Commit Graph

44656 Commits

Author SHA1 Message Date
Peter Korsgaard
6bdad8417d utils/getdeveloperlib.py: print warnings/errors to stderr
Instead of stdout where it gets mixed with the normal output, confusing
software parsing the output (E.G. get-developers -e as git sendemail.ccCmd).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 83f82bd67a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:48:36 +02:00
Peter Korsgaard
17e2e102dc package/tpm2-tools: drop unused dbus / libglib2 dependencies
tpm2-tools does not need dbus or libglib2, so remove them and the
corresponding toolchain dependencies.

The confusion may have come from the upstream travis configuration, which
also builds tpm2-abrmd (which uses dbus+libglib2).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f63a58c350)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:48:29 +02:00
Peter Korsgaard
c0b8ab6dae package/tpm2-tools: bump version to 3.1.4
Fixes a number of issues discovered post-3.1.3, including a completely
broken -T option handling.  For details, see:
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.1.4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b7a36629d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:47:22 +02:00
Peter Korsgaard
0050961283 package/tpm2-tss: bump version to 2.1.2
Fixes a number of issues discovered post-2.1.1. For details, see:
https://github.com/tpm2-software/tpm2-tss/releases/tag/2.1.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2c47079d38)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:47:03 +02:00
Peter Korsgaard
2fc6b8ad5f package/webkitgtk: bump version to 2.22.7
2.22.7 contains a number of bugfixes. From the announcement:

 - Fix rendering of glyphs in Hebrew (and possibly other languages) when
   Unicode NFC normalization is used.

 - Fix several crashes and race conditions.

https://webkitgtk.org/2019/03/01/webkitgtk2.22.7-released.html

Change SITE to https as the webserver uses HSTS.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d484ba63b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:45:59 +02:00
Peter Korsgaard
78c2b9252b package/libfuse: bump version to 2.9.9
Contains a number of fixes for issues discovered post-2.9.8.  From the
release notes:

- Fixed readdir bug when non-zero offsets are given to filler and the
  filesystem client, after reading a whole directory, re-reads it from a
  non-zero offset e.g.  by calling seekdir followed by readdir.

https://github.com/libfuse/libfuse/releases/tag/fuse-2.9.9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b6d842fea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:33:02 +02:00
Peter Korsgaard
d09d5a8411 package/libfuse: only install udev rules if (e)udev is enabled
No point in installing udev rules if nothing will use it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4cba22bbfa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:32:46 +02:00
Norbert Lange
4c5958664e package/libfuse: Install udev rules and set permissions
This fixes some omissions from the installation.

Install the udev rules.

Tell buildroot about the fuse device.

Apply setuid permissions on the fusermount tool.

Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ea62ff85b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:32:39 +02:00
Peter Korsgaard
ef4aa12229 package/go: security bump to version 1.11.6
Fixes the following security vulnerability:

CVE-2019-9741: An issue was discovered in net/http in Go 1.11.5.  CRLF
injection is possible if the attacker controls a url parameter, as
demonstrated by the second argument to http.NewRequest with \r\n followed by
an HTTP header or a Redis command.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 21:56:19 +02:00
Peter Korsgaard
d54047a1e0 package/wget: security bump to version 1.20.2
From NEWS:

* Changes in Wget 1.20.2
** Fixed a buffer overflow vulnerability

For more details, see the announcement:
https://lists.gnu.org/archive/html/info-gnu/2019-04/msg00000.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c21d440c8a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:43:49 +02:00
Peter Korsgaard
9f1a21a29c package/apache: security bump to version 2.4.39
Fixes the following security vulnerabilities:

  *) SECURITY: CVE-2019-0197 (cve.mitre.org)
     mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
     host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
     request from http/1.1 to http/2 that was not the first request on a
     connection could lead to a misconfiguration and crash. Servers that
     never enabled the h2 protocol or only enabled it for https: and
     did not set "H2Upgrade on" are unaffected by this issue.
     [Stefan Eissing]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparision when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0211 (cve.mitre.org)
     MPMs unix: Fix a local priviledge escalation vulnerability by not
     maintaining each child's listener bucket number in the scoreboard,
     preventing unprivileged code like scripts run by/on the server (e.g. via
     mod_php) from modifying it persistently to abuse the priviledged main
     process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparision when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0217 (cve.mitre.org)
     mod_auth_digest: Fix a race condition checking user credentials which
     could allow a user with valid credentials to impersonate another,
     under a threaded MPM.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]

  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
     mod_ssl: Fix access control bypass for per-location/per-dir client
     certificate verification in TLSv1.3.

  *) SECURITY: CVE-2019-0220 (cve.mitre.org)
     Merge consecutive slashes in URL's. Opt-out with
     `MergeSlashes OFF`. [Eric Covener]

For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.39

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 556ad6c25b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:43:16 +02:00
Max Filippov
5a40c0126c package/binutils: fix loops relaxation in xtensa gas
Loop relaxation logic in xtensa gas may produce code in which LEND
register doesn't match actual zero overhead loop end. Fix relaxation
code so that it produces a literal or a pair of const16 instructions
with associated relocation record that works correctly in the presence
of other relaxations. This fixes crash in X11 server caused by window
movement.

Loop relaxation has limited of 32K range, this fix removes this
limitation.

Fixes:
http://autobuild.buildroot.net/results/e05522ce540f4ac23f9a3a8fec724694d9a23101/

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 2.32 patch]
(cherry picked from commit 197b5f9d1c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:42:41 +02:00
Fabrice Fontaine
e0f8bcf2dc package/gerbera: fix static build with openssl
Fixes:
 - http://autobuild.buildroot.org/results/10098c8972725d54b717ddc8ea41f4de5e5b066d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 38730bfdf6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:41:31 +02:00
Nityananda Padhan
3b5cb1fd42 package/libxslt: change download site to http
ftp is blocked on some (corporate) networks.

Signed-off-by: Nityananda Padhan <ntneitin@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 58ea5f5835)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:40:39 +02:00
Nityananda Padhan
cf94425209 package/libxml2: change download site to http
ftp is blocked on some (corporate) networks.

Signed-off-by: Nityananda Padhan <ntneitin@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 16e5ec5475)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:40:32 +02:00
Fabrice Fontaine
f08d01ed05 package/tiff: security bump to version 4.0.10
- Drop patch (already in version)
- Add hash for license file
- Fix around 10 CVEs:
  https://www.cvedetails.com/vulnerability-list/vendor_id-2224/product_id-3881/version_id-216413/
- Add an upstream patch for CVE-2019-6128

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f0d4873b3c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:39:29 +02:00
Norbert Lange
7c4be8b34d package/pkg-generic: depend on host-{xz, lzip} only for fitting archives
Currently, host-xz and host-lzip are built as soon as the
corresponding tools are not provided by the system, independently of
whether they are really needed by the Buildroot configuration. This is
particularly annoying for host-lzip, which is only needed for very few
packages.

This commit modifies the generic package infrastructure to only add
host-lzip and host-xz as dependencies when really needed.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
[Thomas:
 - improve commit log
 - as suggested by Yann E. Morin, make the lzip case similar to the xz
   case]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 004960e967)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:38:18 +02:00
Arnout Vandecappelle (Essensium/Mind)
54d556c0b7 package/gstreamer1/gst-omx: make variant mutually exclusive
Commit cc41950950 added the GST_OMX_VARIANT option which gets a default
value that gets overridden by subsequent conditions. check-package
doesn't like that, so instead make the three cases explicitly mutually
exclusive.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5b217aad9c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:36:15 +02:00
Peter Korsgaard
5ac0076598 package/gstreamer1/gst-omx: default to pass --with-omx-target=generic
target defaults to none, which isn't a legal target:

configure: Using none as OpenMAX IL target
configure: error: invalid OpenMAX IL target, you must specify one of --with-omx-target={generic,rpi,bellagio,tizonia,zynqultrascaleplus}

