author | A. Wilcox <awilcox@wilcox-tech.com> | 2019-06-21 23:38:53 +0000 |
---|---|---|
committer | A. Wilcox <awilcox@wilcox-tech.com> | 2019-06-21 23:38:53 +0000 |
commit | fd45ed897742614bd2867cb46578557beb820026 (patch) | |
tree | 8eaa82bc50ad1a89272b146743ec1544163d48f3 | |
parent | 86d0de126ffdebdb8cee9581ce51c16a6f20b58b (diff) | |
parent | 332e0a40fabc1c4047a631273e5d5df46cbf4bb2 (diff) | |
Merge branch 'cve' into 'master'
CVE bumps: part one
See merge request !249
26 files changed, 1176 insertions, 103 deletions
diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD index 1b53bd0a5..ac23280aa 100644 --- a/system/curl/APKBUILD +++ b/system/curl/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # Maintainer: pkgname=curl -pkgver=7.64.1 +pkgver=7.65.1 pkgrel=0 pkgdesc="An URL retrival utility and library" url="https://curl.haxx.se" @@ -17,6 +17,9 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz" subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl" # secfixes: +# 7.65.1-r0: +# - CVE-2019-5435 +# - CVE-2019-5436 # 7.64.0-r0: # - CVE-2019-3823 # - CVE-2019-3822 @@ -101,4 +104,4 @@ libcurl() { mv "$pkgdir"/usr/lib "$subpkgdir"/usr } -sha512sums="1629ba154691bf9d936e0bce69ec8fb54991a40d34bc16ffdfb117f91e3faa93164154fc9ae9043e963955862e69515018673b7239f2fd625684a59cdd1db81c curl-7.64.1.tar.xz" +sha512sums="aba2d979a416d14a0f0852d595665e49fc4f7bff3bee31f3a52b90ba9dc5ffdb09c092777f124215470b72c47ebca7ddb47844cbf5c0e9142099272b6ac55df4 curl-7.65.1.tar.xz" diff --git a/system/cvs/APKBUILD b/system/cvs/APKBUILD index 8dfcca172..f9160f62b 100644 --- a/system/cvs/APKBUILD +++ b/system/cvs/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=cvs pkgver=1.11.23 -pkgrel=1 +pkgrel=2 pkgdesc="Concurrent Versions System" url="https://www.nongnu.org/cvs/" arch="all" @@ -14,8 +14,15 @@ install= subpackages="$pkgname-doc" source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz cvs-musl.patch + CVE-2010-3846.patch + CVE-2017-12836.patch " +# secfixes: +# 1.11.23-r2: +# - CVE-2010-3846 +# - CVE-2017-12836 + build() { cd "$builddir" ./configure \ 
@@ -36,4 +43,6 @@ package() { } sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a cvs-1.11.23.tar.gz -7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch" +7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch +eed761af81c9bcd3edd898559e9be25c6612bdef19984cc6380a08039525179fa34d9ade6c55c1b4f23e495156b34cafeab3e63cfd120c0e68a42aa7992e5e85 CVE-2010-3846.patch +2775f5bde63d7eaee8c8f7467a8b43d533abbc172cf6b2d6ca7088203133a135e4e6a2a8028191d0102300913165dbd54fcf1f43683e742cb32f04ab06aca121 CVE-2017-12836.patch" diff --git a/system/cvs/CVE-2010-3846.patch b/system/cvs/CVE-2010-3846.patch new file mode 100644 index 000000000..e1560cef8 --- /dev/null +++ b/system/cvs/CVE-2010-3846.patch 
@@ -0,0 +1,167 @@ +From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001 +From: Larry Jones <lawrence.jones@siemens.com> +Date: Thu, 21 Oct 2010 10:08:16 +0200 +Subject: [PATCH] Fix for CVE-2010-3846 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Mallformed RCS revision (delete after the end of input file, or overlayed +deleted regions) screws output file image size computation. This leads to +write attempt after the allocated memory opening hiden memory corruption +driven by CVS server. + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/rcs.c | 52 +++++++++++++++++++++++++++++----------------------- + 1 files changed, 29 insertions(+), 23 deletions(-) + +diff --git a/src/rcs.c b/src/rcs.c +index 7d0d078..2f88f85 100644 +--- a/src/rcs.c ++++ b/src/rcs.c +@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + struct deltafrag *dfhead; + struct deltafrag **dftail; + struct deltafrag *df; +- unsigned long numlines, lastmodline, offset; ++ unsigned long numlines, offset; + struct linevector lines; + int err; + +@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + + /* New temp data structure to hold new org before + copy back into original structure. */ +- lines.nlines = lines.lines_alloced = numlines; ++ lines.lines_alloced = numlines; + lines.vector = xmalloc (numlines * sizeof *lines.vector); + + /* We changed the list order to first to last -- so the + list never gets larger than the size numlines. 
*/ +- lastmodline = 0; ++ lines.nlines = 0; + + /* offset created when adding/removing lines + between new and original structure */ +@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + for (df = dfhead; df != NULL; ) + { + unsigned int ln; +- unsigned long deltaend; ++ unsigned long newpos = df->pos - offset; + +- if (df->pos > orig_lines->nlines) ++ if (newpos < lines.nlines || newpos > numlines) + err = 1; + + /* On error, just free the rest of the list. */ + if (!err) + { +- /* Here we need to get to the line where the next insert will ++ /* Here we need to get to the line where the next change will + begin, which is DF->pos in ORIG_LINES. We will fill up to + DF->pos - OFFSET in LINES with original items. */ +- for (deltaend = df->pos - offset; +- lastmodline < deltaend; +- lastmodline++) ++ while (lines.nlines < newpos) + { + /* we need to copy from the orig structure into new one */ +- lines.vector[lastmodline] = +- orig_lines->vector[lastmodline + offset]; +- lines.vector[lastmodline]->refcount++; ++ lines.vector[lines.nlines] = ++ orig_lines->vector[lines.nlines + offset]; ++ lines.vector[lines.nlines]->refcount++; ++ lines.nlines++; + } + + switch (df->type) +@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + struct line *q; + int nextline_newline; + size_t nextline_len; +- ++ ++ if (newpos + df->nlines > numlines) ++ { ++ err = 1; ++ break; ++ } + textend = df->new_lines + df->len; + nextline_newline = 0; + nextline_text = df->new_lines; +@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + q->has_newline = nextline_newline; + q->refcount = 1; + memcpy (q->text, nextline_text, nextline_len); +- lines.vector[lastmodline++] = q; +- offset--; ++ lines.vector[lines.nlines++] = q; + + nextline_text = (char *)p + 1; + nextline_newline = 0; +@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, 
addvers, delvers) + q->has_newline = nextline_newline; + q->refcount = 1; + memcpy (q->text, nextline_text, nextline_len); +- lines.vector[lastmodline++] = q; ++ lines.vector[lines.nlines++] = q; + + /* For each line we add the offset between the #'s + decreases. */ +- offset--; ++ offset -= df->nlines; + break; + } + +@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + if (df->pos + df->nlines > orig_lines->nlines) + err = 1; + else if (delvers) ++ { + for (ln = df->pos; ln < df->pos + df->nlines; ++ln) ++ { + if (orig_lines->vector[ln]->refcount > 1) + /* Annotate needs this but, since the original + * vector is disposed of before returning from +@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + * there are multiple references. + */ + orig_lines->vector[ln]->vers = delvers; ++ } ++ } + break; + } + } +@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + else + { + /* add the rest of the remaining lines to the data vector */ +- for (; lastmodline < numlines; lastmodline++) ++ while (lines.nlines < numlines) + { + /* we need to copy from the orig structure into new one */ +- lines.vector[lastmodline] = orig_lines->vector[lastmodline ++ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines + + offset]; +- lines.vector[lastmodline]->refcount++; ++ lines.vector[lines.nlines]->refcount++; ++ lines.nlines++; + } + + /* Move the lines vector to the original structure for output, + * first deleting the old. + */ + linevector_free (orig_lines); +- orig_lines->vector = lines.vector; +- orig_lines->lines_alloced = numlines; +- orig_lines->nlines = lines.nlines; ++ *orig_lines = lines; + } + + return !err; +-- +1.7.2.3 + diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch new file mode 100644 index 000000000..770115a5e --- /dev/null +++ b/system/cvs/CVE-2017-12836.patch 
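Review bot: The new bound in the add case, `if (newpos + df->nlines > numlines)`, is an unsigned addition and can wrap when `df->nlines` is very large, which would let an oversized fragment pass the check. At that point `newpos <= numlines` has already been established by the earlier test, so the subtraction form `if (df->nlines > numlines - newpos)` expresses the same limit without being able to wrap. The unchanged delete-case test `df->pos + df->nlines > orig_lines->nlines` has the same shape. Whether the delta parser already bounds `df->nlines` is not visible here, because apply_rcs_changes begins and ends outside these hunks.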
@@ -0,0 +1,58 @@ +From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Mon, 14 Aug 2017 10:32:25 +0200 +Subject: [PATCH] Fix CVE-2017-12836 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The hostname passed to RSH (ssh) client could be interpreted by +OpenSSH client as an option and lead to local command execution. + +This fix adds no-more-options "--" separator before the hostname +argument to the RSH client command. + +Original patch by Thorsten Glaser <tg@mirbsd.de> from +<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to +1.11.23. + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/client.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/client.c b/src/client.c +index 2bef1a0..e87cda9 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server) + char *cvs_rsh; + char *cvs_server = getenv ("CVS_SERVER"); + int i = 0; +- /* This needs to fit "rsh", "-b", "-l", "USER", "host", ++ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host", + "cmd (w/ args)", and NULL. We leave some room to grow. */ + char *rsh_argv[10]; + +@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server) + rsh_argv[i++] = root->username; + } + ++ /* Only non-option arguments from here. (CVE-2017-12836) */ ++ rsh_argv[i++] = "--"; ++ + rsh_argv[i++] = root->hostname; + rsh_argv[i++] = cvs_server; + rsh_argv[i++] = "server"; +@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server) + *p++ = root->username; + } + ++ *p++ = "--"; ++ + *p++ = root->hostname; + *p++ = command; + *p++ = NULL; +-- +2.9.5 + diff --git a/system/libssh2/APKBUILD b/system/libssh2/APKBUILD index 9f5b9c683..69989c72f 100644 --- a/system/libssh2/APKBUILD +++ b/system/libssh2/APKBUILD 
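Review bot: The `"--"` inserted before `root->hostname` in both argv builders only protects when the configured RSH client treats `--` as end-of-options; a client that does not may fail or take it as the host name. A guard that does not depend on the client would be to refuse a host name beginning with `-` before the argv is built, e.g. a check on `root->hostname[0] == '-'` that exits through the file's usual fatal-error path. The second builder's `*p++ = "--";` also lacks the comment the first one carries; `/* Only non-option arguments from here. (CVE-2017-12836) */` would fit there as well. start_rsh_server begins and ends outside these hunks, and the size of the array behind `p` is not visible.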
@@ -1,21 +1,16 @@ # Contributor: William Pitcock <nenolod@dereferenced.org> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libssh2 -pkgver=1.8.0 -pkgrel=2 -pkgdesc="library for accessing ssh1/ssh2 protocol servers" +pkgver=1.8.2 +pkgrel=0 +pkgdesc="Library for accessing SSH servers" url="https://libssh2.org/" arch="all" license="BSD-3-Clause" makedepends="openssl-dev zlib-dev" -subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc" +subpackages="$pkgname-dev $pkgname-doc" source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz" -prepare() { - update_config_sub - default_prepare -} - build() { ./configure \ --build=$CBUILD \ @@ -24,7 +19,8 @@ build() { --sysconfdir=/etc \ --mandir=/usr/share/man \ --infodir=/usr/share/info \ - --localstatedir=/var + --localstatedir=/var \ + --disable-rpath make } @@ -36,4 +32,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="289aa45c4f99653bebf5f99565fe9c519abc204feb2084b47b7cc3badc8bf4ecdedd49ea6acdce8eb902b3c00995d5f92a3ca77b2508b92f04ae0e7de7287558 libssh2-1.8.0.tar.gz" +sha512sums="390ab4ad93bb738415ec11a6eb92806c9b9e9e5d8ee7c442d841a58b4292c1c447a9bc99e153ba464e2e11f9c0d1913469303598c3046722d1ae821991e8cb93 libssh2-1.8.2.tar.gz" diff --git a/system/libxslt/APKBUILD b/system/libxslt/APKBUILD index 0ba2dd390..49a07d7cf 100644 --- a/system/libxslt/APKBUILD +++ b/system/libxslt/APKBUILD @@ -2,18 +2,21 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libxslt pkgver=1.1.33 -pkgrel=0 +pkgrel=1 pkgdesc="XML stylesheet transformation library" url="http://xmlsoft.org/XSLT/" arch="all" license="SGI-B-2.0" makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev" subpackages="$pkgname-doc $pkgname-dev" -source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz" +source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz + CVE-2019-11068.patch" # secfixes: # 1.1.29-r1: # - CVE-2017-5029 +# 1.1.33-r1: +# - CVE-2019-11068 build() { ./configure \ 
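Review bot: The libssh2 bump from 1.8.0 to 1.8.2 adds no `# secfixes:` block, unlike the curl, cvs and libxslt sections of the same merge, so the package metadata will not record which advisories this version closes. If the bump is here for security fixes, add a block in the same form as the others, e.g. `# secfixes:` / `#   1.8.2-r0:` / `#     - <CVE-ID placeholder>`, with the identifiers taken from the upstream release notes. The same hunk drops `$pkgname-dbg` and the `prepare()` override without a word in the commit record; a short line in the description would help anyone auditing the change later.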
@@ -31,4 +34,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0 libxslt-1.1.33.tar.gz" +sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0 libxslt-1.1.33.tar.gz +48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41 CVE-2019-11068.patch" diff --git a/system/libxslt/CVE-2019-11068.patch b/system/libxslt/CVE-2019-11068.patch new file mode 100644 index 000000000..db0de8a55 --- /dev/null +++ b/system/libxslt/CVE-2019-11068.patch 
@@ -0,0 +1,120 @@ +From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sun, 24 Mar 2019 09:51:39 +0100 +Subject: [PATCH] Fix security framework bypass + +xsltCheckRead and xsltCheckWrite return -1 in case of error but callers +don't check for this condition and allow access. With a specially +crafted URL, xsltCheckRead could be tricked into returning an error +because of a supposedly invalid URL that would still be loaded +succesfully later on. + +Fixes #12. + +Thanks to Felix Wilhelm for the report. +--- + libxslt/documents.c | 18 ++++++++++-------- + libxslt/imports.c | 9 +++++---- + libxslt/transform.c | 9 +++++---- + libxslt/xslt.c | 9 +++++---- + 4 files changed, 25 insertions(+), 20 deletions(-) + +diff --git a/libxslt/documents.c b/libxslt/documents.c +index 3f3a7312..4aad11bb 100644 +--- a/libxslt/documents.c ++++ b/libxslt/documents.c +@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { + int res; + + res = xsltCheckRead(ctxt->sec, ctxt, URI); +- if (res == 0) { +- xsltTransformError(ctxt, NULL, NULL, +- "xsltLoadDocument: read rights for %s denied\n", +- URI); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(ctxt, NULL, NULL, ++ "xsltLoadDocument: read rights for %s denied\n", ++ URI); + return(NULL); + } + } +@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { + int res; + + res = xsltCheckRead(sec, NULL, URI); +- if (res == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsltLoadStyleDocument: read rights for %s denied\n", +- URI); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsltLoadStyleDocument: read rights for %s denied\n", ++ URI); + return(NULL); + } + } +diff --git a/libxslt/imports.c b/libxslt/imports.c +index 874870cc..3783b247 100644 +--- a/libxslt/imports.c ++++ b/libxslt/imports.c +@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr 
style, xmlNodePtr cur) { + int secres; + + secres = xsltCheckRead(sec, NULL, URI); +- if (secres == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsl:import: read rights for %s denied\n", +- URI); ++ if (secres <= 0) { ++ if (secres == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsl:import: read rights for %s denied\n", ++ URI); + goto error; + } + } +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 13793914..0636dbd0 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, + */ + if (ctxt->sec != NULL) { + ret = xsltCheckWrite(ctxt->sec, ctxt, filename); +- if (ret == 0) { +- xsltTransformError(ctxt, NULL, inst, +- "xsltDocumentElem: write rights for %s denied\n", +- filename); ++ if (ret <= 0) { ++ if (ret == 0) ++ xsltTransformError(ctxt, NULL, inst, ++ "xsltDocumentElem: write rights for %s denied\n", ++ filename); + xmlFree(URL); + xmlFree(filename); + return; +diff --git a/libxslt/xslt.c b/libxslt/xslt.c +index 780a5ad7..a234eb79 100644 +--- a/libxslt/xslt.c ++++ b/libxslt/xslt.c +@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { + int res; + + res = xsltCheckRead(sec, NULL, filename); +- if (res == 0) { +- xsltTransformError(NULL, NULL, NULL, +- "xsltParseStylesheetFile: read rights for %s denied\n", +- filename); ++ if (res <= 0) { ++ if (res == 0) ++ xsltTransformError(NULL, NULL, NULL, ++ "xsltParseStylesheetFile: read rights for %s denied\n", ++ filename); + return(NULL); + } + } +-- +2.21.0 + diff --git a/system/lua5.3/APKBUILD b/system/lua5.3/APKBUILD index 1589f14d1..9a90fc7c9 100644 --- a/system/lua5.3/APKBUILD +++ b/system/lua5.3/APKBUILD @@ -3,7 +3,7 @@ pkgname=lua5.3 _pkgname=lua pkgver=5.3.5 _luaver=${pkgname#lua} -pkgrel=0 +pkgrel=1 pkgdesc="Light-weight programming language" url="https://www.lua.org/" arch="all" 
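Review bot: On the new `res < 0` path every patched caller (xsltLoadDocument, xsltLoadStyleDocument, xsltParseStylesheetImport, xsltDocumentElem, xsltParseStylesheetFile) now fails without emitting any message, and nothing at the call sites says that the silence is deliberate. A short comment at each site, such as `/* res < 0: the check itself failed; deny access, the checker is expected to have reported the error */`, would keep a later cleanup from collapsing the test back to `== 0`. Whether xsltCheckRead and xsltCheckWrite really report their own failures is not visible in these hunks, so that wording should be confirmed against security.c. Other callers of the two check functions, if any exist outside the four patched files, would need the same `<= 0` treatment.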
@@ -17,9 +17,14 @@ source="https://www.lua.org/ftp/$_pkgname-$pkgver.tar.gz lua-5.3-make.patch lua-5.3-module_paths.patch linenoise.patch + CVE-2019-6706.patch " builddir="$srcdir/$_pkgname-$pkgver" +# secfixes: lua +# 5.3.5-r1: +# - CVE-2019-6706.patch + prepare() { default_prepare cd "$builddir" @@ -134,4 +139,5 @@ libs() { sha512sums="4f9516acc4659dfd0a9e911bfa00c0788f0ad9348e5724fe8fb17aac59e9c0060a64378f82be86f8534e49c6c013e7488ad17321bafcc787831d3d67406bd0f4 lua-5.3.5.tar.gz 1bc6c623024c1738155b30ff9c0edcce0f336edc25aa20c3a1400c859421ea2015d75175cce8d515e055ac3e96028426b74812e04022af18a0ed4c4601556027 lua-5.3-make.patch bc68772390dc8d8940176af0b9fbacc0af61891b5d27de5f1466a4e7f9b3291a1c08ba5add829bc96b789a53fa5ec2dadaa096ca6eabe54ec27724fa2810940f lua-5.3-module_paths.patch -49880d1131b7bd2a3169a26f401769a91d9a6a62cefe68aa5a89097139289588b7ef753535a2d0ba7f45c0369c760554940fd810716b7b1353deace32432fcfe linenoise.patch" +49880d1131b7bd2a3169a26f401769a91d9a6a62cefe68aa5a89097139289588b7ef753535a2d0ba7f45c0369c760554940fd810716b7b1353deace32432fcfe linenoise.patch +77755c083630d48404178012d5947230675311a15f0f5e30efa72004edf3124615fa9080b739240213c013efb015689e09ee653a41d560964a3df78a8fe0fd8d CVE-2019-6706.patch" diff --git a/system/lua5.3/CVE-2019-6706.patch b/system/lua5.3/CVE-2019-6706.patch new file mode 100644 index 000000000..c35f81a4a --- /dev/null +++ b/system/lua5.3/CVE-2019-6706.patch 
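Review bot: The new secfixes entry reads `#   - CVE-2019-6706.patch`, which is the patch file name rather than the CVE identifier, so anything that matches identifiers in the secfixes block will miss it; it should read `#   - CVE-2019-6706`. The header is also written `# secfixes: lua`, while the curl, cvs and libxslt sections use a bare `# secfixes:`; the python3 section of this merge has the same `# secfixes: python` form. If the tooling that consumes these comments expects the bare header, both should be normalised to it.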
@@ -0,0 +1,27 @@ +Lifted from Ubuntu: + +https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/lua5.3/5.3.3-1.1ubuntu1/lua5.3_5.3.3-1.1ubuntu1.debian.tar.xz +0c7d89b1413cc55f3aff5bbd40e5726b7d69b856befbbf32f00f58588dc4ce81 + +--- a/src/lapi.c ++++ b/src/lapi.c +@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State * + + LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1, + int fidx2, int n2) { +- LClosure *f1; +- UpVal **up1 = getupvalref(L, fidx1, n1, &f1); ++ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */ + UpVal **up2 = getupvalref(L, fidx2, n2, NULL); ++ if (*up1 == *up2) return; /* Already joined */ ++ (*up2)->refcount++; ++ if (upisopen(*up2)) (*up2)->u.open.touched = 1; ++ luaC_upvalbarrier(L, *up2); + luaC_upvdeccount(L, *up1); + *up1 = *up2; +- (*up1)->refcount++; +- if (upisopen(*up1)) (*up1)->u.open.touched = 1; +- luaC_upvalbarrier(L, *up1); + } + + diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD index abfc78b55..0bb9db2a2 100644 --- a/system/python3/APKBUILD +++ b/system/python3/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Kiyoshi Aman <kiyoshi.aman@gmail.com> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=python3 -pkgver=3.6.5 +pkgver=3.6.8 _basever="${pkgver%.*}" pkgrel=0 pkgdesc="A high-level scripting language" @@ -40,9 +40,20 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz musl-find_library.patch fix-xattrs-glibc.patch + CVE-2019-9636.patch + CVE-2019-9740-and-9947.patch + test-fix-selfsign-cert.patch " builddir="$srcdir/Python-$pkgver" +# secfixes: python +# 3.6.8-r0: +# - CVE-2018-14647 +# - CVE-2018-20406 +# - CVE-2019-9636 +# - CVE-2019-9740 +# - CVE-2019-9947 + prepare() { default_prepare 
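Review bot: The rewritten lua_upvaluejoin body carries no comment on why the early return and the reordered reference counting exist, although that ordering is the whole fix. The removed lines decremented `*up1` before taking the reference on `*up2`, and the new lines do the opposite after returning early when both slots already name the same upvalue; a comment such as `/* take the reference on *up2 before releasing *up1, and skip the join when both are already the same upvalue, so the shared object is never released while still in use */` would record that. The patch header also gives a bare 64-digit hash without saying which file it covers or which algorithm produced it; labelling it would make the provenance checkable.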
@@ -161,6 +172,9 @@ wininst() { "$subpkgdir"/usr/lib/python$_basever/distutils/command } -sha512sums="6b26fcd296b9bd8e67861eff10d14db7507711ddba947288d16d6def53135c39326b7f969c04bb2b2993f924d9e7ad3f5c5282a3915760bc0885cf0a8ea5eb51 Python-3.6.5.tar.xz +sha512sums="b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a Python-3.6.8.tar.xz ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch -37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch" +37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch +bf2ec0bdba63b714f99aa9783a31ab935b234cabe4dc482769462a55bd572c74e03f192fbc5e8a7e2b9a887a5eef7dc0c3819fb464b656f73b500d1b65b591ad CVE-2019-9636.patch +daae79c8d914f0afe3c09ef15fa2838958e3d9a45e37bb7ebf84ce431b3635f48744011c640e0f6696922db76da199a55befb3754e335660b6d25f3dad2a8c4e CVE-2019-9740-and-9947.patch +34bb7353e93f74a0f70d9b44f9bb9a6561c47a6d2169e08390818113bcb8b25c6660dfab2c2ef2aba6c08805e71719227baf01285da7f8276c61fba422a1bad2 test-fix-selfsign-cert.patch" diff --git a/system/python3/CVE-2019-9636.patch b/system/python3/CVE-2019-9636.patch new file mode 100644 index 000000000..45a2c8e97 --- /dev/null +++ b/system/python3/CVE-2019-9636.patch 
@@ -0,0 +1,150 @@ +From 23fc0416454c4ad5b9b23d520fbe6d89be3efc24 Mon Sep 17 00:00:00 2001 +From: Steve Dower <steve.dower@microsoft.com> +Date: Mon, 11 Mar 2019 21:34:03 -0700 +Subject: [PATCH] [3.6] bpo-36216: Add check for characters in netloc that + normalize to separators (GH-12201) (GH-12215) + +--- + Doc/library/urllib.parse.rst | 18 +++++++++++++++ + Lib/test/test_urlparse.py | 23 +++++++++++++++++++ + Lib/urllib/parse.py | 17 ++++++++++++++ + .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++ + 4 files changed, 61 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst + +diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst +index d991254d5ca1..647af613a315 100644 +--- a/Doc/library/urllib.parse.rst ++++ b/Doc/library/urllib.parse.rst +@@ -121,6 +121,11 @@ or on combining URL components into a URL string. + Unmatched square brackets in the :attr:`netloc` attribute will raise a + :exc:`ValueError`. + ++ Characters in the :attr:`netloc` attribute that decompose under NFKC ++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is ++ decomposed before parsing, no error will be raised. ++ + .. versionchanged:: 3.2 + Added IPv6 URL parsing capabilities. + +@@ -133,6 +138,10 @@ or on combining URL components into a URL string. + Out-of-range port numbers now raise :exc:`ValueError`, instead of + returning :const:`None`. + ++ .. versionchanged:: 3.6.9 ++ Characters that affect netloc parsing under NFKC normalization will ++ now raise :exc:`ValueError`. ++ + + .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None) + +@@ -256,10 +265,19 @@ or on combining URL components into a URL string. + Unmatched square brackets in the :attr:`netloc` attribute will raise a + :exc:`ValueError`. 
+ ++ Characters in the :attr:`netloc` attribute that decompose under NFKC ++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is ++ decomposed before parsing, no error will be raised. ++ + .. versionchanged:: 3.6 + Out-of-range port numbers now raise :exc:`ValueError`, instead of + returning :const:`None`. + ++ .. versionchanged:: 3.6.9 ++ Characters that affect netloc parsing under NFKC normalization will ++ now raise :exc:`ValueError`. ++ + + .. function:: urlunsplit(parts) + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index be50b47603aa..e6638aee2244 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -1,3 +1,5 @@ ++import sys ++import unicodedata + import unittest + import urllib.parse + +@@ -984,6 +986,27 @@ def test_all(self): + expected.append(name) + self.assertCountEqual(urllib.parse.__all__, expected) + ++ def test_urlsplit_normalization(self): ++ # Certain characters should never occur in the netloc, ++ # including under normalization. 
++ # Ensure that ALL of them are detected and cause an error ++ illegal_chars = '/:#?@' ++ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars} ++ denorm_chars = [ ++ c for c in map(chr, range(128, sys.maxunicode)) ++ if (hex_chars & set(unicodedata.decomposition(c).split())) ++ and c not in illegal_chars ++ ] ++ # Sanity check that we found at least one such character ++ self.assertIn('\u2100', denorm_chars) ++ self.assertIn('\uFF03', denorm_chars) ++ ++ for scheme in ["http", "https", "ftp"]: ++ for c in denorm_chars: ++ url = "{}://netloc{}false.netloc/path".format(scheme, c) ++ with self.subTest(url=url, char='{:04X}'.format(ord(c))): ++ with self.assertRaises(ValueError): ++ urllib.parse.urlsplit(url) + + class Utility_Tests(unittest.TestCase): + """Testcase to test the various utility functions in the urllib.""" +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 85e68c8b42c7..7b06f4d71d67 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0): + delim = min(delim, wdelim) # use earliest delim position + return url[start:delim], url[delim:] # return (domain, rest) + ++def _checknetloc(netloc): ++ if not netloc or not any(ord(c) > 127 for c in netloc): ++ return ++ # looking for characters like \u2100 that expand to 'a/c' ++ # IDNA uses NFKC equivalence, so normalize for this check ++ import unicodedata ++ netloc2 = unicodedata.normalize('NFKC', netloc) ++ if netloc == netloc2: ++ return ++ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay ++ for c in '/?#@:': ++ if c in netloc2: ++ raise ValueError("netloc '" + netloc2 + "' contains invalid " + ++ "characters under NFKC normalization") ++ + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: + <scheme>://<netloc>/<path>?<query>#<fragment> +@@ -420,6 +435,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + url, fragment = url.split('#', 1) + if '?' 
in url: + url, query = url.split('?', 1) ++ _checknetloc(netloc) + v = SplitResult(scheme, netloc, url, query, fragment) + _parse_cache[key] = v + return _coerce_result(v) +@@ -443,6 +459,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + url, fragment = url.split('#', 1) + if '?' in url: + url, query = url.split('?', 1) ++ _checknetloc(netloc) + v = SplitResult(scheme, netloc, url, query, fragment) + _parse_cache[key] = v + return _coerce_result(v) +diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst +new file mode 100644 +index 000000000000..5546394157f9 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst +@@ -0,0 +1,3 @@ ++Changes urlsplit() to raise ValueError when the URL contains characters that ++decompose under IDNA encoding (NFKC-normalization) into characters that ++affect how the URL is parsed. diff --git a/system/python3/CVE-2019-9740-and-9947.patch b/system/python3/CVE-2019-9740-and-9947.patch new file mode 100644 index 000000000..d387dd599 --- /dev/null +++ b/system/python3/CVE-2019-9740-and-9947.patch 
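Review bot: In the added `_checknetloc`, the result of `netloc.rpartition('@')` is assigned to `netloc` but never read again, because the loop that follows tests `netloc2`, the normalized form of the whole netloc. The comment "anything to the left of '@' is okay" therefore does not hold: a netloc that legitimately contains userinfo or a port, and any character that changes under NFKC, still has `@` or `:` in `netloc2` and is rejected with ValueError. Removing the separators that urlsplit itself accepts before normalizing, and comparing against that stripped string, checks every part of the netloc and raises only for separators that normalization introduces. The added test covers only `netloc{c}false.netloc` hosts, so a case with `user:pass@` and a port would be worth adding alongside.

```python
def _checknetloc(netloc):
    # … unchanged: early return for empty or pure-ASCII netloc, import unicodedata …
    # strip the separators a netloc may legitimately contain before normalizing
    n = netloc.replace('@', '').replace(':', '').replace('#', '').replace('?', '')
    netloc2 = unicodedata.normalize('NFKC', n)
    if n == netloc2:
        return
    # … unchanged: loop over '/?#@:' raising ValueError …
```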
@@ -0,0 +1,147 @@ +From c50d437e942d4c4c45c8cd76329b05340c02eb31 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz> +Date: Wed, 8 May 2019 18:33:24 +0200 +Subject: [PATCH] bpo-30458: Disallow control chars in http URLs. (GH-12755) + (GH-13155) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected. + +Disable https related urllib tests on a build without ssl (GH-13032) +These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures. + +Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044) + +Co-Authored-By: Miro Hrončok <miro@hroncok.cz> +--- + Lib/http/client.py | 15 ++++++ + Lib/test/test_urllib.py | 53 +++++++++++++++++++ + Lib/test/test_xmlrpc.py | 7 ++- + .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 + + 4 files changed, 75 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst + +diff --git a/Lib/http/client.py b/Lib/http/client.py +index baabfeb2ea8c..1a6bd8ac42eb 100644 +--- a/Lib/http/client.py ++++ b/Lib/http/client.py +@@ -141,6 +141,16 @@ + _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch + _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search + ++# These characters are not allowed within HTTP URL paths. ++# See https://tools.ietf.org/html/rfc3986#section-3.3 and the ++# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition. ++# Prevents CVE-2019-9740. Includes control characters such as \r\n. ++# We don't restrict chars above \x7f as putrequest() limits us to ASCII. 
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]') ++# Arguably only these _should_ allowed: ++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") ++# We are more lenient for assumed real world compatibility purposes. ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -1111,6 +1121,11 @@ def putrequest(self, method, url, skip_host=False, + self._method = method + if not url: + url = '/' ++ # Prevent CVE-2019-9740. ++ match = _contains_disallowed_url_pchar_re.search(url) ++ if match: ++ raise InvalidURL(f"URL can't contain control characters. {url!r} " ++ f"(found at least {match.group()!r})") + request = '%s %s %s' % (method, url, self._http_vsn_str) + + # Non-ASCII characters should have been eliminated earlier +diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py +index fa3757cc94be..649a5b81575b 100644 +--- a/Lib/test/test_urllib.py ++++ b/Lib/test/test_urllib.py +@@ -329,6 +329,59 @@ def test_willclose(self): + finally: + self.unfakehttp() + ++ @unittest.skipUnless(ssl, "ssl module required") ++ def test_url_with_control_char_rejected(self): ++ for char_no in list(range(0, 0x21)) + [0x7f]: ++ char = chr(char_no) ++ schemeless_url = f"//localhost:7777/test{char}/" ++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") ++ try: ++ # We explicitly test urllib.request.urlopen() instead of the top ++ # level 'def urlopen()' function defined in this... (quite ugly) ++ # test suite. They use different url opening codepaths. Plain ++ # urlopen uses FancyURLOpener which goes via a codepath that ++ # calls urllib.parse.quote() on the URL which makes all of the ++ # above attempts at injection within the url _path_ safe. 
++ escaped_char_repr = repr(char).replace('\\', r'\\') ++ InvalidURL = http.client.InvalidURL ++ with self.assertRaisesRegex( ++ InvalidURL, f"contain control.*{escaped_char_repr}"): ++ urllib.request.urlopen(f"http:{schemeless_url}") ++ with self.assertRaisesRegex( ++ InvalidURL, f"contain control.*{escaped_char_repr}"): ++ urllib.request.urlopen(f"https:{schemeless_url}") ++ # This code path quotes the URL so there is no injection. ++ resp = urlopen(f"http:{schemeless_url}") ++ self.assertNotIn(char, resp.geturl()) ++ finally: ++ self.unfakehttp() ++ ++ @unittest.skipUnless(ssl, "ssl module required") ++ def test_url_with_newline_header_injection_rejected(self): ++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") ++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123" ++ schemeless_url = "//" + host + ":8080/test/?test=a" ++ try: ++ # We explicitly test urllib.request.urlopen() instead of the top ++ # level 'def urlopen()' function defined in this... (quite ugly) ++ # test suite. They use different url opening codepaths. Plain ++ # urlopen uses FancyURLOpener which goes via a codepath that ++ # calls urllib.parse.quote() on the URL which makes all of the ++ # above attempts at injection within the url _path_ safe. ++ InvalidURL = http.client.InvalidURL ++ with self.assertRaisesRegex( ++ InvalidURL, r"contain control.*\\r.*(found at least . .)"): ++ urllib.request.urlopen(f"http:{schemeless_url}") ++ with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"): ++ urllib.request.urlopen(f"https:{schemeless_url}") ++ # This code path quotes the URL so there is no injection. 
++ resp = urlopen(f"http:{schemeless_url}") ++ self.assertNotIn(' ', resp.geturl()) ++ self.assertNotIn('\r', resp.geturl()) ++ self.assertNotIn('\n', resp.geturl()) ++ finally: ++ self.unfakehttp() ++ + def test_read_0_9(self): + # "0.9" response accepted (but not "simple responses" without + # a status line) +diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py +index 07f7ba0f00b5..fc601d455224 100644 +--- a/Lib/test/test_xmlrpc.py ++++ b/Lib/test/test_xmlrpc.py +@@ -950,7 +950,12 @@ def test_unicode_host(self): + def test_partial_post(self): + # Check that a partial POST doesn't make the server loop: issue #14001. + conn = http.client.HTTPConnection(ADDR, PORT) +- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye') ++ conn.send('POST /RPC2 HTTP/1.0\r\n' ++ 'Content-Length: 100\r\n\r\n' ++ 'bye HTTP/1.1\r\n' ++ f'Host: {ADDR}:{PORT}\r\n' ++ 'Accept-Encoding: identity\r\n' ++ 'Content-Length: 0\r\n\r\n'.encode('ascii')) + conn.close() + + def test_context_manager(self): +diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst +new file mode 100644 +index 000000000000..ed8027fb4d64 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst +@@ -0,0 +1 @@ ++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised. diff --git a/system/python3/test-fix-selfsign-cert.patch b/system/python3/test-fix-selfsign-cert.patch new file mode 100644 index 000000000..eb6c9f355 --- /dev/null +++ b/system/python3/test-fix-selfsign-cert.patch 
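Review bot: The guard added to `putrequest` checks only `url`, while `method` goes into the same request line (`request = '%s %s %s' % (method, url, self._http_vsn_str)`) with no check. A caller that forwards an externally influenced method string can therefore still put CR/LF into the request line after this patch. A matching guard before the request line is built would close that, for example `if _contains_disallowed_url_pchar_re.search(method): raise ValueError("method can't contain control characters")`. Separately, the patch file name claims CVE-2019-9947, but the patch text and NEWS entry name only CVE-2019-9740, and the APKBUILD secfixes entry should state that the one `url` check covers both. `putrequest` begins and ends outside the inner hunk, so any earlier validation of `method` is not visible here.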
@@ -0,0 +1,84 @@ +From 2b9d7abdbd4b41e2c624858f5bc80da59d8a681d Mon Sep 17 00:00:00 2001 +From: "Gregory P. Smith" <greg@krypto.org> +Date: Wed, 8 May 2019 14:20:59 -0500 +Subject: [PATCH] [3.6] bpo-36816: Update the self-signed.pythontest.net cert + (GH-13192) (GH-13198) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We updated the server, our testsuite must match. + +https://bugs.python.org/issue36816 + +✈️ CLE -> DEN ✈️ GH-pycon2019 +(cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1) + +Co-authored-by: Gregory P. Smith <greg@krypto.org> +--- + Lib/test/selfsigned_pythontestdotnet.pem | 46 +++++++++++++------ + .../2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst | 1 + + 2 files changed, 33 insertions(+), 14 deletions(-) + create mode 100644 Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst + +diff --git a/Lib/test/selfsigned_pythontestdotnet.pem b/Lib/test/selfsigned_pythontestdotnet.pem +index b6d259bcb236..2b1760747bce 100644 +--- a/Lib/test/selfsigned_pythontestdotnet.pem ++++ b/Lib/test/selfsigned_pythontestdotnet.pem +@@ -1,16 +1,34 @@ + -----BEGIN CERTIFICATE----- +-MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +-BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u +-IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv +-bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG +-A1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4MSMwIQYDVQQKDBpQeXRo +-b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0 +-aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ +-Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm +-Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv +-EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl +-bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN +-AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h 
+-TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515 +-C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM= ++MIIF9zCCA9+gAwIBAgIUH98b4Fw/DyugC9cV7VK7ZODzHsIwDQYJKoZIhvcNAQEL ++BQAwgYoxCzAJBgNVBAYTAlhZMRcwFQYDVQQIDA5DYXN0bGUgQW50aHJheDEYMBYG ++A1UEBwwPQXJndW1lbnQgQ2xpbmljMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUg ++Rm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0aG9udGVzdC5uZXQw ++HhcNMTkwNTA4MDEwMjQzWhcNMjcwNzI0MDEwMjQzWjCBijELMAkGA1UEBhMCWFkx ++FzAVBgNVBAgMDkNhc3RsZSBBbnRocmF4MRgwFgYDVQQHDA9Bcmd1bWVudCBDbGlu ++aWMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMSMwIQYDVQQD ++DBpzZWxmLXNpZ25lZC5weXRob250ZXN0Lm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD ++ggIPADCCAgoCggIBAMKdJlyCThkahwoBb7pl5q64Pe9Fn5jrIvzsveHTc97TpjV2 ++RLfICnXKrltPk/ohkVl6K5SUZQZwMVzFubkyxE0nZPHYHlpiKWQxbsYVkYv01rix ++IFdLvaxxbGYke2jwQao31s4o61AdlsfK1SdpHQUynBBMssqI3SB4XPmcA7e+wEEx ++jxjVish4ixA1vuIZOx8yibu+CFCf/geEjoBMF3QPdzULzlrCSw8k/45iZCSoNbvK ++DoL4TVV07PHOxpheDh8ZQmepGvU6pVqhb9m4lgmV0OGWHgozd5Ur9CbTVDmxIEz3 ++TSoRtNJK7qtyZdGNqwjksQxgZTjM/d/Lm/BJG99AiOmYOjsl9gbQMZgvQmMAtUsI ++aMJnQuZ6R+KEpW/TR5qSKLWZSG45z/op+tzI2m+cE6HwTRVAWbcuJxcAA55MZjqU ++OOOu3BBYMjS5nf2sQ9uoXsVBFH7i0mQqoW1SLzr9opI8KsWwFxQmO2vBxWYaN+lH ++OmwBZBwyODIsmI1YGXmTp09NxRYz3Qe5GCgFzYowpMrcxUC24iduIdMwwhRM7rKg ++7GtIWMSrFfuI1XCLRmSlhDbhNN6fVg2f8Bo9PdH9ihiIyxSrc+FOUasUYCCJvlSZ ++8hFUlLvcmrZlWuazohm0lsXuMK1JflmQr/DA/uXxP9xzFfRy+RU3jDyxJbRHAgMB ++AAGjUzBRMB0GA1UdDgQWBBSQJyxiPMRK01i+0BsV9zUwDiBaHzAfBgNVHSMEGDAW ++gBSQJyxiPMRK01i+0BsV9zUwDiBaHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 ++DQEBCwUAA4ICAQCR+7a7N/m+WLkxPPIA/CB4MOr2Uf8ixTv435Nyv6rXOun0+lTP ++ExSZ0uYQ+L0WylItI3cQHULldDueD+s8TGzxf5woaLKf6tqyr0NYhKs+UeNEzDnN ++9PHQIhX0SZw3XyXGUgPNBfRCg2ZDdtMMdOU4XlQN/IN/9hbYTrueyY7eXq9hmtI9 ++1srftAMqr9SR1JP7aHI6DVgrEsZVMTDnfT8WmLSGLlY1HmGfdEn1Ip5sbo9uSkiH ++AEPgPfjYIvR5LqTOMn4KsrlZyBbFIDh9Sl99M1kZzgH6zUGVLCDg1y6Cms69fx/e ++W1HoIeVkY4b4TY7Bk7JsqyNhIuqu7ARaxkdaZWhYaA2YyknwANdFfNpfH+elCLIk 
++BUt5S3f4i7DaUePTvKukCZiCq4Oyln7RcOn5If73wCeLB/ZM9Ei1HforyLWP1CN8 ++XLfpHaoeoPSWIveI0XHUl65LsPN2UbMbul/F23hwl+h8+BLmyAS680Yhn4zEN6Ku ++B7Po90HoFa1Du3bmx4jsN73UkT/dwMTi6K072FbipnC1904oGlWmLwvAHvrtxxmL ++Pl3pvEaZIu8wa/PNF6Y7J7VIewikIJq6Ta6FrWeFfzMWOj2qA1ZZi6fUaDSNYvuV ++J5quYKCc/O+I/yDDf8wyBbZ/gvUXzUHTMYGG+bFrn1p7XDbYYeEJ6R/xEg== + -----END CERTIFICATE----- +diff --git a/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst +new file mode 100644 +index 000000000000..420dfe832366 +--- /dev/null ++++ b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst +@@ -0,0 +1 @@ ++Update Lib/test/selfsigned_pythontestdotnet.pem to match self-signed.pythontest.net's new TLS certificate. +\ No newline at end of file diff --git a/system/sharutils/APKBUILD b/system/sharutils/APKBUILD index 6a0d92e82..67b264b53 100644 --- a/system/sharutils/APKBUILD +++ b/system/sharutils/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=sharutils pkgver=4.15.2 -pkgrel=1 +pkgrel=2 pkgdesc="Utilities for manipulating shell archives" url="https://www.gnu.org/software/sharutils/" arch="all" @@ -10,10 +10,14 @@ license="GPL-3.0+" depends="bzip2" makedepends_build="texinfo" subpackages="$pkgname-lang $pkgname-doc" -source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz" +source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz + CVE-2018-1000097.patch" + +# secfixes: +# 4.15.2-r2: +# - CVE-2018-1000097 build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ 
@@ -26,15 +30,14 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install rm "$pkgdir"/usr/lib/charset.alias rmdir "$pkgdir"/usr/lib || true } -sha512sums="80d0b804a0617e11e5c23dc0d59b218bbf93e40aaf5e9a5401a18ef9cb700390aab711e2b2e2f26c8fd5b8ef99a91d3405e01d02cadabcba7639979314e59f8d sharutils-4.15.2.tar.xz" +sha512sums="80d0b804a0617e11e5c23dc0d59b218bbf93e40aaf5e9a5401a18ef9cb700390aab711e2b2e2f26c8fd5b8ef99a91d3405e01d02cadabcba7639979314e59f8d sharutils-4.15.2.tar.xz +6415da74c4f6f203bc4ad617bd05fa6ac86e1079538236148763e0b5e81ca8ea4004ea58e9e4755ba371246a7c469ef1e421576260494043d3ce3fc80e73cf69 CVE-2018-1000097.patch" diff --git a/system/sharutils/CVE-2018-1000097.patch b/system/sharutils/CVE-2018-1000097.patch new file mode 100644 index 000000000..f61662040 --- /dev/null +++ b/system/sharutils/CVE-2018-1000097.patch @@ -0,0 +1,16 @@ +From: Petr Pisar +Subject: Fix CVE-2018-1000097, heap buffer overflow in unshar +Bug-Debian: https://bugs.debian.org/893525 +X-Debian-version: 1:4.15.2-3 + +--- a/src/unshar.c ++++ b/src/unshar.c +@@ -240,7 +240,7 @@ + off_t position = ftello (file); + + /* Read next line, fail if no more and no previous process. */ +- if (!fgets (rw_buffer, BUFSIZ, file)) ++ if (!fgets (rw_buffer, rw_base_size, file)) + { + if (!start) + error (0, 0, _("Found no shell commands in %s"), name); diff --git a/user/cairo/APKBUILD b/user/cairo/APKBUILD index 36e88f395..bfb290d7b 100644 --- a/user/cairo/APKBUILD +++ b/user/cairo/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: pkgname=cairo pkgver=1.16.0 -pkgrel=0 +pkgrel=1 pkgdesc="A vector graphics library" url="https://cairographics.org/" arch="all" 
@@ -18,10 +18,14 @@ _ultver="2016-04-23" source="https://cairographics.org/releases/$pkgname-$pkgver.tar.xz fontconfig-ultimate-$_ultver.tar.gz::https://github.com/bohoomil/fontconfig-ultimate/archive/$_ultver.tar.gz musl-stacksize.patch + CVE-2018-19876.patch " +# secfixes: +# 1.16.0-r1: +# - CVE-2018-19876 + prepare() { - cd "$builddir" default_prepare # infinality @@ -32,7 +36,6 @@ prepare() { } build() { - cd "$builddir" autoreconf -vif ./configure \ --build=$CBUILD \ @@ -58,7 +61,6 @@ build() { } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } @@ -78,4 +80,5 @@ tools() { sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz d8185f4ec74f44c4746acf7e79bba7ff7ffd9d35bdabeb25e10b4e12825942d910931aa857f1645e5c8185bcb40a1f1ffe1e7e647428e9ea66618b2aec52fac3 fontconfig-ultimate-2016-04-23.tar.gz -86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch" +86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch +9020c596caa54a2ac435d5dae0f121d36d3c3f34d487b9c1032665b1bd15813506adf31984e34b5dd328ee0e068de0627e1d061230758328cae4fa993c3a9209 CVE-2018-19876.patch" diff --git a/user/cairo/CVE-2018-19876.patch b/user/cairo/CVE-2018-19876.patch new file mode 100644 index 000000000..33731e4fc --- /dev/null +++ b/user/cairo/CVE-2018-19876.patch 
@@ -0,0 +1,30 @@ +From 90e85c2493fdfa3551f202ff10282463f1e36645 Mon Sep 17 00:00:00 2001 +From: Carlos Garcia Campos <cgarcia@igalia.com> +Date: Mon, 19 Nov 2018 12:33:07 +0100 +Subject: [PATCH] ft: Use FT_Done_MM_Var instead of free when available in + cairo_ft_apply_variations + +Fixes a crash when using freetype >= 2.9 +--- + src/cairo-ft-font.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c +index 325dd61b4..981973f78 100644 +--- a/src/cairo-ft-font.c ++++ b/src/cairo-ft-font.c +@@ -2393,7 +2393,11 @@ skip: + done: + free (coords); + free (current_coords); ++#if HAVE_FT_DONE_MM_VAR ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++#else + free (ft_mm_var); ++#endif + } + } + +-- +2.21.0 + diff --git a/user/flac/APKBUILD b/user/flac/APKBUILD index 0588e8fc2..363d5b3ac 100644 --- a/user/flac/APKBUILD +++ b/user/flac/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=flac pkgver=1.3.2 -pkgrel=2 +pkgrel=3 pkgdesc="Free Lossless Audio Codec" url="https://xiph.org/flac/" arch="all" @@ -11,11 +11,13 @@ subpackages="$pkgname-dev $pkgname-doc" depends= makedepends="libogg-dev" source="https://downloads.xiph.org/releases/flac/flac-${pkgver}.tar.xz - " + CVE-2017-6888.patch" -build() { - cd "$builddir" +# secfixes: +# 1.3.2-r3: +# - CVE-2017-6888 +build() { local _arch_conf case "${CARCH}" in ppc*) _arch_conf="--enable-altivec" ;; 
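Review bot: The `#if HAVE_FT_DONE_MM_VAR` guard takes effect only if configure defines that macro, and this patch touches `src/cairo-ft-font.c` alone, so nothing visible here adds the function check. If the macro is missing from the generated config.h, the build silently keeps `free (ft_mm_var)` and the package records CVE-2018-19876 as fixed while the old path is still compiled in. Since the APKBUILD runs `autoreconf -vif`, please confirm from config.h or the configure log that `HAVE_FT_DONE_MM_VAR` is set against the freetype in the build root. The enclosing function starts outside the hunk.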
@@ -37,16 +39,15 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install install -Dm0644 COPYING.Xiph \ "$pkgdir"/usr/share/licenses/$pkgname/COPYING.Xiph } -sha512sums="63910e8ebbe508316d446ffc9eb6d02efbd5f47d29d2ea7864da9371843c8e671854db6e89ba043fe08aef1845b8ece70db80f1cce853f591ca30d56ef7c3a15 flac-1.3.2.tar.xz" +sha512sums="63910e8ebbe508316d446ffc9eb6d02efbd5f47d29d2ea7864da9371843c8e671854db6e89ba043fe08aef1845b8ece70db80f1cce853f591ca30d56ef7c3a15 flac-1.3.2.tar.xz +ea241ba68a4e8d91d5db555ec8c459cff48ad8c3de511d0a92d4feb8b946a2173422015fdc9604240035ef315132fe4062ab3e6d4bc2d79aa1aed18defa32301 CVE-2017-6888.patch" diff --git a/user/flac/CVE-2017-6888.patch b/user/flac/CVE-2017-6888.patch new file mode 100644 index 000000000..080160bfb --- /dev/null +++ b/user/flac/CVE-2017-6888.patch @@ -0,0 +1,27 @@ +From 4f47b63e9c971e6391590caf00a0f2a5ed612e67 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo <erikd@mega-nerd.com> +Date: Sat, 8 Apr 2017 18:34:49 +1000 +Subject: [PATCH] stream_decoder.c: Fix a memory leak + +Leak reported by Secunia Research. +--- + src/libFLAC/stream_decoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c +index 14d5fe7f..a5527511 100644 +--- a/src/libFLAC/stream_decoder.c ++++ b/src/libFLAC/stream_decoder.c +@@ -1753,6 +1753,9 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre + } + memset (obj->comments[i].entry, 0, obj->comments[i].length) ; + if (!FLAC__bitreader_read_byte_block_aligned_no_crc(decoder->private_->input, obj->comments[i].entry, obj->comments[i].length)) { ++ /* Current i-th entry is bad, so we delete it. */ ++ free (obj->comments[i].entry) ; ++ obj->comments[i].entry = NULL ; + obj->num_comments = i; + goto skip; + } +-- +2.11.0 + diff --git a/user/libice/APKBUILD b/user/libice/APKBUILD index 8d2fea498..1ea5a767f 100644 --- a/user/libice/APKBUILD 
+++ b/user/libice/APKBUILD @@ -1,19 +1,28 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libice pkgver=1.0.9 -pkgrel=3 +pkgrel=4 pkgdesc="X11 Inter-Client Exchange library" url="https://www.X.Org/" arch="all" license="MIT" depends= -makedepends="util-macros xmlto xorgproto-dev xtrans" +makedepends="libbsd-dev util-macros xmlto xorgproto-dev xtrans" checkdepends="check-dev" subpackages="$pkgname-dev $pkgname-doc" -source="https://www.X.Org/releases/individual/lib/libICE-$pkgver.tar.bz2" - +source="https://www.X.Org/releases/individual/lib/libICE-$pkgver.tar.bz2 + CVE-2017-2626.patch" builddir="$srcdir/libICE-$pkgver" +# secfixes: +# 1.0.9-r4: +# - CVE-2017-2626 + +prepare() { + default_prepare + autoreconf -vif +} + build() { cd "$builddir" ./configure \ @@ -38,4 +47,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="daa8126ee5279c08f801274a2754132762dea2a40f4733c4b0bf8e8bdad61cba826939a2e067beb3524e256a98a2b83f23c8d4643f3e75a284ab02cc73da41b7 libICE-1.0.9.tar.bz2" +sha512sums="daa8126ee5279c08f801274a2754132762dea2a40f4733c4b0bf8e8bdad61cba826939a2e067beb3524e256a98a2b83f23c8d4643f3e75a284ab02cc73da41b7 libICE-1.0.9.tar.bz2 +83e53a4b48c429c7fad8f4feba1b9261e1ff26d995a729e7d38f1aac29cf5f69ffeb83a1733f3e624b09ae0ee97f09be8380ab0d59fb51436e1b537461a6943c CVE-2017-2626.patch" diff --git a/user/libice/CVE-2017-2626.patch b/user/libice/CVE-2017-2626.patch new file mode 100644 index 000000000..ea2d8835b --- /dev/null +++ b/user/libice/CVE-2017-2626.patch 
@@ -0,0 +1,142 @@ +From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires <benjamin.tissoires@gmail.com> +Date: Tue, 4 Apr 2017 19:12:53 +0200 +Subject: Use getentropy() if arc4random_buf() is not available + +This allows to fix CVE-2017-2626 on Linux platforms without pulling in +libbsd. +The libc getentropy() is available since glibc 2.25 but also on OpenBSD. +For Linux, we need at least a v3.17 kernel. If the recommended +arc4random_buf() function is not available, emulate it by first trying +to use getentropy() on a supported glibc and kernel. If the call fails, +fall back to the current (partly vulnerable) code. + +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> +Reviewed-by: Mark Kettenis <kettenis@openbsd.org> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + configure.ac | 2 +- + src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++----------------- + 2 files changed, 47 insertions(+), 20 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 458882a..c971ab6 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type]) + + # Checks for library functions. + AC_CHECK_LIB([bsd], [arc4random_buf]) +-AC_CHECK_FUNCS([asprintf arc4random_buf]) ++AC_CHECK_FUNCS([asprintf arc4random_buf getentropy]) + + # Allow checking code with lint, sparse, etc. + XORG_WITH_LINT +diff --git a/src/iceauth.c b/src/iceauth.c +index ed31683..de4785b 100644 +--- a/src/iceauth.c ++++ b/src/iceauth.c +@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium + + static int was_called_state; + +-/* +- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by +- * the SI. It is not part of standard ICElib. 
+- */ ++#ifndef HAVE_ARC4RANDOM_BUF + +- +-char * +-IceGenerateMagicCookie ( ++static void ++emulate_getrandom_buf ( ++ char *auth, + int len + ) + { +- char *auth; +-#ifndef HAVE_ARC4RANDOM_BUF + long ldata[2]; + int seed; + int value; + int i; +-#endif + +- if ((auth = malloc (len + 1)) == NULL) +- return (NULL); +- +-#ifdef HAVE_ARC4RANDOM_BUF +- arc4random_buf(auth, len); +-#else + #ifdef ITIMER_REAL + { + struct timeval now; +@@ -76,13 +64,13 @@ IceGenerateMagicCookie ( + ldata[0] = now.tv_sec; + ldata[1] = now.tv_usec; + } +-#else ++#else /* ITIMER_REAL */ + { + long time (); + ldata[0] = time ((long *) 0); + ldata[1] = getpid (); + } +-#endif ++#endif /* ITIMER_REAL */ + seed = (ldata[0]) + (ldata[1] << 16); + srand (seed); + for (i = 0; i < len; i++) +@@ -90,7 +78,46 @@ IceGenerateMagicCookie ( + value = rand (); + auth[i] = value & 0xff; + } +-#endif ++} ++ ++static void ++arc4random_buf ( ++ char *auth, ++ int len ++) ++{ ++ int ret; ++ ++#if HAVE_GETENTROPY ++ /* weak emulation of arc4random through the entropy libc */ ++ ret = getentropy (auth, len); ++ if (ret == 0) ++ return; ++#endif /* HAVE_GETENTROPY */ ++ ++ emulate_getrandom_buf (auth, len); ++} ++ ++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */ ++ ++/* ++ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by ++ * the SI. It is not part of standard ICElib. ++ */ ++ ++ ++char * ++IceGenerateMagicCookie ( ++ int len ++) ++{ ++ char *auth; ++ ++ if ((auth = malloc (len + 1)) == NULL) ++ return (NULL); ++ ++ arc4random_buf (auth, len); ++ + auth[len] = '\0'; + return (auth); + } +-- +cgit v1.1 + diff --git a/user/libssh2/APKBUILD b/user/libssh2/APKBUILD deleted file mode 100644 index cb6e11f97..000000000 --- a/user/libssh2/APKBUILD +++ /dev/null 
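Review bot: When `getentropy` fails or is not compiled in, the emulated `arc4random_buf` falls through to `emulate_getrandom_buf` with no signal to the caller. That path fills the buffer from `rand()` seeded with the clock (or time and pid), so the cookie returned by `IceGenerateMagicCookie` is predictable again; the patch description itself calls this code partly vulnerable. `getentropy` also rejects requests larger than 256 bytes, so a large `len` takes the weak path even on a supported kernel. The APKBUILD adds `libbsd-dev`, which presumably lets `AC_CHECK_LIB([bsd], [arc4random_buf])` succeed and compiles the fallback out, so it is worth confirming `HAVE_ARC4RANDOM_BUF` in the generated config.h. I would also add a comment above `emulate_getrandom_buf`: `/* Last resort only: rand() seeded from time/pid is predictable and unsuitable for authentication cookies. */`.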
@@ -1,40 +0,0 @@ -# Contributor: William Pitcock <nenolod@dereferenced.org> -# Maintainer: -pkgname=libssh2 -pkgver=1.8.2 -pkgrel=0 -pkgdesc="Library for accessing SSH servers" -url="https://libssh2.org/" -arch="all" -options="!check" # Requires deprecated UsePrivilegeSeparation option. -license="BSD-3-Clause" -makedepends_host="openssl-dev zlib-dev" -subpackages="$pkgname-dev $pkgname-doc" -source="https://libssh2.org/download/libssh2-$pkgver.tar.gz" - -build() { - cd "$builddir" - ./configure \ - --build=$CBUILD \ - --host=$CHOST \ - --prefix=/usr \ - --sysconfdir=/etc \ - --mandir=/usr/share/man \ - --infodir=/usr/share/info \ - --localstatedir=/var \ - --with-libssl-prefix="${CBUILDROOT}"/usr \ - --disable-rpath - make -} - -check() { - cd "$builddir" - make check -} - -package() { - cd "$builddir" - make DESTDIR="$pkgdir" install -} - -sha512sums="390ab4ad93bb738415ec11a6eb92806c9b9e9e5d8ee7c442d841a58b4292c1c447a9bc99e153ba464e2e11f9c0d1913469303598c3046722d1ae821991e8cb93 libssh2-1.8.2.tar.gz" diff --git a/user/postgresql/APKBUILD b/user/postgresql/APKBUILD index 7fed2351e..996168875 100644 --- a/user/postgresql/APKBUILD +++ b/user/postgresql/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=postgresql -pkgver=10.5 +pkgver=10.8 pkgrel=0 pkgdesc="Featureful object-relational database system (RDBMS)" url="https://www.postgresql.org/" 
@@ -35,23 +35,26 @@ source="https://ftp.postgresql.org/pub/source/v$pkgver/$pkgname-$pkgver.tar.bz2 # secfixes: # 9.6.4-r0: -# - CVE-2017-7546 -# - CVE-2017-7547 -# - CVE-2017-7548 +# - CVE-2017-7546 +# - CVE-2017-7547 +# - CVE-2017-7548 # 9.6.3-r0: -# - CVE-2017-7484 -# - CVE-2017-7485 -# - CVE-2017-7486 +# - CVE-2017-7484 +# - CVE-2017-7485 +# - CVE-2017-7486 # 10.1-r0: -# - CVE-2017-15098 -# - CVE-2017-15099 +# - CVE-2017-15098 +# - CVE-2017-15099 # 10.2-r0: -# - CVE-2018-1052 -# - CVE-2018-1053 +# - CVE-2018-1052 +# - CVE-2018-1053 # 10.3-r0: -# - CVE-2018-1058 +# - CVE-2018-1058 # 10.4-r0: -# - CVE-2018-1115 +# - CVE-2018-1115 +# 10.8-r0: +# - CVE-2018-16850 +# - CVE-2019-10130 prepare() { default_prepare @@ -249,7 +252,7 @@ _submv() { done } -sha512sums="1bad30ae88beca66f7e8b99b82e7f02aac1e9230b328e6e5a762a704cdd9dc767d924f5a66c68c93586badfef91b7ff336120a567ce970eaa58bb44c662ad48c postgresql-10.5.tar.bz2 +sha512sums="c9cd0298f553e13e32d4315e17e9e61c1fd011391c5203282d9040f26fd08c85f749e6f2cea3bcc42d1ca153a1272bcd773196ef3bf2bdfb74cd12c5f523b7ca postgresql-10.8.tar.bz2 1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch 5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch 8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch diff --git a/user/tiff/APKBUILD b/user/tiff/APKBUILD index 7bb89ee3e..c3f0590f9 100644 --- a/user/tiff/APKBUILD +++ b/user/tiff/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=tiff pkgver=4.0.10 -pkgrel=0 +pkgrel=1 pkgdesc="Library to read, create, and manipulate TIFF image files" url="http://www.libtiff.org/" arch="all" 
@@ -13,8 +13,13 @@ depends_dev="zlib-dev libjpeg-turbo-dev" makedepends="libtool autoconf automake $depends_dev" subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz + CVE-2019-6128.patch + CVE-2019-7663.patch " -# secfixes: +# secfixes: libtiff +# 4.0.10-r1: +# - CVE-2019-6128 +# - CVE-2019-7663 # 4.0.9-r1: # - CVE-2017-18013 # 4.0.9-r0: @@ -64,4 +69,6 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz" +sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz +8dc336e6c863524e3622f61ec6583eebe13fde55649cd8c812e3f6752242a23ff72cfb680dfcbe47d1503a058f5f9001415ae112220729e4ab50fe81190e327e CVE-2019-6128.patch +6fb7e9aa0afbae96fd6e78c2401262e496f5d62980ea02712bc43f8749341d030df3625f10413f5ed3e130e88d609c2374ae69807a1f9e54ed91cbd8411aab62 CVE-2019-7663.patch" diff --git a/user/tiff/CVE-2019-6128.patch b/user/tiff/CVE-2019-6128.patch new file mode 100644 index 000000000..1b15b6f01 --- /dev/null +++ b/user/tiff/CVE-2019-6128.patch 
@@ -0,0 +1,49 @@ +From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001 +From: Scott Gayou <github.scott@gmail.com> +Date: Wed, 23 Jan 2019 15:03:53 -0500 +Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128. + +pal2rgb failed to free memory on a few errors. This was reported +here: http://bugzilla.maptools.org/show_bug.cgi?id=2836. +--- + tools/pal2rgb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01d8502e..9492f1cf 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -118,12 +118,14 @@ main(int argc, char* argv[]) + shortv != PHOTOMETRIC_PALETTE) { + fprintf(stderr, "%s: Expecting a palette image.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { + fprintf(stderr, + "%s: No colormap (not a valid palette image).\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + bitspersample = 0; +@@ -131,11 +133,14 @@ main(int argc, char* argv[]) + if (bitspersample != 8) { + fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + out = TIFFOpen(argv[optind+1], "w"); +- if (out == NULL) ++ if (out == NULL) { ++ (void) TIFFClose(in); + return (-2); ++ } + cpTags(in, out); + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); +-- +2.21.0 + diff --git a/user/tiff/CVE-2019-7663.patch b/user/tiff/CVE-2019-7663.patch new file mode 100644 index 000000000..8049566c6 --- /dev/null +++ b/user/tiff/CVE-2019-7663.patch 
@@ -0,0 +1,37 @@ +From 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard <miniupnp@free.fr> +Date: Tue, 29 Jan 2019 11:21:47 +0100 +Subject: [PATCH] TIFFWriteDirectoryTagTransferfunction() : fix NULL + dereferencing + +http://bugzilla.maptools.org/show_bug.cgi?id=2833 + +we must check the pointer is not NULL before memcmp() the memory +--- + libtiff/tif_dirwrite.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index c15a28db..ef30c869 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir + n=3; + if (n==3) + { +- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) ++ if (tif->tif_dir.td_transferfunction[2] == NULL || ++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) + n=2; + } + if (n==2) + { +- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) ++ if (tif->tif_dir.td_transferfunction[1] == NULL || ++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) + n=1; + } + if (n==0) +-- +2.21.0 + |