authorJ0WI <J0WI@users.noreply.github.com>2019-03-21 09:42:17 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2020-01-23 17:08:13 +0100
commitd7288e99061f0ea9be587cba5712912f10de33f9 (patch)
tree71aaf030ac81cee59527056481583c085973249e
parent45e394536a3bf2a562ad861feeca530477d4dfd0 (diff)
main/libseccomp: upgrade to 2.4.2 (CVE-2019-9893)
fixes #10867
-rw-r--r--main/libseccomp/APKBUILD33
-rw-r--r--main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch36
2 files changed, 58 insertions, 11 deletions
diff --git a/main/libseccomp/APKBUILD b/main/libseccomp/APKBUILD
index f6eddb18f7..8be0cbfcd7 100644
--- a/main/libseccomp/APKBUILD
+++ b/main/libseccomp/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Contributor: Dan Williams <dan@ma.ssive.co>
pkgname=libseccomp
-pkgver=2.3.3
-pkgrel=1
+pkgver=2.4.2
+pkgrel=2
pkgdesc="An interface to the Linux Kernel's syscall filtering mechanism"
url="https://github.com/seccomp/libseccomp"
arch="all"
@@ -13,8 +13,13 @@ makedepends="$depends_dev"
checkdepends="bash"
subpackages="$pkgname-dev $pkgname-doc"
source="https://github.com/seccomp/libseccomp/releases/download/v$pkgver/libseccomp-$pkgver.tar.gz
- remove-redefinition-prctl.patch"
-builddir="$srcdir/libseccomp-$pkgver"
+ remove-redefinition-prctl.patch
+ tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
+ "
+
+# secfixes:
+# 2.4.0-r0:
+# - CVE-2019-9893
build() {
cd "$builddir"
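Review bot: The new `# secfixes:` block records CVE-2019-9893 under `2.4.0-r0`, while this commit takes the package from 2.3.3-r1 straight to 2.4.2-r2. If 2.4.0-r0 was never published in this branch, the entry names a version that users of the branch could not have installed. Version comparison by scanners still works, but the security record would be more accurate for this branch as `#   2.4.2-r2:` followed by `#     - CVE-2019-9893`. Please confirm which release of this branch first carried the fix before changing it.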
@@ -25,20 +30,26 @@ build() {
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
- --localstatedir=/var \
- || return 1
- make || return 1
+ --localstatedir=/var
+ make
}
check() {
cd "$builddir"
- make check || return 1
+ # commit be65b26b67099be2b2b4890d736dbd1ad15adf36 adapted to new kernel 5.x syscalls
+ # as long as we are at 4.19 kernel, we need this change
+ case "$CARCH" in
+ ppc64le|s390x) rm -f tests/36-sim-ipc_syscalls.tests \
+ tests/37-sim-ipc_syscalls_be.tests;;
+ esac
+ make check
}
package() {
cd "$builddir"
- make DESTDIR="$pkgdir" install || return 1
+ make DESTDIR="$pkgdir" install
}
-sha512sums="845c7e0e916b5f5ad74da446ceff3250148b745c909185f6d5059e807d1b42fa6b74f356cce2a396bff0d4c7a3120e7cdad98d490a97d549327c7693fe1918be libseccomp-2.3.3.tar.gz
-f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f remove-redefinition-prctl.patch"
+sha512sums="375a3c7c658be6a08b9bb30963e10bb49e8e066119e0be6d3d97faac3db18b8e2c6938d8b5d3874b2f5331ec8295170112fbae83b5a3b5a5bebc0d6705bdfdbb libseccomp-2.4.2.tar.gz
+f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f remove-redefinition-prctl.patch
+e9c6adbc424c310802851ec486df23aedd8121397a9742f3a5ed4754a5eee7ec1701a6f5e220bb37911b8c48626ba00d70943fad43e489d740d0295e6e9b0dff tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch"
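Review bot: In check(), deleting `tests/36-sim-ipc_syscalls.tests` and `tests/37-sim-ipc_syscalls_be.tests` on ppc64le and s390x takes the ipc-syscall filter simulations out of `make check` on those two architectures. A regression in how the library builds filters for those calls would then pass the package tests unnoticed there. The comment gives the reason but does not say which repository the commit belongs to (presumably upstream libseccomp) or what should trigger removing the workaround. I would spell both out, e.g. `# upstream libseccomp commit be65b26b67099be2b2b4890d736dbd1ad15adf36 adapted these tests to kernel 5.x syscalls;` and `# remove this rm as soon as the branch moves past the 4.19 kernel so the ipc tests run again on ppc64le/s390x`. Since `rm -f` is silent, it would also help to log the skip, e.g. `echo "skipping ipc syscall sim tests on $CARCH"`, so the reduced coverage shows up in the build log.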
diff --git a/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
new file mode 100644
index 0000000000..5f688a4a7d
--- /dev/null
+++ b/main/libseccomp/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
@@ -0,0 +1,36 @@
+From 35803ceb43c453762a3ab5177c5f8d5dbb813478 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 5 Nov 2019 15:11:11 -0500
+Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
+
+We recently changed how libseccomp handles syscall numbers that are
+not defined natively, but we missed test #15.
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ tests/15-basic-resolver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
+index 6badef1..0c1eefe 100644
+--- a/tests/15-basic-resolver.c
++++ b/tests/15-basic-resolver.c
+@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
+ unsigned int arch;
+ char *name = NULL;
+
+- if (seccomp_syscall_resolve_name("open") != __NR_open)
++ if (seccomp_syscall_resolve_name("open") != __SNR_open)
+ goto fail;
+- if (seccomp_syscall_resolve_name("read") != __NR_read)
++ if (seccomp_syscall_resolve_name("read") != __SNR_read)
+ goto fail;
+ if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+ goto fail;
+
+ rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+- if (rc != __NR_openat)
++ if (rc != __SNR_openat)
+ goto fail;
+
+ while ((arch = arch_list[iter++]) != -1) {