Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 63dfbca2c3ad509504e9118a49d396210917b079) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 28 Feb 2018 23:11:40 +0000 (00:11 +0100)]
mosquitto: security bump to version 1.4.15
Fixes CVE-2017-7651: Unauthenticated clients can send a crafted CONNECT
packet which causes large amounts of memory use in the broker. If multiple
clients do this, an out of memory situation can occur and the system may
become unresponsive or the broker will be killed by the operating system.
The fix addresses the problem by limiting the permissible size for CONNECT
packet, and by adding a memory_limit configuration option that allows the
broker to self limit the amount of memory it uses.
The hash of new tarball is not (yet) available through download.php, so use
a locally calculated hash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f4df4a18e5dd4702f842e61ee815f13afd93c366) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 11 Jul 2017 09:57:13 +0000 (11:57 +0200)]
mosquitto: bump version to 1.4.14
Drop CVE 2017-9868 patch as that is now upstream.
1.4.14 is a bugfix release, fixing significant websocket performance /
correctness issues.
Use HTTPS for the download as the server uses HSTS, thus saving a redirect.
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b76bf7669d6482e61a82be9cd5d3c8806dabba6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 2 Jul 2017 13:19:55 +0000 (15:19 +0200)]
mosquitto: clarify that patch hash is locally calculated
Commit e51d69a3b (mosquitto: specify that hash is taken from upstream)
changed the .hash description header, but the upstream hash only applies
to the tarball, not the patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1ef8c2239339f52e35572e485db306df9012d500) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 27 Feb 2018 21:26:52 +0000 (22:26 +0100)]
wavpack: add upstream security fixes
Fixes the following security issues:
CVE-2018-6767: A stack-based buffer over-read in the ParseRiffHeaderConfig
function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to
cause a denial-of-service attack or possibly have unspecified other impact
via a maliciously crafted RF64 file.
CVE-2018-7253: The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file
of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service
(heap-based buffer over-read) or possibly overwrite the heap via a
maliciously crafted DSDIFF file.
CVE-2018-7254: The ParseCaffHeaderConfig function of the cli/caff.c file of
WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global
buffer over-read), or possibly trigger a buffer overflow or incorrect memory
allocation, via a maliciously crafted CAF file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4de7e07e6efba7dae79a7f61f397864873272fd3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patches downloaded from Github are not stable, so bring them in the
tree.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0a2576d37ebb4175aea1daf3c14c947df39cdcaa) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 27 Feb 2018 08:55:41 +0000 (09:55 +0100)]
check-host-tar.sh: blacklist tar 1.30+
Tar 1.30 changed the --numeric-owner output for filenames > 100 characters,
leading to hash mismatches for the tar archives we create ourselves from
git. This is really a fix for a bug in earlier tar versions regarding
deterministic output, so it is unlikely to be reverted in later versions.
For more details, see:
http://lists.busybox.net/pipermail/buildroot/2018-January/211222.html
To work around this issue, blacklist tar 1.30+ similar to how we do it for
pre-1.17 versions so Buildroot falls back to building host-tar.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b8fa273d500b44153e9939f0a100e97db2ff63ed) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 27 Feb 2018 08:55:40 +0000 (09:55 +0100)]
dependencies.mk: check for valid host-tar before other host dependencies
host-{cmake,lzip,xz} needs host-tar to extract their source code tarball, so
we need to ensure that host-tar gets added to DEPENDENCIES_HOST_PREREQ
before these in case they are both needed, otherwise the tools will fail to
extract.
With the upcoming change to blacklist modern tar versions this situation is
likely to trigger more often.
The real solution to this issue is the <foo>_EXTRACT_DEPENDENCIES rework,
but that series is a bit too intrusive to add this close to 2018.02, so
therefore this hack.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7c09cb82b75f30eba7a9daaae5e77a604f6e49c1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-1000156: arbitrary command execution in ed-style patches.
Depend on MMU for now, because the patch adds a fork() call. Upstream
later switched to gnulib provided execute(), so this dependency can be
dropped on the next version bump.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f4a4df2084b923f29eca2130976ca10a7aa6b719) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c3e1d9849a72495f799b007260bbcdc61fc78da3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Fri, 23 Feb 2018 05:22:31 +0000 (07:22 +0200)]
patch: security bump to version 2.7.6
Fixes CVE-2016-10713: Out-of-bounds access within pch_write_line() in
pch.c can possibly lead to DoS via a crafted input file.
Add upstream patch fixing CVE-2018-6951: There is a segmentation fault,
associated with a NULL pointer dereference, leading to a denial of
service in the intuit_diff_type function in pch.c, aka a "mangled
rename" issue.
This bump does NOT fix CVE-2018-6952. See upstream bug #53133
(https://savannah.gnu.org/bugs/index.php?53133).
Add license file hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 38d8d86d31147ef83d1d79f67b7ae90e4cefaaea) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Fri, 23 Feb 2018 04:56:11 +0000 (06:56 +0200)]
mbedtls: security bump to version 2.7.0
CVE-2018-0487: Remote attackers can execute arbitrary code or cause a
denial of service (buffer overflow) via a crafted certificate chain that
is mishandled during RSASSA-PSS signature verification within a TLS or
DTLS session.
CVE-2018-0488: When the truncated HMAC extension and CBC are used,
allows remote attackers to execute arbitrary code or cause a denial of
service (heap corruption) via a crafted application packet within a TLS
or DTLS session.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3b7a59304a9c377b9aec1303d85a60d019b4b9b2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 19 Feb 2018 16:14:35 +0000 (17:14 +0100)]
exim: add upstream security fix
Fixes the following security issue:
CVE-2018-6789: Meh Chang discovered a buffer overflow flaw in a utility
function used in the SMTP listener of Exim, a mail transport agent. A
remote attacker can take advantage of this flaw to cause a denial of
service, or potentially the execution of arbitrary code via a specially
crafted message.
Dropped ChangeLog hunk and adjusted file path of upstream commit so it
applies to tarball.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8343069e2c3cc79ad14600816a772fcd7592e291) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 19 Feb 2018 15:50:59 +0000 (16:50 +0100)]
quagga: add upstream security fixes
Fixes the following security issues:
CVE-2018-5378
It was discovered that the Quagga BGP daemon, bgpd, does not
properly bounds check data sent with a NOTIFY to a peer, if an
attribute length is invalid. A configured BGP peer can take
advantage of this bug to read memory from the bgpd process or cause
a denial of service (daemon crash).
It was discovered that the Quagga BGP daemon, bgpd, can double-free
memory when processing certain forms of UPDATE message, containing
cluster-list and/or unknown attributes, resulting in a denial of
service (bgpd daemon crash).
It was discovered that the Quagga BGP daemon, bgpd, can enter an
infinite loop if sent an invalid OPEN message by a configured peer.
A configured peer can take advantage of this flaw to cause a denial
of service (bgpd daemon not responding to any other events; BGP
sessions will drop and not be reestablished; unresponsive CLI
interface).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 157a198d304224c12fa0d91d977a6619d021f5c6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2018-2562 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server : Partition). Supported versions that are affected are
5.5.58 and prior, 5.6.38 and prior and 5.7.19 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server as well as unauthorized update, insert or
delete access to some of MySQL Server accessible data.
CVE-2018-2622 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are 5.5.58
and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
CVE-2018-2640 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
CVE-2018-2665 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
CVE-2018-2668 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
CVE-2018-2612 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.38 and
prior and 5.7.20 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical data or all
MySQL Server accessible data and unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fcdaab19bb564af01016b6632736f98baecbd22c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
jq: compile as _GNU_SOURCE to fix segfault when compiled with gcc 6
When compiling host-jq with gcc 6+, running it gives an immediate segfault.
Reported upstream: https://github.com/stedolan/jq/issues/1598
The issue can be solved by compiling with _GNU_SOURCE as extra preprocessor
define. Once the issue is solved upstream, this change can be reverted.
