[Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587

Arnout Vandecappelle arnout at mind.be
Tue Apr 19 20:32:15 UTC 2022



On 19/04/2022 13:34, Peter Korsgaard wrote:
> Fixes the following security issue:
> 
> - CVE-2022-1271: Malicious filenames can make xzgrep write to arbitrary
>    files or (with a GNU sed extension) lead to arbitrary code execution.
> 
> For more details, see the announcement and advisory:
> 
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
> https://www.zerodayinitiative.com/advisories/ZDI-22-619/
> 
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   package/xz/xz.hash | 1 +
>   package/xz/xz.mk   | 4 ++++
>   2 files changed, 5 insertions(+)
> 
> diff --git a/package/xz/xz.hash b/package/xz/xz.hash
> index 3dd0cbe459..9577e98e80 100644
> --- a/package/xz/xz.hash
> +++ b/package/xz/xz.hash
> @@ -1,5 +1,6 @@
>   # Locally calculated after checking pgp signature
>   sha256  5117f930900b341493827d63aa910ff5e011e0b994197c3b71c08a20228a42df  xz-5.2.5.tar.bz2
> +sha256  98c6cb1042284fe704ec30083f3fc87364ce9ed2ea51f62bbb0ee9d3448717ec  xzgrep-ZDI-CAN-16587.patch
>   
>   # Hash for license files
>   sha256  bcb02973ef6e87ea73d331b3a80df7748407f17efdb784b61b47e0e610d3bb5c  COPYING
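Review bot: the new `xzgrep-ZDI-CAN-16587.patch` hash line sits directly under the comment "# Locally calculated after checking pgp signature", so it reads as if the patch were covered by that signature check too, but only the tarball is PGP-signed; the patch's sha256 can only be computed from the downloaded file. Give the patch its own comment line (e.g. `# Locally calculated`, ideally with the URL the patch was fetched from) so a later reader does not assume a signature was verified for it.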
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index af611975a0..cdb01e06a9 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -13,6 +13,10 @@ XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
>   XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
>   XZ_CPE_ID_VENDOR = tukaani
>   
> +XZ_PATCH = xzgrep-ZDI-CAN-16587.patch
> +# xzgrep-ZDI-CAN-16587.patch
> +XZ_IGNORE_CVES += CVE-2022-1271
> +
>   ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
>   XZ_CONF_OPTS += --enable-threads
>   else
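Review bot: the comment `# xzgrep-ZDI-CAN-16587.patch` above `XZ_IGNORE_CVES += CVE-2022-1271` only repeats the patch filename; an ignored CVE should state why it no longer applies, e.g. `# CVE-2022-1271 is fixed by xzgrep-ZDI-CAN-16587.patch`, so that the ignore entry can be audited without reading the hunk above it. Also note that `XZ_PATCH` is given as a bare filename rather than a URL, so Buildroot fetches it relative to the package's `XZ_SITE` (not visible in this hunk); that download is what the added sha256 line in xz.hash has to cover, so the two hunks must stay in step if the patch filename ever changes.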

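The commit message above describes the class of bug: a filename is interpolated into a sed script, so a name containing the script's delimiter can append further sed commands (`w` to write a file, or GNU sed's `e` to run a command). The actual xzgrep line and the upstream patch are not shown on this page; the script below is an added, constructed illustration of that class and of the escaping that closes it, not xz's own code. The function names `unsafe_prefix`, `safe_prefix` and `sed_escape_replacement`, the hostile name in `EVIL_NAME`, and the input line `match` are all assumptions made for the example. The injected command is a harmless `p` so the script can be run safely; a real attack would use `w` or `e` in its place.

```shell
#!/bin/sh
# Constructed illustration (not the xzgrep source or the upstream patch):
# a filename interpolated verbatim into a sed script, beside a hardened form.

# Vulnerable shape: "$1" lands inside the sed script unescaped. A name that
# contains the `|` delimiter terminates the replacement, and whatever follows
# is parsed as further sed commands (w FILE writes a file; GNU sed's e runs
# a shell command).
unsafe_prefix() {
    sed "s|^|$1:|"
}

# Hardened shape: escape everything that is special in the replacement half
# of an s||| command: the delimiter, backslash, `&` (the whole match) and
# newline (which would otherwise end the s command). Each inner newline of
# a multi-line name becomes backslash-newline, which sed reads as a literal
# newline. Caveat: $(...) drops trailing newlines of the name.
sed_escape_replacement() {
    printf '%s\n' "$1" | LC_ALL=C sed -e 's/[\\|&]/\\&/g' -e '$!s/$/\\/'
}

safe_prefix() {
    sed "s|^|$(sed_escape_replacement "$1"):|"
}

# Constructed hostile filename: closes the replacement, adds a harmless `p`
# command, then a newline and `#` so sed treats the trailing `:|` that the
# script appends as a comment.
EVIL_NAME=$(printf 'x|;p\n#')

# With the vulnerable form the injected `p` makes every line print twice;
# with the hardened form the hostile name is reproduced literally.
demo_unsafe() { printf 'match\n' | unsafe_prefix "$EVIL_NAME"; }
demo_safe()   { printf 'match\n' | safe_prefix "$EVIL_NAME"; }

main() {
    echo "--- vulnerable: injected p command runs ---"
    demo_unsafe
    echo "--- hardened: name is treated as text ---"
    demo_safe
}

main
```

Run it as `sh example.sh`; the vulnerable variant emits `xmatch` twice (the `p` injected through the filename plus sed's normal autoprint), while the hardened variant emits the filename verbatim followed by `:match`.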