Commit Graph

14 Commits

Author SHA1 Message Date
Daniel Lang
880e03ba75 package/cpio: drop CVE-2021-38185 from IGNORE_CVES
CVE-2021-38185 affects cpio <= 2.13.
The mentioned patches were removed in b0306d94 when bumping to 2.14.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:34:55 +02:00
Peter Seiderer
b0306d94b2 package/cpio: bump version to 2.14
- remove 0001-Minor-fix.patch
  (from upstream, see [1])
- remove 0002-Rewrite-dynamic-string-support.patch
  (from upstream, see [2])
- remove 0003-Fix-previous-commit.patch
  (from upstream, see [3])

For details see [4].

[1] https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=641d3f489cf6238bb916368d4ba0d9325a235afb
[2] https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
[3] https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dfc801c44a93bed7b3951905b188823d6a0432c8
[4] https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00001.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-05-06 18:01:25 +02:00
Fabrice Fontaine
89857df2d1 package/cpio: fix CVE-2021-38185
GNU cpio through 2.13 allows attackers to execute arbitrary code via a
crafted pattern file, because of a dstring.c ds_fgetstr integer overflow
that triggers an out-of-bounds heap write. NOTE: it is unclear whether
there are common cases where the pattern file, associated with the -E
option, is untrusted data.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-08-20 10:08:22 +02:00
Fabrice Fontaine
282654ba47 package/cpio: add CPIO_CPE_ID_VENDOR
cpe:2.3🅰️gnu:cpio is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Acpio

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-18 21:49:00 +01:00
Bernd Kuhls
6c1e4d98f3 package/cpio: security bump to version 2.13
Removed patch fixing CVE-2016-2037 which was applied upstream.

This release fixes CVE-2015-1197, CVE-2016-2037, CVE-2019-14866.

Switched to .bz2 tarball.
Added hashes provided by upstream and license hash.

Release notes:
https://lists.gnu.org/archive/html/info-gnu/2019-11/msg00002.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-05 21:30:05 +01:00
Yann E. MORIN
48f2f4dd8e package/cpio: add host version
The latest cpio has a --reproducible option, which may come handy when
we try to, well, be reproducible...

Reported-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Atharva: don't force --bindir, as noticed by Arnout]
Signed-off-by: Atharva Lele <itsatharva@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Atharva Lele <itsatharva@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-07-17 08:47:34 +02:00
Yann E. MORIN
aec0e84de7 package/busybox: invert dependency with cpio
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2018-07-08 13:08:05 +02:00
Rahul Bedarkar
337aa51f3f boot, package: use SPDX short identifier for GPLv3/GPLv3+
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for GPLv3/GPLv3+ is GPL-3.0/GPL-3.0+.

This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv3\>/GPL-3.0/g'

Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-01 15:17:59 +02:00
Brian Redbeard
0f3627a91f package/cpio: Fix GNU Mirror Path
Replacing ftpmirror.gnu.org with BR2_GNU_MIRROR variable

Signed-off-by: Brian 'redbeard' Harrington <redbeard@coreos.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-02-06 19:13:47 +01:00
Gustavo Zacarias
63eaed6498 cpio: install to /bin and after busybox
As the usual rule consider full-blown packages superior to busybox,
hence build after it.
Also install cpio to /bin to override the busybox-provided one.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-02 16:33:07 +02:00
Gustavo Zacarias
845d71c65f cpio: bump to version 2.12
All patches upstream so drop them.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-02 16:32:56 +02:00
Romain Naour
f70c58c2c7 package/cpio: remove useless comment
This comment is about host-cpio which hasn't
been added in Buildroot.

Signed-off-by: Romain Naour <romain.naour@openwide.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-08-08 11:16:30 +02:00
Romain Naour
7d53040f33 package/cpio: add argp-standalone dependency with musl
Since argp-standalone is only available for uClibc-ng
and musl toolchains, add the dependendy only if it's
selected.

Signed-off-by: Romain Naour <romain.naour@openwide.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-08-08 11:16:04 +02:00
Clayton Shotwell
03d3df31f8 cpio: new package
Adding the cpio archive utility for the target and host. Patches have
been pulled from ArchLinux and Gentoo to fix CVE issues and compile
issues.

[Thomas: remove host variant of the package, as discussed during the
review of earlier version.]

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-18 17:43:19 +02:00