Bump to latest upstream commit as it fixes a huge number of CVEs. Some
of them can't be linked to a given commit (e.g.
https://github.com/ckolivas/lrzip/issues/67). Moreover, upstream does
not plan to tag a new release any time soon:
https://github.com/ckolivas/lrzip/issues/99
- Fix CVE-2017-8842: The bufRead::get() function in libzpaq/libzpaq.h in
liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial
of service (divide-by-zero error and application crash) via a crafted
archive.
- Fix CVE-2017-8843: The join_pthread function in stream.c in
liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted archive.
- Fix CVE-2017-8844: The read_1g function in stream.c in liblrzip.so in
lrzip 0.631 allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have
unspecified other impact via a crafted archive.
- Fix CVE-2017-8845: The lzo1x_decompress function in lzo1x_d.ch in LZO
2.08, as used in lrzip 0.631, allows remote attackers to cause a
denial of service (invalid memory read and application crash) via a
crafted archive.
- Fix CVE-2017-8846: The read_stream function in stream.c in
liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial
of service (use-after-free and application crash) via a crafted
archive.
- Fix CVE-2017-8847: The bufRead::get() function in libzpaq/libzpaq.h in
liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted archive.
- Fix CVE-2017-9928: In lrzip 0.631, a stack buffer overflow was found
in the function get_fileinfo in lrzip.c:979, which allows attackers to
cause a denial of service via a crafted file.
- Fix CVE-2017-9929: In lrzip 0.631, a stack buffer overflow was found
in the function get_fileinfo in lrzip.c:1074, which allows attackers
to cause a denial of service via a crafted file.
- Fix CVE-2018-5747: In Long Range Zip (aka lrzip) 0.631, there is a
use-after-free in the ucompthread function (stream.c). Remote
attackers could leverage this vulnerability to cause a denial of
service via a crafted lrz file.
- Fix CVE-2018-11496: In Long Range Zip (aka lrzip) 0.631, there is a
use-after-free in read_stream in stream.c, because decompress_file in
lrzip.c lacks certain size validation.
Also:
- update indentation of hash file (two spaces)
- drop patch (already in version)
- manage host-nasm dependency which is enabled by default and has been
fixed by:
9f16f65705
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0f783ba66e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mesa chooses the first platform specified in -Dplatforms as the default
EGL native platform. [0]
Configure Options
-D platforms=...
List the platforms (window systems) to support. Its argument is
a comma separated string such as -D platforms=x11,drm. It
decides the platforms a driver may support. The first listed
platform is also used by the main library to decide the native
platform.
This has the effect of breaking EGL applications running on X11 and
possibly Wayland when the first platform specified isn't x11 or wayland,
and EGL_PLATFORM isn't set.
Reorder the specified platforms to use x11, wayland, and drm before
surfaceless, as this is the order chosen by other common distributions,
such as Arch Linux [1], Debian [2], and Fedora [3].
Users preferring drm or surfaceless over x11 or wayland likely know how
to override the native EGL platform, and likely have x11 and wayland
disabled anyway.
[0] https://www.mesa3d.org/egl.html
[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/mesa#n45
[2] fb8c1efb57/debian/rules (L38)
[3] https://src.fedoraproject.org/rpms/mesa/blob/master/f/mesa.spec#_337
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8e79f54323)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
* (2.24.2) With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for a wrong
host. The attack has been made impossible by forbidding a newline
character in any value passed via the credential protocol.
* (2.24.3) With a crafted URL that contains a newline or empty host, or
lacks a scheme, the credential helper machinery can be fooled into
providing credential information that is not appropriate for the protocol
in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Xtensa have added new relocation types R_XTENSA_[NP]DIFF{8,16,32} with
the same properties as the existing types R_XTENSA_DIFF{8,16,32}.
Add them to the list of ignored relocation types.
This fixes the following error when invoking elf2flt on xtensa binaries
built with the recent binutils:
ERROR: reloc type R_XTENSA_PDIFF32 unsupported in this context
Reported-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c99a3950d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libopcodes was installed in staging/ in commit 6a508d9361 (binutils:
Also install libopcodes in staging), but was not installed in target/
Starting with linux-5.6, perf (linux-tools) will link to libopcodes when
it is present. Since it is available in staging, the build succeeds.
However, libopcodes missing in target, perf fails at runtime:
perf: ...libopcodes-2.33.1.so: cannot open shared object file
Install libopcodes to target as well.
Signed-off-by: Lecopzer Chen <lecopzer@gmail.com>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit afceb76e43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
corruption when they were passed a pseudo-zero argument. Reported by Guido
Vranken / ForAllSecure Mayhem.
CVE-2020-1751: A defect in the PowerPC backtrace function could cause an
out-of-bounds write when executed in a signal frame context.
