kumquat-buildroot/package/libarchive/libarchive.mk

132 lines
3.0 KiB
Makefile
Raw Normal View History

################################################################################
#
# libarchive
#
################################################################################
libarchive: security bump to version 3.3.2 CVE-2016-8687: Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename. CVE-2016-8688: The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c. CVE-2016-8689: The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive. CVE-2016-10209: The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file. CVE-2016-10349: The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. CVE-2016-10350: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. CVE-2017-5601: An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. Add upstream patch fixing the following issue: CVE-2017-14166: libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-09-09 22:02:53 +02:00
LIBARCHIVE_VERSION = 3.3.2
LIBARCHIVE_SITE = http://www.libarchive.org/downloads
LIBARCHIVE_INSTALL_STAGING = YES
LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause
LIBARCHIVE_LICENSE_FILES = COPYING
ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
ifeq ($(BR2_STATIC_LIBS),y)
LIBARCHIVE_CONF_OPTS += --enable-bsdtar=static
else
LIBARCHIVE_CONF_OPTS += --enable-bsdtar=shared
endif
else
LIBARCHIVE_CONF_OPTS += --disable-bsdtar
endif
ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDCPIO),y)
ifeq ($(BR2_STATIC_LIBS),y)
LIBARCHIVE_CONF_OPTS += --enable-bsdcpio=static
else
LIBARCHIVE_CONF_OPTS += --enable-bsdcpio=shared
endif
else
LIBARCHIVE_CONF_OPTS += --disable-bsdcpio
endif
ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDCAT),y)
ifeq ($(BR2_STATIC_LIBS),y)
LIBARCHIVE_CONF_OPTS += --enable-bsdcat=static
else
LIBARCHIVE_CONF_OPTS += --enable-bsdcat=shared
endif
else
LIBARCHIVE_CONF_OPTS += --disable-bsdcat
endif
ifeq ($(BR2_PACKAGE_ACL),y)
LIBARCHIVE_DEPENDENCIES += acl
else
LIBARCHIVE_CONF_OPTS += --disable-acl
endif
ifeq ($(BR2_PACKAGE_ATTR),y)
LIBARCHIVE_DEPENDENCIES += attr
else
LIBARCHIVE_CONF_OPTS += --disable-xattr
endif
ifeq ($(BR2_PACKAGE_BZIP2),y)
LIBARCHIVE_CONF_OPTS += --with-bz2lib
LIBARCHIVE_DEPENDENCIES += bzip2
else
LIBARCHIVE_CONF_OPTS += --without-bz2lib
endif
ifeq ($(BR2_PACKAGE_EXPAT),y)
LIBARCHIVE_DEPENDENCIES += expat
else
LIBARCHIVE_CONF_OPTS += --without-expat
endif
ifeq ($(BR2_PACKAGE_LIBICONV),y)
LIBARCHIVE_DEPENDENCIES += libiconv
else
LIBARCHIVE_CONF_OPTS += --without-libiconv-prefix
endif
ifeq ($(BR2_PACKAGE_LIBXML2),y)
LIBARCHIVE_DEPENDENCIES += libxml2
LIBARCHIVE_CONF_ENV += XML2_CONFIG=$(STAGING_DIR)/usr/bin/xml2-config
else
LIBARCHIVE_CONF_OPTS += --without-xml2
endif
ifeq ($(BR2_PACKAGE_LZO),y)
LIBARCHIVE_DEPENDENCIES += lzo
else
LIBARCHIVE_CONF_OPTS += --without-lzo2
endif
ifeq ($(BR2_PACKAGE_NETTLE),y)
LIBARCHIVE_DEPENDENCIES += nettle
else
LIBARCHIVE_CONF_OPTS += --without-nettle
endif
ifeq ($(BR2_PACKAGE_OPENSSL),y)
LIBARCHIVE_DEPENDENCIES += openssl
else
LIBARCHIVE_CONF_OPTS += --without-openssl
endif
ifeq ($(BR2_PACKAGE_ZLIB),y)
LIBARCHIVE_DEPENDENCIES += zlib
else
LIBARCHIVE_CONF_OPTS += --without-zlib
endif
# libarchive requires LZMA with thread support in the toolchain
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS)$(BR2_PACKAGE_XZ),yy)
LIBARCHIVE_DEPENDENCIES += xz
LIBARCHIVE_CONF_OPTS += --with-lzma
else
LIBARCHIVE_CONF_OPTS += --without-lzma
endif
# The only user of host-libarchive needs zlib support
HOST_LIBARCHIVE_DEPENDENCIES = host-zlib
HOST_LIBARCHIVE_CONF_OPTS = \
--disable-bsdtar \
--disable-bsdcpio \
--disable-bsdcat \
--disable-acl \
--disable-xattr \
--without-bz2lib \
--without-expat \
--without-libiconv-prefix \
--without-xml2 \
--without-lzo2 \
--without-nettle \
--without-openssl \
--without-lzma
$(eval $(autotools-package))
$(eval $(host-autotools-package))