Commit Graph

55920 Commits

Author SHA1 Message Date
Peter Seiderer
42c80b515a package/imagemagick: disable remaining config options (heic, jxl, openjp2)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:39:17 +01:00
Peter Seiderer
2f47cfade4 package/imagemagick: add optional libraw support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:39:09 +01:00
Peter Seiderer
d6667f3141 package/imagemagick: add optional zstd support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:38:57 +01:00
Peter Seiderer
32479efafe package/imagemagick: add optional libzip support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:38:42 +01:00
Peter Seiderer
a11b6beab9 package/imagemagick: security bump to version 7.0.10-62
Fixes the following security issue:

CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and
7.0.10-57 in gem.c.  This flaw allows an attacker who submits a crafted file
that is processed by ImageMagick to trigger undefined behavior through a
division by zero.  The highest threat from this vulnerability is to system
availability.

For more details, see the bugtracker:
https://github.com/ImageMagick/ImageMagick/issues/3077

- bump version to 7.0.10-62
- update license file hash (copyright year update)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: mention security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-27 00:28:41 +01:00
Markus Mayer
ba05d01476 package/readline: disable bracketed paste by default
As of readline 8.1, "bracketed paste" is enabled by default. However,
the feature causes control characters to appear in captured (telnet)
session output. This can throw off pattern matching if the output is to
be processed by scripts.

Let's keep the previous default of leaving this feature disabled and
provide a configuration option for users to enable it.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
[yann.morin.1998@free.fr:
  - explicit enable/disable
  - no indentation in conditional block
  - rewrap help text
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-26 22:42:56 +01:00
Romain Naour
8ef20378b7 package/qemu: disable tests
tests/fp/fp-bench.c uses fenv.h that is not always provided
by the libc (uClibc).

To work around this issue, add a new meson option to
disable tests while building Qemu.

Fixes:
http://autobuild.buildroot.net/results/53f5d8baa994d599b9da013ee643b82353366ec3/build-end.log

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-26 09:32:20 +01:00
Fabrice Fontaine
6e9409ea3b package/botan: avoid empty -l
Add upstream patch to fix upstream commit
af63fe89228172e5a395f7e6491fae3bfa9da4b1 which was added to buildroot in
commit d71de4143d

Fixes:
 - http://autobuild.buildroot.org/results/801007860b7787b28b2b2e3611b59350034a3694

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:58:22 +01:00
Fabrice Fontaine
1b3c8ce97f package/libuwsc: disable example
BUILD_EXAMPLE=OFF is already passed by cmake-package

Fixes:
 - http://autobuild.buildroot.org/results/f5256d5a3a86112f008506f1910d0600c491a2a0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:47:05 +01:00
Fabrice Fontaine
ceb2317a7a package/brltty: fix build with gcc < 5
Fix build of brltty in version 6.2 with gcc < 5

Fixes:
 - http://autobuild.buildroot.org/results/b758c6ffc7a14b24d5482e65ba6f90bc046ebd01

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: do an actual backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:38:16 +01:00
Fabrice Fontaine
c79f050de7 package/babeltrace2: link with libatomic if needed
Fix build of babeltrace2 in version 2.0.3 with Bootlin SPARC uclibc
toolchain added with commit 1348c569d0

Fixes:
 - http://autobuild.buildroot.org/results/31770bf70f9ce4e3be8fb310d084b214820c6829

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:27:20 +01:00
Fabrice Fontaine
51b5df23b2 package/elfutils: link with libatomic if needed
Fix build of elfutils 0.181 with Bootlin SPARC uclibc toolchain added
with commit 1348c569d0

Fixes:
 - http://autobuild.buildroot.org/results/31ce9e3861c6229a7869a15d322f5d2f5bfc6165

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:21:38 +01:00
Fabrice Fontaine
aead2e1ec2 package/intel-mediasdk: disable samples and tutorials
Disable samples and tutorials which are enabled by default and fail to
build with gcc 10 without upstream commit:
c7d40371eb

Fixes:
 - http://autobuild.buildroot.org/results/9ee28e5dc0b2ba854766d9bc82b95c28be2722d3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-25 22:11:40 +01:00
Peter Korsgaard
7cb44a2011 package/nodejs: security bump to version v12.21.0
Fixes the following security issues:

CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion

Affected Node.js versions are vulnerable to denial of service attacks when
too many connection attempts with an 'unknownProtocol' are established.
This leads to a leak of file descriptors.  If a file descriptor limit is
configured on the system, then the server is unable to accept new
connections and prevent the process also from opening, e.g.  a file.  If no
file descriptor limit is configured, then this leads to excessive memory
usage and causes the system to run out of memory.

CVE-2021-22884: DNS rebinding in --inspect

Affected Node.js versions are vulnerable to denial of service attacks when
the whitelist includes “localhost6”.  When “localhost6” is not present in
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
over network.  If the attacker controls the victim's DNS server or can spoof
its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain.  As long as the attacker uses the “localhost6” domain,
they can still apply the attack described in CVE-2018-7160.

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 21:29:29 +01:00
Andreas Klinger
81e0421285 package/ply: build needs flex and bison
Building needs flex and bison installed on the host system.

Fixes:
http://autobuild.buildroot.net/results/7cfe75725f4746367f2870ee9545f31ba56f6ec1

Signed-off-by: Andreas Klinger <ak@it-klinger.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 20:30:20 +01:00
Fabrice Fontaine
028aa3986d package/screen: add SCREEN_CPE_ID_VENDOR
cpe:2.3:a:gnu:screen is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Ascreen

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 20:11:22 +01:00
Fabrice Fontaine
879772f8e7 package/xterm: add XTERM_CPE_ID_VENDOR
cpe:2.3:a:invisible-island:xterm is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ainvisible-island%3Axterm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 20:11:11 +01:00
Peter Korsgaard
4e6ee9eb53 package/python3: security bump to version 3.9.2
Fixes the following security issue:

- CVE-2021-23336: urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a
  query args separator
  https://bugs.python.org/issue42967

And fixes a number of issues. For details, see the changelog:
https://docs.python.org/release/3.9.2/whatsnew/changelog.html

Drop the now upstreamed security patch and update the license hash for a
change of copyright year:

-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-25 08:10:36 +01:00
Vincent Fazio
b50eef1dfd support/download: drop sub-second precision in tarball creation
Some download backends, like svn, will provide timestamps with a
sub-second precision, e.g.

    $ svn info --show-item last-changed-date [...]
    2021-02-19T20:22:34.889717Z

However, the PAX headers do not accept sub-second precision, leading to
failure to download from subversion:

    tar: Time stamp is out of allowed range
    tar: Exiting with failure status due to previous errors
    make[1]: *** [package/pkg-generic.mk:148: [...]/build/subversion-1886712/.stamp_downloaded] Error 1

Fix that by massaging the timestamp to drop the sub-second part. We
do that in the generic helper, rather than the svn backend, so that
all callers to the generic helper benefit from this, as this is more
an internal detail of the tarball limitations, than of the backends
themselves.

Reported-by: Roosen Henri <Henri.Roosen@ginzinger.com>
Signed-off-by: Vincent Fazio <vfazio@xes-inc.com>
[yann.morin.1998@free.fr:
  - add Henri as reporter
  - move it out of the svn backend, and to the generic helper
  - reword the commit log accordingly
  - use an explicit time format rather than -Iseconds
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-22 23:01:27 +01:00
Peter Korsgaard
6376decbda package/bind: security bump to version 9.11.28
Fixes the following security issue:

- CVE-2020-8625: When tkey-gssapi-keytab or tkey-gssapi-credential was
  configured, a specially crafted GSS-TSIG query could cause a buffer
  overflow in the ISC implementation of SPNEGO (a protocol enabling
  negotiation of the security mechanism to use for GSSAPI authentication).
  This flaw could be exploited to crash named.  Theoretically, it also
  enabled remote code execution, but achieving the latter is very difficult
  in real-world conditions

For details, see the advisory:
https://kb.isc.org/docs/cve-2020-8625

In addition, 9.11.26-27 fixed a number of issues, see the release notes for
details:
https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html

Drop now upstreamed patches, update the GPG key for the 2021-2022 variant
and update the COPYRIGHT hash for a change of year:

-Copyright (C) 1996-2020  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2021  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-22 14:35:10 +01:00
Ryan Barnett
e41b170b32 package/fakeroot: fix glibc detection on patch for new wrappers
Commit f45925a951 added the patch:

0003-libfakeroot.c-add-wrappers-for-new-glibc-2.33-symbol.patch

which allowed fakeroot to be compiled with GLIBC 2.33 or above.
However, this introduces a bug for building with a non-GLIBC based
toolchain as a GLIBC macro - __GLIBC_PREREQ - is used on the same line
as the detection of GLIBC.

Fix this by backporting the fix to this incorrect macro from upstream
commit:

8090dffdad

CC: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-21 23:55:38 +01:00
Stefan Ott
048f772354 package/unbound: bump to version 1.13.1
This release contains a number of bug fixes. There is added support
for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID
option (RFC 5001). Unbound control has added commands to enable and
disable rpz processing. Reply callbacks have a start time passed to
them that can be used to calculate time, these are callbacks for
response processing. With the option serve-original-ttl the TTL served
in responses is the original, not counted down, value, for when in
front of authority service.

https://github.com/NLnetLabs/unbound/releases/tag/release-1.13.1

Signed-off-by: Stefan Ott <stefan@ott.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-21 08:55:37 +01:00
Peter Seiderer
f204e58740 package/irqbalance: fix irqbalance/irqbalance-ui socket communication
Add patch to fix irqbalance/irqbalance-ui socket communication by
fixing uint64_t printf format usage.

Fixes:

  $ irqbalance-ui
  Invalid data sent.  Unexpected token: (null)TYPE

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
  - do an actual backport as upstream applied the patch
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-21 08:49:20 +01:00
Scott Fan
6c5caa8f43 package/open62541: fix library version definition
Manually specified version must start with letter 'v',
otherwise, the generated version macro will be zero
in the <build_dir>/src_generated/open62541/config.h file:
  #define UA_OPEN62541_VER_MAJOR 0
  #define UA_OPEN62541_VER_MINOR 0
  #define UA_OPEN62541_VER_PATCH 0

Reference from the following link:
https://open62541.org/doc/current/building.html

Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-20 23:12:54 +01:00
Romain Naour
03c3fbd81c support/scripts/boot-qemu-image.py: properly catch timeout
As reported on IRC by sephthir, the gitlab test of the defconfig
qemu_sparc_ss10_defconfig doesn't error out while the system
is not working properly.

This is because we explicitly wait for the timeout as an expected
condition, but do not check for it. Indeed, pexpect.expect() returns
the index of the matching condition in the list of expected conditions,
but we just ignore the return code, so we are not able to differentiate
between a successful login (or prompt) from a timeout.

By default, pexpect.expect() raises the pexpect.TIMEOUT exception on a
timeout, and we are already prepared to catch and handle that exception.
But because pexpect.TIMEOUT is passed as an expected condition, the
exception is not raised.

Remove pexpect.TIMEOUT from the list of expected conditions, so that the
exception is properly raised again, and so that we can catch it.

The qemu_sparc_ss10_defconfig is already fixed by
4d16e6f532.

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-20 22:44:29 +01:00
Peter Seiderer
4a95f38f30 package/irqbalance: fix sysv startup script (add mkdir /run/irqbalance)
- add mkdir -p /run/irqbalance to sysv startup script needed to
  create socket /run/irqbalance/irqbalance<pid>.sock

Fixes:

  - Bug 13541 [1]

  daemon.warn /usr/sbin/irqbalance: Daemon couldn't be bound to the file-based socket.

[1] https://bugs.busybox.net/show_bug.cgi?id=13541

Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: only create in start case]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-20 18:36:39 +01:00
Peter Seiderer
60518c1d76 package/irqbalance: fix systemd startup script (add RuntimeDirectory)
- add RuntimeDirectory=irqbalance to create /run/irqbalance needed to
  create socket /run/irqbalance/irqbalance<pid>.sock

Fixes:

  - Bug 13541 [1]

  /usr/sbin/irqbalance[158]: Daemon couldn't be bound to the file-based socket.

[1] https://bugs.busybox.net/show_bug.cgi?id=13541

Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-20 18:36:28 +01:00
Scott Fan
d1054e851c DEVELOPERS: remove Scott Fan
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-20 17:48:10 +01:00
Thomas Petazzoni
ee8b680816 utils/scanpypi: use python3 explicitly
scanpypi is python3 compatible. In addition, it executes the setup.py
of Python modules to extract the relevant information. Since these are
more and more commonly using python3 constructs, using "python" to run
scanpypi causes problems on systems that have python2 installed as
python, when trying to parse setup.py scripts with python3 constructs.

Fixes part of #13516.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-20 17:42:46 +01:00
Jörg Krause
3590ebec28 package/taglib: drop config options to enable MP4/ASF support
Both options were removed in git commit dd846904cbc1ef3ee628d77f0c9df88ef8967816
back in year 2011.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
[yann.morin.1998@free.fr: drop the legacy handling]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-20 17:16:05 +01:00
Romain Naour
f826a944ae package/rust: disable ninja
Ninja has recently been enabled as the default build system to build
llvm fork for rust compiler [1]. But we can still use Make if
"ninja = false" is provided in config.toml.

Ninja support can be enabled by a following patch.

[1] 30b7dac745

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1019386205

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-20 17:02:51 +01:00
Bartosz Bilas
86fbba8b81 package/cegui: use plain assignment for first _CONF_OPTS
Commit 689b9c1a7c (package/cegui: disable xerces support) added
an unconditional assignment to _CONF_OPTS before all the conditional
ones, but used the append-assignment instead of the traditional plain
assignment.

Fix that by removing the append-assignment.

Use that opportunity to also move the first item of this multi-line
assignment, to its own line.

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr:
  - reference the exact commit that introduced the issue
  - also move the first item to its own line
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-19 22:46:29 +01:00
Peter Korsgaard
82abd78a01 package/python-django: security bump to version 3.0.13
Fixes the following security issue:

- CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

  Django contains a copy of urllib.parse.parse_qsl() which was added to
  backport some security fixes.  A further security fix has been issued
  recently such that parse_qsl() no longer allows using ; as a query
  parameter separator by default.  Django now includes this fix.  See
  bpo-42967 for further details.

For more details, see the advisory:
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-19 22:36:22 +01:00
Fabrice Fontaine
d71de4143d package/botan: fix build with -latomic
Static build with toolchains needing -latomic (e.g sparc) is broken
since version 2.17.0 and
88af81b889

Fixes:
 - http://autobuild.buildroot.org/results/5c03ee53a34a3cdb409cffcda76e5cc2c723778b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-19 22:33:45 +01:00
Fabrice Fontaine
452f9ca82f package/libselinux: fix build with musl 1.2.2
Fixes:
 - http://autobuild.buildroot.org/results/34b010e76d65cf1d79ef53207cbc00a86674e17a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-19 22:31:15 +01:00
John Keeping
a6aeee74d3 package/libusb: apply upstream patch to fix descriptor parsing
v1.0.24 of libusb has a bug in the Linux backend where it fails to
enumerate any device with more than one configuration.  Backport the
upstream patch which fixes this as otherwise libusb based applications
are unable to communicate with any devices advertising more than one
configuration.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-02-19 22:25:43 +01:00
Peter Korsgaard
d8447af9d8 docs/website: update for 2020.02.11
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 21:04:31 +01:00
Peter Korsgaard
947e9219bc Update for 2020.02.11
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 08e03785d3)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 21:00:07 +01:00
Peter Korsgaard
b284c1a4f3 docs/website: update for 2020.11.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 19:44:35 +01:00
Peter Korsgaard
ecbfbabcf7 Update for 2020.11.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 610e67b1fc)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 19:43:17 +01:00
Peter Korsgaard
21eb777551 Update for 2021.02-rc2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 17:50:51 +01:00
Fabrice Fontaine
91b39d039e package/perl-extutils-pkgconfig: set PATH to BR_PATH
Set PATH to BR_PATH to allow perl-extutils-pkgconfig to find pkg-config
binary

Fixes:
 - http://autobuild.buildroot.org/results/d87787fbf2a8cb9bbaa3b59d1e8004ad1459536a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 17:25:26 +01:00
Peter Korsgaard
4745a484a6 package/libopenssl: security bump to version 1.1.1j
Fixes the following security issues:

- CVE-2021-23841: Null pointer deref in X509_issuer_and_serial_hash()

  The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate.  However it fails to correctly
  handle any errors that may occur while parsing the issuer field (which
  might occur if the issuer field is maliciously constructed).  This may
  subsequently result in a NULL pointer deref and a crash leading to a
  potential denial of service attack.

  The function X509_issuer_and_serial_hash() is never directly called by
  OpenSSL itself so applications are only vulnerable if they use this
  function directly and they use it on certificates that may have been
  obtained from untrusted sources.

- CVE-2021-23839: Incorrect SSLv2 rollback protection

  OpenSSL 1.0.2 supports SSLv2.  If a client attempts to negotiate SSLv2
  with a server that is configured to support both SSLv2 and more recent SSL
  and TLS versions then a check is made for a version rollback attack when
  unpadding an RSA signature.  Clients that support SSL or TLS versions
  greater than SSLv2 are supposed to use a special form of padding.  A
  server that supports greater than SSLv2 is supposed to reject connection
  attempts from a client where this special form of padding is present,
  because this indicates that a version rollback has occurred (i.e.  both
  client and server support greater than SSLv2, and yet this is the version
  that is being requested).

  The implementation of this padding check inverted the logic so that the
  connection attempt is accepted if the padding is present, and rejected if
  it is absent.  This means that such a server will accept a connection if
  a version rollback attack has occurred.  Further the server will
  erroneously reject a connection if a normal SSLv2 connection attempt is
  made.

  OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable
  to this issue.  The underlying error is in the implementation of the
  RSA_padding_check_SSLv23() function.  This also affects the
  RSA_SSLV23_PADDING padding mode used by various other functions.  Although
  1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still
  exists, as does the RSA_SSLV23_PADDING padding mode.  Applications that
  directly call that function or use that padding mode will encounter this
  issue.  However since there is no support for the SSLv2 protocol in 1.1.1
  this is considered a bug and not a security issue in that version.

- CVE-2021-23840: Integer overflow in CipherUpdate

  Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may
  overflow the output length argument in some cases where the input length
  is close to the maximum permissible length for an integer on the platform.
  In such cases the return value from the function call will be 1
  (indicating success), but the output length value will be negative.  This
  could cause applications to behave incorrectly or crash.

For more details, see the advisory:
https://www.openssl.org/news/secadv/20210216.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 08:17:44 +01:00
Heiko Thiery
5b844d50d8 support/scripts/pkg-stats: add ignored_cves to json output
Add the list of <pkg>_IGNORE_CVES to the json output to show that we have a
known cause (available patch or the CVE is not valid for our package
configuration) that an affected CVE is not reported.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-02-16 23:15:06 +01:00
Thomas De Schampheleire
8efa82a41d package/openblas: fix detection of gfortran compiler
The compiler detection since openblas 0.3.8 added support for gcc 10, but
this broke detection of compilers created with crosstool-ng, or other
toolchains that have a package version containing a version like x.y.z where
at least one of x, y or z has more than one digit, for example
"Crosstool-NG 1.24.0".

See the reported issue for more details [1].

Backport the upstream patch that fixes it.

[1] https://github.com/xianyi/OpenBLAS/issues/3099

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-02-16 23:10:57 +01:00
Thomas De Schampheleire
6f29cdeee4 package/openblas: allow disabling multithreading
Buildroot would automatically enable multithreading in OpenBLAS if the
architecture supports it. However, one may want to avoid OpenBLAS creating
threads itself and configure single-threaded operation. To accommodate this
use case, add a config option for multithreading.

When multithreading is disabled but OpenBLAS functions are called in the
same application by multiple threads, then locking is mandatory. The
USE_LOCKING flag was added in version 0.3.7 with following release note:

    a new option USE_LOCKING was added to ensure thread safety when OpenBLAS
    itself is built without multithreading but will be called from multiple
    threads.

However, if one knows that OpenBLAS will only be called from single-threaded
applications, then passing USE_LOCKING is not necessary, so make it a config
option too.

When multithreading is enabled, locking is implicitly enabled inside
openblas, so only provide the locking option when multithreading is
disabled.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-02-16 23:10:57 +01:00
Fabrice Fontaine
7d73bc5216 package/flashrom: fix build on riscv
Retrieve an upstream patch to fix build with riscv as it fails to
retrieve architecture due to "Use sigaction with SA_RESTART instead"
being caught before riscv:

exec: export LC_ALL=C ; { /home/fabrice/buildroot/output/host/bin/riscv32-linux-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -E archtest.c 2>/dev/null | grep -v ^# | grep ' | cut -f 2 -d' ; }
Use sigaction with SA_RESTART instead
riscv

Fixes:
 - http://autobuild.buildroot.org/results/61ac6c9bfcd3bd9306aa49faf47b9f16e5abe846

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-02-16 23:02:37 +01:00
Fabrice Fontaine
7ecf22a2fe package/gdk-pixbuf: fix static build
Fix static build failure which is raised since the switch to
meson-package in commit a7b51ed301

Fixes:
 - http://autobuild.buildroot.org/results/6cd54c497f5d19342ec94ece713547b887e4c02d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: add link to upstream MR]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-02-16 23:01:10 +01:00
Peter Korsgaard
824473576e package/wpewebkit: bump version to 2.30.5
Bugfix release, fixing a number of issues:

- Fix RunLoop objects leaked in worker threads.
- Fix JavaScriptCore AArch64 LLInt build with JIT disabled.
- Use Internet Explorer quirk for Google Docs.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-16 21:51:28 +01:00
Peter Korsgaard
157dc4e3cf package/webkitgtk: security bump to version 2.30.5
Fixes the following security issue:

- CVE-2020-13558: Processing maliciously crafted web content may lead to
  arbitrary code execution.  Description: A use after free issue in the
  AudioSourceProviderGStreamer class was addressed with improved memory
  management

For more details, see the advisory:
https://webkitgtk.org/security/WSA-2021-0001.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-16 21:51:20 +01:00