From c6f2b6e5cd89d70a3838a5bfb8da888d5dd1ce1e Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Mon, 20 Apr 2020 18:29:34 -0500
Subject: [PATCH 1/5] system/git: [CVE] bump to 2.25.4

---
 system/git/APKBUILD | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/system/git/APKBUILD b/system/git/APKBUILD
index e8f9a27b05..04762f7ef4 100644
--- a/system/git/APKBUILD
+++ b/system/git/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Łukasz Jendrysik <scadu@yandex.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=git
-pkgver=2.25.3
+pkgver=2.25.4
 pkgrel=0
 pkgdesc="Distributed version control system"
 url="https://www.git-scm.com/"
@@ -32,6 +32,8 @@ source="https://www.kernel.org/pub/software/scm/git/git-$pkgver.tar.xz
 _gitcoredir=/usr/libexec/git-core
 
 # secfixes:
+#   2.25.4-r0:
+#     - CVE-2020-11008
 #   2.25.3-r0:
 #     - CVE-2020-5260
 #   2.24.1-r0:
@@ -164,7 +166,7 @@ subtree() {
 	make install prefix=/usr DESTDIR="$subpkgdir"
 }
 
-sha512sums="1ea2f0727baa29200f33469463c3b6db04a2e228e83ff552faa47fefe31063d92966d7502b2f13546c36cfc2756d42d71a26e41141c0fb972af9d6760f3aa471  git-2.25.3.tar.xz
+sha512sums="ca2ecc561d06dbb393fe47d445f0d69423d114766d9bcc125ef1d6d37e350ad903c456540cea420c1a51635b750cde3901e4196f29ce95b315fda11270173450  git-2.25.4.tar.xz
 0a0935d876024d96156df3aeec06b47fd9e370484d4552786c450cb500ae671a631e64c30994ec39f43a2f313f75d68909688ea92b47327d1af65e365dc77480  dont-test-other-encodings.patch
 89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a  git-daemon.initd
 fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec  git-daemon.confd"
-- 
GitLab


From 7dfa609028c77ce914bec3ad48f58b34fc1129b6 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Mon, 20 Apr 2020 18:32:56 -0500
Subject: [PATCH 2/5] user/re2c: patch CVE-2020-11958

https://www.openwall.com/lists/oss-security/2020/04/19/1
---
 user/re2c/APKBUILD             | 13 +++++++++---
 user/re2c/CVE-2020-11958.patch | 37 ++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 user/re2c/CVE-2020-11958.patch

diff --git a/user/re2c/APKBUILD b/user/re2c/APKBUILD
index d039a5baf4..aad7b839e8 100644
--- a/user/re2c/APKBUILD
+++ b/user/re2c/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: 
 pkgname=re2c
 pkgver=1.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Fast lexer generator for C and C++"
 url="http://re2c.org/"
 arch="all"
@@ -11,7 +11,13 @@ depends=""
 checkdepends="bash"
 makedepends=""
 subpackages="$pkgname-doc"
-source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz"
+source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz
+	CVE-2020-11958.patch
+	"
+
+# secfixes:
+#   1.3-r1:
+#     - CVE-2020-11958
 
 build() {
 	./configure \
@@ -32,4 +38,5 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e  re2c-1.3.tar.xz"
+sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e  re2c-1.3.tar.xz
+f4376b8e0724d500f665fa60dfd6fb35685a281af50c500d2ff90d781a829fb78f21e8c93c5745a4519acd55a62ec48a570dbfacf0a9ee977502e06f3e2e474a  CVE-2020-11958.patch"
diff --git a/user/re2c/CVE-2020-11958.patch b/user/re2c/CVE-2020-11958.patch
new file mode 100644
index 0000000000..b982b87e65
--- /dev/null
+++ b/user/re2c/CVE-2020-11958.patch
@@ -0,0 +1,37 @@
+From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Fri, 17 Apr 2020 22:47:14 +0100
+Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo).
+
+The crash happened in a rare case of a very long lexeme that doen't fit
+into the buffer, forcing buffer reallocation.
+
+The crash was caused by an incorrect calculation of the shift offset
+(it was smaller than necessary). As a consequence, the data from buffer
+start and up to the beginning of the current lexeme was not discarded
+(as it should have been), resulting in less free space for new data than
+expected.
+---
+ src/parse/scanner.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc
+index 1d6e9efa..bd651314 100644
+--- a/src/parse/scanner.cc
++++ b/src/parse/scanner.cc
+@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need)
+         if (!buf) fatal("out of memory");
+ 
+         memmove(buf, tok, copy);
+-        shift_ptrs_and_fpos(buf - bot);
++        shift_ptrs_and_fpos(buf - tok);
+         delete [] bot;
+         bot = buf;
+ 
+         free = BSIZE - copy;
+     }
+ 
++    DASSERT(lim + free <= bot + BSIZE);
+     if (!read(free)) {
+         eof = lim;
+         memset(lim, 0, YYMAXFILL);
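Review bot: The bound added before `read(free)` is a `DASSERT`, which is presumably compiled out unless re2c is built with debugging enabled. If so, the binary this package ships gets no runtime check should the free-space arithmetic in `Scanner::fill` go wrong again. The actual fix is the offset change to `shift_ptrs_and_fpos(buf - tok)`. If a hard stop is wanted in release builds, an unconditional guard such as `if (lim + free > bot + BSIZE) fatal("lexer buffer overflow");` could sit at the same spot, at the cost of diverging from the upstream commit. `Scanner::fill` begins before and continues past this hunk, so whether `free` is bounded on the non-reallocating path cannot be checked from here.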
-- 
GitLab


From 9725eeb5cc1649d1f15f24a508f13ff762032f24 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Tue, 21 Apr 2020 12:57:34 -0500
Subject: [PATCH 3/5] system/openssl: [CVE] bump to 1.1.1g (#268)

https://www.openssl.org/news/secadv/20200421.txt
---
 system/openssl/APKBUILD | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
index de6ae00845..dde5f86031 100644
--- a/system/openssl/APKBUILD
+++ b/system/openssl/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=openssl
-pkgver=1.1.1f
+pkgver=1.1.1g
 pkgrel=0
 pkgdesc="Toolkit for SSL and TLS"
 url="https://www.openssl.org/"
@@ -58,6 +58,8 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
 #     - CVE-2019-1563
 #   1.1.1d-r0:
 #     - CVE-2019-1551
+#   1.1.1g-r0:
+#     - CVE-2020-1967
 
 build() {
 	# openssl will prepend crosscompile always core CC et al
@@ -127,6 +129,6 @@ libssl() {
 	done
 }
 
-sha512sums="b00bd9b5ad5298fbceeec6bb19c1ab0c106ca5cfb31178497c58bf7e0e0cf30fcc19c20f84e23af31cc126bf2447d3e4f8461db97bafa7bd78f69561932f000c  openssl-1.1.1f.tar.gz
+sha512sums="01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab  openssl-1.1.1g.tar.gz
 c164dd528d7408b8b2a52a0b181f2066ff00feb635df863bdeb4ce879db9ecdf7dd9033bb14b63ee5239aa814d5d777a86bb99cc37ecedae2d77a6bd86144b88  ppc-auxv.patch
 e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509  ppc64.patch"
-- 
GitLab


From f58efe23e016a57672e127d949784f408c0d470c Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Fri, 24 Apr 2020 17:02:53 -0500
Subject: [PATCH 4/5] user/libslirp: [CVE] bump to 4.3.0

---
 user/libslirp/APKBUILD           | 13 +++++++++----
 user/libslirp/git-describe.patch | 24 ++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 4 deletions(-)
 create mode 100644 user/libslirp/git-describe.patch

diff --git a/user/libslirp/APKBUILD b/user/libslirp/APKBUILD
index 07d7eea318..bd88d39573 100644
--- a/user/libslirp/APKBUILD
+++ b/user/libslirp/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Max Rees <maxcrees@me.com>
 pkgname=libslirp
-pkgver=4.2.0
+pkgver=4.3.0
 pkgrel=0
 pkgdesc="A general-purpose TCP/IP emulator"
 url="https://gitlab.freedesktop.org/slirp/libslirp"
@@ -10,10 +10,14 @@ license="BSD-3-Clause AND MIT"
 depends=""
 makedepends="glib-dev meson"
 subpackages="$pkgname-dev"
-source="https://gitlab.freedesktop.org/slirp/libslirp/-/archive/v$pkgver/libslirp-v$pkgver.tar.gz
+source="https://elmarco.fedorapeople.org/libslirp-$pkgver.tar.xz
+	git-describe.patch
 	static.patch
 	"
-builddir="$srcdir/libslirp-v$pkgver"
+
+# secfixes:
+#   4.3.0-r0:
+#     - CVE-2020-1983
 
 build() {
 	meson \
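Review bot: The new `source=` entry downloads `libslirp-$pkgver.tar.xz` from `https://elmarco.fedorapeople.org/`, a personal hosting space, instead of the project's GitLab archive, and neither the APKBUILD nor the commit message says why. The sha512sum pins the bytes that were fetched, but it does not show that they correspond to the upstream v4.3.0 tag. Record the provenance next to the URL once it has been checked, for example `# release tarball published by the upstream maintainer; contents compared against tag v4.3.0`. The hunk also drops `builddir=`, so the build now depends on the default build directory matching the new tarball's top-level directory name; `build()` continues outside the hunk.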
@@ -30,5 +34,6 @@ package() {
 	DESTDIR="$pkgdir" ninja -C output install
 }
 
-sha512sums="514744ac8325857915b9946a76f4a55d48c8361b6167cd69c533086928ae06f059d923c5f057e92a0915921bb363b69d34a939a0bcc28233515125a5d1858d25  libslirp-v4.2.0.tar.gz
+sha512sums="656a57878354b893503af69dfb11ab93dcf4728cc68bd0b6aa352073cbcf1b558924a5932e1996011002f72f5bddfb22ddaffc5a88078a61862c630d908e8beb  libslirp-4.3.0.tar.xz
+fb66abe30c7b36c93bf759960275119c6d34e57861efe0cdc147a606a7a13b2d29f0f77dfe99326539800bd4ded9e39c736abd9d4ca9d6f16df2d50fd70fb7f6  git-describe.patch
 bb1bb5443d8083099d2a270b78b7ec74daa26634b2062d2c30460ed118b333942a9a555c96910216bb746311ae021d457f39a304a60fe07a3908a0c315a7c756  static.patch"
diff --git a/user/libslirp/git-describe.patch b/user/libslirp/git-describe.patch
new file mode 100644
index 0000000000..9cc66bbad5
--- /dev/null
+++ b/user/libslirp/git-describe.patch
@@ -0,0 +1,24 @@
+Otherwise you might get "-dirty" in the pc: version
+
+--- libslirp-4.3.0/build-aux/git-version-gen	2020-04-23 06:09:44.166262600 -0500
++++ libslirp-4.3.0/build-aux/git-version-gen	2020-04-24 15:08:09.450004079 -0500
+@@ -133,19 +133,6 @@ fi
+ 
+ v=`echo "$v" |sed 's/^v//'`
+ 
+-# Don't declare a version "dirty" merely because a time stamp has changed.
+-git update-index --refresh > /dev/null 2>&1
+-
+-dirty=`sh -c 'git diff-index --name-only HEAD' 2>/dev/null` || dirty=
+-case "$dirty" in
+-    '') ;;
+-    *) # Append the suffix only if there isn't one already.
+-	case $v in
+-	  *-dirty) ;;
+-	  *) v="$v-dirty" ;;
+-	esac ;;
+-esac
+-
+ # Omit the trailing newline, so that m4_esyscmd can use the result directly.
+ echo "$v" | tr -d "$nl"
+ 
-- 
GitLab


From 5df19234b438dd8d1d876033a8987e563c033c1a Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Wed, 29 Apr 2020 12:21:14 -0500
Subject: [PATCH 5/5] user/tcpdump: remove old patch for CVE-2018-19519

This was fixed upstream in a different way, but the patch was still
being applied with some fuzz.

https://github.com/the-tcpdump-group/tcpdump/commit/511915bef7e4de2f31b8d9f581b4a44b0cfbcf53
---
 user/tcpdump/APKBUILD             |  9 +++------
 user/tcpdump/CVE-2018-19519.patch | 10 ----------
 2 files changed, 3 insertions(+), 16 deletions(-)
 delete mode 100644 user/tcpdump/CVE-2018-19519.patch

diff --git a/user/tcpdump/APKBUILD b/user/tcpdump/APKBUILD
index f39d5c9d5c..d2d2ec909d 100644
--- a/user/tcpdump/APKBUILD
+++ b/user/tcpdump/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Dan Theisen <djt@hxx.in>
 pkgname=tcpdump
 pkgver=4.9.3
-pkgrel=0
+pkgrel=1
 pkgdesc="A tool for network monitoring and data acquisition"
 url="http://www.tcpdump.org"
 arch="all"
@@ -10,9 +10,7 @@ license="BSD-3-Clause"
 depends=""
 makedepends="libpcap-dev openssl-dev perl"
 subpackages="$pkgname-doc"
-source="http://www.tcpdump.org/release/$pkgname-$pkgver.tar.gz
-	CVE-2018-19519.patch
-	"
+source="http://www.tcpdump.org/release/$pkgname-$pkgver.tar.gz"
 
 # secfixes:
 #   4.9.2-r1:
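Review bot: The rewritten `source=` line still fetches the tarball over plain `http://`, so the sha512sums entry is the only protection against the download being altered in transit. If the upstream site serves the release directory over TLS, prefer `source="https://www.tcpdump.org/release/$pkgname-$pkgver.tar.gz"`. The `# secfixes:` block continues outside this hunk. Since the commit message says CVE-2018-19519 is now covered by upstream's own change, check that the block still records that CVE against a version in which the fix is present.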
@@ -67,5 +65,4 @@ package() {
 	rm -f "$pkgdir"/usr/sbin/tcpdump.4*
 }
 
-sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22  tcpdump-4.9.3.tar.gz
-eb4232e434064ec59b07840aa394cfcc05c89e817f2d4ebeb4da1dbb1c910fe1805857356d6304ebdb16e32aa6476ce90f164aabc60501b493fd5601b380af7e  CVE-2018-19519.patch"
+sha512sums="3aec673f78b996a4df884b1240e5d0a26a2ca81ee7aca8a2e6d50255bb53476e008a5ced4409e278a956710d8a4d31d85bbb800c9f1aab92b0b1046b59292a22  tcpdump-4.9.3.tar.gz"
diff --git a/user/tcpdump/CVE-2018-19519.patch b/user/tcpdump/CVE-2018-19519.patch
deleted file mode 100644
index ac3293927a..0000000000
--- a/user/tcpdump/CVE-2018-19519.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- tcpdump-4.9.2/print-hncp.c.old	2017-09-03 23:17:14.000000000 +0000
-+++ tcpdump-4.9.2/print-hncp.c	2018-12-07 19:31:24.360000000 +0000
-@@ -228,6 +228,7 @@
- 	snprintf(buf, sizeof(buf), "%s/%d", ipaddr_string(ndo, &addr), plen);
-         plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
-     } else {
-+        buf[0] = '\0';
-         plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
-     }
- 
-- 
GitLab