Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=4cf7af479227db652a6ed127f08eb84c62d394b1

commit 4cf7af479227db652a6ed127f08eb84c62d394b1
Author: kikadf <[email protected]>
Date:   Wed Aug 20 11:00:21 2014 +0200

lzo-2.06-2arcturus1-x86_64

* Fix CVE-2014-4607

diff --git a/source/lib/lzo/CVE-2014-4607.patch 
b/source/lib/lzo/CVE-2014-4607.patch
new file mode 100644
index 0000000..a0fdd26
--- /dev/null
+++ b/source/lib/lzo/CVE-2014-4607.patch
@@ -0,0 +1,242 @@
+Description: CVE-2014-4607 lzo: lzo1x_decompress_safe() integer overflow
+Origin: 
https://git.centos.org/raw/rpms!lzo.git/24e0bd6a43820ba4b8cdcf361556aa939bad89ff/SOURCES!lzo-2.06-CVE-2014-4607.patch
+Bug-Debian: http://bugs.debian.org/752861
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1112418
+Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=883947
+Forwarded: not-needed
+Last-Update: 2014-08-02
+Applied-Upstream: 2.07
+
+--- a/minilzo/minilzo.c
++++ b/minilzo/minilzo.c
+@@ -3547,6 +3547,8 @@ DO_COMPRESS      ( const lzo_bytep in ,
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -3561,6 +3563,7 @@ DO_COMPRESS      ( const lzo_bytep in ,
+ #  if (LZO_TEST_OVERRUN_INPUT >= 2)
+ #    define NEED_IP(x) \
+             if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (lzo_uint)0 - (511)) goto 
input_overrun
+ #  endif
+ #endif
+
+@@ -3572,6 +3575,7 @@ DO_COMPRESS      ( const lzo_bytep in ,
+ #    undef TEST_OP
+ #    define NEED_OP(x) \
+             if ((lzo_uint)(op_end - op) < (lzo_uint)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (lzo_uint)0 - (511)) goto 
output_overrun
+ #  endif
+ #endif
+
+@@ -3602,11 +3606,13 @@ DO_COMPRESS      ( const lzo_bytep in ,
+ #  define HAVE_NEED_IP 1
+ #else
+ #  define NEED_IP(x)            ((void) 0)
++#  define TEST_IV(x)            ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ #  define HAVE_NEED_OP 1
+ #else
+ #  define NEED_OP(x)            ((void) 0)
++#  define TEST_OV(x)            ((void) 0)
+ #endif
+
+ #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP)
+@@ -3687,6 +3693,7 @@ DO_DECOMPRESS  ( const lzo_bytep in , lz
+             {
+                 t += 255;
+                 ip++;
++                TEST_IV(t);
+                 NEED_IP(1);
+             }
+             t += 15 + *ip++;
+@@ -3835,6 +3842,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 31 + *ip++;
+@@ -3879,6 +3887,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 7 + *ip++;
+@@ -4073,6 +4082,8 @@ lookbehind_overrun:
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -4087,6 +4098,7 @@ lookbehind_overrun:
+ #  if (LZO_TEST_OVERRUN_INPUT >= 2)
+ #    define NEED_IP(x) \
+             if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (lzo_uint)0 - (511)) goto 
input_overrun
+ #  endif
+ #endif
+
+@@ -4098,6 +4110,7 @@ lookbehind_overrun:
+ #    undef TEST_OP
+ #    define NEED_OP(x) \
+             if ((lzo_uint)(op_end - op) < (lzo_uint)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (lzo_uint)0 - (511)) goto 
output_overrun
+ #  endif
+ #endif
+
+@@ -4128,11 +4141,13 @@ lookbehind_overrun:
+ #  define HAVE_NEED_IP 1
+ #else
+ #  define NEED_IP(x)            ((void) 0)
++#  define TEST_IV(x)            ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ #  define HAVE_NEED_OP 1
+ #else
+ #  define NEED_OP(x)            ((void) 0)
++#  define TEST_OV(x)            ((void) 0)
+ #endif
+
+ #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP)
+@@ -4213,6 +4228,7 @@ DO_DECOMPRESS  ( const lzo_bytep in , lz
+             {
+                 t += 255;
+                 ip++;
++                TEST_IV(t);
+                 NEED_IP(1);
+             }
+             t += 15 + *ip++;
+@@ -4361,6 +4377,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 31 + *ip++;
+@@ -4405,6 +4422,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 7 + *ip++;
+--- a/src/lzo1_d.ch
++++ b/src/lzo1_d.ch
+@@ -76,6 +76,8 @@
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -91,6 +93,7 @@
+ #  if (LZO_TEST_OVERRUN_INPUT >= 2)
+ #    define NEED_IP(x) \
+             if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (lzo_uint)0 - (511)) goto 
input_overrun
+ #  endif
+ #endif
+
+@@ -102,6 +105,7 @@
+ #    undef TEST_OP              /* don't need both of the tests here */
+ #    define NEED_OP(x) \
+             if ((lzo_uint)(op_end - op) < (lzo_uint)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (lzo_uint)0 - (511)) goto 
output_overrun
+ #  endif
+ #endif
+
+@@ -135,11 +139,13 @@
+ #  define HAVE_NEED_IP 1
+ #else
+ #  define NEED_IP(x)            ((void) 0)
++#  define TEST_IV(x)            ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ #  define HAVE_NEED_OP 1
+ #else
+ #  define NEED_OP(x)            ((void) 0)
++#  define TEST_OV(x)            ((void) 0)
+ #endif
+
+
+--- a/src/lzo1b_d.ch
++++ b/src/lzo1b_d.ch
+@@ -187,6 +187,7 @@ match:
+                 {
+                     t += 255;
+                     ip++;
++                    TEST_OV(t);
+                     NEED_IP(1);
+                 }
+                 t += (M4_MIN_LEN - M3_MIN_LEN) + *ip++;
+--- a/src/lzo1f_d.ch
++++ b/src/lzo1f_d.ch
+@@ -84,6 +84,7 @@ DO_DECOMPRESS  ( const lzo_bytep in , lz
+             {
+                 t += 255;
+                 ip++;
++                TEST_IV(t);
+                 NEED_IP(1);
+             }
+             t += 31 + *ip++;
+@@ -138,6 +139,7 @@ match:
+                         {
+                             t += 255;
+                             ip++;
++                            TEST_OV(t);
+                             NEED_IP(1);
+                         }
+                         t += 31 + *ip++;
+--- a/src/lzo1x_d.ch
++++ b/src/lzo1x_d.ch
+@@ -120,6 +120,7 @@ DO_DECOMPRESS  ( const lzo_bytep in , lz
+             {
+                 t += 255;
+                 ip++;
++                TEST_IV(t);
+                 NEED_IP(1);
+             }
+             t += 15 + *ip++;
+@@ -273,6 +274,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 31 + *ip++;
+@@ -317,6 +319,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 7 + *ip++;
+--- a/src/lzo2a_d.ch
++++ b/src/lzo2a_d.ch
+@@ -131,6 +131,7 @@ DO_DECOMPRESS    ( const lzo_bytep in ,
+             {
+                 t += 255;
+                 ip++;
++                TEST_OV(t);
+                 NEED_IP(1);
+             }
+             t += *ip++;
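Review bot: The new TEST_IV/TEST_OV guards are defined as `((void) 0)` whenever NEED_IP/NEED_OP are not enabled (the `#else` branches at the `HAVE_NEED_IP`/`HAVE_NEED_OP` blocks), so the overflow check only exists in decompressor builds compiled with the overrun tests on — which, going by the two copies in minilzo.c, is presumably the `_safe` variant only; the plain `lzo1x_decompress` family still wraps `t` on a long run of zero bytes and the FSA text should say that callers feeding untrusted data must use the `_safe` entry points. The `511` margin is also undocumented; since the check runs after this iteration's `t += 255` and the loop exits into at most `t += 31 + *ip++` (or `15 + *ip++` / `7 + *ip++` / `*ip++`), a one-line comment next to each macro would make it auditable: `/* t already includes this iteration's +255; 511 leaves room for one more +255 and the trailing "+ 31 + *ip" (<= 286), so t cannot wrap a lzo_uint */`. Note that every `while (*ip == 0)` loop here sits inside a decompressor whose body starts and ends outside the hunk, so the later `NEED_OP(t)`/`NEED_IP(t+3)` uses that this guard protects are not visible in the diff.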
diff --git a/source/lib/lzo/FrugalBuild b/source/lib/lzo/FrugalBuild
index a467446..7ed7478 100644
--- a/source/lib/lzo/FrugalBuild
+++ b/source/lib/lzo/FrugalBuild
@@ -3,7 +3,7 @@

pkgname=lzo
pkgver=2.06
-pkgrel=1
+pkgrel=2arcturus1
pkgdesc="A real-time data compression library"
url="http://www.oberhumer.com/opensource/lzo/";
depends=('glibc')
@@ -15,4 +15,9 @@ source=($url/download/$pkgname-$pkgver.tar.gz)
Fconfopts+=" --enable-shared"
sha1sums=('a11768b8a168ec607750842bbef406f11547b904')

+# FSA fix ***
+source=(${source[@]} CVE-2014-4607.patch)
+sha1sums=(${sha1sums[@]} '0c80230721bd63f9f9ed792a975905c7febb6531')
+# ***********
+
# optimization OK
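Review bot: The hunk appends the patch to `source` and its checksum to `sha1sums`, but no `build()` is visible in the file, so the fix only lands if the default build really applies every patch listed in `source` — worth confirming on the built package (e.g. that `lzo1x_decompress_safe` now returns an input-overrun error for a compressed stream consisting of a long run of zero bytes) before the FSA goes out. The `# FSA fix ***` marker would also be easier to trace later if it named the advisory and CVE inline, e.g. `# FSA fix: CVE-2014-4607 (upstream 2.07) ***`.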