Commit Graph

50587 Commits

Author SHA1 Message Date
Fabrice Fontaine
1c85b1d63e package/rocksdb: fix C++ tests
This will fix a build failure on xtensa and nios2 that missed
-faligned-new

Fixes:
 - http://autobuild.buildroot.org/results/58bf25a16984c4d5f3ce0e26a56712410b67c53a
 - http://autobuild.buildroot.org/results/718fee3d20ef00ffa5c3e617a036cf2b82c97411

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:41:36 +01:00
Fabrice Fontaine
0bb5d1ceca package/libvncserver: fix pkg-config file
This will fix a build failure with vlc and without zlib

Fixes:
 - http://autobuild.buildroot.org/results/7d5f5980f1ba248a1d95b380d422eaeeaca265f8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:39:59 +01:00
Titouan Christophe
54645c0b39 support/scripts/pkg-stats: clear multiprocessing pools after use
During the CVE checking phase, we can still see a huge amount of
Python processes (actually 128) running on the host, even though
the CVE step is entirely ran in the main thread.

These are actually the worker processes spawned to check for the
packages URL statuses and the latest versions from release-monitoring.
This is because of an issue in Python's multiprocessing implementation:
https://bugs.python.org/issue34172

The problem was already there before the CVE matching step was
introduced, but because pkg-stat was terminating right after the
release-monitoring step, it went unnoticed.

Also, do not hold a reference to the multiprocessing pool from
the Package class, as this is not needed.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:35:39 +01:00
Titouan Christophe
304b141a97 support/scripts/pkg-stats: decode subprocess output for python3
In Python 3, the functions from the subprocess module return bytes
(and no longer strings as in Python 2), which must be decoded for
further text operations.

Now, pkg-stats can be run in Python 3.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:35:26 +01:00
Fabrice Fontaine
70b2411cee package/taglib: fix CVE-2018-11439
The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib
1.11.1 allows remote attackers to cause information disclosure
(heap-based buffer over-read) via a crafted audio file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:33:57 +01:00
Fabrice Fontaine
85ed0d1c09 package/taglib: fix CVE-2017-12678
In TagLib 1.11.1, the rebuildAggregateFrames function in
id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted audio file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:33:45 +01:00
James Hilliard
62355ebd4f package/python-multidict: bump to version 4.7.5
Bugfix release, fixing a number of issues. From the CHANGES file:

- Fixed creating and updating of MultiDict from a sequence of pairs and
  keyword arguments.  Previously passing a list argument modified it
  inplace, and other sequences caused an error.
  https://github.com/aio-libs/multidict/issues/457

- Fixed comparing with mapping: an exception raised in the __len__ method caused raising a SyntaxError.
  https://github.com/aio-libs/multidict/issues/459

- Fixed comparing with mapping: all exceptions raised in the __getitem__
  method were silenced.
  https://github.com/aio-libs/multidict/issues/460>

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:28:32 +01:00
Peter Korsgaard
c7a9e2be8a linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:24:50 +01:00
Yann E. MORIN
546a4e1c1f package/qt5tools: hide qdoc with llvm dependencies
Building qdoc requires a llvm and clang for the host.

However, there is a limitation in the llvm and clang packages in
Buildroot, which makes it impossible to have a host variant without
a target variant.

So, propagate the dependencies of the target llvm and clang, to ensure
we can only have a host-llvm and -clang packages that are correctly
built.

Note that we do propagate all of the dependencies (instead of just the
architecture part), to be consistent.

Reported-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Seiderer <ps.report@gmx.net>
Cc: Julien Corjon <corjon.j@ecagroup.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:12:41 +01:00
Romain Naour
aa3622758b package/elf2flt: remove backported patch
The patch added by [1] to fix a segfault with elf2flt when binutils
2.33.1 is used on ARM, introduce a regression with previous binutils
version on m68k and ARM.

Theses issues has been reported upstream [2] [3] but there is no
definitive solution.

The binutils 2.33.1 has been disabled for configurations using
BR2_BINFMT_FLAT by the previous commit, so we can safely remove
the patch.

Fixes:
[acpica-20191018]
http://autobuild.buildroot.net/results/81ee33eb606062a62765d95b66a26f130d280c53
[augeas-1.12.0]
http://autobuild.buildroot.net/results/4e1f7f335d2c853e2a5e6ad96c14157ba8f003c7
[cairo-1.16.0]
http://autobuild.buildroot.net/results/976d99bc9b052f8d9429e666ac7fff7768ffff6b
[fontconfig-2.13.1]
http://autobuild.buildroot.net/results/4a5a8cb6411d709acb7ea8c83b3c8e45fdc0a10b
[gptfdisk-1.0.4]
http://autobuild.buildroot.net/results/6db5f9d8663730a54b04c1e624438095598b2573
[libopenssl-1.1.1d]
http://autobuild.buildroot.net/results/acf87e81130e85e7fb05edf5f6dedf095f16e226
[mimic-1.1.0]
http://autobuild.buildroot.net/results/61f53630ed85ee0d0d6dbf71012db77f4d7986ad
Maybe more...

[1] 2b064f86b6
[2] https://github.com/uclinux-dev/elf2flt/pull/16
[3] https://github.com/uclinux-dev/elf2flt/issues/12

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:10:48 +01:00
Romain Naour
24708b598a package/binutils: disable binutils >= 2.33.1 for configurations using BR2_BINFMT_FLAT
The patch added by [1] to fix a segfault with elf2flt when binutils
2.33.1 is used on ARM, introduce a regression with previous binutils
version on m68k and ARM.

Theses issues has been reported upstreme [2] [3].

For now, disable binutils >= 2.33.1 for configurations using
BR2_BINFMT_FLAT.

[1] 2b064f86b6
[2] https://github.com/uclinux-dev/elf2flt/pull/16
[3] https://github.com/uclinux-dev/elf2flt/issues/12

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:10:02 +01:00
Yegor Yefremov
5075afc87b package/python-setuptools-scm-git-archive: depends on python-setuptools-scm
python-setuptools-scm-git-archive requires python-setuptools-scm package so
add it to its dependencies.

Fixes:
http://autobuild.buildroot.net/results/b356c948cf2b22534ca333cfe34dee31371c0007

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:01:48 +01:00
Romain Naour
8742bf3d9b package/lxc: cgroups: initialize cpuset properly
The tests.package.test_lxc.TestLxc failure on gitlab
is similar to the issue reported by [1] and fixed by [2].

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255988

[1] https://github.com/NixOS/nixpkgs/issues/75467#issuecomment-569386159
[2] https://github.com/lxc/lxc/pull/3109

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Jérôme Pouiller <jezz@sysmic.org>
Cc: Patrick Havelange <patrick.havelange@essensium.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 23:00:22 +01:00
Titouan Christophe
447b648e53 package/mosquitto: bump to v1.6.9
mosquitto 1.6.9 is a bugfix release, see the announcement:
https://mosquitto.org/blog/2020/02/version-1-6-9-released/

Also update the indentation of the hash file to 2 spaces,
and add URL of the GPG signature in hash file comment.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 22:53:54 +01:00
Titouan Christophe
2d4a99d56e package/wireshark: security bump to v3.2.2
This fixes the following CVEs:
 - CVE-2020-9428:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the EAP dissector could crash. This was addressed in
   epan/dissectors/packet-eap.c by using more careful sscanf parsing.

 - CVE-2020-9429:
   In Wireshark 3.2.0 to 3.2.1, the WireGuard dissector could crash.
   This was addressed in epan/dissectors/packet-wireguard.c by
   handling the situation where a certain data structure intentionally
   has a NULL value.

 - CVE-2020-9430:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the WiMax DLMAP dissector could crash.
   This was addressed in plugins/epan/wimax/msg_dlmap.c by validating
   a length field.

 - CVE-2020-9431:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the LTE RRC dissector could leak memory. This was addressed in
   epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-02 22:49:45 +01:00
Yann E. MORIN
9d856fb44c package/linux-firmware: fix hashes for license files
Commit 48cc1a89ae (package/linux-firmware: bump to version 20200122)
forgot to account for an update in the copyright year for the AMD blobs,
as well as a global update to the WHENCE file (which lists all the
blobs and their licenses).

Fixes:
    http://autobuild.buildroot.org/results/372abcf91592ef4a1231de6364b0848ff131e432/

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 19:21:35 +01:00
Yann E. MORIN
dabb5181ad package/systemd: also fix rpath for machine-id-setup
Fixes: #12576

Reported-by: Melanie <melanie@trash-mail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 19:16:31 +01:00
Yann E. MORIN
0ae12f05ee package/systemd: also fix rpath for nspawn
Fixes:
    http://autobuild.buildroot.org/results/e03ae6a3209eea00459b94cee9c10fd4f2184fec/

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 19:15:50 +01:00
Fabrice Fontaine
e21730db5c package/libvorbis: annote CVE-2018-10393
bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a
stack-based buffer over-read.

Same patch as for CVE-2017-14160

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - update 0001-*.patch to also reference CVE-2018-10393
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 19:13:45 +01:00
Fabrice Fontaine
3321eef6f2 package/libvorbis: fix CVE-2018-10392
mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not
validate the number of channels, which allows remote attackers to cause
a denial of service (heap-based buffer overflow or over-read) or
possibly have unspecified other impact via a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 19:08:58 +01:00
Fabrice Fontaine
8c0ecc91b5 package/blktrace: fix CVE-2018-10689
blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and
Android, has a buffer overflow in the dev_map_read function in
btt/devmap.c because the device and devno arrays are too small, as
demonstrated by an invalid free when using the btt program with a
crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 18:53:42 +01:00
Romain Naour
b1e4404c04 support/testing: test_systemd.py: add linux fragment to enable CONFIG_BINFMT_MISC
While investigating [1] one units failed due to missing kernel option
CONFIG_BINFMT_MISC needed by "proc-sys-fs-binfmt_misc.mount" service.

It's because the kernel support autofs4 but not MISC binaries.

Since the systemd test infra use the default defconfig (vexpress),
we need to provide a linux fragment to enable CONFIG_BINFMT_MISC.

[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr:
  - move the kernel config with the others in conf/
]
Tested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 18:43:42 +01:00
Romain Naour
0fd23c3e28 package/systemd: random-seed: add missing header for GRND_NONBLOCK
GRND_NONBLOCK has been introduced with the 3.17 kernel version [1]
while adding getrandom(2) system call.

The header missing_random.h is needed for random-seed.c when building
with old toolchain, such Sourcery CodeBench ARM 2014.05 (kernel headers
3.13).

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c6e9d6f38894798696f23c8084ca7edbf16ee895

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 17:32:29 +01:00
James Hilliard
4401126167 package/ser2net: bump to version 4.1.2
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 16:55:28 +01:00
James Hilliard
8a4354218c package/gensio: bump to version 1.5.3
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 16:47:37 +01:00
James Hilliard
05b2c42b13 package/gensio: add patch fixing expected identifier before token error
Fixes:
http://autobuild.buildroot.net/results/d33c6cc6154607c6f1f8fdde3569cfcc4b9d2330/

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 16:46:02 +01:00
Fabrice Fontaine
6ef8420dd8 package/pure-ftpd: fix CVE-2020-9365
An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read
has been detected in the pure_strcmp function in utils.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 14:20:42 +01:00
Fabrice Fontaine
cb7ac0c12e package/pure-ftpd: fix CVE-2019-20176
In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
listdir function in ls.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 14:20:39 +01:00
Fabrice Fontaine
190964b668 package/openjpeg: fix CVE-2020-8112
opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
different issue than CVE-2020-6851.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 10:42:34 +01:00
Fabrice Fontaine
a3b1f2885e package/openjpeg: fix CVE-2020-6851
OpenJPEG through 2.3.1 has a heap-based buffer overflow in
opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
opj_j2k_update_image_dimensions validation.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 10:42:32 +01:00
Fabrice Fontaine
5934e676f3 package/openjpeg: fix CVE-2019-12973
In OpenJPEG 2.3.1, there is excessive iteration in the
opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could
leverage this vulnerability to cause a denial of service via a crafted
bmp file. This issue is similar to CVE-2018-6616.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 10:42:29 +01:00
Fabrice Fontaine
32d9a95d94 package/emlog: annotate CVE-2019-16868 and CVE-2019-17073
CVE-2019-16868 and CVE-2019-17073 are misclassified (by our CVE tracker)
as affecting emlog, while in fact it affects http://www.emlog.net.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 10:34:50 +01:00
James Hilliard
23d12793d5 package/linux-firmware: add missing symlinks
As of upstream commit 9cfefbd7fbdaa5ae769e3061c463f8345d146fb7
we must manually create symlinks as they are no longer present
in the archive but created at installation.

Fixes:
    http://autobuild.buildroot.net/results/46fdacbe4064d72aaafa9f52741121d8e4fe64ab/

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:44:41 +01:00
Fabrice Fontaine
5553223297 package/shellinabox: fix CVE-2018-16789
libhttp/url.c in shellinabox through 2.20 has an implementation flaw in
the HTTP request parsing logic. By sending a crafted multipart/form-data
HTTP request, an attacker could exploit this to force shellinaboxd into
an infinite loop, exhausting available CPU resources and taking the
service down.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:36:09 +01:00
Fabrice Fontaine
2914843b39 package/suricata: fix CVE-2019-18792
An issue was discovered in Suricata 5.0.0. It is possible to
bypass/evade any tcp based signature by overlapping a TCP segment with a
fake FIN packet. The fake FIN packet is injected just before the PUSH
ACK packet we want to bypass. The PUSH ACK packet (containing the data)
will be ignored by Suricata because it overlaps the FIN packet (the
sequence and ack number are identical in the two packets). The client
will ignore the fake FIN packet because the ACK flag is not set. Both
linux and windows clients are ignoring the injected packet.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:36:06 +01:00
Fabrice Fontaine
7d74283309 package/libcgroup: fix CVE-2018-14348
libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666
regardless of the configured umask, leading to disclosure of information

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:36:04 +01:00
Romain Naour
c623d89b4b configs:nitrogen{6sx, 6x, 7, 8m}: fix typo in kernel headers version
A typo has been introduced during the last version bump [1].

