aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
* support/download: Fix tarball generation with symlinks pointing to ./somethingGravatar Jean-pierre Cartal2021-03-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a --transform expression is provided, it is by default also applied to the target of a symlink. When we create tarballs (from git or svn checkouts), we use a --transform expression to replace the leading ./ with the package name and version. This causes issues when a package contains symlinks that points to ./something, as the leading './' is also replaced. Fix that by using the 'S' transformation scope flag, as described in the tar manual: https://www.gnu.org/software/tar/manual/html_node/transform.html#transform In addition, several transformation scope flags are supported, that control to what files transformations apply. These are: ‘r’ Apply transformation to regular archive members. ‘R’ Do not apply transformation to regular archive members. ‘s’ Apply transformation to symbolic link targets. ‘S’ Do not apply transformation to symbolic link targets. ‘h’ Apply transformation to hard link targets. ‘H’ Do not apply transformation to hard link targets. Default is ‘rsh’ [...]. Fixes: #13616 Signed-off-by: Jean-pierre Cartal <jpcartal@free.fr> Tested-by: Yann E. MORIN <yann.morin.1998@free.fr> Acked-by: Yann E. MORIN <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/zstd: security bump to version 1.4.9Gravatar Fabrice Fontaine2021-03-232-3/+3
| | | | | | | | | | | | | | | Fix CVE-2021-24032: Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties. https://github.com/facebook/zstd/releases/tag/v1.4.9 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 74ed1b5ca09ac02a354245dc662d4cd8d11727e8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/zstd: bump to version 1.4.8Gravatar Fabrice Fontaine2021-03-233-44/+4
| | | | | | | | | | | | | Drop patch (already in version) https://github.com/facebook/zstd/releases/tag/v1.4.7 https://github.com/facebook/zstd/releases/tag/v1.4.8 (No 1.4.6 release) Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 202c083f4a6d0ea10d408ed80dd4acdf31db16e0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: update Nicolas Serafini e-mail addressGravatar Nicolas Serafini2021-03-231-1/+1
| | | | | | | Signed-off-by: Nicolas Serafini <nicolas.serafini@ik.me> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit cd9ffd94737ce76664394972dbcdce2828f5e0f6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mosquitto: security bump to v1.6.14Gravatar Titouan Christophe2021-03-232-3/+3
| | | | | | | | This is a bugfix release and include a minor security fix. Read the announcement on https://mosquitto.org/blog/2021/03/version-2-0-9-released/ Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/batman-adv: add note about linux mainline kernel module alternativeGravatar Peter Seiderer2021-03-231-0/+2
| | | | | | | | | | | | | Since version 2.6.38 batman-adv is integreated into the linux mainline kernel ([1], [2]) so add a note about it in the Config.in help text. [1] https://kernelnewbies.org/Linux_2_6_38 [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c6c8fea29769d998d94fcec9b9f14d4b52b349d3 Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 8ec31f1bc325d8544c8da2922d857272900f3ded) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/batman-adv: fix compile with BR2_PACKAGE_BATMAN_ADV_BATMAN_V disabledGravatar Peter Seiderer2021-03-231-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | Commit e8b1eeb2f3f5 (package/batman-adv: fix compile with BR2_PACKAGE_BATMAN_ADV_BATMAN_V disabled) was tested against an RPi4 linux kernel already enabling the build-in batman-adv module inlcusive batman-v, hence it missed the case where the in-tree module is not enabled. Taking a deeper look at the configure script gen-compat-autoconf.sh reveals that the batman feature options must be explicitly set to 'y' or 'n' to work as expected. Fixes: ERROR: modpost: "batadv_v_mesh_free" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined! ERROR: modpost: "batadv_v_mesh_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined! ERROR: modpost: "batadv_v_hardif_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined! ERROR: modpost: "batadv_v_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined! Reported-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Seiderer <ps.report@gmx.net> [yann.morin.1998@free.fr: add blurb about tests on previous commit] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 20b9724ee25d61d6ee23a43057886d64eb8ddbda) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/batman-adv: fix compile with BR2_PACKAGE_BATMAN_ADV_BATMAN_V disabledGravatar Peter Seiderer2021-03-231-4/+6
| | | | | | | | | | | | | | | | | | | | | | The given 'CONFIG_BATMAN_ADV_BATMAN_V=' is enough to trigger the wrong code compile path in net/batman-adv/bat_v.h missing the static inline dummy implementations. Fixes: ERROR: modpost: "batadv_v_mesh_free" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined! ERROR: modpost: "batadv_v_mesh_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined! ERROR: modpost: "batadv_v_hardif_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined! ERROR: modpost: "batadv_v_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined! Signed-off-by: Peter Seiderer <ps.report@gmx.net> [yann.morin.1998@free.fr: - move all conditional options together - slight cleanup/reorganise ] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit e8b1eeb2f3f5f0bfd089704ccad57e5665f5813a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* support/dependencies: detect and bailout when PATH contains spaces/TABsGravatar Yann E. MORIN2021-03-211-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In Makefiles, variables are split, filtered, and otherwise mangled on a space as a separator. In a shell, they will also be split on TABs. We split and filter and iterate on variables in a lot of places, and most importantly, spaces in PATH is very seldom tested, if at all, so a lot of packages will not be working properly in such a situation. For example, the config.guess contains constructs that are not resilient to a space in PATH: PATH=$PATH:/.attbin ; export PATH Also, our fakedate will iterate over PATH: for P in `echo $PATH | tr ':' ' '`; do Those are only two cases, but the first means basically all autotools-based packages are susceptible to subtle breakage. Furthermore, Buildroot itself does not support that the top-level or output directories are in a path with spaces anyway. So, instead of chasing all cases that might be potentially broken, let's just detect the case and bail out, like we already do when PATH contains a \n, or when it contains the current working directory. Reported-by: Dan Raymond <draymond@foxvalley.net> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit e36974d9e8c30227dc492c03737ef5951452cb29) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sconeserver: pcre is optional, not mandatoryGravatar Fabrice Fontaine2021-03-212-2/+4
| | | | | | | | | | pcre is optional not mandatory since https://github.com/sconemad/sconeserver/commit/98ec61436c9ea68ffe2d70a818c1175dcafa2a79 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 754633fe8c306190c00087662df42f5b740c8754) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sconeserver: drop unrecognized optionsGravatar Fabrice Fontaine2021-03-212-34/+2
| | | | | | | | | | | | | | | | | | | | | | | Drop Magick++-config, lettuce and ui options which are not recognized since latest bump in commit ca17e0c7a02298b0250cdc121bcacef0b58fffe1 (back in 2018). Indeed: - Magick++-config is not used since https://github.com/sconemad/sconeserver/commit/b025999b8a9a9715b72d0fc8ccbf0888e163388f - Experimental UI and lettuce modules have been dropped since https://github.com/sconemad/sconeserver/commit/ccc1efdb8981fbef63a714ff6315c8a18372090a Moreover, replace sconesite-image by image (broken since 2013 and https://github.com/sconemad/sconeserver/commit/7693301fdb0076bf7676eb2db278c2f015ac7157) As UI and lettuce options are broken since a long time, it does not seem useful to add entries in Config.in.legacy Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit d3b818c3cf0990117a8b59fcfc6c212f310ae6ec) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/protobuf: disable package if binutils is affected from bug 21464Gravatar Giulio Benetti2021-03-201-0/+1
| | | | | | | | | | | | | This package is affected from binutils bug 21464, since there is no workaround, let's disable it. Fixes: http://autobuild.buildroot.net/results/908/9084cd777aefe0fa8235514c33767d8640ad7a5b/ Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 9e71b6e2cb28a66e116019bf8808fb48cef1d7b9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* toolchain: introduce BR2_TOOLCHAIN_HAS_BINUTILS_BUG_21464Gravatar Giulio Benetti2021-03-201-0/+6
| | | | | | | | | | | | | | | | | | The OpenRISC binutils is affected by a linker bug (binutils bug 21464) for which no workaround exists. This causes build breakage in a number of packages, so this commit introduces a BR2_TOOLCHAIN_HAS_BINUTILS_BUG_21464 option to identify this bug. As all binutils versions are affected, this option is true whenever the configuration targets OpenRISC. The bug was already reported and it's been recently updated: https://sourceware.org/bugzilla/show_bug.cgi?id=21464 Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 227cefef41f4edd4eaae3c2068fb41d236370f29) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: Add Ryan Barnett for opkg and opkg-utilsGravatar Ryan Barnett2021-03-201-0/+2
| | | | | | | Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit c994860de5431bda81569eb0e745bdb4339b195f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/docker-containerd: security bump to 1.4.4Gravatar Christian Stewart2021-03-202-2/+2
| | | | | | | | | | | | | | | | | | | | | Security fix for CVE-2021-21334: https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4 Other changes: - Fix container create in CRI to prevent possible environment variable leak between containers - Update shim server to return grpc NotFound error - Add bounds on max oom_score_adj value for shim's AdjustOOMScore - Update task manager to use fresh context when calling shim shutdown - Update Docker resolver to avoid possible concurrent map access panic - Update shim's log file open flags to avoid containerd hang on syscall open - Fix incorrect usage calculation Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 43a766e92d3b147c2118b9eb1ae008026d94f995) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-rpi-ws281x: set proper licenseGravatar Grzegorz Blach2021-03-201-1/+1
