* [PR PATCH] Update tracker and libcue for CVE-2023-43641.
@ 2023-10-10 0:22 oreo639
2023-10-10 0:29 ` [PR PATCH] [Updated] " oreo639
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: oreo639 @ 2023-10-10 0:22 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1524 bytes --]
There is a new pull request by oreo639 against master on the void-packages repository
https://github.com/oreo639/void-packages trackercve
https://github.com/void-linux/void-packages/pull/46540
Update tracker and libcue for CVE-2023-43641.
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **briefly**
See here for more details: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
The public example file only tests libcue, so that was all I could test, but the tracker update should also fix the sandbox escape issue.
<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->
<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64-musl
- armv7l
- armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/46540.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-trackercve-46540.patch --]
[-- Type: text/x-diff, Size: 4191 bytes --]
From 8913abb483e1b79ff775b47d27a62ad2e4fb34f0 Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:17:51 -0700
Subject: [PATCH 1/3] tracker: update to 3.6.0.
---
srcpkgs/tracker/template | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/srcpkgs/tracker/template b/srcpkgs/tracker/template
index 0ac5d828e786c..70d33f3d5cfc9 100644
--- a/srcpkgs/tracker/template
+++ b/srcpkgs/tracker/template
@@ -1,7 +1,7 @@
# Template file for 'tracker'
pkgname=tracker
-version=3.5.0
-revision=3
+version=3.6.0
+revision=1
build_style=meson
build_helper="gir"
configure_args="-Ddocs=false -Dman=true -Dstemmer=disabled
@@ -17,7 +17,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
homepage="https://wiki.gnome.org/Projects/Tracker"
changelog="https://gitlab.gnome.org/GNOME/tracker/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker/${version%.*}/tracker-${version}.tar.xz"
-checksum=13294275dbbbad9634b3a8390c08e6f12bebfe84f6ccafb72b27b0c23ba8da2f
+checksum=52592cfe19baffd16dbe47475be7da750dbd0b6333fd7acb60faa9da5bc40df2
make_check_pre="dbus-run-session"
if [ "$CROSS_BUILD" ]; then
From ed4b5ded08859b3880cbea110b27519f82e2926a Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:12 -0700
Subject: [PATCH 2/3] tracker-miners: update to 3.6.1.
---
srcpkgs/tracker-miners/template | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/srcpkgs/tracker-miners/template b/srcpkgs/tracker-miners/template
index a6e5aa5777024..0b97f47489f81 100644
--- a/srcpkgs/tracker-miners/template
+++ b/srcpkgs/tracker-miners/template
@@ -1,7 +1,7 @@
# Template file for 'tracker-miners'
pkgname=tracker-miners
-version=3.5.0
-revision=4
+version=3.6.1
+revision=1
build_style=meson
build_helper=qemu
# missing libgrss for miner_rss
@@ -27,7 +27,7 @@ license="GPL-2.0-or-later"
homepage="https://tracker.gnome.org/"
changelog="https://gitlab.gnome.org/GNOME/tracker-miners/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker-miners/${version%.*}/tracker-miners-${version}.tar.xz"
-checksum=17966603dc432a98526b490586a48acd7f9f59935f7895dfc51729a46a6901a3
+checksum=eef0e8d4aaca78feffb97d2f0957361869f53ea7768d1991385be51c17e8928e
make_check=no # relies on unsupported ops in chroot
tracker3-miners_package() {
From 661cdfeb07f91e5ec8927a1b4097a4b148d25d00 Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:39 -0700
Subject: [PATCH 3/3] libcue: add patch for CVE-2023-43641
---
...2c8bded8d24cfa0608b8e97f2eed210a920e.patch | 24 +++++++++++++++++++
srcpkgs/libcue/template | 2 +-
2 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
diff --git a/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
new file mode 100644
index 0000000000000..b38727fdcea65
--- /dev/null
+++ b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
@@ -0,0 +1,24 @@
+From fdf72c8bded8d24cfa0608b8e97f2eed210a920e Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 27 Sep 2023 20:22:43 +0100
+Subject: [PATCH] Check that the array index isn't negative. This fixes
+ CVE-2023-43641.
+
+Signed-off-by: Kevin Backhouse <kevinbackhouse@github.com>
+---
+ cd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
diff --git a/srcpkgs/libcue/template b/srcpkgs/libcue/template
index 496fd7927bcd9..dd21eb67027ab 100644
--- a/srcpkgs/libcue/template
+++ b/srcpkgs/libcue/template
@@ -1,7 +1,7 @@
# Template file for 'libcue'
pkgname=libcue
version=2.2.1
-revision=1
+revision=2
build_style=cmake
configure_args="-DBUILD_SHARED_LIBS=ON"
hostmakedepends="bison flex"
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PR PATCH] [Updated] Update tracker and libcue for CVE-2023-43641.
2023-10-10 0:22 [PR PATCH] Update tracker and libcue for CVE-2023-43641 oreo639
@ 2023-10-10 0:29 ` oreo639
2023-10-10 0:31 ` oreo639
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: oreo639 @ 2023-10-10 0:29 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1529 bytes --]
There is an updated pull request by oreo639 against master on the void-packages repository
https://github.com/oreo639/void-packages trackercve
https://github.com/void-linux/void-packages/pull/46540
Update tracker and libcue for CVE-2023-43641.
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **briefly**
See here for more details: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
The public example file only tests libcue, so that was all I could test, but the tracker update should also fix the sandbox escape issue.
<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->
<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64-musl
- armv7l
- armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/46540.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-trackercve-46540.patch --]
[-- Type: text/x-diff, Size: 4314 bytes --]
From ac455dd454c71c84f657fab5cf76d857508cc80f Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:17:51 -0700
Subject: [PATCH 1/3] tracker: update to 3.6.0.
---
srcpkgs/tracker/template | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/srcpkgs/tracker/template b/srcpkgs/tracker/template
index 0ac5d828e786c..8ff814f374211 100644
--- a/srcpkgs/tracker/template
+++ b/srcpkgs/tracker/template
@@ -1,9 +1,9 @@
# Template file for 'tracker'
pkgname=tracker
-version=3.5.0
-revision=3
+version=3.6.0
+revision=1
build_style=meson
-build_helper="gir"
+build_helper="gir meson"
configure_args="-Ddocs=false -Dman=true -Dstemmer=disabled
-Dsystemd_user_services=false"
hostmakedepends="gettext pkg-config glib-devel vala asciidoc
@@ -17,7 +17,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
homepage="https://wiki.gnome.org/Projects/Tracker"
changelog="https://gitlab.gnome.org/GNOME/tracker/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker/${version%.*}/tracker-${version}.tar.xz"
-checksum=13294275dbbbad9634b3a8390c08e6f12bebfe84f6ccafb72b27b0c23ba8da2f
+checksum=52592cfe19baffd16dbe47475be7da750dbd0b6333fd7acb60faa9da5bc40df2
make_check_pre="dbus-run-session"
if [ "$CROSS_BUILD" ]; then
From 251e51419f6368adb71971b11b2e6c60aec0664b Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:12 -0700
Subject: [PATCH 2/3] tracker-miners: update to 3.6.1.
---
srcpkgs/tracker-miners/template | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/srcpkgs/tracker-miners/template b/srcpkgs/tracker-miners/template
index a6e5aa5777024..0b97f47489f81 100644
--- a/srcpkgs/tracker-miners/template
+++ b/srcpkgs/tracker-miners/template
@@ -1,7 +1,7 @@
# Template file for 'tracker-miners'
pkgname=tracker-miners
-version=3.5.0
-revision=4
+version=3.6.1
+revision=1
build_style=meson
build_helper=qemu
# missing libgrss for miner_rss
@@ -27,7 +27,7 @@ license="GPL-2.0-or-later"
homepage="https://tracker.gnome.org/"
changelog="https://gitlab.gnome.org/GNOME/tracker-miners/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker-miners/${version%.*}/tracker-miners-${version}.tar.xz"
-checksum=17966603dc432a98526b490586a48acd7f9f59935f7895dfc51729a46a6901a3
+checksum=eef0e8d4aaca78feffb97d2f0957361869f53ea7768d1991385be51c17e8928e
make_check=no # relies on unsupported ops in chroot
tracker3-miners_package() {
From 616e327702cc656d0c175f20d8a91c7f9866ac8a Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:39 -0700
Subject: [PATCH 3/3] libcue: add patch for CVE-2023-43641
---
...2c8bded8d24cfa0608b8e97f2eed210a920e.patch | 24 +++++++++++++++++++
srcpkgs/libcue/template | 2 +-
2 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
diff --git a/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
new file mode 100644
index 0000000000000..b38727fdcea65
--- /dev/null
+++ b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
@@ -0,0 +1,24 @@
+From fdf72c8bded8d24cfa0608b8e97f2eed210a920e Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 27 Sep 2023 20:22:43 +0100
+Subject: [PATCH] Check that the array index isn't negative. This fixes
+ CVE-2023-43641.
