[PATCH] expat: security bump to version 2.2.1

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH] expat: security bump to version 2.2.1

Peter Korsgaard-2
Fixes:

- CVE-2017-9233 - External entity infinite loop DoS. See:
  https://libexpat.github.io/doc/cve-2017-9233/

- CVE-2016-9063 -- Detect integer overflow

And further more:

- Fix regression from fix to CVE-2016-0718 cutting off longer tag names.

- Extend fix for CVE-2016-5300 (use getrandom() if available).

- Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
  version of SipHash).

Also add an upstream patch to fix detection of getrandom().

Signed-off-by: Peter Korsgaard <[hidden email]>
---
 ...c-Fix-mis-detection-of-getrandom-on-Debia.patch | 29 ++++++++++++++++++++++
 package/expat/expat.hash                           |  8 +++---
 package/expat/expat.mk                             |  4 ++-
 3 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch

diff --git a/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch b/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
new file mode 100644
index 0000000000..a3025531e5
--- /dev/null
+++ b/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
@@ -0,0 +1,29 @@
+From 602e6c78ca750c082b72f8cdf4a38839b312959f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <[hidden email]>
+Date: Sun, 18 Jun 2017 18:55:10 +0200
+Subject: [PATCH] configure.ac: Fix mis-detection of getrandom on Debian
+ GNU/kFreeBSD (#50)
+
+There is no such thing but we need to link (not just compile) to realize.
+
+Signed-off-by: Peter Korsgaard <[hidden email]>
+---
+ expat/configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/expat/configure.ac b/expat/configure.ac
+index 1357c9a..444c002 100644
+--- a/expat/configure.ac
++++ b/expat/configure.ac
+@@ -130,7 +130,7 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([
+
+
+ AC_MSG_CHECKING([for getrandom (Linux 3.17+, glibc 2.25+)])
+-AC_COMPILE_IFELSE([AC_LANG_SOURCE([
++AC_LINK_IFELSE([AC_LANG_SOURCE([
+   #include <stdlib.h>  /* for NULL */
+   #include <sys/random.h>
+   int main() {
+--
+2.11.0
+
diff --git a/package/expat/expat.hash b/package/expat/expat.hash
index 371abdec91..595597b6fd 100644
--- a/package/expat/expat.hash
+++ b/package/expat/expat.hash
@@ -1,5 +1,5 @@
-# From https://sourceforge.net/projects/expat/files/expat/2.2.0/
-md5 2f47841c829facb346eb6e3fab5212e2 expat-2.2.0.tar.bz2
-sha1 8453bc52324be4c796fd38742ec48470eef358b3 expat-2.2.0.tar.bz2
+# From https://sourceforge.net/projects/expat/files/expat/2.2.1/
+md5 d9c3baeab58774cefc2f04faf29f2cf8 expat-2.2.1.tar.bz2
+sha1 f45eb724f182776a9cacec9ed70d549e87198987 expat-2.2.1.tar.bz2
 # Calculated based on the hashes above
-sha256 d9e50ff2d19b3538bd2127902a89987474e1a4db8e43a66a4d1a712ab9a504ff expat-2.2.0.tar.bz2
+sha256 1868cadae4c82a018e361e2b2091de103cd820aaacb0d6cfa49bd2cd83978885 expat-2.2.1.tar.bz2
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index e7bb74a966..bb6e627e5b 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-EXPAT_VERSION = 2.2.0
+EXPAT_VERSION = 2.2.1
 EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
 EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.bz2
 EXPAT_INSTALL_STAGING = YES
@@ -14,6 +14,8 @@ EXPAT_DEPENDENCIES = host-pkgconf
 HOST_EXPAT_DEPENDENCIES = host-pkgconf
 EXPAT_LICENSE = MIT
 EXPAT_LICENSE_FILES = COPYING
+# for 0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
+EXPAT_AUTORECONF = YES
 
 $(eval $(autotools-package))
 $(eval $(host-autotools-package))
--
2.11.0

_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] expat: security bump to version 2.2.1

Thomas Petazzoni-2
Hello,

On Sun, 18 Jun 2017 23:20:04 +0200, Peter Korsgaard wrote:

> Fixes:
>
> - CVE-2017-9233 - External entity infinite loop DoS. See:
>   https://libexpat.github.io/doc/cve-2017-9233/
>
> - CVE-2016-9063 -- Detect integer overflow
>
> And further more:
>
> - Fix regression from fix to CVE-2016-0718 cutting off longer tag names.
>
> - Extend fix for CVE-2016-5300 (use getrandom() if available).
>
> - Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
>   version of SipHash).
>
> Also add an upstream patch to fix detection of getrandom().
>
> Signed-off-by: Peter Korsgaard <[hidden email]>
> ---
>  ...c-Fix-mis-detection-of-getrandom-on-Debia.patch | 29 ++++++++++++++++++++++
>  package/expat/expat.hash                           |  8 +++---
>  package/expat/expat.mk                             |  4 ++-
>  3 files changed, 36 insertions(+), 5 deletions(-)
>  create mode 100644 package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch

Applied to master, thanks.

Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] expat: security bump to version 2.2.1

xlcwu
Hi Thomas and Peter,

patch failed need a little cosmetic:

a/expat/configure.ac -> a/configure.ac
b/expat/configure.ac -> b/configure.ac

$ git diff package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
diff --git a/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
b/package/expat/000
index a302553..e4fd7e8 100644
--- a/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
+++ b/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
@@ -8,13 +8,13 @@ There is no such thing but we need to link (not just
compile) to realize.

 Signed-off-by: Peter Korsgaard <[hidden email]>
 ---
- expat/configure.ac | 2 +-
+ configure.ac | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

-diff --git a/expat/configure.ac b/expat/configure.ac
+diff --git a/configure.ac b/configure.ac
 index 1357c9a..444c002 100644
---- a/expat/configure.ac
-+++ b/expat/configure.ac
+--- a/configure.ac
++++ b/configure.ac
 @@ -130,7 +130,7 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([


xlcwu


On Tue, Jun 20, 2017 at 4:09 AM, Thomas Petazzoni
<[hidden email]> wrote:

> Hello,
>
> On Sun, 18 Jun 2017 23:20:04 +0200, Peter Korsgaard wrote:
>> Fixes:
>>
>> - CVE-2017-9233 - External entity infinite loop DoS. See:
>>   https://libexpat.github.io/doc/cve-2017-9233/
>>
>> - CVE-2016-9063 -- Detect integer overflow
>>
>> And further more:
>>
>> - Fix regression from fix to CVE-2016-0718 cutting off longer tag names.
>>
>> - Extend fix for CVE-2016-5300 (use getrandom() if available).
>>
>> - Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
>>   version of SipHash).
>>
>> Also add an upstream patch to fix detection of getrandom().
>>
>> Signed-off-by: Peter Korsgaard <[hidden email]>
>> ---
>>  ...c-Fix-mis-detection-of-getrandom-on-Debia.patch | 29 ++++++++++++++++++++++
>>  package/expat/expat.hash                           |  8 +++---
>>  package/expat/expat.mk                             |  4 ++-
>>  3 files changed, 36 insertions(+), 5 deletions(-)
>>  create mode 100644 package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
>
> Applied to master, thanks.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux, Kernel and Android engineering
> http://free-electrons.com
> _______________________________________________
> buildroot mailing list
> [hidden email]
> http://lists.busybox.net/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] expat: security bump to version 2.2.1

Thomas Petazzoni-2
Hello,

On Tue, 20 Jun 2017 13:12:23 +0800, xlcwu wrote:

> patch failed need a little cosmetic:
>
> a/expat/configure.ac -> a/configure.ac
> b/expat/configure.ac -> b/configure.ac

Thanks, I've fixed that:

  https://git.buildroot.org/buildroot/commit/?id=1940a66114bb6962dfdcee928e5c5fa5f29c0be7

Best regards,

Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] expat: security bump to version 2.2.1

Peter Korsgaard-2
>>>>> "Thomas" == Thomas Petazzoni <[hidden email]> writes:

 > Hello,
 > On Tue, 20 Jun 2017 13:12:23 +0800, xlcwu wrote:

 >> patch failed need a little cosmetic:
 >>
 >> a/expat/configure.ac -> a/configure.ac
 >> b/expat/configure.ac -> b/configure.ac

 > Thanks, I've fixed that:

 >   https://git.buildroot.org/buildroot/commit/?id=1940a66114bb6962dfdcee928e5c5fa5f29c0be7

 > Best regards,

Sorry about that, it seems like I made a mistake when I moved from a
custom patch to picking the upstream one.

--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] expat: security bump to version 2.2.1

Peter Korsgaard-2
In reply to this post by Peter Korsgaard-2
>>>>> "Peter" == Peter Korsgaard <[hidden email]> writes:

 > Fixes:
 > - CVE-2017-9233 - External entity infinite loop DoS. See:
 >   https://libexpat.github.io/doc/cve-2017-9233/

 > - CVE-2016-9063 -- Detect integer overflow

 > And further more:

 > - Fix regression from fix to CVE-2016-0718 cutting off longer tag names.

 > - Extend fix for CVE-2016-5300 (use getrandom() if available).

 > - Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
 >   version of SipHash).

 > Also add an upstream patch to fix detection of getrandom().

 > Signed-off-by: Peter Korsgaard <[hidden email]>

Committed this + fixup patch to 2017.02.x and 2017.05.x, thanks.

--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
[hidden email]
http://lists.busybox.net/mailman/listinfo/buildroot