Merge branch 'cves.2019.08.29' into 'master'

Misc. security updates See merge request adelie/packages!336
author: A. Wilcox <awilcox@wilcox-tech.com> 2019-09-28 16:44:20 +0000
committer: A. Wilcox <awilcox@wilcox-tech.com> 2019-09-28 16:44:20 +0000
commit: f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e (patch)
tree: c5b251ee42a12d3377d3c329db37801abd2fa8b7 /system
parent: 392df44317bc4ddfbf182293305442712d6ce863 (diff)
parent: 9d975a16f6054ccfa09bcd932da9f18eff7d37d1 (diff)
download: packages-f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e.tar.gz
packages-f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e.tar.bz2
packages-f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e.tar.xz
packages-f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e.zip
6 files changed, 209 insertions, 53 deletions
diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD
index aa6e4c9e7..5e767bcc8 100644
--- a/system/curl/APKBUILD
+++ b/system/curl/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: Łukasz Jendrysik <scadu@yandex.com>
 # Maintainer: 
 pkgname=curl
-pkgver=7.65.3
+pkgver=7.66.0
 pkgrel=0
 pkgdesc="An URL retrival utility and library"
 url="https://curl.haxx.se"
@@ -17,6 +17,9 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz"
 subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
 
 # secfixes:
+#   7.66.0-r0:
+#     - CVE-2019-5481
+#     - CVE-2019-5482
 #   7.65.1-r0:
 #     - CVE-2019-5435
 #     - CVE-2019-5436
@@ -83,6 +86,7 @@ build() {
 		--prefix=/usr \
 		--enable-ipv6 \
 		--enable-unix-sockets \
+		--with-libssh2 \
 		--without-libidn \
 		--without-libidn2 \
 		--disable-ldap \
@@ -91,7 +95,9 @@ build() {
 }
 
 check() {
-	make check
+	# -p: print log contents on test failure
+	# !1592: requires DNS access
+	make check TFLAGS='-p !1592'
 }
 
 package() {
@@ -104,4 +110,4 @@ libcurl() {
 	mv "$pkgdir"/usr/lib "$subpkgdir"/usr
 }
 
-sha512sums="fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b  curl-7.65.3.tar.xz"
+sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35  curl-7.66.0.tar.xz"
diff --git a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
deleted file mode 100644
index 34e2b6c71..000000000
--- a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001
-From: Adam Sampson <ats@offog.org>
-Date: Wed, 9 Aug 2017 14:11:17 +0100
-Subject: [PATCH] curl: do bounds check using a double comparison
-
-The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
-complete: if the parsed number in num is larger than will fit in a long,
-the conversion is undefined behaviour (causing test1427 to fail for me
-on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7).  Getting
-rid of the cast means the comparison will be done using doubles.
-
-It might make more sense for the max argument to also be a double...
-
-Fixes #1750
-Closes #1749
----
- src/tool_paramhlp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
-index b9dedc989e..85c5e79a7e 100644
---- a/src/tool_paramhlp.c
-+++ b/src/tool_paramhlp.c
-@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max)
-     num = strtod(str, &endptr);
-     if(errno == ERANGE)
-       return PARAM_NUMBER_TOO_LARGE;
--    if((long)num > max) {
-+    if(num > max) {
-       /* too large */
-       return PARAM_NUMBER_TOO_LARGE;
-     }
diff --git a/system/expat/APKBUILD b/system/expat/APKBUILD
index 088d9d9b1..4a6f547e3 100644
--- a/system/expat/APKBUILD
+++ b/system/expat/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=expat
 pkgver=2.2.7
-pkgrel=0
+pkgrel=1
 pkgdesc="An XML Parser library written in C"
 url="https://libexpat.github.io/"
 arch="all"
@@ -10,13 +10,16 @@ depends=""
 checkdepends="bash"
 makedepends=""
 subpackages="$pkgname-dev $pkgname-doc"
-source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2"
+source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2
+	CVE-2019-15903.patch"
 
 # secfixes:
 #   2.2.1-r0:
 #     - CVE-2016-9063
 #   2.2.0-r1:
 #     - CVE-2017-9233
+#   2.2.7-r1:
+#     - CVE-2019-15903
 
 build() {
 	./configure \
@@ -35,4 +38,5 @@ package() {
 	make DESTDIR="$pkgdir/" install
 }
 
-sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00  expat-2.2.7.tar.bz2"
+sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00  expat-2.2.7.tar.bz2
+02d1719307dffdab98e90f242a77aa61cab79ae63ea28d6fa1219b4191d7247e5c319d3adf9781c9086e392c05fd6b6558051b0792ade5cb6c64e7583c67a70d  CVE-2019-15903.patch"
diff --git a/system/expat/CVE-2019-15903.patch b/system/expat/CVE-2019-15903.patch
new file mode 100644
index 000000000..c81e72bbb
--- /dev/null
+++ b/system/expat/CVE-2019-15903.patch
@@ -0,0 +1,181 @@
+Grabbed from Debian since upstream patch does not apply to 2.2.7.
+
+https://sources.debian.org/patches/expat/2.2.7-2/CVE-2019-15903_Deny_internal_entities_closing_the_doctype.patch/
+https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
+
+From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 28 Aug 2019 00:24:59 +0200
+Subject: [PATCH 1/3] xmlparse.c: Deny internal entities closing the doctype
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 0553e3df..c29a6449 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -405,7 +405,7 @@ initializeEncoding(XML_Parser parser);
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+          const char *end, int tok, const char *next, const char **nextPtr,
+-         XML_Bool haveMore);
++         XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+                       XML_Bool betweenDecl);
+@@ -4232,7 +4232,7 @@ externalParEntProcessor(XML_Parser parse
+ 
+   parser->m_processor = prologProcessor;
+   return doProlog(parser, parser->m_encoding, s, end, tok, next,
+-                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ 
+ static enum XML_Error PTRCALL
+@@ -4282,7 +4282,7 @@ prologProcessor(XML_Parser parser,
+   const char *next = s;
+   int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+   return doProlog(parser, parser->m_encoding, s, end, tok, next,
+-                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ 
+ static enum XML_Error
+@@ -4293,7 +4293,8 @@ doProlog(XML_Parser parser,
+          int tok,
+          const char *next,
+          const char **nextPtr,
+-         XML_Bool haveMore)
++         XML_Bool haveMore,
++         XML_Bool allowClosingDoctype)
+ {
+ #ifdef XML_DTD
+   static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+@@ -4472,6 +4473,11 @@ doProlog(XML_Parser parser,
+       }
+       break;
+     case XML_ROLE_DOCTYPE_CLOSE:
++      if (allowClosingDoctype != XML_TRUE) {
++        /* Must not close doctype from within expanded parameter entities */
++        return XML_ERROR_INVALID_TOKEN;
++      }
++
+       if (parser->m_doctypeName) {
+         parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
+                                 parser->m_doctypeSysid, parser->m_doctypePubid, 0);
+@@ -5409,7 +5415,7 @@ processInternalEntity(XML_Parser parser,
+   if (entity->is_param) {
+     int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+     result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+-                      next, &next, XML_FALSE);
++                      next, &next, XML_FALSE, XML_FALSE);
+   }
+   else
+ #endif /* XML_DTD */
+@@ -5456,7 +5462,7 @@ internalEntityProcessor(XML_Parser parse
+   if (entity->is_param) {
+     int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+     result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+-                      next, &next, XML_FALSE);
++                      next, &next, XML_FALSE, XML_TRUE);
+   }
+   else
+ #endif /* XML_DTD */
+@@ -5483,7 +5489,7 @@ internalEntityProcessor(XML_Parser parse
+     parser->m_processor = prologProcessor;
+     tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+     return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+-                    (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++                    (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+   }
+   else
+ #endif /* XML_DTD */
+
+From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 28 Aug 2019 15:14:19 +0200
+Subject: [PATCH 3/3] tests: Cover denying internal entities closing the
+ doctype
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index b0d1b0af..e102a55e 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -8151,6 +8151,68 @@ START_TEST(test_misc_utf16le)
+ }
+ END_TEST
+ 
++#ifdef XML_DTD
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
++  const char *const inputOne = "<!DOCTYPE d [\n"
++                               "<!ENTITY % e ']><d/>'>\n"
++                               "\n"
++                               "%e;";
++  const char *const inputTwo = "<!DOCTYPE d [\n"
++                               "<!ENTITY % e1 ']><d/>'><!ENTITY % e2 '&e1;'>\n"
++                               "\n"
++                               "%e2;";
++  const char *const inputThree = "<!DOCTYPE d [\n"
++                                 "<!ENTITY % e ']><d'>\n"
++                                 "\n"
++                                 "%e;";
++  const char *const inputIssue317 = "<!DOCTYPE doc [\n"
++                                    "<!ENTITY % foo ']>\n"
++                                    "<doc>Hell<oc (#PCDATA)*>'>\n"
++                                    "%foo;\n"
++                                    "]>\n"
++                                    "<doc>Hello, world</dVc>";
++
++  const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
++  size_t inputIndex = 0;
++
++  for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
++    XML_Parser parser;
++    enum XML_Status parseResult;
++    int setParamEntityResult;
++    XML_Size lineNumber;
++    XML_Size columnNumber;
++    const char *const input = inputs[inputIndex];
++
++    parser = XML_ParserCreate(NULL);
++    setParamEntityResult
++        = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++    if (setParamEntityResult != 1)
++      fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
++
++    parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
++    if (parseResult != XML_STATUS_ERROR) {
++      parseResult = XML_Parse(parser, "", 0, 1);
++      if (parseResult != XML_STATUS_ERROR) {
++        fail("Parsing was expected to fail but succeeded.");
++      }
++    }
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
++      fail("Error code does not match XML_ERROR_INVALID_TOKEN");
++
++    lineNumber = XML_GetCurrentLineNumber(parser);
++    if (lineNumber != 4)
++      fail("XML_GetCurrentLineNumber does not work as expected.");
++
++    columnNumber = XML_GetCurrentColumnNumber(parser);
++    if (columnNumber != 0)
++      fail("XML_GetCurrentColumnNumber does not work as expected.");
++
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++#endif
+ 
+ static void
+ alloc_setup(void)
+@@ -12251,6 +12313,10 @@ make_suite(void)
+     tcase_add_test(tc_misc, test_misc_features);
+     tcase_add_test(tc_misc, test_misc_attribute_leak);
+     tcase_add_test(tc_misc, test_misc_utf16le);
++#ifdef XML_DTD
++  tcase_add_test(tc_misc,
++                 test_misc_deny_internal_entity_closing_doctype_issue_317);
++#endif
+ 
+     suite_add_tcase(s, tc_alloc);
+     tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
diff --git a/system/libgcrypt/APKBUILD b/system/libgcrypt/APKBUILD
index 13797a615..37fda1300 100644
--- a/system/libgcrypt/APKBUILD
+++ b/system/libgcrypt/APKBUILD
@@ -1,20 +1,21 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libgcrypt
-pkgver=1.8.4
+pkgver=1.8.5
 pkgrel=0
 pkgdesc="GnuPG cryptography library"
 url="https://www.gnupg.org"
 arch="all"
 license="LGPL-2.1+"
 depends=""
-depends_dev="libgpg-error-dev"
-makedepends="$depends_dev texinfo"
+makedepends="libgpg-error-dev texinfo"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://www.gnupg.org/ftp/gcrypt/$pkgname/$pkgname-$pkgver.tar.bz2"
 