+
+Signed-off-by: Kevin Backhouse <kevinbackhouse@github.com>
+---
+ cd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
diff --git a/srcpkgs/libcue/template b/srcpkgs/libcue/template
index 496fd7927bcd9..dd21eb67027ab 100644
--- a/srcpkgs/libcue/template
+++ b/srcpkgs/libcue/template
@@ -1,7 +1,7 @@
# Template file for 'libcue'
pkgname=libcue
version=2.2.1
-revision=1
+revision=2
build_style=cmake
configure_args="-DBUILD_SHARED_LIBS=ON"
hostmakedepends="bison flex"
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PR PATCH] [Updated] Update tracker and libcue for CVE-2023-43641.
2023-10-10 0:22 [PR PATCH] Update tracker and libcue for CVE-2023-43641 oreo639
2023-10-10 0:29 ` [PR PATCH] [Updated] " oreo639
@ 2023-10-10 0:31 ` oreo639
2023-10-10 0:52 ` oreo639
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: oreo639 @ 2023-10-10 0:31 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1529 bytes --]
There is an updated pull request by oreo639 against master on the void-packages repository
https://github.com/oreo639/void-packages trackercve
https://github.com/void-linux/void-packages/pull/46540
Update tracker and libcue for CVE-2023-43641.
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **briefly**
See here for more details: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
The public example file only tests libcue, so that was all I could test, but the tracker update should also fix the sandbox escape issue.
<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->
<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64-musl
- armv7l
- armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/46540.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-trackercve-46540.patch --]
[-- Type: text/x-diff, Size: 4508 bytes --]
From ae3530bb6ba183c8b962e35faa37b5b6ee46872d Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:17:51 -0700
Subject: [PATCH 1/3] tracker: update to 3.6.0.
---
srcpkgs/tracker/template | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/srcpkgs/tracker/template b/srcpkgs/tracker/template
index 0ac5d828e786c..6879299ebfe29 100644
--- a/srcpkgs/tracker/template
+++ b/srcpkgs/tracker/template
@@ -1,7 +1,7 @@
# Template file for 'tracker'
pkgname=tracker
-version=3.5.0
-revision=3
+version=3.6.0
+revision=1
build_style=meson
build_helper="gir"
configure_args="-Ddocs=false -Dman=true -Dstemmer=disabled
@@ -17,7 +17,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
homepage="https://wiki.gnome.org/Projects/Tracker"
changelog="https://gitlab.gnome.org/GNOME/tracker/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker/${version%.*}/tracker-${version}.tar.xz"
-checksum=13294275dbbbad9634b3a8390c08e6f12bebfe84f6ccafb72b27b0c23ba8da2f
+checksum=52592cfe19baffd16dbe47475be7da750dbd0b6333fd7acb60faa9da5bc40df2
make_check_pre="dbus-run-session"
if [ "$CROSS_BUILD" ]; then
@@ -31,7 +31,7 @@ fi
post_patch() {
if [ "$CROSS_BUILD" ]; then
# Tell the build system that we have internal fts5 in sqlite3
- vsed -i "/\[properties\]/a sqlite3_has_fts5 = 'true'" xbps_meson.cross
+ vsed -i "/\[properties\]/a sqlite3_has_fts5 = 'true'" ${XBPS_WRAPPERDIR}/meson/xbps_meson.cross
fi
}
From 7c8fdd9c5fe38c3d78afda76c3f5c7e59963ff3f Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:12 -0700
Subject: [PATCH 2/3] tracker-miners: update to 3.6.1.
