Commit log (branch 2019.02.x): each entry gives the commit message, author, date, and files/lines changed.
* Update for 2019.02.11 [tag: 2019.02.11, branch: 2019.02.x]
  Peter Korsgaard, 2020-04-09, 2 files changed, -2/+23

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/haproxy: security bump to version 1.9.15
  Peter Korsgaard, 2020-04-09, 2 files changed, -2/+2

  - Fix CVE-2020-11100: In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
    https://www.mail-archive.com/haproxy@formilux.org/msg36878.html

  Furthermore, 1.9.14 contains a number of bugfixes.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/hiredis: install alloc.h
  Fabrice Fontaine, 2020-04-09, 1 file changed, -1/+1

  This will fix build of collectd, proftpd ... with latest hiredis

  Fixes:
  - http://autobuild.buildroot.org/results/f5afe60defd63461a5fc06b26bd4759fb5f56a8f
  - http://autobuild.buildroot.org/results/45e980c85d170827d3a41e7443cf1088b2d59ead

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit b72be8c48b7c110f5e63e741599ceca1d0352fbc)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gnutls: security bump to 3.6.13
  Stefan Sørensen, 2020-04-09, 2 files changed, -3/+3

  Fixes the following security issue:

  * CVE-2020-11501: It was found that GnuTLS 3.6.3 introduced a regression in the DTLS protocol implementation. This caused the DTLS client to not contribute any randomness to the DTLS negotiation breaking the security guarantees of the DTLS protocol.

  Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 170d06cfc629ec3526e196f767969fb29ba890e0)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gnutls: bump version to 3.6.10
  Bernd Kuhls, 2020-04-09, 3 files changed, -87/+3

  Release notes:
  https://lists.gnupg.org/pipermail/gnutls-help/2019-September/004574.html

  Removed patch applied upstream, also removed autoreconf.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 3029eb045c903c43564beec32f10b1fc3567f09b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gnutls: use __get_cpuid_count() only when available
  Fabrice Fontaine, 2020-04-09, 2 files changed, -0/+84

  Fixes:
  - http://autobuild.buildroot.org/results/4e874ed2fcc1f969f2f8ece88985ccd625f2c55b

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit 53622826da5a303e6f99cc91b8a43a550eff7b86)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gnutls: bump version to 3.6.9
  Bernd Kuhls, 2020-04-09, 2 files changed, -3/+3

  Release notes:
  https://lists.gnupg.org/pipermail/gnutls-help/2019-July/004556.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit a9c509934e067716b0cf210b87c968ba69834d9f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gnutls: make the OpenSSL compatibility library optional
  Carlos Santos, 2020-04-09, 2 files changed, -2/+14

  Add a BR2_PACKAGE_GNUTLS_OPENSSL option, disabled by default since it is not used by any package that depends on gnutls. The library is licensed under GPLv3, which can be a problem for embedded systems due to the so-called anti-tivoization clause.

  Signed-off-by: Carlos Santos <unixmania@gmail.com>
  [Thomas: don't repeat the license details for the gnutls-openssl case, simply append to them]
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit d4c12d6bcdfc2813dfac3d207d980e0497d33f5d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gnutls: bump version to 3.6.8
  Bernd Kuhls, 2020-04-09, 2 files changed, -3/+3

  Release notes:
  https://lists.gnupg.org/pipermail/gnutls-help/2019-May/004527.html

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit 9e2fcb2e251e0763c00583cc21d3e8cff968976f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gcc: pass -Wno-error to debug builds
  James Hilliard, 2020-04-08, 1 file changed, -0/+5

  gcc fails to build in debug build with debug optimisations:

    BR2_x86_corei7=y
    BR2_ENABLE_DEBUG=y
    BR2_DEBUG_3=y
    BR2_OPTIMIZE_G=y
    BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
    BR2_TOOLCHAIN_BUILDROOT_CXX=y

  which fails with:

    ../../../../libsanitizer/libbacktrace/../../libbacktrace/elf.c:772:21: error: ‘st.st_mode’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
         return S_ISLNK (st.st_mode);
                         ^

  Upstream has been unable to reproduce/fix properly, details:
  https://gcc.gnu.org/legacy-ml/gcc-patches/2019-03/threads.html#00827

  Upstream recommends passing -Wno-error as a workaround, see:
  https://gcc.gnu.org/pipermail/gcc-patches/2019-April/519867.html

  Reviewed-by: Romain Naour <romain.naour@gmail.com>
  Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
  [yann.morin.1998@free.fr: add the reproducing defconfig]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit dcaf6e75acb4d21c2c31c70b054dac8d18710fcb)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/pkg-generic.mk: also replace /lib by STAGING_DIR/lib in .la files
  Thomas Petazzoni, 2020-04-08, 1 file changed, -0/+1

  After the staging installation, we replace a number of paths in libtool .la files so that those paths point to STAGING_DIR instead of a location in the build machine.

  However, we replace only paths that start with /usr. And it turns out that the linux-pam package is configured with --libdir=/lib (linux-pam seems to always be installed in /lib rather than /usr/lib). Due to this, libpam.la contains the following line:

    libdir='/lib'

  When building a configuration that has:

  - BR2_ROOTFS_MERGED_USR=y
  - BR2_PACKAGE_LINUX_PAM=y
  - BR2_PACKAGE_POLKIT=y

  on a system that has its system-wide PAM library installed in /lib, the build fails with:

    /lib/libpam.so: file not recognized: File format not recognized

  For some reason, libtool searches only in STAGING_DIR/usr/lib, but when BR2_ROOTFS_MERGED_USR=y, STAGING_DIR/lib points to STAGING_DIR/usr/lib, so libtool finds libpam.la. And this libpam.la contains a bogus libdir='/lib' path. libtool then goes on, finds /lib/libpam.so, and links with it, causing the build failure.

  By doing the proper replacement of libdir='/lib', we have a correct libpam.la, and solve the build issue.

  There is no autobuilder failure associated to this issue, as it requires /lib/libpam.so to exist. This is the case on ArchLinux, on which Xogium reported the issue, which can also be reproduced in an ArchLinux container.

  Reported-by: Xogium <contact@xogium.me>
  Cc: Xogium <contact@xogium.me>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Tested-by: Yann E. MORIN <yann.morin.1998@free.fr>
  [yann.morin.1998@free.fr:
    - tested by manually creating a symlink to libpam.so in /lib
  ]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 7ae7c82dd617cb76dd9f4e43b32eea151528d818)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/vlc: fix build with opencv3
  Fabrice Fontaine, 2020-04-08, 1 file changed, -0/+42

  Fixes:
  - http://autobuild.buildroot.org/results/210424bd33f660aa0757f62a558e1e03faf0f371

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 516b3737bfac5eed9f7cab3e5453a8dbba3727d9)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 5, 6}.x series
  Peter Korsgaard, 2020-04-08, 3 files changed, -9/+9

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 79c640e2e0d15e430a94915f48826b955f83cb63)
  [Peter: drop 5.x bump]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/kmscube: Use the official gitlab URL
  Fabio Estevam, 2020-04-08, 1 file changed, -1/+1

  The cgit URL is a mirror of the gitlab repository.

  The README.md file of the kmscube project also points to the gitlab repository, so switch the URL accordingly.

  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 8ab9acbed8a46e1ba60b3ad18a2d9ec8d8b852b5)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sysdig: update upstream URL in Config.in
  Peter Seiderer, 2020-04-08, 1 file changed, -1/+1

  The sysdig homepage we have points to an "on-sale" domain, that is purportedly serving malware while at it.

  Update to point to the wiki on github instead.

  Fixes #12746.

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  [yann.morin.1998@free.fr:
    - use wiki instead of git repo
    - expand commit log
  ]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit ca3166da48bbb4247f5823b2a53499c8959c4705)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/ntp: security bump to version 4.2.8p14
  Sébastien Szymanski, 2020-04-08, 2 files changed, -5/+5

  "This release fixes three security issues in ntpd and provides 46 bugfixes and addresses 4 other issues." [1]

  NONE: Sec 3610: process_control() should bail earlier on short packets.

  MEDIUM: Sec 3596: Unauthenticated ntpd may be susceptible to IPv4 spoof attack from highly predictable transmit timestamps.

  MEDIUM: Sec 3592: DoS Attack on unauthenticated client. The fix for https://bugs.ntp.org/3445 introduced a bug whereby a system that is running ntp-4.2.8p12 (possibly earlier) or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim's next poll to its source to be delayed, for as long as the attack is maintained.

  [1] http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele

  The copyright year has changed in the COPYRIGHT file, so adjust the hash to match and adjust the spacing to match recent agreements:

  @@ -3,7 +3,7 @@
   jpg "Clone me," says Dolly sheepishly.
  -  Last update: 2-Jan-2017 11:58 UTC
  +  Last update: 4-Feb-2020 23:47 UTC
     __________________________________________________________________

   The following copyright notice applies to all files collectively called
  @@ -32,7 +32,7 @@ Burnicki is:
   ***********************************************************************
   *                                                                     *
  -* Copyright (c) Network Time Foundation 2011-2017                     *
  +* Copyright (c) Network Time Foundation 2011-2020                     *
   *                                                                     *
   * All Rights Reserved                                                 *
   *                                                                     *

  Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
  [Peter: clarify security impact, document COPYRIGHT change]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 9daf7483e9cf86d86797e799c73be80dbbbb9acf)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libopenssl: security bump to version 1.1.1f
  Sébastien Szymanski, 2020-04-08, 2 files changed, -2/+2

  Fixes the following security issues (1.1.1e):

  CVE-2019-1551 [Low severity]: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Reported by OSS-Fuzz and Guido Vranken.
  https://www.openssl.org/news/secadv/20191206.txt

  CVE-2019-1563 [Low severity]: In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Reported by Bernd Edlinger.
  https://www.openssl.org/news/secadv/20190910.txt

  Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
  [Peter: mention security impact]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit d397b231b7c7f02f9c52d13ac9d3d82b39f4f4c5)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libopenssl: move options
  Yann E. MORIN, 2020-04-08, 2 files changed, -16/+16

  Since e3159cad71 (package/libopenssl: move target arch selection to Config.in), we have a Config.in that contains a few options to configure libopenssl (openSSL, the original).

  As such, it makes sense to move the remaining options there too.

  We also move the condition there, mimicking what is done for the external toolchains' options too.

  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Cc: Matt Weber <matthew.weber@rockwellcollins.com>
  Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 27a2073a2d3beb32af199ad0e2f1efb36f431cce)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libopenssl: make use of linux-x86 for i386
  Thomas Petazzoni, 2020-04-08, 1 file changed, -0/+1

  Tested with:

    BR2_x86_pentium4=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
    BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-i386-pentium4-full-2019.05.1.tar.bz2"
    BR2_TOOLCHAIN_EXTERNAL_GCC_7=y
    BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_4=y
    BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
    BR2_TOOLCHAIN_EXTERNAL_CXX=y
    BR2_INIT_NONE=y
    BR2_SYSTEM_BIN_SH_NONE=y
    BR2_PACKAGE_OPENSSL=y

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 03b39f7869859bbab692e7728af3009ed38998f8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libopenssl: make use of linux-generic64 for 64-bit archs
  Thomas Petazzoni, 2020-04-08, 1 file changed, -1/+2

  It was tested with:

    BR2_mips64el=y
    BR2_MIPS_NABI64=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
    BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-mips64-n64-full-2019.05.1.tar.bz2"
    BR2_TOOLCHAIN_EXTERNAL_GCC_5=y
    BR2_TOOLCHAIN_EXTERNAL_HEADERS_5_1=y
    BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
    BR2_TOOLCHAIN_EXTERNAL_CXX=y
    BR2_INIT_NONE=y
    BR2_SYSTEM_BIN_SH_NONE=y
    BR2_PACKAGE_OPENSSL=y

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 1ebb35ee5fb7bd5e6278a84ac2c18aa0a38056fb)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libopenssl: move target arch selection to Config.in
  Thomas Petazzoni, 2020-04-08, 3 files changed, -34/+32

  The logic to select the proper OpenSSL target arch in libopenssl.mk is not easy to read, so let's move it to Config.in where we have some nice constructs for that kind of value selection.

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit e3159cad7174bfc029c8229d3c525b1545d695e8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/x11r7/xserver_xorg-server: bump version to 1.20.8
  Bernd Kuhls, 2020-04-08, 9 files changed, -38/+5

  Removed patch applied upstream:
  https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2ef88c4d3a551ff7646bfb86550cae32b02a510

  Removed md5 & sha1 hashes, not provided by upstream anymore.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 39472b50e06fef2327e4ab042dd8c1c28a311a10)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libsndfile: add upstream security fixes
  Fabrice Fontaine, 2020-04-08, 5 files changed, -0/+275

  - Fix CVE-2017-6892: In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file.
  - Fix CVE-2017-8361: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.
  - Fix CVE-2017-8362: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file.
  - Fix CVE-2017-8363: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.
  - Fix CVE-2017-8365: The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.
  - Fix CVE-2017-12562: Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 76d5ab4d17fe00514c45323ab077d3b85a7add47)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* docs/manual: minor typo fix
  Nazım Gediz AYDINDOĞMUŞ, 2020-04-08, 1 file changed, -1/+1

  Definition of LIBFOO_USERS actually ends on 33rd line.

  Signed-off-by: Nazım Gediz Aydındoğmuş <gediz.aydindogmus@genemek.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 61f01794c806fc5e4e225436bff49be9febf6c23)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/kmscube: Change repository to gitlab
  Fabio Estevam, 2020-04-08, 1 file changed, -1/+1

  The https://cgit.freedesktop.org/mesa/kmscube repository is mirrored from https://gitlab.freedesktop.org/mesa/kmscube, so switch to the gitlab one.

  The other advantage of using the gitlab repository is that it can handle archive downloads, so switch to it.

  Suggested-by: Arnout Vandecappelle <arnout@mind.be>
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 396191b1562072de11a702ffb9d61e7de9f40c04)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* Makefile: make-4.3 no longer un-escapes \# in macros
  Yaroslav Syrytsia, 2020-04-08, 2 files changed, -4/+18

  make-4.3 shipped with a backward incompatible change in how sharp signs are handled in macros.

  Previously, up to make 4.2, the sharp sign would always start a comment, unless backslash-escaped, even in a macro or a function call.

  Now, the sharp sign is no longer starting a comment when it appears inside such a macro or function call. This behaviour was supposed to be in force since 3.81, but was not; 4.3 fixed the code to match the doc.

  As such, use of external toolchains is broken, as we use the sharp sign in the copy_toolchain_sysroot macro, in shell variable expansion to strip off any leading /: ${target\#/}.

  Fix that by applying the workaround suggested in the release announcement [0], by using a variable to hold a sharp sign.

  [0] https://lists.gnu.org/archive/html/info-gnu/2020-01/msg00004.html

  Signed-off-by: Yaroslav Syrytsia <me@ys.lc>
  [yann.morin.1998@free.fr:
    - move the SHARP_SIGN definition out of Makefile and into support/
    - expand the commit log
  ]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 35c5cf56d21a250f8c86443a84e0b32301a70665)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gvfs: fix CVE-2019-12795
  Fabrice Fontaine, 2020-04-07, 2 files changed, -0/+99

  daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit a9f38acbf2c28a9ec8c8e8e24e56b9ed4bc71778)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gvfs: fix CVE-2019-12449
  Fabrice Fontaine, 2020-04-07, 2 files changed, -0/+87

  An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit fc42ac086a1a897be5ca997e416040560aa15cb6)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gvfs: fix CVE-2019-12447
  Fabrice Fontaine, 2020-04-07, 3 files changed, -0/+129

  An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 062d0f6913ed6e787123b32d0d8ffe9703efe3ce)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gvfs: fix CVE-2019-12448
  Fabrice Fontaine, 2020-04-07, 2 files changed, -0/+134

  An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit e49aa31f5ccd19078765e170dbfd01ff6e7fcb14)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gvfs: fix CVE-2019-3827
  Fabrice Fontaine, 2020-04-07, 2 files changed, -0/+49

  An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modifying arbitrary files by privileged users without asking for a password when no authentication agent is running. This vulnerability can be exploited by malicious programs running under privileges of users belonging to the wheel group to further escalate their privileges by modifying system files without the user's knowledge. Successful exploitation requires uncommon system configuration.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 346040e269162cebfb5f127c3e6baaa128880f6c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/vala: fix wrapper
  Adam Duskett, 2020-04-07, 1 file changed, -1/+1

  Add double quotes around the $@ variable to prevent word splitting.

  Reported-by: Yann E. MORIN <yann.morin.1998@free.fr>
  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
  [yann.morin.1998@free.fr: s/globbing/word splitting/]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 30b6db05cb29b3a79c85f3bcc9c30a18d03c6cfa)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* docs/manual: small typo fixes and cleanup
  Merlin Büge, 2020-04-07, 4 files changed, -5/+5

  Fix a few punctuation mistakes.

  The removed link is redundant, see the previous sentence.

  Signed-off-by: Merlin Büge <merlin.buege@tuhh.de>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 20bd811c7ed5240d6eccde918161222de3bb6b4d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libical: fix CVE-2016-9584
  Fabrice Fontaine, 2020-04-07, 2 files changed, -0/+30

  libical allows remote attackers to cause a denial of service (use-after-free) and possibly read heap memory via a crafted ics file.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 69b51259a2cccbbeff106b7d3536832ab999c0f1)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/pure-ftpd: fix CVE-2020-9274
  Fabrice Fontaine, 2020-04-07, 2 files changed, -0/+38

  An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 1d8426b32cb030888cbd3d8abdc2b4dc70e987c8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/hiredis: security bump to version 0.14.1
  Fabrice Fontaine, 2020-04-07, 2 files changed, -4/+4

  - Fix CVE-2020-7105: async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a NULL pointer dereference because malloc return values are unchecked.
  - Update indentation of hash file (two spaces)

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 40bc86afe9bf2bf2d443fcfc10d8ddb371598098)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/busybox: fix target-finalize hook
  Carlos Santos, 2020-04-07, 1 file changed, -2/+2

  It was searching for CONFIG_ASH=y and CONFIG_HUSH=y at $(@D)/.config, which does not contain the package build path at the target-finalize step. Use $(BUSYBOX_DIR), instead.

  Signed-off-by: Carlos Santos <unixmania@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 9ab1d565eef8935694d12bff2cd33c64b7a97f0f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/collectd: keep postgresql_default.conf when needed
  Pascal de Bruijn, 2020-04-07, 1 file changed, -0/+6

  $(TARGET_DIR)/usr/share/collectd/postgresql_default.conf should not be removed when postgresql support is enabled, as that module tries to load that file by default.

  Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 35e845700fb15b4ab30678c073300b508db4eb95)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/screen: add linux-pam optional dependency
  Fabrice Fontaine, 2020-04-07, 1 file changed, -0/+7

  linux-pam is an optional dependency for more than 5 years:
  https://git.savannah.gnu.org/cgit/screen.git/commit/src/configure.ac?h=screen-v4&id=a8dc1fb5b47ee52c79884fc5270805a3a39cda4a

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit c685bded08f02ded5d45136e7a1328354bf6515f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/{bluez5_utils, bluez5_utils-headers}: security bump to version 5.54
  Jörg Krause, 2020-04-06, 3 files changed, -3/+3

  Fixes the following security issue:

  - CVE-2020-0556: Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

  Changes since version 5.52:

  5.54:
    Fix issue with HOGP to accept data only from bonded devices.
    Fix issue with A2DP sessions being connected at the same time.
    Fix issue with class UUID matches before connecting profile.
    Add support for handling MTU auto-tuning option for AVDTP.
    Add support for new policy for Just-Works repairing.
    Add support for Enhanced ATT bearer (EATT).

  5.53:
    Fix issue with handling unregistration for advertisement.
    Fix issue with A2DP and handling recovering process.
    Fix issue with updating input device information.
    Add support for loading blocked keys.

  Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 3a678c952f4394b119d884ef22910f30860e1c2e)
  [Peter: mention security issue]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/{bluez5_utils, bluez5_utils-headers}: bump version to 5.52
  Bernd Kuhls, 2020-04-06, 3 files changed, -3/+3

  Release notes: http://www.bluez.org/release-of-bluez-5-52/

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit f18f5c3aa7220d02e19d3b294ef4afbbda512034)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/{bluez5_utils, bluez5_utils-headers}: bump version to 5.51
  Bernd Kuhls, 2020-04-06, 4 files changed, -71/+3

  Release notes: http://www.bluez.org/release-of-bluez-5-51/

  Removed patch applied upstream.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 74f6a8f8e3c770639537ce51fef8e91e17cc59b8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bluez5_utils: fix build with kernel >= 5.2
  Fabrice Fontaine, 2020-04-06, 1 file changed, -0/+68

  Fixes:
  - http://autobuild.buildroot.org/results/1b965c5d9c782d6689041eeeb7be3be4a4854346

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 4666e85cfbd482766d0f685869689749f44aea0c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/civetweb: add zlib optional dependency
  Fabrice Fontaine, 2020-04-06, 1 file changed, -0/+6

  zlib is an optional dependency since version 1.11 and
  https://github.com/civetweb/civetweb/commit/6b8b15935378f71323ff95f907fa0d33841deac0

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 41dfe5707cc7704d74604879035882b01f349ce8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series
  Peter Korsgaard, 2020-04-06, 3 files changed, -9/+9

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit caaee4fd66a111a3c58840a0d01b2812d70a2e90)
  [Peter: drop 5.4.x bump]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* toolchain/toolchain-external: fix call to check_kernel_headers_version
  Thomas Petazzoni, 2020-04-06, 1 file changed, -1/+1

  The external toolchain configure step calls the check_kernel_headers_version make function to compare the kernel headers version declared in the configuration with the actual kernel headers of the toolchain.

  This function takes 4 arguments, but due to a missing comma what should be the first two arguments are both passed into the first argument.

  Due to this, when check_kernel_headers_version does:

    if ! support/scripts/check-kernel-headers.sh $(1) $(2) $(3) \
        $(if $(BR2_TOOLCHAIN_HEADERS_LATEST),$(4),strict); \

  Then:

    $(1) contains "$(BUILD_DIR) $$(call toolchain_find_sysroot,$$(TOOLCHAIN_EXTERNAL_CC))"
    $(2) contains "$$(call qstrip,$$(BR2_TOOLCHAIN_HEADERS_AT_LEAST))"
    $(3) contains "$$(if $$(BR2_TOOLCHAIN_EXTERNAL_CUSTOM),loose,strict))"

  So from the point of view of check-kernel-headers.sh, it already has four arguments, and therefore the additional argument passed by:

    $(if $(BR2_TOOLCHAIN_HEADERS_LATEST),$(4),strict); \

  is ignored, defeating the $(BR2_TOOLCHAIN_HEADERS_LATEST) test.

  The practical consequence is that a toolchain that has 5.4 kernel headers but declared as using 5.3 kernel headers does not abort the build, because the check is considered "loose" while it should be "strict".

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 96f8d0bb4605d119d9c52b22e0032935b1fe8a29)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/php: security bump to version 7.3.16 (Peter Korsgaard, 2020-03-28, 2 files, -2/+2)

    Changelog: https://www.php.net/ChangeLog-7.php#7.3.16

    Fixes CVE-2020-7064, CVE-2020-7065 & CVE-2020-7066.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/tor: security bump to version 3.5.10 (Peter Korsgaard, 2020-03-28, 2 files, -2/+2)

    Fixes the following security issues:

    - Fix a denial-of-service bug that could be used by anyone to consume
      a bunch of CPU on any Tor relay or authority, or by directories to
      consume a bunch of CPU on clients or hidden services. Because of the
      potential for CPU consumption to introduce observable timing
      patterns, we are treating this as a high-severity security issue.
      Fixes bug 33119; bugfix on 0.2.1.5-alpha. Found by OSS-Fuzz. We are
      also tracking this issue as TROVE-2020-002 and CVE-2020-10592.

    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In libseccomp
      <2.4.0 this led to some rules having no effect. libseccomp 2.4.0
      changed how rules are generated, leading to a different ordering,
      which in turn led to a fatal crash during startup. Fixes bug 29819;
      bugfix on 0.2.5.1-alpha. Patch by Peter Gerber.

    For more details, see the changelog:
    https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.10

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* boot/barebox-aux: exclude git downloads from hash check (Yann E. MORIN, 2020-03-27, 1 file, -0/+4)

    When barebox, and thus barebox-aux, are downloaded from a git tree,
    then barebox-aux download fails because a hash check is attempted on
    the downloaded archive:

        Could not fetch special ref 'v2020.03.0'; assuming it is not special.
        ERROR: No hash found for barebox-aux-v2020.03.0.tar.gz

    This is because we only exclude from the check the archive of the
    bare barebox:

        BR_NO_CHECK_HASH_FOR += $(BAREBOX_SOURCE)

    However, the default name of an archive is based on the package name,
    which for barebox-aux is not 'barebox'.

    Since barebox-aux really uses the exact same source as the bare
    barebox, it should also share the archive name. This has two direct
    consequences and advantages:

    - the hash check is completely avoided for the barebox-aux archive;
    - the barebox-aux archive is not downloaded as it is already
      downloaded for barebox.

    Reported-by: Yegor Yefremov <yegorslists@googlemail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    Tested-by: Yegor Yefremov <yegorslists@googlemail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 451ee6fa5454158b5d95cef0f404c0443dde868e)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* boot/barebox-aux: store downloads in same dir as bare barebox (Yann E. MORIN, 2020-03-27, 1 file, -0/+2)

    barebox and barebox-aux are really the same package, from the same
    URL and the same version. They deserve being stored in the same
    directory.

    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    Cc: Yegor Yefremov <yegorslists@googlemail.com>
    Tested-by: Yegor Yefremov <yegorslists@googlemail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit ca7fa117b168e0de81dda35c8cabb615c352a0e9)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>