Fixes:
CVE-2016-2118 - A man in the middle can intercept any DCERPC traffic
between a client and a server in order toimpersonate the client and get
the same privileges as the authenticated user account.
CVE-2016-2115 - The protection of DCERPC communication over ncacn_np
(which is the default for most the file server related protocols) is
inherited from the underlying SMB connection. Samba doesn't enforce SMB
signing for this kind of SMB connections by default, which makes man in
the middle attacks possible.
CVE-2016-2114 - Due to a bug Samba doesn't enforce required smb signing,
even if explicitly configured.
CVE-2016-2113 - Man in the middle attacks are possible for client
triggered LDAP connections (with ldaps://) and ncacn_http connections
(with https://).
CVE-2016-2112 - A man in the middle is able to downgrade LDAP
connections to no integrity protection. It's possible to attack client
and server with this.
CVE-2016-2111 - When Samba is configured as Domain Controller it allows
remote attackers to spoof the computer name of a secure channel's
endpoints, and obtain sensitive session information, by running a
crafted application and leveraging the ability to sniff network traffic.
CVE-2016-2110 - The feature negotiation of NTLMSSP is not downgrade
protected. A man in the middle is able to clear even required flags,
especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.
CVE-2015-5370 - Errors in Samba DCE-RPC code can lead to denial of
service (crashes and high cpu consumption) and man in the middle
attacks.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
And upstream switches tarball name yet again, so adjust SOURCE.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The conditional is wrong, it was check for BR2_PACKAGE_MESA3D_OPENGL_ES
(correct, means GLESv2 support) and BR2_PACKAGE_MESA3D_OPENGL_GLES
(incorrect, there's no such symbol).
So now check for BR2_PACKAGE_MESA3D_OPENGL_EGL (EGL support) plus
BR2_PACKAGE_MESA3D_OPENGL_ES (GLESv2 support), both are required.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop 0003-iproute2-fix-building-with-musl.patch since it's upstream.
Add gentoo patch to allow for non-iptables builds.
Add new musl build fix.
Tweak 0001-Avoid-in6_addr-redefinition.patch since the first chunk is no
longer required.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
So far, our LDFLAGS for the BR2_BINFMT_FLAT case were only used on
Blackfin. However, passing -elf2flt in LDFLAGS is wrong. Indeed,
LDFLAGS are not linker flags, but flags passed to the compiler when
linking.
If you pass -elf2flt to the compiler when linking, it is understood as
"-e lf2flt", i.e "the entry point is named lf2flt", which isn't
exactly the intention. We in fact need to pass -Wl,-elf2flt in LDFLAGS
as well, so that the compiler passes -elf2flt down to the linker.
For some reason, this option does not cause an issue with the Blackfin
toolchain, but it does with either a Buildroot toolchain for Cortex-M
or an OSELAS toolchain for Cortex-M. We have verified that passing
-Wl,-elf2flt continues to work with the Blackfin toolchain.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While musl has recently gained noMMU support for the sh2 platform, we
don't support this yet. So for the time being, let's not show musl as
an available C library on noMMU platforms. This is for example
important on ARM noMMU: ARM is supported by musl, but not its noMMU
variants.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
glibc is not available for noMMU platforms, so it doesn't make sense
to show the comment about glibc requiring dynamic libraries on noMMU
platforms.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building the musl C library on Thumb (Thumb1, not Thumb2), fails with:
{standard input}:20: Error: only lo regs allowed with immediate -- `mov fp,#0'
{standard input}:21: Error: only lo regs allowed with immediate -- `mov lr,#0'
{standard input}:25: Error: unshifted register required -- `and ip,a1,#-16'
Since there are no cores that we support that are Thumb1 only, use the
same solution as the one used by glibc: build the C library in ARM
mode.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The context functions in uClibc unconditionally use the classic ARM
instruction set.
On platforms that do support the ARM instruction set, there is no problem -
However, on platforms that only support the Thumb instruction set, the
context functions cannot be built since the assembler code is not
Thumb-ready. Therefore, these functions must be disabled on such
platforms. All Thumb1 platforms support ARM instructions, so this is
only relevant for Thumb2-only platforms (i.e., Cortex-M).
Note that some packages require the context functions, so these will
fail to build on these platforms. It is worth mentioning that musl
also doesn't provide the context functions, and those are rarely
used. Affected packages will be handled in later patches.
[Peter: slightly reworded]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The uClibc patches to simplify the ARM Thumb configuration options
have been merged, but instead of being 5 separate patches, they have
been merged as a single patch.
This commit updates the Buildroot uClibc package to use the patch that
was actually upstreamed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 11573f5a14 ("sawman: remove
package"), we removed the sawman package, but forgot to remove the
hash file of that package. This commit finalizes the removal by
getting rid of the hash file.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2015-6360: Prevent potential DoS attack due to lack of bounds
checking on RTP header CSRC count and extension header length.
Also, add a hash file.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since quite some time, the kernel and bootloader communities consider
zImage as the default format for kernel images on ARM, replacing
uImage. The load address information in uImage is no longer needed,
since the kernel is position-independent in terms of physical address,
except on a few old platforms. For most people, using zImage is simply
better/simpler, so let's switch to zImage as the default image format
on ARM.
All defconfigs are updated: 46 defconfigs no longer need to select
explicitly zImage because it's the default, and 16 defconfigs now need
to explicitly select uImage because that's no longer the default.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Matt Weber <matt@thewebers.ws>
Acked-by: Julien Boibessot <julien.boibessot@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From configure.ac lines 83-89:
AC_ARG_ENABLE(egl, [ --disable-egl],,
enable_egl=yes)
AM_CONDITIONAL(ENABLE_EGL, test x$enable_egl = xyes)
if test x$enable_egl = xyes; then
AC_DEFINE([ENABLE_EGL], [1], [Build Weston with
EGL support])
PKG_CHECK_MODULES(EGL, [egl glesv2])
PKG_CHECK_MODULES([EGL_TESTS], [egl glesv2 wayland-client
wayland-egl])
It also requires wayland-egl which is only provided by mesa3d for now,
hence make it conditional on mesa3d egl+gles.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes (no CVEs yet):
Buffer over-write in finfo_open with malformed magic file.
Invalid memory write in phar on filename with \0 in name.
Parsing of tar file with duplicate filenames causes memory leak.
php_snmp_error() Format String Vulnerability.
Integer Overflow in php_raw_url_encode.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Release notes at http://fastd.readthedocs.org/en/v18/releases/v18.html
First patch rebased, second patch removed (gone upstream). Using tarball
and hashes instead of git now.
Signed-off-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
>From v6 to v7 just few changes were made for performance improvement and
compatibility.
Switched from git download to source tarballs and hashes.
Signed-off-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Patches upstream so drop them.
The 'bat' binary utility was renamed to 'alsabat' probably to avoid some
clash, keep the old .config symbol to avoid pointless legacy.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Drop 0001-add-missing-include.patch since it's upstream.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>