-rw-r--r-- | system/bzip2/APKBUILD | 26 | ||||
-rw-r--r-- | system/bzip2/bzip2-1.0.4-POSIX-shell.patch | 21 | ||||
-rw-r--r-- | system/bzip2/bzip2-1.0.6-saneso.patch | 13 | ||||
-rw-r--r-- | system/bzip2/bzip2-1.0.8-saneso.patch | 13 | ||||
-rw-r--r-- | system/libxslt/APKBUILD | 13 | ||||
-rw-r--r-- | system/libxslt/CVE-2019-13117.patch | 29 | ||||
-rw-r--r-- | system/libxslt/CVE-2019-13118.patch | 71 | ||||
-rw-r--r-- | user/atril/APKBUILD | 6 | ||||
-rw-r--r-- | user/atril/CVE-2019-1010006.patch | 56 |
9 files changed, 195 insertions, 53 deletions
diff --git a/system/bzip2/APKBUILD b/system/bzip2/APKBUILD index 54b3e4d66..ed22b0137 100644 --- a/system/bzip2/APKBUILD +++ b/system/bzip2/APKBUILD @@ -1,28 +1,28 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=bzip2 -pkgver=1.0.6 -pkgrel=7 +pkgver=1.0.8 +pkgrel=0 pkgdesc="A high-quality data compression program" -url="http://sources.redhat.com/bzip2" +url="https://www.sourceware.org/bzip2/" arch="all" license="BSD-4-Clause" depends="" subpackages="$pkgname-dev $pkgname-doc libbz2" -source="https://downloads.sourceforge.net/bzip2/$pkgname-$pkgver.tar.gz +source="https://sourceware.org/pub/bzip2/$pkgname-$pkgver.tar.gz bzip2-1.0.4-makefile-CFLAGS.patch - bzip2-1.0.6-saneso.patch + bzip2-1.0.8-saneso.patch bzip2-1.0.4-man-links.patch bzip2-1.0.2-progress.patch bzip2-1.0.3-no-test.patch - bzip2-1.0.4-POSIX-shell.patch - CVE-2016-3189.patch " +builddir="$srcdir/$pkgname-$pkgver" # secfixes: # 1.0.6-r5: -# - CVE-2016-3189 +# - CVE-2016-3189 +# 1.0.8-r0: +# - CVE-2019-12900 -builddir="$srcdir"/$pkgname-$pkgver prepare() { default_prepare 
@@ -64,11 +64,9 @@ libbz2() { mv "$pkgdir"/usr/lib/*.so.* "$subpkgdir"/usr/lib/ } -sha512sums="00ace5438cfa0c577e5f578d8a808613187eff5217c35164ffe044fbafdfec9e98f4192c02a7d67e01e5a5ccced630583ad1003c37697219b0f147343a3fdd12 bzip2-1.0.6.tar.gz +sha512sums="083f5e675d73f3233c7930ebe20425a533feedeaaa9d8cc86831312a6581cefbe6ed0d08d2fa89be81082f2a5abdabca8b3c080bf97218a1bd59dc118a30b9f3 bzip2-1.0.8.tar.gz 58cc37430555520b6e35db2740e699cf37eacdd82989c21a222a593e36288710a0defb003662d4238235c12b3764bfc89cd646e6be9d0a08d54bd2c9baa6ad15 bzip2-1.0.4-makefile-CFLAGS.patch -8a7528b5b931bb72f637c6940bc811d54fb816fd5bb453af56d9b4a87091004eb5e191ba799d972794b24c56cf8134344a618b58946d3f1d985c508f88190845 bzip2-1.0.6-saneso.patch +bc52f6efc63ac8d06fcbbb0446cc9c8025964ba0651ef493b5a124e838bf03bebb0ef56247fdd007265c8ea091f3458e832a53856228e7fefa4d20a55065bba3 bzip2-1.0.8-saneso.patch 2d9a306bc0f552a58916ebc702d32350a225103c487e070d2082121a54e07f1813d3228f43293cc80a4bee62053fd597294c99a1751b1685cd678f4e5c6a2fe7 bzip2-1.0.4-man-links.patch b6810c73428f17245e0d7c2decd00c88986cd8ad1cfe4982defe34bdab808d53870ed92cb513b2d00c15301747ceb6ca958fb0e0458d0663b7d8f7c524f7ba4e bzip2-1.0.2-progress.patch -aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030 bzip2-1.0.3-no-test.patch -64ab461bf739c29615383750e7f260abb2d49df7eb23916940d512bd61fd9a37aaade4d8f6f94280c95fc781b8f92587ad4f3dda51e87dec7a92a7a6f8d8ae86 bzip2-1.0.4-POSIX-shell.patch -cef6f448b661a775cc433f9636730e89c1285d07075536217657056be56e0a11e96f41f7c14f6ec59e235464b9ddd649a71fb8de1c60eda2fd5c2cdfbb6a8fdc CVE-2016-3189.patch" +aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030 bzip2-1.0.3-no-test.patch" diff --git a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch b/system/bzip2/bzip2-1.0.4-POSIX-shell.patch deleted file mode 100644 index a5916eaff..000000000 
--- a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch +++ /dev/null @@ -1,21 +0,0 @@ -bzgrep uses !/bin/sh but then uses the bashism ${var//} so replace those -with calls to sed so POSIX shells work - -http://bugs.gentoo.org/193365 - ---- ./bzgrep -+++ ./bzgrep -@@ -63,10 +63,9 @@ - bzip2 -cdfq "$i" | $grep $opt "$pat" - r=$? - else -- j=${i//\\/\\\\} -- j=${j//|/\\|} -- j=${j//&/\\&} -- j=`printf "%s" "$j" | tr '\n' ' '` -+ # the backslashes here are doubled up as we have to escape each one for the -+ # shell and then escape each one for the sed expression -+ j=`printf "%s" "${i}" | sed -e 's:\\\\:\\\\\\\\:g' -e 's:[|]:\\\\|:g' -e 's:[&]:\\\\&:g' | tr '\n' ' '` - bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${j}:|" - r=$? - fi diff --git a/system/bzip2/bzip2-1.0.6-saneso.patch b/system/bzip2/bzip2-1.0.6-saneso.patch deleted file mode 100644 index 1968a63bf..000000000 --- a/system/bzip2/bzip2-1.0.6-saneso.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- ./Makefile-libbz2_so -+++ ./Makefile-libbz2_so -@@ -35,8 +35,8 @@ - bzlib.o - - all: $(OBJS) -- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.6 $(OBJS) -- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6 -+ $(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS) -+ $(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6 - rm -f libbz2.so.1.0 - ln -s libbz2.so.1.0.6 libbz2.so.1.0 - diff --git a/system/bzip2/bzip2-1.0.8-saneso.patch b/system/bzip2/bzip2-1.0.8-saneso.patch new file mode 100644 index 000000000..7aab257af --- /dev/null +++ b/system/bzip2/bzip2-1.0.8-saneso.patch 
@@ -0,0 +1,13 @@ +--- bzip2-1.0.8/Makefile-libbz2_so 2019-07-13 17:50:05.000000000 +0000 ++++ bzip2-1.0.8/Makefile-libbz2_so 2019-07-23 22:36:08.050034514 +0000 +@@ -35,8 +35,8 @@ OBJS= blocksort.o \ + bzlib.o + + all: $(OBJS) +- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.8 $(OBJS) +- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8 ++ $(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS) ++ $(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8 + rm -f libbz2.so.1.0 + ln -s libbz2.so.1.0.8 libbz2.so.1.0 + diff --git a/system/libxslt/APKBUILD b/system/libxslt/APKBUILD index 49a07d7cf..c387c6d45 100644 --- a/system/libxslt/APKBUILD +++ b/system/libxslt/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libxslt pkgver=1.1.33 -pkgrel=1 +pkgrel=2 pkgdesc="XML stylesheet transformation library" url="http://xmlsoft.org/XSLT/" arch="all" @@ -10,13 +10,18 @@ license="SGI-B-2.0" makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev" subpackages="$pkgname-doc $pkgname-dev" source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz - CVE-2019-11068.patch" + CVE-2019-11068.patch + CVE-2019-13117.patch + CVE-2019-13118.patch" # secfixes: # 1.1.29-r1: # - CVE-2017-5029 # 1.1.33-r1: # - CVE-2019-11068 +# 1.1.33-r2: +# - CVE-2019-13117 +# - CVE-2019-13118 build() { ./configure \ 
@@ -35,4 +40,6 @@ package() { } sha512sums="ebbe438a38bf6355950167d3b580edc22baa46a77068c18c42445c1c9c716d42bed3b30c5cd5bec359ab32d03843224dae458e9e32dc61693e7cf4bab23536e0 libxslt-1.1.33.tar.gz -48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41 CVE-2019-11068.patch" +48982b7486351d1eb2853f963db14381dd983c2b4347b7cbeb4507258146ebd8fca125506b2d15d4cbfd2e9ef3fef6341de41a2bfdffc3b0f6bea272b37d9e41 CVE-2019-11068.patch +b311e253a5c4f425f84344397974562a76b253ca14f63b48af7aa0faa561d5f728cb73ee63024993fad3ee7fc7eddb9c9d7310ab8faa5f6a14fd1c6d0037999f CVE-2019-13117.patch +44d3bb5dda6965f48e3af96c77ffa5f1f2e3c191cf1f28ac1b7b3501420393b5628b12b99fe4008b5056384dfebfdcbbee7625f0644cfc27101424a051415da0 CVE-2019-13118.patch" diff --git a/system/libxslt/CVE-2019-13117.patch b/system/libxslt/CVE-2019-13117.patch new file mode 100644 index 000000000..78ebb9075 --- /dev/null +++ b/system/libxslt/CVE-2019-13117.patch @@ -0,0 +1,29 @@ +From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 27 Apr 2019 11:19:48 +0200 +Subject: [PATCH] Fix uninitialized read of xsl:number token + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 89e1f668..75c31eba 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format, + tokens->tokens[tokens->nTokens].token = val - 1; + ix += len; + val = xmlStringCurrentChar(NULL, format+ix, &len); +- } ++ } else { ++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0'; ++ tokens->tokens[tokens->nTokens].width = 1; ++ } + } else if ( (val == (xmlChar)'A') || + (val == (xmlChar)'a') || + (val == (xmlChar)'I') || +-- +2.21.0 + 
diff --git a/system/libxslt/CVE-2019-13118.patch b/system/libxslt/CVE-2019-13118.patch
new file mode 100644
index 000000000..b377f4bd6
--- /dev/null
+++ b/system/libxslt/CVE-2019-13118.patch
@@ -0,0 +1,71 @@ +From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 3 Jun 2019 13:14:45 +0200 +Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars + +The character type in xsltFormatNumberConversion was too narrow and +an invalid character/length combination could be passed to +xsltNumberFormatDecimal, resulting in an uninitialized read. + +Found by OSS-Fuzz. +--- + libxslt/numbers.c | 5 +++-- + tests/docs/bug-222.xml | 1 + + tests/general/bug-222.out | 2 ++ + tests/general/bug-222.xsl | 6 ++++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + create mode 100644 tests/docs/bug-222.xml + create mode 100644 tests/general/bug-222.out + create mode 100644 tests/general/bug-222.xsl + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index f1ed8846..20b99d5a 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER: + number = floor((scale * number + 0.5)) / scale; + if ((self->grouping != NULL) && + (self->grouping[0] != 0)) { ++ int gchar; + + len = xmlStrlen(self->grouping); +- pchar = xsltGetUTF8Char(self->grouping, &len); ++ gchar = xsltGetUTF8Char(self->grouping, &len); + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, + format_info.group, +- pchar, len); ++ gchar, len); + } else + xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0], + format_info.integer_digits, +diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml +new file mode 100644 +index 00000000..69d62f2c +--- /dev/null ++++ b/tests/docs/bug-222.xml +@@ -0,0 +1 @@ ++<doc/> +diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out +new file mode 100644 +index 00000000..e3139698 +--- /dev/null ++++ b/tests/general/bug-222.out +@@ -0,0 +1,2 @@ ++<?xml version="1.0"?> ++1⠢0 +diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl +new file mode 100644 +index 00000000..e32dc473 +--- 
/dev/null ++++ b/tests/general/bug-222.xsl +@@ -0,0 +1,6 @@ ++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> ++ <xsl:decimal-format name="f" grouping-separator="⠢"/> ++ <xsl:template match="/"> ++ <xsl:value-of select="format-number(10,'#⠢0','f')"/> ++ </xsl:template> ++</xsl:stylesheet> +-- +2.21.0 + diff --git a/user/atril/APKBUILD b/user/atril/APKBUILD index 5fd885123..d9f1127a9 100644 --- a/user/atril/APKBUILD +++ b/user/atril/APKBUILD @@ -13,7 +13,8 @@ makedepends="caja-dev djvulibre-dev gobject-introspection-dev gtk+3.0-dev intltool itstool libgxps-dev libsecret-dev libsm-dev libspectre-dev libxml2-dev libxml2-utils poppler-dev python3 tiff-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" -source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz" +source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz + CVE-2019-1010006.patch" build() { cd "$builddir" @@ -41,4 +42,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d atril-1.22.1.tar.xz" +sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d atril-1.22.1.tar.xz +ea6db09fe033a8ddf6d90f080858057fad5452a23801e0f41f7a90ec352b71344e8b596a0913deabca333ff24dc5023628eab7c18bc526c0a7f8fb0d680acdf7 CVE-2019-1010006.patch" diff --git a/user/atril/CVE-2019-1010006.patch b/user/atril/CVE-2019-1010006.patch new file mode 100644 index 000000000..ce107d193 --- /dev/null +++ b/user/atril/CVE-2019-1010006.patch 
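Review bot: Neither hunk of user/atril/APKBUILD bumps `pkgrel` or adds a `# secfixes:` entry, although both add CVE-2019-1010006.patch (to `source` and to `sha512sums`). The libxslt APKBUILD in this same commit does both (`pkgrel=2` and a `# 1.1.33-r2:` block). The diffstat's 6 changed lines for this file are fully accounted for by the source and checksum edits, so no release bump appears to be hiding outside the hunks. Without one, hosts that already have atril 1.22.1 installed would presumably not be offered the rebuilt package, and the fix is not recorded for anyone auditing the tree by CVE. I would add `pkgrel=<next release>` plus a comment block `# secfixes:` / `#   1.22.1-r<next release>:` / `#     - CVE-2019-1010006`, with the release number taken from the current APKBUILD, which is not visible here.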
@@ -0,0 +1,56 @@ +From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001 +From: Jason Crain <jcrain@src.gnome.org> +Date: Sat, 2 Dec 2017 20:24:33 -0600 +Subject: [PATCH] Fix overflow checks in tiff backend + +The overflow checks in tiff_document_render and +tiff_document_get_thumbnail don't work when optimizations are enabled. +Change the checks so they don't rely on undefined behavior. + +https://bugzilla.gnome.org/show_bug.cgi?id=788980 +--- + backend/tiff/tiff-document.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c +index 8f40934e..7bf95c2b 100644 +--- a/backend/tiff/tiff-document.c ++++ b/backend/tiff/tiff-document.c +@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document, + return NULL; + } + +- bytes = height * rowstride; +- if (bytes / rowstride != height) { ++ if (height >= INT_MAX / rowstride) { + g_warning("Overflow while rendering document."); + /* overflow */ + return NULL; + } ++ bytes = height * rowstride; + + pixels = g_try_malloc (bytes); + if (!pixels) { +@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document, + if (width <= 0 || height <= 0) + return NULL; + +- rowstride = width * 4; +- if (rowstride / 4 != width) ++ if (width >= INT_MAX / 4) + /* overflow */ + return NULL; ++ rowstride = width * 4; + +- bytes = height * rowstride; +- if (bytes / rowstride != height) ++ if (height >= INT_MAX / rowstride) + /* overflow */ + return NULL; ++ bytes = height * rowstride; + + pixels = g_try_malloc (bytes); + if (!pixels) +-- +2.21.0 + |
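Review bot: The rewritten test `if (height >= INT_MAX / rowstride)` in the tiff_document_render hunk is only a sound overflow check when `height` and `rowstride` are both positive, and that hunk does not show where this is established; the function body starts above the hunk. The tiff_document_get_thumbnail hunk does show `if (width <= 0 || height <= 0) return NULL;` ahead of its two checks. I would confirm the equivalent guard in render and record the precondition next to the check, e.g. `/* width, height and rowstride are > 0 here, so the division is defined and height * rowstride fits in int */`. The patch also uses `INT_MAX` without adding an include; if `<limits.h>` is not already reachable in tiff-document.c, `G_MAXINT` would match the GLib calls around it.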