* [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1
@ 2022-07-19 22:21 Fabrice Fontaine
2022-07-23 15:03 ` Arnout Vandecappelle
2022-08-14 18:59 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-07-19 22:21 UTC (permalink / raw)
To: buildroot; +Cc: Matt Weber, Fabrice Fontaine
- Fix CVE-2022-33070: Protobuf-c v1.4.0 was discovered to contain an
invalid arithmetic shift via the function parse_tag_and_wiretype in
protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause
a Denial of Service (DoS) via unspecified vectors.
- Use official tarball (and so drop autoreconf)
- Update hash of COPYING (year updated with
https://github.com/protobuf-c/protobuf-c/commit/471aaa5f6d54406c6c17bf3179d5aea18f15073b)
https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/protobuf-c/protobuf-c.hash | 4 ++--
package/protobuf-c/protobuf-c.mk | 6 ++----
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/package/protobuf-c/protobuf-c.hash b/package/protobuf-c/protobuf-c.hash
index 13e1b474bc..ec00442277 100644
--- a/package/protobuf-c/protobuf-c.hash
+++ b/package/protobuf-c/protobuf-c.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 1068bca1e9870e9492096f97c409cd15f10c5019c183e52ec6d53e8d18630cbf protobuf-c-1.4.0.tar.gz
-sha256 20e800cad4550f4b19bb37fc9577dac21de13333ae66497c4c45ae489c35c34a LICENSE
+sha256 4cc4facd508172f3e0a4d3a8736225d472418aee35b4ad053384b137b220339f protobuf-c-1.4.1.tar.gz
+sha256 b8999cb392cc5bbe8cd679de59584ad8d2f26033123e76f1d662fa14b9d4f287 LICENSE
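Review bot: The LICENSE line that closes this hunk contradicts the commit message, which says the hash of COPYING was updated; the file being re-hashed here, and the one named in PROTOBUF_C_LICENSE_FILES, is LICENSE, so the commit message should say LICENSE (the linked upstream commit only touched the copyright year, so the new hash is expected). The `# Locally calculated` comment is kept for the tarball line even though the download source changes from a GitHub-generated snapshot to a maintainer-uploaded release asset; that is fine as long as upstream publishes no checksum for v1.4.1, but if the release page does publish one, cite it as the source of the hash instead of a local calculation.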
diff --git a/package/protobuf-c/protobuf-c.mk b/package/protobuf-c/protobuf-c.mk
index 7dd3b09a6c..0742a33db2 100644
--- a/package/protobuf-c/protobuf-c.mk
+++ b/package/protobuf-c/protobuf-c.mk
@@ -4,8 +4,8 @@
#
################################################################################
-PROTOBUF_C_VERSION = 1.4.0
-PROTOBUF_C_SITE = $(call github,protobuf-c,protobuf-c,v$(PROTOBUF_C_VERSION))
+PROTOBUF_C_VERSION = 1.4.1
+PROTOBUF_C_SITE = https://github.com/protobuf-c/protobuf-c/releases/download/v$(PROTOBUF_C_VERSION)
PROTOBUF_C_DEPENDENCIES = host-protobuf-c
HOST_PROTOBUF_C_DEPENDENCIES = host-protobuf host-pkgconf
PROTOBUF_C_MAKE = $(MAKE1)
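Review bot: Changing PROTOBUF_C_SITE to releases/download/v$(PROTOBUF_C_VERSION) without setting PROTOBUF_C_SOURCE relies on Buildroot's default source name, protobuf-c-$(PROTOBUF_C_VERSION).tar.gz, matching the uploaded asset exactly; the hash file's protobuf-c-1.4.1.tar.gz entry shows that it does, so no PROTOBUF_C_SOURCE line is needed. Note that this also changes what is being trusted: a github-helper archive is derived from the v1.4.1 tag, while a release asset is whatever the maintainer uploaded, so the sha256 in the hash file is now the only thing tying the download to that tag. The dependency lines kept as context (PROTOBUF_C_DEPENDENCIES = host-protobuf-c, HOST_PROTOBUF_C_DEPENDENCIES = host-protobuf host-pkgconf) are unaffected.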
@@ -14,8 +14,6 @@ PROTOBUF_C_INSTALL_STAGING = YES
PROTOBUF_C_LICENSE = BSD-2-Clause
PROTOBUF_C_LICENSE_FILES = LICENSE
PROTOBUF_C_CPE_ID_VENDOR = protobuf-c_project
-PROTOBUF_C_AUTORECONF = YES
-HOST_PROTOBUF_C_AUTORECONF = YES
# host-protobuf needs c++11 (since 3.6.0)
HOST_PROTOBUF_C_CONF_ENV += CXXFLAGS="$(HOST_CXXFLAGS) -std=c++11"
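Review bot: Dropping both PROTOBUF_C_AUTORECONF = YES and HOST_PROTOBUF_C_AUTORECONF = YES is only correct because the release asset ships a pre-generated configure script, which is what the commit message's "Use official tarball" implies; if PROTOBUF_C_SITE were ever switched back to the github helper, the build would fail at configure time, so the two hunks have to stay in one commit. A short comment next to PROTOBUF_C_SITE (for example "# release tarball ships configure, no autoreconf needed") would record that coupling for the next bump. The retained HOST_PROTOBUF_C_CONF_ENV line below still applies because the shipped configure is what consumes CXXFLAGS.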
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
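The CVE text above names only the symptom, an invalid arithmetic shift while parsing a tag and wire type, and gives no vector. The following is an added example, not protobuf-c's code and not a reproduction of the upstream fix: it shows the generic shape of that bug class in a protobuf wire-format tag decoder (a base-128 varint whose low three bits are the wire type and whose remaining bits are the field number) and a bounded decoder beside it. Function names, the MAX_TAG_VARINT_BYTES limit and all sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A 32-bit tag needs at most 5 varint bytes: 4 * 7 bits + 4 bits = 32. */
#define MAX_TAG_VARINT_BYTES 5

struct parsed_tag {
    uint32_t field_number;  /* tag >> 3 */
    unsigned wire_type;     /* tag & 7 */
};

/*
 * The pattern to avoid (illustrative, not protobuf-c's code): the shift
 * amount grows by 7 per byte with no upper bound. After five continuation
 * bytes it reaches 35, and shifting a 32-bit operand by 32 or more is
 * undefined behaviour. Never call this on untrusted input; the checks in
 * this example deliberately do not.
 */
size_t parse_tag_unbounded(const uint8_t *buf, size_t len, struct parsed_tag *out)
{
    uint32_t value = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; i++) {
        value |= (uint32_t)(buf[i] & 0x7f) << shift;  /* UB once shift >= 32 */
        shift += 7;
        if ((buf[i] & 0x80) == 0) {
            out->field_number = value >> 3;
            out->wire_type = value & 0x7;
            return i + 1;
        }
    }
    return 0;
}

/*
 * Bounded decoder. Returns bytes consumed, or 0 if the input is truncated,
 * longer than 5 bytes, sets bits above bit 31, or encodes an invalid tag.
 * The loop bound keeps the shift in {0, 7, 14, 21, 28}, so it never reaches
 * the operand width.
 */
size_t parse_tag_safe(const uint8_t *buf, size_t len, struct parsed_tag *out)
{
    uint32_t value = 0;
    for (size_t i = 0; i < len && i < MAX_TAG_VARINT_BYTES; i++) {
        uint32_t chunk = buf[i] & 0x7f;
        unsigned shift = 7u * (unsigned)i;

        /* The fifth byte may only carry the 4 bits left in a 32-bit tag. */
        if (i == MAX_TAG_VARINT_BYTES - 1 && (chunk >> 4) != 0)
            return 0;
        value |= chunk << shift;

        if ((buf[i] & 0x80) == 0) {  /* final byte of the varint */
            uint32_t field = value >> 3;
            unsigned wt = value & 0x7;
            /* Field number 0 and wire types 6 and 7 do not exist in the format. */
            if (field == 0 || wt > 5)
                return 0;
            out->field_number = field;
            out->wire_type = wt;
            return i + 1;
        }
    }
    return 0;  /* ran out of input, or continuation bit still set after 5 bytes */
}

/* Wrappers returning plain values so results can be checked directly. */
long field_number_or_neg(const uint8_t *buf, size_t len)
{
    struct parsed_tag t;
    return parse_tag_safe(buf, len, &t) ? (long)t.field_number : -1;
}

int wire_type_or_neg(const uint8_t *buf, size_t len)
{
    struct parsed_tag t;
    return parse_tag_safe(buf, len, &t) ? (int)t.wire_type : -1;
}

size_t tag_len(const uint8_t *buf, size_t len)
{
    struct parsed_tag t;
    return parse_tag_safe(buf, len, &t);
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t TAG_FIELD1_VARINT[]  = { 0x08 };                          /* field 1, wire type 0 */
static const uint8_t TAG_FIELD2_LEN[]     = { 0x12 };                          /* field 2, wire type 2 */
static const uint8_t TAG_MAX_FIELD[]      = { 0xf8, 0xff, 0xff, 0xff, 0x0f };  /* field 2^29-1, wire type 0 */
static const uint8_t TAG_OVERLONG[]       = { 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x01 }; /* shift would hit 35 */
static const uint8_t TAG_OVERFLOW_BYTE5[] = { 0x80, 0x80, 0x80, 0x80, 0x10 };  /* bit 32 set */
static const uint8_t TAG_TRUNCATED[]      = { 0x80 };                          /* continuation, no next byte */
static const uint8_t TAG_FIELD_ZERO[]     = { 0x00 };                          /* field number 0 */

int main(void)
{
    printf("field1   -> field %ld wt %d\n", field_number_or_neg(TAG_FIELD1_VARINT, 1), wire_type_or_neg(TAG_FIELD1_VARINT, 1));
    printf("maxfield -> field %ld consumed %zu\n", field_number_or_neg(TAG_MAX_FIELD, 5), tag_len(TAG_MAX_FIELD, 5));
    printf("overlong -> consumed %zu (0 = rejected)\n", tag_len(TAG_OVERLONG, 7));
    printf("bit32    -> consumed %zu (0 = rejected)\n", tag_len(TAG_OVERFLOW_BYTE5, 5));
    return 0;
}
```

The bounded version rejects the over-long input before any shift of 32 or more is evaluated; on a 64-bit accumulator the same discipline applies with a 10-byte limit. Compiling the unbounded variant with `-fsanitize=undefined` and feeding it TAG_OVERLONG is the quickest way to see the class of report the CVE description refers to.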
* Re: [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1
2022-07-19 22:21 [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1 Fabrice Fontaine
@ 2022-07-23 15:03 ` Arnout Vandecappelle
2022-08-14 18:59 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Arnout Vandecappelle @ 2022-07-23 15:03 UTC (permalink / raw)
To: Fabrice Fontaine, buildroot; +Cc: Matt Weber
On 20/07/2022 00:21, Fabrice Fontaine wrote:
> - Fix CVE-2022-33070: Protobuf-c v1.4.0 was discovered to contain an
> invalid arithmetic shift via the function parse_tag_and_wiretype in
> protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause
> a Denial of Service (DoS) via unspecified vectors.
> - Use official tarball (and so drop autoreconf)
> - Update hash of COPYING (year updated with
> https://github.com/protobuf-c/protobuf-c/commit/471aaa5f6d54406c6c17bf3179d5aea18f15073b)
>
> https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> package/protobuf-c/protobuf-c.hash | 4 ++--
> package/protobuf-c/protobuf-c.mk | 6 ++----
> 2 files changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/package/protobuf-c/protobuf-c.hash b/package/protobuf-c/protobuf-c.hash
> index 13e1b474bc..ec00442277 100644
> --- a/package/protobuf-c/protobuf-c.hash
> +++ b/package/protobuf-c/protobuf-c.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256 1068bca1e9870e9492096f97c409cd15f10c5019c183e52ec6d53e8d18630cbf protobuf-c-1.4.0.tar.gz
> -sha256 20e800cad4550f4b19bb37fc9577dac21de13333ae66497c4c45ae489c35c34a LICENSE
> +sha256 4cc4facd508172f3e0a4d3a8736225d472418aee35b4ad053384b137b220339f protobuf-c-1.4.1.tar.gz
> +sha256 b8999cb392cc5bbe8cd679de59584ad8d2f26033123e76f1d662fa14b9d4f287 LICENSE
> diff --git a/package/protobuf-c/protobuf-c.mk b/package/protobuf-c/protobuf-c.mk
> index 7dd3b09a6c..0742a33db2 100644
> --- a/package/protobuf-c/protobuf-c.mk
> +++ b/package/protobuf-c/protobuf-c.mk
> @@ -4,8 +4,8 @@
> #
> ################################################################################
>
> -PROTOBUF_C_VERSION = 1.4.0
> -PROTOBUF_C_SITE = $(call github,protobuf-c,protobuf-c,v$(PROTOBUF_C_VERSION))
> +PROTOBUF_C_VERSION = 1.4.1
> +PROTOBUF_C_SITE = https://github.com/protobuf-c/protobuf-c/releases/download/v$(PROTOBUF_C_VERSION)
> PROTOBUF_C_DEPENDENCIES = host-protobuf-c
> HOST_PROTOBUF_C_DEPENDENCIES = host-protobuf host-pkgconf
> PROTOBUF_C_MAKE = $(MAKE1)
> @@ -14,8 +14,6 @@ PROTOBUF_C_INSTALL_STAGING = YES
> PROTOBUF_C_LICENSE = BSD-2-Clause
> PROTOBUF_C_LICENSE_FILES = LICENSE
> PROTOBUF_C_CPE_ID_VENDOR = protobuf-c_project
> -PROTOBUF_C_AUTORECONF = YES
> -HOST_PROTOBUF_C_AUTORECONF = YES
>
> # host-protobuf needs c++11 (since 3.6.0)
> HOST_PROTOBUF_C_CONF_ENV += CXXFLAGS="$(HOST_CXXFLAGS) -std=c++11"
* Re: [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1
2022-07-19 22:21 [Buildroot] [PATCH 1/1] package/protobuf-c: security bump to version 1.4.1 Fabrice Fontaine
2022-07-23 15:03 ` Arnout Vandecappelle
@ 2022-08-14 18:59 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-08-14 18:59 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Matt Weber, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2022-33070: Protobuf-c v1.4.0 was discovered to contain an
> invalid arithmetic shift via the function parse_tag_and_wiretype in
> protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause
> a Denial of Service (DoS) via unspecified vectors.
> - Use official tarball (and so drop autoreconf)
> - Update hash of COPYING (year updated with
> https://github.com/protobuf-c/protobuf-c/commit/471aaa5f6d54406c6c17bf3179d5aea18f15073b)
> https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2022.05.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard