From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Heiko Thiery <heiko.thiery@gmail.com>,
Andrey Yurovsky <yurovsky@gmail.com>
Subject: [Buildroot] [PATCH] package/rauc: security bump to version 1.15.2
Date: Fri, 27 Mar 2026 19:21:53 +0100
Message-ID: <20260327182155.192855-1-peter@korsgaard.com>

Fixes the following security issue:

CVE-2026-34155: Improper Signing of Plain Bundles Exceeding 2 GiB

RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB
cause an integer overflow which results in a signature which covers only the
first few bytes of the payload. Given such a bundle with a legitimate
signature, an attacker can modify the part of the payload which is not
covered by the signature.

Bundles using the recommended 'verity' or 'crypt' formats are not affected.

For more details, see the advisory:
https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hx

https://github.com/rauc/rauc/releases/tag/v1.15.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/rauc/rauc.hash | 2 +-
package/rauc/rauc.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/rauc/rauc.hash b/package/rauc/rauc.hash
index ea537c63b6..edfefb5a7b 100644
--- a/package/rauc/rauc.hash
+++ b/package/rauc/rauc.hash
@@ -1,3 +1,3 @@
# Locally calculated after checking pgp signature
-sha256 603dafa5085b6b964c74d5f57a154a1489af2b415dd20c6ff1447815d02c094f rauc-1.15.1.tar.xz
+sha256 127a24cde208c65b837ae978c695a00730f1094ee8b6c7d48cf58ef846eae340 rauc-1.15.2.tar.xz
sha256 20e50fe7aae3e56378ebf0417d9de904f55a0e61e4df315333e632a4d3555d95 COPYING
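Review bot: The comment at the top of rauc.hash says the hash was calculated after checking the pgp signature, but neither that comment nor the commit message names the signature file or the key that was used, so the check behind the new rauc-1.15.2.tar.xz line cannot be repeated by a reviewer. Suggest adding the signature's URL and the signing key fingerprint as comment lines above the sha256 entry.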
diff --git a/package/rauc/rauc.mk b/package/rauc/rauc.mk
index ba30c70dad..54974abc09 100644
--- a/package/rauc/rauc.mk
+++ b/package/rauc/rauc.mk
@@ -4,7 +4,7 @@
#
################################################################################
-RAUC_VERSION = 1.15.1
+RAUC_VERSION = 1.15.2
RAUC_SITE = https://github.com/rauc/rauc/releases/download/v$(RAUC_VERSION)
RAUC_SOURCE = rauc-$(RAUC_VERSION).tar.xz
RAUC_LICENSE = LGPL-2.1
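Review bot: The commit message does not say what to do about bundles that already exist. Only RAUC_VERSION changes here, so 'plain' bundles over 2 GiB that were signed with 1.15.1 still carry the signature the message describes. Suggest a sentence in the commit message stating whether such bundles have to be rebuilt or re-signed with 1.15.2, taken from the linked advisory.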
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
Thread overview: 3+ messages
2026-03-27 18:21 Peter Korsgaard [this message]
2026-03-27 19:10 ` [Buildroot] [PATCH] package/rauc: security bump to version 1.15.2 Julien Olivain via buildroot
2026-04-03 10:28 ` Thomas Perale via buildroot