package/lrzip: security bump to version 0.641

- Fix CVE-2021-27347: Use after free in lzma_decompress_buf function in
  stream.c in Irzip 0.631 allows attackers to cause Denial of Service
  (DoS) via a crafted compressed file.
- Fix CVE-2021-27345: A null pointer dereference was discovered in
  ucompthread in stream.c in Irzip 0.631 which allows attackers to cause
  a denial of service (DOS) via a crafted compressed file.
- Fix CVE-2020-25467: A null pointer dereference was discovered
  lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker
  to cause a denial of service (DOS) via a crafted compressed file.
- lz4 is a mandatory dependency since version 0.640 and
  3345a239b7

7f3bf46203...v0.641

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/lrzip/Config.in

@@ -5,6 +5,7 @@ config BR2_PACKAGE_LRZIP
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on BR2_INSTALL_LIBSTDCPP
 	select BR2_PACKAGE_ZLIB
+	select BR2_PACKAGE_LZ4
 	select BR2_PACKAGE_LZO
 	select BR2_PACKAGE_BZIP2
 	help

package/lrzip/lrzip.hash

@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  4d31c429491f1378e868afe06867f68f8b1332fdca0758de24cc4da22103acfb  lrzip-7f3bf46203bf45ea115d8bd9f310ea219be88af4.tar.gz
+sha256  9b6b4bb1ae76dafbaab96ec9d50d41af5fed45a6c4f2e06feea828c2cd8025c0  lrzip-0.641.tar.gz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING

package/lrzip/lrzip.mk

@@ -4,12 +4,12 @@
 #
 ################################################################################
 
-LRZIP_VERSION = 7f3bf46203bf45ea115d8bd9f310ea219be88af4
-LRZIP_SITE = $(call github,ckolivas,lrzip,$(LRZIP_VERSION))
+LRZIP_VERSION = 0.641
+LRZIP_SITE = $(call github,ckolivas,lrzip,v$(LRZIP_VERSION))
 LRZIP_AUTORECONF = YES
 LRZIP_LICENSE = GPL-2.0+
 LRZIP_LICENSE_FILES = COPYING
-LRZIP_DEPENDENCIES = zlib lzo bzip2
+LRZIP_DEPENDENCIES = zlib lz4 lzo bzip2
 
 ifeq ($(BR2_i386)$(BR2_x86_64),y)
 LRZIP_DEPENDENCIES += host-nasm