Fixes the following security issues:
- CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
unauthenticated clients.
If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered
to the library, but the server application never receives them. For more
information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
- Stack overflow on server running PUB/XPUB socket (CURVE disabled).
The PUB/XPUB subscription store (mtrie) is traversed using recursive
function calls. In the remove (unsubscription) case, the recursive calls
are NOT tail calls, so even with optimizations the stack grows linearly
with the length of a subscription topic. Topics are under the control of
remote clients - they can send a subscription to arbitrary length topics.
An attacker can thus cause a server to create an mtrie sufficiently large
such that, when unsubscribing, traversal will cause a stack overflow. For
more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
- Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
Messages with metadata are never processed by PUB sockets, but the
metadata is kept referenced in the PUB object and never freed. For more
information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
- Memory leak in client induced by malicious server(s) without CURVE/ZAP.
When a pipe processes a delimiter and is already not in active state but
still has an unfinished message, the message is leaked.
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
- Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
By crafting a packet which is not valid ZMTP v2/v3, and which has two
messages larger than 8192 bytes, the decoder can be tricked into changing
the recorded size of the 8192 bytes static buffer, which then gets
overflown by the next message. The content that gets written in the
overflown memory is entirely decided by the sender.
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
Drop now upstreamed patches, autoreconf and reformat hash file with 2 space
delimiters.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
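The mtrie item above turns on one mechanism: a recursive, non-tail removal whose stack depth equals the topic length, with the topic length chosen by the remote subscriber. The following is an added illustrative model, not libzmq's mtrie and not code from this commit: a byte-keyed prefix trie with a recursive remover that records its own depth beside an iterative remover that keeps the path on the heap. All type and function names (node_t, trie_add, rm_rec, trie_remove_iterative, the demo_* helpers) are assumptions made for this example, and the 4096-byte topic is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustrative model, NOT libzmq's mtrie: a byte-keyed prefix trie of
 * subscription topics. rm_rec() mirrors the shape of a recursive, non-tail
 * removal, so its frame count equals the topic length; the iterative variant
 * keeps the path on the heap and uses constant stack. All names are ours. */
#define ALPHABET 256

typedef struct node {
    struct node *child[ALPHABET];
    unsigned count;                 /* subscriptions terminating at this node */
} node_t;

static node_t *node_new(void) { return (node_t *)calloc(1, sizeof(node_t)); }

static int node_empty(const node_t *n) {
    if (n->count) return 0;
    for (int i = 0; i < ALPHABET; i++)
        if (n->child[i]) return 0;
    return 1;
}

void trie_add(node_t *root, const unsigned char *topic, size_t len) {
    node_t *n = root;
    for (size_t i = 0; i < len; i++) {
        if (!n->child[topic[i]]) n->child[topic[i]] = node_new();
        n = n->child[topic[i]];
    }
    n->count++;
}

int trie_contains(const node_t *root, const unsigned char *topic, size_t len) {
    const node_t *n = root;
    for (size_t i = 0; i < len; i++) {
        n = n->child[topic[i]];
        if (!n) return 0;
    }
    return n->count > 0;
}

/* Recursive removal. Clearing the parent's pointer AFTER the recursive call is
 * what makes this a non-tail call; *depth records the deepest frame reached. */
static int rm_rec(node_t *n, const unsigned char *topic, size_t len,
                  size_t cur, size_t *depth) {
    if (cur > *depth) *depth = cur;
    if (cur == len) {
        if (n->count) n->count--;
    } else {
        node_t *c = n->child[topic[cur]];
        if (c && rm_rec(c, topic, len, cur + 1, depth))
            n->child[topic[cur]] = NULL;        /* work after the call: no TCO */
    }
    if (cur > 0 && node_empty(n)) { free(n); return 1; }
    return 0;
}

size_t trie_remove_recursive(node_t *root, const unsigned char *topic, size_t len) {
    size_t depth = 0;
    rm_rec(root, topic, len, 0, &depth);
    return depth;
}

/* Iterative removal: record the path in a heap array, then prune upward. */
int trie_remove_iterative(node_t *root, const unsigned char *topic, size_t len) {
    node_t **path = (node_t **)malloc((len + 1) * sizeof *path);
    if (!path) return -1;
    node_t *n = root;
    path[0] = root;
    for (size_t i = 0; i < len; i++) {
        n = n->child[topic[i]];
        if (!n) { free(path); return 0; }
        path[i + 1] = n;
    }
    if (!n->count) { free(path); return 0; }
    n->count--;
    for (size_t i = len; i > 0 && node_empty(path[i]); i--) {
        free(path[i]);
        path[i - 1]->child[topic[i - 1]] = NULL;
    }
    free(path);
    return 1;
}

/* Subscribe to a constructed topic of `len` 'a' bytes, unsubscribe recursively,
 * and return the recursion depth that took (one frame per topic byte). */
size_t demo_recursive_depth(size_t len) {
    unsigned char *topic = (unsigned char *)malloc(len ? len : 1);
    memset(topic, 'a', len);
    node_t *root = node_new();
    trie_add(root, topic, len);
    size_t depth = trie_remove_recursive(root, topic, len);
    free(root); free(topic);
    return depth;
}

/* Same round trip with the iterative remover; returns 1 when the topic is gone. */
int demo_iterative_roundtrip(size_t len) {
    unsigned char *topic = (unsigned char *)malloc(len ? len : 1);
    memset(topic, 'a', len);
    node_t *root = node_new();
    trie_add(root, topic, len);
    int ok = trie_remove_iterative(root, topic, len) == 1 &&
             !trie_contains(root, topic, len);
    free(root); free(topic);
    return ok;
}

int main(void) {
    printf("recursive depth for 4096-byte topic: %zu\n", demo_recursive_depth(4096));
    printf("iterative round trip ok: %d\n", demo_iterative_roundtrip(4096));
    return 0;
}
```

The recursive remover reports a depth equal to the topic length, which is the property the advisory text describes: a subscriber controls the topic length and therefore the stack consumed at unsubscribe time. The iterative remover moves that cost to a heap allocation that fails cleanly instead of faulting the stack.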
Since commit [1] in U-Boot upstream, there is no necessity to pass extra
metadata_csum option due to changed env location in U-Boot so we can
drop it completely.
[1] 76db1681da52342ca9f4fb7e6787bd83cc82f429:
stm32mp1: use a specific SD/eMMC partition for U-Boot enviromnent
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr: 76db1681d references a U-Boot commit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
kbd uses _Generic since version 2.2.90 and
da5feb8fd9
However, _Generic is not available until gcc 4.9:
https://gcc.gnu.org/wiki/C11Status
As a result, build with gcc 4.8 fails on:
setleds.c:352:3: warning: implicit declaration of function '_Generic' [-Wimplicit-function-declaration]
ndefflags = BITMASK_SET(BITMASK_UNSET(odefflags, ndef), nval);
^
setleds.c:22:2: error: expected expression before 'unsigned'
unsigned char: (unsigned char)(~(x)) \
^
Fixes:
- http://autobuild.buildroot.org/results/b74ecdda44543da1d47fa2c027fb046a3ca1e2d1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: propagate the MMU dependency to the comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libcap has been dropped since version 0.11.0 and
906c0766df
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
IPython-enabled pdb.
This package can be very helpful when someone wants to debug
a Python application on the board itself.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
On aarch64, with the config option "--enable-mpers=check" the configure.ac
script searches for a 32bit compiler. When a matching compiler is found
in the PATH some compatibility checks are done. This can fail when the
available kernel headers on host and buildroot target do not match.
Since buildroot does not support 32bit binaries when building for 64bit
architecture (no -m32 option) we can disable this option unconditionally.
When disabling it unconditionally, the configuration for toolchains using
MUSL can also be removed.
Cc: Baruch Siach <baruch@tkos.co.il>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Force GIT_VERSION to avoid git version logic that takes the Buildroot
git commit id.
Update LICENSE hash; copyright year update.
Format hashes file with two space delimiters.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package uses gcc filename without absolute path, which breaks
the host build if host and target compiler have the same filename.
(Can happen with an external toolchain).
This patch adds the variables for the host as overrides,
as they are otherwise not picked up from the environment.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Adding htpdate, a time synchronization software based on http.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Parallel build is fixed since version 1.9.2 and
375d2de089
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Fix CVE-2020-15503: LibRaw before 0.20-RC1 lacks a thumbnail size
range check. This affects decoders/unpack_thumb.cpp,
postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example,
malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without
validating T.tlength.
- zlib is an optional dependency since
b63f017b06
Also update indentation in hash file (two spaces) as well as README.md
hash, no license changes:
- d1975cb0e0
- d38361b76e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Both patches are now upstream and can be dropped:
- 7cfaa9dede0f7f711a0fb961559e9629e7c7a259 is "MakeHeader.py: Fix for
non-utf8 environments"
- dfd9279f87791e36a5212726781c31fbe7110361 is "Resolve complation
issues with -fno-common (default from gcc-10)"
The license file hash is changed due to the removal of one empty line:
@@ -353,4 +353,3 @@
applicable licenses of the version of PLPA used in your combined work,
provided that you include the source code of such version of PLPA when
and as the GNU GPL requires distribution of source code.
-
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Easyframes uses fork when capturing frames in a pcap file, therefore
add the dependency BR2_USE_MMU.
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The custom UBoot version was not correctly specified, causing the latest
one to be selected instead:
/home/ymorin/dev/buildroot/buildroot/configs/odroidc2_defconfig:25:warning:
symbol value '"2020.07"' invalid for BR2_TARGET_UBOOT_CUSTOM_VERSION
Fixes:
https://gitlab.com/ymorin/buildroot/-/jobs/723411844
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Dagg Stompler <daggs@gmx.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Contains fixes for overflows when input chunks are larger than 2 GiB,
an uninitialized data access, and minor correctness and performance
improvements. There does not seem to be any CVEs filed, but there is
a security notice in the release notes at:
https://github.com/google/brotli/releases/tag/v1.0.9
Patch "0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch"
is rebased against the latest upstream changes.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
graphical is equivalent to the sysvinit runlevel 5
multi-user is equivalent to a runlevel between 2 and 4
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update hash of COPYING and add CREDITS to license files as most of the
original COPYING content moved to CREDITS and COPYING now contains
GPL-2.0+ text since version 2.0.90 and
1304c0c11c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
opcua-asyncio is an asyncio-based asynchronous OPC UA client
based on python-opcua, removing hacks for support of
python < 3.6.
Asynchronous programming allows for simpler code (e.g. less need
for locks) and potentially performance gains.
More information is available at:
https://github.com/FreeOpcUa/opcua-asyncio.
Signed-off-by: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
demosaic packs have been removed since version 0.19.0 and
b85690eb48
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Ordinary local file IO is blocking, and cannot easily and
portably be made asynchronous.
This means doing file IO may interfere with asyncio applications,
which shouldn't block the executing thread. aiofiles helps
with this by introducing asynchronous versions of files
that support delegating operations to a separate thread pool.
More information is available at:
https://pypi.org/project/aiofiles.
Signed-off-by: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
janus-gateway comes with an example website to test its features.
Since the bump to 0.10.3, this website takes 1.8MiB uncompressed on
the target, among which is a 1MiB video sample which does not compress
well.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Drop first patch (not needed since
e2ff9cf32d)
- Drop second and third patch (already in version)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>