* [Buildroot] [PATCH] package/file: security bump to version 5.36
@ 2019-03-12 12:12 Baruch Siach
  2019-03-12 15:20 ` Peter Korsgaard
  2019-03-25 16:36 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Baruch Siach @ 2019-03-12 12:12 UTC (permalink / raw)
  To: buildroot

CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has
an out-of-bounds read because memcpy is misused.

CVE-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has a
stack-based buffer over-read, related to file_printf and file_vprintf.

Update license files hashes; removal of trailing white spaces.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 package/file/file.hash | 12 +++++++-----
 package/file/file.mk   |  2 +-
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/package/file/file.hash b/package/file/file.hash
index c279dff6e160..7948e856ee9c 100644
--- a/package/file/file.hash
+++ b/package/file/file.hash
@@ -1,5 +1,7 @@
-# Locally calculated
-sha256 f15a50dbbfa83fec0bd1161e8e191b092ec832720e30cd14536e044ac623b20a  file-5.34.tar.gz
-sha256 3c0ad13c36f891a9b4f951e59eb2fc108065a46f849697cc6fd3cdb41cc23a3d  COPYING
-sha256 d98ee4d8d95e7d021a5dfc41f137ecc3b624a7b98e8bd793130202d12a21ed57  src/mygetopt.h
-sha256 85e358d575ad4ac5b38b623a25b24246ccff3c7e680d930c0a9ff5228fe434b6  src/vasprintf.c
+# Locally calculated after verifying signature
+# ftp://ftp.astron.com/pub/file/file-5.36.tar.gz.asc
+# using key BE04995BA8F90ED0C0C176C471112AB16CB33B3A
+sha256 fb608290c0fd2405a8f63e5717abf6d03e22e183fb21884413d1edd918184379  file-5.36.tar.gz
+sha256 0bfa856a9930bddadbef95d1be1cf4e163c0be618e76ea3275caaf255283e274  COPYING
+sha256 4ccb60d623884ef637af4a5bc16b2cb350163e2135e967655837336019a64462  src/mygetopt.h
+sha256 7ac061e1a1c840c4dfa0573aec6f3497676c9295b5ec4190d3576646eb1646bf  src/vasprintf.c
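
Review bot: the new header comment at the top of file.hash reads as if all four hashes were checked against the signature, but file-5.36.tar.gz.asc only covers the tarball. The COPYING, src/mygetopt.h and src/vasprintf.c hashes are still just locally calculated, so a separate "# Locally calculated" line above those three entries would keep the provenance of each hash clear. All three license hashes change here; the commit message attributes that to trailing white space removal, and it would help to state that the license text itself was checked to be unchanged.
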
diff --git a/package/file/file.mk b/package/file/file.mk
index b5b12978bc49..1a835015a779 100644
--- a/package/file/file.mk
+++ b/package/file/file.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-FILE_VERSION = 5.34
+FILE_VERSION = 5.36
 FILE_SITE = ftp://ftp.astron.com/pub/file
 FILE_DEPENDENCIES = host-file zlib
 HOST_FILE_DEPENDENCIES = host-zlib
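
Review bot: FILE_VERSION moves from 5.34 to 5.36, yet both CVE descriptions in the commit message name file 5.35 as the affected release. The message should say whether 5.34, the version actually being replaced, is affected by CVE-2019-8906 and CVE-2019-8904, since that decides whether this is a security fix for the branches carrying 5.34 or only a version bump for them.
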
-- 
2.20.1


* [Buildroot] [PATCH] package/file: security bump to version 5.36
  2019-03-12 12:12 [Buildroot] [PATCH] package/file: security bump to version 5.36 Baruch Siach
@ 2019-03-12 15:20 ` Peter Korsgaard
  2019-03-25 16:36 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-03-12 15:20 UTC (permalink / raw)
  To: buildroot

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has
 > an out-of-bounds read because memcpy is misused.

 > CVE-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has a
 > stack-based buffer over-read, related to file_printf and file_vprintf.

 > Update license files hashes; removal of trailing white spaces.

 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH] package/file: security bump to version 5.36
  2019-03-12 12:12 [Buildroot] [PATCH] package/file: security bump to version 5.36 Baruch Siach
  2019-03-12 15:20 ` Peter Korsgaard
@ 2019-03-25 16:36 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-03-25 16:36 UTC (permalink / raw)
  To: buildroot

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has
 > an out-of-bounds read because memcpy is misused.

 > CVE-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has a
 > stack-based buffer over-read, related to file_printf and file_vprintf.

 > Update license files hashes; removal of trailing white spaces.

 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed to 2018.02.x, 2018.11.x and 2019.02.x, thanks.

-- 
Bye, Peter Korsgaard
