Merge branch 'cves.2019.10.16' into 'master'

CVE patches for 2019.10.16

See merge request adelie/packages!366

11 files changed, 526 insertions, 17 deletions

diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD
index 682f2e93c..f5defac52 100644
--- a/system/binutils/APKBUILD
+++ b/system/binutils/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
 pkgname=binutils
 pkgver=2.32
-pkgrel=4
+pkgrel=5
 pkgdesc="Tools necessary to build programs"
 url="https://www.gnu.org/software/binutils/"
 depends=""
@@ -32,6 +32,8 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
 	CVE-2019-12972.patch
 	CVE-2019-14250.patch
 	CVE-2019-14444.patch
+	CVE-2019-17450.patch
+	CVE-2019-17451.patch
 	BTS-170.patch
 	BTS-196.patch
 	"
@@ -63,6 +65,9 @@ fi
 #     - CVE-2019-14250
 #   2.32-r3:
 #     - CVE-2019-14444
+#   2.32-r5:
+#     - CVE-2019-17450
+#     - CVE-2019-17451
 
 build() {
 	local _sysroot=/
@@ -158,5 +163,7 @@ c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be
 9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42  CVE-2019-12972.patch
 c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f  CVE-2019-14250.patch
 0942cc1a4c5ec03e931c6ebd15c5d60eae6be48cd0a3d9b7f6356f97361226bb6d53dbdcb01b20efcca0ccaf23764730d9bbad2c1bbe2ea6ca320e43b43b311b  CVE-2019-14444.patch
+4e8cbe3985ca4a7cb8954e4e03f094687985b3afec6bb14f1599665e0ab13e601b68cefdbb63e88f9dd59852036dcfee05af14014493c16c76dc38d406efc8fd  CVE-2019-17450.patch
+a71a035db5e14f105b5d58ec01ad250447f6282cae04e8c931fbdbf7adf118a065c6c9be9c72a204e0f8115b19598dc52f3953ae91200d48328b58cc274939d8  CVE-2019-17451.patch
 d4543d2f77808d317d17a5f0eb9af21540ef8543fceaed4e3524213e31e058333321f3ba3b495199e3b57bfd0c4164929cf679369470389e26871b8895cb0110  BTS-170.patch
 9cc17d9fe3fc1351d1f6b4fc1c916254529f3304c95db6f4698b867eeb623210b914dc798fb837eafbad2b287b78b31c4ed5482b3151a2992864da04e1dd5fac  BTS-196.patch"
diff --git a/system/binutils/CVE-2019-17450.patch b/system/binutils/CVE-2019-17450.patch
new file mode 100644
index 000000000..edc0e94df
--- /dev/null
+++ b/system/binutils/CVE-2019-17450.patch
@@ -0,0 +1,87 @@
+From 063c511bd79281f33fd33f0964541a73511b9e2b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 00:07:29 +1030
+Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
+
+	PR 25078
+	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
+	recur_count.  Error on recur_count reaching 100 rather than
+	info_ptr matching orig_info_ptr.  Adjust calls.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 575b082..d39f4fd 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2812,13 +2812,13 @@ static bfd_boolean comp_unit_maybe_decode_line_info (struct comp_unit *,
+ 						     struct dwarf2_debug *);
+ 
+ static bfd_boolean
+-find_abstract_instance (struct comp_unit *   unit,
+-			bfd_byte *           orig_info_ptr,
+-			struct attribute *   attr_ptr,
+-			const char **        pname,
+-			bfd_boolean *        is_linkage,
+-			char **              filename_ptr,
+-			int *                linenumber_ptr)
++find_abstract_instance (struct comp_unit *unit,
++			struct attribute *attr_ptr,
++			unsigned int recur_count,
++			const char **pname,
++			bfd_boolean *is_linkage,
++			char **filename_ptr,
++			int *linenumber_ptr)
