From c1f0e5323ce8e2c68c22e2370311d6043861c4af Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 11 Sep 2019 23:40:37 -0500 Subject: system/libgcrypt: [CVE] bump to 1.8.5 (#119) --- system/libgcrypt/APKBUILD | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'system') diff --git a/system/libgcrypt/APKBUILD b/system/libgcrypt/APKBUILD index 13797a615..37fda1300 100644 --- a/system/libgcrypt/APKBUILD +++ b/system/libgcrypt/APKBUILD @@ -1,20 +1,21 @@ # Maintainer: A. Wilcox pkgname=libgcrypt -pkgver=1.8.4 +pkgver=1.8.5 pkgrel=0 pkgdesc="GnuPG cryptography library" url="https://www.gnupg.org" arch="all" license="LGPL-2.1+" depends="" -depends_dev="libgpg-error-dev" -makedepends="$depends_dev texinfo" +makedepends="libgpg-error-dev texinfo" subpackages="$pkgname-dev $pkgname-doc" source="https://www.gnupg.org/ftp/gcrypt/$pkgname/$pkgname-$pkgver.tar.bz2" -build() { - cd "$builddir" +# secfixes: +# 1.8.5-r0: +# - CVE-2019-13627 +build() { local _arch_configure= case "$CARCH" in arm*) @@ -40,14 +41,12 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make -j1 DESTDIR="$pkgdir" install rm -f ${pkgdir}/usr/share/info/dir } -sha512sums="b831fc337eb14806897e224b0d1e78d1f8e9db91dffa818a015a4aa104144e2d971e5a855904907ee2bb9990a9d526de32d6787e1cae98e28a65c3258b2b1ea1 libgcrypt-1.8.4.tar.bz2" +sha512sums="b55e16e838d1b1208e7673366971ae7c0f9c1c79e042f41c03d14ed74c5e387fa69ea81d5414ffda3d2b4f82ea5467fe13b00115727e257db22808cf351bde89 libgcrypt-1.8.5.tar.bz2" -- cgit v1.2.3-70-g09d2 From f446d9b9ff1db370d47e068d2a074f2b0830f02d Mon Sep 17 00:00:00 2001 
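Review bot: Removing `depends_dev="libgpg-error-dev"` in the first libgcrypt hunk changes the metadata of `libgcrypt-dev`, which is unrelated to the version bump and is not mentioned in the commit subject. libgcrypt's public header includes `gpg-error.h`, so anything building against `libgcrypt-dev` needs `libgpg-error-dev` installed. Unless that dependency is derived automatically (not visible here), keep `depends_dev="libgpg-error-dev"` and leave `makedepends="$depends_dev texinfo"` as it was.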
From: Max Rees Date: Thu, 12 Sep 2019 02:15:41 -0500 Subject: system/curl: [CVE] bump to 7.66.0, fix network access violation --- system/curl/APKBUILD | 11 ++++++-- ...do-bounds-check-using-a-double-comparison.patch | 32 ---------------------- 2 files changed, 8 insertions(+), 35 deletions(-) delete mode 100644 system/curl/curl-do-bounds-check-using-a-double-comparison.patch (limited to 'system') diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD index aa6e4c9e7..2cba28dfc 100644 --- a/system/curl/APKBUILD +++ b/system/curl/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Ɓukasz Jendrysik # Maintainer: pkgname=curl -pkgver=7.65.3 +pkgver=7.66.0 pkgrel=0 pkgdesc="An URL retrival utility and library" url="https://curl.haxx.se" @@ -17,6 +17,9 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz" subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl" # secfixes: +# 7.66.0-r0: +# - CVE-2019-5481 +# - CVE-2019-5482 # 7.65.1-r0: # - CVE-2019-5435 # - CVE-2019-5436 @@ -91,7 +94,9 @@ build() { } check() { - make check + # -p: print log contents on test failure + # !1592: requires DNS access + make check TFLAGS='-p !1592' } package() { @@ -104,4 +109,4 @@ libcurl() { mv "$pkgdir"/usr/lib "$subpkgdir"/usr } -sha512sums="fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b curl-7.65.3.tar.xz" +sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz" diff --git a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch b/system/curl/curl-do-bounds-check-using-a-double-comparison.patch deleted file mode 100644 index 34e2b6c71..000000000 --- a/system/curl/curl-do-bounds-check-using-a-double-comparison.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001 -From: Adam Sampson -Date: Wed, 9 Aug 2017 14:11:17 +0100 -Subject: [PATCH] curl: do bounds check using a double comparison - -The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't -complete: if the parsed number in num is larger than will fit in a long, -the conversion is undefined behaviour (causing test1427 to fail for me -on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting -rid of the cast means the comparison will be done using doubles. - -It might make more sense for the max argument to also be a double... - -Fixes #1750 -Closes #1749 ---- - src/tool_paramhlp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c -index b9dedc989e..85c5e79a7e 100644 ---- a/src/tool_paramhlp.c -+++ b/src/tool_paramhlp.c -@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max) - num = strtod(str, &endptr); - if(errno == ERANGE) - return PARAM_NUMBER_TOO_LARGE; -- if((long)num > max) { -+ if(num > max) { - /* too large */ - return PARAM_NUMBER_TOO_LARGE; - } -- cgit v1.2.3-70-g09d2 From bea0b80c420c12806a707363e61fd65e2889cb12 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Thu, 12 Sep 2019 05:11:43 -0500 Subject: system/curl: enable libssh2 support --- system/curl/APKBUILD | 1 + 1 file changed, 1 insertion(+) (limited to 'system') diff --git a/system/curl/APKBUILD b/system/curl/APKBUILD index 2cba28dfc..5e767bcc8 100644 --- a/system/curl/APKBUILD +++ b/system/curl/APKBUILD @@ -86,6 +86,7 @@ build() { --prefix=/usr \ --enable-ipv6 \ --enable-unix-sockets \ + --with-libssh2 \ --without-libidn \ --without-libidn2 \ --disable-ldap \ -- cgit v1.2.3-70-g09d2 From e0810a8bc36196b7141f4802b43f621e0358577d Mon Sep 17 00:00:00 2001 
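Review bot: `--with-libssh2` is added to the configure call, but the diffstat for this commit is a single insertion, so neither `makedepends` nor `pkgrel` changes with it. If the libssh2 development package is not already listed in `makedepends` (not visible in this hunk), the result depends on whatever happens to be installed in the build root. With `pkgrel=0` left over from the 7.66.0 bump, a 7.66.0-r0 that was already built would not be superseded by the SSH-enabled build. Enabling libssh2 also makes `scp://` and `sftp://` reachable through libcurl, so consumers that pass untrusted URLs gain two more protocols unless they restrict them, for example with `CURLOPT_PROTOCOLS`. build() starts before and continues past the hunk.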
From: Max Rees Date: Fri, 13 Sep 2019 14:23:48 -0500 Subject: system/expat: [CVE] patch CVE-2019-15903 (#192) --- system/expat/APKBUILD | 10 ++- system/expat/CVE-2019-15903.patch | 181 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 188 insertions(+), 3 deletions(-) create mode 100644 system/expat/CVE-2019-15903.patch (limited to 'system') diff --git a/system/expat/APKBUILD b/system/expat/APKBUILD index 088d9d9b1..4a6f547e3 100644 --- a/system/expat/APKBUILD +++ b/system/expat/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox pkgname=expat pkgver=2.2.7 -pkgrel=0 +pkgrel=1 pkgdesc="An XML Parser library written in C" url="https://libexpat.github.io/" arch="all" @@ -10,13 +10,16 @@ depends="" checkdepends="bash" makedepends="" subpackages="$pkgname-dev $pkgname-doc" -source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2" +source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2 + CVE-2019-15903.patch" # secfixes: # 2.2.1-r0: # - CVE-2016-9063 # 2.2.0-r1: # - CVE-2017-9233 +# 2.2.7-r1: +# - CVE-2019-15903 build() { ./configure \ @@ -35,4 +38,5 @@ package() { make DESTDIR="$pkgdir/" install } -sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2" +sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2 +02d1719307dffdab98e90f242a77aa61cab79ae63ea28d6fa1219b4191d7247e5c319d3adf9781c9086e392c05fd6b6558051b0792ade5cb6c64e7583c67a70d CVE-2019-15903.patch" diff --git a/system/expat/CVE-2019-15903.patch b/system/expat/CVE-2019-15903.patch new file mode 100644 index 000000000..c81e72bbb --- /dev/null +++ b/system/expat/CVE-2019-15903.patch 
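Review bot: The new `# 2.2.7-r1:` entry in the `secfixes` block is appended after `2.2.0-r1`, while the two existing entries run newest-first (`2.2.1-r0`, then `2.2.0-r1`). Placing `# 2.2.7-r1:` and `# - CVE-2019-15903` directly under `# secfixes:` would keep the list in one order and put the latest fix where a reader looks first.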
@@ -0,0 +1,181 @@ +Grabbed from Debian since upstream patch does not apply to 2.2.7. + +https://sources.debian.org/patches/expat/2.2.7-2/CVE-2019-15903_Deny_internal_entities_closing_the_doctype.patch/ +https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43 + +From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 28 Aug 2019 00:24:59 +0200 +Subject: [PATCH 1/3] xmlparse.c: Deny internal entities closing the doctype + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 0553e3df..c29a6449 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -405,7 +405,7 @@ initializeEncoding(XML_Parser parser); + static enum XML_Error + doProlog(XML_Parser parser, const ENCODING *enc, const char *s, + const char *end, int tok, const char *next, const char **nextPtr, +- XML_Bool haveMore); ++ XML_Bool haveMore, XML_Bool allowClosingDoctype); + static enum XML_Error + processInternalEntity(XML_Parser parser, ENTITY *entity, + XML_Bool betweenDecl); +@@ -4232,7 +4232,7 @@ externalParEntProcessor(XML_Parser parse + + parser->m_processor = prologProcessor; + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error PTRCALL +@@ -4282,7 +4282,7 @@ prologProcessor(XML_Parser parser, + const char *next = s; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, +- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + + static enum XML_Error +@@ -4293,7 +4293,8 @@ doProlog(XML_Parser parser, + int tok, + const char *next, + const char **nextPtr, +- XML_Bool haveMore) ++ XML_Bool haveMore, ++ XML_Bool allowClosingDoctype) + { + #ifdef XML_DTD + static const XML_Char externalSubsetName[] = { 
ASCII_HASH , '\0' }; +@@ -4472,6 +4473,11 @@ doProlog(XML_Parser parser, + } + break; + case XML_ROLE_DOCTYPE_CLOSE: ++ if (allowClosingDoctype != XML_TRUE) { ++ /* Must not close doctype from within expanded parameter entities */ ++ return XML_ERROR_INVALID_TOKEN; ++ } ++ + if (parser->m_doctypeName) { + parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, + parser->m_doctypeSysid, parser->m_doctypePubid, 0); +@@ -5409,7 +5415,7 @@ processInternalEntity(XML_Parser parser, + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_FALSE); + } + else + #endif /* XML_DTD */ +@@ -5456,7 +5462,7 @@ internalEntityProcessor(XML_Parser parse + if (entity->is_param) { + int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, +- next, &next, XML_FALSE); ++ next, &next, XML_FALSE, XML_TRUE); + } + else + #endif /* XML_DTD */ +@@ -5483,7 +5489,7 @@ internalEntityProcessor(XML_Parser parse + parser->m_processor = prologProcessor; + tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)!parser->m_parsingStatus.finalBuffer); ++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); + } + else + #endif /* XML_DTD */ + +From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 28 Aug 2019 15:14:19 +0200 +Subject: [PATCH 3/3] tests: Cover denying internal entities closing the + doctype + +diff --git a/tests/runtests.c b/tests/runtests.c +index b0d1b0af..e102a55e 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -8151,6 +8151,68 @@ START_TEST(test_misc_utf16le) + } + END_TEST + ++#ifdef XML_DTD 
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { ++ const char *const inputOne = "'>\n" ++ "\n" ++ "%e;"; ++ const char *const inputTwo = "'>\n" ++ "\n" ++ "%e2;"; ++ const char *const inputThree = "\n" ++ "\n" ++ "%e;"; ++ const char *const inputIssue317 = "\n" ++ "Hell'>\n" ++ "%foo;\n" ++ "]>\n" ++ "Hello, world"; ++ ++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; ++ size_t inputIndex = 0; ++ ++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { ++ XML_Parser parser; ++ enum XML_Status parseResult; ++ int setParamEntityResult; ++ XML_Size lineNumber; ++ XML_Size columnNumber; ++ const char *const input = inputs[inputIndex]; ++ ++ parser = XML_ParserCreate(NULL); ++ setParamEntityResult ++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (setParamEntityResult != 1) ++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); ++ ++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); ++ if (parseResult != XML_STATUS_ERROR) { ++ parseResult = XML_Parse(parser, "", 0, 1); ++ if (parseResult != XML_STATUS_ERROR) { ++ fail("Parsing was expected to fail but succeeded."); ++ } ++ } ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) ++ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); ++ ++ lineNumber = XML_GetCurrentLineNumber(parser); ++ if (lineNumber != 4) ++ fail("XML_GetCurrentLineNumber does not work as expected."); ++ ++ columnNumber = XML_GetCurrentColumnNumber(parser); ++ if (columnNumber != 0) ++ fail("XML_GetCurrentColumnNumber does not work as expected."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++#endif + + static void + alloc_setup(void) +@@ -12251,6 +12313,10 @@ make_suite(void) + tcase_add_test(tc_misc, test_misc_features); + tcase_add_test(tc_misc, test_misc_attribute_leak); + tcase_add_test(tc_misc, test_misc_utf16le); ++#ifdef XML_DTD ++ tcase_add_test(tc_misc, ++ 
test_misc_deny_internal_entity_closing_doctype_issue_317); ++#endif + + suite_add_tcase(s, tc_alloc); + tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown); -- cgit v1.2.3-70-g09d2 From 99cd353f10d8e0b327f269103c7dfca3fbad5885 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Fri, 13 Sep 2019 16:33:48 -0500 Subject: system/openssl: [CVE] bump to 1.0.2t (#198) --- system/openssl/APKBUILD | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'system') diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD index 984cb486a..513b87d0d 100644 --- a/system/openssl/APKBUILD +++ b/system/openssl/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: A. Wilcox pkgname=openssl -pkgver=1.0.2s +pkgver=1.0.2t pkgrel=0 pkgdesc="Toolkit for SSL v2/v3 and TLS v1" url="https://www.openssl.org/" @@ -66,12 +66,12 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz # - CVE-2018-0734 # - CVE-2018-5407 # - CVE-2019-1559 - -builddir="$srcdir"/$pkgname-$pkgver +# 1.0.2t-r0: +# - CVE-2019-1547 +# - CVE-2019-1563 build() { local _target _optflags - cd "$builddir" # openssl will prepend crosscompile always core CC et al CC=${CC#${CROSS_COMPILE}} @@ -107,12 +107,10 @@ build() { } check() { - cd "$builddir" make -j1 test } package() { - cd "$builddir" make INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install # remove the script c_rehash rm "$pkgdir"/usr/bin/c_rehash 
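Review bot: The vendored series in CVE-2019-15903.patch is labelled `[PATCH 1/3]` and `[PATCH 3/3]`, and nothing in its header says what 2/3 contained or why it was left out. A line such as `Patch 2/3 omitted: <reason>` next to the Debian and upstream URLs would let the next maintainer confirm the fix is complete. Separately, `processInternalEntity` passes `XML_FALSE` for `allowClosingDoctype`, while the `entity->is_param` branch of `internalEntityProcessor` passes `XML_TRUE`. That is how the referenced upstream commit reads as vendored here, but the patch carries no comment on why the resumed-entity path may close the doctype, so check it against upstream when rebasing rather than treating it as settled. The functions touched all start and end outside the inner hunks.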
@@ -144,7 +142,7 @@ dev() { default_dev } -sha512sums="9f745452c4f777df694158e95003cde78a2cf8199bc481a563ec36644664c3c1415a774779b9791dd18f2aeb57fa1721cb52b3db12d025955e970071d5b66d2a openssl-1.0.2s.tar.gz +sha512sums="0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71 openssl-1.0.2t.tar.gz 58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch 5d4191482f8bbf62c75fe6bc2d9587388022c3310703c2a913788a983b1d1406e706cf3916a5792604f0b0f220a87432d3b82b442cea9915f2abb6fdd8478fcb 0005-fix-parallel-build.patch -- cgit v1.2.3-70-g09d2