Drop patch (already in version) https://github.com/libcgroup/libcgroup/releases/tag/v0.42.2 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- .../0001-cgrulesengd-remove-umask-0.patch | 33 ------------------- package/libcgroup/libcgroup.hash | 6 ++-- package/libcgroup/libcgroup.mk | 7 ++-- 3 files changed, 6 insertions(+), 40 deletions(-) delete mode 100644 package/libcgroup/0001-cgrulesengd-remove-umask-0.patch diff --git a/package/libcgroup/0001-cgrulesengd-remove-umask-0.patch b/package/libcgroup/0001-cgrulesengd-remove-umask-0.patch deleted file mode 100644 index 1d9077a2d6..0000000000 --- a/package/libcgroup/0001-cgrulesengd-remove-umask-0.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 0d88b73d189ea3440ccaab00418d6469f76fa590 Mon Sep 17 00:00:00 2001 -From: Michal Hocko <mhocko@suse.com> -Date: Wed, 18 Jul 2018 11:24:29 +0200 -Subject: [PATCH] cgrulesengd: remove umask(0) - -One of our partners has noticed that cgred daemon is creating a log file -(/var/log/cgred) with too wide permissions (0666) and that is seen as -a security bug because an untrusted user can write to otherwise -restricted area. CVE-2018-14348 has been assigned to this issue. - -Signed-off-by: Michal Hocko <mhocko@suse.com> -Acked-by: Balbir Singh <bsingharora@gmail.com> -[Retrieved from: -https://github.com/libcgroup/libcgroup/commit/0d88b73d189ea3440ccaab00418d6469f76fa590] -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> ---- - src/daemon/cgrulesengd.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c -index ea51f11..0d288f3 100644 ---- a/src/daemon/cgrulesengd.c -+++ b/src/daemon/cgrulesengd.c -@@ -889,9 +889,6 @@ int cgre_start_daemon(const char *logp, const int logf, - } else if (pid > 0) { - exit(EXIT_SUCCESS); - } -- -- /* Change the file mode mask. */ -- umask(0); - } else { - flog(LOG_DEBUG, "Not using daemon mode\n"); - pid = getpid(); 
diff --git a/package/libcgroup/libcgroup.hash b/package/libcgroup/libcgroup.hash index 11423e269f..70671212ef 100644 --- a/package/libcgroup/libcgroup.hash +++ b/package/libcgroup/libcgroup.hash @@ -1,3 +1,5 @@ -# Locally computed: -sha256 e4e38bdc7ef70645ce33740ddcca051248d56b53283c0dc6d404e17706f6fb51 libcgroup-0.41.tar.bz2 +# From https://github.com/libcgroup/libcgroup/releases/download/v0.42.2/libcgroup-0.42.2.tar.bz2.sha256 +sha256 18939381324d418e11be4f5fdca37b01652c18917bfaf1f6b0c505f157e18d07 libcgroup-0.42.2.tar.bz2 + +# Hash for license file sha256 a9bdde5616ecdd1e980b44f360600ee8783b1f99b8cc83a2beb163a0a390e861 COPYING diff --git a/package/libcgroup/libcgroup.mk b/package/libcgroup/libcgroup.mk index a26d5f2ddf..ff0639946c 100644 --- a/package/libcgroup/libcgroup.mk +++ b/package/libcgroup/libcgroup.mk @@ -4,17 +4,14 @@ # ################################################################################ -LIBCGROUP_VERSION = 0.41 +LIBCGROUP_VERSION = 0.42.2 LIBCGROUP_SOURCE = libcgroup-$(LIBCGROUP_VERSION).tar.bz2 -LIBCGROUP_SITE = http://downloads.sourceforge.net/project/libcg/libcgroup/v$(LIBCGROUP_VERSION) +LIBCGROUP_SITE = https://github.com/libcgroup/libcgroup/releases/download/v$(LIBCGROUP_VERSION) LIBCGROUP_LICENSE = LGPL-2.1 LIBCGROUP_LICENSE_FILES = COPYING LIBCGROUP_DEPENDENCIES = host-bison host-flex LIBCGROUP_INSTALL_STAGING = YES -# 0001-cgrulesengd-remove-umask-0.patch -LIBCGROUP_IGNORE_CVES += CVE-2018-14348 - # Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h # large file support. See https://bugzilla.redhat.com/show_bug.cgi?id=574992 # for more information. -- 2.30.2
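Review bot: In the libcgroup.hash hunk, the new tarball hash is copied from the .sha256 file published in the same GitHub release as the tarball, where the old entry was "Locally computed". That pins the download but is not an independent check of it. Please confirm that a locally computed sha256 of libcgroup-0.42.2.tar.bz2 matches the published value before this goes in.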
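Review bot: In the libcgroup.mk hunk, dropping `LIBCGROUP_IGNORE_CVES += CVE-2018-14348` rests on the commit message's "already in version", which cites only the v0.42.2 release tag. Please state in the commit message that upstream commit 0d88b73d189ea3440ccaab00418d6469f76fa590 (the one the deleted 0001 patch was retrieved from) is part of 0.42.2, so the removal of umask(0) in cgrulesengd.c can be verified against the new tarball. The same hunk also moves LIBCGROUP_SITE from the http SourceForge URL to the https GitHub releases URL, which the commit body does not mention; one line on that would help.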
cpe:2.3:a:libcgroup_project:libcgroup is a valid CPE identifier for this package: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibcgroup_project%3Alibcgroup Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/libcgroup/libcgroup.mk | 1 + 1 file changed, 1 insertion(+) diff --git a/package/libcgroup/libcgroup.mk b/package/libcgroup/libcgroup.mk index ff0639946c..156b066162 100644 --- a/package/libcgroup/libcgroup.mk +++ b/package/libcgroup/libcgroup.mk @@ -9,6 +9,7 @@ LIBCGROUP_SOURCE = libcgroup-$(LIBCGROUP_VERSION).tar.bz2 LIBCGROUP_SITE = https://github.com/libcgroup/libcgroup/releases/download/v$(LIBCGROUP_VERSION) LIBCGROUP_LICENSE = LGPL-2.1 LIBCGROUP_LICENSE_FILES = COPYING +LIBCGROUP_CPE_ID_VENDOR = libcgroup_project LIBCGROUP_DEPENDENCIES = host-bison host-flex LIBCGROUP_INSTALL_STAGING = YES -- 2.30.2
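Review bot: `LIBCGROUP_CPE_ID_VENDOR = libcgroup_project` is added without a matching LIBCGROUP_CPE_ID_PRODUCT, which works only because the product field of the CPE quoted in the commit message (`libcgroup`) equals the package name that Buildroot uses as the default. Saying so in the commit message would make that reliance explicit. Since the previous patch in this series removed the IGNORE_CVES entry for CVE-2018-14348, it is also worth confirming that CVE is no longer reported for 0.42.2 once this vendor string is in place.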
Fabrice, All, On 2021-04-16 22:34 +0200, Fabrice Fontaine spake thusly: > Drop patch (already in version) > > https://github.com/libcgroup/libcgroup/releases/tag/v0.42.2 > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Series of 2 applied to master, thanks. Regards, Yann E. MORIN. > --- > .../0001-cgrulesengd-remove-umask-0.patch | 33 ------------------- > package/libcgroup/libcgroup.hash | 6 ++-- > package/libcgroup/libcgroup.mk | 7 ++-- > 3 files changed, 6 insertions(+), 40 deletions(-) > delete mode 100644 package/libcgroup/0001-cgrulesengd-remove-umask-0.patch > > diff --git a/package/libcgroup/0001-cgrulesengd-remove-umask-0.patch b/package/libcgroup/0001-cgrulesengd-remove-umask-0.patch > deleted file mode 100644 > index 1d9077a2d6..0000000000 > --- a/package/libcgroup/0001-cgrulesengd-remove-umask-0.patch > +++ /dev/null 
> @@ -1,33 +0,0 @@ > -From 0d88b73d189ea3440ccaab00418d6469f76fa590 Mon Sep 17 00:00:00 2001 > -From: Michal Hocko <mhocko@suse.com> > -Date: Wed, 18 Jul 2018 11:24:29 +0200 > -Subject: [PATCH] cgrulesengd: remove umask(0) > - > -One of our partners has noticed that cgred daemon is creating a log file > -(/var/log/cgred) with too wide permissions (0666) and that is seen as > -a security bug because an untrusted user can write to otherwise > -restricted area. CVE-2018-14348 has been assigned to this issue. > - > -Signed-off-by: Michal Hocko <mhocko@suse.com> > -Acked-by: Balbir Singh <bsingharora@gmail.com> > -[Retrieved from: > -https://github.com/libcgroup/libcgroup/commit/0d88b73d189ea3440ccaab00418d6469f76fa590] > -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > ---- > - src/daemon/cgrulesengd.c | 3 --- > - 1 file changed, 3 deletions(-) > - > -diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c > -index ea51f11..0d288f3 100644 > ---- a/src/daemon/cgrulesengd.c > -+++ b/src/daemon/cgrulesengd.c > -@@ -889,9 +889,6 @@ int cgre_start_daemon(const char *logp, const int logf, > - } else if (pid > 0) { > - exit(EXIT_SUCCESS); > - } > -- > -- /* Change the file mode mask. */ > -- umask(0); > - } else { > - flog(LOG_DEBUG, "Not using daemon mode\n"); > - pid = getpid(); > diff --git a/package/libcgroup/libcgroup.hash b/package/libcgroup/libcgroup.hash > index 11423e269f..70671212ef 100644 > --- a/package/libcgroup/libcgroup.hash > +++ b/package/libcgroup/libcgroup.hash > @@ -1,3 +1,5 @@ > -# Locally computed: > -sha256 e4e38bdc7ef70645ce33740ddcca051248d56b53283c0dc6d404e17706f6fb51 libcgroup-0.41.tar.bz2 > +# From https://github.com/libcgroup/libcgroup/releases/download/v0.42.2/libcgroup-0.42.2.tar.bz2.sha256 > +sha256 18939381324d418e11be4f5fdca37b01652c18917bfaf1f6b0c505f157e18d07 libcgroup-0.42.2.tar.bz2 > + > +# Hash for license file > sha256 a9bdde5616ecdd1e980b44f360600ee8783b1f99b8cc83a2beb163a0a390e861 COPYING 
> diff --git a/package/libcgroup/libcgroup.mk b/package/libcgroup/libcgroup.mk > index a26d5f2ddf..ff0639946c 100644 > --- a/package/libcgroup/libcgroup.mk > +++ b/package/libcgroup/libcgroup.mk > @@ -4,17 +4,14 @@ > # > ################################################################################ > > -LIBCGROUP_VERSION = 0.41 > +LIBCGROUP_VERSION = 0.42.2 > LIBCGROUP_SOURCE = libcgroup-$(LIBCGROUP_VERSION).tar.bz2 > -LIBCGROUP_SITE = http://downloads.sourceforge.net/project/libcg/libcgroup/v$(LIBCGROUP_VERSION) > +LIBCGROUP_SITE = https://github.com/libcgroup/libcgroup/releases/download/v$(LIBCGROUP_VERSION) > LIBCGROUP_LICENSE = LGPL-2.1 > LIBCGROUP_LICENSE_FILES = COPYING > LIBCGROUP_DEPENDENCIES = host-bison host-flex > LIBCGROUP_INSTALL_STAGING = YES > > -# 0001-cgrulesengd-remove-umask-0.patch > -LIBCGROUP_IGNORE_CVES += CVE-2018-14348 > - > # Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h > # large file support. See https://bugzilla.redhat.com/show_bug.cgi?id=574992 > # for more information. > -- > 2.30.2
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > cpe:2.3:a:libcgroup_project:libcgroup is a valid CPE identifier for this
 > package:
 > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibcgroup_project%3Alibcgroup

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x, thanks.

--
Bye, Peter Korsgaard