* [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1
@ 2022-07-19 22:21 Fabrice Fontaine
2022-07-23 15:03 ` Arnout Vandecappelle
2022-08-14 18:59 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-07-19 22:21 UTC (permalink / raw)
To: buildroot; +Cc: Matt Weber, Fabrice Fontaine
- Fix CVE-2022-33070: Protobuf-c v1.4.0 was discovered to contain an
invalid arithmetic shift via the function parse_tag_and_wiretype in
protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause
a Denial of Service (DoS) via unspecified vectors.
- Use official tarball (and so drop autoreconf)
- Update hash of COPYING (year updated with
https://github.com/protobuf-c/protobuf-c/commit/471aaa5f6d54406c6c17bf3179d5aea18f15073b)
https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/protobuf-c/protobuf-c.hash | 4 ++--
package/protobuf-c/protobuf-c.mk | 6 ++----
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/package/protobuf-c/protobuf-c.hash b/package/protobuf-c/protobuf-c.hash
index 13e1b474bc..ec00442277 100644
--- a/package/protobuf-c/protobuf-c.hash
+++ b/package/protobuf-c/protobuf-c.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 1068bca1e9870e9492096f97c409cd15f10c5019c183e52ec6d53e8d18630cbf protobuf-c-1.4.0.tar.gz
-sha256 20e800cad4550f4b19bb37fc9577dac21de13333ae66497c4c45ae489c35c34a LICENSE
+sha256 4cc4facd508172f3e0a4d3a8736225d472418aee35b4ad053384b137b220339f protobuf-c-1.4.1.tar.gz
+sha256 b8999cb392cc5bbe8cd679de59584ad8d2f26033123e76f1d662fa14b9d4f287 LICENSE
diff --git a/package/protobuf-c/protobuf-c.mk b/package/protobuf-c/protobuf-c.mk
index 7dd3b09a6c..0742a33db2 100644
--- a/package/protobuf-c/protobuf-c.mk
+++ b/package/protobuf-c/protobuf-c.mk
@@ -4,8 +4,8 @@
#
################################################################################
-PROTOBUF_C_VERSION = 1.4.0
-PROTOBUF_C_SITE = $(call github,protobuf-c,protobuf-c,v$(PROTOBUF_C_VERSION))
+PROTOBUF_C_VERSION = 1.4.1
+PROTOBUF_C_SITE = https://github.com/protobuf-c/protobuf-c/releases/download/v$(PROTOBUF_C_VERSION)
PROTOBUF_C_DEPENDENCIES = host-protobuf-c
HOST_PROTOBUF_C_DEPENDENCIES = host-protobuf host-pkgconf
PROTOBUF_C_MAKE = $(MAKE1)
@@ -14,8 +14,6 @@ PROTOBUF_C_INSTALL_STAGING = YES
PROTOBUF_C_LICENSE = BSD-2-Clause
PROTOBUF_C_LICENSE_FILES = LICENSE
PROTOBUF_C_CPE_ID_VENDOR = protobuf-c_project
-PROTOBUF_C_AUTORECONF = YES
-HOST_PROTOBUF_C_AUTORECONF = YES
# host-protobuf needs c++11 (since 3.6.0)
HOST_PROTOBUF_C_CONF_ENV += CXXFLAGS="$(HOST_CXXFLAGS) -std=c++11"
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1
2022-07-19 22:21 [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1 Fabrice Fontaine
@ 2022-07-23 15:03 ` Arnout Vandecappelle
2022-08-14 18:59 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Arnout Vandecappelle @ 2022-07-23 15:03 UTC (permalink / raw)
To: Fabrice Fontaine, buildroot; +Cc: Matt Weber
On 20/07/2022 00:21, Fabrice Fontaine wrote:
> - Fix CVE-2022-33070: Protobuf-c v1.4.0 was discovered to contain an
> invalid arithmetic shift via the function parse_tag_and_wiretype in
> protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause
> a Denial of Service (DoS) via unspecified vectors.
