When I initially made the CVE cells collapsible, I neglected to
count the unsure CVEs. This patch adds unsure CVEs to the cell collapsing
calculation to ensure that cells with lots of unsure CVEs actually get collapsed.
This patch also removes the "+ 1" from the cve_total calculation,
which fixes the cve_total being off-by-one.
I'm not sure *why* I did that in the first place.
demo:
https://sen-h.codeberg.page/pkg-stats-demos/@pages/add-unsure_cves-to-cve_total-calc.html
Signed-off-by: Sen Hastings <sen@hastings.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 87b8428c4017b220afe950aae3a673870698d986)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We got the following error with --enable-static:
checking whether to build static libraries... yes
configure: error: Static linking is not supported as it disables dlopen() and certain security features (e.g. RELRO, ASLR)
Fixes:
http://autobuild.buildroot.org/results/b55/b553898381ff0fdf5dd705fbb11b469b7564c6e6
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7b43e248180ad3b3dd1804687bc4457f29a88137)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
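The configure check quoted above refuses --enable-static because a statically linked, non-PIE executable gives up ASLR for its own image and carries no RELRO segment. As an added example (not part of this commit or the upstream package), the following script reads the ELF64 program headers and dynamic entries of a binary and reports whether it is dynamically linked, PIE, and how much RELRO it has. Since no real binary ships with this page, it also builds a constructed, non-executable ELF skeleton as sample input; the PIE and static-link heuristics (PT_INTERP presence, DF_1_PIE) are assumptions about how common toolchains emit these flags.

```python
"""Check an ELF64 binary for the hardening that static linking loses:
PIE (needed for ASLR of the executable image) and RELRO.

Added example, not Buildroot or upstream code. Little-endian ELF64 only."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def elf_hardening(data: bytes) -> dict:
    """Return static / PIE / RELRO facts for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        (p_type, _flags, p_offset, _vaddr, _paddr,
         p_filesz, _memsz, _align) = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_offset, p_filesz))
    types = {t for t, _, _ in phdrs}
    # Walk the dynamic section (if any) for BIND_NOW / PIE flags.
    dyn_flags = dyn_flags_1 = 0
    for t, off, size in phdrs:
        if t != PT_DYNAMIC:
            continue
        for j in range(0, size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off + j)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS:
                dyn_flags = d_val
            elif d_tag == DT_FLAGS_1:
                dyn_flags_1 = d_val
    # Heuristics (assumption): no PT_INTERP means no dynamic loader, i.e.
    # static; an ET_DYN image with an interpreter or DF_1_PIE is a PIE
    # executable rather than a shared library.
    static = PT_INTERP not in types
    pie = e_type == ET_DYN and (PT_INTERP in types or bool(dyn_flags_1 & DF_1_PIE))
    bind_now = bool(dyn_flags & DF_BIND_NOW or dyn_flags_1 & DF_1_NOW)
    if PT_GNU_RELRO not in types:
        relro = "none"          # nothing for the loader to re-protect
    elif bind_now:
        relro = "full"          # GOT resolved eagerly, then made read-only
    else:
        relro = "partial"       # lazy binding leaves the GOT writable
    missing = [n for n, ok in (("PIE", pie), ("full RELRO", relro == "full")) if not ok]
    return {"static": static, "pie": pie, "relro": relro, "missing": missing}


def build_sample_elf(*, pie=True, relro=True, bind_now=True, static=False) -> bytes:
    """Constructed sample input: an ELF64 skeleton (not runnable) carrying
    only the program headers and dynamic entries elf_hardening() reads."""
    phdrs, dynamic = [], b""
    if not static:
        flags = DF_BIND_NOW if bind_now else 0
        flags_1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)
        for tag, val in ((DT_FLAGS, flags), (DT_FLAGS_1, flags_1), (DT_NULL, 0)):
            dynamic += struct.pack("<qQ", tag, val)
        phdrs += [PT_INTERP, PT_DYNAMIC]
    if relro:
        phdrs.append(PT_GNU_RELRO)
    phoff, dyn_off = 64, 64 + 56 * len(phdrs)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # ELF64, LE, SysV
    hdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                       0, phoff, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b""
    for t in phdrs:
        size = len(dynamic) if t == PT_DYNAMIC else 0
        off = dyn_off if t == PT_DYNAMIC else 0
        body += struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, size, size, 8)
    return hdr + body + dynamic


if __name__ == "__main__":
    # Usage: python3 elf_hardening.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        print(elf_hardening(f.read()))
```

Run against a binary built with and without --enable-static and compare the "missing" list; a static, non-PIE build reports both PIE and full RELRO as missing, which is exactly what the configure script is guarding against.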
Security fixes:
- gzip: prevent a hang when processing a malformed gzip inside a gzip
(#2366, OSS-Fuzz)
- tar: don't crash on truncated tar archives (#2364, OSS-Fuzz)
- tar: fix two leaks in tar header parsing (#2377)
Important bugfixes:
- 7-zip: read/write symlink paths as UTF-8 (#2252)
- cpio: exit with an error code if an entry could not be extracted (#2371)
- rar5: report encrypted entries (#2096)
- tar: fix truncation of entry pathnames in specific archives (#2360)
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 55d0c9a9a6f89ed5c4d2e0d25cf499f180a99ee1)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The denx.de/wiki/U-Boot link now redirects to docs.u-boot.org/en/latest
Replace the link to the new location for the U-Boot documentation
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 164d9f0546372eb076506eebc8f88c6c4a544a36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Grab commit 778d326740f9893c398f959b419629935b613099 from upstream to
fix the build on mips64 and mips64el when the n32 ABI is used.
Fixes:
http://autobuild.buildroot.net/results/27123bf0ddc84599bceb02ac987327817d498659/
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 90167378de)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The 2023.2 version forgets to populate the iHT structure before accessing
it, leading to a segfault. Add a patch submitted upstream to fix that.
Notice that this is fixed in the 2024.1 version as there ReadBinaryFile()
now calls ReadHeaderTableDetails():
3a0f879c61 (diff-404aa20e03f1035b725ac1ea6e64c28477bb65c1663da67f64ffdb1a60552cee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add patch to fix build failure introduced in bump to version 8.10.0.
Fixes:
https://autobuild.buildroot.org/results/2d553687a32651f81813c82d7bbf9bb11fd3eca5/
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 16ce77ad7d3a05addc1962b455242199a93f3811)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For change log, see:
https://github.com/eclipse/mosquitto/blob/v2.0.19/ChangeLog.txt
The change log mentions 2 security-related fixes.
There is no allocated CVE.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bd127d0c3ffc57646f4908264728da4ea074241b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a test that runs the dtc commandline tools. To test devicetree
compilation, we use an example devicetree from the dtc project. The
example source is GPL-2.0+ licensed.
Signed-off-by: Brandon Maier <brandon.maier@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 9b690341602388b54c596c4510d770f58f4ad227)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
linux-pam 1.2.0 removed the use of yywrap, so the flex dependency is not
needed now (host-flex is still needed).
Fixes: #47
Signed-off-by: Damien Thébault <damien.thebault@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 600e273487baf76d4469bca43d42bd2c4b364db8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 86bb1b236 "boot/grub2: needs host-python3" [1] introduced a
dependency on host-python3.
Since grub does not have any specific requirements on host Python
modules, or recent host Python version, this commit replaces the
host-python3 dependency with BR2_PYTHON3_HOST_DEPENDENCY. This will
skip the host-python3 compilation if a sufficient version (3.4 or
greater at the time of this commit) is already present on host. This
will save build time.
This optimization was suggested by Peter, in [2].
Note 1: this commit was checked to ensure that grub is building with
Python 3.4.
Note 2: BR2_PYTHON3_HOST_DEPENDENCY was introduced in commit b60729784
"support/dependencies: add a check for python3" [3].
[1] 86bb1b2360
[2] https://lists.buildroot.org/pipermail/buildroot/2024-September/763967.html
[3] b60729784a
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a71fda371c1785f9e4364f05ab0a632e1946c53)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The previous repo is not available anymore.
Fixes:
https://autobuild.buildroot.org/results/8c8b073ce163131763fca978b400e596fcf39e62
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4e5fd24c8b7438672c475d0559200ff72c4b1cc7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3.7.5 fixed a number of security issues:
fix multiple vulnerabilities identified by SAST (#2251, #2256)
cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
lzop: prevent integer overflow (#2174)
rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
rar4: fix CVE-2024-26256 (#2269, CVE-2024-26256)
rar4: fix OOB in delta and audio filter (#2148, #2149)
rar4: fix out of boundary access with large files (#2179)
rar4: add boundary checks to rgb filter (#2210)
rar4: fix OOB access with unicode filenames (#2203)
rar5: clear 'data ready' cache on window buffer reallocs (#2265)
rpm: calculate huge header sizes correctly (#2158)
unzip: unify EOF handling (#2175)
util: fix out of boundary access in mktemp functions (#2160)
uu: stop processing if lines are too long (#2168)
And 3.7.6 fixed a tar regression introduced in 3.7.5
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab3c84e5e2391a7832f6baa2f20b28661f55dd2c)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Doctoring a defconfig is tedious, and it is not easy to update a
defconfig, as it requires manual copy-pasting, adding comments and so
on...
Instead, just require defconfigs to be generated with 'savedefconfig'.
Any details can/must be provided in the commit log.
Reported-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 17bdd10cb350e9c45926c2a5a05f278d104ee4c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2024-35235: Cupsd Listen arbitrary chmod 0140777
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
https://www.openwall.com/lists/oss-security/2024/06/11/1
Drop cups hash patches which are now upstream.
Rebase remaining patches.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8d835ffc524e2dab66ce1421240b9eb93c8f8f6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://www.python.org/downloads/release/python-31110/
Fixes CVE-2024-4032, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592,
CVE-2024-8088 and CVE-2023-27043.
The fixes for bundled libexpat are irrelevant for us because external expat
is used.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This version fixes out-of-bounds reads in the MLSD command, so upgrading is recommended.
It also improves compatibility with various systems.
Update the COPYING hash because of a change in copyright year
Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5271e90a6a2cc7633f3f917391865d2f9df54142)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also add a missing article one line above.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Arnout: fix additional typo]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 4390361bb517db2e9764b512304f3de41458c666)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream curl commit f057de5a1a950 ("libcurl.pc: add `Requires.private`,
`Requires` for static linking") deals with proper pkg-config
configuration since version 8.9.0.
Our local libcurl.pc modification we added back in commit 61d322c3d2
(package/cURL: fix static link whith openSSL) is no longer needed.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
[yann.morin.1998@free.fr: this is not a "revert", reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a5cef5339bd26f9d161d080d352d4adfe7627434)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2023-7256: Clean up sock_initaddress() and its callers to avoid
double frees in some cases.
CVE-2024-8006: Fix pcap_findalldevs_ex() not to crash if passed a
file:// URL with a path to a directory that cannot be opened.
Changelog: bbcbc9174d/CHANGES
Signed-off-by: Akhilesh Nema <nemaakhilesh@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0982498c6735a2d90b5540370d17e48c31c962bc)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>