main/mbedtls: security upgrade to 3.6.1

https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.1 update security issues tracking url as https://tls.mbed.org/security redirect to https://www.trustedfirmware.org/projects/mbed-tls/
2024-09-20 11:23:16 +00:00 · 2024-08-30 15:23:27 +02:00 · 2024-08-30 15:23:27 +02:00 · 92ba5559a4
commit 92ba5559a4
parent b700ee7529
2 changed files with 24 additions and 5 deletions
--- a/main/mbedtls/APKBUILD
+++ b/main/mbedtls/APKBUILD
@ -2,9 +2,9 @@
 # Contributor: Łukasz Jendrysik <scadu@yandex.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mbedtls
-pkgver=3.6.0 # long-time support branch
+pkgver=3.6.1 # long-time support branch
 pkgrel=0
-_framework_commit=f1aa3f5c96da714f06dd4e23d84ba18e4f3cf359
+_framework_commit=053518c2ca152b6ae5e791b5d655e539de8bee3e
 pkgdesc="Light-weight cryptographic and SSL/TLS library"
 url="https://www.trustedfirmware.org/projects/mbed-tls/"
 arch="all"
@ -13,12 +13,17 @@ makedepends="cmake perl python3 samurai"
 subpackages="$pkgname-static $pkgname-dev $pkgname-utils"
 source="$pkgname-$pkgver.tar.gz::https://github.com/ARMmbed/mbedtls/archive/v$pkgver.tar.gz
 	$pkgname-framework-$_framework_commit.tar.gz::https://github.com/Mbed-TLS/mbedtls-framework/archive/$_framework_commit.tar.gz
+	gcc14.patch
 	"

 # Track security issues
-# https://tls.mbed.org/security
+# https://mbed-tls.readthedocs.io/en/latest/security-advisories/

 # secfixes:
+#   3.6.1-r0:
+#     - CVE-2024-45157
+#     - CVE-2024-45158
+#     - CVE-2024-45159
 #   2.28.8-r0:
 #     - CVE-2024-28960
 #   2.28.7-r0:
@ -100,6 +105,7 @@ static() {
 }

 sha512sums="
-7e50cf2bb2c9abeb56f18a25bc126b96ac5e3329702cf5b2e266df6b649b9544ab5f2ac00bd57e06091e10cdcf907e600c14eb415942d028000d7b6f1c0cfa42  mbedtls-3.6.0.tar.gz
-9f415f96d6b6c6750dad900e6bc8d5f641e6c322d0cb19143218a4b4e7aee5fa6a7a15fe388b883f5d08b49f2e508c6c4838706133768aa668b972343e547c07  mbedtls-framework-f1aa3f5c96da714f06dd4e23d84ba18e4f3cf359.tar.gz
+e7985a4e7e07328ae55fdad5212f71ac6af903f2b670c6d4bc2a8d6a4b9b7343697a2fd350a836b9425590c838615cd5b2fa851940bd137bb759fa35cd9f0ee8  mbedtls-3.6.1.tar.gz
+178ad7a40ba1c367f67fa47c49b4ccffe00506e1407c6988cac8b14a3f66773319eeb74fb505f085f7541c65096c3700d889112836ebd26a28f23f5b0cbb5bfc  mbedtls-framework-053518c2ca152b6ae5e791b5d655e539de8bee3e.tar.gz
+3c07e8f773295a08b1f215b64f1f62e194ec4fa54b6485107a3db0d731e12df1a88321852dd5caeb5f1f4931695168c9618f316cfecfd92c42c88f610285cef6  gcc14.patch
 "
--- a/main/mbedtls/gcc14.patch
+++ b/main/mbedtls/gcc14.patch
@ -0,0 +1,13 @@
+Ref https://github.com/Mbed-TLS/mbedtls/issues/9003
+
+--- a/library/common.h
+++ b/library/common.h
+@@ -199,7 +199,7 @@ static inline void mbedtls_xor(unsigned
+         uint8x16_t x = veorq_u8(v1, v2);
+         vst1q_u8(r + i, x);
+     }
+-#if defined(__IAR_SYSTEMS_ICC__)
+#if defined(__IAR_SYSTEMS_ICC__) || defined(MBEDTLS_COMPILER_IS_GCC)
+     /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+      * where n is a constant multiple of 16.
+      * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time