From: Peter Korsgaard <peter@korsgaard.com>
To: Julien Olivain <ju.o@free.fr>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/xz: add security patches fixing CVE-2025-31115
Date: Wed, 14 May 2025 14:57:23 +0200
Message-ID: <87a57ftkng.fsf@dell.be.48ers.dk>
In-Reply-To: <20250509191040.253049-1-ju.o@free.fr> (Julien Olivain's message of "Fri, 9 May 2025 21:10:40 +0200")
>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:
> This commit adds four upstream patches fixing the CVE-2025-31115
> vulnerability. The reason there are four patches instead of one is to
> exactly follow the advisory recommendation [1], which proposes the
> patch [2]. This patch is in fact a concatenation of four commits. In
> Buildroot, we track package patches as formatted by git, with extra
> "Upstream:" headers. The patch [2] was split here into four for
> clearer traceability.
>
> With the addition of those patches, XZ_IGNORE_CVES is set
> accordingly.
>
> Fixes:
> https://www.cve.org/CVERecord?id=CVE-2025-31115
>
> [1] https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
> [2] https://tukaani.org/xz/xz-cve-2025-31115.patch
>
> Signed-off-by: Julien Olivain <ju.o@free.fr>
> ---
> Patch tested in:
> https://gitlab.com/jolivain/buildroot/-/jobs/9989403875
>
> Note: I am aware that another security bump was proposed in:
> https://patchwork.ozlabs.org/project/buildroot/patch/20250501092633.84651-1-kadambini.nema@gmail.com/
>
> This proposal includes both the major version bump (from 5.6.4 to
> 5.8.1) and the CVE-2025-31115 security fix. This makes LTS branch
> maintenance harder.
>
> I propose this patch instead to help the LTS branches. The 5.8.1
> bump can be applied right after.
Agreed. Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
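For readers who want to check the two conventions the commit message relies on (git-formatted patches carrying an extra "Upstream:" header, and each fixed CVE listed in the package's IGNORE_CVES variable), the following is an added example check script. It is not Buildroot's own tooling and is not part of this thread. The package layout it assumes (package/<name>/NNNN-*.patch beside package/<name>/<name>.mk), the function names, and the sample patch and .mk contents are all constructed for the example; CVE-2099-00001 in the sample is a placeholder, not a real identifier.

```shell
#!/bin/sh
# Added example, not Buildroot's own tooling: sanity-check a package
# directory after security patches are added. Assumed layout:
# package/<name>/NNNN-*.patch are git-formatted patches with an extra
# "Upstream:" header, and package/<name>/<name>.mk lists every fixed
# CVE in <NAME>_IGNORE_CVES. All names and sample data are constructed.

# Return 0 if every patch has an Upstream: header and every CVE a patch
# names is present in <NAME>_IGNORE_CVES; otherwise print each problem
# (one line per problem) and return 1.
check_package_patches() {
    pkgdir=$1
    pkgname=$(basename "$pkgdir")
    upper=$(printf '%s' "$pkgname" | tr 'a-z-' 'A-Z_')
    mk="$pkgdir/$pkgname.mk"
    status=0
    if [ ! -f "$mk" ]; then
        echo "$pkgdir: missing $pkgname.mk"
        return 1
    fi
    for p in "$pkgdir"/[0-9][0-9][0-9][0-9]-*.patch; do
        [ -e "$p" ] || continue
        # The git header block ends at the first blank line.
        if ! sed '/^$/q' "$p" | grep -q '^Upstream: '; then
            echo "$p: missing Upstream: header"
            status=1
        fi
        # Every CVE the patch mentions must be ignored in the .mk file.
        for cve in $(grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' "$p" | sort -u); do
            if ! grep -q "^${upper}_IGNORE_CVES *+= *${cve}\$" "$mk"; then
                echo "$p: $cve is not in ${upper}_IGNORE_CVES"
                status=1
            fi
        done
    done
    return $status
}

# Build a throwaway package tree with one conforming and one
# non-conforming patch (constructed sample data; CVE-2099-00001 is a
# placeholder, not a real identifier). Prints the package directory.
make_sample_tree() {
    d="$1/package/xz"
    mkdir -p "$d"
    cat > "$d/xz.mk" <<'EOF'
XZ_VERSION = 5.6.4
XZ_IGNORE_CVES += CVE-2025-31115
EOF
    cat > "$d/0001-good.patch" <<'EOF'
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Author <author@example.invalid>
Date: Thu, 1 Jan 2025 00:00:00 +0000
Subject: [PATCH] liblzma: sample fix for CVE-2025-31115
Upstream: https://example.invalid/xz/commit/0000000

---
 src/liblzma/example.c | 1 +
EOF
    cat > "$d/0002-bad.patch" <<'EOF'
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Author <author@example.invalid>
Subject: [PATCH] sample fix for CVE-2099-00001 without Upstream header

---
 src/liblzma/example.c | 1 +
EOF
    echo "$d"
}

# Stand-alone usage: report on the sample tree, then again after the
# non-conforming patch is removed.
demo() {
    tmp=$(mktemp -d)
    pkg=$(make_sample_tree "$tmp")
    check_package_patches "$pkg" || echo "sample tree: problems found (expected)"
    rm "$pkg/0002-bad.patch"
    check_package_patches "$pkg" && echo "sample tree: clean after removing 0002"
    rm -rf "$tmp"
}

demo
```

The Upstream: check only looks at the git header block, so a URL mentioned in the patch body or in a Subject: line does not satisfy it; the CVE check is deliberately strict about the exact `<NAME>_IGNORE_CVES += CVE-...` form so that a typo in the variable name is caught rather than silently ignored.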
Thread overview: 3+ messages
2025-05-09 19:10 [Buildroot] [PATCH 1/1] package/xz: add security patches fixing CVE-2025-31115 Julien Olivain
2025-05-14 12:57 ` Peter Korsgaard [this message]
2025-05-16 11:19 ` Arnout Vandecappelle via buildroot