From patchwork Sat Apr 11 13:36:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Andr=C3=A9_Zwing?= X-Patchwork-Id: 1269339 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.133; helo=hemlock.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=dawncrow.de Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=dawncrow.de header.i=@dawncrow.de header.a=rsa-sha256 header.s=strato-dkim-0002 header.b=r/QqpmpZ; dkim-atps=neutral Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48zwzt3Grwz9sSt for ; Sat, 11 Apr 2020 23:42:33 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id ABA9087D9D; Sat, 11 Apr 2020 13:42:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vNUMZb6+yheY; Sat, 11 Apr 2020 13:42:27 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by hemlock.osuosl.org (Postfix) with ESMTP id 6BE1887A52; Sat, 11 Apr 2020 13:42:27 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id 2F2351BF34D for ; Sat, 11 Apr 2020 13:42:26 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 2C00286DF3 for ; Sat, 11 Apr 2020 13:42:26 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3wJbQTZe3Ac3 for ; Sat, 11 Apr 2020 13:42:25 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mo4-p00-ob.smtp.rzone.de (mo4-p00-ob.smtp.rzone.de [85.215.255.23]) by whitealder.osuosl.org (Postfix) with ESMTPS id AC06C86DC1 for ; Sat, 11 Apr 2020 13:42:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1586612542; s=strato-dkim-0002; d=dawncrow.de; h=Message-Id:Date:Subject:To:From:X-RZG-CLASS-ID:X-RZG-AUTH:From: Subject:Sender; bh=0W4xnzmzyUgoawslmmW8G9bkaSBOBAg+hHr7KCJZkWE=; b=r/QqpmpZOc/7sIrr0GMWq6STRumdNJ1Rclzh7Wi8k6MfnK642agxqkLOSh3HAvsspm 4hzNfusorYe3yu9aOOKoB2qtEMhK9uEnsgvLf400OFJqHGCIZeaUPcLrxGb+Tf+xiJPN X/OKMuIjVmiCPi4e1oLBv/LktT/XDNcqe/VF2Dnn6lDroMsKkDkNIxmbe46m64VifM0U U33vpRKBAi/KaSGHEQHVoCj+gmiFWGxc5rA/BetbYZeSYbo3942baun4YrS+MDmeXl3V mxAQbYI4BzuV0S8D4hzAQwFqQICegRzl5S0suNwTSsExsI2YG/iMyEE1BWVzfdtFiy/o SePg== X-RZG-AUTH: ":ImkWY2CseuihIZy6ZWWciR6unPhpN+aXzZGGjY6ptdusOaLnXzn3ovD/FrlcNw==" X-RZG-CLASS-ID: mo00 Received: from tesla.fritz.box by smtp.strato.de (RZmta 46.2.1 DYNA|AUTH) with ESMTPSA id a09a24w3BDaJ83A (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)) (Client did not present a certificate) for ; Sat, 11 Apr 2020 15:36:19 +0200 (CEST) From: =?utf-8?q?Andr=C3=A9_Hentschel?= To: buildroot@buildroot.org Date: Sat, 11 Apr 2020 15:36:14 +0200 Message-Id: <20200411133616.31897-1-nerv@dawncrow.de> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 Subject: [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Signed-off-by: André Hentschel --- package/p7zip/0001-CVE-2016-9296.patch | 25 +++++++++++++++++++++++++ package/p7zip/p7zip.mk | 3 +++ 2 files changed, 28 insertions(+) create mode 100644 package/p7zip/0001-CVE-2016-9296.patch diff --git a/package/p7zip/0001-CVE-2016-9296.patch b/package/p7zip/0001-CVE-2016-9296.patch new file mode 100644 index 0000000000..6e6fc9f58f --- /dev/null +++ b/package/p7zip/0001-CVE-2016-9296.patch @@ -0,0 +1,25 @@ +From: Robert Luberda +Date: Sat, 19 Nov 2016 08:48:08 +0100 +Subject: Fix nullptr dereference (CVE-2016-9296) + +Patch taken from https://sourceforge.net/p/p7zip/bugs/185/ + +Signed-off-by: André Hentschel +--- + CPP/7zip/Archive/7z/7zIn.