summaryrefslogtreecommitdiff
path: root/user
diff options
context:
space:
mode:
Diffstat (limited to 'user')
-rw-r--r--user/cbindgen/APKBUILD6
-rw-r--r--user/qt5-qtbase/APKBUILD11
-rw-r--r--user/qt5-qtbase/CVE-2020-0569.patch29
-rw-r--r--user/qt5-qtbase/CVE-2020-0570.patch55
4 files changed, 96 insertions, 5 deletions
diff --git a/user/cbindgen/APKBUILD b/user/cbindgen/APKBUILD
index 2a735e5ce..8d0a30b7e 100644
--- a/user/cbindgen/APKBUILD
+++ b/user/cbindgen/APKBUILD
@@ -1,9 +1,9 @@
# Contributor: Leo <thinkabit.ukim@gmail.com>
# Contributor: Gentoo Rust Maintainers <rust@gentoo.org>
# Contributor: Samuel Holland <samuel@sholland.org>
-# Maintainer: Molly Miller <adelie@m-squa.red>
+# Maintainer: Molly Miller <sysvinit@adelielinux.org>
pkgname=cbindgen
-pkgver=0.12.1
+pkgver=0.13.2
pkgrel=0
pkgdesc="Tool to generate C bindings from Rust code"
url="https://github.com/eqrion/cbindgen"
@@ -102,7 +102,7 @@ package() {
}
-sha512sums="851f82cfdd4304dc57dab1a145f78a05a6c5f05ad607d27e0ae909920a5d99013ffb7f7e87950541bda98462f73f0c338d9761b94a96c3073f39163c2ddacf08 cbindgen-0.12.1.tar.gz
+sha512sums="2e894c6cf2b08321418ef78228fbebb5f504aea1576b8e159b4d8d66442cb65cee4f611f0ce13fa58539c08fe21932358fcfead52acbe5413adc9fdba05faf66 cbindgen-0.13.2.tar.gz
a637466a380748f939b3af090b8c0333f35581925bc03f4dda9b3f95d338836403cf5487ae3af9ff68f8245a837f8ab061aabe57a126a6a2c20f2e972c77d1fa ansi_term-0.11.0.tar.gz
4554ca7dedb4c2e8693e5847ef1fe66161ed4cb2c19156bb03f41ce7e7ea21838369dabaf447a60d1468de8bfbb7087438c12934c4569dde63df074f168569ad atty-0.2.13.tar.gz
ad89b3798845e23737a620bba581c2ff1ff3e15bac12555c765e201d2c0b90ecea0cdbc5b5b1a3fa9858c385e8e041f8226f5acfae5bbbe9925643fff2bf3f0b bitflags-1.2.1.tar.gz
diff --git a/user/qt5-qtbase/APKBUILD b/user/qt5-qtbase/APKBUILD
index 18b5b88ad..4cb68524d 100644
--- a/user/qt5-qtbase/APKBUILD
+++ b/user/qt5-qtbase/APKBUILD
@@ -2,7 +2,7 @@
pkgname=qt5-qtbase
_pkgname=qtbase-everywhere-src
pkgver=5.12.6
-pkgrel=0
+pkgrel=1
pkgdesc="Cross-platform application and UI framework"
url="https://www.qt.io/"
arch="all"
@@ -27,6 +27,8 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu
link-to-execinfo.patch
qt-musl-iconv-no-bom.patch
time64.patch
+ CVE-2020-0569.patch
+ CVE-2020-0570.patch
"
# secfixes: qt
@@ -36,6 +38,9 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu
# - CVE-2018-19870
# - CVE-2018-19871
# - CVE-2018-19873
+# 5.12.6-r1:
+# - CVE-2020-0569
+# - CVE-2020-0570
_qt5_prefix=/usr/lib/qt5
_qt5_datadir=/usr/share/qt5
@@ -175,4 +180,6 @@ sha512sums="5fb82d903b0db95c23c55785047722dea7979e7f94ecaaf374e0c73b4787aabd768a
d00dc607b71a93132f756b952871df9197cfd6d78cc3617544bfa11d7f0eea21ce5dd0d1aeb69dd2702a5694a63d3802accc76499dbf414c01eb56421698cb0c big-endian-scroll-wheel.patch
ee78a44e28ba5f728914bfc3d8d5b467896c7de11a02d54b0bce11e40a4338b1f776c1fcc30cbd436df4f548c1ab0b4fe801f01b162ddd5c0f892893e227acfd link-to-execinfo.patch
e3982b2df2ab4ba53b7a1329a9eb928eb1fee813c61cf6ac03d3300a767ffb57f019ac0fd89f633cac2330549446ff3d43344871296bf362815e7ebffadefa6b qt-musl-iconv-no-bom.patch
-436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c time64.patch"
+436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c time64.patch
+ddeb0a59cf0901b38669314fd2f14dffba63c6cbd06a3d864cd329081cc2b10323ec52053a6ffe7baf5ee8a1e137331acfe5d874c03596660630dd151828da56 CVE-2020-0569.patch
