Commit 40a51211 authored by Ariadne Conill's avatar Ariadne Conill 🐰

main/samurai: add mitigations for CVE-2021-30218 and CVE-2021-30219

parent 157669a8
......@@ -2,17 +2,24 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=samurai
pkgver=1.2
pkgrel=0
pkgrel=1
pkgdesc="ninja-compatible build tool written in C"
url="https://github.com/michaelforney/samurai"
arch="all"
license="Apache-2.0"
options="!check" # No test suite.
subpackages="$pkgname-doc"
source="https://github.com/michaelforney/samurai/releases/download/$pkgver/samurai-$pkgver.tar.gz"
source="https://github.com/michaelforney/samurai/releases/download/$pkgver/samurai-$pkgver.tar.gz
CVE-2021-30218.patch
CVE-2021-30219.patch"
provides="ninja"
replaces="ninja"
# secfixes:
# 1.2-r1:
# - CVE-2021-30218
# - CVE-2021-30219
build() {
make
}
......@@ -22,4 +29,8 @@ package() {
ln -s samu "$pkgdir"/usr/bin/ninja
}
sha512sums="bbe6a582c34b04f1df53b76c1647aa3e03c4698ebf7591a203935f11ffa05971bbcb86dc1a8c06aeb904cdc741abb08918122810fc47216fed0a6d9f87fd1225 samurai-1.2.tar.gz"
sha512sums="
bbe6a582c34b04f1df53b76c1647aa3e03c4698ebf7591a203935f11ffa05971bbcb86dc1a8c06aeb904cdc741abb08918122810fc47216fed0a6d9f87fd1225 samurai-1.2.tar.gz
6e1c3a0bd92e006f364a81e9e51394f1bc583efa96120306fe33dc0a48cb4babaa8e8c97d754d3c37cda4b4936e77f64e4c138ccb8cfedfdce43adb09c393edb CVE-2021-30218.patch
0504b137fc9ac113453075a22bdfac4ab7616f668e640b7125041400729aaecad1173c528934223246035f68a95d92c6a85e62d1ea5fea996d85647cb33483eb CVE-2021-30219.patch
"
From e84b6d99c85043fa1ba54851ee500540ec206918 Mon Sep 17 00:00:00 2001
From: Michael Forney <mforney@mforney.org>
Date: Fri, 2 Apr 2021 17:27:48 -0700
Subject: [PATCH] util: Check for NULL string in writefile
This check was there previously, but was removed in f549b757 with
the addition of a check during parse that every rule has rspfile
if and only if it has rspfile_content. However, this fails to
consider the possibility of those variables coming from the edge
or global environment. So, re-add the check.
Fixes #67.
---
util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util.c b/util.c
index ea5c3ce..2a59881 100644
--- a/util.c
+++ b/util.c
@@ -258,7 +258,7 @@ writefile(const char *name, struct string *s)
return -1;
}
ret = 0;
- if (fwrite(s->s, 1, s->n, f) != s->n || fflush(f) != 0) {
+ if (s && (fwrite(s->s, 1, s->n, f) != s->n || fflush(f) != 0)) {
warn("write %s:", name);
ret = -1;
}
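Review bot: The restored `s &&` guard in `writefile` makes a NULL string succeed silently: apparently the file is already open at this point, nothing is written, and `ret` stays 0, so the caller gets an empty file rather than an error. That looks intended given the patch description (the content variable may come from the edge or global environment and be unset), but the code does not say so, and the check was already removed once as redundant. I would add a comment above the condition, e.g. `/* s is NULL when the content variable is empty or unset; leave an empty file */`. The body of writefile starts and ends outside this hunk, so the open and close paths are not visible here.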
From d2af3bc375e2a77139c3a28d6128c60cd8d08655 Mon Sep 17 00:00:00 2001
From: Michael Forney <mforney@mforney.org>
Date: Sun, 4 Apr 2021 03:50:09 -0700
Subject: [PATCH] parse: Check for non-empty command/rspfile/rspfile_content
This matches ninja behavior and prevents the possibility of a rule
with an empty (NULL) command string.
Fixes #68.
---
parse.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/parse.c b/parse.c
index f79a5ee..b4b98a1 100644
--- a/parse.c
+++ b/parse.c
@@ -42,6 +42,8 @@ parserule(struct scanner *s, struct environment *env)
var = scanname(s);
parselet(s, &val);
ruleaddvar(r, var, val);
+ if (!val)
+ continue;
if (strcmp(var, "command") == 0)
hascommand = true;
else if (strcmp(var, "rspfile") == 0)
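Review bot: The new `if (!val) continue;` in `parserule` sits after `ruleaddvar(r, var, val)`, so a binding with an empty value is still stored on the rule as NULL; only the `hascommand`/rspfile bookkeeping is skipped. Code that later reads rule variables therefore still has to tolerate NULL, and this check covers only rule-level bindings, not values inherited from the edge or global environment (the case the writefile patch describes). A short comment would make the intent visible: `/* an empty value parses as NULL and does not count as defining the variable */`. The enclosing loop and the checks that consume these flags lie outside the hunk.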