Fixes the following security issue:
- CVE-2021-3181: rfc822.c in Mutt through 2.0.4 allows remote attackers to
cause a denial of service (mailbox unavailability) by sending email
messages with sequences of semicolon characters in RFC822 address fields
(aka terminators of empty groups). A small email message from the
attacker can cause large memory consumption, and the victim may then be
unable to see email messages from other persons.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c1413cd94c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host build of uboot-tools can occur early in the build process and may
require the creation of BINARIES_DIR before generation of an enabled envimage
and/or boot script binary. So to resolve this in proper way, separated the
build and installation part of uboot env/script in their respective commands.
Signed-off-by: Kalpesh Panchal <kalpesh.panchal@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d8db91fc6f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 4fea71ac78 (package/sudo: security bump to version 1.9.5p2)
removed the patch, but forgot to remove the now unneeded autoreconf. Fix
that.
Reported-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84a8aac451)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Major changes between sudo 1.9.5p2 and 1.9.5p1
* Buildroot: dropped a patch that was included in the release.
* Fixed sudo's setprogname(3) emulation on systems that don't
provide it.
* Fixed a problem with the sudoers log server client where a partial
write to the server could result the sudo process consuming large
amounts of CPU time due to a cycle in the buffer queue. Bug #954.
* Added a missing dependency on libsudo_util in libsudo_eventlog.
Fixes a link error when building sudo statically.
* The user's KRB5CCNAME environment variable is now preserved when
performing PAM authentication. This fixes GSSAPI authentication
when the user has a non-default ccache.
* When invoked as sudoedit, the same set of command line options
are now accepted as for "sudo -e". The -H and -P options are
now rejected for sudoedit and "sudo -e" which matches the sudo
1.7 behavior. This is part of the fix for CVE-2021-3156.
* Fixed a potential buffer overflow when unescaping backslashes
in the command's arguments. Normally, sudo escapes special
characters when running a command via a shell (sudo -s or sudo
-i). However, it was also possible to run sudoedit with the -s
or -i flags in which case no escaping had actually been done,
making a buffer overflow possible. This fixes CVE-2021-3156.
https://www.sudo.ws/stable.html#1.9.5p2
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4fea71ac78)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
opentracing-cpp fails to build if clang-tidy is installed:
...
-- clang-tidy found: /usr/lib/llvm/11/bin/clang-tidy
-- Configuring done
-- Generating done
...
[ 25%] Building CXX object CMakeFiles/opentracing.dir/src/propagation.cpp.o
.../buildroot/output/build/opentracing-cpp-1.5.1/include/opentracing/string_view.h:5:10: error: 'algorithm' file not found [clang-diagnostic-error]
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:3:11: warning: '__llvm_libc' needs to be the outermost namespace [llvmlibc-implementation-in-namespace]
namespace opentracing {
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:11:3: warning: use '= default' to define a trivial default constructor [hicpp-use-equals-default,modernize-use-equals-default]
PropagationErrorCategory() {}
^ ~~
= default;
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:13:15: warning: use a trailing return type for this function [modernize-use-trailing-return-type]
const char* name() const noexcept override {
~~~~~~~~~~~ ^
auto -> const char*
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:13:15: warning: method 'name' can be made static [readability-convert-member-functions-to-static]
const char* name() const noexcept override {
^ ~~~~~~
static
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:17:24: warning: use a trailing return type for this function [modernize-use-trailing-return-type]
std::error_condition default_error_condition(int code) const
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:37:15: warning: use a trailing return type for this function [modernize-use-trailing-return-type]
std::string message(int code) const override {
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:58:28: warning: use a trailing return type for this function [modernize-use-trailing-return-type]
const std::error_category& propagation_error_category() {
^
226 warnings and 1 error generated.
Error while processing .../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp.
Suppressed 218 warnings (218 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
Found compiler error(s).
make[3]: *** [CMakeFiles/opentracing.dir/build.make:83: CMakeFiles/opentracing.dir/src/propagation.cpp.o] Error 1
make[3]: *** Waiting for unfinished jobs....
.../buildroot/output/build/opentracing-cpp-1.5.1/include/opentracing/string_view.h:5:10: error: 'algorithm' file not found [clang-diagnostic-error]
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/dynamic_load.cpp:4:
Disable the 'ENABLE_LINTING' option to avoid this influence.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit aede6dd7b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop libupnp18 as libupnp has been bumped to 1.14.x and 1.8.x will not
been fixed against CallStranger a.k.a. CVE-2020-12695
mpd and vlc are already compliant with libupnp 1.14.x (i.e those
packages use UpnpInit2 instead of the deprecated UpnpInit)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit eddc9df972)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Move site to Orange-OpenSource
- Drop patch (already in version)
- This version is compatible with libupnp 1.14.x to fix
CallStranger a.k.a. CVE-2020-12695
- Add threadutil license (BSD-3-Clause)
- Update hash in license file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a83073ac31)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- This version is compatible with libupnp 1.14.x which fix
CallStranger a.k.a. CVE-2020-12695
- Drop all patches (already in version)
- expat is not needed since version 1.5.0 and
a4f0cccd6a
- fmt is a mandatory dependency since version 1.5.0 and
fe81e5fc88
- spdlog is a mandatory dependency since version 1.5.0 and
615d698fe4
- pugixml is a mandatory dependency since version 1.5.0 and
c244006aa0
- libnpupnp can be used instead of libupnp since version 1.6.2 and
e648763626
- Set CXX_FILESYSTEM_NO_LINK_NEEDED to ON to avoid a build failure
due to check_cxx_source_runs which has been added with
8ea0fce24c
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- libupnp and libnpupnp are mutually exclusive
- fix typo in npupnp package name
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 61b1107e30)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CallStranger a.k.a. CVE-2020-12695 as well as CVE-2020-13848
- Update indentation in hash file (two spaces)
- Backport all changes from libupnp18 to libupnp:
- Use COPYING instead of LICENSE (no license change)
- Add host-pkgconf dependency
- Add --enable-reuseaddr
- Add openssl optional dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 118648d161)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-36221: An integer underflow was discovered in OpenLDAP before
2.4.57 leading to slapd crashes in the Certificate Exact Assertion
processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- CVE-2020-36222: A flaw was discovered in OpenLDAP before 2.4.57 leading to
an assertion failure in slapd in the saslAuthzTo validation, resulting in
denial of service.
- CVE-2020-36223: A flaw was discovered in OpenLDAP before 2.4.57 leading to
a slapd crash in the Values Return Filter control handling, resulting in
denial of service (double free and out-of-bounds read).
- CVE-2020-36224: A flaw was discovered in OpenLDAP before 2.4.57 leading to
an invalid pointer free and slapd crash in the saslAuthzTo processing,
resulting in denial of service.
- CVE-2020-36225: A flaw was discovered in OpenLDAP before 2.4.57 leading to
a double free and slapd crash in the saslAuthzTo processing, resulting in
denial of service.
- CVE-2020-36226: A flaw was discovered in OpenLDAP before 2.4.57 leading to
a memch->bv_len miscalculation and slapd crash in the saslAuthzTo
processing, resulting in denial of service.
- CVE-2020-36227: A flaw was discovered in OpenLDAP before 2.4.57 leading to
an infinite loop in slapd with the cancel_extop Cancel operation,
resulting in denial of service.
- CVE-2020-36228: An integer underflow was discovered in OpenLDAP before
2.4.57 leading to a slapd crash in the Certificate List Exact Assertion
processing, resulting in denial of service.
- CVE-2020-36229: A flaw was discovered in ldap_X509dn2bv in OpenLDAP before
2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring,
resulting in denial of service.
- CVE-2020-36230: A flaw was discovered in OpenLDAP before 2.4.57 leading in
an assertion failure in slapd in the X.509 DN parsing in decode.c
ber_next_element, resulting in denial of service.
https://www.openldap.org/software/release/changes.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 46c4c9684d)
[Peter: mark as security bump, add CVE info]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
