Baruch Siach [Sun, 22 Oct 2017 14:00:08 +0000 (16:00 +0200)]
sqlite: add security patches
CVE-2017-13685: The dump_callback function in SQLite 3.20.0 allows
remote attackers to cause a denial of service (EXC_BAD_ACCESS and
application crash) via a crafted file.
CVE-2017-15286: SQLite 3.20.1 has a NULL pointer dereference in
tableColumnList in shell.c
because it fails to consider certain cases where
`sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
initialized.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d3c96bd5a6d3d64ab9c61104c6078b4bc89b12ec) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building Python 3.x on MIPS with musl fails because the libffi code
uses a "#ifdef linux" test to decide if we're building on Linux or
not. When building with -std=c99, "linux" is not defined, so instead
of including <asm/sgidefs.h>, libffi's code tries to include
<sgidefs.h>, which doesn't exist on musl.
The right fix is to use __linux__, which is POSIX compliant, and
therefore defined even when -std=c99 is used.
Note that glibc and uClibc were not affected because they do provide a
<sgidefs.h> header in addition to the <asm/sgidefs.h> one.
Signed-off-by: Mauro Condarelli <mc5686@mclink.it>
[Thomas: reformat patch with Git, add a better commit log and description.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 4852f05907cd365825f37c283a415a77ba1fcba9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add DEPENDENCIES_HOST_PREREQ to the list of packages
That way packages included in that list like ccache will also be
regarded as a normal packages for targets like external-deps,
show-targets or legal-info
Signed-off-by: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 862b76cfefc101943f09db2a73f5519f9a5bb2cb) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
dependencies: always use HOSTCC_NOCACHE for DEPENDENCIES_HOST_PREREQ
Currently, HOSTCC and HOSTCXX are set to their _NOCACHE variants in the
'dependencies' target. This is needed because at that time, ccache is
not built yet - host-ccache is one of the dependencies. However, because
this override is only specified for the 'dependencies' target (and
thereby gets inherited by its dependencies), the override is only
applied when the package is reached through the 'dependencies' target.
This is not the case when one of DEPENDENCIES_HOST_PREREQ is built
directly from the command line, e.g. when doing 'make host-ccache'. So
in that case, ccache will be built with ccache... which fails of
course.
To fix this, directly apply the override to the DEPENCIES_HOST_PREREQ
targets.
Note that this only fixes the issue for 'make host-ccache', NOT for
e.g. 'make host-ccache-configure'.
Notice: Not applying XSA-237..244 as they are x86 only and have patch file
name conflicts between 2017.02.x and master.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 90b9b457ecd5e6ebea9d48f36c030b95ca67059b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 22 Oct 2017 11:15:08 +0000 (13:15 +0200)]
lame: security bump to version 3.100
Fixes the following security issues:
CVE-2017-9410: fill_buffer_resample function in libmp3lame/util.c heap-based
buffer over-read and ap
CVE-2017-9411: fill_buffer_resample function in libmp3lame/util.c invalid
memory read and application crash
CVE-2017-9412: unpack_read_samples function in frontend/get_audio.c invalid
memory read and application crash
Drop patches now upstream or no longer needed:
0001-configure.patch: Upstream as mentioned in patch description
0002-gtk1-ac-directives.patch: Upstream as mentioned in patch
description/release notes:
Resurrect Owen Taylor's code dated from 97-11-3 to properly deal with GTK1.
This was transplanted back from aclocal.m4 with a patch provided by Andres
Mejia. This change makes it easy to regenerate autotools' files with a simple
invocation of autoconf -vfi.
0003-msse.patch: Not needed as -march <x86-variant-with-msse-support>
nowadays implies -msse.
With these removed, autoreconf is no longer needed.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 7e3583dd558925a447eaa4367d659f39482fbbc0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 21 Oct 2017 17:20:33 +0000 (19:20 +0200)]
busybox: add upstream post-1.27.2 httpd fix
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ec58149009776f63767644f9a3409f420c271766) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Tue, 5 Sep 2017 12:20:05 +0000 (08:20 -0400)]
busybox: bump to version 1.27.2
Signed-off-by: Adam Duskett <aduskett@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 5cdb463e442d63f0ba361e7348d0ed56cb9b63d0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 21 Oct 2017 19:12:59 +0000 (21:12 +0200)]
musl: add upstream security fix for CVE-2017-15650
>From the upstream announcement:
http://www.openwall.com/lists/oss-security/2017/10/19/5
Felix Wilhelm has discovered a flaw in the dns response parsing for
musl libc 1.1.16 that leads to overflow of a stack-based buffer.
