[1/2] package/mcrypt: drop package

Message ID	20210805174252.2661314-1-fontaine.fabrice@gmail.com
State	Superseded
Headers	show Return-Path: <buildroot-bounces@busybox.net> From: Fabrice Fontaine <fontaine.fabrice@gmail.com> To: buildroot@buildroot.org Date: Thu, 5 Aug 2021 19:42:51 +0200 Message-Id: <20210805174252.2661314-1-fontaine.fabrice@gmail.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 1/2] package/mcrypt: drop package Precedence: list Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" <buildroot-bounces@busybox.net>
Series	[1/2] package/mcrypt: drop package \| expand [1/2] package/mcrypt: drop package [2/2] package/libmcrypt: drop package

Message ID

20210805174252.2661314-1-fontaine.fabrice@gmail.com

State

Superseded

Headers

From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
To: buildroot@buildroot.org
Date: Thu,  5 Aug 2021 19:42:51 +0200
Message-Id: <20210805174252.2661314-1-fontaine.fabrice@gmail.com>
MIME-Version: 1.0
Subject: [Buildroot] [PATCH 1/2] package/mcrypt: drop package
Precedence: list
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Series

[1/2] package/mcrypt: drop package | expand

Commit Message

Fabrice Fontaine Aug. 5, 2021, 5:42 p.m. UTC

Drop mcrypt which is not maintained anymore (no release since 2008).

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 Config.in.legacy                        |  7 ++
 package/Config.in                       |  1 -
 package/mcrypt/0001-CVE-2012-4409.patch | 25 -------
 package/mcrypt/0002-CVE-2012-4426.patch | 35 ---------
 package/mcrypt/0003-CVE-2012-4527.patch | 99 -------------------------
 package/mcrypt/0004-no-rpath.patch      | 17 -----
 package/mcrypt/Config.in                | 12 ---
 package/mcrypt/mcrypt.hash              |  3 -
 package/mcrypt/mcrypt.mk                | 24 ------
 9 files changed, 7 insertions(+), 216 deletions(-)
 delete mode 100644 package/mcrypt/0001-CVE-2012-4409.patch
 delete mode 100644 package/mcrypt/0002-CVE-2012-4426.patch
 delete mode 100644 package/mcrypt/0003-CVE-2012-4527.patch
 delete mode 100644 package/mcrypt/0004-no-rpath.patch
 delete mode 100644 package/mcrypt/Config.in
 delete mode 100644 package/mcrypt/mcrypt.hash
 delete mode 100644 package/mcrypt/mcrypt.mk

Comments

Thomas Petazzoni Aug. 19, 2021, 9:05 p.m. UTC | #1

Hello Fabrice,

On Thu,  5 Aug 2021 19:42:51 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Drop mcrypt which is not maintained anymore (no release since 2008).
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  Config.in.legacy                        |  7 ++
>  package/Config.in                       |  1 -
>  package/mcrypt/0001-CVE-2012-4409.patch | 25 -------
>  package/mcrypt/0002-CVE-2012-4426.patch | 35 ---------
>  package/mcrypt/0003-CVE-2012-4527.patch | 99 -------------------------
>  package/mcrypt/0004-no-rpath.patch      | 17 -----
>  package/mcrypt/Config.in                | 12 ---
>  package/mcrypt/mcrypt.hash              |  3 -
>  package/mcrypt/mcrypt.mk                | 24 ------
>  9 files changed, 7 insertions(+), 216 deletions(-)
>  delete mode 100644 package/mcrypt/0001-CVE-2012-4409.patch
>  delete mode 100644 package/mcrypt/0002-CVE-2012-4426.patch
>  delete mode 100644 package/mcrypt/0003-CVE-2012-4527.patch
>  delete mode 100644 package/mcrypt/0004-no-rpath.patch
>  delete mode 100644 package/mcrypt/Config.in
>  delete mode 100644 package/mcrypt/mcrypt.hash
>  delete mode 100644 package/mcrypt/mcrypt.mk

Do we have a good reason to drop these packages? We have lots of
packages with no upstream activity, and we drop them only when there is
some particular issue. What prompted you to propose these packages for
removal ?