Instead default to 'generic', fixing the build with E.G. nvidia-tegra23.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cc41950950)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:36:08 +02:00
Peter Korsgaard
200cacbf48 package/live555: security bump to version 2019.03.06
Fixes the following security issues:

- CVE-2019-6256: A Denial of Service issue was discovered in the LIVE555
  Streaming Media libraries as used in Live555 Media Server 0.93.  It can
  cause an RTSPServer crash in handleHTTPCmd_TunnelingPOST, when
  RTSP-over-HTTP tunneling is supported, via x-sessioncookie HTTP headers in
  a GET request and a POST request within the same TCP session.  This occurs
  because of a call to an incorrect virtual function pointer in the
  readSocket function in GroupsockHelper.cpp.

- CVE-2019-7314: liblivemedia in Live555 before 2019.02.03 mishandles the
  termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up,
  which could lead to a Use-After-Free error that causes the RTSP server to
  crash (Segmentation fault) or possibly have unspecified other impact.

- CVE-2019-9215: n Live555 before 2019.02.27, malformed headers lead to
  invalid memory access in the parseAuthorizationHeader function.

The normal live555 web site is temporarily unavailable, so use an
alternative _SITE / drop upstream hash.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ed30a85e5a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:33:18 +02:00
Fabrice Fontaine
bc0e0efac8 package/rpm: security bump to 4.14.2.1
- Remove first and second patches (already in version)
- Remove third and fourth patches (not needed since:
  245b5a3b4b)
- Add hash for license file
- Drop autoreconf (as configure.ac is not patched anymore)
- Use new --with-crypto option
- Restrict symlink following on installation (CVE-2017-7500,
  CVE-2017-7501)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b4cc264d9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:29:51 +02:00
Bernd Kuhls
9c51de0bd1 package/znc: security bump to version 1.7.3
Changelog: https://wiki.znc.in/ChangeLog/1.7.3

Fixes CVE-2019-9917:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9917
- ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial
  of Service (crash) via invalid encoding.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 601d9cced0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:26:38 +02:00
Fabrice Fontaine
b39d75838b package/thttpd: security bump to version 2.29
- Switch site to "real" upstream instead of debian as debian does not
  have latest version
- Drop patch (not needed anymore as getline was renamed in my_getline)
- Add hash for license file
- Fix CVE-2013-0348 and CVE-2017-17663

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 48e6230e5f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:26:15 +02:00
Peter Korsgaard
1e91555584 package/dovecot: security bump to version 2.3.5.1
Fixes the following security issue:

 * CVE-2019-7524: Missing input buffer size validation leads into
   arbitrary buffer overflow when reading fts or pop3 uidl header
   from Dovecot index. Exploiting this requires direct write access to
   the index files.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e3c53aa8a1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:25:55 +02:00
Bernd Kuhls
9793d90f71 package/dovecot-pigeonhole: bump version to 0.5.5
Release notes:
https://www.dovecot.org/list/dovecot-news/2019-March/000400.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7cb7e663a8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:25:49 +02:00
Bernd Kuhls
2c8821e87f package/dovecot: bump version to 2.3.5
Release notes:
https://www.dovecot.org/list/dovecot-news/2019-March/000399.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b404245d6f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:25:35 +02:00
Fabrice Fontaine
a8a3a2b40a package/haproxy: disable on nios2 and microblaze
Fixes:
 - http://autobuild.buildroot.org/results/4d7be00514f5276a9fd533adfdbc3d5183bb59ca
 - http://autobuild.buildroot.org/results/64706f96db793777de9d3ec63b0a47d776cf33fd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d439d4428f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:23:31 +02:00
Max Filippov
84a6ea6cb5 package/binutils: xtensa: fix shrink_dynamic_reloc_sections
This fixes the following build error caused by link-time relaxation
removing copies of literals that reference undefined weak symbols with
PLT entries created due to -rdynamic option passed to g++ link command:

  ld: BFD (GNU Binutils) 2.31.1 internal error, aborting at
  elf32-xtensa.c:3292 in elf_xtensa_finish_dynamic_sections

Fixes:
http://autobuild.buildroot.net/results/d41/d41aae8a448c316187f9fbde40f1d077182bb244/
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 2.32 patch]
(cherry picked from commit 881dae3a9c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:19:33 +02:00
Peter Korsgaard
863761ff3c Update for 2019.02.1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-29 23:52:57 +01:00
Peter Korsgaard
8d2bdda23f Makefile: release: really drop build/docs from release tarball
Commit 15cb98769e (release: remove manual build files from release
tarballs) tried to remove the temporary files from the manual build from the
release tarball, but manual-clean only removes build/docs/manual and leaves
build/docs in the tarball.

Instead use 'make clean' to completely remove the build directory from the
tarball.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c24faa81e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-29 23:20:32 +01:00
Peter Korsgaard
99298ec02d {linux, linux-headers}: bump 4.{4, 9, 14, 19, 20}.x / 5.0.x series
Notice: 4.20.x is now EOL.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 5.0.x bump]
(cherry picked from commit 198b4cff10)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-29 14:48:46 +01:00
Peter Korsgaard
1cf12ba631 package/glibc: bump version for additional post-2.28 security fixes
Fixes the following security vulnerabilities:

  CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
  32 bits of a 64-bit register with with non-zero upper 32 bit.  When it
  happened, accessing the 32-bit size_t value as the full 64-bit register
  in the assembly string/memory functions would cause a buffer overflow.
  Reported by H.J. Lu.

  CVE-2019-7309: x86-64 memcmp used signed Jcc instructions to check
  size.  For x86-64, memcmp on an object size larger than SSIZE_MAX
  has undefined behavior.  On x32, the size_t argument may be passed
  in the lower 32 bits of the 64-bit RDX register with non-zero upper
  32 bits.  When it happened with the sign bit of RDX register set,
  memcmp gave the wrong result since it treated the size argument as
  zero.  Reported by H.J. Lu.

  CVE-2016-10739: The getaddrinfo function could successfully parse IPv4
  addresses with arbitrary trailing characters, potentially leading to data
  or command injection issues in applications.

  CVE-2019-9169: Attempted case-insensitive regular-expression match
  via proceed_next_node in posix/regexec.c leads to heap-based buffer
  over-read.  Reported by Hongxu Chen.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-29 14:44:52 +01:00
Fabrice Fontaine
15633cddd3 package/rdesktop: security bump to version 1.8.4
- Switch site to github
- Remove second patch (already in version)
- Add hash for license file
- Fix memory corruption in process_bitmap_data - CVE-2018-8794
- Fix remote code execution in process_bitmap_data - CVE-2018-8795
- Fix remote code execution in process_plane - CVE-2018-8797
- Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175
- Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175
- Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176
- Fix Denial of Service in sec_recv - CVE-2018-20176
- Fix minor information leak in rdpdr_process - CVE-2018-8791
- Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792
- Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793
- Fix Denial of Service in process_bitmap_data - CVE-2018-8796
- Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798
- Fix Denial of Service in process_secondary_order - CVE-2018-8799
- Fix remote code execution in in ui_clip_handle_data - CVE-2018-8800
- Fix major information leak in ui_clip_handle_data - CVE-2018-20174
- Fix memory corruption in rdp_in_unistr - CVE-2018-20177
- Fix Denial of Service in process_demand_active - CVE-2018-20178
- Fix remote code execution in lspci_process - CVE-2018-20179
- Fix remote code execution in rdpsnddbg_process - CVE-2018-20180
- Fix remote code execution in seamless_process - CVE-2018-20181
- Fix remote code execution in seamless_process_line - CVE-2018-20182

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 992e84c49e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 11:16:53 +01:00
Fabrice Fontaine
18c18e572e package/pure-ftpd: add optional openldap dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4f67a6c7d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 11:15:25 +01:00
Peter Korsgaard
53711fdce9 package/libcurl: bump to version 7.64.1
Contains a number of fixes for issues discovered post-7.64.0.  For details,
see the list of changes:

https://curl.haxx.se/changes.html#7_64_1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 48da1bc9fd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 11:14:31 +01:00
Fabrice Fontaine
8d06dd1f55 package/wavemon: remove NPTL dependency
wavemon does not use pthread_mutexattr_setrobust since version 0.8.2 and
d271685e03

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8cefb9bb7f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 11:13:34 +01:00
Artem Senichev
d4b4a30139 package/kexec: enable powerpc64 platform
kexec has fully support of ppc64 platform:
https://www.kernel.org/doc/Documentation/kdump/kdump.txt
Added BR2_powerpc64 platform support.

Signed-off-by: Artem Senichev <artemsen@gmail.com>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7c0a3f8795)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 11:12:34 +01:00
Bernd Kuhls
b360fce5b0 package/clamav: security bump to version 0.101.2
Release notes:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html

- Fixes for the following vulnerabilities affecting 0.101.1 and prior:
  - CVE-2019-1787:
    An out-of-bounds heap read condition may occur when scanning PDF
    documents. The defect is a failure to correctly keep track of the number
    of bytes remaining in a buffer when indexing file data.
  - CVE-2019-1789:
    An out-of-bounds heap read condition may occur when scanning PE files
    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
    result of inadequate bound-checking.
  - CVE-2019-1788:
    An out-of-bounds heap write condition may occur when scanning OLE2 files
    such as Microsoft Office 97-2003 documents. The invalid write happens when
    an invalid pointer is mistakenly used to initialize a 32bit integer to
    zero. This is likely to crash the application.

- Fixes for the following vulnerabilities affecting 0.101.1 and 0.101.0 only:
  - CVE-2019-1786:
    An out-of-bounds heap read condition may occur when scanning malformed PDF
    documents as a result of improper bounds-checking.
  - CVE-2019-1785:
    A path-traversal write condition may occur as a result of improper input
    validation when scanning RAR archives. Issue reported by aCaB.
  - CVE-2019-1798:
    A use-after-free condition may occur as a result of improper error
    handling when scanning nested RAR archives. Issue reported by David L.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4037c0a397)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:53:59 +01:00
Fabrice Fontaine
ddf456af89 package/swupdate: fix static build without lua
The lua_swupdate.so library was still built (without any object files)
and linked against swupdate even when HAVE_LUA was not set. This fails
in some static-only configurations.

Fixes:
 - http://autobuild.buildroot.org/results/c11c4d26983e0347d96f3dda62e6d72b031967bb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit b251f50c8d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:51:16 +01:00
Peter Korsgaard
13724665e9 package/busybox: busybox.config: enable base64 applet
base64 reuses the uuencode logic, so only adds very little extra overhead,
is enabled by default upstream and is used more often than uuencode - So
enable it in the default busybox config.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 855a863ae9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:49:51 +01:00
Fabrice Fontaine
d6c086a50e package/git: use pkg-config to get ssl dependencies
On some architectures, atomic binutils are provided by the libatomic
library from gcc. Linking with libatomic is therefore necessary,
otherwise the build fails with:

/home/test/autobuild/run/instance-2/output/host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libssl.a(ssl_cert.o): In function `CRYPTO_DOWN_REF':
/home/test/autobuild/run/instance-2/output/build/libopenssl-1.1.1a/include/internal/refcount.h:50: undefined reference to `__atomic_fetch_sub_4'

This is often for example the case on sparcv8 32 bit.

To fix this issue, use pkg-config to retrieve openssl dependencies
including atomic library, these dependencies must be passed to
LIB_4_CRYPTO IN GIT_MAKE_OPTS

Fixes:
 - http://autobuild.buildroot.org/results/3093897d14a854a7252b25b2fa1f8fdcbb26c9b7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1ae9640a9f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:47:59 +01:00
Fabrice Fontaine
2f44db5554 package/fetchmail: fix shared build
Update second patch to fix shared build

Fixes:
 - http://autobuild.buildroot.org/results/c27b9c82e68ade29b45dc84ecce5fe6653fbb7da

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3dc3b4c279)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:37:13 +01:00
Fabrice Fontaine
6d5939af2c package/fetchmail: use pkg-config to find openssl
openssl can have multiples dependencies such as libatomic on sparcv8
32 bits so drop first patch and add a new patch to use pkg-config

Fixes:
 - http://autobuild.buildroot.org/results/58e5aa7c6ba8fe7474071d7a3cba6ed3a1b4cff4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3aa3a72b45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:37:05 +01:00
Fabrice Fontaine
55893e0cbe package/owfs: add optional libftdi dependency
ftdi support has been added in version 3.1p2 and
2982df8ca6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0d060f855f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:35:18 +01:00
Fabrice Fontaine
c4a74eae16 package/libftdi1: fix libftdi1-config
Add libftdi1-config to LIBFTDI1_CONFIG_SCRIPTS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7eea3ae224)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:35:10 +01:00
Fabrice Fontaine
6474c6a02f package/owfs: drop unneeded first patch
Patch is not needed since version 3.1p2 and
2982df8ca6
because localtime_r is now correctly checked

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ff75269b9a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:34:56 +01:00
Fabrice Fontaine
e5377e9545 package/gerbera: fix static build with ffmpeg
Fixes:
 - http://autobuild.buildroot.org/results/2b99fabd798db84a0fce26ad696c58e54c6ff626
 - http://autobuild.buildroot.org/results/95e410e5ab34c6d4626a58f97c0d2d5e6829a300

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8795cb2082)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:32:26 +01:00
Baruch Siach
5cfc8b4686 package/putty: fix build with uClibc
Add patches fixing a number of build issues with uClibc. The issue fixed
in patch #2 has been reported upstream. Patch #3 has been suggested by
upstream but not applied yet.

Drop the _SUBDIR assignment. The configure script moved to top level
directory since upstream commit a947c49bec3 from 2014. This allows
AUTORECONF to find configure.ac.

Fixes:
http://autobuild.buildroot.net/results/801/801e2b2909363b5dcd9735362bb921e017569edc/
http://autobuild.buildroot.net/results/398/3984c6cdd3398645c8ad98bbe23af9090cf4bfcf/
http://autobuild.buildroot.net/results/632/632f93046f9cceffd9b604911542426c10967e0f/

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 35b72be8fe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:24:50 +01:00
Baruch Siach
dc7e68c8dd package/putty: enable static build
Add upstream patch fixing build when NO_GSSAPI is defined which is the
case on static builds.

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a6f73f3d26)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:24:40 +01:00
Baruch Siach
709ae653f3 putty: security bump to version 0.71
CVE-2019-9894: A remotely triggerable memory overwrite in RSA key
exchange can occur before host key verification.

CVE-2019-9895: A remotely triggerable buffer overflow exists in any kind
of server-to-client forwarding.

CVE-2019-9897: Multiple denial-of-service attacks that can be triggered
by writing to the terminal.

CVE-2019-9898: Potential recycling of random numbers used in
cryptography.

Disable static build for now. When building statically configure defines
NO_GSSAPI. Build with NO_GSSAPI is currently broken. The issue has been
reported upstream.

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6f47c0a43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:24:19 +01:00