Commit 9092d9ca authored by J0WI's avatar J0WI Committed by Natanael Copa

main/libseccomp: upgrade to 2.4.2 (CVE-2019-9893)

parent d69c3c39
......@@ -2,8 +2,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Contributor: Dan Williams <dan@ma.ssive.co>
pkgname=libseccomp
pkgver=2.3.3
pkgrel=1
pkgver=2.4.2
pkgrel=2
pkgdesc="An interface to the Linux Kernel's syscall filtering mechanism"
url="https://github.com/seccomp/libseccomp"
arch="all"
......@@ -13,8 +13,13 @@ makedepends="$depends_dev"
checkdepends="bash"
subpackages="$pkgname-dev $pkgname-doc"
source="https://github.com/seccomp/libseccomp/releases/download/v$pkgver/libseccomp-$pkgver.tar.gz
remove-redefinition-prctl.patch"
builddir="$srcdir/libseccomp-$pkgver"
remove-redefinition-prctl.patch
tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch
"
# secfixes:
# 2.4.0-r0:
# - CVE-2019-9893
build() {
cd "$builddir"
......@@ -25,20 +30,26 @@ build() {
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--localstatedir=/var \
|| return 1
make || return 1
--localstatedir=/var
make
}
check() {
cd "$builddir"
make check || return 1
# commit be65b26b67099be2b2b4890d736dbd1ad15adf36 adapted to new kernel 5.x syscalls
# as long as we are at 4.19 kernel, we need this change
case "$CARCH" in
ppc64le|s390x) rm -f tests/36-sim-ipc_syscalls.tests \
tests/37-sim-ipc_syscalls_be.tests;;
esac
make check
}
package() {
cd "$builddir"
make DESTDIR="$pkgdir" install || return 1
make DESTDIR="$pkgdir" install
}
sha512sums="845c7e0e916b5f5ad74da446ceff3250148b745c909185f6d5059e807d1b42fa6b74f356cce2a396bff0d4c7a3120e7cdad98d490a97d549327c7693fe1918be libseccomp-2.3.3.tar.gz
f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f remove-redefinition-prctl.patch"
sha512sums="375a3c7c658be6a08b9bb30963e10bb49e8e066119e0be6d3d97faac3db18b8e2c6938d8b5d3874b2f5331ec8295170112fbae83b5a3b5a5bebc0d6705bdfdbb libseccomp-2.4.2.tar.gz
f2c31dcafdc9a1ad78e32e76b75e1c1603071eaa3f979e1f2483b879a34ad07e0a4ef3642196a695415cdf81e1ed2bf325175872fb4e203ef9d0e668c287493f remove-redefinition-prctl.patch
e9c6adbc424c310802851ec486df23aedd8121397a9742f3a5ed4754a5eee7ec1701a6f5e220bb37911b8c48626ba00d70943fad43e489d740d0295e6e9b0dff tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-syscalls.patch"
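Review bot: In check(), the `rm -f tests/36-sim-ipc_syscalls.tests tests/37-sim-ipc_syscalls_be.tests` for ppc64le and s390x is keyed only on `$CARCH`, so those tests stay disabled after the 4.19 kernel named in the comment is gone, and nothing in the build log shows they were skipped. For a syscall-filtering library this leaves the ipc filter simulation unverified on two architectures, in the same upgrade that ships a CVE fix. The comment also cites commit be65b26b67099be2b2b4890d736dbd1ad15adf36 without saying which repository it belongs to (presumably upstream libseccomp). I would reword it along the lines of `# TODO: remove once we are past the 4.19 kernel; upstream commit be65b26b adapted these tests to the 5.x ipc syscalls` and add `echo "skipping ipc_syscalls sim tests on $CARCH"` before the `rm`.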
From 35803ceb43c453762a3ab5177c5f8d5dbb813478 Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Tue, 5 Nov 2019 15:11:11 -0500
Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
We recently changed how libseccomp handles syscall numbers that are
not defined natively, but we missed test #15.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
tests/15-basic-resolver.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
index 6badef1..0c1eefe 100644
--- a/tests/15-basic-resolver.c
+++ b/tests/15-basic-resolver.c
@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
unsigned int arch;
char *name = NULL;
- if (seccomp_syscall_resolve_name("open") != __NR_open)
+ if (seccomp_syscall_resolve_name("open") != __SNR_open)
goto fail;
- if (seccomp_syscall_resolve_name("read") != __NR_read)
+ if (seccomp_syscall_resolve_name("read") != __SNR_read)
goto fail;
if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
goto fail;
rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
- if (rc != __NR_openat)
+ if (rc != __SNR_openat)
goto fail;
while ((arch = arch_list[iter++]) != -1) {