diff options
Diffstat (limited to 'user')
26 files changed, 716 insertions, 126 deletions
diff --git a/user/at-spi2-atk/APKBUILD b/user/at-spi2-atk/APKBUILD index b64c2e0f2..85a16db16 100644 --- a/user/at-spi2-atk/APKBUILD +++ b/user/at-spi2-atk/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: pkgname=at-spi2-atk -pkgver=2.34.2 +pkgver=2.38.0 pkgrel=0 pkgdesc="GTK+ module to bridge ATK to D-Bus at-spi" url="https://wiki.linuxfoundation.org/accessibility/d-bus" @@ -28,4 +28,4 @@ package() { DESTDIR="$pkgdir" ninja -C build install } -sha512sums="59e7ad5c944748ca00af8b0a9df03c9ffbc6afae6e65c25a2566a9e2a30e66724c4492076be1730c2894c636f82c795c533669572584d8d5675f68b349ad16c4 at-spi2-atk-2.34.2.tar.xz" +sha512sums="2f40ecbc55b0fbaa57ade952a75583bc8fbfde234cce9248489e9ae06e0597d98c2f4c77d8279758dec29da97e06cde5708d30a1238d91bebd023b2320f38528 at-spi2-atk-2.38.0.tar.xz" diff --git a/user/at-spi2-core/APKBUILD b/user/at-spi2-core/APKBUILD index 5788deb50..66b2ebcac 100644 --- a/user/at-spi2-core/APKBUILD +++ b/user/at-spi2-core/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: pkgname=at-spi2-core -pkgver=2.36.0 +pkgver=2.38.0 pkgrel=0 pkgdesc="Protocol definitions and daemon for D-Bus at-spi" url="https://wiki.linuxfoundation.org/accessibility/d-bus" @@ -26,4 +26,4 @@ package() { DESTDIR="$pkgdir" ninja -C builddir/ install } -sha512sums="f45d7e68bfcd9b93cebc47e30febce1ae6a4d9df2fbc9d5bdc25babb123c922d0f9a229485770b2f6ed386178144c20486fa3e46195041ea65a54ab019b1cbb6 at-spi2-core-2.36.0.tar.xz" +sha512sums="3a1eb27cff6e0dd03119b4f8361a3b6037b26c511e80e2d003d1d5c41fede6d49eb5e0ac1ee45cfb4f3ca8e53292a7e2da67df80be28e77014775e41777a96c1 at-spi2-core-2.38.0.tar.xz" diff --git a/user/bind/APKBUILD b/user/bind/APKBUILD index 2b39c5f1f..44cd5cf30 100644 --- a/user/bind/APKBUILD +++ b/user/bind/APKBUILD @@ -9,7 +9,7 @@ _p=${pkgver#*_p} _ver=${pkgver%_p*} _major=${pkgver%%.*} [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p" -pkgrel=0 +pkgrel=1 pkgdesc="The ISC DNS server" url="https://www.isc.org/downloads/bind/" arch="all" diff --git a/user/bluez/APKBUILD b/user/bluez/APKBUILD index 6f90834b1..3d7c3736a 100644 --- a/user/bluez/APKBUILD +++ b/user/bluez/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=bluez -pkgver=5.54 -pkgrel=1 +pkgver=5.55 +pkgrel=0 pkgdesc="Linux Bluetooth protocol stack" url="http://www.bluez.org/" arch="all" @@ -10,8 +10,8 @@ depends="dbus elogind" makedepends="alsa-lib-dev dbus-dev eudev-dev glib-dev libical-dev linux-headers ncurses-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-libs $pkgname-bccmd - $pkgname-btmon $pkgname-cups $pkgname-deprecated $pkgname-hid2hci - $pkgname-obexd $pkgname-openrc $pkgname-tools" + $pkgname-btmgmt $pkgname-btmon $pkgname-cups $pkgname-deprecated + $pkgname-hid2hci $pkgname-obexd $pkgname-openrc $pkgname-tools" source="https://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz https://ftp.gnu.org/gnu/readline/readline-8.0.tar.gz bluetooth.initd @@ -30,6 +30,8 @@ source="https://www.kernel.org/pub/linux/bluetooth/bluez-$pkgver.tar.xz " # secfixes: +# 5.55-r0: +# - CVE-2020-27153 # 5.54-r0: # - CVE-2020-0556 @@ -61,7 +63,8 @@ build() { --enable-library \ --enable-deprecated \ --enable-experimental \ - --enable-tools + --enable-tools \ + --enable-hid2hci make } @@ -91,6 +94,12 @@ btmon() { mv "$pkgdir"/usr/bin/btmon "$subpkgdir"/usr/bin/ } +btmgmt() { + pkgdesc="Bluez tool for the Bluetooth Management API" + install -Dm755 "$builddir"/tools/btmgmt -t \ + "$subpkgdir"/usr/bin +} + cups() { pkgdesc="BlueZ backend for CUPS" depends="cups" @@ -132,7 +141,7 @@ tools() { done } -sha512sums="e19d15d3a478a7af47c1921c8827843492e38787b1182152155bd3d8ad9e1d8ee25c5fda1f24e38c54ebbf946b09fe75007dca9a24d1c35f73303558e558dcbe bluez-5.54.tar.xz +sha512sums="9423cb60d15a6f068838497a1eaea9f5a32d70c07191c313ba821a6919d6e0c436ada4f547cc5f2db5eacc0123429ad54851f57df2554f61fa293743ec14a033 bluez-5.55.tar.xz 41759d27bc3a258fefd7f4ff3277fa6ab9c21abb7b160e1a75aa8eba547bd90b288514e76264bd94fb0172da8a4faa54aab2c07b68a0356918ecf7f1969e866f readline-8.0.tar.gz fc43c78ed248ea412529eed5ae8bb47bacca9bf5b3b10de121ddd4e792c85893561a88be4aa2c6318106e5d2146a721445152d44fa60ca257ca0b4eb87318c1e bluetooth.initd 8d7b7c8938a2316ce0a855e9bdf1ef8fcdf33d23f4011df828270a088b88b140a19c432e83fef15355d0829e3c86be05b63e7718fef88563254ea239b8dc12ac rfcomm.initd diff --git a/user/cifs-utils/APKBUILD b/user/cifs-utils/APKBUILD index 798bb8a1e..17b83ab41 100644 --- a/user/cifs-utils/APKBUILD +++ b/user/cifs-utils/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Francesco Colista <fcolista@alpinelinux.org> # Maintainer: Max Rees <maxcrees@me.com> pkgname=cifs-utils -pkgver=6.10 +pkgver=6.11 pkgrel=0 pkgdesc="CIFS filesystem user-space tools" url="https://wiki.samba.org/index.php/LinuxCIFS_utils" @@ -18,6 +18,10 @@ source="https://ftp.samba.org/pub/linux-cifs/$pkgname/$pkgname-$pkgver.tar.bz2 xattr_size_max.patch " +# secfixes: +# 6.11-r0: +# - CVE-2020-14342 + prepare() { default_prepare autoreconf -vif @@ -48,7 +52,7 @@ package() { chmod u+s "$pkgdir"/sbin/mount.cifs } -sha512sums="e19ca69b7948f01c1fd6a4ed069e00511588b903a5b8b0dc35ac1e00743170b9ca180b747c47d56cfacf273b296da21df60e1957404f26ebf2ba80bfa7e275cc cifs-utils-6.10.tar.bz2 +sha512sums="064c0ac75572fb44908390508462e4fdfe0686751149fd8b656a209dd961a5a24a7d9774c38c0e72fa5f9875b43aea7bf2de038c4e4a63a11664e71d9003100e cifs-utils-6.11.tar.bz2 99a2fab05bc2f14a600f89526ae0ed2c183cfa179fe386cb327075f710aee3aed5ae823f7c2f51913d1217c2371990d6d4609fdb8d80288bd3a6139df3c8aebe musl-fix-includes.patch f3acb4f7873628d67c7dfb2378135c302fe382e314277829ea5569710bac0ddb43684aa6d143327d735aec641997084eaa567823b534138ed884bd74044b652a respect-destdir.patch 2a9366ec1ddb0389c535d2fa889f63287cb8374535a47232de102c7e50b6874f67a3d5ef3318df23733300fd8459c7ec4b11f3211508aca7800b756119308e98 xattr_size_max.patch" diff --git a/user/claws-mail/APKBUILD b/user/claws-mail/APKBUILD index 72256b3a5..1554a00da 100644 --- a/user/claws-mail/APKBUILD +++ b/user/claws-mail/APKBUILD @@ -1,7 +1,7 @@ # Contributor: A. Wilcox <awilfox@adelielinux.org> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=claws-mail -pkgver=3.17.6 +pkgver=3.17.8 pkgrel=0 pkgdesc="User-friendly, lightweight, and fast email client" url="https://www.claws-mail.org/" @@ -15,6 +15,10 @@ makedepends="compface-dev curl-dev dbus-glib-dev enchant-dev gnutls-dev subpackages="$pkgname-doc $pkgname-lang" source="https://www.claws-mail.org/download.php?file=releases/claws-mail-$pkgver.tar.xz" +# secfixes: +# 3.17.8-r0: +# - CVE-2020-16094 + build() { ./configure \ --build=$CBUILD \ @@ -36,4 +40,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="07fdf7fce722ee1e50aa155bca720323a58842b372d8295bed33c7245fce5790a1bd3ed7462130664a218a804ab6bd1ba3663ee3e53fbbac6a4a477dd676ede0 claws-mail-3.17.6.tar.xz" +sha512sums="dc29c968dc81a184af8f66c1afe5c9d17558ce6a4a8b196136a9fb5deec96aa67eec42148ed0f4d6d6ee94aec2791247b9034090dac81beec193bd7d366617d7 claws-mail-3.17.8.tar.xz" diff --git a/user/confuse/APKBUILD b/user/confuse/APKBUILD index 4bdfa851f..fc31d73d1 100644 --- a/user/confuse/APKBUILD +++ b/user/confuse/APKBUILD @@ -1,10 +1,10 @@ # Contributor: Mira Ressel <aranea@aixah.de> # Maintainer: pkgname=confuse -pkgver=3.2.2 +pkgver=3.3 pkgrel=0 pkgdesc="Small configuration file parser library for C" -url=" " +url="https://github.com/martinh/libconfuse" arch="all" license="ISC" depends="" @@ -12,6 +12,10 @@ makedepends="" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" source="https://github.com/martinh/libconfuse/releases/download/v$pkgver/$pkgname-$pkgver.tar.xz" +# secfixes: +# 3.3-r0: +# - CVE-2018-19760 + build() { ./configure \ --build=$CBUILD \ @@ -34,4 +38,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="c6baea65e064fe7f2d1bde187c6dcbb7f03c31f5d777cb04576f9cc2d94e9c96b7ee202e030e9a2c7eb619deb240d9e76fb12b3528ae5aa0d3abe231354d12c9 confuse-3.2.2.tar.xz" +sha512sums="93cc62d98166199315f65a2f6f540a9c0d33592b69a2c6a57fd17f132aecc6ece39b9813b96c9a49ae2b66a99b7eba1188a9ce9e360e1c5fb4b973619e7088a0 confuse-3.3.tar.xz" diff --git a/user/eigen/APKBUILD b/user/eigen/APKBUILD index 125cf77fe..aa2a537d2 100644 --- a/user/eigen/APKBUILD +++ b/user/eigen/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Bradley J Chambers <brad.chambers@gmail.com> # Maintainer: pkgname=eigen -pkgver=3.3.7 +pkgver=3.3.8 pkgrel=0 pkgdesc="Eigen is a C++ template library for linear algebra" url="http://eigen.tuxfamily.org/index.php?title=Main_Page" @@ -11,12 +11,7 @@ license="MPL-2.0" depends="" makedepends="" subpackages="$pkgname-dev" -source="$pkgname-$pkgver.tar.gz::http://bitbucket.org/eigen/$pkgname/get/$pkgver.tar.gz" - -prepare() { - mv "$srcdir"/eigen-eigen-* "$builddir" # directory name contains hash - default_prepare -} +source="https://gitlab.com/libeigen/eigen/-/archive/$pkgver/eigen-$pkgver.tar.gz" package() { mkdir -p "$pkgdir"/usr/include/eigen3 @@ -24,4 +19,4 @@ package() { cp -r "$builddir"/unsupported "$pkgdir"/usr/include/eigen3 } -sha512sums="34cf600914cce719d61511577ef9cd26fbdcb7a6fad1d0ab8396f98b887fac6a5577d3967e84a8f56225cc50de38f3b91f34f447d14312028383e32b34ea1972 eigen-3.3.7.tar.gz" +sha512sums="5b4b5985b0294e07b3ed1155720cbbfea322fe9ccad0fc8b0a10060b136a9169a15d5b9cb7a434470cadd45dff0a43049edc20d2e1070005481a120212edc355 eigen-3.3.8.tar.gz" diff --git a/user/f2fs-tools/APKBUILD b/user/f2fs-tools/APKBUILD index 7784c170d..59246c22e 100644 --- a/user/f2fs-tools/APKBUILD +++ b/user/f2fs-tools/APKBUILD @@ -1,7 +1,7 @@ # Contributor: CyberLeo <cyberleo@cyberleo.net> # Maintainer: CyberLeo <cyberleo@cyberleo.net> pkgname=f2fs-tools -pkgver=1.13.0 +pkgver=1.14.0 pkgrel=0 pkgdesc="Tools for the Flash-Friendly File System (F2FS)" url="https://git.kernel.org/cgit/linux/kernel/git/jaegeuk/f2fs-tools.git" @@ -13,6 +13,14 @@ makedepends="automake autoconf bsd-compat-headers libtool util-linux-dev linux-h subpackages="$pkgname-doc $pkgname-dev $pkgname-libs" source="https://git.kernel.org/cgit/linux/kernel/git/jaegeuk/f2fs-tools.git/snapshot/$pkgname-$pkgver.tar.gz" +#secfixes: +# 1.14.0-r0: +# - CVE-2020-6104 +# - CVE-2020-6105 +# - CVE-2020-6106 +# - CVE-2020-6107 +# - CVE-2020-6108 + prepare() { default_prepare ./autogen.sh @@ -31,4 +39,4 @@ package() { install -D -m644 mkfs/f2fs_format_utils.h "$pkgdir"/usr/include/ } -sha512sums="fd920a19e8705a65395809aeef55791c5678ed31c026cdf41fc173e0dbcacdef1db7e0e184ec1aae8637b1784e2ad6e0207583e918255483fe43c73f89bd7f7f f2fs-tools-1.13.0.tar.gz" +sha512sums="951b74178f99722550e73f331be066f124f6ee6022710f6b47ae47390b978b08f12a7f2a268d82ca69a32bf440cd3ce3adddc8a4c49c32df83da87e7f659f98d f2fs-tools-1.14.0.tar.gz" diff --git a/user/freetype/APKBUILD b/user/freetype/APKBUILD index 78c8d96ae..88f531f10 100644 --- a/user/freetype/APKBUILD +++ b/user/freetype/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=freetype -pkgver=2.10.2 +pkgver=2.10.4 pkgrel=0 pkgdesc="TrueType font rendering library" url="https://www.freetype.org/" @@ -14,6 +14,8 @@ subpackages="$pkgname-dev $pkgname-doc" source="http://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.xz" # secfixes: +# 2.10.4-r0: +# - CVE-2020-15999 # 2.9.1-r0: # - CVE-2018-6942 # 2.7.1-r1: @@ -37,4 +39,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="cf45089bd8893d7de2cdcb59d91bbb300e13dd0f0a9ef80ed697464ba7aeaf46a5a81b82b59638e6b21691754d8f300f23e1f0d11683604541d77f0f581affaa freetype-2.10.2.tar.xz" +sha512sums="827cda734aa6b537a8bcb247549b72bc1e082a5b32ab8d3cccb7cc26d5f6ee087c19ce34544fa388a1eb4ecaf97600dbabc3e10e950f2ba692617fee7081518f freetype-2.10.4.tar.xz" diff --git a/user/i3status/APKBUILD b/user/i3status/APKBUILD index 01e567cee..f143b6fc5 100644 --- a/user/i3status/APKBUILD +++ b/user/i3status/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=i3status pkgver=2.13 -pkgrel=1 +pkgrel=2 pkgdesc="Status bar generator for dzen2, xmobar or similar" url="https://i3wm.org/i3status/" arch="all" diff --git a/user/libcroco/APKBUILD b/user/libcroco/APKBUILD index 209720aaa..4470ac952 100644 --- a/user/libcroco/APKBUILD +++ b/user/libcroco/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: pkgname=libcroco pkgver=0.6.13 -pkgrel=0 +pkgrel=1 pkgdesc="GNOME CSS 2 parsing and manipulation toolkit" url="https://gitlab.gnome.org/GNOME/libcroco" arch="all" @@ -11,11 +11,15 @@ subpackages="$pkgname-dev" depends="" makedepends="glib-dev libxml2-dev" checkdepends="cmd:which" -source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz" +source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz + CVE-2020-12825.patch + " # secfixes: # 0.6.12-r2: # - CVE-2017-7960 +# 0.6.13-r1: +# - CVE-2020-12825 build() { ./configure \ @@ -34,4 +38,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="038a3ac9d160a8cf86a8a88c34367e154ef26ede289c93349332b7bc449a5199b51ea3611cebf3a2416ae23b9e45ecf8f9c6b24ea6d16a5519b796d3c7e272d4 libcroco-0.6.13.tar.xz" +sha512sums="038a3ac9d160a8cf86a8a88c34367e154ef26ede289c93349332b7bc449a5199b51ea3611cebf3a2416ae23b9e45ecf8f9c6b24ea6d16a5519b796d3c7e272d4 libcroco-0.6.13.tar.xz +ae568a259a2a3a90f6cf107b4f0d5a0dbb6cb3a560262a43b96460457a4b72b7c5f45c2df9c061ed1f94c41b71bdcf69bd55582a77bf858e46c2c3c8a55fe6e3 CVE-2020-12825.patch" diff --git a/user/libcroco/CVE-2020-12825.patch b/user/libcroco/CVE-2020-12825.patch new file mode 100644 index 000000000..6fa66f659 --- /dev/null +++ b/user/libcroco/CVE-2020-12825.patch @@ -0,0 +1,187 @@ +From 44cbd1e718d6a08e59b9300280c340218a84e089 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanzaro@gnome.org> +Date: Wed, 12 Aug 2020 13:54:15 -0500 +Subject: [PATCH] libcroco: Limit recursion in block and any productions + (CVE-2020-12825) + +If we don't have any limits, we can recurse forever and overflow the +stack. + +This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8 + +https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404 +--- + src/cr-parser.c | 44 ++++++++++++++++++++++++++-------------- + 1 file changed, 29 insertions(+), 15 deletions(-) + +diff --git a/src/cr-parser.c b/src/st/croco/cr-parser.c +index 07f4ed9e8b..8304b75614 100644 +--- a/src/cr-parser.c ++++ b/src/cr-parser.c +@@ -136,6 +136,8 @@ struct _CRParserPriv { + + #define CHARS_TAB_SIZE 12 + ++#define RECURSIVE_CALLERS_LIMIT 100 ++ + /** + * IS_NUM: + *@a_char: the char to test. +@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this); + + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this); + +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this); ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this, ++ guint n_calls); + +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this); ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this, ++ guint n_calls); + + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this); + +@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) + cr_parser_try_to_skip_spaces_and_comments (a_this); + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + } while (status == CR_OK); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, +@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, 0); + CHECK_PARSING_STATUS (status, + FALSE); + goto done; +@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this) + + RECORD_INITIAL_POS (a_this, &init_pos); + +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + CHECK_PARSING_STATUS (status, FALSE); + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + + } while (status == CR_OK); + +@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this) + *in chapter 4.1 of the css2 spec. + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*; + *@param a_this the current instance of #CRParser. ++ *@param n_calls used to limit recursion depth + *FIXME: code this function. + */ + static enum CRStatus +-cr_parser_parse_block_core (CRParser * a_this) ++cr_parser_parse_block_core (CRParser * a_this, ++ guint n_calls) + { + CRToken *token = NULL; + CRInputPos init_pos; +@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this) + + g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR); + ++ if (n_calls > RECURSIVE_CALLERS_LIMIT) ++ return CR_ERROR; ++ + RECORD_INITIAL_POS (a_this, &init_pos); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token); +@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this) + } else if (token->type == CBO_TK) { + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, n_calls + 1); + CHECK_PARSING_STATUS (status, FALSE); + goto parse_block_content; + } else { + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); + token = NULL; +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + CHECK_PARSING_STATUS (status, FALSE); + goto parse_block_content; + } +@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this) + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, 0); + CHECK_PARSING_STATUS (status, FALSE); + ref++; + goto continue_parsing; +@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this) + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + if (status == CR_OK) { + ref++; + goto continue_parsing; +@@ -1161,10 +1170,12 @@ cr_parser_parse_value_core (CRParser * a_this) + * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*; + * + *@param a_this the current instance of #CRParser. ++ *@param n_calls used to limit recursion depth + *@return CR_OK upon successfull