diff options
| author |   Patrick J Volkerding <volkerdi@slackware.com> | 2020-11-25 23:25:45 +0000 |
|---|---|---|
| committer |   Eric Hameleers <alien@slackware.com> | 2020-11-26 08:59:52 +0100 |
| commit | 042736eeb574486635e076ffcc36593ac09c72ba (patch) | |
| tree | d80deda6acecf44b4591168f49716a68bbf50be8 /source | |
| parent | d4f3249a812a440339f94607fa9b69fc981a6f4b (diff) | |
| download | current-042736eeb574486635e076ffcc36593ac09c72ba.tar.gz current-042736eeb574486635e076ffcc36593ac09c72ba.tar.xz | |
Wed Nov 25 23:25:45 UTC 202020201125232545
ap/qpdf-10.0.4-x86_64-1.txz: Upgraded.
d/cmake-3.19.1-x86_64-1.txz: Upgraded.
n/bind-9.16.9-x86_64-1.txz: Upgraded.
This update fixes bugs, including a denial-of-service security issue:
After a Negative Trust Anchor (NTA) is added, BIND performs periodic
checks to see if it is still necessary. If BIND encountered a failure
while creating a query to perform such a check, it attempted to
dereference a NULL pointer, resulting in a crash. [GL #2244]
(* Security fix *)
n/cifs-utils-6.11-x86_64-2.txz: Rebuilt.
Patched to fix mounting CIFS shares when linked with libcap-ng-0.8.1.
Thanks to marrowsuck.
Diffstat (limited to 'source')
| -rwxr-xr-x | source/l/libsamplerate/libsamplerate.SlackBuild | 22 | ||||
| -rw-r--r-- | source/l/libsamplerate/slack-desc | 2 | ||||
| -rwxr-xr-x | source/n/bind/bind.SlackBuild | 2 | ||||
| -rwxr-xr-x | source/n/cifs-utils/cifs-utils.SlackBuild | 7 | ||||
| -rw-r--r-- | source/n/cifs-utils/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch | 101 | ||||
| -rw-r--r-- | source/n/libnfnetlink/libnfnetlink.url | 1 |
6 files changed, 129 insertions, 6 deletions
diff --git a/source/l/libsamplerate/libsamplerate.SlackBuild b/source/l/libsamplerate/libsamplerate.SlackBuild index 25d9419bc..7d9959d76 100755 --- a/source/l/libsamplerate/libsamplerate.SlackBuild +++ b/source/l/libsamplerate/libsamplerate.SlackBuild @@ -1,7 +1,25 @@ #!/bin/bash -# Slackware build script for libsamplerate -# Written by paul wisehart paul@1ud2.com +# Copyright 2018 paul wisehart <paul@1ud2.com> +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + # Modified by Robby Workman <rworkman@slackbuilds.org> cd $(dirname $0) ; CWD=$(pwd) diff --git a/source/l/libsamplerate/slack-desc b/source/l/libsamplerate/slack-desc index 16a64e2ab..151a39f94 100644 --- a/source/l/libsamplerate/slack-desc +++ b/source/l/libsamplerate/slack-desc @@ -15,5 +15,5 @@ libsamplerate: sample rate used by DAT players. SRC is capable of arbitrary and libsamplerate: varying conversions. SRC provides a small set of converters to allow libsamplerate: quality to be traded off against computation cost. libsamplerate: -libsamplerate: libsamplerate home: http://www.mega-nerd.com/SRC/ +libsamplerate: Homepage: http://www.mega-nerd.com/SRC/ libsamplerate: diff --git a/source/n/bind/bind.SlackBuild b/source/n/bind/bind.SlackBuild index 783ef548a..1b7af8957 100755 --- a/source/n/bind/bind.SlackBuild +++ b/source/n/bind/bind.SlackBuild @@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=bind VERSION=${VERSION:-$(echo ${PKGNAM}-[0-9]*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-2} +BUILD=${BUILD:-1} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then diff --git a/source/n/cifs-utils/cifs-utils.SlackBuild b/source/n/cifs-utils/cifs-utils.SlackBuild index 04e7a31c8..a7af8f9f2 100755 --- a/source/n/cifs-utils/cifs-utils.SlackBuild +++ b/source/n/cifs-utils/cifs-utils.SlackBuild @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2012, 2018 Patrick J. Volkerding, Sebeka, Minnesota, USA +# Copyright 2012, 2018, 2020 Patrick J. Volkerding, Sebeka, Minnesota, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=cifs-utils VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -81,6 +81,9 @@ rm -rf $PKGNAM-$VERSION tar xvf $CWD/$PKGNAM-$VERSION.tar.?z* || exit 1 cd $PKGNAM-$VERSION +# Fix for new libcap-ng: +zcat $CWD/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch.gz | patch -p1 --verbose || exit 1 + chown -R root:root . find . \ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ diff --git a/source/n/cifs-utils/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch b/source/n/cifs-utils/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch new file mode 100644 index 000000000..ed319182c --- /dev/null +++ b/source/n/cifs-utils/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch @@ -0,0 +1,101 @@ +From f4e7c84467152624a288351321c8664dbf3364af Mon Sep 17 00:00:00 2001 +From: Jonas Witschel <diabonas@archlinux.org> +Date: Sat, 21 Nov 2020 11:41:26 +0100 +Subject: [PATCH 1/2] mount.cifs: update the cap bounding set only when + CAP_SETPCAP is given + +libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error +of -4 when trying to update the capability bounding set without having the +CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng +silently skipped updating the bounding set and only updated the normal +CAPNG_SELECT_CAPS capabilities instead. + +Check beforehand whether we have CAP_SETPCAP, in which case we can use +CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set. +Otherwise, we can at least update the normal capabilities, but refrain from +trying to update the bounding set to avoid getting an error. + +Signed-off-by: Jonas Witschel <diabonas@archlinux.org> +--- + mount.cifs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/mount.cifs.c b/mount.cifs.c +index 4feb397..88b8b69 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -338,6 +338,8 @@ static int set_password(struct parsed_mount_info *parsed_info, const char *src) + static int + drop_capabilities(int parent) + { ++ capng_select_t set = CAPNG_SELECT_CAPS; ++ + capng_setpid(getpid()); + capng_clear(CAPNG_SELECT_BOTH); + if (parent) { +@@ -355,7 +357,10 @@ drop_capabilities(int parent) + return EX_SYSERR; + } + } +- if (capng_apply(CAPNG_SELECT_BOTH)) { ++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { ++ set = CAPNG_SELECT_BOTH; ++ } ++ if (capng_apply(set)) { + fprintf(stderr, "Unable to apply new capability set.\n"); + return EX_SYSERR; + } +-- +2.29.2 + + +From 64dfbafe7a0639a96d67f0b840b6e6498e1f68a9 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel <diabonas@archlinux.org> +Date: Sat, 21 Nov 2020 11:48:33 +0100 +Subject: [PATCH 2/2] cifs.upall: update the cap bounding set only when + CAP_SETPCAP is given + +libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error +of -4 when trying to update the capability bounding set without having the +CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng +silently skipped updating the bounding set and only updated the normal +CAPNG_SELECT_CAPS capabilities instead. + +Check beforehand whether we have CAP_SETPCAP, in which case we can use +CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set. +Otherwise, we can at least update the normal capabilities, but refrain from +trying to update the bounding set to avoid getting an error. + +Signed-off-by: Jonas Witschel <diabonas@archlinux.org> +--- + cifs.upcall.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index 1559434..af1a0b0 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -88,6 +88,8 @@ typedef enum _sectype { + static int + trim_capabilities(bool need_environ) + { ++ capng_select_t set = CAPNG_SELECT_CAPS; ++ + capng_clear(CAPNG_SELECT_BOTH); + + /* SETUID and SETGID to change uid, gid, and grouplist */ +@@ -105,7 +107,10 @@ trim_capabilities(bool need_environ) + return 1; + } + +- if (capng_apply(CAPNG_SELECT_BOTH)) { ++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { ++ set = CAPNG_SELECT_BOTH; ++ } ++ if (capng_apply(set)) { + syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__); + return 1; + } +-- +2.29.2 + diff --git a/source/n/libnfnetlink/libnfnetlink.url b/source/n/libnfnetlink/libnfnetlink.url new file mode 100644 index 000000000..b3c122793 --- /dev/null +++ b/source/n/libnfnetlink/libnfnetlink.url @@ -0,0 +1 @@ +https://netfilter.org/projects/libnfnetlink/files |