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/CPP/7zip/Archive/7z/7zIn.cpp b/CPP/7zip/Archive/7z/7zIn.cpp +index b0c6b98..7c6dde2 100644 +--- a/CPP/7zip/Archive/7z/7zIn.cpp ++++ b/CPP/7zip/Archive/7z/7zIn.cpp +@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedStreams( + if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) + ThrowIncorrect(); + } +- HeadersSize += folders.PackPositions[folders.NumPackStreams]; ++ if (folders.PackPositions) ++ HeadersSize += folders.PackPositions[folders.NumPackStreams]; + return S_OK; + } + diff --git a/package/p7zip/p7zip.mk b/package/p7zip/p7zip.mk index ff0dd01e02..66d3198c17 100644 --- a/package/p7zip/p7zip.mk +++ b/package/p7zip/p7zip.mk @@ -10,6 +10,9 @@ P7ZIP_SITE = http://downloads.sourceforge.net/project/p7zip/p7zip/$(P7ZIP_VERSIO P7ZIP_LICENSE = LGPL-2.1+ with unRAR restriction P7ZIP_LICENSE_FILES = DOC/License.txt +# 0001-CVE-2016-9296.patch +P7ZIP_IGNORE_CVES += CVE-2016-9296 + # p7zip buildsystem is a mess: it plays dirty tricks with CFLAGS and # CXXFLAGS, so we can't pass them. Instead, it accepts ALLFLAGS_C # and ALLFLAGS_CPP as variables to pass the CFLAGS and CXXFLAGS. From patchwork Sat Apr 11 13:36:16 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Andr=C3=A9_Zwing?= X-Patchwork-Id: 1269337 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=dawncrow.de Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=dawncrow.de header.i=@dawncrow.de header.a=rsa-sha256 header.s=strato-dkim-0002 header.b=qiq+ZZH9; dkim-atps=neutral Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48zwrx4J0Nz9sSq for ; Sat, 11 Apr 2020 23:36:33 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id B6E4B86A02; Sat, 11 Apr 2020 13:36:30 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yx9dErbzz6Ji; Sat, 11 Apr 2020 13:36:26 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by whitealder.osuosl.org (Postfix) with ESMTP id CD17C86B50; Sat, 11 Apr 2020 13:36:26 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by ash.osuosl.org (Postfix) with ESMTP id 9257A1BF95D for ; Sat, 11 Apr 2020 13:36:24 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 8B2D88508E for ; Sat, 11 Apr 2020 13:36:24 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoV0eoGzuTx4 for ; Sat, 11 Apr 2020 13:36:22 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mo4-p00-ob.smtp.rzone.de (mo4-p00-ob.smtp.rzone.de [85.215.255.24]) by fraxinus.osuosl.org (Postfix) with ESMTPS id 4197A84F7A for ; Sat, 11 Apr 2020 13:36:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1586612180; s=strato-dkim-0002; d=dawncrow.de; h=References:In-Reply-To:Message-Id:Date:Subject:To:From: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=MgwOaOV683cRXeAnNsmTuNQGIUGr90BJFoMBFAEjwWs=; b=qiq+ZZH9y9lHFxusToksisqHo2J34cT6j36N9qPH8ZQ3YjicZDqpEfEDUUaGBM1ZkY 9Usju7l4/TxE6GHVcRpFCGJZmHPFB2v6g29YdVxIMUlUIm12lwtSf5lxCMzSPWbGVoTb b40jsXf1OtrTN7OObnvCdLZ+/u74ByGJsp3xNgfm5gG/YEveRrTMjfDYFbUt9cL2ZN1w RyHU2Jvl3s9K99jvUQQJ7K8/b2euMzBoAOO/VSvr/soqJ+BIO1hGzaY6KMl94ile4fpE OePg0+yGGe7YShsbYFhZlvNrzcEfakKii+5KpMZ/Kmo4qSEemMnE9GT8B/4pW+MVMQ1W xQLA== X-RZG-AUTH: ":ImkWY2CseuihIZy6ZWWciR6unPhpN+aXzZGGjY6ptdusOaLnXzn3ovD/FrlcNw==" X-RZG-CLASS-ID: mo00 Received: from tesla.fritz.box by smtp.strato.de (RZmta 46.2.1 DYNA|AUTH) with ESMTPSA id a09a24w3BDaK83C (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)) (Client did not present a certificate) for ; Sat, 11 Apr 2020 15:36:20 +0200 (CEST) From: =?utf-8?q?Andr=C3=A9_Hentschel?= To: buildroot@buildroot.org Date: Sat, 11 Apr 2020 15:36:16 +0200 Message-Id: <20200411133616.31897-3-nerv@dawncrow.de> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200411133616.31897-1-nerv@dawncrow.de> References: <20200411133616.31897-1-nerv@dawncrow.de> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 3/3] package/p7zip: fix CVE-2018-5996 X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Signed-off-by: André Hentschel --- package/p7zip/0003-CVE-2018-5996.patch | 223 +++++++++++++++++++++++++ package/p7zip/p7zip.mk | 2 + 2 files changed, 225 insertions(+) create mode 100644 package/p7zip/0003-CVE-2018-5996.patch diff --git a/package/p7zip/0003-CVE-2018-5996.patch b/package/p7zip/0003-CVE-2018-5996.patch new file mode 100644 index 0000000000..dc3e90ad3a --- /dev/null +++ b/package/p7zip/0003-CVE-2018-5996.patch @@ -0,0 +1,223 @@ +From: Robert Luberda +Date: Sun, 28 Jan 2018 23:47:40 +0100 +Subject: CVE-2018-5996 + +Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by +applying a few changes from 7Zip 18.00-beta. + +Bug-Debian: https://bugs.debian.org/#888314 + +Signed-off-by: André Hentschel +--- + CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++---- + CPP/7zip/Compress/Rar1Decoder.h | 1 + + CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++- + CPP/7zip/Compress/Rar2Decoder.h | 1 + + CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++--- + CPP/7zip/Compress/Rar3Decoder.h | 2 ++ + 6 files changed, 42 insertions(+), 8 deletions(-) + +diff --git a/CPP/7zip/Compress/Rar1Decoder.cpp b/CPP/7zip/Compress/Rar1Decoder.cpp +index 1aaedcc..68030c7 100644 +--- a/CPP/7zip/Compress/Rar1Decoder.cpp ++++ b/CPP/7zip/Compress/Rar1Decoder.cpp +@@ -29,7 +29,7 @@ public: + }; + */ + +-CDecoder::CDecoder(): m_IsSolid(false) { } ++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { } + + void CDecoder::InitStructures() + { +@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * + InitData(); + if (!m_IsSolid) + { ++ _errorMode = false; + InitStructures(); + InitHuff(); + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (m_UnpackSize > 0) + { + GetFlagsBuf(); +@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream + const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress) + { + try { return CodeReal(inStream, outStream, inSize, outSize, progress); } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(const CLzOutWindowException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + } + + STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size) +diff --git a/CPP/7zip/Compress/Rar1Decoder.h b/CPP/7zip/Compress/Rar1Decoder.h +index 630f089..01b606b 100644 +--- a/CPP/7zip/Compress/Rar1Decoder.h ++++ b/CPP/7zip/Compress/Rar1Decoder.h +@@ -39,6 +39,7 @@ public: + + Int64 m_UnpackSize; + bool m_IsSolid; ++ bool _errorMode; + + UInt32 ReadBits(int numBits); + HRESULT CopyBlock(UInt32 distance, UInt32 len); +diff --git a/CPP/7zip/Compress/Rar2Decoder.cpp b/CPP/7zip/Compress/Rar2Decoder.cpp +index b3f2b4b..0580c8d 100644 +--- a/CPP/7zip/Compress/Rar2Decoder.cpp ++++ b/CPP/7zip/Compress/Rar2Decoder.cpp +@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << 20; + static const UInt32 kWindowReservSize = (1 << 22) + 256; + + CDecoder::CDecoder(): +- m_IsSolid(false) ++ m_IsSolid(false), ++ m_TablesOK(false) + { + } + +@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBits) { return m_InBitStream.ReadBits(numB + + bool CDecoder::ReadTables(void) + { ++ m_TablesOK = false; ++ + Byte levelLevels[kLevelTableSize]; + Byte newLevels[kMaxTableSize]; + m_AudioMode = (ReadBits(1) == 1); +@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void) + } + + memcpy(m_LastLevels, newLevels, kMaxTableSize); ++ m_TablesOK = true; ++ + return true; + } + +@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * + return S_FALSE; + } + ++ if (!m_TablesOK) ++ return S_FALSE; ++ + UInt64 startPos = m_OutWindowStream.GetProcessedSize(); + while (pos < unPackSize) + { +diff --git a/CPP/7zip/Compress/Rar2Decoder.h b/CPP/7zip/Compress/Rar2Decoder.h +index 3a0535c..0e9005f 100644 +--- a/CPP/7zip/Compress/Rar2Decoder.h ++++ b/CPP/7zip/Compress/Rar2Decoder.h +@@ -139,6 +139,7 @@ class CDecoder : + + UInt64 m_PackSize; + bool m_IsSolid; ++ bool m_TablesOK; + + void InitStructures(); + UInt32 ReadBits(unsigned numBits); +diff --git a/CPP/7zip/Compress/Rar3Decoder.cpp b/CPP/7zip/Compress/Rar3Decoder.cpp +index 3bf2513..6cb8a6a 100644 +--- a/CPP/7zip/Compress/Rar3Decoder.cpp ++++ b/CPP/7zip/Compress/Rar3Decoder.cpp +@@ -92,7 +92,8 @@ CDecoder::CDecoder(): + _writtenFileSize(0), + _vmData(0), + _vmCode(0), +- m_IsSolid(false) ++ m_IsSolid(false), ++ _errorMode(false) + { + Ppmd7_Construct(&_ppmd); + } +@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) + return InitPPM(); + } + ++ TablesRead = false; ++ TablesOK = false; ++ + _lzMode = true; + PrevAlignBits = 0; + PrevAlignCount = 0; +@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) + } + } + } ++ if (InputEofError()) ++ return S_FALSE; ++ + TablesRead = true; + + // original code has check here: +@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) + RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize])); + + memcpy(m_LastLevels, newLevels, kTablesSizesSum); ++ ++ TablesOK = true; ++ + return S_OK; + } + +@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress) + PpmEscChar = 2; + PpmError = true; + InitFilters(); ++ _errorMode = false; + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (!m_IsSolid || !TablesRead) + { + bool keepDecompressing; +@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress) + bool keepDecompressing; + if (_lzMode) + { ++ if (!TablesOK) ++ return S_FALSE; + RINOK(DecodeLZ(keepDecompressing)) + } + else +@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream + _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1; + return CodeReal(progress); + } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + // CNewException is possible here. But probably CNewException is caused + // by error in data stream. + } +diff --git a/CPP/7zip/Compress/Rar3Decoder.h b/CPP/7zip/Compress/Rar3Decoder.h +index c130cec..2f72d7d 100644 +--- a/CPP/7zip/Compress/Rar3Decoder.h ++++ b/CPP/7zip/Compress/Rar3Decoder.h +@@ -192,6 +192,7 @@ class CDecoder: + UInt32 _lastFilter; + + bool m_IsSolid; ++ bool _errorMode; + + bool _lzMode; + bool _unsupportedFilter; +@@ -200,6 +201,7 @@ class CDecoder: + UInt32 PrevAlignCount; + + bool TablesRead; ++ bool TablesOK; + + CPpmd7 _ppmd; + int PpmEscChar; diff --git a/package/p7zip/p7zip.mk b/package/p7zip/p7zip.mk index be95995bab..59cd9b7e95 100644 --- a/package/p7zip/p7zip.mk +++ b/package/p7zip/p7zip.mk @@ -14,6 +14,8 @@ P7ZIP_LICENSE_FILES = DOC/License.txt P7ZIP_IGNORE_CVES += CVE-2016-9296 # 0002-CVE-2017-17969.patch P7ZIP_IGNORE_CVES += CVE-2017-17969 +# 0003-CVE-2018-5996.patch +P7ZIP_IGNORE_CVES += CVE-2018-5996 # p7zip buildsystem is a mess: it plays dirty tricks with CFLAGS and # CXXFLAGS, so we can't pass them. Instead, it accepts ALLFLAGS_C