From patchwork Thu Nov 23 19:36:41 2017
X-Patchwork-Submitter: Jörg Krause
X-Patchwork-Id: 840889
From: Jörg Krause
To: buildroot@buildroot.org
Date: Thu, 23 Nov 2017 20:36:41 +0100
Message-Id: <20171123193641.6609-1-joerg.krause@embedded.rocks>
Subject: [Buildroot] [PATCH] shairport-sync: security bump to version 3.1.4

The bundled tinysvcmdns library is affected by CVE-2017-12087 [1]:

> An exploitable heap overflow vulnerability exists in the tinysvcmdns library
> version 2016-07-18. A specially crafted packet can make the library overwrite
> an arbitrary amount of data on the heap with attacker controlled values. An
> attacker needs send a dns packet to trigger this vulnerability.

shairport-sync has incorporated upstream's fixes in [2].

[1] https://bugs.launchpad.net/bugs/cve/2017-12087
[2] https://github.com/mikebrady/shairport-sync/commit/1dbdf94811b8315705dbac5ba9199d417231c5d3

Signed-off-by: Jörg Krause --- package/shairport-sync/shairport-sync.hash | 2 +- package/shairport-sync/shairport-sync.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/shairport-sync/shairport-sync.hash b/package/shairport-sync/shairport-sync.hash index eac39138db..08f22a0cf3 100644 --- a/package/shairport-sync/shairport-sync.hash +++ b/package/shairport-sync/shairport-sync.hash @@ -1,2 +1,2 @@ # Locally calculated -sha256 dd0484d7e8ee7631aee78c78b3762abbdba7ec3f2ee8cd6c1e361544c1414da3 shairport-sync-3.1.3.tar.gz +sha256 4c5a2ab40ef49896f5b6e59b20df4f621ebce47ee64d8571336f59820ae66379 shairport-sync-3.1.4.tar.gz diff --git a/package/shairport-sync/shairport-sync.mk b/package/shairport-sync/shairport-sync.mk index acca45c121..63289d4398 100644 --- a/package/shairport-sync/shairport-sync.mk +++ b/package/shairport-sync/shairport-sync.mk @@ -4,7 +4,7 @@ # ################################################################################ -SHAIRPORT_SYNC_VERSION = 3.1.3 +SHAIRPORT_SYNC_VERSION = 3.1.4 SHAIRPORT_SYNC_SITE = $(call github,mikebrady,shairport-sync,$(SHAIRPORT_SYNC_VERSION)) SHAIRPORT_SYNC_LICENSE = MIT, BSD-3-Clause
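Review bot: In the package/shairport-sync/shairport-sync.hash hunk, the new sha256 for shairport-sync-3.1.4.tar.gz sits under the unchanged "# Locally calculated" comment, so the only provenance for the archive is the submitter's own download. For a security bump it would help to say in the commit message how the value was obtained, and for a second person to recompute it from a fresh download of the 3.1.4 archive before this is applied.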
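Review bot: In the package/shairport-sync/shairport-sync.mk hunk, SHAIRPORT_SYNC_VERSION moves to the tag 3.1.4, but neither the hunk nor the commit message says that this tag actually contains the fix commit referenced as [2]; the message only says that shairport-sync has incorporated the fix. Please add a sentence stating that release 3.1.4 includes that commit, so the "security bump" in the subject can be checked from the log alone.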