From patchwork Sun Jun 18 21:20:04 2017
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 777506
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Sun, 18 Jun 2017 23:20:04 +0200
Message-Id: <20170618212004.32001-1-peter@korsgaard.com>
X-Mailer: git-send-email 2.11.0
Subject: [Buildroot] [PATCH] expat: security bump to version 2.2.1
List-Id: Discussion and development of buildroot

Fixes:

- CVE-2017-9233 - External entity infinite loop DoS. See: https://libexpat.github.io/doc/cve-2017-9233/
- CVE-2016-9063 -- Detect integer overflow

And furthermore:

- Fix regression from fix to CVE-2016-0718 cutting off longer tag names.
- Extend fix for CVE-2016-5300 (use getrandom() if available).
- Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's version of SipHash).

Also add an upstream patch to fix detection of getrandom().

Signed-off-by: Peter Korsgaard
---
 ...c-Fix-mis-detection-of-getrandom-on-Debia.patch | 29 ++++++++++++++++++++++
 package/expat/expat.hash                           |  8 +++---
 package/expat/expat.mk                             |  4 ++-
 3 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch

diff --git a/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch b/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
new file mode 100644
index 0000000000..a3025531e5
--- /dev/null
+++ b/package/expat/0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch
@@ -0,0 +1,29 @@ +From 602e6c78ca750c082b72f8cdf4a38839b312959f Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 18 Jun 2017 18:55:10 +0200 +Subject: [PATCH] configure.ac: Fix mis-detection of getrandom on Debian + GNU/kFreeBSD (#50) + +There is no such thing but we need to link (not just compile) to realize. + +Signed-off-by: Peter Korsgaard +--- + expat/configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/expat/configure.ac b/expat/configure.ac +index 1357c9a..444c002 100644 +--- a/expat/configure.ac ++++ b/expat/configure.ac +@@ -130,7 +130,7 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([ + + + AC_MSG_CHECKING([for getrandom (Linux 3.17+, glibc 2.25+)]) +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([ ++AC_LINK_IFELSE([AC_LANG_SOURCE([ + #include /* for NULL */ + #include + int main() { +-- +2.11.0 + diff --git a/package/expat/expat.hash b/package/expat/expat.hash index 371abdec91..595597b6fd 100644 --- a/package/expat/expat.hash +++ b/package/expat/expat.hash @@ -1,5 +1,5 @@ -# From https://sourceforge.net/projects/expat/files/expat/2.2.0/ -md5 2f47841c829facb346eb6e3fab5212e2 expat-2.2.0.tar.bz2 -sha1 8453bc52324be4c796fd38742ec48470eef358b3 expat-2.2.0.tar.bz2 +# From https://sourceforge.net/projects/expat/files/expat/2.2.1/ +md5 d9c3baeab58774cefc2f04faf29f2cf8 expat-2.2.1.tar.bz2 +sha1 f45eb724f182776a9cacec9ed70d549e87198987 expat-2.2.1.tar.bz2 # Calculated based on the hashes above -sha256 d9e50ff2d19b3538bd2127902a89987474e1a4db8e43a66a4d1a712ab9a504ff expat-2.2.0.tar.bz2 +sha256 1868cadae4c82a018e361e2b2091de103cd820aaacb0d6cfa49bd2cd83978885 expat-2.2.1.tar.bz2 diff --git a/package/expat/expat.mk b/package/expat/expat.mk index e7bb74a966..bb6e627e5b 100644 --- a/package/expat/expat.mk +++ b/package/expat/expat.mk 
@@ -4,7 +4,7 @@ # ################################################################################ -EXPAT_VERSION = 2.2.0 +EXPAT_VERSION = 2.2.1 EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION) EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.bz2 EXPAT_INSTALL_STAGING = YES @@ -14,6 +14,8 @@ EXPAT_DEPENDENCIES = host-pkgconf HOST_EXPAT_DEPENDENCIES = host-pkgconf EXPAT_LICENSE = MIT EXPAT_LICENSE_FILES = COPYING +# for 0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch +EXPAT_AUTORECONF = YES $(eval $(autotools-package)) $(eval $(host-autotools-package))
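Review bot: in the new 0001-configure.ac-Fix-mis-detection-of-getrandom-on-Debia.patch hunk, the embedded upstream diff is rooted at `--- a/expat/configure.ac` / `+++ b/expat/configure.ac`, which is the upstream git layout, but Buildroot applies package patches with -p1 against the extracted expat-2.2.1.tar.bz2 tarball. If configure.ac sits at the top level of that tarball the `expat/` component will not resolve and the patch will fail to apply at build time. Please either rewrite the two path lines to `--- a/configure.ac` / `+++ b/configure.ac` (keeping the upstream commit id 602e6c78ca750c082b72f8cdf4a38839b312959f in the header so the provenance stays traceable), or confirm in the commit message that the release tarball carries the `expat/` prefix.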
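Review bot: in the expat.hash hunk the sha256 line keeps the comment "Calculated based on the hashes above", i.e. the only strong hash is derived locally from a download that upstream vouches for solely through the md5 and sha1 published on the SourceForge page. For a security bump whose advisory is hosted at libexpat.github.io (linked in the commit message), it would be worth cross-checking the tarball against the corresponding GitHub 2.2.1 release before recording the sha256, and stating in the comment where the cross-check was done, so a later reader can tell the sha256 was verified rather than merely computed.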
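Review bot: in the second expat.mk hunk, `EXPAT_AUTORECONF = YES` is required because the patch edits configure.ac, and the comment above it says so; note that in Buildroot the host-side variable defaults to the target one, so `$(eval $(host-autotools-package))` two lines below will autoreconf host-expat too and run the corrected `AC_LINK_IFELSE` getrandom test there as well. The commit message only says "fix detection of getrandom()"; it could spell out the security consequence visible in the hunk: the link test now decides whether the extended CVE-2016-5300 fix actually gets `getrandom()` on the target, and a toolchain older than the glibc 2.25 named in the `AC_MSG_CHECKING` line will correctly report it missing instead of passing a compile-only probe for a function that does not link (the situation the upstream commit describes with "we need to link (not just compile) to realize").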