summaryrefslogtreecommitdiff
path: root/system
diff options
context:
space:
mode:
authorA. Wilcox <awilcox@wilcox-tech.com>2019-10-17 00:32:50 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2019-10-17 00:32:50 +0000
commitc665adb6aa1d2253d650989bd6f72ceca79747d1 (patch)
tree186a1b93a14ea53d9635984fddf50e82ad3eb92a /system
parente4100adf318e482a9932afcdea301b2339967698 (diff)
parent3bd6d256fad70f5c9089bcde94480eca572693d5 (diff)
downloadpackages-c665adb6aa1d2253d650989bd6f72ceca79747d1.tar.gz
packages-c665adb6aa1d2253d650989bd6f72ceca79747d1.tar.bz2
packages-c665adb6aa1d2253d650989bd6f72ceca79747d1.tar.xz
packages-c665adb6aa1d2253d650989bd6f72ceca79747d1.zip
Merge branch 'cves.2019.10.16' into 'master'
CVE patches for 2019.10.16 See merge request adelie/packages!366
Diffstat (limited to 'system')
-rw-r--r--system/binutils/APKBUILD9
-rw-r--r--system/binutils/CVE-2019-17450.patch87
-rw-r--r--system/binutils/CVE-2019-17451.patch38
-rw-r--r--system/libssh2/APKBUILD12
-rw-r--r--system/libssh2/CVE-2019-17498.patch210
5 files changed, 352 insertions, 4 deletions
diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD
index 682f2e93c..f5defac52 100644
--- a/system/binutils/APKBUILD
+++ b/system/binutils/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
pkgname=binutils
pkgver=2.32
-pkgrel=4
+pkgrel=5
pkgdesc="Tools necessary to build programs"
url="https://www.gnu.org/software/binutils/"
depends=""
@@ -32,6 +32,8 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
CVE-2019-12972.patch
CVE-2019-14250.patch
CVE-2019-14444.patch
+ CVE-2019-17450.patch
+ CVE-2019-17451.patch
BTS-170.patch
BTS-196.patch
"
@@ -63,6 +65,9 @@ fi
# - CVE-2019-14250
# 2.32-r3:
# - CVE-2019-14444
+# 2.32-r5:
+# - CVE-2019-17450
+# - CVE-2019-17451
build() {
local _sysroot=/
@@ -158,5 +163,7 @@ c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be
9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch
c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch
0942cc1a4c5ec03e931c6ebd15c5d60eae6be48cd0a3d9b7f6356f97361226bb6d53dbdcb01b20efcca0ccaf23764730d9bbad2c1bbe2ea6ca320e43b43b311b CVE-2019-14444.patch
+4e8cbe3985ca4a7cb8954e4e03f094687985b3afec6bb14f1599665e0ab13e601b68cefdbb63e88f9dd59852036dcfee05af14014493c16c76dc38d406efc8fd CVE-2019-17450.patch
+a71a035db5e14f105b5d58ec01ad250447f6282cae04e8c931fbdbf7adf118a065c6c9be9c72a204e0f8115b19598dc52f3953ae91200d48328b58cc274939d8 CVE-2019-17451.patch
d4543d2f77808d317d17a5f0eb9af21540ef8543fceaed4e3524213e31e058333321f3ba3b495199e3b57bfd0c4164929cf679369470389e26871b8895cb0110 BTS-170.patch
9cc17d9fe3fc1351d1f6b4fc1c916254529f3304c95db6f4698b867eeb623210b914dc798fb837eafbad2b287b78b31c4ed5482b3151a2992864da04e1dd5fac BTS-196.patch"
diff --git a/system/binutils/CVE-2019-17450.patch b/system/binutils/CVE-2019-17450.patch
new file mode 100644
index 000000000..edc0e94df
--- /dev/null
+++ b/system/binutils/CVE-2019-17450.patch
@@ -0,0 +1,87 @@
+From 063c511bd79281f33fd33f0964541a73511b9e2b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 00:07:29 +1030
+Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
+
+ PR 25078
+ * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
+ recur_count. Error on recur_count reaching 100 rather than
+ info_ptr matching orig_info_ptr. Adjust calls.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 575b082..d39f4fd 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2812,13 +2812,13 @@ static bfd_boolean comp_unit_maybe_decode_line_info (struct comp_unit *,
+ struct dwarf2_debug *);
+
+ static bfd_boolean
+-find_abstract_instance (struct comp_unit * unit,
+- bfd_byte * orig_info_ptr,
+- struct attribute * attr_ptr,
+- const char ** pname,
+- bfd_boolean * is_linkage,
+- char ** filename_ptr,
+- int * linenumber_ptr)
++find_abstract_instance (struct comp_unit *unit,
++ struct attribute *attr_ptr,
++ unsigned int recur_count,
++ const char **pname,
++ bfd_boolean *is_linkage,
++ char **filename_ptr,
++ int *linenumber_ptr)
+ {
+ bfd *abfd = unit->abfd;
+ bfd_byte *info_ptr;
+@@ -2829,6 +2829,14 @@ find_abstract_instance (struct comp_unit * unit,
+ struct attribute attr;
+ const char *name = NULL;
+
++ if (recur_count == 100)
++ {
++ _bfd_error_handler
++ (_("DWARF error: abstract instance recursion detected"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+ /* DW_FORM_ref_addr can reference an entry in a different CU. It
+ is an offset from the .debug_info section, not the current CU. */
+ if (attr_ptr->form == DW_FORM_ref_addr)
+@@ -2962,15 +2970,6 @@ find_abstract_instance (struct comp_unit * unit,
+ info_ptr, info_ptr_end);
+ if (info_ptr == NULL)
+ break;
+- /* It doesn't ever make sense for DW_AT_specification to
+- refer to the same DIE. Stop simple recursion. */
+- if (info_ptr == orig_info_ptr)
+- {
+- _bfd_error_handler
+- (_("DWARF error: abstract instance recursion detected"));
+- bfd_set_error (bfd_error_bad_value);
+- return FALSE;
+- }
+ switch (attr.name)
+ {
+ case DW_AT_name:
+@@ -2984,7 +2983,7 @@ find_abstract_instance (struct comp_unit * unit,
+ }
+ break;
+ case DW_AT_specification:
+- if (!find_abstract_instance (unit, info_ptr, &attr,
++ if (!find_abstract_instance (unit, &attr, recur_count + 1,
+ &name, is_linkage,
+ filename_ptr, linenumber_ptr))
+ return FALSE;
+@@ -3200,7 +3199,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+
+ case DW_AT_abstract_origin:
+ case DW_AT_specification:
+- if (!find_abstract_instance (unit, info_ptr, &attr,
++ if (!find_abstract_instance (unit, &attr, 0,
+ &func->name,
+ &func->is_linkage,
+ &func->file,
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-17451.patch b/system/binutils/CVE-2019-17451.patch
new file mode 100644
index 000000000..f6af71601
--- /dev/null
+++ b/system/binutils/CVE-2019-17451.patch
@@ -0,0 +1,38 @@
+From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1. Reading the first
+section of course overflows the buffer and tramples on other memory.
