* [Buildroot] [PATCH] package/enlightenment: security bump to version 0.25.4
@ 2023-10-01 18:11 Daniel Lang
2023-10-01 18:58 ` Peter Korsgaard
2023-10-13 15:00 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Daniel Lang @ 2023-10-01 18:11 UTC
To: buildroot; +Cc: Romain Naour
This is a bugfix release which fixes a CVE.
See:
https://www.enlightenment.org/news/2022-09-15-enlightenment-0.25.4
CVE-2022-37706 "enlightenment_sys in Enlightenment before 0.25.4 allows
local users to gain privileges because it is setuid root, and the system
library function mishandles pathnames that begin with a /dev/..
substring."
Hashes were never part of the online news page, therefore mark them as
locally computed.
Signed-off-by: Daniel Lang <dalang@gmx.at>
---
package/enlightenment/enlightenment.hash | 5 +++--
package/enlightenment/enlightenment.mk | 2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/package/enlightenment/enlightenment.hash b/package/enlightenment/enlightenment.hash
index 2d977b86f7..ed5d6b24ef 100644
--- a/package/enlightenment/enlightenment.hash
+++ b/package/enlightenment/enlightenment.hash
@@ -1,4 +1,5 @@
-# From https://www.enlightenment.org/news/2022-01-03-enlightenment-0.25.1
-sha256 2cf05fe3d96ef35e823619dbc0ac513ecabcae2186800ecd804924a637112444 enlightenment-0.25.1.tar.xz
+# From https://www.enlightenment.org/news/2022-09-15-enlightenment-0.25.4
+sha256 56db5d206b821b9a8831d26e713e410ac70b2255a6f43fcdf7c01eefde23b7a2 enlightenment-0.25.4.tar.xz
+# Locally computed
sha256 8d2fbc393e967cd6f5b8559d1744881a6a1ceb3ec6e1c2368c3916809ffccb8d COPYING
sha256 cdc77ee1732455b203610f923fe4196046b3f7509038c48dc0b0c7e3492c23f3 src/modules/wl_weekeyboard/themes/default/fonts/LICENSE.txt
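Review bot: the `# From https://www.enlightenment.org/news/2022-09-15-enlightenment-0.25.4` comment kept above the tarball hash conflicts with the commit message, which says hashes were never part of the online news page. If the tarball sha256 is not published on that page either, move `# Locally computed` above the `enlightenment-0.25.4.tar.xz` line and drop the `# From` comment; if it is published there, reword the commit message to say that only the `COPYING` and `LICENSE.txt` hashes are locally computed.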
diff --git a/package/enlightenment/enlightenment.mk b/package/enlightenment/enlightenment.mk
index 95670e800d..836c6e581d 100644
--- a/package/enlightenment/enlightenment.mk
+++ b/package/enlightenment/enlightenment.mk
@@ -4,7 +4,7 @@
#
################################################################################
-ENLIGHTENMENT_VERSION = 0.25.1
+ENLIGHTENMENT_VERSION = 0.25.4
ENLIGHTENMENT_SOURCE = enlightenment-$(ENLIGHTENMENT_VERSION).tar.xz
ENLIGHTENMENT_SITE = https://download.enlightenment.org/rel/apps/enlightenment
ENLIGHTENMENT_LICENSE = BSD-2-Clause, OFL-1.1 (font)
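Review bot: the `ENLIGHTENMENT_VERSION` change goes from 0.25.1 straight to 0.25.4, and the commit message only references the 0.25.4 news entry. A sentence in the commit message confirming that no release between 0.25.1 and 0.25.4 changes dependencies or build options used by this package would make the bump easier to backport to the stable branches.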
--
2.42.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/enlightenment: security bump to version 0.25.4
From: Peter Korsgaard @ 2023-10-01 18:58 UTC
To: Daniel Lang; +Cc: Romain Naour, buildroot
>>>>> "Daniel" == Daniel Lang <dalang@gmx.at> writes:
> This is a bugfix release which fixes a CVE.
> See:
> https://www.enlightenment.org/news/2022-09-15-enlightenment-0.25.4
> CVE-2022-37706 "enlightenment_sys in Enlightenment before 0.25.4 allows
> local users to gain privileges because it is setuid root, and the system
> library function mishandles pathnames that begin with a /dev/..
> substring."
> Hashes were never part of the online news page, therefore mark them as
> locally computed.
> Signed-off-by: Daniel Lang <dalang@gmx.at>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/enlightenment: security bump to version 0.25.4
From: Peter Korsgaard @ 2023-10-13 15:00 UTC
To: Daniel Lang; +Cc: Romain Naour, buildroot
>>>>> "Daniel" == Daniel Lang <dalang@gmx.at> writes:
> This is a bugfix release which fixes a CVE.
> See:
> https://www.enlightenment.org/news/2022-09-15-enlightenment-0.25.4
> CVE-2022-37706 "enlightenment_sys in Enlightenment before 0.25.4 allows
> local users to gain privileges because it is setuid root, and the system
> library function mishandles pathnames that begin with a /dev/..
> substring."
> Hashes were never part of the online news page, therefore mark them as
> locally computed.
> Signed-off-by: Daniel Lang <dalang@gmx.at>
Committed to 2023.02.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard