* [Buildroot] [PATCH] expat: security bump to version 2.2.1
@ 2017-06-18 21:20 Peter Korsgaard
2017-06-19 20:09 ` Thomas Petazzoni
2017-06-26 7:49 ` Peter Korsgaard
0 siblings, 2 replies; 6+ messages in thread
From: Peter Korsgaard @ 2017-06-18 21:20 UTC (permalink / raw)
To: buildroot
Fixes:
- CVE-2017-9233 - External entity infinite loop DoS. See:
https://libexpat.github.io/doc/cve-2017-9233/
- CVE-2016-9063 -- Detect integer overflow
And furthermore:
- Fix regression from fix to CVE-2016-0718 cutting off longer tag names.
- Extend fix for CVE-2016-5300 (use getrandom() if available).
- Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
version of SipHash).
Also add an upstream patch to fix detection of getrandom().
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...c-Fix-mis-detection-of-getrandom-on-Debia.patch | 29 ++++++++++++++++++++++
package/expat/expat.hash | 8 +++---
package/expat/expat.mk | 4 ++-
3 files changed, 36 insertions(+), 5 deletions(-)
create mode 100644 package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
diff --git a/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch b/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
new file mode 100644
index 0000000000..a3025531e5
--- /dev/null
+++ b/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
@@ -0,0 +1,29 @@
+From 602e6c78ca750c082b72f8cdf4a38839b312959f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 18 Jun 2017 18:55:10 +0200
+Subject: [PATCH] configure.ac: Fix mis-detection of getrandom on Debian
+ GNU/kFreeBSD (#50)
+
+There is no such thing but we need to link (not just compile) to realize.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ expat/configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/expat/configure.ac b/expat/configure.ac
+index 1357c9a..444c002 100644
+--- a/expat/configure.ac
++++ b/expat/configure.ac
+@@ -130,7 +130,7 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([
+
+
+ AC_MSG_CHECKING([for getrandom (Linux 3.17+, glibc 2.25+)])
+-AC_COMPILE_IFELSE([AC_LANG_SOURCE([
++AC_LINK_IFELSE([AC_LANG_SOURCE([
+ #include <stdlib.h> /* for NULL */
+ #include <sys/random.h>
+ int main() {
+--
+2.11.0
+
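Review bot: the embedded upstream diff's path lines (`diff --git a/expat/configure.ac b/expat/configure.ac`, `--- a/expat/configure.ac`, `+++ b/expat/configure.ac`) keep the `expat/` subdirectory prefix of the upstream git tree, but the 2.2.1 release tarball referenced by expat.mk unpacks with `configure.ac` at its top level, so Buildroot's patch application will not find the file; strip the prefix so the paths read `a/configure.ac` and `b/configure.ac`. The substantive change, `AC_COMPILE_IFELSE` to `AC_LINK_IFELSE`, is the correct check: a system can ship `<sys/random.h>` without its libc exporting `getrandom()`, and only a link test detects that, which is exactly the situation the commit message describes.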
diff --git a/package/expat/expat.hash b/package/expat/expat.hash
index 371abdec91..595597b6fd 100644
--- a/package/expat/expat.hash
+++ b/package/expat/expat.hash
@@ -1,5 +1,5 @@
-# From https://sourceforge.net/projects/expat/files/expat/2.2.0/
-md5 2f47841c829facb346eb6e3fab5212e2 expat-2.2.0.tar.bz2
-sha1 8453bc52324be4c796fd38742ec48470eef358b3 expat-2.2.0.tar.bz2
+# From https://sourceforge.net/projects/expat/files/expat/2.2.1/
+md5 d9c3baeab58774cefc2f04faf29f2cf8 expat-2.2.1.tar.bz2
+sha1 f45eb724f182776a9cacec9ed70d549e87198987 expat-2.2.1.tar.bz2
# Calculated based on the hashes above
-sha256 d9e50ff2d19b3538bd2127902a89987474e1a4db8e43a66a4d1a712ab9a504ff expat-2.2.0.tar.bz2
+sha256 1868cadae4c82a018e361e2b2091de103cd820aaacb0d6cfa49bd2cd83978885 expat-2.2.1.tar.bz2
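Review bot: only the `md5` and `sha1` lines are cross-checked against upstream (the SourceForge listing named in the comment); the `sha256` line is, per its own comment, computed locally, so it attests that future downloads match the tarball the submitter fetched, not that the tarball matches what upstream published. Since md5 and sha1 are the weak links here, it is worth computing the sha256 from a tarball fetched independently of the build tree and recording where it was cross-checked, so the strong hash is not anchored solely on a single download.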
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index e7bb74a966..bb6e627e5b 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -4,7 +4,7 @@
#
################################################################################
-EXPAT_VERSION = 2.2.0
+EXPAT_VERSION = 2.2.1
EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.bz2
EXPAT_INSTALL_STAGING = YES
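Review bot: the context line `EXPAT_SITE = http://downloads.sourceforge.net/...` shows the tarball is still fetched over unauthenticated HTTP, so the hash file in the previous hunk is the only integrity control on the download; switching the site to `https://` in the same bump would stop download integrity from resting entirely on the locally computed sha256.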
@@ -14,6 +14,8 @@ EXPAT_DEPENDENCIES = host-pkgconf
HOST_EXPAT_DEPENDENCIES = host-pkgconf
EXPAT_LICENSE = MIT
EXPAT_LICENSE_FILES = COPYING
+# for 0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
+EXPAT_AUTORECONF = YES
$(eval $(autotools-package))
$(eval $(host-autotools-package))
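Review bot: `EXPAT_AUTORECONF = YES` is needed because the added patch edits `configure.ac` rather than the shipped `configure` script; the comment names the patch, but it would help future maintainers to also state why (the regenerated configure is what picks up the `AC_LINK_IFELSE` getrandom check), so the setting is not dropped on the next bump once the patch is upstream.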
--
2.11.0
* [Buildroot] [PATCH] expat: security bump to version 2.2.1
From: Thomas Petazzoni @ 2017-06-19 20:09 UTC (permalink / raw)
To: buildroot
Hello,
On Sun, 18 Jun 2017 23:20:04 +0200, Peter Korsgaard wrote:
> Fixes:
>
> - CVE-2017-9233 - External entity infinite loop DoS. See:
> https://libexpat.github.io/doc/cve-2017-9233/
>
> - CVE-2016-9063 -- Detect integer overflow
>
> And furthermore:
>
> - Fix regression from fix to CVE-2016-0718 cutting off longer tag names.
>
> - Extend fix for CVE-2016-5300 (use getrandom() if available).
>
> - Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
> version of SipHash).
>
> Also add an upstream patch to fix detection of getrandom().
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> ...c-Fix-mis-detection-of-getrandom-on-Debia.patch | 29 ++++++++++++++++++++++
> package/expat/expat.hash | 8 +++---
> package/expat/expat.mk | 4 ++-
> 3 files changed, 36 insertions(+), 5 deletions(-)
> create mode 100644 package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
* [Buildroot] [PATCH] expat: security bump to version 2.2.1
From: xlcwu @ 2017-06-20 5:12 UTC (permalink / raw)
To: buildroot
Hi Thomas and Peter,
Patch failed; it needs a little cosmetic fix:
a/expat/configure.ac -> a/configure.ac
b/expat/configure.ac -> b/configure.ac
$ git diff package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
diff --git a/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
b/package/expat/000
index a302553..e4fd7e8 100644
--- a/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
+++ b/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
@@ -8,13 +8,13 @@ There is no such thing but we need to link (not just
compile) to realize.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
- expat/configure.ac | 2 +-
+ configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/expat/configure.ac b/expat/configure.ac
+diff --git a/configure.ac b/configure.ac
index 1357c9a..444c002 100644
---- a/expat/configure.ac
-+++ b/expat/configure.ac
+--- a/configure.ac
++++ b/configure.ac
@@ -130,7 +130,7 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([
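Review bot: this fixup rewrites only the diffstat line and the three path lines of the embedded diff (`diff --git`, `---`, `+++`) to drop the `expat/` prefix, leaving `index 1357c9a..444c002` and the hunk body untouched, which is the minimal change needed for the patch to apply against the release tarball's top-level `configure.ac`. Note that the `diff --git` header of this fixup (`b/package/expat/000`) is truncated in the posted mail, so anyone applying it should take the change from the git commit rather than from this message.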
xlcwu
On Tue, Jun 20, 2017 at 4:09 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Hello,
>
> On Sun, 18 Jun 2017 23:20:04 +0200, Peter Korsgaard wrote:
>> Fixes:
>>
>> - CVE-2017-9233 - External entity infinite loop DoS. See:
>> https://libexpat.github.io/doc/cve-2017-9233/
>>
>> - CVE-2016-9063 -- Detect integer overflow
>>
>> And furthermore:
>>
>> - Fix regression from fix to CVE-2016-0718 cutting off longer tag names.
>>
>> - Extend fix for CVE-2016-5300 (use getrandom() if available).
>>
>> - Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
>> version of SipHash).
>>
>> Also add an upstream patch to fix detection of getrandom().
>>
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>> ---
>> ...c-Fix-mis-detection-of-getrandom-on-Debia.patch | 29 ++++++++++++++++++++++
>> package/expat/expat.hash | 8 +++---
>> package/expat/expat.mk | 4 ++-
>> 3 files changed, 36 insertions(+), 5 deletions(-)
>> create mode 100644 package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
>
> Applied to master, thanks.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux, Kernel and Android engineering
> http://free-electrons.com
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
* [Buildroot] [PATCH] expat: security bump to version 2.2.1
From: Thomas Petazzoni @ 2017-06-20 5:45 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 20 Jun 2017 13:12:23 +0800, xlcwu wrote:
> patch failed need a little cosmetic:
>
> a/expat/configure.ac -> a/configure.ac
> b/expat/configure.ac -> b/configure.ac
Thanks, I've fixed that:
https://git.buildroot.org/buildroot/commit/?id=1940a66114bb6962dfdcee928e5c5fa5f29c0be7
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
* [Buildroot] [PATCH] expat: security bump to version 2.2.1
From: Peter Korsgaard @ 2017-06-20 12:09 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@free-electrons.com> writes:
> Hello,
> On Tue, 20 Jun 2017 13:12:23 +0800, xlcwu wrote:
>> patch failed need a little cosmetic:
>>
>> a/expat/configure.ac -> a/configure.ac
>> b/expat/configure.ac -> b/configure.ac
> Thanks, I've fixed that:
> https://git.buildroot.org/buildroot/commit/?id=1940a66114bb6962dfdcee928e5c5fa5f29c0be7
> Best regards,
Sorry about that, it seems like I made a mistake when I moved from a
custom patch to picking the upstream one.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] expat: security bump to version 2.2.1
From: Peter Korsgaard @ 2017-06-26 7:49 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes:
> - CVE-2017-9233 - External entity infinite loop DoS. See:
> https://libexpat.github.io/doc/cve-2017-9233/
> - CVE-2016-9063 -- Detect integer overflow
> And furthermore:
> - Fix regression from fix to CVE-2016-0718 cutting off longer tag names.
> - Extend fix for CVE-2016-5300 (use getrandom() if available).
> - Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
> version of SipHash).
> Also add an upstream patch to fix detection of getrandom().
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed this + fixup patch to 2017.02.x and 2017.05.x, thanks.
--
Bye, Peter Korsgaard