This is a maintenance release of the current stable WebKitGTK+ version,
which contains bugfixes; mostly for crashes and rendering issues, plus
one important fix for the layout or Arabic text.
Even though an acconpanying security advisory has not been published
for this release, the release contains fixes for several crashes (one
of them for the decoder of the very common GIF image format), which
arguably can be considered potential security issues.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e3459fd9c5cc4ddb04d22b534ef66b441e1aea71) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 26 Oct 2017 12:52:47 +0000 (14:52 +0200)]
openssh: security bump to version 7.6p1
Fixes CVE-2017-15906 - The process_open function in sftp-server.c in OpenSSH
before 7.6 does not properly prevent write operations in readonly mode,
which allows attackers to create zero-length files.
For more details, see the release notes:
https://www.openssh.com/txt/release-7.6
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 70663a9a4fcb9211fcef7668a8a35de11cc54775) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patches downloaded from Github are not stable, so bring them in the
tree.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4e7522aacd4e76c0ab5e602ade9a60f5a4473939) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
AOF flush on SHUTDOWN did not cared to really write the AOF buffers
(not in the kernel but in the Redis process memory) to disk before exiting.
Calling SHUTDOWN during traffic resulted into not every operation to be
persisted on disk.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 751cd4cfab88ff15143d13eccf87f982a274e4e3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 26 Oct 2017 12:18:43 +0000 (14:18 +0200)]
sdl2: security bump to version 2.0.7
Fixes CVE-2017-2888 - An exploitable integer overflow vulnerability exists
when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can
cause an integer overflow resulting in too little memory being allocated
which can lead to a buffer overflow and potential code execution. An
attacker can provide a specially crafted image file to trigger this
vulnerability.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 07a9f0200cfd1c34f33e8054f62b990d05ccb934) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The configure script automatically enables support for the raspberry pi
video backend if it detects the rpi-userland package. Unfortunately it
hardcodes a number of include/linker paths unsuitable for cross compilation,
breaking the build:
if test x$enable_video = xyes -a x$enable_video_rpi = xyes; then
..
RPI_CFLAGS="-I/opt/vc/include -I/opt/vc/include/interface/vcos/pthreads -I/opt/vc/include/interface/vmcs_host/linux"
RPI_LDFLAGS="-L/opt/vc/lib -lbcm_host"
fi
So explicitly disable it until the configure script is fixed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3a798acf239dee04d573f575337bf823c13020fd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 23 Oct 2017 23:13:17 +0000 (01:13 +0200)]
libcurl: security bump to version 7.56.1
Fixes CVE-2017-1000257 - IMAP FETCH response out of bounds read
https://curl.haxx.se/docs/adv_20171023.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 62d4dd2999a0446c2b868a7c6fbcc764a470493d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 23 Oct 2017 23:08:36 +0000 (01:08 +0200)]
irssi: security bump to version 1.0.5
Fixes the following security issues:
(a) When installing themes with unterminated colour formatting
sequences, Irssi may access data beyond the end of the
string. (CWE-126) Found by Hanno Böck.
CVE-2017-15228 was assigned to this issue.
(b) While waiting for the channel synchronisation, Irssi may
incorrectly fail to remove destroyed channels from the query list,
resulting in use after free conditions when updating the state
later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672)
CVE-2017-15227 was assigned to this issue.
(c) Certain incorrectly formatted DCC CTCP messages could cause NULL
pointer dereference. Found by Joseph Bisch. This is a separate,
but similar issue to CVE-2017-9468. (CWE-690)
CVE-2017-15721 was assigned to this issue.
(d) Overlong nicks or targets may result in a NULL pointer dereference
while splitting the message. Found by Joseph Bisch. (CWE-690)
CVE-2017-15723 was assigned to this issue.
(e) In certain cases Irssi may fail to verify that a Safe channel ID
is long enough, causing reads beyond the end of the string. Found
by Joseph Bisch. (CWE-126)
CVE-2017-15722 was assigned to this issue.
For more details, see the advisory:
https://irssi.org/security/irssi_sa_2017_10.txt
While we're at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a9a4ec0dcce4500319e00e7d875414d6bc6606fa) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 25 Oct 2017 20:16:13 +0000 (22:16 +0200)]
nodejs: security bump to version 6.11.5
Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with windowBits
set to 8. On some versions this crashes Node and you cannot recover from
it, while on some versions it throws an exception. Node.js will now
gracefully set windowBits to 9 replicating the legacy behavior to avoid a
DOS vector.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Drop 0002-inspector-don-t-build-when-ssl-support-is-disabled.patch as that
is now upstream:
Building Python 3.x on MIPS with musl fails because the libffi code
uses a "#ifdef linux" test to decide if we're building on Linux or
not. When building with -std=c99, "linux" is not defined, so instead
of including <asm/sgidefs.h>, libffi's code tries to include
<sgidefs.h>, which doesn't exist on musl.
The right fix is to use __linux__, which is POSIX compliant, and
therefore defined even when -std=c99 is used.
Note that glibc and uClibc were not affected because they do provide a
<sgidefs.h> header in addition to the <asm/sgidefs.h> one.
Signed-off-by: Mauro Condarelli <mc5686@mclink.it>
[Thomas: reformat patch with Git, add a better commit log and description.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 4852f05907cd365825f37c283a415a77ba1fcba9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add DEPENDENCIES_HOST_PREREQ to the list of packages
That way packages included in that list like ccache will also be
regarded as a normal packages for targets like external-deps,
show-targets or legal-info
Signed-off-by: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 862b76cfefc101943f09db2a73f5519f9a5bb2cb) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
dependencies: always use HOSTCC_NOCACHE for DEPENDENCIES_HOST_PREREQ
Currently, HOSTCC and HOSTCXX are set to their _NOCACHE variants in the
'dependencies' target. This is needed because at that time, ccache is
not built yet - host-ccache is one of the dependencies. However, because
this override is only specified for the 'dependencies' target (and
thereby gets inherited by its dependencies), the override is only
applied when the package is reached through the 'dependencies' target.
This is not the case when one of DEPENDENCIES_HOST_PREREQ is built
directly from the command line, e.g. when doing 'make host-ccache'. So
in that case, ccache will be built with ccache... which fails of
course.
To fix this, directly apply the override to the DEPENCIES_HOST_PREREQ
targets.
Note that this only fixes the issue for 'make host-ccache', NOT for
e.g. 'make host-ccache-configure'.
Peter Korsgaard [Sun, 22 Oct 2017 11:15:08 +0000 (13:15 +0200)]
lame: security bump to version 3.100
Fixes the following security issues:
CVE-2017-9410: fill_buffer_resample function in libmp3lame/util.c heap-based
buffer over-read and ap
CVE-2017-9411: fill_buffer_resample function in libmp3lame/util.c invalid
memory read and application crash
CVE-2017-9412: unpack_read_samples function in frontend/get_audio.c invalid
memory read and application crash
Drop patches now upstream or no longer needed:
0001-configure.patch: Upstream as mentioned in patch description
0002-gtk1-ac-directives.patch: Upstream as mentioned in patch
description/release notes:
Resurrect Owen Taylor's code dated from 97-11-3 to properly deal with GTK1.
This was transplanted back from aclocal.m4 with a patch provided by Andres
Mejia. This change makes it easy to regenerate autotools' files with a simple
invocation of autoconf -vfi.
0003-msse.patch: Not needed as -march <x86-variant-with-msse-support>
nowadays implies -msse.
With these removed, autoreconf is no longer needed.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 7e3583dd558925a447eaa4367d659f39482fbbc0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 21 Oct 2017 19:12:59 +0000 (21:12 +0200)]
musl: add upstream security fix for CVE-2017-15650
>From the upstream announcement:
http://www.openwall.com/lists/oss-security/2017/10/19/5
Felix Wilhelm has discovered a flaw in the dns response parsing for
musl libc 1.1.16 that leads to overflow of a stack-based buffer.
Earlier versions are also affected.
When an application makes a request via getaddrinfo for both IPv4 and
IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
nameservers configured in resolv.conf can reply to both the A and AAAA
queries with A results. Since A records are smaller than AAAA records,
it's possible to fit more addresses than the precomputed bound, and a
buffer overflow occurs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 209f42fd3a5f4357e22fb72f1597a6868566aabd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch fixes a bug with the BR2_TOOLCHAIN_HAS_THREADS variable
handling which causes CGO_ENABLED to be always 0.
