Merge branch 'bump/misc/2020.03.23' into 'master'

Miscellaneous bumps for 2020.03.23

See merge request adelie/packages!417

6 files changed, 81 insertions, 37 deletions

diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index c4ae4fa31..d51d14ae7 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Timo Teräs <timo.teras@iki.fi>
 # Maintainer: Max Rees <maxcrees@me.com>
 pkgname=bubblewrap
-pkgver=0.3.3
+pkgver=0.4.0
 pkgrel=0
 pkgdesc="Unprivileged sandboxing tool"
 url="https://github.com/projectatomic/bubblewrap"
@@ -9,21 +9,21 @@ arch="all"
 options="!check suid"  # requires suid to already be set in order to check
 license="LGPL-2.0+"
 makedepends="autoconf automake libcap-dev docbook-xsl"
-checkdepends="sudo"
+checkdepends="python3 sudo"
 subpackages="$pkgname-nosuid $pkgname-doc
 	$pkgname-bash-completion:bashcomp:noarch"
-source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
+source="bubblewrap-$pkgver.tar.gz::https://github.com/containers/bubblewrap/archive/v$pkgver.tar.gz
 	realpath-workaround.patch
-	musl-fixes.patch
-	tests.patch"
+	tests.patch
+	"
 
 # secfixes:
 #   0.3.3-r0:
-#   - CVE-2019-12439
+#     - CVE-2019-12439
 
 prepare() {
-	srcdir= NOCONFIGURE=1 ./autogen.sh
 	default_prepare
+	NOCONFIGURE=1 ./autogen.sh
 }
 
 build() {
@@ -39,14 +39,16 @@ build() {
 }
 
 check() {
-	# Uses sudo to chown root and setuid $builddir/test-bwrap
+	# 1. chown root and chmod u+s $builddir/test-bwrap
+	# 2. Run abuild check (suid test)
+	# 3. Unset permissions on test-bwrap
+	# 4. Run abuild check again (nosuid test)
 	#
-	# As of 0.3.3-r0, all tests pass on ppc64 except those relating
-	# to bind mounts over symlinks. Those tests fail because musl's
-	# realpath depends on the availability of /proc, which is not
-	# available in the middle of the setup procedure since pivot_root
-	# has been performed at least once. They have been patched to be
-	# skipped.
+	# As of 0.4.0, all tests pass except those relating to bind mounts
+	# over symlinks. Those tests fail because musl's realpath depends on
+	# the availability of /proc, which is not available in the middle of
+	# the setup procedure since pivot_root has been performed at least
+	# once. They have been patched to be skipped.
 	make check
 }
 
@@ -72,7 +74,6 @@ bashcomp() {
 	mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
 }
 
-sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae  bubblewrap-0.3.3.tar.gz
+sha512sums="1957126e13900bbb1c9c885802f513006313836826938555899a8ad0e6c3ba47478eae0cc90f4aceff228663379b45203dce4fa57d6bfc489984670571232b97  bubblewrap-0.4.0.tar.gz
 400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4  realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e  musl-fixes.patch
 d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd  tests.patch"
diff --git a/system/bubblewrap/musl-fixes.patch b/system/bubblewrap/musl-fixes.patch
deleted file mode 100644
index ecf626331..000000000
--- a/system/bubblewrap/musl-fixes.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/config.h.in
-+++ b/config.h.in
-@@ -102,3 +102,14 @@
- 
- /* Define to 1 if you need to in order for `stat' and other things to work. */
- #undef _POSIX_SOURCE
-+
-+/* taken from glibc unistd.h and fixes musl */
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+  (__extension__                                                              \
-+    ({ long int __result;                                                     \
-+       do __result = (long int) (expression);                                 \
-+       while (__result == -1L && errno == EINTR);                             \
-+       __result; }))
-+#endif
-+
diff --git a/system/gettext-tiny/APKBUILD b/system/gettext-tiny/APKBUILD
index ce62d5c99..a1d199ecd 100644
--- a/system/gettext-tiny/APKBUILD
+++ b/system/gettext-tiny/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=gettext-tiny
 pkgver=0.3.1_git20191130
-pkgrel=2
+pkgrel=3
 pkgdesc="An internationalisation and localisation system"
 url="https://github.com/sabotage-linux/gettext-tiny"
 arch="all"
@@ -16,6 +16,7 @@ source="https://distfiles.adelielinux.org/source/$pkgname-$pkgver.tar.xz
 	line-length.patch
 	respect-cflags.patch
 	stop-doing-macro-crap.patch
+	msgfmt-exit.patch
 	"
 