| | | | | | | | | | The license is BSD-2-Clause, not MIT. Signed-off-by: Grzegorz Blach <grzegorz@blach.pl> [yann.morin.1998@free.fr: split off into its own commit] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 7b5d624bb66f29a20c96fcfc85741cdd61154eef) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* boot/grub2: Backport 2021/03/02 securify fixesGravatar Stefan Sørensen2021-03-20121-1/+26015
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Details: https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html As detailed in commit 7e64a050fbd9add07ed84d48054ffee1b659d079, it is difficult to utilize the upstream patches directly, so a number of patches include changes to generated files so that we don't need invoke the gentpl.py script. In addition to the security fixes, these required patches has been backported: f76a27996 efi: Make shim_lock GUID and protocol type public 04ae030d0 efi: Return grub_efi_status_t from grub_efi_get_variable() ac5c93675 efi: Add a function to read EFI variables with attributes d7e54b2e5 efi: Add secure boot detection The following security issues are fixed: CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted ACPI tables when Secure Boot is enabled CWE-184 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H GRUB2 enables the use of the command acpi even when Secure Boot is signaled by the firmware. An attacker with local root privileges to can drop a small SSDT in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT then gets run by the kernel and it overwrites the kernel lock down configuration enabling the attacker to load unsigned kernel modules and kexec unsigned code. Reported-by: Máté Kukri ******************************************************************************* CVE-2020-25632 grub2: Use-after-free in rmmod command CWE-416 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload a module used as dependency without checking if any other dependent module is still loaded. This leads to an use-after-free scenario possibly allowing an attacker to execute arbitrary code and by-pass Secure Boot protections. Reported-by: Chris Coulson (Canonical) ******************************************************************************* CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize() CWE-787 6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H grub_usb_device_initialize() is called to handle USB device initialization. It reads out the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption. If properly exploited, this would lead to arbitrary code execution allowing the attacker to by-pass Secure Boot mechanism. Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive) ******************************************************************************* CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline CWE-121 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H grub_parser_split_cmdline() expands variable names present in the supplied command line in to their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution. An attacker may use this to circumvent Secure Boot protections. Reported-by: Chris Coulson (Canonical) ******************************************************************************* CVE-2020-27779 grub2: The cutmem command allows privileged user to remove memory regions when Secure Boot is enabled CWE-285 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H The GRUB2's cutmem command does not honor Secure Boot locking. This allows an privileged attacker to remove address ranges from memory creating an opportunity to circumvent Secure Boot protections after proper triage about grub's memory layout. Reported-by: Teddy Reed ******************************************************************************* CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705 CWE-281 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro specific flaw which made upstream in the mentioned version. If certificates that signed GRUB2 are installed into db, GRUB2 can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in Secure Boot mode and will implement lock down, yet it could have been tampered. This flaw only affects upstream and distributions using the shim_lock verifier. Reported-by: Dimitri John Ledkov (Canonical) ******************************************************************************* CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser CWE-787 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H The option parser in GRUB2 allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. Reported-by: Daniel Axtens (IBM) ******************************************************************************* CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of space required for quoting CWE-787 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H There's a flaw on GRUB2 menu rendering code setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters. This allow an attacker to corrupt memory by one byte for each quote in the input. Reported-by: Daniel Axtens (IBM) ******************************************************************************* Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 1bad50722007620c233e5efeb423876e7e428af1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* boot/uboot: fix kconfig with per-package directories and host-makeGravatar Nicolas Toromanoff2021-03-201-0/+1
| | | | | | | | | | | | | | If PER_PACKAGE_DIRECTORIES=Y and using host-make package (because BR2_FORCE_HOST_BUILD=Y or local make is too old) .stamp_dotconfig target needs per-package/uboot/host/bin/host-make that doesn't exist yet. Add host-make into UBOOT_KCONFIG_DEPENDENCIES. Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 3cf8173e5c3d23c3b147a3a083082409f09869ee) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/opkg-utils: add missing dependencies for host buildGravatar Ryan Barnett2021-03-201-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | opkg-utils is a collection of bash and python scripts which require additional commands/tools be available for the bash scripts. The full list of dependencies that the opkg-util scripts require is: bash binutils bzip2 coreutils diffutils findutils grep gzip lz4 python3 sed tar xz The Buildroot manual requires a few packages (bash, binutils, bzip2, gzip, sed and tar) to be installed on the host system, so we need not add those. Additionally, and even though they are not in that list, that grep and find are also required (we already make extensive use of both everywhere, so it is as good as them being in the list). We have a host variant for coreutils, but only for systems that do not already have a recent-enough one, i.e. that provides 'realpath' and 'ln --relative'. opkg-utils uses neither, so can rely on the ones on the system. Only add dependencies on the remaining host tools: diffutils, lz4, and xz. Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com> [yann.morin.1998@free.fr: - drop excessive dependencies, - reword the commit log accordingly ] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 9521492bd0706fbb5c81e87b65ad25898f974f4d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/diffutils: add host packageGravatar Ryan Barnett2021-03-201-0/+1
| | | | | | | Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 819637e0e977493bcb176a82981b6916aeca8793) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/opkg-utils: remove build stepGravatar Ryan Barnett2021-03-201-4/+1
| | | | | | | | | | | | | | | | opkg-utils is a package that only provides bash and python scripts. Upon further inspection of the Makefile for the package, invoking `make` only ever builds the manpage. The previous commit dropped the installation of the manpage. This makes the build step unnecessary so remove it. Add a comment to explain the situation Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com> [yann.morin.1998@free.fr: reword commit log] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 05bf014f56c0c99f08c93db7829e8fd53af3c9a8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/opkg-utils: install only utility scriptsGravatar Ryan Barnett2021-03-202-1/+51
| | | | | | | | | | | | | | | | | | When `make install` is run to install the opkg-utils scripts, it also invokes building of the man page for opkg-build. The generation of the man page requires `pod2man` executable which is a part of perl. Since buildroot does not support man pages in the host directory, patch the opkg-utils Makefile to separate the installation of man pages and utility scripts. With the options to install man pages and utils separately, only install the opkg-utils scripts. Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 0424eee0ee63e6ad85f3ce8ec24d1bb23088fd02) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: remove myself for aufsGravatar Christian Stewart2021-03-191-3/+0
| | | | | | | | | | Aufs has been deprecated for the purposes of Docker/containers since overlay2 became the mainline kernel module of choice. Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 8a99b47ec2606141560ddba769ad8d1d35baf252) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mbedtls: security bump to version 2.6.10Gravatar Fabrice Fontaine2021-03-192-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | - Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating |A| - |B| where |B| is larger than |A| and has more limbs (so the function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only applications calling mbedtls_mpi_sub_abs() directly are affected: all calls inside the library were safe since this function is only called with |A| >= |B|. - Fix an errorneous estimation for an internal buffer in mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd value the function might fail to write a private RSA keys of the largest supported size. - Fix a stack buffer overflow with mbedtls_net_poll() and mbedtls_net_recv_timeout() when given a file descriptor that is beyond FD_SETSIZE. - Guard against strong local side channel attack against base64 tables by making access aceess to them use constant flow code. https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> [yann.morin.1998@free.fr: fix the hash after upstream mess-up] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 694c7d3ecee92eae84e9781acca4e5630b92d427) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/transmission: fix sysv init script (name vs. exec)Gravatar Peter Seiderer2021-03-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | With the start-stop-daemon enabled (instead of the busybox applet), stopping transmission emits spurious warnings: $ /etc/init.d/S92transmission stop Stopping bittorrent client transmission-daemon... start-stop-daemon: warning: this system is not able to track process names longer than 15 characters, please use --exec instead of --name. Update our startup script to match what was done upstream 9 years ago: https://trac.transmissionbt.com/ticket/4724 https://trac.transmissionbt.com/wiki/Scripts/initd?action=diff&version=24&old_version=23 Partially fixes: - https://bugs.busybox.net/show_bug.cgi?id=13576 Reported-by: ingineru_de_sistem@yahoo.com Signed-off-by: Peter Seiderer <ps.report@gmx.net> [yann.morin.1998@free.fr: - reword commit log - add reference to upstream ticket and changeset ] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 45d326a08c7838658f1ed9813967ea8caeff7495) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sysvinit: add patch to fix compile without stack-protector supportGravatar Peter Seiderer2021-03-191-0/+33
| | | | | | | | | | | | | | | | | | In Buildroot, the SSP flags are passed via the wrapper, and only flags supported by the toolchain will be used. Add patch to remove '-fstack-protector-strong' compile flag. Fixes: .../aarch64-buildroot-linux-uclibc/bin/ld: runlevel.o: in function `main': runlevel.c:(.text.startup+0x4): undefined reference to `__stack_chk_guard' .../aarch64-buildroot-linux-uclibc/bin/ld: cannot find -lssp_nonshared .../aarch64-buildroot-linux-uclibc/bin/ld: cannot find -lssp Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 50cbac5099b1767c8f69509a900dae2b58ca66ff) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/wolfssl: security bump to version 4.7.0Gravatar Fabrice Fontaine2021-03-162-2/+2
| | | | | | | | | | | | | | | Fix CVE-2021-3336: DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers. https://github.com/wolfSSL/wolfssl/releases/tag/v4.7.0-stable Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 238b5df775ac67f0e43afbbf3f2a5e72be275795) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libjpeg: fix LIBJPEG_SITEGravatar Yann E. MORIN2021-03-161-1/+1
| | | | | | | | | | | | Commit b83184de674a (package/libjpeg: switch to s.b.o. as source site) improperly added a trailing slash '/' at the end of LIBJPEG_SITE, causing builds to fail: package/libjpeg/libjpeg.mk:35: *** LIBJPEG_SITE (http://sources.buildroot.org/libjpeg/) cannot have a trailing slash. Stop. Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 308f4428c8d8cbe6ea563b295f590a4c3da23646) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/asterisk: fix build failure due to gcc bug 93847Gravatar Giulio Benetti2021-03-161-0/+8
| | | | | | | | | | | | | | | | The asterisk package exhibits gcc bug 93847 when built for the Nios2 architecture with optimization enabled, which causes a build failure. As done for other packages in Buildroot work around this gcc bug by setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_93847=y. Fixes: http://autobuild.buildroot.net/results/24c0a6ca3b272711a1e6ceaa033925182d0d49c4 Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 830fb82822c4a0948fd2dc45ec7851908220e801) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/asterisk: remove default -O3 optimization flagGravatar Giulio Benetti2021-03-161-0/+3
| | | | | | | | | | | Actually asterisk package gets built with -O3 cflag since it's defaulted into its sources, but it's not what we want, so let's empty its OPTIMIZE Makefile variable letting Buildroot CFLAGS to take place instead. Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit eaba3c8e131e21c4bae79483211685942e035300) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libjpeg: switch to s.b.o. as source siteGravatar Yann E. MORIN2021-03-161-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes #13581 The tarball for version 9d, released 2020-01-12, has been silently replaced upstream (a unicode BOM was removed from a few files), causing hash mismatch. This means that all our versions since 2020.02 will fail the hash check, and fallback to using s.b.o. so we can't update the copy we have on s.b.o. As a consequence, we can't update the hash in master (soon 2021.02) otherwise it would not match what we have on s.b.o. This means that users will see hash mismatch by default, which is not very nice. Although we can't do anything for all previous releases, we can still try to paper over the problem for the future ones, like 2021.02, by switching the upstream to be s.b.o. Sigh... :-( Reported-by: Nick Shaforostov <mshaforostov@airmusictech.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit b83184de674a6d68e110d5666685edb0a7374d74) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/jasper: bump version to 2.0.26Gravatar Michael Vetter2021-03-162-2/+2
| | | | | | | | | | | Changes: * Fix JP2 decoder bug that can cause a null pointer dereference for some invalid CDEF boxes. (#268) Signed-off-by: Michael Vetter <jubalh@iodoru.org> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 5742a0f33e285e27c5ae37b32cf5570bfa856946) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot-pigeonhole: bump version to 0.5.14Gravatar Bernd Kuhls2021-03-162-2/+2
| | | | | | | | | | Release notes: https://dovecot.org/pipermail/dovecot-news/2021-March/000456.html Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 9b29e94980c134065f360a4beaa70be86bb0befd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot: bump version to 2.3.14Gravatar Bernd Kuhls2021-03-162-2/+2
| | | | | | | | | | Release notes: https://dovecot.org/pipermail/dovecot-news/2021-March/000455.html Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 5a16d4536066281054305bdaec43023a52281074) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gnuchess: security bump to version 6.2.7Gravatar Fabrice Fontaine2021-03-162-3/+3
| | | | | | | | | | | | | | | | Fix CVE-2019-15767: In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_load function in frontend/cmd.cc via a crafted chess position in an EPD file. Update indentation in hash file (two spaces) https://lists.gnu.org/archive/html/info-gnu-chess/2020-04/msg00000.html https://lists.gnu.org/archive/html/info-gnu-chess/2020-05/msg00000.html Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 5d9fb6a2ae94238c7b5a80e9d780c162023ba7e9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sox: fix static build with magicGravatar Fabrice Fontaine2021-03-161-0/+48
| | | | | | | | | | | | | This build failure is raised since bump to 7524160b29a476f7e87bc14fddf12d349f9a3c5e Fixes: - http://autobuild.buildroot.org/results/d96f27cd96926060046e2e1115777f5bceda3741 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> (cherry picked from commit 183d583fb5f19eb11637873d73e13fe14536efa6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libebml: security bump to version 1.4.2Gravatar Fabrice Fontaine2021-03-142-2/+2
| | | | | | | | | | | | | Fix CVE-2021-3405: A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml. https://github.com/Matroska-Org/libebml/blob/release-1.4.2/ChangeLog Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit ff18652b425c001ae06ce717790ebe2068735bc2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libebml: bump to version 1.4.0Gravatar Fabrice Fontaine2021-03-142-3/+3
| | | | | | | | | Update indentation in hash file (two spaces) Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 89fe7e140b67fbd4e202572c615bf407029b50d4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/wpa_supplicant: add upstream 2021-1 security fixGravatar Peter Korsgaard2021-03-142-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following security issue: - wpa_supplicant P2P provision discovery processing vulnerability (no CVE yet) A vulnerability was discovered in how wpa_supplicant processes P2P (Wi-Fi Direct) provision discovery requests. Under a corner case condition, an invalid Provision Discovery Request frame could end up reaching a state where the oldest peer entry needs to be removed. With a suitably constructed invalid frame, this could result in use (read+write) of freed memory. This can result in an attacker within radio range of the device running P2P discovery being able to cause unexpected behavior, including termination of the wpa_supplicant process and potentially code execution. For more details, see the advisory: https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt Signed-off-by: Peter Korsgaard <peter@korsgaard.com> [yann.morin.1998@free.fr: actually add the patch URL to the patch list] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 9ada4eb2f1c3d67ee49f6f5466738bcd821fc647) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python{3}-pyyaml: switch to setuptoolsGravatar Asaf Kahlon2021-03-141-1/+1
| | | | | | | | | | | | | Since version 5.4.0 pyyaml uses setuptools (see https://github.com/yaml/pyyaml/blob/master/CHANGES) Fixes: - http://autobuild.buildroot.net/results/bc36ae51a1e4d70c5fd2a3eb4b458aba4220f2dc Signed-off-by: Asaf Kahlon <asafka7@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit d64a905d9f8ec61eb4390f7b0317f070c6869ed5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-pyyaml: security bump to version 5.4.1Gravatar Fabrice Fontaine2021-03-142-5/+5
| | | | | | | | | | | | | | | | | | | | | Fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. Update hash of LICENSE file (update in year: https://github.com/yaml/pyyaml/commit/58d0cb7ee09954c67fabfbd714c5673b03e7a9e1) https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit de43a9775d4646035b18eb5737e5fa4cd2eeedea) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/redis: security bump to version 5.0.12 (CVE-2021-21309)Gravatar Thomas De Schampheleire2021-03-132-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | References: https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf https://nvd.nist.gov/vuln/detail/CVE-2021-21309 "Impact: An integer overflow bug in 32-bit Redis version 4.0 or newer could be exploited to corrupt the heap and potentially result with remote code execution. Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer overflow scenarios, which would result with buffer overflow and heap corruption. We believe this could in certain conditions be exploited for remote code execution. By default, authenticated Redis users have access to all configuration parameters and can therefore use the “CONFIG SET proto-max-bulk-len” to change the safe default, making the system vulnerable. This problem only affects 32-bit Redis (on a 32-bit system, or as a 32-bit executable running on a 64-bit system). Patches The problem is fixed in version 6.2, and the fix is back ported to 6.0.11 and 5.0.11. Make sure you use one of these versions if you're running 32-bit Redis. " Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> [Peter: update to 5.0.12 to fix build on !glibc] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 10}.x seriesGravatar Peter Korsgaard2021-03-133-11/+11
| | | | | | | Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit f6e9e22ac99eb6cc2d6470b4edd289bf1b4381dc) [Peter: drop 5.10.x bump] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/prosody: security bump to 0.11.8Gravatar Francois Perrad2021-03-132-5/+5
| | | | | | | | | | | | | | | | | | From the release notes: https://blog.prosody.im/prosody-0.11.8-released/ This release also fixes a security issue, where channel binding, which connects the authentication layer (i.e. SASL) with the security layer (i.e. TLS) to detect man-in-the-middle attacks, could be used on connections encrypted with TLS 1.3, despite the holy texts declaring this undefined. https://issues.prosody.im/1542 Signed-off-by: Francois Perrad <francois.perrad@gadz.org> [Peter: mark as security bump, expand commit text] Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 9aba85e3f509498426bd37df8a043fdaa8220953) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/prosody: bump to version 0.11.7Gravatar Francois Perrad2021-03-132-5/+5
| | | | | | | Signed-off-by: Francois Perrad <francois.perrad@gadz.org> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 0f5e9efbd82c6a25f93f156080b8d613c8f9792a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/prosody: bump to version 0.11.6Gravatar Francois Perrad2021-03-132-5/+5
| | | | | | | Signed-off-by: Francois Perrad <francois.perrad@gadz.org> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit a925b4ee14741d102f9dc9ab9ae9093a3fc55337) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/prosody: bump to version 0.11.5Gravatar Francois Perrad2021-03-132-5/+5
| | | | | | | Signed-off-by: Francois Perrad <francois.perrad@gadz.org> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 4db08ef8607aad9928a66cb62f23edee8d55144e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/util-linux: disable runuser for the host buildGravatar Peter Seiderer2021-03-131-0/+1
| | | | | | | | | | | | | | | | | | | | runuser allows running commands as another user, but needs to run as root to be able to setuid(). But Buildroot does not require running as root, and so runuser can't be used. Incientally, that fixes host build in case unsuitable libs are found on the system: http://lists.busybox.net/pipermail/buildroot/2021-February/304261.html Reported-by: GA K <guyarkam@gmail.com> Signed-off-by: Peter Seiderer <ps.report@gmx.net> [yann.morin.1998@free.fr: - expand the commit log with a more fundamental explanation that runuser can't be used anyway ] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 955d6c099b2035dcca47554a735a4c700b5d3e1e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/privoxy: security bump to version 3.0.32Gravatar Peter Korsgaard2021-03-132-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Privoxy 3.0.32 fixes a number of security issues: - Security/Reliability: - ssplit(): Remove an assertion that could be triggered with a crafted CGI request. Commit 2256d7b4d67. OVE-20210203-0001. Reported by: Joshua Rogers (Opera) - cgi_send_banner(): Overrule invalid image types. Prevents a crash with a crafted CGI request if Privoxy is toggled off. Commit e711c505c48. OVE-20210206-0001. Reported by: Joshua Rogers (Opera) - socks5_connect(): Don't try to send credentials when none are configured. Fixes a crash due to a NULL-pointer dereference when the socks server misbehaves. Commit 85817cc55b9. OVE-20210207-0001. Reported by: Joshua Rogers (Opera) - chunked_body_is_complete(): Prevent an invalid read of size two. Commit a912ba7bc9c. OVE-20210205-0001. Reported by: Joshua Rogers (Opera) - Obsolete pcre: Prevent invalid memory accesses with an invalid pattern passed to pcre_compile(). Note that the obsolete pcre code is scheduled to be removed before the 3.0.33 release. There has been a warning since 2008 already. Commit 28512e5b624. OVE-20210222-0001. Reported by: Joshua Rogers (Opera) for more details, see the announcement: https://www.openwall.com/lists/oss-security/2021/02/28/1 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit e276d14cd846d396fd8e7c4fcc1f2c4c5613ba65) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/openssh: security bump to version 8.4p1Gravatar Christian Stewart2021-03-132-3/+3
| | | | | | | | | | | | | | | Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778 Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 6609cd0d8894771126cd82d95deb10180cb6cf41) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>