All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641
@ 2021-10-26 17:09 Fabrice Fontaine
  2021-10-26 18:39 ` Peter Korsgaard
  2021-10-27 10:09 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-10-26 17:09 UTC (permalink / raw)
  To: buildroot; +Cc: Sam Lancia, Fabrice Fontaine

- Fix CVE-2021-27347: Use after free in lzma_decompress_buf function in
  stream.c in Irzip 0.631 allows attackers to cause Denial of Service
  (DoS) via a crafted compressed file.
- Fix CVE-2021-27345: A null pointer dereference was discovered in
  ucompthread in stream.c in Irzip 0.631 which allows attackers to cause
  a denial of service (DOS) via a crafted compressed file.
- Fix CVE-2020-25467: A null pointer dereference was discovered
  lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker
  to cause a denial of service (DOS) via a crafted compressed file.
- lz4 is a mandatory dependency since version 0.640 and
  https://github.com/ckolivas/lrzip/commit/3345a239b7f5353a1c1296d6a5d6b90729d4b669

https://github.com/ckolivas/lrzip/compare/7f3bf46203bf45ea115d8bd9f310ea219be88af4...v0.641

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/lrzip/Config.in  | 1 +
 package/lrzip/lrzip.hash | 2 +-
 package/lrzip/lrzip.mk   | 6 +++---
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package/lrzip/Config.in b/package/lrzip/Config.in
index 885b84dbb0..870094796b 100644
--- a/package/lrzip/Config.in
+++ b/package/lrzip/Config.in
@@ -5,6 +5,7 @@ config BR2_PACKAGE_LRZIP
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on BR2_INSTALL_LIBSTDCPP
 	select BR2_PACKAGE_ZLIB
+	select BR2_PACKAGE_LZ4
 	select BR2_PACKAGE_LZO
 	select BR2_PACKAGE_BZIP2
 	help
diff --git a/package/lrzip/lrzip.hash b/package/lrzip/lrzip.hash
index 3e188c41e5..19295383c3 100644
--- a/package/lrzip/lrzip.hash
+++ b/package/lrzip/lrzip.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  4d31c429491f1378e868afe06867f68f8b1332fdca0758de24cc4da22103acfb  lrzip-7f3bf46203bf45ea115d8bd9f310ea219be88af4.tar.gz
+sha256  9b6b4bb1ae76dafbaab96ec9d50d41af5fed45a6c4f2e06feea828c2cd8025c0  lrzip-0.641.tar.gz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/lrzip/lrzip.mk b/package/lrzip/lrzip.mk
index 7419bb1ed9..409d9912d8 100644
--- a/package/lrzip/lrzip.mk
+++ b/package/lrzip/lrzip.mk
@@ -4,12 +4,12 @@
 #
 ################################################################################
 
-LRZIP_VERSION = 7f3bf46203bf45ea115d8bd9f310ea219be88af4
-LRZIP_SITE = $(call github,ckolivas,lrzip,$(LRZIP_VERSION))
+LRZIP_VERSION = 0.641
+LRZIP_SITE = $(call github,ckolivas,lrzip,v$(LRZIP_VERSION))
 LRZIP_AUTORECONF = YES
 LRZIP_LICENSE = GPL-2.0+
 LRZIP_LICENSE_FILES = COPYING
-LRZIP_DEPENDENCIES = zlib lzo bzip2
+LRZIP_DEPENDENCIES = zlib lz4 lzo bzip2
 
 ifeq ($(BR2_i386)$(BR2_x86_64),y)
 LRZIP_DEPENDENCIES += host-nasm
-- 
2.33.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641
  2021-10-26 17:09 [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641 Fabrice Fontaine
@ 2021-10-26 18:39 ` Peter Korsgaard
  2021-10-27 10:09 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-10-26 18:39 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Sam Lancia, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2021-27347: Use after free in lzma_decompress_buf function in
 >   stream.c in Irzip 0.631 allows attackers to cause Denial of Service
 >   (DoS) via a crafted compressed file.
 > - Fix CVE-2021-27345: A null pointer dereference was discovered in
 >   ucompthread in stream.c in Irzip 0.631 which allows attackers to cause
 >   a denial of service (DOS) via a crafted compressed file.
 > - Fix CVE-2020-25467: A null pointer dereference was discovered
 >   lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker
 >   to cause a denial of service (DOS) via a crafted compressed file.
 > - lz4 is a mandatory dependency since version 0.640 and
 >   https://github.com/ckolivas/lrzip/commit/3345a239b7f5353a1c1296d6a5d6b90729d4b669

 > https://github.com/ckolivas/lrzip/compare/7f3bf46203bf45ea115d8bd9f310ea219be88af4...v0.641

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641
  2021-10-26 17:09 [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641 Fabrice Fontaine
  2021-10-26 18:39 ` Peter Korsgaard
@ 2021-10-27 10:09 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-10-27 10:09 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Sam Lancia, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2021-27347: Use after free in lzma_decompress_buf function in
 >   stream.c in Irzip 0.631 allows attackers to cause Denial of Service
 >   (DoS) via a crafted compressed file.
 > - Fix CVE-2021-27345: A null pointer dereference was discovered in
 >   ucompthread in stream.c in Irzip 0.631 which allows attackers to cause
 >   a denial of service (DOS) via a crafted compressed file.
 > - Fix CVE-2020-25467: A null pointer dereference was discovered
 >   lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker
 >   to cause a denial of service (DOS) via a crafted compressed file.
 > - lz4 is a mandatory dependency since version 0.640 and
 >   https://github.com/ckolivas/lrzip/commit/3345a239b7f5353a1c1296d6a5d6b90729d4b669

 > https://github.com/ckolivas/lrzip/compare/7f3bf46203bf45ea115d8bd9f310ea219be88af4...v0.641

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2021.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-27 10:09 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-26 17:09 [Buildroot] [PATCH 1/1] package/lrzip: security bump to version 0.641 Fabrice Fontaine
2021-10-26 18:39 ` Peter Korsgaard
2021-10-27 10:09 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.