kumquat-buildroot/package/unzip/unzip.mk

################################################################################
#
# unzip
#
################################################################################

UNZIP_VERSION = 6.0
UNZIP_SOURCE = unzip_$(UNZIP_VERSION).orig.tar.gz
UNZIP_PATCH = unzip_$(UNZIP_VERSION)-26.debian.tar.xz
UNZIP_SITE = https://snapshot.debian.org/archive/debian/20210110T204103Z/pool/main/u/unzip
UNZIP_LICENSE = Info-ZIP
UNZIP_LICENSE_FILES = LICENSE
UNZIP_CPE_ID_VENDOR = unzip_project

# unzip_$(UNZIP_VERSION)-26.debian.tar.xz has patches to fix:
UNZIP_IGNORE_CVES = \
	CVE-2014-8139 \
	CVE-2014-8140 \
	CVE-2014-8141 \
	CVE-2014-9636 \
	CVE-2014-9913 \
	CVE-2015-7696 \
	CVE-2015-7697 \
	CVE-2016-9844 \
	CVE-2018-18384 \
	CVE-2018-1000035 \
	CVE-2019-13232

$(eval $(cmake-package))
unzip: new package Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net> Cc: Romain Naour <romain.naour@openwide.fr> Cc: Jan Pedersen <jp@jp-embedded.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-12-01 11:53:29 +01:00			`################################################################################`
			`#`
			`# unzip`
			`#`
			`################################################################################`

package/unzip: make version compliant with release-monitoring Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2021-01-17 18:52:04 +01:00			`UNZIP_VERSION = 6.0`
package/unzip: switch to debian https://sources.debian.org/data/main/u/unzip/6.0-25 is unreachable so switch to the debian archive provided by snapshot.debian.org to retrieve all debian patches at once. While at it, also update indentation in hash file and add UNZIP_IGNORE_CVES entries. The Debian patch archive we refernce brings in a large set of patches, some of them fixing CVEs. Since we only cary the Debian patch archive as a single entity, just refer to it to identify all the CVEs the individual patches there in are fixng. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> [yann.morin.1998@free.fr: - don't wrap _SITE line that is anyway too long even when wrapped - don't enumerate Debian patches one by one, just refere to them globally - as a consequence, reorder CVEs ] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> 2021-01-18 23:14:19 +01:00			`UNZIP_SOURCE = unzip_$(UNZIP_VERSION).orig.tar.gz`
			`UNZIP_PATCH = unzip_$(UNZIP_VERSION)-26.debian.tar.xz`
			`UNZIP_SITE = https://snapshot.debian.org/archive/debian/20210110T204103Z/pool/main/u/unzip`
unzip: new package Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net> Cc: Romain Naour <romain.naour@openwide.fr> Cc: Jan Pedersen <jp@jp-embedded.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-12-01 11:53:29 +01:00			`UNZIP_LICENSE = Info-ZIP`
			`UNZIP_LICENSE_FILES = LICENSE`
package: drop _CPE_ID_VALID, use _CPE_ID_VENDOR FOO_CPE_ID_VALID really ought to be an internal implementaion detail. Packages that really want to trigger their CPE defintitions really should set one of the actual variables to a meaningful value. There are two CPE-related variables that we could chose to set to replace FOO_CPE_ID_VALID: FOO_CPE_ID_VENDOR and FOO_CPE_ID_PRODUCT. Between those two, _VENDOR more often diverges from the default than _PRODUCT does, so that's what we use. ---8<------8<------8<------8<------8<--- #!/bin/bash # Replace FOO_CPE_ID_VALID = YES with FOO_CPE_ID_VENDOR = foo_project for i in $(git grep -l -E '[^)]_CPE_ID_VALID = YES' package support); do pkg="$(basename "${i%/*}")" sed -r -i -e "s/_CPE_ID_VALID = YES/_CPE_ID_VENDOR = ${pkg}_project/" "${i}" done ---8<------8<------8<------8<------8<--- Reported-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Cc: Matthew Weber <matthew.weber@rockwellcollins.com> Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com> [Peter: update cpe-test comment to reflect pkg3 change] Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2021-03-05 23:27:44 +01:00			`UNZIP_CPE_ID_VENDOR = unzip_project`
unzip: new package Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net> Cc: Romain Naour <romain.naour@openwide.fr> Cc: Jan Pedersen <jp@jp-embedded.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-12-01 11:53:29 +01:00
package/unzip: switch to debian https://sources.debian.org/data/main/u/unzip/6.0-25 is unreachable so switch to the debian archive provided by snapshot.debian.org to retrieve all debian patches at once. While at it, also update indentation in hash file and add UNZIP_IGNORE_CVES entries. The Debian patch archive we refernce brings in a large set of patches, some of them fixing CVEs. Since we only cary the Debian patch archive as a single entity, just refer to it to identify all the CVEs the individual patches there in are fixng. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> [yann.morin.1998@free.fr: - don't wrap _SITE line that is anyway too long even when wrapped - don't enumerate Debian patches one by one, just refere to them globally - as a consequence, reorder CVEs ] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> 2021-01-18 23:14:19 +01:00			`# unzip_$(UNZIP_VERSION)-26.debian.tar.xz has patches to fix:`
			`UNZIP_IGNORE_CVES = \`
			`CVE-2014-8139 \`
			`CVE-2014-8140 \`
			`CVE-2014-8141 \`
			`CVE-2014-9636 \`
			`CVE-2014-9913 \`
			`CVE-2015-7696 \`
			`CVE-2015-7697 \`
			`CVE-2016-9844 \`
			`CVE-2018-18384 \`
			`CVE-2018-1000035 \`
			`CVE-2019-13232`
package/unzip: add security and bug fix patches from Debian Debian bug #741384: Buffer overflow Debian bug #744212: Buffer overflow CVE-2014-8139: CRC32 verification heap-based overflow CVE-2014-8140: Out-of-bounds write issue in test_compr_eb() CVE-2014-8141: Out-of-bounds read issues in getZip64Data() CVE-2014-9636: Heap overflow CVE-2015-7696: Heap overflow when extracting password-protected archive CVE-2015-7697: Infinite loop when extracting password-protected archive Red Hat Bugzilla #1260944: Unsigned overflow on invalid input Debian bug #842993: Do not ignore Unix Timestamps CVE-2014-9913: Buffer overflow CVE-2016-9844: Buffer overflow in zipinfo CVE-2018-1000035: Buffer overflow in password protected ZIP archives Cc: Luca Ceresoli <luca@lucaceresoli.net> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2019-02-22 06:36:34 +01:00
unzip: new package Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net> Cc: Romain Naour <romain.naour@openwide.fr> Cc: Jan Pedersen <jp@jp-embedded.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-12-01 11:53:29 +01:00			`$(eval $(cmake-package))`