Alexander Mukhin [Thu, 14 Sep 2017 15:11:14 +0000 (18:11 +0300)]
hostapd: fix upstream URL
hostapd project URL has been changed to w1.fi/hostapd.
The old domain epitest.fi has expired.
Signed-off-by: Alexander Mukhin <alexander.i.mukhin@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 8a2396b90aeb411a856335d976a427eed6e115bc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
support/kconfig: fix usage typo and align verb tenses
Fix typo 'selectes' -> 'selects'.
Additionally, change 'will exclude' to 'excludes' to align with 'selects'.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 787f4fee7184e4b86343a1d6d60c303622d458b9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 46a54b6464d09edc36ae0d1d041f89ffd77b3ea1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dropped IUCODE_TOOL_CONF_ENV after version 2.2 added a configure check
for libargp:
https://gitlab.com/iucode-tool/iucode-tool/commit/b14bed6771e7ab48371b272a0c68dd017767142a
Added hash for license file.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1462c07914f5e53cb7816ad86abee3e31b2bc1b6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 4 Oct 2017 07:35:17 +0000 (09:35 +0200)]
libcurl: security bump to version 7.56.0
Drop upstreamed patch.
Fixes CVE-2017-1000254 - FTP PWD response parser out of bounds read:
https://curl.haxx.se/docs/adv_20171004.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9d95b93e5d36442979cdff7a9f3ee10b1eb9e0c7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When c-ares is not enabled libcurl enables the threaded DNS resolver by
default. Make sure the threaded resolvers is disabled when the toolchain
does not support threads.
Add upstream patch that fixes the configure option for disabling the
threaded resolver.
CVE-2017-7471 - 9p: virtfs allows guest to change filesystem attributes on
host
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit af0f2d2bbcaca9000e62b5388f4c3cd8e700c6ff) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 40c5fff46629ac4f0f55165f9c3594980a4700ef) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Andrey Yurovsky [Fri, 10 Feb 2017 19:08:15 +0000 (11:08 -0800)]
package: qemu: bump version to 2.8.0
This adds a CPU definition for the Cortex A7 along with improvements described
here: http://wiki.qemu-project.org/ChangeLog/2.8
Tested on an ARM Cortex A7 target (both target and host builds). The change log
does not describe any incompatible changes that would affect buildroot targets
as far as I am aware.
Signed-off-by: Andrey Yurovsky <yurovsky@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f56b13897b9f30c78d7ccd78a25b1e985179d2ab) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Evgeniy Didin [Fri, 22 Sep 2017 12:50:03 +0000 (15:50 +0300)]
qt: Allow enabling of QtWebKit with GCC 6+
Building Qt with QtWebKit on configuration step there is
a check which disables QtWebKit build with GCC 6+.
Back in the day nobody thought about building Qt with GCC
version greater than 5.x. And now with modern GCCs like
6.x and 7.x this assumption gets in the way.
Given in Buildroot today we don't have GCC older than 4.9
it should be safe to remove now meaningless check completely
by adding patch to qt.
Signed-off-by: Evgeniy Didin <didin@synopsys.com> Cc: Alexey Brodkin <abrodkin@synopsys.com> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f95bb8562ef02935d6fcf9b254060454e5be796c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Integer overflow in the decode_digit function in puny_decode.c in
Libidn2 before 2.0.4 allows remote attackers to cause a denial of
service or possibly have unspecified other impact.
This issue also affects libidn.
Unfortunately, the patch also triggers reconf of the documentation
subdirectory, since lib/punycode.c is listed in GDOC_SRC that is defined
in doc/Makefile.am. Add autoreconf to handle that.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 49cb795f7965328ce7a57cbc3736b0fc03919fe7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop meson changes for 2017.02.x] Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3a5d4db9549f6a777b06819bc00146a30d687d22) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Openjpeg is written in C, but with the move to CMake the build system now
errors out if a C++ compiler isn't available. Fix it by patching the
CMakeLists.txt to not require C++ support.
