[Buildroot] [PATCH 1/5] package/unzip: make version compliant with release-monitoring

[Buildroot] [PATCH 1/5] package/unzip: make version compliant with release-monitoring

[Fabrice Fontaine]

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/unzip/unzip.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/unzip/unzip.mk b/package/unzip/unzip.mk
index 1d972055de..d435fb6b5d 100644
--- a/package/unzip/unzip.mk
+++ b/package/unzip/unzip.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-UNZIP_VERSION = 60
-UNZIP_SOURCE = unzip$(UNZIP_VERSION).tgz
+UNZIP_VERSION = 6.0
+UNZIP_SOURCE = unzip$(subst .,,$(UNZIP_VERSION)).tgz
 UNZIP_SITE = ftp://ftp.info-zip.org/pub/infozip/src
 UNZIP_LICENSE = Info-ZIP
 UNZIP_LICENSE_FILES = LICENSE
-- 
2.29.2

[Buildroot] [PATCH 2/5] package/unzip: fix URL of patches

[Fabrice Fontaine]

https://sources.debian.org/data/main/u/unzip/6.0-25 is unreachable so
replace it by
https://sources.debian.org/data/main/u/unzip/6.0-26

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/unzip/unzip.mk | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/package/unzip/unzip.mk b/package/unzip/unzip.mk
index d435fb6b5d..0fb452a248 100644
--- a/package/unzip/unzip.mk
+++ b/package/unzip/unzip.mk
@@ -11,22 +11,22 @@ UNZIP_LICENSE = Info-ZIP
 UNZIP_LICENSE_FILES = LICENSE
 
 UNZIP_PATCH = \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/07-increase-size-of-cfactorstr.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/08-allow-greater-hostver-values.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/09-cve-2014-8139-crc-overflow.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/10-cve-2014-8140-test-compr-eb.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/11-cve-2014-8141-getzip64data.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/12-cve-2014-9636-test-compr-eb.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/14-cve-2015-7696.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/15-cve-2015-7697.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/17-restore-unix-timestamps-accurately.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/21-fix-warning-messages-on-big-files.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/07-increase-size-of-cfactorstr.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/08-allow-greater-hostver-values.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/09-cve-2014-8139-crc-overflow.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/10-cve-2014-8140-test-compr-eb.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/11-cve-2014-8141-getzip64data.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/12-cve-2014-9636-test-compr-eb.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/14-cve-2015-7696.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/15-cve-2015-7697.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/17-restore-unix-timestamps-accurately.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/21-fix-warning-messages-on-big-files.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
 
 $(eval $(cmake-package))
-- 
2.29.2

[Buildroot] [PATCH 3/5] package/unzip: add two debian security patches

[Fabrice Fontaine]

