authorSheila Aman <sheila@vulpine.house>2021-07-27 11:42:45 +0000
committerSheila Aman <sheila@vulpine.house>2021-07-27 11:42:54 +0000
commit0802fb7eecef74b8858ca0ddc653555fce360c7a (patch)
tree78b7296529eac40d58f8e5e6ff69b4df22911ad8
parent10af1e653558803cd413bfd407ac133d7e2c5d1b (diff)
user/samurai: upgrade to 1.2
-rw-r--r--user/samurai/APKBUILD15
-rw-r--r--user/samurai/CVE-2021-30218.patch29
-rw-r--r--user/samurai/CVE-2021-30219.patch26
3 files changed, 67 insertions, 3 deletions
diff --git a/user/samurai/APKBUILD b/user/samurai/APKBUILD
index caf9f9fc4..11d65fecb 100644
--- a/user/samurai/APKBUILD
+++ b/user/samurai/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sheila Aman <sheila@vulpine.house>
# Maintainer: Sheila Aman <sheila@vulpine.house>
pkgname=samurai
-pkgver=1.1
+pkgver=1.2
pkgrel=0
pkgdesc="Pure-C drop-in replacement for ninja"
url="https://github.com/michaelforney/samurai"
@@ -13,7 +13,14 @@ makedepends=""
provides="ninja"
replaces="ninja"
subpackages="$pkgname-doc"
-source="https://github.com/michaelforney/samurai/releases/download/$pkgver/samurai-$pkgver.tar.gz"
+source="https://github.com/michaelforney/samurai/releases/download/$pkgver/samurai-$pkgver.tar.gz
+ CVE-2021-30218.patch
+ CVE-2021-30219.patch"
+
+# secfixes:
+# 1.2-r0:
+# - CVE-2021-30218
+# - CVE-2021-30219
build() {
make
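Review bot: The two patch entries added to `source` give no hint in the APKBUILD of where they come from or when they can be dropped; the only provenance is the `From <commit>` line inside each patch file. Both are upstream commits dated after the packaged release, so presumably they are not in the 1.2 tarball and must be removed at the next version bump that includes them. I would add a comment above `source=` such as `# CVE-2021-3021{8,9}.patch: upstream commits e84b6d99 and d2af3bc3, drop when a release contains them`. The `secfixes` entry `1.2-r0` is consistent with `pkgver=1.2` and `pkgrel=0` in the first hunk.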
@@ -25,4 +32,6 @@ package() {
ln -s samu ninja
}
-sha512sums="b27302c34d736f483909e57c8b162609eaa4c86571c1167b71a5564b521cc3af2861307a16bb6dca55e80952088989e9526b103160d2ea054d15f4ed85b1cedb samurai-1.1.tar.gz"
+sha512sums="bbe6a582c34b04f1df53b76c1647aa3e03c4698ebf7591a203935f11ffa05971bbcb86dc1a8c06aeb904cdc741abb08918122810fc47216fed0a6d9f87fd1225 samurai-1.2.tar.gz
+6e1c3a0bd92e006f364a81e9e51394f1bc583efa96120306fe33dc0a48cb4babaa8e8c97d754d3c37cda4b4936e77f64e4c138ccb8cfedfdce43adb09c393edb CVE-2021-30218.patch
+0504b137fc9ac113453075a22bdfac4ab7616f668e640b7125041400729aaecad1173c528934223246035f68a95d92c6a85e62d1ea5fea996d85647cb33483eb CVE-2021-30219.patch"
diff --git a/user/samurai/CVE-2021-30218.patch b/user/samurai/CVE-2021-30218.patch
new file mode 100644
index 000000000..1d6663865
--- /dev/null
+++ b/user/samurai/CVE-2021-30218.patch
@@ -0,0 +1,29 @@
+From e84b6d99c85043fa1ba54851ee500540ec206918 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Fri, 2 Apr 2021 17:27:48 -0700
+Subject: [PATCH] util: Check for NULL string in writefile
+
+This check was there previously, but was removed in f549b757 with
+the addition of a check during parse that every rule has rspfile
+if and only if it has rspfile_content. However, this fails to
+consider the possibility of those variables coming from the edge
+or global environment. So, re-add the check.
+
+Fixes #67.
+---
+ util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util.c b/util.c
+index ea5c3ce..2a59881 100644
+--- a/util.c
++++ b/util.c
+@@ -258,7 +258,7 @@ writefile(const char *name, struct string *s)
+ return -1;
+ }
+ ret = 0;
+- if (fwrite(s->s, 1, s->n, f) != s->n || fflush(f) != 0) {
++ if (s && (fwrite(s->s, 1, s->n, f) != s->n || fflush(f) != 0)) {
+ warn("write %s:", name);
+ ret = -1;
+ }
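Review bot: The restored `s &&` guard in `writefile` carries no comment explaining why `s` may be NULL, and the patch description says this same check was already removed once on the assumption that parsing made it redundant. With `s` NULL the condition short-circuits, so nothing is written and `ret` stays 0; that is presumably the intended "empty file" result and is worth stating. I would add above the `if`: `/* s may be NULL: rspfile/rspfile_content can also come from the edge or global environment, which the parse-time rule check does not cover */`. The body of `writefile` starts and ends outside the hunk, so how `f` is opened and closed cannot be checked here.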
diff --git a/user/samurai/CVE-2021-30219.patch b/user/samurai/CVE-2021-30219.patch
new file mode 100644
index 000000000..fbc97b03d
--- /dev/null
+++ b/user/samurai/CVE-2021-30219.patch
@@ -0,0 +1,26 @@
+From d2af3bc375e2a77139c3a28d6128c60cd8d08655 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sun, 4 Apr 2021 03:50:09 -0700
+Subject: [PATCH] parse: Check for non-empty command/rspfile/rspfile_content
+
+This matches ninja behavior and prevents the possibility of a rule
+with an empty (NULL) command string.
+
+Fixes #68.
+---
+ parse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/parse.c b/parse.c
+index f79a5ee..b4b98a1 100644
+--- a/parse.c
++++ b/parse.c
+@@ -42,6 +42,8 @@ parserule(struct scanner *s, struct environment *env)
+ var = scanname(s);
+ parselet(s, &val);
+ ruleaddvar(r, var, val);
++ if (!val)
++ continue;
+ if (strcmp(var, "command") == 0)
+ hascommand = true;
+ else if (strcmp(var, "rspfile") == 0)
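Review bot: The `if (!val) continue;` guard runs after `ruleaddvar(r, var, val)`, so an empty binding is still stored on the rule and only the `hascommand`/`rspfile` bookkeeping is skipped. That ordering looks deliberate but is unexplained, and the rejection of a rule left without a command presumably happens after the loop, outside this hunk. A one-line comment would stop a later edit from moving the guard above `ruleaddvar` or dropping it: `/* empty value: keep the binding, but do not count it as command/rspfile/rspfile_content */`. `parserule` begins and ends outside the hunk.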