* [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id
@ 2022-08-29 17:14 Marcus Hoffmann
  2022-08-29 17:14 ` [Buildroot] [next v2 1/2] package/python-paho-mqtt: bump to 1.6.1 Marcus Hoffmann
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Marcus Hoffmann @ 2022-08-29 17:14 UTC (permalink / raw)
  To: buildroot; +Cc: Davide Viti, Asaf Kahlon

Can be found in this CVE entry for example:
https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
---
 package/libzlib/libzlib.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index 933732d6ba..431c48739a 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -11,7 +11,7 @@ LIBZLIB_LICENSE = Zlib
 LIBZLIB_LICENSE_FILES = README
 LIBZLIB_INSTALL_STAGING = YES
 LIBZLIB_PROVIDES = zlib
-LIBZLIB_CPE_ID_VENDOR = gnu
+LIBZLIB_CPE_ID_VENDOR = zlib
 LIBZLIB_CPE_ID_PRODUCT = zlib
 
 # It is not possible to build only a shared version of zlib, so we build both
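Review bot: the justification for changing `LIBZLIB_CPE_ID_VENDOR` from `gnu` to `zlib` rests on a single NVD entry; since `LIBZLIB_CPE_ID_VENDOR` together with `LIBZLIB_CPE_ID_PRODUCT` is what Buildroot's CVE matching keys on, a wrong vendor means no zlib CVE is ever reported against this package, and the commit message should say so and cite the CPE dictionary entry for the `zlib:zlib` product (Arnout's reply in this thread notes he added the CPE database search URLs for both vendors when applying).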
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [next v2 1/2] package/python-paho-mqtt: bump to 1.6.1
  2022-08-29 17:14 [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id Marcus Hoffmann
@ 2022-08-29 17:14 ` Marcus Hoffmann
  2022-08-31 20:24   ` Yann E. MORIN
  2022-08-29 17:14 ` [Buildroot] [PATCH 2/2] package/libzlib: backport security fix for CVE-2022-37434 Marcus Hoffmann
  2022-08-30 21:29 ` [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id Arnout Vandecappelle
  2 siblings, 1 reply; 6+ messages in thread
From: Marcus Hoffmann @ 2022-08-29 17:14 UTC (permalink / raw)
  To: buildroot; +Cc: Davide Viti, Asaf Kahlon

We need to switch to the github download as the sdist published to pypi
doesn't package the epl-v20 license file:

https://github.com/eclipse/paho.mqtt.python/pull/635

License changed to EPL-2.0 or EDLv1.0

Changelog:
https://github.com/eclipse/paho.mqtt.python/blob/master/ChangeLog.txt
Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
---
Changes v1 -> v2:
  - switch to github download to have license file in source tarball
  - update license hashes

 package/python-paho-mqtt/python-paho-mqtt.hash | 10 +++++-----
 package/python-paho-mqtt/python-paho-mqtt.mk   |  9 ++++-----
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/package/python-paho-mqtt/python-paho-mqtt.hash b/package/python-paho-mqtt/python-paho-mqtt.hash
index bf3993e919..dbf9ee89f6 100644
--- a/package/python-paho-mqtt/python-paho-mqtt.hash
+++ b/package/python-paho-mqtt/python-paho-mqtt.hash
@@ -1,6 +1,6 @@
-# md5 from https://pypi.python.org/pypi/paho-mqtt/json, sha256 locally computed
-md5  e3ac29cd5dc247a01083a2a8f3fddd08  paho-mqtt-1.4.0.tar.gz
-sha256  e440a052b46d222e184be3be38676378722072fcd4dfd2c8f509fb861a7b0b79  paho-mqtt-1.4.0.tar.gz
-sha256  76f13729e84e9222e543303df00f87d1b2c0995b6a505cd859a285667e44babb  LICENSE.txt
+# locally computed
+md5  00c3381d7deacc7ac8b220f3b9d689c6  python-paho-mqtt-1.6.1.tar.gz
+sha256	6e35c1be242a901fc9c00bad7d37b5cc4a497f398dfceb4ed0d8018a959be650  python-paho-mqtt-1.6.1.tar.gz
+sha256	66408b049249c3bdb0ba1ed285f5422ce67e371d40151bebd4d806af454ffe7c  LICENSE.txt
 sha256  e8cf7d54ea46c19aba793983889b7f7425e1ebfcaaccec764a7db091646e203c  edl-v10
-sha256  3b9be6b894d0769de796e653571ff6cef494913c0ce78c35a97db939e7d9087c  epl-v10
+sha256	8c349f80764d0648e645f41ef23772a70c995a0924b5235f735f4a3d09df127c  epl-v20
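Review bot: the three added `sha256` lines (tarball, `LICENSE.txt`, `epl-v20`) separate the fields with a TAB, while the unchanged `edl-v10` line and the rest of the tree use two spaces; reformat them to `sha256  <hash>  <file>` so the file stays consistent. The `md5  00c3381d7deacc7ac8b220f3b9d689c6  python-paho-mqtt-1.6.1.tar.gz` line is marked `# locally computed`: a locally computed md5 gives no integrity assurance beyond the sha256 already present, and Buildroot only keeps md5 values published by upstream, so drop it.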
diff --git a/package/python-paho-mqtt/python-paho-mqtt.mk b/package/python-paho-mqtt/python-paho-mqtt.mk
index d192749e1e..3ff5f9e57a 100644
--- a/package/python-paho-mqtt/python-paho-mqtt.mk
+++ b/package/python-paho-mqtt/python-paho-mqtt.mk
@@ -4,11 +4,10 @@
 #
 ################################################################################
 
-PYTHON_PAHO_MQTT_VERSION = 1.4.0
-PYTHON_PAHO_MQTT_SOURCE = paho-mqtt-$(PYTHON_PAHO_MQTT_VERSION).tar.gz
-PYTHON_PAHO_MQTT_SITE = https://files.pythonhosted.org/packages/25/63/db25e62979c2a716a74950c9ed658dce431b5cb01fde29eb6cba9489a904
-PYTHON_PAHO_MQTT_LICENSE = EPL-1.0 or EDLv1.0
-PYTHON_PAHO_MQTT_LICENSE_FILES = LICENSE.txt edl-v10 epl-v10
+PYTHON_PAHO_MQTT_VERSION = 1.6.1
+PYTHON_PAHO_MQTT_SITE = $(call github,eclipse,paho.mqtt.python,v$(PYTHON_PAHO_MQTT_VERSION))
+PYTHON_PAHO_MQTT_LICENSE = EPL-2.0 or EDLv1.0
+PYTHON_PAHO_MQTT_LICENSE_FILES = LICENSE.txt epl-v20 edl-v10
 PYTHON_PAHO_MQTT_SETUP_TYPE = setuptools
 
 $(eval $(python-package))
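Review bot: `PYTHON_PAHO_MQTT_LICENSE = EPL-2.0 or EDLv1.0` needs to be checked against `LICENSE.txt` in the 1.6.1 tarball; if that file states both licenses apply together (as Yann's reply in this thread reports), the Buildroot expression must be the conjunctive `EPL-2.0, EDLv1.0`, since `or` denotes a choice. Dropping `PYTHON_PAHO_MQTT_SOURCE` is correct with the github helper, whose default tarball name `python-paho-mqtt-1.6.1.tar.gz` matches the new `.hash` entries.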
-- 
2.25.1


* [Buildroot] [PATCH 2/2] package/libzlib: backport security fix for CVE-2022-37434
  2022-08-29 17:14 [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id Marcus Hoffmann
  2022-08-29 17:14 ` [Buildroot] [next v2 1/2] package/python-paho-mqtt: bump to 1.6.1 Marcus Hoffmann
@ 2022-08-29 17:14 ` Marcus Hoffmann
  2022-09-18  7:43   ` Peter Korsgaard
  2022-08-30 21:29 ` [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id Arnout Vandecappelle
  2 siblings, 1 reply; 6+ messages in thread
From: Marcus Hoffmann @ 2022-08-29 17:14 UTC (permalink / raw)
  To: buildroot; +Cc: Davide Viti, Asaf Kahlon

See: https://security-tracker.debian.org/tracker/CVE-2022-37434
Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
---
 package/libzlib/0002-fix-CVE-2022-37434.patch | 35 +++++++++++++++++++
 .../0003-fix-CVE-2022-37434-regression.patch  | 32 +++++++++++++++++
 package/libzlib/libzlib.mk                    |  3 ++
 3 files changed, 70 insertions(+)
 create mode 100644 package/libzlib/0002-fix-CVE-2022-37434.patch
 create mode 100644 package/libzlib/0003-fix-CVE-2022-37434-regression.patch

diff --git a/package/libzlib/0002-fix-CVE-2022-37434.patch b/package/libzlib/0002-fix-CVE-2022-37434.patch
new file mode 100644
index 0000000000..a61be48536
--- /dev/null
+++ b/package/libzlib/0002-fix-CVE-2022-37434.patch
@@ -0,0 +1,35 @@
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Sat, 30 Jul 2022 15:51:11 -0700
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+Backported from: eff308af425b67093bab25f80f1ae950166bece1
+Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7be8c6366..7a7289749 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
++                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
++                        len < state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
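Review bot: as backported, the hoisted `len = state->head->extra_len - state->length;` now runs before the `state->head != Z_NULL` test, so it dereferences a NULL `head` whenever the caller never registered a header with `inflateGetHeader()`; patch 0003 in this same series moves the assignment back behind the guard, so the two patches must always be applied together. Add a one-line note to this patch's header saying it is only complete with 0003, so a future refresh does not drop one without the other.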
diff --git a/package/libzlib/0003-fix-CVE-2022-37434-regression.patch b/package/libzlib/0003-fix-CVE-2022-37434-regression.patch
new file mode 100644
index 0000000000..46a58710d2
--- /dev/null
+++ b/package/libzlib/0003-fix-CVE-2022-37434-regression.patch
@@ -0,0 +1,32 @@
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+
+Backported from: 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
+Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a7289749..2a3c4fe98 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
+-                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+                         state->head->extra != Z_NULL &&
+-                        len < state->head->extra_max) {
++                        (len = state->head->extra_len - state->length) <
++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
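Review bot: keep the assignment-in-condition `(len = state->head->extra_len - state->length) < state->head->extra_max` exactly as upstream wrote it rather than restyling it, so the patch keeps applying cleanly on the next version bump. Note that this `len < extra_max` guard does double duty: besides limiting where the copy starts, it is what keeps `state->head->extra_max - len` in the `zmemcpy` length from wrapping, since both are unsigned in `inflate.c`, so it must not be relaxed in any later edit.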
diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index 431c48739a..f75502326b 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -14,6 +14,9 @@ LIBZLIB_PROVIDES = zlib
 LIBZLIB_CPE_ID_VENDOR = zlib
 LIBZLIB_CPE_ID_PRODUCT = zlib
 
+# 0002-fix-CVE-2022-37434.patch
+LIBZLIB_IGNORE_CVES = CVE-2022-37434
+
 # It is not possible to build only a shared version of zlib, so we build both
 # shared and static, unless we only want the static libs, and we eventually
 # selectively remove what we do not want
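Review bot: the comment above `LIBZLIB_IGNORE_CVES = CVE-2022-37434` names only `0002-fix-CVE-2022-37434.patch`, but the fix is only complete together with `0003-fix-CVE-2022-37434-regression.patch`; list both files in the comment so that whoever later removes or fails to refresh one of them also reconsiders the `LIBZLIB_IGNORE_CVES` entry instead of silently suppressing a CVE that is no longer fully fixed.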
-- 
2.25.1


* Re: [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id
  2022-08-29 17:14 [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id Marcus Hoffmann
  2022-08-29 17:14 ` [Buildroot] [next v2 1/2] package/python-paho-mqtt: bump to 1.6.1 Marcus Hoffmann
  2022-08-29 17:14 ` [Buildroot] [PATCH 2/2] package/libzlib: backport security fix for CVE-2022-37434 Marcus Hoffmann
@ 2022-08-30 21:29 ` Arnout Vandecappelle
  2 siblings, 0 replies; 6+ messages in thread
From: Arnout Vandecappelle @ 2022-08-30 21:29 UTC (permalink / raw)
  To: Marcus Hoffmann, buildroot; +Cc: Davide Viti, Asaf Kahlon



On 29/08/2022 19:14, Marcus Hoffmann wrote:
> Can be found in this CVE entry for example:
> https://nvd.nist.gov/vuln/detail/CVE-2022-37434
> 
> Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>

  Applied both to master, thanks.

  I extended the commit message with the URLs into the CPE database search for 
the right and the wrong vendor.

  Regards,
  Arnout

> ---
>   package/libzlib/libzlib.mk | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
> index 933732d6ba..431c48739a 100644
> --- a/package/libzlib/libzlib.mk
> +++ b/package/libzlib/libzlib.mk
> @@ -11,7 +11,7 @@ LIBZLIB_LICENSE = Zlib
>   LIBZLIB_LICENSE_FILES = README
>   LIBZLIB_INSTALL_STAGING = YES
>   LIBZLIB_PROVIDES = zlib
> -LIBZLIB_CPE_ID_VENDOR = gnu
> +LIBZLIB_CPE_ID_VENDOR = zlib
>   LIBZLIB_CPE_ID_PRODUCT = zlib
>   
>   # It is not possible to build only a shared version of zlib, so we build both

* Re: [Buildroot] [next v2 1/2] package/python-paho-mqtt: bump to 1.6.1
  2022-08-29 17:14 ` [Buildroot] [next v2 1/2] package/python-paho-mqtt: bump to 1.6.1 Marcus Hoffmann
@ 2022-08-31 20:24   ` Yann E. MORIN
  0 siblings, 0 replies; 6+ messages in thread
From: Yann E. MORIN @ 2022-08-31 20:24 UTC (permalink / raw)
  To: Marcus Hoffmann; +Cc: Davide Viti, Asaf Kahlon, buildroot

Marcus, All,

On 2022-08-29 19:14 +0200, Marcus Hoffmann spake thusly:
> We need to switch to the github download as the sdist published to pypi
> doesn't package the epl-v20 license file isn't included there:
> 
> https://github.com/eclipse/paho.mqtt.python/pull/635
> 
> License changed to EPL-2.0 or EDLv1.0

The LICENSE.txt file read *and*, not _or_, so I fixed that in the commit
log, and in the .mk [0]

> Changelog:
> https://github.com/eclipse/paho.mqtt.python/blob/master/ChangeLog.txt
> Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
> ---
> Changes v1 -> v2:
>   - switch to github download to have license file in source tarball
>   - update license hashes
> 
>  package/python-paho-mqtt/python-paho-mqtt.hash | 10 +++++-----
>  package/python-paho-mqtt/python-paho-mqtt.mk   |  9 ++++-----
>  2 files changed, 9 insertions(+), 10 deletions(-)
> 
> diff --git a/package/python-paho-mqtt/python-paho-mqtt.hash b/package/python-paho-mqtt/python-paho-mqtt.hash
> index bf3993e919..dbf9ee89f6 100644
> --- a/package/python-paho-mqtt/python-paho-mqtt.hash
> +++ b/package/python-paho-mqtt/python-paho-mqtt.hash
> @@ -1,6 +1,6 @@
> -# md5 from https://pypi.python.org/pypi/paho-mqtt/json, sha256 locally computed
> -md5  e3ac29cd5dc247a01083a2a8f3fddd08  paho-mqtt-1.4.0.tar.gz
> -sha256  e440a052b46d222e184be3be38676378722072fcd4dfd2c8f509fb861a7b0b79  paho-mqtt-1.4.0.tar.gz
> -sha256  76f13729e84e9222e543303df00f87d1b2c0995b6a505cd859a285667e44babb  LICENSE.txt
> +# locally computed
> +md5  00c3381d7deacc7ac8b220f3b9d689c6  python-paho-mqtt-1.6.1.tar.gz

md5 is weak, we only keep one when supplied by upstream, but we do not
add locally computed ones [1], so I dropped it.

[1] https://nightly.buildroot.org/manual.html#adding-packages-hash

> +sha256	6e35c1be242a901fc9c00bad7d37b5cc4a497f398dfceb4ed0d8018a959be650  python-paho-mqtt-1.6.1.tar.gz
> +sha256	66408b049249c3bdb0ba1ed285f5422ce67e371d40151bebd4d806af454ffe7c  LICENSE.txt

Fields are supposed to be separated by two spaces, not a TAB (though
that is supported for historical reasons).

>  sha256  e8cf7d54ea46c19aba793983889b7f7425e1ebfcaaccec764a7db091646e203c  edl-v10
> -sha256  3b9be6b894d0769de796e653571ff6cef494913c0ce78c35a97db939e7d9087c  epl-v10
> +sha256	8c349f80764d0648e645f41ef23772a70c995a0924b5235f735f4a3d09df127c  epl-v20
> diff --git a/package/python-paho-mqtt/python-paho-mqtt.mk b/package/python-paho-mqtt/python-paho-mqtt.mk
> index d192749e1e..3ff5f9e57a 100644
> --- a/package/python-paho-mqtt/python-paho-mqtt.mk
> +++ b/package/python-paho-mqtt/python-paho-mqtt.mk
> @@ -4,11 +4,10 @@
>  #
>  ################################################################################
>  
> -PYTHON_PAHO_MQTT_VERSION = 1.4.0
> -PYTHON_PAHO_MQTT_SOURCE = paho-mqtt-$(PYTHON_PAHO_MQTT_VERSION).tar.gz
> -PYTHON_PAHO_MQTT_SITE = https://files.pythonhosted.org/packages/25/63/db25e62979c2a716a74950c9ed658dce431b5cb01fde29eb6cba9489a904
> -PYTHON_PAHO_MQTT_LICENSE = EPL-1.0 or EDLv1.0
> -PYTHON_PAHO_MQTT_LICENSE_FILES = LICENSE.txt edl-v10 epl-v10
> +PYTHON_PAHO_MQTT_VERSION = 1.6.1
> +PYTHON_PAHO_MQTT_SITE = $(call github,eclipse,paho.mqtt.python,v$(PYTHON_PAHO_MQTT_VERSION))
> +PYTHON_PAHO_MQTT_LICENSE = EPL-2.0 or EDLv1.0

[0] here, I changed to: EPL-2.0, EDLv1.0

Applied to next with the above fixes, thanks.

Regards,
Yann E. MORIN.

> +PYTHON_PAHO_MQTT_LICENSE_FILES = LICENSE.txt epl-v20 edl-v10
>  PYTHON_PAHO_MQTT_SETUP_TYPE = setuptools
>  
>  $(eval $(python-package))
> -- 
> 2.25.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 2/2] package/libzlib: backport security fix for CVE-2022-37434
  2022-08-29 17:14 ` [Buildroot] [PATCH 2/2] package/libzlib: backport security fix for CVE-2022-37434 Marcus Hoffmann
@ 2022-09-18  7:43   ` Peter Korsgaard
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2022-09-18  7:43 UTC (permalink / raw)
  To: Marcus Hoffmann; +Cc: Davide Viti, Asaf Kahlon, buildroot

>>>>> "Marcus" == Marcus Hoffmann <marcus.hoffmann@othermo.de> writes:

 > See: https://security-tracker.debian.org/tracker/CVE-2022-37434
 > Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
