authorA. Wilcox <awilcox@wilcox-tech.com>2019-07-24 05:12:56 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2019-07-24 05:12:56 +0000
commit6574a30b9b98a3464ff4cebe381b3732a8dabfc3 (patch)
tree3111303ee53fc28d8203494e91b3e329f4eb0b1a
parent57ff2ddb06504d45f242b922d5f14e7ecaf1e534 (diff)
parent0dec8e672d9f4dcf03494c0a85b4296ea30c56b7 (diff)
Merge branch 'cves.for.20190723' into 'master'
CVE patches for 2019-07-23 See merge request adelie/packages!298
-rw-r--r--system/bzip2/APKBUILD26
-rw-r--r--system/bzip2/bzip2-1.0.4-POSIX-shell.patch21
-rw-r--r--system/bzip2/bzip2-1.0.6-saneso.patch13
-rw-r--r--system/bzip2/bzip2-1.0.8-saneso.patch13
-rw-r--r--system/libxslt/APKBUILD13
-rw-r--r--system/libxslt/CVE-2019-13117.patch29
-rw-r--r--system/libxslt/CVE-2019-13118.patch71
-rw-r--r--user/atril/APKBUILD6
-rw-r--r--user/atril/CVE-2019-1010006.patch56
9 files changed, 195 insertions, 53 deletions
diff --git a/system/bzip2/APKBUILD b/system/bzip2/APKBUILD
index 54b3e4d66..ed22b0137 100644
--- a/system/bzip2/APKBUILD
+++ b/system/bzip2/APKBUILD
@@ -1,28 +1,28 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=bzip2
-pkgver=1.0.6
-pkgrel=7
+pkgver=1.0.8
+pkgrel=0
pkgdesc="A high-quality data compression program"
-url="http://sources.redhat.com/bzip2"
+url="https://www.sourceware.org/bzip2/"
arch="all"
license="BSD-4-Clause"
depends=""
subpackages="$pkgname-dev $pkgname-doc libbz2"
-source="https://downloads.sourceforge.net/bzip2/$pkgname-$pkgver.tar.gz
+source="https://sourceware.org/pub/bzip2/$pkgname-$pkgver.tar.gz
bzip2-1.0.4-makefile-CFLAGS.patch
- bzip2-1.0.6-saneso.patch
+ bzip2-1.0.8-saneso.patch
bzip2-1.0.4-man-links.patch
bzip2-1.0.2-progress.patch
bzip2-1.0.3-no-test.patch
- bzip2-1.0.4-POSIX-shell.patch
- CVE-2016-3189.patch
"
+builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 1.0.6-r5:
-# - CVE-2016-3189
+# - CVE-2016-3189
+# 1.0.8-r0:
+# - CVE-2019-12900
-builddir="$srcdir"/$pkgname-$pkgver
prepare() {
default_prepare
@@ -64,11 +64,9 @@ libbz2() {
mv "$pkgdir"/usr/lib/*.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="00ace5438cfa0c577e5f578d8a808613187eff5217c35164ffe044fbafdfec9e98f4192c02a7d67e01e5a5ccced630583ad1003c37697219b0f147343a3fdd12 bzip2-1.0.6.tar.gz
+sha512sums="083f5e675d73f3233c7930ebe20425a533feedeaaa9d8cc86831312a6581cefbe6ed0d08d2fa89be81082f2a5abdabca8b3c080bf97218a1bd59dc118a30b9f3 bzip2-1.0.8.tar.gz
58cc37430555520b6e35db2740e699cf37eacdd82989c21a222a593e36288710a0defb003662d4238235c12b3764bfc89cd646e6be9d0a08d54bd2c9baa6ad15 bzip2-1.0.4-makefile-CFLAGS.patch
-8a7528b5b931bb72f637c6940bc811d54fb816fd5bb453af56d9b4a87091004eb5e191ba799d972794b24c56cf8134344a618b58946d3f1d985c508f88190845 bzip2-1.0.6-saneso.patch
+bc52f6efc63ac8d06fcbbb0446cc9c8025964ba0651ef493b5a124e838bf03bebb0ef56247fdd007265c8ea091f3458e832a53856228e7fefa4d20a55065bba3 bzip2-1.0.8-saneso.patch
2d9a306bc0f552a58916ebc702d32350a225103c487e070d2082121a54e07f1813d3228f43293cc80a4bee62053fd597294c99a1751b1685cd678f4e5c6a2fe7 bzip2-1.0.4-man-links.patch
b6810c73428f17245e0d7c2decd00c88986cd8ad1cfe4982defe34bdab808d53870ed92cb513b2d00c15301747ceb6ca958fb0e0458d0663b7d8f7c524f7ba4e bzip2-1.0.2-progress.patch
-aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030 bzip2-1.0.3-no-test.patch
-64ab461bf739c29615383750e7f260abb2d49df7eb23916940d512bd61fd9a37aaade4d8f6f94280c95fc781b8f92587ad4f3dda51e87dec7a92a7a6f8d8ae86 bzip2-1.0.4-POSIX-shell.patch
-cef6f448b661a775cc433f9636730e89c1285d07075536217657056be56e0a11e96f41f7c14f6ec59e235464b9ddd649a71fb8de1c60eda2fd5c2cdfbb6a8fdc CVE-2016-3189.patch"
+aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030 bzip2-1.0.3-no-test.patch"
diff --git a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch b/system/bzip2/bzip2-1.0.4-POSIX-shell.patch
deleted file mode 100644
index a5916eaff..000000000
--- a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-bzgrep uses !/bin/sh but then uses the bashism ${var//} so replace those
-with calls to sed so POSIX shells work
-
-http://bugs.gentoo.org/193365
-
---- ./bzgrep
-+++ ./bzgrep
-@@ -63,10 +63,9 @@
- bzip2 -cdfq "$i" | $grep $opt "$pat"
- r=$?
- else
-- j=${i//\\/\\\\}
-- j=${j//|/\\|}
-- j=${j//&/\\&}
-- j=`printf "%s" "$j" | tr '\n' ' '`
-+ # the backslashes here are doubled up as we have to escape each one for the
-+ # shell and then escape each one for the sed expression
-+ j=`printf "%s" "${i}" | sed -e 's:\\\\:\\\\\\\\:g' -e 's:[|]:\\\\|:g' -e 's:[&]:\\\\&:g' | tr '\n' ' '`
- bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${j}:|"
- r=$?
- fi
diff --git a/system/bzip2/bzip2-1.0.6-saneso.patch b/system/bzip2/bzip2-1.0.6-saneso.patch
deleted file mode 100644
index 1968a63bf..000000000
--- a/system/bzip2/bzip2-1.0.6-saneso.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- ./Makefile-libbz2_so
-+++ ./Makefile-libbz2_so
-@@ -35,8 +35,8 @@
- bzlib.o
-
- all: $(OBJS)
-- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.6 $(OBJS)
-- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
-+ $(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS)
-+ $(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
- rm -f libbz2.so.1.0
- ln -s libbz2.so.1.0.6 libbz2.so.1.0
-
diff --git a/system/bzip2/bzip2-1.0.8-saneso.patch b/system/bzip2/bzip2-1.0.8-saneso.patch
new file mode 100644
index 000000000..7aab257af
--- /dev/null
+++ b/system/bzip2/bzip2-1.0.8-saneso.patch
@@ -0,0 +1,13 @@
+--- bzip2-1.0.8/Makefile-libbz2_so 2019-07-13 17:50:05.000000000 +0000
++++ bzip2-1.0.8/Makefile-libbz2_so 2019-07-23 22:36:08.050034514 +0000
+@@ -35,8 +35,8 @@ OBJS= blocksort.o \
+ bzlib.o
+
+ all: $(OBJS)
+- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.8 $(OBJS)
+- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
++ $(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
++ $(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
+ rm -f libbz2.so.1.0
+ ln -s libbz2.so.1.0.8 libbz2.so.1.0
+
diff --git a/system/libxslt/APKBUILD b/system/libxslt/APKBUILD
index 49a07d7cf..c387c6d45 100644
--- a/system/libxslt/APKBUILD
+++ b/system/libxslt/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=libxslt
pkgver=1.1.33
-pkgrel=1
+pkgrel=2
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
arch="all"
@@ -10,13 +10,18 @@ license="SGI-B-2.0"
makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev"
subpackages="$pkgname-doc $pkgname-dev"
source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz
- CVE-2019-11068.patch"
+ CVE-2019-11068.patch
+ CVE-2019-13117.patch
+ CVE-2019-13118.patch"
# secfixes:
# 1.1.29-r1:
# - CVE-2017-5029
# 1.1.33-r1:
# - CVE-2019-11068
+# 1.1.33-r2:
+# - CVE-2019-13117
+# - CVE-2019-13118
build() {
./configure \
@@ -35,4 +40,6 @@ package() {
}
sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0 libxslt-1.1.33.tar.gz
-48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41 CVE-2019-11068.patch"
+48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41 CVE-2019-11068.patch
+b311e253a5c4f425f84344397974562a76b253ca14f63b48af7aa0faa561d5f728cb73ee63024993fad3ee7fc7eddb9c9d7310ab8faa5f6a14fd1c6d0037999f CVE-2019-13117.patch
+44d3bb5dda6965f48e3af96c77ffa5f1f2e3c191cf1f28ac1b7b3501420393b5628b12b99fe4008b5056384dfebfdcbbee7625f0644cfc27101424a051415da0 CVE-2019-13118.patch"
diff --git a/system/libxslt/CVE-2019-13117.patch b/system/libxslt/CVE-2019-13117.patch
new file mode 100644
index 000000000..78ebb9075
--- /dev/null
+++ b/system/libxslt/CVE-2019-13117.patch
@@ -0,0 +1,29 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ tokens->tokens[tokens->nTokens].token = val - 1;
+ ix += len;
+ val = xmlStringCurrentChar(NULL, format+ix, &len);
+- }
++ } else {
++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++ tokens->tokens[tokens->nTokens].width = 1;
++ }
+ } else if ( (val == (xmlChar)'A') ||
+ (val == (xmlChar)'a') ||
+ (val == (xmlChar)'I') ||
+--
+2.21.0
+
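Review bot: The new `else` branch in xsltNumberFormatTokenize assigns `'0'` and width `1` without saying why those values are the fallback, so the reason for the fix is only recoverable from the patch subject. A comment above the two assignments would keep that visible, e.g. `/* no digit one after the zeros: fall back to the default token so .token is never read uninitialized */`. The governing `if` and the loop that counts the zeros are outside the hunk, so the wording should be checked against them. Unlike CVE-2019-13118.patch in this same commit, this patch carries no regression test; a stylesheet that exercises the branch would guard the fix across future libxslt rebases.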
diff --git a/system/libxslt/CVE-2019-13118.patch b/system/libxslt/CVE-2019-13118.patch
new file mode 100644
index 000000000..b377f4bd6
--- /dev/null
+++ b/system/libxslt/CVE-2019-13118.patch
@@ -0,0 +1,71 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++ int gchar;
+
+ len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+ format_info.group,
+- pchar, len);
++ gchar, len);
+ } else
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="⠢"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.21.0
+
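Review bot: The value returned by `xsltGetUTF8Char(self->grouping, &len)` is handed to xsltNumberFormatDecimal without being checked. As far as I know that helper reports malformed UTF-8 by returning a negative value. Now that `gchar` is an `int`, such an error value reaches the formatter intact instead of being truncated by the narrower `pchar`. Whether `self->grouping` is validated when the decimal-format is parsed is not visible here, so this may already be unreachable. If it is not, a guard such as `if (gchar < 0) { gchar = 0; len = 0; }`, or routing that case to the ungrouped call in the `else` branch, would keep an invalid character/length pair out of the formatter. The `else` statement continues past the end of the hunk.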
diff --git a/user/atril/APKBUILD b/user/atril/APKBUILD
index 5fd885123..d9f1127a9 100644
--- a/user/atril/APKBUILD
+++ b/user/atril/APKBUILD
@@ -13,7 +13,8 @@ makedepends="caja-dev djvulibre-dev gobject-introspection-dev gtk+3.0-dev
intltool itstool libgxps-dev libsecret-dev libsm-dev libspectre-dev
libxml2-dev libxml2-utils poppler-dev python3 tiff-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
-source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz"
+source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz
+ CVE-2019-1010006.patch"
build() {
cd "$builddir"
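Review bot: This APKBUILD gains CVE-2019-1010006.patch in `source` and `sha512sums`, but `pkgrel` is not bumped and no `# secfixes:` entry is added. The diffstat lists six changed lines for the file, and the two visible hunks account for all of them. Without a release bump, systems that already have atril 1.22.1 at the current release would not be offered the rebuilt package, and tooling that reads `secfixes` will not record the CVE as fixed. The libxslt APKBUILD in this same merge does both (`pkgrel=2` and a `1.1.33-r2` secfixes entry); the same should be done here, with the entry keyed to the new release as `# - CVE-2019-1010006`. Lines 1-12 of the file are outside the hunk, so the current `pkgrel` value is not shown.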
@@ -41,4 +42,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d atril-1.22.1.tar.xz"
+sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d atril-1.22.1.tar.xz
+ea6db09fe033a8ddf6d90f080858057fad5452a23801e0f41f7a90ec352b71344e8b596a0913deabca333ff24dc5023628eab7c18bc526c0a7f8fb0d680acdf7 CVE-2019-1010006.patch"
diff --git a/user/atril/CVE-2019-1010006.patch b/user/atril/CVE-2019-1010006.patch
new file mode 100644
index 000000000..ce107d193
--- /dev/null
+++ b/user/atril/CVE-2019-1010006.patch
@@ -0,0 +1,56 @@
+From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001
+From: Jason Crain <jcrain@src.gnome.org>
+Date: Sat, 2 Dec 2017 20:24:33 -0600
+Subject: [PATCH] Fix overflow checks in tiff backend
+
+The overflow checks in tiff_document_render and
+tiff_document_get_thumbnail don't work when optimizations are enabled.
+Change the checks so they don't rely on undefined behavior.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=788980
+---
+ backend/tiff/tiff-document.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 8f40934e..7bf95c2b 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document,
+ return NULL;
+ }
+
+- bytes = height * rowstride;
+- if (bytes / rowstride != height) {
++ if (height >= INT_MAX / rowstride) {
+ g_warning("Overflow while rendering document.");
+ /* overflow */
+ return NULL;
+ }
++ bytes = height * rowstride;
+
+ pixels = g_try_malloc (bytes);
+ if (!pixels) {
+@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document,
+ if (width <= 0 || height <= 0)
+ return NULL;
+
+- rowstride = width * 4;
+- if (rowstride / 4 != width)
++ if (width >= INT_MAX / 4)
+ /* overflow */
+ return NULL;
++ rowstride = width * 4;
+
+- bytes = height * rowstride;
+- if (bytes / rowstride != height)
++ if (height >= INT_MAX / rowstride)
+ /* overflow */
+ return NULL;
++ bytes = height * rowstride;
+
+ pixels = g_try_malloc (bytes);
+ if (!pixels)
+--
+2.21.0
+
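Review bot: In tiff_document_render the new guard `height >= INT_MAX / rowstride` divides by `rowstride`, but where that value is computed and validated lies above the hunk. If it can be zero the check itself faults, and if it can be negative the comparison no longer bounds the product. In tiff_document_get_thumbnail the preceding `width <= 0 || height <= 0` test and the `width >= INT_MAX / 4` guard make `rowstride` positive, so only the render path needs confirming. If that is not already guaranteed there, `if (rowstride <= 0 || height >= INT_MAX / rowstride) {` closes the gap. The patch also uses `INT_MAX` without adding `#include <limits.h>`; it presumably arrives through the GLib headers, but that is worth confirming against the file's include list.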