[Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id

[Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id

[Marcus Hoffmann]

Can be found in this CVE entry for example:
https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
---
 package/libzlib/libzlib.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index 933732d6ba..431c48739a 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -11,7 +11,7 @@ LIBZLIB_LICENSE = Zlib
 LIBZLIB_LICENSE_FILES = README
 LIBZLIB_INSTALL_STAGING = YES
 LIBZLIB_PROVIDES = zlib
-LIBZLIB_CPE_ID_VENDOR = gnu
+LIBZLIB_CPE_ID_VENDOR = zlib
 LIBZLIB_CPE_ID_PRODUCT = zlib
 
 # It is not possible to build only a shared version of zlib, so we build both
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [next v2 1/2] package/python-paho-mqtt: bump to 1.6.1

[Marcus Hoffmann]

We need to switch to the github download as the sdist published to pypi
doesn't package the epl-v20 license file isn't included there:

https://github.com/eclipse/paho.mqtt.python/pull/635

License changed to EPL-2.0 or EDLv1.0

Changelog:
https://github.com/eclipse/paho.mqtt.python/blob/master/ChangeLog.txt
Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
---
Changes v1 -> v2:
  - switch to github download to have license file in source tarball
  - update license hashes

 package/python-paho-mqtt/python-paho-mqtt.hash | 10 +++++-----
 package/python-paho-mqtt/python-paho-mqtt.mk   |  9 ++++-----
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/package/python-paho-mqtt/python-paho-mqtt.hash b/package/python-paho-mqtt/python-paho-mqtt.hash
index bf3993e919..dbf9ee89f6 100644
--- a/package/python-paho-mqtt/python-paho-mqtt.hash
+++ b/package/python-paho-mqtt/python-paho-mqtt.hash
@@ -1,6 +1,6 @@
-# md5 from https://pypi.python.org/pypi/paho-mqtt/json, sha256 locally computed
-md5  e3ac29cd5dc247a01083a2a8f3fddd08  paho-mqtt-1.4.0.tar.gz
-sha256  e440a052b46d222e184be3be38676378722072fcd4dfd2c8f509fb861a7b0b79  paho-mqtt-1.4.0.tar.gz
-sha256  76f13729e84e9222e543303df00f87d1b2c0995b6a505cd859a285667e44babb  LICENSE.txt
+# locally computed
+md5  00c3381d7deacc7ac8b220f3b9d689c6  python-paho-mqtt-1.6.1.tar.gz
+sha256	6e35c1be242a901fc9c00bad7d37b5cc4a497f398dfceb4ed0d8018a959be650  python-paho-mqtt-1.6.1.tar.gz
+sha256	66408b049249c3bdb0ba1ed285f5422ce67e371d40151bebd4d806af454ffe7c  LICENSE.txt
 sha256  e8cf7d54ea46c19aba793983889b7f7425e1ebfcaaccec764a7db091646e203c  edl-v10
-sha256  3b9be6b894d0769de796e653571ff6cef494913c0ce78c35a97db939e7d9087c  epl-v10
+sha256	8c349f80764d0648e645f41ef23772a70c995a0924b5235f735f4a3d09df127c  epl-v20
diff --git a/package/python-paho-mqtt/python-paho-mqtt.mk b/package/python-paho-mqtt/python-paho-mqtt.mk
index d192749e1e..3ff5f9e57a 100644
--- a/package/python-paho-mqtt/python-paho-mqtt.mk
+++ b/package/python-paho-mqtt/python-paho-mqtt.mk
@@ -4,11 +4,10 @@
 #
 ################################################################################
 
-PYTHON_PAHO_MQTT_VERSION = 1.4.0
-PYTHON_PAHO_MQTT_SOURCE = paho-mqtt-$(PYTHON_PAHO_MQTT_VERSION).tar.gz
-PYTHON_PAHO_MQTT_SITE = https://files.pythonhosted.org/packages/25/63/db25e62979c2a716a74950c9ed658dce431b5cb01fde29eb6cba9489a904
-PYTHON_PAHO_MQTT_LICENSE = EPL-1.0 or EDLv1.0
-PYTHON_PAHO_MQTT_LICENSE_FILES = LICENSE.txt edl-v10 epl-v10
+PYTHON_PAHO_MQTT_VERSION = 1.6.1
+PYTHON_PAHO_MQTT_SITE = $(call github,eclipse,paho.mqtt.python,v$(PYTHON_PAHO_MQTT_VERSION))
+PYTHON_PAHO_MQTT_LICENSE = EPL-2.0 or EDLv1.0
+PYTHON_PAHO_MQTT_LICENSE_FILES = LICENSE.txt epl-v20 edl-v10
 PYTHON_PAHO_MQTT_SETUP_TYPE = setuptools
 
 $(eval $(python-package))
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/2] package/libzlib: backport security fix for CVE-2022-37434

[Marcus Hoffmann]

See: https://security-tracker.debian.org/tracker/CVE-2022-37434
Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
---
 package/libzlib/0002-fix-CVE-2022-37434.patch | 35 +++++++++++++++++++
 .../0003-fix-CVE-2022-37434-regression.patch  | 32 +++++++++++++++++
 package/libzlib/libzlib.mk                    |  3 ++
 3 files changed, 70 insertions(+)
 create mode 100644 package/libzlib/0002-fix-CVE-2022-37434.patch
 create mode 100644 package/libzlib/0003-fix-CVE-2022-37434-regression.patch

diff --git a/package/libzlib/0002-fix-CVE-2022-37434.patch b/package/libzlib/0002-fix-CVE-2022-37434.patch
new file mode 100644
index 0000000000..a61be48536
--- /dev/null
+++ b/package/libzlib/0002-fix-CVE-2022-37434.patch
@@ -0,0 +1,35 @@
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Sat, 30 Jul 2022 15:51:11 -0700
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+Backported from: eff308af425b67093bab25f80f1ae950166bece1
+Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7be8c6366..7a7289749 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
++                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
++                        len < state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
diff --git a/package/libzlib/0003-fix-CVE-2022-37434-regression.patch b/package/libzlib/0003-fix-CVE-2022-37434-regression.patch
new file mode 100644
index 0000000000..46a58710d2
--- /dev/null
+++ b/package/libzlib/0003-fix-CVE-2022-37434-regression.patch
@@ -0,0 +1,32 @@
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+
+Backported from: 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
+Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a7289749..2a3c4fe98 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
+-                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+                         state->head->extra != Z_NULL &&
+-                        len < state->head->extra_max) {
++                        (len = state->head->extra_len - state->length) <
++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index 431c48739a..f75502326b 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -14,6 +14,9 @@ LIBZLIB_PROVIDES = zlib
 LIBZLIB_CPE_ID_VENDOR = zlib
 LIBZLIB_CPE_ID_PRODUCT = zlib
 
+# 0002-fix-CVE-2022-37434.patch
+LIBZLIB_IGNORE_CVES = CVE-2022-37434
+
 # It is not possible to build only a shared version of zlib, so we build both
 # shared and static, unless we only want the static libs, and we eventually
 # selectively remove what we do not want
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id

[Arnout Vandecappelle]

On 29/08/2022 19:14, Marcus Hoffmann wrote:
> Can be found in this CVE entry for example:
> https://nvd.nist.gov/vuln/detail/CVE-2022-37434
> 
> Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>

  Applied both to master, thanks.

  I extended the commit message with the URLs into the CPE database search for 
the right and the wrong vendor.

  Regards,
  Arnout

> ---
>   package/libzlib/libzlib.mk | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
> index 933732d6ba..431c48739a 100644
> --- a/package/libzlib/libzlib.mk
> +++ b/package/libzlib/libzlib.mk
> @@ -11,7 +11,7 @@ LIBZLIB_LICENSE = Zlib
>   LIBZLIB_LICENSE_FILES = README
>   LIBZLIB_INSTALL_STAGING = YES
>   LIBZLIB_PROVIDES = zlib
> -LIBZLIB_CPE_ID_VENDOR = gnu
> +LIBZLIB_CPE_ID_VENDOR = zlib
>   LIBZLIB_CPE_ID_PRODUCT = zlib
>   
>   # It is not possible to build only a shared version of zlib, so we build both
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [next v2 1/2] package/python-paho-mqtt: bump to 1.6.1

[Yann E. MORIN]

Marcus, All,

On 2022-08-29 19:14 +0200, Marcus Hoffmann spake thusly:
> We need to switch to the github download as the sdist published to pypi
> doesn't package the epl-v20 license file isn't included there:
> 
> https://github.com/eclipse/paho.mqtt.python/pull/635
> 
> License changed to EPL-2.0 or EDLv1.0

The LICENSE.txt file read *and*, not _or_, so I fixed that in the commit
log, and in the .mk [0]

> Changelog:
> https://github.com/eclipse/paho.mqtt.python/blob/master/ChangeLog.txt
> Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
> ---
> Changes v1 -> v2:
>   - switch to github download to have license file in source tarball
>   - update license hashes
> 
>  package/python-paho-mqtt/python-paho-mqtt.hash | 10 +++++-----
>  package/python-paho-mqtt/python-paho-mqtt.mk   |  9 ++++-----
>  2 files changed, 9 insertions(+), 10 deletions(-)
> 
> diff --git a/package/python-paho-mqtt/python-paho-mqtt.hash b/package/python-paho-mqtt/python-paho-mqtt.hash
> index bf3993e919..dbf9ee89f6 100644
> --- a/package/python-paho-mqtt/python-paho-mqtt.hash
> +++ b/package/python-paho-mqtt/python-paho-mqtt.hash
> @@ -1,6 +1,6 @@
> -# md5 from https://pypi.python.org/pypi/paho-mqtt/json, sha256 locally computed
> -md5  e3ac29cd5dc247a01083a2a8f3fddd08  paho-mqtt-1.4.0.tar.gz
> -sha256  e440a052b46d222e184be3be38676378722072fcd4dfd2c8f509fb861a7b0b79  paho-mqtt-1.4.0.tar.gz
> -sha256  76f13729e84e9222e543303df00f87d1b2c0995b6a505cd859a285667e44babb  LICENSE.txt
> +# locally computed
> +md5  00c3381d7deacc7ac8b220f3b9d689c6  python-paho-mqtt-1.6.1.tar.gz

md5 is weak, we only keep one when supplied by upstream, but we do not
add locally computed ones [1], so I dropped it.

[1] https://nightly.buildroot.org/manual.html#adding-packages-hash

> +sha256	6e35c1be242a901fc9c00bad7d37b5cc4a497f398dfceb4ed0d8018a959be650  python-paho-mqtt-1.6.1.tar.gz
> +sha256	66408b049249c3bdb0ba1ed285f5422ce67e371d40151bebd4d806af454ffe7c  LICENSE.txt

Fields are supposed to be separated by two spaces, not a TAB (though
that is supported for historical reasons).

>  sha256  e8cf7d54ea46c19aba793983889b7f7425e1ebfcaaccec764a7db091646e203c  edl-v10
> -sha256  3b9be6b894d0769de796e653571ff6cef494913c0ce78c35a97db939e7d9087c  epl-v10
> +sha256	8c349f80764d0648e645f41ef23772a70c995a0924b5235f735f4a3d09df127c  epl-v20
> diff --git a/package/python-paho-mqtt/python-paho-mqtt.mk b/package/python-paho-mqtt/python-paho-mqtt.mk
> index d192749e1e..3ff5f9e57a 100644
> --- a/package/python-paho-mqtt/python-paho-mqtt.mk
> +++ b/package/python-paho-mqtt/python-paho-mqtt.mk
> @@ -4,11 +4,10 @@
>  #
>  ################################################################################
>  
> -PYTHON_PAHO_MQTT_VERSION = 1.4.0
> -PYTHON_PAHO_MQTT_SOURCE = paho-mqtt-$(PYTHON_PAHO_MQTT_VERSION).tar.gz
> -PYTHON_PAHO_MQTT_SITE = https://files.pythonhosted.org/packages/25/63/db25e62979c2a716a74950c9ed658dce431b5cb01fde29eb6cba9489a904
> -PYTHON_PAHO_MQTT_LICENSE = EPL-1.0 or EDLv1.0
> -PYTHON_PAHO_MQTT_LICENSE_FILES = LICENSE.txt edl-v10 epl-v10
> +PYTHON_PAHO_MQTT_VERSION = 1.6.1
> +PYTHON_PAHO_MQTT_SITE = $(call github,eclipse,paho.mqtt.python,v$(PYTHON_PAHO_MQTT_VERSION))
> +PYTHON_PAHO_MQTT_LICENSE = EPL-2.0 or EDLv1.0

[0] here, I changed to: EPL-2.0, EDLv1.0

Applied to next with the above fixes, thanks.

Regards,
Yann E. MORIN.

> +PYTHON_PAHO_MQTT_LICENSE_FILES = LICENSE.txt epl-v20 edl-v10
>  PYTHON_PAHO_MQTT_SETUP_TYPE = setuptools
>  
>  $(eval $(python-package))
> -- 
> 2.25.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/2] package/libzlib: backport security fix for CVE-2022-37434

[Peter Korsgaard]

>>>>> "Marcus" == Marcus Hoffmann <marcus.hoffmann@othermo.de> writes:

 > See: https://security-tracker.debian.org/tracker/CVE-2022-37434
 > Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id

[Peter Korsgaard]

>>>>> "Marcus" == Marcus Hoffmann <marcus.hoffmann@othermo.de> writes:

 > Can be found in this CVE entry for example:
 > https://nvd.nist.gov/vuln/detail/CVE-2022-37434

 > Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 1/2] package/libzlib: fix CPE vendor id

[Marcus Hoffmann]

Can be found in this CVE entry for example:
https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
---
 package/libzlib/libzlib.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index 933732d6ba..431c48739a 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -11,7 +11,7 @@ LIBZLIB_LICENSE = Zlib
 LIBZLIB_LICENSE_FILES = README
 LIBZLIB_INSTALL_STAGING = YES
 LIBZLIB_PROVIDES = zlib
-LIBZLIB_CPE_ID_VENDOR = gnu
+LIBZLIB_CPE_ID_VENDOR = zlib
 LIBZLIB_CPE_ID_PRODUCT = zlib
 
 # It is not possible to build only a shared version of zlib, so we build both
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot