* [Buildroot] [PATCH 1/1] package/libmodplug: update to git version
From: Gleb Mazovetskiy @ 2022-12-19 17:39 UTC
To: buildroot; +Cc: Gleb Mazovetskiy, Samuel Martin

The libmodplug release has not been updated for over 5 years.
The git version contains many bug fixes, including for OOB
accesses, unaligned reads and writes, etc.

This git repository is the official home of libmodplug (by the original
author), however a new release does not seem likely anytime soon:
there are multiple open issues in the repository asking the author to
tag a release, all without a response.

Update buildroot to the current version of libmodplug from the official
git repository. The build system changed from autotools to cmake since
the last version.

Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
---
package/libmodplug/libmodplug.hash | 2 +-
package/libmodplug/libmodplug.mk | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/libmodplug/libmodplug.hash b/package/libmodplug/libmodplug.hash
index e75152e27f..01ff71014c 100644
--- a/package/libmodplug/libmodplug.hash
+++ b/package/libmodplug/libmodplug.hash
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 457ca5a6c179656d66c01505c0d95fafaead4329b9dbaa0f997d00a3508ad9de libmodplug-0.8.9.0.tar.gz
+sha256 d145910ca10c3ecab0019d45be7e31ea6be1d1ee951ef0e1f747c9752d20f043 libmodplug-d1b97ed.tar.gz
sha256 49942e7b3b175f549e751feb08b5270ca6f6c5fb7a1be9f9517db275ec32c92e COPYING
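Review bot: the new sha256 line names the archive libmodplug-d1b97ed.tar.gz, so this hash entry is tied to a 7-character abbreviated commit id. An abbreviated id can become ambiguous as the repository grows; consider spelling the commit out in full in LIBMODPLUG_VERSION and regenerating this line so the file name matches. The COPYING line is unchanged context, so please confirm the license file still matches that hash at the new commit.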
diff --git a/package/libmodplug/libmodplug.mk b/package/libmodplug/libmodplug.mk
index 98c38a3b00..641ad64acb 100644
--- a/package/libmodplug/libmodplug.mk
+++ b/package/libmodplug/libmodplug.mk
@@ -4,11 +4,11 @@
#
################################################################################
-LIBMODPLUG_VERSION = 0.8.9.0
-LIBMODPLUG_SITE = http://downloads.sourceforge.net/project/modplug-xmms/libmodplug/$(LIBMODPLUG_VERSION)
+LIBMODPLUG_VERSION = d1b97ed
+LIBMODPLUG_SITE = $(call github,Konstanty,libmodplug,$(LIBMODPLUG_VERSION))
LIBMODPLUG_INSTALL_STAGING = YES
LIBMODPLUG_LICENSE = Public Domain
LIBMODPLUG_LICENSE_FILES = COPYING
LIBMODPLUG_CPE_ID_VENDOR = konstanty_bialkowski
-$(eval $(autotools-package))
+$(eval $(cmake-package))
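Review bot: LIBMODPLUG_CPE_ID_VENDOR is kept, but with LIBMODPLUG_VERSION = d1b97ed the version available for CVE matching is now a commit id rather than a release number, and nothing in this hunk sets LIBMODPLUG_CPE_ID_VERSION. Suggest adding LIBMODPLUG_CPE_ID_VERSION = 0.8.9.0 with a comment stating that the snapshot is newer than that release. The switch to $(eval $(cmake-package)) also comes without any LIBMODPLUG_CONF_OPTS, so it is worth confirming that the cmake build installs the same headers and library to staging as the autotools build did.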
--
2.37.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/1] package/libmodplug: update to git version
From: Thomas Petazzoni via buildroot @ 2022-12-29 9:27 UTC
To: Gleb Mazovetskiy; +Cc: Samuel Martin, buildroot
Hello,
On Mon, 19 Dec 2022 17:39:34 +0000
Gleb Mazovetskiy <glex.spb@gmail.com> wrote:
> The libmodplug release has not been updated for over 5 years.
> The git version contains many bug fixes, including for OOB
> accesses, unaligned reads and writes, etc.
>
> This git repository is the official home of libmodplug (by the original
> author), however a new release does not seem likely anytime soon:
> there are multiple open issues in the repository asking the author to
> tag a release, all without a response.
>
> Update buildroot to the current version of libmodplug from the official
> git repository. The build system changed from autotools to cmake since
> the last version.
>
> Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
> ---
> package/libmodplug/libmodplug.hash | 2 +-
> package/libmodplug/libmodplug.mk | 6 +++---
> 2 files changed, 4 insertions(+), 4 deletions(-)
I've applied, but with the following addition:
+# Our version is actually newer than this, but having this allows to
+# not have reports about CVEs for versions older than 0.8.9.0.
+LIBMODPLUG_CPE_ID_VERSION = 0.8.9.0

Indeed, with your change as-is, the results at
http://autobuild.buildroot.net/stats/master.html would have shown that
all known CVEs of libmodplug apply to our package... even though they
in fact affect older releases. This is due to the fact that with the
new version being a Git commit hash, it cannot be compared with the
stable version numbers known in the CVE database.

By making this variable value be 0.8.9.0, we allow the CVE matching
logic to exclude CVEs affecting versions older than 0.8.9.0, which we
know we are not affected by, as we have a newer code base than 0.8.9.0.

Thanks for your contribution!
Best regards,
Thomas Petazzoni
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
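
Added example (not part of the thread, and not Buildroot's own CVE-checking code): a minimal version-range matcher showing why a commit id such as d1b97ed ends up reported against every CVE, and what pinning the CPE version to 0.8.9.0 changes. The CVE ids and ranges are constructed placeholders, and the "report when not comparable" fallback is an assumption modelled on the behaviour described in the reply above.

```python
import re

def parse_version(v):
    """Tuple of ints for a dotted numeric version, or None if not comparable."""
    if re.fullmatch(r"\d+(\.\d+)*", v):
        return tuple(int(part) for part in v.split("."))
    return None

def affects(pkg_version, end_excluding=None, end_including=None):
    """True if the CVE's affected range covers pkg_version.

    Assumption: a version that cannot be ordered (e.g. a git commit id)
    is treated conservatively and reported as affected.
    """
    pv = parse_version(pkg_version)
    if pv is None:
        return True
    if end_excluding is not None:
        return pv < parse_version(end_excluding)
    if end_including is not None:
        return pv <= parse_version(end_including)
    return True  # no upper bound recorded: every version is in range

# Constructed sample records, not real CVE entries.
CONSTRUCTED_CVES = [
    ("CVE-EXAMPLE-A", {"end_excluding": "0.8.9.0"}),  # fixed in 0.8.9.0
    ("CVE-EXAMPLE-B", {"end_including": "0.8.8.5"}),  # older releases only
    ("CVE-EXAMPLE-C", {"end_including": "0.8.9.0"}),  # 0.8.9.0 itself in range
]

def report(pkg_version):
    """Ids of the constructed CVEs that would be listed for pkg_version."""
    return [cid for cid, rng in CONSTRUCTED_CVES if affects(pkg_version, **rng)]

if __name__ == "__main__":
    print("d1b97ed :", report("d1b97ed"))   # commit id: nothing can be excluded
    print("0.8.9.0 :", report("0.8.9.0"))   # pinned CPE version
```

With the version pinned, a CVE whose range includes 0.8.9.0 itself is still listed even if the git snapshot already contains the fix, so such entries need to be reviewed by hand.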