From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. a0a3d81c123cece4c25227c71c983a45594715e7
Date: Wed, 06 Aug 2014 09:36:43 +0200	[thread overview]
Message-ID: <20140806073644.0216E215CD@argus.ipfire.org> (raw)


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  a0a3d81c123cece4c25227c71c983a45594715e7 (commit)
       via  b283b2cf8ffbeea1ab19237ca82db95a45efbb47 (commit)
      from  c2f80e67a711eee43dd5c815defc689fc7604b64 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a0a3d81c123cece4c25227c71c983a45594715e7
Merge: b283b2c c2f80e6
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Aug 6 09:36:31 2014 +0200

    Merge branch 'master' of git.ipfire.org:/pub/git/ipfire-2.x

commit b283b2cf8ffbeea1ab19237ca82db95a45efbb47
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Aug 6 09:30:13 2014 +0200

    lzo: Downgrade to 2.0.6 (CVE-2014-4607 patched).
    
    openvpn fails at lzo_init with lzo-2.07 and 2.08 on armv5tel.

-----------------------------------------------------------------------

Summary of changes:
 lfs/lzo                                  |   5 +-
 src/patches/lzo-2.06-CVE-2014-4607.patch | 245 +++++++++++++++++++++++++++++++
 2 files changed, 248 insertions(+), 2 deletions(-)
 create mode 100755 src/patches/lzo-2.06-CVE-2014-4607.patch

Difference in files:
diff --git a/lfs/lzo b/lfs/lzo
index 1745f4c..19ad090 100644
--- a/lfs/lzo
+++ b/lfs/lzo
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.08
+VER        = 2.06
 
 THISAPP    = lzo-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = fcec64c26a0f4f4901468f360029678f
+$(DL_FILE)_MD5 = 95380bd4081f85ef08c5209f4107e9f8
 
 install : $(TARGET)
 
@@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lzo-2.06-CVE-2014-4607.patch
 	cd $(DIR_APP) && ./configure --prefix=/usr --enable-shared 
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
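Review bot: The added `patch -Np1` step carries no comment explaining why the recipe now pins an older release plus a backported security fix, so the reason for the downgrade lives only in the commit message. Above the `$(TARGET)` rule I would add `# lzo held at 2.06: 2.07/2.08 fail lzo_init under openvpn on armv5tel; CVE-2014-4607 is backported by src/patches/lzo-2.06-CVE-2014-4607.patch, drop the patch when moving to a fixed upstream release`. The rule may continue past the end of this hunk.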
diff --git a/src/patches/lzo-2.06-CVE-2014-4607.patch b/src/patches/lzo-2.06-CVE-2014-4607.patch
new file mode 100755
index 0000000..d22c406
--- /dev/null
+++ b/src/patches/lzo-2.06-CVE-2014-4607.patch
@@ -0,0 +1,245 @@
+diff --git a/minilzo/minilzo.c b/minilzo/minilzo.c
+index 34ce0f0..ecfdf66 100644
+--- a/minilzo/minilzo.c
++++ b/minilzo/minilzo.c
+@@ -3547,6 +3547,8 @@ DO_COMPRESS      ( const lzo_bytep in , lzo_uint  in_len,
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -3561,6 +3563,7 @@ DO_COMPRESS      ( const lzo_bytep in , lzo_uint  in_len,
+ #  if (LZO_TEST_OVERRUN_INPUT >= 2)
+ #    define NEED_IP(x) \
+             if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (lzo_uint)0 - (511)) goto input_overrun
+ #  endif
+ #endif
+ 
+@@ -3572,6 +3575,7 @@ DO_COMPRESS      ( const lzo_bytep in , lzo_uint  in_len,
+ #    undef TEST_OP
+ #    define NEED_OP(x) \
+             if ((lzo_uint)(op_end - op) < (lzo_uint)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (lzo_uint)0 - (511)) goto output_overrun
+ #  endif
+ #endif
+ 
+@@ -3602,11 +3606,13 @@ DO_COMPRESS      ( const lzo_bytep in , lzo_uint  in_len,
+ #  define HAVE_NEED_IP 1
+ #else
+ #  define NEED_IP(x)            ((void) 0)
++#  define TEST_IV(x)            ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ #  define HAVE_NEED_OP 1
+ #else
+ #  define NEED_OP(x)            ((void) 0)
++#  define TEST_OV(x)            ((void) 0)
+ #endif
+ 
+ #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP)
+@@ -3687,6 +3693,7 @@ DO_DECOMPRESS  ( const lzo_bytep in , lzo_uint  in_len,
+             {
+                 t += 255;
+                 ip++;
++                TEST_IV(t);
+                 NEED_IP(1);
+             }
+             t += 15 + *ip++;
+@@ -3835,6 +3842,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 31 + *ip++;
+@@ -3879,6 +3887,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 7 + *ip++;
+@@ -4073,6 +4082,8 @@ lookbehind_overrun:
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -4087,6 +4098,7 @@ lookbehind_overrun:
+ #  if (LZO_TEST_OVERRUN_INPUT >= 2)
+ #    define NEED_IP(x) \
+             if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (lzo_uint)0 - (511)) goto input_overrun
+ #  endif
+ #endif
+ 
+@@ -4098,6 +4110,7 @@ lookbehind_overrun:
+ #    undef TEST_OP
+ #    define NEED_OP(x) \
+             if ((lzo_uint)(op_end - op) < (lzo_uint)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (lzo_uint)0 - (511)) goto output_overrun
+ #  endif
+ #endif
+ 
+@@ -4128,11 +4141,13 @@ lookbehind_overrun:
+ #  define HAVE_NEED_IP 1
+ #else
+ #  define NEED_IP(x)            ((void) 0)
++#  define TEST_IV(x)            ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ #  define HAVE_NEED_OP 1
+ #else
+ #  define NEED_OP(x)            ((void) 0)
++#  define TEST_OV(x)            ((void) 0)
+ #endif
+ 
+ #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP)
+@@ -4213,6 +4228,7 @@ DO_DECOMPRESS  ( const lzo_bytep in , lzo_uint  in_len,
+             {
+                 t += 255;
+                 ip++;
++                TEST_IV(t);
+                 NEED_IP(1);
+             }
+             t += 15 + *ip++;
+@@ -4361,6 +4377,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 31 + *ip++;
+@@ -4405,6 +4422,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 7 + *ip++;
+diff --git a/src/lzo1_d.ch b/src/lzo1_d.ch
+index 40a5bfd..c442d9c 100644
+--- a/src/lzo1_d.ch
++++ b/src/lzo1_d.ch
+@@ -76,6 +76,8 @@
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -91,6 +93,7 @@
+ #  if (LZO_TEST_OVERRUN_INPUT >= 2)
+ #    define NEED_IP(x) \
+             if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (lzo_uint)0 - (511)) goto input_overrun
+ #  endif
+ #endif
+ 
+@@ -102,6 +105,7 @@
+ #    undef TEST_OP              /* don't need both of the tests here */
+ #    define NEED_OP(x) \
+             if ((lzo_uint)(op_end - op) < (lzo_uint)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (lzo_uint)0 - (511)) goto output_overrun
+ #  endif
+ #endif
+ 
+@@ -135,11 +139,13 @@
+ #  define HAVE_NEED_IP 1
+ #else
+ #  define NEED_IP(x)            ((void) 0)
++#  define TEST_IV(x)            ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ #  define HAVE_NEED_OP 1
+ #else
+ #  define NEED_OP(x)            ((void) 0)
++#  define TEST_OV(x)            ((void) 0)
+ #endif
+ 
+ 
+diff --git a/src/lzo1b_d.ch b/src/lzo1b_d.ch
+index fe5f361..36b4b6b 100644
+--- a/src/lzo1b_d.ch
++++ b/src/lzo1b_d.ch
+@@ -187,6 +187,7 @@ match:
+                 {
+                     t += 255;
+                     ip++;
++                    TEST_OV(t);
+                     NEED_IP(1);
+                 }
+                 t += (M4_MIN_LEN - M3_MIN_LEN) + *ip++;
+diff --git a/src/lzo1f_d.ch b/src/lzo1f_d.ch
+index 9e942f5..0c2199e 100644
+--- a/src/lzo1f_d.ch
++++ b/src/lzo1f_d.ch
+@@ -84,6 +84,7 @@ DO_DECOMPRESS  ( const lzo_bytep in , lzo_uint  in_len,
+             {
+                 t += 255;
+                 ip++;
++                TEST_IV(t);
+                 NEED_IP(1);
+             }
+             t += 31 + *ip++;
+@@ -138,6 +139,7 @@ match:
+                         {
+                             t += 255;
+                             ip++;
++                            TEST_OV(t);
+                             NEED_IP(1);
+                         }
+                         t += 31 + *ip++;
+diff --git a/src/lzo1x_d.ch b/src/lzo1x_d.ch
+index 49cf326..c804cc7 100644
+--- a/src/lzo1x_d.ch
++++ b/src/lzo1x_d.ch
+@@ -120,6 +120,7 @@ DO_DECOMPRESS  ( const lzo_bytep in , lzo_uint  in_len,
+             {
+                 t += 255;
+                 ip++;
++                TEST_IV(t);
+                 NEED_IP(1);
+             }
+             t += 15 + *ip++;
+@@ -273,6 +274,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 31 + *ip++;
+@@ -317,6 +319,7 @@ match:
+                     {
+                         t += 255;
+                         ip++;
++                        TEST_OV(t);
+                         NEED_IP(1);
+                     }
+                     t += 7 + *ip++;
+diff --git a/src/lzo2a_d.ch b/src/lzo2a_d.ch
+index 48e51ca..954f07e 100644
+--- a/src/lzo2a_d.ch
++++ b/src/lzo2a_d.ch
+@@ -131,6 +131,7 @@ DO_DECOMPRESS    ( const lzo_bytep in , lzo_uint  in_len,
+             {
+                 t += 255;
+                 ip++;
++                TEST_OV(t);
+                 NEED_IP(1);
+             }
+             t += *ip++;
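Review bot: The new patch file starts directly at `diff --git a/minilzo/minilzo.c` with no header saying where the backport was taken from, which makes it hard to audit later against the upstream CVE-2014-4607 fix. I would prepend a short comment block naming the upstream release or commit it derives from (`<UPSTREAM_SOURCE>`) and stating that it targets lzo 2.06. Note also that `TEST_IV`/`TEST_OV` expand to `((void) 0)` in the `#else` branches, i.e. whenever `NEED_IP`/`NEED_OP` are not defined, so the added overflow check on `t` appears to protect only the decompressor variants built with overrun testing enabled. It is worth confirming that consumers handling untrusted compressed data call those variants.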


hooks/post-receive
--
IPFire 2.x development tree