Earlier versions are also affected.
When an application makes a request via getaddrinfo for both IPv4 and
IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
nameservers configured in resolv.conf can reply to both the A and AAAA
queries with A results. Since A records are smaller than AAAA records,
it's possible to fit more addresses than the precomputed bound, and a
buffer overflow occurs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 209f42fd3a5f4357e22fb72f1597a6868566aabd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch fixes a bug with the BR2_TOOLCHAIN_HAS_THREADS variable
handling which causes CGO_ENABLED to be always 0.
Furthermore, it fixes the cross compilation options for the go
compiler: setting CGO_ENABLED should be done only for the target
compiler not the host one.
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Acked-by: Christian Stewart <christian@paral.in>
(cherry picked from commit 80ea21bc3c2147adf810731b0b242e94a3ad294e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains bugfixes (many of them related to rendering, plus one
important fix for touch input) and many security fixes.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6d623e72770534c8e40e5afd7aa8fb77e49d1974) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
No corresponding WebKit Security Advisory (WSA) has been published.
All patches have been applied upstream.
This also bumps the required target GCC version, due to the WebKit code
now using more modern C++ features which were introduced in version
5.x of the compiler.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Arnout:
- propagate dependency to midori;
- mention in commit message why patches were removed.] Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 905b1ab5c21f39f9cd1777f6d5745c90d863da4b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Lothar Felten [Fri, 20 Oct 2017 11:19:17 +0000 (13:19 +0200)]
Config.in: fix help comment for gcc optimization
The default for is set to BR2_OPTIMIZE_S, the help comment designated
BR2_OPTIMIZE_0 as default.
Changed the help comment to show that BR2_OPTIMIZE_S is the default.
Signed-off-by: Lothar Felten <lothar.felten@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 4e09fd8bdef6ddea1097f91df07515abde389cd0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Alexander Mukhin [Wed, 18 Oct 2017 09:34:06 +0000 (12:34 +0300)]
wpa_supplicant: fix upstream URL
wpa_supplicant project URL has been changed to w1.fi/wpa_supplicant.
The old domain epitest.fi has expired.
Signed-off-by: Alexander Mukhin <alexander.i.mukhin@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 38e36cd0e1ec55743766e48564d952e38ff40113) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: also add patch 0001 as suggested by Jörg Krause] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 57c0a485cc0a5681e772ddaf1c886e810d3d7ae4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5259c5c8058aa2c9608fd202c35477015a41c326) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Alexander Mukhin [Thu, 14 Sep 2017 15:11:14 +0000 (18:11 +0300)]
hostapd: fix upstream URL
hostapd project URL has been changed to w1.fi/hostapd.
The old domain epitest.fi has expired.
Signed-off-by: Alexander Mukhin <alexander.i.mukhin@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 8a2396b90aeb411a856335d976a427eed6e115bc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 12 Oct 2017 21:17:52 +0000 (23:17 +0200)]
libnss: security bump to version 3.33
Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
Network Security Service library, is prone to a use-after-free vulnerability
in the TLS 1.2 implementation when handshake hashes are generated. A remote
attacker can take advantage of this flaw to cause an application using the
nss library to crash, resulting in a denial of service, or potentially to
execute arbitrary code.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 746502418fbf603464efe0dfc77c6bc10b10603e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 12 Oct 2017 21:17:51 +0000 (23:17 +0200)]
libnspr: bump version to 4.17
libnss 3.33 needs libnspr >= 4.17.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b1363093248b6198eab285124b2c87411155a0a1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Cam Hutchison [Sun, 15 Oct 2017 00:57:19 +0000 (11:57 +1100)]
ifupdown-scripts: do not install .empty files
ifupdown-scripts has some .empty files to maintain empty directories
in git. Previously this package used to be part of the skeleton which
used SYSTEM_RSYNC to copy the directories to the target. When it was
split into a separate package, cp -a was used to do the copy instead,
which copies the .empty files.
Change to SYSTEM_RSYNC which excludes .empty files.
Signed-off-by: Cam Hutchison <camh@xdna.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 58b74e0dbf9b22d7dbc11127c29e23e234a9e8cf) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
support/kconfig: fix usage typo and align verb tenses
Fix typo 'selectes' -> 'selects'.
Additionally, change 'will exclude' to 'excludes' to align with 'selects'.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 787f4fee7184e4b86343a1d6d60c303622d458b9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 46a54b6464d09edc36ae0d1d041f89ffd77b3ea1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/nginx/S50nginx: Do not assume start-stop-daemon knows -R.
start-stop-daemon fails on -R when not compiled with
CONFIG_FEATURE_START_STOP_DAEMON_FANCY. Thus, do not rely on -R
during stop to avoid a race condition during restart.
Use a sleep 1 during restart instead, as suggested by Peter Korsgaard
in <87bmluk4bm.fsf@dell.be.48ers.dk>.
Signed-off-by: Thomas Claveirole <thomas.claveirole@green-communications.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 99b8044a6714e925c504c0e3fc46f3730e0fe572) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Timothy Lee [Tue, 26 Sep 2017 06:04:33 +0000 (16:04 +1000)]
musl: add patch to fix build on ARMv4 with new binutils
New binutils (since 2.27.51) cannot build musl-1.1.16 due to breakage in ARMv4
atomics asm. This patch from upstream musl repository is needed until
musl-1.1.17 is released:
https://git.musl-libc.org/cgit/musl/commit/?id=b261a24256792177a5f0531dbb25cc6267220ca5
Signed-off-by: Timothy Lee <timothy.ty.lee@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 27cf2d3baf879f7314f12787982d8f4a5b4218cf) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dropped IUCODE_TOOL_CONF_ENV after version 2.2 added a configure check
for libargp:
https://gitlab.com/iucode-tool/iucode-tool/commit/b14bed6771e7ab48371b272a0c68dd017767142a
Added hash for license file.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1462c07914f5e53cb7816ad86abee3e31b2bc1b6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libressl: fix musl build with older kernel headers
musl provides its own SYS_getrandom definition, but not GRND_NONBLOCK.
This breaks the build with kernel headers older than v3.17. Add a patch
adding a local definition of GRND_NONBLOCK to fix the build.
The following defconfig reproduces the build failure:
The getentropy_linux.c file is in upstream tarball, but not in its git
repository. It originates from OpenBSD. For this reason the patch is
against the tarball, but not git formatted.
Cc: Adam Duskett <aduskett@gmail.com> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
[Arnout: change filename to correspond to how git creates it] Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7adc268b58a1eea9967ed5c7a3b7b4471575d73a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 4 Oct 2017 07:35:17 +0000 (09:35 +0200)]
libcurl: security bump to version 7.56.0
Drop upstreamed patch.
Fixes CVE-2017-1000254 - FTP PWD response parser out of bounds read:
https://curl.haxx.se/docs/adv_20171004.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9d95b93e5d36442979cdff7a9f3ee10b1eb9e0c7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-7471 - 9p: virtfs allows guest to change filesystem attributes on
host
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit af0f2d2bbcaca9000e62b5388f4c3cd8e700c6ff) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 28 Sep 2017 17:55:04 +0000 (14:55 -0300)]
qemu: drop obsolete "--disable-uuid" configuration parameter
./configure: --disable-uuid is obsolete, UUID support is always built
Change-Id: I9e278418d19e15bbbd3ea233658cd62f75e3385c Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f911406f4f36cb6be4bc82d7faae1a3c4f07fc59) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
/home/test/autobuild/run/instance-1/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libcrypto.a(c_zlib.o):
In function `zlib_stateful_expand_block':
c_zlib.c:(.text+0x54): undefined reference to `inflate'
/home/test/autobuild/run/instance-1/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libcrypto.a(c_zlib.o):
In function `zlib_stateful_compress_block':
c_zlib.c:(.text+0xd4): undefined reference to `deflate'
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit d2268adf5b9e19fba6094f53e397168c8a4b8abb) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Evgeniy Didin [Fri, 22 Sep 2017 12:50:03 +0000 (15:50 +0300)]
qt: Allow enabling of QtWebKit with GCC 6+
Building Qt with QtWebKit on configuration step there is
a check which disables QtWebKit build with GCC 6+.
Back in the day nobody thought about building Qt with GCC
version greater than 5.x. And now with modern GCCs like
6.x and 7.x this assumption gets in the way.
Given in Buildroot today we don't have GCC older than 4.9
it should be safe to remove now meaningless check completely
by adding patch to qt.
Signed-off-by: Evgeniy Didin <didin@synopsys.com> Cc: Alexey Brodkin <abrodkin@synopsys.com> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f95bb8562ef02935d6fcf9b254060454e5be796c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sun, 1 Oct 2017 15:21:30 +0000 (17:21 +0200)]
package/urg: fix extraction commands
Currently, the extraction commands entirely remove the urg directory,
which means the downloaded stamp will get removed, and thus a subsequent
build would try to re-download it.
It turns out that the directory extracted by urg is already correctly
named, so we just need to extract out of the build directory. This
highly simplifies the command.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9e943e852286d1f3f14b7f55e96c1e550affe571) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The configure test for NIS and NIS+ looks for the ypcat and nisls host
utilities, respectively. This is not compatible with cross compilation.
Disable both unconditionally.
Johan Oudinet [Mon, 25 Sep 2017 16:34:31 +0000 (18:34 +0200)]
ejabberd: Replace $(HOST_DIR) to /usr in ERL path
Previously, it was working by luck. Buildroot has fixed its definition
of HOST_DIR and pkg-autotools.mk uses the classical /usr prefix. So,
fix this sed expression to correctly replace $(HOST_DIR) by /usr in ERL
path.
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e6156615ecfb59d71aa5875fc206e4f1da80aec5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We sanity-check the host executables that they have a correct RPATH
pointing to the host libraries.
This is currently done by looking for all files in $(HOST_DIR) that
match the 'ELF executable' pattern (a bit more complex, but that's
idea).
However, when an executable is built with -fPIE of -fpie, it no longer
appears to be an 'ELF executable', but it rather looks like an 'ELF
sheard object' (like if it were an library.
So, we miss those files.
It turns out that the problem is a real one, because quite a few
mainline distros, expecially those based on Debian for example, have
already switched to generating PIE code by default, and thus we miss on
a whole class of systems..
We fix that by simply looking if we can find an ELF interpreter in each
file. If we there is one, this is an ELF executable; if not, it may be
anything else: we don't care (not even about ELF libraries).
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Arnout Vandecappelle <arnout@mind.be> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* On stop, use start-stop-daemon -R 1 to wait for the nginx processes
to actually stop. This fixes a race condition with restart, where
nginx fails to restart because start is called too early
w.r.t. stop. (This only works with Debian's start-stop-daemon,
however BusyBox's start-stop-daemon does not fail when given -R; it
just ignores the argument silently).
* Implement reload with an actual reload instead of a restart.
* Add force-reload.
Signed-off-by: Thomas Claveirole <thomas.claveirole@green-communications.fr> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 23094a0df9fc287f1c83fe2561a076d80c213015) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 13 Sep 2017 13:01:15 +0000 (15:01 +0200)]
bind: use http:// instead of ftp:// for site
To avoid issues with firewalls blocking ftp.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 771bb2d58d945ebd2909dc8ca5cccf30f189c581) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more details, see the release notes:
https://kb.isc.org/article/AA-01522
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f3e3b36159fa077400e7151b3e3d03082a897b2e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Integer overflow in the decode_digit function in puny_decode.c in
Libidn2 before 2.0.4 allows remote attackers to cause a denial of
service or possibly have unspecified other impact.
This issue also affects libidn.
Unfortunately, the patch also triggers reconf of the documentation
subdirectory, since lib/punycode.c is listed in GDOC_SRC that is defined
in doc/Makefile.am. Add autoreconf to handle that.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 49cb795f7965328ce7a57cbc3736b0fc03919fe7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 21 Sep 2017 07:04:16 +0000 (09:04 +0200)]
gdk-pixbuf: security bump to version 2.36.10
Fixes the following security issues:
CVE-2017-2862 - An exploitable heap overflow vulnerability exists in the
gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A
specially crafted jpeg file can cause a heap overflow resulting in remote
code execution. An attacker can send a file or url to trigger this
vulnerability.
CVE-2017-2870 - An exploitable integer overflow vulnerability exists in the
tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with
Clang. A specially crafted tiff file can cause a heap-overflow resulting in
remote code execution. An attacker can send a file or a URL to trigger this
vulnerability.
CVE-2017-6311 - gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows
context-dependent attackers to cause a denial of service (NULL pointer
dereference and application crash) via vectors related to printing an error
message.
The host version now needs the same workaround as we do for the target to
not pull in shared-mime-info.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3853675ae03df209253c34d292eb3b9535e3f68c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes
- CVE-2017-12150 (SMB1/2/3 connections may not require signing where
they should)
- CVE-2017-12151 (SMB3 connections don't keep encryption across DFS
redirects)
- CVE-2017-12163 (Server memory information leak over SMB1)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 48fcf6eaec352019356ec5554b3b6519ddf2e50d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7555 - Augeas versions up to and including 1.8.0 are
vulnerable to heap-based buffer overflow due to improper handling of escaped
strings. Attacker could send crafted strings that would cause the
application using augeas to copy past the end of a buffer, leading to a
crash or possible code execution.
[Peter: extend description] Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 74ac045c80893177fc7a8b3672245bb9ab132773) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 18 Sep 2017 17:38:48 +0000 (19:38 +0200)]
cmake: explicitly disable openssl support for host-cmake
host-cmake will optionally link with openssl for the embedded copy of
libarchive if available, leaking host dependencies and possibly causing
build issues in case of compatibility issues - E.G. the host-cmake version
we have in 2017.02.x doesn't build against openssl-1.1.0+:
The openssl support in libarchive is unlikely to be needed, so explicitly
disable it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f87138339b17bc2b1d84c59ea176abb941413550) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/bluez5_utils: security bump version to 5.47
Fixes CVE-2017-1000250 - All versions of the SDP server in BlueZ 5.46 and
earlier are vulnerable to an information disclosure vulnerability which
allows remote attackers to obtain sensitive information from the bluetoothd
process memory. This vulnerability lies in the processing of SDP search
attribute requests.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 48fec2f39f31416e2066396dfa7dc05cae3a956c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/imagemagick: security bump to version 7.0.7-1
Quoting CVE-related issues from
https://github.com/ImageMagick/ImageMagick/blob/master/ChangeLog
2017-07-29 7.0.6-5 Glenn Randers-Pehrson <glennrp@image...>
* Fix improper use of NULL in the JNG decoder (CVE-2017-11750, Reference
https://github.com/ImageMagick/ImageMagick/issues/632).
When c-ares is not enabled libcurl enables the threaded DNS resolver by
default. Make sure the threaded resolvers is disabled when the toolchain
does not support threads.
Add upstream patch that fixes the configure option for disabling the
threaded resolver.
Petr Kulhavy [Mon, 11 Sep 2017 22:13:40 +0000 (00:13 +0200)]
download/git: force gzip compression level 6
Force gzip compression level 6 when calculating hash of a downloaded GIT repo.
To make sure the tar->gzip->checksum chain always provides consistent result.`
The script was relying on the default compression level, which must not be
necessarily consistent among different gzip versions. The level 6 is gzip's
current default compression level.
Signed-off-by: Petr Kulhavy <brain@jikos.cz> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 04a22cf1b521acb5634ed083e0381d42979d1698) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Max Filippov [Tue, 12 Sep 2017 03:37:43 +0000 (20:37 -0700)]
package/gcc: fix ICE on xtensa, PR target/82181
Memory references to DI mode objects could incorrectly be created at
offsets that are not supported by instructions l32i/s32i, resulting in
ICE at a stage when access to the object is split into access to its
subwords:
drivers/staging/rtl8188eu/core/rtw_ap.c:445:1:
internal compiler error: in change_address_1, at emit-rtl.c:2126
Fixes: https://lkml.org/lkml/2017/9/10/151 Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4fecb16cef7eec92d12d794348579cfd0ed756b7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 09:44:59 +0000 (11:44 +0200)]
supervisor: security bump to version 3.1.4
Fixes CVE-2017-11610 - The XML-RPC server in supervisor before 3.0.1, 3.1.x
before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote
authenticated users to execute arbitrary commands via a crafted XML-RPC
request, related to nested supervisord namespace lookups.
For more details, see
https://github.com/Supervisor/supervisor/issues/964
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 38a1c4821a163f932793a96e036f8fe451398506) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 09:17:55 +0000 (11:17 +0200)]
ruby: add upstream security patches bumping rubygems to 2.6.13
We unfortunately cannot use the upstream patches directly as they are not in
'patch -p1' format, so convert them and include instead.
Fixes:
CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications that include terminal escape
characters. Printing the gem specification would execute terminal escape
sequences.
CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications to cause a denial of service attack
against RubyGems clients who have issued a `query` command.
CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
specification names, allowing a maliciously crafted gem to potentially
overwrite any file on the filesystem.
CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
hijacking vulnerability that allows a MITM attacker to force the RubyGems
client to download and install gems from a server that the attacker
controls.
For more details, see
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0e5448af5091ee208fdd38a4e221f444085dd0c8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 478ee139b2c34d34ec64f1a975c1b18dfbbd36d4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2016-8687: Stack-based buffer overflow in the safe_fprintf function
in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a
denial of service via a crafted non-printable multibyte character in a
filename.
CVE-2016-8688: The mtree bidder in libarchive 3.2.1 does not keep track
of line sizes when extending the read-ahead, which allows remote
attackers to cause a denial of service (crash) via a crafted file, which
triggers an invalid read in the (1) detect_form or (2) bid_entry
function in libarchive/archive_read_support_format_mtree.c.
CVE-2016-8689: The read_Header function in
archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote
attackers to cause a denial of service (out-of-bounds read) via multiple
EmptyStream attributes in a header in a 7zip archive.
CVE-2016-10209: The archive_wstring_append_from_mbs function in
archive_string.c in libarchive 3.2.2 allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash) via a
crafted archive file.
CVE-2016-10349: The archive_le32dec function in archive_endian.h in
libarchive 3.2.2 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted file.
CVE-2016-10350: The archive_read_format_cab_read_header function in
archive_read_support_format_cab.c in libarchive 3.2.2 allows remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) via a crafted file.
CVE-2017-5601: An error in the lha_read_file_header_1() function
(archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote
attackers to trigger an out-of-bounds read memory access and
subsequently cause a crash via a specially crafted archive.
Add upstream patch fixing the following issue:
CVE-2017-14166: libarchive 3.3.2 allows remote attackers to cause a
denial of service (xml_data heap-based buffer over-read and application
crash) via a crafted xar archive, related to the mishandling of empty
strings in the atol8 function in archive_read_support_format_xar.c.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f871b21c89e41dfddd60bb25cf55610cd4081eba) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
qt: add patch fixing build failure on ARMv8 in 32-bit mode
The Qt package currently fails to build on ARMv8 cores in 32-bit mode
(for example, if you select ARM and then Cortex-A53), because the ARM
atomic operation implementation in Qt checks if we're on ARMv7, then
on ARMv6, and otherwise falls back to an ARMv5 implementation. The
latter uses the swp instruction, which doesn't exist on ARMv8, causing
a build failure.
To solve this, we simply add a patch that uses the ARMv7 atomic
operations for ARMv8-A.
There is no autobuilder reference because we don't have any ARMv8
32-bit configuration in the autobuilders.
Cc: <ivychend@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 95389fe98c882f70cbbd25dc1c7ea1480991acef) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 21:21:33 +0000 (23:21 +0200)]
libzip: security bump to version 1.3.0
Fixes the following security issues:
CVE-2017-12858: Double free vulnerability in the _zip_dirent_read function
in zip_dirent.c in libzip allows attackers to have unspecified impact via
unknown vectors.
CVE-2017-14107: The _zip_read_eocd64 function in zip_open.c in libzip before
1.3.0 mishandles EOCD records, which allows remote attackers to cause a
denial of service (memory allocation failure in _zip_cdir_grow in
zip_dirent.c) via a crafted ZIP archive.
For more details, see
https://blogs.gentoo.org/ago/2017/09/01/libzip-use-after-free-in-_zip_buffer_free-zip_buffer-c/
https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/
libzip-1.3.0 also adds optional bzip2 support, so handle that.
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f77fb7b585b76b9c544b21fc3bf080660a54cb7b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 16:58:38 +0000 (18:58 +0200)]
unrar: security bump to version 5.5.8
Fixes the following security issues:
CVE-2017-12938 - UnRAR before 5.5.7 allows remote attackers to bypass a
directory-traversal protection mechanism via vectors involving a symlink to
the . directory, a symlink to the .. directory, and a regular file.
CVE-2017-12940 - libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read
in the EncodeFileName::Decode call within the Archive::ReadHeader15
function.
CVE-2017-12941 - libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read
in the Unpack::Unpack20 function.
CVE-2017-12942 - libunrar.a in UnRAR before 5.5.7 has a buffer overflow in
the Unpack::LongLZ function.
For more details, see
http://www.openwall.com/lists/oss-security/2017/08/14/3
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 322599744ca76d6b69960dc37c3cf3baea5dab2c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 7 Sep 2017 15:26:55 +0000 (17:26 +0200)]
strongswan: add upstream security patch
Fixes CVE-2017-11185: The gmp plugin in strongSwan before 5.6.0 allows
remote attackers to cause a denial of service (NULL pointer dereference and
daemon crash) via a crafted RSA signature.
For more details, see
https://www.strongswan.org/blog/2017/08/14/strongswan-vulnerability-%28cve-2017-11185%29.html
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2a59db1bb079dfd7cb40ffff7ac1cd550ff6662e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>