-build() {
-	cd "$builddir"
+# secfixes:
+#   1.8.5-r0:
+#     - CVE-2019-13627
 
+build() {
 	local _arch_configure=
 	case "$CARCH" in
 	arm*)
@@ -40,14 +41,12 @@ build() {
 }
 
 check() {
-	cd "$builddir"
 	make check
 }
 
 package() {
-	cd "$builddir"
 	make -j1 DESTDIR="$pkgdir" install
 	rm -f ${pkgdir}/usr/share/info/dir
 }
 
-sha512sums="b831fc337eb14806897e224b0d1e78d1f8e9db91dffa818a015a4aa104144e2d971e5a855904907ee2bb9990a9d526de32d6787e1cae98e28a65c3258b2b1ea1  libgcrypt-1.8.4.tar.bz2"
+sha512sums="b55e16e838d1b1208e7673366971ae7c0f9c1c79e042f41c03d14ed74c5e387fa69ea81d5414ffda3d2b4f82ea5467fe13b00115727e257db22808cf351bde89  libgcrypt-1.8.5.tar.bz2"
diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
index 984cb486a..513b87d0d 100644
--- a/system/openssl/APKBUILD
+++ b/system/openssl/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=openssl
-pkgver=1.0.2s
+pkgver=1.0.2t
 pkgrel=0
 pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
 url="https://www.openssl.org/"
@@ -66,12 +66,12 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
 #     - CVE-2018-0734
 #     - CVE-2018-5407
 #     - CVE-2019-1559
-
-builddir="$srcdir"/$pkgname-$pkgver
+#   1.0.2t-r0:
+#     - CVE-2019-1547
+#     - CVE-2019-1563
 
 build() {
 	local _target _optflags
-	cd "$builddir"
 
 	# openssl will prepend crosscompile always core CC et al
 	CC=${CC#${CROSS_COMPILE}}
@@ -107,12 +107,10 @@ build() {
 }
 
 check() {
-	cd "$builddir"
 	make -j1 test
 }
 
 package() {
-	cd "$builddir"
 	make INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install
 	# remove the script c_rehash
 	rm "$pkgdir"/usr/bin/c_rehash
@@ -144,7 +142,7 @@ dev() {
 	default_dev
 }
 
-sha512sums="9f745452c4f777df694158e95003cde78a2cf8199bc481a563ec36644664c3c1415a774779b9791dd18f2aeb57fa1721cb52b3db12d025955e970071d5b66d2a  openssl-1.0.2s.tar.gz
+sha512sums="0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71  openssl-1.0.2t.tar.gz
 58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4  0003-use-termios.patch
 c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae  0004-fix-default-ca-path-for-apps.patch
 5d4191482f8bbf62c75fe6bc2d9587388022c3310703c2a913788a983b1d1406e706cf3916a5792604f0b0f220a87432d3b82b442cea9915f2abb6fdd8478fcb  0005-fix-parallel-build.patch
author	A. Wilcox <awilcox@wilcox-tech.com>	2019-09-28 16:44:20 +0000
committer	A. Wilcox <awilcox@wilcox-tech.com>	2019-09-28 16:44:20 +0000
commit	f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e (patch)
tree	c5b251ee42a12d3377d3c329db37801abd2fa8b7 /system
parent	392df44317bc4ddfbf182293305442712d6ce863 (diff)
parent	9d975a16f6054ccfa09bcd932da9f18eff7d37d1 (diff)
download	packages-f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e.tar.gz packages-f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e.tar.bz2 packages-f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e.tar.xz packages-f1c09d5fa75c5b60749189cb1e7a7eeb132cc75e.zip