kumquat-buildroot/package/patch/patch.mk

################################################################################
#
# patch
#
################################################################################

PATCH_VERSION = 2.7.6
PATCH_SOURCE = patch-$(PATCH_VERSION).tar.xz
PATCH_SITE = $(BR2_GNU_MIRROR)/patch
PATCH_LICENSE = GPL-3.0+
PATCH_LICENSE_FILES = COPYING
PATCH_CPE_ID_VENDOR = gnu

# 0001-Fix-segfault-with-mangled-rename-patch.patch
PATCH_IGNORE_CVES += CVE-2018-6951

# 0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
PATCH_IGNORE_CVES += CVE-2018-1000156

# 0004-Invoke-ed-directly-instead-of-using-the-shell.patch
PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638

# 0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
PATCH_IGNORE_CVES += CVE-2019-13636

ifeq ($(BR2_PACKAGE_ATTR),y)
PATCH_CONF_OPTS += --enable-xattr
PATCH_DEPENDENCIES += attr
else
PATCH_CONF_OPTS += --disable-xattr
endif

$(eval $(autotools-package))
Normalize separator size to 80 Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2013-06-06 01:53:30 +02:00			`################################################################################`
Add support for several new utilities 2003-02-12 11:40:28 +01:00			`#`
			`# patch`
			`#`
Normalize separator size to 80 Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2013-06-06 01:53:30 +02:00			`################################################################################`
patch: needs toolchain with wchar * Patch needs a toolchain with WCHAR support * Use real upstream gnu mirror Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2010-12-17 16:29:09 +01:00
patch: security bump to version 2.7.6 Fixes CVE-2016-10713: Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file. Add upstream patch fixing CVE-2018-6951: There is a segmentation fault, associated with a NULL pointer dereference, leading to a denial of service in the intuit_diff_type function in pch.c, aka a "mangled rename" issue. This bump does NOT fix CVE-2018-6952. See upstream bug #53133 (https://savannah.gnu.org/bugs/index.php?53133). Add license file hash. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2018-02-23 06:22:31 +01:00			`PATCH_VERSION = 2.7.6`
change package tarball compression to xz whenever possible [Peter: leave change xz tarball format to not end up with circular deps] Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2013-09-06 08:14:15 +02:00			`PATCH_SOURCE = patch-$(PATCH_VERSION).tar.xz`
patch: needs toolchain with wchar * Patch needs a toolchain with WCHAR support * Use real upstream gnu mirror Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2010-12-17 16:29:09 +01:00			`PATCH_SITE = $(BR2_GNU_MIRROR)/patch`
boot, package: use SPDX short identifier for GPLv3/GPLv3+ We want to use SPDX identifier for license string as much as possible. SPDX short identifier for GPLv3/GPLv3+ is GPL-3.0/GPL-3.0+. This change is done using following command. find . -name "*.mk" \| xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv3\>/GPL-3.0/g' Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com> Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-03-30 15:43:33 +02:00			`PATCH_LICENSE = GPL-3.0+`
patch: fix license information Signed-off-by: Simon Dawson <spdawson@gmail.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2013-05-08 01:40:07 +02:00			`PATCH_LICENSE_FILES = COPYING`
package/patch: add PATCH_CPE_ID_VENDOR cpe:2.3:a:gnu:patch is a valid CPE identifier for this package: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Apatch Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2021-01-17 12:43:00 +01:00			`PATCH_CPE_ID_VENDOR = gnu`
Add support for several new utilities 2003-02-12 11:40:28 +01:00
package/patch: annote CVE-2018-6951 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2020-03-03 20:46:59 +01:00			`# 0001-Fix-segfault-with-mangled-rename-patch.patch`
			`PATCH_IGNORE_CVES += CVE-2018-6951`

package/patch: annotate CVE-2018-1000156 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2020-03-03 20:47:00 +01:00			`# 0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch`
			`PATCH_IGNORE_CVES += CVE-2018-1000156`

package/patch: fix CVE-2018-20969 do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2020-03-03 20:47:01 +01:00			`# 0004-Invoke-ed-directly-instead-of-using-the-shell.patch`
package/patch: annotate CVE-2019-13638 GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2020-03-03 20:47:03 +01:00			`PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638`
package/patch: fix CVE-2018-20969 do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2020-03-03 20:47:01 +01:00
package/patch: fix CVE-2019-13636 In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2020-03-03 20:47:02 +01:00			`# 0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch`
			`PATCH_IGNORE_CVES += CVE-2019-13636`

package/patch: add optional support for attr When attr was compiled before, patch will use it as optional dependency: $ output/host/usr/bin/x86_64-linux-readelf -a output/target/usr/bin/patch \| grep NEEDED 0x0000000000000001 (NEEDED) Shared library: [libattr.so.1] 0x0000000000000001 (NEEDED) Shared library: [libc.so.1] Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-02-21 10:50:05 +01:00			`ifeq ($(BR2_PACKAGE_ATTR),y)`
package/patch: fix xattr option The name of the configure option is, and has always been, --enable-xattr, not --enable-attr. Otherwise, configure whines: configure: WARNING: unrecognized options: --enable-attr Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2018-05-06 13:57:51 +02:00			`PATCH_CONF_OPTS += --enable-xattr`
package/patch: add optional support for attr When attr was compiled before, patch will use it as optional dependency: $ output/host/usr/bin/x86_64-linux-readelf -a output/target/usr/bin/patch \| grep NEEDED 0x0000000000000001 (NEEDED) Shared library: [libattr.so.1] 0x0000000000000001 (NEEDED) Shared library: [libc.so.1] Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-02-21 10:50:05 +01:00			`PATCH_DEPENDENCIES += attr`
			`else`
package/patch: fix xattr option The name of the configure option is, and has always been, --enable-xattr, not --enable-attr. Otherwise, configure whines: configure: WARNING: unrecognized options: --enable-attr Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2018-05-06 13:57:51 +02:00			`PATCH_CONF_OPTS += --disable-xattr`
package/patch: add optional support for attr When attr was compiled before, patch will use it as optional dependency: $ output/host/usr/bin/x86_64-linux-readelf -a output/target/usr/bin/patch \| grep NEEDED 0x0000000000000001 (NEEDED) Shared library: [libattr.so.1] 0x0000000000000001 (NEEDED) Shared library: [libc.so.1] Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-02-21 10:50:05 +01:00			`endif`

all packages: rename XXXTARGETS to xxx-package Also remove the redundant $(call ...). This is a purely mechanical change, performed with find package linux toolchain boot -name \*.mk \| \ xargs sed -i -e 's/$(eval $(call GENTARGETS))/$(eval $(generic-package))/' \ -e 's/$(eval $(call AUTOTARGETS))/$(eval $(autotools-package))/' \ -e 's/$(eval $(call CMAKETARGETS))/$(eval $(cmake-package))/' Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2012-07-03 00:07:32 +02:00			`$(eval $(autotools-package))`