summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorA. Wilcox <awilcox@wilcox-tech.com>2020-06-04 01:08:19 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2020-06-04 01:08:19 +0000
commit925fabf5441a16a7d347fed2b3bd36ef46fc1f62 (patch)
treeb94adbbf7965292c0a94e6ab8719bacbc73efa7e
parent62d1b55bc2450280702234aa414761df0865332b (diff)
parent98a725069b0538ef835c6aed5895425b52db7e0e (diff)
downloadpackages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.gz
packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.bz2
packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.xz
packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.zip
Merge branch 'sec/2020.05.10' into 'master'
Security updates for 2020.05.10 See merge request adelie/packages!448
-rw-r--r--user/firefox-esr/APKBUILD17
-rw-r--r--user/firefox-esr/rust-config.patch20
-rw-r--r--user/firefox-esr/seccomp-membarrier.patch12
-rw-r--r--user/firefox-esr/seccomp-musl.patch49
-rw-r--r--user/firefox-esr/seccomp-time64.patch112
-rw-r--r--user/net-snmp/APKBUILD4
-rw-r--r--user/thunderbird/APKBUILD12
-rw-r--r--user/thunderbird/rust-config.patch20
8 files changed, 182 insertions, 64 deletions
diff --git a/user/firefox-esr/APKBUILD b/user/firefox-esr/APKBUILD
index 82a4e5276..f780d8765 100644
--- a/user/firefox-esr/APKBUILD
+++ b/user/firefox-esr/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Molly Miller <adelie@m-squa.red>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=firefox-esr
-pkgver=68.8.0
+pkgver=68.9.0
pkgrel=0
pkgdesc="Firefox web browser (extended support release)"
url="https://www.mozilla.org/firefox/"
@@ -41,8 +41,8 @@ source="https://ftp.mozilla.org/pub/firefox/releases/$_ffxver/source/firefox-$_f
mozilla-build-arm.patch
ppc32-fix.patch
rust-32bit.patch
- rust-config.patch
- seccomp-membarrier.patch
+ seccomp-musl.patch
+ seccomp-time64.patch
shut-up-warning.patch
skia-sucks1.patch
skia-sucks2.patch
@@ -126,6 +126,11 @@ ldpath="$_mozappdir"
# - CVE-2020-12387
# - CVE-2020-12392
# - CVE-2020-12395
+# 68.9.0-r0:
+# - CVE-2020-12399
+# - CVE-2020-12405
+# - CVE-2020-12406
+# - CVE-2020-12410
unpack() {
default_unpack
@@ -241,7 +246,7 @@ package() {
EOF
}
-sha512sums="139a63dc85ae76a50da6be9a31425f97144e6c7e4a65b0f3009a84eb5c8c9566f6bb331e26590f8aecd5045c4d730ab4e848cf7220f3444a31147b5533c742b3 firefox-68.8.0esr.source.tar.xz
+sha512sums="98431800d80f7c680aef9eede29df8217810912a319a7f7f8c2e637c43ecd4f4e29223a417afb2a6315e825f979453ff6e6b5a575649aba5cc63ce5956375bb8 firefox-68.9.0esr.source.tar.xz
16e814e8dcffc707b595ca2919bd2fa3db0d15794c63d977364652c4a5b92e90e72b8c9e1cc83b5020398bd90a1b397dbdd7cb931c49f1aa4af6ef95414b43e0 Python-2.7.16.tar.xz
f82758d279cd12a1b30a9b36ac3c265cfb137df3db7ae185f2c538504e46fa70ace1b051fce847356851062b5cc9cd741a6d33d54f8cd103aa0c8272cb19ccc4 mozconfig
ace7492f4fb0523c7340fdc09c831906f74fddad93822aff367135538dacd3f56288b907f5a04f53f94c76e722ba0bab73e28d83ec12d3e672554712e6b08613 bad-google-code.patch
@@ -252,8 +257,8 @@ de8e3b15cd7dffb0eca5a729434986e5916234914cdc5fdcdbbc67d8bb439a535ed932293518dd74
e61664bc93eadce5016a06a4d0684b34a05074f1815e88ef2613380d7b369c6fd305fb34f83b5eb18b9e3138273ea8ddcfdcb1084fdcaa922a1e5b30146a3b18 mozilla-build-arm.patch
06a3f4ee6d3726adf3460952fcbaaf24bb15ef8d15b3357fdd1766c7a62b00bd53a1e943b5df7f4e1a69f4fae0d44b64fae1e027d7812499c77894975969ea10 ppc32-fix.patch
7c615703dc9b8427eeadd13bc9beda02e1c3d986cac1167feaf48fdfdcc15b7456460d4d58f301054cf459242ee75bbcd76bf67e26c2a443bc5655975d24ca1b rust-32bit.patch
