Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 004129e259)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ad104d1c63)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bc5ab96f7c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c29f2bff52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8f6158c37f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b0696cb678)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c81289645f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 08a6aab0f0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 716b8c4e7b)
[Peter: drop 6.0.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Denial of service fixes:
Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote
attacker.
• An invalid array of fixed-length elements where the length of the
array is not a multiple of the length of the element would cause an
assertion failure in debug builds or an out-of-bounds read in
production builds. This was a regression in version 1.3.0.
(dbus#413, CVE-2022-42011; Simon McVittie)
• A syntactically invalid type signature with incorrectly nested
parentheses and curly brackets would cause an assertion failure in
debug builds. Similar messages could potentially result in a crash or
incorrect message processing in a production build, although we are
not aware of a practical example. (dbus#418, CVE-2022-42010;
Simon McVittie)
• A message in non-native endianness with out-of-band Unix file
descriptors would cause a use-after-free and possible memory
corruption in production builds, or an assertion failure in debug
builds. This was a regression in version 1.3.0. (dbus#417,
CVE-2022-42012; Simon McVittie)
https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.12.24/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 29586aed96)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit ff0d534051 (package/iwd: bump version to 1.19), we are no
longer patching configure.ac, so autoreconfigure isn't needed anymore.
Signed-off-by: Daniel Lang <d.lang@abatec.at>
[yann.morin.1998@free.fr: reword with reference to ff0d534051]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1db79dffca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix memory leak in EdDSA verify processing. (CVE-2022-38178)
- Fix memory leak in ECDSA verify processing. (CVE-2022-38177)
- Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was a stale CNAME
in the cache for an incoming query. (CVE-2022-3080)
- Prevent excessive resource use while processing large delegations.
(CVE-2022-2795)
https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_33/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8c31f3b50f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is stable bugfix release of libmdbx. So it is reasonable to backport
this patch to all applicable releases/branches of Buildroot.
Release notes for v0.11.12
--------------------------
Fixes:
- Fixed static assertion failure on platforms where the `off_t` type is wider
than corresponding fields of `struct flock` used for file locking (backport).
Now _libmdbx_ will use `fcntl64(F_GETLK64/F_SETLK64/F_SETLKW64)` if available.
- Fixed assertion check inside `page_retire_ex()` (backport).
Minors:
- Fixed `-Wint-to-pointer-cast` warnings while casting to `mdbx_tid_t` (backport).
- Removed needless `LockFileEx()` inside `mdbx_env_copy()` (backport).
The complete ChangeLog: https://gitflic.ru/project/erthink/libmdbx/blob?file=ChangeLog.md
Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dd2ded3355)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a bug fix and enhancement release on the 3.7.x branch.
https://lists.gnupg.org/pipermail/gnutls-help/2022-September/004765.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2acba99893)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release contains fixes for three minor memory safety problems.
None are believed to be exploitable, but we report most memory safety
problems as potential security vulnerabilities out of caution.
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
Reported by Qualys
* ssh-keygen(1): double free() in error path of file hashing step in
signing/verify code; GHPR333
* ssh-keysign(8): double-free in error path introduced in openssh-8.9
https://www.openssh.com/txt/release-9.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bb571dc3e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, with security fixes for CVE-2022-32886 and CVE-2022-32912.
Release notes:
https://wpewebkit.org/release/wpewebkit-2.36.8.html
Accompanying security advisory:
https://wpewebkit.org/security/WSA-2022-0009.html
This also imports a build fix for ARM NEON targets.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fc523deaf9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ee62626e16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ebc9beaa6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since 2.5.1, volk has been undergoing a relicensing from GPL-3.0+ to the
LGPL-3.0+, which is still not completely done by some large margin), so
it is still covered by the GPL-3.0+, but has parts already covered by
the LGPL-3.0+.
We so far only listed GPL-3.0+, but we also had the license file for the
LGPL-3.0+.
Add LGPL-3.0+ to the list of licenses; the COPYING file is the text of
the GPL-3.0+, so we already had it listed (note: the package has a
COPYING-GPL, but i's a symlink to COPYING).
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
[yann.morin.1998@free.fr:
- split out to its own patch
- explain why we don't add COPYING-GPL
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0a397fa638)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since volk 2.5.1, C++17 is required, and no Boost component is used
anymore.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
[yann.morin.1998@free.fr: split out to its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 66215faa52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.
This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.
https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2e4c0e722f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We can't use BR2_PACKAGE_LIBOPENSSL to force selecting libopenssl, as
it is part of a choice. Instead, we have a symbol explicitly to force
libopenssl: BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL.
Use that.
Reported-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 60f97ad95a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
At the moment rtl8189es module has -DCONFIG_LITTLE_ENDIAN hardcoded and
there is no way to override it. So to do this let's add a patch that is
pending upstream[1] to allow to override CFLAGS and then let's undefine
CONFIG_LITTLE_ENDIAN and define the correct endianness in rtl8189es.mk
Fixes:
http://autobuild.buildroot.net/results/3bcad5e88876c86a2a3338961ed20f28b5953779/
[1]: https://github.com/jwrdegoede/rtl8189ES_linux/pull/83
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 79a1c5dcad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop have_mfpu_neon which has been added by commit
b07de37540 but is not recognized:
CMake Warning:
Manually-specified variables were not used by the project:
BUILD_DOC
BUILD_DOCS
BUILD_EXAMPLE
BUILD_EXAMPLES
BUILD_TEST
BUILD_TESTING
BUILD_TESTS
CMAKE_INSTALL_RUNSTATEDIR
have_mfpu_neon
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 27f6c1ab38)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
(https://github.com/redis/redis/blob/7.0.5/00-RELEASENOTES)
================================================================================
Redis 7.0.5 Released Wed Sep 21 20:00:00 IST 2022
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
state, with a specially crafted COUNT argument, may cause an integer overflow,
a subsequent heap overflow, and potentially lead to remote code execution.
The problem affects Redis versions 7.0.0 or newer
[reported by Xion (SeungHyun Lee) of KAIST GoN].
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit af56cfe372)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is currently the latest version in the v16.x branch.
Patch 0001-add-qemu-wrapper-support.patch needs some minor adaptations
to resolve conflicts with other unrelated upstream changes. The other
patches are simply refreshed.
The license file is updates due to:
- Reformatting changes
- Addition of the mention of some files being under GPLv3, but it's
only the autoconf machinery: aclocal.m4 and config.guess, so it's
not relevant to add in our LICENSE variable.
- Addition of the mention of another file being under the MIT
license (install-sh), and MIT is already listed, and this file is
anyway only part of the autoconf machinery.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a8a65d0951)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 1facb09b94 ("package/nodejs:
build host-nodejs only if we're installing modules with NPM") forgot
to account for the dependency on Qemu. Now that nodejs no longer
depends on host-nodejs, but needs host-qemu, we need to make sure that
nodejs selects the relevant BR2_PACKAGE_HOST_QEMU options.
So this patch:
- Drops the dependency of BR2_PACKAGE_NODEJS_ARCH_SUPPORTS on
BR2_PACKAGE_QEMU_ARCH_SUPPORTS_TARGET, which was incorrect: we
don't care about running Qemu on the target. We care about
host-qemu supporting the emulation of the target architecture,
which is what BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS is for.
- Adds the dependency to the relevant BR2_PACKAGE_HOST_QEMU options
to BR2_PACKAGE_NODEJS, so that host-qemu is built with the
appropriate features needed to build the target nodejs.
- Removes the qemu related dependencies from host-nodejs, which does
not need Qemu at all.
Without this change the build of nodejs without npm enabled is broken
as the host-qemu that gets built does not have all the features that
are needed. There are no autobuild failures at this point, however.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a88ba1548a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building host-nodejs is no longer needed to build the target nodejs,
unless npm is needed during the build, which happens when
BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL is used.
We need to make that host-python3 is built with bz2 and ssl
support. Until now, it was done by the BR2_PACKAGE_HOST_NODEJS option,
but now that the target nodejs no longer depends on host-nodejs, we
are no longer guaranteed to have a host-python3 with bz2/ssl. To make
sure it is the case, we select the relevant options from
BR2_PACKAGE_NODEJS.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1facb09b94)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The target nodejs package is building those tools, and running them
under Qemu, so it is not necessary for the host variant to install
them.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ec5589611a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since upstream commit 79da2534737bd090b7000beed68d225618606e53,
present since NodeJS 16.0.0, another call to the torque tool is done
in tools/v8_gypfiles/v8.gyp, but our patch to wrap calls to such tools
under Qemu forgot this addition. Due to this, the build of NodeJS is
broken since the bump to v16 in Buildroot commit
07408779cc ("package/nodejs: bump to
16.15.0"). This issue is not visible in the autobuilders as it was
hidden by a previous build issue, itself fixed by "package/nodejs: fix
'Duplicate v8 target errors when cross-compiling' error".
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf0ddc8970)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reported also via:
https://github.com/nodejs/node/issues/37441
Patched in:
5e533cb943
The error is:
```
ninja: Entering directory `out/Release'
ninja: error: obj.host/tools/v8_gypfiles/run_torque.ninja:1356: multiple rules generate gen/torque-generated/bit-fields.h [-w dupbuild=err]
make[2]: *** [Makefile:127: node] Error 1
make[1]: *** [package/pkg-generic.mk:293: <buildroot>/output/build/nodejs-16.15.0/.stamp_built] Error 2
make: *** [Makefile:84: _all] Error 2
```
Fixes:
http://autobuild.buildroot.net/results/7fe9132236ee8e3a86dd97fe96ffee42990c2d19/
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
[Thomas:
- regenerate patch as a git formatted patch, add a link to the
original location, add my own SoB to it
- improve commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5708c5b04f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is already another 0001 patch.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f85e2cfc6e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tinyproxy commit 84f203f and earlier does not process HTTP request lines
in the process_request() function and is using uninitialized buffers.
This vulnerability allows attackers to access sensitive information at
system runtime.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit eedd93f010)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libgbm isn't output/target specific, only one version is included
in gpu-core/usr/lib/libgbm.so.
Similarly only gbm.pc is included and not gbm_x11.pc.
Signed-off-by: Daniel Lang <d.lang@abatec.at>
Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 711ec0ceaa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, with a configuration with an internal toolchain, and no other
package is selected [0], especially when one wants to generate an SDK or
a pre-built, pre-installed toolchain, running 'make' will only build
glibc (and its dependencies), and not the full toolchain, as one would
have expected, so there would be no host-final-gcc.
The reason is that 'toolchain' is a virtual package, so it is excluded
from PACKAGES, the list of packages enabled in the configuration. so it
is not a dependency of target-finalize, and so nothing pulls it in the
build.
The reason for excluding virtual packages from that list is not obvious.
When virtual packages were introduced in 7439824412 (packages: add
infrastructure for virtual packages), there was no BR2_PACKAGE_FOO
symbol for virtual packages (but there was BR2_PACKAGE_HAS_FOO), so
there was no telling that the virtual package was enabled, like we had
for the other kinds of packages (normal, bootloader, toolchain, or linux
kernel).
That caused issues, so in f674c428c2 (core/pkg-virtual: do not check
they are neabled [sic]), and then 3e1b33a534 (pkg-generic: improve
incorrectly used package detection), we explicitly excluded the virtual
packages from causing a build failure when something depended on them,
as we could not yet now whether a virtual package was actually enabled
or not.
Then, in 842ba7ecef (pkg-generic: fix rdepends and phony targets of
virtual packages), we eventually associated a virtual package to is
BR2_PACKAGE_HAS_FOO, which allows treating virtual packages like the
other kinds of packages. There, we explicitly kept virtual packages out
of the list, though (the reasoning was that virtual packages install
nothing in host/ or target/, so they do not directly contribute to the
final content, so we do not need to rsync them, so this was an
optimisation).
However, virtual packages are in fact actual generic packages, and it is
possible for virtual packages to actually provide content for the final
image. Even though we do not have any virtual package that has actual
_INSTALL_CMDS, we still have udev that provides a user for example;
virtual packages in br2-external trees may also very well provide
install commands (e.g. to install files common to their various
implementations).
So, there is currently no technical reason to exclude virtual packages
from PACKAGES, the list of packages enabled in the configuration.
Drop the excluding condition, and always add enabled package, whatever
their kind, to the list of enabled packages.
[0] defconfig to reproduce the issue:
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
# BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 02fe7c747b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Our current heirloom-mailx package is affected by CVE-2014-7844. It
has been fixed by a Debian patch
0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch, but it does rely
on other Debian patches as well.
Instead of bringing those patches locally, we just update the package
to use version 12.5-5 from Debian, including its patches.
The local patch
0001-Patched-out-SSL2-support-since-it-is-no-longer-suppo.patch is
removed as it is part of the Debian patches.
The remaining patch 0002-fix-libressl-support.patch is renumbered.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 15972770cf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It was fixed for musl during conversion to the new API in 0f519d0da
(released in 20220527).
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 68c32ce338)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
