Commit Graph

42 Commits

Author SHA1 Message Date
Gustavo Zacarias
ab61031a34 nss: security bump to version 3.23
Fixes:
CVE-2016-1950 - Fixed a heap-based buffer overflow related to the
parsing of certain ASN.1 structures. An attacker could create a
specially-crafted certificate which, when parsed by NSS, would cause a
crash or execution of arbitrary code with the permissions of the user.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-03-31 03:43:58 +02:00
Gustavo Zacarias
09f0b8c353 libnss: security bump to version 3.22.2
Fixes:
CVE-2016-1950 - heap-based buffer overflow related to the parsing of
certain ASN.1 structures. An attacker could create a specially-crafted
certificate which, when parsed by NSS, would cause a crash or execution
of arbitrary code with the permissions of the user.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-03-09 13:14:13 +01:00
Gustavo Zacarias
6b63783daf libnss: bump to version 4.22.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-02-24 22:14:44 +01:00
Gustavo Zacarias
b8fb4903fb libnss: add build workaround for older gcc versions
nss uses some #pragma directives that require newish (>= 4.6) versions
of gcc, so disable Werror when building with older versions to keep the
build from breaking unfairly.
However make this a gcc >= 4.8 conditional since the kludge is called so
(NSS_NO_GCC48) and other bits might depend upon it.

Upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1226179

Fixes:
http://autobuild.buildroot.net/results/ebd/ebd0647eb1eef41a7fb6e5f5bab18d4d12168661/

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-01-22 10:10:34 +01:00
Gustavo Zacarias
c0e48bb721 libnss: bump to version 3.21
Disable gtests since they require C++ support.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-11-21 09:30:37 +01:00
Gustavo Zacarias
513908ba8f libnss: bump to version 3.20
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-03 15:14:32 +02:00
Gustavo Zacarias
6d52d92319 libnss: security bump to version 3.19.2
Fixes:
CVE-2015-2730, CVE-2015-2721, and probably others.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-18 11:33:29 +02:00
Gustavo Zacarias
f4716f79a0 packages: remove (non-)lfs dependencies and tweaks
Now that largefile is mandatory, remove package dependencies and
conditionals.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-01 22:47:22 +02:00
Gustavo Zacarias
cc6be50e07 libnss: bump to version 3.17.4
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-02-17 14:03:08 +01:00
Peter Korsgaard
298cd8eaa2 package/*: rename patches according to the new policy
Autogenerated from rename-patch.py (http://patchwork.ozlabs.org/patch/403345)

Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-02-03 14:52:56 +01:00
Jerzy Grzegorek
27dd32942e package: indentation cleanup
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-12-30 11:17:03 +01:00
Gustavo Zacarias
6efc256a77 libnss: security bump to version 3.17.3
Fixes CVE-2014-1569 - The definite_length_decoder function in
lib/util/quickder.c in Mozilla Network Security Services (NSS) before
3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding
of an ASN.1 length is properly formed, which allows remote attackers to
conduct data-smuggling attacks by using a long byte sequence for an
encoding.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-12-16 23:48:32 +01:00
Thomas Petazzoni
665e13c85e Rename BR2_PREFER_STATIC_LIB to BR2_STATIC_LIBS
For a while now, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.

As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjusts the Config.in option accordingly.

This also helps prepare the addition of other options to select
shared, shared+static or just static.

Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
2014-12-11 22:48:13 +01:00
Samuel Martin
40a53388ea package/libnss: need dynamic library support
Fixes:
  http://autobuild.buildroot.net/results/e01733c4b8c23f62e2081f0c4aadc16e22c4a2c4/

Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-12-07 21:21:53 +01:00
Jerzy Grzegorek
e800531761 package: indentation cleanup
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-02 23:27:01 +01:00
Gustavo Zacarias
e5ca8de85e libnss: bump to version 3.17.2
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-10-14 17:27:46 +02:00
Gustavo Zacarias
0901d9049e libnss: security bump to version 3.17.1
Fixes CVE-2014-1568 RSA signature forgery attack.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-09-25 21:41:07 +02:00
Gustavo Zacarias
90dcbfc4be libnss: bump to version 3.17
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-09-11 22:45:46 +02:00
Gustavo Zacarias
4acf096333 libnss: bump to version 3.16.3
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-08 07:42:57 +02:00
Baruch Siach
ea7bb05c7b libnss: don't use target CFLAGS with host toolchain
The OPTIMIZER variable is used to construct CFLAGS for host toolchain.
This breaks the build since we set it to TARGET_CFLAGS, and these may not be
supported by host toolchain. Augment the cross-compile patch to handle
OPTIMIZER so that we can initialize it to TARGET_OPTIMIZER, and override it
when used with host toolchain.

Fixes:
http://autobuild.buildroot.net/results/3f1/3f1afc1b58cb6fe53c438b55f169e2a78238806d/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-01 12:57:02 +02:00
Gustavo Zacarias
286cbaf328 libnss: security bump to version 3.16.1
Fixes:

CVE-2014-1492 - The cert_TestHostName function in lib/certdb/certdb.c in
the certificate-checking implementation in Mozilla Network Security
Services (NSS) before 3.16 accepts a wildcard character that is embedded
in an internationalized domain name's U-label, which might allow
man-in-the-middle attackers to spoof SSL servers via a crafted
certificate.

CVE-2014-1491 - Mozilla Network Security Services (NSS) before 3.15.4,
as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3,
Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does
not properly restrict public values in Diffie-Hellman key exchanges,
which makes it easier for remote attackers to bypass cryptographic
protection mechanisms in ticket handling by leveraging use of a certain
value.

CVE-2014-1490 - Race condition in libssl in Mozilla Network Security
Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0,
Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before
2.24, and other products, allows remote attackers to cause a denial of
service (use-after-free) or possibly have unspecified other impact via
vectors involving a resumption handshake that triggers incorrect
replacement of a session ticket.

CVE-2013-1740 - The ssl_Do1stHandshake function in sslsecur.c in libssl
in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS
False Start feature is enabled, allows man-in-the-middle attackers to
spoof SSL servers by using an arbitrary X.509 certificate during certain
handshake traffic.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-06-18 23:58:25 +02:00
Vicente Olivert Riera
89e8b2437c libnss: Enable for MIPS64 n32 platforms
After talking with upstream we concluded that MIPS64 n32 is treated as a
32-bit architecture by libnss because it has 32-bit pointers, so
USE_64=1 should not be set in that case.

Upstream bug:
   https://bugzilla.mozilla.org/show_bug.cgi?id=1010730

WRT:
   http://git.buildroot.net/buildroot/commit/?id=73e6ae0fe6a69f88183ae33401f2314088b5f799

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-05-26 22:12:52 +02:00
Vicente Olivert Riera
73e6ae0fe6 libnss: Disable for MIPS64 n32 platforms
This package fails to compile for MIPS64 n32 platforms. We are in
conversations with upstream to fix this problem. Meanwhile we disable
this package until we fix it.

Fixes:
   http://autobuild.buildroot.net/results/0e3/0e3f1482d6f2f9bddc53d4e78b575120a2729e1d/

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-05-16 21:19:18 +02:00
Jerzy Grzegorek
c4cc84afc6 package: unification of use $(subst [._-], [._-], $(<PKG>_VERSION)) macro
Currently, there are five packages which use 'subst' macro to change their version.

* Three of them (ebtables, icu, perl) use this macro "in place" :

   EBTABLES_SITE = http://downloads.sourceforge.net/project/ebtables/ebtables/ebtables-$(subst .,-,$(EBTABLES_VERSION))

   ICU_SOURCE = icu4c-$(subst .,_,$(ICU_VERSION))-src.tgz

   PERL_CROSS_OLD_POD = perl$(subst .,,$(PERL_CROSS_BASE_VERSION))delta.pod
   PERL_CROSS_NEW_POD = perl$(subst .,,$(PERL_VERSION))delta.pod

* Two of them (boost, libnss) use an additional variable :

   BOOST_FILE_VERSION = $(subst .,_,$(BOOST_VERSION))
   BOOST_SOURCE = boost_$(BOOST_FILE_VERSION).tar.bz2

   LIBNSS_SITE_VERSION = $(subst .,_,$(LIBNSS_VERSION))
   LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(LIBNSS_SITE_VERSION)_RTM/src

* Additionally two packages (duma, rings) don't use it at all :

   DUMA_VERSION = 2_5_15
   DUMA_SITE = http://downloads.sourceforge.net/project/duma/duma/2.5.15

   RINGS_VERSION_MAJOR = 1.3.0
   RINGS_SUBDIR  = rings-v_1_3_0

This commit makes changes to use 'subst' macro "in place", in all of them.

Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-01-14 14:54:31 +01:00
Jerzy Grzegorek
3033bc0c6e package: remove the empty trailing line(s)
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-01-04 10:39:29 +01:00
Thomas De Schampheleire
3d86d29bf0 packages: remove package clean commands
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-12-08 19:42:34 +01:00
Chris Zankel
354cab0ee8 libnspr: Add dependency on !BR2_xtensa and !BR2_bfin
Xtensa is not yet supported in libnspr. Also add dependencies to libnss,
which requires libnspr, and ecryptfs-utils, which requires libnss.

Fixes (xtensa)
http://autobuild.buildroot.net/results/14b/14ba6426edbffa100de924aa69157b3f59368ff2/

Fixes (blackfin)
http://autobuild.buildroot.net/results/dd3/dd353703ed94cec48cd126d80cd2f1b039811be4/

[baruch: fix summary, add autobuild reference, add comment dependency,
 add blackfin]

Signed-off-by: Chris Zankel <chris@zankel.net>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-11-28 23:29:47 +01:00
Gustavo Zacarias
51b3db5eaa libnss: security bump to version 3.14.5
Fixes CVE-2013-5605.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-11-27 13:56:28 +01:00
Thomas De Schampheleire
be084204eb Config.in files: add missing dependencies to toolchain option comments
When a package A depends on config option B and toolchain option C, then
the comment that is given when C is not fulfilled should also depend on B.
For example:

config BR2_PACKAGE_A
	depends on BR2_B
	depends on BR2_LARGEFILE
	depends on BR2_WCHAR

comment "A needs a toolchain w/ largefile, wchar"
	depends on !BR2_LARGEFILE || !BR2_WCHAR