As the issue will normally be the same for target, apply the same fix there.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 21114013e83a67fd6b84e1d911ee503be3f0e35d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 16 Mar 2018 21:35:29 +0000 (22:35 +0100)]
libvorbis: security bump to version 1.3.6
Fixes CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
Drop 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch and
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch as they are
now upstream, and add a hash for the license file while we're at it.
Peter Korsgaard [Fri, 16 Feb 2018 08:09:55 +0000 (09:09 +0100)]
libvorbis: add upstream security fixes
Fixes the following security issues:
CVE-2017-14632: Libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in info.c
when vi->channels<=0, a similar issue to Mozilla bug 550184.
CVE-2017-14633: In libvorbis 1.3.5, an out-of-bounds array read
vulnerability exists in the function mapping0_forward() in mapping0.c, which
may lead to DoS when operating on a crafted audio file with
vorbis_analysis().
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cc9282ae8c346c0b46fb249008696f6e9bc35f2c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Mon, 20 Nov 2017 15:03:25 +0000 (10:03 -0500)]
libxml2: bump to 2.9.7
Signed-off-by: Adam Duskett <aduskett@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit a54794e6525444f1031d468e2d16889df334b626) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Samuel Martin [Fri, 3 Nov 2017 10:36:53 +0000 (11:36 +0100)]
package/libxml2: add license hash
Signed-off-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit fd313f8dc610fc051f3f2c416e103d9a874caaa0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Mon, 2 Oct 2017 17:38:26 +0000 (20:38 +0300)]
dnsmasq: simplify build configuration
Drop direct sed'ing of config.h for HAVE_CONNTRACK, HAVE_LUASCRIPT, and
HAVE_DBUS. Use MAKE_OPTS COPTS parameters instead, like we do already
for all other options.
Rename DNSMASQ_ENABLE_LUA to DNSMASQ_TWEAK_LIBLUA since it now does only
that.
Merge two conntrack and three dbus conditional sections.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1042fea88aea4ebddcac5e215286394f1ad012b4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Wed, 7 Mar 2018 06:59:41 +0000 (08:59 +0200)]
ntp: fix build without SSP support
In version 4.2.8p11 ntp changed its configure script build hardening
parameter to '--with-hardenfile'. Update the parameter name to avoid
-fstack-protector-all when the toolchain does not support this option.
Baruch Siach [Tue, 6 Mar 2018 17:00:47 +0000 (19:00 +0200)]
ntp: security bump to version 4.2.8p11
Fixed or improved security issues:
CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
malicious authenticated peer can create arbitrarily-many ephemeral
associations in order to win the clock selection algorithm
CVE-2018-7182: Buffer read overrun leads to undefined behavior and
information leak
Adam Duskett [Tue, 7 Nov 2017 21:29:06 +0000 (16:29 -0500)]
ntp: no longer require openssl
4.2.8p10 no longer requires openssl to compile.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a2111258ace2fc4d01a6bb3d3287ec0115eef29) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The isc assertions from the bundled bind dns library are
using the __FILE__ macro for debug messages (see
dhcp-4.3.5/bind/bind-9.9.9-P3/lib/isc/include/isc/assertions.h).
Disabling the assertions gains:
- reproducible builds (no build time paths in the executable)
- space saving on the target:
dhcpd: 1.9M -> 1.6M
dhcrelay: 1.6M -> 1.3M
Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3d1a7a86205a31625a8d5e8666ae7eb357e0de75) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 1 Feb 2018 15:48:31 +0000 (16:48 +0100)]
Makefile, manual, website: Bump copyright year
Happy 2018!
