summaryrefslogtreecommitdiff
path: root/user
diff options
context:
space:
mode:
Diffstat (limited to 'user')
-rw-r--r--user/djvulibre/APKBUILD11
-rw-r--r--user/djvulibre/CVE-2019-18804.patch39
-rw-r--r--user/exiv2/APKBUILD19
-rw-r--r--user/exiv2/CVE-2019-20421.patch116
-rw-r--r--user/hunspell/APKBUILD14
-rw-r--r--user/hunspell/CVE-2019-16707.patch22
-rw-r--r--user/libexif/APKBUILD11
-rw-r--r--user/libexif/CVE-2016-6328.patch60
-rw-r--r--user/libexif/CVE-2019-9278.patch85
-rw-r--r--user/libgd/APKBUILD16
-rw-r--r--user/libgd/CVE-2018-14553.patch99
-rw-r--r--user/librsvg/APKBUILD10
-rw-r--r--user/openjpeg/APKBUILD14
-rw-r--r--user/openjpeg/CVE-2020-6851.patch29
-rw-r--r--user/openjpeg/CVE-2020-8112.patch43
-rw-r--r--user/weechat/APKBUILD10
16 files changed, 572 insertions, 26 deletions
diff --git a/user/djvulibre/APKBUILD b/user/djvulibre/APKBUILD
index 2b4a3ed0e..fa2ce6059 100644
--- a/user/djvulibre/APKBUILD
+++ b/user/djvulibre/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=djvulibre
pkgver=3.5.27
-pkgrel=1
+pkgrel=2
pkgdesc="Format for distributing documents and images"
url="http://djvu.sourceforge.net/"
arch="all"
@@ -15,7 +15,9 @@ source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz
CVE-2019-15142.patch
CVE-2019-15143.patch
CVE-2019-15144.patch
- CVE-2019-15145.patch"
+ CVE-2019-15145.patch
+ CVE-2019-18804.patch
+ "
# secfixes:
# 3.5.27-r1:
@@ -23,6 +25,8 @@ source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz
# - CVE-2019-15143
# - CVE-2019-15144
# - CVE-2019-15145
+# 3.5.27-r2:
+# - CVE-2019-18804
build() {
./configure \
@@ -48,4 +52,5 @@ sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252
d9e4301fb98a35b8c2f1854eb4be53611f98b3fc9fdd357dd5502b5b189bdf61957a48b220f3ab7465bbf1df8606ce04513e10df74643a9e289c349f94721561 CVE-2019-15142.patch
3527e1c84f7c7d36f902cb3d7e9ddb6866acbdd4b47675ce3ffd164accf2e2931a4c6bbaae2ea775b4710d88ae34dd4dcd39a5846fce13bef2c82a99d608b8c1 CVE-2019-15143.patch
f8f1abf328a97d69514b2626e4c6449c0c7b7e2b5518d56bba6a61a944aaf4b7fffd1371c26396353728f6a1399c6d87492af5c17e6b623dae7751b81eac11f9 CVE-2019-15144.patch
-790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068 CVE-2019-15145.patch"
+790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068 CVE-2019-15145.patch
+e5d6cd98f208db49880c6237f7cd8ab097d02f9771936c04a5acc48d9d18876d5cf48bcc61b14f1affc501ee63e8d6337fa83af259485ef35d4faa5086f06d10 CVE-2019-18804.patch"
diff --git a/user/djvulibre/CVE-2019-18804.patch b/user/djvulibre/CVE-2019-18804.patch
new file mode 100644
index 000000000..7c66c3989
--- /dev/null
+++ b/user/djvulibre/CVE-2019-18804.patch
@@ -0,0 +1,39 @@
+From c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Thu, 17 Oct 2019 22:20:31 -0400
+Subject: [PATCH] Fixed bug 309
+
+---
+ libdjvu/IW44EncodeCodec.cpp | 2 +-
+ tools/ddjvu.cpp | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp
+index 00752a0..f81eaeb 100644
+--- a/libdjvu/IW44EncodeCodec.cpp
++++ b/libdjvu/IW44EncodeCodec.cpp
+@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale)
+ int y = 0;
+ int s = scale*rowsize;
+ int s3 = s+s+s;
+- h = ((h-1)/scale)+1;
++ h = (h>0) ? ((h-1)/scale)+1 : 0;
+ y += 1;
+ p += s;
+ while (y-3 < h)
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 6d0df3b..7109952 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno)
+ prect.h = (ih * 100) / dpi;
+ }
+ /* Process aspect ratio */
+- if (flag_aspect <= 0)
++ if (flag_aspect <= 0 && iw>0 && ih>0)
+ {
+ double dw = (double)iw / prect.w;
+ double dh = (double)ih / prect.h;
+--
+2.20.1
+
diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD
index f1ca3f81f..fb710b602 100644
--- a/user/exiv2/APKBUILD
+++ b/user/exiv2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=exiv2
pkgver=0.27.2
-pkgrel=1
+pkgrel=2
pkgdesc="Exif, IPTC and XMP metadata library and tools"
url="https://www.exiv2.org/"
arch="all"
@@ -12,8 +12,11 @@ checkdepends="python3 libxml2 cmd:which"
makedepends="$depends_dev bash cmake"
subpackages="$pkgname-dev $pkgname-doc"
source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
- https://dev.sick.bike/dist/exiv2-0.27.2-POC-file_issue_1019
- CVE-2019-17402.patch"
+ https://dev.sick.bike/dist/exiv2-$pkgver-POC-file_issue_1019
+ https://dev.sick.bike/dist/exiv2-$pkgver-Jp2Image_readMetadata_loop.poc
+ CVE-2019-17402.patch
+ CVE-2019-20421.patch
+ "
builddir="$srcdir/$pkgname-$pkgver-Source"
# secfixes:
@@ -86,6 +89,8 @@ builddir="$srcdir/$pkgname-$pkgver-Source"
# - CVE-2019-13114
# 0.27.2-r1:
# - CVE-2019-17402
+# 0.27.2-r2:
+# - CVE-2019-20421
prepare() {
default_prepare
@@ -93,6 +98,10 @@ prepare() {
# Remove #1019 POC after >= 0.27.2
mv "$srcdir/$pkgname-$pkgver-POC-file_issue_1019" \
test/data/POC-file_issue_1019
+
+ # Ditto
+ mv "$srcdir/$pkgname-$pkgver-Jp2Image_readMetadata_loop.poc" \
+ test/data/Jp2Image_readMetadata_loop.poc
}
build() {
@@ -112,4 +121,6 @@ package() {
sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz
cfe0b534c29c37e7b6e5a00e8ec320cb57eb17187813fe30677a097e930655f1b097ce77806e0124affbdc423b48d9910560158eed9d2d03418a824244dafba9 exiv2-0.27.2-POC-file_issue_1019
-623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd CVE-2019-17402.patch"
+d2c0f59e9e2daf00066b0ad73253bb7bb09b3319606813f16478ef5717751e4cbb93d12f5c9339dae2965dcf6a63138bdb4205b698aeab57a75f97ddf458d4f7 exiv2-0.27.2-Jp2Image_readMetadata_loop.poc
+623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd CVE-2019-17402.patch
+c819f06a194b8465c66ccd91b8373cb2a359e59bab7583a8abb873c2001efe6188ac8fa4717c6382d2f2396d25e79e7b397c5ebf000d35c4a7dae547db7bc77b CVE-2019-20421.patch"
diff --git a/user/exiv2/CVE-2019-20421.patch b/user/exiv2/CVE-2019-20421.patch
new file mode 100644
index 000000000..bdc5449f2
--- /dev/null
+++ b/user/exiv2/CVE-2019-20421.patch
@@ -0,0 +1,116 @@
+From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
+From: clanmills <robin@clanmills.com>
+Date: Tue, 1 Oct 2019 17:39:44 +0100
+Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
+
+---
+ src/jp2image.cpp | 25 +++++++++++++++----
+ tests/bugfixes/github/test_CVE_2017_17725.py | 4 +--
+ tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++
+ 4 files changed, 35 insertions(+), 7 deletions(-)
+ create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
+ create mode 100644 tests/bugfixes/github/test_issue_1011.py
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index d5cd1340a..0de088d62 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -18,10 +18,6 @@
+ * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
+ */
+
+-/*
+- File: jp2image.cpp
+-*/
+-
+ // *****************************************************************************
+
+ // included header files
+@@ -197,6 +193,16 @@ namespace Exiv2
+ return result;
+ }
+
++static void boxes_check(size_t b,size_t m)
++{
++ if ( b > m ) {
++#ifdef EXIV2_DEBUG_MESSAGES
++ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
++#endif
++ throw Error(kerCorruptedMetadata);
++ }
++}
++
+ void Jp2Image::readMetadata()
+ {
+ #ifdef EXIV2_DEBUG_MESSAGES
+@@ -219,9 +225,12 @@ namespace Exiv2
+ Jp2BoxHeader subBox = {0,0};
+ Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};
+ Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
++ size_t boxes = 0 ;
++ size_t boxem = 1000 ; // boxes max
+
+ while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
+ {
++ boxes_check(boxes++,boxem );
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
+@@ -251,8 +260,12 @@ namespace Exiv2
+
+ while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
+ {
++ boxes_check(boxes++, boxem) ;
+ subBox.length = getLong((byte*)&subBox.length, bigEndian);
+ subBox.type = getLong((byte*)&subBox.type, bigEndian);
++ if (subBox.length > io_->size() ) {
++ throw Error(kerCorruptedMetadata);
++ }
+ #ifdef EXIV2_DEBUG_MESSAGES
+ std::cout << "Exiv2::Jp2Image::readMetadata: "
+ << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+@@ -308,7 +321,9 @@ namespace Exiv2
+ }
+
+ io_->seek(restore,BasicIo::beg);
+- io_->seek(subBox.length, Exiv2::BasicIo::cur);
++ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
++ throw Error(kerCorruptedMetadata);
++ }
+ restore = io_->tell();
+ }
+ break;
+diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
+index 1127b9806..670a75d8d 100644
+--- a/tests/bugfixes/github/test_CVE_2017_17725.py
++++ b/tests/bugfixes/github/test_CVE_2017_17725.py
+@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
+ filename = "$data_path/poc_2017-12-12_issue188"
+ commands = ["$exiv2 " + filename]
+ stdout = [""]
+- stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
+-$addition_overflow_message
++ stderr = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
+ """]
+ retval = [1]
+diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py
+new file mode 100644
+index 000000000..415861188
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_1011.py
+@@ -0,0 +1,13 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, path
++
++class Test_issue_1011(metaclass=CaseMeta):
++
++ filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
++ commands = ["$exiv2 " + filename]
++ stdout = [""]
++ stderr = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
++"""]
++ retval = [1]
+\ No newline at end of file
diff --git a/user/hunspell/APKBUILD b/user/hunspell/APKBUILD
index 79da8d619..ec63c5414 100644
--- a/user/hunspell/APKBUILD
+++ b/user/hunspell/APKBUILD
@@ -1,7 +1,7 @@
-# Maintainer:
+# Maintainer:
pkgname=hunspell
pkgver=1.7.0
-pkgrel=0
+pkgrel=1
pkgdesc="Spell checker and morphological analyzer library and program"
url="https://hunspell.github.io/"
arch="all"
@@ -9,7 +9,12 @@ license="GPL-2.0+ AND LGPL-2.0+ AND MPL-1.1"
depends=""
makedepends="ncurses-dev autoconf automake libtool"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
-source="$pkgname-$pkgver.tar.gz::https://github.com/hunspell/hunspell/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/hunspell/hunspell/archive/v$pkgver.tar.gz
+ CVE-2019-16707.patch"
+
+# secfixes:
+# 1.7.0-r1:
+# - CVE-2019-16707
prepare() {
default_prepare
@@ -35,4 +40,5 @@ package() {
make -j1 DESTDIR="$pkgdir" install
}
-sha512sums="8149b2e8b703a0610c9ca5160c2dfad3cf3b85b16b3f0f5cfcb7ebb802473b2d499e8e2d0a637a97a37a24d62424e82d3880809210d3f043fa17a4970d47c903 hunspell-1.7.0.tar.gz"
+sha512sums="8149b2e8b703a0610c9ca5160c2dfad3cf3b85b16b3f0f5cfcb7ebb802473b2d499e8e2d0a637a97a37a24d62424e82d3880809210d3f043fa17a4970d47c903 hunspell-1.7.0.tar.gz
+e7674819a9da4c3d742d34338d68d137d8613f97be2d25bf20db5219d4dd626f59a63ed4757b92f34307f499f2d687014065cdea97b55c98db295a8290300d2d CVE-2019-16707.patch"
diff --git a/user/hunspell/CVE-2019-16707.patch b/user/hunspell/CVE-2019-16707.patch
new file mode 100644
index 000000000..649eef5b2
--- /dev/null
+++ b/user/hunspell/CVE-2019-16707.patch
@@ -0,0 +1,22 @@
+From ac938e2ecb48ab4dd21298126c7921689d60571b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 12 Nov 2019 20:03:15 +0000
+Subject: [PATCH] invalid read memory access #624
+
+---
+ src/hunspell/suggestmgr.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hunspell/suggestmgr.cxx b/src/hunspell/suggestmgr.cxx
+index dba084e9..c23f165a 100644
+--- a/src/hunspell/suggestmgr.cxx
++++ b/src/hunspell/suggestmgr.cxx
+@@ -2040,7 +2040,7 @@ int SuggestMgr::leftcommonsubstring(
+ int l2 = su2.size();
+ // decapitalize dictionary word
+ if (complexprefixes) {
+- if (su1[l1 - 1] == su2[l2 - 1])
++ if (l1 && l2 && su1[l1 - 1] == su2[l2 - 1])
+ return 1;
+ } else {
+ unsigned short idx = su2.empty() ? 0 : (su2[0].h << 8) + su2[0].l;
diff --git a/user/libexif/APKBUILD b/user/libexif/APKBUILD
index de51ae7b0..06e1e832a 100644
--- a/user/libexif/APKBUILD
+++ b/user/libexif/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer:
pkgname=libexif
pkgver=0.6.21
-pkgrel=3
+pkgrel=4
pkgdesc="Library to parse EXIF metadata"
url="https://sourceforge.net/projects/libexif"
arch="all"
@@ -10,14 +10,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
depends=""
makedepends=""
source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.bz2
+ CVE-2016-6328.patch
CVE-2017-7544.patch
CVE-2018-20030.patch
+ CVE-2019-9278.patch
"
# secfixes:
# 0.6.21-r3:
# - CVE-2017-7544
# - CVE-2018-20030
+# 0.6.21-r4:
+# - CVE-2016-6328
+# - CVE-2019-9278
prepare() {
default_prepare
@@ -41,5 +46,7 @@ package() {
}
sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 libexif-0.6.21.tar.bz2
+c0d4c74207993efc373615ef2c797d720162a2ee6fd7ad026edf2ced4198d9b1165b88790c2af3194f6bb7c2de88d4672c041c2cff8a82c8914700633332b8c5 CVE-2016-6328.patch
d529c6c5bd26dc21c0946702574184e1f61c2bfd4fb95b41e314f486a0dd55571963ff2cad566d2fb0804de3c0799bcd956c15a3dc10a520ce207728edad4e2d CVE-2017-7544.patch
-0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc CVE-2018-20030.patch"
+0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc CVE-2018-20030.patch
+c30c03fefea94d175b94c9f0c4d60cbb3aa0ad78b0d29008975fbbb15c17f2907a16fd50970e5fa18d533d0ce291a5ee9b62934210cb40b0f463693460607738 CVE-2019-9278.patch"
diff --git a/user/libexif/CVE-2016-6328.patch b/user/libexif/CVE-2016-6328.patch
new file mode 100644
index 000000000..0568f27d2
--- /dev/null
+++ b/user/libexif/CVE-2016-6328.patch
@@ -0,0 +1,60 @@
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ case EXIF_FORMAT_SHORT:
+ {
+ const unsigned char *data = entry->data;
+- size_t k, len = strlen(val);
++ size_t k, len = strlen(val), sizeleft;
++
++ sizeleft = entry->size;
+ for(k=0; k<entry->components; k++) {
++ if (sizeleft < 2)
++ break;
+ vs = exif_get_short (data, entry->order);
+ snprintf (val+len, maxlen-len, "%i ", vs);
+ len = strlen(val);
+ data += 2;
++ sizeleft -= 2;
+ }
+ }
+ break;
+ case EXIF_FORMAT_LONG:
+ {
+ const unsigned char *data = entry->data;
+- size_t k, len = strlen(val);
++ size_t k, len = strlen(val), sizeleft;
++
++ sizeleft = entry->size;
+ for(k=0; k<entry->components; k++) {
++ if (sizeleft < 4)
++ break;
+ vl = exif_get_long (data, entry->order);
+ snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ len = strlen(val);
+ data += 4;
++ sizeleft -= 4;
+ }
+ }
+ break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ break;
+ }
+
+- return (val);
++ return val;
+ }
diff --git a/user/libexif/CVE-2019-9278.patch b/user/libexif/CVE-2019-9278.patch
new file mode 100644
index 000000000..bd15e8d13
--- /dev/null
+++ b/user/libexif/CVE-2019-9278.patch
@@ -0,0 +1,85 @@
+From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Sat, 18 Jan 2020 09:29:42 +0100
+Subject: [PATCH] fix CVE-2019-9278
+
+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
+
+check for the actual sizes, which should also handle the overflows
+document other places google patched, but do not seem relevant due to other restrictions
+
+fixes https://github.com/libexif/libexif/issues/26
+---
+ libexif/exif-data.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index a6f9c94..6332cd1 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+ doff = offset + 8;
+
+ /* Sanity checks */
+- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++ if (doff >= size) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Tag data past end of buffer (%u > %u)", doff+s, size);
++ "Tag starts past end of buffer (%u > %u)", doff, size);
++ return 0;
++ }
++
++ if (s > size - doff) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+ return 0;
+ }
+
+@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ unsigned int ds, ExifLong o, ExifLong s)
+ {
+ /* Sanity checks */
+- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Bogus thumbnail offset (%u) or size (%u).",
+- o, s);
++ if (o >= ds) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++ return;
++ }
++ if (s > ds - o) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ return;
+ }
+-
+ if (data->data)
+ exif_mem_free (data->priv->mem, data->data);
+ if (!(data->data = exif_data_alloc (data, s))) {
+@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 0 at %i.", (int) offset);
+
+- /* Sanity check the offset, being careful about overflow */
++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ if (offset > ds || offset + 6 + 2 > ds)
+ return;
+
+@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+
+ /* IFD 1 offset */
+ n = exif_get_short (d + 6 + offset, data->priv->order);
++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ if (offset + 6 + 2 + 12 * n + 4 > ds)
+ return;
+
+@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 1 at %i.", (int) offset);
+
+- /* Sanity check. */
+- if (offset > ds || offset + 6 > ds) {
++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++ if (offset > ds - 6) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifData", "Bogus offset of IFD1.");
+ } else {
diff --git a/user/libgd/APKBUILD b/user/libgd/APKBUILD
index 27de81126..2a537dfca 100644
--- a/user/libgd/APKBUILD
+++ b/user/libgd/APKBUILD
@@ -2,20 +2,22 @@
# Maintainer:
pkgname=libgd
pkgver=2.2.5
-pkgrel=1
+pkgrel=2
pkgdesc="Library for dynamic image creation"
url="http://libgd.github.io/"
arch="all"
options="!check" # Upstream bug 201 regression.
