8 Commits

Author SHA1 Message Date
Peter Korsgaard
f77fb7b585 libzip: security bump to version 1.3.0
Fixes the following security issues:

CVE-2017-12858: Double free vulnerability in the _zip_dirent_read function
in zip_dirent.c in libzip allows attackers to have unspecified impact via
unknown vectors.

CVE-2017-14107: The _zip_read_eocd64 function in zip_open.c in libzip before
1.3.0 mishandles EOCD records, which allows remote attackers to cause a
denial of service (memory allocation failure in _zip_cdir_grow in
zip_dirent.c) via a crafted ZIP archive.

For more details, see
https://blogs.gentoo.org/ago/2017/09/01/libzip-use-after-free-in-_zip_buffer_free-zip_buffer-c/
https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/

libzip-1.3.0 also adds optional bzip2 support, so handle that.

While we're at it, add a hash for the license file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-09-08 11:16:56 +02:00
Adam Duskett
5dccd7249e package/lib*: fix wrapping of Config.in help text
The check-package script, when run, gives warnings on text wrapping
on all of these Config files.  This patch cleans up all warnings
related to the text wrapping for the Config files starting with
lib in the package directory.

The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-07-31 19:10:08 +02:00
Bartosz Golaszewski
7d9d406832 libzip: depend on !BR2_STATIC_LIBS
Since version 1.2.0 libzip requires dynamic library capabilities. Add
it to Config.in and propagate this dependency to packages selecting
libzip.

Fixes:

  http://autobuild.buildroot.net/results/c50ffa5bf565e75333192edc89e2d39044d07f26/

Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-07-05 11:35:51 +02:00
Bartosz Golaszewski
7b846fc07f libzip: bump version to 1.2.0
It's a major release, but the API seems to be mostly
backwards-compatible. The only package depending on this library in
buildroot is libsigrok and it builds fine.

Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-07-02 00:43:31 +02:00
Rahul Bedarkar
9f59b378a3 boot, package: use SPDX short identifier for BSD-3c
We want to use the SPDX identifier for the license string as much as possible.
The SPDX short identifier for BSD-3c is BSD-3-Clause.

This change is done using the following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g'

Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-01 15:26:57 +02:00
Gustavo Zacarias
7ccf520d1c libzip: add hash file
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-28 22:32:57 +02:00
Luca Ceresoli
b0b9606530 Remove trailing slash from all package site URLs
The recommended form is without the trailing slash. Buildroot will add a slash
between FOO_SITE and FOO_SOURCE as appropriate.

Reported-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-03-10 20:40:08 +01:00
Bartosz Golaszewski
083f853801 libzip: new package
[Peter: license is BSD-3c]
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-02-01 00:21:10 +01:00