From: Markus Klotzbuecher
To: u-boot@lists.denx.de
Subject: [PATCH 0/2] moveconfig fixes
Date: Wed, 12 Feb 2020 20:46:43 +0100
Message-Id: <20200212194645.1765445-1-mk@mkio.de>
X-Patchwork-Id: 1237059

Two fixes to moveconfig: the first addresses a potential security issue
reported by Heinrich Schuchardt caused by using the Python built-in eval
to expand CONFIG_ value expressions. Running moveconfig on a maliciously
prepared CONFIG could lead to execution of arbitrary Python code. The
second is a Python3 bugfix.

Markus Klotzbuecher (2):
  moveconfig: replace unsafe eval with asteval
  moveconfig: convert ps.stderr to string

 tools/moveconfig.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
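
The class of issue described in the cover letter, as an added example that is not code from this patch series or from U-Boot: expanding an integer expression taken from a CONFIG_ value with eval() versus a whitelist evaluator built on the standard-library ast module (a swapped-in technique; the series itself uses asteval). The names safe_expand, unsafe_expand, is_rejected and the SYMBOLS table are assumptions made for the illustration.

```python
import ast
import operator

# Constructed symbol table; names and values are assumptions for this example.
SYMBOLS = {"SZ_1K": 0x400, "SZ_1M": 0x100000}

# Whitelist of binary operators; any other node type is rejected.
BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.floordiv,  # integer division (matches C for operands >= 0)
    ast.LShift: operator.lshift, ast.RShift: operator.rshift,
    ast.BitOr: operator.or_, ast.BitAnd: operator.and_,
}
MAX_SHIFT = 64  # bound shifts so a value cannot request a huge integer


def safe_expand(expr, symbols=SYMBOLS):
    """Evaluate an integer expression from a CONFIG_ value without eval()."""
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.Name) and node.id in symbols:
            return symbols[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, (ast.LShift, ast.RShift)) and not 0 <= right <= MAX_SHIFT:
                raise ValueError("shift count out of range")
            return BIN_OPS[type(node.op)](left, right)
        # Calls, attribute access, subscripts, unknown names, strings, ...
        raise ValueError("disallowed syntax: " + type(node).__name__)
    return walk(ast.parse(expr, mode="eval").body)


def unsafe_expand(expr, symbols=SYMBOLS):
    """The pattern being removed: eval() runs whatever the value contains."""
    return eval(expr, dict(symbols))


def is_rejected(expr):
    """True if safe_expand refuses the expression instead of evaluating it."""
    try:
        safe_expand(expr)
    except (ValueError, SyntaxError, ZeroDivisionError):
        return True
    return False
```

Passing a restricted globals dictionary to eval() does not close the hole, because Python inserts `__builtins__` into it automatically; that is why the constructed call expression in the test still runs under unsafe_expand.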