license="MIT"
depends=""
-makedepends="bash fontconfig-dev freetype-dev libjpeg-turbo-dev libpng-dev
- libwebp-dev zlib-dev"
+makedepends="autoconf automake bash fontconfig-dev freetype-dev
+ libjpeg-turbo-dev libpng-dev libtool libwebp-dev tiff-dev zlib-dev
+ "
subpackages="$pkgname-dev"
replaces="gd"
source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgname-$pkgver.tar.xz
CVE-2016-7568.patch
CVE-2018-5711.patch
+ CVE-2018-14553.patch
CVE-2018-1000222.patch
CVE-2019-6977.patch
CVE-2019-6978.patch
@@ -27,6 +29,13 @@ source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgna
# - CVE-2018-1000222
# - CVE-2019-6977
# - CVE-2019-6978
+# 2.2.5-r2:
+# - CVE-2018-14553
+
+prepare() {
+ default_prepare
+ autoreconf -vif
+}
build() {
./configure \
@@ -58,6 +67,7 @@ dev() {
sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz
8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch
d6577566814cbe2d93b141a4216b32acdeb2989dc1712eb137565081b913151bbb4c69911c96b2bb7c90695078a85152d368aad183de494d1283fde25021751b CVE-2018-5711.patch
+353491fab6c6e0916dca910c9d14f0e0efab6d9d88c48f6f3f2f69e60312489039b25d26980e7c5c2c04ed9e56003b99eae77bd412fbbed1d8eb47d561f7af74 CVE-2018-14553.patch
d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch
df84e469515f684d79ebad163e137401627310a984ac1ae6a4d31b739b3dc6d9144f101e9bfc3211af1d7cdbaa827721d21a9fe528e69b9b60a943ec8a7ab74b CVE-2019-6977.patch
3bf31941365a878bef899afa14a89e4ad0fbfb3280d34b2118c8484698e15eff600751ae3ce146a4f006e6c21730cb18899bae3538f6cc2651025274b40cf1ca CVE-2019-6978.patch"
diff --git a/user/libgd/CVE-2018-14553.patch b/user/libgd/CVE-2018-14553.patch
new file mode 100644
index 000000000..7510101d1
--- /dev/null
+++ b/user/libgd/CVE-2018-14553.patch
@@ -0,0 +1,99 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+
+---
+ src/gd.c | 9 +--------
+ tests/gdimageclone/CMakeLists.txt | 1 +
+ tests/gdimageclone/Makemodule.am | 3 ++-
+ tests/gdimageclone/style.c | 30 ++++++++++++++++++++++++++++++
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+ create mode 100644 tests/gdimageclone/style.c
+
+diff --git a/src/gd.c b/src/gd.c
+index 592a0286..d564d1f9 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ }
+ }
+
+- if (src->styleLength > 0) {
+- dst->styleLength = src->styleLength;
+- dst->stylePos = src->stylePos;
+- for (i = 0; i < src->styleLength; i++) {
+- dst->style[i] = src->style[i];
+- }
+- }
+-
+ dst->interlace = src->interlace;
+
+ dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+
+ if (src->style) {
+ gdImageSetStyle(dst, src->style, src->styleLength);
++ dst->stylePos = src->stylePos;
+ }
+
+ for (i = 0; i < gdMaxColors; i++) {
+diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt
+index e6ccc318..662f4e96 100644
+--- a/tests/gdimageclone/CMakeLists.txt
++++ b/tests/gdimageclone/CMakeLists.txt
+@@ -1,5 +1,6 @@
+ LIST(APPEND TESTS_FILES
+ bug00300
++ style
+ )
+
+ ADD_GD_TESTS()
+diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am
+index 4b1b54c0..51abf5c1 100644
+--- a/tests/gdimageclone/Makemodule.am
++++ b/tests/gdimageclone/Makemodule.am
+@@ -1,5 +1,6 @@
+ libgd_test_programs += \
+- gdimageclone/bug00300
++ gdimageclone/bug00300 \
++ gdimageclone/style
+
+ EXTRA_DIST += \
+ gdimageclone/CMakeLists.txt
+diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c
+new file mode 100644
+index 00000000..c2b246ed
+--- /dev/null
++++ b/tests/gdimageclone/style.c
+@@ -0,0 +1,30 @@
++/**
++ * Cloning an image should exactly reproduce all style related data
++ */
++
++
++#include <string.h>
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++ gdImagePtr im, clone;
++ int style[] = {0, 0, 0};
++
++ im = gdImageCreate(8, 8);
++ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
++
++ clone = gdImageClone(im);
++ gdTestAssert(clone != NULL);
++
++ gdTestAssert(clone->styleLength == im->styleLength);
++ gdTestAssert(clone->stylePos == im->stylePos);
++ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
++
++ gdImageDestroy(clone);
++ gdImageDestroy(im);
++
++ return gdNumFailures();
++}
diff --git a/user/librsvg/APKBUILD b/user/librsvg/APKBUILD
index eddc645dc..3fa19b15b 100644
--- a/user/librsvg/APKBUILD
+++ b/user/librsvg/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer:
pkgname=librsvg
-pkgver=2.40.20
-pkgrel=1
+pkgver=2.40.21
+pkgrel=0
pkgdesc="SAX-based renderer for SVG files into a GdkPixbuf"
url="https://wiki.gnome.org/action/show/Projects/LibRsvg"
arch="all"
@@ -14,6 +14,10 @@ makedepends="$depends_dev bzip2-dev cairo-dev glib-dev
gobject-introspection-dev"
source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz"
+# secfixes:
+# 2.40.21-r0:
+# - CVE-2019-20446
+
build() {
./configure \
--build=$CBUILD \
@@ -33,4 +37,4 @@ package() {
rm -rf "$pkgdir"/usr/lib/mozilla
}
-sha512sums="cdd8224deb4c3786e29f48ed02c32ed9dff5cb15aba574a5ef845801ad3669cfcc3eedb9d359c22213dc7a29de24c363248825adad5877c40abf73b3688ff12f librsvg-2.40.20.tar.xz"
+sha512sums="db0563d8e0edaae642a6b2bcd239cf54191495058ac8c7ff614ebaf88c0e30bd58dbcd41f58d82a9d5ed200ced45fc5bae22f2ed3cf3826e9348a497009e1280 librsvg-2.40.21.tar.xz"
diff --git a/user/openjpeg/APKBUILD b/user/openjpeg/APKBUILD
index 680e1c8c2..54f9811ea 100644
--- a/user/openjpeg/APKBUILD
+++ b/user/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=openjpeg
pkgver=2.3.1
-pkgrel=2
+pkgrel=3
pkgdesc="Open-source implementation of JPEG 2000 image codec"
url="http://www.openjpeg.org/"
arch="all"
@@ -13,9 +13,15 @@ depends_dev="$pkgname-tools"
makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake"
subpackages="$pkgname-dev $pkgname-tools"
source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
- CVE-2019-12973.patch"
+ CVE-2019-12973.patch
+ CVE-2020-6851.patch
+ CVE-2020-8112.patch
+ "
# secfixes:
+# 2.3.1-r3:
+# - CVE-2020-6851
+# - CVE-2020-8112
# 2.3.1-r2:
# - CVE-2019-12973
# 2.3.0-r0:
@@ -52,4 +58,6 @@ tools() {
}
sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03 openjpeg-2.3.1.tar.gz
-472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch"
+472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch
+c8ffc926d91392b38250fd4e00fff5f93fbf5e17487d0e4a0184c9bd191aa2233c5c5dcf097dd62824714097bba2d8cc865bed31193d1a072aa954f216011297 CVE-2020-6851.patch
+9659e04087e0d80bf53555e9807aae59205adef2d49d7a49e05bf250c484a2e92132d471ec6076e57ca69b5ce98fd81462a6a8c01205ca7096781eec06e401cc CVE-2020-8112.patch"