Furthermore, it fixes the cross compilation options for the go
compiler: setting CGO_ENABLED should be done only for the target
compiler not the host one.
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Acked-by: Christian Stewart <christian@paral.in>
(cherry picked from commit 80ea21bc3c2147adf810731b0b242e94a3ad294e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains bugfixes (many of them related to rendering, plus one
important fix for touch input) and many security fixes.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6d623e72770534c8e40e5afd7aa8fb77e49d1974) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
No corresponding WebKit Security Advisory (WSA) has been published.
All patches have been applied upstream.
This also bumps the required target GCC version, due to the WebKit code
now using more modern C++ features which were introduced in version
5.x of the compiler.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Arnout:
- propagate dependency to midori;
- mention in commit message why patches were removed.] Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 905b1ab5c21f39f9cd1777f6d5745c90d863da4b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Lothar Felten [Fri, 20 Oct 2017 11:19:17 +0000 (13:19 +0200)]
Config.in: fix help comment for gcc optimization
The default for is set to BR2_OPTIMIZE_S, the help comment designated
BR2_OPTIMIZE_0 as default.
Changed the help comment to show that BR2_OPTIMIZE_S is the default.
Signed-off-by: Lothar Felten <lothar.felten@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 4e09fd8bdef6ddea1097f91df07515abde389cd0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 21 Oct 2017 09:25:15 +0000 (11:25 +0200)]
musl: add upstream security fix for CVE-2017-15650
>From the upstream announcement:
http://www.openwall.com/lists/oss-security/2017/10/19/5
Felix Wilhelm has discovered a flaw in the dns response parsing for
musl libc 1.1.16 that leads to overflow of a stack-based buffer.
Earlier versions are also affected.
When an application makes a request via getaddrinfo for both IPv4 and
IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
nameservers configured in resolv.conf can reply to both the A and AAAA
queries with A results. Since A records are smaller than AAAA records,
it's possible to fit more addresses than the precomputed bound, and a
buffer overflow occurs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Alexander Mukhin [Wed, 18 Oct 2017 09:34:06 +0000 (12:34 +0300)]
wpa_supplicant: fix upstream URL
wpa_supplicant project URL has been changed to w1.fi/wpa_supplicant.
The old domain epitest.fi has expired.
Signed-off-by: Alexander Mukhin <alexander.i.mukhin@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 38e36cd0e1ec55743766e48564d952e38ff40113) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: also add patch 0001 as suggested by Jörg Krause] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 57c0a485cc0a5681e772ddaf1c886e810d3d7ae4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5259c5c8058aa2c9608fd202c35477015a41c326) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 12 Oct 2017 21:17:52 +0000 (23:17 +0200)]
libnss: security bump to version 3.33
Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
Network Security Service library, is prone to a use-after-free vulnerability
in the TLS 1.2 implementation when handshake hashes are generated. A remote
attacker can take advantage of this flaw to cause an application using the
nss library to crash, resulting in a denial of service, or potentially to
execute arbitrary code.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 746502418fbf603464efe0dfc77c6bc10b10603e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 12 Oct 2017 21:17:51 +0000 (23:17 +0200)]
libnspr: bump version to 4.17
libnss 3.33 needs libnspr >= 4.17.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b1363093248b6198eab285124b2c87411155a0a1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Alexander Mukhin [Thu, 14 Sep 2017 15:11:14 +0000 (18:11 +0300)]
hostapd: fix upstream URL
hostapd project URL has been changed to w1.fi/hostapd.
The old domain epitest.fi has expired.
Signed-off-by: Alexander Mukhin <alexander.i.mukhin@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 8a2396b90aeb411a856335d976a427eed6e115bc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
support/kconfig: fix usage typo and align verb tenses
Fix typo 'selectes' -> 'selects'.
