Commit Graph

50587 Commits

Author SHA1 Message Date
Titouan Christophe
28adf09b89 support/scripts/pkg-stats: clear multiprocessing pools after use
During the CVE checking phase, we can still see a huge amount of
Python processes (actually 128) running on the host, even though
the CVE step is entirely ran in the main thread.

These are actually the worker processes spawned to check for the
packages URL statuses and the latest versions from release-monitoring.
This is because of an issue in Python's multiprocessing implementation:
https://bugs.python.org/issue34172

The problem was already there before the CVE matching step was
introduced, but because pkg-stat was terminating right after the
release-monitoring step, it went unnoticed.

Also, do not hold a reference to the multiprocessing pool from
the Package class, as this is not needed.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-07 15:59:08 +01:00
Titouan Christophe
fb05ab2242 support/scripts/pkg-stats: decode subprocess output for python3
In Python 3, the functions from the subprocess module return bytes
(and no longer strings as in Python 2), which must be decoded for
further text operations.

Now, pkg-stats can be run in Python 3.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-07 15:59:04 +01:00
Thomas Petazzoni
1097c0427d support/scripts/pkg-stats: properly ignore CVEs in <pkg>_IGNORE_CVES
It seems like throughout the series that the CVE pkg-stats support
went through, the support for ignoring CVEs in the per-package
<pkg>_IGNORE_CVES variable was forgotten.

Let's re-introduce this, which is now very simple thanks to the CVE
class, its .identifier() propertly and the .is_cve_ignored() method of
the Package class

Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-07 15:58:41 +01:00
Peter Seiderer
3cbf70366f package/bcm2835: bump version to 1.62
Changelog (since 1.60):
  - 1.61 2020-01-11 Fixed errors in the documentation for bcm2835_spi_write.
    Fixes issue seen on Raspberry Pi 4 boards where 64-bit off_t is used by
    default via -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64. The offset was
    being incorrectly converted, this way is clearer and fixes the problem.
    Contributed by Jonathan Perkin.
  - 1.62 2020-01-12 Fixed a problem that could cause compile failures with
    size_t and off_t

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:39:52 +01:00
Mark Corbin
5fe6b78299 boot/opensbi: bump to version 0.6
Tested with qemu_riscv32_virt_defconfig and
qemu_riscv64_virt_defconfig using Buildroot host-qemu 4.2.0.

Signed-off-by: Mark Corbin <mark@dibsco.co.uk>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:36:31 +01:00
Peter Seiderer
d161108ba9 package/gstreamer1/gstreamer1: update tools comment
The tools option installs more than gst-launch and gst-inspect, so
simplify its prompt to just "install tools", and update the Config.in
help text. While at it, we list them alphabetically.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:35:33 +01:00
Peter Seiderer
a5d14dc131 package/gstreamer1/gst1-plugins-base: add tools option
Add tools option to disable building/installing of gst-discoverer,
gst-device-monitor and gst-play command line tools (similar to
BR2_PACKAGE_GSTREAMER1_INSTALL_TOOLS).

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:26:53 +01:00
Eugen Hristev
df49c9cb45 package/fswebcam: bump to latest version
Bump to latest git version.

Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:19:20 +01:00
Maeva Manuel
3ded657da1 configs/freescale_imx8qmmek: new defconfig
This patch documents the Buildroot support for the NXP i.MX8QM MEK board.

You will find a reference to the board on nxp.com:
https://www.nxp.com/design/development-boards/i.mx-evaluation-and-development-boards/i.mx-8quadmax-multisensory-enablement-kit-mek:MCIMX8QM-CPU

You can also find the get started guide here:
https://www.nxp.com/document/guide/get-started-with-the-i.mx-8quadmax-mek:GS-iMX-8QM-MEK

Signed-off-by: Maeva Manuel <maeva.manuel@oss.nxp.com>
Tested-by: Julien Olivain <julien.olivain@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:16:44 +01:00
Maeva Manuel
78995fb1d7 package/freescale-imx/firmware-imx: add support for i.MX8QM
Signed-off-by: Maeva Manuel <maeva.manuel@oss.nxp.com>
Tested-by: Julien Olivain <julien.olivain@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:12:29 +01:00
Peter Seiderer
157974248f package/libevdev: convert to meson
- drop legacy patch 0001-configure-add-disable-runtime-tests-option.patch
  and use -Dtests=disabled instead

- drop host-pkgconf dependency as pkgconf is only used in case tests
  are enabled to find the check package (checked via meson output -
  no 'Found pkg-config' - and via strace)

- update host-python dependency to host-python3 as the script
  libevdev/make-event-names.py which is used to generate the
  header file event-names.h is updated to python3:
  '#!/usr/bin/env python3'
  This made no difference with autotools build as the script
  was called with '$(PYTHON) libevdev/make-event-names.py'.

  We use BR2_PYTHON3_HOST_DEPENDENCY instead of depending on
  host-python3, to use any available Python 3.x interpreter on the
  build machine instead of building our own, if possible.

- add patch to fix tools compile with older toolchains adding
  the local include path (only the meson build is affected)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:09:24 +01:00
Peter Seiderer
ceeb3ff41e package/libevdev: bump version to 1.9.0
And update hash file formatting (2 spaces).

For details see [1] and [2].

[1] https://lists.freedesktop.org/archives/input-tools/2020-February/001529.html
[2] https://lists.freedesktop.org/archives/input-tools/2020-March/001530.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:08:25 +01:00
Peter Seiderer
672e2bf52e package/libevdev: add host-python dependency
Fixes:

  checking for a Python interpreter with version >= 2.6... none
  configure: error: no suitable Python interpreter found

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:08:14 +01:00
Peter Seiderer
93490c2583 package/libevdev: add host-python dependency
Fixes:

  checking for a Python interpreter with version >= 2.6... none
  configure: error: no suitable Python interpreter found

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:03:50 +01:00
Ryan Coe
486da6067d package/libite: bump version to 2.1.2
The hash for LICENSE has changed due to the copyright being updated and
the note about licensing types has been moved to the bottom.

The hash for chomp.c has been changed due to the copyright being updated and
code changes in that file.

Changelog:
https://github.com/troglobit/libite/releases/tag/v2.1.2

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 21:13:45 +01:00
Ryan Coe
897462ed5f package/inadyn: bump version to 2.6
Changelog:
https://github.com/troglobit/inadyn/releases/tag/v2.6

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 21:09:54 +01:00
Ryan Coe
92b5a202e8 package/inadyn: remove dependency on libite
The dependency for libite was removed in upstream commit e27bfbf
dating back a couple of years.

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 21:09:32 +01:00
Pierre-Jean Texier
7df15b5c1e package/ipset: bump to version 7.6
See full changelog http://ipset.netfilter.org/changelog.html

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 21:06:47 +01:00
James Hilliard
148e983614 package/wayland-protocols: bump to version 1.20
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 21:05:57 +01:00
Antoine Tenart
790465d439 package/linux-firmware: add option for Microchip VSC85xx networking PHYs
This patch adds an option to support installing firmware files for the
Microchip/Microsemi VSC85xx networking PHY family.

There is a mismatch between Linux and Linux-firmware on the name of the
PHY (Microchip vs Microsemi), due to the acquisition of Microsemi by
Microchip. We chose here the name in Linux-firmware, but mentioned the
other one in the Kconfig help of the option.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-05 18:24:58 +01:00
Antoine Tenart
7f24e92751 package/linux-firmware: fix special cases of symlinks
Some symlinks were not created correctly when installing the
Linux-firmware package. This patch fixes the support for all symlinks of
the form:

  a/foo -> bar
  a/foo -> b/bar
  a/foo -> ../b/bar

With this patch all forms of symlinks described in the WHENCE file
should be supported, whether they are in nested directories, or in
non-existing ones.

As some symlinks could be in directories that do not exist, we must
maje sure to canonicalize the path before testing the linked-to file.

We compared the symlinks installed pre-20200122 to what we have now, and
it seems we're handling all of them with this patch.

Fixes: 55df4059d2 ("package/linux-firmware: fix symlink support")
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
[yann.morin.1998@free.fr:
  - use readlink in canonicalize-missing mode, to avoid
    creating-then-removing directories
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Antoine Tenart <antoine.tenart@bootlin.com>
Reviewed-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-05 18:22:05 +01:00
Peter Seiderer
99e7cf6de7 package/mesa3d: fix nouveau std::isinf related compile failure
Activate already existing mesa3d solution for the isinf compile
failure for uclibc based toolchains instead of using a custom
workaround.

