package/libcoap: bump to version 4.3.4

- Drop patch (already in version) - LIBCOAP_IGNORE_CVES is not needed after bump - Update hash of license file: LGPL-2.1 added when RIOT support with 8d869fff04 https://github.com/obgm/libcoap/blob/v4.3.4/ChangeLog https://github.com/obgm/libcoap/compare/v4.3.1...v4.3.4 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-11-01 23:37:19 +01:00 · 2023-11-01 23:37:19 +01:00 · f5d88d8db3
commit f5d88d8db3
parent 522f25ed42
3 changed files with 3 additions and 66 deletions
--- a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
+++ b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
@ -1,59 +0,0 @@
-From c63ecbdc6b38cc7e571a72964fe9ca63834dcc89 Mon Sep 17 00:00:00 2001
-From: Jon Shallow <supjps-libcoap@jpshallow.com>
-Date: Wed, 6 Sep 2023 21:38:13 +0200
-Subject: [PATCH] Backport fix for CVE-2023-30362
-
-Upstream: https://github.com/obgm/libcoap/issues/1063#issuecomment-1626962307
-Signed-off-by: Daniel Lang <dalang@gmx.at>
---
- src/net.c | 34 +++++++++++++++++++++-------------
- 1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/src/net.c b/src/net.c
-index 98859443..e259ab00 100644
--- a/src/net.c
-+++ b/src/net.c
-@@ -1305,19 +1305,27 @@ coap_send_internal(coap_session_t *session, coap_pdu_t *pdu) {
- 
-       /* Need to check that we are not seeing this proxy in the return loop */
-       if (pdu->data && opt == NULL) {
-        if (pdu->used_size + 1 <= pdu->max_size) {
-          char *a_match;
-          size_t data_len = pdu->used_size - (pdu->data - pdu->token);
-          pdu->data[data_len] = '\000';
-          a_match = strstr((char*)pdu->data, cp);
-          if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
-              ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
-               a_match[len] == ' ')) {
-            coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
-                     (char*)pdu->data);
-            coap_delete_pdu(pdu);
-            return (coap_mid_t)COAP_DROPPED_RESPONSE;
-          }
-+        char *a_match;
-+        size_t data_len;
-+
-+        if (pdu->used_size + 1 > pdu->max_size) {
-+          /* No space */
-+          return (coap_mid_t)COAP_DROPPED_RESPONSE;
-+        }
-+        if (!coap_pdu_resize(pdu, pdu->used_size + 1)) {
-+          /* Internal error */
-+          return (coap_mid_t)COAP_DROPPED_RESPONSE;
-+        }
-+        data_len = pdu->used_size - (pdu->data - pdu->token);
-+        pdu->data[data_len] = '\000';
-+        a_match = strstr((char*)pdu->data, cp);
-+        if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
-+            ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
-+             a_match[len] == ' ')) {
-+          coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
-+                   (char*)pdu->data);
-+          coap_delete_pdu(pdu);
-+          return (coap_mid_t)COAP_DROPPED_RESPONSE;
-         }
-       }
-       if (pdu->used_size + len + 1 <= pdu->max_size) {
-- 
-2.42.0
-
--- a/package/libcoap/libcoap.hash
+++ b/package/libcoap/libcoap.hash
@ -1,4 +1,4 @@
 # Locally calculated
-sha256  074a71deca01e06d3acb00a1416d0fbeb87d130f40a3c0f6fda3a5c711855dca  libcoap-4.3.1.tar.gz
+sha256  ae61a48c21f7b40e1442c9e1da9aab9e6f2cf0deccb02f3fed4de232a0b0522e  libcoap-4.3.4.tar.gz
 sha256  09dd86a017bad210527085008cbf706609c58210897b69845af14099577e7eb7  COPYING
-sha256  5711e8bf7e94b59fcf0681d0f73752111bc196563b60f8568f19dacd0213192b  LICENSE
+sha256  bdd94ddd8e75010aebd045ead1c951110788003395c708811d6960248acb3891  LICENSE
--- a/package/libcoap/libcoap.mk
+++ b/package/libcoap/libcoap.mk
@ -4,7 +4,7 @@
 #
 ################################################################################

-LIBCOAP_VERSION = 4.3.1
+LIBCOAP_VERSION = 4.3.4
 LIBCOAP_SITE = $(call github,obgm,libcoap,v$(LIBCOAP_VERSION))
 LIBCOAP_INSTALL_STAGING = YES
 LIBCOAP_LICENSE = BSD-2-Clause
@ -14,10 +14,6 @@ LIBCOAP_DEPENDENCIES = host-pkgconf
 LIBCOAP_CONF_OPTS = \
 	--disable-examples --disable-examples-source --without-tinydtls
 LIBCOAP_AUTORECONF = YES
-# 0001-Backport-fix-for-CVE-2023-30362.patch
-LIBCOAP_IGNORE_CVES += CVE-2023-30362
-# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
-LIBCOAP_IGNORE_CVES += CVE-2023-35862

 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 LIBCOAP_DEPENDENCIES += gnutls