main/libseccomp: upgrade to 2.4.2 (CVE-2019-9893)

fixes #10867
author: J0WI <J0WI@users.noreply.github.com> 2019-03-21 09:42:17 +0100
committer: Natanael Copa <ncopa@alpinelinux.org> 2020-01-23 17:08:13 +0100
commit: d7288e99061f0ea9be587cba5712912f10de33f9 (patch)
tree: 71aaf030ac81cee59527056481583c085973249e
parent: 45e394536a3bf2a562ad861feeca530477d4dfd0 (diff)
download: alpine_aports-d7288e99061f0ea9be587cba5712912f10de33f9.tar.bz2
alpine_aports-d7288e99061f0ea9be587cba5712912f10de33f9.tar.xz
alpine_aports-d7288e99061f0ea9be587cba5712912f10de33f9.zip
2 files changed, 58 insertions, 11 deletions
diff --git a/main/libseccomp/APKBUILD b/main/libseccomp/APKBUILD
index f6eddb18f7..8be0cbfcd7 100644
--- a/main/libseccomp/APKBUILD
+++ b/main/libseccomp/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Contributor: Dan Williams <dan@ma.ssive.co>
 pkgname=libseccomp
-pkgver=2.3.3
+pkgver=2.4.2
-pkgrel=1
+pkgrel=2
 pkgdesc="An interface to the Linux Kernel's syscall filtering mechanism"
 url="https://github.com/seccomp/libseccomp"
 arch="all"
@@ -13,8 +13,13 @@ makedepends="$depends_dev"
 checkdepends="bash"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://github.com/seccomp/libseccomp/releases/download/v$pkgver/libseccomp-$pkgver.tar.gz
-        remove-redefinition-prctl.patch"
+        remove-redefinition-prctl.patch
-builddir="$srcdir/libseccomp-$pkgver"
+        tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
+        "
+# secfixes:
+#   2.4.0-r0:
+#     - CVE-2019-9893
 build() {
        cd "$builddir"
@@ -25,20 +30,26 @@ build() {
                --sysconfdir=/etc \
                --mandir=/usr/share/man \
                --infodir=/usr/share/info \
-                --localstatedir=/var \
+                --localstatedir=/var
-                || return 1
+        make
-        make || return 1
 }
 check() {
        cd "$builddir"
-        make check || return 1
+        # commit be65b26b67099be2b2b4890d736dbd1ad15adf36 adapted to new kernel 5.x syscalls
+        # as long as we are at 4.19 kernel, we need this change
+        case "$CARCH" in
+                ppc64le|s390x) rm -f tests/36-sim-ipc_syscalls.tests \
+                                     tests/37-sim-ipc_syscalls_be.tests;;
+        esac
+        make check
 }
 package() {
        cd "$builddir"
-        make DESTDIR="$pkgdir" install || return 1
+        make DESTDIR="$pkgdir" install
 }
-sha512sums="845c7e0e916b5f5ad74da446ceff3250148b745c909185f6d5059e807d1b42fa6b74f356cce2a396bff0d4c7a3120e7cdad98d490a97d549327c7693fe1918be  libseccomp-2.3.3.tar.gz
+sha512sums="375a3c7c658be6a08b9bb30963e10bb49e8e066119e0be6d3d97faac3db18b8e2c6938d8b5d3874b2f5331ec8295170112fbae83b5a3b5a5bebc0d6705bdfdbb  libseccomp-2.4.2.tar.gz
-f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f  remove-redefinition-prctl.patch"
+f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f  remove-redefinition-prctl.patch
+e9c6adbc424c310802851ec486df23aedd8121397a9742f3a5ed4754a5eee7ec1701a6f5e220bb37911b8c48626ba00d70943fad43e489d740d0295e6e9b0dff  tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch"
diff --git a/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
new file mode 100644
index 0000000000..5f688a4a7d
--- /dev/null
+++ b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
@@ -0,0 +1,36 @@
+From 35803ceb43c453762a3ab5177c5f8d5dbb813478 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 5 Nov 2019 15:11:11 -0500
+Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
+We recently changed how libseccomp handles syscall numbers that are
+not defined natively, but we missed test #15.
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ tests/15-basic-resolver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
+index 6badef1..0c1eefe 100644
+--- a/tests/15-basic-resolver.c
+++ b/tests/15-basic-resolver.c
+@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
+        unsigned int arch;
+        char *name = NULL;
+ 
+-       if (seccomp_syscall_resolve_name("open") != __NR_open)
+       if (seccomp_syscall_resolve_name("open") != __SNR_open)
+                goto fail;
+-       if (seccomp_syscall_resolve_name("read") != __NR_read)
+       if (seccomp_syscall_resolve_name("read") != __SNR_read)
+                goto fail;
+        if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+                goto fail;
+ 
+        rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+-       if (rc != __NR_openat)
+       if (rc != __SNR_openat)
+                goto fail;
+ 
+        while ((arch = arch_list[iter++]) != -1) {
author	J0WI <J0WI@users.noreply.github.com>	2019-03-21 09:42:17 +0100
committer	Natanael Copa <ncopa@alpinelinux.org>	2020-01-23 17:08:13 +0100
commit	d7288e99061f0ea9be587cba5712912f10de33f9 (patch)
tree	71aaf030ac81cee59527056481583c085973249e
parent	45e394536a3bf2a562ad861feeca530477d4dfd0 (diff)
download	alpine_aports-d7288e99061f0ea9be587cba5712912f10de33f9.tar.bz2 alpine_aports-d7288e99061f0ea9be587cba5712912f10de33f9.tar.xz alpine_aports-d7288e99061f0ea9be587cba5712912f10de33f9.zip

