tremor: security bump to fix CVE-2018-5146

Prevent out-of-bounds write in codebook decoding.

Codebooks that are not an exact divisor of the partition size are now
truncated to fit within the partition.

Upstream has migrated from subversion to git, so change to git and bump the
version to include the fix for CVE-2018-5146.

While we're at it, also add a hash file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/tremor/tremor.hash b/package/tremor/tremor.hash
new file mode 100644 (file)
index 0000000..89661a6
--- /dev/null
+++ b/package/tremor/tremor.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256 ba94cfdf886399c550f76908285bfa9e322f24085de6f1810c2abea565c13a15  tremor-7c30a66346199f3f09017a09567c6c8a3a0eedc8.tar.gz
+sha256 d2ab5758336489da61c12cc5bb757da5339c4ae9001f9bb0562b4370249af814  COPYING

diff --git a/package/tremor/tremor.mk b/package/tremor/tremor.mk
index 05996e2a8ad88a081a4a2fc740b0e4f4d4e03111..835fe36172e28e11891b092f0834d00bb7268854 100644 (file)
--- a/package/tremor/tremor.mk
+++ b/package/tremor/tremor.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-TREMOR_SITE = http://svn.xiph.org/trunk/Tremor
-TREMOR_SITE_METHOD = svn
-TREMOR_VERSION = 19427
+TREMOR_VERSION = 7c30a66346199f3f09017a09567c6c8a3a0eedc8
+TREMOR_SITE = https://git.xiph.org/tremor.git
+TREMOR_SITE_METHOD = git
 TREMOR_LICENSE = BSD-3-Clause
 TREMOR_LICENSE_FILES = COPYING