>From the release notes:
- Extend pow tables for layer III to properly handle files with i-stereo and
5-bit scalefactors. Never observed them for real, just as fuzzed input to
trigger the read overflow. Note: This one goes on record as CVE-2017-11126,
calling remote denial of service. While the accesses are out of bounds for
the pow tables, they still are safely within libmpg123's memory (other
static tables). Just wrong values are used for computation, no actual crash
unless you use something like GCC's AddressSanitizer, nor any information
disclosure.
- Avoid left-shifts of negative integers in layer I decoding.
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop CVE 2017-9868 patch as that is now upstream.
1.4.14 is a bugfix release, fixing significant websocket performance /
correctness issues.
Use HTTPS for the download as the server uses HSTS, thus saving a redirect.
While we're at it, add hashes for the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2017-7890 - Buffer over-read into uninitialized memory. The GIF
decoding function gdImageCreateFromGifCtx in gd_gif_in.c (which can be
reached with a call to the imagecreatefromstring() function) uses
constant-sized color tables of size 3 * 256, but does not zero-out these
arrays before use.
CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229 -
Out-of-bonds access in oniguruma regexp library.
CVE-2017-11144 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
7.1.7, the openssl extension PEM sealing code did not check the return value
of the OpenSSL sealing function, which could lead to a crash of the PHP
interpreter, related to an interpretation conflict for a negative number in
ext/openssl/openssl.c, and an OpenSSL documentation omission.
CVE-2017-11145 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
7.1.7, lack of a bounds check in the date extension's timelib_meridian
parsing code could be used by attackers able to supply date strings to leak
information from the interpreter, related to an ext/date/lib/parse_date.c
out-of-bounds read affecting the php_parse_date function.
CVE-2017-11146 - In PHP through 5.6.31, 7.x through 7.0.21, and 7.1.x
through 7.1.7, lack of bounds checks in the date extension's
timelib_meridian parsing code could be used by attackers able to supply date
strings to leak information from the interpreter, related to
ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date
function. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2017-11145.
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream patches fixing the following security issues:
CVE-2017-10971:
The endianess handling for X Events assumed a fixed size of X Event structures and
had a specific 32 byte stack buffer for that.
However "GenericEvents" can have any size, so if the events were sent in the wrong
endianess, this stack buffer could be overflowed easily.
So authenticated X users could overflow the stack in the X Server and with the X
server usually running as root gaining root prileveges.
CVE-2017-10972:
An information leak out of the X server due to an uninitialized stack area when swapping
event endianess.
For more details, see the advisory:
http://www.openwall.com/lists/oss-security/2017/07/06/6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tarballs of the releases are now again available:
https://www.spinics.net/lists/linux-i2c/msg30349.html
So change back to that instead of getting the source code from git.
While we're at it, add a hash for the license file.
[Peter: Also update Config.in homepage URL as pointed out by Baruch]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It can be interesting to get the overlay from a remote server, rather
than expect it to be present locally.
Since that file can be any URL, we can't know its hash, so we just
exclude it.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
[Thomas: use DL_DIR instead of BR2_DL_DIR.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
currently, specifying a custom Xtrensa core is done with two variables:
- the core name
- the directory containing the overlay tarball
However, the core name only serves to construct the tarball name, and is
not used whatsoever to configure any of the toolchain components
(binutils, gcc or gdb), except through the files that are overlayed in
their respective source trees.
This has two main drawbacks:
- the overlay file must be named after the core,
- the tarball can not be compressed.
Furthermore, it also makes it extremely complex to implement a download
of that tarball.
So, those two variables can be squeezed into a single variable, that is
the complete path of the overlay tarball.
Update the qemu-xtensa defconfig accordingly.
Note: we do not add a legacy entry for BR2_XTENSA_CORE_NAME, since it
was previously a blind option in the last release, and there's been no
release since we removed BR2_XTENSA_CUSTOM_NAME. So, we just update the
legacy comments for BR2_XTENSA_CUSTOM_NAME, since that's all the user
could have seen in any of our releases so far.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Libressl is a fork of openssl from OpenSSL in 2014. Its goal is to
modernize the OpenSSL codebase, improve security, and apply best
practice development processes.
Right now, libressl is API compatible with OpenSSL 1.0.1, but does not
yet include all new APIs from OpenSSL 1.0.2 and later.
Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the advisory:
https://irssi.org/security/irssi_sa_2017_07.txt
Two vulnerabilities have been located in Irssi.
(a) When receiving messages with invalid time stamps, Irssi would try
to dereference a NULL pointer. Found by Brian 'geeknik' Carpenter
of Geeknik Labs. (CWE-690)
CVE-2017-10965 [2] was assigned to this bug
(b) While updating the internal nick list, Irssi may incorrectly use
the GHashTable interface and free the nick while updating it. This
will then result in use-after-free conditions on each access of
the hash table. Found by Brian 'geeknik' Carpenter of Geeknik
Labs. (CWE-416 caused by CWE-227)
CVE-2017-10966 [3] was assigned to this bug
Impact
------
(a) May result in denial of service (remote crash).
(b) Undefined behaviour.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While building I noticed:
>>> host-ccache 3.3.4 Building
conf.c: In function 'conf_create':
conf.c:314:2: warning: too many arguments for format [-Wformat-extra-args]
conf->cache_dir = format("/home/peko/.buildroot-ccache", get_home_directory());
^
As host-ccache gets installed into $(HOST_DIR) and is part of the SDK,
hardcoding the build user homedir isn't really nice for the relocatable
SDK feature (or simply for a SDK used by multiple users).
