From patchwork Wed Apr 8 09:50:55 2020
X-Patchwork-Submitter: Titouan Christophe
X-Patchwork-Id: 1267844
From: Titouan Christophe
To: buildroot@buildroot.org
Cc: Patrick Havelange, Titouan Christophe
Date: Wed, 8 Apr 2020 11:50:55 +0200
Message-Id: <20200408095055.26514-1-titouan.christophe@railnova.eu>
Subject: [Buildroot] [PATCH 1/1] package/thrift: security bump to v0.13

Drop patch because the linker error no longer appears on br-x86-64-musl.

v0.13.0 fixes the following CVEs:

CVE-2019-0205: In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

CVE-2019-0210: In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.

Also update the hash file to the new two-spaces convention

Signed-off-by: Titouan Christophe
--- ...ipedTransport-peek-to-avoid-linker-e.patch | 31 ------------------- package/thrift/thrift.hash | 6 ++-- package/thrift/thrift.mk | 2 +- 3 files changed, 4 insertions(+), 35 deletions(-) delete mode 100644 package/thrift/0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch
diff --git a/package/thrift/0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch b/package/thrift/0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch deleted file mode 100644 index 92c55d05a4..0000000000 --- a/package/thrift/0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f87ae3963e651fe9f4b3125192c77aae86c007e0 Mon Sep 17 00:00:00 2001 -From: Patrick Havelange -Date: Mon, 21 Jan 2019 09:49:23 +0100 -Subject: [PATCH] Force to keep TPipedTransport::peek() to avoid linker error. - -Otherwise got the "defined in discarded section" linker error -with x86-64-musl toolchain. This is probably a toolchain issue - the -compiler shouldn't remove that function. - -Signed-off-by: Patrick Havelange -Upstream-status: Not Applicable ---- - lib/cpp/src/thrift/transport/TTransportUtils.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/cpp/src/thrift/transport/TTransportUtils.h b/lib/cpp/src/thrift/transport/TTransportUtils.h -index f3b4c5a..7589182 100644 ---- a/lib/cpp/src/thrift/transport/TTransportUtils.h -+++ b/lib/cpp/src/thrift/transport/TTransportUtils.h -@@ -114,7 +114,7 @@ public: - - bool isOpen() { return srcTrans_->isOpen(); } - -- bool peek() { -+ bool __attribute__ ((used)) peek() { - if (rPos_ >= rLen_) { - // Double the size of the underlying buffer if it is full - if (rLen_ == rBufSize_) { --- -2.17.1 - diff --git a/package/thrift/thrift.hash b/package/thrift/thrift.hash index 7aca8b5a7e..f342dc348d 100644 --- a/package/thrift/thrift.hash +++ b/package/thrift/thrift.hash 
@@ -1,4 +1,4 @@ -# From https://www.apache.org/dist/thrift/0.12.0/thrift-0.12.0.tar.gz.sha256 -sha256 c336099532b765a6815173f62df0ed897528a9d551837d627c1f87fadad90428 thrift-0.12.0.tar.gz +# From https://www.apache.org/dist/thrift/0.13.0/thrift-0.13.0.tar.gz.sha256 +sha256 7ad348b88033af46ce49148097afe354d513c1fca7c607b59c33ebb6064b5179 thrift-0.13.0.tar.gz # License files, locally calculated -sha256 23df881cec3192d1f4474633c14eb2ec30a45b84f8daeb82b9de5d2bd3ac8218 LICENSE +sha256 23df881cec3192d1f4474633c14eb2ec30a45b84f8daeb82b9de5d2bd3ac8218 LICENSE diff --git a/package/thrift/thrift.mk b/package/thrift/thrift.mk index 4260fe7e1c..8ad37b6b2e 100644 --- a/package/thrift/thrift.mk +++ b/package/thrift/thrift.mk @@ -4,7 +4,7 @@ # ################################################################################ -THRIFT_VERSION = 0.12.0 +THRIFT_VERSION = 0.13.0 THRIFT_SITE = http://www.us.apache.org/dist/thrift/$(THRIFT_VERSION) THRIFT_LICENSE = Apache-2.0 THRIFT_LICENSE_FILES = LICENSE
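Review bot: The deletion of 0001-Force-to-keep-TPipedTransport-peek-to-avoid-linker-e.patch is justified only by the statement that the linker error no longer appears on br-x86-64-musl, while the removed patch itself attributes the "defined in discarded section" error to the toolchain rather than to Thrift. Please record in the commit message which toolchain version and which build test confirmed this for 0.13.0, so that a recurrence on another musl toolchain can be traced back to this removal.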
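Review bot: In the package/thrift/thrift.hash hunk, the new sha256 for thrift-0.13.0.tar.gz is taken from the .sha256 file published under the same www.apache.org/dist tree as the tarball, so it guards against a corrupted download but not against a tampered release directory. For a security bump it is worth checking the tarball against the release PGP signature and saying so in the comment line above the hash. The LICENSE hash is unchanged apart from the spacing, which matches the "two-spaces convention" remark in the commit message.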
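Review bot: In the package/thrift/thrift.mk hunk, the context line THRIFT_SITE = http://www.us.apache.org/dist/thrift/$(THRIFT_VERSION) still downloads over plain HTTP, while the hash comment in thrift.hash refers to https://www.apache.org/dist. The sha256 check in thrift.hash still catches a modified tarball, but switching THRIFT_SITE to the https URL in this same bump would make the download source consistent with the hash source.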