Baruch Siach [Wed, 7 Mar 2018 06:59:41 +0000 (08:59 +0200)]
ntp: fix build without SSP support
In version 4.2.8p11 ntp changed its configure script build hardening
parameter to '--with-hardenfile'. Update the parameter name to avoid
-fstack-protector-all when the toolchain does not support this option.
Baruch Siach [Tue, 6 Mar 2018 17:00:47 +0000 (19:00 +0200)]
ntp: security bump to version 4.2.8p11
Fixed or improved security issues:
CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
malicious authenticated peer can create arbitrarily-many ephemeral
associations in order to win the clock selection algorithm
CVE-2018-7182: Buffer read overrun leads to undefined behavior and
information leak
Adam Duskett [Tue, 7 Nov 2017 21:29:06 +0000 (16:29 -0500)]
ntp: no longer require openssl
4.2.8p10 no longer requires openssl to compile.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a2111258ace2fc4d01a6bb3d3287ec0115eef29) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The isc assertions from the bundled bind dns library are
using the __FILE__ macro for debug messages (see
dhcp-4.3.5/bind/bind-9.9.9-P3/lib/isc/include/isc/assertions.h).
Disabling the assertions gains:
- reproducible builds (no build time paths in the executable)
- space saving on the target:
dhcpd: 1.9M -> 1.6M
dhcrelay: 1.6M -> 1.3M
Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3d1a7a86205a31625a8d5e8666ae7eb357e0de75) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 1 Feb 2018 15:48:31 +0000 (16:48 +0100)]
Makefile, manual, website: Bump copyright year
Happy 2018!
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 676400379abfdb7d1346c12ab592a88012b2fd5b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Sat, 3 Mar 2018 18:09:37 +0000 (13:09 -0500)]
postgresql: security bump to 9.6.8
Helps mitigate CVE-2018-1058
see: https://www.postgresql.org/about/news/1834/ for more information bugfixes. Signed-off-by: Adam Duskett <aduskett@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Tue, 30 Jan 2018 04:07:19 +0000 (02:07 -0200)]
eudev: fix printf usage in init script
Using a variable in a printf format string may lead to undesirable
results if the variable contains format controls, so replace
printf "foo $var bar"
by
printf "foo %s bar" "$var"
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6298ed8bf46dd546d4ee7244136f2f9bad82ecad) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 3f568fe09948369831c36a713f5a47fe4c2d19b6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 28 Jan 2018 22:33:10 +0000 (23:33 +0100)]
dovecot: add upstream security fix for CVE-2017-15132
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL
authentication results in a memory leak in dovecot's auth client used by
login processes. The leak has impact in high performance configuration
where same login processes are reused and can cause the process to crash due
to memory exhaustion.
For more details, see:
http://www.openwall.com/lists/oss-security/2018/01/25/4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 28adb37be48566ede823969c284c1490b456530a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 28 Jan 2018 22:02:56 +0000 (23:02 +0100)]
openocd: add security fix for CVE-2018-5704
Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP
POST for sending data to 127.0.0.1 port 4444, which allows remote attackers
to conduct cross-protocol scripting attacks, and consequently execute
arbitrary commands, via a crafted web site.
For more details, see:
https://sourceforge.net/p/openocd/mailman/message/36188041/
CVE-2018-5336: Multiple dissectors could crash
https://www.wireshark.org/security/wnpa-sec-2018-01.html
For more information, see the release notes:
https://www.wireshark.org/docs/relnotes/wireshark-2.2.12.html
While we are at it, also add as hash for license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2d920ad1b40967ae9241eaaa551d7d13c19f1b14) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mark Hirota [Sat, 27 Jan 2018 01:08:43 +0000 (17:08 -0800)]
ccache: bump to version 3.3.5
(Likely) fixes #10536
https://bugs.buildroot.org/show_bug.cgi?id=10536
Signed-off-by: Mark Hirota <markhirota@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 01955b5b6ed6999295d108db789d44c6fc370efc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Fri, 26 Jan 2018 00:16:52 +0000 (22:16 -0200)]
util-linux: disable useless programs in the host package
Disable all programs that depend on ncurses, as well as utilities that
are useless on the host: agetty, chfn-chsh, chmem, login, lslogins,
mesg, more, newgrp, nologin, nsenter, pg, rfkill, schedutils, setpriv,
setterm, su, sulogin, tunelp, ul, unshare, uuidd, vipw, wall, wdctl,
write, zramctl.
Also add dependency on host-zlib if host cramfs utils are to be built.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 67170b76af912bebcdab3aa88a4ac9e5b35d6273) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE-2018-4088, CVE-2017-13885,
CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, CVE-2017-7153,
CVE-2017-7153, CVE-2017-7161, and CVE-2018-4096. Additionally, it solves
a GStreamer deadlock when stopping video playback, and contains fixes
and improvements for the WebDriver implementation.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 54798893b858c597eb70c387400866bfbfb9f0be) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Nowadays libtasn1 is always required and if not present the CMake
configuration step would fail.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d052ed473dfbee1eabe9eca1185cea5d3e743b9f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gary Bisson [Wed, 24 Jan 2018 17:15:38 +0000 (18:15 +0100)]
fis: fix typo in build command
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 840d1a8d56eb3807b1f2b3ab16974f2f0abe9c94) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SQUID-2018:2 Due to incorrect pointer handling Squid is vulnerable to
denial of service attack when processing ESI responses or downloading
intermediate CA certificates.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f481c83b96c76d59a420e5f6559c02cb5d329d3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 22 Jan 2018 19:54:16 +0000 (20:54 +0100)]
squid: bump version to 3.5.27
And add a hash for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 001b834aacef82a6205f5b319037d42d0fdb13cd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a5dd72181e1a79ffe65c788a2c1db9acdf6aa933) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Ed Blake [Thu, 18 Jan 2018 18:05:31 +0000 (18:05 +0000)]
rpcbind: Backport fixes to memory leak security fix
Commit 954509f added a security fix for CVE-2017-8779, involving
pairing all svc_getargs() calls with svc_freeargs() to avoid a memory
leak. However it also introduced a couple of issues:
- The call to svc_freeargs() from rpcbproc_callit_com() may result in
an attempt to free static memory, resulting in undefined behaviour.
- A typo in the svc_freeargs() call from pmapproc_dump() causes NIS
(aka ypbind) to fail.
Backport upstream fixes for these issues to version 0.2.3.
Signed-off-by: Ed Blake <ed.blake@sondrel.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 5a9a95d0eb15c189f1361c12c105eb0ba8842c77) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
iputils: fix ping and traceroute6 executable permissions
The iputils executables are installed without the setuid bit set,
which prevents some programs from working.
This patch adds a permission table to fix the permissions of the ping
and traceroute6 executables.
Signed-off-by: Einar Jon Gunnarsson <tolvupostur@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b0e2d00289eeb1a7201ba49e5cedfd3175f92140) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 17 Jan 2018 07:42:43 +0000 (08:42 +0100)]
bind: security bump to version 9.11.2-P1
Fixes the following security issue:
CVE-2017-3145: Improper sequencing during cleanup can lead to a
use-after-free error, triggering an assertion failure and crash in
named.
For more details, see the advisory:
https://lists.isc.org/pipermail/bind-announce/2018-January/001072.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d72a2b9247d885c4fc5c2ca6066d3ae6a27a8653) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot's "make nconfig" command stopped working a while ago on
Gentoo systems. Running the command would result in a crash.
The issue is caused by lxdialog's cflags which are also used to build
nconfig; It would detect *ncursesw* and turn on WIDECHAR support --
but the Makefile would still link to plain *ncurses* while building
nconfig (which was built without WIDECHAR support).
This would cause a crash after using *wattrset* on a WINDOW instance.
WIDECHAR *wattrset* would try to set the _color member in the WINDOW
struct which does not exist in the NON-WIDECHAR ncurses instance. It
would end up clobbering data outside the struct (usually _line entries).
An upstream patch fixes the issue, so we're applying it to Buildroot's
kconfig.
Signed-off-by: Guillermo A. Amaral <g@maral.me> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 8aa4ee2b02abe2a04b15ee3ef53887ade9a4afc4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Tue, 9 Jan 2018 20:13:06 +0000 (21:13 +0100)]
package/ti-cgt-pru: bump to 2.2.1
See: http://www.ti.com/tool/download/PRU-CGT-2-2
The ti-cgt-pru v2.1.x installer are affected by a bug with recent
distribution (Fedora 27 and Ubuntu 17.10) using kernel 4.13 or 4.14
with a glibc 2.26.
The installer is stuck in a futex(wait) system call.
Signed-off-by: Romain Naour <romain.naour@gmail.com> Cc: Ash Charles <ash.charles@savoirfairelinux.com> Cc: Matthew Weber <matthew.weber@rockwellcollins.com> Tested-by: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0e162b932d67668a4f075da803efb62b01ec917d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 22:14:02 +0000 (23:14 +0100)]
system: only expose getty options for busybox and sysvinit
Only busybox and sysvinit handle the BR2_TARGET_GENERIC_GETTY_TERM and
BR2_TARGET_GENERIC_GETTY_OPTIONS options; the other init systems do
not.
So, protect those options behind appropriate dependencies on busybox
or sysvinit.
Fixes #10301.
Reported-by: Michael Heinemann <posted@heine.so> Suggested-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 5e23eb5da7b3848cc6b317af9d8c23aac3a13260) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 10 Jan 2018 22:03:03 +0000 (23:03 +0100)]
mcookie: correct wrong memset argument
Fixes #10216
Building mcookie generates a warning about possible wrong arguments to
memset:
mcookie.c:207:26: warning: argument to ‘sizeof’ in ‘memset’ call is the same expression
as the destination; did you mean to dereference it? [-Wsizeof-pointer-memaccess]
memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
ctx is a pointer to a structure, so the code should use the size of the
structure and not the size of the pointer when it tries to clear the
structure, similar to how it got fixed upstream back in 2009:
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 40f4191f2a1246b792ffc0c02b6c9bd2d62649f2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 22:40:52 +0000 (23:40 +0100)]
lz4: install programs as well as libraries
Prior to commit 8ad38a4fc2007df4bee9a941aed46c8771b6a84c
("package/lz4: bump version to r131"), the lz4 package was installing
both libraries and programs, but this commit changed the behavior to
only install libraries.
The contributor might have been confused by the fact that the build
command was "$(MAKE) ... -C $(@D) liblz4", suggesting that only the
library was built. But since the install command was "$(MAKE) ... -C
$(@D) install", the programs were effectively built as part of the
install step, and installed as well.
Since it makes sense for lz4 to also installs its programs, this
commit adjusts the package accordingly.
It is worth mentioning that using the "all" target during the build
step is important. Indeed, otherwise the programs/Makefile has a
"default" target that doesn't build everything (especially the lz4c
program) and it end up being built as part of the install step, due to
how the makefile dependencies are handled in the lz4 project. To make
sure that everything gets built during the build step, we explicitly
use the "all" target.
Fixes bug #9996
Reported-by: Jamin Collins <jamin.collins@gmail.com> Initial-analysis-by: Arnout Vandecappelle <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f1c11f79a64387c1f1749550804f8aae0cfa7a7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Sun, 26 Mar 2017 19:52:39 +0000 (21:52 +0200)]
lz4: pass {TARGET,HOST}_CONFIGURE_OPTS in the environment
{TARGET,HOST}_CONFIGURE_OPTS are currently passed as $(MAKE) argument,
which causes some CPPFLAGS/CFLAGS defined by the package build system to
be overridden, leading to build failures. This commit changes the lz4
package to pass {TARGET,HOST}_CONFIGURE_OPTS through the environment to
avoid this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f4dc73568b08bd96aa659c5ef29226349dee05de) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 22:03:59 +0000 (23:03 +0100)]
busybox: don't remove S01logging when CONFIG_SYSLOGD is disabled
The current busybox.mk explicitly removes S01logging if CONFIG_SYSLOGD
is disabled in the Busybox configuration. However:
- This causes the removal of the S01logging script potentially
installed by another package (currently syslog-ng, rsyslog and
sysklogd can all install a S01logging script).
- We generally don't try to clean-up stuff that we may have installed
in a previous make invocation and that is no longer needed
following a configuration change.
Fixes bug #10176
Reported-by: Karl Krach <mail@kkrach.de> Fix-provided-by: Karl Krach <mail@kkrach.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 84e835ea9261b3e844f1a18489dd89253e3eb839) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 21:19:14 +0000 (22:19 +0100)]
package/kmsxx: don't install static libraries when BR2_SHARED_STATIC_LIBS=y
The kmsxx build system can only build either shared libraries *or*
static libraries, not both. Therefore, the build currently fails when
BR2_SHARED_STATIC_LIBS=y because we try to install the static
libraries, that haven't been built.
We fix this by not installing the static libraries when
BR2_SHARED_STATIC_LIBS=y, making BR2_SHARED_STATIC_LIBS=y essentially
the same as BR2_SHARED_LIBS=y for this package.
Fixes bug #10331.
Reported-by: Frederic MATHIEU <frederic.mathieu@dualis.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 28d5ca9c96f5144e86fac7ec6485fa5634cd6e97) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 10 Jan 2018 19:53:58 +0000 (20:53 +0100)]
package/avahi: fix typo in avahi_tmpfiles.conf
There is an obvious typo in avahi_tmpfiles.conf: avahi-autoipd is
badly spelled.
Fixes bug #10641.
Reported-by: Michael Heinemann <posted@heine.so> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c427ce4d9f54d9b6433969ecb0fc8a4a5a9ba9b5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains mitigations for CVE-2017-5753 and CVE-2017-5715, the
vulnerabilities known as the "Spectre" attack. It also contains a fix
which allows building the reference documentation with newer gtk-doc
versions.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4c5bc08ba3198075dcf6f96b34684d577cfe5a69) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 7 Jan 2018 21:03:18 +0000 (22:03 +0100)]
irssi: security bump to version 1.0.6
>From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):
Multiple vulnerabilities have been located in Irssi.
(a) When the channel topic is set without specifying a sender, Irssi
may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)
CVE-2018-5206 was assigned to this issue.
(b) When using incomplete escape codes, Irssi may access data beyond
the end of the string. (CWE-126) Found by Joseph Bisch.
CVE-2018-5205 was assigned to this issue.
(c) A calculation error in the completion code could cause a heap
buffer overflow when completing certain strings. (CWE-126) Found
by Joseph Bisch.
CVE-2018-5208 was assigned to this issue.
(d) When using an incomplete variable argument, Irssi may access data
beyond the end of the string. (CWE-126) Found by Joseph Bisch.
CVE-2018-5207 was assigned to this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit aebdb1cd4b4034542eb7c50fc4b6a265c5ba5c77) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Wed, 3 Jan 2018 17:39:52 +0000 (18:39 +0100)]
core/infra: fix build on toolchain without C++
Autotools-based packages that do not need C++ but check for it, and use
libtool, will fail to configure on distros that lack /lib/cpp.
This is the case for example on Arch Linux, where expat fails to build
with:
configure: error: in `/home/dkc/src/buildroot/build/build/expat-2.2.4':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
This is because libtool uses AC_PROC_CXXCPP, which can not be avoided,
and does require a cpp that passes some "sanity" checks (does not choke
on valid input, but does choke on invalid input). So we can use neither
/bin/false nor /bin/true...
We instead need something that can digest some basic C++ preprocessor
input. We can't use the target preprocessor: that does not work, because
it obviously has no C++ cupport:
arm-linux-cpp.br_real: error: conftest.cpp: C++ compiler not
installed on this system
We can however consider that the host machine does have a C++ compiler,
so we use the host' cpp, which is gcc's compiler wrapper that ends up
calling the host's C++ preprocessor.
That would give us a valid C++ preprocessor when we don't have one, in
fact. But autotools will then correctly fail anyway, because there is
indeed no C++ compiler at all, as we can see in this excerpt of a
configure log from expat:
checking whether we are using the GNU C++ compiler... no
checking whether false accepts -g... no
checking dependency style of false... none
checking how to run the C++ preprocessor... cpp
checking whether the false linker (/home/ymorin/dev/buildroot/O/host/bin/arm-linux-ld) supports shared libraries... yes
libtool.m4: error: problem compiling CXX test program
checking for false option to produce PIC... -DPIC
checking if false PIC flag -DPIC works... no
checking if false static flag works... no
checking if false supports -c -o file.o... no
checking if false supports -c -o file.o... (cached) no
checking whether the false linker (/home/ymorin/dev/buildroot/O/host/bin/arm-linux-ld) supports shared libraries... yes
So, using the host's C++ preprocessor (by way of gcc's wrapper) leads to
a working situation, where the end result is as expected.
Reported-by: Damien Riegel <damien.riegel@savoirfairelinux.com> Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Damien Riegel <damien.riegel@savoirfairelinux.com> Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Cc: Peter Korsgaard <peter@korsgaard.com> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit bd39d11d2eaa679f09ab49fd3e4cd5511a168d1c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-15365 - Replication in sql/event_data_objects.cc occurs before ACL
checks.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca1f2d266ddba2f530731e91ebbf792638cee8bb) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 12 Oct 2017 23:33:32 +0000 (20:33 -0300)]
coreutils: expand list of files moved from /usr/bin to /bin
BusyBox installs kill, link, mktemp, nice and printenv on /bin, so
ensure that coreutils replaces them.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 443897bce4b01eae98155ac947d3387e6a2f289e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Fri, 29 Dec 2017 20:26:08 +0000 (21:26 +0100)]
tar: do not build SELinux support for host variant
If we don't explicitly disable SELinux support in the host-tar build,
it might pick up system-wide installed SELinux libraries, causing the
tar in HOST_DIR/bin/ to depend on the host SELinux libraries, which is
not desirable to make the SDK portable/relocatable.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 121807c08927c0a0d04c965beb6a8785ea89e47f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sat, 23 Dec 2017 16:15:40 +0000 (17:15 +0100)]
package/matchbox-lib: correctly fix the .pc file
First, the .pc file was so far fixed as a post-configure hook of the
matchbox-fakekey package, by directly tweaking the .pc file installed in
staging by matchbox-lib. That's uterly wrong and bad.
So, we move the fix to matchbox-lib.
Second, it was incorreclty tweaking the .pc file when xlib_libXft was
not enabled, because only then a path to staging was present.
Third, even when xlib_libXft was enabled, the tweaking was still wrong,
because unnecessary.
Fix all that.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 84a2645e5b2600d28d91005937c17bec554dd4d1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Marcus Folkesson [Wed, 27 Dec 2017 12:35:55 +0000 (13:35 +0100)]
libiio: fix libavahi-client dependency
Avahi needs avahi-daemon and D-Bus to build avahi-client.
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 18e00edb7796790b1ac1a0f6982ab8e25e27c691) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 30 Dec 2017 23:34:32 +0000 (00:34 +0100)]
nodejs: security bump to version 6.12.2
Fixes CVE-2017-15896 - Node.js was affected by OpenSSL vulnerability
CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake
failure. The result was that an active network attacker could send
application data to Node.js using the TLS or HTTP2 modules in a way that
bypassed TLS authentication and encryption.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Tue, 26 Dec 2017 13:19:21 +0000 (14:19 +0100)]
package/mfgtools: bump to 0.02
Bump mfgtools to include the fix [1] for the C++ build issue reported
by the autobuilders.
This bump include only 4 small commits fixing memory leak and this
build issue.
Remove CPOL.htm (removed upstream) from MFGTOOLS_LICENSE_FILES but CPOL
license is still valid.
Add the README.txt file to MFGTOOLS_LICENSE_FILES since it contains
licensing informations:
Licenses:
- CPOL: MfgToolLib/XmlLite.CPP and XmlLite.h
- BSD: Others.
This is a maintenance release of the current stable WebKitGTK+ version,
which contains fixes for CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, and
CVE-2017-13856. Additionally, this release brings improvements in the
WebDriver spec-compliance, plugs several memory leaks in its GStreamer based
multimedia backend, and fixes a bug when handling cookie removal.
More details about the security fixes are provided in the following
WebKitGTK+ Security Advisory report:
https://webkitgtk.org/security/WSA-2017-0010.html
Last but not least, this new release includes the fix for honoring the
CMAKE_BUILD_TYPE value from CMake toolchain files and the corresponding
patch is removed.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fbf6a483e00a87fb561fa5fe9a423c4a14867f50) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit e7f82694cfe98f659ff08b5834e32f8996ca55c5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 19 Dec 2017 11:56:28 +0000 (12:56 +0100)]
rsync: add upstream security fix for CVE-2017-16548
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
does not check for a trailing '\0' character in an xattr name, which allows
remote attackers to cause a denial of service (heap-based buffer over-read
and application crash) or possibly have unspecified other impact by sending
crafted data to the daemon.
For more details, see:
https://bugzilla.samba.org/show_bug.cgi?id=13112
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7f33f1d848908975b513f852873ae4fdb2702183) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Damien Riegel [Mon, 18 Dec 2017 21:19:35 +0000 (16:19 -0500)]
lldpd: remove check on CXX compiler
lldpd currently depends on a C++ compiler to configure properly, but
the package doesn't select that option, so builds fail if
BR2_TOOLCHAIN_BUILDROOT_CXX is not selected with following errors:
checking how to run the C++ preprocessor... /lib/cpp
configure: error: in `/home/dkc/src/buildroot/build-zii/build/lldpd-0.9.4':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
This package actually builds fine without C++, so drop this check in
configure.ac. Attached patch has already been accepted upstream [1].
Peter Seiderer [Fri, 8 Dec 2017 21:29:52 +0000 (22:29 +0100)]
gdb: prevent installation of libbfd.so and libopcode.so
The gdb install target installs dynamic versions of libbfd and
libopcode, accidentally overwriting the binutils provided versions
(gdb itself links against the bundled static ones to avoid
version problems, so the dynamic ones are un-needed).
Prevent the installation by using the '--disable-install-libbfd'
configure option.
Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b54c7931952874a814e48df75093e13ad955604f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>