Buildroot Archive on lore.kernel.org
From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Chris Packham <judge.packham@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/micropython: security bump to version 1.22.0
Date: Mon, 8 Jan 2024 23:20:22 +0100
Message-ID: <ZZx1Jp2GjNB2HiA5@landeda>
In-Reply-To: <20240108220026.435160-1-fontaine.fabrice@gmail.com>

Fabrice, All,

On 2024-01-08 23:00 +0100, Fabrice Fontaine spake thusly:
> - Use official tarball
> - Update hash of license file (some packages have been added or removed
>   but the list of licenses is the same)
> - Fix CVE-2023-7158: A vulnerability was found in MicroPython up to
>   1.21.0. It has been classified as critical. Affected is the function
>   slice_indices of the file objslice.c. The manipulation leads to
>   heap-based buffer overflow. It is possible to launch the attack
>   remotely. The exploit has been disclosed to the public and may be
>   used. Upgrading to version 1.22.0 is able to address this issue. It is
>   recommended to upgrade the affected component. The identifier of this
>   vulnerability is VDB-249180.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/micropython/micropython.hash | 4 ++--
>  package/micropython/micropython.mk   | 5 +++--
>  2 files changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/package/micropython/micropython.hash b/package/micropython/micropython.hash
> index 7bff7de4e2..43551866b9 100644
> --- a/package/micropython/micropython.hash
> +++ b/package/micropython/micropython.hash
> @@ -1,3 +1,3 @@
>  #locally computed
> -sha256  c980ad7e742491df0dc10db2958137dbbf9aa7a8009e102fc75f4c0cac2d6b5e  micropython-1.19.1.tar.gz
> -sha256  0f678c2abd7fe2cfca36693630506bbcbdfc219bd04bf4a02fe3b094ae4c666f  LICENSE
> +sha256  a042764f0b6f6d92b267454c5bd5afcb83fc3900119f2583672aac571e661924  micropython-1.22.0.tar.xz
> +sha256  d9e0e0395867c899090e150213bc2b417e970c17355a8d48300089875b3c8037  LICENSE
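Review bot: the `#locally computed` comment at the top of micropython.hash is kept as-is while the tarball entry changes to micropython-1.22.0.tar.xz, which the same patch fetches from a new download site, so the new sha256 only pins whatever the submitter downloaded. Please state in the commit log what the tarball was checked against, or replace the comment with a reference to an upstream-published checksum or signature if one exists. The LICENSE hash change is already explained in the commit message (packages added or removed, list of licenses unchanged), so that line is fine.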
> diff --git a/package/micropython/micropython.mk b/package/micropython/micropython.mk
> index d73cdb28db..7dbca0f1c2 100644
> --- a/package/micropython/micropython.mk
> +++ b/package/micropython/micropython.mk
> @@ -4,8 +4,9 @@
>  #
>  ################################################################################
>  
> -MICROPYTHON_VERSION = 1.19.1
> -MICROPYTHON_SITE = $(call github,micropython,micropython,v$(MICROPYTHON_VERSION))
> +MICROPYTHON_VERSION = 1.22.0
> +MICROPYTHON_SITE = https://micropython.org/resources/source
> +MICROPYTHON_SOURCE = micropython-$(MICROPYTHON_VERSION).tar.xz
>  # Micropython has a lot of code copied from other projects, and also a number
>  # of submodules for various libs. However, we don't even clone the submodules,
>  # and most of the copied code is not used in the unix build.
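Review bot: the unchanged comment directly below the new MICROPYTHON_SOURCE line still says "we don't even clone the submodules", which described the old `$(call github,...)` download. With the switch to a release tarball from https://micropython.org/resources/source, that statement should be re-checked against what the tarball actually contains, and the comment updated if it no longer holds. The bump also goes from 1.19.1 straight to 1.22.0, so a sentence in the commit log confirming that the package still builds with the existing options would help anyone backporting the CVE-2023-7158 fix.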
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
Thread overview: 3+ messages
2024-01-08 22:00 [Buildroot] [PATCH 1/1] package/micropython: security bump to version 1.22.0 Fabrice Fontaine
2024-01-08 22:20 ` Yann E. MORIN [this message]
2024-01-13 13:33 ` Peter Korsgaard
