From: Peter Korsgaard Date: Fri, 13 Dec 2019 13:55:52 +0000 (+0100) Subject: package/glibc: bump version for post-2.30 security fixes X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=bda95544b90af692fe9a33234caaa9f77b9a1e9e;p=buildroot.git package/glibc: bump version for post-2.30 security fixes Fixes the following security vulnerability: - CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. Reported by Marcin Koƛcielnicki. Signed-off-by: Peter Korsgaard Signed-off-by: Thomas Petazzoni --- diff --git a/package/glibc/2.30-1-gbe9a328c93834648e0bec106a1f86357d1a8c7e1/glibc.hash b/package/glibc/2.30-1-gbe9a328c93834648e0bec106a1f86357d1a8c7e1/glibc.hash deleted file mode 100644 index 276cd6f7c0..0000000000 --- a/package/glibc/2.30-1-gbe9a328c93834648e0bec106a1f86357d1a8c7e1/glibc.hash +++ /dev/null @@ -1,7 +0,0 @@ -# Locally calculated (fetched from Github) -sha256 5abb12ac8b756ec900c9d800860041a7920c6b335338af1cba15bab20d54119f glibc-2.30-1-gbe9a328c93834648e0bec106a1f86357d1a8c7e1.tar.gz - -# Hashes for license files -sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING -sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB -sha256 35bdb41dc0bcb10702ddacbd51ec4c0fe6fb3129f734e8c85fc02e4d3eb0ce3f LICENSES diff --git a/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash b/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash new file mode 100644 index 0000000000..4283ea04b4 --- /dev/null +++ b/package/glibc/2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91/glibc.hash @@ -0,0 +1,7 @@ +# Locally calculated (fetched from Github) +sha256 fe1ca8099bc2cda997d8a585f1a512e59df56c52c9c7363a4058da2725c8f4a9 glibc-2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91.tar.gz + +# Hashes for license files +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING +sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB +sha256 35bdb41dc0bcb10702ddacbd51ec4c0fe6fb3129f734e8c85fc02e4d3eb0ce3f LICENSES diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk index 1b38f8aedb..c77105ec61 100644 --- a/package/glibc/glibc.mk +++ b/package/glibc/glibc.mk @@ -16,7 +16,7 @@ GLIBC_SITE = $(call github,c-sky,glibc,$(GLIBC_VERSION)) else # Generate version string using: # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2- -GLIBC_VERSION = 2.30-1-gbe9a328c93834648e0bec106a1f86357d1a8c7e1 +GLIBC_VERSION = 2.30-20-g50f20fe506abb8853641006a7b90a81af21d7b91 # Upstream doesn't officially provide an https download link. # There is one (https://sourceware.org/git/glibc.git) but it's not reliable, # sometimes the connection times out. So use an unofficial github mirror.