Merge branch 'cve' into 'master'

CVE bumps: part one See merge request !249
author: A. Wilcox <awilcox@wilcox-tech.com> 2019-06-21 23:38:53 +0000
committer: A. Wilcox <awilcox@wilcox-tech.com> 2019-06-21 23:38:53 +0000
commit: fd45ed897742614bd2867cb46578557beb820026 (patch)
tree: 8eaa82bc50ad1a89272b146743ec1544163d48f3 /system
parent: 86d0de126ffdebdb8cee9581ce51c16a6f20b58b (diff)
parent: 332e0a40fabc1c4047a631273e5d5df46cbf4bb2 (diff)
download: packages-fd45ed897742614bd2867cb46578557beb820026.tar.gz
packages-fd45ed897742614bd2867cb46578557beb820026.tar.bz2
packages-fd45ed897742614bd2867cb46578557beb820026.tar.xz
packages-fd45ed897742614bd2867cb46578557beb820026.zip
15 files changed, 833 insertions, 29 deletions
diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD
index 1b53bd0a5..ac23280aa 100644
--- a/system/curl/APKBUILD
+++ b/system/curl/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: Łukasz Jendrysik <scadu@yandex.com>
 # Maintainer: 
 pkgname=curl
-pkgver=7.64.1
+pkgver=7.65.1
 pkgrel=0
 pkgdesc="An URL retrival utility and library"
 url="https://curl.haxx.se"
@@ -17,6 +17,9 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz"
 subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
 
 # secfixes:
+#   7.65.1-r0:
+#     - CVE-2019-5435
+#     - CVE-2019-5436
 #   7.64.0-r0:
 #     - CVE-2019-3823
 #     - CVE-2019-3822
@@ -101,4 +104,4 @@ libcurl() {
 	mv "$pkgdir"/usr/lib "$subpkgdir"/usr
 }
 
-sha512sums="1629ba154691bf9d936e0bce69ec8fb54991a40d34bc16ffdfb117f91e3faa93164154fc9ae9043e963955862e69515018673b7239f2fd625684a59cdd1db81c  curl-7.64.1.tar.xz"
+sha512sums="aba2d979a416d14a0f0852d595665e49fc4f7bff3bee31f3a52b90ba9dc5ffdb09c092777f124215470b72c47ebca7ddb47844cbf5c0e9142099272b6ac55df4  curl-7.65.1.tar.xz"
diff --git a/system/cvs/APKBUILD b/system/cvs/APKBUILD
index 8dfcca172..f9160f62b 100644
--- a/system/cvs/APKBUILD
+++ b/system/cvs/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=cvs
 pkgver=1.11.23
-pkgrel=1
+pkgrel=2
 pkgdesc="Concurrent Versions System"
 url="https://www.nongnu.org/cvs/"
 arch="all"
@@ -14,8 +14,15 @@ install=
 subpackages="$pkgname-doc"
 source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
 	cvs-musl.patch
+	CVE-2010-3846.patch
+	CVE-2017-12836.patch
 	"
 
+# secfixes:
+#   1.11.23-r2:
+#     - CVE-2010-3846
+#     - CVE-2017-12836
+
 build() {
 	cd "$builddir"
 	./configure \
@@ -36,4 +43,6 @@ package() {
 }
 
 sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a  cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245  cvs-musl.patch"
+7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245  cvs-musl.patch
+eed761af81c9bcd3edd898559e9be25c6612bdef19984cc6380a08039525179fa34d9ade6c55c1b4f23e495156b34cafeab3e63cfd120c0e68a42aa7992e5e85  CVE-2010-3846.patch
+2775f5bde63d7eaee8c8f7467a8b43d533abbc172cf6b2d6ca7088203133a135e4e6a2a8028191d0102300913165dbd54fcf1f43683e742cb32f04ab06aca121  CVE-2017-12836.patch"
diff --git a/system/cvs/CVE-2010-3846.patch b/system/cvs/CVE-2010-3846.patch
new file mode 100644
index 000000000..e1560cef8
--- /dev/null
+++ b/system/cvs/CVE-2010-3846.patch
@@ -0,0 +1,167 @@
+From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
+From: Larry Jones <lawrence.jones@siemens.com>
+Date: Thu, 21 Oct 2010 10:08:16 +0200
+Subject: [PATCH] Fix for CVE-2010-3846
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Mallformed RCS revision (delete after the end of input file, or overlayed
+deleted regions) screws output file image size computation. This leads to
+write attempt after the allocated memory opening hiden memory corruption
+driven by CVS server.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/rcs.c |   52 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 29 insertions(+), 23 deletions(-)
+
+diff --git a/src/rcs.c b/src/rcs.c
+index 7d0d078..2f88f85 100644
+--- a/src/rcs.c
++++ b/src/rcs.c
+@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+     struct deltafrag *dfhead;
+     struct deltafrag **dftail;
+     struct deltafrag *df;
+-    unsigned long numlines, lastmodline, offset;
++    unsigned long numlines, offset;
+     struct linevector lines;
+     int err;
+ 
+@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 
+     /* New temp data structure to hold new org before
+        copy back into original structure. */
+-    lines.nlines = lines.lines_alloced = numlines;
++    lines.lines_alloced = numlines;
+     lines.vector = xmalloc (numlines * sizeof *lines.vector);
+ 
+     /* We changed the list order to first to last -- so the
+        list never gets larger than the size numlines. */
+-    lastmodline = 0; 
++    lines.nlines = 0; 
+ 
+     /* offset created when adding/removing lines
+        between new and original structure */
+@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+     for (df = dfhead; df != NULL; )
+     {
+ 	unsigned int ln;
+-	unsigned long deltaend;
++	unsigned long newpos = df->pos - offset;
+ 
+-	if (df->pos > orig_lines->nlines)
++	if (newpos < lines.nlines || newpos > numlines)
+ 	    err = 1;
+ 
+ 	/* On error, just free the rest of the list.  */
+ 	if (!err)
+ 	{
+-	    /* Here we need to get to the line where the next insert will
++	    /* Here we need to get to the line where the next change will
+ 	       begin, which is DF->pos in ORIG_LINES.  We will fill up to
+ 	       DF->pos - OFFSET in LINES with original items.  */
+-	    for (deltaend = df->pos - offset;
+-		 lastmodline < deltaend;
+-		 lastmodline++)
++	    while (lines.nlines < newpos)
+ 	    {
+ 		/* we need to copy from the orig structure into new one */
+-		lines.vector[lastmodline] =
+-			orig_lines->vector[lastmodline + offset];
+-		lines.vector[lastmodline]->refcount++;
++		lines.vector[lines.nlines] =
++			orig_lines->vector[lines.nlines + offset];
++		lines.vector[lines.nlines]->refcount++;
++		lines.nlines++;
+ 	    }
+ 
+ 	    switch (df->type)
+@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 		    struct line *q;
+ 		    int nextline_newline;
+ 		    size_t nextline_len;
+-		
++
++		    if (newpos + df->nlines > numlines)
++		    {
++			err = 1;
++			break;
++		    }
+ 		    textend = df->new_lines + df->len;
+ 		    nextline_newline = 0;
+ 		    nextline_text = df->new_lines;
+@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 			    q->has_newline = nextline_newline;
+ 			    q->refcount = 1;
+ 			    memcpy (q->text, nextline_text, nextline_len);
+-			    lines.vector[lastmodline++] = q;
+-			    offset--;
++			    lines.vector[lines.nlines++] = q;
+ 		    
+ 			    nextline_text = (char *)p + 1;
+ 			    nextline_newline = 0;
+@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 		    q->has_newline = nextline_newline;
+ 		    q->refcount = 1;
+ 		    memcpy (q->text, nextline_text, nextline_len);
+-		    lines.vector[lastmodline++] = q;
++		    lines.vector[lines.nlines++] = q;
+ 
+ 		    /* For each line we add the offset between the #'s
+ 		       decreases. */
+-		    offset--;
++		    offset -= df->nlines;
+ 		    break;
+ 		}
+ 
+@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 		    if (df->pos + df->nlines > orig_lines->nlines)
+ 			err = 1;
+ 		    else if (delvers)
++		    {
+ 			for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
++			{
+ 			    if (orig_lines->vector[ln]->refcount > 1)
+ 				/* Annotate needs this but, since the original
+ 				 * vector is disposed of before returning from
+@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 				 * there are multiple references.
+ 				 */
+ 				orig_lines->vector[ln]->vers = delvers;
++			}
++		    }
+ 		    break;
+ 	    }
+ 	}
+@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+     else
+     {
+ 	/* add the rest of the remaining lines to the data vector */
+-	for (; lastmodline < numlines; lastmodline++)
++	while (lines.nlines < numlines)
+ 	{
+ 	    /* we need to copy from the orig structure into new one */
+-	    lines.vector[lastmodline] = orig_lines->vector[lastmodline
++	    lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
+ 							   + offset];
+-	    lines.vector[lastmodline]->refcount++;
++	    lines.vector[lines.nlines]->refcount++;
++	    lines.nlines++;
+ 	}
+ 
+ 	/* Move the lines vector to the original structure for output,
+ 	 * first deleting the old.
+ 	 */
+ 	linevector_free (orig_lines);
+-	orig_lines->vector = lines.vector;
+-	orig_lines->lines_alloced = numlines;
+-	orig_lines->nlines = lines.nlines;
++	*orig_lines = lines;
+     }
+ 
+     return !err;
+-- 
+1.7.2.3
+
diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch
new file mode 100644
index 000000000..770115a5e
--- /dev/null
+++ b/system/cvs/CVE-2017-12836.patch
@@ -0,0 +1,58 @@
+From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 14 Aug 2017 10:32:25 +0200
+Subject: [PATCH] Fix CVE-2017-12836
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The hostname passed to RSH (ssh) client could be interpreted by
+OpenSSH client as an option and lead to local command execution.
+
+This fix adds no-more-options "--" separator before the hostname
+argument to the RSH client command.
+
+Original patch by Thorsten Glaser <tg@mirbsd.de> from
+<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to
+1.11.23.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/client.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/client.c b/src/client.c
+index 2bef1a0..e87cda9 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server)
+     char *cvs_rsh;
+     char *cvs_server = getenv ("CVS_SERVER");
+     int i = 0;
+-    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
++    /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
+        "cmd (w/ args)", and NULL.  We leave some room to grow. */
+     char *rsh_argv[10];
+ 
+@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server)
+ 	rsh_argv[i++] = root->username;
+     }
+ 
++    /* Only non-option arguments from here. (CVE-2017-12836) */
++    rsh_argv[i++] = "--";
++
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+     rsh_argv[i++] = "server";
+@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server)
+ 	    *p++ = root->username;
+ 	}
+ 
++	*p++ = "--";
++
+ 	*p++ = root->hostname;
+ 	*p++ = command;
+ 	*p++ = NULL;
+-- 
+2.9.5
+
diff --git a/system/libssh2/APKBUILD b/system/libssh2/APKBUILD
index 9f5b9c683..69989c72f 100644
--- a/system/libssh2/APKBUILD
+++ b/system/libssh2/APKBUILD
@@ -1,21 +1,16 @@
 # Contributor: William Pitcock <nenolod@dereferenced.org>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libssh2
-pkgver=1.8.0
-pkgrel=2
-pkgdesc="library for accessing ssh1/ssh2 protocol servers"
+pkgver=1.8.2
+pkgrel=0
+pkgdesc="Library for accessing SSH servers"
 url="https://libssh2.org/"
 arch="all"
 license="BSD-3-Clause"
 makedepends="openssl-dev zlib-dev"
-subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc"
+subpackages="$pkgname-dev $pkgname-doc"
 source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz"
 
-prepare() {
-	update_config_sub
-	default_prepare
-}
-
 build() {
 	./configure \
 		--build=$CBUILD \
@@ -24,7 +19,8 @@ build() {
 		--sysconfdir=/etc \
 		--mandir=/usr/share/man \
 		--infodir=/usr/share/info \
-		--localstatedir=/var
+		--localstatedir=/var \
+		--disable-rpath
 	make
 }
 
@@ -36,4 +32,4 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="289aa45c4f99653bebf5f99565fe9c519abc204feb2084b47b7cc3badc8bf4ecdedd49ea6acdce8eb902b3c00995d5f92a3ca77b2508b92f04ae0e7de7287558  libssh2-1.8.0.tar.gz"
+sha512sums="390ab4ad93bb738415ec11a6eb92806c9b9e9e5d8ee7c442d841a58b4292c1c447a9bc99e153ba464e2e11f9c0d1913469303598c3046722d1ae821991e8cb93  libssh2-1.8.2.tar.gz"
diff --git a/system/libxslt/APKBUILD b/system/libxslt/APKBUILD
index 0ba2dd390..49a07d7cf 100644
--- a/system/libxslt/APKBUILD
+++ b/system/libxslt/APKBUILD
@@ -2,18 +2,21 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libxslt
 pkgver=1.1.33
-pkgrel=0
+pkgrel=1
 pkgdesc="XML stylesheet transformation library"
 url="http://xmlsoft.org/XSLT/"
 arch="all"
 license="SGI-B-2.0"
 makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev"
 subpackages="$pkgname-doc $pkgname-dev"
-source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz
+	CVE-2019-11068.patch"
 
 # secfixes:
 #   1.1.29-r1:
 #     - CVE-2017-5029
+#   1.1.33-r1:
+#     - CVE-2019-11068
 
 build() {
 	./configure \
@@ -31,4 +34,5 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0  libxslt-1.1.33.tar.gz"
+sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0  libxslt-1.1.33.tar.gz
+48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41  CVE-2019-11068.patch"
diff --git a/system/libxslt/CVE-2019-11068.patch b/system/libxslt/CVE-2019-11068.patch
new file mode 100644
index 000000000..db0de8a55
--- /dev/null
+++ b/system/libxslt/CVE-2019-11068.patch
@@ -0,0 +1,120 @@
+From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c   |  9 +++++----
+ libxslt/transform.c |  9 +++++----
+ libxslt/xslt.c      |  9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
+-	if (res == 0) {
+-	    xsltTransformError(ctxt, NULL, NULL,
+-		 "xsltLoadDocument: read rights for %s denied\n",
+-			     URI);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(ctxt, NULL, NULL,
++                     "xsltLoadDocument: read rights for %s denied\n",
++                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, URI);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltLoadStyleDocument: read rights for %s denied\n",
+-			     URI);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsltLoadStyleDocument: read rights for %s denied\n",
++                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cc..3783b247 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ 	int secres;
+ 
+ 	secres = xsltCheckRead(sec, NULL, URI);
+-	if (secres == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsl:import: read rights for %s denied\n",
+-			     URI);
++	if (secres <= 0) {
++            if (secres == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsl:import: read rights for %s denied\n",
++                                 URI);
+ 	    goto error;
+ 	}
+     }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914..0636dbd0 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+      */
+     if (ctxt->sec != NULL) {
+ 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+-	if (ret == 0) {
+-	    xsltTransformError(ctxt, NULL, inst,
+-		 "xsltDocumentElem: write rights for %s denied\n",
+-			     filename);
++	if (ret <= 0) {
++            if (ret == 0)
++                xsltTransformError(ctxt, NULL, inst,
++                     "xsltDocumentElem: write rights for %s denied\n",
++                                 filename);
+ 	    xmlFree(URL);
+ 	    xmlFree(filename);
+ 	    return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad7..a234eb79 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, filename);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltParseStylesheetFile: read rights for %s denied\n",
+-			     filename);
++	if (res <= 0) {
++            if (res == 0)
++                xsltTransformError(NULL, NULL, NULL,
++                     "xsltParseStylesheetFile: read rights for %s denied\n",
++                                 filename);
+ 	    return(NULL);
+ 	}
+     }
+-- 
+2.21.0
+
diff --git a/system/lua5.3/APKBUILD b/system/lua5.3/APKBUILD
index 1589f14d1..9a90fc7c9 100644
--- a/system/lua5.3/APKBUILD
+++ b/system/lua5.3/APKBUILD
@@ -3,7 +3,7 @@ pkgname=lua5.3
 _pkgname=lua
 pkgver=5.3.5
 _luaver=${pkgname#lua}
-pkgrel=0
+pkgrel=1
 pkgdesc="Light-weight programming language"
 url="https://www.lua.org/"
 arch="all"
@@ -17,9 +17,14 @@ source="https://www.lua.org/ftp/$_pkgname-$pkgver.tar.gz
 	lua-5.3-make.patch
 	lua-5.3-module_paths.patch
 	linenoise.patch
+	CVE-2019-6706.patch
 	"
 builddir="$srcdir/$_pkgname-$pkgver"
 
