Merge branch '3.2' into 3.3

2017-02-13 08:42:59 +11:00 · 2017-02-13 08:42:59 +11:00 · b004988a07
commit b004988a07
parent 95ec9b1f08 7719e0381e
5 changed files with 47 additions and 6 deletions
--- a/ddrescue/.md5sum
+++ b/ddrescue/.md5sum
@ -1 +1 @@
-7801daa8db1fde557540d2cbfaeef416  ddrescue-1.21.tar.lz
+49c845ed89d25b534842e40366154cb4  ddrescue-1.22.tar.lz
--- a/ddrescue/Pkgfile
+++ b/ddrescue/Pkgfile
@ -4,7 +4,7 @@
 # Packager: Danny Rawlins, crux at romster dot me

 name=ddrescue
-version=1.21
+version=1.22
 release=1
 source=(https://ftp.gnu.org/gnu/$name/$name-$version.tar.lz)

--- a/ntfs-3g/.md5sum
+++ b/ntfs-3g/.md5sum
@ -1 +1,2 @@
+0631dbc17722d13b1a6ce5427e064356  CVE-2017-0358.patch
 ccbe8672d0f757bd0c975b50aa4c512e  ntfs-3g_ntfsprogs-2016.2.22.tgz
--- a/ntfs-3g/CVE-2017-0358.patch
+++ b/ntfs-3g/CVE-2017-0358.patch
@ -0,0 +1,38 @@
+http://seclists.org/oss-sec/2017/q1/259
+CVE-2017-0358 ntfs-3g: modprobe influence vulnerability via environment variables
+--- ntfs-3g/src/lowntfs-3g.c	2016-12-31 08:56:59.011749600 +0100
+++ ntfs-3g/src/lowntfs-3g.c	2017-01-05 14:41:52.041473700 +0100
+@@ -3827,13 +3827,14 @@
+ 	struct stat st;
+ 	pid_t pid;
+ 	const char *cmd = "/sbin/modprobe";
+	char *env = (char*)NULL;
+ 	struct timespec req = { 0, 100000000 };   /* 100 msec */
+ 	fuse_fstype fstype;
+         
+ 	if (!stat(cmd, &st) && !geteuid()) {
+ 		pid = fork();
+ 		if (!pid) {
+-			execl(cmd, cmd, "fuse", NULL);
+			execle(cmd, cmd, "fuse", NULL, &env);
+ 			_exit(1);
+ 		} else if (pid != -1)
+ 			waitpid(pid, NULL, 0);
+--- ntfs-3g/src/ntfs-3g.c	2017-02-04 23:30:23.825889593 +0100
+++ ntfs-3g/src/nfts-3g.c	2017-02-04 23:30:42.572542756 +0100
+@@ -3612,13 +3612,14 @@
+ 	struct stat st;
+ 	pid_t pid;
+ 	const char *cmd = "/sbin/modprobe";
+	char *env = (char*)NULL;
+ 	struct timespec req = { 0, 100000000 };   /* 100 msec */
+ 	fuse_fstype fstype;
+ 	
+ 	if (!stat(cmd, &st) && !geteuid()) {
+ 		pid = fork();
+ 		if (!pid) {
+-			execl(cmd, cmd, "fuse", NULL);
+			execle(cmd, cmd, "fuse", NULL, &env);
+ 			_exit(1);
+ 		} else if (pid != -1)
+ 			waitpid(pid, NULL, 0);
--- a/ntfs-3g/Pkgfile
+++ b/ntfs-3g/Pkgfile
@ -1,17 +1,19 @@
 # Description: Freely available NTFS driver with read and write support.
-# URL: http://www.tuxera.com/community/ntfs-3g-download/
+# URL: https://www.tuxera.com/community/ntfs-3g-download/
 # Maintainer: Danny Rawlins, crux at romster dot me
-# Packager: Danny Rawlins, crux at romster dot me
 # Depends on: fuse

 name=ntfs-3g
 version=2016.2.22
-release=3
-source=(http://tuxera.com/opensource/ntfs-3g_ntfsprogs-$version.tgz)
+release=4
+source=(https://tuxera.com/opensource/ntfs-3g_ntfsprogs-$version.tgz
+	CVE-2017-0358.patch)

 build() {
 	cd ntfs-3g_ntfsprogs-$version

+	patch -p1 -i $SRC/CVE-2017-0358.patch
+
 	install -d $PKG/lib

 	./configure \