---
srcpkgs/tracker-miners/template | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/srcpkgs/tracker-miners/template b/srcpkgs/tracker-miners/template
index a6e5aa5777024..0b97f47489f81 100644
--- a/srcpkgs/tracker-miners/template
+++ b/srcpkgs/tracker-miners/template
@@ -1,7 +1,7 @@
# Template file for 'tracker-miners'
pkgname=tracker-miners
-version=3.5.0
-revision=4
+version=3.6.1
+revision=1
build_style=meson
build_helper=qemu
# missing libgrss for miner_rss
@@ -27,7 +27,7 @@ license="GPL-2.0-or-later"
homepage="https://tracker.gnome.org/"
changelog="https://gitlab.gnome.org/GNOME/tracker-miners/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker-miners/${version%.*}/tracker-miners-${version}.tar.xz"
-checksum=17966603dc432a98526b490586a48acd7f9f59935f7895dfc51729a46a6901a3
+checksum=eef0e8d4aaca78feffb97d2f0957361869f53ea7768d1991385be51c17e8928e
make_check=no # relies on unsupported ops in chroot
tracker3-miners_package() {
From a0b4f875e6c93d479793a6b0a29a69884820c3f9 Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:39 -0700
Subject: [PATCH 3/3] libcue: add patch for CVE-2023-43641
---
...2c8bded8d24cfa0608b8e97f2eed210a920e.patch | 24 +++++++++++++++++++
srcpkgs/libcue/template | 2 +-
2 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
diff --git a/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
new file mode 100644
index 0000000000000..b38727fdcea65
--- /dev/null
+++ b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
@@ -0,0 +1,24 @@
+From fdf72c8bded8d24cfa0608b8e97f2eed210a920e Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 27 Sep 2023 20:22:43 +0100
+Subject: [PATCH] Check that the array index isn't negative. This fixes
+ CVE-2023-43641.
+
+Signed-off-by: Kevin Backhouse <kevinbackhouse@github.com>
+---
+ cd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
diff --git a/srcpkgs/libcue/template b/srcpkgs/libcue/template
index 496fd7927bcd9..dd21eb67027ab 100644
--- a/srcpkgs/libcue/template
+++ b/srcpkgs/libcue/template
@@ -1,7 +1,7 @@
# Template file for 'libcue'
pkgname=libcue
version=2.2.1
-revision=1
+revision=2
build_style=cmake
configure_args="-DBUILD_SHARED_LIBS=ON"
hostmakedepends="bison flex"
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PR PATCH] [Updated] Update tracker and libcue for CVE-2023-43641.
2023-10-10 0:22 [PR PATCH] Update tracker and libcue for CVE-2023-43641 oreo639
2023-10-10 0:29 ` [PR PATCH] [Updated] " oreo639
2023-10-10 0:31 ` oreo639
@ 2023-10-10 0:52 ` oreo639
2023-10-10 1:00 ` oreo639
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: oreo639 @ 2023-10-10 0:52 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1529 bytes --]
There is an updated pull request by oreo639 against master on the void-packages repository
https://github.com/oreo639/void-packages trackercve
https://github.com/void-linux/void-packages/pull/46540
Update tracker and libcue for CVE-2023-43641.
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **briefly**
See here for more details: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
The public example file only tests libcue, so that was all I could test, but the tracker update should also fix the sandbox escape issue.
<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->
<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64-musl
- armv7l
- armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/46540.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-trackercve-46540.patch --]
[-- Type: text/x-diff, Size: 4717 bytes --]
From 97b22538eec88ba32451cadde1588debcc98f578 Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:17:51 -0700
Subject: [PATCH 1/3] tracker: update to 3.6.0.
---
srcpkgs/tracker/template | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/srcpkgs/tracker/template b/srcpkgs/tracker/template
index 0ac5d828e786c..8c5d6ab81c89e 100644
--- a/srcpkgs/tracker/template
+++ b/srcpkgs/tracker/template
@@ -1,11 +1,12 @@
# Template file for 'tracker'
pkgname=tracker
-version=3.5.0
-revision=3
+version=3.6.0
+revision=1
build_style=meson
-build_helper="gir"
+build_helper="gir qemu"
configure_args="-Ddocs=false -Dman=true -Dstemmer=disabled
-Dsystemd_user_services=false"
+meson_crossfile="xbps_meson.cross"
hostmakedepends="gettext pkg-config glib-devel vala asciidoc
python3-gobject"
makedepends="dbus-devel libglib-devel icu-devel json-glib-devel
@@ -17,7 +18,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
homepage="https://wiki.gnome.org/Projects/Tracker"
changelog="https://gitlab.gnome.org/GNOME/tracker/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker/${version%.*}/tracker-${version}.tar.xz"
-checksum=13294275dbbbad9634b3a8390c08e6f12bebfe84f6ccafb72b27b0c23ba8da2f
+checksum=52592cfe19baffd16dbe47475be7da750dbd0b6333fd7acb60faa9da5bc40df2
make_check_pre="dbus-run-session"
if [ "$CROSS_BUILD" ]; then
@@ -31,6 +32,7 @@ fi
post_patch() {
if [ "$CROSS_BUILD" ]; then
# Tell the build system that we have internal fts5 in sqlite3
+ cp ${XBPS_WRAPPERDIR}/meson/xbps_meson.cross xbps_meson.cross
vsed -i "/\[properties\]/a sqlite3_has_fts5 = 'true'" xbps_meson.cross
fi
}
From c2f20429b85cc48c9ab3ae620b1d21ac02561751 Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:12 -0700
Subject: [PATCH 2/3] tracker-miners: update to 3.6.1.
---
srcpkgs/tracker-miners/template | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/srcpkgs/tracker-miners/template b/srcpkgs/tracker-miners/template
index a6e5aa5777024..0b97f47489f81 100644
--- a/srcpkgs/tracker-miners/template
+++ b/srcpkgs/tracker-miners/template
@@ -1,7 +1,7 @@
# Template file for 'tracker-miners'
pkgname=tracker-miners
-version=3.5.0
-revision=4
+version=3.6.1
+revision=1
build_style=meson
build_helper=qemu
# missing libgrss for miner_rss
@@ -27,7 +27,7 @@ license="GPL-2.0-or-later"
homepage="https://tracker.gnome.org/"
changelog="https://gitlab.gnome.org/GNOME/tracker-miners/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker-miners/${version%.*}/tracker-miners-${version}.tar.xz"
-checksum=17966603dc432a98526b490586a48acd7f9f59935f7895dfc51729a46a6901a3
+checksum=eef0e8d4aaca78feffb97d2f0957361869f53ea7768d1991385be51c17e8928e
make_check=no # relies on unsupported ops in chroot
tracker3-miners_package() {
From 4537ebab095287fe2393ff3e99ac0639d899ee7f Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:39 -0700
Subject: [PATCH 3/3] libcue: add patch for CVE-2023-43641
---
...2c8bded8d24cfa0608b8e97f2eed210a920e.patch | 24 +++++++++++++++++++
srcpkgs/libcue/template | 2 +-
2 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
diff --git a/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
new file mode 100644
index 0000000000000..b38727fdcea65
--- /dev/null
+++ b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
@@ -0,0 +1,24 @@
+From fdf72c8bded8d24cfa0608b8e97f2eed210a920e Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 27 Sep 2023 20:22:43 +0100
+Subject: [PATCH] Check that the array index isn't negative. This fixes
+ CVE-2023-43641.
+
+Signed-off-by: Kevin Backhouse <kevinbackhouse@github.com>
+---
+ cd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
diff --git a/srcpkgs/libcue/template b/srcpkgs/libcue/template
index 496fd7927bcd9..dd21eb67027ab 100644
--- a/srcpkgs/libcue/template
+++ b/srcpkgs/libcue/template
@@ -1,7 +1,7 @@
# Template file for 'libcue'
pkgname=libcue
version=2.2.1
-revision=1
+revision=2
build_style=cmake
configure_args="-DBUILD_SHARED_LIBS=ON"
hostmakedepends="bison flex"
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Update tracker and libcue for CVE-2023-43641.
2023-10-10 0:22 [PR PATCH] Update tracker and libcue for CVE-2023-43641 oreo639
` (2 preceding siblings ...)
2023-10-10 0:52 ` oreo639
@ 2023-10-10 1:00 ` oreo639
2023-10-10 1:39 ` [PR PATCH] [Updated] " oreo639
2023-10-10 2:14 ` [PR PATCH] [Merged]: " sgn
5 siblings, 0 replies; 7+ messages in thread
From: oreo639 @ 2023-10-10 1:00 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 234 bytes --]
New comment by oreo639 on void-packages repository
https://github.com/void-linux/void-packages/pull/46540#issuecomment-1754145458
Comment:
Fails to configure on 32-bit musl due to y2k38 checks failing, should I patch out the check?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PR PATCH] [Updated] Update tracker and libcue for CVE-2023-43641.
2023-10-10 0:22 [PR PATCH] Update tracker and libcue for CVE-2023-43641 oreo639
` (3 preceding siblings ...)
2023-10-10 1:00 ` oreo639
@ 2023-10-10 1:39 ` oreo639
2023-10-10 2:14 ` [PR PATCH] [Merged]: " sgn
5 siblings, 0 replies; 7+ messages in thread
From: oreo639 @ 2023-10-10 1:39 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1529 bytes --]
There is an updated pull request by oreo639 against master on the void-packages repository
https://github.com/oreo639/void-packages trackercve
https://github.com/void-linux/void-packages/pull/46540
Update tracker and libcue for CVE-2023-43641.
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **briefly**
See here for more details: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
The public example file only tests libcue, so that was all I could test, but the tracker update should also fix the sandbox escape issue.
<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->
<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64-musl
- armv7l
- armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/46540.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-trackercve-46540.patch --]
[-- Type: text/x-diff, Size: 5073 bytes --]
From 73f680414c1c21571dcd41f3f2de047a0525e8c2 Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:17:51 -0700
Subject: [PATCH 1/3] tracker: update to 3.6.0.
---
srcpkgs/tracker/template | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/srcpkgs/tracker/template b/srcpkgs/tracker/template
index 0ac5d828e786c..066fd816dae67 100644
--- a/srcpkgs/tracker/template
+++ b/srcpkgs/tracker/template
@@ -1,9 +1,9 @@
# Template file for 'tracker'
pkgname=tracker
-version=3.5.0
-revision=3
+version=3.6.0
+revision=1
build_style=meson
-build_helper="gir"
+build_helper="gir qemu"
configure_args="-Ddocs=false -Dman=true -Dstemmer=disabled
-Dsystemd_user_services=false"
hostmakedepends="gettext pkg-config glib-devel vala asciidoc
@@ -17,11 +17,12 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
homepage="https://wiki.gnome.org/Projects/Tracker"
changelog="https://gitlab.gnome.org/GNOME/tracker/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker/${version%.*}/tracker-${version}.tar.xz"
-checksum=13294275dbbbad9634b3a8390c08e6f12bebfe84f6ccafb72b27b0c23ba8da2f
+checksum=52592cfe19baffd16dbe47475be7da750dbd0b6333fd7acb60faa9da5bc40df2
make_check_pre="dbus-run-session"
if [ "$CROSS_BUILD" ]; then
hostmakedepends+=" dbus"
+ configure_args+=" --cross-file=${XBPS_WRAPPERDIR}/meson/xbps_sqlite.cross"
fi
if [ "${XBPS_TARGET_WORDSIZE}" = "32" ]; then
@@ -31,7 +32,15 @@ fi
post_patch() {
if [ "$CROSS_BUILD" ]; then
# Tell the build system that we have internal fts5 in sqlite3
- vsed -i "/\[properties\]/a sqlite3_has_fts5 = 'true'" xbps_meson.cross
+ cat > "${XBPS_WRAPPERDIR}/meson/xbps_sqlite.cross" <<-EOF
+ [properties]
+ sqlite3_has_fts5 = 'true'
+ EOF
+ fi
+
+ # Patch out error due to y2k38 on musl
+ if [ "$XBPS_TARGET_LIBC" = "musl" ] && [ "$XBPS_TARGET_WORDSIZE" = "32" ]; then
+ vsed -e "s/error('Libc implementation has broken 4-digit years implementation.')/year_modifier = '%2C%y'/" -i meson.build
fi
}
From 65aa70752aa02bea896c1fe45d359311f7288d7d Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:12 -0700
Subject: [PATCH 2/3] tracker-miners: update to 3.6.1.
---
srcpkgs/tracker-miners/template | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/srcpkgs/tracker-miners/template b/srcpkgs/tracker-miners/template
index a6e5aa5777024..0b97f47489f81 100644
--- a/srcpkgs/tracker-miners/template
+++ b/srcpkgs/tracker-miners/template
@@ -1,7 +1,7 @@
# Template file for 'tracker-miners'
pkgname=tracker-miners
-version=3.5.0
-revision=4
+version=3.6.1
+revision=1
build_style=meson
build_helper=qemu
# missing libgrss for miner_rss
@@ -27,7 +27,7 @@ license="GPL-2.0-or-later"
homepage="https://tracker.gnome.org/"
changelog="https://gitlab.gnome.org/GNOME/tracker-miners/-/raw/master/NEWS"
distfiles="${GNOME_SITE}/tracker-miners/${version%.*}/tracker-miners-${version}.tar.xz"
-checksum=17966603dc432a98526b490586a48acd7f9f59935f7895dfc51729a46a6901a3
+checksum=eef0e8d4aaca78feffb97d2f0957361869f53ea7768d1991385be51c17e8928e
make_check=no # relies on unsupported ops in chroot
tracker3-miners_package() {
From 415a53361309e9437e3773eeb1be51fd4163683a Mon Sep 17 00:00:00 2001
From: oreo639 <oreo6391@gmail.com>
Date: Mon, 9 Oct 2023 17:18:39 -0700
Subject: [PATCH 3/3] libcue: add patch for CVE-2023-43641
---
...2c8bded8d24cfa0608b8e97f2eed210a920e.patch | 24 +++++++++++++++++++
srcpkgs/libcue/template | 2 +-
2 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
diff --git a/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
new file mode 100644
index 0000000000000..b38727fdcea65
--- /dev/null
+++ b/srcpkgs/libcue/patches/fdf72c8bded8d24cfa0608b8e97f2eed210a920e.patch
@@ -0,0 +1,24 @@
+From fdf72c8bded8d24cfa0608b8e97f2eed210a920e Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 27 Sep 2023 20:22:43 +0100
+Subject: [PATCH] Check that the array index isn't negative. This fixes
+ CVE-2023-43641.
+
+Signed-off-by: Kevin Backhouse <kevinbackhouse@github.com>
+---
+ cd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
diff --git a/srcpkgs/libcue/template b/srcpkgs/libcue/template
index 496fd7927bcd9..dd21eb67027ab 100644
--- a/srcpkgs/libcue/template
+++ b/srcpkgs/libcue/template
@@ -1,7 +1,7 @@
# Template file for 'libcue'
pkgname=libcue
version=2.2.1
-revision=1
+revision=2
build_style=cmake
configure_args="-DBUILD_SHARED_LIBS=ON"
hostmakedepends="bison flex"
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PR PATCH] [Merged]: Update tracker and libcue for CVE-2023-43641.
2023-10-10 0:22 [PR PATCH] Update tracker and libcue for CVE-2023-43641 oreo639
` (4 preceding siblings ...)
2023-10-10 1:39 ` [PR PATCH] [Updated] " oreo639
@ 2023-10-10 2:14 ` sgn
5 siblings, 0 replies; 7+ messages in thread
From: sgn @ 2023-10-10 2:14 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1370 bytes --]
There's a merged pull request on the void-packages repository
Update tracker and libcue for CVE-2023-43641.
https://github.com/void-linux/void-packages/pull/46540
Description:
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **briefly**
See here for more details: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
The public example file only tests libcue, so that was all I could test, but the tracker update should also fix the sandbox escape issue.
<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->
<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64-musl
- armv7l
- armv6l-musl
-->
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-10-10 2:14 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-10 0:22 [PR PATCH] Update tracker and libcue for CVE-2023-43641 oreo639
2023-10-10 0:29 ` [PR PATCH] [Updated] " oreo639
2023-10-10 0:31 ` oreo639
2023-10-10 0:52 ` oreo639
2023-10-10 1:00 ` oreo639
2023-10-10 1:39 ` [PR PATCH] [Updated] " oreo639
2023-10-10 2:14 ` [PR PATCH] [Merged]: " sgn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).