lrzsz: update to v0.12.21rc and fix a CVE

This updates to v0.12.21rc from 1999 (sic), which was never officially released. There're fixes in there, and it's what debian ships, so let's use that too. While at it, use debian's autohell hack and package description too. Patch 1 fixes a hang with musl. Patch 2 fixes CVE-2018-10195, add PKG_CPE_ID while at it. Refesh the rest. Fixes: CVE-2018-10195 Signed-off-by: Andre Heider <a.heider@gmail.com>
author: Andre Heider <a.heider@gmail.com> 2023-01-14 11:40:39 +0100
committer: Andre Heider <a.heider@gmail.com> 2023-01-15 15:14:06 +0100
commit: 6d6c4b21b5e22a9f1058db5b61521a298e00a5f0 (patch)
tree: 6ccf5a56557853c24bd86acd39b0c36cab2de5eb /utils/lrzsz
parent: 947210e2d2127c395a0dfd3e468f2e6296d17f24 (diff)
5 files changed, 78 insertions, 35 deletions
diff --git a/utils/lrzsz/Makefile b/utils/lrzsz/Makefile
index 9eab1b681..5eb6f81e8 100644
--- a/utils/lrzsz/Makefile
+++ b/utils/lrzsz/Makefile
@@ -8,16 +8,18 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=lrzsz
-PKG_VERSION:=0.12.20
-PKG_RELEASE:=3
+PKG_VERSION:=0.12.21
+PKG_RELEASE:=1
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://ohse.de/uwe/releases/
-PKG_HASH:=c28b36b14bddb014d9e9c97c52459852f97bd405f89113f30bee45ed92728ff1
+PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.gz
+PKG_SOURCE_URL:=@DEBIAN/pool/main/l/lrzsz/
+PKG_HASH:=3262e5df47b108d33e184ff3bf5af14ddca1ac15118ac4ed9171a57c1593ae00
+PKG_BUILD_DIR=$(BUILD_DIR)/lrzsz-990823
 
 PKG_MAINTAINER:=Hsing-Wang Liao <kuoruan@gmail.com>
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=COPYING
+PKG_CPE_ID:=cpe:/a:lrzsz_project
 
 PKG_INSTALL:=1
 
@@ -26,15 +28,24 @@ include $(INCLUDE_DIR)/package.mk
 define Package/lrzsz
   SECTION:=utils
   CATEGORY:=Utilities
-  TITLE:=X, Y and Z-modem protocols
+  TITLE:=Tools for zmodem/xmodem/ymodem file transfer
   URL:=https://ohse.de/uwe/software/lrzsz.html
 endef
 
 define Package/lrzsz/description
-	Transfer files in your login sessions.
-	Very leightweight and straight forward.
-	You just need a terminal client that can do
-	either X, Y or Z-modem file transfers.
+  lrzsz is a cosmetically modified zmodem/ymodem/xmodem package built
+  from the public-domain version of Chuck Forsberg's rzsz package.
+
+  These programs use error correcting protocols ({z,x,y}modem) to send
+  (sz, sx, sb) and receive (rz, rx, rb) files over a dial-in serial port
+  from a variety of programs running under various operating systems.
+endef
+
+# to stop automake from running, the bundled autohell crap is too old
+define Build/Configure
+	touch $(PKG_BUILD_DIR)/*
+	touch $(PKG_BUILD_DIR)/*/*
+	$(call Build/Configure/Default)
 endef
 
 define Package/lrzsz/install
diff --git a/utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch b/utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch
new file mode 100644
index 000000000..730d46689
--- /dev/null
+++ b/utils/lrzsz/patches/001-siginterrupt-after-the-call-to-signal-otherwise-ymod.patch
@@ -0,0 +1,22 @@
+From 89fef6d8dc539ed6225b46b8e755e08bbf48d27b Mon Sep 17 00:00:00 2001
+From: Uwe Ohse <uwe@ohse.de>
+Date: Sun, 1 Mar 2020 22:34:24 +0000
+Subject: [PATCH] siginterrupt after the call to signal, otherwise ymodem
+ transfer hangs. WTF?
+
+---
+ src/zreadline.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/zreadline.c
++++ b/src/zreadline.c
+@@ -71,6 +71,9 @@ readline_internal(unsigned int timeout)
+ 			vstringf("Calling read: alarm=%d  Readnum=%d ",
+ 			  n, readline_readnum);
+ 		signal(SIGALRM, zreadline_alarm_handler); 
++#ifdef HAVE_SIGINTERRUPT
++		siginterrupt(SIGALRM,1);
++#endif  
+ 		alarm(n);
+ 	}
+ 	else if (Verbose > 5)
diff --git a/utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch b/utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch
new file mode 100644
index 000000000..81ec95963
--- /dev/null
+++ b/utils/lrzsz/patches/002-may-be-security-fix-avoid-possible-underflow.patch
@@ -0,0 +1,28 @@
+From a7c525191aa725f4ebb7b489cdd7dd854a4e42fb Mon Sep 17 00:00:00 2001
+From: Uwe Ohse <uwe@ohse.de>
+Date: Sun, 1 Mar 2020 22:35:28 +0000
+Subject: [PATCH] may-be-security-fix: avoid possible underflow
+
+Fixes: CVE-2018-10195
+
+[a.heider: mention CVE in commit message]
+---
+ src/zm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/src/zm.c
++++ b/src/zm.c
+@@ -432,10 +432,11 @@ zsdata(const char *buf, size_t length, i
+ 	VPRINTF(3,("zsdata: %lu %s", (unsigned long) length, 
+ 		Zendnames[(frameend-ZCRCE)&3]));
+ 	crc = 0;
+-	do {
++	while (length>0) {
+ 		zsendline(*buf); crc = updcrc((0377 & *buf), crc);
+ 		buf++;
+-	} while (--length>0);
++		length--;
++	}
+ 	xsendline(ZDLE); xsendline(frameend);
+ 	crc = updcrc(frameend, crc);
+ 
diff --git a/utils/lrzsz/patches/100-install_delete_fix.patch b/utils/lrzsz/patches/100-install_delete_fix.patch
index 7f3995d51..7263ab843 100644
--- a/utils/lrzsz/patches/100-install_delete_fix.patch
+++ b/utils/lrzsz/patches/100-install_delete_fix.patch
@@ -1,6 +1,6 @@
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -372,13 +372,13 @@ install-exec-local:
+@@ -414,13 +414,13 @@ install-exec-local:
  	rm -f $(DESTDIR)/$(bindir)/`echo lsb | sed -e '$(transform)'`
  	ln $(DESTDIR)/$(bindir)/`echo lsz |sed -e '$(transform)'` \
  		$(DESTDIR)/$(bindir)/`echo lsb |sed -e '$(transform)'` 
diff --git a/utils/lrzsz/patches/200-format.patch b/utils/lrzsz/patches/200-format.patch
index 0e244a0e2..26b86c16a 100644
--- a/utils/lrzsz/patches/200-format.patch
+++ b/utils/lrzsz/patches/200-format.patch
@@ -10,7 +10,7 @@
  
 --- a/src/lrz.c
 +++ b/src/lrz.c
-@@ -2319,7 +2319,7 @@ exec2(const char *s)
+@@ -2296,7 +2296,7 @@ exec2(const char *s)
  	if (*s == '!')
  		++s;
  	io_mode(0,0);
@@ -31,7 +31,7 @@
  #endif
 --- a/src/lsz.c
 +++ b/src/lsz.c
-@@ -1997,7 +1997,7 @@ zsendfdata (struct zm_fileinfo *zi)
+@@ -1988,7 +1988,7 @@ zsendfdata (struct zm_fileinfo *zi)
  		blklen = calc_blklen (total_sent);
  		total_sent += blklen + OVERHEAD;
  		if (Verbose > 2 && blklen != old)
@@ -40,29 +40,9 @@
  #ifdef HAVE_MMAP
  		if (mm_addr) {
  			if (zi->bytes_sent + blklen < mm_size)
---- a/src/tcp.c
-+++ b/src/tcp.c
-@@ -56,7 +56,7 @@ tcp_server (char *buf)
- 	struct sockaddr_in s;
- 	struct sockaddr_in t;
- 	int on=1;
--	size_t len;
-+	socklen_t len;
- 
- 	if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
- 		error(1,errno,"socket");
-@@ -91,7 +91,7 @@ tcp_accept (int d)
- {
- 	int so;
- 	struct  sockaddr_in s;
--	size_t namelen;
-+	socklen_t namelen;
- 	int num=0;
- 
- 	namelen = sizeof(s);
 --- a/src/zm.c
 +++ b/src/zm.c
-@@ -451,7 +451,7 @@ zsda32(const char *buf, size_t length, i
+@@ -453,7 +453,7 @@ zsda32(const char *buf, size_t length, i
  	int c;
  	unsigned long crc;
  	int i;
@@ -73,7 +53,7 @@
  	zsendline_s(buf,length);
 --- a/src/zreadline.c
 +++ b/src/zreadline.c
-@@ -68,13 +68,13 @@ readline_internal(unsigned int timeout)
+@@ -68,7 +68,7 @@ readline_internal(unsigned int timeout)
  		else if (n==0)
  			n=1;
  		if (Verbose > 5)
@@ -81,6 +61,8 @@
 +			vstringf("Calling read: alarm=%u  Readnum=%zu ",
  			  n, readline_readnum);
  		signal(SIGALRM, zreadline_alarm_handler); 
+ #ifdef HAVE_SIGINTERRUPT
+@@ -77,7 +77,7 @@ readline_internal(unsigned int timeout)
  		alarm(n);
  	}
  	else if (Verbose > 5)
author	Andre Heider <a.heider@gmail.com>	2023-01-14 11:40:39 +0100
committer	Andre Heider <a.heider@gmail.com>	2023-01-15 15:14:06 +0100
commit	6d6c4b21b5e22a9f1058db5b61521a298e00a5f0 (patch)
tree	6ccf5a56557853c24bd86acd39b0c36cab2de5eb /utils/lrzsz
parent	947210e2d2127c395a0dfd3e468f2e6296d17f24 (diff)