CVE-2017-8872: An attackers can cause a denial of service (buffer
over-read) or information disclosure.
Patch from the upstream bug tracker.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 86e027f6d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop direct sed'ing of config.h for HAVE_CONNTRACK, HAVE_LUASCRIPT, and
HAVE_DBUS. Use MAKE_OPTS COPTS parameters instead, like we do already
for all other options.
Rename DNSMASQ_ENABLE_LUA to DNSMASQ_TWEAK_LIBLUA since it now does only
that.
Merge two conntrack and three dbus conditional sections.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1042fea88a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-10790: NULL pointer dereference and crash when reading crafted
input
CVE-2018-6003: Stack exhaustion due to indefinite recursion during BER
decoding
Add license files hashes.
Cc: Stefan Fröberg <stefan.froberg@petroprogram.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9ac75335bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixed or improved security issues:
CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
malicious authenticated peer can create arbitrarily-many ephemeral
associations in order to win the clock selection algorithm
CVE-2018-7182: Buffer read overrun leads to undefined behavior and
information leak
CVE-2018-7170: Multiple authenticated ephemeral associations
CVE-2018-7184: Interleaved symmetric mode cannot recover from bad
state
CVE-2018-7185: Unauthenticated packet can reset authenticated
interleaved association
CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit
Drop patch #3. libntpq_a_CFLAGS now includes NTP_HARD_CFLAGS via
AM_CFLAGS.
Add license file hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit da05d74805)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If OpenSSL is selected, --enable-openssl-random should be explicitly
enabled for consistency with the disable case.
[Peter: tweak commit text]
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 905677cbd5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The isc assertions from the bundled bind dns library are
using the __FILE__ macro for debug messages (see
dhcp-4.3.5/bind/bind-9.9.9-P3/lib/isc/include/isc/assertions.h).
Disabling the assertions gains:
- reproducible builds (no build time paths in the executable)
- space saving on the target:
dhcpd: 1.9M -> 1.6M
dhcrelay: 1.6M -> 1.3M
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3d1a7a8620)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
from https://www.postgresql.org/about/news/1829/
Fixes:
[1] CVE-2018-1052: Fix the processing of partition keys containing multiple
expressions
[2] CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are
non-world-readable
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Using a variable in a printf format string may lead to undesirable
results if the variable contains format controls, so replace
printf "foo $var bar"
by
printf "foo %s bar" "$var"
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6298ed8bf4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Replace (echo "msg" && exit 1) by { echo "msg"; exit 1; }.
The (list) compound command runs in a subshell, so the "exit" interrupts
the subshell, not the main script. Examples:
$ sh -c "echo 1; (exit 1); echo 2"
1
2
$ sh -c "echo 1; { exit 1; }; echo 2"
1
$
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 3f568fe099)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL
authentication results in a memory leak in dovecot's auth client used by
login processes. The leak has impact in high performance configuration
where same login processes are reused and can cause the process to crash due
to memory exhaustion.
For more details, see:
http://www.openwall.com/lists/oss-security/2018/01/25/4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 28adb37be4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP
POST for sending data to 127.0.0.1 port 4444, which allows remote attackers
to conduct cross-protocol scripting attacks, and consequently execute
arbitrary commands, via a crafted web site.
For more details, see:
https://sourceforge.net/p/openocd/mailman/message/36188041/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8fb8dddbf4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a01d75d125)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable all programs that depend on ncurses, as well as utilities that
are useless on the host: agetty, chfn-chsh, chmem, login, lslogins,
mesg, more, newgrp, nologin, nsenter, pg, rfkill, schedutils, setpriv,
setterm, su, sulogin, tunelp, ul, unshare, uuidd, vipw, wall, wdctl,
write, zramctl.
Also add dependency on host-zlib if host cramfs utils are to be built.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 67170b76af)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE-2018-4088, CVE-2017-13885,
CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, CVE-2017-7153,
CVE-2017-7153, CVE-2017-7161, and CVE-2018-4096. Additionally, it solves
a GStreamer deadlock when stopping video playback, and contains fixes
and improvements for the WebDriver implementation.
Release notes can be found in the announcement:
https://webkitgtk.org/2018/01/24/webkitgtk2.18.6-released.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 54798893b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Nowadays libtasn1 is always required and if not present the CMake
configuration step would fail.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d052ed473d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
