From ae74897d321c65aca844b23e4ae780fdd915185f Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Wed, 16 Mar 2022 01:46:29 +0000 Subject: Wed Mar 16 01:46:29 UTC 2022 l/jasper-3.0.3-x86_64-1.txz: Upgraded. l/qt5-5.15.3_20220312_33a3f16f-x86_64-1.txz: Upgraded. If a 32-bit userspace is detected, then: export QTWEBENGINE_CHROMIUM_FLAGS="--disable-seccomp-filter-sandbox" This works around crashes occuring with 32-bit QtWebEngine applications. Thanks to alienBOB. n/krb5-1.19.3-x86_64-1.txz: Upgraded. n/samba-4.15.6-x86_64-1.txz: Upgraded. n/stunnel-5.63-x86_64-1.txz: Upgraded. --- source/l/qt5/profile.d/qt5.csh | 10 +++++ source/l/qt5/profile.d/qt5.sh | 9 +++++ .../d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch | 43 ---------------------- source/n/krb5/krb5.SlackBuild | 4 +- source/n/samba/samba.SlackBuild | 2 +- source/n/samba/samba.url | 4 +- 6 files changed, 23 insertions(+), 49 deletions(-) delete mode 100644 source/n/krb5/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch (limited to 'source') diff --git a/source/l/qt5/profile.d/qt5.csh b/source/l/qt5/profile.d/qt5.csh index ec1ecd9be..0c3f10d42 100644 --- a/source/l/qt5/profile.d/qt5.csh +++ b/source/l/qt5/profile.d/qt5.csh @@ -15,3 +15,13 @@ if ( ! $?QT5DIR ) then endif endif set path = ( $path $QT5DIR/bin ) +# Unfortunately Chromium and derived projects (including QtWebEngine) seem +# to be suffering some bitrot when it comes to 32-bit support, so we are +# forced to disable the seccomp filter sandbox on 32-bit or else all of these +# applications crash. If anyone has a patch that gets these things running on +# 32-bit without this workaround, please let volkerdi or alienBOB know, or +# post your solution on LQ. Thanks. :-) +file /bin/cat | grep -wq 32-bit +if ( "$?" == "0" ) then + setenv QTWEBENGINE_CHROMIUM_FLAGS="--disable-seccomp-filter-sandbox" +endif diff --git a/source/l/qt5/profile.d/qt5.sh b/source/l/qt5/profile.d/qt5.sh index 8ee075e17..c7495e374 100644 --- a/source/l/qt5/profile.d/qt5.sh +++ b/source/l/qt5/profile.d/qt5.sh @@ -15,3 +15,12 @@ else fi PATH="$PATH:$QT5DIR/bin" export QT5DIR +# Unfortunately Chromium and derived projects (including QtWebEngine) seem +# to be suffering some bitrot when it comes to 32-bit support, so we are +# forced to disable the seccomp filter sandbox on 32-bit or else all of these +# applications crash. If anyone has a patch that gets these things running on +# 32-bit without this workaround, please let volkerdi or alienBOB know, or +# post your solution on LQ. Thanks. :-) +if file /bin/cat | grep -wq 32-bit ; then + export QTWEBENGINE_CHROMIUM_FLAGS="--disable-seccomp-filter-sandbox" +fi diff --git a/source/n/krb5/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch b/source/n/krb5/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch deleted file mode 100644 index 7623d8292..000000000 --- a/source/n/krb5/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch +++ /dev/null @@ -1,43 +0,0 @@ -From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 3 Aug 2021 01:15:27 -0400 -Subject: [PATCH] Fix KDC null deref on TGS inner body null server - -After the KDC decodes a FAST inner body, it does not check for a null -server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this -would typically result in an error from krb5_unparse_name(), but with -the addition of get_local_tgt() it results in a null dereference. Add -a null check. - -Reported by Joseph Sutton of Catalyst. - -CVE-2021-37750: - -In MIT krb5 releases 1.14 and later, an authenticated attacker can -cause a null dereference in the KDC by sending a FAST TGS request with -no server field. - -ticket: 9008 (new) -tags: pullup -target_version: 1.19-next -target_version: 1.18-next ---- - src/kdc/do_tgs_req.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 582e497cc9..32dc65fa8e 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - status = "FIND_FAST"; - goto cleanup; - } -+ if (sprinc == NULL) { -+ status = "NULL_SERVER"; -+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; -+ goto cleanup; -+ } - - errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server, - &local_tgt, &local_tgt_storage, &local_tgt_key); diff --git a/source/n/krb5/krb5.SlackBuild b/source/n/krb5/krb5.SlackBuild index 668d6ce7e..fbc5123a4 100755 --- a/source/n/krb5/krb5.SlackBuild +++ b/source/n/krb5/krb5.SlackBuild @@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=krb5 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-3} +BUILD=${BUILD:-1} if [ -z "$ARCH" ]; then case "$( uname -m )" in @@ -79,8 +79,6 @@ find . \ sed -i "/KRB5ROOT=/s/\/local//" src/util/ac_check_krb5.m4 -cat $CWD/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch | patch -p1 --verbose || exit 1 - cd src CFLAGS="$SLKCFLAGS" \ diff --git a/source/n/samba/samba.SlackBuild b/source/n/samba/samba.SlackBuild index 33b57590a..0761cb69d 100755 --- a/source/n/samba/samba.SlackBuild +++ b/source/n/samba/samba.SlackBuild @@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=samba VERSION=${VERSION:-$(echo samba-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-3} +BUILD=${BUILD:-1} if [ -e $CWD/machine.conf ]; then . $CWD/machine.conf ] diff --git a/source/n/samba/samba.url b/source/n/samba/samba.url index a2d7b167a..c666fbc64 100644 --- a/source/n/samba/samba.url +++ b/source/n/samba/samba.url @@ -1,2 +1,2 @@ -https://download.samba.org/pub/samba/stable/samba-4.15.5.tar.gz -https://download.samba.org/pub/samba/stable/samba-4.15.5.tar.asc +https://download.samba.org/pub/samba/stable/samba-4.15.6.tar.gz +https://download.samba.org/pub/samba/stable/samba-4.15.6.tar.asc -- cgit v1.2.3