+
+ PR 25070
+ * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+ total_size calculation.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index d39f4fd..88aaa2d 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+ for (total_size = 0;
+ msec;
+ msec = find_debug_info (debug_bfd, debug_sections, msec))
+- total_size += msec->size;
++ {
++ /* Catch PR25070 testcase overflowing size calculation here. */
++ if (total_size + msec->size < total_size
++ || total_size + msec->size < msec->size)
++ {
++ bfd_set_error (bfd_error_no_memory);
++ return FALSE;
++ }
++ total_size += msec->size;
++ }
+
+ stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+ if (stash->info_ptr_memory == NULL)
+--
+2.9.3
+
diff --git a/system/libssh2/APKBUILD b/system/libssh2/APKBUILD
index 401fa2cf0..010c6834d 100644
--- a/system/libssh2/APKBUILD
+++ b/system/libssh2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=libssh2
pkgver=1.9.0
-pkgrel=0
+pkgrel=1
pkgdesc="Library for accessing SSH servers"
url="https://libssh2.org/"
arch="all"
@@ -11,7 +11,12 @@ checkdepends="openssh-server"
makedepends="openssl-dev zlib-dev"
subpackages="$pkgname-dev $pkgname-doc"
source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz
- test-sshd.patch"
+ test-sshd.patch
+ CVE-2019-17498.patch"
+
+# secfixes:
+# 1.9.0-r1:
+# - CVE-2019-17498
build() {
./configure \
@@ -35,4 +40,5 @@ package() {
}
sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz
-eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c test-sshd.patch"
+eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c test-sshd.patch
+102542a2023d53f7684c99a89fa4c592ee4ababc09bc174c52cd20f7f21b4c5878a89bae7e20c3438490666b7b0758caba5cf82c2b2965e1e58e02d5c1f4ea47 CVE-2019-17498.patch"
diff --git a/system/libssh2/CVE-2019-17498.patch b/system/libssh2/CVE-2019-17498.patch
new file mode 100644
index 000000000..a908c9974
--- /dev/null
+++ b/system/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,210 @@
+From b9aa7c2495694d0527e4e7fd560a3f0f18556c72 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:14:19 -0700
+Subject: [PATCH 1/5] packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG, additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST
+---
+ src/packet.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab6294..ac69768c 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -537,26 +537,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ case SSH_MSG_DEBUG:
+ if(datalen >= 2) {
+ int always_display = data[1];
+-
++
+ if(datalen >= 6) {
+- message_len = _libssh2_ntohu32(data + 2);
+-
+- if(message_len <= (datalen - 10)) {
+- /* 6 = packet_type(1) + display(1) + message_len(4) */
+- message = (char *) data + 6;
+- language_len = _libssh2_ntohu32(data + 6 +
+- message_len);
+-
+- if(language_len <= (datalen - 10 - message_len))
+- language = (char *) data + 10 + message_len;
+- }
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 2; /* advance past type & always display */
++
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+ }
+
+ if(session->ssh_msg_debug) {
+- LIBSSH2_DEBUG(session, always_display, message,
+- message_len, language, language_len);
++ LIBSSH2_DEBUG(session, always_display,
++ (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
+ }
++
+ /*
+ * _libssh2_debug will actually truncate this for us so
+ * that it's not an inordinate about of data
+@@ -579,7 +579,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = 0;
+ unsigned char want_reply = 0;
+ len = _libssh2_ntohu32(data + 1);
+- if(datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+
+From 8b3cf0b17c1b84a138bed9423a9e0743452b4de9 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:15:33 -0700
+Subject: [PATCH 2/5] stray whitespace
+
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index ac69768c..8908b2c5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -537,7 +537,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ case SSH_MSG_DEBUG:
+ if(datalen >= 2) {
+ int always_display = data[1];
+-
++
+ if(datalen >= 6) {
+ struct string_buf buf;
+ buf.data = (unsigned char *)data;
+
+From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:24:22 -0700
+Subject: [PATCH 3/5] fixed type issue, updated SSH_MSG_DISCONNECT
+
+SSH_MSG_DISCONNECT now also uses _libssh2_get API.
+---
+ src/packet.c | 40 +++++++++++++++-------------------------
+ 1 file changed, 15 insertions(+), 25 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 8908b2c5..97f0cdd4 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message = NULL;
+- char *language = NULL;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
+ size_t message_len = 0;
+ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
+
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len =
+- _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len = 0;
+- }
+ if(session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
+
+From 77616117cc9dbbdd0fe1157098435bff73a83a0f Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:26:32 -0700
+Subject: [PATCH 4/5] fixed stray (
+
+bad paste
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 97f0cdd4..bd4c39e4 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = 0;
+ unsigned char want_reply = 0;
+ len = _libssh2_ntohu32(data + 1);
+- if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
++ if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+
+From 436c45dc143cadc8c59afac6c4255be332856581 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:29:00 -0700
+Subject: [PATCH 5/5] added additional parentheses for clarity
+
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index bd4c39e4..2e01bfc5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = 0;
+ unsigned char want_reply = 0;
+ len = _libssh2_ntohu32(data + 1);
+- if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
generated by cgit v1.2.3-60-g2f50 (git 2.42.0) at 2024-07-07 06:24:25 +0000