From patchwork Thu Dec 10 22:08:53 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1414591
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Fabrice Fontaine
Date: Thu, 10 Dec 2020 23:08:53 +0100
Message-Id: <20201210220853.375772-1-fontaine.fabrice@gmail.com>
X-Mailer: git-send-email 2.29.2
Subject: [Buildroot] [PATCH 1/1] package/sqlcipher: security bump to version 4.4.2

Fix CVE-2020-27207: Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.

https://www.zetetic.net/blog/2020/11/25/sqlcipher-442-release

Signed-off-by: Fabrice Fontaine
--- package/sqlcipher/sqlcipher.hash | 2 +- package/sqlcipher/sqlcipher.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/sqlcipher/sqlcipher.hash b/package/sqlcipher/sqlcipher.hash index c37db7a20a..96a6a74013 100644 --- a/package/sqlcipher/sqlcipher.hash +++ b/package/sqlcipher/sqlcipher.hash 
@@ -1,3 +1,3 @@ # locally computed -sha256 fccb37e440ada898902b294d02cde7af9e8706b185d77ed9f6f4d5b18b4c305f sqlcipher-4.3.0.tar.gz +sha256 87458e0e16594b3ba6c7a1f046bc1ba783d002d35e0e7b61bb6b7bb862f362a7 sqlcipher-4.4.2.tar.gz sha256 3eee3c7964a9becc94d747bd36703d31fc86eb994680b06a61bfd4f2661eaac8 LICENSE diff --git a/package/sqlcipher/sqlcipher.mk b/package/sqlcipher/sqlcipher.mk index 14290745aa..5a9a77c1ee 100644 --- a/package/sqlcipher/sqlcipher.mk +++ b/package/sqlcipher/sqlcipher.mk @@ -4,7 +4,7 @@ # ################################################################################ -SQLCIPHER_VERSION = 4.3.0 +SQLCIPHER_VERSION = 4.4.2 SQLCIPHER_SITE = $(call github,sqlcipher,sqlcipher,v$(SQLCIPHER_VERSION)) SQLCIPHER_LICENSE = BSD-3-Clause SQLCIPHER_LICENSE_FILES = LICENSE
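Review bot: in the sqlcipher.hash hunk the new sha256 for sqlcipher-4.4.2.tar.gz sits under "# locally computed", so nothing in the patch ties it to a value published upstream. The archive is fetched through the github helper in SQLCIPHER_SITE, which means the hash only records what was downloaded when the patch was prepared. For a security bump, please say in the commit message how the tarball was checked, for instance that it was compared with the contents of the v4.4.2 tag. The unchanged LICENSE hash is consistent with the license text being identical between 4.3.0 and 4.4.2.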
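Review bot: in the sqlcipher.mk hunk SQLCIPHER_VERSION moves from 4.3.0 straight to 4.4.2, while the commit message states that CVE-2020-27207 affects 4.x before 4.4.1 and links only the 4.4.2 release post. Please make the log say that the fix arrived in 4.4.1 and that this bump also takes in the intermediate releases, with a mention of any behaviour change that matters to users of the package. That tells anyone backporting to a stable branch which version is the minimum needed for the fix.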