summaryrefslogtreecommitdiff
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/bubblewrap/APKBUILD33
-rw-r--r--system/bubblewrap/musl-fixes.patch17
-rw-r--r--system/gettext-tiny/APKBUILD6
-rw-r--r--system/gettext-tiny/msgfmt-exit.patch36
-rw-r--r--system/ruby/APKBUILD8
-rw-r--r--system/ruby/CVE-2020-8130.patch18
6 files changed, 81 insertions, 37 deletions
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index c4ae4fa31..d51d14ae7 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Timo Teräs <timo.teras@iki.fi>
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=bubblewrap
-pkgver=0.3.3
+pkgver=0.4.0
pkgrel=0
pkgdesc="Unprivileged sandboxing tool"
url="https://github.com/projectatomic/bubblewrap"
@@ -9,21 +9,21 @@ arch="all"
options="!check suid" # requires suid to already be set in order to check
license="LGPL-2.0+"
makedepends="autoconf automake libcap-dev docbook-xsl"
-checkdepends="sudo"
+checkdepends="python3 sudo"
subpackages="$pkgname-nosuid $pkgname-doc
$pkgname-bash-completion:bashcomp:noarch"
-source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
+source="bubblewrap-$pkgver.tar.gz::https://github.com/containers/bubblewrap/archive/v$pkgver.tar.gz
realpath-workaround.patch
- musl-fixes.patch
- tests.patch"
+ tests.patch
+ "
# secfixes:
# 0.3.3-r0:
-# - CVE-2019-12439
+# - CVE-2019-12439
prepare() {
- srcdir= NOCONFIGURE=1 ./autogen.sh
default_prepare
+ NOCONFIGURE=1 ./autogen.sh
}
build() {
@@ -39,14 +39,16 @@ build() {
}
check() {
- # Uses sudo to chown root and setuid $builddir/test-bwrap
+ # 1. chown root and chmod u+s $builddir/test-bwrap
+ # 2. Run abuild check (suid test)
+ # 3. Unset permissions on test-bwrap
+ # 4. Run abuild check again (nosuid test)
#
- # As of 0.3.3-r0, all tests pass on ppc64 except those relating
- # to bind mounts over symlinks. Those tests fail because musl's
- # realpath depends on the availability of /proc, which is not
- # available in the middle of the setup procedure since pivot_root
- # has been performed at least once. They have been patched to be
- # skipped.
+ # As of 0.4.0, all tests pass except those relating to bind mounts
+ # over symlinks. Those tests fail because musl's realpath depends on
+ # the availability of /proc, which is not available in the middle of
+ # the setup procedure since pivot_root has been performed at least
+ # once. They have been patched to be skipped.
make check
}
@@ -72,7 +74,6 @@ bashcomp() {
mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
}
-sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae bubblewrap-0.3.3.tar.gz
+sha512sums="1957126e13900bbb1c9c885802f513006313836826938555899a8ad0e6c3ba47478eae0cc90f4aceff228663379b45203dce4fa57d6bfc489984670571232b97 bubblewrap-0.4.0.tar.gz
400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch
d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch"
diff --git a/system/bubblewrap/musl-fixes.patch b/system/bubblewrap/musl-fixes.patch
deleted file mode 100644
index ecf626331..000000000
--- a/system/bubblewrap/musl-fixes.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/config.h.in
-+++ b/config.h.in
-@@ -102,3 +102,14 @@
-
- /* Define to 1 if you need to in order for `stat' and other things to work. */
- #undef _POSIX_SOURCE
-+
-+/* taken from glibc unistd.h and fixes musl */
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+ (__extension__ \
-+ ({ long int __result; \
-+ do __result = (long int) (expression); \
-+ while (__result == -1L && errno == EINTR); \
-+ __result; }))
-+#endif
-+
diff --git a/system/gettext-tiny/APKBUILD b/system/gettext-tiny/APKBUILD
index ce62d5c99..a1d199ecd 100644
--- a/system/gettext-tiny/APKBUILD
+++ b/system/gettext-tiny/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=gettext-tiny
pkgver=0.3.1_git20191130
-pkgrel=2
+pkgrel=3
pkgdesc="An internationalisation and localisation system"
url="https://github.com/sabotage-linux/gettext-tiny"
arch="all"
@@ -16,6 +16,7 @@ source="https://distfiles.adelielinux.org/source/$pkgname-$pkgver.tar.xz
line-length.patch
respect-cflags.patch
stop-doing-macro-crap.patch
+ msgfmt-exit.patch
"
build() {
@@ -30,4 +31,5 @@ sha512sums="a318135626a0403a30a81fa475f7e1878b8af5a87053b0e00876c73b591508f3cf1e
8efbf9c11429ab26f3c15e00c34258200598833b8f846a23e4c8d95023c2184d9dcf9cbb48d58eec1604442691af76e6f8e904ad7348016c393257aa30eae7cd keyword.patch
0a26a8481bffe2ce8c73f7f500963aea9db8379fb87849142d8efabf1656604b22f6ad345483256f14c388466f2f44e5924b9f65d88f26867a753a96d1529270 line-length.patch
b4e7db4e415f6bc31f2214f2044506ad18ea0bd3cae4200d93bbd34aa493c7478a7f953d0a7e08f29f0fd5a5d7b7cbfa2bcfd5692c37e423706a1c193239bf1d respect-cflags.patch
-cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526 stop-doing-macro-crap.patch"
+cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526 stop-doing-macro-crap.patch
+0037a1347f9ac2aa6f68160441b83c35ce8128ca140be93f3c508e6cd02161e49edff82034877ed11c127886337455ff4ea941b6a14168c2ca69aa82a7cff8a5 msgfmt-exit.patch"
diff --git a/system/gettext-tiny/msgfmt-exit.patch b/system/gettext-tiny/msgfmt-exit.patch
new file mode 100644
index 000000000..f5ff3fbb8
--- /dev/null
+++ b/system/gettext-tiny/msgfmt-exit.patch
@@ -0,0 +1,36 @@
+From 0e62c2588742cfffd3dc81c09ecc8488c0ce25b9 Mon Sep 17 00:00:00 2001
+From: Max Rees <maxcrees@me.com>
+Date: Sun, 22 Mar 2020 20:20:15 -0500
+Subject: [PATCH] msgfmt: exit(1) if incorrectly used
+
+This prevents builds from continuing seemingly fine when they are
+actually not using this version of msgfmt correctly.
+---
+ src/msgfmt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/msgfmt.c b/src/msgfmt.c
+index aa16c5e..3de9a56 100644
+--- a/src/msgfmt.c
++++ b/src/msgfmt.c
+@@ -278,7 +278,7 @@ void set_file(int out, char* fn, FILE** dest) {
+ int main(int argc, char**argv) {
+ if (argc == 1) {
+ syntax();
+- return 0;
++ return 1;
+ }
+
+ int arg = 1;
+@@ -376,7 +376,7 @@ int main(int argc, char**argv) {
+ streq(A+1, "D")
+ ) {
+ syntax();
+- return 0;
++ return 1;
+ } else if (streq(A+1, "l")) {
+ arg++;
+ locale = A;
+--
+2.25.1
+
diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 537c1010a..0cb185852 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -38,11 +38,13 @@
# - CVE-2019-16201
# - CVE-2019-16254
# - CVE-2019-16255
+# 2.5.7-r1:
+# - CVE-2020-8130
#
pkgname=ruby
pkgver=2.5.7
_abiver="${pkgver%.*}.0"
-pkgrel=0
+pkgrel=1
pkgdesc="An object-oriented language for quick and easy programming"
url="https://www.ruby-lang.org/"
arch="all"
@@ -76,6 +78,7 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
test_insns-lower-recursion-depth.patch
fix-get_main_stack.patch
libedit-compat.patch
+ CVE-2020-8130.patch
"
replaces="ruby-etc ruby-gems"
@@ -318,4 +321,5 @@ sha512sums="63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef
20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb rubygems-avoid-platform-specific-gems.patch
814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe fix-get_main_stack.patch
-6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch"
+6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch
+50b3a2aca1c0d7a7b557e030fbf57049512730cd6516cb6b26624855c25a20e84eef7f84ec9eafb94200de067ec67790e5fe0902e69681ac4de9195240b318dc CVE-2020-8130.patch"
diff --git a/system/ruby/CVE-2020-8130.patch b/system/ruby/CVE-2020-8130.patch
new file mode 100644
index 000000000..3cb6e4adf
--- /dev/null
+++ b/system/ruby/CVE-2020-8130.patch
@@ -0,0 +1,18 @@
+Note: adjusted paths since it's being vendored inside ruby.
+
+From 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Mon, 22 Jul 2019 10:23:43 +0900
+Subject: [PATCH] Use File.open explicitly.
+
+--- ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
++++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@ def egrep(pattern, *options)
+ matched = 0
+ each do |fn|
+ begin
+- open(fn, "r", *options) do |inf|
++ File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+ count += 1