+# secfixes: lua
+#   5.3.5-r1:
+#     - CVE-2019-6706.patch
+
 prepare() {
 	default_prepare
 	cd "$builddir"
@@ -134,4 +139,5 @@ libs() {
 sha512sums="4f9516acc4659dfd0a9e911bfa00c0788f0ad9348e5724fe8fb17aac59e9c0060a64378f82be86f8534e49c6c013e7488ad17321bafcc787831d3d67406bd0f4  lua-5.3.5.tar.gz
 1bc6c623024c1738155b30ff9c0edcce0f336edc25aa20c3a1400c859421ea2015d75175cce8d515e055ac3e96028426b74812e04022af18a0ed4c4601556027  lua-5.3-make.patch
 bc68772390dc8d8940176af0b9fbacc0af61891b5d27de5f1466a4e7f9b3291a1c08ba5add829bc96b789a53fa5ec2dadaa096ca6eabe54ec27724fa2810940f  lua-5.3-module_paths.patch
-49880d1131b7bd2a3169a26f401769a91d9a6a62cefe68aa5a89097139289588b7ef753535a2d0ba7f45c0369c760554940fd810716b7b1353deace32432fcfe  linenoise.patch"
+49880d1131b7bd2a3169a26f401769a91d9a6a62cefe68aa5a89097139289588b7ef753535a2d0ba7f45c0369c760554940fd810716b7b1353deace32432fcfe  linenoise.patch
+77755c083630d48404178012d5947230675311a15f0f5e30efa72004edf3124615fa9080b739240213c013efb015689e09ee653a41d560964a3df78a8fe0fd8d  CVE-2019-6706.patch"
diff --git a/system/lua5.3/CVE-2019-6706.patch b/system/lua5.3/CVE-2019-6706.patch
new file mode 100644
index 000000000..c35f81a4a
--- /dev/null
+++ b/system/lua5.3/CVE-2019-6706.patch
@@ -0,0 +1,27 @@
+Lifted from Ubuntu:
+
+https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/lua5.3/5.3.3-1.1ubuntu1/lua5.3_5.3.3-1.1ubuntu1.debian.tar.xz
+0c7d89b1413cc55f3aff5bbd40e5726b7d69b856befbbf32f00f58588dc4ce81
+
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
++  UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+   UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++  if (*up1 == *up2) return; /* Already joined */
++  (*up2)->refcount++;
++  if (upisopen(*up2)) (*up2)->u.open.touched = 1;
++  luaC_upvalbarrier(L, *up2);
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+-  (*up1)->refcount++;
+-  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+-  luaC_upvalbarrier(L, *up1);
+ }
+ 
+ 
diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD
index abfc78b55..0bb9db2a2 100644
--- a/system/python3/APKBUILD
+++ b/system/python3/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Kiyoshi Aman <kiyoshi.aman@gmail.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=python3
-pkgver=3.6.5
+pkgver=3.6.8
 _basever="${pkgver%.*}"
 pkgrel=0
 pkgdesc="A high-level scripting language"
@@ -40,9 +40,20 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev
 source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
 	musl-find_library.patch
 	fix-xattrs-glibc.patch
+	CVE-2019-9636.patch
+	CVE-2019-9740-and-9947.patch
+	test-fix-selfsign-cert.patch
 	"
 builddir="$srcdir/Python-$pkgver"
 
+# secfixes: python
+#   3.6.8-r0:
+#     - CVE-2018-14647
+#     - CVE-2018-20406
+#     - CVE-2019-9636
+#     - CVE-2019-9740
+#     - CVE-2019-9947
+
 prepare() {
 	default_prepare
 
@@ -161,6 +172,9 @@ wininst() {
 		"$subpkgdir"/usr/lib/python$_basever/distutils/command
 }
 
-sha512sums="6b26fcd296b9bd8e67861eff10d14db7507711ddba947288d16d6def53135c39326b7f969c04bb2b2993f924d9e7ad3f5c5282a3915760bc0885cf0a8ea5eb51  Python-3.6.5.tar.xz
+sha512sums="b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a  Python-3.6.8.tar.xz
 ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2  musl-find_library.patch
-37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad  fix-xattrs-glibc.patch"
+37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad  fix-xattrs-glibc.patch
+bf2ec0bdba63b714f99aa9783a31ab935b234cabe4dc482769462a55bd572c74e03f192fbc5e8a7e2b9a887a5eef7dc0c3819fb464b656f73b500d1b65b591ad  CVE-2019-9636.patch
+daae79c8d914f0afe3c09ef15fa2838958e3d9a45e37bb7ebf84ce431b3635f48744011c640e0f6696922db76da199a55befb3754e335660b6d25f3dad2a8c4e  CVE-2019-9740-and-9947.patch
+34bb7353e93f74a0f70d9b44f9bb9a6561c47a6d2169e08390818113bcb8b25c6660dfab2c2ef2aba6c08805e71719227baf01285da7f8276c61fba422a1bad2  test-fix-selfsign-cert.patch"
diff --git a/system/python3/CVE-2019-9636.patch b/system/python3/CVE-2019-9636.patch
new file mode 100644
index 000000000..45a2c8e97
--- /dev/null
+++ b/system/python3/CVE-2019-9636.patch
@@ -0,0 +1,150 @@
+From 23fc0416454c4ad5b9b23d520fbe6d89be3efc24 Mon Sep 17 00:00:00 2001
+From: Steve Dower <steve.dower@microsoft.com>
+Date: Mon, 11 Mar 2019 21:34:03 -0700
+Subject: [PATCH] [3.6] bpo-36216: Add check for characters in netloc that
+ normalize to separators (GH-12201) (GH-12215)
+
+---
+ Doc/library/urllib.parse.rst                  | 18 +++++++++++++++
+ Lib/test/test_urlparse.py                     | 23 +++++++++++++++++++
+ Lib/urllib/parse.py                           | 17 ++++++++++++++
+ .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst  |  3 +++
+ 4 files changed, 61 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+
+diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
+index d991254d5ca1..647af613a315 100644
+--- a/Doc/library/urllib.parse.rst
++++ b/Doc/library/urllib.parse.rst
+@@ -121,6 +121,11 @@ or on combining URL components into a URL string.
+    Unmatched square brackets in the :attr:`netloc` attribute will raise a
+    :exc:`ValueError`.
+ 
++   Characters in the :attr:`netloc` attribute that decompose under NFKC
++   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
++   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
++   decomposed before parsing, no error will be raised.
++
+    .. versionchanged:: 3.2
+       Added IPv6 URL parsing capabilities.
+ 
+@@ -133,6 +138,10 @@ or on combining URL components into a URL string.
+       Out-of-range port numbers now raise :exc:`ValueError`, instead of
+       returning :const:`None`.
+ 
++   .. versionchanged:: 3.6.9
++      Characters that affect netloc parsing under NFKC normalization will
++      now raise :exc:`ValueError`.
++
+ 
+ .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
+ 
+@@ -256,10 +265,19 @@ or on combining URL components into a URL string.
+    Unmatched square brackets in the :attr:`netloc` attribute will raise a
+    :exc:`ValueError`.
+ 
++   Characters in the :attr:`netloc` attribute that decompose under NFKC
++   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
++   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
++   decomposed before parsing, no error will be raised.
++
+    .. versionchanged:: 3.6
+       Out-of-range port numbers now raise :exc:`ValueError`, instead of
+       returning :const:`None`.
+ 
++   .. versionchanged:: 3.6.9
++      Characters that affect netloc parsing under NFKC normalization will
++      now raise :exc:`ValueError`.
++
+ 
+ .. function:: urlunsplit(parts)
+ 
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index be50b47603aa..e6638aee2244 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1,3 +1,5 @@
++import sys
++import unicodedata
+ import unittest
+ import urllib.parse
+ 
+@@ -984,6 +986,27 @@ def test_all(self):
+                 expected.append(name)
+         self.assertCountEqual(urllib.parse.__all__, expected)
+ 
++    def test_urlsplit_normalization(self):
++        # Certain characters should never occur in the netloc,
++        # including under normalization.
++        # Ensure that ALL of them are detected and cause an error
++        illegal_chars = '/:#?@'
++        hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
++        denorm_chars = [
++            c for c in map(chr, range(128, sys.maxunicode))
++            if (hex_chars & set(unicodedata.decomposition(c).split()))
++            and c not in illegal_chars
++        ]
++        # Sanity check that we found at least one such character
++        self.assertIn('\u2100', denorm_chars)
++        self.assertIn('\uFF03', denorm_chars)
++
++        for scheme in ["http", "https", "ftp"]:
++            for c in denorm_chars:
++                url = "{}://netloc{}false.netloc/path".format(scheme, c)
++                with self.subTest(url=url, char='{:04X}'.format(ord(c))):
++                    with self.assertRaises(ValueError):
++                        urllib.parse.urlsplit(url)
+ 
+ class Utility_Tests(unittest.TestCase):
+     """Testcase to test the various utility functions in the urllib."""
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 85e68c8b42c7..7b06f4d71d67 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):
+             delim = min(delim, wdelim)     # use earliest delim position
+     return url[start:delim], url[delim:]   # return (domain, rest)
+ 
++def _checknetloc(netloc):
++    if not netloc or not any(ord(c) > 127 for c in netloc):
++        return
++    # looking for characters like \u2100 that expand to 'a/c'
++    # IDNA uses NFKC equivalence, so normalize for this check
++    import unicodedata
++    netloc2 = unicodedata.normalize('NFKC', netloc)
++    if netloc == netloc2:
++        return
++    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
++    for c in '/?#@:':
++        if c in netloc2:
++            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
++                             "characters under NFKC normalization")
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+     """Parse a URL into 5 components:
+     <scheme>://<netloc>/<path>?<query>#<fragment>
+@@ -420,6 +435,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+                 url, fragment = url.split('#', 1)
+             if '?' in url:
+                 url, query = url.split('?', 1)
++            _checknetloc(netloc)
+             v = SplitResult(scheme, netloc, url, query, fragment)
+             _parse_cache[key] = v
+             return _coerce_result(v)
+@@ -443,6 +459,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+         url, fragment = url.split('#', 1)
+     if '?' in url:
+         url, query = url.split('?', 1)
++    _checknetloc(netloc)
+     v = SplitResult(scheme, netloc, url, query, fragment)
+     _parse_cache[key] = v
+     return _coerce_result(v)
+diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+new file mode 100644
+index 000000000000..5546394157f9
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+@@ -0,0 +1,3 @@
++Changes urlsplit() to raise ValueError when the URL contains characters that
++decompose under IDNA encoding (NFKC-normalization) into characters that
++affect how the URL is parsed.
diff --git a/system/python3/CVE-2019-9740-and-9947.patch b/system/python3/CVE-2019-9740-and-9947.patch
new file mode 100644
index 000000000..d387dd599
--- /dev/null
+++ b/system/python3/CVE-2019-9740-and-9947.patch
@@ -0,0 +1,147 @@
+From c50d437e942d4c4c45c8cd76329b05340c02eb31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Wed, 8 May 2019 18:33:24 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs. (GH-12755)
+ (GH-13155)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib.urlopen.  This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
+
+Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
+
+Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
+---
+ Lib/http/client.py                            | 15 ++++++
+ Lib/test/test_urllib.py                       | 53 +++++++++++++++++++
+ Lib/test/test_xmlrpc.py                       |  7 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst  |  1 +
+ 4 files changed, 75 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index baabfeb2ea8c..1a6bd8ac42eb 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -141,6 +141,16 @@
+ _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
+ _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
+ 
++# These characters are not allowed within HTTP URL paths.
++#  See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++#  https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740.  Includes control characters such as \r\n.
++# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
++# Arguably only these _should_ allowed:
++#  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1111,6 +1121,11 @@ def putrequest(self, method, url, skip_host=False,
+         self._method = method
+         if not url:
+             url = '/'
++        # Prevent CVE-2019-9740.
++        match = _contains_disallowed_url_pchar_re.search(url)
++        if match:
++            raise InvalidURL(f"URL can't contain control characters. {url!r} "
++                             f"(found at least {match.group()!r})")
+         request = '%s %s %s' % (method, url, self._http_vsn_str)
+ 
+         # Non-ASCII characters should have been eliminated earlier
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index fa3757cc94be..649a5b81575b 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -329,6 +329,59 @@ def test_willclose(self):
+         finally:
+             self.unfakehttp()
+ 
++    @unittest.skipUnless(ssl, "ssl module required")
++    def test_url_with_control_char_rejected(self):
++        for char_no in list(range(0, 0x21)) + [0x7f]:
++            char = chr(char_no)
++            schemeless_url = f"//localhost:7777/test{char}/"
++            self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++            try:
++                # We explicitly test urllib.request.urlopen() instead of the top
++                # level 'def urlopen()' function defined in this... (quite ugly)
++                # test suite.  They use different url opening codepaths.  Plain
++                # urlopen uses FancyURLOpener which goes via a codepath that
++                # calls urllib.parse.quote() on the URL which makes all of the
++                # above attempts at injection within the url _path_ safe.
++                escaped_char_repr = repr(char).replace('\\', r'\\')
++                InvalidURL = http.client.InvalidURL
++                with self.assertRaisesRegex(
++                    InvalidURL, f"contain control.*{escaped_char_repr}"):
++                    urllib.request.urlopen(f"http:{schemeless_url}")
++                with self.assertRaisesRegex(
++                    InvalidURL, f"contain control.*{escaped_char_repr}"):
++                    urllib.request.urlopen(f"https:{schemeless_url}")
++                # This code path quotes the URL so there is no injection.
++                resp = urlopen(f"http:{schemeless_url}")
++                self.assertNotIn(char, resp.geturl())
++            finally:
++                self.unfakehttp()
++
++    @unittest.skipUnless(ssl, "ssl module required")
++    def test_url_with_newline_header_injection_rejected(self):
++        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++        schemeless_url = "//" + host + ":8080/test/?test=a"
++        try:
++            # We explicitly test urllib.request.urlopen() instead of the top
++            # level 'def urlopen()' function defined in this... (quite ugly)
++            # test suite.  They use different url opening codepaths.  Plain
++            # urlopen uses FancyURLOpener which goes via a codepath that
++            # calls urllib.parse.quote() on the URL which makes all of the
++            # above attempts at injection within the url _path_ safe.
++            InvalidURL = http.client.InvalidURL
++            with self.assertRaisesRegex(
++                InvalidURL, r"contain control.*\\r.*(found at least . .)"):
++                urllib.request.urlopen(f"http:{schemeless_url}")
++            with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
++                urllib.request.urlopen(f"https:{schemeless_url}")
++            # This code path quotes the URL so there is no injection.
++            resp = urlopen(f"http:{schemeless_url}")
++            self.assertNotIn(' ', resp.geturl())
++            self.assertNotIn('\r', resp.geturl())
++            self.assertNotIn('\n', resp.geturl())
++        finally:
++            self.unfakehttp()
++
+     def test_read_0_9(self):
+         # "0.9" response accepted (but not "simple responses" without
+         # a status line)
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+index 07f7ba0f00b5..fc601d455224 100644
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -950,7 +950,12 @@ def test_unicode_host(self):
+     def test_partial_post(self):
+         # Check that a partial POST doesn't make the server loop: issue #14001.
+         conn = http.client.HTTPConnection(ADDR, PORT)
+-        conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
++        conn.send('POST /RPC2 HTTP/1.0\r\n'
++                  'Content-Length: 100\r\n\r\n'
++                  'bye HTTP/1.1\r\n'
++                  f'Host: {ADDR}:{PORT}\r\n'
++                  'Accept-Encoding: identity\r\n'
++                  'Content-Length: 0\r\n\r\n'.encode('ascii'))
+         conn.close()
+ 
+     def test_context_manager(self):
+diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+new file mode 100644
+index 000000000000..ed8027fb4d64
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+@@ -0,0 +1 @@
++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request.  Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
diff --git a/system/python3/test-fix-selfsign-cert.patch b/system/python3/test-fix-selfsign-cert.patch
new file mode 100644
index 000000000..eb6c9f355
--- /dev/null
+++ b/system/python3/test-fix-selfsign-cert.patch
@@ -0,0 +1,84 @@
+From 2b9d7abdbd4b41e2c624858f5bc80da59d8a681d Mon Sep 17 00:00:00 2001
+From: "Gregory P. Smith" <greg@krypto.org>
+Date: Wed, 8 May 2019 14:20:59 -0500
+Subject: [PATCH] [3.6] bpo-36816: Update the self-signed.pythontest.net cert
+ (GH-13192) (GH-13198)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We updated the server, our testsuite must match.
+
+https://bugs.python.org/issue36816
+
+✈️ CLE -> DEN ✈️ GH-pycon2019
+(cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/test/selfsigned_pythontestdotnet.pem      | 46 +++++++++++++------
+ .../2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst  |  1 +
+ 2 files changed, 33 insertions(+), 14 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
+
+diff --git a/Lib/test/selfsigned_pythontestdotnet.pem b/Lib/test/selfsigned_pythontestdotnet.pem
+index b6d259bcb236..2b1760747bce 100644
+--- a/Lib/test/selfsigned_pythontestdotnet.pem
++++ b/Lib/test/selfsigned_pythontestdotnet.pem
+@@ -1,16 +1,34 @@
+ -----BEGIN CERTIFICATE-----
+-MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+-BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
+-IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
+-bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
+-A1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4MSMwIQYDVQQKDBpQeXRo
+-b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
+-aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
+-Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
+-Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
+-EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
+-bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+-AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
+-TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
+-C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
++MIIF9zCCA9+gAwIBAgIUH98b4Fw/DyugC9cV7VK7ZODzHsIwDQYJKoZIhvcNAQEL
++BQAwgYoxCzAJBgNVBAYTAlhZMRcwFQYDVQQIDA5DYXN0bGUgQW50aHJheDEYMBYG
++A1UEBwwPQXJndW1lbnQgQ2xpbmljMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUg
++Rm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0aG9udGVzdC5uZXQw
++HhcNMTkwNTA4MDEwMjQzWhcNMjcwNzI0MDEwMjQzWjCBijELMAkGA1UEBhMCWFkx
++FzAVBgNVBAgMDkNhc3RsZSBBbnRocmF4MRgwFgYDVQQHDA9Bcmd1bWVudCBDbGlu
++aWMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMSMwIQYDVQQD
++DBpzZWxmLXNpZ25lZC5weXRob250ZXN0Lm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD
++ggIPADCCAgoCggIBAMKdJlyCThkahwoBb7pl5q64Pe9Fn5jrIvzsveHTc97TpjV2
++RLfICnXKrltPk/ohkVl6K5SUZQZwMVzFubkyxE0nZPHYHlpiKWQxbsYVkYv01rix
++IFdLvaxxbGYke2jwQao31s4o61AdlsfK1SdpHQUynBBMssqI3SB4XPmcA7e+wEEx
++jxjVish4ixA1vuIZOx8yibu+CFCf/geEjoBMF3QPdzULzlrCSw8k/45iZCSoNbvK
++DoL4TVV07PHOxpheDh8ZQmepGvU6pVqhb9m4lgmV0OGWHgozd5Ur9CbTVDmxIEz3
++TSoRtNJK7qtyZdGNqwjksQxgZTjM/d/Lm/BJG99AiOmYOjsl9gbQMZgvQmMAtUsI
++aMJnQuZ6R+KEpW/TR5qSKLWZSG45z/op+tzI2m+cE6HwTRVAWbcuJxcAA55MZjqU
++OOOu3BBYMjS5nf2sQ9uoXsVBFH7i0mQqoW1SLzr9opI8KsWwFxQmO2vBxWYaN+lH
++OmwBZBwyODIsmI1YGXmTp09NxRYz3Qe5GCgFzYowpMrcxUC24iduIdMwwhRM7rKg
++7GtIWMSrFfuI1XCLRmSlhDbhNN6fVg2f8Bo9PdH9ihiIyxSrc+FOUasUYCCJvlSZ
++8hFUlLvcmrZlWuazohm0lsXuMK1JflmQr/DA/uXxP9xzFfRy+RU3jDyxJbRHAgMB
++AAGjUzBRMB0GA1UdDgQWBBSQJyxiPMRK01i+0BsV9zUwDiBaHzAfBgNVHSMEGDAW
++gBSQJyxiPMRK01i+0BsV9zUwDiBaHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
++DQEBCwUAA4ICAQCR+7a7N/m+WLkxPPIA/CB4MOr2Uf8ixTv435Nyv6rXOun0+lTP
++ExSZ0uYQ+L0WylItI3cQHULldDueD+s8TGzxf5woaLKf6tqyr0NYhKs+UeNEzDnN
++9PHQIhX0SZw3XyXGUgPNBfRCg2ZDdtMMdOU4XlQN/IN/9hbYTrueyY7eXq9hmtI9
++1srftAMqr9SR1JP7aHI6DVgrEsZVMTDnfT8WmLSGLlY1HmGfdEn1Ip5sbo9uSkiH
++AEPgPfjYIvR5LqTOMn4KsrlZyBbFIDh9Sl99M1kZzgH6zUGVLCDg1y6Cms69fx/e
++W1HoIeVkY4b4TY7Bk7JsqyNhIuqu7ARaxkdaZWhYaA2YyknwANdFfNpfH+elCLIk
++BUt5S3f4i7DaUePTvKukCZiCq4Oyln7RcOn5If73wCeLB/ZM9Ei1HforyLWP1CN8
++XLfpHaoeoPSWIveI0XHUl65LsPN2UbMbul/F23hwl+h8+BLmyAS680Yhn4zEN6Ku
++B7Po90HoFa1Du3bmx4jsN73UkT/dwMTi6K072FbipnC1904oGlWmLwvAHvrtxxmL
++Pl3pvEaZIu8wa/PNF6Y7J7VIewikIJq6Ta6FrWeFfzMWOj2qA1ZZi6fUaDSNYvuV
++J5quYKCc/O+I/yDDf8wyBbZ/gvUXzUHTMYGG+bFrn1p7XDbYYeEJ6R/xEg==
+ -----END CERTIFICATE-----
+diff --git a/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
+new file mode 100644
+index 000000000000..420dfe832366
+--- /dev/null
++++ b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
+@@ -0,0 +1 @@
++Update Lib/test/selfsigned_pythontestdotnet.pem to match self-signed.pythontest.net's new TLS certificate.
+\ No newline at end of file
diff --git a/system/sharutils/APKBUILD b/system/sharutils/APKBUILD
index 6a0d92e82..67b264b53 100644
--- a/system/sharutils/APKBUILD
+++ b/system/sharutils/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=sharutils
 pkgver=4.15.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Utilities for manipulating shell archives"
 url="https://www.gnu.org/software/sharutils/"
 arch="all"
@@ -10,10 +10,14 @@ license="GPL-3.0+"
 depends="bzip2"
 makedepends_build="texinfo"
 subpackages="$pkgname-lang $pkgname-doc"
-source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"
+source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
+	CVE-2018-1000097.patch"
+
+# secfixes:
+#   4.15.2-r2:
+#     - CVE-2018-1000097
 
 build() {
-	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -26,15 +30,14 @@ build() {
 }
 
 check() {
-	cd "$builddir"
 	make check
 }
 
 package() {
-	cd "$builddir"
 	make DESTDIR="$pkgdir" install
 	rm "$pkgdir"/usr/lib/charset.alias
 	rmdir "$pkgdir"/usr/lib || true
 }
 
-sha512sums="80d0b804a0617e11e5c23dc0d59b218bbf93e40aaf5e9a5401a18ef9cb700390aab711e2b2e2f26c8fd5b8ef99a91d3405e01d02cadabcba7639979314e59f8d  sharutils-4.15.2.tar.xz"
+sha512sums="80d0b804a0617e11e5c23dc0d59b218bbf93e40aaf5e9a5401a18ef9cb700390aab711e2b2e2f26c8fd5b8ef99a91d3405e01d02cadabcba7639979314e59f8d  sharutils-4.15.2.tar.xz
+6415da74c4f6f203bc4ad617bd05fa6ac86e1079538236148763e0b5e81ca8ea4004ea58e9e4755ba371246a7c469ef1e421576260494043d3ce3fc80e73cf69  CVE-2018-1000097.patch"
diff --git a/system/sharutils/CVE-2018-1000097.patch b/system/sharutils/CVE-2018-1000097.patch
new file mode 100644
index 000000000..f61662040
--- /dev/null
+++ b/system/sharutils/CVE-2018-1000097.patch
@@ -0,0 +1,16 @@
+From: Petr Pisar
+Subject: Fix CVE-2018-1000097, heap buffer overflow in unshar
+Bug-Debian: https://bugs.debian.org/893525
+X-Debian-version: 1:4.15.2-3
+
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
++      if (!fgets (rw_buffer, rw_base_size, file))
+ 	{
+ 	  if (!start)
+ 	    error (0, 0, _("Found no shell commands in %s"), name);
author	A. Wilcox <awilcox@wilcox-tech.com>	2019-06-21 23:38:53 +0000
committer	A. Wilcox <awilcox@wilcox-tech.com>	2019-06-21 23:38:53 +0000
commit	fd45ed897742614bd2867cb46578557beb820026 (patch)
tree	8eaa82bc50ad1a89272b146743ec1544163d48f3 /system
parent	86d0de126ffdebdb8cee9581ce51c16a6f20b58b (diff)
parent	332e0a40fabc1c4047a631273e5d5df46cbf4bb2 (diff)
download	packages-fd45ed897742614bd2867cb46578557beb820026.tar.gz packages-fd45ed897742614bd2867cb46578557beb820026.tar.bz2 packages-fd45ed897742614bd2867cb46578557beb820026.tar.xz packages-fd45ed897742614bd2867cb46578557beb820026.zip