From patchwork Tue Jan 19 15:46:04 2021
X-Patchwork-Submitter: Thomas De Schampheleire
X-Patchwork-Id: 1428704
From: Thomas De Schampheleire
To: buildroot@buildroot.org
Cc: Thomas Petazzoni, Thomas De Schampheleire
Date: Tue, 19 Jan 2021 16:46:04 +0100
Message-Id: <20210119154607.11101-1-patrickdepinguin@gmail.com>
X-Mailer: git-send-email 2.26.2
Subject: [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION

From: Thomas De Schampheleire

chartjs 2.9.3 has a security vulnerability (CVE-2020-7746) which is not detected by the CVE scripts, presumably because our version variable starts with a 'v'. Move that 'v' prefix out of the version variable to fix that.

Signed-off-by: Thomas De Schampheleire
---
 package/chartjs/chartjs.hash | 2 +-
 package/chartjs/chartjs.mk | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/chartjs/chartjs.hash b/package/chartjs/chartjs.hash index d2426ea614..a029d16ab1 100644 --- a/package/chartjs/chartjs.hash +++ b/package/chartjs/chartjs.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 8079d8fd39131fcfaec33f1c7799412bcf8e051e25b10bd6e37fc16159417aa1 chartjs-v2.9.3.tar.gz +sha256 8079d8fd39131fcfaec33f1c7799412bcf8e051e25b10bd6e37fc16159417aa1 chartjs-2.9.3.tar.gz sha256 7b43caae91f31b18dc81fae6e0f7aa1acbecaa6d84e3249905cbe15308307d67 LICENSE.md diff --git a/package/chartjs/chartjs.mk b/package/chartjs/chartjs.mk index 171e0a4a7c..960b3e24af 100644 --- a/package/chartjs/chartjs.mk
+++ b/package/chartjs/chartjs.mk 
@@ -4,8 +4,8 @@ # ################################################################################ -CHARTJS_VERSION = v2.9.3 -CHARTJS_SITE = $(call github,chartjs,Chart.js,$(CHARTJS_VERSION)) +CHARTJS_VERSION = 2.9.3 +CHARTJS_SITE = $(call github,chartjs,Chart.js,v$(CHARTJS_VERSION)) CHARTJS_LICENSE = MIT CHARTJS_LICENSE_FILES = LICENSE.md
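Review bot: in the chartjs.hash hunk the sha256 stays at 8079d8fd... while only the file name drops the 'v' (chartjs-v2.9.3.tar.gz to chartjs-2.9.3.tar.gz). That is consistent with the chartjs.mk hunk, which still hands the v2.9.3 tag to the github helper, so the same archive is fetched and only the local name derived from CHARTJS_VERSION changes, but the commit message does not say so, and an unchanged hash next to a renamed file is exactly what a stale copy-paste looks like. Suggest one sentence in the commit message stating that the archive content is unchanged and that the hash was re-verified against the renamed download.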
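Review bot: in the chartjs.mk hunk the commit message only "presumes" that the 'v' prefix is what hides CVE-2020-7746 from the CVE scripts; before merging, confirm that with CHARTJS_VERSION = 2.9.3 the scripts actually report the CVE against chartjs, and state the result in the commit message, otherwise this change fixes the naming convention but not the detection gap it is presented as fixing. Moving the prefix into CHARTJS_SITE as v$(CHARTJS_VERSION) is the right way to keep the tag resolvable while leaving the version comparable.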
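The detection failure the first commit message describes, as an added example that is not Buildroot's own CVE-matching code: a minimal range matcher of the NVD kind (versionStartIncluding / versionEndExcluding) that parses dotted integer versions. A version such as "v2.9.3" does not parse, and a scanner that quietly treats an unparsable version as "not affected" never reports the CVE, which is the silent failure the patch fixes on the package side. The affected range below is constructed for illustration (versions below 2.9.4, matching the security bump on this page), and the `strictVersions` flag is an assumption showing the safer scanner behaviour of flagging unparsable versions instead of dropping them.

```javascript
// Added example, not Buildroot pkg-stats code.  Shows why a 'v'-prefixed
// package version silently defeats NVD-style affected-range matching.

// Parse "2.9.3" into [2, 9, 3].  Returns null when any component is not a
// plain integer, which is what happens to "v2.9.3".
function parseVersion(s) {
  const nums = [];
  for (const part of s.split('.')) {
    if (!/^\d+$/.test(part)) return null;
    nums.push(parseInt(part, 10));
  }
  return nums;
}

// Component-wise comparison; missing trailing components count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Decide whether `version` lies inside an NVD-style affected range.
// Returns 'affected', 'not-affected' or 'unparsable'.
function matchRange(version, range) {
  const v = parseVersion(version);
  if (v === null) return 'unparsable';
  if (range.versionStartIncluding) {
    const lo = parseVersion(range.versionStartIncluding);
    if (compareVersions(v, lo) < 0) return 'not-affected';
  }
  if (range.versionEndExcluding) {
    const hi = parseVersion(range.versionEndExcluding);
    if (compareVersions(v, hi) >= 0) return 'not-affected';
  }
  return 'affected';
}

// Scanner behaviour: an unparsable version is treated like "not affected"
// and the CVE never shows up.  `strictVersions` (assumed here) models the
// safer choice of reporting such versions for manual review instead.
function scanPackage(pkgVersion, ranges, strictVersions) {
  const hits = [];
  for (const r of ranges) {
    const res = matchRange(pkgVersion, r);
    if (res === 'affected') {
      hits.push(r.cve);
    } else if (res === 'unparsable' && strictVersions) {
      hits.push(r.cve + ' (unparsable version, review manually)');
    }
  }
  return hits;
}

// Constructed sample range: everything below 2.9.4 is affected.
const SAMPLE_RANGES = [
  { cve: 'CVE-2020-7746', versionEndExcluding: '2.9.4' },
];

// Usage: with the leading 'v' nothing is reported; without it the CVE is found.
console.log(scanPackage('v2.9.3', SAMPLE_RANGES, false));
console.log(scanPackage('2.9.3', SAMPLE_RANGES, false));
console.log(scanPackage('v2.9.3', SAMPLE_RANGES, true));
```

The design point is the third call: a scanner that cannot parse a version should say so loudly rather than return an empty list, because an empty list is indistinguishable from "clean".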
From patchwork Tue Jan 19 15:46:05 2021
X-Patchwork-Submitter: Thomas De Schampheleire
X-Patchwork-Id: 1428705
From: Thomas De Schampheleire
To: buildroot@buildroot.org
Cc: Thomas Petazzoni, Thomas De Schampheleire, Joeri Barbarien
Date: Tue, 19 Jan 2021 16:46:05 +0100
Message-Id: <20210119154607.11101-2-patrickdepinguin@gmail.com>
In-Reply-To: <20210119154607.11101-1-patrickdepinguin@gmail.com>
References: <20210119154607.11101-1-patrickdepinguin@gmail.com>
X-Mailer: git-send-email 2.26.2
Subject: [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4

From: Joeri Barbarien

CVE-2020-7746 (https://nvd.nist.gov/vuln/detail/CVE-2020-7746)

The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the default options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to prototype pollution.

Signed-off-by: Thomas De Schampheleire
---
 package/chartjs/chartjs.hash | 2 +-
 package/chartjs/chartjs.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/chartjs/chartjs.hash b/package/chartjs/chartjs.hash index a029d16ab1..de4d6d4ebf 100644 --- a/package/chartjs/chartjs.hash +++ b/package/chartjs/chartjs.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 8079d8fd39131fcfaec33f1c7799412bcf8e051e25b10bd6e37fc16159417aa1 chartjs-2.9.3.tar.gz +sha256 9ef3697e279a585c79730f35dba16ad4e24ddeed49a150adb341c31f191fb78e chartjs-2.9.4.tar.gz sha256 7b43caae91f31b18dc81fae6e0f7aa1acbecaa6d84e3249905cbe15308307d67 LICENSE.md diff --git a/package/chartjs/chartjs.mk b/package/chartjs/chartjs.mk index 960b3e24af..82c86dc6cc 100644 --- a/package/chartjs/chartjs.mk +++ b/package/chartjs/chartjs.mk @@ -4,7 +4,7 @@ # ################################################################################ -CHARTJS_VERSION = 2.9.3 +CHARTJS_VERSION = 2.9.4 CHARTJS_SITE = $(call github,chartjs,Chart.js,v$(CHARTJS_VERSION)) CHARTJS_LICENSE = MIT CHARTJS_LICENSE_FILES = LICENSE.md
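Review bot: in the chartjs.hash hunk the new chartjs-2.9.4.tar.gz hash is marked "Locally computed" but the commit message does not say how it was obtained; state that it comes from a fresh download through the github helper for the v2.9.4 tag so a reviewer can reproduce it rather than trust it. The LICENSE.md hash staying at 7b43caae... shows the license text did not change across the bump, which is worth one explicit line as well.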
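Review bot: in the chartjs.mk hunk the version is raised to 2.9.4, but the commit message only reproduces the NVD description of CVE-2020-7746 and never states that 2.9.4 is the first release containing the fix, which is the one fact a reviewer needs to check against the advisory; add that statement (with the upstream fix reference if available). Note also that this hunk only applies on top of patch 1 (CHARTJS_VERSION without the 'v', CHARTJS_SITE prepending it), so the two patches have to be merged together.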
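The flaw the second commit message quotes, as an added example that is not Chart.js code: a recursive deep merge of default options with caller-supplied options that copies every key of the source, so a JSON payload carrying a "__proto__" key writes into Object.prototype and the injected property becomes visible on every object in the process. Beside it sits a hardened merge that refuses the prototype keys and only descends into own properties of the target. The option objects and the payload are constructed for illustration; how upstream 2.9.4 implements its fix is not shown on this page.

```javascript
// Added example, not Chart.js code: prototype pollution through an unchecked
// deep merge of option objects, and a hardened merge beside it.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: every own key of `source` is written into `target`, including
// "__proto__".  For a plain target, target["__proto__"] is Object.prototype,
// which passes the isPlainObject test, so the recursion writes the payload's
// keys straight onto Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, and never descend
// into an inherited value of `target`; allocate a fresh own object instead.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const sv = source[key];
    if (isPlainObject(sv)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Process constructed, untrusted chart options with the given merge and
// report whether Object.prototype was polluted.  JSON.parse is used for the
// payload because an object literal with a "__proto__" key would set the
// prototype instead of creating an own property.  Cleans up afterwards.
function demo(mergeFn) {
  const defaults = { responsive: true, scales: { y: { beginAtZero: false } } };
  const untrusted = JSON.parse(
    '{"scales":{"y":{"beginAtZero":true}},"__proto__":{"polluted":"yes"}}'
  );
  const merged = mergeFn(defaults, untrusted);
  const victim = {};                       // unrelated object created afterwards
  const polluted = victim.polluted === 'yes';
  delete Object.prototype.polluted;        // undo the damage for the rest of the process
  return { polluted, beginAtZero: merged.scales.y.beginAtZero };
}

// Usage: the legitimate option is merged either way; only the unsafe merge
// leaks "polluted" onto every object.
console.log(demo(unsafeMerge));
console.log(demo(safeMerge));
```

Rejecting the three keys is the minimal fix; the own-property check matters independently, because merging into an inherited value (any object reachable through the chain, not just Object.prototype) is the same bug one level down.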