diff options
Diffstat (limited to 'system')
-rw-r--r-- | system/abuild/APKBUILD | 10 | ||||
-rw-r--r-- | system/abuild/apkpath.patch | 25 | ||||
-rw-r--r-- | system/abuild/fix-apk-invocation.patch | 29 | ||||
-rw-r--r-- | system/argon2/APKBUILD | 5 | ||||
-rw-r--r-- | system/musl/APKBUILD | 6 | ||||
-rw-r--r-- | system/musl/CVE-2020-28928.patch | 112 |
6 files changed, 123 insertions, 64 deletions
diff --git a/system/abuild/APKBUILD b/system/abuild/APKBUILD index 53d53a818..1ec934da1 100644 --- a/system/abuild/APKBUILD +++ b/system/abuild/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=abuild -pkgver=3.4.1 -pkgrel=2 +pkgver=3.4.2 +pkgrel=0 pkgdesc="Script to build APK packages" url="https://code.foxkit.us/adelie/abuild" arch="all" @@ -19,8 +19,6 @@ makedepends="$makedepends_host $makedepends_build" subpackages="abuild-rootbld:_rootbld:noarch $pkgname-doc" install="$pkgname.pre-install $pkgname.pre-upgrade" source="https://distfiles.adelielinux.org/source/abuild-$pkgver.tar.xz - apkpath.patch - fix-apk-invocation.patch keyhole.patch " @@ -55,7 +53,5 @@ _rootbld() { mkdir -p "$subpkgdir" } -sha512sums="6446171cc68d8341b5267816e7a05e0dc7b8a4e89c8c8410ae61e9501b163cc32db888476b14f032c16ef15bdd4dd4844e087394c2d061db8281f7bdfb34d450 abuild-3.4.1.tar.xz -bc373c93344d498a48675256bb26cf9bebac74f54d8e53a09c0975e3047c481ee35c6b88e5de392efd2d0ce2a8de23ebbf0822e1a093ee01ea99349f238c62f7 apkpath.patch -4ae8a0d7efb94e8390250c2c43294ba40afcf27409257cccffb9315f00e887972e29573ddbfb830a82eab473c6d292fe7a1bf30fb9761b6fa24b8fe8c0940c79 fix-apk-invocation.patch +sha512sums="9bdeb31f54879878697b4a5436ec2bc7764e1b9840798e913ba3dd47c344437e362a3067b89440ca8a7940af1efcaa83a24e7c1077187f924bf73fb058f97fbf abuild-3.4.2.tar.xz 757d750d4b5c88bf00774b64f2b93a9461e03f284d9423dc58c581e1309f276628de3114fcb510afd7c3cd55ceb721c1278e42756977c97ebe2597207805318d keyhole.patch" diff --git a/system/abuild/apkpath.patch b/system/abuild/apkpath.patch deleted file mode 100644 index 4390fe0b0..000000000 --- a/system/abuild/apkpath.patch +++ /dev/null @@ -1,25 +0,0 @@ -From d9811dee71cfafde1fe6d596a2b9922b60dd0c4f Mon Sep 17 00:00:00 2001 -From: "A. Wilcox" <AWilcox@Wilcox-Tech.com> -Date: Fri, 21 Feb 2020 19:28:36 -0600 -Subject: [PATCH] abuild: Solve, once and for all, 'apk: not found' - ---- - abuild.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/abuild.in b/abuild.in -index 1b8898b..2212789 100644 ---- a/abuild.in -+++ b/abuild.in -@@ -23,7 +23,7 @@ fi - # defaults - : ${FAKEROOT:="fakeroot"} - : ${SUDO_APK:="abuild-apk"} --: ${APK:="apk"} -+: ${APK:="/sbin/apk"} - : ${ADDUSER:="abuild-adduser"} - : ${ADDGROUP:="abuild-addgroup"} - --- -2.25.0 - diff --git a/system/abuild/fix-apk-invocation.patch b/system/abuild/fix-apk-invocation.patch deleted file mode 100644 index 71bc3d1c9..000000000 --- a/system/abuild/fix-apk-invocation.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 9f703d3222a6a8d52ac560035fb1a988d2f9bff7 Mon Sep 17 00:00:00 2001 -From: "A. Wilcox" <AWilcox@Wilcox-Tech.com> -Date: Thu, 27 Feb 2020 04:41:04 -0600 -Subject: [PATCH] abuild: Use $APK instead of apk - -This is the only appearance of `apk` in the source. Appears accidental. - -Fixes: 41343329 ("abuild: fix dependency tracing for cross builds") -Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com> ---- - abuild.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/abuild.in b/abuild.in -index 2212789..7daa366 100644 ---- a/abuild.in -+++ b/abuild.in -@@ -1255,7 +1255,7 @@ trace_apk_deps() { - autodeps="$autodeps pc:$pcprefix$i" - elif subpkg_provides_pc "$i" \ - || $APK $apkroot info --quiet --installed "pc:$i"; then -- local provider="$(apk $apkroot search --quiet "pc:$i")" -+ local provider="$($APK $apkroot search --quiet "pc:$i")" - if list_has "$provider" $depends_dev; then - warning "$provider should be removed from depends_dev" - fi --- -2.25.1 - diff --git a/system/argon2/APKBUILD b/system/argon2/APKBUILD index 42d459e1f..c7a1bd6c2 100644 --- a/system/argon2/APKBUILD +++ b/system/argon2/APKBUILD @@ -4,7 +4,7 @@ pkgname=argon2 _pkgname=phc-winner-argon2 pkgver=20190702 -pkgrel=0 +pkgrel=1 pkgdesc="Password hashing library" url="https://github.com/P-H-C/phc-winner-argon2" arch="all" @@ -30,7 +30,8 @@ package() { sed -i 's#libdir=${prefix}/lib#libdir=/lib#' "$builddir"/libargon2.pc make OPTTARGET=none DESTDIR="$pkgdir" LIBRARY_REL=lib install # ...but cryptsetup needs this in /lib for early-boot - mv "$pkgdir"/usr/lib "$pkgdir"/ + mkdir "$pkgdir"/lib + mv "$pkgdir"/usr/lib/lib* "$pkgdir"/lib } sha512sums="0a4cb89e8e63399f7df069e2862ccd05308b7652bf4ab74372842f66bcc60776399e0eaf979a7b7e31436b5e6913fe5b0a6949549d8c82ebd06e0629b106e85f argon2-20190702.tar.gz" diff --git a/system/musl/APKBUILD b/system/musl/APKBUILD index 8517b148b..735541e51 100644 --- a/system/musl/APKBUILD +++ b/system/musl/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=musl pkgver=1.2.0 -pkgrel=1 +pkgrel=2 pkgdesc="System library (libc) implementation" url="https://www.musl-libc.org/" arch="all" @@ -27,6 +27,7 @@ source="https://musl.libc.org/releases/$pkgname-$pkgver.tar.gz handle-aux-at_base.patch fgetspent_r.patch threads_minus_1.patch + CVE-2020-28928.patch ldconfig getent.c @@ -38,6 +39,8 @@ source="https://musl.libc.org/releases/$pkgname-$pkgver.tar.gz # - CVE-2016-8859 # 1.1.23-r2: # - CVE-2019-14697 +# 1.2.0-r2: +# - CVE-2020-28928 build() { [ "$BOOTSTRAP" = "nocc" ] && return 0 @@ -123,6 +126,7 @@ f01ab92b9d385c15369c0bb7d95e1bc06a009c8851e363517d0ba1bae3fc2647af69fc2f363b5d96 6a7ff16d95b5d1be77e0a0fbb245491817db192176496a57b22ab037637d97a185ea0b0d19da687da66c2a2f5578e4343d230f399d49fe377d8f008410974238 handle-aux-at_base.patch ded41235148930f8cf781538f7d63ecb0c65ea4e8ce792565f3649ee2523592a76b2a166785f0b145fc79f5852fd1fb1729a7a09110b3b8f85cba3912e790807 fgetspent_r.patch 68830961e297d9a499f3b609be84848ad5d3326a1af56e9e54a40ecd972c48da11532c51da572d45e0df3574d63191e7ae0d3a1b84a029365f8d00691de96952 threads_minus_1.patch +343ac5e5365cf98a5d5b7bc192c671733fdba27f06b83484f1ac7647154228745415f62dd676029de538460f8b35e0a70ca453a0f8b73226ed1c420099b1cf90 CVE-2020-28928.patch cb71d29a87f334c75ecbc911becde7be825ab30d8f39fa6d64cb53812a7c9abaf91d9804c72540e5be3ddd3c84cfe7fd9632274309005cb8bcdf9a9b09b4b923 ldconfig 378d70e65bcc65bb4e1415354cecfa54b0c1146dfb24474b69e418cdbf7ad730472cd09f6f103e1c99ba6c324c9560bccdf287f5889bbc3ef0bdf0e08da47413 getent.c 9d42d66fb1facce2b85dad919be5be819ee290bd26ca2db00982b2f8e055a0196290a008711cbe2b18ec9eee8d2270e3b3a4692c5a1b807013baa5c2b70a2bbf iconv.c" diff --git a/system/musl/CVE-2020-28928.patch b/system/musl/CVE-2020-28928.patch new file mode 100644 index 000000000..cc668e149 --- /dev/null +++ b/system/musl/CVE-2020-28928.patch @@ -0,0 +1,112 @@ +From 3ab2a4e02682df1382955071919d8aa3c3ec40d4 Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Thu, 19 Nov 2020 17:12:43 -0500 +Subject: [PATCH] rewrite wcsnrtombs to fix buffer overflow and other bugs + +the original wcsnrtombs implementation, which has been largely +untouched since 0.5.0, attempted to build input-length-limiting +conversion on top of wcsrtombs, which only limits output length. as +best I recall, this choice was made out of a mix of disdain over +having yet another variant function to implement (added in POSIX 2008; +not standard C) and preference not to switch things around and +implement the wcsrtombs in terms of the more general new function, +probably over namespace issues. the strategy employed was to impose +output limits that would ensure the input limit wasn't exceeded, then +finish up the tail character-at-a-time. unfortunately, none of that +worked correctly. + +first, the logic in the wcsrtombs loop was wrong in that it could +easily get stuck making no forward progress, by imposing an output +limit too small to convert even one character. + +the character-at-a-time loop that followed was even worse. it made no +effort to ensure that the converted multibyte character would fit in +the remaining output space, only that there was a nonzero amount of +output space remaining. it also employed an incorrect interpretation +of wcrtomb's interface contract for converting the null character, +thereby failing to act on end of input, and remaining space accounting +was subject to unsigned wrap-around. together these errors allow +unbounded overflow of the destination buffer, controlled by input +length limit and input wchar_t string contents. + +given the extent to which this function was broken, it's plausible +that most applications that would have been rendered exploitable were +sufficiently broken not to be usable in the first place. however, it's +also plausible that common (especially ASCII-only) inputs succeeded in +the wcsrtombs loop, which mostly worked, while leaving the wildly +erroneous code in the second loop exposed to particular non-ASCII +inputs. + +CVE-2020-28928 has been assigned for this issue. +--- + src/multibyte/wcsnrtombs.c | 46 ++++++++++++++++---------------------- + 1 file changed, 19 insertions(+), 27 deletions(-) + +diff --git a/src/multibyte/wcsnrtombs.c b/src/multibyte/wcsnrtombs.c +index 676932b5..95e25e70 100644 +--- a/src/multibyte/wcsnrtombs.c ++++ b/src/multibyte/wcsnrtombs.c +@@ -1,41 +1,33 @@ + #include <wchar.h> ++#include <limits.h> ++#include <string.h> + + size_t wcsnrtombs(char *restrict dst, const wchar_t **restrict wcs, size_t wn, size_t n, mbstate_t *restrict st) + { +- size_t l, cnt=0, n2; +- char *s, buf[256]; + const wchar_t *ws = *wcs; +- const wchar_t *tmp_ws; +- +- if (!dst) s = buf, n = sizeof buf; +- else s = dst; +- +- while ( ws && n && ( (n2=wn)>=n || n2>32 ) ) { +- if (n2>=n) n2=n; +- tmp_ws = ws; +- l = wcsrtombs(s, &ws, n2, 0); +- if (!(l+1)) { +- cnt = l; +- n = 0; ++ size_t cnt = 0; ++ if (!dst) n=0; ++ while (ws && wn) { ++ char tmp[MB_LEN_MAX]; ++ size_t l = wcrtomb(n<MB_LEN_MAX ? tmp : dst, *ws, 0); ++ if (l==-1) { ++ cnt = -1; + break; + } +- if (s != buf) { +- s += l; ++ if (dst) { ++ if (n<MB_LEN_MAX) { ++ if (l>n) break; ++ memcpy(dst, tmp, l); ++ } ++ dst += l; + n -= l; + } +- wn = ws ? wn - (ws - tmp_ws) : 0; +- cnt += l; +- } +- if (ws) while (n && wn) { +- l = wcrtomb(s, *ws, 0); +- if ((l+1)<=1) { +- if (!l) ws = 0; +- else cnt = l; ++ if (!*ws) { ++ ws = 0; + break; + } +- ws++; wn--; +- /* safe - this loop runs fewer than sizeof(buf) times */ +- s+=l; n-=l; ++ ws++; ++ wn--; + cnt += l; + } + if (dst) *wcs = ws; +-- +2.25.4 + |