author | J0WI <J0WI@users.noreply.github.com> | 2019-03-21 09:42:17 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-01-23 17:08:13 +0100 |
commit | d7288e99061f0ea9be587cba5712912f10de33f9 (patch) | |
tree | 71aaf030ac81cee59527056481583c085973249e | |
parent | 45e394536a3bf2a562ad861feeca530477d4dfd0 (diff) | |
main/libseccomp: upgrade to 2.4.2 (CVE-2019-9893)
fixes #10867
-rw-r--r-- | main/libseccomp/APKBUILD | 33 | ||||
-rw-r--r-- | main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch | 36 |
2 files changed, 58 insertions, 11 deletions
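--- a/main/libseccomp/APKBUILD
+++ b/main/libseccomp/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Contributor: Dan Williams <dan@ma.ssive.co>
 pkgname=libseccomp
-pkgver=2.3.3
-pkgrel=1
+pkgver=2.4.2
+pkgrel=2
 pkgdesc="An interface to the Linux Kernel's syscall filtering mechanism"
 url="https://github.com/seccomp/libseccomp"
 arch="all"
@@ -13,8 +13,13 @@ makedepends="$depends_dev"
 checkdepends="bash"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://github.com/seccomp/libseccomp/releases/download/v$pkgver/libseccomp-$pkgver.tar.gz
-	remove-redefinition-prctl.patch"
-builddir="$srcdir/libseccomp-$pkgver"
+	remove-redefinition-prctl.patch
+	tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
+	"
+
+# secfixes:
+#   2.4.0-r0:
+#     - CVE-2019-9893
 
 build() {
 	cd "$builddir"
@@ -25,20 +30,26 @@ build() {
 		--sysconfdir=/etc \
 		--mandir=/usr/share/man \
 		--infodir=/usr/share/info \
-		--localstatedir=/var \
-		|| return 1
-	make || return 1
+		--localstatedir=/var
+	make
 }
 
 check() {
 	cd "$builddir"
-	make check || return 1
+	# commit be65b26b67099be2b2b4890d736dbd1ad15adf36 adapted to new kernel 5.x syscalls
+	# as long as we are at 4.19 kernel, we need this change
+	case "$CARCH" in
+	ppc64le|s390x) rm -f tests/36-sim-ipc_syscalls.tests \
+		tests/37-sim-ipc_syscalls_be.tests;;
+	esac
+	make check
 }
 
 package() {
 	cd "$builddir"
-	make DESTDIR="$pkgdir" install || return 1
+	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="845c7e0e916b5f5ad74da446ceff3250148b745c909185f6d5059e807d1b42fa6b74f356cce2a396bff0d4c7a3120e7cdad98d490a97d549327c7693fe1918be  libseccomp-2.3.3.tar.gz
-f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f  remove-redefinition-prctl.patch"
+sha512sums="375a3c7c658be6a08b9bb30963e10bb49e8e066119e0be6d3d97faac3db18b8e2c6938d8b5d3874b2f5331ec8295170112fbae83b5a3b5a5bebc0d6705bdfdbb  libseccomp-2.4.2.tar.gz
+f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f  remove-redefinition-prctl.patch
+e9c6adbc424c310802851ec486df23aedd8121397a9742f3a5ed4754a5eee7ec1701a6f5e220bb37911b8c48626ba00d70943fad43e489d740d0295e6e9b0dff  tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch"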
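Review bot: The ppc64le/s390x branch added in check() deletes the two ipc_syscalls simulation tests, so seccomp filter simulation for those syscalls goes untested on exactly the architectures where the kernel 5.x syscall table changed, and the comment explains why but not when the exclusion can be lifted. I would make the exit condition explicit so it does not outlive its reason, e.g. `# TODO: drop this case once the builders run a >=5.x kernel (upstream be65b26b67099be2b2b4890d736dbd1ad15adf36)`. Separately, pkgver moves to 2.4.2 while pkgrel is 2 rather than resetting to 0; if that is deliberate (tracking another branch, I assume), a one-line comment next to pkgrel would keep the next bumper from "fixing" it.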
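--- /dev/null
+++ b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
@@ -0,0 +1,36 @@
+From 35803ceb43c453762a3ab5177c5f8d5dbb813478 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 5 Nov 2019 15:11:11 -0500
+Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
+
+We recently changed how libseccomp handles syscall numbers that are
+not defined natively, but we missed test #15.
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ tests/15-basic-resolver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
+index 6badef1..0c1eefe 100644
+--- a/tests/15-basic-resolver.c
++++ b/tests/15-basic-resolver.c
+@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
+ 	unsigned int arch;
+ 	char *name = NULL;
+ 
+-	if (seccomp_syscall_resolve_name("open") != __NR_open)
++	if (seccomp_syscall_resolve_name("open") != __SNR_open)
+ 		goto fail;
+-	if (seccomp_syscall_resolve_name("read") != __NR_read)
++	if (seccomp_syscall_resolve_name("read") != __SNR_read)
+ 		goto fail;
+ 	if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+ 		goto fail;
+ 
+ 	rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+-	if (rc != __NR_openat)
++	if (rc != __SNR_openat)
+ 		goto fail;
+ 
+ 	while ((arch = arch_list[iter++]) != -1) {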