diff options
Diffstat (limited to 'gnu/packages/patches')
| -rw-r--r-- | gnu/packages/patches/byobu-writable-status.patch | 10 | ||||
| -rw-r--r-- | gnu/packages/patches/openssh-CVE-2018-15473.patch | 165 | ||||
| -rw-r--r-- | gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch | 62 | ||||
| -rw-r--r-- | gnu/packages/patches/soundtouch-CVE-2018-1000223.patch | 143 | ||||
| -rw-r--r-- | gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch | 138 |
5 files changed, 286 insertions, 232 deletions
diff --git a/gnu/packages/patches/byobu-writable-status.patch b/gnu/packages/patches/byobu-writable-status.patch index 2858280273..31dc1f2fd3 100644 --- a/gnu/packages/patches/byobu-writable-status.patch +++ b/gnu/packages/patches/byobu-writable-status.patch @@ -1,13 +1,13 @@ Skeleton status files are installed read-only. When copying to the config dir upon initialization, make sure they end up writable. ---- byobu-5.98/usr/bin/byobu-janitor.in -+++ byobu-5.98/usr/bin/byobu-janitor.in +--- byobu-5.127/usr/bin/byobu-janitor.in ++++ byobu-5.127/usr/bin/byobu-janitor.in @@ -82,6 +82,7 @@ if [ ! -r "$BYOBU_CONFIG_DIR/$f" ]; then # Copy from skeleton, if possible cp -f "$BYOBU_PREFIX/share/$PKG/status/$f" "$BYOBU_CONFIG_DIR/$f" + chmod +w "$BYOBU_CONFIG_DIR/$f" - # Enable ec2_cost, if we're in ec2 and seeding a new setup - if metadata_available; then - $BYOBU_SED_INLINE -e "s/#ec2_cost/ec2_cost/g" "$($BYOBU_READLINK -f $BYOBU_CONFIG_DIR/$f)" + fi + done + diff --git a/gnu/packages/patches/openssh-CVE-2018-15473.patch b/gnu/packages/patches/openssh-CVE-2018-15473.patch deleted file mode 100644 index 26b2dc59c3..0000000000 --- a/gnu/packages/patches/openssh-CVE-2018-15473.patch +++ /dev/null @@ -1,165 +0,0 @@ -Fix CVE-2018-15473, a method by which remote clients can enumerate -usernames on the server: - -http://seclists.org/oss-sec/2018/q3/124 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473 - -Patch adapted from upstream source repository: - -https://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8 - -From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001 -From: "[email protected]" <[email protected]> -Date: Tue, 31 Jul 2018 03:10:27 +0000 -Subject: [PATCH] upstream: delay bailout for invalid authentic - -=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= -=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= -=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d ---- - auth2-gss.c | 11 +++++++---- - auth2-hostbased.c | 11 ++++++----- - auth2-pubkey.c | 25 +++++++++++++++---------- - 3 files changed, 28 insertions(+), 19 deletions(-) - -# Adapted from upstream to apply to OpenSSH 7.7p1. -diff --git a/auth2-gss.c b/auth2-gss.c -index 589283b7..1d7cfb39 100644 ---- a/auth2-gss.c -+++ b/auth2-gss.c -@@ -69,9 +69,6 @@ userauth_gssapi(struct ssh *ssh) - u_int len; - u_char *doid = NULL; - -- if (!authctxt->valid || authctxt->user == NULL) -- return (0); -- - mechs = packet_get_int(); - if (mechs == 0) { - debug("Mechanism negotiation is not supported"); -diff --git a/auth2-gss.c b/auth2-gss.c -index 47308c5c..9351e042 100644 ---- a/auth2-gss.c -+++ b/auth2-gss.c -@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh) - return (0); - } - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", __func__); -+ free(doid); -+ return (0); -+ } -+ - if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { - if (ctxt != NULL) - ssh_gssapi_delete_ctx(&ctxt); -diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 60159a56..35939329 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c -@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh) - size_t