Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH-2023.02.x] package/{glibc, localedef}: security bump to 2.36-117
@ 2023-09-29 22:27 Peter Korsgaard
  2023-09-30 13:53 ` Romain Naour
  2023-09-30 14:20 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-09-29 22:27 UTC (permalink / raw)
  To: buildroot; +Cc: Romain Naour, Thomas Petazzoni

Fixes the following security issues:

CVE-2023-4527: If the system is configured in no-aaaa mode via
/etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
family, and a DNS response is received over TCP that is larger than
2048 bytes, getaddrinfo may potentially disclose stack contents via
the returned address data, or crash.

CVE-2023-4806: When an NSS plugin only implements the
_gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
memory that was freed during buffer resizing, potentially causing a
crash or read or write to arbitrary memory.

CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
AI_ALL and AI_V4MAPPED flags set.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/glibc/glibc.hash       | 2 +-
 package/glibc/glibc.mk         | 2 +-
 package/localedef/localedef.mk | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index 4ce4c6f6d1..1a66b66984 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  666482e657c319f7e139121121a0d97d303c65207b9f9730f42a3ee83c79f686  glibc-2.36-81-g4f4d7a13edfd2fdc57c9d76e1fd6d017fb47550c.tar.gz
+sha256  a4351e60a33e84236c1866c39eeab321f419dfdc274411b7d2615c9382ace351  glibc-2.36-117-g32957eb6a86acdbeec9f38a60a7d5a0ff32db03d.tar.gz
 
 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 354f035d33..42de53ffc5 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.36-81-g4f4d7a13edfd2fdc57c9d76e1fd6d017fb47550c
+GLIBC_VERSION = 2.36-117-g32957eb6a86acdbeec9f38a60a7d5a0ff32db03d
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
 # sometimes the connection times out. So use an unofficial github mirror.
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index 6699840854..e71424490b 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
 # Use the same VERSION and SITE as target glibc
 # As in glibc.mk, generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.36-81-g4f4d7a13edfd2fdc57c9d76e1fd6d017fb47550c
+LOCALEDEF_VERSION = 2.36-117-g32957eb6a86acdbeec9f38a60a7d5a0ff32db03d
 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
 LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
 HOST_LOCALEDEF_DL_SUBDIR = glibc
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH-2023.02.x] package/{glibc, localedef}: security bump to 2.36-117
  2023-09-29 22:27 [Buildroot] [PATCH-2023.02.x] package/{glibc, localedef}: security bump to 2.36-117 Peter Korsgaard
@ 2023-09-30 13:53 ` Romain Naour
  2023-09-30 14:20 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Romain Naour @ 2023-09-30 13:53 UTC (permalink / raw)
  To: Peter Korsgaard, buildroot; +Cc: Romain Naour, Thomas Petazzoni

Le 30/09/2023 à 00:27, Peter Korsgaard a écrit :
> Fixes the following security issues:
> 
> CVE-2023-4527: If the system is configured in no-aaaa mode via
> /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
> family, and a DNS response is received over TCP that is larger than
> 2048 bytes, getaddrinfo may potentially disclose stack contents via
> the returned address data, or crash.
> 
> CVE-2023-4806: When an NSS plugin only implements the
> _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
> memory that was freed during buffer resizing, potentially causing a
> crash or read or write to arbitrary memory.
> 
> CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
> an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
> AI_ALL and AI_V4MAPPED flags set.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Reviewed-by: Romain Naour <romain.naour@smile.fr>

Best regards,
Romain


> ---
>  package/glibc/glibc.hash       | 2 +-
>  package/glibc/glibc.mk         | 2 +-
>  package/localedef/localedef.mk | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
> index 4ce4c6f6d1..1a66b66984 100644
> --- a/package/glibc/glibc.hash
> +++ b/package/glibc/glibc.hash
> @@ -1,5 +1,5 @@
>  # Locally calculated (fetched from Github)
> -sha256  666482e657c319f7e139121121a0d97d303c65207b9f9730f42a3ee83c79f686  glibc-2.36-81-g4f4d7a13edfd2fdc57c9d76e1fd6d017fb47550c.tar.gz
> +sha256  a4351e60a33e84236c1866c39eeab321f419dfdc274411b7d2615c9382ace351  glibc-2.36-117-g32957eb6a86acdbeec9f38a60a7d5a0ff32db03d.tar.gz
>  
>  # Hashes for license files
>  sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 354f035d33..42de53ffc5 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -7,7 +7,7 @@
>  # Generate version string using:
>  #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
>  # When updating the version, please also update localedef
> -GLIBC_VERSION = 2.36-81-g4f4d7a13edfd2fdc57c9d76e1fd6d017fb47550c
> +GLIBC_VERSION = 2.36-117-g32957eb6a86acdbeec9f38a60a7d5a0ff32db03d
>  # Upstream doesn't officially provide an https download link.
>  # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
>  # sometimes the connection times out. So use an unofficial github mirror.
> diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
> index 6699840854..e71424490b 100644
> --- a/package/localedef/localedef.mk
> +++ b/package/localedef/localedef.mk
> @@ -7,7 +7,7 @@
>  # Use the same VERSION and SITE as target glibc
>  # As in glibc.mk, generate version string using:
>  #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
> -LOCALEDEF_VERSION = 2.36-81-g4f4d7a13edfd2fdc57c9d76e1fd6d017fb47550c
> +LOCALEDEF_VERSION = 2.36-117-g32957eb6a86acdbeec9f38a60a7d5a0ff32db03d
>  LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
>  LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
>  HOST_LOCALEDEF_DL_SUBDIR = glibc

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH-2023.02.x] package/{glibc, localedef}: security bump to 2.36-117
  2023-09-29 22:27 [Buildroot] [PATCH-2023.02.x] package/{glibc, localedef}: security bump to 2.36-117 Peter Korsgaard
  2023-09-30 13:53 ` Romain Naour
@ 2023-09-30 14:20 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-09-30 14:20 UTC (permalink / raw)
  To: buildroot; +Cc: Romain Naour, Thomas Petazzoni

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > CVE-2023-4527: If the system is configured in no-aaaa mode via
 > /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
 > family, and a DNS response is received over TCP that is larger than
 > 2048 bytes, getaddrinfo may potentially disclose stack contents via
 > the returned address data, or crash.

 > CVE-2023-4806: When an NSS plugin only implements the
 > _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
 > memory that was freed during buffer resizing, potentially causing a
 > crash or read or write to arbitrary memory.

 > CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
 > an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
 > AI_ALL and AI_V4MAPPED flags set.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2023.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-09-30 14:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-29 22:27 [Buildroot] [PATCH-2023.02.x] package/{glibc, localedef}: security bump to 2.36-117 Peter Korsgaard
2023-09-30 13:53 ` Romain Naour
2023-09-30 14:20 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox