Fixes CVE-2018-1000858: Cross Site Request Forgery with arbitrary HTTPS
GET requests via HTTP redirect.
https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12020: Unsanitized file names might cause injection of
terminal control characters into the status output of gnupg.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-9234: Unenforced configuration allows for apparently
valid certifications actually signed by signing subkeys.
Remove --disable-doc from configure options. We pass this option to all
autotools packages.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit e82fadab23 (gnupg2: bump to version 2.2.0) added a configure
option to keep the old 'gpg2' executable name to avoid conflict with the
gnupg package. It turns out that gnupg depends on !BR2_PACKAGE_GNUPG2
since commit 2cadb26e6d (gnupg: make gnupg and gnupg2 mutually
exclusive). Drop this configure option.
Rename the config option that controls the removal of gpgv2, now gpgv,
to match the new name. Add legacy config symbol handling.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Switch to https download for firewall compatibility and security.
As upstream now defaults to 'gpg' for the main binary name, keep the
'gpg2' name as in previous releases, to avoid conflict with the gnupg
package.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
gnupg2 removed gnulib in version 2.1.1. The workaround for non-wchar
toolchains introduced in commit 8a87887095 (gnupg2: fix build on
non-wchar toolchains), is no longer needed.
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Romain Naour <romain.naour@openwide.fr>
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
gnupg2 migrated to libusb-1.0 in version 2.1.12.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The check-package script when run gives warnings on ordering issues
on all of these Config files. This patch cleans up all warnings
related to the ordering in the Config files for packages starting with
the letter g in the package directory.
The appropriate ordering is: type, default, depends on, select, help
See http://nightly.buildroot.org/#_config_files for more information.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifiers for license strings as much as possible.
SPDX short identifier for GPLv3/GPLv3+ is GPL-3.0/GPL-3.0+.
This change is done using the following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv3\>/GPL-3.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Also add host-pkgconf to detect sqlite support, otherwise
checking pkg-config is at least version 0.9.0...
./configure: line 7981: /home/buildroot/br2/output/host/usr/bin/pkg-config: No such file or directory
no
[...]
checking for SQLITE3... no
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This patch is based on a patch sent by Vicente Olivert Riera and commented by
Arnout Vandecappelle [1].
- Bump version to 1.23
- Add a hook to fix cross-compilation
- Fix license and license files
- Remove patch applied upstream
- Add a BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS variable
- Propagate the dependencies using that variable:
  * package/cppcms
  * package/crda
  * package/gnupg2
    - package/gcr
    - package/midori
  * package/kodi
  * package/libaacs
  * package/libassuan
  * package/libgcrypt
  * package/libgpgme
  * package/libksba
  * package/libmicrohttpd
    - package/janus-gateway
    - package/kodi
    - package/ola
    - package/systemd
  * package/libssh
  * package/libssh2
    - package/php-ssh2
  * package/netatalk
  * package/network-manager
  * package/ntfs-3g
  * package/opkg
  * package/php-gnupg
  * package/rng-tools
  * package/strongswan
  * package/vpnc
[1] http://patchwork.ozlabs.org/patch/416427/
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
[Thomas:
- rebase on master
- changing systemd no longer needed, as it no longer selects
libgcrypt.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Maxime:
- rebase on master
- bump to new version
- propagate dependencies to missing packages]
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
[Thomas:
- fix hash file.
- change the way to handle the various arch so that it works properly
for uClibc.
- add nios2 arch support.
- Maxime Hadjinlian learned some basic Emacs-fu to do the final fixups
of this commit.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
When libusb-compat was compiled before, gnupg2 will use it as an optional
dependency:
$ output/host/usr/bin/x86_64-linux-readelf -a output/target/usr/libexec/scdaemon | grep NEEDED
[...]
0x0000000000000001 (NEEDED) Shared library: [libusb-0.1.so.4]
[...]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
gnupg2 still tries to run tests even if it tries to avoid it in
cross-compilation.
Really disable running the tests.
Since that requires a complete autoreconf, the existing patch against
configure is turned into a patch against the m4 macro.
Since we autoreconf, we slightly patch configure.ac to not emit git
errors on stderr because it is not in a git tree.
[Thomas: rename patch 0000 to 0004, as suggested by Arnout.]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-1606: Use after free, resulting from failure to skip invalid packets
CVE-2015-1607: memcpy with overlapping ranges, resulting from incorrect
bitwise left shifts
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Autogenerated from rename-patch.py (http://patchwork.ozlabs.org/patch/403345)
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The gnupg2 configure script checks whether <stdint.h> complies with
C99. When doing this, it expects a number of WCHAR_* definitions to be
present, which is not the case on non-wchar capable toolchains. The
gnupg2 configure script then concludes that <stdint.h> is not
C99-compliant and generates its own, which causes some build failures
related to intmax_t being not defined.
Since wchar is not actually used in gnupg2, this commit fixes this
problem by forcing gnupg2 to think that our <stdint.h> is
C99-compliant.
Fixes:
http://autobuild.buildroot.org/results/40f/40fff3bc304e1a83524f28be8f6afc2e217281ad/
And lots of similar issues. Thanks a lot to Romain Naour for the
initial investigation and lots of discussion on IRC about this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Romain Naour <romain.naour@openwide.fr>
This is to improve build reproducibility.
[Thomas: add --with-readline and --without-readline options to
explicitly enable/disable readline usage.]
Signed-off-by: Romain Naour <romain.naour@openwide.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This is to improve build reproducibility.
[Thomas: add --enable-bzip2 --with-bzip options.]
Signed-off-by: Romain Naour <romain.naour@openwide.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
gnupg2 needs a toolchain with locale support or a package which provides
a suitable iconv implementation (libiconv). Otherwise it will fail at
the configure phase with an error like this one:
*** It is now required to build with support for iconv
*** Please install a suitable iconv implementation.
Fixes:
http://autobuild.buildroot.net/results/8c9/8c93c28533dfebffa8b2e34b1421d3fa3cdeb278/
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Reviewed-by: Markos Chandras <Markos.Chandras@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2014-4617 (The do_uncompress function in g10/compress.c
allows context-dependent attackers to cause a denial of service
(infinite loop) via malformed compressed packets, as demonstrated by an
a3 01 5b ff byte sequence).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas: use libpthsem instead of pth, remove !uclibc dependency,
minor formatting fixes in the .mk file.]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Reviewed-by: Markos Chandras <Markos.Chandras@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>