* [Buildroot] [PATCH 1/1] package/libksba: security bump to version 1.6.2
@ 2022-11-15 16:27 Michael Fischer
2022-11-20 8:59 ` Yann E. MORIN
2022-11-23 9:46 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Michael Fischer @ 2022-11-15 16:27 UTC (permalink / raw)
To: buildroot; +Cc: Michael Fischer
A severe bug has been found in Libksba , the library used by GnuPG for parsing
the ASN.1 structures as used by S/MIME. The bug affects all versions of Libksba
before 1.6.2 and may be used for remote code execution.
Fix CVE-2022-3515
Signed-off-by: Michael Fischer <mf@go-sys.de>
---
package/libksba/libksba.hash | 2 +-
package/libksba/libksba.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/libksba/libksba.hash b/package/libksba/libksba.hash
index 422048be5f..77485c0cb6 100644
--- a/package/libksba/libksba.hash
+++ b/package/libksba/libksba.hash
@@ -1,5 +1,5 @@
# Locally calculated after checking pgp signature
-sha256 dad683e6f2d915d880aa4bed5cea9a115690b8935b78a1bbe01669189307a48b libksba-1.6.0.tar.bz2
+sha256 fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971 libksba-1.6.2.tar.bz2
# Hash for license files:
sha256 8f1b87e551d97b2b23b6d3403a5d598c63ea89824cb8ee351f631f6cab2beaa5 AUTHORS
diff --git a/package/libksba/libksba.mk b/package/libksba/libksba.mk
index ca5fc1d749..3a8b3fa502 100644
--- a/package/libksba/libksba.mk
+++ b/package/libksba/libksba.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBKSBA_VERSION = 1.6.0
+LIBKSBA_VERSION = 1.6.2
LIBKSBA_SOURCE = libksba-$(LIBKSBA_VERSION).tar.bz2
LIBKSBA_SITE = ftp://ftp.gnupg.org/gcrypt/libksba
LIBKSBA_LICENSE = LGPL-3.0+ or GPL-2.0+ (library, headers), GPL-3.0+ (manual, tests, build system)
--
2.20.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/libksba: security bump to version 1.6.2
2022-11-15 16:27 [Buildroot] [PATCH 1/1] package/libksba: security bump to version 1.6.2 Michael Fischer
@ 2022-11-20 8:59 ` Yann E. MORIN
2022-11-23 9:46 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2022-11-20 8:59 UTC (permalink / raw)
To: Michael Fischer; +Cc: buildroot
Michael, All,
On 2022-11-15 17:27 +0100, Michael Fischer spake thusly:
> A severe bug has been found in Libksba , the library used by GnuPG for parsing
> the ASN.1 structures as used by S/MIME. The bug affects all versions of Libksba
> before 1.6.2 and may be used for remote code execution.
>
> Fix CVE-2022-3515
This CVE is still marked as "RESERVED" in the CVE database:
https://www.cve.org/CVERecord?id=CVE-2022-3515
But the explanations (as you quoted) are now public:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3515
https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
https://dev.gnupg.org/T6230
Funny. :-)
> Signed-off-by: Michael Fischer <mf@go-sys.de>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/libksba/libksba.hash | 2 +-
> package/libksba/libksba.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/libksba/libksba.hash b/package/libksba/libksba.hash
> index 422048be5f..77485c0cb6 100644
> --- a/package/libksba/libksba.hash
> +++ b/package/libksba/libksba.hash
> @@ -1,5 +1,5 @@
> # Locally calculated after checking pgp signature
> -sha256 dad683e6f2d915d880aa4bed5cea9a115690b8935b78a1bbe01669189307a48b libksba-1.6.0.tar.bz2
> +sha256 fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971 libksba-1.6.2.tar.bz2
>
> # Hash for license files:
> sha256 8f1b87e551d97b2b23b6d3403a5d598c63ea89824cb8ee351f631f6cab2beaa5 AUTHORS
> diff --git a/package/libksba/libksba.mk b/package/libksba/libksba.mk
> index ca5fc1d749..3a8b3fa502 100644
> --- a/package/libksba/libksba.mk
> +++ b/package/libksba/libksba.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -LIBKSBA_VERSION = 1.6.0
> +LIBKSBA_VERSION = 1.6.2
> LIBKSBA_SOURCE = libksba-$(LIBKSBA_VERSION).tar.bz2
> LIBKSBA_SITE = ftp://ftp.gnupg.org/gcrypt/libksba
> LIBKSBA_LICENSE = LGPL-3.0+ or GPL-2.0+ (library, headers), GPL-3.0+ (manual, tests, build system)
> --
> 2.20.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/libksba: security bump to version 1.6.2
2022-11-15 16:27 [Buildroot] [PATCH 1/1] package/libksba: security bump to version 1.6.2 Michael Fischer
2022-11-20 8:59 ` Yann E. MORIN
@ 2022-11-23 9:46 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-11-23 9:46 UTC (permalink / raw)
To: Michael Fischer; +Cc: buildroot
>>>>> "Michael" == Michael Fischer <mf@go-sys.de> writes:
> A severe bug has been found in Libksba , the library used by GnuPG for parsing
> the ASN.1 structures as used by S/MIME. The bug affects all versions of Libksba
> before 1.6.2 and may be used for remote code execution.
> Fix CVE-2022-3515
> Signed-off-by: Michael Fischer <mf@go-sys.de>
Committed to 2022.08.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-23 9:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-15 16:27 [Buildroot] [PATCH 1/1] package/libksba: security bump to version 1.6.2 Michael Fischer
2022-11-20 8:59 ` Yann E. MORIN
2022-11-23 9:46 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.