* [Buildroot] [git commit branch/2021.08.x] package/lrzip: security bump to version 0.641
@ 2021-10-27 10:07 Peter Korsgaard
From: Peter Korsgaard @ 2021-10-27 10:07 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=20ce8f444983c8c5d9f66c2dbd46339153a329a2
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.08.x

- Fix CVE-2021-27347: Use after free in lzma_decompress_buf function in
  stream.c in lrzip 0.631 allows attackers to cause Denial of Service
  (DoS) via a crafted compressed file.
- Fix CVE-2021-27345: A null pointer dereference was discovered in
  ucompthread in stream.c in lrzip 0.631 which allows attackers to cause
  a denial of service (DOS) via a crafted compressed file.
- Fix CVE-2020-25467: A null pointer dereference was discovered in
  lzo_decompress_buf in stream.c in lrzip 0.621 which allows an attacker
  to cause a denial of service (DOS) via a crafted compressed file.
- lz4 is a mandatory dependency since version 0.640 and
  https://github.com/ckolivas/lrzip/commit/3345a239b7f5353a1c1296d6a5d6b90729d4b669

https://github.com/ckolivas/lrzip/compare/7f3bf46203bf45ea115d8bd9f310ea219be88af4...v0.641

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3332c143c0675818beeebf1be6880dc282527519)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/lrzip/Config.in  | 1 +
 package/lrzip/lrzip.hash | 2 +-
 package/lrzip/lrzip.mk   | 6 +++---
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package/lrzip/Config.in b/package/lrzip/Config.in
index 885b84dbb0..870094796b 100644
--- a/package/lrzip/Config.in
+++ b/package/lrzip/Config.in
@@ -5,6 +5,7 @@ config BR2_PACKAGE_LRZIP
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on BR2_INSTALL_LIBSTDCPP
 	select BR2_PACKAGE_ZLIB
+	select BR2_PACKAGE_LZ4
 	select BR2_PACKAGE_LZO
 	select BR2_PACKAGE_BZIP2
 	help
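Review bot: The new `select BR2_PACKAGE_LZ4` is unconditional, and `select` does not enforce the selected symbol's own dependencies, so any `depends on` that BR2_PACKAGE_LZ4 carries must be mirrored in this entry. Only BR2_TOOLCHAIN_HAS_THREADS and BR2_INSTALL_LIBSTDCPP are visible here; please confirm lz4 needs nothing beyond those. Because this lands on a stable branch, existing configurations with lrzip enabled will also gain lz4 on the target, which deserves a line in the release notes.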
diff --git a/package/lrzip/lrzip.hash b/package/lrzip/lrzip.hash
index 3e188c41e5..19295383c3 100644
--- a/package/lrzip/lrzip.hash
+++ b/package/lrzip/lrzip.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  4d31c429491f1378e868afe06867f68f8b1332fdca0758de24cc4da22103acfb  lrzip-7f3bf46203bf45ea115d8bd9f310ea219be88af4.tar.gz
+sha256  9b6b4bb1ae76dafbaab96ec9d50d41af5fed45a6c4f2e06feea828c2cd8025c0  lrzip-0.641.tar.gz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
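Review bot: The replaced sha256 for lrzip-0.641.tar.gz sits under "# Locally computed:", so the hash is the only integrity reference for this security bump and nothing upstream backs it. Since the archive is generated by GitHub from the tag, it is worth confirming the value against a second, independent download before merging. The COPYING hash is unchanged, which is consistent with LRZIP_LICENSE staying at GPL-2.0+.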
diff --git a/package/lrzip/lrzip.mk b/package/lrzip/lrzip.mk
index 7419bb1ed9..409d9912d8 100644
--- a/package/lrzip/lrzip.mk
+++ b/package/lrzip/lrzip.mk
@@ -4,12 +4,12 @@
 #
 ################################################################################
 
-LRZIP_VERSION = 7f3bf46203bf45ea115d8bd9f310ea219be88af4
-LRZIP_SITE = $(call github,ckolivas,lrzip,$(LRZIP_VERSION))
+LRZIP_VERSION = 0.641
+LRZIP_SITE = $(call github,ckolivas,lrzip,v$(LRZIP_VERSION))
 LRZIP_AUTORECONF = YES
 LRZIP_LICENSE = GPL-2.0+
 LRZIP_LICENSE_FILES = COPYING
-LRZIP_DEPENDENCIES = zlib lzo bzip2
+LRZIP_DEPENDENCIES = zlib lz4 lzo bzip2
 
 ifeq ($(BR2_i386)$(BR2_x86_64),y)
 LRZIP_DEPENDENCIES += host-nasm
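Review bot: In `LRZIP_SITE` the download moves from an immutable commit id to the tag `v$(LRZIP_VERSION)`, which upstream can move, so the sha256 in lrzip.hash becomes the only thing pinning the source. That is acceptable as long as the hash check stays in place. The unconditional `lz4` in `LRZIP_DEPENDENCIES` matches the unconditional select in Config.in, which is right for a mandatory dependency. One thing to check: the commit message lists three CVEs, so if the package has a CVE ignore list from earlier backports elsewhere in this file, it should be dropped in the same commit.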