CVE-2020-1752: A use-after-free vulnerability in the glob function when
expanding ~user has been fixed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6488684e2b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
- Improve mitigation for CVE-2019-14271 for some nscd configuration.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 21e4b43544)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-markdown2 through 2.3.8 allows XSS because element names are
mishandled unless a \w+ match succeeds. For example, an attack might use
elementname@ or elementname- with an onclick attribute.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 544007dcc4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To match the docker-engine version.
./support/testing/run-tests tests.package.test_docker_compose.TestDockerCompose
09:54:39 TestDockerCompose Starting
09:54:40 TestDockerCompose Building
10:45:33 TestDockerCompose Building done
10:46:30 TestDockerCompose Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 3121.828s
OK
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0a0e3017d7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Set PAHO_HIGH_PERFORMANCE to disable free redefiniton as suggested by
upstream in https://github.com/eclipse/paho.mqtt.c/issues/846.
This will avoid the following build failure on musl:
/tmp/instance-1/output-1/host/x86_64-buildroot-linux-musl/sysroot/usr/include/sched.h:80:17: error: expected declaration specifiers or '...' before string constant
void free(void *);
^
/tmp/instance-1/output-1/host/x86_64-buildroot-linux-musl/sysroot/usr/include/sched.h:80:17: error: expected declaration specifiers or '...' before numeric constant
void free(void *);
^
[ 35%] Building C object src/CMakeFiles/common_obj.dir/Base64.c.o
[ 36%] Building C object src/CMakeFiles/common_obj.dir/SHA1.c.o
make[3]: *** [src/CMakeFiles/common_obj.dir/build.make:284: src/CMakeFiles/common_obj.dir/MQTTReasonCodes.c.o] Error 1
Fixes:
- http://autobuild.buildroot.org/results//fbe57a1602fed331ddff3ff3560dce02573816ff
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e446f5ac02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a
HandleCursorShape integer overflow and heap-based buffer overflow via a
large height or width value. NOTE: this may overlap CVE-2019-15690.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 705adbaf9a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream patch to fix squashfs-tools build failures because
of missing external declaration for fwriter_buffer and
bwriter_buffer.
Fixes:
- http://autobuild.buildroot.net/results/6789b668898245926e0a3a3e7caf823dff515d71
/usr/bin/ld: read_fs.o:(.bss+0x0): multiple definition of `fwriter_buffer'; mksquashfs.o:(.bss+0x400c90): first defined here
/usr/bin/ld: read_fs.o:(.bss+0x8): multiple definition of `bwriter_buffer'; mksquashfs.o:(.bss+0x400c98): first defined here
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8d7b714027)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add two upstream patches fixing input_event time related
compile failures.
Fixes:
- http://autobuild.buildroot.net/results/3883a948e30cfd235cfca1fb8646fe8032f5e18d
keytable.c: In function 'test_event':
keytable.c:1536:11: error: 'struct input_event' has no member named 'time'; did you mean 'type'?
ev[i].time.tv_sec, ev[i].time.tv_usec,
^~~~
type
keytable.c:1536:30: error: 'struct input_event' has no member named 'time'; did you mean 'type'?
ev[i].time.tv_sec, ev[i].time.tv_usec,
^~~~
type
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cd27ee0a58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cvs is an old package, and it shows:
- CVS is licensed under GPL-1.0+ as stated in README (referenced in source
code) and COPYING files;
- COPYING.LIB also give the terms of LGPL-2.0+, and is referenced by a
few files, like lib/strnlen1.c, mostly vampirised rom older versions
of the GNU C library (glibc);
- additionally, the glob implementation was also grabbed from a more
recent (but still old) glibc version, and is LGPL-2.1+, but there is
no license file associated with it, so we use the header instead.
Also update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- LGPL-2.0+ is used, reference at least one file
- LGPL-2.1+ is also used
- reword commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 449ac1b6cb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Irrlicht fail to detect properly the NEON support on aarch64 or ARM with NEON FPU support.
While linking an application with libIrrlicht.so, we get an undefined reference to
png_init_filter_functions_neon.
Some files are missing in the libpng bundled in Irrlicht, in particular arm/arm_init.c [1],
so disable NEON support completely.
This can be reproduced by building minetest using this defconfig for aarch64:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_MINETEST=y
BR2_PACKAGE_MINETEST_CLIENT=y
BR2_PACKAGE_MINETEST_SERVER=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
Or for ARM with NEON FPU support:
BR2_arm=y
BR2_cortex_a15=y
BR2_ARM_FPU_NEON=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_MINETEST=y
BR2_PACKAGE_MINETEST_CLIENT=y
BR2_PACKAGE_MINETEST_SERVER=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
[1] https://github.com/glennrp/libpng/tree/v1.6.37/arm
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bf5f4f417a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a
heap-based buffer overflow during JPEG_MARKER_SOS handling because of a
missing length check.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit aab52d8722)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When we prepare the release, we generate the manual in various formats,
so that it can be consulted locally without needing the miriads of tools
needed to generate it.
