From 1adf0b06988b43752ed02a6b9ae308e0c09f88f5 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Sun, 16 Oct 2022 00:26:05 +0200 Subject: [PATCH] package/lrzip: security bump to version 0.651 - Fix CVE-2022-26291: lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted Irz file. - Use official tarball and so drop autoreconf https://github.com/ckolivas/lrzip/blob/v0.651/WHATS-NEW Signed-off-by: Fabrice Fontaine Signed-off-by: Peter Korsgaard (cherry picked from commit edbdad93979ce8521653b4031235fd0fa9d438c9) Signed-off-by: Peter Korsgaard --- package/lrzip/lrzip.hash | 2 +- package/lrzip/lrzip.mk | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/lrzip/lrzip.hash b/package/lrzip/lrzip.hash index 19295383c3..cb03ff07cc 100644 --- a/package/lrzip/lrzip.hash +++ b/package/lrzip/lrzip.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 9b6b4bb1ae76dafbaab96ec9d50d41af5fed45a6c4f2e06feea828c2cd8025c0 lrzip-0.641.tar.gz +sha256 48bd8decb097c1596c9b3777959cd3e332819434ed77a2823e65aa436f1602f9 lrzip-0.651.tar.xz sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/lrzip/lrzip.mk b/package/lrzip/lrzip.mk index 27d9fde204..0375696414 100644 --- a/package/lrzip/lrzip.mk +++ b/package/lrzip/lrzip.mk @@ -4,9 +4,9 @@ # ################################################################################ -LRZIP_VERSION = 0.641 -LRZIP_SITE = $(call github,ckolivas,lrzip,v$(LRZIP_VERSION)) -LRZIP_AUTORECONF = YES +LRZIP_VERSION = 0.651 +LRZIP_SOURCE = lrzip-$(LRZIP_VERSION).tar.xz +LRZIP_SITE = http://ck.kolivas.org/apps/lrzip LRZIP_LICENSE = GPL-2.0+ LRZIP_LICENSE_FILES = COPYING LRZIP_CPE_ID_VENDOR = long_range_zip_project