+ {
+   bfd *abfd = unit->abfd;
+   bfd_byte *info_ptr;
+@@ -2829,6 +2829,14 @@ find_abstract_instance (struct comp_unit *   unit,
+   struct attribute attr;
+   const char *name = NULL;
+ 
++  if (recur_count == 100)
++    {
++      _bfd_error_handler
++	(_("DWARF error: abstract instance recursion detected"));
++      bfd_set_error (bfd_error_bad_value);
++      return FALSE;
++    }
++
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+   if (attr_ptr->form == DW_FORM_ref_addr)
+@@ -2962,15 +2970,6 @@ find_abstract_instance (struct comp_unit *   unit,
+ 					 info_ptr, info_ptr_end);
+ 	      if (info_ptr == NULL)
+ 		break;
+-	      /* It doesn't ever make sense for DW_AT_specification to
+-		 refer to the same DIE.  Stop simple recursion.  */
+-	      if (info_ptr == orig_info_ptr)
+-		{
+-		  _bfd_error_handler
+-		    (_("DWARF error: abstract instance recursion detected"));
+-		  bfd_set_error (bfd_error_bad_value);
+-		  return FALSE;
+-		}
+ 	      switch (attr.name)
+ 		{
+ 		case DW_AT_name:
+@@ -2984,7 +2983,7 @@ find_abstract_instance (struct comp_unit *   unit,
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+ 					       &name, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return FALSE;
+@@ -3200,7 +3199,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_abstract_origin:
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, 0,
+ 					       &func->name,
+ 					       &func->is_linkage,
+ 					       &func->file,
+-- 
+2.9.3
+
diff --git a/system/binutils/CVE-2019-17451.patch b/system/binutils/CVE-2019-17451.patch
new file mode 100644
index 000000000..f6af71601
--- /dev/null
+++ b/system/binutils/CVE-2019-17451.patch
@@ -0,0 +1,38 @@
+From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1.  Reading the first
+section of course overflows the buffer and tramples on other memory.
+
+	PR 25070
+	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+	total_size calculation.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index d39f4fd..88aaa2d 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+       for (total_size = 0;
+ 	   msec;
+ 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
+-	total_size += msec->size;
++	{
++	  /* Catch PR25070 testcase overflowing size calculation here.  */
++	  if (total_size + msec->size < total_size
++	      || total_size + msec->size < msec->size)
++	    {
++	      bfd_set_error (bfd_error_no_memory);
++	      return FALSE;
++	    }
++	  total_size += msec->size;
++	}
+ 
+       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+       if (stash->info_ptr_memory == NULL)
+-- 
+2.9.3
+
diff --git a/system/libssh2/APKBUILD b/system/libssh2/APKBUILD
index 401fa2cf0..010c6834d 100644
--- a/system/libssh2/APKBUILD
+++ b/system/libssh2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libssh2
 pkgver=1.9.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Library for accessing SSH servers"
 url="https://libssh2.org/"
 arch="all"
@@ -11,7 +11,12 @@ checkdepends="openssh-server"
 makedepends="openssl-dev zlib-dev"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz
-	test-sshd.patch"
+	test-sshd.patch
+	CVE-2019-17498.patch"
+
+# secfixes:
+#   1.9.0-r1:
+#     - CVE-2019-17498
 
 build() {
 	./configure \
@@ -35,4 +40,5 @@ package() {
 }
 
 sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17  libssh2-1.9.0.tar.gz
-eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c  test-sshd.patch"
+eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c  test-sshd.patch
+102542a2023d53f7684c99a89fa4c592ee4ababc09bc174c52cd20f7f21b4c5878a89bae7e20c3438490666b7b0758caba5cf82c2b2965e1e58e02d5c1f4ea47  CVE-2019-17498.patch"
diff --git a/system/libssh2/CVE-2019-17498.patch b/system/libssh2/CVE-2019-17498.patch
new file mode 100644
index 000000000..a908c9974
--- /dev/null
+++ b/system/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,210 @@
+From b9aa7c2495694d0527e4e7fd560a3f0f18556c72 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:14:19 -0700
+Subject: [PATCH 1/5] packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG, additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST
+---
+ src/packet.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab6294..ac69768c 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -537,26 +537,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+         case SSH_MSG_DEBUG:
+             if(datalen >= 2) {
+                 int always_display = data[1];
+-
++            
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
+-
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
++                    struct string_buf buf;
++                    buf.data = (unsigned char *)data;
++                    buf.dataptr = buf.data;
++                    buf.len = datalen;
++                    buf.dataptr += 2; /* advance past type & always display */
++
++                    _libssh2_get_string(&buf, &message, &message_len);
++                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+ 
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
++                    LIBSSH2_DEBUG(session, always_display,
++                                  (const char *)message,
++                                  message_len, (const char *)language,
++                                  language_len);
+                 }
+             }
++
+             /*
+              * _libssh2_debug will actually truncate this for us so
+              * that it's not an inordinate about of data
+@@ -579,7 +579,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
+
+From 8b3cf0b17c1b84a138bed9423a9e0743452b4de9 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:15:33 -0700
+Subject: [PATCH 2/5] stray whitespace
+
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index ac69768c..8908b2c5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -537,7 +537,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+         case SSH_MSG_DEBUG:
+             if(datalen >= 2) {
+                 int always_display = data[1];
+-            
++
+                 if(datalen >= 6) {
+                     struct string_buf buf;
+                     buf.data = (unsigned char *)data;
+
+From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:24:22 -0700
+Subject: [PATCH 3/5] fixed type issue, updated SSH_MSG_DISCONNECT
+
+SSH_MSG_DISCONNECT now also uses  _libssh2_get API.
+---
+ src/packet.c | 40 +++++++++++++++-------------------------
+ 1 file changed, 15 insertions(+), 25 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 8908b2c5..97f0cdd4 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
++    unsigned char *message = NULL;
++    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
++                uint32_t reason = 0;
++                struct string_buf buf;
++                buf.data = (unsigned char *)data;
++                buf.dataptr = buf.data;
++                buf.len = datalen;
++                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
++                _libssh2_get_u32(&buf, &reason);
++                _libssh2_get_string(&buf, &message, &message_len);
++                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
++                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++                                       message_len, (const char *)language,
++                                       language_len);
+                 }
++
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+
+From 77616117cc9dbbdd0fe1157098435bff73a83a0f Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:26:32 -0700
+Subject: [PATCH 4/5] fixed stray (
+
+bad paste
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 97f0cdd4..bd4c39e4 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
++                if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
+
+From 436c45dc143cadc8c59afac6c4255be332856581 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:29:00 -0700
+Subject: [PATCH 5/5] added additional parentheses for clarity
+
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index bd4c39e4..2e01bfc5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
diff --git a/user/aspell/APKBUILD b/user/aspell/APKBUILD
index bce270974..16a53c7e7 100644
--- a/user/aspell/APKBUILD
+++ b/user/aspell/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 # Maintainer: 
 pkgname=aspell
-pkgver=0.60.7
+pkgver=0.60.8
 pkgrel=0
 pkgdesc="Libre spell checker software"
 url="http://aspell.net/"
@@ -14,6 +14,10 @@ subpackages="$pkgname-compat::noarch $pkgname-dev $pkgname-doc
 	$pkgname-lang"
 source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
 
+# secfixes:
+#   0.60.8-r0:
+#     - CVE-2019-17544
+
 build() {
 	LIBS="-ltinfo" ./configure \
 		--build=$CBUILD \
@@ -42,4 +46,4 @@ compat() {
 	mv spell ispell "$subpkgdir"/usr/bin/
 }
 
-sha512sums="6f5fcd1c29164ee18f205594b66f382b51d19b17686293a931ca92c1442d3f7228627ca7d604d860551d0d367ac34dfb2ae34170a844f51e84e390fb1edc4535  aspell-0.60.7.tar.gz"
+sha512sums="8ef4952c553b6234dfe777240d2d97beb13ef9201e18d56bee3b5068d13525db3625b7130d9f5122f7c529da0ccb0c70eb852a81472a7d15fb7c4ee5ba21cd29  aspell-0.60.8.tar.gz"
diff --git a/user/bind/APKBUILD b/user/bind/APKBUILD
index 3f142bcfc..4945c0222 100644
--- a/user/bind/APKBUILD
+++ b/user/bind/APKBUILD
@@ -4,7 +4,7 @@
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 # Maintainer: Dan Theisen <djt@hxx.in>
 pkgname=bind
-pkgver=9.14.6
+pkgver=9.14.7
 _p=${pkgver#*_p}
 _ver=${pkgver%_p*}
 _major=${pkgver%%.*}
@@ -40,6 +40,9 @@ source="https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz
 builddir="$srcdir/$pkgname-$_ver"
 
 # secfixes:
+#   9.14.7-r0:
+#     - CVE-2019-6475
+#     - CVE-2019-6476
 #   9.14.3:
 #     - CVE-2018-5744
 #     - CVE-2018-5745
@@ -147,7 +150,7 @@ tools() {
 	done
 }
 
-sha512sums="129cb6c8e18fabf9f9fda91afa06fccf65e7009b2e8f9f7c1960f0039d35c22614986fbea36ca0b7bbc74995e380df083a641cf51601a0cf0c87e7dbb77a0366  bind-9.14.6.tar.gz
+sha512sums="e1837ebfbbc60487f5f0e67fb9e935588fd6e5ffe55cdc9dc77e3ce63cd6fc4f076f4eb282cc4f51701ddda3e51e8f15255db5a3841f9fe92a4fb4207d806740  bind-9.14.7.tar.gz
 7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6  bind.so_bsdcompat.patch
 196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015  named.initd
 127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf  named.confd
diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD
index 791fcb610..82aa2a958 100644
--- a/user/exiv2/APKBUILD
+++ b/user/exiv2/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=exiv2
 pkgver=0.27.2
-pkgrel=0
+pkgrel=1
 pkgdesc="Exif, IPTC and XMP metadata library and tools"
 url="https://www.exiv2.org/"
 arch="all"
@@ -11,7 +11,9 @@ depends_dev="expat-dev zlib-dev"
 makedepends="$depends_dev bash cmake"
 checkdepends="python3 libxml2 cmd:which"
 subpackages="$pkgname-dev $pkgname-doc"
-source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz"
+source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
+	https://dev.sick.bike/dist/exiv2-0.27.2-POC-file_issue_1019
+	CVE-2019-17402.patch"
 builddir="$srcdir/$pkgname-$pkgver-Source"
 
 # secfixes:
@@ -82,10 +84,16 @@ builddir="$srcdir/$pkgname-$pkgver-Source"
 #     - CVE-2019-13112
 #     - CVE-2019-13113
 #     - CVE-2019-13114
+#   0.27.2-r1:
+#     - CVE-2019-17402
 
 prepare() {
 	default_prepare
 	mkdir build
+
+	# Remove #1019 POC after >= 0.27.2
+	mv "$srcdir/$pkgname-$pkgver-POC-file_issue_1019" \
+		test/data/POC-file_issue_1019
 }
 
 build() {
@@ -106,4 +114,6 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721  exiv2-0.27.2-Source.tar.gz"
+sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721  exiv2-0.27.2-Source.tar.gz
+cfe0b534c29c37e7b6e5a00e8ec320cb57eb17187813fe30677a097e930655f1b097ce77806e0124affbdc423b48d9910560158eed9d2d03418a824244dafba9  exiv2-0.27.2-POC-file_issue_1019
+623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd  CVE-2019-17402.patch"
diff --git a/user/exiv2/CVE-2019-17402.patch b/user/exiv2/CVE-2019-17402.patch
new file mode 100644
index 000000000..f54b511b0
--- /dev/null
+++ b/user/exiv2/CVE-2019-17402.patch
@@ -0,0 +1,73 @@
+From 683451567284005cd24e1ccb0a76ca401000968b Mon Sep 17 00:00:00 2001
+From: Jens Georg <mail@jensge.org>
+Date: Sun, 6 Oct 2019 15:05:20 +0200
+Subject: [PATCH 1/2] crwimage: Check offset and size against total size
+
+Corrupted or specially crafted CRW images might exceed the overall
+buffersize.
+
+Fixes #1019
+---
+ src/crwimage_int.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index 2474baace..3315b86d7 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -270,6 +270,9 @@ namespace Exiv2 {
+ #ifdef EXIV2_DEBUG_MESSAGES
+         std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
+ #endif
++        if (this->offset() + this->size() > size)
++            throw Error(kerOffsetOutOfRange);
++
+         readDirectory(pData + offset(), this->size(), byteOrder);
+ #ifdef EXIV2_DEBUG_MESSAGES
+         std::cout << "<---- 0x" << std::hex << tag() << "\n";
+
+From 73b874fb14d02578f876aa7dd404cf7c07b6dc4e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Mon, 7 Oct 2019 23:25:00 +0200
+Subject: [PATCH 2/2] [tests] Add regression test for #1019
+
+---
+ test/data/POC-file_issue_1019            | Bin 0 -> 10078 bytes
+ tests/bugfixes/github/test_issue_1019.py |  14 ++++++++++++++
+ tests/suite.conf                         |   1 +
+ 3 files changed, 15 insertions(+)
+ create mode 100755 test/data/POC-file_issue_1019
+ create mode 100644 tests/bugfixes/github/test_issue_1019.py
+
+diff --git a/tests/bugfixes/github/test_issue_1019.py b/tests/bugfixes/github/test_issue_1019.py
+new file mode 100644
+index 000000000..c2682f901
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_1019.py
+@@ -0,0 +1,14 @@
++from system_tests import CaseMeta, path
++
++
++class OverreadInCiffDirectoryReadDirectory(metaclass=CaseMeta):
++
++    filename = path("$data_path/POC-file_issue_1019")
++    commands = ["$exiv2 -pv $filename"]
++    stdout = [""]
++    stderr = [
++        """$exiv2_exception_message $filename:
++$kerOffsetOutOfRange
++"""
++    ]
++    retval = [1]
+diff --git a/tests/suite.conf b/tests/suite.conf
+index 5b31930c1..dab7427b3 100644
+--- a/tests/suite.conf
++++ b/tests/suite.conf
+@@ -19,6 +19,7 @@ largeiptc_test: ${ENV:exiv2_path}/largeiptc-test${ENV:binary_extension}
+ easyaccess_test: ${ENV:exiv2_path}/easyaccess-test${ENV:binary_extension}
+ 
+ [variables]
++kerOffsetOutOfRange: Offset out of range
+ kerFailedToReadImageData: Failed to read image data
+ kerCorruptedMetadata: corrupted image metadata
+ kerInvalidMalloc: invalid memory allocation request
diff --git a/user/kauth/APKBUILD b/user/kauth/APKBUILD
index 543f87712..351d00f50 100644
--- a/user/kauth/APKBUILD
+++ b/user/kauth/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=kauth
 pkgver=5.54.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Framework for allowing software to gain temporary privileges"
 url="https://www.kde.org/"
 arch="all"
@@ -11,10 +11,14 @@ depends=""
 depends_dev="polkit-qt-1-dev qt5-qtbase-dev kcoreaddons-dev"
 makedepends="$depends_dev cmake extra-cmake-modules qt5-qttools-dev doxygen"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
-source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz"
+source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz
+	CVE-2019-7443.patch"
+
+# secfixes:
+#   5.54.0-r1:
+#     - CVE-2019-7443
 
