- Drop --without-x (now unrecognized)
- Fix CVE-2023-40745: LibTIFF is vulnerable to an integer overflow. This
flaw allows remote attackers to cause a denial of service (application
crash) or possibly execute an arbitrary code via a crafted tiff image,
which triggers a heap-based buffer overflow.
- Fix CVE-2023-41175: A vulnerability was found in libtiff due to
multiple potential integer overflows in raw2tiff.c. This flaw allows
remote attackers to cause a denial of service or possibly execute an
arbitrary code via a crafted tiff image, which triggers a heap-based
buffer overflow.
https://libtiff.gitlab.io/libtiff/releases/v4.6.0.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e96b1c4b0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop patches (already in version)
- tests can be disabled since version 1.2.3 and
e2e3d6b14e
- docs can be disabled since version 1.2.3 and
af6c10e8be
- Fix CVE-2023-46228: zchunk before 1.3.2 has multiple integer overflows
via malformed zchunk files to lib/comp/comp.c, lib/comp/zstd/zstd.c,
lib/dl/multipart.c, or lib/header.c.
https://github.com/zchunk/zchunk/compare/1.2.2...1.3.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8716942ca6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️zchunk:zchunk is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/detail/480C0B83-3109-49EE-9E06-7866A54878CA
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3499c75ccf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
git.code.sf.net is available over HTTPS, so use that for security and
consistency with the other packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 99d525028f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
git.code.sf.net is available over HTTPS, so use that for security and
consistency with the other packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f2a590750f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that we have HTTPS support for sources.buildroot.net (through Lets
encrypt / Cloudflare), it makes sense to default to it for our backup site.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 05296ced36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host-riscv64-elf-toolchain package was missing a hash file, add it now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit cf2dcaa1ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host-mxsldr package was missing a hash file, add it now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fefcfddc5e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
MiniZip in zlib through 1.3 has an integer overflow and resultant
heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
filename, comment, or extra field. NOTE: MiniZip is not a supported part
of the zlib product.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de7bc4ada2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️libtom:libtommath is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/detail/F0D99614-AA27-4713-ADD2-103647C8838B
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 17ffb91551)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2023-44487: The HTTP/2 protocol allows a denial of service
(server resource consumption) because request cancellation can reset
many streams quickly, as exploited in the wild in August through October
2023.
Fix CVE-2023-35945: nghttp2 fails to release memory when PUSH_PROMISE or
HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails
with a fatal error. For example, if GOAWAY frame has been received, a
HEADERS frame that opens new stream cannot be sent.
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqghttps://github.com/nghttp2/nghttp2/security/advisories/GHSA-6pcr-v3hg-752phttps://github.com/nghttp2/nghttp2/compare/v1.41.0...v1.57.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 07c44afc8d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator’s chars() and words() methods
(with html=True) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability.
The chars() and words() methods are used to implement the truncatechars_html
and truncatewords_html template filters, which were thus also vulnerable.
The input processed by Truncator, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a security release, fixing a number of important issues.
https://forum.suricata.io/t/suricata-6-0-15-released/4068/2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5ef8369d98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
commit 21d52e52d8 (package/pkg-utils.mk: break hardlinks in global
{TARGET, HOST}_DIR on per-package build) was recently reverted, so we
are back to a situation where it is possible for packages and post-build
scripts to modify files in-place, and thus impact files in any arbitrary
per-package directory, which may break things on rebuild for example.
21d52e52d8 was too big a hammer, but we can still apply the reasoning
from it, to the aggregation of the final target and host directories.
This solves the case for post-build scripts at least. We leave the case
of inter-package modification aside, as it is a bigger issue that will
need more than just copying files around.
We use --hard-links, so that hard-links in the source (the PPD), are
kept as new hard-links (i.e. "copy" of hard-links) in the destination.
This contributes to limiting the size of target/.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Herve Codina <herve.codina@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Herve Codina <herve.codina@bootlin.com>
(cherry picked from commit 23edf9837c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 21d52e52d8 (package/pkg-utils.mk: break hardlinks in global
{TARGET, HOST}_DIR on per-package build) stopped hardlink the source and
destination when rsyncing per-package directory, on the rationale that
modifying files in-place after the rsync would also modify the original
file, and that break foo-rebuild and can cause issues with post-build
scripts.
However, what 21d52e52d8 did not envision, is that copying instead of
hard-linking has two nasty side effects:
- the size increase for the build directory increase with the number
of packages and with the depth of th dependency chains for those
packages: a (relatively small) build that was previously totalling
~13GiB in output/, now totals north of 122GiB, an almost 10-time
increase;
- the build time increases, as it takes more time to read+write files
than it takes to create a new link to a file; the same build saw an
increase of build time from 5min 10s to 7min 30s, a 45% increase.
These regressions are both serious, so revert the change; we'll come up
with a stopgap measure in follow-up commits.
This reverts commit 21d52e52d8.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Herve Codina <herve.codina@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Herve Codina <herve.codina@bootlin.com>
(cherry picked from commit 8f1487d6fa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes: 487761a5b2 ("package/xdg-dbus-proxy: bump to version 0.1.5")
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d4fc46f751)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 0.1.5 mainly fixes handling of paths with more than 255
characters. Release notes:
https://github.com/flatpak/xdg-dbus-proxy/releases/tag/0.1.5
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 487761a5b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The relocate-sdk.sh script does not work correctly when
BR2_PER_PACKAGE_DIRECTORIES is enabled. relocate-sdk.sh expects
everything to point at $HOST_DIR, but each package will be pointing at
its $(O)/per-package/*/host.
Use the same command for scrubing host paths during the build, to scrub
to the final host directory location.
Signed-off-by: Brandon Maier <Brandon.Maier@collins.com>
Acked-by: Charles Hardin <ckhardin@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 25e60fbe1c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following static build failure with libgpgme raised since at
least bump to version 2.2.9 in commit
7a2afdb7b1:
/home/autobuild/autobuild/instance-11/output-1/host/lib/gcc/sh4a-buildroot-linux-musl/11.3.0/../../../../sh4a-buildroot-linux-musl/bin/ld: /home/autobuild/autobuild/instance-11/output-1/host/sh4a-buildroot-linux-musl/sysroot/usr/lib/libgpgme.a(assuan-support.o): in function `my_usleep':
assuan-support.c:(.text+0x260): undefined reference to `__assuan_usleep'
Fixes:
- http://autobuild.buildroot.org/results/0680dbc95601fcd8cdf07b926ea5e9be2079c7bf
- http://autobuild.buildroot.org/results/b4f2d1ad77fb8b97accc4150d8249de145cb9cf4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b518b0f161)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes a typo by dropping off the spurious x in ensure.
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3381a08433)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following musl build failure raised since bump to version 5.9.4
in commit 868603755c:
large_fd_set.c: In function 'LFD_SET':
../include/net-snmp/net-snmp-config.h:1614:30: error: unknown type name 'unknown'; did you mean 'union'?
1614 | #define NETSNMP_FD_MASK_TYPE unknown
| ^~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/394ebf93621c33dc2ddf370297268e6de9de7c9a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dad81003c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 0c82f3f635 (package/gcc: remove powerpc conditional patching
logic), the macro defining the conditional patch was removed, but it was
still referenced and expanded in the apply-patches hook.
Drop that now.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84cdd92f01)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2023-39325: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption. While the
total number of requests is bounded to the http2.Server.MaxConcurrentStreams
setting, resetting an in-progress request allows the attacker to create a
new request while the existing one is still executing.
go1.20.10 (released 2023-10-10) includes a security fix to the net/http
package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