+b5973799d6dc7c03124b7df5424e5fa84cb81ec3b997e039b84cca21852abaf4ff61780b99c47f1fd6ce64ae61f61b2458ca2929e068644f1973a6f1c53a4d64 CVE-2020-0570.patch"
diff --git a/user/qt5-qtbase/CVE-2020-0569.patch b/user/qt5-qtbase/CVE-2020-0569.patch
new file mode 100644
index 000000000..fa0efdce3
--- /dev/null
+++ b/user/qt5-qtbase/CVE-2020-0569.patch
@@ -0,0 +1,29 @@
+From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
+From: Olivier Goffart <ogoffart@woboq.com>
+Date: Fri, 8 Nov 2019 11:30:40 +0100
+Subject: Do not load plugin from the $PWD
+
+I see no reason why this would make sense to look for plugins in the current
+directory. And when there are plugins there, it may actually be wrong
+
+Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+---
+ src/corelib/plugin/qpluginloader.cpp | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
+index cadff4f32b..c2443dbdda 100644
+--- a/src/corelib/plugin/qpluginloader.cpp
++++ b/src/corelib/plugin/qpluginloader.cpp
+@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
+ paths.append(fileName.left(slash)); // don't include the '/'
+ } else {
+ paths = QCoreApplication::libraryPaths();
+- paths.prepend(QStringLiteral(".")); // search in current dir first
+ }
+
+ for (const QString &path : qAsConst(paths)) {
+--
+cgit v1.2.1
+
diff --git a/user/qt5-qtbase/CVE-2020-0570.patch b/user/qt5-qtbase/CVE-2020-0570.patch
new file mode 100644
index 000000000..dcf507c0d
--- /dev/null
+++ b/user/qt5-qtbase/CVE-2020-0570.patch
@@ -0,0 +1,55 @@
+From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macieira@intel.com>
+Date: Fri, 10 Jan 2020 09:26:27 -0800
+Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
+
+I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
+find libraries in a haswell/ subdir of the main path, but we only need
+to do that transformation if the library is contains at least one
+directory seprator. That is, if the user asks to load "lib/foo", then we
+should try "lib/haswell/foo" (often, the path prefix will be absolute).
+
+When the library name the user requested has no directory separators, we
+let dlopen() do the transformation for us. Testing on Linux confirms
+glibc does so:
+
+$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
+ 1972475: find library=libXcursor.so.1 [0]; searching
+ 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/libXcursor.so.1
+ 1972475: calling init: /usr/lib64/libXcursor.so.1
+ 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
+
+Fixes: QTBUG-81272
+Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+---
+ src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
+index f0de1010d7..135b82cd37 100644
+--- a/src/corelib/plugin/qlibrary_unix.cpp
++++ b/src/corelib/plugin/qlibrary_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2018 Intel Corporation
++** Copyright (C) 2020 Intel Corporation
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
+ for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
+ if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
+ continue;
++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
++ continue;
+ if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
+ continue;
+ if (loadHints & QLibrary::LoadArchiveMemberHint) {
+--
+cgit v1.2.1
+