diff options
-rw-r--r-- | system/binutils/APKBUILD | 6 | ||||
-rw-r--r-- | system/binutils/CVE-2019-14444.patch | 28 | ||||
-rw-r--r-- | system/e2fsprogs/APKBUILD | 10 | ||||
-rw-r--r-- | system/e2fsprogs/CVE-2019-5094.patch | 211 | ||||
-rw-r--r-- | system/python3/APKBUILD | 8 | ||||
-rw-r--r-- | system/python3/CVE-2019-16056.patch | 131 |
6 files changed, 389 insertions, 5 deletions
diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD index 33e6579c0..8304e5c7d 100644 --- a/system/binutils/APKBUILD +++ b/system/binutils/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org> pkgname=binutils pkgver=2.32 -pkgrel=2 +pkgrel=3 pkgdesc="Tools necessary to build programs" url="https://www.gnu.org/software/binutils/" depends="" @@ -30,6 +30,7 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz CVE-2019-9077.patch CVE-2019-12972.patch CVE-2019-14250.patch + CVE-2019-14444.patch BTS-170.patch BTS-196.patch " @@ -59,6 +60,8 @@ fi # - CVE-2019-9077 # - CVE-2019-12972 # - CVE-2019-14250 +# 2.32-r3: +# - CVE-2019-14444 build() { local _sysroot=/ @@ -152,5 +155,6 @@ a46b9211608e2f35219b95363a5ba90506742dcb9e4bd4a43915af6c0b3e74bd8339a8318dc2923c c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be34df4954dbf02feb5232ebbecc596277fc2fe63673ed347c CVE-2019-9077.patch 9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch +0942cc1a4c5ec03e931c6ebd15c5d60eae6be48cd0a3d9b7f6356f97361226bb6d53dbdcb01b20efcca0ccaf23764730d9bbad2c1bbe2ea6ca320e43b43b311b CVE-2019-14444.patch d4543d2f77808d317d17a5f0eb9af21540ef8543fceaed4e3524213e31e058333321f3ba3b495199e3b57bfd0c4164929cf679369470389e26871b8895cb0110 BTS-170.patch 9cc17d9fe3fc1351d1f6b4fc1c916254529f3304c95db6f4698b867eeb623210b914dc798fb837eafbad2b287b78b31c4ed5482b3151a2992864da04e1dd5fac BTS-196.patch" diff --git a/system/binutils/CVE-2019-14444.patch b/system/binutils/CVE-2019-14444.patch new file mode 100644 index 000000000..43d4e2a91 --- /dev/null +++ b/system/binutils/CVE-2019-14444.patch @@ -0,0 +1,28 @@ +From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 5 Aug 2019 10:40:35 +0100 +Subject: [PATCH] Catch potential integer overflow in readelf when processing + corrupt binaries. + + PR 24829 + * readelf.c (apply_relocations): Catch potential integer overflow + whilst checking reloc location against section size. +--- + binutils/readelf.c | 2 +- + +diff --git a/binutils/readelf.c b/binutils/readelf.c +index b896ad9..e785fde 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -13366,7 +13366,7 @@ apply_relocations (Filedata * filedata, + } + + rloc = start + rp->r_offset; +- if ((rloc + reloc_size) > end || (rloc < start)) ++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start)) + { + warn (_("skipping invalid relocation offset 0x%lx in section %s\n"), + (unsigned long) rp->r_offset, +-- +2.9.3 + diff --git a/system/e2fsprogs/APKBUILD b/system/e2fsprogs/APKBUILD index 30d291ec0..ba7869fe8 100644 --- a/system/e2fsprogs/APKBUILD +++ b/system/e2fsprogs/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=e2fsprogs pkgver=1.45.3 -pkgrel=0 +pkgrel=1 pkgdesc="Standard ext2/3/4 filesystem utilities" url="http://e2fsprogs.sourceforge.net" arch="all" @@ -13,8 +13,13 @@ makedepends="$depends_dev linux-headers" subpackages="$pkgname-lang $pkgname-dev $pkgname-doc libcom_err $pkgname-libs" source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz header-fix.patch + CVE-2019-5094.patch " +# secfixes: +# 1.45.3-r1: +# - CVE-2019-5094 + build () { ./configure \ --build=$CBUILD \ @@ -55,4 +60,5 @@ libcom_err() { } sha512sums="9f898d353af48a1d357cb01f64187b6dfef671bb2e0450438530fe4fa9454fccc6b755c9469d81e702e6d85a4defd02ae0a493897a4b3284cb112e8444c9bf52 e2fsprogs-1.45.3.tar.xz -34ca45c64a132bb4b507cd4ffb763c6d1b7979eccfed20f63417e514871b47639d32f2a3ecff090713c21a0f02ac503d5093960c80401d64081c592d01af279d header-fix.patch" +34ca45c64a132bb4b507cd4ffb763c6d1b7979eccfed20f63417e514871b47639d32f2a3ecff090713c21a0f02ac503d5093960c80401d64081c592d01af279d header-fix.patch +f82cf01938eb150446a7014ba48d51578ace42aecd427e225a3640033a4d8f2ec5a29dd02a3c0dfa45d2140cb2187303397c2d0124a2f987304c25182cc9578a CVE-2019-5094.patch" diff --git a/system/e2fsprogs/CVE-2019-5094.patch b/system/e2fsprogs/CVE-2019-5094.patch new file mode 100644 index 000000000..21baf660a --- /dev/null +++ b/system/e2fsprogs/CVE-2019-5094.patch @@ -0,0 +1,211 @@ +From 8dbe7b475ec5e91ed767239f0e85880f416fc384 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Sun, 1 Sep 2019 00:59:16 -0400 +Subject: libsupport: add checks to prevent buffer overrun bugs in quota code + +A maliciously corrupted file systems can trigger buffer overruns in +the quota code used by e2fsck. To fix this, add sanity checks to the +quota header fields as well as to block number references in the quota +tree. + +Addresses: CVE-2019-5094 +Addresses: TALOS-2019-0887 +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + lib/support/mkquota.c | 1 + + lib/support/quotaio_tree.c | 71 ++++++++++++++++++++++++++++++---------------- + lib/support/quotaio_v2.c | 28 ++++++++++++++++++ + 3 files changed, 76 insertions(+), 24 deletions(-) + +diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c +index 0b9e7665..ddb53124 100644 +--- a/lib/support/mkquota.c ++++ b/lib/support/mkquota.c +@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype, + err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data); + if (err) { + log_debug("Error scanning dquots"); ++ *usage_inconsistent = 1; + goto out_close_qh; + } + +diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c +index a7c2028c..6cc4fb5b 100644 +--- a/lib/support/quotaio_tree.c ++++ b/lib/support/quotaio_tree.c +@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct quota_handle *h, qid_t id) + return dquot; + } + ++static int check_reference(struct quota_handle *h, unsigned int blk) ++{ ++ if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) { ++ log_err("Illegal reference (%u >= %u) in %s quota file", ++ blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, ++ quota_type2name(h->qh_type)); ++ return -1; ++ } ++ return 0; ++} ++ + /* + * Scan all dquots in file and call callback on each + */ +@@ -558,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap, + int entries, i; + + if (!buf) +- return 0; ++ return -1; + + set_bit(bitmap, blk); + read_blk(dquot->dq_h, blk, buf); +@@ -580,23 +591,12 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap, + return entries; + } + +-static void check_reference(struct quota_handle *h, unsigned int blk) +-{ +- if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) +- log_err("Illegal reference (%u >= %u) in %s quota file. " +- "Quota file is probably corrupted.\n" +- "Please run e2fsck (8) to fix it.", +- blk, +- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks, +- quota_type2name(h->qh_type)); +-} +- + static int report_tree(struct dquot *dquot, unsigned int blk, int depth, + char *bitmap, + int (*process_dquot) (struct dquot *, void *), + void *data) + { +- int entries = 0, i; ++ int entries = 0, ret, i; + dqbuf_t buf = getdqbuf(); + __le32 *ref = (__le32 *) buf; + +@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth, + if (depth == QT_TREEDEPTH - 1) { + for (i = 0; i < QT_BLKSIZE >> 2; i++) { + blk = ext2fs_le32_to_cpu(ref[i]); +- check_reference(dquot->dq_h, blk); +- if (blk && !get_bit(bitmap, blk)) +- entries += report_block(dquot, blk, bitmap, +- process_dquot, data); ++ if (check_reference(dquot->dq_h, blk)) { ++ entries = -1; ++ goto errout; ++ } ++ if (blk && !get_bit(bitmap, blk)) { ++ ret = report_block(dquot, blk, bitmap, ++ process_dquot, data); ++ if (ret < 0) { ++ entries = ret; ++ goto errout; ++ } ++ entries += ret; ++ } + } + } else { + for (i = 0; i < QT_BLKSIZE >> 2; i++) { + blk = ext2fs_le32_to_cpu(ref[i]); + if (blk) { +- check_reference(dquot->dq_h, blk); +- entries += report_tree(dquot, blk, depth + 1, +- bitmap, process_dquot, +- data); ++ if (check_reference(dquot->dq_h, blk)) { ++ entries = -1; ++ goto errout; ++ } ++ ret = report_tree(dquot, blk, depth + 1, ++ bitmap, process_dquot, ++ data); ++ if (ret < 0) { ++ entries = ret; ++ goto errout; ++ } ++ entries += ret; + } + } + } ++errout: + freedqbuf(buf); + return entries; + } +@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h, + int (*process_dquot) (struct dquot *, void *), + void *data) + { ++ int ret; + char *bitmap; + struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi; + struct qtree_mem_dqinfo *info = &v2info->dqi_qtree; +@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h, + ext2fs_free_mem(&dquot); + return -1; + } +- v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap, +- process_dquot, data); ++ ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data); ++ if (ret < 0) ++ goto errout; ++ v2info->dqi_used_entries = ret; + v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks); ++ ret = 0; ++errout: + ext2fs_free_mem(&bitmap); + ext2fs_free_mem(&dquot); +- return 0; ++ return ret; + } +diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c +index 38be2a34..73906676 100644 +--- a/lib/support/quotaio_v2.c ++++ b/lib/support/quotaio_v2.c +@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt) + static int v2_init_io(struct quota_handle *h) + { + struct v2_disk_dqinfo ddqinfo; ++ struct v2_mem_dqinfo *info; ++ __u64 filesize; + + h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size = + sizeof(struct v2r1_disk_dqblk); +@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h) + sizeof(ddqinfo)) != sizeof(ddqinfo)) + return -1; + v2_disk2memdqinfo(&h->qh_info, &ddqinfo); ++ ++ /* Check to make sure quota file info is sane */ ++ info = &h->qh_info.u.v2_mdqi; ++ if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize)) ++ return -1; ++ if ((filesize > (1U << 31)) || ++ (info->dqi_qtree.dqi_blocks > ++ (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) { ++ log_err("Quota inode %u corrupted: file size %llu; " ++ "dqi_blocks %u", h->qh_qf.ino, ++ filesize, info->dqi_qtree.dqi_blocks); ++ return -1; ++ } ++ if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) { ++ log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u", ++ h->qh_qf.ino, info->dqi_qtree.dqi_free_blk, ++ info->dqi_qtree.dqi_blocks); ++ return -1; ++ } ++ if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) { ++ log_err("Quota inode %u corrupted: free_entry %u; " ++ "dqi_blocks %u", h->qh_qf.ino, ++ info->dqi_qtree.dqi_free_entry, ++ info->dqi_qtree.dqi_blocks); ++ return -1; ++ } + return 0; + } + +-- +cgit 1.2-0.3.lf.el7 + diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD index 250f259b6..4fefa4e22 100644 --- a/system/python3/APKBUILD +++ b/system/python3/APKBUILD @@ -3,7 +3,7 @@ pkgname=python3 pkgver=3.6.9 _basever="${pkgver%.*}" -pkgrel=0 +pkgrel=1 pkgdesc="A high-level scripting language" url="https://www.python.org" arch="all" @@ -40,6 +40,7 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz musl-find_library.patch fix-xattrs-glibc.patch + CVE-2019-16056.patch " builddir="$srcdir/Python-$pkgver" @@ -57,6 +58,8 @@ builddir="$srcdir/Python-$pkgver" # - CVE-2018-20852 # - CVE-2019-5010 # - CVE-2019-9948 +# 3.6.9-r1: +# - CVE-2019-16056 prepare() { default_prepare @@ -184,4 +187,5 @@ wininst() { sha512sums="05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65eed7a857af945f69efcfb25efa3788e7a54016b03d80b611eb51c3ea074819 Python-3.6.9.tar.xz ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch -37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch" +37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch +1f1eb61355eb7832bef8e9c3915895cc3b2966a30c809371430b4416260452cd39c48ba593b2259574867bd1e8fea98efbc45c4b0bd95aeb0690c8514b380ea0 CVE-2019-16056.patch" diff --git a/system/python3/CVE-2019-16056.patch b/system/python3/CVE-2019-16056.patch new file mode 100644 index 000000000..b2f5ce826 --- /dev/null +++ b/system/python3/CVE-2019-16056.patch @@ -0,0 +1,131 @@ +From 13a19139b5e76175bc95294d54afc9425e4f36c9 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Fri, 9 Aug 2019 08:22:19 -0700 +Subject: [PATCH] bpo-34155: Dont parse domains containing @ (GH-13079) + (GH-14826) + +Before: + + >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses + (Address(display_name='', username='a', domain='malicious.org'),) + + >>> parseaddr('a@malicious.org@important.com') + ('', 'a@malicious.org') + + After: + + >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses + (Address(display_name='', username='', domain=''),) + + >>> parseaddr('a@malicious.org@important.com') + ('', 'a@') + +https://bugs.python.org/issue34155 +(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9) + +Co-authored-by: jpic <jpic@users.noreply.github.com> +--- + Lib/email/_header_value_parser.py | 2 ++ + Lib/email/_parseaddr.py | 11 ++++++++++- + Lib/test/test_email/test__header_value_parser.py | 10 ++++++++++ + Lib/test/test_email/test_email.py | 14 ++++++++++++++ + .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 + + 5 files changed, 37 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst + +diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py +index 737951e4b1b1..bc9c9b6241d4 100644 +--- a/Lib/email/_header_value_parser.py ++++ b/Lib/email/_header_value_parser.py +@@ -1561,6 +1561,8 @@ def get_domain(value): + token, value = get_dot_atom(value) + except errors.HeaderParseError: + token, value = get_atom(value) ++ if value and value[0] == '@': ++ raise errors.HeaderParseError('Invalid Domain') + if leader is not None: + token[:0] = [leader] + domain.append(token) +diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py +index cdfa3729adc7..41ff6f8c000d 100644 +--- a/Lib/email/_parseaddr.py ++++ b/Lib/email/_parseaddr.py +@@ -379,7 +379,12 @@ def getaddrspec(self): + aslist.append('@') + self.pos += 1 + self.gotonext() +- return EMPTYSTRING.join(aslist) + self.getdomain() ++ domain = self.getdomain() ++ if not domain: ++ # Invalid domain, return an empty address instead of returning a ++ # local part to denote failed parsing. ++ return EMPTYSTRING ++ return EMPTYSTRING.join(aslist) + domain + + def getdomain(self): + """Get the complete domain name from an address.""" +@@ -394,6 +399,10 @@ def getdomain(self): + elif self.field[self.pos] == '.': + self.pos += 1 + sdlist.append('.') ++ elif self.field[self.pos] == '@': ++ # bpo-34155: Don't parse domains with two `@` like ++ # `a@malicious.org@important.com`. ++ return EMPTYSTRING + elif self.field[self.pos] in self.atomends: + break + else: +diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py +index a2c900fa7fd2..02ef3e1006c6 100644 +--- a/Lib/test/test_email/test__header_value_parser.py ++++ b/Lib/test/test_email/test__header_value_parser.py +@@ -1418,6 +1418,16 @@ def test_get_addr_spec_dot_atom(self): + self.assertEqual(addr_spec.domain, 'example.com') + self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com') + ++ def test_get_addr_spec_multiple_domains(self): ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@a.star@example.com') ++ ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@a@example.com') ++ ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@172.17.0.1@example.com') ++ + # get_obs_route + + def test_get_obs_route_simple(self): +diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py +index f97ccc6711cc..68d052279987 100644 +--- a/Lib/test/test_email/test_email.py ++++ b/Lib/test/test_email/test_email.py +@@ -3035,6 +3035,20 @@ def test_parseaddr_empty(self): + self.assertEqual(utils.parseaddr('<>'), ('', '')) + self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '') + ++ def test_parseaddr_multiple_domains(self): ++ self.assertEqual( ++ utils.parseaddr('a@b@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ utils.parseaddr('a@b.c@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ utils.parseaddr('a@172.17.0.1@c'), ++ ('', '') ++ ) ++ + def test_noquote_dump(self): + self.assertEqual( + utils.formataddr(('A Silly Person', 'person@dom.ain')), +diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst +new file mode 100644 +index 000000000000..50292e29ed1d +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst +@@ -0,0 +1 @@ ++Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic. |