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 676400379abfdb7d1346c12ab592a88012b2fd5b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Sat, 3 Mar 2018 18:09:37 +0000 (13:09 -0500)]
postgresql: security bump to 9.6.8
Helps mitigate CVE-2018-1058
see: https://www.postgresql.org/about/news/1834/ for more information bugfixes. Signed-off-by: Adam Duskett <aduskett@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Tue, 30 Jan 2018 04:07:19 +0000 (02:07 -0200)]
eudev: fix printf usage in init script
Using a variable in a printf format string may lead to undesirable
results if the variable contains format controls, so replace
printf "foo $var bar"
by
printf "foo %s bar" "$var"
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6298ed8bf46dd546d4ee7244136f2f9bad82ecad) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 3f568fe09948369831c36a713f5a47fe4c2d19b6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 28 Jan 2018 22:33:10 +0000 (23:33 +0100)]
dovecot: add upstream security fix for CVE-2017-15132
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL
authentication results in a memory leak in dovecot's auth client used by
login processes. The leak has impact in high performance configuration
where same login processes are reused and can cause the process to crash due
to memory exhaustion.
For more details, see:
http://www.openwall.com/lists/oss-security/2018/01/25/4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 28adb37be48566ede823969c284c1490b456530a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 28 Jan 2018 22:02:56 +0000 (23:02 +0100)]
openocd: add security fix for CVE-2018-5704
Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP
POST for sending data to 127.0.0.1 port 4444, which allows remote attackers
to conduct cross-protocol scripting attacks, and consequently execute
arbitrary commands, via a crafted web site.
For more details, see:
https://sourceforge.net/p/openocd/mailman/message/36188041/
CVE-2018-5336: Multiple dissectors could crash
https://www.wireshark.org/security/wnpa-sec-2018-01.html
For more information, see the release notes:
https://www.wireshark.org/docs/relnotes/wireshark-2.2.12.html
While we are at it, also add as hash for license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2d920ad1b40967ae9241eaaa551d7d13c19f1b14) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mark Hirota [Sat, 27 Jan 2018 01:08:43 +0000 (17:08 -0800)]
ccache: bump to version 3.3.5
(Likely) fixes #10536
https://bugs.buildroot.org/show_bug.cgi?id=10536
Signed-off-by: Mark Hirota <markhirota@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 01955b5b6ed6999295d108db789d44c6fc370efc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Fri, 26 Jan 2018 00:16:52 +0000 (22:16 -0200)]
util-linux: disable useless programs in the host package
Disable all programs that depend on ncurses, as well as utilities that
are useless on the host: agetty, chfn-chsh, chmem, login, lslogins,
mesg, more, newgrp, nologin, nsenter, pg, rfkill, schedutils, setpriv,
setterm, su, sulogin, tunelp, ul, unshare, uuidd, vipw, wall, wdctl,
write, zramctl.
Also add dependency on host-zlib if host cramfs utils are to be built.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 67170b76af912bebcdab3aa88a4ac9e5b35d6273) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE-2018-4088, CVE-2017-13885,
CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, CVE-2017-7153,
CVE-2017-7153, CVE-2017-7161, and CVE-2018-4096. Additionally, it solves
a GStreamer deadlock when stopping video playback, and contains fixes
and improvements for the WebDriver implementation.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 54798893b858c597eb70c387400866bfbfb9f0be) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Nowadays libtasn1 is always required and if not present the CMake
configuration step would fail.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d052ed473dfbee1eabe9eca1185cea5d3e743b9f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gary Bisson [Wed, 24 Jan 2018 17:15:38 +0000 (18:15 +0100)]
fis: fix typo in build command
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 840d1a8d56eb3807b1f2b3ab16974f2f0abe9c94) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SQUID-2018:2 Due to incorrect pointer handling Squid is vulnerable to
denial of service attack when processing ESI responses or downloading
intermediate CA certificates.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f481c83b96c76d59a420e5f6559c02cb5d329d3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 22 Jan 2018 19:54:16 +0000 (20:54 +0100)]
squid: bump version to 3.5.27
And add a hash for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 001b834aacef82a6205f5b319037d42d0fdb13cd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a5dd72181e1a79ffe65c788a2c1db9acdf6aa933) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Ed Blake [Thu, 18 Jan 2018 18:05:31 +0000 (18:05 +0000)]
rpcbind: Backport fixes to memory leak security fix
Commit 954509f added a security fix for CVE-2017-8779, involving
pairing all svc_getargs() calls with svc_freeargs() to avoid a memory
leak. However it also introduced a couple of issues:
- The call to svc_freeargs() from rpcbproc_callit_com() may result in
an attempt to free static memory, resulting in undefined behaviour.
