openembedded-core.git/meta/recipes-extended/unzip, branch master Mirror of openembedded-core unzip: add missing CVE headers to patches 2017-04-13T22:58:17+00:00 Ross Burton ross.burton@intel.com 2017-04-13T22:36:43+00:00 de7ff341d18f46d68abeabcb53ba07d012090c15 Signed-off-by: Ross Burton <ross.burton@intel.com> 
Signed-off-by: Ross Burton <ross.burton@intel.com>
unzip: CVE-2014-9913 CVE-2016-9844 2017-03-01T12:54:21+00:00 Zhixiong Chi zhixiong.chi@windriver.com 2017-02-22T07:14:42+00:00 fc386ed4afb76bd3e5a3afff54d7dc8dde14fe9c Backport the patches for CVE-2014-9913 CVE-2016-9844 CVE-2016-9844: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. CVE-2014-9913: Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method. Patches come from: https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/archivers/unzip/ or https://release.debian.org/proposed-updates/stable_diffs/unzip_6.0-16+deb8u3.debdiff Bug-Debian: https://bugs.debian.org/847486 Bug-Ubuntu: https://launchpad.net/bugs/1643750 (LOCAL REV: NOT UPSTREAM) --send to oe-core on 20170222 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Backport the patches for CVE-2014-9913 CVE-2016-9844

CVE-2016-9844:
Buffer overflow in the zi_short function in zipinfo.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via a large compression method value in the central
directory file header.
CVE-2014-9913:
Buffer overflow in the list_files function in list.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via vectors related to the compression method.

Patches come from:
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/archivers/unzip/  or
https://release.debian.org/proposed-updates/stable_diffs/unzip_6.0-16+deb8u3.debdiff

Bug-Debian: https://bugs.debian.org/847486
Bug-Ubuntu: https://launchpad.net/bugs/1643750

(LOCAL REV: NOT UPSTREAM) --send to oe-core on 20170222

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
unzip: fixes strange output 2016-09-03T08:58:27+00:00 Edwin Plauchu edwin.plauchu.camacho@intel.com 2016-08-30T02:17:13+00:00 30486429ed228e387ee574c6990b361d2ade6a32 This fixes commit 763a3d424bccf559a8d6add3dc1f2746c82f2933 Output was strange when using unzip to extract zip file. This patch fixed so. [YOCTO #9551] Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
This fixes commit 763a3d424bccf559a8d6add3dc1f2746c82f2933

Output was strange when using unzip to extract zip file.
This patch fixed so.

[YOCTO #9551]

Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
unzip: fix security issues 2016-06-01T07:04:12+00:00 Edwin Plauchu edwin.plauchu.camacho@intel.com 2016-05-27T20:29:21+00:00 2dd1c02fbc7492002df9030f50710e242369e8b2 This patch avoids unzip fails to compile with compiler flags which elevate common string formatting issues into an error (-Wformat -Wformat-security -Werror=format-security). [YOCTO #9551] Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
This patch avoids unzip fails to compile with compiler flags which elevate common string formatting issues into an error (-Wformat -Wformat-security -Werror=format-security).

[YOCTO #9551]

Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
unzip: update SRC_URI 2016-05-19T21:31:34+00:00 Ross Burton ross.burton@intel.com 2016-05-19T10:43:17+00:00 879b2c5ee2ae39d6c1ae9d44ab243d8c7b7874b4 The infozip FTP server appears to have been taken down, so change the SRC_URI to point at their SourceForge project. [ YOCTO #9655 ] Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The infozip FTP server appears to have been taken down, so change the SRC_URI to
point at their SourceForge project.

[ YOCTO #9655 ]

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
unzip: Explicitly set EXTRA_OEMAKE as required 2016-02-10T15:51:05+00:00 Mike Crowe mac@mcrowe.com 2016-02-05T18:04:28+00:00 9e38dc9b6b70b81d778c299f9a7fab30116c74fa This recipe currently relies on EXTRA_OEMAKE having been set to "-e MAKEFLAGS=" in bitbake.conf to operate. It is necessary to make this explicit so that the default in bitbake.conf can be changed. Signed-off-by: Mike Crowe <mac@mcrowe.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
This recipe currently relies on EXTRA_OEMAKE having been set to
"-e MAKEFLAGS=" in bitbake.conf to operate. It is necessary to make this
explicit so that the default in bitbake.conf can be changed.

Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add "CVE:" tag to current patches in OE-core 2016-01-11T23:23:18+00:00 Mariano Lopez mariano.lopez@linux.intel.com 2016-01-08T12:03:58+00:00 065ebeb3e15311d0d45385e15bf557b1c95b1669 The currnet patches in OE-core doesn't have the "CVE:" tag, now part of the policy of the patches. This is patch add this tag to several patches. There might be patches that I miss; the tag can be added in the future. Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The currnet patches in OE-core doesn't have the "CVE:"
tag, now part of the policy of the patches.

This is patch add this tag to several patches. There might
be patches that I miss; the tag can be added in the future.

Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
package_regex.inc: split entries which blacklist specific versions to their recipes 2015-12-08T10:20:09+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2015-11-16T14:34:03+00:00 1eb9e190ef3bb1170b3eaabd9f7900e7ce176624 Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
unzip: rename patch to reflect CVE fix 2015-11-16T11:32:43+00:00 Ross Burton ross.burton@intel.com 2015-11-04T11:23:06+00:00 e3d2974348bd830ec2fcf84ea08cbf38abbc0327 Signed-off-by: Ross Burton <ross.burton@intel.com> 
Signed-off-by: Ross Burton <ross.burton@intel.com>
unzip: CVE-2015-7696, CVE-2015-7697 2015-11-02T12:25:41+00:00 Tudor Florea tudor.florea@enea.com 2015-10-29T00:14:18+00:00 a11b23a7d2a29414a4ea47c411f09a68b1b28e2d CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with password CVE-2015-7697: Fixes a denial of service with a file that never finishes unzipping References: http://www.openwall.com/lists/oss-security/2015/10/11/5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7696 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697 Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with password
CVE-2015-7697: Fixes a denial of service with a file that never finishes unzipping

References:
http://www.openwall.com/lists/oss-security/2015/10/11/5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>