[
  {
    "id": 1765178,
    "web_url": "http://patchwork.ozlabs.org/comment/1765178/",
    "msgid": "<878thpa6st.fsf@dell.be.48ers.dk>",
    "list_archive_url": null,
    "date": "2017-09-08T09:17:06",
    "subject": "Re: [Buildroot] [PATCH] libzip: security bump to version 1.3.0",
    "submitter": {"id": 42365, "url": "http://patchwork.ozlabs.org/api/people/42365/", "name": "Peter Korsgaard", "email": "peter@korsgaard.com"},
    "content": ">>>>> \"Peter\" == Peter Korsgaard <peter@korsgaard.com> writes:\n\n > Fixes the following security issues:\n > CVE-2017-12858: Double free vulnerability in the _zip_dirent_read function\n > in zip_dirent.c in libzip allows attackers to have unspecified impact via\n > unknown vectors.\n\n > CVE-2017-14107: The _zip_read_eocd64 function in zip_open.c in libzip before\n > 1.3.0 mishandles EOCD records, which allows remote attackers to cause a\n > denial of service (memory allocation failure in _zip_cdir_grow in\n > zip_dirent.c) via a crafted ZIP archive.\n\n > For more details, see\n > https://blogs.gentoo.org/ago/2017/09/01/libzip-use-after-free-in-_zip_buffer_free-zip_buffer-c/\n > https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/\n\n > libzip-1.3.0 also adds optional bzip2 support, so handle that.\n\n > While we're at it, add a hash for the license file.\n\n > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>\n\nCommitted, thanks.",
    "headers": {
      "Return-Path": "<buildroot-bounces@busybox.net>",
      "X-Original-To": ["incoming@patchwork.ozlabs.org", "buildroot@lists.busybox.net"],
      "Delivered-To": ["patchwork-incoming@bilbo.ozlabs.org", "buildroot@osuosl.org"],
      "Authentication-Results": ["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=busybox.net\n\t(client-ip=140.211.166.133; helo=hemlock.osuosl.org;\n\tenvelope-from=buildroot-bounces@busybox.net;\n\treceiver=<UNKNOWN>)", "ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"dBELtL3n\"; dkim-atps=neutral"],
      "X-Virus-Scanned": ["amavisd-new at osuosl.org", "amavisd-new at osuosl.org"],
      "X-Greylist": "domain auto-whitelisted by SQLgrey-1.7.6",
      "From": "Peter Korsgaard <peter@korsgaard.com>",
      "To": "buildroot@buildroot.org",
      "References": "<20170907212133.10036-1-peter@korsgaard.com>",
      "Date": "Fri, 08 Sep 2017 11:17:06 +0200",
      "In-Reply-To": "<20170907212133.10036-1-peter@korsgaard.com> (Peter Korsgaard's\n\tmessage of \"Thu, 7 Sep 2017 23:21:33 +0200\")",
      "Message-ID": "<878thpa6st.fsf@dell.be.48ers.dk>",
      "User-Agent": "Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)",
      "MIME-Version": "1.0",
      "Subject": "Re: [Buildroot] [PATCH] libzip: security bump to version 1.3.0",
      "X-BeenThere": "buildroot@busybox.net",
      "X-Mailman-Version": "2.1.18-1",
      "Precedence": "list",
      "List-Id": "Discussion and development of buildroot <buildroot.busybox.net>",
      "List-Unsubscribe": "<http://lists.busybox.net/mailman/options/buildroot>,\n\t<mailto:buildroot-request@busybox.net?subject=unsubscribe>",
      "List-Archive": "<http://lists.busybox.net/pipermail/buildroot/>",
      "List-Post": "<mailto:buildroot@busybox.net>",
      "List-Help": "<mailto:buildroot-request@busybox.net?subject=help>",
      "List-Subscribe": "<http://lists.busybox.net/mailman/listinfo/buildroot>,\n\t<mailto:buildroot-request@busybox.net?subject=subscribe>",
      "Content-Type": "text/plain; charset=\"us-ascii\"",
      "Content-Transfer-Encoding": "7bit",
      "Errors-To": "buildroot-bounces@busybox.net",
      "Sender": "\"buildroot\" <buildroot-bounces@busybox.net>"
    }
  },
  {
