[Buildroot] [PATCH 1/1] package/wayland: bump to version 1.21.0

[Buildroot] [PATCH 1/1] package/wayland: bump to version 1.21.0

[James Hilliard]

Drop patches which are now upstream.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
---
 .../wayland/0001-build-set-c_std-c99.patch    |  34 ------
 ...on-t-rely-on-implicit-GNU-extensions.patch | 108 ------------------
 package/wayland/wayland.hash                  |   6 +-
 package/wayland/wayland.mk                    |   4 +-
 4 files changed, 5 insertions(+), 147 deletions(-)
 delete mode 100644 package/wayland/0001-build-set-c_std-c99.patch
 delete mode 100644 package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch

diff --git a/package/wayland/0001-build-set-c_std-c99.patch b/package/wayland/0001-build-set-c_std-c99.patch
deleted file mode 100644
index 69f728aa11..0000000000
--- a/package/wayland/0001-build-set-c_std-c99.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 40c275f642e3895aeb748403fcdfd92d7d875d65 Mon Sep 17 00:00:00 2001
-From: Simon Ser <contact@emersion.fr>
-Date: Mon, 10 Jan 2022 14:54:02 +0100
-Subject: [PATCH] build: set c_std=c99
-
-Set explicitly the C standard to use to make sure we don't use
-features not available on our target platforms.
-
-Signed-off-by: Simon Ser <contact@emersion.fr>
-
-[Retrieved from:
-https://gitlab.freedesktop.org/wayland/wayland/-/commit/40c275f642e3895aeb748403fcdfd92d7d875d65]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- meson.build | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/meson.build b/meson.build
-index cab267e9..e9691ffe 100644
---- a/meson.build
-+++ b/meson.build
-@@ -5,7 +5,8 @@ project(
- 	meson_version: '>= 0.52.1',
- 	default_options: [
- 		'warning_level=2',
--		'buildtype=debugoptimized'
-+		'buildtype=debugoptimized',
-+		'c_std=c99',
- 	]
- )
- wayland_version = meson.project_version().split('.')
--- 
-GitLab
-
diff --git a/package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch b/package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch
deleted file mode 100644
index fcafa98f46..0000000000
--- a/package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 0d314c4a04ef1b86a1ea66107b2d1a8d1bcd93b9 Mon Sep 17 00:00:00 2001
-From: Simon Ser <contact@emersion.fr>
-Date: Mon, 10 Jan 2022 14:51:55 +0100
-Subject: [PATCH] build: don't rely on implicit GNU extensions
-
-Currently libwayland assumes GNU extensions will be available, but
-doesn't define the C standard to use. Instead, let's unconditionally
-enable POSIX extensions, and enable GNU extensions on a case-by-case
-basis as needed.
-
-Signed-off-by: Simon Ser <contact@emersion.fr>
-Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
-[james.hilliard1@gmail.com: backport from upstream commit
-0d314c4a04ef1b86a1ea66107b2d1a8d1bcd93b9]
----
- cursor/xcursor.c        |  1 +
- meson.build             | 10 ++++++++--
- tests/display-test.c    |  1 +
- tests/event-loop-test.c |  1 +
- tests/fixed-test.c      |  1 +
- 5 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/cursor/xcursor.c b/cursor/xcursor.c
-index 0506680..188be7c 100644
---- a/cursor/xcursor.c
-+++ b/cursor/xcursor.c
-@@ -23,6 +23,7 @@
-  * SOFTWARE.
-  */
- 
-+#define _GNU_SOURCE
- #include "xcursor.h"
- #include <stdio.h>
- #include <stdlib.h>
-diff --git a/meson.build b/meson.build
-index 07bbd29..cab267e 100644
---- a/meson.build
-+++ b/meson.build
-@@ -14,6 +14,12 @@ config_h = configuration_data()
- config_h.set_quoted('PACKAGE', meson.project_name())
- config_h.set_quoted('PACKAGE_VERSION', meson.project_version())
- 
-+cc_args = []
-+if host_machine.system() != 'freebsd'
-+	cc_args += ['-D_POSIX_C_SOURCE=200809L']
-+endif
-+add_project_arguments(cc_args, language: 'c')
-+
- compiler_flags = [
- 	'-Wno-unused-parameter',
- 	'-Wstrict-prototypes',
-@@ -79,7 +85,7 @@ if get_option('libraries')
- 	]
- 
- 	foreach d: decls
--		if not cc.has_header_symbol(d['header'], d['symbol'], dependencies: epoll_dep)
-+		if not cc.has_header_symbol(d['header'], d['symbol'], dependencies: epoll_dep, args: cc_args)
- 			error('@0@ is needed to compile Wayland libraries'.format(d['symbol']))
- 		endif
- 	endforeach
-@@ -87,7 +93,7 @@ if get_option('libraries')
- 	rt_dep = []
- 	if not cc.has_function('clock_gettime', prefix: '#include <time.h>')
- 		rt_dep = cc.find_library('rt')
--		if not cc.has_function('clock_gettime', prefix: '#include <time.h>', dependencies: rt_dep)
-+		if not cc.has_function('clock_gettime', prefix: '#include <time.h>', dependencies: rt_dep, args: cc_args)
- 			error('clock_gettime not found')
- 		endif
- 	endif
-diff --git a/tests/display-test.c b/tests/display-test.c
-index 763adc9..a6f410d 100644
---- a/tests/display-test.c
-+++ b/tests/display-test.c
-@@ -24,6 +24,7 @@
-  * SOFTWARE.
-  */
- 
-+#define _GNU_SOURCE
- #include <stdbool.h>
- #include <stdio.h>
- #include <stdlib.h>
-diff --git a/tests/event-loop-test.c b/tests/event-loop-test.c
-index 9d43c91..a51ba8f 100644
---- a/tests/event-loop-test.c
-+++ b/tests/event-loop-test.c
-@@ -24,6 +24,7 @@
-  * SOFTWARE.
-  */
- 
-+#define _GNU_SOURCE
- #include <stdlib.h>
- #include <stdint.h>
- #include <assert.h>
-diff --git a/tests/fixed-test.c b/tests/fixed-test.c
-index 47a4dae..0b58797 100644
---- a/tests/fixed-test.c
-+++ b/tests/fixed-test.c
-@@ -23,6 +23,7 @@
-  * SOFTWARE.
-  */
- 
-+#define _GNU_SOURCE
- #include <stdlib.h>
- #include <stdio.h>
- #include <assert.h>
--- 
-2.25.1
-
diff --git a/package/wayland/wayland.hash b/package/wayland/wayland.hash
index cd4cb1a474..1c7fe705e1 100644
--- a/package/wayland/wayland.hash
+++ b/package/wayland/wayland.hash
@@ -1,6 +1,6 @@
-# From https://lists.freedesktop.org/archives/wayland-devel/2021-December/042064.html
-sha256  b8a034154c7059772e0fdbd27dbfcda6c732df29cae56a82274f6ec5d7cd8725  wayland-1.20.0.tar.xz
-sha512  e8a1f410994b947f850799bdd0d95a2429d8467f853e62a0ab3915a4e9fe130f8aa977e03715114ab740c6ec546edea63d275ce7f927d4f3029ea126e6a7d215  wayland-1.20.0.tar.xz
+# From https://lists.freedesktop.org/archives/wayland-devel/2022-June/042268.html
+sha256  6dc64d7fc16837a693a51cfdb2e568db538bfdc9f457d4656285bb9594ef11ac  wayland-1.21.0.tar.xz
+sha512  5575216d30fdf5c63caa6bcad071e15f2a4f3acb12df776806073f65db37a50b5b5b3cc7957c5497636f4ac01893e2eaab26e453ded44b287acde01762f5fdc3  wayland-1.21.0.tar.xz
 
 # Locally calculated
 sha256  6eefcb023622a463168a5c20add95fd24a38c7482622a9254a23b99b7c153061  COPYING
diff --git a/package/wayland/wayland.mk b/package/wayland/wayland.mk
index 4c19875bba..0a6e5e9ec7 100644
--- a/package/wayland/wayland.mk
+++ b/package/wayland/wayland.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-WAYLAND_VERSION = 1.20.0
-WAYLAND_SITE = https://wayland.freedesktop.org/releases
+WAYLAND_VERSION = 1.21.0
+WAYLAND_SITE = https://gitlab.freedesktop.org/wayland/wayland/-/releases/$(WAYLAND_VERSION)/downloads
 WAYLAND_SOURCE = wayland-$(WAYLAND_VERSION).tar.xz
 WAYLAND_LICENSE = MIT
 WAYLAND_LICENSE_FILES = COPYING
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wayland: bump to version 1.21.0

[Thomas Petazzoni]

On Sat, 17 Sep 2022 15:53:00 -0600
James Hilliard <james.hilliard1@gmail.com> wrote:

> Drop patches which are now upstream.
> 
> Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
> ---
>  .../wayland/0001-build-set-c_std-c99.patch    |  34 ------
>  ...on-t-rely-on-implicit-GNU-extensions.patch | 108 ------------------
>  package/wayland/wayland.hash                  |   6 +-
>  package/wayland/wayland.mk                    |   4 +-
>  4 files changed, 5 insertions(+), 147 deletions(-)
>  delete mode 100644 package/wayland/0001-build-set-c_std-c99.patch
>  delete mode 100644 package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wayland: bump to version 1.21.0

[Quentin Schulz via buildroot]

Hi all,

Cc'ing Peter.

Can this be merged back to 2022.02.x and 2022.08.x as a security fix please?

Versions before 1.20.91 are vulnerable to 
https://nvd.nist.gov/vuln/detail/CVE-2021-3782.

Thanks,
Quentin

On 9/17/22 23:53, James Hilliard wrote:
> Drop patches which are now upstream.
> 
> Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
> ---
>   .../wayland/0001-build-set-c_std-c99.patch    |  34 ------
>   ...on-t-rely-on-implicit-GNU-extensions.patch | 108 ------------------
>   package/wayland/wayland.hash                  |   6 +-
>   package/wayland/wayland.mk                    |   4 +-
>   4 files changed, 5 insertions(+), 147 deletions(-)
>   delete mode 100644 package/wayland/0001-build-set-c_std-c99.patch
>   delete mode 100644 package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch
> 
> diff --git a/package/wayland/0001-build-set-c_std-c99.patch b/package/wayland/0001-build-set-c_std-c99.patch
> deleted file mode 100644
> index 69f728aa11..0000000000
> --- a/package/wayland/0001-build-set-c_std-c99.patch
> +++ /dev/null
> @@ -1,34 +0,0 @@
> -From 40c275f642e3895aeb748403fcdfd92d7d875d65 Mon Sep 17 00:00:00 2001
> -From: Simon Ser <contact@emersion.fr>
> -Date: Mon, 10 Jan 2022 14:54:02 +0100
> -Subject: [PATCH] build: set c_std=c99
> -
> -Set explicitly the C standard to use to make sure we don't use
> -features not available on our target platforms.
> -
> -Signed-off-by: Simon Ser <contact@emersion.fr>
> -
> -[Retrieved from:
> -https://urldefense.proofpoint.com/v2/url?u=https-3A__gitlab.freedesktop.org_wayland_wayland_-2D_commit_40c275f642e3895aeb748403fcdfd92d7d875d65&d=DwICAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gkdvtCPbbGSVcFPgwKGENWmUnotcgLFoCLStfh-7BcjMPijnwJeD-eu13g9C3Nvz&s=5-9KliKLjDbRGj_rjnky6w4a9gzUAx2a7nzwikNoRUo&e= ]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - meson.build | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/meson.build b/meson.build
> -index cab267e9..e9691ffe 100644
> ---- a/meson.build
> -+++ b/meson.build
> -@@ -5,7 +5,8 @@ project(
> - 	meson_version: '>= 0.52.1',
> - 	default_options: [
> - 		'warning_level=2',
> --		'buildtype=debugoptimized'
> -+		'buildtype=debugoptimized',
> -+		'c_std=c99',
> - 	]
> - )
> - wayland_version = meson.project_version().split('.')
> ---
> -GitLab
> -
> diff --git a/package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch b/package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch
> deleted file mode 100644
> index fcafa98f46..0000000000
> --- a/package/wayland/0002-build-don-t-rely-on-implicit-GNU-extensions.patch
> +++ /dev/null
> @@ -1,108 +0,0 @@
> -From 0d314c4a04ef1b86a1ea66107b2d1a8d1bcd93b9 Mon Sep 17 00:00:00 2001
> -From: Simon Ser <contact@emersion.fr>
> -Date: Mon, 10 Jan 2022 14:51:55 +0100
> -Subject: [PATCH] build: don't rely on implicit GNU extensions
> -
> -Currently libwayland assumes GNU extensions will be available, but
> -doesn't define the C standard to use. Instead, let's unconditionally
> -enable POSIX extensions, and enable GNU extensions on a case-by-case
> -basis as needed.
> -
> -Signed-off-by: Simon Ser <contact@emersion.fr>
> -Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
> -[james.hilliard1@gmail.com: backport from upstream commit
> -0d314c4a04ef1b86a1ea66107b2d1a8d1bcd93b9]
> ----
> - cursor/xcursor.c        |  1 +
> - meson.build             | 10 ++++++++--
> - tests/display-test.c    |  1 +
> - tests/event-loop-test.c |  1 +
> - tests/fixed-test.c      |  1 +
> - 5 files changed, 12 insertions(+), 2 deletions(-)
> -
> -diff --git a/cursor/xcursor.c b/cursor/xcursor.c
> -index 0506680..188be7c 100644
> ---- a/cursor/xcursor.c
> -+++ b/cursor/xcursor.c
> -@@ -23,6 +23,7 @@
> -  * SOFTWARE.
> -  */
> -
> -+#define _GNU_SOURCE
> - #include "xcursor.h"
> - #include <stdio.h>
> - #include <stdlib.h>
> -diff --git a/meson.build b/meson.build
> -index 07bbd29..cab267e 100644
> ---- a/meson.build
> -+++ b/meson.build
> -@@ -14,6 +14,12 @@ config_h = configuration_data()
> - config_h.set_quoted('PACKAGE', meson.project_name())
> - config_h.set_quoted('PACKAGE_VERSION', meson.project_version())
> -
> -+cc_args = []
> -+if host_machine.system() != 'freebsd'
> -+	cc_args += ['-D_POSIX_C_SOURCE=200809L']
> -+endif
> -+add_project_arguments(cc_args, language: 'c')
> -+
> - compiler_flags = [
> - 	'-Wno-unused-parameter',
> - 	'-Wstrict-prototypes',
> -@@ -79,7 +85,7 @@ if get_option('libraries')
> - 	]
> -
> - 	foreach d: decls
> --		if not cc.has_header_symbol(d['header'], d['symbol'], dependencies: epoll_dep)
> -+		if not cc.has_header_symbol(d['header'], d['symbol'], dependencies: epoll_dep, args: cc_args)
> - 			error('@0@ is needed to compile Wayland libraries'.format(d['symbol']))
> - 		endif
> - 	endforeach
> -@@ -87,7 +93,7 @@ if get_option('libraries')
> - 	rt_dep = []
> - 	if not cc.has_function('clock_gettime', prefix: '#include <time.h>')
> - 		rt_dep = cc.find_library('rt')
> --		if not cc.has_function('clock_gettime', prefix: '#include <time.h>', dependencies: rt_dep)
> -+		if not cc.has_function('clock_gettime', prefix: '#include <time.h>', dependencies: rt_dep, args: cc_args)
> - 			error('clock_gettime not found')
> - 		endif
> - 	endif
> -diff --git a/tests/display-test.c b/tests/display-test.c
> -index 763adc9..a6f410d 100644
> ---- a/tests/display-test.c
> -+++ b/tests/display-test.c
> -@@ -24,6 +24,7 @@
> -  * SOFTWARE.
> -  */
> -
> -+#define _GNU_SOURCE
> - #include <stdbool.h>
> - #include <stdio.h>
> - #include <stdlib.h>
> -diff --git a/tests/event-loop-test.c b/tests/event-loop-test.c
> -index 9d43c91..a51ba8f 100644
> ---- a/tests/event-loop-test.c
> -+++ b/tests/event-loop-test.c
> -@@ -24,6 +24,7 @@
> -  * SOFTWARE.
> -  */
> -
> -+#define _GNU_SOURCE
> - #include <stdlib.h>
> - #include <stdint.h>
> - #include <assert.h>
> -diff --git a/tests/fixed-test.c b/tests/fixed-test.c
> -index 47a4dae..0b58797 100644
> ---- a/tests/fixed-test.c
> -+++ b/tests/fixed-test.c
> -@@ -23,6 +23,7 @@
> -  * SOFTWARE.
> -  */
> -
> -+#define _GNU_SOURCE
> - #include <stdlib.h>
> - #include <stdio.h>
> - #include <assert.h>
> ---
> -2.25.1
> -
> diff --git a/package/wayland/wayland.hash b/package/wayland/wayland.hash
> index cd4cb1a474..1c7fe705e1 100644
> --- a/package/wayland/wayland.hash
> +++ b/package/wayland/wayland.hash
> @@ -1,6 +1,6 @@
> -# From https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.freedesktop.org_archives_wayland-2Ddevel_2021-2DDecember_042064.html&d=DwICAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gkdvtCPbbGSVcFPgwKGENWmUnotcgLFoCLStfh-7BcjMPijnwJeD-eu13g9C3Nvz&s=HJGnEyJNAhDlQUHzGPjwhHsnP_axDkeP2O27H2XH744&e=
> -sha256  b8a034154c7059772e0fdbd27dbfcda6c732df29cae56a82274f6ec5d7cd8725  wayland-1.20.0.tar.xz
> -sha512  e8a1f410994b947f850799bdd0d95a2429d8467f853e62a0ab3915a4e9fe130f8aa977e03715114ab740c6ec546edea63d275ce7f927d4f3029ea126e6a7d215  wayland-1.20.0.tar.xz
> +# From https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.freedesktop.org_archives_wayland-2Ddevel_2022-2DJune_042268.html&d=DwICAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gkdvtCPbbGSVcFPgwKGENWmUnotcgLFoCLStfh-7BcjMPijnwJeD-eu13g9C3Nvz&s=8sbNBXCbWHskG5c1-AYEZZXxCB_AxZ8ZulaU8jjjuvo&e=
> +sha256  6dc64d7fc16837a693a51cfdb2e568db538bfdc9f457d4656285bb9594ef11ac  wayland-1.21.0.tar.xz
> +sha512  5575216d30fdf5c63caa6bcad071e15f2a4f3acb12df776806073f65db37a50b5b5b3cc7957c5497636f4ac01893e2eaab26e453ded44b287acde01762f5fdc3  wayland-1.21.0.tar.xz
>   
>   # Locally calculated
>   sha256  6eefcb023622a463168a5c20add95fd24a38c7482622a9254a23b99b7c153061  COPYING
> diff --git a/package/wayland/wayland.mk b/package/wayland/wayland.mk
> index 4c19875bba..0a6e5e9ec7 100644
> --- a/package/wayland/wayland.mk
> +++ b/package/wayland/wayland.mk
> @@ -4,8 +4,8 @@
>   #
>   ################################################################################
>   
> -WAYLAND_VERSION = 1.20.0
> -WAYLAND_SITE = https://urldefense.proofpoint.com/v2/url?u=https-3A__wayland.freedesktop.org_releases&d=DwICAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gkdvtCPbbGSVcFPgwKGENWmUnotcgLFoCLStfh-7BcjMPijnwJeD-eu13g9C3Nvz&s=agz4qQ9q8rd794aDcN4iSMzXxN25JybdyV0outK4UvU&e=
> +WAYLAND_VERSION = 1.21.0
> +WAYLAND_SITE = https://urldefense.proofpoint.com/v2/url?u=https-3A__gitlab.freedesktop.org_wayland_wayland_-2D_releases_-24-28WAYLAND-5FVERSION-29_downloads&d=DwICAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gkdvtCPbbGSVcFPgwKGENWmUnotcgLFoCLStfh-7BcjMPijnwJeD-eu13g9C3Nvz&s=Q1G1HWD5Npyv7Z63esB-vPy1u36r0lnkOwULmuVua1c&e=
>   WAYLAND_SOURCE = wayland-$(WAYLAND_VERSION).tar.xz
>   WAYLAND_LICENSE = MIT
>   WAYLAND_LICENSE_FILES = COPYING
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wayland: bump to version 1.21.0

[Peter Korsgaard]

>>>>> "Quentin" == Quentin Schulz <quentin.schulz@theobroma-systems.com> writes:

Hello,

 > Can this be merged back to 2022.02.x and 2022.08.x as a security fix please?

 > Versions before 1.20.91 are vulnerable to
 > https://nvd.nist.gov/vuln/detail/CVE-2021-3782.

Thanks for the heads up. 2022.08.x is now EOL, but we can do it for
2022.02.x.

What are the reverse dependencies? We're currently using 1.19.0 on
2022.02.x, so perhaps it would be safer to instead just backport the
fix:

https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2

Is this something you can do (and have a setup to verify on?)

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wayland: bump to version 1.21.0

[Quentin Schulz via buildroot]

Hi Peter,

On 12/14/22 20:15, Peter Korsgaard wrote:
>>>>>> "Quentin" == Quentin Schulz <quentin.schulz@theobroma-systems.com> writes:
> 
> Hello,
> 
>   > Can this be merged back to 2022.02.x and 2022.08.x as a security fix please?
> 
>   > Versions before 1.20.91 are vulnerable to
>   > https://urldefense.com/v3/__https://nvd.nist.gov/vuln/detail/CVE-2021-3782__;!!OOPJP91ZZw!ht7B4n-NHoUinOJyrCggycWhjw_79i_yqZiuq1exA7VMLcIwTf2Lzwu1iL-UviZg2Eb9AzmymXXtdALNJ-9-_K3yl5hV3g$ .
> 
> Thanks for the heads up. 2022.08.x is now EOL, but we can do it for
> 2022.02.x.
> 
> What are the reverse dependencies? We're currently using 1.19.0 on
> 2022.02.x, so perhaps it would be safer to instead just backport the
> fix:
> 
> https://urldefense.com/v3/__https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2__;!!OOPJP91ZZw!ht7B4n-NHoUinOJyrCggycWhjw_79i_yqZiuq1exA7VMLcIwTf2Lzwu1iL-UviZg2Eb9AzmymXXtdALNJ-9-_K3HtNL-tw$
>

It cleanly applies after 
https://gitlab.freedesktop.org/wayland/wayland/-/commit/03e8a1f84b6a15c9531db1ca8d0a25f9fcffaf25 
is applied too. So that could be an option too yes.

> Is this something you can do (and have a setup to verify on?)
>
The commit specifies: "This would currently take a massive amount of RAM 
[...] take an improbable amount of RAM to hit this, and a client could 
still exhaust all RAM in this way, but our goal is to prevent overflow 
and undefined behaviour."

In the merge request there's some rought estimate: "conservatiely 416G 
of memory allocation to get to this point. We do touch it all, so it 
needs to exist as RAM or swap." and later on "if you can convince the 
compositor to hold a ton of references to the pool, you could make it 
happen with fewer objects; wl_shm_buffer_ref_pool() exists and asserts 
that the external + internal refcount stays positive. So I think you'd 
'just' need to get it to take (2 << 31) external refs, then you'd only 
need a single live client buffer to break the addition test we do in the 
unref path.".

There doesn't seem to be an exploit PoC available somewhere (as is often 
the case) and I wouldn't even have a machine at hand with that much 
RAM/swap to test this properly if there was one.

As for the reverse dependencies, I was planning on doing a simple test 
with weston (which is the only compositor we use) but that is of the 
same version in 2022.02.x that it is in master so that won't tell us much.

Are you concerned about something specifically? Is there something you'd 
want me to check?

Cheers,
Quentin
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wayland: bump to version 1.21.0

[Peter Korsgaard]

>>>>> "Quentin" == Quentin Schulz <quentin.schulz@theobroma-systems.com> writes:

Hi,

 > It cleanly applies after
 > https://gitlab.freedesktop.org/wayland/wayland/-/commit/03e8a1f84b6a15c9531db1ca8d0a25f9fcffaf25 
 > is applied too. So that could be an option too yes.

OK, good. Then I would prefer that for 2022.02.x.


 > There doesn't seem to be an exploit PoC available somewhere (as is
 > often the case) and I wouldn't even have a machine at hand with that
 > much RAM/swap to test this properly if there was one.

It indeed doesn't sound like a very relatistic vulnerability for a
Buildroot system. I guess you flagged it just because it comes up by the
CVE scan rather than any real concerns about the vulnerability?


 > As for the reverse dependencies, I was planning on doing a simple test
 > with weston (which is the only compositor we use) but that is of the 
 > same version in 2022.02.x that it is in master so that won't tell us much.

 > Are you concerned about something specifically? Is there something
 > you'd want me to check?

No, nothing specific - We just don't have any runtime tests for wayland,
so it is handy if you have a working setup where you can do a quick
smoke test.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot