From 85fd60643dcfdcc871af86aaeac45d158466af26 Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Mon, 23 Mar 2020 22:14:43 -0500
Subject: system/ruby: patch CVE-2020-8130
---
 system/ruby/APKBUILD | 8 ++++++--
 system/ruby/CVE-2020-8130.patch | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 system/ruby/CVE-2020-8130.patch
(limited to 'system')
diff --git a/system/ruby/APKBUILD b/system/ruby/APKBUILD
index 537c1010a..0cb185852 100644
--- a/system/ruby/APKBUILD
+++ b/system/ruby/APKBUILD
@@ -38,11 +38,13 @@
 # - CVE-2019-16201
 # - CVE-2019-16254
 # - CVE-2019-16255
+# 2.5.7-r1:
+# - CVE-2020-8130
 #
 pkgname=ruby
 pkgver=2.5.7
 _abiver="${pkgver%.*}.0"
-pkgrel=0
+pkgrel=1
 pkgdesc="An object-oriented language for quick and easy programming"
 url="https://www.ruby-lang.org/"
 arch="all"
@@ -76,6 +78,7 @@ source="https://cache.ruby-lang.org/pub/ruby/${pkgver%.*}/$pkgname-$pkgver.tar.x
 test_insns-lower-recursion-depth.patch
 fix-get_main_stack.patch
 libedit-compat.patch
+ CVE-2020-8130.patch
 "
 
 replaces="ruby-etc ruby-gems"
@@ -318,4 +321,5 @@ sha512sums="63b7c75fab44cd1bd22f22ddec00c740cf379ac7240da0dfafcec54347766695faef
 20e7e5ee9936a93872fe1ad836dd1fde001fe4a0e7ed54c26727ad83da3ceb0e6247681d9dd4f98a69e1b0250703ed8fc682d44075780d5f47faa1d5f58d2bdb rubygems-avoid-platform-specific-gems.patch
 814fe6359505b70d8ff680adf22f20a74b4dbd3fecc9a63a6c2456ee9824257815929917b6df5394ed069a6869511b8c6dce5b95b4acbbb7867c1f3a975a0150 test_insns-lower-recursion-depth.patch
 e99b36940fa8fdd445d82738c70b8fc042cab042a4662cab156578aad2dac9673a96da22b6676aa36beac08070e92a7798c60d6f36eeb169216c4c51864ce2fe fix-get_main_stack.patch
-6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch"
+6b88fccce164db1d8beb16adeffdd7effd077e9842b7f61deddebeb39afcf9b839192b68a43ce66a1ff0c9aeaacc4f13a0ee56184c22e822cd8b10a07a1c87b2 libedit-compat.patch
+50b3a2aca1c0d7a7b557e030fbf57049512730cd6516cb6b26624855c25a20e84eef7f84ec9eafb94200de067ec67790e5fe0902e69681ac4de9195240b318dc CVE-2020-8130.patch"
diff --git a/system/ruby/CVE-2020-8130.patch b/system/ruby/CVE-2020-8130.patch
new file mode 100644
index 000000000..3cb6e4adf
--- /dev/null
+++ b/system/ruby/CVE-2020-8130.patch
@@ -0,0 +1,18 @@
+Note: adjusted paths since it's being vendored inside ruby.
+
+From 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Mon, 22 Jul 2019 10:23:43 +0900
+Subject: [PATCH] Use File.open explicitly.
+
+--- ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
++++ ruby-2.5.7/gems/rake-12.3.0/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@ def egrep(pattern, *options)
+ matched = 0
+ each do |fn|
+ begin
+- open(fn, "r", *options) do |inf|
++ File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+ count += 1
-- cgit v1.2.3-70-g09d2
From 6c3b706e304a6ff23339e3595717d95863474e34 Mon Sep 17 00:00:00 2001
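Review bot: The header note on the vendored patch (the `+Note:` line) only says that paths were adjusted; it should also record why this one-token change is the CVE fix, because `open(fn, ...)` on the removed line is `Kernel#open`, which by its documented behaviour runs a filename beginning with `|` as a shell command, so a crafted filename swept up by the file list could execute commands as rake's user, whereas `File.open` on the added line only opens files. I would extend it to `Note: adjusted paths since it's being vendored inside ruby. Upstream rake fix for CVE-2020-8130: Kernel#open executes "|cmd" filenames, File.open does not.` The hunk targets `gems/rake-12.3.0/lib/rake/file_list.rb`; if the bundled rake in the 2.5.7 tarball is shipped as a .gem archive and only unpacked during the build, confirm it is unpacked before `default_prepare` applies this patch, otherwise there is nothing for the hunk to apply to (prepare() is not in view).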
From: Max Rees
Date: Tue, 24 Mar 2020 01:34:41 -0500
Subject: system/gettext-tiny: fix msgfmt exit status when misused
---
 system/gettext-tiny/APKBUILD | 6 ++++--
 system/gettext-tiny/msgfmt-exit.patch | 36 +++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 system/gettext-tiny/msgfmt-exit.patch
(limited to 'system')
diff --git a/system/gettext-tiny/APKBUILD b/system/gettext-tiny/APKBUILD
index ce62d5c99..a1d199ecd 100644
--- a/system/gettext-tiny/APKBUILD
+++ b/system/gettext-tiny/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox
 pkgname=gettext-tiny
 pkgver=0.3.1_git20191130
-pkgrel=2
+pkgrel=3
 pkgdesc="An internationalisation and localisation system"
 url="https://github.com/sabotage-linux/gettext-tiny"
 arch="all"
@@ -16,6 +16,7 @@ source="https://distfiles.adelielinux.org/source/$pkgname-$pkgver.tar.xz
 line-length.patch
 respect-cflags.patch
 stop-doing-macro-crap.patch
+ msgfmt-exit.patch
 "
 
 build() {
@@ -30,4 +31,5 @@ sha512sums="a318135626a0403a30a81fa475f7e1878b8af5a87053b0e00876c73b591508f3cf1e
 8efbf9c11429ab26f3c15e00c34258200598833b8f846a23e4c8d95023c2184d9dcf9cbb48d58eec1604442691af76e6f8e904ad7348016c393257aa30eae7cd keyword.patch
 0a26a8481bffe2ce8c73f7f500963aea9db8379fb87849142d8efabf1656604b22f6ad345483256f14c388466f2f44e5924b9f65d88f26867a753a96d1529270 line-length.patch
 b4e7db4e415f6bc31f2214f2044506ad18ea0bd3cae4200d93bbd34aa493c7478a7f953d0a7e08f29f0fd5a5d7b7cbfa2bcfd5692c37e423706a1c193239bf1d respect-cflags.patch
-cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526 stop-doing-macro-crap.patch"
+cd4cfc8cc6ea998f1e33ef666e3b9c3de3f3253994bccc942b177773c94f785e3892cb7d5f34bec1102dc7558236c07c5eac90e15d755e12ee06836336373526 stop-doing-macro-crap.patch
+0037a1347f9ac2aa6f68160441b83c35ce8128ca140be93f3c508e6cd02161e49edff82034877ed11c127886337455ff4ea941b6a14168c2ca69aa82a7cff8a5 msgfmt-exit.patch"
diff --git a/system/gettext-tiny/msgfmt-exit.patch b/system/gettext-tiny/msgfmt-exit.patch
new file mode 100644
index 000000000..f5ff3fbb8
--- /dev/null
+++ b/system/gettext-tiny/msgfmt-exit.patch
@@ -0,0 +1,36 @@
+From 0e62c2588742cfffd3dc81c09ecc8488c0ce25b9 Mon Sep 17 00:00:00 2001
+From: Max Rees
+Date: Sun, 22 Mar 2020 20:20:15 -0500
+Subject: [PATCH] msgfmt: exit(1) if incorrectly used
+
+This prevents builds from continuing seemingly fine when they are
+actually not using this version of msgfmt correctly.
+---
+ src/msgfmt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/msgfmt.c b/src/msgfmt.c
+index aa16c5e..3de9a56 100644
+--- a/src/msgfmt.c
++++ b/src/msgfmt.c
+@@ -278,7 +278,7 @@ void set_file(int out, char* fn, FILE** dest) {
+ int main(int argc, char**argv) {
+ if (argc == 1) {
+ syntax();
+- return 0;
++ return 1;
+ }
+
+ int arg = 1;
+@@ -376,7 +376,7 @@ int main(int argc, char**argv) {
+ streq(A+1, "D")
+ ) {
+ syntax();
+- return 0;
++ return 1;
+ } else if (streq(A+1, "l")) {
+ arg++;
+ locale = A;
+-- 
+2.25.1
+
-- cgit v1.2.3-70-g09d2
From 5c377a414af8ade03074a03857cf64a7482300a8 Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Tue, 24 Mar 2020 01:36:35 -0500
Subject: system/bubblewrap: bump to 0.4.0
---
 system/bubblewrap/APKBUILD | 33 +++++++++++++++++----------------
 system/bubblewrap/musl-fixes.patch | 17 -----------------
 2 files changed, 17 insertions(+), 33 deletions(-)
 delete mode 100644 system/bubblewrap/musl-fixes.patch
(limited to 'system')
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index c4ae4fa31..d51d14ae7 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Timo Teräs
 # Maintainer: Max Rees
 pkgname=bubblewrap
-pkgver=0.3.3
+pkgver=0.4.0
 pkgrel=0
 pkgdesc="Unprivileged sandboxing tool"
 url="https://github.com/projectatomic/bubblewrap"
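Review bot: The two new `return 1;` lines make "no arguments" and "unknown switch" fail the build, but the `-l` branch visible right below the second hunk (`arg++;` then `locale = A;`) is the same class of misuse and still silently succeeds: if `A` expands to `argv[arg]` (its definition is outside the hunk), a trailing `-l` with no value reads `argv[argc]`, which is NULL, so that branch should become `if (++arg >= argc) { syntax(); return 1; }` before `locale = A;` — confirm against the macro. As a style point, `return EXIT_FAILURE;` from `<stdlib.h>` states the intent more clearly than a bare `1`, and whatever `syntax()` prints should go to stderr now that this is an error path rather than help output (syntax() is not in view). `main` starts inside the first hunk and continues past the end of the patch.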
@@ -9,21 +9,21 @@ arch="all" options="!check suid" # requires suid to already be set in order to check license="LGPL-2.0+" makedepends="autoconf automake libcap-dev docbook-xsl" -checkdepends="sudo" +checkdepends="python3 sudo" subpackages="$pkgname-nosuid $pkgname-doc $pkgname-bash-completion:bashcomp:noarch" -source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz +source="bubblewrap-$pkgver.tar.gz::https://github.com/containers/bubblewrap/archive/v$pkgver.tar.gz realpath-workaround.patch - musl-fixes.patch - tests.patch" + tests.patch + " # secfixes: # 0.3.3-r0: -# - CVE-2019-12439 +# - CVE-2019-12439 prepare() { - srcdir= NOCONFIGURE=1 ./autogen.sh default_prepare + NOCONFIGURE=1 ./autogen.sh } build() {
@@ -39,14 +39,16 @@ build() {
 }
 
 check() {
- # Uses sudo to chown root and setuid $builddir/test-bwrap
+ # 1. chown root and chmod u+s $builddir/test-bwrap
+ # 2. Run abuild check (suid test)
+ # 3. Unset permissions on test-bwrap
+ # 4. Run abuild check again (nosuid test)
 #
- # As of 0.3.3-r0, all tests pass on ppc64 except those relating
- # to bind mounts over symlinks. Those tests fail because musl's
- # realpath depends on the availability of /proc, which is not
- # available in the middle of the setup procedure since pivot_root
- # has been performed at least once. They have been patched to be
- # skipped.
+ # As of 0.4.0, all tests pass except those relating to bind mounts
+ # over symlinks. Those tests fail because musl's realpath depends on
+ # the availability of /proc, which is not available in the middle of
+ # the setup procedure since pivot_root has been performed at least
+ # once. They have been patched to be skipped.
 make check
 }
 
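Review bot: The rewritten `prepare()` drops the `srcdir=` override that used to precede `./autogen.sh` without saying why it is no longer needed; the old recipe cleared it presumably because abuild exports `srcdir` and an autotools `autogen.sh` that does `test -n "$srcdir" || srcdir=...` would then look for configure.ac in the wrong tree, so either 0.4.0's autogen.sh ignores `$srcdir` — in which case add `# 0.4.0's autogen.sh no longer reads $srcdir, so the srcdir= workaround is gone` — or the override should stay. Separately, the new check() comment states that the bind-mount-over-symlink tests are patched out; for a sandboxing tool those are precisely the mount-setup cases where a bug becomes an escape, so the comment should name the patch that skips them (`tests.patch`, presumably) and say they must be run by hand in an environment with /proc available, since `options="!check"` means abuild never executes any of this. prepare() and check() are fully inside the hunk; build() starts outside it.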
@@ -72,7 +74,6 @@ bashcomp() {
 mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
 }
 
-sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae bubblewrap-0.3.3.tar.gz
+sha512sums="1957126e13900bbb1c9c885802f513006313836826938555899a8ad0e6c3ba47478eae0cc90f4aceff228663379b45203dce4fa57d6bfc489984670571232b97 bubblewrap-0.4.0.tar.gz
 400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch
 d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch"
diff --git a/system/bubblewrap/musl-fixes.patch b/system/bubblewrap/musl-fixes.patch
deleted file mode 100644
index ecf626331..000000000
--- a/system/bubblewrap/musl-fixes.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/config.h.in
-+++ b/config.h.in
-@@ -102,3 +102,14 @@
- 
- /* Define to 1 if you need to in order for `stat' and other things to work. */
- #undef _POSIX_SOURCE
-+
-+/* taken from glibc unistd.h and fixes musl */
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+ (__extension__ \
-+ ({ long int __result; \
-+ do __result = (long int) (expression); \
-+ while (__result == -1L && errno == EINTR); \
-+ __result; }))
-+#endif
-+
-- cgit v1.2.3-70-g09d2