From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 2D1B9C4706C for ; Sat, 13 Jan 2024 13:33:10 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id D34A840960; Sat, 13 Jan 2024 13:33:09 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org D34A840960 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jyezIIYS8Jpm; Sat, 13 Jan 2024 13:33:09 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp4.osuosl.org (Postfix) with ESMTP id 0F36640951; Sat, 13 Jan 2024 13:33:08 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 0F36640951 Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by ash.osuosl.org (Postfix) with ESMTP id 7C5BF1BF325 for ; Sat, 13 Jan 2024 13:33:06 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 5583340950 for ; Sat, 13 Jan 2024 13:33:06 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 5583340950 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zhcCTgXTeXKz for ; Sat, 13 Jan 2024 13:33:05 +0000 (UTC) Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [IPv6:2001:4b98:dc4:8::224]) by smtp4.osuosl.org (Postfix) with ESMTPS id 0880240951 for ; Sat, 13 Jan 2024 13:33:04 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 0880240951 Received: by mail.gandi.net (Postfix) with ESMTPSA id 9B1DFE0003; Sat, 13 Jan 2024 13:33:01 +0000 (UTC) Received: from peko by dell.be.48ers.dk with local (Exim 4.96) (envelope-from ) id 1rOe8C-00CzG7-36; Sat, 13 Jan 2024 14:33:00 +0100 From: Peter Korsgaard To: Fabrice Fontaine References: <20240108220026.435160-1-fontaine.fabrice@gmail.com> Date: Sat, 13 Jan 2024 14:33:00 +0100 In-Reply-To: <20240108220026.435160-1-fontaine.fabrice@gmail.com> (Fabrice Fontaine's message of "Mon, 8 Jan 2024 23:00:26 +0100") Message-ID: <87ttnhtl2r.fsf@48ers.dk> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 X-GND-Sasl: peter@korsgaard.com Subject: Re: [Buildroot] [PATCH 1/1] package/micropython: security bump to version 1.22.0 X-BeenThere: buildroot@buildroot.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Chris Packham , buildroot@buildroot.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" >>>>> "Fabrice" == Fabrice Fontaine writes: > - Use official tarball > - Update hash of license file (some packages have been added or removed > but the list of licenses is the same) > - Fix CVE-2023-7158: A vulnerability was found in MicroPython up to > 1.21.0. It has been classified as critical. Affected is the function > slice_indices of the file objslice.c. The manipulation leads to > heap-based buffer overflow. It is possible to launch the attack > remotely. The exploit has been disclosed to the public and may be > used. Upgrading to version 1.22.0 is able to address this issue. It is > recommended to upgrade the affected component. The identifier of this > vulnerability is VDB-249180. Committed to 2023.02.x and 2023.11.x, thanks. What about micropython-lib? Do we need to update that one as well to match the version of micropython? > Signed-off-by: Fabrice Fontaine > --- > package/micropython/micropython.hash | 4 ++-- > package/micropython/micropython.mk | 5 +++-- > 2 files changed, 5 insertions(+), 4 deletions(-) > diff --git a/package/micropython/micropython.hash b/package/micropython/micropython.hash > index 7bff7de4e2..43551866b9 100644 > --- a/package/micropython/micropython.hash > +++ b/package/micropython/micropython.hash > @@ -1,3 +1,3 @@ > #locally computed > -sha256 c980ad7e742491df0dc10db2958137dbbf9aa7a8009e102fc75f4c0cac2d6b5e micropython-1.19.1.tar.gz > -sha256 0f678c2abd7fe2cfca36693630506bbcbdfc219bd04bf4a02fe3b094ae4c666f LICENSE > +sha256 a042764f0b6f6d92b267454c5bd5afcb83fc3900119f2583672aac571e661924 micropython-1.22.0.tar.xz > +sha256 d9e0e0395867c899090e150213bc2b417e970c17355a8d48300089875b3c8037 LICENSE > diff --git a/package/micropython/micropython.mk b/package/micropython/micropython.mk > index d73cdb28db..7dbca0f1c2 100644 > --- a/package/micropython/micropython.mk > +++ b/package/micropython/micropython.mk > @@ -4,8 +4,9 @@ > # > ################################################################################ > -MICROPYTHON_VERSION = 1.19.1 > -MICROPYTHON_SITE = $(call github,micropython,micropython,v$(MICROPYTHON_VERSION)) > +MICROPYTHON_VERSION = 1.22.0 > +MICROPYTHON_SITE = https://micropython.org/resources/source > +MICROPYTHON_SOURCE = micropython-$(MICROPYTHON_VERSION).tar.xz > # Micropython has a lot of code copied from other projects, and also a number > # of submodules for various libs. However, we don't even clone the submodules, > # and most of the copied code is not used in the unix build. > -- > 2.43.0 > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot