Fixes CVE-2017-7651: Unauthenticated clients can send a crafted CONNECT
packet which causes large amounts of memory use in the broker. If multiple
clients do this, an out of memory situation can occur and the system may
become unresponsive or the broker will be killed by the operating system.
The fix addresses the problem by limiting the permissible size for CONNECT
packet, and by adding a memory_limit configuration option that allows the
broker to self limit the amount of memory it uses.
The hash of new tarball is not (yet) available through download.php, so use
a locally calculated hash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f4df4a18e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop CVE 2017-9868 patch as that is now upstream.
1.4.14 is a bugfix release, fixing significant websocket performance /
correctness issues.
Use HTTPS for the download as the server uses HSTS, thus saving a redirect.
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b76bf7669)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit e51d69a3b (mosquitto: specify that hash is taken from upstream)
changed the .hash description header, but the upstream hash only applies
to the tarball, not the patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1ef8c22393)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-6767: A stack-based buffer over-read in the ParseRiffHeaderConfig
function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to
cause a denial-of-service attack or possibly have unspecified other impact
via a maliciously crafted RF64 file.
CVE-2018-7253: The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file
of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service
(heap-based buffer over-read) or possibly overwrite the heap via a
maliciously crafted DSDIFF file.
CVE-2018-7254: The ParseCaffHeaderConfig function of the cli/caff.c file of
WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global
buffer over-read), or possibly trigger a buffer overflow or incorrect memory
allocation, via a maliciously crafted CAF file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4de7e07e6e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tar 1.30 changed the --numeric-owner output for filenames > 100 characters,
leading to hash mismatches for the tar archives we create ourselves from
git. This is really a fix for a bug in earlier tar versions regarding
deterministic output, so it is unlikely to be reverted in later versions.
For more details, see:
http://lists.busybox.net/pipermail/buildroot/2018-January/211222.html
To work around this issue, blacklist tar 1.30+ similar to how we do it for
pre-1.17 versions so Buildroot falls back to building host-tar.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b8fa273d50)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
host-{cmake,lzip,xz} needs host-tar to extract their source code tarball, so
we need to ensure that host-tar gets added to DEPENDENCIES_HOST_PREREQ
before these in case they are both needed, otherwise the tools will fail to
extract.
With the upcoming change to blacklist modern tar versions this situation is
likely to trigger more often.
The real solution to this issue is the <foo>_EXTRACT_DEPENDENCIES rework,
but that series is a bit too intrusive to add this close to 2018.02, so
therefore this hack.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7c09cb82b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-1000156: arbitrary command execution in ed-style patches.
Depend on MMU for now, because the patch adds a fork() call. Upstream
later switched to gnulib provided execute(), so this dependency can be
dropped on the next version bump.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f4a4df2084)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c3e1d9849a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2016-10713: Out-of-bounds access within pch_write_line() in
pch.c can possibly lead to DoS via a crafted input file.
Add upstream patch fixing CVE-2018-6951: There is a segmentation fault,
associated with a NULL pointer dereference, leading to a denial of
service in the intuit_diff_type function in pch.c, aka a "mangled
rename" issue.
This bump does NOT fix CVE-2018-6952. See upstream bug #53133
(https://savannah.gnu.org/bugs/index.php?53133).
Add license file hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 38d8d86d31)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2018-0487: Remote attackers can execute arbitrary code or cause a
denial of service (buffer overflow) via a crafted certificate chain that
is mishandled during RSASSA-PSS signature verification within a TLS or
DTLS session.
CVE-2018-0488: When the truncated HMAC extension and CBC are used,
allows remote attackers to execute arbitrary code or cause a denial of
service (heap corruption) via a crafted application packet within a TLS
or DTLS session.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3b7a59304a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2018-6789: Meh Chang discovered a buffer overflow flaw in a utility
function used in the SMTP listener of Exim, a mail transport agent. A
remote attacker can take advantage of this flaw to cause a denial of
service, or potentially the execution of arbitrary code via a specially
crafted message.
Dropped ChangeLog hunk and adjusted file path of upstream commit so it
applies to tarball.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8343069e2c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-5378
It was discovered that the Quagga BGP daemon, bgpd, does not
properly bounds check data sent with a NOTIFY to a peer, if an
attribute length is invalid. A configured BGP peer can take
advantage of this bug to read memory from the bgpd process or cause
a denial of service (daemon crash).
https://www.quagga.net/security/Quagga-2018-0543.txt
CVE-2018-5379
It was discovered that the Quagga BGP daemon, bgpd, can double-free
memory when processing certain forms of UPDATE message, containing
cluster-list and/or unknown attributes, resulting in a denial of
service (bgpd daemon crash).
https://www.quagga.net/security/Quagga-2018-1114.txt
CVE-2018-5380
It was discovered that the Quagga BGP daemon, bgpd, does not
properly handle internal BGP code-to-string conversion tables.
https://www.quagga.net/security/Quagga-2018-1550.txt
CVE-2018-5381
It was discovered that the Quagga BGP daemon, bgpd, can enter an
infinite loop if sent an invalid OPEN message by a configured peer.