-45613d476e85fe333ef8091acce4806803953c1a99de4f03ff577cf20c5a1a3d635d0589e1490da104ef80721f4f1b1d35045af3c6892c1a468fa84095f27ad8 rust-config.patch
-36369f2e237e894b2f9e70ffa0579bb3cddf1efa638a36b3469e9f529c28d7b72611fa426c5534d93094a8deb1376f43f6661447072dc6dfc6191ca5eebd4604 seccomp-membarrier.patch
+efc77a320850e10e8b99e6fb5d3dd28a3044e287fd87efbdf95807de26a6885235b2d994743cb374345d91a0353abd70a5790b829e37b717b77605e24d4f7f98 seccomp-musl.patch
+4b20dfa3ef3d470af069a274c53ea35c67d2d123f1b543ee243e7038ed94f5a1a6121f1f67713a9442e246b979c042f11efc7a6c32d0b8d3fd2c448dd1258733 seccomp-time64.patch
39ddb15d1453a8412275c36fc8db3befc69dffd4a362e932d280fb7fd1190db595a2af9b468ee49e0714f5e9df6e48eb5794122a64fa9f30d689de8693acbb15 shut-up-warning.patch
e751ffab263f03d4c74feebc617e3af115b1b53cf54fe16c3acc585eec67773f37aa8de4c19599fa6478179b01439025112ef2b759aa9923c9900e7081cb65a9 skia-sucks1.patch
9152bd3e6dc446337e6a2ed602279c620aedecc796ba28e777854c4f41fcf3067f9ebd086a4b63a6b76c2e69ec599ac6435b8eeda4f7488b1c45f69113facba4 skia-sucks2.patch
diff --git a/user/firefox-esr/rust-config.patch b/user/firefox-esr/rust-config.patch
deleted file mode 100644
index eab72a0e4..000000000
--- a/user/firefox-esr/rust-config.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -urw firefox-68.0-old/build/moz.configure/rust.configure firefox-68.0/build/moz.configure/rust.configure
---- firefox-68.0-old/build/moz.configure/rust.configure 2019-07-07 15:56:29.345963800 +0000
-+++ firefox-68.0/build/moz.configure/rust.configure 2019-07-07 16:19:25.990645334 +0000
-@@ -193,12 +193,16 @@
- ambiguous = set()
- per_raw_os = {}
- for t in out:
-+ if 'fuchsia' in t: continue
- t = split_triplet(t, allow_unknown=True)
- endianness = t.endianness
- if t.cpu.startswith('thumb') and endianness not in ('big', 'little'):
- endianness = 'little'
- key = (t.cpu, endianness, t.os)
- if key in per_os:
-+ # hax to allow Adélie toolchains to work
-+ if 'foxkit' in per_os[key].alias:
-+ continue
- previous = per_os[key]
- per_raw_os[(previous.cpu, previous.endianness,
- previous.raw_os)] = previous
diff --git a/user/firefox-esr/seccomp-membarrier.patch b/user/firefox-esr/seccomp-membarrier.patch
deleted file mode 100644
index be1744113..000000000
--- a/user/firefox-esr/seccomp-membarrier.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-musl ldso issues a membarrier when setting up TLS
-
---- firefox-68.7.0/security/sandbox/linux/SandboxFilter.cpp 2020-04-03 19:30:03.000000000 +0000
-+++ firefox-68.7.0/security/sandbox/linux/SandboxFilter.cpp 2020-04-19 04:59:30.280000000 +0000
-@@ -529,6 +529,7 @@ class SandboxPolicyCommon : public Sandb
-
- // ipc::Shmem; also, glibc when creating threads:
- case __NR_mprotect:
-+ case __NR_membarrier:
- return Allow();
-
- // madvise hints used by malloc; see bug 1303813 and bug 1364533
diff --git a/user/firefox-esr/seccomp-musl.patch b/user/firefox-esr/seccomp-musl.patch
new file mode 100644
index 000000000..edd4a3024
--- /dev/null
+++ b/user/firefox-esr/seccomp-musl.patch
@@ -0,0 +1,49 @@
+Backport of https://hg.mozilla.org/mozilla-central/rev/a0be746532f437055e4190cc8db802ad1239405e
+
+diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
+--- a/security/sandbox/linux/SandboxFilter.cpp
++++ b/security/sandbox/linux/SandboxFilter.cpp
+@@ -419,16 +419,20 @@ class SandboxPolicyCommon : public Sandb
+ case __NR_faccessat:
+ return Trap(AccessAtTrap, mBroker);
+ CASES_FOR_stat:
+ return Trap(StatTrap, mBroker);
+ CASES_FOR_lstat:
+ return Trap(LStatTrap, mBroker);
+ CASES_FOR_fstatat:
+ return Trap(StatAtTrap, mBroker);
++ // Used by new libc and Rust's stdlib, if available.
