diff --git a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
deleted file mode 100644
index ddc5329299..0000000000
--- a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From c63ecbdc6b38cc7e571a72964fe9ca63834dcc89 Mon Sep 17 00:00:00 2001
-From: Jon Shallow
-Date: Wed, 6 Sep 2023 21:38:13 +0200
-Subject: [PATCH] Backport fix for CVE-2023-30362
-
-Upstream: https://github.com/obgm/libcoap/issues/1063#issuecomment-1626962307
-Signed-off-by: Daniel Lang
----
- src/net.c | 34 +++++++++++++++++++++-------------
- 1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/src/net.c b/src/net.c
-index 98859443..e259ab00 100644
---- a/src/net.c
-+++ b/src/net.c
-@@ -1305,19 +1305,27 @@ coap_send_internal(coap_session_t *session, coap_pdu_t *pdu) {
-
- /* Need to check that we are not seeing this proxy in the return loop */
- if (pdu->data && opt == NULL) {
-- if (pdu->used_size + 1 <= pdu->max_size) {
-- char *a_match;
-- size_t data_len = pdu->used_size - (pdu->data - pdu->token);
-- pdu->data[data_len] = '\000';
-- a_match = strstr((char*)pdu->data, cp);
-- if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
-- ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
-- a_match[len] == ' ')) {
-- coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
-- (char*)pdu->data);
-- coap_delete_pdu(pdu);
-- return (coap_mid_t)COAP_DROPPED_RESPONSE;
-- }
-+ char *a_match;
-+ size_t data_len;
-+
-+ if (pdu->used_size + 1 > pdu->max_size) {
-+ /* No space */
-+ return (coap_mid_t)COAP_DROPPED_RESPONSE;
-+ }
-+ if (!coap_pdu_resize(pdu, pdu->used_size + 1)) {
-+ /* Internal error */
-+ return (coap_mid_t)COAP_DROPPED_RESPONSE;
-+ }
-+ data_len = pdu->used_size - (pdu->data - pdu->token);
-+ pdu->data[data_len] = '\000';
-+ a_match = strstr((char*)pdu->data, cp);
-+ if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
-+ ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
-+ a_match[len] == ' ')) {
-+ coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
-+ (char*)pdu->data);
-+ coap_delete_pdu(pdu);
-+ return (coap_mid_t)COAP_DROPPED_RESPONSE;
- }
- }
- if (pdu->used_size + len + 1 <= pdu->max_size) {
---
-2.42.0
-
diff --git a/package/libcoap/libcoap.hash b/package/libcoap/libcoap.hash
index e0006b62af..20abb94f8f 100644
--- a/package/libcoap/libcoap.hash
+++ b/package/libcoap/libcoap.hash
@@ -1,4 +1,4 @@
 # Locally calculated
-sha256 074a71deca01e06d3acb00a1416d0fbeb87d130f40a3c0f6fda3a5c711855dca libcoap-4.3.1.tar.gz
+sha256 ae61a48c21f7b40e1442c9e1da9aab9e6f2cf0deccb02f3fed4de232a0b0522e libcoap-4.3.4.tar.gz
 sha256 09dd86a017bad210527085008cbf706609c58210897b69845af14099577e7eb7 COPYING
-sha256 5711e8bf7e94b59fcf0681d0f73752111bc196563b60f8568f19dacd0213192b LICENSE
+sha256 bdd94ddd8e75010aebd045ead1c951110788003395c708811d6960248acb3891 LICENSE
diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
index 94bfc59702..62f08a20e9 100644
--- a/package/libcoap/libcoap.mk
+++ b/package/libcoap/libcoap.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCOAP_VERSION = 4.3.1
+LIBCOAP_VERSION = 4.3.4
 LIBCOAP_SITE = $(call github,obgm,libcoap,v$(LIBCOAP_VERSION))
 LIBCOAP_INSTALL_STAGING = YES
 LIBCOAP_LICENSE = BSD-2-Clause
@@ -14,10 +14,6 @@ LIBCOAP_DEPENDENCIES = host-pkgconf
 LIBCOAP_CONF_OPTS = \
 --disable-examples --disable-examples-source --without-tinydtls
 LIBCOAP_AUTORECONF = YES
-# 0001-Backport-fix-for-CVE-2023-30362.patch
-LIBCOAP_IGNORE_CVES += CVE-2023-30362
-# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
-LIBCOAP_IGNORE_CVES += CVE-2023-35862
 
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 LIBCOAP_DEPENDENCIES += gnutls