A configured peer can take advantage of this flaw to cause a denial
of service (bgpd daemon not responding to any other events; BGP
sessions will drop and not be reestablished; unresponsive CLI
interface).
https://www.quagga.net/security/Quagga-2018-1975.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 157a198d30)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://mariadb.com/kb/en/mariadb-10131-release-notes/
Changelog: https://mariadb.com/kb/en/mariadb-10131-changelog/
Fixes the following security vulnerabilities:
CVE-2018-2562 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server : Partition). Supported versions that are affected are
5.5.58 and prior, 5.6.38 and prior and 5.7.19 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server as well as unauthorized update, insert or
delete access to some of MySQL Server accessible data.
CVE-2018-2622 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are 5.5.58
and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
CVE-2018-2640 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
CVE-2018-2665 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
CVE-2018-2668 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
CVE-2018-2612 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.38 and
prior and 5.7.20 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical data or all
MySQL Server accessible data and unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fcdaab19bb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When compiling host-jq with gcc 6+, running it gives an immediate segfault.
Reported upstream: https://github.com/stedolan/jq/issues/1598
The issue can be solved by compiling with _GNU_SOURCE as extra preprocessor
define. Once the issue is solved upstream, this change can be reverted.
As the issue will normally be the same for target, apply the same fix there.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 21114013e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
Drop 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch and
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch as they are
now upstream, and add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eca03d6774)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1f11463b3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2017-14632: Libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in info.c
when vi->channels<=0, a similar issue to Mozilla bug 550184.
CVE-2017-14633: In libvorbis 1.3.5, an out-of-bounds array read
vulnerability exists in the function mapping0_forward() in mapping0.c, which
may lead to DoS when operating on a crafted audio file with
vorbis_analysis().
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cc9282ae8c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-1000041: information disclosure via a crafted SVG file.
Bump to the latest (maybe last) release in the 2.40.x series. Newer
versions require a Rust compiler.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4020c5a7b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-15873: Integer overflow in decompress_bunzip2.c leads to a read
access violation
CVE-2017-15874: Integer overflow in decompress_unlzma.c leads to a read
access violation
Cc: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6665360b6d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The QT5TOOLS_SOURCE variable uses mismatch QT5BASE_VERSION variable.
This commit fixes the typo by using the appropriate QT5TOOLS_VERSION
variable.
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7c384c3b0f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The QT53D_SOURCE variable uses mismatch QT5SVG_VERSION variable.
This commit fixes the typo by using the appropriate QT53D_VERSION
variable.
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit caa3f12fd6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-8872: An attackers can cause a denial of service (buffer
over-read) or information disclosure.
Patch from the upstream bug tracker.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 86e027f6d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop direct sed'ing of config.h for HAVE_CONNTRACK, HAVE_LUASCRIPT, and
HAVE_DBUS. Use MAKE_OPTS COPTS parameters instead, like we do already
for all other options.
Rename DNSMASQ_ENABLE_LUA to DNSMASQ_TWEAK_LIBLUA since it now does only
that.
Merge two conntrack and three dbus conditional sections.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1042fea88a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-10790: NULL pointer dereference and crash when reading crafted
input
CVE-2018-6003: Stack exhaustion due to indefinite recursion during BER
decoding
Add license files hashes.
Cc: Stefan Fröberg <stefan.froberg@petroprogram.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9ac75335bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixed or improved security issues:
CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
malicious authenticated peer can create arbitrarily-many ephemeral
associations in order to win the clock selection algorithm
CVE-2018-7182: Buffer read overrun leads to undefined behavior and
information leak
CVE-2018-7170: Multiple authenticated ephemeral associations
CVE-2018-7184: Interleaved symmetric mode cannot recover from bad
state
CVE-2018-7185: Unauthenticated packet can reset authenticated
interleaved association
CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit
Drop patch #3. libntpq_a_CFLAGS now includes NTP_HARD_CFLAGS via
AM_CFLAGS.
Add license file hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit da05d74805)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If OpenSSL is selected, --enable-openssl-random should be explicitly
enabled for consistency with the disable case.
[Peter: tweak commit text]
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 905677cbd5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The isc assertions from the bundled bind dns library are
using the __FILE__ macro for debug messages (see
dhcp-4.3.5/bind/bind-9.9.9-P3/lib/isc/include/isc/assertions.h).
Disabling the assertions gains:
- reproducible builds (no build time paths in the executable)
- space saving on the target:
dhcpd: 1.9M -> 1.6M
dhcrelay: 1.6M -> 1.3M
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3d1a7a8620)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
from https://www.postgresql.org/about/news/1829/
Fixes:
[1] CVE-2018-1052: Fix the processing of partition keys containing multiple
expressions
[2] CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are
non-world-readable
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
