lm-sensors is an optional dependency (enabled by default) since version
3.0.3 and
1b225cd7a0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop patches (already in version) and so autoreconf
- Update indentation in hash file (two spaces)
https://sourceforge.net/p/atftp/code/ci/v0.7.4/tree/Changelog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issue:
- CVE-2021-3177: Python 3.x through 3.9.1 has a buffer overflow in
PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
in certain Python applications that accept floating-point numbers as
untrusted input, as demonstrated by a 1e300 argument to
c_double.from_param. This occurs because sprintf is used unsafely.
For details, see the advisory:
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Rebased patches 1 and 4
- Dropped upstreamed patches 5 and 6
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[yann.morin.1998@free.fr:
- update patches 1-2 with actual backports, as noticed by Stefan
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix the following build failure on sparc64:
/home/giuliobenetti/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc64-buildroot-linux-gnu/9.3.0/../../../../sparc64-buildroot-linux-gnu/bin/ld: /tmp/ccylTux8.o: in function `find_kaslr_offsets':
/home/giuliobenetti/autobuild/run/instance-0/output-1/build/makedumpfile-1.6.8/makedumpfile.c:4017: undefined reference to `get_kaslr_offset'
Even if this build failure is only raised with version 1.6.8,
get_kaslr_offset was also undeclared on sparc64 in version 1.6.7
Fixes:
- http://autobuild.buildroot.org/results/1421f54f7599bba62c0a4bd5c65ce21c8cc7ee1a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixed the following security issue:
- CVE-2020-6097: An exploitable denial of service vulnerability exists in
the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1. A
specially crafted sequence of RRQ-Multicast requests trigger an assert()
call resulting in denial-of-service. An attacker can send a sequence of
malicious packets to trigger this vulnerability.
For more details, see the report:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issue:
- wpa_supplicant P2P group information processing vulnerability (no CVE yet)
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners. The actual
parsing of that information validates field lengths appropriately, but
processing of the parsed information misses a length check when storing a
copy of the secondary device types. This can result in writing attacker
controlled data into the peer entry after the area assigned for the
secondary device type. The overflow can result in corrupting pointers
for heap allocations. This can result in an attacker within radio range
of the device running P2P discovery being able to cause unexpected
behavior, including termination of the wpa_supplicant process and
potentially arbitrary code execution.
For more details, see the advisory:
https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: keep _PATCH near _VERSION and _SITE]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When a armv8 target is used in 32bits mode, xenomai fail to detect the
ARM architecture and abord the build. (__ARM_ARCH_7A__ is not defined
for armv8 cpus).
There are no autobuilder failures for this issue since cobalt is never
selected, but the following defconfig:
BR2_arm=y
BR2_cortex_a53=y
BR2_ARM_FPU_NEON_VFPV4=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_XENOMAI=y
BR2_PACKAGE_XENOMAI_COBALT=y
This was initialy reproduced using the raspberrypi3_defconfig with
Xenomai package with cobalt selected.
In order to use Xenomai on raspberrypi3 in 32 bits mode, one has to
select BR2_cortex_a7 instead of BR2_cortex_a53 (see a13a388dd4).
See:
https://gitlab.denx.de/Xenomai/xenomai/-/blob/v3.1/lib/cobalt/arch/arm/include/asm/xenomai/features.h#L52
Signed-off-by: Romain Naour <romain.naour@gmail.com>
[yann.morin.1998@free.fr:
- switch to independent conditional 'default y'
- slightly reword the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
There are no autobuilder failures for this issue, but the following
defconfig:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_XENOMAI=y
BR2_PACKAGE_XENOMAI_COBALT=y
See:
https://gitlab.denx.de/Xenomai/xenomai/-/blob/v3.1/lib/cobalt/arch/arm/include/asm/xenomai/features.h#L56
Signed-off-by: Romain Naour <romain.naour@gmail.com>
[yann.morin.1998@free.fr: fix the condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Instead of using an external toolchain built specifically for the
autobuilders to test RISC-V 64/musl, use a pre-built Bootlin
toolchain.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Instead of using an external toolchain built specifically for the
autobuilders to test RISC-V 64/glibc, use a pre-built Bootlin
toolchain.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This patch drops the local syslog.conf in favor of the one shipped with
sysklogd. The upstream syslog.conf sample differs from the Buildroot
one primarily in shifting to /var/log/syslog as the default for log
messages. It also comes with a dedicated /var/log/kern.log and some
commented-out filtering examples.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2020-11105: An issue was discovered in USC iLab cereal through
1.3.0. It employs caching of std::shared_ptr values, using the raw
pointer address as a unique identifier. This becomes problematic if an
std::shared_ptr variable goes out of scope and is freed, and a new
std::shared_ptr is allocated at the same address. Serialization fidelity
thereby becomes dependent upon memory layout. In short, serialized
std::shared_ptr variables cannot always be expected to serialize back
into their original values. This can have any number of consequences,
depending on the context within which this manifests.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump to the latest git commit as this will fix the following CVEs:
git log|grep CVE
sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
fft4g: bail if size too large (CVE-2019-8356)
fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
xa: validate channel count (CVE-2017-18189)
aiff: fix crash on empty comment chunk (CVE-2017-15642)
adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
flac: fix crash on corrupt metadata (CVE-2017-15371)
wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
wav: fix crash writing header when channel count >64k (CVE-2017-11359)
hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
wav: fix crash if channel count is zero (CVE-2017-11332)
- Tweak configuration options due to
6ff0e9322f
- libgsm is now an optional dependency since
e548827ffc
- Add patch to put back --disable-stack-protector
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop upstream patch.
Use the new mode=release switch, this should automatically
disable features deemed not ready for use.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
