From: Peter Korsgaard <peter@korsgaard.com>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Chris Packham <judge.packham@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/micropython: security bump to version 1.22.0
Date: Sat, 13 Jan 2024 14:33:00 +0100
Message-ID: <87ttnhtl2r.fsf@48ers.dk>
In-Reply-To: <20240108220026.435160-1-fontaine.fabrice@gmail.com> (Fabrice Fontaine's message of "Mon, 8 Jan 2024 23:00:26 +0100")
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Use official tarball
> - Update hash of license file (some packages have been added or removed
> but the list of licenses is the same)
> - Fix CVE-2023-7158: A vulnerability was found in MicroPython up to
> 1.21.0. It has been classified as critical. Affected is the function
> slice_indices of the file objslice.c. The manipulation leads to
> heap-based buffer overflow. It is possible to launch the attack
> remotely. The exploit has been disclosed to the public and may be
> used. Upgrading to version 1.22.0 is able to address this issue. It is
> recommended to upgrade the affected component. The identifier of this
> vulnerability is VDB-249180.
Committed to 2023.02.x and 2023.11.x, thanks.
What about micropython-lib? Do we need to update that one as well to
match the version of micropython?
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/micropython/micropython.hash | 4 ++--
> package/micropython/micropython.mk | 5 +++--
> 2 files changed, 5 insertions(+), 4 deletions(-)
> diff --git a/package/micropython/micropython.hash b/package/micropython/micropython.hash
> index 7bff7de4e2..43551866b9 100644
> --- a/package/micropython/micropython.hash
> +++ b/package/micropython/micropython.hash
> @@ -1,3 +1,3 @@
> #locally computed
> -sha256 c980ad7e742491df0dc10db2958137dbbf9aa7a8009e102fc75f4c0cac2d6b5e micropython-1.19.1.tar.gz
> -sha256 0f678c2abd7fe2cfca36693630506bbcbdfc219bd04bf4a02fe3b094ae4c666f LICENSE
> +sha256 a042764f0b6f6d92b267454c5bd5afcb83fc3900119f2583672aac571e661924 micropython-1.22.0.tar.xz
> +sha256 d9e0e0395867c899090e150213bc2b417e970c17355a8d48300089875b3c8037 LICENSE
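Review bot: the unchanged "#locally computed" comment at the top of this hunk says too little now that the archive entry is micropython-1.22.0.tar.xz from a new download location rather than the micropython-1.19.1.tar.gz fetched through the github helper. This hash is what the download gets verified against, so suggest noting in the comment which URL the tarball was fetched from when the hash was computed, or pointing at an upstream-published checksum if one is available. The LICENSE hash change is accounted for in the commit message, so no concern there.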
> diff --git a/package/micropython/micropython.mk b/package/micropython/micropython.mk
> index d73cdb28db..7dbca0f1c2 100644
> --- a/package/micropython/micropython.mk
> +++ b/package/micropython/micropython.mk
> @@ -4,8 +4,9 @@
> #
> ################################################################################
> -MICROPYTHON_VERSION = 1.19.1
> -MICROPYTHON_SITE = $(call github,micropython,micropython,v$(MICROPYTHON_VERSION))
> +MICROPYTHON_VERSION = 1.22.0
> +MICROPYTHON_SITE = https://micropython.org/resources/source
> +MICROPYTHON_SOURCE = micropython-$(MICROPYTHON_VERSION).tar.xz
> # Micropython has a lot of code copied from other projects, and also a number
> # of submodules for various libs. However, we don't even clone the submodules,
> # and most of the copied code is not used in the unix build.
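Review bot: the context comment kept at the end of this hunk ("we don't even clone the submodules") was written for the archive selected by the removed $(call github,...) line and may not hold for the tarball now taken from https://micropython.org/resources/source. Please confirm whether micropython-$(MICROPYTHON_VERSION).tar.xz ships the submodule sources and, if it does, update the comment and re-check the license information against what the tarball actually contains. As a smaller point, the jump from 1.19.1 to 1.22.0 skips intermediate releases, so micropython-lib (raised in the reply) should be checked for a matching bump.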
> --
> 2.43.0
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
Bye, Peter Korsgaard