* [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2
@ 2018-06-07 18:07 Fabrice Fontaine
2018-06-08 14:29 ` Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Fabrice Fontaine @ 2018-06-07 18:07 UTC (permalink / raw)
To: buildroot
- Fix CVE-2017-5029
- Remove first patch (already in version)
- Add a dependency to host-pkgconf and remove libxml2 options: see
https://github.com/GNOME/libxslt/commit/abf537ebb2296cd3ae89989a17b0e1b5c79db107
- Add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...ap-overread-in-xsltFormatNumberConversion.patch | 35 ----------------------
package/libxslt/libxslt.hash | 5 +++-
package/libxslt/libxslt.mk | 10 +++----
3 files changed, 8 insertions(+), 42 deletions(-)
delete mode 100644 package/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
diff --git a/package/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch b/package/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
deleted file mode 100644
index 1ad494a6c0..0000000000
--- a/package/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 10 Jun 2016 14:23:58 +0200
-Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
-
-An empty decimal-separator could cause a heap overread. This can be
-exploited to leak a couple of bytes after the buffer that holds the
-pattern string.
-
-Found with afl-fuzz and ASan.
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
----
-Patch status: upstream commit eb1030de311
-
- libxslt/numbers.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index d1549b46ca26..e78c46b6357b 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
- }
-
- /* We have finished the integer part, now work on fraction */
-- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
-+ if ( (*the_format != 0) &&
-+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
- format_info.add_decimal = TRUE;
- the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
- }
---
-2.10.2
-
diff --git a/package/libxslt/libxslt.hash b/package/libxslt/libxslt.hash
index 8222bc590d..f28150b71e 100644
--- a/package/libxslt/libxslt.hash
+++ b/package/libxslt/libxslt.hash
@@ -1,2 +1,5 @@
# Locally calculated after checking pgp signature
-sha256 b5976e3857837e7617b29f2249ebb5eeac34e249208d31f1fbf7a6ba7a4090ce libxslt-1.1.29.tar.gz
+sha256 526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460 libxslt-1.1.32.tar.gz
+
+# Hash for license file:
+sha256 7e48e290b6bfccc2ec1b297023a1d77f2fd87417f71fbb9f50aabef40a851819 COPYING
diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
index 868ba6a10f..972d5b80d5 100644
--- a/package/libxslt/libxslt.mk
+++ b/package/libxslt/libxslt.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBXSLT_VERSION = 1.1.29
+LIBXSLT_VERSION = 1.1.32
LIBXSLT_SITE = ftp://xmlsoft.org/libxslt
LIBXSLT_INSTALL_STAGING = YES
LIBXSLT_LICENSE = MIT
@@ -13,11 +13,9 @@ LIBXSLT_LICENSE_FILES = COPYING
LIBXSLT_CONF_OPTS = \
--with-gnu-ld \
--without-debug \
- --without-python \
- --with-libxml-prefix=$(STAGING_DIR)/usr/ \
- --with-libxml-libs-prefix=$(STAGING_DIR)/usr/lib
+ --without-python
LIBXSLT_CONFIG_SCRIPTS = xslt-config
-LIBXSLT_DEPENDENCIES = libxml2
+LIBXSLT_DEPENDENCIES = host-pkgconf libxml2
# If we have enabled libgcrypt then use it, else disable crypto support.
ifeq ($(BR2_PACKAGE_LIBGCRYPT),y)
@@ -29,7 +27,7 @@ endif
HOST_LIBXSLT_CONF_OPTS = --without-debug --without-python --without-crypto
-HOST_LIBXSLT_DEPENDENCIES = host-libxml2
+HOST_LIBXSLT_DEPENDENCIES = host-pkgconf host-libxml2
$(eval $(autotools-package))
$(eval $(host-autotools-package))
--
2.14.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2
2018-06-07 18:07 [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2 Fabrice Fontaine
@ 2018-06-08 14:29 ` Peter Korsgaard
2018-06-17 15:51 ` Peter Korsgaard
2018-07-17 7:29 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-06-08 14:29 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2017-5029
> - Remove first patch (already in version)
> - Add a dependency to host-pkgconf and remove libxml2 options: see
> https://github.com/GNOME/libxslt/commit/abf537ebb2296cd3ae89989a17b0e1b5c79db107
> - Add hash for license file
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2
2018-06-07 18:07 [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2 Fabrice Fontaine
2018-06-08 14:29 ` Peter Korsgaard
@ 2018-06-17 15:51 ` Peter Korsgaard
2018-07-17 7:29 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-06-17 15:51 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2017-5029
> - Remove first patch (already in version)
> - Add a dependency to host-pkgconf and remove libxml2 options: see
> https://github.com/GNOME/libxslt/commit/abf537ebb2296cd3ae89989a17b0e1b5c79db107
> - Add hash for license file
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2018.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2
2018-06-07 18:07 [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2 Fabrice Fontaine
2018-06-08 14:29 ` Peter Korsgaard
2018-06-17 15:51 ` Peter Korsgaard
@ 2018-07-17 7:29 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-07-17 7:29 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2017-5029
> - Remove first patch (already in version)
> - Add a dependency to host-pkgconf and remove libxml2 options: see
> https://github.com/GNOME/libxslt/commit/abf537ebb2296cd3ae89989a17b0e1b5c79db107
> - Add hash for license file
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2018.05.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-07-17 7:29 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-07 18:07 [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2 Fabrice Fontaine
2018-06-08 14:29 ` Peter Korsgaard
2018-06-17 15:51 ` Peter Korsgaard
2018-07-17 7:29 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.