
[v3] package/chicken: security bump to 5.4.0

Message ID 20240821124414.8330-1-wdouglass@carnegierobotics.com
State Changes Requested

Commit Message

Woodrow Douglass Aug. 21, 2024, 12:44 p.m. UTC
This release includes a fix for CVE-2022-45145

Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>

--
Changes v2 -> v3:
  - Add this changelog to commit message
  - Add Signed-off-by to commit message

Changes v1 -> v2:
  - Update version numbers in hash file

Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
---
 package/chicken/chicken.hash | 4 ++--
 package/chicken/chicken.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

Comments

Thomas Petazzoni Aug. 24, 2024, 7:07 a.m. UTC | #1
On Wed, 21 Aug 2024 08:44:14 -0400
Woodrow Douglass via buildroot <buildroot@buildroot.org> wrote:

> This release includes a fix for CVE-2022-45145
> 
> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
> 
> --
> Changes v2 -> v3:
>   - Add this changelog to commit message
>   - Add Signed-off-by to commit message
> 
> Changes v1 -> v2:
>   - Update version numbers in hash file
> 
> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
> ---
>  package/chicken/chicken.hash | 4 ++--
>  package/chicken/chicken.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)

Sorry to be annoying, but this patch breaks the legal information for
this package:

>>> chicken 5.4.0 Patching
>>> chicken 5.4.0 Collecting legal info
ERROR: while checking hashes from package/chicken/chicken.hash
ERROR: LICENSE has wrong sha256 hash:
ERROR: expected: b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37
ERROR: got     : c0ed699d5c4a8687f90a6488244f7f57d48a7f2d42bb7461b08a0d69a07d4f58
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
make: *** [package/chicken/chicken.mk:46: chicken-legal-info] Error 1

So the hash of the license file needs to be updated *and* an
explanation about the changes in the license files must be added in the
commit log.

Also, please note that updating from 5.3.0 to 5.4.0 is OK as the
package is new in 2024.08, but as it fixes a security issue, we need to
have this fix in master, and therefore a more minimal update to 5.3.1
would have been preferable for master (and the update to 5.4.0 in our
next branch). But again, as this package is new, I think it is OK to
upgrade to 5.4.0 even in our master branch.

Thomas

Woodrow Douglass Aug. 26, 2024, 1:07 p.m. UTC | #2
On 8/24/24 03:07, Thomas Petazzoni wrote:
> On Wed, 21 Aug 2024 08:44:14 -0400
> Woodrow Douglass via buildroot <buildroot@buildroot.org> wrote:
>
>> This release includes a fix for CVE-2022-45145
>>
>> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
>>
>> --
>> Changes v2 -> v3:
>>    - Add this changelog to commit message
>>    - Add Signed-off-by to commit message
>>
>> Changes v1 -> v2:
>>    - Update version numbers in hash file
>>
>> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
>> ---
>>   package/chicken/chicken.hash | 4 ++--
>>   package/chicken/chicken.mk   | 2 +-
>>   2 files changed, 3 insertions(+), 3 deletions(-)
> Sorry to be annoying, but this patch breaks the legal information for


Not annoying at all, it's my lack of diligence, I'm sorry. I'll add
`make chicken-legal-info` to my list of things I do to test.


> this package:
>
>>>> chicken 5.4.0 Patching
>>>> chicken 5.4.0 Collecting legal info
> ERROR: while checking hashes from package/chicken/chicken.hash
> ERROR: LICENSE has wrong sha256 hash:
> ERROR: expected: b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37
> ERROR: got     : c0ed699d5c4a8687f90a6488244f7f57d48a7f2d42bb7461b08a0d69a07d4f58
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> make: *** [package/chicken/chicken.mk:46: chicken-legal-info] Error 1
>
> So the hash of the license file needs to be updated *and* an
> explanation about the changes in the license files must be added in the
> commit log.
>
> Also, please note that updating from 5.3.0 to 5.4.0 is OK as the
> package is new in 2024.08, but as it fixes a security issue, we need to
> have this fix in master, and therefore a more minimal update to 5.3.1
> would have been preferable for master (and the update to 5.4.0 in our
> next branch). But again, as this package is new, I think it is OK to
> upgrade to 5.4.0 even in our master branch.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com


I'll send a revision of the patch soon


Thanks,
Woodrow Douglass

Patch

diff --git a/package/chicken/chicken.hash b/package/chicken/chicken.hash
index 5a553da792..0a3b0b15ce 100644
--- a/package/chicken/chicken.hash
+++ b/package/chicken/chicken.hash
@@ -1,4 +1,4 @@ 
-# From https://code.call-cc.org/releases/5.3.0/chicken-5.3.0.tar.gz.sha256
-sha256  c3ad99d8f9e17ed810912ef981ac3b0c2e2f46fb0ecc033b5c3b6dca1bdb0d76  chicken-5.3.0.tar.gz
+# From https://code.call-cc.org/releases/5.4.0/chicken-5.4.0.tar.gz.sha256
+sha256  3c5d4aa61c1167bf6d9bf9eaf891da7630ba9f5f3c15bf09515a7039bfcdec5f  chicken-5.4.0.tar.gz
 # Locally computed
 sha256  b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37  LICENSE
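Review bot: the `sha256  b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37  LICENSE` line at the end of this hunk is carried over unchanged while the tarball moves to 5.4.0, and the `chicken-legal-info` run quoted in the thread shows the 5.4.0 LICENSE file hashing to c0ed699d5c4a8687f90a6488244f7f57d48a7f2d42bb7461b08a0d69a07d4f58, so the hash file still fails its own check. Regenerate that line against the LICENSE shipped in chicken-5.4.0.tar.gz (the same "# Locally computed" procedure that produced the old value) and state in the commit log what changed in the license text. Separately, the `# From https://code.call-cc.org/releases/5.4.0/chicken-5.4.0.tar.gz.sha256` comment records a hash fetched from the same host as the tarball, which confirms the download matches what that server serves but is not an independent source; if upstream publishes the hash elsewhere (a signed release announcement, for instance), citing it would strengthen the provenance.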
diff --git a/package/chicken/chicken.mk b/package/chicken/chicken.mk
index 0000fc635e..ca5f756995 100644
--- a/package/chicken/chicken.mk
+++ b/package/chicken/chicken.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-CHICKEN_VERSION = 5.3.0
+CHICKEN_VERSION = 5.4.0
 CHICKEN_SITE = https://code.call-cc.org/releases/$(CHICKEN_VERSION)
 CHICKEN_LICENSE = BSD-3-Clause
 CHICKEN_LICENSE_FILES = LICENSE
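Review bot: `CHICKEN_VERSION = 5.4.0` is the only change in this hunk, yet the thread shows the new release ships a different LICENSE file, so the unchanged `CHICKEN_LICENSE = BSD-3-Clause` and `CHICKEN_LICENSE_FILES = LICENSE` lines deserve a second look: confirm the 5.4.0 license text is still BSD-3-Clause before keeping that identifier, and mention the license change in the commit log. As raised in review, since the bump is motivated by CVE-2022-45145, the minimal fix release 5.3.1 would normally be the target for master with 5.4.0 queued for next; the full bump is accepted here only because the package is new in 2024.08, and the commit log should say so.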