diff options
author | Zach van Rijn <me@zv.io> | 2022-04-25 15:57:18 -0500 |
---|---|---|
committer | A. Wilcox <AWilcox@Wilcox-Tech.com> | 2022-05-01 17:06:42 -0500 |
commit | d505b70a4b404d526d43a2da7bbd5cc3653e8294 (patch) | |
tree | 5a29cda96e6b80b3338660d55ced3f76536a7e5d | |
parent | db78f87a0f47ba0362c30e510c3bc585bacfaf8b (diff) | |
download | packages-d505b70a4b404d526d43a2da7bbd5cc3653e8294.tar.gz packages-d505b70a4b404d526d43a2da7bbd5cc3653e8294.tar.bz2 packages-d505b70a4b404d526d43a2da7bbd5cc3653e8294.tar.xz packages-d505b70a4b404d526d43a2da7bbd5cc3653e8294.zip |
system/lz4: add patch for CVE-2021-3520. fixes #597.
-rw-r--r-- | system/lz4/APKBUILD | 11 | ||||
-rw-r--r-- | system/lz4/CVE-2021-3520.patch | 22 |
2 files changed, 29 insertions, 4 deletions
diff --git a/system/lz4/APKBUILD b/system/lz4/APKBUILD index 522ad2efe..a6b81eef4 100644 --- a/system/lz4/APKBUILD +++ b/system/lz4/APKBUILD @@ -2,21 +2,23 @@ # Maintainer: Dan Theisen <djt@hxx.in> pkgname=lz4 pkgver=1.9.3 -pkgrel=0 +pkgrel=1 pkgdesc="LZ4: Extremely Fast Compression algorithm" url="https://github.com/lz4/lz4" arch="all" license="BSD-2-Clause GPL-2.0-only" checkdepends="diffutils python3" subpackages="$pkgname-dev $pkgname-doc $pkgname-libs" -source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz" +source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz + CVE-2021-3520.patch + " case "$CARCH" in armhf) options="!check" ;; # FIXME esac # secfixes: -# 1.9.3-r0: +# 1.9.3-r1: # - CVE-2021-3520 build() { @@ -31,4 +33,5 @@ package() { make PREFIX="/usr" DESTDIR="$pkgdir" install } -sha512sums="c246b0bda881ee9399fa1be490fa39f43b291bb1d9db72dba8a85db1a50aad416a97e9b300eee3d2a4203c2bd88bda2762e81bc229c3aa409ad217eb306a454c lz4-1.9.3.tar.gz" +sha512sums="c246b0bda881ee9399fa1be490fa39f43b291bb1d9db72dba8a85db1a50aad416a97e9b300eee3d2a4203c2bd88bda2762e81bc229c3aa409ad217eb306a454c lz4-1.9.3.tar.gz +29038d80c4399ded52b49e69d0f0d80bef8bf424e3540de366ef539706c8c1119784d6137c96130f131239d74a4c110dd9790cae5c9b17c102820446582c5637 CVE-2021-3520.patch" diff --git a/system/lz4/CVE-2021-3520.patch b/system/lz4/CVE-2021-3520.patch new file mode 100644 index 000000000..053958dfe --- /dev/null +++ b/system/lz4/CVE-2021-3520.patch @@ -0,0 +1,22 @@ +From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001 +From: Jasper Lievisse Adriaanse <j@jasper.la> +Date: Fri, 26 Feb 2021 15:21:20 +0100 +Subject: [PATCH] Fix potential memory corruption with negative memmove() size + +--- + lib/lz4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/lz4.c b/lib/lz4.c +index 5f524d01d..c2f504ef3 100644 +--- a/lib/lz4.c ++++ b/lib/lz4.c +@@ -1749,7 +1749,7 @@ LZ4_decompress_generic( + const size_t dictSize /* note : = 0 if noDict */ + ) + { +- if (src == NULL) { return -1; } ++ if ((src == NULL) || (outputSize < 0)) { return -1; } + + { const BYTE* ip = (const BYTE*) src; + const BYTE* const iend = ip + srcSize; |