All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR
@ 2022-10-23  9:10 Fabrice Fontaine
  2022-10-23  9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2022-10-23  9:10 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

cpe:2.3:a:yann_collet:lz4, which was added by commit
63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE
identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4

cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4

While at it, also drop the note added by commit
45db4bb08e3e550db483d8745fe8aaede2fa7e98

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/lz4/lz4.mk | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 9b9b6198c3..541a03473a 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -9,13 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
 LZ4_INSTALL_STAGING = YES
 LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
 LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
-LZ4_CPE_ID_VENDOR = yann_collet
-
-# CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
-# 1.9.2, while in fact this issue has been fixed since lz4-r130:
-# https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08
-# See https://github.com/lz4/lz4/issues/818
-LZ4_IGNORE_CVES += CVE-2014-4715
+LZ4_CPE_ID_VENDOR = lz4_project
 
 # 0001-Fix-potential-memory-corruption-with-negative-memmov.patch
 LZ4_IGNORE_CVES += CVE-2021-3520
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4
  2022-10-23  9:10 [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Fabrice Fontaine
@ 2022-10-23  9:10 ` Fabrice Fontaine
  2022-11-08 19:55   ` Peter Korsgaard
  2022-10-28  6:54 ` [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Thomas Petazzoni via buildroot
  2022-11-08 19:55 ` Peter Korsgaard
  2 siblings, 1 reply; 5+ messages in thread
From: Fabrice Fontaine @ 2022-10-23  9:10 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

LZ4 v1.9.4 is a maintenance release, featuring a substantial amount
(~350 commits) of minor fixes and improvements, making it a recommended
upgrade. The stable portion of liblz4 API is unmodified, making this
release a drop-in replacement for existing features.

- Drop patch (already in version)
- Update hash of lib/LICENSE (update in year with
  https://github.com/lz4/lz4/commit/87a80acbe7872b9da7d56f7005ffd1b715e87c93)

https://github.com/lz4/lz4/releases/tag/v1.9.4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...mory-corruption-with-negative-memmov.patch | 26 -------------------
 package/lz4/lz4.hash                          |  4 +--
 package/lz4/lz4.mk                            |  5 +---
 3 files changed, 3 insertions(+), 32 deletions(-)
 delete mode 100644 package/lz4/0001-Fix-potential-memory-corruption-with-negative-memmov.patch

diff --git a/package/lz4/0001-Fix-potential-memory-corruption-with-negative-memmov.patch b/package/lz4/0001-Fix-potential-memory-corruption-with-negative-memmov.patch
deleted file mode 100644
index 57e4e38f84..0000000000
--- a/package/lz4/0001-Fix-potential-memory-corruption-with-negative-memmov.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
-From: Jasper Lievisse Adriaanse <j@jasper.la>
-Date: Fri, 26 Feb 2021 15:21:20 +0100
-Subject: [PATCH] Fix potential memory corruption with negative memmove() size
-
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- lib/lz4.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/lz4.c b/lib/lz4.c
-index 5f524d0..c2f504e 100644
---- a/lib/lz4.c
-+++ b/lib/lz4.c
-@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
-                  const size_t dictSize         /* note : = 0 if noDict */
-                  )
- {
--    if (src == NULL) { return -1; }
-+    if ((src == NULL) || (outputSize < 0)) { return -1; }
- 
-     {   const BYTE* ip = (const BYTE*) src;
-         const BYTE* const iend = ip + srcSize;
--- 
-2.20.1
-
diff --git a/package/lz4/lz4.hash b/package/lz4/lz4.hash
index 0b03089ecd..04bd118cfe 100644
--- a/package/lz4/lz4.hash
+++ b/package/lz4/lz4.hash
@@ -1,4 +1,4 @@
 # sha256 locally computed
-sha256  030644df4611007ff7dc962d981f390361e6c97a34e5cbc393ddfbe019ffe2c1  lz4-1.9.3.tar.gz
-sha256  d15d99c8dc6b0ec22174c0e563a95bc40f9363ca7f9d9d793bb5c5a8e8d0af71  lib/LICENSE
+sha256  0b0e3aa07c8c063ddf40b082bdf7e37a1562bda40a0ff5272957f3e987e0e54b  lz4-1.9.4.tar.gz
+sha256  8b58c446121a109ccf32edc094bba3010a3d85e4ee3702950db55e4d3e87736c  lib/LICENSE
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  programs/COPYING
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 541a03473a..5da1ae2703 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -4,16 +4,13 @@
 #
 ################################################################################
 
-LZ4_VERSION = 1.9.3
+LZ4_VERSION = 1.9.4
 LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
 LZ4_INSTALL_STAGING = YES
 LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
 LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
 LZ4_CPE_ID_VENDOR = lz4_project
 
-# 0001-Fix-potential-memory-corruption-with-negative-memmov.patch
-LZ4_IGNORE_CVES += CVE-2021-3520
-
 ifeq ($(BR2_STATIC_LIBS),y)
 LZ4_MAKE_OPTS += BUILD_SHARED=no
 else ifeq ($(BR2_SHARED_LIBS),y)
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR
  2022-10-23  9:10 [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Fabrice Fontaine
  2022-10-23  9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
@ 2022-10-28  6:54 ` Thomas Petazzoni via buildroot
  2022-11-08 19:55 ` Peter Korsgaard
  2 siblings, 0 replies; 5+ messages in thread
From: Thomas Petazzoni via buildroot @ 2022-10-28  6:54 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

On Sun, 23 Oct 2022 11:10:08 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> cpe:2.3:a:yann_collet:lz4, which was added by commit
> 63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE
> identifier for this package:
> 
>   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4
> 
> cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package:
> 
>   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4
> 
> While at it, also drop the note added by commit
> 45db4bb08e3e550db483d8745fe8aaede2fa7e98
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/lz4/lz4.mk | 8 +-------
>  1 file changed, 1 insertion(+), 7 deletions(-)

Both applied, thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR
  2022-10-23  9:10 [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Fabrice Fontaine
  2022-10-23  9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
  2022-10-28  6:54 ` [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Thomas Petazzoni via buildroot
@ 2022-11-08 19:55 ` Peter Korsgaard
  2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2022-11-08 19:55 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > cpe:2.3:a:yann_collet:lz4, which was added by commit
 > 63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE
 > identifier for this package:

 >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4

 > cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package:

 >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4

 > While at it, also drop the note added by commit
 > 45db4bb08e3e550db483d8745fe8aaede2fa7e98

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4
  2022-10-23  9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
@ 2022-11-08 19:55   ` Peter Korsgaard
  0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2022-11-08 19:55 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > LZ4 v1.9.4 is a maintenance release, featuring a substantial amount
 > (~350 commits) of minor fixes and improvements, making it a recommended
 > upgrade. The stable portion of liblz4 API is unmodified, making this
 > release a drop-in replacement for existing features.

 > - Drop patch (already in version)
 > - Update hash of lib/LICENSE (update in year with
 >   https://github.com/lz4/lz4/commit/87a80acbe7872b9da7d56f7005ffd1b715e87c93)

 > https://github.com/lz4/lz4/releases/tag/v1.9.4

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-11-08 19:56 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-23  9:10 [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Fabrice Fontaine
2022-10-23  9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
2022-11-08 19:55   ` Peter Korsgaard
2022-10-28  6:54 ` [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Thomas Petazzoni via buildroot
2022-11-08 19:55 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.