During the CVE checking phase, we can still see a huge amount of
Python processes (actually 128) running on the host, even though
the CVE step is entirely ran in the main thread.
These are actually the worker processes spawned to check for the
packages URL statuses and the latest versions from release-monitoring.
This is because of an issue in Python's multiprocessing implementation:
https://bugs.python.org/issue34172
The problem was already there before the CVE matching step was
introduced, but because pkg-stat was terminating right after the
release-monitoring step, it went unnoticed.
Also, do not hold a reference to the multiprocessing pool from
the Package class, as this is not needed.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In Python 3, the functions from the subprocess module return bytes
(and no longer strings as in Python 2), which must be decoded for
further text operations.
Now, pkg-stats can be run in Python 3.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib
1.11.1 allows remote attackers to cause information disclosure
(heap-based buffer over-read) via a crafted audio file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In TagLib 1.11.1, the rebuildAggregateFrames function in
id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted audio file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixing a number of issues. From the CHANGES file:
- Fixed creating and updating of MultiDict from a sequence of pairs and
keyword arguments. Previously passing a list argument modified it
inplace, and other sequences caused an error.
https://github.com/aio-libs/multidict/issues/457
- Fixed comparing with mapping: an exception raised in the __len__ method caused raising a SyntaxError.
https://github.com/aio-libs/multidict/issues/459
- Fixed comparing with mapping: all exceptions raised in the __getitem__
method were silenced.
https://github.com/aio-libs/multidict/issues/460>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building qdoc requires a llvm and clang for the host.
However, there is a limitation in the llvm and clang packages in
Buildroot, which makes it impossible to have a host variant without
a target variant.
So, propagate the dependencies of the target llvm and clang, to ensure
we can only have a host-llvm and -clang packages that are correctly
built.
Note that we do propagate all of the dependencies (instead of just the
architecture part), to be consistent.
Reported-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Seiderer <ps.report@gmx.net>
Cc: Julien Corjon <corjon.j@ecagroup.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The patch added by [1] to fix a segfault with elf2flt when binutils
2.33.1 is used on ARM, introduce a regression with previous binutils
version on m68k and ARM.
Theses issues has been reported upstreme [2] [3].
For now, disable binutils >= 2.33.1 for configurations using
BR2_BINFMT_FLAT.
[1] 2b064f86b6
[2] https://github.com/uclinux-dev/elf2flt/pull/16
[3] https://github.com/uclinux-dev/elf2flt/issues/12
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mosquitto 1.6.9 is a bugfix release, see the announcement:
https://mosquitto.org/blog/2020/02/version-1-6-9-released/
Also update the indentation of the hash file to 2 spaces,
and add URL of the GPG signature in hash file comment.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes the following CVEs:
- CVE-2020-9428:
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
the EAP dissector could crash. This was addressed in
epan/dissectors/packet-eap.c by using more careful sscanf parsing.
- CVE-2020-9429:
In Wireshark 3.2.0 to 3.2.1, the WireGuard dissector could crash.
This was addressed in epan/dissectors/packet-wireguard.c by
handling the situation where a certain data structure intentionally
has a NULL value.
- CVE-2020-9430:
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
the WiMax DLMAP dissector could crash.
This was addressed in plugins/epan/wimax/msg_dlmap.c by validating
a length field.
- CVE-2020-9431:
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
the LTE RRC dissector could leak memory. This was addressed in
epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 48cc1a89ae (package/linux-firmware: bump to version 20200122)
forgot to account for an update in the copyright year for the AMD blobs,
as well as a global update to the WHENCE file (which lists all the
blobs and their licenses).
Fixes:
http://autobuild.buildroot.org/results/372abcf91592ef4a1231de6364b0848ff131e432/
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a
stack-based buffer over-read.
Same patch as for CVE-2017-14160
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- update 0001-*.patch to also reference CVE-2018-10393
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not
validate the number of channels, which allows remote attackers to cause
a denial of service (heap-based buffer overflow or over-read) or
possibly have unspecified other impact via a crafted file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and
Android, has a buffer overflow in the dev_map_read function in
btt/devmap.c because the device and devno arrays are too small, as
demonstrated by an invalid free when using the btt program with a
crafted file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
While investigating [1] one units failed due to missing kernel option
CONFIG_BINFMT_MISC needed by "proc-sys-fs-binfmt_misc.mount" service.
