* [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641
@ 2021-10-26 17:09 Fabrice Fontaine
2021-10-26 18:39 ` Peter Korsgaard
2021-10-27 10:09 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-10-26 17:09 UTC (permalink / raw)
To: buildroot; +Cc: Sam Lancia, Fabrice Fontaine
- Fix CVE-2021-27347: Use after free in lzma_decompress_buf function in
stream.c in Irzip 0.631 allows attackers to cause Denial of Service
(DoS) via a crafted compressed file.
- Fix CVE-2021-27345: A null pointer dereference was discovered in
ucompthread in stream.c in Irzip 0.631 which allows attackers to cause
a denial of service (DOS) via a crafted compressed file.
- Fix CVE-2020-25467: A null pointer dereference was discovered
lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker
to cause a denial of service (DOS) via a crafted compressed file.
- lz4 is a mandatory dependency since version 0.640 and
https://github.com/ckolivas/lrzip/commit/3345a239b7f5353a1c1296d6a5d6b90729d4b669
https://github.com/ckolivas/lrzip/compare/7f3bf46203bf45ea115d8bd9f310ea219be88af4...v0.641
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/lrzip/Config.in | 1 +
package/lrzip/lrzip.hash | 2 +-
package/lrzip/lrzip.mk | 6 +++---
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/package/lrzip/Config.in b/package/lrzip/Config.in
index 885b84dbb0..870094796b 100644
--- a/package/lrzip/Config.in
+++ b/package/lrzip/Config.in
@@ -5,6 +5,7 @@ config BR2_PACKAGE_LRZIP
depends on BR2_TOOLCHAIN_HAS_THREADS
depends on BR2_INSTALL_LIBSTDCPP
select BR2_PACKAGE_ZLIB
+ select BR2_PACKAGE_LZ4
select BR2_PACKAGE_LZO
select BR2_PACKAGE_BZIP2
help
diff --git a/package/lrzip/lrzip.hash b/package/lrzip/lrzip.hash
index 3e188c41e5..19295383c3 100644
--- a/package/lrzip/lrzip.hash
+++ b/package/lrzip/lrzip.hash
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 4d31c429491f1378e868afe06867f68f8b1332fdca0758de24cc4da22103acfb lrzip-7f3bf46203bf45ea115d8bd9f310ea219be88af4.tar.gz
+sha256 9b6b4bb1ae76dafbaab96ec9d50d41af5fed45a6c4f2e06feea828c2cd8025c0 lrzip-0.641.tar.gz
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
diff --git a/package/lrzip/lrzip.mk b/package/lrzip/lrzip.mk
index 7419bb1ed9..409d9912d8 100644
--- a/package/lrzip/lrzip.mk
+++ b/package/lrzip/lrzip.mk
@@ -4,12 +4,12 @@
#
################################################################################
-LRZIP_VERSION = 7f3bf46203bf45ea115d8bd9f310ea219be88af4
-LRZIP_SITE = $(call github,ckolivas,lrzip,$(LRZIP_VERSION))
+LRZIP_VERSION = 0.641
+LRZIP_SITE = $(call github,ckolivas,lrzip,v$(LRZIP_VERSION))
LRZIP_AUTORECONF = YES
LRZIP_LICENSE = GPL-2.0+
LRZIP_LICENSE_FILES = COPYING
-LRZIP_DEPENDENCIES = zlib lzo bzip2
+LRZIP_DEPENDENCIES = zlib lz4 lzo bzip2
ifeq ($(BR2_i386)$(BR2_x86_64),y)
LRZIP_DEPENDENCIES += host-nasm
--
2.33.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641
2021-10-26 17:09 [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641 Fabrice Fontaine
@ 2021-10-26 18:39 ` Peter Korsgaard
2021-10-27 10:09 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-10-26 18:39 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Sam Lancia, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2021-27347: Use after free in lzma_decompress_buf function in
> stream.c in Irzip 0.631 allows attackers to cause Denial of Service
> (DoS) via a crafted compressed file.
> - Fix CVE-2021-27345: A null pointer dereference was discovered in
> ucompthread in stream.c in Irzip 0.631 which allows attackers to cause
> a denial of service (DOS) via a crafted compressed file.
> - Fix CVE-2020-25467: A null pointer dereference was discovered
> lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker
> to cause a denial of service (DOS) via a crafted compressed file.
> - lz4 is a mandatory dependency since version 0.640 and
> https://github.com/ckolivas/lrzip/commit/3345a239b7f5353a1c1296d6a5d6b90729d4b669
> https://github.com/ckolivas/lrzip/compare/7f3bf46203bf45ea115d8bd9f310ea219be88af4...v0.641
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641
2021-10-26 17:09 [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641 Fabrice Fontaine
2021-10-26 18:39 ` Peter Korsgaard
@ 2021-10-27 10:09 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-10-27 10:09 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Sam Lancia, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2021-27347: Use after free in lzma_decompress_buf function in
> stream.c in Irzip 0.631 allows attackers to cause Denial of Service
> (DoS) via a crafted compressed file.
> - Fix CVE-2021-27345: A null pointer dereference was discovered in
> ucompthread in stream.c in Irzip 0.631 which allows attackers to cause
> a denial of service (DOS) via a crafted compressed file.
> - Fix CVE-2020-25467: A null pointer dereference was discovered
> lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker
> to cause a denial of service (DOS) via a crafted compressed file.
> - lz4 is a mandatory dependency since version 0.640 and
> https://github.com/ckolivas/lrzip/commit/3345a239b7f5353a1c1296d6a5d6b90729d4b669
> https://github.com/ckolivas/lrzip/compare/7f3bf46203bf45ea115d8bd9f310ea219be88af4...v0.641
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-27 10:09 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-26 17:09 [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641 Fabrice Fontaine
2021-10-26 18:39 ` Peter Korsgaard
2021-10-27 10:09 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.