author | A. Wilcox <awilcox@wilcox-tech.com> | 2019-08-04 22:53:11 +0000 |
---|---|---|
committer | A. Wilcox <awilcox@wilcox-tech.com> | 2019-08-04 22:53:11 +0000 |
commit | 2d76f59134fc1cbd5ea3704b6d79761ffa50d6a9 (patch) | |
tree | c99a2ff0b1366a5f6bb2d61b13916acb3012cea6 /user | |
parent | 8410df6cbcf43832292026f4487ca2642be5cf15 (diff) | |
parent | 3c0917832c46ca76601c4e2e7388c4570bfbcb86 (diff) | |
Merge branch 'cves' into 'master'
CVE catch up, part one
See merge request adelie/packages!307
Diffstat (limited to 'user')
37 files changed, 897 insertions, 630 deletions
diff --git a/user/catdoc/APKBUILD b/user/catdoc/APKBUILD index 2b6bc7d3d..4296c8167 100644 --- a/user/catdoc/APKBUILD +++ b/user/catdoc/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=catdoc pkgver=0.95 -pkgrel=1 +pkgrel=2 pkgdesc="Read information and data from Microsoft Office documents" url="http://www.wagner.pp.ru/~vitus/software/catdoc/" arch="all" @@ -11,7 +11,12 @@ license="GPL-2.0-only" depends="" makedepends="" subpackages="$pkgname-doc" -source="http://ftp.wagner.pp.ru/pub/catdoc/catdoc-$pkgver.tar.gz" +source="http://ftp.wagner.pp.ru/pub/catdoc/catdoc-$pkgver.tar.gz + CVE-2017-11110.patch" + +# secfixes: +# 0.95-r2: +# - CVE-2017-11110 build() { cd "$builddir" @@ -31,4 +36,5 @@ package() { make -j1 install } -sha512sums="dd6bded4b6b70749c007256b182b063ff266f86d53024d8582001678821e8096c5b980bc8f43015d9c82bbe022d71d4ba5fe68aff31b2ff6db3688595e651b2c catdoc-0.95.tar.gz" +sha512sums="dd6bded4b6b70749c007256b182b063ff266f86d53024d8582001678821e8096c5b980bc8f43015d9c82bbe022d71d4ba5fe68aff31b2ff6db3688595e651b2c catdoc-0.95.tar.gz +15d1da9fe095c6e4a990faa22ee67952d91494057a1fd6334f2eb671898156c95245b54f229549a5662d13dec6ecc4e607583e865fb9775fea8d163755cf04b0 CVE-2017-11110.patch" diff --git a/user/catdoc/CVE-2017-11110.patch b/user/catdoc/CVE-2017-11110.patch new file mode 100644 index 000000000..d36d5d63c --- /dev/null +++ b/user/catdoc/CVE-2017-11110.patch 
@@ -0,0 +1,32 @@ +Description: CVE-2017-11110: Heap buffer overflow in ole_init +Origin: vendor, https://build.opensuse.org/package/view_file/openSUSE:Maintenance:6985/catdoc.openSUSE_Leap_42.2_Update/CVE-2017-11110.patch?rev=d437c3be72c2e5a3516b75f4e9de6b35 +Bug-Debian: https://bugs.debian.org/867717 +Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1047877 +Forwarded: no +Author: Andreas Stieger <astieger@suse.com> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2017-07-20 + +--- a/src/ole.c ++++ b/src/ole.c +@@ -106,6 +106,11 @@ FILE* ole_init(FILE *f, void *buffer, si + return NULL; + } + sectorSize = 1<<getshort(oleBuf,0x1e); ++ /* CVE-2017-11110 */ ++ if (sectorSize < 4) { ++ fprintf(stderr, "sectorSize < 4 not supported\n"); ++ return NULL; ++ } + shortSectorSize=1<<getshort(oleBuf,0x20); + + /* Read BBD into memory */ +@@ -147,7 +152,7 @@ FILE* ole_init(FILE *f, void *buffer, si + } + + fseek(newfile, 512+mblock*sectorSize, SEEK_SET); +- if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, ++ if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, /* >=4 for CVE-2017-11110 */ + 1, sectorSize, newfile) != sectorSize) { + fprintf(stderr, "Error read MSAT!\n"); + ole_finish(); diff --git a/user/gnupg/APKBUILD b/user/gnupg/APKBUILD index 1d6d41f94..e8d3ff2f4 100644 --- a/user/gnupg/APKBUILD +++ b/user/gnupg/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=gnupg -pkgver=2.2.16 +pkgver=2.2.17 pkgrel=0 pkgdesc="GNU Privacy Guard 2 - PGP replacement" url="https://www.gnupg.org/" @@ -18,6 +18,10 @@ source="https://gnupg.org/ftp/gcrypt/$pkgname/$pkgname-$pkgver.tar.bz2 60-scdaemon.rules" install="$pkgname.pre-install $pkgname.pre-upgrade" +# secfixes: +# 2.2.17-r0: +# - CVE-2019-13050 + build() { ./configure \ --build=$CBUILD \ 
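Review bot: The guard added in ole_init only rejects `sectorSize < 4`; the shift count read from the file with `getshort(oleBuf,0x1e)` is still unbounded above, so a count at or beyond the width of the type is undefined behaviour, and a large valid count gives a sector size that the later `fseek`/`fread` arithmetic was not written for. `shortSectorSize` on the next context line is derived the same way and gets no check at all. Bound the exponent before shifting, e.g. `if (getshort(oleBuf,0x1e) < 2 || getshort(oleBuf,0x1e) > MAX_SECTOR_SHIFT) return NULL;`, where MAX_SECTOR_SHIFT is a placeholder for the limit chosen from the OLE format. The declaration of sectorSize and the rest of ole_init lie outside the hunk, so its type is not visible here.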
@@ -46,7 +50,7 @@ package() { install -Dm644 "$srcdir"/60-scdaemon.rules "$pkgdir"/lib/udev/rules.d } -sha512sums="0e0040905cc4d1d9d29e184cfeda520b43990e4ec459212537c0ce6092de987157e05b1d1a3022398d9b3cbaeea0f58a7e686745f96933e5ac26be4229162247 gnupg-2.2.16.tar.bz2 +sha512sums="a3cd094addac62b4b4ec1683005a2bec761ea2aacf6daf904316b1819f4f6a41f256a8d9452cf28cad71b3e68228465baa27ae0eb1fa734fa91542ef0f159c5d gnupg-2.2.17.tar.bz2 c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch b19a44dacf061dd02b439ab8bd820e3c721aab77168f705f5ce65661f26527b03ea88eec16d78486a633c474120589ec8736692ebff57ab9b95f52f57190ba6b fix-i18n.patch 4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules" diff --git a/user/id3lib/APKBUILD b/user/id3lib/APKBUILD index 724429e96..957ed5eb0 100644 --- a/user/id3lib/APKBUILD +++ b/user/id3lib/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=id3lib pkgver=3.8.3 -pkgrel=1 +pkgrel=2 pkgdesc="Library for reading, writing, and manipulating ID3v2 tags" url="http://id3lib.sourceforge.net" arch="all" @@ -15,8 +15,13 @@ source="https://downloads.sourceforge.net/project/id3lib/id3lib/$pkgver/id3lib-$ cstring.patch modern-cpp.patch test-expose-proper-stdlib-symbols.patch + CVE-2007-4460.patch " +# secfixes: +# 3.8.3-r2: +# - CVE-2007-4460 + prepare() { default_prepare update_config_sub 
@@ -49,4 +54,5 @@ package() {
 sha512sums="3787e261f86933c1c2f2bff2c4b349b42f5d8636e489e4f39f9d75e6dfbdc79b87009a0f4ce4b786f2fb3dbc01ca9d56c4112095b46244f897e6c9a28573adaf id3lib-3.8.3.tar.gz
 e379e848788f7fda3a86b02b9865dfe5db69d66ffcfb81184c1cd92f2f1ed7b4d40f13cc77f9de294afc13ae61ab50c3aa13f9a4cc4eb85cb7a727d25268ee6a cstring.patch
 334eed099c93ea279d877437a92f684bfb0df12774fd7fffb628b6e8c4b17b17952d6f7c0bf0dff03a87887f0f1233c70d98b69f23580dcf3bf64c8d4b93fc85 modern-cpp.patch
-cd79daddffbafc11e555f16be827ccedc03e419b7c24ab1da1852af294dc486a0836d612318eb9861691ef8462ca38be41cfa2c12849f022ebb187c6ef95a1b9 test-expose-proper-stdlib-symbols.patch"
+cd79daddffbafc11e555f16be827ccedc03e419b7c24ab1da1852af294dc486a0836d612318eb9861691ef8462ca38be41cfa2c12849f022ebb187c6ef95a1b9 test-expose-proper-stdlib-symbols.patch
+97b1686ca3b7feefe7c2cc5f90a31f42fb55fd7baf45b0abe07c6d879bdf752f21305a6a883241c18e20847c43175c3d2c911dce14aa5f382f46bf44c07759f1 CVE-2007-4460.patch"
diff --git a/user/id3lib/CVE-2007-4460.patch b/user/id3lib/CVE-2007-4460.patch
new file mode 100644
index 000000000..36c84179f
--- /dev/null
+++ b/user/id3lib/CVE-2007-4460.patch
@@ -0,0 +1,54 @@
+This patch fixes an issues where temporary files were created in an insecure
+way.
+
+It was first intruduced in version 3.8.3-7 and fixes
+http://bugs.debian.org/438540
+--- a/src/tag_file.cpp
++++ b/src/tag_file.cpp
+@@ -242,8 +242,8 @@
+ strcpy(sTempFile, filename.c_str());
+ strcat(sTempFile, sTmpSuffix.c_str());
+
+-#if ((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP))
+- // This section is for Windows folk && gcc 3.x folk
++#if !defined(HAVE_MKSTEMP)
++ // This section is for Windows folk
+ fstream tmpOut;
+ createFile(sTempFile, tmpOut);
+
+@@ -257,7 +257,7 @@
+ tmpOut.write((char *)tmpBuffer, nBytes);
+ }
+
+-#else //((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP))
++#else //!defined(HAVE_MKSTEMP)
+
+ // else we gotta make a temp file, copy the tag into it, copy the
+ // rest of the old file after the tag, delete the old file, rename
+@@ -270,7 +270,7 @@
+ //ID3_THROW_DESC(ID3E_NoFile, "couldn't open temp file");
+ }
+
+- ofstream tmpOut(fd);
++ ofstream tmpOut(sTempFile);
+ if (!tmpOut)
+ {
+ tmpOut.close();
+@@ -285,14 +285,14 @@
+ uchar tmpBuffer[BUFSIZ];
+ while (file)
+ {
+- file.read(tmpBuffer, BUFSIZ);
++ file.read((char *)tmpBuffer, BUFSIZ);
+ size_t nBytes = file.gcount();
+- tmpOut.write(tmpBuffer, nBytes);
++ tmpOut.write((char *)tmpBuffer, nBytes);
+ }
+
+ close(fd); //closes the file
+
+-#endif ////((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP))
++#endif ////!defined(HAVE_MKSTEMP)
+
+ tmpOut.close();
+ file.close();
diff --git a/user/libexif/APKBUILD b/user/libexif/APKBUILD
index cfe2dd75f..71c9f7d06 100644
--- a/user/libexif/APKBUILD
+++ b/user/libexif/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer:
 pkgname=libexif
 pkgver=0.6.21
-pkgrel=2
+pkgrel=3
 pkgdesc="Library to parse EXIF metadata"
 url="https://sourceforge.net/projects/libexif"
 arch="all"
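Review bot: The secure temp-file path this patch enables is only compiled when `HAVE_MKSTEMP` is defined; otherwise the build silently keeps the `createFile(sTempFile, tmpOut)` branch, and nothing in the patch or the APKBUILD hunks shows that the macro is set on this toolchain. It is worth checking the generated config.h during the build, or making the fallback fail loudly with `#error "mkstemp() is required"` inside the `#if !defined(HAVE_MKSTEMP)` branch as a packaging-side safeguard. In the `#else` branch, `ofstream tmpOut(sTempFile)` reopens the file by name instead of using `fd`, so the stream is tied to the path rather than to the descriptor that was created; a comment explaining why the descriptor cannot be reused would help the next reader. The call that produces `fd` is outside the hunks, so that it is mkstemp() is inferred from the macro name and the `close(fd)` line.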
@@ -9,16 +9,21 @@ license="LGPL-2.0+" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" depends="" makedepends="" -source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.bz2" +source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.bz2 + CVE-2017-7544.patch + CVE-2018-20030.patch" + +# secfixes: +# 0.6.21-r3: +# - CVE-2017-7544 +# - CVE-2018-20030 prepare() { - cd "$builddir" update_config_sub default_prepare } build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -27,12 +32,13 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } -sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 libexif-0.6.21.tar.bz2" + +sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 libexif-0.6.21.tar.bz2 +d529c6c5bd26dc21c0946702574184e1f61c2bfd4fb95b41e314f486a0dd55571963ff2cad566d2fb0804de3c0799bcd956c15a3dc10a520ce207728edad4e2d CVE-2017-7544.patch +0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc CVE-2018-20030.patch" diff --git a/user/libexif/CVE-2017-7544.patch b/user/libexif/CVE-2017-7544.patch new file mode 100644 index 000000000..534817417 --- /dev/null +++ b/user/libexif/CVE-2017-7544.patch 
@@ -0,0 +1,30 @@
+From c39acd1692023b26290778a02a9232c873f9d71a Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:38:56 +0200
+Subject: [PATCH] On saving makernotes, make sure the makernote container tags
+ has a type with 1 byte components.
+
+Fixes (at least):
+ https://sourceforge.net/p/libexif/bugs/130
+ https://sourceforge.net/p/libexif/bugs/129
+---
+ libexif/exif-data.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 67df4db..91f4c33 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
+ exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ e->components = e->size;
++ if (exif_format_get_size (e->format) != 1) {
++ /* e->format is taken from input code,
++ * but we need to make sure it is a 1 byte
++ * entity due to the multiplication below. */
++ e->format = EXIF_FORMAT_UNDEFINED;
++ }
+ }
+ }
+
diff --git a/user/libexif/CVE-2018-20030.patch b/user/libexif/CVE-2018-20030.patch
new file mode 100644
index 000000000..837d003d7
--- /dev/null
+++ b/user/libexif/CVE-2018-20030.patch
@@ -0,0 +1,115 @@
+Edited slightly to backport to stable
+
+From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: [PATCH] Improve deep recursion detection in
+ exif_data_load_data_content.
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags. This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+---
+ libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++--------
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index e35403d..a6f9c94 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \
+ break; \
+ }
+
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ * work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++ static const double log_1_1 = 0.09531017980432493;
++
++ /* Adding 0.1 protects against the case where n==1 */
++ return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+ *
+ * \param[in,out] data #ExifData
+@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \
+ * \param[in] d pointer to buffer containing raw IFD data
+ * \param[in] ds size of raw data in buffer at \c d
+ * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+ */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ const unsigned char *d,
+- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
++ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+ ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ ExifShort n;
+@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+ return;
+
+- if (recursion_depth > 30) {
++ if (recursion_cost > 170) {
++ /*
++ * recursion_cost is a logarithmic-scale indicator of how expensive this
++ * recursive call might end up being. It is an indicator of the depth of
++ * recursion as well as the potential for worst-case future recursive
++ * calls. Since it's difficult to tell ahead of time how often recursion
++ * will occur, this assumes the worst by assuming every tag could end up
++ * causing recursion.
++ * The value of 170 was chosen to limit typical EXIF structures to a
++ * recursive depth of about 6, but pathological ones (those with very
++ * many tags) to only 2.
++ */ + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", +- "Deep recursion detected!"); ++ "Deep/expensive recursion detected!"); + return; + } + +@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + switch (tag) { + case EXIF_TAG_EXIF_IFD_POINTER: + CHECK_REC (EXIF_IFD_EXIF); +- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_GPS_INFO_IFD_POINTER: + CHECK_REC (EXIF_IFD_GPS); +- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: + CHECK_REC (EXIF_IFD_INTEROPERABILITY); +- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: + thumbnail_offset = o; diff --git a/user/libid3tag/APKBUILD b/user/libid3tag/APKBUILD index df96d8b79..0984fc93f 100644 --- a/user/libid3tag/APKBUILD +++ b/user/libid3tag/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=libid3tag pkgver=0.15.1b -pkgrel=9 +pkgrel=10 pkgdesc="Library for manipulating IDv3 tags in MP3 audio files" url="http://www.underbit.com/products/mad/" arch="all" @@ -11,17 +11,24 @@ depends="" makedepends="zlib-dev" subpackages="$pkgname-dev" source="ftp://ftp.mars.org/pub/mpeg/libid3tag-$pkgver.tar.gz - CVE-2008-2109.patch + CVE-2004-2779.patch + CVE-2017-11550.patch " +# secfixes: +# 0.15.1b-r8: +# - CVE-2008-2109 +# 0.15.1b-r10: +# - CVE-2004-2779 +# - CVE-2017-11550 +# - CVE-2017-11551 + prepare() { - cd "$builddir" update_config_sub default_prepare } build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ 
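Review bot: `level_cost()` has an undocumented precondition: for `n == 0` the expression `log(n + 0.1)` is negative, and converting the negative result of `ceil()` to the `unsigned int` return type is undefined. The three call sites in the last hunk pass the IFD tag count `n` from inside the per-tag `switch`, so `n >= 1` presumably holds there, but the enclosing loop is outside the hunk. I would state this on the helper, e.g. `/* n must be >= 1; log(0.1) is negative and must not reach the unsigned conversion */`. Separately, the header line "Edited slightly to backport to stable" does not say what was edited, and a sentence naming the dropped or adjusted hunks would let a later maintainer compare against the upstream commit.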
@@ -33,12 +40,10 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install mkdir -p "$pkgdir"/usr/lib/pkgconfig cat > "$pkgdir"/usr/lib/pkgconfig/id3tag.pc <<EOF @@ -57,4 +62,5 @@ EOF } sha512sums="ade7ce2a43c3646b4c9fdc642095174b9d4938b078b205cd40906d525acd17e87ad76064054a961f391edcba6495441450af2f68be69f116549ca666b069e6d3 libid3tag-0.15.1b.tar.gz -fc79d44ca9d1435ab5b11d4da6b46d3684827a1384a0156cd88242225f98f3a0668c0d6e6a88159f0c4985fcbdc636777c2f100d7f371eef258a6050d6fde567 CVE-2008-2109.patch" +4c27e104d45ae34affc1bef8ec613e65c7e4791185d2ef1cb27974ec7025c06c35d30d6278ce7e3107dff959bd55a708246c3c1a9d5ad7b093424cfb93b79f63 CVE-2004-2779.patch +6627d6e73958309b199a02cd6fa1008a81554151238d8a099dc27e535b8d14f7a9c1ba19894fdf2c927e59c0ca855d50b2f1289f116b45bc41e02d31659d1535 CVE-2017-11550.patch" diff --git a/user/libid3tag/CVE-2004-2779.patch b/user/libid3tag/CVE-2004-2779.patch new file mode 100644 index 000000000..b7e1e2280 --- /dev/null +++ b/user/libid3tag/CVE-2004-2779.patch 
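Review bot: Dropping `CVE-2008-2109.patch` from `source` removes the `**ptr != '\0'` loop guard in field.c, while the secfixes block keeps listing CVE-2008-2109 as fixed since 0.15.1b-r8. The replacement CVE-2004-2779.patch states that it also fixes that CVE, but it only changes utf16.c, so it appears to cover the odd-length UTF-16 case and not other encodings that reach the same loop; that should be confirmed before the old guard goes away. The two patches touch different files, so keeping ` CVE-2008-2109.patch` in `source` (with its sha512sums line) alongside the new ones is the conservative option. If the removal is intended, a comment next to the secfixes entry such as `# CVE-2008-2109 now covered by CVE-2004-2779.patch` would record why.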
@@ -0,0 +1,32 @@
+Lifted from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/10_utf16.dpatch/
+
+Also fixes:
+
+CVE-2008-2109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480187#12
+CVE-2017-11551 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333#10
+
+Handle bogus UTF16 sequences that have a length that is not
+an even number of 8 bit characters.
+
+--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100
++++ libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100
+@@ -282,5 +282,18 @@
+
+ free(utf16);
+
++ if (end == *ptr && length % 2 != 0)
++ {
++ /* We were called with a bogus length. It should always
++ * be an even number. We can deal with this in a few ways:
++ * - Always give an error.
++ * - Try and parse as much as we can and
++ * - return an error if we're called again when we
++ * already tried to parse everything we can.
++ * - tell that we parsed it, which is what we do here.
++ */
++ (*ptr)++;
++ }
++
+ return ucs4;
+ }
diff --git a/user/libid3tag/CVE-2008-2109.patch b/user/libid3tag/CVE-2008-2109.patch
deleted file mode 100644
index 6226d14af..000000000
--- a/user/libid3tag/CVE-2008-2109.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/field.c.orig 2008-05-05 09:49:15.000000000 -0400
-+++ b/field.c 2008-05-05 09:49:25.000000000 -0400
-@@ -291,7 +291,7 @@
-
- end = *ptr + length;
-
-- while (end - *ptr > 0) {
-+ while (end - *ptr > 0 && **ptr != '\0') {
- ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
- if (ucs4 == 0)
- goto fail;
diff --git a/user/libid3tag/CVE-2017-11550.patch b/user/libid3tag/CVE-2017-11550.patch
new file mode 100644
index 000000000..abf6cbd43
--- /dev/null
+++ b/user/libid3tag/CVE-2017-11550.patch
@@ -0,0 +1,33 @@ +Lifted from Debian: +https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/ + +In case of an unknown/invalid encoding, id3_parse_string() will +return NULL, but the return value wasn't checked resulting +in segfault in id3_ucs4_length(). This is the only place +the return value wasn't checked. + +--- libid3tag-0.15.1b/compat.gperf 2004-01-23 09:41:32.000000000 +0000 ++++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000 +@@ -236,6 +236,10 @@ + + encoding = id3_parse_uint(&data, 1); + string = id3_parse_string(&data, end - data, encoding, 0); ++ if (!string) ++ { ++ continue; ++ } + + if (id3_ucs4_length(string) < 4) { + free(string); +--- libid3tag-0.15.1b/parse.c 2004-01-23 09:41:32.000000000 +0000 ++++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000 +@@ -165,6 +165,9 @@ + case ID3_FIELD_TEXTENCODING_UTF_8: + ucs4 = id3_utf8_deserialize(ptr, length); + break; ++ default: ++ /* FIXME: Unknown encoding! Print warning? */ ++ return NULL; + } + + if (ucs4 && !full) { diff --git a/user/libtasn1/APKBUILD b/user/libtasn1/APKBUILD index faf3a82b2..f3fcce75d 100644 --- a/user/libtasn1/APKBUILD +++ b/user/libtasn1/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libtasn1 -pkgver=4.13 +pkgver=4.14 pkgrel=0 pkgdesc="Highly portable ASN.1 library" url="https://www.gnu.org/software/libtasn1/" @@ -13,10 +13,12 @@ source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz " # secfixes: +# 4.14-r0: +# - CVE-2018-1000654 # 4.13-r0: -# - CVE-2018-6003 +# - CVE-2018-6003 # 4.12-r1: -# - CVE-2017-10790 +# - CVE-2017-10790 build() { cd "$builddir" 
@@ -47,4 +49,4 @@ tools() { mv -i "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="bf5b60a296795e0a8a4a658c0106492393aa7ce698e785256b3427c17215c2a5b6178a61a2043c93ea4334f754eabece20221ac8fef0fd5644086a3891d98a9f libtasn1-4.13.tar.gz" +sha512sums="efdcf3729e9e057cafbfdc9929f08531de03cf3b64e7db62cb53c26bf34c8db4d73786fd853620ab1a10dbafe55e119ad17bfeb40e191071945c7b4db9c9e223 libtasn1-4.14.tar.gz" diff --git a/user/libvncserver/APKBUILD b/user/libvncserver/APKBUILD index 0801da573..764fec75a 100644 --- a/user/libvncserver/APKBUILD +++ b/user/libvncserver/APKBUILD @@ -14,13 +14,16 @@ depends_dev="libgcrypt-dev libjpeg-turbo-dev gnutls-dev libpng-dev libxi-dev libxinerama-dev libxrandr-dev libxtst-dev" makedepends="$depends_dev autoconf automake libtool" subpackages="$pkgname-dev" -source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz" +source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz + CVE-2018-15127.patch" builddir="$srcdir"/libvncserver-LibVNCServer-$pkgver # secfixes: # 0.9.11-r0: # - CVE-2016-9941 # - CVE-2016-9942 +# 0.9.12-r0: +# - CVE-2018-15127 build() { if [ "$CBUILD" != "$CHOST" ]; then @@ -45,4 +48,5 @@ package() { make install DESTDIR="$pkgdir" } -sha512sums="60ff1cc93a937d6f8f97449bc58b763095846207112f7b1b3c43eb2d74448b595d6da949903a764bd484ee54e38ff6277e882adbe965dd6d26ba15ef6ff6fcb8 LibVNCServer-0.9.12.tar.gz" +sha512sums="60ff1cc93a937d6f8f97449bc58b763095846207112f7b1b3c43eb2d74448b595d6da949903a764bd484ee54e38ff6277e882adbe965dd6d26ba15ef6ff6fcb8 LibVNCServer-0.9.12.tar.gz +8b5b6742e6c3a181c60652484b15ec42cc0a3acc1e82cef38e82b61f43f1de456d09731976f4e5dfab44abf3e551e22aaf4300cb8418cd8e136d705fcb2a7dbe CVE-2018-15127.patch" diff --git a/user/libvncserver/CVE-2018-15127.patch b/user/libvncserver/CVE-2018-15127.patch new file mode 100644 index 000000000..146243670 --- /dev/null +++ b/user/libvncserver/CVE-2018-15127.patch 
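Review bot: The libvncserver section adds `CVE-2018-15127.patch` to `source` and records the fix under `# 0.9.12-r0:`, but no hunk touches `pkgrel`, unlike the other packages patched in this merge. If 0.9.12-r0 was already built or published, the patched build keeps the same version-release, so installed systems are not offered an upgrade and the secfixes entry marks the unpatched binaries as fixed. Bump `pkgrel` and key the entry on the new release, e.g. `# 0.9.12-r1:`. The `pkgrel` line sits above the first hunk, so its current value is not visible here.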
@@ -0,0 +1,44 @@
+From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 7 Jan 2019 10:40:01 +0100
+Subject: [PATCH] Limit lenght to INT_MAX bytes in
+ rfbProcessFileTransferReadBuffer()
+
+This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
+out-of-bound write access in rfbProcessFileTransferReadBuffer() when
+reading a transfered file content in a server. The former fix did not
+work on platforms with a 32-bit int type (expected by rfbReadExact()).
+
+CVE-2018-15127
+<https://github.com/LibVNC/libvncserver/issues/243>
+<https://github.com/LibVNC/libvncserver/issues/273>
+---
+ libvncserver/rfbserver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 7af84906..f2edbeea 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -88,6 +88,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* INT_MAX */
++#include <limits.h>
+
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+ will safely be allocated since this check will never trigger and malloc() can digest length+1
+ without problems as length is a uint32_t.
++ We also later pass length to rfbReadExact() that expects a signed int type and
++ that might wrap on platforms with a 32-bit int type if length is bigger
++ than 0X7FFFFFFF.
+ */
+- if(length == SIZE_MAX) {
++ if(length == SIZE_MAX || length > INT_MAX) {
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+ rfbCloseClient(cl);
+ return NULL;
diff --git a/user/ntfs-3g/APKBUILD b/user/ntfs-3g/APKBUILD
index d403c4f42..aaa5be24b 100644
--- a/user/ntfs-3g/APKBUILD
+++ b/user/ntfs-3g/APKBUILD @@ -5,7 +5,7 @@ pkgname=ntfs-3g _pkgname=ntfs-3g_ntfsprogs pkgver=2017.3.23 -pkgrel=1 +pkgrel=2 pkgdesc="Stable, full-featured, read-write NTFS" url="https://www.tuxera.com/community/open-source-ntfs-3g/" arch="all" @@ -13,9 +13,14 @@ options="!check" # No test suite. license="LGPL-2.1-only AND BSD-2-Clause AND GPL-2.0+ AND GPL-3.0+" makedepends="attr-dev util-linux-dev linux-headers fuse-dev" subpackages="$pkgname-doc $pkgname-dev $pkgname-libs" -source="https://tuxera.com/opensource/$_pkgname-$pkgver.tgz" +source="https://tuxera.com/opensource/$_pkgname-$pkgver.tgz + CVE-2019-9755.patch" builddir="$srcdir/$_pkgname-$pkgver" +# secfixes: +# 2017.3.23-r2: +# - CVE-2019-9755 + build() { cd "$builddir" ./configure \ @@ -37,4 +42,5 @@ package() { ln -s /bin/ntfs-3g "$pkgdir"/sbin/mount.ntfs } -sha512sums="3a607f0d7be35204c992d8931de0404fbc52032c13b4240d2c5e6f285c318a28eb2a385d7cf5ac4cd445876aee5baa5753bb636ada0d870d84a9d3fdbce794ef ntfs-3g_ntfsprogs-2017.3.23.tgz" +sha512sums="3a607f0d7be35204c992d8931de0404fbc52032c13b4240d2c5e6f285c318a28eb2a385d7cf5ac4cd445876aee5baa5753bb636ada0d870d84a9d3fdbce794ef ntfs-3g_ntfsprogs-2017.3.23.tgz +c79ae27e3c9490f0f893a16f27bb19c2cef2fe7b098aabca392163f4105b7ee9797b648d1013ce4c096adf639f6da2b8c43829cfabcc6ac3208c07454a6c0c5c CVE-2019-9755.patch" diff --git a/user/ntfs-3g/CVE-2019-9755.patch b/user/ntfs-3g/CVE-2019-9755.patch new file mode 100644 index 000000000..d1a95541f --- /dev/null +++ b/user/ntfs-3g/CVE-2019-9755.patch 
@@ -0,0 +1,63 @@ +From 85c1634a26faa572d3c558d4cf8aaaca5202d4e9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jean-pierre.andre@wanadoo.fr> +Date: Wed, 19 Dec 2018 15:57:50 +0100 +Subject: [PATCH] Fixed reporting an error when failed to build the mountpoint + +The size check was inefficient because getcwd() uses an unsigned int +argument. +--- + src/lowntfs-3g.c | 6 +++++- + src/ntfs-3g.c | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/lowntfs-3g.c b/src/lowntfs-3g.c +index 993867fa..0660439b 100644 +--- a/src/lowntfs-3g.c ++++ b/src/lowntfs-3g.c +@@ -4411,7 +4411,8 @@ int main(int argc, char *argv[]) + else { + ctx->abs_mnt_point = (char*)ntfs_malloc(PATH_MAX); + if (ctx->abs_mnt_point) { +- if (getcwd(ctx->abs_mnt_point, ++ if ((strlen(opts.mnt_point) < PATH_MAX) ++ && getcwd(ctx->abs_mnt_point, + PATH_MAX - strlen(opts.mnt_point) - 1)) { + strcat(ctx->abs_mnt_point, "/"); + strcat(ctx->abs_mnt_point, opts.mnt_point); +@@ -4419,6 +4420,9 @@ int main(int argc, char *argv[]) + /* Solaris also wants the absolute mount point */ + opts.mnt_point = ctx->abs_mnt_point; + #endif /* defined(__sun) && defined (__SVR4) */ ++ } else { ++ free(ctx->abs_mnt_point); ++ ctx->abs_mnt_point = (char*)NULL; + } + } + } +diff --git a/src/ntfs-3g.c b/src/ntfs-3g.c +index 6ce89fef..4e0912ae 100644 +--- a/src/ntfs-3g.c ++++ b/src/ntfs-3g.c +@@ -4148,7 +4148,8 @@ int main(int argc, char *argv[]) + else { + ctx->abs_mnt_point = (char*)ntfs_malloc(PATH_MAX); + if (ctx->abs_mnt_point) { +- if (getcwd(ctx->abs_mnt_point, ++ if ((strlen(opts.mnt_point) < PATH_MAX) ++ && getcwd(ctx->abs_mnt_point, + PATH_MAX - strlen(opts.mnt_point) - 1)) { + strcat(ctx->abs_mnt_point, "/"); + strcat(ctx->abs_mnt_point, opts.mnt_point); +@@ -4156,6 +4157,9 @@ int main(int argc, char *argv[]) + /* Solaris also wants the absolute mount point */ + opts.mnt_point = ctx->abs_mnt_point; + #endif /* defined(__sun) && defined (__SVR4) */ ++ } else { ++ 
free(ctx->abs_mnt_point); ++ ctx->abs_mnt_point = (char*)NULL; + } + } + } +-- +2.22.0 + diff --git a/user/oniguruma/APKBUILD b/user/oniguruma/APKBUILD index 7df3e3af5..b62084508 100644 --- a/user/oniguruma/APKBUILD +++ b/user/oniguruma/APKBUILD @@ -3,15 +3,22 @@ # Maintainer: Samuel Holland <samuel@sholland.org> pkgname=oniguruma pkgver=6.9.2 -pkgrel=0 +pkgrel=1 pkgdesc="A regular expression library" url="https://github.com/kkos/oniguruma" arch="all" license="BSD-2-Clause" subpackages="$pkgname-dev" -source="https://github.com/kkos/$pkgname/releases/download/v$pkgver/onig-$pkgver.tar.gz" +source="https://github.com/kkos/$pkgname/releases/download/v$pkgver/onig-$pkgver.tar.gz + CVE-2019-13224.patch + CVE-2019-13225.patch" builddir="$srcdir/onig-$pkgver" +# secfixes: +# 6.9.2-r1: +# - CVE-2019-13224 +# - CVE-2019-13225 + build() { ./configure \ --build=$CBUILD \ @@ -32,4 +39,6 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="c10134e42a3c0b0eeae2027ffb7a3e1bcc9228dee286f6b6e997f8a73d717217fa74de0e19c40975d2e78044c8c4f029eb622f90c8eb4fdc4667eb4804e97001 onig-6.9.2.tar.gz" +sha512sums="c10134e42a3c0b0eeae2027ffb7a3e1bcc9228dee286f6b6e997f8a73d717217fa74de0e19c40975d2e78044c8c4f029eb622f90c8eb4fdc4667eb4804e97001 onig-6.9.2.tar.gz +7f1b42e1ceb6e9addf87bbd456848afd9db3b721352157e3a7362354c3a4cabd58fac202d199d9f9c2f08f0c5c98e3de8583367e7716028278dae96c3d6bb43a CVE-2019-13224.patch +4c1df67369055f945c49d579c3f2ae5ffc41bb1c8a2510555908f07691c669b290accd9152f017e02a2a21f8a365c9ffd8fab42a3d11409150551f0c0c919dc7 CVE-2019-13225.patch" diff --git a/user/oniguruma/CVE-2019-13224.patch b/user/oniguruma/CVE-2019-13224.patch new file mode 100644 index 000000000..22bc6bd2f --- /dev/null +++ b/user/oniguruma/CVE-2019-13224.patch 
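Review bot: The `else` branch added in main() frees `ctx->abs_mnt_point` and sets it to NULL without logging anything, although the patch subject describes the change as fixing error reporting; whether main() reports the failure further down is outside the hunk. As written, an over-long `opts.mnt_point` or a failed getcwd() leaves `abs_mnt_point` NULL with no message, so every later reader of that field has to tolerate NULL. I would log in that branch, e.g. `ntfs_log_error("Cannot build the absolute mount point\n");`, and add a comment that the two `strcat()` calls are safe only because of the `PATH_MAX - strlen(opts.mnt_point) - 1` size passed to getcwd(). The same applies to both copies of the hunk, in src/lowntfs-3g.c and src/ntfs-3g.c.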
@@ -0,0 +1,41 @@
+From 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 17:25:26 +0900
+Subject: [PATCH] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+---
+ src/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/regext.c b/src/regext.c
+index fa4b360..965c793 100644
+--- a/src/regext.c
++++ b/src/regext.c
+@@ -29,6 +29,7 @@
+
+ #include "regint.h"
+
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+
+ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+ if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+
+ if (ci->pattern_enc != ci->target_enc) {
+- r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+- &cpat, &cpat_end);
+- if (r != 0) return r;
++ return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
+ else {
+ cpat = (UChar* )pattern;
diff --git a/user/oniguruma/CVE-2019-13224.patch b/user/oniguruma/CVE-2019-13224.patch
new file mode 100644
index 000000000..22bc6bd2f
--- /dev/null
+++ b/user/oniguruma/CVE-2019-13225.patch
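Review bot: The bare `#if 0` / `#endif` pair around conv_ext0be32() through conv_encoding() leaves a block of dead code with no explanation in the source; a comment on the guard, e.g. `#if 0 /* conversion path disabled for CVE-2019-13224 */`, would stop someone re-enabling it later. The last hunk also changes behaviour for callers: `onig_new_deluxe()` now returns `ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION` whenever `ci->pattern_enc != ci->target_enc`, so any dependent package that passes differing encodings will start to fail at pattern compile time. That seems the intended trade-off, but it is worth checking the reverse dependencies when this lands. The body of onig_new_deluxe() continues past the hunk.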
@@ -0,0 +1,69 @@ +From c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c Mon Sep 17 00:00:00 2001 +From: "K.Kosako" <kosako@sofnec.co.jp> +Date: Thu, 27 Jun 2019 14:11:55 +0900 +Subject: [PATCH] Fix CVE-2019-13225: problem in converting if-then-else + pattern to bytecode. + +--- + src/regcomp.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/src/regcomp.c b/src/regcomp.c +index c2c04a4..ff3431f 100644 +--- a/src/regcomp.c ++++ b/src/regcomp.c +@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg) + len += tlen; + } + ++ len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END; ++ + if (IS_NOT_NULL(Else)) { +- len += SIZE_OP_JUMP; + tlen = compile_length_tree(Else, reg); + if (tlen < 0) return tlen; + len += tlen; +@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + + case BAG_IF_ELSE: + { +- int cond_len, then_len, jump_len; ++ int cond_len, then_len, else_len, jump_len; + Node* cond = NODE_BAG_BODY(node); + Node* Then = node->te.Then; + Node* Else = node->te.Else; +@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + else + then_len = 0; + +- jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END; +- if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP; ++ jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP; + + r = add_op(reg, OP_PUSH); + if (r != 0) return r; +@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env) + } + + if (IS_NOT_NULL(Else)) { +- int else_len = compile_length_tree(Else, reg); +- r = add_op(reg, OP_JUMP); +- if (r != 0) return r; +- COP(reg)->jump.addr = else_len + SIZE_INC_OP; ++ else_len = compile_length_tree(Else, reg); ++ if (else_len < 0) return else_len; ++ } ++ else ++ else_len = 0; + ++ r = add_op(reg, OP_JUMP); ++ if (r != 0) return r; ++ COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP; ++ ++ r = add_op(reg, OP_ATOMIC_END); ++ if (r != 0) return r; ++ ++ if 
(IS_NOT_NULL(Else)) { + r = compile_tree(Else, reg, env); + } + } diff --git a/user/openjpeg/APKBUILD b/user/openjpeg/APKBUILD index c549987d8..e454afa61 100644 --- a/user/openjpeg/APKBUILD +++ b/user/openjpeg/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=openjpeg pkgver=2.3.1 -pkgrel=1 +pkgrel=2 pkgdesc="Open-source implementation of JPEG 2000 image codec" url="http://www.openjpeg.org/" arch="all" @@ -11,7 +11,8 @@ license="BSD-2-Clause-NetBSD" depends_dev="$pkgname-tools" makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake" subpackages="$pkgname-dev $pkgname-tools" -source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz" +source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz + CVE-2019-12973.patch" build() { cmake . \ @@ -23,6 +24,8 @@ build() { } # secfixes: +# 2.3.1-r2: +# - CVE-2019-12973 # 2.3.0-r0: # - CVE-2017-14039 # 2.2.0-r2: @@ -47,4 +50,5 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03 openjpeg-2.3.1.tar.gz" +sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03 openjpeg-2.3.1.tar.gz +472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch" diff --git a/user/openjpeg/CVE-2019-12973.patch b/user/openjpeg/CVE-2019-12973.patch new file mode 100644 index 000000000..0d330ae6d --- /dev/null +++ b/user/openjpeg/CVE-2019-12973.patch 
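Review bot: The offsets in the BAG_IF_ELSE case of `compile_bag_node()` (`jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP` and `jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP`) have to stay consistent with the `len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;` line added to `compile_length_bag_node()`, and nothing in either hunk says so. Since the fix changes exactly these lengths, a short comment at both sites naming the other function would help the next edit keep them aligned, for example `/* JUMP and ATOMIC_END are emitted even without Else; keep in sync with compile_length_bag_node() */`. Both functions start and end outside the hunks, so the full emitted sequence cannot be confirmed from this page.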
@@ -0,0 +1,152 @@ +From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001 +From: Young Xiao <YangX92@hotmail.com> +Date: Sat, 16 Mar 2019 19:57:27 +0800 +Subject: [PATCH 1/2] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +See commit 8ee335227bbc for details. + +Signed-off-by: Young Xiao <YangX92@hotmail.com> +--- + src/bin/jp2/convertbmp.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 0af52f816..ec34f535b 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + } else { /* absolute mode */ + c = getc(IN); +@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + c1 = (OPJ_UINT8)getc(IN); + } + *pix = (OPJ_UINT8)((j & 1) ? 
(c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ + getc(IN); +@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } + } + } /* while(y < height) */ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } + return OPJ_TRUE; + } + + +From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001 +From: Young Xiao <YangX92@hotmail.com> +Date: Sat, 16 Mar 2019 20:09:59 +0800 +Subject: [PATCH 2/2] bmp_read_rle4_data(): avoid potential infinite loop + +--- + src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index ec34f535b..2fc4e9bc4 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + while (y < height) { + int c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c) { /* encoded mode */ +- int j; +- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN); ++ int j, c1_int; ++ OPJ_UINT8 c1; ++ ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { +@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } else { /* absolute mode */ + c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c == 0x00) { /* EOL */ +@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + break; + } else if (c == 0x02) { /* MOVE by dxdy */ + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + x += (OPJ_UINT32)c; + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + y += (OPJ_UINT32)c; + pix = pData + y * stride + x; + 
} else { /* 03 .. 255 : absolute mode */ +@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + if ((j & 1) == 0) { +- c1 = (OPJ_UINT8)getc(IN); ++ int c1_int; ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ +- getc(IN); ++ c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + } + } + } diff --git a/user/openldap/APKBUILD b/user/openldap/APKBUILD index 22d31dac7..3f84e64c7 100644 --- a/user/openldap/APKBUILD +++ b/user/openldap/APKBUILD @@ -2,15 +2,18 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # # secfixes: +# 2.4.48-r0: +# - CVE-2019-13057 +# - CVE-2019-13565 # 2.4.46: -# - CVE-2017-14159 -# - CVE-2017-17740 +# - CVE-2017-14159 +# - CVE-2017-17740 # 2.4.44-r5: -# - CVE-2017-9287 +# - CVE-2017-9287 # pkgname=openldap -pkgver=2.4.47 -pkgrel=1 +pkgver=2.4.48 +pkgrel=0 pkgdesc="LDAP Server" url="http://www.openldap.org/" arch="all" 
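Review bot: The size check added at the end of `bmp_read_rle4_data()`, `if (written != width * height)`, multiplies two `OPJ_UINT32` values that come from the BMP header, so the product can wrap for the oversized dimensions the commit message is concerned about, and the comparison is then made against the wrapped value. Doing the comparison in a wider type, e.g. `if ((OPJ_UINT64)written != (OPJ_UINT64)width * height)`, avoids that; `beyond = pData + stride * height` in the context lines has the same shape, though whether the caller has already bounded the dimensions is not visible here. The message printed on this path begins with "warning" while the function returns `OPJ_FALSE`, so "error" would describe the outcome better. The function begins before the hunks shown.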
@@ -202,7 +205,7 @@ _submv() { done } -sha512sums="d424079e34207e3d24383a2bea70a07ded40714982a6767174d2b2cb208cd94feab5ef12157accae915b8e404e5773a7547aaef65f06b44dc3cc09c6a64d5a11 openldap-2.4.47.tgz +sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be799d8778fac2d4fa9f382731eb4ca48c6b85630cb58a3b8249843561ae8feb openldap-2.4.48.tgz 5d34d49eabe7cb66cf8284cc3bd9730fa23df4932df68549e242d250ee50d40c434ae074ebc720d5fbcd9d16587c9333c5598d30a5f1177caa61461ab7771f38 openldap-2.4-ppolicy.patch 44d97efb25d4f39ab10cd5571db43f3bfa7c617a5bb087085ae16c0298aca899b55c8742a502121ba743a73e6d77cd2056bc96cee63d6d0862dabc8fb5574357 openldap-2.4.11-libldap_r.patch 8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch diff --git a/user/openldap/CVE-2017-9287.patch b/user/openldap/CVE-2017-9287.patch deleted file mode 100644 index 1599c1331..000000000 --- a/user/openldap/CVE-2017-9287.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001 -From: Ryan Tandy <ryan@nardis.ca> -Date: Wed, 17 May 2017 20:07:39 -0700 -Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0 - -Fixes a double free when a search includes the Paged Results control -with a page size of 0 and the search base matches the filter. ---- - servers/slapd/back-mdb/search.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c -index 301d1a4..43442aa 100644 ---- a/servers/slapd/back-mdb/search.c -+++ b/servers/slapd/back-mdb/search.c -@@ -1066,7 +1066,8 @@ notfound: - /* check size limit */ - if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) { - if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) { -- mdb_entry_return( op, e ); -+ if (e != base) -+ mdb_entry_return( op, e ); - e = NULL; - send_paged_response( op, rs, &lastid, tentries ); - goto done; --- -1.7.10.4 - diff --git a/user/openldap/libressl.patch b/user/openldap/libressl.patch deleted file mode 100644 index ac0106418..000000000 --- a/user/openldap/libressl.patch +++ /dev/null 
@@ -1,65 +0,0 @@ ---- a/libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC -+++ b/libraries/libldap/tls_o.c -@@ -47,7 +47,7 @@ - #include <ssl.h> - #endif - --#if OPENSSL_VERSION_NUMBER >= 0x10100000 -+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) - #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x) - #endif - -@@ -157,7 +157,7 @@ tlso_init( void ) - (void) tlso_seed_PRNG( lo->ldo_tls_randfile ); - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10100000 -+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) - SSL_load_error_strings(); - SSL_library_init(); - OpenSSL_add_all_digests(); -@@ -205,7 +205,7 @@ static void - tlso_ctx_ref( tls_ctx *ctx ) - { - tlso_ctx *c = (tlso_ctx *)ctx; --#if OPENSSL_VERSION_NUMBER < 0x10100000 -+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) - #define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX ) - #endif - SSL_CTX_up_ref( c ); -@@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval * - if (!x) return LDAP_INVALID_CREDENTIALS; - - xn = X509_get_subject_name(x); --#if OPENSSL_VERSION_NUMBER < 0x10100000 -+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) - der_dn->bv_len = i2d_X509_NAME( xn, NULL ); - der_dn->bv_val = xn->bytes->data; - #else -@@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval - return LDAP_INVALID_CREDENTIALS; - - xn = X509_get_subject_name(x); --#if OPENSSL_VERSION_NUMBER < 0x10100000 -+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) - der_dn->bv_len = i2d_X509_NAME( xn, NULL ); - der_dn->bv_val = xn->bytes->data; - #else -@@ -721,7 +721,7 @@ struct tls_data { - Sockbuf_IO_Desc *sbiod; - }; - --#if OPENSSL_VERSION_NUMBER < 0x10100000 -+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) - #define BIO_set_init(b, x) b->init = x - #define BIO_set_data(b, x) b->ptr = x - #define 
BIO_clear_flags(b, x) b->flags &= ~(x) -@@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str ) - return tlso_bio_write( b, str, strlen( str ) ); - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000 -+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) - struct bio_method_st { - int type; - const char *name; diff --git a/user/openldap/openldap-mqtt-overlay.patch b/user/openldap/openldap-mqtt-overlay.patch deleted file mode 100644 index 795480f1e..000000000 --- a/user/openldap/openldap-mqtt-overlay.patch +++ /dev/null 
@@ -1,447 +0,0 @@ -diff --git a/contrib/slapd-modules/mqtt/Makefile b/contrib/slapd-modules/mqtt/Makefile -new file mode 100644 -index 0000000..2cb4db7 ---- /dev/null -+++ b/contrib/slapd-modules/mqtt/Makefile -@@ -0,0 +1,45 @@ -+# $OpenLDAP$ -+ -+LDAP_SRC = ../../.. -+LDAP_BUILD = ../../.. -+LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd -+LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ -+ $(LDAP_BUILD)/libraries/liblber/liblber.la -+ -+LIBTOOL = $(LDAP_BUILD)/libtool -+CC = gcc -+OPT = -g -O2 -Wall -+DEFS = -+INCS = $(LDAP_INC) -+LIBS = $(LDAP_LIB) -lmosquitto -+ -+PROGRAMS = mqtt.la -+LTVER = 0:0:0 -+ -+prefix=/usr/local -+exec_prefix=$(prefix) -+ldap_subdir=/openldap -+ -+libdir=$(exec_prefix)/lib -+libexecdir=$(exec_prefix)/libexec -+moduledir = $(libdir)$(ldap_subdir) -+ -+.SUFFIXES: .c .o .lo -+ -+.c.lo: -+ $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< -+ -+all: $(PROGRAMS) -+ -+mqtt.la: mqtt.lo -+ $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ -+ -rpath $(moduledir) -module -o $@ $? $(LIBS) -+ -+clean: -+ rm -rf *.o *.lo *.la .libs -+ -+install: $(PROGRAMS) -+ mkdir -p $(DESTDIR)$(moduledir) -+ for p in $(PROGRAMS) ; do \ -+ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ -+ done -diff --git a/contrib/slapd-modules/mqtt/mqtt.c b/contrib/slapd-modules/mqtt/mqtt.c -new file mode 100644 -index 0000000..b3a0a31 ---- /dev/null -+++ b/contrib/slapd-modules/mqtt/mqtt.c -@@ -0,0 +1,389 @@ -+/* $OpenLDAP$ */ -+/* This work is part of OpenLDAP Software <http://www.openldap.org/>. -+ * -+ * Copyright 2014 Timo Teräs <timo.teras@iki.fi>. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted only as authorized by the OpenLDAP -+ * Public License. 
-+ * -+ * A copy of this license is available in file LICENSE in the -+ * top-level directory of the distribution or, alternatively, at -+ * http://www.OpenLDAP.org/license.html. -+ */ -+/* mqtt-overlay -+ * -+ * This is an OpenLDAP overlay that... */ -+ -+#include <mosquitto.h> -+#include <unistd.h> -+ -+#include "portable.h" -+#include "slap.h" -+#include "config.h" -+ -+typedef struct mqtt_notify_t { -+ struct mqtt_notify_t *next; -+ char *topic; -+ char *dn_group_str; -+ char *oc_group_str; -+ char *str_member; -+ -+ struct berval ndn_group; -+ ObjectClass *oc_group; -+ AttributeDescription *ad_member; -+ int notify_pending; -+} mqtt_notify_t; -+ -+typedef struct mqtt_t { -+ struct mosquitto *mq; -+ int port; -+ char *hostname, *username, *password; -+ mqtt_notify_t *notify_map; -+} mqtt_t; -+ -+static ConfigDriver mqtt_config_notify; -+ -+static ConfigTable mqttcfg[] = { -+ { "mqtt-hostname", "hostname", 2, 2, 0, -+ ARG_STRING|ARG_OFFSET, (void *)offsetof(mqtt_t, hostname), -+ "( OLcfgCtAt:5.1 NAME 'olcMqttHostname' " -+ "DESC 'Hostname of MQTT broker' " -+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", -+ NULL, NULL }, -+ { "mqtt-port", "port", 2, 2, 0, -+ ARG_INT|ARG_OFFSET, (void *)offsetof(mqtt_t, port), -+ "( OLcfgCtAt:5.2 NAME 'olcMqttPort' " -+ "DESC 'Port of MQTT broker' " -+ "SYNTAX OMsInteger SINGLE-VALUE )", -+ NULL, NULL }, -+ { "mqtt-username", "username", 2, 2, 0, -+ ARG_STRING|ARG_OFFSET, (void *)offsetof(mqtt_t, username), -+ "( OLcfgCtAt:5.3 NAME 'olcMqttUsername' " -+ "DESC 'Username for MQTT broker' " -+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", -+ NULL, NULL }, -+ { "mqtt-password", "password", 2, 2, 0, -+ ARG_STRING|ARG_OFFSET, (void *)offsetof(mqtt_t, password), -+ "( OLcfgCtAt:5.4 NAME 'olcMqttPassword' " -+ "DESC 'Password for MQTT broker' " -+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", -+ NULL, NULL }, -+ { "mqtt-notify-password", "topic> <group-dn> <group-oc> <member-ad", 2, 5, 0, -+ ARG_MAGIC, mqtt_config_notify, -+ "( OLcfgCtAt:5.5 
NAME 'olcMqttNotifyPassword' " -+ "DESC 'Notify password change on <topic>, optionally checking that the object is in the specified group.'" -+ "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", -+ NULL, NULL }, -+ { NULL, NULL, 0, 0, 0, ARG_IGNORED } -+}; -+ -+static ConfigOCs mqttocs[] = { -+ { "( OLcfgCtOc:5.1 " -+ "NAME 'olcMqttConfig' " -+ "DESC 'MQTT configuration' " -+ "SUP olcOverlayConfig " -+ "MAY ( " -+ "olcMqttHostname " -+ "$ olcMqttPort" -+ "$ olcMqttUsername" -+ "$ olcMqttPassword" -+ "$ olcMqttNotifyPassword" -+ " ) )", -+ Cft_Overlay, mqttcfg }, -+ -+ { NULL, 0, NULL } -+}; -+ -+static int mqtt_init(BackendInfo *bi) -+{ -+ return mosquitto_lib_init(); -+} -+ -+static int mqtt_destroy(BackendInfo *bi) -+{ -+ return mosquitto_lib_cleanup(); -+} -+ -+static const char *ca_arg(ConfigArgs *c, int n) -+{ -+ return (c->argc <= n) ? NULL : c->argv[n]; -+} -+ -+static void free_notify(mqtt_notify_t *n) -+{ -+ ch_free(n->topic); -+ ch_free(n->oc_group_str); -+ ch_free(n->str_member); -+ ch_free(n->dn_group_str); -+ if (!BER_BVISNULL(&n->ndn_group)) -+ ber_memfree(n->ndn_group.bv_val); -+ ch_free(n); -+} -+ -+static void free_all_notifies(mqtt_t *mqtt) -+{ -+ mqtt_notify_t *n, *next; -+ -+ for (n = mqtt->notify_map; n; n = next) { -+ next = n->next; -+ free_notify(n); -+ } -+ mqtt->notify_map = NULL; -+} -+ -+static int mqtt_config_notify(ConfigArgs *c) -+{ -+ slap_overinst *on = (slap_overinst *)c->bi; -+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private; -+ mqtt_notify_t *n, **pprev; -+ const char *text = NULL; -+ struct berval bv = BER_BVNULL, ndn = BER_BVNULL; -+ int rc, i; -+ -+ switch (c->op) { -+ case SLAP_CONFIG_EMIT: -+ for (i = 0, n = mqtt->notify_map; n; n = n->next, i++) { -+ char *ptr = c->cr_msg, *end = &c->cr_msg[sizeof(c->cr_msg)-1]; -+ -+ ptr += snprintf(ptr, end-ptr, SLAP_X_ORDERED_FMT "%s", i, n->topic); -+ if (n->dn_group_str) -+ ptr += snprintf(ptr, end-ptr, " \"%s\"", n->dn_group_str); -+ if (n->oc_group_str) -+ ptr += snprintf(ptr, end-ptr, 
" \"%s\"", n->oc_group_str); -+ if (n->str_member) -+ ptr += snprintf(ptr, end-ptr, " \"%s\"", n->str_member); -+ -+ bv.bv_val = c->cr_msg; -+ bv.bv_len = ptr - bv.bv_val; -+ value_add_one(&c->rvalue_vals, &bv); -+ } -+ return 0; -+ case LDAP_MOD_DELETE: -+ if (c->valx < 0) { -+ free_all_notifies(mqtt); -+ } else { -+ pprev = &mqtt->notify_map; -+ n = mqtt->notify_map; -+ for (i = 0; i < c->valx; i++) { -+ pprev = &n->next; -+ n = n->next; -+ } -+ *pprev = n->next; -+ free_notify(n); -+ } -+ return 0; -+ } -+ -+ const char *groupdn = ca_arg(c, 2); -+ const char *oc_name = ca_arg(c, 3); -+ const char *ad_name = ca_arg(c, 4); -+ ObjectClass *oc = NULL; -+ AttributeDescription *ad = NULL; -+ -+ if (groupdn) { -+ oc = oc_find(oc_name ?: SLAPD_GROUP_CLASS); -+ if (oc == NULL) { -+ Debug(LDAP_DEBUG_ANY, "mqtt_db_open: unable to find objectClass=\"%s\"\n", -+ oc_name, 0, 0); -+ return 1; -+ } -+ -+ rc = slap_str2ad(ad_name ?: SLAPD_GROUP_ATTR, &ad, &text); -+ if (rc != LDAP_SUCCESS) { -+ Debug(LDAP_DEBUG_ANY, "mqtt_db_config_notify: unable to find attribute=\"%s\": %s (%d)\n", -+ ad_name, text, rc); -+ return rc; -+ } -+ -+ ber_str2bv(groupdn, 0, 0, &bv); -+ rc = dnNormalize(0, NULL, NULL, &bv, &ndn, NULL); -+ if (rc != LDAP_SUCCESS) { -+ Debug(LDAP_DEBUG_ANY, "mqtt_db_config_notify: DN normalization failed for \"%s\": %d\n", -+ groupdn, rc, 0); -+ return rc; -+ } -+ } -+ -+ n = ch_calloc(1, sizeof(*n)); -+ n->topic = ch_strdup(c->argv[1]); -+ n->dn_group_str = groupdn ? ch_strdup(groupdn) : NULL; -+ n->oc_group_str = oc_name ? ch_strdup(oc_name) : NULL; -+ n->str_member = ad_name ? 
ch_strdup(ad_name) : NULL; -+ n->ndn_group = ndn; -+ n->oc_group = oc; -+ n->ad_member = ad; -+ -+ for (pprev = &mqtt->notify_map; *pprev; pprev = &(*pprev)->next); -+ *pprev = n; -+ -+ return 0; -+} -+ -+static void mqtt_send_notify(mqtt_t *mqtt, mqtt_notify_t *n) -+{ -+ Debug(LDAP_DEBUG_TRACE, "mqtt_send_notify: pub on topic '%s'\n", n->topic, 0, 0); -+ n->notify_pending = mosquitto_publish(mqtt->mq, NULL, n->topic, 0, NULL, 1, true) == MOSQ_ERR_NO_CONN; -+} -+ -+static void mqtt_on_connect(struct mosquitto *mq, void *obj, int rc) -+{ -+ slap_overinst *on = (slap_overinst *) obj; -+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private; -+ mqtt_notify_t *n; -+ -+ Debug(LDAP_DEBUG_TRACE, "mqtt_on_connect: connected with status %d\n", rc, 0, 0); -+ if (rc != 0) -+ return; -+ -+ for (n = mqtt->notify_map; n; n = n->next) -+ if (n->notify_pending) -+ mqtt_send_notify(mqtt, n); -+} -+ -+static int mqtt_db_init(BackendDB *be, ConfigReply *cr) -+{ -+ slap_overinst *on = (slap_overinst *) be->bd_info; -+ -+ Debug(LDAP_DEBUG_TRACE, "mqtt_db_init: initialize overlay\n", 0, 0, 0); -+ on->on_bi.bi_private = ch_calloc(1, sizeof(mqtt_t)); -+ -+ return 0; -+} -+ -+static int mqtt_db_destroy(BackendDB *be, ConfigReply *cr) -+{ -+ slap_overinst *on = (slap_overinst *) be->bd_info; -+ mqtt_t *mqtt = on->on_bi.bi_private; -+ -+ Debug(LDAP_DEBUG_TRACE, "mqtt_db_destroy: destroy overlay\n", 0, 0, 0); -+ free_all_notifies(mqtt); -+ ch_free(mqtt); -+ -+ return 0; -+} -+ -+static int mqtt_db_open(BackendDB *be, ConfigReply *cr) -+{ -+ slap_overinst *on = (slap_overinst *) be->bd_info; -+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private; -+ struct mosquitto *mq; -+ char id[256]; -+ int n; -+ -+ n = snprintf(id, sizeof(id), "openldap-mqtt/%d/", getpid()); -+ gethostname(&id[n], sizeof(id) - n); -+ -+ Debug(LDAP_DEBUG_TRACE, "mqtt_db_open, id='%s'\n", id, 0, 0); -+ mqtt->mq = mq = mosquitto_new(id, true, on); -+ if (!mq) return 1; -+ -+ if (mqtt->username && mqtt->password) -+ 
mosquitto_username_pw_set(mq, mqtt->username, mqtt->password); -+ -+ mosquitto_connect_callback_set(mq, mqtt_on_connect); -+ mosquitto_connect_async(mq, mqtt->hostname ?: "127.0.0.1", mqtt->port ?: 1883, 60); -+ mosquitto_loop_start(mq); -+ -+ return 0; -+} -+ -+static int mqtt_db_close(BackendDB *be, ConfigReply *cr) -+{ -+ slap_overinst *on = (slap_overinst *) be->bd_info; -+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private; -+ -+ Debug(LDAP_DEBUG_TRACE, "mqtt_db_close\n", 0, 0, 0); -+ mosquitto_disconnect(mqtt->mq); -+ mosquitto_loop_stop(mqtt->mq, false); -+ mosquitto_destroy(mqtt->mq); -+ -+ free(mqtt->hostname); mqtt->hostname = NULL; -+ free(mqtt->username); mqtt->username = NULL; -+ free(mqtt->password); mqtt->password = NULL; -+ -+ return 0; -+} -+ -+static int mqtt_response(Operation *op, SlapReply *rs) -+{ -+ slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; -+ mqtt_t *mqtt = (mqtt_t *) on->on_bi.bi_private; -+ Attribute *a; -+ Modifications *m; -+ bool change = false; -+ -+ switch (op->o_tag) { -+ case LDAP_REQ_ADD: -+ for (a = op->ora_e->e_attrs; a; a = a->a_next) { -+ if (a->a_desc == slap_schema.si_ad_userPassword) { -+ change = true; -+ break; -+ } -+ } -+ break; -+ case LDAP_REQ_MODIFY: -+ for (m = op->orm_modlist; m; m = m->sml_next) { -+ if (m->sml_desc == slap_schema.si_ad_userPassword) { -+ change = true; -+ break; -+ } -+ } -+ break; -+ case LDAP_REQ_EXTENDED: -+ if (ber_bvcmp(&slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid) == 0) -+ change = true; -+ break; -+ } -+ -+ if (change) { -+ mqtt_notify_t *n; -+ int r, cache; -+ -+ for (n = mqtt->notify_map; n; n = n->next) { -+ if (n->oc_group) { -+ cache = op->o_do_not_cache; -+ op->o_do_not_cache = 1; -+ r = backend_group(op, NULL, &n->ndn_group, &op->o_req_ndn, n->oc_group, n->ad_member); -+ op->o_do_not_cache = cache; -+ } else { -+ r = 0; -+ } -+ -+ Debug(LDAP_DEBUG_TRACE, "tested o_req_ndn='%s' in ndn_group='%s' r=%d\n", -+ op->o_req_ndn.bv_val, n->ndn_group.bv_val, r); -+ -+ if (r == 0) -+ 
mqtt_send_notify(mqtt, n); -+ } -+ } -+ -+ return SLAP_CB_CONTINUE; -+} -+ -+static int mqtt_init_overlay() -+{ -+ static slap_overinst ov; -+ int rc; -+ -+ ov.on_bi.bi_type = "mqtt"; -+ ov.on_bi.bi_init = mqtt_init; -+ ov.on_bi.bi_destroy = mqtt_destroy; -+ ov.on_bi.bi_db_init = mqtt_db_init; -+ ov.on_bi.bi_db_destroy = mqtt_db_destroy; -+ ov.on_bi.bi_db_open = mqtt_db_open; -+ ov.on_bi.bi_db_close = mqtt_db_close; -+ ov.on_bi.bi_cf_ocs = mqttocs; -+ ov.on_response = mqtt_response; -+ -+ rc = config_register_schema(mqttcfg, mqttocs); -+ if (rc) return rc; -+ -+ return overlay_register(&ov); -+} -+ -+int init_module(int argc, char *argv[]) -+{ -+ return mqtt_init_overlay(); -+} - diff --git a/user/plib/APKBUILD b/user/plib/APKBUILD index fe02621ac..46a6ce3d6 100644 --- a/user/plib/APKBUILD +++ b/user/plib/APKBUILD @@ -14,8 +14,8 @@ subpackages="$pkgname-dev" source="http://plib.sourceforge.net/dist/plib-$pkgver.tar.gz fix-openflight.patch joystick.patch - plib-1.8.5-CVE-2011-4620.patch - plib-1.8.5-CVE-2012-4552.patch + CVE-2011-4620.patch + CVE-2012-4552.patch shared.patch " 
@@ -49,6 +49,6 @@ package() { sha512sums="17154cc77243fe576c2bcbcb0285b98aef1a0634658f5473e95fe0ac8fa3ed477dbe5620e44ccf0b7cc616f812af0cd44d6fcbba0c563180d3b61c9d6f158e1d plib-1.8.5.tar.gz fac9c78a57a0c564c46d586ebf541b45cf7dc838387498f3263bac78f0f78c53c85000667d6dfd349e328b1cd4254ac0d786dd825aefbe957f94e6d3b91ec41b fix-openflight.patch d9909c81fe2ed696c639623c532cb16a1378b0e2843ccbef00bb16bc6459cc7c708b2b0903dbdc89e6fb05522debd79f0f88b311bf12c3d415e303591033f0a8 joystick.patch -c046cf65e80629f238aaba724f522c31b434f5c9687ea02b019846ce3469c6b074bd014f81a7a4e6b43db7b084f4dcd9d4c04b557dbc1b8b8ca00f2d782fdf1c plib-1.8.5-CVE-2011-4620.patch -a09462ecb085703aae7cd3b77954cc800410aa37a9616255cca2f21456e6d5dcf8ead3f684c98236deb1455c6a034dc8ec874bafdbab003f7a63517ea1f8350d plib-1.8.5-CVE-2012-4552.patch +c046cf65e80629f238aaba724f522c31b434f5c9687ea02b019846ce3469c6b074bd014f81a7a4e6b43db7b084f4dcd9d4c04b557dbc1b8b8ca00f2d782fdf1c CVE-2011-4620.patch +a09462ecb085703aae7cd3b77954cc800410aa37a9616255cca2f21456e6d5dcf8ead3f684c98236deb1455c6a034dc8ec874bafdbab003f7a63517ea1f8350d CVE-2012-4552.patch 8f4fcbf3a07f64212b3ce891a4629fb45b1c62b251730a9d5f7da6e6fe65c39540f80519e97cf6a45c32f950f25e4d383ba891a6c0a92ae8a37089e51c0c5020 shared.patch" diff --git a/user/plib/plib-1.8.5-CVE-2011-4620.patch b/user/plib/CVE-2011-4620.patch index 41fac5fe4..41fac5fe4 100644 --- a/user/plib/plib-1.8.5-CVE-2011-4620.patch +++ b/user/plib/CVE-2011-4620.patch diff --git a/user/plib/plib-1.8.5-CVE-2012-4552.patch b/user/plib/CVE-2012-4552.patch index 78f1b22ae..78f1b22ae 100644 --- a/user/plib/plib-1.8.5-CVE-2012-4552.patch +++ b/user/plib/CVE-2012-4552.patch diff --git a/user/py3-jinja2/APKBUILD b/user/py3-jinja2/APKBUILD index 71a4c2313..457262361 100644 --- a/user/py3-jinja2/APKBUILD +++ b/user/py3-jinja2/APKBUILD 
@@ -4,7 +4,7 @@ pkgname=py3-jinja2 _pkgname=Jinja2 _p="${_pkgname#?}" _p="${_pkgname%"$_p"}" -pkgver=2.10 +pkgver=2.10.1 pkgrel=0 pkgdesc="A small but fast and easy to use stand-alone template engine written in pure python." url="https://pypi.python.org/pypi/Jinja2" @@ -16,20 +16,20 @@ checkdepends="py3-pytest py3-markupsafe" source="$pkgname-$pkgver.tar.gz::https://files.pythonhosted.org/packages/source/$_p/$_pkgname/$_pkgname-$pkgver.tar.gz" builddir="$srcdir/$_pkgname-$pkgver" +# secfixes: jinja2 +# 2.10.1-r0: +# - CVE-2019-10906 + build() { - cd "$builddir" python3 setup.py build } check() { - cd "$builddir" PYTHONPATH="$builddir:$PYTHONPATH" pytest } package() { - cd "$builddir" python3 setup.py install --prefix=/usr --root="$pkgdir" - } -sha512sums="0ea7371be67ffcf19e46dfd06523a45a0806e678a407d54f5f2f3e573982f0959cf82ec5d07b203670309928a62ef71109701ab16547a9bba2ebcdc178cb67f2 py3-jinja2-2.10.tar.gz" +sha512sums="a00153a0e07bb7d67f301b4eaf7af657726a1985e9ffc7ae2d76bdbb4c062d672efc8065e398767e1039b18a483a0092e206deac91e4047aad64920b56869623 py3-jinja2-2.10.1.tar.gz" diff --git a/user/subversion/APKBUILD b/user/subversion/APKBUILD index 9cb297aa6..f05892f09 100644 --- a/user/subversion/APKBUILD +++ b/user/subversion/APKBUILD @@ -1,8 +1,8 @@ # Contributor: A. Wilcox <awilfox@adelielinux.org> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=subversion -pkgver=1.12.0 -pkgrel=1 +pkgver=1.12.2 +pkgrel=0 pkgdesc="Version control system from 2000" url="https://subversion.apache.org/" arch="all" @@ -18,10 +18,14 @@ makedepends="apr-dev apr-util-dev cyrus-sasl-dev db-dev dbus-dev file-dev subpackages="$pkgname-dev $pkgname-doc $pkgname-gnome $pkgname-kwallet $pkgname-pl $pkgname-lang" source="https://www-eu.apache.org/dist/subversion/subversion-$pkgver.tar.bz2 - apr-1.7.0.patch python3-bang.patch " +# secfixes: +# 1.12.2-r0: +# - CVE-2018-11782 +# - CVE-2019-0203 + build() { # this is only needed for autogen.sh _PATH=$PATH 
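Review bot: The comment header added in the py3-jinja2 hunk reads `# secfixes: jinja2`, while every other APKBUILD touched in this merge uses a bare `# secfixes:` line followed by the release key. If the tooling that collects security fixes matches that header exactly, the `2.10.1-r0` / `CVE-2019-10906` entry may not be picked up; I would change the line to `# secfixes:`.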
@@ -85,6 +89,5 @@ pl() { mv "$pkgdir"/usr/lib/*perl* "$subpkgdir"/usr/lib/ } -sha512sums="87a00b23bdac63124fa00642e2ac7e6f7818b092bc6422cabdeb2ca8fbc8c481fb8c1e4fbd86aac94e8e1fc099fa163aa0609aca23265ceb96ef4ebe78a64c13 subversion-1.12.0.tar.bz2 -71b22f08a972a51347af00f979c4ec540c5795b44f3ced07ab2fcf8b1294b59add945983af4a63815d9f5d3b0ba88c24320cf2ec21189bf48c0ec46c7c0b48cf apr-1.7.0.patch +sha512sums="b1f859b460afa54598778d8633f648acb4fa46138f7d6f0c1451e3c6a1de71df859233cd9ac7f19f0f20d7237ed3988f0a38da7552ffa58391e19d957bc7c136 subversion-1.12.2.tar.bz2 1b96b791f70c2f6e05da8dbc9d42ccadf4603f25392c6676c4e30ecdb142ce74dd9b8dc27dc68b1cb461f4409d79c4c2aeed1d39a5a442d9349079a819358f5a python3-bang.patch" diff --git a/user/subversion/apr-1.7.0.patch b/user/subversion/apr-1.7.0.patch deleted file mode 100644 index a74e5e454..000000000 --- a/user/subversion/apr-1.7.0.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- subversion-1.11.1/build/ac-macros/swig.m4 -+++ subversion-1.11.1/build/ac-macros/swig.m4 -@@ -137,13 +137,13 @@ - AC_CACHE_CHECK([for apr_int64_t Python/C API format string], - [svn_cv_pycfmt_apr_int64_t], [ - if test "x$svn_cv_pycfmt_apr_int64_t" = "x"; then -- AC_EGREP_CPP([MaTcHtHiS +\"lld\" +EnDeNd], -+ AC_EGREP_CPP([MaTcHtHiS +\"ll(\" *\")?d\" +EnDeNd], - [#include <apr.h> - MaTcHtHiS APR_INT64_T_FMT EnDeNd], - [svn_cv_pycfmt_apr_int64_t="L"]) - fi - if test "x$svn_cv_pycfmt_apr_int64_t" = "x"; then -- AC_EGREP_CPP([MaTcHtHiS +\"ld\" +EnDeNd],r -+ AC_EGREP_CPP([MaTcHtHiS +\"l(\" *\")?d\" +EnDeNd],r - [#include <apr.h> - MaTcHtHiS APR_INT64_T_FMT EnDeNd], - [svn_cv_pycfmt_apr_int64_t="l"]) diff --git a/user/taglib/APKBUILD b/user/taglib/APKBUILD index 60586f78e..0b7731116 100644 --- a/user/taglib/APKBUILD +++ b/user/taglib/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=taglib pkgver=1.11.1 -pkgrel=2 +pkgrel=3 pkgdesc="Library for manipulating audio file metadata" url="https://taglib.org/" arch="all" 
@@ -10,7 +10,14 @@ license="LGPL-2.1-only AND MPL-1.1" depends="" makedepends="cmake zlib-dev" subpackages="$pkgname-dev" -source="http://taglib.org/releases/taglib-$pkgver.tar.gz" +source="http://taglib.org/releases/taglib-$pkgver.tar.gz + CVE-2017-12678.patch + CVE-2018-11439.patch" + +# secfixes: +# 1.11.1-r3: +# - CVE-2017-12678 +# - CVE-2018-11439 build() { cd "$builddir" @@ -27,4 +34,6 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="7846775c4954ea948fe4383e514ba7c11f55d038ee06b6ea5a0a1c1069044b348026e76b27aa4ba1c71539aa8143e1401fab39184cc6e915ba0ae2c06133cb98 taglib-1.11.1.tar.gz" +sha512sums="7846775c4954ea948fe4383e514ba7c11f55d038ee06b6ea5a0a1c1069044b348026e76b27aa4ba1c71539aa8143e1401fab39184cc6e915ba0ae2c06133cb98 taglib-1.11.1.tar.gz +e50810e8d790c490b7d6752c4bf65da812b7534b9920c505d83b8bd0d67fe9991b4db488b6a63e69b206bbcb3cf80754018b17294b5832dd05bfad9a0fbc56c6 CVE-2017-12678.patch +9a118f9410404996bf3879325f77fcfb638f6cc71b4e258d9786bd741c2c45f26385a6049788ef6ebc56c7c987bd7ef6267a461f4478f5d52d236b035287cdf2 CVE-2018-11439.patch" diff --git a/user/taglib/CVE-2017-12678.patch b/user/taglib/CVE-2017-12678.patch new file mode 100644 index 000000000..71081c6d6 --- /dev/null +++ b/user/taglib/CVE-2017-12678.patch 
@@ -0,0 +1,31 @@
+From cb9f07d9dcd791b63e622da43f7b232adaec0a9a Mon Sep 17 00:00:00 2001
+From: "Stephen F. Booth" <me@sbooth.org>
+Date: Sat, 30 Sep 2017 10:15:41 -0500
+Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
+ (#831)
+
+If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
+which causes problems in rebuildAggregateFrames() when it is assumed
+that TDRC is a TextIdentificationFrame
+---
+ taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+index 759a9b7be..9347ab869 100644
+--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
++++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
+ tag->frameList("TDAT").size() == 1)
+ {
+ TextIdentificationFrame *tdrc =
+- static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
++ dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+ UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
+
+- if(tdrc->fieldList().size() == 1 &&
++ if(tdrc &&
++ tdrc->fieldList().size() == 1 &&
+ tdrc->fieldList().front().size() == 4 &&
+ tdat->data().size() >= 5)
+ {
diff --git a/user/taglib/CVE-2018-11439.patch b/user/taglib/CVE-2018-11439.patch
new file mode 100644
index 000000000..20b777e74
--- /dev/null
+++ b/user/taglib/CVE-2018-11439.patch
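Review bot: In the id3v2framefactory.cpp change carried by CVE-2017-12678.patch, only the TDRC cast gains a type check; the next line still obtains `tdat` with `static_cast<UnknownFrame *>` and the condition dereferences it in `tdat->data().size() >= 5`. Whether the factory can ever return a different frame class for TDAT is not visible in this hunk, but if it can, the type confusion that the patch closes for TDRC remains for TDAT. A matching change would be `dynamic_cast<UnknownFrame *>(tag->frameList("TDAT").front())` together with `tdat &&` in the condition. `rebuildAggregateFrames()` starts and continues outside the hunk.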
@@ -0,0 +1,42 @@
+From 2c4ae870ec086f2ddd21a47861a3709c36faac45 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Tue, 9 Oct 2018 18:46:55 -0500
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+ (#869)
+
+CVE-2018-11439 is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d04508a..07ea9dccc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+
+ if(!metadataHeader.startsWith("fLaC")) {
+ // FLAC 1.1.2+
++ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++ if(metadataHeader.size() < 13)
++ return;
++
++ if(metadataHeader[0] != 0x7f)
++ return;
++
+ if(metadataHeader.mid(1, 4) != "FLAC")
+ return;
+
+- if(metadataHeader[5] != 1)
+- return; // not version 1
++ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++ return; // not version 1.0
++
++ if(metadataHeader.mid(9, 4) != "fLaC")
++ return;
+
+ metadataHeader = metadataHeader.mid(13);
+ }
diff --git a/user/tcpdump/APKBUILD b/user/tcpdump/APKBUILD
index 7adeefa35..d273d4acc 100644
--- a/user/tcpdump/APKBUILD
+++ b/user/tcpdump/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Dan Theisen <djt@hxx.in>
 pkgname=tcpdump
 pkgver=4.9.2
-pkgrel=1
+pkgrel=2
 pkgdesc="A tool for network monitoring and data acquisition"
 url="http://www.tcpdump.org"
 arch="all"
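Review bot: The version test added to `Ogg::FLAC::File::scan()` in CVE-2018-11439.patch, `if(metadataHeader[5] != 1 && metadataHeader[6] != 0)`, returns only when both the major and the minor byte are wrong. A header with major 1 and any minor, or with any major and minor 0, therefore still passes, although the comment says "not version 1.0". If the intent is to accept exactly 1.0, the condition should read `if(metadataHeader[5] != 1 || metadataHeader[6] != 0)`. The added `size() < 13` check is what bounds the later indexed reads, so this is a strictness gap in header validation rather than a memory-safety one. `scan()` begins and continues outside the hunk.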
@@ -11,12 +11,15 @@ depends="" makedepends="libpcap-dev openssl-dev perl" subpackages="$pkgname-doc" source="http://www.tcpdump.org/release/$pkgname-$pkgver.tar.gz + CVE-2017-16808.patch CVE-2018-19519.patch " # secfixes: # 4.9.2-r1: # - CVE-2018-19519 +# 4.9.2-r2: +# - CVE-2017-16808 build () { cd "$builddir" @@ -42,4 +45,5 @@ package() { } sha512sums="e1bc19a5867d6e3628f3941bdf3ec831bf13784f1233ca1bccc46aac1702f47ee9357d7ff0ca62cddf211b3c8884488c21144cabddd92c861e32398cd8f7c44b tcpdump-4.9.2.tar.gz +d7f4761bee96ec69cdb93602ea59518f238089967d1ede4e91d139febe0ffe0818d49ad19b96c741a379938c369952405dadd3be2766b6524c43c70066cb4fc4 CVE-2017-16808.patch eb4232e434064ec59b07840aa394cfcc05c89e817f2d4ebeb4da1dbb1c910fe1805857356d6304ebdb16e32aa6476ce90f164aabc60501b493fd5601b380af7e CVE-2018-19519.patch" diff --git a/user/tcpdump/CVE-2017-16808.patch b/user/tcpdump/CVE-2017-16808.patch new file mode 100644 index 000000000..6b41aad8c --- /dev/null +++ b/user/tcpdump/CVE-2017-16808.patch @@ -0,0 +1,26 @@ +From 28f610026d901660dd370862b62ec328727446a2 Mon Sep 17 00:00:00 2001 +From: Denis Ovsienko <denis@ovsienko.info> +Date: Thu, 31 Aug 2017 21:15:37 +0100 +Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check. + +In aoev1_reserve_print() check bounds before trying to print an Ethernet +address. + +This fixes a buffer over-read discovered by Bhargava Shastry, +SecT/TU Berlin. +--- + print-aoe.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/print-aoe.c b/print-aoe.c +index 97e93df2e..2c78a55d3 100644 +--- a/print-aoe.c ++++ b/print-aoe.c +@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo, + goto invalid; + /* addresses */ + for (i = 0; i < nmacs; i++) { ++ ND_TCHECK2(*cp, ETHER_ADDR_LEN); + ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp))); + cp += ETHER_ADDR_LEN; + } |