author | Leo <thinkabit.ukim@gmail.com> | 2019-10-24 23:44:42 -0300 |
---|---|---|
committer | Kevin Daudt <kdaudt@alpinelinux.org> | 2019-10-28 21:11:47 +0000 |
commit | 2c2f9f27c8ac931989d3a5975e6f7356494150f0 (patch) | |
tree | e29dbdfecc35b7c13ed0b08c817ea8f2a37e9939 | |
parent | 84e3b8b062591cb33f03fdf4b6cdb31d1fd4a1d8 (diff) | |
download | aports-2c2f9f27c8ac931989d3a5975e6f7356494150f0.tar.bz2 aports-2c2f9f27c8ac931989d3a5975e6f7356494150f0.tar.xz |
main/nmap: fix CVE-2018-15173 and CVE-2017-18594
ref #10899
Closes !810
-rw-r--r-- | main/nmap/APKBUILD | 16 | ||||
-rw-r--r-- | main/nmap/CVE-2017-18594.patch | 30 | ||||
-rw-r--r-- | main/nmap/CVE-2018-15173.patch | 34 |
3 files changed, 77 insertions, 3 deletions
diff --git a/main/nmap/APKBUILD b/main/nmap/APKBUILD
index a71a7e0f1a..ddb1a3df43 100644
--- a/main/nmap/APKBUILD
+++ b/main/nmap/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
 pkgname=nmap
 pkgver=7.70
-pkgrel=3
+pkgrel=4
 pkgdesc="A network exploration tool and security/port scanner"
 url="http://nmap.org"
 arch="all"
@@ -16,9 +16,17 @@ subpackages="
 $pkgname-nping
 $pkgname-ncat"
 source="https://nmap.org/dist/$pkgname-$pkgver.tar.bz2
- fortify-source.patch"
+ fortify-source.patch
+ CVE-2017-18594.patch
+ CVE-2018-15173.patch
+ "
 builddir="$srcdir"/$pkgname-$pkgver
 
+# secfixes:
+# 7.70-r4:
+# - CVE-2017-18594
+# - CVE-2018-15173
+
 prepare() {
 default_prepare
 update_config_sub
@@ -85,4 +93,6 @@ nping() {
 }
 
 sha512sums="084c148b022ff6550e269d976d0077f7932a10e2ef218236fe13aa3a70b4eb6506df03329868fc68cb3ce78e4360b200f5a7a491d3145028fed679ef1c9ecae5 nmap-7.70.tar.bz2
-2d1f6e290723ac643f456a0e1ac95c4c966106cf2ab743839d25c835bf0141dc2d6bfee19285c3518d4c5f553b0505dabe5a496b769ba47b7adb03e791f05b8d fortify-source.patch"
+2d1f6e290723ac643f456a0e1ac95c4c966106cf2ab743839d25c835bf0141dc2d6bfee19285c3518d4c5f553b0505dabe5a496b769ba47b7adb03e791f05b8d fortify-source.patch
+a3edb3dc75d4dfa20ebed17b97044f1024b1a9d58145bfc31f3e8bd9d299f047aae47c146866fdfa62fab18383f60dd1ae41091adda0ff7db4a017756886d97d CVE-2017-18594.patch
+819b194f533300e05e87efe05bcf8d6964d3fff29c1e9aa8fd2202eddf419733e8cda9984f505ef675a94edc2172d0485f5f5c933e6a1f7759277cc01b52406a CVE-2018-15173.patch"
diff --git a/main/nmap/CVE-2017-18594.patch b/main/nmap/CVE-2017-18594.patch
new file mode 100644
index 0000000000..d6cbce77e7
--- /dev/null
+++ b/main/nmap/CVE-2017-18594.patch
@@ -0,0 +1,30 @@
+diff --git a/nse_libssh2.cc b/nse_libssh2.cc
+index bf721b6..22f5bbf 100644
+--- a/nse_libssh2.cc
++++ b/nse_libssh2.cc
+@@ -13,7 +13,6 @@ extern "C" {
+ #include "libssh2.h"
+ }
+ 
+-#include "nse_debug.h"
+ #include "nse_nsock.h"
+ #include "nse_utility.h"
+ 
+@@ -296,6 +295,7 @@ static int do_session_handshake (lua_State *L, int status, lua_KContext ctx) {
+ 
+ if (rc) {
+ libssh2_session_free(sshu->session);
++ sshu->session = NULL;
+ return luaL_error(L, "Unable to complete libssh2 handshake.");
+ }
+ 
+@@ -479,7 +479,7 @@ static int userauth_list (lua_State *L, int status, lua_KContext ctx) {
+ }
+ 
+ /*
+-* Returns list of supported authenication methods
++* Returns list of supported authentication methods
+ */
+ static int l_userauth_list (lua_State *L) {
+ return userauth_list(L, 0, 0);
+ 
diff --git a/main/nmap/CVE-2018-15173.patch b/main/nmap/CVE-2018-15173.patch
new file mode 100644
index 0000000000..b9620c4ca4
--- /dev/null
+++ b/main/nmap/CVE-2018-15173.patch
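Review bot: In the `do_session_handshake` hunk of CVE-2017-18594.patch, `sshu->session = NULL;` prevents a second `libssh2_session_free` only if every later cleanup path tests the pointer before freeing it. That code is outside this patch, so it should be confirmed against the 7.70 source that the package builds. The patch also bundles two edits unrelated to the CVE (dropping `#include "nse_debug.h"` and the `authenication` comment typo) and has no provenance header; a first line such as `# Upstream: <upstream commit URL>` would make the backport auditable. The bodies of `do_session_handshake` and `userauth_list` start and end outside the hunks shown.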
@@ -0,0 +1,34 @@
+diff --git a/service_scan.cc b/service_scan.cc
+index 9780ae3..ec8d48d 100644
+--- a/service_scan.cc
++++ b/service_scan.cc
+@@ -489,6 +489,15 @@ void ServiceProbeMatch::InitMatch(const char *matchtext, int lineno) {
+ if (pcre_errptr != NULL)
+ fatal("%s: failed to pcre_study regexp on line %d of nmap-service-probes: %s\n", __func__, lineno, pcre_errptr);
+ 
++ // Set some limits to avoid evil match cases.
++ // These are flexible; if they cause problems, increase them.
++#ifdef PCRE_ERROR_MATCHLIMIT
++ regex_extra->match_limit = 100000; // 100K
++#endif
++#ifdef PCRE_ERROR_RECURSIONLIMIT
++ regex_extra->match_limit_recursion = 10000; // 10K
++#endif
++
+ free(modestr);
+ free(flags);
+ 
+@@ -568,6 +577,12 @@ const struct MatchDetails *ServiceProbeMatch::testMatch(const u8 *buf, int bufle
+ if (o.debugging || o.verbose > 1)
+ error("Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service %s with the regex '%s'", servicename, matchstr);
+ } else
++#endif // PCRE_ERROR_MATCHLIMIT
++#ifdef PCRE_ERROR_RECURSIONLIMIT
++ if (rc == PCRE_ERROR_RECURSIONLIMIT) {
++ if (o.debugging || o.verbose > 1)
++ error("Warning: Hit PCRE_ERROR_RECURSIONLIMIT when probing for service %s with the regex '%s'", servicename, matchstr);
++ } else
+ #endif // PCRE_ERROR_MATCHLIMIT
+ if (rc != PCRE_ERROR_NOMATCH) {
+ fatal("Unexpected PCRE error (%d) when probing for service %s with the regex '%s'", rc, servicename, matchstr);
+ |
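Review bot: In the `InitMatch` hunk the new limits are written to `regex_extra->match_limit` and `regex_extra->match_limit_recursion`, but the visible lines neither set the matching bits in `regex_extra->flags` nor check `regex_extra` for NULL. PCRE reads those fields only when `PCRE_EXTRA_MATCH_LIMIT` and `PCRE_EXTRA_MATCH_LIMIT_RECURSION` are set, and `pcre_study` can return NULL without reporting an error. Unless the surrounding code outside the hunk already handles both, the CVE-2018-15173 limits would have no effect or the assignment would dereference NULL; the guarded assignments would need `regex_extra->flags |= PCRE_EXTRA_MATCH_LIMIT;` and `regex_extra->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;` beside them. In the `testMatch` hunk the unchanged trailing `#endif // PCRE_ERROR_MATCHLIMIT` now appears to close the new recursion-limit block and should read `#endif // PCRE_ERROR_RECURSIONLIMIT`. Both function bodies start and end outside the hunks shown.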