    "id": 1787793,
    "web_url": "http://patchwork.ozlabs.org/comment/1787793/",
    "msgid": "<87po9mu5fs.fsf@dell.be.48ers.dk>",
    "list_archive_url": null,
    "date": "2017-10-16T21:51:51",
    "subject": "Re: [Buildroot] [PATCH] libzip: security bump to version 1.3.0",
    "submitter": {"id": 42365, "url": "http://patchwork.ozlabs.org/api/people/42365/", "name": "Peter Korsgaard", "email": "peter@korsgaard.com"},
    "content": ">>>>> \"Peter\" == Peter Korsgaard <peter@korsgaard.com> writes:\n\n > Fixes the following security issues:\n > CVE-2017-12858: Double free vulnerability in the _zip_dirent_read function\n > in zip_dirent.c in libzip allows attackers to have unspecified impact via\n > unknown vectors.\n\n > CVE-2017-14107: The _zip_read_eocd64 function in zip_open.c in libzip before\n > 1.3.0 mishandles EOCD records, which allows remote attackers to cause a\n > denial of service (memory allocation failure in _zip_cdir_grow in\n > zip_dirent.c) via a crafted ZIP archive.\n\n > For more details, see\n > https://blogs.gentoo.org/ago/2017/09/01/libzip-use-after-free-in-_zip_buffer_free-zip_buffer-c/\n > https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/\n\n > libzip-1.3.0 also adds optional bzip2 support, so handle that.\n\n > While we're at it, add a hash for the license file.\n\n > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>\n\nCommitted to 2017.08.x, thanks.",
    "headers": {
      "Return-Path": "<buildroot-bounces@busybox.net>",
      "X-Original-To": ["incoming@patchwork.ozlabs.org", "buildroot@lists.busybox.net"],
      "Delivered-To": ["patchwork-incoming@bilbo.ozlabs.org", "buildroot@osuosl.org"],
      "Authentication-Results": ["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=busybox.net\n\t(client-ip=140.211.166.137; helo=fraxinus.osuosl.org;\n\tenvelope-from=buildroot-bounces@busybox.net;\n\treceiver=<UNKNOWN>)", "ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"U0FRaYxB\"; dkim-atps=neutral"],
      "X-Virus-Scanned": ["amavisd-new at osuosl.org", "amavisd-new at osuosl.org"],
      "X-Greylist": "domain auto-whitelisted by SQLgrey-1.7.6",
      "From": "Peter Korsgaard <peter@korsgaard.com>",
      "To": "buildroot@buildroot.org",
      "References": "<20170907212133.10036-1-peter@korsgaard.com>",
      "Date": "Mon, 16 Oct 2017 23:51:51 +0200",
      "In-Reply-To": "<20170907212133.10036-1-peter@korsgaard.com> (Peter Korsgaard's\n\tmessage of \"Thu, 7 Sep 2017 23:21:33 +0200\")",
      "Message-ID": "<87po9mu5fs.fsf@dell.be.48ers.dk>",
      "User-Agent": "Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)",
      "MIME-Version": "1.0",
      "Subject": "Re: [Buildroot] [PATCH] libzip: security bump to version 1.3.0",
      "X-BeenThere": "buildroot@busybox.net",
      "X-Mailman-Version": "2.1.18-1",
      "Precedence": "list",
      "List-Id": "Discussion and development of buildroot <buildroot.busybox.net>",
      "List-Unsubscribe": "<http://lists.busybox.net/mailman/options/buildroot>,\n\t<mailto:buildroot-request@busybox.net?subject=unsubscribe>",
      "List-Archive": "<http://lists.busybox.net/pipermail/buildroot/>",
      "List-Post": "<mailto:buildroot@busybox.net>",
      "List-Help": "<mailto:buildroot-request@busybox.net?subject=help>",
      "List-Subscribe": "<http://lists.busybox.net/mailman/listinfo/buildroot>,\n\t<mailto:buildroot-request@busybox.net?subject=subscribe>",
      "Content-Type": "text/plain; charset=\"us-ascii\"",
      "Content-Transfer-Encoding": "7bit",
      "Errors-To": "buildroot-bounces@busybox.net",
      "Sender": "\"buildroot\" <buildroot-bounces@busybox.net>"
    }
  }
]