lrzsz: update to v0.12.21rc and fix a CVE
authorAndre Heider <a.heider@gmail.com>
Sat, 14 Jan 2023 10:40:39 +0000 (11:40 +0100)
committerAndre Heider <a.heider@gmail.com>
Sun, 15 Jan 2023 14:14:06 +0000 (15:14 +0100)
This updates to v0.12.21rc from 1999 (sic), which was never officially
released. There're fixes in there, and it's what debian ships, so let's
use that too. While at it, use debian's autohell hack and package
description too.

Patch 1 fixes a hang with musl.
Patch 2 fixes CVE-2018-10195, add PKG_CPE_ID while at it.

Refesh the rest.

Fixes: CVE-2018-10195
Signed-off-by: Andre Heider <a.heider@gmail.com>
utils/lrzsz/Makefile
utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch [new file with mode: 0644]
utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch [new file with mode: 0644]
utils/lrzsz/patches/100-install_delete_fix.patch
utils/lrzsz/patches/200-format.patch

index 9eab1b68139fad323c1835dddbad33a9f0d28894..5eb6f81e850f457513992321439f041195948452 100644 (file)
@@ -8,16 +8,18 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=lrzsz
-PKG_VERSION:=0.12.20
-PKG_RELEASE:=3
+PKG_VERSION:=0.12.21
+PKG_RELEASE:=1
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://ohse.de/uwe/releases/
-PKG_HASH:=c28b36b14bddb014d9e9c97c52459852f97bd405f89113f30bee45ed92728ff1
+PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.gz
+PKG_SOURCE_URL:=@DEBIAN/pool/main/l/lrzsz/
+PKG_HASH:=3262e5df47b108d33e184ff3bf5af14ddca1ac15118ac4ed9171a57c1593ae00
+PKG_BUILD_DIR=$(BUILD_DIR)/lrzsz-990823
 
 PKG_MAINTAINER:=Hsing-Wang Liao <kuoruan@gmail.com>
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=COPYING
+PKG_CPE_ID:=cpe:/a:lrzsz_project
 
 PKG_INSTALL:=1
 
@@ -26,15 +28,24 @@ include $(INCLUDE_DIR)/package.mk
 define Package/lrzsz
   SECTION:=utils
   CATEGORY:=Utilities
-  TITLE:=X, Y and Z-modem protocols
+  TITLE:=Tools for zmodem/xmodem/ymodem file transfer
   URL:=https://ohse.de/uwe/software/lrzsz.html
 endef
 
 define Package/lrzsz/description
-       Transfer files in your login sessions.
-       Very leightweight and straight forward.
-       You just need a terminal client that can do
-       either X, Y or Z-modem file transfers.
+  lrzsz is a cosmetically modified zmodem/ymodem/xmodem package built
+  from the public-domain version of Chuck Forsberg's rzsz package.
+
+  These programs use error correcting protocols ({z,x,y}modem) to send
+  (sz, sx, sb) and receive (rz, rx, rb) files over a dial-in serial port
+  from a variety of programs running under various operating systems.
+endef
+
+# to stop automake from running, the bundled autohell crap is too old
+define Build/Configure
+       touch $(PKG_BUILD_DIR)/*
+       touch $(PKG_BUILD_DIR)/*/*
+       $(call Build/Configure/Default)
 endef
 
 define Package/lrzsz/install
diff --git a/utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch b/utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch
new file mode 100644 (file)
index 0000000..730d466
--- /dev/null
@@ -0,0 +1,22 @@
+From 89fef6d8dc539ed6225b46b8e755e08bbf48d27b Mon Sep 17 00:00:00 2001
+From: Uwe Ohse <uwe@ohse.de>
+Date: Sun, 1 Mar 2020 22:34:24 +0000
+Subject: [PATCH] siginterrupt after the call to signal, otherwise ymodem
+ transfer hangs. WTF?
+
+---
+ src/zreadline.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/zreadline.c
++++ b/src/zreadline.c
+@@ -71,6 +71,9 @@ readline_internal(unsigned int timeout)
+                       vstringf("Calling read: alarm=%d  Readnum=%d ",
+                         n, readline_readnum);
+               signal(SIGALRM, zreadline_alarm_handler); 
++#ifdef HAVE_SIGINTERRUPT
++              siginterrupt(SIGALRM,1);
++#endif  
+               alarm(n);
+       }
+       else if (Verbose > 5)
diff --git a/utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch b/utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch
new file mode 100644 (file)
index 0000000..81ec959
--- /dev/null
@@ -0,0 +1,28 @@
+From a7c525191aa725f4ebb7b489cdd7dd854a4e42fb Mon Sep 17 00:00:00 2001
+From: Uwe Ohse <uwe@ohse.de>
+Date: Sun, 1 Mar 2020 22:35:28 +0000
+Subject: [PATCH] may-be-security-fix: avoid possible underflow
+
+Fixes: CVE-2018-10195
+
+[a.heider: mention CVE in commit message]
+---
+ src/zm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/src/zm.c
++++ b/src/zm.c
+@@ -432,10 +432,11 @@ zsdata(const char *buf, size_t length, i
+       VPRINTF(3,("zsdata: %lu %s", (unsigned long) length, 
+               Zendnames[(frameend-ZCRCE)&3]));
+       crc = 0;
+-      do {
++      while (length>0) {
+               zsendline(*buf); crc = updcrc((0377 & *buf), crc);
+               buf++;
+-      } while (--length>0);
++              length--;
++      }
+       xsendline(ZDLE); xsendline(frameend);
+       crc = updcrc(frameend, crc);
index 7f3995d519f4898f9df458600d30425d4cae6120..7263ab8434802c4706dca19cff7844cf0e47be32 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -372,13 +372,13 @@ install-exec-local:
+@@ -414,13 +414,13 @@ install-exec-local:
        rm -f $(DESTDIR)/$(bindir)/`echo lsb | sed -e '$(transform)'`
        ln $(DESTDIR)/$(bindir)/`echo lsz |sed -e '$(transform)'` \
                $(DESTDIR)/$(bindir)/`echo lsb |sed -e '$(transform)'` 
index 0e244a0e27bb74350ad643d5a88318566b81e754..26b86c16a42da26ddc59c29bb9b3205b03801235 100644 (file)
@@ -10,7 +10,7 @@
  
 --- a/src/lrz.c
 +++ b/src/lrz.c
-@@ -2319,7 +2319,7 @@ exec2(const char *s)
+@@ -2296,7 +2296,7 @@ exec2(const char *s)
        if (*s == '!')
                ++s;
        io_mode(0,0);
@@ -31,7 +31,7 @@
  #endif
 --- a/src/lsz.c
 +++ b/src/lsz.c
-@@ -1997,7 +1997,7 @@ zsendfdata (struct zm_fileinfo *zi)
+@@ -1988,7 +1988,7 @@ zsendfdata (struct zm_fileinfo *zi)
                blklen = calc_blklen (total_sent);
                total_sent += blklen + OVERHEAD;
                if (Verbose > 2 && blklen != old)
  #ifdef HAVE_MMAP
                if (mm_addr) {
                        if (zi->bytes_sent + blklen < mm_size)
---- a/src/tcp.c
-+++ b/src/tcp.c
-@@ -56,7 +56,7 @@ tcp_server (char *buf)
-       struct sockaddr_in s;
-       struct sockaddr_in t;
-       int on=1;
--      size_t len;
-+      socklen_t len;
-       if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
-               error(1,errno,"socket");
-@@ -91,7 +91,7 @@ tcp_accept (int d)
- {
-       int so;
-       struct  sockaddr_in s;
--      size_t namelen;
-+      socklen_t namelen;
-       int num=0;
-       namelen = sizeof(s);
 --- a/src/zm.c
 +++ b/src/zm.c
-@@ -451,7 +451,7 @@ zsda32(const char *buf, size_t length, i
+@@ -453,7 +453,7 @@ zsda32(const char *buf, size_t length, i
        int c;
        unsigned long crc;
        int i;
@@ -73,7 +53,7 @@
        zsendline_s(buf,length);
 --- a/src/zreadline.c
 +++ b/src/zreadline.c
-@@ -68,13 +68,13 @@ readline_internal(unsigned int timeout)
+@@ -68,7 +68,7 @@ readline_internal(unsigned int timeout)
                else if (n==0)
                        n=1;
                if (Verbose > 5)
@@ -81,6 +61,8 @@
 +                      vstringf("Calling read: alarm=%u  Readnum=%zu ",
                          n, readline_readnum);
                signal(SIGALRM, zreadline_alarm_handler); 
+ #ifdef HAVE_SIGINTERRUPT
+@@ -77,7 +77,7 @@ readline_internal(unsigned int timeout)
                alarm(n);
        }
        else if (Verbose > 5)