subject:"\[OE\-core\] \[master\]\[PATCH\] 3\/5\] bzip2\: Security fix CVE\-2016\-3189"

Re: [OE-core] [master][PATCH] 3/5] bzip2: Security fix CVE-2016-3189

2016-08-08 Thread Alexander Kanavin


On 07/17/2016 02:04 AM, Armin Kuster wrote:

+Upstream-Status: Backport
+https://bugzilla.suse.com/attachment.cgi?id=681334
+
+CVE: CVE-2016-3189


Backport means the patch is taken from upstream development repository, 
and it's also good to provide a link to where it is in the upstream.


This looks like a distro vendor fix, so the upstream-status should be 
either pending or inappropriate (depending on the upstream development 
situation).



Alex
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] [master][PATCH] 3/5] bzip2: Security fix CVE-2016-3189

2016-07-16 Thread Armin Kuster

From: Armin Kuster 

Affects bzip2 <= 1.0.6
CVSS v2 Base Score: 4.3 MEDIUM

Signed-off-by: Armin Kuster 
---
 .../bzip2/bzip2-1.0.6/CVE-2016-3189.patch  | 18 ++
 meta/recipes-extended/bzip2/bzip2_1.0.6.bb |  4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2016-3189.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2016-3189.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2016-3189.patch
new file mode 100644
index 000..1d0c3a6
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2016-3189.patch
@@ -0,0 +1,18 @@
+Upstream-Status: Backport
+https://bugzilla.suse.com/attachment.cgi?id=681334
+
+CVE: CVE-2016-3189
+Signed-off-by: Armin Kuster 
+
+Index: bzip2-1.0.6/bzip2recover.c
+===
+--- bzip2-1.0.6.orig/bzip2recover.c
 bzip2-1.0.6/bzip2recover.c
+@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv )
+ bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+ bsPutUInt32 ( bsWr, blockCRC );
+ bsClose ( bsWr );
++outFile = NULL;
+  }
+  if (wrBlock >= rbCtr) break;
+  wrBlock++;
diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb 
b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
index f717d85..ef7bc89 100644
--- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
+++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
@@ -12,7 +12,9 @@ SRC_URI = "http://www.bzip.org/${PV}/${BP}.tar.gz \
file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch \
file://configure.ac;subdir=${BP} \
file://Makefile.am;subdir=${BP} \
-   file://run-ptest"
+   file://run-ptest \
+   file://CVE-2016-3189.patch \
+   "
 
 SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
 SRC_URI[sha256sum] = 
"a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd"
-- 
2.3.5

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [master][PATCH] 3/5] bzip2: Security fix CVE-2016-3189

[OE-core] [master][PATCH] 3/5] bzip2: Security fix CVE-2016-3189

2 matches

Site Navigation

Mail list logo

Footer information