- remove 0005-src-gallium-drivers-nouveau-codegen-nv50_ir_ra.cpp-p.patch
- add 0004-c99_math-import-isinf-for-uclibc-based-toolchains.patch

Fixes:
  http://autobuild.buildroot.net/results/cbefc5d4a4fefb674e596400fa1d2698cd89c5b3/
  http://autobuild.buildroot.net/results/dc974da012f53fa4ed3be616f937b0afae423d66/

  ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp: In member function 'bool nv50_ir::GCRA::simplify()':
  ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1348:19: error: expected unqualified-id before '(' token
            if (std::isinf(bestScore)) {
                     ^

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-05 18:19:41 +01:00
Adam Duskett
47b348114d package/nodejs: bump version to v12.16.1
Fixes a number of regressions introduced in v12.16.0:
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.16.1

Tested on Debian 9 and Ubuntu 18.04

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-05 18:04:20 +01:00
Fabrice Fontaine
3426b37ebb package/libsndfile: fix CVE-2019-3832
It was discovered the fix for CVE-2018-19758 (libsndfile) was not
complete and still allows a read beyond the limits of a buffer in
wav_write_header() function in wav.c. A local attacker may use this flaw
to make the application crash.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-05 16:42:47 +01:00
Fabrice Fontaine
27acdca7ee package/libsndfile: fix CVE-2018-19758
There is a heap-based buffer over-read at wav.c in wav_write_header in
libsndfile 1.0.28 that will cause a denial of service.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-05 16:41:57 +01:00
Yann E. MORIN
9e2128bf50 Makefile: work around a bug in newly released make 4.3
Several users of rolling-release distributions have been reporting on
IRC that Buildroot is broken now that they have switched to the newly
released make 4.3.

It turns out that the constructs we use to generated and include the
internal br2-external related fragments is no longer working with
make-4.3.

Indeed, an upstream bug report [0] seems to imply that it so far was
working by chance. There has been no further feedback, whether this is
really considered a fix for a previous ill-defined behaviour, or an
actual regression...

In the meantime, we add a workaround, suggested in that same bug report,
that fixes the issue for make 4.3, and that should not break on older
make versions either (verified on all relevant versions: from 3.81,
3.82, 4.0, 4.1, and 4.2).

[0] https://savannah.gnu.org/bugs/?57676

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Mircea Gliga <mgliga@bitdefender.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-05 16:39:53 +01:00
Fabrice Fontaine
faf755b491 package/jhead: security bump to version 3.04
- Fix CVE-2019-1010301: jhead 3.03 is affected by: Buffer Overflow. The
  impact is: Denial of service. The component is: gpsinfo.c Line 151
  ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG
  file.
- Fix CVE-2019-1010302: jhead 3.03 is affected by: Incorrect Access
  Control. The impact is: Denial of service. The component is: iptc.c
  Line 122 show_IPTC(). The attack vector is: the victim must open a
  specially crafted JPEG file.
- Fix CVE-2019-19035: jhead 3.03 is affected by: heap-based buffer
  over-read. The impact is: Denial of service. The component is:
  ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is:
  Open a specially crafted JPEG file.
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-05 16:35:42 +01:00
Peter Korsgaard
cba42d7f55 package/python-django: security bump to version 3.0.4
Fixes the following security vulnerabilities:

- CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS
  functions and aggregates on Oracle.
  GIS functions and aggregates on Oracle were subject to SQL injection,
  using a suitably crafted tolerance.

For more details, see the advisory:
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-05 16:35:37 +01:00
Peter Seiderer
75c5cc23b4 package/mesa3d: fix linux/kcmp.h related compile failure
Add upstream patch [1].

Fixes:

  http://autobuild.buildroot.net/results/df5bcb8e4f6e98c4de347abbbe91e10a98047422

  ../src/util/os_file.c:37:24: fatal error: linux/kcmp.h: No such file or directory

[1] https://cgit.freedesktop.org/mesa/mesa/commit/?id=f7bfb10c69dfe48a91e35523cb5ee641bdbf6988

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-04 19:21:10 +01:00
Peter Korsgaard
06417e97e3 utils/genrandconfig: drop outdated python-nfc check
Commit 9ea528f84b (package/python-nfc: bump to version 0.13.5) changed the
python-nfc package to download from github, so the package no longer needs
bzr on the host.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-04 19:08:12 +01:00
Peter Seiderer
7e87817d2c package/fbgrab: bump version to 1.3.1 and update projct URL
- bump version to 1.3.1
  Changelog:
  * Incorrect alpha value when converting 32-bit framebuffers.
  * Documentation for github instead of own homepage.

- update project URL

Fixes bug 12606 ([1]).

[1] https://bugs.busybox.net/show_bug.cgi?id=12606

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Timo Ketola <timo.ketola@exertus.fi>
Acked-by: Timo Ketola <timo.ketola@exertus.fi>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-04 19:03:21 +01:00
Peter Seiderer
6494ddaf96 package/gst1-plugins-base: fix static linking
Add patch to fix static linking of tools.

Fixes:

  http://autobuild.buildroot.net/results/b33019b3c9ad856aced34215c69bb292b536e25e

  .../bin/ld: .../usr/lib/libgstreamer-1.0.a(gstplugin.c.o): in function `gst_plugin_register_func':
  gstplugin.c:(.text+0x3bc): undefined reference to `g_module_make_resident'
  .../bin/ld: .../usr/lib/libgstreamer-1.0.a(gstplugin.c.o): in function `_priv_gst_plugin_load_file_for_registry':
  gstplugin.c:(.text+0x1228): undefined reference to `g_module_supported'
  .../bin/ld: gstplugin.c:(.text+0x126c): undefined reference to `g_module_open'
  .../bin/ld: gstplugin.c:(.text+0x1368): undefined reference to `g_module_symbol'
  .../bin/ld: gstplugin.c:(.text+0x1494): undefined reference to `g_module_supported'
  .../bin/ld: gstplugin.c:(.text+0x17f4): undefined reference to `g_module_close'
  .../bin/ld: gstplugin.c:(.text+0x1a2c): undefined reference to `g_module_error'

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-04 00:00:37 +01:00
Peter Korsgaard
22e833af5e Config.in: drop BR2_NEEDS_HOST_{JAVAC,JAR}
With classpath removed, no packages select these symbols any more - So drop
them and their corresponding logic in dependencies.sh / genrandconfig.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-03 23:55:48 +01:00
James Hilliard
d8fd0b242b package/classpath: drop package
This package has been abandoned by upstream since 2016 and has not
had a release since 2012. In addition the GNU Compiler for Java
that classpath was written to be used with has been removed as of
GCC 7.

It is no longer feasible to support classpath as it requires a java
compiler capable of producing java 1.5 compatible bytecode which is
not possible on hosts with a recent java compiler.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-03 23:49:49 +01:00
James Hilliard
fcb7b2a572 package/jamvm: drop package
JamVM has not had a release since 2014 and is unmaintained.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-03 23:47:03 +01:00
Alexander Sverdlin
fccdc6bd0b package/mini-snmpd: bump to version 1.6
Drop both patches:

 - 0001-Prepend-zero-byte-before-unsigned-integers.patch is upstream
   as of 949ae648bf7c654b8fae607a0988bfa672607156

 - 0002-mib.c-allow-unsigned-integers-to-have-an-extra-byte.patch is
   upstream as of

Use the systemd unit file provided by the upstream project instead of
our own, just add an /etc/default/ file to add the -a option to
preserve the same behavior.

This new version now needs pkg-config.

v1.6 changelog:

Bug fix release.

- Fix #16: regression in ifTable for point-to-point interfaces
- Fix #17: major memory leak in Linux backend
- Fix #18: consistent timeout handling in .conf file and command line

v1.5 changelog:

Major feature release.  Support for TCP-MIB, UDP-MIB, IP-MIB,
ifXTable with 64-bit counters.

- Majority of new features from [NDM Systems][]
- CVE fixes from [Cisco Talos Intelligence Group][talos]

- Add support for ifXTable (64-bit counters), from NDM Systems
- Add support for TCP-MIB, from NDM Systems
- Add support for UDP-MIB, from NDM Systems
- Add support for IP-MIB, from NDM Systems
- Add support for ifType
- Add support for ifMtu
- Binary and man page renamed: `mini_snmpd` --> `mini-snmpd`
- New command line option `-l LEVEL` replaces `--verbose`
- New command line option `-v` to show program version
- Create PID file when daemon is ready to receive signals
- Add support for systemd unit file on Linux
- Add support for /etc/mini-snmpd.conf, disabled by default

- CVE-2020-6060: Fix stack overflow in client connection handler
- CVE-2020-6059: Fix out-of-bounds read in parsing of SNMP packet
- CVE-2020-6058: Fix out-of-bounds read in parsing of SNMP packet
- Let `-s` flag control use of syslog, when running in foreground
- Removed all (known) GNU:isms; i.e., `__progname` and `%m`

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 23:18:58 +01:00
James Hilliard
9b21a07b86 package/python-jinja2: fix async removal paths
Fixes:
http://autobuild.buildroot.net/results/dd5/dd5f151b2c9872476ab63c529468d0b37a0374f5/

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-03 22:47:46 +01:00
Fabrice Fontaine
401d18b2e9 package/zziplib: fix CVE-2018-17828
Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to
overwrite arbitrary files via a .. (dot dot) in a zip file, because of
the function unzzip_cat in the bins/unzzipcat-mem.c file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:42:04 +01:00
Fabrice Fontaine
ffd556f407 package/zziplib: fix CVE-2018-16548
An issue was discovered in ZZIPlib through 0.13.69. There is a memory
leak triggered in the function __zzip_parse_root_directory in zip.c,
which will lead to a denial of service attack.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:42:01 +01:00
Fabrice Fontaine
77d2c77d29 package/patch: annotate CVE-2019-13638
GNU patch through 2.7.6 is vulnerable to OS shell command injection that
can be exploited by opening a crafted patch file that contains an ed
style diff payload with shell metacharacters. The ed editor does not
need to be present on the vulnerable system. This is different from
CVE-2018-1000156.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:39:09 +01:00
Fabrice Fontaine
ad9c33935b package/patch: fix CVE-2019-13636
In GNU patch through 2.7.6, the following of symlinks is mishandled in
certain cases other than input files. This affects inp.c and util.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:39:09 +01:00
Fabrice Fontaine
0835550ce9 package/patch: fix CVE-2018-20969
do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings
beginning with a ! character. NOTE: this is the same commit as for
CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to
a shell metacharacter.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:39:09 +01:00
Fabrice Fontaine
1a953aac95 package/patch: annotate CVE-2018-1000156
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:39:09 +01:00
Fabrice Fontaine
8105f4f597 package/patch: annote CVE-2018-6951
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:39:09 +01:00
Thomas Petazzoni
98e11e8c8f Makefile: remove bogus comment
The comment "Check files that are touched by more than one package"
was previously located right before the calls to the check-uniq-files
script. However, this script and the logic calling it have been
removed in commit 2496189a42 ("core:
drop check-uniq-files"), so the comment no longer makes any sense:
let's drop it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-03 22:30:14 +01:00
Antoine Tenart
55df4059d2 package/linux-firmware: fix symlink support
Since Linux-firmware's commit 9cfefbd7fbda ("Remove duplicate symlinks")
symlinks aren't distributed anymore. They are rather created at
installation time by a script provided in the project, copy-firmware.sh.
The description of the symlinks is done in the WHENCE file. Since the
bump to version 20200122, in commit 48cc1a89ae, installation for many
firmwares was broken as Buildroot tried to install missing symlinks from
Linux-firmware.

The fix is not only to remove now missing symlinks, but to add logic to
create those symlinks as kernel modules will depend on them. The
solution taken by this patch is to create dynamically symlinks based on
their description in the WHENCE file *and* only if the file they'll
point to was installed in the target directory.

Fixes: 48cc1a89ae ("package/linux-firmware: bump to version 20200122")
Cc: james.hilliard1@gmail.com
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
[yann.morin.1998@free.fr:
  - don't use a post-install hook
  - consolidate grep+sed into a single sed
  - split long ling
  - detect ln error and exit
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-03 22:15:57 +01:00
Fabrice Fontaine
05bf029c11 package/libvncserver: fix CVE-2019-15681
LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a
memory leak (CWE-655) in VNC server code, which allow an attacker to
read stack memory and can be abused for information disclosure. Combined
with another vulnerability, it can be used to leak stack memory and
bypass ASLR. This attack appear to be exploitable via network
connectivity. These vulnerabilities have been fixed in commit
d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:10:16 +01:00
Fabrice Fontaine
b10cee5326 package/libvncserver: fix CVE-2018-20750
LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability
in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-03 22:10:09 +01:00
Yann E. MORIN
8b3f8df76e Revert "package/linux-firmware: add missing symlinks"
This reverts commit 23d12793d5, which was
intended for the next branch, not master.

Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Antoine Tenart <antoine.tenart@bootlin.com>
Cc: Baruch Siach <baruch@tkos.co.il>
2020-03-03 16:37:21 +01:00
Peter Korsgaard
338e2b5ba1 Update for 2020.02-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-03 00:03:08 +01:00