However, this creates the temporary .br2-external.* files in the output
directory, and those end up in the release tarball.
This is not a problem in practice, but is not clean.
Run 'distclean' in the output directory, to get rid of everything but
the generated documentation.
Reported-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bee47598aa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2020-11945: An issue was discovered in Squid before 5.0.2. A
remote attacker can replay a sniffed Digest Authentication nonce to gain
access to resources that are otherwise forbidden. This occurs because
the attacker can overflow the nonce reference counter (a short integer).
Remote code execution may occur if the pooled token credentials are
freed (instead of replayed as valid credentials).
http://www.squid-cache.org/Advisories/SQUID-2020_4.txt
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b365c64236)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Under certain circumstances (host distribution, openssl version),
the qemu-system binary fail to start:
qemu-system-aarch64: symbol lookup error: /lib64/libssh.so.4: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
There is no problem when only host-qemu is built, but it's linked with /lib64/libcurl.so.4
$ make host-qemu
$ ldd output/host/bin/qemu-system-aarch64
[...]
libcurl.so.4 => /lib64/libcurl.so.4 (0x00007fb21cb57000)
libssh.so.4 => /lib64/libssh.so.4 (0x00007fb21c35d000)
libpsl.so.5 => /lib64/libpsl.so.5 (0x00007fb21c34a000)
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fb21c2b4000)
Note: /lib64/libcurl.so.4 is linked with libssh and libssl:
$ ldd /lib64/libcurl.so.4
[...]
libssh.so.4 => /lib64/libssh.so.4 (0x00007f90d8efd000)
libpsl.so.5 => /lib64/libpsl.so.5 (0x00007f90d8eea000)
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f90d8e54000)
Continue the build.
$ make
We can notice that qemu_aarch64_virt_defconfig set
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
So host-openssl package is built and this is the problem:
$ ldd output/host/bin/qemu-system-aarch64
[...]
libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f3adb444000)
libssh.so.4 => /lib64/libssh.so.4 (0x00007f3adac4a000)
libpsl.so.5 => /lib64/libpsl.so.5 (0x00007f3adac37000)
libssl.so.1.1 => /home/naourr/buildroot/test/qemu_aarch64_virt_defconfig-master/host/lib/libssl.so.1.1 (0x00007f3adaba8000)
qemu-system-aarch64: symbol lookup error: /lib64/libssh.so.4: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
This is due to the build system trying to find libcurl using
pkg-config or curl-config.
libcurl is used by the QEMU Block driver for CURL images and
elf2dmp tool which is not needed.
Instead of adding host-libcurl dependency, we can disable it
entierely.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e30eaeb10e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is no host variant for SDL2 library in Buildroot.
So the qemu build system will try to detect automatically the
external SDL2 libraries installed on the host.
$ ldd output/host/bin/qemu-system-aarch64
[...]
libSDL2-2.0.so.0 => /lib64/libSDL2-2.0.so.0
Disable explicitely sdl2 options (named sdl) to improve the
build reproducibility.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 44e5da60b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
bzip2 support is needed for reading bzip2-compressed dmg images.
But the host-bzip2 is missing from host qemu package dependency,
so the qemu build system will try to detect automatically the
external libbzip2 libraries installed on the host.
$ ldd output/host/bin/qemu-system-aarch64
[...]
libbz2.so.1 => /lib64/libbz2.so.1
or
libbz2.so.1.0 => output/host/lib/libbz2.so.1.0
if host-bzip2 is built before host-qemu.
Disable explicitely bzip2 options to improve the build
reproducibility.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 743fceb2ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The vnc support is enabled by default and the build system
will try to detect automatically some external libraries
installed on the host for vnc-png, vnc-jpeg and vnc-sasl.
$ ldd output/host/bin/qemu-system-aarch64
[...]
libpng16.so.16 => /lib64/libpng16.so.16
or
libpng16.so.16 => output/host/lib/libpng16.so.16
if host-libpng is built before host-qemu.
Disable explicitely thoses options to improve the build
reproducibility.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ece36b9a46)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is no host-libssh in Buildroot, avoid qemu build system
to find libssh from the host.
Under certain circumstances (host distribution, openssl version), the
qemu-system binary fail to start:
host/bin/qemu-system-aarch64: symbol lookup error: /lib64/libssh.so.4: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
$ ldd output/host/bin/qemu-system-aarch64
[...]
libssh.so.4 => /lib64/libssh.so.4
Explicitely disable libssh for the host variant.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0c4a80c7c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