++ // We don't have broker support yet so claim it does not exist.
++ case __NR_statx:
++ return Error(ENOSYS);
+ case __NR_chmod:
+ return Trap(ChmodTrap, mBroker);
+ case __NR_link:
+ return Trap(LinkTrap, mBroker);
+ case __NR_mkdir:
+ return Trap(MkdirTrap, mBroker);
+ case __NR_symlink:
+ return Trap(SymlinkTrap, mBroker);
+@@ -538,16 +542,20 @@ class SandboxPolicyCommon : public Sandb
+ .ElseIf(advice == MADV_HUGEPAGE, Allow())
+ .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
+ #ifdef MOZ_ASAN
+ .ElseIf(advice == MADV_DONTDUMP, Allow())
+ #endif
+ .Else(InvalidSyscall());
+ }
+
++ // musl libc will set this up in pthreads support.
++ case __NR_membarrier:
++ return Allow();
++
+ // Signal handling
+ #if defined(ANDROID) || defined(MOZ_ASAN)
+ case __NR_sigaltstack:
+ #endif
+ CASES_FOR_sigreturn:
+ CASES_FOR_sigprocmask:
+ CASES_FOR_sigaction:
+ return Allow();
+
+
diff --git a/user/firefox-esr/seccomp-time64.patch b/user/firefox-esr/seccomp-time64.patch
new file mode 100644
index 000000000..72cc28b5d
--- /dev/null
+++ b/user/firefox-esr/seccomp-time64.patch
@@ -0,0 +1,112 @@
+This drops the use of the chromium sandbox syscall headers which were
+defining syscall numbers if they were undefined. This masked the time64
+issue initially since while musl renamed several of the time32 syscall
+numbers to catch breakage like this, these headers were silently
+bringing them back. I did this by comparing the syscall numbers provided
+by the chromium and musl headers and redefining the generic names to
+their time64 counterparts.
+
+For gettimeofday and settimeofday there does not appear to be a time64
+counterpart so I have defined them as the time32 versions. For
+settimeofday this should not matter (the seccomp filter will block this
+by virture of not being on the whitelist - no content process needs to
+set the time anyway).
+
+It is not possible to entirely block the usage of time32 syscalls
+because musl uses them internally when it can or in fallback paths.
+
+I did not check the MIPS headers since we don't currently ship a MIPS
+port, so in the future those includes should be examined and dropped
+too...
+
+--- firefox-68.8.0/security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h 2020-04-29 16:49:45.000000000 -0500
++++ firefox-68.8.0/security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h 2020-05-20 03:09:47.369457646 -0500
+@@ -8,18 +8,7 @@
+
+ #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
+ #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
+-
+-#if defined(__x86_64__)
+-#include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"
+-#endif
+-
+-#if defined(__i386__)
+-#include "sandbox/linux/system_headers/x86_32_linux_syscalls.h"
+-#endif
+-
+-#if defined(__arm__) && defined(__ARM_EABI__)
+-#include "sandbox/linux/system_headers/arm_linux_syscalls.h"
+-#endif
++#include <sys/syscall.h>
+
+ #if defined(__mips__) && (_MIPS_SIM == _ABIO32)
+ #include "sandbox/linux/system_headers/mips_linux_syscalls.h"
+@@ -33,5 +22,36 @@
+ #include "sandbox/linux/system_headers/arm64_linux_syscalls.h"
+ #endif
+
++#if !defined(__NR_clock_getres) && defined(__NR_clock_getres_time64)
++#define __NR_clock_getres __NR_clock_getres_time64
++#endif
++#if !defined(__NR_clock_gettime) && defined(__NR_clock_gettime64)
++#define __NR_clock_gettime __NR_clock_gettime64
