This is a maintenance release of the current stable WebKitGTK+ version,
which contains mitigations for CVE-2017-5753 and CVE-2017-5715, the
vulnerabilities known as the "Spectre" attack. It also contains a fix
which allows building the reference documentation with newer gtk-doc
versions.
Release notes can be found in the announcement:
https://webkitgtk.org/2018/01/10/webkitgtk2.18.5-released.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4c5bc08ba3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):
Multiple vulnerabilities have been located in Irssi.
(a) When the channel topic is set without specifying a sender, Irssi
may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)
CVE-2018-5206 was assigned to this issue.
(b) When using incomplete escape codes, Irssi may access data beyond
the end of the string. (CWE-126) Found by Joseph Bisch.
CVE-2018-5205 was assigned to this issue.
(c) A calculation error in the completion code could cause a heap
buffer overflow when completing certain strings. (CWE-126) Found
by Joseph Bisch.
CVE-2018-5208 was assigned to this issue.
(d) When using an incomplete variable argument, Irssi may access data
beyond the end of the string. (CWE-126) Found by Joseph Bisch.
CVE-2018-5207 was assigned to this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit aebdb1cd4b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Autotools-based packages that do not need C++ but check for it, and use
libtool, will fail to configure on distros that lack /lib/cpp.
This is the case for example on Arch Linux, where expat fails to build
with:
configure: error: in `/home/dkc/src/buildroot/build/build/expat-2.2.4':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
This is because libtool uses AC_PROC_CXXCPP, which can not be avoided,
and does require a cpp that passes some "sanity" checks (does not choke
on valid input, but does choke on invalid input). So we can use neither
/bin/false nor /bin/true...
We instead need something that can digest some basic C++ preprocessor
input. We can't use the target preprocessor: that does not work, because
it obviously has no C++ cupport:
arm-linux-cpp.br_real: error: conftest.cpp: C++ compiler not
installed on this system
We can however consider that the host machine does have a C++ compiler,
so we use the host' cpp, which is gcc's compiler wrapper that ends up
calling the host's C++ preprocessor.
That would give us a valid C++ preprocessor when we don't have one, in
fact. But autotools will then correctly fail anyway, because there is
indeed no C++ compiler at all, as we can see in this excerpt of a
configure log from expat:
checking whether we are using the GNU C++ compiler... no
checking whether false accepts -g... no
checking dependency style of false... none
checking how to run the C++ preprocessor... cpp
checking whether the false linker (/home/ymorin/dev/buildroot/O/host/bin/arm-linux-ld) supports shared libraries... yes
libtool.m4: error: problem compiling CXX test program
checking for false option to produce PIC... -DPIC
checking if false PIC flag -DPIC works... no
checking if false static flag works... no
checking if false supports -c -o file.o... no
checking if false supports -c -o file.o... (cached) no
checking whether the false linker (/home/ymorin/dev/buildroot/O/host/bin/arm-linux-ld) supports shared libraries... yes
So, using the host's C++ preprocessor (by way of gcc's wrapper) leads to
a working situation, where the end result is as expected.
Reported-by: Damien Riegel <damien.riegel@savoirfairelinux.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Damien Riegel <damien.riegel@savoirfairelinux.com>
Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit bd39d11d2e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If we don't explicitly disable SELinux support in the host-tar build,
it might pick up system-wide installed SELinux libraries, causing the
tar in HOST_DIR/bin/ to depend on the host SELinux libraries, which is
not desirable to make the SDK portable/relocatable.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 121807c089)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
First, the .pc file was so far fixed as a post-configure hook of the
matchbox-fakekey package, by directly tweaking the .pc file installed in
staging by matchbox-lib. That's uterly wrong and bad.
So, we move the fix to matchbox-lib.
Second, it was incorreclty tweaking the .pc file when xlib_libXft was
not enabled, because only then a path to staging was present.
Third, even when xlib_libXft was enabled, the tweaking was still wrong,
because unnecessary.
Fix all that.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 84a2645e5b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
matchbox-lib build-depends on xlib_libXext, but forgets to select it.
It also build-depends on expat without selecting it, but it does need
it.
Fix that: select xlib_libXext, remove expat.
Add myself to developpers for matchbox packages.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 2cfda4704e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-15896 - Node.js was affected by OpenSSL vulnerability
CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake
failure. The result was that an active network attacker could send
application data to Node.js using the TLS or HTTP2 modules in a way that
bypassed TLS authentication and encryption.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump mfgtools to include the fix [1] for the C++ build issue reported
by the autobuilders.
This bump include only 4 small commits fixing memory leak and this
build issue.
Remove CPOL.htm (removed upstream) from MFGTOOLS_LICENSE_FILES but CPOL
license is still valid.
Add the README.txt file to MFGTOOLS_LICENSE_FILES since it contains
licensing informations:
Licenses:
- CPOL: MfgToolLib/XmlLite.CPP and XmlLite.h
- BSD: Others.
Add license file hash.
[1] b370a43e54
Fixes:
http://autobuild.buildroot.net/results/7c2bbbe13ab315684f3502afd96958a76879b1d5
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 34c4c0680a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old SGI site is not accessible anymore. Use the link from the README
file.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1fa2f7646f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains fixes for CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, and
CVE-2017-13856. Additionally, this release brings improvements in the
WebDriver spec-compliance, plugs several memory leaks in its GStreamer based
multimedia backend, and fixes a bug when handling cookie removal.
Release notes can be found in the announcement:
https://webkitgtk.org/2017/12/19/webkitgtk2.18.4-released.html
More details about the security fixes are provided in the following
WebKitGTK+ Security Advisory report:
https://webkitgtk.org/security/WSA-2017-0010.html
Last but not least, this new release includes the fix for honoring the
CMAKE_BUILD_TYPE value from CMake toolchain files and the corresponding
patch is removed.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fbf6a483e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
does not check for a trailing '\0' character in an xattr name, which allows
remote attackers to cause a denial of service (heap-based buffer over-read
and application crash) or possibly have unspecified other impact by sending
crafted data to the daemon.
For more details, see:
https://bugzilla.samba.org/show_bug.cgi?id=13112
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7f33f1d848)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
lldpd currently depends on a C++ compiler to configure properly, but
the package doesn't select that option, so builds fail if
BR2_TOOLCHAIN_BUILDROOT_CXX is not selected with following errors:
checking how to run the C++ preprocessor... /lib/cpp
configure: error: in `/home/dkc/src/buildroot/build-zii/build/lldpd-0.9.4':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
This package actually builds fine without C++, so drop this check in
configure.ac. Attached patch has already been accepted upstream [1].
[1] https://github.com/vincentbernat/lldpd/pull/261
[Peter: adjust autoreconf comment]
Signed-off-by: Damien Riegel <damien.riegel@savoirfairelinux.com>
Reviewed-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 18c9cda6e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The gdb install target installs dynamic versions of libbfd and
libopcode, accidentally overwriting the binutils provided versions
(gdb itself links against the bundled static ones to avoid
version problems, so the dynamic ones are un-needed).
Prevent the installation by using the '--disable-install-libbfd'
configure option.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b54c793195)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://mariadb.com/kb/en/mariadb-10129-release-notes/
Changelog: https://mariadb.com/kb/en/mariadb-10129-changelog/
Fixes the following security vulnerabilities:
CVE-2017-10378 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily
exploitable vulnerability allows low privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server.
CVE-2017-10268 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Replication). Supported versions that are affected are
5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to
exploit vulnerability allows high privileged attacker with logon to the
infrastructure where MySQL Server executes to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized access to
critical data or complete access to all MySQL Server accessible data.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e299197a2c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
