diff options
| author | kim <kim@pkgsrc.org> | 2021-08-06 05:08:50 +0000 |
|---|---|---|
| committer | kim <kim@pkgsrc.org> | 2021-08-06 05:08:50 +0000 |
| commit | a72eadccefcc67b50f4bacc83b90037791e2e507 (patch) | |
| tree | 9cdc4c8e24d863bf79e069a4f686a8a3ad38252e | |
| parent | 436e0ba58725bb09e4070c8e1502526b25c139b0 (diff) | |
| download | pkgsrc-a72eadccefcc67b50f4bacc83b90037791e2e507.tar.gz | |
Fix potential memory corruption with negative memmove() size
Addresses CVE-2021-3520
Ref: https://github.com/lz4/lz4/pull/972
| -rw-r--r-- | archivers/lz4/Makefile | 3 | ||||
| -rw-r--r-- | archivers/lz4/distinfo | 3 | ||||
| -rw-r--r-- | archivers/lz4/patches/patch-lib_lz4.c | 20 |
3 files changed, 24 insertions, 2 deletions
diff --git a/archivers/lz4/Makefile b/archivers/lz4/Makefile index 621df1bfd90..f82cf4354bc 100644 --- a/archivers/lz4/Makefile +++ b/archivers/lz4/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.22 2021/06/03 06:55:00 nia Exp $ +# $NetBSD: Makefile,v 1.23 2021/08/06 05:08:50 kim Exp $ DISTNAME= lz4-1.9.3 +PKGREVISION= 1 CATEGORIES= archivers MASTER_SITES= ${MASTER_SITE_GITHUB:=lz4/} GITHUB_TAG= v${PKGVERSION_NOREV} diff --git a/archivers/lz4/distinfo b/archivers/lz4/distinfo index fe92331e66a..e3ffa85b095 100644 --- a/archivers/lz4/distinfo +++ b/archivers/lz4/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.19 2020/11/19 10:36:57 adam Exp $ +$NetBSD: distinfo,v 1.20 2021/08/06 05:08:50 kim Exp $ SHA1 (lz4-1.9.3.tar.gz) = 5a19554ef404a609123b756ddcbbb677df838f05 RMD160 (lz4-1.9.3.tar.gz) = b933c4794c0b9634e453dba5875bf1b1b0b79e70 @@ -6,4 +6,5 @@ SHA512 (lz4-1.9.3.tar.gz) = c246b0bda881ee9399fa1be490fa39f43b291bb1d9db72dba8a8 Size (lz4-1.9.3.tar.gz) = 320958 bytes SHA1 (patch-Makefile.inc) = 55d576430ed1a160709a56e104edc14cad88e5a9 SHA1 (patch-lib_Makefile) = 8eda2146522bd2d5e418916fd99fb201810cb36d +SHA1 (patch-lib_lz4.c) = 3bf75be43d585a613e56a21c1e7bdfff541371f4 SHA1 (patch-programs_Makefile) = 671728182325f03164eb898d9d846fd2aa4353f7 diff --git a/archivers/lz4/patches/patch-lib_lz4.c b/archivers/lz4/patches/patch-lib_lz4.c new file mode 100644 index 00000000000..4761e0e4340 --- /dev/null +++ b/archivers/lz4/patches/patch-lib_lz4.c @@ -0,0 +1,20 @@ +$NetBSD: patch-lib_lz4.c,v 1.1 2021/08/06 05:08:50 kim Exp $ + +Fix potential memory corruption with negative memmove() size +Ref: https://github.com/lz4/lz4/pull/972 + +Addresses CVE-2021-3520 + +https://github.com/lz4/lz4/commit/7a966c1511816b53ac93aa2f2a2ff97e036a4a60.patch + +--- lib/lz4.c ++++ lib/lz4.c +@@ -1749,7 +1749,7 @@ LZ4_decompress_generic( + const size_t dictSize /* note : = 0 if noDict */ + ) + { +- if (src == NULL) { return -1; } ++ if ((src == NULL) || (outputSize < 0)) { return -1; } + + { const BYTE* ip = (const BYTE*) src; + const BYTE* const iend = ip + srcSize; |