- A typo in the svc_freeargs() call from pmapproc_dump() causes NIS
(aka ypbind) to fail.
Backport upstream fixes for these issues to version 0.2.3.
Signed-off-by: Ed Blake <ed.blake@sondrel.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 5a9a95d0eb15c189f1361c12c105eb0ba8842c77) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
iputils: fix ping and traceroute6 executable permissions
The iputils executables are installed without the setuid bit set,
which prevents some programs from working.
This patch adds a permission table to fix the permissions of the ping
and traceroute6 executables.
Signed-off-by: Einar Jon Gunnarsson <tolvupostur@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b0e2d00289eeb1a7201ba49e5cedfd3175f92140) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 17 Jan 2018 07:42:43 +0000 (08:42 +0100)]
bind: security bump to version 9.11.2-P1
Fixes the following security issue:
CVE-2017-3145: Improper sequencing during cleanup can lead to a
use-after-free error, triggering an assertion failure and crash in
named.
For more details, see the advisory:
https://lists.isc.org/pipermail/bind-announce/2018-January/001072.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d72a2b9247d885c4fc5c2ca6066d3ae6a27a8653) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot's "make nconfig" command stopped working a while ago on
Gentoo systems. Running the command would result in a crash.
The issue is caused by lxdialog's cflags which are also used to build
nconfig; It would detect *ncursesw* and turn on WIDECHAR support --
but the Makefile would still link to plain *ncurses* while building
nconfig (which was built without WIDECHAR support).
This would cause a crash after using *wattrset* on a WINDOW instance.
WIDECHAR *wattrset* would try to set the _color member in the WINDOW
struct which does not exist in the NON-WIDECHAR ncurses instance. It
would end up clobbering data outside the struct (usually _line entries).
An upstream patch fixes the issue, so we're applying it to Buildroot's
kconfig.
Signed-off-by: Guillermo A. Amaral <g@maral.me> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 8aa4ee2b02abe2a04b15ee3ef53887ade9a4afc4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Tue, 9 Jan 2018 20:13:06 +0000 (21:13 +0100)]
package/ti-cgt-pru: bump to 2.2.1
See: http://www.ti.com/tool/download/PRU-CGT-2-2
The ti-cgt-pru v2.1.x installer are affected by a bug with recent
distribution (Fedora 27 and Ubuntu 17.10) using kernel 4.13 or 4.14
with a glibc 2.26.
The installer is stuck in a futex(wait) system call.
Signed-off-by: Romain Naour <romain.naour@gmail.com> Cc: Ash Charles <ash.charles@savoirfairelinux.com> Cc: Matthew Weber <matthew.weber@rockwellcollins.com> Tested-by: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0e162b932d67668a4f075da803efb62b01ec917d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 22:14:02 +0000 (23:14 +0100)]
system: only expose getty options for busybox and sysvinit
Only busybox and sysvinit handle the BR2_TARGET_GENERIC_GETTY_TERM and
BR2_TARGET_GENERIC_GETTY_OPTIONS options; the other init systems do
not.
So, protect those options behind appropriate dependencies on busybox
or sysvinit.
Fixes #10301.
Reported-by: Michael Heinemann <posted@heine.so> Suggested-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 5e23eb5da7b3848cc6b317af9d8c23aac3a13260) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 10 Jan 2018 22:03:03 +0000 (23:03 +0100)]
mcookie: correct wrong memset argument
Fixes #10216
Building mcookie generates a warning about possible wrong arguments to
memset:
mcookie.c:207:26: warning: argument to ‘sizeof’ in ‘memset’ call is the same expression
as the destination; did you mean to dereference it? [-Wsizeof-pointer-memaccess]
memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
ctx is a pointer to a structure, so the code should use the size of the
structure and not the size of the pointer when it tries to clear the
structure, similar to how it got fixed upstream back in 2009:
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 40f4191f2a1246b792ffc0c02b6c9bd2d62649f2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 22:40:52 +0000 (23:40 +0100)]
lz4: install programs as well as libraries
Prior to commit 8ad38a4fc2007df4bee9a941aed46c8771b6a84c
("package/lz4: bump version to r131"), the lz4 package was installing
both libraries and programs, but this commit changed the behavior to
only install libraries.
The contributor might have been confused by the fact that the build
command was "$(MAKE) ... -C $(@D) liblz4", suggesting that only the
library was built. But since the install command was "$(MAKE) ... -C
$(@D) install", the programs were effectively built as part of the
install step, and installed as well.
Since it makes sense for lz4 to also installs its programs, this
commit adjusts the package accordingly.
It is worth mentioning that using the "all" target during the build
step is important. Indeed, otherwise the programs/Makefile has a
"default" target that doesn't build everything (especially the lz4c
program) and it end up being built as part of the install step, due to
how the makefile dependencies are handled in the lz4 project. To make
sure that everything gets built during the build step, we explicitly
use the "all" target.
Fixes bug #9996
Reported-by: Jamin Collins <jamin.collins@gmail.com> Initial-analysis-by: Arnout Vandecappelle <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f1c11f79a64387c1f1749550804f8aae0cfa7a7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Sun, 26 Mar 2017 19:52:39 +0000 (21:52 +0200)]
lz4: pass {TARGET,HOST}_CONFIGURE_OPTS in the environment
{TARGET,HOST}_CONFIGURE_OPTS are currently passed as $(MAKE) argument,
which causes some CPPFLAGS/CFLAGS defined by the package build system to
be overridden, leading to build failures. This commit changes the lz4
package to pass {TARGET,HOST}_CONFIGURE_OPTS through the environment to
avoid this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f4dc73568b08bd96aa659c5ef29226349dee05de) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 22:03:59 +0000 (23:03 +0100)]
busybox: don't remove S01logging when CONFIG_SYSLOGD is disabled
The current busybox.mk explicitly removes S01logging if CONFIG_SYSLOGD
is disabled in the Busybox configuration. However:
- This causes the removal of the S01logging script potentially
installed by another package (currently syslog-ng, rsyslog and
sysklogd can all install a S01logging script).
- We generally don't try to clean-up stuff that we may have installed
in a previous make invocation and that is no longer needed
following a configuration change.
Fixes bug #10176
Reported-by: Karl Krach <mail@kkrach.de> Fix-provided-by: Karl Krach <mail@kkrach.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 84e835ea9261b3e844f1a18489dd89253e3eb839) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 21:19:14 +0000 (22:19 +0100)]
package/kmsxx: don't install static libraries when BR2_SHARED_STATIC_LIBS=y
The kmsxx build system can only build either shared libraries *or*
static libraries, not both. Therefore, the build currently fails when
BR2_SHARED_STATIC_LIBS=y because we try to install the static
libraries, that haven't been built.
We fix this by not installing the static libraries when
BR2_SHARED_STATIC_LIBS=y, making BR2_SHARED_STATIC_LIBS=y essentially
the same as BR2_SHARED_LIBS=y for this package.
Fixes bug #10331.
Reported-by: Frederic MATHIEU <frederic.mathieu@dualis.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 28d5ca9c96f5144e86fac7ec6485fa5634cd6e97) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 19:53:58 +0000 (20:53 +0100)]
package/avahi: fix typo in avahi_tmpfiles.conf
There is an obvious typo in avahi_tmpfiles.conf: avahi-autoipd is
badly spelled.
Fixes bug #10641.
Reported-by: Michael Heinemann <posted@heine.so> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c427ce4d9f54d9b6433969ecb0fc8a4a5a9ba9b5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>