX_ const void *p)
+ } while (f);
+ }
+
++/* Follow the next-chain of the current node and optimize away
++ all the NOTHINGs from it.
++ */
++STATIC void
++S_rck_elide_nothing(pTHX_ regnode *node)
++{
++ dVAR;
+
++ PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING;
++
++ if (OP(node) != CURLYX) {
++ const int max = (reg_off_by_arg[OP(node)]
++ ? I32_MAX
++ /* I32 may be smaller than U16 on CRAYs! */
++ : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
++ int off = (reg_off_by_arg[OP(node)] ? ARG(node) : NEXT_OFF(node));
++ int noff;
++ regnode *n = node;
++
++ /* Skip NOTHING and LONGJMP. */
++ while (
++ (n = regnext(n))
++ && (
++ (PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
++ || ((OP(n) == LONGJMP) && (noff = ARG(n)))
++ )
++ && off + noff < max
++ ) {
++ off += noff;
++ }
++ if (reg_off_by_arg[OP(node)])
++ ARG(node) = off;
++ else
++ NEXT_OFF(node) = off;
++ }
++ return;
++}
++
+ STATIC SSize_t
+ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ SSize_t *minlenp, SSize_t *deltap,
+@@ -4277,28 +4315,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ */
+ JOIN_EXACT(scan,&min_subtract, &unfolded_multi_char, 0);
+
+- /* Follow the next-chain of the current node and optimize
+- away all the NOTHINGs from it. */
+- if (OP(scan) != CURLYX) {
+- const int max = (reg_off_by_arg[OP(scan)]
+- ? I32_MAX
+- /* I32 may be smaller than U16 on CRAYs! */
+- : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
+- int off = (reg_off_by_arg[OP(scan)] ? ARG(scan) : NEXT_OFF(scan));
+- int noff;
+- regnode *n = scan;
+-
+- /* Skip NOTHING and LONGJMP. */
+- while ((n = regnext(n))
+- && ((PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
+- || ((OP(n) == LONGJMP) && (noff = ARG(n))))
+- && off + noff < max)
+- off += noff;
+- if (reg_off_by_arg[OP(scan)])
+- ARG(scan) = off;
+- else
+- NEXT_OFF(scan) = off;
+- }
++ /* Follow the next-chain of the current node and optimize
++ away all the NOTHINGs from it.
++ */
++ rck_elide_nothing(scan);
+
+ /* The principal pseudo-switch. Cannot be a switch, since we
+ look into several different things. */
+@@ -5425,11 +5445,7 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
+ if (data && (fl & SF_HAS_EVAL))
+ data->flags |= SF_HAS_EVAL;
+ optimize_curly_tail:
+- if (OP(oscan) != CURLYX) {
+- while (PL_regkind[OP(next = regnext(oscan))] == NOTHING
+- && NEXT_OFF(next))
+- NEXT_OFF(oscan) += NEXT_OFF(next);
+- }
++ rck_elide_nothing(oscan);
+ continue;
+
+ default:
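Review bot: This file carries one upstream commit under the CVE name, the extraction of `rck_elide_nothing`, and it may not be the whole fix. The behavioural change it brings is at `optimize_curly_tail:`, where the old loop did `NEXT_OFF(oscan) += NEXT_OFF(next)` with no bound and the helper now stops once `off + noff < max` fails. As far as I recall, upstream's fix for this CVE also included a companion regcomp.c change that uses long jumps when an offset could overflow, and that change is not in this file. Please check the upstream advisory for the full commit list and either add the missing change or note in the APKBUILD why 5.26.3 does not need it.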
diff --git a/main/perl/CVE-2020-12723.patch b/main/perl/CVE-2020-12723.patch
new file mode 100644
index 00000000000..657f0c7cc21
--- /dev/null
+++ b/main/perl/CVE-2020-12723.patch
@@ -0,0 +1,277 @@
+From 3f4ba871d2d397dcd4386ed75e05353c36135c29 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <hv@crypt.org>
+Date: Sat, 11 Apr 2020 14:10:24 +0100
+Subject: [PATCH] study_chunk: avoid mutating regexp program within GOSUB
+
+gh16947 and gh17743: studying GOSUB may restudy in an inner call
+(via a mix of recursion and enframing) something that an outer call
+is in the middle of looking at. Let the outer frame deal with it.
+
+(CVE-2020-12723)
+
+(cherry picked from commit c031e3ec7c713077659f5f7dc6638d926c69d7b2)
+---
+ embed.fnc | 2 +-
+ embed.h | 2 +-
+ proto.h | 2 +-
+ regcomp.c | 48 ++++++++++++++++++++++++++++++++----------------
+ t/re/pat.t | 26 +++++++++++++++++++++++++-
+ 5 files changed, 60 insertions(+), 20 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index cf892771631..4b1ba282779 100644
+--- a/embed.fnc
++++ b/embed.fnc
+@@ -2476,7 +2476,7 @@ Es |SSize_t|study_chunk |NN RExC_state_t *pRExC_state \
+ |NULLOK struct scan_data_t *data \
+ |I32 stopparen|U32 recursed_depth \
+ |NULLOK regnode_ssc *and_withp \
+- |U32 flags|U32 depth
++ |U32 flags|U32 depth|bool was_mutate_ok
+ Es |void |rck_elide_nothing|NN regnode *node
+ EsR |SV * |get_ANYOFM_contents|NN const regnode * n
+ EsRn |U32 |add_data |NN RExC_state_t* const pRExC_state \
+diff --git a/embed.h b/embed.h
+index 886551ce5c6..50fcabc140b 100644
+--- a/embed.h
++++ b/embed.h
+@@ -1232,7 +1232,7 @@
+ #define ssc_is_cp_posixl_init S_ssc_is_cp_posixl_init
+ #define ssc_or(a,b,c) S_ssc_or(aTHX_ a,b,c)
+ #define ssc_union(a,b,c) S_ssc_union(aTHX_ a,b,c)
+-#define study_chunk(a,b,c,d,e,f,g,h,i,j,k) S_study_chunk(aTHX_ a,b,c,d,e,f,g,h,i,j,k)
++#define study_chunk(a,b,c,d,e,f,g,h,i,j,k,l) S_study_chunk(aTHX_ a,b,c,d,e,f,g,h,i,j,k,l)
+ # endif
+ # if defined(PERL_IN_REGCOMP_C) || defined (PERL_IN_DUMP_C)
+ #define _invlist_dump(a,b,c,d) Perl__invlist_dump(aTHX_ a,b,c,d)
+diff --git a/proto.h b/proto.h
+index d3f8802c1d8..e276f69bd1c 100644
+--- a/proto.h
++++ b/proto.h
+@@ -5596,7 +5596,7 @@ PERL_STATIC_INLINE void S_ssc_union(pTHX_ regnode_ssc *ssc, SV* const invlist, c
+ #define PERL_ARGS_ASSERT_SSC_UNION \
+ assert(ssc); assert(invlist)
+ #endif
+-STATIC SSize_t S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, SSize_t *minlenp, SSize_t *deltap, regnode *last, struct scan_data_t *data, I32 stopparen, U32 recursed_depth, regnode_ssc *and_withp, U32 flags, U32 depth);
++STATIC SSize_t S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, SSize_t *minlenp, SSize_t *deltap, regnode *last, struct scan_data_t *data, I32 stopparen, U32 recursed_depth, regnode_ssc *and_withp, U32 flags, U32 depth, bool was_mutate_ok);
+ #define PERL_ARGS_ASSERT_STUDY_CHUNK \
+ assert(pRExC_state); assert(scanp); assert(minlenp); assert(deltap); assert(last)
+ #endif
+diff --git a/regcomp.c b/regcomp.c
+index 0a9c6a8085a..e66032a16ad 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -111,6 +111,7 @@ typedef struct scan_frame {
+ U32 prev_recursed_depth;
+ I32 stopparen; /* what stopparen do we use */
+ U32 is_top_frame; /* what flags do we use? */
++ bool in_gosub; /* this or an outer frame is for GOSUB */
+
+ struct scan_frame *this_prev_frame; /* this previous frame */
+ struct scan_frame *prev_frame; /* previous frame */
+@@ -4225,7 +4226,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ I32 stopparen,
+ U32 recursed_depth,
+ regnode_ssc *and_withp,
+- U32 flags, U32 depth)
++ U32 flags, U32 depth, bool was_mutate_ok)
+ /* scanp: Start here (read-write). */
+ /* deltap: Write maxlen-minlen here. */
+ /* last: Stop before this one. */
+@@ -4303,6 +4304,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ node length to get a real minimum (because
+ the folded version may be shorter) */
+ bool unfolded_multi_char = FALSE;
++ /* avoid mutating ops if we are anywhere within the recursed or
++ * enframed handling for a GOSUB: the outermost level will handle it.
++ */
++ bool mutate_ok = was_mutate_ok && !(frame && frame->in_gosub);
+ /* Peephole optimizer: */
+ DEBUG_STUDYDATA("Peep", data, depth, is_inf);
+ DEBUG_PEEP("Peep", scan, depth, flags);
+@@ -4313,7 +4318,8 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ * parsing code, as each (?:..) is handled by a different invocation of
+ * reg() -- Yves
+ */
+- JOIN_EXACT(scan,&min_subtract, &unfolded_multi_char, 0);
++ if (mutate_ok)
++ JOIN_EXACT(scan,&min_subtract, &unfolded_multi_char, 0);
+
+ /* Follow the next-chain of the current node and optimize
+ away all the NOTHINGs from it.
+@@ -4345,7 +4351,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ /* DEFINEP study_chunk() recursion */
+ (void)study_chunk(pRExC_state, &scan, &minlen,
+ &deltanext, next, &data_fake, stopparen,
+- recursed_depth, NULL, f, depth+1);
++ recursed_depth, NULL, f, depth+1, mutate_ok);
+
+ scan = next;
+ } else
+@@ -4413,7 +4419,8 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ /* recurse study_chunk() for each BRANCH in an alternation */
+ minnext = study_chunk(pRExC_state, &scan, minlenp,
+ &deltanext, next, &data_fake, stopparen,
+- recursed_depth, NULL, f,depth+1);
++ recursed_depth, NULL, f, depth+1,
++ mutate_ok);
+
+ if (min1 > minnext)
+ min1 = minnext;
+@@ -4480,9 +4487,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ }
+ }
+
+- if (PERL_ENABLE_TRIE_OPTIMISATION &&
+- OP( startbranch ) == BRANCH )
+- {
++ if (PERL_ENABLE_TRIE_OPTIMISATION
++ && OP(startbranch) == BRANCH
++ && mutate_ok
++ ) {
+ /* demq.
+
+ Assuming this was/is a branch we are dealing with: 'scan'
+@@ -4933,6 +4941,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ newframe->stopparen = stopparen;
+ newframe->prev_recursed_depth = recursed_depth;
+ newframe->this_prev_frame= frame;
++ newframe->in_gosub = (
++ (frame && frame->in_gosub) || OP(scan) == GOSUB
++ );
+
+ DEBUG_STUDYDATA("frame-new", data, depth, is_inf);
+ DEBUG_PEEP("fnew", scan, depth, flags);
+@@ -5153,7 +5164,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ (mincount == 0
+ ? (f & ~SCF_DO_SUBSTR)
+ : f)
+- ,depth+1);
++ , depth+1, mutate_ok);
+
+ if (flags & SCF_DO_STCLASS)
+ data->start_class = oclass;
+@@ -5221,7 +5232,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ if ( OP(oscan) == CURLYX && data
+ && data->flags & SF_IN_PAR
+ && !(data->flags & SF_HAS_EVAL)
+- && !deltanext && minnext == 1 ) {
++ && !deltanext && minnext == 1
++ && mutate_ok
++ ) {
+ /* Try to optimize to CURLYN. */
+ regnode *nxt = NEXTOPER(oscan) + EXTRA_STEP_2ARGS;
+ regnode * const nxt1 = nxt;
+@@ -5267,10 +5280,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ && !(data->flags & SF_HAS_EVAL)
+ && !deltanext /* atom is fixed width */
+ && minnext != 0 /* CURLYM can't handle zero width */
+-
+ /* Nor characters whose fold at run-time may be
+ * multi-character */
+ && ! (RExC_seen & REG_UNFOLDED_MULTI_SEEN)
++ && mutate_ok
+ ) {
+ /* XXXX How to optimize if data == 0? */
+ /* Optimize to a simpler form. */
+@@ -5318,7 +5331,8 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ /* Optimize again: */
+ /* recurse study_chunk() on optimised CURLYX => CURLYM */
+ study_chunk(pRExC_state, &nxt1, minlenp, &deltanext, nxt,
+- NULL, stopparen, recursed_depth, NULL, 0,depth+1);
++ NULL, stopparen, recursed_depth, NULL, 0,
++ depth+1, mutate_ok);
+ }
+ else
+ oscan->flags = 0;
+@@ -5735,7 +5749,8 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
+ /* recurse study_chunk() for lookahead body */
+ minnext = study_chunk(pRExC_state, &nscan, minlenp, &deltanext,
+ last, &data_fake, stopparen,
+- recursed_depth, NULL, f, depth+1);
++ recursed_depth, NULL, f, depth+1,
++ mutate_ok);
+ if (scan->flags) {
+ if (deltanext) {
+ FAIL("Variable length lookbehind not implemented");
+@@ -5827,7 +5842,7 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
+ *minnextp = study_chunk(pRExC_state, &nscan, minnextp,
+ &deltanext, last, &data_fake,
+ stopparen, recursed_depth, NULL,
+- f,depth+1);
++ f, depth+1, mutate_ok);
+ if (scan->flags) {
+ if (deltanext) {
+ FAIL("Variable length lookbehind not implemented");
+@@ -5988,7 +6003,8 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
+ /* optimise study_chunk() for TRIE */
+ minnext = study_chunk(pRExC_state, &scan, minlenp,
+ &deltanext, (regnode *)nextbranch, &data_fake,
+- stopparen, recursed_depth, NULL, f,depth+1);
++ stopparen, recursed_depth, NULL, f, depth+1,
++ mutate_ok);
+ }
+ if (nextbranch && PL_regkind[OP(nextbranch)]==BRANCH)
+ nextbranch= regnext((regnode*)nextbranch);
+@@ -7673,7 +7689,7 @@ Perl_re_op_compile(pTHX_ SV ** const patternp, int pat_count,
+ &data, -1, 0, NULL,
+ SCF_DO_SUBSTR | SCF_WHILEM_VISITED_POS | stclass_flag
+ | (restudied ? SCF_TRIE_DOING_RESTUDY : 0),
+- 0);
++ 0, TRUE);
+
+
+ CHECK_RESTUDY_GOTO_butfirst(LEAVE_with_name("study_chunk"));
+@@ -7802,7 +7818,7 @@ Perl_re_op_compile(pTHX_ SV ** const patternp, int pat_count,
+ SCF_DO_STCLASS_AND|SCF_WHILEM_VISITED_POS|(restudied
+ ? SCF_TRIE_DOING_RESTUDY
+ : 0),
+- 0);
++ 0, TRUE);
+
+ CHECK_RESTUDY_GOTO_butfirst(NOOP);
+
+diff --git a/t/re/pat.t b/t/re/pat.t
+index 1d98fe77d7f..1488259b020 100644
+--- a/t/re/pat.t
++++ b/t/re/pat.t
+@@ -23,7 +23,7 @@ BEGIN {
+ skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader;
+ skip_all_without_unicode_tables();
+
+-plan tests => 840; # Update this when adding/deleting tests.
++plan tests => 844; # Update this when adding/deleting tests.
+
+ run_tests() unless caller;
+
+@@ -1948,6 +1948,30 @@ EOP
+ fresh_perl_is('m m0*0+\Rm', "",{},"Undefined behavior in address sanitizer");
+ }
+
++ # gh16947: test regexp corruption (GOSUB)
++ {
++ fresh_perl_is(q{
++ 'xy' =~ /x(?0)|x(?|y|y)/ && print 'ok'
++ }, 'ok', {}, 'gh16947: test regexp corruption (GOSUB)');
++ }
++ # gh16947: test fix doesn't break SUSPEND
++ {
++ fresh_perl_is(q{ 'sx' =~ m{ss++}i; print 'ok' },
++ 'ok', {}, "gh16947: test fix doesn't break SUSPEND");
++ }
++
++ # gh17743: more regexp corruption via GOSUB
++ {
++ fresh_perl_is(q{
++ "0" =~ /((0(?0)|000(?|0000|0000)(?0))|)/; print "ok"
++ }, 'ok', {}, 'gh17743: test regexp corruption (1)');
++
++ fresh_perl_is(q{
++ "000000000000" =~ /(0(())(0((?0)())|000(?|\x{ef}\x{bf}\x{bd}|\x{ef}\x{bf}\x{bd}))|)/;
++ print "ok"
++ }, 'ok', {}, 'gh17743: test regexp corruption (2)');
++ }
++
+ } # End of sub run_tests
+
+ 1;
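Review bot: The embed.fnc hunk's context does not match the tree that CVE-2020-10878.patch leaves behind. Here `rck_elide_nothing` is followed by an `EsR |SV * |get_ANYOFM_contents` line, whereas the earlier patch inserts `rck_elide_nothing` directly before `EsRn |U32 |add_data`. That suggests the patch was taken from a newer branch than 5.26.3, so this hunk would apply only with fuzz, if at all. The `plan tests => 840` line in t/re/pat.t and the regcomp.c hunks deserve the same check. Apply the patches in `source` order and confirm that no hunk is fuzzed or rejected, rebasing the patch onto 5.26.3 if one is.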
diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD
index 38327e8b0a5..f84e75d753d 100644
--- a/main/postgresql/APKBUILD
+++ b/main/postgresql/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: G.J.R. Timmer <gjr.timmer@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=postgresql
-pkgver=11.5
+pkgver=11.11
pkgrel=0
pkgdesc="A sophisticated object-relational DBMS"
url="https://www.postgresql.org/"
@@ -36,37 +36,48 @@ builddir="$srcdir/$pkgname-$pkgver"
options="!checkroot"
# secfixes:
+# 11.11-r0:
+# - CVE-2021-3393
+# 11.10-r0:
+# - CVE-2020-25694
+# - CVE-2020-25695
+# - CVE-2020-25696
+# 11.9-r0:
+# - CVE-2020-14349
+# - CVE-2020-14350
+# 11.7-r0:
+# - CVE-2020-1720
# 11.5-r0:
-# - CVE-2019-10208
-# - CVE-2019-10209
+# - CVE-2019-10208
+# - CVE-2019-10209
# 11.4-r0:
-# - CVE-2019-10164
+# - CVE-2019-10164
# 11.3-r0:
-# - CVE-2019-10129
-# - CVE-2019-10130
+# - CVE-2019-10129
+# - CVE-2019-10130
# 11.1-r0:
-# - CVE-2018-16850
+# - CVE-2018-16850
# 10.5-r0:
-# - CVE-2018-10915
-# - CVE-2018-10925
+# - CVE-2018-10915
+# - CVE-2018-10925
# 10.4-r0:
-# - CVE-2018-1115
+# - CVE-2018-1115
# 10.3-r0:
-# - CVE-2018-1058
+# - CVE-2018-1058
# 10.2-r0:
-# - CVE-2018-1052
-# - CVE-2018-1053
+# - CVE-2018-1052
+# - CVE-2018-1053
# 10.1-r0:
-# - CVE-2017-15098
-# - CVE-2017-15099
+# - CVE-2017-15098
+# - CVE-2017-15099
# 9.6.4-r0:
-# - CVE-2017-7546
-# - CVE-2017-7547
-# - CVE-2017-7548
+# - CVE-2017-7546
+# - CVE-2017-7547
+# - CVE-2017-7548
# 9.6.3-r0:
-# - CVE-2017-7484
-# - CVE-2017-7485
-# - CVE-2017-7486
+# - CVE-2017-7484
+# - CVE-2017-7485
+# - CVE-2017-7486
prepare() {
default_prepare
@@ -307,7 +318,7 @@ _submv() {
done
}
-sha512sums="537148079dc6c33cfb9bf9722171e524707b42ef01369deb968d0d6e8fa9b7f16f6ce67139d9dc45fb7385defbf56aa2c0affe5ee9d76e996f31e47486192141 postgresql-11.5.tar.bz2
+sha512sums="8d38e6b7826e73191159f1ee69efde28adc061e0041eb136f55681503a189355b869b2ff312860325d454c1f95367d921fb61dd2de31f584261f165f229bcdb9 postgresql-11.11.tar.bz2
1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch
5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch
8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch
diff --git a/main/ppp/APKBUILD b/main/ppp/APKBUILD
index a51e463a736..de71cfacc5e 100644
--- a/main/ppp/APKBUILD
+++ b/main/ppp/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ppp
pkgver=2.4.7
-pkgrel=6
+pkgrel=7
pkgdesc="A daemon which implements the PPP protocol for dial-up networking"
url="http://www.samba.org/ppp/"
arch="all"
@@ -26,11 +26,19 @@ source="https://ftp.samba.org/pub/ppp/ppp-$pkgver.tar.gz
musl-fix-headers.patch
fix-paths.patch
0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
+ radius-Prevent-buffer-overflow-in-rc_mksid.patch
+ fix-bound-check-eap.patch
+ pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
ip-down
ip-up
pppd.initd"
_builddir="$srcdir"/$pkgname-$pkgver
+
+# secfixes:
+# 2.4.7-r7:
+# - CVE-2020-8597
+
prepare() {
local i
cd "$_builddir"
@@ -177,6 +185,9 @@ fccc7a6809ae4a617796ccf1d2132de8edb1cc0c71d76a95393585a5970b92be2a54da558702db35
2f071ea9db15e4abf1bed6cce8130dc81b710a31bfef5fa8f9370c353f845dbc47674b1551b8e040478e5156add6f98d480530206125e8bb308f0f4288d1eec6 musl-fix-headers.patch
8384afb992a98a7f97b484866e6aa1b1de51e901d7837f84f7ce2beba6815591450fab43957f03b65804424c4940c59640a9cd878979240a171aa77427e9c4ff fix-paths.patch
b490971d03fef4de66b61123f80a0087270bcb88466ae8ed98ea9a08b35d4c7c46b2dadd304e2970a4206bb5760a14370d7e3873de6240119d88e927ecef840c 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
+d175085eaa93ccf8ade7be4f9818efe353017da7cec41d9312ad2c6685e3763834aff76d673e9d2bb0b44336f926537569ddb86a6035ec33ab8b6a7de2340132 radius-Prevent-buffer-overflow-in-rc_mksid.patch
+ba0c062f93400008ddf47897ac2ab6a2f5017bc7f4167d1a93dd3a5c04068a922490eb4082b0da80f0c3aea6c87fdfbca3568548724a0abc148588ab86a6df32 fix-bound-check-eap.patch
+ce1bf3298f3f99a7de643bd070cb0e7e7b1dd9621926637ffc93fd2ef552781424ce9a68c88de6eb25dc2593d543e8e329eccc2d00982bde2493e8efb7903051 pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
160260bd2a788beaac395eadb38efbfd1e0e1a458fe151555acacf2c4f3a12381d644672c664f9793db6e3459a4f05a54e3ff6d407b0d37e8014b15bd0f11bcc ip-down
8258c95a6b6e8e94d6001b5cd3a99bd3270f29ba0f2e5050a26c8d5f1b67eead8d039e71ce86a784d45e620047b0a2bb14b258d80a9ea62084ba588a4c2e2d84 ip-up
bd6f43588b037367ffdb57f5e331492dcaa5969003e219c2dc8b90e6be1aa407282ff6114b91d1379ebeff766983fa0622456520cc0ac592b4f0b1496acf21bf pppd.initd"
diff --git a/main/ppp/fix-bound-check-eap.patch b/main/ppp/fix-bound-check-eap.patch
new file mode 100644
index 00000000000..746eb70961a
--- /dev/null
+++ b/main/ppp/fix-bound-check-eap.patch
@@ -0,0 +1,40 @@
+From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 15:53:28 +1100
+Subject: [PATCH] pppd: Fix bounds check in EAP code
+
+Given that we have just checked vallen < len, it can never be the case
+that vallen >= len + sizeof(rhostname). This fixes the check so we
+actually avoid overflowing the rhostname array.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/eap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f5..1b93db0 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
+--
+2.25.0
+
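Review bot: The corrected test `len - vallen >= sizeof (rhostname)` is only sound because of the earlier `vallen < len` rejection that the commit message mentions, and that check sits outside both inner hunks (`@@ -1420` and `@@ -1846`). `len` is declared `int` in the hunk header and `sizeof` yields `size_t`, so the comparison is presumably done unsigned; if the earlier check were ever moved or relaxed, a negative difference would wrap to a large value. I would add a comment at both sites, e.g. `/* vallen < len was verified above, so len - vallen is positive here */`. Both enclosing functions begin and end outside the hunks.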
diff --git a/main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch b/main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
new file mode 100644
index 00000000000..e5442079ef0
--- /dev/null
+++ b/main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
@@ -0,0 +1,64 @@
+From 8d45443bb5c9372b4c6a362ba2f443d41c5636af Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 16:31:42 +1100
+Subject: [PATCH] pppd: Ignore received EAP messages when not doing EAP
+
+This adds some basic checks to the subroutines of eap_input to check
+that we have requested or agreed to doing EAP authentication before
+doing any processing on the received packet. The motivation is to
+make it harder for a malicious peer to disrupt the operation of pppd
+by sending unsolicited EAP packets. Note that eap_success() already
+has a check that the EAP client state is reasonable, and does nothing
+(apart from possibly printing a debug message) if not.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/eap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 1b93db0..082e953 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1328,6 +1328,12 @@ int len;
+ int fd;
+ #endif /* USE_SRP */
+
++ /*
++ * Ignore requests if we're not open
++ */
++ if (esp->es_client.ea_state <= eapClosed)
++ return;
++
+ /*
+ * Note: we update es_client.ea_id *only if* a Response
+ * message is being generated. Otherwise, we leave it the
+@@ -1736,6 +1742,12 @@ int len;
+ u_char dig[SHA_DIGESTSIZE];
+ #endif /* USE_SRP */
+
++ /*
++ * Ignore responses if we're not open
++ */
++ if (esp->es_server.ea_state <= eapClosed)
++ return;
++
+ if (esp->es_server.ea_id != id) {
+ dbglog("EAP: discarding Response %d; expected ID %d", id,
+ esp->es_server.ea_id);
+@@ -2047,6 +2059,12 @@ u_char *inp;
+ int id;
+ int len;
+ {
++ /*
++ * Ignore failure messages if we're not open
++ */
++ if (esp->es_client.ea_state <= eapClosed)
++ return;
++
+ if (!eap_client_active(esp)) {
+ dbglog("EAP unexpected failure message in state %s (%d)",
+ eap_state_name(esp->es_client.ea_state),
+--
+2.24.1
+
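Review bot: The three early returns drop unsolicited EAP packets without any log line, and in the last inner hunk (`@@ -2047`) the new `return` comes before the existing `!eap_client_active(esp)` branch that logs `EAP unexpected failure message in state ...`, so that message may no longer appear for states at or below `eapClosed`. The commit message describes this as hardening against a malicious peer, so a trace of the drop is useful for detection; I would add e.g. `dbglog("EAP: ignoring unsolicited packet in state %d", esp->es_client.ea_state);` before each `return`, using `es_server` in the response path. The `<= eapClosed` comparison also relies on the declaration order of the state enum, which is not visible here and deserves a one-line comment next to the checks. All three function bodies start or end outside the hunks.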
diff --git a/main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch b/main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
new file mode 100644
index 00000000000..112b2598020
--- /dev/null
+++ b/main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
@@ -0,0 +1,33 @@
+From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Sat, 4 Jan 2020 12:01:32 +1100
+Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()
+
+On some systems getpid() can return a value greater than 65535.
+Increase the size of buf[] to allow for this, and use slprintf()
+to make sure we never overflow it.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/plugins/radius/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
+index 6f976a7..740131e 100644
+--- a/pppd/plugins/radius/util.c
++++ b/pppd/plugins/radius/util.c
+@@ -73,9 +73,9 @@ void rc_mdelay(int msecs)
+ char *
+ rc_mksid (void)
+ {
+- static char buf[15];
++ static char buf[32];
+ static unsigned short int cnt = 0;
+- sprintf (buf, "%08lX%04X%02hX",
++ slprintf(buf, sizeof(buf), "%08lX%04X%02hX",
+ (unsigned long int) time (NULL),
+ (unsigned int) getpid (),
+ cnt & 0xFF);
+--
+2.24.1
+
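Review bot: The new size in `static char buf[32];` is a bare number with no stated relation to the format string `"%08lX%04X%02hX"`, whose widths are minimums, so the output length depends on the platform's `unsigned long` and `unsigned int`. I would document the bound next to the declaration, e.g. `static char buf[32]; /* up to 16 + 8 + 2 hex digits plus NUL */`, which assumes a 64-bit `unsigned long` and a 32-bit `unsigned int`. With `slprintf(buf, sizeof(buf), ...)` a too-small buffer would now truncate the session id rather than overflow, which is the safer failure but worth stating. The rest of `rc_mksid()` lies outside the hunk.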
diff --git a/main/putty/APKBUILD b/main/putty/APKBUILD
index b225b29c44e..eff722a14a3 100644
--- a/main/putty/APKBUILD
+++ b/main/putty/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Jeff Bilyk <jbilyk@alpinelinux.org>
pkgname=putty
-pkgver=0.71
-pkgrel=1
+pkgver=0.74
+pkgrel=0
pkgdesc="SSH and telnet client"
url="https://www.chiark.greenend.org.uk/~sgtatham/putty/"
arch="all"
@@ -14,6 +14,11 @@ options="!check" # no test suite
builddir="$srcdir"/putty-$pkgver
# secfixes:
+# 0.74-r0:
+# - CVE-2020-14002
+# 0.73-r0:
+# - CVE-2019-17068
+# - CVE-2019-17069
# 0.71-r0:
# - CVE-2019-9894
# - CVE-2019-9895
@@ -34,5 +39,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="f8791210bd5925b26d51b13f0558eea15dbac40808051165b236d6436226f5c2b0aa7d69288ed9e2bddc1066455678cfd0af73ef6b715a136c42f3b6f754ac07 putty-0.71.tar.gz
+sha512sums="0da86849ea764cd88643bd2c1984ac7211ae72dd7c41232307b1960a29ca9518044b022d87c60272d6db71a3357026862a112bedb90ee732b41494fca3acde9b putty-0.74.tar.gz
b10b2332ca0592db5664311d1bba7549ded79f16f6eef13dab3caca21626d97657f31e8603766e00b1a06f42cf229107eb53929730fe48e97cfc9216093fcc4c fix-ppc64le-disable-werror.patch"
diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD
index aa686a8e73d..479ba87cf7d 100644
--- a/main/py-django/APKBUILD
+++ b/main/py-django/APKBUILD
@@ -2,8 +2,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=py-django
_pkgname=Django
-pkgver=1.11.23
-pkgrel=0
+pkgver=1.11.29
+pkgrel=1
pkgdesc="A high-level Python Web framework"
url="http://djangoproject.com/"
arch="noarch"
@@ -12,10 +12,22 @@ depends="py-tz"
makedepends="python2-dev python3-dev py-setuptools"
options="!check" # some depends missing, others in community/testing
subpackages="py2-${pkgname#py-}:_py2 py3-${pkgname#py-}:_py3"
-source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+ CVE-2020-24583.patch
+ CVE-2020-24584.patch
+ "
builddir="$srcdir"/$_pkgname-$pkgver
# secfixes:
+# 1.11.29-r1:
+# - CVE-2020-24583
+# - CVE-2020-24584
+# 1.11.29-r0:
+# - CVE-2020-9402
+# 1.11.28-r0:
+# - CVE-2020-7471
+# 1.11.27-r0:
+# - CVE-2019-19844
# 1.11.23-r0:
# - CVE-2019-14232
# - CVE-2019-14233
@@ -93,4 +105,6 @@ _py() {
done
}
-sha512sums="c4c5d82e4ecf1a100637ac32eafd3fb0d7690ba5c0cb884846f31c434c0cb1282d94149e031c577d676570f3b331c2a320d58f34f40ac02deae089c4b61c65ea Django-1.11.23.tar.gz"
+sha512sums="dc8d1c5c09f998bf7015967961247e56a9c1dd55701534c6bce6dac2270a5531e1162d9bcbf5ec5f4d411d2d0dc820c82fd9b69628c5ff944bb9f1a22290a562 Django-1.11.29.tar.gz
+e4eda8069558471268f2e8a705877b3f682adac80221ade5ba742476f897eb3a13d82af7367083b707186e4a49de4f7a6beaadc05274d10b9c88cb2f169ff1a9 CVE-2020-24583.patch
+4fde0868b63a739c28e066665e098bb7a667fe81311a839ff7d1dfff13cb67751271be6e88b4f245aa3ebcbd2bb856730418f3006f7820405cd54bf951e98faf CVE-2020-24584.patch"
diff --git a/main/py-django/CVE-2020-24583.patch b/main/py-django/CVE-2020-24583.patch
new file mode 100644
index 00000000000..b21c6b8ead5
--- /dev/null
+++ b/main/py-django/CVE-2020-24583.patch
@@ -0,0 +1,29 @@
+From bbf6bd8a50a02d5015a2b0043abfbf2b4e6acce6 Mon Sep 17 00:00:00 2001
+From: Leo <thinkabit.ukim@gmail.com>
+Date: Fri, 11 Dec 2020 02:07:01 -0300
+Subject: [PATCH 1/2] CVE-2020-24583
+
+---
+ django/core/files/storage.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/django/core/files/storage.py b/django/core/files/storage.py
+index 98c89dd..9643198 100644
+--- a/django/core/files/storage.py
++++ b/django/core/files/storage.py
+@@ -310,9 +310,9 @@ class FileSystemStorage(Storage):
+ if not os.path.exists(directory):
+ try:
+ if self.directory_permissions_mode is not None:
+- # os.makedirs applies the global umask, so we reset it,
+- # for consistency with file_permissions_mode behavior.
+- old_umask = os.umask(0)
++ # Set the umask because os.makedirs() doesn't apply the "mode"
++ # argument to intermediate-level directories.
++ old_umask = os.umask(0o777 & ~self.directory_permissions_mode)
+ try:
+ os.makedirs(directory, self.directory_permissions_mode)
+ finally:
+--
+2.29.2
+
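Review bot: `os.umask()` changes the mask for the whole process, so between `old_umask = os.umask(0o777 & ~self.directory_permissions_mode)` and the restore in `finally:` any other thread that creates a file or directory is subject to this mask as well. The removed `os.umask(0)` had the same window, so this is not a regression, but it deserves a comment such as `# umask is process-wide: other threads see it until the finally block restores it`. The patch header also carries only the CVE id as its subject and no reference to the upstream change it was backported from; recording that in the description would help later audits. The enclosing method starts and ends outside the hunk.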
diff --git a/main/py-django/CVE-2020-24584.patch b/main/py-django/CVE-2020-24584.patch
new file mode 100644
index 00000000000..fa4dc132a5f
--- /dev/null
+++ b/main/py-django/CVE-2020-24584.patch
@@ -0,0 +1,30 @@
+From 13e83e6f60d9ed91316c975425bc4b89c130ec9c Mon Sep 17 00:00:00 2001
+From: Leo <thinkabit.ukim@gmail.com>
+Date: Fri, 11 Dec 2020 02:08:48 -0300
+Subject: [PATCH 2/2] CVE-2020-24584
+
+---
+ django/core/cache/backends/filebased.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/django/core/cache/backends/filebased.py b/django/core/cache/backends/filebased.py
+index 7c2c5c7..88cebef 100644
+--- a/django/core/cache/backends/filebased.py
++++ b/django/core/cache/backends/filebased.py
+@@ -102,8 +102,13 @@ class FileBasedCache(BaseCache):
+
+ def _createdir(self):
+ if not os.path.exists(self._dir):
++ # Set the umask because os.makedirs() doesn't apply the "mode" argument
++ # to intermediate-level directories.
++ old_umask = os.umask(0o077)
+ try:
+ os.makedirs(self._dir, 0o700)
++ finally:
++ os.umask(old_umask)
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ raise EnvironmentError(
+--
+2.29.2
+
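Review bot: As the hunk reads on this page, the added `finally:` sits between the existing `try:` and the existing `except OSError as e:`, and Python does not accept `finally` before `except` in the same `try` statement, so the patched `filebased.py` would fail to compile. The `try:` and `os.makedirs(self._dir, 0o700)` lines are unchanged context, so no inner `try` is introduced; indentation is not preserved in this view, so this should be confirmed against the actual patch file. The py-django APKBUILD in this commit shows `options="!check"`, so the build would likely not catch it. Nesting a `try`/`finally` inside the existing `try`/`except` keeps both the umask restore and the EEXIST handling; the `except` body continues outside the hunk.

```python
            old_umask = os.umask(0o077)
            try:
                try:
                    os.makedirs(self._dir, 0o700)
                finally:
                    os.umask(old_umask)
            except OSError as e:
                # … unchanged: errno.EEXIST check and EnvironmentError raise …
```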
diff --git a/main/python2/APKBUILD b/main/python2/APKBUILD
index 2c9dead826d..cb184e6193d 100644
--- a/main/python2/APKBUILD
+++ b/main/python2/APKBUILD
@@ -2,9 +2,9 @@
pkgname=python2
# the python2-tkinter's pkgver needs to be synchronized with this.
-pkgver=2.7.16
+pkgver=2.7.18
_verbase=${pkgver%.*}
-pkgrel=1
+pkgrel=0
pkgdesc="A high-level scripting language"
url="https://www.python.org"
arch="all"
@@ -19,12 +19,14 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev
source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
musl-find_library.patch
unchecked-ioctl.patch
- CVE-2019-9636.patch
- CVE-2019-9948.patch
"
builddir="$srcdir/Python-$pkgver"
# secfixes:
+# 2.7.18-r0:
+# - CVE-2019-18348
+# 2.7.17-r0:
+# - CVE-2019-15903
# 2.7.16-r1:
# - CVE-2019-9636
# - CVE-2019-9948
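Review bot: `CVE-2019-16935.patch` is added under `main/python2/` in this same commit, but the `source=` list in this hunk and the `sha512sums` hunk name only `musl-find_library.patch` and `unchecked-ioctl.patch`, so the new file is never applied, and `secfixes` has no CVE-2019-16935 entry. If 2.7.18 already contains that fix, the patch file should be dropped and the CVE recorded under the release that fixed it; otherwise add it to `source=` and `sha512sums` with a matching `secfixes` line such as `# - CVE-2019-16935`. Either way the `secfixes` block should make clear which case applies, since it is the record used to match CVEs to package versions.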
@@ -142,8 +144,6 @@ wininst() {
"$subpkgdir"/usr/lib/python$_verbase/distutils/command
}
-sha512sums="16e814e8dcffc707b595ca2919bd2fa3db0d15794c63d977364652c4a5b92e90e72b8c9e1cc83b5020398bd90a1b397dbdd7cb931c49f1aa4af6ef95414b43e0 Python-2.7.16.tar.xz
+sha512sums="a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c Python-2.7.18.tar.xz
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
-5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch
-54086e7b4d3597969b945b1460fe578ff3a13289703d58d79b8f00f644eccc4acc11fc6128b7b114f022a6f6cedc91e02eead6373bac0d36e22eb580a1becb53 CVE-2019-9636.patch
-2f9523bd3e39c4831110821d93aef1562ca80708f1b553428eb5c228cdf2192feb13d7aef41097a5df4b4243da8b8f7247f691c0ab73967b0bf2bf6a1a0d487f CVE-2019-9948.patch"
+5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch"
diff --git a/main/python2/CVE-2019-16935.patch b/main/python2/CVE-2019-16935.patch
new file mode 100644
index 00000000000..632a3e77b37
--- /dev/null
+++ b/main/python2/CVE-2019-16935.patch
@@ -0,0 +1,92 @@
+From 8eb64155ff26823542ccf0225b3d57b6ae36ea89 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na <donghee.na92@gmail.com>
+Date: Tue, 1 Oct 2019 19:58:01 +0900
+Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
+ (GH-16447)
+
+Escape the server title of DocXMLRPCServer.DocXMLRPCServer
+when rendering the document page as HTML.
+---
+ Lib/DocXMLRPCServer.py | 13 +++++++++++-
+ Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++
+ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+
+diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
+index 4064ec2e48d4d..90b037dd35d6b 100644
+--- a/Lib/DocXMLRPCServer.py
++++ b/Lib/DocXMLRPCServer.py
+@@ -20,6 +20,16 @@
+ CGIXMLRPCRequestHandler,
+ resolve_dotted_attribute)
+
++
++def _html_escape_quote(s):
++ s = s.replace("&", "&amp;") # Must be done first!
++ s = s.replace("<", "&lt;")
++ s = s.replace(">", "&gt;")
++ s = s.replace('"', "&quot;")
++ s = s.replace('\'', "&#x27;")
++ return s
++
++
+ class ServerHTMLDoc(pydoc.HTMLDoc):
+ """Class used to generate pydoc HTML document for a server"""
+
+@@ -210,7 +220,8 @@ def generate_html_documentation(self):
+ methods
+ )
+
+- return documenter.page(self.server_title, documentation)
++ title = _html_escape_quote(self.server_title)
++ return documenter.page(title, documentation)
+
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+ """XML-RPC and documentation request handler class.
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
+index 4dff4159e2466..c45b892b8b3e7 100644
+--- a/Lib/test/test_docxmlrpc.py
++++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
++import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -176,6 +177,25 @@ def test_autolink_dotted_methods(self):
+ self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
+ response.read())
+
++ def test_server_title_escape(self):
++ """Test that the server title and documentation
++ are escaped for HTML.
++ """
++ self.serv.set_server_title('test_title<script>')
++ self.serv.set_server_documentation('test_documentation<script>')
++ self.assertEqual('test_title<script>', self.serv.server_title)
++ self.assertEqual('test_documentation<script>',
++ self.serv.server_documentation)
++
++ generated = self.serv.generate_html_documentation()
++ title = re.search(r'<title>(.+?)</title>', generated).group()
++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
++ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
++ title)
++ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
++ documentation)
++
++
+ def test_main():
+ test_support.run_unittest(DocXMLRPCHTTPGETServer)
+
+diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+new file mode 100644
+index 0000000000000..8f02baed9ebe5
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+@@ -0,0 +1,3 @@
++Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
++when rendering the document page as HTML.
++(Contributed by Dong-hee Na in :issue:`38243`.)
diff --git a/main/python3/APKBUILD b/main/python3/APKBUILD
index 461feb5f52a..aae515bf833 100644
--- a/main/python3/APKBUILD
+++ b/main/python3/APKBUILD
@@ -5,7 +5,7 @@ pkgname=python3
# the python2-tkinter's pkgver needs to be synchronized with this.
pkgver=3.6.9
_basever="${pkgver%.*}"
-pkgrel=2
+pkgrel=3
pkgdesc="A high-level scripting language"
url="https://www.python.org"
arch="all"
@@ -20,10 +20,13 @@ source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
musl-find_library.patch
CVE-2019-16056.patch
CVE-2019-16935.patch
+ CVE-2020-14422.patch
"
builddir="$srcdir/Python-$pkgver"
# secfixes:
+# 3.6.9-r3:
+# - CVE-2020-14422
# 3.6.9-r2:
# - CVE-2019-16935
# 3.6.9-r1:
@@ -164,4 +167,5 @@ sha512sums="05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65ee
37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
e8708c4fef1b591dd7251b36a785f9bc6472f2a25fba11bc4116814e93e770230ebd0016285c28d9065c49c5bf2be10f72182e23fb2767e1875ef20c94b5c97c CVE-2019-16056.patch
-7f94d887c81f79d90afd4a9621547c13cbdd0232250f62a686b26a63160a4d286a6db9b342d06b9b63af64f994835b489c37bab499a2093c3c2585dc7a04d8a1 CVE-2019-16935.patch"
+7f94d887c81f79d90afd4a9621547c13cbdd0232250f62a686b26a63160a4d286a6db9b342d06b9b63af64f994835b489c37bab499a2093c3c2585dc7a04d8a1 CVE-2019-16935.patch
+cdf2f0ae115d2a37bae4828c6d13e102a030054e2ee71a1c30b12fd2c0864a25908ef30e73c099fd2b49f5e10cef6f8ed126c06f0c2cf660dfce0fec07f6f74c CVE-2020-14422.patch"
diff --git a/main/python3/CVE-2020-14422.patch b/main/python3/CVE-2020-14422.patch
new file mode 100644
index 00000000000..28fdff66f48
--- /dev/null
+++ b/main/python3/CVE-2020-14422.patch
@@ -0,0 +1,74 @@
+From cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9 Mon Sep 17 00:00:00 2001
+From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
+Date: Wed, 1 Jul 2020 01:00:22 +0530
+Subject: [PATCH] [3.6] bpo-41004: Resolve hash collisions for IPv4Interface
+ and IPv6Interface (GH-21033) (GH-21232)
+
+CVE-2020-14422
+The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation
+(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
+
+Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
+
+Signed-off-by: Tapas Kundu <tkundu@vmware.com>
+---
+ Lib/ipaddress.py | 4 ++--
+ Lib/test/test_ipaddress.py | 11 +++++++++++
+ .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 583f02ad54275..98492136ca5f4 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1418,7 +1418,7 @@ def __lt__(self, other):
+ return False
+
+ def __hash__(self):
+- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+
+ __reduce__ = _IPAddressBase.__reduce__
+
+@@ -2092,7 +2092,7 @@ def __lt__(self, other):
+ return False
+
+ def __hash__(self):
+- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+
+ __reduce__ = _IPAddressBase.__reduce__
+
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 1cef4217bc883..7de444af4aa57 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -1990,6 +1990,17 @@ def testsixtofour(self):
+ sixtofouraddr.sixtofour)
+ self.assertFalse(bad_addr.sixtofour)
+
++ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++ def testV4HashIsNotConstant(self):
++ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
++ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
++ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
++
++ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++ def testV6HashIsNotConstant(self):
++ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
++ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
++ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
+
+ if __name__ == '__main__':
+ unittest.main()
+diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+new file mode 100644
+index 0000000000000..f5a9db52fff52
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+@@ -0,0 +1 @@
++CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
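Review bot: The two added tests in `Lib/test/test_ipaddress.py` only check that two different addresses hash differently; nothing asserts that equal interfaces still hash equal, which set and dict lookups depend on, or that the prefix length takes part in the hash. I would add e.g. `self.assertEqual(hash(ipaddress.IPv4Interface("1.2.3.4/24")), hash(ipaddress.IPv4Interface("1.2.3.4/24")))` and `self.assertNotEqual(hash(ipaddress.IPv4Interface("1.2.3.4/24")), hash(ipaddress.IPv4Interface("1.2.3.4/25")))`, with IPv6 counterparts. Calling `hash(x)` rather than `x.__hash__()` is also the usual spelling in tests.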
diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD
index 026de8a999c..7139b67e280 100644
--- a/main/ruby/APKBUILD
+++ b/main/ruby/APKBUILD
@@ -3,6 +3,9 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.5.8-r0:
+# - CVE-2020-16255
+# - CVE-2020-10933
# 2.5.7-r0:
# - CVE-2019-16255
# - CVE-2019-16254
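Review bot: `CVE-2020-16255` under `2.5.8-r0` differs only in the year from `CVE-2019-16255`, which is listed for `2.5.7-r0` a few lines below, so it looks like a possible copy-paste slip. A wrong id in `secfixes` leaves the real fix unrecorded for anyone matching CVEs against this package. Please check the entry against the upstream 2.5.8 release announcement and correct it if needed.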
@@ -38,7 +41,7 @@
# - CVE-2017-17405
#
pkgname=ruby
-pkgver=2.5.7
+pkgver=2.5.8
_abiver="${pkgver%.*}.0"
pkgrel=0
pkgdesc="An object-oriented language for quick and easy programming"
@@ -351,7 +354,7 @@ _mvgem() {
done
}
-sha512sums="6c4219e1ac316fb00cdd5ff2ac6292448e6ddf49f25eda91426f8e0072288e8849d5c623bf9d532b8e93997b23dddc24718921d92b74983aac8fdb50db4ee809 ruby-2.5.7.tar.gz
+sha512sums="ec8bf18b5ef8bf14a568dfb50cbddcc4bb13241f07b0de969e7b60cc261fb4e08fefeb5236bcf620bc690af112a9ab7f7c89f5b8a03fd3430e58804227b5041f ruby-2.5.8.tar.gz
cfdc5ea3b2e2ea69c51f38e8e2180cb1dc27008ca55cc6301f142ebafdbab31c3379b3b6bba9ff543153876dd98ed2ad194df3255b7ea77a62e931c935f80538 rubygems-avoid-platform-specific-gems.patch
814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
8d730f02f76e53799f1c220eb23e3d2305940bb31216a7ab1e42d3256149c0721c7d173cdbfe505023b1af2f5cb3faa233dcc1b5d560fa8f980c17c2d29a9d81 fix-get_main_stack.patch"
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index dd140dc680d..18a6dfce1dd 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
pkgver=4.8.12
-pkgrel=0
+pkgrel=2
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="https://www.samba.org/"
arch="all"
@@ -78,6 +78,8 @@ source="
netapp.patch
bind-9.12.patch
missing-headers.patch
+ samba-4.9.14-security-2019-10-29.patch
+ samba-4.9.17-security-2020-01-21.patch
$pkgname.initd
$pkgname.confd
$pkgname.logrotate
@@ -86,13 +88,19 @@ pkggroups="winbind"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.8.12-r2:
+# - CVE-2019-14902
+# - CVE-2019-14907
+# 4.8.12-r1:
+# - CVE-2019-10218
+# - CVE-2019-14833
+# - CVE-2019-14847
# 4.8.12-r0:
# - CVE-2018-16860
# 4.8.11-r0:
# - CVE-2018-14629
# - CVE-2019-3880
# 4.8.7-r0:
-# - CVE-2018-14629
# - CVE-2018-16841
# - CVE-2018-16851
# - CVE-2018-16853
@@ -570,6 +578,8 @@ a99e771f28d787dc22e832b97aa48a1c5e13ddc0c030c501a3c12819ff6e62800ef084b62930abe8
202667cb0383414d9289cd67574f5e1140c9a0ff63bb82a746a59b2397a00db15654bfb30cb5ec1cd68a097899be0f849d9aab4c0d210152386c9e66c640f0c0 netapp.patch
27f12c8395be25d9806d232cc30334f2f7c7d175971d2d1944dd886d699e0381a6f222c17e3d7bc087cf7a29bfb3e98cf25ba98f414c4afe0297b9d134a28bd8 bind-9.12.patch
c0afe8b1dfddc5290c9aa611163d20adc3a546f54bba0081f739cda4255829f1a72bae422b6cb049aca82e58d4daf63ad5553f4c5c51671019bfbbc2781460f0 missing-headers.patch
+8386db1209721fabb6acf52e498082ac3e70cd3a4454c54416b02aaa67b2906212383da7ddc06f77ca29cfbb9033407b1e958bcd9c7cdf369fe501f310a0f973 samba-4.9.14-security-2019-10-29.patch
+b00163634fb262777cc8992192150beb5dc2dc45ace823557f1a35fe2448ab3559b7503db96b07c6a9382ddb62a3bd6f4e68e1849f64ec472dbea8abc6b54572 samba-4.9.17-security-2020-01-21.patch
96070e2461370437f48571e7de550c13a332fef869480cfe92e7cac73a998f6c2ee85d2580df58211953bebd0e577691aa710c8edddf3ea0f30e9d47d0a2fd44 samba.initd
e2b49cb394e758447ca97de155a61b4276499983a0a5c00b44ae621c5559b759a766f8d1c8d3ee98ad5560f4064a847a7a20cfa2e14f85c061bec8b80fd649eb samba.confd
3458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate"
diff --git a/main/samba/samba-4.9.14-security-2019-10-29.patch b/main/samba/samba-4.9.14-security-2019-10-29.patch
new file mode 100644
index 00000000000..84de9eeb9aa
--- /dev/null
+++ b/main/samba/samba-4.9.14-security-2019-10-29.patch
@@ -0,0 +1,539 @@
+From fc6022b9b19473076c4236fdf4ac474f44ca73e2 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 5 Aug 2019 13:39:53 -0700
+Subject: [PATCH 1/7] CVE-2019-10218 - s3: libsmb: Protect SMB1 client code
+ from evil server returned names.
+
+Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/clilist.c | 75 ++++++++++++++++++++++++++++++++++++++++
+ source3/libsmb/proto.h | 3 ++
+ 2 files changed, 78 insertions(+)
+
+diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
+index 5cb1fce4338..4f518339e2b 100644
+--- a/source3/libsmb/clilist.c
++++ b/source3/libsmb/clilist.c
+@@ -24,6 +24,66 @@
+ #include "trans2.h"
+ #include "../libcli/smb/smbXcli_base.h"
+
++/****************************************************************************
++ Check if a returned directory name is safe.
++****************************************************************************/
++
++static NTSTATUS is_bad_name(bool windows_names, const char *name)
++{
++ const char *bad_name_p = NULL;
++
++ bad_name_p = strchr(name, '/');
++ if (bad_name_p != NULL) {
++ /*
++ * Windows and POSIX names can't have '/'.
++ * Server is attacking us.
++ */
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++ if (windows_names) {
++ bad_name_p = strchr(name, '\\');
++ if (bad_name_p != NULL) {
++ /*
++ * Windows names can't have '\\'.
++ * Server is attacking us.
++ */
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++ }
++ return NT_STATUS_OK;
++}
++
++/****************************************************************************
++ Check if a returned directory name is safe. Disconnect if server is
++ sending bad names.
++****************************************************************************/
++
++NTSTATUS is_bad_finfo_name(const struct cli_state *cli,
++ const struct file_info *finfo)
++{
++ NTSTATUS status = NT_STATUS_OK;
++ bool windows_names = true;
++
++ if (cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) {
++ windows_names = false;
++ }
++ if (finfo->name != NULL) {
++ status = is_bad_name(windows_names, finfo->name);
++ if (!NT_STATUS_IS_OK(status)) {
++ DBG_ERR("bad finfo->name\n");
++ return status;
++ }
++ }
++ if (finfo->short_name != NULL) {
++ status = is_bad_name(windows_names, finfo->short_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ DBG_ERR("bad finfo->short_name\n");
++ return status;
++ }
++ }
++ return NT_STATUS_OK;
++}
++
+ /****************************************************************************
+ Calculate a safe next_entry_offset.
+ ****************************************************************************/
+@@ -492,6 +552,13 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ TALLOC_FREE(finfo);
+ return NT_STATUS_NO_MEMORY;
+ }
++
++ status = is_bad_finfo_name(state->cli, finfo);
++ if (!NT_STATUS_IS_OK(status)) {
++ smbXcli_conn_disconnect(state->cli->conn, status);
++ TALLOC_FREE(finfo);
++ return status;
++ }
+ }
+ *pfinfo = finfo;
+ return NT_STATUS_OK;
+@@ -727,6 +794,14 @@ static void cli_list_trans_done(struct tevent_req *subreq)
+ ff_eos = true;
+ break;
+ }
++
++ status = is_bad_finfo_name(state->cli, finfo);
++ if (!NT_STATUS_IS_OK(status)) {
++ smbXcli_conn_disconnect(state->cli->conn, status);
++ tevent_req_nterror(req, status);
++ return;
++ }
++
+ if (!state->first && (state->mask[0] != '\0') &&
+ strcsequal(finfo->name, state->mask)) {
+ DEBUG(1, ("Error: Looping in FIND_NEXT as name %s has "
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index 2bd61b1d2c2..e708e911b97 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -722,6 +722,9 @@ NTSTATUS cli_posix_whoami(struct cli_state *cli,
+
+ /* The following definitions come from libsmb/clilist.c */
+
++NTSTATUS is_bad_finfo_name(const struct cli_state *cli,
++ const struct file_info *finfo);
++
+ NTSTATUS cli_list_old(struct cli_state *cli,const char *Mask,uint16_t attribute,
+ NTSTATUS (*fn)(const char *, struct file_info *,
+ const char *, void *), void *state);
+--
+2.17.1
+
+
+From 167f78aa97af6502cb2027dc9dad40399b0a9c4f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 6 Aug 2019 12:08:09 -0700
+Subject: [PATCH 2/7] CVE-2019-10218 - s3: libsmb: Protect SMB2 client code
+ from evil server returned names.
+
+Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/cli_smb2_fnum.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index 1cfa50ffbac..3cdf68dc24b 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -1017,6 +1017,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli,
+ goto fail;
+ }
+
++ /* Protect against server attack. */
++ status = is_bad_finfo_name(cli, finfo);
++ if (!NT_STATUS_IS_OK(status)) {
++ smbXcli_conn_disconnect(cli->conn, status);
++ goto fail;
++ }
++
+ if (dir_check_ftype((uint32_t)finfo->mode,
+ (uint32_t)attribute)) {
+ /*
+--
+2.17.1
+
+
+From e6de467a763b93152eef27726957a32879268fb7 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Thu, 19 Sep 2019 11:50:01 +1200
+Subject: [PATCH 3/7] CVE-2019-14833: Use utf8 characters in the unacceptable
+ password
+
+This shows that the "check password script" handling has a bug.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/unacceptable-passwords | 1 +
+ selftest/target/Samba4.pm | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 selftest/knownfail.d/unacceptable-passwords
+
+diff --git a/selftest/knownfail.d/unacceptable-passwords b/selftest/knownfail.d/unacceptable-passwords
+new file mode 100644
+index 00000000000..75fa2fc32b8
+--- /dev/null
++++ b/selftest/knownfail.d/unacceptable-passwords
+@@ -0,0 +1 @@
++^samba.tests.samba_tool.user_check_password_script.samba.tests.samba_tool.user_check_password_script.UserCheckPwdTestCase.test_checkpassword_unacceptable\(chgdcpass:local\)
+\ No newline at end of file
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index b565d466477..d7c22ce4e23 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -1986,7 +1986,7 @@ sub provision_chgdcpass($$)
+ my $extra_provision_options = undef;
+ # This environment disallows the use of this password
+ # (and also removes the default AD complexity checks)
+- my $unacceptable_password = "widk3Dsle32jxdBdskldsk55klASKQ";
++ my $unacceptable_password = "Paßßword-widk3Dsle32jxdBdskldsk55klASKQ";
+ push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
+ my $ret = $self->provision($prefix,
+ "domain controller",
+--
+2.17.1
+
+
+From 70078d4ddf3b842eeadee058dadeef82ec4edf0b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
+Date: Tue, 6 Aug 2019 16:32:32 +0200
+Subject: [PATCH 4/7] CVE-2019-14833 dsdb: send full password to check password
+ script
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+utf8_len represents the number of characters (not bytes) of the
+password. If the password includes multi-byte characters it is required
+to write the total number of bytes to the check password script.
+Otherwise the last bytes of the password string would be ignored.
+
+Therefore we rename utf8_len to be clear what it does and does
+not represent.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438
+
+Signed-off-by: Björn Baumbach <bb@sernet.de>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/unacceptable-passwords | 1 -
+ source4/dsdb/common/util.c | 33 +++++++++++++++++----
+ 2 files changed, 27 insertions(+), 7 deletions(-)
+ delete mode 100644 selftest/knownfail.d/unacceptable-passwords
+
+diff --git a/selftest/knownfail.d/unacceptable-passwords b/selftest/knownfail.d/unacceptable-passwords
+deleted file mode 100644
+index 75fa2fc32b8..00000000000
+--- a/selftest/knownfail.d/unacceptable-passwords
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba.tests.samba_tool.user_check_password_script.samba.tests.samba_tool.user_check_password_script.UserCheckPwdTestCase.test_checkpassword_unacceptable\(chgdcpass:local\)
+\ No newline at end of file
+diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
+index 18f700370a3..c7893bff43b 100644
+--- a/source4/dsdb/common/util.c
++++ b/source4/dsdb/common/util.c
+@@ -2088,21 +2088,36 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
+ const uint32_t pwdProperties,
+ const uint32_t minPwdLength)
+ {
+- const char *utf8_pw = (const char *)utf8_blob->data;
+- size_t utf8_len = strlen_m(utf8_pw);
+ char *password_script = NULL;
++ const char *utf8_pw = (const char *)utf8_blob->data;
++
++ /*
++ * This looks strange because it is.
++ *
++ * The check for the number of characters in the password
++ * should clearly not be against the byte length, or else a
++ * single UTF8 character would count for more than one.
++ *
++ * We have chosen to use the number of 16-bit units that the
++ * password encodes to as the measure of length. This is not
++ * the same as the number of codepoints, if a password
++ * contains a character beyond the Basic Multilingual Plane
++ * (above 65535) it will count for more than one "character".
++ */
++
++ size_t password_characters_roughly = strlen_m(utf8_pw);
+
+ /* checks if the "minPwdLength" property is satisfied */
+- if (minPwdLength > utf8_len) {
++ if (minPwdLength > password_characters_roughly) {
+ return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+ }
+
+- /* checks the password complexity */
++ /* We might not be asked to check the password complexity */
+ if (!(pwdProperties & DOMAIN_PASSWORD_COMPLEX)) {
+ return SAMR_VALIDATION_STATUS_SUCCESS;
+ }
+
+- if (utf8_len == 0) {
++ if (password_characters_roughly == 0) {
+ return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+ }
+
+@@ -2110,6 +2125,7 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
+ if (password_script != NULL && *password_script != '\0') {
+ int check_ret = 0;
+ int error = 0;
++ ssize_t nwritten = 0;
+ struct tevent_context *event_ctx = NULL;
+ struct tevent_req *req = NULL;
+ struct samba_runcmd_state *run_cmd = NULL;
+@@ -2134,7 +2150,12 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
+ tevent_timeval_current_ofs(10, 0),
+ 100, 100, cmd, NULL);
+ run_cmd = tevent_req_data(req, struct samba_runcmd_state);
+- if (write(run_cmd->fd_stdin, utf8_pw, utf8_len) != utf8_len) {
++ nwritten = write(run_cmd->fd_stdin,
++ utf8_blob->data,
++ utf8_blob->length);
++ if (nwritten != utf8_blob->length) {
++ close(run_cmd->fd_stdin);
++ run_cmd->fd_stdin = -1;
+ TALLOC_FREE(password_script);
+ TALLOC_FREE(event_ctx);
+ return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
+--
+2.17.1
+
+
+From ea39bdd6293041af668f1bfdfea39a725733bad3 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Fri, 3 May 2019 17:27:51 +1200
+Subject: [PATCH 5/7] CVE-2019-14847 dsdb/modules/dirsync: ensure attrs exist
+ (CID 1107212)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
+(cherry picked from commit 23f72c4d712f8d1fec3d67a66d477709d5b0abe2)
+---
+ source4/dsdb/samdb/ldb_modules/dirsync.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
+index b5510eccd24..62a66fef8d4 100644
+--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
++++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
+@@ -343,6 +343,10 @@ skip:
+
+ attr = dsdb_attribute_by_lDAPDisplayName(dsc->schema,
+ el->name);
++ if (attr == NULL) {
++ continue;
++ }
++
+ keep = false;
+
+ if (attr->linkID & 1) {
+--
+2.17.1
+
+
+From bdb3e3f669bd991da819040e726e003e4e2b841d Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 15 Oct 2019 16:28:46 +1300
+Subject: [PATCH 6/7] CVE-2019-14847 dsdb: Demonstrate the correct interaction
+ of ranged_results style attributes and dirsync
+
+Incremental results are provided by a flag on the dirsync control, not
+by changing the attribute name.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/dirsync | 1 +
+ source4/dsdb/tests/python/dirsync.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+ create mode 100644 selftest/knownfail.d/dirsync
+
+diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
+new file mode 100644
+index 00000000000..bc49fe0d9bb
+--- /dev/null
++++ b/selftest/knownfail.d/dirsync
+@@ -0,0 +1 @@
++^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\(
+\ No newline at end of file
+diff --git a/source4/dsdb/tests/python/dirsync.py b/source4/dsdb/tests/python/dirsync.py
+index 136f4d3bba6..b6f7022a50b 100755
+--- a/source4/dsdb/tests/python/dirsync.py
++++ b/source4/dsdb/tests/python/dirsync.py
+@@ -28,6 +28,7 @@ from samba.tests.subunitrun import TestProgram, SubunitOptions
+ import samba.getopt as options
+ import base64
+
++import ldb
+ from ldb import LdbError, SCOPE_BASE
+ from ldb import Message, MessageElement, Dn
+ from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE
+@@ -590,6 +591,31 @@ class SimpleDirsyncTests(DirsyncBaseTests):
+
+ class ExtendedDirsyncTests(SimpleDirsyncTests):
+
++ def test_dirsync_linkedattributes_range(self):
++ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
++ res = self.ldb_admin.search(self.base_dn,
++ attrs=["member;range=1-1"],
++ expression="(name=Administrators)",
++ controls=["dirsync:1:0:0"])
++
++ self.assertTrue(len(res) > 0)
++ self.assertTrue(res[0].get("member;range=1-1") is None)
++ self.assertTrue(res[0].get("member") is not None)
++ self.assertTrue(len(res[0].get("member")) > 0)
++
++ def test_dirsync_linkedattributes_range_user(self):
++ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
++ try:
++ res = self.ldb_simple.search(self.base_dn,
++ attrs=["member;range=1-1"],
++ expression="(name=Administrators)",
++ controls=["dirsync:1:0:0"])
++ except LdbError as e:
++ (num, _) = e.args
++ self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS)
++ else:
++ self.fail()
++
+ def test_dirsync_linkedattributes(self):
+ flag_incr_linked = 2147483648
+ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
+--
+2.17.1
+
+
+From 77b10b360f4ffb7ac90bc5fce0a80306515c1aca Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 15 Oct 2019 15:44:34 +1300
+Subject: [PATCH 7/7] CVE-2019-14847 dsdb: Correct behaviour of ranged_results
+ when combined with dirsync
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/dirsync | 1 -
+ source4/dsdb/samdb/ldb_modules/dirsync.c | 11 ++++----
+ .../dsdb/samdb/ldb_modules/ranged_results.c | 25 ++++++++++++++++---
+ 3 files changed, 28 insertions(+), 9 deletions(-)
+ delete mode 100644 selftest/knownfail.d/dirsync
+
+diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
+deleted file mode 100644
+index bc49fe0d9bb..00000000000
+--- a/selftest/knownfail.d/dirsync
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\(
+\ No newline at end of file
+diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
+index 62a66fef8d4..4ac5faad403 100644
+--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
++++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
+@@ -998,7 +998,7 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
+ }
+
+ /*
+- * check if there's an extended dn control
++ * check if there's a dirsync control
+ */
+ control = ldb_request_get_control(req, LDB_CONTROL_DIRSYNC_OID);
+ if (control == NULL) {
+@@ -1327,11 +1327,12 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
+
+ }
+ /*
+- * Remove our control from the list of controls
++ * Mark dirsync control as uncritical (done)
++ *
++ * We need this so ranged_results knows how to behave with
++ * dirsync
+ */
+- if (!ldb_save_controls(control, req, NULL)) {
+- return ldb_operr(ldb);
+- }
++ control->critical = false;
+ dsc->schema = dsdb_get_schema(ldb, dsc);
+ /*
+ * At the begining we make the hypothesis that we will return a complete
+diff --git a/source4/dsdb/samdb/ldb_modules/ranged_results.c b/source4/dsdb/samdb/ldb_modules/ranged_results.c
+index 13bf3a2d0a9..98438799997 100644
+--- a/source4/dsdb/samdb/ldb_modules/ranged_results.c
++++ b/source4/dsdb/samdb/ldb_modules/ranged_results.c
+@@ -35,14 +35,14 @@
+ struct rr_context {
+ struct ldb_module *module;
+ struct ldb_request *req;
++ bool dirsync_in_use;
+ };
+
+ static struct rr_context *rr_init_context(struct ldb_module *module,
+ struct ldb_request *req)
+ {
+- struct rr_context *ac;
+-
+- ac = talloc_zero(req, struct rr_context);
++ struct ldb_control *dirsync_control = NULL;
++ struct rr_context *ac = talloc_zero(req, struct rr_context);
+ if (ac == NULL) {
+ ldb_set_errstring(ldb_module_get_ctx(module), "Out of Memory");
+ return NULL;
+@@ -51,6 +51,16 @@ static struct rr_context *rr_init_context(struct ldb_module *module,
+ ac->module = module;
+ ac->req = req;
+
++ /*
++ * check if there's a dirsync control (as there is an
++ * interaction between these modules)
++ */
++ dirsync_control = ldb_request_get_control(req,
++ LDB_CONTROL_DIRSYNC_OID);
++ if (dirsync_control != NULL) {
++ ac->dirsync_in_use = true;
++ }
++
+ return ac;
+ }
+
+@@ -82,6 +92,15 @@ static int rr_search_callback(struct ldb_request *req, struct ldb_reply *ares)
+ ares->response, ares->error);
+ }
+
++ if (ac->dirsync_in_use) {
++ /*
++ * We return full attribute values when mixed with
++ * dirsync
++ */
++ return ldb_module_send_entry(ac->req,
++ ares->message,
++ ares->controls);
++ }
+ /* LDB_REPLY_ENTRY */
+
+ temp_ctx = talloc_new(ac->req);
+--
+2.17.1
+
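Review bot: is_bad_name() in the clilist.c part of PATCH 1/7 rejects only names that contain `/` (plus `\` for Windows-style names), so a server-returned entry named `.` or `..` still passes is_bad_finfo_name() and reaches the code after the new checks in cli_list_old_recv(), cli_list_trans_done() and cli_smb2_list(). Those are legitimate directory entries, so rejecting them here would probably be wrong, but the header comment "Check if a returned directory name is safe" reads as a complete guarantee. I would narrow it to what is actually checked, e.g. `Check that a returned name contains no path separator. "." and ".." are not rejected; callers that build local paths must still handle them.` The two DBG_ERR messages also do not say which connection was dropped, which makes the disconnect harder to triage from logs; whether the remote name is cheaply available at that point is not visible from this patch.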
diff --git a/main/samba/samba-4.9.17-security-2020-01-21.patch b/main/samba/samba-4.9.17-security-2020-01-21.patch
new file mode 100644
index 00000000000..4847a8660ba
--- /dev/null
+++ b/main/samba/samba-4.9.17-security-2020-01-21.patch
@@ -0,0 +1,1662 @@
+From 77d55b64af6acd38a08096b89ee051bc4ce72f43 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Thu, 28 Nov 2019 17:16:16 +1300
+Subject: [PATCH 01/13] CVE-2019-14902 selftest: Add test for replication of
+ inherited security descriptors
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/repl_secdesc | 2 +
+ source4/selftest/tests.py | 5 +
+ source4/torture/drs/python/repl_secdesc.py | 258 +++++++++++++++++++++
+ 3 files changed, 265 insertions(+)
+ create mode 100644 selftest/knownfail.d/repl_secdesc
+ create mode 100644 source4/torture/drs/python/repl_secdesc.py
+
+diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
+new file mode 100644
+index 00000000000..2aa24c61375
+--- /dev/null
++++ b/selftest/knownfail.d/repl_secdesc
+@@ -0,0 +1,2 @@
++^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
++^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index 2ec0bee923b..7244535791d 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -1004,6 +1004,11 @@ for env in ['vampire_dc', 'promoted_dc']:
+ extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
+ environ={'DC1': "$DC_SERVER", 'DC2': '$%s_SERVER' % env.upper()},
+ extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
++ planoldpythontestsuite(env, "repl_secdesc",
++ name="samba4.drs.repl_secdesc.python(%s)" % env,
++ extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
++ environ={'DC1': "$DC_SERVER", 'DC2': '$SERVER'},
++ extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
+ planoldpythontestsuite(env, "repl_move",
+ extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
+ name="samba4.drs.repl_move.python(%s)" % env,
+diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py
+new file mode 100644
+index 00000000000..4ed449a8a18
+--- /dev/null
++++ b/source4/torture/drs/python/repl_secdesc.py
+@@ -0,0 +1,258 @@
++#!/usr/bin/env python3
++# -*- coding: utf-8 -*-
++#
++# Unix SMB/CIFS implementation.
++# Copyright (C) Catalyst.Net Ltd. 2017
++# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2019
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++#
++import drs_base
++import ldb
++import samba
++from samba import sd_utils
++from ldb import LdbError
++
++class ReplAclTestCase(drs_base.DrsBaseTestCase):
++
++ def setUp(self):
++ super(ReplAclTestCase, self).setUp()
++ self.sd_utils_dc1 = sd_utils.SDUtils(self.ldb_dc1)
++ self.sd_utils_dc2 = sd_utils.SDUtils(self.ldb_dc2)
++
++ self.ou = samba.tests.create_test_ou(self.ldb_dc1,
++ "test_acl_inherit")
++
++ # disable replication for the tests so we can control at what point
++ # the DCs try to replicate
++ self._disable_all_repl(self.dnsname_dc1)
++ self._disable_all_repl(self.dnsname_dc2)
++
++ # make sure DCs are synchronized before the test
++ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, forced=True)
++ self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2, forced=True)
++
++ def tearDown(self):
++ self.ldb_dc1.delete(self.ou, ["tree_delete:1"])
++
++ # re-enable replication
++ self._enable_all_repl(self.dnsname_dc1)
++ self._enable_all_repl(self.dnsname_dc2)
++
++ super(ReplAclTestCase, self).tearDown()
++
++ def test_acl_inheirt_new_object_1_pass(self):
++ # Set the inherited ACL on the parent OU
++ mod = "(A;CIOI;GA;;;SY)"
++ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++
++ # Make a new object
++ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
++ self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"})
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm inherited ACLs are identical
++
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
++ self.sd_utils_dc2.get_sd_as_sddl(dn))
++
++ def test_acl_inheirt_new_object(self):
++ # Set the inherited ACL on the parent OU
++ mod = "(A;CIOI;GA;;;SY)"
++ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++
++ # Replicate to DC2
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Make a new object
++ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
++ self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"})
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm inherited ACLs are identical
++
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
++ self.sd_utils_dc2.get_sd_as_sddl(dn))
++
++ def test_acl_inherit_existing_object(self):
++ # Make a new object
++ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
++ self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"})
++
++ try:
++ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
++ base=dn,
++ attrs=[])
++ self.fail()
++ except LdbError as err:
++ enum = err.args[0]
++ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm it is now replicated
++ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
++ base=dn,
++ attrs=[])
++
++ # Set the inherited ACL on the parent OU
++ mod = "(A;CIOI;GA;;;SY)"
++ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++
++ # Replicate to DC2
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm inherited ACLs are identical
++
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
++ self.sd_utils_dc2.get_sd_as_sddl(dn))
++
++ def test_acl_inheirt_existing_object_1_pass(self):
++ # Make a new object
++ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
++ self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"})
++
++ try:
++ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
++ base=dn,
++ attrs=[])
++ self.fail()
++ except LdbError as err:
++ enum = err.args[0]
++ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
++
++ # Set the inherited ACL on the parent OU
++ mod = "(A;CIOI;GA;;;SY)"
++ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++
++ # Replicate to DC2
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm inherited ACLs are identical
++
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
++ self.sd_utils_dc2.get_sd_as_sddl(dn))
++
++ def test_acl_inheirt_renamed_object(self):
++ # Make a new object
++ new_ou = samba.tests.create_test_ou(self.ldb_dc1,
++ "acl_test_l2")
++
++ sub_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
++
++ try:
++ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
++ base=new_ou,
++ attrs=[])
++ self.fail()
++ except LdbError as err:
++ enum = err.args[0]
++ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm it is now replicated
++ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
++ base=new_ou,
++ attrs=[])
++
++ # Set the inherited ACL on the parent OU on DC1
++ mod = "(A;CIOI;GA;;;SY)"
++ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++
++ # Replicate to DC2
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Rename to under self.ou
++
++ self.ldb_dc1.rename(new_ou, sub_ou_dn)
++
++ # Replicate to DC2
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm inherited ACLs are identical
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn),
++ self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn))
++
++
++ def test_acl_inheirt_renamed_object_in_conflict(self):
++ # Make a new object to be renamed under self.ou
++ new_ou = samba.tests.create_test_ou(self.ldb_dc1,
++ "acl_test_l2")
++
++ # Make a new OU under self.ou (on DC2)
++ sub_ou_dn = ldb.Dn(self.ldb_dc2, "OU=l2,%s" % self.ou)
++ self.ldb_dc2.add({"dn": sub_ou_dn,
++ "objectclass": "organizationalUnit"})
++
++ # Set the inherited ACL on the parent OU
++ mod = "(A;CIOI;GA;;;SY)"
++ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++
++ # Replicate to DC2
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Rename to under self.ou
++ self.ldb_dc1.rename(new_ou, sub_ou_dn)
++
++ # Replicate to DC2 (will cause a conflict, DC1 to win, version
++ # is higher since named twice)
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ children = self.ldb_dc2.search(scope=ldb.SCOPE_ONELEVEL,
++ base=self.ou,
++ attrs=[])
++ for child in children:
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn),
++ self.sd_utils_dc2.get_sd_as_sddl(child.dn))
++
++ # Replicate back
++ self._net_drs_replicate(DC=self.dnsname_dc1,
++ fromDC=self.dnsname_dc2,
++ forced=True)
++
++ for child in children:
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(child.dn),
++ self.sd_utils_dc2.get_sd_as_sddl(child.dn))
+--
+2.17.1
+
+
+From c5a005a45389c8d8fc0eae7137eab1904ea92d42 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 10 Dec 2019 15:16:24 +1300
+Subject: [PATCH 02/13] CVE-2019-14902 selftest: Add test for a special case
+ around replicated renames
+
+It appears Samba is currently string-name based in the ACL inheritence code.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/repl_secdesc | 1 +
+ source4/torture/drs/python/repl_secdesc.py | 69 ++++++++++++++++++++++
+ 2 files changed, 70 insertions(+)
+
+diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
+index 2aa24c61375..7d554ff237a 100644
+--- a/selftest/knownfail.d/repl_secdesc
++++ b/selftest/knownfail.d/repl_secdesc
+@@ -1,2 +1,3 @@
+ ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
+ ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object
++^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
+diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py
+index 4ed449a8a18..58861af3bac 100644
+--- a/source4/torture/drs/python/repl_secdesc.py
++++ b/source4/torture/drs/python/repl_secdesc.py
+@@ -211,6 +211,75 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn))
+
+
++ def test_acl_inheirt_renamed_child_object(self):
++ # Make a new OU
++ new_ou = samba.tests.create_test_ou(self.ldb_dc1,
++ "acl_test_l2")
++
++ # Here is where the new OU will end up at the end.
++ sub2_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
++
++ sub3_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l3,%s" % new_ou)
++ sub3_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l3,%s" % sub2_ou_dn_final)
++
++ self.ldb_dc1.add({"dn": sub3_ou_dn,
++ "objectclass": "organizationalUnit"})
++
++ sub4_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l4,%s" % sub3_ou_dn)
++ sub4_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l4,%s" % sub3_ou_dn_final)
++
++ self.ldb_dc1.add({"dn": sub4_ou_dn,
++ "objectclass": "organizationalUnit"})
++
++ try:
++ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
++ base=new_ou,
++ attrs=[])
++ self.fail()
++ except LdbError as err:
++ enum = err.args[0]
++ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm it is now replicated
++ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
++ base=new_ou,
++ attrs=[])
++
++ #
++ # Given a tree new_ou -> l3 -> l4
++ #
++
++ # Set the inherited ACL on the grandchild OU (l3) on DC1
++ mod = "(A;CIOI;GA;;;SY)"
++ self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, mod)
++
++ # Rename new_ou (l2) to under self.ou (this must happen second). If the
++ # inheritence between l3 and l4 is name-based, this could
++ # break.
++
++ # The tree is now self.ou -> l2 -> l3 -> l4
++
++ self.ldb_dc1.rename(new_ou, sub2_ou_dn_final)
++
++ # Replicate to DC2
++
++ self._net_drs_replicate(DC=self.dnsname_dc2,
++ fromDC=self.dnsname_dc1,
++ forced=True)
++
++ # Confirm set ACLs (on l3 ) are identical.
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final),
++ self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final))
++
++ # Confirm inherited ACLs (from l3 to l4) are identical.
++ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final),
++ self.sd_utils_dc2.get_sd_as_sddl(sub4_ou_dn_final))
++
++
+ def test_acl_inheirt_renamed_object_in_conflict(self):
+ # Make a new object to be renamed under self.ou
+ new_ou = samba.tests.create_test_ou(self.ldb_dc1,
+--
+2.17.1
+
+
+From 4afff32debe5ea4bf1219f42c3042eb65c3e1d6b Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 16 Dec 2019 11:29:27 +1300
+Subject: [PATCH 03/13] selftest: Add test to confirm ACL inheritence really
+ happens
+
+While we have a seperate test (sec_descriptor.py) that confirms inheritance in
+general we want to lock in these specific patterns as this test covers
+rename.
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/torture/drs/python/repl_secdesc.py | 115 +++++++++++++++++----
+ 1 file changed, 94 insertions(+), 21 deletions(-)
+
+diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py
+index 58861af3bac..58212907e23 100644
+--- a/source4/torture/drs/python/repl_secdesc.py
++++ b/source4/torture/drs/python/repl_secdesc.py
+@@ -28,6 +28,10 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+
+ def setUp(self):
+ super(ReplAclTestCase, self).setUp()
++ self.mod = "(A;CIOI;GA;;;SY)"
++ self.mod_becomes = "(A;OICIIO;GA;;;SY)"
++ self.mod_inherits_as = "(A;OICIIOID;GA;;;SY)"
++
+ self.sd_utils_dc1 = sd_utils.SDUtils(self.ldb_dc1)
+ self.sd_utils_dc2 = sd_utils.SDUtils(self.ldb_dc2)
+
+@@ -54,8 +58,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+
+ def test_acl_inheirt_new_object_1_pass(self):
+ # Set the inherited ACL on the parent OU
+- mod = "(A;CIOI;GA;;;SY)"
+- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
++
++ # Assert ACL set stuck as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
+
+ # Make a new object
+ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
+@@ -65,15 +72,24 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
+- # Confirm inherited ACLs are identical
++ # Assert ACL replicated as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
+
++ # Confirm inherited ACLs are identical and were inherited
++
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(dn))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
+ self.sd_utils_dc2.get_sd_as_sddl(dn))
+
+ def test_acl_inheirt_new_object(self):
+ # Set the inherited ACL on the parent OU
+- mod = "(A;CIOI;GA;;;SY)"
+- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
++
++ # Assert ACL set stuck as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
+
+ # Replicate to DC2
+
+@@ -89,8 +105,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
+- # Confirm inherited ACLs are identical
++ # Assert ACL replicated as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
+
++ # Confirm inherited ACLs are identical and were inheritied
++
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(dn))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
+ self.sd_utils_dc2.get_sd_as_sddl(dn))
+
+@@ -118,8 +140,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ attrs=[])
+
+ # Set the inherited ACL on the parent OU
+- mod = "(A;CIOI;GA;;;SY)"
+- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
++
++ # Assert ACL set stuck as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
+
+ # Replicate to DC2
+
+@@ -127,8 +152,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
+- # Confirm inherited ACLs are identical
++ # Confirm inherited ACLs are identical and were inherited
+
++ # Assert ACL replicated as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
++
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(dn))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
+ self.sd_utils_dc2.get_sd_as_sddl(dn))
+
+@@ -147,8 +178,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
+
+ # Set the inherited ACL on the parent OU
+- mod = "(A;CIOI;GA;;;SY)"
+- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
++
++ # Assert ACL set as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
+
+ # Replicate to DC2
+
+@@ -156,8 +190,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
+- # Confirm inherited ACLs are identical
++ # Assert ACL replicated as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
+
++ # Confirm inherited ACLs are identical and were inherited
++
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(dn))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
+ self.sd_utils_dc2.get_sd_as_sddl(dn))
+
+@@ -187,8 +227,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ attrs=[])
+
+ # Set the inherited ACL on the parent OU on DC1
+- mod = "(A;CIOI;GA;;;SY)"
+- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
++
++ # Assert ACL set as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
+
+ # Replicate to DC2
+
+@@ -196,6 +239,10 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
++ # Assert ACL replicated as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
++
+ # Rename to under self.ou
+
+ self.ldb_dc1.rename(new_ou, sub_ou_dn)
+@@ -206,7 +253,9 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
+- # Confirm inherited ACLs are identical
++ # Confirm inherited ACLs are identical and were inherited
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn),
+ self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn))
+
+@@ -254,8 +303,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ #
+
+ # Set the inherited ACL on the grandchild OU (l3) on DC1
+- mod = "(A;CIOI;GA;;;SY)"
+- self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, mod)
++ self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, self.mod)
++
++ # Assert ACL set stuck as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn))
+
+ # Rename new_ou (l2) to under self.ou (this must happen second). If the
+ # inheritence between l3 and l4 is name-based, this could
+@@ -265,17 +317,26 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+
+ self.ldb_dc1.rename(new_ou, sub2_ou_dn_final)
+
++ # Assert ACL set remained as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final))
++
+ # Replicate to DC2
+
+ self._net_drs_replicate(DC=self.dnsname_dc2,
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
+- # Confirm set ACLs (on l3 ) are identical.
++ # Confirm set ACLs (on l3 ) are identical and were inherited
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final),
+ self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final))
+
+- # Confirm inherited ACLs (from l3 to l4) are identical.
++ # Confirm inherited ACLs (from l3 to l4) are identical
++ # and where inherited
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final),
+ self.sd_utils_dc2.get_sd_as_sddl(sub4_ou_dn_final))
+
+@@ -291,8 +352,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ "objectclass": "organizationalUnit"})
+
+ # Set the inherited ACL on the parent OU
+- mod = "(A;CIOI;GA;;;SY)"
+- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
++ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
++
++ # Assert ACL set stuck as expected
++ self.assertIn(self.mod_becomes,
++ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
+
+ # Replicate to DC2
+
+@@ -302,6 +366,8 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+
+ # Rename to under self.ou
+ self.ldb_dc1.rename(new_ou, sub_ou_dn)
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn))
+
+ # Replicate to DC2 (will cause a conflict, DC1 to win, version
+ # is higher since named twice)
+@@ -314,6 +380,8 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ base=self.ou,
+ attrs=[])
+ for child in children:
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc2.get_sd_as_sddl(child.dn))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn),
+ self.sd_utils_dc2.get_sd_as_sddl(child.dn))
+
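Review bot: Both `for child in children:` loops (here and in the next hunk) run no assertion at all if the search on DC2 returns no entries, so the new `assertIn` checks for the inherited ACE could pass vacuously. Asserting a non-empty result before the loop, e.g. `self.assertGreater(len(children), 0)`, would make the conflict test fail loudly in that case. The search that fills `children` starts outside the hunk, so its scope and filter are not visible here.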
+@@ -322,6 +390,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
+ fromDC=self.dnsname_dc2,
+ forced=True)
+
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn))
++
+ for child in children:
++ self.assertIn(self.mod_inherits_as,
++ self.sd_utils_dc1.get_sd_as_sddl(child.dn))
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(child.dn),
+ self.sd_utils_dc2.get_sd_as_sddl(child.dn))
+--
+2.17.1
+
+
+From 17215b36b22d309a58a3b7bd08123f06e89657c9 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 26 Nov 2019 15:44:32 +1300
+Subject: [PATCH 04/13] CVE-2019-14902 dsdb: Explain that
+ descriptor_sd_propagation_recursive() is proctected by a transaction
+
+This means we can trust the DB did not change between the two search
+requests.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/descriptor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
+index 9018b750ab5..fb2854438e1 100644
+--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
++++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
+@@ -1199,6 +1199,9 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
+ * LDB_SCOPE_SUBTREE searches are expensive.
+ *
+ * Note: that we do not search for deleted/recycled objects
++ *
++ * We know this is safe against a rename race as we are in the
++ * prepare_commit(), so must be in a transaction.
+ */
+ ret = dsdb_module_search(module,
+ change,
+--
+2.17.1
+
+
+From 589d1e4846bbac0e5388af3ef0c6d6c41b5ff991 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 26 Nov 2019 16:17:32 +1300
+Subject: [PATCH 05/13] CVE-2019-14902 dsdb: Add comments explaining why SD
+ propagation needs to be done here
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/descriptor.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
+index fb2854438e1..7070affa645 100644
+--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
++++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
+@@ -876,6 +876,9 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
+ return ldb_oom(ldb);
+ }
+
++ /*
++ * Force SD propagation on children of this record
++ */
+ ret = dsdb_module_schedule_sd_propagation(module, nc_root,
+ dn, false);
+ if (ret != LDB_SUCCESS) {
+@@ -966,6 +969,10 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
+ return ldb_oom(ldb);
+ }
+
++ /*
++ * Force SD propagation on this record (get a new
++ * inherited SD from the potentially new parent
++ */
+ ret = dsdb_module_schedule_sd_propagation(module, nc_root,
+ newdn, true);
+ if (ret != LDB_SUCCESS) {
+--
+2.17.1
+
+
+From 0fa9a362e55abb289cbf0fe24baa09c45af4837e Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 6 Dec 2019 17:54:23 +1300
+Subject: [PATCH 06/13] CVE-2019-14902 dsdb: Ensure we honour both
+ change->force_self and change->force_children
+
+If we are renaming a DN we can be in a situation where we need to
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/descriptor.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
+index 7070affa645..b9f465fc36f 100644
+--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
++++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
+@@ -1291,6 +1291,13 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
+
+ if (cur != NULL) {
+ DLIST_REMOVE(change->children, cur);
++ } else if (i == 0) {
++ /*
++ * in the change->force_self case
++ * res->msgs[0]->elements was not overwritten,
++ * so set cur here
++ */
++ cur = change;
+ }
+
+ for (c = stopped_stack; c; c = stopped_stack) {
+--
+2.17.1
+
+
+From 9ac2b09fa5a2de44967a0b190918825e7dca8d53 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 6 Dec 2019 18:05:54 +1300
+Subject: [PATCH 07/13] CVE-2019-14902 repl_meta_data: schedule SD propagation
+ to a renamed DN
+
+We need to check the SD of the parent if we rename, it is not the same as an incoming SD change.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+index 04a51ecab51..52ff3d75ee2 100644
+--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
++++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+@@ -6290,7 +6290,22 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
+ ar->index_current, msg->num_elements);
+
+ if (renamed) {
+- sd_updated = true;
++ /*
++ * This is an new name for this object, so we must
++ * inherit from the parent
++ *
++ * This is needed because descriptor is above
++ * repl_meta_data in the module stack, so this will
++ * not be trigered 'naturally' by the flow of
++ * operations.
++ */
++ ret = dsdb_module_schedule_sd_propagation(ar->module,
++ ar->objs->partition_dn,
++ msg->dn,
++ true);
++ if (ret != LDB_SUCCESS) {
++ return ldb_operr(ldb);
++ }
+ }
+
+ if (sd_updated && !isDeleted) {
+--
+2.17.1
+
+
+From 9e6b09e0fd52c664de7f0589074fef872c753fa2 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 26 Nov 2019 15:50:35 +1300
+Subject: [PATCH 08/13] CVE-2019-14902 repl_meta_data: Fix issue where
+ inherited Security Descriptors were not replicated.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/repl_secdesc | 1 -
+ .../dsdb/samdb/ldb_modules/repl_meta_data.c | 22 ++++++++++++++++++-
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
+index 7d554ff237a..13a9ce458dd 100644
+--- a/selftest/knownfail.d/repl_secdesc
++++ b/selftest/knownfail.d/repl_secdesc
+@@ -1,3 +1,2 @@
+ ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
+-^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object
+ ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
+diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+index 52ff3d75ee2..9812ded99fb 100644
+--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
++++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+@@ -5527,6 +5527,15 @@ static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
+ replmd_ldb_message_sort(msg, ar->schema);
+
+ if (!remote_isDeleted) {
++ /*
++ * Ensure any local ACL inheritence is applied from
++ * the parent object.
++ *
++ * This is needed because descriptor is above
++ * repl_meta_data in the module stack, so this will
++ * not be trigered 'naturally' by the flow of
++ * operations.
++ */
+ ret = dsdb_module_schedule_sd_propagation(ar->module,
+ ar->objs->partition_dn,
+ msg->dn, true);
+@@ -6309,9 +6318,20 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
+ }
+
+ if (sd_updated && !isDeleted) {
++ /*
++ * This is an existing object, so there is no need to
++ * inherit from the parent, but we must inherit any
++ * incoming changes to our child objects.
++ *
++ * This is needed because descriptor is above
++ * repl_meta_data in the module stack, so this will
++ * not be trigered 'naturally' by the flow of
++ * operations.
++ */
+ ret = dsdb_module_schedule_sd_propagation(ar->module,
+ ar->objs->partition_dn,
+- msg->dn, true);
++ msg->dn,
++ false);
+ if (ret != LDB_SUCCESS) {
+ return ldb_operr(ldb);
+ }
+--
+2.17.1
+
+
+From 7071888d5b556213be79545cac059a8b3f62baee Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 6 Dec 2019 18:26:42 +1300
+Subject: [PATCH 09/13] CVE-2019-14902 repl_meta_data: Set renamed = true (and
+ so do SD inheritance) after any rename
+
+Previously if there was a conflict, but the incoming object would still
+win, this was not marked as a rename, and so inheritence was not done.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/repl_secdesc | 1 -
+ source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 +++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
+index 13a9ce458dd..9dd632d99ed 100644
+--- a/selftest/knownfail.d/repl_secdesc
++++ b/selftest/knownfail.d/repl_secdesc
+@@ -1,2 +1 @@
+-^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
+ ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
+diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+index 9812ded99fb..e67c3b0281e 100644
+--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
++++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+@@ -6134,6 +6134,19 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
+ * replmd_replicated_apply_search_callback())
+ */
+ ret = replmd_replicated_handle_rename(ar, msg, ar->req, &renamed);
++
++ /*
++ * This looks strange, but we must set this after any
++ * rename, otherwise the SD propegation will not
++ * happen (which might matter if we have a new parent)
++ *
++ * The additional case of calling
++ * replmd_op_name_modify_callback (below) is:
++ * - a no-op if there was no name change
++ * and
++ * - called in the default case regardless.
++ */
++ renamed = true;
+ }
+
+ if (ret != LDB_SUCCESS) {
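Review bot: `renamed = true;` overwrites whatever replmd_replicated_handle_rename() stored through `&renamed`, so the out-parameter is dead on this path and the flag no longer means "the DN changed". Judging by the `if (renamed)` block added earlier in this series, every merge that reaches this branch would now schedule SD propagation with include_self set, even when the name did not change. The comment should state that this extra work is accepted, e.g. `/* set unconditionally: a redundant propagation is preferable to a missed one */`. The enclosing branch and the rest of replmd_replicated_apply_merge() are outside the hunk.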
+--
+2.17.1
+
+
+From 16b377276ee82c04d069666e53deaa95a7633dd4 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Thu, 12 Dec 2019 14:44:57 +1300
+Subject: [PATCH 10/13] CVE-2019-14902 dsdb: Change basis of descriptor module
+ deferred processing to be GUIDs
+
+We can not process on the basis of a DN, as the DN may have changed in a rename,
+not only that this module can see, but also from repl_meta_data below.
+
+Therefore remove all the complex tree-based change processing, leaving only
+a tree-based sort of the possible objects to be changed, and a single
+stopped_dn variable containing the DN to stop processing below (after
+a no-op change).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/knownfail.d/repl_secdesc | 1 -
+ source4/dsdb/samdb/ldb_modules/acl_util.c | 4 +-
+ source4/dsdb/samdb/ldb_modules/descriptor.c | 296 +++++++++---------
+ .../dsdb/samdb/ldb_modules/repl_meta_data.c | 7 +-
+ source4/dsdb/samdb/samdb.h | 2 +-
+ 5 files changed, 156 insertions(+), 154 deletions(-)
+ delete mode 100644 selftest/knownfail.d/repl_secdesc
+
+diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
+deleted file mode 100644
+index 9dd632d99ed..00000000000
+--- a/selftest/knownfail.d/repl_secdesc
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
+diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
+index 6d645b10fe2..b9931795e19 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
++++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
+@@ -286,7 +286,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
+
+ int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
+ struct ldb_dn *nc_root,
+- struct ldb_dn *dn,
++ struct GUID guid,
+ bool include_self)
+ {
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+@@ -299,7 +299,7 @@ int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
+ }
+
+ op->nc_root = nc_root;
+- op->dn = dn;
++ op->guid = guid;
+ op->include_self = include_self;
+
+ ret = dsdb_module_extended(module, op, NULL,
+diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
+index b9f465fc36f..daa08c2ebc7 100644
+--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
++++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
+@@ -46,9 +46,8 @@
+
+ struct descriptor_changes {
+ struct descriptor_changes *prev, *next;
+- struct descriptor_changes *children;
+ struct ldb_dn *nc_root;
+- struct ldb_dn *dn;
++ struct GUID guid;
+ bool force_self;
+ bool force_children;
+ struct ldb_dn *stopped_dn;
+@@ -771,7 +770,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
+ current_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+- DSDB_SEARCH_SHOW_RECYCLED,
++ DSDB_SEARCH_SHOW_RECYCLED |
++ DSDB_SEARCH_SHOW_EXTENDED_DN,
+ req);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
+@@ -832,7 +832,7 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
+ user_sd = old_sd;
+ }
+
+- sd = get_new_descriptor(module, dn, req,
++ sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
+ objectclass, parent_sd,
+ user_sd, old_sd, sd_flags);
+ if (sd == NULL) {
+@@ -869,18 +869,32 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
+ return ldb_oom(ldb);
+ }
+ } else if (cmp_ret != 0) {
++ struct GUID guid;
+ struct ldb_dn *nc_root;
++ NTSTATUS status;
+
+- ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
++ ret = dsdb_find_nc_root(ldb,
++ msg,
++ current_res->msgs[0]->dn,
++ &nc_root);
+ if (ret != LDB_SUCCESS) {
+ return ldb_oom(ldb);
+ }
+
++ status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
++ &guid,
++ "GUID");
++ if (!NT_STATUS_IS_OK(status)) {
++ return ldb_operr(ldb);
++ }
++
+ /*
+ * Force SD propagation on children of this record
+ */
+- ret = dsdb_module_schedule_sd_propagation(module, nc_root,
+- dn, false);
++ ret = dsdb_module_schedule_sd_propagation(module,
++ nc_root,
++ guid,
++ false);
+ if (ret != LDB_SUCCESS) {
+ return ldb_operr(ldb);
+ }
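Review bot: The `dsdb_get_extended_dn_guid(..., "GUID")` call in descriptor_modify() only works because the search earlier in the function now sets `DSDB_SEARCH_SHOW_EXTENDED_DN` (added in a separate hunk), and nothing at the call site says so. A comment such as `/* current_res was fetched with DSDB_SEARCH_SHOW_EXTENDED_DN, so the DN carries its GUID component */` would keep a later cleanup of the search flags from turning this into an ldb_operr() on every SD change. Separately, the context lines above still map any `dsdb_find_nc_root()` failure to `ldb_oom(ldb)`, which misreports the cause. The function starts and ends outside the hunk.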
+@@ -963,20 +977,31 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
+
+ if (ldb_dn_compare(olddn, newdn) != 0) {
+ struct ldb_dn *nc_root;
++ struct GUID guid;
+
+ ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ return ldb_oom(ldb);
+ }
+
+- /*
+- * Force SD propagation on this record (get a new
+- * inherited SD from the potentially new parent
+- */
+- ret = dsdb_module_schedule_sd_propagation(module, nc_root,
+- newdn, true);
+- if (ret != LDB_SUCCESS) {
+- return ldb_operr(ldb);
++ ret = dsdb_module_guid_by_dn(module,
++ olddn,
++ &guid,
++ req);
++ if (ret == LDB_SUCCESS) {
++ /*
++ * Without disturbing any errors if the olddn
++ * does not exit, force SD propagation on
++ * this record (get a new inherited SD from
++ * the potentially new parent
++ */
++ ret = dsdb_module_schedule_sd_propagation(module,
++ nc_root,
++ guid,
++ true);
++ if (ret != LDB_SUCCESS) {
++ return ldb_operr(ldb);
++ }
+ }
+ }
+
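Review bot: In descriptor_rename(), any failure of `dsdb_module_guid_by_dn()` silently skips scheduling SD propagation, not only the "olddn does not exist" case the comment describes. If the lookup can fail for another reason, the rename presumably still proceeds while the object keeps the security descriptor inherited from its old parent, which is the condition this series is fixing. Consider letting only the missing-object result through, `} else if (ret != LDB_ERR_NO_SUCH_OBJECT) { return ldb_operr(ldb); }`, assuming that is what the helper returns for a missing DN. The comment also has a typo (`does not exit` should read `does not exist`) and an unclosed parenthesis. The function continues outside the hunk.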
+@@ -992,9 +1017,7 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct dsdb_extended_sec_desc_propagation_op *op;
+ TALLOC_CTX *parent_mem = NULL;
+- struct descriptor_changes *parent_change = NULL;
+ struct descriptor_changes *c;
+- int ret;
+
+ op = talloc_get_type(req->op.extended.data,
+ struct dsdb_extended_sec_desc_propagation_op);
+@@ -1011,32 +1034,6 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
+
+ parent_mem = descriptor_private->trans_mem;
+
+- for (c = descriptor_private->changes; c; c = c->next) {
+- ret = ldb_dn_compare(c->nc_root, op->nc_root);
+- if (ret != 0) {
+- continue;
+- }
+-
+- ret = ldb_dn_compare(c->dn, op->dn);
+- if (ret == 0) {
+- if (op->include_self) {
+- c->force_self = true;
+- } else {
+- c->force_children = true;
+- }
+- return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
+- }
+-
+- ret = ldb_dn_compare_base(c->dn, op->dn);
+- if (ret != 0) {
+- continue;
+- }
+-
+- parent_mem = c;
+- parent_change = c;
+- break;
+- }
+-
+ c = talloc_zero(parent_mem, struct descriptor_changes);
+ if (c == NULL) {
+ return ldb_module_oom(module);
+@@ -1045,21 +1042,14 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
+ if (c->nc_root == NULL) {
+ return ldb_module_oom(module);
+ }
+- c->dn = ldb_dn_copy(c, op->dn);
+- if (c->dn == NULL) {
+- return ldb_module_oom(module);
+- }
++ c->guid = op->guid;
+ if (op->include_self) {
+ c->force_self = true;
+ } else {
+ c->force_children = true;
+ }
+
+- if (parent_change != NULL) {
+- DLIST_ADD_END(parent_change->children, c);
+- } else {
+- DLIST_ADD_END(descriptor_private->changes, c);
+- }
++ DLIST_ADD_END(descriptor_private->changes, c);
+
+ return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
+ }
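Review bot: With the lookup loop removed in the previous hunk, descriptor_extended_sec_desc_propagation() appends a new descriptor_changes entry for every request, so the same GUID can be queued several times in one transaction. Each entry later costs a GUID lookup plus child searches in descriptor_sd_propagation_recursive(), which may matter when a large batch of objects is replicated. If that is intended, say so where the entry is queued, e.g. `/* no de-duplication: repeated requests for one GUID are processed separately */`; otherwise an existing entry with an equal GUID and nc_root could have its force_self/force_children flag set instead. The start of the function is outside the hunk.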
+@@ -1179,41 +1169,75 @@ static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
+ return ldb_dn_compare(dn2, dn1);
+ }
+
+-static int descriptor_sd_propagation_dn_sort(struct ldb_dn *dn1,
+- struct ldb_dn *dn2)
+-{
+- /*
+- * This sorts in tree order, parents first
+- */
+- return ldb_dn_compare(dn2, dn1);
+-}
+-
+ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
+ struct descriptor_changes *change)
+ {
+- struct ldb_context *ldb = ldb_module_get_ctx(module);
++ struct ldb_result *guid_res = NULL;
+ struct ldb_result *res = NULL;
+ unsigned int i;
+ const char * const no_attrs[] = { "@__NONE__", NULL };
+- struct descriptor_changes *c;
+- struct descriptor_changes *stopped_stack = NULL;
+- enum ldb_scope scope;
++ struct ldb_dn *stopped_dn = NULL;
++ struct GUID_txt_buf guid_buf;
+ int ret;
++ bool stop = false;
+
+ /*
+- * First confirm this object has children, or exists (depending on change->force_self)
++ * First confirm this object has children, or exists
++ * (depending on change->force_self)
+ *
+ * LDB_SCOPE_SUBTREE searches are expensive.
+ *
+- * Note: that we do not search for deleted/recycled objects
+- *
+ * We know this is safe against a rename race as we are in the
+ * prepare_commit(), so must be in a transaction.
+ */
++
++ /* Find the DN by GUID, as this is stable under rename */
++ ret = dsdb_module_search(module,
++ change,
++ &guid_res,
++ change->nc_root,
++ LDB_SCOPE_SUBTREE,
++ no_attrs,
++ DSDB_FLAG_NEXT_MODULE |
++ DSDB_FLAG_AS_SYSTEM |
++ DSDB_SEARCH_SHOW_DELETED |
++ DSDB_SEARCH_SHOW_RECYCLED,
++ NULL, /* parent_req */
++ "(objectGUID=%s)",
++ GUID_buf_string(&change->guid,
++ &guid_buf));
++
++ if (ret != LDB_SUCCESS) {
++ return ret;
++ }
++
++ if (guid_res->count != 1) {
++ /*
++ * We were just given this GUID during the same
++ * transaction, if it is missing this is a big
++ * problem.
++ *
++ * Cleanup of tombstones does not trigger this module
++ * as it just does a delete.
++ */
++ ldb_asprintf_errstring(ldb_module_get_ctx(module),
++ "failed to find GUID %s under %s "
++ "for transaction-end SD inheritance: %d results",
++ GUID_buf_string(&change->guid,
++ &guid_buf),
++ ldb_dn_get_linearized(change->nc_root),
++ guid_res->count);
++ return LDB_ERR_OPERATIONS_ERROR;
++ }
++
++ /*
++ * OK, so there was a parent, are there children? Note: that
++ * this time we do not search for deleted/recycled objects
++ */
+ ret = dsdb_module_search(module,
+ change,
+ &res,
+- change->dn,
++ guid_res->msgs[0]->dn,
+ LDB_SCOPE_ONELEVEL,
+ no_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+@@ -1221,26 +1245,55 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
+ NULL, /* parent_req */
+ "(objectClass=*)");
+ if (ret != LDB_SUCCESS) {
++ /*
++ * LDB_ERR_NO_SUCH_OBJECT, say if the DN was a deleted
++ * object, is ignored by the caller
++ */
+ return ret;
+ }
+
+ if (res->count == 0 && !change->force_self) {
++ /* All done, no children */
+ TALLOC_FREE(res);
+ return LDB_SUCCESS;
+- } else if (res->count == 0 && change->force_self) {
+- scope = LDB_SCOPE_BASE;
+- } else {
+- scope = LDB_SCOPE_SUBTREE;
+ }
+
+ /*
++ * First, if we are in force_self mode (eg renamed under new
++ * parent) then apply the SD to the top object
++ */
++ if (change->force_self) {
++ ret = descriptor_sd_propagation_object(module,
++ guid_res->msgs[0],
++ &stop);
++ if (ret != LDB_SUCCESS) {
++ TALLOC_FREE(guid_res);
++ return ret;
++ }
++
++ if (stop == true && !change->force_children) {
++ /* There was no change, nothing more to do */
++ TALLOC_FREE(guid_res);
++ return LDB_SUCCESS;
++ }
++
++ if (res->count == 0) {
++ /* All done! */
++ TALLOC_FREE(guid_res);
++ return LDB_SUCCESS;
++ }
++ }
++
++ /*
++ * Look for children
++ *
+ * Note: that we do not search for deleted/recycled objects
+ */
+ ret = dsdb_module_search(module,
+ change,
+ &res,
+- change->dn,
+- scope,
++ guid_res->msgs[0]->dn,
++ LDB_SCOPE_SUBTREE,
+ no_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM,
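Review bot: The early returns in descriptor_sd_propagation_recursive() clean up inconsistently: the no-children path frees `res` but not `guid_res`, while the three force_self returns free `guid_res` but not `res`. Both results are requested with `change` as the second argument to dsdb_module_search(), presumably the talloc parent, so they are likely released with the change list rather than leaked, but the mismatch reads like an oversight. Freeing both on each of these returns, `TALLOC_FREE(res); TALLOC_FREE(guid_res);`, keeps the paths uniform. `stop == true` can also be written `stop`, matching the later `if (stop)`. The function body extends beyond this hunk on both sides.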
+@@ -1253,90 +1306,39 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
+ TYPESAFE_QSORT(res->msgs, res->count,
+ descriptor_sd_propagation_msg_sort);
+
+- for (c = change->children; c; c = c->next) {
+- struct ldb_message *msg = NULL;
+-
+- BINARY_ARRAY_SEARCH_P(res->msgs, res->count, dn, c->dn,
+- descriptor_sd_propagation_dn_sort,
+- msg);
+-
+- if (msg == NULL) {
+- ldb_debug(ldb, LDB_DEBUG_WARNING,
+- "descriptor_sd_propagation_recursive: "
+- "%s not found under %s",
+- ldb_dn_get_linearized(c->dn),
+- ldb_dn_get_linearized(change->dn));
+- continue;
+- }
+-
+- msg->elements = (struct ldb_message_element *)c;
+- }
+-
+- DLIST_ADD(stopped_stack, change);
+-
+- if (change->force_self) {
+- i = 0;
+- } else {
+- i = 1;
+- }
+-
+- for (; i < res->count; i++) {
+- struct descriptor_changes *cur;
+- bool stop = false;
+-
+- cur = talloc_get_type(res->msgs[i]->elements,
+- struct descriptor_changes);
+- res->msgs[i]->elements = NULL;
+- res->msgs[i]->num_elements = 0;
+-
+- if (cur != NULL) {
+- DLIST_REMOVE(change->children, cur);
+- } else if (i == 0) {
++ /* We start from 1, the top object has been done */
++ for (i = 1; i < res->count; i++) {
++ /*
++ * ldb_dn_compare_base() does not match for NULL but
++ * this is clearer
++ */
++ if (stopped_dn != NULL) {
++ ret = ldb_dn_compare_base(stopped_dn,
++ res->msgs[i]->dn);
+ /*
+- * in the change->force_self case
+- * res->msgs[0]->elements was not overwritten,
+- * so set cur here
++ * Skip further processing of this
++ * sub-subtree
+ */
+- cur = change;
+- }
+-
+- for (c = stopped_stack; c; c = stopped_stack) {
+- ret = ldb_dn_compare_base(c->dn,
+- res->msgs[i]->dn);
+- if (ret == 0) {
+- break;
+- }
+-
+- c->stopped_dn = NULL;
+- DLIST_REMOVE(stopped_stack, c);
+- }
+-
+- if (cur != NULL) {
+- DLIST_ADD(stopped_stack, cur);
+- }
+-
+- if (stopped_stack->stopped_dn != NULL) {
+- ret = ldb_dn_compare_base(stopped_stack->stopped_dn,
+- res->msgs[i]->dn);
+ if (ret == 0) {
+ continue;
+ }
+- stopped_stack->stopped_dn = NULL;
+ }
+-
+- ret = descriptor_sd_propagation_object(module, res->msgs[i],
++ ret = descriptor_sd_propagation_object(module,
++ res->msgs[i],
+ &stop);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+- if (cur != NULL && cur->force_children) {
+- continue;
+- }
+-
+ if (stop) {
+- stopped_stack->stopped_dn = res->msgs[i]->dn;
+- continue;
++ /*
++ * If this child didn't change, then nothing
++ * under it needs to change
++ *
++ * res has been sorted into tree order so the
++ * next few entries can be skipped
++ */
++ stopped_dn = res->msgs[i]->dn;
+ }
+ }
+
+diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+index e67c3b0281e..a2a6bcc98f3 100644
+--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
++++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+@@ -5538,7 +5538,8 @@ static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
+ */
+ ret = dsdb_module_schedule_sd_propagation(ar->module,
+ ar->objs->partition_dn,
+- msg->dn, true);
++ ar->objs->objects[ar->index_current].object_guid,
++ true);
+ if (ret != LDB_SUCCESS) {
+ return replmd_replicated_request_error(ar, ret);
+ }
+@@ -6323,7 +6324,7 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
+ */
+ ret = dsdb_module_schedule_sd_propagation(ar->module,
+ ar->objs->partition_dn,
+- msg->dn,
++ ar->objs->objects[ar->index_current].object_guid,
+ true);
+ if (ret != LDB_SUCCESS) {
+ return ldb_operr(ldb);
+@@ -6343,7 +6344,7 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
+ */
+ ret = dsdb_module_schedule_sd_propagation(ar->module,
+ ar->objs->partition_dn,
+- msg->dn,
++ ar->objs->objects[ar->index_current].object_guid,
+ false);
+ if (ret != LDB_SUCCESS) {
+ return ldb_operr(ldb);
+diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
+index e1b0e4aa4e3..3f47b863a83 100644
+--- a/source4/dsdb/samdb/samdb.h
++++ b/source4/dsdb/samdb/samdb.h
+@@ -338,7 +338,7 @@ struct dsdb_extended_allocate_rid {
+ #define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.4.7"
+ struct dsdb_extended_sec_desc_propagation_op {
+ struct ldb_dn *nc_root;
+- struct ldb_dn *dn;
++ struct GUID guid;
+ bool include_self;
+ };
+
+--
+2.17.1
+
+
+From 030fa9e5455125e30b71c90be80baadb657d8993 Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Fri, 24 May 2019 13:37:00 +0000
+Subject: [PATCH 11/13] CVE-2019-14907 lib/util/charset: clang: Fix Value
+ stored to 'reason' is never read warning
+
+Fixes:
+
+lib/util/charset/convert_string.c:301:5: warning: Value stored to 'reason' is never read <--[clang]
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Gary Lockyer gary@catalyst.net.nz
+(cherry picked from commit add47e288bc80c1bf45765d1588a9fa5998ea677)
+---
+ lib/util/charset/convert_string.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
+index 196302aacfd..34facab6fe6 100644
+--- a/lib/util/charset/convert_string.c
++++ b/lib/util/charset/convert_string.c
+@@ -300,13 +300,13 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
+ {
+ reason="No more room";
+ if (from == CH_UNIX) {
+- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s'\n",
++ DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n",
+ charset_name(ic, from), charset_name(ic, to),
+- (unsigned int)srclen, (unsigned int)destlen, (const char *)src));
++ (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason));
+ } else {
+- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u\n",
++ DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+ charset_name(ic, from), charset_name(ic, to),
+- (unsigned int)srclen, (unsigned int)destlen));
++ (unsigned int)srclen, (unsigned int)destlen, reason));
+ }
+ break;
+ }
+--
+2.17.1
+
+
+From ad0e68d354ad33c577dbf146fc4a1b8254857558 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 29 Nov 2019 20:58:47 +1300
+Subject: [PATCH 12/13] CVE-2019-14907 lib/util: Do not print the failed to
+ convert string into the logs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The string may be in another charset, or may be sensitive and
+certainly may not be terminated. It is not safe to just print.
+
+Found by Robert Święcki using a fuzzer he wrote for smbd.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+
+(adapted from master commit)
+---
+ lib/util/charset/convert_string.c | 33 +++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
+index 34facab6fe6..b546e056953 100644
+--- a/lib/util/charset/convert_string.c
++++ b/lib/util/charset/convert_string.c
+@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
+ switch(errno) {
+ case EINVAL:
+ reason="Incomplete multibyte sequence";
+- DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
+- reason, (const char *)src));
++ DBG_NOTICE("Conversion error: %s\n",
++ reason);
+ break;
+ case E2BIG:
+ {
+ reason="No more room";
+ if (from == CH_UNIX) {
+- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n",
+- charset_name(ic, from), charset_name(ic, to),
+- (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason));
++ DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
++ charset_name(ic, from), charset_name(ic, to),
++ (unsigned int)srclen, (unsigned int)destlen, reason);
+ } else {
+- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+- charset_name(ic, from), charset_name(ic, to),
+- (unsigned int)srclen, (unsigned int)destlen, reason));
++ DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
++ charset_name(ic, from), charset_name(ic, to),
++ (unsigned int)srclen, (unsigned int)destlen, reason);
+ }
+ break;
+ }
+ case EILSEQ:
+ reason="Illegal multibyte sequence";
+- DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
+- reason, (const char *)src));
++ DBG_NOTICE("convert_string_internal: Conversion error: %s\n",
++ reason);
+ break;
+ default:
+- DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",
+- reason, (const char *)src));
++ DBG_ERR("convert_string_internal: Conversion error: %s\n",
++ reason);
+ break;
+ }
+ /* smb_panic(reason); */
+@@ -427,16 +427,19 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,
+ switch(errno) {
+ case EINVAL:
+ reason="Incomplete multibyte sequence";
+- DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
++ DBG_NOTICE("Conversion error: %s\n",
++ reason);
+ break;
+ case E2BIG:
+ goto convert;
+ case EILSEQ:
+ reason="Illegal multibyte sequence";
+- DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
++ DBG_NOTICE("Conversion error: %s\n",
++ reason);
+ break;
+ default:
+- DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
++ DBG_ERR("Conversion error: %s\n",
++ reason);
+ break;
+ }
+ /* smb_panic(reason); */
+--
+2.17.1
+
+
diff --git a/main/screen/APKBUILD b/main/screen/APKBUILD
index 01aa27a8a6c..35fe650db2e 100644
--- a/main/screen/APKBUILD
+++ b/main/screen/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=screen
pkgver=4.6.2
-pkgrel=0
+pkgrel=1
pkgdesc="A window manager that multiplexes a physical terminal"
url="http://ftp.gnu.org/gnu/screen/"
arch="all"
@@ -10,9 +10,15 @@ license="GPL-3.0-or-later"
options="!check" # No test suite.
makedepends="ncurses-dev ncurses"
subpackages="$pkgname-doc"
-source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2020-9366.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 4.6.2-r1:
+# - CVE-2020-9366
+
build() {
cd "$builddir"
./configure \
@@ -38,4 +44,5 @@ package() {
install -Dm644 etc/screenrc "$pkgdir"/etc/skel/.screenrc
}
-sha512sums="224bd16ad5ae501d1b8bb7d2ba9cc19e6a0743de5a5b320109c2f6bf3b1ca564cc7094ed9211be13733d9d769cde77d13fe236341d448cad0518038ab1e85c99 screen-4.6.2.tar.gz"
+sha512sums="224bd16ad5ae501d1b8bb7d2ba9cc19e6a0743de5a5b320109c2f6bf3b1ca564cc7094ed9211be13733d9d769cde77d13fe236341d448cad0518038ab1e85c99 screen-4.6.2.tar.gz
+7cf69866a2c6e18a72b8df90550d12294c95245a39b1c16a5de9eb1dbaf732d1474af7e0f9d42941286911e136e437f8029cd134858c456eaabee6ef6cfce111 CVE-2020-9366.patch"
diff --git a/main/screen/CVE-2020-9366.patch b/main/screen/CVE-2020-9366.patch
new file mode 100644
index 00000000000..81b56b4bc56
--- /dev/null
+++ b/main/screen/CVE-2020-9366.patch
@@ -0,0 +1,42 @@
+From 68386dfb1fa33471372a8cd2e74686758a2f527b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+Date: Thu, 30 Jan 2020 17:56:27 +0100
+Subject: Fix out of bounds access when setting w_xtermosc after OSC 49
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+echo -e "\e]49\e; \n\ec"
+crashes screen.
+
+This happens because 49 is divided by 10 and used as table index
+resulting in access to w_xtermosc[4], which is out of bounds with table
+itself being size 4. Increase size of table by 1 to 5, which is enough
+for all current uses.
+
+As this overwrites memory based on user input it is potential security
+issue.
+
+Reported-by: pippin@gimp.org
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+---
+ src/window.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/window.h b/src/window.h
+index fbe98dc..11d2a9e 100644
+--- a/window.h
++++ b/window.h
+@@ -237,7 +237,7 @@ struct win
+ char w_vbwait;
+ char w_norefresh; /* dont redisplay when switching to that win */
+ #ifdef RXVT_OSC
+- char w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */
++ char w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */
+ #endif
+ int w_mouse; /* mouse mode 0,9,1000 */
+ int w_extmouse; /* extended mouse mode 0,1006 */
+--
+cgit v1.2.1
+
+
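Review bot: The fix widens `w_xtermosc` from 4 to 5 rows but keeps the size as a bare literal, while the commit message explains that the row index is the OSC number divided by 10. The declaration and the index computation can therefore drift apart again when another OSC code is handled. A named constant shared by both sides would make the coupling visible, and a comment on the field such as `/* indexed by OSC number / 10; must cover OSC 49 */` would record why 5 is needed. The code that computes the index is not part of this patch, so whether it range-checks the value before writing cannot be confirmed from here.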
diff --git a/main/sdl/APKBUILD b/main/sdl/APKBUILD
index 5176d28b426..889be742dff 100644
--- a/main/sdl/APKBUILD
+++ b/main/sdl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sdl
pkgver=1.2.15
-pkgrel=10
+pkgrel=11
pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard"
url="http://www.libsdl.org"
arch="all"
@@ -28,10 +28,13 @@ source="https://www.libsdl.org/release/SDL-$pkgver.tar.gz
0001-CVE-2019-7636.patch
0001-CVE-2019-7637.patch
0002-CVE-2019-7637.patch
+ CVE-2019-13616.patch::https://hg.libsdl.org/SDL/raw-diff/ad1bbfbca760/src/video/SDL_bmp.c
"
builddir="$srcdir"/SDL-$pkgver
# secfixes:
+# 1.2.15-r11:
+# - CVE-2019-13616
# 1.2.15-r10:
# - CVE-2019-7572
# - CVE-2019-7573
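Review bot: The new `CVE-2019-13616.patch::https://hg.libsdl.org/SDL/raw-diff/ad1bbfbca760/src/video/SDL_bmp.c` source entry makes a security fix depend on a remote, server-generated diff at build time. The other CVE patches in this list are plain file names in the package directory. The sha512sums entry added later in this diff pins the content, so a changed download fails the build rather than being applied silently. But if the server renders the raw diff differently or the host goes away, the fix can no longer be rebuilt. Committing the patch next to the APKBUILD and listing it as plain `CVE-2019-13616.patch` would keep the fix reviewable and reproducible.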
@@ -39,7 +42,6 @@ builddir="$srcdir"/SDL-$pkgver
# - CVE-2019-7575
# - CVE-2019-7576
# - CVE-2019-7577
-# - CVE-2019-7577
# - CVE-2019-7578
# - CVE-2019-7635
# - CVE-2019-7636
@@ -47,13 +49,11 @@ builddir="$srcdir"/SDL-$pkgver
# - CVE-2019-7638
prepare() {
- cd "$builddir"
update_config_sub
default_prepare
}
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -70,7 +70,6 @@ build() {
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
@@ -89,4 +88,5 @@ a31d5c685fafbca72fdc5336343b74b90b1bfd5af4b6f632b4d8271bb1a218ec6419a7994290f65e
8e2c04d8a8167c479f56aa2b363bd3b5ee302c473642717445385210871e0c7b6bfb3020c553c4b0ca849b8a290602b20e7e398d396fdbf47980c38b0969f230 0002-CVE-2019-7635.patch
8e9fa28015e64f08d7d8124398ee5b268546105b73313490cfffdd547e67e729455535407177827e485c4132badfc48a73cce18c0ff7ff8a1c8706613acf180c 0001-CVE-2019-7636.patch
0ad1e445a067afb726df48eac55d593075c945199bd718b4116af84c15df6f5c095f541a5c8a008aef4474dda874e68517236f2f37e1539e0e5684240b058231 0001-CVE-2019-7637.patch
-105378cf7609872198c83b8824a1c36463b01f5696cda6c184252b728cdd1054cdc2e68a338f5d728facd182628d2a8b29b961664e89d7f9022abc0268c9afc1 0002-CVE-2019-7637.patch"
+105378cf7609872198c83b8824a1c36463b01f5696cda6c184252b728cdd1054cdc2e68a338f5d728facd182628d2a8b29b961664e89d7f9022abc0268c9afc1 0002-CVE-2019-7637.patch
+1b97970d0bcb7c49a3edfab2dd8c622a591ee64543ebe9e03b1de29a5cfb87820100444ff5ba0ce319911d1020ad94f6a8678c31aa13e370d1c9aeed6e3fd669 CVE-2019-13616.patch"
diff --git a/main/sdl_image/APKBUILD b/main/sdl_image/APKBUILD
index 39ee67a53d6..dbb3d172f58 100644
--- a/main/sdl_image/APKBUILD
+++ b/main/sdl_image/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sdl_image
pkgver=1.2.12
-pkgrel=4
+pkgrel=5
pkgdesc="A simple library to load images of various formats as SDL surfaces"
url="http://www.libsdl.org/projects/SDL_image/"
arch="all"
@@ -12,7 +12,13 @@ depends=""
makedepends="sdl-dev libpng-dev libjpeg-turbo-dev libwebp-dev tiff-dev zlib-dev"
install=""
subpackages="$pkgname-dev"
-source="https://www.libsdl.org/projects/SDL_image/release/SDL_image-${pkgver}.tar.gz"
+source="https://www.libsdl.org/projects/SDL_image/release/SDL_image-${pkgver}.tar.gz
+ CVE-2019-13616.patch
+ "
+
+# secfixes:
+# 1.2.12-r5:
+# - CVE-2019-13616
builddir="$srcdir"/SDL_image-$pkgver
prepare() {
@@ -38,4 +44,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="0e71b280abc2a7f15755e4480a3c1b52d41f9f8b0c9216a6f5bd9fc0e939456fb5d6c10419e1d1904785783f9a1891ead278c03e88b0466fecc6871c3ca40136 SDL_image-1.2.12.tar.gz"
+sha512sums="0e71b280abc2a7f15755e4480a3c1b52d41f9f8b0c9216a6f5bd9fc0e939456fb5d6c10419e1d1904785783f9a1891ead278c03e88b0466fecc6871c3ca40136 SDL_image-1.2.12.tar.gz
+0ae144202435ad35e5ff6ae6b73592cd8ef68dba2704e09ba22f2b9e9d98f547f2ead28327be0594897f2165d2bf5c26f07e8ef72760527e8d9e4e593e8e5f60 CVE-2019-13616.patch"
diff --git a/main/sdl_image/CVE-2019-13616.patch b/main/sdl_image/CVE-2019-13616.patch
new file mode 100644
index 00000000000..f2ed7c6aa07
--- /dev/null
+++ b/main/sdl_image/CVE-2019-13616.patch
@@ -0,0 +1,16 @@
+diff --git a/IMG_bmp.c b/IMG_bmp.c
+index b3c7580..bfadd45 100644
+--- a/IMG_bmp.c
++++ b/IMG_bmp.c
+@@ -272,6 +272,11 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
+ biClrUsed = SDL_ReadLE32(src);
+ biClrImportant = SDL_ReadLE32(src);
+ }
++ if (biWidth <= 0 || biHeight == 0) {
++ IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
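Review bot: The added guard rejects `biHeight == 0` but not the most negative value, which then reaches `biHeight = -biHeight;` in the context lines right after it. If `biHeight` is a 32-bit signed integer (its declaration is outside the hunk), that negation overflows and the height can stay negative. Extending the condition, for example `if (biWidth <= 0 || biHeight == 0 || biHeight == INT_MIN) {` with `<limits.h>` included, would reject that case before the sign flip. LoadBMP_RW starts and ends outside the hunk, so whether a later check catches a negative height cannot be seen here.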
diff --git a/main/smokeping/APKBUILD b/main/smokeping/APKBUILD
index c8a9fe1451d..3efc760689d 100644
--- a/main/smokeping/APKBUILD
+++ b/main/smokeping/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=smokeping
pkgver=2.7.3
-pkgrel=3
+pkgrel=4
pkgdesc="Smokeping network latency monitoring"
pkgusers="smokeping"
pkggroups="smokeping"
@@ -38,6 +38,7 @@ depends="
perl-snmp-session
perl-uri
rrdtool
+ ttf-dejavu
"
makedepends="
openssl-dev
diff --git a/main/spamassassin/APKBUILD b/main/spamassassin/APKBUILD
index 0d4fc2da147..b416ce28ac1 100644
--- a/main/spamassassin/APKBUILD
+++ b/main/spamassassin/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=spamassassin
_pkgreal=Mail-SpamAssassin
-pkgver=3.4.2
+pkgver=3.4.3
pkgrel=0
pkgdesc="The Powerful #1 Open-Source Spam Filter"
url="http://search.cpan.org/dist/Mail-SpamAssassin/"
@@ -23,6 +23,9 @@ source="http://search.cpan.org/CPAN/authors/id/K/KM/KMCGRAIL/${_pkgreal#*-}/$_pk
builddir="$srcdir/$_pkgreal-$pkgver"
# secfixes:
+# 3.4.3-r0:
+# - CVE-2019-12420
+# - CVE-2018-11805
# 3.4.2-r0:
# - CVE-2016-1238
# - CVE-2017-15705
@@ -79,7 +82,7 @@ cpan() {
sed -i '/^#\*/d' "$subpkgdir"/etc/mail/$pkgname/user_prefs
}
-sha512sums="85e3d78bb885ad1d0bf2066d1bc919d6ad5e9f86795069397e7c28cc1ba02870566ec014c08c81f68e7ed03b7f60d2de0b9730b3415b35d848abde2c8920a28f Mail-SpamAssassin-3.4.2.tar.gz
+sha512sums="d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a Mail-SpamAssassin-3.4.3.tar.gz
0a22933290a3abd147689bf3a9de4b6b277628c22966f353c5da932cd98560babf1d0bb9d92c456ea24decfb5af0bbc960192d29a90d9cab437e7986c75c8278 spamd.initd
274d3aa0d9aab05e83c8d5ad3e93a457649360021a67c8cb19088365bed681ebe26889cfa86f8c46a6044c7ee969231f2a71e3227adf8ad9e38d0286b9caf48d spamd.confd
c8c00e4281cefd5e5e15507c8890264a25aa59663c57ccdf7a77905e2550999cfbbfa7271189a9491b0a0e98dff432361f13becdb99e1b583cd9d45d68022a47 spamd.crond
diff --git a/main/spl-vanilla/APKBUILD b/main/spl-vanilla/APKBUILD
index 369d5b3fad3..6949cec9c06 100644
--- a/main/spl-vanilla/APKBUILD
+++ b/main/spl-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/sprunge/APKBUILD b/main/sprunge/APKBUILD
index f663d800b9b..4d1f651abd2 100644
--- a/main/sprunge/APKBUILD
+++ b/main/sprunge/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sprunge
pkgver=0.6
-pkgrel=0
+pkgrel=1
pkgdesc="Helper script to paste things to http://sprunge.us"
url="http://sprunge.us"
arch="noarch"
@@ -33,10 +33,10 @@ package() {
tpaste() {
cd "$_builddir"
- url="http://tpaste.us"
+ url="https://tpaste.us"
pkgdesc="Helper script to paste things to $url"
mkdir -p "$subpkgdir"/usr/bin
- printf "#!/bin/sh\n\nexec curl -F 'tpaste=<-' http://tpaste.us" > \
+ printf "#!/bin/sh\n\nexec curl -F 'tpaste=<-' https://tpaste.us" > \
"$subpkgdir"/usr/bin/tpaste || return 1
chmod 755 "$subpkgdir"/usr/bin/tpaste || return 1
}
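Review bot: In `tpaste()` the endpoint is now written twice, once in `url="https://tpaste.us"` and once hard-coded inside the `printf` that generates the wrapper, so a later change can update one and miss the other. Passing it as an argument keeps them in step and also ends the generated script with a newline: `printf "#!/bin/sh\n\nexec curl -F 'tpaste=<-' %s\n" "$url" > \`. The package-level `url` and `pkgdesc` in the context lines of this file still name `http://sprunge.us`. Whether the sprunge script itself posts over plain HTTP is not visible in this diff and is worth checking in the same change.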
diff --git a/main/sqlite/APKBUILD b/main/sqlite/APKBUILD
index 6199bec0248..b97b3891eca 100644
--- a/main/sqlite/APKBUILD
+++ b/main/sqlite/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
pkgname=sqlite
pkgver=3.28.0
-pkgrel=1
+pkgrel=3
pkgdesc="C library that implements an SQL database engine"
url="https://www.sqlite.org/"
arch="all"
@@ -32,14 +32,22 @@ builddir="$srcdir/$pkgname-autoconf-$_ver"
source="https://www.sqlite.org/2019/$pkgname-autoconf-$_ver.tar.gz
license.txt
CVE-2019-16168.patch
+ CVE-2019-19242.patch
+ CVE-2019-19244.patch
+ CVE-2020-11655.patch
"
# secfixes:
+# 3.28.0-r3:
+# - CVE-2020-11655
+# 3.28.0-r2:
+# - CVE-2019-19242
+# - CVE-2019-19244
# 3.28.0-r1:
# - CVE-2019-16168
# 3.28.0-r0:
-# - CVE-2019-5018
-# - CVE-2019-8457
+# - CVE-2019-5018
+# - CVE-2019-8457
# additional CFLAGS to set
_amalgamation="-DSQLITE_ENABLE_FTS4 \
@@ -106,7 +114,9 @@ static() {
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/lib*.a "$subpkgdir"/usr/lib/
}
-
sha512sums="e800c0d9e6c8c01ccf1d714c6c4da4b98e9610c4c06557dda6393d0792a8ae09788703d4a74dcb21844c49b3629ff7ed95a4a86ff79872aafd2b49c672c7a570 sqlite-autoconf-3280000.tar.gz
5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt
-db937bc87068b486e5163a5493acba2d7b89aa6b45d55cbc1c8b53e6889c53e6be060997f340dfad44c3df328c7891b49277f56299a9531248381a214fb4079d CVE-2019-16168.patch"
+db937bc87068b486e5163a5493acba2d7b89aa6b45d55cbc1c8b53e6889c53e6be060997f340dfad44c3df328c7891b49277f56299a9531248381a214fb4079d CVE-2019-16168.patch
+e0cbb73e56cfd37cb5fbc5b003a40d1853fb527a63319ff78dbcd9d15d9469f75451f4abd572d5a2a1e936c8739f8f031428090b48368f28f97ba6fbf0654dbe CVE-2019-19242.patch
+e7982014a62b4fa465918fd65384cec406ea09598f3e0511eb2b68f618983b2f29a932267397aff9b88b97367dc8e05c4074fa8e276e3f4294ac019df498a724 CVE-2019-19244.patch
+c9d9f440543fa59fb4cb75d069b69adcccfdeb1c31bc9bd8d2f27b178013ea72934f6301d3df28e37a67cb6dbc38b2fc7bf87bacd93d756a62f3bf59a52ab3f2 CVE-2020-11655.patch"
diff --git a/main/sqlite/CVE-2019-19242.patch b/main/sqlite/CVE-2019-19242.patch
new file mode 100644
index 00000000000..a9e13dbeaac
--- /dev/null
+++ b/main/sqlite/CVE-2019-19242.patch
@@ -0,0 +1,18 @@
+diff --git a/sqlite3.c b/sqlite3.c
+index b40ca97..dc9583d 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -100365,7 +100365,12 @@ expr_code_doover:
+ ** constant.
+ */
+ int iReg = sqlite3ExprCodeTarget(pParse, pExpr->pLeft,target);
+- int aff = sqlite3TableColumnAffinity(pExpr->y.pTab, pExpr->iColumn);
++ int aff;
++ if( pExpr->y.pTab ){
++ aff = sqlite3TableColumnAffinity(pExpr->y.pTab, pExpr->iColumn);
++ }else{
++ aff = pExpr->affinity;
++ }
+ if( aff!=SQLITE_AFF_BLOB ){
+ static const char zAff[] = "B\000C\000D\000E";
+ assert( SQLITE_AFF_BLOB=='A' );
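Review bot: This patch file begins directly at `diff --git` and has no header saying which upstream SQLite check-in it was taken from. A later maintainer therefore cannot compare the backport with upstream or tell whether it was adapted for 3.28.0. A short header above the diff would fix that, for example `Upstream: <URL of the upstream check-in>` plus a line stating whether the change was modified for the amalgamation. The same applies to CVE-2019-19244.patch, and CVE-2020-11655.patch has a mail header but also names no upstream source.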
diff --git a/main/sqlite/CVE-2019-19244.patch b/main/sqlite/CVE-2019-19244.patch
new file mode 100644
index 00000000000..3d4e2df8e2a
--- /dev/null
+++ b/main/sqlite/CVE-2019-19244.patch
@@ -0,0 +1,12 @@
+diff --git a/sqlite3.c b/sqlite3.c
+index 8fd740b..bd647ca 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -131679,6 +131679,7 @@ SQLITE_PRIVATE int sqlite3Select(
+ */
+ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct
+ && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0
++ && p->pWin==0
+ ){
+ p->selFlags &= ~SF_Distinct;
+ pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);
diff --git a/main/sqlite/CVE-2020-11655.patch b/main/sqlite/CVE-2020-11655.patch
new file mode 100644
index 00000000000..ee58cf62e87
--- /dev/null
+++ b/main/sqlite/CVE-2020-11655.patch
@@ -0,0 +1,24 @@
+From 660733d19a17c9927275dbcde537d12531a8d121 Mon Sep 17 00:00:00 2001
+From: Leonardo Arena <rnalrd@alpinelinux.org>
+Date: Thu, 7 May 2020 12:37:05 +0000
+Subject: [PATCH] CVE-2020-11655
+
+---
+ sqlite3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 55dc686..f0ccb2d 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -133217,6 +133217,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
+ struct AggInfo_func *pFunc;
+ int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
+ if( nReg==0 ) return;
++ if( pParse->nErr ) return;
+ #ifdef SQLITE_DEBUG
+ /* Verify that all AggInfo registers are within the range specified by
+ ** AggInfo.mnReg..AggInfo.mxReg */
+--
+2.26.0
+
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index c5884e07cea..c6e0ec7acc4 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
-pkgver=4.8
+pkgver=4.13
pkgrel=0
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
@@ -29,8 +29,25 @@ builddir="$srcdir"/$pkgname-$pkgver
options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox
# secfixes:
+# 4.13-r0:
+# - CVE-2020-15810
+# - CVE-2020-15811
+# - CVE-2020-24606
+# 4.11-r0:
+# - CVE-2019-12519
+# - CVE-2019-12521
+# - CVE-2020-11945
+# 4.10-r0:
+# - CVE-2019-12528
+# - CVE-2020-8449
+# - CVE-2020-8450
+# - CVE-2020-8517
+# 4.8-r1:
+# - CVE-2019-18679
# 4.8-r0:
# - CVE-2019-13345
+# - CVE-2019-12529
+# - CVE-2019-12525
# 3.5.27-r2:
# - CVE-2018-1000024
# - CVE-2018-1000027
@@ -103,7 +120,8 @@ squid_kerb_auth() {
install -d "$subpkgdir"/usr/lib/squid
mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
}
-sha512sums="2223f299950ded074faca6e3d09c15bc26e8644c3019b36a612f5d424e25b02a528c4b3c8a9463864f71edc29f17c5662f16ffda18c76317405cb97657e5e823 squid-4.8.tar.xz
+
+sha512sums="06807f82ed01e12afe2dd843aa0a94f69c351765b1889c4c5c3da1cf2ecb06ac3a4be6a24a62f04397299c8fc0df5397f76f64df5422ff78b37a9382d5fdf7fc squid-4.13.tar.xz
15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/sudo/APKBUILD b/main/sudo/APKBUILD
index d3864dc0e55..41da639eb88 100644
--- a/main/sudo/APKBUILD
+++ b/main/sudo/APKBUILD
@@ -8,7 +8,7 @@ if [ "${pkgver%_*}" != "$pkgver" ]; then
else
_realver=$pkgver
fi
-pkgrel=2
+pkgrel=3
pkgdesc="Give certain users the ability to run some commands as root"
url="https://www.sudo.ws/sudo/"
arch="all"
@@ -20,10 +20,15 @@ source="https://www.sudo.ws/dist/sudo-${_realver}.tar.gz
fix-cross-compile.patch
fix-tests.patch
libcrypt.patch
+ CVE-2019-14287.patch
+ CVE-2019-18634.patch
"
options="suid"
# secfixes:
+# 1.8.25_p1-r3:
+# - CVE-2019-14287
+# - CVE-2019-18634
# 1.8.20_p2-r0:
# - CVE-2017-1000368
@@ -67,4 +72,6 @@ package() {
sha512sums="b1445be688d3c1dd7efbdfab68977a7a9b6fd6887191dc99ca717117eec0a550492642556cd55ca5873d054ddc5ccc2b87b2c34602e1ffc729ab6fbc4e523a72 sudo-1.8.25p1.tar.gz
f0f462f40502da2194310fe4a72ec1a16ba40f95a821ba9aa6aabaa423d28c4ab26b684afa7fb81c2407cf60de9327bdab01de51b878c5d4de49b0d62645f53c fix-cross-compile.patch
b2d7816d334826545420c578114e5af361ced65c00e5bfc2e0b16f3c9325aa9d2b902defeebb181da3cf7bc6aba3a59a496293d2f11d83c9793f11138ba50343 fix-tests.patch
-0fa06d13d202ee5ab58596413a7498b3e9b6925e87385bb876f5e0b29b22010a84918686a5974de87392ab18158e883da343fe6a14448a4e273eaa1bb81f5995 libcrypt.patch"
+0fa06d13d202ee5ab58596413a7498b3e9b6925e87385bb876f5e0b29b22010a84918686a5974de87392ab18158e883da343fe6a14448a4e273eaa1bb81f5995 libcrypt.patch
+bad0eda3a7473e4b13d2d9744c41d37bd1c2f4a50491e7e6c6e2cdb67f98eea5d595ead70ab7ac93444d41d1c9f65d83e67f905614869b9df0bd59365fefae1f CVE-2019-14287.patch
+171cdd24833da4fa819003dbe38b247537d27fa7306f3e78eb4b2e28ccf66e06f02a2104d051d75a42197959489bedfb6633f5efbd436903746e667b79d59ee6 CVE-2019-18634.patch"
diff --git a/main/sudo/CVE-2019-14287.patch b/main/sudo/CVE-2019-14287.patch
new file mode 100644
index 00000000000..1229c5cf543
--- /dev/null
+++ b/main/sudo/CVE-2019-14287.patch
@@ -0,0 +1,260 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+
+Patch ported from:
+
+* https://www.sudo.ws/repos/sudo/rev/83db8dba09e7
+* https://www.sudo.ws/repos/sudo/rev/db06a8336c09
+
+--- a/lib/util/strtoid.c Sun Oct 06 10:46:18 2019 -0600
++++ b/lib/util/strtoid.c Thu Oct 10 10:04:13 2019 -0600
+@@ -49,6 +49,27 @@
+ #include "sudo_util.h"
+
+ /*
++ * Make sure that the ID ends with a valid separator char.
++ */
++static bool
++valid_separator(const char *p, const char *ep, const char *sep)
++{
++ bool valid = false;
++ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
++
++ if (ep != p) {
++ /* check for valid separator (including '\0') */
++ if (sep == NULL)
++ sep = "";
++ do {
++ if (*ep == *sep)
++ valid = true;
++ } while (*sep++ != '\0');
++ }
++ debug_return_bool(valid);
++}
++
++/*
+ * Parse a uid/gid in string form.
+ * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+ * If endp is non-NULL it is set to the next char after the ID.
+@@ -62,38 +83,35 @@
+ char *ep;
+ id_t ret = 0;
+ long long llval;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+ errno = 0;
+ llval = strtoll(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
++ errno = ERANGE;
++ if (errstr != NULL)
++ *errstr = N_("value too large");
++ goto done;
+ }
+- if (!valid) {
++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
++ errno = ERANGE;
++ if (errstr != NULL)
++ *errstr = N_("value too small");
++ goto done;
++ }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
+- if (errno == ERANGE) {
+- if (errstr != NULL) {
+- if (llval == LLONG_MAX)
+- *errstr = N_("value too large");
+- else
+- *errstr = N_("value too small");
+- }
+- goto done;
+- }
+ ret = (id_t)llval;
+ if (errstr != NULL)
+ *errstr = NULL;
+@@ -108,30 +126,15 @@
+ {
+ char *ep;
+ id_t ret = 0;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
+ errno = 0;
+ if (*p == '-') {
+ long lval = strtol(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
+- if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
+- goto done;
+- }
+ if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+@@ -144,28 +147,31 @@
+ *errstr = N_("value too small");
+ goto done;
+ }
+- ret = (id_t)lval;
+- } else {
+- unsigned long ulval = strtoul(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || lval == -1) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
++ ret = (id_t)lval;
++ } else {
++ unsigned long ulval = strtoul(p, &ep, 10);
+ if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+ *errstr = N_("value too large");
+ goto done;
+ }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
++ goto done;
++ }
+ ret = (id_t)ulval;
+ }
+ if (errstr != NULL)
+
+
+--- a/lib/util/regress/atofoo/atofoo_test.c Thu Oct 10 10:04:13 2019 -0600
++++ b/lib/util/regress/atofoo/atofoo_test.c Thu Oct 10 10:04:13 2019 -0600
+@@ -26,6 +26,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
++#include <errno.h>
+
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+@@ -80,15 +81,20 @@
+ id_t id;
+ const char *sep;
+ const char *ep;
++ int errnum;
+ } strtoid_data[] = {
+- { "0,1", 0, ",", "," },
+- { "10", 10, NULL, NULL },
+- { "-2", -2, NULL, NULL },
++ { "0,1", 0, ",", ",", 0 },
++ { "10", 10, NULL, NULL, 0 },
++ { "-1", 0, NULL, NULL, EINVAL },
++ { "4294967295", 0, NULL, NULL, EINVAL },
++ { "4294967296", 0, NULL, NULL, ERANGE },
++ { "-2147483649", 0, NULL, NULL, ERANGE },
++ { "-2", -2, NULL, NULL, 0 },
+ #if SIZEOF_ID_T != SIZEOF_LONG_LONG
+- { "-2", (id_t)4294967294U, NULL, NULL },
++ { "-2", (id_t)4294967294U, NULL, NULL, 0 },
+ #endif
+- { "4294967294", (id_t)4294967294U, NULL, NULL },
+- { NULL, 0, NULL, NULL }
++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
++ { NULL, 0, NULL, NULL, 0 }
+ };
+
+ static int
+@@ -104,11 +110,23 @@
+ (*ntests)++;
+ errstr = "some error";
+ value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
+- if (errstr != NULL) {
+- if (d->id != (id_t)-1) {
+- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ if (d->errnum != 0) {
++ if (errstr == NULL) {
++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
++ d->idstr, d->errnum);
++ errors++;
++ } else if (value != 0) {
++ sudo_warnx_nodebug("FAIL: %s should return 0 on error",
++ d->idstr);
++ errors++;
++ } else if (errno != d->errnum) {
++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
++ d->idstr, errno, d->errnum);
+ errors++;
+ }
++ } else if (errstr != NULL) {
++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ errors++;
+ } else if (value != d->id) {
+ sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
+ errors++;
+diff -r 83db8dba09e7 -r db06a8336c09 plugins/sudoers/regress/testsudoers/test5.out.ok
+--- a/plugins/sudoers/regress/testsudoers/test5.out.ok Thu Oct 10 10:04:13 2019 -0600
++++ b/plugins/sudoers/regress/testsudoers/test5.out.ok Thu Oct 10 10:04:13 2019 -0600
+@@ -4,7 +4,7 @@
+ Entries for user root:
+
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
++testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+
+ Entries for user root:
+diff -r 83db8dba09e7 -r db06a8336c09 plugins/sudoers/regress/testsudoers/test5.sh
+--- a/plugins/sudoers/regress/testsudoers/test5.sh Thu Oct 10 10:04:13 2019 -0600
++++ b/plugins/sudoers/regress/testsudoers/test5.sh Thu Oct 10 10:04:13 2019 -0600
+@@ -24,7 +24,7 @@
+
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
++./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+
+
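Review bot: The new comments `/* Disallow id -1, which means "no change". */` in lib/util/strtoid.c sit above conditions that, in the `long long` and unsigned branches, also reject `UINT_MAX` (`llval == (id_t)UINT_MAX`, `ulval == UINT_MAX`), and the comment does not say why. The comment added earlier in the same function states that uid_t and gid_t are 32-bit unsigned, so 4294967295 is the same value as -1 once converted. Spelling that out, e.g. `/* Disallow -1 and UINT_MAX: both become (uid_t)-1, which means "no change". */`, keeps a later edit from dropping the second test. The range checks now also run before `valid_separator()`, so an out-of-range number followed by junk reports "value too large" rather than "invalid value". Both paths still fail, but the change in error precedence deserves a line in the patch header.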
diff --git a/main/sudo/CVE-2019-18634.patch b/main/sudo/CVE-2019-18634.patch
new file mode 100644
index 00000000000..4d0fdd41d5d
--- /dev/null
+++ b/main/sudo/CVE-2019-18634.patch
@@ -0,0 +1,98 @@
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 29 Jan 2020 20:15:21 -0700
+Subject: Fix a buffer overflow when pwfeedback is enabled and input is a not a
+ tty. In getln() if the user enters ^U (erase line) and the write(2) fails,
+ the remaining buffer size is reset but the current pointer is not. While
+ here, fix an incorrect break for erase when write(2) fails. Also disable
+ pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit:
+ Joe Vennix from Apple Information Security.
+Origin: https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18634
+Bug-Debian: https://bugs.debian.org/950371
+
+--HG--
+branch : 1.8
+[Salvatore Bonaccorso: Backport to 1.8.19p1. Changes from ab2cba0f5d8b ("Print
+a warning for password read issues. Issues include: timeout at the password
+prompt, read error while reading the password, and EOF reading the password.")
+upstream in 1.8.26 changes signature of getln function.]
+---
+ src/tgetpass.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/src/tgetpass.c
++++ b/src/tgetpass.c
+@@ -48,7 +48,7 @@ static volatile sig_atomic_t signo[NSIG]
+
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int);
++static char *getln(int, char *, size_t, bool);
+ static char *sudo_askpass(const char *, const char *);
+
+ static int
+@@ -90,6 +90,7 @@ tgetpass(const char *prompt, int timeout
+ static const char *askpass;
+ static char buf[SUDO_CONV_REPL_MAX + 1];
+ int i, input, output, save_errno, neednl = 0, need_restart;
++ bool feedback = ISSET(flags, TGP_MASK);
+ debug_decl(tgetpass, SUDO_DEBUG_CONV)
+
+ (void) fflush(stdout);
+@@ -136,7 +137,7 @@ restart:
+ */
+ if (!ISSET(flags, TGP_ECHO)) {
+ for (;;) {
+- if (ISSET(flags, TGP_MASK))
++ if (feedback)
+ neednl = sudo_term_cbreak(input);
+ else
+ neednl = sudo_term_noecho(input);
+@@ -150,6 +151,9 @@ restart:
+ }
+ }
+ }
++ /* Only use feedback mode when we can disable echo. */
++ if (!neednl)
++ feedback = false;
+
+ /*
+ * Catch signals that would otherwise cause the user to end
+@@ -175,7 +179,7 @@ restart:
+
+ if (timeout > 0)
+ alarm(timeout);
+- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK));
++ pass = getln(input, buf, sizeof(buf), feedback);
+ alarm(0);
+ save_errno = errno;
+
+@@ -294,7 +298,7 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_erase, sudo_term_kill;
+
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback)
++getln(int fd, char *buf, size_t bufsiz, bool feedback)
+ {
+ size_t left = bufsiz;
+ ssize_t nr = -1;
+@@ -316,15 +320,15 @@ getln(int fd, char *buf, size_t bufsiz,
+ while (cp > buf) {
+ if (write(fd, "\b \b", 3) == -1)
+ break;
+- --cp;
++ cp--;
+ }
++ cp = buf;
+ left = bufsiz;
+ continue;
+ } else if (c == sudo_term_erase) {
+ if (cp > buf) {
+- if (write(fd, "\b \b", 3) == -1)
+- break;
+- --cp;
++ ignore_result(write(fd, "\b \b", 3));
++ cp--;
+ left++;
+ }
+ continue;
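Review bot: The added `cp = buf;` in getln()'s kill-line branch is the actual overflow fix, but nothing in the code says why it is needed when the loop above already walks `cp` back. That loop breaks early when write(2) fails, leaving `cp` mid-buffer while `left` is reset to `bufsiz`. A comment on that line such as `/* write(2) may have failed above; cp must be reset together with left */` would keep a later cleanup from removing it. The header says this is a backport to 1.8.19p1, so it is worth confirming that `ignore_result()` exists in the sudo tree this package builds. getln() continues outside the hunk.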
diff --git a/main/tcpdump/APKBUILD b/main/tcpdump/APKBUILD
index aa29f90dc81..a24b2ea322a 100644
--- a/main/tcpdump/APKBUILD
+++ b/main/tcpdump/APKBUILD
@@ -1,18 +1,49 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tcpdump
-pkgver=4.9.2
-pkgrel=4
+pkgver=4.9.3
+pkgrel=1
pkgdesc="A tool for network monitoring and data acquisition"
url="http://www.tcpdump.org"
arch="all"
license="BSD-3-Clause"
-depends=""
+options="!check" # fail on ppc64le
makedepends="libpcap-dev openssl-dev perl"
subpackages="$pkgname-doc"
-source="http://www.$pkgname.org/release/$pkgname-$pkgver.tar.gz"
-options="!check"
+source="http://www.$pkgname.org/release/$pkgname-$pkgver.tar.gz
+ CVE-2020-8037.patch
+ "
# secfixes:
+# 4.9.3-r1:
+# - CVE-2020-8037
+# 4.9.3-r0:
+# - CVE-2017-16808 # (AoE)
+# - CVE-2018-14468 # (FrameRelay)
+# - CVE-2018-14469 # (IKEv1)
+# - CVE-2018-14470 # (BABEL)
+# - CVE-2018-14466 # (AFS/RX)
+# - CVE-2018-14461 # (LDP)
+# - CVE-2018-14462 # (ICMP)
+# - CVE-2018-14465 # (RSVP)
+# - CVE-2018-14881 # (BGP)
+# - CVE-2018-14464 # (LMP)
+# - CVE-2018-14463 # (VRRP)
+# - CVE-2018-14467 # (BGP)
+# - CVE-2018-10103 # (SMB - partially fixed, but SMB printing disabled)
+# - CVE-2018-10105 # (SMB - too unreliably reproduced, SMB printing disabled)
+# - CVE-2018-14880 # (OSPF6)
+# - CVE-2018-16451 # (SMB)
+# - CVE-2018-14882 # (RPL)
+# - CVE-2018-16227 # (802.11)
+# - CVE-2018-16229 # (DCCP)
+# - CVE-2018-16301 # (was fixed in libpcap)
+# - CVE-2018-16230 # (BGP)
+# - CVE-2018-16452 # (SMB)
+# - CVE-2018-16300 # (BGP)
+# - CVE-2018-16228 # (HNCP)
+# - CVE-2019-15166 # (LMP)
+# - CVE-2019-15167 # (VRRP)
+# - CVE-2018-14879 # (tcpdump -V)
# 4.9.0-r0:
# - CVE-2016-7922
# - CVE-2016-7923
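Review bot: `options="!check"` now gives the reason `# fail on ppc64le`, yet it still turns the test suite off on every architecture, for a release whose secfixes list is almost entirely packet-parser bugs. If the failure really is specific to that architecture, scoping it, e.g. `case "$CARCH" in ppc64le) options="!check";; esac`, would keep the regression tests running elsewhere. The tarball in `source=` is also still fetched over `http://`, so the sha512sums entry is the only integrity control on it. An `https://` URL would add a second layer if the upstream host offers one.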
@@ -60,10 +91,6 @@ options="!check"
builddir="$srcdir"/$pkgname-$pkgver
-prepare() {
- cd "$builddir"
- update_config_sub
-}
build () {
cd "$builddir"
@@ -88,4 +115,5 @@ package() {
rm -f "$pkgdir"/usr/sbin/tcpdump.4*
}
-sha512sums="e1bc19a5867d6e3628f3941bdf3ec831bf13784f1233ca1bccc46aac1702f47ee9357d7ff0ca62cddf211b3c8884488c21144cabddd92c861e32398cd8f7c44b tcpdump-4.9.2.tar.gz"
+sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22 tcpdump-4.9.3.tar.gz
+f53b5557ad2c68c28bbd6121b637ade43937ce4956fa9c2c8b187e8c62726c018509eb728f7f7479d078c9018f091f64114944b2d6106e6214662899f880445a CVE-2020-8037.patch"
diff --git a/main/tcpdump/CVE-2020-8037.patch b/main/tcpdump/CVE-2020-8037.patch
new file mode 100644
index 00000000000..2852845eb74
--- /dev/null
+++ b/main/tcpdump/CVE-2020-8037.patch
@@ -0,0 +1,63 @@
+From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Sat, 18 Apr 2020 14:04:59 -0700
+Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
+
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+---
+ print-ppp.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 891761728..33fb03412 100644
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -1367,19 +1367,29 @@ print_bacp_config_options(netdissect_options *ndo,
+ return 0;
+ }
+
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+ const u_char *p, int length)
+ {
++ u_int caplen = ndo->ndo_snapend - p;
+ u_char *b, *t, c;
+ const u_char *s;
+- int i, proto;
++ u_int i;
++ int proto;
+ const void *se;
+
++ if (caplen == 0)
++ return;
++
+ if (length <= 0)
+ return;
+
+- b = (u_char *)malloc(length);
++ b = (u_char *)malloc(caplen);
+ if (b == NULL)
+ return;
+
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+ * Do this so that we dont overwrite the original packet
+ * contents.
+ */
+- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++ for (s = p, t = b, i = caplen; i != 0; i--) {
+ c = *s++;
+ if (c == 0x7d) {
+- if (i <= 1 || !ND_TTEST(*s))
++ if (i <= 1)
+ break;
+ i--;
+ c = *s++ ^ 0x20;
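Review bot: `u_int caplen = ndo->ndo_snapend - p;` assumes `p` never lies past `ndo_snapend`. If it did, the difference would wrap to a very large unsigned value, and with both `ND_TTEST` checks removed from the loop nothing else bounds the reads through `s`. Whether every caller guarantees this is not visible here. A guard ahead of the subtraction, `if (p >= ndo->ndo_snapend) return;` with `caplen` assigned after it, would make ppp_hdlc() safe on its own and would also cover the `caplen == 0` case. The function body continues outside the hunk.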
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 9143b94c1aa..ae10a014cb8 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.10
-pkgrel=2
+pkgrel=3
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org"
arch="all"
@@ -17,9 +17,12 @@ source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
CVE-2018-12900.patch
CVE-2019-14973-rebased.patch
CVE-2019-17546.patch
+ CVE-2019-6128.patch
"
# secfixes:
+# 4.0.10-r3:
+# - CVE-2019-6128
# 4.0.10-r2:
# - CVE-2019-10927
# 4.0.10-r1:
@@ -101,4 +104,5 @@ tools() {
sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz
c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch
4567184ea17028dbf90753dbebce221881ec26632d88f02d4f6b56556fc19bb9134523f16487707fdd908f21c7bc4660103d0a95f3ccf0890ad4f0d93e81c503 CVE-2019-14973-rebased.patch
-140a6f435a682c5fd2a56e364e0d7448e56b8bf20c8db45db8b15ffd711fa6449f6cdaecab417d7fa96fc832d8eebd40423658153c05dd4f25f769b4b346d5f1 CVE-2019-17546.patch"
+140a6f435a682c5fd2a56e364e0d7448e56b8bf20c8db45db8b15ffd711fa6449f6cdaecab417d7fa96fc832d8eebd40423658153c05dd4f25f769b4b346d5f1 CVE-2019-17546.patch
+f9031d51f50ccfa2c3be96978fb5ac670b83237dec1c6b5b3d51d26af1d0266afd94a8f1c7df9b73dfeb5b4f06d0e66c164dfd6c672887a008f5c9cd675be173 CVE-2019-6128.patch"
diff --git a/main/tiff/CVE-2019-6128.patch b/main/tiff/CVE-2019-6128.patch
new file mode 100644
index 00000000000..178566f8834
--- /dev/null
+++ b/main/tiff/CVE-2019-6128.patch
@@ -0,0 +1,36 @@
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ shortv != PHOTOMETRIC_PALETTE) {
+ fprintf(stderr, "%s: Expecting a palette image.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ fprintf(stderr,
+ "%s: No colormap (not a valid palette image).\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ if (bitspersample != 8) {
+ fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ out = TIFFOpen(argv[optind+1], "w");
+- if (out == NULL)
++ if (out == NULL) {
++ (void) TIFFClose(in);
+ return (-2);
++ }
+ cpTags(in, out);
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
+
diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD
index f971dc226e1..3d271c761f3 100644
--- a/main/tzdata/APKBUILD
+++ b/main/tzdata/APKBUILD
@@ -2,18 +2,14 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tzdata
-pkgver=2019c
-_tzcodever=2019c
+pkgver=2020c
+_tzcodever=2020c
_ptzver=0.5
-pkgrel=0
+pkgrel=1
pkgdesc="Timezone data"
url="https://www.iana.org/time-zones"
arch="all"
license="Public-Domain"
-depends=""
-depends_dev=""
-makedepends=""
-install=""
subpackages="$pkgname-doc"
source="https://www.iana.org/time-zones/repository/releases/tzcode$_tzcodever.tar.gz
https://www.iana.org/time-zones/repository/releases/tzdata$pkgver.tar.gz
@@ -24,11 +20,10 @@ source="https://www.iana.org/time-zones/repository/releases/tzcode$_tzcodever.ta
builddir="$srcdir"
_timezones="africa antarctica asia australasia europe northamerica \
- southamerica pacificnew etcetera backward systemv factory"
+ southamerica etcetera backward factory"
options="!check" # Testsuite require nsgmls (SP)
build() {
- cd "$builddir"
make cc="${CC:-gcc}" CFLAGS="$CFLAGS -DHAVE_STDINT_H=1"
TZDIR="/usr/share/zoneinfo"
@@ -37,13 +32,11 @@ build() {
}
package() {
- cd "$builddir"
+ ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo $_timezones
+ ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/right -L leapseconds $_timezones
+ #./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/posix $_timezones
- ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo ${_timezones}
- ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/right -L leapseconds ${_timezones}
- #./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/posix ${_timezones}
-
- ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo -p America/New_York
+ ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo -p America/New_York
install -m444 -t "$pkgdir"/usr/share/zoneinfo iso3166.tab zone1970.tab zone.tab
mkdir -p "$pkgdir"/usr/sbin
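Review bot: Every `zic` call in package() still passes `-y ./yearistype`, although this bump removes `pacificnew` and `systemv` from `_timezones`. As far as I can tell, upstream dropped the yearistype mechanism in the same tzcode series, which would leave the option ignored at best; please confirm against the 2020c zic. If so, the calls reduce to `./zic -b fat -d "$pkgdir"/usr/share/zoneinfo $_timezones`. The commented-out `posix` invocation was also updated rather than deleted, and a one-line comment saying why it is kept disabled would be more useful than the dead command.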
@@ -57,8 +50,8 @@ package() {
"$pkgdir"/usr/bin/posixtz
}
-sha512sums="61ef36385f501c338c263081486de0d1fccd454b86f8777b0dbad4ea3f21bbde059d0a91c23e207b167ed013127d3db8b7528f0188814a8b44d1f946b19d9b8b tzcode2019c.tar.gz
-2921cbb2fd44a6b8f7f2ed42c13fbae28195aa5c2eeefa70396bc97cdbaad679c6cc3c143da82cca5b0279065c02389e9af536904288c12886bf345baa8c6565 tzdata2019c.tar.gz
+sha512sums="c77fa69d2a005ba7cff602b2267983fd01613f81385bc13c90b9581d69fb0ac73491641cac81e0e5d7dd00ed120c45103859902c2d10da9d25c98b33354f88f7 tzcode2020c.tar.gz
+bbd66fe236ba0949261cb238bfed454c03b4500b239dc38f1b8fef8d229136f5964c1a8386fe54484e4e5e34a3c28a7b66ee7374ff7e0dd07865d78fc53bf96c tzdata2020c.tar.gz
68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz
0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch
fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch"
diff --git a/main/unbound/APKBUILD b/main/unbound/APKBUILD
index 420fb34e3f3..2d3c22a8727 100644
--- a/main/unbound/APKBUILD
+++ b/main/unbound/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=unbound
pkgver=1.8.3
-pkgrel=2
+pkgrel=4
pkgdesc="Unbound is a validating, recursive, and caching DNS resolver"
url="http://unbound.net/"
arch="all"
@@ -21,6 +21,8 @@ source="https://unbound.net/downloads/$pkgname-$pkgver.tar.gz
conf.patch
update-unbound-root-hints
CVE-2019-16866.patch
+ CVE-2019-18934.patch
+ CVE-2020-12662_CVE-2020-12663.patch
migrate-dnscache-to-unbound
root.hints
$pkgname.initd
@@ -28,7 +30,12 @@ source="https://unbound.net/downloads/$pkgname-$pkgver.tar.gz
"
builddir="$srcdir/$pkgname-$pkgver"
-# secfixes
+# secfixes:
+# 1.8.3-r4:
+# - CVE-2020-12662
+# - CVE-2020-12663
+# 1.8.3-r3:
+# - CVE-2019-18934
# 1.8.3-r2:
# - CVE-2019-16866
@@ -107,7 +114,9 @@ sha512sums="545486ccce288a6ef1937d82653a43a11dbd3aec7b8d0036e7fd107e537cdfc935de
bd51769e3e2d6035df1abbf220038a56a69795a092b5f31005e1910c6c88e334d7e71fe16d874885ef74c597f3a1d7af50f9ad9736ba7ebb10ae50178828661c conf.patch
b16b7b15392c0d560718ee543f1eebc5617085fb30d61cddc20dd948bd8b1634ee5b2de1c9cb172a6c0d1c5bbaf98b6fd39816d39c72a43ff619455449e668ac update-unbound-root-hints
da578f620bc1abca4a53bb3448c023c59ccd33c0d560603ab5e6caf7eebd8e4d8a2401f2e4ebbcf1124f168699be02a489ae27d7b723f9b67678592ecea30529 CVE-2019-16866.patch
-b26a13c1c88da9611a65705dc59f7233c5e0f6aced0d7d66c18536a969a2de627ca5d4bb55eedd81f2f040fa11bde48eaaeca2850f376e72e7a531678a259131 migrate-dnscache-to-unbound
+b2ae6363d89c4effa9e926210c4b876eb8fefa79bf459047107e6fb8eb8aca2b9844a4a8bdabe361248be2eeb36519aac7bbc4fe7b805447958088bcc18a83d2 CVE-2019-18934.patch
+9362936e4ce7c3f391590526423c7f13c596bc71db6b643056bcf885797a26ea74e44e920383b6af6ac56294f5dc9529dded96645f519a377269f920e9a8cf68 CVE-2020-12662_CVE-2020-12663.patch
0dca3470ed4ca9b76d6f47f5d20e92924e6648f0870d8594fe6735d8f1cdfeeee7296301066c2a8b2b94f7daed86c15efe00c301ca27e435e5dd2c85508dc9c8 root.hints
+b26a13c1c88da9611a65705dc59f7233c5e0f6aced0d7d66c18536a969a2de627ca5d4bb55eedd81f2f040fa11bde48eaaeca2850f376e72e7a531678a259131 migrate-dnscache-to-unbound
a2b39cb00d342c3bae70ae714dc2bd7c15d0475b35f7afff11fb0bd4c1786f83dd5425a5900a7b4d6c17915a6c546e37f82404bceb44f79c054629e999f23152 unbound.initd
40c660f275a78f93677761f52bdf7ef151941e8469dd17767a947dbe575880e0d113c320d15c7ea7e12ef636d8ec9453eeae804619678293fa35e3d4c7e75a71 unbound.confd"
diff --git a/main/unbound/CVE-2019-18934.patch b/main/unbound/CVE-2019-18934.patch
new file mode 100644
index 00000000000..8d37b9b212b
--- /dev/null
+++ b/main/unbound/CVE-2019-18934.patch
@@ -0,0 +1,218 @@
+diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
+index c8400c6..9e916d6 100644
+--- a/ipsecmod/ipsecmod.c
++++ b/ipsecmod/ipsecmod.c
+@@ -161,6 +161,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
+ return 1;
+ }
+
++/**
++ * Check if the string passed is a valid domain name with safe characters to
++ * pass to a shell.
++ * This will only allow:
++ * - digits
++ * - alphas
++ * - hyphen (not at the start)
++ * - dot (not at the start, or the only character)
++ * - underscore
++ * @param s: pointer to the string.
++ * @param slen: string's length.
++ * @return true if s only contains safe characters; false otherwise.
++ */
++static int
++domainname_has_safe_characters(char* s, size_t slen) {
++ size_t i;
++ for(i = 0; i < slen; i++) {
++ if(s[i] == '\0') return 1;
++ if((s[i] == '-' && i != 0)
++ || (s[i] == '.' && (i != 0 || s[1] == '\0'))
++ || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
++ || (s[i] >= 'A' && s[i] <= 'Z')
++ || (s[i] >= 'a' && s[i] <= 'z')) {
++ continue;
++ }
++ return 0;
++ }
++ return 1;
++}
++
++/**
++ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
++ * a shell.
++ * This is only relevant for checking the gateway when the gateway type is 3
++ * (domainname).
++ * @param s: pointer to the string.
++ * @param slen: string's length.
++ * @return true if s contains only safe characters; false otherwise.
++ */
++static int
++ipseckey_has_safe_characters(char* s, size_t slen) {
++ int precedence, gateway_type, algorithm;
++ char* gateway;
++ gateway = (char*)calloc(slen, sizeof(char));
++ if(!gateway) {
++ log_err("ipsecmod: out of memory when calling the hook");
++ return 0;
++ }
++ if(sscanf(s, "%d %d %d %s ",
++ &precedence, &gateway_type, &algorithm, gateway) != 4) {
++ free(gateway);
++ return 0;
++ }
++ if(gateway_type != 3) {
++ free(gateway);
++ return 1;
++ }
++ if(domainname_has_safe_characters(gateway, slen)) {
++ free(gateway);
++ return 1;
++ }
++ free(gateway);
++ return 0;
++}
++
+ /**
+ * Prepare the data and call the hook.
+ *
+@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+ {
+ size_t slen, tempdata_len, tempstring_len, i;
+ char str[65535], *s, *tempstring;
+- int w;
++ int w = 0, w_temp, qtype;
+ struct ub_packed_rrset_key* rrset_key;
+ struct packed_rrset_data* rrset_data;
+ uint8_t *tempdata;
+@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+ memset(s, 0, slen);
+
+ /* Copy the hook into the buffer. */
+- sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
++ w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ /* Copy the qname into the buffer. */
+ tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
+ qstate->qinfo.qname_len);
+@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+ log_err("ipsecmod: out of memory when calling the hook");
+ return 0;
+ }
+- sldns_str_print(&s, &slen, "\"%s\"", tempstring);
++ if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
++ log_err("ipsecmod: qname has unsafe characters");
++ free(tempstring);
++ return 0;
++ }
++ w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
+ free(tempstring);
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ /* Copy the IPSECKEY TTL into the buffer. */
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+- sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
++ w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
+- /* Copy the A/AAAA record(s) into the buffer. Start and end this section
+- * with a double quote. */
++ w += sldns_str_print(&s, &slen, " ");
+ rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+ qstate->return_msg->rep);
++ /* Double check that the records are indeed A/AAAA.
++ * This should never happen as this function is only executed for A/AAAA
++ * queries but make sure we don't pass anything other than A/AAAA to the
++ * shell. */
++ qtype = ntohs(rrset_key->rk.type);
++ if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
++ log_err("ipsecmod: Answer is not of A or AAAA type");
++ return 0;
++ }
+ rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+- sldns_str_print(&s, &slen, "\"");
++ /* Copy the A/AAAA record(s) into the buffer. Start and end this section
++ * with a double quote. */
++ w += sldns_str_print(&s, &slen, "\"");
+ for(i=0; i<rrset_data->count; i++) {
+ if(i > 0) {
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ }
+ /* Ignore the first two bytes, they are the rr_data len. */
+- w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
++ w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
+ rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
+- if(w < 0) {
++ if(w_temp < 0) {
+ /* Error in printout. */
+- return -1;
+- } else if((size_t)w >= slen) {
++ log_err("ipsecmod: Error in printing IP address");
++ return 0;
++ } else if((size_t)w_temp >= slen) {
+ s = NULL; /* We do not want str to point outside of buffer. */
+ slen = 0;
+- return -1;
++ log_err("ipsecmod: shell command too long");
++ return 0;
+ } else {
+- s += w;
+- slen -= w;
++ s += w_temp;
++ slen -= w_temp;
++ w += w_temp;
+ }
+ }
+- sldns_str_print(&s, &slen, "\"");
++ w += sldns_str_print(&s, &slen, "\"");
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ /* Copy the IPSECKEY record(s) into the buffer. Start and end this section
+ * with a double quote. */
+- sldns_str_print(&s, &slen, "\"");
++ w += sldns_str_print(&s, &slen, "\"");
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+ for(i=0; i<rrset_data->count; i++) {
+ if(i > 0) {
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ }
+ /* Ignore the first two bytes, they are the rr_data len. */
+ tempdata = rrset_data->rr_data[i] + 2;
+ tempdata_len = rrset_data->rr_len[i] - 2;
+ /* Save the buffer pointers. */
+ tempstring = s; tempstring_len = slen;
+- w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
+- NULL, 0);
++ w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
++ &slen, NULL, 0);
+ /* There was an error when parsing the IPSECKEY; reset the buffer
+ * pointers to their previous values. */
+- if(w == -1){
++ if(w_temp == -1) {
+ s = tempstring; slen = tempstring_len;
++ } else if(w_temp > 0) {
++ if(!ipseckey_has_safe_characters(
++ tempstring, tempstring_len - slen)) {
++ log_err("ipsecmod: ipseckey has unsafe characters");
++ return 0;
++ }
++ w += w_temp;
+ }
+ }
+- sldns_str_print(&s, &slen, "\"");
+- verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
++ w += sldns_str_print(&s, &slen, "\"");
++ if(w >= (int)sizeof(str)) {
++ log_err("ipsecmod: shell command too long");
++ return 0;
++ }
++ verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
+ /* ipsecmod-hook should return 0 on success. */
+ if(system(str) != 0)
+ return 0;
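Review bot: `qtype = ntohs(rrset_key->rk.type);` in call_hook() dereferences the result of `reply_find_answer_rrset()` without a NULL check, so the new type validation would itself crash if no answer rrset is found. The hunk does not show whether that can happen on this path. A guard just before it, `if(!rrset_key) { log_err("ipsecmod: no answer rrset"); return 0; }`, is a cheap safeguard in code that feeds `system()`. In ipseckey_has_safe_characters() the `%s` in `sscanf` has no field width. It looks bounded, because `gateway` is allocated with `slen` bytes and the token is a substring of `s`, but a one-line comment stating that invariant would help anyone auditing this path. call_hook() begins and ends outside the hunk.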
diff --git a/main/unbound/CVE-2020-12662_CVE-2020-12663.patch b/main/unbound/CVE-2020-12662_CVE-2020-12663.patch
new file mode 100644
index 00000000000..961d4d16e05
--- /dev/null
+++ b/main/unbound/CVE-2020-12662_CVE-2020-12663.patch
@@ -0,0 +1,948 @@
+diff --git a/iterator/iter_delegpt.c b/iterator/iter_delegpt.c
+index f88b3e1..9a672b0 100644
+--- a/iterator/iter_delegpt.c
++++ b/iterator/iter_delegpt.c
+@@ -84,7 +84,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
+ }
+ for(a = dp->target_list; a; a = a->next_target) {
+ if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen,
+- a->bogus, a->lame, a->tls_auth_name))
++ a->bogus, a->lame, a->tls_auth_name, NULL))
+ return NULL;
+ }
+ return copy;
+@@ -161,7 +161,7 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr,
+ int
+ delegpt_add_target(struct delegpt* dp, struct regional* region,
+ uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
+- socklen_t addrlen, uint8_t bogus, uint8_t lame)
++ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions)
+ {
+ struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen);
+ log_assert(!dp->dp_type_mlc);
+@@ -176,13 +176,14 @@ delegpt_add_target(struct delegpt* dp, struct regional* region,
+ if(ns->got4 && ns->got6)
+ ns->resolved = 1;
+ }
+- return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL);
++ return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL,
++ additions);
+ }
+
+ int
+ delegpt_add_addr(struct delegpt* dp, struct regional* region,
+ struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus,
+- uint8_t lame, char* tls_auth_name)
++ uint8_t lame, char* tls_auth_name, int* additions)
+ {
+ struct delegpt_addr* a;
+ log_assert(!dp->dp_type_mlc);
+@@ -194,6 +195,8 @@ delegpt_add_addr(struct delegpt* dp, struct regional* region,
+ a->lame = 0;
+ return 1;
+ }
++ if(additions)
++ *additions = 1;
+
+ a = (struct delegpt_addr*)regional_alloc(region,
+ sizeof(struct delegpt_addr));
+@@ -382,10 +385,10 @@ delegpt_from_message(struct dns_msg* msg, struct regional* region)
+ continue;
+
+ if(ntohs(s->rk.type) == LDNS_RR_TYPE_A) {
+- if(!delegpt_add_rrset_A(dp, region, s, 0))
++ if(!delegpt_add_rrset_A(dp, region, s, 0, NULL))
+ return NULL;
+ } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_AAAA) {
+- if(!delegpt_add_rrset_AAAA(dp, region, s, 0))
++ if(!delegpt_add_rrset_AAAA(dp, region, s, 0, NULL))
+ return NULL;
+ }
+ }
+@@ -416,7 +419,7 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region,
+
+ int
+ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
+- struct ub_packed_rrset_key* ak, uint8_t lame)
++ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
+ {
+ struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
+ size_t i;
+@@ -432,7 +435,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
+ memmove(&sa.sin_addr, d->rr_data[i]+2, INET_SIZE);
+ if(!delegpt_add_target(dp, region, ak->rk.dname,
+ ak->rk.dname_len, (struct sockaddr_storage*)&sa,
+- len, (d->security==sec_status_bogus), lame))
++ len, (d->security==sec_status_bogus), lame, additions))
+ return 0;
+ }
+ return 1;
+@@ -440,7 +443,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
+
+ int
+ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
+- struct ub_packed_rrset_key* ak, uint8_t lame)
++ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
+ {
+ struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
+ size_t i;
+@@ -456,7 +459,7 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
+ memmove(&sa.sin6_addr, d->rr_data[i]+2, INET6_SIZE);
+ if(!delegpt_add_target(dp, region, ak->rk.dname,
+ ak->rk.dname_len, (struct sockaddr_storage*)&sa,
+- len, (d->security==sec_status_bogus), lame))
++ len, (d->security==sec_status_bogus), lame, additions))
+ return 0;
+ }
+ return 1;
+@@ -464,20 +467,33 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
+
+ int
+ delegpt_add_rrset(struct delegpt* dp, struct regional* region,
+- struct ub_packed_rrset_key* rrset, uint8_t lame)
++ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions)
+ {
+ if(!rrset)
+ return 1;
+ if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_NS)
+ return delegpt_rrset_add_ns(dp, region, rrset, lame);
+ else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A)
+- return delegpt_add_rrset_A(dp, region, rrset, lame);
++ return delegpt_add_rrset_A(dp, region, rrset, lame, additions);
+ else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA)
+- return delegpt_add_rrset_AAAA(dp, region, rrset, lame);
++ return delegpt_add_rrset_AAAA(dp, region, rrset, lame,
++ additions);
+ log_warn("Unknown rrset type added to delegpt");
+ return 1;
+ }
+
++void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype)
++{
++ if(ns) {
++ if(qtype == LDNS_RR_TYPE_A)
++ ns->got4 = 2;
++ else if(qtype == LDNS_RR_TYPE_AAAA)
++ ns->got6 = 2;
++ if(ns->got4 && ns->got6)
++ ns->resolved = 1;
++ }
++}
++
+ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
+ {
+ struct reply_info* rep = (struct reply_info*)msg->entry.data;
+@@ -487,14 +503,7 @@ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
+ if(FLAGS_GET_RCODE(rep->flags) != 0 || rep->an_numrrsets == 0) {
+ struct delegpt_ns* ns = delegpt_find_ns(dp, msg->key.qname,
+ msg->key.qname_len);
+- if(ns) {
+- if(msg->key.qtype == LDNS_RR_TYPE_A)
+- ns->got4 = 1;
+- else if(msg->key.qtype == LDNS_RR_TYPE_AAAA)
+- ns->got6 = 1;
+- if(ns->got4 && ns->got6)
+- ns->resolved = 1;
+- }
++ delegpt_mark_neg(ns, msg->key.qtype);
+ }
+ }
+
+diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
+index 6c08826..138eb6e 100644
+--- a/iterator/iter_delegpt.h
++++ b/iterator/iter_delegpt.h
+@@ -106,9 +106,10 @@ struct delegpt_ns {
+ * and marked true if got4 and got6 are both true.
+ */
+ int resolved;
+- /** if the ipv4 address is in the delegpt */
++ /** if the ipv4 address is in the delegpt, 0=not, 1=yes 2=negative,
++ * negative means it was done, but no content. */
+ uint8_t got4;
+- /** if the ipv6 address is in the delegpt */
++ /** if the ipv6 address is in the delegpt, 0=not, 1=yes 2=negative */
+ uint8_t got6;
+ /**
+ * If the name is parent-side only and thus dispreferred.
+@@ -215,11 +216,12 @@ int delegpt_rrset_add_ns(struct delegpt* dp, struct regional* regional,
+ * @param addrlen: the length of addr.
+ * @param bogus: security status for the address, pass true if bogus.
+ * @param lame: address is lame.
++ * @param additions: will be set to 1 if a new address is added
+ * @return false on error.
+ */
+ int delegpt_add_target(struct delegpt* dp, struct regional* regional,
+ uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
+- socklen_t addrlen, uint8_t bogus, uint8_t lame);
++ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions);
+
+ /**
+ * Add A RRset to delegpt.
+@@ -227,10 +229,11 @@ int delegpt_add_target(struct delegpt* dp, struct regional* regional,
+ * @param regional: where to allocate the info.
+ * @param rrset: RRset A to add.
+ * @param lame: rrset is lame, disprefer it.
++ * @param additions: will be set to 1 if a new address is added
+ * @return 0 on alloc error.
+ */
+ int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional,
+- struct ub_packed_rrset_key* rrset, uint8_t lame);
++ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
+
+ /**
+ * Add AAAA RRset to delegpt.
+@@ -238,10 +241,11 @@ int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional,
+ * @param regional: where to allocate the info.
+ * @param rrset: RRset AAAA to add.
+ * @param lame: rrset is lame, disprefer it.
++ * @param additions: will be set to 1 if a new address is added
+ * @return 0 on alloc error.
+ */
+ int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
+- struct ub_packed_rrset_key* rrset, uint8_t lame);
++ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
+
+ /**
+ * Add any RRset to delegpt.
+@@ -250,10 +254,11 @@ int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
+ * @param regional: where to allocate the info.
+ * @param rrset: RRset to add, NS, A, AAAA.
+ * @param lame: rrset is lame, disprefer it.
++ * @param additions: will be set to 1 if a new address is added
+ * @return 0 on alloc error.
+ */
+ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
+- struct ub_packed_rrset_key* rrset, uint8_t lame);
++ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
+
+ /**
+ * Add address to the delegation point. No servername is associated or checked.
+@@ -264,11 +269,12 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
+ * @param bogus: if address is bogus.
+ * @param lame: if address is lame.
+ * @param tls_auth_name: TLS authentication name (or NULL).
++ * @param additions: will be set to 1 if a new address is added
+ * @return false on error.
+ */
+ int delegpt_add_addr(struct delegpt* dp, struct regional* regional,
+ struct sockaddr_storage* addr, socklen_t addrlen,
+- uint8_t bogus, uint8_t lame, char* tls_auth_name);
++ uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions);
+
+ /**
+ * Find NS record in name list of delegation point.
+@@ -341,6 +347,14 @@ size_t delegpt_count_targets(struct delegpt* dp);
+ struct delegpt* delegpt_from_message(struct dns_msg* msg,
+ struct regional* regional);
+
++/**
++ * Mark negative return in delegation point for specific nameserver.
++ * sets the got4 or got6 to negative, updates the ns->resolved.
++ * @param ns: the nameserver in the delegpt.
++ * @param qtype: A or AAAA (host order).
++ */
++void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype);
++
+ /**
+ * Add negative message to delegation point.
+ * @param dp: delegation point.
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
+index cceec3d..aae934d 100644
+--- a/iterator/iter_scrub.c
++++ b/iterator/iter_scrub.c
+@@ -185,8 +185,9 @@ mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
+ /** Get target name of a CNAME */
+ static int
+ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
+- size_t* snamelen)
++ size_t* snamelen, sldns_buffer* pkt)
+ {
++ size_t oldpos, dlen;
+ if(rrset->rr_count != 1) {
+ struct rr_parse* sig;
+ verbose(VERB_ALGO, "Found CNAME rrset with "
+@@ -204,6 +205,19 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
+ *sname = rrset->rr_first->ttl_data + sizeof(uint32_t)
+ + sizeof(uint16_t); /* skip ttl, rdatalen */
+ *snamelen = rrset->rr_first->size - sizeof(uint16_t);
++
++ if(rrset->rr_first->outside_packet) {
++ if(!dname_valid(*sname, *snamelen))
++ return 0;
++ return 1;
++ }
++ oldpos = sldns_buffer_position(pkt);
++ sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt)));
++ dlen = pkt_dname_len(pkt);
++ sldns_buffer_set_position(pkt, oldpos);
++ if(dlen == 0)
++ return 0; /* parse fail on the rdata name */
++ *snamelen = dlen;
+ return 1;
+ }
+
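Review bot: After this change `*snamelen` has two different sources that the header comment `/** Get target name of a CNAME */` does not mention: for an in-packet record it is whatever `pkt_dname_len` measured from the start of the rdata, while for an `outside_packet` record it is still `size - sizeof(uint16_t)`. A short comment above the new block would help, for example `/* in-packet rdata: take the name length from pkt_dname_len instead of rdatalen; the packet position is restored afterwards */`. The `outside_packet` branch could also be a single `return dname_valid(*sname, *snamelen) != 0;` instead of the if/return pair. The function starts outside this hunk.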
+@@ -215,7 +229,7 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
+ /* we already know that sname is a strict subdomain of DNAME owner */
+ uint8_t* dtarg = NULL;
+ size_t dtarglen;
+- if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen))
++ if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
+ return 0;
+ if(qnamelen <= dname_rrset->dname_len)
+ return 0;
+@@ -388,7 +402,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+ /* check next cname */
+ uint8_t* t = NULL;
+ size_t tlen = 0;
+- if(!parse_get_cname_target(nx, &t, &tlen))
++ if(!parse_get_cname_target(nx, &t, &tlen, pkt))
+ return 0;
+ if(dname_pkt_compare(pkt, alias, t) == 0) {
+ /* it's OK and better capitalized */
+@@ -439,7 +453,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+ size_t tlen = 0;
+ if(synth_cname(sname, snamelen, nx, alias,
+ &aliaslen, pkt) &&
+- parse_get_cname_target(rrset, &t, &tlen) &&
++ parse_get_cname_target(rrset, &t, &tlen, pkt) &&
+ dname_pkt_compare(pkt, alias, t) == 0) {
+ /* the synthesized CNAME equals the
+ * current CNAME. This CNAME is the
+@@ -460,7 +474,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+ }
+
+ /* move to next name in CNAME chain */
+- if(!parse_get_cname_target(rrset, &sname, &snamelen))
++ if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt))
+ return 0;
+ prev = rrset;
+ rrset = rrset->rrset_all_next;
+diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
+index 2ab55ce..3c14de8 100644
+--- a/iterator/iter_utils.c
++++ b/iterator/iter_utils.c
+@@ -1142,7 +1142,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
+ log_rrset_key(VERB_ALGO, "found parent-side", akey);
+ ns->done_pside4 = 1;
+ /* a negative-cache-element has no addresses it adds */
+- if(!delegpt_add_rrset_A(dp, region, akey, 1))
++ if(!delegpt_add_rrset_A(dp, region, akey, 1, NULL))
+ log_err("malloc failure in lookup_parent_glue");
+ lock_rw_unlock(&akey->entry.lock);
+ }
+@@ -1154,7 +1154,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
+ log_rrset_key(VERB_ALGO, "found parent-side", akey);
+ ns->done_pside6 = 1;
+ /* a negative-cache-element has no addresses it adds */
+- if(!delegpt_add_rrset_AAAA(dp, region, akey, 1))
++ if(!delegpt_add_rrset_AAAA(dp, region, akey, 1, NULL))
+ log_err("malloc failure in lookup_parent_glue");
+ lock_rw_unlock(&akey->entry.lock);
+ }
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+index 1e0113a..9d36660 100644
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -72,6 +72,8 @@
+ /* in msec */
+ int UNKNOWN_SERVER_NICENESS = 376;
+
++static void target_count_increase_nx(struct iter_qstate* iq, int num);
++
+ int
+ iter_init(struct module_env* env, int id)
+ {
+@@ -150,6 +152,7 @@ iter_new(struct module_qstate* qstate, int id)
+ iq->sent_count = 0;
+ iq->ratelimit_ok = 0;
+ iq->target_count = NULL;
++ iq->dp_target_count = 0;
+ iq->wait_priming_stub = 0;
+ iq->refetch_glue = 0;
+ iq->dnssec_expected = 0;
+@@ -221,6 +224,7 @@ final_state(struct iter_qstate* iq)
+ static void
+ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
+ {
++ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
+ struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id];
+
+ if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+@@ -246,7 +250,11 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
+ super->region, super_iq->dp))
+ log_err("out of memory adding missing");
+ }
++ delegpt_mark_neg(dpns, qstate->qinfo.qtype);
+ dpns->resolved = 1; /* mark as failed */
++ if((dpns->got4 == 2 || !ie->supports_ipv4) &&
++ (dpns->got6 == 2 || !ie->supports_ipv6))
++ target_count_increase_nx(super_iq, 1);
+ }
+ if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) {
+ /* prime failed to get delegation */
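Review bot: The bare `2` compared against `dpns->got4` and `dpns->got6` is unexplained at this site, and the same four-operand condition is repeated verbatim in the `processTargetResponse` hunk further down. The declaration of `delegpt_mark_neg` says it sets got4 or got6 "to negative", so 2 presumably encodes that state; a named constant or a small static helper used at both sites would make the intent checkable. At minimum, a comment above the `if` such as `/* both address families are negative or unsupported: count one failed nameserver */` would help. `error_supers` starts and ends outside this hunk.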
+@@ -621,7 +629,7 @@ static void
+ target_count_create(struct iter_qstate* iq)
+ {
+ if(!iq->target_count) {
+- iq->target_count = (int*)calloc(2, sizeof(int));
++ iq->target_count = (int*)calloc(3, sizeof(int));
+ /* if calloc fails we simply do not track this number */
+ if(iq->target_count)
+ iq->target_count[0] = 1;
+@@ -634,6 +642,15 @@ target_count_increase(struct iter_qstate* iq, int num)
+ target_count_create(iq);
+ if(iq->target_count)
+ iq->target_count[1] += num;
++ iq->dp_target_count++;
++}
++
++static void
++target_count_increase_nx(struct iter_qstate* iq, int num)
++{
++ target_count_create(iq);
++ if(iq->target_count)
++ iq->target_count[2] += num;
+ }
+
+ /**
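Review bot: `iq->dp_target_count++` in `target_count_increase` adds one per call, while the shared counter on the line above adds `num`. If any caller passes `num` greater than 1 (callers are outside this hunk), the per-delegation-point count lags behind the number of lookups actually spawned, and the `MAX_DP_TARGET_COUNT` check in `query_for_targets` trips later than the constant's comment suggests. Either `iq->dp_target_count += num;` or a comment stating that the field deliberately counts calls would settle it. `target_count_increase_nx` is also added without a doc comment; something like `/** count a nameserver lookup that produced no address, in target_count[2] */` would fit.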
+@@ -656,13 +673,15 @@ target_count_increase(struct iter_qstate* iq, int num)
+ * @param subq_ret: if newly allocated, the subquerystate, or NULL if it does
+ * not need initialisation.
+ * @param v: if true, validation is done on the subquery.
++ * @param detached: true if this qstate should not attach to the subquery
+ * @return false on error (malloc).
+ */
+ static int
+ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
+ uint16_t qclass, struct module_qstate* qstate, int id,
+ struct iter_qstate* iq, enum iter_state initial_state,
+- enum iter_state finalstate, struct module_qstate** subq_ret, int v)
++ enum iter_state finalstate, struct module_qstate** subq_ret, int v,
++ int detached)
+ {
+ struct module_qstate* subq = NULL;
+ struct iter_qstate* subiq = NULL;
+@@ -689,11 +708,23 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
+ valrec = 1;
+ }
+
+- /* attach subquery, lookup existing or make a new one */
+- fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
+- if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec,
+- &subq)) {
+- return 0;
++ if(detached) {
++ struct mesh_state* sub = NULL;
++ fptr_ok(fptr_whitelist_modenv_add_sub(
++ qstate->env->add_sub));
++ if(!(*qstate->env->add_sub)(qstate, &qinf,
++ qflags, prime, valrec, &subq, &sub)){
++ return 0;
++ }
++ }
++ else {
++ /* attach subquery, lookup existing or make a new one */
++ fptr_ok(fptr_whitelist_modenv_attach_sub(
++ qstate->env->attach_sub));
++ if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime,
++ valrec, &subq)) {
++ return 0;
++ }
+ }
+ *subq_ret = subq;
+ if(subq) {
+@@ -716,6 +747,7 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
+ subiq->target_count = iq->target_count;
+ if(iq->target_count)
+ iq->target_count[0] ++; /* extra reference */
++ subiq->dp_target_count = 0;
+ subiq->num_current_queries = 0;
+ subiq->depth = iq->depth+1;
+ outbound_list_init(&subiq->outlist);
+@@ -759,7 +791,7 @@ prime_root(struct module_qstate* qstate, struct iter_qstate* iq, int id,
+ * the normal INIT state logic (which would cause an infloop). */
+ if(!generate_sub_request((uint8_t*)"\000", 1, LDNS_RR_TYPE_NS,
+ qclass, qstate, id, iq, QUERYTARGETS_STATE, PRIME_RESP_STATE,
+- &subq, 0)) {
++ &subq, 0, 0)) {
+ verbose(VERB_ALGO, "could not prime root");
+ return 0;
+ }
+@@ -850,7 +882,7 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, int id,
+ * redundant INIT state processing. */
+ if(!generate_sub_request(stub_dp->name, stub_dp->namelen,
+ LDNS_RR_TYPE_NS, qclass, qstate, id, iq,
+- QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0)) {
++ QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0, 0)) {
+ verbose(VERB_ALGO, "could not prime stub");
+ errinf(qstate, "could not generate lookup for stub prime");
+ (void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+@@ -1025,7 +1057,7 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
+ if(!generate_sub_request(s->rk.dname, s->rk.dname_len,
+ ntohs(s->rk.type), ntohs(s->rk.rrset_class),
+ qstate, id, iq,
+- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
+ verbose(VERB_ALGO, "could not generate addr check");
+ return;
+ }
+@@ -1069,7 +1101,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
+ iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
+ if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
+ LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
+- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
+ verbose(VERB_ALGO, "could not generate ns check");
+ return;
+ }
+@@ -1126,7 +1158,7 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
+ iq->dp->name, LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass);
+ if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
+ LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass, qstate, id, iq,
+- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
+ /* we'll be slower, but it'll work */
+ verbose(VERB_ALGO, "could not generate dnskey prefetch");
+ return;
+@@ -1315,6 +1347,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->refetch_glue = 0;
+ iq->query_restart_count++;
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+ sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
+ if(qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = INIT_MINIMISE_STATE;
+@@ -1693,7 +1726,7 @@ generate_parentside_target_query(struct module_qstate* qstate,
+ {
+ struct module_qstate* subq;
+ if(!generate_sub_request(name, namelen, qtype, qclass, qstate,
+- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
++ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
+ return 0;
+ if(subq) {
+ struct iter_qstate* subiq =
+@@ -1744,7 +1777,7 @@ generate_target_query(struct module_qstate* qstate, struct iter_qstate* iq,
+ {
+ struct module_qstate* subq;
+ if(!generate_sub_request(name, namelen, qtype, qclass, qstate,
+- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
++ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
+ return 0;
+ log_nametypeclass(VERB_QUERY, "new target", name, qtype, qclass);
+ return 1;
+@@ -1783,6 +1816,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
+ "number of glue fetches %d", s, iq->target_count[1]);
+ return 0;
+ }
++ if(iq->dp_target_count > MAX_DP_TARGET_COUNT) {
++ char s[LDNS_MAX_DOMAINLEN+1];
++ dname_str(qstate->qinfo.qname, s);
++ verbose(VERB_QUERY, "request %s has exceeded the maximum "
++ "number of glue fetches %d to a single delegation point",
++ s, iq->dp_target_count);
++ return 0;
++ }
+
+ iter_mark_cycle_targets(qstate, iq->dp);
+ missing = (int)delegpt_count_missing_targets(iq->dp);
+@@ -1896,7 +1937,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
+ for(a = p->target_list; a; a=a->next_target) {
+ (void)delegpt_add_addr(iq->dp, qstate->region,
+ &a->addr, a->addrlen, a->bogus,
+- a->lame, a->tls_auth_name);
++ a->lame, a->tls_auth_name, NULL);
+ }
+ }
+ iq->dp->has_parent_side_NS = 1;
+@@ -1913,6 +1954,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->refetch_glue = 1;
+ iq->query_restart_count++;
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+ if(qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = INIT_MINIMISE_STATE;
+ return next_state(iq, INIT_REQUEST_STATE);
+@@ -2078,7 +2120,7 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
+ iq->dsns_point, LDNS_RR_TYPE_NS, iq->qchase.qclass);
+ if(!generate_sub_request(iq->dsns_point, iq->dsns_point_len,
+ LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
+- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
+ errinf_dname(qstate, "for DS query parent-child nameserver search, could not generate NS lookup for", iq->dsns_point);
+ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+@@ -2136,6 +2178,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ errinf(qstate, "exceeded the maximum number of sends");
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
++ if(iq->target_count && iq->target_count[2] > MAX_TARGET_NX) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ " number of nxdomain nameserver lookups with %d",
++ iq->target_count[2]);
++ errinf(qstate, "exceeded the maximum nameserver nxdomains");
++ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
++ }
+
+ /* Make sure we have a delegation point, otherwise priming failed
+ * or another failure occurred */
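Review bot: The new verbose message is built from `"request has exceeded the maximum "` followed by `" number of nxdomain nameserver lookups with %d"`, so the log line comes out with two spaces between "maximum" and "number". Dropping the leading space of the second literal fixes it: `"number of nxdomain nameserver lookups with %d",`. `processQueryTargets` starts and ends outside this hunk.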
+@@ -2240,12 +2289,41 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->qinfo_out.qtype, iq->qinfo_out.qclass,
+ qstate->query_flags, qstate->region,
+ qstate->env->scratch, 0);
+- if(msg && msg->rep->an_numrrsets == 0
+- && FLAGS_GET_RCODE(msg->rep->flags) ==
++ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
+ LDNS_RCODE_NOERROR)
+ /* no need to send query if it is already
+- * cached as NOERROR/NODATA */
++ * cached as NOERROR */
+ return 1;
++ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
++ LDNS_RCODE_NXDOMAIN &&
++ qstate->env->need_to_validate &&
++ qstate->env->cfg->harden_below_nxdomain) {
++ if(msg->rep->security == sec_status_secure) {
++ iq->response = msg;
++ return final_state(iq);
++ }
++ if(msg->rep->security == sec_status_unchecked) {
++ struct module_qstate* subq = NULL;
++ if(!generate_sub_request(
++ iq->qinfo_out.qname,
++ iq->qinfo_out.qname_len,
++ iq->qinfo_out.qtype,
++ iq->qinfo_out.qclass,
++ qstate, id, iq,
++ INIT_REQUEST_STATE,
++ FINISHED_STATE, &subq, 1, 1))
++ verbose(VERB_ALGO,
++ "could not validate NXDOMAIN "
++ "response");
++ }
++ }
++ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
++ LDNS_RCODE_NXDOMAIN) {
++ /* return and add a label in the next
++ * minimisation iteration.
++ */
++ return 1;
++ }
+ }
+ }
+ if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
+@@ -2321,6 +2399,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ * generated query will immediately be discarded due to depth and
+ * that servfail is cached, which is not good as opportunism goes. */
+ if(iq->depth < ie->max_dependency_depth
++ && iq->num_target_queries == 0
++ && (!iq->target_count || iq->target_count[2]==0)
+ && iq->sent_count < TARGET_FETCH_STOP) {
+ tf_policy = ie->target_fetch_policy[iq->depth];
+ }
+@@ -2366,6 +2446,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->num_current_queries++; /* RespState decrements it*/
+ iq->referral_count++; /* make sure we don't loop */
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+ iq->state = QUERY_RESP_STATE;
+ return 1;
+ }
+@@ -2453,6 +2534,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->num_current_queries++; /* RespState decrements it*/
+ iq->referral_count++; /* make sure we don't loop */
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+ iq->state = QUERY_RESP_STATE;
+ return 1;
+ }
+@@ -2747,7 +2829,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ /* Make subrequest to validate intermediate
+ * NXDOMAIN if harden-below-nxdomain is
+ * enabled. */
+- if(qstate->env->cfg->harden_below_nxdomain) {
++ if(qstate->env->cfg->harden_below_nxdomain &&
++ qstate->env->need_to_validate) {
+ struct module_qstate* subq = NULL;
+ log_query_info(VERB_QUERY,
+ "schedule NXDOMAIN validation:",
+@@ -2759,16 +2842,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->response->qinfo.qclass,
+ qstate, id, iq,
+ INIT_REQUEST_STATE,
+- FINISHED_STATE, &subq, 1))
++ FINISHED_STATE, &subq, 1, 1))
+ verbose(VERB_ALGO,
+ "could not validate NXDOMAIN "
+ "response");
+- outbound_list_clear(&iq->outlist);
+- iq->num_current_queries = 0;
+- fptr_ok(fptr_whitelist_modenv_detach_subs(
+- qstate->env->detach_subs));
+- (*qstate->env->detach_subs)(qstate);
+- iq->num_target_queries = 0;
+ }
+ }
+ return next_state(iq, QUERYTARGETS_STATE);
+@@ -2852,6 +2929,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ /* Count this as a referral. */
+ iq->referral_count++;
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+ /* see if the next dp is a trust anchor, or a DS was sent
+ * along, indicating dnssec is expected for next zone */
+ iq->dnssec_expected = iter_indicates_dnssec(qstate->env,
+@@ -2928,6 +3006,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->dsns_point = NULL;
+ iq->auth_zone_response = 0;
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+ if(iq->minimisation_state != MINIMISE_STATE)
+ /* Only count as query restart when it is not an extra
+ * query as result of qname minimisation. */
+@@ -3120,7 +3199,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
+ if(!generate_sub_request(qstate->qinfo.qname,
+ qstate->qinfo.qname_len, qstate->qinfo.qtype,
+ qstate->qinfo.qclass, qstate, id, iq,
+- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
+ verbose(VERB_ALGO, "could not generate prime check");
+ }
+ generate_a_aaaa_check(qstate, iq, id);
+@@ -3148,6 +3227,7 @@ static void
+ processTargetResponse(struct module_qstate* qstate, int id,
+ struct module_qstate* forq)
+ {
++ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
+ struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
+ struct iter_qstate* foriq = (struct iter_qstate*)forq->minfo[id];
+ struct ub_packed_rrset_key* rrset;
+@@ -3185,7 +3265,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
+ log_rrset_key(VERB_ALGO, "add parentside glue to dp",
+ iq->pside_glue);
+ if(!delegpt_add_rrset(foriq->dp, forq->region,
+- iq->pside_glue, 1))
++ iq->pside_glue, 1, NULL))
+ log_err("out of memory adding pside glue");
+ }
+
+@@ -3196,6 +3276,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
+ * response type was ANSWER. */
+ rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep);
+ if(rrset) {
++ int additions = 0;
+ /* if CNAMEs have been followed - add new NS to delegpt. */
+ /* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */
+ if(!delegpt_find_ns(foriq->dp, rrset->rk.dname,
+@@ -3207,13 +3288,23 @@ processTargetResponse(struct module_qstate* qstate, int id,
+ }
+ /* if dpns->lame then set the address(es) lame too */
+ if(!delegpt_add_rrset(foriq->dp, forq->region, rrset,
+- dpns->lame))
++ dpns->lame, &additions))
+ log_err("out of memory adding targets");
++ if(!additions) {
++ /* no new addresses, increase the nxns counter, like
++ * this could be a list of wildcards with no new
++ * addresses */
++ target_count_increase_nx(foriq, 1);
++ }
+ verbose(VERB_ALGO, "added target response");
+ delegpt_log(VERB_ALGO, foriq->dp);
+ } else {
+ verbose(VERB_ALGO, "iterator TargetResponse failed");
++ delegpt_mark_neg(dpns, qstate->qinfo.qtype);
+ dpns->resolved = 1; /* fail the target */
++ if((dpns->got4 == 2 || !ie->supports_ipv4) &&
++ (dpns->got6 == 2 || !ie->supports_ipv6))
++ target_count_increase_nx(foriq, 1);
+ }
+ }
+
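Review bot: When `delegpt_add_rrset` fails, `additions` may still be 0 (whether it is written before the failure is not visible here), so the `if(!additions)` branch would count an allocation failure as a nameserver that produced no new addresses and move the query toward the `MAX_TARGET_NX` limit. Tying the counter to the success path avoids that, by making the check `else if(!additions) {` directly after the `log_err("out of memory adding targets");` line. The comment in that branch ("like this could be a list of wildcards") would also read better as a plain statement of why an answer that adds nothing is counted. `processTargetResponse` starts outside this hunk.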
+@@ -3387,7 +3478,7 @@ processCollectClass(struct module_qstate* qstate, int id)
+ qstate->qinfo.qname_len, qstate->qinfo.qtype,
+ c, qstate, id, iq, INIT_REQUEST_STATE,
+ FINISHED_STATE, &subq,
+- (int)!(qstate->query_flags&BIT_CD))) {
++ (int)!(qstate->query_flags&BIT_CD), 0)) {
+ errinf(qstate, "could not generate class ANY"
+ " lookup query");
+ return error_response(qstate, id,
+diff --git a/iterator/iterator.h b/iterator/iterator.h
+index a2f1b57..53dcab3 100644
+--- a/iterator/iterator.h
++++ b/iterator/iterator.h
+@@ -55,6 +55,11 @@ struct rbtree_type;
+
+ /** max number of targets spawned for a query and its subqueries */
+ #define MAX_TARGET_COUNT 64
++/** max number of target lookups per qstate, per delegation point */
++#define MAX_DP_TARGET_COUNT 16
++/** max number of nxdomains allowed for target lookups for a query and
++ * its subqueries */
++#define MAX_TARGET_NX 5
+ /** max number of query restarts. Determines max number of CNAME chain. */
+ #define MAX_RESTART_COUNT 8
+ /** max number of referrals. Makes sure resolver does not run away */
+@@ -305,9 +310,14 @@ struct iter_qstate {
+ int sent_count;
+
+ /** number of target queries spawned in [1], for this query and its
+- * subqueries, the malloced-array is shared, [0] refcount. */
++ * subqueries, the malloced-array is shared, [0] refcount.
++ * in [2] the number of nxdomains is counted. */
+ int* target_count;
+
++ /** number of target lookups per delegation point. Reset to 0 after
++ * receiving referral answer. Not shared with subqueries. */
++ int dp_target_count;
++
+ /** if true, already tested for ratelimiting and passed the test */
+ int ratelimit_ok;
+
+diff --git a/services/cache/dns.c b/services/cache/dns.c
+index aa4efec..affe837 100644
+--- a/services/cache/dns.c
++++ b/services/cache/dns.c
+@@ -272,7 +272,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
+ akey = rrset_cache_lookup(env->rrset_cache, ns->name,
+ ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
+ if(akey) {
+- if(!delegpt_add_rrset_A(dp, region, akey, 0)) {
++ if(!delegpt_add_rrset_A(dp, region, akey, 0, NULL)) {
+ lock_rw_unlock(&akey->entry.lock);
+ return 0;
+ }
+@@ -292,7 +292,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
+ akey = rrset_cache_lookup(env->rrset_cache, ns->name,
+ ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
+ if(akey) {
+- if(!delegpt_add_rrset_AAAA(dp, region, akey, 0)) {
++ if(!delegpt_add_rrset_AAAA(dp, region, akey, 0, NULL)) {
+ lock_rw_unlock(&akey->entry.lock);
+ return 0;
+ }
+@@ -326,7 +326,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
+ akey = rrset_cache_lookup(env->rrset_cache, ns->name,
+ ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
+ if(akey) {
+- if(!delegpt_add_rrset_A(dp, region, akey, ns->lame)) {
++ if(!delegpt_add_rrset_A(dp, region, akey, ns->lame,
++ NULL)) {
+ lock_rw_unlock(&akey->entry.lock);
+ return 0;
+ }
+@@ -346,7 +347,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
+ akey = rrset_cache_lookup(env->rrset_cache, ns->name,
+ ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
+ if(akey) {
+- if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame)) {
++ if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame,
++ NULL)) {
+ lock_rw_unlock(&akey->entry.lock);
+ return 0;
+ }
+diff --git a/util/data/dname.c b/util/data/dname.c
+index 9f25e1e..27ff07d 100644
+--- a/util/data/dname.c
++++ b/util/data/dname.c
+@@ -233,17 +233,28 @@ int
+ dname_pkt_compare(sldns_buffer* pkt, uint8_t* d1, uint8_t* d2)
+ {
+ uint8_t len1, len2;
++ int count1 = 0, count2 = 0;
+ log_assert(pkt && d1 && d2);
+ len1 = *d1++;
+ len2 = *d2++;
+ while( len1 != 0 || len2 != 0 ) {
+ /* resolve ptrs */
+ if(LABEL_IS_PTR(len1)) {
++ if((size_t)PTR_OFFSET(len1, *d1)
++ >= sldns_buffer_limit(pkt))
++ return -1;
++ if(count1++ > MAX_COMPRESS_PTRS)
++ return -1;
+ d1 = sldns_buffer_at(pkt, PTR_OFFSET(len1, *d1));
+ len1 = *d1++;
+ continue;
+ }
+ if(LABEL_IS_PTR(len2)) {
++ if((size_t)PTR_OFFSET(len2, *d2)
++ >= sldns_buffer_limit(pkt))
++ return 1;
++ if(count2++ > MAX_COMPRESS_PTRS)
++ return 1;
+ d2 = sldns_buffer_at(pkt, PTR_OFFSET(len2, *d2));
+ len2 = *d2++;
+ continue;
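Review bot: The same two guards, pointer offset against `sldns_buffer_limit(pkt)` and hop count against `MAX_COMPRESS_PTRS`, are written out twice in this hunk and again in the `dname_pkt_hash` and `dname_print` hunks below, each with its own counter and its own failure value. A small static helper that takes the packet, the two pointer bytes and the counter, and reports whether the pointer may be followed, would keep the copies from drifting apart. The header comment of `dname_pkt_compare` should also state that a name with an out-of-range pointer or an over-long pointer chain compares as -1 (first name) or 1 (second name) and never 0, since the callers in iter_scrub.c test the result with `== 0`. The loop body continues outside this hunk.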
+@@ -302,12 +313,18 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_t* dname, hashvalue_type h)
+ uint8_t labuf[LDNS_MAX_LABELLEN+1];
+ uint8_t lablen;
+ int i;
++ int count = 0;
+
+ /* preserve case of query, make hash label by label */
+ lablen = *dname++;
+ while(lablen) {
+ if(LABEL_IS_PTR(lablen)) {
+ /* follow pointer */
++ if((size_t)PTR_OFFSET(lablen, *dname)
++ >= sldns_buffer_limit(pkt))
++ return h;
++ if(count++ > MAX_COMPRESS_PTRS)
++ return h;
+ dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
+ lablen = *dname++;
+ continue;
+@@ -341,6 +358,9 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
+ return;
+ }
+ /* follow pointer */
++ if((size_t)PTR_OFFSET(lablen, *dname)
++ >= sldns_buffer_limit(pkt))
++ return;
+ dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
+ lablen = *dname++;
+ continue;
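Review bot: The added `return` in `dname_pkt_copy` exits with `to` holding whatever was copied so far and, as far as this hunk shows, no terminating root label, so a caller that later walks the output name has no end marker. Writing `*to = 0;` before the `return` would end the output at that point, assuming `to` is the write cursor as its name suggests. If the branch just above (only its closing `return; }` is visible) already terminates the output, the new branch should match it. The function starts and ends outside this hunk.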
+@@ -369,6 +389,7 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
+ void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
+ {
+ uint8_t lablen;
++ int count = 0;
+ if(!out) out = stdout;
+ if(!dname) return;
+
+@@ -382,6 +403,15 @@ void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
+ fputs("??compressionptr??", out);
+ return;
+ }
++ if((size_t)PTR_OFFSET(lablen, *dname)
++ >= sldns_buffer_limit(pkt)) {
++ fputs("??compressionptr??", out);
++ return;
++ }
++ if(count++ > MAX_COMPRESS_PTRS) {
++ fputs("??compressionptr??", out);
++ return;
++ }
+ dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
+ lablen = *dname++;
+ continue;
+diff --git a/util/data/msgparse.c b/util/data/msgparse.c
+index fb31237..7c32618 100644
+--- a/util/data/msgparse.c
++++ b/util/data/msgparse.c
+@@ -55,7 +55,11 @@ smart_compare(sldns_buffer* pkt, uint8_t* dnow,
+ {
+ if(LABEL_IS_PTR(*dnow)) {
+ /* ptr points to a previous dname */
+- uint8_t* p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
++ uint8_t* p;
++ if((size_t)PTR_OFFSET(dnow[0], dnow[1])
++ >= sldns_buffer_limit(pkt))
++ return -1;
++ p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
+ if( p == dprfirst || p == dprlast )
+ return 0;
+ /* prev dname is also a ptr, both ptrs are the same. */
+
diff --git a/main/unzip/APKBUILD b/main/unzip/APKBUILD
index 9afa36c04f1..3dc0ea49f38 100644
--- a/main/unzip/APKBUILD
+++ b/main/unzip/APKBUILD
@@ -3,7 +3,7 @@
pkgname=unzip
pkgver=6.0
_pkgver=${pkgver//./}
-pkgrel=4
+pkgrel=6
pkgdesc="Extract PKZIP-compatible .zip files"
url="http://www.info-zip.org/UnZip.html"
arch="all"
@@ -11,7 +11,7 @@ license="custom"
subpackages="$pkgname-doc"
options="!check"
# normally ftp://ftp.info-zip.org/pub/infozip/src/$pkgname$_pkgver.zip
-source="https://dev.alpinelinux.org/archive/unzip/$pkgname$_pkgver.tgz
+source="https://dev.alpinelinux.org/archive/unzip/unzip$_pkgver.tgz
10-unzip-handle-pkware-verify.patch
20-unzip-uidgid-fix.patch
unzip-6.0-heap-overflow-infloop.patch
@@ -22,25 +22,26 @@ source="https://dev.alpinelinux.org/archive/unzip/$pkgname$_pkgver.tgz
CVE-2016-9844.patch
CVE-2018-1000035.patch
fix-CVE-2014-8139.patch
+ CVE-2019-13232.patch
"
builddir="$srcdir/$pkgname$_pkgver"
# secfixes:
+# 6.0-r6:
+# - CVE-2019-13232
# 6.0-r3:
-# - CVE-2014-8139
-# - CVE-2014-8140
-# - CVE-2014-8141
-# - CVE-2014-9636
-# - CVE-2014-9913
-# - CVE-2016-9844
-# - CVE-2018-1000035
+# - CVE-2014-8139
+# - CVE-2014-8140
+# - CVE-2014-8141
+# - CVE-2014-9636
+# - CVE-2014-9913
+# - CVE-2016-9844
+# - CVE-2018-1000035
# 6.0-r1:
-# - CVE-2015-7696
-# - CVE-2015-7697
+# - CVE-2015-7696
+# - CVE-2015-7697
build() {
- cd "$builddir"
-
make -f unix/Makefile \
CC="${CHOST}-gcc" \
LOCAL_ZIP="${CFLAGS} ${CPPFLAGS}" \
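Review bot: The patch added to `source` states in its own header that it "depends on a preceding commit: Fix bug in undefer_input() that misplaced the input state", and no separate patch for that fix is added to the list in this hunk. It is worth confirming that the 487-line CVE-2019-13232.patch carries that prerequisite, otherwise the overlap detection is applied on top of input-state handling the upstream author considered broken. A comment next to the new `6.0-r6` secfixes entry naming the upstream commits bundled in the file would let the next maintainer check this without opening it. Separately, `build()` now relies on abuild entering `$builddir` before calling it; that should be checked against the abuild version used on this branch, since the removed `cd "$builddir"` cost nothing to keep.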
@@ -48,11 +49,9 @@ build() {
}
package() {
- cd "$builddir"
-
make -f unix/Makefile \
- MANDIR=${pkgdir}/usr/share/man/man1/ \
- prefix=${pkgdir}/usr install
+ MANDIR=$pkgdir/usr/share/man/man1/ \
+ prefix=$pkgdir/usr install
install -Dm644 LICENSE \
"$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
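Review bot: `MANDIR=$pkgdir/usr/share/man/man1/` and `prefix=$pkgdir/usr` are now unquoted, while the `install` line right below quotes `"$pkgdir"`; a package directory containing whitespace would split the make arguments. Quoting both keeps the function consistent: `MANDIR="$pkgdir"/usr/share/man/man1/ \` and `prefix="$pkgdir"/usr install`.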
@@ -67,4 +66,5 @@ b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee056
9a62286acdbd5bf5f679d813017b93c25bdb06edaf48b2b53d3281ce3c30587158a777b07457c574d72350499f786dac6b4493092d7e08c17c07cb65ecc513b6 CVE-2014-9913.patch
8c4a4313072ff0d87eadb0f5472eb48f2802b835dd282305811a96de87a41fed48be60fbdd434e6b6359418f0559f7793deaa1d68161a0c0ead9f8574bb9f14c CVE-2016-9844.patch
6f757385a23fe6a034f676df6bf233243afa8743761e3d715e532d066fcd7dc8f8dcd6192be693258f3855837e5534490784378768abe7ce710fb869258d49b7 CVE-2018-1000035.patch
-13f9c54fcdde478c4afe391c8e7ef9c31b03228aaace5da38382612951cbfd60710fd3d931569297953be32b2c5906715aed4b1c05e28cc8fccbb27f38b57550 fix-CVE-2014-8139.patch"
+13f9c54fcdde478c4afe391c8e7ef9c31b03228aaace5da38382612951cbfd60710fd3d931569297953be32b2c5906715aed4b1c05e28cc8fccbb27f38b57550 fix-CVE-2014-8139.patch
+d11758bda3b022f1adb4031bfbc770c6391e3470f3126ec5a4d3d2800d5452245eee26256f539d60adee33f01ba8ba8345299736cd9568da1242f6f739e4a598 CVE-2019-13232.patch"
diff --git a/main/unzip/CVE-2019-13232.patch b/main/unzip/CVE-2019-13232.patch
new file mode 100644
index 00000000000..01e343a356f
--- /dev/null
+++ b/main/unzip/CVE-2019-13232.patch
@@ -0,0 +1,487 @@
+From 47b3ceae397d21bf822bc2ac73052a4b1daf8e1c Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 11 Jun 2019 22:01:18 -0700
+Subject: [PATCH] Detect and reject a zip bomb using overlapped entries.
+
+This detects an invalid zip file that has at least one entry that
+overlaps with another entry or with the central directory to the
+end of the file. A Fifield zip bomb uses overlapped local entries
+to vastly increase the potential inflation ratio. Such an invalid
+zip file is rejected.
+
+See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
+analysis, construction, and examples of such zip bombs.
+
+The detection maintains a list of covered spans of the zip files
+so far, where the central directory to the end of the file and any
+bytes preceding the first entry at zip file offset zero are
+considered covered initially. Then as each entry is decompressed
+or tested, it is considered covered. When a new entry is about to
+be processed, its initial offset is checked to see if it is
+contained by a covered span. If so, the zip file is rejected as
+invalid.
+
+This commit depends on a preceding commit: "Fix bug in
+undefer_input() that misplaced the input state."
+---
+ extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ globals.c | 1 +
+ globals.h | 3 +
+ process.c | 11 ++++
+ unzip.h | 1 +
+ 5 files changed, 205 insertions(+), 1 deletion(-)
+
+diff --git a/extract.c b/extract.c
+index 1acd769..0973a33 100644
+--- a/extract.c
++++ b/extract.c
+@@ -319,6 +319,125 @@ static ZCONST char Far UnsupportedExtraField[] =
+ "\nerror: unsupported extra-field compression type (%u)--skipping\n";
+ static ZCONST char Far BadExtraFieldCRC[] =
+ "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
++static ZCONST char Far NotEnoughMemCover[] =
++ "error: not enough memory for bomb detection\n";
++static ZCONST char Far OverlappedComponents[] =
++ "error: invalid zip file with overlapped components (possible zip bomb)\n";
++
++
++
++
++
++/* A growable list of spans. */
++typedef zoff_t bound_t;
++typedef struct {
++ bound_t beg; /* start of the span */
++ bound_t end; /* one past the end of the span */
++} span_t;
++typedef struct {
++ span_t *span; /* allocated, distinct, and sorted list of spans */
++ size_t num; /* number of spans in the list */
++ size_t max; /* allocated number of spans (num <= max) */
++} cover_t;
++
++/*
++ * Return the index of the first span in cover whose beg is greater than val.
++ * If there is no such span, then cover->num is returned.
++ */
++static size_t cover_find(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t lo = 0, hi = cover->num;
++ while (lo < hi) {
++ size_t mid = (lo + hi) >> 1;
++ if (val < cover->span[mid].beg)
++ hi = mid;
++ else
++ lo = mid + 1;
++ }
++ return hi;
++}
++
++/* Return true if val lies within any one of the spans in cover. */
++static int cover_within(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t pos = cover_find(cover, val);
++ return pos > 0 && val < cover->span[pos - 1].end;
++}
++
++/*
++ * Add a new span to the list, but only if the new span does not overlap any
++ * spans already in the list. The new span covers the values beg..end-1. beg
++ * must be less than end.
++ *
++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
++ * the list as needed. On success, 0 is returned. If the new span overlaps any
++ * existing spans, then 1 is returned and the new span is not added to the
++ * list. If the new span is invalid because beg is greater than or equal to
++ * end, then -1 is returned. If the list needs to be grown but the memory
++ * allocation fails, then -2 is returned.
++ */
++static int cover_add(cover, beg, end)
++ cover_t *cover;
++ bound_t beg;
++ bound_t end;
++{
++ size_t pos;
++ int prec, foll;
++
++ if (beg >= end)
++ /* The new span is invalid. */
++ return -1;
++
++ /* Find where the new span should go, and make sure that it does not
++ overlap with any existing spans. */
++ pos = cover_find(cover, beg);
++ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
++ (pos < cover->num && end > cover->span[pos].beg))
++ return 1;
++
++ /* Check for adjacencies. */
++ prec = pos > 0 && beg == cover->span[pos - 1].end;
++ foll = pos < cover->num && end == cover->span[pos].beg;
++ if (prec && foll) {
++ /* The new span connects the preceding and following spans. Merge the
++ following span into the preceding span, and delete the following
++ span. */
++ cover->span[pos - 1].end = cover->span[pos].end;
++ cover->num--;
++ memmove(cover->span + pos, cover->span + pos + 1,
++ (cover->num - pos) * sizeof(span_t));
++ }
++ else if (prec)
++ /* The new span is adjacent only to the preceding span. Extend the end
++ of the preceding span. */
++ cover->span[pos - 1].end = end;
++ else if (foll)
++ /* The new span is adjacent only to the following span. Extend the
++ beginning of the following span. */
++ cover->span[pos].beg = beg;
++ else {
++ /* The new span has gaps between both the preceding and the following
++ spans. Assure that there is room and insert the span. */
++ if (cover->num == cover->max) {
++ size_t max = cover->max == 0 ? 16 : cover->max << 1;
++ span_t *span = realloc(cover->span, max * sizeof(span_t));
++ if (span == NULL)
++ return -2;
++ cover->span = span;
++ cover->max = max;
++ }
++ memmove(cover->span + pos + 1, cover->span + pos,
++ (cover->num - pos) * sizeof(span_t));
++ cover->num++;
++ cover->span[pos].beg = beg;
++ cover->span[pos].end = end;
++ }
++ return 0;
++}
+
+
+
+@@ -374,6 +493,29 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
++ /* One more: initialize cover structure for bomb detection. Start with a
++ span that covers the central directory though the end of the file. */
++ if (G.cover == NULL) {
++ G.cover = malloc(sizeof(cover_t));
++ if (G.cover == NULL) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ ((cover_t *)G.cover)->span = NULL;
++ ((cover_t *)G.cover)->max = 0;
++ }
++ ((cover_t *)G.cover)->num = 0;
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ cover_add((cover_t *)G.cover,
++ G.extra_bytes + G.ecrec.offset_start_central_directory,
++ G.ziplen) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+ rectory lies at the end of the zipfile and the member files lie at the
+@@ -591,7 +733,8 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ if (error > error_in_archive)
+ error_in_archive = error;
+ /* ...and keep going (unless disk full or user break) */
+- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
++ error == PK_BOMB) {
+ /* clear reached_end to signal premature stop ... */
+ reached_end = FALSE;
+ /* ... and cancel scanning the central directory */
+@@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
+
+ /* seek_zipf(__G__ pInfo->offset); */
+ request = G.pInfo->offset + G.extra_bytes;
++ if (cover_within((cover_t *)G.cover, request)) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ inbuf_offset = request % INBUFSIZ;
+ bufstart = request - inbuf_offset;
+
+@@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk,
+ return IZ_CTRLC; /* cancel operation by user request */
+ }
+ #endif
++ error = cover_add((cover_t *)G.cover, request,
++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
++ if (error < 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ if (error != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
+ UserStop();
+ #endif
+@@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */
+ }
+
+ undefer_input(__G);
++
++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
++ /* skip over data descriptor (harder than it sounds, due to signature
++ * ambiguity)
++ */
++# define SIG 0x08074b50
++# define LOW 0xffffffff
++ uch buf[12];
++ unsigned shy = 12 - readbuf((char *)buf, 12);
++ ulg crc = shy ? 0 : makelong(buf);
++ ulg clen = shy ? 0 : makelong(buf + 4);
++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
++ if (crc == SIG && /* if not SIG, no signature */
++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
++ (clen == SIG && /* if not SIG, no signature */
++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
++ (ulen == SIG && /* if not SIG, no signature */
++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
++ /* if not SIG, have signature */
++ )))))
++ /* skip four more bytes to account for signature */
++ shy += 4 - readbuf((char *)buf, 4);
++ if (G.zip64)
++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
++ if (shy)
++ error = PK_ERR;
++ }
++
+ return error;
+
+ } /* end function extract_or_test_member() */
+diff --git a/globals.c b/globals.c
+index fa8cca5..1e0f608 100644
+--- a/globals.c
++++ b/globals.c
+@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
+ # if (!defined(NO_TIMESTAMPS))
+ uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
+ # endif
++ G.cover = NULL; /* not allocated yet */
+ #endif
+
+ uO.lflag=(-1);
+diff --git a/globals.h b/globals.h
+index 11b7215..2bdcdeb 100644
+--- a/globals.h
++++ b/globals.h
+@@ -260,12 +260,15 @@ typedef struct Globals {
+ ecdir_rec ecrec; /* used in unzip.c, extract.c */
+ z_stat statbuf; /* used by main, mapname, check_for_newer */
+
++ int zip64; /* true if Zip64 info in extra field */
++
+ int mem_mode;
+ uch *outbufptr; /* extract.c static */
+ ulg outsize; /* extract.c static */
+ int reported_backslash; /* extract.c static */
+ int disk_full;
+ int newfile;
++ void **cover; /* used in extract.c for bomb detection */
+
+ int didCRlast; /* fileio static */
+ ulg numlines; /* fileio static: number of lines printed */
+diff --git a/process.c b/process.c
+index 1e9a1e1..d2e4dc3 100644
+--- a/process.c
++++ b/process.c
+@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */
+ }
+ #endif
+
++ /* Free the cover span list and the cover structure. */
++ if (G.cover != NULL) {
++ free(*(G.cover));
++ free(G.cover);
++ G.cover = NULL;
++ }
++
+ } /* end function free_G_buffers() */
+
+
+@@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ #define Z64FLGS 0xffff
+ #define Z64FLGL 0xffffffff
+
++ G.zip64 = FALSE;
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+@@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ #if 0
+ break; /* Expect only one EF_PKSZ64 block. */
+ #endif /* 0 */
++
++ G.zip64 = TRUE;
+ }
+
+ /* Skip this extra field block. */
+diff --git a/unzip.h b/unzip.h
+index 5b2a326..ed24a5b 100644
+--- a/unzip.h
++++ b/unzip.h
+@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
+ #define PK_NOZIP 9 /* zipfile not found */
+ #define PK_PARAM 10 /* bad or illegal parameters specified */
+ #define PK_FIND 11 /* no files found */
++#define PK_BOMB 12 /* likely zip bomb */
+ #define PK_DISK 50 /* disk full */
+ #define PK_EOF 51 /* unexpected EOF */
+
+From 6d351831be705cc26d897db44f878a978f4138fc Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Thu, 25 Jul 2019 20:43:17 -0700
+Subject: [PATCH] Do not raise a zip bomb alert for a misplaced central
+ directory.
+
+There is a zip-like file in the Firefox distribution, omni.ja,
+which is a zip container with the central directory placed at the
+start of the file instead of after the local entries as required
+by the zip standard. This commit marks the actual location of the
+central directory, as well as the end of central directory records,
+as disallowed locations. This now permits such containers to not
+raise a zip bomb alert, where in fact there are no overlaps.
+---
+ extract.c | 25 +++++++++++++++++++------
+ process.c | 6 ++++++
+ unzpriv.h | 10 ++++++++++
+ 3 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 0973a33..1b73cb0 100644
+--- a/extract.c
++++ b/extract.c
+@@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
+- /* One more: initialize cover structure for bomb detection. Start with a
+- span that covers the central directory though the end of the file. */
++ /* One more: initialize cover structure for bomb detection. Start with
++ spans that cover any extra bytes at the start, the central directory,
++ the end of central directory record (including the Zip64 end of central
++ directory locator, if present), and the Zip64 end of central directory
++ record, if present. */
+ if (G.cover == NULL) {
+ G.cover = malloc(sizeof(cover_t));
+ if (G.cover == NULL) {
+@@ -506,15 +509,25 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ ((cover_t *)G.cover)->max = 0;
+ }
+ ((cover_t *)G.cover)->num = 0;
+- if ((G.extra_bytes != 0 &&
+- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+- cover_add((cover_t *)G.cover,
++ if (cover_add((cover_t *)G.cover,
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
+- G.ziplen) != 0) {
++ G.extra_bytes + G.ecrec.offset_start_central_directory +
++ G.ecrec.size_central_directory) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ (G.ecrec.have_ecr64 &&
++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
++ G.ecrec.ec64_end) != 0) ||
++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
++ G.ecrec.ec_end) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+diff --git a/process.c b/process.c
+index d2e4dc3..d75d405 100644
+--- a/process.c
++++ b/process.c
+@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */
+
+ /* Now, we are (almost) sure that we have a Zip64 archive. */
+ G.ecrec.have_ecr64 = 1;
++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
++ G.ecrec.ec64_start = ecrec64_start_offset;
++ G.ecrec.ec64_end = ecrec64_start_offset +
++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
+
+ /* Update the "end-of-central-dir offset" for later checks. */
+ G.real_ecrec_offset = ecrec64_start_offset;
+@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */
+ makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
+ G.ecrec.zipfile_comment_length =
+ makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
++ G.ecrec.ec_start = G.real_ecrec_offset;
++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
+
+ /* Now, we have to read the archive comment, BEFORE the file pointer
+ is moved away backwards to seek for a Zip64 ECLOC64 structure.
+diff --git a/unzpriv.h b/unzpriv.h
+index dc9eff5..297b3c7 100644
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
+ int have_ecr64; /* valid Zip64 ecdir-record exists */
+ int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
+ ush zipfile_comment_length;
++ zusz_t ec_start, ec_end; /* offsets of start and end of the
++ end of central directory record,
++ including if present the Zip64
++ end of central directory locator,
++ which immediately precedes the
++ end of central directory record */
++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
++ are the offsets of the start and
++ end of the Zip64 end of central
++ directory record */
+ } ecdir_rec;
+
+
+From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Mon, 27 May 2019 08:20:32 -0700
+Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state.
+
+---
+ fileio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fileio.c b/fileio.c
+index c042987..bc00d74 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -530,8 +530,10 @@ void undefer_input(__G)
+ * This condition was checked when G.incnt_leftover was set > 0 in
+ * defer_leftover_input(), and it is NOT allowed to touch G.csize
+ * before calling undefer_input() when (G.incnt_leftover > 0)
+- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
+ */
++ if (G.csize < 0L)
++ G.csize = 0L;
+ G.incnt = G.incnt_leftover + (int)G.csize;
+ G.inptr = G.inptr_leftover - (int)G.csize;
+ G.incnt_leftover = 0;
+
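Review bot: In the second commit carried by this patch, the first `cover_add()` call in extract_or_test_files() (the central-directory span) maps every non-zero return to `NotEnoughMemCover` and `PK_MEM`, but `cover_add()` returns -1 for `beg >= end` and only -2 when `realloc` fails. The list is empty at that point, so a central directory with a recorded size of zero would be reported as an out-of-memory condition rather than as a malformed archive; whether such an archive reaches this code is not visible here. Keeping the result and testing it, e.g. `rc = cover_add(...); if (rc == -2) return PK_MEM;` with a separate branch for the remaining non-zero case, would make the diagnostic and exit code match the cause. Separately, `free(*(G.cover))` in free_G_buffers() only frees the span list because `span` is the first member of `cover_t` and `G.cover` is declared `void **`; a comment on the struct such as `/* span must stay first: free_G_buffers() frees *(G.cover) */` would protect that assumption.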
diff --git a/main/vala/APKBUILD b/main/vala/APKBUILD
index 2562e810829..7211952d16a 100644
--- a/main/vala/APKBUILD
+++ b/main/vala/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vala
-pkgver=0.42.4
+pkgver=0.42.7
pkgrel=0
pkgdesc="Compiler for the GObject type system"
url="http://live.gnome.org/Vala"
@@ -29,5 +29,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="897658874d89f7e34a6167cd055fa64c8fc4a870330a734ea20bd526a79d8d35033325b23e8533bcf59f02e7157310632ebfb5305619505d37fbdc2fd6343330 vala-0.42.4.tar.xz
+sha512sums="d9044b126c91f3b1835a7182a054464339e4e2e52e63df90f43d2d5d9cba06fd6bb7eed5f6aa4d502f43f0a1232610d39d244952cfca54f63eb019e764899eca vala-0.42.7.tar.xz
2c999fb516dd6ed74cb05307c0725bb20d6112cd1a2427a742a9856e1167fe39f9a71253f4dd9d0f53a88a9f29229063e53262b8257f60a71d0cfb168e3f7eb8 version.patch"
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index b958663863c..c9be138a5ac 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -18,7 +18,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
-# 8.1.1365:
+# 8.1.1365-r0:
# - CVE-2019-12735
# 8.0.1521-r0:
# - CVE-2017-6350
diff --git a/main/wpa_supplicant/APKBUILD b/main/wpa_supplicant/APKBUILD
index c177a73001a..f8863a7b335 100644
--- a/main/wpa_supplicant/APKBUILD
+++ b/main/wpa_supplicant/APKBUILD
@@ -60,16 +60,6 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
# - CVE-2019-9497
# - CVE-2019-9498
# - CVE-2019-9499
-# 2.7-r0:
-# - CVE-2017-13077
-# - CVE-2017-13078
-# - CVE-2017-13079
-# - CVE-2017-13080
-# - CVE-2017-13081
-# - CVE-2017-13082
-# - CVE-2017-13086
-# - CVE-2017-13087
-# - CVE-2017-13088
# 2.6-r14:
# - CVE-2018-14526
# 2.6-r7:
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index e62b69efa8e..4dd44ef9a07 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
-pkgver=4.11.2
-pkgrel=0
+pkgver=4.11.4
+pkgrel=2
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -12,7 +12,7 @@ depends="bash iproute2 logrotate"
depends_dev="openssl-dev python2-dev e2fsprogs-dev gettext zlib-dev ncurses-dev
dev86 texinfo perl pciutils-dev glib-dev yajl-dev libnl3-dev
spice-dev gnutls-dev curl-dev libaio-dev lzo-dev xz-dev util-linux-dev
- e2fsprogs-dev linux-headers argp-standalone perl-dev flex bison"
+ linux-headers argp-standalone perl-dev flex bison"
makedepends="$depends_dev autoconf automake libtool dnsmasq"
options="!strip"
@@ -115,48 +115,89 @@ options="!strip"
# 4.10.1-r0:
# - CVE-2018-10472 XSA-258
# - CVE-2018-10471 XSA-259
-# 4.10-1-r1:
+# 4.10.1-r1:
# - CVE-2018-8897 XSA-260
# - CVE-2018-10982 XSA-261
# - CVE-2018-10981 XSA-262
# 4.11.0-r0:
-# - CVE-2018-3639 XSA-263
-# - CVE-2018-128911 XSA-264
-# - CVE-2018-12893 XSA-265
-# - CVE-2018-12892 XSA-266
-# - CVE-2018-3665 XSA-267
+# - CVE-2018-3639 XSA-263
+# - CVE-2018-12891 XSA-264
+# - CVE-2018-12893 XSA-265
+# - CVE-2018-12892 XSA-266
+# - CVE-2018-3665 XSA-267
# 4.11.1-r0:
-# - CVE-2018-15469 XSA-268
-# - CVE-2018-15468 XSA-269
-# - CVE-2018-15470 XSA-272
-# - CVE-2018-3620 XSA-273
-# - CVE-2018-3646 XSA-273
-# - CVE-2018-19961 XSA-275
-# - CVE-2018-19962 XSA-275
-# - CVE-2018-19963 XSA-276
-# - CVE-2018-19964 XSA-277
-# - CVE-2018-18883 XSA-278
-# - CVE-2018-19965 XSA-279
-# - CVE-2018-19966 XSA-280
-# - CVE-2018-19967 XSA-282
+# - CVE-2018-15469 XSA-268
+# - CVE-2018-15468 XSA-269
+# - CVE-2018-15470 XSA-272
+# - CVE-2018-3620 XSA-273
+# - CVE-2018-3646 XSA-273
+# - CVE-2018-19961 XSA-275
+# - CVE-2018-19962 XSA-275
+# - CVE-2018-19963 XSA-276
+# - CVE-2018-19964 XSA-277
+# - CVE-2018-18883 XSA-278
+# - CVE-2018-19965 XSA-279
+# - CVE-2018-19966 XSA-280
+# - CVE-2018-19967 XSA-282
# 4.11.1-r2:
-# - CVE-2018-12126 XSA-297
-# - CVE-2018-12127 XSA-297
-# - CVE-2018-12130 XSA-297
-# - CVE-2019-11091 XSA-297
+# - CVE-2018-12126 XSA-297
+# - CVE-2018-12127 XSA-297
+# - CVE-2018-12130 XSA-297
+# - CVE-2019-11091 XSA-297
# 4.11.2-r0:
-# - CVE-????-????? XSA-284
-# - CVE-????-????? XSA-285
-# - CVE-????-????? XSA-286
-# - CVE-????-????? XSA-287
-# - CVE-????-????? XSA-288
-# - CVE-????-????? XSA-290
-# - CVE-????-????? XSA-291
-# - CVE-????-????? XSA-292
-# - CVE-????-????? XSA-293
-# - CVE-????-????? XSA-294
-# - CVE-????-????? XSA-295
-# - CVE-????-????? XSA-296
+# - CVE-2019-17340 XSA-284
+# - CVE-2019-17341 XSA-285
+# - CVE-2017-17342 XSA-287
+# - CVE-2019-17343 XSA-288
+# - CVE-2017-17344 XSA-290
+# - CVE-2019-17345 XSA-291
+# - CVE-2019-17346 XSA-292
+# - CVE-2019-17347 XSA-293
+# - CVE-2019-17348 XSA-294
+# - CVE-2019-17349 CVE-2019-17350 XSA-295
+# - CVE-2019-18420 XSA-296
+# 4.11.2-r1:
+# - CVE-2019-18425 XSA-298
+# - CVE-2019-18421 XSA-299
+# - CVE-2019-18423 XSA-301
+# - CVE-2019-18424 XSA-302
+# - CVE-2019-18422 XSA-303
+# - CVE-2018-12207 XSA-304
+# - CVE-2019-11135 XSA-305
+# 4.11.3-r0:
+# - CVE-2019-19579 XSA-306
+# 4.11.3-r1:
+# - CVE-2019-19582 XSA-307
+# - CVE-2019-19583 XSA-308
+# - CVE-2019-19578 XSA-309
+# - CVE-2019-19580 XSA-310
+# - CVE-2019-19577 XSA-311
+# 4.11.3-r2:
+# - CVE-2020-11740 CVE-2020-11741 XSA-313
+# - CVE-2020-11739 XSA-314
+# - CVE-2020-11743 XSA-316
+# - CVE-2020-11742 XSA-318
+# 4.11.4-r0:
+# - XSA-312
+# - CVE-2020-0543 XSA-320
+# - CVE-2020-15566 XSA-317
+# - CVE-2020-15563 XSA-319
+# - CVE-2020-15565 XSA-321
+# - CVE-2020-15564 XSA-327
+# - CVE-2020-15567 XSA-328
+# 4.11.4-r1:
+# - CVE-2020-14364 XSA-335
+# 4.11.4-r2:
+# - CVE-2020-25602 XSA-333
+# - CVE-2020-25604 XSA-336
+# - CVE-2020-25595 XSA-337
+# - CVE-2020-25597 XSA-338
+# - CVE-2020-25596 XSA-339
+# - CVE-2020-25603 XSA-340
+# - CVE-2020-25600 XSA-342
+# - CVE-2020-25599 XSA-343
+# - CVE-2020-25601 XSA-344
+
case "$CARCH" in
x86*)
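Review bot: Two of the identifiers that replace the `CVE-????-?????` placeholders under `# 4.11.2-r0:` look mistyped: `CVE-2017-17342 XSA-287` and `CVE-2017-17344 XSA-290` sit in a run that is otherwise `CVE-2019-17340` through `CVE-2019-17350`. If the secfixes block is consumed by vulnerability tracking, the wrong year would credit this release with fixing unrelated CVEs and leave the intended ones looking unpatched; the lines should presumably read `#   - CVE-2019-17342 XSA-287` and `#   - CVE-2019-17344 XSA-290`. The old list also carried an XSA-286 entry that the new list drops without a replacement, which is worth confirming as intentional.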
@@ -224,6 +265,36 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
hotplug-Linux-iscsi-block-handle-lun-1.patch
+ xsa320-4.11-1.patch
+ xsa320-4.11-2.patch
+ xsa320-4.11-3.patch
+ xsa317.patch
+ xsa319.patch
+ xsa328-4.11-1.patch
+ xsa328-4.11-2.patch
+ xsa321-4.11-1.patch
+ xsa321-4.11-2.patch
+ xsa321-4.11-3.patch
+ xsa321-4.11-4.patch
+ xsa321-4.11-5.patch
+ xsa321-4.11-6.patch
+ xsa321-4.11-7.patch
+ xsa327.patch
+ xsa335-qemu.patch
+ xsa333.patch
+ xsa336-4.11.patch
+ xsa337-4.12-1.patch
+ xsa337-4.12-2.patch
+ xsa338.patch
+ xsa339.patch
+ xsa340.patch
+ xsa342-4.13.patch
+ xsa343-4.11-1.patch
+ xsa343-4.11-2.patch
+ xsa343-4.11-3.patch
+ xsa344-4.11-1.patch
+ xsa344-4.11-2.patch
+
xenstored.initd
xenstored.confd
xenconsoled.initd
@@ -456,8 +527,7 @@ EOF
EOF
}
-
-sha512sums="48d3d926d35eb56c79c06d0abc6e6be2564fadb43367cc7f46881c669a75016707672179c2cca1c4cfb14af2cefd46e2e7f99470cddf7df2886d8435a2de814e xen-4.11.2.tar.gz
+sha512sums="8383f0b369fa08c8ecfdd68f902a2aaad140146a183131c50c020fe04c2f1e829c219b9bd9923fa8f1c180e1e7c6e73d0d68b7015fc39fd3b7f59e55c680cedb xen-4.11.4.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -480,6 +550,35 @@ e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3a
69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch
2094ea964fa610b2bf72fd2c7ede7e954899a75c0f5b08030cf1d74460fb759ade84866176e32f8fe29c921dfdc6dafd2b31e23ab9b0a3874d3dceeabdd1913b xenqemu-xattr-size-max.patch
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
+325f66b008a76ff569fdca430e2926633996511f1bd7dcd375259377e4c88758b13c95ee66b8edaa5ffebc3d927442409dc36bd8e35b2c928e43d82a539583cf xsa317.patch
+d57d8cfd749df1816060345bedd9fa7ef2381ea9d85562ddf0c39ffe832ca56834c3e8c1fb67a64fd5631fd219c4d66a3ef655dca0989bf39911c87e0145717f xsa319.patch
+9d61608159802d5ba79e42253b7e391bc14bbf809f0a59ab64585d594e8f414ed7005cbca18e9db16157406f3a0c3ad2a262cbe431ef52507b2329e4fd999198 xsa320-4.11-1.patch
+9f42a03b11095807e2812e0a95df47722f3f41d4928bbde9c7e642f3001f4c97f29c226340e78cbda3fe35667ee88aa702bf374f012a27cb96d6d6e24162bb8c xsa320-4.11-2.patch
+81004539674d7dcb48c259bbcbf9e8e33e55c0af044d3be09f517e8cb850bf1068029802c941760287f9e4e83dbe4113d732d5425c9aa48accfe8d2071ff6caa xsa320-4.11-3.patch
+53c3e7d8e4a0fbfe162571bd296a8d234caccfdd38958c62e54643189bc6cd22379da81fd465597779c3141a4694bb9c38848467cd7a81b1a400881ba8f1c053 xsa321-4.11-1.patch
+21752f53231e20a5ddbc198cf630861d1809e0254d313329f819450a7d966d301a37fb689b126c137338732fd077e73dbb78735b833222116493e6b2e782dc00 xsa321-4.11-2.patch
+ebd933135d3df4d1c431be22d96f5d9e5af2670cbd188d8db1510fe3eaad0f31309ba7f6a817ea59010524e290ff7279d6d120f3241aa34d960eb3872e5bbc9f xsa321-4.11-3.patch
+922f46623c1dca5d067e7897fe2cf0e3045ea7bf26f1aab12935c47a4a764ddb3e9cef2c8efef29f933aab9351a301572c0ea21ef84514cfba06d6159500876a xsa321-4.11-4.patch
+0c4932886cfb7495fbe1007cb0a9562341c1a33243fd64274b4bb02e7094842bfb2766ef2a8f5ac41c586ffece029f332302f4e3e2271d9f3b9ce4af97dafc4d xsa321-4.11-5.patch
+a7dd96126a4869771366cf5316d451531063009b3c1cc556ba7ede43d4b927c97c146a973c74159aae7f1bc226dbd03e8456ca1d8e9c3f75d91759b1c6be0930 xsa321-4.11-6.patch
+11cae33936a0c2cf6f3376bc431cb850b0af41eb43fc0d160a203f728284882cf2c1e048fbafba2a0125dfd35782fb6d9d267373519340b965ac0249cb60e7ec xsa321-4.11-7.patch
+83823056dbd0142585d8b0fb9b3179ac8cc099a21ee489008a4cfb1f310daae72dff1fb6c7cd3a1c8ca5cec43a6b964587d8121a2423226baad0bcd302e73263 xsa327.patch
+60481beb932cb47b0a3025a41a7ec752afda063375f8f2087363ad729dbb7f93190f06b2f15e1cee562c619c16548a3cd729ba292670ef9d500cf4442c4905bb xsa328-4.11-1.patch
+29a9c01db993438d4d789c3d2151e54d04f93c2da4d01791b578a7a3ec95b8bc5144d9717698e7daacde0cef0553b55db47483bebdc1021ff7a315d557031dc0 xsa328-4.11-2.patch
+a18f552845ca105ce846ff8281b6c5b10f45301571f3163a33a6c212b87b742bb039f15c2d346bd34a9fdedd8a007fd9e51f319900cb8ee05febf178ed6ef8b0 xsa335-qemu.patch
+7457a53eee28044143800124f422d530c49f7ee976ed5a5ff74e25100fc7ea364b8cd4f690b55dc308fe028bbaaf73164f994abab70d6388901199c8415eded1 xsa333.patch
+1da6cc1fe8b3a88c36fd1dcb5d2e10437686f417f7a096d7c3945bbd492c7c0e14d9ad4aeecdcdc03958c3b50f777ec797d917b3c7b00cb93ff461c24cef6c85 xsa336-4.11.patch
+4cf0a5776162297ecad3c8ff3bb67003a86cbf70fe4150d5a1dfc4cd9fef2d0b02fe6bb83547d11330124665546e3319e7e7155b7f253551785aaacc902bb439 xsa337-4.12-1.patch
+9fb56b526cebe73d78c8a921882bbc084bd0772dbfd06890d28ce5407e72394d90c44da6e78f6b86df25af4354fec9cf9327dd019553a6d4e7f54663a7821268 xsa337-4.12-2.patch
+11a637e6de41012046115ed66e95e7fec90a3c274030dc1617dbcee4cc3b88dfa812e21323a628e27356aedfbaa094508fbdedc340dc37db29960ff6d4ef9921 xsa338.patch
+7eaa70d891cdfd60001308c6b88f635048babdd1ba2952bcc88322b2096bafd1aee6a3f7dc1f4188fa7c44217c4d9bcaadf4bdd274d95762b0646e65f6b9659e xsa339.patch
+2d4b2887f1a779267c15b16bd83d78ca84ceaaf9cad08a64162c28440527d3ac8edf80c8c2916e152bdf9e0e3e768c316d95dfa4c362c7a34dfb3348e8a2c568 xsa340.patch
+c61fe4121c7a9314a8c3514dcdd62779dd11a90c2edb33cc1df55131477af7a1ec2c8a6dc15ad6d0975b335170d23c2b0057c55bd9923d20c4d4b31934c2f675 xsa342-4.13.patch
+17bc6a485905107f7cb119b6eac0d9cc594bfd9b87e69e7e40f8140e14bba82cffd76736ad2fc9fa2b73c16f6e21539a44d12a41fe64a59689d53472bb0a3553 xsa343-4.11-1.patch
+f9890c921302f703fc9d0912040e99f789b611a1c9962a04be2c226fbc96e85ae80d85379012a7ec9b81f7ecc743530213819791f1713d3f692a6d76964575f7 xsa343-4.11-2.patch
+10bce11fe8fb33234bdebfa37f7f28eeb9e2c687190656a8047e4050f392cb898564e6d118591b94ab7530ea2d80442ee4b9578ce400b764f7095dcf814d2274 xsa343-4.11-3.patch
+3ddb65370b20916a43b64a21c49fb7b1da3c807c1bc163676a94c2f593174c436008ba9ef2c36d109a0d80cc410856d152bb0f95d8b53bc13ef047ccf105a947 xsa344-4.11-1.patch
+c5a387f0a2e9e9920ece246b49a269fd7e826b26b4b6a08bbfa45b9f351ce7cef47148d6411a6fe3f5eec9e7dd507d820b126ead9f6a562b2ec8d3038e65fe36 xsa344-4.11-2.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
diff --git a/main/xen/xsa317.patch b/main/xen/xsa317.patch
new file mode 100644
index 00000000000..20e2c643d06
--- /dev/null
+++ b/main/xen/xsa317.patch
@@ -0,0 +1,50 @@
+From aeb46e92f915f19a61d5a8a1f4b696793f64e6fb Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Thu, 19 Mar 2020 13:17:31 +0000
+Subject: [PATCH] xen/common: event_channel: Don't ignore error in
+ get_free_port()
+
+Currently, get_free_port() is assuming that the port has been allocated
+when evtchn_allocate_port() is not return -EBUSY.
+
+However, the function may return an error when:
+ - We exhausted all the event channels. This can happen if the limit
+ configured by the administrator for the guest ('max_event_channels'
+ in xl cfg) is higher than the ABI used by the guest. For instance,
+ if the guest is using 2L, the limit should not be higher than 4095.
+ - We cannot allocate memory (e.g Xen has not more memory).
+
+Users of get_free_port() (such as EVTCHNOP_alloc_unbound) will validly
+assuming the port was valid and will next call evtchn_from_port(). This
+will result to a crash as the memory backing the event channel structure
+is not present.
+
+Fixes: 368ae9a05fe ("xen/pvshim: forward evtchn ops between L0 Xen and L2 DomU")
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/common/event_channel.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
+index e86e2bfab0..a8d182b584 100644
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -195,10 +195,10 @@ static int get_free_port(struct domain *d)
+ {
+ int rc = evtchn_allocate_port(d, port);
+
+- if ( rc == -EBUSY )
+- continue;
+-
+- return port;
++ if ( rc == 0 )
++ return port;
++ else if ( rc != -EBUSY )
++ return rc;
+ }
+
+ return -ENOSPC;
+--
+2.17.1
+
diff --git a/main/xen/xsa319.patch b/main/xen/xsa319.patch
new file mode 100644
index 00000000000..769443c900e
--- /dev/null
+++ b/main/xen/xsa319.patch
@@ -0,0 +1,27 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/shadow: correct an inverted conditional in dirty VRAM tracking
+
+This originally was "mfn_x(mfn) == INVALID_MFN". Make it like this
+again, taking the opportunity to also drop the unnecessary nearby
+braces.
+
+This is XSA-319.
+
+Fixes: 246a5a3377c2 ("xen: Use a typesafe to define INVALID_MFN")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -3252,10 +3252,8 @@ int shadow_track_dirty_vram(struct domai
+ int dirty = 0;
+ paddr_t sl1ma = dirty_vram->sl1ma[i];
+
+- if ( !mfn_eq(mfn, INVALID_MFN) )
+- {
++ if ( mfn_eq(mfn, INVALID_MFN) )
+ dirty = 1;
+- }
+ else
+ {
+ page = mfn_to_page(mfn);
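Review bot: The corrected test in shadow_track_dirty_vram() has no comment stating which arm may dereference the MFN, so nothing marks the polarity that was inverted. With the old `!mfn_eq(mfn, INVALID_MFN)` form, the `else` arm's `mfn_to_page(mfn)` was reached exactly when the MFN was invalid. A line above the `if`, such as `/* Invalid mfn: report dirty; only a valid mfn may reach mfn_to_page() below. */`, would pin the intent for the next refactor. The function begins and ends outside the hunk.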
diff --git a/main/xen/xsa320-4.11-1.patch b/main/xen/xsa320-4.11-1.patch
new file mode 100644
index 00000000000..24daff99447
--- /dev/null
+++ b/main/xen/xsa320-4.11-1.patch
@@ -0,0 +1,133 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: CPUID/MSR definitions for Special Register Buffer Data Sampling
+
+This is part of XSA-320 / CVE-2020-0543
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Wei Liu <wl@xen.org>
+
+diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
+index 194615bfc5..9be18ac99f 100644
+--- a/docs/misc/xen-command-line.markdown
++++ b/docs/misc/xen-command-line.markdown
+@@ -489,10 +489,10 @@ accounting for hardware capabilities as enumerated via CPUID.
+
+ Currently accepted:
+
+-The Speculation Control hardware features `md-clear`, `ibrsb`, `stibp`, `ibpb`,
+-`l1d-flush` and `ssbd` are used by default if available and applicable. They can
+-be ignored, e.g. `no-ibrsb`, at which point Xen won't use them itself, and
+-won't offer them to guests.
++The Speculation Control hardware features `srbds-ctrl`, `md-clear`, `ibrsb`,
++`stibp`, `ibpb`, `l1d-flush` and `ssbd` are used by default if available and
++applicable. They can be ignored, e.g. `no-ibrsb`, at which point Xen won't
++use them itself, and won't offer them to guests.
+
+ ### cpuid\_mask\_cpu (AMD only)
+ > `= fam_0f_rev_c | fam_0f_rev_d | fam_0f_rev_e | fam_0f_rev_f | fam_0f_rev_g | fam_10_rev_b | fam_10_rev_c | fam_11_rev_b`
+diff --git a/tools/libxl/libxl_cpuid.c b/tools/libxl/libxl_cpuid.c
+index 5a1702d703..1235c8b91e 100644
+--- a/tools/libxl/libxl_cpuid.c
++++ b/tools/libxl/libxl_cpuid.c
+@@ -202,6 +202,7 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
+
+ {"avx512-4vnniw",0x00000007, 0, CPUID_REG_EDX, 2, 1},
+ {"avx512-4fmaps",0x00000007, 0, CPUID_REG_EDX, 3, 1},
++ {"srbds-ctrl", 0x00000007, 0, CPUID_REG_EDX, 9, 1},
+ {"md-clear", 0x00000007, 0, CPUID_REG_EDX, 10, 1},
+ {"ibrsb", 0x00000007, 0, CPUID_REG_EDX, 26, 1},
+ {"stibp", 0x00000007, 0, CPUID_REG_EDX, 27, 1},
+diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
+index 4c9af6b7f0..8fb54c3001 100644
+--- a/tools/misc/xen-cpuid.c
++++ b/tools/misc/xen-cpuid.c
+@@ -142,6 +142,7 @@ static const char *str_7d0[32] =
+ {
+ [ 2] = "avx512_4vnniw", [ 3] = "avx512_4fmaps",
+
++ /* 8 */ [ 9] = "srbds-ctrl",
+ [10] = "md-clear",
+ /* 12 */ [13] = "tsx-force-abort",
+
+diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c
+index 04aefa555d..b8e5b6fe67 100644
+--- a/xen/arch/x86/cpuid.c
++++ b/xen/arch/x86/cpuid.c
+@@ -58,6 +58,11 @@ static int __init parse_xen_cpuid(const char *s)
+ if ( !val )
+ setup_clear_cpu_cap(X86_FEATURE_SSBD);
+ }
++ else if ( (val = parse_boolean("srbds-ctrl", s, ss)) >= 0 )
++ {
++ if ( !val )
++ setup_clear_cpu_cap(X86_FEATURE_SRBDS_CTRL);
++ }
+ else
+ rc = -EINVAL;
+
+diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
+index ccb316c547..256e58d82b 100644
+--- a/xen/arch/x86/msr.c
++++ b/xen/arch/x86/msr.c
+@@ -154,6 +154,7 @@ int guest_rdmsr(const struct vcpu *v, uint32_t msr, uint64_t *val)
+ /* Write-only */
+ case MSR_TSX_FORCE_ABORT:
+ case MSR_TSX_CTRL:
++ case MSR_MCU_OPT_CTRL:
+ /* Not offered to guests. */
+ goto gp_fault;
+
+@@ -243,6 +244,7 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
+ /* Read-only */
+ case MSR_TSX_FORCE_ABORT:
+ case MSR_TSX_CTRL:
++ case MSR_MCU_OPT_CTRL:
+ /* Not offered to guests. */
+ goto gp_fault;
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index ab196b156d..94ab8dd786 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -365,12 +365,13 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ printk("Speculative mitigation facilities:\n");
+
+ /* Hardware features which pertain to speculative mitigations. */
+- printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
++ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "",
+ (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "",
+ (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
+ (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "",
+ (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "",
++ (_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL" : "",
+ (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "",
+ (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "",
+ (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
+diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h
+index 1761a01f1f..480d1d8102 100644
+--- a/xen/include/asm-x86/msr-index.h
++++ b/xen/include/asm-x86/msr-index.h
+@@ -177,6 +177,9 @@
+ #define MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
+ #define MSR_IA32_VMX_VMFUNC 0x491
+
++#define MSR_MCU_OPT_CTRL 0x00000123
++#define MCU_OPT_CTRL_RNGDS_MITG_DIS (_AC(1, ULL) << 0)
++
+ /* K7/K8 MSRs. Not complete. See the architecture manual for a more
+ complete list. */
+ #define MSR_K7_EVNTSEL0 0xc0010000
+diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
+index a14d8a7013..9d210e74a0 100644
+--- a/xen/include/public/arch-x86/cpufeatureset.h
++++ b/xen/include/public/arch-x86/cpufeatureset.h
+@@ -242,6 +242,7 @@ XEN_CPUFEATURE(IBPB, 8*32+12) /*A IBPB support only (no IBRS, used by
+ /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */
+ XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */
+ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single Precision */
++XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */
+ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */
+ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */
+ XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */
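Review bot: The libxl_cpuid.c table now accepts `srbds-ctrl` as a guest CPUID flag, while the rest of this patch treats the feature as host-only. The XEN_CPUFEATURE(SRBDS_CTRL, ...) line lacks the `A` tag its neighbours carry, and both guest_rdmsr() and guest_wrmsr() send MSR_MCU_OPT_CTRL to `gp_fault` under "Not offered to guests". Whether the hypervisor's policy clips a guest request for the bit is not visible in these hunks, so that should be confirmed. Extending the feature comment to `/*   MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. Not offered to guests. */` would state the intent where the toolstack entry is likely to be cross-checked. Separately, the printk format in print_details() gains one `%s` and one argument, but the full argument list runs outside the hunk, so the count cannot be verified from here.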
diff --git a/main/xen/xsa320-4.11-2.patch b/main/xen/xsa320-4.11-2.patch
new file mode 100644
index 00000000000..243ec4c7446
--- /dev/null
+++ b/main/xen/xsa320-4.11-2.patch
@@ -0,0 +1,179 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: Mitigate the Special Register Buffer Data Sampling sidechannel
+
+See patch documentation and comments.
+
+This is part of XSA-320 / CVE-2020-0543
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
+index 9be18ac99f..3356e59fee 100644
+--- a/docs/misc/xen-command-line.markdown
++++ b/docs/misc/xen-command-line.markdown
+@@ -1858,7 +1858,7 @@ false disable the quirk workaround, which is also the default.
+ ### spec-ctrl (x86)
+ > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>,
+ > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu,
+-> l1d-flush}=<bool> ]`
++> l1d-flush,srb-lock}=<bool> ]`
+
+ Controls for speculative execution sidechannel mitigations. By default, Xen
+ will pick the most appropriate mitigations based on compiled in support,
+@@ -1930,6 +1930,12 @@ Irrespective of Xen's setting, the feature is virtualised for HVM guests to
+ use. By default, Xen will enable this mitigation on hardware believed to be
+ vulnerable to L1TF.
+
++On hardware supporting SRBDS_CTRL, the `srb-lock=` option can be used to force
++or prevent Xen from protect the Special Register Buffer from leaking stale
++data. By default, Xen will enable this mitigation, except on parts where MDS
++is fixed and TAA is fixed/mitigated (in which case, there is believed to be no
++way for an attacker to obtain the stale data).
++
+ ### sync\_console
+ > `= <boolean>`
+
+diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
+index 4c12794809..30e1bd5cd3 100644
+--- a/xen/arch/x86/acpi/power.c
++++ b/xen/arch/x86/acpi/power.c
+@@ -266,6 +266,9 @@ static int enter_state(u32 state)
+ ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr);
+ spec_ctrl_exit_idle(ci);
+
++ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
++ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
++
+ done:
+ spin_debug_enable();
+ local_irq_restore(flags);
+diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
+index 0887806e85..d24d215946 100644
+--- a/xen/arch/x86/smpboot.c
++++ b/xen/arch/x86/smpboot.c
+@@ -369,12 +369,14 @@ void start_secondary(void *unused)
+ microcode_resume_cpu(cpu);
+
+ /*
+- * If MSR_SPEC_CTRL is available, apply Xen's default setting and discard
+- * any firmware settings. Note: MSR_SPEC_CTRL may only become available
+- * after loading microcode.
++ * If any speculative control MSRs are available, apply Xen's default
++ * settings. Note: These MSRs may only become available after loading
++ * microcode.
+ */
+ if ( boot_cpu_has(X86_FEATURE_IBRSB) )
+ wrmsrl(MSR_SPEC_CTRL, default_xen_spec_ctrl);
++ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
++ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
+
+ tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 94ab8dd786..a306d10c34 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -63,6 +63,9 @@ static unsigned int __initdata l1d_maxphysaddr;
+ static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */
+ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. */
+
++static int8_t __initdata opt_srb_lock = -1;
++uint64_t __read_mostly default_xen_mcu_opt_ctrl;
++
+ static int __init parse_bti(const char *s)
+ {
+ const char *ss;
+@@ -166,6 +169,7 @@ static int __init parse_spec_ctrl(const char *s)
+ opt_ibpb = false;
+ opt_ssbd = false;
+ opt_l1d_flush = 0;
++ opt_srb_lock = 0;
+ }
+ else if ( val > 0 )
+ rc = -EINVAL;
+@@ -231,6 +235,8 @@ static int __init parse_spec_ctrl(const char *s)
+ opt_eager_fpu = val;
+ else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
+ opt_l1d_flush = val;
++ else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 )
++ opt_srb_lock = val;
+ else
+ rc = -EINVAL;
+
+@@ -394,7 +400,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ "\n");
+
+ /* Settings for Xen's protection, irrespective of guests. */
+- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s\n",
++ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n",
+ thunk == THUNK_NONE ? "N/A" :
+ thunk == THUNK_RETPOLINE ? "RETPOLINE" :
+ thunk == THUNK_LFENCE ? "LFENCE" :
+@@ -405,6 +411,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-",
+ !(caps & ARCH_CAPS_TSX_CTRL) ? "" :
+ (opt_tsx & 1) ? " TSX+" : " TSX-",
++ !boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ? "" :
++ opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-",
+ opt_ibpb ? " IBPB" : "",
+ opt_l1d_flush ? " L1D_FLUSH" : "",
+ opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "");
+@@ -1196,6 +1204,34 @@ void __init init_speculation_mitigations(void)
+ tsx_init();
+ }
+
++ /* Calculate suitable defaults for MSR_MCU_OPT_CTRL */
++ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
++ {
++ uint64_t val;
++
++ rdmsrl(MSR_MCU_OPT_CTRL, val);
++
++ /*
++ * On some SRBDS-affected hardware, it may be safe to relax srb-lock
++ * by default.
++ *
++ * On parts which enumerate MDS_NO and not TAA_NO, TSX is the only way
++ * to access the Fill Buffer. If TSX isn't available (inc. SKU
++ * reasons on some models), or TSX is explicitly disabled, then there
++ * is no need for the extra overhead to protect RDRAND/RDSEED.
++ */
++ if ( opt_srb_lock == -1 &&
++ (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO &&
++ (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && opt_tsx == 0)) )
++ opt_srb_lock = 0;
++
++ val &= ~MCU_OPT_CTRL_RNGDS_MITG_DIS;
++ if ( !opt_srb_lock )
++ val |= MCU_OPT_CTRL_RNGDS_MITG_DIS;
++
++ default_xen_mcu_opt_ctrl = val;
++ }
++
+ print_details(thunk, caps);
+
+ /*
+@@ -1227,6 +1263,9 @@ void __init init_speculation_mitigations(void)
+
+ wrmsrl(MSR_SPEC_CTRL, bsp_delay_spec_ctrl ? 0 : default_xen_spec_ctrl);
+ }
++
++ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
++ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
+ }
+
+ static void __init __maybe_unused build_assertions(void)
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 333d180b7e..bf10d2ce5c 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -46,6 +46,8 @@ extern int8_t opt_pv_l1tf_hwdom, opt_pv_l1tf_domu;
+ */
+ extern paddr_t l1tf_addr_mask, l1tf_safe_maddr;
+
++extern uint64_t default_xen_mcu_opt_ctrl;
++
+ static inline void init_shadow_spec_ctrl_state(void)
+ {
+ struct cpu_info *info = get_cpu_info();
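Review bot: In init_speculation_mitigations(), `opt_srb_lock` is left at its initial -1 whenever the relaxation test does not fire. Both `if ( !opt_srb_lock )` and the `opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-"` expression in print_details() then depend on -1 being truthy. Resolving the tristate right after the relaxation check, with `if ( opt_srb_lock == -1 )` followed by `opt_srb_lock = 1;`, keeps the behaviour and makes "default means enabled" explicit. In the documentation hunk, "prevent Xen from protect the Special Register Buffer" should read "protecting". Both functions extend outside the hunks shown.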
diff --git a/main/xen/xsa320-4.11-3.patch b/main/xen/xsa320-4.11-3.patch
new file mode 100644
index 00000000000..ff7990b2027
--- /dev/null
+++ b/main/xen/xsa320-4.11-3.patch
@@ -0,0 +1,57 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: Allow the RDRAND/RDSEED features to be hidden
+
+RDRAND/RDSEED can be hidden using cpuid= to mitigate SRBDS if microcode
+isn't available.
+
+This is part of XSA-320 / CVE-2020-0543.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Julien Grall <jgrall@amazon.com>
+
+diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
+index 3356e59fee..ac397e7de0 100644
+--- a/docs/misc/xen-command-line.markdown
++++ b/docs/misc/xen-command-line.markdown
+@@ -487,12 +487,18 @@ choice of `dom0-kernel` is deprecated and not supported by all Dom0 kernels.
+ This option allows for fine tuning of the facilities Xen will use, after
+ accounting for hardware capabilities as enumerated via CPUID.
+
++Unless otherwise noted, options only have any effect in their negative form,
++to hide the named feature(s). Ignoring a feature using this mechanism will
++cause Xen not to use the feature, nor offer them as usable to guests.
++
+ Currently accepted:
+
+ The Speculation Control hardware features `srbds-ctrl`, `md-clear`, `ibrsb`,
+ `stibp`, `ibpb`, `l1d-flush` and `ssbd` are used by default if available and
+-applicable. They can be ignored, e.g. `no-ibrsb`, at which point Xen won't
+-use them itself, and won't offer them to guests.
++applicable. They can all be ignored.
++
++`rdrand` and `rdseed` can be ignored, as a mitigation to XSA-320 /
++CVE-2020-0543.
+
+ ### cpuid\_mask\_cpu (AMD only)
+ > `= fam_0f_rev_c | fam_0f_rev_d | fam_0f_rev_e | fam_0f_rev_f | fam_0f_rev_g | fam_10_rev_b | fam_10_rev_c | fam_11_rev_b`
+diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c
+index b8e5b6fe67..78d08dbb32 100644
+--- a/xen/arch/x86/cpuid.c
++++ b/xen/arch/x86/cpuid.c
+@@ -63,6 +63,16 @@ static int __init parse_xen_cpuid(const char *s)
+ if ( !val )
+ setup_clear_cpu_cap(X86_FEATURE_SRBDS_CTRL);
+ }
++ else if ( (val = parse_boolean("rdrand", s, ss)) >= 0 )
++ {
++ if ( !val )
++ setup_clear_cpu_cap(X86_FEATURE_RDRAND);
++ }
++ else if ( (val = parse_boolean("rdseed", s, ss)) >= 0 )
++ {
++ if ( !val )
++ setup_clear_cpu_cap(X86_FEATURE_RDSEED);
++ }
+ else
+ rc = -EINVAL;
+
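Review bot: The rewritten `cpuid=` documentation drops the only example of the negative form (`no-ibrsb`) while adding a paragraph saying options only take effect in that form. An operator applying this mitigation is therefore not shown how to write it. Keeping an example in the new paragraph, e.g. "(e.g. `no-rdrand`)", would close that gap. In parse_xen_cpuid(), the positive form of `rdrand`/`rdseed` is accepted and silently ignored, which matches the new wording but merits a one-line comment such as `/* Only the negative form has any effect. */`. Hiding these features also removes the hardware RNG instructions from guests, so the documentation could tell operators to check that guests have another entropy source.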
diff --git a/main/xen/xsa321-4.11-1.patch b/main/xen/xsa321-4.11-1.patch
new file mode 100644
index 00000000000..da52db67f0f
--- /dev/null
+++ b/main/xen/xsa321-4.11-1.patch
@@ -0,0 +1,31 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: vtd: improve IOMMU TLB flush
+
+Do not limit PSI flushes to order 0 pages, in order to avoid doing a
+full TLB flush if the passed in page has an order greater than 0 and
+is aligned. Should increase the performance of IOMMU TLB flushes when
+dealing with page orders greater than 0.
+
+This is part of XSA-321.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -612,13 +612,14 @@ static int __must_check iommu_flush_iotl
+ if ( iommu_domid == -1 )
+ continue;
+
+- if ( page_count != 1 || gfn == gfn_x(INVALID_GFN) )
++ if ( !page_count || (page_count & (page_count - 1)) ||
++ gfn == gfn_x(INVALID_GFN) || !IS_ALIGNED(gfn, page_count) )
+ rc = iommu_flush_iotlb_dsi(iommu, iommu_domid,
+ 0, flush_dev_iotlb);
+ else
+ rc = iommu_flush_iotlb_psi(iommu, iommu_domid,
+ (paddr_t)gfn << PAGE_SHIFT_4K,
+- PAGE_ORDER_4K,
++ get_order_from_pages(page_count),
+ !dma_old_pte_present,
+ flush_dev_iotlb);
+
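Review bot: The new four-part condition selecting between a domain-selective and a page-selective flush is undocumented, and it now encodes a hardware constraint rather than a simple `page_count != 1` test. A comment above it would help, such as `/* PSI covers only a naturally aligned power-of-two range; otherwise fall back to DSI. */`. The order passed to iommu_flush_iotlb_psi() is now derived from `page_count` instead of being fixed at PAGE_ORDER_4K. Whether that callee bounds the order against the maximum the IOMMU supports is not visible in this hunk and should be confirmed. The enclosing function starts and ends outside the hunk.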
diff --git a/main/xen/xsa321-4.11-2.patch b/main/xen/xsa321-4.11-2.patch
new file mode 100644
index 00000000000..573bd8e7427
--- /dev/null
+++ b/main/xen/xsa321-4.11-2.patch
@@ -0,0 +1,175 @@
+From: <security@xenproject.org>
+Subject: vtd: prune (and rename) cache flush functions
+
+Rename __iommu_flush_cache to iommu_sync_cache and remove
+iommu_flush_cache_page. Also remove the iommu_flush_cache_entry
+wrapper and just use iommu_sync_cache instead. Note the _entry suffix
+was meaningless as the wrapper was already taking a size parameter in
+bytes. While there also constify the addr parameter.
+
+No functional change intended.
+
+This is part of XSA-321.
+
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/drivers/passthrough/vtd/extern.h
++++ b/xen/drivers/passthrough/vtd/extern.h
+@@ -37,8 +37,7 @@ void disable_qinval(struct iommu *iommu)
+ int enable_intremap(struct iommu *iommu, int eim);
+ void disable_intremap(struct iommu *iommu);
+
+-void iommu_flush_cache_entry(void *addr, unsigned int size);
+-void iommu_flush_cache_page(void *addr, unsigned long npages);
++void iommu_sync_cache(const void *addr, unsigned int size);
+ int iommu_alloc(struct acpi_drhd_unit *drhd);
+ void iommu_free(struct acpi_drhd_unit *drhd);
+
+--- a/xen/drivers/passthrough/vtd/intremap.c
++++ b/xen/drivers/passthrough/vtd/intremap.c
+@@ -231,7 +231,7 @@ static void free_remap_entry(struct iomm
+ iremap_entries, iremap_entry);
+
+ update_irte(iommu, iremap_entry, &new_ire, false);
+- iommu_flush_cache_entry(iremap_entry, sizeof(*iremap_entry));
++ iommu_sync_cache(iremap_entry, sizeof(*iremap_entry));
+ iommu_flush_iec_index(iommu, 0, index);
+
+ unmap_vtd_domain_page(iremap_entries);
+@@ -403,7 +403,7 @@ static int ioapic_rte_to_remap_entry(str
+ }
+
+ update_irte(iommu, iremap_entry, &new_ire, !init);
+- iommu_flush_cache_entry(iremap_entry, sizeof(*iremap_entry));
++ iommu_sync_cache(iremap_entry, sizeof(*iremap_entry));
+ iommu_flush_iec_index(iommu, 0, index);
+
+ unmap_vtd_domain_page(iremap_entries);
+@@ -694,7 +694,7 @@ static int msi_msg_to_remap_entry(
+ update_irte(iommu, iremap_entry, &new_ire, msi_desc->irte_initialized);
+ msi_desc->irte_initialized = true;
+
+- iommu_flush_cache_entry(iremap_entry, sizeof(*iremap_entry));
++ iommu_sync_cache(iremap_entry, sizeof(*iremap_entry));
+ iommu_flush_iec_index(iommu, 0, index);
+
+ unmap_vtd_domain_page(iremap_entries);
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -158,7 +158,8 @@ static void __init free_intel_iommu(stru
+ }
+
+ static int iommus_incoherent;
+-static void __iommu_flush_cache(void *addr, unsigned int size)
++
++void iommu_sync_cache(const void *addr, unsigned int size)
+ {
+ int i;
+ static unsigned int clflush_size = 0;
+@@ -173,16 +174,6 @@ static void __iommu_flush_cache(void *ad
+ cacheline_flush((char *)addr + i);
+ }
+
+-void iommu_flush_cache_entry(void *addr, unsigned int size)
+-{
+- __iommu_flush_cache(addr, size);
+-}
+-
+-void iommu_flush_cache_page(void *addr, unsigned long npages)
+-{
+- __iommu_flush_cache(addr, PAGE_SIZE * npages);
+-}
+-
+ /* Allocate page table, return its machine address */
+ u64 alloc_pgtable_maddr(struct acpi_drhd_unit *drhd, unsigned long npages)
+ {
+@@ -207,7 +198,7 @@ u64 alloc_pgtable_maddr(struct acpi_drhd
+ vaddr = __map_domain_page(cur_pg);
+ memset(vaddr, 0, PAGE_SIZE);
+
+- iommu_flush_cache_page(vaddr, 1);
++ iommu_sync_cache(vaddr, PAGE_SIZE);
+ unmap_domain_page(vaddr);
+ cur_pg++;
+ }
+@@ -242,7 +233,7 @@ static u64 bus_to_context_maddr(struct i
+ }
+ set_root_value(*root, maddr);
+ set_root_present(*root);
+- iommu_flush_cache_entry(root, sizeof(struct root_entry));
++ iommu_sync_cache(root, sizeof(struct root_entry));
+ }
+ maddr = (u64) get_context_addr(*root);
+ unmap_vtd_domain_page(root_entries);
+@@ -300,7 +291,7 @@ static u64 addr_to_dma_page_maddr(struct
+ */
+ dma_set_pte_readable(*pte);
+ dma_set_pte_writable(*pte);
+- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
++ iommu_sync_cache(pte, sizeof(struct dma_pte));
+ }
+
+ if ( level == 2 )
+@@ -674,7 +665,7 @@ static int __must_check dma_pte_clear_on
+
+ dma_clear_pte(*pte);
+ spin_unlock(&hd->arch.mapping_lock);
+- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
++ iommu_sync_cache(pte, sizeof(struct dma_pte));
+
+ if ( !this_cpu(iommu_dont_flush_iotlb) )
+ rc = iommu_flush_iotlb_pages(domain, addr >> PAGE_SHIFT_4K, 1);
+@@ -716,7 +707,7 @@ static void iommu_free_page_table(struct
+ iommu_free_pagetable(dma_pte_addr(*pte), next_level);
+
+ dma_clear_pte(*pte);
+- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
++ iommu_sync_cache(pte, sizeof(struct dma_pte));
+ }
+
+ unmap_vtd_domain_page(pt_vaddr);
+@@ -1449,7 +1440,7 @@ int domain_context_mapping_one(
+ context_set_address_width(*context, agaw);
+ context_set_fault_enable(*context);
+ context_set_present(*context);
+- iommu_flush_cache_entry(context, sizeof(struct context_entry));
++ iommu_sync_cache(context, sizeof(struct context_entry));
+ spin_unlock(&iommu->lock);
+
+ /* Context entry was previously non-present (with domid 0). */
+@@ -1602,7 +1593,7 @@ int domain_context_unmap_one(
+
+ context_clear_present(*context);
+ context_clear_entry(*context);
+- iommu_flush_cache_entry(context, sizeof(struct context_entry));
++ iommu_sync_cache(context, sizeof(struct context_entry));
+
+ iommu_domid= domain_iommu_domid(domain, iommu);
+ if ( iommu_domid == -1 )
+@@ -1828,7 +1819,7 @@ static int __must_check intel_iommu_map_
+
+ *pte = new;
+
+- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
++ iommu_sync_cache(pte, sizeof(struct dma_pte));
+ spin_unlock(&hd->arch.mapping_lock);
+ unmap_vtd_domain_page(page);
+
+@@ -1862,7 +1853,7 @@ int iommu_pte_flush(struct domain *d, u6
+ int iommu_domid;
+ int rc = 0;
+
+- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
++ iommu_sync_cache(pte, sizeof(struct dma_pte));
+
+ for_each_drhd_unit ( drhd )
+ {
+@@ -2725,7 +2716,7 @@ static int __init intel_iommu_quarantine
+ dma_set_pte_addr(*pte, maddr);
+ dma_set_pte_readable(*pte);
+ }
+- iommu_flush_cache_page(parent, 1);
++ iommu_sync_cache(parent, PAGE_SIZE);
+
+ unmap_vtd_domain_page(parent);
+ parent = map_vtd_domain_page(maddr);
diff --git a/main/xen/xsa321-4.11-3.patch b/main/xen/xsa321-4.11-3.patch
new file mode 100644
index 00000000000..3a5455e0248
--- /dev/null
+++ b/main/xen/xsa321-4.11-3.patch
@@ -0,0 +1,82 @@
+From: <security@xenproject.org>
+Subject: x86/iommu: introduce a cache sync hook
+
+The hook is only implemented for VT-d and it uses the already existing
+iommu_sync_cache function present in VT-d code. The new hook is
+added so that the cache can be flushed by code outside of VT-d when
+using shared page tables.
+
+Note that alloc_pgtable_maddr must use the now locally defined
+sync_cache function, because IOMMU ops are not yet setup the first
+time the function gets called during IOMMU initialization.
+
+No functional change intended.
+
+This is part of XSA-321.
+
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/drivers/passthrough/vtd/extern.h
++++ b/xen/drivers/passthrough/vtd/extern.h
+@@ -37,7 +37,6 @@ void disable_qinval(struct iommu *iommu)
+ int enable_intremap(struct iommu *iommu, int eim);
+ void disable_intremap(struct iommu *iommu);
+
+-void iommu_sync_cache(const void *addr, unsigned int size);
+ int iommu_alloc(struct acpi_drhd_unit *drhd);
+ void iommu_free(struct acpi_drhd_unit *drhd);
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -159,7 +159,7 @@ static void __init free_intel_iommu(stru
+
+ static int iommus_incoherent;
+
+-void iommu_sync_cache(const void *addr, unsigned int size)
++static void sync_cache(const void *addr, unsigned int size)
+ {
+ int i;
+ static unsigned int clflush_size = 0;
+@@ -198,7 +198,7 @@ u64 alloc_pgtable_maddr(struct acpi_drhd
+ vaddr = __map_domain_page(cur_pg);
+ memset(vaddr, 0, PAGE_SIZE);
+
+- iommu_sync_cache(vaddr, PAGE_SIZE);
++ sync_cache(vaddr, PAGE_SIZE);
+ unmap_domain_page(vaddr);
+ cur_pg++;
+ }
+@@ -2760,6 +2760,7 @@ const struct iommu_ops intel_iommu_ops =
+ .iotlb_flush_all = iommu_flush_iotlb_all,
+ .get_reserved_device_memory = intel_iommu_get_reserved_device_memory,
+ .dump_p2m_table = vtd_dump_p2m_table,
++ .sync_cache = sync_cache,
+ };
+
+ /*
+--- a/xen/include/asm-x86/iommu.h
++++ b/xen/include/asm-x86/iommu.h
+@@ -98,6 +98,13 @@ extern bool untrusted_msi;
+ int pi_update_irte(const struct pi_desc *pi_desc, const struct pirq *pirq,
+ const uint8_t gvec);
+
++#define iommu_sync_cache(addr, size) ({ \
++ const struct iommu_ops *ops = iommu_get_ops(); \
++ \
++ if ( ops->sync_cache ) \
++ ops->sync_cache(addr, size); \
++})
++
+ #endif /* !__ARCH_X86_IOMMU_H__ */
+ /*
+ * Local variables:
+--- a/xen/include/xen/iommu.h
++++ b/xen/include/xen/iommu.h
+@@ -161,6 +161,7 @@ struct iommu_ops {
+ void (*update_ire_from_apic)(unsigned int apic, unsigned int reg, unsigned int value);
+ unsigned int (*read_apic_from_ire)(unsigned int apic, unsigned int reg);
+ int (*setup_hpet_msi)(struct msi_desc *);
++ void (*sync_cache)(const void *addr, unsigned int size);
+ #endif /* CONFIG_X86 */
+ int __must_check (*suspend)(void);
+ void (*resume)(void);
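Review bot: The new `iommu_sync_cache()` macro in asm-x86/iommu.h has no comment recording the precondition the commit message spells out: IOMMU ops are not yet set up when alloc_pgtable_maddr() first runs, which is why that function calls the local sync_cache() directly. The macro dereferences the result of iommu_get_ops() unconditionally, and what that call returns or does before registration is not visible here. A header comment such as `/* Must not be used before IOMMU ops are registered; VT-d init code calls sync_cache() directly. */` would stop later callers from tripping over this. The statement-expression local `ops` would also shadow a caller variable of the same name used in `addr` or `size`; a name like `ops_` avoids that.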
diff --git a/main/xen/xsa321-4.11-4.patch b/main/xen/xsa321-4.11-4.patch
new file mode 100644
index 00000000000..24cea6d8af3
--- /dev/null
+++ b/main/xen/xsa321-4.11-4.patch
@@ -0,0 +1,36 @@
+From: <security@xenproject.org>
+Subject: vtd: don't assume addresses are aligned in sync_cache
+
+Current code in sync_cache assume that the address passed in is
+aligned to a cache line size. Fix the code to support passing in
+arbitrary addresses not necessarily aligned to a cache line size.
+
+This is part of XSA-321.
+
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -161,8 +161,8 @@ static int iommus_incoherent;
+
+ static void sync_cache(const void *addr, unsigned int size)
+ {
+- int i;
+- static unsigned int clflush_size = 0;
++ static unsigned long clflush_size = 0;
++ const void *end = addr + size;
+
+ if ( !iommus_incoherent )
+ return;
+@@ -170,8 +170,9 @@ static void sync_cache(const void *addr,
+ if ( clflush_size == 0 )
+ clflush_size = get_cache_line_size();
+
+- for ( i = 0; i < size; i += clflush_size )
+- cacheline_flush((char *)addr + i);
++ addr -= (unsigned long)addr & (clflush_size - 1);
++ for ( ; addr < end; addr += clflush_size )
++ cacheline_flush((char *)addr);
+ }
+
+ /* Allocate page table, return its machine address */
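Review bot: The new rounding `addr -= (unsigned long)addr & (clflush_size - 1);` in sync_cache() is only correct when `clflush_size` is a non-zero power of two, and nothing in the function states or checks that. The value comes from get_cache_line_size(), which a later patch's context shows to be derived from CPUID. A zero result would leave the loop unable to advance, although the old index loop appears to have had the same weakness. An `ASSERT(clflush_size && !(clflush_size & (clflush_size - 1)));` after the lazy initialisation would document the assumption. The code also does arithmetic on `const void *` and casts the const away in `cacheline_flush((char *)addr)`; a `const char *` local would express the same thing without relying on the extension.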
diff --git a/main/xen/xsa321-4.11-5.patch b/main/xen/xsa321-4.11-5.patch
new file mode 100644
index 00000000000..9d47529bded
--- /dev/null
+++ b/main/xen/xsa321-4.11-5.patch
@@ -0,0 +1,24 @@
+From: <security@xenproject.org>
+Subject: x86/alternative: introduce alternative_2
+
+It's based on alternative_io_2 without inputs or outputs but with an
+added memory clobber.
+
+This is part of XSA-321.
+
+Acked-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/include/asm-x86/alternative.h
++++ b/xen/include/asm-x86/alternative.h
+@@ -113,6 +113,11 @@ extern void alternative_instructions(voi
+ #define alternative(oldinstr, newinstr, feature) \
+ asm volatile (ALTERNATIVE(oldinstr, newinstr, feature) : : : "memory")
+
++#define alternative_2(oldinstr, newinstr1, feature1, newinstr2, feature2) \
++ asm volatile (ALTERNATIVE_2(oldinstr, newinstr1, feature1, \
++ newinstr2, feature2) \
++ : : : "memory")
++
+ /*
+ * Alternative inline assembly with input.
+ *
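Review bot: `alternative_2()` is added without a descriptive comment, while the variant following it in the context opens with one ("Alternative inline assembly with input."). A line above the definition would match, for example `/* Like alternative(), but choosing between two replacements by feature; no inputs or outputs, memory clobbered. */`. Which replacement wins when both features are present is decided by ALTERNATIVE_2, which is not visible here, and the comment should state it once confirmed.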
diff --git a/main/xen/xsa321-4.11-6.patch b/main/xen/xsa321-4.11-6.patch
new file mode 100644
index 00000000000..f74a2c4feab
--- /dev/null
+++ b/main/xen/xsa321-4.11-6.patch
@@ -0,0 +1,91 @@
+From: <security@xenproject.org>
+Subject: vtd: optimize CPU cache sync
+
+Some VT-d IOMMUs are non-coherent, which requires a cache write back
+in order for the changes made by the CPU to be visible to the IOMMU.
+This cache write back was unconditionally done using clflush, but there are
+other more efficient instructions to do so, hence implement support
+for them using the alternative framework.
+
+This is part of XSA-321.
+
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/drivers/passthrough/vtd/extern.h
++++ b/xen/drivers/passthrough/vtd/extern.h
+@@ -63,7 +63,6 @@ int __must_check qinval_device_iotlb_syn
+ u16 did, u16 size, u64 addr);
+
+ unsigned int get_cache_line_size(void);
+-void cacheline_flush(char *);
+ void flush_all_cache(void);
+
+ u64 alloc_pgtable_maddr(struct acpi_drhd_unit *drhd, unsigned long npages);
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -31,6 +31,7 @@
+ #include <xen/pci_regs.h>
+ #include <xen/keyhandler.h>
+ #include <asm/msi.h>
++#include <asm/nops.h>
+ #include <asm/irq.h>
+ #include <asm/hvm/vmx/vmx.h>
+ #include <asm/p2m.h>
+@@ -172,7 +173,42 @@ static void sync_cache(const void *addr,
+
+ addr -= (unsigned long)addr & (clflush_size - 1);
+ for ( ; addr < end; addr += clflush_size )
+- cacheline_flush((char *)addr);
++/*
++ * The arguments to a macro must not include preprocessor directives. Doing so
++ * results in undefined behavior, so we have to create some defines here in
++ * order to avoid it.
++ */
++#if defined(HAVE_AS_CLWB)
++# define CLWB_ENCODING "clwb %[p]"
++#elif defined(HAVE_AS_XSAVEOPT)
++# define CLWB_ENCODING "data16 xsaveopt %[p]" /* clwb */
++#else
++# define CLWB_ENCODING ".byte 0x66, 0x0f, 0xae, 0x30" /* clwb (%%rax) */
++#endif
++
++#define BASE_INPUT(addr) [p] "m" (*(const char *)(addr))
++#if defined(HAVE_AS_CLWB) || defined(HAVE_AS_XSAVEOPT)
++# define INPUT BASE_INPUT
++#else
++# define INPUT(addr) "a" (addr), BASE_INPUT(addr)
++#endif
++ /*
++ * Note regarding the use of NOP_DS_PREFIX: it's faster to do a clflush
++ * + prefix than a clflush + nop, and hence the prefix is added instead
++ * of letting the alternative framework fill the gap by appending nops.
++ */
++ alternative_io_2(".byte " __stringify(NOP_DS_PREFIX) "; clflush %[p]",
++ "data16 clflush %[p]", /* clflushopt */
++ X86_FEATURE_CLFLUSHOPT,
++ CLWB_ENCODING,
++ X86_FEATURE_CLWB, /* no outputs */,
++ INPUT(addr));
++#undef INPUT
++#undef BASE_INPUT
++#undef CLWB_ENCODING
++
++ alternative_2("", "sfence", X86_FEATURE_CLFLUSHOPT,
++ "sfence", X86_FEATURE_CLWB);
+ }
+
+ /* Allocate page table, return its machine address */
+--- a/xen/drivers/passthrough/vtd/x86/vtd.c
++++ b/xen/drivers/passthrough/vtd/x86/vtd.c
+@@ -53,11 +53,6 @@ unsigned int get_cache_line_size(void)
+ return ((cpuid_ebx(1) >> 8) & 0xff) * 8;
+ }
+
+-void cacheline_flush(char * addr)
+-{
+- clflush(addr);
+-}
+-
+ void flush_all_cache()
+ {
+ wbinvd();
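Review bot: In sync_cache(), the `for` loop has no braces, and a block of preprocessor directives now sits between the loop header and its single-statement body. That the `alternative_io_2(...)` call is inside the loop and the trailing `alternative_2("", "sfence", ...)` is outside it follows only from statement counting. Wrapping the body in `{ ... }` would make the scope explicit. The fence deserves a comment such as `/* clflushopt/clwb are weakly ordered: fence so the write-backs complete before returning; plain clflush needs none. */`. The `.byte 0x66, 0x0f, 0xae, 0x30` fallback hard-codes the (%rax) operand and depends on the `"a" (addr)` input in the matching INPUT definition, so those two should carry a comment tying them together.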
diff --git a/main/xen/xsa321-4.11-7.patch b/main/xen/xsa321-4.11-7.patch
new file mode 100644
index 00000000000..65c4a4c84db
--- /dev/null
+++ b/main/xen/xsa321-4.11-7.patch
@@ -0,0 +1,164 @@
+From: <security@xenproject.org>
+Subject: x86/ept: flush cache when modifying PTEs and sharing page tables
+
+Modifications made to the page tables by EPT code need to be written
+to memory when the page tables are shared with the IOMMU, as Intel
+IOMMUs can be non-coherent and thus require changes to be written to
+memory in order to be visible to the IOMMU.
+
+In order to achieve this make sure data is written back to memory
+after writing an EPT entry when the recalc bit is not set in
+atomic_write_ept_entry. If such bit is set, the entry will be
+adjusted and atomic_write_ept_entry will be called a second time
+without the recalc bit set. Note that when splitting a super page the
+new tables resulting of the split should also be written back.
+
+Failure to do so can allow devices behind the IOMMU access to the
+stale super page, or cause coherency issues as changes made by the
+processor to the page tables are not visible to the IOMMU.
+
+This allows to remove the VT-d specific iommu_pte_flush helper, since
+the cache write back is now performed by atomic_write_ept_entry, and
+hence iommu_iotlb_flush can be used to flush the IOMMU TLB. The newly
+used method (iommu_iotlb_flush) can result in less flushes, since it
+might sometimes be called rightly with 0 flags, in which case it
+becomes a no-op.
+
+This is part of XSA-321.
+
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/mm/p2m-ept.c
++++ b/xen/arch/x86/mm/p2m-ept.c
+@@ -90,6 +90,19 @@ static int atomic_write_ept_entry(ept_en
+
+ write_atomic(&entryptr->epte, new.epte);
+
++ /*
++ * The recalc field on the EPT is used to signal either that a
++ * recalculation of the EMT field is required (which doesn't effect the
++ * IOMMU), or a type change. Type changes can only be between ram_rw,
++ * logdirty and ioreq_server: changes to/from logdirty won't work well with
++ * an IOMMU anyway, as IOMMU #PFs are not synchronous and will lead to
++ * aborts, and changes to/from ioreq_server are already fully flushed
++ * before returning to guest context (see
++ * XEN_DMOP_map_mem_type_to_ioreq_server).
++ */
++ if ( !new.recalc && iommu_hap_pt_share )
++ iommu_sync_cache(entryptr, sizeof(*entryptr));
++
+ if ( unlikely(oldmfn != mfn_x(INVALID_MFN)) )
+ put_page(mfn_to_page(_mfn(oldmfn)));
+
+@@ -319,6 +332,9 @@ static bool_t ept_split_super_page(struc
+ break;
+ }
+
++ if ( iommu_hap_pt_share )
++ iommu_sync_cache(table, EPT_PAGETABLE_ENTRIES * sizeof(ept_entry_t));
++
+ unmap_domain_page(table);
+
+ /* Even failed we should install the newly allocated ept page. */
+@@ -378,6 +394,9 @@ static int ept_next_level(struct p2m_dom
+ if ( !next )
+ return GUEST_TABLE_MAP_FAILED;
+
++ if ( iommu_hap_pt_share )
++ iommu_sync_cache(next, EPT_PAGETABLE_ENTRIES * sizeof(ept_entry_t));
++
+ rc = atomic_write_ept_entry(ept_entry, e, next_level);
+ ASSERT(rc == 0);
+ }
+@@ -875,7 +894,7 @@ out:
+ need_modify_vtd_table )
+ {
+ if ( iommu_hap_pt_share )
+- rc = iommu_pte_flush(d, gfn, &ept_entry->epte, order, vtd_pte_present);
++ rc = iommu_flush_iotlb(d, gfn, vtd_pte_present, 1u << order);
+ else
+ {
+ if ( iommu_flags )
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -612,10 +612,8 @@ static int __must_check iommu_flush_all(
+ return rc;
+ }
+
+-static int __must_check iommu_flush_iotlb(struct domain *d,
+- unsigned long gfn,
+- bool_t dma_old_pte_present,
+- unsigned int page_count)
++int iommu_flush_iotlb(struct domain *d, unsigned long gfn,
++ bool dma_old_pte_present, unsigned int page_count)
+ {
+ struct domain_iommu *hd = dom_iommu(d);
+ struct acpi_drhd_unit *drhd;
+@@ -1880,53 +1878,6 @@ static int __must_check intel_iommu_unma
+ return dma_pte_clear_one(d, (paddr_t)gfn << PAGE_SHIFT_4K);
+ }
+
+-int iommu_pte_flush(struct domain *d, u64 gfn, u64 *pte,
+- int order, int present)
+-{
+- struct acpi_drhd_unit *drhd;
+- struct iommu *iommu = NULL;
+- struct domain_iommu *hd = dom_iommu(d);
+- bool_t flush_dev_iotlb;
+- int iommu_domid;
+- int rc = 0;
+-
+- iommu_sync_cache(pte, sizeof(struct dma_pte));
+-
+- for_each_drhd_unit ( drhd )
+- {
+- iommu = drhd->iommu;
+- if ( !test_bit(iommu->index, &hd->arch.iommu_bitmap) )
+- continue;
+-
+- flush_dev_iotlb = !!find_ats_dev_drhd(iommu);
+- iommu_domid= domain_iommu_domid(d, iommu);
+- if ( iommu_domid == -1 )
+- continue;
+-
+- rc = iommu_flush_iotlb_psi(iommu, iommu_domid,
+- (paddr_t)gfn << PAGE_SHIFT_4K,
+- order, !present, flush_dev_iotlb);
+- if ( rc > 0 )
+- {
+- iommu_flush_write_buffer(iommu);
+- rc = 0;
+- }
+- }
+-
+- if ( unlikely(rc) )
+- {
+- if ( !d->is_shutting_down && printk_ratelimit() )
+- printk(XENLOG_ERR VTDPREFIX
+- " d%d: IOMMU pages flush failed: %d\n",
+- d->domain_id, rc);
+-
+- if ( !is_hardware_domain(d) )
+- domain_crash(d);
+- }
+-
+- return rc;
+-}
+-
+ static int __init vtd_ept_page_compatible(struct iommu *iommu)
+ {
+ u64 ept_cap, vtd_cap = iommu->cap;
+--- a/xen/include/asm-x86/iommu.h
++++ b/xen/include/asm-x86/iommu.h
+@@ -87,8 +87,9 @@ int iommu_setup_hpet_msi(struct msi_desc
+
+ /* While VT-d specific, this must get declared in a generic header. */
+ int adjust_vtd_irq_affinities(void);
+-int __must_check iommu_pte_flush(struct domain *d, u64 gfn, u64 *pte,
+- int order, int present);
++int __must_check iommu_flush_iotlb(struct domain *d, unsigned long gfn,
++ bool dma_old_pte_present,
++ unsigned int page_count);
+ bool_t iommu_supports_eim(void);
+ int iommu_enable_x2apic_IR(void);
+ void iommu_disable_x2apic_IR(void);
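Review bot: The replacement call in the `out:` path of p2m-ept.c, `rc = iommu_flush_iotlb(d, gfn, vtd_pte_present, 1u << order);`, no longer carries the failure handling of the removed `iommu_pte_flush()`. That helper logged the error and called `domain_crash(d)` for non-hardware domains, and nothing in the visible context shows `iommu_flush_iotlb()` doing the same. If the intent is that the caller acts on `rc`, a call-site comment would record it, for example `/* A flush failure is only reported through rc; the domain is not crashed here. */`, to be confirmed against the rest of the function, which lies outside the patch context. The description also speaks of `iommu_iotlb_flush`, while the code exports and calls `iommu_flush_iotlb`; the two names should be reconciled.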
diff --git a/main/xen/xsa327.patch b/main/xen/xsa327.patch
new file mode 100644
index 00000000000..0541cfa0df8
--- /dev/null
+++ b/main/xen/xsa327.patch
@@ -0,0 +1,63 @@
+From 030300ebbb86c40c12db038714479d746167c767 Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Tue, 26 May 2020 18:31:33 +0100
+Subject: [PATCH] xen: Check the alignment of the offset pased via
+ VCPUOP_register_vcpu_info
+
+Currently a guest is able to register any guest physical address to use
+for the vcpu_info structure as long as the structure can fits in the
+rest of the frame.
+
+This means a guest can provide an address that is not aligned to the
+natural alignment of the structure.
+
+On Arm 32-bit, unaligned access are completely forbidden by the
+hypervisor. This will result to a data abort which is fatal.
+
+On Arm 64-bit, unaligned access are only forbidden when used for atomic
+access. As the structure contains fields (such as evtchn_pending_self)
+that are updated using atomic operations, any unaligned access will be
+fatal as well.
+
+While the misalignment is only fatal on Arm, a generic check is added
+as an x86 guest shouldn't sensibly pass an unaligned address (this
+would result to a split lock).
+
+This is XSA-327.
+
+Reported-by: Julien Grall <jgrall@amazon.com>
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+---
+ xen/common/domain.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xen/common/domain.c b/xen/common/domain.c
+index 7cc9526139a6..e9be05f1d05f 100644
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -1227,10 +1227,20 @@ int map_vcpu_info(struct vcpu *v, unsigned long gfn, unsigned offset)
+ void *mapping;
+ vcpu_info_t *new_info;
+ struct page_info *page;
++ unsigned int align;
+
+ if ( offset > (PAGE_SIZE - sizeof(vcpu_info_t)) )
+ return -EINVAL;
+
++#ifdef CONFIG_COMPAT
++ if ( has_32bit_shinfo(d) )
++ align = alignof(new_info->compat);
++ else
++#endif
++ align = alignof(*new_info);
++ if ( offset & (align - 1) )
++ return -EINVAL;
++
+ if ( !mfn_eq(v->vcpu_info_mfn, INVALID_MFN) )
+ return -EINVAL;
+
+--
+2.17.1
+
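Review bot: The `else` left dangling across `#endif` in map_vcpu_info() binds to the `align = alignof(*new_info);` line after it, so a statement inserted between the two would silently change which alignment applies to compat guests. A comment above the block would protect the construct and record the intent, for example `/* Reject offsets not naturally aligned for the (compat) vcpu_info layout; the else pairs with the assignment after #endif. */`. The mask test `offset & (align - 1)` relies on `align` being a power of two, which `alignof` provides. The function continues beyond the patch context, and `d` is declared outside it.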
diff --git a/main/xen/xsa328-4.11-1.patch b/main/xen/xsa328-4.11-1.patch
new file mode 100644
index 00000000000..50df012f3ed
--- /dev/null
+++ b/main/xen/xsa328-4.11-1.patch
@@ -0,0 +1,118 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/EPT: ept_set_middle_entry() related adjustments
+
+ept_split_super_page() wants to further modify the newly allocated
+table, so have ept_set_middle_entry() return the mapped pointer rather
+than tearing it down and then getting re-established right again.
+
+Similarly ept_next_level() wants to hand back a mapped pointer of
+the next level page, so re-use the one established by
+ept_set_middle_entry() in case that path was taken.
+
+Pull the setting of suppress_ve ahead of insertion into the higher level
+table, and don't have ept_split_super_page() set the field a 2nd time.
+
+This is part of XSA-328.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/mm/p2m-ept.c
++++ b/xen/arch/x86/mm/p2m-ept.c
+@@ -228,8 +228,9 @@ static void ept_p2m_type_to_flags(struct
+ #define GUEST_TABLE_SUPER_PAGE 2
+ #define GUEST_TABLE_POD_PAGE 3
+
+-/* Fill in middle levels of ept table */
+-static int ept_set_middle_entry(struct p2m_domain *p2m, ept_entry_t *ept_entry)
++/* Fill in middle level of ept table; return pointer to mapped new table. */
++static ept_entry_t *ept_set_middle_entry(struct p2m_domain *p2m,
++ ept_entry_t *ept_entry)
+ {
+ mfn_t mfn;
+ ept_entry_t *table;
+@@ -237,7 +238,12 @@ static int ept_set_middle_entry(struct p
+
+ mfn = p2m_alloc_ptp(p2m, 0);
+ if ( mfn_eq(mfn, INVALID_MFN) )
+- return 0;
++ return NULL;
++
++ table = map_domain_page(mfn);
++
++ for ( i = 0; i < EPT_PAGETABLE_ENTRIES; i++ )
++ table[i].suppress_ve = 1;
+
+ ept_entry->epte = 0;
+ ept_entry->mfn = mfn_x(mfn);
+@@ -249,14 +255,7 @@ static int ept_set_middle_entry(struct p
+
+ ept_entry->suppress_ve = 1;
+
+- table = map_domain_page(mfn);
+-
+- for ( i = 0; i < EPT_PAGETABLE_ENTRIES; i++ )
+- table[i].suppress_ve = 1;
+-
+- unmap_domain_page(table);
+-
+- return 1;
++ return table;
+ }
+
+ /* free ept sub tree behind an entry */
+@@ -294,10 +293,10 @@ static bool_t ept_split_super_page(struc
+
+ ASSERT(is_epte_superpage(ept_entry));
+
+- if ( !ept_set_middle_entry(p2m, &new_ept) )
++ table = ept_set_middle_entry(p2m, &new_ept);
++ if ( !table )
+ return 0;
+
+- table = map_domain_page(_mfn(new_ept.mfn));
+ trunk = 1UL << ((level - 1) * EPT_TABLE_ORDER);
+
+ for ( i = 0; i < EPT_PAGETABLE_ENTRIES; i++ )
+@@ -308,7 +307,6 @@ static bool_t ept_split_super_page(struc
+ epte->sp = (level > 1);
+ epte->mfn += i * trunk;
+ epte->snp = (iommu_enabled && iommu_snoop);
+- epte->suppress_ve = 1;
+
+ ept_p2m_type_to_flags(p2m, epte, epte->sa_p2mt, epte->access);
+
+@@ -347,8 +345,7 @@ static int ept_next_level(struct p2m_dom
+ ept_entry_t **table, unsigned long *gfn_remainder,
+ int next_level)
+ {
+- unsigned long mfn;
+- ept_entry_t *ept_entry, e;
++ ept_entry_t *ept_entry, *next = NULL, e;
+ u32 shift, index;
+
+ shift = next_level * EPT_TABLE_ORDER;
+@@ -373,19 +370,17 @@ static int ept_next_level(struct p2m_dom
+ if ( read_only )
+ return GUEST_TABLE_MAP_FAILED;
+
+- if ( !ept_set_middle_entry(p2m, ept_entry) )
++ next = ept_set_middle_entry(p2m, ept_entry);
++ if ( !next )
+ return GUEST_TABLE_MAP_FAILED;
+- else
+- e = atomic_read_ept_entry(ept_entry); /* Refresh */
++ /* e is now stale and hence may not be used anymore below. */
+ }
+-
+ /* The only time sp would be set here is if we had hit a superpage */
+- if ( is_epte_superpage(&e) )
++ else if ( is_epte_superpage(&e) )
+ return GUEST_TABLE_SUPER_PAGE;
+
+- mfn = e.mfn;
+ unmap_domain_page(*table);
+- *table = map_domain_page(_mfn(mfn));
++ *table = next ?: map_domain_page(_mfn(e.mfn));
+ *gfn_remainder &= (1UL << shift) - 1;
+ return GUEST_TABLE_NORMAL_PAGE;
+ }
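Review bot: The reworded comment on ept_set_middle_entry() says the function returns a mapped pointer but not who releases the mapping, and that ownership now moves to the caller. Before this change the function mapped and unmapped the table itself. Afterwards ept_split_super_page() keeps using `table` and ept_next_level() stores `next` into `*table`, so a future caller that ignores the return value would leak a domain-page mapping. I would extend the comment to `/* Fill in middle level of ept table; return pointer to the mapped new table (caller must unmap_domain_page() it), or NULL if allocation fails. */`. The callers' unmap sites are outside the patch context.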
diff --git a/main/xen/xsa328-4.11-2.patch b/main/xen/xsa328-4.11-2.patch
new file mode 100644
index 00000000000..14c0d36e442
--- /dev/null
+++ b/main/xen/xsa328-4.11-2.patch
@@ -0,0 +1,48 @@
+From: <security@xenproject.org>
+Subject: x86/ept: atomically modify entries in ept_next_level
+
+ept_next_level was passing a live PTE pointer to ept_set_middle_entry,
+which was then modified without taking into account that the PTE could
+be part of a live EPT table. This wasn't a security issue because the
+pages returned by p2m_alloc_ptp are zeroed, so adding such an entry
+before actually initializing it didn't allow a guest to access
+physical memory addresses it wasn't supposed to access.
+
+This is part of XSA-328.
+
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/mm/p2m-ept.c
++++ b/xen/arch/x86/mm/p2m-ept.c
+@@ -348,6 +348,8 @@ static int ept_next_level(struct p2m_dom
+ ept_entry_t *ept_entry, *next = NULL, e;
+ u32 shift, index;
+
++ ASSERT(next_level);
++
+ shift = next_level * EPT_TABLE_ORDER;
+
+ index = *gfn_remainder >> shift;
+@@ -364,16 +366,20 @@ static int ept_next_level(struct p2m_dom
+
+ if ( !is_epte_present(&e) )
+ {
++ int rc;
++
+ if ( e.sa_p2mt == p2m_populate_on_demand )
+ return GUEST_TABLE_POD_PAGE;
+
+ if ( read_only )
+ return GUEST_TABLE_MAP_FAILED;
+
+- next = ept_set_middle_entry(p2m, ept_entry);
++ next = ept_set_middle_entry(p2m, &e);
+ if ( !next )
+ return GUEST_TABLE_MAP_FAILED;
+- /* e is now stale and hence may not be used anymore below. */
++
++ rc = atomic_write_ept_entry(ept_entry, e, next_level);
++ ASSERT(rc == 0);
+ }
+ /* The only time sp would be set here is if we had hit a superpage */
+ else if ( is_epte_superpage(&e) )
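Review bot: The result of `atomic_write_ept_entry(ept_entry, e, next_level)` is checked only by `ASSERT(rc == 0)`, which is compiled out of non-debug builds. In such a build a failure would go unnoticed: ept_next_level() would carry on with `next` as the new table although the entry was never installed, and the freshly allocated page would stay mapped. If the write cannot fail for a non-leaf entry (the added `ASSERT(next_level)` suggests that is the assumption), a comment should say so, for example `/* Cannot fail for a non-leaf entry (next_level != 0). */`, to be confirmed against atomic_write_ept_entry(), whose body is outside the patch context. Otherwise the error needs a real return path.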
diff --git a/main/xen/xsa333.patch b/main/xen/xsa333.patch
new file mode 100644
index 00000000000..6b86c942faa
--- /dev/null
+++ b/main/xen/xsa333.patch
@@ -0,0 +1,39 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/pv: Handle the Intel-specific MSR_MISC_ENABLE correctly
+
+This MSR doesn't exist on AMD hardware, and switching away from the safe
+functions in the common MSR path was an erroneous change.
+
+Partially revert the change.
+
+This is XSA-333.
+
+Fixes: 4fdc932b3cc ("x86/Intel: drop another 32-bit leftover")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Wei Liu <wl@xen.org>
+
+diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
+index efeb2a727e..6332c74b80 100644
+--- a/xen/arch/x86/pv/emul-priv-op.c
++++ b/xen/arch/x86/pv/emul-priv-op.c
+@@ -924,7 +924,8 @@ static int read_msr(unsigned int reg, uint64_t *val,
+ return X86EMUL_OKAY;
+
+ case MSR_IA32_MISC_ENABLE:
+- rdmsrl(reg, *val);
++ if ( rdmsr_safe(reg, *val) )
++ break;
+ *val = guest_misc_enable(*val);
+ return X86EMUL_OKAY;
+
+@@ -1059,7 +1060,8 @@ static int write_msr(unsigned int reg, uint64_t val,
+ break;
+
+ case MSR_IA32_MISC_ENABLE:
+- rdmsrl(reg, temp);
++ if ( rdmsr_safe(reg, temp) )
++ break;
+ if ( val != guest_misc_enable(temp) )
+ goto invalid;
+ return X86EMUL_OKAY;
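Review bot: Both `MSR_IA32_MISC_ENABLE` cases switch to `rdmsr_safe()` and `break` on failure, but nothing at either site says why the safe accessor is required, and a matching change was already reverted once by mistake according to the description. A comment in read_msr() and write_msr() would guard against a repeat, for example `/* Intel-only MSR: absent on AMD, so the read may fault; use the safe accessor. */`. What the `break` leads to is outside the patch context; presumably it is the common failure path that reports the access as unhandled, which is worth confirming.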
diff --git a/main/xen/xsa335-qemu.patch b/main/xen/xsa335-qemu.patch
new file mode 100644
index 00000000000..320b4197820
--- /dev/null
+++ b/main/xen/xsa335-qemu.patch
@@ -0,0 +1,84 @@
+From c5bd2924c6d6a5bcbffb8b5e7798a88970131c07 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 17 Aug 2020 08:34:22 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128b6bc5..5234dcc73fea 100644
+--- a/tools/qemu-xen/hw/usb/core.c
++++ b/tools/qemu-xen/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+2.18.4
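Review bot: The new local is declared `unsigned int setup_len;`, but the diagnostic in both do_token_setup() and do_parameter() still formats it with `%d`, in `"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n"`. The conversion no longer matches the argument type; the string should read `"... ctrl buffer too small (%u > %zu)\n"` in both places. The bound check itself is sound: the value is validated in the local and only then stored with `s->setup_len = setup_len;`. Both function bodies continue outside the patch context.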
diff --git a/main/xen/xsa336-4.11.patch b/main/xen/xsa336-4.11.patch
new file mode 100644
index 00000000000..305f6876b9e
--- /dev/null
+++ b/main/xen/xsa336-4.11.patch
@@ -0,0 +1,256 @@
+From: Roger Pau Monné <roger.pau@citrix.com>
+Subject: x86/vpt: fix race when migrating timers between vCPUs
+
+The current vPT code will migrate the emulated timers between vCPUs
+(change the pt->vcpu field) while just holding the destination lock,
+either from create_periodic_time or pt_adjust_global_vcpu_target if
+the global target is adjusted. Changing the periodic_timer vCPU field
+in this way creates a race where a third party could grab the lock in
+the unlocked region of pt_adjust_global_vcpu_target (or before
+create_periodic_time performs the vcpu change) and then release the
+lock from a different vCPU, creating a locking imbalance.
+
+Introduce a per-domain rwlock in order to protect periodic_time
+migration between vCPU lists. Taking the lock in read mode prevents
+any timer from being migrated to a different vCPU, while taking it in
+write mode allows performing migration of timers across vCPUs. The
+per-vcpu locks are still used to protect all the other fields from the
+periodic_timer struct.
+
+Note that such migration shouldn't happen frequently, and hence
+there's no performance drop as a result of such locking.
+
+This is XSA-336.
+
+Reported-by: Igor Druzhinin <igor.druzhinin@citrix.com>
+Tested-by: Igor Druzhinin <igor.druzhinin@citrix.com>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -627,6 +627,8 @@ int hvm_domain_initialise(struct domain
+ /* need link to containing domain */
+ d->arch.hvm_domain.pl_time->domain = d;
+
++ rwlock_init(&d->arch.hvm_domain.pl_time->pt_migrate);
++
+ /* Set the default IO Bitmap. */
+ if ( is_hardware_domain(d) )
+ {
+--- a/xen/arch/x86/hvm/vpt.c
++++ b/xen/arch/x86/hvm/vpt.c
+@@ -152,23 +152,32 @@ static int pt_irq_masked(struct periodic
+ return 1;
+ }
+
+-static void pt_lock(struct periodic_time *pt)
++static void pt_vcpu_lock(struct vcpu *v)
+ {
+- struct vcpu *v;
++ read_lock(&v->domain->arch.hvm_domain.pl_time->pt_migrate);
++ spin_lock(&v->arch.hvm_vcpu.tm_lock);
++}
+
+- for ( ; ; )
+- {
+- v = pt->vcpu;
+- spin_lock(&v->arch.hvm_vcpu.tm_lock);
+- if ( likely(pt->vcpu == v) )
+- break;
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
+- }
++static void pt_vcpu_unlock(struct vcpu *v)
++{
++ spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ read_unlock(&v->domain->arch.hvm_domain.pl_time->pt_migrate);
++}
++
++static void pt_lock(struct periodic_time *pt)
++{
++ /*
++ * We cannot use pt_vcpu_lock here, because we need to acquire the
++ * per-domain lock first and then (re-)fetch the value of pt->vcpu, or
++ * else we might be using a stale value of pt->vcpu.
++ */
++ read_lock(&pt->vcpu->domain->arch.hvm_domain.pl_time->pt_migrate);
++ spin_lock(&pt->vcpu->arch.hvm_vcpu.tm_lock);
+ }
+
+ static void pt_unlock(struct periodic_time *pt)
+ {
+- spin_unlock(&pt->vcpu->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_unlock(pt->vcpu);
+ }
+
+ static void pt_process_missed_ticks(struct periodic_time *pt)
+@@ -218,7 +227,7 @@ void pt_save_timer(struct vcpu *v)
+ if ( v->pause_flags & VPF_blocked )
+ return;
+
+- spin_lock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_lock(v);
+
+ list_for_each_entry ( pt, head, list )
+ if ( !pt->do_not_freeze )
+@@ -226,7 +235,7 @@ void pt_save_timer(struct vcpu *v)
+
+ pt_freeze_time(v);
+
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_unlock(v);
+ }
+
+ void pt_restore_timer(struct vcpu *v)
+@@ -234,7 +243,7 @@ void pt_restore_timer(struct vcpu *v)
+ struct list_head *head = &v->arch.hvm_vcpu.tm_list;
+ struct periodic_time *pt;
+
+- spin_lock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_lock(v);
+
+ list_for_each_entry ( pt, head, list )
+ {
+@@ -247,7 +256,7 @@ void pt_restore_timer(struct vcpu *v)
+
+ pt_thaw_time(v);
+
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_unlock(v);
+ }
+
+ static void pt_timer_fn(void *data)
+@@ -272,7 +281,7 @@ int pt_update_irq(struct vcpu *v)
+ uint64_t max_lag;
+ int irq, pt_vector = -1;
+
+- spin_lock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_lock(v);
+
+ earliest_pt = NULL;
+ max_lag = -1ULL;
+@@ -300,14 +309,14 @@ int pt_update_irq(struct vcpu *v)
+
+ if ( earliest_pt == NULL )
+ {
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_unlock(v);
+ return -1;
+ }
+
+ earliest_pt->irq_issued = 1;
+ irq = earliest_pt->irq;
+
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_unlock(v);
+
+ switch ( earliest_pt->source )
+ {
+@@ -377,12 +386,12 @@ void pt_intr_post(struct vcpu *v, struct
+ if ( intack.source == hvm_intsrc_vector )
+ return;
+
+- spin_lock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_lock(v);
+
+ pt = is_pt_irq(v, intack);
+ if ( pt == NULL )
+ {
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_unlock(v);
+ return;
+ }
+
+@@ -421,7 +430,7 @@ void pt_intr_post(struct vcpu *v, struct
+ cb = pt->cb;
+ cb_priv = pt->priv;
+
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_unlock(v);
+
+ if ( cb != NULL )
+ cb(v, cb_priv);
+@@ -432,12 +441,12 @@ void pt_migrate(struct vcpu *v)
+ struct list_head *head = &v->arch.hvm_vcpu.tm_list;
+ struct periodic_time *pt;
+
+- spin_lock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_lock(v);
+
+ list_for_each_entry ( pt, head, list )
+ migrate_timer(&pt->timer, v->processor);
+
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ pt_vcpu_unlock(v);
+ }
+
+ void create_periodic_time(
+@@ -455,7 +464,7 @@ void create_periodic_time(
+
+ destroy_periodic_time(pt);
+
+- spin_lock(&v->arch.hvm_vcpu.tm_lock);
++ write_lock(&v->domain->arch.hvm_domain.pl_time->pt_migrate);
+
+ pt->pending_intr_nr = 0;
+ pt->do_not_freeze = 0;
+@@ -504,7 +513,7 @@ void create_periodic_time(
+ init_timer(&pt->timer, pt_timer_fn, pt, v->processor);
+ set_timer(&pt->timer, pt->scheduled);
+
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ write_unlock(&v->domain->arch.hvm_domain.pl_time->pt_migrate);
+ }
+
+ void destroy_periodic_time(struct periodic_time *pt)
+@@ -529,30 +538,20 @@ void destroy_periodic_time(struct period
+
+ static void pt_adjust_vcpu(struct periodic_time *pt, struct vcpu *v)
+ {
+- int on_list;
+-
+ ASSERT(pt->source == PTSRC_isa || pt->source == PTSRC_ioapic);
+
+ if ( pt->vcpu == NULL )
+ return;
+
+- pt_lock(pt);
+- on_list = pt->on_list;
+- if ( pt->on_list )
+- list_del(&pt->list);
+- pt->on_list = 0;
+- pt_unlock(pt);
+-
+- spin_lock(&v->arch.hvm_vcpu.tm_lock);
++ write_lock(&pt->vcpu->domain->arch.hvm_domain.pl_time->pt_migrate);
+ pt->vcpu = v;
+- if ( on_list )
++ if ( pt->on_list )
+ {
+- pt->on_list = 1;
++ list_del(&pt->list);
+ list_add(&pt->list, &v->arch.hvm_vcpu.tm_list);
+-
+ migrate_timer(&pt->timer, v->processor);
+ }
+- spin_unlock(&v->arch.hvm_vcpu.tm_lock);
++ write_unlock(&pt->vcpu->domain->arch.hvm_domain.pl_time->pt_migrate);
+ }
+
+ void pt_adjust_global_vcpu_target(struct vcpu *v)
+--- a/xen/include/asm-x86/hvm/vpt.h
++++ b/xen/include/asm-x86/hvm/vpt.h
+@@ -133,6 +133,13 @@ struct pl_time { /* platform time */
+ struct RTCState vrtc;
+ struct HPETState vhpet;
+ struct PMTState vpmt;
++ /*
++ * rwlock to prevent periodic_time vCPU migration. Take the lock in read
++ * mode in order to prevent the vcpu field of periodic_time from changing.
++ * Lock must be taken in write mode when changes to the vcpu field are
++ * performed, as it allows exclusive access to all the timers of a domain.
++ */
++ rwlock_t pt_migrate;
+ /* guest_time = Xen sys time + stime_offset */
+ int64_t stime_offset;
+ /* Ensures monotonicity in appropriate timer modes. */
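Review bot: In pt_adjust_vcpu() the `write_lock()` and `write_unlock()` expressions both go through `pt->vcpu->domain`, but `pt->vcpu = v;` is assigned in between, so the unlock uses the new vCPU's domain. That releases the same lock only if the old and new vCPU belong to one domain, an assumption that is stated nowhere. pt_lock() relies on it as well, since it dereferences `pt->vcpu` to find the rwlock before holding it. I would add `ASSERT(pt->vcpu->domain == v->domain);` before the `write_lock()` and mention the same-domain requirement in the pt_lock() comment. The callers that choose `v` are outside the patch context.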
diff --git a/main/xen/xsa337-4.12-1.patch b/main/xen/xsa337-4.12-1.patch
new file mode 100644
index 00000000000..c8d3b1f4e24
--- /dev/null
+++ b/main/xen/xsa337-4.12-1.patch
@@ -0,0 +1,92 @@
+From: Roger Pau Monné <roger.pau@citrix.com>
+Subject: x86/msi: get rid of read_msi_msg
+
+It's safer and faster to just use the cached last written
+(untranslated) MSI message stored in msi_desc for the single user that
+calls read_msi_msg.
+
+This also prevents relying on the data read from the device MSI
+registers in order to figure out the index into the IOMMU interrupt
+remapping table, which is not safe.
+
+This is part of XSA-337.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Requested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/msi.c
++++ b/xen/arch/x86/msi.c
+@@ -192,59 +192,6 @@ void msi_compose_msg(unsigned vector, co
+ MSI_DATA_VECTOR(vector);
+ }
+
+-static bool read_msi_msg(struct msi_desc *entry, struct msi_msg *msg)
+-{
+- switch ( entry->msi_attrib.type )
+- {
+- case PCI_CAP_ID_MSI:
+- {
+- struct pci_dev *dev = entry->dev;
+- int pos = entry->msi_attrib.pos;
+- u16 data, seg = dev->seg;
+- u8 bus = dev->bus;
+- u8 slot = PCI_SLOT(dev->devfn);
+- u8 func = PCI_FUNC(dev->devfn);
+-
+- msg->address_lo = pci_conf_read32(seg, bus, slot, func,
+- msi_lower_address_reg(pos));
+- if ( entry->msi_attrib.is_64 )
+- {
+- msg->address_hi = pci_conf_read32(seg, bus, slot, func,
+- msi_upper_address_reg(pos));
+- data = pci_conf_read16(seg, bus, slot, func,
+- msi_data_reg(pos, 1));
+- }
+- else
+- {
+- msg->address_hi = 0;
+- data = pci_conf_read16(seg, bus, slot, func,
+- msi_data_reg(pos, 0));
+- }
+- msg->data = data;
+- break;
+- }
+- case PCI_CAP_ID_MSIX:
+- {
+- void __iomem *base = entry->mask_base;
+-
+- if ( unlikely(!msix_memory_decoded(entry->dev,
+- entry->msi_attrib.pos)) )
+- return false;
+- msg->address_lo = readl(base + PCI_MSIX_ENTRY_LOWER_ADDR_OFFSET);
+- msg->address_hi = readl(base + PCI_MSIX_ENTRY_UPPER_ADDR_OFFSET);
+- msg->data = readl(base + PCI_MSIX_ENTRY_DATA_OFFSET);
+- break;
+- }
+- default:
+- BUG();
+- }
+-
+- if ( iommu_intremap )
+- iommu_read_msi_from_ire(entry, msg);
+-
+- return true;
+-}
+-
+ static int write_msi_msg(struct msi_desc *entry, struct msi_msg *msg)
+ {
+ entry->msg = *msg;
+@@ -322,10 +269,7 @@ void set_msi_affinity(struct irq_desc *d
+
+ ASSERT(spin_is_locked(&desc->lock));
+
+- memset(&msg, 0, sizeof(msg));
+- if ( !read_msi_msg(msi_desc, &msg) )
+- return;
+-
++ msg = msi_desc->msg;
+ msg.data &= ~MSI_DATA_VECTOR_MASK;
+ msg.data |= MSI_DATA_VECTOR(desc->arch.vector);
+ msg.address_lo &= ~MSI_ADDR_DEST_ID_MASK;
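Review bot: The new line `msg = msi_desc->msg;` in set_msi_affinity() carries no comment explaining why the cached copy is used, although the description gives a security reason. A later cleanup could reintroduce a read from the device registers without that hint. I would add `/* Use the cached, untranslated message: values read back from the device must not be used to derive the interrupt remapping table index. */` above the assignment. The removed read_msi_msg() returned early when MSI-X memory was not decoded, whereas the new code always proceeds to the write. Whether write_msi_msg() copes with that state cannot be seen from here, as the function continues outside the patch context.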
diff --git a/main/xen/xsa337-4.12-2.patch b/main/xen/xsa337-4.12-2.patch
new file mode 100644
index 00000000000..aa2fb57162c
--- /dev/null
+++ b/main/xen/xsa337-4.12-2.patch
@@ -0,0 +1,182 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/MSI-X: restrict reading of table/PBA bases from BARs
+
+When assigned to less trusted or un-trusted guests, devices may change
+state behind our backs (they may e.g. get reset by means we may not know
+about). Therefore we should avoid reading BARs from hardware once a
+device is no longer owned by Dom0. Furthermore when we can't read a BAR,
+or when we read zero, we shouldn't instead use the caller provided
+address unless that caller can be trusted.
+
+Re-arrange the logic in msix_capability_init() such that only Dom0 (and
+only if the device isn't DomU-owned yet) or calls through
+PHYSDEVOP_prepare_msix will actually result in the reading of the
+respective BAR register(s). Additionally do so only as long as in-use
+table entries are known (note that invocation of PHYSDEVOP_prepare_msix
+counts as a "pseudo" entry). In all other uses the value already
+recorded will get used instead.
+
+Clear the recorded values in _pci_cleanup_msix() as well as on the one
+affected error path. (Adjust this error path to also avoid blindly
+disabling MSI-X when it was enabled on entry to the function.)
+
+While moving around variable declarations (in many cases to reduce their
+scopes), also adjust some of their types.
+
+This is part of XSA-337.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+
+--- a/xen/arch/x86/msi.c
++++ b/xen/arch/x86/msi.c
+@@ -790,16 +790,14 @@ static int msix_capability_init(struct p
+ {
+ struct arch_msix *msix = dev->msix;
+ struct msi_desc *entry = NULL;
+- int vf;
+ u16 control;
+ u64 table_paddr;
+ u32 table_offset;
+- u8 bir, pbus, pslot, pfunc;
+ u16 seg = dev->seg;
+ u8 bus = dev->bus;
+ u8 slot = PCI_SLOT(dev->devfn);
+ u8 func = PCI_FUNC(dev->devfn);
+- bool maskall = msix->host_maskall;
++ bool maskall = msix->host_maskall, zap_on_error = false;
+
+ ASSERT(pcidevs_locked());
+
+@@ -837,43 +835,45 @@ static int msix_capability_init(struct p
+ /* Locate MSI-X table region */
+ table_offset = pci_conf_read32(seg, bus, slot, func,
+ msix_table_offset_reg(pos));
+- bir = (u8)(table_offset & PCI_MSIX_BIRMASK);
+- table_offset &= ~PCI_MSIX_BIRMASK;
++ if ( !msix->used_entries &&
++ (!msi ||
++ (is_hardware_domain(current->domain) &&
++ (dev->domain == current->domain || dev->domain == dom_io))) )
++ {
++ unsigned int bir = table_offset & PCI_MSIX_BIRMASK, pbus, pslot, pfunc;
++ int vf;
++ paddr_t pba_paddr;
++ unsigned int pba_offset;
+
+- if ( !dev->info.is_virtfn )
+- {
+- pbus = bus;
+- pslot = slot;
+- pfunc = func;
+- vf = -1;
+- }
+- else
+- {
+- pbus = dev->info.physfn.bus;
+- pslot = PCI_SLOT(dev->info.physfn.devfn);
+- pfunc = PCI_FUNC(dev->info.physfn.devfn);
+- vf = PCI_BDF2(dev->bus, dev->devfn);
+- }
+-
+- table_paddr = read_pci_mem_bar(seg, pbus, pslot, pfunc, bir, vf);
+- WARN_ON(msi && msi->table_base != table_paddr);
+- if ( !table_paddr )
+- {
+- if ( !msi || !msi->table_base )
++ if ( !dev->info.is_virtfn )
+ {
+- pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos),
+- control & ~PCI_MSIX_FLAGS_ENABLE);
+- xfree(entry);
+- return -ENXIO;
++ pbus = bus;
++ pslot = slot;
++ pfunc = func;
++ vf = -1;
++ }
++ else
++ {
++ pbus = dev->info.physfn.bus;
++ pslot = PCI_SLOT(dev->info.physfn.devfn);
++ pfunc = PCI_FUNC(dev->info.physfn.devfn);
++ vf = PCI_BDF2(dev->bus, dev->devfn);
+ }
+- table_paddr = msi->table_base;
+- }
+- table_paddr += table_offset;
+
+- if ( !msix->used_entries )
+- {
+- u64 pba_paddr;
+- u32 pba_offset;
++ table_paddr = read_pci_mem_bar(seg, pbus, pslot, pfunc, bir, vf);
++ WARN_ON(msi && msi->table_base != table_paddr);
++ if ( !table_paddr )
++ {
++ if ( !msi || !msi->table_base )
++ {
++ pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos),
++ control & ~PCI_MSIX_FLAGS_ENABLE);
++ xfree(entry);
++ return -ENXIO;
++ }
++ table_paddr = msi->table_base;
++ }
++ table_paddr += table_offset & ~PCI_MSIX_BIRMASK;
+
+ msix->nr_entries = nr_entries;
+ msix->table.first = PFN_DOWN(table_paddr);
+@@ -894,7 +894,19 @@ static int msix_capability_init(struct p
+ BITS_TO_LONGS(nr_entries) - 1);
+ WARN_ON(rangeset_overlaps_range(mmio_ro_ranges, msix->pba.first,
+ msix->pba.last));
++
++ zap_on_error = true;
+ }
++ else if ( !msix->table.first )
++ {
++ pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos),
++ control);
++ xfree(entry);
++ return -ENODATA;
++ }
++ else
++ table_paddr = (msix->table.first << PAGE_SHIFT) +
++ (table_offset & ~PCI_MSIX_BIRMASK & ~PAGE_MASK);
+
+ if ( entry )
+ {
+@@ -905,8 +917,16 @@ static int msix_capability_init(struct p
+
+ if ( idx < 0 )
+ {
++ if ( zap_on_error )
++ {
++ msix->table.first = 0;
++ msix->pba.first = 0;
++
++ control &= ~PCI_MSIX_FLAGS_ENABLE;
++ }
++
+ pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos),
+- control & ~PCI_MSIX_FLAGS_ENABLE);
++ control);
+ xfree(entry);
+ return idx;
+ }
+@@ -1102,9 +1122,14 @@ static void _pci_cleanup_msix(struct arc
+ if ( rangeset_remove_range(mmio_ro_ranges, msix->table.first,
+ msix->table.last) )
+ WARN();
++ msix->table.first = 0;
++ msix->table.last = 0;
++
+ if ( rangeset_remove_range(mmio_ro_ranges, msix->pba.first,
+ msix->pba.last) )
+ WARN();
++ msix->pba.first = 0;
++ msix->pba.last = 0;
+ }
+ }
+
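Review bot: The `zap_on_error` path in msix_capability_init() clears only `msix->table.first` and `msix->pba.first`, while _pci_cleanup_msix() in the same patch clears both `.first` and `.last` for the table and the PBA. A `.first` of zero combined with a stale `.last` describes a range starting at frame 0. If that pair ever reached `rangeset_remove_range(mmio_ro_ranges, ...)`, it would cover far more than the device's table; whether it can is not visible here. Adding `msix->table.last = 0;` and `msix->pba.last = 0;` next to the existing two assignments would keep the two sites consistent. It is also worth checking whether ranges already added to `mmio_ro_ranges` are removed on this error path; that code is outside the patch context.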
diff --git a/main/xen/xsa338.patch b/main/xen/xsa338.patch
new file mode 100644
index 00000000000..776521990e7
--- /dev/null
+++ b/main/xen/xsa338.patch
@@ -0,0 +1,42 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn: relax port_is_valid()
+
+To avoid ports potentially becoming invalid behind the back of certain
+other functions (due to ->max_evtchn shrinking) because of
+- a guest invoking evtchn_reset() and from a 2nd vCPU opening new
+ channels in parallel (see also XSA-343),
+- alloc_unbound_xen_event_channel() produced channels living above the
+ 2-level range (see also XSA-342),
+drop the max_evtchns check from port_is_valid(). For a port for which
+the function once returned "true", the returned value may not turn into
+"false" later on. The function's result may only depend on bounds which
+can only ever grow (which is the case for d->valid_evtchns).
+
+This also eliminates a false sense of safety, utilized by some of the
+users (see again XSA-343): Without a suitable lock held, d->max_evtchns
+may change at any time, and hence deducing that certain other operations
+are safe when port_is_valid() returned true is not legitimate. The
+opportunities to abuse this may get widened by the change here
+(depending on guest and host configuration), but will be taken care of
+by the other XSA.
+
+This is XSA-338.
+
+Fixes: 48974e6ce52e ("evtchn: use a per-domain variable for the max number of event channels")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+---
+v5: New, split from larger patch.
+
+--- a/xen/include/xen/event.h
++++ b/xen/include/xen/event.h
+@@ -107,8 +107,6 @@ void notify_via_xen_event_channel(struct
+
+ static inline bool_t port_is_valid(struct domain *d, unsigned int p)
+ {
+- if ( p >= d->max_evtchns )
+- return 0;
+ return p < read_atomic(&d->valid_evtchns);
+ }
+
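Review bot: `xsa338.patch` must not be applied on its own, because its description says that dropping the `max_evtchns` check from `port_is_valid()` may widen the opportunities for abuse until the other XSA is in place. It should therefore only appear in the package's patch series together with the `xsa343-*` files added in this commit. The APKBUILD that lists and orders the patches is not visible in this hunk, so confirm it there. A one-line comment above the remaining `return` would also record the invariant the description relies on, e.g. `/* Must never go from true to false: compare only against bounds that can only grow. */`.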
diff --git a/main/xen/xsa339.patch b/main/xen/xsa339.patch
new file mode 100644
index 00000000000..3311ae093fd
--- /dev/null
+++ b/main/xen/xsa339.patch
@@ -0,0 +1,76 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/pv: Avoid double exception injection
+
+There is at least one path (SYSENTER with NT set, Xen converts to #GP) which
+ends up injecting the #GP fault twice, first in compat_sysenter(), and then a
+second time in compat_test_all_events(), due to the stale TBF_EXCEPTION left
+in TRAPBOUNCE_flags.
+
+The guest kernel sees the second fault first, which is a kernel level #GP
+pointing at the head of the #GP handler, and is therefore a userspace
+trigger-able DoS.
+
+This particular bug has bitten us several times before, so rearrange
+{compat_,}create_bounce_frame() to clobber TRAPBOUNCE on success, rather than
+leaving this task to one area of code which isn't used uniformly.
+
+Other scenarios which might result in a double injection (e.g. two calls
+directly to compat_create_bounce_frame) will now crash the guest, which is far
+more obvious than letting the kernel run with corrupt state.
+
+This is XSA-339
+
+Fixes: fdac9515607b ("x86: clear EFLAGS.NT in SYSENTER entry path")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
+index c3e62f8734..73619f57ca 100644
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -78,7 +78,6 @@ compat_process_softirqs:
+ sti
+ .Lcompat_bounce_exception:
+ call compat_create_bounce_frame
+- movb $0, TRAPBOUNCE_flags(%rdx)
+ jmp compat_test_all_events
+
+ ALIGN
+@@ -352,7 +351,13 @@ __UNLIKELY_END(compat_bounce_null_selector)
+ movl %eax,UREGS_cs+8(%rsp)
+ movl TRAPBOUNCE_eip(%rdx),%eax
+ movl %eax,UREGS_rip+8(%rsp)
++
++ /* Trapbounce complete. Clobber state to avoid an erroneous second injection. */
++ xor %eax, %eax
++ mov %ax, TRAPBOUNCE_cs(%rdx)
++ mov %al, TRAPBOUNCE_flags(%rdx)
+ ret
++
+ .section .fixup,"ax"
+ .Lfx13:
+ xorl %edi,%edi
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 1e880eb9f6..71a00e846b 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -90,7 +90,6 @@ process_softirqs:
+ sti
+ .Lbounce_exception:
+ call create_bounce_frame
+- movb $0, TRAPBOUNCE_flags(%rdx)
+ jmp test_all_events
+
+ ALIGN
+@@ -512,6 +511,11 @@ UNLIKELY_START(z, create_bounce_frame_bad_bounce_ip)
+ jmp asm_domain_crash_synchronous /* Does not return */
+ __UNLIKELY_END(create_bounce_frame_bad_bounce_ip)
+ movq %rax,UREGS_rip+8(%rsp)
++
++ /* Trapbounce complete. Clobber state to avoid an erroneous second injection. */
++ xor %eax, %eax
++ mov %rax, TRAPBOUNCE_eip(%rdx)
++ mov %al, TRAPBOUNCE_flags(%rdx)
+ ret
+
+ .pushsection .fixup, "ax", @progbits
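Review bot: The two added "Trapbounce complete" comments do not explain why different fields are zeroed, `TRAPBOUNCE_cs` in the compat path and `TRAPBOUNCE_eip` in the 64-bit path. That choice is what makes a stale second injection crash the guest rather than deliver a second #GP. Judging by the surrounding labels, the zeroed value is presumably caught by the `compat_bounce_null_selector` and `create_bounce_frame_bad_bounce_ip` checks respectively. Naming the check in each comment would make the dependency visible, e.g. `/* Zero cs so a repeated call trips the null-selector check. */`. Both function bodies start outside the hunks, so the pairing should be confirmed against the full `entry.S` files.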
diff --git a/main/xen/xsa340.patch b/main/xen/xsa340.patch
new file mode 100644
index 00000000000..38d04da4650
--- /dev/null
+++ b/main/xen/xsa340.patch
@@ -0,0 +1,65 @@
+From: Julien Grall <jgrall@amazon.com>
+Subject: xen/evtchn: Add missing barriers when accessing/allocating an event channel
+
+While the allocation of a bucket is always performed with the per-domain
+lock, the bucket may be accessed without the lock taken (for instance, see
+evtchn_send()).
+
+Instead such sites relies on port_is_valid() to return a non-zero value
+when the port has a struct evtchn associated to it. The function will
+mostly check whether the port is less than d->valid_evtchns as all the
+buckets/event channels should be allocated up to that point.
+
+Unfortunately a compiler is free to re-order the assignment in
+evtchn_allocate_port() so it would be possible to have d->valid_evtchns
+updated before the new bucket has finish to allocate.
+
+Additionally on Arm, even if this was compiled "correctly", the
+processor can still re-order the memory access.
+
+Add a write memory barrier in the allocation side and a read memory
+barrier when the port is valid to prevent any re-ordering issue.
+
+This is XSA-340.
+
+Reported-by: Julien Grall <jgrall@amazon.com>
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -178,6 +178,13 @@ int evtchn_allocate_port(struct domain *
+ return -ENOMEM;
+ bucket_from_port(d, port) = chn;
+
++ /*
++ * d->valid_evtchns is used to check whether the bucket can be
++ * accessed without the per-domain lock. Therefore,
++ * d->valid_evtchns should be seen *after* the new bucket has
++ * been setup.
++ */
++ smp_wmb();
+ write_atomic(&d->valid_evtchns, d->valid_evtchns + EVTCHNS_PER_BUCKET);
+ }
+
+--- a/xen/include/xen/event.h
++++ b/xen/include/xen/event.h
+@@ -107,7 +107,17 @@ void notify_via_xen_event_channel(struct
+
+ static inline bool_t port_is_valid(struct domain *d, unsigned int p)
+ {
+- return p < read_atomic(&d->valid_evtchns);
++ if ( p >= read_atomic(&d->valid_evtchns) )
++ return false;
++
++ /*
++ * The caller will usually access the event channel afterwards and
++ * may be done without taking the per-domain lock. The barrier is
++ * going in pair the smp_wmb() barrier in evtchn_allocate_port().
++ */
++ smp_rmb();
++
++ return true;
+ }
+
+ static inline struct evtchn *evtchn_from_port(struct domain *d, unsigned int p)
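Review bot: The `event.h` hunk only applies on top of `xsa338.patch`, because the line it removes, `return p < read_atomic(&d->valid_evtchns);`, is the whole body of `port_is_valid()` only once the `max_evtchns` check is gone. The package must therefore apply xsa338 before xsa340, and `xsa342-4.13.patch` after it, since its context already shows the `if ( p >= read_atomic(...) )` form. The series order lives in the APKBUILD, which is not visible here. The new comment above `smp_rmb()` is hard to parse; I would word its last sentence as `The barrier pairs with the smp_wmb() in evtchn_allocate_port().` Minor style: the function is declared `bool_t` but now returns `false`/`true`, where the code removed by xsa338 used `0`.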
diff --git a/main/xen/xsa342-4.13.patch b/main/xen/xsa342-4.13.patch
new file mode 100644
index 00000000000..334baf1b69c
--- /dev/null
+++ b/main/xen/xsa342-4.13.patch
@@ -0,0 +1,145 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn/x86: enforce correct upper limit for 32-bit guests
+
+The recording of d->max_evtchns in evtchn_2l_init(), in particular with
+the limited set of callers of the function, is insufficient. Neither for
+PV nor for HVM guests the bitness is known at domain_create() time, yet
+the upper bound in 2-level mode depends upon guest bitness. Recording
+too high a limit "allows" x86 32-bit domains to open not properly usable
+event channels, management of which (inside Xen) would then result in
+corruption of the shared info and vCPU info structures.
+
+Keep the upper limit dynamic for the 2-level case, introducing a helper
+function to retrieve the effective limit. This helper is now supposed to
+be private to the event channel code. The used in do_poll() and
+domain_dump_evtchn_info() weren't consistent with port uses elsewhere
+and hence get switched to port_is_valid().
+
+Furthermore FIFO mode's setup_ports() gets adjusted to loop only up to
+the prior ABI limit, rather than all the way up to the new one.
+
+Finally a word on the change to do_poll(): Accessing ->max_evtchns
+without holding a suitable lock was never safe, as it as well as
+->evtchn_port_ops may change behind do_poll()'s back. Using
+port_is_valid() instead widens some the window for potential abuse,
+until we've dealt with the race altogether (see XSA-343).
+
+This is XSA-342.
+
+Reported-by: Julien Grall <jgrall@amazon.com>
+Fixes: 48974e6ce52e ("evtchn: use a per-domain variable for the max number of event channels")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/event_2l.c
++++ b/xen/common/event_2l.c
+@@ -103,7 +103,6 @@ static const struct evtchn_port_ops evtc
+ void evtchn_2l_init(struct domain *d)
+ {
+ d->evtchn_port_ops = &evtchn_port_ops_2l;
+- d->max_evtchns = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
+ }
+
+ /*
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -151,7 +151,7 @@ static void free_evtchn_bucket(struct do
+
+ int evtchn_allocate_port(struct domain *d, evtchn_port_t port)
+ {
+- if ( port > d->max_evtchn_port || port >= d->max_evtchns )
++ if ( port > d->max_evtchn_port || port >= max_evtchns(d) )
+ return -ENOSPC;
+
+ if ( port_is_valid(d, port) )
+@@ -1396,13 +1396,11 @@ static void domain_dump_evtchn_info(stru
+
+ spin_lock(&d->event_lock);
+
+- for ( port = 1; port < d->max_evtchns; ++port )
++ for ( port = 1; port_is_valid(d, port); ++port )
+ {
+ const struct evtchn *chn;
+ char *ssid;
+
+- if ( !port_is_valid(d, port) )
+- continue;
+ chn = evtchn_from_port(d, port);
+ if ( chn->state == ECS_FREE )
+ continue;
+--- a/xen/common/event_fifo.c
++++ b/xen/common/event_fifo.c
+@@ -478,7 +478,7 @@ static void cleanup_event_array(struct d
+ d->evtchn_fifo = NULL;
+ }
+
+-static void setup_ports(struct domain *d)
++static void setup_ports(struct domain *d, unsigned int prev_evtchns)
+ {
+ unsigned int port;
+
+@@ -488,7 +488,7 @@ static void setup_ports(struct domain *d
+ * - save its pending state.
+ * - set default priority.
+ */
+- for ( port = 1; port < d->max_evtchns; port++ )
++ for ( port = 1; port < prev_evtchns; port++ )
+ {
+ struct evtchn *evtchn;
+
+@@ -546,6 +546,8 @@ int evtchn_fifo_init_control(struct evtc
+ if ( !d->evtchn_fifo )
+ {
+ struct vcpu *vcb;
++ /* Latch the value before it changes during setup_event_array(). */
++ unsigned int prev_evtchns = max_evtchns(d);
+
+ for_each_vcpu ( d, vcb ) {
+ rc = setup_control_block(vcb);
+@@ -562,8 +564,7 @@ int evtchn_fifo_init_control(struct evtc
+ goto error;
+
+ d->evtchn_port_ops = &evtchn_port_ops_fifo;
+- d->max_evtchns = EVTCHN_FIFO_NR_CHANNELS;
+- setup_ports(d);
++ setup_ports(d, prev_evtchns);
+ }
+ else
+ rc = map_control_block(v, gfn, offset);
+--- a/xen/common/schedule.c
++++ b/xen/common/schedule.c
+@@ -1434,7 +1434,7 @@ static long do_poll(struct sched_poll *s
+ goto out;
+
+ rc = -EINVAL;
+- if ( port >= d->max_evtchns )
++ if ( !port_is_valid(d, port) )
+ goto out;
+
+ rc = 0;
+--- a/xen/include/xen/event.h
++++ b/xen/include/xen/event.h
+@@ -105,6 +105,12 @@ void notify_via_xen_event_channel(struct
+ #define bucket_from_port(d, p) \
+ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET])
+
++static inline unsigned int max_evtchns(const struct domain *d)
++{
++ return d->evtchn_fifo ? EVTCHN_FIFO_NR_CHANNELS
++ : BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
++}
++
+ static inline bool_t port_is_valid(struct domain *d, unsigned int p)
+ {
+ if ( p >= read_atomic(&d->valid_evtchns) )
+--- a/xen/include/xen/sched.h
++++ b/xen/include/xen/sched.h
+@@ -382,7 +382,6 @@ struct domain
+ /* Event channel information. */
+ struct evtchn *evtchn; /* first bucket only */
+ struct evtchn **evtchn_group[NR_EVTCHN_GROUPS]; /* all other buckets */
+- unsigned int max_evtchns; /* number supported by ABI */
+ unsigned int max_evtchn_port; /* max permitted port number */
+ unsigned int valid_evtchns; /* number of allocated event channels */
+ spinlock_t event_lock;
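Review bot: `max_evtchns()` is added to `xen/include/xen/event.h` with no comment, although the description calls it private to the event channel code and its result changes whenever `d->evtchn_fifo` is set or cleared. I would add a header comment stating the locking expectation, e.g. `/* Result can change across evtchn_reset(); callers must hold the event lock or a per-channel lock. */`, which is the rule the description of `xsa343-4.11-3.patch` spells out. Separately, this file carries a 4.13 suffix while the XSA-343 files carry 4.11, and the `struct domain` hunk here sits at line 382 whereas the one in `xsa343-4.11-1.patch` sits at line 345. The packaged Xen version is not visible in this chunk, so confirm that both sets apply to the same tree without fuzz.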
diff --git a/main/xen/xsa343-4.11-1.patch b/main/xen/xsa343-4.11-1.patch
new file mode 100644
index 00000000000..32ac1ea9094
--- /dev/null
+++ b/main/xen/xsa343-4.11-1.patch
@@ -0,0 +1,190 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn: evtchn_reset() shouldn't succeed with still-open ports
+
+While the function closes all ports, it does so without holding any
+lock, and hence racing requests may be issued causing new ports to get
+opened. This would have been problematic in particular if such a newly
+opened port had a port number above the new implementation limit (i.e.
+when switching from FIFO to 2-level) after the reset, as prior to
+"evtchn: relax port_is_valid()" this could have led to e.g.
+evtchn_close()'s "BUG_ON(!port_is_valid(d2, port2))" to trigger.
+
+Introduce a counter of active ports and check that it's (still) no
+larger then the number of Xen internally used ones after obtaining the
+necessary lock in evtchn_reset().
+
+As to the access model of the new {active,xen}_evtchns fields - while
+all writes get done using write_atomic(), reads ought to use
+read_atomic() only when outside of a suitably locked region.
+
+Note that as of now evtchn_bind_virq() and evtchn_bind_ipi() don't have
+a need to call check_free_port().
+
+This is part of XSA-343.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -188,6 +188,8 @@ int evtchn_allocate_port(struct domain *
+ write_atomic(&d->valid_evtchns, d->valid_evtchns + EVTCHNS_PER_BUCKET);
+ }
+
++ write_atomic(&d->active_evtchns, d->active_evtchns + 1);
++
+ return 0;
+ }
+
+@@ -211,11 +213,26 @@ static int get_free_port(struct domain *
+ return -ENOSPC;
+ }
+
++/*
++ * Check whether a port is still marked free, and if so update the domain
++ * counter accordingly. To be used on function exit paths.
++ */
++static void check_free_port(struct domain *d, evtchn_port_t port)
++{
++ if ( port_is_valid(d, port) &&
++ evtchn_from_port(d, port)->state == ECS_FREE )
++ write_atomic(&d->active_evtchns, d->active_evtchns - 1);
++}
++
+ void evtchn_free(struct domain *d, struct evtchn *chn)
+ {
+ /* Clear pending event to avoid unexpected behavior on re-bind. */
+ evtchn_port_clear_pending(d, chn);
+
++ if ( consumer_is_xen(chn) )
++ write_atomic(&d->xen_evtchns, d->xen_evtchns - 1);
++ write_atomic(&d->active_evtchns, d->active_evtchns - 1);
++
+ /* Reset binding to vcpu0 when the channel is freed. */
+ chn->state = ECS_FREE;
+ chn->notify_vcpu_id = 0;
+@@ -258,6 +275,7 @@ static long evtchn_alloc_unbound(evtchn_
+ alloc->port = port;
+
+ out:
++ check_free_port(d, port);
+ spin_unlock(&d->event_lock);
+ rcu_unlock_domain(d);
+
+@@ -351,6 +369,7 @@ static long evtchn_bind_interdomain(evtc
+ bind->local_port = lport;
+
+ out:
++ check_free_port(ld, lport);
+ spin_unlock(&ld->event_lock);
+ if ( ld != rd )
+ spin_unlock(&rd->event_lock);
+@@ -484,7 +503,7 @@ static long evtchn_bind_pirq(evtchn_bind
+ struct domain *d = current->domain;
+ struct vcpu *v = d->vcpu[0];
+ struct pirq *info;
+- int port, pirq = bind->pirq;
++ int port = 0, pirq = bind->pirq;
+ long rc;
+
+ if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
+@@ -532,6 +551,7 @@ static long evtchn_bind_pirq(evtchn_bind
+ arch_evtchn_bind_pirq(d, pirq);
+
+ out:
++ check_free_port(d, port);
+ spin_unlock(&d->event_lock);
+
+ return rc;
+@@ -1005,10 +1025,10 @@ int evtchn_unmask(unsigned int port)
+ return 0;
+ }
+
+-
+ int evtchn_reset(struct domain *d)
+ {
+ unsigned int i;
++ int rc = 0;
+
+ if ( d != current->domain && !d->controller_pause_count )
+ return -EINVAL;
+@@ -1018,7 +1038,9 @@ int evtchn_reset(struct domain *d)
+
+ spin_lock(&d->event_lock);
+
+- if ( d->evtchn_fifo )
++ if ( d->active_evtchns > d->xen_evtchns )
++ rc = -EAGAIN;
++ else if ( d->evtchn_fifo )
+ {
+ /* Switching back to 2-level ABI. */
+ evtchn_fifo_destroy(d);
+@@ -1027,7 +1049,7 @@ int evtchn_reset(struct domain *d)
+
+ spin_unlock(&d->event_lock);
+
+- return 0;
++ return rc;
+ }
+
+ static long evtchn_set_priority(const struct evtchn_set_priority *set_priority)
+@@ -1213,10 +1235,9 @@ int alloc_unbound_xen_event_channel(
+
+ spin_lock(&ld->event_lock);
+
+- rc = get_free_port(ld);
++ port = rc = get_free_port(ld);
+ if ( rc < 0 )
+ goto out;
+- port = rc;
+ chn = evtchn_from_port(ld, port);
+
+ rc = xsm_evtchn_unbound(XSM_TARGET, ld, chn, remote_domid);
+@@ -1232,7 +1253,10 @@ int alloc_unbound_xen_event_channel(
+
+ spin_unlock(&chn->lock);
+
++ write_atomic(&ld->xen_evtchns, ld->xen_evtchns + 1);
++
+ out:
++ check_free_port(ld, port);
+ spin_unlock(&ld->event_lock);
+
+ return rc < 0 ? rc : port;
+@@ -1308,6 +1332,7 @@ int evtchn_init(struct domain *d)
+ return -EINVAL;
+ }
+ evtchn_from_port(d, 0)->state = ECS_RESERVED;
++ write_atomic(&d->active_evtchns, 0);
+
+ #if MAX_VIRT_CPUS > BITS_PER_LONG
+ d->poll_mask = xzalloc_array(unsigned long,
+@@ -1335,6 +1360,8 @@ void evtchn_destroy(struct domain *d)
+ for ( i = 0; port_is_valid(d, i); i++ )
+ evtchn_close(d, i, 0);
+
++ ASSERT(!d->active_evtchns);
++
+ clear_global_virq_handlers(d);
+
+ evtchn_fifo_destroy(d);
+--- a/xen/include/xen/sched.h
++++ b/xen/include/xen/sched.h
+@@ -345,6 +345,16 @@ struct domain
+ struct evtchn **evtchn_group[NR_EVTCHN_GROUPS]; /* all other buckets */
+ unsigned int max_evtchn_port; /* max permitted port number */
+ unsigned int valid_evtchns; /* number of allocated event channels */
++ /*
++ * Number of in-use event channels. Writers should use write_atomic().
++ * Readers need to use read_atomic() only when not holding event_lock.
++ */
++ unsigned int active_evtchns;
++ /*
++ * Number of event channels used internally by Xen (not subject to
++ * EVTCHNOP_reset). Read/write access like for active_evtchns.
++ */
++ unsigned int xen_evtchns;
+ spinlock_t event_lock;
+ const struct evtchn_port_ops *evtchn_port_ops;
+ struct evtchn_fifo_domain *evtchn_fifo;
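Review bot: In `evtchn_bind_pirq()` the new `int port = 0` initialiser is load-bearing but unexplained. On an exit taken before a port is allocated, the added `check_free_port(d, port)` runs with port 0, and it stays a no-op only because `evtchn_init()` puts port 0 in `ECS_RESERVED` (visible in the later hunk of this patch). A comment such as `/* 0 is ECS_RESERVED, so check_free_port() ignores it on early exits. */` would stop someone from changing the initialiser later. In `evtchn_alloc_unbound()` and `evtchn_bind_interdomain()` the same call relies on `port`/`lport` being assigned before the first `goto out`; those bodies start outside the hunks, so that should be confirmed against the tree.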
diff --git a/main/xen/xsa343-4.11-2.patch b/main/xen/xsa343-4.11-2.patch
new file mode 100644
index 00000000000..de42de4e357
--- /dev/null
+++ b/main/xen/xsa343-4.11-2.patch
@@ -0,0 +1,290 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn: convert per-channel lock to be IRQ-safe
+
+... in order for send_guest_{global,vcpu}_virq() to be able to make use
+of it.
+
+This is part of XSA-343.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -248,6 +248,7 @@ static long evtchn_alloc_unbound(evtchn_
+ int port;
+ domid_t dom = alloc->dom;
+ long rc;
++ unsigned long flags;
+
+ d = rcu_lock_domain_by_any_id(dom);
+ if ( d == NULL )
+@@ -263,14 +264,14 @@ static long evtchn_alloc_unbound(evtchn_
+ if ( rc )
+ goto out;
+
+- spin_lock(&chn->lock);
++ spin_lock_irqsave(&chn->lock, flags);
+
+ chn->state = ECS_UNBOUND;
+ if ( (chn->u.unbound.remote_domid = alloc->remote_dom) == DOMID_SELF )
+ chn->u.unbound.remote_domid = current->domain->domain_id;
+ evtchn_port_init(d, chn);
+
+- spin_unlock(&chn->lock);
++ spin_unlock_irqrestore(&chn->lock, flags);
+
+ alloc->port = port;
+
+@@ -283,26 +284,32 @@ static long evtchn_alloc_unbound(evtchn_
+ }
+
+
+-static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn)
++static unsigned long double_evtchn_lock(struct evtchn *lchn,
++ struct evtchn *rchn)
+ {
+- if ( lchn < rchn )
++ unsigned long flags;
++
++ if ( lchn <= rchn )
+ {
+- spin_lock(&lchn->lock);
+- spin_lock(&rchn->lock);
++ spin_lock_irqsave(&lchn->lock, flags);
++ if ( lchn != rchn )
++ spin_lock(&rchn->lock);
+ }
+ else
+ {
+- if ( lchn != rchn )
+- spin_lock(&rchn->lock);
++ spin_lock_irqsave(&rchn->lock, flags);
+ spin_lock(&lchn->lock);
+ }
++
++ return flags;
+ }
+
+-static void double_evtchn_unlock(struct evtchn *lchn, struct evtchn *rchn)
++static void double_evtchn_unlock(struct evtchn *lchn, struct evtchn *rchn,
++ unsigned long flags)
+ {
+- spin_unlock(&lchn->lock);
+ if ( lchn != rchn )
+- spin_unlock(&rchn->lock);
++ spin_unlock(&lchn->lock);
++ spin_unlock_irqrestore(&rchn->lock, flags);
+ }
+
+ static long evtchn_bind_interdomain(evtchn_bind_interdomain_t *bind)
+@@ -312,6 +319,7 @@ static long evtchn_bind_interdomain(evtc
+ int lport, rport = bind->remote_port;
+ domid_t rdom = bind->remote_dom;
+ long rc;
++ unsigned long flags;
+
+ if ( rdom == DOMID_SELF )
+ rdom = current->domain->domain_id;
+@@ -347,7 +355,7 @@ static long evtchn_bind_interdomain(evtc
+ if ( rc )
+ goto out;
+
+- double_evtchn_lock(lchn, rchn);
++ flags = double_evtchn_lock(lchn, rchn);
+
+ lchn->u.interdomain.remote_dom = rd;
+ lchn->u.interdomain.remote_port = rport;
+@@ -364,7 +372,7 @@ static long evtchn_bind_interdomain(evtc
+ */
+ evtchn_port_set_pending(ld, lchn->notify_vcpu_id, lchn);
+
+- double_evtchn_unlock(lchn, rchn);
++ double_evtchn_unlock(lchn, rchn, flags);
+
+ bind->local_port = lport;
+
+@@ -387,6 +395,7 @@ int evtchn_bind_virq(evtchn_bind_virq_t
+ struct domain *d = current->domain;
+ int virq = bind->virq, vcpu = bind->vcpu;
+ int rc = 0;
++ unsigned long flags;
+
+ if ( (virq < 0) || (virq >= ARRAY_SIZE(v->virq_to_evtchn)) )
+ return -EINVAL;
+@@ -419,14 +428,14 @@ int evtchn_bind_virq(evtchn_bind_virq_t
+
+ chn = evtchn_from_port(d, port);
+
+- spin_lock(&chn->lock);
++ spin_lock_irqsave(&chn->lock, flags);
+
+ chn->state = ECS_VIRQ;
+ chn->notify_vcpu_id = vcpu;
+ chn->u.virq = virq;
+ evtchn_port_init(d, chn);
+
+- spin_unlock(&chn->lock);
++ spin_unlock_irqrestore(&chn->lock, flags);
+
+ v->virq_to_evtchn[virq] = bind->port = port;
+
+@@ -443,6 +452,7 @@ static long evtchn_bind_ipi(evtchn_bind_
+ struct domain *d = current->domain;
+ int port, vcpu = bind->vcpu;
+ long rc = 0;
++ unsigned long flags;
+
+ if ( (vcpu < 0) || (vcpu >= d->max_vcpus) ||
+ (d->vcpu[vcpu] == NULL) )
+@@ -455,13 +465,13 @@ static long evtchn_bind_ipi(evtchn_bind_
+
+ chn = evtchn_from_port(d, port);
+
+- spin_lock(&chn->lock);
++ spin_lock_irqsave(&chn->lock, flags);
+
+ chn->state = ECS_IPI;
+ chn->notify_vcpu_id = vcpu;
+ evtchn_port_init(d, chn);
+
+- spin_unlock(&chn->lock);
++ spin_unlock_irqrestore(&chn->lock, flags);
+
+ bind->port = port;
+
+@@ -505,6 +515,7 @@ static long evtchn_bind_pirq(evtchn_bind
+ struct pirq *info;
+ int port = 0, pirq = bind->pirq;
+ long rc;
++ unsigned long flags;
+
+ if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
+ return -EINVAL;
+@@ -537,14 +548,14 @@ static long evtchn_bind_pirq(evtchn_bind
+ goto out;
+ }
+
+- spin_lock(&chn->lock);
++ spin_lock_irqsave(&chn->lock, flags);
+
+ chn->state = ECS_PIRQ;
+ chn->u.pirq.irq = pirq;
+ link_pirq_port(port, chn, v);
+ evtchn_port_init(d, chn);
+
+- spin_unlock(&chn->lock);
++ spin_unlock_irqrestore(&chn->lock, flags);
+
+ bind->port = port;
+
+@@ -565,6 +576,7 @@ int evtchn_close(struct domain *d1, int
+ struct evtchn *chn1, *chn2;
+ int port2;
+ long rc = 0;
++ unsigned long flags;
+
+ again:
+ spin_lock(&d1->event_lock);
+@@ -664,14 +676,14 @@ int evtchn_close(struct domain *d1, int
+ BUG_ON(chn2->state != ECS_INTERDOMAIN);
+ BUG_ON(chn2->u.interdomain.remote_dom != d1);
+
+- double_evtchn_lock(chn1, chn2);
++ flags = double_evtchn_lock(chn1, chn2);
+
+ evtchn_free(d1, chn1);
+
+ chn2->state = ECS_UNBOUND;
+ chn2->u.unbound.remote_domid = d1->domain_id;
+
+- double_evtchn_unlock(chn1, chn2);
++ double_evtchn_unlock(chn1, chn2, flags);
+
+ goto out;
+
+@@ -679,9 +691,9 @@ int evtchn_close(struct domain *d1, int
+ BUG();
+ }
+
+- spin_lock(&chn1->lock);
++ spin_lock_irqsave(&chn1->lock, flags);
+ evtchn_free(d1, chn1);
+- spin_unlock(&chn1->lock);
++ spin_unlock_irqrestore(&chn1->lock, flags);
+
+ out:
+ if ( d2 != NULL )
+@@ -701,13 +713,14 @@ int evtchn_send(struct domain *ld, unsig
+ struct evtchn *lchn, *rchn;
+ struct domain *rd;
+ int rport, ret = 0;
++ unsigned long flags;
+
+ if ( !port_is_valid(ld, lport) )
+ return -EINVAL;
+
+ lchn = evtchn_from_port(ld, lport);
+
+- spin_lock(&lchn->lock);
++ spin_lock_irqsave(&lchn->lock, flags);
+
+ /* Guest cannot send via a Xen-attached event channel. */
+ if ( unlikely(consumer_is_xen(lchn)) )
+@@ -742,7 +755,7 @@ int evtchn_send(struct domain *ld, unsig
+ }
+
+ out:
+- spin_unlock(&lchn->lock);
++ spin_unlock_irqrestore(&lchn->lock, flags);
+
+ return ret;
+ }
+@@ -1232,6 +1245,7 @@ int alloc_unbound_xen_event_channel(
+ {
+ struct evtchn *chn;
+ int port, rc;
++ unsigned long flags;
+
+ spin_lock(&ld->event_lock);
+
+@@ -1244,14 +1258,14 @@ int alloc_unbound_xen_event_channel(
+ if ( rc )
+ goto out;
+
+- spin_lock(&chn->lock);
++ spin_lock_irqsave(&chn->lock, flags);
+
+ chn->state = ECS_UNBOUND;
+ chn->xen_consumer = get_xen_consumer(notification_fn);
+ chn->notify_vcpu_id = lvcpu;
+ chn->u.unbound.remote_domid = remote_domid;
+
+- spin_unlock(&chn->lock);
++ spin_unlock_irqrestore(&chn->lock, flags);
+
+ write_atomic(&ld->xen_evtchns, ld->xen_evtchns + 1);
+
+@@ -1274,11 +1288,12 @@ void notify_via_xen_event_channel(struct
+ {
+ struct evtchn *lchn, *rchn;
+ struct domain *rd;
++ unsigned long flags;
+
+ ASSERT(port_is_valid(ld, lport));
+ lchn = evtchn_from_port(ld, lport);
+
+- spin_lock(&lchn->lock);
++ spin_lock_irqsave(&lchn->lock, flags);
+
+ if ( likely(lchn->state == ECS_INTERDOMAIN) )
+ {
+@@ -1288,7 +1303,7 @@ void notify_via_xen_event_channel(struct
+ evtchn_port_set_pending(rd, rchn->notify_vcpu_id, rchn);
+ }
+
+- spin_unlock(&lchn->lock);
++ spin_unlock_irqrestore(&lchn->lock, flags);
+ }
+
+ void evtchn_check_pollers(struct domain *d, unsigned int port)
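Review bot: `double_evtchn_lock()` and `double_evtchn_unlock()` now have an asymmetric contract that no comment records. The IRQ flags are saved by whichever lock is taken first (the lower address), but they are always restored on `rchn`, after `lchn` has been dropped with a plain `spin_unlock()`. This is correct because interrupts stay disabled until the final `spin_unlock_irqrestore()`, but it is easy to break in a later edit. I would add a comment above the pair, e.g. `/* IRQs are disabled by the first lock taken and re-enabled only by the last unlock; flags must come from the matching double_evtchn_lock(). */`. The same comment should mention that `<=` plus the inner `lchn != rchn` test is what keeps the same-channel case from taking one lock twice.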
diff --git a/main/xen/xsa343-4.11-3.patch b/main/xen/xsa343-4.11-3.patch
new file mode 100644
index 00000000000..b2c898989ea
--- /dev/null
+++ b/main/xen/xsa343-4.11-3.patch
@@ -0,0 +1,381 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn: address races with evtchn_reset()
+
+Neither d->evtchn_port_ops nor max_evtchns(d) may be used in an entirely
+lock-less manner, as both may change by a racing evtchn_reset(). In the
+common case, at least one of the domain's event lock or the per-channel
+lock needs to be held. In the specific case of the inter-domain sending
+by evtchn_send() and notify_via_xen_event_channel() holding the other
+side's per-channel lock is sufficient, as the channel can't change state
+without both per-channel locks held. Without such a channel changing
+state, evtchn_reset() can't complete successfully.
+
+Lock-free accesses continue to be permitted for the shim (calling some
+otherwise internal event channel functions), as this happens while the
+domain is in effectively single-threaded mode. Special care also needs
+taking for the shim's marking of in-use ports as ECS_RESERVED (allowing
+use of such ports in the shim case is okay because switching into and
+hence also out of FIFO mode is impossible there).
+
+As a side effect, certain operations on Xen bound event channels which
+were mistakenly permitted so far (e.g. unmask or poll) will be refused
+now.
+
+This is part of XSA-343.
+
+Reported-by: Julien Grall <jgrall@amazon.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/arch/x86/irq.c
++++ b/xen/arch/x86/irq.c
+@@ -2367,14 +2367,24 @@ static void dump_irqs(unsigned char key)
+
+ for ( i = 0; i < action->nr_guests; i++ )
+ {
++ struct evtchn *evtchn;
++ unsigned int pending = 2, masked = 2;
++
+ d = action->guest[i];
+ pirq = domain_irq_to_pirq(d, irq);
+ info = pirq_info(d, pirq);
++ evtchn = evtchn_from_port(d, info->evtchn);
++ local_irq_disable();
++ if ( spin_trylock(&evtchn->lock) )
++ {
++ pending = evtchn_is_pending(d, evtchn);
++ masked = evtchn_is_masked(d, evtchn);
++ spin_unlock(&evtchn->lock);
++ }
++ local_irq_enable();
+ printk("%u:%3d(%c%c%c)",
+- d->domain_id, pirq,
+- evtchn_port_is_pending(d, info->evtchn) ? 'P' : '-',
+- evtchn_port_is_masked(d, info->evtchn) ? 'M' : '-',
+- (info->masked ? 'M' : '-'));
++ d->domain_id, pirq, "-P?"[pending],
++ "-M?"[masked], info->masked ? 'M' : '-');
+ if ( i != action->nr_guests )
+ printk(",");
+ }
+--- a/xen/arch/x86/pv/shim.c
++++ b/xen/arch/x86/pv/shim.c
+@@ -616,8 +616,11 @@ void pv_shim_inject_evtchn(unsigned int
+ if ( port_is_valid(guest, port) )
+ {
+ struct evtchn *chn = evtchn_from_port(guest, port);
++ unsigned long flags;
+
++ spin_lock_irqsave(&chn->lock, flags);
+ evtchn_port_set_pending(guest, chn->notify_vcpu_id, chn);
++ spin_unlock_irqrestore(&chn->lock, flags);
+ }
+ }
+
+--- a/xen/common/event_2l.c
++++ b/xen/common/event_2l.c
+@@ -63,8 +63,10 @@ static void evtchn_2l_unmask(struct doma
+ }
+ }
+
+-static bool evtchn_2l_is_pending(const struct domain *d, evtchn_port_t port)
++static bool evtchn_2l_is_pending(const struct domain *d,
++ const struct evtchn *evtchn)
+ {
++ evtchn_port_t port = evtchn->port;
+ unsigned int max_ports = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
+
+ ASSERT(port < max_ports);
+@@ -72,8 +74,10 @@ static bool evtchn_2l_is_pending(const s
+ guest_test_bit(d, port, &shared_info(d, evtchn_pending)));
+ }
+
+-static bool evtchn_2l_is_masked(const struct domain *d, evtchn_port_t port)
++static bool evtchn_2l_is_masked(const struct domain *d,
++ const struct evtchn *evtchn)
+ {
++ evtchn_port_t port = evtchn->port;
+ unsigned int max_ports = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
+
+ ASSERT(port < max_ports);
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -156,8 +156,9 @@ int evtchn_allocate_port(struct domain *
+
+ if ( port_is_valid(d, port) )
+ {
+- if ( evtchn_from_port(d, port)->state != ECS_FREE ||
+- evtchn_port_is_busy(d, port) )
++ const struct evtchn *chn = evtchn_from_port(d, port);
++
++ if ( chn->state != ECS_FREE || evtchn_is_busy(d, chn) )
+ return -EBUSY;
+ }
+ else
+@@ -770,6 +771,7 @@ void send_guest_vcpu_virq(struct vcpu *v
+ unsigned long flags;
+ int port;
+ struct domain *d;
++ struct evtchn *chn;
+
+ ASSERT(!virq_is_global(virq));
+
+@@ -780,7 +782,10 @@ void send_guest_vcpu_virq(struct vcpu *v
+ goto out;
+
+ d = v->domain;
+- evtchn_port_set_pending(d, v->vcpu_id, evtchn_from_port(d, port));
++ chn = evtchn_from_port(d, port);
++ spin_lock(&chn->lock);
++ evtchn_port_set_pending(d, v->vcpu_id, chn);
++ spin_unlock(&chn->lock);
+
+ out:
+ spin_unlock_irqrestore(&v->virq_lock, flags);
+@@ -809,7 +814,9 @@ static void send_guest_global_virq(struc
+ goto out;
+
+ chn = evtchn_from_port(d, port);
++ spin_lock(&chn->lock);
+ evtchn_port_set_pending(d, chn->notify_vcpu_id, chn);
++ spin_unlock(&chn->lock);
+
+ out:
+ spin_unlock_irqrestore(&v->virq_lock, flags);
+@@ -819,6 +826,7 @@ void send_guest_pirq(struct domain *d, c
+ {
+ int port;
+ struct evtchn *chn;
++ unsigned long flags;
+
+ /*
+ * PV guests: It should not be possible to race with __evtchn_close(). The
+@@ -833,7 +841,9 @@ void send_guest_pirq(struct domain *d, c
+ }
+
+ chn = evtchn_from_port(d, port);
++ spin_lock_irqsave(&chn->lock, flags);
+ evtchn_port_set_pending(d, chn->notify_vcpu_id, chn);
++ spin_unlock_irqrestore(&chn->lock, flags);
+ }
+
+ static struct domain *global_virq_handlers[NR_VIRQS] __read_mostly;
+@@ -1028,12 +1038,15 @@ int evtchn_unmask(unsigned int port)
+ {
+ struct domain *d = current->domain;
+ struct evtchn *evtchn;
++ unsigned long flags;
+
+ if ( unlikely(!port_is_valid(d, port)) )
+ return -EINVAL;
+
+ evtchn = evtchn_from_port(d, port);
++ spin_lock_irqsave(&evtchn->lock, flags);
+ evtchn_port_unmask(d, evtchn);
++ spin_unlock_irqrestore(&evtchn->lock, flags);
+
+ return 0;
+ }
+@@ -1446,8 +1459,8 @@ static void domain_dump_evtchn_info(stru
+
+ printk(" %4u [%d/%d/",
+ port,
+- evtchn_port_is_pending(d, port),
+- evtchn_port_is_masked(d, port));
++ evtchn_is_pending(d, chn),
++ evtchn_is_masked(d, chn));
+ evtchn_port_print_state(d, chn);
+ printk("]: s=%d n=%d x=%d",
+ chn->state, chn->notify_vcpu_id, chn->xen_consumer);
+--- a/xen/common/event_fifo.c
++++ b/xen/common/event_fifo.c
+@@ -295,23 +295,26 @@ static void evtchn_fifo_unmask(struct do
+ evtchn_fifo_set_pending(v, evtchn);
+ }
+
+-static bool evtchn_fifo_is_pending(const struct domain *d, evtchn_port_t port)
++static bool evtchn_fifo_is_pending(const struct domain *d,
++ const struct evtchn *evtchn)
+ {
+- const event_word_t *word = evtchn_fifo_word_from_port(d, port);
++ const event_word_t *word = evtchn_fifo_word_from_port(d, evtchn->port);
+
+ return word && guest_test_bit(d, EVTCHN_FIFO_PENDING, word);
+ }
+
+-static bool_t evtchn_fifo_is_masked(const struct domain *d, evtchn_port_t port)
++static bool_t evtchn_fifo_is_masked(const struct domain *d,
++ const struct evtchn *evtchn)
+ {
+- const event_word_t *word = evtchn_fifo_word_from_port(d, port);
++ const event_word_t *word = evtchn_fifo_word_from_port(d, evtchn->port);
+
+ return !word || guest_test_bit(d, EVTCHN_FIFO_MASKED, word);
+ }
+
+-static bool_t evtchn_fifo_is_busy(const struct domain *d, evtchn_port_t port)
++static bool_t evtchn_fifo_is_busy(const struct domain *d,
++ const struct evtchn *evtchn)
+ {
+- const event_word_t *word = evtchn_fifo_word_from_port(d, port);
++ const event_word_t *word = evtchn_fifo_word_from_port(d, evtchn->port);
+
+ return word && guest_test_bit(d, EVTCHN_FIFO_LINKED, word);
+ }
+--- a/xen/include/asm-x86/event.h
++++ b/xen/include/asm-x86/event.h
+@@ -47,4 +47,10 @@ static inline bool arch_virq_is_global(u
+ return true;
+ }
+
++#ifdef CONFIG_PV_SHIM
++# include <asm/pv/shim.h>
++# define arch_evtchn_is_special(chn) \
++ (pv_shim && (chn)->port && (chn)->state == ECS_RESERVED)
++#endif
++
+ #endif
+--- a/xen/include/xen/event.h
++++ b/xen/include/xen/event.h
+@@ -125,6 +125,24 @@ static inline struct evtchn *evtchn_from
+ return bucket_from_port(d, p) + (p % EVTCHNS_PER_BUCKET);
+ }
+
++/*
++ * "usable" as in "by a guest", i.e. Xen consumed channels are assumed to be
++ * taken care of separately where used for Xen's internal purposes.
++ */
++static bool evtchn_usable(const struct evtchn *evtchn)
++{
++ if ( evtchn->xen_consumer )
++ return false;
++
++#ifdef arch_evtchn_is_special
++ if ( arch_evtchn_is_special(evtchn) )
++ return true;
++#endif
++
++ BUILD_BUG_ON(ECS_FREE > ECS_RESERVED);
++ return evtchn->state > ECS_RESERVED;
++}
++
+ /* Wait on a Xen-attached event channel. */
+ #define wait_on_xen_event_channel(port, condition) \
+ do { \
+@@ -157,19 +175,24 @@ int evtchn_reset(struct domain *d);
+
+ /*
+ * Low-level event channel port ops.
++ *
++ * All hooks have to be called with a lock held which prevents the channel
++ * from changing state. This may be the domain event lock, the per-channel
++ * lock, or in the case of sending interdomain events also the other side's
++ * per-channel lock. Exceptions apply in certain cases for the PV shim.
+ */
+ struct evtchn_port_ops {
+ void (*init)(struct domain *d, struct evtchn *evtchn);
+ void (*set_pending)(struct vcpu *v, struct evtchn *evtchn);
+ void (*clear_pending)(struct domain *d, struct evtchn *evtchn);
+ void (*unmask)(struct domain *d, struct evtchn *evtchn);
+- bool (*is_pending)(const struct domain *d, evtchn_port_t port);
+- bool (*is_masked)(const struct domain *d, evtchn_port_t port);
++ bool (*is_pending)(const struct domain *d, const struct evtchn *evtchn);
++ bool (*is_masked)(const struct domain *d, const struct evtchn *evtchn);
+ /*
+ * Is the port unavailable because it's still being cleaned up
+ * after being closed?
+ */
+- bool (*is_busy)(const struct domain *d, evtchn_port_t port);
++ bool (*is_busy)(const struct domain *d, const struct evtchn *evtchn);
+ int (*set_priority)(struct domain *d, struct evtchn *evtchn,
+ unsigned int priority);
+ void (*print_state)(struct domain *d, const struct evtchn *evtchn);
+@@ -185,38 +208,67 @@ static inline void evtchn_port_set_pendi
+ unsigned int vcpu_id,
+ struct evtchn *evtchn)
+ {
+- d->evtchn_port_ops->set_pending(d->vcpu[vcpu_id], evtchn);
++ if ( evtchn_usable(evtchn) )
++ d->evtchn_port_ops->set_pending(d->vcpu[vcpu_id], evtchn);
+ }
+
+ static inline void evtchn_port_clear_pending(struct domain *d,
+ struct evtchn *evtchn)
+ {
+- d->evtchn_port_ops->clear_pending(d, evtchn);
++ if ( evtchn_usable(evtchn) )
++ d->evtchn_port_ops->clear_pending(d, evtchn);
+ }
+
+ static inline void evtchn_port_unmask(struct domain *d,
+ struct evtchn *evtchn)
+ {
+- d->evtchn_port_ops->unmask(d, evtchn);
++ if ( evtchn_usable(evtchn) )
++ d->evtchn_port_ops->unmask(d, evtchn);
+ }
+
+-static inline bool evtchn_port_is_pending(const struct domain *d,
+- evtchn_port_t port)
++static inline bool evtchn_is_pending(const struct domain *d,
++ const struct evtchn *evtchn)
+ {
+- return d->evtchn_port_ops->is_pending(d, port);
++ return evtchn_usable(evtchn) && d->evtchn_port_ops->is_pending(d, evtchn);
+ }
+
+-static inline bool evtchn_port_is_masked(const struct domain *d,
+- evtchn_port_t port)
++static inline bool evtchn_port_is_pending(struct domain *d, evtchn_port_t port)
+ {
+- return d->evtchn_port_ops->is_masked(d, port);
++ struct evtchn *evtchn = evtchn_from_port(d, port);
++ bool rc;
++ unsigned long flags;
++
++ spin_lock_irqsave(&evtchn->lock, flags);
++ rc = evtchn_is_pending(d, evtchn);
++ spin_unlock_irqrestore(&evtchn->lock, flags);
++
++ return rc;
++}
++
++static inline bool evtchn_is_masked(const struct domain *d,
++ const struct evtchn *evtchn)
++{
++ return !evtchn_usable(evtchn) || d->evtchn_port_ops->is_masked(d, evtchn);
++}
++
++static inline bool evtchn_port_is_masked(struct domain *d, evtchn_port_t port)
++{
++ struct evtchn *evtchn = evtchn_from_port(d, port);
++ bool rc;
++ unsigned long flags;
++
++ spin_lock_irqsave(&evtchn->lock, flags);
++ rc = evtchn_is_masked(d, evtchn);
++ spin_unlock_irqrestore(&evtchn->lock, flags);
++
++ return rc;
+ }
+
+-static inline bool evtchn_port_is_busy(const struct domain *d,
+- evtchn_port_t port)
++static inline bool evtchn_is_busy(const struct domain *d,
++ const struct evtchn *evtchn)
+ {
+ return d->evtchn_port_ops->is_busy &&
+- d->evtchn_port_ops->is_busy(d, port);
++ d->evtchn_port_ops->is_busy(d, evtchn);
+ }
+
+ static inline int evtchn_port_set_priority(struct domain *d,
+@@ -225,6 +277,8 @@ static inline int evtchn_port_set_priori
+ {
+ if ( !d->evtchn_port_ops->set_priority )
+ return -ENOSYS;
++ if ( !evtchn_usable(evtchn) )
++ return -EACCES;
+ return d->evtchn_port_ops->set_priority(d, evtchn, priority);
+ }
+
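Review bot: In the xen/include/xen/event.h part of this patch, the re-added evtchn_port_is_pending() and evtchn_port_is_masked() wrappers call evtchn_from_port(d, port) and take the per-channel lock with no validity check, so they rely on every caller having run port_is_valid() first. The versions they replace handed the raw port to the ops hook, so this is a new precondition, and nothing in the patch states it. I would add `/* Caller must have validated the port with port_is_valid(). */` above both wrappers. Their callers are not part of this patch, so whether each one already checks cannot be confirmed from here. Separately, send_guest_vcpu_virq() and send_guest_global_virq() take plain `spin_lock(&chn->lock)` where the rest of the patch uses the irqsave form; that appears to rely on v->virq_lock already being held with interrupts saved, which deserves a one-line comment.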
diff --git a/main/xen/xsa344-4.11-1.patch b/main/xen/xsa344-4.11-1.patch
new file mode 100644
index 00000000000..43ad9e59848
--- /dev/null
+++ b/main/xen/xsa344-4.11-1.patch
@@ -0,0 +1,132 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn: arrange for preemption in evtchn_destroy()
+
+Especially closing of fully established interdomain channels can take
+quite some time, due to the locking involved. Therefore we shouldn't
+assume we can clean up still active ports all in one go. Besides adding
+the necessary preemption check, also avoid pointlessly starting from
+(or now really ending at) 0; 1 is the lowest numbered port which may
+need closing.
+
+Since we're now reducing ->valid_evtchns, free_xen_event_channel(),
+and (at least to be on the safe side) notify_via_xen_event_channel()
+need to cope with attempts to close / unbind from / send through already
+closed (and no longer valid, as per port_is_valid()) ports.
+
+This is part of XSA-344.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -646,7 +646,6 @@ int domain_kill(struct domain *d)
+ if ( d->is_dying != DOMDYING_alive )
+ return domain_kill(d);
+ d->is_dying = DOMDYING_dying;
+- evtchn_destroy(d);
+ gnttab_release_mappings(d);
+ tmem_destroy(d->tmem_client);
+ vnuma_destroy(d->vnuma);
+@@ -654,6 +653,9 @@ int domain_kill(struct domain *d)
+ d->tmem_client = NULL;
+ /* fallthrough */
+ case DOMDYING_dying:
++ rc = evtchn_destroy(d);
++ if ( rc )
++ break;
+ rc = domain_relinquish_resources(d);
+ if ( rc != 0 )
+ break;
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -1291,7 +1291,16 @@ int alloc_unbound_xen_event_channel(
+
+ void free_xen_event_channel(struct domain *d, int port)
+ {
+- BUG_ON(!port_is_valid(d, port));
++ if ( !port_is_valid(d, port) )
++ {
++ /*
++ * Make sure ->is_dying is read /after/ ->valid_evtchns, pairing
++ * with the spin_barrier() and BUG_ON() in evtchn_destroy().
++ */
++ smp_rmb();
++ BUG_ON(!d->is_dying);
++ return;
++ }
+
+ evtchn_close(d, port, 0);
+ }
+@@ -1303,7 +1312,17 @@ void notify_via_xen_event_channel(struct
+ struct domain *rd;
+ unsigned long flags;
+
+- ASSERT(port_is_valid(ld, lport));
++ if ( !port_is_valid(ld, lport) )
++ {
++ /*
++ * Make sure ->is_dying is read /after/ ->valid_evtchns, pairing
++ * with the spin_barrier() and BUG_ON() in evtchn_destroy().
++ */
++ smp_rmb();
++ ASSERT(ld->is_dying);
++ return;
++ }
++
+ lchn = evtchn_from_port(ld, lport);
+
+ spin_lock_irqsave(&lchn->lock, flags);
+@@ -1375,8 +1394,7 @@ int evtchn_init(struct domain *d)
+ return 0;
+ }
+
+-
+-void evtchn_destroy(struct domain *d)
++int evtchn_destroy(struct domain *d)
+ {
+ unsigned int i;
+
+@@ -1385,14 +1403,29 @@ void evtchn_destroy(struct domain *d)
+ spin_barrier(&d->event_lock);
+
+ /* Close all existing event channels. */
+- for ( i = 0; port_is_valid(d, i); i++ )
++ for ( i = d->valid_evtchns; --i; )
++ {
+ evtchn_close(d, i, 0);
+
++ /*
++ * Avoid preempting when called from domain_create()'s error path,
++ * and don't check too often (choice of frequency is arbitrary).
++ */
++ if ( i && !(i & 0x3f) && d->is_dying != DOMDYING_dead &&
++ hypercall_preempt_check() )
++ {
++ write_atomic(&d->valid_evtchns, i);
++ return -ERESTART;
++ }
++ }
++
+ ASSERT(!d->active_evtchns);
+
+ clear_global_virq_handlers(d);
+
+ evtchn_fifo_destroy(d);
++
++ return 0;
+ }
+
+
+--- a/xen/include/xen/sched.h
++++ b/xen/include/xen/sched.h
+@@ -135,7 +135,7 @@ struct evtchn
+ } __attribute__((aligned(64)));
+
+ int evtchn_init(struct domain *d); /* from domain_create */
+-void evtchn_destroy(struct domain *d); /* from domain_kill */
++int evtchn_destroy(struct domain *d); /* from domain_kill */
+ void evtchn_destroy_final(struct domain *d); /* from complete_domain_destroy */
+
+ struct waitqueue_vcpu;
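Review bot: The rewritten loop in evtchn_destroy(), `for ( i = d->valid_evtchns; --i; )`, depends on d->valid_evtchns being at least 1 on entry: i is unsigned, so a value of 0 would wrap on the first `--i` and the loop would walk down from UINT_MAX. evtchn_init() is only partly visible here, so if it guarantees a non-zero count, say so next to the loop, e.g. `/* valid_evtchns is non-zero after evtchn_init(), so --i cannot wrap. */`, or make it explicit with `ASSERT(d->valid_evtchns);`. Inside the body the `i &&` in the preemption test is redundant, because the loop condition already excludes 0.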
diff --git a/main/xen/xsa344-4.11-2.patch b/main/xen/xsa344-4.11-2.patch
new file mode 100644
index 00000000000..0f5c2136564
--- /dev/null
+++ b/main/xen/xsa344-4.11-2.patch
@@ -0,0 +1,203 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn: arrange for preemption in evtchn_reset()
+
+Like for evtchn_destroy() looping over all possible event channels to
+close them can take a significant amount of time. Unlike done there, we
+can't alter domain properties (i.e. d->valid_evtchns) here. Borrow, in a
+lightweight form, the paging domctl continuation concept, redirecting
+the continuations to different sub-ops. Just like there this is to be
+able to allow for predictable overall results of the involved sub-ops:
+Racing requests should either complete or be refused.
+
+Note that a domain can't interfere with an already started (by a remote
+domain) reset, due to being paused. It can prevent a remote reset from
+happening by leaving a reset unfinished, but that's only going to affect
+itself.
+
+This is part of XSA-344.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -1105,7 +1105,7 @@ void domain_unpause_except_self(struct d
+ domain_unpause(d);
+ }
+
+-int domain_soft_reset(struct domain *d)
++int domain_soft_reset(struct domain *d, bool resuming)
+ {
+ struct vcpu *v;
+ int rc;
+@@ -1119,7 +1119,7 @@ int domain_soft_reset(struct domain *d)
+ }
+ spin_unlock(&d->shutdown_lock);
+
+- rc = evtchn_reset(d);
++ rc = evtchn_reset(d, resuming);
+ if ( rc )
+ return rc;
+
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -648,12 +648,22 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
+ }
+
+ case XEN_DOMCTL_soft_reset:
++ case XEN_DOMCTL_soft_reset_cont:
+ if ( d == current->domain ) /* no domain_pause() */
+ {
+ ret = -EINVAL;
+ break;
+ }
+- ret = domain_soft_reset(d);
++ ret = domain_soft_reset(d, op->cmd == XEN_DOMCTL_soft_reset_cont);
++ if ( ret == -ERESTART )
++ {
++ op->cmd = XEN_DOMCTL_soft_reset_cont;
++ if ( !__copy_field_to_guest(u_domctl, op, cmd) )
++ ret = hypercall_create_continuation(__HYPERVISOR_domctl,
++ "h", u_domctl);
++ else
++ ret = -EFAULT;
++ }
+ break;
+
+ case XEN_DOMCTL_destroydomain:
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -1051,7 +1051,7 @@ int evtchn_unmask(unsigned int port)
+ return 0;
+ }
+
+-int evtchn_reset(struct domain *d)
++int evtchn_reset(struct domain *d, bool resuming)
+ {
+ unsigned int i;
+ int rc = 0;
+@@ -1059,11 +1059,40 @@ int evtchn_reset(struct domain *d)
+ if ( d != current->domain && !d->controller_pause_count )
+ return -EINVAL;
+
+- for ( i = 0; port_is_valid(d, i); i++ )
++ spin_lock(&d->event_lock);
++
++ /*
++ * If we are resuming, then start where we stopped. Otherwise, check
++ * that a reset operation is not already in progress, and if none is,
++ * record that this is now the case.
++ */
++ i = resuming ? d->next_evtchn : !d->next_evtchn;
++ if ( i > d->next_evtchn )
++ d->next_evtchn = i;
++
++ spin_unlock(&d->event_lock);
++
++ if ( !i )
++ return -EBUSY;
++
++ for ( ; port_is_valid(d, i); i++ )
++ {
+ evtchn_close(d, i, 1);
+
++ /* NB: Choice of frequency is arbitrary. */
++ if ( !(i & 0x3f) && hypercall_preempt_check() )
++ {
++ spin_lock(&d->event_lock);
++ d->next_evtchn = i;
++ spin_unlock(&d->event_lock);
++ return -ERESTART;
++ }
++ }
++
+ spin_lock(&d->event_lock);
+
++ d->next_evtchn = 0;
++
+ if ( d->active_evtchns > d->xen_evtchns )
+ rc = -EAGAIN;
+ else if ( d->evtchn_fifo )
+@@ -1198,7 +1227,8 @@ long do_event_channel_op(int cmd, XEN_GU
+ break;
+ }
+
+- case EVTCHNOP_reset: {
++ case EVTCHNOP_reset:
++ case EVTCHNOP_reset_cont: {
+ struct evtchn_reset reset;
+ struct domain *d;
+
+@@ -1211,9 +1241,13 @@ long do_event_channel_op(int cmd, XEN_GU
+
+ rc = xsm_evtchn_reset(XSM_TARGET, current->domain, d);
+ if ( !rc )
+- rc = evtchn_reset(d);
++ rc = evtchn_reset(d, cmd == EVTCHNOP_reset_cont);
+
+ rcu_unlock_domain(d);
++
++ if ( rc == -ERESTART )
++ rc = hypercall_create_continuation(__HYPERVISOR_event_channel_op,
++ "ih", EVTCHNOP_reset_cont, arg);
+ break;
+ }
+
+--- a/xen/include/public/domctl.h
++++ b/xen/include/public/domctl.h
+@@ -1121,7 +1121,10 @@ struct xen_domctl {
+ #define XEN_DOMCTL_iomem_permission 20
+ #define XEN_DOMCTL_ioport_permission 21
+ #define XEN_DOMCTL_hypercall_init 22
+-#define XEN_DOMCTL_arch_setup 23 /* Obsolete IA64 only */
++#ifdef __XEN__
++/* #define XEN_DOMCTL_arch_setup 23 Obsolete IA64 only */
++#define XEN_DOMCTL_soft_reset_cont 23
++#endif
+ #define XEN_DOMCTL_settimeoffset 24
+ #define XEN_DOMCTL_getvcpuaffinity 25
+ #define XEN_DOMCTL_real_mode_area 26 /* Obsolete PPC only */
+--- a/xen/include/public/event_channel.h
++++ b/xen/include/public/event_channel.h
+@@ -74,6 +74,9 @@
+ #define EVTCHNOP_init_control 11
+ #define EVTCHNOP_expand_array 12
+ #define EVTCHNOP_set_priority 13
++#ifdef __XEN__
++#define EVTCHNOP_reset_cont 14
++#endif
+ /* ` } */
+
+ typedef uint32_t evtchn_port_t;
+--- a/xen/include/xen/event.h
++++ b/xen/include/xen/event.h
+@@ -163,7 +163,7 @@ void evtchn_check_pollers(struct domain
+ void evtchn_2l_init(struct domain *d);
+
+ /* Close all event channels and reset to 2-level ABI. */
+-int evtchn_reset(struct domain *d);
++int evtchn_reset(struct domain *d, bool resuming);
+
+ /*
+ * Low-level event channel port ops.
+--- a/xen/include/xen/sched.h
++++ b/xen/include/xen/sched.h
+@@ -355,6 +355,8 @@ struct domain
+ * EVTCHNOP_reset). Read/write access like for active_evtchns.
+ */
+ unsigned int xen_evtchns;
++ /* Port to resume from in evtchn_reset(), when in a continuation. */
++ unsigned int next_evtchn;
+ spinlock_t event_lock;
+ const struct evtchn_port_ops *evtchn_port_ops;
+ struct evtchn_fifo_domain *evtchn_fifo;
+@@ -608,7 +610,7 @@ int domain_shutdown(struct domain *d, u8
+ void domain_resume(struct domain *d);
+ void domain_pause_for_debugger(void);
+
+-int domain_soft_reset(struct domain *d);
++int domain_soft_reset(struct domain *d, bool resuming);
+
+ int vcpu_start_shutdown_deferral(struct vcpu *v);
+ void vcpu_end_shutdown_deferral(struct vcpu *v);
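Review bot: The new d->next_evtchn field carries two meanings, but its comment in xen/include/xen/sched.h documents only one. In evtchn_reset() a non-zero value is also the "reset in progress" marker: `i = resuming ? d->next_evtchn : !d->next_evtchn;` makes a fresh request return -EBUSY while it is set, and a continuation return -EBUSY while it is clear. I would extend the field comment to `/* Port to resume from in evtchn_reset() when in a continuation; non-zero also means a reset is in progress. */`. The preemption interval `0x3f` is the same literal used in evtchn_destroy() by xsa344-4.11-1.patch; a shared named constant would keep the two in step.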
diff --git a/main/xorg-server/APKBUILD b/main/xorg-server/APKBUILD
index 767e58f1908..85779043935 100644
--- a/main/xorg-server/APKBUILD
+++ b/main/xorg-server/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xorg-server
pkgver=1.20.3
-pkgrel=1
+pkgrel=2
pkgdesc="X.Org X servers"
url="http://xorg.freedesktop.org"
arch="all"
@@ -61,10 +61,19 @@ source="https://www.x.org/releases/individual/xserver/$pkgname-$pkgver.tar.bz2
autoconfig-sis.patch
fix-musl-arm.patch
20-modules.conf
+ CVE-2020-14345.patch
+ CVE-2020-14346.patch
+ CVE-2020-14361.patch
+ CVE-2020-14362.patch
"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 1.20.3-r2:
+# - CVE-2020-14345
+# - CVE-2020-14346
+# - CVE-2020-14361
+# - CVE-2020-14362
# 1.20.3-r0:
# - CVE-2018-14665
# 1.19.5-r0:
@@ -181,8 +190,13 @@ xwayland() {
mv "$pkgdir"/usr/bin/Xwayland "$subpkgdir"/usr/bin/
}
+
sha512sums="ee44554f86df4297f54c5871fe7a18954eeef4338775a25f36d6577b279c4775f61128da71b86cfaeadcc080838d6749dede138d4db178866579da2056543fba xorg-server-1.20.3.tar.bz2
4dcaa60fbfc61636e7220a24a72bba19984a6dc752061cb40b1bd566c0e614d08927b6c223ffaaaa05636765fddacdc3113fde55d25fd09cd0c786ff44f51447 autoconfig-nvidia.patch
30a78f4278edd535c45ee3f80933427cb029a13abaa4b041f816515fdd8f64f00b9c6aef50d4eba2aaf0d4f333e730399864fd97fa18891273601c77a6637200 autoconfig-sis.patch
b799e757a22a61ac283adbd7a8df1ad4eccce0bb6cac38a0c962ba8438bba3cf6637a65bb64859e7b32399fca672283a49960207e186c271ba574580de360d09 fix-musl-arm.patch
-95036f2452732cc31f6b646da9f46b7be30f4c9392724386b02f67fece1f506b00e15d14cbd8cf0ce75ca1fd144b4bea7e59288d4aaf4d6c1e06e5168931eb67 20-modules.conf"
+95036f2452732cc31f6b646da9f46b7be30f4c9392724386b02f67fece1f506b00e15d14cbd8cf0ce75ca1fd144b4bea7e59288d4aaf4d6c1e06e5168931eb67 20-modules.conf
+3e411cb0af272b3f89ce9b8bb7e35eef703b4a01d8722331aaf3d365cd7867a28deee8d5224ceb8fe0cd63e9cf600f05d7360aa5ffb4c0ae2655e80e6430f7f9 CVE-2020-14345.patch
+6981bb37302e6c6afc6e389698eef1e1021577a6ac54a81ec0470cc198a975274db8a2b6d9ecd0b22a1c8bb6aff07d37030c3cd451467452e6a05203f942e296 CVE-2020-14346.patch
+4acf43c8a08a3ee3012cf9ae1af517bf8f7cc493316e6d9f5b55f39b205f22406b757618024e70ed98f9c56baa238ed166bcf8aa26995d33183e1e323c48f9c8 CVE-2020-14361.patch
+0fa92233e405b74de6dc4ee144d995581f0ab7fbf7ee5f8410e4a842496724ac9425ed6406881d005e4fc70d01d4d05c4aff83491683f3e270e9ba360cb94d52 CVE-2020-14362.patch"
diff --git a/main/xorg-server/CVE-2020-14345.patch b/main/xorg-server/CVE-2020-14345.patch
new file mode 100644
index 00000000000..677bcbce382
--- /dev/null
+++ b/main/xorg-server/CVE-2020-14345.patch
@@ -0,0 +1,178 @@
+From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:46:32 +0200
+Subject: [PATCH] Correct bounds checking in XkbSetNames()
+
+CVE-2020-14345 / ZDI 11428
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index d93078a6e3..8e016cd746 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
+ #define CHK_REQ_KEY_RANGE(err,first,num,r) \
+ CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+
++static Bool
++_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
++ char *cstuff = (char *)stuff;
++ char *cfrom = (char *)from;
++ char *cto = (char *)to;
++
++ return cfrom < cto &&
++ cfrom >= cstuff &&
++ cfrom < cstuff + ((size_t)client->req_len << 2) &&
++ cto >= cstuff &&
++ cto <= cstuff + ((size_t)client->req_len << 2);
++}
++
+ /***====================================================================***/
+
+ int
+@@ -4048,6 +4061,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
+ return BadAccess;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
++ return BadLength;
+ old = tmp;
+ tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
+ if (!tmp) {
+@@ -4077,6 +4092,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ }
+ width = (CARD8 *) tmp;
+ tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
++ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
++ return BadLength;
+ type = &xkb->map->types[stuff->firstKTLevel];
+ for (i = 0; i < stuff->nKTLevels; i++, type++) {
+ if (width[i] == 0)
+@@ -4086,6 +4103,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ type->num_levels, width[i]);
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
++ return BadLength;
+ tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
+ if (!tmp) {
+ client->errorValue = bad;
+@@ -4098,6 +4117,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x08;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->indicators)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
+ client->swapped, &bad);
+ if (!tmp) {
+@@ -4110,6 +4132,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x09;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->virtualMods)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
+ (CARD32) stuff->virtualMods,
+ client->swapped, &bad);
+@@ -4123,6 +4148,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x0a;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->groupNames)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
+ (CARD32) stuff->groupNames,
+ client->swapped, &bad);
+@@ -4144,9 +4172,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ stuff->nKeys);
+ return BadValue;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
++ return BadLength;
+ tmp += stuff->nKeys;
+ }
+ if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + (stuff->nKeyAliases * 2)))
++ return BadLength;
+ tmp += stuff->nKeyAliases * 2;
+ }
+ if (stuff->which & XkbRGNamesMask) {
+@@ -4154,6 +4187,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
+ return BadValue;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + stuff->nRadioGroups))
++ return BadLength;
+ tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
+ if (!tmp) {
+ client->errorValue = bad;
+@@ -4347,6 +4383,8 @@ ProcXkbSetNames(ClientPtr client)
+ /* check device-independent stuff */
+ tmp = (CARD32 *) &stuff[1];
+
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbKeycodesNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4354,6 +4392,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbGeometryNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4361,6 +4401,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbSymbolsNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4368,6 +4410,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbPhysSymbolsNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4375,6 +4419,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbTypesNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4382,6 +4428,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbCompatNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+--
+GitLab
+
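Review bot: In ProcXkbSetNames() each added `_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)` sits before the `if (stuff->which & ...)` test rather than inside it, so the request must have four bytes left at that position even when the corresponding name is not being set. A request whose data ends there (as far as the visible code shows, one that sets only the keycodes name would be an example) gets BadLength although nothing would be read past the end. Moving each check into its block keeps the protection, since tmp is only read inside it: `if (stuff->which & XkbKeycodesNameMask) {` followed by `if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) return BadLength;`, and likewise for the other five masks. The function body continues outside the hunks, so confirm against the full request layout before changing it.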
diff --git a/main/xorg-server/CVE-2020-14346.patch b/main/xorg-server/CVE-2020-14346.patch
new file mode 100644
index 00000000000..a2b771c2cfb
--- /dev/null
+++ b/main/xorg-server/CVE-2020-14346.patch
@@ -0,0 +1,31 @@
+From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:49:04 +0200
+Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
+
+CVE-2020-14346 / ZDI-CAN-11429
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/xichangehierarchy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index cbdd912581..504defe566 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ if (!stuff->num_changes)
+ return rc;
+
+- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
++ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
+
+ any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+ while (stuff->num_changes--) {
+--
+GitLab
+
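Review bot: The changed line in ProcXIChangeHierarchy still does an unsigned subtraction, so it cannot wrap only if the request has already been checked to be at least `sizeof(xXIChangeHierarchyReq)`. That size check is not in the hunk context (the function starts above it), so confirm it runs before this assignment. The same applies to `dataLeft` in SProcXkbSelectEvents in CVE-2020-14361.patch. Neither line says why `client->req_len` replaces `stuff->length`; I would add `/* use the server-computed req_len; stuff->length is client-controlled */` above both assignments.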
diff --git a/main/xorg-server/CVE-2020-14361.patch b/main/xorg-server/CVE-2020-14361.patch
new file mode 100644
index 00000000000..f17d8e7fc0d
--- /dev/null
+++ b/main/xorg-server/CVE-2020-14361.patch
@@ -0,0 +1,31 @@
+From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:52:29 +0200
+Subject: [PATCH] Fix XkbSelectEvents() integer underflow
+
+CVE-2020-14361 ZDI-CAN 11573
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ xkb/xkbSwap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
+index 1c1ed5ff46..50cabb90e5 100644
+--- a/xkb/xkbSwap.c
++++ b/xkb/xkbSwap.c
+@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
+ register unsigned bit, ndx, maskLeft, dataLeft, size;
+
+ from.c8 = (CARD8 *) &stuff[1];
+- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
++ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+ maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
+ for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
+ if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
+--
+GitLab
+
diff --git a/main/xorg-server/CVE-2020-14362.patch b/main/xorg-server/CVE-2020-14362.patch
new file mode 100644
index 00000000000..8f168044739
--- /dev/null
+++ b/main/xorg-server/CVE-2020-14362.patch
@@ -0,0 +1,65 @@
+From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
+
+CVE-2020-14362 ZDI-CAN-11574
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ record/record.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index f2d38c877e..be154525d2 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ } /* SProcRecordQueryVersion */
+
+ static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
++SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ {
+ int i;
+ XID *pClientID;
+@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+ swapl(&stuff->nRanges);
+ pClientID = (XID *) &stuff[1];
+ if (stuff->nClients >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++) {
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ - stuff->nClients)
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+--
+GitLab
+
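Review bot: SwapCreateRegister subtracts `bytes_to_int32(sz_xRecordRegisterClientsReq)` from `client->req_len`, but its caller SProcRecordCreateContext only guarantees `REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq)` before passing `(void *) stuff`. The first comparison therefore cannot wrap only if the two request structs have the same size, which these hunks do not show. I would document that on the helper, e.g. `/* callers must have checked req_len against sz_xRecordRegisterClientsReq; xRecordCreateContextReq is assumed to be the same size */`, or add a compile-time size check next to it. The `nRanges` bound that follows does not wrap, because `nClients` has already been limited by the first comparison.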
diff --git a/main/xorgproto/APKBUILD b/main/xorgproto/APKBUILD
index 16c6da7d1e1..3dca1958590 100644
--- a/main/xorgproto/APKBUILD
+++ b/main/xorgproto/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: prspkt <prspkt@protonmail.com>
pkgname=xorgproto
pkgver=2018.4
-pkgrel=0
+pkgrel=1
pkgdesc="Combined X.Org X11 protocol headers"
url="https://xorg.freedesktop.org"
arch="noarch"
@@ -68,6 +68,7 @@ package() {
rm -f "$pkgdir"/usr/include/X11/extensions/windows*
rm -f "$pkgdir"/usr/lib/pkgconfig/apple*
rm -f "$pkgdir"/usr/lib/pkgconfig/windows*
+ rm -f "$pkgdir"/usr/include/X11/extensions/XKBgeom.h # libx11-dev >= 1.6.9-r0
}
sha512sums="2db682d10280ca58cdc04d8eb9fef30c111d4cd379de9fec86cff317865b859a576de5426447be9231d24be9762cc1d684c57383a99ad499398e8b7d62b1c03c xorgproto-2018.4.tar.bz2"
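Review bot: The added `rm -f` in package() drops XKBgeom.h, and the trailing comment `# libx11-dev >= 1.6.9-r0` does not say that the header is now expected to come from that package. If that is the intent, a comment such as `# XKBgeom.h is shipped by libx11-dev >= 1.6.9-r0; removed here to avoid a file conflict` would make it clear. It is also worth checking that nothing built against xorgproto alone still includes this header. package() starts above the hunk.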
diff --git a/main/xtables-addons-vanilla/APKBUILD b/main/xtables-addons-vanilla/APKBUILD
index aa0f0c5854c..ec77c540fb2 100644
--- a/main/xtables-addons-vanilla/APKBUILD
+++ b/main/xtables-addons-vanilla/APKBUILD
@@ -7,7 +7,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kpkgver="$_kver-r$_krel"
diff --git a/main/zeromq/APKBUILD b/main/zeromq/APKBUILD
index 2c63c2d4cda..27d59249afe 100644
--- a/main/zeromq/APKBUILD
+++ b/main/zeromq/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zeromq
-pkgver=4.3.2
+pkgver=4.3.3
pkgrel=0
pkgdesc="The ZeroMQ messaging library and tools"
url="http://www.zeromq.org/"
@@ -16,10 +16,12 @@ source="https://github.com/zeromq/libzmq/releases/download/v$pkgver/$pkgname-$pk
"
# secfixes:
+# 4.3.3-r0:
+# - CVE-2020-15166
# 4.3.2-r0:
-# - CVE-2019-13132
+# - CVE-2019-13132
# 4.3.1-r0:
-# - CVE-2019-6250
+# - CVE-2019-6250
build() {
cd "$builddir"
@@ -44,5 +46,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="b6251641e884181db9e6b0b705cced7ea4038d404bdae812ff47bdd0eed12510b6af6846b85cb96898e253ccbac71eca7fe588673300ddb9c3109c973250c8e4 zeromq-4.3.2.tar.gz
+sha512sums="4c18d784085179c5b1fcb753a93813095a12c8d34970f2e1bfca6499be6c9d67769c71c68b7ca54ff181b20390043170e89733c22f76ff1ea46494814f7095b1 zeromq-4.3.3.tar.gz
64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660 test-driver.patch"
diff --git a/main/zfs-vanilla/APKBUILD b/main/zfs-vanilla/APKBUILD
index 3157d55e8c2..0579950dd8f 100644
--- a/main/zfs-vanilla/APKBUILD
+++ b/main/zfs-vanilla/APKBUILD
@@ -8,7 +8,7 @@ _rel=0
_flavor=${FLAVOR:-vanilla}
_kpkg=linux-$_flavor
-_kver=4.19.52
+_kver=4.19.118
_krel=0
_kpkgver="$_kver-r$_krel"