Merge branch 'cves.for.20190723' into 'master'

CVE patches for 2019-07-23 See merge request adelie/packages!298
author: A. Wilcox <awilcox@wilcox-tech.com> 2019-07-24 05:12:56 +0000
committer: A. Wilcox <awilcox@wilcox-tech.com> 2019-07-24 05:12:56 +0000
commit: 6574a30b9b98a3464ff4cebe381b3732a8dabfc3 (patch)
tree: 3111303ee53fc28d8203494e91b3e329f4eb0b1a
parent: 57ff2ddb06504d45f242b922d5f14e7ecaf1e534 (diff)
parent: 0dec8e672d9f4dcf03494c0a85b4296ea30c56b7 (diff)
download: packages-6574a30b9b98a3464ff4cebe381b3732a8dabfc3.tar.gz
packages-6574a30b9b98a3464ff4cebe381b3732a8dabfc3.tar.bz2
packages-6574a30b9b98a3464ff4cebe381b3732a8dabfc3.tar.xz
packages-6574a30b9b98a3464ff4cebe381b3732a8dabfc3.zip
9 files changed, 195 insertions, 53 deletions
diff --git a/system/bzip2/APKBUILD b/system/bzip2/APKBUILD
index 54b3e4d66..ed22b0137 100644
--- a/system/bzip2/APKBUILD
+++ b/system/bzip2/APKBUILD
@@ -1,28 +1,28 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=bzip2
-pkgver=1.0.6
-pkgrel=7
+pkgver=1.0.8
+pkgrel=0
 pkgdesc="A high-quality data compression program"
-url="http://sources.redhat.com/bzip2"
+url="https://www.sourceware.org/bzip2/"
 arch="all"
 license="BSD-4-Clause"
 depends=""
 subpackages="$pkgname-dev $pkgname-doc libbz2"
-source="https://downloads.sourceforge.net/bzip2/$pkgname-$pkgver.tar.gz
+source="https://sourceware.org/pub/bzip2/$pkgname-$pkgver.tar.gz
 	bzip2-1.0.4-makefile-CFLAGS.patch
-	bzip2-1.0.6-saneso.patch
+	bzip2-1.0.8-saneso.patch
 	bzip2-1.0.4-man-links.patch
 	bzip2-1.0.2-progress.patch
 	bzip2-1.0.3-no-test.patch
-	bzip2-1.0.4-POSIX-shell.patch
-	CVE-2016-3189.patch
 	"
+builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
 #   1.0.6-r5:
-#   - CVE-2016-3189
+#     - CVE-2016-3189
+#   1.0.8-r0:
+#     - CVE-2019-12900
 
-builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 	default_prepare
 
@@ -64,11 +64,9 @@ libbz2() {
 	mv "$pkgdir"/usr/lib/*.so.* "$subpkgdir"/usr/lib/
 }
 
-sha512sums="00ace5438cfa0c577e5f578d8a808613187eff5217c35164ffe044fbafdfec9e98f4192c02a7d67e01e5a5ccced630583ad1003c37697219b0f147343a3fdd12  bzip2-1.0.6.tar.gz
+sha512sums="083f5e675d73f3233c7930ebe20425a533feedeaaa9d8cc86831312a6581cefbe6ed0d08d2fa89be81082f2a5abdabca8b3c080bf97218a1bd59dc118a30b9f3  bzip2-1.0.8.tar.gz
 58cc37430555520b6e35db2740e699cf37eacdd82989c21a222a593e36288710a0defb003662d4238235c12b3764bfc89cd646e6be9d0a08d54bd2c9baa6ad15  bzip2-1.0.4-makefile-CFLAGS.patch
-8a7528b5b931bb72f637c6940bc811d54fb816fd5bb453af56d9b4a87091004eb5e191ba799d972794b24c56cf8134344a618b58946d3f1d985c508f88190845  bzip2-1.0.6-saneso.patch
+bc52f6efc63ac8d06fcbbb0446cc9c8025964ba0651ef493b5a124e838bf03bebb0ef56247fdd007265c8ea091f3458e832a53856228e7fefa4d20a55065bba3  bzip2-1.0.8-saneso.patch
 2d9a306bc0f552a58916ebc702d32350a225103c487e070d2082121a54e07f1813d3228f43293cc80a4bee62053fd597294c99a1751b1685cd678f4e5c6a2fe7  bzip2-1.0.4-man-links.patch
 b6810c73428f17245e0d7c2decd00c88986cd8ad1cfe4982defe34bdab808d53870ed92cb513b2d00c15301747ceb6ca958fb0e0458d0663b7d8f7c524f7ba4e  bzip2-1.0.2-progress.patch
-aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030  bzip2-1.0.3-no-test.patch
-64ab461bf739c29615383750e7f260abb2d49df7eb23916940d512bd61fd9a37aaade4d8f6f94280c95fc781b8f92587ad4f3dda51e87dec7a92a7a6f8d8ae86  bzip2-1.0.4-POSIX-shell.patch
-cef6f448b661a775cc433f9636730e89c1285d07075536217657056be56e0a11e96f41f7c14f6ec59e235464b9ddd649a71fb8de1c60eda2fd5c2cdfbb6a8fdc  CVE-2016-3189.patch"
+aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030  bzip2-1.0.3-no-test.patch"
diff --git a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch b/system/bzip2/bzip2-1.0.4-POSIX-shell.patch
deleted file mode 100644
index a5916eaff..000000000
--- a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-bzgrep uses !/bin/sh but then uses the bashism ${var//} so replace those
-with calls to sed so POSIX shells work
-
-http://bugs.gentoo.org/193365
-
---- ./bzgrep
-+++ ./bzgrep
-@@ -63,10 +63,9 @@
-     bzip2 -cdfq "$i" | $grep $opt "$pat"
-     r=$?
-   else
--    j=${i//\\/\\\\}
--    j=${j//|/\\|}
--    j=${j//&/\\&}
--    j=`printf "%s" "$j" | tr '\n' ' '`
-+    # the backslashes here are doubled up as we have to escape each one for the
-+    # shell and then escape each one for the sed expression
-+    j=`printf "%s" "${i}" | sed -e 's:\\\\:\\\\\\\\:g' -e 's:[|]:\\\\|:g' -e 's:[&]:\\\\&:g' | tr '\n' ' '`
-     bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${j}:|"
-     r=$?
-   fi
diff --git a/system/bzip2/bzip2-1.0.6-saneso.patch b/system/bzip2/bzip2-1.0.6-saneso.patch
deleted file mode 100644
index 1968a63bf..000000000
--- a/system/bzip2/bzip2-1.0.6-saneso.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- ./Makefile-libbz2_so
-+++ ./Makefile-libbz2_so
-@@ -35,8 +35,8 @@
-       bzlib.o
- 
- all: $(OBJS)
--	$(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.6 $(OBJS)
--	$(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
-+	$(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS)
-+	$(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
- 	rm -f libbz2.so.1.0
- 	ln -s libbz2.so.1.0.6 libbz2.so.1.0
- 
diff --git a/system/bzip2/bzip2-1.0.8-saneso.patch b/system/bzip2/bzip2-1.0.8-saneso.patch
new file mode 100644
index 000000000..7aab257af
--- /dev/null
+++ b/system/bzip2/bzip2-1.0.8-saneso.patch
@@ -0,0 +1,13 @@
+--- bzip2-1.0.8/Makefile-libbz2_so	2019-07-13 17:50:05.000000000 +0000
++++ bzip2-1.0.8/Makefile-libbz2_so	2019-07-23 22:36:08.050034514 +0000
+@@ -35,8 +35,8 @@ OBJS= blocksort.o  \
+       bzlib.o
+ 
+ all: $(OBJS)
+-	$(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.8 $(OBJS)
+-	$(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
++	$(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
++	$(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
+ 	rm -f libbz2.so.1.0
+ 	ln -s libbz2.so.1.0.8 libbz2.so.1.0
+ 
diff --git a/system/libxslt/APKBUILD b/system/libxslt/APKBUILD
index 49a07d7cf..c387c6d45 100644
--- a/system/libxslt/APKBUILD
+++ b/system/libxslt/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libxslt
 pkgver=1.1.33
-pkgrel=1
+pkgrel=2
 pkgdesc="XML stylesheet transformation library"
 url="http://xmlsoft.org/XSLT/"
 arch="all"
@@ -10,13 +10,18 @@ license="SGI-B-2.0"
 makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev"
 subpackages="$pkgname-doc $pkgname-dev"
 source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz
-	CVE-2019-11068.patch"
+	CVE-2019-11068.patch
+	CVE-2019-13117.patch
+	CVE-2019-13118.patch"
 
 # secfixes:
 #   1.1.29-r1:
 #     - CVE-2017-5029
 #   1.1.33-r1:
 #     - CVE-2019-11068
+#   1.1.33-r2:
+#     - CVE-2019-13117
+#     - CVE-2019-13118
 
 build() {
 	./configure \
@@ -35,4 +40,6 @@ package() {
 }
 
 sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0  libxslt-1.1.33.tar.gz
-48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41  CVE-2019-11068.patch"
+48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41  CVE-2019-11068.patch
+b311e253a5c4f425f84344397974562a76b253ca14f63b48af7aa0faa561d5f728cb73ee63024993fad3ee7fc7eddb9c9d7310ab8faa5f6a14fd1c6d0037999f  CVE-2019-13117.patch
+44d3bb5dda6965f48e3af96c77ffa5f1f2e3c191cf1f28ac1b7b3501420393b5628b12b99fe4008b5056384dfebfdcbbee7625f0644cfc27101424a051415da0  CVE-2019-13118.patch"
diff --git a/system/libxslt/CVE-2019-13117.patch b/system/libxslt/CVE-2019-13117.patch
new file mode 100644
index 000000000..78ebb9075
--- /dev/null
+++ b/system/libxslt/CVE-2019-13117.patch
@@ -0,0 +1,29 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ 		tokens->tokens[tokens->nTokens].token = val - 1;
+ 		ix += len;
+ 		val = xmlStringCurrentChar(NULL, format+ix, &len);
+-	    }
++	    } else {
++                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++                tokens->tokens[tokens->nTokens].width = 1;
++            }
+ 	} else if ( (val == (xmlChar)'A') ||
+ 		    (val == (xmlChar)'a') ||
+ 		    (val == (xmlChar)'I') ||
+-- 
+2.21.0
+
diff --git a/system/libxslt/CVE-2019-13118.patch b/system/libxslt/CVE-2019-13118.patch
new file mode 100644
index 000000000..b377f4bd6
--- /dev/null
+++ b/system/libxslt/CVE-2019-13118.patch
@@ -0,0 +1,71 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c         | 5 +++--
+ tests/docs/bug-222.xml    | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+     number = floor((scale * number + 0.5)) / scale;
+     if ((self->grouping != NULL) &&
+         (self->grouping[0] != 0)) {
++        int gchar;
+ 
+ 	len = xmlStrlen(self->grouping);
+-	pchar = xsltGetUTF8Char(self->grouping, &len);
++	gchar = xsltGetUTF8Char(self->grouping, &len);
+ 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ 				format_info.integer_digits,
+ 				format_info.group,
+-				pchar, len);
++				gchar, len);
+     } else
+ 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ 				format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++  <xsl:decimal-format name="f" grouping-separator="⠢"/>
++  <xsl:template match="/">
++    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++  </xsl:template>
++</xsl:stylesheet>
+-- 
+2.21.0
+
diff --git a/user/atril/APKBUILD b/user/atril/APKBUILD
index 5fd885123..d9f1127a9 100644
--- a/user/atril/APKBUILD
+++ b/user/atril/APKBUILD
@@ -13,7 +13,8 @@ makedepends="caja-dev djvulibre-dev gobject-introspection-dev gtk+3.0-dev
 	intltool itstool libgxps-dev libsecret-dev libsm-dev libspectre-dev
 	libxml2-dev libxml2-utils poppler-dev python3 tiff-dev"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
-source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz"
+source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz
+	CVE-2019-1010006.patch"
 
