11 files changed, 133 insertions, 50 deletions
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index c4ae4fa31..866bdb468 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Timo Teräs <timo.teras@iki.fi>
 # Maintainer: Max Rees <maxcrees@me.com>
 pkgname=bubblewrap
-pkgver=0.3.3
+pkgver=0.4.1
 pkgrel=0
 pkgdesc="Unprivileged sandboxing tool"
 url="https://github.com/projectatomic/bubblewrap"
@@ -9,21 +9,23 @@ arch="all"
 options="!check suid"  # requires suid to already be set in order to check
 license="LGPL-2.0+"
 makedepends="autoconf automake libcap-dev docbook-xsl"
-checkdepends="sudo"
+checkdepends="python3 sudo"
 subpackages="$pkgname-nosuid $pkgname-doc
 	$pkgname-bash-completion:bashcomp:noarch"
-source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
+source="bubblewrap-$pkgver.tar.gz::https://github.com/containers/bubblewrap/archive/v$pkgver.tar.gz
 	realpath-workaround.patch
-	musl-fixes.patch
-	tests.patch"
+	tests.patch
+	"
 
 # secfixes:
 #   0.3.3-r0:
-#   - CVE-2019-12439
+#     - CVE-2019-12439
+#   0.4.1-r0:
+#     - GHSA-j2qp-rvxj-43vj
 
 prepare() {
-	srcdir= NOCONFIGURE=1 ./autogen.sh
 	default_prepare
+	NOCONFIGURE=1 ./autogen.sh
 }
 
 build() {
@@ -39,14 +41,16 @@ build() {
 }
 
 check() {
-	# Uses sudo to chown root and setuid $builddir/test-bwrap
+	# 1. chown root and chmod u+s $builddir/test-bwrap
+	# 2. Run abuild check (suid test)
+	# 3. Unset permissions on test-bwrap
+	# 4. Run abuild check again (nosuid test)
 	#
-	# As of 0.3.3-r0, all tests pass on ppc64 except those relating
-	# to bind mounts over symlinks. Those tests fail because musl's
-	# realpath depends on the availability of /proc, which is not
-	# available in the middle of the setup procedure since pivot_root
-	# has been performed at least once. They have been patched to be
-	# skipped.
+	# As of 0.4.1, all tests pass except those relating to bind mounts
+	# over symlinks. Those tests fail because musl's realpath depends on
+	# the availability of /proc, which is not available in the middle of
+	# the setup procedure since pivot_root has been performed at least
+	# once. They have been patched to be skipped.
 	make check
 }
 
@@ -72,7 +76,6 @@ bashcomp() {
 	mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
 }
 
-sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae  bubblewrap-0.3.3.tar.gz
+sha512sums="83e036e242503e1364b2d0052bba5127175891203c57bd22ba47a1b1e934fdca64ca620cd0e48c903fa2bc7cdcf92339b8a7fcb8716b54c2e28034b6d6f86adc  bubblewrap-0.4.1.tar.gz
 400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4  realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e  musl-fixes.patch
 d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd  tests.patch"
diff --git a/system/bubblewrap/musl-fixes.patch b/system/bubblewrap/musl-fixes.patch
deleted file mode 100644
index ecf626331..000000000
--- a/system/bubblewrap/musl-fixes.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/config.h.in
-+++ b/config.h.in
-@@ -102,3 +102,14 @@
- 
- /* Define to 1 if you need to in order for `stat' and other things to work. */
- #undef _POSIX_SOURCE
-+
-+/* taken from glibc unistd.h and fixes musl */
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+  (__extension__                                                              \
-+    ({ long int __result;                                                     \
-+       do __result = (long int) (expression);                                 \
-+       while (__result == -1L && errno == EINTR);                             \
-+       __result; }))
-+#endif
-+
diff --git a/system/gettext-tiny/APKBUILD b/system/gettext-tiny/APKBUILD
index ce62d5c99..a1d199ecd 100644
--- a/system/gettext-tiny/APKBUILD
+++ b/system/gettext-tiny/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=gettext-tiny
 pkgver=0.3.1_git20191130
-pkgrel=2
+pkgrel=3
 pkgdesc="An internationalisation and localisation system"
 url="https://github.com/sabotage-linux/gettext-tiny"
 arch="all"
@@ -16,6 +16,7 @@ source="https://distfiles.adelielinux.org/source/$pkgname-$pkgver.tar.xz
 	line-length.patch
 	respect-cflags.patch
 	stop-doing-macro-crap.patch
+	msgfmt-exit.patch
 	"
 
 build() {
@@ -30,4 +31,5 @@ sha512sums="a318135626a0403a30a81fa475f7e1878b8af5a87053b0e00876c73b591508f3cf1e
 8efbf9c11429ab26f3c15e00c34258200598833b8f846a23e4c8d95023c2184d9dcf9cbb48d58eec1604442691af76e6f8e904ad7348016c393257aa30eae7cd  keyword.patch
 0a26a8481bffe2ce8c73f7f500963aea9db8379fb87849142d8efabf1656604b22f6ad345483256f14c388466f2f44e5924b9f65d88f26867a753a96d1529270  line-length.patch
 b4e7db4e415f6bc31f2214f2044506ad18ea0bd3cae4200d93bbd34aa493c7478a7f953d0a7e08f29f0fd5a5d7b7cbfa2bcfd5692c37e423706a1c193239bf1d  respect-cflags.patch
-cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526  stop-doing-macro-crap.patch"
+cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526  stop-doing-macro-crap.patch
+0037a1347f9ac2aa6f68160441b83c35ce8128ca140be93f3c508e6cd02161e49edff82034877ed11c127886337455ff4ea941b6a14168c2ca69aa82a7cff8a5  msgfmt-exit.patch"
diff --git a/system/gettext-tiny/msgfmt-exit.patch b/system/gettext-tiny/msgfmt-exit.patch
new file mode 100644
index 000000000..f5ff3fbb8
--- /dev/null
+++ b/system/gettext-tiny/msgfmt-exit.patch
@@ -0,0 +1,36 @@
+From 0e62c2588742cfffd3dc81c09ecc8488c0ce25b9 Mon Sep 17 00:00:00 2001
+From: Max Rees <maxcrees@me.com>
+Date: Sun, 22 Mar 2020 20:20:15 -0500
+Subject: [PATCH] msgfmt: exit(1) if incorrectly used
+
+This prevents builds from continuing seemingly fine when they are
+actually not using this version of msgfmt correctly.
+---
+ src/msgfmt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/msgfmt.c b/src/msgfmt.c
+index aa16c5e..3de9a56 100644
+--- a/src/msgfmt.c
++++ b/src/msgfmt.c
+@@ -278,7 +278,7 @@ void set_file(int out, char* fn, FILE** dest) {
+ int main(int argc, char**argv) {
+ 	if (argc == 1) {
+ 		syntax();
+-		return 0;
++		return 1;
+ 	}
+ 
+ 	int arg = 1;
+@@ -376,7 +376,7 @@ int main(int argc, char**argv) {
+ 				streq(A+1, "D")
+ 			) {
+ 				syntax();
+-				return 0;
++				return 1;
+ 			} else if (streq(A+1, "l")) {
+ 				arg++;
+ 				locale = A;
+-- 
+2.25.1
+
diff --git a/system/lvm2/APKBUILD b/system/lvm2/APKBUILD
index 4bb0d5d0c..3baea9c09 100644
--- a/system/lvm2/APKBUILD
+++ b/system/lvm2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Dan Theisen <djt@hxx.in>
 pkgname=lvm2
 pkgver=2.03.08
-pkgrel=0
+pkgrel=1
 pkgdesc="Logical Volume Manager 2 utilities"
 url="https://sourceware.org/lvm2/"
 arch="all"
@@ -88,7 +88,7 @@ udev() {
 
 
 sha512sums="411c76de2acd8d7d707b60a4aab3f846004a1fbdc7b1d3f34d21af8ed45716adc0516b11491a26261580da7396d13a506e3994b32f5d1cefdf49c97e5d62d2e3  LVM2.2.03.08.tgz
-62dd89e626adc86d1f9d7c575517b4454a362868e2fd3399813b61c1cc407316156456348cd4e8148542ee26124739d6c0e72f3dddee66662a40ca86f1bc3abd  fix-stdio-usage.patch
+bc4473c2f48ff6cab121f92211cd1b67589a6abadd8e32ffa366fed6ddbf9c87be695aa54a6e97b5b79203bf1a7d22cdb5974da84d38b4977592ef7a061612e7  fix-stdio-usage.patch
 9272ec8c5184ef5dc776ead8f74132e072b7563b5119a3a38b712f00d92a1e3878c9b3a54eb2b01dcba038110c686b39d4c17ecd0eb258537e9217d7ed03c408  mallinfo.patch
 d190c40a137b006d7b63298069c93ff08d2804b990e85d44739cd7c48beec9a569903b98f0d940895fc7365723ba886acd7ef0e08f1f65a1a391d1c448ce080e  mlockall-default-config.patch
 a853078660fd2fd943538924f56e81dc5793294e26b8f61d93e6188893f15f4a438d33792b341c1865d61e03f4a371b7c7ee0db5f4130ef7cb7aeaeb9290086a  lvm.initd
diff --git a/system/lvm2/fix-stdio-usage.patch b/system/lvm2/fix-stdio-usage.patch
index d5cc43f65..6b7ee0eaa 100644
--- a/system/lvm2/fix-stdio-usage.patch
+++ b/system/lvm2/fix-stdio-usage.patch
@@ -1,6 +1,6 @@
---- ./tools/lvmcmdline.c
-+++ ./tools/lvmcmdline.c
-@@ -1252,7 +1252,7 @@
+--- LVM2.2.03.08/tools/lvmcmdline.c	2020-02-11 03:59:27.000000000 -0600
++++ LVM2.2.03.08/tools/lvmcmdline.c	2020-03-22 16:17:35.470100377 -0500
+@@ -3233,7 +3233,7 @@ static int _check_standard_fds(void)
  	int err = is_valid_fd(STDERR_FILENO);
  
  	if (!is_valid_fd(STDIN_FILENO) &&
@@ -9,7 +9,7 @@
  		if (err)
  			perror("stdin stream open");
  		else
-@@ -1262,7 +1262,7 @@
+@@ -3243,7 +3243,7 @@ static int _check_standard_fds(void)
  	}
  
  	if (!is_valid_fd(STDOUT_FILENO) &&
@@ -18,7 +18,7 @@
  		if (err)
  			perror("stdout stream open");
  		/* else no stdout */
-@@ -1270,7 +1270,7 @@
+@@ -3251,7 +3251,7 @@ static int _check_standard_fds(void)
  	}
  
  	if (!is_valid_fd(STDERR_FILENO) &&
@@ -27,3 +27,23 @@
  		printf("stderr stream open: %s\n",
  		       strerror(errno));
  		return 0;
+--- LVM2.2.03.08/lib/commands/toolcontext.c	2020-02-11 03:59:27.000000000 -0600
++++ LVM2.2.03.08/lib/commands/toolcontext.c	2020-03-22 16:18:35.130101016 -0500
+@@ -1599,7 +1599,7 @@ struct cmd_context *create_toolcontext(u
+ 	/* FIXME Make this configurable? */
+ 	reset_lvm_errno(1);
+ 
+-#ifndef VALGRIND_POOL
++#if !defined(VALGRIND_POOL) && defined(__GLIBC__)
+ 	/* Set in/out stream buffering before glibc */
+ 	if (set_buffering
+ #ifdef SYS_gettid
+@@ -1980,7 +1980,7 @@ void destroy_toolcontext(struct cmd_cont
+ 
+ 	if (cmd->pending_delete_mem)
+ 		dm_pool_destroy(cmd->pending_delete_mem);
+-#ifndef VALGRIND_POOL
++#if !defined(VALGRIND_POOL) && defined(__GLIBC__)
+ 	if (cmd->linebuffer) {
+ 		/* Reset stream buffering to defaults */
+ 		if (is_valid_fd(STDIN_FILENO) &&
diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
index 070d3d0e2..812836bc9 100644
--- a/system/openssl/APKBUILD
+++ b/system/openssl/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=openssl
-pkgver=1.1.1d
+pkgver=1.1.1e
 pkgrel=0
 pkgdesc="Toolkit for SSL and TLS"
 url="https://www.openssl.org/"
@@ -12,7 +12,7 @@ makedepends_build="perl"
 subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.1:libcrypto
 	libssl1.1:libssl"
 source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
-	CVE-2019-1551.patch
+	ppc-auxv.patch
 	ppc64.patch
 	"
 
@@ -127,6 +127,6 @@ libssl() {
 	done
 }
 
-sha512sums="2bc9f528c27fe644308eb7603c992bac8740e9f0c3601a130af30c9ffebbf7e0f5c28b76a00bbb478bad40fbe89b4223a58d604001e1713da71ff4b7fe6a08a7  openssl-1.1.1d.tar.gz
-11ca61515a89766241fe0fae27f3b39767128915f288ea88840bf93e8b50ac416024cb2153efcdf2658d3e82a8e4250a0c069333dbd7347475f9dafcc45370b5  CVE-2019-1551.patch
-66bbb0ae769643c8a0b1501d9c8466f08f0d8b3b2bc4fcc2c0c054ab1971ced85c07aa0e4b8168a4394d0ae407dfbd26066a7a068602ce5b58e459b12ce6d36a  ppc64.patch"
+sha512sums="dbc2124f6ce9f1927e2f5e03101ed565d4e52ef09d620200f5cd9372c88c65dd7d74b24b31a8bf404713a5adfab80e0c3b25bf538c52702c4c3af1d80aef16c2  openssl-1.1.1e.tar.gz
+c164dd528d7408b8b2a52a0b181f2066ff00feb635df863bdeb4ce879db9ecdf7dd9033bb14b63ee5239aa814d5d777a86bb99cc37ecedae2d77a6bd86144b88  ppc-auxv.patch
+e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509  ppc64.patch"
diff --git a/system/openssl/ppc-auxv.patch b/system/openssl/ppc-auxv.patch
new file mode 100644
index 000000000..e19d8df1f
--- /dev/null
+++ b/system/openssl/ppc-auxv.patch
@@ -0,0 +1,17 @@
+--- openssl-1.1.1e/crypto/ppccap.c.old	2020-03-17 14:31:17.000000000 +0000
++++ openssl-1.1.1e/crypto/ppccap.c	2020-03-30 06:32:25.943988524 +0000
+@@ -207,11 +207,9 @@
+         return 0;
+ }
+ 
+-#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
+-# if __GLIBC_PREREQ(2, 16)
+-#  include <sys/auxv.h>
+-#  define OSSL_IMPLEMENT_GETAUXVAL
+-# endif
++#if defined(__linux__)
++# include <sys/auxv.h>
++# define OSSL_IMPLEMENT_GETAUXVAL
+ #endif
+ 
+ /* I wish <sys/auxv.h> was universally available */
diff --git a/system/openssl/ppc64.patch b/system/openssl/ppc64.patch
index 5f79c4ddc..c75ceedba 100644
--- a/system/openssl/ppc64.patch
+++ b/system/openssl/ppc64.patch
@@ -78,7 +78,7 @@ diff --git a/Configure b/Configure
 index 22082deb4c7..e303d98deb3 100755
 --- a/Configure
 +++ b/Configure
-@@ -1411,8 +1410,15 @@
+@@ -1402,8 +1402,15 @@
  my %predefined_C = compiler_predefined($config{CROSS_COMPILE}.$config{CC});
  my %predefined_CXX = $config{CXX}
      ? compiler_predefined($config{CROSS_COMPILE}.$config{CXX})
diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 537c1010a..0cb185852 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -38,11 +38,13 @@
 #     - CVE-2019-16201
 #     - CVE-2019-16254
 #     - CVE-2019-16255
+#   2.5.7-r1:
+#     - CVE-2020-8130
 #
 pkgname=ruby
 pkgver=2.5.7
 _abiver="${pkgver%.*}.0"
-pkgrel=0
+pkgrel=1
 pkgdesc="An object-oriented language for quick and easy programming"
 url="https://www.ruby-lang.org/"
 arch="all"
@@ -76,6 +78,7 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
 	test_insns-lower-recursion-depth.patch
 	fix-get_main_stack.patch
 	libedit-compat.patch
+	CVE-2020-8130.patch
 	"
 replaces="ruby-etc ruby-gems"
 
@@ -318,4 +321,5 @@ sha512sums="63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef
 20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb  rubygems-avoid-platform-specific-gems.patch
 814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150  test_insns-lower-recursion-depth.patch
 e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe  fix-get_main_stack.patch
-6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2  libedit-compat.patch"
+6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2  libedit-compat.patch
+50b3a2aca1c0d7a7b557e030fbf57049512730cd6516cb6b26624855c25a20e84eef7f84ec9eafb94200de067ec67790e5fe0902e69681ac4de9195240b318dc  CVE-2020-8130.patch"
diff --git a/system/ruby/CVE-2020-8130.patch b/system/ruby/CVE-2020-8130.patch
new file mode 100644
index 000000000..3cb6e4adf
--- /dev/null
+++ b/system/ruby/CVE-2020-8130.patch
@@ -0,0 +1,18 @@
+Note: adjusted paths since it's being vendored inside ruby.
+
+From 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Mon, 22 Jul 2019 10:23:43 +0900
+Subject: [PATCH] Use File.open explicitly.
+
+--- ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
++++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@ def egrep(pattern, *options)
+       matched = 0
+       each do |fn|
+         begin
+-          open(fn, "r", *options) do |inf|
++          File.open(fn, "r", *options) do |inf|
+             count = 0
+             inf.each do |line|
+               count += 1