diff --git a/main/libseccomp/APKBUILD b/main/libseccomp/APKBUILD index f6eddb18f7..8be0cbfcd7 100644 --- a/main/libseccomp/APKBUILD +++ b/main/libseccomp/APKBUILD
@@ -2,8 +2,8 @@
2	# Contributor: Carlo Landmeter <clandmeter@gmail.com>	2	# Contributor: Carlo Landmeter <clandmeter@gmail.com>
3	# Contributor: Dan Williams <dan@ma.ssive.co>	3	# Contributor: Dan Williams <dan@ma.ssive.co>
4	pkgname=libseccomp	4	pkgname=libseccomp
5	pkgver=2.3.3	5	pkgver=2.4.2
6	pkgrel=1	6	pkgrel=2
7	pkgdesc="An interface to the Linux Kernel's syscall filtering mechanism"	7	pkgdesc="An interface to the Linux Kernel's syscall filtering mechanism"
8	url="https://github.com/seccomp/libseccomp"	8	url="https://github.com/seccomp/libseccomp"
9	arch="all"	9	arch="all"
@@ -13,8 +13,13 @@ makedepends="$depends_dev"
13	checkdepends="bash"	13	checkdepends="bash"
14	subpackages="$pkgname-dev $pkgname-doc"	14	subpackages="$pkgname-dev $pkgname-doc"
15	source="https://github.com/seccomp/libseccomp/releases/download/v$pkgver/libseccomp-$pkgver.tar.gz	15	source="https://github.com/seccomp/libseccomp/releases/download/v$pkgver/libseccomp-$pkgver.tar.gz
16	remove-redefinition-prctl.patch"	16	remove-redefinition-prctl.patch
17	builddir="$srcdir/libseccomp-$pkgver"	17	tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
		18	"
		19
		20	# secfixes:
		21	# 2.4.0-r0:
		22	# - CVE-2019-9893
18		23
19	build() {	24	build() {
20	cd "$builddir"	25	cd "$builddir"
@@ -25,20 +30,26 @@ build() {
25	--sysconfdir=/etc \	30	--sysconfdir=/etc \
26	--mandir=/usr/share/man \	31	--mandir=/usr/share/man \
27	--infodir=/usr/share/info \	32	--infodir=/usr/share/info \
28	--localstatedir=/var \	33	--localstatedir=/var
29	\|\| return 1	34	make
30	make \|\| return 1
31	}	35	}
32		36
33	check() {	37	check() {
34	cd "$builddir"	38	cd "$builddir"
35	make check \|\| return 1	39	# commit be65b26b67099be2b2b4890d736dbd1ad15adf36 adapted to new kernel 5.x syscalls
		40	# as long as we are at 4.19 kernel, we need this change
		41	case "$CARCH" in
		42	ppc64le\|s390x) rm -f tests/36-sim-ipc_syscalls.tests \
		43	tests/37-sim-ipc_syscalls_be.tests;;
		44	esac
		45	make check
36	}	46	}
37		47
38	package() {	48	package() {
39	cd "$builddir"	49	cd "$builddir"
40	make DESTDIR="$pkgdir" install \|\| return 1	50	make DESTDIR="$pkgdir" install
41	}	51	}
42		52
43	sha512sums="845c7e0e916b5f5ad74da446ceff3250148b745c909185f6d5059e807d1b42fa6b74f356cce2a396bff0d4c7a3120e7cdad98d490a97d549327c7693fe1918be libseccomp-2.3.3.tar.gz	53	sha512sums="375a3c7c658be6a08b9bb30963e10bb49e8e066119e0be6d3d97faac3db18b8e2c6938d8b5d3874b2f5331ec8295170112fbae83b5a3b5a5bebc0d6705bdfdbb libseccomp-2.4.2.tar.gz
44	f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f remove-redefinition-prctl.patch"	54	f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f remove-redefinition-prctl.patch
		55	e9c6adbc424c310802851ec486df23aedd8121397a9742f3a5ed4754a5eee7ec1701a6f5e220bb37911b8c48626ba00d70943fad43e489d740d0295e6e9b0dff tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch"


diff --git a/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch new file mode 100644 index 0000000000..5f688a4a7d --- /dev/null +++ b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
@@ -0,0 +1,36 @@
		1	From 35803ceb43c453762a3ab5177c5f8d5dbb813478 Mon Sep 17 00:00:00 2001
		2	From: Paul Moore <paul@paul-moore.com>
		3	Date: Tue, 5 Nov 2019 15:11:11 -0500
		4	Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
		5
		6	We recently changed how libseccomp handles syscall numbers that are
		7	not defined natively, but we missed test #15.
		8
		9	Signed-off-by: Paul Moore <paul@paul-moore.com>
		10	---
		11	tests/15-basic-resolver.c \| 6 +++---
		12	1 file changed, 3 insertions(+), 3 deletions(-)
		13
		14	diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
		15	index 6badef1..0c1eefe 100644
		16	--- a/tests/15-basic-resolver.c
		17	+++ b/tests/15-basic-resolver.c
		18	@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
		19	unsigned int arch;
		20	char *name = NULL;
		21
		22	- if (seccomp_syscall_resolve_name("open") != __NR_open)
		23	+ if (seccomp_syscall_resolve_name("open") != __SNR_open)
		24	goto fail;
		25	- if (seccomp_syscall_resolve_name("read") != __NR_read)
		26	+ if (seccomp_syscall_resolve_name("read") != __SNR_read)
		27	goto fail;
		28	if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
		29	goto fail;
		30
		31	rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
		32	- if (rc != __NR_openat)
		33	+ if (rc != __SNR_openat)
		34	goto fail;
		35
		36	while ((arch = arch_list[iter++]) != -1) {