++#endif
++#if !defined(__NR_clock_nanosleep) && defined(__NR_clock_nanosleep_time64)
++#define __NR_clock_nanosleep __NR_clock_nanosleep_time64
++#endif
++#if !defined(__NR_clock_settime) && defined(__NR_clock_settime64)
++#define __NR_clock_settime __NR_clock_settime64
++#endif
++#if !defined(__NR_gettimeofday) && defined(__NR_gettimeofday_time32)
++#define __NR_gettimeofday __NR_gettimeofday_time32
++#endif
++#if !defined(__NR_settimeofday) && defined(__NR_settimeofday_time32)
++#define __NR_settimeofday __NR_settimeofday_time32
++#endif
++#if !defined(__NR_timer_gettime) && defined(__NR_timer_gettime64)
++#define __NR_timer_gettime __NR_timer_gettime64
++#endif
++#if !defined(__NR_timer_settime) && defined(__NR_timer_settime64)
++#define __NR_timer_settime __NR_timer_settime64
++#endif
++#if !defined(__NR_timerfd_gettime) && defined(__NR_timerfd_gettime64)
++#define __NR_timerfd_gettime __NR_timerfd_gettime64
++#endif
++#if !defined(__NR_timerfd_settime) && defined(__NR_timerfd_settime64)
++#define __NR_timerfd_settime __NR_timerfd_settime64
++#endif
++
+ #endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
+
+--- firefox-68.8.0/security/sandbox/linux/SandboxFilter.cpp 2020-04-29 16:49:45.000000000 -0500
++++ firefox-68.8.0/security/sandbox/linux/SandboxFilter.cpp 2020-05-19 23:33:27.829642593 -0500
+@@ -478,6 +478,9 @@ class SandboxPolicyCommon : public Sandb
+
+ // Thread synchronization
+ case __NR_futex:
++#ifdef __NR_futex_time64
++ case __NR_futex_time64:
++#endif
+ // FIXME: This could be more restrictive....
+ return Allow();
+
+@@ -488,6 +491,9 @@ class SandboxPolicyCommon : public Sandb
+ case __NR_epoll_pwait:
+ case __NR_epoll_ctl:
+ case __NR_ppoll:
++#ifdef __NR_ppoll_time64
++ case __NR_ppoll_time64:
++#endif
+ case __NR_poll:
+ return Allow();
+
+@@ -1017,6 +1023,9 @@ class ContentSandboxPolicy : public Sand
+
+ CASES_FOR_select:
+ case __NR_pselect6:
++#ifdef __NR_pselect6_time64
++ case __NR_pselect6_time64:
++#endif
+ return Allow();
+
+ CASES_FOR_getdents:
diff --git a/user/net-snmp/APKBUILD b/user/net-snmp/APKBUILD
index 3fc1bceb4..8dea420b2 100644
--- a/user/net-snmp/APKBUILD
+++ b/user/net-snmp/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer:
pkgname=net-snmp
pkgver=5.8
-pkgrel=0
+pkgrel=1
pkgdesc="Simple Network Management Protocol"
url="http://www.net-snmp.org/"
arch="all"
@@ -74,7 +74,7 @@ package() {
install -m644 -D "$srcdir"/snmpd.confd "$pkgdir"/etc/conf.d/snmpd
install -m644 -D "$srcdir"/snmptrapd.confd \
"$pkgdir"/etc/conf.d/snmptrapd
- install -m644 -D EXAMPLE.conf "$pkgdir"/etc/snmp/snmpd.conf
+ install -m600 -D EXAMPLE.conf "$pkgdir"/etc/snmp/snmpd.conf
echo "authCommunity log,execute,net public" > "$pkgdir"/etc/snmp/snmptrapd.conf
mkdir -p "$pkgdir"/var/lib/net-snmp
find "$pkgdir" -name perllocal.pod -delete
diff --git a/user/thunderbird/APKBUILD b/user/thunderbird/APKBUILD
index 1270dcbc3..fc2887d63 100644
--- a/user/thunderbird/APKBUILD
+++ b/user/thunderbird/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=thunderbird
-pkgver=68.7.0
+pkgver=68.9.0
pkgrel=0
pkgdesc="Email client from Mozilla"
url="https://www.thunderbird.net/"
@@ -36,7 +36,6 @@ source="https://archive.mozilla.org/pub/thunderbird/releases/$pkgver/source/thun
fix-mutex-build.patch
fix-seccomp-bpf.patch
mozilla-build-arm.patch
- rust-config.patch