While at it, also update indentation in hash file

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/unzip/unzip.hash | 40 +++++++++++++++++++++-------------------
 package/unzip/unzip.mk   |  4 +++-
 2 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/package/unzip/unzip.hash b/package/unzip/unzip.hash
index d05957d5e2..91cd448e46 100644
--- a/package/unzip/unzip.hash
+++ b/package/unzip/unzip.hash
@@ -1,20 +1,22 @@
 # Locally computed:
-sha256 036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37 unzip60.tgz
-sha256 7469b81d5d29ac4fd670f7c86ba0cb9fa34f137a2d4d5198437d92ddf918984b LICENSE
-sha256 66a364d75cea29363768ca6d43dd11b9913a59e42b8da16c4f63516c3e4ce7c1 07-increase-size-of-cfactorstr.patch
-sha256 3a8cfd2702d220c6c119eaf805b018b66460284e585e92adc8a572d190471724 08-allow-greater-hostver-values.patch
-sha256 0a1b23118b2f4a3ed097348ab33050d4f79b3863ab30e6d64ac382589834e3de 09-cve-2014-8139-crc-overflow.patch
-sha256 32b1eda30644c44a8bdb9a02ff08bb2eca107f8eb16dda6992a9b778a0de395e 10-cve-2014-8140-test-compr-eb.patch
-sha256 1f60f6e28b36f3cddb7da64c528cfe29160cefa1232e13bb8a47561f574067a9 11-cve-2014-8141-getzip64data.patch
-sha256 c05885bb48b41603f0893ada88f15c0fae3b3f9f6489f24ad630a400f6271351 12-cve-2014-9636-test-compr-eb.patch
-sha256 788c29727ff0689c3b1828466127758426f6d2c769048aa985950373747c76f3 14-cve-2015-7696.patch
-sha256 e85dab65c3ebf3c4ab3359a4143cfd0efccfd1cac517a4e7bd5f518f41a02b6f 15-cve-2015-7697.patch
-sha256 95dd15d5d9cdf5cea18c357b152930d6d52660599e0fd4907d6405870fdd9fe1 16-fix-integer-underflow-csiz-decrypted.patch
-sha256 ea04cfc8b7ca3b3c03117da0d891870b8c542d26188ef5593fd7e479f4f29f4e 17-restore-unix-timestamps-accurately.patch
-sha256 1872ffdd4d82edd7b1e62c469642bf16a1ca12dd26d41bd3f0b44f0f7602eb63 18-cve-2014-9913-unzip-buffer-overflow.patch
-sha256 60840ea8f5d11a276972fb5b43652cdd49a9ed93b2cc0586ad309bf52104b012 19-cve-2016-9844-zipinfo-buffer-overflow.patch
-sha256 4eabc3faeddd56ebc3d5053486b61f8758d840902725fd555d3472cffb094437 20-cve-2018-1000035-unzip-buffer-overflow.patch
-sha256 df3b0eeea8dcc161a2565e306b5dda13d27de43145e198baaf0eab822321ee7e 21-fix-warning-messages-on-big-files.patch
-sha256 2cf5a89e921da99e883bcde0ea03e2c77ae9185f57efaf35e7d43bc24353cfdc 22-cve-2019-13232-fix-bug-in-undefer-input.patch
-sha256 c8e82c80fc7760f90567118a465e4cfa1b8e5d0a5723f9c70e3d21247e550615 23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
-sha256 37ba0bea723beeb22670babda18bd980368cc6591bc7bd9caa04f62692c7e5ac 24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
+sha256  036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37  unzip60.tgz
+sha256  7469b81d5d29ac4fd670f7c86ba0cb9fa34f137a2d4d5198437d92ddf918984b  LICENSE
+sha256  66a364d75cea29363768ca6d43dd11b9913a59e42b8da16c4f63516c3e4ce7c1  07-increase-size-of-cfactorstr.patch
+sha256  3a8cfd2702d220c6c119eaf805b018b66460284e585e92adc8a572d190471724  08-allow-greater-hostver-values.patch
+sha256  0a1b23118b2f4a3ed097348ab33050d4f79b3863ab30e6d64ac382589834e3de  09-cve-2014-8139-crc-overflow.patch
+sha256  32b1eda30644c44a8bdb9a02ff08bb2eca107f8eb16dda6992a9b778a0de395e  10-cve-2014-8140-test-compr-eb.patch
+sha256  1f60f6e28b36f3cddb7da64c528cfe29160cefa1232e13bb8a47561f574067a9  11-cve-2014-8141-getzip64data.patch
+sha256  c05885bb48b41603f0893ada88f15c0fae3b3f9f6489f24ad630a400f6271351  12-cve-2014-9636-test-compr-eb.patch
+sha256  788c29727ff0689c3b1828466127758426f6d2c769048aa985950373747c76f3  14-cve-2015-7696.patch
+sha256  e85dab65c3ebf3c4ab3359a4143cfd0efccfd1cac517a4e7bd5f518f41a02b6f  15-cve-2015-7697.patch
+sha256  95dd15d5d9cdf5cea18c357b152930d6d52660599e0fd4907d6405870fdd9fe1  16-fix-integer-underflow-csiz-decrypted.patch
+sha256  ea04cfc8b7ca3b3c03117da0d891870b8c542d26188ef5593fd7e479f4f29f4e  17-restore-unix-timestamps-accurately.patch
+sha256  1872ffdd4d82edd7b1e62c469642bf16a1ca12dd26d41bd3f0b44f0f7602eb63  18-cve-2014-9913-unzip-buffer-overflow.patch
+sha256  60840ea8f5d11a276972fb5b43652cdd49a9ed93b2cc0586ad309bf52104b012  19-cve-2016-9844-zipinfo-buffer-overflow.patch
+sha256  4eabc3faeddd56ebc3d5053486b61f8758d840902725fd555d3472cffb094437  20-cve-2018-1000035-unzip-buffer-overflow.patch
+sha256  df3b0eeea8dcc161a2565e306b5dda13d27de43145e198baaf0eab822321ee7e  21-fix-warning-messages-on-big-files.patch
+sha256  2cf5a89e921da99e883bcde0ea03e2c77ae9185f57efaf35e7d43bc24353cfdc  22-cve-2019-13232-fix-bug-in-undefer-input.patch
+sha256  c8e82c80fc7760f90567118a465e4cfa1b8e5d0a5723f9c70e3d21247e550615  23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
+sha256  37ba0bea723beeb22670babda18bd980368cc6591bc7bd9caa04f62692c7e5ac  24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
+sha256  c25fdc17e946e091ec801ad69a56e25c0b73b38c606da95bc602b7d48a46ac3f  25-cve-2019-13232-fix-bug-in-uzbunzip2.patch
+sha256  792ee836836d24ccee26592cb6bb4f4b3ca056c340bf49fc6f9abcfc5a294821  26-cve-2019-13232-fix-bug-in-uzinflate.patch
diff --git a/package/unzip/unzip.mk b/package/unzip/unzip.mk
index 0fb452a248..5efe5bcd09 100644
--- a/package/unzip/unzip.mk
+++ b/package/unzip/unzip.mk
@@ -27,6 +27,8 @@ UNZIP_PATCH = \
 	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/21-fix-warning-messages-on-big-files.patch \
 	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch \
 	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch \
-	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/25-cve-2019-13232-fix-bug-in-uzbunzip2.patch \
+	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/26-cve-2019-13232-fix-bug-in-uzinflate.patch
 
