Commit Graph

56936 Commits

Author SHA1 Message Date
Romain Naour
d0342704f9 package/gdb: enable nios2
It turns out that gdb/gdbserver support for nios2 is available since the 7.7 release, since commit [1] [2].

[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=a1217d97c4b0449d052fad3d2df2ab58b48f918c
[2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=68f5f83833e21b8c8466fe852b403b81db227ce4

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 8eac45e6cf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-21 21:00:52 +02:00
Giulio Benetti
0f8d2ea1f7 DEVELOPERS: add Giulio Benetti to udisks package
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5123d66518)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-21 20:36:42 +02:00
Fabrice Fontaine
ecf41316c9 package/heirloom-mailx: add CPE variables
cpe:2.3:a:heirloom:mailx is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aheirloom%3Amailx

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3cc45ca653)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-20 18:21:28 +02:00
Yann E. MORIN
72d29a742b package/perl-crypt-openssl-rsa: add missing dependency to openssl
perl-crypt-openssl-rsa inherits the dependency on openssl indirectly
from perl-crypt-openssl-random. However, perl-crypt-openssl-rsa needs
the openssl libraries for itself, so it must explicitly depend on it.

So far, this was totally inconsequential, but since commit a83d41867c
(package/libopenssl: add option to enable some features), features can
be configured out, of which RMD160 that perl-crypt-openssl-rsa needs.
If we were to add the select to that option (in a followup commit),
without a dependency to openssl, that would be very confusing in the
future.

So, add the explicit dependency now.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7c636d9c66)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-20 18:21:14 +02:00
Peter Korsgaard
5293208a57 Update for 2021.02.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-12 16:58:31 +02:00
Peter Korsgaard
45a06f7d9b {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 10, 11, 12}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7f4429dd90)
[Peter: drop 5.11.x/5.12.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-12 16:54:19 +02:00
John Keeping
3c7d6cc337 package/connman: security bump to 1.40
Fix CVE-2021-33833 which is a stack buffer overflow in dnsproxy.

Release notes:
https://lore.kernel.org/connman/20210610113503.ob45lhssqy5hk4ki@beryllium.lan/

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e5d9af8de0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-12 16:21:55 +02:00
Peter Korsgaard
a0d489dcf8 package/squid: security bump to version 4.15
Fixes the following security issues:

- CVE-2021-28651: Denial of Service in URN processing
  Due to a buffer management bug Squid is vulnerable to a Denial of service
  attack against the server it is operating on.

  This attack is limited to proxies which attempt to resolve a "urn:"
  resource identifier.  Support for this resolving is enabled by default in
  all Squid.

  https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4

- CVE-2021-28652: Denial of Service issue in Cache Manager
  Due to an incorrect parser validation bug Squid is vulnerable to a Denial
  of Service attack against the Cache Manager API.

  https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447

- CVE-2021-28662: Denial of Service in HTTP Response Processing
  Due to an input validation bug Squid is vulnerable to a Denial of Service
  against all clients using the proxy.

  https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h

- CVE-2021-31806, CVE-2021-31807, CVE-2021-31808: Multiple Issues in HTTP
  Range header
  Due to an incorrect input validation bug Squid is vulnerable to
  a Denial of Service attack against all clients using the proxy.

  https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf

- CVE-2021-33620: Denial of Service in HTTP Response processing
  Due to an input validation bug Squid is vulnerable to a Denial of Service
  against all clients using the proxy.

  https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d94c42b93e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-11 15:07:47 +02:00
Peter Korsgaard
38cf5e6719 package/mpg123: bump version to 1.25.15
Bugfix release. From the release notes:

Some backports of important fixes to the 1.25 series, for very conservative
people.

libmpg123: Backport bit reservoir CRC fix from 1.26
libmpg123: Backport part2_3_length regression fix (bug 312).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d495593de1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-11 13:50:12 +02:00
Alexander Dahl
01063c4291 package/putty: Ignore CVE-2021-33500
Since putty is only affected by this CVE on Windows, ignore it in the
stable branch.  Branch master is not affected anymore already, due to
newer version which got fixed.

