Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.5.0
@ 2022-10-26 19:36 Fabrice Fontaine
  2022-10-26 19:51 ` Thomas Petazzoni via buildroot
  2022-11-05 21:42 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-10-26 19:36 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

Expat 2.5.0 has been released earlier today. Most importantly, this
release fixes CVE-2022-43680: a heap use-after-free vulnerability after
overeager destruction of a shared DTD in function
XML_ExternalEntityParserCreate in out-of-memory situations, with
expected impact of denial of service or potentially arbitrary code
execution.

https://blog.hartwork.org/posts/expat-2-5-0-released
https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/expat/expat.hash | 8 ++++----
 package/expat/expat.mk   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/expat/expat.hash b/package/expat/expat.hash
index 15e64a4dc8..c6c25aa3e0 100644
--- a/package/expat/expat.hash
+++ b/package/expat/expat.hash
@@ -1,7 +1,7 @@
-# From https://sourceforge.net/projects/expat/files/expat/2.4.9/
-md5  8d7fcf7d02d08bf79d9ae5c21cc72c03  expat-2.4.9.tar.xz
-sha1  be91118bc495ce49b04a3fd0f27df2fb5a843e9b  expat-2.4.9.tar.xz
+# From https://sourceforge.net/projects/expat/files/expat/2.5.0/
+md5  ac6677b6d1b95d209ab697ce8b688704  expat-2.5.0.tar.xz
+sha1  5178e13c1e34f4643d5118d5758babfe0e836fe2  expat-2.5.0.tar.xz
 
 # Locally calculated
-sha256  6e8c0728fe5c7cd3f93a6acce43046c5e4736c7b4b68e032e9350daa0efc0354  expat-2.4.9.tar.xz
+sha256  ef2420f0232c087801abf705e89ae65f6257df6b7931d37846a193ef2e8cdcbe  expat-2.5.0.tar.xz
 sha256  122f2c27000472a201d337b9b31f7eb2b52d091b02857061a8880371612d9534  COPYING
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index 59854d0ee8..6f22024cc0 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-EXPAT_VERSION = 2.4.9
+EXPAT_VERSION = 2.5.0
 EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
 EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.xz
 EXPAT_INSTALL_STAGING = YES
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.5.0
  2022-10-26 19:36 [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.5.0 Fabrice Fontaine
@ 2022-10-26 19:51 ` Thomas Petazzoni via buildroot
  2022-11-05 21:42 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2022-10-26 19:51 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

On Wed, 26 Oct 2022 21:36:58 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Expat 2.5.0 has been released earlier today. Most importantly, this
> release fixes CVE-2022-43680: a heap use-after-free vulnerability after
> overeager destruction of a shared DTD in function
> XML_ExternalEntityParserCreate in out-of-memory situations, with
> expected impact of denial of service or potentially arbitrary code
> execution.
> 
> https://blog.hartwork.org/posts/expat-2-5-0-released
> https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/expat/expat.hash | 8 ++++----
>  package/expat/expat.mk   | 2 +-
>  2 files changed, 5 insertions(+), 5 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.5.0
  2022-10-26 19:36 [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.5.0 Fabrice Fontaine
  2022-10-26 19:51 ` Thomas Petazzoni via buildroot
@ 2022-11-05 21:42 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-11-05 21:42 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Expat 2.5.0 has been released earlier today. Most importantly, this
 > release fixes CVE-2022-43680: a heap use-after-free vulnerability after
 > overeager destruction of a shared DTD in function
 > XML_ExternalEntityParserCreate in out-of-memory situations, with
 > expected impact of denial of service or potentially arbitrary code
 > execution.

 > https://blog.hartwork.org/posts/expat-2-5-0-released
 > https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-05 21:42 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-10-26 19:36 [Buildroot] [PATCH 1/1] package/expat: security bump to version 2.5.0 Fabrice Fontaine
2022-10-26 19:51 ` Thomas Petazzoni via buildroot
2022-11-05 21:42 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox