[Buildroot] [git commit] package/dmidecode: bump to version 3.5

[Buildroot] [git commit] package/dmidecode: bump to version 3.5

[Peter Korsgaard]

commit: https://git.buildroot.net/buildroot/commit/?id=c97f27283b36ffc39dfb6223caee6055997b3234
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

For change log, see:
https://git.savannah.gnu.org/cgit/dmidecode.git/tree/NEWS?h=dmidecode-3-5

Note: this patch also adds a comment about pgp signature verification in
the hash file.

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/dmidecode/dmidecode.hash | 5 +++--
 package/dmidecode/dmidecode.mk   | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/package/dmidecode/dmidecode.hash b/package/dmidecode/dmidecode.hash
index ec5484e667..654c4cc537 100644
--- a/package/dmidecode/dmidecode.hash
+++ b/package/dmidecode/dmidecode.hash
@@ -1,3 +1,4 @@
-# Locally computed
-sha256  43cba851d8467c9979ccdbeab192eb6638c7d3a697eba5ddb779da8837542212  dmidecode-3.4.tar.xz
+# Locally computed after checking pgp signature from:
+# https://download.savannah.gnu.org/releases/dmidecode/dmidecode-3.5.tar.xz.sig
+sha256  79d76735ee8e25196e2a722964cf9683f5a09581503537884b256b01389cc073  dmidecode-3.5.tar.xz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  LICENSE
diff --git a/package/dmidecode/dmidecode.mk b/package/dmidecode/dmidecode.mk
index 352cdb106c..353978daa9 100644
--- a/package/dmidecode/dmidecode.mk
+++ b/package/dmidecode/dmidecode.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DMIDECODE_VERSION = 3.4
+DMIDECODE_VERSION = 3.5
 DMIDECODE_SOURCE = dmidecode-$(DMIDECODE_VERSION).tar.xz
 DMIDECODE_SITE = http://download.savannah.gnu.org/releases/dmidecode
 DMIDECODE_LICENSE = GPL-2.0+
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [git commit] package/dmidecode: bump to version 3.5

[Thomas Petazzoni via buildroot]

Hello Peter,

On Tue, 27 Jun 2023 07:48:40 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:

> commit: https://git.buildroot.net/buildroot/commit/?id=c97f27283b36ffc39dfb6223caee6055997b3234
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> 
> For change log, see:
> https://git.savannah.gnu.org/cgit/dmidecode.git/tree/NEWS?h=dmidecode-3-5
> 
> Note: this patch also adds a comment about pgp signature verification in
> the hash file.
> 
> Signed-off-by: Julien Olivain <ju.o@free.fr>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

FYI: this is a security bump, as it fixes
https://nvd.nist.gov/vuln/detail/CVE-2023-30630. "Dmidecode before 3.5
allows -dump-bin to overwrite a local file. This has security relevance
because, for example, execution of Dmidecode via Sudo is plausible."

Therefore, it needs to be backported to 2023.02.x and 2023.05.x, or
alternatively:

  https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f387e87091c25e7d5b8c2bb348bb206
  https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c81f74e1ca4e7706f70bdda72e6f2

need to be backported. However, there are only 20 commits between
dmidecode 3.4 (which is in Buildroot 2023.02.x) and dmidecode 3.5
(which fixes this CVE):

484f8935b0fc768841f43fa388b191196b5e12fd (tag: dmidecode-3-5) Set the version to 3.5
8baf2f508c6eb5359f12c911a0d58b893c12f1ca Fix a build warning when USE_MMAP isn't set
b9ebecc6391c4ad36ce0088b93ca8333c2f05ee7 dmioem: HPE type 242: Fix ID on 32-bit systems
189ca352e9341778c21e95c27817574b2876ede7 Ensure /dev/mem is a character device file
8427888ccf068f2ae1105e0c9276a15191a16ee5 dmidecode: Use the right variable for -s bios-revision/firmware-revision
6ca381c1247c81f74e1ca4e7706f70bdda72e6f2 dmidecode: Do not let --dump-bin overwrite an existing file
d8cfbc808f387e87091c25e7d5b8c2bb348bb206 dmidecode: Write the whole dump file at once
39b2dd7b6ab719b920e96ed832cfb4bdd664e808 dmidecode: Split table fetching from decoding
11b168f206efe5b3ebe2f1e587fb3d816d6c4a6f dmioem: Avoid intermediate buffer (HPE type 216)
9d2bbd5db427b063da137d9016fe6628038334eb dmioem: Decode HPE OEM Record 216
3d6835047f80691678e5db3127f9d573956413f0 dmidecode: Drop the CPUID exception list
c1a2520433a31294fe9a0ccb52136d048f2d76e6 dmidecode: Add a --no-quirks option
67dc0b27d50e3986d5e7cd35ec25cc5901a2e9e9 dmidecode: Fortify entry point length checks
f8016734735486c99eacc1bca975913535905c1f dmioem: Typo fix (Virutal -> Virtual)
90d1323a8d14acbf32154c03074e3caf94b1e7a1 dmioem: Decode HPE OEM Record 242
f50b925c8d43ab2470fe750c49bd33c9a5f3bd1d dmioem: Update HPE OEM Record 238
ac24b672dee81cdbfb35b69b38459a1352dcbe8a dmioem: Decode HPE OEM Record 230
c3357b532941a8df387618e692e522cc7a43b3e8 dmioem: Fix segmentation fault in dmi_hp_240_attr()
a1a2258ffbe450e8561ee833787da9321fa734b0 dmioem: Decode HPE OEM Record 224
fb8766a9d26053b3ad5f6228ffaf09690b7cac90 NEWS: Fix typo

So getting dmidecode 3.5 in Buildroot 2023.02 and 2023.05 is probably OK.

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [git commit] package/dmidecode: bump to version 3.5

[Peter Korsgaard]

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > Hello Peter,
 > On Tue, 27 Jun 2023 07:48:40 +0200
 > Peter Korsgaard <peter@korsgaard.com> wrote:

 >> commit: https://git.buildroot.net/buildroot/commit/?id=c97f27283b36ffc39dfb6223caee6055997b3234
 >> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
 >> 
 >> For change log, see:
 >> https://git.savannah.gnu.org/cgit/dmidecode.git/tree/NEWS?h=dmidecode-3-5
 >> 
 >> Note: this patch also adds a comment about pgp signature verification in
 >> the hash file.
 >> 
 >> Signed-off-by: Julien Olivain <ju.o@free.fr>
 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

 > FYI: this is a security bump, as it fixes
 > https://nvd.nist.gov/vuln/detail/CVE-2023-30630. "Dmidecode before 3.5
 > allows -dump-bin to overwrite a local file. This has security relevance
 > because, for example, execution of Dmidecode via Sudo is plausible."

OK. Somewhat unlikely threat model expecting people to run dmidecode
-dump-bin on untrusted machines in directories with other files, but oh well.

 > So getting dmidecode 3.5 in Buildroot 2023.02 and 2023.05 is probably OK.

Yes, I'll do that. Thanks for the heads up!

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [git commit] package/dmidecode: bump to version 3.5

[Thomas Petazzoni via buildroot]

On Tue, 29 Aug 2023 10:55:08 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:

>  > FYI: this is a security bump, as it fixes
>  > https://nvd.nist.gov/vuln/detail/CVE-2023-30630. "Dmidecode before 3.5
>  > allows -dump-bin to overwrite a local file. This has security relevance
>  > because, for example, execution of Dmidecode via Sudo is plausible."  
> 
> OK. Somewhat unlikely threat model expecting people to run dmidecode
> -dump-bin on untrusted machines in directories with other files, but oh well.

Yeah, but the CVE pops up in my list of CVEs to fix :-)

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot