[Buildroot] [PATCH] package/glibc: bump version for additional post-2.30 security fixes

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH] package/glibc: bump version for additional post-2.30 security fixes
@ 2020-05-12  7:22 Peter Korsgaard
  2020-05-12  7:31 ` Romain Naour
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2020-05-12  7:22 UTC (permalink / raw)
  To: buildroot

Fixes the following security vulnerabilities:

CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
  corruption when they were passed a pseudo-zero argument.  Reported by Guido
  Vranken / ForAllSecure Mayhem.

CVE-2020-1751: A defect in the PowerPC backtrace function could cause an
  out-of-bounds write when executed in a signal frame context.

CVE-2020-1752: A use-after-free vulnerability in the glob function when
  expanding ~user has been fixed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 .../glibc.hash                                                  | 2 +-
 package/glibc/glibc.mk                                          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename package/glibc/{2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91 => 2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427}/glibc.hash (70%)

diff --git a/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash b/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
similarity index 70%
rename from package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash
rename to package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
index 4283ea04b4..6677d32db9 100644
--- a/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash
+++ b/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  fe1ca8099bc2cda997d8a585f1a512e59df56c52c9c7363a4058da2725c8f4a9  glibc-2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91.tar.gz
+sha256  4462f56696332efbc5b0c2f86d7aa75a2a02c3d44bc4345fa42b5bab1225de5c  glibc-2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427.tar.gz
 
 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 2ca73343b3..4621c9c2f9 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -17,7 +17,7 @@ else
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91
+GLIBC_VERSION = 2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
 # sometimes the connection times out. So use an unofficial github mirror.
-- 
2.20.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [Buildroot] [PATCH] package/glibc: bump version for additional post-2.30 security fixes
  2020-05-12  7:22 [Buildroot] [PATCH] package/glibc: bump version for additional post-2.30 security fixes Peter Korsgaard
@ 2020-05-12  7:31 ` Romain Naour
  2020-05-12  8:53   ` Peter Korsgaard
  0 siblings, 1 reply; 3+ messages in thread
From: Romain Naour @ 2020-05-12  7:31 UTC (permalink / raw)
  To: buildroot

Hi Peter,

Le 12/05/2020 ? 09:22, Peter Korsgaard a ?crit?:
> Fixes the following security vulnerabilities:
> 
> CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
>   corruption when they were passed a pseudo-zero argument.  Reported by Guido
>   Vranken / ForAllSecure Mayhem.
> 
> CVE-2020-1751: A defect in the PowerPC backtrace function could cause an
>   out-of-bounds write when executed in a signal frame context.
> 
> CVE-2020-1752: A use-after-free vulnerability in the glob function when
>   expanding ~user has been fixed.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  .../glibc.hash                                                  | 2 +-
>  package/glibc/glibc.mk                                          | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>  rename package/glibc/{2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91 => 2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427}/glibc.hash (70%)
> 
> diff --git a/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash b/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
> similarity index 70%
> rename from package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash
> rename to package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
> index 4283ea04b4..6677d32db9 100644
> --- a/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash
> +++ b/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
> @@ -1,5 +1,5 @@
>  # Locally calculated (fetched from Github)
> -sha256  fe1ca8099bc2cda997d8a585f1a512e59df56c52c9c7363a4058da2725c8f4a9  glibc-2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91.tar.gz
> +sha256  4462f56696332efbc5b0c2f86d7aa75a2a02c3d44bc4345fa42b5bab1225de5c  glibc-2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427.tar.gz
>  
>  # Hashes for license files
>  sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 2ca73343b3..4621c9c2f9 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -17,7 +17,7 @@ else
>  # Generate version string using:
>  #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
>  # When updating the version, please also update localedef

We should keep localdef package at the same version as glibc :)

Best regards,
Romain

> -GLIBC_VERSION = 2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91
> +GLIBC_VERSION = 2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427
>  # Upstream doesn't officially provide an https download link.
>  # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
>  # sometimes the connection times out. So use an unofficial github mirror.
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Buildroot] [PATCH] package/glibc: bump version for additional post-2.30 security fixes
  2020-05-12  7:31 ` Romain Naour
@ 2020-05-12  8:53   ` Peter Korsgaard
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-05-12  8:53 UTC (permalink / raw)
  To: buildroot

>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:

 > Hi Peter,
 > Le 12/05/2020 ? 09:22, Peter Korsgaard a ?crit?:
 >> Fixes the following security vulnerabilities:
 >> 
 >> CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
 >> corruption when they were passed a pseudo-zero argument.  Reported by Guido
 >> Vranken / ForAllSecure Mayhem.
 >> 
 >> CVE-2020-1751: A defect in the PowerPC backtrace function could cause an
 >> out-of-bounds write when executed in a signal frame context.
 >> 
 >> CVE-2020-1752: A use-after-free vulnerability in the glob function when
 >> expanding ~user has been fixed.
 >> 
 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 >> ---
 >> .../glibc.hash                                                  | 2 +-
 >> package/glibc/glibc.mk                                          | 2 +-
 >> 2 files changed, 2 insertions(+), 2 deletions(-)
 >> rename package/glibc/{2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91 => 2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427}/glibc.hash (70%)
 >> 
 >> diff --git a/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash b/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
 >> similarity index 70%
 >> rename from package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash
 >> rename to package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
 >> index 4283ea04b4..6677d32db9 100644
 >> --- a/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash
 >> +++ b/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
 >> @@ -1,5 +1,5 @@
 >> # Locally calculated (fetched from Github)
 >> -sha256  fe1ca8099bc2cda997d8a585f1a512e59df56c52c9c7363a4058da2725c8f4a9  glibc-2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91.tar.gz
 >> +sha256  4462f56696332efbc5b0c2f86d7aa75a2a02c3d44bc4345fa42b5bab1225de5c  glibc-2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427.tar.gz
 >> 
 >> # Hashes for license files
 >> sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
 >> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
 >> index 2ca73343b3..4621c9c2f9 100644
 >> --- a/package/glibc/glibc.mk
 >> +++ b/package/glibc/glibc.mk
 >> @@ -17,7 +17,7 @@ else
 >> # Generate version string using:
 >> #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 >> # When updating the version, please also update localedef

 > We should keep localdef package at the same version as glibc :)

Argh, indeed. Will fix.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-05-12  8:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-05-12  7:22 [Buildroot] [PATCH] package/glibc: bump version for additional post-2.30 security fixes Peter Korsgaard
2020-05-12  7:31 ` Romain Naour
2020-05-12  8:53   ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.