[1] 00252b101a

Fixes:
[nitrogen6sx]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255632
[nitrogen6x]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255635
[nitrogen7]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255638
[nitrogen6m8]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255640

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Gary Bisson <bisson.gary@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:30:56 +01:00
Fabrice Fontaine
4815bbc7b0 package/exiv2: annotate CVE-2019-13504
CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
version 0.27.2, while in fact both commits that fixed this issue are
already in this version: bd0afe039043 and 54f0bebca032.

(From: https://security-tracker.debian.org/tracker/CVE-2019-13504)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-01 08:25:26 +01:00
Fabrice Fontaine
d8be0e4cd4 package/exiv2: fix CVE-2019-20421
In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
file can result in an infinite loop and hang, with high CPU consumption.
Remote attackers could leverage this vulnerability to cause a denial of
service via a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 23:20:35 +01:00
Fabrice Fontaine
91b150dc33 package/cairo: fix CVE-2018-19876
Add an upstream patch to fix CVE-2018-19876: cairo 1.16.0, in
cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a
free function incompatible with WebKit's fastMalloc, leading to an
application crash with a "free(): invalid pointer" error.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 23:17:29 +01:00
Fabrice Fontaine
9675c3fbe8 package/rdesktop: add xlib_libXrandr optional dependency
xlib_libXrandr is an optional dependency since version 1.7.0 and
6ee9faeffc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 23:17:29 +01:00
Fabrice Fontaine
d383b46ac1 package/exiv2: fix CVE-2019-17402
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory
in crwimage_int.cpp, because there is no validation of the relationship
of the total size to the offset and size.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 23:10:32 +01:00
Fabrice Fontaine
ffb50125b0 package/rdesktop: security bump to version 1.8.6
- Fix CVE-2019-15682: RDesktop version 1.8.4 contains multiple
  out-of-bound access read vulnerabilities in its code, which results in
  a denial of service (DoS) condition. This attack appear to be
  exploitable via network connectivity. These issues have been fixed in
  version 1.8.5
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 22:45:28 +01:00
Carlos Santos
0acd05423d package/openrc: remove keymaps units if kbd package is not selected
keymaps and save-keymaps require kbd_mode and dumpkeys, respectively, so
remove them if the kbd package is not selected (e.g. devices with serial
console, only).

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - expand to three commands to match the existing hook
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 22:14:50 +01:00
Fabrice Fontaine
03cb3f61a0 package/qpdf: fix comment
Commit 3f9bcc01b3 forgot to update comment

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 20:25:34 +01:00
Fabrice Fontaine
3f9bcc01b3 package/qpdf: needs wchar
Upstream was not too keen [0] on applying fixes for toolchains without
wchar, so just require that.

The sole user selecting qpdf already depends on wchar, so update the
comment accordingly.

[0] https://github.com/qpdf/qpdf/pull/405#issuecomment-592971907

Fixes:
 - http://autobuild.buildroot.org/results/99c82d4775ed44bd04d0a48188ff590dcba73d69

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: drop the patch, add the dependency]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 19:26:38 +01:00
Carlos Santos
4e3e53483c package/openrc: fix post-install-target addition
OPENRC_POST_TARGET_INSTALL_HOOKS -> OPENRC_POST_INSTALL_TARGET_HOOKS

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 19:24:16 +01:00
Fabrice Fontaine
c8c5660a81 package/boost: annotate _IGNORE_CVES for CVE-2009-3654
This CVE does not affect the boost package, but is misclassified by our
CVS tracker. As per the advisory:

    Unspecified vulnerability in Boost before 6.x-1.03, a module for
    Drupal, allows remote attackers to create new webroot directories
    via unknown attack vectors.

Ignore the CVS, and expand a comment to explain it.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: expand the comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-29 18:17:37 +01:00
Nayna Jain
bfbe6b9235 package/kexec-lite: Bump the version
Upstream changes include:

kexec: improve kexec_file_load error message

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 17:50:34 +01:00
Heiko Thiery
3883517b56 package/libgdiplus: backport of fix for GifQuantizeBuffer
In newer version of giflib the GifQuantizeBuffer code was removed.

libgdiplus included the needed function by their own:
(https://github.com/mono/libgdiplus/pull/575).

This patch will become obsolete once libgdiplus is bumped to version 6.x.

Fixes:
http://autobuild.buildroot.net/results/46c5cf068cf9ea50e53491870d9dbf3f134c8c22

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-29 17:47:47 +01:00