Switched _SITE to https and _SOURCE to .gz because upstream does not
provide a .xz tarball anymore.
Fixes CVE 2022-0547, changelog:
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9c448a016)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
allows a remote web server to exfiltrate media files.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c7520b7ea1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
introspection needs host-doxygen and host-python-lxml since the addition
of the package in commit c9a3c10417 and
2e5b13f970
../output-1/build/wireplumber-0.4.8/docs/meson.build:14:0: ERROR: python3 is missing modules: lxml
Doxygen is required to build just the bare minimal (not the full
documentation) since
93c2e7d686
Fixes:
- http://autobuild.buildroot.org/results/24c524d86a3e2e67305f698644be9b15d4562488
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3e1de2ef06)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV
files. This issue triggered in function WavpackPackSamples of file
src/pack_utils.c, tainted variable cnt is too large, that makes pointer
sptr read beyond heap bound.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a9bff8a0b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable sample and tests (which are built by default since version 2.1:
530b272350)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e1d0ac062c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 5c05744eca.
This doesn't work with the gnupg v1/v2 handling here:
package/gcr/Config.in:1:error: recursive dependency detected!
package/gcr/Config.in:1: symbol BR2_PACKAGE_GCR depends on BR2_PACKAGE_GNUPG
package/gnupg/Config.in:1: symbol BR2_PACKAGE_GNUPG is selected by BR2_PACKAGE_GNUPG2
package/gnupg2/Config.in:5: symbol BR2_PACKAGE_GNUPG2 is selected by BR2_PACKAGE_GCR
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The check_package_get_latest_version_by_distro() function analyzes the
data returned by release-monitoring.org. For two of our
packages (bento4 and qextserialport), release-monitoring.org returns
something that is a bit odd: it returns an entry with a
"stable_versions" field that contains an empty array. Our code was
ready to have or not have a "stable_versions" entry, but when it is
present, we assumed it was not an empty array. These two packages, for
some reason, break this assumption.
In order to solve this problem, this commit is more careful, and uses
the stable_versions field only if it exists and it has at least one
entry. The code is also reworked as a sequence of "if...elif...else"
to be more readable.
This fixes the following exception when running pkg-stats on the full
package set:
Task exception was never retrieved
future: <Task finished name='Task-10772' coro=<check_package_latest_version_get() done, defined at ./support/scripts/pkg-stats:532> exception=IndexError('list index out of range')>
Traceback (most recent call last):
File "./support/scripts/pkg-stats", line 535, in check_package_latest_version_get
if await check_package_get_latest_version_by_distro(session, pkg):
File "./support/scripts/pkg-stats", line 489, in check_package_get_latest_version_by_distro
version = data['stable_versions'][0] if 'stable_versions' in data else data['version'] if 'version' in data else None
IndexError: list index out of range
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: non-sequence tests as True]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c72f3f2b43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
for non-prime moduli.
Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.
It is possible to trigger the infinite loop by crafting a certificate that
has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may
thus be subject to a denial of service attack. The infinite loop can also
be reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the attacker
can control the parameter values are vulnerable to this DoS issue.
(CVE-2022-0778)
[Tomáš Mráz]
*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
to the list of ciphersuites providing Perfect Forward Secrecy as
required by SECLEVEL >= 3.
[Dmitry Belyavskiy, Nicola Tuveri]
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 66868e9fab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In the list of full distribution, the FAQ contains a link to Emdebian.
This project stopped receiving updates in 2014 and the main web page does not exist anymore.
This replace the entry with a link to the Debian ports page.
Signed-off-by: Yannick Brosseau <yannick.brosseau@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit db2b8a1ce2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libfcgi raises the following build failure with glibc 2.34 and gcc
11.2.0:
In file included from /home/peko/autobuild/instance-1/output-1/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/features.h:488,
from /home/peko/autobuild/instance-1/output-1/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/bits/libc-header-start.h:33,
from /home/peko/autobuild/instance-1/output-1/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/stdio.h:27,
from /home/peko/autobuild/instance-1/output-1/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/fcgi_stdio.h:18,
from boinc_fcgi.h:19,
from coproc.cpp:22:
/home/peko/autobuild/instance-1/output-1/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/wchar.h:582:24: error: 'malloc' attribute argument 1 is ambiguous
582 | __attribute_malloc__ __attr_dealloc_fclose;
| ^~~~~~~~~~~~~~~~~~~~~
RawTherapee has the same kind of issue:
- https://github.com/Beep6581/RawTherapee/issues/6324
- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101747
Fixes:
- http://autobuild.buildroot.org/results/232dae62570ed7927a10864d83dccaf9b6214500
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 54cb3b506d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since gcr selects gnupg2, it's incompatible with gnupg. Add this
dependency and corresponding comment.
While we're at it, also hide the existing comment when
!BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5783a418f4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openssl handling needs shared library support since commit
67cebbdf5f however this is not needed
since version 2 and
333fa84e8e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 19294eb352)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
samba:ppp, added by commit 63332c33aa, has
been deprecated in February 2020:
<cpe-item name="cpe:/a:samba:ppp:2.4.7" deprecated="true" deprecation_date="2020-02-24T15:55:39.787Z">
<cpe-23:cpe23-item name="cpe:2.3🅰️samba:ppp:2.4.7:*:*:*:*:*:*:*">
cpe:2.3🅰️point-to-point_protocol_project:point-to-point_protocol is the
correct CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apoint-to-point_protocol_project%3Apoint-to-point_protocol
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9051a63221)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Technologic Systems has rebranded as embeddedTS with the current
domain eventually going offline. Update web/doc URLs to correct
resource locations.
Signed-off-by: Kris Bahnsen <kris@embeddedTS.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0b058e15f5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a patch release for version 2 & 2.4, fixing a regression
introduced in 2.4.1.
https://github.com/cisco/libsrtp/releases/tag/v2.4.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 232868ffd3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop custom install rules which were added since commit
676797d57f. Indeed, they result in a
broken installation. Especially, they are trying to "guess" what must
be installed based on BR2_ARCH but oprofile has its own logic. For
example, goldmont microarchitecture files must be installed in i386
directory even if this architecture is 64 bits:
0ad5a9e6af
This will result in the following runtime failure:
oprofile: could not open unit mask description file /usr/share/oprofile//i386/goldmont/unit_masks
Unable to find info for event cpu_clk_unhalted
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=14641
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5259807318)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When enabling MariaDB (BR2_PACKAGE_MARIADB=y) and systemd
(BR2_INIT_SYSTEMD=y) in buildroot, the mysqld.service fail to start
with a permission error. See output of command:
journalctl --unit=mysqld
Which shows:
systemd[1]: Starting MySQL database server...
install[102]: install: can't create directory '/var/log/mysql': Permission denied
systemd[1]: mysqld.service: Control process exited, code=exited, status=1/FAILURE
Since the service file includes the "User=mysql" directive, the
"ExecStartPre=" is executed as this user, which does not have
permission to create a directory in "/var/log".
This commit fixes this issue by adding the "!" prefix, which will
execute the command with full privileges. See the systemd.service manual
page entry for "ExecStart=", table "Special executable prefixes":
https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
or https://github.com/systemd/systemd/blob/v250/man/systemd.service.xml#L339
Moreover, the "mysql_install_db" invocation does not need this special
prefix, as the "/var/lib/mysql" directory on target is already owned
by the "mysql" user. The "chown" command is also useless and is
removed in this commit.
Reported-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Tested-By: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit fd03d4f057)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gdb's AC_LIB_HAVE_LINKFLAGS macro hardcodes a search starting with
/usr/lib/ which can lead to libgmp from the wrong architecture with the
result that the test fails. Even if a libgmp is found there it is now
the one that should be used.
This is the same macro used for expat and lzma for which there are
already specific CONF_OPTS flags added here. Add the same flag for
libgmp and move the handling down so that it is logically grouped with
the other similar options.
Note that there is no --with(out)-gmp flag to configure, as the
dependency is mandatory, so only the --with-libgmp-prefix option is
specified.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 9fa5d641ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using uboot's legacy build system, the 'make uboot-menuconfig'
and 'make uboot-savedefconfig' targets are not available as they
are created by 'kconfig-package'.
