* [Buildroot] [PATCH v2, 1/3] package/libarchive: security bump to version 3.4.2
@ 2020-02-28 22:12 Fabrice Fontaine
From: Fabrice Fontaine @ 2020-02-28 22:12 UTC (permalink / raw)
To: buildroot
- Fix CVE-2020-9308: archive_read_support_format_rar5.c in libarchive
before 3.4.2 attempts to unpack a RAR5 file with an invalid or
corrupted header (such as a header size of zero), leading to a SIGSEGV
or possibly unspecified other impact.
- Add new mbedtls optional dependency and use --with-nettle to enable
nettle support, see
https://github.com/libarchive/libarchive/commit/f96a71144b7725ca4a94d84bd27d7dca8c2f58d2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2:
- Add --without-mbedtls to host variant
package/libarchive/libarchive.hash | 2 +-
package/libarchive/libarchive.mk | 11 ++++++++++-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/package/libarchive/libarchive.hash b/package/libarchive/libarchive.hash
index b01d6368a5..9da4eb3baa 100644
--- a/package/libarchive/libarchive.hash
+++ b/package/libarchive/libarchive.hash
@@ -1,4 +1,4 @@
# From https://www.libarchive.de/downloads/sha256sums
-sha256 fcf87f3ad8db2e4f74f32526dee62dd1fb9894782b0a503a89c9d7a70a235191 libarchive-3.4.1.tar.gz
+sha256 b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176 libarchive-3.4.2.tar.gz
# Locally computed:
sha256 e1e3d4ba9d0b0ccba333b5f5539f7c6c9a3ef3d57a96cd165d2c45eaa1cd026d COPYING
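Review bot: the new sha256 for libarchive-3.4.2.tar.gz is copied from the sha256sums file served by the same origin as the tarball (the first-line comment says so), so the hash only catches a corrupted or mismatched download; it cannot detect a compromised download site. Recomputing the value from a tarball fetched from a second location (or checking it against the upstream release page) before committing would make the entry worth more than a transport check.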
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index e256b72289..b7ae5fb0cf 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBARCHIVE_VERSION = 3.4.1
+LIBARCHIVE_VERSION = 3.4.2
LIBARCHIVE_SITE = https://www.libarchive.de/downloads
LIBARCHIVE_INSTALL_STAGING = YES
LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
@@ -84,8 +84,16 @@ else
LIBARCHIVE_CONF_OPTS += --without-lzo2
endif
+ifeq ($(BR2_PACKAGE_MBEDTLS),y)
+LIBARCHIVE_DEPENDENCIES += mbedtls
+LIBARCHIVE_CONF_OPTS += --with-mbedtls
+else
+LIBARCHIVE_CONF_OPTS += --without-mbedtls
+endif
+
ifeq ($(BR2_PACKAGE_NETTLE),y)
LIBARCHIVE_DEPENDENCIES += nettle
+LIBARCHIVE_CONF_OPTS += --with-nettle
else
LIBARCHIVE_CONF_OPTS += --without-nettle
endif
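Review bot: the mbedtls and nettle blocks are independent, so a configuration with both BR2_PACKAGE_MBEDTLS and BR2_PACKAGE_NETTLE enabled (and possibly openssl, which the host variant shows is a third backend) passes several --with-<crypto> options at once and leaves the choice of crypto backend to configure's internal precedence rather than to Buildroot. Consider making the selection explicit, for example an else-if chain that prefers one library and passes --without-* for the others, or at least a comment above these blocks stating which backend wins, so that a user enabling mbedtls for footprint reasons does not silently get a different library linked in.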
@@ -123,6 +131,7 @@ HOST_LIBARCHIVE_CONF_OPTS = \
--without-libiconv-prefix \
--without-xml2 \
--without-lzo2 \
+ --without-mbedtls \
--without-nettle \
--without-openssl \
--without-lzma
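Review bot: the host option list is a hand-maintained mirror of the target-side optional dependencies, and the v1 -> v2 changelog shows --without-mbedtls was missed in the first revision. A one-line comment above HOST_LIBARCHIVE_CONF_OPTS saying that every new optional target dependency needs a matching --without-* here would help the next bump, and keeping the list sorted (--without-lzma currently sits after --without-openssl) would make omissions easier to spot.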
--
2.25.0
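The CVE text above describes a RAR5 reader trusting a corrupt header size. As an added illustration that is not part of the patch or of libarchive's own code, the following Python walks RAR5 block headers and turns a zero or oversized header size into a clean error before that size is used as an offset. The header layout (8-byte signature, then per block a uint32 CRC32, a vint header size, a vint type and a vint flags word with optional extra/data sizes) follows the published RAR5 format; the sample archives are constructed inline, and the minimum-size constant is this example's own choice, not a value taken from libarchive's fix.

```python
"""Validate RAR5 block header sizes before trusting them (added example)."""
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HDR_FLAG_EXTRA = 0x0001   # header carries an extra area (its size follows)
HDR_FLAG_DATA = 0x0002    # header is followed by a data area (its size follows)
HDR_TYPE_END = 5          # end-of-archive header
MIN_HEADER_SIZE = 2       # type and flags are one vint byte each at minimum (example's choice)


class Rar5Error(ValueError):
    """Raised for any malformed header instead of letting a bad offset propagate."""


def read_vint(buf, pos):
    """Decode a RAR5 vint: 7 data bits per byte, MSB set means more bytes follow."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise Rar5Error("truncated vint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise Rar5Error("vint longer than 64 bits")


def parse_headers(data):
    """Walk every block header of an in-memory RAR5 archive, checking each size
    against the bytes actually present before using it as an offset."""
    if not data.startswith(RAR5_SIGNATURE):
        raise Rar5Error("not a RAR5 archive")
    pos, headers = len(RAR5_SIGNATURE), []
    while pos < len(data):
        if len(data) - pos < 4:
            raise Rar5Error("truncated header CRC")
        crc_expected = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        size_start = pos
        hdr_size, pos = read_vint(data, pos)
        # The two checks that make a corrupt size field harmless:
        if hdr_size < MIN_HEADER_SIZE:
            raise Rar5Error(f"header size {hdr_size} too small (minimum {MIN_HEADER_SIZE})")
        if hdr_size > len(data) - pos:
            raise Rar5Error(f"header size {hdr_size} exceeds remaining {len(data) - pos} bytes")
        hdr_end = pos + hdr_size
        # The CRC32 covers the size field through the end of the header.
        if (zlib.crc32(data[size_start:hdr_end]) & 0xFFFFFFFF) != crc_expected:
            raise Rar5Error("header CRC mismatch")
        hdr_type, p = read_vint(data, pos)
        hdr_flags, p = read_vint(data, p)
        data_size = 0
        if hdr_flags & HDR_FLAG_EXTRA:
            _extra_size, p = read_vint(data, p)
        if hdr_flags & HDR_FLAG_DATA:
            data_size, p = read_vint(data, p)
        if p > hdr_end:
            raise Rar5Error("header fields overrun declared header size")
        if data_size > len(data) - hdr_end:
            raise Rar5Error("data area exceeds remaining bytes")
        headers.append({"type": hdr_type, "flags": hdr_flags, "size": hdr_size, "data_size": data_size})
        pos = hdr_end + data_size
        if hdr_type == HDR_TYPE_END:
            break
    return headers


def check_archive(data):
    """Return (True, summary) for a well-formed archive, (False, reason) otherwise."""
    try:
        headers = parse_headers(data)
    except Rar5Error as exc:
        return False, str(exc)
    return True, f"{len(headers)} headers, types {[h['type'] for h in headers]}"


# --- constructed samples (built here, not real archives) ----------------------
def encode_vint(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def build_header(hdr_type, hdr_flags, body=b"", size_override=None):
    """Assemble one block header; size_override forges the size field for the bad cases."""
    payload = encode_vint(hdr_type) + encode_vint(hdr_flags) + body
    size = len(payload) if size_override is None else size_override
    sized = encode_vint(size) + payload
    return struct.pack("<I", zlib.crc32(sized) & 0xFFFFFFFF) + sized


# Minimal valid archive: main header (type 1, archive flags 0) + end header (type 5, end flags 0).
GOOD_ARCHIVE = RAR5_SIGNATURE + build_header(1, 0, encode_vint(0)) + build_header(5, 0, encode_vint(0))
# The shape named in the CVE text: a header whose size field is zero.
ZERO_SIZE_ARCHIVE = RAR5_SIGNATURE + build_header(1, 0, encode_vint(0), size_override=0)
# A size field that claims far more bytes than the file holds.
OVERSIZE_ARCHIVE = RAR5_SIGNATURE + build_header(1, 0, encode_vint(0), size_override=200)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_ARCHIVE), ("zero-size", ZERO_SIZE_ARCHIVE), ("oversize", OVERSIZE_ARCHIVE)):
        print(name, check_archive(blob))
```

The order of the checks matters: the size is compared against the remaining byte count before any slice or offset derived from it is formed, so the forged archives fail in check_archive with a message rather than anywhere near a memory access.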
* [Buildroot] [PATCH v2, 2/3] package/libarchive: add lz4 optional dependency
From: Fabrice Fontaine @ 2020-02-28 22:12 UTC (permalink / raw)
To: buildroot
lz4 is available since version 3.2.0 and
https://github.com/libarchive/libarchive/commit/724f3f918e509ddca60ce62fad696d7621d3623d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/libarchive/libarchive.mk | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index b7ae5fb0cf..d07f0776a6 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -78,6 +78,12 @@ else
LIBARCHIVE_CONF_OPTS += --without-xml2
endif
+ifeq ($(BR2_PACKAGE_LZ4),y)
+LIBARCHIVE_DEPENDENCIES += lz4
+else
+LIBARCHIVE_CONF_OPTS += --without-lz4
+endif
+
ifeq ($(BR2_PACKAGE_LZO),y)
LIBARCHIVE_DEPENDENCIES += lzo
else
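Review bot: the enabled branch adds lz4 to LIBARCHIVE_DEPENDENCIES but passes no --with-lz4, so, unlike the --with-mbedtls and --with-nettle lines elsewhere in this file, lz4 support is left to configure autodetection; add `LIBARCHIVE_CONF_OPTS += --with-lz4` in the ifeq branch so that a missing or broken lz4 in staging fails the build instead of silently producing a libarchive without lz4 support.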
@@ -130,6 +136,7 @@ HOST_LIBARCHIVE_CONF_OPTS = \
--without-expat \
--without-libiconv-prefix \
--without-xml2 \
+ --without-lz4 \
--without-lzo2 \
--without-mbedtls \
--without-nettle \
--
2.25.0
* [Buildroot] [PATCH v2, 3/3] package/libarchive: add zstd optional dependency
From: Fabrice Fontaine @ 2020-02-28 22:12 UTC (permalink / raw)
To: buildroot
zstd is available since version 3.3.3 and
https://github.com/libarchive/libarchive/commit/26838cf5c17642f57192753cc5c3880b16b65ba3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/libarchive/libarchive.mk | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index d07f0776a6..c3fe63526a 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -116,6 +116,12 @@ else
LIBARCHIVE_CONF_OPTS += --without-zlib
endif
+ifeq ($(BR2_PACKAGE_ZSTD),y)
+LIBARCHIVE_DEPENDENCIES += zstd
+else
+LIBARCHIVE_CONF_OPTS += --without-zstd
+endif
+
# libarchive requires LZMA with thread support in the toolchain
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS)$(BR2_PACKAGE_XZ),yy)
LIBARCHIVE_DEPENDENCIES += xz
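Review bot: the zstd block has the same gap as the lz4 one: the enabled branch adds the dependency without an explicit --with-zstd, so whether zstd support ends up compiled in depends on autodetection rather than on the Buildroot option; add `LIBARCHIVE_CONF_OPTS += --with-zstd` so the build fails loudly when BR2_PACKAGE_ZSTD is set but the library is not usable.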
@@ -141,7 +147,8 @@ HOST_LIBARCHIVE_CONF_OPTS = \
--without-mbedtls \
--without-nettle \
--without-openssl \
- --without-lzma
+ --without-lzma \
+ --without-zstd
$(eval $(autotools-package))
$(eval $(host-autotools-package))
--
2.25.0
* [Buildroot] [PATCH v2, 1/3] package/libarchive: security bump to version 3.4.2
From: Yann E. MORIN @ 2020-02-29 16:47 UTC (permalink / raw)
To: buildroot
Fabrice, All,
On 2020-02-28 23:12 +0100, Fabrice Fontaine spake thusly:
> - Fix CVE-2020-9308: archive_read_support_format_rar5.c in libarchive
> before 3.4.2 attempts to unpack a RAR5 file with an invalid or
> corrupted header (such as a header size of zero), leading to a SIGSEGV
> or possibly unspecified other impact.
> - Add new mbedtls optional dependency and use --with-nettle to enable
> nettle support, see
> https://github.com/libarchive/libarchive/commit/f96a71144b7725ca4a94d84bd27d7dca8c2f58d2
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
I applied to master, but I forcefully disabled the new optional
dependency on mbedtls for master (as it is a new feature).
Care to resend an updated patch that just adds the new mbedtls dependency?
Thanks!
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* [Buildroot] [PATCH v2, 1/3] package/libarchive: security bump to version 3.4.2
From: Peter Korsgaard @ 2020-03-14 17:39 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2020-9308: archive_read_support_format_rar5.c in libarchive
> before 3.4.2 attempts to unpack a RAR5 file with an invalid or
> corrupted header (such as a header size of zero), leading to a SIGSEGV
> or possibly unspecified other impact.
> - Add new mbedtls optional dependency and use --with-nettle to enable
> nettle support, see
> https://github.com/libarchive/libarchive/commit/f96a71144b7725ca4a94d84bd27d7dca8c2f58d2
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - Add --without-mbedtls to host variant
Committed to 2019.11.x, thanks.
According to https://security-tracker.debian.org/tracker/CVE-2020-9308,
the rar5 support was only added in 3.4.0, so the 3.3.3 version we have
in 2019.02.x is not affected.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH v2, 2/3] package/libarchive: add lz4 optional dependency
From: Thomas Petazzoni @ 2020-04-25 19:56 UTC (permalink / raw)
To: buildroot
On Fri, 28 Feb 2020 23:12:35 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> lz4 is available since version 3.2.0 and
> https://github.com/libarchive/libarchive/commit/724f3f918e509ddca60ce62fad696d7621d3623d
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/libarchive/libarchive.mk | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
> index b7ae5fb0cf..d07f0776a6 100644
> --- a/package/libarchive/libarchive.mk
> +++ b/package/libarchive/libarchive.mk
> @@ -78,6 +78,12 @@ else
> LIBARCHIVE_CONF_OPTS += --without-xml2
> endif
>
> +ifeq ($(BR2_PACKAGE_LZ4),y)
> +LIBARCHIVE_DEPENDENCIES += lz4
I've added an explicit --with-lz4 here and applied. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH v2, 3/3] package/libarchive: add zstd optional dependency
From: Thomas Petazzoni @ 2020-04-25 19:56 UTC (permalink / raw)
To: buildroot
On Fri, 28 Feb 2020 23:12:36 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> zstd is available since version 3.3.3 and
> https://github.com/libarchive/libarchive/commit/26838cf5c17642f57192753cc5c3880b16b65ba3
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/libarchive/libarchive.mk | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
I applied this one... and then reverted because in the meantime
another patch from Thomas DS was merged, which was doing the same thing.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH v2, 2/3] package/libarchive: add lz4 optional dependency
From: Peter Korsgaard @ 2020-05-08 10:06 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
> On Fri, 28 Feb 2020 23:12:35 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>> lz4 is available since version 3.2.0 and
>> https://github.com/libarchive/libarchive/commit/724f3f918e509ddca60ce62fad696d7621d3623d
>>
>> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>> ---
>> package/libarchive/libarchive.mk | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
>> index b7ae5fb0cf..d07f0776a6 100644
>> --- a/package/libarchive/libarchive.mk
>> +++ b/package/libarchive/libarchive.mk
>> @@ -78,6 +78,12 @@ else
>> LIBARCHIVE_CONF_OPTS += --without-xml2
>> endif
>>
>> +ifeq ($(BR2_PACKAGE_LZ4),y)
>> +LIBARCHIVE_DEPENDENCIES += lz4
> I've added an explicit --with-lz4 here and applied. Thanks!
Committed to 2020.02.x, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH v2, 3/3] package/libarchive: add zstd optional dependency
From: Peter Korsgaard @ 2020-05-08 10:07 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
> On Fri, 28 Feb 2020 23:12:36 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>> zstd is available since version 3.3.3 and
>> https://github.com/libarchive/libarchive/commit/26838cf5c17642f57192753cc5c3880b16b65ba3
>>
>> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>> ---
>> package/libarchive/libarchive.mk | 9 ++++++++-
>> 1 file changed, 8 insertions(+), 1 deletion(-)
> I applied this one... and then reverted because in the mean time
> another patch from Thomas DS was merged, which was doing the same thing.
Committed to 2020.02.x + the partial revert, thanks.
--
Bye, Peter Korsgaard