-rw-r--r-- | system/bubblewrap/APKBUILD | 8 | ||||
-rw-r--r-- | user/apache-httpd/APKBUILD | 9 | ||||
-rw-r--r-- | user/cbindgen/APKBUILD | 6 | ||||
-rw-r--r-- | user/libnftnl/APKBUILD | 9 | ||||
-rw-r--r-- | user/libnftnl/nft-flowtable-test.patch | 37 | ||||
-rw-r--r-- | user/nftables/APKBUILD | 6 | ||||
-rw-r--r-- | user/qt5-qtbase/APKBUILD | 11 | ||||
-rw-r--r-- | user/qt5-qtbase/CVE-2020-0569.patch | 29 | ||||
-rw-r--r-- | user/qt5-qtbase/CVE-2020-0570.patch | 55 |
9 files changed, 114 insertions, 56 deletions
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD index d51d14ae7..866bdb468 100644 --- a/system/bubblewrap/APKBUILD +++ b/system/bubblewrap/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Timo Teräs <timo.teras@iki.fi> # Maintainer: Max Rees <maxcrees@me.com> pkgname=bubblewrap -pkgver=0.4.0 +pkgver=0.4.1 pkgrel=0 pkgdesc="Unprivileged sandboxing tool" url="https://github.com/projectatomic/bubblewrap" @@ -20,6 +20,8 @@ source="bubblewrap-$pkgver.tar.gz::https://github.com/containers/bubblewrap/arch # secfixes: # 0.3.3-r0: # - CVE-2019-12439 +# 0.4.1-r0: +# - GHSA-j2qp-rvxj-43vj prepare() { default_prepare @@ -44,7 +46,7 @@ check() { # 3. Unset permissions on test-bwrap # 4. Run abuild check again (nosuid test) # - # As of 0.4.0, all tests pass except those relating to bind mounts + # As of 0.4.1, all tests pass except those relating to bind mounts # over symlinks. Those tests fail because musl's realpath depends on # the availability of /proc, which is not available in the middle of # the setup procedure since pivot_root has been performed at least @@ -74,6 +76,6 @@ bashcomp() { mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/ } -sha512sums="1957126e13900bbb1c9c885802f513006313836826938555899a8ad0e6c3ba47478eae0cc90f4aceff228663379b45203dce4fa57d6bfc489984670571232b97 bubblewrap-0.4.0.tar.gz +sha512sums="83e036e242503e1364b2d0052bba5127175891203c57bd22ba47a1b1e934fdca64ca620cd0e48c903fa2bc7cdcf92339b8a7fcb8716b54c2e28034b6d6f86adc bubblewrap-0.4.1.tar.gz 400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch" diff --git a/user/apache-httpd/APKBUILD b/user/apache-httpd/APKBUILD index 6488ffa9f..48fcaf26d 100644 --- a/user/apache-httpd/APKBUILD +++ b/user/apache-httpd/APKBUILD 
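Review bot: The secfixes entry added under `0.4.1-r0` in system/bubblewrap/APKBUILD records the fix only as `GHSA-j2qp-rvxj-43vj`, while every other secfixes entry visible in this commit uses a CVE identifier. If the tooling that consumes secfixes matches on CVE ids (not visible here), this fix will not be tied to the package version. Where a CVE has been assigned to the advisory, list it next to the GHSA id, e.g. `#   - CVE-<id assigned to this advisory>`. The context lines also show `url=` pointing at projectatomic/bubblewrap while `source=` fetches from containers/bubblewrap, so updating `url` would keep the two consistent.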
@@ -2,8 +2,8 @@ # Maintainer: Kiyoshi Aman <adelie@aerdan.vulpine.house> pkgname=apache-httpd _pkgreal=httpd -pkgver=2.4.41 -pkgrel=1 +pkgver=2.4.43 +pkgrel=0 pkgdesc="Open-source HTTP server" url="https://httpd.apache.org" arch="all" @@ -37,6 +37,9 @@ builddir="$srcdir/$_pkgreal-$pkgver" options="suid !check" # secfixes: http_server +# 2.4.43-r0: +# - CVE-2020-1934 +# - CVE-2020-1927 # 2.4.34-r0: # - CVE-2017-15710 # - CVE-2017-15715 @@ -143,7 +146,7 @@ ldap() { "$subpkgdir"/usr/libexec/apache2 } -sha512sums="02807a576ea29bd93e648c68e3ad853d5e4971177a0881d6a4873e9c4c5afd6d56877454b666429e70732488a258e0333a0f354d9dbbfd89fc3b38f12f0a0dce httpd-2.4.41.tar.gz +sha512sums="d9879b8f8ef7d94dee1024e9c25b56d963a3b072520878a88a044629ad577c109a5456791b39016bf4f6672c04bf4a0e5cfd32381211e9acdc81d4a50b359e5e httpd-2.4.43.tar.gz c8bc2bb06ae51b0956e0ee673e80c444551c9b33dfcbb845106477c46d9e52786a8896022e1f00102264fecdf66e35e47fc6cf0abe9836fa536735cff4e6adf4 adelie.layout 336e81fa0d08f8fbe6243d52bd59b12cf2e925deb49b29d7a22953c5d40a951b6b753f51e5a396752cb0bbaf1cf25b1358902f375fb65639d00e62db7ae55ff2 apache-httpd.confd 5762d53f39ce7ecd730e05ddf6c063ede65cd75b9e7d67217784c80366646491ef9474306e8eb119c8fb5b4358407b07636a4e9cd82325d8df4e3e00dabc3459 apache-httpd.initd diff --git a/user/cbindgen/APKBUILD b/user/cbindgen/APKBUILD index 2a735e5ce..8d0a30b7e 100644 --- a/user/cbindgen/APKBUILD +++ b/user/cbindgen/APKBUILD @@ -1,9 +1,9 @@ # Contributor: Leo <thinkabit.ukim@gmail.com> # Contributor: Gentoo Rust Maintainers <rust@gentoo.org> # Contributor: Samuel Holland <samuel@sholland.org> -# Maintainer: Molly Miller <adelie@m-squa.red> +# Maintainer: Molly Miller <sysvinit@adelielinux.org> pkgname=cbindgen -pkgver=0.12.1 +pkgver=0.13.2 pkgrel=0 pkgdesc="Tool to generate C bindings from Rust code" url="https://github.com/eqrion/cbindgen" 
@@ -102,7 +102,7 @@ package() { } -sha512sums="851f82cfdd4304dc57dab1a145f78a05a6c5f05ad607d27e0ae909920a5d99013ffb7f7e87950541bda98462f73f0c338d9761b94a96c3073f39163c2ddacf08 cbindgen-0.12.1.tar.gz +sha512sums="2e894c6cf2b08321418ef78228fbebb5f504aea1576b8e159b4d8d66442cb65cee4f611f0ce13fa58539c08fe21932358fcfead52acbe5413adc9fdba05faf66 cbindgen-0.13.2.tar.gz a637466a380748f939b3af090b8c0333f35581925bc03f4dda9b3f95d338836403cf5487ae3af9ff68f8245a837f8ab061aabe57a126a6a2c20f2e972c77d1fa ansi_term-0.11.0.tar.gz 4554ca7dedb4c2e8693e5847ef1fe66161ed4cb2c19156bb03f41ce7e7ea21838369dabaf447a60d1468de8bfbb7087438c12934c4569dde63df074f168569ad atty-0.2.13.tar.gz ad89b3798845e23737a620bba581c2ff1ff3e15bac12555c765e201d2c0b90ecea0cdbc5b5b1a3fa9858c385e8e041f8226f5acfae5bbbe9925643fff2bf3f0b bitflags-1.2.1.tar.gz diff --git a/user/libnftnl/APKBUILD b/user/libnftnl/APKBUILD index b634ff0c2..2456f0522 100644 --- a/user/libnftnl/APKBUILD +++ b/user/libnftnl/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> # Contributor: Luis Ressel <aranea@aixah.de> -# Maintainer: +# Maintainer: Molly Miller <sysvinit@adelielinux.org> pkgname=libnftnl -pkgver=1.1.5 +pkgver=1.1.6 pkgrel=0 pkgdesc="Netfilter library providing interface to the nf_tables subsystem" url="https://netfilter.org/projects/libnftnl" @@ -12,7 +12,6 @@ depends="" makedepends="libmnl-dev" subpackages="$pkgname-dev" source="https://netfilter.org/projects/libnftnl/files/$pkgname-$pkgver.tar.bz2 - nft-flowtable-test.patch " build() { 
@@ -34,5 +33,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="a0495e1a99ea9efcf3994db48e50943023ff3d8101055887574ff4eb6b0df8600cf7db68a9c91ca02bbbcc1f01099b008649f88321bb956897bcc90eb4167ee7 libnftnl-1.1.5.tar.bz2 -0978037a5dec71a96f5713dbc5a4dc8dc30b7b37d79ec7dd6ec8b201740303785c3625c21a2388f8fd5d9d446f8706ac14d0bf5909a48ed3ef3e7417173dd2c8 nft-flowtable-test.patch" +sha512sums="3de13cb667060f0942c8dd9e139ee8c7aff1854c544793774a827c01d06e432a4ce05d54846e1062aa620b5e54533da09daa9588467866c82c9119ef4cfbb57d libnftnl-1.1.6.tar.bz2 +" diff --git a/user/libnftnl/nft-flowtable-test.patch b/user/libnftnl/nft-flowtable-test.patch deleted file mode 100644 index 719c1f2cf..000000000 --- a/user/libnftnl/nft-flowtable-test.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From b2388765e0c4405442faa13845419f6a35d0134c Mon Sep 17 00:00:00 2001 -From: Phil Sutter <phil@nwl.cc> -Date: Mon, 2 Dec 2019 18:29:56 +0100 -Subject: tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE - -Marshalling code around that attribute has been dropped by commit -d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") so it's value is -lost during the test. - -Assuming that NFTNL_FLOWTABLE_SIZE will receive kernel support at a -later point, leave the test code in place but just comment it out. - -Fixes: d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") -Signed-off-by: Phil Sutter <phil@nwl.cc> -Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - tests/nft-flowtable-test.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tests/nft-flowtable-test.c b/tests/nft-flowtable-test.c -index 3edb00d..8ab8d4c 100644 ---- a/tests/nft-flowtable-test.c -+++ b/tests/nft-flowtable-test.c -@@ -33,9 +33,11 @@ static void cmp_nftnl_flowtable(struct nftnl_flowtable *a, struct nftnl_flowtabl - if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_USE) != - nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_USE)) - print_err("Flowtable use mismatches"); -+#if 0 - if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_SIZE) != - nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_SIZE)) - print_err("Flowtable size mismatches"); -+#endif - if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_FLAGS) != - nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_FLAGS)) - print_err("Flowtable flags mismatches"); --- -2.24.1 diff --git a/user/nftables/APKBUILD b/user/nftables/APKBUILD index 41e356d37..bc96a18f1 100644 --- a/user/nftables/APKBUILD +++ b/user/nftables/APKBUILD 
@@ -2,9 +2,9 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # Contributor: Francesco Colista <fcolista@alpinelinux.org> # Contributor: Luis Ressel <aranea@aixah.de> -# Maintainer: +# Maintainer: Molly Miller <sysvinit@adelielinux.org> pkgname=nftables -pkgver=0.9.3 +pkgver=0.9.4 pkgrel=0 pkgdesc="Netfilter tables userspace tools" url="https://netfilter.org/projects/nftables" @@ -47,7 +47,7 @@ package() { install -Dm644 "$srcdir"/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname } -sha512sums="d264f6fc75c95510e29fe7d5b82ae418d502f40437b098ba6117ffb1374d9989d70a7296e2e58c5fb25142145a987bb9c160902637899f892589809f9541db43 nftables-0.9.3.tar.bz2 +sha512sums="cef5b5f26f3a2893a3eb1323f1f0ecfd6e2865e0eb040e9b7da5824e5be2274b888e661abe96e828add9e951f47303e30cb7c9238d267a031c0f99b5f3b6e2c0 nftables-0.9.4.tar.bz2 f7b18945f0ab8be2a8725fa902cb2499de0a886076ae4cc337ebd845b3ae08f05a75b1680b428075d42558e7953014a227405e748741e6ebc3a7ac84bbf4beaa asciidoctor.patch 4eb1adf003dfcaad65c91af6ca88d91b7904c471aefae67e7d3c2f8e053e1ac196d3437a45d1fed5a855b876a0f1fc58a724e381d2acf1164d9120cadee73eef nftables.confd 58daafb012b7cd0248a7db6e10f6a667e683347aaea7eaa78cb88780272f334e00913cea3fd39a22a4a72acc27fabd101944b40916f4b534ddeb509bd0232017 nftables.initd" diff --git a/user/qt5-qtbase/APKBUILD b/user/qt5-qtbase/APKBUILD index 18b5b88ad..4cb68524d 100644 --- a/user/qt5-qtbase/APKBUILD +++ b/user/qt5-qtbase/APKBUILD @@ -2,7 +2,7 @@ pkgname=qt5-qtbase _pkgname=qtbase-everywhere-src pkgver=5.12.6 -pkgrel=0 +pkgrel=1 pkgdesc="Cross-platform application and UI framework" url="https://www.qt.io/" arch="all" @@ -27,6 +27,8 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu link-to-execinfo.patch qt-musl-iconv-no-bom.patch time64.patch + CVE-2020-0569.patch + CVE-2020-0570.patch " # secfixes: qt 
@@ -36,6 +38,9 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu # - CVE-2018-19870 # - CVE-2018-19871 # - CVE-2018-19873 +# 5.12.6-r1: +# - CVE-2020-0569 +# - CVE-2020-0570 _qt5_prefix=/usr/lib/qt5 _qt5_datadir=/usr/share/qt5 @@ -175,4 +180,6 @@ sha512sums="5fb82d903b0db95c23c55785047722dea7979e7f94ecaaf374e0c73b4787aabd768a d00dc607b71a93132f756b952871df9197cfd6d78cc3617544bfa11d7f0eea21ce5dd0d1aeb69dd2702a5694a63d3802accc76499dbf414c01eb56421698cb0c big-endian-scroll-wheel.patch ee78a44e28ba5f728914bfc3d8d5b467896c7de11a02d54b0bce11e40a4338b1f776c1fcc30cbd436df4f548c1ab0b4fe801f01b162ddd5c0f892893e227acfd link-to-execinfo.patch e3982b2df2ab4ba53b7a1329a9eb928eb1fee813c61cf6ac03d3300a767ffb57f019ac0fd89f633cac2330549446ff3d43344871296bf362815e7ebffadefa6b qt-musl-iconv-no-bom.patch -436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c time64.patch" +436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c time64.patch +ddeb0a59cf0901b38669314fd2f14dffba63c6cbd06a3d864cd329081cc2b10323ec52053a6ffe7baf5ee8a1e137331acfe5d874c03596660630dd151828da56 CVE-2020-0569.patch +b5973799d6dc7c03124b7df5424e5fa84cb81ec3b997e039b84cca21852abaf4ff61780b99c47f1fd6ce64ae61f61b2458ca2929e068644f1973a6f1c53a4d64 CVE-2020-0570.patch" diff --git a/user/qt5-qtbase/CVE-2020-0569.patch b/user/qt5-qtbase/CVE-2020-0569.patch new file mode 100644 index 000000000..fa0efdce3 --- /dev/null +++ b/user/qt5-qtbase/CVE-2020-0569.patch 
@@ -0,0 +1,29 @@ +From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001 +From: Olivier Goffart <ogoffart@woboq.com> +Date: Fri, 8 Nov 2019 11:30:40 +0100 +Subject: Do not load plugin from the $PWD + +I see no reason why this would make sense to look for plugins in the current +directory. And when there are plugins there, it may actually be wrong + +Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5 +Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> +--- + src/corelib/plugin/qpluginloader.cpp | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp +index cadff4f32b..c2443dbdda 100644 +--- a/src/corelib/plugin/qpluginloader.cpp ++++ b/src/corelib/plugin/qpluginloader.cpp +@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName) + paths.append(fileName.left(slash)); // don't include the '/' + } else { + paths = QCoreApplication::libraryPaths(); +- paths.prepend(QStringLiteral(".")); // search in current dir first + } + + for (const QString &path : qAsConst(paths)) { +-- +cgit v1.2.1 + diff --git a/user/qt5-qtbase/CVE-2020-0570.patch b/user/qt5-qtbase/CVE-2020-0570.patch new file mode 100644 index 000000000..dcf507c0d --- /dev/null +++ b/user/qt5-qtbase/CVE-2020-0570.patch 
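Review bot: In CVE-2020-0569.patch, the removal of `paths.prepend(QStringLiteral("."))` only affects the `else` branch of locatePlugin(), which by the look of the context handles a file name without a directory part. The sibling branch still does `paths.append(fileName.left(slash))`, so a relative name that includes a directory would presumably still be resolved against the working directory. The branch condition is outside the hunk, so this should be confirmed against the full function. If that behaviour is intended, it is worth stating next to the branch, for example `// caller-supplied directory is used as given; pass an absolute path to avoid $PWD-relative lookup`, so the scope of the fix is clear to whoever carries the patch forward.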
@@ -0,0 +1,55 @@ +From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001 +From: Thiago Macieira <thiago.macieira@intel.com> +Date: Fri, 10 Jan 2020 09:26:27 -0800 +Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD + +I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to +find libraries in a haswell/ subdir of the main path, but we only need +to do that transformation if the library is contains at least one +directory seprator. That is, if the user asks to load "lib/foo", then we +should try "lib/haswell/foo" (often, the path prefix will be absolute). + +When the library name the user requested has no directory separators, we +let dlopen() do the transformation for us. Testing on Linux confirms +glibc does so: + +$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor + 1972475: find library=libXcursor.so.1 [0]; searching + 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1 + 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1 + 1972475: trying file=/usr/lib64/libXcursor.so.1 + 1972475: calling init: /usr/lib64/libXcursor.so.1 + 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0] + +Fixes: QTBUG-81272 +Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb +Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> +--- + src/corelib/plugin/qlibrary_unix.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp +index f0de1010d7..135b82cd37 100644 +--- a/src/corelib/plugin/qlibrary_unix.cpp ++++ b/src/corelib/plugin/qlibrary_unix.cpp +@@ -1,7 +1,7 @@ + /**************************************************************************** + ** + ** Copyright (C) 2016 The Qt Company Ltd. +-** Copyright (C) 2018 Intel Corporation ++** Copyright (C) 2020 Intel Corporation + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtCore module of the Qt Toolkit. 
+@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys() + for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) { + if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix))) + continue; ++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) ++ continue; + if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix))) + continue; + if (loadHints & QLibrary::LoadArchiveMemberHint) { +-- +cgit v1.2.1 + |
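Review bot: The guard added to QLibraryPrivate::load_sys(), `if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) continue;`, has no comment, so the reason for it is recorded only in the commit message. A line above it such as `// bare library name: skip directory-bearing prefixes so the lookup is left to dlopen() and never resolves against $PWD` would keep a later refactor from dropping the check. The condition depends only on `path` and `prefix` but is evaluated once per suffix. The loop over prefixes appears to start outside the hunk, so hoisting the test there is a suggestion to confirm against the full function.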