author | A. Wilcox <awilcox@wilcox-tech.com> | 2020-03-10 02:44:11 +0000 |
---|---|---|
committer | A. Wilcox <awilcox@wilcox-tech.com> | 2020-03-10 02:44:11 +0000 |
commit | b2b91cc7b341c21dd2754f766e3688d1cd8683cd (patch) | |
tree | 89eb840eb4db48f40d8e3b4315b883b108d3b71e /user | |
parent | 757c7417918541af9e656e023b2ead86998a07d9 (diff) | |
parent | 2da62e2b9ab827bf6930e008d51cd0ab468dbd1b (diff) | |
Merge branch 'cves.2020.02.28' into 'master'
CVE patches for 2020.02.28
See merge request adelie/packages!408
Diffstat (limited to 'user')
-rw-r--r-- | user/djvulibre/APKBUILD | 11 | ||||
-rw-r--r-- | user/djvulibre/CVE-2019-18804.patch | 39 | ||||
-rw-r--r-- | user/exiv2/APKBUILD | 19 | ||||
-rw-r--r-- | user/exiv2/CVE-2019-20421.patch | 116 | ||||
-rw-r--r-- | user/hunspell/APKBUILD | 14 | ||||
-rw-r--r-- | user/hunspell/CVE-2019-16707.patch | 22 | ||||
-rw-r--r-- | user/libexif/APKBUILD | 11 | ||||
-rw-r--r-- | user/libexif/CVE-2016-6328.patch | 60 | ||||
-rw-r--r-- | user/libexif/CVE-2019-9278.patch | 85 | ||||
-rw-r--r-- | user/libgd/APKBUILD | 16 | ||||
-rw-r--r-- | user/libgd/CVE-2018-14553.patch | 99 | ||||
-rw-r--r-- | user/librsvg/APKBUILD | 10 | ||||
-rw-r--r-- | user/openjpeg/APKBUILD | 14 | ||||
-rw-r--r-- | user/openjpeg/CVE-2020-6851.patch | 29 | ||||
-rw-r--r-- | user/openjpeg/CVE-2020-8112.patch | 43 | ||||
-rw-r--r-- | user/weechat/APKBUILD | 10 |
16 files changed, 572 insertions, 26 deletions
diff --git a/user/djvulibre/APKBUILD b/user/djvulibre/APKBUILD index 2b4a3ed0e..fa2ce6059 100644 --- a/user/djvulibre/APKBUILD +++ b/user/djvulibre/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=djvulibre pkgver=3.5.27 -pkgrel=1 +pkgrel=2 pkgdesc="Format for distributing documents and images" url="http://djvu.sourceforge.net/" arch="all" @@ -15,7 +15,9 @@ source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz CVE-2019-15142.patch CVE-2019-15143.patch CVE-2019-15144.patch - CVE-2019-15145.patch" + CVE-2019-15145.patch + CVE-2019-18804.patch + " # secfixes: # 3.5.27-r1: @@ -23,6 +25,8 @@ source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz # - CVE-2019-15143 # - CVE-2019-15144 # - CVE-2019-15145 +# 3.5.27-r2: +# - CVE-2019-18804 build() { ./configure \ @@ -48,4 +52,5 @@ sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252 d9e4301fb98a35b8c2f1854eb4be53611f98b3fc9fdd357dd5502b5b189bdf61957a48b220f3ab7465bbf1df8606ce04513e10df74643a9e289c349f94721561 CVE-2019-15142.patch 3527e1c84f7c7d36f902cb3d7e9ddb6866acbdd4b47675ce3ffd164accf2e2931a4c6bbaae2ea775b4710d88ae34dd4dcd39a5846fce13bef2c82a99d608b8c1 CVE-2019-15143.patch f8f1abf328a97d69514b2626e4c6449c0c7b7e2b5518d56bba6a61a944aaf4b7fffd1371c26396353728f6a1399c6d87492af5c17e6b623dae7751b81eac11f9 CVE-2019-15144.patch -790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068 CVE-2019-15145.patch" +790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068 CVE-2019-15145.patch +e5d6cd98f208db49880c6237f7cd8ab097d02f9771936c04a5acc48d9d18876d5cf48bcc61b14f1affc501ee63e8d6337fa83af259485ef35d4faa5086f06d10 CVE-2019-18804.patch" diff --git a/user/djvulibre/CVE-2019-18804.patch b/user/djvulibre/CVE-2019-18804.patch new file mode 100644 index 000000000..7c66c3989 --- /dev/null 
+++ b/user/djvulibre/CVE-2019-18804.patch @@ -0,0 +1,39 @@ +From c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 Mon Sep 17 00:00:00 2001 +From: Leon Bottou <leon@bottou.org> +Date: Thu, 17 Oct 2019 22:20:31 -0400 +Subject: [PATCH] Fixed bug 309 + +--- + libdjvu/IW44EncodeCodec.cpp | 2 +- + tools/ddjvu.cpp | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp +index 00752a0..f81eaeb 100644 +--- a/libdjvu/IW44EncodeCodec.cpp ++++ b/libdjvu/IW44EncodeCodec.cpp +@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale) + int y = 0; + int s = scale*rowsize; + int s3 = s+s+s; +- h = ((h-1)/scale)+1; ++ h = (h>0) ? ((h-1)/scale)+1 : 0; + y += 1; + p += s; + while (y-3 < h) +diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp +index 6d0df3b..7109952 100644 +--- a/tools/ddjvu.cpp ++++ b/tools/ddjvu.cpp +@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno) + prect.h = (ih * 100) / dpi; + } + /* Process aspect ratio */ +- if (flag_aspect <= 0) ++ if (flag_aspect <= 0 && iw>0 && ih>0) + { + double dw = (double)iw / prect.w; + double dh = (double)ih / prect.h; +-- +2.20.1 + diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD index f1ca3f81f..fb710b602 100644 --- a/user/exiv2/APKBUILD +++ b/user/exiv2/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=exiv2 pkgver=0.27.2 -pkgrel=1 +pkgrel=2 pkgdesc="Exif, IPTC and XMP metadata library and tools" url="https://www.exiv2.org/" arch="all" 
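Review bot: With the new expression `h = (h>0) ? ((h-1)/scale)+1 : 0;`, an input of h == 0 still reaches the loop, because `y` is 1 after `y += 1` and `while (y-3 < h)` evaluates `-2 < 0`; whether the body tolerates h == 0 (and the `p += s` advance on a zero-row buffer) cannot be seen here, since filter_fv continues outside the hunk. If it does not, an early `if (h <= 0) return;` before the loop is the simpler guard. Nothing in the hunk shows `scale` is non-zero either, so the division relies on a caller-side invariant that deserves a one-line comment.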
@@ -12,8 +12,11 @@ checkdepends="python3 libxml2 cmd:which" makedepends="$depends_dev bash cmake" subpackages="$pkgname-dev $pkgname-doc" source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz - https://dev.sick.bike/dist/exiv2-0.27.2-POC-file_issue_1019 - CVE-2019-17402.patch" + https://dev.sick.bike/dist/exiv2-$pkgver-POC-file_issue_1019 + https://dev.sick.bike/dist/exiv2-$pkgver-Jp2Image_readMetadata_loop.poc + CVE-2019-17402.patch + CVE-2019-20421.patch + " builddir="$srcdir/$pkgname-$pkgver-Source" # secfixes: @@ -86,6 +89,8 @@ builddir="$srcdir/$pkgname-$pkgver-Source" # - CVE-2019-13114 # 0.27.2-r1: # - CVE-2019-17402 +# 0.27.2-r2: +# - CVE-2019-20421 prepare() { default_prepare @@ -93,6 +98,10 @@ prepare() { # Remove #1019 POC after >= 0.27.2 mv "$srcdir/$pkgname-$pkgver-POC-file_issue_1019" \ test/data/POC-file_issue_1019 + + # Ditto + mv "$srcdir/$pkgname-$pkgver-Jp2Image_readMetadata_loop.poc" \ + test/data/Jp2Image_readMetadata_loop.poc } build() { @@ -112,4 +121,6 @@ package() { sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz cfe0b534c29c37e7b6e5a00e8ec320cb57eb17187813fe30677a097e930655f1b097ce77806e0124affbdc423b48d9910560158eed9d2d03418a824244dafba9 exiv2-0.27.2-POC-file_issue_1019 -623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd CVE-2019-17402.patch" +d2c0f59e9e2daf00066b0ad73253bb7bb09b3319606813f16478ef5717751e4cbb93d12f5c9339dae2965dcf6a63138bdb4205b698aeab57a75f97ddf458d4f7 exiv2-0.27.2-Jp2Image_readMetadata_loop.poc +623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd CVE-2019-17402.patch +c819f06a194b8465c66ccd91b8373cb2a359e59bab7583a8abb873c2001efe6188ac8fa4717c6382d2f2396d25e79e7b397c5ebf000d35c4a7dae547db7bc77b CVE-2019-20421.patch" 
diff --git a/user/exiv2/CVE-2019-20421.patch b/user/exiv2/CVE-2019-20421.patch new file mode 100644 index 000000000..bdc5449f2 --- /dev/null +++ b/user/exiv2/CVE-2019-20421.patch 
@@ -0,0 +1,116 @@ +From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001 +From: clanmills <robin@clanmills.com> +Date: Tue, 1 Oct 2019 17:39:44 +0100 +Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop + +--- + src/jp2image.cpp | 25 +++++++++++++++---- + tests/bugfixes/github/test_CVE_2017_17725.py | 4 +-- + tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++ + 4 files changed, 35 insertions(+), 7 deletions(-) + create mode 100755 test/data/Jp2Image_readMetadata_loop.poc + create mode 100644 tests/bugfixes/github/test_issue_1011.py + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index d5cd1340a..0de088d62 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -18,10 +18,6 @@ + * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA. + */ + +-/* +- File: jp2image.cpp +-*/ +- + // ***************************************************************************** + + // included header files +@@ -197,6 +193,16 @@ namespace Exiv2 + return result; + } + ++static void boxes_check(size_t b,size_t m) ++{ ++ if ( b > m ) { ++#ifdef EXIV2_DEBUG_MESSAGES ++ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl; ++#endif ++ throw Error(kerCorruptedMetadata); ++ } ++} ++ + void Jp2Image::readMetadata() + { + #ifdef EXIV2_DEBUG_MESSAGES +@@ -219,9 +225,12 @@ namespace Exiv2 + Jp2BoxHeader subBox = {0,0}; + Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0}; + Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; ++ size_t boxes = 0 ; ++ size_t boxem = 1000 ; // boxes max + + while (io_->read((byte*)&box, sizeof(box)) == sizeof(box)) + { ++ boxes_check(boxes++,boxem ); + position = io_->tell(); + box.length = getLong((byte*)&box.length, bigEndian); + box.type = getLong((byte*)&box.type, bigEndian); +@@ -251,8 +260,12 @@ namespace Exiv2 + + while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length ) + { ++ boxes_check(boxes++, boxem) ; + subBox.length = getLong((byte*)&subBox.length, 
bigEndian); + subBox.type = getLong((byte*)&subBox.type, bigEndian); ++ if (subBox.length > io_->size() ) { ++ throw Error(kerCorruptedMetadata); ++ } + #ifdef EXIV2_DEBUG_MESSAGES + std::cout << "Exiv2::Jp2Image::readMetadata: " + << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl; +@@ -308,7 +321,9 @@ namespace Exiv2 + } + + io_->seek(restore,BasicIo::beg); +- io_->seek(subBox.length, Exiv2::BasicIo::cur); ++ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) { ++ throw Error(kerCorruptedMetadata); ++ } + restore = io_->tell(); + } + break; +diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py +index 1127b9806..670a75d8d 100644 +--- a/tests/bugfixes/github/test_CVE_2017_17725.py ++++ b/tests/bugfixes/github/test_CVE_2017_17725.py +@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): + filename = "$data_path/poc_2017-12-12_issue188" + commands = ["$exiv2 " + filename] + stdout = [""] +- stderr = ["""$exiv2_overflow_exception_message """ + filename + """: +-$addition_overflow_message ++ stderr = ["""$exiv2_exception_message """ + filename + """: ++$kerCorruptedMetadata + """] + retval = [1] +diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py +new file mode 100644 +index 000000000..415861188 +--- /dev/null ++++ b/tests/bugfixes/github/test_issue_1011.py +@@ -0,0 +1,13 @@ ++# -*- coding: utf-8 -*- ++ ++from system_tests import CaseMeta, path ++ ++class Test_issue_1011(metaclass=CaseMeta): ++ ++ filename = path("$data_path/Jp2Image_readMetadata_loop.poc") ++ commands = ["$exiv2 " + filename] ++ stdout = [""] ++ stderr = ["""$exiv2_exception_message """ + filename + """: ++$kerCorruptedMetadata ++"""] ++ retval = [1] +\ No newline at end of file diff --git a/user/hunspell/APKBUILD b/user/hunspell/APKBUILD index 79da8d619..ec63c5414 100644 --- a/user/hunspell/APKBUILD +++ b/user/hunspell/APKBUILD 
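Review bot: The `subBox.length > io_->size()` guard is added for the inner loop only; `box.length` in the outer loop is decoded the same way (`box.length = getLong((byte*)&box.length, bigEndian);`) but receives no bound in this hunk, so if it later drives a seek or allocation (that code is outside the hunk) the same check belongs there. The 1000-box cap in `boxem` is a heuristic rather than a JP2 format limit, so a short comment such as `// arbitrary upper bound on box count; crafted files otherwise walk forever` would tell the next reader why a legitimate file with many boxes is rejected as kerCorruptedMetadata. readMetadata's body continues outside the hunks shown.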
@@ -1,7 +1,7 @@ -# Maintainer: +# Maintainer: pkgname=hunspell pkgver=1.7.0 -pkgrel=0 +pkgrel=1 pkgdesc="Spell checker and morphological analyzer library and program" url="https://hunspell.github.io/" arch="all" @@ -9,7 +9,12 @@ license="GPL-2.0+ AND LGPL-2.0+ AND MPL-1.1" depends="" makedepends="ncurses-dev autoconf automake libtool" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" -source="$pkgname-$pkgver.tar.gz::https://github.com/hunspell/hunspell/archive/v$pkgver.tar.gz" +source="$pkgname-$pkgver.tar.gz::https://github.com/hunspell/hunspell/archive/v$pkgver.tar.gz + CVE-2019-16707.patch" + +# secfixes: +# 1.7.0-r1: +# - CVE-2019-16707 prepare() { default_prepare @@ -35,4 +40,5 @@ package() { make -j1 DESTDIR="$pkgdir" install } -sha512sums="8149b2e8b703a0610c9ca5160c2dfad3cf3b85b16b3f0f5cfcb7ebb802473b2d499e8e2d0a637a97a37a24d62424e82d3880809210d3f043fa17a4970d47c903 hunspell-1.7.0.tar.gz" +sha512sums="8149b2e8b703a0610c9ca5160c2dfad3cf3b85b16b3f0f5cfcb7ebb802473b2d499e8e2d0a637a97a37a24d62424e82d3880809210d3f043fa17a4970d47c903 hunspell-1.7.0.tar.gz +e7674819a9da4c3d742d34338d68d137d8613f97be2d25bf20db5219d4dd626f59a63ed4757b92f34307f499f2d687014065cdea97b55c98db295a8290300d2d CVE-2019-16707.patch" diff --git a/user/hunspell/CVE-2019-16707.patch b/user/hunspell/CVE-2019-16707.patch new file mode 100644 index 000000000..649eef5b2 --- /dev/null +++ b/user/hunspell/CVE-2019-16707.patch 
@@ -0,0 +1,22 @@ +From ac938e2ecb48ab4dd21298126c7921689d60571b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com> +Date: Tue, 12 Nov 2019 20:03:15 +0000 +Subject: [PATCH] invalid read memory access #624 + +--- + src/hunspell/suggestmgr.cxx | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/hunspell/suggestmgr.cxx b/src/hunspell/suggestmgr.cxx +index dba084e9..c23f165a 100644 +--- a/src/hunspell/suggestmgr.cxx ++++ b/src/hunspell/suggestmgr.cxx +@@ -2040,7 +2040,7 @@ int SuggestMgr::leftcommonsubstring( + int l2 = su2.size(); + // decapitalize dictionary word + if (complexprefixes) { +- if (su1[l1 - 1] == su2[l2 - 1]) ++ if (l1 && l2 && su1[l1 - 1] == su2[l2 - 1]) + return 1; + } else { + unsigned short idx = su2.empty() ? 0 : (su2[0].h << 8) + su2[0].l; diff --git a/user/libexif/APKBUILD b/user/libexif/APKBUILD index de51ae7b0..06e1e832a 100644 --- a/user/libexif/APKBUILD +++ b/user/libexif/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: pkgname=libexif pkgver=0.6.21 -pkgrel=3 +pkgrel=4 pkgdesc="Library to parse EXIF metadata" url="https://sourceforge.net/projects/libexif" arch="all" @@ -10,14 +10,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" depends="" makedepends="" source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.bz2 + CVE-2016-6328.patch CVE-2017-7544.patch CVE-2018-20030.patch + CVE-2019-9278.patch " # secfixes: # 0.6.21-r3: # - CVE-2017-7544 # - CVE-2018-20030 +# 0.6.21-r4: +# - CVE-2016-6328 +# - CVE-2019-9278 prepare() { default_prepare 
@@ -41,5 +46,7 @@ package() { } sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 libexif-0.6.21.tar.bz2 +c0d4c74207993efc373615ef2c797d720162a2ee6fd7ad026edf2ced4198d9b1165b88790c2af3194f6bb7c2de88d4672c041c2cff8a82c8914700633332b8c5 CVE-2016-6328.patch d529c6c5bd26dc21c0946702574184e1f61c2bfd4fb95b41e314f486a0dd55571963ff2cad566d2fb0804de3c0799bcd956c15a3dc10a520ce207728edad4e2d CVE-2017-7544.patch -0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc CVE-2018-20030.patch" +0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc CVE-2018-20030.patch +c30c03fefea94d175b94c9f0c4d60cbb3aa0ad78b0d29008975fbbb15c17f2907a16fd50970e5fa18d533d0ce291a5ee9b62934210cb40b0f463693460607738 CVE-2019-9278.patch" diff --git a/user/libexif/CVE-2016-6328.patch b/user/libexif/CVE-2016-6328.patch new file mode 100644 index 000000000..0568f27d2 --- /dev/null +++ b/user/libexif/CVE-2016-6328.patch 
@@ -0,0 +1,60 @@ +From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001 +From: Marcus Meissner <marcus@jet.franken.de> +Date: Tue, 25 Jul 2017 23:44:44 +0200 +Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax + makernote entries. + +This should fix: +https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328 +--- + libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c +index d03d159..ea0429a 100644 +--- a/libexif/pentax/mnote-pentax-entry.c ++++ b/libexif/pentax/mnote-pentax-entry.c +@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, + case EXIF_FORMAT_SHORT: + { + const unsigned char *data = entry->data; +- size_t k, len = strlen(val); ++ size_t k, len = strlen(val), sizeleft; ++ ++ sizeleft = entry->size; + for(k=0; k<entry->components; k++) { ++ if (sizeleft < 2) ++ break; + vs = exif_get_short (data, entry->order); + snprintf (val+len, maxlen-len, "%i ", vs); + len = strlen(val); + data += 2; ++ sizeleft -= 2; + } + } + break; + case EXIF_FORMAT_LONG: + { + const unsigned char *data = entry->data; +- size_t k, len = strlen(val); ++ size_t k, len = strlen(val), sizeleft; ++ ++ sizeleft = entry->size; + for(k=0; k<entry->components; k++) { ++ if (sizeleft < 4) ++ break; + vl = exif_get_long (data, entry->order); + snprintf (val+len, maxlen-len, "%li", (long int) vl); + len = strlen(val); + data += 4; ++ sizeleft -= 4; + } + } + break; +@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, + break; + } + +- return (val); ++ return val; + } diff --git a/user/libexif/CVE-2019-9278.patch b/user/libexif/CVE-2019-9278.patch new file mode 100644 index 000000000..bd15e8d13 --- /dev/null +++ b/user/libexif/CVE-2019-9278.patch 
@@ -0,0 +1,85 @@ +From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner <meissner@suse.de> +Date: Sat, 18 Jan 2020 09:29:42 +0100 +Subject: [PATCH] fix CVE-2019-9278 + +avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away) + +check for the actual sizes, which should also handle the overflows +document other places google patched, but do not seem relevant due to other restrictions + +fixes https://github.com/libexif/libexif/issues/26 +--- + libexif/exif-data.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index a6f9c94..6332cd1 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry, + doff = offset + 8; + + /* Sanity checks */ +- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) { ++ if (doff >= size) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", +- "Tag data past end of buffer (%u > %u)", doff+s, size); ++ "Tag starts past end of buffer (%u > %u)", doff, size); ++ return 0; ++ } ++ ++ if (s > size - doff) { ++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", ++ "Tag data goes past end of buffer (%u > %u)", doff+s, size); + return 0; + } + +@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, + unsigned int ds, ExifLong o, ExifLong s) + { + /* Sanity checks */ +- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) { +- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", +- "Bogus thumbnail offset (%u) or size (%u).", +- o, s); ++ if (o >= ds) { ++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o); ++ return; ++ } ++ if (s > ds - o) { ++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail 
size (%u), max would be %u.", s, ds-o); + return; + } +- + if (data->data) + exif_mem_free (data->priv->mem, data->data); + if (!(data->data = exif_data_alloc (data, s))) { +@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig, + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "IFD 0 at %i.", (int) offset); + +- /* Sanity check the offset, being careful about overflow */ ++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */ + if (offset > ds || offset + 6 + 2 > ds) + return; + +@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig, + + /* IFD 1 offset */ + n = exif_get_short (d + 6 + offset, data->priv->order); ++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */ + if (offset + 6 + 2 + 12 * n + 4 > ds) + return; + +@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig, + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "IFD 1 at %i.", (int) offset); + +- /* Sanity check. */ +- if (offset > ds || offset + 6 > ds) { ++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */ ++ if (offset > ds - 6) { + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifData", "Bogus offset of IFD1."); + } else { diff --git a/user/libgd/APKBUILD b/user/libgd/APKBUILD index 27de81126..2a537dfca 100644 --- a/user/libgd/APKBUILD +++ b/user/libgd/APKBUILD 
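Review bot: In exif_data_load_data_entry, `doff = offset + 8;` is computed before the new `if (doff >= size)` check, so an `offset` within 8 of UINT_MAX would wrap doff to a small value and pass both checks; a later comment in this patch says ds is restricted to 16 bits, which would make that unreachable, but the constraint is not visible at this call site. A self-contained guard ahead of the addition, `if (size < 8 || offset > size - 8) return 0;`, or a comment naming the invariant, would keep the two size checks honest on their own. exif_data_load_data_entry begins outside the hunk.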
@@ -2,20 +2,22 @@
 # Maintainer:
 pkgname=libgd
 pkgver=2.2.5
-pkgrel=1
+pkgrel=2
 pkgdesc="Library for dynamic image creation"
 url="http://libgd.github.io/"
 arch="all"
 options="!check" # Upstream bug 201 regression.
 license="MIT"
 depends=""
-makedepends="bash fontconfig-dev freetype-dev libjpeg-turbo-dev libpng-dev
- libwebp-dev zlib-dev"
+makedepends="autoconf automake bash fontconfig-dev freetype-dev
+ libjpeg-turbo-dev libpng-dev libtool libwebp-dev tiff-dev zlib-dev
+ "
 subpackages="$pkgname-dev"
 replaces="gd"
 source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgname-$pkgver.tar.xz
 CVE-2016-7568.patch
 CVE-2018-5711.patch
+ CVE-2018-14553.patch
 CVE-2018-1000222.patch
 CVE-2019-6977.patch
 CVE-2019-6978.patch
@@ -27,6 +29,13 @@ source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgna
 # - CVE-2018-1000222
 # - CVE-2019-6977
 # - CVE-2019-6978
+# 2.2.5-r2:
+# - CVE-2018-14553
+
+prepare() {
+ default_prepare
+ autoreconf -vif
+}
 build() {
 ./configure \
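Review bot: The CVE-2018-14553 patch added here ships a regression test (tests/gdimageclone/style.c, registered in CMakeLists.txt and Makemodule.am), but `options="!check"` a few lines above means it is never executed during the build, so the fix is only verified by the patch applying cleanly. If the upstream bug 201 regression that motivated `!check` cannot be resolved, consider running that one test explicitly in a `check()` function, or record the gap next to the option, e.g. `options="!check" # Upstream bug 201 regression; CVE-2018-14553 test not run`. Separately, `tiff-dev` is added to makedepends together with the autotools packages; if it enables TIFF support at configure time that is a feature change worth naming in the commit message rather than folding into a CVE bump.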
@@ -58,6 +67,7 @@ dev() {
 sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz
 8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch
 d6577566814cbe2d93b141a4216b32acdeb2989dc1712eb137565081b913151bbb4c69911c96b2bb7c90695078a85152d368aad183de494d1283fde25021751b CVE-2018-5711.patch
+353491fab6c6e0916dca910c9d14f0e0efab6d9d88c48f6f3f2f69e60312489039b25d26980e7c5c2c04ed9e56003b99eae77bd412fbbed1d8eb47d561f7af74 CVE-2018-14553.patch
 d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch
 df84e469515f684d79ebad163e137401627310a984ac1ae6a4d31b739b3dc6d9144f101e9bfc3211af1d7cdbaa827721d21a9fe528e69b9b60a943ec8a7ab74b CVE-2019-6977.patch
 3bf31941365a878bef899afa14a89e4ad0fbfb3280d34b2118c8484698e15eff600751ae3ce146a4f006e6c21730cb18899bae3538f6cc2651025274b40cf1ca CVE-2019-6978.patch"
diff --git a/user/libgd/CVE-2018-14553.patch b/user/libgd/CVE-2018-14553.patch
new file mode 100644
index 000000000..7510101d1
--- /dev/null
+++ b/user/libgd/CVE-2018-14553.patch
@@ -0,0 +1,99 @@ +From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com> +Date: Fri, 20 Dec 2019 12:03:33 -0300 +Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone() + +--- + src/gd.c | 9 +-------- + tests/gdimageclone/CMakeLists.txt | 1 + + tests/gdimageclone/Makemodule.am | 3 ++- + tests/gdimageclone/style.c | 30 ++++++++++++++++++++++++++++++ + 5 files changed, 35 insertions(+), 9 deletions(-) + create mode 100644 tests/gdimageclone/style.c + +diff --git a/src/gd.c b/src/gd.c +index 592a0286..d564d1f9 100644 +--- a/src/gd.c ++++ b/src/gd.c +@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { + } + } + +- if (src->styleLength > 0) { +- dst->styleLength = src->styleLength; +- dst->stylePos = src->stylePos; +- for (i = 0; i < src->styleLength; i++) { +- dst->style[i] = src->style[i]; +- } +- } +- + dst->interlace = src->interlace; + + dst->alphaBlendingFlag = src->alphaBlendingFlag; +@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { + + if (src->style) { + gdImageSetStyle(dst, src->style, src->styleLength); ++ dst->stylePos = src->stylePos; + } + + for (i = 0; i < gdMaxColors; i++) { +diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt +index e6ccc318..662f4e96 100644 +--- a/tests/gdimageclone/CMakeLists.txt ++++ b/tests/gdimageclone/CMakeLists.txt +@@ -1,5 +1,6 @@ + LIST(APPEND TESTS_FILES + bug00300 ++ style + ) + + ADD_GD_TESTS() +diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am +index 4b1b54c0..51abf5c1 100644 +--- a/tests/gdimageclone/Makemodule.am ++++ b/tests/gdimageclone/Makemodule.am +@@ -1,5 +1,6 @@ + libgd_test_programs += \ +- gdimageclone/bug00300 ++ gdimageclone/bug00300 \ ++ gdimageclone/style + + EXTRA_DIST += \ + gdimageclone/CMakeLists.txt +diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c +new file 
mode 100644 +index 00000000..c2b246ed +--- /dev/null ++++ b/tests/gdimageclone/style.c +@@ -0,0 +1,30 @@ ++/** ++ * Cloning an image should exactly reproduce all style related data ++ */ ++ ++ ++#include <string.h> ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++int main() ++{ ++ gdImagePtr im, clone; ++ int style[] = {0, 0, 0}; ++ ++ im = gdImageCreate(8, 8); ++ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0])); ++ ++ clone = gdImageClone(im); ++ gdTestAssert(clone != NULL); ++ ++ gdTestAssert(clone->styleLength == im->styleLength); ++ gdTestAssert(clone->stylePos == im->stylePos); ++ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0]))); ++ ++ gdImageDestroy(clone); ++ gdImageDestroy(im); ++ ++ return gdNumFailures(); ++} diff --git a/user/librsvg/APKBUILD b/user/librsvg/APKBUILD index eddc645dc..3fa19b15b 100644 --- a/user/librsvg/APKBUILD +++ b/user/librsvg/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: pkgname=librsvg -pkgver=2.40.20 -pkgrel=1 +pkgver=2.40.21 +pkgrel=0 pkgdesc="SAX-based renderer for SVG files into a GdkPixbuf" url="https://wiki.gnome.org/action/show/Projects/LibRsvg" arch="all" @@ -14,6 +14,10 @@ makedepends="$depends_dev bzip2-dev cairo-dev glib-dev gobject-introspection-dev" source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz" +# secfixes: +# 2.40.21-r0: +# - CVE-2019-20446 + build() { ./configure \ --build=$CBUILD \ @@ -33,4 +37,4 @@ package() { rm -rf "$pkgdir"/usr/lib/mozilla } -sha512sums="cdd8224deb4c3786e29f48ed02c32ed9dff5cb15aba574a5ef845801ad3669cfcc3eedb9d359c22213dc7a29de24c363248825adad5877c40abf73b3688ff12f librsvg-2.40.20.tar.xz" +sha512sums="db0563d8e0edaae642a6b2bcd239cf54191495058ac8c7ff614ebaf88c0e30bd58dbcd41f58d82a9d5ed200ced45fc5bae22f2ed3cf3826e9348a497009e1280 librsvg-2.40.21.tar.xz" diff --git a/user/openjpeg/APKBUILD b/user/openjpeg/APKBUILD index 680e1c8c2..54f9811ea 100644 --- a/user/openjpeg/APKBUILD +++ b/user/openjpeg/APKBUILD 
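Review bot: In the new tests/gdimageclone/style.c, `gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));` passes the element count (3) as memcmp's byte length, so only the first 3 of the 12 bytes of the int array are compared and a mismatch in the later elements would go unnoticed; use `sizeof(style)` (or `im->styleLength * sizeof(int)`) as the length. The test also uses an all-zero style array, which cannot tell a correct copy from zeroed memory; a non-trivial pattern such as `int style[] = {1, 0, 1};` (constructed example) makes the assertion meaningful. The gd.c hunks only touch gdImageClone, whose body continues outside them.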
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=openjpeg
 pkgver=2.3.1
-pkgrel=2
+pkgrel=3
 pkgdesc="Open-source implementation of JPEG 2000 image codec"
 url="http://www.openjpeg.org/"
 arch="all"
@@ -13,9 +13,15 @@ depends_dev="$pkgname-tools"
 makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake"
 subpackages="$pkgname-dev $pkgname-tools"
 source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
- CVE-2019-12973.patch"
+ CVE-2019-12973.patch
+ CVE-2020-6851.patch
+ CVE-2020-8112.patch
+ "
 # secfixes:
+# 2.3.1-r3:
+# - CVE-2020-6851
+# - CVE-2020-8112
 # 2.3.1-r2:
 # - CVE-2019-12973
 # 2.3.0-r0:
@@ -52,4 +58,6 @@ tools() {
 }
 sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03 openjpeg-2.3.1.tar.gz
-472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch"
+472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch
+c8ffc926d91392b38250fd4e00fff5f93fbf5e17487d0e4a0184c9bd191aa2233c5c5dcf097dd62824714097bba2d8cc865bed31193d1a072aa954f216011297 CVE-2020-6851.patch
+9659e04087e0d80bf53555e9807aae59205adef2d49d7a49e05bf250c484a2e92132d471ec6076e57ca69b5ce98fd81462a6a8c01205ca7096781eec06e401cc CVE-2020-8112.patch"
diff --git a/user/openjpeg/CVE-2020-6851.patch b/user/openjpeg/CVE-2020-6851.patch
new file mode 100644
index 000000000..9a70291f5
--- /dev/null
+++ b/user/openjpeg/CVE-2020-6851.patch
@@ -0,0 +1,29 @@
+From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 11 Jan 2020 01:51:19 +0100
+Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
+ coordinates are beyond INT_MAX (fixes #1228)
+
+---
+ src/lib/openjp2/j2k.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 14f6ff41a..922550eb1 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
+ l_img_comp = p_image->comps;
+ for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+ OPJ_INT32 l_h, l_w;
++ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
++ p_image->y0 > (OPJ_UINT32)INT_MAX ||
++ p_image->x1 > (OPJ_UINT32)INT_MAX ||
++ p_image->y1 > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Image coordinates above INT_MAX are not supported\n");
++ return OPJ_FALSE;
++ }
+
+ l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
+ (OPJ_INT32)l_img_comp->dx);
diff --git a/user/openjpeg/CVE-2020-8112.patch b/user/openjpeg/CVE-2020-8112.patch
new file mode 100644
index 000000000..95cb8095f
--- /dev/null
+++ b/user/openjpeg/CVE-2020-8112.patch
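Review bot: The four INT_MAX comparisons are added inside the `for (it_comp ...)` loop but read only `p_image->x0/y0/x1/y1`, which do not change between iterations, so the same test is repeated once per component; hoisting the `if (...) { opj_event_msg(...); return OPJ_FALSE; }` block above the loop, before `l_img_comp = p_image->comps;`, rejects the same images with one check and leaves the loop body to per-component work. Note that in the current placement an image with `numcomps == 0` is never checked at all, which the hoisted form would also cover. The rest of opj_j2k_update_image_dimensions is outside the hunk.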
@@ -0,0 +1,43 @@
+From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 30 Jan 2020 00:59:57 +0100
+Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
+
+That could lead to later assertion failures.
+
+Fixes #1231 / CVE-2020-8112
+---
+ src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index deecc4dff..aa419030a 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
+ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+ l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++ (OPJ_INT32)l_pdx)) << l_pdx;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_x_end = (OPJ_INT32)tmp;
++ }
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++ (OPJ_INT32)l_pdy)) << l_pdy;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_y_end = (OPJ_INT32)tmp;
++ }
+ /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+
+ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
diff --git a/user/weechat/APKBUILD b/user/weechat/APKBUILD
index ddf80a03a..dfa1a3277 100644
--- a/user/weechat/APKBUILD
+++ b/user/weechat/APKBUILD
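Review bot: `tmp` is an OPJ_UINT32, so `((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx)) << l_pdx` is a 32-bit shift: a product that exceeds UINT32_MAX wraps before the `tmp > (OPJ_UINT32)INT_MAX` test and can pass it, while only results between INT_MAX and UINT32_MAX are caught. Whether l_res->x1 and l_pdx are bounded tightly enough elsewhere to rule out that wrap is not visible in the hunk; if they are not, widening the intermediate, `OPJ_UINT64 tmp = (OPJ_UINT64)(OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;`, with the same INT_MAX comparison makes the check complete, in both the x and y blocks. The two blocks are also identical apart from x/y, so a small static helper would avoid maintaining the check twice. opj_tcd_init_tile begins and ends outside the hunk.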
@@ -2,7 +2,7 @@
 # Contributor: zlg <zlg+adelie@zlg.space>
 # Maintainer: Kiyoshi Aman <adelie@aerdan.vulpine.house>
 pkgname=weechat
-pkgver=2.7
+pkgver=2.7.1
 pkgrel=0
 pkgdesc="Fast, light, extensible ncurses-based chat client"
 url="https://www.weechat.org"
@@ -22,9 +22,11 @@ source="https://www.weechat.org/files/src/$pkgname-$pkgver.tar.gz"
 # secfixes:
 # 1.7.1-r0:
-# - CVE-2017-8073
+# - CVE-2017-8073
 # 1.9.1-r0:
-# - CVE-2017-14727
+# - CVE-2017-14727
+# 2.7.1-r0:
+# - CVE-2020-8955
 build() {
 cmake \
@@ -59,4 +61,4 @@ _plugin() {
 mv "$pkgdir"/$_dir/${_name}.so "$subpkgdir"/$_dir
 }
-sha512sums="7a9205b6a3b7e338b14708e1b9aad4f2099506c46b1e86faf4fa94a105bc20b056a53ce3d003ae31ea1cdbab711ddd9dca7258a7d03f0f7af3703ebdbdfeb3d9 weechat-2.7.tar.gz"
+sha512sums="2d2f555a4c48dbfa60a97845657e041fcd37bdde01974b4a49ff2d0ef6b92f16147f84b0e60772e9f54ba3e05ae1772012d3551a5fbb8bdf8332a08ef63a352d weechat-2.7.1.tar.gz" |