From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/sudo: security bump to version 1.9.15p5
Date: Mon, 8 Jan 2024 23:19:30 +0100
Message-ID: <ZZx08mDAbYBN2hw8@landeda>
In-Reply-To: <20240107174655.910522-1-fontaine.fabrice@gmail.com>

Fabrice, All,

On 2024-01-07 18:46 +0100, Fabrice Fontaine spake thusly:
> - Drop patch (already in version) and so also drop autoreconf
> - The sudoers plugin has been modified to make it more resilient to
>   ROWHAMMER attacks on authentication and policy matching. This
>   addresses CVE-2023-42465.
> 
> https://www.sudo.ws/releases/stable/#1.9.15p5
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  .checkpackageignore                           |  1 -
>  ...onfigure.ac-fix-openssl-static-build.patch | 47 -------------------
>  package/sudo/sudo.hash                        |  2 +-
>  package/sudo/sudo.mk                          |  6 +--
>  4 files changed, 3 insertions(+), 53 deletions(-)
>  delete mode 100644 package/sudo/0001-configure.ac-fix-openssl-static-build.patch
> 
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 1ddd13111a..6f67b4ba61 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1273,7 +1273,6 @@ package/start-stop-daemon/0001-add-uclibc-alias-and-musl.patch Upstream
>  package/start-stop-daemon/0002-just-warn-on-missing-arch.patch Upstream
>  package/statserial/0001-ncurses-link.patch Upstream
>  package/stunnel/S50stunnel Indent Shellcheck Variables
> -package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
>  package/supervisor/S99supervisord Variables
>  package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
>  package/suricata/S99suricata Shellcheck
> diff --git a/package/sudo/0001-configure.ac-fix-openssl-static-build.patch b/package/sudo/0001-configure.ac-fix-openssl-static-build.patch
> deleted file mode 100644
> index dc91af6119..0000000000
> --- a/package/sudo/0001-configure.ac-fix-openssl-static-build.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 1fed5adc166d5f2190a6b6ad048ec2d803316327 Mon Sep 17 00:00:00 2001
> -From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> -Date: Wed, 22 Feb 2023 10:13:30 +0100
> -Subject: [PATCH] configure.ac: fix openssl static build
> -
> -Do not use AX_APPEND_FLAG as it will break static builds by removing
> -duplicates such as -lz or -latomic which are needed by -lssl and
> --lcrypto. This will fix the following build failure with sparc which
> -needs -latomic:
> -
> -Checking for X509_STORE_CTX_get0_cert
> -configure:21215: /home/thomas/autobuild/instance-3/output-1/host/bin/sparc-buildroot-linux-uclibc-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -Os -g0  -static -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DZLIB_CONST  -static conftest.c   -L/home/thomas/autobuild/instance-3/output-1/host/bin/../sparc-buildroot-linux-uclibc/sysroot/usr/lib -lssl -lz -pthread -latomic -lcrypto >&5
> -/home/thomas/autobuild/instance-3/output-1/host/lib/gcc/sparc-buildroot-linux-uclibc/10.4.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: /home/thomas/autobuild/instance-3/output-1/host/bin/../sparc-buildroot-linux-uclibc/sysroot/usr/lib/libcrypto.a(x509cset.o): in function `X509_CRL_up_ref':
> -x509cset.c:(.text+0x108): undefined reference to `__atomic_fetch_add_4'
> -
> -[...]
> -
> -In file included from ./hostcheck.c:38:
> -../../include/sudo_compat.h:342:41: error: conflicting types for 'ASN1_STRING_data'
> -  342 | #  define ASN1_STRING_get0_data(x)      ASN1_STRING_data(x)
> -      |                                         ^~~~~~~~~~~~~~~~
> -
> -Fixes:
> - - http://autobuild.buildroot.org/results/8be59dd94e4916f9457cb435104e36e62a28373b
> -
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> -[Retrieved from:
> -https://github.com/sudo-project/sudo/commit/1fed5adc166d5f2190a6b6ad048ec2d803316327]
> ----
> - m4/openssl.m4 | 4 +++-
> - 1 file changed, 3 insertions(+), 1 deletion(-)
> -
> -diff --git a/m4/openssl.m4 b/m4/openssl.m4
> -index a2e4941ae8..b4cbd821db 100644
> ---- a/m4/openssl.m4
> -+++ b/m4/openssl.m4
> -@@ -44,7 +44,9 @@ AC_DEFUN([SUDO_CHECK_OPENSSL], [
> - 			SUDO_APPEND_LIBPATH([LIBTLS], [$f])
> - 			;;
> - 		    *)
> --			AX_APPEND_FLAG([$f], [LIBTLS])
> -+			# Do not use AX_APPEND_FLAG as it will break static builds by removing
> -+			# duplicates such as -lz or -latomic which are needed by -lssl and -lcrypto
> -+		        LIBTLS="$LIBTLS $f"
> - 			;;
> - 		esac
> - 	    done
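
Review bot: the commit message justifies deleting this file only with "already in version", without naming the upstream change. The deleted patch's own "Retrieved from" trailer identifies upstream commit 1fed5adc166d5f2190a6b6ad048ec2d803316327; citing it in the bump's log would let a reader confirm that the m4/openssl.m4 change (plain `LIBTLS="$LIBTLS $f"` in place of AX_APPEND_FLAG) is present in the 1.9.15p5 tarball without digging the old patch out of history.
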
> diff --git a/package/sudo/sudo.hash b/package/sudo/sudo.hash
> index 720b21d849..066d3b9de6 100644
> --- a/package/sudo/sudo.hash
> +++ b/package/sudo/sudo.hash
> @@ -1,4 +1,4 @@
>  # From: https://www.sudo.ws/getting/download/
> -sha256  92334a12bb93e0c056b09f53e255ccb7d6f67c6350e2813cd9593ceeca78560b  sudo-1.9.13p3.tar.gz
> +sha256  558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558  sudo-1.9.15p5.tar.gz
>  # Locally calculated
>  sha256  ea33b3971e8e4d9657cd6794a952aaa71b22bd16745f1645455b6ead010e0a28  LICENSE.md
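
Review bot: the LICENSE.md hash on the last context line is carried over unchanged across the 1.9.13p3 to 1.9.15p5 jump, so it is worth confirming that the license file in the new tarball still matches it. The replaced tarball hash sits under the "# From: https://www.sudo.ws/getting/download/" comment, so it should be the value upstream publishes there rather than one computed from a local download; if it was computed locally, it belongs under "# Locally calculated" instead.
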
> diff --git a/package/sudo/sudo.mk b/package/sudo/sudo.mk
> index 73b3503e6a..c173781304 100644
> --- a/package/sudo/sudo.mk
> +++ b/package/sudo/sudo.mk
> @@ -4,8 +4,8 @@
>  #
>  ################################################################################
>  
> -SUDO_VERSION_MAJOR = 1.9.13
> -SUDO_VERSION_MINOR = p3
> +SUDO_VERSION_MAJOR = 1.9.15
> +SUDO_VERSION_MINOR = p5
>  SUDO_VERSION = $(SUDO_VERSION_MAJOR)$(SUDO_VERSION_MINOR)
>  SUDO_SITE = https://www.sudo.ws/sudo/dist
>  SUDO_LICENSE = ISC, BSD-3-Clause
> @@ -13,8 +13,6 @@ SUDO_LICENSE_FILES = LICENSE.md
>  SUDO_CPE_ID_VERSION = $(SUDO_VERSION_MAJOR)
>  SUDO_CPE_ID_UPDATE = $(SUDO_VERSION_MINOR)
>  SUDO_SELINUX_MODULES = sudo
> -# We're patching m4/openssl.m4
> -SUDO_AUTORECONF = YES
>  # This is to avoid sudo's make install from chown()ing files which fails
>  SUDO_INSTALL_TARGET_OPTS = INSTALL_OWNER="" DESTDIR="$(TARGET_DIR)" install
>  SUDO_CONF_OPTS = \
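
Review bot: with `SUDO_AUTORECONF = YES` removed, the build runs the configure script shipped in the tarball instead of a regenerated one, so the openssl static-link fix now depends entirely on what upstream released. A static build with openssl on the sparc uclibc configuration from the autobuild failure cited in the dropped patch would confirm that -latomic still reaches the link line. Removing the "We're patching m4/openssl.m4" comment together with the variable is right.
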
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'