Commit Graph

50808 Commits

Author SHA1 Message Date
Fabrice Fontaine
a3b1f2885e package/openjpeg: fix CVE-2020-6851
OpenJPEG through 2.3.1 has a heap-based buffer overflow in
opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
opj_j2k_update_image_dimensions validation.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 10:42:32 +01:00
Fabrice Fontaine
5934e676f3 package/openjpeg: fix CVE-2019-12973
In OpenJPEG 2.3.1, there is excessive iteration in the
opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could
leverage this vulnerability to cause a denial of service via a crafted
bmp file. This issue is similar to CVE-2018-6616.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 10:42:29 +01:00
Fabrice Fontaine
32d9a95d94 package/emlog: annotate CVE-2019-16868 and CVE-2019-17073
CVE-2019-16868 and CVE-2019-17073 are misclassified (by our CVE tracker)
as affecting emlog, while in fact it affects http://www.emlog.net.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 10:34:50 +01:00
James Hilliard
23d12793d5 package/linux-firmware: add missing symlinks
As of upstream commit 9cfefbd7fbdaa5ae769e3061c463f8345d146fb7
we must manually create symlinks as they are no longer present
in the archive but created at installation.

Fixes:
    http://autobuild.buildroot.net/results/46fdacbe4064d72aaafa9f52741121d8e4fe64ab/

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:44:41 +01:00
Fabrice Fontaine
5553223297 package/shellinabox: fix CVE-2018-16789
libhttp/url.c in shellinabox through 2.20 has an implementation flaw in
the HTTP request parsing logic. By sending a crafted multipart/form-data
HTTP request, an attacker could exploit this to force shellinaboxd into
an infinite loop, exhausting available CPU resources and taking the
service down.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:36:09 +01:00
Fabrice Fontaine
2914843b39 package/suricata: fix CVE-2019-18792
An issue was discovered in Suricata 5.0.0. It is possible to
bypass/evade any tcp based signature by overlapping a TCP segment with a
fake FIN packet. The fake FIN packet is injected just before the PUSH
ACK packet we want to bypass. The PUSH ACK packet (containing the data)
will be ignored by Suricata because it overlaps the FIN packet (the
sequence and ack number are identical in the two packets). The client
will ignore the fake FIN packet because the ACK flag is not set. Both
linux and windows clients are ignoring the injected packet.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:36:06 +01:00
Fabrice Fontaine
7d74283309 package/libcgroup: fix CVE-2018-14348
libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666
regardless of the configured umask, leading to disclosure of information

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:36:04 +01:00
Romain Naour
c623d89b4b configs:nitrogen{6sx, 6x, 7, 8m}: fix typo in kernel headers version
A typo has been introduced during the last version bump [1].

[1] 00252b101a

Fixes:
[nitrogen6sx]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255632
[nitrogen6x]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255635
[nitrogen7]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255638
[nitrogen6m8]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255640

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Gary Bisson <bisson.gary@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:30:56 +01:00
Fabrice Fontaine
4815bbc7b0 package/exiv2: annotate CVE-2019-13504
CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
version 0.27.2, while in fact both commits that fixed this issue are
already in this version: bd0afe039043 and 54f0bebca032.

(From: https://security-tracker.debian.org/tracker/CVE-2019-13504)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:25:26 +01:00
Fabrice Fontaine
d8be0e4cd4 package/exiv2: fix CVE-2019-20421
In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
file can result in an infinite loop and hang, with high CPU consumption.
Remote attackers could leverage this vulnerability to cause a denial of
service via a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 23:20:35 +01:00
Fabrice Fontaine
91b150dc33 package/cairo: fix CVE-2018-19876
Add an upstream patch to fix CVE-2018-19876: cairo 1.16.0, in
cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a
free function incompatible with WebKit's fastMalloc, leading to an
application crash with a "free(): invalid pointer" error.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 23:17:29 +01:00
Fabrice Fontaine
9675c3fbe8 package/rdesktop: add xlib_libXrandr optional dependency
xlib_libXrandr is an optional dependency since version 1.7.0 and
6ee9faeffc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 23:17:29 +01:00
Fabrice Fontaine
d383b46ac1 package/exiv2: fix CVE-2019-17402
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory
in crwimage_int.cpp, because there is no validation of the relationship
of the total size to the offset and size.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 23:10:32 +01:00
Fabrice Fontaine
ffb50125b0 package/rdesktop: security bump to version 1.8.6
- Fix CVE-2019-15682: RDesktop version 1.8.4 contains multiple
  out-of-bound access read vulnerabilities in its code, which results in
  a denial of service (DoS) condition. This attack appear to be
  exploitable via network connectivity. These issues have been fixed in
  version 1.8.5
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 22:45:28 +01:00
Carlos Santos
0acd05423d package/openrc: remove keymaps units if kbd package is not selected
keymaps and save-keymaps require kbd_mode and dumpkeys, respectively, so
remove them if the kbd package is not selected (e.g. devices with serial
console, only).

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - expand to three commands to match the existing hook
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 22:14:50 +01:00
Fabrice Fontaine
03cb3f61a0 package/qpdf: fix comment
Commit 3f9bcc01b3 forgot to update comment

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 20:25:34 +01:00
Fabrice Fontaine
3f9bcc01b3 package/qpdf: needs wchar
Upstream was not too keen [0] on applying fixes for toolchains without
wchar, so just require that.

The sole user selecting qpdf already depends on wchar, so update the
comment accordingly.

[0] https://github.com/qpdf/qpdf/pull/405#issuecomment-592971907

Fixes:
 - http://autobuild.buildroot.org/results/99c82d4775ed44bd04d0a48188ff590dcba73d69

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: drop the patch, add the dependency]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 19:26:38 +01:00
Carlos Santos
4e3e53483c package/openrc: fix post-install-target addition
OPENRC_POST_TARGET_INSTALL_HOOKS -> OPENRC_POST_INSTALL_TARGET_HOOKS

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 19:24:16 +01:00
Fabrice Fontaine
c8c5660a81 package/boost: annotate _IGNORE_CVES for CVE-2009-3654
This CVE does not affect the boost package, but is misclassified by our
CVS tracker. As per the advisory:

    Unspecified vulnerability in Boost before 6.x-1.03, a module for
    Drupal, allows remote attackers to create new webroot directories
    via unknown attack vectors.

Ignore the CVS, and expand a comment to explain it.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: expand the comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 18:17:37 +01:00
Nayna Jain
bfbe6b9235 package/kexec-lite: Bump the version
Upstream changes include:

kexec: improve kexec_file_load error message

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 17:50:34 +01:00
Heiko Thiery
3883517b56 package/libgdiplus: backport of fix for GifQuantizeBuffer
In newer version of giflib the GifQuantizeBuffer code was removed.

libgdiplus included the needed function by their own:
(https://github.com/mono/libgdiplus/pull/575).

This patch will become obsolete once libgdiplus is bumped to version 6.x.

Fixes:
http://autobuild.buildroot.net/results/46c5cf068cf9ea50e53491870d9dbf3f134c8c22

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 17:47:47 +01:00
Yann E. MORIN
4cc586695f package/openrc: needs kmod
openrc provides scripts that have been written for the big-gun kmod, and
so use options unknown to the busybox' provided applets:

  - Busybox modprobe does not have a "--first-time" option,
  - the "--verbose" option is just "-v",
  - the "--use-blacklist" option is just "-b". Also blacklist support is
    not selected in our default busybox configuration.

One of two options, is to "fix" or "adapt" openrc's scripts to busybox,
which means for the openrc package to go peek into files from the
busybox package, which is not nice, and can't work because that is not
available by the time we scan our Makefiles.

The other option, which this patch implements, is to just add a
dependency onto kmod and its tools.

Reported-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 17:47:47 +01:00
Thomas Petazzoni
15e96f9417 package/pkg-generic.mk: in image install, print message before pre-hooks
In all steps, we print the message indicating the start of the step
using the MESSAGE macro before running pre-hooks. Except in the image
installation step, where the message is printed after the pre-hooks.

Let's fix this inconsistency.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 17:47:47 +01:00
Pascal de Bruijn
891c5b7b4b package/exim: fix systemd service binary path
modern versions of exim are installed into sbin not bin

Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 17:47:47 +01:00
Fabrice Fontaine
6785c19bf5 package/libarchive: security bump to version 3.4.2
- Fix CVE-2020-9308: archive_read_support_format_rar5.c in libarchive
  before 3.4.2 attempts to unpack a RAR5 file with an invalid or
  corrupted header (such as a header size of zero), leading to a SIGSEGV
  or possibly unspecified other impact.
- use --with-nettle to enable nettle support, see
  f96a71144b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - drop new optional dependency to mbedtsl, forced off for now
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 17:43:59 +01:00
Fabrice Fontaine
71d6e2cc05 package/lxc: fix build with ultrasparc
Fixes:
 - http://autobuild.buildroot.org/results/17c2319850f02f24da6fbef9656c07f86fdc5a3a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 17:37:54 +01:00
Fabrice Fontaine
8d76402ee1 package/libssh2: fix CVE-2019-17498
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in
packet.c has an integer overflow in a bounds check, enabling an attacker
to specify an arbitrary (out-of-bounds) offset for a subsequent memory
read. A crafted SSH server may be able to disclose sensitive information
or cause a denial of service condition on the client system when a user
connects to the server.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 17:31:50 +01:00
Fabrice Fontaine
2f813df3d9 package/poco: PDF needs XML, JSON and Util
PDF needs XML, JSON and Util since version 1.9.0 and
c5acb2ac27

Fixes:
 - http://autobuild.buildroot.org/results/294b604a0e37aafbe085f0e6f0d1a83ab110c3a4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 17:27:28 +01:00
Fabrice Fontaine
d0063f2ff1 package/dnsmasq: fix CVE-2019-14834
A vulnerability was found in dnsmasq before version 2.81, where the
memory leak allows remote attackers to cause a denial of service
(memory consumption) via vectors involving DHCP response creation.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 16:12:08 +01:00
Fabrice Fontaine
4390b365a2 package/lz4: security bump to version 1.9.2
- Fix CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow
  in LZ4_write32 (related to LZ4_compress_destSize), affecting
  applications that call LZ4_compress_fast with a large input. (This
  issue can also lead to data corruption.) NOTE: the vendor states "only
  a few specific / uncommon usages of the API are at risk."
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 08:39:06 +01:00
Fabrice Fontaine
df1d834420 package/squid: security bump to version 4.10
Drop patch (already in version)
Update indentation of hash file (two spaces)

Fix the following issues:
 - CVE-2020-8517: Buffer Overflow issue in ext_lm_group_acl helper.
 - CVE-2019-12528: Information Disclosure issue in FTP Gateway.
 - CVE-2020-8449, CVE-2020-8450: Improper Input Validation issues in
   HTTP Request processing.
 - CVE-2019-18679: Information Disclosure issue in HTTP Digest
   Authentication.
 - CVE-2019-18678: HTTP Request Splitting issue in HTTP message
   processing.
 - CVE-2019-18677: Cross-Site Request Forgery issue in HTTP Request
   processing.
 - CVE-2019-12523, CVE-2019-18676: Multiple issues in URI processing.
 - CVE-2019-12526: Heap Overflow issue in URN processing.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 08:36:30 +01:00
Fabrice Fontaine
141ec69812 package/zsh: security bump to version 5.8
- Fix CVE-2019-20044: In Zsh before 5.8, attackers able to execute
  commands can regain privileges dropped by the --no-PRIVILEGED option.
  Zsh fails to overwrite the saved uid, so the original privileges can
  be restored by executing MODULE_PATH=/dir/with/module zmodload with a
  module that calls setuid().
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 08:36:11 +01:00
Fabrice Fontaine
8619025300 package/ntfs-3g: annotate _IGNORE_CVES for the included security patch
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 08:35:40 +01:00
Fabrice Fontaine
16d3e1734e package/linknx: host-pkgconf is mandatory
host-pkgconf is a mandatory dependency, this will fix per-package build

Fixes:
 - http://autobuild.buildroot.org/results/cfda0ce53165bb22b691b5b6510f0ab096a41e17

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-28 07:35:45 +01:00
Peter Korsgaard
993ddd2765 package/qt5: drop QT5_VERSION_LATEST symbol
Now that all the references to this symbol are gone, remove the blind
symbol.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:56:04 +01:00
Peter Korsgaard
f88e67a1db package/libv4l: drop QT5_VERSION_LATEST logic
Now that the version selection has been removed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:56:00 +01:00
Peter Korsgaard
ec99c3a765 package/libmediaart: drop QT5_VERSION_LATEST logic
Now that the version selection has been removed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:55:54 +01:00
Peter Korsgaard
41425ef67a package/kf5: drop QT5_VERSION_LATEST logic
Now that the version selection has been removed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:55:50 +01:00
Peter Korsgaard
dad59b831e package/gst1-plugins-good: drop QT5_VERSION_LATEST logic
Now that the version selection has been removed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:55:45 +01:00
Peter Korsgaard
ce0eaca1ea package/cutelyst: drop QT5_VERSION_LATEST logic
Now that the version selection has been removed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:55:21 +01:00
Peter Korsgaard
80dd5c98f4 package/qt5xmlpatterns: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:55:04 +01:00
Peter Korsgaard
83f8813d41 package/qt5x11extras: drop qt 5.6 support
And get rid of the 5.12.7 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:41 +01:00
Peter Korsgaard
55e5b3464b package/qt5webview: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:34 +01:00
Peter Korsgaard
9c59c74714 package/qt5websockets: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:30 +01:00
Peter Korsgaard
1b15344f43 package/qt5webkit-examples: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:26 +01:00
Peter Korsgaard
68917a6fe5 package/qt5webkit: drop qt 5.6 support
And get rid of the 5.9.1 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:23 +01:00
Peter Korsgaard
d2b562b5ff package/qt5webengine: drop qt 5.6 support
And get rid of the 5.12.7 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:18 +01:00
Peter Korsgaard
f57ab9d1d2 package/qt5webchannel: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:08 +01:00
Peter Korsgaard
7a962dacdc package/qt5wayland: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:04 +01:00
Peter Korsgaard
8f6092dbb6 package/qt5virtualkeyboard: drop qt 5.6 support
And get rid of the 5.12.7 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-27 23:53:01 +01:00