authorA. Wilcox <awilcox@wilcox-tech.com>2019-08-04 22:53:11 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2019-08-04 22:53:11 +0000
commit2d76f59134fc1cbd5ea3704b6d79761ffa50d6a9 (patch)
treec99a2ff0b1366a5f6bb2d61b13916acb3012cea6 /user
parent8410df6cbcf43832292026f4487ca2642be5cf15 (diff)
parent3c0917832c46ca76601c4e2e7388c4570bfbcb86 (diff)
Merge branch 'cves' into 'master'
CVE catch up, part one. See merge request adelie/packages!307
Diffstat (limited to 'user')
-rw-r--r--user/catdoc/APKBUILD12
-rw-r--r--user/catdoc/CVE-2017-11110.patch32
-rw-r--r--user/gnupg/APKBUILD8
-rw-r--r--user/id3lib/APKBUILD10
-rw-r--r--user/id3lib/CVE-2007-4460.patch54
-rw-r--r--user/libexif/APKBUILD20
-rw-r--r--user/libexif/CVE-2017-7544.patch30
-rw-r--r--user/libexif/CVE-2018-20030.patch115
-rw-r--r--user/libid3tag/APKBUILD20
-rw-r--r--user/libid3tag/CVE-2004-2779.patch32
-rw-r--r--user/libid3tag/CVE-2008-2109.patch11
-rw-r--r--user/libid3tag/CVE-2017-11550.patch33
-rw-r--r--user/libtasn1/APKBUILD10
-rw-r--r--user/libvncserver/APKBUILD8
-rw-r--r--user/libvncserver/CVE-2018-15127.patch44
-rw-r--r--user/ntfs-3g/APKBUILD12
-rw-r--r--user/ntfs-3g/CVE-2019-9755.patch63
-rw-r--r--user/oniguruma/APKBUILD15
-rw-r--r--user/oniguruma/CVE-2019-13224.patch41
-rw-r--r--user/oniguruma/CVE-2019-13225.patch69
-rw-r--r--user/openjpeg/APKBUILD10
-rw-r--r--user/openjpeg/CVE-2019-12973.patch152
-rw-r--r--user/openldap/APKBUILD15
-rw-r--r--user/openldap/CVE-2017-9287.patch28
-rw-r--r--user/openldap/libressl.patch65
-rw-r--r--user/openldap/openldap-mqtt-overlay.patch447
-rw-r--r--user/plib/APKBUILD8
-rw-r--r--user/plib/CVE-2011-4620.patch (renamed from user/plib/plib-1.8.5-CVE-2011-4620.patch)0
-rw-r--r--user/plib/CVE-2012-4552.patch (renamed from user/plib/plib-1.8.5-CVE-2012-4552.patch)0
-rw-r--r--user/py3-jinja2/APKBUILD12
-rw-r--r--user/subversion/APKBUILD13
-rw-r--r--user/subversion/apr-1.7.0.patch18
-rw-r--r--user/taglib/APKBUILD15
-rw-r--r--user/taglib/CVE-2017-12678.patch31
-rw-r--r--user/taglib/CVE-2018-11439.patch42
-rw-r--r--user/tcpdump/APKBUILD6
-rw-r--r--user/tcpdump/CVE-2017-16808.patch26
37 files changed, 897 insertions, 630 deletions
diff --git a/user/catdoc/APKBUILD b/user/catdoc/APKBUILD
index 2b6bc7d3d..4296c8167 100644
--- a/user/catdoc/APKBUILD
+++ b/user/catdoc/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=catdoc
pkgver=0.95
-pkgrel=1
+pkgrel=2
pkgdesc="Read information and data from Microsoft Office documents"
url="http://www.wagner.pp.ru/~vitus/software/catdoc/"
arch="all"
@@ -11,7 +11,12 @@ license="GPL-2.0-only"
depends=""
makedepends=""
subpackages="$pkgname-doc"
-source="http://ftp.wagner.pp.ru/pub/catdoc/catdoc-$pkgver.tar.gz"
+source="http://ftp.wagner.pp.ru/pub/catdoc/catdoc-$pkgver.tar.gz
+ CVE-2017-11110.patch"
+
+# secfixes:
+# 0.95-r2:
+# - CVE-2017-11110
build() {
cd "$builddir"
@@ -31,4 +36,5 @@ package() {
make -j1 install
}
-sha512sums="dd6bded4b6b70749c007256b182b063ff266f86d53024d8582001678821e8096c5b980bc8f43015d9c82bbe022d71d4ba5fe68aff31b2ff6db3688595e651b2c catdoc-0.95.tar.gz"
+sha512sums="dd6bded4b6b70749c007256b182b063ff266f86d53024d8582001678821e8096c5b980bc8f43015d9c82bbe022d71d4ba5fe68aff31b2ff6db3688595e651b2c catdoc-0.95.tar.gz
+15d1da9fe095c6e4a990faa22ee67952d91494057a1fd6334f2eb671898156c95245b54f229549a5662d13dec6ecc4e607583e865fb9775fea8d163755cf04b0 CVE-2017-11110.patch"
diff --git a/user/catdoc/CVE-2017-11110.patch b/user/catdoc/CVE-2017-11110.patch
new file mode 100644
index 000000000..d36d5d63c
--- /dev/null
+++ b/user/catdoc/CVE-2017-11110.patch
@@ -0,0 +1,32 @@
+Description: CVE-2017-11110: Heap buffer overflow in ole_init
+Origin: vendor, https://build.opensuse.org/package/view_file/openSUSE:Maintenance:6985/catdoc.openSUSE_Leap_42.2_Update/CVE-2017-11110.patch?rev=d437c3be72c2e5a3516b75f4e9de6b35
+Bug-Debian: https://bugs.debian.org/867717
+Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1047877
+Forwarded: no
+Author: Andreas Stieger <astieger@suse.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-07-20
+
+--- a/src/ole.c
++++ b/src/ole.c
+@@ -106,6 +106,11 @@ FILE* ole_init(FILE *f, void *buffer, si
+ return NULL;
+ }
+ sectorSize = 1<<getshort(oleBuf,0x1e);
++ /* CVE-2017-11110 */
++ if (sectorSize < 4) {
++ fprintf(stderr, "sectorSize < 4 not supported\n");
++ return NULL;
++ }
+ shortSectorSize=1<<getshort(oleBuf,0x20);
+
+ /* Read BBD into memory */
+@@ -147,7 +152,7 @@ FILE* ole_init(FILE *f, void *buffer, si
+ }
+
+ fseek(newfile, 512+mblock*sectorSize, SEEK_SET);
+- if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i,
++ if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, /* >=4 for CVE-2017-11110 */
+ 1, sectorSize, newfile) != sectorSize) {
+ fprintf(stderr, "Error read MSAT!\n");
+ ole_finish();
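Review bot: The added guard on `sectorSize` rejects only results below 4, while the exponent read by `getshort(oleBuf,0x1e)` still comes from the file unchecked, so an exponent at or above the bit width of the shifted type makes `1<<…` undefined behaviour before the comparison is reached. `shortSectorSize` on the following line is computed the same way and gets no check at all. I would validate the exponent itself before shifting, along the lines of `if (shift < 2 || shift > MAX_SECTOR_SHIFT) return NULL;`, where `MAX_SECTOR_SHIFT` is a placeholder for a bound chosen from the OLE2 format rather than a name from this code. The declaration of `sectorSize` and the rest of `ole_init` are outside the hunk, so the exact type width has to be confirmed there.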
diff --git a/user/gnupg/APKBUILD b/user/gnupg/APKBUILD
index 1d6d41f94..e8d3ff2f4 100644
--- a/user/gnupg/APKBUILD
+++ b/user/gnupg/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=gnupg
-pkgver=2.2.16
+pkgver=2.2.17
pkgrel=0
pkgdesc="GNU Privacy Guard 2 - PGP replacement"
url="https://www.gnupg.org/"
@@ -18,6 +18,10 @@ source="https://gnupg.org/ftp/gcrypt/$pkgname/$pkgname-$pkgver.tar.bz2
60-scdaemon.rules"
install="$pkgname.pre-install $pkgname.pre-upgrade"
+# secfixes:
+# 2.2.17-r0:
+# - CVE-2019-13050
+
build() {
./configure \
--build=$CBUILD \
@@ -46,7 +50,7 @@ package() {
install -Dm644 "$srcdir"/60-scdaemon.rules "$pkgdir"/lib/udev/rules.d
}
-sha512sums="0e0040905cc4d1d9d29e184cfeda520b43990e4ec459212537c0ce6092de987157e05b1d1a3022398d9b3cbaeea0f58a7e686745f96933e5ac26be4229162247 gnupg-2.2.16.tar.bz2
+sha512sums="a3cd094addac62b4b4ec1683005a2bec761ea2aacf6daf904316b1819f4f6a41f256a8d9452cf28cad71b3e68228465baa27ae0eb1fa734fa91542ef0f159c5d gnupg-2.2.17.tar.bz2
c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch
b19a44dacf061dd02b439ab8bd820e3c721aab77168f705f5ce65661f26527b03ea88eec16d78486a633c474120589ec8736692ebff57ab9b95f52f57190ba6b fix-i18n.patch
4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules"
diff --git a/user/id3lib/APKBUILD b/user/id3lib/APKBUILD
index 724429e96..957ed5eb0 100644
--- a/user/id3lib/APKBUILD
+++ b/user/id3lib/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=id3lib
pkgver=3.8.3
-pkgrel=1
+pkgrel=2
pkgdesc="Library for reading, writing, and manipulating ID3v2 tags"
url="http://id3lib.sourceforge.net"
arch="all"
@@ -15,8 +15,13 @@ source="https://downloads.sourceforge.net/project/id3lib/id3lib/$pkgver/id3lib-$
cstring.patch
modern-cpp.patch
test-expose-proper-stdlib-symbols.patch
+ CVE-2007-4460.patch
"
+# secfixes:
+# 3.8.3-r2:
+# - CVE-2007-4460
+
prepare() {
default_prepare
update_config_sub
@@ -49,4 +54,5 @@ package() {
sha512sums="3787e261f86933c1c2f2bff2c4b349b42f5d8636e489e4f39f9d75e6dfbdc79b87009a0f4ce4b786f2fb3dbc01ca9d56c4112095b46244f897e6c9a28573adaf id3lib-3.8.3.tar.gz
e379e848788f7fda3a86b02b9865dfe5db69d66ffcfb81184c1cd92f2f1ed7b4d40f13cc77f9de294afc13ae61ab50c3aa13f9a4cc4eb85cb7a727d25268ee6a cstring.patch
334eed099c93ea279d877437a92f684bfb0df12774fd7fffb628b6e8c4b17b17952d6f7c0bf0dff03a87887f0f1233c70d98b69f23580dcf3bf64c8d4b93fc85 modern-cpp.patch
-cd79daddffbafc11e555f16be827ccedc03e419b7c24ab1da1852af294dc486a0836d612318eb9861691ef8462ca38be41cfa2c12849f022ebb187c6ef95a1b9 test-expose-proper-stdlib-symbols.patch"
+cd79daddffbafc11e555f16be827ccedc03e419b7c24ab1da1852af294dc486a0836d612318eb9861691ef8462ca38be41cfa2c12849f022ebb187c6ef95a1b9 test-expose-proper-stdlib-symbols.patch
+97b1686ca3b7feefe7c2cc5f90a31f42fb55fd7baf45b0abe07c6d879bdf752f21305a6a883241c18e20847c43175c3d2c911dce14aa5f382f46bf44c07759f1 CVE-2007-4460.patch"
diff --git a/user/id3lib/CVE-2007-4460.patch b/user/id3lib/CVE-2007-4460.patch
new file mode 100644
index 000000000..36c84179f
--- /dev/null
+++ b/user/id3lib/CVE-2007-4460.patch
@@ -0,0 +1,54 @@
+This patch fixes an issues where temporary files were created in an insecure
+way.
+
+It was first intruduced in version 3.8.3-7 and fixes
+http://bugs.debian.org/438540
+--- a/src/tag_file.cpp
++++ b/src/tag_file.cpp
+@@ -242,8 +242,8 @@
+ strcpy(sTempFile, filename.c_str());
+ strcat(sTempFile, sTmpSuffix.c_str());
+
+-#if ((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP))
+- // This section is for Windows folk && gcc 3.x folk
++#if !defined(HAVE_MKSTEMP)
++ // This section is for Windows folk
+ fstream tmpOut;
+ createFile(sTempFile, tmpOut);
+
+@@ -257,7 +257,7 @@
+ tmpOut.write((char *)tmpBuffer, nBytes);
+ }
+
+-#else //((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP))
++#else //!defined(HAVE_MKSTEMP)
+
+ // else we gotta make a temp file, copy the tag into it, copy the
+ // rest of the old file after the tag, delete the old file, rename
+@@ -270,7 +270,7 @@
+ //ID3_THROW_DESC(ID3E_NoFile, "couldn't open temp file");
+ }
+
+- ofstream tmpOut(fd);
++ ofstream tmpOut(sTempFile);
+ if (!tmpOut)
+ {
+ tmpOut.close();
+@@ -285,14 +285,14 @@
+ uchar tmpBuffer[BUFSIZ];
+ while (file)
+ {
+- file.read(tmpBuffer, BUFSIZ);
++ file.read((char *)tmpBuffer, BUFSIZ);
+ size_t nBytes = file.gcount();
+- tmpOut.write(tmpBuffer, nBytes);
++ tmpOut.write((char *)tmpBuffer, nBytes);
+ }
+
+ close(fd); //closes the file
+
+-#endif ////((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP))
++#endif ////!defined(HAVE_MKSTEMP)
+
+ tmpOut.close();
+ file.close();
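Review bot: In the `HAVE_MKSTEMP` branch the output stream is now opened by name, `ofstream tmpOut(sTempFile);`, instead of from the descriptor `fd`, so the data goes to whatever `sTempFile` names at that moment rather than to the file `fd` refers to. The call that produces `fd` is outside the hunk (presumably `mkstemp()`); if so, the safe creation holds only while nobody else can replace that name in the directory between the two opens. Because this branch now also covers GCC 3 and later, I would attach the stream to `fd` (libstdc++ offers `__gnu_cxx::stdio_filebuf` for this) or at least add a comment such as `// reopened by path: relies on the directory not being writable by other users`. The `strcpy`/`strcat` into `sTempFile` at the top of the hunk depend on a buffer size that is not visible here.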
diff --git a/user/libexif/APKBUILD b/user/libexif/APKBUILD
index cfe2dd75f..71c9f7d06 100644
--- a/user/libexif/APKBUILD
+++ b/user/libexif/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer:
pkgname=libexif
pkgver=0.6.21
-pkgrel=2
+pkgrel=3
pkgdesc="Library to parse EXIF metadata"
url="https://sourceforge.net/projects/libexif"
arch="all"
@@ -9,16 +9,21 @@ license="LGPL-2.0+"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
depends=""
makedepends=""
-source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.bz2"
+source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.bz2
+ CVE-2017-7544.patch
+ CVE-2018-20030.patch"
+
+# secfixes:
+# 0.6.21-r3:
+# - CVE-2017-7544
+# - CVE-2018-20030
prepare() {
- cd "$builddir"
update_config_sub
default_prepare
}
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -27,12 +32,13 @@ build() {
}
check() {
- cd "$builddir"
make check
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
-sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 libexif-0.6.21.tar.bz2"
+
+sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 libexif-0.6.21.tar.bz2
+d529c6c5bd26dc21c0946702574184e1f61c2bfd4fb95b41e314f486a0dd55571963ff2cad566d2fb0804de3c0799bcd956c15a3dc10a520ce207728edad4e2d CVE-2017-7544.patch
+0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc CVE-2018-20030.patch"
diff --git a/user/libexif/CVE-2017-7544.patch b/user/libexif/CVE-2017-7544.patch
new file mode 100644
index 000000000..534817417
--- /dev/null
+++ b/user/libexif/CVE-2017-7544.patch
@@ -0,0 +1,30 @@
+From c39acd1692023b26290778a02a9232c873f9d71a Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:38:56 +0200
+Subject: [PATCH] On saving makernotes, make sure the makernote container tags
+ has a type with 1 byte components.
+
+Fixes (at least):
+ https://sourceforge.net/p/libexif/bugs/130
+ https://sourceforge.net/p/libexif/bugs/129
+---
+ libexif/exif-data.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 67df4db..91f4c33 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
+ exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ e->components = e->size;
++ if (exif_format_get_size (e->format) != 1) {
++ /* e->format is taken from input code,
++ * but we need to make sure it is a 1 byte
++ * entity due to the multiplication below. */
++ e->format = EXIF_FORMAT_UNDEFINED;
++ }
+ }
+ }
+
diff --git a/user/libexif/CVE-2018-20030.patch b/user/libexif/CVE-2018-20030.patch
new file mode 100644
index 000000000..837d003d7
--- /dev/null
+++ b/user/libexif/CVE-2018-20030.patch
@@ -0,0 +1,115 @@
+Edited slightly to backport to stable
+
+From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: [PATCH] Improve deep recursion detection in
+ exif_data_load_data_content.
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags. This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+---
+ libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++--------
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index e35403d..a6f9c94 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \
+ break; \
+ }
+
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ * work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++ static const double log_1_1 = 0.09531017980432493;
++
++ /* Adding 0.1 protects against the case where n==1 */
++ return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+ *
+ * \param[in,out] data #ExifData
+@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \
+ * \param[in] d pointer to buffer containing raw IFD data
+ * \param[in] ds size of raw data in buffer at \c d
+ * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+ */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ const unsigned char *d,
+- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
++ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+ ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ ExifShort n;
+@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+ return;
+
+- if (recursion_depth > 30) {
++ if (recursion_cost > 170) {
++ /*
++ * recursion_cost is a logarithmic-scale indicator of how expensive this
++ * recursive call might end up being. It is an indicator of the depth of
++ * recursion as well as the potential for worst-case future recursive
++ * calls. Since it's difficult to tell ahead of time how often recursion
++ * will occur, this assumes the worst by assuming every tag could end up
++ * causing recursion.
++ * The value of 170 was chosen to limit typical EXIF structures to a
++ * recursive depth of about 6, but pathological ones (those with very
++ * many tags) to only 2.
++ */
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+- "Deep recursion detected!");
++ "Deep/expensive recursion detected!");
+ return;
+ }
+
+@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ switch (tag) {
+ case EXIF_TAG_EXIF_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_EXIF);
+- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_GPS);
+- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ thumbnail_offset = o;
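Review bot: `level_cost()` hands the `double` from `ceil()` back through an `unsigned int` return type, and for `n == 0` the value of `log(n + 0.1)` is negative, so that conversion is undefined behaviour; the comment in the function only covers `n==1`. The three call sites sit under `switch (tag)`, which appears to be inside the per-tag loop, so `n` is probably at least 1 there, but the loop header is outside the hunk. A guard such as `if (n == 0) return 0;` at the top of `level_cost()`, or an explicit `(unsigned int)` cast with a comment stating the `n >= 1` precondition, would make the helper safe to reuse. The new `<math.h>` calls also need the math library at link time on platforms where it is separate from libc, and no build-system change is part of this patch.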
diff --git a/user/libid3tag/APKBUILD b/user/libid3tag/APKBUILD
index df96d8b79..0984fc93f 100644
--- a/user/libid3tag/APKBUILD
+++ b/user/libid3tag/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer:
pkgname=libid3tag
pkgver=0.15.1b
-pkgrel=9
+pkgrel=10
pkgdesc="Library for manipulating IDv3 tags in MP3 audio files"
url="http://www.underbit.com/products/mad/"
arch="all"
@@ -11,17 +11,24 @@ depends=""
makedepends="zlib-dev"
subpackages="$pkgname-dev"
source="ftp://ftp.mars.org/pub/mpeg/libid3tag-$pkgver.tar.gz
- CVE-2008-2109.patch
+ CVE-2004-2779.patch
+ CVE-2017-11550.patch
"
+# secfixes:
+# 0.15.1b-r8:
+# - CVE-2008-2109
+# 0.15.1b-r10:
+# - CVE-2004-2779
+# - CVE-2017-11550
+# - CVE-2017-11551
+
prepare() {
- cd "$builddir"
update_config_sub
default_prepare
}
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
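Review bot: The `secfixes` block lists CVE-2008-2109 and CVE-2017-11551, but after this change `source` carries no patch named for either: `CVE-2008-2109.patch` is dropped and only `CVE-2004-2779.patch` and `CVE-2017-11550.patch` are added. The header of `CVE-2004-2779.patch` states that it also fixes both, so that mapping should be recorded next to the list, for example `# CVE-2008-2109 and CVE-2017-11551 are fixed by CVE-2004-2779.patch (utf16.c)`. It is also worth confirming that the `utf16.c` change covers the case the removed `field.c` loop guard handled, since the two patches touch different functions.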
@@ -33,12 +40,10 @@ build() {
}
check() {
- cd "$builddir"
make check
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
mkdir -p "$pkgdir"/usr/lib/pkgconfig
cat > "$pkgdir"/usr/lib/pkgconfig/id3tag.pc <<EOF
@@ -57,4 +62,5 @@ EOF
}
sha512sums="ade7ce2a43c3646b4c9fdc642095174b9d4938b078b205cd40906d525acd17e87ad76064054a961f391edcba6495441450af2f68be69f116549ca666b069e6d3 libid3tag-0.15.1b.tar.gz
-fc79d44ca9d1435ab5b11d4da6b46d3684827a1384a0156cd88242225f98f3a0668c0d6e6a88159f0c4985fcbdc636777c2f100d7f371eef258a6050d6fde567 CVE-2008-2109.patch"
+4c27e104d45ae34affc1bef8ec613e65c7e4791185d2ef1cb27974ec7025c06c35d30d6278ce7e3107dff959bd55a708246c3c1a9d5ad7b093424cfb93b79f63 CVE-2004-2779.patch
+6627d6e73958309b199a02cd6fa1008a81554151238d8a099dc27e535b8d14f7a9c1ba19894fdf2c927e59c0ca855d50b2f1289f116b45bc41e02d31659d1535 CVE-2017-11550.patch"
diff --git a/user/libid3tag/CVE-2004-2779.patch b/user/libid3tag/CVE-2004-2779.patch
new file mode 100644
index 000000000..b7e1e2280
--- /dev/null
+++ b/user/libid3tag/CVE-2004-2779.patch
@@ -0,0 +1,32 @@
+Lifted from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/10_utf16.dpatch/
+
+Also fixes:
+
+CVE-2008-2109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480187#12
+CVE-2017-11551 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333#10
+
+Handle bogus UTF16 sequences that have a length that is not
+an even number of 8 bit characters.
+
+--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100
++++ libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100
+@@ -282,5 +282,18 @@
+
+ free(utf16);
+
++ if (end == *ptr && length % 2 != 0)
++ {
++ /* We were called with a bogus length. It should always
++ * be an even number. We can deal with this in a few ways:
++ * - Always give an error.
++ * - Try and parse as much as we can and
++ * - return an error if we're called again when we
++ * already tried to parse everything we can.
++ * - tell that we parsed it, which is what we do here.
++ */
++ (*ptr)++;
++ }
++
+ return ucs4;
+ }
diff --git a/user/libid3tag/CVE-2008-2109.patch b/user/libid3tag/CVE-2008-2109.patch
deleted file mode 100644
index 6226d14af..000000000
--- a/user/libid3tag/CVE-2008-2109.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/field.c.orig 2008-05-05 09:49:15.000000000 -0400
-+++ b/field.c 2008-05-05 09:49:25.000000000 -0400
-@@ -291,7 +291,7 @@
-
- end = *ptr + length;
-
-- while (end - *ptr > 0) {
-+ while (end - *ptr > 0 && **ptr != '\0') {
- ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
- if (ucs4 == 0)
- goto fail;
diff --git a/user/libid3tag/CVE-2017-11550.patch b/user/libid3tag/CVE-2017-11550.patch
new file mode 100644
index 000000000..abf6cbd43
--- /dev/null
+++ b/user/libid3tag/CVE-2017-11550.patch
@@ -0,0 +1,33 @@
+Lifted from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/
+
+In case of an unknown/invalid encoding, id3_parse_string() will
+return NULL, but the return value wasn't checked resulting
+in segfault in id3_ucs4_length(). This is the only place
+the return value wasn't checked.
+
+--- libid3tag-0.15.1b/compat.gperf 2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000
+@@ -236,6 +236,10 @@
+
+ encoding = id3_parse_uint(&data, 1);
+ string = id3_parse_string(&data, end - data, encoding, 0);
++ if (!string)
++ {
++ continue;
++ }
+
+ if (id3_ucs4_length(string) < 4) {
+ free(string);
+--- libid3tag-0.15.1b/parse.c 2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000
+@@ -165,6 +165,9 @@
+ case ID3_FIELD_TEXTENCODING_UTF_8:
+ ucs4 = id3_utf8_deserialize(ptr, length);
+ break;
++ default:
++ /* FIXME: Unknown encoding! Print warning? */
++ return NULL;
+ }
+
+ if (ucs4 && !full) {
diff --git a/user/libtasn1/APKBUILD b/user/libtasn1/APKBUILD
index faf3a82b2..f3fcce75d 100644
--- a/user/libtasn1/APKBUILD
+++ b/user/libtasn1/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=libtasn1
-pkgver=4.13
+pkgver=4.14
pkgrel=0
pkgdesc="Highly portable ASN.1 library"
url="https://www.gnu.org/software/libtasn1/"
@@ -13,10 +13,12 @@ source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
"
# secfixes:
+# 4.14-r0:
+# - CVE-2018-1000654
# 4.13-r0:
-# - CVE-2018-6003
+# - CVE-2018-6003
# 4.12-r1:
-# - CVE-2017-10790
+# - CVE-2017-10790
build() {
cd "$builddir"
@@ -47,4 +49,4 @@ tools() {
mv -i "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="bf5b60a296795e0a8a4a658c0106492393aa7ce698e785256b3427c17215c2a5b6178a61a2043c93ea4334f754eabece20221ac8fef0fd5644086a3891d98a9f libtasn1-4.13.tar.gz"
+sha512sums="efdcf3729e9e057cafbfdc9929f08531de03cf3b64e7db62cb53c26bf34c8db4d73786fd853620ab1a10dbafe55e119ad17bfeb40e191071945c7b4db9c9e223 libtasn1-4.14.tar.gz"
diff --git a/user/libvncserver/APKBUILD b/user/libvncserver/APKBUILD
index 0801da573..764fec75a 100644
--- a/user/libvncserver/APKBUILD
+++ b/user/libvncserver/APKBUILD
@@ -14,13 +14,16 @@ depends_dev="libgcrypt-dev libjpeg-turbo-dev gnutls-dev libpng-dev
libxi-dev libxinerama-dev libxrandr-dev libxtst-dev"
makedepends="$depends_dev autoconf automake libtool"
subpackages="$pkgname-dev"
-source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz"
+source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz
+ CVE-2018-15127.patch"
builddir="$srcdir"/libvncserver-LibVNCServer-$pkgver
# secfixes:
# 0.9.11-r0:
# - CVE-2016-9941
# - CVE-2016-9942
+# 0.9.12-r0:
+# - CVE-2018-15127
build() {
if [ "$CBUILD" != "$CHOST" ]; then
@@ -45,4 +48,5 @@ package() {
make install DESTDIR="$pkgdir"
}
-sha512sums="60ff1cc93a937d6f8f97449bc58b763095846207112f7b1b3c43eb2d74448b595d6da949903a764bd484ee54e38ff6277e882adbe965dd6d26ba15ef6ff6fcb8 LibVNCServer-0.9.12.tar.gz"
+sha512sums="60ff1cc93a937d6f8f97449bc58b763095846207112f7b1b3c43eb2d74448b595d6da949903a764bd484ee54e38ff6277e882adbe965dd6d26ba15ef6ff6fcb8 LibVNCServer-0.9.12.tar.gz
+8b5b6742e6c3a181c60652484b15ec42cc0a3acc1e82cef38e82b61f43f1de456d09731976f4e5dfab44abf3e551e22aaf4300cb8418cd8e136d705fcb2a7dbe CVE-2018-15127.patch"
diff --git a/user/libvncserver/CVE-2018-15127.patch b/user/libvncserver/CVE-2018-15127.patch
new file mode 100644
index 000000000..146243670
--- /dev/null
+++ b/user/libvncserver/CVE-2018-15127.patch
@@ -0,0 +1,44 @@
+From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 7 Jan 2019 10:40:01 +0100
+Subject: [PATCH] Limit lenght to INT_MAX bytes in
+ rfbProcessFileTransferReadBuffer()
+
+This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
+out-of-bound write access in rfbProcessFileTransferReadBuffer() when
+reading a transfered file content in a server. The former fix did not
+work on platforms with a 32-bit int type (expected by rfbReadExact()).
+
+CVE-2018-15127
+<https://github.com/LibVNC/libvncserver/issues/243>
+<https://github.com/LibVNC/libvncserver/issues/273>
+---
+ libvncserver/rfbserver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 7af84906..f2edbeea 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -88,6 +88,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* INT_MAX */
++#include <limits.h>
+
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+ will safely be allocated since this check will never trigger and malloc() can digest length+1
+ without problems as length is a uint32_t.
++ We also later pass length to rfbReadExact() that expects a signed int type and
++ that might wrap on platforms with a 32-bit int type if length is bigger
++ than 0X7FFFFFFF.
+ */
+- if(length == SIZE_MAX) {
++ if(length == SIZE_MAX || length > INT_MAX) {
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+ rfbCloseClient(cl);
+ return NULL;
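Review bot: After this check a client-supplied `length` of up to `INT_MAX` is still accepted, and the comment above says `malloc()` is then given `length+1`, so a single request can ask for an allocation of about 2 GiB. A protocol-level cap would be tighter than the type limit, for example `if (length > MAX_FILE_TRANSFER_LEN)`, where `MAX_FILE_TRANSFER_LEN` is a placeholder for a project-chosen bound and not an existing name. Separately, `length == SIZE_MAX` no longer adds anything: where `SIZE_MAX` is 0xFFFFFFFF it is covered by `length > INT_MAX`, and on 64-bit it can never be true for a `uint32_t`, so the condition could be reduced to `if(length > INT_MAX) {`. The allocation and the `rfbReadExact()` call are outside the hunk.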
diff --git a/user/ntfs-3g/APKBUILD b/user/ntfs-3g/APKBUILD
index d403c4f42..aaa5be24b 100644
--- a/user/ntfs-3g/APKBUILD
+++ b/user/ntfs-3g/APKBUILD
@@ -5,7 +5,7 @@
pkgname=ntfs-3g
_pkgname=ntfs-3g_ntfsprogs
pkgver=2017.3.23
-pkgrel=1
+pkgrel=2
pkgdesc="Stable, full-featured, read-write NTFS"
url="https://www.tuxera.com/community/open-source-ntfs-3g/"
arch="all"
@@ -13,9 +13,14 @@ options="!check" # No test suite.
license="LGPL-2.1-only AND BSD-2-Clause AND GPL-2.0+ AND GPL-3.0+"
makedepends="attr-dev util-linux-dev linux-headers fuse-dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs"
-source="https://tuxera.com/opensource/$_pkgname-$pkgver.tgz"
+source="https://tuxera.com/opensource/$_pkgname-$pkgver.tgz
+ CVE-2019-9755.patch"
builddir="$srcdir/$_pkgname-$pkgver"
+# secfixes:
+# 2017.3.23-r2:
+# - CVE-2019-9755
+
build() {
cd "$builddir"
./configure \
@@ -37,4 +42,5 @@ package() {
ln -s /bin/ntfs-3g "$pkgdir"/sbin/mount.ntfs
}
-sha512sums="3a607f0d7be35204c992d8931de0404fbc52032c13b4240d2c5e6f285c318a28eb2a385d7cf5ac4cd445876aee5baa5753bb636ada0d870d84a9d3fdbce794ef ntfs-3g_ntfsprogs-2017.3.23.tgz"
+sha512sums="3a607f0d7be35204c992d8931de0404fbc52032c13b4240d2c5e6f285c318a28eb2a385d7cf5ac4cd445876aee5baa5753bb636ada0d870d84a9d3fdbce794ef ntfs-3g_ntfsprogs-2017.3.23.tgz
+c79ae27e3c9490f0f893a16f27bb19c2cef2fe7b098aabca392163f4105b7ee9797b648d1013ce4c096adf639f6da2b8c43829cfabcc6ac3208c07454a6c0c5c CVE-2019-9755.patch"
diff --git a/user/ntfs-3g/CVE-2019-9755.patch b/user/ntfs-3g/CVE-2019-9755.patch
new file mode 100644
index 000000000..d1a95541f
--- /dev/null
+++ b/user/ntfs-3g/CVE-2019-9755.patch
@@ -0,0 +1,63 @@
+From 85c1634a26faa572d3c558d4cf8aaaca5202d4e9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jean-pierre.andre@wanadoo.fr>
+Date: Wed, 19 Dec 2018 15:57:50 +0100
+Subject: [PATCH] Fixed reporting an error when failed to build the mountpoint
+
+The size check was inefficient because getcwd() uses an unsigned int
+argument.
+---
+ src/lowntfs-3g.c | 6 +++++-
+ src/ntfs-3g.c | 6 +++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/lowntfs-3g.c b/src/lowntfs-3g.c
+index 993867fa..0660439b 100644
+--- a/src/lowntfs-3g.c
++++ b/src/lowntfs-3g.c
+@@ -4411,7 +4411,8 @@ int main(int argc, char *argv[])
+ else {
+ ctx->abs_mnt_point = (char*)ntfs_malloc(PATH_MAX);
+ if (ctx->abs_mnt_point) {
+- if (getcwd(ctx->abs_mnt_point,
++ if ((strlen(opts.mnt_point) < PATH_MAX)
++ && getcwd(ctx->abs_mnt_point,
+ PATH_MAX - strlen(opts.mnt_point) - 1)) {
+ strcat(ctx->abs_mnt_point, "/");
+ strcat(ctx->abs_mnt_point, opts.mnt_point);
+@@ -4419,6 +4420,9 @@ int main(int argc, char *argv[])
+ /* Solaris also wants the absolute mount point */
+ opts.mnt_point = ctx->abs_mnt_point;
+ #endif /* defined(__sun) && defined (__SVR4) */
++ } else {
++ free(ctx->abs_mnt_point);
++ ctx->abs_mnt_point = (char*)NULL;
+ }
+ }
+ }
+diff --git a/src/ntfs-3g.c b/src/ntfs-3g.c
+index 6ce89fef..4e0912ae 100644
+--- a/src/ntfs-3g.c
++++ b/src/ntfs-3g.c
+@@ -4148,7 +4148,8 @@ int main(int argc, char *argv[])
+ else {
+ ctx->abs_mnt_point = (char*)ntfs_malloc(PATH_MAX);
+ if (ctx->abs_mnt_point) {
+- if (getcwd(ctx->abs_mnt_point,
++ if ((strlen(opts.mnt_point) < PATH_MAX)
++ && getcwd(ctx->abs_mnt_point,
+ PATH_MAX - strlen(opts.mnt_point) - 1)) {
+ strcat(ctx->abs_mnt_point, "/");
+ strcat(ctx->abs_mnt_point, opts.mnt_point);
+@@ -4156,6 +4157,9 @@ int main(int argc, char *argv[])
+ /* Solaris also wants the absolute mount point */
+ opts.mnt_point = ctx->abs_mnt_point;
+ #endif /* defined(__sun) && defined (__SVR4) */
++ } else {
++ free(ctx->abs_mnt_point);
++ ctx->abs_mnt_point = (char*)NULL;
+ }
+ }
+ }
+--
+2.22.0
+
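Review bot: The new guard `strlen(opts.mnt_point) < PATH_MAX` still admits a length of `PATH_MAX - 1`, for which the size passed to `getcwd()` is 0, so the code is correct in that case only because `getcwd()` fails on a zero size. Writing the bound as `if ((strlen(opts.mnt_point) < PATH_MAX - 1)` makes the intent explicit. The added `else` branch frees and clears `ctx->abs_mnt_point` without logging anything, so whether the user sees an error despite the commit subject depends on code after the hunk. Both points apply identically to `src/lowntfs-3g.c` and `src/ntfs-3g.c`, whose hunks are the same; `main` starts and ends outside them.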
diff --git a/user/oniguruma/APKBUILD b/user/oniguruma/APKBUILD
index 7df3e3af5..b62084508 100644
--- a/user/oniguruma/APKBUILD
+++ b/user/oniguruma/APKBUILD
@@ -3,15 +3,22 @@
# Maintainer: Samuel Holland <samuel@sholland.org>
pkgname=oniguruma
pkgver=6.9.2
-pkgrel=0
+pkgrel=1
pkgdesc="A regular expression library"
url="https://github.com/kkos/oniguruma"
arch="all"
license="BSD-2-Clause"
subpackages="$pkgname-dev"
-source="https://github.com/kkos/$pkgname/releases/download/v$pkgver/onig-$pkgver.tar.gz"
+source="https://github.com/kkos/$pkgname/releases/download/v$pkgver/onig-$pkgver.tar.gz
+ CVE-2019-13224.patch
+ CVE-2019-13225.patch"
builddir="$srcdir/onig-$pkgver"
+# secfixes:
+# 6.9.2-r1:
+# - CVE-2019-13224
+# - CVE-2019-13225
+
build() {
./configure \
--build=$CBUILD \
@@ -32,4 +39,6 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="c10134e42a3c0b0eeae2027ffb7a3e1bcc9228dee286f6b6e997f8a73d717217fa74de0e19c40975d2e78044c8c4f029eb622f90c8eb4fdc4667eb4804e97001 onig-6.9.2.tar.gz"
+sha512sums="c10134e42a3c0b0eeae2027ffb7a3e1bcc9228dee286f6b6e997f8a73d717217fa74de0e19c40975d2e78044c8c4f029eb622f90c8eb4fdc4667eb4804e97001 onig-6.9.2.tar.gz
+7f1b42e1ceb6e9addf87bbd456848afd9db3b721352157e3a7362354c3a4cabd58fac202d199d9f9c2f08f0c5c98e3de8583367e7716028278dae96c3d6bb43a CVE-2019-13224.patch
+4c1df67369055f945c49d579c3f2ae5ffc41bb1c8a2510555908f07691c669b290accd9152f017e02a2a21f8a365c9ffd8fab42a3d11409150551f0c0c919dc7 CVE-2019-13225.patch"
diff --git a/user/oniguruma/CVE-2019-13224.patch b/user/oniguruma/CVE-2019-13224.patch
new file mode 100644
index 000000000..22bc6bd2f
--- /dev/null
+++ b/user/oniguruma/CVE-2019-13224.patch
@@ -0,0 +1,41 @@
+From 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 17:25:26 +0900
+Subject: [PATCH] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+---
+ src/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/regext.c b/src/regext.c
+index fa4b360..965c793 100644
+--- a/src/regext.c
++++ b/src/regext.c
+@@ -29,6 +29,7 @@
+
+ #include "regint.h"
+
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+
+ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+ if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+
+ if (ci->pattern_enc != ci->target_enc) {
+- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+- &cpat, &cpat_end);
+- if (r != 0) return r;
++ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
+ else {
+ cpat = (UChar* )pattern;
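Review bot: The `#if 0` placed above `conv_ext0be32()` and closed after `conv_encoding()` has no comment, so a later reader of src/regext.c cannot tell that the converters were compiled out on purpose as part of the security fix. A line above the `#if 0` would record it, for example `/* disabled for CVE-2019-13224: onig_new_deluxe() rejects mixed pattern/target encodings */`. With this change, any caller passing a `pattern_enc` that differs from `target_enc` now gets `ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION`, so packages in the tree that link against oniguruma are worth checking for that call pattern before the rebuild ships. The body of `onig_new_deluxe()` continues past the end of the embedded hunk, so whether any later cleanup of `cpat` is now dead code cannot be judged from here.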
diff --git a/user/oniguruma/CVE-2019-13225.patch b/user/oniguruma/CVE-2019-13225.patch
new file mode 100644
index 000000000..26e296d8d
--- /dev/null
+++ b/user/oniguruma/CVE-2019-13225.patch
@@ -0,0 +1,69 @@
+From c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 14:11:55 +0900
+Subject: [PATCH] Fix CVE-2019-13225: problem in converting if-then-else
+ pattern to bytecode.
+
+---
+ src/regcomp.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/src/regcomp.c b/src/regcomp.c
+index c2c04a4..ff3431f 100644
+--- a/src/regcomp.c
++++ b/src/regcomp.c
+@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg)
+ len += tlen;
+ }
+
++ len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;
++
+ if (IS_NOT_NULL(Else)) {
+- len += SIZE_OP_JUMP;
+ tlen = compile_length_tree(Else, reg);
+ if (tlen < 0) return tlen;
+ len += tlen;
+@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+
+ case BAG_IF_ELSE:
+ {
+- int cond_len, then_len, jump_len;
++ int cond_len, then_len, else_len, jump_len;
+ Node* cond = NODE_BAG_BODY(node);
+ Node* Then = node->te.Then;
+ Node* Else = node->te.Else;
+@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+ else
+ then_len = 0;
+
+- jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
+- if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
++ jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;
+
+ r = add_op(reg, OP_PUSH);
+ if (r != 0) return r;
+@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
+ }
+
+ if (IS_NOT_NULL(Else)) {
+- int else_len = compile_length_tree(Else, reg);
+- r = add_op(reg, OP_JUMP);
+- if (r != 0) return r;
+- COP(reg)->jump.addr = else_len + SIZE_INC_OP;
++ else_len = compile_length_tree(Else, reg);
++ if (else_len < 0) return else_len;
++ }
++ else
++ else_len = 0;
+
++ r = add_op(reg, OP_JUMP);
++ if (r != 0) return r;
++ COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;
++
++ r = add_op(reg, OP_ATOMIC_END);
++ if (r != 0) return r;
++
++ if (IS_NOT_NULL(Else)) {
+ r = compile_tree(Else, reg, env);
+ }
+ }
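Review bot: The offset written by `COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;` in `compile_bag_node()` and the `len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;` in `compile_length_bag_node()` have to describe the same bytecode layout, and nothing in the new code says so. The patch changes both in step, making the JUMP and a second ATOMIC_END unconditional, and a later edit to only one of them would bring back a length/emit mismatch in the compiled pattern. A comment at the emit site would make the coupling explicit, for example `/* emitted even without Else; keep in step with compile_length_bag_node() */`. As a style point, the unbraced `else else_len = 0;` after a braced `if` would read better with braces. Both functions begin and end outside the embedded hunks.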
diff --git a/user/openjpeg/APKBUILD b/user/openjpeg/APKBUILD
index c549987d8..e454afa61 100644
--- a/user/openjpeg/APKBUILD
+++ b/user/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=openjpeg
pkgver=2.3.1
-pkgrel=1
+pkgrel=2
pkgdesc="Open-source implementation of JPEG 2000 image codec"
url="http://www.openjpeg.org/"
arch="all"
@@ -11,7 +11,8 @@ license="BSD-2-Clause-NetBSD"
depends_dev="$pkgname-tools"
makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake"
subpackages="$pkgname-dev $pkgname-tools"
-source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
+ CVE-2019-12973.patch"
build() {
cmake . \
@@ -23,6 +24,8 @@ build() {
}
# secfixes:
+# 2.3.1-r2:
+# - CVE-2019-12973
# 2.3.0-r0:
# - CVE-2017-14039
# 2.2.0-r2:
@@ -47,4 +50,5 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03 openjpeg-2.3.1.tar.gz"
+sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03 openjpeg-2.3.1.tar.gz
+472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch"
diff --git a/user/openjpeg/CVE-2019-12973.patch b/user/openjpeg/CVE-2019-12973.patch
new file mode 100644
index 000000000..0d330ae6d
--- /dev/null
+++ b/user/openjpeg/CVE-2019-12973.patch
@@ -0,0 +1,152 @@
+From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Sat, 16 Mar 2019 19:57:27 +0800
+Subject: [PATCH 1/2] convertbmp: detect invalid file dimensions early
+
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+
+See commit 8ee335227bbc for details.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+---
+ src/bin/jp2/convertbmp.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 0af52f816..ec34f535b 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+- OPJ_UINT32 x, y;
++ OPJ_UINT32 x, y, written;
+ OPJ_UINT8 *pix;
+ const OPJ_UINT8 *beyond;
+
+ beyond = pData + stride * height;
+ pix = pData;
+- x = y = 0U;
++ x = y = written = 0U;
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
++ written++;
+ }
+ } else { /* absolute mode */
+ c = getc(IN);
+@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ c1 = (OPJ_UINT8)getc(IN);
+ }
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
++ written++;
+ }
+ if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
+ getc(IN);
+@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ }
+ }
+ } /* while(y < height) */
++ if (written != width * height) {
++ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++ return OPJ_FALSE;
++ }
+ return OPJ_TRUE;
+ }
+
+
+From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Sat, 16 Mar 2019 20:09:59 +0800
+Subject: [PATCH 2/2] bmp_read_rle4_data(): avoid potential infinite loop
+
+---
+ src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index ec34f535b..2fc4e9bc4 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+- break;
++ return OPJ_FALSE;
+ }
+
+ if (c) { /* encoded mode */
+- int j;
+- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN);
++ int j, c1_int;
++ OPJ_UINT8 c1;
++
++ c1_int = getc(IN);
++ if (c1_int == EOF) {
++ return OPJ_FALSE;
++ }
++ c1 = (OPJ_UINT8)c1_int;
+
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ } else { /* absolute mode */
+ c = getc(IN);
+ if (c == EOF) {
+- break;
++ return OPJ_FALSE;
+ }
+
+ if (c == 0x00) { /* EOL */
+@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ break;
+ } else if (c == 0x02) { /* MOVE by dxdy */
+ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ x += (OPJ_UINT32)c;
+ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ y += (OPJ_UINT32)c;
+ pix = pData + y * stride + x;
+ } else { /* 03 .. 255 : absolute mode */
+@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ if ((j & 1) == 0) {
+- c1 = (OPJ_UINT8)getc(IN);
++ int c1_int;
++ c1_int = getc(IN);
++ if (c1_int == EOF) {
++ return OPJ_FALSE;
++ }
++ c1 = (OPJ_UINT8)c1_int;
+ }
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
+ written++;
+ }
+ if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
+- getc(IN);
++ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ }
+ }
+ }
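Review bot: The new check `if (written != width * height)` multiplies two `OPJ_UINT32` values that come from the BMP header, so the product can wrap before it is compared with `written`. For dimensions whose product does not fit in 32 bits, the test then runs against the wrapped value rather than the advertised size. Doing the comparison in a wider type avoids that: `if ((OPJ_UINT64)written != (OPJ_UINT64)width * height)`. Separately, the EOL and MOVE records advance `x`/`y` without incrementing `written`, so a file that skips pixels with them would presumably be rejected by this check; it is worth confirming that this is intended. The hunks of the second embedded patch cut through `bmp_read_rle4_data()`, so the surrounding loop is only partly visible.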
diff --git a/user/openldap/APKBUILD b/user/openldap/APKBUILD
index 22d31dac7..3f84e64c7 100644
--- a/user/openldap/APKBUILD
+++ b/user/openldap/APKBUILD
@@ -2,15 +2,18 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 2.4.48-r0:
+# - CVE-2019-13057
+# - CVE-2019-13565
# 2.4.46:
-# - CVE-2017-14159
-# - CVE-2017-17740
+# - CVE-2017-14159
+# - CVE-2017-17740
# 2.4.44-r5:
-# - CVE-2017-9287
+# - CVE-2017-9287
#
pkgname=openldap
-pkgver=2.4.47
-pkgrel=1
+pkgver=2.4.48
+pkgrel=0
pkgdesc="LDAP Server"
url="http://www.openldap.org/"
arch="all"
@@ -202,7 +205,7 @@ _submv() {
done
}
-sha512sums="d424079e34207e3d24383a2bea70a07ded40714982a6767174d2b2cb208cd94feab5ef12157accae915b8e404e5773a7547aaef65f06b44dc3cc09c6a64d5a11 openldap-2.4.47.tgz
+sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be799d8778fac2d4fa9f382731eb4ca48c6b85630cb58a3b8249843561ae8feb openldap-2.4.48.tgz
5d34d49eabe7cb66cf8284cc3bd9730fa23df4932df68549e242d250ee50d40c434ae074ebc720d5fbcd9d16587c9333c5598d30a5f1177caa61461ab7771f38 openldap-2.4-ppolicy.patch
44d97efb25d4f39ab10cd5571db43f3bfa7c617a5bb087085ae16c0298aca899b55c8742a502121ba743a73e6d77cd2056bc96cee63d6d0862dabc8fb5574357 openldap-2.4.11-libldap_r.patch
8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch
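Review bot: Neither hunk of this APKBUILD removes an entry from `source=` or `sha512sums`, yet the same commit deletes `CVE-2017-9287.patch`, `libressl.patch` and `openldap-mqtt-overlay.patch` from the directory. If any of the three is still listed in lines outside these hunks, the build will fail at the fetch or checksum step. If none is listed, they were already unreferenced, and it is worth confirming that the 2.4.48 tarball carries the CVE-2017-9287 fix that the secfixes block still records under 2.4.44-r5. Once confirmed, a short comment next to the secfixes block would keep that traceable, for example `# CVE-2017-9287.patch dropped: fix is in the upstream tarball`.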
diff --git a/user/openldap/CVE-2017-9287.patch b/user/openldap/CVE-2017-9287.patch
deleted file mode 100644
index 1599c1331..000000000
--- a/user/openldap/CVE-2017-9287.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001
-From: Ryan Tandy <ryan@nardis.ca>
-Date: Wed, 17 May 2017 20:07:39 -0700
-Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0
-
-Fixes a double free when a search includes the Paged Results control
-with a page size of 0 and the search base matches the filter.
----
- servers/slapd/back-mdb/search.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
-index 301d1a4..43442aa 100644
---- a/servers/slapd/back-mdb/search.c
-+++ b/servers/slapd/back-mdb/search.c
-@@ -1066,7 +1066,8 @@ notfound:
- /* check size limit */
- if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
- if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
-- mdb_entry_return( op, e );
-+ if (e != base)
-+ mdb_entry_return( op, e );
- e = NULL;
- send_paged_response( op, rs, &lastid, tentries );
- goto done;
---
-1.7.10.4
-
diff --git a/user/openldap/libressl.patch b/user/openldap/libressl.patch
deleted file mode 100644
index ac0106418..000000000
--- a/user/openldap/libressl.patch
+++ /dev/null
@@ -1,65 +0,0 @@
---- a/libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC
-+++ b/libraries/libldap/tls_o.c
-@@ -47,7 +47,7 @@
- #include <ssl.h>
- #endif
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
- #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
- #endif
-
-@@ -157,7 +157,7 @@ tlso_init( void )
- (void) tlso_seed_PRNG( lo->ldo_tls_randfile );
- #endif
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000
-+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
- SSL_load_error_strings();
- SSL_library_init();
- OpenSSL_add_all_digests();
-@@ -205,7 +205,7 @@ static void
- tlso_ctx_ref( tls_ctx *ctx )
- {
- tlso_ctx *c = (tlso_ctx *)ctx;
--#if OPENSSL_VERSION_NUMBER < 0x10100000
-+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
- #define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX )
- #endif
- SSL_CTX_up_ref( c );
-@@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *
- if (!x) return LDAP_INVALID_CREDENTIALS;
-
- xn = X509_get_subject_name(x);
--#if OPENSSL_VERSION_NUMBER < 0x10100000
-+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
- der_dn->bv_len = i2d_X509_NAME( xn, NULL );
- der_dn->bv_val = xn->bytes->data;
- #else
-@@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval
- return LDAP_INVALID_CREDENTIALS;
-
- xn = X509_get_subject_name(x);
--#if OPENSSL_VERSION_NUMBER < 0x10100000
-+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
- der_dn->bv_len = i2d_X509_NAME( xn, NULL );
- der_dn->bv_val = xn->bytes->data;
- #else
-@@ -721,7 +721,7 @@ struct tls_data {
- Sockbuf_IO_Desc *sbiod;
- };
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000
-+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
- #define BIO_set_init(b, x) b->init = x
- #define BIO_set_data(b, x) b->ptr = x
- #define BIO_clear_flags(b, x) b->flags &= ~(x)
-@@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str )
- return tlso_bio_write( b, str, strlen( str ) );
- }
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
- struct bio_method_st {
- int type;
- const char *name;
diff --git a/user/openldap/openldap-mqtt-overlay.patch b/user/openldap/openldap-mqtt-overlay.patch
deleted file mode 100644
index 795480f1e..000000000
--- a/user/openldap/openldap-mqtt-overlay.patch
+++ /dev/null
@@ -1,447 +0,0 @@
-diff --git a/contrib/slapd-modules/mqtt/Makefile b/contrib/slapd-modules/mqtt/Makefile
-new file mode 100644
-index 0000000..2cb4db7
---- /dev/null
-+++ b/contrib/slapd-modules/mqtt/Makefile
-@@ -0,0 +1,45 @@
-+# $OpenLDAP$
-+
-+LDAP_SRC = ../../..
-+LDAP_BUILD = ../../..
-+LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
-+LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
-+ $(LDAP_BUILD)/libraries/liblber/liblber.la
-+
-+LIBTOOL = $(LDAP_BUILD)/libtool
-+CC = gcc
-+OPT = -g -O2 -Wall
-+DEFS =
-+INCS = $(LDAP_INC)
-+LIBS = $(LDAP_LIB) -lmosquitto
-+
-+PROGRAMS = mqtt.la
-+LTVER = 0:0:0
-+
-+prefix=/usr/local
-+exec_prefix=$(prefix)
-+ldap_subdir=/openldap
-+
-+libdir=$(exec_prefix)/lib
-+libexecdir=$(exec_prefix)/libexec
-+moduledir = $(libdir)$(ldap_subdir)
-+
-+.SUFFIXES: .c .o .lo
-+
-+.c.lo:
-+ $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
-+
-+all: $(PROGRAMS)
-+
-+mqtt.la: mqtt.lo
-+ $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
-+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
-+
-+clean:
-+ rm -rf *.o *.lo *.la .libs
-+
-+install: $(PROGRAMS)
-+ mkdir -p $(DESTDIR)$(moduledir)
-+ for p in $(PROGRAMS) ; do \
-+ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
-+ done
-diff --git a/contrib/slapd-modules/mqtt/mqtt.c b/contrib/slapd-modules/mqtt/mqtt.c
-new file mode 100644
-index 0000000..b3a0a31
---- /dev/null
-+++ b/contrib/slapd-modules/mqtt/mqtt.c
-@@ -0,0 +1,389 @@
-+/* $OpenLDAP$ */
-+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
-+ *
-+ * Copyright 2014 Timo Teräs <timo.teras@iki.fi>.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted only as authorized by the OpenLDAP
-+ * Public License.
-+ *
-+ * A copy of this license is available in file LICENSE in the
-+ * top-level directory of the distribution or, alternatively, at
-+ * http://www.OpenLDAP.org/license.html.
-+ */
-+/* mqtt-overlay
-+ *
-+ * This is an OpenLDAP overlay that... */
-+
-+#include <mosquitto.h>
-+#include <unistd.h>
-+
-+#include "portable.h"
-+#include "slap.h"
-+#include "config.h"
-+
-+typedef struct mqtt_notify_t {
-+ struct mqtt_notify_t *next;
-+ char *topic;
-+ char *dn_group_str;
-+ char *oc_group_str;
-+ char *str_member;
-+
-+ struct berval ndn_group;
-+ ObjectClass *oc_group;
-+ AttributeDescription *ad_member;
-+ int notify_pending;
-+} mqtt_notify_t;
-+
-+typedef struct mqtt_t {
-+ struct mosquitto *mq;
-+ int port;
-+ char *hostname, *username, *password;
-+ mqtt_notify_t *notify_map;
-+} mqtt_t;
-+
-+static ConfigDriver mqtt_config_notify;
-+
-+static ConfigTable mqttcfg[] = {
-+ { "mqtt-hostname", "hostname", 2, 2, 0,
-+ ARG_STRING|ARG_OFFSET, (void *)offsetof(mqtt_t, hostname),
-+ "( OLcfgCtAt:5.1 NAME 'olcMqttHostname' "
-+ "DESC 'Hostname of MQTT broker' "
-+ "SYNTAX OMsDirectoryString SINGLE-VALUE )",
-+ NULL, NULL },
-+ { "mqtt-port", "port", 2, 2, 0,
-+ ARG_INT|ARG_OFFSET, (void *)offsetof(mqtt_t, port),
-+ "( OLcfgCtAt:5.2 NAME 'olcMqttPort' "
-+ "DESC 'Port of MQTT broker' "
-+ "SYNTAX OMsInteger SINGLE-VALUE )",
-+ NULL, NULL },
-+ { "mqtt-username", "username", 2, 2, 0,
-+ ARG_STRING|ARG_OFFSET, (void *)offsetof(mqtt_t, username),
-+ "( OLcfgCtAt:5.3 NAME 'olcMqttUsername' "
-+ "DESC 'Username for MQTT broker' "
-+ "SYNTAX OMsDirectoryString SINGLE-VALUE )",
-+ NULL, NULL },
-+ { "mqtt-password", "password", 2, 2, 0,
-+ ARG_STRING|ARG_OFFSET, (void *)offsetof(mqtt_t, password),
-+ "( OLcfgCtAt:5.4 NAME 'olcMqttPassword' "
-+ "DESC 'Password for MQTT broker' "
-+ "SYNTAX OMsDirectoryString SINGLE-VALUE )",
-+ NULL, NULL },
-+ { "mqtt-notify-password", "topic> <group-dn> <group-oc> <member-ad", 2, 5, 0,
-+ ARG_MAGIC, mqtt_config_notify,
-+ "( OLcfgCtAt:5.5 NAME 'olcMqttNotifyPassword' "
-+ "DESC 'Notify password change on <topic>, optionally checking that the object is in the specified group.'"
-+ "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
-+ NULL, NULL },
-+ { NULL, NULL, 0, 0, 0, ARG_IGNORED }
-+};
-+
-+static ConfigOCs mqttocs[] = {
-+ { "( OLcfgCtOc:5.1 "
-+ "NAME 'olcMqttConfig' "
-+ "DESC 'MQTT configuration' "
-+ "SUP olcOverlayConfig "
-+ "MAY ( "
-+ "olcMqttHostname "
-+ "$ olcMqttPort"
-+ "$ olcMqttUsername"
-+ "$ olcMqttPassword"
-+ "$ olcMqttNotifyPassword"
-+ " ) )",
-+ Cft_Overlay, mqttcfg },
-+
-+ { NULL, 0, NULL }
-+};
-+
-+static int mqtt_init(BackendInfo *bi)
-+{
-+ return mosquitto_lib_init();
-+}
-+
-+static int mqtt_destroy(BackendInfo *bi)
-+{
-+ return mosquitto_lib_cleanup();
-+}
-+
-+static const char *ca_arg(ConfigArgs *c, int n)
-+{
-+ return (c->argc <= n) ? NULL : c->argv[n];
-+}
-+
-+static void free_notify(mqtt_notify_t *n)
-+{
-+ ch_free(n->topic);
-+ ch_free(n->oc_group_str);
-+ ch_free(n->str_member);
-+ ch_free(n->dn_group_str);
-+ if (!BER_BVISNULL(&n->ndn_group))
-+ ber_memfree(n->ndn_group.bv_val);
-+ ch_free(n);
-+}
-+
-+static void free_all_notifies(mqtt_t *mqtt)
-+{
-+ mqtt_notify_t *n, *next;
-+
-+ for (n = mqtt->notify_map; n; n = next) {
-+ next = n->next;
-+ free_notify(n);
-+ }
-+ mqtt->notify_map = NULL;
-+}
-+
-+static int mqtt_config_notify(ConfigArgs *c)
-+{
-+ slap_overinst *on = (slap_overinst *)c->bi;
-+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private;
-+ mqtt_notify_t *n, **pprev;
-+ const char *text = NULL;
-+ struct berval bv = BER_BVNULL, ndn = BER_BVNULL;
-+ int rc, i;
-+
-+ switch (c->op) {
-+ case SLAP_CONFIG_EMIT:
-+ for (i = 0, n = mqtt->notify_map; n; n = n->next, i++) {
-+ char *ptr = c->cr_msg, *end = &c->cr_msg[sizeof(c->cr_msg)-1];
-+
-+ ptr += snprintf(ptr, end-ptr, SLAP_X_ORDERED_FMT "%s", i, n->topic);
-+ if (n->dn_group_str)
-+ ptr += snprintf(ptr, end-ptr, " \"%s\"", n->dn_group_str);
-+ if (n->oc_group_str)
-+ ptr += snprintf(ptr, end-ptr, " \"%s\"", n->oc_group_str);
-+ if (n->str_member)
-+ ptr += snprintf(ptr, end-ptr, " \"%s\"", n->str_member);
-+
-+ bv.bv_val = c->cr_msg;
-+ bv.bv_len = ptr - bv.bv_val;
-+ value_add_one(&c->rvalue_vals, &bv);
-+ }
-+ return 0;
-+ case LDAP_MOD_DELETE:
-+ if (c->valx < 0) {
-+ free_all_notifies(mqtt);
-+ } else {
-+ pprev = &mqtt->notify_map;
-+ n = mqtt->notify_map;
-+ for (i = 0; i < c->valx; i++) {
-+ pprev = &n->next;
-+ n = n->next;
-+ }
-+ *pprev = n->next;
-+ free_notify(n);
-+ }
-+ return 0;
-+ }
-+
-+ const char *groupdn = ca_arg(c, 2);
-+ const char *oc_name = ca_arg(c, 3);
-+ const char *ad_name = ca_arg(c, 4);
-+ ObjectClass *oc = NULL;
-+ AttributeDescription *ad = NULL;
-+
-+ if (groupdn) {
-+ oc = oc_find(oc_name ?: SLAPD_GROUP_CLASS);
-+ if (oc == NULL) {
-+ Debug(LDAP_DEBUG_ANY, "mqtt_db_open: unable to find objectClass=\"%s\"\n",
-+ oc_name, 0, 0);
-+ return 1;
-+ }
-+
-+ rc = slap_str2ad(ad_name ?: SLAPD_GROUP_ATTR, &ad, &text);
-+ if (rc != LDAP_SUCCESS) {
-+ Debug(LDAP_DEBUG_ANY, "mqtt_db_config_notify: unable to find attribute=\"%s\": %s (%d)\n",
-+ ad_name, text, rc);
-+ return rc;
-+ }
-+
-+ ber_str2bv(groupdn, 0, 0, &bv);
-+ rc = dnNormalize(0, NULL, NULL, &bv, &ndn, NULL);
-+ if (rc != LDAP_SUCCESS) {
-+ Debug(LDAP_DEBUG_ANY, "mqtt_db_config_notify: DN normalization failed for \"%s\": %d\n",
-+ groupdn, rc, 0);
-+ return rc;
-+ }
-+ }
-+
-+ n = ch_calloc(1, sizeof(*n));
-+ n->topic = ch_strdup(c->argv[1]);
-+ n->dn_group_str = groupdn ? ch_strdup(groupdn) : NULL;
-+ n->oc_group_str = oc_name ? ch_strdup(oc_name) : NULL;
-+ n->str_member = ad_name ? ch_strdup(ad_name) : NULL;
-+ n->ndn_group = ndn;
-+ n->oc_group = oc;
-+ n->ad_member = ad;
-+
-+ for (pprev = &mqtt->notify_map; *pprev; pprev = &(*pprev)->next);
-+ *pprev = n;
-+
-+ return 0;
-+}
-+
-+static void mqtt_send_notify(mqtt_t *mqtt, mqtt_notify_t *n)
-+{
-+ Debug(LDAP_DEBUG_TRACE, "mqtt_send_notify: pub on topic '%s'\n", n->topic, 0, 0);
-+ n->notify_pending = mosquitto_publish(mqtt->mq, NULL, n->topic, 0, NULL, 1, true) == MOSQ_ERR_NO_CONN;
-+}
-+
-+static void mqtt_on_connect(struct mosquitto *mq, void *obj, int rc)
-+{
-+ slap_overinst *on = (slap_overinst *) obj;
-+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private;
-+ mqtt_notify_t *n;
-+
-+ Debug(LDAP_DEBUG_TRACE, "mqtt_on_connect: connected with status %d\n", rc, 0, 0);
-+ if (rc != 0)
-+ return;
-+
-+ for (n = mqtt->notify_map; n; n = n->next)
-+ if (n->notify_pending)
-+ mqtt_send_notify(mqtt, n);
-+}
-+
-+static int mqtt_db_init(BackendDB *be, ConfigReply *cr)
-+{
-+ slap_overinst *on = (slap_overinst *) be->bd_info;
-+
-+ Debug(LDAP_DEBUG_TRACE, "mqtt_db_init: initialize overlay\n", 0, 0, 0);
-+ on->on_bi.bi_private = ch_calloc(1, sizeof(mqtt_t));
-+
-+ return 0;
-+}
-+
-+static int mqtt_db_destroy(BackendDB *be, ConfigReply *cr)
-+{
-+ slap_overinst *on = (slap_overinst *) be->bd_info;
-+ mqtt_t *mqtt = on->on_bi.bi_private;
-+
-+ Debug(LDAP_DEBUG_TRACE, "mqtt_db_destroy: destroy overlay\n", 0, 0, 0);
-+ free_all_notifies(mqtt);
-+ ch_free(mqtt);
-+
-+ return 0;
-+}
-+
-+static int mqtt_db_open(BackendDB *be, ConfigReply *cr)
-+{
-+ slap_overinst *on = (slap_overinst *) be->bd_info;
-+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private;
-+ struct mosquitto *mq;
-+ char id[256];
-+ int n;
-+
-+ n = snprintf(id, sizeof(id), "openldap-mqtt/%d/", getpid());
-+ gethostname(&id[n], sizeof(id) - n);
-+
-+ Debug(LDAP_DEBUG_TRACE, "mqtt_db_open, id='%s'\n", id, 0, 0);
-+ mqtt->mq = mq = mosquitto_new(id, true, on);
-+ if (!mq) return 1;
-+
-+ if (mqtt->username && mqtt->password)
-+ mosquitto_username_pw_set(mq, mqtt->username, mqtt->password);
-+
-+ mosquitto_connect_callback_set(mq, mqtt_on_connect);
-+ mosquitto_connect_async(mq, mqtt->hostname ?: "127.0.0.1", mqtt->port ?: 1883, 60);
-+ mosquitto_loop_start(mq);
-+
-+ return 0;
-+}
-+
-+static int mqtt_db_close(BackendDB *be, ConfigReply *cr)
-+{
-+ slap_overinst *on = (slap_overinst *) be->bd_info;
-+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private;
-+
-+ Debug(LDAP_DEBUG_TRACE, "mqtt_db_close\n", 0, 0, 0);
-+ mosquitto_disconnect(mqtt->mq);
-+ mosquitto_loop_stop(mqtt->mq, false);
-+ mosquitto_destroy(mqtt->mq);
-+
-+ free(mqtt->hostname); mqtt->hostname = NULL;
-+ free(mqtt->username); mqtt->username = NULL;
-+ free(mqtt->password); mqtt->password = NULL;
-+
-+ return 0;
-+}
-+
-+static int mqtt_response(Operation *op, SlapReply *rs)
-+{
-+ slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
-+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private;
-+ Attribute *a;
-+ Modifications *m;
-+ bool change = false;
-+
-+ switch (op->o_tag) {
-+ case LDAP_REQ_ADD:
-+ for (a = op->ora_e->e_attrs; a; a = a->a_next) {
-+ if (a->a_desc == slap_schema.si_ad_userPassword) {
-+ change = true;
-+ break;
-+ }
-+ }
-+ break;
-+ case LDAP_REQ_MODIFY:
-+ for (m = op->orm_modlist; m; m = m->sml_next) {
-+ if (m->sml_desc == slap_schema.si_ad_userPassword) {
-+ change = true;
-+ break;
-+ }
-+ }
-+ break;
-+ case LDAP_REQ_EXTENDED:
-+ if (ber_bvcmp(&slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid) == 0)
-+ change = true;
-+ break;
-+ }
-+
-+ if (change) {
-+ mqtt_notify_t *n;
-+ int r, cache;
-+
-+ for (n = mqtt->notify_map; n; n = n->next) {
-+ if (n->oc_group) {
-+ cache = op->o_do_not_cache;
-+ op->o_do_not_cache = 1;
-+ r = backend_group(op, NULL, &n->ndn_group, &op->o_req_ndn, n->oc_group, n->ad_member);
-+ op->o_do_not_cache = cache;
-+ } else {
-+ r = 0;
-+ }
-+
-+ Debug(LDAP_DEBUG_TRACE, "tested o_req_ndn='%s' in ndn_group='%s' r=%d\n",
-+ op->o_req_ndn.bv_val, n->ndn_group.bv_val, r);
-+
-+ if (r == 0)
-+ mqtt_send_notify(mqtt, n);
-+ }
-+ }
-+
-+ return SLAP_CB_CONTINUE;
-+}
-+
-+static int mqtt_init_overlay()
-+{
-+ static slap_overinst ov;
-+ int rc;
-+
-+ ov.on_bi.bi_type = "mqtt";
-+ ov.on_bi.bi_init = mqtt_init;
-+ ov.on_bi.bi_destroy = mqtt_destroy;
-+ ov.on_bi.bi_db_init = mqtt_db_init;
-+ ov.on_bi.bi_db_destroy = mqtt_db_destroy;
-+ ov.on_bi.bi_db_open = mqtt_db_open;
-+ ov.on_bi.bi_db_close = mqtt_db_close;
-+ ov.on_bi.bi_cf_ocs = mqttocs;
-+ ov.on_response = mqtt_response;
-+
-+ rc = config_register_schema(mqttcfg, mqttocs);
-+ if (rc) return rc;
-+
-+ return overlay_register(&ov);
-+}
-+
-+int init_module(int argc, char *argv[])
-+{
-+ return mqtt_init_overlay();
-+}
-
diff --git a/user/plib/APKBUILD b/user/plib/APKBUILD
index fe02621ac..46a6ce3d6 100644
--- a/user/plib/APKBUILD
+++ b/user/plib/APKBUILD
@@ -14,8 +14,8 @@ subpackages="$pkgname-dev"
source="http://plib.sourceforge.net/dist/plib-$pkgver.tar.gz
fix-openflight.patch
joystick.patch
- plib-1.8.5-CVE-2011-4620.patch
- plib-1.8.5-CVE-2012-4552.patch
+ CVE-2011-4620.patch
+ CVE-2012-4552.patch
shared.patch
"
@@ -49,6 +49,6 @@ package() {
sha512sums="17154cc77243fe576c2bcbcb0285b98aef1a0634658f5473e95fe0ac8fa3ed477dbe5620e44ccf0b7cc616f812af0cd44d6fcbba0c563180d3b61c9d6f158e1d plib-1.8.5.tar.gz
fac9c78a57a0c564c46d586ebf541b45cf7dc838387498f3263bac78f0f78c53c85000667d6dfd349e328b1cd4254ac0d786dd825aefbe957f94e6d3b91ec41b fix-openflight.patch
d9909c81fe2ed696c639623c532cb16a1378b0e2843ccbef00bb16bc6459cc7c708b2b0903dbdc89e6fb05522debd79f0f88b311bf12c3d415e303591033f0a8 joystick.patch
-c046cf65e80629f238aaba724f522c31b434f5c9687ea02b019846ce3469c6b074bd014f81a7a4e6b43db7b084f4dcd9d4c04b557dbc1b8b8ca00f2d782fdf1c plib-1.8.5-CVE-2011-4620.patch
-a09462ecb085703aae7cd3b77954cc800410aa37a9616255cca2f21456e6d5dcf8ead3f684c98236deb1455c6a034dc8ec874bafdbab003f7a63517ea1f8350d plib-1.8.5-CVE-2012-4552.patch
+c046cf65e80629f238aaba724f522c31b434f5c9687ea02b019846ce3469c6b074bd014f81a7a4e6b43db7b084f4dcd9d4c04b557dbc1b8b8ca00f2d782fdf1c CVE-2011-4620.patch
+a09462ecb085703aae7cd3b77954cc800410aa37a9616255cca2f21456e6d5dcf8ead3f684c98236deb1455c6a034dc8ec874bafdbab003f7a63517ea1f8350d CVE-2012-4552.patch
8f4fcbf3a07f64212b3ce891a4629fb45b1c62b251730a9d5f7da6e6fe65c39540f80519e97cf6a45c32f950f25e4d383ba891a6c0a92ae8a37089e51c0c5020 shared.patch"
diff --git a/user/plib/plib-1.8.5-CVE-2011-4620.patch b/user/plib/CVE-2011-4620.patch
index 41fac5fe4..41fac5fe4 100644
--- a/user/plib/plib-1.8.5-CVE-2011-4620.patch
+++ b/user/plib/CVE-2011-4620.patch
diff --git a/user/plib/plib-1.8.5-CVE-2012-4552.patch b/user/plib/CVE-2012-4552.patch
index 78f1b22ae..78f1b22ae 100644
--- a/user/plib/plib-1.8.5-CVE-2012-4552.patch
+++ b/user/plib/CVE-2012-4552.patch
diff --git a/user/py3-jinja2/APKBUILD b/user/py3-jinja2/APKBUILD
index 71a4c2313..457262361 100644
--- a/user/py3-jinja2/APKBUILD
+++ b/user/py3-jinja2/APKBUILD
@@ -4,7 +4,7 @@ pkgname=py3-jinja2
_pkgname=Jinja2
_p="${_pkgname#?}"
_p="${_pkgname%"$_p"}"
-pkgver=2.10
+pkgver=2.10.1
pkgrel=0
pkgdesc="A small but fast and easy to use stand-alone template engine written in pure python."
url="https://pypi.python.org/pypi/Jinja2"
@@ -16,20 +16,20 @@ checkdepends="py3-pytest py3-markupsafe"
source="$pkgname-$pkgver.tar.gz::https://files.pythonhosted.org/packages/source/$_p/$_pkgname/$_pkgname-$pkgver.tar.gz"
builddir="$srcdir/$_pkgname-$pkgver"
+# secfixes: jinja2
+# 2.10.1-r0:
+# - CVE-2019-10906
+
build() {
- cd "$builddir"
python3 setup.py build
}
check() {
- cd "$builddir"
PYTHONPATH="$builddir:$PYTHONPATH" pytest
}
package() {
- cd "$builddir"
python3 setup.py install --prefix=/usr --root="$pkgdir"
-
}
-sha512sums="0ea7371be67ffcf19e46dfd06523a45a0806e678a407d54f5f2f3e573982f0959cf82ec5d07b203670309928a62ef71109701ab16547a9bba2ebcdc178cb67f2 py3-jinja2-2.10.tar.gz"
+sha512sums="a00153a0e07bb7d67f301b4eaf7af657726a1985e9ffc7ae2d76bdbb4c062d672efc8065e398767e1039b18a483a0092e206deac91e4047aad64920b56869623 py3-jinja2-2.10.1.tar.gz"
diff --git a/user/subversion/APKBUILD b/user/subversion/APKBUILD
index 9cb297aa6..f05892f09 100644
--- a/user/subversion/APKBUILD
+++ b/user/subversion/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: A. Wilcox <awilfox@adelielinux.org>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=subversion
-pkgver=1.12.0
-pkgrel=1
+pkgver=1.12.2
+pkgrel=0
pkgdesc="Version control system from 2000"
url="https://subversion.apache.org/"
arch="all"
@@ -18,10 +18,14 @@ makedepends="apr-dev apr-util-dev cyrus-sasl-dev db-dev dbus-dev file-dev
subpackages="$pkgname-dev $pkgname-doc $pkgname-gnome $pkgname-kwallet
$pkgname-pl $pkgname-lang"
source="https://www-eu.apache.org/dist/subversion/subversion-$pkgver.tar.bz2
- apr-1.7.0.patch
python3-bang.patch
"
+# secfixes:
+# 1.12.2-r0:
+# - CVE-2018-11782
+# - CVE-2019-0203
+
build() {
# this is only needed for autogen.sh
_PATH=$PATH
@@ -85,6 +89,5 @@ pl() {
mv "$pkgdir"/usr/lib/*perl* "$subpkgdir"/usr/lib/
}
-sha512sums="87a00b23bdac63124fa00642e2ac7e6f7818b092bc6422cabdeb2ca8fbc8c481fb8c1e4fbd86aac94e8e1fc099fa163aa0609aca23265ceb96ef4ebe78a64c13 subversion-1.12.0.tar.bz2
-71b22f08a972a51347af00f979c4ec540c5795b44f3ced07ab2fcf8b1294b59add945983af4a63815d9f5d3b0ba88c24320cf2ec21189bf48c0ec46c7c0b48cf apr-1.7.0.patch
+sha512sums="b1f859b460afa54598778d8633f648acb4fa46138f7d6f0c1451e3c6a1de71df859233cd9ac7f19f0f20d7237ed3988f0a38da7552ffa58391e19d957bc7c136 subversion-1.12.2.tar.bz2
1b96b791f70c2f6e05da8dbc9d42ccadf4603f25392c6676c4e30ecdb142ce74dd9b8dc27dc68b1cb461f4409d79c4c2aeed1d39a5a442d9349079a819358f5a python3-bang.patch"
diff --git a/user/subversion/apr-1.7.0.patch b/user/subversion/apr-1.7.0.patch
deleted file mode 100644
index a74e5e454..000000000
--- a/user/subversion/apr-1.7.0.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- subversion-1.11.1/build/ac-macros/swig.m4
-+++ subversion-1.11.1/build/ac-macros/swig.m4
-@@ -137,13 +137,13 @@
- AC_CACHE_CHECK([for apr_int64_t Python/C API format string],
- [svn_cv_pycfmt_apr_int64_t], [
- if test "x$svn_cv_pycfmt_apr_int64_t" = "x"; then
-- AC_EGREP_CPP([MaTcHtHiS +\"lld\" +EnDeNd],
-+ AC_EGREP_CPP([MaTcHtHiS +\"ll(\" *\")?d\" +EnDeNd],
- [#include <apr.h>
- MaTcHtHiS APR_INT64_T_FMT EnDeNd],
- [svn_cv_pycfmt_apr_int64_t="L"])
- fi
- if test "x$svn_cv_pycfmt_apr_int64_t" = "x"; then
-- AC_EGREP_CPP([MaTcHtHiS +\"ld\" +EnDeNd],r
-+ AC_EGREP_CPP([MaTcHtHiS +\"l(\" *\")?d\" +EnDeNd],r
- [#include <apr.h>
- MaTcHtHiS APR_INT64_T_FMT EnDeNd],
- [svn_cv_pycfmt_apr_int64_t="l"])
diff --git a/user/taglib/APKBUILD b/user/taglib/APKBUILD
index 60586f78e..0b7731116 100644
--- a/user/taglib/APKBUILD
+++ b/user/taglib/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=taglib
pkgver=1.11.1
-pkgrel=2
+pkgrel=3
pkgdesc="Library for manipulating audio file metadata"
url="https://taglib.org/"
arch="all"
@@ -10,7 +10,14 @@ license="LGPL-2.1-only AND MPL-1.1"
depends=""
makedepends="cmake zlib-dev"
subpackages="$pkgname-dev"
-source="http://taglib.org/releases/taglib-$pkgver.tar.gz"
+source="http://taglib.org/releases/taglib-$pkgver.tar.gz
+ CVE-2017-12678.patch
+ CVE-2018-11439.patch"
+
+# secfixes:
+# 1.11.1-r3:
+# - CVE-2017-12678
+# - CVE-2018-11439
build() {
cd "$builddir"
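Review bot: The rewritten `source=` line still fetches the tarball over plain `http://taglib.org/releases/`, although the package's own `url=` is already `https://taglib.org/`. The pinned `sha512sums` cover integrity at build time, but anyone who later regenerates checksums from a fresh download would hash whatever the unauthenticated fetch returned. If the release directory is served over TLS (not confirmed from this page), I would change it to `source="https://taglib.org/releases/taglib-$pkgver.tar.gz` while this line is being touched anyway.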
@@ -27,4 +34,6 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="7846775c4954ea948fe4383e514ba7c11f55d038ee06b6ea5a0a1c1069044b348026e76b27aa4ba1c71539aa8143e1401fab39184cc6e915ba0ae2c06133cb98 taglib-1.11.1.tar.gz"
+sha512sums="7846775c4954ea948fe4383e514ba7c11f55d038ee06b6ea5a0a1c1069044b348026e76b27aa4ba1c71539aa8143e1401fab39184cc6e915ba0ae2c06133cb98 taglib-1.11.1.tar.gz
+e50810e8d790c490b7d6752c4bf65da812b7534b9920c505d83b8bd0d67fe9991b4db488b6a63e69b206bbcb3cf80754018b17294b5832dd05bfad9a0fbc56c6 CVE-2017-12678.patch
+9a118f9410404996bf3879325f77fcfb638f6cc71b4e258d9786bd741c2c45f26385a6049788ef6ebc56c7c987bd7ef6267a461f4478f5d52d236b035287cdf2 CVE-2018-11439.patch"
diff --git a/user/taglib/CVE-2017-12678.patch b/user/taglib/CVE-2017-12678.patch
new file mode 100644
index 000000000..71081c6d6
--- /dev/null
+++ b/user/taglib/CVE-2017-12678.patch
@@ -0,0 +1,31 @@
+From cb9f07d9dcd791b63e622da43f7b232adaec0a9a Mon Sep 17 00:00:00 2001
+From: "Stephen F. Booth" <me@sbooth.org>
+Date: Sat, 30 Sep 2017 10:15:41 -0500
+Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
+ (#831)
+
+If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
+which causes problems in rebuildAggregateFrames() when it is assumed
+that TDRC is a TextIdentificationFrame
+---
+ taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+index 759a9b7be..9347ab869 100644
+--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
++++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
+ tag->frameList("TDAT").size() == 1)
+ {
+ TextIdentificationFrame *tdrc =
+- static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
++ dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+ UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
+
+- if(tdrc->fieldList().size() == 1 &&
++ if(tdrc &&
++ tdrc->fieldList().size() == 1 &&
+ tdrc->fieldList().front().size() == 4 &&
+ tdat->data().size() >= 5)
+ {
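Review bot: The line right after the fixed cast still takes `tdat` with an unchecked `static_cast<UnknownFrame *>`, and `tdat->data().size()` is then read in the same condition. The description says `createFrame()` can return a frame type other than the expected one for TDRC; whether the same can happen for TDAT is not visible in this hunk, but if it can, this is the same type-confusion pattern. I would mirror the fix with `dynamic_cast<UnknownFrame *>(tag->frameList("TDAT").front())` and add `tdat &&` to the condition. The body of `rebuildAggregateFrames()` starts and ends outside the hunk, so this would need checking against the full function and raising upstream.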
diff --git a/user/taglib/CVE-2018-11439.patch b/user/taglib/CVE-2018-11439.patch
new file mode 100644
index 000000000..20b777e74
--- /dev/null
+++ b/user/taglib/CVE-2018-11439.patch
@@ -0,0 +1,42 @@
+From 2c4ae870ec086f2ddd21a47861a3709c36faac45 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Tue, 9 Oct 2018 18:46:55 -0500
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+ (#869)
+
+CVE-2018-11439 is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d04508a..07ea9dccc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+
+ if(!metadataHeader.startsWith("fLaC")) {
+ // FLAC 1.1.2+
++ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++ if(metadataHeader.size() < 13)
++ return;
++
++ if(metadataHeader[0] != 0x7f)
++ return;
++
+ if(metadataHeader.mid(1, 4) != "FLAC")
+ return;
+
+- if(metadataHeader[5] != 1)
+- return; // not version 1
++ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++ return; // not version 1.0
++
++ if(metadataHeader.mid(9, 4) != "fLaC")
++ return;
+
+ metadataHeader = metadataHeader.mid(13);
+ }
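Review bot: The new version check `if(metadataHeader[5] != 1 && metadataHeader[6] != 0)` does not match its comment `// not version 1.0`. With `&&` it only rejects a header whose major and minor bytes are both wrong, so for example major 2 with minor 0 is accepted, which is looser than the `metadataHeader[5] != 1` test it replaces. If the intent is to accept only 1.0, it should read `if(metadataHeader[5] != 1 || metadataHeader[6] != 0)`; if any 1.x mapping is acceptable, keep the original major-only test and update the comment. The added `size() < 13` guard keeps the indexing in bounds either way, so this is a validation gap rather than a memory-safety one; `scan()` continues outside the hunk.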
diff --git a/user/tcpdump/APKBUILD b/user/tcpdump/APKBUILD
index 7adeefa35..d273d4acc 100644
--- a/user/tcpdump/APKBUILD
+++ b/user/tcpdump/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Dan Theisen <djt@hxx.in>
pkgname=tcpdump
pkgver=4.9.2
-pkgrel=1
+pkgrel=2
pkgdesc="A tool for network monitoring and data acquisition"
url="http://www.tcpdump.org"
arch="all"
@@ -11,12 +11,15 @@ depends=""
makedepends="libpcap-dev openssl-dev perl"
subpackages="$pkgname-doc"
source="http://www.tcpdump.org/release/$pkgname-$pkgver.tar.gz
+ CVE-2017-16808.patch
CVE-2018-19519.patch
"
# secfixes:
# 4.9.2-r1:
# - CVE-2018-19519
+# 4.9.2-r2:
+# - CVE-2017-16808
build () {
cd "$builddir"
@@ -42,4 +45,5 @@ package() {
}
sha512sums="e1bc19a5867d6e3628f3941bdf3ec831bf13784f1233ca1bccc46aac1702f47ee9357d7ff0ca62cddf211b3c8884488c21144cabddd92c861e32398cd8f7c44b tcpdump-4.9.2.tar.gz
+d7f4761bee96ec69cdb93602ea59518f238089967d1ede4e91d139febe0ffe0818d49ad19b96c741a379938c369952405dadd3be2766b6524c43c70066cb4fc4 CVE-2017-16808.patch
eb4232e434064ec59b07840aa394cfcc05c89e817f2d4ebeb4da1dbb1c910fe1805857356d6304ebdb16e32aa6476ce90f164aabc60501b493fd5601b380af7e CVE-2018-19519.patch"
diff --git a/user/tcpdump/CVE-2017-16808.patch b/user/tcpdump/CVE-2017-16808.patch
new file mode 100644
index 000000000..6b41aad8c
--- /dev/null
+++ b/user/tcpdump/CVE-2017-16808.patch
@@ -0,0 +1,26 @@
+From 28f610026d901660dd370862b62ec328727446a2 Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Thu, 31 Aug 2017 21:15:37 +0100
+Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check.
+
+In aoev1_reserve_print() check bounds before trying to print an Ethernet
+address.
+
+This fixes a buffer over-read discovered by Bhargava Shastry,
+SecT/TU Berlin.
+---
+ print-aoe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/print-aoe.c b/print-aoe.c
+index 97e93df2e..2c78a55d3 100644
+--- a/print-aoe.c
++++ b/print-aoe.c
+@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo,
+ goto invalid;
+ /* addresses */
+ for (i = 0; i < nmacs; i++) {
++ ND_TCHECK2(*cp, ETHER_ADDR_LEN);
+ ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)));
+ cp += ETHER_ADDR_LEN;
+ }