Thanks,

Thomas

Fabrice Fontaine Aug. 19, 2021, 9:21 p.m. UTC | #2

Hello Thomas,

Le jeu. 19 août 2021 à 23:05, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> a écrit :
>
> Hello Fabrice,
>
> On Thu,  5 Aug 2021 19:42:51 +0200
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > Drop mcrypt which is not maintained anymore (no release since 2008).
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> >  Config.in.legacy                        |  7 ++
> >  package/Config.in                       |  1 -
> >  package/mcrypt/0001-CVE-2012-4409.patch | 25 -------
> >  package/mcrypt/0002-CVE-2012-4426.patch | 35 ---------
> >  package/mcrypt/0003-CVE-2012-4527.patch | 99 -------------------------
> >  package/mcrypt/0004-no-rpath.patch      | 17 -----
> >  package/mcrypt/Config.in                | 12 ---
> >  package/mcrypt/mcrypt.hash              |  3 -
> >  package/mcrypt/mcrypt.mk                | 24 ------
> >  9 files changed, 7 insertions(+), 216 deletions(-)
> >  delete mode 100644 package/mcrypt/0001-CVE-2012-4409.patch
> >  delete mode 100644 package/mcrypt/0002-CVE-2012-4426.patch
> >  delete mode 100644 package/mcrypt/0003-CVE-2012-4527.patch
> >  delete mode 100644 package/mcrypt/0004-no-rpath.patch
> >  delete mode 100644 package/mcrypt/Config.in
> >  delete mode 100644 package/mcrypt/mcrypt.hash
> >  delete mode 100644 package/mcrypt/mcrypt.mk
>
> Do we have a good reason to drop these packages? We have lots of
> packages with no upstream activity, and we drop them only when there is
> some particular issue. What prompted you to propose these packages for
> removal ?
Because it is a cryptographic package, here is an extract of
https://en.wikipedia.org/wiki/Mcrypt:
"The last update to libmcrypt was in 2007, despite years of unmerged
patches. These facts have led security experts to declare mcrypt
abandonware and discourage its use in new development."
>
> Thanks,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,

Fabrice

Yann E. MORIN Aug. 19, 2021, 9:58 p.m. UTC | #3

Fabrice, All,

On 2021-08-19 23:21 +0200, Fabrice Fontaine spake thusly:
> Le jeu. 19 août 2021 à 23:05, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> a écrit :
> >
> > Hello Fabrice,
> >
> > On Thu,  5 Aug 2021 19:42:51 +0200
> > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> >
> > > Drop mcrypt which is not maintained anymore (no release since 2008).
[--SNIP--]
> > Do we have a good reason to drop these packages? We have lots of
> > packages with no upstream activity, and we drop them only when there is
> > some particular issue. What prompted you to propose these packages for
> > removal ?
> Because it is a cryptographic package, here is an extract of
> https://en.wikipedia.org/wiki/Mcrypt:
> "The last update to libmcrypt was in 2007, despite years of unmerged
> patches. These facts have led security experts to declare mcrypt
> abandonware and discourage its use in new development."

OK, with such explanations, that makes sense.

Can you please resubmit both patches with tese in the commit log?

Regards,
Yann E. MORIN.

diff --git a/Config.in.legacy b/Config.in.legacy
index 54476acf9a..1d34f81815 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -146,6 +146,13 @@  endif
 
 comment "Legacy options removed in 2021.08"
 
