From patchwork Thu Jun 7 18:07:04 2018 X-Patchwork-Submitter: Fabrice Fontaine X-Patchwork-Id: 926488
(ARennes-656-1-358-130.w86-214.abo.wanadoo.fr. [86.214.198.130]) by smtp.gmail.com with ESMTPSA id z13-v6sm3538429wrr.71.2018.06.07.11.07.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Jun 2018 11:07:11 -0700 (PDT) From: Fabrice Fontaine To: buildroot@buildroot.org Date: Thu, 7 Jun 2018 20:07:04 +0200 Message-Id: <20180607180704.12441-1-fontaine.fabrice@gmail.com> X-Mailer: git-send-email 2.14.1 Subject: [Buildroot] [PATCH 1/1] libxslt: security bump to version 1.3.2 X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.24 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Fabrice Fontaine MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" - Fix CVE-2017-5029 - Remove first patch (already in version) - Add a dependency to host-pkgconf and remove libxml2 options: see https://github.com/GNOME/libxslt/commit/abf537ebb2296cd3ae89989a17b0e1b5c79db107 - Add hash for license file Signed-off-by: Fabrice Fontaine --- ...ap-overread-in-xsltFormatNumberConversion.patch | 35 ---------------------- package/libxslt/libxslt.hash | 5 +++- package/libxslt/libxslt.mk | 10 +++---- 3 files changed, 8 insertions(+), 42 deletions(-) delete mode 100644 package/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch diff --git a/package/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch b/package/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch deleted file mode 100644 index 1ad494a6c0..0000000000 --- a/package/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 10 Jun 2016 14:23:58 +0200 -Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion - -An empty decimal-separator could cause a heap overread. This can be -exploited to leak a couple of bytes after the buffer that holds the -pattern string. - -Found with afl-fuzz and ASan. - -Signed-off-by: Baruch Siach ---- -Patch status: upstream commit eb1030de311 - - libxslt/numbers.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libxslt/numbers.c b/libxslt/numbers.c -index d1549b46ca26..e78c46b6357b 100644 ---- a/libxslt/numbers.c -+++ b/libxslt/numbers.c -@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, - } - - /* We have finished the integer part, now work on fraction */ -- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { -+ if ( (*the_format != 0) && -+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { - format_info.add_decimal = TRUE; - the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ - } --- -2.10.2 - diff --git a/package/libxslt/libxslt.hash b/package/libxslt/libxslt.hash index 8222bc590d..f28150b71e 100644 --- a/package/libxslt/libxslt.hash +++ b/package/libxslt/libxslt.hash @@ -1,2 +1,5 @@ # Locally calculated after checking pgp signature -sha256 b5976e3857837e7617b29f2249ebb5eeac34e249208d31f1fbf7a6ba7a4090ce libxslt-1.1.29.tar.gz +sha256 526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460 libxslt-1.1.32.tar.gz + +# Hash for license file: +sha256 7e48e290b6bfccc2ec1b297023a1d77f2fd87417f71fbb9f50aabef40a851819 COPYING diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk index 868ba6a10f..972d5b80d5 100644 --- a/package/libxslt/libxslt.mk +++ b/package/libxslt/libxslt.mk 
@@ -4,7 +4,7 @@ # ################################################################################ -LIBXSLT_VERSION = 1.1.29 +LIBXSLT_VERSION = 1.1.32 LIBXSLT_SITE = ftp://xmlsoft.org/libxslt LIBXSLT_INSTALL_STAGING = YES LIBXSLT_LICENSE = MIT @@ -13,11 +13,9 @@ LIBXSLT_LICENSE_FILES = COPYING LIBXSLT_CONF_OPTS = \ --with-gnu-ld \ --without-debug \ - --without-python \ - --with-libxml-prefix=$(STAGING_DIR)/usr/ \ - --with-libxml-libs-prefix=$(STAGING_DIR)/usr/lib + --without-python LIBXSLT_CONFIG_SCRIPTS = xslt-config -LIBXSLT_DEPENDENCIES = libxml2 +LIBXSLT_DEPENDENCIES = host-pkgconf libxml2 # If we have enabled libgcrypt then use it, else disable crypto support. ifeq ($(BR2_PACKAGE_LIBGCRYPT),y) @@ -29,7 +27,7 @@ endif HOST_LIBXSLT_CONF_OPTS = --without-debug --without-python --without-crypto -HOST_LIBXSLT_DEPENDENCIES = host-libxml2 +HOST_LIBXSLT_DEPENDENCIES = host-pkgconf host-libxml2 $(eval $(autotools-package)) $(eval $(host-autotools-package))
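Review bot: the removed file 0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch records "Patch status: upstream commit eb1030de311" (dated 10 Jun 2016, after the 1.1.29 release), so dropping it on the bump to 1.1.32 is consistent with the "Remove first patch (already in version)" line, but the commit message should name that upstream commit id so a reviewer can confirm it is contained in the 1.1.32 tarball without opening the deleted file.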
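Review bot: in libxslt.hash the "Locally calculated after checking pgp signature" comment is carried over unchanged to the new libxslt-1.1.32.tar.gz line; state in the commit message that the sha256 was regenerated after verifying the 1.1.32 signature, since the comment alone does not show the check was repeated for the new tarball. The added COPYING hash matches the existing LIBXSLT_LICENSE_FILES = COPYING entry in libxslt.mk, which is the right pairing.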
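Review bot: the Subject says "security bump to version 1.3.2" while the first libxslt.mk hunk sets LIBXSLT_VERSION = 1.1.32 and the hash file names libxslt-1.1.32.tar.gz; correct the subject to 1.1.32 before applying so the git log matches the version actually built, and since the message cites CVE-2017-5029, keep that identifier in the subject or body for anyone grepping history for the fix.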
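Review bot: in the second libxslt.mk hunk, dropping --with-libxml-prefix=$(STAGING_DIR)/usr/ and --with-libxml-libs-prefix=$(STAGING_DIR)/usr/lib means configure no longer points explicitly at the staging libxml2, so the host-pkgconf added to LIBXSLT_DEPENDENCIES on the next changed line is a hard requirement rather than a tidy-up; the commit message already links the upstream commit abf537ebb2296cd3ae89989a17b0e1b5c79db107 that removed those options, but it should say plainly that libxml2 is now found via pkg-config, which is also why the same host-pkgconf addition to HOST_LIBXSLT_DEPENDENCIES in the third hunk is needed.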