* [Buildroot] [PATCH 1/1] package/libesmtp: security bump to version 1.1.0
@ 2021-08-05 21:25 Fabrice Fontaine
From: Fabrice Fontaine @ 2021-08-05 21:25 UTC (permalink / raw)
To: buildroot; +Cc: Eric Le Bihan, Fabrice Fontaine
After more than a decade, libESMTP version 1.0.6 is superseded. Despite
proving robust a little bitrot has occurred, especially regarding
OpenSSL support. The original application data APIs are prone to memory
leaks and are deprecated in favour of safer replacements. Version 1.1
updates libESMTP without breaking API and ABI compatibility and
provides a basis for future development.
In addition to updates to the codebase, documentation is modernised and
is more comprehensive.
All libESMTP users are encouraged to upgrade from version 1.0.6.
- Update license files
- Update indentation in hash file (two spaces)
- Switch to meson-package
- Handle threads and tls meson options
- libesmtp-config has been dropped:
https://github.com/libesmtp/libESMTP/issues/8
- Fix CVE-2019-19977: libESMTP through 1.0.6 mishandles domain copying
into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as
demonstrated by a stack-based buffer over-read.
https://github.com/libesmtp/libESMTP/releases/tag/v1.1.0
https://libesmtp.github.io/changes-since-v1.0.6.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/libesmtp/Config.in | 1 +
package/libesmtp/libesmtp.hash | 6 +++---
package/libesmtp/libesmtp.mk | 24 +++++++++++++++++-------
3 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/package/libesmtp/Config.in b/package/libesmtp/Config.in
index db2dc8ec9c..5c6a412134 100644
--- a/package/libesmtp/Config.in
+++ b/package/libesmtp/Config.in
@@ -1,6 +1,7 @@
config BR2_PACKAGE_LIBESMTP
bool "libesmtp"
depends on !BR2_STATIC_LIBS
+ select BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4 if BR2_PACKAGE_LIBOPENSSL
help
Library for sending emails through SMTP.
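Review bot: the new `select BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4 if BR2_PACKAGE_LIBOPENSSL` is not explained anywhere in the commit message, which only lists the threads and tls meson options. Add a bullet stating why it is needed (the NTLM authentication code the CVE entry points at, ntlm/ntlmstruct.c, depends on MD4 for the NT hash, which OpenSSL no longer enables by default in Buildroot), otherwise a later cleanup has no way to tell this select from a stale leftover. Note also that the select is keyed on `BR2_PACKAGE_LIBOPENSSL` while the .mk enables TLS on `BR2_PACKAGE_OPENSSL`, so a libressl-backed build gets TLS but no MD4 select; say whether that combination was build-tested.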
diff --git a/package/libesmtp/libesmtp.hash b/package/libesmtp/libesmtp.hash
index 9e1ca22b5b..596ed4eaca 100644
--- a/package/libesmtp/libesmtp.hash
+++ b/package/libesmtp/libesmtp.hash
@@ -1,4 +1,4 @@
# Locally calculated
-sha256 d0a61a5c52d99fa7ce7d00ed0a07e341dbda67101dbed1ab0cdae3f37db4eb0b libesmtp-1.0.6.tar.bz2
-sha256 32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670 COPYING
-sha256 f18a0811fa0e220ccbc42f661545e77f0388631e209585ed582a1c693029c6aa COPYING.LIB
+sha256 32bc3614ca12d21c7d933f32d43410e8744b6f91fdca7732da9877a385e4e6c3 libesmtp-1.1.0.tar.gz
+sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING.GPL
+sha256 20c17d8b8c48a600800dfd14f95d5cb9ff47066a9641ddeab48dc54aec96e331 LICENSE
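Review bot: the two license-file lines change both name and hash (`COPYING.GPL`, `LICENSE`), yet `LIBESMTP_LICENSE` in the .mk is left at `GPL-2.0+ (examples), LGPL-2.1+ (library)`; a changed hash only proves the text changed, not what it changed to, so the commit message should state that the new files were read and still match those terms. The tarball line stays "Locally calculated" while the source now comes from a `github` helper URL rather than sources.buildroot.net; if upstream publishes a checksum for the v1.1.0 release, cite it, since for a security bump the hash line is the only thing tying the build to the intended archive.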
diff --git a/package/libesmtp/libesmtp.mk b/package/libesmtp/libesmtp.mk
index 1f5cdec191..10fe7bf324 100644
--- a/package/libesmtp/libesmtp.mk
+++ b/package/libesmtp/libesmtp.mk
@@ -4,14 +4,24 @@
#
################################################################################
-LIBESMTP_VERSION = 1.0.6
-LIBESMTP_SOURCE = libesmtp-$(LIBESMTP_VERSION).tar.bz2
-LIBESMTP_SITE = http://sources.buildroot.net/libesmtp
+LIBESMTP_VERSION = 1.1.0
+LIBESMTP_SITE = $(call github,libesmtp,libESMTP,v$(LIBESMTP_VERSION))
LIBESMTP_INSTALL_STAGING = YES
-LIBESMTP_CONFIG_SCRIPTS = libesmtp-config
-LIBESMTP_DEPENDENCIES = $(if $(BR2_PACKAGE_OPENSSL),openssl)
LIBESMTP_LICENSE = GPL-2.0+ (examples), LGPL-2.1+ (library)
-LIBESMTP_LICENSE_FILES = COPYING COPYING.LIB
+LIBESMTP_LICENSE_FILES = COPYING.GPL LICENSE
LIBESMTP_CPE_ID_VENDOR = libesmtp_project
-$(eval $(autotools-package))
+ifeq ($(BR2_PACKAGE_OPENSSL),y)
+LIBESMTP_CONF_OPTS += -Dtls=enabled
+LIBESMTP_DEPENDENCIES += openssl
+else
+LIBESMTP_CONF_OPTS += -Dtls=disabled
+endif
+
+ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
+LIBESMTP_CONF_OPTS += -Dpthreads=enabled
+else
+LIBESMTP_CONF_OPTS += -Dpthreads=disabled
+endif
+
+$(eval $(meson-package))
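Review bot: dropping `LIBESMTP_CONFIG_SCRIPTS = libesmtp-config` changes how reverse dependencies locate the library, and the commit message only links the upstream issue; state which in-tree users were rebuilt against 1.1.0 and that they find the library through pkg-config now, so the risk of this bump can be judged from the message alone. Two smaller points in the same hunk: the commit message says "threads" but the option actually passed is `-Dpthreads=enabled|disabled`, so use the option's real name there; and the `ifeq ($(BR2_PACKAGE_OPENSSL),y)` block only toggles `-Dtls`, so if the build also exposes an NTLM option it should be pinned explicitly rather than left to meson's auto-detection, which can silently differ between hosts.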
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
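The CVE-2019-19977 bullet in the commit message describes the bug class: a domain length taken from the wire is used to copy into a fixed-size buffer, and a lying length reads past the message. The following is an added example written for this page, not libESMTP's ntlm/ntlmstruct.c and not the upstream fix; it uses a simplified Type 2 message layout (only the 8-byte signature, 4-byte type and the 8-byte length/maxlen/offset "security buffer" at byte 12, with the payload starting at HDR_LEN = 20), and HDR_LEN, DOMAIN_MAX, copy_target_unsafe, copy_target_safe, make_type2 and the scenario_* helpers are all invented names. It shows the three bounds a practitioner has to check before such a copy, and the sample messages are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative code, not libESMTP's: an NTLM Type 2 style message locates the
 * target/domain string with a (length, maxlen, offset) "security buffer".
 * Both length and offset arrive from the peer and must be validated against
 * the message length (bounds the read) and the destination size (bounds the
 * write) before anything is copied into a fixed-size stack buffer. */

#define HDR_LEN    20   /* simplified header: signature(8) + type(4) + security buffer(8) */
#define DOMAIN_MAX 32   /* fixed-size destination, NUL-terminated */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe: trusts the wire-supplied length and offset. A lying length reads
 * past the message (over-read) and a length >= DOMAIN_MAX also writes past
 * `out` (overflow). Present only to show which checks are missing; never call
 * it on untrusted input. */
int copy_target_unsafe(const uint8_t *msg, size_t msg_len, char out[DOMAIN_MAX]) {
    (void)msg_len;                      /* the message length is never consulted */
    uint16_t len = rd16(msg + 12);
    uint32_t off = rd32(msg + 16);
    memcpy(out, msg + off, len);
    out[len] = '\0';
    return (int)len;
}

/* Hardened: returns the copied length, or -1 (leaving `out` empty) when any
 * bound fails. `len > msg_len - off` is evaluated after `off > msg_len` so the
 * subtraction cannot wrap, avoiding an off+len overflow in the check itself. */
int copy_target_safe(const uint8_t *msg, size_t msg_len, char out[DOMAIN_MAX]) {
    out[0] = '\0';
    if (msg_len < HDR_LEN) return -1;                      /* header incomplete */
    uint16_t len = rd16(msg + 12);
    uint32_t off = rd32(msg + 16);
    if (off > msg_len || len > msg_len - off) return -1;   /* would read past the message */
    if (len >= DOMAIN_MAX) return -1;                      /* would not fit with its NUL */
    memcpy(out, msg + off, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample builder: writes a minimal Type 2 style message into buf
 * and returns its total length. The real name bytes always follow the header
 * at HDR_LEN; claimed_len/claimed_off are the fields a hostile server controls. */
size_t make_type2(uint8_t *buf, size_t cap, const char *name,
                  uint16_t claimed_len, uint32_t claimed_off) {
    size_t n = strlen(name);
    if (cap < HDR_LEN + n) return 0;
    memset(buf, 0, HDR_LEN);
    memcpy(buf, "NTLMSSP", 8);                    /* signature, NUL included */
    buf[8] = 2;                                   /* message type 2 (challenge) */
    buf[12] = (uint8_t)claimed_len;  buf[13] = (uint8_t)(claimed_len >> 8);
    buf[16] = (uint8_t)claimed_off;  buf[17] = (uint8_t)(claimed_off >> 8);
    buf[18] = (uint8_t)(claimed_off >> 16); buf[19] = (uint8_t)(claimed_off >> 24);
    memcpy(buf + HDR_LEN, name, n);
    return HDR_LEN + n;
}

/* Scenario helpers: each returns copy_target_safe's verdict for one message. */
int scenario_honest(char out[DOMAIN_MAX]) {     /* well-formed: 7-byte name at HDR_LEN */
    uint8_t m[128];
    size_t n = make_type2(m, sizeof m, "EXAMPLE", 7, HDR_LEN);
    return copy_target_safe(m, n, out);
}
int scenario_honest_ok(void) {                  /* 1 if the honest copy round-trips */
    char out[DOMAIN_MAX];
    return scenario_honest(out) == 7 && strcmp(out, "EXAMPLE") == 0;
}
int scenario_lying_length(void) {               /* claims 200 bytes inside a 27-byte message */
    uint8_t m[128]; char out[DOMAIN_MAX];
    size_t n = make_type2(m, sizeof m, "EXAMPLE", 200, HDR_LEN);
    return copy_target_safe(m, n, out);
}
int scenario_lying_offset(void) {               /* offset points far past the message */
    uint8_t m[128]; char out[DOMAIN_MAX];
    size_t n = make_type2(m, sizeof m, "EXAMPLE", 7, 4000);
    return copy_target_safe(m, n, out);
}
int scenario_oversized(void) {                  /* consistent fields, but 40 bytes > DOMAIN_MAX */
    uint8_t m[128]; char out[DOMAIN_MAX];
    const char *name = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
    size_t n = make_type2(m, sizeof m, name, (uint16_t)strlen(name), HDR_LEN);
    return copy_target_safe(m, n, out);
}

int main(void) {
    char out[DOMAIN_MAX];
    printf("honest:        %d (%s)\n", scenario_honest(out), out);
    printf("lying length:  %d\n", scenario_lying_length());
    printf("lying offset:  %d\n", scenario_lying_offset());
    printf("oversized:     %d\n", scenario_oversized());
    return 0;
}
```

The three rejections map to the three bounds a copy like this needs: offset inside the message, length inside the remainder of the message, and length strictly smaller than the destination so the terminator fits. Only the honest message is ever handed to copy_target_unsafe in practice; feeding it any of the other three is exactly the over-read the CVE text describes.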
* Re: [Buildroot] [PATCH 1/1] package/libesmtp: security bump to version 1.1.0
From: Thomas Petazzoni @ 2021-08-05 21:48 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Eric Le Bihan, buildroot
On Thu, 5 Aug 2021 23:25:40 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> After more than a decade, libESMTP version 1.0.6 is superseded. Despite
> proving robust a little bitrot has occurred, especially regarding
> OpenSSL support. The original application data APIs are prone to memory
> leaks and are deprecated in favour of safer replacements. Version 1.1
> updates libESMTP without breaking API and ABI compatibility and
> provides a basis for future development.
>
> In addition to updates to the codebase, documentation is modernised and
> is more comprehensive.
>
> All libESMTP users are encouraged to upgrade from version 1.0.6.
>
> - Update license files
> - Update indentation in hash file (two spaces)
> - Switch to meson-package
> - Handle threads and tls meson options
> - libesmtp-config has been dropped:
> https://github.com/libesmtp/libESMTP/issues/8
> - Fix CVE-2019-19977: libESMTP through 1.0.6 mishandles domain copying
> into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as
> demonstrated by a stack-based buffer over-read.
>
> https://github.com/libesmtp/libESMTP/releases/tag/v1.1.0
> https://libesmtp.github.io/changes-since-v1.0.6.html
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/libesmtp/Config.in | 1 +
> package/libesmtp/libesmtp.hash | 6 +++---
> package/libesmtp/libesmtp.mk | 24 +++++++++++++++++-------
> 3 files changed, 21 insertions(+), 10 deletions(-)
Wow, it's a massive bump for a security bump. So, I've applied to
master, but it's a bit risky. Could you make sure that collectd and
syslog-ng continue to build fine after this bump?
Applied to master anyway, thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [Buildroot] [PATCH 1/1] package/libesmtp: security bump to version 1.1.0
From: Peter Korsgaard @ 2021-08-08 19:15 UTC (permalink / raw)
To: Thomas Petazzoni; +Cc: Eric Le Bihan, Fabrice Fontaine, buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
> On Thu, 5 Aug 2021 23:25:40 +0200
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>> After more than a decade, libESMTP version 1.0.6 is superseded. Despite
>> proving robust a little bitrot has occurred, especially regarding
>> OpenSSL support. The original application data APIs are prone to memory
>> leaks and are deprecated in favour of safer replacements. Version 1.1
>> updates libESMTP without breaking API and ABI compatibility and
>> provides a basis for future development.
>>
>> In addition to updates to the codebase, documentation is modernised and
>> is more comprehensive.
>>
>> All libESMTP users are encouraged to upgrade from version 1.0.6.
>>
>> - Update license files
>> - Update indentation in hash file (two spaces)
>> - Switch to meson-package
>> - Handle threads and tls meson options
>> - libesmtp-config has been dropped:
>> https://github.com/libesmtp/libESMTP/issues/8
>> - Fix CVE-2019-19977: libESMTP through 1.0.6 mishandles domain copying
>> into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as
>> demonstrated by a stack-based buffer over-read.
>>
>> https://github.com/libesmtp/libESMTP/releases/tag/v1.1.0
>> https://libesmtp.github.io/changes-since-v1.0.6.html
>>
>> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>> ---
>> package/libesmtp/Config.in | 1 +
>> package/libesmtp/libesmtp.hash | 6 +++---
>> package/libesmtp/libesmtp.mk | 24 +++++++++++++++++-------
>> 3 files changed, 21 insertions(+), 10 deletions(-)
> Wow, it's a massive bump for a security bump. So, I've applied to
> master, but it's a bit risky. Could you make sure that collectd and
> syslog-ng continue to build fine after this bump?
Yes, I also don't really like it for the stable branches :/
I think I will wait a bit before backporting.
--
Bye, Peter Korsgaard