NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8a41504896
kumquat-buildroot/package/lrzip/lrzip.mk

22 lines
579 B
Makefile
Raw Normal View History

package/lrzip: new package lrzip is a compression utility that excels at compressing large files (usually > 10-50 MB) Signed-off-by: Sam Lancia <sam@gpsm.co.uk> [Thomas: license is GPL-2.0+, not GPL-2.0] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-09-08 10:03:16 +02:00
################################################################################
#
# lrzip
#
################################################################################
package/lrzip: bump to 7f3bf46203bf45ea115d8bd9f310ea219be88af4 This bump contains only one commit that fix a build failure with asm: https://github.com/ckolivas/lrzip/commit/844b8c057c8c7372ca41ad2efdbf849f45c24506 Fixes: - http://autobuild.buildroot.org/results/800d8a97966ef75dbf20e85ec8a02766ba02cc76 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-23 10:36:23 +02:00
LRZIP_VERSION = 7f3bf46203bf45ea115d8bd9f310ea219be88af4
package/lrzip: security bump to 8781292dd5833c04eeead51d4a5bd02dc6432dc7 Bump to latest upstream commit as it fixes a huge number of CVEs. Some of them can't be linked to a given commit (e.g. https://github.com/ckolivas/lrzip/issues/67). Moreover, upstream does not plan to tag a new release any time soon: https://github.com/ckolivas/lrzip/issues/99 - Fix CVE-2017-8842: The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted archive. - Fix CVE-2017-8843: The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive. - Fix CVE-2017-8844: The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted archive. - Fix CVE-2017-8845: The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lrzip 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive. - Fix CVE-2017-8846: The read_stream function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted archive. - Fix CVE-2017-8847: The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive. - Fix CVE-2017-9928: In lrzip 0.631, a stack buffer overflow was found in the function get_fileinfo in lrzip.c:979, which allows attackers to cause a denial of service via a crafted file. - Fix CVE-2017-9929: In lrzip 0.631, a stack buffer overflow was found in the function get_fileinfo in lrzip.c:1074, which allows attackers to cause a denial of service via a crafted file. - Fix CVE-2018-5747: In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the ucompthread function (stream.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file. - Fix CVE-2018-11496: In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation. Also: - update indentation of hash file (two spaces) - drop patch (already in version) - manage host-nasm dependency which is enabled by default and has been fixed by: https://github.com/ckolivas/lrzip/commit/9f16f65705e2f1e11c41647405adcce6a12d286c Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-16 10:19:38 +02:00
LRZIP_SITE = $(call github,ckolivas,lrzip,$(LRZIP_VERSION))
package/lrzip: new package lrzip is a compression utility that excels at compressing large files (usually > 10-50 MB) Signed-off-by: Sam Lancia <sam@gpsm.co.uk> [Thomas: license is GPL-2.0+, not GPL-2.0] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-09-08 10:03:16 +02:00
LRZIP_AUTORECONF = YES
LRZIP_LICENSE = GPL-2.0+
LRZIP_LICENSE_FILES = COPYING
LRZIP_DEPENDENCIES = zlib lzo bzip2
package/lrzip: security bump to 8781292dd5833c04eeead51d4a5bd02dc6432dc7 Bump to latest upstream commit as it fixes a huge number of CVEs. Some of them can't be linked to a given commit (e.g. https://github.com/ckolivas/lrzip/issues/67). Moreover, upstream does not plan to tag a new release any time soon: https://github.com/ckolivas/lrzip/issues/99 - Fix CVE-2017-8842: The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted archive. - Fix CVE-2017-8843: The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive. - Fix CVE-2017-8844: The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted archive. - Fix CVE-2017-8845: The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lrzip 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive. - Fix CVE-2017-8846: The read_stream function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted archive. - Fix CVE-2017-8847: The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive. - Fix CVE-2017-9928: In lrzip 0.631, a stack buffer overflow was found in the function get_fileinfo in lrzip.c:979, which allows attackers to cause a denial of service via a crafted file. - Fix CVE-2017-9929: In lrzip 0.631, a stack buffer overflow was found in the function get_fileinfo in lrzip.c:1074, which allows attackers to cause a denial of service via a crafted file. - Fix CVE-2018-5747: In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the ucompthread function (stream.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file. - Fix CVE-2018-11496: In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation. Also: - update indentation of hash file (two spaces) - drop patch (already in version) - manage host-nasm dependency which is enabled by default and has been fixed by: https://github.com/ckolivas/lrzip/commit/9f16f65705e2f1e11c41647405adcce6a12d286c Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-16 10:19:38 +02:00
ifeq ($(BR2_i386)$(BR2_x86_64),y)
LRZIP_DEPENDENCIES += host-nasm
LRZIP_CONF_OPTS += --enable-asm
else
LRZIP_CONF_OPTS += --disable-asm
endif
package/lrzip: new package lrzip is a compression utility that excels at compressing large files (usually > 10-50 MB) Signed-off-by: Sam Lancia <sam@gpsm.co.uk> [Thomas: license is GPL-2.0+, not GPL-2.0] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-09-08 10:03:16 +02:00
$(eval $(autotools-package))
Reference in New Issue Copy Permalink