* [Buildroot] [PATCH 1/1] package/libcoap: bump to version 4.3.4
@ 2023-11-01 22:37 Fabrice Fontaine
2023-11-02 13:41 ` Thomas Petazzoni via buildroot
0 siblings, 1 reply; 2+ messages in thread
From: Fabrice Fontaine @ 2023-11-01 22:37 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine, Joris Lijssens
- Drop patch (already in version)
- LIBCOAP_IGNORE_CVES is not needed after bump
- Update hash of license file: LGPL-2.1 added when RIOT support with
https://github.com/obgm/libcoap/commit/8d869fff047d34a1c825ffc1bab5d3fde28c75b7
https://github.com/obgm/libcoap/blob/v4.3.4/ChangeLog
https://github.com/obgm/libcoap/compare/v4.3.1...v4.3.4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...0001-Backport-fix-for-CVE-2023-30362.patch | 59 -------------------
package/libcoap/libcoap.hash | 4 +-
package/libcoap/libcoap.mk | 6 +-
3 files changed, 3 insertions(+), 66 deletions(-)
delete mode 100644 package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
diff --git a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
deleted file mode 100644
index ddc5329299..0000000000
--- a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From c63ecbdc6b38cc7e571a72964fe9ca63834dcc89 Mon Sep 17 00:00:00 2001
-From: Jon Shallow <supjps-libcoap@jpshallow.com>
-Date: Wed, 6 Sep 2023 21:38:13 +0200
-Subject: [PATCH] Backport fix for CVE-2023-30362
-
-Upstream: https://github.com/obgm/libcoap/issues/1063#issuecomment-1626962307
-Signed-off-by: Daniel Lang <dalang@gmx.at>
----
- src/net.c | 34 +++++++++++++++++++++-------------
- 1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/src/net.c b/src/net.c
-index 98859443..e259ab00 100644
---- a/src/net.c
-+++ b/src/net.c
-@@ -1305,19 +1305,27 @@ coap_send_internal(coap_session_t *session, coap_pdu_t *pdu) {
-
- /* Need to check that we are not seeing this proxy in the return loop */
- if (pdu->data && opt == NULL) {
-- if (pdu->used_size + 1 <= pdu->max_size) {
-- char *a_match;
-- size_t data_len = pdu->used_size - (pdu->data - pdu->token);
-- pdu->data[data_len] = '\000';
-- a_match = strstr((char*)pdu->data, cp);
-- if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
-- ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
-- a_match[len] == ' ')) {
-- coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
-- (char*)pdu->data);
-- coap_delete_pdu(pdu);
-- return (coap_mid_t)COAP_DROPPED_RESPONSE;
-- }
-+ char *a_match;
-+ size_t data_len;
-+
-+ if (pdu->used_size + 1 > pdu->max_size) {
-+ /* No space */
-+ return (coap_mid_t)COAP_DROPPED_RESPONSE;
-+ }
-+ if (!coap_pdu_resize(pdu, pdu->used_size + 1)) {
-+ /* Internal error */
-+ return (coap_mid_t)COAP_DROPPED_RESPONSE;
-+ }
-+ data_len = pdu->used_size - (pdu->data - pdu->token);
-+ pdu->data[data_len] = '\000';
-+ a_match = strstr((char*)pdu->data, cp);
-+ if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
-+ ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
-+ a_match[len] == ' ')) {
-+ coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
-+ (char*)pdu->data);
-+ coap_delete_pdu(pdu);
-+ return (coap_mid_t)COAP_DROPPED_RESPONSE;
- }
- }
- if (pdu->used_size + len + 1 <= pdu->max_size) {
---
-2.42.0
-
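Review bot: the removal of 0001-Backport-fix-for-CVE-2023-30362.patch is justified in the commit message only as "already in version", and the patch's own Upstream: tag points at an issue comment (issues/1063#issuecomment-1626962307) rather than a commit. Nothing in this mail lets a reader confirm that 4.3.4 carries the `coap_pdu_resize(pdu, pdu->used_size + 1)` check ahead of the `pdu->data[data_len] = '\000'` write in coap_send_internal(). Please name the upstream commit or release that contains the fix in the commit message.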
diff --git a/package/libcoap/libcoap.hash b/package/libcoap/libcoap.hash
index e0006b62af..20abb94f8f 100644
--- a/package/libcoap/libcoap.hash
+++ b/package/libcoap/libcoap.hash
@@ -1,4 +1,4 @@
# Locally calculated
-sha256 074a71deca01e06d3acb00a1416d0fbeb87d130f40a3c0f6fda3a5c711855dca libcoap-4.3.1.tar.gz
+sha256 ae61a48c21f7b40e1442c9e1da9aab9e6f2cf0deccb02f3fed4de232a0b0522e libcoap-4.3.4.tar.gz
sha256 09dd86a017bad210527085008cbf706609c58210897b69845af14099577e7eb7 COPYING
-sha256 5711e8bf7e94b59fcf0681d0f73752111bc196563b60f8568f19dacd0213192b LICENSE
+sha256 bdd94ddd8e75010aebd045ead1c951110788003395c708811d6960248acb3891 LICENSE
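Review bot: the LICENSE hash on the last line changes because, per the commit message, LGPL-2.1 text was added to that file, yet libcoap.mk still declares `LIBCOAP_LICENSE = BSD-2-Clause`. Either update LIBCOAP_LICENSE to match, or state in the commit message why the LGPL-2.1 part does not apply to what Buildroot builds, so that the legal-info output stays accurate.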
diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
index 94bfc59702..62f08a20e9 100644
--- a/package/libcoap/libcoap.mk
+++ b/package/libcoap/libcoap.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBCOAP_VERSION = 4.3.1
+LIBCOAP_VERSION = 4.3.4
LIBCOAP_SITE = $(call github,obgm,libcoap,v$(LIBCOAP_VERSION))
LIBCOAP_INSTALL_STAGING = YES
LIBCOAP_LICENSE = BSD-2-Clause
@@ -14,10 +14,6 @@ LIBCOAP_DEPENDENCIES = host-pkgconf
LIBCOAP_CONF_OPTS = \
--disable-examples --disable-examples-source --without-tinydtls
LIBCOAP_AUTORECONF = YES
-# 0001-Backport-fix-for-CVE-2023-30362.patch
-LIBCOAP_IGNORE_CVES += CVE-2023-30362
-# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
-LIBCOAP_IGNORE_CVES += CVE-2023-35862
ifeq ($(BR2_PACKAGE_GNUTLS),y)
LIBCOAP_DEPENDENCIES += gnutls
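Review bot: dropping `LIBCOAP_IGNORE_CVES += CVE-2023-35862` needs its own justification, separate from the CVE-2023-30362 entry that goes away with the backport. The removed comment said the CVE "Doesn't affect 4.3.1", which says nothing about 4.3.4, and the commit message only states that LIBCOAP_IGNORE_CVES "is not needed after bump". Please state for each of the two CVEs why it no longer needs an ignore entry at 4.3.4 (fixed upstream in which release, or not applicable), so the CVE check result after this bump can be verified.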
--
2.42.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot