-rw-r--r--system/bubblewrap/APKBUILD33
-rw-r--r--system/bubblewrap/musl-fixes.patch17
-rw-r--r--system/gettext-tiny/APKBUILD6
-rw-r--r--system/gettext-tiny/msgfmt-exit.patch36
-rw-r--r--system/ruby/APKBUILD8
-rw-r--r--system/ruby/CVE-2020-8130.patch18
-rw-r--r--user/checkbashisms/APKBUILD6
-rw-r--r--user/fuse3/APKBUILD14
-rw-r--r--user/libslirp/APKBUILD34
-rw-r--r--user/libslirp/static.patch14
-rw-r--r--user/libzip/APKBUILD6
-rw-r--r--user/pixman/APKBUILD6
-rw-r--r--user/qemu/APKBUILD111
-rw-r--r--user/qemu/CVE-2020-1711.patch61
-rw-r--r--user/qemu/MAP_SYNC-fix.patch22
-rw-r--r--user/qemu/fix-sockios-header.patch13
-rw-r--r--user/spice-gtk/APKBUILD40
-rw-r--r--user/spice-protocol/APKBUILD4
-rw-r--r--user/spice/APKBUILD4
-rw-r--r--user/sshfs/APKBUILD16
-rw-r--r--user/youtube-dl/APKBUILD4
21 files changed, 347 insertions, 126 deletions
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index c4ae4fa31..d51d14ae7 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Timo Teräs <timo.teras@iki.fi>
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=bubblewrap
-pkgver=0.3.3
+pkgver=0.4.0
pkgrel=0
pkgdesc="Unprivileged sandboxing tool"
url="https://github.com/projectatomic/bubblewrap"
@@ -9,21 +9,21 @@ arch="all"
options="!check suid" # requires suid to already be set in order to check
license="LGPL-2.0+"
makedepends="autoconf automake libcap-dev docbook-xsl"
-checkdepends="sudo"
+checkdepends="python3 sudo"
subpackages="$pkgname-nosuid $pkgname-doc
$pkgname-bash-completion:bashcomp:noarch"
-source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
+source="bubblewrap-$pkgver.tar.gz::https://github.com/containers/bubblewrap/archive/v$pkgver.tar.gz
realpath-workaround.patch
- musl-fixes.patch
- tests.patch"
+ tests.patch
+ "
# secfixes:
# 0.3.3-r0:
-# - CVE-2019-12439
+# - CVE-2019-12439
prepare() {
- srcdir= NOCONFIGURE=1 ./autogen.sh
default_prepare
+ NOCONFIGURE=1 ./autogen.sh
}
build() {
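Review bot: `source=` now downloads from github.com/containers/bubblewrap, but `url=` near the top of the file (context in the first hunk) still points at projectatomic, so the package metadata and the fetch location disagree. I would change it in the same commit to `url="https://github.com/containers/bubblewrap"`. Separately, `checkdepends` gains python3 while `options` keeps `!check`, so that dependency only matters for manual test runs; a short comment saying so would help.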
@@ -39,14 +39,16 @@ build() {
}
check() {
- # Uses sudo to chown root and setuid $builddir/test-bwrap
+ # 1. chown root and chmod u+s $builddir/test-bwrap
+ # 2. Run abuild check (suid test)
+ # 3. Unset permissions on test-bwrap
+ # 4. Run abuild check again (nosuid test)
#
- # As of 0.3.3-r0, all tests pass on ppc64 except those relating
- # to bind mounts over symlinks. Those tests fail because musl's
- # realpath depends on the availability of /proc, which is not
- # available in the middle of the setup procedure since pivot_root
- # has been performed at least once. They have been patched to be
- # skipped.
+ # As of 0.4.0, all tests pass except those relating to bind mounts
+ # over symlinks. Those tests fail because musl's realpath depends on
+ # the availability of /proc, which is not available in the middle of
+ # the setup procedure since pivot_root has been performed at least
+ # once. They have been patched to be skipped.
make check
}
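Review bot: The numbered steps in the new check() comment are manual, since the function body is still only `make check` and `options` carries `!check`; the comment should say that outright. Step 1 leaves a setuid-root `test-bwrap` in `$builddir`, so I would also word step 3 explicitly, e.g. `# 3. chmod u-s and chown back $builddir/test-bwrap (do this even if step 2 fails)`. Otherwise a failed suid run can leave the binary behind in the build tree.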
@@ -72,7 +74,6 @@ bashcomp() {
mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
}
-sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae bubblewrap-0.3.3.tar.gz
+sha512sums="1957126e13900bbb1c9c885802f513006313836826938555899a8ad0e6c3ba47478eae0cc90f4aceff228663379b45203dce4fa57d6bfc489984670571232b97 bubblewrap-0.4.0.tar.gz
400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch
d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch"
diff --git a/system/bubblewrap/musl-fixes.patch b/system/bubblewrap/musl-fixes.patch
deleted file mode 100644
index ecf626331..000000000
--- a/system/bubblewrap/musl-fixes.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/config.h.in
-+++ b/config.h.in
-@@ -102,3 +102,14 @@
-
- /* Define to 1 if you need to in order for `stat' and other things to work. */
- #undef _POSIX_SOURCE
-+
-+/* taken from glibc unistd.h and fixes musl */
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+ (__extension__ \
-+ ({ long int __result; \
-+ do __result = (long int) (expression); \
-+ while (__result == -1L && errno == EINTR); \
-+ __result; }))
-+#endif
-+
diff --git a/system/gettext-tiny/APKBUILD b/system/gettext-tiny/APKBUILD
index ce62d5c99..a1d199ecd 100644
--- a/system/gettext-tiny/APKBUILD
+++ b/system/gettext-tiny/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=gettext-tiny
pkgver=0.3.1_git20191130
-pkgrel=2
+pkgrel=3
pkgdesc="An internationalisation and localisation system"
url="https://github.com/sabotage-linux/gettext-tiny"
arch="all"
@@ -16,6 +16,7 @@ source="https://distfiles.adelielinux.org/source/$pkgname-$pkgver.tar.xz
line-length.patch
respect-cflags.patch
stop-doing-macro-crap.patch
+ msgfmt-exit.patch
"
build() {
@@ -30,4 +31,5 @@ sha512sums="a318135626a0403a30a81fa475f7e1878b8af5a87053b0e00876c73b591508f3cf1e
8efbf9c11429ab26f3c15e00c34258200598833b8f846a23e4c8d95023c2184d9dcf9cbb48d58eec1604442691af76e6f8e904ad7348016c393257aa30eae7cd keyword.patch
0a26a8481bffe2ce8c73f7f500963aea9db8379fb87849142d8efabf1656604b22f6ad345483256f14c388466f2f44e5924b9f65d88f26867a753a96d1529270 line-length.patch
b4e7db4e415f6bc31f2214f2044506ad18ea0bd3cae4200d93bbd34aa493c7478a7f953d0a7e08f29f0fd5a5d7b7cbfa2bcfd5692c37e423706a1c193239bf1d respect-cflags.patch
-cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526 stop-doing-macro-crap.patch"
+cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526 stop-doing-macro-crap.patch
+0037a1347f9ac2aa6f68160441b83c35ce8128ca140be93f3c508e6cd02161e49edff82034877ed11c127886337455ff4ea941b6a14168c2ca69aa82a7cff8a5 msgfmt-exit.patch"
diff --git a/system/gettext-tiny/msgfmt-exit.patch b/system/gettext-tiny/msgfmt-exit.patch
new file mode 100644
index 000000000..f5ff3fbb8
--- /dev/null
+++ b/system/gettext-tiny/msgfmt-exit.patch
@@ -0,0 +1,36 @@
+From 0e62c2588742cfffd3dc81c09ecc8488c0ce25b9 Mon Sep 17 00:00:00 2001
+From: Max Rees <maxcrees@me.com>
+Date: Sun, 22 Mar 2020 20:20:15 -0500
+Subject: [PATCH] msgfmt: exit(1) if incorrectly used
+
+This prevents builds from continuing seemingly fine when they are
+actually not using this version of msgfmt correctly.
+---
+ src/msgfmt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/msgfmt.c b/src/msgfmt.c
+index aa16c5e..3de9a56 100644
+--- a/src/msgfmt.c
++++ b/src/msgfmt.c
+@@ -278,7 +278,7 @@ void set_file(int out, char* fn, FILE** dest) {
+ int main(int argc, char**argv) {
+ if (argc == 1) {
+ syntax();
+- return 0;
++ return 1;
+ }
+
+ int arg = 1;
+@@ -376,7 +376,7 @@ int main(int argc, char**argv) {
+ streq(A+1, "D")
+ ) {
+ syntax();
+- return 0;
++ return 1;
+ } else if (streq(A+1, "l")) {
+ arg++;
+ locale = A;
+--
+2.25.1
+
diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 537c1010a..0cb185852 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -38,11 +38,13 @@
# - CVE-2019-16201
# - CVE-2019-16254
# - CVE-2019-16255
+# 2.5.7-r1:
+# - CVE-2020-8130
#
pkgname=ruby
pkgver=2.5.7
_abiver="${pkgver%.*}.0"
-pkgrel=0
+pkgrel=1
pkgdesc="An object-oriented language for quick and easy programming"
url="https://www.ruby-lang.org/"
arch="all"
@@ -76,6 +78,7 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
test_insns-lower-recursion-depth.patch
fix-get_main_stack.patch
libedit-compat.patch
+ CVE-2020-8130.patch
"
replaces="ruby-etc ruby-gems"
@@ -318,4 +321,5 @@ sha512sums="63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef
20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb rubygems-avoid-platform-specific-gems.patch
814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe fix-get_main_stack.patch
-6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch"
+6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch
+50b3a2aca1c0d7a7b557e030fbf57049512730cd6516cb6b26624855c25a20e84eef7f84ec9eafb94200de067ec67790e5fe0902e69681ac4de9195240b318dc CVE-2020-8130.patch"
diff --git a/system/ruby/CVE-2020-8130.patch b/system/ruby/CVE-2020-8130.patch
new file mode 100644
index 000000000..3cb6e4adf
--- /dev/null
+++ b/system/ruby/CVE-2020-8130.patch
@@ -0,0 +1,18 @@
+Note: adjusted paths since it's being vendored inside ruby.
+
+From 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Mon, 22 Jul 2019 10:23:43 +0900
+Subject: [PATCH] Use File.open explicitly.
+
+--- ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
++++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@ def egrep(pattern, *options)
+ matched = 0
+ each do |fn|
+ begin
+- open(fn, "r", *options) do |inf|
++ File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+ count += 1
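Review bot: The patch header does not say why `open` is replaced, so whoever rebases it onto a newer bundled rake cannot tell what must be preserved. Kernel#open treats a name that begins with `|` as a command to run, whereas File.open only ever opens a path, and the names iterated here come from a FileList. I would add a line above the From header such as `Kernel#open runs a command when the name starts with "|"; File.open does not (CVE-2020-8130).` The body of egrep starts and ends outside the hunk.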
diff --git a/user/checkbashisms/APKBUILD b/user/checkbashisms/APKBUILD
index 26345d0ac..b616e4fab 100644
--- a/user/checkbashisms/APKBUILD
+++ b/user/checkbashisms/APKBUILD
@@ -1,10 +1,10 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=checkbashisms
-pkgver=2.19.7
+pkgver=2.20.2
pkgrel=0
pkgdesc="Check shell scripts for POSIX compliance"
-url="https://tracker.debian.org/pkg/devscripts"
+url="https://salsa.debian.org/debian/devscripts"
arch="noarch"
license="GPL-2.0+"
depends="perl"
@@ -37,4 +37,4 @@ bashcomp() {
"$subpkgdir/usr/share/bash-completion/completions/$pkgname"
}
-sha512sums="6e31862bc8f0d43678341f40ec527d76cdccc2e6e50c231eb7c6a1eb442f48b6c62e94126644224e9fdbef583be3166e2c7cc65ea15de4a7c20605089b708eb7 devscripts_2.19.7.tar.xz"
+sha512sums="d9147604a718582a19c036a040c62612427163146048dbf9e3665545072e8132d08f51dccfd3f0a01453c0405a0326dad8f83afd10270eec5c69fa0612cb8510 devscripts_2.20.2.tar.xz"
diff --git a/user/fuse3/APKBUILD b/user/fuse3/APKBUILD
index 821be29db..14cafec71 100644
--- a/user/fuse3/APKBUILD
+++ b/user/fuse3/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=fuse3
_pkgname=fuse
-pkgver=3.9.0
+pkgver=3.9.1
pkgrel=0
pkgdesc="The reference implementation of the Linux FUSE (Filesystem in Userspace) interface"
url="https://github.com/libfuse/libfuse"
@@ -26,18 +26,26 @@ builddir="$srcdir/$_pkgname-$pkgver"
# - CVE-2018-10906
build() {
+ # The examples are required for the tests to work, and aren't
+ # otherwise installed
+
meson \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--localstatedir=/var \
--buildtype=release \
- -Dexamples=false \
+ -Dexamples=true \
. output
ninja -C output
}
check() {
+ # Recommended procedure:
+ # 1. modprobe fuse
+ # 2. chown root and chmod u+s $builddir/output/util/fusermount3
+ # 3. abuild check
+
cd "$builddir"/output
python3 -m pytest test/
}
@@ -72,6 +80,6 @@ openrc() {
install_if="openrc fuse-common=$pkgver-r$pkgrel"
}
-sha512sums="0c96df5db4d0ceb7885ddb6f6c05b523ee7e179f8f411ad0614caecb9fa0f5fd682ab9bf4dfdaa3aff9d90c18b8947a122ee376328535e49fa6091d784aa0cb7 fuse-3.9.0.tar.xz
+sha512sums="295bb62274264789c977a1fee78c6c122a2f227ae85d750b8519cafbdcf6551499b77cf021d83cc8261831e29761c166d84a4e50bdebb4191c76bcad1d15d329 fuse-3.9.1.tar.xz
1a9e1d1e8a7b0778ffde328e4322c73b5d57ec98d52767c846d755cce861ab27989823a75b6c5f994432ddb77fa351dfa4a8f948c9467c5f7d5f471e4608358b fix-realpath.patch
7f6a503ef23cfa8b809c544375c2d83ad56525269b48ad1a7dff0ce36f4bf2f2a3fafed9dc70a71ff6281b261db5f01829e16c06f041921a5d8c8d715a04a8c1 fuse.initd"
diff --git a/user/libslirp/APKBUILD b/user/libslirp/APKBUILD
new file mode 100644
index 000000000..07d7eea31
--- /dev/null
+++ b/user/libslirp/APKBUILD
@@ -0,0 +1,34 @@
+# Maintainer: Max Rees <maxcrees@me.com>
+pkgname=libslirp
+pkgver=4.2.0
+pkgrel=0
+pkgdesc="A general-purpose TCP/IP emulator"
+url="https://gitlab.freedesktop.org/slirp/libslirp"
+arch="all"
+options="!check" # No test suite.
+license="BSD-3-Clause AND MIT"
+depends=""
+makedepends="glib-dev meson"
+subpackages="$pkgname-dev"
+source="https://gitlab.freedesktop.org/slirp/libslirp/-/archive/v$pkgver/libslirp-v$pkgver.tar.gz
+ static.patch
+ "
+builddir="$srcdir/libslirp-v$pkgver"
+
+build() {
+ meson \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --localstatedir=/var \
+ --buildtype=release \
+ . output
+ ninja -C output
+}
+
+package() {
+ DESTDIR="$pkgdir" ninja -C output install
+}
+
+sha512sums="514744ac8325857915b9946a76f4a55d48c8361b6167cd69c533086928ae06f059d923c5f057e92a0915921bb363b69d34a939a0bcc28233515125a5d1858d25 libslirp-v4.2.0.tar.gz
+bb1bb5443d8083099d2a270b78b7ec74daa26634b2062d2c30460ed118b333942a9a555c96910216bb746311ae021d457f39a304a60fe07a3908a0c315a7c756 static.patch"
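Review bot: This new package has no `# secfixes:` block, although `--enable-slirp=system` in user/qemu/APKBUILD makes it the slirp code that qemu now links. Some entries added to qemu's `4.2.0-r0` secfixes list in that file (CVE-2020-7039 and CVE-2020-8608, and probably CVE-2019-14378 and CVE-2019-15890) are, as far as I know, slirp bugs. If so, whether they are fixed depends on this package's version rather than qemu's; please confirm and record them here as well. qemu's `libslirp-dev` makedepends is also unversioned, so something like `libslirp-dev>=4.2.0` would keep an older library from satisfying the build.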
diff --git a/user/libslirp/static.patch b/user/libslirp/static.patch
new file mode 100644
index 000000000..46451a168
--- /dev/null
+++ b/user/libslirp/static.patch
@@ -0,0 +1,14 @@
+library = shared
+both_libraries = shared and static (needed by qemu)
+
+--- libslirp-v4.2.0/meson.build 2020-03-17 10:07:35.000000000 +0000
++++ libslirp-v4.2.0/meson.build 2020-03-24 20:41:57.030331048 +0000
+@@ -100,7 +100,7 @@ configure_file(
+ configuration : conf
+ )
+
+-lib = library('slirp', sources,
++lib = both_libraries('slirp', sources,
+ version : lt_version,
+ c_args : cargs,
+ link_args : vflag,
diff --git a/user/libzip/APKBUILD b/user/libzip/APKBUILD
index 379075ae7..62a55bfba 100644
--- a/user/libzip/APKBUILD
+++ b/user/libzip/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=libzip
-pkgver=1.5.2
+pkgver=1.6.1
pkgrel=0
pkgdesc="C library for manipulating ZIP archives"
url="https://libzip.org/"
@@ -11,7 +11,7 @@ arch="all"
license="BSD-3-Clause"
depends=""
depends_dev="zlib-dev"
-makedepends="$depends_dev cmake openssl-dev perl"
+makedepends="$depends_dev cmake groff openssl-dev perl"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools"
source="https://libzip.org/download/$pkgname-$pkgver.tar.xz"
@@ -44,4 +44,4 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr
}
-sha512sums="1e6d48ddbac4d270f70b314f6ada3c93a3196a8cc3b8d17c6cf5ea8409ff29f36ac351206675f9d81351fcf633b0c15d7b0b5530c30c4140e4fe55e64c602643 libzip-1.5.2.tar.xz"
+sha512sums="dcf3790933c95f66bdcbdb276497b36e57776103b0b1064a94479e84eaa0a09df8dd91509cb4ccab3a6724f0650f076ca1e332d73acc94b653e99a3e94a64574 libzip-1.6.1.tar.xz"
diff --git a/user/pixman/APKBUILD b/user/pixman/APKBUILD
index d36f5a1ee..50ff4f981 100644
--- a/user/pixman/APKBUILD
+++ b/user/pixman/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=pixman
pkgver=0.38.4
-pkgrel=0
+pkgrel=1
pkgdesc="Low-level pixel manipulation library"
url="https://www.X.Org/"
arch="all"
@@ -14,11 +14,13 @@ source="https://www.X.Org/releases/individual/lib/$pkgname-$pkgver.tar.bz2
"
build() {
+ # Static is needed by qemu
+
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
- --disable-static \
+ --enable-static \
--disable-openmp \
--disable-arm-iwmmxt
make
diff --git a/user/qemu/APKBUILD b/user/qemu/APKBUILD
index e64bb2510..579eed14f 100644
--- a/user/qemu/APKBUILD
+++ b/user/qemu/APKBUILD
@@ -2,10 +2,11 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Contributor: Max Rees <maxcrees@me.com>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=qemu
-pkgver=3.0.0
-pkgrel=5
+pkgver=4.2.0
+pkgrel=0
pkgdesc="Machine emulator and virtualisation software"
url="https://www.qemu.org/"
arch="all"
@@ -27,13 +28,14 @@ makedepends="
libjpeg-turbo-dev
libnfs-dev
libpng-dev
- libssh2-dev
+ libslirp-dev
libusb-dev
libx11-dev
libxml2-dev
linux-headers
lzo-dev
ncurses-dev
+ py3-sphinx
python3
snappy-dev
spice-dev
@@ -109,7 +111,6 @@ _system_subsystems="
system-or1k
system-ppc
system-ppc64
- system-ppcemb
system-riscv32
system-riscv64
system-s390x
@@ -151,13 +152,14 @@ source="https://download.qemu.org/$pkgname-$pkgver.tar.xz
ncurses.patch
ignore-signals-33-and-64-to-allow-golang-emulation.patch
0001-linux-user-fix-build-with-musl-on-ppc64le.patch
- fix-sockios-header.patch
test-crypto-ivgen-skip-essiv.patch
ppc32-musl-support.patch
signal-fixes.patch
sysinfo-header.patch
fix-lm32-underlinking.patch
time64.patch
+ MAP_SYNC-fix.patch
+ CVE-2020-1711.patch
$pkgname-guest-agent.confd
$pkgname-guest-agent.initd
@@ -168,31 +170,66 @@ builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 2.8.1-r1:
-# - CVE-2016-7994
-# - CVE-2016-7995
-# - CVE-2016-8576
-# - CVE-2016-8577
-# - CVE-2016-8578
-# - CVE-2016-8668
-# - CVE-2016-8909
-# - CVE-2016-8910
-# - CVE-2016-9101
-# - CVE-2016-9102
-# - CVE-2016-9103
-# - CVE-2016-9104
-# - CVE-2016-9105
-# - CVE-2016-9106
-# - CVE-2017-2615
-# - CVE-2017-2620
-# - CVE-2017-5525
-# - CVE-2017-5552
-# - CVE-2017-5578
-# - CVE-2017-5579
-# - CVE-2017-5667
-# - CVE-2017-5856
-# - CVE-2017-5857
-# - CVE-2017-5898
-# - CVE-2017-5931
+# - CVE-2016-7994
+# - CVE-2016-7995
+# - CVE-2016-8576
+# - CVE-2016-8577
+# - CVE-2016-8578
+# - CVE-2016-8668
+# - CVE-2016-8909
+# - CVE-2016-8910
+# - CVE-2016-9101
+# - CVE-2016-9102
+# - CVE-2016-9103
+# - CVE-2016-9104
+# - CVE-2016-9105
+# - CVE-2016-9106
+# - CVE-2017-2615
+# - CVE-2017-2620
+# - CVE-2017-5525
+# - CVE-2017-5552
+# - CVE-2017-5578
+# - CVE-2017-5579
+# - CVE-2017-5667
+# - CVE-2017-5856
+# - CVE-2017-5857
+# - CVE-2017-5898
+# - CVE-2017-5931
+# 4.2.0-r0:
+# - CVE-2018-10839
+# - CVE-2018-16847
+# - CVE-2018-16867
+# - CVE-2018-16872
+# - CVE-2018-17958
+# - CVE-2018-17962
+# - CVE-2018-17963
+# - CVE-2018-18849
+# - CVE-2018-18954
+# - CVE-2018-19364
+# - CVE-2018-19489
+# - CVE-2018-20123
+# - CVE-2018-20124
+# - CVE-2018-20125
+# - CVE-2018-20126
+# - CVE-2018-20191
+# - CVE-2018-20216
+# - CVE-2018-20815
+# - CVE-2019-3812
+# - CVE-2019-5008
+# - CVE-2019-6501
+# - CVE-2019-6778
+# - CVE-2019-8934
+# - CVE-2019-9824
+# - CVE-2019-12068
+# - CVE-2019-12155
+# - CVE-2019-13164
+# - CVE-2019-14378
+# - CVE-2019-15034
+# - CVE-2019-15890
+# - CVE-2019-20382
+# - CVE-2020-1711
+# - CVE-2020-7039
+# - CVE-2020-8608
prepare() {
default_prepare # apply patches
@@ -218,6 +255,7 @@ _compile_common() {
--disable-gcrypt \
--cc="${CC:-gcc}" \
--python="/usr/bin/python3" \
+ --enable-slirp=system \
"$@"
make ARFLAGS="rc"
}
@@ -233,7 +271,6 @@ _compile_system() {
--enable-cap-ng \
--enable-linux-aio \
--enable-usb-redir \
- --enable-libssh2 \
--enable-vhost-net \
--enable-snappy \
--enable-tpm \
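Review bot: Removing `--enable-libssh2` together with the `libssh2-dev` makedepends leaves the state of the ssh block driver implicit in `_compile_system`. As far as I know QEMU 4.2 builds that driver against libssh and enables it by auto-detection, so the result would depend on what happens to be installed in the build root. I would state the intent with an explicit `--disable-libssh \`, or add `libssh-dev` and `--enable-libssh \` if the driver is wanted. The function starts and ends outside this hunk.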
@@ -248,16 +285,19 @@ _compile_system() {
build() {
local systems
+
mkdir -p "$builddir"/build \
"$builddir"/build-user \
"$builddir"/build-gtk
+ msg "Building -user..."
cd "$builddir"/build-user
_compile_common \
--enable-linux-user \
--disable-system \
--static
+ msg "Building -system..."
cd "$builddir"/build
_compile_system \
--enable-vnc \
@@ -268,10 +308,10 @@ build() {
--disable-gtk
if [ -n "$_arch" ]; then
+ msg "Building -gtk..."
cd "$builddir"/build-gtk
_compile_system \
--enable-gtk \
- --with-gtkabi=3.0 \
--disable-vnc \
--disable-spice \
--disable-guest-agent \
@@ -287,9 +327,11 @@ check() {
}
package() {
+ msg "Installing -user..."
cd "$builddir"/build-user
make DESTDIR="$pkgdir" install
+ msg "Installing -system..."
cd "$builddir"/build
make DESTDIR="$pkgdir" install
@@ -395,7 +437,7 @@ guest() {
"$subpkgdir"/etc/conf.d/$pkgname-guest-agent
}
-sha512sums="a764302f50b9aca4134bbbc1f361b98e71240cdc7b25600dfe733bf4cf17bd86000bd28357697b08f3b656899dceb9e459350b8d55557817444ed5d7fa380a5a qemu-3.0.0.tar.xz
+sha512sums="2a79973c2b07c53e8c57a808ea8add7b6b2cbca96488ed5d4b669ead8c9318907dec2b6109f180fc8ca8f04c0f73a56e82b3a527b5626b799d7e849f2474ec56 qemu-4.2.0.tar.xz
405008589cad1c8b609eca004d520bf944366e8525f85a19fc6e283c95b84b6c2429822ba064675823ab69f1406a57377266a65021623d1cd581e7db000134fd 0001-elfload-load-PIE-executables-to-right-address.patch
1ac043312864309e19f839a699ab2485bca51bbf3d5fdb39f1a87b87e3cbdd8cbda1a56e6b5c9ffccd65a8ac2f600da9ceb8713f4dbba26f245bc52bcd8a1c56 0001-linux-user-fix-build-with-musl-on-aarch64.patch
224f5b44da749921e8a821359478c5238d8b6e24a9c0b4c5738c34e82f3062ec4639d495b8b5883d304af4a0d567e38aa6623aac1aa3a7164a5757c036528ac0 musl-F_SHLCK-and-F_EXLCK.patch
@@ -404,13 +446,14 @@ sha512sums="a764302f50b9aca4134bbbc1f361b98e71240cdc7b25600dfe733bf4cf17bd86000b
b6ed02aaf95a9bb30a5f107d35371207967edca058f3ca11348b0b629ea7a9c4baa618db68a3df72199eea6d86d14ced74a5a229d17604cc3f0adedcfeae7a73 ncurses.patch
fd178f2913639a0c33199b3880cb17536961f2b3ff171c12b27f4be6bca032d6b88fd16302d09c692bb34883346babef5c44407a6804b20a39a465bb2bc85136 ignore-signals-33-and-64-to-allow-golang-emulation.patch
d8933df9484158c2b4888254e62117d78f8ed7c18527b249419f39c2b2ab1afa148010884b40661f8965f1ef3105580fceffdfddbb2c9221dc1c62066722ba65 0001-linux-user-fix-build-with-musl-on-ppc64le.patch
-39590476a4ebd7c1e79a4f0451b24c75b1817a2a83abaa1f71bb60b225d772152f0af8f3e51ff65645e378c536ffa6ff551dade52884d03a14b7c6a19c5c97d4 fix-sockios-header.patch
8b8db136f78bd26b5da171effa9e11016ec2bc3e2fc8107228b5543b47aa370978ed883794aa4f917f334e284a5b49e82070e1da2d31d49301195b6713a48eff test-crypto-ivgen-skip-essiv.patch
fb0130fa4e8771b23ae337ea3e5e29fd5f7dcfe7f9f7a68968f5b059bb4dd1336b0d04c118840d55885bc784a96a99b28aeacbc6a5549b2e6750c9d3099a897c ppc32-musl-support.patch
c6436b1cc986788baccd5fe0f9d23c7db9026f6b723260611cf894bd94ee830140a17ee5859efe0dad0ca3bfe9caae1269bc5c9ab4c6e696f35c7857c1b5c86b signal-fixes.patch
698f6b134f4ca87f4de62caf7a656841a40a451b8686ca95928f67a296e58a7493d432d9baa5f6360917865aa4929600baf1699993b0600923a066ca9d45d1da sysinfo-header.patch
2828cc612539aa93b5789de7de6d4f85d3cf82311484c0fe91fdd3efeb972057e2baa2a3809ed633d6caa1785642d49196cb282b095d7553c510c47ce7d6a702 fix-lm32-underlinking.patch
87f659800b78b31731ea1828a27a3762662ef124d10e942f6029b332d5e8cf4487f62a3d742ad59709c2eb9e3ae8af36fa849d6cbac89978a282d29786b9b41a time64.patch
+d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6ae706ee2aec9e005eade3c0fd4a202db60d11f436874a17d7 MAP_SYNC-fix.patch
+0ea3745c45507c00c3c036241992d594b5f7e9aa1f0fa9b425dd222390066e1ea2d0aa4923bde0e7f27b7cc2f759a122ae4b600c2fa682a5aad509e7d03ccad9 CVE-2020-1711.patch
d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6 qemu-guest-agent.initd
9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules
diff --git a/user/qemu/CVE-2020-1711.patch b/user/qemu/CVE-2020-1711.patch
new file mode 100644
index 000000000..c57b5c984
--- /dev/null
+++ b/user/qemu/CVE-2020-1711.patch
@@ -0,0 +1,61 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+2.25.1
+
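Review bot: `max_bytes` is computed as `(iscsilun->num_blocks - lba) * iscsilun->block_size` in unsigned arithmetic, so it would wrap to a very large value if `lba` were ever past `num_blocks`, and the `MIN(...)` cap on `*pnum` would then limit nothing. Nothing in the visible context bounds `offset`; iscsi_co_block_status starts and ends outside these hunks, so the guard may sit earlier in the function or in the block layer. As this is a verbatim upstream backport I would not change the code. A sentence in the patch header saying where `offset` is range-checked would make the fix easier to audit.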
diff --git a/user/qemu/MAP_SYNC-fix.patch b/user/qemu/MAP_SYNC-fix.patch
new file mode 100644
index 000000000..e13609d73
--- /dev/null
+++ b/user/qemu/MAP_SYNC-fix.patch
@@ -0,0 +1,22 @@
+diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c
+index f7f177d..7598960 100644
+--- a/util/mmap-alloc.c
++++ b/util/mmap-alloc.c
+@@ -10,14 +10,16 @@
+ * later. See the COPYING file in the top-level directory.
+ */
+
++#include "qemu/osdep.h"
++
+ #ifdef CONFIG_LINUX
+ #include <linux/mman.h>
++#include <asm-generic/mman.h> /* for ppc64le */
+ #else /* !CONFIG_LINUX */
+ #define MAP_SYNC 0x0
+ #define MAP_SHARED_VALIDATE 0x0
+ #endif /* CONFIG_LINUX */
+
+-#include "qemu/osdep.h"
+ #include "qemu/mmap-alloc.h"
+ #include "qemu/host-utils.h"
+
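Review bot: This patch file has no header at all, unlike the other patches added in this commit, so its origin and upstream status are lost to whoever rebases it next. It moves `#include "qemu/osdep.h"` ahead of the system headers and adds `<asm-generic/mman.h>` for every Linux host, although the inline comment says it is only needed for ppc64le. I would add two or three lines above the `diff --git` line stating the build failure it fixes, which architectures were tested, and whether it was sent upstream.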
diff --git a/user/qemu/fix-sockios-header.patch b/user/qemu/fix-sockios-header.patch
deleted file mode 100644
index 1f3cd767c..000000000
--- a/user/qemu/fix-sockios-header.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 43d0562..afa0ac4 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -59,6 +59,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base,
- #include <linux/icmp.h>
- #include <linux/icmpv6.h>
- #include <linux/errqueue.h>
-+#include <linux/sockios.h>
- #include <linux/random.h>
- #include "qemu-common.h"
- #ifdef CONFIG_TIMERFD
- #include <sys/timerfd.h>
diff --git a/user/spice-gtk/APKBUILD b/user/spice-gtk/APKBUILD
index c613828bc..5c11142ba 100644
--- a/user/spice-gtk/APKBUILD
+++ b/user/spice-gtk/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=spice-gtk
-pkgver=0.37
+pkgver=0.38
pkgrel=0
pkgdesc="A GTK+ widget for SPICE clients"
url="https://www.spice-space.org/"
@@ -12,42 +12,38 @@ license="LGPL-2.1+ AND LGPL-2.0+ AND BSD-3-Clause AND MIT AND GPL-3.0+ AND LGPL-
depends="gst-plugins-good"
depends_dev="gobject-introspection-dev gtk+3.0-dev"
makedepends="$depends_dev acl-dev bash cyrus-sasl-dev eudev-dev
- gst-plugins-base-dev gstreamer-dev gstreamer-tools json-glib-dev
- libjpeg-turbo-dev libusb-dev libxrandr-dev lz4-dev openssl-dev
- opus-dev polkit-dev polkit-dev spice-protocol usbredir-dev
+ gst-plugins-base-dev gstreamer-dev gstreamer-tools gtk-doc
+ json-glib-dev libjpeg-turbo-dev libucontext-dev libusb-dev
+ libxrandr-dev lz4-dev meson openssl-dev opus-dev polkit-dev
+ py3-pyparsing py3-six spice-protocol usbredir-dev
usbutils zlib-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang spicy
spice-glib:glib"
-source="https://www.spice-space.org/download/gtk/$pkgname-$pkgver.tar.bz2"
+source="https://www.spice-space.org/download/gtk/$pkgname-$pkgver.tar.xz"
build() {
+ export CFLAGS="$CFLAGS -lucontext"
+
# Note: pulseaudio support is disabled because it's deprecated.
# Audio is still supported through gstreamer.
- ./configure \
- --build=$CBUILD \
- --host=$CHOST \
+ meson \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
- --with-gtk=3.0 \
- --with-audio=gstreamer \
- --disable-celt051 \
- --disable-werror \
- --enable-lz4 \
- --enable-opus \
- --enable-smartcard=no \
- --enable-usbredir=yes \
- --enable-polkit=yes \
- --enable-pulse=no
- make
+ --localstatedir=/var \
+ --buildtype=release \
+ -Dcelt051=disabled \
+ -Dpulse=disabled \
+ . output
+ ninja -C output
}
check() {
- make check
+ ninja -C output test
}
package() {
- make -j1 DESTDIR="$pkgdir" install
+ DESTDIR="$pkgdir" ninja -C output install
}
spicy() {
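Review bot: The move to meson drops the explicit `--enable-usbredir=yes`, `--enable-polkit=yes`, `--enable-lz4`, `--enable-opus` and `--enable-smartcard=no`, so those features now depend on what meson auto-detects in the build environment. usbredir and polkit matter most, since polkit, as far as I know, guards the USB ACL helper. I would pin them next to the existing `-D` lines, e.g. `-Dusbredir=enabled \`, `-Dpolkit=enabled \`, `-Dsmartcard=disabled \`, assuming the option names follow the pattern of `-Dpulse`. Also, `-lucontext` is a linker input and belongs in `LDFLAGS` rather than `CFLAGS`, where its position on the link line is not guaranteed.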
@@ -66,4 +62,4 @@ glib() {
"$subpkgdir"/usr/lib/girepository-1.0/
}
-sha512sums="a0a20bc6f25337d86e57fe1fc9586c4cc84457fc8c38cdcc5a728990a69018da0fca3ab5aa63349786b5a7508c82b716c94803eefb3495cffb7df4526db2d029 spice-gtk-0.37.tar.bz2"
+sha512sums="27b44ac9f0cee2737ce03bb3f47c62fc0ee2402c291c49fc56cffc4ccb63e2cab001a68ba865a6375d82cb38444408d59c68469783ee4279fa818d8682e902f3 spice-gtk-0.38.tar.xz"
diff --git a/user/spice-protocol/APKBUILD b/user/spice-protocol/APKBUILD
index e31c8544a..1fb5b5c3c 100644
--- a/user/spice-protocol/APKBUILD
+++ b/user/spice-protocol/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=spice-protocol
-pkgver=0.14.0
+pkgver=0.14.1
pkgrel=0
pkgdesc="Spice protocol header files"
url="https://www.spice-space.org/"
@@ -28,4 +28,4 @@ package() {
make pkgconfigdir=/usr/lib/pkgconfig DESTDIR="$pkgdir" install
}
-sha512sums="797df5f529731e9fd395b5946af2490ecf02c26982cc4a0aef24c1766887a35222f68525a996f8bc7459c2c4a25fde0c9a10c489ee6cab6eed7a68a9b5d90f76 spice-protocol-0.14.0.tar.bz2"
+sha512sums="88b0e652564a1f826ee6d3c165ab05c40d13f366567db3840805f03d433d13d7f722225219c26759770d2cde33221fe6d97528521d0eb14bc069cd7ce9af8482 spice-protocol-0.14.1.tar.bz2"
diff --git a/user/spice/APKBUILD b/user/spice/APKBUILD
index ef57a810c..a78551cb6 100644
--- a/user/spice/APKBUILD
+++ b/user/spice/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: A. Wilcox <awilfox@adelielinux.org>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=spice
-pkgver=0.14.2
+pkgver=0.14.3
pkgrel=0
pkgdesc="Solution for seamless access to virtual machines"
url="https://www.spice-space.org/"
@@ -39,4 +39,4 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76 spice-0.14.2.tar.bz2"
+sha512sums="9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 spice-0.14.3.tar.bz2"
diff --git a/user/sshfs/APKBUILD b/user/sshfs/APKBUILD
index c6fe305e9..d3f1ce3f0 100644
--- a/user/sshfs/APKBUILD
+++ b/user/sshfs/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=sshfs
-pkgver=3.6.0
+pkgver=3.7.0
pkgrel=0
pkgdesc="FUSE client based on the SSH File Transfer Protocol"
url="https://github.com/libfuse/sshfs"
@@ -9,7 +9,7 @@ arch="all"
options="!check" # Requires fuse kernel module to be loaded and local ssh server
license="GPL-2.0-only AND GPL-2.0+ AND LGPL-2.1-only"
depends="openssh-client"
-#checkdepends="py3-pytest cmd:which"
+#checkdepends="cmd:which openssh-server openssh-sftp-server py3-pytest"
makedepends="fuse3-dev glib-dev meson coreutils py3-docutils"
subpackages="$pkgname-doc"
source="https://github.com/libfuse/$pkgname/releases/download/$pkgname-$pkgver/$pkgname-$pkgver.tar.xz"
@@ -32,6 +32,16 @@ build() {
}
check() {
+ # This test requires a running SSH server on localhost, with the
+ # current user being able to login without a password. Recommended
+ # procedure:
+ #
+ # 1. Setup sshd - make sure sftp subsystem is enabled
+ # 2. Ensure current user has a SSH key configured in ~/.ssh/config and
+ # ~/.ssh/authorized_keys
+ # 3. Test `ssh localhost`
+ # 4. Run `abuild check`
+
cd "$builddir"/output
python3 -m pytest test/
}
@@ -40,4 +50,4 @@ package() {
DESTDIR="$pkgdir" ninja -C output install
}
-sha512sums="fe34d7bbb76bea6aedf96b4ce7500ad6d81230cca9a43b831302159e5926797a243b7d1675d23ba101057ef247f64ad7df18a73d20578e84b9524218d9ff97bd sshfs-3.6.0.tar.xz"
+sha512sums="bd8bcd45dd9a5e9686c6fb442e877ffdb592ba0d3424d5dab84a955bfafb17e8666abefba6857467833f5b285842bdadd5a9b6c9e8128ac2e564c36df79aa570 sshfs-3.7.0.tar.xz"
diff --git a/user/youtube-dl/APKBUILD b/user/youtube-dl/APKBUILD
index ed99fcb7b..424f883b1 100644
--- a/user/youtube-dl/APKBUILD
+++ b/user/youtube-dl/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Timo Teräs <timo.teras@iki.fi>
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=youtube-dl
-pkgver=2020.03.08
+pkgver=2020.03.24
pkgrel=0
pkgdesc="Command-line program to download videos from YouTube and many other sites"
url="https://youtube-dl.org"
@@ -66,5 +66,5 @@ fishcomp() {
"$subpkgdir/usr/share/fish/completions/"
}
-sha512sums="09636e3ec526dbcb043cf61ed4dda5c5c00fac2ecd741bf3cb338ca8de72d1395a95a6189bccced140ca1c37eb3f693332e757ff01eb1a25279b100ccdf39b65 youtube-dl-2020.03.08.tar.gz
+sha512sums="421c0ae412977cdf94d079aa7982360ffdfc4271bb7af27a598adbdb8454c2044e5c44ff3a9f339e9b0989c1264223ca83bba6a9151d01052f8f72c076d9e369 youtube-dl-2020.03.24.tar.gz
5760d06e6bbc1eee2c6be2d1f580f86b3cfa5f4bc44a62fb8145ce1cd41352ecf2f65d65d79a2d7f1ec129a34c28a7ec3d0d328c907e743bfcea54c65c71285d tumblr.patch"