Merge branch 'cves.2020.02.28' into 'master'

CVE patches for 2020.02.28 See merge request adelie/packages!408
author: A. Wilcox <awilcox@wilcox-tech.com> 2020-03-10 02:44:11 +0000
committer: A. Wilcox <awilcox@wilcox-tech.com> 2020-03-10 02:44:11 +0000
commit: b2b91cc7b341c21dd2754f766e3688d1cd8683cd (patch)
tree: 89eb840eb4db48f40d8e3b4315b883b108d3b71e /user
parent: 757c7417918541af9e656e023b2ead86998a07d9 (diff)
parent: 2da62e2b9ab827bf6930e008d51cd0ab468dbd1b (diff)
download: packages-b2b91cc7b341c21dd2754f766e3688d1cd8683cd.tar.gz
packages-b2b91cc7b341c21dd2754f766e3688d1cd8683cd.tar.bz2
packages-b2b91cc7b341c21dd2754f766e3688d1cd8683cd.tar.xz
packages-b2b91cc7b341c21dd2754f766e3688d1cd8683cd.zip
16 files changed, 572 insertions, 26 deletions
diff --git a/user/djvulibre/APKBUILD b/user/djvulibre/APKBUILD
index 2b4a3ed0e..fa2ce6059 100644
--- a/user/djvulibre/APKBUILD
+++ b/user/djvulibre/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=djvulibre
 pkgver=3.5.27
-pkgrel=1
+pkgrel=2
 pkgdesc="Format for distributing documents and images"
 url="http://djvu.sourceforge.net/"
 arch="all"
@@ -15,7 +15,9 @@ source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz
 	CVE-2019-15142.patch
 	CVE-2019-15143.patch
 	CVE-2019-15144.patch
-	CVE-2019-15145.patch"
+	CVE-2019-15145.patch
+	CVE-2019-18804.patch
+	"
 
 # secfixes:
 #   3.5.27-r1:
@@ -23,6 +25,8 @@ source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz
 #     - CVE-2019-15143
 #     - CVE-2019-15144
 #     - CVE-2019-15145
+#   3.5.27-r2:
+#     - CVE-2019-18804
 
 build() {
 	./configure \
@@ -48,4 +52,5 @@ sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252
 d9e4301fb98a35b8c2f1854eb4be53611f98b3fc9fdd357dd5502b5b189bdf61957a48b220f3ab7465bbf1df8606ce04513e10df74643a9e289c349f94721561  CVE-2019-15142.patch
 3527e1c84f7c7d36f902cb3d7e9ddb6866acbdd4b47675ce3ffd164accf2e2931a4c6bbaae2ea775b4710d88ae34dd4dcd39a5846fce13bef2c82a99d608b8c1  CVE-2019-15143.patch
 f8f1abf328a97d69514b2626e4c6449c0c7b7e2b5518d56bba6a61a944aaf4b7fffd1371c26396353728f6a1399c6d87492af5c17e6b623dae7751b81eac11f9  CVE-2019-15144.patch
-790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068  CVE-2019-15145.patch"
+790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068  CVE-2019-15145.patch
+e5d6cd98f208db49880c6237f7cd8ab097d02f9771936c04a5acc48d9d18876d5cf48bcc61b14f1affc501ee63e8d6337fa83af259485ef35d4faa5086f06d10  CVE-2019-18804.patch"
diff --git a/user/djvulibre/CVE-2019-18804.patch b/user/djvulibre/CVE-2019-18804.patch
new file mode 100644
index 000000000..7c66c3989
--- /dev/null
+++ b/user/djvulibre/CVE-2019-18804.patch
@@ -0,0 +1,39 @@
+From c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Thu, 17 Oct 2019 22:20:31 -0400
+Subject: [PATCH] Fixed bug 309
+
+---
+ libdjvu/IW44EncodeCodec.cpp | 2 +-
+ tools/ddjvu.cpp             | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp
+index 00752a0..f81eaeb 100644
+--- a/libdjvu/IW44EncodeCodec.cpp
++++ b/libdjvu/IW44EncodeCodec.cpp
+@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale)
+   int y = 0;
+   int s = scale*rowsize;
+   int s3 = s+s+s;
+-  h = ((h-1)/scale)+1;
++  h = (h>0) ? ((h-1)/scale)+1 : 0;
+   y += 1;
+   p += s;
+   while (y-3 < h)
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 6d0df3b..7109952 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno)
+       prect.h = (ih * 100) / dpi;
+     }
+   /* Process aspect ratio */
+-  if (flag_aspect <= 0)
++  if (flag_aspect <= 0 && iw>0 && ih>0)
+     {
+       double dw = (double)iw / prect.w;
+       double dh = (double)ih / prect.h;
+-- 
+2.20.1
+
diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD
index f1ca3f81f..fb710b602 100644
--- a/user/exiv2/APKBUILD
+++ b/user/exiv2/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=exiv2
 pkgver=0.27.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Exif, IPTC and XMP metadata library and tools"
 url="https://www.exiv2.org/"
 arch="all"
@@ -12,8 +12,11 @@ checkdepends="python3 libxml2 cmd:which"
 makedepends="$depends_dev bash cmake"
 subpackages="$pkgname-dev $pkgname-doc"
 source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
-	https://dev.sick.bike/dist/exiv2-0.27.2-POC-file_issue_1019
-	CVE-2019-17402.patch"
+	https://dev.sick.bike/dist/exiv2-$pkgver-POC-file_issue_1019
+	https://dev.sick.bike/dist/exiv2-$pkgver-Jp2Image_readMetadata_loop.poc
+	CVE-2019-17402.patch
+	CVE-2019-20421.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver-Source"
 