Additionally, change 'will exclude' to 'excludes' to align with 'selects'.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 787f4fee7184e4b86343a1d6d60c303622d458b9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 46a54b6464d09edc36ae0d1d041f89ffd77b3ea1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dropped IUCODE_TOOL_CONF_ENV after version 2.2 added a configure check
for libargp:
https://gitlab.com/iucode-tool/iucode-tool/commit/b14bed6771e7ab48371b272a0c68dd017767142a
Added hash for license file.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1462c07914f5e53cb7816ad86abee3e31b2bc1b6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 4 Oct 2017 07:35:17 +0000 (09:35 +0200)]
libcurl: security bump to version 7.56.0
Drop upstreamed patch.
Fixes CVE-2017-1000254 - FTP PWD response parser out of bounds read:
https://curl.haxx.se/docs/adv_20171004.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9d95b93e5d36442979cdff7a9f3ee10b1eb9e0c7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When c-ares is not enabled libcurl enables the threaded DNS resolver by
default. Make sure the threaded resolvers is disabled when the toolchain
does not support threads.
Add upstream patch that fixes the configure option for disabling the
threaded resolver.
CVE-2017-7471 - 9p: virtfs allows guest to change filesystem attributes on
host
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit af0f2d2bbcaca9000e62b5388f4c3cd8e700c6ff) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 40c5fff46629ac4f0f55165f9c3594980a4700ef) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Andrey Yurovsky [Fri, 10 Feb 2017 19:08:15 +0000 (11:08 -0800)]
package: qemu: bump version to 2.8.0
This adds a CPU definition for the Cortex A7 along with improvements described
here: http://wiki.qemu-project.org/ChangeLog/2.8
Tested on an ARM Cortex A7 target (both target and host builds). The change log
does not describe any incompatible changes that would affect buildroot targets
as far as I am aware.
Signed-off-by: Andrey Yurovsky <yurovsky@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f56b13897b9f30c78d7ccd78a25b1e985179d2ab) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Evgeniy Didin [Fri, 22 Sep 2017 12:50:03 +0000 (15:50 +0300)]
qt: Allow enabling of QtWebKit with GCC 6+
Building Qt with QtWebKit on configuration step there is
a check which disables QtWebKit build with GCC 6+.
Back in the day nobody thought about building Qt with GCC
version greater than 5.x. And now with modern GCCs like
6.x and 7.x this assumption gets in the way.
Given in Buildroot today we don't have GCC older than 4.9
it should be safe to remove now meaningless check completely
by adding patch to qt.
Signed-off-by: Evgeniy Didin <didin@synopsys.com> Cc: Alexey Brodkin <abrodkin@synopsys.com> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f95bb8562ef02935d6fcf9b254060454e5be796c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Integer overflow in the decode_digit function in puny_decode.c in
Libidn2 before 2.0.4 allows remote attackers to cause a denial of
service or possibly have unspecified other impact.
This issue also affects libidn.
Unfortunately, the patch also triggers reconf of the documentation
subdirectory, since lib/punycode.c is listed in GDOC_SRC that is defined
in doc/Makefile.am. Add autoreconf to handle that.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 49cb795f7965328ce7a57cbc3736b0fc03919fe7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop meson changes for 2017.02.x] Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3a5d4db9549f6a777b06819bc00146a30d687d22) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Openjpeg is written in C, but with the move to CMake the build system now
errors out if a C++ compiler isn't available. Fix it by patching the
CMakeLists.txt to not require C++ support.
Peter Korsgaard [Wed, 13 Sep 2017 13:01:15 +0000 (15:01 +0200)]
bind: use http:// instead of ftp:// for site
To avoid issues with firewalls blocking ftp.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 771bb2d58d945ebd2909dc8ca5cccf30f189c581) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more details, see the release notes:
https://kb.isc.org/article/AA-01522
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f3e3b36159fa077400e7151b3e3d03082a897b2e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 21 Sep 2017 07:04:16 +0000 (09:04 +0200)]
gdk-pixbuf: security bump to version 2.36.10
Fixes the following security issues:
CVE-2017-2862 - An exploitable heap overflow vulnerability exists in the
gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A
specially crafted jpeg file can cause a heap overflow resulting in remote
code execution. An attacker can send a file or url to trigger this
vulnerability.
CVE-2017-2870 - An exploitable integer overflow vulnerability exists in the
tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with
Clang. A specially crafted tiff file can cause a heap-overflow resulting in
remote code execution. An attacker can send a file or a URL to trigger this
vulnerability.
CVE-2017-6311 - gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows
context-dependent attackers to cause a denial of service (NULL pointer
dereference and application crash) via vectors related to printing an error
message.
The host version now needs the same workaround as we do for the target to
not pull in shared-mime-info.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3853675ae03df209253c34d292eb3b9535e3f68c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gustavo Zacarias [Thu, 23 Feb 2017 19:44:48 +0000 (16:44 -0300)]
gdk-pixbuf: copy loaders.cache later on
Trying to copy loaders.cache from host-gdk-pixbuf to the gdk-pixbuf
build directory in the post-patch hook is too early when using TLP (it
breaks horribly) since host-gdk-pixbuf isn't built yet during the
massive unpack/patch cycle.
Switch it to the pre-build hook instead which ensures that gdk-pixbuf
dependencies were already built.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1f4e1656bc1176442671104acde1e4033377636e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gustavo Zacarias [Wed, 22 Feb 2017 19:14:08 +0000 (16:14 -0300)]
gdk-pixbuf: bump to version 2.36.5
This release needs a new tweak regarding loaders.cache - it's now used
to build the thumbnailer.
Since we already generate it using the host variant for the target we
can re-use this for the build step.
It's not necessary to used the tweaked version since the build one is
only used to account for mime types, not the plugins/loaders themselves.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 487b419cc647da18f04a98ee69c160705f0c44e8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes
- CVE-2017-12150 (SMB1/2/3 connections may not require signing where
they should)
- CVE-2017-12151 (SMB3 connections don't keep encryption across DFS
redirects)
- CVE-2017-12163 (Server memory information leak over SMB1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 18 Sep 2017 17:38:48 +0000 (19:38 +0200)]
cmake: explicitly disable openssl support for host-cmake
host-cmake will optionally link with openssl for the embedded copy of
libarchive if available, leaking host dependencies and possibly causing
build issues in case of compatibility issues - E.G. the host-cmake version
we have in 2017.02.x doesn't build against openssl-1.1.0+:
The openssl support in libarchive is unlikely to be needed, so explicitly
disable it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f87138339b17bc2b1d84c59ea176abb941413550) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 13 Sep 2017 12:13:01 +0000 (14:13 +0200)]
bluez5_utils: add upstream security fix for CVE-2017-1000250
Fixes CVE-2017-1000250 - All versions of the SDP server in BlueZ 5.46 and
earlier are vulnerable to an information disclosure vulnerability which
allows remote attackers to obtain sensitive information from the bluetoothd
process memory. This vulnerability lies in the processing of SDP search
attribute requests.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/imagemagick: security bump to version 7.0.7-1
Quoting CVE-related issues from
https://github.com/ImageMagick/ImageMagick/blob/master/ChangeLog
2017-07-29 7.0.6-5 Glenn Randers-Pehrson <glennrp@image...>
* Fix improper use of NULL in the JNG decoder (CVE-2017-11750, Reference
https://github.com/ImageMagick/ImageMagick/issues/632).
Petr Kulhavy [Mon, 11 Sep 2017 22:13:40 +0000 (00:13 +0200)]
download/git: force gzip compression level 6
Force gzip compression level 6 when calculating hash of a downloaded GIT repo.
To make sure the tar->gzip->checksum chain always provides consistent result.`
The script was relying on the default compression level, which must not be
necessarily consistent among different gzip versions. The level 6 is gzip's
current default compression level.
Signed-off-by: Petr Kulhavy <brain@jikos.cz> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 04a22cf1b521acb5634ed083e0381d42979d1698) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 09:44:59 +0000 (11:44 +0200)]
supervisor: security bump to version 3.1.4
Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x
before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote
authenticated users to execute arbitrary commands via a crafted XML-RPC
request, related to nested supervisord namespace lookups.
For more details, see
https://github.com/Supervisor/supervisor/issues/964
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 38a1c4821a163f932793a96e036f8fe451398506) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
projects / coffee / buildroot.git / log