* [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR
@ 2022-10-23 9:10 Fabrice Fontaine
2022-10-23 9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2022-10-23 9:10 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
cpe:2.3:a:yann_collet:lz4, which was added by commit
63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE
identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4
cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4
While at it, also drop the note added by commit
45db4bb08e3e550db483d8745fe8aaede2fa7e98
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/lz4/lz4.mk | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 9b9b6198c3..541a03473a 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -9,13 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
LZ4_INSTALL_STAGING = YES
LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
-LZ4_CPE_ID_VENDOR = yann_collet
-
-# CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
-# 1.9.2, while in fact this issue has been fixed since lz4-r130:
-# https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08
-# See https://github.com/lz4/lz4/issues/818
-LZ4_IGNORE_CVES += CVE-2014-4715
+LZ4_CPE_ID_VENDOR = lz4_project
# 0001-Fix-potential-memory-corruption-with-negative-memmov.patch
LZ4_IGNORE_CVES += CVE-2021-3520
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread* [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4
2022-10-23 9:10 [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Fabrice Fontaine
@ 2022-10-23 9:10 ` Fabrice Fontaine
2022-11-08 19:55 ` Peter Korsgaard
2022-10-28 6:54 ` [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Thomas Petazzoni via buildroot
2022-11-08 19:55 ` Peter Korsgaard
2 siblings, 1 reply; 5+ messages in thread
From: Fabrice Fontaine @ 2022-10-23 9:10 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
LZ4 v1.9.4 is a maintenance release, featuring a substantial amount
(~350 commits) of minor fixes and improvements, making it a recommended
upgrade. The stable portion of liblz4 API is unmodified, making this
release a drop-in replacement for existing features.
- Drop patch (already in version)
- Update hash of lib/LICENSE (update in year with
https://github.com/lz4/lz4/commit/87a80acbe7872b9da7d56f7005ffd1b715e87c93)
https://github.com/lz4/lz4/releases/tag/v1.9.4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...mory-corruption-with-negative-memmov.patch | 26 -------------------
package/lz4/lz4.hash | 4 +--
package/lz4/lz4.mk | 5 +---
3 files changed, 3 insertions(+), 32 deletions(-)
delete mode 100644 package/lz4/0001-Fix-potential-memory-corruption-with-negative-memmov.patch
diff --git a/package/lz4/0001-Fix-potential-memory-corruption-with-negative-memmov.patch b/package/lz4/0001-Fix-potential-memory-corruption-with-negative-memmov.patch
deleted file mode 100644
index 57e4e38f84..0000000000
--- a/package/lz4/0001-Fix-potential-memory-corruption-with-negative-memmov.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
-From: Jasper Lievisse Adriaanse <j@jasper.la>
-Date: Fri, 26 Feb 2021 15:21:20 +0100
-Subject: [PATCH] Fix potential memory corruption with negative memmove() size
-
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- lib/lz4.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/lz4.c b/lib/lz4.c
-index 5f524d0..c2f504e 100644
---- a/lib/lz4.c
-+++ b/lib/lz4.c
-@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
- const size_t dictSize /* note : = 0 if noDict */
- )
- {
-- if (src == NULL) { return -1; }
-+ if ((src == NULL) || (outputSize < 0)) { return -1; }
-
- { const BYTE* ip = (const BYTE*) src;
- const BYTE* const iend = ip + srcSize;
---
-2.20.1
-
diff --git a/package/lz4/lz4.hash b/package/lz4/lz4.hash
index 0b03089ecd..04bd118cfe 100644
--- a/package/lz4/lz4.hash
+++ b/package/lz4/lz4.hash
@@ -1,4 +1,4 @@
# sha256 locally computed
-sha256 030644df4611007ff7dc962d981f390361e6c97a34e5cbc393ddfbe019ffe2c1 lz4-1.9.3.tar.gz
-sha256 d15d99c8dc6b0ec22174c0e563a95bc40f9363ca7f9d9d793bb5c5a8e8d0af71 lib/LICENSE
+sha256 0b0e3aa07c8c063ddf40b082bdf7e37a1562bda40a0ff5272957f3e987e0e54b lz4-1.9.4.tar.gz
+sha256 8b58c446121a109ccf32edc094bba3010a3d85e4ee3702950db55e4d3e87736c lib/LICENSE
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 programs/COPYING
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 541a03473a..5da1ae2703 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -4,16 +4,13 @@
#
################################################################################
-LZ4_VERSION = 1.9.3
+LZ4_VERSION = 1.9.4
LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
LZ4_INSTALL_STAGING = YES
LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
LZ4_CPE_ID_VENDOR = lz4_project
-# 0001-Fix-potential-memory-corruption-with-negative-memmov.patch
-LZ4_IGNORE_CVES += CVE-2021-3520
-
ifeq ($(BR2_STATIC_LIBS),y)
LZ4_MAKE_OPTS += BUILD_SHARED=no
else ifeq ($(BR2_SHARED_LIBS),y)
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR
2022-10-23 9:10 [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Fabrice Fontaine
2022-10-23 9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
@ 2022-10-28 6:54 ` Thomas Petazzoni via buildroot
2022-11-08 19:55 ` Peter Korsgaard
2 siblings, 0 replies; 5+ messages in thread
From: Thomas Petazzoni via buildroot @ 2022-10-28 6:54 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
On Sun, 23 Oct 2022 11:10:08 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> cpe:2.3:a:yann_collet:lz4, which was added by commit
> 63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE
> identifier for this package:
>
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4
>
> cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package:
>
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4
>
> While at it, also drop the note added by commit
> 45db4bb08e3e550db483d8745fe8aaede2fa7e98
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/lz4/lz4.mk | 8 +-------
> 1 file changed, 1 insertion(+), 7 deletions(-)
Both applied, thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR
2022-10-23 9:10 [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Fabrice Fontaine
2022-10-23 9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
2022-10-28 6:54 ` [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Thomas Petazzoni via buildroot
@ 2022-11-08 19:55 ` Peter Korsgaard
2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2022-11-08 19:55 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> cpe:2.3:a:yann_collet:lz4, which was added by commit
> 63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE
> identifier for this package:
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4
> cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package:
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4
> While at it, also drop the note added by commit
> 45db4bb08e3e550db483d8745fe8aaede2fa7e98
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2022.08.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-11-08 19:56 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-23 9:10 [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Fabrice Fontaine
2022-10-23 9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
2022-11-08 19:55 ` Peter Korsgaard
2022-10-28 6:54 ` [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Thomas Petazzoni via buildroot
2022-11-08 19:55 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.