Commit message | Author | Age | Files | Lines
* Update for 2018.11.4 (tags: 2018.11.4, 2018.11.x) | Peter Korsgaard | 2019-03-28 | 2 files, -2/+14

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/rdesktop: security bump to version 1.8.4 | Fabrice Fontaine | 2019-03-28 | 3 files, -135/+7

    - Switch site to github
    - Remove second patch (already in version)
    - Add hash for license file
    - Fix memory corruption in process_bitmap_data - CVE-2018-8794
    - Fix remote code execution in process_bitmap_data - CVE-2018-8795
    - Fix remote code execution in process_plane - CVE-2018-8797
    - Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175
    - Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175
    - Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176
    - Fix Denial of Service in sec_recv - CVE-2018-20176
    - Fix minor information leak in rdpdr_process - CVE-2018-8791
    - Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792
    - Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793
    - Fix Denial of Service in process_bitmap_data - CVE-2018-8796
    - Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798
    - Fix Denial of Service in process_secondary_order - CVE-2018-8799
    - Fix remote code execution in ui_clip_handle_data - CVE-2018-8800
    - Fix major information leak in ui_clip_handle_data - CVE-2018-20174
    - Fix memory corruption in rdp_in_unistr - CVE-2018-20177
    - Fix Denial of Service in process_demand_active - CVE-2018-20178
    - Fix remote code execution in lspci_process - CVE-2018-20179
    - Fix remote code execution in rdpsnddbg_process - CVE-2018-20180
    - Fix remote code execution in seamless_process - CVE-2018-20181
    - Fix remote code execution in seamless_process_line - CVE-2018-20182

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 992e84c49ebfdef2fbe2fa3d475e0a388cf59218)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/clamav: security bump to version 0.101.2 | Bernd Kuhls | 2019-03-28 | 2 files, -2/+2

    Release notes:
    https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html

    - Fixes for the following vulnerabilities affecting 0.101.1 and prior:
      - CVE-2019-1787: An out-of-bounds heap read condition may occur when
        scanning PDF documents. The defect is a failure to correctly keep
        track of the number of bytes remaining in a buffer when indexing
        file data.
      - CVE-2019-1789: An out-of-bounds heap read condition may occur when
        scanning PE files (i.e. Windows EXE and DLL files) that have been
        packed using Aspack as a result of inadequate bound-checking.
      - CVE-2019-1788: An out-of-bounds heap write condition may occur when
        scanning OLE2 files such as Microsoft Office 97-2003 documents. The
        invalid write happens when an invalid pointer is mistakenly used to
        initialize a 32bit integer to zero. This is likely to crash the
        application.
    - Fixes for the following vulnerabilities affecting 0.101.1 and 0.101.0 only:
      - CVE-2019-1786: An out-of-bounds heap read condition may occur when
        scanning malformed PDF documents as a result of improper
        bounds-checking.
      - CVE-2019-1785: A path-traversal write condition may occur as a result
        of improper input validation when scanning RAR archives. Issue
        reported by aCaB.
      - CVE-2019-1798: A use-after-free condition may occur as a result of
        improper error handling when scanning nested RAR archives. Issue
        reported by David L.

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 4037c0a39717df45d8fbaeb7dcaebaaa5cd2facb)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/clamav: link with libatomic when needed | Bernd Kuhls | 2019-03-28 | 1 file, -0/+4

    Configure check for OpenSSL fails:

    /accts/mlweber1/rclinux/rc-buildroot-test/scripts/instance-3/output/host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libcrypto.a(threads_pthread.o): In function `CRYPTO_atomic_add':
    threads_pthread.c:(.text+0x1dc): undefined reference to `__atomic_is_lock_free'
    threads_pthread.c:(.text+0x1f4): undefined reference to `__atomic_fetch_add_4'

    Fixes
    http://autobuild.buildroot.net/results/cae8da81adff3ba493154e0ba8b21d90367f82eb/

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 50610dccfaa7badd4a995693107280de07bfe742)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/clamav: needs wchar | Bernd Kuhls | 2019-03-28 | 1 file, -2/+4

    Fixes
    http://autobuild.buildroot.net/results/77c/77cd536a0fab78eabe27e055d28db2da354008d7/

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 25ff9dc1fb45e0325b51de4b0687766dee0888bc)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* clamav: needs C++ | Fabrice Fontaine | 2019-03-28 | 1 file, -2/+3

    clamav needs C++ since bump to version 0.101.1 and
    https://github.com/Cisco-Talos/clamav-devel/commit/d39cb6581f3c854476044f069d2393fc44702c36

    Fixes:
    - http://autobuild.buildroot.org/results/be14aa571309cda32a5963feed9fd7f220e87fe6

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 4d85d5038ec0a7fb127cd58a48dfd7113c9c22c4)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/clamav: bump version to 0.101.1 | Bernd Kuhls | 2019-03-28 | 3 files, -79/+2

    Removed patch applied upstream.

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 0e424610bc356aebb7325ca212f1095d152bb65b)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/swupdate: fix static build without lua | Fabrice Fontaine | 2019-03-28 | 1 file, -0/+62

    The lua_swupdate.so library was still built (without any object files)
    and linked against swupdate even when HAVE_LUA was not set. This fails
    in some static-only configurations.

    Fixes:
    - http://autobuild.buildroot.org/results/c11c4d26983e0347d96f3dda62e6d72b031967bb

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit b251f50c8d555bdbbd2f7bd378fdb3d3de7fe84d)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/git: use pkg-config to get ssl dependencies | Fabrice Fontaine | 2019-03-28 | 1 file, -2/+2

    On some architectures, atomic builtins are provided by the libatomic
    library from gcc. Linking with libatomic is therefore necessary,
    otherwise the build fails with:

    /home/test/autobuild/run/instance-2/output/host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libssl.a(ssl_cert.o): In function `CRYPTO_DOWN_REF':
    /home/test/autobuild/run/instance-2/output/build/libopenssl-1.1.1a/include/internal/refcount.h:50: undefined reference to `__atomic_fetch_sub_4'

    This is often for example the case on sparcv8 32 bit.

    To fix this issue, use pkg-config to retrieve openssl dependencies
    including atomic library, these dependencies must be passed to
    LIB_4_CRYPTO in GIT_MAKE_OPTS

    Fixes:
    - http://autobuild.buildroot.org/results/3093897d14a854a7252b25b2fa1f8fdcbb26c9b7

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 1ae9640a9fc11c315aeb989941d9555065da8b24)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/fetchmail: fix shared build | Fabrice Fontaine | 2019-03-28 | 1 file, -1/+1

    Update second patch to fix shared build

    Fixes:
    - http://autobuild.buildroot.org/results/c27b9c82e68ade29b45dc84ecce5fe6653fbb7da

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 3dc3b4c2798ff76666ba6b3b83ae5942b76e6091)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/fetchmail: use pkg-config to find openssl | Fabrice Fontaine | 2019-03-28 | 4 files, -36/+70

    openssl can have multiple dependencies such as libatomic on sparcv8
    32 bits so drop first patch and add a new patch to use pkg-config

    Fixes:
    - http://autobuild.buildroot.org/results/58e5aa7c6ba8fe7474071d7a3cba6ed3a1b4cff4

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 3aa3a72b45238c4cf240b947531d253a53a46d35)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/putty: fix build with uClibc | Baruch Siach | 2019-03-28 | 3 files, -1/+134

    Add patches fixing a number of build issues with uClibc. The issue
    fixed in patch #2 has been reported upstream. Patch #3 has been
    suggested by upstream but not applied yet.

    Drop the _SUBDIR assignment. The configure script moved to top level
    directory since upstream commit a947c49bec3 from 2014. This allows
    AUTORECONF to find configure.ac.

    Fixes:
    http://autobuild.buildroot.net/results/801/801e2b2909363b5dcd9735362bb921e017569edc/
    http://autobuild.buildroot.net/results/398/3984c6cdd3398645c8ad98bbe23af9090cf4bfcf/
    http://autobuild.buildroot.net/results/632/632f93046f9cceffd9b604911542426c10967e0f/

    Cc: Alexander Dahl <post@lespocky.de>
    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 35b72be8fea5c3b6426441a9efa18a2ad3c319a2)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/putty: enable static build | Baruch Siach | 2019-03-28 | 2 files, -3/+268

    Add upstream patch fixing build when NO_GSSAPI is defined which is the
    case on static builds.

    Cc: Alexander Dahl <post@lespocky.de>
    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit a6f73f3d26ce723657e764424b8a4f32cd6f53cd)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* putty: security bump to version 0.71 | Baruch Siach | 2019-03-28 | 3 files, -6/+10

    CVE-2019-9894: A remotely triggerable memory overwrite in RSA key
    exchange can occur before host key verification.

    CVE-2019-9895: A remotely triggerable buffer overflow exists in any
    kind of server-to-client forwarding.

    CVE-2019-9897: Multiple denial-of-service attacks that can be
    triggered by writing to the terminal.

    CVE-2019-9898: Potential recycling of random numbers used in
    cryptography.

    Disable static build for now. When building statically configure
    defines NO_GSSAPI. Build with NO_GSSAPI is currently broken. The issue
    has been reported upstream.

    Cc: Alexander Dahl <post@lespocky.de>
    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit b6f47c0a4327074c0aff80cc2b2e22e5c8eef692)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/x11r7/xlib_libXdmcp: security bump version to 1.1.3 | Bernd Kuhls | 2019-03-27 | 2 files, -3/+8

    Fixes CVE-2017-2625:
    https://lists.x.org/archives/xorg-announce/2019-March/002974.html

    Added all hashes provided by upstream and license hash.

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 8a60253925c7730f3b9ca65edf38c729192b27b5)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libseccomp: security bump to version 2.4.0 | Peter Korsgaard | 2019-03-27 | 3 files, -9/+13

    From the advisory:

    Jann Horn identified a problem in current versions of libseccomp where
    the library did not correctly generate 64-bit syscall argument
    comparisons using the arithmetic operators (LT, GT, LE, GE). Jann has
    done a search using codesearch.debian.net and it would appear that only
    systemd and Tor are using libseccomp in such a way as to trigger the bad
    code. In the case of systemd this appears to affect the socket address
    family and scheduling class filters. In the case of Tor it appears that
    the bad filters could impact the memory addresses passed to mprotect(2).

    The libseccomp v2.4.0 release fixes this problem, and should be a direct
    drop-in replacement for previous v2.x releases.

    https://www.openwall.com/lists/oss-security/2019/03/15/1

    v2.4.0 adds a new scmp_api_level utility, so update
    0001-remove-static.patch to match.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 02300786c2fcba2cf641a040a2d87c4022ddb7fc)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
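The advisory quoted above concerns 64-bit argument comparisons with the ordering operators. A seccomp-bpf program can only compare one 32-bit word at a time, so a 64-bit comparison has to be decomposed: compare the high words first, and only when they are equal let the low words decide. The block below is an added illustration written for this page, not libseccomp's code and not a reproduction of the specific defect Jann Horn found; it models the correct decomposition (`cmp64_split`), a deliberately wrong one that looks only at the low word (`cmp64_low_only`, a hypothetical stand-in for "bad filter generation"), and a checker that compares both against a direct 64-bit comparison over the boundary values where mistakes show up. All names and the choice of edge values are the example's own.

```python
import operator
from itertools import product

MASK32 = 0xFFFFFFFF

# Comparison operators as a seccomp rule would name them.
OPS = {
    "LT": operator.lt, "LE": operator.le,
    "GT": operator.gt, "GE": operator.ge,
    "EQ": operator.eq, "NE": operator.ne,
}


def split64(value):
    """Return the (high, low) 32-bit words of a 64-bit unsigned value."""
    return (value >> 32) & MASK32, value & MASK32


def cmp64_split(op, arg, value):
    """Compare the 64-bit syscall argument `arg` with `value` using only
    32-bit word comparisons, the way a BPF filter has to do it."""
    ahi, alo = split64(arg)
    vhi, vlo = split64(value)
    if op in ("EQ", "NE"):
        equal = ahi == vhi and alo == vlo
        return equal if op == "EQ" else not equal
    if ahi != vhi:
        # The high words already decide the ordering; the low words are irrelevant.
        return OPS[op](ahi, vhi)
    # High words equal: the low words decide (this also covers the LE/GE equal case).
    return OPS[op](alo, vlo)


def cmp64_low_only(op, arg, value):
    """Hypothetical wrong decomposition (illustrative only): ignores the high word,
    so any argument above 2**32 - 1 is compared as if it were a small number."""
    return OPS[op](arg & MASK32, value & MASK32)


def reference(op, arg, value):
    """Direct 64-bit comparison; Python ints make this the ground truth."""
    return OPS[op](arg, value)


# Constructed boundary values: around the 32-bit word boundary and the 64-bit maximum.
EDGE_VALUES = [
    0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF,
    0x1_0000_0000, 0x1_0000_0001,
    0xFFFF_FFFF_0000_0000, 0xFFFF_FFFF_FFFF_FFFF,
]


def find_mismatches(impl, ops=OPS, values=EDGE_VALUES):
    """Return every (op, arg, value) triple where `impl` disagrees with the
    direct 64-bit comparison; an empty list means the decomposition is correct."""
    return [
        (op, arg, value)
        for op, arg, value in product(ops, values, values)
        if impl(op, arg, value) != reference(op, arg, value)
    ]


if __name__ == "__main__":
    print("split decomposition mismatches:", len(find_mismatches(cmp64_split)))
    print("low-word-only mismatches:", len(find_mismatches(cmp64_low_only)))
```

The practical lesson is the one the advisory implies for Tor's mprotect(2) address filter: a rule such as "deny if addr >= 2**32" is only meaningful if the filter really compares both words, so a filter author who cannot upgrade should test generated rules against boundary values like the ones above rather than trust the operator by name.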
* package/libssh2: security bump to latest git | Peter Korsgaard | 2019-03-27 | 3 files, -53/+2

    Bump the version to latest git to fix the following security issues:

    CVE-2019-3855
    Possible integer overflow in transport read allows out-of-bounds write
    URL: https://www.libssh2.org/CVE-2019-3855.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch

    CVE-2019-3856
    Possible integer overflow in keyboard interactive handling allows out-of-bounds write
    URL: https://www.libssh2.org/CVE-2019-3856.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch

    CVE-2019-3857
    Possible integer overflow leading to zero-byte allocation and out-of-bounds write
    URL: https://www.libssh2.org/CVE-2019-3857.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch

    CVE-2019-3858
    Possible zero-byte allocation leading to an out-of-bounds read
    URL: https://www.libssh2.org/CVE-2019-3858.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch

    CVE-2019-3859
    Out-of-bounds reads with specially crafted payloads due to unchecked use of `_libssh2_packet_require` and `_libssh2_packet_requirev`
    URL: https://www.libssh2.org/CVE-2019-3859.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

    CVE-2019-3860
    Out-of-bounds reads with specially crafted SFTP packets
    URL: https://www.libssh2.org/CVE-2019-3860.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch

    CVE-2019-3861
    Out-of-bounds reads with specially crafted SSH packets
    URL: https://www.libssh2.org/CVE-2019-3861.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch

    CVE-2019-3862
    Out-of-bounds memory comparison
    URL: https://www.libssh2.org/CVE-2019-3862.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch

    CVE-2019-3863
    Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes
    URL: https://www.libssh2.org/CVE-2019-3863.html
    Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.txt

    Drop 0003-openssl-fix-dereferencing-ambiguity-potentially-caus.patch as
    that is now upstream.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit f4f7dd9557cf139f6014ada77e947152d5a82fb3)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/jq: security bump to version 1.6 | Fabrice Fontaine | 2019-03-27 | 2 files, -4/+5

    - Fix CVE-2015-8863 and CVE-2016-4074:
      https://github.com/stedolan/jq/issues/1406
    - Add hash for license file
    - Disable oniguruma (enabled by default)

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 3a026d650ced90ee6de5b13daa3b93ba1ca0a1cc)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mariadb: security bump to version 10.3.13 | Ryan Coe | 2019-03-27 | 2 files, -7/+7

    Release notes:
    https://mariadb.com/kb/en/library/mariadb-10313-release-notes/

    Changelog:
    https://mariadb.com/kb/en/mariadb-10313-changelog/

    Fixes the following security vulnerabilities:

    CVE-2019-2510 - Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: InnoDB). Supported versions that are affected are
    5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability
    allows high privileged attacker with network access via multiple
    protocols to compromise MySQL Server. Successful attacks of this
    vulnerability can result in unauthorized ability to cause a hang or
    frequently repeatable crash (complete DOS) of MySQL Server.

    CVE-2019-2537 - Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Server: DDL). Supported versions that are affected
    are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily
    exploitable vulnerability allows high privileged attacker with network
    access via multiple protocols to compromise MySQL Server. Successful
    attacks of this vulnerability can result in unauthorized ability to
    cause a hang or frequently repeatable crash (complete DOS) of MySQL
    Server.

    Note that the hash for README.md changed due to Travis CI and Appveyor
    CI updates.

    Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit f389df2334750194b0a19cb5dff86739f2bf7e2d)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/binutils: upstream fixes for 2.31.1 | Norbert Lange | 2019-03-27 | 3 files, -0/+1296

    Combining musl and binutils 2.31.1 will produce static applications
    that crash immediately. This commit picks up 3 upstream commits to
    remedy this.

    See https://sourceware.org/bugzilla/show_bug.cgi?id=23428

    Signed-off-by: Norbert Lange <nolange79@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 0c34e138b597668a79fc7e71f339a556a6b695e9)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/kf5-modemmanager-qt: link with libatomic when needed | Fabrice Fontaine | 2019-03-27 | 1 file, -0/+5

    On some architectures, atomic builtins are provided by the libatomic
    library from gcc. Linking with libatomic is therefore necessary,
    otherwise the build fails with:

    sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line

    This is often for example the case on sparcv8 32 bit.

    Fixes:
    - http://autobuild.buildroot.org/results/b941a3deaa57cac79f1686d47ca6ababf2f0d5e4

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 3cb7546d95bbe227562040d6439b0ab4b62b7c9b)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/fltk: add optional xlib_libXrender dependency | Fabrice Fontaine | 2019-03-27 | 1 file, -0/+7

    xlib_libXrender is enabled by default and has been added since version
    1.3.4-1 and
    https://github.com/fltk/fltk/commit/a6c4b29a184ce7708819f4706877eedcd99a30f5

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 65895f36eea0139c3d590cd5982be5504b2de9ce)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/cups: security bump to version 2.2.10 | Fabrice Fontaine | 2019-03-27 | 3 files, -191/+2

    - Fixes CVE-2018-4700: Linux session cookies used a predictable random
      number seed: https://github.com/apple/cups/releases/tag/v2.2.10.
    - Remove fifth patch (already in version)

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 260d9e534268083e7aa89e1bdb47bb8f3668a052)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/nodejs: security bump to version 8.15.1 | Peter Korsgaard | 2019-03-26 | 2 files, -3/+3

    Fixes the following security issues:

    Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
    OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

    For more details, see the CHANGELOG:
    https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.1

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 18ae511d81846b9f28b34940e5f36d3ca95648f0)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/samba4: security bump to version 4.9.5 | Bernd Kuhls | 2019-03-25 | 2 files, -3/+3

    Release notes:
    https://www.samba.org/samba/history/samba-4.9.5.html

    Fixes CVE-2019-3824: ldb: Out of bound read in ldb_wildcard_compare

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit e7d67faac5be820b1c8019eb249adf8765d4cf42)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/beecrypt: fix build without C++ | Fabrice Fontaine | 2019-03-25 | 1 file, -0/+27

    Do not check for C++ compiler as C++ support has been disabled since
    commit dd4d3c18d6753e1224fbe59d91a4b44f39bc38c0 otherwise build will
    fail on toolchains without a working C++ compiler:

    checking how to run the C++ preprocessor... /lib/cpp
    configure: error: in `/data/buildroot/buildroot-test/instance-1/output/build/beecrypt-4.2.1':
    configure: error: C++ preprocessor "/lib/cpp" fails sanity check

    Fixes:
    - http://autobuild.buildroot.org/results/3c79cc68f1b088ad24daf7f9bd70718d702be577

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 6255c816232468b2e92cffcfa835aa79d8fcae04)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/x11r7/xapp_xdm: security bump to version 1.1.12 | Bernd Kuhls | 2019-03-25 | 2 files, -3/+8

    Fixes CVE-2013-2179.

    Release notes:
    https://lists.x.org/archives/xorg-announce/2019-March/002959.html

    Added all license hashes provided by upstream and license hash.

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 2776484107b8f8640e0771c3ffe45b62a78920fb)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/avahi: add upstream security fix | Artem Panfilov | 2019-03-25 | 1 file, -0/+48

    Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7
    inadvertently responds to IPv6 unicast queries with source addresses
    that are not on-link, which allows remote attackers to cause a denial of
    service (traffic amplification) and may cause information leakage by
    obtaining potentially sensitive information from the responding device
    via port-5353 UDP packets.

    Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 1e17adf1c5ee1cecd747f84fff8f6261c1e8a476)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
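The CVE text above comes down to one missing check: an mDNS responder must only answer an IPv6 unicast query when the query's source address is on-link for the interface it arrived on, because a UDP source can be spoofed and an off-link answer turns the daemon into a reflector towards arbitrary targets. The block below is an added example written for this page, not Avahi's code and not its actual patch; it shows that on-link test with Python's ipaddress module. The interface prefix table and the sample queries are constructed for the example, and the function names are the example's own.

```python
import ipaddress

# Constructed sample of what a responder knows about its interfaces:
# the IPv6 prefixes configured on each one (link-local is implicit).
IFACE_PREFIXES = {
    "eth0": [ipaddress.ip_network("2001:db8:1::/64")],
    "eth1": [ipaddress.ip_network("2001:db8:2::/64")],
}


def is_on_link(src, iface, prefixes=IFACE_PREFIXES):
    """True if the IPv6 source `src` is on-link for `iface`: a link-local
    address (fe80::/10), or an address inside one of the interface's prefixes.
    Raises ValueError for anything that is not an IPv6 address."""
    addr = ipaddress.ip_address(src)
    if addr.version != 6:
        raise ValueError("IPv6 address expected, got %s" % src)
    if addr.is_link_local:
        return True
    return any(addr in net for net in prefixes.get(iface, []))


def should_answer_unicast_query(src, iface, prefixes=IFACE_PREFIXES):
    """Policy for a unicast (non-multicast) query on UDP/5353: answer only
    on-link sources, so a spoofed off-link source cannot use the responder
    as an amplifier or pull service information off the link."""
    return is_on_link(src, iface, prefixes)


# Constructed sample of unicast query sources, as (source address, arrival interface).
SAMPLE_QUERIES = [
    ("fe80::1", "eth0"),            # link-local neighbour: answer
    ("2001:db8:1::42", "eth0"),     # inside eth0's prefix: answer
    ("2001:db8:ffff::1", "eth0"),   # global address off-link: drop
    ("2001:db8:1::42", "eth1"),     # right prefix, wrong interface: drop
]


def filter_queries(queries, prefixes=IFACE_PREFIXES):
    """Return (src, iface, answer?) for each query after applying the policy."""
    return [(src, iface, should_answer_unicast_query(src, iface, prefixes))
            for src, iface in queries]


if __name__ == "__main__":
    for src, iface, ok in filter_queries(SAMPLE_QUERIES):
        print("%-18s on %s -> %s" % (src, iface, "answer" if ok else "drop"))
```

The interface-scoped check matters: a source inside a prefix that is configured on a different interface is still off-link for the interface the packet arrived on, which is why the lookup is keyed by the arrival interface rather than by a global list of prefixes.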
* package/go: set GOCACHE to a host path | Christian Stewart | 2019-03-25 | 1 file, -0/+4

    Set the GOCACHE environment variable properly. It was previously
    unset, and defaults to $HOME/.cache/go-build.

    Signed-off-by: Christian Stewart <christian@paral.in>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 3909423f1ccf186bd064e225ecb064ca1ece0310)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/openjpeg: security bump to latest git version | Peter Korsgaard | 2019-03-25 | 3 files, -30/+4

    Current git contains fixes for a number of post-2.3.0 security issues:

    git shortlog --no-merges -i --grep cve --grep overflow --grep zero v2.3.0..

    Even Rouault (2):
          Avoid out-of-bounds write overflow due to uint32 overflow computation on images with huge dimensions.
          color_apply_icc_profile: avoid potential heap buffer overflow

    Hugo Lefeuvre (4):
          convertbmp: fix issues with zero bitmasks
          jp3d/jpwl convert: fix write stack buffer overflow
          jp2: convert: fix null pointer dereference
          convertbmp: detect invalid file dimensions early

    Karol Babioch (2):
          jp3d: Replace sprintf() by snprintf() in volumetobin()
          opj_mj2_extract: Check provided output prefix for length

    Stefan Weil (1):
          Fix some potential overflow issues (#1161)

    Young_X (5):
          [MJ2] To avoid divisions by zero / undefined behaviour on shift
          [JPWL] fix CVE-2018-16375
          [JPWL] imagetotga(): fix read heap buffer overflow if numcomps < 3 (#987)
          [JPWL] opj_compress: reorder checks related to code block dimensions to avoid potential int overflow
          [JP3D] To avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423

    ichlubna (1):
          openjp3d: Int overflow fixed (#1159)

    setharnold (1):
          fix unchecked integer multiplication overflow

    Drop now upstreamed 0004-install-static-lib.patch.

    Add a hash for the LICENSE file.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit a5e8c81875a26551e780e409a0647916e626c969)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mosquitto: bump version to 1.5.8 | Peter Korsgaard | 2019-03-25 | 2 files, -2/+2

    Bugfix release, fixing a number of issues discovered post-1.5.7

    https://mosquitto.org/blog/2019/02/version-1-5-8-released/

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 24cc2eaa335a34633b71a7db7c972ab64b5e7739)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/php: security bump to version 7.2.16 | Peter Korsgaard | 2019-03-25 | 3 files, -82/+2

    php-7.2.16 fixes a number of security issues (no CVE known, bugtracker
    issues not yet public):

    https://www.php.net/ChangeLog-7.php#7.2.16

    Drop 0004-OPcache-flock-mechanism-is-obviously-linux-so-force-.patch as
    the flock detection has been removed since commit 9222702633 (Avoid
    dependency on "struct flock" fields order.)

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 9a455a6c9bd45c2620e0e6ade2c89f7b99c6a28a)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* ntp: security bump to version 4.2.8p13 | Baruch Siach | 2019-03-25 | 4 files, -60/+5

    Fixes CVE-2019-8936: Crafted null dereference attack in authenticated
    mode 6 packet.

    Drop upstream patches.

    Update COPYRIGHT file hash; text formatting (line width) changes.

    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 7ffdc08f04a87b0dd6f2bba250627389ce79a776)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/file: security bump to version 5.36 | Baruch Siach | 2019-03-25 | 2 files, -6/+8

    CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has
    an out-of-bounds read because memcpy is misused.

    CVE-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has
    a stack-based buffer over-read, related to file_printf and file_vprintf.

    Update license files hashes; removal of trailing white spaces.

    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 14d6e6df7bcfd7d46811a812610ec87b0b249088)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/wireshark: add optional spandsp dependency | Fabrice Fontaine | 2019-03-25 | 1 file, -0/+7

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit ee772dad7b76dcc49bc86b5a232ccdcedec60904)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/xen: fix build with gcc 8.1 | Fabrice Fontaine | 2019-03-25 | 1 file, -0/+79

    Fixes:
    - http://autobuild.buildroot.org/results/df5abe6ca8b4c8935f3d5c257aef816190771200

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 9b2bf1b7458891ae652e3493ae87d1f7c4776a8b)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* qt5webkit: select leveldb package and memenv | Gaël PORTAY | 2019-03-25 | 2 files, -2/+5

    This patch fixes the build issue reported by autobuilder [0].

    /home/naourr/work/instance-2/output/build/qt5webkit-5.9.1/Source/WebCore//.obj/platform/leveldb/LevelDBDatabase.o: In function `WebCore::LevelDBDatabase::openInMemory(WebCore::LevelDBComparator const*)':
    LevelDBDatabase.cpp.text._ZN7WebCore15LevelDBDatabase12openInMemoryEPKNS_17LevelDBComparatorE+0x34): undefined reference to `leveldb::NewMemEnv(leveldb::Env*)'
    collect2: error: ld returned 1 exit status
    make[3]: *** [Makefile.api:97: ../lib/libQt5WebKit.so.5.9.1] Error 1

    The issue happens when both packages leveldb and qt5webkit are enabled.

    QtWebKit builds its own copy of leveldb [1] (as a third-party) if the
    system does not provide it (i.e. buildroot). It builds it differently
    and this is the origin of that issue. Instead of using the Makefile
    provided by leveldb [2], QtWebKit uses qmake to build that library [3].

    The missing symbol issue happens because the symbol leveldb::NewMemEnv
    is bundled in the static library libmemenv.a (aside libleveldb.so).
    This static library consists of this single symbol which is like an
    extra that is built but *NOT* shipped by default at installation in
    the staging directory. Unfortunately, that symbol is required later by
    WebCore [4].

    The copy built by QtWebKit is an all-in-one library including both
    libleveldb and libmemenv; thus QtWebKit links against libleveldb only.
    Also, the linker finds the buildroot's copy first (not the
    third-party): that explains why it is complaining about a missing
    symbol. That copy does not have the symbol leveldb::NewMemEnv.

    Fortunately, QtWebKit provides a facility to link against the system
    leveldb package. The qmake flag WEBKIT_CONFIG+=use_system_leveldb tells
    Qt5WebKit to link against libleveldb *AND* libmemenv [5].

    To fix that issue, this commit selects the package leveldb that now
    installs the libmemenv static library and its header. It ensures that
    QtWebKit has everything it needs to be built. It also sets the
    appropriate qmake configure flags to tell QtWebKit to use the leveldb
    copy built by buildroot instead of the bundled one.

    [0]: http://autobuild.buildroot.net/results/46033e82adf592c3b92c6d50cfaf45bd58beeaa4
    [1]: https://github.com/qt/qtwebkit/tree/5.9/Source/ThirdParty/leveldb
    [2]: https://github.com/qt/qtwebkit/blob/5.9/Source/ThirdParty/leveldb/Makefile#L167-L169
    [3]: https://github.com/qt/qtwebkit/blob/5.9/Source/ThirdParty/leveldb/Target.pri#L80
    [4]: https://github.com/qt/qtwebkit/blob/5.9/Source/WebCore/platform/leveldb/LevelDBDatabase.cpp#L185
    [5]: https://github.com/qt/qtwebkit/blob/5.9/Source/WebCore/WebCore.pri#L254
    [6]: https://github.com/google/leveldb/commit/739c25100e46576cdcdfff2d6f43f9f7008103c7

    Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 2d7c746ed8c89ad262ef0c6db5460ade1fc35973)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* leveldb: generate pic for static libraries | Gaël PORTAY | 2019-03-25 | 1 file, -0/+52

    The project's static libraries are not compiled with the -fPIC compiler
    flag. This prevents dynamic libraries from linking against those
    libraries.

    This commit adds a patch that sets the -fPIC compiler flag to the list
    of CFLAGS/CXXFLAGS. The project now generates position independent code
    for all of its outputs (i.e. not limited anymore to its shared
    libraries).

    Fixes:

    /home/gportay/src/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-amd-linux-gnu/6.2.0/../../../../x86_64-amd-linux-gnu/bin/ld: /home/gportay/src/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libmemenv.a(memenv.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
    /home/gportay/src/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libmemenv.a: error adding symbols: Bad value
    collect2: error: ld returned 1 exit status

    Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
    [Arnout: renumber patch]
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 088f261dbb89bb48a918a3153f293b86708c8a58)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* leveldb: install memenv static library and header  [Gaël PORTAY, 2019-03-25, 1 file, -0/+2]
  The project builds a tiny static library that consists of a single symbol which creates an in-memory LevelDB database. That library is not installed by default and may be used by other projects.

  This commit installs in the staging directory the libmemenv.a static library and the memenv.h header file.

  Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit 16f847340d07dce620e4c3fc0a099aa79898d86a)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libopenssl: security bump to version 1.0.2r  [Peter Korsgaard, 2019-03-24, 2 files, -5/+5]
  Fixes the following security issue:

  0-byte record padding oracle (CVE-2019-1559)

  If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.

  For more details, see the advisory:
  https://mta.openssl.org/pipermail/openssl-announce/2019-February/000148.html

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/vsftpd: add patch to fix hang  [Abdelmalek Benelouezzane, 2019-03-19, 1 file, -0/+87]
  This fixes a hang due to SIGCHLD not being handled correctly by vsftpd. The patch comes from Fedora and hasn't made its way upstream yet.

  More information about the bug can be found in:
  - https://bugzilla.redhat.com/show_bug.cgi?id=1198259

  Signed-off-by: Abdelmalek Benelouezzane <abdelmalek.benelouezzane@savoirfairelinux.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 498dff7ea1ef7d975f09fd3d7f1cce8d40b47a8b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/wireshark: fix build with uclibc  [Fabrice Fontaine, 2019-03-19, 1 file, -0/+75]
  Fixes:
  - http://autobuild.buildroot.org/results/c41d42fe3489bc63c42e7ce7a9eccb1b4ca7b9b2

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit e68fdaf4146000c5bf331171c719e353e3385aa9)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/wireshark: security bump to version 2.6.7  [Fabrice Fontaine, 2019-03-19, 2 files, -3/+3]
  Fixes CVE-2019-9208, CVE-2019-9209 and CVE-2019-9214

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 1de1fcb4d810cc9443c3fe4c1c108e649be83726)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/busybox: udhcp CVE-2019-5747 patch  [Jared Bents, 2019-03-19, 2 files, -0/+59]
  Patch to resolve CVE-2019-5747, which affects versions prior to 1.30.0.

  More information can be found at:
  https://nvd.nist.gov/vuln/detail/CVE-2019-5747

  This applies to both master and 2019.02.

  Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit a49e8f34fffffaa7839861049add77fe6f4d7967)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/busybox: udhcp CVE-2018-20679 patch  [Jared Bents, 2019-03-19, 1 file, -0/+136]
  Patch to resolve CVE-2018-20679, which affects versions prior to 1.30.0.

  More information can be found at:
  https://nvd.nist.gov/vuln/detail/CVE-2018-20679

  This applies to both master and 2019.02.

  Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit d65d1d066ba895f3ccb277d24199019663801721)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/efl: fix build with mesa  [Vadim Kochan, 2019-03-19, 1 file, -0/+34]
  efl does not compile with mesa without OpenGL ES because it checks for GL_ES_VERSION_2_0 and declares its own GLintptr and GLsizeiptr types if that version is not defined, but mesa declares them too for OpenGL version 1.5, so fix it by also checking for OpenGL 1.5, where these types are defined.

  Use patch from:
  https://git.enlightenment.org/core/efl.git/commit/?id=0d2b624f1e24240a1c4e651aa1cfe9a8dd10a573

  Fixes:
  http://autobuild.buildroot.net/results/62ca120f1e54e8c3ae445f98b2624b526569f007

  Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 579dfd94990449be719529f8b4c0589ddd060498)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 3cd71635f7f47d2ee12df0ffed754f373ac4dbd1)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libsoxr: add patch to add Libs.private in soxr.pc  [Jörg Krause, 2019-03-17, 1 file, -0/+43]
  If libsoxr is built statically against libavutil, other applications need to know that they must link with `-lavutil` when building in a static context.

  Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 1f551e92dc53e51d43537bbe9f2cb1209ab0c17f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* Revert "package/libsoxr: add avutil to soxr.pc"  [Jörg Krause, 2019-03-17, 1 file, -33/+0]
  This reverts commit d81870ae8129389a62df80c9c8c9165d334b6921.

  The patch attempts to fix static linking with libsoxr when it is built with avutils. The `Libs.private` field should not contain the full absolute path to the static library, but only the link flags for private libraries, e.g. `-lm`.

  Buildroot's pkg-config prepends the sysroot to the value found in `Libs.private`, resulting in a malformed linker flag if libavutil is found:

  ```
  -L/home/test/autobuild/run/instance-3/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lsoxr /home/test/autobuild/run/instance-3/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/home/test/autobuild/run/instance-3/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libavutil.a
  ```

  ... or if libavutils is not found:

  ```
  -L/home/test/autobuild/run/instance-1/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lsoxr AVUTIL_LIBRARIES-NOTFOUND
  ```

  Revert this commit and replace the patch by a follow-up patch which only adds `-lavutil` to `Libs.private` in case it is found and used by libsoxr.

  Fixes:
  http://autobuild.buildroot.net/results/6eb4e2c9bd3884ab0152ddf873c20e62f0941181/
  http://autobuild.buildroot.net/results/07207b0a58a08bf7c2cb78345a58244b5e6aab0e/

  Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit bb271e9d188b336c2238421061e97003dcc98665)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/systemd: fix "Timed out waiting for device /dev/console."  [Xavier Ruppen, 2019-03-17, 1 file, -6/+13]
  Buildroot built with systemd fails to open a login prompt on the serial port when /dev/console is specified as BR2_TARGET_GENERIC_GETTY_PORT (which is its default value):

  systemd[1]: dev-console.device: Job dev-console.device/start timed out.
  systemd[1]: Timed out waiting for device /dev/console.
  systemd[1]: Dependency failed for Serial Getty on console.
  systemd[1]: serial-getty@console.service: Job serial-getty@console.service/start failed with result 'dependency'.
  systemd[1]: dev-console.device: Job dev-console.device/start failed with result 'timeout'.
  systemd[1]: Reached target Login Prompts.
  systemd[1]: Reached target Multi-User System.

  According to this issue on Github [1], serial-getty@.service should not be instantiated on /dev/console, console-getty@.service should be used instead. This stems from the fact that there should be no dependency on /dev/console.

  [1] https://github.com/systemd/systemd/issues/10914

  Signed-off-by: Xavier Ruppen <xruppen@gmail.com>
  Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  [Peter: drop SERVICE variable as suggested by Yann]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 940e7deab09e34585a5b70dd6ce1c9afd22fd8f3)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gst-plugins-bad: disable spandsp  [Fabrice Fontaine, 2019-03-17, 1 file, -1/+2]
  gst-plugins-bad does not build with spandsp, so disable it (it's already disabled in gst1-plugins-bad).

  Fixes:
  - http://autobuild.buildroot.org/results/842ca572b7810bca70846274262a6fcdb38df49

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit b20f8a893f17d139ceafb512f3ccd207770844fe)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>