diff options
Diffstat (limited to 'user')
-rw-r--r-- | user/cyrus-sasl/APKBUILD | 10 | ||||
-rw-r--r-- | user/cyrus-sasl/CVE-2019-19906.patch | 25 | ||||
-rw-r--r-- | user/qemu/APKBUILD | 6 | ||||
-rw-r--r-- | user/qemu/CVE-2020-11102.patch | 144 | ||||
-rw-r--r-- | user/spice-gtk/APKBUILD | 18 | ||||
-rw-r--r-- | user/spice-gtk/macro.patch | 33 |
6 files changed, 227 insertions, 9 deletions
diff --git a/user/cyrus-sasl/APKBUILD b/user/cyrus-sasl/APKBUILD index be7505b82..b061d41ad 100644 --- a/user/cyrus-sasl/APKBUILD +++ b/user/cyrus-sasl/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=cyrus-sasl pkgver=2.1.27 -pkgrel=0 +pkgrel=1 pkgdesc="Cyrus Simple Authentication Service Layer (SASL)" url="https://www.cyrusimap.org/sasl/" arch="all" @@ -15,11 +15,14 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-gssapi $pkgname-gs2 libsasl $pkgname-openrc" source="https://github.com/cyrusimap/$pkgname/releases/download/$pkgname-$pkgver/$pkgname-$pkgver.tar.gz saslauthd.initd + CVE-2019-19906.patch " # secfixes: # 2.1.26-r7: -# - CVE-2013-4122 +# - CVE-2013-4122 +# 2.1.27-r1: +# - CVE-2019-19906 build() { ./configure \ @@ -76,4 +79,5 @@ libsasl() { } sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623eab235f85af9be38dcf5d42fc131db531c177040a85187aee5096b8df63b cyrus-sasl-2.1.27.tar.gz -71a00a22f91f0fb6ba2796acede321a0f071b1d7a99616f0e36c354213777f30575c340b6df392dcbfc103ba7640d046144882f6a7b505f59709bb5c429b44d8 saslauthd.initd" +71a00a22f91f0fb6ba2796acede321a0f071b1d7a99616f0e36c354213777f30575c340b6df392dcbfc103ba7640d046144882f6a7b505f59709bb5c429b44d8 saslauthd.initd +35d2fc8d1ea905898d526af515ee6c1c23f46092d2a034c7fa1b989ec2985ff68f74b7dc26e86525beecb6997562f29aea87a0c945953db1b6a0fac807c294ae CVE-2019-19906.patch" diff --git a/user/cyrus-sasl/CVE-2019-19906.patch b/user/cyrus-sasl/CVE-2019-19906.patch new file mode 100644 index 000000000..acdf68243 --- /dev/null +++ b/user/cyrus-sasl/CVE-2019-19906.patch @@ -0,0 +1,25 @@ +From dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 Mon Sep 17 00:00:00 2001 +From: Quanah Gibson-Mount <quanah@symas.com> +Date: Tue, 18 Feb 2020 19:05:12 +0000 +Subject: [PATCH] Fix #587 + +Off by one error in common.c, CVE-2019-19906. + +Thanks to Stephan Zeisberg for reporting +--- + lib/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/common.c b/lib/common.c +index bc3bf1df..9969d6aa 100644 +--- a/lib/common.c ++++ b/lib/common.c +@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen, + + if (add==NULL) add = "(null)"; + +- addlen=strlen(add); /* only compute once */ ++ addlen=strlen(add)+1; /* only compute once */ + if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) + return SASL_NOMEM; + diff --git a/user/qemu/APKBUILD b/user/qemu/APKBUILD index 579eed14f..bc3744541 100644 --- a/user/qemu/APKBUILD +++ b/user/qemu/APKBUILD @@ -6,7 +6,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=qemu pkgver=4.2.0 -pkgrel=0 +pkgrel=1 pkgdesc="Machine emulator and virtualisation software" url="https://www.qemu.org/" arch="all" @@ -160,6 +160,7 @@ source="https://download.qemu.org/$pkgname-$pkgver.tar.xz time64.patch MAP_SYNC-fix.patch CVE-2020-1711.patch + CVE-2020-11102.patch $pkgname-guest-agent.confd $pkgname-guest-agent.initd @@ -230,6 +231,8 @@ builddir="$srcdir/$pkgname-$pkgver" # - CVE-2020-1711 # - CVE-2020-7039 # - CVE-2020-8608 +# 4.2.0-r1: +# - CVE-2020-11102 prepare() { default_prepare # apply patches @@ -454,6 +457,7 @@ c6436b1cc986788baccd5fe0f9d23c7db9026f6b723260611cf894bd94ee830140a17ee5859efe0d 87f659800b78b31731ea1828a27a3762662ef124d10e942f6029b332d5e8cf4487f62a3d742ad59709c2eb9e3ae8af36fa849d6cbac89978a282d29786b9b41a time64.patch d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6ae706ee2aec9e005eade3c0fd4a202db60d11f436874a17d7 MAP_SYNC-fix.patch 0ea3745c45507c00c3c036241992d594b5f7e9aa1f0fa9b425dd222390066e1ea2d0aa4923bde0e7f27b7cc2f759a122ae4b600c2fa682a5aad509e7d03ccad9 CVE-2020-1711.patch +5d9e7e065c6716024eab4984331071f42dcd5363c5456023f81a3ef0329ae578348d0f875868f85c9e1fee5e435d86e2eb7e342a957c36cd099cb5d5d9f3a78d CVE-2020-11102.patch d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd 1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6 qemu-guest-agent.initd 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules diff --git a/user/qemu/CVE-2020-11102.patch b/user/qemu/CVE-2020-11102.patch new file mode 100644 index 000000000..c437a7d47 --- /dev/null +++ b/user/qemu/CVE-2020-11102.patch @@ -0,0 +1,144 @@ +From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 24 Mar 2020 22:57:22 +0530 +Subject: [PATCH 1/1] net: tulip: check frame size and r/w data length + +Tulip network driver while copying tx/rx buffers does not check +frame size against r/w data length. This may lead to OOB buffer +access. Add check to avoid it. + +Limit iterations over descriptors to avoid potential infinite +loop issue in tulip_xmit_list_update. + +Reported-by: Li Qiang <pangpei.lq@antfin.com> +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Reported-by: Jason Wang <jasowang@redhat.com> +Tested-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + hw/net/tulip.c | 36 +++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index cfac271..1295f51 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size) + + trace_tulip_receive(buf, size); + +- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) { ++ if (size < 14 || size > sizeof(s->rx_frame) - 4 ++ || s->rx_frame_len || tulip_rx_stopped(s)) { + return 0; + } + +@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc, + return tulip_receive(qemu_get_nic_opaque(nc), buf, size); + } + +- + static NetClientInfo net_tulip_info = { + .type = NET_CLIENT_DRIVER_NIC, + .size = sizeof(NICState), +@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) { + /* Internal or external Loopback */ + tulip_receive(s, s->tx_frame, s->tx_frame_len); +- } else { ++ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) { + qemu_send_packet(qemu_get_queue(s->nic), + s->tx_frame, s->tx_frame_len); + } +@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + } + } + +-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) ++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) + { + int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK; + int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK; + ++ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len1) { + pci_dma_read(&s->dev, desc->buf_addr1, + s->tx_frame + s->tx_frame_len, len1); + s->tx_frame_len += len1; + } + ++ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len2) { + pci_dma_read(&s->dev, desc->buf_addr2, + s->tx_frame + s->tx_frame_len, len2); + s->tx_frame_len += len2; + } + desc->status = (len1 + len2) ? 0 : 0x7fffffff; ++ ++ return 0; + } + + static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n) +@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s) + + static void tulip_xmit_list_update(TULIPState *s) + { ++#define TULIP_DESC_MAX 128 ++ uint8_t i = 0; + struct tulip_descriptor desc; + + if (tulip_ts(s) != CSR5_TS_SUSPENDED) { + return; + } + +- for (;;) { ++ for (i = 0; i < TULIP_DESC_MAX; i++) { + tulip_desc_read(s, s->current_tx_desc, &desc); + tulip_dump_tx_descriptor(s, &desc); + +@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s) + s->tx_frame_len = 0; + } + +- tulip_copy_tx_buffers(s, &desc); +- +- if (desc.control & TDES1_LS) { +- tulip_tx(s, &desc); ++ if (!tulip_copy_tx_buffers(s, &desc)) { ++ if (desc.control & TDES1_LS) { ++ tulip_tx(s, &desc); ++ } + } + } + tulip_desc_write(s, s->current_tx_desc, &desc); +-- +1.8.3.1 + diff --git a/user/spice-gtk/APKBUILD b/user/spice-gtk/APKBUILD index 5c11142ba..fb44cc0ec 100644 --- a/user/spice-gtk/APKBUILD +++ b/user/spice-gtk/APKBUILD @@ -13,19 +13,25 @@ depends="gst-plugins-good" depends_dev="gobject-introspection-dev gtk+3.0-dev" makedepends="$depends_dev acl-dev bash cyrus-sasl-dev eudev-dev gst-plugins-base-dev gstreamer-dev gstreamer-tools gtk-doc - json-glib-dev libjpeg-turbo-dev libucontext-dev libusb-dev + json-glib-dev libjpeg-turbo-dev libucontext-dev libxrandr-dev lz4-dev meson openssl-dev opus-dev polkit-dev - py3-pyparsing py3-six spice-protocol usbredir-dev - usbutils zlib-dev" + py3-pyparsing py3-six spice-protocol + zlib-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang spicy spice-glib:glib" -source="https://www.spice-space.org/download/gtk/$pkgname-$pkgver.tar.xz" +source="https://www.spice-space.org/download/gtk/$pkgname-$pkgver.tar.xz + macro.patch + " build() { export CFLAGS="$CFLAGS -lucontext" # Note: pulseaudio support is disabled because it's deprecated. # Audio is still supported through gstreamer. + # + # USB redirection is disabled until there is reasonable belief + # that it is endian safe. + # https://gitlab.freedesktop.org/spice/spice-gtk/-/issues/120 meson \ --prefix=/usr \ --sysconfdir=/etc \ @@ -34,6 +40,7 @@ build() { --buildtype=release \ -Dcelt051=disabled \ -Dpulse=disabled \ + -Dusbredir=disabled \ . output ninja -C output } @@ -62,4 +69,5 @@ glib() { "$subpkgdir"/usr/lib/girepository-1.0/ } -sha512sums="27b44ac9f0cee2737ce03bb3f47c62fc0ee2402c291c49fc56cffc4ccb63e2cab001a68ba865a6375d82cb38444408d59c68469783ee4279fa818d8682e902f3 spice-gtk-0.38.tar.xz" +sha512sums="27b44ac9f0cee2737ce03bb3f47c62fc0ee2402c291c49fc56cffc4ccb63e2cab001a68ba865a6375d82cb38444408d59c68469783ee4279fa818d8682e902f3 spice-gtk-0.38.tar.xz +9bae6a1866c977d6b7e032e0fe1f8ce07ccfd8777e982453629d9dce284a6f02c68ab8b073865e3c36340e22dd2f83fbda4cabd3a5bc8a274b3a0bbf9c031ccd macro.patch" diff --git a/user/spice-gtk/macro.patch b/user/spice-gtk/macro.patch new file mode 100644 index 000000000..fc0787b93 --- /dev/null +++ b/user/spice-gtk/macro.patch @@ -0,0 +1,33 @@ +From 7363d1a0a640b6992d5967621e37c3376958d708 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Thu, 19 Mar 2020 15:50:45 +0000 +Subject: [PATCH] channel-main: Avoid macro side effects + +In big endian system GUINT32_TO_LE macro uses the parameter +multiple time causing serial to be incremented multiple times +instead of one. +Avoid side effects using a temporary variable. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +Acked-by: Victor Toso <victortoso@redhat.com> +--- + src/channel-main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 0a0b9ca..d7669e8 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -1384,7 +1384,8 @@ static void agent_clipboard_grab(SpiceMainChannel *channel, guint selection, + } + + if (test_agent_cap(channel, VD_AGENT_CAP_CLIPBOARD_GRAB_SERIAL)) { +- *(uint32_t *)grab = GUINT32_TO_LE(c->clipboard_serial[selection]++); ++ uint32_t serial = c->clipboard_serial[selection]++; ++ *(uint32_t *)grab = GUINT32_TO_LE(serial); + grab = (void *)grab + sizeof(uint32_t); + } + +-- +2.24.1 + |