Fixes CVE-2014-4617: The do_uncompress function in g10/compress.c in
GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent
attackers to cause a denial of service (infinite loop) via malformed
compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes runtime issues when built with gcc 4.9
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: note that readline is optional, drop trailing Config.in line]
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
According to the documentation:
"Header: The file starts with a header. It contains the module name,
preferably in lowercase, enclosed between separators made of 80 hashes."
This patch makes the appropriate changes.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a new patch to use pkg-config to detect openssl.
[Peter: fix minor typos in description]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- switch to BackPan in order to prevent build breakage
(like http://autobuild.buildroot.net/results/358/358f531f2db90b9bc3b1e4e2158c68d2bf6587fc/)
- add license file
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2014-0244 (Denial of service - CPU loop)
CVE-2014-3493 (Denial of service - Server crash/memory corruption)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2014-0244 (Denial of service - CPU loop)
CVE-2014-3493 (Denial of service - Server crash/memory corruption)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
- Add libtool versioning to the linker flags again. This was accidentially
removed in 0.4.20 but should not cause any problems on platforms other
than OS X (Sebastian Dröge)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit d3ccfa362b (avahi: run as avahi user/group instead of default)
changed avahi-autoipd to run as the avahi user, but forgot to update the
init script/systemd config to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tarball no longer available in .gz format. From the release notes:
- Fix list corruption when splitting code memory chunks, causing crashes
when allocating a lot of code memory and trying to free it later
(Tim-Philipp Müller)
- Add some extra checks for the number of variables used in ORC code to
prevent overflows and crashes in the compiler (Vincent Penquerc'h)
- Various compiler warnings, coverity warnings and static code analysis
fixes (Sebastian Dröge)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This helper was called when none of the sources or license
files were saved.
Now we handle license files separately from the sources,
this is no longer the case: they are only called when the
sources are not saved.
Rename the handler and change the warning message accordingly.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
As the legal-info infra only (rightfully) saves the tarballs of packages
that:
- we want to redistribute,
- and are not local,
- and are not overriden,
add a comment stating so.
This should clarify the code-block, which although trivial to read,
was not easy to interpret without thinking thouroughly about it.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Fabio Porcedda <fabio.porcedda@gmail.com>
Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Even if we do not save the sources for local or overridden packages because
it is too complex, we can still quite easily save the license files.
Also, having the license files is a very important part of complying with
the licenses.
Move the copy of license files out of the non-local, non-overridden package
case, but still in the case where packages have a _SOURCE defined, to
avoid catching packages bundled in Buildroot (eg. mkpasswd et al.)
Reported-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Fabio Porcedda <fabio.porcedda@gmail.com>
Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
Tested-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Currently, if a package is marked _REDISTRIBUTE = NO, then legal-info
will not try to extract it first.
If that package also declares some _LICENSE_FILES, legal-info fails
if it is the only action we're trying to run:
$ cat defconfig
BR2_arm=y
BR2_TOOLCHAIN_BUILDROOT_EGLIBC=y
BR2_PACKAGE_LIBFSLCODEC=y
$ make BR2_DEFCONFIG=$(pwd)/defconfig defconfig
$ make legal-info
[--SNIP--]
cat: /home/ymorin/dev/buildroot/O/build/libfslcodec-3.5.7-1.0.0/EULA: No such file or directory
Fix this by always having legal-info extract the archives if one or
more _LICENSE_FILES are specified.
We do this for all types of packages: overridden, local or 'normal'
remote packages. Even though we do not save the sources for the
overridden or local packages, we need to save their licensing info,
so we need to extract them.
This implies that we now need only PKG-source, not PKG-extract anymore,
as a dependency of legal-info for packages we want to save (ie.
redistributable, non-local and non-overriden packages.)
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Fabio Porcedda <fabio.porcedda@gmail.com>
Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
Tested-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas: slightly reformat the Config.in help text. Add the 'LICENSE'
file to GEOIP_LICENSE_FILES.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas: as noted by Arnout, remove trailing whitespace, and fix the
license to Artistic-2.0. Also, adjust the indentation in
package/Config.in to the new standard.]
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To be able to check the "dot" command availability in
"<pkg>-graph-depends" move the check to the "graph-depends-requirements" rule.
Also don't use a subshell for the exit command to be sure that the error
will be returned by the shell.
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>