 build() {
@@ -30,4 +31,5 @@ sha512sums="a318135626a0403a30a81fa475f7e1878b8af5a87053b0e00876c73b591508f3cf1e
 8efbf9c11429ab26f3c15e00c34258200598833b8f846a23e4c8d95023c2184d9dcf9cbb48d58eec1604442691af76e6f8e904ad7348016c393257aa30eae7cd  keyword.patch
 0a26a8481bffe2ce8c73f7f500963aea9db8379fb87849142d8efabf1656604b22f6ad345483256f14c388466f2f44e5924b9f65d88f26867a753a96d1529270  line-length.patch
 b4e7db4e415f6bc31f2214f2044506ad18ea0bd3cae4200d93bbd34aa493c7478a7f953d0a7e08f29f0fd5a5d7b7cbfa2bcfd5692c37e423706a1c193239bf1d  respect-cflags.patch
-cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526  stop-doing-macro-crap.patch"
+cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526  stop-doing-macro-crap.patch
+0037a1347f9ac2aa6f68160441b83c35ce8128ca140be93f3c508e6cd02161e49edff82034877ed11c127886337455ff4ea941b6a14168c2ca69aa82a7cff8a5  msgfmt-exit.patch"
diff --git a/system/gettext-tiny/msgfmt-exit.patch b/system/gettext-tiny/msgfmt-exit.patch
new file mode 100644
index 000000000..f5ff3fbb8
--- /dev/null
+++ b/system/gettext-tiny/msgfmt-exit.patch
@@ -0,0 +1,36 @@
+From 0e62c2588742cfffd3dc81c09ecc8488c0ce25b9 Mon Sep 17 00:00:00 2001
+From: Max Rees <maxcrees@me.com>
+Date: Sun, 22 Mar 2020 20:20:15 -0500
+Subject: [PATCH] msgfmt: exit(1) if incorrectly used
+
+This prevents builds from continuing seemingly fine when they are
+actually not using this version of msgfmt correctly.
+---
+ src/msgfmt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/msgfmt.c b/src/msgfmt.c
+index aa16c5e..3de9a56 100644
+--- a/src/msgfmt.c
++++ b/src/msgfmt.c
+@@ -278,7 +278,7 @@ void set_file(int out, char* fn, FILE** dest) {
+ int main(int argc, char**argv) {
+ 	if (argc == 1) {
+ 		syntax();
+-		return 0;
++		return 1;
+ 	}
+ 
+ 	int arg = 1;
+@@ -376,7 +376,7 @@ int main(int argc, char**argv) {
+ 				streq(A+1, "D")
+ 			) {
+ 				syntax();
+-				return 0;
++				return 1;
+ 			} else if (streq(A+1, "l")) {
+ 				arg++;
+ 				locale = A;
+-- 
+2.25.1
+
diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 537c1010a..0cb185852 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -38,11 +38,13 @@
 #     - CVE-2019-16201
 #     - CVE-2019-16254
 #     - CVE-2019-16255
+#   2.5.7-r1:
+#     - CVE-2020-8130
 #
 pkgname=ruby
 pkgver=2.5.7
 _abiver="${pkgver%.*}.0"
-pkgrel=0
+pkgrel=1
 pkgdesc="An object-oriented language for quick and easy programming"
 url="https://www.ruby-lang.org/"
 arch="all"
@@ -76,6 +78,7 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
 	test_insns-lower-recursion-depth.patch
 	fix-get_main_stack.patch
 	libedit-compat.patch
+	CVE-2020-8130.patch
 	"
 replaces="ruby-etc ruby-gems"
 
@@ -318,4 +321,5 @@ sha512sums="63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef
 20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb  rubygems-avoid-platform-specific-gems.patch
 814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150  test_insns-lower-recursion-depth.patch
 e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe  fix-get_main_stack.patch
-6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2  libedit-compat.patch"
+6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2  libedit-compat.patch
+50b3a2aca1c0d7a7b557e030fbf57049512730cd6516cb6b26624855c25a20e84eef7f84ec9eafb94200de067ec67790e5fe0902e69681ac4de9195240b318dc  CVE-2020-8130.patch"
diff --git a/system/ruby/CVE-2020-8130.patch b/system/ruby/CVE-2020-8130.patch
new file mode 100644
index 000000000..3cb6e4adf
--- /dev/null
+++ b/system/ruby/CVE-2020-8130.patch
@@ -0,0 +1,18 @@
+Note: adjusted paths since it's being vendored inside ruby.
+
+From 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Mon, 22 Jul 2019 10:23:43 +0900
+Subject: [PATCH] Use File.open explicitly.
+
+--- ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
++++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@ def egrep(pattern, *options)
+       matched = 0
+       each do |fn|
+         begin
+-          open(fn, "r", *options) do |inf|
++          File.open(fn, "r", *options) do |inf|
+             count = 0
+             inf.each do |line|
+               count += 1