authorA. Wilcox <awilcox@wilcox-tech.com>2019-09-28 16:44:20 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2019-09-28 16:44:20 +0000
commitf1c09d5fa75c5b60749189cb1e7a7eeb132cc75e (patch)
treec5b251ee42a12d3377d3c329db37801abd2fa8b7
parent392df44317bc4ddfbf182293305442712d6ce863 (diff)
parent9d975a16f6054ccfa09bcd932da9f18eff7d37d1 (diff)
Merge branch 'cves.2019.08.29' into 'master'
Misc. security updates See merge request adelie/packages!336
-rw-r--r--system/curl/APKBUILD12
-rw-r--r--system/curl/curl-do-bounds-check-using-a-double-comparison.patch32
-rw-r--r--system/expat/APKBUILD10
-rw-r--r--system/expat/CVE-2019-15903.patch181
-rw-r--r--system/libgcrypt/APKBUILD15
-rw-r--r--system/openssl/APKBUILD12
-rw-r--r--user/djvulibre/APKBUILD25
-rw-r--r--user/djvulibre/CVE-2019-15142.patch94
-rw-r--r--user/djvulibre/CVE-2019-15143.patch46
-rw-r--r--user/djvulibre/CVE-2019-15144.patch117
-rw-r--r--user/djvulibre/CVE-2019-15145.patch34
-rw-r--r--user/faad2/APKBUILD46
-rw-r--r--user/faad2/automake.patch11
-rw-r--r--user/faad2/overflow.patch25
-rw-r--r--user/irssi/APKBUILD9
-rw-r--r--user/libvorbis/APKBUILD17
-rw-r--r--user/libvorbis/CVE-2017-14160-and-2018-10393.patch27
-rw-r--r--user/libvorbis/CVE-2017-14160.patch58
-rw-r--r--user/libvorbis/CVE-2018-10392.patch25
-rw-r--r--user/links/APKBUILD4
-rw-r--r--user/mpg123/APKBUILD4
-rw-r--r--user/opencv/APKBUILD10
-rw-r--r--user/opencv/CVE-2019-16249.patch57
-rw-r--r--user/pango/APKBUILD14
-rw-r--r--user/pango/CVE-2019-1010238.patch34
-rw-r--r--user/vlc/APKBUILD38
-rw-r--r--user/wpa_supplicant/APKBUILD6
-rw-r--r--user/wpa_supplicant/CVE-2019-16275.patch73
28 files changed, 837 insertions, 199 deletions
diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD
index aa6e4c9e7..5e767bcc8 100644
--- a/system/curl/APKBUILD
+++ b/system/curl/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer:
pkgname=curl
-pkgver=7.65.3
+pkgver=7.66.0
pkgrel=0
pkgdesc="An URL retrival utility and library"
url="https://curl.haxx.se"
@@ -17,6 +17,9 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
# secfixes:
+# 7.66.0-r0:
+# - CVE-2019-5481
+# - CVE-2019-5482
# 7.65.1-r0:
# - CVE-2019-5435
# - CVE-2019-5436
@@ -83,6 +86,7 @@ build() {
--prefix=/usr \
--enable-ipv6 \
--enable-unix-sockets \
+ --with-libssh2 \
--without-libidn \
--without-libidn2 \
--disable-ldap \
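Review bot: `--with-libssh2` in the configure arguments is a feature change riding along with the 7.66.0 security bump: it links libcurl against libssh2 and turns on the SCP/SFTP code paths for every consumer of the library. No `makedepends` change is visible in this diff, so confirm the libssh2 development package is already listed there; otherwise the result depends on what the build host happens to have installed. A short comment next to the flag, e.g. `# SCP/SFTP support; needs libssh2-dev in makedepends`, would record the intent. build() starts and ends outside this hunk.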
@@ -91,7 +95,9 @@ build() {
}
check() {
- make check
+ # -p: print log contents on test failure
+ # !1592: requires DNS access
+ make check TFLAGS='-p !1592'
}
package() {
@@ -104,4 +110,4 @@ libcurl() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
-sha512sums="fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b curl-7.65.3.tar.xz"
+sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz"
diff --git a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
deleted file mode 100644
index 34e2b6c71..000000000
--- a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001
-From: Adam Sampson <ats@offog.org>
-Date: Wed, 9 Aug 2017 14:11:17 +0100
-Subject: [PATCH] curl: do bounds check using a double comparison
-
-The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
-complete: if the parsed number in num is larger than will fit in a long,
-the conversion is undefined behaviour (causing test1427 to fail for me
-on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
-rid of the cast means the comparison will be done using doubles.
-
-It might make more sense for the max argument to also be a double...
-
-Fixes #1750
-Closes #1749
----
- src/tool_paramhlp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
-index b9dedc989e..85c5e79a7e 100644
---- a/src/tool_paramhlp.c
-+++ b/src/tool_paramhlp.c
-@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max)
- num = strtod(str, &endptr);
- if(errno == ERANGE)
- return PARAM_NUMBER_TOO_LARGE;
-- if((long)num > max) {
-+ if(num > max) {
- /* too large */
- return PARAM_NUMBER_TOO_LARGE;
- }
diff --git a/system/expat/APKBUILD b/system/expat/APKBUILD
index 088d9d9b1..4a6f547e3 100644
--- a/system/expat/APKBUILD
+++ b/system/expat/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=expat
pkgver=2.2.7
-pkgrel=0
+pkgrel=1
pkgdesc="An XML Parser library written in C"
url="https://libexpat.github.io/"
arch="all"
@@ -10,13 +10,16 @@ depends=""
checkdepends="bash"
makedepends=""
subpackages="$pkgname-dev $pkgname-doc"
-source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2"
+source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2
+ CVE-2019-15903.patch"
# secfixes:
# 2.2.1-r0:
# - CVE-2016-9063
# 2.2.0-r1:
# - CVE-2017-9233
+# 2.2.7-r1:
+# - CVE-2019-15903
build() {
./configure \
@@ -35,4 +38,5 @@ package() {
make DESTDIR="$pkgdir/" install
}
-sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2"
+sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2
+02d1719307dffdab98e90f242a77aa61cab79ae63ea28d6fa1219b4191d7247e5c319d3adf9781c9086e392c05fd6b6558051b0792ade5cb6c64e7583c67a70d CVE-2019-15903.patch"
diff --git a/system/expat/CVE-2019-15903.patch b/system/expat/CVE-2019-15903.patch
new file mode 100644
index 000000000..c81e72bbb
--- /dev/null
+++ b/system/expat/CVE-2019-15903.patch
@@ -0,0 +1,181 @@
+Grabbed from Debian since upstream patch does not apply to 2.2.7.
+
+https://sources.debian.org/patches/expat/2.2.7-2/CVE-2019-15903_Deny_internal_entities_closing_the_doctype.patch/
+https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
+
+From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 28 Aug 2019 00:24:59 +0200
+Subject: [PATCH 1/3] xmlparse.c: Deny internal entities closing the doctype
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 0553e3df..c29a6449 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -405,7 +405,7 @@ initializeEncoding(XML_Parser parser);
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+ const char *end, int tok, const char *next, const char **nextPtr,
+- XML_Bool haveMore);
++ XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+ XML_Bool betweenDecl);
+@@ -4232,7 +4232,7 @@ externalParEntProcessor(XML_Parser parse
+
+ parser->m_processor = prologProcessor;
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error PTRCALL
+@@ -4282,7 +4282,7 @@ prologProcessor(XML_Parser parser,
+ const char *next = s;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error
+@@ -4293,7 +4293,8 @@ doProlog(XML_Parser parser,
+ int tok,
+ const char *next,
+ const char **nextPtr,
+- XML_Bool haveMore)
++ XML_Bool haveMore,
++ XML_Bool allowClosingDoctype)
+ {
+ #ifdef XML_DTD
+ static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+@@ -4472,6 +4473,11 @@ doProlog(XML_Parser parser,
+ }
+ break;
+ case XML_ROLE_DOCTYPE_CLOSE:
++ if (allowClosingDoctype != XML_TRUE) {
++ /* Must not close doctype from within expanded parameter entities */
++ return XML_ERROR_INVALID_TOKEN;
++ }
++
+ if (parser->m_doctypeName) {
+ parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
+ parser->m_doctypeSysid, parser->m_doctypePubid, 0);
+@@ -5409,7 +5415,7 @@ processInternalEntity(XML_Parser parser,
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_FALSE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5456,7 +5462,7 @@ internalEntityProcessor(XML_Parser parse
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5483,7 +5489,7 @@ internalEntityProcessor(XML_Parser parse
+ parser->m_processor = prologProcessor;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+
+From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 28 Aug 2019 15:14:19 +0200
+Subject: [PATCH 3/3] tests: Cover denying internal entities closing the
+ doctype
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index b0d1b0af..e102a55e 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -8151,6 +8151,68 @@ START_TEST(test_misc_utf16le)
+ }
+ END_TEST
+
++#ifdef XML_DTD
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
++ const char *const inputOne = "<!DOCTYPE d [\n"
++ "<!ENTITY % e ']><d/>'>\n"
++ "\n"
++ "%e;";
++ const char *const inputTwo = "<!DOCTYPE d [\n"
++ "<!ENTITY % e1 ']><d/>'><!ENTITY % e2 '&e1;'>\n"
++ "\n"
++ "%e2;";
++ const char *const inputThree = "<!DOCTYPE d [\n"
++ "<!ENTITY % e ']><d'>\n"
++ "\n"
++ "%e;";
++ const char *const inputIssue317 = "<!DOCTYPE doc [\n"
++ "<!ENTITY % foo ']>\n"
++ "<doc>Hell<oc (#PCDATA)*>'>\n"
++ "%foo;\n"
++ "]>\n"
++ "<doc>Hello, world</dVc>";
++
++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
++ size_t inputIndex = 0;
++
++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
++ XML_Parser parser;
++ enum XML_Status parseResult;
++ int setParamEntityResult;
++ XML_Size lineNumber;
++ XML_Size columnNumber;
++ const char *const input = inputs[inputIndex];
++
++ parser = XML_ParserCreate(NULL);
++ setParamEntityResult
++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ if (setParamEntityResult != 1)
++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
++
++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
++ if (parseResult != XML_STATUS_ERROR) {
++ parseResult = XML_Parse(parser, "", 0, 1);
++ if (parseResult != XML_STATUS_ERROR) {
++ fail("Parsing was expected to fail but succeeded.");
++ }
++ }
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
++ fail("Error code does not match XML_ERROR_INVALID_TOKEN");
++
++ lineNumber = XML_GetCurrentLineNumber(parser);
++ if (lineNumber != 4)
++ fail("XML_GetCurrentLineNumber does not work as expected.");
++
++ columnNumber = XML_GetCurrentColumnNumber(parser);
++ if (columnNumber != 0)
++ fail("XML_GetCurrentColumnNumber does not work as expected.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++#endif
+
+ static void
+ alloc_setup(void)
+@@ -12251,6 +12313,10 @@ make_suite(void)
+ tcase_add_test(tc_misc, test_misc_features);
+ tcase_add_test(tc_misc, test_misc_attribute_leak);
+ tcase_add_test(tc_misc, test_misc_utf16le);
++#ifdef XML_DTD
++ tcase_add_test(tc_misc,
++ test_misc_deny_internal_entity_closing_doctype_issue_317);
++#endif
+
+ suite_add_tcase(s, tc_alloc);
+ tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
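Review bot: The two call sites that run `doProlog` over entity text end up with different values for the new `allowClosingDoctype` argument, and nothing in the patch says why. `processInternalEntity` passes `XML_FALSE`, while the first `doProlog` call in `internalEntityProcessor` (also over `textStart`/`textEnd` with `m_internalEncoding`) passes `XML_TRUE`. If that is intentional, a comment at that call explaining why a doctype close is acceptable there would help whoever carries this backport forward. The added test only feeds `XML_Parse` straight through, so the `internalEntityProcessor` path does not appear to be exercised by it. This mirrors the upstream commit linked in the header, so any change is best raised upstream rather than made in the local copy.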
diff --git a/system/libgcrypt/APKBUILD b/system/libgcrypt/APKBUILD
index 13797a615..37fda1300 100644
--- a/system/libgcrypt/APKBUILD
+++ b/system/libgcrypt/APKBUILD
@@ -1,20 +1,21 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=libgcrypt
-pkgver=1.8.4
+pkgver=1.8.5
pkgrel=0
pkgdesc="GnuPG cryptography library"
url="https://www.gnupg.org"
arch="all"
license="LGPL-2.1+"
depends=""
-depends_dev="libgpg-error-dev"
-makedepends="$depends_dev texinfo"
+makedepends="libgpg-error-dev texinfo"
subpackages="$pkgname-dev $pkgname-doc"
source="https://www.gnupg.org/ftp/gcrypt/$pkgname/$pkgname-$pkgver.tar.bz2"
-build() {
- cd "$builddir"
+# secfixes:
+# 1.8.5-r0:
+# - CVE-2019-13627
+build() {
local _arch_configure=
case "$CARCH" in
arm*)
@@ -40,14 +41,12 @@ build() {
}
check() {
- cd "$builddir"
make check
}
package() {
- cd "$builddir"
make -j1 DESTDIR="$pkgdir" install
rm -f ${pkgdir}/usr/share/info/dir
}
-sha512sums="b831fc337eb14806897e224b0d1e78d1f8e9db91dffa818a015a4aa104144e2d971e5a855904907ee2bb9990a9d526de32d6787e1cae98e28a65c3258b2b1ea1 libgcrypt-1.8.4.tar.bz2"
+sha512sums="b55e16e838d1b1208e7673366971ae7c0f9c1c79e042f41c03d14ed74c5e387fa69ea81d5414ffda3d2b4f82ea5467fe13b00115727e257db22808cf351bde89 libgcrypt-1.8.5.tar.bz2"
diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
index 984cb486a..513b87d0d 100644
--- a/system/openssl/APKBUILD
+++ b/system/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=openssl
-pkgver=1.0.2s
+pkgver=1.0.2t
pkgrel=0
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url="https://www.openssl.org/"
@@ -66,12 +66,12 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
# - CVE-2018-0734
# - CVE-2018-5407
# - CVE-2019-1559
-
-builddir="$srcdir"/$pkgname-$pkgver
+# 1.0.2t-r0:
+# - CVE-2019-1547
+# - CVE-2019-1563
build() {
local _target _optflags
- cd "$builddir"
# openssl will prepend crosscompile always core CC et al
CC=${CC#${CROSS_COMPILE}}
@@ -107,12 +107,10 @@ build() {
}
check() {
- cd "$builddir"
make -j1 test
}
package() {
- cd "$builddir"
make INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install
# remove the script c_rehash
rm "$pkgdir"/usr/bin/c_rehash
@@ -144,7 +142,7 @@ dev() {
default_dev
}
-sha512sums="9f745452c4f777df694158e95003cde78a2cf8199bc481a563ec36644664c3c1415a774779b9791dd18f2aeb57fa1721cb52b3db12d025955e970071d5b66d2a openssl-1.0.2s.tar.gz
+sha512sums="0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71 openssl-1.0.2t.tar.gz
58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch
c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch
5d4191482f8bbf62c75fe6bc2d9587388022c3310703c2a913788a983b1d1406e706cf3916a5792604f0b0f220a87432d3b82b442cea9915f2abb6fdd8478fcb 0005-fix-parallel-build.patch
diff --git a/user/djvulibre/APKBUILD b/user/djvulibre/APKBUILD
index a90485e6a..2b4a3ed0e 100644
--- a/user/djvulibre/APKBUILD
+++ b/user/djvulibre/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=djvulibre
pkgver=3.5.27
-pkgrel=0
+pkgrel=1
pkgdesc="Format for distributing documents and images"
url="http://djvu.sourceforge.net/"
arch="all"
@@ -11,10 +11,20 @@ depends=""
depends_dev=""
makedepends="$depends_dev imagemagick libjpeg-turbo-dev tiff-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz"
+source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz
+ CVE-2019-15142.patch
+ CVE-2019-15143.patch
+ CVE-2019-15144.patch
+ CVE-2019-15145.patch"
+
+# secfixes:
+# 3.5.27-r1:
+# - CVE-2019-15142
+# - CVE-2019-15143
+# - CVE-2019-15144
+# - CVE-2019-15145
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
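Review bot: The order of the four patches in `source=` is load-bearing, and that is not recorded anywhere. The first hunk of CVE-2019-15143.patch rewrites the `G_THROW( "DjVu document is corrupted (DjVmDir)" )` line that CVE-2019-15142.patch adds, so it cannot apply alone or ahead of it. I would add a comment above the list such as `# CVE-2019-15143.patch applies on top of CVE-2019-15142.patch; keep this order`. build() continues past the end of this hunk.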
@@ -26,13 +36,16 @@ build() {
}
check() {
- cd "$builddir"
+ # This doesn't actually do anything yet
make check
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
-sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252e4769e6534582b826e49bcfb490513179580fab9c3afa84aa92053ccebee djvulibre-3.5.27.tar.gz"
+sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252e4769e6534582b826e49bcfb490513179580fab9c3afa84aa92053ccebee djvulibre-3.5.27.tar.gz
+d9e4301fb98a35b8c2f1854eb4be53611f98b3fc9fdd357dd5502b5b189bdf61957a48b220f3ab7465bbf1df8606ce04513e10df74643a9e289c349f94721561 CVE-2019-15142.patch
+3527e1c84f7c7d36f902cb3d7e9ddb6866acbdd4b47675ce3ffd164accf2e2931a4c6bbaae2ea775b4710d88ae34dd4dcd39a5846fce13bef2c82a99d608b8c1 CVE-2019-15143.patch
+f8f1abf328a97d69514b2626e4c6449c0c7b7e2b5518d56bba6a61a944aaf4b7fffd1371c26396353728f6a1399c6d87492af5c17e6b623dae7751b81eac11f9 CVE-2019-15144.patch
+790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068 CVE-2019-15145.patch"
diff --git a/user/djvulibre/CVE-2019-15142.patch b/user/djvulibre/CVE-2019-15142.patch
new file mode 100644
index 000000000..84ed64e24
--- /dev/null
+++ b/user/djvulibre/CVE-2019-15142.patch
@@ -0,0 +1,94 @@
+Lifted from SUSE: backport of two upstream commits
+
+https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e
+https://sourceforge.net/p/djvu/djvulibre-git/ci/89d71b01d606e57ecec2c2930c145bb20ba5bbe3
+https://bugzilla.suse.com/show_bug.cgi?id=1146702#c3
+https://build.opensuse.org/package/view_file/graphics/djvulibre/djvulibre-CVE-2019-15142.patch
+
+Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp
+===================================================================
+--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200
++++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200
+@@ -300,36 +300,44 @@ DjVmDir::decode(const GP<ByteStream> &gs
+ memcpy((char*) strings+strings_size, buffer, length);
+ }
+ DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+-
+- // Copy names into the files
++ int strings_size=strings.size();
++ strings.resize(strings_size+3);
++ memset((char*) strings+strings_size, 0, 4);
++
++ // Copy names into the files
+ const char * ptr=strings;
+ for(pos=files_list;pos;++pos)
+ {
+ GP<File> file=files_list[pos];
+-
++ if (ptr >= (const char*)strings + strings_size)
++ G_THROW( "DjVu document is corrupted (DjVmDir)" );
+ file->id=ptr;
+ ptr+=file->id.length()+1;
+ if (file->flags & File::HAS_NAME)
+ {
+- file->name=ptr;
+- ptr+=file->name.length()+1;
+- } else
++ file->name=ptr;
++ ptr+=file->name.length()+1;
++ }
++ else
+ {
+ file->name=file->id;
+ }
+ if (file->flags & File::HAS_TITLE)
+ {
+- file->title=ptr;
+- ptr+=file->title.length()+1;
+- } else
+- file->title=file->id;
+- /* msr debug: multipage file, file->title is null.
++ file->title=ptr;
++ ptr+=file->title.length()+1;
++ }
++ else
++ {
++ file->title=file->id;
++ }
++ /* msr debug: multipage file, file->title is null.
+ DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
+ file->offset << ", " << file->size << ", " <<
+ file->is_page() << "\n"); */
+ }
+
+- // Check that there is only one file with SHARED_ANNO flag on
++ // Check that there is only one file with SHARED_ANNO flag on
+ int shared_anno_cnt=0;
+ for(pos=files_list;pos;++pos)
+ {
+Index: djvulibre-3.5.27/libdjvu/miniexp.cpp
+===================================================================
+--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100
++++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200
+@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i
+ {
+ if (char_quoted(c, flags))
+ {
+- char buffer[10];
++ char buffer[16]; /* 10+1 */
+ static const char *tr1 = "\"\\tnrbf";
+ static const char *tr2 = "\"\\\t\n\r\b\f";
+ buffer[0] = buffer[1] = 0;
+Index: djvulibre-3.5.27/tools/csepdjvu.cpp
+===================================================================
+--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200
++++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200
+@@ -1814,7 +1814,7 @@ main(int argc, const char **argv)
+ ByteStream::create(GURL::Filename::UTF8(arg),"rb");
+ BufferByteStream ibs(*fbs);
+ do {
+- char pagename[16];
++ char pagename[20];
+ sprintf(pagename, "p%04d.djvu", ++pageno);
+ if (opts.verbose > 1)
+ DjVuPrintErrorUTF8("%s","--------------------\n");
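Review bot: In the csepdjvu.cpp hunk the fix enlarges `pagename` to 20 bytes but keeps the unbounded `sprintf`, so the write stays safe only because of arithmetic on the format string. Bounding the write itself removes that dependency: `snprintf(pagename, sizeof(pagename), "p%04d.djvu", ++pageno);`. In the miniexp.cpp hunk the new `char buffer[16]; /* 10+1 */` comment does not match the declared size and should be reworded to say what the 16 covers. Both come from the SUSE backport, and the enclosing functions extend beyond the hunks shown.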
diff --git a/user/djvulibre/CVE-2019-15143.patch b/user/djvulibre/CVE-2019-15143.patch
new file mode 100644
index 000000000..db04087e1
--- /dev/null
+++ b/user/djvulibre/CVE-2019-15143.patch
@@ -0,0 +1,46 @@
+From b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Tue, 26 Mar 2019 20:45:46 -0400
+Subject: [PATCH] fix for bug #297
+
+---
+ libdjvu/DjVmDir.cpp | 2 +-
+ libdjvu/GBitmap.cpp | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index 0a0fac6..5a49015 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -309,7 +309,7 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+ {
+ GP<File> file=files_list[pos];
+ if (ptr >= (const char*)strings + strings_size)
+- G_THROW( "DjVu document is corrupted (DjVmDir)" );
++ G_THROW( ByteStream::EndOfFile );
+ file->id=ptr;
+ ptr+=file->id.length()+1;
+ if (file->flags & File::HAS_NAME)
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index 0e487f0..c2fdbe4 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
+ int c = 0;
+ while (n >= 0)
+ {
+- bs.read(&h, 1);
++ if (bs.read(&h, 1) <= 0)
++ G_THROW( ByteStream::EndOfFile );
+ int x = h;
+ if (x >= (int)RUNOVERFLOWVALUE)
+ {
+- bs.read(&h, 1);
++ if (bs.read(&h, 1) <= 0)
++ G_THROW( ByteStream::EndOfFile );
+ x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
+ }
+ if (c+x > ncolumns)
+--
+2.22.1
+
diff --git a/user/djvulibre/CVE-2019-15144.patch b/user/djvulibre/CVE-2019-15144.patch
new file mode 100644
index 000000000..1b0c71c5f
--- /dev/null
+++ b/user/djvulibre/CVE-2019-15144.patch
@@ -0,0 +1,117 @@
+From e15d51510048927f172f1bf1f27ede65907d940d Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Mon, 8 Apr 2019 22:25:55 -0400
+Subject: [PATCH] bug 299 fixed
+
+---
+ libdjvu/GContainer.h | 87 ++++++++++++++++++++++++--------------------
+ 1 file changed, 48 insertions(+), 39 deletions(-)
+
+diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h
+index 96b067c..0140211 100644
+--- a/libdjvu/GContainer.h
++++ b/libdjvu/GContainer.h
+@@ -550,52 +550,61 @@ public:
+ template <class TYPE> void
+ GArrayTemplate<TYPE>::sort(int lo, int hi)
+ {
+- if (hi <= lo)
+- return;
+- if (hi > hibound || lo<lobound)
+- G_THROW( ERR_MSG("GContainer.illegal_subscript") );
+ TYPE *data = (TYPE*)(*this);
+- // Test for insertion sort
+- if (hi <= lo + 50)
++ while(true)
+ {
+- for (int i=lo+1; i<=hi; i++)
++ if (hi <= lo)
++ return;
++ if (hi > hibound || lo<lobound)
++ G_THROW( ERR_MSG("GContainer.illegal_subscript") );
++ // Test for insertion sort
++ if (hi <= lo + 50)
+ {
+- int j = i;
+- TYPE tmp = data[i];
+- while ((--j>=lo) && !(data[j]<=tmp))
+- data[j+1] = data[j];
+- data[j+1] = tmp;
++ for (int i=lo+1; i<=hi; i++)
++ {
++ int j = i;
++ TYPE tmp = data[i];
++ while ((--j>=lo) && !(data[j]<=tmp))
++ data[j+1] = data[j];
++ data[j+1] = tmp;
++ }
++ return;
+ }
+- return;
+- }
+- // -- determine suitable quick-sort pivot
+- TYPE tmp = data[lo];
+- TYPE pivot = data[(lo+hi)/2];
+- if (pivot <= tmp)
+- { tmp = pivot; pivot=data[lo]; }
+- if (data[hi] <= tmp)
+- { pivot = tmp; }
+- else if (data[hi] <= pivot)
+- { pivot = data[hi]; }
+- // -- partition set
+- int h = hi;
+- int l = lo;
+- while (l < h)
+- {
+- while (! (pivot <= data[l])) l++;
+- while (! (data[h] <= pivot)) h--;
+- if (l < h)
++ // -- determine median-of-three pivot
++ TYPE tmp = data[lo];
++ TYPE pivot = data[(lo+hi)/2];
++ if (pivot <= tmp)
++ { tmp = pivot; pivot=data[lo]; }
++ if (data[hi] <= tmp)
++ { pivot = tmp; }
++ else if (data[hi] <= pivot)
++ { pivot = data[hi]; }
++ // -- partition set
++ int h = hi;
++ int l = lo;
++ while (l < h)
+ {
+- tmp = data[l];
+- data[l] = data[h];
+- data[h] = tmp;
+- l = l+1;
+- h = h-1;
++ while (! (pivot <= data[l])) l++;
++ while (! (data[h] <= pivot)) h--;
++ if (l < h)
++ {
++ tmp = data[l];
++ data[l] = data[h];
++ data[h] = tmp;
++ l = l+1;
++ h = h-1;
++ }
++ }
++ // -- recurse, small partition first
++ // tail-recursion elimination
++ if (h - lo <= hi - l) {
++ sort(lo,h);
++ lo = l; // sort(l,hi)
++ } else {
++ sort(l,hi);
++ hi = h; // sort(lo,h)
+ }
+ }
+- // -- recursively restart
+- sort(lo, h);
+- sort(l, hi);
+ }
+
+ template<class TYPE> inline TYPE&
+--
+2.22.1
+
diff --git a/user/djvulibre/CVE-2019-15145.patch b/user/djvulibre/CVE-2019-15145.patch
new file mode 100644
index 000000000..2a545cee2
--- /dev/null
+++ b/user/djvulibre/CVE-2019-15145.patch
@@ -0,0 +1,34 @@
+From 9658b01431cd7ff6344d7787f855179e73fe81a7 Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Mon, 8 Apr 2019 22:55:38 -0400
+Subject: [PATCH] fix bug #298
+
+---
+ libdjvu/GBitmap.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h
+index e8e0c9b..ca89a19 100644
+--- a/libdjvu/GBitmap.h
++++ b/libdjvu/GBitmap.h
+@@ -566,7 +566,7 @@ GBitmap::operator[](int row)
+ {
+ if (!bytes)
+ uncompress();
+- if (row<0 || row>=nrows) {
++ if (row<0 || row>=nrows || !bytes) {
+ #ifndef NDEBUG
+ if (zerosize < bytes_per_row + border)
+ G_THROW( ERR_MSG("GBitmap.zero_small") );
+@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const
+ {
+ if (!bytes)
+ ((GBitmap*)this)->uncompress();
+- if (row<0 || row>=nrows) {
++ if (row<0 || row>=nrows || !bytes) {
+ #ifndef NDEBUG
+ if (zerosize < bytes_per_row + border)
+ G_THROW( ERR_MSG("GBitmap.zero_small") );
+--
+2.22.1
+
diff --git a/user/faad2/APKBUILD b/user/faad2/APKBUILD
index 3794942b9..970d16f7e 100644
--- a/user/faad2/APKBUILD
+++ b/user/faad2/APKBUILD
@@ -1,7 +1,8 @@
# Maintainer:
pkgname=faad2
-pkgver=2.8.8
-pkgrel=1
+pkgver=2.9.0
+_pkgver="$(printf '%s' "$pkgver" | tr . _)"
+pkgrel=0
pkgdesc="ISO AAC audio decoder"
url="https://www.audiocoding.com/"
arch="all"
@@ -10,23 +11,48 @@ license="GPL-2.0+"
subpackages="$pkgname-dev $pkgname-doc"
depends=""
makedepends="autoconf automake libtool"
-source="https://downloads.sourceforge.net/sourceforge/faac/$pkgname-$pkgver.tar.gz
- overflow.patch
- "
+source="$pkgname-$pkgver.tar.gz::https://github.com/knik0/faad2/archive/$_pkgver.tar.gz"
+builddir="$srcdir/$pkgname-$_pkgver"
+
+# secfixes:
+# 2.8.8-r1:
+# - CVE-2018-19502
+# - CVE-2019-15296
+# 2.9.0-r0:
+# - CVE-2019-6956
+# - CVE-2018-19503
+# - CVE-2018-19504
+# - CVE-2018-20194
+# - CVE-2018-20195
+# - CVE-2018-20196
+# - CVE-2018-20197
+# - CVE-2018-20198
+# - CVE-2018-20199
+# - CVE-2018-20357
+# - CVE-2018-20358
+# - CVE-2018-20359
+# - CVE-2018-20360
+# - CVE-2018-20361
+# - CVE-2018-20362
+
+prepare() {
+ default_prepare
+ ./bootstrap
+}
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
- --prefix=/usr
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --localstatedir=/var
make
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
-sha512sums="3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af faad2-2.8.8.tar.gz
-f9266ca424d1e4f5b46c2f6b4b1568caee86849d2b6edc3b6c1fb7cf08fd736c0a8fe2c096c3bc64674e4fa40619c24d45d6d6125f11360517feb09a5c996a34 overflow.patch"
+sha512sums="1756b2672f9e438a56b11160ddc77fc721d85860eaa325a3ff01b51a2524baf4c1c61068a97cbc4e99d47e7643f10e1d6afb997eede3295b44551fe4661fb5dc faad2-2.9.0.tar.gz"
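Review bot: The new `source=` fetches GitHub's auto-generated `archive/$_pkgver.tar.gz` instead of a tarball published by the project, which leaves the pinned `sha512sums` as the only integrity anchor. Such archives are produced on demand and their bytes are not guaranteed to stay stable, so the checksum may start failing without any upstream change. A comment noting where the hash came from, e.g. `# sha512 of the GitHub tag archive for 2_9_0`, would help tell that case apart from tampering. Separately, the secfixes block back-fills `2.8.8-r1` while `overflow.patch` is dropped from `source=`, so it is worth confirming that 2.9.0 itself contains the fixes for the two CVEs listed under that entry.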
diff --git a/user/faad2/automake.patch b/user/faad2/automake.patch
deleted file mode 100644
index 809031eb0..000000000
--- a/user/faad2/automake.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- ./configure.in.orig 2012-12-31 10:42:26.394219312 +0000
-+++ ./configure.in 2012-12-31 10:42:43.294360781 +0000
-@@ -25,7 +25,7 @@
- AC_PROG_MAKE_SET
- AC_CHECK_PROGS(RPMBUILD, rpmbuild, rpm)
-
--AM_CONFIG_HEADER(config.h)
-+AC_CONFIG_HEADER(config.h)
-
- AC_ARG_WITH(xmms,[ --with-xmms compile XMMS-1 plugin],
- WITHXMMS=$withval, WITHXMMS=no)
diff --git a/user/faad2/overflow.patch b/user/faad2/overflow.patch
deleted file mode 100644
index 5a198f8d8..000000000
--- a/user/faad2/overflow.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- faad2/libfaad/bits.c 2007-11-01 13:33:29.000000000 +0100
-+++ faad2.new/libfaad/bits.c 2019-03-25 17:29:26.134199188 +0100
-@@ -167,7 +167,10 @@
- int words = bits >> 5;
- int remainder = bits & 0x1F;
-
-- ld->bytes_left = ld->buffer_size - words*4;
-+ if (ld->buffer_size < words * 4)
-+ ld->bytes_left = 0;
-+ else
-+ ld->bytes_left = ld->buffer_size - words*4;
-
- if (ld->bytes_left >= 4)
- {
---- faad2/libfaad/syntax.c 2019-03-25 17:57:36.930937066 +0100
-+++ faad2.new/libfaad/syntax.c 2019-03-25 17:49:26.135368525 +0100
-@@ -2292,6 +2292,8 @@
- while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
- DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
- {
-+ if (i >= MAX_CHANNELS - num_excl_chan - 7)
-+ return n;
- for (i = num_excl_chan; i < num_excl_chan+7; i++)
- {
- drc->exclude_mask[i] = faad_get1bit(ld
diff --git a/user/irssi/APKBUILD b/user/irssi/APKBUILD
index ffa7267ac..1d63fd4b2 100644
--- a/user/irssi/APKBUILD
+++ b/user/irssi/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Kiyoshi Aman <kiyoshi.aman+adelie@gmail.com>
# Maintainer: Kiyoshi Aman <kiyoshi.aman+adelie@gmail.com>
pkgname=irssi
-pkgver=1.2.1
+pkgver=1.2.2
pkgrel=0
pkgdesc="Text-based IRC client"
url="https://irssi.org"
@@ -14,9 +14,10 @@ source="https://github.com/irssi/irssi/releases/download/$pkgver/irssi-$pkgver.t
# secfixes: irssi
# 1.2.1-r0:
# - CVE-2019-13045
+# 1.2.2-r0:
+# - CVE-2019-15717
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -31,12 +32,10 @@ build() {
}
check() {
- cd "$builddir"
make check
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
@@ -48,4 +47,4 @@ perl() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
mv "$pkgdir"/usr/share/irssi/scripts "$subpkgdir"/usr/share/irssi
}
-sha512sums="67c4501b5a0055c1b24fa6753305658de809cd66e952e6f9233701a112989fd8721a065b1c681725b82346b40b53a29bd2b6b8b8315ac0ad196235a9e5156d5a irssi-1.2.1.tar.xz"
+sha512sums="5444ac102ff9ad3a6399a47c967d138e181330dd226eac68886d35fee4ad455932b9306a367bee3478095158e41ba67fb46deb8f0a33512046b9b83bae37c610 irssi-1.2.2.tar.xz"
diff --git a/user/libvorbis/APKBUILD b/user/libvorbis/APKBUILD
index 2b5b41f4c..73520bf56 100644
--- a/user/libvorbis/APKBUILD
+++ b/user/libvorbis/APKBUILD
@@ -10,18 +10,21 @@ license="BSD-3-Clause"
subpackages="$pkgname-dev $pkgname-doc"
makedepends="libogg-dev"
source="https://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.xz
- CVE-2017-14160.patch
+ CVE-2017-14160-and-2018-10393.patch
+ CVE-2018-10392.patch
"
# secfixes:
+# 1.3.6-r1:
+# - CVE-2018-10392
# 1.3.5-r4:
-# - CVE-2017-14632
-# - CVE-2017-14633
+# - CVE-2017-14632
+# - CVE-2017-14633
# 1.3.5-r3:
-# - CVE-2017-14160
+# - CVE-2017-14160
+# - CVE-2018-10393
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
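Review bot: The new secfixes entry names `1.3.6-r1`, but no hunk in this file's diff touches `pkgrel`, which sits above line 10 and outside this hunk. Unless `pkgrel` was already 1 before this merge, the rebuilt package keeps its old version. Installed systems would then not be offered the build carrying CVE-2018-10392.patch, and the secfixes entry would name a release that was never published. If it is still 0, bump it in the same change: `pkgrel=1`.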
@@ -33,9 +36,9 @@ build() {
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
sha512sums="a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132 libvorbis-1.3.6.tar.xz
-4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch"
+332081da5dd8fb28ee70dfbc123e7fcef279317ee977be9da97e97a105e788da452c33097bf597f369fea0e49749f876a93d6af0fa2fa20405acbc57771c89a9 CVE-2017-14160-and-2018-10393.patch
+294de5e0c40b64d495df7f53196260be5ffaba11c75fc4a1a54ec0c058eeba4793c1ef685c8cf866195a2972c91a7a896df5f05f478b7f25a564abb3f82f331f CVE-2018-10392.patch"
diff --git a/user/libvorbis/CVE-2017-14160-and-2018-10393.patch b/user/libvorbis/CVE-2017-14160-and-2018-10393.patch
new file mode 100644
index 000000000..3a7097ec7
--- /dev/null
+++ b/user/libvorbis/CVE-2017-14160-and-2018-10393.patch
@@ -0,0 +1,27 @@
+From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Wed, 9 May 2018 14:56:59 -0700
+Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates.
+
+---
+ lib/psy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1..1310123 100644
+--- a/lib/psy.c
++++ b/lib/psy.c
+@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b,
+ for (i = 0, x = 0.f;; i++, x += 1.f) {
+
+ lo = b[i] >> 16;
+- if( lo>=0 ) break;
+ hi = b[i] & 0xffff;
++ if( lo>=0 ) break;
++ if( hi>=n ) break;
+
+ tN = N[hi] + N[-lo];
+ tX = X[hi] - X[-lo];
+--
+2.22.0
+
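Review bot: The added `if( hi>=n ) break;` guards only the one loop of `bark_noise_hybridmp` shown here, and `lo = b[i] >> 16;` still reads `b[i]` with no bound on `i`. The `CVE-2017-14160.patch` that this file replaces put `i < n` in the condition of four loops in the same function, so that coverage is lost unless each of the other loops already has its own exit. The rest of the function is outside this hunk, so the other three loops should be checked. If any lacks a guard, keeping the loop bound next to the upstream check, `for (i = 0, x = 0.f; i < n; i++, x += 1.f) {`, would retain the earlier protection.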
diff --git a/user/libvorbis/CVE-2017-14160.patch b/user/libvorbis/CVE-2017-14160.patch
deleted file mode 100644
index 9ad9d18f7..000000000
--- a/user/libvorbis/CVE-2017-14160.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
-Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org>
-From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
-Date: Wed, 15 Nov 2017 13:12:00 +0100
-Subject: [PATCH] CVE-2017-14160: make sure we don't overflow
-
----
- lib/psy.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/lib/psy.c b/lib/psy.c
-index 422c6f1e..8bbf6cf3 100644
---- a/lib/psy.c
-+++ b/lib/psy.c
-@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b,
- XY[i] = tXY;
- }
-
-- for (i = 0, x = 0.f;; i++, x += 1.f) {
-+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
-
- lo = b[i] >> 16;
- if( lo>=0 ) break;
-@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b,
- noise[i] = R - offset;
- }
-
-- for ( ;; i++, x += 1.f) {
-+ for ( ; i < n; i++, x += 1.f) {
-
- lo = b[i] >> 16;
- hi = b[i] & 0xffff;
- if(hi>=n)break;
--
- tN = N[hi] - N[lo];
- tX = X[hi] - X[lo];
- tXX = XX[hi] - XX[lo];
-@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b,
-
- if (fixed <= 0) return;
-
-- for (i = 0, x = 0.f;; i++, x += 1.f) {
-+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
- hi = i + fixed / 2;
- lo = hi - fixed;
- if(lo>=0)break;
-@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b,
-
- if (R - offset < noise[i]) noise[i] = R - offset;
- }
-- for ( ;; i++, x += 1.f) {
-+ for ( ; i < n; i++, x += 1.f) {
-
- hi = i + fixed / 2;
- lo = hi - fixed;
---
-2.15.0
-
diff --git a/user/libvorbis/CVE-2018-10392.patch b/user/libvorbis/CVE-2018-10392.patch
new file mode 100644
index 000000000..a12038a94
--- /dev/null
+++ b/user/libvorbis/CVE-2018-10392.patch
@@ -0,0 +1,25 @@
+From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 17 May 2018 16:19:19 -0700
+Subject: [PATCH] Sanity check number of channels in setup.
+
+Fixes #2335.
+---
+ lib/vorbisenc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c
+index 4fc7b62..64a51b5 100644
+--- a/lib/vorbisenc.c
++++ b/lib/vorbisenc.c
+@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
+ highlevel_encode_setup *hi=&ci->hi;
+
+ if(ci==NULL)return(OV_EINVAL);
++ if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
+ if(!hi->impulse_block_p)i0=1;
+
+ /* too low/high an ATH floater is nonsensical, but doesn't break anything */
+--
+2.22.0
+
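Review bot: The bound in `if(vi->channels<1||vi->channels>255)return(OV_EINVAL);` is a bare magic number with nothing beside it to say where 255 comes from. A short comment such as `/* reject channel counts the setup code cannot represent (presumably the 8-bit header field) */` would tell a later reader why the limit is 255. Separately, `hi=&ci->hi` in the line above is formed before the `ci==NULL` test. That is existing code rather than part of this change, and the function continues past the hunk.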
diff --git a/user/links/APKBUILD b/user/links/APKBUILD
index b3ade3cb2..5761ea7be 100644
--- a/user/links/APKBUILD
+++ b/user/links/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=links
-pkgver=2.19
+pkgver=2.20.1
pkgrel=0
pkgdesc="Text Web browser, similar to Lynx"
url="http://links.twibright.com/"
@@ -28,4 +28,4 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="8716cea6feb5a02b59d7e2dd5bfd0af9b2ac2a4427c0f98a3c8a8eaabca31e7a96c16888c0de19976749485b3cdbf75cbff88a37cd3b58700c1f090acec328ea links-2.19.tar.bz2"
+sha512sums="c7258e303a2012e9016385abd1e8882ffec47dd3baf479a54448742e41b03508d874387af6ea97c7ef9c4d37f2eecbe7bc0121d923df79b0f455f4f466747ca2 links-2.20.1.tar.bz2"
diff --git a/user/mpg123/APKBUILD b/user/mpg123/APKBUILD
index 6948916b2..e21981859 100644
--- a/user/mpg123/APKBUILD
+++ b/user/mpg123/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=mpg123
-pkgver=1.25.11
+pkgver=1.25.12
pkgrel=0
pkgdesc="Real time MPEG Audio player for Layers 1, 2 and 3"
url="https://www.mpg123.org/"
@@ -32,4 +32,4 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="986338d0f4829ec9e40990cb384746c7abfa80d3b3d5656b6dda73d03e2441c1f28ffbe7f3f82b0008a1c4ebcfa07aeffb493e95f13f7d04cbc818a09f1008ed mpg123-1.25.11.tar.bz2"
+sha512sums="fa3c719c68dbe45b265fd7677d0932b07f6a14e7ffe365ede965ff1637e655c4b57c86f7e4cd60cace7df5fcc93d48e0d44f082931394b7c6ef19f5d11638eff mpg123-1.25.12.tar.bz2"
diff --git a/user/opencv/APKBUILD b/user/opencv/APKBUILD
index 76403ac60..a8a38c149 100644
--- a/user/opencv/APKBUILD
+++ b/user/opencv/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer:
pkgname=opencv
pkgver=4.1.1
-pkgrel=0
+pkgrel=1
pkgdesc="Computer vision and machine learning software library"
url="https://opencv.org"
arch="all"
@@ -15,8 +15,13 @@ makedepends="cmake doxygen ffmpeg-dev gst-plugins-base-dev gtk+2.0-dev
subpackages="$pkgname-dev $pkgname-libs"
source="opencv-$pkgver.tar.gz::https://github.com/opencv/opencv/archive/$pkgver.tar.gz
cmake-license.patch
+ CVE-2019-16249.patch
"
+# secfixes:
+# 4.1.1-r1:
+# - CVE-2019-16249
+
prepare() {
default_prepare
# purge 3rd party except carotene
@@ -61,4 +66,5 @@ package() {
}
sha512sums="80fa48d992ca06a2a4ab6740df6d8c21f4926165486b393969da2c5bbe2f3a0b799fb76dee5e3654e90c743e49bbd2b5b02ad59a4766896bbf4cd5b4e3251e0f opencv-4.1.1.tar.gz
-ffa6930086051c545a44d28b8e428de7faaeecf961cdee6eef007b2b01db7e5897c6f184b1059df9763c1bcd90f88b9ead710dc13b51a608f21d683f55f39bd6 cmake-license.patch"
+ffa6930086051c545a44d28b8e428de7faaeecf961cdee6eef007b2b01db7e5897c6f184b1059df9763c1bcd90f88b9ead710dc13b51a608f21d683f55f39bd6 cmake-license.patch
+39f2f9abb1051220d6b842e9337c3636ee229781c7efcc92e987dae47ac82072dc95568e6a766e01329ee61c0a3be4efdd82aa3b56c011b44e175444d81c134d CVE-2019-16249.patch"
diff --git a/user/opencv/CVE-2019-16249.patch b/user/opencv/CVE-2019-16249.patch
new file mode 100644
index 000000000..a7f0027ac
--- /dev/null
+++ b/user/opencv/CVE-2019-16249.patch
@@ -0,0 +1,57 @@
+From cd7fa04985b10db5e66de542725d0da57f0d10b6 Mon Sep 17 00:00:00 2001
+From: Vitaly Tuzov <terfendail@mediana.jetos.com>
+Date: Tue, 17 Sep 2019 15:53:18 +0300
+Subject: [PATCH] Fixed out of bound reading in DIS optical flow evaluation
+ implementation
+
+---
+ modules/video/src/dis_flow.cpp | 18 +++++-------------
+ 1 file changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/modules/video/src/dis_flow.cpp b/modules/video/src/dis_flow.cpp
+index 85400c71ca7..a260b8726bb 100644
+--- a/modules/video/src/dis_flow.cpp
++++ b/modules/video/src/dis_flow.cpp
+@@ -494,7 +494,6 @@ DISOpticalFlowImpl::PatchInverseSearch_ParBody::PatchInverseSearch_ParBody(DISOp
+ v_float32x4 w10v = v_setall_f32(w10); \
+ v_float32x4 w11v = v_setall_f32(w11); \
+ \
+- v_uint8x16 I0_row_16, I1_row_16, I1_row_shifted_16, I1_row_next_16, I1_row_next_shifted_16; \
+ v_uint16x8 I0_row_8, I1_row_8, I1_row_shifted_8, I1_row_next_8, I1_row_next_shifted_8, tmp; \
+ v_uint32x4 I0_row_4_left, I1_row_4_left, I1_row_shifted_4_left, I1_row_next_4_left, I1_row_next_shifted_4_left; \
+ v_uint32x4 I0_row_4_right, I1_row_4_right, I1_row_shifted_4_right, I1_row_next_4_right, \
+@@ -502,29 +501,22 @@ DISOpticalFlowImpl::PatchInverseSearch_ParBody::PatchInverseSearch_ParBody(DISOp
+ v_float32x4 I_diff_left, I_diff_right; \
+ \
+ /* Preload and expand the first row of I1: */ \
+- I1_row_16 = v_load(I1_ptr); \
+- I1_row_shifted_16 = v_extract<1>(I1_row_16, I1_row_16); \
+- v_expand(I1_row_16, I1_row_8, tmp); \
+- v_expand(I1_row_shifted_16, I1_row_shifted_8, tmp); \
++ I1_row_8 = v_load_expand(I1_ptr); \
++ I1_row_shifted_8 = v_load_expand(I1_ptr + 1); \
+ v_expand(I1_row_8, I1_row_4_left, I1_row_4_right); \
+ v_expand(I1_row_shifted_8, I1_row_shifted_4_left, I1_row_shifted_4_right); \
+ I1_ptr += I1_stride;
+
+ #define HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION \
+ /* Load the next row of I1: */ \
+- I1_row_next_16 = v_load(I1_ptr); \
+- /* Circular shift left by 1 element: */ \
+- I1_row_next_shifted_16 = v_extract<1>(I1_row_next_16, I1_row_next_16); \
+- /* Expand to 8 ushorts (we only need the first 8 values): */ \
+- v_expand(I1_row_next_16, I1_row_next_8, tmp); \
+- v_expand(I1_row_next_shifted_16, I1_row_next_shifted_8, tmp); \
++ I1_row_next_8 = v_load_expand(I1_ptr); \
++ I1_row_next_shifted_8 = v_load_expand(I1_ptr + 1); \
+ /* Separate the left and right halves: */ \
+ v_expand(I1_row_next_8, I1_row_next_4_left, I1_row_next_4_right); \
+ v_expand(I1_row_next_shifted_8, I1_row_next_shifted_4_left, I1_row_next_shifted_4_right); \
+ \
+ /* Load current row of I0: */ \
+- I0_row_16 = v_load(I0_ptr); \
+- v_expand(I0_row_16, I0_row_8, tmp); \
++ I0_row_8 = v_load_expand(I0_ptr); \
+ v_expand(I0_row_8, I0_row_4_left, I0_row_4_right); \
+ \
+ /* Compute diffs between I0 and bilinearly interpolated I1: */ \
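Review bot: `v_load_expand(I1_ptr + 1)` still reads one byte past the eight-pixel row, so every row of I1 touched by these macros needs nine readable bytes from `I1_ptr`. That is well short of the 16 bytes `v_load` pulled in before, but the hunk does not show how the I1 buffer is padded, so the border size should be confirmed against this requirement. A comment on the preload such as `/* reads I1_ptr[0..8]: needs one byte of right padding */` would record it. Separately, `tmp` stays in the `v_uint16x8` declaration although every use visible here is removed; if nothing else in the macro uses it, it can be dropped. Both macros continue outside the hunk.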
diff --git a/user/pango/APKBUILD b/user/pango/APKBUILD
index aff854dc0..c26726d5d 100644
--- a/user/pango/APKBUILD
+++ b/user/pango/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer:
pkgname=pango
pkgver=1.42.4
-pkgrel=0
+pkgrel=1
pkgdesc="Library for laying out and rendering text"
url="https://www.pango.org/"
arch="all"
@@ -12,10 +12,14 @@ makedepends="$depends_dev cairo-dev expat-dev fontconfig-dev freetype-dev
fribidi-dev glib-dev gobject-introspection-dev harfbuzz-dev libxft-dev"
install="$pkgname.pre-deinstall"
triggers="$pkgname.trigger=/usr/lib/pango/*/modules"
-source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz
+ CVE-2019-1010238.patch"
+
+# secfixes:
+# 1.42.4-r1:
+# - CVE-2019-1010238
build () {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -26,9 +30,9 @@ build () {
}
package() {
- cd "$builddir"
mkdir -p "$pkgdir"/etc/pango
make DESTDIR="$pkgdir" install
}
-sha512sums="993e97f647eba0c5ed90bcfcb8228bf67fa3f20b1f4331e4e40a30788d7c3ac55eee1209471bf21df125cb8fc6121acc8062a9da2f8a7d6cbe8e9ad13a9320dc pango-1.42.4.tar.xz"
+sha512sums="993e97f647eba0c5ed90bcfcb8228bf67fa3f20b1f4331e4e40a30788d7c3ac55eee1209471bf21df125cb8fc6121acc8062a9da2f8a7d6cbe8e9ad13a9320dc pango-1.42.4.tar.xz
+d11af8e56c59286f998d136d795d9ed22bea96b7dfaf4e02fe294ab0b147606ecb43ddfbd8caaa0eee1ee27b5a2f5c5a6f6f7a0b3193750649cf6b121cb6de50 CVE-2019-1010238.patch"
diff --git a/user/pango/CVE-2019-1010238.patch b/user/pango/CVE-2019-1010238.patch
new file mode 100644
index 000000000..cc65b3d53
--- /dev/null
+++ b/user/pango/CVE-2019-1010238.patch
@@ -0,0 +1,34 @@
+From 490f8979a260c16b1df055eab386345da18a2d54 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Wed, 10 Jul 2019 20:26:23 -0400
+Subject: [PATCH] bidi: Be safer against bad input
+
+Don't run off the end of an array that we
+allocated to certain length.
+
+Closes: https://gitlab.gnome.org/GNOME/pango/issues/342
+---
+ pango/pango-bidi-type.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/pango/pango-bidi-type.c b/pango/pango-bidi-type.c
+index 3e46b66c..5c02dbbb 100644
+--- a/pango/pango-bidi-type.c
++++ b/pango/pango-bidi-type.c
+@@ -181,8 +181,11 @@ pango_log2vis_get_embedding_levels (const gchar *text,
+ for (i = 0, p = text; p < text + length; p = g_utf8_next_char(p), i++)
+ {
+ gunichar ch = g_utf8_get_char (p);
+- FriBidiCharType char_type;
+- char_type = fribidi_get_bidi_type (ch);
++ FriBidiCharType char_type = fribidi_get_bidi_type (ch);
++
++ if (i == n_chars)
++ break;
++
+ bidi_types[i] = char_type;
+ ored_types |= char_type;
+ if (FRIBIDI_IS_STRONG (char_type))
+--
+2.22.0
+
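Review bot: The new guard `if (i == n_chars) break;` runs only after `g_utf8_get_char` and `fribidi_get_bidi_type` have been called for the character that is about to be discarded. It also uses `==` where `>=` would still stop the loop if `i` were ever past the limit. Putting the bound in the loop header, `for (i = 0, p = text; p < text + length && i < n_chars; p = g_utf8_next_char(p), i++)`, states the array limit where the iteration is defined. Input cut short this way is dropped with no diagnostic, so a brief comment saying that truncation is intended would help. `n_chars` and the allocation of `bidi_types` are defined outside the hunk.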
diff --git a/user/vlc/APKBUILD b/user/vlc/APKBUILD
index 2dc82dde6..6c9a23c97 100644
--- a/user/vlc/APKBUILD
+++ b/user/vlc/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=vlc
-pkgver=3.0.7.1
-pkgrel=2
+pkgver=3.0.8
+pkgrel=0
pkgdesc="Multi-platform MPEG, VCD/DVD, and DivX player"
triggers="vlc-libs.trigger=/usr/lib/vlc/plugins"
pkgusers="vlc"
@@ -11,7 +11,7 @@ pkggroups="vlc"
url="https://www.videolan.org/vlc/"
arch="all"
license="GPL-2.0+"
-options="!checkroot textrel"
+options="textrel"
subpackages="$pkgname-dev $pkgname-doc $pkgname-qt $pkgname-pulse
$pkgname-daemon::noarch $pkgname-libs $pkgname-lang"
depends="ttf-dejavu xdg-utils"
@@ -43,12 +43,28 @@ source="https://get.videolan.org/vlc/$pkgver/vlc-$pkgver.tar.xz
omxil-rpi-codecs.patch
tar-compat.patch
test-s390x.patch
- vlc-libs.trigger
+
+ $pkgname.initd
+ $pkgname.confd
"
# secfixes: vlc_media_player
# 3.0.4-r2:
# - CVE-2018-19857
+# 3.0.8-r0:
+# - CVE-2019-13602
+# - CVE-2019-13615
+# - CVE-2019-13962
+# - CVE-2019-14437
+# - CVE-2019-14438
+# - CVE-2019-14498
+# - CVE-2019-14533
+# - CVE-2019-14534
+# - CVE-2019-14535
+# - CVE-2019-14776
+# - CVE-2019-14777
+# - CVE-2019-14778
+# - CVE-2019-14970
prepare() {
default_prepare
@@ -57,7 +73,6 @@ prepare() {
build() {
local _arch_opts=
- cd "$builddir"
export CFLAGS="$CFLAGS -D_GNU_SOURCE"
case "$CARCH" in
@@ -127,7 +142,6 @@ build() {
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
# delete cache as it's autocreated by trigger
rm -rf "$pkgdir"/usr/lib/vlc/plugins/plugins.dat
@@ -137,7 +151,6 @@ package() {
}
check() {
- cd "$builddir"
make check
}
@@ -150,7 +163,7 @@ _mv() {
pulse() {
pkgdesc="PulseAudio support for VLC"
depends=""
- install_if="vlc pulseaudio"
+ install_if="vlc=$pkgver-r$pkgrel pulseaudio"
mkdir -p "$subpkgdir"/usr/lib/vlc
mv "$pkgdir"/usr/lib/vlc/libvlc_pulse* "$subpkgdir"/usr/lib/vlc/
}
@@ -179,8 +192,8 @@ daemon() {
mkdir -p "$subpkgdir"
cd "$pkgdir"
- install -D -m755 ../../vlc.initd $subpkgdir/etc/init.d/vlc
- install -D -m664 ../../vlc.confd $subpkgdir/etc/conf.d/vlc
+ install -D -m755 "$srcdir"/vlc.initd "$subpkgdir"/etc/init.d/vlc
+ install -D -m664 "$srcdir"/vlc.confd "$subpkgdir"/etc/conf.d/vlc
install -d -o vlc -g vlc "$subpkgdir"/var/log/vlc
}
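Review bot: `install -D -m664 "$srcdir"/vlc.confd "$subpkgdir"/etc/conf.d/vlc` keeps the service configuration file group-writable. If the init script sources this file as root, as OpenRC service scripts normally do with their conf.d file, any account in the owning group can change what runs when the service starts. The safer line is `install -D -m644 "$srcdir"/vlc.confd "$subpkgdir"/etc/conf.d/vlc`. The mode was carried over from the removed line rather than introduced by this change.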
@@ -192,7 +205,7 @@ libs() {
default_libs
}
-sha512sums="6b99ae0564630a7a7ca9187c3bb954c601e384522ce93460b73f2dbf31787ce5828daca9f31c781b97db77872d76b6a3e871ff3401d70f1b5829fee7c4e847fd vlc-3.0.7.1.tar.xz
+sha512sums="5ade0b350e98fd6fa90035bffabda96f0addb3844a7c0a242b4db1cab6a746e1adb1d713ddcb48ae51a7d1736090f096f5d3b0637a9f958ccf4fcf27e838cf70 vlc-3.0.8.tar.xz
22d80df599b8b65a5439cefbb7140af8e9530f326d54945da3769af65f37518b99ec2cc8647aafd2763324a0698280915afe043cc87e5720c4694881ed35bffa check-headless.patch
e214b407235cb3afb8bec93f20c9b42957b57e6fd3960679d3d4235e77762e03e64d03c01f00ef63d589e7c85aaad02ce6abbeeccd66b1867bc92451a5b5e9b0 disable-sub-autodetect-fuzzy-1-test.patch
e063c727d952465bbea33f669db49190427521dc8e2291e9a5cbb0f5e8e879bd3ba76855e44bd4630948e30c4329d27bd928f95de20fe1050d5e839778a4d012 endian-fix.patch
@@ -201,4 +214,5 @@ e063c727d952465bbea33f669db49190427521dc8e2291e9a5cbb0f5e8e879bd3ba76855e44bd463
e13e398b7bfd977f6e099bcb6cf8dc5cd5bad6dea3eff715881826246dc4329468846084aff2576de2b7fd28d3f06e7c327a6e4511a28d22e5cd198a81146c89 omxil-rpi-codecs.patch
a117ca4d7fd66a5f959fdeaddfdce2f8442fe9f2c13995bb7f4792a7745c00813813aa962f76e957e3b0735344a5dc000e0644ce09f23458802a2932231655c3 tar-compat.patch
c0107655249687655846a9547ca1a5670b9207443180600e7a149c69ffb96d7226787c19b018d4033db9b284c1a5faa8d7d42188ed40c3b8bb051256febf11c5 test-s390x.patch
-34d899b8b88de2058a8d64ce316389bd3437c0bbcd64a925eec4975adf2bc306a3a8d2e322bad5e3a18b5a28cbb5bf6705d8849dee655daf7e5a4bb007fe07e0 vlc-libs.trigger"
+55e245190b443dde9c7215ea5210612fcca164900a9a4b025ccf0d1e3fc5206d00b52355b256974421e37c609875627f1db19f0f5a084511aec0daf677ecc9d6 vlc.initd
+d89190dca1b8b2c3faca5863dc6c7e6eb24e05178e6f75ed752fd3c6a73cb8a42d2625b6e56453296b7096ea868be642ecd42745dac20e7f13fc67dd3c3c7c49 vlc.confd"
diff --git a/user/wpa_supplicant/APKBUILD b/user/wpa_supplicant/APKBUILD
index 5d1a35b4e..dbd22b8c7 100644
--- a/user/wpa_supplicant/APKBUILD
+++ b/user/wpa_supplicant/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=wpa_supplicant
pkgver=2.9
-pkgrel=0
+pkgrel=1
pkgdesc="Utility providing key negotiation for WPA wireless networks"
url="https://w1.fi/wpa_supplicant/"
arch="all"
@@ -17,6 +17,7 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
wpa_supplicant.conf
dbus.patch
eloop.patch
+ CVE-2019-16275.patch
config
wpa_cli.sh"
@@ -32,6 +33,8 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
# - CVE-2017-13086
# - CVE-2017-13087
# - CVE-2017-13088
+# 2.9-r1:
+# - CVE-2019-16275
prepare() {
default_prepare
@@ -104,5 +107,6 @@ sha512sums="37a33f22cab9d27084fbef29856eaea0f692ff339c5b38bd32402dccf293cb849afd
f8b224b6c5a8adf378d8224beb49f2a99817d303f7e6a724943ecb3313ae85ce0fdd8291a20c95563470681ebf5d991ffa31094b9171e470e9690b38bba25738 wpa_supplicant.conf
dac56bc505a51167042ebe548f0e81a20a5578f753af9bb7ec3335a542d799c6e8739681ef7c8f7747a9bc954f8aa6f1a147250eacba17fd7fff80c4e53638ed dbus.patch
2be055dd1f7da5a3d8e79c2f2c0220ddd31df309452da18f290144d2112d6dbde0fc633bb2ad02c386a39d7785323acaf5f70e5969995a1e8303a094eb5fe232 eloop.patch
+63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
221660fa0350442a7d8371686b2118861052a4613fb352b7f80079e3750b82f4e48efc378b9d617455007d1106552b695fdca506a3c338283986641f3848b202 config
45d3e70c47d0f7d6dc6730853af8cbcb40ed0713ee7b1069698f5a635939f273f66e72d4221e064c3c71a92154cf07841c8c0d4fc14d796dbb6fe0d92776ee2b wpa_cli.sh"
diff --git a/user/wpa_supplicant/CVE-2019-16275.patch b/user/wpa_supplicant/CVE-2019-16275.patch
new file mode 100644
index 000000000..d764a9db0
--- /dev/null
+++ b/user/wpa_supplicant/CVE-2019-16275.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
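Review bot: The three-part source-address test (`is_multicast_ether_addr`, `is_zero_ether_addr`, and the `os_memcmp` against `hapd->own_addr`) is written out twice, once in `hostapd_notif_assoc` and once in `ieee802_11_mgmt`, each with its own copy of the comment. A small shared helper taking `hapd` and the address would keep the two sites from drifting apart when the rule changes. Both drops are logged only at `MSG_DEBUG`, so at default verbosity frames with a forged source address leave no trace; that trade-off deserves a sentence in the comment. In `hostapd_notif_assoc` the new branch returns 0 while the no-address branch just above returns -1, so callers cannot tell an ignored event from a processed one. Both functions extend beyond the hunks shown.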