diff options
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/ghostscript-CVE-2020-15900.patch | 36 | ||||
-rw-r--r-- | gnu/packages/patches/ghostscript-freetype-compat.patch | 35 | ||||
-rw-r--r-- | gnu/packages/patches/libssh2-CVE-2019-17498.patch | 126 | ||||
-rw-r--r-- | gnu/packages/patches/python-CVE-2020-26116.patch | 47 |
4 files changed, 244 insertions, 0 deletions
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch new file mode 100644 index 0000000000..b6658d7c7f --- /dev/null +++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch @@ -0,0 +1,36 @@ +Fix CVE-2020-15900. + +https://cve.circl.lu/cve/CVE-2020-15900 +https://artifex.com/security-advisories/CVE-2020-15900 + +Taken from upstream: +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b + +diff --git a/psi/zstring.c b/psi/zstring.c +--- a/psi/zstring.c ++++ b/psi/zstring.c +@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) + return 0; + found: + op->tas.type_attrs = op1->tas.type_attrs; +- op->value.bytes = ptr; +- r_set_size(op, size); ++ op->value.bytes = ptr; /* match */ ++ op->tas.rsize = size; /* match */ + push(2); +- op[-1] = *op1; +- r_set_size(op - 1, ptr - op[-1].value.bytes); +- op1->value.bytes = ptr + size; +- r_set_size(op1, count + (!forward ? (size - 1) : 0)); ++ op[-1] = *op1; /* pre */ ++ op[-3].value.bytes = ptr + size; /* post */ ++ if (forward) { ++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ ++ op[-3].tas.rsize = count; /* post */ ++ } else { ++ op[-1].tas.rsize = count; /* pre */ ++ op[-3].tas.rsize -= count + size; /* post */ ++ } + make_true(op); + return 0; + } diff --git a/gnu/packages/patches/ghostscript-freetype-compat.patch b/gnu/packages/patches/ghostscript-freetype-compat.patch new file mode 100644 index 0000000000..cc225b5ad6 --- /dev/null +++ b/gnu/packages/patches/ghostscript-freetype-compat.patch @@ -0,0 +1,35 @@ +Fix build with FreeType 2.10.3 and newer. + +Taken from upstream: +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade + +diff --git a/base/fapi_ft.c b/base/fapi_ft.c +--- a/base/fapi_ft.c ++++ b/base/fapi_ft.c +@@ -125,7 +125,7 @@ static void + delete_inc_int_info(gs_fapi_server * a_server, + FT_IncrementalRec * a_inc_int_info); + +-FT_CALLBACK_DEF(void *) ++static void * + FF_alloc(FT_Memory memory, long size) + { + gs_memory_t *mem = (gs_memory_t *) memory->user; +@@ -133,7 +133,7 @@ FF_alloc(FT_Memory memory, long size) + return (gs_malloc(mem, size, 1, "FF_alloc")); + } + +-FT_CALLBACK_DEF(void *) ++static void * + FF_realloc(FT_Memory memory, long cur_size, long new_size, void *block) + { + gs_memory_t *mem = (gs_memory_t *) memory->user; +@@ -153,7 +153,7 @@ FT_CALLBACK_DEF(void *) + return (tmp); + } + +-FT_CALLBACK_DEF(void) ++static void + FF_free(FT_Memory memory, void *block) + { + gs_memory_t *mem = (gs_memory_t *) memory->user; diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch new file mode 100644 index 0000000000..6f69e562e2 --- /dev/null +++ b/gnu/packages/patches/libssh2-CVE-2019-17498.patch @@ -0,0 +1,126 @@ +https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch + +From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Fri, 30 Aug 2019 09:57:38 -0700 +Subject: [PATCH] packet.c: improve message parsing (#402) + +* packet.c: improve parsing of packets + +file: packet.c + +notes: +Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST. +--- + src/packet.c | 68 ++++++++++++++++++++++------------------------------ + 1 file changed, 29 insertions(+), 39 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 38ab62944..2e01bfc5d 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message = NULL; +- char *language = NULL; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; + size_t message_len = 0; + size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; +@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ + +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = +- _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len = 0; +- } + if(session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- message_len, language, language_len); ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } ++ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "Disconnect(%d): %s(%s)", reason, + message, language); +@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + int always_display = data[1]; + + if(datalen >= 6) { +- message_len = _libssh2_ntohu32(data + 2); +- +- if(message_len <= (datalen - 10)) { +- /* 6 = packet_type(1) + display(1) + message_len(4) */ +- message = (char *) data + 6; +- language_len = _libssh2_ntohu32(data + 6 + +- message_len); +- +- if(language_len <= (datalen - 10 - message_len)) +- language = (char *) data + 10 + message_len; +- } ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 2; /* advance past type & always display */ ++ ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + } + + if(session->ssh_msg_debug) { +- LIBSSH2_DEBUG(session, always_display, message, +- message_len, language, language_len); ++ LIBSSH2_DEBUG(session, always_display, ++ (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } + } ++ + /* + * _libssh2_debug will actually truncate this for us so + * that it's not an inordinate about of data +@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if(datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch new file mode 100644 index 0000000000..dc0571e964 --- /dev/null +++ b/gnu/packages/patches/python-CVE-2020-26116.patch @@ -0,0 +1,47 @@ +Fix CVE-2020-26116: + +https://cve.circl.lu/cve/CVE-2020-26116 +https://bugs.python.org/issue39603 + +Taken from upstream (sans test and NEWS update): +https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf + +diff --git a/Lib/http/client.py b/Lib/http/client.py +--- a/Lib/http/client.py ++++ b/Lib/http/client.py +@@ -147,6 +147,10 @@ + # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") + # We are more lenient for assumed real world compatibility purposes. + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, + else: + raise CannotSendRequest(self.__state) + ++ self._validate_method(method) ++ + # Save the method for use later in the response phase + self._method = method + +@@ -1177,6 +1183,15 @@ def _encode_request(self, request): + # ASCII also helps prevent CVE-2019-9740. + return request.encode('ascii') + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ f"method can't contain control characters. {method!r} " ++ f"(found at least {match.group()!r})") ++ + def _validate_path(self, url): + """Validate a url for putrequest.""" + # Prevent CVE-2019-9740. |