Tue Jan 25 06:16:36 UTC 202220220125061636

It may look like we're currently experiencing more stuckness, but this will
lead us to Quality. We'll have this release in the can before you know it.
a/aaa_glibc-solibs-2.33-x86_64-5.txz:  Rebuilt.
a/aaa_libraries-15.0-x86_64-16.txz:  Rebuilt.
  Rebuilt to pick up the patched libexpat.so.1.8.3.
a/kernel-firmware-20220124_eb8ea1b-noarch-1.txz:  Upgraded.
a/kernel-generic-5.15.16-x86_64-2.txz:  Upgraded.
a/kernel-huge-5.15.16-x86_64-2.txz:  Upgraded.
  -9P_FSCACHE n
   9P_FS m -> y
  Thanks to peake.
a/kernel-modules-5.15.16-x86_64-2.txz:  Upgraded.
a/mkinitrd-1.4.11-x86_64-27.txz:  Rebuilt.
  mkinitrd_command_generator.sh: properly detect partitions of a RAID device.
  Thanks to perrin4869.
a/util-linux-2.37.3-x86_64-1.txz:  Upgraded.
  This release fixes two security mount(8) and umount(8) issues:
  An issue related to parsing the /proc/self/mountinfo file allows an
  unprivileged user to unmount other user's filesystems that are either
  world-writable themselves or mounted in a world-writable directory.
  Improper UID check in libmount allows an unprivileged user to unmount
  FUSE filesystems of users with similar UID.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3995
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3996
  (* Security fix *)
ap/vim-8.2.4212-x86_64-1.txz:  Upgraded.
d/git-2.35.0-x86_64-1.txz:  Upgraded.
d/kernel-headers-5.15.16-x86-2.txz:  Upgraded.
k/kernel-source-5.15.16-noarch-2.txz:  Upgraded.
l/expat-2.4.3-x86_64-2.txz:  Rebuilt.
  Fix signed integer overflow in function XML_GetBuffer for when
  XML_CONTEXT_BYTES is defined to >0 (which is both common and
  default). Impact is denial of service or other undefined behavior.
  While we're here, also patch a memory leak on output file opening error.
  Thanks to marav.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852
  (* Security fix *)
l/fluidsynth-2.2.5-x86_64-1.txz:  Upgraded.
l/glibc-2.33-x86_64-5.txz:  Rebuilt.
  This update patches two security issues:
  Unexpected return value from glibc's realpath().
  Off-by-one buffer overflow/underflow in glibc's getcwd().
  Thanks to Qualys Research Labs for reporting these issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3998
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3999
  (* Security fix *)
l/glibc-i18n-2.33-x86_64-5.txz:  Rebuilt.
l/glibc-profile-2.33-x86_64-5.txz:  Rebuilt.
l/tdb-1.4.6-x86_64-1.txz:  Upgraded.
x/xf86-input-libinput-1.2.1-x86_64-1.txz:  Upgraded.
xap/mozilla-thunderbird-91.5.1-x86_64-1.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.5.1/releasenotes/
xap/vim-gvim-8.2.4212-x86_64-1.txz:  Upgraded.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.

1 files changed, 115 insertions, 0 deletions

diff --git a/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch b/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch
new file mode 100644
index 000000000..c2b55ca85
--- /dev/null
+++ b/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch
@@ -0,0 +1,115 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH 1/3] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
++    /* Detect and prevent integer overflow */
++    if (keep > INT_MAX - neededSize) {
++      parser->m_errorCode = XML_ERROR_NO_MEMORY;
++      return NULL;
++    }
+     neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+     if (neededSize
+
+From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 23 Jan 2022 18:17:04 +0100
+Subject: [PATCH 2/3] tests: Cover integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/tests/runtests.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index e89e8220..579dad1a 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
+ }
+ END_TEST
+ 
++/* Test for signed integer overflow CVE-2022-23852 */
++#if defined(XML_CONTEXT_BYTES)
++START_TEST(test_get_buffer_3_overflow) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++  assert(parser != NULL);
++
++  const char *const text = "\n";
++  const int expectedKeepValue = (int)strlen(text);
++
++  // After this call, variable "keep" in XML_GetBuffer will
++  // have value expectedKeepValue
++  if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
++      == XML_STATUS_ERROR)
++    xml_failure(parser);
++
++  assert(expectedKeepValue > 0);
++  if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
++    fail("enlarging buffer not failed");
++
++  XML_ParserFree(parser);
++}
++END_TEST
++#endif // defined(XML_CONTEXT_BYTES)
++
+ /* Test position information macros */
+ START_TEST(test_byte_info_at_end) {
+   const char *text = "<doc></doc>";
+@@ -11731,6 +11755,9 @@ make_suite(void) {
+   tcase_add_test(tc_basic, test_empty_parse);
+   tcase_add_test(tc_basic, test_get_buffer_1);
+   tcase_add_test(tc_basic, test_get_buffer_2);
++#if defined(XML_CONTEXT_BYTES)
++  tcase_add_test(tc_basic, test_get_buffer_3_overflow);
++#endif
+   tcase_add_test(tc_basic, test_byte_info_at_end);
+   tcase_add_test(tc_basic, test_byte_info_at_error);
+   tcase_add_test(tc_basic, test_byte_info_at_cdata);
+
+From 99cec436fbd9444f57ee74ca8ae4c0a13e561a4f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 22 Jan 2022 17:49:17 +0100
+Subject: [PATCH 3/3] Changes: Document CVE-2022-23852
+
+---
+ expat/Changes | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/expat/Changes b/expat/Changes
+index 7540d38c..64d75d05 100644
+--- a/expat/Changes
++++ b/expat/Changes
+@@ -2,6 +2,18 @@ NOTE: We are looking for help with a few things:
+       https://github.com/libexpat/libexpat/labels/help%20wanted
+       If you can help, please get in touch.  Thanks!
+ 
++Release x.x.x xxx xxxxxxx xx xxxx
++        Security fixes:
++            #550  CVE-2022-23852 -- Fix signed integer overflow
++                    (undefined behavior) in function XML_GetBuffer
++                    (that is also called by function XML_Parse internally)
++                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
++                    common and default).
++                    Impact is denial of service or more.
++
++        Special thanks to:
++            Samanta Navarro
++
+ Release 2.4.3 Sun January 16 2022
+         Security fixes:
+        #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places