package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587

Fixes the following security issue:

- CVE-2022-1271: Malicious filenames can make xzgrep to write to arbitrary
  files or (with a GNU sed extension) lead to arbitrary code execution.

For more details, see the announcement and advisory:

https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
https://www.zerodayinitiative.com/advisories/ZDI-22-619/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/xz/xz.hash

@@ -1,5 +1,6 @@
 # Locally calculated after checking pgp signature
 sha256  5117f930900b341493827d63aa910ff5e011e0b994197c3b71c08a20228a42df  xz-5.2.5.tar.bz2
+sha256  98c6cb1042284fe704ec30083f3fc87364ce9ed2ea51f62bbb0ee9d3448717ec  xzgrep-ZDI-CAN-16587.patch
 
 # Hash for license files
 sha256  bcb02973ef6e87ea73d331b3a80df7748407f17efdb784b61b47e0e610d3bb5c  COPYING

package/xz/xz.mk

@@ -13,6 +13,10 @@ XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
 XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
 XZ_CPE_ID_VENDOR = tukaani
 
+XZ_PATCH = xzgrep-ZDI-CAN-16587.patch
+# xzgrep-ZDI-CAN-16587.patch
+XZ_IGNORE_CVES += CVE-2022-1271
+
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
 XZ_CONF_OPTS += --enable-threads
 else