Age | Commit message (Collapse) | Author |
|
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
See [1]
This reverts commit 4df4de2ac8bc0e80446e1ad0ce67eb244e2d2a32.
[1] http://lists.openembedded.org/pipermail/openembedded-core/2019-July/284859.html
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Include the fix by Mark Adler which has also been adopted by Debian.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Large zip files can cause unzip to crash, take a patch from Fedora to fix it.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Backport the patches for CVE-2014-9913 CVE-2016-9844
CVE-2016-9844:
Buffer overflow in the zi_short function in zipinfo.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via a large compression method value in the central
directory file header.
CVE-2014-9913:
Buffer overflow in the list_files function in list.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via vectors related to the compression method.
Patches come from:
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/archivers/unzip/ or
https://release.debian.org/proposed-updates/stable_diffs/unzip_6.0-16+deb8u3.debdiff
Bug-Debian: https://bugs.debian.org/847486
Bug-Ubuntu: https://launchpad.net/bugs/1643750
(LOCAL REV: NOT UPSTREAM) --send to oe-core on 20170222
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This fixes commit 763a3d424bccf559a8d6add3dc1f2746c82f2933
Output was strange when using unzip to extract zip file.
This patch fixed so.
[YOCTO #9551]
Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch avoids unzip fails to compile with compiler flags which elevate common string formatting issues into an error (-Wformat -Wformat-security -Werror=format-security).
[YOCTO #9551]
Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The currnet patches in OE-core doesn't have the "CVE:"
tag, now part of the policy of the patches.
This is patch add this tag to several patches. There might
be patches that I miss; the tag can be added in the future.
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with password
CVE-2015-7697: Fixes a denial of service with a file that never finishes unzipping
References:
http://www.openwall.com/lists/oss-security/2015/10/11/5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
12-cve-2014-9636-test-compr-eb.patch is same as unzip-6.0_overflow3.diff,
is to fix CVE-2014-9636
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
cve-2014-8139
cve-2014-8140
cve-2014-8141
cve-2014-9636
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636
unzip 6.0 allows remote attackers to cause a denial of service
(out-of-bounds read or write and crash) via an extra field with
an uncompressed size smaller than the compressed field size in a
zip archive that advertises STORED method compression.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1315
Buffer overflow in the charset_to_intern function in unix/unix.c in
Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code
via a crafted string, as demonstrated by converting a string from CP866
to UTF-8.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Change Makefile to use LDFLAGS
Signed-off-by: Mikhail Durnev <Mikhail_Durnev@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Not only do we have to override things on the make line, but we
need to hack on configure as well to avoid certain behavior.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|