All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/libglib2: security bump to version 2.66.7
@ 2021-02-27  9:04 Fabrice Fontaine
  2021-02-27 15:56 ` Yann E. MORIN
  2021-03-13 14:39 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-02-27  9:04 UTC (permalink / raw)
  To: buildroot

- Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
  2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
  with a buffer of 4GB or more on a 64-bit platform, the length would be
  truncated modulo 2**32, causing unintended length truncation.
- Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
  2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
  integer overflow on 64-bit platforms due to an implicit cast from 64
  bits to 32 bits. The overflow could potentially lead to memory
  corruption.

https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/libglib2/0003-remove-cpp-requirement.patch | 2 +-
 package/libglib2/libglib2.hash                     | 4 ++--
 package/libglib2/libglib2.mk                       | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/libglib2/0003-remove-cpp-requirement.patch b/package/libglib2/0003-remove-cpp-requirement.patch
index 72304fa4b1..25cb23c239 100644
--- a/package/libglib2/0003-remove-cpp-requirement.patch
+++ b/package/libglib2/0003-remove-cpp-requirement.patch
@@ -35,7 +35,7 @@ index 4bbf4c2..ac59f4e 100644
 @@ -1,4 +1,4 @@
 -project('glib', 'c', 'cpp',
 +project('glib', 'c',
-   version : '2.66.3',
+   version : '2.66.7',
    # NOTE: We keep this pinned at 0.49 because that's what Debian 10 ships
    meson_version : '>= 0.49.2',
 @@ -10,7 +10,6 @@ project('glib', 'c', 'cpp',
diff --git a/package/libglib2/libglib2.hash b/package/libglib2/libglib2.hash
index ac32f1b14b..7886bb5c59 100644
--- a/package/libglib2/libglib2.hash
+++ b/package/libglib2/libglib2.hash
@@ -1,4 +1,4 @@
-# https://download.gnome.org/sources/glib/2.66/glib-2.66.3.sha256sum
-sha256  79f31365a99cb1cc9db028625635d1438890702acde9e2802eae0acebcf7b5b1  glib-2.66.3.tar.xz
+# https://download.gnome.org/sources/glib/2.66/glib-2.66.7.sha256sum
+sha256  09f158769f6f26b31074e15b1ac80ec39b13b53102dfae66cfe826fb2cc65502  glib-2.66.7.tar.xz
 # License files, locally calculated
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING
diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
index c738415216..ffbb4c96b5 100644
--- a/package/libglib2/libglib2.mk
+++ b/package/libglib2/libglib2.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 LIBGLIB2_VERSION_MAJOR = 2.66
-LIBGLIB2_VERSION = $(LIBGLIB2_VERSION_MAJOR).3
+LIBGLIB2_VERSION = $(LIBGLIB2_VERSION_MAJOR).7
 LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
 LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
 LIBGLIB2_LICENSE = LGPL-2.1+
-- 
2.30.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/libglib2: security bump to version 2.66.7
  2021-02-27  9:04 [Buildroot] [PATCH 1/1] package/libglib2: security bump to version 2.66.7 Fabrice Fontaine
@ 2021-02-27 15:56 ` Yann E. MORIN
  2021-03-13 14:39 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2021-02-27 15:56 UTC (permalink / raw)
  To: buildroot

Fabrice, All,

On 2021-02-27 10:04 +0100, Fabrice Fontaine spake thusly:
> - Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
>   2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
>   with a buffer of 4GB or more on a 64-bit platform, the length would be
>   truncated modulo 2**32, causing unintended length truncation.
> - Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
>   2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
>   integer overflow on 64-bit platforms due to an implicit cast from 64
>   bits to 32 bits. The overflow could potentially lead to memory
>   corruption.
> 
> https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/libglib2/0003-remove-cpp-requirement.patch | 2 +-
>  package/libglib2/libglib2.hash                     | 4 ++--
>  package/libglib2/libglib2.mk                       | 2 +-
>  3 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/libglib2/0003-remove-cpp-requirement.patch b/package/libglib2/0003-remove-cpp-requirement.patch
> index 72304fa4b1..25cb23c239 100644
> --- a/package/libglib2/0003-remove-cpp-requirement.patch
> +++ b/package/libglib2/0003-remove-cpp-requirement.patch
> @@ -35,7 +35,7 @@ index 4bbf4c2..ac59f4e 100644
>  @@ -1,4 +1,4 @@
>  -project('glib', 'c', 'cpp',
>  +project('glib', 'c',
> -   version : '2.66.3',
> +   version : '2.66.7',
>     # NOTE: We keep this pinned at 0.49 because that's what Debian 10 ships
>     meson_version : '>= 0.49.2',
>  @@ -10,7 +10,6 @@ project('glib', 'c', 'cpp',
> diff --git a/package/libglib2/libglib2.hash b/package/libglib2/libglib2.hash
> index ac32f1b14b..7886bb5c59 100644
> --- a/package/libglib2/libglib2.hash
> +++ b/package/libglib2/libglib2.hash
> @@ -1,4 +1,4 @@
> -# https://download.gnome.org/sources/glib/2.66/glib-2.66.3.sha256sum
> -sha256  79f31365a99cb1cc9db028625635d1438890702acde9e2802eae0acebcf7b5b1  glib-2.66.3.tar.xz
> +# https://download.gnome.org/sources/glib/2.66/glib-2.66.7.sha256sum
> +sha256  09f158769f6f26b31074e15b1ac80ec39b13b53102dfae66cfe826fb2cc65502  glib-2.66.7.tar.xz
>  # License files, locally calculated
>  sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING
> diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
> index c738415216..ffbb4c96b5 100644
> --- a/package/libglib2/libglib2.mk
> +++ b/package/libglib2/libglib2.mk
> @@ -5,7 +5,7 @@
>  ################################################################################
>  
>  LIBGLIB2_VERSION_MAJOR = 2.66
> -LIBGLIB2_VERSION = $(LIBGLIB2_VERSION_MAJOR).3
> +LIBGLIB2_VERSION = $(LIBGLIB2_VERSION_MAJOR).7
>  LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
>  LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
>  LIBGLIB2_LICENSE = LGPL-2.1+
> -- 
> 2.30.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/libglib2: security bump to version 2.66.7
  2021-02-27  9:04 [Buildroot] [PATCH 1/1] package/libglib2: security bump to version 2.66.7 Fabrice Fontaine
  2021-02-27 15:56 ` Yann E. MORIN
@ 2021-03-13 14:39 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-03-13 14:39 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
 >   2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
 >   with a buffer of 4GB or more on a 64-bit platform, the length would be
 >   truncated modulo 2**32, causing unintended length truncation.
 > - Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
 >   2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
 >   integer overflow on 64-bit platforms due to an implicit cast from 64
 >   bits to 32 bits. The overflow could potentially lead to memory
 >   corruption.

For 2020.02.x / 2020.11.x I have instead backported the CVE-2021.27218
fix. The CVE-2021-27219 fix adds a g_memdup2() function and changes a
bunch of callers to use that instead of g_memdup(), which is not quite
trivial to backport, so I have left that for now.
-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-13 14:39 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-27  9:04 [Buildroot] [PATCH 1/1] package/libglib2: security bump to version 2.66.7 Fabrice Fontaine
2021-02-27 15:56 ` Yann E. MORIN
2021-03-13 14:39 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.