 build() {
 	cd "$builddir"
@@ -41,4 +42,5 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d  atril-1.22.1.tar.xz"
+sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d  atril-1.22.1.tar.xz
+ea6db09fe033a8ddf6d90f080858057fad5452a23801e0f41f7a90ec352b71344e8b596a0913deabca333ff24dc5023628eab7c18bc526c0a7f8fb0d680acdf7  CVE-2019-1010006.patch"
diff --git a/user/atril/CVE-2019-1010006.patch b/user/atril/CVE-2019-1010006.patch
new file mode 100644
index 000000000..ce107d193
--- /dev/null
+++ b/user/atril/CVE-2019-1010006.patch
@@ -0,0 +1,56 @@
+From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001
+From: Jason Crain <jcrain@src.gnome.org>
+Date: Sat, 2 Dec 2017 20:24:33 -0600
+Subject: [PATCH] Fix overflow checks in tiff backend
+
+The overflow checks in tiff_document_render and
+tiff_document_get_thumbnail don't work when optimizations are enabled.
+Change the checks so they don't rely on undefined behavior.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=788980
+---
+ backend/tiff/tiff-document.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 8f40934e..7bf95c2b 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -284,12 +284,12 @@ tiff_document_render (EvDocument      *document,
+ 		return NULL;                
+ 	}
+ 	
+-	bytes = height * rowstride;
+-	if (bytes / rowstride != height) {
++	if (height >= INT_MAX / rowstride) {
+ 		g_warning("Overflow while rendering document.");
+ 		/* overflow */
+ 		return NULL;
+ 	}
++	bytes = height * rowstride;
+ 	
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels) {
+@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument      *document,
+ 	if (width <= 0 || height <= 0)
+ 		return NULL;                
+ 
+-	rowstride = width * 4;
+-	if (rowstride / 4 != width)
++	if (width >= INT_MAX / 4)
+ 		/* overflow */
+ 		return NULL;                
++	rowstride = width * 4;
+         
+-	bytes = height * rowstride;
+-	if (bytes / rowstride != height)
++	if (height >= INT_MAX / rowstride)
+ 		/* overflow */
+ 		return NULL;                
++	bytes = height * rowstride;
+ 	
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels)
+-- 
+2.21.0
+
author	A. Wilcox <awilcox@wilcox-tech.com>	2019-07-24 05:12:56 +0000
committer	A. Wilcox <awilcox@wilcox-tech.com>	2019-07-24 05:12:56 +0000
commit	6574a30b9b98a3464ff4cebe381b3732a8dabfc3 (patch)
tree	3111303ee53fc28d8203494e91b3e329f4eb0b1a
parent	57ff2ddb06504d45f242b922d5f14e7ecaf1e534 (diff)
parent	0dec8e672d9f4dcf03494c0a85b4296ea30c56b7 (diff)
download	packages-6574a30b9b98a3464ff4cebe381b3732a8dabfc3.tar.gz packages-6574a30b9b98a3464ff4cebe381b3732a8dabfc3.tar.bz2 packages-6574a30b9b98a3464ff4cebe381b3732a8dabfc3.tar.xz packages-6574a30b9b98a3464ff4cebe381b3732a8dabfc3.zip