Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/3] libgpgme: security bump to version 1.5.1
@ 2014-08-04 17:48 Gustavo Zacarias
  2014-08-04 17:48 ` [Buildroot] [PATCH 2/3] dhcpcd: security bump to version 6.4.3 Gustavo Zacarias
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Gustavo Zacarias @ 2014-08-04 17:48 UTC (permalink / raw)
  To: buildroot

Fixes CVE-2014-3564 - heap-based buffer overflow in gpgsm status handler.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/libgpgme/libgpgme.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/libgpgme/libgpgme.mk b/package/libgpgme/libgpgme.mk
index ae9660f..ce8a61a 100644
--- a/package/libgpgme/libgpgme.mk
+++ b/package/libgpgme/libgpgme.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBGPGME_VERSION = 1.5.0
+LIBGPGME_VERSION = 1.5.1
 LIBGPGME_SITE = ftp://ftp.gnupg.org/gcrypt/gpgme
 LIBGPGME_SOURCE = gpgme-$(LIBGPGME_VERSION).tar.bz2
 LIBGPGME_LICENSE = LGPLv2.1+
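
Review bot: No checksum for the new tarball is recorded alongside the LIBGPGME_VERSION change: the diffstat touches only libgpgme.mk, and LIBGPGME_SITE still fetches over plain ftp://, so nothing in the tree pins the contents of gpgme-1.5.1.tar.bz2. For a bump whose purpose is a heap overflow fix, consider recording a hash of the 1.5.1 tarball, checked against the upstream signature, in this patch or a follow-up.
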
-- 
1.8.5.5


* [Buildroot] [PATCH 2/3] dhcpcd: security bump to version 6.4.3
  2014-08-04 17:48 [Buildroot] [PATCH 1/3] libgpgme: security bump to version 1.5.1 Gustavo Zacarias
@ 2014-08-04 17:48 ` Gustavo Zacarias
  2014-08-04 17:48 ` [Buildroot] [PATCH 3/3] gnupg2: security bump to version 2.0.25 Gustavo Zacarias
  2014-08-04 18:10 ` [Buildroot] [PATCH 1/3] libgpgme: security bump to version 1.5.1 Thomas Petazzoni
  2 siblings, 0 replies; 4+ messages in thread
From: Gustavo Zacarias @ 2014-08-04 17:48 UTC (permalink / raw)
  To: buildroot

Issue and CVE req: http://seclists.org/oss-sec/2014/q3/261
Patch upstreamed in a subtly different way.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 .../dhcpcd/dhcpcd-0001-fix-build-with-ccache.patch | 44 ----------------------
 package/dhcpcd/dhcpcd.mk                           |  2 +-
 2 files changed, 1 insertion(+), 45 deletions(-)
 delete mode 100644 package/dhcpcd/dhcpcd-0001-fix-build-with-ccache.patch

diff --git a/package/dhcpcd/dhcpcd-0001-fix-build-with-ccache.patch b/package/dhcpcd/dhcpcd-0001-fix-build-with-ccache.patch
deleted file mode 100644
index 4b56e27..0000000
--- a/package/dhcpcd/dhcpcd-0001-fix-build-with-ccache.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-configure: support builds using ccache
-
-The configure script checks whether CC is executable by means of a check
-'type $CC'. However, when using ccache, CC is normally set to "ccache gcc"
-(using the appropriate paths). Such a compound string is not recognized by
-type, however, and thus configure bails out.
-
-This patch changes the check 'type $CC' with a compile test.
-
-Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
-
-Upstream status: backport of
-http://roy.marples.name/projects/dhcpcd/info/5f4bf91142fceac502c478886aeb5079a184bb43
-
-Note: a simplification of this patch was accepted upstream, but turns out to be
-non-usable by the Xtensa architecture. This was also reported upstream and
-should normally be reverted soon.
-
-diff -r 66c8bdc88858 configure
---- a/configure	Sat Jun 21 16:54:30 2014 +0200
-+++ b/configure	Sun Jun 29 15:42:08 2014 +0200
-@@ -272,8 +272,20 @@
- fi
- 
- echo "Using compiler .. $CC"
--if ! type "$CC" >/dev/null 2>&1; then
--	echo "$CC is not an executable"
-+cat <<EOF >_test.c
-+int main(void) {
-+	return 0;
-+}
-+EOF
-+_CC=true
-+if $CC _test.c -o _test >/dev/null 2>&1; then
-+	[ -x _test ] || _CC=false
-+else
-+	_CC=false
-+fi
-+rm -f _test.c _test
-+if ! $_CC; then
-+	echo "$CC does not create executables"
- 	exit 1
- fi
- [ "$CC" != cc ] && echo "CC=	$CC" >>$CONFIG_MK
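
Review bot: The removed patch's own header says the simplified version accepted upstream "turns out to be non-usable by the Xtensa architecture" and was expected to be reverted, while the commit message only says the fix was upstreamed "in a subtly different way". Please state which form of the CC check 6.4.3 ships, and confirm that a build with CC set to a compound value such as "ccache gcc" and an Xtensa build both still pass configure without this patch.
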
diff --git a/package/dhcpcd/dhcpcd.mk b/package/dhcpcd/dhcpcd.mk
index 7a16f52..813a6cf 100644
--- a/package/dhcpcd/dhcpcd.mk
+++ b/package/dhcpcd/dhcpcd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DHCPCD_VERSION = 6.4.0
+DHCPCD_VERSION = 6.4.3
 DHCPCD_SOURCE = dhcpcd-$(DHCPCD_VERSION).tar.bz2
 DHCPCD_SITE = http://roy.marples.name/downloads/dhcpcd
 DHCPCD_DEPENDENCIES = host-pkgconf
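
Review bot: The DHCPCD_VERSION change is labelled a security bump, but the commit message identifies the issue only by a link to the oss-sec CVE request. Add a one-line description of the flaw (and the CVE id once assigned) so the log is self-contained. Also note that DHCPCD_SITE downloads over plain http:// and this patch adds no checksum for dhcpcd-6.4.3.tar.bz2.
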
-- 
1.8.5.5


* [Buildroot] [PATCH 3/3] gnupg2: security bump to version 2.0.25
  2014-08-04 17:48 [Buildroot] [PATCH 1/3] libgpgme: security bump to version 1.5.1 Gustavo Zacarias
  2014-08-04 17:48 ` [Buildroot] [PATCH 2/3] dhcpcd: security bump to version 6.4.3 Gustavo Zacarias
@ 2014-08-04 17:48 ` Gustavo Zacarias
  2014-08-04 18:10 ` [Buildroot] [PATCH 1/3] libgpgme: security bump to version 1.5.1 Thomas Petazzoni
  2 siblings, 0 replies; 4+ messages in thread
From: Gustavo Zacarias @ 2014-08-04 17:48 UTC (permalink / raw)
  To: buildroot

Fixes CVE-2014-4617 (The do_uncompress function in g10/compress.c
allows context-dependent attackers to cause a denial of service
(infinite loop) via malformed compressed packets, as demonstrated by an
a3 01 5b ff byte sequence).

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/gnupg2/gnupg2.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/gnupg2/gnupg2.mk b/package/gnupg2/gnupg2.mk
index fd35e6e..9502a82 100644
--- a/package/gnupg2/gnupg2.mk
+++ b/package/gnupg2/gnupg2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GNUPG2_VERSION = 2.0.23
+GNUPG2_VERSION = 2.0.25
 GNUPG2_SOURCE = gnupg-$(GNUPG2_VERSION).tar.bz2
 GNUPG2_SITE = ftp://ftp.gnupg.org/gcrypt/gnupg
 GNUPG2_LICENSE = GPLv3+
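
Review bot: GNUPG2_VERSION moves from 2.0.23 to 2.0.25, skipping a release, but the commit message names only CVE-2014-4617 and does not say which of the two releases carries the fix. Mention that in the message, and say whether anything else in the skipped release affects the package (new dependencies or configure options), since only the version line changes here.
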
-- 
1.8.5.5


* [Buildroot] [PATCH 1/3] libgpgme: security bump to version 1.5.1
  2014-08-04 17:48 [Buildroot] [PATCH 1/3] libgpgme: security bump to version 1.5.1 Gustavo Zacarias
  2014-08-04 17:48 ` [Buildroot] [PATCH 2/3] dhcpcd: security bump to version 6.4.3 Gustavo Zacarias
  2014-08-04 17:48 ` [Buildroot] [PATCH 3/3] gnupg2: security bump to version 2.0.25 Gustavo Zacarias
@ 2014-08-04 18:10 ` Thomas Petazzoni
  2 siblings, 0 replies; 4+ messages in thread
From: Thomas Petazzoni @ 2014-08-04 18:10 UTC (permalink / raw)
  To: buildroot

Dear Gustavo Zacarias,

On Mon,  4 Aug 2014 14:48:00 -0300, Gustavo Zacarias wrote:
> Fixes CVE-2014-3564 - heap-based buffer overflow in gpgsm status handler.
> 
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
>  package/libgpgme/libgpgme.mk | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

All three patches applied, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
