From 800bf65adca7d68dcbe551a74c62985c34c0f81f Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Sat, 18 Sep 2021 20:58:14 +0200 Subject: [PATCH] package/libyang: security bump to version 1.0.240 Fixes the following security issues: - CVE-2021-28902: In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash. - CVE-2021-28903: A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash. - CVE-2021-28904: In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL. If revision is NULL, the operation of strcmp(revision, ext_plugins[u].revision) will lead to a crash. - CVE-2021-28905: In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL. But in some cases, node->module can be null, which triggers a reachable assertion (CWE-617). - CVE-2021-28906: In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash. Signed-off-by: Peter Korsgaard Signed-off-by: Yann E. MORIN --- package/libyang/libyang.hash | 2 +- package/libyang/libyang.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libyang/libyang.hash b/package/libyang/libyang.hash index 94685cb4de..755ecf390a 100644 --- a/package/libyang/libyang.hash +++ b/package/libyang/libyang.hash @@ -1,3 +1,3 @@ # Locally calculated -sha256 1b736443d2c69b5d7a71ac412655e6edab0647b18f35f7bf504b0a24e06cb046 libyang-1.0.225.tar.gz +sha256 8576cad398b451b1c622b0652a2030fcf83ee1d9a39e6cd93d17b0a5a43118d6 libyang-1.0.240.tar.gz sha256 f942fe693e03e4e3ff67a351c00dc8f468a042e0d7273b0aa6bc53060b568112 LICENSE diff --git a/package/libyang/libyang.mk b/package/libyang/libyang.mk index ed61ec97d2..f784367ea3 100644 --- a/package/libyang/libyang.mk +++ b/package/libyang/libyang.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBYANG_VERSION = 1.0.225 +LIBYANG_VERSION = 1.0.240 LIBYANG_SITE = $(call github,CESNET,libyang,v$(LIBYANG_VERSION)) LIBYANG_LICENSE = BSD-3-Clause LIBYANG_LICENSE_FILES = LICENSE -- 2.30.2