[Buildroot] [git commit branch/2020.02.x] package/brotli: security update to version 1.0.9

Peter Korsgaard peter at korsgaard.com
Fri Sep 11 21:04:39 UTC 2020


commit: https://git.buildroot.net/buildroot/commit/?id=51c21c223d52f79c2b66cb4ad9697b0c70b12b58
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2020.02.x

Contains fixes for overflows when input chunks are larger than 2 GiB,
an uninitialized data access, and minor correctness and performance
improvements. There do not seem to be any CVEs filed, but there is
a security notice in the release notes at:

  https://github.com/google/brotli/releases/tag/v1.0.9

Patch "0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch"
is rebased against the latest upstream changes.

Signed-off-by: Adrian Perez de Castro <aperez at igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
(cherry picked from commit 777bbd1b07f0279230acd925a83035aa3d7793d6)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 ...-using-BUILD_SHARED_LIBS-to-choose-static.patch | 92 +++++++++-------------
 package/brotli/brotli.hash                         |  2 +-
 package/brotli/brotli.mk                           |  2 +-
 3 files changed, 41 insertions(+), 55 deletions(-)

diff --git a/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch b/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch
index ae5386b1ce..2a3204fc34 100644
--- a/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch
+++ b/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch
@@ -1,6 +1,6 @@
-From 7289e5a378ba13801996a84d89d8fe95c3fc4c11 Mon Sep 17 00:00:00 2001
+From 6cb16322decd643fed9de332d9cda77f7738b7af Mon Sep 17 00:00:00 2001
 From: Adrian Perez de Castro <aperez at igalia.com>
-Date: Mon, 26 Mar 2018 19:08:31 +0100
+Date: Mon, 7 Sep 2020 12:14:22 +0300
 Subject: [PATCH] CMake: Allow using BUILD_SHARED_LIBS to choose static/shared
  libs
 
@@ -18,16 +18,16 @@ This way, the following will both work as expected:
 
 This is helpful for distributions which need (or want) to build only
 static libraries.
----
- CMakeLists.txt        | 42 ++++++++++++++----------------------------
- c/fuzz/test_fuzzer.sh |  6 +++---
- 2 files changed, 17 insertions(+), 31 deletions(-)
 
 Signed-off-by: Adrian Perez de Castro <aperez at igalia.com>
-Upstream-Status: Submitted [https://github.com/google/brotli/pull/655]
+[Upstream status: https://github.com/google/brotli/pull/655]
+---
+ CMakeLists.txt        | 46 ++++++++++++++-----------------------------
+ c/fuzz/test_fuzzer.sh |  6 +++---
+ 2 files changed, 18 insertions(+), 34 deletions(-)
 
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fc45f80..3f87f13 100644
+index 4ff3401..f889311 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
 @@ -6,6 +6,8 @@ cmake_minimum_required(VERSION 2.8.6)
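Review bot: The regenerated diffstat in the embedded patch header still lists `c/fuzz/test_fuzzer.sh |  6 +++---` and `2 files changed, 18 insertions(+), 34 deletions(-)`, yet the last hunk of this file (`@@ -119,26 +125,6 @@`) deletes the whole `c/fuzz/test_fuzzer.sh` section, so the patch as committed only modifies CMakeLists.txt. It still applies, since the diffstat is informational, but the header no longer describes what is carried, which makes the next rebase harder to audit. Regenerate the header after dropping the file, or record the omission in the patch description with a line such as `[<name>: drop c/fuzz/test_fuzzer.sh hunk, <reason>]`. If the upstream script still runs `make ... brotlidec-static`, as the removed hunk suggests it did, it would reference a target this patch removes; that is worth stating in the same line.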
@@ -36,10 +36,10 @@ index fc45f80..3f87f13 100644
  
 +option(BUILD_SHARED_LIBS "Build shared libraries" ON)
 +
- # If Brotli is being bundled in another project, we don't want to
- # install anything.  However, we want to let people override this, so
- # we'll use the BROTLI_BUNDLED_MODE variable to let them do that; just
-@@ -114,10 +116,6 @@ set(BROTLI_LIBRARIES_CORE brotlienc brotlidec brotlicommon)
+ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
+   message(STATUS "Setting build type to Release as none was specified.")
+   set(CMAKE_BUILD_TYPE "Release" CACHE STRING "Choose the type of build." FORCE)
+@@ -137,10 +139,6 @@ set(BROTLI_LIBRARIES_CORE brotlienc brotlidec brotlicommon)
  set(BROTLI_LIBRARIES ${BROTLI_LIBRARIES_CORE} ${LIBM_LIBRARY})
  mark_as_advanced(BROTLI_LIBRARIES)
  
@@ -50,14 +50,20 @@ index fc45f80..3f87f13 100644
  if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
    add_definitions(-DOS_LINUX)
  elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
-@@ -137,24 +135,22 @@ endfunction()
- transform_sources_list("scripts/sources.lst" "${CMAKE_CURRENT_BINARY_DIR}/sources.lst.cmake")
+@@ -161,29 +159,25 @@ transform_sources_list("scripts/sources.lst" "${CMAKE_CURRENT_BINARY_DIR}/source
  include("${CMAKE_CURRENT_BINARY_DIR}/sources.lst.cmake")
  
--add_library(brotlicommon SHARED ${BROTLI_COMMON_C})
--add_library(brotlidec SHARED ${BROTLI_DEC_C})
--add_library(brotlienc SHARED ${BROTLI_ENC_C})
--
+ if(BROTLI_EMSCRIPTEN)
+-  set(BROTLI_SHARED_LIBS "")
+-else()
+-  set(BROTLI_SHARED_LIBS brotlicommon brotlidec brotlienc)
+-  add_library(brotlicommon SHARED ${BROTLI_COMMON_C})
+-  add_library(brotlidec SHARED ${BROTLI_DEC_C})
+-  add_library(brotlienc SHARED ${BROTLI_ENC_C})
++  set(BUILD_SHARED_LIBS OFF)
+ endif()
+ 
+-set(BROTLI_STATIC_LIBS brotlicommon-static brotlidec-static brotlienc-static)
 -add_library(brotlicommon-static STATIC ${BROTLI_COMMON_C})
 -add_library(brotlidec-static STATIC ${BROTLI_DEC_C})
 -add_library(brotlienc-static STATIC ${BROTLI_ENC_C})
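Review bot: The added `set(BUILD_SHARED_LIBS OFF)` inside `if(BROTLI_EMSCRIPTEN)` creates a normal variable that shadows the `option(BUILD_SHARED_LIBS ...)` cache entry declared near the top of the file, so an explicit `-DBUILD_SHARED_LIBS=ON` is overridden without any trace in the configure output. A comment above it, for example `# Emscripten build: force static libraries, overriding the BUILD_SHARED_LIBS option`, would make the override visible to the next reader, and a `message(STATUS ...)` would make it visible to the user. The `add_library()` calls that consume the variable lie outside this hunk, so their position relative to this block should be checked when rebasing.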
@@ -68,27 +74,27 @@ index fc45f80..3f87f13 100644
  # Older CMake versions does not understand INCLUDE_DIRECTORIES property.
  include_directories(${BROTLI_INCLUDE_DIRS})
  
+-foreach(lib IN LISTS BROTLI_SHARED_LIBS)
+-  target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
+-  string(TOUPPER "${lib}" LIB)
+-  set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION")
+-endforeach()
 +if(BUILD_SHARED_LIBS)
 +  foreach(lib brotlicommon brotlidec brotlienc)
 +    target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
 +    string(TOUPPER "${lib}" LIB)
-+    set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION" )
++    set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION")
 +  endforeach()
 +endif()
-+
- foreach(lib brotlicommon brotlidec brotlienc)
--  target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
--  string(TOUPPER "${lib}" LIB)
--  set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION" )
--endforeach()
--
--foreach(lib brotlicommon brotlidec brotlienc brotlicommon-static brotlidec-static brotlienc-static)
+ 
+-foreach(lib IN LISTS BROTLI_SHARED_LIBS BROTLI_STATIC_LIBS)
++foreach(lib brotlicommon brotlidec brotlienc)
    target_link_libraries(${lib} ${LIBM_LIBRARY})
    set_property(TARGET ${lib} APPEND PROPERTY INCLUDE_DIRECTORIES ${BROTLI_INCLUDE_DIRS})
    set_target_properties(${lib} PROPERTIES
-@@ -167,9 +163,6 @@ endforeach()
- target_link_libraries(brotlidec brotlicommon)
+@@ -200,9 +194,6 @@ target_link_libraries(brotlidec brotlicommon)
  target_link_libraries(brotlienc brotlicommon)
+ endif()
  
 -target_link_libraries(brotlidec-static brotlicommon-static)
 -target_link_libraries(brotlienc-static brotlicommon-static)
@@ -96,7 +102,7 @@ index fc45f80..3f87f13 100644
  # For projects stuck on older versions of CMake, this will set the
  # BROTLI_INCLUDE_DIRS and BROTLI_LIBRARIES variables so they still
  # have a relatively easy way to use Brotli:
-@@ -183,7 +176,7 @@ endif()
+@@ -216,7 +207,7 @@ endif()
  
  # Build the brotli executable
  add_executable(brotli ${BROTLI_CLI_C})
@@ -104,8 +110,8 @@ index fc45f80..3f87f13 100644
 +target_link_libraries(brotli ${BROTLI_LIBRARIES})
  
  # Installation
- if(NOT BROTLI_BUNDLED_MODE)
-@@ -199,13 +192,6 @@ if(NOT BROTLI_BUNDLED_MODE)
+ if(NOT BROTLI_EMSCRIPTEN)
+@@ -233,13 +224,6 @@ if(NOT BROTLI_BUNDLED_MODE)
      RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
    )
  
@@ -119,26 +125,6 @@ index fc45f80..3f87f13 100644
    install(
      DIRECTORY ${BROTLI_INCLUDE_DIRS}/brotli
      DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}"
-diff --git a/c/fuzz/test_fuzzer.sh b/c/fuzz/test_fuzzer.sh
-index 9985194..4b99947 100755
---- a/c/fuzz/test_fuzzer.sh
-+++ b/c/fuzz/test_fuzzer.sh
-@@ -13,12 +13,12 @@ mkdir bin
- cd bin
- 
- cmake $BROTLI -DCMAKE_C_COMPILER="$CC" \
--    -DBUILD_TESTING=OFF -DENABLE_SANITIZER=address
--make -j$(nproc) brotlidec-static
-+    -DBUILD_TESTING=OFF -DBUILD_SHARED_LIBS=OFF -DENABLE_SANITIZER=address
-+make -j$(nproc) brotlidec
- 
- ${CC} -o run_decode_fuzzer -std=c99 -fsanitize=address -I$SRC/include \
-     $SRC/fuzz/decode_fuzzer.c $SRC/fuzz/run_decode_fuzzer.c \
--    ./libbrotlidec-static.a ./libbrotlicommon-static.a
-+    ./libbrotlidec.a ./libbrotlicommon.a
- 
- mkdir decode_corpora
- unzip $BROTLI/java/org/brotli/integration/fuzz_data.zip -d decode_corpora
 -- 
-2.19.1
+2.28.0
 
diff --git a/package/brotli/brotli.hash b/package/brotli/brotli.hash
index 82163040d1..22f894c403 100644
--- a/package/brotli/brotli.hash
+++ b/package/brotli/brotli.hash
@@ -1,5 +1,5 @@
 # Locally generated:
-sha512  a82362aa36d2f2094bca0b2808d9de0d57291fb3a4c29d7c0ca0a37e73087ec5ac4df299c8c363e61106fccf2fe7f58b5cf76eb97729e2696058ef43b1d3930a  v1.0.7.tar.gz
+sha512  b8e2df955e8796ac1f022eb4ebad29532cb7e3aa6a4b6aee91dbd2c7d637eee84d9a144d3e878895bb5e62800875c2c01c8f737a1261020c54feacf9f676b5f5  v1.0.9.tar.gz
 
 # Hash for license files:
 sha512  bae78184c2f50f86d8c727826d3982c469454c42b9af81f4ef007e39036434fa894cf5be3bf5fc65b7de2301f0a72d067a8186e303327db8a96bd14867e0a3a8  LICENSE
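Review bot: The new sha512 on the `v1.0.9.tar.gz` line sits under the unchanged `# Locally generated:` comment, which does not say what the value was checked against. brotli.mk fetches the release as a GitHub archive tarball, so this hash is the only integrity pin in the package and its provenance matters in a security update. If upstream publishes no checksum or signature for the release (not visible from this page), say so explicitly, e.g. `# Locally computed, no upstream hash or signature available:`. Otherwise reference the upstream source the value was compared with.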
diff --git a/package/brotli/brotli.mk b/package/brotli/brotli.mk
index 134f480895..5209d3186b 100644
--- a/package/brotli/brotli.mk
+++ b/package/brotli/brotli.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BROTLI_VERSION = 1.0.7
+BROTLI_VERSION = 1.0.9
 BROTLI_SOURCE = v$(BROTLI_VERSION).tar.gz
 BROTLI_SITE = https://github.com/google/brotli/archive
 BROTLI_LICENSE = MIT

