From 9ecbdf15627ffe1ce0f989ff1907706f55ea644d Mon Sep 17 00:00:00 2001 From: sthen Date: Thu, 26 Jun 2014 22:52:52 +0000 Subject: [PATCH] security update to LZO 2.07, CVE-2014-4607 'Fixed a potential integer overflow condition in the "safe" decompressor variants which could result in a possible buffer overrun when processing maliciously crafted compressed input data. As this issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (2^24 bytes) compressed bytes within a single function call, the practical implications are limited.' See http://www.openwall.com/lists/oss-security/2014/06/26/20 for more details, there are also some embedded copies of "minilzo" from the same source in various other programs which are also affected by this --- archivers/lzo2/Makefile | 5 ++--- archivers/lzo2/distinfo | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/archivers/lzo2/Makefile b/archivers/lzo2/Makefile index 8142be9f444..873de47732a 100644 --- a/archivers/lzo2/Makefile +++ b/archivers/lzo2/Makefile @@ -1,10 +1,9 @@ -# $OpenBSD: Makefile,v 1.9 2013/04/04 16:03:55 brad Exp $ +# $OpenBSD: Makefile,v 1.10 2014/06/26 22:52:52 sthen Exp $ COMMENT= portable speedy lossless data compression library -DISTNAME= lzo-2.06 +DISTNAME= lzo-2.07 PKGNAME= ${DISTNAME:S/lzo/lzo2/} -REVISION= 0 CATEGORIES= archivers devel MASTER_SITES= ${HOMEPAGE}download/ SHARED_LIBS += lzo2 0.0 # .2.0 diff --git a/archivers/lzo2/distinfo b/archivers/lzo2/distinfo index e9b86e92998..6cf2c7de10c 100644 --- a/archivers/lzo2/distinfo +++ b/archivers/lzo2/distinfo @@ -1,2 +1,2 @@ -SHA256 (lzo-2.06.tar.gz) = /3nm+DbWLT+G72zok+1l0H5jjvTTy5UpY0cbQjTUPnM= -SIZE (lzo-2.06.tar.gz) = 583045 +SHA256 (lzo-2.07.tar.gz) = kpjM9D+FbvAGQ9EQBCsv7+aUtWnBYa7wxvjkraWQ5tQ= +SIZE (lzo-2.07.tar.gz) = 587089
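Review bot: In the archivers/lzo2/Makefile hunk, `SHARED_LIBS += lzo2 0.0` is carried over unchanged as context while `DISTNAME` moves from lzo-2.06 to lzo-2.07, and neither the patch nor the commit message records that the exported symbols of the two releases were compared. Please confirm that the 2.07 library's ABI matches 2.06 (bump the minor if symbols were added, the major if any were removed or changed) and say so in the log. Dropping `REVISION= 0` together with the version bump is fine. The message also says embedded "minilzo" copies in other programs are affected, and this change touches only archivers/lzo2, so those ports still need to be tracked separately.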
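Review bot: In the archivers/lzo2/distinfo hunk, the new `SHA256 (lzo-2.07.tar.gz)` value is the only integrity check on the tarball, and the commit message does not say what it was checked against. For a security update, note in the log how the distfile was verified (for example against a checksum or signature published by upstream, or against a copy fetched from a second location), so that the recorded digest is more than a hash of whatever `${HOMEPAGE}download/` served at fetch time.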