This comment should actually be:

comment "A needs a toolchain w/ largefile, wchar"
	depends on BR2_B
	depends on !BR2_LARGEFILE || !BR2_WCHAR

or if possible (typically when B is a package config option declared in that
same Config.in file):

if BR2_B

comment "A needs a toolchain w/ largefile, wchar"
	depends on !BR2_LARGEFILE || !BR2_WCHAR

[other config options depending on B]

endif

Otherwise, the comment would be visible even though the other dependencies
are not met.

This patch adds such missing dependencies, and changes existing such
dependencies from
  depends on BR2_BASE_DEP && !BR2_TOOLCHAIN_USES_GLIBC
to
  depends on BR2_BASE_DEP
  depends on !BR2_TOOLCHAIN_USES_GLIBC
so that (positive) base dependencies are separate from the (negative)
toolchain dependencies. This strategy makes it easier to write such comments
(because one can simply copy the base dependency from the actual package
config option), but also avoids complex and long boolean expressions.

Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
 (untested)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-11-10 23:59:57 +01:00
Thomas De Schampheleire
66bb10b7b0 Config.in files: unify comments of toolchain option dependencies
This patch lines up the comments in Config.in files that clarify which
toolchain options the package depends on.

Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-10-14 22:45:57 +02:00
Mischa Jonker
d1a16db85d libnspr: Add dependency on !BR2_arc
ARC is not supported yet in libnspr.

v2: Propagate to ecryptfs-utils as well

Signed-off-by: Mischa Jonker <mjonker@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2013-07-31 18:03:26 +02:00
Alexandre Belloni
8dfd59d114 Normalize separator size to 80
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-06-06 22:30:24 +02:00
Peter Korsgaard
1ba51d2fbd Merge branch 'next'
2013-06-02 16:33:05 +02:00
Gustavo Zacarias
9d63d3dc36 libnss: bump to version 3.14.3
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-05-26 22:13:11 +02:00
Gustavo Zacarias
13cdffe529 libnss/libnspr: unavailable comment should be OR and not AND
Otherwise the comment would only show up when both conditions are true
instead of any of them.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-05-12 09:23:25 +02:00
Gustavo Zacarias
8b827859f9 libnss: fix build failures
Such as
http://autobuild.buildroot.net/results/2ca1d135269a67201e6b4d995ce8fbe94db1ed3f

The mozilla build system passes all of the different ways of CFLAGS
(OPTIMIZER, XCFLAGS, OS_CFLAGS) even when building host tools
(nsinstall).
The best way around this without patching libnss is just building the
host tools first without any CFLAGS and then going on with the rest.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2012-12-16 10:01:19 +01:00
Thomas Petazzoni
a0767d84b0 libnspr: requires thread support in toolchain
Fixes

 http://autobuild.buildroot.org/results/58e0784e2289a60fa51589d2ce0a7a8ffe40f07e/build-end.log

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2012-09-18 21:30:22 +02:00
Yann E. MORIN
d59cd114d6 package/libnss: also install a pkg-config file
Some packages use pkg-config to check for libnss.

Add our own .pc file (vampirised from Debian).

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2012-08-24 23:40:28 +02:00
Arnout Vandecappelle (Essensium/Mind)
adbe85c752 libnss: fix 64-bit build
On some architectures (found on x86_64, but probably others too),
libnss builds with -m32 unless it is configured for 64-bit build.  So
force 64-bit build on 64-bit architectures.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2012-07-17 23:52:22 +02:00
Arnout Vandecappelle (Essensium/Mind)
e1502ebc0c all packages: rename XXXTARGETS to xxx-package
Also remove the redundant $(call ...).

This is a purely mechanical change, performed with
find package linux toolchain boot -name \*.mk | \
  xargs sed -i -e 's/$(eval $(call GENTARGETS))/$(eval $(generic-package))/' \
               -e 's/$(eval $(call AUTOTARGETS))/$(eval $(autotools-package))/' \
               -e 's/$(eval $(call CMAKETARGETS))/$(eval $(cmake-package))/'

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2012-07-17 20:23:05 +02:00
Thomas Petazzoni
0849e8193e package: remove useless arguments from GENTARGETS
Thanks to the pkgparentdir and pkgname functions, we can rewrite the
GENTARGETS macro in a way that avoids the need for each package to
repeat its name and the directory in which it is present.

[Peter: pkgdir->pkgparentdir]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2011-09-29 23:09:58 +02:00
Will Newton
2016db44e8 package: add libnss
NSS is the Network Security Services library developed as part of
the Mozilla project. It provides similar functions to OpenSSL but
allows MPL, GPL and LGPL licensing.

[Peter: fix target install]
Signed-off-by: Will Newton <will.newton@imgtec.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2011-07-11 00:44:00 +02:00