Commit Graph

54655 Commits

Author SHA1 Message Date
Thomas Petazzoni
4f0837c29b DEVELOPERS: drop Rahul Jain, user no longer exists
<rahul.jain@imgtec.com>: host mxa-00376f01.gslb.pphosted.com[185.132.180.163]
    said: 550 5.1.1 User Unknown (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit be7be1a086)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 08:09:06 +01:00
Thomas Petazzoni
50d8628f9c DEVELOPERS: drop Guillaume Gardet, domain no longer exists
The oliseo.fr domain no longer responds to SMTP requests:

smtplib.SMTPRecipientsRefused: {'Guillaume Gardet <guillaume.gardet@oliseo.fr>': (550, b'5.1.2 <guillaume.gardet@oliseo.fr>: Recipient address rejected: Domain not found')}

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e79c34a521)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 08:08:59 +01:00
Jörg Krause
fd68d450f6 package/fakeroot: add upstream patches to fix glibc 2.33 compatibility
Glibc 2.33 removed `_STAT_VER`. On host machines which have updated to glibc
2.33, building host-fakeroot breaks:

```
In file included from communicate.h:20,
                 from libfakeroot.c:60:
libfakeroot.c: In function ‘chown’:
libfakeroot.c:99:40: error: ‘_STAT_VER’ undeclared (first use in this function)
   99 | #define INT_NEXT_STAT(a,b) NEXT_STAT64(_STAT_VER,a,b)
```

The issue has been discussed on some package maintainer threads, e.g.:
https://bugs.archlinux.org/task/69572
https://bugzilla.redhat.com/show_bug.cgi?id=1889862#c13

A patch series was prepared by Ilya Lipnitskiy which included two other
patches not related to the glibc 2.33 compatibility issue and submitted as
merge request for upstream:
https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg57280.html

Upstream accepted the merge request:
https://salsa.debian.org/clint/fakeroot/-/merge_requests/10

Note that this patch series only contains the necessary patches for glibc
2.33 compatibility.

Tested on my Arch Linux machine, building a UBIFS/OverlayFS-based root
filesystem for an i.MX6ULL target board.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Tested-by: Bartosz Bilas <b.bilas@grinn-global.com>
[Peter: drop patch numbering (PATCH x/y) as pointed out by check-package]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f45925a951)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 07:38:22 +01:00
Fabrice Fontaine
b22cdb3969 package/ne10: disable unit tests and examples
Unit tests fail to build with gcc 10 on:

[100%] Linking C executable NE10_dsp_unit_test_smoke
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-none-linux-gnu/10.2.1/../../../../aarch64-none-linux-gnu/bin/ld: CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_suite_fft_float32.c.o:(.bss+0x0): multiple definition of `seatest_simple_test_result'; CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_main.c.o:(.bss+0x0): first defined here

So just disable them and, while at it, also disable examples, which are
also enabled by default.

Fixes:
 - http://autobuild.buildroot.org/results/c658d52668825c26a15d6ac3ca538472cad5cd78

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c4bc257a09)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 07:36:57 +01:00
Michael Vetter
a818fa67bb package/jasper: security bump version to 2.0.25
Changes:

* Fix memory-related bugs in the JPEG-2000 codec resulting from
  attempting to decode invalid code streams. (#264, #265)
  This fix is associated with CVE-2021-26926 and CVE-2021-26927.
* Fix wrong return value under some compilers (#260)
* Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 72b801010c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 07:36:11 +01:00
Michael Vetter
56d75bd8fd package/jasper: Bump to 2.0.24
Changes:
* Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH for
  easier access to the JasPer version.
* Fixes stack overflow bug on Windows, where variable-length
  arrays are not available. (#256)

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a5c61d59b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 07:36:01 +01:00
Peter Seiderer
5de47cefff package/dnsmasq: bump version to 2.84
Bugfix release, fixing a regression introduced in 2.83.  For more details,
see the announcement:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014640.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8fcdd2023e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2dada92a30)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 07:34:55 +01:00
Fabrice Fontaine
88dca0b8fb package/wireshark: security bump to version 3.4.3
The following vulnerabilities have been fixed:
 - wnpa-sec-2021-01 USB HID dissector memory leak. Bug 17124.
   CVE-2021-22173.
 - wnpa-sec-2021-02 USB HID dissector crash. Bug 17165. CVE-2021-22174.

https://www.wireshark.org/docs/relnotes/wireshark-3.4.3.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 237df117c1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-17 07:31:24 +01:00
Peter Korsgaard
9863d41ab3 package/postgresql: security bump to version 12.6
Fixes the following security issue:

- CVE-2021-3393: Partition constraint violation errors leak values of denied columns

A user having an UPDATE privilege on a partitioned table but lacking the
SELECT privilege on some column may be able to acquire denied-column values
from an error message.  This is similar to CVE-2014-8161, but the conditions
to exploit are more rare.

For more details, see the announcement:
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/

Update the COPYRIGHT hash due to a copyright year bump:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c09f6882d6f78bde26fcc1e1a3da11c274de596a

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-15 15:00:42 +01:00
Peter Korsgaard
fd69a41be9 package/xterm: security bump to version 366
Fixes the following security issue:

CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a
denial of service (segmentation fault) or possibly have unspecified other
impact via a crafted UTF-8 character sequence.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fd6f7061ca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-14 17:52:45 +01:00
Bernd Kuhls
3c0c2d7c60 package/xterm: bump version to 363
Changelog: https://invisible-island.net/xterm/xterm.log.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 145e377a0a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-14 17:52:37 +01:00
Peter Korsgaard
952c3d364a package/subversion: security bump to version 1.14.1
Fixes the following security issue:

CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion
mod_authz_svn

Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile option
and a client sends a request for a non-existing repository URL.

For more details, see the advisory:
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4109401acd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-14 17:50:16 +01:00
Fabrice Fontaine
c7ae8b7e44 package/guile: link with libatomic if needed
Fix build of guile 3.0.4 with Bootlin SPARC uclibc toolchain added with
commit 1348c569d0

Fixes:
 - http://autobuild.buildroot.org/results/a72d8e14854f9c6c9632e856019a3eb8ec4818b6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 19dda90ae7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-14 17:48:48 +01:00
Bernd Kuhls
564f711733 package/kodi-inputstream-adaptive: update project URL
Reference: https://github.com/xbmc/repo-binary-addons/pull/143

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fd72673d91)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-14 17:43:53 +01:00
Peter Korsgaard
e1babab6e7 package/sox: use old-format tarball hash
Fixes:
http://autobuild.buildroot.net/results/8185a765ba246f51e8b24b5bf2058b25b9b0c05c/
http://autobuild.buildroot.net/results/50fdcb3cff40249c2656caf3eb627b2e68a76a87/

Commit 6406e08e4e (package/sox: security bump to latest git commit)
bumped the version of sox to a recent git hash, but added the tarball hash
using the new "br1" format, which has only been added post-2020.11.

Add the old-format hash to fix the build.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-14 16:27:22 +01:00
Peter Korsgaard
4aa20c27bc package/docker-cli: bump version to 19.03.15
Bugfix release, fixing the following issue:

- Check contexts before importing them to reduce risk of extracted files
  escaping context store

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-11 23:06:08 +01:00
Peter Korsgaard
301cba0ea2 package/docker-engine: security bump to version 19.03.15
Fixes the following security issues:

- CVE-2021-21285 Prevent an invalid image from crashing docker daemon
  https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8

- CVE-2021-21284 Lock down file permissions to prevent remapped root from
  accessing docker state
  https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-11 23:06:06 +01:00
Christian Stewart
a4b407d9e1 package/go: bump to version 1.15.8
go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package.

https://golang.org/doc/go1.15

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ccbbcca9b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-11 21:58:25 +01:00
Peter Korsgaard
d6f0a981f9 package/go: security bump to version 1.15.7
Fixes the following security issues:

- cmd/go: packages using cgo can cause arbitrary code execution at build time

  The go command may execute arbitrary code at build time when cgo is in use
  on Windows.  This may occur when running “go get”, or any other command
  that builds code.  Only users who build untrusted code (and don’t execute
  it) are affected.

  In addition to Windows users, this can also affect Unix users who have “.”
  listed explicitly in their PATH and are running “go get” or build commands
  outside of a module or with module mode disabled.

  Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

  This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

- crypto/elliptic: incorrect operations on the P-224 curve

  The P224() Curve implementation can in rare circumstances generate
  incorrect outputs, including returning invalid points from ScalarMult.

  The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
  support P-224 ECDSA keys, but they are not supported by publicly trusted
  certificate authorities.  No other standard library or golang.org/x/crypto
  package supports or uses the P-224 curve.

  The incorrect output was found by the elliptic-curve-differential-fuzzer
  project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

  This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0e1b5aa572)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-11 21:58:18 +01:00
Thomas Petazzoni
94aeb4712c utils/getdeveloperlib.py: reduce Cc: list based on package infras
When a developer has package/pkg-<infra>.mk assigned to him/her in the
DEVELOPERS file, this has 3 implications:

 (1) Patches adding new packages using this infrastructure are Cc'ed
     to this developer. This is done by the analyze_patch() function,
     which matches the regexp
     r"^\+\$\(eval \$\((host-)?([^-]*)-package\)\)$"
     in the patch, i.e. where an added line contains a reference to
     the infra maintained by the developer.

 (2) Patches touching the package/pkg-<infra>.mk file itself are Cc'ed
     to this developer.

 (3) Any patch touching a package using this infra are also Cc'ed to
     this developer.

Point (3) causes a significant amount of patches to be sent to
developers who have package/pkg-generic.mk and
package/pkg-autotools.mk assigned to them in the DEVELOPERS
file. Basically, all patches touching generic or autotools packages
get CC'ed to such developers, which causes a massive amount of patches
to be received.

So this patch adjusts the getdeveloperlib.py to drop point (3), but
preserves point (1) and (2). Indeed, it makes sense to be Cc'ed on new
package additions (to make a review that they use the package
infrastructure correctly), and it makes sense to be Cc'ed on patches
that touch the infrastructure code itself.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 38b0560f4e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-11 21:56:28 +01:00
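The following is an added illustration of the Cc: selection rules (1) and (2) described in the commit message above, with rule (3) deliberately left out; it is not Buildroot's getdeveloperlib.py. The regexp is the one quoted in the message; the DEVELOPERS-style mapping, the e-mail addresses, the file paths and the three patches are constructed for the example.

```python
"""Model of the infra-based Cc: rules: (1) a patch whose added lines
instantiate package/pkg-<infra>.mk, (2) a patch touching that file itself.
Added illustration, not Buildroot's code; all data below is constructed."""
import re

# The regexp quoted in the commit message: an added line such as
# "+$(eval $(autotools-package))"; group 2 is the infra name.
INFRA_RE = re.compile(r"^\+\$\(eval \$\((host-)?([^-]*)-package\)\)$")
# "+++ b/<path>" header of a git-style diff names the touched file.
DIFF_FILE_RE = re.compile(r"^\+\+\+ b/(.*)$")

# Constructed stand-in for the DEVELOPERS file: developer -> owned paths.
# A trailing "/" means the whole directory (assumption for this model).
DEVELOPERS = {
    "infra-dev@example.com": ["package/pkg-generic.mk", "package/pkg-autotools.mk"],
    "foo-dev@example.com": ["package/foo/"],
}


def infra_file(infra: str) -> str:
    """package/pkg-<infra>.mk, the file that owns an infra in DEVELOPERS."""
    return f"package/pkg-{infra}.mk"


def analyze_patch(patch: str):
    """Return (touched files, infras instantiated by *added* lines)."""
    files, infras = set(), set()
    for line in patch.splitlines():
        m = DIFF_FILE_RE.match(line)
        if m:
            files.add(m.group(1))
            continue
        m = INFRA_RE.match(line)
        if m:
            infras.add(m.group(2))
    return files, infras


def developers_to_cc(patch: str, developers=DEVELOPERS) -> set:
    files, infras = analyze_patch(patch)
    wanted_infra_files = {infra_file(i) for i in infras}
    cc = set()
    for dev, paths in developers.items():
        for path in paths:
            if path in wanted_infra_files:      # rule (1): new package on this infra
                cc.add(dev)
            elif path.endswith("/"):            # directory ownership
                if any(f.startswith(path) for f in files):
                    cc.add(dev)
            elif path in files:                 # rule (2): infra file itself touched
                cc.add(dev)
    # Rule (3), Cc'ing the infra owner for every patch that merely touches a
    # package using the infra, is intentionally not implemented.
    return cc


# Constructed patches (not real Buildroot changes).
NEW_PACKAGE_PATCH = """\
diff --git a/package/bar/bar.mk b/package/bar/bar.mk
new file mode 100644
--- /dev/null
+++ b/package/bar/bar.mk
@@ -0,0 +1,4 @@
+BAR_VERSION = 1.0
+BAR_SITE = https://example.com/bar
+
+$(eval $(autotools-package))
"""

EXISTING_PACKAGE_PATCH = """\
diff --git a/package/foo/foo.mk b/package/foo/foo.mk
--- a/package/foo/foo.mk
+++ b/package/foo/foo.mk
@@ -1,4 +1,4 @@
-FOO_VERSION = 1.0
+FOO_VERSION = 1.1
 FOO_SITE = https://example.com/foo
 
 $(eval $(autotools-package))
"""

INFRA_PATCH = """\
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -10,3 +10,4 @@
 # comment
+# another comment
"""

if __name__ == "__main__":
    for name, patch in [("new package", NEW_PACKAGE_PATCH),
                        ("existing package", EXISTING_PACKAGE_PATCH),
                        ("infra file", INFRA_PATCH)]:
        print(f"{name:17s} -> Cc: {sorted(developers_to_cc(patch))}")
```

The second patch is the case rule (3) used to cover: foo.mk already uses the autotools infra, but since the `$(eval ...)` line is unchanged context rather than an added line, only the package's own owner is Cc'ed.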
Peter Korsgaard
8f8159f950 package/intel-microcode: security bump to version 20201118
Fixes the following security issues:

- CVE-2020-8694: Insufficient access control in the Linux kernel driver for
  some Intel(R) Processors may allow an authenticated user to potentially
  enable information disclosure via local access.

  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html

- CVE-2020-8695: Observable discrepancy in the RAPL interface for some
  Intel(R) Processors may allow a privileged user to potentially enable
  information disclosure via local access.

  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html

- CVE-2020-8698: Improper removal of sensitive information before storage or
  transfer in some Intel(R) Processors may allow an authenticated user to
  potentially enable information disclosure via local access.

  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9974d88362)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 20:58:15 +01:00
Peter Korsgaard
3f52fe670b package/connman: add upstream security fixes for CVE-2021-2667{5, 6}
Fixes the following security issues:

- CVE-2021-26675: Remote (adjacent network) code execution flaw
- CVE-2021-26676: Remote stack information leak

For details, see the advisory:
https://www.openwall.com/lists/oss-security/2021/02/08/2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cf1dd7e007)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 20:55:43 +01:00
Baruch Siach
9b456d104e package/memtester: fix compile and link flags
The memtester build system does not use CFLAGS/LDFLAGS variables.
Everything should be written to conf-cc and conf-ld.

Use '%' as sed expression delimiter because comma might appear in
LDFLAGS.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 25e09fdb9e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 20:53:53 +01:00
Peter Korsgaard
fff18cb0fa package/mosquitto: bump version to 1.6.13
Includes a number of bugfixes.  For details, see the announcement:
https://mosquitto.org/blog/2021/02/version-2-0-7-released/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 20:51:24 +01:00
Bartosz Bilas
38b229167c package/rauc: bump version to 1.5.1
Removed patch applied upstream.

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f786969f2a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 20:34:29 +01:00
Bernd Kuhls
28cc928647 {linux, linux-headers}: bump 5.{4, 10}.x 4.{4, 9, 14, 19} series
Stick to 4.4.255 / 4.9.255 even though .256 is ready, as the wraparound of
the minor version may cause problems:

https://lkml.org/lkml/2021/2/5/747
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.256

https://lkml.org/lkml/2021/2/5/862
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.256

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Peter: stick to 4.{4,9}.255]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b2dad74686)
[Peter: drop 5.10.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 20:31:38 +01:00
Peter Korsgaard
c8273b48b9 package/python3: add upstream security fix for CVE-2021-3177
Fixes the following security issue:

- CVE-2021-3177: Python 3.x through 3.9.1 has a buffer overflow in
  PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
  in certain Python applications that accept floating-point numbers as
  untrusted input, as demonstrated by a 1e300 argument to
  c_double.from_param.  This occurs because sprintf is used unsafely.

For details, see the advisory:
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5405b29570)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 19:57:42 +01:00
Fabrice Fontaine
89898b6991 package/makedumpfile: fix build on sparc64
Fix the following build failure on sparc64:

/home/giuliobenetti/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc64-buildroot-linux-gnu/9.3.0/../../../../sparc64-buildroot-linux-gnu/bin/ld: /tmp/ccylTux8.o: in function `find_kaslr_offsets':
/home/giuliobenetti/autobuild/run/instance-0/output-1/build/makedumpfile-1.6.8/makedumpfile.c:4017: undefined reference to `get_kaslr_offset'

Even if this build failure is only raised with version 1.6.8,
get_kaslr_offset was also undeclared on sparc64 in version 1.6.7.

Fixes:
 - http://autobuild.buildroot.org/results/1421f54f7599bba62c0a4bd5c65ce21c8cc7ee1a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 28df31e8dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 19:56:54 +01:00
Peter Korsgaard
3a042904f1 package/atftp: add security fix for CVE-2020-6097
Fixed the following security issue:

- CVE-2020-6097: An exploitable denial of service vulnerability exists in
  the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1.  A
  specially crafted sequence of RRQ-Multicast requests trigger an assert()
  call resulting in denial-of-service.  An attacker can send a sequence of
  malicious packets to trigger this vulnerability.

For more details, see the report:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5b36e91fda)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 19:55:11 +01:00
Peter Korsgaard
ef12ec2f6c package/wpa_supplicant: add upstream 2020-2 security fix
Fixes the following security issue:

 - wpa_supplicant P2P group information processing vulnerability (no CVE yet)

   A vulnerability was discovered in how wpa_supplicant processes P2P
   (Wi-Fi Direct) group information from active group owners.  The actual
   parsing of that information validates field lengths appropriately, but
   processing of the parsed information misses a length check when storing a
   copy of the secondary device types.  This can result in writing attacker
   controlled data into the peer entry after the area assigned for the
   secondary device type.  The overflow can result in corrupting pointers
   for heap allocations.  This can result in an attacker within radio range
   of the device running P2P discovery being able to cause unexpected
   behavior, including termination of the wpa_supplicant process and
   potentially arbitrary code execution.

For more details, see the advisory:
https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: keep _PATCH near _VERSION and _SITE]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 74c854bd51)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 19:54:27 +01:00
Romain Naour
b74c28ab89 package/xenomai: disable cobalt for armv8
When an armv8 target is used in 32-bit mode, xenomai fails to detect the
ARM architecture and aborts the build (__ARM_ARCH_7A__ is not defined
for armv8 cpus).

There are no autobuilder failures for this issue since cobalt is never
selected, but the following defconfig:

BR2_arm=y
BR2_cortex_a53=y
BR2_ARM_FPU_NEON_VFPV4=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_XENOMAI=y
BR2_PACKAGE_XENOMAI_COBALT=y

This was initially reproduced using the raspberrypi3_defconfig with
Xenomai package with cobalt selected.

In order to use Xenomai on raspberrypi3 in 32-bit mode, one has to
select BR2_cortex_a7 instead of BR2_cortex_a53 (see a13a388dd4).

See:
https://gitlab.denx.de/Xenomai/xenomai/-/blob/v3.1/lib/cobalt/arch/arm/include/asm/xenomai/features.h#L52

Signed-off-by: Romain Naour <romain.naour@gmail.com>
[yann.morin.1998@free.fr:
  - switch to independent conditional 'default y'
  - slightly reword the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6490a11018)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 11:25:37 +01:00
Romain Naour
536f7a84a3 package/xenomai: smp support needs at least armv6
There are no autobuilder failures for this issue, but the following
defconfig:

BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_XENOMAI=y
BR2_PACKAGE_XENOMAI_COBALT=y

See:
https://gitlab.denx.de/Xenomai/xenomai/-/blob/v3.1/lib/cobalt/arch/arm/include/asm/xenomai/features.h#L56

Signed-off-by: Romain Naour <romain.naour@gmail.com>
[yann.morin.1998@free.fr: fix the condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit cb380c2e11)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 11:25:25 +01:00
Bernd Kuhls
9cf80c8aa0 package/php: security bump version to 7.4.15
Changelog: https://www.php.net/ChangeLog-7.php#7.4.15

Fixes CVE-2021-21702: http://bugs.php.net/80672

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c0ed274ffa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 10:11:23 +01:00
Fabrice Fontaine
b45271166a package/cereal: fix CVE-2020-11105
Fix CVE-2020-11105: An issue was discovered in USC iLab cereal through
1.3.0. It employs caching of std::shared_ptr values, using the raw
pointer address as a unique identifier. This becomes problematic if an
std::shared_ptr variable goes out of scope and is freed, and a new
std::shared_ptr is allocated at the same address. Serialization fidelity
thereby becomes dependent upon memory layout. In short, serialized
std::shared_ptr variables cannot always be expected to serialize back
into their original values. This can have any number of consequences,
depending on the context within which this manifests.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 26a46564f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 10:07:56 +01:00
Fabrice Fontaine
bc111b9598 package/sox: fix static build with id3tag
This build failure is raised since bump to
7524160b29a476f7e87bc14fddf12d349f9a3c5e

Fixes:
 - http://autobuild.buildroot.org/results/73efdacf237e3d567fa66f3b3f68e624f5e35bc7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 58fc4b5085)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 10:03:03 +01:00
Arnout Vandecappelle (Essensium/Mind)
bf4ad2f9a7 package/sox: remove EOL whitespace
Fixes https://gitlab.com/buildroot.org/buildroot/-/jobs/1010083301

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c7eefe19cc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 10:02:55 +01:00
Fabrice Fontaine
d4065deba8 package/sox: security bump to latest git commit
Bump to the latest git commit as this will fix the following CVEs:

git log|grep CVE
  sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
  fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
  fft4g: bail if size too large (CVE-2019-8356)
  fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
  fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
  xa: validate channel count (CVE-2017-18189)
  aiff: fix crash on empty comment chunk (CVE-2017-15642)
  adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
  flac: fix crash on corrupt metadata (CVE-2017-15371)
  wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
  wav: fix crash writing header when channel count >64k (CVE-2017-11359)
  hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
  wav: fix crash if channel count is zero (CVE-2017-11332)

- Tweak configuration options due to
  6ff0e9322f
- libgsm is now an optional dependency since
  e548827ffc
- Add patch to put back --disable-stack-protector

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6871f9d93)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 10:01:50 +01:00
Fabrice Fontaine
9af206254d package/sox: drop unrecognized options
ffmpeg has been dropped since version 14.4.2 (back in 2013) and
5ae4049727

--disable-gomp has also been removed since version 14.4.1 (back in 2012)
and
84eaacb54f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9829813427)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 10:00:47 +01:00
Peter Korsgaard
38cb4ec8b3 package/python-bottle: security bump to version 0.12.19
Fixes the following security issue:

CVE-2020-28473: The package bottle from 0 and before 0.12.19 are vulnerable
to Web Cache Poisoning by using a vector called parameter cloaking.  When
the attacker can separate query parameters using a semicolon (;), they can
cause a difference in the interpretation of the request between the proxy
(running with default configuration) and the server.  This can result in
malicious requests being cached as completely safe ones, as the proxy would
usually not see the semicolon as a separator, and therefore would not
include it in a cache key of an unkeyed parameter.

In addition, bottle 0.12.18 fixed a compatibility issue with python 3.8+:

https://github.com/bottlepy/bottle/issues/1181

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 14cc349d26)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-10 09:56:25 +01:00
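An added model of the parameter-cloaking problem described in the commit message above; it is not bottle's code and not any real proxy's implementation. It assumes a simplified caching proxy that splits the query string on `&` only and leaves a fixed set of tracking parameters out of its cache key, and it models the pre-0.12.19 server behaviour as "also split on `;`", which is what the CVE text describes. Paths, parameter names and queries are constructed.

```python
"""Parameter cloaking: a proxy and a server that split query strings on
different separators disagree about which parameters a request carries.
Added illustration; not bottle's code. The parsers and the cache-key policy
are simplified models (assumptions), not any real proxy's implementation."""
import re
from urllib.parse import unquote_plus


def split_query(query: str, separators: str) -> dict:
    """Parse a raw query string into {name: [values]}, splitting only on the
    characters in `separators`."""
    params: dict = {}
    for pair in re.split("[" + re.escape(separators) + "]", query):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def proxy_parse(query: str) -> dict:
    # Caching proxy: '&' is the only separator it knows (assumed default).
    return split_query(query, "&")


def legacy_server_parse(query: str) -> dict:
    # Behaviour the CVE text attributes to bottle before 0.12.19: ';' also
    # separates parameters.
    return split_query(query, "&;")


def fixed_server_parse(query: str) -> dict:
    # Server that agrees with the proxy: '&' only.
    return split_query(query, "&")


# Parameters the cache deliberately leaves out of its key (assumed policy,
# typical for tracking parameters).
UNKEYED = {"utm_source", "utm_campaign"}


def cache_key(path: str, params: dict) -> tuple:
    """Cache key: path plus every keyed parameter, sorted for stability."""
    keyed = sorted((k, tuple(v)) for k, v in params.items() if k not in UNKEYED)
    return (path, tuple(keyed))


def keyed_params_seen_by_server(query: str, server_parse) -> dict:
    """Parameters the server acts on that the cache is supposed to key on."""
    return {k: v for k, v in server_parse(query).items() if k not in UNKEYED}


def is_cloaked(path: str, query: str, server_parse) -> bool:
    """True when the proxy would store the response under the key of the
    plain resource while the server acts on additional keyed parameters,
    i.e. the attacker's response would be served to everyone else."""
    proxy_key = cache_key(path, proxy_parse(query))
    base_key = cache_key(path, {})
    return proxy_key == base_key and bool(keyed_params_seen_by_server(query, server_parse))


if __name__ == "__main__":
    evil = "utm_source=newsletter;q=attacker-controlled"
    print("proxy sees   :", proxy_parse(evil))
    print("legacy server:", legacy_server_parse(evil))
    print("cloaked on legacy server:", is_cloaked("/search", evil, legacy_server_parse))
    print("cloaked on fixed server :", is_cloaked("/search", evil, fixed_server_parse))
```

The attacker hides the real parameter behind an unkeyed one: the proxy sees a single `utm_source` value and keys the response as the plain `/search` page, while the legacy server sees a separate `q` and renders attacker-chosen content into that cached entry. Using `&` instead of `;` gives the proxy a different key and the attack fails, which is why the two sides agreeing on the separator closes the gap.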
Fabrice Fontaine
7f4a11e2f8 Revert "package/stress-ng: disable libbsd on static build"
This reverts commit f2d6c5ff90.

Now that libbsd can't be enabled for static builds, we can drop the
workaround specific to stress-ng.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 53213e762d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 17:56:08 +01:00
Fabrice Fontaine
d712141cc5 package/libbsd: needs dynamic library
Static linking with libbsd fails because of multiple definition of the
strlcpy symbol. uClibc optionally provides these symbols.

So add a dependency on dynamic library to avoid a build failure with a
zeromq-enabled bitcoin or with stress-ng.

Fixes:
 - http://autobuild.buildroot.org/results/ba87544d42ad5e77a27a7a504bc6336a06f6e291

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1edd0ac66a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 17:54:38 +01:00
Yann Sionneau
a8ee27108b package/libopenssl: fix issue when compiling with BR2_OPTIMIZE_G=y
For instance on risc-v 64 arch the build would otherwise fail because
of undefined ucontext_t because "-DOPENSSL_NO_ASYNC" would not propagate
through to CFLAGS in the Makefile.

Signed-off-by: Yann Sionneau <ysionneau@kalray.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a00b6354a2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 17:52:48 +01:00
Yann E. MORIN
31b3bf6200 package/pkg-meson.mk: fix ccache auto-detection avoidance
Commit f4a61d1ae2 (package/pkg-meson.mk avoid host ccache detection)
forced the host C and C++ compilers so that meson does not try to
autodetect ccache, and instead relies on what we provide.

However, this incorrectly used single-expansion of variables in a
package infra.

For traditional builds, this is OK, because the value does not change
across packages.

However, for builds with per-package directories, this value only refers
to the generic path, which will not exist until the end of the build when
all packages are aggregated in the host-finalize step.

Fix that by postponing the variable evaluation like all the others.

Reported-by: Xogium on IRC
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 548b8c5412)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 17:52:06 +01:00
Yann E. MORIN
f0157044f9 package/linux-headers: with headers from kernel, also override srcdir
When using the headers from the kernel to be built, with the kernel
set to a custom version, and overriding the kernel sources with
LINUX_OVERRIDE_SRCDIR, the linux-headers package is still trying to
download an archive, and fails to validate its hash.

What is going on under the hood is that, with _OVERRIDE_SRCDIR, the
_VERSION of a package is set to 'custom'. Furthermore, the variable
BR_NO_CHECK_HASH_FOR is recursively expanded, so its value is only
evaluated when it is needed.

For linux-headers, we inherit the values from the linux package, and
the LINUX_HEADERS_VERSION takes the value from the configuration.

Thus we end up with the following situation:

    LINUX_VERSION=custom
    LINUX_HEADERS_VERSION=5.10   # For example
    BR_NO_CHECK_HASH_FOR=... linux-custom.tar.gz ...

And thus the archive downloaded by linux-headers will not match any
exclusion, and since there will most probably not be a hash for it,
the download will fail, as was noticed and reported by Jarkko.

But in this case, what we really want is to really use the headers
from the kernel that we build, we do not even want to attempt a
download at all.

So, when using the headers from the kernel to be built, we also
propagate the LINUX_OVERRIDE_SRCDIR to linux-headers, so that we
also use the headers from the overridden sources.

Furthermore, in that configuration, we explicitly disallow
overriding the linux-headers specifically, as it does not make sense
(even though, if they were overridden to the same location, that'd
be OK, but to simplify the condition, we do not even check for that).

Reported-by: Jarkko Sakkinen <jjs@kapsi.fi>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit b9e7adc152)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 17:26:42 +01:00
Nicolas Cavallari
211a67b0cb package/dnsmasq: security bump to 2.83
From the announcement:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html

"There are broadly two sets of problems. The first is subtle errors in
dnsmasq's protections against the chronic weakness of the DNS protocol
to cache-poisoning attacks; the Birthday attack, Kaminsky, etc. [...]

[...] the second set of errors is a good old fashioned buffer overflow
in dnsmasq's DNSSEC code."

Fixes CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684,
      CVE-2020-25685, CVE-2020-25686 and CVE-2020-25687

Details: https://www.jsof-tech.com/disclosures/dnspooq

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5cd5d85cda)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 16:38:57 +01:00
Baruch Siach
4d390fc5dd package/dnsmasq: bump to version 2.82
Drop Makefile modification for pkg-config. Build time PATH ensures that
the Buildroot pkg-config is used.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 62257b3247)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 16:38:52 +01:00
Joeri Barbarien
7a7442c85c package/chartjs: security bump to 2.9.4
CVE-2020-7746 (https://nvd.nist.gov/vuln/detail/CVE-2020-7746)

    The options parameter is not properly sanitized when it is processed.
    When the options are processed, the existing options (or the defaults
    options) are deeply merged with provided options. However, during this
    operation, the keys of the object being set are not checked, leading to
    a prototype pollution.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a20a86d7f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 16:33:37 +01:00
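The prototype-pollution pattern described in the commit message above, as an added example that is not chartjs code and not part of this commit: a minimal recursive deep-merge that copies option keys without inspecting them, next to a hardened variant that refuses the prototype-reaching keys. The option names (`legend`, `display`, `position`), the `pollutedByExample` marker and the JSON payload are constructed for the example; the point is only that an untrusted options document containing an own `__proto__` key walks the unsafe merge into `Object.prototype`.

```javascript
// Added example, not chartjs code. Demonstrates how a deep merge of user
// options into defaults becomes prototype pollution (the CVE-2020-7746
// pattern) and how a key filter plus own-property checks prevents it.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: every enumerable key of `source` is merged, including an own
// "__proto__" key. target["__proto__"] resolves to Object.prototype, which
// is itself a plain object, so the recursion writes into it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeUnsafe(target[key], source[key]);
    } else if (isPlainObject(source[key])) {
      target[key] = mergeUnsafe({}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, iterate only
// own keys of `source`, and only descend into an existing own, plain-object
// property of `target` (never into an inherited one).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = mergeSafe(ownPlain ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge strategy against a constructed attacker-controlled options
// document and reports whether Object.prototype was polluted. The payload
// goes through JSON.parse on purpose: a JSON document (or any parsed
// config) yields an *own* "__proto__" property, whereas an object literal
// with that key would just set the prototype of the literal.
function pollutionCheck(mergeFn) {
  const defaults = { legend: { display: true, position: 'top' } };
  const payload = JSON.parse(
    '{"__proto__": {"pollutedByExample": true}, "legend": {"display": false}}'
  );
  const merged = mergeFn({}, defaults);   // copy defaults, as an options merge would
  mergeFn(merged, payload);               // apply the caller-supplied options
  const polluted = ({}).pollutedByExample === true; // a fresh object must not see it
  delete Object.prototype.pollutedByExample;        // clean up so later code is unaffected
  return { polluted, merged };
}

console.log('unsafe merge pollutes Object.prototype:', pollutionCheck(mergeUnsafe).polluted);
console.log('safe merge pollutes Object.prototype:  ', pollutionCheck(mergeSafe).polluted);
```

Both merges still honour the legitimate override (`legend.display` becomes `false` while `legend.position` keeps its default), so the functional behaviour is unchanged; only the walk into `Object.prototype` is closed off. Using `Object.create(null)` for the defaults object is a complementary measure, since a null-prototype target has no `__proto__` accessor to be reached through.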
Thomas De Schampheleire
810926dffe package/chartjs: move 'v' version prefix out of CHARTJS_VERSION
chartjs 2.9.3 has a security vulnerability (CVE-2020-7746) which is not
detected by the CVE scripts, presumably because our version variable starts
with a 'v'.

Move that 'v' prefix out of the version variable to fix that.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0244b11597)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-04 16:33:26 +01:00
Samuel Mendoza-Jonas
efca26a405 package/busybox: Fix check for IPv6 default route in udhcpc
The check for a default route is inverted, causing the script to wait
for the timeout even when a default IPv6 route is available. Fix this up
so that it exits early as expected.

Reported-by: Bhattiprolu RaviKumar <ravikumar.bhattiprolu@gmail.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 09ad6f392f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-03 20:29:45 +01:00
Peter Korsgaard
8f0312d967 package/wireguard-linux-compat: bump version to 1.0.20210124
Fixes a build issue with recent 4.14.x stable kernels.  For details, see the
announcement:

https://lists.zx2c4.com/pipermail/wireguard/2021-January/006349.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ff852b0de4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-03 20:27:53 +01:00