From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2, 1/1] package/netatalk: security bump to version 3.1.17
Date: Wed, 20 Sep 2023 19:42:32 +0200
Message-ID: <20230920174232.GK512384@scaer>
In-Reply-To: <20230919205058.446156-1-fontaine.fabrice@gmail.com>

Fabrice, All,

On 2023-09-19 22:50 +0200, Fabrice Fontaine spake thusly:
> - Drop patches (already in version) and so autoreconf
> - Update COPYING hash (gpl mailing address updated with
>   https://github.com/Netatalk/netatalk/commit/9bd45cc06e02e9bbfe8156bb1e5e2843b7727a51
>   https://github.com/Netatalk/netatalk/commit/6a5997fbd64d6cd5a5400ea6a0a930d005ed89df)
> - Fix CVE-2022-43634: This vulnerability allows remote attackers to
>   execute arbitrary code on affected installations of Netatalk.
>   Authentication is not required to exploit this vulnerability. The
>   specific flaw exists within the dsi_writeinit function. The issue
>   results from the lack of proper validation of the length of
>   user-supplied data prior to copying it to a fixed-length heap-based
>   buffer. An attacker can leverage this vulnerability to execute code in
>   the context of root. Was ZDI-CAN-17646.
> - Fix CVE-2022-45188: Netatalk through 3.1.13 has an afp_getappl
>   heap-based buffer overflow resulting in code execution via a crafted
>   .appl file. This provides remote root access on some platforms such as
>   FreeBSD (used for TrueNAS).
> - Fix CVE-2023-42464: Validate data type in dalloc_value_for_key()
> 
> https://github.com/Netatalk/netatalk/blob/netatalk-3-1-17/NEWS
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
> Changes v1 -> v2:
>  - Update .checkpackageignore
> 
>  .checkpackageignore                           |  2 -
>  ...ng-of-LD_LIBRARY_FLAGS-shlibpath_var.patch | 48 -------------------
>  ..._compat.h-fix-build-with-libressl-2..patch | 43 -----------------
>  package/netatalk/netatalk.hash                | 10 ++--
>  package/netatalk/netatalk.mk                  |  8 ++--
>  5 files changed, 8 insertions(+), 103 deletions(-)
>  delete mode 100644 package/netatalk/0001-Fix-setting-of-LD_LIBRARY_FLAGS-shlibpath_var.patch
>  delete mode 100644 package/netatalk/0002-etc-uams-openssl_compat.h-fix-build-with-libressl-2..patch
> 
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 73a00d610c..8acd9558eb 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -947,8 +947,6 @@ package/neard/S53neard Indent Shellcheck Variables
>  package/neardal/0001-lib-neardal.h-fix-build-with-gcc-10.patch Upstream
>  package/neon/0001-Revert-Advertise-TS_SSL-feature-with-OpenSSL-1.1.0.patch Upstream
>  package/neon/0002-configure.ac-fix-autoreconf.patch Upstream
> -package/netatalk/0001-Fix-setting-of-LD_LIBRARY_FLAGS-shlibpath_var.patch Upstream
> -package/netatalk/0002-etc-uams-openssl_compat.h-fix-build-with-libressl-2..patch Upstream
>  package/netatalk/S50netatalk EmptyLastLine Indent Variables
>  package/netcat/0001-signed-bit-counting.patch Sob Upstream
>  package/netopeer2/S52netopeer2 Shellcheck Variables
> diff --git a/package/netatalk/0001-Fix-setting-of-LD_LIBRARY_FLAGS-shlibpath_var.patch b/package/netatalk/0001-Fix-setting-of-LD_LIBRARY_FLAGS-shlibpath_var.patch
> deleted file mode 100644
> index 01d5776596..0000000000
> --- a/package/netatalk/0001-Fix-setting-of-LD_LIBRARY_FLAGS-shlibpath_var.patch
> +++ /dev/null
> @@ -1,48 +0,0 @@
> -From 60d100713b5289948e9cdf5b0646ff3cdd2c206b Mon Sep 17 00:00:00 2001
> -From: "Arnout Vandecappelle (Essensium/Mind)" <arnout@mind.be>
> -Date: Mon, 17 Dec 2012 22:32:44 +0100
> -Subject: [PATCH] Fix setting of LD_LIBRARY_FLAGS ($shlibpath_var).
> -
> -LD_LIBRARY_PATH should not be set when cross-compiling, because it
> -adds the cross-libraries to the build's LD-path.
> -
> -Also the restoring of LD_LIBRARY_PATH was done incorrectly: it would
> -set LD_LIBRARY_PATH=LD_LIBRARY_PATH.
> -
> -Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
> ----
> - macros/db3-check.m4 |    6 +++---
> - 1 file changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/macros/db3-check.m4 b/macros/db3-check.m4
> -index 902220b..d5a5446 100644
> ---- a/macros/db3-check.m4
> -+++ b/macros/db3-check.m4
> -@@ -94,7 +94,7 @@ if test "x$bdb_required" = "xyes"; then
> -     savedldflags="$LDFLAGS"
> -     savedcppflags="$CPPFLAGS"
> -     savedlibs="$LIBS"
> --    saved_shlibpath_var=$shlibpath_var
> -+    eval saved_shlibpath_var=\$$shlibpath_var
> - 
> -     dnl required BDB version: 4.6, because of cursor API change
> -     DB_MAJOR_REQ=4
> -@@ -148,7 +148,7 @@ if test "x$bdb_required" = "xyes"; then
> -                         dnl -- LD_LIBRARY_PATH on many platforms. This will be fairly
> -                         dnl -- portable hopefully. Reference:
> -                         dnl -- http://lists.gnu.org/archive/html/autoconf/2009-03/msg00040.html
> --                        eval export $shlibpath_var=$bdblibdir
> -+                        test "$cross_compiling" = yes || eval export $shlibpath_var=$bdblibdir
> -                         NETATALK_BDB_TRY_LINK
> -                         eval export $shlibpath_var=$saved_shlibpath_var
> - 
> -@@ -171,7 +171,7 @@ if test "x$bdb_required" = "xyes"; then
> -                            CPPFLAGS="-I${bdbdir}/include${subdir} $CPPFLAGS"
> -                            LDFLAGS="-L$bdblibdir $LDFLAGS"
> - 
> --                           eval export $shlibpath_var=$bdblibdir
> -+                           test "$cross_compiling" = yes || eval export $shlibpath_var=$bdblibdir
> -                            NETATALK_BDB_TRY_LINK
> -                            eval export $shlibpath_var=$saved_shlibpath_var
> - 
> --- 
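
Review bot: The `test "$cross_compiling" = yes ||` guard in the last two sub-hunks of this dropped patch is what kept the cross-libraries out of the build's library path, and NETATALK_AUTORECONF is removed along with it in netatalk.mk. The commit message only says "already in version"; please name the upstream commit that carries the same change to macros/db3-check.m4 so the drop can be checked against 3.1.17.
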
> diff --git a/package/netatalk/0002-etc-uams-openssl_compat.h-fix-build-with-libressl-2..patch b/package/netatalk/0002-etc-uams-openssl_compat.h-fix-build-with-libressl-2..patch
> deleted file mode 100644
> index 05913862f6..0000000000
> --- a/package/netatalk/0002-etc-uams-openssl_compat.h-fix-build-with-libressl-2..patch
> +++ /dev/null
> @@ -1,43 +0,0 @@
> -From 58ddc137021a938f37c3794305a839f8df449d3f Mon Sep 17 00:00:00 2001
> -From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> -Date: Tue, 5 Apr 2022 23:59:15 +0200
> -Subject: [PATCH] etc/uams/openssl_compat.h: fix build with libressl >= 2.7.0
> -
> -Fix the following build failure with libressl >= 2.7.0 which added
> -DH_set0_pqg with
> -https://github.com/libressl-portable/openbsd/commit/848e2a019c796b685fc8c5848283b86e48fbe0bf:
> -
> -In file included from uams_dhx_passwd.c:35:
> -openssl_compat.h:15:19: error: static declaration of 'DH_set0_pqg' follows non-static declaration
> -   15 | inline static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
> -      |                   ^~~~~~~~~~~
> -In file included from uams_dhx_passwd.c:33:
> -/home/autobuild/autobuild/instance-2/output-1/host/mips64-buildroot-linux-uclibc/sysroot/usr/include/openssl/dh.h:195:5: note: previous declaration of 'DH_set0_pqg' was here
> -  195 | int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
> -      |     ^~~~~~~~~~~
> -
> -Fixes:
> - - http://autobuild.buildroot.org/results/fc6e308f346570f8198542602bc8c1bdd0a4869e
> -
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> -[Upstream status: not sent yet]
> ----
> - etc/uams/openssl_compat.h | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/etc/uams/openssl_compat.h b/etc/uams/openssl_compat.h
> -index ded377bc..5cc8de34 100644
> ---- a/etc/uams/openssl_compat.h
> -+++ b/etc/uams/openssl_compat.h
> -@@ -11,7 +11,7 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
> - #ifndef OPENSSL_COMPAT_H
> - #define OPENSSL_COMPAT_H
> - 
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000L)
> - inline static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
> - {
> -    /* If the fields p and g in d are NULL, the corresponding input
> --- 
> -2.35.1
> -
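
Review bot: The header of this dropped patch still reads `[Upstream status: not sent yet]`, which does not match the commit message's "already in version". Please cite the upstream change that restricts the DH_set0_pqg fallback to LibreSSL older than 2.7.0, or state that a libressl build of 3.1.17 was done and no longer fails with the "static declaration of 'DH_set0_pqg' follows non-static declaration" error.
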
> diff --git a/package/netatalk/netatalk.hash b/package/netatalk/netatalk.hash
> index 6dead5457c..a35e6bc36c 100644
> --- a/package/netatalk/netatalk.hash
> +++ b/package/netatalk/netatalk.hash
> @@ -1,7 +1,7 @@
> -# From http://sourceforge.net/projects/netatalk/files/netatalk/3.1.13/
> -md5  697421623c32ee0ab9c8076191766e5f  netatalk-3.1.13.tar.bz2
> -sha1  16dd7fa84962a44b36b795b8c44393e728785947  netatalk-3.1.13.tar.bz2
> +# From http://sourceforge.net/projects/netatalk/files/netatalk/3.1.17/
> +md5  a6429a28948f85b69c9012fb437dd9c2  netatalk-3.1.17.tar.xz
> +sha1  bc6578d9fa874b3816fd4ddd60a30a8f3aadc71d  netatalk-3.1.17.tar.xz
>  # Locally computed
> -sha256  89ada6bcfe1b39ad94f58c236654d1d944f2645c3e7de98b3374e0bd37d5e05d  netatalk-3.1.13.tar.bz2
> -sha256  32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670  COPYING
> +sha256  8c208e2c94bf3047db33cdbc3ce4325d2b80db61d6cc527f18f9dbd8e95b5cff  netatalk-3.1.17.tar.xz
> +sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
>  sha256  7599ae145e53be03a08f8b558b2f2e0c828e1630f1843cc04f41981b8cefcd65  COPYRIGHT
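
Review bot: The comment on the first `+` line points at .../files/netatalk/3.1.17/, while NETATALK_SITE in netatalk.mk now uses a netatalk-3-1-17 style directory, so the comment should name the location the md5 and sha1 values were actually taken from. That source is plain http and md5/sha1 are weak, which leaves the locally computed sha256 as the only meaningful integrity check; for a security bump it is worth stating in the commit message how the tarball was obtained before it was hashed.
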
> diff --git a/package/netatalk/netatalk.mk b/package/netatalk/netatalk.mk
> index 7cc950beb6..a47bfa7e84 100644
> --- a/package/netatalk/netatalk.mk
> +++ b/package/netatalk/netatalk.mk
> @@ -4,11 +4,9 @@
>  #
>  ################################################################################
>  
> -NETATALK_VERSION = 3.1.13
> -NETATALK_SITE = http://downloads.sourceforge.net/project/netatalk/netatalk/$(NETATALK_VERSION)
> -NETATALK_SOURCE = netatalk-$(NETATALK_VERSION).tar.bz2
> -# For 0001-Fix-setting-of-LD_LIBRARY_FLAGS-shlibpath_var.patch
> -NETATALK_AUTORECONF = YES
> +NETATALK_VERSION = 3.1.17
> +NETATALK_SITE = http://downloads.sourceforge.net/project/netatalk/netatalk-$(subst .,-,$(NETATALK_VERSION))
> +NETATALK_SOURCE = netatalk-$(NETATALK_VERSION).tar.xz
>  NETATALK_CONFIG_SCRIPTS = netatalk-config
>  NETATALK_DEPENDENCIES = host-pkgconf openssl berkeleydb libgcrypt libgpg-error \
>  	libevent
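
Review bot: The new NETATALK_SITE line keeps the http:// scheme and switches the directory to a `$(subst .,-,$(NETATALK_VERSION))` form with no comment explaining the new layout. Suggest using https if the mirror serves it, and adding a one-line comment that the download directory is now dash-separated, so the next version bump does not break the download without anyone noticing why.
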
> -- 
> 2.40.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

Thread overview: 3+ messages
2023-09-19 20:50 [Buildroot] [PATCH v2, 1/1] package/netatalk: security bump to version 3.1.17 Fabrice Fontaine
2023-09-20 17:42 ` Yann E. MORIN [this message]
2023-09-25  7:54 ` Peter Korsgaard