Peter Korsgaard [Wed, 13 Sep 2017 13:01:15 +0000 (15:01 +0200)]
bind: use http:// instead of ftp:// for site
To avoid issues with firewalls blocking ftp.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 771bb2d58d945ebd2909dc8ca5cccf30f189c581) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more details, see the release notes:
https://kb.isc.org/article/AA-01522
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f3e3b36159fa077400e7151b3e3d03082a897b2e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 21 Sep 2017 07:04:16 +0000 (09:04 +0200)]
gdk-pixbuf: security bump to version 2.36.10
Fixes the following security issues:
CVE-2017-2862 - An exploitable heap overflow vulnerability exists in the
gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A
specially crafted jpeg file can cause a heap overflow resulting in remote
code execution. An attacker can send a file or url to trigger this
vulnerability.
CVE-2017-2870 - An exploitable integer overflow vulnerability exists in the
tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with
Clang. A specially crafted tiff file can cause a heap-overflow resulting in
remote code execution. An attacker can send a file or a URL to trigger this
vulnerability.
CVE-2017-6311 - gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows
context-dependent attackers to cause a denial of service (NULL pointer
dereference and application crash) via vectors related to printing an error
message.
The host version now needs the same workaround as we do for the target to
not pull in shared-mime-info.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3853675ae03df209253c34d292eb3b9535e3f68c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gustavo Zacarias [Thu, 23 Feb 2017 19:44:48 +0000 (16:44 -0300)]
gdk-pixbuf: copy loaders.cache later on
Trying to copy loaders.cache from host-gdk-pixbuf to the gdk-pixbuf
build directory in the post-patch hook is too early when using TLP (it
breaks horribly) since host-gdk-pixbuf isn't built yet during the
massive unpack/patch cycle.
Switch it to the pre-build hook instead which ensures that gdk-pixbuf
dependencies were already built.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1f4e1656bc1176442671104acde1e4033377636e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gustavo Zacarias [Wed, 22 Feb 2017 19:14:08 +0000 (16:14 -0300)]
gdk-pixbuf: bump to version 2.36.5
This release needs a new tweak regarding loaders.cache - it's now used
to build the thumbnailer.
Since we already generate it using the host variant for the target we
can re-use this for the build step.
It's not necessary to used the tweaked version since the build one is
only used to account for mime types, not the plugins/loaders themselves.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 487b419cc647da18f04a98ee69c160705f0c44e8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes
- CVE-2017-12150 (SMB1/2/3 connections may not require signing where
they should)
- CVE-2017-12151 (SMB3 connections don't keep encryption across DFS
redirects)
- CVE-2017-12163 (Server memory information leak over SMB1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 18 Sep 2017 17:38:48 +0000 (19:38 +0200)]
cmake: explicitly disable openssl support for host-cmake
host-cmake will optionally link with openssl for the embedded copy of
libarchive if available, leaking host dependencies and possibly causing
build issues in case of compatibility issues - E.G. the host-cmake version
we have in 2017.02.x doesn't build against openssl-1.1.0+:
The openssl support in libarchive is unlikely to be needed, so explicitly
disable it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f87138339b17bc2b1d84c59ea176abb941413550) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 13 Sep 2017 12:13:01 +0000 (14:13 +0200)]
bluez5_utils: add upstream security fix for CVE-2017-1000250
Fixes CVE-2017-1000250 - All versions of the SDP server in BlueZ 5.46 and
earlier are vulnerable to an information disclosure vulnerability which
allows remote attackers to obtain sensitive information from the bluetoothd
process memory. This vulnerability lies in the processing of SDP search
attribute requests.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/imagemagick: security bump to version 7.0.7-1
Quoting CVE-related issues from
https://github.com/ImageMagick/ImageMagick/blob/master/ChangeLog
2017-07-29 7.0.6-5 Glenn Randers-Pehrson <glennrp@image...>
* Fix improper use of NULL in the JNG decoder (CVE-2017-11750, Reference
https://github.com/ImageMagick/ImageMagick/issues/632).
Petr Kulhavy [Mon, 11 Sep 2017 22:13:40 +0000 (00:13 +0200)]
download/git: force gzip compression level 6
Force gzip compression level 6 when calculating hash of a downloaded GIT repo.
To make sure the tar->gzip->checksum chain always provides consistent result.`
The script was relying on the default compression level, which must not be
necessarily consistent among different gzip versions. The level 6 is gzip's
current default compression level.
Signed-off-by: Petr Kulhavy <brain@jikos.cz> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 04a22cf1b521acb5634ed083e0381d42979d1698) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 09:44:59 +0000 (11:44 +0200)]
supervisor: security bump to version 3.1.4
Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x
before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote
authenticated users to execute arbitrary commands via a crafted XML-RPC
request, related to nested supervisord namespace lookups.
For more details, see
https://github.com/Supervisor/supervisor/issues/964
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 38a1c4821a163f932793a96e036f8fe451398506) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 09:17:55 +0000 (11:17 +0200)]
ruby: add upstream security patches bumping rubygems to 2.6.13
We unfortunately cannot use the upstream patches directly as they are not in
'patch -p1' format, so convert them and include instead.
Fixes:
CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications that include terminal escape
characters. Printing the gem specification would execute terminal escape
sequences.
CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications to cause a denial of service attack
against RubyGems clients who have issued a `query` command.
CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
specification names, allowing a maliciously crafted gem to potentially
overwrite any file on the filesystem.
CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
hijacking vulnerability that allows a MITM attacker to force the RubyGems
client to download and install gems from a server that the attacker
controls.
For more details, see
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0e5448af5091ee208fdd38a4e221f444085dd0c8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 478ee139b2c34d34ec64f1a975c1b18dfbbd36d4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2016-8687: Stack-based buffer overflow in the safe_fprintf function
in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a
denial of service via a crafted non-printable multibyte character in a
filename.
CVE-2016-8688: The mtree bidder in libarchive 3.2.1 does not keep track
of line sizes when extending the read-ahead, which allows remote
attackers to cause a denial of service (crash) via a crafted file, which
triggers an invalid read in the (1) detect_form or (2) bid_entry
function in libarchive/archive_read_support_format_mtree.c.
CVE-2016-8689: The read_Header function in
archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote
attackers to cause a denial of service (out-of-bounds read) via multiple
EmptyStream attributes in a header in a 7zip archive.
CVE-2016-10209: The archive_wstring_append_from_mbs function in
archive_string.c in libarchive 3.2.2 allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash) via a
crafted archive file.
CVE-2016-10349: The archive_le32dec function in archive_endian.h in
libarchive 3.2.2 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted file.
CVE-2016-10350: The archive_read_format_cab_read_header function in
archive_read_support_format_cab.c in libarchive 3.2.2 allows remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) via a crafted file.
CVE-2017-5601: An error in the lha_read_file_header_1() function
(archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote
attackers to trigger an out-of-bounds read memory access and
subsequently cause a crash via a specially crafted archive.
Add upstream patch fixing the following issue:
CVE-2017-14166: libarchive 3.3.2 allows remote attackers to cause a
denial of service (xml_data heap-based buffer over-read and application
crash) via a crafted xar archive, related to the mishandling of empty
strings in the atol8 function in archive_read_support_format_xar.c.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f871b21c89e41dfddd60bb25cf55610cd4081eba) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
qt: add patch fixing build failure on ARMv8 in 32-bit mode
The Qt package currently fails to build on ARMv8 cores in 32-bit mode
(for example, if you select ARM and then Cortex-A53), because the ARM
atomic operation implementation in Qt checks if we're on ARMv7, then
on ARMv6, and otherwise falls back to an ARMv5 implementation. The
latter uses the swp instruction, which doesn't exist on ARMv8, causing
a build failure.
To solve this, we simply add a patch that uses the ARMv7 atomic
operations for ARMv8-A.
There is no autobuilder reference because we don't have any ARMv8
32-bit configuration in the autobuilders.
Cc: <ivychend@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 95389fe98c882f70cbbd25dc1c7ea1480991acef) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patches downloaded from Github are not stable, so bring them in the
tree.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 35bc55eaaae8d9d463d3fddcf0b200685014865a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 16:58:38 +0000 (18:58 +0200)]
unrar: security bump to version 5.5.8
Fixes the following security issues:
CVE-2017-12938 - UnRAR before 5.5.7 allows remote attackers to bypass a
directory-traversal protection mechanism via vectors involving a symlink to
the . directory, a symlink to the .. directory, and a regular file.
CVE-2017-12940 - libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read
in the EncodeFileName::Decode call within the Archive::ReadHeader15
function.
CVE-2017-12941 - libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read
in the Unpack::Unpack20 function.
CVE-2017-12942 - libunrar.a in UnRAR before 5.5.7 has a buffer overflow in
the Unpack::LongLZ function.
For more details, see
http://www.openwall.com/lists/oss-security/2017/08/14/3
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 322599744ca76d6b69960dc37c3cf3baea5dab2c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 15:26:55 +0000 (17:26 +0200)]
strongswan: add upstream security patch
Fixes CVE-2017-11185: The gmp plugin in strongSwan before 5.6.0 allows
remote attackers to cause a denial of service (NULL pointer dereference and
daemon crash) via a crafted RSA signature.
For more details, see
https://www.strongswan.org/blog/2017/08/14/strongswan-vulnerability-%28cve-2017-11185%29.html
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2a59db1bb079dfd7cb40ffff7ac1cd550ff6662e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 15:07:54 +0000 (17:07 +0200)]
libsoup: security bump to version 2.56.1
Fixes CVE-2017-2885: stack based buffer overflow with HTTP Chunked Encoding
For more details, see
https://bugzilla.gnome.org/show_bug.cgi?id=785774
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0f5398f0e61992bd836474b7350c16f00459d0a5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3b85d24c1d927590ed3a336794562e9a512fc216) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Max Filippov [Tue, 12 Sep 2017 20:52:37 +0000 (13:52 -0700)]
package/gcc: fix ICE on xtensa, PR target/82181
Memory references to DI mode objects could incorrectly be created at
offsets that are not supported by instructions l32i/s32i, resulting in
ICE at a stage when access to the object is split into access to its
subwords:
drivers/staging/rtl8188eu/core/rtw_ap.c:445:1:
internal compiler error: in change_address_1, at emit-rtl.c:2126
Fixes: https://lkml.org/lkml/2017/9/10/151 Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 21 May 2017 18:14:09 +0000 (20:14 +0200)]
package/botan: security bump to version 1.10.16
Fixes CVE-2017-2801: A programming error exists in a way Randombit Botan
cryptographic library version 2.0.1 implements x500 string comparisons which
could lead to certificate verification issues and abuse. A specially
crafted X509 certificate would need to be delivered to the client or server
application in order to trigger this vulnerability.
[Peter: extend commit message with security fixes info] Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 033aa8d4e9ad13ee56dbb372ad45a7d83bca4f53) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Olivier Schonken [Mon, 28 Aug 2017 13:54:35 +0000 (15:54 +0200)]
openjpeg: security bump to version 2.2.0
Fixes the following security issues:
CVE-2016-10504: Heap-based buffer overflow vulnerability in the
opj_mqc_byteout function in mqc.c in OpenJPEG before 2.2.0 allows remote
attackers to cause a denial of service (application crash) via a crafted bmp
file.
CVE-2016-10505: NULL pointer dereference vulnerabilities in the imagetopnm
function in convert.c, sycc444_to_rgb function in color.c,
color_esycc_to_rgb function in color.c, and sycc422_to_rgb function in
color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of
service (application crash) via crafted j2k files.
CVE-2016-10506: Division-by-zero vulnerabilities in the functions
opj_pi_next_cprl, opj_pi_next_pcrl, and opj_pi_next_rpcl in pi.c in OpenJPEG
before 2.2.0 allow remote attackers to cause a denial of service
(application crash) via crafted j2k files.
CVE-2016-10507: Integer overflow vulnerability in the bmp24toimage function
in convertbmp.c in OpenJPEG before 2.2.0 allows remote attackers to cause a
denial of service (heap-based buffer over-read and application crash) via a
crafted bmp file.
[Peter: extend commit message with security fixes info] Signed-off-by: Olivier Schonken <olivier.schonken@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 37b2fe73cff726ac05cdb200e803f267a48721f9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 6 Sep 2017 15:40:39 +0000 (17:40 +0200)]
subversion: security bump to version 1.9.7
Fixes CVE-2017-9800: Arbitrary code execution on clients through malicious
svn+ssh URLs in svn:externals and svn:sync-from-url
For more details, see
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c6b793779c32120bc9ff9334aad4d772d6ee49f1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 6 Sep 2017 14:00:37 +0000 (16:00 +0200)]
file: security bump to version 5.32
Fixes CVE-2017-1000249 - Stack buffer overflow with a specially crafted
.notes section in an ELF binary file.
For more details, see: http://www.openwall.com/lists/oss-security/2017/09/05/3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 89a38e6397fb316792da19fbde4bfa4f9c43fb52) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Max Filippov [Tue, 5 Sep 2017 22:41:29 +0000 (15:41 -0700)]
package/binutils: fix crash caused by buggy xtensa overlay
In some xtensa configurations there may be system/user registers in
xtensa-modules with negative index. ISA initialization for such config
may clobber heap and result in program termination.
Don't update lookup table entries for register with negative indices.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Tue, 5 Sep 2017 12:20:10 +0000 (08:20 -0400)]
postgresql: security bump to version 9.6.5
Fixes the following security issues (9.6.4):
CVE-2017-7546: Empty password accepted in some authentication methods
CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges
CVE-2017-7548: lo_put() function ignores ACLs
For more info, see https://www.postgresql.org/about/news/1772/
[Peter: extend commit message with security fixes info] Signed-off-by: Adam Duskett <aduskett@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 95e284bd2732390eb34cb72c798032fd7ac8920c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Adam Duskett <aduskett@gmail.com>
[Thomas: improved commit log, from Baruch suggestion.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d8bc440e3a6cd7245374c7d905911361987cb2f8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 1 Sep 2017 22:37:48 +0000 (00:37 +0200)]
transmission: gtk option needs libgtk3
Fixes the following configure issue:
checking for GTK... no
configure: error: Package requirements (gtk+-3.0 >= 3.4.0
glib-2.0 >= 2.32.0
gio-2.0 >= 2.26.0,
gmodule-2.0 >= 2.32.0
gthread-2.0 >= 2.32.0) were not met:
libgtk2 support was dropped in commit cdd71c642724 ((trunk gtk) #4970 remove
deprecated GTK+ API calls, raise GTK+ dependency to 3.2) which was part of
transmission-2.61.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a2935ee28886b5198093c824c4ee4892d02d10c6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Erico Nunes [Wed, 30 Aug 2017 01:47:56 +0000 (03:47 +0200)]
grub2: force -fno-stack-protector in CFLAGS
grub2 fails to configure when BR2_SSP_ALL is enabled, with the following
configure error:
checking whether -fno-asynchronous-unwind-tables works... yes
checking whether -fno-unwind-tables works... yes
checking for target linking format... unknown
configure: error: no suitable link format found
This can be worked around by enforcing -fno-stack-protector in the
package CFLAGS in a way that overrides the SSP flag, as is already done
for the valgrind package.
Fixes bug #10261.
Signed-off-by: Erico Nunes <nunes.erico@gmail.com> Reported-by: Dr I J Ormshaw <ian_ormshaw@waters.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 2a27294e9ade6130a12ced9a1f152c51431a870e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Wed, 30 Aug 2017 12:01:04 +0000 (15:01 +0300)]
gnupg: security bump to version 1.4.22
Mitigate a flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster". For details see
<https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
Switch to https site for better firewall compatibility and security.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 453ca1d6ad6aa3d55f44734ed8479ac5fa909d8a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Kurt Van Dijck [Fri, 25 Aug 2017 21:11:10 +0000 (23:11 +0200)]
bcusdk: eibd: drop local clock_gettime in USB backends
clock_gettime is defined locally, and calls pth_int_time, which
in turn calls clock_gettime.
The USB backend shouldn't overrule clock_gettime in the first place.
This patch fixes this endless recursion by removing the local defition.
Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit bc4f5598dccc191a1e2c6268fdcef1935e2fa212) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Martin Bark [Sun, 4 Jun 2017 19:53:55 +0000 (20:53 +0100)]
package/connman: bump version to 1.34
Signed-off-by: Martin Bark <martin@barkynet.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 579568ce09a94e2f55bf80d57fc2dfac577e8d4f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>