diff options
Diffstat (limited to 'main')
43 files changed, 2026 insertions, 142 deletions
diff --git a/main/bind/CVE-2020-8619.patch b/main/bind/CVE-2020-8619.patch new file mode 100644 index 0000000000..e6d305bdb8 --- /dev/null +++ b/main/bind/CVE-2020-8619.patch @@ -0,0 +1,545 @@ +From 569cc155b8680d8ed12db1fabbe20947db24a0f9 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Tue, 2 Jun 2020 12:38:40 +1000 +Subject: [PATCH] Remove INSIST from from new_reference + +RBTDB node can now appear on the deadnodes lists following the changes +to decrement_reference in 176b23b6cd98e5b58f832902fdbe964ee5f762d0 to +defer checking of node->down when the tree write lock is not held. The +node should be unlinked instead. +--- + lib/dns/rbtdb.c | 173 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 100 insertions(+), 73 deletions(-) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index bfe3538a59..87fbdb317b 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -1858,8 +1858,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { + * Caller must be holding the node lock. + */ + static inline void +-new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, ++ isc_rwlocktype_t locktype) { ++ if (locktype == isc_rwlocktype_write && ISC_LINK_LINKED(node, deadlink)) ++ { ++ ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node, ++ deadlink); ++ } + if (isc_refcount_increment0(&node->references) == 0) { + /* this is the first reference to the node */ + isc_refcount_increment0( +@@ -1877,13 +1882,14 @@ is_leaf(dns_rbtnode_t *node) { + } + + static inline void +-send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { ++send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, ++ isc_rwlocktype_t locktype) { + isc_event_t *ev; + dns_db_t *db; + + ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE, + prune_tree, node, sizeof(isc_event_t)); +- new_reference(rbtdb, node); ++ new_reference(rbtdb, node, locktype); + db = NULL; + attach((dns_db_t *)rbtdb, &db); + ev->ev_sender = db; +@@ -1919,7 +1925,7 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) { + node->data == NULL); + + if (is_leaf(node) && rbtdb->task != NULL) { +- send_to_prune_tree(rbtdb, node); ++ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write); + } else if (node->down == NULL && node->data == NULL) { + /* + * Not a interior node and not needing to be +@@ -1987,7 +1993,7 @@ reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, + } + } + +- new_reference(rbtdb, node); ++ new_reference(rbtdb, node, locktype); + + NODE_UNLOCK(nodelock, locktype); + } +@@ -2122,15 +2128,17 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, + * periodic walk-through). + */ + if (!pruning && is_leaf(node) && rbtdb->task != NULL) { +- send_to_prune_tree(rbtdb, node); ++ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write); + no_reference = false; + } else { + delete_node(rbtdb, node); + } + } else { + INSIST(node->data == NULL); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); +- ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink); ++ if (!ISC_LINK_LINKED(node, deadlink)) { ++ ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, ++ deadlink); ++ } + } + + restore_locks: +@@ -2200,16 +2208,13 @@ prune_tree(isc_task_t *task, isc_event_t *event) { + + /* + * We need to gain a reference to the node before +- * decrementing it in the next iteration. In addition, +- * if the node is in the dead-nodes list, extract it +- * from the list beforehand as we do in +- * reactivate_node(). ++ * decrementing it in the next iteration. + */ + if (ISC_LINK_LINKED(parent, deadlink)) { + ISC_LIST_UNLINK(rbtdb->deadnodes[locknum], + parent, deadlink); + } +- new_reference(rbtdb, parent); ++ new_reference(rbtdb, parent, isc_rwlocktype_write); + } else { + parent = NULL; + } +@@ -2976,7 +2981,7 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { + * We increment the reference count on node to ensure that + * search->zonecut_rdataset will still be valid later. + */ +- new_reference(search->rbtdb, node); ++ new_reference(search->rbtdb, node, isc_rwlocktype_read); + search->zonecut = node; + search->zonecut_rdataset = found; + search->need_cleanup = true; +@@ -3028,7 +3033,8 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { + + static inline void + bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, +- isc_stdtime_t now, dns_rdataset_t *rdataset) { ++ isc_stdtime_t now, isc_rwlocktype_t locktype, ++ dns_rdataset_t *rdataset) { + unsigned char *raw; /* RDATASLAB */ + + /* +@@ -3043,7 +3049,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, + return; + } + +- new_reference(rbtdb, node); ++ new_reference(rbtdb, node, locktype); + + INSIST(rdataset->methods == NULL); /* We must be disassociated. */ + +@@ -3148,12 +3154,12 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep, + NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock), + isc_rwlocktype_read); + bind_rdataset(search->rbtdb, node, search->zonecut_rdataset, +- search->now, rdataset); ++ search->now, isc_rwlocktype_read, rdataset); + if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL) + { + bind_rdataset(search->rbtdb, node, + search->zonecut_sigrdataset, search->now, +- sigrdataset); ++ isc_rwlocktype_read, sigrdataset); + } + NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock), + isc_rwlocktype_read); +@@ -3818,18 +3824,21 @@ again: + foundname, NULL); + if (result == ISC_R_SUCCESS) { + if (nodep != NULL) { +- new_reference(search->rbtdb, +- node); ++ new_reference( ++ search->rbtdb, node, ++ isc_rwlocktype_read); + *nodep = node; + } + bind_rdataset(search->rbtdb, node, + found, search->now, ++ isc_rwlocktype_read, + rdataset); + if (foundsig != NULL) { +- bind_rdataset(search->rbtdb, +- node, foundsig, +- search->now, +- sigrdataset); ++ bind_rdataset( ++ search->rbtdb, node, ++ foundsig, search->now, ++ isc_rwlocktype_read, ++ sigrdataset); + } + } + } else if (found == NULL && foundsig == NULL) { +@@ -4114,7 +4123,8 @@ found: + * ensure that search->zonecut_rdataset will + * still be valid later. + */ +- new_reference(search.rbtdb, node); ++ new_reference(search.rbtdb, node, ++ isc_rwlocktype_read); + search.zonecut = node; + search.zonecut_rdataset = header; + search.zonecut_sigrdataset = NULL; +@@ -4292,7 +4302,7 @@ found: + goto node_exit; + } + if (nodep != NULL) { +- new_reference(search.rbtdb, node); ++ new_reference(search.rbtdb, node, isc_rwlocktype_read); + *nodep = node; + } + if ((search.rbtversion->secure == dns_db_secure && +@@ -4300,10 +4310,10 @@ found: + (search.options & DNS_DBFIND_FORCENSEC) != 0) + { + bind_rdataset(search.rbtdb, node, nsecheader, 0, +- rdataset); ++ isc_rwlocktype_read, rdataset); + if (nsecsig != NULL) { + bind_rdataset(search.rbtdb, node, nsecsig, 0, +- sigrdataset); ++ isc_rwlocktype_read, sigrdataset); + } + } + if (wild) { +@@ -4376,7 +4386,7 @@ found: + + if (nodep != NULL) { + if (!at_zonecut) { +- new_reference(search.rbtdb, node); ++ new_reference(search.rbtdb, node, isc_rwlocktype_read); + } else { + search.need_cleanup = false; + } +@@ -4384,10 +4394,11 @@ found: + } + + if (type != dns_rdatatype_any) { +- bind_rdataset(search.rbtdb, node, found, 0, rdataset); ++ bind_rdataset(search.rbtdb, node, found, 0, isc_rwlocktype_read, ++ rdataset); + if (foundsig != NULL) { + bind_rdataset(search.rbtdb, node, foundsig, 0, +- sigrdataset); ++ isc_rwlocktype_read, sigrdataset); + } + } + +@@ -4570,8 +4581,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { + * We increment the reference count on node to ensure that + * search->zonecut_rdataset will still be valid later. + */ +- new_reference(search->rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search->rbtdb, node, locktype); + search->zonecut = node; + search->zonecut_rdataset = dname_header; + search->zonecut_sigrdataset = sigdname_header; +@@ -4679,14 +4689,15 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, + } + result = DNS_R_DELEGATION; + if (nodep != NULL) { +- new_reference(search->rbtdb, node); ++ new_reference(search->rbtdb, node, locktype); + *nodep = node; + } + bind_rdataset(search->rbtdb, node, found, search->now, +- rdataset); ++ locktype, rdataset); + if (foundsig != NULL) { + bind_rdataset(search->rbtdb, node, foundsig, +- search->now, sigrdataset); ++ search->now, locktype, ++ sigrdataset); + } + if (need_headerupdate(found, search->now) || + (foundsig != NULL && +@@ -4795,13 +4806,13 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, + if (result != ISC_R_SUCCESS) { + goto unlock_node; + } +- bind_rdataset(search->rbtdb, node, found, now, ++ bind_rdataset(search->rbtdb, node, found, now, locktype, + rdataset); + if (foundsig != NULL) { + bind_rdataset(search->rbtdb, node, foundsig, +- now, sigrdataset); ++ now, locktype, sigrdataset); + } +- new_reference(search->rbtdb, node); ++ new_reference(search->rbtdb, node, locktype); + *nodep = node; + result = DNS_R_COVERINGNSEC; + } else if (!empty_node) { +@@ -5026,18 +5037,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0 && + nsecheader != NULL) { + if (nodep != NULL) { +- new_reference(search.rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search.rbtdb, node, locktype); + *nodep = node; + } + bind_rdataset(search.rbtdb, node, nsecheader, +- search.now, rdataset); ++ search.now, locktype, rdataset); + if (need_headerupdate(nsecheader, search.now)) { + update = nsecheader; + } + if (nsecsig != NULL) { + bind_rdataset(search.rbtdb, node, nsecsig, +- search.now, sigrdataset); ++ search.now, locktype, ++ sigrdataset); + if (need_headerupdate(nsecsig, search.now)) { + updatesig = nsecsig; + } +@@ -5052,18 +5063,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + */ + if (nsheader != NULL) { + if (nodep != NULL) { +- new_reference(search.rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search.rbtdb, node, locktype); + *nodep = node; + } + bind_rdataset(search.rbtdb, node, nsheader, search.now, +- rdataset); ++ locktype, rdataset); + if (need_headerupdate(nsheader, search.now)) { + update = nsheader; + } + if (nssig != NULL) { + bind_rdataset(search.rbtdb, node, nssig, +- search.now, sigrdataset); ++ search.now, locktype, ++ sigrdataset); + if (need_headerupdate(nssig, search.now)) { + updatesig = nssig; + } +@@ -5084,8 +5095,7 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + */ + + if (nodep != NULL) { +- new_reference(search.rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search.rbtdb, node, locktype); + *nodep = node; + } + +@@ -5117,13 +5127,14 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN || + result == DNS_R_NCACHENXRRSET) + { +- bind_rdataset(search.rbtdb, node, found, search.now, rdataset); ++ bind_rdataset(search.rbtdb, node, found, search.now, locktype, ++ rdataset); + if (need_headerupdate(found, search.now)) { + update = found; + } + if (!NEGATIVE(found) && foundsig != NULL) { + bind_rdataset(search.rbtdb, node, foundsig, search.now, +- sigrdataset); ++ locktype, sigrdataset); + if (need_headerupdate(foundsig, search.now)) { + updatesig = foundsig; + } +@@ -5282,15 +5293,15 @@ cache_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options, + } + + if (nodep != NULL) { +- new_reference(search.rbtdb, node); +- INSIST(!ISC_LINK_LINKED(node, deadlink)); ++ new_reference(search.rbtdb, node, locktype); + *nodep = node; + } + +- bind_rdataset(search.rbtdb, node, found, search.now, rdataset); ++ bind_rdataset(search.rbtdb, node, found, search.now, locktype, ++ rdataset); + if (foundsig != NULL) { + bind_rdataset(search.rbtdb, node, foundsig, search.now, +- sigrdataset); ++ locktype, sigrdataset); + } + + if (need_headerupdate(found, search.now) || +@@ -5653,10 +5664,11 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + } + if (found != NULL) { +- bind_rdataset(rbtdb, rbtnode, found, now, rdataset); ++ bind_rdataset(rbtdb, rbtnode, found, now, isc_rwlocktype_read, ++ rdataset); + if (foundsig != NULL) { + bind_rdataset(rbtdb, rbtnode, foundsig, now, +- sigrdataset); ++ isc_rwlocktype_read, sigrdataset); + } + } + +@@ -5747,9 +5759,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + } + if (found != NULL) { +- bind_rdataset(rbtdb, rbtnode, found, now, rdataset); ++ bind_rdataset(rbtdb, rbtnode, found, now, locktype, rdataset); + if (!NEGATIVE(found) && foundsig != NULL) { +- bind_rdataset(rbtdb, rbtnode, foundsig, now, ++ bind_rdataset(rbtdb, rbtnode, foundsig, now, locktype, + sigrdataset); + } + } +@@ -5917,6 +5929,9 @@ resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) { + return (result); + } + ++/* ++ * node write lock must be held. ++ */ + static void + resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, + rdatasetheader_t *header) { +@@ -5928,7 +5943,8 @@ resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, + header->heap_index); + header->heap_index = 0; + if (version != NULL) { +- new_reference(rbtdb, header->node); ++ new_reference(rbtdb, header->node, ++ isc_rwlocktype_write); + ISC_LIST_APPEND(version->resigned_list, header, link); + } + } +@@ -5959,6 +5975,9 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion, + RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); + } + ++/* ++ * write lock on rbtnode must be held. ++ */ + static isc_result_t + add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename, + rbtdb_version_t *rbtversion, rdatasetheader_t *newheader, +@@ -6085,9 +6104,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename, + free_rdataset(rbtdb, rbtdb->common.mctx, + newheader); + if (addedrdataset != NULL) { +- bind_rdataset(rbtdb, rbtnode, +- topheader, now, +- addedrdataset); ++ bind_rdataset( ++ rbtdb, rbtnode, ++ topheader, now, ++ isc_rwlocktype_write, ++ addedrdataset); + } + return (DNS_R_UNCHANGED); + } +@@ -6147,6 +6168,7 @@ find_header: + free_rdataset(rbtdb, rbtdb->common.mctx, newheader); + if (addedrdataset != NULL) { + bind_rdataset(rbtdb, rbtnode, header, now, ++ isc_rwlocktype_write, + addedrdataset); + } + return (DNS_R_UNCHANGED); +@@ -6258,6 +6280,7 @@ find_header: + free_rdataset(rbtdb, rbtdb->common.mctx, newheader); + if (addedrdataset != NULL) { + bind_rdataset(rbtdb, rbtnode, header, now, ++ isc_rwlocktype_write, + addedrdataset); + } + return (ISC_R_SUCCESS); +@@ -6307,6 +6330,7 @@ find_header: + free_rdataset(rbtdb, rbtdb->common.mctx, newheader); + if (addedrdataset != NULL) { + bind_rdataset(rbtdb, rbtnode, header, now, ++ isc_rwlocktype_write, + addedrdataset); + } + return (ISC_R_SUCCESS); +@@ -6504,7 +6528,8 @@ find_header: + } + + if (addedrdataset != NULL) { +- bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset); ++ bind_rdataset(rbtdb, rbtnode, newheader, now, ++ isc_rwlocktype_write, addedrdataset); + } + + return (ISC_R_SUCCESS); +@@ -7045,13 +7070,15 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + + if (result == ISC_R_SUCCESS && newrdataset != NULL) { +- bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset); ++ bind_rdataset(rbtdb, rbtnode, newheader, 0, ++ isc_rwlocktype_write, newrdataset); + } + + if (result == DNS_R_NXRRSET && newrdataset != NULL && + (options & DNS_DBSUB_WANTOLD) != 0) + { +- bind_rdataset(rbtdb, rbtnode, header, 0, newrdataset); ++ bind_rdataset(rbtdb, rbtnode, header, 0, isc_rwlocktype_write, ++ newrdataset); + } + + unlock: +@@ -7929,8 +7956,7 @@ getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) { + /* Note that the access to origin_node doesn't require a DB lock */ + onode = (dns_rbtnode_t *)rbtdb->origin_node; + if (onode != NULL) { +- new_reference(rbtdb, onode); +- ++ new_reference(rbtdb, onode, isc_rwlocktype_none); + *nodep = rbtdb->origin_node; + } else { + INSIST(IS_CACHE(rbtdb)); +@@ -8123,7 +8149,8 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *foundname) { + * Found something; pass back the answer and unlock + * the bucket. + */ +- bind_rdataset(rbtdb, header->node, header, 0, rdataset); ++ bind_rdataset(rbtdb, header->node, header, 0, ++ isc_rwlocktype_read, rdataset); + + if (foundname != NULL) { + dns_rbt_fullnamefromnode(header->node, foundname); +@@ -9130,7 +9157,7 @@ rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) { + isc_rwlocktype_read); + + bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now, +- rdataset); ++ isc_rwlocktype_read, rdataset); + + NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_read); +@@ -9585,7 +9612,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, + result = ISC_R_SUCCESS; + } + +- new_reference(rbtdb, node); ++ new_reference(rbtdb, node, isc_rwlocktype_none); + + *nodep = rbtdbiter->node; + +@@ -10498,7 +10525,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked, + * We first need to gain a new reference to the node to meet a + * requirement of decrement_reference(). + */ +- new_reference(rbtdb, header->node); ++ new_reference(rbtdb, header->node, isc_rwlocktype_write); + decrement_reference(rbtdb, header->node, 0, + isc_rwlocktype_write, + tree_locked ? isc_rwlocktype_write +-- +GitLab diff --git a/main/bluez/APKBUILD b/main/bluez/APKBUILD index 7a6788eacb..e431f069e5 100644 --- a/main/bluez/APKBUILD +++ b/main/bluez/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=bluez pkgver=5.50 -pkgrel=1 +pkgrel=2 pkgdesc="Tools for the Bluetooth protocol stack" url="http://www.bluez.org/" arch="all" @@ -25,10 +25,13 @@ source="https://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz disable-lock-test.patch fix-endianness.patch CVE-2020-0556.patch + CVE-2020-27153.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 5.50-r2: +# - CVE-2020-27153 # 5.50-r1: # - CVE-2020-0556 @@ -126,4 +129,5 @@ d5fd1c962bd846eaa6fff879bab85f753eb367d514f82d133b5d3242e1da989af5eddd942c60a87d 41ce7ccf78cca97563f0ef31e01dac6eb4484c24fe57be360b5e8de8c5bff5845e9d395766f891bd3f123788344456c88c9fc00cd1bb7c6a1dca89d09f19172b bluez-5.40-obexd_without_systemd-1.patch 04c4889372c8e790bb338dde7ffa76dc32fcf7370025c71b9184fcf17fd01ade4a6613d84d648303af3bbc54043ad489f29fc0cd4679ec8c9029dcb846d7e026 disable-lock-test.patch 118d55183860f395fc4bdc93efffb13902ebf7388cad722b9061cd2860d404333e500af521741c3d92c0f8a161f6810348fbeb6682e49c372383f417aed8c76a fix-endianness.patch -1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch" +1f7c41399e746942e091db22c1b42a0bd87dafd83c5074a34c24f51efd88ed4d2957308f9b4da0fdcd6cd99ea5b9e1885d628ae01ddde56cf31140ccc895be61 CVE-2020-0556.patch +c8e65bdfb5edc8edd0d1f9a153a7d5b953f0c5700aa61645af251cd857117990090a27c0ee133056fc045d0f6b6a3c1aad60ff0dfd3707c2c5ba29c518fccca8 CVE-2020-27153.patch" diff --git a/main/bluez/CVE-2020-27153.patch b/main/bluez/CVE-2020-27153.patch new file mode 100644 index 0000000000..48a346fe2c --- /dev/null +++ b/main/bluez/CVE-2020-27153.patch @@ -0,0 +1,95 @@ +Adapted from https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a + +diff --git a/src/shared/att.c b/src/shared/att.c +index 0ea6d55..b0fdb8e 100644 +--- a/src/shared/att.c ++++ b/src/shared/att.c +@@ -62,6 +62,7 @@ struct bt_att { + struct queue *ind_queue; /* Queued ATT protocol indications */ + struct att_send_op *pending_ind; + struct queue *write_queue; /* Queue of PDUs ready to send */ ++ bool in_disc; /* Cleanup queues on disconnect_cb */ + bool writer_active; + + struct queue *notify_list; /* List of registered callbacks */ +@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data) + free(op); + } + +-static void cancel_att_send_op(struct att_send_op *op) ++static void cancel_att_send_op(void *data) + { ++ struct att_send_op *op = data; ++ + if (op->destroy) + op->destroy(op->user_data); + +@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data) + att->io = NULL; + att->fd = -1; + +- /* Notify request callbacks */ +- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op); +- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op); +- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op); +- + if (att->pending_req) { + disc_att_send_op(att->pending_req); + att->pending_req = NULL; +@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data) + + bt_att_ref(att); + ++ att->in_disc = true; ++ ++ /* Notify request callbacks */ ++ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op); ++ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op); ++ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op); ++ ++ att->in_disc = false; ++ + queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err)); + + bt_att_unregister_all(att); +@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b) + return op->id == id; + } + ++static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id) ++{ ++ struct att_send_op *op; ++ ++ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id)); ++ if (op) ++ goto done; ++ ++ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id)); ++ if (op) ++ goto done; ++ ++ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id)); ++ ++done: ++ if (!op) ++ return false; ++ ++ /* Just cancel since disconnect_cb will be cleaning up */ ++ cancel_att_send_op(op); ++ ++ return true; ++} ++ + bool bt_att_cancel(struct bt_att *att, unsigned int id) + { + struct att_send_op *op; +@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id) + return true; + } + ++ if (att->in_disc) ++ return bt_att_disc_cancel(att, id); ++ + op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id)); + if (op) + goto done; diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD index 3c7166e23d..127c7292d8 100644 --- a/main/cups/APKBUILD +++ b/main/cups/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cups pkgver=2.2.12 -pkgrel=0 +pkgrel=1 pkgdesc="The CUPS Printing System" url="https://www.cups.org/" arch="all" @@ -20,10 +20,15 @@ source="https://github.com/apple/cups/releases/download/v$pkgver/cups-$pkgver-so cupsd.initd cups-no-export-ssllibs.patch default-config-no-gssapi.patch + CVE-2019-8842.patch + CVE-2020-3898.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 2.2.12-r1: +# - CVE-2019-8842 +# - CVE-2020-3898 # 2.2.12-r0: # - CVE-2019-8696 # - CVE-2019-8675 @@ -134,4 +139,6 @@ sha512sums="b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df cf64211da59e79285f99d437c02fdd7db462855fb2920ec9563ba47bd8a9e5cbd10555094940ceedeb41ac805c4f0ddb9147481470112a11a76220d0298aef79 cups.logrotate 2c2683f755a220166b3a1653fdd1a6daa9718c8f0bbdff2e2d5e61d1133306260d63a83d3ff41619b5cf84c4913fae5822b79553e2822858f38fa3613f4c7082 cupsd.initd 7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch -98bb97f4af69ea286fc3d398b8e57c32440e6b2d49fb7f79b418a4fe7f13441f3a610f65d3433d10d971ade808233c0b29b4d66160623ccaae919179384be918 default-config-no-gssapi.patch" +98bb97f4af69ea286fc3d398b8e57c32440e6b2d49fb7f79b418a4fe7f13441f3a610f65d3433d10d971ade808233c0b29b4d66160623ccaae919179384be918 default-config-no-gssapi.patch +1a6dc3560c78eef28cad977abde076c02791e34fc05e53ce3137ac4ff1feb2f6bae5f64ba8733f44280ac4273d825372b29b15da6bb179776496f62a7d06462d CVE-2019-8842.patch +560466d3721cd105ef1e6aa03d0cb6c55964e94f06fe80e2f8570d481941cfd03ac6940d0108e111ea7f4bee55460b93423975410890e105902c5a4ce3b79d77 CVE-2020-3898.patch" diff --git a/main/cups/CVE-2019-8842.patch b/main/cups/CVE-2019-8842.patch new file mode 100644 index 0000000000..2e1a212239 --- /dev/null +++ b/main/cups/CVE-2019-8842.patch @@ -0,0 +1,13 @@ +diff --git a/cups/ipp.c b/cups/ipp.c +index b0762fd..dba4f31 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data source */ + * Read 32-bit "extension" tag... + */ + +- if ((*cb)(src, buffer, 4) < 1) ++ if ((*cb)(src, buffer, 4) < 4) + { + DEBUG_puts("1ippReadIO: Callback returned EOF/error"); + _cupsBufferRelease((char *)buffer); diff --git a/main/cups/CVE-2020-3898.patch b/main/cups/CVE-2020-3898.patch new file mode 100644 index 0000000000..d797a0be1a --- /dev/null +++ b/main/cups/CVE-2020-3898.patch @@ -0,0 +1,14 @@ +diff --git a/cups/ppd.c b/cups/ppd.c +index 58d92c1..5bc7939 100644 +--- a/cups/ppd.c ++++ b/cups/ppd.c +@@ -1730,8 +1730,7 @@ _ppdOpen( + constraint->choice1, constraint->option2, + constraint->choice2)) + { +- case 0 : /* Error */ +- case 1 : /* Error */ ++ default : /* Error */ + pg->ppd_status = PPD_BAD_UI_CONSTRAINTS; + goto error; + diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD index 8af79f2f03..3431a71ebf 100644 --- a/main/curl/APKBUILD +++ b/main/curl/APKBUILD @@ -4,7 +4,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=curl pkgver=7.64.0 -pkgrel=4 +pkgrel=5 pkgdesc="URL retrival utility and library" url="https://curl.haxx.se" arch="all" @@ -22,11 +22,14 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz CVE-2019-5482.patch CVE-2020-8169.patch CVE-2020-8177.patch + CVE-2020-8231.patch " options="!check" # sftp tests failing builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 7.66.0-r5: +# - CVE-2020-8231 # 7.64.0-r4: # - CVE-2020-8169 # - CVE-2020-8177 @@ -139,4 +142,5 @@ c629a1b36920a3f8eab3321b0222e203f53f29e5947d39a0c32e0a7de2d8ab2182c3d6bbb0828847 37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf CVE-2019-5481.patch 6703658d9212bb87de22fabd996e8f8eb8c98aa4c015b1daa4c1a15f503c4a5530dafbcc1817032d973ef94ac29fe7b8ee16426e443b20d0bcdbe5d7f0209ffb CVE-2019-5482.patch 4950975d59bdf8398dd5f4b8338e5f76ae3752247be9054a28753351bcddb46f71a8bd601dba31da1b6b3fbbfbe6192f33a6500144d89f2cfdfb47161e3addba CVE-2020-8169.patch -250359963230de2970ab4a56d731312f0772d6f89672b4189e7d6aa8553cb9efd8808221f418a1b7778f7b9e52a45738451aec2d4a0e73e084a748cff1b3d6da CVE-2020-8177.patch" +250359963230de2970ab4a56d731312f0772d6f89672b4189e7d6aa8553cb9efd8808221f418a1b7778f7b9e52a45738451aec2d4a0e73e084a748cff1b3d6da CVE-2020-8177.patch +d5f4421e5ac6f89220d00fb156c803edbb64679e9064ca8328269eea3582ee7780f77522b5069a1288cc09e968567175c94139249cc337906243c95d0bc3e684 CVE-2020-8231.patch" diff --git a/main/curl/CVE-2020-8231.patch b/main/curl/CVE-2020-8231.patch new file mode 100644 index 0000000000..0d6a76d94d --- /dev/null +++ b/main/curl/CVE-2020-8231.patch @@ -0,0 +1,123 @@ +Based on https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8 + +Didn't apply cleanly, fixed up lib/urldata.h and lib/url.c, ignored 2 changes in lib/multi.c +that refer to things that do not yet exist in this version of curl + +diff --git a/lib/connect.c b/lib/connect.c +index 0a7475c..b3d4057 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -1356,15 +1356,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */ + } + + struct connfind { +- struct connectdata *tofind; +- bool found; ++ long id_tofind; ++ struct connectdata *found; + }; + + static int conn_is_conn(struct connectdata *conn, void *param) + { + struct connfind *f = (struct connfind *)param; +- if(conn == f->tofind) { +- f->found = TRUE; ++ if(conn->connection_id == f->id_tofind) { ++ f->found = conn; + return 1; + } + return 0; +@@ -1386,21 +1386,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data, + * - that is associated with a multi handle, and whose connection + * was detached with CURLOPT_CONNECT_ONLY + */ +- if(data->state.lastconnect && (data->multi_easy || data->multi)) { +- struct connectdata *c = data->state.lastconnect; ++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) { ++ struct connectdata *c; + struct connfind find; +- find.tofind = data->state.lastconnect; +- find.found = FALSE; ++ find.id_tofind = data->state.lastconnect_id; ++ find.found = NULL; + + Curl_conncache_foreach(data, data->multi_easy? + &data->multi_easy->conn_cache: + &data->multi->conn_cache, &find, conn_is_conn); + + if(!find.found) { +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + return CURL_SOCKET_BAD; + } + ++ c = find.found; + if(connp) { + /* only store this if the caller cares for it */ + *connp = c; +diff --git a/lib/easy.c b/lib/easy.c +index b648e80..7b0ea9a 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -831,8 +831,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + + /* the connection cache is setup on demand */ + outcurl->state.conn_cache = NULL; +- +- outcurl->state.lastconnect = NULL; ++ outcurl->state.lastconnect_id = -1; + + outcurl->progress.flags = data->progress.flags; + outcurl->progress.callback = data->progress.callback; +diff --git a/lib/multi.c b/lib/multi.c +index e10e752..02687dd 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -454,6 +454,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi, + data->state.conn_cache = &data->share->conn_cache; + else + data->state.conn_cache = &multi->conn_cache; ++ data->state.lastconnect_id = -1; + + #ifdef USE_LIBPSL + /* Do the same for PSL. */ +@@ -669,11 +670,11 @@ static CURLcode multi_done(struct Curl_easy *data, + CONN_UNLOCK(data); + if(Curl_conncache_return_conn(data, conn)) { + /* remember the most recently used connection */ +- data->state.lastconnect = conn; ++ data->state.lastconnect_id = conn->connection_id; + infof(data, "%s\n", buffer); + } + else +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + } + + Curl_free_request_state(data); +diff --git a/lib/url.c b/lib/url.c +index 47fc66a..f0a880f 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -617,7 +617,7 @@ CURLcode Curl_open(struct Curl_easy **curl) + Curl_initinfo(data); + + /* most recent connection is not yet defined */ +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + + data->progress.flags |= PGRS_HIDE; + data->state.current_speed = -1; /* init to negative == impossible */ +diff --git a/lib/urldata.h b/lib/urldata.h +index fbb8b64..6586986 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1332,7 +1332,7 @@ struct UrlState { + /* buffers to store authentication data in, as parsed from input options */ + struct curltime keeps_speed; /* for the progress meter really */ + +- struct connectdata *lastconnect; /* The last connection, NULL if undefined */ ++ long lastconnect_id; /* The last connection, -1 if undefined */ + + char *headerbuff; /* allocated buffer to store headers in */ + size_t headersize; /* size of the allocation */ diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD index 3d7caebb5a..3ca3451bfc 100644 --- a/main/dovecot/APKBUILD +++ b/main/dovecot/APKBUILD @@ -6,7 +6,7 @@ pkgname=dovecot pkgver=2.3.10.1 _pkgvermajor=2.3 -pkgrel=0 +pkgrel=1 _pigeonholever=0.5.10 _pigeonholevermajor=${_pigeonholever%.*} pkgdesc="IMAP and POP3 server" @@ -61,6 +61,8 @@ source="https://www.dovecot.org/releases/$_pkgvermajor/$pkgname-$pkgver.tar.gz skip-iconv-check.patch split-protocols.patch default-config.patch + CVE-2020-12673.patch + CVE-2020-12674.patch dovecot.logrotate dovecot.initd " @@ -68,6 +70,9 @@ builddir="$srcdir/$pkgname-$pkgver" _builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever" # secfixes: +# 2.3.10.1-r1: +# - CVE-2020-12673 +# - CVE-2020-12674 # 2.3.10.1-r0: # - CVE-2020-10957 # - CVE-2020-10958 @@ -314,5 +319,7 @@ f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch 794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch 0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch +54d5b1bfbc9fcdc00a5c943420bcbbfc8f0107ab2ff160ef0b2f73093a23766e0fcdb4cfc7944def40526414f97aff818cac6bdec155a6f3962f477b210a8ed5 CVE-2020-12673.patch +3599ca53dff1234dcea483006a82ec7276c1feee8df4f1df50f0b080202e351dd34e011af1bbdbdce1d9db54761beb0890b0be6e4ce7ed86e62513896c072e0c CVE-2020-12674.patch 9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd" diff --git a/main/dovecot/CVE-2020-12673.patch b/main/dovecot/CVE-2020-12673.patch new file mode 100644 index 0000000000..9dd26e0350 --- /dev/null +++ b/main/dovecot/CVE-2020-12673.patch @@ -0,0 +1,31 @@ +From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Mon, 18 May 2020 12:33:39 +0300 +Subject: [PATCH] lib-ntlm: Check buffer length on responses + +Add missing check for buffer length. + +If this is not checked, it is possible to send message which +causes read past buffer bug. + +Broken in c7480644202e5451fbed448508ea29a25cffc99c +--- + src/lib-ntlm/ntlm-message.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c +index 160b9f918c..a29413b47e 100644 +--- a/src/lib-ntlm/ntlm-message.c ++++ b/src/lib-ntlm/ntlm-message.c +@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer, + if (length == 0 && space == 0) + return TRUE; + ++ if (length > data_size) { ++ *error = "buffer length out of bounds"; ++ return FALSE; ++ } ++ + if (offset >= data_size) { + *error = "buffer offset out of bounds"; + return FALSE; diff --git a/main/dovecot/CVE-2020-12674.patch b/main/dovecot/CVE-2020-12674.patch new file mode 100644 index 0000000000..a9dca2a82d --- /dev/null +++ b/main/dovecot/CVE-2020-12674.patch @@ -0,0 +1,22 @@ +From 69ad3c902ea4bbf9f21ab1857d8923f975dc6145 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Wed, 6 May 2020 13:40:36 +0300 +Subject: [PATCH] auth: mech-rpa - Fail on zero len buffer + +--- + src/auth/mech-rpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c +index 08298ebdd6..2de8705b4f 100644 +--- a/src/auth/mech-rpa.c ++++ b/src/auth/mech-rpa.c +@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data, + return 0; + + len = *p++; +- if (p + len > end) ++ if (p + len > end || len == 0) + return 0; + + *buffer = p_malloc(pool, len); diff --git a/main/jbig2dec/APKBUILD b/main/jbig2dec/APKBUILD index b4396b7869..670eff8d95 100644 --- a/main/jbig2dec/APKBUILD +++ b/main/jbig2dec/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=jbig2dec pkgver=0.15 -pkgrel=0 +pkgrel=1 pkgdesc="JBIG2 image compression format decoder" url="https://www.ghostscript.com/jbig2dec.html" arch="all" @@ -10,7 +10,13 @@ license="GPL-2.0-or-later" makedepends="autoconf automake libtool" checkdepends="python2" subpackages="$pkgname-dev $pkgname-doc" -source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/jbig2dec-0.15.tar.gz" +source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs924/jbig2dec-0.15.tar.gz + CVE-2020-12268.patch + " + +# secfixes: +# 0.15-r1: +# - CVE-2020-12268 builddir="$srcdir/$pkgname-$pkgver" @@ -44,4 +50,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="142acf0c47be094232ff21074414be5cf633a7008b2095d60b8878c4e125966f36632d8db191959ae1ac4b12b8fdc78139f67cd531717d203864b459d2570369 jbig2dec-0.15.tar.gz" +sha512sums="142acf0c47be094232ff21074414be5cf633a7008b2095d60b8878c4e125966f36632d8db191959ae1ac4b12b8fdc78139f67cd531717d203864b459d2570369 jbig2dec-0.15.tar.gz +e33c6a942af79dfb98c8160bccb0d7e6965d90b77f4e8e370787a9c0af0273001f02d5591b92d4285b901182ea335eb09854ce2fa995266837156b568747aa24 CVE-2020-12268.patch" diff --git a/main/jbig2dec/CVE-2020-12268.patch b/main/jbig2dec/CVE-2020-12268.patch new file mode 100644 index 0000000000..773515ae2d --- /dev/null +++ b/main/jbig2dec/CVE-2020-12268.patch @@ -0,0 +1,44 @@ +From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001 +From: Robin Watts <Robin.Watts@artifex.com> +Date: Mon, 27 Jan 2020 10:12:24 -0800 +Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in + jbig2_image_compose. + +With extreme values of x/y/w/h we can get overflow. Test for this +and exit safely. + +Thanks for OSS-Fuzz for reporting. +--- + jbig2_image.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/jbig2_image.c b/jbig2_image.c +index 22e21ef..100263d 100644 +--- a/jbig2_image.c ++++ b/jbig2_image.c +@@ -33,6 +33,9 @@ + #if !defined (INT32_MAX) + #define INT32_MAX 0x7fffffff + #endif ++#if !defined (UINT32_MAX) ++#define UINT32_MAX 0xffffffffu ++#endif + + /* allocate a Jbig2Image structure and its associated bitmap */ + Jbig2Image * +@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int + if (src == NULL) + return 0; + ++ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) || ++ (UINT32_MAX - src->height < (y > 0 ? y : -y))) ++ { ++#ifdef JBIG2_DEBUG ++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image"); ++#endif ++ return 0; ++ } ++ + /* The optimized code for the OR operator below doesn't + handle the source image partially placed outside the + destination (above and/or to the left). The affected diff --git a/main/krb5/APKBUILD b/main/krb5/APKBUILD index a07d7c4106..595c44a0b7 100644 --- a/main/krb5/APKBUILD +++ b/main/krb5/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=krb5 pkgver=1.15.5 -pkgrel=0 +pkgrel=1 case $pkgver in *.*.*) _ver=${pkgver%.*};; @@ -21,6 +21,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-server $pkgname-server-ldap:ldap $pkgname-pkinit $pkgname-libs" source="https://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz mit-krb5_krb5-config_LDFLAGS.patch + CVE-2020-28196.patch krb5kadmind.initd krb5kdc.initd @@ -29,6 +30,8 @@ source="https://web.mit.edu/kerberos/dist/krb5/${_ver}/krb5-$pkgver.tar.gz builddir="$srcdir"/krb5-$pkgver # secfixes: +# 1.15.5-r1: +# - CVE-2020-28196 # 1.15.4-r0: # - CVE-2018-20217 # 1.15.3-r0: @@ -114,6 +117,7 @@ libs() { } sha512sums="cf2c5764a081acc44c416108da40f76dafa5c764d1fb842cba1736942999548962a57c64e67924a409c068b1b8ed824f17857ea9a34594724f70903e555505b5 krb5-1.15.5.tar.gz 5a3782ff17b383f8cd0415fd13538ab56afd788130d6ad640e9f2682b7deaae7f25713ce358058ed771091040dccf62a3bc87e6fd473d505ec189a95debcc801 mit-krb5_krb5-config_LDFLAGS.patch +d7b4b55f01f8e70c0b1c9390ba1753d590253ac9ab39aaf22da15b6169506d019923837bb18d856b0c4508afc9c387180068dfe0c6847d6bd7d0970b34769a97 CVE-2020-28196.patch 43b9885b7eb8d0d60920def688de482f2b1701288f9acb1bb21dc76b2395428ff304961959eb04ba5eafd0412bae35668d6d2c8223424b9337bc051eadf51682 krb5kadmind.initd ede15f15bbbc9d0227235067abe15245bb9713aea260d397379c63275ce74aea0db6c91c15d599e40c6e89612d76f3a0f8fdd21cbafa3f30d426d4310d3e2cec krb5kdc.initd 45be0d421efd41e9dd056125a750c90856586e990317456b68170d733b03cba9ecd18ab87603b20e49575e7839fb4a6d628255533f2631f9e8ddb7f3cc493a90 krb5kpropd.initd" diff --git a/main/krb5/CVE-2018-20217.patch b/main/krb5/CVE-2018-20217.patch deleted file mode 100644 index 80f2d55058..0000000000 --- a/main/krb5/CVE-2018-20217.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris <iboukris@gmail.com> -Date: Mon, 3 Dec 2018 02:33:07 +0200 -Subject: [PATCH] Ignore password attributes for S4U2Self requests - -For consistency with Windows KDCs, allow protocol transition to work -even if the password has expired or needs changing. - -Also, when looking up an enterprise principal with an AS request, -treat ERR_KEY_EXP as confirmation that the client is present in the -realm. - -[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited -commit message] - -ticket: 8763 (new) -tags: pullup -target_version: 1.17 ---- - src/kdc/kdc_util.c | 5 +++++ - src/lib/krb5/krb/s4u_creds.c | 2 +- - src/tests/gssapi/t_s4u.py | 8 ++++++++ - 3 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 6d53173fb0..6517a213cd 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -1607,6 +1607,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, - - memset(&no_server, 0, sizeof(no_server)); - -+ /* Ignore password expiration and needchange attributes (as Windows -+ * does), since S4U2Self is not password authentication. */ -+ princ->pw_expiration = 0; -+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE); -+ - code = validate_as_request(kdc_active_realm, request, *princ, - no_server, kdc_time, status, &e_data); - if (code) { -diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c -index d2fdcb3f16..614ed41908 100644 ---- a/src/lib/krb5/krb/s4u_creds.c -+++ b/src/lib/krb5/krb/s4u_creds.c -@@ -116,7 +116,7 @@ s4u_identify_user(krb5_context context, - code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL, - opts, krb5_get_as_key_noop, &userid, &use_master, - NULL); -- if (code == 0 || code == KRB5_PREAUTH_FAILED) { -+ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) { - *canon_user = userid.user; - userid.user = NULL; - code = 0; -diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py -index fd29e1a270..84f3fbd752 100755 ---- a/src/tests/gssapi/t_s4u.py -+++ b/src/tests/gssapi/t_s4u.py -@@ -19,6 +19,14 @@ - # Get forwardable creds for service1 in the default cache. - realm.kinit(service1, None, ['-f', '-k']) - -+# Try S4U2Self for user with a restricted password. -+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ]) -+realm.run(['./t_s4u', 'e:user', '-']) -+realm.run([kadminl, 'modprinc', '-needchange', -+ '-pwexpire', '1/1/2000', realm.user_princ]) -+realm.run(['./t_s4u', 'e:user', '-']) -+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ]) -+ - # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail - # at the S4U2Proxy step since the DB2 back end currently has no - # support for allowing it. diff --git a/main/krb5/CVE-2020-28196.patch b/main/krb5/CVE-2020-28196.patch new file mode 100644 index 0000000000..4d6b423838 --- /dev/null +++ b/main/krb5/CVE-2020-28196.patch @@ -0,0 +1,100 @@ +From 2289312180a5162114037df8eaa4f4f990d67447 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Sat, 31 Oct 2020 17:07:05 -0400 +Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths + +The libkrb5 ASN.1 decoder supports BER indefinite lengths. It +computes the tag length using recursion; the lack of a recursion limit +allows an attacker to overrun the stack and cause the process to +crash. Reported by Demi Obenour. + +CVE-2020-28196: + +In MIT krb5 releases 1.11 and later, an unauthenticated attacker can +cause a denial of service for any client or server to which it can +send an ASN.1-encoded Kerberos message of sufficient length. + +ticket: 8959 (new) +tags: pullup +target_version: 1.18-next +target_version: 1.17-next + +(cherry picked from commit 57415dda6cf04e73ffc3723be518eddfae599bfd) +--- + src/lib/krb5/asn.1/asn1_encode.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c +index a7423b642..8c0cda852 100644 +--- a/src/lib/krb5/asn.1/asn1_encode.c ++++ b/src/lib/krb5/asn.1/asn1_encode.c +@@ -393,7 +393,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len, size_t *retlen) + static asn1_error_code + get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out, + const unsigned char **contents_out, size_t *clen_out, +- const unsigned char **remainder_out, size_t *rlen_out) ++ const unsigned char **remainder_out, size_t *rlen_out, int recursion) + { + asn1_error_code ret; + unsigned char o; +@@ -431,9 +431,11 @@ get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out, + /* Indefinite form (should not be present in DER, but we accept it). */ + if (tag_out->construction != CONSTRUCTED) + return ASN1_MISMATCH_INDEF; ++ if (recursion >= 32) ++ return ASN1_OVERFLOW; + p = asn1; + while (!(len >= 2 && p[0] == 0 && p[1] == 0)) { +- ret = get_tag(p, len, &t, &c, &clen, &p, &len); ++ ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1); + if (ret) + return ret; + } +@@ -652,7 +654,7 @@ split_der(asn1buf *buf, unsigned char *const *der, size_t len, + const unsigned char *contents, *remainder; + size_t clen, rlen; + +- ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen); ++ ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0); + if (ret) + return ret; + if (rlen != 0) +@@ -1259,7 +1261,7 @@ decode_atype(const taginfo *t, const unsigned char *asn1, + const unsigned char *rem; + size_t rlen; + if (!tag->implicit) { +- ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen); ++ ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0); + if (ret) + return ret; + /* Note: we don't check rlen (it should be 0). */ +@@ -1481,7 +1483,7 @@ decode_sequence(const unsigned char *asn1, size_t len, + for (i = 0; i < seq->n_fields; i++) { + if (len == 0) + break; +- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len); ++ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0); + if (ret) + goto error; + /* +@@ -1539,7 +1541,7 @@ decode_sequence_of(const unsigned char *asn1, size_t len, + *seq_out = NULL; + *count_out = 0; + while (len > 0) { +- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len); ++ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0); + if (ret) + goto error; + if (!check_atype_tag(elemtype, &t)) { +@@ -1625,7 +1627,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a, + + *retrep = NULL; + ret = get_tag((unsigned char *)code->data, code->length, &t, &contents, +- &clen, &remainder, &rlen); ++ &clen, &remainder, &rlen, 0); + if (ret) + return ret; + /* rlen should be 0, but we don't check it (and due to padding in +-- +2.20.4 + diff --git a/main/mariadb-connector-c/APKBUILD b/main/mariadb-connector-c/APKBUILD index 0d01de5763..90e853563b 100644 --- a/main/mariadb-connector-c/APKBUILD +++ b/main/mariadb-connector-c/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mariadb-connector-c pkgver=3.0.8 -pkgrel=0 +pkgrel=1 pkgdesc="The MariaDB Native Client library (C driver)" url="https://mariadb.org/" arch="all" @@ -10,12 +10,17 @@ depends_dev="openssl-dev zlib-dev" makedepends="$depends_dev cmake" replaces="mariadb-client-libs" subpackages="$pkgname-dev" -source="https://downloads.mariadb.org/interstitial/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz +source="https://downloads.mariadb.com/Connectors/c/connector-c-$pkgver/mariadb-connector-c-$pkgver-src.tar.gz cmake.patch fix-ucontext-header.patch + CVE-2020-13249.patch " builddir="$srcdir/mariadb-connector-c-$pkgver-src" +# secfixes: +# 3.0.8-r1: +# - CVE-2020-13249 + build() { cd "$builddir" if [ "$CBUILD" != "$CHOST" ]; then @@ -57,7 +62,7 @@ dev() { replaces="mariadb-dev" mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } - sha512sums="d9f970c7ac164ef7d8dd748bf2f749cc1f877a9c8f68a1d57e9ff62d95046bb9505619feca1f1d0d1cdefc1ac49489742aadf4ad9e47c8e6a9b8b40c56eed788 mariadb-connector-c-3.0.8-src.tar.gz 027a9d383ce27a527b77ac06b9505709cad8fe0173455863590f502996966300fedea87687630113d74e5b9be5349217b18206c2dbb89f7064129cb5417e44cf cmake.patch -ad52cccb5517d11838bf16aee5aff63d87075e9ef5787e726d8bfea2854d3e2b5fa7aa94c0e93b1f7e7e21f48d21b1b6fcdd161fadb9999dcc7a3a5b8e12d883 fix-ucontext-header.patch" +ad52cccb5517d11838bf16aee5aff63d87075e9ef5787e726d8bfea2854d3e2b5fa7aa94c0e93b1f7e7e21f48d21b1b6fcdd161fadb9999dcc7a3a5b8e12d883 fix-ucontext-header.patch +4370a517bc082e5aca8ebc0abf1ace7742af6cffc7f0c12b70705b31885a573192bbac473a9d0322582e64a75698db86bd36db23558dd1c1e1eaf693632a559f CVE-2020-13249.patch" diff --git a/main/mariadb-connector-c/CVE-2020-13249.patch b/main/mariadb-connector-c/CVE-2020-13249.patch new file mode 100644 index 0000000000..8f58063c4e --- /dev/null +++ b/main/mariadb-connector-c/CVE-2020-13249.patch @@ -0,0 +1,154 @@ +diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c +index 4c1108b..1f04c35 100644 +--- a/libmariadb/mariadb_lib.c ++++ b/libmariadb/mariadb_lib.c +@@ -76,6 +76,8 @@ + #define ASYNC_CONTEXT_DEFAULT_STACK_SIZE (4096*15) + #define MA_RPL_VERSION_HACK "5.5.5-" + ++#define CHARSET_NAME_LEN 64 ++ + #undef max_allowed_packet + #undef net_buffer_length + extern ulong max_allowed_packet; /* net.c */ +@@ -2029,6 +2031,7 @@ mysql_send_query(MYSQL* mysql, const char* query, unsigned long length) + + int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + { ++ uchar *end= mysql->net.read_pos+length; + size_t item_len; + mysql->affected_rows= net_field_length_ll(&pos); + mysql->insert_id= net_field_length_ll(&pos); +@@ -2036,10 +2039,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + pos+=2; + mysql->warning_count=uint2korr(pos); + pos+=2; +- if (pos < mysql->net.read_pos+length) ++ if (pos > end) ++ goto corrupted; ++ if (pos < end) + { + if ((item_len= net_field_length(&pos))) + mysql->info=(char*) pos; ++ if (pos + item_len > end) ++ goto corrupted; + + /* check if server supports session tracking */ + if (mysql->server_capabilities & CLIENT_SESSION_TRACKING) +@@ -2050,23 +2057,26 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (mysql->server_status & SERVER_SESSION_STATE_CHANGED) + { + int i; +- if (pos < mysql->net.read_pos + length) ++ if (pos < end) + { + LIST *session_item; + MYSQL_LEX_STRING *str= NULL; + enum enum_session_state_type si_type; + uchar *old_pos= pos; +- size_t item_len= net_field_length(&pos); /* length for all items */ ++ ++ item_len= net_field_length(&pos); /* length for all items */ ++ if (pos + item_len > end) ++ goto corrupted; ++ end= pos + item_len; + + /* length was already set, so make sure that info will be zero terminated */ + if (mysql->info) + *old_pos= 0; + +- while (item_len > 0) ++ while (pos < end) + { + size_t plen; + char *data; +- old_pos= pos; + si_type= (enum enum_session_state_type)net_field_length(&pos); + switch(si_type) { + case SESSION_TRACK_SCHEMA: +@@ -2076,15 +2086,14 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (si_type != SESSION_TRACK_STATE_CHANGE) + net_field_length(&pos); /* ignore total length, item length will follow next */ + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + if (!ma_multi_malloc(0, + &session_item, sizeof(LIST), + &str, sizeof(MYSQL_LEX_STRING), + &data, plen, + NULL)) +- { +- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); +- return -1; +- } ++ goto oom; + str->length= plen; + str->str= data; + memcpy(str->str, (char *)pos, plen); +@@ -2107,29 +2116,28 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + if (!strncmp(str->str, "character_set_client", str->length)) + set_charset= 1; + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + if (!ma_multi_malloc(0, + &session_item, sizeof(LIST), + &str, sizeof(MYSQL_LEX_STRING), + &data, plen, + NULL)) +- { +- SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); +- return -1; +- } ++ goto oom; + str->length= plen; + str->str= data; + memcpy(str->str, (char *)pos, plen); + pos+= plen; + session_item->data= str; + mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item); +- if (set_charset && ++ if (set_charset && str->length < CHARSET_NAME_LEN && + strncmp(mysql->charset->csname, str->str, str->length) != 0) + { +- char cs_name[64]; +- MARIADB_CHARSET_INFO *cs_info; ++ char cs_name[CHARSET_NAME_LEN]; ++ const MARIADB_CHARSET_INFO *cs_info; + memcpy(cs_name, str->str, str->length); + cs_name[str->length]= 0; +- if ((cs_info = (MARIADB_CHARSET_INFO *)mysql_find_charset_name(cs_name))) ++ if ((cs_info = mysql_find_charset_name(cs_name))) + mysql->charset= cs_info; + } + } +@@ -2137,10 +2145,11 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + default: + /* not supported yet */ + plen= net_field_length(&pos); ++ if (pos + plen > end) ++ goto corrupted; + pos+= plen; + break; + } +- item_len-= (pos - old_pos); + } + } + for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++) +@@ -2155,6 +2164,16 @@ int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length) + else if (mysql->server_capabilities & CLIENT_SESSION_TRACKING) + ma_clear_session_state(mysql); + return(0); ++ ++oom: ++ ma_clear_session_state(mysql); ++ SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); ++ return -1; ++ ++corrupted: ++ ma_clear_session_state(mysql); ++ SET_CLIENT_ERROR(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0); ++ return -1; + } + + int mthd_my_read_query_result(MYSQL *mysql) diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD index 390644b80f..321287eea6 100644 --- a/main/musl/APKBUILD +++ b/main/musl/APKBUILD @@ -1,13 +1,14 @@ -# Contributor: William Pitcock <nenolod@dereferenced.org> +# Contributor: Ariadne Conill <ariadne@dereferenced.org> # Maintainer: Timo Teräs <timo.teras@iki.fi> pkgname=musl pkgver=1.1.20 -pkgrel=5 +pkgrel=6 pkgdesc="the musl c library (libc) implementation" url="http://www.musl-libc.org/" arch="all" license="MIT" subpackages="$pkgname-dev $pkgname-dbg libc6-compat:compat:noarch" +options="lib64" case "$BOOTSTRAP" in nocc) pkgname="musl-dev"; subpackages="";; nolibc) ;; @@ -21,6 +22,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz 0001-fix-getaddrinfo-regression-with-AI_ADDRCONFIG-on-som.patch s390x-fadv.patch + wcsnrtombs-cve-2020-28928.diff + ldconfig __stack_chk_fail_local.c getconf.c @@ -29,6 +32,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz " # secfixes: +# 1.1.20-r6: +# - CVE-2020-28928 # 1.1.20-r5: # - CVE-2019-14697 # 1.1.15-r4: @@ -157,6 +162,7 @@ sha512sums="d3a7a30aa375ca50d7dcfbd618581d59e1aa5378417f50a0ca5510099336fd74cc9d ab34509cec7419c11352094ed6acf14e5766b314bd2b96506a0d0203e61e90e85ea9a121f1fefc0d00bcba381778d579ea2c02325605344530420305fcf1a0d0 0001-fix-race-condition-in-file-locking.patch 20f9db1f96d4867fb0e4d4e1b4b323e1871ce5660896c8608f7a5147d247f6c6840f84eff25ae8f8b7cf04af0f586afed00acb6abcbedd4240a4678359fa6dc9 0001-fix-getaddrinfo-regression-with-AI_ADDRCONFIG-on-som.patch e9c9135f6dc3260e62ae6e9c45f3c43574af6ff2c2bfe411eb83f7e80d13bb8c86425cb41fc961e27f7bc15f679db1fbfb267e401bbe81d6cd5b872eb9b1f471 s390x-fadv.patch +35dc5df28d90d1c84f9100116b63ba9e7fd44a20f512d12760da5e01f1aec4e799f726cbafb586bae568ff4f6d5a70948f1bf9fb901f1ca7dfcdf35c5d7510a6 wcsnrtombs-cve-2020-28928.diff 8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig 062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b __stack_chk_fail_local.c 0d80f37b34a35e3d14b012257c50862dfeb9d2c81139ea2dfa101d981d093b009b9fa450ba27a708ac59377a48626971dfc58e20a3799084a65777a0c32cbc7d getconf.c diff --git a/main/musl/wcsnrtombs-cve-2020-28928.diff b/main/musl/wcsnrtombs-cve-2020-28928.diff new file mode 100644 index 0000000000..8465f9422a --- /dev/null +++ b/main/musl/wcsnrtombs-cve-2020-28928.diff @@ -0,0 +1,65 @@ +diff --git a/src/multibyte/wcsnrtombs.c b/src/multibyte/wcsnrtombs.c +index 676932b5..95e25e70 100644 +--- a/src/multibyte/wcsnrtombs.c ++++ b/src/multibyte/wcsnrtombs.c +@@ -1,41 +1,33 @@ + #include <wchar.h> ++#include <limits.h> ++#include <string.h> + + size_t wcsnrtombs(char *restrict dst, const wchar_t **restrict wcs, size_t wn, size_t n, mbstate_t *restrict st) + { +- size_t l, cnt=0, n2; +- char *s, buf[256]; + const wchar_t *ws = *wcs; +- const wchar_t *tmp_ws; +- +- if (!dst) s = buf, n = sizeof buf; +- else s = dst; +- +- while ( ws && n && ( (n2=wn)>=n || n2>32 ) ) { +- if (n2>=n) n2=n; +- tmp_ws = ws; +- l = wcsrtombs(s, &ws, n2, 0); +- if (!(l+1)) { +- cnt = l; +- n = 0; ++ size_t cnt = 0; ++ if (!dst) n=0; ++ while (ws && wn) { ++ char tmp[MB_LEN_MAX]; ++ size_t l = wcrtomb(n<MB_LEN_MAX ? tmp : dst, *ws, 0); ++ if (l==-1) { ++ cnt = -1; + break; + } +- if (s != buf) { +- s += l; ++ if (dst) { ++ if (n<MB_LEN_MAX) { ++ if (l>n) break; ++ memcpy(dst, tmp, l); ++ } ++ dst += l; + n -= l; + } +- wn = ws ? wn - (ws - tmp_ws) : 0; +- cnt += l; +- } +- if (ws) while (n && wn) { +- l = wcrtomb(s, *ws, 0); +- if ((l+1)<=1) { +- if (!l) ws = 0; +- else cnt = l; ++ if (!*ws) { ++ ws = 0; + break; + } +- ws++; wn--; +- /* safe - this loop runs fewer than sizeof(buf) times */ +- s+=l; n-=l; ++ ws++; ++ wn--; + cnt += l; + } + if (dst) *wcs = ws; diff --git a/main/nrpe/APKBUILD b/main/nrpe/APKBUILD index 44d2b163ab..c09b953a02 100644 --- a/main/nrpe/APKBUILD +++ b/main/nrpe/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Jeff Bilyk <jbilyk@gmail.com> pkgname=nrpe pkgver=3.2.1 -pkgrel=0 +pkgrel=2 pkgusers="nagios" pkggroups="nagios" pkgdesc="NRPE allows you to remotely execute Nagios plugins on other Linux/Unix machines." diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD index c6e075176b..eaa032f275 100644 --- a/main/openldap/APKBUILD +++ b/main/openldap/APKBUILD @@ -2,6 +2,10 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # # secfixes: +# 2.4.48-r2: +# - CVE-2020-25709 +# - CVE-2020-25710 +# - CVE-2020-25692 # 2.4.48-r1: # - CVE-2020-12243 # 2.4.48-r0: @@ -15,7 +19,7 @@ # pkgname=openldap pkgver=2.4.48 -pkgrel=1 +pkgrel=2 pkgdesc="LDAP Server" url="http://www.openldap.org/" arch="all" @@ -38,11 +42,14 @@ source="https://www.openldap.org/software/download/OpenLDAP/$pkgname-release/$pk fix-manpages.patch configs.patch cacheflush.patch + CVE-2020-25709.patch + CVE-2020-25710.patch + CVE-2020-25692.patch + CVE-2020-12243.patch slapd.initd slapd.confd - CVE-2020-12243.patch::https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440.patch " builddir="$srcdir/$pkgname-$pkgver" @@ -229,6 +236,9 @@ sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be79 8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch 0d2e570ddcb7ace1221abad9fc1d3dd0d00d6948340df69879b449959a68feee6a0ad8e17ef9971b35986293e16fc9d8e88de81815fedd5ea6a952eb085406ca configs.patch 60c1ec62003a33036de68402544e25a71715ed124a3139056a94ed1ba02fb8148ee510ab8f182a308105a2f744b9787e67112bcd8cd0d800cdb6f5409c4f63ff