 $(eval $(cmake-package))
-- 
2.29.2

[Buildroot] [PATCH 4/5] package/unzip: add UNZIP_IGNORE_CVES entries

[Fabrice Fontaine]

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/unzip/unzip.mk | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/package/unzip/unzip.mk b/package/unzip/unzip.mk
index 5efe5bcd09..9eff5e0639 100644
--- a/package/unzip/unzip.mk
+++ b/package/unzip/unzip.mk
@@ -31,4 +31,31 @@ UNZIP_PATCH = \
 	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/25-cve-2019-13232-fix-bug-in-uzbunzip2.patch \
 	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/26-cve-2019-13232-fix-bug-in-uzinflate.patch
 
+# 07-increase-size-of-cfactorstr.patch
+UNZIP_IGNORE_CVES += CVE-2018-18384
+# 09-cve-2014-8139-crc-overflow.patch
+UNZIP_IGNORE_CVES += CVE-2014-8139
+# 10-cve-2014-8140-test-compr-eb.patch
+UNZIP_IGNORE_CVES += CVE-2014-8140
+# 11-cve-2014-8141-getzip64data.patch
+UNZIP_IGNORE_CVES += CVE-2014-8141
+# 12-cve-2014-9636-test-compr-eb.patch
+UNZIP_IGNORE_CVES += CVE-2014-9636
+# 14-cve-2015-7696.patch
+UNZIP_IGNORE_CVES += CVE-2015-7696
+# 15-cve-2015-7697.patch
+UNZIP_IGNORE_CVES += CVE-2015-7697
+# 18-cve-2014-9913-unzip-buffer-overflow
+UNZIP_IGNORE_CVES += CVE-2014-9913
+# 19-cve-2016-9844-zipinfo-buffer-overflow.patch
+UNZIP_IGNORE_CVES += CVE-2016-9844
+# 20-cve-2018-1000035-unzip-buffer-overflow.patch
+UNZIP_IGNORE_CVES += CVE-2018-1000035
+# 22-cve-2019-13232-fix-bug-in-undefer-input.patch
+# 23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
+# 24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
+# 25-cve-2019-13232-fix-bug-in-uzbunzip2.patch
+# 26-cve-2019-13232-fix-bug-in-uzinflate.patch
+UNZIP_IGNORE_CVES += CVE-2019-13232
+
 $(eval $(cmake-package))
-- 
2.29.2

[Buildroot] [PATCH 5/5] package/unzip: set UNZIP_CPE_ID_VALID

[Fabrice Fontaine]

cpe:2.3:a:unzip_project:unzip is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aunzip_project%3Aunzip

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/unzip/unzip.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/unzip/unzip.mk b/package/unzip/unzip.mk
index 9eff5e0639..e96a109c2e 100644
--- a/package/unzip/unzip.mk
+++ b/package/unzip/unzip.mk
@@ -9,6 +9,7 @@ UNZIP_SOURCE = unzip$(subst .,,$(UNZIP_VERSION)).tgz
 UNZIP_SITE = ftp://ftp.info-zip.org/pub/infozip/src
 UNZIP_LICENSE = Info-ZIP
 UNZIP_LICENSE_FILES = LICENSE
+UNZIP_CPE_ID_VALID = YES
 
 UNZIP_PATCH = \
 	https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/07-increase-size-of-cfactorstr.patch \
-- 
2.29.2

[Buildroot] [PATCH 1/5] package/unzip: make version compliant with release-monitoring

[Thomas Petazzoni]

On Sun, 17 Jan 2021 18:52:04 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/unzip/unzip.mk | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 2/5] package/unzip: fix URL of patches

[Thomas Petazzoni]

On Sun, 17 Jan 2021 18:52:05 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> https://sources.debian.org/data/main/u/unzip/6.0-25 is unreachable so
> replace it by
> https://sources.debian.org/data/main/u/unzip/6.0-26
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

The problem is that this patch is not really going to fix it for the
long term. Stuff on sources.debian.org come and goes, which is why we
use snapshot.debian.org whenever possible.

So we should probably use
http://snapshot.debian.org/archive/debian-debug/20210110T203547Z/pool/main/u/unzip/unzip_6.0-26.debian.tar.xz
which contains all the Debian patches, but at a stable URL.

Could you have a look at doing this ?

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 5/5] package/unzip: set UNZIP_CPE_ID_VALID

[Thomas Petazzoni]

On Sun, 17 Jan 2021 18:52:08 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> cpe:2.3:a:unzip_project:unzip is a valid CPE identifier for this
> package:
> 
>   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aunzip_project%3Aunzip
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/unzip/unzip.mk | 1 +
>  1 file changed, 1 insertion(+)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com