CVE-2022-1304 only affects e2fsprogs 1.46.5.
The mentioned patch was removed in 6a21733f when bumping to 1.47.0.
Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
CVE-2021-38185 affects cpio <= 2.13.
The mentioned patches were removed in b0306d94 when bumping to 2.14.
Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.
Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Fix CVE-2023-36664: Artifex Ghostscript through 10.01.2 mishandles
permission validation for pipe devices (with the %pipe% prefix or the |
pipe character prefix).
- Fix CVE-2023-38559: A buffer overflow flaw was found in
base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This
issue may allow a local attacker to cause a denial of service via
outputting a crafted PDF file for a DEVN device with gs.
- Fix CVE-2023-38560: An integer overflow flaw was found in
pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may
allow a local attacker to cause a denial of service via transforming a
crafted PCL file to PDF format.
https://ghostscript.readthedocs.io/en/gs10.02.0/News.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit 7dd27cbe5b (support/download: add support to exclude svn
externals) introduced an improperly formatted list item. That was
carried over with bf2d7f8f53 (package/pkg-generic: don't download svn
externals by default).
Fix that.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bugfixes and updates.
Containerd v1.7.x comes with new features including container sandboxing.
https://github.com/containerd/containerd/releases/tag/v1.7.6
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Since 3341ceb1e5 (package/gdb: zlib is mandatory, not optional), zlib
has become a mandatory dependencies of the gdb package.
However, zlib is only needed for the debugger, gdb itself, while the
server, gdbserver, does not use it.
This means that, when building an SDK to be later reused as an external
toolchain, the zlib headers and libraries are present in the sysroot of
the toolchain, tainting the toolchain and making it unsuitable to be
reused.
As Julien noticed, for example, tcl will try and link with zlib if
available, and at build time it is. But at runtime, it is not, and thus
tclsh fails to run; see 7af8dee3a8 (package/tcl: add mandatory
dependency to zlib)
When we only need to build gdbserver, we still need to configure and
build the whole gdb distribution, which means we call the top-level
configure script; that script has no option to disable the detection
of zlib: it wants to either use a system one, or it will build the
bundled one.
So, when we only build gdbserver, we tell configure to not use a system
zlib. This triggers the build of the bundled one, but it is not linked
with gdbserver so in the end it is not used on the target.
Reported-by: Julien Olivain <ju.o@free.fr>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
HOST_PROG_SHUTDOWN currently references a file that doesn't exist. Fix
by setting it to /usr/libexec/petitboot/bb-kexec-reboot, which this
package already installs but doesn't use.
Signed-off-by: Reza Arbab <arbab@linux.ibm.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Tcl changed its zlib handling in upstream commit [1]. Before this
commit, the HAVE_ZLIB macro was defined only if a zlib headers/library
was found. After that commit, the HAVE_ZLIB macro is unconditionally
defined. The only change is that: if a working zlib library is found
in the toolchain sysroot, it is used. Otherwise, the package will use
a shipped version in [2]. See also [3] and [4].
This tcl commit is included in Buildroot since commit 7fda943b43
"tcl: bump to version 8.6.1".
In Buildroot, we prefer to not use bundled libraries wherever possible,
so add an unconditional dependency to zlib.
Further notes:
This behavior leads to runtime failures, when the package is compiled
with toolchains including zlib in their sysroot. This is because at
configuration time, the package will detect zlib in the sysroot and
link against it, but the library files won't be installed on target.
This happen to be the case with Bootlin toolchains such as [5], as they
also contaions gdbserver, and since 3341ceb1e5 (package/gdb: zlib is
mandatory, not optional), we also build zlib even if only gdbserver is
built (gdbserver does not use zlib, so that's a bug in our gdb
packaging).
This toolchain also happen to be the one used in basic configurations
of the runtime test infrastructure (this issue was found while
attempting to write a runtime test for tcl).
In such cases, running "tclsh" command fails with error message:
tclsh: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory
libtcl library also miss its dependency.
ldd /usr/lib/libtcl8.6.so
libz.so.1 => not found
libm.so.6 => /lib/libm.so.6 (0xb6dad000)
libc.so.6 => /lib/libc.so.6 (0xb6c65000)
/lib/ld-linux.so.3 (0xb6f6c000)
[1] 6f3dea45ce
[2] https://github.com/tcltk/tcl/tree/core-8-6-13/compat/zlib
[3] https://github.com/tcltk/tcl/blob/core-8-6-13/unix/configure.in#L172
[4] https://github.com/tcltk/tcl/blob/core-8-6-13/unix/Makefile.in#L240
[5] https://toolchains.bootlin.com/downloads/releases/toolchains/armv5-eabi/tarballs/armv5-eabi--glibc--stable-2023.08-1.tar.bz2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix CVE-2023-26463: strongSwan 5.9.8 and 5.9.9 potentially allows remote
code execution because it uses a variable named "public" for two
different purposes within the same function. There is initially
incorrect access control, later followed by an expired pointer
dereference. One attack vector is sending an untrusted client
certificate during EAP-TLS. A server is affected only if it loads
plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS,
EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.
https://github.com/strongswan/strongswan/blob/5.9.11/NEWShttps://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix CVE-2023-40225: HAProxy through 2.0.32, 2.1.x and 2.2.x through
2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15,
2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty
Content-Length headers, violating RFC 9110 section 8.6. In uncommon
cases, an HTTP/1 server behind HAProxy may interpret the payload as an
extra request.
https://www.mail-archive.com/haproxy@formilux.org/msg43864.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex()
caused by a maliciously crafted file may lead to an application crash.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issue:
CVE-2023-38039: HTTP headers eat all memory
When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.
However, curl did not have a limit on the size or quantity of headers it
would accept in a response, allowing a malicious server to stream an endless
series of headers to a client and eventually cause curl to run out of heap
memory.
https://curl.se/docs/CVE-2023-38039.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security vulnerabilities:
CVE-2022-23537: Heap buffer overflow when decoding STUN message in pjproject
Possible buffer overread when parsing a specially crafted STUN message with
unknown attribute. The vulnerability affects Asterisk users using ICE
and/or WebRTC.
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix the following build failure with uclibc but without MMU raised since
commit 223596c75d:
/home/autobuild/autobuild/instance-6/output-1/host/riscv64-buildroot-linux-uclibc/bin/ld.real: ./.libs/libcrun.a(libcrun_la-container.o): in function `.L0 ':
container.c:(.text+0x4e7c): undefined reference to `fork'
Fixes:
- http://autobuild.buildroot.org/results/f19482753e9262ec806cf550619170467a144daf
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Mutt 2.2.12 was released on September 9, 2023. This is a bug-fix
release, fixing two crash bugs. One is possible by viewing a crafted
message header, so upgrading is strongly recommended.
Fix CVE-2023-4874: Null pointer dereference when viewing a specially
crafted email in Mutt >1.5.2 <2.2.12
Fix CVE-2023-4875: Null pointer dereference when composing from a
specially crafted draft message in Mutt >1.5.2 <2.2.12
http://www.mutt.org/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Old links are no longer working, so use new links instead.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patch and disable libseccomp when building statically to avoid the
following build failure raised since commit
29834d8a12:
src/seccomp_notify.c: In function 'seccomp_notify_plugins_load':
src/seccomp_notify.c:136:42: warning: implicit declaration of function 'dlopen'; did you mean 'popen'? [-Wimplicit-function-declaration]
136 | ctx->plugins[s].handle = dlopen(it, RTLD_NOW);
| ^~~~~~
| popen
src/seccomp_notify.c:136:53: error: 'RTLD_NOW' undeclared (first use in this function)
136 | ctx->plugins[s].handle = dlopen(it, RTLD_NOW);
| ^~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/13d3b46990720bba8621c922b5dce54ab650e96d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Does not install systemd unit if nodm or xdm is enabled.
Signed-off-by: Yanghao Cheng <yanghao.cheng@aioi-atg.com>
[yann.morin.1998@free.fr:
- don't use $(or ...)
- slightly reword comment
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
xdm package also installs a init script that utimately starts X server
Signed-off-by: Yanghao Cheng <yanghao.cheng@aioi-atg.com>
[yann.morin.1998@free.fr:
- don't use $(or ...)
- slightly reword comment
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
tests.package.test_python_pytest.TestPythonPy3Pytest runtime tests fails
now with following error:
======================================================================
FAIL: test_run (tests.package.test_python_pytest.TestPythonPy3Pytest.test_run)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/buildroot/support/testing/tests/package/test_python.py", line 137, in test_run
self.run_sample_scripts()
File "/buildroot/support/testing/tests/package/test_python_pytest.py", line 18, in run_sample_scripts
self.assertRunOk(cmd, timeout=self.timeout)
File "/buildroot/support/testing/infra/basetest.py", line 89, in assertRunOk
self.assertEqual(
AssertionError: 1 != 0 :
Failed to run: python -m pytest sample_python_pytest.py
output was:
Traceback (most recent call last):
File "<frozen runpy>", line 189, in _run_module_as_main
File "<frozen runpy>", line 148, in _get_module_details
File "<frozen runpy>", line 112, in _get_module_details
File "/usr/lib/python3.11/site-packages/pytest/__init__.py", line 5, in <module>
File "/usr/lib/python3.11/site-packages/_pytest/_code/__init__.py", line 2, in <module>
File "/usr/lib/python3.11/site-packages/_pytest/_code/code.py", line 36, in <module>
File "/usr/lib/python3.11/site-packages/pluggy/__init__.py", line 16, in <module>
File "/usr/lib/python3.11/site-packages/pluggy/_manager.py", line 10, in <module>
File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 8, in <module>
File "/usr/lib/python3.11/zipfile.py", line 6, in <module>
ImportError: libz.so.1: cannot open shared object file: No such file or directory
Fix that by adding BR2_PACKAGE_PYTHON3_ZLIB dependency.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
[yann.morin.1998@free.fr: split long _DEPENDENCIES line]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Old link is no longer working, so use new link instead.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix CVE-2023-35790: An issue was discovered in dec_patch_dictionary.cc
in libjxl before 0.8.2. An integer underflow in patch decoding can lead
to a denial of service, such as an infinite loop.
https://github.com/libjxl/libjxl/releases/tag/v0.8.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Julien Olivain <ju.o@free.fr>
Tested-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Improved accuracy of MARK timer, optional, default: 20 minutes.
- Fix sub-second faking of kernel timestamps
- Fix reading kernel logs from /proc/kmsg, regression in v2.4.0.
Only relevant to really old kernels (pre 4.4?) or systems with
static device nodes and no auto-devtmpfs mounting in kernel
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Sync w/ OpenBSD upstream
- Fix key bindings, Home/End
- Fix buffer overflow on no match in i-search
- Fix mark reset
- Usability:
- persistent help in status bar
- F1 toggle quick-help buffer
- F2 save
- F3/F4 macro start/end + run, like GNU Emacs
Full ChangeLog https://github.com/troglobit/mg/releases/tag/v3.7
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- add upstream patch for Unordered available on the Release Page.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
