mirror of https://git.yoctoproject.org/poky synced 2026-06-17 06:19:56 +00:00
poky/meta/recipes-extended/zip/zip_3.0.bb
Mikko Rapeli 615cb60fd4 zip: whitelist CVE-2018-13410 and CVE-2018-13684
https://nvd.nist.gov/vuln/detail/CVE-2018-13410 is disputed and
also Debian considers it not a vulnerability:

https://security-tracker.debian.org/tracker/CVE-2018-13410

http://seclists.org/fulldisclosure/2018/Jul/24
"Negligible security impact, would involve that a untrusted party controls the -TT value."

https://nvd.nist.gov/vuln/detail/CVE-2018-13684 is not for zip, also Debian concludes this:

https://security-tracker.debian.org/tracker/CVE-2018-13684

"NOT-FOR-US: smart contract implementation for ZIP"

(From OE-Core rev: 06b72a91b6dcf63fed437fd2105c59e922ba6525)

Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-01-16 22:39:36 +00:00


# Recipe metadata, source location, fetch checksums, CVE-check exceptions and
# make arguments for Info-ZIP zip 3.0.
SUMMARY = "Compressor/archiver for creating and modifying .zip files"
HOMEPAGE = "http://www.info-zip.org"
SECTION = "console/utils"
LICENSE = "BSD-3-Clause"
# This md5 fingerprints the LICENSE file so a change in the licence text is
# noticed; it is not the integrity check for the downloaded source.
LIC_FILES_CHKSUM = "file://LICENSE;md5=04d43c5d70b496c032308106e26ae17d"
PR = "r2"
S = "${WORKDIR}/zip30"
# Upstream tarball plus three recipe-local patches (file:// entries).
# NOTE(review): fix-security-format.patch is presumably a format-string
# hardening fix, judging by its name only; confirm against the patch itself.
SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/Zip%203.x%20%28latest%29/3.0/zip30.tar.gz \
file://fix-security-format.patch \
file://10-remove-build-date.patch \
file://zipnote-crashes-with-segfault.patch \
"
UPSTREAM_VERSION_UNKNOWN = "1"
# Digests pinned for the fetched tarball. MD5 is collision-prone, so the
# sha256sum is the value that actually anchors source integrity.
# NOTE(review): consider dropping md5sum if the targeted release no longer
# needs it; confirm before removing.
SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
# CVE-2018-13410: disputed in NVD, and Debian's security tracker does not
# treat it as a vulnerability. The quoted assessment is that impact would
# require an untrusted party to control the -TT value, so revisit this entry
# if zip is ever run with a caller-supplied -TT option.
#   https://nvd.nist.gov/vuln/detail/CVE-2018-13410
#   https://security-tracker.debian.org/tracker/CVE-2018-13410
CVE_CHECK_WHITELIST += "CVE-2018-13410"
# CVE-2018-13684: not an Info-ZIP issue. Debian marks it NOT-FOR-US because it
# concerns a smart contract implementation named ZIP, not this archiver.
#   https://security-tracker.debian.org/tracker/CVE-2018-13684
CVE_CHECK_WHITELIST += "CVE-2018-13684"
# zip.inc sets CFLAGS, but what the Makefile actually uses is
# CFLAGS_NOOPT. The Makefile will also force -O3 optimization, overriding
# whatever we set. Both variables are therefore passed explicitly below so
# that the recipe's CFLAGS reach the compiler, including any hardening flags
# the distro places in CFLAGS.
EXTRA_OEMAKE = "'CC=${CC}' 'BIND=${CC}' 'AS=${CC} -c' 'CPP=${CPP}' \
'CFLAGS=-I. -DUNIX ${CFLAGS}' \
'CFLAGS_NOOPT=-I. -DUNIX ${CFLAGS}' \
'INSTALL=install' 'INSTALL_D=install -d' \
'BINFLAGS=0755'"
# Build in two make passes: generate the 'flags' file, patch the recipe's
# linker flags into it, then build the 'generic' target. The order matters
# because the sed edit has to land between the two passes.
do_compile() {
# IZ_BZIP2 is pointed at a path named no_such_directory in both passes,
# presumably so the Makefile does not pick up bzip2 support; confirm against
# unix/Makefile.
oe_runmake -f unix/Makefile flags IZ_BZIP2=no_such_directory
# Swap the empty LFLAGS1 in the generated file for the recipe's LDFLAGS so the
# link step uses them.
# NOTE(review): sed exits 0 even when nothing matches, so if the generated
# file ever stops containing LFLAGS1="" the linker flags (and any hardening
# options in them) are dropped without an error.
sed -i 's#LFLAGS1=""#LFLAGS1="${LDFLAGS}"#' flags
oe_runmake -f unix/Makefile generic IZ_BZIP2=no_such_directory
}
# Install through the upstream Makefile's 'install' target. Every destination
# is prefixed with ${D}, so files land in the staging root, not on the build host.
do_install() {
# prefix, BINDIR and MANDIR are overridden on the command line; man pages go
# to the man1 subdirectory of ${mandir}.
oe_runmake -f unix/Makefile prefix=${D}${prefix} \
BINDIR=${D}${bindir} MANDIR=${D}${mandir}/man1 \
install
}
# Also provide a native variant of this recipe.
BBCLASSEXTEND = "native"
# Exclude version 2.3.2, which triggers a false positive: the negative
# lookahead (?!232) rejects any "zip232..." file name, and the named group
# "pver" captures the version text that precedes ".tgz".
UPSTREAM_CHECK_REGEX = "^zip(?P<pver>(?!232).+)\.tgz"