From b0a8dcde2dc3e27d03c82b4a5eaae8040064d95d Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 16 Oct 2019 15:44:47 -0500 Subject: user/bind: [CVE] bump to 9.14.7 --- user/bind/APKBUILD | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'user') diff --git a/user/bind/APKBUILD b/user/bind/APKBUILD index 3f142bcfc..4945c0222 100644 --- a/user/bind/APKBUILD +++ b/user/bind/APKBUILD @@ -4,7 +4,7 @@ # Contributor: Natanael Copa # Maintainer: Dan Theisen pkgname=bind -pkgver=9.14.6 +pkgver=9.14.7 _p=${pkgver#*_p} _ver=${pkgver%_p*} _major=${pkgver%%.*} @@ -40,6 +40,9 @@ source="https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz builddir="$srcdir/$pkgname-$_ver" # secfixes: +# 9.14.7-r0: +# - CVE-2019-6475 +# - CVE-2019-6476 # 9.14.3: # - CVE-2018-5744 # - CVE-2018-5745 @@ -147,7 +150,7 @@ tools() { done } -sha512sums="129cb6c8e18fabf9f9fda91afa06fccf65e7009b2e8f9f7c1960f0039d35c22614986fbea36ca0b7bbc74995e380df083a641cf51601a0cf0c87e7dbb77a0366 bind-9.14.6.tar.gz +sha512sums="e1837ebfbbc60487f5f0e67fb9e935588fd6e5ffe55cdc9dc77e3ce63cd6fc4f076f4eb282cc4f51701ddda3e51e8f15255db5a3841f9fe92a4fb4207d806740 bind-9.14.7.tar.gz 7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch 196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015 named.initd 127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd -- cgit v1.2.3-70-g09d2 From df9cac7a84d0c945f54c5b537adcc490a8291b75 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 16 Oct 2019 15:52:28 -0500 Subject: user/aspell: [CVE] bump to 0.60.8 --- user/aspell/APKBUILD | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'user') diff --git a/user/aspell/APKBUILD b/user/aspell/APKBUILD index bce270974..16a53c7e7 100644 --- a/user/aspell/APKBUILD +++ b/user/aspell/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Valery Kartel # Maintainer: pkgname=aspell -pkgver=0.60.7 +pkgver=0.60.8 pkgrel=0 pkgdesc="Libre spell checker software" url="http://aspell.net/" @@ -14,6 +14,10 @@ subpackages="$pkgname-compat::noarch $pkgname-dev $pkgname-doc $pkgname-lang" source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz" +# secfixes: +# 0.60.8-r0: +# - CVE-2019-17544 + build() { LIBS="-ltinfo" ./configure \ --build=$CBUILD \ @@ -42,4 +46,4 @@ compat() { mv spell ispell "$subpkgdir"/usr/bin/ } -sha512sums="6f5fcd1c29164ee18f205594b66f382b51d19b17686293a931ca92c1442d3f7228627ca7d604d860551d0d367ac34dfb2ae34170a844f51e84e390fb1edc4535 aspell-0.60.7.tar.gz" +sha512sums="8ef4952c553b6234dfe777240d2d97beb13ef9201e18d56bee3b5068d13525db3625b7130d9f5122f7c529da0ccb0c70eb852a81472a7d15fb7c4ee5ba21cd29 aspell-0.60.8.tar.gz" -- cgit v1.2.3-70-g09d2 From 2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 16 Oct 2019 16:21:21 -0500 Subject: user/kauth: patch CVE-2019-7443 (#213) --- user/kauth/APKBUILD | 15 ++++++---- user/kauth/CVE-2019-7443.patch | 68 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+), 6 deletions(-) create mode 100644 user/kauth/CVE-2019-7443.patch (limited to 'user') diff --git a/user/kauth/APKBUILD b/user/kauth/APKBUILD index 543f87712..351d00f50 100644 --- a/user/kauth/APKBUILD +++ b/user/kauth/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=kauth pkgver=5.54.0 -pkgrel=0 +pkgrel=1 pkgdesc="Framework for allowing software to gain temporary privileges" url="https://www.kde.org/" arch="all" @@ -11,10 +11,14 @@ depends="" depends_dev="polkit-qt-1-dev qt5-qtbase-dev kcoreaddons-dev" makedepends="$depends_dev cmake extra-cmake-modules qt5-qttools-dev doxygen" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" -source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz" +source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz + CVE-2019-7443.patch" + +# secfixes: +# 5.54.0-r1: +# - CVE-2019-7443 build() { - cd "$builddir" if [ "$CBUILD" != "$CHOST" ]; then CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux" fi @@ -31,13 +35,12 @@ build() { } check() { - cd "$builddir" CTEST_OUTPUT_ON_FAILURE=TRUE ctest -E KAuthHelperTest } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } -sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2 kauth-5.54.0.tar.xz" +sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2 kauth-5.54.0.tar.xz +9cb0e37eedb5cee82c5e6d1b316f92f014c8850c9274a8d0c728f306ceabc35cbbec81b0057ebaf904bd48f3e07d6f83d91b0ef12602a0c1ba66b39a04bb45e4 CVE-2019-7443.patch" diff --git a/user/kauth/CVE-2019-7443.patch b/user/kauth/CVE-2019-7443.patch new file mode 100644 index 000000000..5b11cd8f5 --- /dev/null +++ b/user/kauth/CVE-2019-7443.patch @@ -0,0 +1,68 @@ +From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Sat, 2 Feb 2019 14:35:25 +0100 +Subject: Remove support for passing gui QVariants to KAuth helpers + +Supporting gui variants is very dangerous since they can end up triggering +image loading plugins which are one of the biggest vectors for crashes, which +for very smart people mean possible code execution, which is very dangerous +in code that is executed as root. + +We've checked all the KAuth helpers inside KDE git and none seems to be using +gui variants, so we're not actually limiting anything that people wanted to do. + +Reviewed by security@kde.org and Aleix Pol + +Issue reported by Fabian Vogt +--- + src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++ + src/kauthaction.h | 2 ++ + 2 files changed, 11 insertions(+) + +diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp +index 10c14c6..8f0d336 100644 +--- a/src/backends/dbus/DBusHelperProxy.cpp ++++ b/src/backends/dbus/DBusHelperProxy.cpp +@@ -31,6 +31,8 @@ + #include "kf5authadaptor.h" + #include "kauthdebug.h" + ++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper; ++ + namespace KAuth + { + +@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra + return ActionReply::HelperBusyReply().serialized(); + } + ++ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous ++ // since they end up calling the image loaders and thus are a vector for crashing → executing code ++ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper; ++ qMetaTypeGuiHelper = nullptr; ++ + QVariantMap args; + QDataStream s(&arguments, QIODevice::ReadOnly); + s >> args; + ++ qMetaTypeGuiHelper = origMetaTypeGuiHelper; ++ + m_currentAction = action; + emit remoteSignal(ActionStarted, action, QByteArray()); + QEventLoop e; +diff --git a/src/kauthaction.h b/src/kauthaction.h +index c67a70a..01f3ba1 100644 +--- a/src/kauthaction.h ++++ b/src/kauthaction.h +@@ -298,6 +298,8 @@ public: + * This method sets the variant map that the application + * can use to pass arbitrary data to the helper when executing the action. + * ++ * Only non-gui variants are supported. ++ * + * @param arguments The new arguments map + */ + void setArguments(const QVariantMap &arguments); +-- +cgit v1.1 + -- cgit v1.2.3-70-g09d2 From 3bd6d256fad70f5c9089bcde94480eca572693d5 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 16 Oct 2019 16:52:54 -0500 Subject: user/exiv2: patch CVE-2019-17402 --- user/exiv2/APKBUILD | 16 +++++++-- user/exiv2/CVE-2019-17402.patch | 73 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+), 3 deletions(-) create mode 100644 user/exiv2/CVE-2019-17402.patch (limited to 'user') diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD index 791fcb610..82aa2a958 100644 --- a/user/exiv2/APKBUILD +++ b/user/exiv2/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox pkgname=exiv2 pkgver=0.27.2 -pkgrel=0 +pkgrel=1 pkgdesc="Exif, IPTC and XMP metadata library and tools" url="https://www.exiv2.org/" arch="all" @@ -11,7 +11,9 @@ depends_dev="expat-dev zlib-dev" makedepends="$depends_dev bash cmake" checkdepends="python3 libxml2 cmd:which" subpackages="$pkgname-dev $pkgname-doc" -source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz" +source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz + https://dev.sick.bike/dist/exiv2-0.27.2-POC-file_issue_1019 + CVE-2019-17402.patch" builddir="$srcdir/$pkgname-$pkgver-Source" # secfixes: @@ -82,10 +84,16 @@ builddir="$srcdir/$pkgname-$pkgver-Source" # - CVE-2019-13112 # - CVE-2019-13113 # - CVE-2019-13114 +# 0.27.2-r1: +# - CVE-2019-17402 prepare() { default_prepare mkdir build + + # Remove #1019 POC after >= 0.27.2 + mv "$srcdir/$pkgname-$pkgver-POC-file_issue_1019" \ + test/data/POC-file_issue_1019 } build() { @@ -106,4 +114,6 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz" +sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz +cfe0b534c29c37e7b6e5a00e8ec320cb57eb17187813fe30677a097e930655f1b097ce77806e0124affbdc423b48d9910560158eed9d2d03418a824244dafba9 exiv2-0.27.2-POC-file_issue_1019 +623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd CVE-2019-17402.patch" diff --git a/user/exiv2/CVE-2019-17402.patch b/user/exiv2/CVE-2019-17402.patch new file mode 100644 index 000000000..f54b511b0 --- /dev/null +++ b/user/exiv2/CVE-2019-17402.patch @@ -0,0 +1,73 @@ +From 683451567284005cd24e1ccb0a76ca401000968b Mon Sep 17 00:00:00 2001 +From: Jens Georg +Date: Sun, 6 Oct 2019 15:05:20 +0200 +Subject: [PATCH 1/2] crwimage: Check offset and size against total size + +Corrupted or specially crafted CRW images might exceed the overall +buffersize. + +Fixes #1019 +--- + src/crwimage_int.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp +index 2474baace..3315b86d7 100644 +--- a/src/crwimage_int.cpp ++++ b/src/crwimage_int.cpp +@@ -270,6 +270,9 @@ namespace Exiv2 { + #ifdef EXIV2_DEBUG_MESSAGES + std::cout << "Reading directory 0x" << std::hex << tag() << "\n"; + #endif ++ if (this->offset() + this->size() > size) ++ throw Error(kerOffsetOutOfRange); ++ + readDirectory(pData + offset(), this->size(), byteOrder); + #ifdef EXIV2_DEBUG_MESSAGES + std::cout << "<---- 0x" << std::hex << tag() << "\n"; + +From 73b874fb14d02578f876aa7dd404cf7c07b6dc4e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Mon, 7 Oct 2019 23:25:00 +0200 +Subject: [PATCH 2/2] [tests] Add regression test for #1019 + +--- + test/data/POC-file_issue_1019 | Bin 0 -> 10078 bytes + tests/bugfixes/github/test_issue_1019.py | 14 ++++++++++++++ + tests/suite.conf | 1 + + 3 files changed, 15 insertions(+) + create mode 100755 test/data/POC-file_issue_1019 + create mode 100644 tests/bugfixes/github/test_issue_1019.py + +diff --git a/tests/bugfixes/github/test_issue_1019.py b/tests/bugfixes/github/test_issue_1019.py +new file mode 100644 +index 000000000..c2682f901 +--- /dev/null ++++ b/tests/bugfixes/github/test_issue_1019.py +@@ -0,0 +1,14 @@ ++from system_tests import CaseMeta, path ++ ++ ++class OverreadInCiffDirectoryReadDirectory(metaclass=CaseMeta): ++ ++ filename = path("$data_path/POC-file_issue_1019") ++ commands = ["$exiv2 -pv $filename"] ++ stdout = [""] ++ stderr = [ ++ """$exiv2_exception_message $filename: ++$kerOffsetOutOfRange ++""" ++ ] ++ retval = [1] +diff --git a/tests/suite.conf b/tests/suite.conf +index 5b31930c1..dab7427b3 100644 +--- a/tests/suite.conf ++++ b/tests/suite.conf +@@ -19,6 +19,7 @@ largeiptc_test: ${ENV:exiv2_path}/largeiptc-test${ENV:binary_extension} + easyaccess_test: ${ENV:exiv2_path}/easyaccess-test${ENV:binary_extension} + + [variables] ++kerOffsetOutOfRange: Offset out of range + kerFailedToReadImageData: Failed to read image data + kerCorruptedMetadata: corrupted image metadata + kerInvalidMalloc: invalid memory allocation request -- cgit v1.2.3-70-g09d2