[Buildroot] [PATCH v2,1/2] package/mcrypt: drop package

Yann E. MORIN yann.morin.1998 at free.fr
Fri Aug 20 08:00:51 UTC 2021


Fabrice, All,

On 2021-08-20 00:09 +0200, Fabrice Fontaine spake thusly:
> Drop mcrypt which is a cryptographic package that is not maintained
> anymore. Here is an extract of https://en.wikipedia.org/wiki/Mcrypt:
> "The last update to libmcrypt was in 2007, despite years of unmerged
> patches. These facts have led security experts to declare mcrypt
> abandonware and discourage its use in new development."
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>

Both patches applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
> Changes v1 -> v2 (after review of Thomas Petazzoni and Yann E. Morin):
>  - Update commit message and Config.in.legacy
> 
>  Config.in.legacy                        | 10 +++
>  package/Config.in                       |  1 -
>  package/mcrypt/0001-CVE-2012-4409.patch | 25 -------
>  package/mcrypt/0002-CVE-2012-4426.patch | 35 ---------
>  package/mcrypt/0003-CVE-2012-4527.patch | 99 -------------------------
>  package/mcrypt/0004-no-rpath.patch      | 17 -----
>  package/mcrypt/Config.in                | 12 ---
>  package/mcrypt/mcrypt.hash              |  3 -
>  package/mcrypt/mcrypt.mk                | 24 ------
>  9 files changed, 10 insertions(+), 216 deletions(-)
>  delete mode 100644 package/mcrypt/0001-CVE-2012-4409.patch
>  delete mode 100644 package/mcrypt/0002-CVE-2012-4426.patch
>  delete mode 100644 package/mcrypt/0003-CVE-2012-4527.patch
>  delete mode 100644 package/mcrypt/0004-no-rpath.patch
>  delete mode 100644 package/mcrypt/Config.in
>  delete mode 100644 package/mcrypt/mcrypt.hash
>  delete mode 100644 package/mcrypt/mcrypt.mk
> 
> diff --git a/Config.in.legacy b/Config.in.legacy
> index 54476acf9a..7cb0c40782 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -146,6 +146,16 @@ endif
>  
>  comment "Legacy options removed in 2021.08"
>  
> +config BR2_PACKAGE_MCRYPT
> +	bool "mcrypt package was removed"
> +	select BR2_LEGACY
> +	help
> +	  This package has been removed as "the last update to libmcrypt
> +	  was in 2007, despite years of unmerged patches. These facts
> +	  have led security experts to declare mcrypt abandonware and
> +	  discourage its use in new development" (extract from
> +	  https://en.wikipedia.org/wiki/Mcrypt).
> +
>  config BR2_PACKAGE_PHP_EXT_MCRYPT
>  	bool "PHP mcrypt extension removed"
>  	select BR2_LEGACY
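Review bot: the help text of the new BR2_PACKAGE_MCRYPT legacy entry justifies the removal with a quote about libmcrypt, while the option being removed is the mcrypt command-line tool; one clause saying that mcrypt is the front-end built on the abandoned libmcrypt (the package selected BR2_PACKAGE_LIBMCRYPT) would make the entry self-explanatory for users who hit it. Placement is fine: the entry sits under the "Legacy options removed in 2021.08" comment ahead of BR2_PACKAGE_PHP_EXT_MCRYPT and carries the required select BR2_LEGACY.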
> diff --git a/package/Config.in b/package/Config.in
> index 436bf2f56a..ab0f74b0e3 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2066,7 +2066,6 @@ menu "Miscellaneous"
>  	source "package/gsettings-desktop-schemas/Config.in"
>  	source "package/haveged/Config.in"
>  	source "package/linux-syscall-support/Config.in"
> -	source "package/mcrypt/Config.in"
>  	source "package/mobile-broadband-provider-info/Config.in"
>  	source "package/netdata/Config.in"
>  	source "package/proj/Config.in"
> diff --git a/package/mcrypt/0001-CVE-2012-4409.patch b/package/mcrypt/0001-CVE-2012-4409.patch
> deleted file mode 100644
> index 97c658bb2d..0000000000
> --- a/package/mcrypt/0001-CVE-2012-4409.patch
> +++ /dev/null
> @@ -1,25 +0,0 @@
> -From 3efb40e17ce4f76717ae17a1ce1e1f747ddf59fd Mon Sep 17 00:00:00 2001
> -From: Alon Bar-Lev <alon.barlev at gmail.com>
> -Date: Sat, 22 Dec 2012 22:37:06 +0200
> -Subject: [PATCH] cleanup: buffer overflow
> -
> ----
> - src/extra.c |    2 ++
> - 1 files changed, 2 insertions(+), 0 deletions(-)
> -
> -diff --git a/src/extra.c b/src/extra.c
> -index 3082f82..c7a1ac0 100644
> ---- a/src/extra.c
> -+++ b/src/extra.c
> -@@ -241,6 +241,8 @@ int check_file_head(FILE * fstream, char *algorithm, char *mode,
> - 		if (m_getbit(6, flags) == 1) { /* if the salt bit is set */
> - 			if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
> - 				*salt_size = m_setbit(0, sflag, 0);
> -+				if (*salt_size > sizeof(tmp_buf))
> -+					err_quit(_("Salt is too long\n"));
> - 				if (*salt_size > 0) {
> - 					fread(tmp_buf, 1, *salt_size,
> - 					      fstream);
> --- 
> -1.7.8.6
> -
> diff --git a/package/mcrypt/0002-CVE-2012-4426.patch b/package/mcrypt/0002-CVE-2012-4426.patch
> deleted file mode 100644
> index 708d4a579e..0000000000
> --- a/package/mcrypt/0002-CVE-2012-4426.patch
> +++ /dev/null
> @@ -1,35 +0,0 @@
> -Patch taken from gentoo.
> -
> -Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
> -
> ---- a/src/errors.c
> -+++ b/src/errors.c
> -@@ -25,24 +25,24 @@
> - 
> - void err_quit(char *errmsg)
> - {
> --	fprintf(stderr, errmsg);
> -+	fprintf(stderr, "%s", errmsg);
> - 	exit(-1);
> - }
> - 
> - void err_warn(char *errmsg)
> - {
> - 	if (quiet <= 1)
> --		fprintf(stderr, errmsg);
> -+		fprintf(stderr, "%s", errmsg);
> - }
> - 
> - void err_info(char *errmsg)
> - {
> - 	if (quiet == 0)
> --		fprintf(stderr, errmsg);
> -+		fprintf(stderr, "%s", errmsg);
> - }
> - 
> - void err_crit(char *errmsg)
> - {
> - 	if (quiet <= 2)
> --		fprintf(stderr, errmsg);
> -+		fprintf(stderr, "%s", errmsg);
> - }
> diff --git a/package/mcrypt/0003-CVE-2012-4527.patch b/package/mcrypt/0003-CVE-2012-4527.patch
> deleted file mode 100644
> index a8cf6f449a..0000000000
> --- a/package/mcrypt/0003-CVE-2012-4527.patch
> +++ /dev/null
> @@ -1,99 +0,0 @@
> -Fix for CVE-2012-4527.
> -Authored by Attila Bogar and Jean-Michel Vourgère <jmv_deb at nirgal.com>
> -
> -Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
> -
> -diff -Nura mcrypt-2.6.8.orig/src/mcrypt.c mcrypt-2.6.8/src/mcrypt.c
> ---- mcrypt-2.6.8.orig/src/mcrypt.c	2013-01-14 19:15:49.465925072 -0300
> -+++ mcrypt-2.6.8/src/mcrypt.c	2013-01-14 19:28:13.711478000 -0300
> -@@ -44,7 +44,9 @@
> - static char rcsid[] =
> -     "$Id: mcrypt.c,v 1.2 2007/11/07 17:10:21 nmav Exp $";
> - 
> --char tmperr[128];
> -+/* Temporary error message can contain one file name and 1k of text */
> -+#define ERRWIDTH ((PATH_MAX)+1024)
> -+char tmperr[ERRWIDTH];
> - unsigned int stream_flag = FALSE;
> - char *keymode = NULL;
> - char *mode = NULL;
> -@@ -482,7 +484,7 @@
> - #ifdef HAVE_STAT
> -       if (stream_flag == FALSE) {
> - 	 if (is_normal_file(file[i]) == FALSE) {
> --	    sprintf(tmperr,
> -+	    snprintf(tmperr, ERRWIDTH,
> - 		    _
> - 		    ("%s: %s is not a regular file. Skipping...\n"),
> - 		    program_name, file[i]);
> -@@ -501,7 +503,7 @@
> - 	    dinfile = file[i];
> - 	 if ((isatty(fileno((FILE *) (stdin))) == 1)
> - 	     && (stream_flag == TRUE) && (force == 0)) {	/* not a tty */
> --	    sprintf(tmperr,
> -+	    snprintf(tmperr, ERRWIDTH,
> - 		    _
> - 		    ("%s: Encrypted data will not be read from a terminal.\n"),
> - 		    program_name);
> -@@ -520,7 +522,7 @@
> - 	    einfile = file[i];
> - 	 if ((isatty(fileno((FILE *) (stdout))) == 1)
> - 	     && (stream_flag == TRUE) && (force == 0)) {	/* not a tty */
> --	    sprintf(tmperr,
> -+	    snprintf(tmperr, ERRWIDTH,
> - 		    _
> - 		    ("%s: Encrypted data will not be written to a terminal.\n"),
> - 		    program_name);
> -@@ -544,7 +546,7 @@
> - 	    strcpy(outfile, einfile);
> - 	    /* if file has already the .nc ignore it */
> - 	    if (strstr(outfile, ".nc") != NULL) {
> --	       sprintf(tmperr,
> -+	       snprintf(tmperr, ERRWIDTH,
> - 		       _
> - 		       ("%s: file %s has the .nc suffix... skipping...\n"),
> - 		       program_name, outfile);
> -@@ -590,10 +592,10 @@
> - 
> - 	 if (x == 0) {
> - 	    if (stream_flag == FALSE) {
> --	       sprintf(tmperr, _("File %s was decrypted.\n"), dinfile);
> -+	       snprintf(tmperr, ERRWIDTH, _("File %s was decrypted.\n"), dinfile);
> - 	       err_warn(tmperr);
> - 	    } else {
> --	       sprintf(tmperr, _("Stdin was decrypted.\n"));
> -+	       snprintf(tmperr, ERRWIDTH, _("Stdin was decrypted.\n"));
> - 	       err_warn(tmperr);
> - 	    }
> - #ifdef HAVE_STAT
> -@@ -610,7 +612,7 @@
> - 
> - 	 } else {
> - 	    if (stream_flag == FALSE) {
> --	       sprintf(tmperr,
> -+	       snprintf(tmperr, ERRWIDTH,
> - 		       _
> - 		       ("File %s was NOT decrypted successfully.\n"),
> - 		       dinfile);
> -@@ -636,10 +638,10 @@
> - 
> - 	 if (x == 0) {
> - 	    if (stream_flag == FALSE) {
> --	       sprintf(tmperr, _("File %s was encrypted.\n"), einfile);
> -+	       snprintf(tmperr, ERRWIDTH, _("File %s was encrypted.\n"), einfile);
> - 	       err_warn(tmperr);
> - 	    } else {
> --	       sprintf(tmperr, _("Stdin was encrypted.\n"));
> -+	       snprintf(tmperr, ERRWIDTH, _("Stdin was encrypted.\n"));
> - 	       err_warn(tmperr);
> - 	    }
> - #ifdef HAVE_STAT
> -@@ -655,7 +657,7 @@
> - 
> - 	 } else {
> - 	    if (stream_flag == FALSE) {
> --	       sprintf(tmperr,
> -+	       snprintf(tmperr, ERRWIDTH,
> - 		       _
> - 		       ("File %s was NOT encrypted successfully.\n"),
> - 		       einfile);
> diff --git a/package/mcrypt/0004-no-rpath.patch b/package/mcrypt/0004-no-rpath.patch
> deleted file mode 100644
> index a0813bcf00..0000000000
> --- a/package/mcrypt/0004-no-rpath.patch
> +++ /dev/null
> @@ -1,17 +0,0 @@
> -Patch out rpath hardcoding since it completely ignores --disable-rpath
> -and other configure ways.
> -
> -Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
> -
> -diff -Nura mcrypt-2.6.8.orig/config.rpath mcrypt-2.6.8/config.rpath
> ---- mcrypt-2.6.8.orig/config.rpath	2013-01-07 13:05:22.626883480 -0300
> -+++ mcrypt-2.6.8/config.rpath	2013-01-07 13:12:47.196090608 -0300
> -@@ -153,7 +153,7 @@
> -   # here allows them to be overridden if necessary.
> -   # Unlike libtool, we use -rpath here, not --rpath, since the documented
> -   # option of GNU ld is called -rpath, not --rpath.
> --  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
> -+  hardcode_libdir_flag_spec=
> -   case "$host_os" in
> -     aix3* | aix4* | aix5*)
> -       # On AIX/PPC, the GNU linker is very broken
> diff --git a/package/mcrypt/Config.in b/package/mcrypt/Config.in
> deleted file mode 100644
> index e3b9541f04..0000000000
> --- a/package/mcrypt/Config.in
> +++ /dev/null
> @@ -1,12 +0,0 @@
> -config BR2_PACKAGE_MCRYPT
> -	bool "mcrypt"
> -	depends on BR2_USE_MMU # fork()
> -	select BR2_PACKAGE_LIBMCRYPT
> -	select BR2_PACKAGE_LIBMHASH
> -	help
> -	  MCrypt is a replacement for the old crypt() package and
> -	  crypt(1) command, with extensions.
> -	  It allows developers to use a wide range of encryption
> -	  functions, without making drastic changes to their code.
> -
> -	  http://mcrypt.sourceforge.net/
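Review bot: the deleted Config.in shows mcrypt selecting BR2_PACKAGE_LIBMCRYPT and BR2_PACKAGE_LIBMHASH; with this consumer gone, check whether libmcrypt and libmhash still have any other user in the tree, since the stated reason for the removal (no libmcrypt update since 2007) applies at least as much to libmcrypt itself. If patch 2/2 takes care of that, a sentence saying so in this commit message would help reviewers.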
> diff --git a/package/mcrypt/mcrypt.hash b/package/mcrypt/mcrypt.hash
> deleted file mode 100644
> index c6c8871f4f..0000000000
> --- a/package/mcrypt/mcrypt.hash
> +++ /dev/null
> @@ -1,3 +0,0 @@
> -# Locally computed:
> -sha256  5145aa844e54cca89ddab6fb7dd9e5952811d8d787c4f4bf27eb261e6c182098  mcrypt-2.6.8.tar.gz
> -sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
> diff --git a/package/mcrypt/mcrypt.mk b/package/mcrypt/mcrypt.mk
> deleted file mode 100644
> index a04b973750..0000000000
> --- a/package/mcrypt/mcrypt.mk
> +++ /dev/null
> @@ -1,24 +0,0 @@
> -################################################################################
> -#
> -# mcrypt
> -#
> -################################################################################
> -
> -MCRYPT_VERSION = 2.6.8
> -MCRYPT_SITE = http://downloads.sourceforge.net/project/mcrypt/MCrypt/$(MCRYPT_VERSION)
> -MCRYPT_DEPENDENCIES = libmcrypt libmhash \
> -	$(if $(BR2_PACKAGE_ZLIB),zlib) \
> -	$(if $(BR2_PACKAGE_LIBICONV),libiconv) \
> -	$(TARGET_NLS_DEPENDENCIES)
> -MCRYPT_CONF_OPTS = --with-libmcrypt-prefix=$(STAGING_DIR)/usr
> -MCRYPT_LICENSE = GPL-3.0
> -MCRYPT_LICENSE_FILES = COPYING
> -
> -# 0001-CVE-2012-4409.patch
> -MCRYPT_IGNORE_CVES += CVE-2012-4409
> -# 0002-CVE-2012-4426.patch
> -MCRYPT_IGNORE_CVES += CVE-2012-4426
> -# 0003-CVE-2012-4527.patch
> -MCRYPT_IGNORE_CVES += CVE-2012-4527
> -
> -$(eval $(autotools-package))
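Review bot: the removed mcrypt.mk carried three MCRYPT_IGNORE_CVES entries backed by the local patches 0001 to 0003 (CVE-2012-4409, CVE-2012-4426, CVE-2012-4527); that Buildroot had to carry its own CVE backports because upstream no longer ships fixes is a stronger, tree-specific argument than the Wikipedia quote and deserves one line in the commit message and the Config.in.legacy help. Dropping the .mk together with the patches also leaves no stale IGNORE_CVES entries behind, which is correct.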
> -- 
> 2.30.2
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