alen, blen, slen; - int r, pktype, authenticated = 0; - -- if (!authctxt->valid) { -- debug2("%s: disabled because of invalid user", __func__); -- return 0; -- } - /* XXX use sshkey_froms() */ - if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || - (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || -@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh) - goto done; - } - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", __func__); -+ goto done; -+ } -+ - if ((b = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); - /* reconstruct packet */ -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index c4d0f790..e1c15040 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh) - { - Authctxt *authctxt = ssh->authctxt; - struct passwd *pw = authctxt->pw; -- struct sshbuf *b; -+ struct sshbuf *b = NULL; - struct sshkey *key = NULL; -- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; -- u_char *pkblob, *sig, have_sig; -+ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; -+ u_char *pkblob = NULL, *sig = NULL, have_sig; - size_t blen, slen; - int r, pktype; - int authenticated = 0; - struct sshauthopt *authopts = NULL; - -- if (!authctxt->valid) { -- debug2("%s: disabled because of invalid user", __func__); -- return 0; -- } - if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || - (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || - (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) -@@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh) - fatal("%s: sshbuf_put_string session id: %s", - __func__, ssh_err(r)); - } -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", -+ __func__); -+ goto done; -+ } - /* reconstruct packet */ - xasprintf(&userstyle, "%s%s%s", authctxt->user, - authctxt->style ? ":" : "", -@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh) - #ifdef DEBUG_PK - sshbuf_dump(b, stderr); - #endif -- - /* test for correct signature */ - authenticated = 0; - if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && -@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh) - authenticated = 1; - } - sshbuf_free(b); -- free(sig); - auth2_record_key(authctxt, authenticated, key); - } else { - debug("%s: test pkalg %s pkblob %s%s%s", -@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh) - if ((r = sshpkt_get_end(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", -+ __func__); -+ goto done; -+ } - /* XXX fake reply and always send PK_OK ? */ - /* - * XXX this allows testing whether a user is allowed -@@ -238,6 +242,7 @@ done: - free(pkblob); - free(key_s); - free(ca_s); -+ free(sig); - return authenticated; - } - --- -2.18.0 diff --git a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch deleted file mode 100644 index 74613cb632..0000000000 --- a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch +++ /dev/null @@ -1,62 +0,0 @@ -Fix CVE-2017-10788: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788 - -Patch written to match corrected documentation specifications: - -Old: http://web.archive.org/web/20161220021610/https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html -New: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html - -The patch itself is from https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-312420660. - -From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001 -From: Pali <[email protected]> -Date: Sun, 25 Jun 2017 10:07:39 +0200 -Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close() - -Ignore return value from mysql_stmt_close() and also its error message -because it points to freed memory after mysql_stmt_close() was called. ---- - dbdimp.c | 8 ++------ - mysql.xs | 7 ++----- - 2 files changed, 4 insertions(+), 11 deletions(-) - -diff --git a/dbdimp.c b/dbdimp.c -index c60a5f6..a6410e5 100644 ---- a/dbdimp.c -+++ b/dbdimp.c -@@ -4894,12 +4894,8 @@ void dbd_st_destroy(SV *sth, imp_sth_t *imp_sth) { - - if (imp_sth->stmt) - { -- if (mysql_stmt_close(imp_sth->stmt)) -- { -- do_error(DBIc_PARENT_H(imp_sth), mysql_stmt_errno(imp_sth->stmt), -- mysql_stmt_error(imp_sth->stmt), -- mysql_stmt_sqlstate(imp_sth->stmt)); -- } -+ mysql_stmt_close(imp_sth->stmt); -+ imp_sth->stmt= NULL; - } - #endif - -diff --git a/mysql.xs b/mysql.xs -index 55376e1..affde59 100644 ---- a/mysql.xs -+++ b/mysql.xs -@@ -434,11 +434,8 @@ do(dbh, statement, attr=Nullsv, ...) - if (bind) - Safefree(bind); - -- if(mysql_stmt_close(stmt)) -- { -- fprintf(stderr, "\n failed while closing the statement"); -- fprintf(stderr, "\n %s", mysql_stmt_error(stmt)); -- } -+ mysql_stmt_close(stmt); -+ stmt= NULL; - - if (retval == -2) /* -2 means error */ - { --- -1.7.9.5 diff --git a/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch b/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch new file mode 100644 index 0000000000..961a183565 --- /dev/null +++ b/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch @@ -0,0 +1,143 @@ +Fix CVE-2018-1000223: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000223 +https://gitlab.com/soundtouch/soundtouch/issues/6 + +Patches copied from upstream source repository: + +https://gitlab.com/soundtouch/soundtouch/commit/9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e +https://gitlab.com/soundtouch/soundtouch/commit/e0240689056e4182fffdc2a16aa6e3425a15e275 +https://gitlab.com/soundtouch/soundtouch/commit/46531e5b92dd80dd9a7947463d6224fc7cb21967 + +From 9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e Mon Sep 17 00:00:00 2001 +From: oparviainen <[email protected]> +Date: Sun, 12 Aug 2018 20:24:37 +0300 +Subject: [PATCH] Added minimum size check for WAV header block lengh values + +--- + source/SoundStretch/WavFile.cpp | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp +index 7e7ade2..68818c9 100644 +--- a/source/SoundStretch/WavFile.cpp ++++ b/source/SoundStretch/WavFile.cpp +@@ -530,7 +530,11 @@ int WavInFile::readHeaderBlock() + // read length of the format field
+ if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+- _swap32(nLen); // int format_len;
++ _swap32(nLen);
++
++ // verify that header length isn't smaller than expected
++ if (nLen < sizeof(header.format) - 8) return -1;
++
+ header.format.format_len = nLen;
+
+ // calculate how much length differs from expected
+@@ -572,6 +576,10 @@ int WavInFile::readHeaderBlock() + if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+ _swap32(nLen); // int fact_len;
++
++ // verify that fact length isn't smaller than expected
++ if (nLen < sizeof(header.fact) - 8) return -1;
++
+ header.fact.fact_len = nLen;
+
+ // calculate how much length differs from expected
+-- +2.18.0 + +From e0240689056e4182fffdc2a16aa6e3425a15e275 Mon Sep 17 00:00:00 2001 +From: oparviainen <[email protected]> +Date: Mon, 13 Aug 2018 19:16:16 +0300 +Subject: [PATCH] Fixed WavFile header/fact not-too-small check + +--- + source/SoundStretch/WavFile.cpp | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp +index 4af7a4c..3421bca 100644 +--- a/source/SoundStretch/WavFile.cpp ++++ b/source/SoundStretch/WavFile.cpp +@@ -518,13 +518,13 @@ int WavInFile::readHeaderBlock() + // swap byte order if necessary
+ _swap32(nLen);
+
+- // verify that header length isn't smaller than expected
+- if (nLen < sizeof(header.format) - 8) return -1;
++ // calculate how much length differs from expected
