* [Buildroot] [PATCH 1/2] shairport-sync: fix static link with mbedtls
@ 2017-09-05 19:05 Baruch Siach
From: Baruch Siach @ 2017-09-05 19:05 UTC (permalink / raw)
To: buildroot
mbedtls provided libraries are interdependent. libmbedtls depends on
libmbedx509. Both depend on libmbedcrypto. When compression is enabled
libz is also needed.
Fixes:
http://autobuild.buildroot.net/results/79d/79d9aff5edb6a767c38efb54256a4f20fc36a6ee/
Cc: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/shairport-sync/shairport-sync.mk | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/package/shairport-sync/shairport-sync.mk b/package/shairport-sync/shairport-sync.mk
index 208a9b3b1e33..75e1ae85e3d2 100644
--- a/package/shairport-sync/shairport-sync.mk
+++ b/package/shairport-sync/shairport-sync.mk
@@ -19,6 +19,8 @@ SHAIRPORT_SYNC_CONF_OPTS = --with-alsa \
--with-pipe \
--with-stdout
+SHAIRPORT_SYNC_CONF_ENV += LIBS="$(SHAIRPORT_SYNC_CONF_LIBS)"
+
# Avahi or tinysvcmdns (shaiport-sync bundles its own version of tinysvcmdns).
# Avahi support needs libavahi-client, which is built by avahi if avahi-daemon
# and dbus is selected. Since there is no BR2_PACKAGE_LIBAVAHI_CLIENT config
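Review bot: the `SHAIRPORT_SYNC_CONF_ENV += LIBS="$(SHAIRPORT_SYNC_CONF_LIBS)"` line sits above the point where `SHAIRPORT_SYNC_CONF_LIBS` is first populated (in the `--with-ssl=mbedtls` branch further down), so it only works because `+=` on a not-yet-defined GNU make variable creates a recursively expanded one whose `$(...)` reference is evaluated late; should `SHAIRPORT_SYNC_CONF_ENV` ever gain a `:=` definition earlier in the file, `LIBS` would silently become empty and the static link would break again. Either move this line below the ssl selection block or add a comment saying it relies on deferred expansion. It also passes `LIBS` unconditionally, so the openssl branch receives `LIBS=""`; harmless, but worth stating. While here, the context comment reads "shaiport-sync"; a follow-up could fix that typo.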
@@ -38,6 +40,10 @@ SHAIRPORT_SYNC_CONF_OPTS += --with-ssl=openssl
else
SHAIRPORT_SYNC_DEPENDENCIES += mbedtls
SHAIRPORT_SYNC_CONF_OPTS += --with-ssl=mbedtls
+SHAIRPORT_SYNC_CONF_LIBS += -lmbedx509 -lmbedcrypto
+ifeq ($(BR2_PACKAGE_MBEDTLS_COMPRESSION),y)
+SHAIRPORT_SYNC_CONF_LIBS += -lz
+endif
endif
ifeq ($(BR2_PACKAGE_SHAIRPORT_SYNC_LIBSOXR),y)
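Review bot: the order `-lmbedx509 -lmbedcrypto` on the `SHAIRPORT_SYNC_CONF_LIBS +=` line is load-bearing for a static link, since an archive only resolves symbols referenced by objects that precede it on the command line and, as the commit message says, libmbedx509 depends on libmbedcrypto; a one-line comment above it would keep a later cleanup from reordering the flags. The `-lz` under `BR2_PACKAGE_MBEDTLS_COMPRESSION` assumes zlib is already in the build via the `mbedtls` entry in `SHAIRPORT_SYNC_DEPENDENCIES` rather than being listed directly; that is fine as long as the mbedtls package selects zlib whenever that option is set, and the comment should say the dependency is inherited. Finally, the subject says "fix static link", but the extra `-l` flags are added for shared builds as well; either guard them with `ifeq ($(BR2_STATIC_LIBS),y)` so shared binaries do not pick up unneeded DT_NEEDED entries, or say in the commit message that the unconditional form is intended.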
--
2.14.1
* [Buildroot] [PATCH 2/2] mbedtls: security bump to version 2.6.0
From: Baruch Siach @ 2017-09-05 19:05 UTC (permalink / raw)
To: buildroot
Fixes CVE-2017-14032: authentication bypass.
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
Add license hash.
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/mbedtls/mbedtls.hash | 7 +++++--
package/mbedtls/mbedtls.mk | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/package/mbedtls/mbedtls.hash b/package/mbedtls/mbedtls.hash
index 70a0dc506d93..d04b8677540a 100644
--- a/package/mbedtls/mbedtls.hash
+++ b/package/mbedtls/mbedtls.hash
@@ -1,2 +1,5 @@
-# From https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released
-sha256 17dd98af7478aadacc480c7e4159e447353b5b2037c1b6d48ed4fd157fb1b018 mbedtls-2.4.2-apache.tgz
+# From https://tls.mbed.org/tech-updates/releases/mbedtls-2.6.0-2.1.9-and-1.3.21-released
+sha1 e914288da50977f541773f9d36e26f14926594a5 mbedtls-2.6.0-apache.tgz
+sha256 99bc9d4212d3d885eeb96273bcde8ecc649a481404b8d7ea7bb26397c9909687 mbedtls-2.6.0-apache.tgz
+# Locally calculated
+sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 apache-2.0.txt
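Review bot: the added `sha1` line provides no integrity beyond the `sha256` line directly below it, so unless the convention is to record every checksum upstream publishes, keeping only the `sha256` entry (with the `# From` release URL) is the clearer form and avoids suggesting SHA-1 alone would be acceptable. The `# Locally calculated` hash for `apache-2.0.txt` is not cross-checked against anything upstream publishes, so it only detects the license text changing between releases; the commit message line "Add license hash" should say that it is locally computed so nobody later mistakes it for an upstream-published value.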
diff --git a/package/mbedtls/mbedtls.mk b/package/mbedtls/mbedtls.mk
index a571ed0e52f1..64ce18cf6fe5 100644
--- a/package/mbedtls/mbedtls.mk
+++ b/package/mbedtls/mbedtls.mk
@@ -5,7 +5,7 @@
################################################################################
MBEDTLS_SITE = https://tls.mbed.org/code/releases
-MBEDTLS_VERSION = 2.4.2
+MBEDTLS_VERSION = 2.6.0
MBEDTLS_SOURCE = mbedtls-$(MBEDTLS_VERSION)-apache.tgz
MBEDTLS_CONF_OPTS = \
-DENABLE_PROGRAMS=$(if $(BR2_PACKAGE_MBEDTLS_PROGRAMS),ON,OFF) \
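Review bot: `MBEDTLS_VERSION` jumps from 2.4.2 to 2.6.0, skipping the 2.5 series, while the commit message only names CVE-2017-14032 and the advisory URL; a sentence noting that the intermediate release notes were checked for API or build-option changes affecting reverse dependencies (shairport-sync, and the other mbedtls users mentioned later in this thread) would help whoever later bisects a build regression to this bump. The hunk itself is a plain version change, `MBEDTLS_SOURCE` follows the variable, and `MBEDTLS_SITE` already uses https, so the download is protected in transit as well as by the hash file.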
--
2.14.1
* [Buildroot] [PATCH 1/2] shairport-sync: fix static link with mbedtls
From: Thomas Petazzoni @ 2017-09-05 19:44 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 5 Sep 2017 22:05:25 +0300, Baruch Siach wrote:
> # Avahi or tinysvcmdns (shaiport-sync bundles its own version of tinysvcmdns).
> # Avahi support needs libavahi-client, which is built by avahi if avahi-daemon
> # and dbus is selected. Since there is no BR2_PACKAGE_LIBAVAHI_CLIENT config
> @@ -38,6 +40,10 @@ SHAIRPORT_SYNC_CONF_OPTS += --with-ssl=openssl
> else
> SHAIRPORT_SYNC_DEPENDENCIES += mbedtls
> SHAIRPORT_SYNC_CONF_OPTS += --with-ssl=mbedtls
> +SHAIRPORT_SYNC_CONF_LIBS += -lmbedx509 -lmbedcrypto
> +ifeq ($(BR2_PACKAGE_MBEDTLS_COMPRESSION),y)
> +SHAIRPORT_SYNC_CONF_LIBS += -lz
> +endif
> endif
This is crazy. Can we submit an mbedtls patch adding a pkg-config file?
They are open to it, it seems:
https://github.com/ARMmbed/mbedtls/issues/228. Of course,
shairport-sync would have to be modified to use it.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
* [Buildroot] [PATCH 1/2] shairport-sync: fix static link with mbedtls
From: Baruch Siach @ 2017-09-06 5:30 UTC (permalink / raw)
To: buildroot
Hi Thomas,
On Tue, Sep 05, 2017 at 09:44:47PM +0200, Thomas Petazzoni wrote:
> On Tue, 5 Sep 2017 22:05:25 +0300, Baruch Siach wrote:
>
> > # Avahi or tinysvcmdns (shaiport-sync bundles its own version of tinysvcmdns).
> > # Avahi support needs libavahi-client, which is built by avahi if avahi-daemon
> > # and dbus is selected. Since there is no BR2_PACKAGE_LIBAVAHI_CLIENT config
> > @@ -38,6 +40,10 @@ SHAIRPORT_SYNC_CONF_OPTS += --with-ssl=openssl
> > else
> > SHAIRPORT_SYNC_DEPENDENCIES += mbedtls
> > SHAIRPORT_SYNC_CONF_OPTS += --with-ssl=mbedtls
> > +SHAIRPORT_SYNC_CONF_LIBS += -lmbedx509 -lmbedcrypto
> > +ifeq ($(BR2_PACKAGE_MBEDTLS_COMPRESSION),y)
> > +SHAIRPORT_SYNC_CONF_LIBS += -lz
> > +endif
> > endif
>
> This is crazy. Can we submit an mbedtls patch adding a pkg-config file?
> They are open to it, it seems:
> https://github.com/ARMmbed/mbedtls/issues/228. Of course,
> shairport-sync would have to be modified to use it.
Crazy indeed. I'll see if I can do something about mbedtls pkg-config as time
permits. But I think we'll need this workaround for now.
BTW, this fix is independent of the mbedtls security bump, since the static
build issue affects the current mbedtls version as well.
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -
* [Buildroot] [PATCH 2/2] mbedtls: security bump to version 2.6.0
From: Peter Korsgaard @ 2017-09-07 9:18 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Fixes CVE-2017-14032: authentication bypass.
> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
> Add license hash.
> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 2/2] mbedtls: security bump to version 2.6.0
From: Peter Korsgaard @ 2017-09-07 13:15 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Fixes CVE-2017-14032: authentication bypass.
> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
> Add license hash.
> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 1/2] shairport-sync: fix static link with mbedtls
From: Arnout Vandecappelle @ 2017-09-24 11:52 UTC (permalink / raw)
To: buildroot
On 05-09-17 21:05, Baruch Siach wrote:
> mbedtls provided libraries are interdependent. libmbedtls depends on
> libmbedx509. Both depend on libmbedcrypto. When compression is enabled
> libz is also needed.
>
> Fixes:
> http://autobuild.buildroot.net/results/79d/79d9aff5edb6a767c38efb54256a4f20fc36a6ee/
>
> Cc: Jörg Krause <joerg.krause@embedded.rocks>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Applied to master, thanks.
I also double-checked that shairport-sync is the only package that suffers from
this problem. Other packages (e.g. hiawatha, curl, ...) build fine statically.
Regards,
Arnout
> ---
> package/shairport-sync/shairport-sync.mk | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/package/shairport-sync/shairport-sync.mk b/package/shairport-sync/shairport-sync.mk
> index 208a9b3b1e33..75e1ae85e3d2 100644
> --- a/package/shairport-sync/shairport-sync.mk
> +++ b/package/shairport-sync/shairport-sync.mk
> @@ -19,6 +19,8 @@ SHAIRPORT_SYNC_CONF_OPTS = --with-alsa \
> --with-pipe \
> --with-stdout
>
> +SHAIRPORT_SYNC_CONF_ENV += LIBS="$(SHAIRPORT_SYNC_CONF_LIBS)"
> +
> # Avahi or tinysvcmdns (shaiport-sync bundles its own version of tinysvcmdns).
> # Avahi support needs libavahi-client, which is built by avahi if avahi-daemon
> # and dbus is selected. Since there is no BR2_PACKAGE_LIBAVAHI_CLIENT config
> @@ -38,6 +40,10 @@ SHAIRPORT_SYNC_CONF_OPTS += --with-ssl=openssl
> else
> SHAIRPORT_SYNC_DEPENDENCIES += mbedtls
> SHAIRPORT_SYNC_CONF_OPTS += --with-ssl=mbedtls
> +SHAIRPORT_SYNC_CONF_LIBS += -lmbedx509 -lmbedcrypto
> +ifeq ($(BR2_PACKAGE_MBEDTLS_COMPRESSION),y)
> +SHAIRPORT_SYNC_CONF_LIBS += -lz
> +endif
> endif
>
> ifeq ($(BR2_PACKAGE_SHAIRPORT_SYNC_LIBSOXR),y)
>
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF