From: Andre Heider Date: Sat, 14 Jan 2023 10:40:39 +0000 (+0100) Subject: lrzsz: update to v0.12.21rc and fix a CVE X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=6d6c4b21b5e2;p=feed%2Fpackages.git lrzsz: update to v0.12.21rc and fix a CVE This updates to v0.12.21rc from 1999 (sic), which was never officially released. There're fixes in there, and it's what debian ships, so let's use that too. While at it, use debian's autohell hack and package description too. Patch 1 fixes a hang with musl. Patch 2 fixes CVE-2018-10195, add PKG_CPE_ID while at it. Refesh the rest. Fixes: CVE-2018-10195 Signed-off-by: Andre Heider --- diff --git a/utils/lrzsz/Makefile b/utils/lrzsz/Makefile index 9eab1b6813..5eb6f81e85 100644 --- a/utils/lrzsz/Makefile +++ b/utils/lrzsz/Makefile @@ -8,16 +8,18 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lrzsz -PKG_VERSION:=0.12.20 -PKG_RELEASE:=3 +PKG_VERSION:=0.12.21 +PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://ohse.de/uwe/releases/ -PKG_HASH:=c28b36b14bddb014d9e9c97c52459852f97bd405f89113f30bee45ed92728ff1 +PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.gz +PKG_SOURCE_URL:=@DEBIAN/pool/main/l/lrzsz/ +PKG_HASH:=3262e5df47b108d33e184ff3bf5af14ddca1ac15118ac4ed9171a57c1593ae00 +PKG_BUILD_DIR=$(BUILD_DIR)/lrzsz-990823 PKG_MAINTAINER:=Hsing-Wang Liao PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=COPYING +PKG_CPE_ID:=cpe:/a:lrzsz_project PKG_INSTALL:=1 @@ -26,15 +28,24 @@ include $(INCLUDE_DIR)/package.mk define Package/lrzsz SECTION:=utils CATEGORY:=Utilities - TITLE:=X, Y and Z-modem protocols + TITLE:=Tools for zmodem/xmodem/ymodem file transfer URL:=https://ohse.de/uwe/software/lrzsz.html endef define Package/lrzsz/description - Transfer files in your login sessions. - Very leightweight and straight forward. - You just need a terminal client that can do - either X, Y or Z-modem file transfers. + lrzsz is a cosmetically modified zmodem/ymodem/xmodem package built + from the public-domain version of Chuck Forsberg's rzsz package. + + These programs use error correcting protocols ({z,x,y}modem) to send + (sz, sx, sb) and receive (rz, rx, rb) files over a dial-in serial port + from a variety of programs running under various operating systems. +endef + +# to stop automake from running, the bundled autohell crap is too old +define Build/Configure + touch $(PKG_BUILD_DIR)/* + touch $(PKG_BUILD_DIR)/*/* + $(call Build/Configure/Default) endef define Package/lrzsz/install diff --git a/utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch b/utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch new file mode 100644 index 0000000000..730d466897 --- /dev/null +++ b/utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch @@ -0,0 +1,22 @@ +From 89fef6d8dc539ed6225b46b8e755e08bbf48d27b Mon Sep 17 00:00:00 2001 +From: Uwe Ohse +Date: Sun, 1 Mar 2020 22:34:24 +0000 +Subject: [PATCH] siginterrupt after the call to signal, otherwise ymodem + transfer hangs. WTF? + +--- + src/zreadline.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/src/zreadline.c ++++ b/src/zreadline.c +@@ -71,6 +71,9 @@ readline_internal(unsigned int timeout) + vstringf("Calling read: alarm=%d Readnum=%d ", + n, readline_readnum); + signal(SIGALRM, zreadline_alarm_handler); ++#ifdef HAVE_SIGINTERRUPT ++ siginterrupt(SIGALRM,1); ++#endif + alarm(n); + } + else if (Verbose > 5) diff --git a/utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch b/utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch new file mode 100644 index 0000000000..81ec959639 --- /dev/null +++ b/utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch @@ -0,0 +1,28 @@ +From a7c525191aa725f4ebb7b489cdd7dd854a4e42fb Mon Sep 17 00:00:00 2001 +From: Uwe Ohse +Date: Sun, 1 Mar 2020 22:35:28 +0000 +Subject: [PATCH] may-be-security-fix: avoid possible underflow + +Fixes: CVE-2018-10195 + +[a.heider: mention CVE in commit message] +--- + src/zm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/src/zm.c ++++ b/src/zm.c +@@ -432,10 +432,11 @@ zsdata(const char *buf, size_t length, i + VPRINTF(3,("zsdata: %lu %s", (unsigned long) length, + Zendnames[(frameend-ZCRCE)&3])); + crc = 0; +- do { ++ while (length>0) { + zsendline(*buf); crc = updcrc((0377 & *buf), crc); + buf++; +- } while (--length>0); ++ length--; ++ } + xsendline(ZDLE); xsendline(frameend); + crc = updcrc(frameend, crc); + diff --git a/utils/lrzsz/patches/100-install_delete_fix.patch b/utils/lrzsz/patches/100-install_delete_fix.patch index 7f3995d519..7263ab8434 100644 --- a/utils/lrzsz/patches/100-install_delete_fix.patch +++ b/utils/lrzsz/patches/100-install_delete_fix.patch @@ -1,6 +1,6 @@ --- a/src/Makefile.in +++ b/src/Makefile.in -@@ -372,13 +372,13 @@ install-exec-local: +@@ -414,13 +414,13 @@ install-exec-local: rm -f $(DESTDIR)/$(bindir)/`echo lsb | sed -e '$(transform)'` ln $(DESTDIR)/$(bindir)/`echo lsz |sed -e '$(transform)'` \ $(DESTDIR)/$(bindir)/`echo lsb |sed -e '$(transform)'` diff --git a/utils/lrzsz/patches/200-format.patch b/utils/lrzsz/patches/200-format.patch index 0e244a0e27..26b86c16a4 100644 --- a/utils/lrzsz/patches/200-format.patch +++ b/utils/lrzsz/patches/200-format.patch @@ -10,7 +10,7 @@ --- a/src/lrz.c +++ b/src/lrz.c -@@ -2319,7 +2319,7 @@ exec2(const char *s) +@@ -2296,7 +2296,7 @@ exec2(const char *s) if (*s == '!') ++s; io_mode(0,0); @@ -31,7 +31,7 @@ #endif --- a/src/lsz.c +++ b/src/lsz.c -@@ -1997,7 +1997,7 @@ zsendfdata (struct zm_fileinfo *zi) +@@ -1988,7 +1988,7 @@ zsendfdata (struct zm_fileinfo *zi) blklen = calc_blklen (total_sent); total_sent += blklen + OVERHEAD; if (Verbose > 2 && blklen != old) @@ -40,29 +40,9 @@ #ifdef HAVE_MMAP if (mm_addr) { if (zi->bytes_sent + blklen < mm_size) ---- a/src/tcp.c -+++ b/src/tcp.c -@@ -56,7 +56,7 @@ tcp_server (char *buf) - struct sockaddr_in s; - struct sockaddr_in t; - int on=1; -- size_t len; -+ socklen_t len; - - if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { - error(1,errno,"socket"); -@@ -91,7 +91,7 @@ tcp_accept (int d) - { - int so; - struct sockaddr_in s; -- size_t namelen; -+ socklen_t namelen; - int num=0; - - namelen = sizeof(s); --- a/src/zm.c +++ b/src/zm.c -@@ -451,7 +451,7 @@ zsda32(const char *buf, size_t length, i +@@ -453,7 +453,7 @@ zsda32(const char *buf, size_t length, i int c; unsigned long crc; int i; @@ -73,7 +53,7 @@ zsendline_s(buf,length); --- a/src/zreadline.c +++ b/src/zreadline.c -@@ -68,13 +68,13 @@ readline_internal(unsigned int timeout) +@@ -68,7 +68,7 @@ readline_internal(unsigned int timeout) else if (n==0) n=1; if (Verbose > 5) @@ -81,6 +61,8 @@ + vstringf("Calling read: alarm=%u Readnum=%zu ", n, readline_readnum); signal(SIGALRM, zreadline_alarm_handler); + #ifdef HAVE_SIGINTERRUPT +@@ -77,7 +77,7 @@ readline_internal(unsigned int timeout) alarm(n); } else if (Verbose > 5)