Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH] shairport-sync: security bump to version 3.1.4
@ 2017-11-23 19:36 Jörg Krause
From: Jörg Krause @ 2017-11-23 19:36 UTC
  To: buildroot

The bundled tinysvcmdns library is affected by CVE-2017-12087 [1]:

> An exploitable heap overflow vulnerability exists in the tinysvcmdns library
> version 2016-07-18. A specially crafted packet can make the library overwrite
> an arbitrary amount of data on the heap with attacker controlled values. An
> attacker needs send a dns packet to trigger this vulnerability.

shairport-sync has incorporated upstream's fixes in [2].

[1] https://bugs.launchpad.net/bugs/cve/2017-12087
[2] https://github.com/mikebrady/shairport-sync/commit/1dbdf94811b8315705dbac5ba9199d417231c5d3

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
---
 package/shairport-sync/shairport-sync.hash | 2 +-
 package/shairport-sync/shairport-sync.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/shairport-sync/shairport-sync.hash b/package/shairport-sync/shairport-sync.hash
index eac39138db..08f22a0cf3 100644
--- a/package/shairport-sync/shairport-sync.hash
+++ b/package/shairport-sync/shairport-sync.hash
@@ -1,2 +1,2 @@
 # Locally calculated
-sha256  dd0484d7e8ee7631aee78c78b3762abbdba7ec3f2ee8cd6c1e361544c1414da3  shairport-sync-3.1.3.tar.gz
+sha256  4c5a2ab40ef49896f5b6e59b20df4f621ebce47ee64d8571336f59820ae66379  shairport-sync-3.1.4.tar.gz
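
Review bot: The new sha256 on the `+` line still sits under "# Locally calculated", so nothing in this hunk lets a reader check the digest against a value published by upstream. Since this is a security bump, please say in the commit message how the shairport-sync-3.1.4.tar.gz tarball was fetched when the hash was computed, so whoever applies the patch can re-download it and confirm the same value.
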
diff --git a/package/shairport-sync/shairport-sync.mk b/package/shairport-sync/shairport-sync.mk
index acca45c121..63289d4398 100644
--- a/package/shairport-sync/shairport-sync.mk
+++ b/package/shairport-sync/shairport-sync.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SHAIRPORT_SYNC_VERSION = 3.1.3
+SHAIRPORT_SYNC_VERSION = 3.1.4
 SHAIRPORT_SYNC_SITE = $(call github,mikebrady,shairport-sync,$(SHAIRPORT_SYNC_VERSION))
 
 SHAIRPORT_SYNC_LICENSE = MIT, BSD-3-Clause
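
Review bot: The change on the `SHAIRPORT_SYNC_VERSION` line is the entire fix, but neither this hunk nor the commit message states that the 3.1.4 release actually contains the upstream commit cited as [2]. Please add one sentence to the commit message confirming that, so the CVE-2017-12087 claim can be checked from the log alone.
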
-- 
2.15.0


* [Buildroot] [PATCH] shairport-sync: security bump to version 3.1.4
@ 2017-11-23 20:10 ` Thomas Petazzoni
From: Thomas Petazzoni @ 2017-11-23 20:10 UTC
  To: buildroot

Hello,

On Thu, 23 Nov 2017 20:36:41 +0100, Jörg Krause wrote:
> The bundled tinysvcmdns library is affected by CVE-2017-12087 [1]:
> 
> > An exploitable heap overflow vulnerability exists in the tinysvcmdns library
> > version 2016-07-18. A specially crafted packet can make the library overwrite
> > an arbitrary amount of data on the heap with attacker controlled values. An
> > attacker needs send a dns packet to trigger this vulnerability.  
> 
> shairport-sync has incorporated upstream's fixes in [2].
> 
> [1] https://bugs.launchpad.net/bugs/cve/2017-12087
> [2] https://github.com/mikebrady/shairport-sync/commit/1dbdf94811b8315705dbac5ba9199d417231c5d3
> 
> Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
> ---
>  package/shairport-sync/shairport-sync.hash | 2 +-
>  package/shairport-sync/shairport-sync.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
