* [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256
@ 2022-02-19 12:28 Fabrice Fontaine
2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
2022-02-20 9:54 ` [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Yann E. MORIN
0 siblings, 2 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2022-02-19 12:28 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
Commit ab71ac15ddd7ed6a8ca83cbc23ea0b0cbb343f0f forgot to update sha256
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/expat/expat.hash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/expat/expat.hash b/package/expat/expat.hash
index 3129801668..a6f43af291 100644
--- a/package/expat/expat.hash
+++ b/package/expat/expat.hash
@@ -3,5 +3,5 @@ md5 a712d23b7afb32e7527cf0b3fd8f12ac expat-2.4.4.tar.xz
sha1 6028b04d3505fc519c4c7c6bd67e1ad1a08cd7b6 expat-2.4.4.tar.xz
# Locally calculated
-sha256 b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a expat-2.4.3.tar.xz
+sha256 b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a expat-2.4.4.tar.xz
sha256 8c6b5b6de8fae20b317f4992729abc0e520bfba4c7606cd1e9eeb87418eebdec COPYING
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5
2022-02-19 12:28 [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Fabrice Fontaine
@ 2022-02-19 12:28 ` Fabrice Fontaine
2022-02-20 9:55 ` Yann E. MORIN
2022-03-10 19:38 ` Peter Korsgaard
2022-02-20 9:54 ` [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Yann E. MORIN
1 sibling, 2 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2022-02-19 12:28 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
Security fixes:
#562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
sequences (e.g. from start tag names) to the XML
processing application on top of Expat can cause
arbitrary damage (e.g. code execution) depending
on how invalid UTF-8 is handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#561 CVE-2022-25236 -- Passing (one or more) namespace separator
characters in "xmlns[:prefix]" attribute values
made Expat send malformed tag names to the XML
processor on top of Expat which can cause
arbitrary damage (e.g. code execution) depending
on such unexpectable cases are handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
that could be triggered by e.g. a 2 megabytes
file with a large number of opening braces.
Expected impact is denial of service or potentially
arbitrary code execution.
#560 CVE-2022-25314 -- Fix integer overflow in function copyString;
only affects the encoding name parameter at parser creation
time which is often hardcoded (rather than user input),
takes a value in the gigabytes to trigger, and a 64-bit
machine. Expected impact is denial of service.
#559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
needs input in the gigabytes and a 64-bit machine.
Expected impact is denial of service or potentially
arbitrary code execution.
https://blog.hartwork.org/posts/expat-2-4-5-released/
https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/expat/expat.hash | 8 ++++----
package/expat/expat.mk | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/expat/expat.hash b/package/expat/expat.hash
index a6f43af291..cd2e8c7fb9 100644
--- a/package/expat/expat.hash
+++ b/package/expat/expat.hash
@@ -1,7 +1,7 @@
-# From https://sourceforge.net/projects/expat/files/expat/2.4.4/
-md5 a712d23b7afb32e7527cf0b3fd8f12ac expat-2.4.4.tar.xz
-sha1 6028b04d3505fc519c4c7c6bd67e1ad1a08cd7b6 expat-2.4.4.tar.xz
+# From https://sourceforge.net/projects/expat/files/expat/2.4.5/
+md5 9dc183e6c1eebc1b658c1e71be0885e1 expat-2.4.5.tar.xz
+sha1 360a49b55c442e91cb7b328bc0335083909ddf4f expat-2.4.5.tar.xz
# Locally calculated
-sha256 b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a expat-2.4.4.tar.xz
+sha256 f2af8fc7cdc63a87920da38cd6d12cb113c3c3a3f437495b1b6541e0cff32579 expat-2.4.5.tar.xz
sha256 8c6b5b6de8fae20b317f4992729abc0e520bfba4c7606cd1e9eeb87418eebdec COPYING
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index 250600c25e..7815d61027 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -4,7 +4,7 @@
#
################################################################################
-EXPAT_VERSION = 2.4.4
+EXPAT_VERSION = 2.4.5
EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.xz
EXPAT_INSTALL_STAGING = YES
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256
2022-02-19 12:28 [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Fabrice Fontaine
2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
@ 2022-02-20 9:54 ` Yann E. MORIN
1 sibling, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2022-02-20 9:54 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
Fabrice, All,
On 2022-02-19 13:28 +0100, Fabrice Fontaine spake thusly:
> Commit ab71ac15ddd7ed6a8ca83cbc23ea0b0cbb343f0f forgot to update sha256
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/expat/expat.hash | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/expat/expat.hash b/package/expat/expat.hash
> index 3129801668..a6f43af291 100644
> --- a/package/expat/expat.hash
> +++ b/package/expat/expat.hash
> @@ -3,5 +3,5 @@ md5 a712d23b7afb32e7527cf0b3fd8f12ac expat-2.4.4.tar.xz
> sha1 6028b04d3505fc519c4c7c6bd67e1ad1a08cd7b6 expat-2.4.4.tar.xz
>
> # Locally calculated
> -sha256 b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a expat-2.4.3.tar.xz
> +sha256 b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a expat-2.4.4.tar.xz
... and so it seems you akso forgot to update the hash. ;-)
Applied to master with the hash fixed for real, thanks.
Regards,
Yann E. MORIN.
> sha256 8c6b5b6de8fae20b317f4992729abc0e520bfba4c7606cd1e9eeb87418eebdec COPYING
> --
> 2.34.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5
2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
@ 2022-02-20 9:55 ` Yann E. MORIN
2022-03-10 19:38 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2022-02-20 9:55 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
Fabrice, All,
On 2022-02-19 13:28 +0100, Fabrice Fontaine spake thusly:
> Security fixes:
> #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
> sequences (e.g. from start tag names) to the XML
> processing application on top of Expat can cause
> arbitrary damage (e.g. code execution) depending
> on how invalid UTF-8 is handled inside the XML
> processor; validation was not their job but Expat's.
> Exploits with code execution are known to exist.
> #561 CVE-2022-25236 -- Passing (one or more) namespace separator
> characters in "xmlns[:prefix]" attribute values
> made Expat send malformed tag names to the XML
> processor on top of Expat which can cause
> arbitrary damage (e.g. code execution) depending
> on such unexpectable cases are handled inside the XML
> processor; validation was not their job but Expat's.
> Exploits with code execution are known to exist.
> #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
> that could be triggered by e.g. a 2 megabytes
> file with a large number of opening braces.
> Expected impact is denial of service or potentially
> arbitrary code execution.
> #560 CVE-2022-25314 -- Fix integer overflow in function copyString;
> only affects the encoding name parameter at parser creation
> time which is often hardcoded (rather than user input),
> takes a value in the gigabytes to trigger, and a 64-bit
> machine. Expected impact is denial of service.
> #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
> needs input in the gigabytes and a 64-bit machine.
> Expected impact is denial of service or potentially
> arbitrary code execution.
>
> https://blog.hartwork.org/posts/expat-2-4-5-released/
> https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/expat/expat.hash | 8 ++++----
> package/expat/expat.mk | 2 +-
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/package/expat/expat.hash b/package/expat/expat.hash
> index a6f43af291..cd2e8c7fb9 100644
> --- a/package/expat/expat.hash
> +++ b/package/expat/expat.hash
> @@ -1,7 +1,7 @@
> -# From https://sourceforge.net/projects/expat/files/expat/2.4.4/
> -md5 a712d23b7afb32e7527cf0b3fd8f12ac expat-2.4.4.tar.xz
> -sha1 6028b04d3505fc519c4c7c6bd67e1ad1a08cd7b6 expat-2.4.4.tar.xz
> +# From https://sourceforge.net/projects/expat/files/expat/2.4.5/
> +md5 9dc183e6c1eebc1b658c1e71be0885e1 expat-2.4.5.tar.xz
> +sha1 360a49b55c442e91cb7b328bc0335083909ddf4f expat-2.4.5.tar.xz
>
> # Locally calculated
> -sha256 b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a expat-2.4.4.tar.xz
> +sha256 f2af8fc7cdc63a87920da38cd6d12cb113c3c3a3f437495b1b6541e0cff32579 expat-2.4.5.tar.xz
> sha256 8c6b5b6de8fae20b317f4992729abc0e520bfba4c7606cd1e9eeb87418eebdec COPYING
> diff --git a/package/expat/expat.mk b/package/expat/expat.mk
> index 250600c25e..7815d61027 100644
> --- a/package/expat/expat.mk
> +++ b/package/expat/expat.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -EXPAT_VERSION = 2.4.4
> +EXPAT_VERSION = 2.4.5
> EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
> EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.xz
> EXPAT_INSTALL_STAGING = YES
> --
> 2.34.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5
2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
2022-02-20 9:55 ` Yann E. MORIN
@ 2022-03-10 19:38 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2022-03-10 19:38 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Security fixes:
> #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
> sequences (e.g. from start tag names) to the XML
> processing application on top of Expat can cause
> arbitrary damage (e.g. code execution) depending
> on how invalid UTF-8 is handled inside the XML
> processor; validation was not their job but Expat's.
> Exploits with code execution are known to exist.
> #561 CVE-2022-25236 -- Passing (one or more) namespace separator
> characters in "xmlns[:prefix]" attribute values
> made Expat send malformed tag names to the XML
> processor on top of Expat which can cause
> arbitrary damage (e.g. code execution) depending
> on such unexpectable cases are handled inside the XML
> processor; validation was not their job but Expat's.
> Exploits with code execution are known to exist.
> #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
> that could be triggered by e.g. a 2 megabytes
> file with a large number of opening braces.
> Expected impact is denial of service or potentially
> arbitrary code execution.
> #560 CVE-2022-25314 -- Fix integer overflow in function copyString;
> only affects the encoding name parameter at parser creation
> time which is often hardcoded (rather than user input),
> takes a value in the gigabytes to trigger, and a 64-bit
> machine. Expected impact is denial of service.
> #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
> needs input in the gigabytes and a 64-bit machine.
> Expected impact is denial of service or potentially
> arbitrary code execution.
> https://blog.hartwork.org/posts/expat-2-4-5-released/
> https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-03-10 19:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-19 12:28 [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Fabrice Fontaine
2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
2022-02-20 9:55 ` Yann E. MORIN
2022-03-10 19:38 ` Peter Korsgaard
2022-02-20 9:54 ` [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Yann E. MORIN
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.