 # secfixes:
@@ -86,6 +89,8 @@ builddir="$srcdir/$pkgname-$pkgver-Source"
 #     - CVE-2019-13114
 #   0.27.2-r1:
 #     - CVE-2019-17402
+#   0.27.2-r2:
+#     - CVE-2019-20421
 
 prepare() {
 	default_prepare
@@ -93,6 +98,10 @@ prepare() {
 	# Remove #1019 POC after >= 0.27.2
 	mv "$srcdir/$pkgname-$pkgver-POC-file_issue_1019" \
 		test/data/POC-file_issue_1019
+
+	# Ditto
+	mv "$srcdir/$pkgname-$pkgver-Jp2Image_readMetadata_loop.poc" \
+		test/data/Jp2Image_readMetadata_loop.poc
 }
 
 build() {
@@ -112,4 +121,6 @@ package() {
 
 sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721  exiv2-0.27.2-Source.tar.gz
 cfe0b534c29c37e7b6e5a00e8ec320cb57eb17187813fe30677a097e930655f1b097ce77806e0124affbdc423b48d9910560158eed9d2d03418a824244dafba9  exiv2-0.27.2-POC-file_issue_1019
-623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd  CVE-2019-17402.patch"
+d2c0f59e9e2daf00066b0ad73253bb7bb09b3319606813f16478ef5717751e4cbb93d12f5c9339dae2965dcf6a63138bdb4205b698aeab57a75f97ddf458d4f7  exiv2-0.27.2-Jp2Image_readMetadata_loop.poc
+623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd  CVE-2019-17402.patch
+c819f06a194b8465c66ccd91b8373cb2a359e59bab7583a8abb873c2001efe6188ac8fa4717c6382d2f2396d25e79e7b397c5ebf000d35c4a7dae547db7bc77b  CVE-2019-20421.patch"
diff --git a/user/exiv2/CVE-2019-20421.patch b/user/exiv2/CVE-2019-20421.patch
new file mode 100644
index 000000000..bdc5449f2
--- /dev/null
+++ b/user/exiv2/CVE-2019-20421.patch
@@ -0,0 +1,116 @@
+From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
+From: clanmills <robin@clanmills.com>
+Date: Tue, 1 Oct 2019 17:39:44 +0100
+Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
+
+---
+ src/jp2image.cpp                             |  25 +++++++++++++++----
+ tests/bugfixes/github/test_CVE_2017_17725.py |   4 +--
+ tests/bugfixes/github/test_issue_1011.py     |  13 ++++++++++
+ 4 files changed, 35 insertions(+), 7 deletions(-)
+ create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
+ create mode 100644 tests/bugfixes/github/test_issue_1011.py
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index d5cd1340a..0de088d62 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -18,10 +18,6 @@
+  * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
+  */
+ 
+-/*
+-  File:      jp2image.cpp
+-*/
+-
+ // *****************************************************************************
+ 
+ // included header files
+@@ -197,6 +193,16 @@ namespace Exiv2
+         return result;
+     }
+ 
++static void boxes_check(size_t b,size_t m)
++{
++    if ( b > m ) {
++#ifdef EXIV2_DEBUG_MESSAGES
++        std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
++#endif
++        throw Error(kerCorruptedMetadata);
++    }
++}
++
+     void Jp2Image::readMetadata()
+     {
+ #ifdef EXIV2_DEBUG_MESSAGES
+@@ -219,9 +225,12 @@ namespace Exiv2
+         Jp2BoxHeader      subBox    = {0,0};
+         Jp2ImageHeaderBox ihdr      = {0,0,0,0,0,0,0,0};
+         Jp2UuidBox        uuid      = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
++        size_t            boxes     = 0 ;
++        size_t            boxem     = 1000 ; // boxes max
+ 
+         while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
+         {
++            boxes_check(boxes++,boxem );
+             position   = io_->tell();
+             box.length = getLong((byte*)&box.length, bigEndian);
+             box.type   = getLong((byte*)&box.type, bigEndian);
+@@ -251,8 +260,12 @@ namespace Exiv2
+ 
+                     while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
+                     {
++                        boxes_check(boxes++, boxem) ;
+                         subBox.length = getLong((byte*)&subBox.length, bigEndian);
+                         subBox.type   = getLong((byte*)&subBox.type, bigEndian);
++                        if (subBox.length > io_->size() ) {
++                            throw Error(kerCorruptedMetadata);
++                        }
+ #ifdef EXIV2_DEBUG_MESSAGES
+                         std::cout << "Exiv2::Jp2Image::readMetadata: "
+                         << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+@@ -308,7 +321,9 @@ namespace Exiv2
+                         }
+ 
+                         io_->seek(restore,BasicIo::beg);
+-                        io_->seek(subBox.length, Exiv2::BasicIo::cur);
++                        if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
++                            throw Error(kerCorruptedMetadata);
++                        }
+                         restore = io_->tell();
+                     }
+                     break;
+diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
+index 1127b9806..670a75d8d 100644
+--- a/tests/bugfixes/github/test_CVE_2017_17725.py
++++ b/tests/bugfixes/github/test_CVE_2017_17725.py
+@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
+     filename = "$data_path/poc_2017-12-12_issue188"
+     commands = ["$exiv2 " + filename]
+     stdout = [""]
+-    stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
+-$addition_overflow_message
++    stderr = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
+ """]
+     retval = [1]
+diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py
+new file mode 100644
+index 000000000..415861188
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_1011.py
+@@ -0,0 +1,13 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, path
++
++class Test_issue_1011(metaclass=CaseMeta):
++
++    filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
++    commands = ["$exiv2 " + filename]
++    stdout   = [""]
++    stderr   = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
++"""]
++    retval = [1]
+\ No newline at end of file
diff --git a/user/hunspell/APKBUILD b/user/hunspell/APKBUILD
index 79da8d619..ec63c5414 100644
--- a/user/hunspell/APKBUILD
+++ b/user/hunspell/APKBUILD
@@ -1,7 +1,7 @@
-# Maintainer: 
+# Maintainer:
 pkgname=hunspell
 pkgver=1.7.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Spell checker and morphological analyzer library and program"
 url="https://hunspell.github.io/"
 arch="all"
@@ -9,7 +9,12 @@ license="GPL-2.0+ AND LGPL-2.0+ AND MPL-1.1"
 depends=""
 makedepends="ncurses-dev autoconf automake libtool"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
-source="$pkgname-$pkgver.tar.gz::https://github.com/hunspell/hunspell/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/hunspell/hunspell/archive/v$pkgver.tar.gz
+	CVE-2019-16707.patch"
+
+# secfixes:
+#   1.7.0-r1:
+#     - CVE-2019-16707
 
 prepare() {
 	default_prepare
@@ -35,4 +40,5 @@ package() {
 	make -j1 DESTDIR="$pkgdir" install
 }
 
-sha512sums="8149b2e8b703a0610c9ca5160c2dfad3cf3b85b16b3f0f5cfcb7ebb802473b2d499e8e2d0a637a97a37a24d62424e82d3880809210d3f043fa17a4970d47c903  hunspell-1.7.0.tar.gz"
+sha512sums="8149b2e8b703a0610c9ca5160c2dfad3cf3b85b16b3f0f5cfcb7ebb802473b2d499e8e2d0a637a97a37a24d62424e82d3880809210d3f043fa17a4970d47c903  hunspell-1.7.0.tar.gz
+e7674819a9da4c3d742d34338d68d137d8613f97be2d25bf20db5219d4dd626f59a63ed4757b92f34307f499f2d687014065cdea97b55c98db295a8290300d2d  CVE-2019-16707.patch"
diff --git a/user/hunspell/CVE-2019-16707.patch b/user/hunspell/CVE-2019-16707.patch
new file mode 100644
index 000000000..649eef5b2
--- /dev/null
+++ b/user/hunspell/CVE-2019-16707.patch
@@ -0,0 +1,22 @@
+From ac938e2ecb48ab4dd21298126c7921689d60571b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 12 Nov 2019 20:03:15 +0000
+Subject: [PATCH] invalid read memory access #624
+
+---
+ src/hunspell/suggestmgr.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hunspell/suggestmgr.cxx b/src/hunspell/suggestmgr.cxx
+index dba084e9..c23f165a 100644
+--- a/src/hunspell/suggestmgr.cxx
++++ b/src/hunspell/suggestmgr.cxx
+@@ -2040,7 +2040,7 @@ int SuggestMgr::leftcommonsubstring(
+   int l2 = su2.size();
+   // decapitalize dictionary word
+   if (complexprefixes) {
+-    if (su1[l1 - 1] == su2[l2 - 1])
++    if (l1 && l2 && su1[l1 - 1] == su2[l2 - 1])
+       return 1;
+   } else {
+     unsigned short idx = su2.empty() ? 0 : (su2[0].h << 8) + su2[0].l;
diff --git a/user/libexif/APKBUILD b/user/libexif/APKBUILD
index de51ae7b0..06e1e832a 100644
--- a/user/libexif/APKBUILD
+++ b/user/libexif/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: 
 pkgname=libexif
 pkgver=0.6.21
-pkgrel=3
+pkgrel=4
 pkgdesc="Library to parse EXIF metadata"
 url="https://sourceforge.net/projects/libexif"
 arch="all"
@@ -10,14 +10,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
 depends=""
 makedepends=""
 source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.bz2
+	CVE-2016-6328.patch
 	CVE-2017-7544.patch
 	CVE-2018-20030.patch
+	CVE-2019-9278.patch
 	"
 
 # secfixes:
 #   0.6.21-r3:
 #     - CVE-2017-7544
 #     - CVE-2018-20030
+#   0.6.21-r4:
+#     - CVE-2016-6328
+#     - CVE-2019-9278
 
 prepare() {
 	default_prepare
@@ -41,5 +46,7 @@ package() {
 }
 
 sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35  libexif-0.6.21.tar.bz2
+c0d4c74207993efc373615ef2c797d720162a2ee6fd7ad026edf2ced4198d9b1165b88790c2af3194f6bb7c2de88d4672c041c2cff8a82c8914700633332b8c5  CVE-2016-6328.patch
 d529c6c5bd26dc21c0946702574184e1f61c2bfd4fb95b41e314f486a0dd55571963ff2cad566d2fb0804de3c0799bcd956c15a3dc10a520ce207728edad4e2d  CVE-2017-7544.patch
-0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc  CVE-2018-20030.patch"
+0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc  CVE-2018-20030.patch
+c30c03fefea94d175b94c9f0c4d60cbb3aa0ad78b0d29008975fbbb15c17f2907a16fd50970e5fa18d533d0ce291a5ee9b62934210cb40b0f463693460607738  CVE-2019-9278.patch"
diff --git a/user/libexif/CVE-2016-6328.patch b/user/libexif/CVE-2016-6328.patch
new file mode 100644
index 000000000..0568f27d2
--- /dev/null
+++ b/user/libexif/CVE-2016-6328.patch
@@ -0,0 +1,60 @@
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 2)
++					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
++				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 4)
++					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
++				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		break;
+ 	}
+ 
+-	return (val);
++	return val;
+ }
diff --git a/user/libexif/CVE-2019-9278.patch b/user/libexif/CVE-2019-9278.patch
new file mode 100644
index 000000000..bd15e8d13
--- /dev/null
+++ b/user/libexif/CVE-2019-9278.patch
@@ -0,0 +1,85 @@
+From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Sat, 18 Jan 2020 09:29:42 +0100
+Subject: [PATCH] fix CVE-2019-9278
+
+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
+
+check for the actual sizes, which should also handle the overflows
+document other places google patched, but do not seem relevant due to other restrictions
+
+fixes https://github.com/libexif/libexif/issues/26
+---
+ libexif/exif-data.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index a6f9c94..6332cd1 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+ 		doff = offset + 8;
+ 
+ 	/* Sanity checks */
+-	if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++	if (doff >= size) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+-				  "Tag data past end of buffer (%u > %u)", doff+s, size);	
++				  "Tag starts past end of buffer (%u > %u)", doff, size);
++		return 0;
++	}
++
++	if (s > size - doff) {
++		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++				  "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+ 		return 0;
+ 	}
+ 
+@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ 			       unsigned int ds, ExifLong o, ExifLong s)
+ {
+ 	/* Sanity checks */
+-	if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+-		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+-			  "Bogus thumbnail offset (%u) or size (%u).",
+-			  o, s);
++	if (o >= ds) {
++		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++		return;
++	}
++	if (s > ds - o) {
++		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ 		return;
+ 	}
+-
+ 	if (data->data) 
+ 		exif_mem_free (data->priv->mem, data->data);
+ 	if (!(data->data = exif_data_alloc (data, s))) {
+@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ 	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
+ 		  "IFD 0 at %i.", (int) offset);
+ 
+-	/* Sanity check the offset, being careful about overflow */
++	/* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ 	if (offset > ds || offset + 6 + 2 > ds)
+ 		return;
+ 
+@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ 
+ 	/* IFD 1 offset */
+ 	n = exif_get_short (d + 6 + offset, data->priv->order);
++	/* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ 	if (offset + 6 + 2 + 12 * n + 4 > ds)
+ 		return;
+ 
+@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ 			  "IFD 1 at %i.", (int) offset);
+ 
+-		/* Sanity check. */
+-		if (offset > ds || offset + 6 > ds) {
++		/* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++		if (offset > ds - 6) {
+ 			exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifData", "Bogus offset of IFD1.");
+ 		} else {
diff --git a/user/libgd/APKBUILD b/user/libgd/APKBUILD
index 27de81126..2a537dfca 100644
--- a/user/libgd/APKBUILD
+++ b/user/libgd/APKBUILD
@@ -2,20 +2,22 @@
 # Maintainer: 
 pkgname=libgd
 pkgver=2.2.5
-pkgrel=1
+pkgrel=2
 pkgdesc="Library for dynamic image creation"
 url="http://libgd.github.io/"
 arch="all"
 options="!check"  # Upstream bug 201 regression.
 license="MIT"
 depends=""
-makedepends="bash fontconfig-dev freetype-dev libjpeg-turbo-dev libpng-dev
-	libwebp-dev zlib-dev"
+makedepends="autoconf automake bash fontconfig-dev freetype-dev
+	libjpeg-turbo-dev libpng-dev libtool libwebp-dev tiff-dev zlib-dev
+	"
 subpackages="$pkgname-dev"
 replaces="gd"
 source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgname-$pkgver.tar.xz
 	CVE-2016-7568.patch
 	CVE-2018-5711.patch
+	CVE-2018-14553.patch
 	CVE-2018-1000222.patch
 	CVE-2019-6977.patch
 	CVE-2019-6978.patch
@@ -27,6 +29,13 @@ source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgna
 #     - CVE-2018-1000222
 #     - CVE-2019-6977
 #     - CVE-2019-6978
+#   2.2.5-r2:
+#     - CVE-2018-14553
+
+prepare() {
+	default_prepare
+	autoreconf -vif
+}
 