shut-up-warning.patch
skia-sucks1.patch
skia-sucks2.patch
@@ -70,6 +69,12 @@ ldpath="$_mozappdir"
# - CVE-2020-6821
# - CVE-2020-6822
# - CVE-2020-6825
+# 68.9.0-r0:
+# - CVE-2020-6831
+# - CVE-2020-12387
+# - CVE-2020-12392
+# - CVE-2020-12395
+# - CVE-2020-12397
unpack() {
default_unpack
@@ -164,7 +169,7 @@ package() {
${pkgdir}/usr/share/applications/thunderbird.desktop
}
-sha512sums="fae763030b7a54930291a10f298b7fa4ffc400849082f576556b9040d095f1007ae686daf1241dff8b73bac35c14acf21c156a18a3e16d62a7719c6cc34e4d1f thunderbird-68.7.0.source.tar.xz
+sha512sums="891472c95ba6ff46061131504e89010da512a84b0e1dea0482e603fd4c87f11e099280a245c7dd9fc9320c48229c26602565c089d86f1a1f4271b29b6fc606f0 thunderbird-68.9.0.source.tar.xz
16e814e8dcffc707b595ca2919bd2fa3db0d15794c63d977364652c4a5b92e90e72b8c9e1cc83b5020398bd90a1b397dbdd7cb931c49f1aa4af6ef95414b43e0 Python-2.7.16.tar.xz
5519234df2934ac2f3d76c8cad7e4f0fe15cf83ea4beb32c6489d8b7839b3ebea88bdb342e0d2a9c1c7c95e9455d234b0a5aa0e73446fd8027b520f080a2bb5b mozconfig
ace7492f4fb0523c7340fdc09c831906f74fddad93822aff367135538dacd3f56288b907f5a04f53f94c76e722ba0bab73e28d83ec12d3e672554712e6b08613 bad-google-code.patch
@@ -172,7 +177,6 @@ ace7492f4fb0523c7340fdc09c831906f74fddad93822aff367135538dacd3f56288b907f5a04f53
c0b2bf43206c2a5154e560ef30189a1062ae856861b39f52ce69002390ff9972d43e387bfd2bf8d2ab3cac621987bc042c8c0a8b4cf90ae05717ca7705271880 fix-mutex-build.patch
70863b985427b9653ce5e28d6064f078fb6d4ccf43dd1b68e72f97f44868fc0ce063161c39a4e77a0a1a207b7365d5dc7a7ca5e68c726825eba814f2b93e2f5d fix-seccomp-bpf.patch
e61664bc93eadce5016a06a4d0684b34a05074f1815e88ef2613380d7b369c6fd305fb34f83b5eb18b9e3138273ea8ddcfdcb1084fdcaa922a1e5b30146a3b18 mozilla-build-arm.patch
-45613d476e85fe333ef8091acce4806803953c1a99de4f03ff577cf20c5a1a3d635d0589e1490da104ef80721f4f1b1d35045af3c6892c1a468fa84095f27ad8 rust-config.patch
39ddb15d1453a8412275c36fc8db3befc69dffd4a362e932d280fb7fd1190db595a2af9b468ee49e0714f5e9df6e48eb5794122a64fa9f30d689de8693acbb15 shut-up-warning.patch
e751ffab263f03d4c74feebc617e3af115b1b53cf54fe16c3acc585eec67773f37aa8de4c19599fa6478179b01439025112ef2b759aa9923c9900e7081cb65a9 skia-sucks1.patch
9152bd3e6dc446337e6a2ed602279c620aedecc796ba28e777854c4f41fcf3067f9ebd086a4b63a6b76c2e69ec599ac6435b8eeda4f7488b1c45f69113facba4 skia-sucks2.patch
diff --git a/user/thunderbird/rust-config.patch b/user/thunderbird/rust-config.patch
deleted file mode 100644
index eab72a0e4..000000000
--- a/user/thunderbird/rust-config.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -urw firefox-68.0-old/build/moz.configure/rust.configure firefox-68.0/build/moz.configure/rust.configure
---- firefox-68.0-old/build/moz.configure/rust.configure 2019-07-07 15:56:29.345963800 +0000
-+++ firefox-68.0/build/moz.configure/rust.configure 2019-07-07 16:19:25.990645334 +0000
-@@ -193,12 +193,16 @@
- ambiguous = set()
- per_raw_os = {}
- for t in out:
-+ if 'fuchsia' in t: continue
- t = split_triplet(t, allow_unknown=True)
- endianness = t.endianness
- if t.cpu.startswith('thumb') and endianness not in ('big', 'little'):
- endianness = 'little'
- key = (t.cpu, endianness, t.os)
- if key in per_os:
-+ # hax to allow Adélie toolchains to work
-+ if 'foxkit' in per_os[key].alias:
-+ continue
- previous = per_os[key]
- per_raw_os[(previous.cpu, previous.endianness,
- previous.raw_os)] = previous