From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/rauc: security bump to version 1.15.2
Date: Fri, 3 Apr 2026 12:28:34 +0200 [thread overview]
Message-ID: <20260403102834.210907-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260327182155.192855-1-peter@korsgaard.com>
In reply of:
> Fixes the following security issue:
>
> CVE-2026-34155: Improper Signing of Plain Bundles Exceeding 2 GiB
>
> RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB
> cause an integer overflow which results in a signature which covers only the
> first few bytes of the payload. Given such a bundle with a legitimate
> signature, an attacker can modify the part of the payload which is not
> covered by the signature.
>
> Bundles using the recommended 'verity' or 'crypt' formats are not affected.
>
> For more details, see the advisory:
> https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hx
>
> https://github.com/rauc/rauc/releases/tag/v1.15.2
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to 2026.02.x. Thanks
> ---
> package/rauc/rauc.hash | 2 +-
> package/rauc/rauc.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/rauc/rauc.hash b/package/rauc/rauc.hash
> index ea537c63b6..edfefb5a7b 100644
> --- a/package/rauc/rauc.hash
> +++ b/package/rauc/rauc.hash
> @@ -1,3 +1,3 @@
> # Locally calculated after checking pgp signature
> -sha256 603dafa5085b6b964c74d5f57a154a1489af2b415dd20c6ff1447815d02c094f rauc-1.15.1.tar.xz
> +sha256 127a24cde208c65b837ae978c695a00730f1094ee8b6c7d48cf58ef846eae340 rauc-1.15.2.tar.xz
> sha256 20e50fe7aae3e56378ebf0417d9de904f55a0e61e4df315333e632a4d3555d95 COPYING
> diff --git a/package/rauc/rauc.mk b/package/rauc/rauc.mk
> index ba30c70dad..54974abc09 100644
> --- a/package/rauc/rauc.mk
> +++ b/package/rauc/rauc.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RAUC_VERSION = 1.15.1
> +RAUC_VERSION = 1.15.2
> RAUC_SITE = https://github.com/rauc/rauc/releases/download/v$(RAUC_VERSION)
> RAUC_SOURCE = rauc-$(RAUC_VERSION).tar.xz
> RAUC_LICENSE = LGPL-2.1
> --
> 2.47.3
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2026-04-03 10:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-27 18:21 [Buildroot] [PATCH] package/rauc: security bump to version 1.15.2 Peter Korsgaard
2026-03-27 19:10 ` Julien Olivain via buildroot
2026-04-03 10:28 ` Thomas Perale via buildroot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260403102834.210907-1-thomas.perale@mind.be \
--to=buildroot@buildroot.org \
--cc=peter@korsgaard.com \
--cc=thomas.perale@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox