All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/liburiparser: security bump to version 0.9.6
@ 2022-01-06 22:39 Fabrice Fontaine
  2022-01-07 17:08 ` Peter Korsgaard
  2022-01-26 20:32 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-01-06 22:39 UTC (permalink / raw)
  To: buildroot; +Cc: Bernd Kuhls, Fabrice Fontaine

- Fixed: [CVE-2021-46141]
  Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner*
  functions where the text range in .hostText would not be duped using
  malloc but remain unchanged (and hence "not owned") for URIs with
  an IPv4 or IPv6 address hostname; depending on how an application
  uses uriparser, this could lead the application into a use-after-free
  situation.
  As the second half, fix uriFreeUriMembers* functions that would not
  free .hostText memory for URIs with an IPv4 or IPv6 address host;
  also, calling uriFreeUriMembers* multiple times on a URI of this
  very nature would result in trying to free pointers to stack
  (rather than heap) memory.
- Fixed: [CVE-2021-46142]
  Fix functions uriNormalizeSyntax* for out-of-memory situations
  (i.e. malloc returning NULL) for URIs containing empty segments
  (any of user info, host text, query, or fragment) where previously
  pointers to stack (rather than heap) memory were freed.

https://github.com/uriparser/uriparser/blob/uriparser-0.9.6/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/liburiparser/liburiparser.hash | 2 +-
 package/liburiparser/liburiparser.mk   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/liburiparser/liburiparser.hash b/package/liburiparser/liburiparser.hash
index 60acca2215..8b40807541 100644
--- a/package/liburiparser/liburiparser.hash
+++ b/package/liburiparser/liburiparser.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  dd8061eba7f2e66c151722e6db0b27c972baa6215cf16f135dbe0f0a4bc6606c  uriparser-0.9.5.tar.bz2
+sha256  a288a06668528c19e85e38c508335938e1de6fdd4b8f2072401b4533fcebf644  uriparser-0.9.6.tar.xz
 sha256  287f09e6546a9610f949f89e8fb937cacfeabd7bfaa8c8a0c18312193bf04ad3  COPYING
diff --git a/package/liburiparser/liburiparser.mk b/package/liburiparser/liburiparser.mk
index c7bc604ece..c9903bd74f 100644
--- a/package/liburiparser/liburiparser.mk
+++ b/package/liburiparser/liburiparser.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-LIBURIPARSER_VERSION = 0.9.5
-LIBURIPARSER_SOURCE = uriparser-$(LIBURIPARSER_VERSION).tar.bz2
+LIBURIPARSER_VERSION = 0.9.6
+LIBURIPARSER_SOURCE = uriparser-$(LIBURIPARSER_VERSION).tar.xz
 LIBURIPARSER_SITE = https://github.com/uriparser/uriparser/releases/download/uriparser-$(LIBURIPARSER_VERSION)
 LIBURIPARSER_LICENSE = BSD-3-Clause
 LIBURIPARSER_LICENSE_FILES = COPYING
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/liburiparser: security bump to version 0.9.6
  2022-01-06 22:39 [Buildroot] [PATCH 1/1] package/liburiparser: security bump to version 0.9.6 Fabrice Fontaine
@ 2022-01-07 17:08 ` Peter Korsgaard
  2022-01-26 20:32 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-01-07 17:08 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Bernd Kuhls, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fixed: [CVE-2021-46141]
 >   Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner*
 >   functions where the text range in .hostText would not be duped using
 >   malloc but remain unchanged (and hence "not owned") for URIs with
 >   an IPv4 or IPv6 address hostname; depending on how an application
 >   uses uriparser, this could lead the application into a use-after-free
 >   situation.
 >   As the second half, fix uriFreeUriMembers* functions that would not
 >   free .hostText memory for URIs with an IPv4 or IPv6 address host;
 >   also, calling uriFreeUriMembers* multiple times on a URI of this
 >   very nature would result in trying to free pointers to stack
 >   (rather than heap) memory.
 > - Fixed: [CVE-2021-46142]
 >   Fix functions uriNormalizeSyntax* for out-of-memory situations
 >   (i.e. malloc returning NULL) for URIs containing empty segments
 >   (any of user info, host text, query, or fragment) where previously
 >   pointers to stack (rather than heap) memory were freed.

 > https://github.com/uriparser/uriparser/blob/uriparser-0.9.6/ChangeLog

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/liburiparser: security bump to version 0.9.6
  2022-01-06 22:39 [Buildroot] [PATCH 1/1] package/liburiparser: security bump to version 0.9.6 Fabrice Fontaine
  2022-01-07 17:08 ` Peter Korsgaard
@ 2022-01-26 20:32 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-01-26 20:32 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Bernd Kuhls, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fixed: [CVE-2021-46141]
 >   Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner*
 >   functions where the text range in .hostText would not be duped using
 >   malloc but remain unchanged (and hence "not owned") for URIs with
 >   an IPv4 or IPv6 address hostname; depending on how an application
 >   uses uriparser, this could lead the application into a use-after-free
 >   situation.
 >   As the second half, fix uriFreeUriMembers* functions that would not
 >   free .hostText memory for URIs with an IPv4 or IPv6 address host;
 >   also, calling uriFreeUriMembers* multiple times on a URI of this
 >   very nature would result in trying to free pointers to stack
 >   (rather than heap) memory.
 > - Fixed: [CVE-2021-46142]
 >   Fix functions uriNormalizeSyntax* for out-of-memory situations
 >   (i.e. malloc returning NULL) for URIs containing empty segments
 >   (any of user info, host text, query, or fragment) where previously
 >   pointers to stack (rather than heap) memory were freed.

 > https://github.com/uriparser/uriparser/blob/uriparser-0.9.6/ChangeLog

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2021.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-01-26 20:32 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-06 22:39 [Buildroot] [PATCH 1/1] package/liburiparser: security bump to version 0.9.6 Fabrice Fontaine
2022-01-07 17:08 ` Peter Korsgaard
2022-01-26 20:32 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.