All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
@ 2018-08-28  9:27 Baruch Siach
  2018-08-28 11:18 ` Peter Korsgaard
  2018-08-28 20:39 ` Thomas Petazzoni
  0 siblings, 2 replies; 6+ messages in thread
From: Baruch Siach @ 2018-08-28  9:27 UTC (permalink / raw)
  To: buildroot

Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
libsoup 2.63.2 allows attackers to have unspecified impact via an empty
hostname.

Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 package/libsoup/libsoup.hash | 4 ++--
 package/libsoup/libsoup.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/libsoup/libsoup.hash b/package/libsoup/libsoup.hash
index 6e1ff428afc0..666bbc278bf5 100644
--- a/package/libsoup/libsoup.hash
+++ b/package/libsoup/libsoup.hash
@@ -1,4 +1,4 @@
-# From http://ftp.gnome.org/pub/gnome/sources/libsoup/2.56/libsoup-2.56.1.sha256sum
-sha256	c32a46d77b4da433b51d8fd09a57a44b198e03bdc93e5219afcc687c7948eac3  libsoup-2.56.1.tar.xz
+# From https://ftp.gnome.org/pub/GNOME/sources/libsoup/2.62/libsoup-2.62.3.sha256sum
+sha256	d312ade547495c2093ff8bda61f9b9727a98cfdae339f3263277dd39c0451172  libsoup-2.62.3.tar.xz
 # Locally calculated
 sha256  b7993225104d90ddd8024fd838faf300bea5e83d91203eab98e29512acebd69c  COPYING
diff --git a/package/libsoup/libsoup.mk b/package/libsoup/libsoup.mk
index a3ce686aa7d7..95bd68201065 100644
--- a/package/libsoup/libsoup.mk
+++ b/package/libsoup/libsoup.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-LIBSOUP_VERSION_MAJOR = 2.56
-LIBSOUP_VERSION = $(LIBSOUP_VERSION_MAJOR).1
+LIBSOUP_VERSION_MAJOR = 2.62
+LIBSOUP_VERSION = $(LIBSOUP_VERSION_MAJOR).3
 LIBSOUP_SOURCE = libsoup-$(LIBSOUP_VERSION).tar.xz
 LIBSOUP_SITE = http://ftp.gnome.org/pub/gnome/sources/libsoup/$(LIBSOUP_VERSION_MAJOR)
 LIBSOUP_LICENSE = LGPL-2.0+
-- 
2.18.0

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
  2018-08-28  9:27 [Buildroot] [PATCH] libsoup: security bump to version 2.62.3 Baruch Siach
@ 2018-08-28 11:18 ` Peter Korsgaard
  2018-08-28 11:29   ` Baruch Siach
  2018-08-28 20:39 ` Thomas Petazzoni
  1 sibling, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2018-08-28 11:18 UTC (permalink / raw)
  To: buildroot

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
 > libsoup 2.63.2 allows attackers to have unspecified impact via an empty
 > hostname.

 > Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Thanks! I started looking at this myself, but got sidetracked.

Is 2.62.x the first release containing this fix? Should we also cherry
pick this for 2018.02.x / 2018.05.x or is there a smaller patch that
could be applied instead?

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
  2018-08-28 11:18 ` Peter Korsgaard
@ 2018-08-28 11:29   ` Baruch Siach
  2018-08-28 12:08     ` Peter Korsgaard
  0 siblings, 1 reply; 6+ messages in thread
From: Baruch Siach @ 2018-08-28 11:29 UTC (permalink / raw)
  To: buildroot

Hi Peter,

Peter Korsgaard writes:

>>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
>
>  > Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
>  > libsoup 2.63.2 allows attackers to have unspecified impact via an empty
>  > hostname.
>
>  > Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>  > Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>
> Thanks! I started looking at this myself, but got sidetracked.
>
> Is 2.62.x the first release containing this fix? Should we also cherry
> pick this for 2018.02.x / 2018.05.x or is there a smaller patch that
> could be applied instead?

The upstream fix from the (stable) gnome-3-28 branch is:

  https://gitlab.gnome.org/GNOME/libsoup/commit/c5c41ad1d36c1efb3226a74ac8ea591419882892

You can cherry pick it to the gnome-3-22 branch that carries 2.56.x.

baruch

--
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
  2018-08-28 11:29   ` Baruch Siach
@ 2018-08-28 12:08     ` Peter Korsgaard
  2018-08-28 12:17       ` Baruch Siach
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2018-08-28 12:08 UTC (permalink / raw)
  To: buildroot

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > Hi Peter,
 > Peter Korsgaard writes:

 >>>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
 >> 
 >> > Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
 >> > libsoup 2.63.2 allows attackers to have unspecified impact via an empty
 >> > hostname.
 >> 
 >> > Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 >> > Signed-off-by: Baruch Siach <baruch@tkos.co.il>
 >> 
 >> Thanks! I started looking at this myself, but got sidetracked.
 >> 
 >> Is 2.62.x the first release containing this fix? Should we also cherry
 >> pick this for 2018.02.x / 2018.05.x or is there a smaller patch that
 >> could be applied instead?

 > The upstream fix from the (stable) gnome-3-28 branch is:

 >   https://gitlab.gnome.org/GNOME/libsoup/commit/c5c41ad1d36c1efb3226a74ac8ea591419882892

 > You can cherry pick it to the gnome-3-22 branch that carries 2.56.x.

Thanks. Is that the best solution or does upgrading to 2.62.x look
"safe" for 2018.02 / 2018.05 / 2018.08?

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
  2018-08-28 12:08     ` Peter Korsgaard
@ 2018-08-28 12:17       ` Baruch Siach
  0 siblings, 0 replies; 6+ messages in thread
From: Baruch Siach @ 2018-08-28 12:17 UTC (permalink / raw)
  To: buildroot

Hi Peter,

Peter Korsgaard writes:
>>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
>  > Peter Korsgaard writes:
>  >>>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
>  >>
>  >> > Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
>  >> > libsoup 2.63.2 allows attackers to have unspecified impact via an empty
>  >> > hostname.
>  >>
>  >> > Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>  >> > Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>  >>
>  >> Thanks! I started looking at this myself, but got sidetracked.
>  >>
>  >> Is 2.62.x the first release containing this fix? Should we also cherry
>  >> pick this for 2018.02.x / 2018.05.x or is there a smaller patch that
>  >> could be applied instead?
>
>  > The upstream fix from the (stable) gnome-3-28 branch is:
>
>  >   https://gitlab.gnome.org/GNOME/libsoup/commit/c5c41ad1d36c1efb3226a74ac8ea591419882892
>
>  > You can cherry pick it to the gnome-3-22 branch that carries 2.56.x.
>
> Thanks. Is that the best solution or does upgrading to 2.62.x look
> "safe" for 2018.02 / 2018.05 / 2018.08?

Patch backport would probably be safer for master and stable. I'll post
a patch.

baruch

--
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] libsoup: security bump to version 2.62.3
  2018-08-28  9:27 [Buildroot] [PATCH] libsoup: security bump to version 2.62.3 Baruch Siach
  2018-08-28 11:18 ` Peter Korsgaard
@ 2018-08-28 20:39 ` Thomas Petazzoni
  1 sibling, 0 replies; 6+ messages in thread
From: Thomas Petazzoni @ 2018-08-28 20:39 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue, 28 Aug 2018 12:27:26 +0300, Baruch Siach wrote:
> Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
> libsoup 2.63.2 allows attackers to have unspecified impact via an empty
> hostname.
> 
> Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
>  package/libsoup/libsoup.hash | 4 ++--
>  package/libsoup/libsoup.mk   | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)

Applied to next, thanks. The security fix has been added to master, so
we will have to pay attention when merging back next into master: the
security patch will be in package/libsoup/, but it should be removed,
because it won't apply on the new version of libsoup.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-08-28 20:39 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-28  9:27 [Buildroot] [PATCH] libsoup: security bump to version 2.62.3 Baruch Siach
2018-08-28 11:18 ` Peter Korsgaard
2018-08-28 11:29   ` Baruch Siach
2018-08-28 12:08     ` Peter Korsgaard
2018-08-28 12:17       ` Baruch Siach
2018-08-28 20:39 ` Thomas Petazzoni

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.