From 879740d141131be88d6edaeb224e3629444664b6 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Thu, 29 Aug 2019 12:31:58 -0500 Subject: user/faad2: [CVE] bump to 2.9.0 --- user/faad2/APKBUILD | 47 +++++++++++++++++++++++++++++++++++++---------- user/faad2/automake.patch | 11 ----------- user/faad2/overflow.patch | 25 ------------------------- 3 files changed, 37 insertions(+), 46 deletions(-) delete mode 100644 user/faad2/automake.patch delete mode 100644 user/faad2/overflow.patch diff --git a/user/faad2/APKBUILD b/user/faad2/APKBUILD index 3794942b9..6b1fc47b1 100644 --- a/user/faad2/APKBUILD +++ b/user/faad2/APKBUILD @@ -1,7 +1,8 @@ # Maintainer: pkgname=faad2 -pkgver=2.8.8 -pkgrel=1 +pkgver=2.9.0 +_pkgver="$(printf '%s' "$pkgver" | tr . _)" +pkgrel=0 pkgdesc="ISO AAC audio decoder" url="https://www.audiocoding.com/" arch="all" 
@@ -10,23 +11,49 @@ license="GPL-2.0+" subpackages="$pkgname-dev $pkgname-doc" depends="" makedepends="autoconf automake libtool" -source="https://downloads.sourceforge.net/sourceforge/faac/$pkgname-$pkgver.tar.gz - overflow.patch - " +source="$pkgname-$pkgver.tar.gz::https://github.com/knik0/faad2/archive/$_pkgver.tar.gz" +builddir="$srcdir/$pkgname-$_pkgver" + +# secfixes: +# 2.8.8-r1: +# - CVE-2018-19502 +# - CVE-2019-15296 +# 2.8.8-r2: +# - CVE-2019-6956 +# - CVE-2018-20196 +# - CVE-2018-20199 +# - CVE-2018-20360 +# 2.9.0-r0: +# - CVE-2018-19503 +# - CVE-2018-19504 +# - CVE-2018-20194 +# - CVE-2018-20195 +# - CVE-2018-20197 +# - CVE-2018-20198 +# - CVE-2018-20357 +# - CVE-2018-20358 +# - CVE-2018-20359 +# - CVE-2018-20361 +# - CVE-2018-20362 + +prepare() { + default_prepare + ./bootstrap +} build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ - --prefix=/usr + --prefix=/usr \ + --sysconfdir=/etc \ + --mandir=/usr/share/man \ + --localstatedir=/var make } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } -sha512sums="3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af faad2-2.8.8.tar.gz -f9266ca424d1e4f5b46c2f6b4b1568caee86849d2b6edc3b6c1fb7cf08fd736c0a8fe2c096c3bc64674e4fa40619c24d45d6d6125f11360517feb09a5c996a34 overflow.patch" +sha512sums="1756b2672f9e438a56b11160ddc77fc721d85860eaa325a3ff01b51a2524baf4c1c61068a97cbc4e99d47e7643f10e1d6afb997eede3295b44551fe4661fb5dc faad2-2.9.0.tar.gz" diff --git a/user/faad2/automake.patch b/user/faad2/automake.patch deleted file mode 100644 index 809031eb0..000000000 --- a/user/faad2/automake.patch +++ /dev/null 
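Review bot: The `# secfixes:` block credits CVE-2019-6956, CVE-2018-20196, CVE-2018-20199 and CVE-2018-20360 to `2.8.8-r2`, but the first hunk of this commit takes the package from `pkgrel=1` on 2.8.8 straight to 2.9.0-r0. As far as this diff shows, no 2.8.8-r2 was ever built in this tree. Tooling that reads secfixes to decide which installed versions are affected would then treat a release that does not exist as the fix point. If those four fixes first reach users with this bump, list them under `2.9.0-r0:`; if the entry is carried over from another distribution's history, say so in a comment above the block.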
@@ -1,11 +0,0 @@ ---- ./configure.in.orig 2012-12-31 10:42:26.394219312 +0000 -+++ ./configure.in 2012-12-31 10:42:43.294360781 +0000 -@@ -25,7 +25,7 @@ - AC_PROG_MAKE_SET - AC_CHECK_PROGS(RPMBUILD, rpmbuild, rpm) - --AM_CONFIG_HEADER(config.h) -+AC_CONFIG_HEADER(config.h) - - AC_ARG_WITH(xmms,[ --with-xmms compile XMMS-1 plugin], - WITHXMMS=$withval, WITHXMMS=no) diff --git a/user/faad2/overflow.patch b/user/faad2/overflow.patch deleted file mode 100644 index 5a198f8d8..000000000 --- a/user/faad2/overflow.patch +++ /dev/null @@ -1,25 +0,0 @@ ---- faad2/libfaad/bits.c 2007-11-01 13:33:29.000000000 +0100 -+++ faad2.new/libfaad/bits.c 2019-03-25 17:29:26.134199188 +0100 -@@ -167,7 +167,10 @@ - int words = bits >> 5; - int remainder = bits & 0x1F; - -- ld->bytes_left = ld->buffer_size - words*4; -+ if (ld->buffer_size < words * 4) -+ ld->bytes_left = 0; -+ else -+ ld->bytes_left = ld->buffer_size - words*4; - - if (ld->bytes_left >= 4) - { ---- faad2/libfaad/syntax.c 2019-03-25 17:57:36.930937066 +0100 -+++ faad2.new/libfaad/syntax.c 2019-03-25 17:49:26.135368525 +0100 -@@ -2292,6 +2292,8 @@ - while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld - DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1) - { -+ if (i >= MAX_CHANNELS - num_excl_chan - 7) -+ return n; - for (i = num_excl_chan; i < num_excl_chan+7; i++) - { - drc->exclude_mask[i] = faad_get1bit(ld -- cgit v1.2.3-60-g2f50 From 162826e7e57fa3f73d6fcf904e3a059286df3476 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Thu, 29 Aug 2019 12:42:23 -0500 Subject: user/irssi: [CVE] bump to 1.2.2 --- user/irssi/APKBUILD | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/user/irssi/APKBUILD b/user/irssi/APKBUILD index ffa7267ac..1d63fd4b2 100644 --- a/user/irssi/APKBUILD +++ b/user/irssi/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Kiyoshi Aman # Maintainer: Kiyoshi Aman pkgname=irssi -pkgver=1.2.1 +pkgver=1.2.2 pkgrel=0 pkgdesc="Text-based IRC client" url="https://irssi.org" 
@@ -14,9 +14,10 @@ source="https://github.com/irssi/irssi/releases/download/$pkgver/irssi-$pkgver.t # secfixes: irssi # 1.2.1-r0: # - CVE-2019-13045 +# 1.2.2-r0: +# - CVE-2019-15717 build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -31,12 +32,10 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } @@ -48,4 +47,4 @@ perl() { mv "$pkgdir"/usr/lib "$subpkgdir"/usr mv "$pkgdir"/usr/share/irssi/scripts "$subpkgdir"/usr/share/irssi } -sha512sums="67c4501b5a0055c1b24fa6753305658de809cd66e952e6f9233701a112989fd8721a065b1c681725b82346b40b53a29bd2b6b8b8315ac0ad196235a9e5156d5a irssi-1.2.1.tar.xz" +sha512sums="5444ac102ff9ad3a6399a47c967d138e181330dd226eac68886d35fee4ad455932b9306a367bee3478095158e41ba67fb46deb8f0a33512046b9b83bae37c610 irssi-1.2.2.tar.xz" -- cgit v1.2.3-60-g2f50 From bfc686181b6c0eaab1750e53c7597518d226941d Mon Sep 17 00:00:00 2001 From: Max Rees Date: Thu, 29 Aug 2019 13:08:34 -0500 Subject: user/libvorbis: new patch for CVE-2018-10392 (#157) Also, use upstream patch for CVE-2017-14160 --- user/libvorbis/APKBUILD | 17 ++++--- user/libvorbis/CVE-2017-14160-and-2018-10393.patch | 27 ++++++++++ user/libvorbis/CVE-2017-14160.patch | 58 ---------------------- user/libvorbis/CVE-2018-10392.patch | 25 ++++++++++ 4 files changed, 62 insertions(+), 65 deletions(-) create mode 100644 user/libvorbis/CVE-2017-14160-and-2018-10393.patch delete mode 100644 user/libvorbis/CVE-2017-14160.patch create mode 100644 user/libvorbis/CVE-2018-10392.patch diff --git a/user/libvorbis/APKBUILD b/user/libvorbis/APKBUILD index 2b5b41f4c..73520bf56 100644 --- a/user/libvorbis/APKBUILD +++ b/user/libvorbis/APKBUILD 
@@ -10,18 +10,21 @@ license="BSD-3-Clause" subpackages="$pkgname-dev $pkgname-doc" makedepends="libogg-dev" source="https://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.xz - CVE-2017-14160.patch + CVE-2017-14160-and-2018-10393.patch + CVE-2018-10392.patch " # secfixes: +# 1.3.6-r1: +# - CVE-2018-10392 # 1.3.5-r4: -# - CVE-2017-14632 -# - CVE-2017-14633 +# - CVE-2017-14632 +# - CVE-2017-14633 # 1.3.5-r3: -# - CVE-2017-14160 +# - CVE-2017-14160 +# - CVE-2018-10393 build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -33,9 +36,9 @@ build() { } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } sha512sums="a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132 libvorbis-1.3.6.tar.xz -4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch" +332081da5dd8fb28ee70dfbc123e7fcef279317ee977be9da97e97a105e788da452c33097bf597f369fea0e49749f876a93d6af0fa2fa20405acbc57771c89a9 CVE-2017-14160-and-2018-10393.patch +294de5e0c40b64d495df7f53196260be5ffaba11c75fc4a1a54ec0c058eeba4793c1ef685c8cf866195a2972c91a7a896df5f05f478b7f25a564abb3f82f331f CVE-2018-10392.patch" diff --git a/user/libvorbis/CVE-2017-14160-and-2018-10393.patch b/user/libvorbis/CVE-2017-14160-and-2018-10393.patch new file mode 100644 index 000000000..3a7097ec7 --- /dev/null +++ b/user/libvorbis/CVE-2017-14160-and-2018-10393.patch 
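Review bot: No hunk in this commit touches `pkgrel` (the two APKBUILD hunks start at lines 10 and 36 of the new file), yet the patch set changes and the new secfixes entry is keyed `1.3.6-r1`. If the file still reads `pkgrel=0`, the fixed build ships as 1.3.6-r0 and the secfixes key names a release that does not exist; if it already reads `pkgrel=1`, machines with 1.3.6-r1 installed are never offered the rebuild that carries CVE-2018-10392.patch. Bump `pkgrel` in this commit and key the entry to the resulting release. CVE-2018-10393 is also filed under `1.3.5-r3`, a release that shipped the older patch, so check that this attribution is intended.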
@@ -0,0 +1,27 @@ +From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001 +From: Thomas Daede +Date: Wed, 9 May 2018 14:56:59 -0700 +Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates. + +--- + lib/psy.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/psy.c b/lib/psy.c +index 422c6f1..1310123 100644 +--- a/lib/psy.c ++++ b/lib/psy.c +@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b, + for (i = 0, x = 0.f;; i++, x += 1.f) { + + lo = b[i] >> 16; +- if( lo>=0 ) break; + hi = b[i] & 0xffff; ++ if( lo>=0 ) break; ++ if( hi>=n ) break; + + tN = N[hi] + N[-lo]; + tX = X[hi] - X[-lo]; +-- +2.22.0 + diff --git a/user/libvorbis/CVE-2017-14160.patch b/user/libvorbis/CVE-2017-14160.patch deleted file mode 100644 index 9ad9d18f7..000000000 --- a/user/libvorbis/CVE-2017-14160.patch +++ /dev/null 
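Review bot: This replacement guards only the first loop of bark_noise_hybridmp, with `if( hi>=n ) break;`, whereas the CVE-2017-14160.patch removed in the same commit put an `i < n` condition on all four loops. The context lines of the removed patch show a later loop computing `hi = i + fixed / 2` and breaking only on `lo>=0`, with no comparison of `hi` or `i` against `n`. Before dropping the wider guard, confirm against upstream that the later loops cannot index past `n` for any accepted `fixed`; if that is not clear, carry the `i < n` conditions as an additional downstream patch. The function body continues outside the hunk.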
@@ -1,58 +0,0 @@ -From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001 -Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org> -From: =?UTF-8?q?Guido=20G=C3=BCnther?= -Date: Wed, 15 Nov 2017 13:12:00 +0100 -Subject: [PATCH] CVE-2017-14160: make sure we don't overflow - ---- - lib/psy.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/lib/psy.c b/lib/psy.c -index 422c6f1e..8bbf6cf3 100644 ---- a/lib/psy.c -+++ b/lib/psy.c -@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b, - XY[i] = tXY; - } - -- for (i = 0, x = 0.f;; i++, x += 1.f) { -+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { - - lo = b[i] >> 16; - if( lo>=0 ) break; -@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b, - noise[i] = R - offset; - } - -- for ( ;; i++, x += 1.f) { -+ for ( ; i < n; i++, x += 1.f) { - - lo = b[i] >> 16; - hi = b[i] & 0xffff; - if(hi>=n)break; -- - tN = N[hi] - N[lo]; - tX = X[hi] - X[lo]; - tXX = XX[hi] - XX[lo]; -@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b, - - if (fixed <= 0) return; - -- for (i = 0, x = 0.f;; i++, x += 1.f) { -+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { - hi = i + fixed / 2; - lo = hi - fixed; - if(lo>=0)break; -@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b, - - if (R - offset < noise[i]) noise[i] = R - offset; - } -- for ( ;; i++, x += 1.f) { -+ for ( ; i < n; i++, x += 1.f) { - - hi = i + fixed / 2; - lo = hi - fixed; --- -2.15.0 - diff --git a/user/libvorbis/CVE-2018-10392.patch b/user/libvorbis/CVE-2018-10392.patch new file mode 100644 index 000000000..a12038a94 --- /dev/null +++ b/user/libvorbis/CVE-2018-10392.patch 
@@ -0,0 +1,25 @@ +From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001 +From: Thomas Daede +Date: Thu, 17 May 2018 16:19:19 -0700 +Subject: [PATCH] Sanity check number of channels in setup. + +Fixes #2335. +--- + lib/vorbisenc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c +index 4fc7b62..64a51b5 100644 +--- a/lib/vorbisenc.c ++++ b/lib/vorbisenc.c +@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){ + highlevel_encode_setup *hi=&ci->hi; + + if(ci==NULL)return(OV_EINVAL); ++ if(vi->channels<1||vi->channels>255)return(OV_EINVAL); + if(!hi->impulse_block_p)i0=1; + + /* too low/high an ATH floater is nonsensical, but doesn't break anything */ +-- +2.22.0 + -- cgit v1.2.3-60-g2f50 From 75224126165d3ed2a97b0773c4e5558e85244c9c Mon Sep 17 00:00:00 2001 From: Max Rees Date: Thu, 29 Aug 2019 13:19:27 -0500 Subject: user/pango: patch for CVE-2019-1010238 (#133) --- user/pango/APKBUILD | 14 +++++++++----- user/pango/CVE-2019-1010238.patch | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 5 deletions(-) create mode 100644 user/pango/CVE-2019-1010238.patch diff --git a/user/pango/APKBUILD b/user/pango/APKBUILD index aff854dc0..c26726d5d 100644 --- a/user/pango/APKBUILD +++ b/user/pango/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: pkgname=pango pkgver=1.42.4 -pkgrel=0 +pkgrel=1 pkgdesc="Library for laying out and rendering text" url="https://www.pango.org/" arch="all" 
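Review bot: Nothing inside this patch file ties it to CVE-2018-10392: the Subject says only "Sanity check number of channels in setup", and "Fixes #2335" refers to a tracker that is not named. Add a short header above the `From` line giving the upstream repository URL for commit 112d3bd0aaacad51305e1464d4b381dabad0e88b and the CVE id, as the expat CVE-2019-15903.patch later on this page does, so the fix can be re-verified on the next rebase. The `255` limit in `if(vi->channels<1||vi->channels>255)` would also read better with a one-line comment saying where it comes from (presumably the 8-bit channel field of the Vorbis identification header; confirm). vorbis_encode_setup_init continues outside the hunk.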
@@ -12,10 +12,14 @@ makedepends="$depends_dev cairo-dev expat-dev fontconfig-dev freetype-dev fribidi-dev glib-dev gobject-introspection-dev harfbuzz-dev libxft-dev" install="$pkgname.pre-deinstall" triggers="$pkgname.trigger=/usr/lib/pango/*/modules" -source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz" +source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz + CVE-2019-1010238.patch" + +# secfixes: +# 1.42.4-r1: +# - CVE-2019-1010238 build () { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -26,9 +30,9 @@ build () { } package() { - cd "$builddir" mkdir -p "$pkgdir"/etc/pango make DESTDIR="$pkgdir" install } -sha512sums="993e97f647eba0c5ed90bcfcb8228bf67fa3f20b1f4331e4e40a30788d7c3ac55eee1209471bf21df125cb8fc6121acc8062a9da2f8a7d6cbe8e9ad13a9320dc pango-1.42.4.tar.xz" +sha512sums="993e97f647eba0c5ed90bcfcb8228bf67fa3f20b1f4331e4e40a30788d7c3ac55eee1209471bf21df125cb8fc6121acc8062a9da2f8a7d6cbe8e9ad13a9320dc pango-1.42.4.tar.xz +d11af8e56c59286f998d136d795d9ed22bea96b7dfaf4e02fe294ab0b147606ecb43ddfbd8caaa0eee1ee27b5a2f5c5a6f6f7a0b3193750649cf6b121cb6de50 CVE-2019-1010238.patch" diff --git a/user/pango/CVE-2019-1010238.patch b/user/pango/CVE-2019-1010238.patch new file mode 100644 index 000000000..cc65b3d53 --- /dev/null +++ b/user/pango/CVE-2019-1010238.patch 
@@ -0,0 +1,34 @@ +From 490f8979a260c16b1df055eab386345da18a2d54 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Wed, 10 Jul 2019 20:26:23 -0400 +Subject: [PATCH] bidi: Be safer against bad input + +Don't run off the end of an array that we +allocated to certain length. + +Closes: https://gitlab.gnome.org/GNOME/pango/issues/342 +--- + pango/pango-bidi-type.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/pango/pango-bidi-type.c b/pango/pango-bidi-type.c +index 3e46b66c..5c02dbbb 100644 +--- a/pango/pango-bidi-type.c ++++ b/pango/pango-bidi-type.c +@@ -181,8 +181,11 @@ pango_log2vis_get_embedding_levels (const gchar *text, + for (i = 0, p = text; p < text + length; p = g_utf8_next_char(p), i++) + { + gunichar ch = g_utf8_get_char (p); +- FriBidiCharType char_type; +- char_type = fribidi_get_bidi_type (ch); ++ FriBidiCharType char_type = fribidi_get_bidi_type (ch); ++ ++ if (i == n_chars) ++ break; ++ + bidi_types[i] = char_type; + ored_types |= char_type; + if (FRIBIDI_IS_STRONG (char_type)) +-- +2.22.0 + -- cgit v1.2.3-60-g2f50 From f0e2ba862dba46fc1243a15da47fab1ae3e9b7d6 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Mon, 2 Sep 2019 19:01:18 -0500 Subject: user/mpg123: bump to 1.25.12 This update fixes an out-of-bounds read and an invalid write. For more information, see http://www.mpg123.de/cgi-bin/news.cgi#2019-08-24 --- user/mpg123/APKBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user/mpg123/APKBUILD b/user/mpg123/APKBUILD index 6948916b2..e21981859 100644 --- a/user/mpg123/APKBUILD +++ b/user/mpg123/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: A. Wilcox pkgname=mpg123 -pkgver=1.25.11 +pkgver=1.25.12 pkgrel=0 pkgdesc="Real time MPEG Audio player for Layers 1, 2 and 3" url="https://www.mpg123.org/" 
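Review bot: The new guard `if (i == n_chars) break;` stops the write only when `i` lands exactly on `n_chars`, and it sits after `g_utf8_get_char` and `fribidi_get_bidi_type` have already run for a character that is then discarded. As a matter of defensive style, `if (i >= n_chars) break;` as the first statement of the loop body does the same job and stays safe if the loop's increment logic is ever changed. The break also silently truncates input whose character count disagrees with `n_chars`; a short comment stating that this case means malformed input would help the next reader. pango_log2vis_get_embedding_levels starts and ends outside the hunk.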
@@ -32,4 +32,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="986338d0f4829ec9e40990cb384746c7abfa80d3b3d5656b6dda73d03e2441c1f28ffbe7f3f82b0008a1c4ebcfa07aeffb493e95f13f7d04cbc818a09f1008ed mpg123-1.25.11.tar.bz2" +sha512sums="fa3c719c68dbe45b265fd7677d0932b07f6a14e7ffe365ede965ff1637e655c4b57c86f7e4cd60cace7df5fcc93d48e0d44f082931394b7c6ef19f5d11638eff mpg123-1.25.12.tar.bz2" -- cgit v1.2.3-60-g2f50 From 03ef76f450eda2661dff1b65f8dcd4b19b8bbfab Mon Sep 17 00:00:00 2001 From: Max Rees Date: Mon, 2 Sep 2019 19:16:27 -0500 Subject: user/vlc: [CVE] bump to 3.0.8 (#182) --- user/vlc/APKBUILD | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/user/vlc/APKBUILD b/user/vlc/APKBUILD index 2dc82dde6..3da8680d2 100644 --- a/user/vlc/APKBUILD +++ b/user/vlc/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Leonardo Arena # Maintainer: A. Wilcox pkgname=vlc -pkgver=3.0.7.1 -pkgrel=2 +pkgver=3.0.8 +pkgrel=0 pkgdesc="Multi-platform MPEG, VCD/DVD, and DivX player" triggers="vlc-libs.trigger=/usr/lib/vlc/plugins" pkgusers="vlc" @@ -11,7 +11,7 @@ pkggroups="vlc" url="https://www.videolan.org/vlc/" arch="all" license="GPL-2.0+" -options="!checkroot textrel" +options="textrel" subpackages="$pkgname-dev $pkgname-doc $pkgname-qt $pkgname-pulse $pkgname-daemon::noarch $pkgname-libs $pkgname-lang" depends="ttf-dejavu xdg-utils" @@ -43,12 +43,25 @@ source="https://get.videolan.org/vlc/$pkgver/vlc-$pkgver.tar.xz omxil-rpi-codecs.patch tar-compat.patch test-s390x.patch - vlc-libs.trigger " # secfixes: vlc_media_player # 3.0.4-r2: # - CVE-2018-19857 +# 3.0.8-r0: +# - CVE-2019-13602 +# - CVE-2019-13615 +# - CVE-2019-13962 +# - CVE-2019-14437 +# - CVE-2019-14438 +# - CVE-2019-14498 +# - CVE-2019-14533 +# - CVE-2019-14534 +# - CVE-2019-14535 +# - CVE-2019-14776 +# - CVE-2019-14777 +# - CVE-2019-14778 +# - CVE-2019-14970 prepare() { default_prepare 
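Review bot: The rewritten line `options="textrel"` keeps the exemption that lets objects with text relocations into the package, and nothing in the APKBUILD hunks says which object or architecture needs it. Text relocations require code pages to be writable at load time, so for a media player that parses untrusted files the exemption is worth re-testing on each bump rather than carrying forward. If 3.0.8 still needs it, record why next to the option, for example `# textrel: <object and arch that still need it>`; if not, drop it.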
@@ -57,7 +70,6 @@ prepare() { build() { local _arch_opts= - cd "$builddir" export CFLAGS="$CFLAGS -D_GNU_SOURCE" case "$CARCH" in @@ -127,7 +139,6 @@ build() { } package() { - cd "$builddir" make DESTDIR="$pkgdir" install # delete cache as it's autocreated by trigger rm -rf "$pkgdir"/usr/lib/vlc/plugins/plugins.dat @@ -137,7 +148,6 @@ package() { } check() { - cd "$builddir" make check } @@ -150,7 +160,7 @@ _mv() { pulse() { pkgdesc="PulseAudio support for VLC" depends="" - install_if="vlc pulseaudio" + install_if="vlc=$pkgver-r$pkgrel pulseaudio" mkdir -p "$subpkgdir"/usr/lib/vlc mv "$pkgdir"/usr/lib/vlc/libvlc_pulse* "$subpkgdir"/usr/lib/vlc/ } @@ -192,7 +202,7 @@ libs() { default_libs } -sha512sums="6b99ae0564630a7a7ca9187c3bb954c601e384522ce93460b73f2dbf31787ce5828daca9f31c781b97db77872d76b6a3e871ff3401d70f1b5829fee7c4e847fd vlc-3.0.7.1.tar.xz +sha512sums="5ade0b350e98fd6fa90035bffabda96f0addb3844a7c0a242b4db1cab6a746e1adb1d713ddcb48ae51a7d1736090f096f5d3b0637a9f958ccf4fcf27e838cf70 vlc-3.0.8.tar.xz 22d80df599b8b65a5439cefbb7140af8e9530f326d54945da3769af65f37518b99ec2cc8647aafd2763324a0698280915afe043cc87e5720c4694881ed35bffa check-headless.patch e214b407235cb3afb8bec93f20c9b42957b57e6fd3960679d3d4235e77762e03e64d03c01f00ef63d589e7c85aaad02ce6abbeeccd66b1867bc92451a5b5e9b0 disable-sub-autodetect-fuzzy-1-test.patch e063c727d952465bbea33f669db49190427521dc8e2291e9a5cbb0f5e8e879bd3ba76855e44bd4630948e30c4329d27bd928f95de20fe1050d5e839778a4d012 endian-fix.patch 
@@ -200,5 +210,4 @@ e063c727d952465bbea33f669db49190427521dc8e2291e9a5cbb0f5e8e879bd3ba76855e44bd463 35f83e38a6a0dd1e3c37e3dc6d63b1406d2f9454ed246854c1408d6f35ad74b743c5b0dbc19442bab65aad4268707ffa85bfda9e72b2d711c1d3412d955bf150 lua.patch e13e398b7bfd977f6e099bcb6cf8dc5cd5bad6dea3eff715881826246dc4329468846084aff2576de2b7fd28d3f06e7c327a6e4511a28d22e5cd198a81146c89 omxil-rpi-codecs.patch a117ca4d7fd66a5f959fdeaddfdce2f8442fe9f2c13995bb7f4792a7745c00813813aa962f76e957e3b0735344a5dc000e0644ce09f23458802a2932231655c3 tar-compat.patch -c0107655249687655846a9547ca1a5670b9207443180600e7a149c69ffb96d7226787c19b018d4033db9b284c1a5faa8d7d42188ed40c3b8bb051256febf11c5 test-s390x.patch -34d899b8b88de2058a8d64ce316389bd3437c0bbcd64a925eec4975adf2bc306a3a8d2e322bad5e3a18b5a28cbb5bf6705d8849dee655daf7e5a4bb007fe07e0 vlc-libs.trigger" +c0107655249687655846a9547ca1a5670b9207443180600e7a149c69ffb96d7226787c19b018d4033db9b284c1a5faa8d7d42188ed40c3b8bb051256febf11c5 test-s390x.patch" -- cgit v1.2.3-60-g2f50 From c1f0e5323ce8e2c68c22e2370311d6043861c4af Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 11 Sep 2019 23:40:37 -0500 Subject: system/libgcrypt: [CVE] bump to 1.8.5 (#119) --- system/libgcrypt/APKBUILD | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/system/libgcrypt/APKBUILD b/system/libgcrypt/APKBUILD index 13797a615..37fda1300 100644 --- a/system/libgcrypt/APKBUILD +++ b/system/libgcrypt/APKBUILD 
@@ -1,20 +1,21 @@ # Maintainer: A. Wilcox pkgname=libgcrypt -pkgver=1.8.4 +pkgver=1.8.5 pkgrel=0 pkgdesc="GnuPG cryptography library" url="https://www.gnupg.org" arch="all" license="LGPL-2.1+" depends="" -depends_dev="libgpg-error-dev" -makedepends="$depends_dev texinfo" +makedepends="libgpg-error-dev texinfo" subpackages="$pkgname-dev $pkgname-doc" source="https://www.gnupg.org/ftp/gcrypt/$pkgname/$pkgname-$pkgver.tar.bz2" -build() { - cd "$builddir" +# secfixes: +# 1.8.5-r0: +# - CVE-2019-13627 +build() { local _arch_configure= case "$CARCH" in arm*) @@ -40,14 +41,12 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make -j1 DESTDIR="$pkgdir" install rm -f ${pkgdir}/usr/share/info/dir } -sha512sums="b831fc337eb14806897e224b0d1e78d1f8e9db91dffa818a015a4aa104144e2d971e5a855904907ee2bb9990a9d526de32d6787e1cae98e28a65c3258b2b1ea1 libgcrypt-1.8.4.tar.bz2" +sha512sums="b55e16e838d1b1208e7673366971ae7c0f9c1c79e042f41c03d14ed74c5e387fa69ea81d5414ffda3d2b4f82ea5467fe13b00115727e257db22808cf351bde89 libgcrypt-1.8.5.tar.bz2" -- cgit v1.2.3-60-g2f50 From f446d9b9ff1db370d47e068d2a074f2b0830f02d Mon Sep 17 00:00:00 2001 From: Max Rees Date: Thu, 12 Sep 2019 02:15:41 -0500 Subject: system/curl: [CVE] bump to 7.66.0, fix network access violation --- system/curl/APKBUILD | 11 ++++++-- ...do-bounds-check-using-a-double-comparison.patch | 32 ---------------------- 2 files changed, 8 insertions(+), 35 deletions(-) delete mode 100644 system/curl/curl-do-bounds-check-using-a-double-comparison.patch diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD index aa6e4c9e7..2cba28dfc 100644 --- a/system/curl/APKBUILD +++ b/system/curl/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Ɓukasz Jendrysik # Maintainer: pkgname=curl -pkgver=7.65.3 +pkgver=7.66.0 pkgrel=0 pkgdesc="An URL retrival utility and library" url="https://curl.haxx.se" 
@@ -17,6 +17,9 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz" subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl" # secfixes: +# 7.66.0-r0: +# - CVE-2019-5481 +# - CVE-2019-5482 # 7.65.1-r0: # - CVE-2019-5435 # - CVE-2019-5436 @@ -91,7 +94,9 @@ build() { } check() { - make check + # -p: print log contents on test failure + # !1592: requires DNS access + make check TFLAGS='-p !1592' } package() { @@ -104,4 +109,4 @@ libcurl() { mv "$pkgdir"/usr/lib "$subpkgdir"/usr } -sha512sums="fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b curl-7.65.3.tar.xz" +sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz" diff --git a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch deleted file mode 100644 index 34e2b6c71..000000000 --- a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001 -From: Adam Sampson -Date: Wed, 9 Aug 2017 14:11:17 +0100 -Subject: [PATCH] curl: do bounds check using a double comparison - -The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't -complete: if the parsed number in num is larger than will fit in a long, -the conversion is undefined behaviour (causing test1427 to fail for me -on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting -rid of the cast means the comparison will be done using doubles. - -It might make more sense for the max argument to also be a double... - -Fixes #1750 -Closes #1749 ---- - src/tool_paramhlp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c -index b9dedc989e..85c5e79a7e 100644 ---- a/src/tool_paramhlp.c -+++ b/src/tool_paramhlp.c -@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max) - num = strtod(str, &endptr); - if(errno == ERANGE) - return PARAM_NUMBER_TOO_LARGE; -- if((long)num > max) { -+ if(num > max) { - /* too large */ - return PARAM_NUMBER_TOO_LARGE; - } -- cgit v1.2.3-60-g2f50 From bea0b80c420c12806a707363e61fd65e2889cb12 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Thu, 12 Sep 2019 05:11:43 -0500 Subject: system/curl: enable libssh2 support --- system/curl/APKBUILD | 1 + 1 file changed, 1 insertion(+) diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD index 2cba28dfc..5e767bcc8 100644 --- a/system/curl/APKBUILD +++ b/system/curl/APKBUILD @@ -86,6 +86,7 @@ build() { --prefix=/usr \ --enable-ipv6 \ --enable-unix-sockets \ + --with-libssh2 \ --without-libidn \ --without-libidn2 \ --disable-ldap \ -- cgit v1.2.3-60-g2f50 From 9131a5fae6a17355286ebd41b37756dd2870464c Mon Sep 17 00:00:00 2001 
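Review bot: `--with-libssh2` is the only line this commit adds (the diffstat shows one insertion), so `makedepends` is unchanged and lies outside the hunk. If `libssh2-dev` is not already declared there, whether configure finds the library depends on what happens to be installed on the build host, so confirm it is listed. The change also alters the built package (SCP/SFTP support and a new runtime library dependency) without touching `pkgrel`, which matters if the 7.66.0-r0 from the previous commit was already published. build() continues outside the hunk.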
From: Max Rees Date: Fri, 13 Sep 2019 14:08:26 -0500 Subject: user/links: [NO CVE] bump to 2.20.1 This update fixes a DNS leak when using tor. For more information, consult the changelog: http://links.twibright.com/download/ChangeLo --- user/links/APKBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user/links/APKBUILD b/user/links/APKBUILD index b3ade3cb2..5761ea7be 100644 --- a/user/links/APKBUILD +++ b/user/links/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: A. Wilcox pkgname=links -pkgver=2.19 +pkgver=2.20.1 pkgrel=0 pkgdesc="Text Web browser, similar to Lynx" url="http://links.twibright.com/" @@ -28,4 +28,4 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="8716cea6feb5a02b59d7e2dd5bfd0af9b2ac2a4427c0f98a3c8a8eaabca31e7a96c16888c0de19976749485b3cdbf75cbff88a37cd3b58700c1f090acec328ea links-2.19.tar.bz2" +sha512sums="c7258e303a2012e9016385abd1e8882ffec47dd3baf479a54448742e41b03508d874387af6ea97c7ef9c4d37f2eecbe7bc0121d923df79b0f455f4f466747ca2 links-2.20.1.tar.bz2" -- cgit v1.2.3-60-g2f50 From e0810a8bc36196b7141f4802b43f621e0358577d Mon Sep 17 00:00:00 2001 From: Max Rees Date: Fri, 13 Sep 2019 14:23:48 -0500 Subject: system/expat: [CVE] patch CVE-2019-15903 (#192) --- system/expat/APKBUILD | 10 ++- system/expat/CVE-2019-15903.patch | 181 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 188 insertions(+), 3 deletions(-) create mode 100644 system/expat/CVE-2019-15903.patch diff --git a/system/expat/APKBUILD b/system/expat/APKBUILD index 088d9d9b1..4a6f547e3 100644 --- a/system/expat/APKBUILD +++ b/system/expat/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox pkgname=expat pkgver=2.2.7 -pkgrel=0 +pkgrel=1 pkgdesc="An XML Parser library written in C" url="https://libexpat.github.io/" arch="all" 
@@ -10,13 +10,16 @@ depends="" checkdepends="bash" makedepends="" subpackages="$pkgname-dev $pkgname-doc" -source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2" +source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2 + CVE-2019-15903.patch" # secfixes: # 2.2.1-r0: # - CVE-2016-9063 # 2.2.0-r1: # - CVE-2017-9233 +# 2.2.7-r1: +# - CVE-2019-15903 build() { ./configure \ @@ -35,4 +38,5 @@ package() { make DESTDIR="$pkgdir/" install } -sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2" +sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2 +02d1719307dffdab98e90f242a77aa61cab79ae63ea28d6fa1219b4191d7247e5c319d3adf9781c9086e392c05fd6b6558051b0792ade5cb6c64e7583c67a70d CVE-2019-15903.patch" diff --git a/system/expat/CVE-2019-15903.patch b/system/expat/CVE-2019-15903.patch new file mode 100644 index 000000000..c81e72bbb --- /dev/null +++ b/system/expat/CVE-2019-15903.patch 
@@ -0,0 +1,181 @@ +Grabbed from Debian since upstream patch does not apply to 2.2.7. + +https://sources.debian.org/patches/expat/2.2.7-2/CVE-2019-15903_Deny_internal_entities_closing_the_doctype.patch/ +https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43 + +From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 28 Aug 2019 00:24:59 +0200 +Subject: [PATCH 1/3] xmlparse.c: Deny internal entities closing the doctype + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 0553e3df..c29a6449 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -405,7 +405,7 @@ initializeEncoding(XML_Parser parser); + static enum XML_Error + doProlog(XML_Parser parser, const ENCODING *enc, const char *s, + const char *end, int tok, const char *next, const char **nextPtr, +- XML_Bool haveMore); ++ XML_Bool haveMore, XML_Bool allowClosingDoctype); + static enum XML_Error + processInternalEntity(XML_Parser parser, ENTITY *entity, + XML_Bool betweenDecl); +@@ -4232,7 +4232,7 @@ externalParEntProcessor(XML_Parser parse + + parser->m_processor = prologProcessor; + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error PTRCALL +@@ -4282,7 +4282,7 @@ prologProcessor(XML_Parser parser, + const char *next = s; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error +@@ -4293,7 +4293,8 @@ doProlog(XML_Parser parser, + int tok, + const char *next, + const char **nextPtr, +- XML_Bool haveMore) ++ XML_Bool haveMore, ++ XML_Bool allowClosingDoctype) + { + #ifdef XML_DTD + static const XML_Char externalSubsetName[] = { 
ASCII_HASH , '\0' }; +@@ -4472,6 +4473,11 @@ doProlog(XML_Parser parser, + } + break; + case XML_ROLE_DOCTYPE_CLOSE: ++ if (allowClosingDoctype != XML_TRUE) { ++ /* Must not close doctype from within expanded parameter entities */ ++ return XML_ERROR_INVALID_TOKEN; ++ } ++ + if (parser->m_doctypeName) { + parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, + parser->m_doctypeSysid, parser->m_doctypePubid, 0); +@@ -5409,7 +5415,7 @@ processInternalEntity(XML_Parser parser, + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_FALSE); + } + else + #endif /* XML_DTD */ +@@ -5456,7 +5462,7 @@ internalEntityProcessor(XML_Parser parse + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_TRUE); + } + else + #endif /* XML_DTD */ +@@ -5483,7 +5489,7 @@ internalEntityProcessor(XML_Parser parse + parser->m_processor = prologProcessor; + tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + else + #endif /* XML_DTD */ + +From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 28 Aug 2019 15:14:19 +0200 +Subject: [PATCH 3/3] tests: Cover denying internal entities closing the + doctype + +diff --git a/tests/runtests.c b/tests/runtests.c +index b0d1b0af..e102a55e 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -8151,6 +8151,68 @@ START_TEST(test_misc_utf16le) + } + END_TEST + ++#ifdef XML_DTD 
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { ++ const char *const inputOne = "'>\n" ++ "\n" ++ "%e;"; ++ const char *const inputTwo = "'>\n" ++ "\n" ++ "%e2;"; ++ const char *const inputThree = "\n" ++ "\n" ++ "%e;"; ++ const char *const inputIssue317 = "\n" ++ "Hell'>\n" ++ "%foo;\n" ++ "]>\n" ++ "Hello, world"; ++ ++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; ++ size_t inputIndex = 0; ++ ++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { ++ XML_Parser parser; ++ enum XML_Status parseResult; ++ int setParamEntityResult; ++ XML_Size lineNumber; ++ XML_Size columnNumber; ++ const char *const input = inputs[inputIndex]; ++ ++ parser = XML_ParserCreate(NULL); ++ setParamEntityResult ++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (setParamEntityResult != 1) ++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); ++ ++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); ++ if (parseResult != XML_STATUS_ERROR) { ++ parseResult = XML_Parse(parser, "", 0, 1); ++ if (parseResult != XML_STATUS_ERROR) { ++ fail("Parsing was expected to fail but succeeded."); ++ } ++ } ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) ++ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); ++ ++ lineNumber = XML_GetCurrentLineNumber(parser); ++ if (lineNumber != 4) ++ fail("XML_GetCurrentLineNumber does not work as expected."); ++ ++ columnNumber = XML_GetCurrentColumnNumber(parser); ++ if (columnNumber != 0) ++ fail("XML_GetCurrentColumnNumber does not work as expected."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++#endif + + static void + alloc_setup(void) +@@ -12251,6 +12313,10 @@ make_suite(void) + tcase_add_test(tc_misc, test_misc_features); + tcase_add_test(tc_misc, test_misc_attribute_leak); + tcase_add_test(tc_misc, test_misc_utf16le); ++#ifdef XML_DTD ++ tcase_add_test(tc_misc, ++ 
test_misc_deny_internal_entity_closing_doctype_issue_317); ++#endif + + suite_add_tcase(s, tc_alloc); + tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown); -- cgit v1.2.3-60-g2f50 From 99cd353f10d8e0b327f269103c7dfca3fbad5885 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Fri, 13 Sep 2019 16:33:48 -0500 Subject: system/openssl: [CVE] bump to 1.0.2t (#198) --- system/openssl/APKBUILD | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD index 984cb486a..513b87d0d 100644 --- a/system/openssl/APKBUILD +++ b/system/openssl/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: A. Wilcox pkgname=openssl -pkgver=1.0.2s +pkgver=1.0.2t pkgrel=0 pkgdesc="Toolkit for SSL v2/v3 and TLS v1" url="https://www.openssl.org/" @@ -66,12 +66,12 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz # - CVE-2018-0734 # - CVE-2018-5407 # - CVE-2019-1559 - -builddir="$srcdir"/$pkgname-$pkgver +# 1.0.2t-r0: +# - CVE-2019-1547 +# - CVE-2019-1563 build() { local _target _optflags - cd "$builddir" # openssl will prepend crosscompile always core CC et al CC=${CC#${CROSS_COMPILE}} @@ -107,12 +107,10 @@ build() { } check() { - cd "$builddir" make -j1 test } package() { - cd "$builddir" make INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install # remove the script c_rehash rm "$pkgdir"/usr/bin/c_rehash 
@@ -144,7 +142,7 @@ dev() { default_dev } -sha512sums="9f745452c4f777df694158e95003cde78a2cf8199bc481a563ec36644664c3c1415a774779b9791dd18f2aeb57fa1721cb52b3db12d025955e970071d5b66d2a openssl-1.0.2s.tar.gz +sha512sums="0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71 openssl-1.0.2t.tar.gz 58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch 5d4191482f8bbf62c75fe6bc2d9587388022c3310703c2a913788a983b1d1406e706cf3916a5792604f0b0f220a87432d3b82b442cea9915f2abb6fdd8478fcb 0005-fix-parallel-build.patch -- cgit v1.2.3-60-g2f50 From b38e3feeab3ad2e4aa95d1b5a1cd5863185280c0 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Tue, 17 Sep 2019 14:15:45 -0500 Subject: user/wpa_supplicant: patch CVE-2019-16275 --- user/wpa_supplicant/APKBUILD | 6 ++- user/wpa_supplicant/CVE-2019-16275.patch | 73 ++++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 user/wpa_supplicant/CVE-2019-16275.patch diff --git a/user/wpa_supplicant/APKBUILD b/user/wpa_supplicant/APKBUILD index 5d1a35b4e..dbd22b8c7 100644 --- a/user/wpa_supplicant/APKBUILD +++ b/user/wpa_supplicant/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=wpa_supplicant pkgver=2.9 -pkgrel=0 +pkgrel=1 pkgdesc="Utility providing key negotiation for WPA wireless networks" url="https://w1.fi/wpa_supplicant/" arch="all" @@ -17,6 +17,7 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz wpa_supplicant.conf dbus.patch eloop.patch + CVE-2019-16275.patch config wpa_cli.sh" 
@@ -32,6 +33,8 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz # - CVE-2017-13086 # - CVE-2017-13087 # - CVE-2017-13088 +# 2.9-r1: +# - CVE-2019-16275 prepare() { default_prepare @@ -104,5 +107,6 @@ sha512sums="37a33f22cab9d27084fbef29856eaea0f692ff339c5b38bd32402dccf293cb849afd f8b224b6c5a8adf378d8224beb49f2a99817d303f7e6a724943ecb3313ae85ce0fdd8291a20c95563470681ebf5d991ffa31094b9171e470e9690b38bba25738 wpa_supplicant.conf dac56bc505a51167042ebe548f0e81a20a5578f753af9bb7ec3335a542d799c6e8739681ef7c8f7747a9bc954f8aa6f1a147250eacba17fd7fff80c4e53638ed dbus.patch 2be055dd1f7da5a3d8e79c2f2c0220ddd31df309452da18f290144d2112d6dbde0fc633bb2ad02c386a39d7785323acaf5f70e5969995a1e8303a094eb5fe232 eloop.patch +63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch 221660fa0350442a7d8371686b2118861052a4613fb352b7f80079e3750b82f4e48efc378b9d617455007d1106552b695fdca506a3c338283986641f3848b202 config 45d3e70c47d0f7d6dc6730853af8cbcb40ed0713ee7b1069698f5a635939f273f66e72d4221e064c3c71a92154cf07841c8c0d4fc14d796dbb6fe0d92776ee2b wpa_cli.sh" diff --git a/user/wpa_supplicant/CVE-2019-16275.patch b/user/wpa_supplicant/CVE-2019-16275.patch new file mode 100644 index 000000000..d764a9db0 --- /dev/null +++ b/user/wpa_supplicant/CVE-2019-16275.patch 
@@ -0,0 +1,73 @@ +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. 
*/ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.20.1 + -- cgit v1.2.3-60-g2f50 From eb78aceece24112442a5bccc7ec52e99c0343a07 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Tue, 17 Sep 2019 14:39:56 -0500 Subject: user/faad2: 2.8.8-r2 no longer exists --- user/faad2/APKBUILD | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/user/faad2/APKBUILD b/user/faad2/APKBUILD index 6b1fc47b1..970d16f7e 100644 --- a/user/faad2/APKBUILD +++ b/user/faad2/APKBUILD 
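Review bot: The new guard in hostapd_notif_assoc returns 0 for an invalid source address while the no-address guard directly above it returns -1, and the added comment explains why the indication is dropped but not why the drop is reported as success. If the 0 is deliberate (the indication is discarded rather than treated as a failure), say so next to the return, e.g. `/* return 0: dropped on purpose, not an error for the caller */`. The same three-part address test is repeated in ieee802_11_mgmt in the second file of this patch, so the two copies have to be kept in step. Both function bodies continue outside the hunks shown.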
@@ -18,21 +18,20 @@ builddir="$srcdir/$pkgname-$_pkgver" # 2.8.8-r1: # - CVE-2018-19502 # - CVE-2019-15296 -# 2.8.8-r2: -# - CVE-2019-6956 -# - CVE-2018-20196 -# - CVE-2018-20199 -# - CVE-2018-20360 # 2.9.0-r0: +# - CVE-2019-6956 # - CVE-2018-19503 # - CVE-2018-19504 # - CVE-2018-20194 # - CVE-2018-20195 +# - CVE-2018-20196 # - CVE-2018-20197 # - CVE-2018-20198 +# - CVE-2018-20199 # - CVE-2018-20357 # - CVE-2018-20358 # - CVE-2018-20359 +# - CVE-2018-20360 # - CVE-2018-20361 # - CVE-2018-20362 -- cgit v1.2.3-60-g2f50 From f6242ae2f1469ee2f390a4da8e686b0374048698 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Tue, 17 Sep 2019 16:02:23 -0500 Subject: user/opencv: patch CVE-2019-16249 --- user/opencv/APKBUILD | 10 +++++-- user/opencv/CVE-2019-16249.patch | 57 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 2 deletions(-) create mode 100644 user/opencv/CVE-2019-16249.patch diff --git a/user/opencv/APKBUILD b/user/opencv/APKBUILD index 76403ac60..a8a38c149 100644 --- a/user/opencv/APKBUILD +++ b/user/opencv/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=opencv pkgver=4.1.1 -pkgrel=0 +pkgrel=1 pkgdesc="Computer vision and machine learning software library" url="https://opencv.org" arch="all" @@ -15,8 +15,13 @@ makedepends="cmake doxygen ffmpeg-dev gst-plugins-base-dev gtk+2.0-dev subpackages="$pkgname-dev $pkgname-libs" source="opencv-$pkgver.tar.gz::https://github.com/opencv/opencv/archive/$pkgver.tar.gz cmake-license.patch + CVE-2019-16249.patch " +# secfixes: +# 4.1.1-r1: +# - CVE-2019-16249 + prepare() { default_prepare # purge 3rd party except carotene 
@@ -61,4 +66,5 @@ package() { } sha512sums="80fa48d992ca06a2a4ab6740df6d8c21f4926165486b393969da2c5bbe2f3a0b799fb76dee5e3654e90c743e49bbd2b5b02ad59a4766896bbf4cd5b4e3251e0f opencv-4.1.1.tar.gz -ffa6930086051c545a44d28b8e428de7faaeecf961cdee6eef007b2b01db7e5897c6f184b1059df9763c1bcd90f88b9ead710dc13b51a608f21d683f55f39bd6 cmake-license.patch" +ffa6930086051c545a44d28b8e428de7faaeecf961cdee6eef007b2b01db7e5897c6f184b1059df9763c1bcd90f88b9ead710dc13b51a608f21d683f55f39bd6 cmake-license.patch +39f2f9abb1051220d6b842e9337c3636ee229781c7efcc92e987dae47ac82072dc95568e6a766e01329ee61c0a3be4efdd82aa3b56c011b44e175444d81c134d CVE-2019-16249.patch" diff --git a/user/opencv/CVE-2019-16249.patch b/user/opencv/CVE-2019-16249.patch new file mode 100644 index 000000000..a7f0027ac --- /dev/null +++ b/user/opencv/CVE-2019-16249.patch 
@@ -0,0 +1,57 @@ +From cd7fa04985b10db5e66de542725d0da57f0d10b6 Mon Sep 17 00:00:00 2001 +From: Vitaly Tuzov +Date: Tue, 17 Sep 2019 15:53:18 +0300 +Subject: [PATCH] Fixed out of bound reading in DIS optical flow evaluation + implementation + +--- + modules/video/src/dis_flow.cpp | 18 +++++------------- + 1 file changed, 5 insertions(+), 13 deletions(-) + +diff --git a/modules/video/src/dis_flow.cpp b/modules/video/src/dis_flow.cpp +index 85400c71ca7..a260b8726bb 100644 +--- a/modules/video/src/dis_flow.cpp ++++ b/modules/video/src/dis_flow.cpp +@@ -494,7 +494,6 @@ DISOpticalFlowImpl::PatchInverseSearch_ParBody::PatchInverseSearch_ParBody(DISOp + v_float32x4 w10v = v_setall_f32(w10); \ + v_float32x4 w11v = v_setall_f32(w11); \ + \ +- v_uint8x16 I0_row_16, I1_row_16, I1_row_shifted_16, I1_row_next_16, I1_row_next_shifted_16; \ + v_uint16x8 I0_row_8, I1_row_8, I1_row_shifted_8, I1_row_next_8, I1_row_next_shifted_8, tmp; \ + v_uint32x4 I0_row_4_left, I1_row_4_left, I1_row_shifted_4_left, I1_row_next_4_left, I1_row_next_shifted_4_left; \ + v_uint32x4 I0_row_4_right, I1_row_4_right, I1_row_shifted_4_right, I1_row_next_4_right, \ +@@ -502,29 +501,22 @@ DISOpticalFlowImpl::PatchInverseSearch_ParBody::PatchInverseSearch_ParBody(DISOp + v_float32x4 I_diff_left, I_diff_right; \ + \ + /* Preload and expand the first row of I1: */ \ +- I1_row_16 = v_load(I1_ptr); \ +- I1_row_shifted_16 = v_extract<1>(I1_row_16, I1_row_16); \ +- v_expand(I1_row_16, I1_row_8, tmp); \ +- v_expand(I1_row_shifted_16, I1_row_shifted_8, tmp); \ ++ I1_row_8 = v_load_expand(I1_ptr); \ ++ I1_row_shifted_8 = v_load_expand(I1_ptr + 1); \ + v_expand(I1_row_8, I1_row_4_left, I1_row_4_right); \ + v_expand(I1_row_shifted_8, I1_row_shifted_4_left, I1_row_shifted_4_right); \ + I1_ptr += I1_stride; + + #define HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION \ + /* Load the next row of I1: */ \ +- I1_row_next_16 = v_load(I1_ptr); \ +- /* Circular shift left by 1 element: */ \ +- I1_row_next_shifted_16 = 
v_extract<1>(I1_row_next_16, I1_row_next_16); \ +- /* Expand to 8 ushorts (we only need the first 8 values): */ \ +- v_expand(I1_row_next_16, I1_row_next_8, tmp); \ +- v_expand(I1_row_next_shifted_16, I1_row_next_shifted_8, tmp); \ ++ I1_row_next_8 = v_load_expand(I1_ptr); \ ++ I1_row_next_shifted_8 = v_load_expand(I1_ptr + 1); \ + /* Separate the left and right halves: */ \ + v_expand(I1_row_next_8, I1_row_next_4_left, I1_row_next_4_right); \ + v_expand(I1_row_next_shifted_8, I1_row_next_shifted_4_left, I1_row_next_shifted_4_right); \ + \ + /* Load current row of I0: */ \ +- I0_row_16 = v_load(I0_ptr); \ +- v_expand(I0_row_16, I0_row_8, tmp); \ ++ I0_row_8 = v_load_expand(I0_ptr); \ + v_expand(I0_row_8, I0_row_4_left, I0_row_4_right); \ + \ + /* Compute diffs between I0 and bilinearly interpolated I1: */ \ -- cgit v1.2.3-60-g2f50 From f5e2b019160afc329b746f9c6a890934e480611e Mon Sep 17 00:00:00 2001 From: Max Rees Date: Mon, 23 Sep 2019 06:11:32 -0500 Subject: user/vlc: fix initd / confd install --- user/vlc/APKBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user/vlc/APKBUILD b/user/vlc/APKBUILD index 3da8680d2..e2a1dbf2a 100644 --- a/user/vlc/APKBUILD +++ b/user/vlc/APKBUILD @@ -189,8 +189,8 @@ daemon() { mkdir -p "$subpkgdir" cd "$pkgdir" - install -D -m755 ../../vlc.initd $subpkgdir/etc/init.d/vlc - install -D -m664 ../../vlc.confd $subpkgdir/etc/conf.d/vlc + install -D -m755 "$srcdir"/vlc.initd "$subpkgdir"/etc/init.d/vlc + install -D -m664 "$srcdir"/vlc.confd "$subpkgdir"/etc/conf.d/vlc install -d -o vlc -g vlc "$subpkgdir"/var/log/vlc } -- cgit v1.2.3-60-g2f50 From b0e0d5808b32e66e12d096a66854b7bc65d418f9 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Mon, 23 Sep 2019 06:29:38 -0500 Subject: user/vlc: no, really, I mean it this time :TM: --- user/vlc/APKBUILD | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/user/vlc/APKBUILD b/user/vlc/APKBUILD index e2a1dbf2a..6c9a23c97 100644 --- a/user/vlc/APKBUILD 
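Review bot: The shifted load `v_load_expand(I1_ptr + 1)` still reads one element past the eight that `v_load_expand(I1_ptr)` covers, so each I1 row needs nine readable bytes from I1_ptr, and nothing in the macros states that requirement. This assumes v_load_expand on a uchar pointer loads eight elements; whether the ninth byte always lies inside the I1 buffer depends on its border, which is not visible here. A comment above the preload, such as `/* reads I1_ptr[0..8]: callers must guarantee 9 readable bytes per row */`, would record the bound the fix relies on. The same applies to the next-row load in HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION; the first macro starts outside the hunk.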
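Review bot: The rewritten line still installs `/etc/conf.d/vlc` with mode 664, which leaves the service configuration group-writable; conf.d files are normally read by the init script, so write access is best kept to the owner. Unless a group is meant to edit the file, use `install -D -m644 "$srcdir"/vlc.confd "$subpkgdir"/etc/conf.d/vlc`. daemon() starts outside this hunk.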
+++ b/user/vlc/APKBUILD @@ -43,6 +43,9 @@ source="https://get.videolan.org/vlc/$pkgver/vlc-$pkgver.tar.xz omxil-rpi-codecs.patch tar-compat.patch test-s390x.patch + + $pkgname.initd + $pkgname.confd " # secfixes: vlc_media_player @@ -210,4 +213,6 @@ e063c727d952465bbea33f669db49190427521dc8e2291e9a5cbb0f5e8e879bd3ba76855e44bd463 35f83e38a6a0dd1e3c37e3dc6d63b1406d2f9454ed246854c1408d6f35ad74b743c5b0dbc19442bab65aad4268707ffa85bfda9e72b2d711c1d3412d955bf150 lua.patch e13e398b7bfd977f6e099bcb6cf8dc5cd5bad6dea3eff715881826246dc4329468846084aff2576de2b7fd28d3f06e7c327a6e4511a28d22e5cd198a81146c89 omxil-rpi-codecs.patch a117ca4d7fd66a5f959fdeaddfdce2f8442fe9f2c13995bb7f4792a7745c00813813aa962f76e957e3b0735344a5dc000e0644ce09f23458802a2932231655c3 tar-compat.patch -c0107655249687655846a9547ca1a5670b9207443180600e7a149c69ffb96d7226787c19b018d4033db9b284c1a5faa8d7d42188ed40c3b8bb051256febf11c5 test-s390x.patch" +c0107655249687655846a9547ca1a5670b9207443180600e7a149c69ffb96d7226787c19b018d4033db9b284c1a5faa8d7d42188ed40c3b8bb051256febf11c5 test-s390x.patch +55e245190b443dde9c7215ea5210612fcca164900a9a4b025ccf0d1e3fc5206d00b52355b256974421e37c609875627f1db19f0f5a084511aec0daf677ecc9d6 vlc.initd +d89190dca1b8b2c3faca5863dc6c7e6eb24e05178e6f75ed752fd3c6a73cb8a42d2625b6e56453296b7096ea868be642ecd42745dac20e7f13fc67dd3c3c7c49 vlc.confd" -- cgit v1.2.3-60-g2f50 From 9d975a16f6054ccfa09bcd932da9f18eff7d37d1 Mon Sep 17 00:00:00 2001 
From: Max Rees Date: Tue, 24 Sep 2019 17:04:51 -0500 Subject: user/djvulibre: patch multiple CVEs (#185) --- user/djvulibre/APKBUILD | 25 ++++++-- user/djvulibre/CVE-2019-15142.patch | 94 +++++++++++++++++++++++++++++ user/djvulibre/CVE-2019-15143.patch | 46 ++++++++++++++ user/djvulibre/CVE-2019-15144.patch | 117 ++++++++++++++++++++++++++++++++++++ user/djvulibre/CVE-2019-15145.patch | 34 +++++++++++ 5 files changed, 310 insertions(+), 6 deletions(-) create mode 100644 user/djvulibre/CVE-2019-15142.patch create mode 100644 user/djvulibre/CVE-2019-15143.patch create mode 100644 user/djvulibre/CVE-2019-15144.patch create mode 100644 user/djvulibre/CVE-2019-15145.patch diff --git a/user/djvulibre/APKBUILD b/user/djvulibre/APKBUILD index a90485e6a..2b4a3ed0e 100644 --- a/user/djvulibre/APKBUILD +++ b/user/djvulibre/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=djvulibre pkgver=3.5.27 -pkgrel=0 +pkgrel=1 pkgdesc="Format for distributing documents and images" url="http://djvu.sourceforge.net/" arch="all" @@ -11,10 +11,20 @@ depends="" depends_dev="" makedepends="$depends_dev imagemagick libjpeg-turbo-dev tiff-dev" subpackages="$pkgname-dev $pkgname-doc" -source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz" +source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz + CVE-2019-15142.patch + CVE-2019-15143.patch + CVE-2019-15144.patch + CVE-2019-15145.patch" + +# secfixes: +# 3.5.27-r1: +# - CVE-2019-15142 +# - CVE-2019-15143 +# - CVE-2019-15144 +# - CVE-2019-15145 build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ 
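Review bot: The order of the four patches in `source=` is load-bearing but nothing says so: the DjVmDir.cpp hunk of CVE-2019-15143.patch removes `G_THROW( "DjVu document is corrupted (DjVmDir)" );`, a line that only exists once CVE-2019-15142.patch has been applied. Re-sorting the list or dropping the first patch would make the second one fail to apply, or apply with fuzz. Add a comment above the assignment, e.g. `# keep order: CVE-2019-15143.patch applies on top of CVE-2019-15142.patch (DjVmDir.cpp)`.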
@@ -26,13 +36,16 @@ build() { } check() { - cd "$builddir" + # This doesn't actually do anything yet make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } -sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252e4769e6534582b826e49bcfb490513179580fab9c3afa84aa92053ccebee djvulibre-3.5.27.tar.gz" +sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252e4769e6534582b826e49bcfb490513179580fab9c3afa84aa92053ccebee djvulibre-3.5.27.tar.gz +d9e4301fb98a35b8c2f1854eb4be53611f98b3fc9fdd357dd5502b5b189bdf61957a48b220f3ab7465bbf1df8606ce04513e10df74643a9e289c349f94721561 CVE-2019-15142.patch +3527e1c84f7c7d36f902cb3d7e9ddb6866acbdd4b47675ce3ffd164accf2e2931a4c6bbaae2ea775b4710d88ae34dd4dcd39a5846fce13bef2c82a99d608b8c1 CVE-2019-15143.patch +f8f1abf328a97d69514b2626e4c6449c0c7b7e2b5518d56bba6a61a944aaf4b7fffd1371c26396353728f6a1399c6d87492af5c17e6b623dae7751b81eac11f9 CVE-2019-15144.patch +790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068 CVE-2019-15145.patch" diff --git a/user/djvulibre/CVE-2019-15142.patch b/user/djvulibre/CVE-2019-15142.patch new file mode 100644 index 000000000..84ed64e24 --- /dev/null +++ b/user/djvulibre/CVE-2019-15142.patch 
@@ -0,0 +1,94 @@ +Lifted from SUSE: backport of two upstream commits + +https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e +https://sourceforge.net/p/djvu/djvulibre-git/ci/89d71b01d606e57ecec2c2930c145bb20ba5bbe3 +https://bugzilla.suse.com/show_bug.cgi?id=1146702#c3 +https://build.opensuse.org/package/view_file/graphics/djvulibre/djvulibre-CVE-2019-15142.patch + +Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp +=================================================================== +--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200 ++++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200 +@@ -300,36 +300,44 @@ DjVmDir::decode(const GP &gs + memcpy((char*) strings+strings_size, buffer, length); + } + DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); +- +- // Copy names into the files ++ int strings_size=strings.size(); ++ strings.resize(strings_size+3); ++ memset((char*) strings+strings_size, 0, 4); ++ ++ // Copy names into the files + const char * ptr=strings; + for(pos=files_list;pos;++pos) + { + GP file=files_list[pos]; +- ++ if (ptr >= (const char*)strings + strings_size) ++ G_THROW( "DjVu document is corrupted (DjVmDir)" ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) + { +- file->name=ptr; +- ptr+=file->name.length()+1; +- } else ++ file->name=ptr; ++ ptr+=file->name.length()+1; ++ } ++ else + { + file->name=file->id; + } + if (file->flags & File::HAS_TITLE) + { +- file->title=ptr; +- ptr+=file->title.length()+1; +- } else +- file->title=file->id; +- /* msr debug: multipage file, file->title is null. ++ file->title=ptr; ++ ptr+=file->title.length()+1; ++ } ++ else ++ { ++ file->title=file->id; ++ } ++ /* msr debug: multipage file, file->title is null. 
+ DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " << + file->offset << ", " << file->size << ", " << + file->is_page() << "\n"); */ + } + +- // Check that there is only one file with SHARED_ANNO flag on ++ // Check that there is only one file with SHARED_ANNO flag on + int shared_anno_cnt=0; + for(pos=files_list;pos;++pos) + { +Index: djvulibre-3.5.27/libdjvu/miniexp.cpp +=================================================================== +--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100 ++++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200 +@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i + { + if (char_quoted(c, flags)) + { +- char buffer[10]; ++ char buffer[16]; /* 10+1 */ + static const char *tr1 = "\"\\tnrbf"; + static const char *tr2 = "\"\\\t\n\r\b\f"; + buffer[0] = buffer[1] = 0; +Index: djvulibre-3.5.27/tools/csepdjvu.cpp +=================================================================== +--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200 ++++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200 +@@ -1814,7 +1814,7 @@ main(int argc, const char **argv) + ByteStream::create(GURL::Filename::UTF8(arg),"rb"); + BufferByteStream ibs(*fbs); + do { +- char pagename[16]; ++ char pagename[20]; + sprintf(pagename, "p%04d.djvu", ++pageno); + if (opts.verbose > 1) + DjVuPrintErrorUTF8("%s","--------------------\n"); diff --git a/user/djvulibre/CVE-2019-15143.patch b/user/djvulibre/CVE-2019-15143.patch new file mode 100644 index 000000000..db04087e1 --- /dev/null +++ b/user/djvulibre/CVE-2019-15143.patch 
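Review bot: In DjVmDir::decode the padding `strings.resize(strings_size+3)` followed by `memset((char*) strings+strings_size, 0, 4)` reads as a one-byte overrun unless resize() takes the new upper index rather than a length, which the hunk does not show. The bounds check on `ptr` runs once per file entry while id, name and title are then read back to back, so the zero padding is what terminates those reads; a comment such as `/* pad with 4 NULs (resize takes hibound): id, name and title are read after a single bounds check */` would make that explicit. Separately, `sprintf(pagename, "p%04d.djvu", ++pageno)` in csepdjvu.cpp is made safe only by the larger array; `snprintf(pagename, sizeof(pagename), "p%04d.djvu", ++pageno)` would stay safe whatever the array size. decode() and main() both continue outside the hunks.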
@@ -0,0 +1,46 @@ +From b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Tue, 26 Mar 2019 20:45:46 -0400 +Subject: [PATCH] fix for bug #297 + +--- + libdjvu/DjVmDir.cpp | 2 +- + libdjvu/GBitmap.cpp | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp +index 0a0fac6..5a49015 100644 +--- a/libdjvu/DjVmDir.cpp ++++ b/libdjvu/DjVmDir.cpp +@@ -309,7 +309,7 @@ DjVmDir::decode(const GP &gstr) + { + GP file=files_list[pos]; + if (ptr >= (const char*)strings + strings_size) +- G_THROW( "DjVu document is corrupted (DjVmDir)" ); ++ G_THROW( ByteStream::EndOfFile ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) +diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp +index 0e487f0..c2fdbe4 100644 +--- a/libdjvu/GBitmap.cpp ++++ b/libdjvu/GBitmap.cpp +@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs) + int c = 0; + while (n >= 0) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + int x = h; + if (x >= (int)RUNOVERFLOWVALUE) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + x = h + ((x - (int)RUNOVERFLOWVALUE) << 8); + } + if (c+x > ncolumns) +-- +2.22.1 + diff --git a/user/djvulibre/CVE-2019-15144.patch b/user/djvulibre/CVE-2019-15144.patch new file mode 100644 index 000000000..1b0c71c5f --- /dev/null +++ b/user/djvulibre/CVE-2019-15144.patch 
@@ -0,0 +1,117 @@ +From e15d51510048927f172f1bf1f27ede65907d940d Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Mon, 8 Apr 2019 22:25:55 -0400 +Subject: [PATCH] bug 299 fixed + +--- + libdjvu/GContainer.h | 87 ++++++++++++++++++++++++-------------------- + 1 file changed, 48 insertions(+), 39 deletions(-) + +diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h +index 96b067c..0140211 100644 +--- a/libdjvu/GContainer.h ++++ b/libdjvu/GContainer.h +@@ -550,52 +550,61 @@ public: + template void + GArrayTemplate::sort(int lo, int hi) + { +- if (hi <= lo) +- return; +- if (hi > hibound || lo hibound || lo=lo) && !(data[j]<=tmp)) +- data[j+1] = data[j]; +- data[j+1] = tmp; ++ for (int i=lo+1; i<=hi; i++) ++ { ++ int j = i; ++ TYPE tmp = data[i]; ++ while ((--j>=lo) && !(data[j]<=tmp)) ++ data[j+1] = data[j]; ++ data[j+1] = tmp; ++ } ++ return; + } +- return; +- } +- // -- determine suitable quick-sort pivot +- TYPE tmp = data[lo]; +- TYPE pivot = data[(lo+hi)/2]; +- if (pivot <= tmp) +- { tmp = pivot; pivot=data[lo]; } +- if (data[hi] <= tmp) +- { pivot = tmp; } +- else if (data[hi] <= pivot) +- { pivot = data[hi]; } +- // -- partition set +- int h = hi; +- int l = lo; +- while (l < h) +- { +- while (! (pivot <= data[l])) l++; +- while (! (data[h] <= pivot)) h--; +- if (l < h) ++ // -- determine median-of-three pivot ++ TYPE tmp = data[lo]; ++ TYPE pivot = data[(lo+hi)/2]; ++ if (pivot <= tmp) ++ { tmp = pivot; pivot=data[lo]; } ++ if (data[hi] <= tmp) ++ { pivot = tmp; } ++ else if (data[hi] <= pivot) ++ { pivot = data[hi]; } ++ // -- partition set ++ int h = hi; ++ int l = lo; ++ while (l < h) + { +- tmp = data[l]; +- data[l] = data[h]; +- data[h] = tmp; +- l = l+1; +- h = h-1; ++ while (! (pivot <= data[l])) l++; ++ while (! 
(data[h] <= pivot)) h--; ++ if (l < h) ++ { ++ tmp = data[l]; ++ data[l] = data[h]; ++ data[h] = tmp; ++ l = l+1; ++ h = h-1; ++ } ++ } ++ // -- recurse, small partition first ++ // tail-recursion elimination ++ if (h - lo <= hi - l) { ++ sort(lo,h); ++ lo = l; // sort(l,hi) ++ } else { ++ sort(l,hi); ++ hi = h; // sort(lo,h) + } + } +- // -- recursively restart +- sort(lo, h); +- sort(l, hi); + } + + template inline TYPE& +-- +2.22.1 + diff --git a/user/djvulibre/CVE-2019-15145.patch b/user/djvulibre/CVE-2019-15145.patch new file mode 100644 index 000000000..2a545cee2 --- /dev/null +++ b/user/djvulibre/CVE-2019-15145.patch @@ -0,0 +1,34 @@ +From 9658b01431cd7ff6344d7787f855179e73fe81a7 Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Mon, 8 Apr 2019 22:55:38 -0400 +Subject: [PATCH] fix bug #298 + +--- + libdjvu/GBitmap.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h +index e8e0c9b..ca89a19 100644 +--- a/libdjvu/GBitmap.h ++++ b/libdjvu/GBitmap.h +@@ -566,7 +566,7 @@ GBitmap::operator[](int row) + { + if (!bytes) + uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); +@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const + { + if (!bytes) + ((GBitmap*)this)->uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); +-- +2.22.1 + -- cgit v1.2.3-60-g2f50
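Review bot: With `|| !bytes` added in CVE-2019-15145.patch, a bitmap whose data is still missing after uncompress() now takes the out-of-range branch, but the only size check in that branch, `if (zerosize < bytes_per_row + border)`, sits inside `#ifndef NDEBUG`. In a build with NDEBUG defined nothing visible verifies that the fallback row is long enough, and this branch is presumably now reachable from a malformed file. Consider moving that check out of the debug-only block, or record in the APKBUILD whether the package is built with NDEBUG. Both operator[] bodies continue past the hunks, so what the branch returns is inferred.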