Signed-off-by: Simon Doppler <dopsi@dopsi.ch>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca9e55ad11)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dependency on sqlite has been removed since v17.04.0-ce.
See: https://github.com/moby/moby/pull/30208
Signed-off-by: TIAN Yuanhao <tianyuanhao3@163.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Tested-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6105ad3f72)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The http://www.directfb.org/ has been down since 2015.
Use the Buildroot backup download site.
Fixes:
- https://bugs.busybox.net/show_bug.cgi?id=13126
Signed-off-by: Andrei Gherghescu <andrei.gherghescu@protonmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 89ab2a5a3f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Links were aimed at the methods.co.nz domain, which is now returning
404s. The current situation of AsciiDoc is unclear to me: the Fedora
package points to this website, they own asciidoc.org, Wikipedia points
to this project as well but their Git repo's README includes the
following paragraph:
> AsciiDoc.py is a legacy processor for this syntax, handling an older
> rendition of AsciiDoc. As such, this will not properly handle the
> current AsciiDoc specification. It is suggested that unless you
> specifically require the AsciiDoc.py toolchain, you should find a
> processor that handles the modern AsciiDoc syntax.
https://github.com/asciidoc-py/asciidoc-py/blob/10.1.3/README.md
"AsciiDoc specification" pointing towards:
https://projects.eclipse.org/projects/asciidoc.asciidoc-lang
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit efcb7eeabc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a bug fix release which addresses quite a number of issues
https://www.mail-archive.com/haproxy@formilux.org/msg41404.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f82a835825)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop custom install rules which have been added since the addition of
the package in commit 2d837933e5 but are
now resulting in a broken installion
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=14636
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d1debbb4c7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- fix CVE-2021-30560
- remove merged patch, drop autoreconf
- moved from xmlsoft.org to gnome.org
- spaces in hash file
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[yann.morin.1998@free.fr:
- drop autoreconf as no longer patching
- also switch home in Config.in
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit acf5b437cc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure without libvirtd raised since the
addition of the package in commit
ccfc90e101 and
89064c9e37:
../output-1/build/libvirt-7.10.0/meson.build:1518:2: ERROR: Problem encountered: Requested the Interface driver without netcf or udev and libvirtd support
Fixes:
- http://autobuild.buildroot.org/results/e43101c6d7f626439ef800263b8f5dfa99ce850b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 87f1dd7b52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove override of FOO_{CONF_OPTS,DEPENDENCIES} in conditional
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3d7f852ac5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 949aee6377)
[Peter: drop 5.16.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a minor corrective release over GDB 11.1, fixing the following issues:
PR sim/28302 (gdb fails to build with glibc 2.34)
PR build/28318 (std::thread support configure check does not use
CXX_DIALECT)
PR gdb/28405 (arm-none-eabi: internal-error: ptid_t
remote_target::select_thread_for_ambiguous_stop_reply(const
target_waitstatus*): Assertion `first_resumed_thread != nullptr'
failed)
PR tui/28483 ([gdb/tui] breakpoint creation not displayed)
PR build/28555 (uclibc compile failure since commit 4655f8509fd44e6efabefa373650d9982ff37fd6)
PR rust/28637 (Rust characters will be encoded using DW_ATE_UTF)
PR gdb/28758 (GDB 11 doesn't work correctly on binaries with a SHT_RELR (.relr.dyn) section)
PR gdb/28785 (Support SHT_RELR (.relr.dyn) section)
Drop patch 0006-sim-filter-out-SIGSTKSZ-PR-sim-28302.patch, which was
merged upstream as commit 17d6f2152b583cdc7defafa7813b727a304bac5b.
Drop patch 0008-Fix-build-on-rhES5.patch, which was merged upstream as
commit df9ebc472a162306dee8ba6e02b99963c2babb7c?
Drop patch 0009-gdbserver-aarch64-support.patch, which was merged
upstream as commit eb79b2318066cafb75ffdce310e3bbd44f7c79e3.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 8cfbda109f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.17.8 includes a security fix to the regexp/syntax package, as well as bug
fixes to the compiler, runtime, the go command, and the crypto/x509, and net
packages.
https://go.dev/doc/devel/release#go1.17.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1cd8faa8d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gdk-pixbuf-xlib dependency is needed since bump of gdk-pixbuf to version
2.42.2 in commit a7b51ed301 to avoid the
following "hidden" warnings:
Warning: GTK version 2.24.33 was found, but at least one supporting
library (gdk-pixbuf-xlib-2.0) was not, so GTK can't be used.
Perhaps some of the development packages are not installed?
Warning: The GTK libraries do not seem to be available; the
`xscreensaver-demo' program requires them.
Warning: The GDK-Pixbuf library was not found.
The PNG library is being used instead.
Some of the demos will not use images as much as they could.
You should consider installing GDK-Pixbuf and re-running
configure.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 35f02050be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Deprecated Xlib integration for GdkPixbuf.
gdk-pixbuf-xlib has been deprecated and split off of gdk-pixbuf since
version 2.42.0 and
3362e94c25
resulting in the following "hidden" warnings with xscreensaver since
commit a7b51ed301:
Warning: GTK version 2.24.33 was found, but at least one supporting
library (gdk-pixbuf-xlib-2.0) was not, so GTK can't be used.
Perhaps some of the development packages are not installed?
Warning: The GTK libraries do not seem to be available; the
`xscreensaver-demo' program requires them.
Warning: The GDK-Pixbuf library was not found.
The PNG library is being used instead.
Some of the demos will not use images as much as they could.
You should consider installing GDK-Pixbuf and re-running
configure.
https://gitlab.gnome.org/Archive/gdk-pixbuf-xlib
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 559df4ef28)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release contains a security fix in seatd-launch which prevents
removal of files that the calling user did not have privileges to
remove. Release notes:
https://git.sr.ht/~kennylevinsen/seatd/refs/0.6.4
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 41139cb099)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure without threads raised since bump to
version 3.7.3 in commit 212b020bb4:
kx.c: In function '_gnutls_nss_keylog_write':
kx.c:164:33: error: 'keylog_mutex' undeclared (first use in this function); did you mean 'keylog_once'?
164 | if (gnutls_static_mutex_lock(&keylog_mutex) < 0) {
| ^~~~~~~~~~~~
| keylog_once
Fixes:
- http://autobuild.buildroot.org/results/e092bc11ce4b5908cb6285aa77a3594b8626eeec
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2f4f57b62b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2022-0554: Use of Out-of-range Pointer Offset in GitHub
repository vim/vim prior to 8.2.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 28c9cb5ff3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following security issues (i.e. CVE-2021-37706, CVE-2021-41141,
CVE-2021-43804, CVE-2021-43845, CVE-2022-21722 and CVE-2022-21723):
- Potential integer underflow upon receiving STUN message
(GHSA-2qpg-f6wf-w984)
- Use after free of dialog set (GHSA-ffff-m5fm-qm62)
- Missing unreleased of locks in failure cases (GHSA-8fmx-hqw7-6gmc)
- Potential out-of-bounds read when parsing RTCP BYE message
(GHSA-3qx3-cg72-wrh9)
- Prevent OOB read for RTCP XR block (GHSA-r374-qrwv-86hh)
- Potential buffer overflow in pjsua_player_create(),
pjsua_recorder_create(), pjmedia_wav_player_create(), and
pjsua_call_dump() (GHSA-qcvw-h34v-c7r9)
- Potential out-of-bound read during RTP/RTCP parsing
(GHSA-m66q-q64c-hv36)
- Prevent OOB read in multipart parsing (GHSA-7fw8-54cv-r7pm)
- Use after free of dialog set (GHSA-ffff-m5fm-qm62)
https://github.com/pjsip/pjproject/releases/tag/2.12
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5ed26bb378)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following security issues:
- [CVE-2022-23308] Use-after-free of ID and IDREF attributes
- Use-after-free in xmlXIncludeCopyRange
- Fix Null-deref-in-xmlSchemaGetComponentTargetNs
- Fix memory leak in xmlXPathCompNodeTest
- Fix null pointer deref in xmlStringGetNodeList
- Fix several memory leaks found by Coverity
https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.13
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4b67038473)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