 build() {
 	./configure \
@@ -58,6 +67,7 @@ dev() {
 sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b  libgd-2.2.5.tar.xz
 8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716  CVE-2016-7568.patch
 d6577566814cbe2d93b141a4216b32acdeb2989dc1712eb137565081b913151bbb4c69911c96b2bb7c90695078a85152d368aad183de494d1283fde25021751b  CVE-2018-5711.patch
+353491fab6c6e0916dca910c9d14f0e0efab6d9d88c48f6f3f2f69e60312489039b25d26980e7c5c2c04ed9e56003b99eae77bd412fbbed1d8eb47d561f7af74  CVE-2018-14553.patch
 d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b  CVE-2018-1000222.patch
 df84e469515f684d79ebad163e137401627310a984ac1ae6a4d31b739b3dc6d9144f101e9bfc3211af1d7cdbaa827721d21a9fe528e69b9b60a943ec8a7ab74b  CVE-2019-6977.patch
 3bf31941365a878bef899afa14a89e4ad0fbfb3280d34b2118c8484698e15eff600751ae3ce146a4f006e6c21730cb18899bae3538f6cc2651025274b40cf1ca  CVE-2019-6978.patch"
diff --git a/user/libgd/CVE-2018-14553.patch b/user/libgd/CVE-2018-14553.patch
new file mode 100644
index 000000000..7510101d1
--- /dev/null
+++ b/user/libgd/CVE-2018-14553.patch
@@ -0,0 +1,99 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+
+---
+ src/gd.c                          |  9 +--------
+ tests/gdimageclone/CMakeLists.txt |  1 +
+ tests/gdimageclone/Makemodule.am  |  3 ++-
+ tests/gdimageclone/style.c        | 30 ++++++++++++++++++++++++++++++
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+ create mode 100644 tests/gdimageclone/style.c
+
+diff --git a/src/gd.c b/src/gd.c
+index 592a0286..d564d1f9 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ 		}
+ 	}
+ 
+-	if (src->styleLength > 0) {
+-		dst->styleLength = src->styleLength;
+-		dst->stylePos    = src->stylePos;
+-		for (i = 0; i < src->styleLength; i++) {
+-			dst->style[i] = src->style[i];
+-		}
+-	}
+-
+ 	dst->interlace   = src->interlace;
+ 
+ 	dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ 
+ 	if (src->style) {
+ 		gdImageSetStyle(dst, src->style, src->styleLength);
++		dst->stylePos = src->stylePos;
+ 	}
+ 
+ 	for (i = 0; i < gdMaxColors; i++) {
+diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt
+index e6ccc318..662f4e96 100644
+--- a/tests/gdimageclone/CMakeLists.txt
++++ b/tests/gdimageclone/CMakeLists.txt
+@@ -1,5 +1,6 @@
+ LIST(APPEND TESTS_FILES
+ 	bug00300
++	style
+ )
+ 
+ ADD_GD_TESTS()
+diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am
+index 4b1b54c0..51abf5c1 100644
+--- a/tests/gdimageclone/Makemodule.am
++++ b/tests/gdimageclone/Makemodule.am
+@@ -1,5 +1,6 @@
+ libgd_test_programs += \
+-	gdimageclone/bug00300
++	gdimageclone/bug00300 \
++	gdimageclone/style
+ 
+ EXTRA_DIST += \
+ 	gdimageclone/CMakeLists.txt
+diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c
+new file mode 100644
+index 00000000..c2b246ed
+--- /dev/null
++++ b/tests/gdimageclone/style.c
+@@ -0,0 +1,30 @@
++/**
++ * Cloning an image should exactly reproduce all style related data
++ */
++
++
++#include <string.h>
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++    gdImagePtr im, clone;
++    int style[] = {0, 0, 0};
++
++    im = gdImageCreate(8, 8);
++    gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
++
++    clone = gdImageClone(im);
++    gdTestAssert(clone != NULL);
++
++    gdTestAssert(clone->styleLength == im->styleLength);
++    gdTestAssert(clone->stylePos == im->stylePos);
++    gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
++
++    gdImageDestroy(clone);
++    gdImageDestroy(im);
++
++    return gdNumFailures();
++}
diff --git a/user/librsvg/APKBUILD b/user/librsvg/APKBUILD
index eddc645dc..3fa19b15b 100644
--- a/user/librsvg/APKBUILD
+++ b/user/librsvg/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: 
 pkgname=librsvg
-pkgver=2.40.20
-pkgrel=1
+pkgver=2.40.21
+pkgrel=0
 pkgdesc="SAX-based renderer for SVG files into a GdkPixbuf"
 url="https://wiki.gnome.org/action/show/Projects/LibRsvg"
 arch="all"
@@ -14,6 +14,10 @@ makedepends="$depends_dev bzip2-dev cairo-dev glib-dev
 	gobject-introspection-dev"
 source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz"
 
