Chris Lesiak [Mon, 30 Apr 2018 17:14:11 +0000 (12:14 -0500)]
Makefile: Update mtime of $(TARGET_DIR)/usr in target-finalize
The systemd ConditionNeedsUpdate option is useful when offline updates
of the vendor operating system resources in /usr require updating of
/etc or /var on the next following boot.
Two examples of services making use of this option are
systemd-hwdb-update.service and systemd-sysusers.service.
ConditionNeedsUpdate=/etc will be true if the mtime of /etc/.updated
is older than the mtime of /usr. After services conditional on
ConditionNeedsUpdate have run, systemd-update-done.service will
synch the mtime of /usr to /etc/.updated so that the condition will
be false on subsequent boots.
For systems with writable /usr partitions where updates are done to
the running system, the update program will touch /usr as a final step.
But with Buildroot, where updates are often done by dumping a new
image onto the device, and where /usr is on a filesystem mounted
read-only, touching /usr as part of the update process is not practical.
Instead, it should be done a build time.
For testers, please note that systemd-update-done in v234 added a
regression where the mtime of /etc/.updated is set to the current time
instead of the mtime or /usr. This will be fixed in v239.
For more details, see:
http://0pointer.de/public/systemd-man/systemd.unit.html
http://0pointer.de/public/systemd-man/systemd-update-done.service.html
Signed-off-by: Chris Lesiak <chris.lesiak@licor.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bbe5c6dad4da9cd174d5ef21caa73557e4592b31) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Stefan Becker [Wed, 2 May 2018 09:05:08 +0000 (12:05 +0300)]
host-mkpasswd: fix crash on Fedora 28 build host
crypt() is an optional glibc feature. Some distros, like Fedora 28, are
phasing it out to be replaced with libxcrypt [1]. Unfortunately this
change is only ABI compatible, not source code compatible, i.e. the code
will compile with warnings about undefined crypt(), but the resulting
binary will crash.
Follow the guidance in the Fedora bug and include crypt.h when
_XOPEN_CRYPT is not defined.
Signed-off-by: Stefan Becker <chemobejk@gmail.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3c514c2dc5186c4357b2c0fc2e1c4b47e0f555c7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Stefan Becker [Wed, 2 May 2018 11:14:48 +0000 (14:14 +0300)]
package/python: add upstream GCC8 build fix
Fedora 28 switched to GCC8.
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
[Thomas: fixup location of SoB in the patch.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a1b7f5e64d392a802adb586b97deea0a6f4f500e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Stefan Becker [Wed, 2 May 2018 10:09:04 +0000 (13:09 +0300)]
Config.in: add BR2_HOST_GCC_AT_LEAST_8
Fedora 28 switched to GCC 8.x.
Signed-off-by: Stefan Becker <chemobejk@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e13ab2e04a300f332d80f9b81c8830df07e3fd61) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
John Keeping [Tue, 1 May 2018 12:28:41 +0000 (13:28 +0100)]
core/pkg-generic: only save latest package list
When rebuilding a package, simply appending the package's file list to
the global list means that the package list grows for every rebuild, as
does the time taken to check for files installed by multiple packages.
Furthermore, we get false positives where a file is reported as being
installed by multiple copies of the same package.
With this approach we may end up with orphaned files in the target
filesystem if a package that has been updated and rebuilt no longer
installs the same set of files, but we know that only a clean build will
produce reliable results. In fact it may be helpful to identify these
orphaned files as evidence that the build is not clean.
Signed-off-by: John Keeping <john@metanate.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d3dca1e9936bcaa0eed226a5bcb8c6a4d1fd1472) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Fri, 20 Apr 2018 14:07:13 +0000 (16:07 +0200)]
bluez5_utils: add patch to fix readline issue
Since bluez5_utils 5.48, some code using readline was compiled even if
readline was not available. After this issue was reported upstream, a
patch was proposed by an upstream developer to address the issue. This
commit integrates this patch (under review upstream), which fixes the
problem.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d4158df6c19c76ea3405975b87f13b1c092a40e0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 30 Apr 2018 12:04:59 +0000 (14:04 +0200)]
sdl2_image: security bump to version 2.0.3
Fixes the following security issues:
CVE-2017-12122: An exploitable code execution vulnerability exists in the
ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted
ILBM image can cause a heap overflow resulting in code execution. An
attacker can display a specially crafted image to trigger this
vulnerability.
CVE-2017-14440: An exploitable code execution vulnerability exists in the
ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted
ILBM image can cause a stack overflow resulting in code execution. An
attacker can display a specially crafted image to trigger this
vulnerability.
CVE-2017-14441: An exploitable code execution vulnerability exists in the
ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted
ICO image can cause an integer overflow, cascading to a heap overflow
resulting in code execution. An attacker can display a specially crafted
image to trigger this vulnerability.
CVE-2017-14442: An exploitable code execution vulnerability exists in the
BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted
BMP image can cause a stack overflow resulting in code execution. An
attacker can display a specially crafted image to trigger this
vulnerability.
CVE-2017-14448: An exploitable code execution vulnerability exists in the
XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted
XCF image can cause a heap overflow resulting in code execution. An
attacker can display a specially crafted image to trigger this
vulnerability.
CVE-2017-14449: A double-Free vulnerability exists in the XCF image
rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image
can cause a Double-Free situation to occur. An attacker can display a
specially crafted image to trigger this vulnerability.
CVE-2017-14450: A buffer overflow vulnerability exists in the GIF image
parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image
can lead to a buffer overflow on a global section. An attacker can display
an image to trigger this vulnerability.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5fb8fbbb3e776a186731ae929244a82ea2db1878) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 30 Apr 2018 12:04:58 +0000 (14:04 +0200)]
sdl2: bump version to 2.0.8
Drop now upstreamed patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f26654596ecfe40963cb51ba939c00de458fa82e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libtomcrypt installs its headers by default in /usr/local/include under
the staging sysroot. This path is not in the default search patch of
some toolchains. This breaks the build of dropbear. Set the PREFIX make
variable to fix that.
While at it, split the long install command for better readability.
Eric Le Bihan [Sat, 28 Apr 2018 22:14:13 +0000 (00:14 +0200)]
support/testing: set $USER in rust tests
When the run-time tests to build rust and rust-bin packages are run via Docker,
the $USER environment variable is not set, which makes cargo fail when
initializing the test project.
So add it to make cargo happy.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 09a5eb427a6d9160e74ab56941640c02334eabf1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Jonas Zaddach [Tue, 10 Apr 2018 19:37:22 +0000 (12:37 -0700)]
package/gdb: don't remove support files if python chosen
If one wants to use GDB with python support on the target, you need the support
files installed by GDB. These get usually deleted to save some space, so I just
wrapped the Makefile code deleting them in a conditional block depending on if
python support is active or not.
Signed-off-by: Jonas Zaddach <jzaddach@cisco.com> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas:
- use positive logic "if python is disabled"
- put the comment inside the condition, as suggested by Arnout] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fa5ca6974d2504dccc35f43dcabcf30f076d8685) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CMake < 3.11 doesn't support add_library() without any source file
(i.e add_library(foo SHARED)). But flann CMake use a trick that use
an empty string "" as source list (i.e add_library(foo SHARED "")).
This look like a bug in CMake < 3.11.
With CMake >= 3.11, the new behaviour of add_library() break the
existing flann CMake code.
>From CMake Changelog [1]:
"add_library() and add_executable() commands can now be called without
any sources and will not complain as long as sources are added later
via the target_sources() command."
Note: flann CMake code doesn't use target_sources() since no source file
are provided intentionally since the flann shared library is created by
linking with the flann_cpp_s static library with this line:
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 062dcceed0ba0d2b1929597ad9b0393dbdb21628) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 54e210522faf7dff3e68e22bb802102f891098c8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 23 Apr 2018 19:59:54 +0000 (21:59 +0200)]
support/testing: fix Marvell ATF source code
The version of the ARM Trusted Firmware from Marvell was a Git branch,
not a Git commit, leading to unreproducible results. So let's use a
Git commit instead, which is the latest available from the branch that
was previously used.
More specifically, this branch has recently seen a fix that is needed
for ATF to build properly with recent gcc versions:
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ac260a2acec20f30705fdfd3911ff966c1f4a0df) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 23 Apr 2018 19:59:53 +0000 (21:59 +0200)]
configs/solidrun_macchiatobin_*: use a Git commit for ATF
The version of the ARM Trusted Firmware from Marvell was a Git branch,
not a Git commit, leading to unreproducible results. So let's use a
Git commit instead, which is the latest available from the branch that
was previously used.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Tested-by: Sergey Matyukevich <geomatsi@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c0f8d166214d54cedd4b3d09bccf5bb59205e301) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 23 Apr 2018 20:14:56 +0000 (22:14 +0200)]
support/testing: fix ATF Vexpress test case
This test case currently fails to build with:
./build/juno/release/bl1/context_mgmt.o: In function `cm_prepare_el3_exit':
context_mgmt.c:(.text.cm_prepare_el3_exit+0x54): undefined reference to `cm_set_next_context'
context_mgmt.c:(.text.cm_prepare_el3_exit+0x54): relocation truncated to fit: R_AARCH64_JUMP26 against undefined symbol `cm_set_next_context'
This issue has been fixed upstream in commit 10c252c14b7f446c0b49ef1aafbd5d37804577dd, available since v1.3. So
while we bump, let's bump to the latest version of ATF, v1.5.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e74a7cd1e0a85718dfc20dc4d94a5cac051d2514) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The release announcement mentions these security fixes:
Defend against Bellcore glitch attacks by verifying the results of RSA
private key operations.
Fix implementation of the truncated HMAC extension. The previous
implementation allowed an offline 2^80 brute force attack on the HMAC
key of a single, uninterrupted connection (with no resumption of the
session).
In commit 2a27294e9ade6130a12ced9a1f152c51431a870e ("grub2: force
-fno-stack-protector in CFLAGS"), a fix was made to the grub2 package
to make it build properly even when SSP support is enabled.
syslog-ng: bump version header in conf file to 3.10
Remove a runtime warning message about configuration file being too old.
Do the same as commit 3dad25466d "syslog-ng: Bump version header in conf
file to 3.9". Package version of syslog-ng is 3.10.1, so bump version
number in syslog-ng.conf to 3.10.
Also add a comment to avoid the same warning message reappears when the
package is bumped.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@datacom.ind.br> Cc: Chris Packham <judge.packham@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 905f8d814ad21af9c3fd22ececce0824cb20db80) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/wmctrl: x-includes and x-libraries must be set for cross-compiling
set x-includes and x-libraries configure option for cross-compiling.
wmctrl can use poisoned paths if these options are not passed to
configure script.
usb_modeswitch: set CXX to false when C++ is missing
Similar to the openocd fix in commit 5966e2dc54 (package/openocd: fix
fallout after no-C++ fixups) the jimctl that is bundled with
usb_modeswitch also wants to find a binary. This broke with commit 4cd1ab158 (core: alternate solution to disable C++). Revert to 'false'
instead of 'no' here as well.
qt53d: install missing QML modules, plugins and examples
Some files were missing on the first build of qt53d but added later:
- by qt5base for the plugins because it copies the whole /usr/lib/qt/plugins
directory
- by qt5declarative for the QML modules because it copies the whole
/usr/qml directory
Also, the qt53d examples were not installed if
BR2_PACKAGE_QT5BASE_EXAMPLES was set.
Signed-off-by: Romain Reignier <rom.reignier@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4fd448c9c1e3ed7ca0f09441bf8a854eb9130190) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Thu, 12 Apr 2018 11:50:09 +0000 (13:50 +0200)]
support/scripts/fix-rpath: exclude /lib/firmware in the target
The /lib/firmware directory contains random firmware for various
devices. It happens that some of them might be or appear to be ELF
files, but they shouldn't be checked by fix-rpath. For example, one of
the Qualcomm VPU firmware file appears to be an ELF file, but patchelf
isn't happy about it:
Even though patchelf definitely shouldn't crash, it anyway doesn't
make sense to check ELF files in /lib/firmware, so let's exclude this
directory from our check.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 184cb52f6d9368c333c79665080e7808c5713117) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Revert "package/bash: add /bin/bash to /etc/shells"
Commit 4d279697af added /bin/bash to /etc/shells. In the default
skeleton, however, /etc/shells doesn't exist, so in fact it creates
this file, containing only /bin/bash. Therefore, when bash is selected,
/bin/sh does not appear in /etc/shells and bash is the only shell
allowed. Since /bin/sh is the shell that is used for root in the
default skeleton's /etc/passwd, root is no longer able to log in.
The proper solution is to add all available shells to /etc/shells. For
now, however, just revert commit 4d279697af as a stop-gap measure. That
way, the default situation still works, and only people who update
/etc/passwd with additional logins but don't update /etc/shells will
suffer.
Fixes CVE-2018-1000156: arbitrary command execution in ed-style patches.
Depend on MMU for now, because the patch adds a fork() call. Upstream
later switched to gnulib provided execute(), so this dependency can be
dropped on the next version bump.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f4a4df2084b923f29eca2130976ca10a7aa6b719) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Where _estrdup is the actual function implemented by the PHP core. If
this header file is not included, and some code uses estrdup, one ends
up with an undefined reference. This happens when libexpat support is
enabled. This commit adds a PHP patch that fixes this issue. The patch
has been submitted upstream through a Github pull request.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fc4b66dbc1b71e871129ce14b289fcda6eb3ea10) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- wnpa-sec-2018-15
The MP4 dissector could crash. (Bug 13777)
- wnpa-sec-2018-16
The ADB dissector could crash. (Bug 14460)
- wnpa-sec-2018-17
The IEEE 802.15.4 dissector could crash. (Bug 14468)
- wnpa-sec-2018-18
The NBAP dissector could crash. (Bug 14471)
- wnpa-sec-2018-19
The VLAN dissector could crash. (Bug 14469)
- wnpa-sec-2018-20
The LWAPP dissector could crash. (Bug 14467)
- wnpa-sec-2018-23
The Kerberos dissector could crash. (Bug 14576)
- wnpa-sec-2018-05
The IEEE 802.11 dissector could crash. Bug 14442, CVE-2018-7335
- wnpa-sec-2018-06
Multiple dissectors could go into large infinite loops. All ASN.1 BER dissectors (Bug 14444), along with the DICOM (Bug 14411), DMP (Bug 14408), LLTD (Bug 14419), OpenFlow (Bug 14420), RELOAD (Bug 14445), RPCoRDMA (Bug 14449), RPKI-Router (Bug 14414), S7COMM (Bug 14423), SCCP (Bug 14413), Thread (Bug 14428), Thrift (Bug 14379), USB (Bug 14421), and WCCP (Bug 14412) dissectors were susceptible.
- wnpa-sec-2018-07
The UMTS MAC dissector could crash. Bug 14339, CVE-2018-7334
- wnpa-sec-2018-09
The FCP dissector could crash. Bug 14374, CVE-2018-7336
- wnpa-sec-2018-10
The SIGCOMP dissector could crash. Bug 14398, CVE-2018-7320
- wnpa-sec-2018-11
The pcapng file parser could crash. Bug 14403, CVE-2018-7420
- wnpa-sec-2018-12
The IPMI dissector could crash. Bug 14409, CVE-2018-7417
- wnpa-sec-2018-13
The SIGCOMP dissector could crash. Bug 14410, CVE-2018-7418
- wnpa-sec-2018-14
The NBAP disssector could crash. Bug 14443, CVE-2018-7419
board/atmel: use correct sam-ba binary in flasher.sh script
Instead of using the install of sam-ba under host/opt directly, use the symlink
created in host/bin. The side effect of doing this instead allows the correct
sam-ba binary to be used based on the host arch being 32 bit or 64 bit.
Signed-off-by: Joshua Henderson <joshua.henderson@microchip.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e1452fe8434c4613d1727034db525c0a9bbc6dfd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the internal PCRE library of PHP is used, it tries to use a JIT
engine, which is only available on some architectures.
However, the mechanism used to disable JIT has changed in recent PHP
versions, and it now has a proper --without-pcre-jit option. Switch
over to that to properly disable JIT on unsupported platforms.
It has been tested to fix the build of PHP on ARC and Microblaze.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9850612ea5e9fc9c377d11ec9c2930bfd812754a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
postgresql: propagate BR2_USE_MMU dependency to Config.in comment
The BR2_PACKAGE_POSTGRESQL option depends on BR2_USE_MMU, so the
Config.in comment about the dynamic library dependency should only be
displayed if the BR2_USE_MMU requirement is met.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9fec3eb9131dba46cbf8474a7def05a076990079) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Giulio Benetti [Mon, 13 Nov 2017 18:41:54 +0000 (19:41 +0100)]
qt5base: correct eglfs support in qmake.conf.in
Setting EGLFS_DEVICE_INTEGRATION at the end of qmake.conf like is done
by commit 0c219ddb8a doesn't work correctly: it has to be set before the
include(../common/linux_device_post.conf)
Instead of appending to the file, change it into a qmake.conf.in
template file that contains a placeholder for the
EGLFS_DEVICE_INTEGRATION assignment and update it with sed. Since the
sed always has to be executed, this removes the need for a separate
QT5BASE_CONFIGURE_QMAKE_CONFIG definition.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Arnout: simplify the replacement, move sunxi-mali support to a
separate patch] Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 81fb33af2a6e4f4d379da3372b2a607b7ae1a21f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 5 Apr 2018 06:42:15 +0000 (08:42 +0200)]
python-webpy: use webpy-0.39 tag
No functional change, but upstream has now tagged the release, so use the
tag instead of the sha1.
https://github.com/webpy/webpy/issues/449
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 01320bb9ff297bac38a4c9bc32ae505ac79d600f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 4 Apr 2018 15:51:32 +0000 (17:51 +0200)]
python-webpy: security bump to version 0.39
>From the changelog:
2018-02-28 0.39
* Fixed a security issue with the form module (tx Orange Tsai)
* Fixed a security issue with the db module (tx Adrián Brav and Orange Tsai)
2016-07-08 0.38
..
* Fixed a potential remote exeution risk in `reparam` (tx Adrián Brav)
License files are still not included on pypi, so continue to use the git
repo. Upstream has unfortunately not tagged 0.39, so use the latest commit
on the 0.39 branch. A request to fix this has been submitted:
https://github.com/webpy/webpy/issues/449
0.39 now uses setuptools, so change the _SETUP_TYPE.
Add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ce559162fca39c273583bea0dbed643229769d8c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 543b0d50fbbb552296749d0cf18443aacfc6e58d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Stefan Becker [Tue, 3 Apr 2018 06:11:38 +0000 (09:11 +0300)]
package/systemd: add upstream build fix #8456
Signed-off-by: Stefan Becker <chemobejk@gmail.com> Tested-by: Joseph Kogut <joseph.kogut@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 794d16fcacfc5c8e041452da67ee12aaab36f441) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The license information in qt5script was just copied from all the other
qt5 modules, but it is different (and complicated).
- libQt5Script itself contains the third-party JavaScriptCore source.
JavaScriptCore has a number of licenses: BSD-2-Clause, BSD-3-Clause,
LGPL-2.0+, LGPL-2.1+. Since it is all linked together, the end
result will be BSD-3-Clause and LGPL-2.1+.
The different BSD licenses are all slightly different (different
authors, which affects the third clause in particular). Only one
separate license file is provided, so let's use that one.
There is an LGPL-2.0 license file, which is slightly different from
the top-level LICENSE.LGPLv21, so let's add that one as well.
- libQt5Script also contains Qt-specific code which is all licensed
under LGPL-2.1 only. This is covered by the LICENSE.LGPLv21 file.
It merges with the LGPL-2.1+ from JavaScriptCore but limits it to
2.1 only.
- libQt5ScriptTools is a separate libary containing just the script
debugger. It is covered by the usual Qt license:
* LGPL-2.1 or LGPL-3.0 with exception for Qt 5.6;
* LGPL-3.0 or GPL-2.0+ for Qt 5.9 (actually it is GPL-2.0 or GPL-3.0
or any later version approved by the KDE Qt foundation, but let's
keep it simple :-). Note that there is no LICENSE.GPLv2 provided,
only LICENSE.GPLv3. Also, there is an LGPL_EXCEPTION.txt file but
no mention of an exception anywhere in the sources.
Update the license information with all of the above. Also add hashes
for the new license files from JavaScriptCore.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit d9ec8526bb68ea50a8e9b9847ab119c6248c66fd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
tar 1.27 subtly changed the tar format when a GNU long link entry is added
(which is done for path elements > 100 characters). The code used to set
the permission mode of the link entry to 0:
header = start_private_header ("././@LongLink", size, time (NULL));
FILL (header->header.mtime, '0');
FILL (header->header.mode, '0');
FILL (header->header.uid, '0');
FILL (header->header.gid, '0');
FILL (header->header.devmajor, 0);
FILL (header->header.devminor, 0);
This got dropped in 1.27 by commit df7b55a8f6354e3 (Fix some problems with
negative and out-of-range integers), so the settings from
start_private_header() are used directly - Which are:
The end result is that tar >= 1.27 sets mode to 644.
The consequence of this is that we create different tar files when long path
names are encountered (which often happens when a package downloads a
specific sha1 from a git repo) depending on the host tar version used,
causing hash mismatches.
As a workaround, bump our minimum tar version to 1.27. It would be nicer to
only do this if we have packages from bzr/git/hg enabled, but that is an
exercise for later.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cdac332d20d2d1326dee0111e188fa214549122b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
"""
This is a bugfix release, but it primarily disables the UDP protocol by
default.
In the last few days reports of UDP amplification attacks utilizing
inesure memcached instances have surfaced. Attackers are able to set
large values into memcached, then send requests via spoofed UDP packets.
Memcached will then send a very large number of very large UDP packets
back in response.
"""
Signed-off-by: Christopher McCrory <chrismcc@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f03cf639cfba961ca4cbfb73435f23b951941685) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Christopher McCrory <chrismcc@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b773c33bf18d82e4cf7d0712dfe88a0bae61c865) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gaël PORTAY [Fri, 2 Mar 2018 16:28:12 +0000 (11:28 -0500)]
qt5webkit: fix build issue with 32-bits armv8-a
Adds WTF platform support for the 32-bits armv8-a architectures.
Fixes:
In file included from ./config.h:30:0,
from ...
./wtf/Platform.h:323:6: error: #error "Not supported ARM architecture"
# error "Not supported ARM architecture"
^~~~~
from this defconfig:
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
[Thomas: rework to continue supporting pre-gcc-4.6 toolchains, extend
the commit log after doing more testing.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Reviewed-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5e58509bfe497c5e85db58f8213b0a44ac79dd3f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
where variable FOO_BASE_NAME is clashing between these two packages.
Specific cases where this clash is already existing are:
- alljoyn-base
- alljoyn-tcl-base
- perl-xml-sax-base
The problem is generic and can occur for a number of variables in Buildroot.
A non-exhaustive list:
<pkg>_BASE and <pkg>_BASE_NAME
<pkg>_BASE_NAME and <pkg>_RAW_BASE_NAME
<pkg>_DIR and <pkg>_DL_DIR
<pkg>_VERSION and <pkg>_DL_VERSION
<pkg>_SOURCE and <pkg>_TARGET_SOURCE
<pkg>_INSTALL_IMAGES and <pkg>_TARGET_INSTALL_IMAGES (same for _STAGING and _TARGET)
<pkg>_LICENSE_FILES and <pkg>_MANIFEST_LICENSE_FILES
<pkg>_DEPENDENCIES and <pkg>_FINAL_DEPENDENCIES
One solution is to use another separator than '_' to separate the
package name from the rest of the variable name. For example, a double
underscore:
FOO__NAME
FOO__BASE_NAME
FOO_BASE__NAME
FOO_BASE__BASE_NAME
However, making that change for only this case means that the variable
naming is no longer consistent. And making the change for all variables has
a large impact, also on certain user scripts.
For now, keep it simple, and rename FOO_BASE_NAME into FOO_BASENAME, so that
the variables become:
FOO_NAME
FOO_BASENAME
FOO_BASE_NAME
FOO_BASE_BASENAME
For consistency, also adapt FOO_RAW_BASE_NAME. Since FOO_RAW_BASENAME would
still pose a conflict with a package called 'foo-raw', take the opportunity
to rename it into FOO_BASENAME_RAW instead, which does not pose a conflict
as we have no variable called FOO_RAW.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Reviewed-by: Sam Voss <sam.voss@rockwellcollins.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 83d2644b1197564358b6cd87b2f221d79671b5cc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It should be "host gnupg" and not "host-gnupg" to be consistent with
all other Config.in.host options.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 083716cdfbc42ac5cd53d3d10ac76a57427c11af) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In both cases, upstream suggests using a different target definition
instead. E.G. from issue 685:
You may use NORTHWOOD on x86: make TARGET=NORTHWOOD that uses SSE2
instructions. It's very hard to find non-SSE2 x86 CPUs today. For x86-64
use the PRESCOTT target
So drop the SSE_GENERIC target. The only x86_64 variant we support not
covered by a more specific openblas target is the default variant, nocona
and jaguar.
Nocona was a Xeon variant of the P4 "Prescott" architecture, so use the
PRESCOTT openblas target:
[Peter: add Jaguar as pointed out by Arnout] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5e6fa93483caac317ab8844feb2ae9c07078a6c8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sasha Shyrokov [Tue, 6 Mar 2018 15:58:10 +0000 (10:58 -0500)]
opencv3: fix Python module build for Python 3.x
When the OpenCV3 Python support is enabled with Python 3.x, it builds
properly, and the resulting .so file is built for the target
architecture, but its name is wrong:
This solution was suggested by Arnout Vandecappelle in
https://stackoverflow.com/questions/49059035/buildroot-opencv3-python-package-builds-for-the-wrong-target.
With Python 2.x, the module is named just cv2.so so this problem isn't
visible. However, for consistency, we also pass
PKG_PYTHON_DISTUTILS_ENV when building against Python 2.x, by putting
the OPENCV3_CONF_ENV assignment inside the
BR2_PACKAGE_OPENCV3_LIB_PYTHON condition, but outside the
BR2_PACKAGE_PYTHON3/BR2_PACKAGE_PYTHON condition.
Signed-off-by: Sasha Shyrokov <alexander-shyrokov@idexx.com>
[Thomas: extend the commit log, apply the solution to Python 2.x.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8ba80282c3bb580c6a45ea114e70acac98fe1690) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Sun, 4 Mar 2018 15:06:06 +0000 (16:06 +0100)]
package/kodi: remove imx support
https://git.buildroot.net/buildroot/commit/?id=266208972192f1e0869f89d7be941de6294a810a
broke imx support in Kodi because previously the G2D libraries were
part of the imx-gpu-viv package:
CMake Error at /usr/share/cmake-3.7/Modules/FindPackageHandleStandardArgs.cmake:138 (message):
Could NOT find IMX (missing: G2D_LIBRARY)
Adjusting the Kodi package to use the imx-gpu-g2d as well still does
not provide a working build:
/home/buildroot/br4/output/build/kodi-17.6-Krypton/xbmc/linux/imx/IMX.cpp: In member function 'void CIMX::Deinitialize()':
/home/buildroot/br4/output/build/kodi-17.6-Krypton/xbmc/linux/imx/IMX.cpp:79:21: error: 'DCIC_IOC_STOP_VSYNC' was not declared in this scope
ioctl(m_fddcic, DCIC_IOC_STOP_VSYNC, 0);
^~~~~~~~~~~~~~~~~~~
/home/buildroot/br4/output/build/kodi-17.6-Krypton/xbmc/linux/imx/IMX.cpp: In member function 'bool CIMX::UpdateDCIC()':
/home/buildroot/br4/output/build/kodi-17.6-Krypton/xbmc/linux/imx/IMX.cpp:109:19: error: 'DCIC_IOC_STOP_VSYNC' was not declared in this scope
ioctl(m_fddcic, DCIC_IOC_STOP_VSYNC, 0);
^~~~~~~~~~~~~~~~~~~
/home/buildroot/br4/output/build/kodi-17.6-Krypton/xbmc/linux/imx/IMX.cpp:115:21: error: 'DCIC_IOC_START_VSYNC' was not declared in this scope
ioctl(m_fddcic, DCIC_IOC_START_VSYNC, 0);
^~~~~~~~~~~~~~~~~~~~
/home/buildroot/br4/output/build/kodi-17.6-Krypton/xbmc/linux/imx/IMX.cpp: In member function 'virtual void CIMX::Process()':
/home/buildroot/br4/output/build/kodi-17.6-Krypton/xbmc/linux/imx/IMX.cpp:125:19: error: 'DCIC_IOC_START_VSYNC' was not declared in this scope
ioctl(m_fddcic, DCIC_IOC_START_VSYNC, 0);
^~~~~~~~~~~~~~~~~~~~
/home/buildroot/br4/output/build/kodi-17.6-Krypton/xbmc/linux/imx/IMX.cpp:131:19: error: 'DCIC_IOC_STOP_VSYNC' was not declared in this scope
ioctl(m_fddcic, DCIC_IOC_STOP_VSYNC, 0);
^~~~~~~~~~~~~~~~~~~
Although it might be possible to fix these bugs with something like
as done in
https://raw.githubusercontent.com/LibreELEC/LibreELEC.tv/libreelec-7.0/projects/imx6/patches/kodi/imx6-jarvis.patch
we would still try to ride a dead horse. The upcoming Kodi version
18.0-Leia will remove imx support completely, see upstream PR 12990.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com>
[Thomas: keep an explicit -DENABLE_IMX=OFF in CONF_OPTS.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 878716830bfbdf76b69f69a18b53ae56fdbf8365) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/xterm: Avoid freetype2 path poisoning using imake
When imake is installed on the host, it tries to include
freetype headers from host, so we must override ac_cv_path_IMAKE
to avoid this.
Extract from config.log:
configure:14803: checking if we should use imake to help
configure:14820: result: yes
configure:14829: checking for xmkmf
configure:14846: found /usr/bin/xmkmf
configure:14857: result: /usr/bin/xmkmf
configure:14920: testing Using /usr/bin/xmkmf ...
configure:15015: testing IMAKE_CFLAGS -I. -I/usr/include/freetype2
Signed-off-by: Valentin Korenblit <valentin.korenblit@smile.fr>
[Thomas: pass ac_cv_path_IMAKE="" as suggested by Romain Naour.] Reviewed-by: Romain Naour <romain.naour@smile.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6d0316dc7b14f6cd2d44e92c6ab581a6ab385234) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 31 Mar 2018 10:27:11 +0000 (12:27 +0200)]
ktap: bump version for linux-4.8 support
Fixes #10776
The upstream git repo contains a number of fixes for building against newer
kernel versions, so bump the version.
git shortlog eb66d40310c93dc82bc8eac889744c1ed1f01f7b..
Alain Kalker (2):
uprobe: Print the symbol, not the matching pattern
uprobe: Blacklist uretprobes on _start
Aleksa Sarai (2):
runtime: update GFP_WAIT to GFP_RECLAIM
userspace: fix up argument parsing NULL dereference
Alexey Makhalov (1):
Fix building for v4.8 kernel
Azat Khuzhin (12):
Use get_unused_fd_flags(0) instead of get_unused_fd()
Support trace_seq::seq
Ignore separate debug files (*.dwo)
Use trace_seq_has_overflowed()
makefile: split vim plugins installing into separate target
makefile: use DESTDIR for install (allow to change install dir)
makefile: install: create dirs
makefile: use ldflags for linking ktap
makefile: add CPPFLAGS to KTAPC_CFLAGS, to allow change default flags
ignore: exclude /debian
Support compilation for 4.2 (ftrace_events cleanup)
runtime: fix building on 4.3
Jovi Zhangwei (11):
Merge pull request #84 from azat/linux-3.19-fixes-v3
Merge pull request #85 from azat/debian-preparations-v2
Merge pull request #88 from NanXiao/master
Merge pull request #89 from NanXiao/patch-1
Merge pull request #91 from NanXiao/patch-1
Merge pull request #90 from azat/linux-4.2-compilation-fixes
Merge pull request #99 from cyphar/fix-null-deref
Merge pull request #98 from cyphar/fix-gfp-reclaim
Merge pull request #97 from azat/fix-building-4.3-__GFP_RECLAIM
Merge pull request #103 from ackalker/blacklist
Merge pull request #104 from YustasSwamp/master
Nan Xiao (3):
Update tutorial.md
Update Makefile
Fix memory leak issue in main function.
WEI ZHANG (1):
ktap: Change the copyright to Huawei Technologies
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a612c9ed9d7fde40a4e5bfe851e9a8ee7228bf2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
utils/genrandconfig: use --no-check-certificate in wget by default
A number of autobuilder failures are due to the fact that autobuilder
instances use old distributions, with old SSL certificates, and
therefore wget aborts with an error "The certificate of `xyz.org' is
not trusted.".
In order to avoid such failures that are not very interesting in the
context of the autobuilders, we pass --no-check-certificate to
wget. The integrity of the downloaded files is anyway verified by the
hashes, and this is only meant to be used in the context of
testing/CI, not in production.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0866a280e40a7a2c7d7d50cc7e87c3f4652aff0a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 31 Mar 2018 06:11:55 +0000 (08:11 +0200)]
nodejs: security bump to version 8.11.1
Fixes the following security issues:
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious
website could use a DNS rebinding attack to trick a web browser to bypass
same-origin-policy checks and allow HTTP connections to localhost or to
hosts on the local network, potentially to an open inspector port as a
debugger, therefore gaining full code execution access. The inspector now
only allows connections that have a browser Host value of localhost or
localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths could
be used to cause a denial of service if an attacker were able to have a
specially crafted path string passed through one of the impacted 'path'
module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The
Node.js HTTP parser allowed for spaces inside Content-Length header
values. Such values now lead to rejected connections in the same way as
non-numeric values.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7f02604553bc3c8449d6a112818f038e99abbdaf) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sat, 31 Mar 2018 12:52:50 +0000 (14:52 +0200)]
support/check-uniq-files: support weird locales and filenames
Currently, when a filename contains characters not representable in the
user's locale, we fail hard, especially when the host python is python3.
This is because python2 and python3 handle encoding/decoding strings
differently, with python3 presumable doing the right thing, but it
breaks on some systems, while python2 presumable does the wrong thing,
but it works everywhere. (Just joking, obviously...)
Part of the issue being that the csv reader in python2 is broken with
UTF8.
We fix the issue by ditching the csv reader, and simply read the file in
binary mode, manually partitioning the lines on the first comma.
Then, we use the binary-encoded (really, un-encoded) package names and
filenames as values and keys, respectively.
Finally, for each filename or package we need to print, we try to decode
them with the defaults for the user settings, but catch any decoding
exception and fall back to dumping the raw, binary values. Which codec
is used by default differs between Python version, but in all cases
something sane is printed at least.
Thanks a lot to Arnout for the live help doing this patch. :-)
Thomas Petazzoni [Sat, 31 Mar 2018 06:47:09 +0000 (08:47 +0200)]
support/config-fragments/autobuild: fix SSP in br-nios2-glibc
Commit c8680956819fae8776d7bd6d1f0e67a7b6436672 ("toolchain: fix
detection of SSP support") fixed the SSP check so that it does the
correct thing for nios2 toolchains. While this commit fixed the
description of the Sourcery NIOSII toolchain, it didn't fix the
description for the autobuilders of the br-nios2-glibc toolchain,
causing some build failures. This commit adjusts br-nios2-glibc.config
to indicate that the toolchain doesn't have SSP support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0e4de0f2db5f7a252d4b8a4cac752fac9ca2deb3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Tue, 27 Mar 2018 11:00:22 +0000 (13:00 +0200)]
core: alternate solution to disable C++
Some packages that use libtool really need some love to be able to
disable C++ support.
This is because libtool will want to call AC_PROG_CXXCPP as soon as CXX
is set non-empty to something different from 'no'. Then, AC_PROG_CXXCPP
will want a C++ preprocessor that works on valid input *and* fail on
invalid input.
So, providing 'false' as the C++ compiler will then require that we do
have a working C++ preprocessor. Which is totally counter-productive
since we do not have a C++ compiler to start with...
bd39d11d2e (core/infra: fix build on toolchain without C++) was a
previous attempt at fixing this, by using the host's C++ preprocessor.
However, that is very incorrect (that's my code, I can say so!) because
the set of defines will most probably be different for the host and the
target, thus causing all sorts of trouble. For example, on ARM we'd have
to include different headers for soft-float vs hard-float, which is
decided based on a macro, which is not defined for x86, and thus may
redirect to the wrong (and missing) header.
Instead, we notice that libtool uses the magic value 'no' to decide that
a C++ compiler is not available, in which case it skips the call to
AC_PROG_CXXCPP.
Given that 'no' is not provided by any package in Debian and
derivatives, as well as in Fedora, we can assume that no system will
have an executable called 'no'. Hence, we use that as a magic value to
disable C++ detection altogether.
Fixes: #10846 (again) Reported-by: Damien Riegel <damien.riegel@savoirfairelinux.com> Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Damien Riegel <damien.riegel@savoirfairelinux.com> Cc: Peter Seiderer <ps.report@gmx.net> Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Cc: Peter Korsgaard <peter@korsgaard.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Tested-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4cd1ab15886a408b897104709ff87f15cc88ba16) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 29 Mar 2018 14:52:09 +0000 (16:52 +0200)]
libopenssl: security bump to version 1.0.2o
Fixes the following security issues:
Constructed ASN.1 types with a recursive definition could exceed the stack
(CVE-2018-0739)
Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack.
There are no such structures used within SSL/TLS that come from untrusted
sources so this is considered safe.
Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each
byte. This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the
security claims of the scheme. The module can only be compiled by the HP-UX
assembler, so that only HP-UX PA-RISC targets are affected.
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
This issue has been reported in a previous OpenSSL security advisory and a
fix was provided for OpenSSL 1.0.2. Due to the low severity no fix was
released at that time for OpenSSL 1.1.0. The fix is now available in
OpenSSL 1.1.0h.
There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH1024 are considered just feasible, because most of the
work necessary to deduce information about a private key may be performed
offline. The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the server
would have to share the DH1024 private key among multiple clients, which is
no longer an option since CVE-2016-0701.
This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
For more details, see https://www.openssl.org/news/secadv/20180327.txt
The copyright year changed in LICENSE, so adjust the hash to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6938c219d80e2267f8e25f3fc37f955ab723cc55) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 6205b75873c (sngrep: gnutls support also needs libgcrypt) ensured
that --with-gnutls is only used when both gnutls and libgcrypt are enabled,
but it didn't ensure libgcrypt gets built before sngrep or told the
configure script where to find libgcrypt-config, breaking the build.
Fix both issues.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ae7d59eaae1c55d707b2a70437a84c280f598572) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>