> - Use official tarball (and so drop autoreconf)
> - Update hash of COPYING (year updated with
> https://github.com/protobuf-c/protobuf-c/commit/471aaa5f6d54406c6c17bf3179d5aea18f15073b)
>
> https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> package/protobuf-c/protobuf-c.hash | 4 ++--
> package/protobuf-c/protobuf-c.mk | 6 ++----
> 2 files changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/package/protobuf-c/protobuf-c.hash b/package/protobuf-c/protobuf-c.hash
> index 13e1b474bc..ec00442277 100644
> --- a/package/protobuf-c/protobuf-c.hash
> +++ b/package/protobuf-c/protobuf-c.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256 1068bca1e9870e9492096f97c409cd15f10c5019c183e52ec6d53e8d18630cbf protobuf-c-1.4.0.tar.gz
> -sha256 20e800cad4550f4b19bb37fc9577dac21de13333ae66497c4c45ae489c35c34a LICENSE
> +sha256 4cc4facd508172f3e0a4d3a8736225d472418aee35b4ad053384b137b220339f protobuf-c-1.4.1.tar.gz
> +sha256 b8999cb392cc5bbe8cd679de59584ad8d2f26033123e76f1d662fa14b9d4f287 LICENSE
> diff --git a/package/protobuf-c/protobuf-c.mk b/package/protobuf-c/protobuf-c.mk
> index 7dd3b09a6c..0742a33db2 100644
> --- a/package/protobuf-c/protobuf-c.mk
> +++ b/package/protobuf-c/protobuf-c.mk
> @@ -4,8 +4,8 @@
> #
> ################################################################################
>
> -PROTOBUF_C_VERSION = 1.4.0
> -PROTOBUF_C_SITE = $(call github,protobuf-c,protobuf-c,v$(PROTOBUF_C_VERSION))
> +PROTOBUF_C_VERSION = 1.4.1
> +PROTOBUF_C_SITE = https://github.com/protobuf-c/protobuf-c/releases/download/v$(PROTOBUF_C_VERSION)
> PROTOBUF_C_DEPENDENCIES = host-protobuf-c
> HOST_PROTOBUF_C_DEPENDENCIES = host-protobuf host-pkgconf
> PROTOBUF_C_MAKE = $(MAKE1)
> @@ -14,8 +14,6 @@ PROTOBUF_C_INSTALL_STAGING = YES
> PROTOBUF_C_LICENSE = BSD-2-Clause
> PROTOBUF_C_LICENSE_FILES = LICENSE
> PROTOBUF_C_CPE_ID_VENDOR = protobuf-c_project
> -PROTOBUF_C_AUTORECONF = YES
> -HOST_PROTOBUF_C_AUTORECONF = YES
>
> # host-protobuf needs c++11 (since 3.6.0)
> HOST_PROTOBUF_C_CONF_ENV += CXXFLAGS="$(HOST_CXXFLAGS) -std=c++11"
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1
2022-07-19 22:21 [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1 Fabrice Fontaine
2022-07-23 15:03 ` Arnout Vandecappelle
@ 2022-08-14 18:59 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-08-14 18:59 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Matt Weber, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2022-33070: Protobuf-c v1.4.0 was discovered to contain an
> invalid arithmetic shift via the function parse_tag_and_wiretype in
> protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause
> a Denial of Service (DoS) via unspecified vectors.
> - Use official tarball (and so drop autoreconf)
> - Update hash of COPYING (year updated with
> https://github.com/protobuf-c/protobuf-c/commit/471aaa5f6d54406c6c17bf3179d5aea18f15073b)
> https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2022.05.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-08-14 19:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-19 22:21 [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1 Fabrice Fontaine
2022-07-23 15:03 ` Arnout Vandecappelle
2022-08-14 18:59 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.