* [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806
@ 2024-01-31 8:12 Peter Korsgaard
2024-01-31 8:12 ` [Buildroot] [PATCH 2/2] package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0 Peter Korsgaard
2024-02-01 11:02 ` [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806 Peter Korsgaard
0 siblings, 2 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-01-31 8:12 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour
Commit 8519de517e22 (package/{glibc, localedef}: security bump to version
glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701) correctly mentioned
CVE-2023-4806 in the commit message, but forgot to add an ignore for it.
Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/glibc/glibc.mk | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 596697bb8f..d49da6457c 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -28,6 +28,10 @@ GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
# 2.38 and the version we're really using
GLIBC_IGNORE_CVES += CVE-2023-4527
+# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
+# 2.38 and the version we're really using
+GLIBC_IGNORE_CVES += CVE-2023-4806
+
# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
# 2.38 and the version we're really using.
GLIBC_IGNORE_CVES += CVE-2023-4911
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/2] package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0
2024-01-31 8:12 [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806 Peter Korsgaard
@ 2024-01-31 8:12 ` Peter Korsgaard
2024-02-01 11:02 ` Peter Korsgaard
2024-02-01 11:02 ` [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806 Peter Korsgaard
1 sibling, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2024-01-31 8:12 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour, Thomas Petazzoni
Fixed the following security issues:
CVE-2023-6246: syslog: Fix heap buffer overflow in __vsyslog_internal
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0001;hb=HEAD
CVE-2023-6779: syslog: Heap buffer overflow in __vsyslog_internal
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0002;hb=HEAD
CVE-2023-6780: syslog: Integer overflow in __vsyslog_internal
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0003;hb=HEAD
For details, see the Qualys advisory:
https://www.openwall.com/lists/oss-security/2024/01/30/6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/glibc/glibc.hash | 2 +-
package/glibc/glibc.mk | 14 +++++++++++++-
package/localedef/localedef.mk | 2 +-
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index 00d9f1c985..15ae55b9e6 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
# Locally calculated (fetched from Github)
-sha256 fd991e43997ff6e4994264c3cbc23fa87fa28b1b3c446eda8fc2d1d3834a2cfb glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701.tar.gz
+sha256 e38f4284d6909c6b5db7d79c6e450daeaf136a67e547290eec0b063a55eaaa42 glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0.tar.gz
# Hashes for license files
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index d49da6457c..d198d6f04c 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
# Generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
# When updating the version, please also update localedef
-GLIBC_VERSION = 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
+GLIBC_VERSION = 2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0
# Upstream doesn't officially provide an https download link.
# There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
# sometimes the connection times out. So use an unofficial github mirror.
@@ -40,6 +40,18 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
# 2.38 and the version we're really using.
GLIBC_IGNORE_CVES += CVE-2023-5156
+# Fixed by 23514c72b780f3da097ecf33a793b7ba9c2070d2, which is between
+# 2.38 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-6246
+
+# Fixed by d0338312aace5bbfef85e03055e1212dd0e49578, which is between
+# 2.38 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-6779
+
+# Fixed by d37c2b20a4787463d192b32041c3406c2bd91de0, which is between
+# 2.38 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-6780
+
# All these CVEs are considered as not being security issues by
# upstream glibc:
# https://security-tracker.debian.org/tracker/CVE-2010-4756
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index ed6d4b4968..c017c0e00e 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
# Use the same VERSION and SITE as target glibc
# As in glibc.mk, generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
+LOCALEDEF_VERSION = 2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0
LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
HOST_LOCALEDEF_DL_SUBDIR = glibc
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806
2024-01-31 8:12 [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806 Peter Korsgaard
2024-01-31 8:12 ` [Buildroot] [PATCH 2/2] package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0 Peter Korsgaard
@ 2024-02-01 11:02 ` Peter Korsgaard
2024-02-28 21:02 ` Peter Korsgaard
1 sibling, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2024-02-01 11:02 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour
On 31/01/2024 09.12, Peter Korsgaard wrote:
> Commit 8519de517e22 (package/{glibc, localedef}: security bump to version
> glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701) correctly mentioned
> CVE-2023-4806 in the commit message, but forgot to add an ignore for it.
>
> Fix that.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0
2024-01-31 8:12 ` [Buildroot] [PATCH 2/2] package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0 Peter Korsgaard
@ 2024-02-01 11:02 ` Peter Korsgaard
2024-02-28 21:05 ` Peter Korsgaard
0 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2024-02-01 11:02 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour, Thomas Petazzoni
On 31/01/2024 09.12, Peter Korsgaard wrote:
> Fixed the following security issues:
>
> CVE-2023-6246: syslog: Fix heap buffer overflow in __vsyslog_internal
> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0001;hb=HEAD
>
> CVE-2023-6779: syslog: Heap buffer overflow in __vsyslog_internal
> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0002;hb=HEAD
>
> CVE-2023-6780: syslog: Integer overflow in __vsyslog_internal
> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0003;hb=HEAD
>
> For details, see the Qualys advisory:
> https://www.openwall.com/lists/oss-security/2024/01/30/6
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806
2024-02-01 11:02 ` [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806 Peter Korsgaard
@ 2024-02-28 21:02 ` Peter Korsgaard
0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-02-28 21:02 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> On 31/01/2024 09.12, Peter Korsgaard wrote:
>> Commit 8519de517e22 (package/{glibc, localedef}: security bump to version
>> glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701) correctly mentioned
>> CVE-2023-4806 in the commit message, but forgot to add an ignore for it.
>> Fix that.
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> Committed, thanks.
Committed to 2023.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0
2024-02-01 11:02 ` Peter Korsgaard
@ 2024-02-28 21:05 ` Peter Korsgaard
0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-02-28 21:05 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour, Thomas Petazzoni
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> On 31/01/2024 09.12, Peter Korsgaard wrote:
>> Fixed the following security issues:
>> CVE-2023-6246: syslog: Fix heap buffer overflow in
>> __vsyslog_internal
>> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0001;hb=HEAD
>> CVE-2023-6779: syslog: Heap buffer overflow in __vsyslog_internal
>> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0002;hb=HEAD
>> CVE-2023-6780: syslog: Integer overflow in __vsyslog_internal
>> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0003;hb=HEAD
>> For details, see the Qualys advisory:
>> https://www.openwall.com/lists/oss-security/2024/01/30/6
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> Committed, thanks.
Committed to 2023.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-02-28 21:05 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-31 8:12 [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806 Peter Korsgaard
2024-01-31 8:12 ` [Buildroot] [PATCH 2/2] package/{glibc, localedef}: security bump to version glibc-2.38-44-gd37c2b20a4787463d192b32041c3406c2bd91de0 Peter Korsgaard
2024-02-01 11:02 ` Peter Korsgaard
2024-02-28 21:05 ` Peter Korsgaard
2024-02-01 11:02 ` [Buildroot] [PATCH 1/2] package/glibc: add CVE ignore for CVE-2023-4806 Peter Korsgaard
2024-02-28 21:02 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox