From patchwork Sun Jan 17 17:52:06 2021
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1427822
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Luca Ceresoli, Samuel Martin, Fabrice Fontaine
Date: Sun, 17 Jan 2021 18:52:06 +0100
Message-Id: <20210117175208.366428-3-fontaine.fabrice@gmail.com>
In-Reply-To: <20210117175208.366428-1-fontaine.fabrice@gmail.com>
References: <20210117175208.366428-1-fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 3/5] package/unzip: add two debian security patches

While at it, also update indentation in hash file

Signed-off-by: Fabrice Fontaine
--- package/unzip/unzip.hash | 40 +++++++++++++++++++++------------------- package/unzip/unzip.mk | 4 +++- 2 files changed, 24 insertions(+), 20 deletions(-) diff --git a/package/unzip/unzip.hash b/package/unzip/unzip.hash index d05957d5e2..91cd448e46 100644 --- a/package/unzip/unzip.hash +++ b/package/unzip/unzip.hash 
@@ -1,20 +1,22 @@ # Locally computed: -sha256 036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37 unzip60.tgz -sha256 7469b81d5d29ac4fd670f7c86ba0cb9fa34f137a2d4d5198437d92ddf918984b LICENSE -sha256 66a364d75cea29363768ca6d43dd11b9913a59e42b8da16c4f63516c3e4ce7c1 07-increase-size-of-cfactorstr.patch -sha256 3a8cfd2702d220c6c119eaf805b018b66460284e585e92adc8a572d190471724 08-allow-greater-hostver-values.patch -sha256 0a1b23118b2f4a3ed097348ab33050d4f79b3863ab30e6d64ac382589834e3de 09-cve-2014-8139-crc-overflow.patch -sha256 32b1eda30644c44a8bdb9a02ff08bb2eca107f8eb16dda6992a9b778a0de395e 10-cve-2014-8140-test-compr-eb.patch -sha256 1f60f6e28b36f3cddb7da64c528cfe29160cefa1232e13bb8a47561f574067a9 11-cve-2014-8141-getzip64data.patch -sha256 c05885bb48b41603f0893ada88f15c0fae3b3f9f6489f24ad630a400f6271351 12-cve-2014-9636-test-compr-eb.patch -sha256 788c29727ff0689c3b1828466127758426f6d2c769048aa985950373747c76f3 14-cve-2015-7696.patch -sha256 e85dab65c3ebf3c4ab3359a4143cfd0efccfd1cac517a4e7bd5f518f41a02b6f 15-cve-2015-7697.patch -sha256 95dd15d5d9cdf5cea18c357b152930d6d52660599e0fd4907d6405870fdd9fe1 16-fix-integer-underflow-csiz-decrypted.patch -sha256 ea04cfc8b7ca3b3c03117da0d891870b8c542d26188ef5593fd7e479f4f29f4e 17-restore-unix-timestamps-accurately.patch -sha256 1872ffdd4d82edd7b1e62c469642bf16a1ca12dd26d41bd3f0b44f0f7602eb63 18-cve-2014-9913-unzip-buffer-overflow.patch -sha256 60840ea8f5d11a276972fb5b43652cdd49a9ed93b2cc0586ad309bf52104b012 19-cve-2016-9844-zipinfo-buffer-overflow.patch -sha256 4eabc3faeddd56ebc3d5053486b61f8758d840902725fd555d3472cffb094437 20-cve-2018-1000035-unzip-buffer-overflow.patch -sha256 df3b0eeea8dcc161a2565e306b5dda13d27de43145e198baaf0eab822321ee7e 21-fix-warning-messages-on-big-files.patch -sha256 2cf5a89e921da99e883bcde0ea03e2c77ae9185f57efaf35e7d43bc24353cfdc 22-cve-2019-13232-fix-bug-in-undefer-input.patch -sha256 c8e82c80fc7760f90567118a465e4cfa1b8e5d0a5723f9c70e3d21247e550615 
23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch -sha256 37ba0bea723beeb22670babda18bd980368cc6591bc7bd9caa04f62692c7e5ac 24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch +sha256 036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37 unzip60.tgz +sha256 7469b81d5d29ac4fd670f7c86ba0cb9fa34f137a2d4d5198437d92ddf918984b LICENSE +sha256 66a364d75cea29363768ca6d43dd11b9913a59e42b8da16c4f63516c3e4ce7c1 07-increase-size-of-cfactorstr.patch +sha256 3a8cfd2702d220c6c119eaf805b018b66460284e585e92adc8a572d190471724 08-allow-greater-hostver-values.patch +sha256 0a1b23118b2f4a3ed097348ab33050d4f79b3863ab30e6d64ac382589834e3de 09-cve-2014-8139-crc-overflow.patch +sha256 32b1eda30644c44a8bdb9a02ff08bb2eca107f8eb16dda6992a9b778a0de395e 10-cve-2014-8140-test-compr-eb.patch +sha256 1f60f6e28b36f3cddb7da64c528cfe29160cefa1232e13bb8a47561f574067a9 11-cve-2014-8141-getzip64data.patch +sha256 c05885bb48b41603f0893ada88f15c0fae3b3f9f6489f24ad630a400f6271351 12-cve-2014-9636-test-compr-eb.patch +sha256 788c29727ff0689c3b1828466127758426f6d2c769048aa985950373747c76f3 14-cve-2015-7696.patch +sha256 e85dab65c3ebf3c4ab3359a4143cfd0efccfd1cac517a4e7bd5f518f41a02b6f 15-cve-2015-7697.patch +sha256 95dd15d5d9cdf5cea18c357b152930d6d52660599e0fd4907d6405870fdd9fe1 16-fix-integer-underflow-csiz-decrypted.patch +sha256 ea04cfc8b7ca3b3c03117da0d891870b8c542d26188ef5593fd7e479f4f29f4e 17-restore-unix-timestamps-accurately.patch +sha256 1872ffdd4d82edd7b1e62c469642bf16a1ca12dd26d41bd3f0b44f0f7602eb63 18-cve-2014-9913-unzip-buffer-overflow.patch +sha256 60840ea8f5d11a276972fb5b43652cdd49a9ed93b2cc0586ad309bf52104b012 19-cve-2016-9844-zipinfo-buffer-overflow.patch +sha256 4eabc3faeddd56ebc3d5053486b61f8758d840902725fd555d3472cffb094437 20-cve-2018-1000035-unzip-buffer-overflow.patch +sha256 df3b0eeea8dcc161a2565e306b5dda13d27de43145e198baaf0eab822321ee7e 21-fix-warning-messages-on-big-files.patch +sha256 
2cf5a89e921da99e883bcde0ea03e2c77ae9185f57efaf35e7d43bc24353cfdc 22-cve-2019-13232-fix-bug-in-undefer-input.patch +sha256 c8e82c80fc7760f90567118a465e4cfa1b8e5d0a5723f9c70e3d21247e550615 23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch +sha256 37ba0bea723beeb22670babda18bd980368cc6591bc7bd9caa04f62692c7e5ac 24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch +sha256 c25fdc17e946e091ec801ad69a56e25c0b73b38c606da95bc602b7d48a46ac3f 25-cve-2019-13232-fix-bug-in-uzbunzip2.patch +sha256 792ee836836d24ccee26592cb6bb4f4b3ca056c340bf49fc6f9abcfc5a294821 26-cve-2019-13232-fix-bug-in-uzinflate.patch diff --git a/package/unzip/unzip.mk b/package/unzip/unzip.mk index 0fb452a248..5efe5bcd09 100644 --- a/package/unzip/unzip.mk +++ b/package/unzip/unzip.mk @@ -27,6 +27,8 @@ UNZIP_PATCH = \ https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/21-fix-warning-messages-on-big-files.patch \ https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch \ https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch \ - https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch + https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch \ + https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/25-cve-2019-13232-fix-bug-in-uzbunzip2.patch \ + https://sources.debian.org/data/main/u/unzip/6.0-26/debian/patches/26-cve-2019-13232-fix-bug-in-uzinflate.patch $(eval $(cmake-package))
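Review bot: in package/unzip/unzip.hash, the whitespace-only rewrite of the 19 existing sha256 lines buries the two lines that matter, the new digests for 25-cve-2019-13232-fix-bug-in-uzbunzip2.patch and 26-cve-2019-13232-fix-bug-in-uzinflate.patch. Every removed digest has to be compared by hand against its re-added copy to confirm that none changed value. Please move the indentation change into its own commit, or state in the commit message that the existing digests are unchanged. The file header says "Locally computed", so these two values are the only integrity check on the files fetched from sources.debian.org and should be recomputed independently during review.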
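Review bot: in package/unzip/unzip.mk, the two entries added to UNZIP_PATCH carry cve-2019-13232 in their file names and follow the 22 to 24 patches of the same series, yet the commit message says only "add two debian security patches". Please name both patches and CVE-2019-13232 in the commit message, and say that they fix bugs in uzbunzip2 and uzinflate, so the log can be searched by CVE id. The line continuation is handled correctly: the backslash is added to the 24-... line and the new last entry has none. Both URLs stay under the 6.0-26 path used by the existing entries, so the whole list still comes from one Debian revision.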