security update to LZO 2.07, CVE-2014-4607

'Fixed a potential integer overflow condition in the "safe" decompressor variants which could result in a possible buffer overrun when processing maliciously crafted compressed input data. As this issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (2^24 bytes) compressed bytes within a single function call, the practical implications are limited.' See http://www.openwall.com/lists/oss-security/2014/06/26/20 for more details, there are also some embedded copies of "minilzo" from the same source in various other programs which are also affected by this
2014-06-26 22:52:52 +00:00 · 2014-06-26 22:52:52 +00:00 · 9ecbdf1562
commit 9ecbdf1562
parent 0e0b010ad2
2 changed files with 4 additions and 5 deletions
--- a/archivers/lzo2/Makefile
+++ b/archivers/lzo2/Makefile
@ -1,10 +1,9 @@
-# $OpenBSD: Makefile,v 1.9 2013/04/04 16:03:55 brad Exp $
+# $OpenBSD: Makefile,v 1.10 2014/06/26 22:52:52 sthen Exp $

 COMMENT=	portable speedy lossless data compression library

-DISTNAME=	lzo-2.06
+DISTNAME=	lzo-2.07
 PKGNAME=	${DISTNAME:S/lzo/lzo2/}
-REVISION=	0
 CATEGORIES=	archivers devel
 MASTER_SITES=	${HOMEPAGE}download/
 SHARED_LIBS +=	lzo2	0.0 # .2.0
--- a/archivers/lzo2/distinfo
+++ b/archivers/lzo2/distinfo
@ -1,2 +1,2 @@
-SHA256 (lzo-2.06.tar.gz) = /3nm+DbWLT+G72zok+1l0H5jjvTTy5UpY0cbQjTUPnM=
-SIZE (lzo-2.06.tar.gz) = 583045
+SHA256 (lzo-2.07.tar.gz) = kpjM9D+FbvAGQ9EQBCsv7+aUtWnBYa7wxvjkraWQ5tQ=
+SIZE (lzo-2.07.tar.gz) = 587089