+config BR2_PACKAGE_MCRYPT
+	bool "mcrypt package was removed"
+	select BR2_LEGACY
+	help
+	  This package has been removed as it is not maintained anymore
+	  (no release since 2008).
+
 config BR2_PACKAGE_PHP_EXT_MCRYPT
 	bool "PHP mcrypt extension removed"
 	select BR2_LEGACY
diff --git a/package/Config.in b/package/Config.in
index 436bf2f56a..ab0f74b0e3 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2066,7 +2066,6 @@  menu "Miscellaneous"
 	source "package/gsettings-desktop-schemas/Config.in"
 	source "package/haveged/Config.in"
 	source "package/linux-syscall-support/Config.in"
-	source "package/mcrypt/Config.in"
 	source "package/mobile-broadband-provider-info/Config.in"
 	source "package/netdata/Config.in"
 	source "package/proj/Config.in"
diff --git a/package/mcrypt/0001-CVE-2012-4409.patch b/package/mcrypt/0001-CVE-2012-4409.patch
deleted file mode 100644
index 97c658bb2d..0000000000
--- a/package/mcrypt/0001-CVE-2012-4409.patch
+++ /dev/null
@@ -1,25 +0,0 @@ 
-From 3efb40e17ce4f76717ae17a1ce1e1f747ddf59fd Mon Sep 17 00:00:00 2001
-From: Alon Bar-Lev <alon.barlev@gmail.com>
-Date: Sat, 22 Dec 2012 22:37:06 +0200
-Subject: [PATCH] cleanup: buffer overflow
-
----
- src/extra.c |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/src/extra.c b/src/extra.c
-index 3082f82..c7a1ac0 100644
---- a/src/extra.c
-+++ b/src/extra.c
-@@ -241,6 +241,8 @@ int check_file_head(FILE * fstream, char *algorithm, char *mode,
- 		if (m_getbit(6, flags) == 1) { /* if the salt bit is set */
- 			if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
- 				*salt_size = m_setbit(0, sflag, 0);
-+				if (*salt_size > sizeof(tmp_buf))
-+					err_quit(_("Salt is too long\n"));
- 				if (*salt_size > 0) {
- 					fread(tmp_buf, 1, *salt_size,
- 					      fstream);
--- 
-1.7.8.6
-
diff --git a/package/mcrypt/0002-CVE-2012-4426.patch b/package/mcrypt/0002-CVE-2012-4426.patch
deleted file mode 100644
index 708d4a579e..0000000000
--- a/package/mcrypt/0002-CVE-2012-4426.patch
+++ /dev/null
@@ -1,35 +0,0 @@ 
-Patch taken from gentoo.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
---- a/src/errors.c
-+++ b/src/errors.c
-@@ -25,24 +25,24 @@
- 
- void err_quit(char *errmsg)
- {
--	fprintf(stderr, errmsg);
-+	fprintf(stderr, "%s", errmsg);
- 	exit(-1);
- }
- 
- void err_warn(char *errmsg)
- {
- 	if (quiet <= 1)
--		fprintf(stderr, errmsg);
-+		fprintf(stderr, "%s", errmsg);
- }
- 
- void err_info(char *errmsg)
- {
- 	if (quiet == 0)
--		fprintf(stderr, errmsg);
-+		fprintf(stderr, "%s", errmsg);
- }
- 
- void err_crit(char *errmsg)
- {
- 	if (quiet <= 2)
--		fprintf(stderr, errmsg);
-+		fprintf(stderr, "%s", errmsg);
- }
diff --git a/package/mcrypt/0003-CVE-2012-4527.patch b/package/mcrypt/0003-CVE-2012-4527.patch
deleted file mode 100644
index a8cf6f449a..0000000000
--- a/package/mcrypt/0003-CVE-2012-4527.patch
+++ /dev/null
@@ -1,99 +0,0 @@ 
-Fix for CVE-2012-4527.
-Authored by Attila Bogar and Jean-Michel Vourgère <jmv_deb@nirgal.com>
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff -Nura mcrypt-2.6.8.orig/src/mcrypt.c mcrypt-2.6.8/src/mcrypt.c
---- mcrypt-2.6.8.orig/src/mcrypt.c	2013-01-14 19:15:49.465925072 -0300
-+++ mcrypt-2.6.8/src/mcrypt.c	2013-01-14 19:28:13.711478000 -0300
-@@ -44,7 +44,9 @@
- static char rcsid[] =
-     "$Id: mcrypt.c,v 1.2 2007/11/07 17:10:21 nmav Exp $";
- 
--char tmperr[128];
-+/* Temporary error message can contain one file name and 1k of text */
-+#define ERRWIDTH ((PATH_MAX)+1024)
-+char tmperr[ERRWIDTH];
- unsigned int stream_flag = FALSE;
- char *keymode = NULL;
- char *mode = NULL;
-@@ -482,7 +484,7 @@
- #ifdef HAVE_STAT
-       if (stream_flag == FALSE) {
- 	 if (is_normal_file(file[i]) == FALSE) {
--	    sprintf(tmperr,
-+	    snprintf(tmperr, ERRWIDTH,
- 		    _
- 		    ("%s: %s is not a regular file. Skipping...\n"),
- 		    program_name, file[i]);
-@@ -501,7 +503,7 @@
- 	    dinfile = file[i];
- 	 if ((isatty(fileno((FILE *) (stdin))) == 1)
- 	     && (stream_flag == TRUE) && (force == 0)) {	/* not a tty */
--	    sprintf(tmperr,
-+	    snprintf(tmperr, ERRWIDTH,
- 		    _
- 		    ("%s: Encrypted data will not be read from a terminal.\n"),
- 		    program_name);
-@@ -520,7 +522,7 @@
- 	    einfile = file[i];
- 	 if ((isatty(fileno((FILE *) (stdout))) == 1)
- 	     && (stream_flag == TRUE) && (force == 0)) {	/* not a tty */
--	    sprintf(tmperr,
-+	    snprintf(tmperr, ERRWIDTH,
- 		    _
- 		    ("%s: Encrypted data will not be written to a terminal.\n"),
- 		    program_name);
-@@ -544,7 +546,7 @@
- 	    strcpy(outfile, einfile);
- 	    /* if file has already the .nc ignore it */
- 	    if (strstr(outfile, ".nc") != NULL) {
--	       sprintf(tmperr,
-+	       snprintf(tmperr, ERRWIDTH,
- 		       _
- 		       ("%s: file %s has the .nc suffix... skipping...\n"),
- 		       program_name, outfile);
-@@ -590,10 +592,10 @@
- 
- 	 if (x == 0) {
- 	    if (stream_flag == FALSE) {
--	       sprintf(tmperr, _("File %s was decrypted.\n"), dinfile);
-+	       snprintf(tmperr, ERRWIDTH, _("File %s was decrypted.\n"), dinfile);
- 	       err_warn(tmperr);
- 	    } else {
--	       sprintf(tmperr, _("Stdin was decrypted.\n"));
-+	       snprintf(tmperr, ERRWIDTH, _("Stdin was decrypted.\n"));
- 	       err_warn(tmperr);
- 	    }
- #ifdef HAVE_STAT
-@@ -610,7 +612,7 @@
- 
- 	 } else {
- 	    if (stream_flag == FALSE) {
--	       sprintf(tmperr,
-+	       snprintf(tmperr, ERRWIDTH,
- 		       _
- 		       ("File %s was NOT decrypted successfully.\n"),
- 		       dinfile);
-@@ -636,10 +638,10 @@
- 
- 	 if (x == 0) {
- 	    if (stream_flag == FALSE) {
--	       sprintf(tmperr, _("File %s was encrypted.\n"), einfile);
-+	       snprintf(tmperr, ERRWIDTH, _("File %s was encrypted.\n"), einfile);
- 	       err_warn(tmperr);
- 	    } else {
--	       sprintf(tmperr, _("Stdin was encrypted.\n"));
-+	       snprintf(tmperr, ERRWIDTH, _("Stdin was encrypted.\n"));
- 	       err_warn(tmperr);
- 	    }
- #ifdef HAVE_STAT
-@@ -655,7 +657,7 @@
- 
- 	 } else {
- 	    if (stream_flag == FALSE) {
--	       sprintf(tmperr,
