Re: [ptxdist] [PATCH] file: upgrade to 5.17
What about this one? Greets Alex On Mon, Feb 17, 2014 at 09:09:05AM +0100, Alexander Dahl wrote: Version 5.17 fixes CVE-2014-1943. See: https://security-tracker.debian.org/tracker/CVE-2014-1943 Signed-off-by: Alexander Dahl p...@lespocky.de --- rules/file.make |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/file.make b/rules/file.make index 172037d..000fd13 100644 --- a/rules/file.make +++ b/rules/file.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_FILE) += file # # Paths and names # -FILE_VERSION := 5.11 -FILE_MD5 := 16a407bd66d6c7a832f3a5c0d609c27b +FILE_VERSION := 5.17 +FILE_MD5 := e19c47e069ced7b01ccb4db402cc01d3 FILE := file-$(FILE_VERSION) FILE_SUFFIX := tar.gz FILE_URL := ftp://ftp.astron.com/pub/file/$(FILE).$(FILE_SUFFIX) -- 1.7.10.4 -- »With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie) *** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601 D1D5 8FBA 7744 CC87 10D0 *** pgpuhKEOTMIYi.pgp Description: PGP signature -- ptxdist mailing list ptxdist@pengutronix.de
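Review bot: FILE_MD5 is the only integrity check on the new tarball, and FILE_URL still fetches it over plain ftp://, so the commit message of a security-motivated bump should say where e19c47e069ced7b01ccb4db402cc01d3 came from. A sum compared against a checksum or signature published by upstream is worth recording; a sum computed from whatever the FTP download returned only pins that download, it does not authenticate it.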
Re: [ptxdist] [PATCH] file: upgrade to 5.17
Hei hei,

On Wed, Mar 12, 2014 at 08:22:37AM +0100, Alexander Dahl wrote:
> What about this one?

Only minutes later a new debian package appeared fixing CVE-2014-2270. I'll have a look into this, stay tuned.

Alex

--
»With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601 D1D5 8FBA 7744 CC87 10D0 ***
Re: [ptxdist] ptxdist-2012.03.00 python2.6, hashlib.py, flup.py install fails ImportError: No module named _sha256
Hi,

On Tuesday 11 March 2014 23:39:42 jdwilson wrote:
> [...]
> I have successfully built a target image that includes python2.6 and lighttpd which is part of ptxdist-2012.03.00. The intent was to use flup.py to provide fastcgi, wsgi capability. (This works in my dev env, under Ubuntu 12.04 LTS, python2.7.x).

You should try PTXdist-2014.03.0 (coming soon) for reference. Maybe your issue is already solved. If it works, you can upgrade your project or backport the required changes to your older PTXdist/BSP.

> [...]
> 1) How does one ensure ptxdist builds and installs openssl and then ensure that python will use the openssl module?

The select other package name in the menuconfig tells PTXdist to build this dependency first.

Regards
Juergen

--
Pengutronix e.K. | Juergen Beisert |
Linux Solutions for Science and Industry | http://www.pengutronix.de/ |
[ptxdist] [PATCH 2/2] file: add security patches cherry-picked from upstream
Signed-off-by: Alexander Dahl p...@lespocky.de --- .../0001-Fix-memory-leak-Anatol-Belski.patch | 34 ...-in-out-of-bounds-calculations-Jan-Kaluza.patch | 23 + patches/file-5.17/series |5 +++ 3 files changed, 62 insertions(+) create mode 100644 patches/file-5.17/0001-Fix-memory-leak-Anatol-Belski.patch create mode 100644 patches/file-5.17/0002-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch create mode 100644 patches/file-5.17/series diff --git a/patches/file-5.17/0001-Fix-memory-leak-Anatol-Belski.patch b/patches/file-5.17/0001-Fix-memory-leak-Anatol-Belski.patch new file mode 100644 index 000..206e7eb --- /dev/null +++ b/patches/file-5.17/0001-Fix-memory-leak-Anatol-Belski.patch @@ -0,0 +1,34 @@ +From: Christos Zoulas chris...@zoulas.com +Date: Fri, 21 Feb 2014 14:32:48 + +Subject: [PATCH] Fix memory leak (Anatol Belski) + +Conflicts: + src/softmagic.c +--- + src/softmagic.c | 10 +++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/softmagic.c b/src/softmagic.c +index 5ed347e..7ee3f6f 100644 +--- a/src/softmagic.c b/src/softmagic.c +@@ -1755,12 +1755,16 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, + ms-offset = soffset; + if (rv == 1) { + if ((ms-flags (MAGIC_MIME|MAGIC_APPLE)) == 0 +- file_printf(ms, F(m-desc, %u), offset) == -1) ++ file_printf(ms, F(m-desc, %u), offset) == -1) { ++ free(rbuf); + return -1; +- if (file_printf(ms, %s, rbuf) == -1) ++ } ++ if (file_printf(ms, %s, rbuf) == -1) { ++ free(rbuf); + return -1; +- free(rbuf); ++ } + } ++ free(rbuf); + return rv; + + case FILE_USE: diff --git a/patches/file-5.17/0002-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch b/patches/file-5.17/0002-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch new file mode 100644 index 000..e4c61ca --- /dev/null +++ b/patches/file-5.17/0002-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch 
@@ -0,0 +1,23 @@ +From: Christos Zoulas chris...@zoulas.com +Date: Tue, 4 Mar 2014 17:42:19 + +Subject: [PATCH] off by one in out of bounds calculations (Jan Kaluza) + +Conflicts: + src/softmagic.c +--- + src/softmagic.c |2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/softmagic.c b/src/softmagic.c +index 7ee3f6f..3919fa7 100644 +--- a/src/softmagic.c b/src/softmagic.c +@@ -71,7 +71,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *); + private void cvt_32(union VALUETYPE *, const struct magic *); + private void cvt_64(union VALUETYPE *, const struct magic *); + +-#define OFFSET_OOB(n, o, i) ((n) (o) || (i) = ((n) - (o))) ++#define OFFSET_OOB(n, o, i) ((n) (o) || (i) ((n) - (o))) + /* + * softmagic - lookup one file in parsed, in-memory copy of database + * Passed the name and FILE * of one file to be typed. diff --git a/patches/file-5.17/series b/patches/file-5.17/series new file mode 100644 index 000..6b27f34 --- /dev/null +++ b/patches/file-5.17/series @@ -0,0 +1,5 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-Fix-memory-leak-Anatol-Belski.patch +0002-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch +# 4440242115f6c92b22376f9aa65eca96 - git-ptx-patches magic -- 1.7.10.4 -- ptxdist mailing list ptxdist@pengutronix.de
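Review bot: both cherry-picked patch headers (0001 and 0002) still carry the "Conflicts: src/softmagic.c" block left over from the cherry-pick and give no upstream commit id, and the outer commit message has no body beyond the Signed-off-by. Drop the Conflicts lines, record the upstream commit each patch was taken from, and state which issue each one addresses (the thread mentions CVE-2014-2270), so the patches can be identified and dropped cleanly at the next version bump.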
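Review bot: in 0002 the only functional change is to the second comparison of OFFSET_OOB(n, o, i), where the "=" is dropped, so the case of i equal to (n) - (o) is no longer reported as out of bounds. Because this macro guards offset calculations in src/softmagic.c, the patch description should spell out that boundary case explicitly, and the submission should mention what input (for example, a file whose data ends exactly at the buffer boundary) was used to confirm the new bound on the target.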
[ptxdist] [PATCH 1/2] file: upgrade to 5.17
Version 5.17 fixes CVE-2014-1943. See: https://security-tracker.debian.org/tracker/CVE-2014-1943 Signed-off-by: Alexander Dahl p...@lespocky.de --- rules/file.make |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/file.make b/rules/file.make index 172037d..000fd13 100644 --- a/rules/file.make +++ b/rules/file.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_FILE) += file # # Paths and names # -FILE_VERSION := 5.11 -FILE_MD5 := 16a407bd66d6c7a832f3a5c0d609c27b +FILE_VERSION := 5.17 +FILE_MD5 := e19c47e069ced7b01ccb4db402cc01d3 FILE := file-$(FILE_VERSION) FILE_SUFFIX:= tar.gz FILE_URL := ftp://ftp.astron.com/pub/file/$(FILE).$(FILE_SUFFIX) -- 1.7.10.4 -- ptxdist mailing list ptxdist@pengutronix.de
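Review bot: the commit message justifies the bump with CVE-2014-1943 only, but FILE_VERSION moves from 5.11 straight to 5.17, which spans several upstream releases. Add a line on whether the package was built and run on a target after the jump, and consider citing the upstream changelog next to the Debian tracker URL so the origin of the fix is recorded in the history.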