-rw-r--r-- | system/git/APKBUILD | 6 | ||||
-rw-r--r-- | system/nss/APKBUILD | 13 | ||||
-rw-r--r-- | system/openssl/APKBUILD | 6 | ||||
-rw-r--r-- | user/firefox-esr/APKBUILD | 4 | ||||
-rw-r--r-- | user/firefox-esr/seccomp-membarrier.patch | 12 | ||||
-rw-r--r-- | user/libslirp/APKBUILD | 13 | ||||
-rw-r--r-- | user/libslirp/git-describe.patch | 24 | ||||
-rw-r--r-- | user/re2c/APKBUILD | 13 | ||||
-rw-r--r-- | user/re2c/CVE-2020-11958.patch | 37 | ||||
-rw-r--r-- | user/tcpdump/APKBUILD | 9 | ||||
-rw-r--r-- | user/tcpdump/CVE-2018-19519.patch | 10 |
11 files changed, 118 insertions, 29 deletions
diff --git a/system/git/APKBUILD b/system/git/APKBUILD
index e8f9a27b0..04762f7ef 100644
--- a/system/git/APKBUILD
+++ b/system/git/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Łukasz Jendrysik <scadu@yandex.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=git
-pkgver=2.25.3
+pkgver=2.25.4
 pkgrel=0
 pkgdesc="Distributed version control system"
 url="https://www.git-scm.com/"
@@ -32,6 +32,8 @@ source="https://www.kernel.org/pub/software/scm/git/git-$pkgver.tar.xz
 _gitcoredir=/usr/libexec/git-core
 # secfixes:
+# 2.25.4-r0:
+# - CVE-2020-11008
 # 2.25.3-r0:
 # - CVE-2020-5260
 # 2.24.1-r0:
@@ -164,7 +166,7 @@ subtree() {
 make install prefix=/usr DESTDIR="$subpkgdir"
 }
-sha512sums="1ea2f0727baa29200f33469463c3b6db04a2e228e83ff552faa47fefe31063d92966d7502b2f13546c36cfc2756d42d71a26e41141c0fb972af9d6760f3aa471 git-2.25.3.tar.xz
+sha512sums="ca2ecc561d06dbb393fe47d445f0d69423d114766d9bcc125ef1d6d37e350ad903c456540cea420c1a51635b750cde3901e4196f29ce95b315fda11270173450 git-2.25.4.tar.xz
 0a0935d876024d96156df3aeec06b47fd9e370484d4552786c450cb500ae671a631e64c30994ec39f43a2f313f75d68909688ea92b47327d1af65e365dc77480 dont-test-other-encodings.patch
 89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd
 fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec git-daemon.confd"
diff --git a/system/nss/APKBUILD b/system/nss/APKBUILD
index 687e938fd..944668272 100644
--- a/system/nss/APKBUILD
+++ b/system/nss/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=nss
 pkgver=3.51
 _ver=$(printf '%s' "$pkgver" | tr . _)
-pkgrel=0
+pkgrel=1
 pkgdesc="Mozilla Network Security Services"
 url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
 arch="all"
@@ -49,6 +49,17 @@ build() {
 case "$CARCH" in
 *64* | s390x) export USE_64=1;;
 esac
+
+ # This actually enables -mvsx and -mcrypto too, and those can't
+ # be turned off separately in this case:
+ #
+ # altivec-types.h:20:1: error: use of _long long_ in AltiVec
+ # types is invalid without _-mvsx_
+ #
+ # typedef __vector signed long long vec_s64;
+ # ^~~~~~~
+ export NSS_DISABLE_ALTIVEC=1
+
 make -j 1 -C nss/coreconf
 make -j 1 -C nss/lib/dbm
 make -j 1 -C nss
diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
index de6ae0084..dde5f8603 100644
--- a/system/openssl/APKBUILD
+++ b/system/openssl/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=openssl
-pkgver=1.1.1f
+pkgver=1.1.1g
 pkgrel=0
 pkgdesc="Toolkit for SSL and TLS"
 url="https://www.openssl.org/"
@@ -58,6 +58,8 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
 # - CVE-2019-1563
 # 1.1.1d-r0:
 # - CVE-2019-1551
+# 1.1.1g-r0:
+# - CVE-2020-1967
 build() {
 # openssl will prepend crosscompile always core CC et al
@@ -127,6 +129,6 @@ libssl() {
 done
 }
-sha512sums="b00bd9b5ad5298fbceeec6bb19c1ab0c106ca5cfb31178497c58bf7e0e0cf30fcc19c20f84e23af31cc126bf2447d3e4f8461db97bafa7bd78f69561932f000c openssl-1.1.1f.tar.gz
+sha512sums="01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab openssl-1.1.1g.tar.gz
 c164dd528d7408b8b2a52a0b181f2066ff00feb635df863bdeb4ce879db9ecdf7dd9033bb14b63ee5239aa814d5d777a86bb99cc37ecedae2d77a6bd86144b88 ppc-auxv.patch
 e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch"
diff --git a/user/firefox-esr/APKBUILD b/user/firefox-esr/APKBUILD
index a04dacd5f..8dfad228a 100644
--- a/user/firefox-esr/APKBUILD
+++ b/user/firefox-esr/APKBUILD
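Review bot: `export NSS_DISABLE_ALTIVEC=1` is added unconditionally after the `case "$CARCH"` block in `build()`, so it is set on every architecture although the quoted `altivec-types.h` error is an AltiVec (PowerPC) one; if this tree's CARCH names allow it, setting it in an arm of that existing `case` would make the scope explicit. The comment opens with "This actually enables…" without naming what "This" is; `# NSS's AltiVec support also enables -mvsx and -mcrypto, which can't be turned off separately:` would read unambiguously. Because nss is the crypto library, the comment should also record that the flag presumably drops the vector-accelerated code paths on those targets, so the trade-off is visibly deliberate. `build()` continues past the end of this hunk.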
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=firefox-esr
 pkgver=68.7.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Firefox web browser (extended support release)"
 url="https://www.mozilla.org/firefox/"
 arch="all"
@@ -42,6 +42,7 @@ source="https://ftp.mozilla.org/pub/firefox/releases/$_ffxver/source/firefox-$_f
 ppc32-fix.patch
 rust-32bit.patch
 rust-config.patch
+ seccomp-membarrier.patch
 shut-up-warning.patch
 skia-sucks1.patch
 skia-sucks2.patch
@@ -247,6 +248,7 @@ e61664bc93eadce5016a06a4d0684b34a05074f1815e88ef2613380d7b369c6fd305fb34f83b5eb1
 06a3f4ee6d3726adf3460952fcbaaf24bb15ef8d15b3357fdd1766c7a62b00bd53a1e943b5df7f4e1a69f4fae0d44b64fae1e027d7812499c77894975969ea10 ppc32-fix.patch
 7c615703dc9b8427eeadd13bc9beda02e1c3d986cac1167feaf48fdfdcc15b7456460d4d58f301054cf459242ee75bbcd76bf67e26c2a443bc5655975d24ca1b rust-32bit.patch
 45613d476e85fe333ef8091acce4806803953c1a99de4f03ff577cf20c5a1a3d635d0589e1490da104ef80721f4f1b1d35045af3c6892c1a468fa84095f27ad8 rust-config.patch
+36369f2e237e894b2f9e70ffa0579bb3cddf1efa638a36b3469e9f529c28d7b72611fa426c5534d93094a8deb1376f43f6661447072dc6dfc6191ca5eebd4604 seccomp-membarrier.patch
 39ddb15d1453a8412275c36fc8db3befc69dffd4a362e932d280fb7fd1190db595a2af9b468ee49e0714f5e9df6e48eb5794122a64fa9f30d689de8693acbb15 shut-up-warning.patch
 e751ffab263f03d4c74feebc617e3af115b1b53cf54fe16c3acc585eec67773f37aa8de4c19599fa6478179b01439025112ef2b759aa9923c9900e7081cb65a9 skia-sucks1.patch
 9152bd3e6dc446337e6a2ed602279c620aedecc796ba28e777854c4f41fcf3067f9ebd086a4b63a6b76c2e69ec599ac6435b8eeda4f7488b1c45f69113facba4 skia-sucks2.patch
diff --git a/user/firefox-esr/seccomp-membarrier.patch b/user/firefox-esr/seccomp-membarrier.patch
new file mode 100644
index 000000000..be1744113
--- /dev/null
+++ b/user/firefox-esr/seccomp-membarrier.patch
@@ -0,0 +1,12 @@
+musl ldso issues a membarrier when setting up TLS
+
+--- firefox-68.7.0/security/sandbox/linux/SandboxFilter.cpp 2020-04-03 19:30:03.000000000 +0000
++++ firefox-68.7.0/security/sandbox/linux/SandboxFilter.cpp 2020-04-19 04:59:30.280000000 +0000
+@@ -529,6 +529,7 @@ class SandboxPolicyCommon : public Sandb
+
+ // ipc::Shmem; also, glibc when creating threads:
+ case __NR_mprotect:
++ case __NR_membarrier:
+ return Allow();
+
+ // madvise hints used by malloc; see bug 1303813 and bug 1364533
diff --git a/user/libslirp/APKBUILD b/user/libslirp/APKBUILD
index 07d7eea31..bd88d3957 100644
--- a/user/libslirp/APKBUILD
+++ b/user/libslirp/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Max Rees <maxcrees@me.com>
 pkgname=libslirp
-pkgver=4.2.0
+pkgver=4.3.0
 pkgrel=0
 pkgdesc="A general-purpose TCP/IP emulator"
 url="https://gitlab.freedesktop.org/slirp/libslirp"
@@ -10,10 +10,14 @@ license="BSD-3-Clause AND MIT"
 depends=""
 makedepends="glib-dev meson"
 subpackages="$pkgname-dev"
-source="https://gitlab.freedesktop.org/slirp/libslirp/-/archive/v$pkgver/libslirp-v$pkgver.tar.gz
+source="https://elmarco.fedorapeople.org/libslirp-$pkgver.tar.xz
+ git-describe.patch
 static.patch
 "
-builddir="$srcdir/libslirp-v$pkgver"
+
+# secfixes:
+# 4.3.0-r0:
+# - CVE-2020-1983
 build() {
 meson \
@@ -30,5 +34,6 @@ package() {
 DESTDIR="$pkgdir" ninja -C output install
 }
-sha512sums="514744ac8325857915b9946a76f4a55d48c8361b6167cd69c533086928ae06f059d923c5f057e92a0915921bb363b69d34a939a0bcc28233515125a5d1858d25 libslirp-v4.2.0.tar.gz
+sha512sums="656a57878354b893503af69dfb11ab93dcf4728cc68bd0b6aa352073cbcf1b558924a5932e1996011002f72f5bddfb22ddaffc5a88078a61862c630d908e8beb libslirp-4.3.0.tar.xz
+fb66abe30c7b36c93bf759960275119c6d34e57861efe0cdc147a606a7a13b2d29f0f77dfe99326539800bd4ded9e39c736abd9d4ca9d6f16df2d50fd70fb7f6 git-describe.patch
 bb1bb5443d8083099d2a270b78b7ec74daa26634b2062d2c30460ed118b333942a9a555c96910216bb746311ae021d457f39a304a60fe07a3908a0c315a7c756 static.patch"
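Review bot: The new `case __NR_membarrier:` sits under the existing comment `// ipc::Shmem; also, glibc when creating threads:` and shares `return Allow();` with `__NR_mprotect`, so the policy source itself no longer says why membarrier is permitted. Giving it its own arm with the reason from the patch header, `// musl ldso issues membarrier when setting up TLS` followed by `case __NR_membarrier: return Allow();`, keeps the justification next to the rule. As written, `Allow()` admits every membarrier command for every process type that inherits `SandboxPolicyCommon`; if musl only needs specific commands, filtering on the first argument would be the narrower sandbox change, though which commands those are is not visible on this page. The enclosing switch starts and ends outside the inner hunk.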
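Review bot: The `source=` line in the second libslirp hunk moves the tarball from the project's GitLab archive URL to `https://elmarco.fedorapeople.org/libslirp-$pkgver.tar.xz`, a personal hosting path, and nothing in the APKBUILD records why. The new sha512 pins the bytes for this build, but the next person bumping `pkgver` has no note explaining why the project-hosted archive is not used; a one-line comment above `source=` stating the reason would document the provenance choice. The removed `builddir=` now relies on the default matching the tarball's top-level directory, which the `libslirp-4.3.0/…` paths in `git-describe.patch` suggest it does.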
diff --git a/user/libslirp/git-describe.patch b/user/libslirp/git-describe.patch
new file mode 100644
index 000000000..9cc66bbad
--- /dev/null
+++ b/user/libslirp/git-describe.patch
@@ -0,0 +1,24 @@
+Otherwise you might get "-dirty" in the pc: version
+
+--- libslirp-4.3.0/build-aux/git-version-gen 2020-04-23 06:09:44.166262600 -0500
++++ libslirp-4.3.0/build-aux/git-version-gen 2020-04-24 15:08:09.450004079 -0500
+@@ -133,19 +133,6 @@ fi
+
+ v=`echo "$v" |sed 's/^v//'`
+
+-# Don't declare a version "dirty" merely because a time stamp has changed.
+-git update-index --refresh > /dev/null 2>&1
+-
+-dirty=`sh -c 'git diff-index --name-only HEAD' 2>/dev/null` || dirty=
+-case "$dirty" in
+- '') ;;
+- *) # Append the suffix only if there isn't one already.
+- case $v in
+- *-dirty) ;;
+- *) v="$v-dirty" ;;
+- esac ;;
+-esac
+-
+ # Omit the trailing newline, so that m4_esyscmd can use the result directly.
+ echo "$v" | tr -d "$nl"
+
diff --git a/user/re2c/APKBUILD b/user/re2c/APKBUILD
index d039a5baf..aad7b839e 100644
--- a/user/re2c/APKBUILD
+++ b/user/re2c/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer:
 pkgname=re2c
 pkgver=1.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Fast lexer generator for C and C++"
 url="http://re2c.org/"
 arch="all"
@@ -11,7 +11,13 @@ depends=""
 checkdepends="bash"
 makedepends=""
 subpackages="$pkgname-doc"
-source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz"
+source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz
+ CVE-2020-11958.patch
+ "
+
+# secfixes:
+# 1.3-r1:
+# - CVE-2020-11958
 build() {
 ./configure \
@@ -32,4 +38,5 @@ package() {
 make DESTDIR="$pkgdir" install
 }
-sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e re2c-1.3.tar.xz"
+sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e re2c-1.3.tar.xz
+f4376b8e0724d500f665fa60dfd6fb35685a281af50c500d2ff90d781a829fb78f21e8c93c5745a4519acd55a62ec48a570dbfacf0a9ee977502e06f3e2e474a CVE-2020-11958.patch"
diff --git a/user/re2c/CVE-2020-11958.patch b/user/re2c/CVE-2020-11958.patch
new file mode 100644
index 000000000..b982b87e6
--- /dev/null
+++ b/user/re2c/CVE-2020-11958.patch
@@ -0,0 +1,37 @@
+From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Fri, 17 Apr 2020 22:47:14 +0100
+Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo).
+
+The crash happened in a rare case of a very long lexeme that doen't fit
+into the buffer, forcing buffer reallocation.
+
+The crash was caused by an incorrect calculation of the shift offset
+(it was smaller than necessary). As a consequence, the data from buffer
+start and up to the beginning of the current lexeme was not discarded
+(as it should have been), resulting in less free space for new data than
+expected.
+---
+ src/parse/scanner.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc
+index 1d6e9efa..bd651314 100644
+--- a/src/parse/scanner.cc
++++ b/src/parse/scanner.cc
+@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need)
+ if (!buf) fatal("out of memory");
+
+ memmove(buf, tok, copy);
+- shift_ptrs_and_fpos(buf - bot);
++ shift_ptrs_and_fpos(buf - tok);
+ delete [] bot;
+ bot = buf;
+
+ free = BSIZE - copy;
+ }
+
++ DASSERT(lim + free <= bot + BSIZE);
+ if (!read(free)) {
+ eof = lim;
+ memset(lim, 0, YYMAXFILL);
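Review bot: The added `DASSERT(lim + free <= bot + BSIZE);` is the only bounds check in front of `read(free)`, and going by its name it is presumably a debug-only assertion, so a package built without re2c's debug mode would not enforce it. The corrected `shift_ptrs_and_fpos(buf - tok)` is what repairs the offset; it is still worth confirming whether this APKBUILD's `./configure` options compile the assertion in or out, so nobody relies on it as a runtime guard. No change to the vendored upstream patch is suggested, but a comment beside `CVE-2020-11958.patch` in `source=` naming the upstream commit from the patch header (`c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a`) would make it easy to drop the patch at the next version bump. `Scanner::fill` starts and ends outside the inner hunk.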
diff --git a/user/tcpdump/APKBUILD b/user/tcpdump/APKBUILD
index f39d5c9d5..d2d2ec909 100644
--- a/user/tcpdump/APKBUILD
+++ b/user/tcpdump/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Dan Theisen <djt@hxx.in>
 pkgname=tcpdump
 pkgver=4.9.3
-pkgrel=0
+pkgrel=1
 pkgdesc="A tool for network monitoring and data acquisition"
 url="http://www.tcpdump.org"
 arch="all"
@@ -10,9 +10,7 @@ license="BSD-3-Clause"
 depends=""
 makedepends="libpcap-dev openssl-dev perl"
 subpackages="$pkgname-doc"
-source="http://www.tcpdump.org/release/$pkgname-$pkgver.tar.gz
- CVE-2018-19519.patch
- "
+source="http://www.tcpdump.org/release/$pkgname-$pkgver.tar.gz"
 # secfixes:
 # 4.9.2-r1:
@@ -67,5 +65,4 @@ package() {
 rm -f "$pkgdir"/usr/sbin/tcpdump.4*
 }
-sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22 tcpdump-4.9.3.tar.gz
-eb4232e434064ec59b07840aa394cfcc05c89e817f2d4ebeb4da1dbb1c910fe1805857356d6304ebdb16e32aa6476ce90f164aabc60501b493fd5601b380af7e CVE-2018-19519.patch"
+sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22 tcpdump-4.9.3.tar.gz"
diff --git a/user/tcpdump/CVE-2018-19519.patch b/user/tcpdump/CVE-2018-19519.patch
deleted file mode 100644
index ac3293927..000000000
--- a/user/tcpdump/CVE-2018-19519.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- tcpdump-4.9.2/print-hncp.c.old 2017-09-03 23:17:14.000000000 +0000
-+++ tcpdump-4.9.2/print-hncp.c 2018-12-07 19:31:24.360000000 +0000
-@@ -228,6 +228,7 @@
- snprintf(buf, sizeof(buf), "%s/%d", ipaddr_string(ndo, &addr), plen);
- plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
- } else {
-+ buf[0] = '\0';
- plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
- }
- |
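Review bot: Dropping `CVE-2018-19519.patch` from `source=` and `sha512sums` leaves nothing in the visible APKBUILD lines saying how that CVE is handled for 4.9.3; the `# secfixes:` block shown in the second hunk begins at `4.9.2-r1`. The deleted patch targets `tcpdump-4.9.2/print-hncp.c`, which suggests it was carried over from the previous version and that 4.9.3 may already contain the fix, but the page does not show that. If so, the secfixes list should carry an entry for the 4.9.3 release naming `CVE-2018-19519`, so scanners and later maintainers do not read the removal as a regression. Before shipping -r1 it is worth confirming that `buf[0] = '\0';` or an equivalent initialisation precedes the `decode_prefix6` call in the 4.9.3 source.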