Security fixes since 2.2.12:
- wnpa-sec-2018-15
The MP4 dissector could crash. (Bug 13777)
- wnpa-sec-2018-16
The ADB dissector could crash. (Bug 14460)
- wnpa-sec-2018-17
The IEEE 802.15.4 dissector could crash. (Bug 14468)
- wnpa-sec-2018-18
The NBAP dissector could crash. (Bug 14471)
- wnpa-sec-2018-19
The VLAN dissector could crash. (Bug 14469)
- wnpa-sec-2018-20
The LWAPP dissector could crash. (Bug 14467)
- wnpa-sec-2018-23
The Kerberos dissector could crash. (Bug 14576)
- wnpa-sec-2018-05
The IEEE 802.11 dissector could crash. Bug 14442, CVE-2018-7335
- wnpa-sec-2018-06
Multiple dissectors could go into large infinite loops. All ASN.1 BER dissectors (Bug 14444), along with the DICOM (Bug 14411), DMP (Bug 14408), LLTD (Bug 14419), OpenFlow (Bug 14420), RELOAD (Bug 14445), RPCoRDMA (Bug 14449), RPKI-Router (Bug 14414), S7COMM (Bug 14423), SCCP (Bug 14413), Thread (Bug 14428), Thrift (Bug 14379), USB (Bug 14421), and WCCP (Bug 14412) dissectors were susceptible.
- wnpa-sec-2018-07
The UMTS MAC dissector could crash. Bug 14339, CVE-2018-7334
- wnpa-sec-2018-09
The FCP dissector could crash. Bug 14374, CVE-2018-7336
- wnpa-sec-2018-10
The SIGCOMP dissector could crash. Bug 14398, CVE-2018-7320
- wnpa-sec-2018-11
The pcapng file parser could crash. Bug 14403, CVE-2018-7420
- wnpa-sec-2018-12
The IPMI dissector could crash. Bug 14409, CVE-2018-7417
- wnpa-sec-2018-13
The SIGCOMP dissector could crash. Bug 14410, CVE-2018-7418
- wnpa-sec-2018-14
The NBAP disssector could crash. Bug 14443, CVE-2018-7419
Full release notes:
https://www.wireshark.org/docs/relnotes/wireshark-2.2.14.html
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c5c87c2bb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the changelog:
2018-02-28 0.39
* Fixed a security issue with the form module (tx Orange Tsai)
* Fixed a security issue with the db module (tx Adrián Brav and Orange Tsai)
2016-07-08 0.38
..
* Fixed a potential remote exeution risk in `reparam` (tx Adrián Brav)
License files are still not included on pypi, so continue to use the git
repo. Upstream has unfortunately not tagged 0.39, so use the latest commit
on the 0.39 branch. A request to fix this has been submitted:
https://github.com/webpy/webpy/issues/449
0.39 now uses setuptools, so change the _SETUP_TYPE.
Add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ce559162fc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
webpy uses hashlib for session handling, so ensure it is available:
web/session.py: import hashlib
web/session.py: sha1 = hashlib.sha1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 543b0d50fb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#10856
The SSE_GENERIC target fails to build with a "sgemm_kernel.o: No such file
or directory" error. Several upstream bug reports exist for this:
https://github.com/xianyi/OpenBLAS/issues/502https://github.com/xianyi/OpenBLAS/issues/685
In both cases, upstream suggests using a different target definition
instead. E.G. from issue 685:
You may use NORTHWOOD on x86: make TARGET=NORTHWOOD that uses SSE2
instructions. It's very hard to find non-SSE2 x86 CPUs today. For x86-64
use the PRESCOTT target
So drop the SSE_GENERIC target. The only x86_64 variant we support not
covered by a more specific openblas target is the default variant, nocona
and jaguar.
Nocona was a Xeon variant of the P4 "Prescott" architecture, so use the
PRESCOTT openblas target:
https://en.wikipedia.org/wiki/Xeon#Nocona_and_Irwindale
Jaguar is from the Bobcat family, so use the BOBCAT openblas target:
https://en.wikipedia.org/wiki/List_of_AMD_microprocessors#Bobcat_core_architecture_(APU)
[Peter: add Jaguar as pointed out by Arnout]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5e6fa93483)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the OpenCV3 Python support is enabled with Python 3.x, it builds
properly, and the resulting .so file is built for the target
architecture, but its name is wrong:
output/target/usr/lib/python3.6/site-packages/cv2.cpython-36m-x86_64-linux-gnu.so
This prevents Python 3.x from importing the module:
>>> import cv2
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'cv2'
In order to fix this, we simply need to pass PKG_PYTHON_DISTUTILS_ENV
in the environment. The Python module then gets named:
output/target/usr/lib/python3.6/site-packages/cv2.cpython-36m-arm-linux-gnueabi.so
And can be imported properly:
>>> import cv2
>>>
This solution was suggested by Arnout Vandecappelle in
https://stackoverflow.com/questions/49059035/buildroot-opencv3-python-package-builds-for-the-wrong-target.
With Python 2.x, the module is named just cv2.so so this problem isn't
visible. However, for consistency, we also pass
PKG_PYTHON_DISTUTILS_ENV when building against Python 2.x, by putting
the OPENCV3_CONF_ENV assignment inside the
BR2_PACKAGE_OPENCV3_LIB_PYTHON condition, but outside the
BR2_PACKAGE_PYTHON3/BR2_PACKAGE_PYTHON condition.
Signed-off-by: Sasha Shyrokov <alexander-shyrokov@idexx.com>
[Thomas: extend the commit log, apply the solution to Python 2.x.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8ba80282c3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When imake is installed on the host, it tries to include
freetype headers from host, so we must override ac_cv_path_IMAKE
to avoid this.
Extract from config.log:
configure:14803: checking if we should use imake to help
configure:14820: result: yes
configure:14829: checking for xmkmf
configure:14846: found /usr/bin/xmkmf
configure:14857: result: /usr/bin/xmkmf
configure:14920: testing Using /usr/bin/xmkmf ...
configure:15015: testing IMAKE_CFLAGS -I. -I/usr/include/freetype2
Signed-off-by: Valentin Korenblit <valentin.korenblit@smile.fr>
[Thomas: pass ac_cv_path_IMAKE="" as suggested by Romain Naour.]
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6d0316dc7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
Constructed ASN.1 types with a recursive definition could exceed the stack
(CVE-2018-0739)
Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack.
There are no such structures used within SSL/TLS that come from untrusted
sources so this is considered safe.
Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each
byte. This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the
security claims of the scheme. The module can only be compiled by the HP-UX
assembler, so that only HP-UX PA-RISC targets are affected.
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
This issue has been reported in a previous OpenSSL security advisory and a
fix was provided for OpenSSL 1.0.2. Due to the low severity no fix was
released at that time for OpenSSL 1.1.0. The fix is now available in
OpenSSL 1.1.0h.
There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH1024 are considered just feasible, because most of the
work necessary to deduce information about a private key may be performed
offline. The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the server
would have to share the DH1024 private key among multiple clients, which is
no longer an option since CVE-2016-0701.
This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
For more details, see https://www.openssl.org/news/secadv/20180327.txt
The copyright year changed in LICENSE, so adjust the hash to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6938c219d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-12627: dereference of a NULL pointer while processing the path
to the DTD.
xerces 3.2.1 includes this patch. But this version also added
AC_RUN_IFELSE to its configure script, making cross compilation harder.
Switching to cmake is also problematic since the minimum required cmake
version is 3.2.0. The host dependencies check currently allows minimum
cmake version 3.1.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 142c8cc8d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix for CVE-2017-9798 is included in this release, so this patch is
removed.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Update commit log: not a security bump]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1cff68251e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prevent out-of-bounds write in codebook decoding.
Codebooks that are not an exact divisor of the partition size are now
truncated to fit within the partition.
Upstream has migrated from subversion to git, so change to git and bump the
version to include the fix for CVE-2018-5146.
While we're at it, also add a hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 80266c9505)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
Use after free when server is disconnected during netsplits. Incomplete fix
of CVE-2017-7191. Found by Joseph Bisch. (CWE-416, CWE-825) -
CVE-2018-7054 [2] was assigned to this issue.
Use after free when SASL messages are received in unexpected order. Found
by Joseph Bisch. (CWE-416, CWE-691) - CVE-2018-7053 [3] was assigned to
this issue.
Null pointer dereference when an “empty” nick has been observed by Irssi.
Found by Joseph Bisch. (CWE-476, CWE-475) - CVE-2018-7050 [4] was assigned
to this issue.
When the number of windows exceed the available space, Irssi would crash due
to Null pointer dereference. Found by Joseph Bisch. (CWE-690) -
CVE-2018-7052 [5] was assigned to this issue.