 build() {
-	cd "$builddir"
 	if [ "$CBUILD" != "$CHOST" ]; then
 		CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux"
 	fi
@@ -31,13 +35,12 @@ build() {
 }
 
 check() {
-	cd "$builddir"
 	CTEST_OUTPUT_ON_FAILURE=TRUE ctest -E KAuthHelperTest
 }
 
 package() {
-	cd "$builddir"
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2  kauth-5.54.0.tar.xz"
+sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2  kauth-5.54.0.tar.xz
+9cb0e37eedb5cee82c5e6d1b316f92f014c8850c9274a8d0c728f306ceabc35cbbec81b0057ebaf904bd48f3e07d6f83d91b0ef12602a0c1ba66b39a04bb45e4  CVE-2019-7443.patch"
diff --git a/user/kauth/CVE-2019-7443.patch b/user/kauth/CVE-2019-7443.patch
new file mode 100644
index 000000000..5b11cd8f5
--- /dev/null
+++ b/user/kauth/CVE-2019-7443.patch
@@ -0,0 +1,68 @@
+From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 2 Feb 2019 14:35:25 +0100
+Subject: Remove support for passing gui QVariants to KAuth helpers
+
+Supporting gui variants is very dangerous since they can end up triggering
+image loading plugins which are one of the biggest vectors for crashes, which
+for very smart people mean possible code execution, which is very dangerous
+in code that is executed as root.
+
+We've checked all the KAuth helpers inside KDE git and none seems to be using
+gui variants, so we're not actually limiting anything that people wanted to do.
+
+Reviewed by security@kde.org and Aleix Pol
+
+Issue reported by Fabian Vogt
+---
+ src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++
+ src/kauthaction.h                     | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 10c14c6..8f0d336 100644
+--- a/src/backends/dbus/DBusHelperProxy.cpp
++++ b/src/backends/dbus/DBusHelperProxy.cpp
+@@ -31,6 +31,8 @@
+ #include "kf5authadaptor.h"
+ #include "kauthdebug.h"
+ 
++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;
++
+ namespace KAuth
+ {
+ 
+@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+         return ActionReply::HelperBusyReply().serialized();
+     }
+ 
++    // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous
++    // since they end up calling the image loaders and thus are a vector for crashing → executing code
++    auto origMetaTypeGuiHelper = qMetaTypeGuiHelper;
++    qMetaTypeGuiHelper = nullptr;
++
+     QVariantMap args;
+     QDataStream s(&arguments, QIODevice::ReadOnly);
+     s >> args;
+ 
++    qMetaTypeGuiHelper = origMetaTypeGuiHelper;
++
+     m_currentAction = action;
+     emit remoteSignal(ActionStarted, action, QByteArray());
+     QEventLoop e;
+diff --git a/src/kauthaction.h b/src/kauthaction.h
+index c67a70a..01f3ba1 100644
+--- a/src/kauthaction.h
++++ b/src/kauthaction.h
+@@ -298,6 +298,8 @@ public:
+      * This method sets the variant map that the application
+      * can use to pass arbitrary data to the helper when executing the action.
+      *
++     * Only non-gui variants are supported.
++     *
+      * @param arguments The new arguments map
+      */
+     void setArguments(const QVariantMap &arguments);
+-- 
+cgit v1.1
+