pkgsrc-Changes archive

CVS commit: pkgsrc/archivers/lz4



Module Name:    pkgsrc
Committed By:   kim
Date:           Fri Aug  6 05:08:50 UTC 2021

Modified Files:
        pkgsrc/archivers/lz4: Makefile distinfo
Added Files:
        pkgsrc/archivers/lz4/patches: patch-lib_lz4.c

Log Message:
Fix potential memory corruption with negative memmove() size

Addresses CVE-2021-3520

Ref: https://github.com/lz4/lz4/pull/972


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/archivers/lz4/Makefile
cvs rdiff -u -r1.19 -r1.20 pkgsrc/archivers/lz4/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/archivers/lz4/patches/patch-lib_lz4.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/archivers/lz4/Makefile
diff -u pkgsrc/archivers/lz4/Makefile:1.22 pkgsrc/archivers/lz4/Makefile:1.23
--- pkgsrc/archivers/lz4/Makefile:1.22  Thu Jun  3 06:55:00 2021
+++ pkgsrc/archivers/lz4/Makefile       Fri Aug  6 05:08:50 2021
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.22 2021/06/03 06:55:00 nia Exp $
+# $NetBSD: Makefile,v 1.23 2021/08/06 05:08:50 kim Exp $
 
 DISTNAME=      lz4-1.9.3
+PKGREVISION=   1
 CATEGORIES=    archivers
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=lz4/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}

Index: pkgsrc/archivers/lz4/distinfo
diff -u pkgsrc/archivers/lz4/distinfo:1.19 pkgsrc/archivers/lz4/distinfo:1.20
--- pkgsrc/archivers/lz4/distinfo:1.19  Thu Nov 19 10:36:57 2020
+++ pkgsrc/archivers/lz4/distinfo       Fri Aug  6 05:08:50 2021
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.19 2020/11/19 10:36:57 adam Exp $
+$NetBSD: distinfo,v 1.20 2021/08/06 05:08:50 kim Exp $
 
 SHA1 (lz4-1.9.3.tar.gz) = 5a19554ef404a609123b756ddcbbb677df838f05
 RMD160 (lz4-1.9.3.tar.gz) = b933c4794c0b9634e453dba5875bf1b1b0b79e70
@@ -6,4 +6,5 @@ SHA512 (lz4-1.9.3.tar.gz) = c246b0bda881
 Size (lz4-1.9.3.tar.gz) = 320958 bytes
 SHA1 (patch-Makefile.inc) = 55d576430ed1a160709a56e104edc14cad88e5a9
 SHA1 (patch-lib_Makefile) = 8eda2146522bd2d5e418916fd99fb201810cb36d
+SHA1 (patch-lib_lz4.c) = 3bf75be43d585a613e56a21c1e7bdfff541371f4
 SHA1 (patch-programs_Makefile) = 671728182325f03164eb898d9d846fd2aa4353f7
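
Review bot: the added `patch-lib_lz4.c` entry is recorded with SHA1 only, while the distfile in the same file also carries RMD160 and SHA512 digests. This matches the neighbouring patch entries, so it is not a regression, but since this patch carries a security fix it would be better to record a stronger digest for patch files as well if the tooling allows it. The distfile digests are unchanged, which is consistent with a patch-only fix against lz4-1.9.3.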

Added files:

Index: pkgsrc/archivers/lz4/patches/patch-lib_lz4.c
diff -u /dev/null pkgsrc/archivers/lz4/patches/patch-lib_lz4.c:1.1
--- /dev/null   Fri Aug  6 05:08:50 2021
+++ pkgsrc/archivers/lz4/patches/patch-lib_lz4.c        Fri Aug  6 05:08:50 2021
@@ -0,0 +1,20 @@
+$NetBSD: patch-lib_lz4.c,v 1.1 2021/08/06 05:08:50 kim Exp $
+
+Fix potential memory corruption with negative memmove() size
+Ref: https://github.com/lz4/lz4/pull/972
+
+Addresses CVE-2021-3520
+
+https://github.com/lz4/lz4/commit/7a966c1511816b53ac93aa2f2a2ff97e036a4a60.patch
+
+--- lib/lz4.c
++++ lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+                  const size_t dictSize         /* note : = 0 if noDict */
+                  )
+ {
+-    if (src == NULL) { return -1; }
++    if ((src == NULL) || (outputSize < 0)) { return -1; }
+ 
+     {   const BYTE* ip = (const BYTE*) src;
+         const BYTE* const iend = ip + srcSize;
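
Review bot: the guard added at the top of LZ4_decompress_generic() covers `outputSize < 0`, but the context line `const BYTE* const iend = ip + srcSize;` just below uses srcSize in pointer arithmetic and no corresponding check on it is visible in this hunk. Please confirm that srcSize is validated elsewhere (by the callers or later in the function); if it is not, extend the condition to reject a negative srcSize too. A one-line comment on the new condition saying that a negative outputSize would otherwise end up as a memmove() size, as the log message describes, would also help anyone carrying this patch forward to the next lz4 update.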
