Diffstat (limited to 'system')
-rw-r--r-- | system/abuild/APKBUILD | 2 | ||||
-rw-r--r-- | system/adelie-base/APKBUILD | 2 | ||||
-rw-r--r-- | system/cryptsetup/APKBUILD | 2 | ||||
-rw-r--r-- | system/gettys-openrc/APKBUILD | 4 | ||||
-rw-r--r-- | system/gettys-openrc/gettys.initd | 8 | ||||
-rw-r--r-- | system/lvm2/APKBUILD | 44 | ||||
-rw-r--r-- | system/patch/APKBUILD | 18 | ||||
-rw-r--r-- | system/patch/CVE-2018-6952.patch | 30 | ||||
-rw-r--r-- | system/patch/CVE-2019-13636.patch | 108 | ||||
-rw-r--r-- | system/patch/CVE-2019-13638.patch | 38 | ||||
-rw-r--r-- | system/s6-linux-init/APKBUILD | 17 |
11 files changed, 221 insertions, 52 deletions
diff --git a/system/abuild/APKBUILD b/system/abuild/APKBUILD
index ff09dbd2f..46495b93f 100644
--- a/system/abuild/APKBUILD
+++ b/system/abuild/APKBUILD
@@ -3,7 +3,7 @@ pkgname=abuild
 pkgver=3.3.1
 pkgrel=1
 pkgdesc="Script to build APK packages"
-url="https://code.foxkit.us/adelie/aports"
+url="https://code.foxkit.us/adelie/abuild"
 arch="all"
 license="GPL-2.0-only"
 depends="fakeroot sudo pax-utils openssl apk-tools>=2.0.7-r1 libc-utils
diff --git a/system/adelie-base/APKBUILD b/system/adelie-base/APKBUILD
index 766378d3d..d432f7138 100644
--- a/system/adelie-base/APKBUILD
+++ b/system/adelie-base/APKBUILD
@@ -72,7 +72,7 @@ doc() {
 posix() {
 # We pull in vim for /usr/bin/ex, until apk has an alternatives system
 depends="adelie-base at bc cflow cxref ed fcron heirloom-devtools
- heirloom-pax mailx mawk uucp vim"
+ heirloom-pax mailx mawk uucp utmps vim"
 pkgdesc="$pkgdesc - Additional POSIX tools"
 mkdir -p "$subpkgdir"
 return 0
diff --git a/system/cryptsetup/APKBUILD b/system/cryptsetup/APKBUILD
index 533f036f8..5116640ac 100644
--- a/system/cryptsetup/APKBUILD
+++ b/system/cryptsetup/APKBUILD
@@ -12,7 +12,7 @@ makedepends_build=""
 makedepends_host="lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev argon2-dev"
 makedepends="$makedepends_build $makedepends_host"
-checkdepends="device-mapper sharutils debianutils-which bash"
+checkdepends="bash debianutils-which lvm2 sharutils"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs $pkgname-openrc"
 source="https://www.kernel.org/pub/linux/utils/$pkgname/v${pkgver%.*}/$pkgname-$pkgver.tar.gz
 dmcrypt.confd
diff --git a/system/gettys-openrc/APKBUILD b/system/gettys-openrc/APKBUILD
index bacb96d11..cde63a648 100644
--- a/system/gettys-openrc/APKBUILD
+++ b/system/gettys-openrc/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Laurent Bercot <ska-adelie@skarnet.org>
 # Maintainer: Laurent Bercot <ska-adelie@skarnet.org>
 pkgname=gettys-openrc
-pkgver=0.0.2.0
+pkgver=0.0.2.1
 pkgrel=0
 pkgdesc="Dynamic getty services"
 url="https://adelielinux.org/"
@@ -21,4 +21,4 @@ package() {
 }
 sha512sums="50039958291cd546c51ce5a30d319f5c5cf7d310fb3cd9f7ad1632fa4bc55775cdac740f76886ff5869a2cfa3f345e760672cebf7727c7ca2514358bcc17e531 gettys.confd
-ad086549334cf2ff49bf95eb7d89aed8497a7533487aa4770d0fed884baab648c5da5f4db7ba8b7613d2dc5eea5d165a484ee7029fe660e97791f954aff171b3 gettys.initd"
+4fdb5e177bc6862e8b55c1252079a2ee31d25e157cd6a36bae766e25d2a79ba4b731d35660e01b38325bf8ae8a9ea9ccfddb5ec662ba1bb76e71ce9372ab608a gettys.initd"
diff --git a/system/gettys-openrc/gettys.initd b/system/gettys-openrc/gettys.initd
index 5181d9af2..a1fbb2082 100644
--- a/system/gettys-openrc/gettys.initd
+++ b/system/gettys-openrc/gettys.initd
@@ -47,8 +47,12 @@ start() {
 for i in $GETTYS ; do
 if test -c /dev/"$i" ; then
- makeservice "$i"
- ln -nsf "/var/lib/s6/services/getty-$i" "/run/service/getty-$i"
+ if test -d "/etc/s6-linux-init/current/run-image/service/getty-$i" ; then
+ :
+ else
+ makeservice "$i"
+ ln -nsf "/var/lib/s6/services/getty-$i" "/run/service/getty-$i"
+ fi
 fi
 done
diff --git a/system/lvm2/APKBUILD b/system/lvm2/APKBUILD
index f00157787..842dee2fa 100644
--- a/system/lvm2/APKBUILD
+++ b/system/lvm2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Dan Theisen <djt@hxx.in>
 pkgname=lvm2
 pkgver=2.03.05
-pkgrel=1
+pkgrel=2
 pkgdesc="Logical Volume Manager 2 utilities"
 url="https://sourceware.org/lvm2/"
 arch="all"
@@ -14,6 +14,7 @@ depends_dev="linux-headers"
 makedepends_build="coreutils libaio-dev"
 makedepends_host="$depends_dev util-linux-dev"
 makedepends="$makedepends_build $makedepends_host"
+replaces="device-mapper $pkgname-dmeventd"
 source="https://mirrors.kernel.org/sourceware/$pkgname/LVM2.$pkgver.tgz
 fix-stdio-usage.patch
 mallinfo.patch
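Review bot: The new guard in start() uses an empty then-branch (`:`) only to invert the directory test; `if ! test -d "/etc/s6-linux-init/current/run-image/service/getty-$i" ; then` with makeservice and the ln in the then-branch says the same thing in two fewer lines. The directory it probes is exactly the `getty-$_earlytty` service that earlygetty() in this commit's s6-linux-init APKBUILD installs, so the two packages now depend on agreeing on that name; a comment such as `# s6-linux-init's early getty already owns this tty; don't start a second one` next to the test would make the coupling visible to whoever renames either side. start() begins and ends outside the hunk.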
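Review bot: `replaces="device-mapper $pkgname-dmeventd"` lets lvm2 overwrite those packages' files on upgrade, but as far as I can tell from apk's semantics it does not make lvm2 satisfy a `depends="device-mapper"` declared by another APKBUILD; cryptsetup's checkdepends had to be rewritten in this same commit for that reason, and any other consumer of the dropped subpackages would fail to resolve until it is found and rewritten too. If a drop-in replacement is intended, `provides="device-mapper=$pkgver-r$pkgrel $pkgname-dmeventd=$pkgver-r$pkgrel"` next to the replaces line would cover that; please confirm against abuild's handling of versioned provides before relying on it.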
@@ -25,11 +26,7 @@ source="https://mirrors.kernel.org/sourceware/$pkgname/LVM2.$pkgver.tgz
 subpackages="
 $pkgname-dev
 $pkgname-doc
- $pkgname-dmeventd
 $pkgname-openrc
- device-mapper:dm
- device-mapper-libs:dm_libs
- device-mapper-event-libs:dm_event_libs
 $pkgname-libs
 $pkgname-udev
 "
@@ -66,43 +63,14 @@ package() {
 install -d "$pkgdir"/etc/lvm/archive "$pkgdir"/etc/lvm/backup
 install -Dm755 "$srcdir"/lvm.initd "$pkgdir"/etc/init.d/lvm
 install -Dm644 "$srcdir"/lvm.confd "$pkgdir"/etc/conf.d/lvm
- ln -s libdevmapper.so.1.02 "$pkgdir"/lib/libdevmapper.so
-}
-
-dmeventd() {
- pkgdesc="Device-mapper event daemon"
- mkdir -p "$subpkgdir"/sbin
- mv "$pkgdir"/sbin/dmeventd "$subpkgdir"/sbin/
- install -Dm755 "$srcdir"/dmeventd.initd "$subpkgdir"/etc/init.d/dmeventd
-}
-
-dm() {
- pkgdesc="Device mapper userspace library and tools from LVM2"
- mkdir -p "$subpkgdir"/sbin "$subpkgdir"/lib
- mv "$pkgdir"/sbin/dm* "$subpkgdir"/sbin/
+ install -Dm755 "$srcdir"/dmeventd.initd "$pkgdir"/etc/init.d/dmeventd
 }
 libs() {
- pkgdesc="LVM2 shared libraries"
- depends=""
- mkdir -p "$subpkgdir"/lib
- mv "$pkgdir"/lib/liblvm2*.so.* "$subpkgdir"/lib/
- mv "$pkgdir"/lib/libdevmapper-event-lvm2*.so.* "$subpkgdir"/lib/
- mv "$pkgdir"/lib/device-mapper "$subpkgdir"/lib/
-}
-
-dm_libs() {
- pkgdesc="Device-mapper shared library"
- depends=""
- mkdir -p "$subpkgdir"/lib
- mv "$pkgdir"/lib/libdevmapper.so.* "$subpkgdir"/lib/
-}
+ replaces="device-mapper-libs device-mapper-event-libs"
+ default_libs
-dm_event_libs() {
- pkgdesc="Device-mapper event daemon shared library"
- depends=""
- mkdir -p "$subpkgdir"/lib
- mv "$pkgdir"/lib/libdevmapper-event.so.* "$subpkgdir"/lib/
+ mv "$pkgdir/lib/device-mapper" "$subpkgdir/lib/"
 }
 udev() {
diff --git a/system/patch/APKBUILD b/system/patch/APKBUILD
index 175bb7a67..292076831 100644
--- a/system/patch/APKBUILD
+++ b/system/patch/APKBUILD
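Review bot: package() no longer creates the unversioned `lib/libdevmapper.so` link and nothing in the hunk recreates it, so unless LVM2's own `make install` installs that link (not visible from here), `lvm2-dev` loses the file the linker resolves `-ldevmapper` against, and cryptsetup in this same commit builds against lvm2-dev. Worth checking the built -dev package's file list; if upstream does install it, a one-line comment such as `# the libdevmapper.so dev link is installed by upstream's make install` on the dmeventd.initd install line would stop the next reader from re-adding the ln. libs() keeping `replaces=` for the two dropped -libs subpackages looks consistent with the main package's new replaces line.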
@@ -1,7 +1,7 @@
 # Maintainer: Kiyoshi Aman <kiyoshi.aman+adelie@gmail.com>
 pkgname=patch
 pkgver=2.7.6
-pkgrel=3
+pkgrel=4
 pkgdesc="Utility to apply diffs to files"
 url="https://www.gnu.org/software/patch/patch.html"
 arch="all"
@@ -12,9 +12,12 @@ checkdepends="bash ed"
 install=""
 subpackages="$pkgname-doc"
 source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
- CVE-2018-6951.patch
 allow-missing.patch
 CVE-2018-1000156.patch
+ CVE-2018-6951.patch
+ CVE-2018-6952.patch
+ CVE-2019-13636.patch
+ CVE-2019-13638.patch
 "
 builddir="$srcdir"/$pkgname-$pkgver
@@ -23,6 +26,10 @@ builddir="$srcdir"/$pkgname-$pkgver
 # - CVE-2018-6951
 # 2.7.6-r3:
 # - CVE-2018-1000156.patc
+# 2.7.6-r4:
+# - CVE-2018-6952
+# - CVE-2019-13636
+# - CVE-2019-13638
 build() {
 cd "$builddir"
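Review bot: The r4 changelog block lists the three new patch files but not CVE-2018-20969, which NVD records as fixed by the same upstream commit (3fcd042, do_ed_script no longer going through the shell) that CVE-2019-13638.patch carries; adding `# - CVE-2018-20969 (same upstream commit as CVE-2019-13638)` under `# 2.7.6-r4:` keeps the bookkeeping searchable by either identifier. Please confirm against the advisory before adding it, since this is inferred from the commit id in the patch header rather than from the distro's own tracker.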
@@ -51,6 +58,9 @@ package() {
 }
 sha512sums="fcca87bdb67a88685a8a25597f9e015f5e60197b9a269fa350ae35a7991ed8da553939b4bbc7f7d3cfd863c67142af403b04165633acbce4339056a905e87fbd patch-2.7.6.tar.xz
-db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch
 317c922c3adcf347024a9ffd2374a1827b19cc1f275a90e195e070cbcf16fb47788b14ffd18365ae5e1f867ed650e6f9aed6acf287bfc427107f3ed8bcd2b3af allow-missing.patch
-93414b33413b493eaa15027dfbe39c00eb1c556acf9f30af4c0ca113303867c5e7ad441c2596a7f9d060b8b67735a2a1c8be5db3c779ea47302f616ef8530d5d CVE-2018-1000156.patch"
+93414b33413b493eaa15027dfbe39c00eb1c556acf9f30af4c0ca113303867c5e7ad441c2596a7f9d060b8b67735a2a1c8be5db3c779ea47302f616ef8530d5d CVE-2018-1000156.patch
+db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch
+99df964d826d400f87e9b82bf2600d8663c59bb8f9bf4aec082adc8cf6261744f37d416e15492d6e883202ade521d4436cb41c91f516085c3e6ce8e01a8956fb CVE-2018-6952.patch
+cecb80d8d48dfe66bc13c22a5ed0eb52157cc85a1b74d03d4a8ea1ebcfe5d59bae975aec34ac685adc71129dcdb794579fee0e221144412a7c1fa71c460f63c1 CVE-2019-13636.patch
+d60f8c2364fca9b73aa73b5914cfd6571d11528d13fa7703ccfa93730cbdf8a6e4c9ca04cb7d02a40d33c38075890790b490052d5217e728b0948991da937980 CVE-2019-13638.patch"
diff --git a/system/patch/CVE-2018-6952.patch b/system/patch/CVE-2018-6952.patch
new file mode 100644
index 000000000..d9ad374a2
--- /dev/null
+++ b/system/patch/CVE-2018-6952.patch
@@ -0,0 +1,30 @@ +From 9c986353e420ead6e706262bf204d6e03322c300 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Fri, 17 Aug 2018 13:35:40 +0200 +Subject: Fix swapping fake lines in pch_swap + +* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a +blank line in the middle of a context-diff hunk: that empty line stays +in the middle of the hunk and isn't swapped. + +Fixes: https://savannah.gnu.org/bugs/index.php?53133 +--- + src/pch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pch.c b/src/pch.c +index e92bc64..a500ad9 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -2122,7 +2122,7 @@ pch_swap (void) + } + if (p_efake >= 0) { /* fix non-freeable ptr range */ + if (p_efake <= i) +- n = p_end - i + 1; ++ n = p_end - p_ptrn_lines; + else + n = -i; + p_efake += n; +-- +cgit v1.0-41-gc330 + diff --git a/system/patch/CVE-2019-13636.patch b/system/patch/CVE-2019-13636.patch new file mode 100644 index 000000000..e62c3d417 --- /dev/null +++ b/system/patch/CVE-2019-13636.patch 
@@ -0,0 +1,108 @@ +From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Mon, 15 Jul 2019 16:21:48 +0200 +Subject: Don't follow symlinks unless --follow-symlinks is given + +* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file, +append_to_file): Unless the --follow-symlinks option is given, open files with +the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing +that consistently for input files. +* src/util.c (create_backup): When creating empty backup files, (re)create them +with O_CREAT | O_EXCL to avoid following symlinks in that case as well. +--- + src/inp.c | 12 ++++++++++-- + src/util.c | 14 +++++++++++--- + 2 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/inp.c b/src/inp.c +index 32d0919..22d7473 100644 +--- a/src/inp.c ++++ b/src/inp.c +@@ -238,8 +238,13 @@ plan_a (char const *filename) + { + if (S_ISREG (instat.st_mode)) + { +- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0); ++ int flags = O_RDONLY | binary_transput; + size_t buffered = 0, n; ++ int ifd; ++ ++ if (! follow_symlinks) ++ flags |= O_NOFOLLOW; ++ ifd = safe_open (filename, flags, 0); + if (ifd < 0) + pfatal ("can't open file %s", quotearg (filename)); + +@@ -340,6 +345,7 @@ plan_a (char const *filename) + static void + plan_b (char const *filename) + { ++ int flags = O_RDONLY | binary_transput; + int ifd; + FILE *ifp; + int c; +@@ -353,7 +359,9 @@ plan_b (char const *filename) + + if (instat.st_size == 0) + filename = NULL_DEVICE; +- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0 ++ if (! follow_symlinks) ++ flags |= O_NOFOLLOW; ++ if ((ifd = safe_open (filename, flags, 0)) < 0 + || ! (ifp = fdopen (ifd, binary_transput ? 
"rb" : "r"))) + pfatal ("Can't open file %s", quotearg (filename)); + if (TMPINNAME_needs_removal) +diff --git a/src/util.c b/src/util.c +index 1cc08ba..fb38307 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original) + + try_makedirs_errno = ENOENT; + safe_unlink (bakname); +- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0) ++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0) + { + if (errno != try_makedirs_errno) + pfatal ("Can't create file %s", quotearg (bakname)); +@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode, + static void + copy_to_fd (const char *from, int tofd) + { ++ int from_flags = O_RDONLY | O_BINARY; + int fromfd; + ssize_t i; + +- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0) ++ if (! follow_symlinks) ++ from_flags |= O_NOFOLLOW; ++ if ((fromfd = safe_open (from, from_flags, 0)) < 0) + pfatal ("Can't reopen file %s", quotearg (from)); + while ((i = read (fromfd, buf, bufsize)) != 0) + { +@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost, + else + { + assert (S_ISREG (mode)); ++ if (! follow_symlinks) ++ to_flags |= O_NOFOLLOW; + tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode, + to_dir_known_to_exist); + copy_to_fd (from, tofd); +@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost, + void + append_to_file (char const *from, char const *to) + { ++ int to_flags = O_WRONLY | O_APPEND | O_BINARY; + int tofd; + +- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0) ++ if (! follow_symlinks) ++ to_flags |= O_NOFOLLOW; ++ if ((tofd = safe_open (to, to_flags, 0)) < 0) + pfatal ("Can't reopen file %s", quotearg (to)); + copy_to_fd (from, tofd); + if (close (tofd) != 0) +-- +cgit v1.0-41-gc330 + 
diff --git a/system/patch/CVE-2019-13638.patch b/system/patch/CVE-2019-13638.patch new file mode 100644 index 000000000..38caff628 --- /dev/null +++ b/system/patch/CVE-2019-13638.patch @@ -0,0 +1,38 @@ +From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Fri, 6 Apr 2018 19:36:15 +0200 +Subject: Invoke ed directly instead of using the shell + +* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell +command to avoid quoting vulnerabilities. +--- + src/pch.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/pch.c b/src/pch.c +index 4fd5a05..16e001a 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname, + *outname_needs_removal = true; + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } +- sprintf (buf, "%s %s%s", editor_program, +- verbosity == VERBOSE ? "" : "- ", +- outname); + fflush (stdout); + + pid = fork(); +@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname, + else if (pid == 0) + { + dup2 (tmpfd, 0); +- execl ("/bin/sh", "sh", "-c", buf, (char *) 0); ++ assert (outname[0] != '!' && outname[0] != '-'); ++ execlp (editor_program, editor_program, "-", outname, (char *) NULL); + _exit (2); + } + else +-- +cgit v1.0-41-gc330 + diff --git a/system/s6-linux-init/APKBUILD b/system/s6-linux-init/APKBUILD index aed46e575..d1cead76d 100644 --- a/system/s6-linux-init/APKBUILD +++ b/system/s6-linux-init/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Laurent Bercot <ska-adelie@skarnet.org> pkgname=s6-linux-init pkgver=1.0.2.0 -pkgrel=0 +pkgrel=1 pkgdesc="A s6-based init system" url="https://skarnet.org/software/$pkgname/" arch="all" 
@@ -11,11 +11,11 @@ license="ISC"
 _skalibs_version=2.8.1.0
 depends="execline s6 s6-linux-init-common"
 makedepends="skalibs-dev>=$_skalibs_version execline-dev s6-dev utmps-dev"
-subpackages="$pkgname-common:common:noarch $pkgname-libs $pkgname-dev $pkgname-libs-dev:libsdev $pkgname-doc"
+subpackages="$pkgname-common:common:noarch $pkgname-early-getty:earlygetty:noarch $pkgname-libs $pkgname-dev $pkgname-libs-dev:libsdev $pkgname-doc"
 source="https://skarnet.org/software/$pkgname/$pkgname-$pkgver.tar.gz rc.init runlevel rc.shutdown reboot.sh"
 install="$pkgname.post-install $pkgname.post-upgrade $pkgname.pre-deinstall"
 provides="/sbin/init=0"
-
+_earlytty=tty2
 build() {
 cd "$builddir"
@@ -46,6 +46,7 @@ package() {
 ./s6-linux-init-maker \
 -u catchlog \
+ -G "/sbin/agetty -- 38400 $_earlytty linux" \
 -1 \
 -L \
 -p "/usr/bin:/usr/sbin:/bin:/sbin" \
@@ -77,6 +78,16 @@ common() {
 }
+earlygetty() {
+ pkgdesc="Files for an early getty on $_earlytty"
+ depends="s6-linux-init-common"
+ svcimg="$pkgdir/etc/s6-linux-init/current/run-image/service"
+ subsvcimg="$subpkgdir/etc/s6-linux-init/current/run-image/service"
+ mkdir -p -m 0755 "$subsvcimg"
+ mv "$svcimg/s6-linux-init-early-getty" "$subsvcimg/getty-$_earlytty"
+}
+
+
 libs() {
 pkgdesc="$pkgdesc (shared libraries)"
 depends="skalibs-libs>=$_skalibs_version" |
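Review bot: `svcimg` and `subsvcimg` in earlygetty() are assigned without `local`, so they persist as shell globals into every later split function abuild runs from this file; `local svcimg=...` / `local subsvcimg=...` (or an underscore prefix, the file's convention for private names such as `_earlytty` and `_skalibs_version`) keeps them scoped. The `mv` to `getty-$_earlytty` is the name gettys-openrc's gettys.initd in this same commit tests for before starting its own getty, so a comment on that line, `# named getty-<tty> so gettys.initd skips this tty instead of starting a duplicate`, records why the service is renamed away from the maker's `s6-linux-init-early-getty`. The subpackage depends only on s6-linux-init-common while its files live under `/etc/s6-linux-init/current/run-image/service`; whether that tree exists without the main package installed is not visible here and is worth confirming.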