From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] irssi: security bump to version 1.0.2
Date: Tue, 14 Mar 2017 16:00:39 +0100 [thread overview]
Message-ID: <20170314150039.9913-1-peter@korsgaard.com> (raw)
Fixes CWE-416 (use after free condition during netjoin processing). No CVE
assigned yet:
https://irssi.org/security/irssi_sa_2017_03.txt
Notice that the 0.8.x series is not believed to be vulnerable to this
specific issue. From the advisory:
Affected versions
-----------------
Irssi up to and including 1.0.1
We believe Irssi 0.8.21 and prior are not affected since a different
code path causes the netjoins to be flushed prior to reaching the use
after free condition.
Openssl is no longer optional, so select it and drop the enable/disable
handling.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
| 1 +
| 2 +-
| 11 ++---------
3 files changed, 4 insertions(+), 10 deletions(-)
--git a/package/irssi/Config.in b/package/irssi/Config.in
index 7d2920178..2cdd06c87 100644
--- a/package/irssi/Config.in
+++ b/package/irssi/Config.in
@@ -2,6 +2,7 @@ config BR2_PACKAGE_IRSSI
bool "irssi"
select BR2_PACKAGE_LIBGLIB2
select BR2_PACKAGE_NCURSES
+ select BR2_PACKAGE_OPENSSL
depends on BR2_USE_WCHAR # libglib2
depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
depends on BR2_USE_MMU # fork()
--git a/package/irssi/irssi.hash b/package/irssi/irssi.hash
index b1048bf8f..f1472e04b 100644
--- a/package/irssi/irssi.hash
+++ b/package/irssi/irssi.hash
@@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
-sha256 e433063b8714dcf17438126902c9a9d5c97944b3185ecd0fc5ae25c4959bf35a irssi-0.8.21.tar.xz
+sha256 5c1c3cc2caf103aad073fadeb000e0f8cb3b416833a7f43ceb8bd9fcf275fbe9 irssi-1.0.2.tar.xz
--git a/package/irssi/irssi.mk b/package/irssi/irssi.mk
index e467f8989..7df7bbc44 100644
--- a/package/irssi/irssi.mk
+++ b/package/irssi/irssi.mk
@@ -4,27 +4,20 @@
#
################################################################################
-IRSSI_VERSION = 0.8.21
+IRSSI_VERSION = 1.0.2
IRSSI_SOURCE = irssi-$(IRSSI_VERSION).tar.xz
# Do not use the github helper here. The generated tarball is *NOT* the
# same as the one uploaded by upstream for the release.
IRSSI_SITE = https://github.com/irssi/irssi/releases/download/$(IRSSI_VERSION)
IRSSI_LICENSE = GPLv2+
IRSSI_LICENSE_FILES = COPYING
-IRSSI_DEPENDENCIES = host-pkgconf libglib2 ncurses
+IRSSI_DEPENDENCIES = host-pkgconf libglib2 ncurses openssl
IRSSI_CONF_OPTS = \
--disable-glibtest \
--with-ncurses=$(STAGING_DIR)/usr \
--without-perl
-ifeq ($(BR2_PACKAGE_OPENSSL),y)
-IRSSI_CONF_OPTS += --enable-ssl
-IRSSI_DEPENDENCIES += openssl
-else
-IRSSI_CONF_OPTS += --disable-ssl
-endif
-
ifeq ($(BR2_PACKAGE_IRSSI_PROXY),y)
IRSSI_CONF_OPTS += --with-proxy
# If shared libs are disabled, 'proxy' has to go in the list of built-in
--
2.11.0
next reply other threads:[~2017-03-14 15:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-14 15:00 Peter Korsgaard [this message]
2017-03-14 21:01 ` [Buildroot] [PATCH] irssi: security bump to version 1.0.2 Thomas Petazzoni
2017-03-14 21:21 ` Peter Korsgaard
2017-03-14 21:33 ` Thomas Petazzoni
2017-03-15 10:52 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170314150039.9913-1-peter@korsgaard.com \
--to=peter@korsgaard.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox