{"id":811185,"url":"http://patchwork.ozlabs.org/api/patches/811185/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20170907212133.10036-1-peter@korsgaard.com/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170907212133.10036-1-peter@korsgaard.com>","list_archive_url":null,"date":"2017-09-07T21:21:33","name":"libzip: security bump to version 1.3.0","commit_ref":"f77fb7b585b76b9c544b21fc3bf080660a54cb7b","pull_url":null,"state":"accepted","archived":false,"hash":"bce96767ecad48a88cd75bddb81593be892693fc","submitter":{"id":42365,"url":"http://patchwork.ozlabs.org/api/people/42365/?format=json","name":"Peter Korsgaard","email":"peter@korsgaard.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20170907212133.10036-1-peter@korsgaard.com/mbox/","series":[{"id":2068,"url":"http://patchwork.ozlabs.org/api/series/2068/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=2068","date":"2017-09-07T21:21:33","name":"libzip: security bump to version 1.3.0","version":1,"mbox":"http://patchwork.ozlabs.org/series/2068/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/811185/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/811185/checks/","tags":{},"related":[],"headers":{"Return-Path":"<buildroot-bounces@busybox.net>","X-Original-To":["incoming@patchwork.ozlabs.org","buildroot@lists.busybox.net"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","buildroot@osuosl.org"],"Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=busybox.net\n\t(client-ip=140.211.166.136; 
helo=silver.osuosl.org;\n\tenvelope-from=buildroot-bounces@busybox.net;\n\treceiver=<UNKNOWN>)","ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"VBfhx8p1\"; dkim-atps=neutral"],"Received":["from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xpD0n397cz9s81\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri,  8 Sep 2017 07:21:44 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby silver.osuosl.org (Postfix) with ESMTP id A11F726B51;\n\tThu,  7 Sep 2017 21:21:41 +0000 (UTC)","from silver.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id n-c8934SuJJF; Thu,  7 Sep 2017 21:21:41 +0000 (UTC)","from ash.osuosl.org (ash.osuosl.org [140.211.166.34])\n\tby silver.osuosl.org (Postfix) with ESMTP id 011DF26D8E;\n\tThu,  7 Sep 2017 21:21:41 +0000 (UTC)","from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\tby ash.osuosl.org (Postfix) with ESMTP id 6F59C1C25A5\n\tfor <buildroot@lists.busybox.net>;\n\tThu,  7 Sep 2017 21:21:39 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n\tby silver.osuosl.org (Postfix) with ESMTP id 66EE626D8E\n\tfor <buildroot@lists.busybox.net>;\n\tThu,  7 Sep 2017 21:21:39 +0000 (UTC)","from silver.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id g9ch+Xj50cm7 for <buildroot@lists.busybox.net>;\n\tThu,  7 Sep 2017 21:21:38 +0000 (UTC)","from mail-wm0-f67.google.com (mail-wm0-f67.google.com\n\t[74.125.82.67])\n\tby silver.osuosl.org (Postfix) with ESMTPS id 72DB526B51\n\tfor <buildroot@buildroot.org>; Thu,  7 Sep 2017 21:21:38 +0000 (UTC)","by mail-wm0-f67.google.com with SMTP id x17so489330wmd.5\n\tfor <buildroot@buildroot.org>; Thu, 07 Sep 2017 14:21:38 -0700 
(PDT)","from dell.be.48ers.dk (d51a5bc31.access.telenet.be.\n\t[81.165.188.49]) by smtp.gmail.com with ESMTPSA id\n\tr14sm91914edd.56.2017.09.07.14.21.35\n\t(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);\n\tThu, 07 Sep 2017 14:21:35 -0700 (PDT)","from peko by dell.be.48ers.dk with local (Exim 4.88)\n\t(envelope-from <peko@dell.be.48ers.dk>)\n\tid 1dq4Ew-0002ca-8A; Thu, 07 Sep 2017 23:21:34 +0200"],"X-Virus-Scanned":["amavisd-new at osuosl.org","amavisd-new at osuosl.org"],"X-Greylist":"domain auto-whitelisted by SQLgrey-1.7.6","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;\n\th=sender:from:to:cc:subject:date:message-id;\n\tbh=RXUe8olHLD6FYoaJ+Wk9Mq4mmuP4QtagdXJyObuSGlA=;\n\tb=VBfhx8p14dtra8sElSdpYEPIsvSPI+87T5B4ZrxBynbiDe9B9yP9jNsexFzWJZP9GK\n\tNjW/d6XxVoS2l07UX6ebZxT+fsU7Vy6fH7ekh97mgX8X1i6yKhw6/NNzwfuWLrBsUKNn\n\tVHBXvGJOMemmELqTpKTxJe/R4+NIrUCvXBuYW1fOrYv1a7hZYoftzCkh25WMwt7DgqpQ\n\tO917tNaHejprbbLNdqZ5Ly/i7l8b6ltOATUlOyf9PSBxDT8mIOmR9gb8HJDSyUMsS2BA\n\taBo+gzW4V1K7bNKzwQRuDGBiRH6dHnX4OfEEOwFK3MseSyx/5yS4FDlbe52XiN8bCI8o\n\ttS6A==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:sender:from:to:cc:subject:date:message-id;\n\tbh=RXUe8olHLD6FYoaJ+Wk9Mq4mmuP4QtagdXJyObuSGlA=;\n\tb=Zlo76NBgnY5ZkcIZrZC7vAbH7A2aLuKyAYD/2nyQP/vMh8Bi6gLJlz7V/oU7hir1Ma\n\tdZC5bM8LDcnkZJ/HjCzuEu1Ehtxd1QXPZ5KRgHNfknr8NbNA5fNvbyITSNKZh1WuoIWH\n\tOw9TOTxUlKuMk3W8x9Kq977oNGaEQqkLPfCmz8h7ilVP7Y+chWsy/Z29byCLrdHOhD3y\n\tADqpupqsjHLBfquG4v0Z7c2WmdOrd3gpE10fEeqRX6VHCCOYn3ar9q2Oe/njM6tcXbQ1\n\t5pcZtOr29Y9qMYoPb8RlGUa3oy0bxbCPMMvpVnOMJGSN1HUFyZye6mqC569zXJ01kZUH\n\tk5zw==","X-Gm-Message-State":"AHPjjUgKaBQJINlhrGmenXutskH2CWfia+g9dyrJvddGdHCJvcppFXqb\n\tfztnmm/QutJbH7LoVBI=","X-Google-Smtp-Source":"ADKCNb4OOLAzoudxEQ7E+hdyksJ/J+UDL1RfB36rdaVhhgw1zXKd0P0V/YYd49Ug8bivn4v7hjEm/g==","X-Received":"by 10.80.180.17 with SMTP id b17mr439419edh.130.1504819296454;\n\tThu, 07 Sep 2017 
14:21:36 -0700 (PDT)","From":"Peter Korsgaard <peter@korsgaard.com>","To":"buildroot@buildroot.org","Date":"Thu,  7 Sep 2017 23:21:33 +0200","Message-Id":"<20170907212133.10036-1-peter@korsgaard.com>","X-Mailer":"git-send-email 2.11.0","Subject":"[Buildroot] [PATCH] libzip: security bump to version 1.3.0","X-BeenThere":"buildroot@busybox.net","X-Mailman-Version":"2.1.18-1","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.busybox.net>","List-Unsubscribe":"<http://lists.busybox.net/mailman/options/buildroot>,\n\t<mailto:buildroot-request@busybox.net?subject=unsubscribe>","List-Archive":"<http://lists.busybox.net/pipermail/buildroot/>","List-Post":"<mailto:buildroot@busybox.net>","List-Help":"<mailto:buildroot-request@busybox.net?subject=help>","List-Subscribe":"<http://lists.busybox.net/mailman/listinfo/buildroot>,\n\t<mailto:buildroot-request@busybox.net?subject=subscribe>","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@busybox.net","Sender":"\"buildroot\" <buildroot-bounces@busybox.net>"},"content":"Fixes the following security issues:\n\nCVE-2017-12858: Double free vulnerability in the _zip_dirent_read function\nin zip_dirent.c in libzip allows attackers to have unspecified impact via\nunknown vectors.\n\nCVE-2017-14107: The _zip_read_eocd64 function in zip_open.c in libzip before\n1.3.0 mishandles EOCD records, which allows remote attackers to cause a\ndenial of service (memory allocation failure in _zip_cdir_grow in\nzip_dirent.c) via a crafted ZIP archive.\n\nFor more details, see\nhttps://blogs.gentoo.org/ago/2017/09/01/libzip-use-after-free-in-_zip_buffer_free-zip_buffer-c/\nhttps://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/\n\nlibzip-1.3.0 also adds optional bzip2 support, so handle that.\n\nWhile we're at it, add a hash for the license file.\n\nSigned-off-by: Peter Korsgaard 
<peter@korsgaard.com>\n---\n package/libzip/libzip.hash | 3 ++-\n package/libzip/libzip.mk   | 9 ++++++++-\n 2 files changed, 10 insertions(+), 2 deletions(-)","diff":"diff --git a/package/libzip/libzip.hash b/package/libzip/libzip.hash\nindex 103c7619e2..d100982bc6 100644\n--- a/package/libzip/libzip.hash\n+++ b/package/libzip/libzip.hash\n@@ -1,2 +1,3 @@\n # Locally calculated\n-sha256\tffc0764395fba3d45dc5a6e32282788854618b9e9838337f8218b596007f1376\tlibzip-1.2.0.tar.xz\n+sha256\taa936efe34911be7acac2ab07fb5c8efa53ed9bb4d44ad1fe8bff19630e0d373  libzip-1.3.0.tar.xz\n+sha256  d159ae325ca0b8236c44dfd980ca99810dbcfc057b077c50dbbda1131cbd263a  LICENSE\ndiff --git a/package/libzip/libzip.mk b/package/libzip/libzip.mk\nindex a4012dd1e3..5ffa1cac00 100644\n--- a/package/libzip/libzip.mk\n+++ b/package/libzip/libzip.mk\n@@ -4,7 +4,7 @@\n #\n ################################################################################\n \n-LIBZIP_VERSION = 1.2.0\n+LIBZIP_VERSION = 1.3.0\n LIBZIP_SITE = http://www.nih.at/libzip\n LIBZIP_SOURCE = libzip-$(LIBZIP_VERSION).tar.xz\n LIBZIP_LICENSE = BSD-3-Clause\n@@ -12,4 +12,11 @@ LIBZIP_LICENSE_FILES = LICENSE\n LIBZIP_INSTALL_STAGING = YES\n LIBZIP_DEPENDENCIES = zlib\n \n+ifeq ($(BR2_PACKAGE_BZIP2),y)\n+LIBZIP_CONF_OPTS += --with-bzip2\n+LIBZIP_DEPENDENCIES += bzip2\n+else\n+LIBZIP_CONF_OPTS += --without-bzip2\n+endif\n+\n $(eval $(autotools-package))\n","prefixes":[]}
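Review bot: in the libzip.hash hunk the separator style is mixed: the removed line `sha256\tffc0764395fba3d45dc5a6e32282788854618b9e9838337f8218b596007f1376\tlibzip-1.2.0.tar.xz` uses tabs while the two added lines use double spaces; pick one separator for the file. More importantly for a security bump, the file keeps the `# Locally calculated` comment, so nothing in the patch shows the 1.3.0 tarball hash being cross-checked against anything published upstream; since the whole point of the bump is to pull in the fixed tree, it would be worth stating in the commit message how the tarball was verified (for example against an upstream-published checksum or signature) so a later reader can tell the locally computed value was not taken on trust alone. The added LICENSE hash line is a good addition and is consistent with `LIBZIP_LICENSE_FILES = LICENSE` in libzip.mk.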