It's because the kernel support autofs4 but not MISC binaries.
Since the systemd test infra use the default defconfig (vexpress),
we need to provide a linux fragment to enable CONFIG_BINFMT_MISC.
[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr:
- move the kernel config with the others in conf/
]
Tested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read
has been detected in the pure_strcmp function in utils.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
listdir function in ls.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
different issue than CVE-2020-6851.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
OpenJPEG through 2.3.1 has a heap-based buffer overflow in
opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
opj_j2k_update_image_dimensions validation.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
In OpenJPEG 2.3.1, there is excessive iteration in the
opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could
leverage this vulnerability to cause a denial of service via a crafted
bmp file. This issue is similar to CVE-2018-6616.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
CVE-2019-16868 and CVE-2019-17073 are misclassified (by our CVE tracker)
as affecting emlog, while in fact it affects http://www.emlog.net.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
As of upstream commit 9cfefbd7fbdaa5ae769e3061c463f8345d146fb7
we must manually create symlinks as they are no longer present
in the archive but created at installation.
Fixes:
http://autobuild.buildroot.net/results/46fdacbe4064d72aaafa9f52741121d8e4fe64ab/
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libhttp/url.c in shellinabox through 2.20 has an implementation flaw in
the HTTP request parsing logic. By sending a crafted multipart/form-data
HTTP request, an attacker could exploit this to force shellinaboxd into
an infinite loop, exhausting available CPU resources and taking the
service down.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
An issue was discovered in Suricata 5.0.0. It is possible to
bypass/evade any tcp based signature by overlapping a TCP segment with a
fake FIN packet. The fake FIN packet is injected just before the PUSH
ACK packet we want to bypass. The PUSH ACK packet (containing the data)
will be ignored by Suricata because it overlaps the FIN packet (the
sequence and ack number are identical in the two packets). The client
will ignore the fake FIN packet because the ACK flag is not set. Both
linux and windows clients are ignoring the injected packet.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666
regardless of the configured umask, leading to disclosure of information
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
version 0.27.2, while in fact both commits that fixed this issue are
already in this version: bd0afe039043 and 54f0bebca032.
(From: https://security-tracker.debian.org/tracker/CVE-2019-13504)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
file can result in an infinite loop and hang, with high CPU consumption.
Remote attackers could leverage this vulnerability to cause a denial of
service via a crafted file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Add an upstream patch to fix CVE-2018-19876: cairo 1.16.0, in
cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a
free function incompatible with WebKit's fastMalloc, leading to an
application crash with a "free(): invalid pointer" error.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
xlib_libXrandr is an optional dependency since version 1.7.0 and
6ee9faeffc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory
in crwimage_int.cpp, because there is no validation of the relationship
of the total size to the offset and size.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Fix CVE-2019-15682: RDesktop version 1.8.4 contains multiple
out-of-bound access read vulnerabilities in its code, which results in
a denial of service (DoS) condition. This attack appear to be
exploitable via network connectivity. These issues have been fixed in
version 1.8.5
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
keymaps and save-keymaps require kbd_mode and dumpkeys, respectively, so
remove them if the kbd package is not selected (e.g. devices with serial
console, only).
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
- expand to three commands to match the existing hook
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This CVE does not affect the boost package, but is misclassified by our
CVS tracker. As per the advisory:
Unspecified vulnerability in Boost before 6.x-1.03, a module for
Drupal, allows remote attackers to create new webroot directories
via unknown attack vectors.
Ignore the CVS, and expand a comment to explain it.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: expand the comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
openrc provides scripts that have been written for the big-gun kmod, and
so use options unknown to the busybox' provided applets:
- Busybox modprobe does not have a "--first-time" option,
- the "--verbose" option is just "-v",
- the "--use-blacklist" option is just "-b". Also blacklist support is
not selected in our default busybox configuration.
One of two options, is to "fix" or "adapt" openrc's scripts to busybox,
which means for the openrc package to go peek into files from the
busybox package, which is not nice, and can't work because that is not
available by the time we scan our Makefiles.
The other option, which this patch implements, is to just add a
dependency onto kmod and its tools.
Reported-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In all steps, we print the message indicating the start of the step
using the MESSAGE macro before running pre-hooks. Except in the image
installation step, where the message is printed after the pre-hooks.
Let's fix this inconsistency.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
