* [Buildroot] [git commit branch/2022.02.x] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587
@ 2022-05-22 10:29 Peter Korsgaard
From: Peter Korsgaard @ 2022-05-22 10:29 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=f9332d7aae9d0e4bbe07ff90171ac46e636854ce
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x
Fixes the following security issue:
- CVE-2022-1271: Malicious filenames can make xzgrep write to arbitrary
files or (with a GNU sed extension) lead to arbitrary code execution.
For more details, see the announcement and advisory:
https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
https://www.zerodayinitiative.com/advisories/ZDI-22-619/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 3c1324248d7855b35652ed367ec815429d559a7e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/xz/xz.hash | 1 +
package/xz/xz.mk | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/package/xz/xz.hash b/package/xz/xz.hash
index 3dd0cbe459..9577e98e80 100644
--- a/package/xz/xz.hash
+++ b/package/xz/xz.hash
@@ -1,5 +1,6 @@
# Locally calculated after checking pgp signature
sha256 5117f930900b341493827d63aa910ff5e011e0b994197c3b71c08a20228a42df xz-5.2.5.tar.bz2
+sha256 98c6cb1042284fe704ec30083f3fc87364ce9ed2ea51f62bbb0ee9d3448717ec xzgrep-ZDI-CAN-16587.patch
# Hash for license files
sha256 bcb02973ef6e87ea73d331b3a80df7748407f17efdb784b61b47e0e610d3bb5c COPYING
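Review bot: the new sha256 line for xzgrep-ZDI-CAN-16587.patch sits under the comment "# Locally calculated after checking pgp signature", which describes how the xz-5.2.5.tar.bz2 hash was verified, not the patch; a downloaded patch is not covered by the tarball's PGP signature. Since the diffstat adds no file under package/xz/, this patch is fetched at download time and this hash is the only thing that pins its contents, so please add a separate comment above the patch hash stating how it was verified (for example against the upstream announcement linked in the commit message), e.g.
# Locally calculated, patch from the upstream advisory
sha256 98c6cb1042284fe704ec30083f3fc87364ce9ed2ea51f62bbb0ee9d3448717ec xzgrep-ZDI-CAN-16587.patch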
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index af611975a0..cdb01e06a9 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -13,6 +13,10 @@ XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
XZ_CPE_ID_VENDOR = tukaani
+XZ_PATCH = xzgrep-ZDI-CAN-16587.patch
+# xzgrep-ZDI-CAN-16587.patch
+XZ_IGNORE_CVES += CVE-2022-1271
+
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
XZ_CONF_OPTS += --enable-threads
else
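Review bot: `XZ_PATCH = xzgrep-ZDI-CAN-16587.patch` declares a download patch (the diffstat shows no file added under package/xz/), so the patch is retrieved from the package's download site alongside the tarball; a short comment on that line saying where the patch is fetched from would save readers from searching the tree for it, and makes clear that the sha256 entry in xz.hash is what guarantees the fetched patch is the one the advisory refers to. The `# xzgrep-ZDI-CAN-16587.patch` comment above `XZ_IGNORE_CVES += CVE-2022-1271` correctly follows the convention of naming the patch that justifies ignoring the CVE.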