completion, an error code otherwise. + */ + static enum CRStatus +-cr_parser_parse_any_core (CRParser * a_this) ++cr_parser_parse_any_core (CRParser * a_this, ++ guint n_calls) + { + CRToken *token1 = NULL, + *token2 = NULL; +@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this) + + g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR); + ++ if (n_calls > RECURSIVE_CALLERS_LIMIT) ++ return CR_ERROR; ++ + RECORD_INITIAL_POS (a_this, &init_pos); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1); +@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this) + *We consider parameter as being an "any*" production. + */ + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); +@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this) + } + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); +@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this) + } + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); +-- +GitLab + diff --git a/user/libjpeg-turbo/APKBUILD b/user/libjpeg-turbo/APKBUILD index cbecdd1a4..5910e7011 100644 --- a/user/libjpeg-turbo/APKBUILD +++ b/user/libjpeg-turbo/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libjpeg-turbo -pkgver=2.0.4 -pkgrel=1 +pkgver=2.0.5 +pkgrel=0 pkgdesc="Accelerated JPEG compression and decompression library" url="https://libjpeg-turbo.org/" arch="all" @@ -11,7 +11,6 @@ depends="" makedepends="cmake" subpackages="$pkgname-doc $pkgname-dev $pkgname-utils" source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz - CVE-2020-13790.patch " case "$CTARGET_ARCH" in @@ -63,5 +62,4 @@ utils() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="708c2e7418d9ed5abca313e2ff5a08f8176d79cad2127573cda6036583c201973db4cfb0eafc0fc8f57ecc7b000d2b4af95980de54de5a0aed45969e993a5bf9 libjpeg-turbo-2.0.4.tar.gz -83752558d0cf60508a9ccd55505b91f4faa22277537916629a045b2aaa0cb3649e2f90b0df26d389687dc4aba78bdf76e64fc5e5eb324a65026ec86cd95dbe6a CVE-2020-13790.patch" +sha512sums="5bf9ecf069b43783ff24365febf36dda69ccb92d6397efec6069b2b4f359bfd7b87934a6ce4311873220fccc73acabdacef5ce0604b79209eb1912e8ba478555 libjpeg-turbo-2.0.5.tar.gz" diff --git a/user/libjpeg-turbo/CVE-2020-13790.patch b/user/libjpeg-turbo/CVE-2020-13790.patch deleted file mode 100644 index aaeec0c9c..000000000 --- a/user/libjpeg-turbo/CVE-2020-13790.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 3de15e0c344d11d4b90f4a47136467053eb2d09a Mon Sep 17 00:00:00 2001 -From: DRC <information@libjpeg-turbo.org> -Date: Tue, 2 Jun 2020 14:15:37 -0500 -Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM - -This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to -include binary PPM files with maximum values < 255, thus preventing a -malformed binary PPM input file with those specifications from -triggering an overrun of the rescale array and potentially crashing -cjpeg, TJBench, or any program that uses the tjLoadImage() function. - -Fixes #433 - -diff --git a/rdppm.c b/rdppm.c -index 87bc33090..a8507b902 100644 ---- a/rdppm.c -+++ b/rdppm.c -@@ -5,7 +5,7 @@ - * Copyright (C) 1991-1997, Thomas G. Lane. - * Modified 2009 by Bill Allombert, Guido Vollbeding. - * libjpeg-turbo Modifications: -- * Copyright (C) 2015-2017, D. R. Commander. -+ * Copyright (C) 2015-2017, 2020, D. R. Commander. - * For conditions of distribution and use, see the accompanying README.ijg - * file. - * -@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) - /* On 16-bit-int machines we have to be careful of maxval = 65535 */ - source->rescale = (JSAMPLE *) - (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, -- (size_t)(((long)maxval + 1L) * -+ (size_t)(((long)MAX(maxval, 255) + 1L) * - sizeof(JSAMPLE))); - half_maxval = maxval / 2; - for (val = 0; val <= (long)maxval; val++) { diff --git a/user/libproxy/APKBUILD b/user/libproxy/APKBUILD index 1cdb0c9b5..7a13ebc05 100644 --- a/user/libproxy/APKBUILD +++ b/user/libproxy/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=libproxy pkgver=0.4.15 -pkgrel=2 +pkgrel=3 pkgdesc="Library providing automatic proxy configuration management" url="http://libproxy.github.io/libproxy/" arch="all" @@ -14,8 +14,15 @@ subpackages="$pkgname-dev $pkgname-bin py3-$pkgname:py" source="$pkgname-$pkgver.tar.gz::https://github.com/libproxy/libproxy/archive/$pkgver.tar.gz libproxy-0.4.7-unistd.patch fix-includes.patch + CVE-2020-25219.patch + CVE-2020-26154.patch " +# secfixes: +# 0.4.15-r3: +# - CVE-2020-25219 +# - CVE-2020-26154 + build() { cmake \ -DCMAKE_INSTALL_PREFIX=/usr \ @@ -55,4 +62,6 @@ py() { sha512sums="8f68bd56e44aeb3f553f4657bef82a5d14302780508dafa32454d6f724b724c884ceed6042f8df53a081d26ea0b05598cf35eab44823257c47c5ef8afb36442b libproxy-0.4.15.tar.gz 9929c308195bc59c1b9a7ddaaf708fb831da83c5d86d7ce122cb9774c9b9b16aef3c17fb721356e33a865de1af27db493f29a99d292e1e258cd0135218cacd32 libproxy-0.4.7-unistd.patch -e35b4f806e5f60e9b184d64dceae62e6e343c367ee96d7e461388f2665fe2ab62170d41848c9da5322bb1719eff3bfaecb273e40a97ce940a5e88d29d03bd8d9 fix-includes.patch" +e35b4f806e5f60e9b184d64dceae62e6e343c367ee96d7e461388f2665fe2ab62170d41848c9da5322bb1719eff3bfaecb273e40a97ce940a5e88d29d03bd8d9 fix-includes.patch +908fbf49bec18764a8c2ab81ef5d5e6e1fc2423cf9a6608cc7d3a6d5ac44676e171646b0f95b39b7ade108afd62cc2ede8f7b57d6ba0d67025f30b18e5084292 CVE-2020-25219.patch +01c784a8016bb2a2bf5058b6af7fac29250542bfd4e0679a91fa223c821336d651f8f4a968763072edb86a78a743618c312a2daeb2963c8e5207109f2d26a18f CVE-2020-26154.patch" diff --git a/user/libproxy/CVE-2020-25219.patch b/user/libproxy/CVE-2020-25219.patch new file mode 100644 index 000000000..03cfbc00e --- /dev/null +++ b/user/libproxy/CVE-2020-25219.patch @@ -0,0 +1,57 @@ +From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanzaro@gnome.org> +Date: Wed, 9 Sep 2020 11:12:02 -0500 +Subject: [PATCH] Rewrite url::recvline to be nonrecursive + +This function processes network input. It's semi-trusted, because the +PAC ought to be trusted. But we still shouldn't allow it to control how +far we recurse. A malicious PAC can cause us to overflow the stack by +sending a sufficiently-long line without any '\n' character. + +Also, this function failed to properly handle EINTR, so let's fix that +too, for good measure. + +Fixes #134 +--- + libproxy/url.cpp | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/libproxy/url.cpp b/libproxy/url.cpp +index ee776b2..68d69cd 100644 +--- a/libproxy/url.cpp ++++ b/libproxy/url.cpp +@@ -388,16 +388,24 @@ string url::to_string() const { + return m_orig; + } + +-static inline string recvline(int fd) { +- // Read a character. +- // If we don't get a character, return empty string. +- // If we are at the end of the line, return empty string. +- char c = '\0'; +- +- if (recv(fd, &c, 1, 0) != 1 || c == '\n') +- return ""; +- +- return string(1, c) + recvline(fd); ++static string recvline(int fd) { ++ string line; ++ int ret; ++ ++ // Reserve arbitrary amount of space to avoid small memory reallocations. ++ line.reserve(128); ++ ++ do { ++ char c; ++ ret = recv(fd, &c, 1, 0); ++ if (ret == 1) { ++ if (c == '\n') ++ return line; ++ line += c; ++ } ++ } while (ret == 1 || (ret == -1 && errno == EINTR)); ++ ++ return line; + } + + char* url::get_pac() { diff --git a/user/libproxy/CVE-2020-26154.patch b/user/libproxy/CVE-2020-26154.patch new file mode 100644 index 000000000..929083327 --- /dev/null +++ b/user/libproxy/CVE-2020-26154.patch @@ -0,0 +1,93 @@ +From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001 +From: Fei Li <lifeibiren@gmail.com> +Date: Fri, 17 Jul 2020 02:18:37 +0800 +Subject: [PATCH] Fix buffer overflow when PAC is enabled + +The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned +out to be the large PAC file (more than 102400 bytes) returned by a +local proxy program with no content-length present. +--- + libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++------------- + 1 file changed, 31 insertions(+), 13 deletions(-) + +diff --git a/libproxy/url.cpp b/libproxy/url.cpp +index ee776b2..8684086 100644 +--- a/libproxy/url.cpp ++++ b/libproxy/url.cpp +@@ -54,7 +54,7 @@ using namespace std; + #define PAC_MIME_TYPE_FB "text/plain" + + // This is the maximum pac size (to avoid memory attacks) +-#define PAC_MAX_SIZE 102400 ++#define PAC_MAX_SIZE 0x800000 + // This is the default block size to use when receiving via HTTP + #define PAC_HTTP_BLOCK_SIZE 512 + +@@ -478,15 +478,13 @@ char* url::get_pac() { + } + + // Get content +- unsigned int recvd = 0; +- buffer = new char[PAC_MAX_SIZE]; +- memset(buffer, 0, PAC_MAX_SIZE); ++ std::vector<char> dynamic_buffer; + do { + unsigned int chunk_length; + + if (chunked) { + // Discard the empty line if we received a previous chunk +- if (recvd > 0) recvline(sock); ++ if (!dynamic_buffer.empty()) recvline(sock); + + // Get the chunk-length line as an integer + if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break; +@@ -498,21 +496,41 @@ char* url::get_pac() { + + if (content_length >= PAC_MAX_SIZE) break; + +- while (content_length == 0 || recvd != content_length) { +- int r = recv(sock, buffer + recvd, +- content_length == 0 ? PAC_HTTP_BLOCK_SIZE +- : content_length - recvd, 0); ++ while (content_length == 0 || dynamic_buffer.size() != content_length) { ++ // Calculate length to recv ++ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE; ++ if (content_length > 0) ++ length_to_read = content_length - dynamic_buffer.size(); ++ ++ // Prepare buffer ++ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read); ++ ++ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0); ++ ++ // Shrink buffer to fit ++ if (r >= 0) ++ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r); ++ ++ // PAC size too large, discard ++ if (dynamic_buffer.size() >= PAC_MAX_SIZE) { ++ chunked = false; ++ dynamic_buffer.clear(); ++ break; ++ } ++ + if (r <= 0) { + chunked = false; + break; + } +- recvd += r; + } + } while (chunked); + +- if (content_length != 0 && string(buffer).size() != content_length) { +- delete[] buffer; +- buffer = NULL; ++ if (content_length == 0 || content_length == dynamic_buffer.size()) { ++ buffer = new char[dynamic_buffer.size() + 1]; ++ if (!dynamic_buffer.empty()) { ++ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size()); ++ } ++ buffer[dynamic_buffer.size()] = '\0'; + } + } + diff --git a/user/meson/APKBUILD b/user/meson/APKBUILD index d975e1460..5164bae64 100644 --- a/user/meson/APKBUILD +++ b/user/meson/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> # Maintainer: pkgname=meson -pkgver=0.52.1 +pkgver=0.55.3 pkgrel=0 pkgdesc="Fast, user-friendly build system" url="https://mesonbuild.com/" @@ -24,4 +24,4 @@ package() { python3 setup.py install --prefix=/usr --root="$pkgdir" } -sha512sums="81e8c5897ba5311ccffc401fd514bd9a67d16caaea1f28a5c5432605766341ecd82b70c05661fbbe0c9a6006ff5ea892950bbaa548e70c3f87350438775ea6fd meson-0.52.1.tar.gz" +sha512sums="afb0bb25b367e681131d920995124df4b06f6d144ae1a95ebec27be13e06fefbd95840e0287cd1d84bdbb8d9c115b589a833d847c60926f55e0f15749cf66bae meson-0.55.3.tar.gz" diff --git a/user/re2c/APKBUILD b/user/re2c/APKBUILD index aad7b839e..3293c610d 100644 --- a/user/re2c/APKBUILD +++ b/user/re2c/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Jeff Bilyk <jbilyk at gmail> # Maintainer: pkgname=re2c -pkgver=1.3 -pkgrel=1 +pkgver=2.0.3 +pkgrel=0 pkgdesc="Fast lexer generator for C and C++" url="http://re2c.org/" arch="all" @@ -12,13 +12,13 @@ checkdepends="bash" makedepends="" subpackages="$pkgname-doc" source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz - CVE-2020-11958.patch " # secfixes: # 1.3-r1: # - CVE-2020-11958 + build() { ./configure \ --build=$CBUILD \ @@ -38,5 +38,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e re2c-1.3.tar.xz -f4376b8e0724d500f665fa60dfd6fb35685a281af50c500d2ff90d781a829fb78f21e8c93c5745a4519acd55a62ec48a570dbfacf0a9ee977502e06f3e2e474a CVE-2020-11958.patch" +sha512sums="893c533e9847a6236d55ae65e413ddc48b7531b89f5552a3ad79beeac079317ceca4c35710f3c2d88a6de5a3c0a5070a24a8cffb1b4277578a41697ea0e3bf8c re2c-2.0.3.tar.xz" diff --git a/user/re2c/CVE-2020-11958.patch b/user/re2c/CVE-2020-11958.patch deleted file mode 100644 index b982b87e6..000000000 --- a/user/re2c/CVE-2020-11958.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001 -From: Ulya Trofimovich <skvadrik@gmail.com> -Date: Fri, 17 Apr 2020 22:47:14 +0100 -Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo). - -The crash happened in a rare case of a very long lexeme that doen't fit -into the buffer, forcing buffer reallocation. - -The crash was caused by an incorrect calculation of the shift offset -(it was smaller than necessary). As a consequence, the data from buffer -start and up to the beginning of the current lexeme was not discarded -(as it should have been), resulting in less free space for new data than -expected. ---- - src/parse/scanner.cc | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc -index 1d6e9efa..bd651314 100644 ---- a/src/parse/scanner.cc -+++ b/src/parse/scanner.cc -@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need) - if (!buf) fatal("out of memory"); - - memmove(buf, tok, copy); -- shift_ptrs_and_fpos(buf - bot); -+ shift_ptrs_and_fpos(buf - tok); - delete [] bot; - bot = buf; - - free = BSIZE - copy; - } - -+ DASSERT(lim + free <= bot + BSIZE); - if (!read(free)) { - eof = lim; - memset(lim, 0, YYMAXFILL); diff --git a/user/trojita/APKBUILD b/user/trojita/APKBUILD index c55e5453c..3dd6a5ab6 100644 --- a/user/trojita/APKBUILD +++ b/user/trojita/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Kiyoshi Aman <adelie@aerdan.vulpine.house> pkgname=trojita pkgver=0.7 -pkgrel=0 +pkgrel=1 pkgdesc="Qt-based IMAP email client" url="http://trojita.flaska.net/" arch="all" @@ -15,7 +15,15 @@ makedepends="cmake extra-cmake-modules zlib-dev qt5-qtbase-dev qt5-qtwebkit-dev qtkeychain-dev" source="https://sourceforge.net/projects/trojita/files/src/trojita-$pkgver.tar.xz use-qgpgme.patch - fix-gpg.patch" + fix-gpg.patch + CVE-2019-10734.patch + CVE-2020-15047.patch + " + +# secfixes: +# 0.7-r1: +# - CVE-2019-10734 +# - CVE-2020-15047 build() { if [ "$CBUILD" != "$CHOST" ]; then @@ -34,7 +42,8 @@ build() { } check() { - CTEST_OUTPUT_ON_FAILURE=TRUE ctest + # test_Html_formatting: requires X11 + CTEST_OUTPUT_ON_FAILURE=TRUE ctest -E test_Html_formatting } package() { @@ -43,4 +52,6 @@ package() { sha512sums="fe4d9316f97d913619f27d24a5023c3d8dd4a6b9fb058651be12c67188f394aa8cbb60c7593e5eb28fc12fc883b76deeeb5f4f631edd255fdec4c5862c9a91c8 trojita-0.7.tar.xz 740c2410d7236d722482f05dd1d2c681e35543620823cb7c1396710081f9de4f6ae530c5b5442ecf5d08a8e552f0697f3a35bf51e07a3b4336dec7021b665706 use-qgpgme.patch -9d0fbf7c0b0f6975990a7705f9d43043e5807401cee179d7a07f9514856332d6bb1aa8448e84d0083003c34a3bb181080b973e8c1f77d1b5a8930d07d57702da fix-gpg.patch" +9d0fbf7c0b0f6975990a7705f9d43043e5807401cee179d7a07f9514856332d6bb1aa8448e84d0083003c34a3bb181080b973e8c1f77d1b5a8930d07d57702da fix-gpg.patch +db96a566924b5d7b80787ab624af3726d5dd3459653192436a377d6482ab73801a7dcca1df1b1d937cf0d0798b827e04f8ef2c1124f91dc9da3e8036ef61e28a CVE-2019-10734.patch +2477612aca1e558fa3ba2b434a701cc255c573ac7e2001e7b5921c9b991f7c95720f53b70b49824e36bafb53ab53477950cb8d436e637fda4d59c7ec5883ce5f CVE-2020-15047.patch" diff --git a/user/trojita/CVE-2019-10734.patch b/user/trojita/CVE-2019-10734.patch new file mode 100644 index 000000000..d52edb042 --- /dev/null +++ b/user/trojita/CVE-2019-10734.patch @@ -0,0 +1,104 @@ +From 8db7f450d52539b4c72ee968384911b6813ad1e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= <jkt@kde.org> +Date: Thu, 25 Jun 2020 21:39:34 +0200 +Subject: [PATCH] Prevent a possible decryption oracle attack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Thanks to Jens Mueller (Ruhr-Uni Bochum and FH Münster) for reporting +this. The gist is that an attacker can embed arbitrary ciphertext into +their messages. Trojita decrypts that, and when we hit reply, the +original *cleartext* gets quoted and put into a reply for the attacker +to see. + +Fix this by not quoting any plaintext which originated in an encrypted +message. That's pretty draconian, but hey, it works and we never came up +with any better patch. Also, given that Trojita does not encrypt +outgoing messages yet, this is probably also a conservative thing to do. + +Change-Id: I84c45b9e707eb7c99eb7183c6ef59ef41cd62c43 +CVE: CVE-2019-10734 +BUG: 404697 +--- + src/Cryptography/GpgMe++.cpp | 2 ++ + src/Gui/MessageView.cpp | 9 ++++++++- + src/Gui/PartWidget.cpp | 8 ++++++++ + src/Imap/Model/ItemRoles.h | 2 +- + 4 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/Cryptography/GpgMe++.cpp b/src/Cryptography/GpgMe++.cpp +index e012f603..716b8aff 100644 +--- a/src/Cryptography/GpgMe++.cpp ++++ b/src/Cryptography/GpgMe++.cpp +@@ -267,6 +267,8 @@ QVariant GpgMePart::data(int role) const + switch (role) { + case Imap::Mailbox::RolePartSignatureVerifySupported: + return m_wasSigned; ++ case RolePartDecryptionSupported: ++ return m_isAllegedlyEncrypted; + case RolePartCryptoNotFinishedYet: + return m_waitingForData || + (m_crypto.valid() && +diff --git a/src/Gui/MessageView.cpp b/src/Gui/MessageView.cpp +index 7d649308..c95e0878 100644 +--- a/src/Gui/MessageView.cpp ++++ b/src/Gui/MessageView.cpp +@@ -354,7 +354,6 @@ bool MessageView::eventFilter(QObject *object, QEvent *event) + QString MessageView::quoteText() const + { + if (auto w = bodyWidget()) { +- QStringList quote = Composer::quoteText(w->quoteMe().split(QLatin1Char('\n'))); + const Imap::Message::Envelope &e = message.data(Imap::Mailbox::RoleMessageEnvelope).value<Imap::Message::Envelope>(); + QString sender; + if (!e.from.isEmpty()) +@@ -362,6 +361,14 @@ QString MessageView::quoteText() const + if (e.from.isEmpty()) + sender = tr("you"); + ++ if (messageModel->index(0, 0) /* fake message root */.child(0, 0) /* first MIME part */.data(Imap::Mailbox::RolePartDecryptionSupported).toBool()) { ++ // This is just an UX improvement shortcut: real filtering for CVE-2019-10734 is in ++ // MultipartSignedEncryptedWidget::quoteMe(). ++ // That is required because the encrypted part might not be the root part of the message. ++ return tr("On %1, %2 sent an encrypted message:\n> ...\n\n").arg(e.date.toLocalTime().toString(Qt::SystemLocaleLongDate), sender); ++ } ++ ++ QStringList quote = Composer::quoteText(w->quoteMe().split(QLatin1Char('\n'))); + // One extra newline at the end of the quoted text to separate the response + quote << QString(); + +diff --git a/src/Gui/PartWidget.cpp b/src/Gui/PartWidget.cpp +index bb27604d..96eff338 100644 +--- a/src/Gui/PartWidget.cpp ++++ b/src/Gui/PartWidget.cpp +@@ -378,6 +378,14 @@ void MultipartSignedEncryptedWidget::updateStatusIndicator() + + QString MultipartSignedEncryptedWidget::quoteMe() const + { ++ if (m_partIndex.data(Imap::Mailbox::RolePartDecryptionSupported).toBool()) { ++ // See CVE-2019-10734, the point is not to leak cleartext from encrypted content. Even when Trojita starts supporting ++ // encryption of outgoing mail, we will have to check whether the encrypted cleartext is from the same sender, whether ++ // it matches the list of recipients (which is dynamic and can be set later on), etc etc. ++ // TL;DR, this is a can of worms. ++ return tr("[Encrypted message]"); ++ } ++ + return quoteMeHelper(children()); + } + +diff --git a/src/Imap/Model/ItemRoles.h b/src/Imap/Model/ItemRoles.h +index 4588d4d0..00adb3bb 100644 +--- a/src/Imap/Model/ItemRoles.h ++++ b/src/Imap/Model/ItemRoles.h +@@ -193,7 +193,7 @@ enum { + RolePartSignatureVerifySupported, + /** @short Is the format of this particular multipart/encrypted supported and recognized? + +- See RolePartSignatureVerifySupported, this is an equivalent. ++ If true, this message part represents content of an encrypted message that Trojita can attempt to decrypt. + */ + RolePartDecryptionSupported, + /** @short Is there any point in waiting longer? +-- +GitLab + diff --git a/user/trojita/CVE-2020-15047.patch b/user/trojita/CVE-2020-15047.patch new file mode 100644 index 000000000..6199c01fd --- /dev/null +++ b/user/trojita/CVE-2020-15047.patch @@ -0,0 +1,88 @@ +From 77ddd5d44f2bf4155d0c9b6f7d05f01713b32d5d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= <jkt@kde.org> +Date: Thu, 25 Jun 2020 11:30:51 +0200 +Subject: [PATCH] SMTP: Do not ignore TLS errors + +This fixes a CVE-2020-15047 (category: CWE-295). Since commit 0083eea5ed +which added initial, experimental support for SMTP message submission, +we have apparently never implemented proper SSL/TLS error handling, and +the code has ever since just kept silently ignoring any certificate +verification errors. As a result, Trojita was susceptible to a MITM +attack when sending e-mails. The information leaked include user's +authentication details, including the password, and the content of sent +messages. + +Sorry for this :(. + +Now, this patch re-enabes proper TLS error handling. It was not possible +to directly re-use our code for TLS key pinning which we are using for +IMAP connections. In the Qt TLS code, the decision to accept or not +accept a TLS connection is a blocking one, so the IMAP code relies upon +the protocol state machine (i.e., another layer) for deciding whether to +use or not to use the just-established TLS connection. Implementing an +equivalent code in the SMTP library would be nice, but this hot-fix has +a priority. As a result, SMTP connections to hosts with, e.g., +self-signed TLS certs, are no longer possible. Let's hope that this is +not a practical problem with Lets Encrypt anymore. + +Thanks to Damian Poddebniak for reporting this bug. + +Change-Id: Icd6bbb2b0fb3e45159fc9699ebd07ab84262fe37 +CVE: CVE-2020-15047 +BUG: 423453 +--- + src/MSA/SMTP.cpp | 11 +++++++++-- + src/MSA/SMTP.h | 1 + + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/MSA/SMTP.cpp b/src/MSA/SMTP.cpp +index 3a054516..ac1eefc5 100644 +--- a/src/MSA/SMTP.cpp ++++ b/src/MSA/SMTP.cpp +@@ -21,6 +21,7 @@ + along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + #include "SMTP.h" ++#include "UiUtils/Formatting.h" + + namespace MSA + { +@@ -32,8 +33,8 @@ SMTP::SMTP(QObject *parent, const QString &host, quint16 port, bool encryptedCon + user(user), failed(false), isWaitingForPassword(false), sendingMode(MODE_SMTP_INVALID) + { + qwwSmtp = new QwwSmtpClient(this); +- // FIXME: handle SSL errors properly +- connect(qwwSmtp, &QwwSmtpClient::sslErrors, qwwSmtp, &QwwSmtpClient::ignoreSslErrors); ++ // FIXME: handle SSL errors in the same way as we handle IMAP TLS errors, with key pinning, etc. ++ connect(qwwSmtp, &QwwSmtpClient::sslErrors, this, &SMTP::handleSslErrors); + connect(qwwSmtp, &QwwSmtpClient::connected, this, &AbstractMSA::sending); + connect(qwwSmtp, &QwwSmtpClient::done, this, &SMTP::handleDone); + connect(qwwSmtp, &QwwSmtpClient::socketError, this, &SMTP::handleError); +@@ -78,6 +79,12 @@ void SMTP::handleError(QAbstractSocket::SocketError err, const QString &msg) + emit error(msg); + } + ++void SMTP::handleSslErrors(const QList<QSslError>& errors) ++{ ++ auto msg = UiUtils::Formatting::sslErrorsToHtml(errors); ++ emit error(tr("<p>Cannot send message due to an SSL/TLS error</p>\n%1").arg(msg)); ++} ++ + void SMTP::setPassword(const QString &password) + { + pass = password; +diff --git a/src/MSA/SMTP.h b/src/MSA/SMTP.h +index 453407d3..913bb873 100644 +--- a/src/MSA/SMTP.h ++++ b/src/MSA/SMTP.h +@@ -43,6 +43,7 @@ public slots: + virtual void setPassword(const QString &password); + void handleDone(bool ok); + void handleError(QAbstractSocket::SocketError err, const QString &msg); ++ void handleSslErrors(const QList<QSslError>& errors); + private: + QwwSmtpClient *qwwSmtp; + QString host; +-- +GitLab + diff --git a/user/yubikey-personalization/APKBUILD b/user/yubikey-personalization/APKBUILD index 1db97be94..3ff2ce728 100644 --- a/user/yubikey-personalization/APKBUILD +++ b/user/yubikey-personalization/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Kiyoshi Aman <adelie@aerdan.vulpine.house> pkgname=yubikey-personalization pkgver=1.20.0 -pkgrel=0 +pkgrel=1 pkgdesc="Cross-platform library & tools for personalizing YubiKey devices" url="https://developers.yubico.com/yubikey-personalization/" arch="all" @@ -13,6 +13,7 @@ makedepends="yubico-c-dev libusb-dev json-c-dev asciidoctor subpackages="$pkgname-dev $pkgname-doc" source="yubikey-personalization-$pkgver.tar.gz::https://github.com/Yubico/yubikey-personalization/archive/v$pkgver.tar.gz use-asciidoctor.patch + json_c.patch " prepare() { @@ -40,4 +41,5 @@ package() { } sha512sums="a38b26700793f0a801e5f5889bbbce4a3f728d22aaecf8d0890f1b5135e67bed16a78b7a36dbc323c5d296901f6dd420fa658a982492a0cd9f0bbf95a5fbc823 yubikey-personalization-1.20.0.tar.gz -d6777a43e5e57430268bb50ab704641465a7314b15fc821d8bfa7f0c6510829d0118ced426cd5f8730589efe6264df6b82fc70e8bfe3d8b7d735e51339a25af2 use-asciidoctor.patch" +d6777a43e5e57430268bb50ab704641465a7314b15fc821d8bfa7f0c6510829d0118ced426cd5f8730589efe6264df6b82fc70e8bfe3d8b7d735e51339a25af2 use-asciidoctor.patch +a8bc7ae71d0a05476688abfaea070ca7dc2eaa68e033524d4a1b2b6240eec2932d867e9eeaa248874a04f254618cd79bf9ebaa17421938b0c2e62502bf90c055 json_c.patch" diff --git a/user/yubikey-personalization/json_c.patch b/user/yubikey-personalization/json_c.patch new file mode 100644 index 000000000..ca5a918d2 --- /dev/null +++ b/user/yubikey-personalization/json_c.patch @@ -0,0 +1,83 @@ +From 0aa2e2cae2e1777863993a10c809bb50f4cde7f8 Mon Sep 17 00:00:00 2001 +From: Christian Hesse <mail@eworm.de> +Date: Sat, 25 Apr 2020 20:55:28 +0200 +Subject: [PATCH] fix boolean value with json-c 0.14 + +Upstream removed the TRUE and FALSE defines in commit +0992aac61f8b087efd7094e9ac2b84fa9c040fcd. +--- + ykpers-json.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/ykpers-json.c b/ykpers-json.c +index a62e907..15ad380 100644 +--- a/ykpers-json.c ++++ b/ykpers-json.c +@@ -40,7 +40,7 @@ + #define yk_json_object_object_get(obj, key, value) json_object_object_get_ex(obj, key, &value) + #else + typedef int json_bool; +-#define yk_json_object_object_get(obj, key, value) (value = json_object_object_get(obj, key)) == NULL ? (json_bool)FALSE : (json_bool)TRUE ++#define yk_json_object_object_get(obj, key, value) (value = json_object_object_get(obj, key)) == NULL ? 0 : 1 + #endif + + static void set_json_value(struct map_st *p, int mode, json_object *options, YKP_CONFIG *cfg) { +@@ -50,7 +50,7 @@ static void set_json_value(struct map_st *p, int mode, json_object *options, YKP + if(p->mode && (mode & p->mode) == mode) { + json_object *joption; + json_bool ret = yk_json_object_object_get(options, p->json_text, joption); +- if(ret == TRUE && json_object_get_type(joption) == json_type_boolean) { ++ if(ret == 1 && json_object_get_type(joption) == json_type_boolean) { + int value = json_object_get_boolean(joption); + if(value == 1) { + p->setter(cfg, true); +@@ -230,20 +230,20 @@ int _ykp_json_import_cfg(YKP_CONFIG *cfg, const char *json, size_t len) { + ykp_errno = YKP_EINVAL; + goto out; + } +- if(yk_json_object_object_get(jobj, "yubiProdConfig", yprod_json) == FALSE) { ++ if(yk_json_object_object_get(jobj, "yubiProdConfig", yprod_json) == 0) { + ykp_errno = YKP_EINVAL; + goto out; + } +- if(yk_json_object_object_get(yprod_json, "mode", jmode) == FALSE) { ++ if(yk_json_object_object_get(yprod_json, "mode", jmode) == 0) { + ykp_errno = YKP_EINVAL; + goto out; + } +- if(yk_json_object_object_get(yprod_json, "options", options) == FALSE) { ++ if(yk_json_object_object_get(yprod_json, "options", options) == 0) { + ykp_errno = YKP_EINVAL; + goto out; + } + +- if(yk_json_object_object_get(yprod_json, "targetConfig", jtarget) == TRUE) { ++ if(yk_json_object_object_get(yprod_json, "targetConfig", jtarget) == 1) { + int target_config = json_object_get_int(jtarget); + int command; + if(target_config == 1) { +@@ -275,13 +275,13 @@ int _ykp_json_import_cfg(YKP_CONFIG *cfg, const char *json, size_t len) { + if(mode == MODE_OATH_HOTP) { + json_object *jdigits, *jrandom; + ykp_set_tktflag_OATH_HOTP(cfg, true); +- if(yk_json_object_object_get(options, "oathDigits", jdigits) == TRUE) { ++ if(yk_json_object_object_get(options, "oathDigits", jdigits) == 1) { + int digits = json_object_get_int(jdigits); + if(digits == 8) { + ykp_set_cfgflag_OATH_HOTP8(cfg, true); + } + } +- if(yk_json_object_object_get(options, "randomSeed", jrandom) == TRUE) { ++ if(yk_json_object_object_get(options, "randomSeed", jrandom) == 1) { + int random = json_object_get_boolean(jrandom); + int seed = 0; + if(random == 1) { +@@ -290,7 +290,7 @@ int _ykp_json_import_cfg(YKP_CONFIG *cfg, const char *json, size_t len) { + goto out; + } else { + json_object *jseed; +- if(yk_json_object_object_get(options, "fixedSeedvalue", jseed) == TRUE) { ++ if(yk_json_object_object_get(options, "fixedSeedvalue", jseed) == 1) { + seed = json_object_get_int(jseed); + } + } |