With Microblaze Gcc version < 8.x the build hangs due to bug 85862:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85862
To avoid this, the libnss package has a !BR2_TOOLCHAIN_HAS_GCC_BUG_85862
dependency. However, gcc bug 85862 only triggers when optimization is
enabled, so we can work around the issue by passing -O0, which is what
we do in other Buildroot packages to work around this bug.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently libnss is configured with BUILD_OPT=1 and due to that that
it doesn't take into account Buildroot TARGET_CFLAGS nor
TARGET_LDFLAGS resulting in pre-chosen optimizations and debugging
symbols being used.
We can't pass TARGET_CFLAGS through CFLAGS or similar otherwise other
internal libnss one will be overwritten (i.e. -fPIC), so we prefer to
append TARGET_CFLAGS at the end of Linux.mk as well as TARGET_LDFLAGS
according to internal libnss Makefile system's names. And obviously
remove BUILD_OPT=1 from BUILD_VARS.
This reveals hidden bugs when building with -Os due to bogus
uninitialized warnings from gcc turned into errors because of -Werror,
so we explicitly pass NSS_ENABLE_WERROR=0 to avoid the use of -Werror.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Thomas: drop the libnss patches, and pass NSS_ENABLE_WERROR instead]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
(3.41) CVE-2018-12404: Cache side-channel variant of the Bleichenbacher
attack
(3.42.1) CVE-2018-18508: Add additional null checks to several CMS functions
to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak for the
discovery and fixes
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2018-12384: NSS responded to an SSLv2-compatible ClientHello with a
ServerHello that had an all-zero random.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
uClibc implements RTLD_NOLOAD for quite some time now. Remove the patch
adding a dummy definition of RTLD_NOLOAD.
Cc: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
Network Security Service library, is prone to a use-after-free vulnerability
in the TLS 1.2 implementation when handshake hashes are generated. A remote
attacker can take advantage of this flaw to cause an application using the
nss library to crash, resulting in a denial of service, or potentially to
execute arbitrary code.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The check-package script when ran gives warnings on ordering issues
on all of these Config files. This patch cleans up all warnings
related to the ordering in the Config files for packages starting with
the letter l in the package directory.
The appropriate ordering is: type, default, depends on, select, help
See http://nightly.buildroot.org/#_config_files for more information.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CVE-2017-5461 - Out-of-bounds write in Base64 encoding in NSS. Might cause
remote arbitrary code execution
(https://access.redhat.com/errata/RHSA-2017:1100).
CVE-2017-5462 - DRBG flaw in NSS
Drop 0001-cross-compile.patch and TARGET* variables. Upstream Makefile now
allows override of CC, so use TARGET_CONFIGURE_OPTS instead.
Drop upstream 0003-it-uninitialized-fix.patch.
Renumber the remaining patch.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for MPLv1.0/MPLv1.1/MPLv2.0 is MPL-1.0/MPL-1.1/
MPL-2.0.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/MPLv([1-2]\.[0-1])/MPL-\1/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2016-1950 - Fixed a heap-based buffer overflow related to the
parsing of certain ASN.1 structures. An attacker could create a
specially-crafted certificate which, when parsed by NSS, would cause a
crash or execution of arbitrary code with the permissions of the user.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2016-1950 - heap-based buffer overflow related to the parsing of
certain ASN.1 structures. An attacker could create a specially-crafted
certificate which, when parsed by NSS, would cause a crash or execution
of arbitrary code with the permissions of the user.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
nss uses some #pragma directives that require newish (>= 4.6) versions
of gcc, so disable Werror when building with older versions to avoid the
build from breaking unfairly.
However make this a gcc >= 4.8 conditional since the kludge is called so
(NSS_NO_GCC48) and other bits might depend upon it.
Upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1226179
Fixes:
http://autobuild.buildroot.net/results/ebd/ebd0647eb1eef41a7fb6e5f5bab18d4d12168661/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Disable gtests since they require C++ support.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that largefile is mandatory removes package dependencies and
conditionals.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Autogenerated from rename-patch.py (http://patchwork.ozlabs.org/patch/403345)
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2014-1569 - The definite_length_decoder function in
lib/util/quickder.c in Mozilla Network Security Services (NSS) before
3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding
of an ASN.1 length is properly formed, which allows remote attackers to
conduct data-smuggling attacks by using a long byte sequence for an
encoding.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since a while, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.
As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjust the Config.in option accordingly.
This also helps preparing the addition of other options to select
shared, shared+static or just static.
Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
The OPTIMIZER variable is used to construct CFLAGS for host toolchain.
This breaks the build since we set it to TARGET_CFLAGS, and these may not be
supported by host toolchain. Augment the cross-compile patch to handle
OPTIMIZER so that we can initialize it to TARGET_OPTIMIZER, and override it
when used with host toolchain.
Fixes:
http://autobuild.buildroot.net/results/3f1/3f1afc1b58cb6fe53c438b55f169e2a78238806d/
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2014-1492 - The cert_TestHostName function in lib/certdb/certdb.c in
the certificate-checking implementation in Mozilla Network Security
Services (NSS) before 3.16 accepts a wildcard character that is embedded
in an internationalized domain name's U-label, which might allow
man-in-the-middle attackers to spoof SSL servers via a crafted
certificate.
CVE-2014-1491 - Mozilla Network Security Services (NSS) before 3.15.4,
as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3,
Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does
not properly restrict public values in Diffie-Hellman key exchanges,
which makes it easier for remote attackers to bypass cryptographic
protection mechanisms in ticket handling by leveraging use of a certain
value.
CVE-2014-1490 - Race condition in libssl in Mozilla Network Security
Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0,
Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before
2.24, and other products, allows remote attackers to cause a denial of
service (use-after-free) or possibly have unspecified other impact via
vectors involving a resumption handshake that triggers incorrect
replacement of a session ticket.
CVE-2013-1740 - The ssl_Do1stHandshake function in sslsecur.c in libssl
in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS
False Start feature is enabled, allows man-in-the-middle attackers to
spoof SSL servers by using an arbitrary X.509 certificate during certain
handshake traffic.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
