Kevin Joly (kevin.joly@sensefly.com)<mailto:kevin.joly@sensefly.com>
Your message couldn't be delivered to the recipient because you don't have permission to send to it.
Looking at his LinkedIn profile, he left SenseFly in January 2019,
which quite certainly explains why his @sensefly.com e-mail address is
no longer working.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 55814b8ef9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is no option BR2_TARGET_GRUB2_AARCH64_EFI but
BR2_TARGET_GRUB2_ARM64_EFI in grub2 package.
BR2_TARGET_GRUB2_ARM64_EFI was introduced by the commit [1].
[1] 273a27804a
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Erico Nunes <nunes.erico@gmail.com>
Reviewed-by: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0525ca4711)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
AST-2019-004: Crash when negotiating for T.38 with a declined stream
When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint
responds with a declined media stream a crash will then occur in Asterisk.
https://downloads.asterisk.org/pub/security/AST-2019-004.pdf
AST-2019-005: Remote Crash Vulnerability in audio transcoding
When audio frames are given to the audio transcoding support in Asterisk the
number of samples are examined and as part of this a message is output to
indicate that no samples are present. A change was done to suppress this
message for a particular scenario in which the message was not relevant. This
change assumed that information about the origin of a frame will always exist
when in reality it may not.
https://downloads.asterisk.org/pub/security/AST-2019-005.pdf
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 965e26fd99)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2019-15846: Local or remote attacker can execute programs with
root privileges
For details, see the advisory:
https://exim.org/static/doc/security/CVE-2019-15846.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f2c8428bde)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a number of bugs:
- If files are created while e4defrag is running, it's quite possible for
succeed_cnt to be larger than total_count, in which case the number of
failures (calculated via total_count - succeed_cnt) will overflow and
become a very large unsigned number. (Addresses Debian Bug: #888899)
- Fix e2fsck so it can correctly handle directories > 2 GiB when the
largedir feature is enabled.
- Fix mke2fs's hugefile creation so that we correctly reserve enough
metadata blocks for a given file system size. Otherwise for certain
unfortunately sized disks/partitions, the hugefile creation would fail.
(Addresses Google Bug: 123239032)
- Fix the libext2fs library to be more robust against invalid block group
descriptors to prevent e2fsprogs from crashing (or possibly being p0wned)
by maliciously modified file systems. (Addresses Google Bugs: 119171089,
119929050)
- Fix mke2fs and debugfs so they can correctly copy in files > 2 GiB.
- Fix debugfs so its stat command can correct supportly display directory
sizes > 2 GiB.
- Fix memory leaks in debugfs, mke2fs, and e2freefrag.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps cups to version 2.2.11 so that an upstream fix will
apply cleanly.
The upstream fix corrects a build failure when GZIP is set in the
build environment, as it is for buildroot's reproducible builds, as
shown below:
gzip: /bin/gzip.gz: Permission denied
gzip: /bin/gzip.gz: Permission denied
Makefile:114: recipe for target 'install-data' failed
The patch will be included upstream in version 2.2.12.
Fixes:
- http://autobuild.buildroot.net/results/c4e0f6a3c79c9cb083a08f811b7d4838efef50f9/
Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8a698b7313)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The cherry-pick from master introduced a space-before-tab error. This is
reported by check-package.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/287919259
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes#12181
The security fix for CVE-2018-15599 broke the norootlogin (-w) handling when
pam support is enabled. Add an upstream patch to fix it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://www.samba.org/samba/history/samba-4.9.13.html
Fixes CVE-2019-10197
Combination of parameters and permissions can allow user
to escape from the share path definition.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the URL and add a new patch. Quoting changelog [1]:
unzip (6.0-25) unstable; urgency=medium
* Apply one more patch by Mark Adler:
- Do not raise a zip bomb alert for a misplaced central directory.
This should allow Firefox to build again. Closes: #932404.
Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.
-- Santiago Vila <sanvila@debian.org> Sat, 27 Jul 2019 18:01:36 +0200
[1] https://sources.debian.org/data/main/u/unzip/6.0-25/debian/changelog
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a1a7dff4f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/71f/71f711d30ddc9edc8da0d1a60636e7a13b546ebe/
Commit a0b032ad85 (package/qemu: security bump to version 3.1.1)
bumped the version but didn't update the patch subdirectory name, so the
patches were now ignored.
This was then backported to 2019.02.x / 2019.05.x where the sub directory
did not exist - So the patches _WHERE_ used, but failed to apply as patch
0002 is now upstream.
Fix that by removing the patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop subdirectory]
(cherry picked from commit c796c83037)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit 1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed[1] is merged, a
new build failure occurs when selecting packages which needs
python-numpy as dependency.
This fix a build issue[2] by adding the correct reverse dependencies
to the following packages :
- gnuradio (for python support)
- opencv3 (for python support)
- piglit
- python-matplotlib
So :
- adding to every listed packages
`depends on !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)`
and add a comment to explain what happend.
[1] https://git.buildroot.net/buildroot/commit/?id=1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed
[2] http://autobuild.buildroot.org/results/b76/b76b6cf9602bcf5df69a7276762eab54cf74007b
Signed-off-by: Alexandre PAYEN <alexandre.payen@smile.fr>
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Damien DUVAL <damien.duval@smile.fr>
Cc: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a546b87d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8676,
CVE-2019-8678, CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and
CVE-2019-8688.
This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes at:
https://webkitgtk.org/2019/08/28/webkitgtk2.24.4-released.html
The detailed security advisory can be found at:
https://webkitgtk.org/security/WSA-2019-0004.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 046b09f776)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Added all hashes provided by upstream and license hash.
Fixes a crash on 32bit archs.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 09472e11dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream does not provide a sha512 hash anymore.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 53e1150671)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116876.html
Fixes
* CVE-2019-11500: ManageSieve protocol parser does not properly handle
NUL byte when scanning data in quoted strings, leading to out of
bounds heap memory writes. Found by Nick Roessler and Rafi Rubin.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 77b2dd9a53)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116874.html
Fixes
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes. Found by Nick Roessler and Rafi Rubin.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4afd405eff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Switched _SITE to dovecot.org according to release notes:
https://dovecot.org/pipermail/dovecot-news/2019-July/000412.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f24cb3414f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
in Python 3.x through 3.7.3. CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string after a ?
character) followed by an HTTP header or a Redis command.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e941599f69)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-16872: A flaw was found in qemu Media Transfer Protocol (MTP). The
code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and
directories in usb_mtp_object_readdir doesn't consider that the underlying
filesystem may have changed since the time lstat(2) was called in
usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write
access to the host filesystem shared with a guest can use this property to
navigate the host filesystem in the context of the QEMU process and read any
file the QEMU process has access to. Access to the filesystem may be local
or via a network share protocol such as CIFS.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a0b032ad85)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security fixes:
CVE-2019-13057: Fixed slapd to restrict rootDN proxyauthz to its own databases
CVE-2019-13565: Fixed slapd to initialize SASL SSF per connection
Full changelog:
https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[Peter: fix sha256 hash line]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca2dea3b75)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://www.videolan.org/developers/vlc-branch/NEWS
Fixes the following security bugs:
* Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
* Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
* Fix a read buffer overflow in the FAAD decoder
* Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
* Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
* Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
* Fix a use after free in the ASF demuxer (CVE-2019-14533)
* Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
* Fix a null dereference in the dvdnav demuxer
* Fix a null dereference in the ASF demuxer (CVE-2019-14534)
* Fix a null dereference in the AVI demuxer
* Fix a division by zero in the CAF demuxer (CVE-2019-14498)
* Fix a division by zero in the ASF demuxer (CVE-2019-14535)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ad9efda578)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes green-flickering bug with Windows AMD drivers:
https://forum.videolan.org/viewtopic.php?p=492405#p492405
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4e5b439758)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
Security: when using HTTP/2 a client might cause excessive memory
consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).
For details, see the advisory:
https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 24309ef4ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0574e8166e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The license file hash has been modified due to copyright year updates:
- * Copyright (C) 2002-2018 Igor Sysoev
- * Copyright (C) 2011-2018 Nginx, Inc.
+ * Copyright (C) 2002-2019 Igor Sysoev
+ * Copyright (C) 2011-2019 Nginx, Inc.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 05ca4c1343)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Add a patch to fix cross-compilation
- Fix the following CVEs:
- SQUID-2019:6 (CVE-2019-13345), Jul 12, 2019
Fixed from 4.8
Multiple Cross-Site Scripting issues in cachemgr.cgi
- SQUID-2019:5 (CVE-2019-12527), Jul 12, 2019
Fixed from 4.8
Heap Overflow issue in HTTP Basic Authentication processing
- SQUID-2019:3 (CVE-2019-12525), Jul 12, 2019
Fixed from 4.8
Denial of Service in HTTP Digest Authentication processing
- SQUID-2019:2 (CVE-2019-12529), Jul 12, 2019
Fixed from 4.8
Denial of Service in HTTP Basic Authentication processing
- SQUID-2019:1 (CVE-2019-12824), Jul 12, 2019
Fixed from 4.8
Denial of Service issue in cachemgr.cgi
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7792c4f1bc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2019-14697: musl libc 1.1.23 and earlier x87 float stack imbalance
For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2019/08/05/6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit da3b34bd0a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
/etc/quagga is listed in QUAGGA_PERMISSIONS, but is only created when
some of the quagga sub-options are enabled. When none of those
sub-options are enabled, /etc/quagga is not created, causing a build
failure when the filesystem images are created:
makedevs: line 1: recursive failed for /home/thomas/projets/outputs/quagga-minimal/build/buildroot-fs/tar/target/etc/quagga: No such file or directory
Since it is too cumbersome to maintain which sub-options exactly lead
to /etc/quagga being created, simply create /etc/quagga
unconditionally. It will simply be empty when the quagga package
doesn't install anything in it.
For the record, here is the list of files installed in /etc/quagga
when all quagga sub-options are enabled:
bgpd.conf.sample bgpd.conf.sample2 isisd.conf.sample
ospf6d.conf.sample ospfd.conf.sample pimd.conf.sample
ripd.conf.sample ripngd.conf.sample vtysh.conf.sample
zebra.conf.sample
Fixes:
http://autobuild.buildroot.net/results/cdb66589909fd3996186f7db7d1f19a3b03d58a0/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 939c0187ca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
0.49.4, has a heap-based buffer overflow because a certain
"Private->RunningCode - 2" array index is not checked. This will lead
to a denial of service or possibly unspecified other impact.
- Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
triggers a divide-by-zero exception in the decoder function DGifSlurp
in dgif_lib.c if the height field of the ImageSize data structure is
equal to zero.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d7926d7cb5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 3e5926555b ("package/{mesa3d,
mesa3d-headers}: bump version to 17.1.2"), the dependency of VC4 on
BR2_arm was changed to BR2_ARM_CPU_HAS_NEON, which the reasoning that
upstream commit
https://cgit.freedesktop.org/mesa/mesa/commit/?h=17.1&id=4d30024238efa829cabc72c1601beeee18c3dbf2
made NEON mandatory. However, this commit (including its commit log)
clearly shows that there is compile-time detection on whether you're
using ARMv6 or ARMv7, and simply says there is no runtime detection
for that (which usually isn't very important in the context of
Buildroot). So, the VC4 driver can be used on ARMv6
RaspberryPis. Therefore, this commit reverts to the BR2_arm
dependency.
Note: while there are some ARMv7 without NEONs, all ARMv7 RaspberryPi
platforms do have NEON, so the compile-time checks done in the VC4
driver are good enough.
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=12126
Cc: Sahaj Sarup <sahajsarup@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 350cb0d32e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The pigpio package installs programs and libraries to target, but does
not install the libraries and its headers to staging, while they may
be used by other packages. Let's install them, as was requested in bug
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=11741
Cc: vishalbhalani89@gmail.com
Cc: ivan.nazarenko@gmail.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 589b8cb7e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: drop 5.x bump]
(cherry picked from commit bd30a142c8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