Certain nick names could result in out of bounds access when printing theme
strings. Found by Oss-Fuzz. (CWE-126) - CVE-2018-7051 [6] was assigned to
this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 181ef8a1d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:
- CVE-2018-1000098: Crash when parsing SDP with an invalid media format
description
- CVE-2018-1000099: Crash when receiving SDP with invalid fmtp attribute
[Peter: add CVE info]
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ed0d9d6f36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Busybox 1.17.1 has added built-in TLS support. Unfortunately, it fails
to build on i686 with gcc 4.8, with:
networking/tls_pstm_mul_comba.c: In function 'pstm_mul_comba':
networking/tls_pstm_mul_comba.c:82:1: error: 'asm' operand has impossible constraints
asm( \
^
networking/tls_pstm_mul_comba.c:279:4: note: in expansion of macro 'MULADD'
MULADD(*tmpx++, *tmpy--);
^
make[3]: *** [networking/tls_pstm_mul_comba.o] Error 1
make[2]: *** [networking] Error 2
Since TLS support is a new feature in 1.27, and wasn't present until
now, let's disable it to avoid the build failure.
The bug has been reported upstream at
http://lists.busybox.net/pipermail/busybox/2017-July/085713.html.
Fixes:
http://autobuild.buildroot.net/results/d973f9a2fbf0f52104f4943b902183e9dbf163a7/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d5507262f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2018-5732: The DHCP client incorrectly handled certain malformed
responses. A remote attacker could use this issue to cause the DHCP
client to crash, resulting in a denial of service, or possibly execute
arbitrary code. In the default installation, attackers would be isolated
by the dhclient AppArmor profile.
CVE-2018-5733: The DHCP server incorrectly handled reference counting. A
remote attacker could possibly use this issue to cause the DHCP server
to crash, resulting in a denial of service.
Both issues are fixed in version 4.4.1. But we are close to release, so
backport the fixes instead of bumping version.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 047cec5993)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7651: Unauthenticated clients can send a crafted CONNECT
packet which causes large amounts of memory use in the broker. If multiple
clients do this, an out of memory situation can occur and the system may
become unresponsive or the broker will be killed by the operating system.
The fix addresses the problem by limiting the permissible size for CONNECT
packet, and by adding a memory_limit configuration option that allows the
broker to self limit the amount of memory it uses.
The hash of new tarball is not (yet) available through download.php, so use
a locally calculated hash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f4df4a18e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop CVE 2017-9868 patch as that is now upstream.
1.4.14 is a bugfix release, fixing significant websocket performance /
correctness issues.
Use HTTPS for the download as the server uses HSTS, thus saving a redirect.
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b76bf7669)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit e51d69a3b (mosquitto: specify that hash is taken from upstream)
changed the .hash description header, but the upstream hash only applies
to the tarball, not the patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1ef8c22393)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-6767: A stack-based buffer over-read in the ParseRiffHeaderConfig
function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to
cause a denial-of-service attack or possibly have unspecified other impact
via a maliciously crafted RF64 file.
CVE-2018-7253: The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file
of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service
(heap-based buffer over-read) or possibly overwrite the heap via a
maliciously crafted DSDIFF file.
CVE-2018-7254: The ParseCaffHeaderConfig function of the cli/caff.c file of
WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global
buffer over-read), or possibly trigger a buffer overflow or incorrect memory
allocation, via a maliciously crafted CAF file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4de7e07e6e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tar 1.30 changed the --numeric-owner output for filenames > 100 characters,
leading to hash mismatches for the tar archives we create ourselves from
git. This is really a fix for a bug in earlier tar versions regarding
deterministic output, so it is unlikely to be reverted in later versions.
For more details, see:
http://lists.busybox.net/pipermail/buildroot/2018-January/211222.html
To work around this issue, blacklist tar 1.30+ similar to how we do it for
pre-1.17 versions so Buildroot falls back to building host-tar.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b8fa273d50)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
host-{cmake,lzip,xz} needs host-tar to extract their source code tarball, so
we need to ensure that host-tar gets added to DEPENDENCIES_HOST_PREREQ
before these in case they are both needed, otherwise the tools will fail to
extract.
With the upcoming change to blacklist modern tar versions this situation is
likely to trigger more often.
The real solution to this issue is the <foo>_EXTRACT_DEPENDENCIES rework,
but that series is a bit too intrusive to add this close to 2018.02, so
therefore this hack.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7c09cb82b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
