summaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2020-15900.patch36
-rw-r--r--gnu/packages/patches/ghostscript-freetype-compat.patch35
-rw-r--r--gnu/packages/patches/libssh2-CVE-2019-17498.patch126
-rw-r--r--gnu/packages/patches/python-CVE-2020-26116.patch47
4 files changed, 244 insertions, 0 deletions
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
new file mode 100644
index 0000000000..b6658d7c7f
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
@@ -0,0 +1,36 @@
+Fix CVE-2020-15900.
+
+https://cve.circl.lu/cve/CVE-2020-15900
+https://artifex.com/security-advisories/CVE-2020-15900
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+ return 0;
+ found:
+ op->tas.type_attrs = op1->tas.type_attrs;
+- op->value.bytes = ptr;
+- r_set_size(op, size);
++ op->value.bytes = ptr; /* match */
++ op->tas.rsize = size; /* match */
+ push(2);
+- op[-1] = *op1;
+- r_set_size(op - 1, ptr - op[-1].value.bytes);
+- op1->value.bytes = ptr + size;
+- r_set_size(op1, count + (!forward ? (size - 1) : 0));
++ op[-1] = *op1; /* pre */
++ op[-3].value.bytes = ptr + size; /* post */
++ if (forward) {
++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
++ op[-3].tas.rsize = count; /* post */
++ } else {
++ op[-1].tas.rsize = count; /* pre */
++ op[-3].tas.rsize -= count + size; /* post */
++ }
+ make_true(op);
+ return 0;
+ }
diff --git a/gnu/packages/patches/ghostscript-freetype-compat.patch b/gnu/packages/patches/ghostscript-freetype-compat.patch
new file mode 100644
index 0000000000..cc225b5ad6
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-freetype-compat.patch
@@ -0,0 +1,35 @@
+Fix build with FreeType 2.10.3 and newer.
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade
+
+diff --git a/base/fapi_ft.c b/base/fapi_ft.c
+--- a/base/fapi_ft.c
++++ b/base/fapi_ft.c
+@@ -125,7 +125,7 @@ static void
+ delete_inc_int_info(gs_fapi_server * a_server,
+ FT_IncrementalRec * a_inc_int_info);
+
+-FT_CALLBACK_DEF(void *)
++static void *
+ FF_alloc(FT_Memory memory, long size)
+ {
+ gs_memory_t *mem = (gs_memory_t *) memory->user;
+@@ -133,7 +133,7 @@ FF_alloc(FT_Memory memory, long size)
+ return (gs_malloc(mem, size, 1, "FF_alloc"));
+ }
+
+-FT_CALLBACK_DEF(void *)
++static void *
+ FF_realloc(FT_Memory memory, long cur_size, long new_size, void *block)
+ {
+ gs_memory_t *mem = (gs_memory_t *) memory->user;
+@@ -153,7 +153,7 @@ FT_CALLBACK_DEF(void *)
+ return (tmp);
+ }
+
+-FT_CALLBACK_DEF(void)
++static void
+ FF_free(FT_Memory memory, void *block)
+ {
+ gs_memory_t *mem = (gs_memory_t *) memory->user;
diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
new file mode 100644
index 0000000000..6f69e562e2
--- /dev/null
+++ b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
@@ -0,0 +1,126 @@
+https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch
+
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab62944..2e01bfc5d 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message = NULL;
+- char *language = NULL;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
+ size_t message_len = 0;
+ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
+
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len =
+- _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len = 0;
+- }
+ if(session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
+@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ int always_display = data[1];
+
+ if(datalen >= 6) {
+- message_len = _libssh2_ntohu32(data + 2);
+-
+- if(message_len <= (datalen - 10)) {
+- /* 6 = packet_type(1) + display(1) + message_len(4) */
+- message = (char *) data + 6;
+- language_len = _libssh2_ntohu32(data + 6 +
+- message_len);
+-
+- if(language_len <= (datalen - 10 - message_len))
+- language = (char *) data + 10 + message_len;
+- }
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 2; /* advance past type & always display */
++
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+ }
+
+ if(session->ssh_msg_debug) {
+- LIBSSH2_DEBUG(session, always_display, message,
+- message_len, language, language_len);
++ LIBSSH2_DEBUG(session, always_display,
++ (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
+ }
++
+ /*
+ * _libssh2_debug will actually truncate this for us so
+ * that it's not an inordinate about of data
+@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = 0;
+ unsigned char want_reply = 0;
+ len = _libssh2_ntohu32(data + 1);
+- if(datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch
new file mode 100644
index 0000000000..dc0571e964
--- /dev/null
+++ b/gnu/packages/patches/python-CVE-2020-26116.patch
@@ -0,0 +1,47 @@
+Fix CVE-2020-26116:
+
+https://cve.circl.lu/cve/CVE-2020-26116
+https://bugs.python.org/issue39603
+
+Taken from upstream (sans test and NEWS update):
+https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -147,6 +147,10 @@
+ # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
+ else:
+ raise CannotSendRequest(self.__state)
+
++ self._validate_method(method)
++
+ # Save the method for use later in the response phase
+ self._method = method
+
+@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
+ # ASCII also helps prevent CVE-2019-9740.
+ return request.encode('ascii')
+
++ def _validate_method(self, method):
++ """Validate a method name for putrequest."""
++ # prevent http header injection
++ match = _contains_disallowed_method_pchar_re.search(method)
++ if match:
++ raise ValueError(
++ f"method can't contain control characters. {method!r} "
++ f"(found at least {match.group()!r})")
++
+ def _validate_path(self, url):
+ """Validate a url for putrequest."""
+ # Prevent CVE-2019-9740.