kumquat-buildroot/package/shellinabox/shellinabox.mk
Fabrice Fontaine 5553223297 package/shellinabox: fix CVE-2018-16789
libhttp/url.c in shellinabox through 2.20 has an implementation flaw in
the HTTP request parsing logic. By sending a crafted multipart/form-data
HTTP request, an attacker could exploit this to force shellinaboxd into
an infinite loop, exhausting available CPU resources and taking the
service down.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:36:09 +01:00

33 lines
1.1 KiB
Makefile

################################################################################
#
# shellinabox
#
################################################################################
SHELLINABOX_VERSION = 2.20
SHELLINABOX_SITE = $(call github,shellinabox,shellinabox,v$(SHELLINABOX_VERSION))
SHELLINABOX_LICENSE = GPL-2.0 with OpenSSL exception
SHELLINABOX_LICENSE_FILES = COPYING GPL-2
# 0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
SHELLINABOX_IGNORE_CVES += CVE-2018-16789
# Fetching from Github, and patching Makefile.am, so we need to autoreconf
SHELLINABOX_AUTORECONF = YES
# The OpenSSL support is supposed to be optional, but in practice,
# with OpenSSL disabled, it fails to build. See
# https://github.com/shellinabox/shellinabox/issues/385.
SHELLINABOX_DEPENDENCIES = zlib openssl
SHELLINABOX_CONF_OPTS = \
--disable-runtime-loading \
--enable-ssl
# musl's implementation of utmpx is a dummy one, and some aspects of
# it cause build failures in shellinabox
ifeq ($(BR2_TOOLCHAIN_USES_MUSL),y)
SHELLINABOX_CONF_OPTS += --disable-utmp
endif
$(eval $(autotools-package))