Signed-off-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-11 10:16:35 +02:00
Yann E. MORIN
2554b5fc9e DEVELOPERS: remove Chakra Divi
The domain for their email is now a parking-site, and mails are not
delivered anymore.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 48235e6fc5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:53:20 +02:00
Fabrice Fontaine
01d6d1fa92 package/mimic: fix static build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/bee20bbfa4fa64ed8704bfb9586d5a3148f39fdf

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1c3e0f95bc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:52:41 +02:00
Peter Korsgaard
d297e54ccf package/go: security bump to version 1.15.13
Fixes the following security issues:

- CVE-2021-33195: The LookupCNAME, LookupSRV, LookupMX, LookupNS, and
  LookupAddr functions in net, and their respective methods on the Resolver
  type may return arbitrary values retrieved from DNS which do not follow
  the established RFC 1035 rules for domain names.  If these names are used
  without further sanitization, for instance unsafely included in HTML, they
  may allow for injection of unexpected content.  Note that LookupTXT may
  still return arbitrary values that could require sanitization before
  further use

- CVE-2021-33196: The NewReader and OpenReader functions in archive/zip can
  cause a panic or an unrecoverable fatal error when reading an archive that
  claims to contain a large number of files, regardless of its actual size

- CVE-2021-33197: ReverseProxy in net/http/httputil could be made to forward
  certain hop-by-hop headers, including Connection.  In case the target of
  the ReverseProxy was itself a reverse proxy, this would let an attacker
  drop arbitrary headers, including those set by the ReverseProxy.Director

- CVE-2021-33198: The SetString and UnmarshalText methods of math/big.Rat
  may cause a panic or an unrecoverable fatal error if passed inputs with
  very large exponents

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:48:55 +02:00
Fabrice Fontaine
c2d3ba4602 package/mono-gtksharp3: fix build with latest mono
Fix build failure with latest mono which is raised since commit
4c8a285b6e

Fixes:
 - http://autobuild.buildroot.org/results/ff3edfe406f00a29429d2fa4258af12c87e5fb96

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 11e8ced584)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:26:50 +02:00
Fabrice Fontaine
7dcec4fad9 package/mpv: handle --{en,dis}able-libmpv-{shared,static}
libmpv-static and libmpv-shared are disabled by default resulting in the
following build failure when building with gl but without rpi, wayland
or x11:

Checking for OpenGL without platform-specific code (e.g. for libmpv)      : libmpv-shared not found
Checking for OpenGL context support                                       : gl-cocoa not found
You manually enabled the feature 'gl', but the autodetection check failed.

Here is an extract of wscript:

    } , {
        'name': '--plain-gl',
        'desc': 'OpenGL without platform-specific code (e.g. for libmpv)',
        'deps': 'libmpv-shared || libmpv-static',
        'func': check_true,
    }, {
        'name': '--gl',
        'desc': 'OpenGL context support',
        'deps': 'gl-cocoa || gl-x11 || egl-x11 || egl-drm || '
                 + 'gl-win32 || gl-wayland || rpi || '
                 + 'plain-gl',
        'func': check_true,
        'req': True,
        'fmsg': "No OpenGL video output found or enabled. " +
                "Aborting. If you really mean to compile without OpenGL " +
                "video outputs use --disable-gl.",
    }, {

Enabling both the shared and static libraries is not allowed by mpv, so
we consider the BR2_STATIC_LIBS to be static, and otherwise (i.e.
BR2_SHARED_LIBS and BR2_SHARED_STATIC_LIBS) to be shared.

Fixes:
 - http://autobuild.buildroot.org/results/590d2a8b6746ef071dfb439e42b636f81dbdc35d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - expand config log about shared/static incompatibility
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8601137c08)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:24:50 +02:00
Fabrice Fontaine
4f1a05c2fc package/qt5/qt5base: fix build with gcc 11
Fix the following build failure with gcc 11:

/data/buildroot-autobuilder/instance-0/output-1/build/qt5base-5.15.2/include/QtCore/../../src/corelib/global/qfloat16.h:300:7: error: 'numeric_limits' is not a class template
  300 | class numeric_limits<QT_PREPEND_NAMESPACE(qfloat16)> : public numeric_limits<float>
      |       ^~~~~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/9a7a987af40b8408ccdfcae4890008c7090b41a1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 128901c80a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:23:46 +02:00
Fabrice Fontaine
21fe73646d package/intel-mediadriver: disable -Werror
Disable -Werror to avoid the following build failure:

<command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]

MEDIA_BUILD_FATAL_WARNINGS option is available since version 18.2.0 and
6932fc0ffb

Fixes:
 - http://autobuild.buildroot.org/results/52638d95312e464626d1c4047b3b26d4f57a1cd2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e93eaf7248)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:22:11 +02:00
Fabrice Fontaine
95167f326f package/apcupsd: add APCUPSD_CPE_ID_VENDOR
cpe:2.3:a:apcupsd:apcupsd is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aapcupsd%3Aapcupsd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 47ce1876ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:17:51 +02:00
Fabrice Fontaine
8fcfd4771f package/acpid: add CPE variables
cpe:2.3:a:tedfelix:acpid2 is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atedfelix%3Aacpid2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit befe5981ef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:17:40 +02:00
Fabrice Fontaine
f22f59961f package/chrony: add CHRONY_CPE_ID_VENDOR
cpe:2.3:a:tuxfamily:chrony is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atuxfamily%3Achrony

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7a7cb59ced)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:17:30 +02:00
Bernd Kuhls
f5a37bd892 DEVELOPERS: add Bernd Kuhls to gptfdisk package
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit db19b4ebe4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:17:08 +02:00
Bernd Kuhls
ea0a8d3ffd package/gptfdisk: security bump version to 1.0.7
Release notes:
https://sourceforge.net/p/gptfdisk/code/ci/master/tree/NEWS

Version 1.0.6 fixes CVE-2020-0256 & CVE-2021-0308.

Removed md5 hash.

Rebased patch due to upstream commit
6180deb472/#diff-3

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 75d5e8fb9c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:16:39 +02:00
Fabrice Fontaine
5a2437870b package/odb: fix build with gcc 11
Add -std=c++11 to fix the following build failure with gcc 11:

/data/buildroot-autobuilder/instance-0/output-1/host/include/cutl/shared-ptr/base.hxx:34:41: error: ISO C++17 does not allow dynamic exception specifications
   34 | operator new (std::size_t, cutl::share) throw (std::bad_alloc);
      |                                         ^~~~~

Fixes:
 - http://autobuild.buildroot.org/results/9cbb8be7a1d8ac5913fbc5e2a78c4c45b5daf8e2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ac9855e761)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:15:55 +02:00
Bernd Kuhls
f92c96915e package/efibootmgr: fix comment
Building efibootmgr with a musl toolchain is possible.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b7d6149b68)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:15:01 +02:00
Fabrice Fontaine
003645e007 package/dc3dd: disable on riscv32
Disable dc3dd on riscv32 because of the size of time_t (riscv32 has
never had a 32-bit time, and has always been 64-bit from the onset):

        In file included from getdate.y:40:
        verify.h:132:30: error: negative width in bit-field 'verify_error_if_negative_size__'
          132 |       (struct { unsigned int verify_error_if_negative_size__: (R) ? 1 : -1; }))
              |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        verify.h:138:61: note: in expansion of macro 'verify_true'
          138 | # define verify(R) extern int (* verify_function__ (void)) [verify_true (R)]
              |                                                             ^~~~~~~~~~~
        getdate.y:116:1: note: in expansion of macro 'verify'
          116 | verify (LONG_MIN <= TYPE_MINIMUM (time_t) && TYPE_MAXIMUM (time_t) <= LONG_MAX);
              | ^~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/267151dec9d2328a5f8c61ddf224219a4f617e5c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6b9d2ab455)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:13:48 +02:00
Bernd Kuhls
a9c25c4257 package/apache: security bump version to 2.4.48
Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.48

Fixes CVE-2021-31618:
mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]

Removed patch 0004 which is included in upstream release.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 351122979b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:12:32 +02:00
Fabrice Fontaine
73b5894c90 package/iftop: fix static build
Fixes:
 - http://autobuild.buildroot.org/results/eb53ff6b031c654daec57050dec376b5c9134a81

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 16600cde23)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:11:52 +02:00
Fabrice Fontaine
53318b98ac package/libraw: add Libs.private to libraw.pc
Add Libs.private to libraw.pc to fix the following static build failure
with imagemagick which is raised since commit
2f47cfade4:

/home/giuliobenetti/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: /home/giuliobenetti/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libjasper.a(jpg_enc.c.o): in function `jpg_encode':
jpg_enc.c:(.text+0x1f4): undefined reference to `jpeg_stdio_dest'

Fixes:
 - http://autobuild.buildroot.org/results/88e43a1ea2059a684e50b0f5f2af407e8c6df2e1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit cb3b89e4cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:11:20 +02:00
Baruch Siach
96acbda894 package/netperf: move SITE to s.b.o
The original site is gone.

Fixes:
http://autobuild.buildroot.net/results/8d4a2ef5a7f50ea21b844d6cf806bb83016ae17b/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7cf8adc039)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:09:52 +02:00
Fabrice Fontaine
9ab4079a74 package/gupnp: security bump to version 1.2.6
Fix CVE-2021-33516: An issue was discovered in GUPnP before 1.0.7 and
1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web
server can exploit this vulnerability to trick a victim's browser into
triggering actions against local UPnP services implemented using this
library. Depending on the affected service, this could be used for data
exfiltration, data tampering, etc.

Replace patch by upstream commit as current patch doesn't apply cleanly

https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536
https://gitlab.gnome.org/GNOME/gupnp/-/blob/gupnp-1.2.6/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 94a3b3f062)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:08:40 +02:00
Fabrice Fontaine
82cab93ece package/lttng-tools: disable tests
Disabling tests will fix the following build failures on riscv32:

select_poll_epoll.c:408:16: note: each undeclared identifier is reported only once for each function it appears in
select_poll_epoll.c: In function 'ppoll_fds_ulong_max':
select_poll_epoll.c:440:16: error: 'SYS_ppoll' undeclared (first use in this function); did you mean 'SYS_tkill'?
  440 |  ret = syscall(SYS_ppoll, ufds, ULONG_MAX, NULL, NULL);
      |                ^~~~~~~~~
      |                SYS_tkill
select_poll_epoll.c: In function 'pselect_invalid_fd':
select_poll_epoll.c:488:16: error: 'SYS_pselect6' undeclared (first use in this function); did you mean 'SYS_semctl'?
  488 |  ret = syscall(SYS_pselect6, fd + 1, &rfds, NULL, NULL, NULL, NULL);
      |                ^~~~~~~~~~~~
      |                SYS_semctl

Fixes:
 - http://autobuild.buildroot.org/results/dd39188a7191efa512a51f18f4c34d9ee711a6a7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 2df1c10ba7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:07:50 +02:00
Norbert Lange
43969fbfd0 package/lttng-tools: bump version to 2.12.3
Remove patch 001 as it has been fixed upstream.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 97bec5b4cc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 22:07:38 +02:00
Fabrice Fontaine
7c45b795ea package/vlc: disable on riscv32
vlc unconditionally uses __NR_futex resulting in the following build
failure on riscv32:

linux/thread.c:53:20: error: '__NR_futex' undeclared (first use in this function)
   53 |     return syscall(__NR_futex, addr, op, val, to, addr2, val3);
      |                    ^~~~~~~~~~

A patch that fixes this was submitted upstream, but rejected [1].

Fixes:
 - http://autobuild.buildroot.org/results/be0f2243919d7a052b33118d8a901c922f8d88e7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

[1] https://patches.videolan.org/patch/30581/

(cherry picked from commit cc86b866ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:47:24 +02:00
Fabrice Fontaine
f265d103c6 package/capnproto: fix build on riscv32
Fixes:
 - http://autobuild.buildroot.org/results/1c1cd4775241ee57d878cad5c978413d4b4a8736

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e8c2a3e2d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:46:56 +02:00
Fabrice Fontaine
2956477b9e package/directfb: disable on riscv32
directfb unconditionally uses __NR_futex which will raise the following
build failure on riscv32:

system.c:242:21: error: '__NR_futex' undeclared (first use in this function)
  242 |      ret = syscall( __NR_futex, uaddr, op, val, timeout, uaddr2, val3 );
      |                     ^~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/c0f4168575fa85af933539441eea95a3b10dac91

