Fixes the following security issues:
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion
Affected Node.js versions converted carriage returns in HTTP request
headers to a hyphen before parsing. This can lead to HTTP Request
Smuggling as it is a non-standard interpretation of the header.
Impacts:
All versions of the 14.x and 12.x releases line
- CVE-2020-8252: fs.realpath.native may cause buffer overflow
libuv's realpath implementation incorrectly determined the buffer size
which can result in a buffer overflow if the resolved path is longer than
256 bytes.
Impacts:
All versions of the 10.x release line
All versions of the 12.x release line
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
Adjust license hash for the addition of the BSD-3c licensed highlight.js:
6f8b7a85d2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b6d64d7fa4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The logic in libbacktrace/configure.ac to detect if __sync builtins
are available assumes they are as soon as target_subdir is not
empty, i.e when cross-compiling. However, some platforms do not have
__sync builtins, so help the configure script a bit.
"libbacktrace_cv_sys_sync=no" is lost when it is added to
HOST_GCC_COMMON_CONF_ENV because the environment is not exported
when executing the libbacktrace configure script.
Use target_configargs to force "libbacktrace_cv_sys_sync=no" when
executiong the libbacktrace configure script.
Fixes:
https://gitlab.com/bootlin/toolchains-builder/-/jobs/729359681
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain: use target_configargs="libbacktrace_cv_sys_sync=no"]
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0bec4c8a4a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When gdb is built from sources fetched from Git, it contains both the
gdb and the binutils code base. In order to really build only gdb, we
disable a number of binutils components in the
GDB_DISABLE_BINUTILS_CONF_OPTS variable: --disable-binutils,
--disable-ld, --disable-gas, etc. However, gprof was still being
built, so disable it as well.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 71719b91ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/76b580000e6311e88584874f942517badd6fadf6/
python-txtorcon DOES support python 2.x, but it contains some optional
python 3 / async code in controller_py3.py which is conditionally used from
controller.py:
try:
from .controller_py3 import _AsyncOnionAuthContext
HAVE_ASYNC = True
except Exception:
HAVE_ASYNC = False
pycompile unfortunately errors out on the async code:
../scripts/pycompile.py ..
error: File "/usr/lib/python2.7/site-packages/txtorcon/controller_py3.py", line 13
async def __aenter__(self):
^
SyntaxError: invalid syntax
As a workaround, simply drop the unusable _py3 file from TARGET_DIR if
building for python 2.x.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6728c67307)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host-zstd-build step was not actually compiling the library:
make[1]: Entering directory '/buildroot/output/build/host-zstd-1.4.5/lib'
make[1]: Nothing to be done for 'default'.
make[1]: Leaving directory '/buildroot/output/build/host-zstd-1.4.5/lib'
and the actual compilation was part of the install step.
This is not how other Buildroot packages work.
Make sure to specify which library targets we want instead. The total amount
of compiled files does not change with this patch.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2e8bf36dc4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
fixes following in the generated cross-complation.conf file:
pkg_config_static = '$(if $(BR2_STATIC_LIBS),true,false)'
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 78da84eca9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When one GPL-licensed plugin was enabled, the license of
gst1-plugins-ugly would be "LGPL-2.1+ GPL-2.0", but licenses should be
comma separated, not space separated. So let's fix that to get the
expected value of "LGPL-2.1+, GPL-2.0".
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4626bafe5c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
PowerPC has two PLT models: BSS-PLT and Secure-PLT. BSS-PLT uses
runtime code generation to generate the PLT stubs. Secure-PLT was
introduced with GCC 4.1 and Binutils 2.17 (base has GCC 4.2.1 and
Binutils 2.17), and is a more secure PLT format, using a read-only
linkage table, with the dynamic linker populating a non-executable
index table.
References to other distro/BSD transitions:
https://patchwork.openembedded.org/patch/106621/https://reviews.freebsd.org/D20598
Fixes a bug observed when creating SELinux policy where all apps
require execmem because the heap requires execute before this change.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9b539bf40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
According to the original patch message:
Some Broadcom set-top-box boards have PCI busses, but the GPU is
still probed through DT. We would dereference a null busid here
in that case.
Fixes a segfault on at least the RPi 4 w/ xserver 1.20.9, probably
others as well.
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6427ede939)
[Peter: move to 1.20.9 subdir]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2020-14342: It was found that cifs-utils' mount.cifs was
invoking a shell when requesting the Samba password, which could be used
to inject arbitrary commands. An attacker able to invoke mount.cifs with
special permission, such as via sudo rules, could use this flaw to
escalate their privileges.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ce0e86b293)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In the version bump to 6.10 the following changes were:
* Fix hash file to two spaces format
* Add patch to respect DESTDIR and optionally install man pages for
mount.smb3 by utilizing CONFIG_MAN.
* Pass -std=gnu11 to fix compile issues found with the sourcery-arm
toolchain with C99 style code errors in smbinfo.c and defintion of
'struct sa' uisng gnu11 for C11 GNU extensions.
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
CC: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3fe17ae48d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a530ca6bd9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable static building of external/squirrel to fix the following build
failure with RELRO:
/home/peko/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: CMakeFiles/sq_static.dir/sq.c.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a PIE object; recompile with -fPIC
/home/peko/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: final link failed: nonrepresentable section on output
collect2: error: ld returned 1 exit status
Fixes:
- http://autobuild.buildroot.org/results/46e8f5e622ce450a89bc6d70f4bfd38182557901
- http://autobuild.buildroot.org/results/a43720492d817e4555d728546da9114e3ccba952
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 80be040817)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The previous commit to this package
(37c5e903a7) introduced a bunch of patches
to fix a CVE. Unfortunatly only applying of the patches was tested but
not building the package.
This commit replaces a define that was introduced in a previous patch
upstream and caused the build failure.
Tested:
br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
br-arm-cortex-m4-full [3/6]: SKIPPED
br-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
sourcery-arm [6/6]: OK
Fixes:
- http://autobuild.buildroot.net/results/3f7fe8ad181318153c459ba5e1afbbc8b49d541c/
- and more
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b81307162)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, the cross-compilation.conf installed in
$(HOST_DIR)/etc/meson/cross-compilation.conf for use by the SDK is
generated in a post-install-staging hook of the toolchain package.
With per-package directory support enabled, this means that the
generated cross-compilation.conf contains references to the
per-package directory of the toolchain/ package, which is not want we
want:
[binaries]
c = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-gcc'
cpp = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-g++'
ar = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-ar'
strip = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-strip'
pkgconfig = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/usr/bin/pkg-config'
So instead, we generate this file in TOOLCHAIN_TARGET_FINALIZE_HOOKS,
so that the global paths are used:
[binaries]
c = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-gcc'
cpp = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-g++'
ar = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-ar'
strip = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-strip'
pkgconfig = '/home/thomas/projets/buildroot/output/host/usr/bin/pkg-config'
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 48d2606e28)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add several upstream patches that are made to fix this CVE. Since there
is still no dated plan to release a new version add this bunch of
patches.
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 37c5e903a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Just like glibc, host-localedef needs python3 on the host to
build... since host-localedef is basically using the sources of glibc.
Fixes:
checking if /build/build/per-package/host-localedef/host/bin/ccache
/usr/bin/gcc is sufficient to build libc... yes
checking for x86_64-pc-linux-gnu-nm... /usr/bin/nm
checking for python3... no
checking for python... python
checking version of python... 2.7.18, bad
configure: error:
*** These critical programs are missing or too old: python
*** Check the INSTALL file for required versions.
As reported at:
http://lists.busybox.net/pipermail/buildroot/2020-September/291929.html
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6e73c71cc4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