++ nDump = nLen - ((int)sizeof(header.format) - 8);
+
+- header.format.format_len = nLen;
++ // verify that header length isn't smaller than expected structure
++ if (nDump < 0) return -1;
+
+- // calculate how much length differs from expected
+- nDump = nLen - ((int)sizeof(header.format) - 8);
++ header.format.format_len = nLen;
+
+ // if format_len is larger than expected, read only as much data as we've space for
+ if (nDump > 0)
+@@ -561,16 +561,16 @@ int WavInFile::readHeaderBlock() + // read length of the fact field
+ if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+- _swap32(nLen); // int fact_len;
+-
+- // verify that fact length isn't smaller than expected
+- if (nLen < sizeof(header.fact) - 8) return -1;
+-
+- header.fact.fact_len = nLen;
++ _swap32(nLen);
+
+ // calculate how much length differs from expected
+ nDump = nLen - ((int)sizeof(header.fact) - 8);
+
++ // verify that fact length isn't smaller than expected structure
++ if (nDump < 0) return -1;
++
++ header.fact.fact_len = nLen;
++
+ // if format_len is larger than expected, read only as much data as we've space for
+ if (nDump > 0)
+ {
+-- +2.18.0 + +From 46531e5b92dd80dd9a7947463d6224fc7cb21967 Mon Sep 17 00:00:00 2001 +From: olli <[email protected]> +Date: Mon, 13 Aug 2018 19:42:58 +0300 +Subject: [PATCH] Improved WavFile header/fact not-too-small check + +--- + source/SoundStretch/WavFile.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp +index 3421bca..9d90b8a 100644 +--- a/source/SoundStretch/WavFile.cpp ++++ b/source/SoundStretch/WavFile.cpp +@@ -522,7 +522,7 @@ int WavInFile::readHeaderBlock() + nDump = nLen - ((int)sizeof(header.format) - 8);
+
+ // verify that header length isn't smaller than expected structure
+- if (nDump < 0) return -1;
++ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.format.format_len = nLen;
+
+@@ -567,7 +567,7 @@ int WavInFile::readHeaderBlock() + nDump = nLen - ((int)sizeof(header.fact) - 8);
+
+ // verify that fact length isn't smaller than expected structure
+- if (nDump < 0) return -1;
++ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.fact.fact_len = nLen;
+
+-- +2.18.0 + diff --git a/gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch b/gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch new file mode 100644 index 0000000000..cc0282fc7b --- /dev/null +++ b/gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch @@ -0,0 +1,138 @@ +Fix CVE-2018-14044 and CVE-2018-14045: + +https://gitlab.com/soundtouch/soundtouch/issues/7 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14044 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14045 + +Patch copied from upstream source repository: + +https://gitlab.com/soundtouch/soundtouch/commit/107f2c5d201a4dfea1b7f15c5957ff2ac9e5f260 + +From 107f2c5d201a4dfea1b7f15c5957ff2ac9e5f260 Mon Sep 17 00:00:00 2001 +From: oparviainen <[email protected]> +Date: Sun, 12 Aug 2018 20:00:56 +0300 +Subject: [PATCH] Replaced illegal-number-of-channel assertions with run-time + exception + +--- + include/FIFOSamplePipe.h | 12 ++++++++++++ + include/STTypes.h | 3 +++ + source/SoundTouch/FIFOSampleBuffer.cpp | 3 ++- + source/SoundTouch/RateTransposer.cpp | 5 ++--- + source/SoundTouch/SoundTouch.cpp | 8 ++------ + source/SoundTouch/TDStretch.cpp | 5 ++--- + 6 files changed, 23 insertions(+), 13 deletions(-) + +diff --git a/include/FIFOSamplePipe.h b/include/FIFOSamplePipe.h +index 4ec9275..b08f836 100644 +--- a/include/FIFOSamplePipe.h ++++ b/include/FIFOSamplePipe.h +@@ -51,6 +51,18 @@ namespace soundtouch + /// Abstract base class for FIFO (first-in-first-out) sample processing classes.
+ class FIFOSamplePipe
+ {
++protected:
++
++ bool verifyNumberOfChannels(int nChannels) const
++ {
++ if ((nChannels > 0) && (nChannels <= SOUNDTOUCH_MAX_CHANNELS))
++ {
++ return true;
++ }
++ ST_THROW_RT_ERROR("Error: Illegal number of channels");
++ return false;
++ }
++
+ public:
+ // virtual default destructor
+ virtual ~FIFOSamplePipe() {}
+diff --git a/include/STTypes.h b/include/STTypes.h +index 03e7e07..862505e 100644 +--- a/include/STTypes.h ++++ b/include/STTypes.h +@@ -56,6 +56,9 @@ typedef unsigned long ulong; +
+ namespace soundtouch
+ {
++ /// Max allowed number of channels
++ #define SOUNDTOUCH_MAX_CHANNELS 16
++
+ /// Activate these undef's to overrule the possible sampletype
+ /// setting inherited from some other header file:
+ //#undef SOUNDTOUCH_INTEGER_SAMPLES
+diff --git a/source/SoundTouch/FIFOSampleBuffer.cpp b/source/SoundTouch/FIFOSampleBuffer.cpp +index f0d5e42..706e869 100644 +--- a/source/SoundTouch/FIFOSampleBuffer.cpp ++++ b/source/SoundTouch/FIFOSampleBuffer.cpp +@@ -73,7 +73,8 @@ void FIFOSampleBuffer::setChannels(int numChannels) + {
+ uint usedBytes;
+
+- assert(numChannels > 0);
++ if (!verifyNumberOfChannels(numChannels)) return;
++
+ usedBytes = channels * samplesInBuffer;
+ channels = (uint)numChannels;
+ samplesInBuffer = usedBytes / channels;
+diff --git a/source/SoundTouch/RateTransposer.cpp b/source/SoundTouch/RateTransposer.cpp +index 8b66be3..d115a4c 100644 +--- a/source/SoundTouch/RateTransposer.cpp ++++ b/source/SoundTouch/RateTransposer.cpp +@@ -179,11 +179,10 @@ void RateTransposer::processSamples(const SAMPLETYPE *src, uint nSamples) + // Sets the number of channels, 1 = mono, 2 = stereo
+ void RateTransposer::setChannels(int nChannels)
+ {
+- assert(nChannels > 0);
++ if (!verifyNumberOfChannels(nChannels) ||
++ (pTransposer->numChannels == nChannels)) return;
+
+- if (pTransposer->numChannels == nChannels) return;
+ pTransposer->setChannels(nChannels);
+-
+ inputBuffer.setChannels(nChannels);
+ midBuffer.setChannels(nChannels);
+ outputBuffer.setChannels(nChannels);
+diff --git a/source/SoundTouch/SoundTouch.cpp b/source/SoundTouch/SoundTouch.cpp +index 7b6756b..06bdd56 100644 +--- a/source/SoundTouch/SoundTouch.cpp ++++ b/source/SoundTouch/SoundTouch.cpp +@@ -139,18 +139,14 @@ uint SoundTouch::getVersionId() + // Sets the number of channels, 1 = mono, 2 = stereo
+ void SoundTouch::setChannels(uint numChannels)
+ {
+- /*if (numChannels != 1 && numChannels != 2)
+- {
+- //ST_THROW_RT_ERROR("Illegal number of channels");
+- return;
+- }*/
++ if (!verifyNumberOfChannels(numChannels)) return;
++
+ channels = numChannels;
+ pRateTransposer->setChannels((int)numChannels);
+ pTDStretch->setChannels((int)numChannels);
+ }
+
+
+-
+ // Sets new rate control value. Normal rate = 1.0, smaller values
+ // represent slower rate, larger faster rates.
+ void SoundTouch::setRate(double newRate)
+diff --git a/source/SoundTouch/TDStretch.cpp b/source/SoundTouch/TDStretch.cpp +index 149cdb9..be2dc88 100644 +--- a/source/SoundTouch/TDStretch.cpp ++++ b/source/SoundTouch/TDStretch.cpp +@@ -588,9 +588,8 @@ void TDStretch::setTempo(double newTempo) + // Sets the number of channels, 1 = mono, 2 = stereo
+ void TDStretch::setChannels(int numChannels)
+ {
+- assert(numChannels > 0);
+- if (channels == numChannels) return;
+-// assert(numChannels == 1 || numChannels == 2);
++ if (!verifyNumberOfChannels(numChannels) ||
++ (channels == numChannels)) return;
+
+ channels = numChannels;
+ inputBuffer.setChannels(channels);
+-- +2.18.0 + |