diff --git a/user/openjpeg/CVE-2020-6851.patch b/user/openjpeg/CVE-2020-6851.patch
new file mode 100644
index 000000000..9a70291f5
--- /dev/null
+++ b/user/openjpeg/CVE-2020-6851.patch
@@ -0,0 +1,29 @@
+From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 11 Jan 2020 01:51:19 +0100
+Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
+ coordinates are beyond INT_MAX (fixes #1228)
+
+---
+ src/lib/openjp2/j2k.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 14f6ff41a..922550eb1 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
+ l_img_comp = p_image->comps;
+ for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+ OPJ_INT32 l_h, l_w;
++ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
++ p_image->y0 > (OPJ_UINT32)INT_MAX ||
++ p_image->x1 > (OPJ_UINT32)INT_MAX ||
++ p_image->y1 > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Image coordinates above INT_MAX are not supported\n");
++ return OPJ_FALSE;
++ }
+
+ l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
+ (OPJ_INT32)l_img_comp->dx);
diff --git a/user/openjpeg/CVE-2020-8112.patch b/user/openjpeg/CVE-2020-8112.patch
new file mode 100644
index 000000000..95cb8095f
--- /dev/null
+++ b/user/openjpeg/CVE-2020-8112.patch
@@ -0,0 +1,43 @@
+From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 30 Jan 2020 00:59:57 +0100
+Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
+
+That could lead to later assertion failures.
+
+Fixes #1231 / CVE-2020-8112
+---
+ src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index deecc4dff..aa419030a 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
+ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+ l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++ (OPJ_INT32)l_pdx)) << l_pdx;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_x_end = (OPJ_INT32)tmp;
++ }
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++ (OPJ_INT32)l_pdy)) << l_pdy;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_y_end = (OPJ_INT32)tmp;
++ }
+ /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+
+ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
diff --git a/user/weechat/APKBUILD b/user/weechat/APKBUILD
index ddf80a03a..dfa1a3277 100644
--- a/user/weechat/APKBUILD
+++ b/user/weechat/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: zlg <zlg+adelie@zlg.space>
# Maintainer: Kiyoshi Aman <adelie@aerdan.vulpine.house>
pkgname=weechat
-pkgver=2.7
+pkgver=2.7.1
pkgrel=0
pkgdesc="Fast, light, extensible ncurses-based chat client"
url="https://www.weechat.org"
@@ -22,9 +22,11 @@ source="https://www.weechat.org/files/src/$pkgname-$pkgver.tar.gz"
# secfixes:
# 1.7.1-r0:
-# - CVE-2017-8073
+# - CVE-2017-8073
# 1.9.1-r0:
-# - CVE-2017-14727
+# - CVE-2017-14727
+# 2.7.1-r0:
+# - CVE-2020-8955
build() {
cmake \
@@ -59,4 +61,4 @@ _plugin() {
mv "$pkgdir"/$_dir/${_name}.so "$subpkgdir"/$_dir
}
-sha512sums="7a9205b6a3b7e338b14708e1b9aad4f2099506c46b1e86faf4fa94a105bc20b056a53ce3d003ae31ea1cdbab711ddd9dca7258a7d03f0f7af3703ebdbdfeb3d9 weechat-2.7.tar.gz"
+sha512sums="2d2f555a4c48dbfa60a97845657e041fcd37bdde01974b4a49ff2d0ef6b92f16147f84b0e60772e9f54ba3e05ae1772012d3551a5fbb8bdf8332a08ef63a352d weechat-2.7.1.tar.gz"