-+	       snprintf(tmperr, ERRWIDTH,
- 		       _
- 		       ("File %s was NOT encrypted successfully.\n"),
- 		       einfile);
diff --git a/package/mcrypt/0004-no-rpath.patch b/package/mcrypt/0004-no-rpath.patch
deleted file mode 100644
index a0813bcf00..0000000000
--- a/package/mcrypt/0004-no-rpath.patch
+++ /dev/null
@@ -1,17 +0,0 @@ 
-Patch out rpath hardcoding since it completely ignores --disable-rpath
-and other configure ways.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff -Nura mcrypt-2.6.8.orig/config.rpath mcrypt-2.6.8/config.rpath
---- mcrypt-2.6.8.orig/config.rpath	2013-01-07 13:05:22.626883480 -0300
-+++ mcrypt-2.6.8/config.rpath	2013-01-07 13:12:47.196090608 -0300
-@@ -153,7 +153,7 @@
-   # here allows them to be overridden if necessary.
-   # Unlike libtool, we use -rpath here, not --rpath, since the documented
-   # option of GNU ld is called -rpath, not --rpath.
--  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-+  hardcode_libdir_flag_spec=
-   case "$host_os" in
-     aix3* | aix4* | aix5*)
-       # On AIX/PPC, the GNU linker is very broken
diff --git a/package/mcrypt/Config.in b/package/mcrypt/Config.in
deleted file mode 100644
index e3b9541f04..0000000000
--- a/package/mcrypt/Config.in
+++ /dev/null
@@ -1,12 +0,0 @@ 
-config BR2_PACKAGE_MCRYPT
-	bool "mcrypt"
-	depends on BR2_USE_MMU # fork()
-	select BR2_PACKAGE_LIBMCRYPT
-	select BR2_PACKAGE_LIBMHASH
-	help
-	  MCrypt is a replacement for the old crypt() package and
-	  crypt(1) command, with extensions.
-	  It allows developers to use a wide range of encryption
-	  functions, without making drastic changes to their code.
-
-	  http://mcrypt.sourceforge.net/
diff --git a/package/mcrypt/mcrypt.hash b/package/mcrypt/mcrypt.hash
deleted file mode 100644
index c6c8871f4f..0000000000
--- a/package/mcrypt/mcrypt.hash
+++ /dev/null
@@ -1,3 +0,0 @@ 
-# Locally computed:
-sha256  5145aa844e54cca89ddab6fb7dd9e5952811d8d787c4f4bf27eb261e6c182098  mcrypt-2.6.8.tar.gz
-sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
diff --git a/package/mcrypt/mcrypt.mk b/package/mcrypt/mcrypt.mk
deleted file mode 100644
index a04b973750..0000000000
--- a/package/mcrypt/mcrypt.mk
+++ /dev/null
@@ -1,24 +0,0 @@ 
-################################################################################
-#
-# mcrypt
-#
-################################################################################
-
-MCRYPT_VERSION = 2.6.8
-MCRYPT_SITE = http://downloads.sourceforge.net/project/mcrypt/MCrypt/$(MCRYPT_VERSION)
-MCRYPT_DEPENDENCIES = libmcrypt libmhash \
-	$(if $(BR2_PACKAGE_ZLIB),zlib) \
-	$(if $(BR2_PACKAGE_LIBICONV),libiconv) \
-	$(TARGET_NLS_DEPENDENCIES)
-MCRYPT_CONF_OPTS = --with-libmcrypt-prefix=$(STAGING_DIR)/usr
-MCRYPT_LICENSE = GPL-3.0
-MCRYPT_LICENSE_FILES = COPYING
-
-# 0001-CVE-2012-4409.patch
-MCRYPT_IGNORE_CVES += CVE-2012-4409
-# 0002-CVE-2012-4426.patch
-MCRYPT_IGNORE_CVES += CVE-2012-4426
-# 0003-CVE-2012-4527.patch
-MCRYPT_IGNORE_CVES += CVE-2012-4527
-
-$(eval $(autotools-package))