* [Buildroot] [PATCH] faad2: security bump to version 2.8.1
@ 2017-08-09 5:02 Baruch Siach
2017-08-09 12:42 ` Arnout Vandecappelle
2017-09-05 21:33 ` Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Baruch Siach @ 2017-08-09 5:02 UTC (permalink / raw)
To: buildroot
Fixes: CVE-2017-9218, CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
CVE-2017-9222, CVE-2017-9223, CVE-2017-9253, CVE-2017-9254,
CVE-2017-9255, CVE-2017-9256, CVE-2017-9257
http://seclists.org/fulldisclosure/2017/Jun/32
Switch to .tar.bz2 to save some bandwidth.
Add autoreconf since unfortunately the upstream tarball does not ship the
configure script.
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/faad2/faad2.hash | 6 +++---
package/faad2/faad2.mk | 8 ++++++--
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/package/faad2/faad2.hash b/package/faad2/faad2.hash
index 691645b7c07e..d298e909a97c 100644
--- a/package/faad2/faad2.hash
+++ b/package/faad2/faad2.hash
@@ -1,4 +1,4 @@
-# From http://sourceforge.net/projects/faac/files/faad2-src/faad2-2.7/ (used by upstream):
-sha1 80eaaa5cc576c35dd28863767b795c50cbcc0511 faad2-2.7.tar.gz
+# From http://sourceforge.net/projects/faac/files/faad2-src/faad2-2.8.0/ (used by upstream):
+sha1 a5caa71cd915acd502d96cba56f38296277f2350 faad2-2.8.1.tar.bz2
# Locally computed
-sha256 ee26ed1e177c0cd8fa8458a481b14a0b24ca0b51468c8b4c8b676fd3ceccd330 faad2-2.7.tar.gz
+sha256 f4042496f6b0a60f5ded6acd11093230044ef8a2fd965360c1bbd5b58780933d faad2-2.8.1.tar.bz2
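Review bot: The directory named in the sha1 comment (faad2-2.8.0/) does not match the file it describes (faad2-2.8.1.tar.bz2); since the FAAD2_SITE change in faad2.mk shows that upstream really does host the 2.8.1 tarball under the 2.8.0 directory, say so in the comment so the next person to bump the package does not "correct" it. Note also that the sha1 is the only digest marked "(used by upstream)" while the sha256 is "Locally computed", so the sha256 is only as good as the download it was taken from; a line in the commit message stating that the tarball was checked against the upstream sha1 before the sha256 was computed would make that chain explicit.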
diff --git a/package/faad2/faad2.mk b/package/faad2/faad2.mk
index d7b55d3efaef..fa965fe5909c 100644
--- a/package/faad2/faad2.mk
+++ b/package/faad2/faad2.mk
@@ -4,10 +4,14 @@
#
################################################################################
-FAAD2_VERSION = 2.7
-FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION)
+FAAD2_VERSION_MAJOR = 2.8
+FAAD2_VERSION = $(FAAD2_VERSION_MAJOR).1
+FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION_MAJOR).0
+FAAD2_SOURCE = faad2-$(FAAD2_VERSION).tar.bz2
FAAD2_LICENSE = GPL-2.0
FAAD2_LICENSE_FILES = COPYING
+# No configure script in upstream tarball
+FAAD2_AUTORECONF = YES
# frontend/faad calls frexp()
FAAD2_CONF_ENV = LIBS=-lm
FAAD2_INSTALL_STAGING = YES
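Review bot: FAAD2_VERSION_MAJOR is a misleading name for "2.8", which is the minor version, and the literal ".0" appended in FAAD2_SITE encodes the quirk that upstream keeps the 2.8.1 tarball in the faad2-2.8.0 directory without explaining it. Add a one-line comment above FAAD2_SITE, for example `# upstream hosts the 2.8.1 tarball under the faad2-2.8.0 directory`, and consider a name such as FAAD2_VERSION_BASE, so that a future bump to 2.8.2 or 2.9.0 does not silently point at a stale directory. The sha256 in faad2.hash will still catch a mis-pointed download, but only as a fetch failure after the fact.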
--
2.13.2
* [Buildroot] [PATCH] faad2: security bump to version 2.8.1
From: Arnout Vandecappelle @ 2017-08-09 12:42 UTC (permalink / raw)
To: buildroot
Hi Baruch,
On 09-08-17 07:02, Baruch Siach wrote:
> Fixes: CVE-2017-9218, CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
> CVE-2017-9222, CVE-2017-9223, CVE-2017-9253, CVE-2017-9254,
> CVE-2017-9255, CVE-2017-9256, CVE-2017-9257
>
> http://seclists.org/fulldisclosure/2017/Jun/32
[snip]
> -FAAD2_VERSION = 2.7
> -FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION)
> +FAAD2_VERSION_MAJOR = 2.8
> +FAAD2_VERSION = $(FAAD2_VERSION_MAJOR).1
Hm, "security bumps" are typically only affecting the minor version number,
this smells like a major bump... Or does faad have a slightly unconventional
version numbering scheme?
> +FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION_MAJOR).0
> +FAAD2_SOURCE = faad2-$(FAAD2_VERSION).tar.bz2
Gah, what kind of stupid download URL is that :-)
Regards,
Arnout
> FAAD2_LICENSE = GPL-2.0
> FAAD2_LICENSE_FILES = COPYING
> +# No configure script in upstream tarball
> +FAAD2_AUTORECONF = YES
> # frontend/faad calls frexp()
> FAAD2_CONF_ENV = LIBS=-lm
> FAAD2_INSTALL_STAGING = YES
>
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
* [Buildroot] [PATCH] faad2: security bump to version 2.8.1
From: Baruch Siach @ 2017-08-09 15:16 UTC (permalink / raw)
To: buildroot
Hi Arnout,
On Wed, Aug 09, 2017 at 02:42:36PM +0200, Arnout Vandecappelle wrote:
> On 09-08-17 07:02, Baruch Siach wrote:
> > Fixes: CVE-2017-9218, CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
> > CVE-2017-9222, CVE-2017-9223, CVE-2017-9253, CVE-2017-9254,
> > CVE-2017-9255, CVE-2017-9256, CVE-2017-9257
> >
> > http://seclists.org/fulldisclosure/2017/Jun/32
> [snip]
> > -FAAD2_VERSION = 2.7
> > -FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION)
> > +FAAD2_VERSION_MAJOR = 2.8
> > +FAAD2_VERSION = $(FAAD2_VERSION_MAJOR).1
>
> Hm, "security bumps" are typically only affecting the minor version number,
> this smells like a major bump... Or does faad have a slightly unconventional
> version numbering scheme?
It's only called _MAJOR here because I reuse that in the URL, in line with the
DRY principle.
Although version 2.8.0 (followed by 2.8.1 a week later) is the first release
since February 2009, it does not contain a lot of code changes. I guess that
the disclosed security issues were the main motivation of the release at this
point.
> > +FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION_MAJOR).0
> > +FAAD2_SOURCE = faad2-$(FAAD2_VERSION).tar.bz2
>
> Gah, what kind of stupid download URL is that :-)
Well, that's upstream.
> > FAAD2_LICENSE = GPL-2.0
> > FAAD2_LICENSE_FILES = COPYING
> > +# No configure script in upstream tarball
> > +FAAD2_AUTORECONF = YES
> > # frontend/faad calls frexp()
> > FAAD2_CONF_ENV = LIBS=-lm
> > FAAD2_INSTALL_STAGING = YES
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* [Buildroot] [PATCH] faad2: security bump to version 2.8.1
From: Arnout Vandecappelle @ 2017-08-09 21:12 UTC (permalink / raw)
To: buildroot
On 09-08-17 17:16, Baruch Siach wrote:
> Hi Arnout,
>
> On Wed, Aug 09, 2017 at 02:42:36PM +0200, Arnout Vandecappelle wrote:
>> On 09-08-17 07:02, Baruch Siach wrote:
>>> Fixes: CVE-2017-9218, CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
>>> CVE-2017-9222, CVE-2017-9223, CVE-2017-9253, CVE-2017-9254,
>>> CVE-2017-9255, CVE-2017-9256, CVE-2017-9257
>>>
>>> http://seclists.org/fulldisclosure/2017/Jun/32
>> [snip]
>>> -FAAD2_VERSION = 2.7
>>> -FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION)
>>> +FAAD2_VERSION_MAJOR = 2.8
>>> +FAAD2_VERSION = $(FAAD2_VERSION_MAJOR).1
>>
>> Hm, "security bumps" are typically only affecting the minor version number,
>> this smells like a major bump... Or does faad have a slightly unconventional
>> version numbering scheme?
>
> It's only called _MAJOR here because I reuse that in the URL, in line with the
> DRY principle.
>
> Although version 2.8.0 (followed by 2.8.1 a week later) is the first release
> since February 2009, it does not contain a lot of code changes. I guess that
> the disclosed security issues were the main motivation of the release at this
> point.
OK, applied to master, thanks.
Regards,
Arnout
>
>>> +FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION_MAJOR).0
>>> +FAAD2_SOURCE = faad2-$(FAAD2_VERSION).tar.bz2
>>
>> Gah, what kind of stupid download URL is that :-)
>
> Well, that's upstream.
>
>>> FAAD2_LICENSE = GPL-2.0
>>> FAAD2_LICENSE_FILES = COPYING
>>> +# No configure script in upstream tarball
>>> +FAAD2_AUTORECONF = YES
>>> # frontend/faad calls frexp()
>>> FAAD2_CONF_ENV = LIBS=-lm
>>> FAAD2_INSTALL_STAGING = YES
>
> baruch
>
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
* [Buildroot] [PATCH] faad2: security bump to version 2.8.1
From: Peter Korsgaard @ 2017-09-05 21:33 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Fixes: CVE-2017-9218, CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
> CVE-2017-9222, CVE-2017-9223, CVE-2017-9253, CVE-2017-9254,
> CVE-2017-9255, CVE-2017-9256, CVE-2017-9257
> http://seclists.org/fulldisclosure/2017/Jun/32
> Switch to .tar.bz2 to save some bandwidth.
> Add autoreconf since unfortunately the upstream tarball does not ship the
> configure script.
> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard