summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/unzip
Commit message (Collapse)AuthorAgeFilesLines
* unzip: Port debian fixes for two CVEsRichard Purdie2022-07-083-0/+74
| | | | | | | | | | | | | | | | Add two fixes from debian for two CVEs. From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 I wans't able to get the reproducers to work but the added error checking isn't probably a bad thing. (From OE-Core rev: 097469513f6dea7c678438e71a152f4e77fe670d) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 054be00a632c2918dd1f973e76514e459fc6f017) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix CVE-2021-4217Joe Slater2022-07-082-0/+68
| | | | | | | | | | | | Avoid a null pointer dereference. (From OE-Core rev: 357791da82f767ad695e4476aa12fea3d7db5e04) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 36db85b9b127e5a9f5d3d6e428168cf597ab95f3) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Exclude CVE-2008-0888 from cve-checkRichard Purdie2021-05-201-0/+3
| | | | | | | | | | | | The patch mentioned as the fix for the CVE is applied to the 6.0 source code. Zip versioning makes CPE entry changes hard. (From OE-Core rev: 4ff9d2c57d9cade1faa3916f171e5ad96ee32487) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8917e5ae2bb44d017fc0155f16632c5decadb0bd) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/recipes-extended: Add HOMEPAGE / DESCRIPTIONDorinda2021-03-181-0/+1
| | | | | | | | | | | | | | Added HOMEPAGE and DESCRIPTION for recipes with missing decriptions or homepage [YOCTO #13471] (From OE-Core rev: d2e54108558bcf3a44d65505a643ace5cf365d8a) Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cc6c7af900ae0196a62b7fa1375c55bbcd8e68b4) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Fix CVE-2019-13232Dan Tran2019-09-304-0/+513
| | | | | | | (From OE-Core rev: a9db9617349a766ffe0df724fff9266eb1667cdd) Signed-off-by: Dan Tran <dantran@microsoft.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Revert "unzip: fix CVE-2019-13232"Khem Raj2019-07-232-340/+0
| | | | | | | | | | | | | | See [1] This reverts commit 4df4de2ac8bc0e80446e1ad0ce67eb244e2d2a32. [1] http://lists.openembedded.org/pipermail/openembedded-core/2019-July/284859.html (From OE-Core rev: 14655b3a54d086cbbd702adf9446fabf57ce51b0) Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix CVE-2019-13232Anuj Mittal2019-07-192-0/+340
| | | | | | | | | Include the fix by Mark Adler which has also been adopted by Debian. (From OE-Core rev: 4df4de2ac8bc0e80446e1ad0ce67eb244e2d2a32) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: actually apply CVE-2018-18384Ross Burton2018-11-091-0/+1
| | | | | | | (From OE-Core rev: d8e1b7afc536f989e7e6efdab0998d54f26ad1f6) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix for CVE-2018-18384Changqing Li2018-11-071-0/+39
| | | | | | | (From OE-Core rev: 2ddb3b25ed063b47d3fe2b3e9e17b7f9d0e2a7e5) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: add nativesdk supportAndrej Valek2018-09-201-1/+1
| | | | | | | | (From OE-Core rev: 82886e19ba874a33e618a4854a32987884e2c058) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix CVE-2018-1000035Changqing Li2018-08-202-0/+49
| | | | | | | (From OE-Core rev: f75289b9215580030540245cd0b5f945bfb05ffa) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix symlink problemRoss Burton2018-07-302-0/+27
| | | | | | | | | Large zip files can cause unzip to crash, take a patch from Fedora to fix it. (From OE-Core rev: a001833b7c7a0a6eef88e053fe65e2a0c91ca7bc) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: refresh patchesRoss Burton2018-03-071-5/+7
| | | | | | | | | | | | | | | | | | | The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in. Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad. We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed. (From OE-Core rev: b45ce6dbbd459ecc96eae76b5695927dbda1dbb4) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* selftest: fix distrodata.py to use per-recipe UPSTREAM_VERSION_UNKNOWN settingAlexander Kanavin2017-08-161-0/+1
| | | | | | | | | | | ... instead of a global exception list which was problematic. [YOCTO #11896] (From OE-Core rev: 89dfede4ca795ba085f1ee7290c6dede573c11db) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: add missing CVE headers to patchesRoss Burton2017-04-142-2/+2
| | | | | | | (From OE-Core rev: de7ff341d18f46d68abeabcb53ba07d012090c15) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: CVE-2014-9913 CVE-2016-9844Zhixiong Chi2017-03-013-1/+68
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Backport the patches for CVE-2014-9913 CVE-2016-9844 CVE-2016-9844: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. CVE-2014-9913: Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method. Patches come from: https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/archivers/unzip/ or https://release.debian.org/proposed-updates/stable_diffs/unzip_6.0-16+deb8u3.debdiff Bug-Debian: https://bugs.debian.org/847486 Bug-Ubuntu: https://launchpad.net/bugs/1643750 (LOCAL REV: NOT UPSTREAM) --send to oe-core on 20170222 (From OE-Core rev: fc386ed4afb76bd3e5a3afff54d7dc8dde14fe9c) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fixes strange outputEdwin Plauchu2016-09-031-120/+78
| | | | | | | | | | | | | | This fixes commit 763a3d424bccf559a8d6add3dc1f2746c82f2933 Output was strange when using unzip to extract zip file. This patch fixed so. [YOCTO #9551] (From OE-Core rev: 30486429ed228e387ee574c6990b361d2ade6a32) Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix security issuesEdwin Plauchu2016-06-012-0/+140
| | | | | | | | | | | This patch avoids unzip fails to compile with compiler flags which elevate common string formatting issues into an error (-Wformat -Wformat-security -Werror=format-security). [YOCTO #9551] (From OE-Core rev: 2dd1c02fbc7492002df9030f50710e242369e8b2) Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: update SRC_URIRoss Burton2016-05-191-1/+1
| | | | | | | | | | | | The infozip FTP server appears to have been taken down, so change the SRC_URI to point at their SourceForge project. [ YOCTO #9655 ] (From OE-Core rev: 879b2c5ee2ae39d6c1ae9d44ab243d8c7b7874b4) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Explicitly set EXTRA_OEMAKE as requiredMike Crowe2016-02-101-1/+1
| | | | | | | | | | | This recipe currently relies on EXTRA_OEMAKE having been set to "-e MAKEFLAGS=" in bitbake.conf to operate. It is necessary to make this explicit so that the default in bitbake.conf can be changed. (From OE-Core rev: 9e38dc9b6b70b81d778c299f9a7fab30116c74fa) Signed-off-by: Mike Crowe <mac@mcrowe.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Add "CVE:" tag to current patches in OE-coreMariano Lopez2016-01-117-0/+7
| | | | | | | | | | | | | | The currnet patches in OE-core doesn't have the "CVE:" tag, now part of the policy of the patches. This is patch add this tag to several patches. There might be patches that I miss; the tag can be added in the future. (From OE-Core rev: 065ebeb3e15311d0d45385e15bf557b1c95b1669) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* package_regex.inc: split entries which blacklist specific versions to their ↵Alexander Kanavin2015-12-081-0/+4
| | | | | | | | | | recipes (From OE-Core rev: 1eb9e190ef3bb1170b3eaabd9f7900e7ce176624) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: rename patch to reflect CVE fixRoss Burton2015-11-162-1/+1
| | | | | | | (From OE-Core rev: e3d2974348bd830ec2fcf84ea08cbf38abbc0327) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: CVE-2015-7696, CVE-2015-7697Tudor Florea2015-11-023-0/+71
| | | | | | | | | | | | | | | | CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with password CVE-2015-7697: Fixes a denial of service with a file that never finishes unzipping References: http://www.openwall.com/lists/oss-security/2015/10/11/5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7696 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697 (From OE-Core rev: a11b23a7d2a29414a4ea47c411f09a68b1b28e2d) Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: drop 12-cve-2014-9636-test-compr-eb.patchRoy Li2015-07-012-46/+0
| | | | | | | | | | 12-cve-2014-9636-test-compr-eb.patch is same as unzip-6.0_overflow3.diff, is to fix CVE-2014-9636 (From OE-Core rev: 43cc77f6dd1615ec6797a159647a1ad677c1df23) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: fix four CVE defectsRoy Li2015-06-275-0/+278
| | | | | | | | | | | | | | Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix: cve-2014-8139 cve-2014-8140 cve-2014-8141 cve-2014-9636 (From OE-Core rev: 5e9f29b1c212f7a067772699e7fc9b6e233baa34) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315Roy Li2015-05-143-1/+451
| | | | | | | | | | | | | | | | | | | | | | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636 unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1315 Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8. (From OE-Core rev: f86a178fd7036541a45bf31a46bddf634c133802) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Add ALTERNATIVE configurationSaul Wold2015-03-201-0/+7
| | | | | | | | | | | | | Since busybox also provides the unzip command use the update-alternatives mechanism to address this. [YOCTO #7446] (From OE-Core rev: 3e6654f7b7f8e0e18c8115513410ecb308a0ad5f) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Pass LDFLAGS to the linkerMikhail Durnev2014-01-292-2/+21
| | | | | | | | | Change Makefile to use LDFLAGS (From OE-Core rev: 4f211322eb1179db62c03616b4c113114c612cf8) Signed-off-by: Mikhail Durnev <Mikhail_Durnev@mentor.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Replace one-line DESCRIPTION with SUMMARYPaul Eggleton2014-01-021-1/+1
| | | | | | | | | | | | | | A lot of our recipes had short one-line DESCRIPTION values and no SUMMARY value set. In this case it's much better to just set SUMMARY since DESCRIPTION is defaulted from SUMMARY anyway and then the SUMMARY is at least useful. I also took the opportunity to fix up a lot of the new SUMMARY values, making them concisely explain the function of the recipe / package where possible. (From OE-Core rev: b8feee3cf21f70ba4ec3b822d2f596d4fc02a292) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: pay some attention to our CFLAGSJoe Slater2012-11-241-2/+7
| | | | | | | | | | | | Makefile makes use of CFLAGS_NOOPT. If we set that when calling make we can enable options like -g. The Makefile will override any optimization to -O3. (From OE-Core rev: 7f26794dc9f2e78ee8aed1e23752acb709345c6f) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* recipes-extended: replace virtclass-native(sdk) with class-native(sdk)Robert Yang2012-11-021-1/+1
| | | | | | | | | | | | | The overrides virtclass-native and virtclass-nativesdk are deprecated, which should be replaced by class-native and class-nativesdk. [YOCTO #3297] (From OE-Core rev: 528b4ab831c7b0bc1412318d29e2b7f9cf711d57) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Fix unpackaged files warningsRichard Purdie2012-03-161-1/+2
| | | | | | | | | WARNING: For recipe unzip, the following files/directories were installed but not shipped in any package: WARNING: /usr/man (From OE-Core rev: c07c236056ef5b2fe462c3025ac41bd618a62542) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Patch Upstream Status UpdatesSaul Wold2011-12-151-0/+2
| | | | | | | (From OE-Core rev: 0eb139619301d0efee330932eba3617dcb39284e) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* OECore license fixes: meta/*Elizabeth Flanagan2011-12-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a quick audit of only the most obviously wrong licenses found within OECore. These fixes fall into four areas: - LICENSE field had incorrect format so that the parser choked - LICENSE field has a license with no version - LICENSE field was actually incorrect - LICENSE field has an imaginary license that didn't exist This fixes most of the LICENSE warnings thrown, along with my prior commit adding additional licenses to common-licenses and additional SPDXLICENSEMAP entries. HOWEVER..... there is much to be done on the license front. For a list of recipes with licenses that need obvious fixing see: https://wiki.yoctoproject.org/wiki/License_Audit That said, I would suggest another license audit as I've found enough inconsistencies. A good suggestion is when in doubt, look at how openSuse or Gentoo or Debian license the package. (From OE-Core rev: 3083dd70b3a9fa01fcc3cf00373b05502505996e) Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* unzip: Avoid stripping binariesMark Hatle2011-06-232-2/+53
| | | | | | | | | | Not only do we have to override things on the make line, but we need to hack on configure as well to avoid certain behavior. (From OE-Core rev: 97a6bf1787995f15c8033bd26bdbe50c7efbbcfd) Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* SRC_URI Checksums AdditionalsSaul Wold2010-12-091-0/+3
| | | | Signed-off-by: Saul Wold <sgw@linux.intel.com>
* packages: Separate out most of the remaining packages into recipesRichard Purdie2010-09-011-0/+25
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>