On 1/26/20 4:55 PM, Hauke Mehrtens wrote:
> This backports some security relevant patches from libubox master. These
> patches should not change the existing API and ABI so that old
> applications still work like before without any recompilation.
> Application can not also use more secure APIs.
>
> The new more secure interfaces are also available but not used.
>
> OpenWrt master and 19.07.0 already have these patches by using a more
> recent libubox version.
>
> Signed-off-by: Hauke Mehrtens <ha...@hauke-m.de>
> ---
>
> This should not change the libubox ABI, but backports most of the
> changes which are in master.
>
> I hope I didn't miss anything important.
>
> package/libs/libubox/Makefile | 2 +-
> ...-possible-uninitialized-struct-membe.patch | 39 +++++
> ...hn-fix-off-by-one-in-jshn_parse_file.patch | 39 +++++
> ...-attr-parsing-into-separate-function.patch | 97 +++++++++++
> ...-blob-introduce-blob_parse_untrusted.patch | 78 +++++++++
> ...ob-fix-OOB-access-in-blob_check_type.patch | 78 +++++++++
> ...eap-buffer-overflow-in-blobmsg_parse.patch | 32 ++++
> ...-length-check-does-not-perform-out-o.patch | 51 ++++++
> ...lobmsg_check_attr-by-blobmsg_check_a.patch | 132 +++++++++++++++
> ...-variants-for-all-attribute-checking.patch | 157 ++++++++++++++++++
> ...x-array-out-of-bounds-GCC-10-warning.patch | 39 +++++
> ...g-payload-len-passed-from-blobmsg_ch.patch | 38 +++++
> .../0012-jshn-prefer-snprintf-usage.patch | 61 +++++++
> ...msg-blobmsg_vprintf-prefer-vsnprintf.patch | 38 +++++
> ...blobmsg_json-fix-int16-serialization.patch | 41 +++++
> ...5-blobmsg_json-prefer-snprintf-usage.patch | 66 ++++++++
> ...parse-and-blobmsg_parse_array-oob-re.patch | 110 ++++++++++++
> ...b-Check-remaining-size-in-blob_parse.patch | 28 ++++
> 18 files changed, 1125 insertions(+), 1 deletion(-)
> create mode 100644 package/libs/libubox/patches/0001-blobmsg_json-fix-possible-uninitialized-struct-membe.patch
> create mode 100644 package/libs/libubox/patches/0002-jshn-fix-off-by-one-in-jshn_parse_file.patch
> create mode 100644 package/libs/libubox/patches/0003-blob-refactor-attr-parsing-into-separate-function.patch
> create mode 100644 package/libs/libubox/patches/0004-blob-introduce-blob_parse_untrusted.patch
> create mode 100644 package/libs/libubox/patches/0005-blob-fix-OOB-access-in-blob_check_type.patch
> create mode 100644 package/libs/libubox/patches/0006-blobmsg-fix-heap-buffer-overflow-in-blobmsg_parse.patch
> create mode 100644 package/libs/libubox/patches/0007-Ensure-blob_attr-length-check-does-not-perform-out-o.patch
> create mode 100644 package/libs/libubox/patches/0008-Replace-use-of-blobmsg_check_attr-by-blobmsg_check_a.patch
> create mode 100644 package/libs/libubox/patches/0009-blobmsg-add-_len-variants-for-all-attribute-checking.patch
> create mode 100644 package/libs/libubox/patches/0010-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch
> create mode 100644 package/libs/libubox/patches/0011-blobmsg-fix-wrong-payload-len-passed-from-blobmsg_ch.patch
> create mode 100644 package/libs/libubox/patches/0012-jshn-prefer-snprintf-usage.patch
> create mode 100644 package/libs/libubox/patches/0013-blobmsg-blobmsg_vprintf-prefer-vsnprintf.patch
> create mode 100644 package/libs/libubox/patches/0014-blobmsg_json-fix-int16-serialization.patch
> create mode 100644 package/libs/libubox/patches/0015-blobmsg_json-prefer-snprintf-usage.patch
> create mode 100644 package/libs/libubox/patches/0016-blobmsg-blobmsg_parse-and-blobmsg_parse_array-oob-re.patch
> create mode 100644 package/libs/libubox/patches/0017-blob-Check-remaining-size-in-blob_parse.patch
>
I would drop the last patch 0017-blob-Check-remaining-size-in-blob_parse.patch and then apply this to 18.06.

Hauke
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel