diff options
-rw-r--r-- | user/samurai/APKBUILD | 15 | ||||
-rw-r--r-- | user/samurai/CVE-2021-30218.patch | 29 | ||||
-rw-r--r-- | user/samurai/CVE-2021-30219.patch | 26 |
3 files changed, 67 insertions, 3 deletions
diff --git a/user/samurai/APKBUILD b/user/samurai/APKBUILD index caf9f9fc4..11d65fecb 100644 --- a/user/samurai/APKBUILD +++ b/user/samurai/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Sheila Aman <sheila@vulpine.house> # Maintainer: Sheila Aman <sheila@vulpine.house> pkgname=samurai -pkgver=1.1 +pkgver=1.2 pkgrel=0 pkgdesc="Pure-C drop-in replacement for ninja" url="https://github.com/michaelforney/samurai" @@ -13,7 +13,14 @@ makedepends="" provides="ninja" replaces="ninja" subpackages="$pkgname-doc" -source="https://github.com/michaelforney/samurai/releases/download/$pkgver/samurai-$pkgver.tar.gz" +source="https://github.com/michaelforney/samurai/releases/download/$pkgver/samurai-$pkgver.tar.gz + CVE-2021-30218.patch + CVE-2021-30219.patch" + +# secfixes: +# 1.2-r0: +# - CVE-2021-30218 +# - CVE-2021-30219 build() { make @@ -25,4 +32,6 @@ package() { ln -s samu ninja } -sha512sums="b27302c34d736f483909e57c8b162609eaa4c86571c1167b71a5564b521cc3af2861307a16bb6dca55e80952088989e9526b103160d2ea054d15f4ed85b1cedb samurai-1.1.tar.gz" +sha512sums="bbe6a582c34b04f1df53b76c1647aa3e03c4698ebf7591a203935f11ffa05971bbcb86dc1a8c06aeb904cdc741abb08918122810fc47216fed0a6d9f87fd1225 samurai-1.2.tar.gz +6e1c3a0bd92e006f364a81e9e51394f1bc583efa96120306fe33dc0a48cb4babaa8e8c97d754d3c37cda4b4936e77f64e4c138ccb8cfedfdce43adb09c393edb CVE-2021-30218.patch +0504b137fc9ac113453075a22bdfac4ab7616f668e640b7125041400729aaecad1173c528934223246035f68a95d92c6a85e62d1ea5fea996d85647cb33483eb CVE-2021-30219.patch" diff --git a/user/samurai/CVE-2021-30218.patch b/user/samurai/CVE-2021-30218.patch new file mode 100644 index 000000000..1d6663865 --- /dev/null +++ b/user/samurai/CVE-2021-30218.patch @@ -0,0 +1,29 @@ +From e84b6d99c85043fa1ba54851ee500540ec206918 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Fri, 2 Apr 2021 17:27:48 -0700 +Subject: [PATCH] util: Check for NULL string in writefile + +This check was there previously, but was removed in f549b757 with +the addition of a check during parse that every rule has rspfile +if and only if it has rspfile_content. However, this fails to +consider the possibility of those variables coming from the edge +or global environment. So, re-add the check. + +Fixes #67. +--- + util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util.c b/util.c +index ea5c3ce..2a59881 100644 +--- a/util.c ++++ b/util.c +@@ -258,7 +258,7 @@ writefile(const char *name, struct string *s) + return -1; + } + ret = 0; +- if (fwrite(s->s, 1, s->n, f) != s->n || fflush(f) != 0) { ++ if (s && (fwrite(s->s, 1, s->n, f) != s->n || fflush(f) != 0)) { + warn("write %s:", name); + ret = -1; + } diff --git a/user/samurai/CVE-2021-30219.patch b/user/samurai/CVE-2021-30219.patch new file mode 100644 index 000000000..fbc97b03d --- /dev/null +++ b/user/samurai/CVE-2021-30219.patch @@ -0,0 +1,26 @@ +From d2af3bc375e2a77139c3a28d6128c60cd8d08655 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Sun, 4 Apr 2021 03:50:09 -0700 +Subject: [PATCH] parse: Check for non-empty command/rspfile/rspfile_content + +This matches ninja behavior and prevents the possibility of a rule +with an empty (NULL) command string. + +Fixes #68. +--- + parse.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parse.c b/parse.c +index f79a5ee..b4b98a1 100644 +--- a/parse.c ++++ b/parse.c +@@ -42,6 +42,8 @@ parserule(struct scanner *s, struct environment *env) + var = scanname(s); + parselet(s, &val); + ruleaddvar(r, var, val); ++ if (!val) ++ continue; + if (strcmp(var, "command") == 0) + hascommand = true; + else if (strcmp(var, "rspfile") == 0) |