cacheflush.patch +61d2d02b733011eefaac0681b7f6274e416dac4d420b354e37f51b07cc42dab61c798fbe5fab36f47079962046f309373b41886b4632e86dc08d5bfe59b275f7 CVE-2020-25709.patch +abb7f43b6379fe6c03e583dc3a2c861c573ad6b83710954e35928e0449a1b78e259d8d5c6b7c33747b347ab67388d4894980a954d5ddb24b51a693b9c43798f2 CVE-2020-25710.patch +023b32e1a8e61c96b77723dfe39d33de170af684e29defdb34c14719b77fa0e9a101f8aaafe378afb30bf5ca732cf7209ef291089d7524b2301a97c102f5f6e4 CVE-2020-25692.patch +fddf5cf57c5b4b1d0e148ce850aafe5791dd7772727c824e858fe97e375871d2d3f622894d978444f7c5d8d64160c6fd766ae91de5eac3eb7f5292ceaaf599ea CVE-2020-12243.patch 0c3606e4dad1b32f1c4b62f2bc1990a4c9f7ccd10c7b50e623309ba9df98064e68fc42a7242450f32fb6e5fa2203609d3d069871b5ae994cd4b227a078c93532 slapd.initd -64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd -d4d8bec1c23c73e7126462bfe2e51cb603d1e83be4c64698ac167f221d515554b3b0e311f9789450b5c4c206c09cbdad1842b0b5b2364919967195da4ea6d833 CVE-2020-12243.patch" +64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd" diff --git a/main/openldap/CVE-2020-12243.patch b/main/openldap/CVE-2020-12243.patch new file mode 100644 index 0000000000..d8e10f5bc6 --- /dev/null +++ b/main/openldap/CVE-2020-12243.patch @@ -0,0 +1,125 @@ +From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Thu, 16 Apr 2020 01:08:19 +0100 +Subject: [PATCH] ITS#9202 limit depth of nested filters + +Using a hardcoded limit for now; no reasonable apps +should ever run into it. +--- + servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 32 insertions(+), 9 deletions(-) + +diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c +index 3252cf2a7..ed57bbd7b 100644 +--- a/servers/slapd/filter.c ++++ b/servers/slapd/filter.c +@@ -37,11 +37,16 @@ + const Filter *slap_filter_objectClass_pres; + const struct berval *slap_filterstr_objectClass_pres; + ++#ifndef SLAPD_MAX_FILTER_DEPTH ++#define SLAPD_MAX_FILTER_DEPTH 5000 ++#endif ++ + static int get_filter_list( + Operation *op, + BerElement *ber, + Filter **f, +- const char **text ); ++ const char **text, ++ int depth ); + + static int get_ssa( + Operation *op, +@@ -80,12 +85,13 @@ filter_destroy( void ) + return; + } + +-int +-get_filter( ++static int ++get_filter0( + Operation *op, + BerElement *ber, + Filter **filt, +- const char **text ) ++ const char **text, ++ int depth ) + { + ber_tag_t tag; + ber_len_t len; +@@ -126,6 +132,11 @@ get_filter( + * + */ + ++ if( depth > SLAPD_MAX_FILTER_DEPTH ) { ++ *text = "filter nested too deeply"; ++ return SLAPD_DISCONNECT; ++ } ++ + tag = ber_peek_tag( ber, &len ); + + if( tag == LBER_ERROR ) { +@@ -221,7 +232,7 @@ get_filter( + + case LDAP_FILTER_AND: + Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 ); +- err = get_filter_list( op, ber, &f.f_and, text ); ++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ -234,7 +245,7 @@ get_filter( + + case LDAP_FILTER_OR: + Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 ); +- err = get_filter_list( op, ber, &f.f_or, text ); ++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ -248,7 +259,7 @@ get_filter( + case LDAP_FILTER_NOT: + Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 ); + (void) ber_skip_tag( ber, &len ); +- err = get_filter( op, ber, &f.f_not, text ); ++ err = get_filter0( op, ber, &f.f_not, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ -311,10 +322,22 @@ get_filter( + return( err ); + } + ++int ++get_filter( ++ Operation *op, ++ BerElement *ber, ++ Filter **filt, ++ const char **text ) ++{ ++ return get_filter0( op, ber, filt, text, 0 ); ++} ++ ++ + static int + get_filter_list( Operation *op, BerElement *ber, + Filter **f, +- const char **text ) ++ const char **text, ++ int depth ) + { + Filter **new; + int err; +@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber, + tag != LBER_DEFAULT; + tag = ber_next_element( ber, &len, last ) ) + { +- err = get_filter( op, ber, new, text ); ++ err = get_filter0( op, ber, new, text, depth ); + if ( err != LDAP_SUCCESS ) + return( err ); + new = &(*new)->f_next; +-- +GitLab + diff --git a/main/openldap/CVE-2020-25692.patch b/main/openldap/CVE-2020-25692.patch new file mode 100644 index 0000000000..941a4f56be --- /dev/null +++ b/main/openldap/CVE-2020-25692.patch @@ -0,0 +1,27 @@ +From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 19 Oct 2020 14:03:41 +0100 +Subject: [PATCH] ITS#9370 check for equality rule on old_rdn + +Just skip normalization if there's no equality rule. We accept +DNs without equality rules already. +--- + servers/slapd/modrdn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c +index c73dd8dba..a22975540 100644 +--- a/servers/slapd/modrdn.c ++++ b/servers/slapd/modrdn.c +@@ -505,7 +505,7 @@ slap_modrdn2mods( + mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); + ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value ); + mod_tmp->sml_values[1].bv_val = NULL; +- if( desc->ad_type->sat_equality->smr_normalize) { ++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) { + mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); + (void) (*desc->ad_type->sat_equality->smr_normalize)( + SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, +-- +GitLab + diff --git a/main/openldap/CVE-2020-25709.patch b/main/openldap/CVE-2020-25709.patch new file mode 100644 index 0000000000..d38c9d241d --- /dev/null +++ b/main/openldap/CVE-2020-25709.patch @@ -0,0 +1,26 @@ +From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 2 Nov 2020 13:12:10 +0000 +Subject: [PATCH] ITS#9383 remove assert in certificateListValidate + +--- + servers/slapd/schema_init.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index ea0d67aa6..28f9e71a1 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in ) + /* Optional version */ + if ( tag == LBER_INTEGER ) { + tag = ber_get_int( ber, &version ); +- assert( tag == LBER_INTEGER ); +- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; ++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; + } + tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */ + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; +-- +GitLab + diff --git a/main/openldap/CVE-2020-25710.patch b/main/openldap/CVE-2020-25710.patch new file mode 100644 index 0000000000..9b9bae8b31 --- /dev/null +++ b/main/openldap/CVE-2020-25710.patch @@ -0,0 +1,27 @@ +From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 2 Nov 2020 16:01:14 +0000 +Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23() + +--- + servers/slapd/schema_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 5812bc4b6..ea0d67aa6 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -5327,8 +5327,8 @@ csnNormalize23( + } + *ptr = '\0'; + +- assert( ptr == &bv.bv_val[bv.bv_len] ); +- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) { ++ if ( ptr != &bv.bv_val[bv.bv_len] || ++ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + +-- +GitLab + diff --git a/main/pcre/APKBUILD b/main/pcre/APKBUILD index da65eef6bb..d7f05247b8 100644 --- a/main/pcre/APKBUILD +++ b/main/pcre/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=pcre pkgver=8.42 -pkgrel=1 +pkgrel=2 pkgdesc="Perl-compatible regular expression library" url="http://pcre.sourceforge.net" arch="all" @@ -12,9 +12,13 @@ makedepends="" checkdepends="paxmark" subpackages="$pkgname-dev $pkgname-doc $pkgname-tools libpcrecpp libpcre16 libpcre32" -source="ftp://ftp.csx.cam.ac.uk/pub/software/programming/$pkgname/$pkgname-$pkgver.tar.bz2 +source="https://ftp.pcre.org/pub/pcre/pcre-$pkgver.tar.bz2 + CVE-2020-14155.patch " + # secfixes: +# 8.42-r2: +# - CVE-2020-14155 # 8.40-r2: # - CVE-2017-7186 # 7.8-r0: @@ -94,4 +98,5 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="b47b923108f6ee0c31409b79d0888314271b482a22590e164d02f21d2112fba22dd0342c24f9ba0f5fcc5b8c65550bad08c476e30a2fc79b34ecf4601ed82f3d pcre-8.42.tar.bz2" +sha512sums="b47b923108f6ee0c31409b79d0888314271b482a22590e164d02f21d2112fba22dd0342c24f9ba0f5fcc5b8c65550bad08c476e30a2fc79b34ecf4601ed82f3d pcre-8.42.tar.bz2 +23baa5fbaff7b52e861a539a83ad4406937d7a8a85d2a4e2419d0bea99204659e350caab68091d6354842297df2bb3097204bc63c4e1d3d9d1b94427efc46748 CVE-2020-14155.patch" diff --git a/main/pcre/CVE-2020-14155.patch b/main/pcre/CVE-2020-14155.patch new file mode 100644 index 0000000000..3bfa119f3b --- /dev/null +++ b/main/pcre/CVE-2020-14155.patch @@ -0,0 +1,31 @@ +pcre: Fix int overflow when parsing "?C<arg>" callout args. + +Numerical args must be 0-255, so this shouldn't break correct usage. + +--- a/pcre_compile.c 2020/02/10 17:01:27 1760 ++++ b/pcre_compile.c 2020/02/10 17:17:34 1761 +@@ -7130,17 +7130,19 @@ + int n = 0; + ptr++; + while(IS_DIGIT(*ptr)) ++ { + n = n * 10 + *ptr++ - CHAR_0; ++ if (n > 255) ++ { ++ *errorcodeptr = ERR38; ++ goto FAILED; ++ } ++ } + if (*ptr != CHAR_RIGHT_PARENTHESIS) + { + *errorcodeptr = ERR39; + goto FAILED; + } +- if (n > 255) +- { +- *errorcodeptr = ERR38; +- goto FAILED; +- } + *code++ = n; + PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */ + PUT(code, LINK_SIZE, 0); /* Default length */ diff --git a/main/perl-datetime-timezone/APKBUILD b/main/perl-datetime-timezone/APKBUILD index 74a39f43ae..87cef23fdb 100644 --- a/main/perl-datetime-timezone/APKBUILD +++ b/main/perl-datetime-timezone/APKBUILD @@ -1,50 +1,39 @@ -# Automatically generated by apkbuild-cpan, template 2 +# Automatically generated by apkbuild-cpan, template 3 # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=perl-datetime-timezone +#_pkgreal is used by apkbuild-cpan to find modules at MetaCpan _pkgreal=DateTime-TimeZone -pkgver=2.19 +pkgver=2.43 pkgrel=0 pkgdesc="Time zone object base class and factory" -url="http://search.cpan.org/dist/DateTime-TimeZone/" +url="https://metacpan.org/release/DateTime-TimeZone/" arch="noarch" -license="GPL PerlArtistic" -cpandepends="perl-class-singleton perl-params-validationcompiler perl-namespace-autoclean perl-try-tiny perl-module-runtime perl-specio" -cpanmakedepends="" -cpancheckdepends="perl-test-requires perl-test-fatal" -depends="$cpandepends" -makedepends="perl-dev $cpanmakedepends" -options="!check" # disable due to circular dependency with perl-datetime -#checkdepends="perl-datetime $cpancheckdepends" -checkdepends="$cpancheckdepends" +license="GPL-1.0-or-later OR Artistic-1.0-Perl" +depends="perl perl-specio perl-params-validationcompiler perl-module-runtime + perl-try-tiny perl-namespace-autoclean perl-class-singleton" +makedepends="perl-dev" +checkdepends="perl-test-fatal perl-test-requires" subpackages="$pkgname-doc" -source="http://search.cpan.org/CPAN/authors/id/D/DR/DROLSKY/$_pkgreal-$pkgver.tar.gz" +source="https://cpan.metacpan.org/authors/id/D/DR/DROLSKY/DateTime-TimeZone-$pkgver.tar.gz" builddir="$srcdir/$_pkgreal-$pkgver" -prepare() { - default_prepare - - cd "$builddir" +build() { export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}') PERL_MM_USE_DEFAULT=1 perl -I. Makefile.PL INSTALLDIRS=vendor + make } -build() { - cd "$builddir" +check() { export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}') - make + make test } package() { - cd "$builddir" make DESTDIR="$pkgdir" install find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete } -check() { - cd "$builddir" - export CFLAGS=$(perl -MConfig -E 'say $Config{ccflags}') - make test -} -sha512sums="77c40e390da5747d10135dbe3652051e727a42e57eee7d7659d48bb284e64b94b006b6b7c0deea2354e46e2f50aeacff9299f4ca2a0c221de59d58e869f929eb DateTime-TimeZone-2.19.tar.gz" + +sha512sums="4e9bf442775ba58c6539a88e3e15ef8fc93aa4dbc6916034eeb0505930ee3cd83ce3d6de6f0e6c437a60fbdde3ecef0842740430f6af8579d0bbda2332bd7bc0 DateTime-TimeZone-2.43.tar.gz" diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD index 435c0428f4..6179607fc1 100644 --- a/main/postgresql/APKBUILD +++ b/main/postgresql/APKBUILD @@ -2,7 +2,7 @@ # Contributor: G.J.R. Timmer <gjr.timmer@gmail.com> # Contributor: Jakub Jirutka <jakub@jirutka.cz> pkgname=postgresql -pkgver=11.9 +pkgver=11.10 pkgrel=0 pkgdesc="A sophisticated object-relational DBMS" url="https://www.postgresql.org/" @@ -36,6 +36,10 @@ builddir="$srcdir/$pkgname-$pkgver" options="!checkroot" # secfixes: +# 11.10-r0: +# - CVE-2020-25694 +# - CVE-2020-25695 +# - CVE-2020-25696 # 11.9-r0: # - CVE-2020-14349 # - CVE-2020-14350 @@ -312,7 +316,7 @@ _submv() { done } -sha512sums="2c5c2f51aa01f02af4aa0849441767383e30fef69dd52efa442892f39d2456bfa8bf01f633a265e00eca0745e792609d2c1d33f77d8f29a02f5f374c84f2bf6e postgresql-11.9.tar.bz2 +sha512sums="0cc0e9b0f76e00727dc699ea59a45d760d37d91ec736a62cbc9bda3e38eb1ef1565e4e399dd3ae96bad87f866e56e364f916de7740d8be6e1cfc2bf654dfbb68 postgresql-11.10.tar.bz2 1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch 5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch 8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD index b5168c142b..479ba87cf7 100644 --- a/main/py-django/APKBUILD +++ b/main/py-django/APKBUILD @@ -3,7 +3,7 @@ pkgname=py-django _pkgname=Django pkgver=1.11.29 -pkgrel=0 +pkgrel=1 pkgdesc="A high-level Python Web framework" url="http://djangoproject.com/" arch="noarch" @@ -12,10 +12,16 @@ depends="py-tz" makedepends="python2-dev python3-dev py-setuptools" options="!check" # some depends missing, others in community/testing subpackages="py2-${pkgname#py-}:_py2 py3-${pkgname#py-}:_py3" -source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz" +source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz + CVE-2020-24583.patch + CVE-2020-24584.patch + " builddir="$srcdir"/$_pkgname-$pkgver # secfixes: +# 1.11.29-r1: +# - CVE-2020-24583 +# - CVE-2020-24584 # 1.11.29-r0: # - CVE-2020-9402 # 1.11.28-r0: @@ -99,4 +105,6 @@ _py() { done } -sha512sums="dc8d1c5c09f998bf7015967961247e56a9c1dd55701534c6bce6dac2270a5531e1162d9bcbf5ec5f4d411d2d0dc820c82fd9b69628c5ff944bb9f1a22290a562 Django-1.11.29.tar.gz" +sha512sums="dc8d1c5c09f998bf7015967961247e56a9c1dd55701534c6bce6dac2270a5531e1162d9bcbf5ec5f4d411d2d0dc820c82fd9b69628c5ff944bb9f1a22290a562 Django-1.11.29.tar.gz +e4eda8069558471268f2e8a705877b3f682adac80221ade5ba742476f897eb3a13d82af7367083b707186e4a49de4f7a6beaadc05274d10b9c88cb2f169ff1a9 CVE-2020-24583.patch +4fde0868b63a739c28e066665e098bb7a667fe81311a839ff7d1dfff13cb67751271be6e88b4f245aa3ebcbd2bb856730418f3006f7820405cd54bf951e98faf CVE-2020-24584.patch" diff --git a/main/py-django/CVE-2020-24583.patch b/main/py-django/CVE-2020-24583.patch new file mode 100644 index 0000000000..b21c6b8ead --- /dev/null +++ b/main/py-django/CVE-2020-24583.patch @@ -0,0 +1,29 @@ +From bbf6bd8a50a02d5015a2b0043abfbf2b4e6acce6 Mon Sep 17 00:00:00 2001 +From: Leo <thinkabit.ukim@gmail.com> +Date: Fri, 11 Dec 2020 02:07:01 -0300 +Subject: [PATCH 1/2] CVE-2020-24583 + +--- + django/core/files/storage.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/django/core/files/storage.py b/django/core/files/storage.py +index 98c89dd..9643198 100644 +--- a/django/core/files/storage.py ++++ b/django/core/files/storage.py +@@ -310,9 +310,9 @@ class FileSystemStorage(Storage): + if not os.path.exists(directory): + try: + if self.directory_permissions_mode is not None: +- # os.makedirs applies the global umask, so we reset it, +- # for consistency with file_permissions_mode behavior. +- old_umask = os.umask(0) ++ # Set the umask because os.makedirs() doesn't apply the "mode" ++ # argument to intermediate-level directories. ++ old_umask = os.umask(0o777 & ~self.directory_permissions_mode) + try: + os.makedirs(directory, self.directory_permissions_mode) + finally: +-- +2.29.2 + diff --git a/main/py-django/CVE-2020-24584.patch b/main/py-django/CVE-2020-24584.patch new file mode 100644 index 0000000000..fa4dc132a5 --- /dev/null +++ b/main/py-django/CVE-2020-24584.patch @@ -0,0 +1,30 @@ +From 13e83e6f60d9ed91316c975425bc4b89c130ec9c Mon Sep 17 00:00:00 2001 +From: Leo <thinkabit.ukim@gmail.com> +Date: Fri, 11 Dec 2020 02:08:48 -0300 +Subject: [PATCH 2/2] CVE-2020-24584 + +--- + django/core/cache/backends/filebased.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/django/core/cache/backends/filebased.py b/django/core/cache/backends/filebased.py +index 7c2c5c7..88cebef 100644 +--- a/django/core/cache/backends/filebased.py ++++ b/django/core/cache/backends/filebased.py +@@ -102,8 +102,13 @@ class FileBasedCache(BaseCache): + + def _createdir(self): + if not os.path.exists(self._dir): ++ # Set the umask because os.makedirs() doesn't apply the "mode" argument ++ # to intermediate-level directories. ++ old_umask = os.umask(0o077) + try: + os.makedirs(self._dir, 0o700) ++ finally: ++ os.umask(old_umask) + except OSError as e: + if e.errno != errno.EEXIST: + raise EnvironmentError( +-- +2.29.2 + diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD index bea34bb801..c6e0ec7acc 100644 --- a/main/squid/APKBUILD +++ b/main/squid/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=squid -pkgver=4.10 +pkgver=4.13 pkgrel=0 pkgdesc="A full-featured Web proxy cache server." url="http://www.squid-cache.org" @@ -29,6 +29,14 @@ builddir="$srcdir"/$pkgname-$pkgver options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox # secfixes: +# 4.13-r0: +# - CVE-2020-15810 +# - CVE-2020-15811 +# - CVE-2020-24606 +# 4.11-r0: +# - CVE-2019-12519 +# - CVE-2019-12521 +# - CVE-2020-11945 # 4.10-r0: # - CVE-2019-12528 # - CVE-2020-8449 @@ -112,7 +120,8 @@ squid_kerb_auth() { install -d "$subpkgdir"/usr/lib/squid mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/ } -sha512sums="033891f84789fe23a23fabcfb6f51a5b044c16892600f94380b5f0bcbceaef67b95c7047154d940511146248ca9846a949f00a609c6ed27f9af8829325eb08e0 squid-4.10.tar.xz + +sha512sums="06807f82ed01e12afe2dd843aa0a94f69c351765b1889c4c5c3da1cf2ecb06ac3a4be6a24a62f04397299c8fc0df5397f76f64df5422ff78b37a9382d5fdf7fc squid-4.13.tar.xz 15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd 7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd 89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate" diff --git a/main/tcpdump/APKBUILD b/main/tcpdump/APKBUILD index b06d0b297a..97112e5802 100644 --- a/main/tcpdump/APKBUILD +++ b/main/tcpdump/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=tcpdump pkgver=4.9.3 -pkgrel=0 +pkgrel=1 pkgdesc="A tool for network monitoring and data acquisition" url="http://www.tcpdump.org" arch="all" @@ -9,9 +9,13 @@ license="BSD-3-Clause" options="!check" # fail on ppc64le makedepends="libpcap-dev openssl-dev perl" subpackages="$pkgname-doc" -source="http://www.$pkgname.org/release/$pkgname-$pkgver.tar.gz" +source="http://www.$pkgname.org/release/$pkgname-$pkgver.tar.gz + CVE-2020-8037.patch + " # secfixes: +# 4.9.3-r1: +# - CVE-2020-8037 # 4.9.3-r0: # - CVE-2017-16808 (AoE) # - CVE-2018-14468 (FrameRelay) @@ -111,4 +115,5 @@ package() { rm -f "$pkgdir"/usr/sbin/tcpdump.4* } -sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22 tcpdump-4.9.3.tar.gz" +sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22 tcpdump-4.9.3.tar.gz +f53b5557ad2c68c28bbd6121b637ade43937ce4956fa9c2c8b187e8c62726c018509eb728f7f7479d078c9018f091f64114944b2d6106e6214662899f880445a CVE-2020-8037.patch" diff --git a/main/tcpdump/CVE-2020-8037.patch b/main/tcpdump/CVE-2020-8037.patch new file mode 100644 index 0000000000..2852845eb7 --- /dev/null +++ b/main/tcpdump/CVE-2020-8037.patch @@ -0,0 +1,63 @@ +From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001 +From: Guy Harris <guy@alum.mit.edu> +Date: Sat, 18 Apr 2020 14:04:59 -0700 +Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer. + +The buffer should be big enough to hold the captured data, but it +doesn't need to be big enough to hold the entire on-the-network packet, +if we haven't captured all of it. + +(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334) +--- + print-ppp.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/print-ppp.c b/print-ppp.c +index 891761728..33fb03412 100644 +--- a/print-ppp.c ++++ b/print-ppp.c +@@ -1367,19 +1367,29 @@ print_bacp_config_options(netdissect_options *ndo, + return 0; + } + ++/* ++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes. ++ * The length argument is the on-the-wire length, not the captured ++ * length; we can only un-escape the captured part. ++ */ + static void + ppp_hdlc(netdissect_options *ndo, + const u_char *p, int length) + { ++ u_int caplen = ndo->ndo_snapend - p; + u_char *b, *t, c; + const u_char *s; +- int i, proto; ++ u_int i; ++ int proto; + const void *se; + ++ if (caplen == 0) ++ return; ++ + if (length <= 0) + return; + +- b = (u_char *)malloc(length); ++ b = (u_char *)malloc(caplen); + if (b == NULL) + return; + +@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo, + * Do this so that we dont overwrite the original packet + * contents. + */ +- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) { ++ for (s = p, t = b, i = caplen; i != 0; i--) { + c = *s++; + if (c == 0x7d) { +- if (i <= 1 || !ND_TTEST(*s)) ++ if (i <= 1) + break; + i--; + c = *s++ ^ 0x20; diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD index f70b03cab1..3d271c761f 100644 --- a/main/tzdata/APKBUILD +++ b/main/tzdata/APKBUILD @@ -5,7 +5,7 @@ pkgname=tzdata pkgver=2020c _tzcodever=2020c _ptzver=0.5 -pkgrel=0 +pkgrel=1 pkgdesc="Timezone data" url="https://www.iana.org/time-zones" arch="all" @@ -32,11 +32,11 @@ build() { } package() { - ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo $_timezones - ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/right -L leapseconds $_timezones - #./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/posix $_timezones + ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo $_timezones + ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/right -L leapseconds $_timezones + #./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo/posix $_timezones - ./zic -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo -p America/New_York + ./zic -b fat -y ./yearistype -d "$pkgdir"/usr/share/zoneinfo -p America/New_York install -m444 -t "$pkgdir"/usr/share/zoneinfo iso3166.tab zone1970.tab zone.tab mkdir -p "$pkgdir"/usr/sbin diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index c58c8f4c22..cdd5e4beef 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -167,7 +167,6 @@ options="!strip" # 4.11.3-r0: # - CVE-2019-19579 XSA-306 # 4.11.3-r1: -# - CVE-2019-19579 XSA-306 # - CVE-2019-19582 XSA-307 # - CVE-2019-19583 XSA-308 # - CVE-2019-19578 XSA-309 diff --git a/main/xorg-server/APKBUILD b/main/xorg-server/APKBUILD index 767e58f190..8577904393 100644 --- a/main/xorg-server/APKBUILD +++ b/main/xorg-server/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=xorg-server pkgver=1.20.3 -pkgrel=1 +pkgrel=2 pkgdesc="X.Org X servers" url="http://xorg.freedesktop.org" arch="all" @@ -61,10 +61,19 @@ source="https://www.x.org/releases/individual/xserver/$pkgname-$pkgver.tar.bz2 autoconfig-sis.patch fix-musl-arm.patch 20-modules.conf + CVE-2020-14345.patch + CVE-2020-14346.patch + CVE-2020-14361.patch + CVE-2020-14362.patch " builddir="$srcdir"/$pkgname-$pkgver # secfixes: +# 1.20.3-r2: +# - CVE-2020-14345 +# - CVE-2020-14346 +# - CVE-2020-14361 +# - CVE-2020-14362 # 1.20.3-r0: # - CVE-2018-14665 # 1.19.5-r0: @@ -181,8 +190,13 @@ xwayland() { mv "$pkgdir"/usr/bin/Xwayland "$subpkgdir"/usr/bin/ } + sha512sums="ee44554f86df4297f54c5871fe7a18954eeef4338775a25f36d6577b279c4775f61128da71b86cfaeadcc080838d6749dede138d4db178866579da2056543fba xorg-server-1.20.3.tar.bz2 4dcaa60fbfc61636e7220a24a72bba19984a6dc752061cb40b1bd566c0e614d08927b6c223ffaaaa05636765fddacdc3113fde55d25fd09cd0c786ff44f51447 autoconfig-nvidia.patch 30a78f4278edd535c45ee3f80933427cb029a13abaa4b041f816515fdd8f64f00b9c6aef50d4eba2aaf0d4f333e730399864fd97fa18891273601c77a6637200 autoconfig-sis.patch b799e757a22a61ac283adbd7a8df1ad4eccce0bb6cac38a0c962ba8438bba3cf6637a65bb64859e7b32399fca672283a49960207e186c271ba574580de360d09 fix-musl-arm.patch -95036f2452732cc31f6b646da9f46b7be30f4c9392724386b02f67fece1f506b00e15d14cbd8cf0ce75ca1fd144b4bea7e59288d4aaf4d6c1e06e5168931eb67 20-modules.conf" +95036f2452732cc31f6b646da9f46b7be30f4c9392724386b02f67fece1f506b00e15d14cbd8cf0ce75ca1fd144b4bea7e59288d4aaf4d6c1e06e5168931eb67 20-modules.conf +3e411cb0af272b3f89ce9b8bb7e35eef703b4a01d8722331aaf3d365cd7867a28deee8d5224ceb8fe0cd63e9cf600f05d7360aa5ffb4c0ae2655e80e6430f7f9 CVE-2020-14345.patch +6981bb37302e6c6afc6e389698eef1e1021577a6ac54a81ec0470cc198a975274db8a2b6d9ecd0b22a1c8bb6aff07d37030c3cd451467452e6a05203f942e296 CVE-2020-14346.patch +4acf43c8a08a3ee3012cf9ae1af517bf8f7cc493316e6d9f5b55f39b205f22406b757618024e70ed98f9c56baa238ed166bcf8aa26995d33183e1e323c48f9c8 CVE-2020-14361.patch +0fa92233e405b74de6dc4ee144d995581f0ab7fbf7ee5f8410e4a842496724ac9425ed6406881d005e4fc70d01d4d05c4aff83491683f3e270e9ba360cb94d52 CVE-2020-14362.patch" diff --git a/main/xorg-server/CVE-2020-14345.patch b/main/xorg-server/CVE-2020-14345.patch new file mode 100644 index 0000000000..677bcbce38 --- /dev/null +++ b/main/xorg-server/CVE-2020-14345.patch @@ -0,0 +1,178 @@ +From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu@herrb.eu> +Date: Tue, 18 Aug 2020 14:46:32 +0200 +Subject: [PATCH] Correct bounds checking in XkbSetNames() + +CVE-2020-14345 / ZDI 11428 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> +--- + xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index d93078a6e3..8e016cd746 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT; + #define CHK_REQ_KEY_RANGE(err,first,num,r) \ + CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) + ++static Bool ++_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { ++ char *cstuff = (char *)stuff; ++ char *cfrom = (char *)from; ++ char *cto = (char *)to; ++ ++ return cfrom < cto && ++ cfrom >= cstuff && ++ cfrom < cstuff + ((size_t)client->req_len << 2) && ++ cto >= cstuff && ++ cto <= cstuff + ((size_t)client->req_len << 2); ++} ++ + /***====================================================================***/ + + int +@@ -4048,6 +4061,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = _XkbErrCode2(0x04, stuff->firstType); + return BadAccess; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes)) ++ return BadLength; + old = tmp; + tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad); + if (!tmp) { +@@ -4077,6 +4092,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + } + width = (CARD8 *) tmp; + tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels)); ++ if (!_XkbCheckRequestBounds(client, stuff, width, tmp)) ++ return BadLength; + type = &xkb->map->types[stuff->firstKTLevel]; + for (i = 0; i < stuff->nKTLevels; i++, type++) { + if (width[i] == 0) +@@ -4086,6 +4103,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + type->num_levels, width[i]); + return BadMatch; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i])) ++ return BadLength; + tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad); + if (!tmp) { + client->errorValue = bad; +@@ -4098,6 +4117,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = 0x08; + return BadMatch; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + Ones(stuff->indicators))) ++ return BadLength; + tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators, + client->swapped, &bad); + if (!tmp) { +@@ -4110,6 +4132,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = 0x09; + return BadMatch; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + Ones(stuff->virtualMods))) ++ return BadLength; + tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods, + (CARD32) stuff->virtualMods, + client->swapped, &bad); +@@ -4123,6 +4148,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = 0x0a; + return BadMatch; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + Ones(stuff->groupNames))) ++ return BadLength; + tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups, + (CARD32) stuff->groupNames, + client->swapped, &bad); +@@ -4144,9 +4172,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + stuff->nKeys); + return BadValue; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys)) ++ return BadLength; + tmp += stuff->nKeys; + } + if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) { ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + (stuff->nKeyAliases * 2))) ++ return BadLength; + tmp += stuff->nKeyAliases * 2; + } + if (stuff->which & XkbRGNamesMask) { +@@ -4154,6 +4187,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups); + return BadValue; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + stuff->nRadioGroups)) ++ return BadLength; + tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad); + if (!tmp) { + client->errorValue = bad; +@@ -4347,6 +4383,8 @@ ProcXkbSetNames(ClientPtr client) + /* check device-independent stuff */ + tmp = (CARD32 *) &stuff[1]; + ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbKeycodesNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4354,6 +4392,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbGeometryNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4361,6 +4401,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbSymbolsNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4368,6 +4410,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbPhysSymbolsNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4375,6 +4419,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbTypesNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4382,6 +4428,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbCompatNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +-- +GitLab + diff --git a/main/xorg-server/CVE-2020-14346.patch b/main/xorg-server/CVE-2020-14346.patch new file mode 100644 index 0000000000..a2b771c2cf --- /dev/null +++ b/main/xorg-server/CVE-2020-14346.patch @@ -0,0 +1,31 @@ +From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu@herrb.eu> +Date: Tue, 18 Aug 2020 14:49:04 +0200 +Subject: [PATCH] Fix XIChangeHierarchy() integer underflow + +CVE-2020-14346 / ZDI-CAN-11429 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> +--- + Xi/xichangehierarchy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index cbdd912581..504defe566 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) + if (!stuff->num_changes) + return rc; + +- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); ++ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq); + + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; + while (stuff->num_changes--) { +-- +GitLab + diff --git a/main/xorg-server/CVE-2020-14361.patch b/main/xorg-server/CVE-2020-14361.patch new file mode 100644 index 0000000000..f17d8e7fc0 --- /dev/null +++ b/main/xorg-server/CVE-2020-14361.patch @@ -0,0 +1,31 @@ +From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu@herrb.eu> +Date: Tue, 18 Aug 2020 14:52:29 +0200 +Subject: [PATCH] Fix XkbSelectEvents() integer underflow + +CVE-2020-14361 ZDI-CAN 11573 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> +--- + xkb/xkbSwap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c +index 1c1ed5ff46..50cabb90e5 100644 +--- a/xkb/xkbSwap.c ++++ b/xkb/xkbSwap.c +@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client) + register unsigned bit, ndx, maskLeft, dataLeft, size; + + from.c8 = (CARD8 *) &stuff[1]; +- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); ++ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq); + maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); + for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { + if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify)) +-- +GitLab + diff --git a/main/xorg-server/CVE-2020-14362.patch b/main/xorg-server/CVE-2020-14362.patch new file mode 100644 index 0000000000..8f16804473 --- /dev/null +++ b/main/xorg-server/CVE-2020-14362.patch @@ -0,0 +1,65 @@ +From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu@herrb.eu> +Date: Tue, 18 Aug 2020 14:55:01 +0200 +Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow + +CVE-2020-14362 ZDI-CAN-11574 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> +--- + record/record.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/record/record.c b/record/record.c +index f2d38c877e..be154525d2 100644 +--- a/record/record.c ++++ b/record/record.c +@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client) + } /* SProcRecordQueryVersion */ + + static int _X_COLD +-SwapCreateRegister(xRecordRegisterClientsReq * stuff) ++SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) + { + int i; + XID *pClientID; +@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff) + swapl(&stuff->nRanges); + pClientID = (XID *) &stuff[1]; + if (stuff->nClients > +- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) ++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) + return BadLength; + for (i = 0; i < stuff->nClients; i++, pClientID++) { + swapl(pClientID); + } + if (stuff->nRanges > +- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) ++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) + - stuff->nClients) + return BadLength; + RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); +@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client) + + swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); +- if ((status = SwapCreateRegister((void *) stuff)) != Success) ++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) + return status; + return ProcRecordCreateContext(client); + } /* SProcRecordCreateContext */ +@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client) + + swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); +- if ((status = SwapCreateRegister((void *) stuff)) != Success) ++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) + return status; + return ProcRecordRegisterClients(client); + } /* SProcRecordRegisterClients */ +-- +GitLab + |