[Buildroot] [git commit branch/2023.02.x] package/libcoap: bump to version 4.3.4

Peter Korsgaard peter at korsgaard.com
Mon Mar 18 16:43:41 UTC 2024


commit: https://git.buildroot.net/buildroot/commit/?id=8873d98abe2016ee77eb1bd6877749f19ee9d649
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2023.02.x

- Drop patch (already included in the new version)
- LIBCOAP_IGNORE_CVES is not needed after the bump
- Update hash of license file: LGPL-2.1 was added along with RIOT support in
  https://github.com/obgm/libcoap/commit/8d869fff047d34a1c825ffc1bab5d3fde28c75b7

https://github.com/obgm/libcoap/blob/v4.3.4/ChangeLog
https://github.com/obgm/libcoap/compare/v4.3.1...v4.3.4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
(cherry picked from commit f5d88d8db355870c89f9ab5fca375f60499f681e)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 .../0001-Backport-fix-for-CVE-2023-30362.patch     | 59 ----------------------
 package/libcoap/libcoap.hash                       |  4 +-
 package/libcoap/libcoap.mk                         |  6 +--
 3 files changed, 3 insertions(+), 66 deletions(-)

diff --git a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
deleted file mode 100644
index ddc5329299..0000000000
--- a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From c63ecbdc6b38cc7e571a72964fe9ca63834dcc89 Mon Sep 17 00:00:00 2001
-From: Jon Shallow <supjps-libcoap at jpshallow.com>
-Date: Wed, 6 Sep 2023 21:38:13 +0200
-Subject: [PATCH] Backport fix for CVE-2023-30362
-
-Upstream: https://github.com/obgm/libcoap/issues/1063#issuecomment-1626962307
-Signed-off-by: Daniel Lang <dalang at gmx.at>
----
- src/net.c | 34 +++++++++++++++++++++-------------
- 1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/src/net.c b/src/net.c
-index 98859443..e259ab00 100644
---- a/src/net.c
-+++ b/src/net.c
-@@ -1305,19 +1305,27 @@ coap_send_internal(coap_session_t *session, coap_pdu_t *pdu) {
- 
-       /* Need to check that we are not seeing this proxy in the return loop */
-       if (pdu->data && opt == NULL) {
--        if (pdu->used_size + 1 <= pdu->max_size) {
--          char *a_match;
--          size_t data_len = pdu->used_size - (pdu->data - pdu->token);
--          pdu->data[data_len] = '\000';
--          a_match = strstr((char*)pdu->data, cp);
--          if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
--              ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
--               a_match[len] == ' ')) {
--            coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
--                     (char*)pdu->data);
--            coap_delete_pdu(pdu);
--            return (coap_mid_t)COAP_DROPPED_RESPONSE;
--          }
-+        char *a_match;
-+        size_t data_len;
-+
-+        if (pdu->used_size + 1 > pdu->max_size) {
-+          /* No space */
-+          return (coap_mid_t)COAP_DROPPED_RESPONSE;
-+        }
-+        if (!coap_pdu_resize(pdu, pdu->used_size + 1)) {
-+          /* Internal error */
-+          return (coap_mid_t)COAP_DROPPED_RESPONSE;
-+        }
-+        data_len = pdu->used_size - (pdu->data - pdu->token);
-+        pdu->data[data_len] = '\000';
-+        a_match = strstr((char*)pdu->data, cp);
-+        if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
-+            ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
-+             a_match[len] == ' ')) {
-+          coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
-+                   (char*)pdu->data);
-+          coap_delete_pdu(pdu);
-+          return (coap_mid_t)COAP_DROPPED_RESPONSE;
-         }
-       }
-       if (pdu->used_size + len + 1 <= pdu->max_size) {
--- 
-2.42.0
-
diff --git a/package/libcoap/libcoap.hash b/package/libcoap/libcoap.hash
index e0006b62af..20abb94f8f 100644
--- a/package/libcoap/libcoap.hash
+++ b/package/libcoap/libcoap.hash
@@ -1,4 +1,4 @@
 # Locally calculated
-sha256  074a71deca01e06d3acb00a1416d0fbeb87d130f40a3c0f6fda3a5c711855dca  libcoap-4.3.1.tar.gz
+sha256  ae61a48c21f7b40e1442c9e1da9aab9e6f2cf0deccb02f3fed4de232a0b0522e  libcoap-4.3.4.tar.gz
 sha256  09dd86a017bad210527085008cbf706609c58210897b69845af14099577e7eb7  COPYING
-sha256  5711e8bf7e94b59fcf0681d0f73752111bc196563b60f8568f19dacd0213192b  LICENSE
+sha256  bdd94ddd8e75010aebd045ead1c951110788003395c708811d6960248acb3891  LICENSE
diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
index 94bfc59702..62f08a20e9 100644
--- a/package/libcoap/libcoap.mk
+++ b/package/libcoap/libcoap.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCOAP_VERSION = 4.3.1
+LIBCOAP_VERSION = 4.3.4
 LIBCOAP_SITE = $(call github,obgm,libcoap,v$(LIBCOAP_VERSION))
 LIBCOAP_INSTALL_STAGING = YES
 LIBCOAP_LICENSE = BSD-2-Clause
@@ -14,10 +14,6 @@ LIBCOAP_DEPENDENCIES = host-pkgconf
 LIBCOAP_CONF_OPTS = \
 	--disable-examples --disable-examples-source --without-tinydtls
 LIBCOAP_AUTORECONF = YES
-# 0001-Backport-fix-for-CVE-2023-30362.patch
-LIBCOAP_IGNORE_CVES += CVE-2023-30362
-# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
-LIBCOAP_IGNORE_CVES += CVE-2023-35862
 
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 LIBCOAP_DEPENDENCIES += gnutls