As the warning shows, CCache replaces "%s" with the current user home
directory, so rewrite BR_CACHE_DIR to use this feature if it begins with
$HOME.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We no longer have automatic derivation of DEPENDENCIES for host
packages, so the comment that we don't want a host-busybox dependency
is no longer valid.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Passing the option --shebangdir=/usr/bin to the configuration script adds the
CPP definition EXECLINE_SHEBANGPREFIX to
execline-x.y.z/src/include/execline/config.h. It is used by `s6-rc-compile` from
the s6-rc package to set the path to the execline interpreter in the scripts it
generates.
So, when building the host variant of execline, this path will be used in the
target service scripts generated by the host variant of `s6-rc-compile`. If not
forced to /usr/bin, the location of the execline interpreter on the target, it
will default to $(HOST_DIR)/bin thus leading to non-working scripts on the
target.
So, restore this option for the host variant.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since mtd was converted to the package infrastructure in commit
de4cf4e913 ("mtd: convert to gentargets,
add host package"), its host variant depended on host-e2fsprogs. At
the time, only a host variant of the mtd package was available.
When a target variant of mtd was introduced in commit
b50e0fa113 ("mtd: add option to build
mkfs.ubifs for target"), it depended on util-linux.
So today, the target variant continues to depend on util-linux, while
the host variant depends on e2fsprogs. What mkfs.ubifs really needs
is libuuid, which is provided by util-linux. It was in fact provided
by the fact that host-e2fsprogs depends on host-util-linux.
But really, host-e2fsprogs is not needed as a dependency, so use
host-util-linux to be consistent with the target variant.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Building the MTD test programs requires the MS_DIRSYNC, which is not
necessarily available on old build machines. But obviously, MTD test
programs are not needed, so we can simply disable them, as they were
prior to the migration to mtd 2.0.
Fixes:
http://autobuild.buildroot.net/results/21e1ad2a4560b6d3ba6490d20ae064246e66d5c1/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Libgrcrypt is a direct dependency of WebKitGTK+, and as such it
should be selected.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas: add missing dependency on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This is needed for correctly building some CMake-based packages which
use this variable. For example, this is needed for WebKitGTK+ 2.16.x
to build correctly when an ARMv8 target is configured.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The needed functionality is already included into Python 3.6.x,
so these files can be now compiled without errors.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Changing setup type to setuptools avoids installing as zipped .egg
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since there is quite some duplication in the variables to be passed in
the make environment and as make options between the build and install
steps, this commit introduces LINUXPTP_MAKE_ENV and LINUXPTP_MAKE_OPTS
to avoid the duplication.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
incdefs.sh try to define some flags with user_flags() and kernel_flags()
functions. The later is looking at the kernel headers installed on the host
when KBUILD_OUTPUT is not set. If no kernel headers are installed on the host,
the grep fail and HAVE_ONESTEP_SYNC is not set on the command line:
see: grep: /usr/include/linux/net_tstamp.h: No such file or directory
So the missing.h define HWTSTAMP_TX_ONESTEP_SYNC which is also present in the
kernel headers installed in STAGING_DIR (toolchain w/ headers >= 3.2).
Indeed KBUILD_OUTPUT is empty because it's reset in the makefile, so move
KBUILD_OUTPUT in the enviroment while calling "make"/
Also set KBUILD_OUTPUT to STAGING_DIR to find net_tstamp.h.
While at it, use the same arguments for BUILD_CMDS and
INSTALL_TARGET_CMDS.
Thanks to Yann for the live review during the Buildroot summer camp.
Fixes:
http://autobuild.buildroot.net/results/364/36470db2c262d2e1fda5144a08cfe221831e093e
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Petr Kulhavy <brain@jikos.cz>
Cc: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Thanks to Yann for the live review during the Buildroot summer camp.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Petr Kulhavy <brain@jikos.cz>
Cc: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Change site to https to avoid a redirection.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The XVISOR_ARCH check added in commit
117fd5dfbc ("xvisor: fix build on
AArch64") broke Buildroot entirely on all architectures except ARM,
AArch64 and x86-64, because the $(error ...) test was not enclosed
inside a condition that made sure the xvisor package was enabled.
This commit fixes that, and allows Buildroot to be usable again on all
architectures.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Xvisor was failing to build on AArch64 with:
package/xvisor/xvisor.mk:60: *** No Xvisor defconfig name specified, check your BR2_PACKAGE_XVISOR_DEFCONFIG setting. Stop.
The first problem is that the Config.in file had a typo: it was using
BR2_AARCH64 instead of BR2_aarch64, and therefore the
BR2_PACKAGE_XVISOR_DEFCONFIG variable had no value.
Once this is fixed, another problem occurs: the ARCH variable needs to
be specified as "arm" for XVisor, for both ARM and AArch64. Therefore,
a XVISOR_ARCH variable is introduced, which is calculated according to
the Buildroot configuration options. Only x86-64, arm and aarch64 are
supported by Xvisor currently, so it remains simple.
Fixes:
http://autobuild.buildroot.net/results/1719a63ff257f13634a06a14327abfb327984101/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This simply updates to the latest stable release. WebKitGTK+ versions
in the 2.1x series avoid bumping the dependencies in order to allow
distributions to provide updates, therefore no new dependencies are
needed.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
