tremor: security bump to fix CVE-2018-5146

Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition. Upstream has migrated from subversion to git, so change to git and bump the version to include the fix for CVE-2018-5146. While we're at it, also add a hash file. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-19 22:40:05 +01:00 · 2018-03-19 22:40:05 +01:00 · 80266c9505
parent 12262ab50d
commit 80266c9505
2 changed files with 6 additions and 3 deletions
--- a/package/tremor/tremor.hash
+++ b/package/tremor/tremor.hash
@ -0,0 +1,3 @@
+# Locally computed
+sha256 ba94cfdf886399c550f76908285bfa9e322f24085de6f1810c2abea565c13a15  tremor-7c30a66346199f3f09017a09567c6c8a3a0eedc8.tar.gz
+sha256 d2ab5758336489da61c12cc5bb757da5339c4ae9001f9bb0562b4370249af814  COPYING
--- a/package/tremor/tremor.mk
+++ b/package/tremor/tremor.mk
@ -4,9 +4,9 @@
 #
 ################################################################################

-TREMOR_SITE = http://svn.xiph.org/trunk/Tremor
-TREMOR_SITE_METHOD = svn
-TREMOR_VERSION = 19427
+TREMOR_VERSION = 7c30a66346199f3f09017a09567c6c8a3a0eedc8
+TREMOR_SITE = https://git.xiph.org/tremor.git
+TREMOR_SITE_METHOD = git
 TREMOR_LICENSE = BSD-3-Clause
 TREMOR_LICENSE_FILES = COPYING