All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256
@ 2022-02-19 12:28 Fabrice Fontaine
  2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
  2022-02-20  9:54 ` [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Yann E. MORIN
  0 siblings, 2 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2022-02-19 12:28 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

Commit ab71ac15ddd7ed6a8ca83cbc23ea0b0cbb343f0f forgot to update sha256

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/expat/expat.hash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/expat/expat.hash b/package/expat/expat.hash
index 3129801668..a6f43af291 100644
--- a/package/expat/expat.hash
+++ b/package/expat/expat.hash
@@ -3,5 +3,5 @@ md5  a712d23b7afb32e7527cf0b3fd8f12ac  expat-2.4.4.tar.xz
 sha1  6028b04d3505fc519c4c7c6bd67e1ad1a08cd7b6  expat-2.4.4.tar.xz
 
 # Locally calculated
-sha256  b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a  expat-2.4.3.tar.xz
+sha256  b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a  expat-2.4.4.tar.xz
 sha256  8c6b5b6de8fae20b317f4992729abc0e520bfba4c7606cd1e9eeb87418eebdec  COPYING
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5
  2022-02-19 12:28 [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Fabrice Fontaine
@ 2022-02-19 12:28 ` Fabrice Fontaine
  2022-02-20  9:55   ` Yann E. MORIN
  2022-03-10 19:38   ` Peter Korsgaard
  2022-02-20  9:54 ` [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Yann E. MORIN
  1 sibling, 2 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2022-02-19 12:28 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

Security fixes:
 #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
       sequences (e.g. from start tag names) to the XML
       processing application on top of Expat can cause
       arbitrary damage (e.g. code execution) depending
       on how invalid UTF-8 is handled inside the XML
       processor; validation was not their job but Expat's.
       Exploits with code execution are known to exist.
 #561  CVE-2022-25236 -- Passing (one or more) namespace separator
       characters in "xmlns[:prefix]" attribute values
       made Expat send malformed tag names to the XML
       processor on top of Expat which can cause
       arbitrary damage (e.g. code execution) depending
       on such unexpectable cases are handled inside the XML
       processor; validation was not their job but Expat's.
       Exploits with code execution are known to exist.
 #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
       that could be triggered by e.g. a 2 megabytes
       file with a large number of opening braces.
       Expected impact is denial of service or potentially
       arbitrary code execution.
 #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
       only affects the encoding name parameter at parser creation
       time which is often hardcoded (rather than user input),
       takes a value in the gigabytes to trigger, and a 64-bit
       machine.  Expected impact is denial of service.
 #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
       needs input in the gigabytes and a 64-bit machine.
       Expected impact is denial of service or potentially
       arbitrary code execution.

https://blog.hartwork.org/posts/expat-2-4-5-released/
https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/expat/expat.hash | 8 ++++----
 package/expat/expat.mk   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/expat/expat.hash b/package/expat/expat.hash
index a6f43af291..cd2e8c7fb9 100644
--- a/package/expat/expat.hash
+++ b/package/expat/expat.hash
@@ -1,7 +1,7 @@
-# From https://sourceforge.net/projects/expat/files/expat/2.4.4/
-md5  a712d23b7afb32e7527cf0b3fd8f12ac  expat-2.4.4.tar.xz
-sha1  6028b04d3505fc519c4c7c6bd67e1ad1a08cd7b6  expat-2.4.4.tar.xz
+# From https://sourceforge.net/projects/expat/files/expat/2.4.5/
+md5  9dc183e6c1eebc1b658c1e71be0885e1  expat-2.4.5.tar.xz
+sha1  360a49b55c442e91cb7b328bc0335083909ddf4f  expat-2.4.5.tar.xz
 
 # Locally calculated
-sha256  b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a  expat-2.4.4.tar.xz
+sha256  f2af8fc7cdc63a87920da38cd6d12cb113c3c3a3f437495b1b6541e0cff32579  expat-2.4.5.tar.xz
 sha256  8c6b5b6de8fae20b317f4992729abc0e520bfba4c7606cd1e9eeb87418eebdec  COPYING
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index 250600c25e..7815d61027 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-EXPAT_VERSION = 2.4.4
+EXPAT_VERSION = 2.4.5
 EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
 EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.xz
 EXPAT_INSTALL_STAGING = YES
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256
  2022-02-19 12:28 [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Fabrice Fontaine
  2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
@ 2022-02-20  9:54 ` Yann E. MORIN
  1 sibling, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2022-02-20  9:54 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

Fabrice, All,

On 2022-02-19 13:28 +0100, Fabrice Fontaine spake thusly:
> Commit ab71ac15ddd7ed6a8ca83cbc23ea0b0cbb343f0f forgot to update sha256
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/expat/expat.hash | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/expat/expat.hash b/package/expat/expat.hash
> index 3129801668..a6f43af291 100644
> --- a/package/expat/expat.hash
> +++ b/package/expat/expat.hash
> @@ -3,5 +3,5 @@ md5  a712d23b7afb32e7527cf0b3fd8f12ac  expat-2.4.4.tar.xz
>  sha1  6028b04d3505fc519c4c7c6bd67e1ad1a08cd7b6  expat-2.4.4.tar.xz
>  
>  # Locally calculated
> -sha256  b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a  expat-2.4.3.tar.xz
> +sha256  b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a  expat-2.4.4.tar.xz

... and so it seems you akso forgot to update the hash. ;-)

Applied to master with the hash fixed for real, thanks.

Regards,
Yann E. MORIN.

>  sha256  8c6b5b6de8fae20b317f4992729abc0e520bfba4c7606cd1e9eeb87418eebdec  COPYING
> -- 
> 2.34.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5
  2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
@ 2022-02-20  9:55   ` Yann E. MORIN
  2022-03-10 19:38   ` Peter Korsgaard
  1 sibling, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2022-02-20  9:55 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

Fabrice, All,

On 2022-02-19 13:28 +0100, Fabrice Fontaine spake thusly:
> Security fixes:
>  #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
>        sequences (e.g. from start tag names) to the XML
>        processing application on top of Expat can cause
>        arbitrary damage (e.g. code execution) depending
>        on how invalid UTF-8 is handled inside the XML
>        processor; validation was not their job but Expat's.
>        Exploits with code execution are known to exist.
>  #561  CVE-2022-25236 -- Passing (one or more) namespace separator
>        characters in "xmlns[:prefix]" attribute values
>        made Expat send malformed tag names to the XML
>        processor on top of Expat which can cause
>        arbitrary damage (e.g. code execution) depending
>        on such unexpectable cases are handled inside the XML
>        processor; validation was not their job but Expat's.
>        Exploits with code execution are known to exist.
>  #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
>        that could be triggered by e.g. a 2 megabytes
>        file with a large number of opening braces.
>        Expected impact is denial of service or potentially
>        arbitrary code execution.
>  #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
>        only affects the encoding name parameter at parser creation
>        time which is often hardcoded (rather than user input),
>        takes a value in the gigabytes to trigger, and a 64-bit
>        machine.  Expected impact is denial of service.
>  #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
>        needs input in the gigabytes and a 64-bit machine.
>        Expected impact is denial of service or potentially
>        arbitrary code execution.
> 
> https://blog.hartwork.org/posts/expat-2-4-5-released/
> https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/expat/expat.hash | 8 ++++----
>  package/expat/expat.mk   | 2 +-
>  2 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/package/expat/expat.hash b/package/expat/expat.hash
> index a6f43af291..cd2e8c7fb9 100644
> --- a/package/expat/expat.hash
> +++ b/package/expat/expat.hash
> @@ -1,7 +1,7 @@
> -# From https://sourceforge.net/projects/expat/files/expat/2.4.4/
> -md5  a712d23b7afb32e7527cf0b3fd8f12ac  expat-2.4.4.tar.xz
> -sha1  6028b04d3505fc519c4c7c6bd67e1ad1a08cd7b6  expat-2.4.4.tar.xz
> +# From https://sourceforge.net/projects/expat/files/expat/2.4.5/
> +md5  9dc183e6c1eebc1b658c1e71be0885e1  expat-2.4.5.tar.xz
> +sha1  360a49b55c442e91cb7b328bc0335083909ddf4f  expat-2.4.5.tar.xz
>  
>  # Locally calculated
> -sha256  b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a  expat-2.4.4.tar.xz
> +sha256  f2af8fc7cdc63a87920da38cd6d12cb113c3c3a3f437495b1b6541e0cff32579  expat-2.4.5.tar.xz
>  sha256  8c6b5b6de8fae20b317f4992729abc0e520bfba4c7606cd1e9eeb87418eebdec  COPYING
> diff --git a/package/expat/expat.mk b/package/expat/expat.mk
> index 250600c25e..7815d61027 100644
> --- a/package/expat/expat.mk
> +++ b/package/expat/expat.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -EXPAT_VERSION = 2.4.4
> +EXPAT_VERSION = 2.4.5
>  EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
>  EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.xz
>  EXPAT_INSTALL_STAGING = YES
> -- 
> 2.34.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5
  2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
  2022-02-20  9:55   ` Yann E. MORIN
@ 2022-03-10 19:38   ` Peter Korsgaard
  1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2022-03-10 19:38 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Security fixes:
 >  #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
 >        sequences (e.g. from start tag names) to the XML
 >        processing application on top of Expat can cause
 >        arbitrary damage (e.g. code execution) depending
 >        on how invalid UTF-8 is handled inside the XML
 >        processor; validation was not their job but Expat's.
 >        Exploits with code execution are known to exist.
 >  #561  CVE-2022-25236 -- Passing (one or more) namespace separator
 >        characters in "xmlns[:prefix]" attribute values
 >        made Expat send malformed tag names to the XML
 >        processor on top of Expat which can cause
 >        arbitrary damage (e.g. code execution) depending
 >        on such unexpectable cases are handled inside the XML
 >        processor; validation was not their job but Expat's.
 >        Exploits with code execution are known to exist.
 >  #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
 >        that could be triggered by e.g. a 2 megabytes
 >        file with a large number of opening braces.
 >        Expected impact is denial of service or potentially
 >        arbitrary code execution.
 >  #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
 >        only affects the encoding name parameter at parser creation
 >        time which is often hardcoded (rather than user input),
 >        takes a value in the gigabytes to trigger, and a 64-bit
 >        machine.  Expected impact is denial of service.
 >  #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
 >        needs input in the gigabytes and a 64-bit machine.
 >        Expected impact is denial of service or potentially
 >        arbitrary code execution.

 > https://blog.hartwork.org/posts/expat-2-4-5-released/
 > https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2021.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-03-10 19:38 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-19 12:28 [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Fabrice Fontaine
2022-02-19 12:28 ` [Buildroot] [PATCH 2/2] package/expat: security bump to version 2.4.5 Fabrice Fontaine
2022-02-20  9:55   ` Yann E. MORIN
2022-03-10 19:38   ` Peter Korsgaard
2022-02-20  9:54 ` [Buildroot] [PATCH 1/2] package/expat: fix tarball sha256 Yann E. MORIN

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.