# Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
pkgname=binutils
pkgver=2.32
pkgrel=4
pkgrel=5
pkgdesc="Tools necessary to build programs"
url="https://www.gnu.org/software/binutils/"
depends=""
......@@ -32,6 +32,8 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
CVE-2019-12972.patch
CVE-2019-14250.patch
CVE-2019-14444.patch
CVE-2019-17450.patch
CVE-2019-17451.patch
BTS-170.patch
BTS-196.patch
"
......@@ -63,6 +65,9 @@ fi
# - CVE-2019-14250
# 2.32-r3:
# - CVE-2019-14444
# 2.32-r5:
# - CVE-2019-17450
# - CVE-2019-17451
build() {
local _sysroot=/
......@@ -158,5 +163,7 @@ c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be
9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch
c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch
0942cc1a4c5ec03e931c6ebd15c5d60eae6be48cd0a3d9b7f6356f97361226bb6d53dbdcb01b20efcca0ccaf23764730d9bbad2c1bbe2ea6ca320e43b43b311b CVE-2019-14444.patch
4e8cbe3985ca4a7cb8954e4e03f094687985b3afec6bb14f1599665e0ab13e601b68cefdbb63e88f9dd59852036dcfee05af14014493c16c76dc38d406efc8fd CVE-2019-17450.patch
a71a035db5e14f105b5d58ec01ad250447f6282cae04e8c931fbdbf7adf118a065c6c9be9c72a204e0f8115b19598dc52f3953ae91200d48328b58cc274939d8 CVE-2019-17451.patch
d4543d2f77808d317d17a5f0eb9af21540ef8543fceaed4e3524213e31e058333321f3ba3b495199e3b57bfd0c4164929cf679369470389e26871b8895cb0110 BTS-170.patch
9cc17d9fe3fc1351d1f6b4fc1c916254529f3304c95db6f4698b867eeb623210b914dc798fb837eafbad2b287b78b31c4ed5482b3151a2992864da04e1dd5fac BTS-196.patch"
From 063c511bd79281f33fd33f0964541a73511b9e2b Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 9 Oct 2019 00:07:29 +1030
Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
PR 25078
* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
recur_count. Error on recur_count reaching 100 rather than
info_ptr matching orig_info_ptr. Adjust calls.
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 575b082..d39f4fd 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -2812,13 +2812,13 @@ static bfd_boolean comp_unit_maybe_decode_line_info (struct comp_unit *,
struct dwarf2_debug *);
static bfd_boolean
-find_abstract_instance (struct comp_unit * unit,
- bfd_byte * orig_info_ptr,
- struct attribute * attr_ptr,
- const char ** pname,
- bfd_boolean * is_linkage,
- char ** filename_ptr,
- int * linenumber_ptr)
+find_abstract_instance (struct comp_unit *unit,
+ struct attribute *attr_ptr,
+ unsigned int recur_count,
+ const char **pname,
+ bfd_boolean *is_linkage,
+ char **filename_ptr,
+ int *linenumber_ptr)
{
bfd *abfd = unit->abfd;
bfd_byte *info_ptr;
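Review bot: The new `recur_count` parameter is undocumented and find_abstract_instance has no header comment, so a reader of this signature cannot tell what value to pass or what the limit means; the function body continues in later hunks. I would add above the definition: `/* Follow the abstract origin / specification in ATTR_PTR to the referenced DIE and fill in name, linkage, file and line. RECUR_COUNT is the number of DW_AT_specification links already followed: top-level callers pass 0, and the lookup fails once it reaches 100. */`. Those facts are visible in the patch (0 at the scan_unit_for_symbols call, recur_count + 1 on the DW_AT_specification recursion, failure at 100) but the signature alone does not convey them.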
@@ -2829,6 +2829,14 @@ find_abstract_instance (struct comp_unit * unit,
struct attribute attr;
const char *name = NULL;
+ if (recur_count == 100)
+ {
+ _bfd_error_handler
+ (_("DWARF error: abstract instance recursion detected"));
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
/* DW_FORM_ref_addr can reference an entry in a different CU. It
is an offset from the .debug_info section, not the current CU. */
if (attr_ptr->form == DW_FORM_ref_addr)
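Review bot: The depth limit `if (recur_count == 100)` is a bare magic number tested for equality, so any caller that starts above 100, or a future call site that passes a different depth, would skip the check and the unbounded recursion this patch fixes would be back. Prefer a named limit and a `>=` test: `#define MAX_ABSTRACT_INSTANCE_DEPTH 100` at file scope and `if (recur_count >= MAX_ABSTRACT_INSTANCE_DEPTH)` here. Since the later hunk removes the `info_ptr == orig_info_ptr` self-reference check, a DIE whose DW_AT_specification points at itself now runs 100 levels deep before erroring instead of one; that is acceptable for bounding stack use, but a one-line comment saying the depth counter is the only guard against such cycles would help the next maintainer.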
@@ -2962,15 +2970,6 @@ find_abstract_instance (struct comp_unit * unit,
info_ptr, info_ptr_end);
if (info_ptr == NULL)
break;
- /* It doesn't ever make sense for DW_AT_specification to
- refer to the same DIE. Stop simple recursion. */
- if (info_ptr == orig_info_ptr)
- {
- _bfd_error_handler
- (_("DWARF error: abstract instance recursion detected"));
- bfd_set_error (bfd_error_bad_value);
- return FALSE;
- }
switch (attr.name)
{
case DW_AT_name:
@@ -2984,7 +2983,7 @@ find_abstract_instance (struct comp_unit * unit,
}
break;
case DW_AT_specification:
- if (!find_abstract_instance (unit, info_ptr, &attr,
+ if (!find_abstract_instance (unit, &attr, recur_count + 1,
&name, is_linkage,
filename_ptr, linenumber_ptr))
return FALSE;
@@ -3200,7 +3199,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
case DW_AT_abstract_origin:
case DW_AT_specification:
- if (!find_abstract_instance (unit, info_ptr, &attr,
+ if (!find_abstract_instance (unit, &attr, 0,
&func->name,
&func->is_linkage,
&func->file,
--
2.9.3
From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 9 Oct 2019 10:47:13 +1030
Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140, results in a total size of 1. Reading the first
section of course overflows the buffer and tramples on other memory.
PR 25070
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
total_size calculation.
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index d39f4fd..88aaa2d 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
for (total_size = 0;
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
- total_size += msec->size;
+ {
+ /* Catch PR25070 testcase overflowing size calculation here. */
+ if (total_size + msec->size < total_size
+ || total_size + msec->size < msec->size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+ total_size += msec->size;
+ }
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
if (stash->info_ptr_memory == NULL)
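Review bot: The overflow guard reports `bfd_error_no_memory`, but an overflowing sum of section sizes is malformed input rather than an allocation failure; `bfd_error_bad_value`, which this same file already uses for the abstract-instance recursion error, describes it better and lets callers distinguish the two cases. The second disjunct `total_size + msec->size < msec->size` is redundant if both operands are unsigned (as their use as sizes suggests), since `a + b < a` already detects a wrap, so `if (total_size + msec->size < total_size)` is sufficient. The check only catches wraparound: a single section claiming 0x2aaaabac4ec1 bytes still passes and is left to bfd_malloc to reject, so comparing each `msec->size` against the file size would fail such input earlier and more deliberately. The loop and _bfd_dwarf2_slurp_debug_info continue outside the hunk.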
--
2.9.3
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=exiv2
pkgver=0.27.2
pkgrel=0
pkgrel=1
pkgdesc="Exif, IPTC and XMP metadata library and tools"
url="https://www.exiv2.org/"
arch="all"
......@@ -11,7 +11,9 @@ depends_dev="expat-dev zlib-dev"
makedepends="$depends_dev bash cmake"
checkdepends="python3 libxml2 cmd:which"
subpackages="$pkgname-dev $pkgname-doc"
source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz"
source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
https://dev.sick.bike/dist/exiv2-0.27.2-POC-file_issue_1019
CVE-2019-17402.patch"
builddir="$srcdir/$pkgname-$pkgver-Source"
# secfixes:
......@@ -82,10 +84,16 @@ builddir="$srcdir/$pkgname-$pkgver-Source"
# - CVE-2019-13112
# - CVE-2019-13113
# - CVE-2019-13114
# 0.27.2-r1:
# - CVE-2019-17402
prepare() {
default_prepare
mkdir build
# Remove #1019 POC after >= 0.27.2
mv "$srcdir/$pkgname-$pkgver-POC-file_issue_1019" \
test/data/POC-file_issue_1019
}
build() {
......@@ -106,4 +114,6 @@ package() {
make DESTDIR="$pkgdir" install
}
sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz"
sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz
cfe0b534c29c37e7b6e5a00e8ec320cb57eb17187813fe30677a097e930655f1b097ce77806e0124affbdc423b48d9910560158eed9d2d03418a824244dafba9 exiv2-0.27.2-POC-file_issue_1019
623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd CVE-2019-17402.patch"
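Review bot: The regression-test input `exiv2-0.27.2-POC-file_issue_1019` is fetched from `https://dev.sick.bike/dist/`, a host that is not the upstream project, while the fix itself is applied from upstream commits; the sha512 pin protects integrity, but nothing records where the binary came from or how to re-derive it. Add a comment beside that source entry naming the upstream commit that introduced `test/data/POC-file_issue_1019` (the `[tests] Add regression test for #1019` patch shipped here, 73b874fb14d02578f876aa7dd404cf7c07b6dc4e) so the file can be re-fetched and re-hashed from upstream. The `# Remove #1019 POC after >= 0.27.2` note in prepare() is ambiguous since this package already is 0.27.2; it should say the copy is needed until the next upstream release ships the test data. The tarball is still fetched over `http://www.exiv2.org/builds/...` while `url` uses https; if the host serves the builds over TLS, switch the source to https so the hash is not the only defence against a tampered download.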
From 683451567284005cd24e1ccb0a76ca401000968b Mon Sep 17 00:00:00 2001
From: Jens Georg <mail@jensge.org>
Date: Sun, 6 Oct 2019 15:05:20 +0200
Subject: [PATCH 1/2] crwimage: Check offset and size against total size
Corrupted or specially crafted CRW images might exceed the overall
buffer size.
Fixes #1019
---
src/crwimage_int.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index 2474baace..3315b86d7 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -270,6 +270,9 @@ namespace Exiv2 {
#ifdef EXIV2_DEBUG_MESSAGES
std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
#endif
+ if (this->offset() + this->size() > size)
+ throw Error(kerOffsetOutOfRange);
+
readDirectory(pData + offset(), this->size(), byteOrder);
#ifdef EXIV2_DEBUG_MESSAGES
std::cout << "<---- 0x" << std::hex << tag() << "\n";
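Review bot: The new bound `this->offset() + this->size() > size` can itself overflow: if offset() and size() are fixed-width unsigned values parsed from the CIFF directory (as their use here suggests), a large offset plus a large size wraps below `size`, the check passes, and `readDirectory(pData + offset(), this->size(), byteOrder)` reads past the buffer exactly as before the fix. Write the check without the addition: `if (this->offset() > size || this->size() > size - this->offset()) throw Error(kerOffsetOutOfRange);`. The enclosing method starts and ends outside the hunk.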
From 73b874fb14d02578f876aa7dd404cf7c07b6dc4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Mon, 7 Oct 2019 23:25:00 +0200
Subject: [PATCH 2/2] [tests] Add regression test for #1019
---
test/data/POC-file_issue_1019 | Bin 0 -> 10078 bytes
tests/bugfixes/github/test_issue_1019.py | 14 ++++++++++++++
tests/suite.conf | 1 +
3 files changed, 15 insertions(+)
create mode 100755 test/data/POC-file_issue_1019
create mode 100644 tests/bugfixes/github/test_issue_1019.py
diff --git a/tests/bugfixes/github/test_issue_1019.py b/tests/bugfixes/github/test_issue_1019.py
new file mode 100644
index 000000000..c2682f901
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_1019.py
@@ -0,0 +1,14 @@
+from system_tests import CaseMeta, path
+
+
+class OverreadInCiffDirectoryReadDirectory(metaclass=CaseMeta):
+
+ filename = path("$data_path/POC-file_issue_1019")
+ commands = ["$exiv2 -pv $filename"]
+ stdout = [""]
+ stderr = [
+ """$exiv2_exception_message $filename:
+$kerOffsetOutOfRange
+"""
+ ]
+ retval = [1]
diff --git a/tests/suite.conf b/tests/suite.conf
index 5b31930c1..dab7427b3 100644
--- a/tests/suite.conf
+++ b/tests/suite.conf
@@ -19,6 +19,7 @@ largeiptc_test: ${ENV:exiv2_path}/largeiptc-test${ENV:binary_extension}
easyaccess_test: ${ENV:exiv2_path}/easyaccess-test${ENV:binary_extension}
[variables]
+kerOffsetOutOfRange: Offset out of range
kerFailedToReadImageData: Failed to read image data
kerCorruptedMetadata: corrupted image metadata
kerInvalidMalloc: invalid memory allocation request
......@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=kauth
pkgver=5.54.0
pkgrel=0
pkgrel=1
pkgdesc="Framework for allowing software to gain temporary privileges"
url="https://www.kde.org/"
arch="all"
......@@ -11,10 +11,14 @@ depends=""
depends_dev="polkit-qt-1-dev qt5-qtbase-dev kcoreaddons-dev"
makedepends="$depends_dev cmake extra-cmake-modules qt5-qttools-dev doxygen"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz"
source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz
CVE-2019-7443.patch"
# secfixes:
# 5.54.0-r1:
# - CVE-2019-7443
build() {
cd "$builddir"
if [ "$CBUILD" != "$CHOST" ]; then
CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux"
fi
......@@ -31,13 +35,12 @@ build() {
}
check() {
cd "$builddir"
CTEST_OUTPUT_ON_FAILURE=TRUE ctest -E KAuthHelperTest
}
package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
}
sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2 kauth-5.54.0.tar.xz"
sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2 kauth-5.54.0.tar.xz
9cb0e37eedb5cee82c5e6d1b316f92f014c8850c9274a8d0c728f306ceabc35cbbec81b0057ebaf904bd48f3e07d6f83d91b0ef12602a0c1ba66b39a04bb45e4 CVE-2019-7443.patch"
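Review bot: `check()` runs `ctest -E KAuthHelperTest`, which excludes the helper test, yet the patch added by this commit changes exactly the helper's argument deserialization in DBusHelperProxy::performAction, so the package's test run does not exercise the patched path. The exclusion appears to be pre-existing context rather than part of this change, but a comment above it stating why the helper test is skipped (presumably it needs a session bus or polkit that is unavailable at build time) would make clear that the CVE fix is unverified by `check()` and must be tested another way.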
From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Sat, 2 Feb 2019 14:35:25 +0100
Subject: Remove support for passing gui QVariants to KAuth helpers
Supporting gui variants is very dangerous since they can end up triggering
image loading plugins, which are one of the biggest vectors for crashes and,
for very smart people, possible code execution — which is very dangerous
in code that is executed as root.
We've checked all the KAuth helpers inside KDE git and none seems to be using
gui variants, so we're not actually limiting anything that people wanted to do.
Reviewed by security@kde.org and Aleix Pol
Issue reported by Fabian Vogt
---
src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++
src/kauthaction.h | 2 ++
2 files changed, 11 insertions(+)
diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
index 10c14c6..8f0d336 100644
--- a/src/backends/dbus/DBusHelperProxy.cpp
+++ b/src/backends/dbus/DBusHelperProxy.cpp
@@ -31,6 +31,8 @@
#include "kf5authadaptor.h"
#include "kauthdebug.h"
+extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;
+
namespace KAuth
{
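Review bot: `extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;` re-declares a Qt-internal symbol that is not part of the public API, so this fix depends on QtCore's private export list and on the exact type of that variable; a Qt update that renames, hides or retypes it would either break the build or, worse, compile against a stale declaration and silently stop disabling gui variants. Add a comment recording the dependency and the Qt version it was checked against, e.g. `// NOTE: qMetaTypeGuiHelper is a Qt-private export, not public API; re-verify on every Qt upgrade.`, so the next packager knows to re-check it.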
@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
return ActionReply::HelperBusyReply().serialized();
}
+ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous
+ // since they end up calling the image loaders and thus are a vector for crashing → executing code
+ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper;
+ qMetaTypeGuiHelper = nullptr;
+
QVariantMap args;
QDataStream s(&arguments, QIODevice::ReadOnly);
s >> args;
+ qMetaTypeGuiHelper = origMetaTypeGuiHelper;
+
m_currentAction = action;
emit remoteSignal(ActionStarted, action, QByteArray());
QEventLoop e;
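Review bot: After `s >> args;` the stream status is never checked, so a truncated or malformed argument blob from the unprivileged caller yields a partially filled `args` that the helper then acts on as root; add `if (s.status() != QDataStream::Ok)` right after the restore of `qMetaTypeGuiHelper` and fail the request with a serialized error reply, the way the busy case at the top of the function already does. Temporarily nulling the process-global `qMetaTypeGuiHelper` is only safe if nothing else in the helper process deserializes variants concurrently and `s >> args` cannot exit the scope early — both presumably true for a single-threaded KAuth helper, but worth a comment stating that assumption next to the assignment. performAction continues outside the hunk.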
diff --git a/src/kauthaction.h b/src/kauthaction.h
index c67a70a..01f3ba1 100644
--- a/src/kauthaction.h
+++ b/src/kauthaction.h
@@ -298,6 +298,8 @@ public:
* This method sets the variant map that the application
* can use to pass arbitrary data to the helper when executing the action.
*
+ * Only non-gui variants are supported.
+ *
* @param arguments The new arguments map
*/
void setArguments(const QVariantMap &arguments);
--
cgit v1.1