* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
@ 2018-08-28 9:27 Baruch Siach
2018-08-28 11:18 ` Peter Korsgaard
2018-08-28 20:39 ` Thomas Petazzoni
0 siblings, 2 replies; 6+ messages in thread
From: Baruch Siach @ 2018-08-28 9:27 UTC (permalink / raw)
To: buildroot
Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
libsoup 2.63.2 allows attackers to have unspecified impact via an empty
hostname.
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/libsoup/libsoup.hash | 4 ++--
package/libsoup/libsoup.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/libsoup/libsoup.hash b/package/libsoup/libsoup.hash
index 6e1ff428afc0..666bbc278bf5 100644
--- a/package/libsoup/libsoup.hash
+++ b/package/libsoup/libsoup.hash
@@ -1,4 +1,4 @@
-# From http://ftp.gnome.org/pub/gnome/sources/libsoup/2.56/libsoup-2.56.1.sha256sum
-sha256 c32a46d77b4da433b51d8fd09a57a44b198e03bdc93e5219afcc687c7948eac3 libsoup-2.56.1.tar.xz
+# From https://ftp.gnome.org/pub/GNOME/sources/libsoup/2.62/libsoup-2.62.3.sha256sum
+sha256 d312ade547495c2093ff8bda61f9b9727a98cfdae339f3263277dd39c0451172 libsoup-2.62.3.tar.xz
# Locally calculated
sha256 b7993225104d90ddd8024fd838faf300bea5e83d91203eab98e29512acebd69c COPYING
diff --git a/package/libsoup/libsoup.mk b/package/libsoup/libsoup.mk
index a3ce686aa7d7..95bd68201065 100644
--- a/package/libsoup/libsoup.mk
+++ b/package/libsoup/libsoup.mk
@@ -4,8 +4,8 @@
#
################################################################################
-LIBSOUP_VERSION_MAJOR = 2.56
-LIBSOUP_VERSION = $(LIBSOUP_VERSION_MAJOR).1
+LIBSOUP_VERSION_MAJOR = 2.62
+LIBSOUP_VERSION = $(LIBSOUP_VERSION_MAJOR).3
LIBSOUP_SOURCE = libsoup-$(LIBSOUP_VERSION).tar.xz
LIBSOUP_SITE = http://ftp.gnome.org/pub/gnome/sources/libsoup/$(LIBSOUP_VERSION_MAJOR)
LIBSOUP_LICENSE = LGPL-2.0+
--
2.18.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
2018-08-28 9:27 [Buildroot] [PATCH] libsoup: security bump to version 2.62.3 Baruch Siach
@ 2018-08-28 11:18 ` Peter Korsgaard
2018-08-28 11:29 ` Baruch Siach
2018-08-28 20:39 ` Thomas Petazzoni
1 sibling, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2018-08-28 11:18 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
> libsoup 2.63.2 allows attackers to have unspecified impact via an empty
> hostname.
> Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Thanks! I started looking at this myself, but got sidetracked.
Is 2.62.x the first release containing this fix? Should we also cherry
pick this for 2018.02.x / 2018.05.x or is there a smaller patch that
could be applied instead?
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
2018-08-28 11:18 ` Peter Korsgaard
@ 2018-08-28 11:29 ` Baruch Siach
2018-08-28 12:08 ` Peter Korsgaard
0 siblings, 1 reply; 6+ messages in thread
From: Baruch Siach @ 2018-08-28 11:29 UTC (permalink / raw)
To: buildroot
Hi Peter,
Peter Korsgaard writes:
>>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
>
> > Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
> > libsoup 2.63.2 allows attackers to have unspecified impact via an empty
> > hostname.
>
> > Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>
> Thanks! I started looking at this myself, but got sidetracked.
>
> Is 2.62.x the first release containing this fix? Should we also cherry
> pick this for 2018.02.x / 2018.05.x or is there a smaller patch that
> could be applied instead?
The upstream fix from the (stable) gnome-3-28 branch is:
https://gitlab.gnome.org/GNOME/libsoup/commit/c5c41ad1d36c1efb3226a74ac8ea591419882892
You can cherry pick it to the gnome-3-22 branch that carries 2.56.x.
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
^ permalink raw reply [flat|nested] 6+ messages in thread* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
2018-08-28 11:29 ` Baruch Siach
@ 2018-08-28 12:08 ` Peter Korsgaard
2018-08-28 12:17 ` Baruch Siach
0 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2018-08-28 12:08 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Hi Peter,
> Peter Korsgaard writes:
>>>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
>>
>> > Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
>> > libsoup 2.63.2 allows attackers to have unspecified impact via an empty
>> > hostname.
>>
>> > Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>> > Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>>
>> Thanks! I started looking at this myself, but got sidetracked.
>>
>> Is 2.62.x the first release containing this fix? Should we also cherry
>> pick this for 2018.02.x / 2018.05.x or is there a smaller patch that
>> could be applied instead?
> The upstream fix from the (stable) gnome-3-28 branch is:
> https://gitlab.gnome.org/GNOME/libsoup/commit/c5c41ad1d36c1efb3226a74ac8ea591419882892
> You can cherry pick it to the gnome-3-22 branch that carries 2.56.x.
Thanks. Is that the best solution or does upgrading to 2.62.x look
"safe" for 2018.02 / 2018.05 / 2018.08?
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
2018-08-28 12:08 ` Peter Korsgaard
@ 2018-08-28 12:17 ` Baruch Siach
0 siblings, 0 replies; 6+ messages in thread
From: Baruch Siach @ 2018-08-28 12:17 UTC (permalink / raw)
To: buildroot
Hi Peter,
Peter Korsgaard writes:
>>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> > Peter Korsgaard writes:
> >>>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> >>
> >> > Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
> >> > libsoup 2.63.2 allows attackers to have unspecified impact via an empty
> >> > hostname.
> >>
> >> > Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> >> > Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> >>
> >> Thanks! I started looking at this myself, but got sidetracked.
> >>
> >> Is 2.62.x the first release containing this fix? Should we also cherry
> >> pick this for 2018.02.x / 2018.05.x or is there a smaller patch that
> >> could be applied instead?
>
> > The upstream fix from the (stable) gnome-3-28 branch is:
>
> > https://gitlab.gnome.org/GNOME/libsoup/commit/c5c41ad1d36c1efb3226a74ac8ea591419882892
>
> > You can cherry pick it to the gnome-3-22 branch that carries 2.56.x.
>
> Thanks. Is that the best solution or does upgrading to 2.62.x look
> "safe" for 2018.02 / 2018.05 / 2018.08?
Patch backport would probably be safer for master and stable. I'll post
a patch.
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
2018-08-28 9:27 [Buildroot] [PATCH] libsoup: security bump to version 2.62.3 Baruch Siach
2018-08-28 11:18 ` Peter Korsgaard
@ 2018-08-28 20:39 ` Thomas Petazzoni
1 sibling, 0 replies; 6+ messages in thread
From: Thomas Petazzoni @ 2018-08-28 20:39 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 28 Aug 2018 12:27:26 +0300, Baruch Siach wrote:
> Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
> libsoup 2.63.2 allows attackers to have unspecified impact via an empty
> hostname.
>
> Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
> package/libsoup/libsoup.hash | 4 ++--
> package/libsoup/libsoup.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
Applied to next, thanks. The security fix has been added to master, so
we will have to pay attention when merging back next into master: the
security patch will be in package/libsoup/, but it should be removed,
because it won't apply on the new version of libsoup.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-08-28 20:39 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-28 9:27 [Buildroot] [PATCH] libsoup: security bump to version 2.62.3 Baruch Siach
2018-08-28 11:18 ` Peter Korsgaard
2018-08-28 11:29 ` Baruch Siach
2018-08-28 12:08 ` Peter Korsgaard
2018-08-28 12:17 ` Baruch Siach
2018-08-28 20:39 ` Thomas Petazzoni
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.