From 80666c2496ecb09578daeb4a295b1fc90cd68bbb Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Thu, 19 Oct 2023 19:14:05 +0000 Subject: Thu Oct 19 19:14:05 UTC 2023 ap/texinfo-7.1-x86_64-1.txz: Upgraded. kde/attica-5.111.0-x86_64-1.txz: Upgraded. kde/baloo-5.111.0-x86_64-1.txz: Upgraded. kde/bluez-qt-5.111.0-x86_64-1.txz: Upgraded. kde/breeze-icons-5.111.0-noarch-1.txz: Upgraded. kde/extra-cmake-modules-5.111.0-x86_64-1.txz: Upgraded. kde/frameworkintegration-5.111.0-x86_64-1.txz: Upgraded. kde/kactivities-5.111.0-x86_64-1.txz: Upgraded. kde/kactivities-stats-5.111.0-x86_64-1.txz: Upgraded. kde/kapidox-5.111.0-x86_64-1.txz: Upgraded. kde/karchive-5.111.0-x86_64-1.txz: Upgraded. kde/kauth-5.111.0-x86_64-1.txz: Upgraded. kde/kbookmarks-5.111.0-x86_64-1.txz: Upgraded. kde/kcalendarcore-5.111.0-x86_64-1.txz: Upgraded. kde/kcmutils-5.111.0-x86_64-1.txz: Upgraded. kde/kcodecs-5.111.0-x86_64-1.txz: Upgraded. kde/kcompletion-5.111.0-x86_64-1.txz: Upgraded. kde/kconfig-5.111.0-x86_64-1.txz: Upgraded. kde/kconfigwidgets-5.111.0-x86_64-1.txz: Upgraded. kde/kcontacts-5.111.0-x86_64-1.txz: Upgraded. kde/kcoreaddons-5.111.0-x86_64-1.txz: Upgraded. kde/kcrash-5.111.0-x86_64-1.txz: Upgraded. kde/kdav-5.111.0-x86_64-1.txz: Upgraded. kde/kdbusaddons-5.111.0-x86_64-1.txz: Upgraded. kde/kdeclarative-5.111.0-x86_64-1.txz: Upgraded. kde/kded-5.111.0-x86_64-1.txz: Upgraded. kde/kdelibs4support-5.111.0-x86_64-1.txz: Upgraded. kde/kdesignerplugin-5.111.0-x86_64-1.txz: Upgraded. kde/kdesu-5.111.0-x86_64-1.txz: Upgraded. kde/kdewebkit-5.111.0-x86_64-1.txz: Upgraded. kde/kdnssd-5.111.0-x86_64-1.txz: Upgraded. kde/kdoctools-5.111.0-x86_64-1.txz: Upgraded. kde/kemoticons-5.111.0-x86_64-1.txz: Upgraded. kde/kfilemetadata-5.111.0-x86_64-1.txz: Upgraded. kde/kglobalaccel-5.111.0-x86_64-1.txz: Upgraded. kde/kguiaddons-5.111.0-x86_64-1.txz: Upgraded. kde/kholidays-5.111.0-x86_64-1.txz: Upgraded. kde/khtml-5.111.0-x86_64-1.txz: Upgraded. kde/ki18n-5.111.0-x86_64-1.txz: Upgraded. kde/kiconthemes-5.111.0-x86_64-1.txz: Upgraded. kde/kidletime-5.111.0-x86_64-1.txz: Upgraded. kde/kimageformats-5.111.0-x86_64-1.txz: Upgraded. kde/kinit-5.111.0-x86_64-1.txz: Upgraded. kde/kio-5.111.0-x86_64-1.txz: Upgraded. kde/kirigami2-5.111.0-x86_64-1.txz: Upgraded. kde/kitemmodels-5.111.0-x86_64-1.txz: Upgraded. kde/kitemviews-5.111.0-x86_64-1.txz: Upgraded. kde/kjobwidgets-5.111.0-x86_64-1.txz: Upgraded. kde/kjs-5.111.0-x86_64-1.txz: Upgraded. kde/kjsembed-5.111.0-x86_64-1.txz: Upgraded. kde/kmediaplayer-5.111.0-x86_64-1.txz: Upgraded. kde/knewstuff-5.111.0-x86_64-1.txz: Upgraded. kde/knotifications-5.111.0-x86_64-1.txz: Upgraded. kde/knotifyconfig-5.111.0-x86_64-1.txz: Upgraded. kde/kpackage-5.111.0-x86_64-1.txz: Upgraded. kde/kparts-5.111.0-x86_64-1.txz: Upgraded. kde/kpeople-5.111.0-x86_64-1.txz: Upgraded. kde/kplotting-5.111.0-x86_64-1.txz: Upgraded. kde/kpty-5.111.0-x86_64-1.txz: Upgraded. kde/kquickcharts-5.111.0-x86_64-1.txz: Upgraded. kde/kross-5.111.0-x86_64-1.txz: Upgraded. kde/krunner-5.111.0-x86_64-1.txz: Upgraded. kde/kservice-5.111.0-x86_64-1.txz: Upgraded. kde/ktexteditor-5.111.0-x86_64-1.txz: Upgraded. kde/ktextwidgets-5.111.0-x86_64-1.txz: Upgraded. kde/kunitconversion-5.111.0-x86_64-1.txz: Upgraded. kde/kwallet-5.111.0-x86_64-1.txz: Upgraded. kde/kwayland-5.111.0-x86_64-1.txz: Upgraded. kde/kwidgetsaddons-5.111.0-x86_64-1.txz: Upgraded. kde/kwindowsystem-5.111.0-x86_64-1.txz: Upgraded. kde/kxmlgui-5.111.0-x86_64-1.txz: Upgraded. kde/kxmlrpcclient-5.111.0-x86_64-1.txz: Upgraded. kde/modemmanager-qt-5.111.0-x86_64-1.txz: Upgraded. kde/networkmanager-qt-5.111.0-x86_64-1.txz: Upgraded. kde/oxygen-icons5-5.111.0-noarch-1.txz: Upgraded. kde/plasma-framework-5.111.0-x86_64-1.txz: Upgraded. kde/prison-5.111.0-x86_64-1.txz: Upgraded. kde/purpose-5.111.0-x86_64-1.txz: Upgraded. kde/qqc2-desktop-style-5.111.0-x86_64-1.txz: Upgraded. kde/solid-5.111.0-x86_64-1.txz: Upgraded. kde/sonnet-5.111.0-x86_64-1.txz: Upgraded. kde/syndication-5.111.0-x86_64-1.txz: Upgraded. kde/syntax-highlighting-5.111.0-x86_64-1.txz: Upgraded. kde/threadweaver-5.111.0-x86_64-1.txz: Upgraded. l/harfbuzz-8.2.2-x86_64-1.txz: Upgraded. l/nodejs-21.0.0-x86_64-1.txz: Upgraded. l/pipewire-0.3.83-x86_64-1.txz: Upgraded. n/dhcpcd-10.0.4-x86_64-1.txz: Upgraded. n/httpd-2.4.58-x86_64-1.txz: Upgraded. This update fixes bugs and security issues: moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST. low: mod_macro buffer over-read. low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0. For more information, see: https://downloads.apache.org/httpd/CHANGES_2.4.58 https://www.cve.org/CVERecord?id=CVE-2023-45802 https://www.cve.org/CVERecord?id=CVE-2023-31122 https://www.cve.org/CVERecord?id=CVE-2023-43622 (* Security fix *) n/nftables-1.0.9-x86_64-1.txz: Upgraded. x/egl-wayland-1.1.13-x86_64-1.txz: Upgraded. xap/mozilla-thunderbird-115.3.3-x86_64-1.txz: Upgraded. This is a bugfix release. For more information, see: https://www.mozilla.org/en-US/thunderbird/115.3.3/releasenotes/ xfce/xfce4-dev-tools-4.18.1-x86_64-1.txz: Upgraded. --- .../5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch | 248 --------------------- source/n/nftables/nftables.SlackBuild | 5 +- 2 files changed, 1 insertion(+), 252 deletions(-) delete mode 100644 source/n/nftables/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch (limited to 'source/n/nftables') diff --git a/source/n/nftables/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch b/source/n/nftables/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch deleted file mode 100644 index 26eb9b2fc..000000000 --- a/source/n/nftables/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch +++ /dev/null @@ -1,248 +0,0 @@ -From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso -Date: Tue, 18 Jul 2023 23:10:01 +0200 -Subject: meta: stash context statement length when generating payload/meta - dependency - -... meta mark set ip dscp - -generates an implicit dependency from the inet family to match on meta -nfproto ip. - -The length of this implicit expression is incorrectly adjusted to the -statement length, ie. relational to compare meta nfproto takes 4 bytes -instead of 1 byte. The evaluation of 'ip dscp' under the meta mark -statement triggers this implicit dependency which should not consider -the context statement length since it is added before the statement -itself. - -This problem shows when listing the ruleset, since netlink_parse_cmp() -where left->len < right->len, hence handling the implicit dependency as -a concatenation, but it is actually a bug in the evaluation step that -leads to incorrect bytecode. - -Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation") -Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand") -Tested-by: Brian Davidson -Signed-off-by: Pablo Neira Ayuso ---- - src/payload.c | 13 +++++++ - tests/py/inet/meta.t | 5 +++ - tests/py/inet/meta.t.json | 86 ++++++++++++++++++++++++++++++++++++++++++++ - tests/py/inet/meta.t.payload | 40 +++++++++++++++++++++ - 4 files changed, 144 insertions(+) - -diff --git a/src/payload.c b/src/payload.c -index f67b5407..7862745b 100644 ---- a/src/payload.c -+++ b/src/payload.c -@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx, - const struct proto_hdr_template *tmpl; - struct expr *dep, *left, *right; - struct proto_ctx *pctx; -+ unsigned int stmt_len; - struct stmt *stmt; - int protocol; - -@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx, - constant_data_ptr(protocol, tmpl->len)); - - dep = relational_expr_alloc(&expr->location, OP_EQ, left, right); -+ -+ stmt_len = ctx->stmt_len; -+ ctx->stmt_len = 0; -+ - stmt = expr_stmt_alloc(&dep->location, dep); - if (stmt_evaluate(ctx, stmt) < 0) { - return expr_error(ctx->msgs, expr, - "dependency statement is invalid"); - } -+ ctx->stmt_len = stmt_len; - - if (ctx->inner_desc) { - if (tmpl->meta_key) -@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, - const struct hook_proto_desc *h; - const struct proto_desc *desc; - struct proto_ctx *pctx; -+ unsigned int stmt_len; - struct stmt *stmt; - uint16_t type; - -@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, - "protocol specification is invalid " - "for this family"); - -+ stmt_len = ctx->stmt_len; -+ ctx->stmt_len = 0; -+ - stmt = meta_stmt_meta_iiftype(&expr->location, type); - if (stmt_evaluate(ctx, stmt) < 0) { - return