[Buildroot] [PATCH v2,1/2] package/mcrypt: drop package
Yann E. MORIN
yann.morin.1998 at free.fr
Fri Aug 20 08:00:51 UTC 2021
Fabrice, All,
On 2021-08-20 00:09 +0200, Fabrice Fontaine spake thusly:
> Drop mcrypt which is a cryptographic package that is not maintained
> anymore. Here is an extract of https://en.wikipedia.org/wiki/Mcrypt:
> "The last update to libmcrypt was in 2007, despite years of unmerged
> patches. These facts have led security experts to declare mcrypt
> abandonware and discourage its use in new development."
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Both patches applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> Changes v1 -> v2 (after review of Thomas Petazzoni and Yann E. Morin):
> - Update commit message and Config.in.legacy
>
> Config.in.legacy | 10 +++
> package/Config.in | 1 -
> package/mcrypt/0001-CVE-2012-4409.patch | 25 -------
> package/mcrypt/0002-CVE-2012-4426.patch | 35 ---------
> package/mcrypt/0003-CVE-2012-4527.patch | 99 -------------------------
> package/mcrypt/0004-no-rpath.patch | 17 -----
> package/mcrypt/Config.in | 12 ---
> package/mcrypt/mcrypt.hash | 3 -
> package/mcrypt/mcrypt.mk | 24 ------
> 9 files changed, 10 insertions(+), 216 deletions(-)
> delete mode 100644 package/mcrypt/0001-CVE-2012-4409.patch
> delete mode 100644 package/mcrypt/0002-CVE-2012-4426.patch
> delete mode 100644 package/mcrypt/0003-CVE-2012-4527.patch
> delete mode 100644 package/mcrypt/0004-no-rpath.patch
> delete mode 100644 package/mcrypt/Config.in
> delete mode 100644 package/mcrypt/mcrypt.hash
> delete mode 100644 package/mcrypt/mcrypt.mk
>
> diff --git a/Config.in.legacy b/Config.in.legacy
> index 54476acf9a..7cb0c40782 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -146,6 +146,16 @@ endif
>
> comment "Legacy options removed in 2021.08"
>
> +config BR2_PACKAGE_MCRYPT
> + bool "mcrypt package was removed"
> + select BR2_LEGACY
> + help
> + This package has been removed as "the last update to libmcrypt
> + was in 2007, despite years of unmerged patches. These facts
> + have led security experts to declare mcrypt abandonware and
> + discourage its use in new development" (extract from
> + https://en.wikipedia.org/wiki/Mcrypt).
> +
> config BR2_PACKAGE_PHP_EXT_MCRYPT
> bool "PHP mcrypt extension removed"
> select BR2_LEGACY
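Review bot: the help text in the new BR2_PACKAGE_MCRYPT legacy entry justifies the removal with a quote about libmcrypt (the library), while the option being retired is the mcrypt command-line tool; a user who finds this entry after an upgrade cannot tell from it why the tool is affected. Consider stating the dependency explicitly, since the deleted package/mcrypt/Config.in further down selects BR2_PACKAGE_LIBMCRYPT, for instance: `This package has been removed because it depends on libmcrypt, for which "the last update ... was in 2007, ..."`. The entry is otherwise correctly placed under the "Legacy options removed in 2021.08" comment and selects BR2_LEGACY as the other entries do.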
> diff --git a/package/Config.in b/package/Config.in
> index 436bf2f56a..ab0f74b0e3 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2066,7 +2066,6 @@ menu "Miscellaneous"
> source "package/gsettings-desktop-schemas/Config.in"
> source "package/haveged/Config.in"
> source "package/linux-syscall-support/Config.in"
> - source "package/mcrypt/Config.in"
> source "package/mobile-broadband-provider-info/Config.in"
> source "package/netdata/Config.in"
> source "package/proj/Config.in"
> diff --git a/package/mcrypt/0001-CVE-2012-4409.patch b/package/mcrypt/0001-CVE-2012-4409.patch
> deleted file mode 100644
> index 97c658bb2d..0000000000
> --- a/package/mcrypt/0001-CVE-2012-4409.patch
> +++ /dev/null
> @@ -1,25 +0,0 @@
> -From 3efb40e17ce4f76717ae17a1ce1e1f747ddf59fd Mon Sep 17 00:00:00 2001
> -From: Alon Bar-Lev <alon.barlev at gmail.com>
> -Date: Sat, 22 Dec 2012 22:37:06 +0200
> -Subject: [PATCH] cleanup: buffer overflow
> -
> ----
> - src/extra.c | 2 ++
> - 1 files changed, 2 insertions(+), 0 deletions(-)
> -
> -diff --git a/src/extra.c b/src/extra.c
> -index 3082f82..c7a1ac0 100644
> ---- a/src/extra.c
> -+++ b/src/extra.c
> -@@ -241,6 +241,8 @@ int check_file_head(FILE * fstream, char *algorithm, char *mode,
> - if (m_getbit(6, flags) == 1) { /* if the salt bit is set */
> - if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
> - *salt_size = m_setbit(0, sflag, 0);
> -+ if (*salt_size > sizeof(tmp_buf))
> -+ err_quit(_("Salt is too long\n"));
> - if (*salt_size > 0) {
> - fread(tmp_buf, 1, *salt_size,
> - fstream);
> ---
> -1.7.8.6
> -
> diff --git a/package/mcrypt/0002-CVE-2012-4426.patch b/package/mcrypt/0002-CVE-2012-4426.patch
> deleted file mode 100644
> index 708d4a579e..0000000000
> --- a/package/mcrypt/0002-CVE-2012-4426.patch
> +++ /dev/null
> @@ -1,35 +0,0 @@
> -Patch taken from gentoo.
> -
> -Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
> -
> ---- a/src/errors.c
> -+++ b/src/errors.c
> -@@ -25,24 +25,24 @@
> -
> - void err_quit(char *errmsg)
> - {
> -- fprintf(stderr, errmsg);
> -+ fprintf(stderr, "%s", errmsg);
> - exit(-1);
> - }
> -
> - void err_warn(char *errmsg)
> - {
> - if (quiet <= 1)
> -- fprintf(stderr, errmsg);
> -+ fprintf(stderr, "%s", errmsg);
> - }
> -
> - void err_info(char *errmsg)
> - {
> - if (quiet == 0)
> -- fprintf(stderr, errmsg);
> -+ fprintf(stderr, "%s", errmsg);
> - }
> -
> - void err_crit(char *errmsg)
> - {
> - if (quiet <= 2)
> -- fprintf(stderr, errmsg);
> -+ fprintf(stderr, "%s", errmsg);
> - }
> diff --git a/package/mcrypt/0003-CVE-2012-4527.patch b/package/mcrypt/0003-CVE-2012-4527.patch
> deleted file mode 100644
> index a8cf6f449a..0000000000
> --- a/package/mcrypt/0003-CVE-2012-4527.patch
> +++ /dev/null
> @@ -1,99 +0,0 @@
> -Fix for CVE-2012-4527.
> -Authored by Attila Bogar and Jean-Michel Vourgère <jmv_deb at nirgal.com>
> -
> -Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
> -
> -diff -Nura mcrypt-2.6.8.orig/src/mcrypt.c mcrypt-2.6.8/src/mcrypt.c
> ---- mcrypt-2.6.8.orig/src/mcrypt.c 2013-01-14 19:15:49.465925072 -0300
> -+++ mcrypt-2.6.8/src/mcrypt.c 2013-01-14 19:28:13.711478000 -0300
> -@@ -44,7 +44,9 @@
> - static char rcsid[] =
> - "$Id: mcrypt.c,v 1.2 2007/11/07 17:10:21 nmav Exp $";
> -
> --char tmperr[128];
> -+/* Temporary error message can contain one file name and 1k of text */
> -+#define ERRWIDTH ((PATH_MAX)+1024)
> -+char tmperr[ERRWIDTH];
> - unsigned int stream_flag = FALSE;
> - char *keymode = NULL;
> - char *mode = NULL;
> -@@ -482,7 +484,7 @@
> - #ifdef HAVE_STAT
> - if (stream_flag == FALSE) {
> - if (is_normal_file(file[i]) == FALSE) {
> -- sprintf(tmperr,
> -+ snprintf(tmperr, ERRWIDTH,
> - _
> - ("%s: %s is not a regular file. Skipping...\n"),
> - program_name, file[i]);
> -@@ -501,7 +503,7 @@
> - dinfile = file[i];
> - if ((isatty(fileno((FILE *) (stdin))) == 1)
> - && (stream_flag == TRUE) && (force == 0)) { /* not a tty */
> -- sprintf(tmperr,
> -+ snprintf(tmperr, ERRWIDTH,
> - _
> - ("%s: Encrypted data will not be read from a terminal.\n"),
> - program_name);
> -@@ -520,7 +522,7 @@
> - einfile = file[i];
> - if ((isatty(fileno((FILE *) (stdout))) == 1)
> - && (stream_flag == TRUE) && (force == 0)) { /* not a tty */
> -- sprintf(tmperr,
> -+ snprintf(tmperr, ERRWIDTH,
> - _
> - ("%s: Encrypted data will not be written to a terminal.\n"),
> - program_name);
> -@@ -544,7 +546,7 @@
> - strcpy(outfile, einfile);
> - /* if file has already the .nc ignore it */
> - if (strstr(outfile, ".nc") != NULL) {
> -- sprintf(tmperr,
> -+ snprintf(tmperr, ERRWIDTH,
> - _
> - ("%s: file %s has the .nc suffix... skipping...\n"),
> - program_name, outfile);
> -@@ -590,10 +592,10 @@
> -
> - if (x == 0) {
> - if (stream_flag == FALSE) {
> -- sprintf(tmperr, _("File %s was decrypted.\n"), dinfile);
> -+ snprintf(tmperr, ERRWIDTH, _("File %s was decrypted.\n"), dinfile);
> - err_warn(tmperr);
> - } else {
> -- sprintf(tmperr, _("Stdin was decrypted.\n"));
> -+ snprintf(tmperr, ERRWIDTH, _("Stdin was decrypted.\n"));
> - err_warn(tmperr);
> - }
> - #ifdef HAVE_STAT
> -@@ -610,7 +612,7 @@
> -
> - } else {
> - if (stream_flag == FALSE) {
> -- sprintf(tmperr,
> -+ snprintf(tmperr, ERRWIDTH,
> - _
> - ("File %s was NOT decrypted successfully.\n"),
> - dinfile);
> -@@ -636,10 +638,10 @@
> -
> - if (x == 0) {
> - if (stream_flag == FALSE) {
> -- sprintf(tmperr, _("File %s was encrypted.\n"), einfile);
> -+ snprintf(tmperr, ERRWIDTH, _("File %s was encrypted.\n"), einfile);
> - err_warn(tmperr);
> - } else {
> -- sprintf(tmperr, _("Stdin was encrypted.\n"));
> -+ snprintf(tmperr, ERRWIDTH, _("Stdin was encrypted.\n"));
> - err_warn(tmperr);
> - }
> - #ifdef HAVE_STAT
> -@@ -655,7 +657,7 @@
> -
> - } else {
> - if (stream_flag == FALSE) {
> -- sprintf(tmperr,
> -+ snprintf(tmperr, ERRWIDTH,
> - _
> - ("File %s was NOT encrypted successfully.\n"),
> - einfile);
> diff --git a/package/mcrypt/0004-no-rpath.patch b/package/mcrypt/0004-no-rpath.patch
> deleted file mode 100644
> index a0813bcf00..0000000000
> --- a/package/mcrypt/0004-no-rpath.patch
> +++ /dev/null
> @@ -1,17 +0,0 @@
> -Patch out rpath hardcoding since it completely ignores --disable-rpath
> -and other configure ways.
> -
> -Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
> -
> -diff -Nura mcrypt-2.6.8.orig/config.rpath mcrypt-2.6.8/config.rpath
> ---- mcrypt-2.6.8.orig/config.rpath 2013-01-07 13:05:22.626883480 -0300
> -+++ mcrypt-2.6.8/config.rpath 2013-01-07 13:12:47.196090608 -0300
> -@@ -153,7 +153,7 @@
> - # here allows them to be overridden if necessary.
> - # Unlike libtool, we use -rpath here, not --rpath, since the documented
> - # option of GNU ld is called -rpath, not --rpath.
> -- hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
> -+ hardcode_libdir_flag_spec=
> - case "$host_os" in
> - aix3* | aix4* | aix5*)
> - # On AIX/PPC, the GNU linker is very broken
> diff --git a/package/mcrypt/Config.in b/package/mcrypt/Config.in
> deleted file mode 100644
> index e3b9541f04..0000000000
> --- a/package/mcrypt/Config.in
> +++ /dev/null
> @@ -1,12 +0,0 @@
> -config BR2_PACKAGE_MCRYPT
> - bool "mcrypt"
> - depends on BR2_USE_MMU # fork()
> - select BR2_PACKAGE_LIBMCRYPT
> - select BR2_PACKAGE_LIBMHASH
> - help
> - MCrypt is a replacement for the old crypt() package and
> - crypt(1) command, with extensions.
> - It allows developers to use a wide range of encryption
> - functions, without making drastic changes to their code.
> -
> - http://mcrypt.sourceforge.net/
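Review bot: the removed Config.in selected both BR2_PACKAGE_LIBMCRYPT and BR2_PACKAGE_LIBMHASH, and the commit message's abandonware argument applies to libmcrypt itself, not only to the tool; check that no other package still selects or depends on those two symbols, otherwise libmcrypt stays offered and libmhash is left without an in-tree user. The second patch of this series is not shown here, so it is worth confirming in its own review which of the two libraries it drops.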
> diff --git a/package/mcrypt/mcrypt.hash b/package/mcrypt/mcrypt.hash
> deleted file mode 100644
> index c6c8871f4f..0000000000
> --- a/package/mcrypt/mcrypt.hash
> +++ /dev/null
> @@ -1,3 +0,0 @@
> -# Locally computed:
> -sha256 5145aa844e54cca89ddab6fb7dd9e5952811d8d787c4f4bf27eb261e6c182098 mcrypt-2.6.8.tar.gz
> -sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING
> diff --git a/package/mcrypt/mcrypt.mk b/package/mcrypt/mcrypt.mk
> deleted file mode 100644
> index a04b973750..0000000000
> --- a/package/mcrypt/mcrypt.mk
> +++ /dev/null
> @@ -1,24 +0,0 @@
> -################################################################################
> -#
> -# mcrypt
> -#
> -################################################################################
> -
> -MCRYPT_VERSION = 2.6.8
> -MCRYPT_SITE = http://downloads.sourceforge.net/project/mcrypt/MCrypt/$(MCRYPT_VERSION)
> -MCRYPT_DEPENDENCIES = libmcrypt libmhash \
> - $(if $(BR2_PACKAGE_ZLIB),zlib) \
> - $(if $(BR2_PACKAGE_LIBICONV),libiconv) \
> - $(TARGET_NLS_DEPENDENCIES)
> -MCRYPT_CONF_OPTS = --with-libmcrypt-prefix=$(STAGING_DIR)/usr
> -MCRYPT_LICENSE = GPL-3.0
> -MCRYPT_LICENSE_FILES = COPYING
> -
> -# 0001-CVE-2012-4409.patch
> -MCRYPT_IGNORE_CVES += CVE-2012-4409
> -# 0002-CVE-2012-4426.patch
> -MCRYPT_IGNORE_CVES += CVE-2012-4426
> -# 0003-CVE-2012-4527.patch
> -MCRYPT_IGNORE_CVES += CVE-2012-4527
> -
> -$(eval $(autotools-package))
> --
> 2.30.2
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'