From: Peter Korsgaard <peter@korsgaard.com>
To: Francois Perrad <francois.perrad@gadz.org>
Cc: buildroot@busybox.net
Subject: Re: [Buildroot] [PATCH] package/libarchive: bump to version 3.7.6
Date: Sat, 19 Oct 2024 21:16:34 +0200
Message-ID: <8734krdht9.fsf@dell.be.48ers.dk>
In-Reply-To: <20240925133735.3899867-1-francois.perrad@gadz.org> (Francois Perrad's message of "Wed, 25 Sep 2024 15:37:34 +0200")
>>>>> "Francois" == Francois Perrad <francois.perrad@gadz.org> writes:
> Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Looking at https://github.com/libarchive/libarchive/releases I see that
this fixes a number of security issues, so it should be marked as a
security bump:

Security fixes:
fix multiple vulnerabilities identified by SAST (#2251, #2256)
cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
lzop: prevent integer overflow (#2174)
rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
rar4: fix CVE-2024-26256 (#2269, CVE-2024-26256)
rar4: fix OOB in delta and audio filter (#2148, #2149)
rar4: fix out of boundary access with large files (#2179)
rar4: add boundary checks to rgb filter (#2210)
rar4: fix OOB access with unicode filenames (#2203)
rar5: clear 'data ready' cache on window buffer reallocs (#2265)
rpm: calculate huge header sizes correctly (#2158)
unzip: unify EOF handling (#2175)
util: fix out of boundary access in mktemp functions (#2160)
uu: stop processing if lines are too long (#2168)

In addition, 3.7.7 has been released with more security fixes - care to
send a patch?

Committed to 2024.02.x and 2024.08.x after marking as a security bump,
thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
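The triage done by hand in the reply above (read the upstream release notes, pull out the CVE identifiers and issue references, and decide whether the bump must be tagged as a security bump so it gets backported to the stable branches) is easy to script. The following is an added example, not code from the thread, from Buildroot or from libarchive. It assumes release notes with headings that end in ":" (as in "Security fixes:"), and the commit-title wording "security bump to version X" is an assumed convention, not something the thread states. The sample notes are constructed: the security lines follow the excerpt quoted above, one identifier is spelled "CVS-2024-26256" on purpose (such typos do occur in hand-written notes) to exercise the malformed-identifier check, and the "Other changes" section with issue #9999 is made up.

```python
import re
from dataclasses import dataclass, field

# Strict CVE identifier as published by MITRE.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Looser pattern that also catches typos such as "CVS-2024-..." so they are
# reported for manual checking instead of silently dropped.
CVE_LIKE_RE = re.compile(r"\bCV[A-Z]-\d{4}-\d{4,}\b")
# Upstream issue / pull-request references like "#2172".
REF_RE = re.compile(r"#(\d+)\b")
# A trailing "(#2172, CVE-2024-20696)" group at the end of a line.
TRAILING_PAREN_RE = re.compile(r"\s*\([^()]*\)\s*$")


@dataclass
class FixEntry:
    component: str                       # "rar4", "cpio", ... ("" if none given)
    summary: str                         # line text without the trailing reference group
    refs: list[str] = field(default_factory=list)
    cves: list[str] = field(default_factory=list)
    malformed: list[str] = field(default_factory=list)


def parse_security_fixes(notes: str) -> list[FixEntry]:
    """Return the entries listed under a heading whose text contains "security".

    A heading is a line ending with ":" ("Security fixes:", "Other changes:").
    Lines before the first heading or under a non-security heading are ignored.
    """
    entries: list[FixEntry] = []
    in_security = False
    for raw in notes.splitlines():
        line = raw.strip().lstrip("-* ").strip()   # tolerate "- " / "* " bullets
        if not line:
            continue
        if line.endswith(":"):
            in_security = "security" in line.lower()
            continue
        if not in_security:
            continue
        component, sep, rest = line.partition(": ")
        if not sep:                                # no "component:" prefix
            component, rest = "", line
        cve_like = CVE_LIKE_RE.findall(line)
        entries.append(FixEntry(
            component=component,
            summary=TRAILING_PAREN_RE.sub("", rest).strip(),
            refs=REF_RE.findall(line),
            cves=CVE_RE.findall(line),
            malformed=[m for m in cve_like if not m.startswith("CVE-")],
        ))
    return entries


def version_tuple(version: str) -> tuple[int, ...]:
    """Dotted numeric version to a comparable tuple: "3.7.6" -> (3, 7, 6)."""
    return tuple(int(part) for part in version.strip().split("."))


def assess_bump(package: str, current: str, new: str, notes: str) -> dict:
    """Decide how a bump of `package` from `current` to `new` should be titled."""
    if version_tuple(new) <= version_tuple(current):
        raise ValueError(f"{new} is not newer than {current}")
    entries = parse_security_fixes(notes)
    is_security = bool(entries)
    kind = "security bump" if is_security else "bump"
    return {
        # Assumed commit-title convention (the thread only says "marked as a
        # security bump").
        "title": f"package/{package}: {kind} to version {new}",
        "is_security": is_security,
        "fix_count": len(entries),
        "cves": sorted({c for e in entries for c in e.cves}),
        "refs": sorted({r for e in entries for r in e.refs}, key=int),
        "malformed": sorted({m for e in entries for m in e.malformed}),
    }


# Constructed sample input (see the lead-in): security lines after the quoted
# excerpt, one deliberately misspelled identifier, and a made-up second section.
SAMPLE_NOTES = """\
Security fixes:
fix multiple vulnerabilities identified by SAST (#2251, #2256)
cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
lzop: prevent integer overflow (#2174)
rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
rar4: fix CVE-2024-26256 (#2269, CVS-2024-26256)
rar5: clear 'data ready' cache on window buffer reallocs (#2265)
Other changes:
build: drop an obsolete configure check (#9999)
"""

if __name__ == "__main__":
    result = assess_bump("libarchive", "3.7.4", "3.7.6", SAMPLE_NOTES)
    print(result["title"])
    print("CVEs:", ", ".join(result["cves"]) or "none")
    print("refs:", ", ".join("#" + r for r in result["refs"]))
    if result["malformed"]:
        print("check these identifiers by hand:", ", ".join(result["malformed"]))
```

The strict CVE regex is what you want in the commit message, but on its own it would have dropped the misspelled identifier without a trace; the looser `CVE_LIKE_RE` exists only to surface such lines so the reviewer looks them up rather than trusting the automated list.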
Thread overview: 3+ messages
2024-09-25 13:37 [Buildroot] [PATCH] package/libarchive: bump to version 3.7.6 Francois Perrad
2024-10-02 21:11 ` Thomas Petazzoni via buildroot
2024-10-19 19:16 ` Peter Korsgaard [this message]