expr_error(ctx->msgs, expr, - "dependency statement is invalid"); - } - *res = stmt; -+ -+ ctx->stmt_len = stmt_len; -+ - return 0; - } - -diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t -index 374738a7..5c062b39 100644 ---- a/tests/py/inet/meta.t -+++ b/tests/py/inet/meta.t -@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok - meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok - ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok - ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok -+ -+meta mark set ip dscp;ok -+meta mark set ip dscp | 0x40;ok -+meta mark set ip6 dscp;ok -+meta mark set ip6 dscp | 0x40;ok -diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json -index 92a1f9bf..3ba0fd1d 100644 ---- a/tests/py/inet/meta.t.json -+++ b/tests/py/inet/meta.t.json -@@ -440,3 +440,89 @@ - } - ] - -+# meta mark set ip dscp -+[ -+ { -+ "mangle": { -+ "key": { -+ "meta": { -+ "key": "mark" -+ } -+ }, -+ "value": { -+ "payload": { -+ "field": "dscp", -+ "protocol": "ip" -+ } -+ } -+ } -+ } -+] -+ -+# meta mark set ip dscp | 0x40 -+[ -+ { -+ "mangle": { -+ "key": { -+ "meta": { -+ "key": "mark" -+ } -+ }, -+ "value": { -+ "|": [ -+ { -+ "payload": { -+ "field": "dscp", -+ "protocol": "ip" -+ } -+ }, -+ 64 -+ ] -+ } -+ } -+ } -+] -+ -+# meta mark set ip6 dscp -+[ -+ { -+ "mangle": { -+ "key": { -+ "meta": { -+ "key": "mark" -+ } -+ }, -+ "value": { -+ "payload": { -+ "field": "dscp", -+ "protocol": "ip6" -+ } -+ } -+ } -+ } -+] -+ -+# meta mark set ip6 dscp | 0x40 -+[ -+ { -+ "mangle": { -+ "key": { -+ "meta": { -+ "key": "mark" -+ } -+ }, -+ "value": { -+ "|": [ -+ { -+ "payload": { -+ "field": "dscp", -+ "protocol": "ip6" -+ } -+ }, -+ 64 -+ ] -+ } -+ } -+ } -+] -+ -diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload -index ea540907..c53b5077 100644 ---- a/tests/py/inet/meta.t.payload -+++ b/tests/py/inet/meta.t.payload -@@ -133,3 +133,43 @@ inet test-inet input - [ meta load mark => reg 9 ] - [ lookup reg 1 set __set%d ] - -+# meta mark set ip dscp -+inet test-inet input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x00000002 ] -+ [ payload load 1b @ network header + 1 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] -+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] -+ [ meta set mark with reg 1 ] -+ -+# meta mark set ip dscp | 0x40 -+inet test-inet input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x00000002 ] -+ [ payload load 1b @ network header + 1 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] -+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] -+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] -+ [ meta set mark with reg 1 ] -+ -+# meta mark set ip6 dscp -+inet test-inet input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x0000000a ] -+ [ payload load 2b @ network header + 0 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] -+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] -+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] -+ [ meta set mark with reg 1 ] -+ -+# meta mark set ip6 dscp | 0x40 -+inet test-inet input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x0000000a ] -+ [ payload load 2b @ network header + 0 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] -+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] -+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] -+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] -+ [ meta set mark with reg 1 ] -+ --- -cgit v1.2.3 - diff --git a/source/n/nftables/nftables.SlackBuild b/source/n/nftables/nftables.SlackBuild index a48cd1c32..c5d15fe72 100755 --- a/source/n/nftables/nftables.SlackBuild +++ b/source/n/nftables/nftables.SlackBuild @@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=nftables VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-2} +BUILD=${BUILD:-1} NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "} @@ -78,9 +78,6 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \+ -# Upstream patch: -cat $CWD/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch | patch -p1 --verbose || exit 1 - CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ LIBS="-lncursesw" \ -- cgit v1.2.3-80-g2a13