Fixes the following security issues:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo.
This may result in unexpected behavior when running a go program which
uses cgo.
This may occur when running an untrusted module which contains directories
with newline characters in their names. Modules which are retrieved using
the go command, i.e. via "go get", are not affected (modules retrieved
using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the
setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was
executed with standard I/O file descriptors closed, opening any files
could result in unexpected content being read/written with elevated
privileges. Similarly if a setuid/setgid program was terminated, either
via panic or signal, it could leak the contents of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when
running any other command which builds untrusted code. This can be
triggered by linker flags, specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues
https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
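
A common hardening idiom for the setuid/setgid issue described in the commit message above, as an added example (not code from the Go runtime or from Buildroot): before a privileged program opens any file, it occupies every closed standard descriptor with /dev/null, so a later open cannot be assigned fd 0, 1 or 2. The function names fdIsOpen, isPrivileged and fillStdFds are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// fdIsOpen reports whether fd is an open descriptor; fstat(2) fails with
// EBADF on a closed one.
func fdIsOpen(fd int) bool {
	var st syscall.Stat_t
	return syscall.Fstat(fd, &st) != syscall.EBADF
}

// isPrivileged reports whether real and effective IDs differ, which is the
// case when the process was started from a setuid or setgid binary.
func isPrivileged() bool {
	return syscall.Getuid() != syscall.Geteuid() ||
		syscall.Getgid() != syscall.Getegid()
}

// fillStdFds occupies every closed descriptor in 0..2 with /dev/null and
// returns the descriptors it had to fill. open(2) always returns the lowest
// free descriptor, so opening until the result is above 2 plugs every hole.
func fillStdFds() ([]int, error) {
	var filled []int
	for {
		fd, err := syscall.Open("/dev/null", syscall.O_RDWR, 0)
		if err != nil {
			return filled, err
		}
		if fd > 2 {
			return filled, syscall.Close(fd)
		}
		filled = append(filled, fd)
	}
}

func main() {
	// Must run before any other file is opened by the program.
	filled, err := fillStdFds()
	if err != nil {
		os.Exit(1) // refuse to continue with holes in 0..2
	}
	if len(filled) > 0 {
		fmt.Fprintf(os.Stderr, "std fds %v were closed at exec (privileged=%v)\n",
			filled, isPrivileged())
	}
	fmt.Println("stdin open:", fdIsOpen(0))
}
```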
This patch cleans up board/zynqmp shellcheck issues.
Signed-off-by: Neal Frager <neal.frager@amd.com>
[Peter: wrap long lines, use quotes around entire word]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch cleans up board/zynq shellcheck issues.
Signed-off-by: Neal Frager <neal.frager@amd.com>
[Peter: use ${} for variables, quotes around entire word]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The default kernel configuration for s390x enables a lot of
drivers by default so increase the image size to 120M.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4364600444
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Artefact (British) and Artifact (American) are both valid spellings
but ARTIFACTS_URL is used in the emulator code.
Surprisingly, the URL actually uses "artefacts"
http://autobuild.buildroot.net/artefacts
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes
(see https://github.com/redis/redis/blob/7.0/00-RELEASENOTES):
================================================================================
Redis 7.0.11 Released Mon Apr 17 16:00:00 IST 2023
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create
an invalid hash field that will crash Redis on access
...
================================================================================
Redis 7.0.10 Released Mon Mar 20 16:00:00 IST 2023
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service
...
================================================================================
Redis 7.0.9 Released Tue Feb 28 12:00:00 IST 2023
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD
commands can trigger an integer overflow, resulting in a runtime assertion
and termination of the Redis server process.
* (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially
crafted pattern to trigger a denial-of-service attack on Redis, causing it to
hang and consume 100% CPU time.
...
================================================================================
Redis 7.0.8 Released Mon Jan 16 12:00:00 IDT 2023
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO
commands can drive Redis to OOM panic
* (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER
commands can lead to denial-of-service
...
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
And restore support for MIPS64, which is supported by Lightning.
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump the package version to 2.41.0. For the release announcement and
notes, see [1].
Link: https://lore.kernel.org/git/xmqqleh3a3wm.fsf@gitster.g/ [1]
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
git-formatted patches due to the upstream repo using git:
http://git.tvdr.de/?p=vdr.git
Sent patches upstream and added Upstream: tags.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Pillow is a mandatory dependency since version 3.3.0.
Signed-off-by: Witold Lipieta <witold.lipieta@thaumatec.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
The commit f69c972ae6 (support/testing/tests/package/test_kexec.py:
new runtime test) was tested locally with a qemu version (>= 7.x) more
recent than the one available in our buildroot/base Docker image (5.2).
As a consequence, that test fails to run in gitlab-ci as reported by [1].
Remove "dtb-kaslr-seed=off" from the Qemu command line and pass
a custom devicetree to qemu virt machine. This devicetree is
based on qemu aarch64 5.2 dts with kaslr-seed set to 0.
The qemu aarch64 devicetree has been exported [2] and updated with the
following method:
    qemu-system-aarch64 -machine virt -machine dumpdtb=qemu-aarch64-virt-5.2-machine.dtb
    dtc -I dtb qemu-aarch64-virt-5.2-machine.dtb > qemu-aarch64-virt-5.2-machine.dts
    edit the dts and replace kaslr-seed parameter by "kaslr-seed = <0 0>;"
As soon as our buildroot/base Docker image is updated and a newer qemu version
is available, we can safely revert this change and use the initial method.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4322819092
[1] http://lists.busybox.net/pipermail/buildroot/2023-May/668091.html
[2] https://u-boot.readthedocs.io/en/latest/develop/devicetree/dt_qemu.html#obtaining-the-qemu-devicetree
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Signed-off-by: Julien Olivain <ju.o@free.fr>
Tested-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Fixes:
http://autobuild.buildroot.net/results/37e5075a5c790d5c96bdc72c44d4362a16ae00bb/
Commit b41ff7dd46 (package/sdl2_net: bump version to 2.2.0) forgot to
update the license hash / filename, breaking the build.
Upstream renamed COPYING.txt to LICENSE.txt, changed white space and updated
the copyright years, so update the hash to match:
diff -uw sdl2_net-2.0.1/COPYING.txt sdl2_net-2.2.0/LICENSE.txt
--- sdl2_net-2.0.1/COPYING.txt 2016-01-03 08:57:09.000000000 +0100
+++ sdl2_net-2.2.0/LICENSE.txt 2022-08-17 18:55:22.000000000 +0200
@@ -1,6 +1,4 @@
-/*
- SDL_net: An example cross-platform network library for use with SDL
- Copyright (C) 1997-2016 Sam Lantinga <slouken@libsdl.org>
+Copyright (C) 1997-2022 Sam Lantinga <slouken@libsdl.org>
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
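Review bot: the first hunk also removes the "SDL_net: An example cross-platform network library for use with SDL" title line and the opening "/*" comment marker, which the commit message's summary of the upstream change (rename, white space, copyright years) does not mention. Since the point of quoting the diff is to justify the new license hash, the message should list those removals too, so a reader can confirm every difference in the license file is accounted for.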
@@ -17,4 +15,4 @@
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
-*/
+
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The bump to 11.4.0 in commit f1e3d02cd4 missed
0001-or1k-Add-mcmodel-option-to-handle-large-GOTs.patch, so add it back
again to keep checkpackage happy.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported [1], the test TestIPythonPy3 fails since it was updated
to 8.6.0 release just after 2022.11.
    ModuleNotFoundError: No module named 'stack_data'
Indeed there is no such python3-stack-data in Buildroot.
For example, Fedora packaging added python3-stack-data while updating
to ipython 8.0.1.
With python-stack-data added, the test TestIPythonPy3 still fails
with:
    ModuleNotFoundError: No module named 'sqlite3'
Since ipython 8 sqlite3 fallback imports have been removed [2].
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4322819089
[1] http://lists.busybox.net/pipermail/buildroot/2023-May/668086.html
[2] 7a0bdabecf
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
'earlyoom --help' still says 'earlyoom 1.6' though it's already
version 1.7. '-DVERSION' flag value should be either unhardcoded
or updated with each package version bump.
Signed-off-by: Sergey Bobrenok <SIBobrenok@sberdevices.ru>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
'/etc/init.d/S02earlyoom start' simply prints 'OK' instead of
'Starting earlyoom: OK' because of a typo in the printf function call.
Signed-off-by: Sergey Bobrenok <SIBobrenok@sberdevices.ru>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
earlyoom.mk file explicitly sets 'PREFIX=/usr', and the init script
fails to start earlyoom because of a nonexistent executable path:
    # /etc/init.d/S02earlyoom start
    start-stop-daemon: unable to stat /bin/earlyoom (No such file or directory)
    FAIL
Signed-off-by: Sergey Bobrenok <SIBobrenok@sberdevices.ru>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>