+# secfixes:
+#   2.40.21-r0:
+#     - CVE-2019-20446
+
 build() {
 	./configure \
 		--build=$CBUILD \
@@ -33,4 +37,4 @@ package() {
 	rm -rf "$pkgdir"/usr/lib/mozilla
 }
 
-sha512sums="cdd8224deb4c3786e29f48ed02c32ed9dff5cb15aba574a5ef845801ad3669cfcc3eedb9d359c22213dc7a29de24c363248825adad5877c40abf73b3688ff12f  librsvg-2.40.20.tar.xz"
+sha512sums="db0563d8e0edaae642a6b2bcd239cf54191495058ac8c7ff614ebaf88c0e30bd58dbcd41f58d82a9d5ed200ced45fc5bae22f2ed3cf3826e9348a497009e1280  librsvg-2.40.21.tar.xz"
diff --git a/user/openjpeg/APKBUILD b/user/openjpeg/APKBUILD
index 680e1c8c2..54f9811ea 100644
--- a/user/openjpeg/APKBUILD
+++ b/user/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=openjpeg
 pkgver=2.3.1
-pkgrel=2
+pkgrel=3
 pkgdesc="Open-source implementation of JPEG 2000 image codec"
 url="http://www.openjpeg.org/"
 arch="all"
@@ -13,9 +13,15 @@ depends_dev="$pkgname-tools"
 makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake"
 subpackages="$pkgname-dev $pkgname-tools"
 source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
-	CVE-2019-12973.patch"
+	CVE-2019-12973.patch
+	CVE-2020-6851.patch
+	CVE-2020-8112.patch
+	"
 
 # secfixes:
+#   2.3.1-r3:
+#     - CVE-2020-6851
+#     - CVE-2020-8112
 #   2.3.1-r2:
 #     - CVE-2019-12973
 #   2.3.0-r0:
@@ -52,4 +58,6 @@ tools() {
 }
 
 sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03  openjpeg-2.3.1.tar.gz
-472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516  CVE-2019-12973.patch"
+472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516  CVE-2019-12973.patch
+c8ffc926d91392b38250fd4e00fff5f93fbf5e17487d0e4a0184c9bd191aa2233c5c5dcf097dd62824714097bba2d8cc865bed31193d1a072aa954f216011297  CVE-2020-6851.patch
+9659e04087e0d80bf53555e9807aae59205adef2d49d7a49e05bf250c484a2e92132d471ec6076e57ca69b5ce98fd81462a6a8c01205ca7096781eec06e401cc  CVE-2020-8112.patch"
diff --git a/user/openjpeg/CVE-2020-6851.patch b/user/openjpeg/CVE-2020-6851.patch
new file mode 100644
index 000000000..9a70291f5
--- /dev/null
+++ b/user/openjpeg/CVE-2020-6851.patch
@@ -0,0 +1,29 @@
+From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 11 Jan 2020 01:51:19 +0100
+Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
+ coordinates are beyond INT_MAX (fixes #1228)
+
+---
+ src/lib/openjp2/j2k.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 14f6ff41a..922550eb1 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
+     l_img_comp = p_image->comps;
+     for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+         OPJ_INT32 l_h, l_w;
++        if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
++                p_image->y0 > (OPJ_UINT32)INT_MAX ||
++                p_image->x1 > (OPJ_UINT32)INT_MAX ||
++                p_image->y1 > (OPJ_UINT32)INT_MAX) {
++            opj_event_msg(p_manager, EVT_ERROR,
++                          "Image coordinates above INT_MAX are not supported\n");
++            return OPJ_FALSE;
++        }
+ 
+         l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
+                          (OPJ_INT32)l_img_comp->dx);
diff --git a/user/openjpeg/CVE-2020-8112.patch b/user/openjpeg/CVE-2020-8112.patch
new file mode 100644
index 000000000..95cb8095f
--- /dev/null
+++ b/user/openjpeg/CVE-2020-8112.patch
@@ -0,0 +1,43 @@
+From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 30 Jan 2020 00:59:57 +0100
+Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
+
+That could lead to later assertion failures.
+
+Fixes #1231 / CVE-2020-8112
+---
+ src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index deecc4dff..aa419030a 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+             /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000)  */
+             l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+             l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+-            l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+-            l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++            {
++                OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++                                  (OPJ_INT32)l_pdx)) << l_pdx;
++                if (tmp > (OPJ_UINT32)INT_MAX) {
++                    opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++                    return OPJ_FALSE;
++                }
++                l_br_prc_x_end = (OPJ_INT32)tmp;
++            }
++            {
++                OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++                                  (OPJ_INT32)l_pdy)) << l_pdy;
++                if (tmp > (OPJ_UINT32)INT_MAX) {
++                    opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++                    return OPJ_FALSE;
++                }
++                l_br_prc_y_end = (OPJ_INT32)tmp;
++            }
+             /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+ 
+             l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
diff --git a/user/weechat/APKBUILD b/user/weechat/APKBUILD
index ddf80a03a..dfa1a3277 100644
--- a/user/weechat/APKBUILD
+++ b/user/weechat/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: zlg <zlg+adelie@zlg.space>
 # Maintainer: Kiyoshi Aman <adelie@aerdan.vulpine.house>
 pkgname=weechat
-pkgver=2.7
+pkgver=2.7.1
 pkgrel=0
 pkgdesc="Fast, light, extensible ncurses-based chat client"
 url="https://www.weechat.org"
@@ -22,9 +22,11 @@ source="https://www.weechat.org/files/src/$pkgname-$pkgver.tar.gz"
 
 # secfixes:
 #   1.7.1-r0:
-#   - CVE-2017-8073
+#     - CVE-2017-8073
 #   1.9.1-r0:
-#   - CVE-2017-14727
+#     - CVE-2017-14727
+#   2.7.1-r0:
+#     - CVE-2020-8955
 
 build() {
 	cmake \
@@ -59,4 +61,4 @@ _plugin() {
 	mv "$pkgdir"/$_dir/${_name}.so "$subpkgdir"/$_dir
 }
 
-sha512sums="7a9205b6a3b7e338b14708e1b9aad4f2099506c46b1e86faf4fa94a105bc20b056a53ce3d003ae31ea1cdbab711ddd9dca7258a7d03f0f7af3703ebdbdfeb3d9  weechat-2.7.tar.gz"
+sha512sums="2d2f555a4c48dbfa60a97845657e041fcd37bdde01974b4a49ff2d0ef6b92f16147f84b0e60772e9f54ba3e05ae1772012d3551a5fbb8bdf8332a08ef63a352d  weechat-2.7.1.tar.gz"
author	A. Wilcox <awilcox@wilcox-tech.com>	2020-03-10 02:44:11 +0000
committer	A. Wilcox <awilcox@wilcox-tech.com>	2020-03-10 02:44:11 +0000
commit	b2b91cc7b341c21dd2754f766e3688d1cd8683cd (patch)
tree	89eb840eb4db48f40d8e3b4315b883b108d3b71e /user
parent	757c7417918541af9e656e023b2ead86998a07d9 (diff)
parent	2da62e2b9ab827bf6930e008d51cd0ab468dbd1b (diff)
download	packages-b2b91cc7b341c21dd2754f766e3688d1cd8683cd.tar.gz packages-b2b91cc7b341c21dd2754f766e3688d1cd8683cd.tar.bz2 packages-b2b91cc7b341c21dd2754f766e3688d1cd8683cd.tar.xz packages-b2b91cc7b341c21dd2754f766e3688d1cd8683cd.zip