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit cb6fd050cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:45:08 +02:00
Fabrice Fontaine
2e99476104 package/libkcapi: fix build on riscv32
Fix the following build failure on riscv32:

lib/internal.h:331:20: error: '__NR_io_getevents' undeclared (first use in this function); did you mean 'io_getevents'?
  331 |     return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
      |                    ^~~~~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/c828d4330a8888fe8db4299dc2f20759947f329f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5a075b47a8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:44:42 +02:00
Fabrice Fontaine
40bcf91160 package/unscd: disable on riscv32
unscd unconditionally uses __NR_clock_gettime which will raise the
following build failure on riscv32:

nscd-0.54.c:339:14: error: '__NR_clock_gettime' undeclared (first use in this function); did you mean 'clock_gettime'?
  339 |  if (syscall(__NR_clock_gettime, CLOCK_MONOTONIC, &ts))
      |              ^~~~~~~~~~~~~~~~~~
      |              clock_gettime

Fixes:
 - http://autobuild.buildroot.org/results/eb77b18f268d8e59c407f757662117a33d3f9ee3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 34173da168)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:44:25 +02:00
Fabrice Fontaine
e16722c065 package/libcamera: fix build on sparc v8
Fix build failure with sparc v8 which is raised since commit
bd9b7b092c due to
https://git.linuxtv.org/libcamera.git/commit/?id=a8310248fc26cc1e1b791af5e9394c1d20bee269

Fixes:
 - http://autobuild.buildroot.org/results/d0726b2253f1f3d006e057f3b32c646c4b9b5f7a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit dc34fa5c6c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:32:57 +02:00
Baruch Siach
f73e2b821b package/libesmtp: move SITE to s.b.n
The original site is gone, and the author is no longer providing
tarballs:

  https://libesmtp.github.io/notes.html

Change website link to the current official page.

Fixes:
http://autobuild.buildroot.net/results/d788315bf708c31e14ba5fb35dccf94753d5f78a/
http://autobuild.buildroot.net/results/83bfdd8e5f897b4d4be81c4c16106feb4e17bd50/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1410cbd163)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:29:10 +02:00
Bernd Kuhls
4f595935a8 DEVELOPERS: add Bernd Kuhls for intel-mediasdk & deps
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 20a4c7a7f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:28:45 +02:00
Fabrice Fontaine
772d18692a package/libcutl: fix build with gcc 11
Add -std=c++11 to fix the following build failure with gcc 11:

In file included from shared-ptr/base.cxx:5:
../cutl/shared-ptr/base.hxx:34:41: error: ISO C++17 does not allow dynamic exception specifications
   34 | operator new (std::size_t, cutl::share) throw (std::bad_alloc);
      |                                         ^~~~~

Fixes:
 - http://autobuild.buildroot.org/results/60a39d402a0d051c92aa11421b7a14f7729a0380

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 4d6ca0a8ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:28:00 +02:00
Heiko Thiery
c31386b070 package/i2c-tools: add I2C_TOOLS_CPE_ID_VENDOR
cpe:2.3:a:i2c-tools_project:i2c-tools is a valid CPE identifier for this
package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ai2c-tools_project%3Ai2c-tools

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 9584765654)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:27:24 +02:00
Romain Naour
03f030bfed uclibc: powerpc: fix PIE/PIC builds with secureplt enabled by default
Apply the fix provided by Yann Sionneau when secureplt is enabled
by default by gcc compiler along with PIE/PIC options.

"For the secure PLT to work in PIC, the r30 register needs to point to the GOT"

Fixes:
[qemu_ppc_e500mc_defconfig] https://gitlab.com/buildroot.org/buildroot/-/jobs/1255661606
[qemu_ppc_g3beige_defconfig] https://gitlab.com/buildroot.org/buildroot/-/jobs/1255661607
[qemu_ppc_mac99_defconfig] https://gitlab.com/buildroot.org/buildroot/-/jobs/1255661609

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Yann Sionneau <yann@sionneau.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 826d350fc3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:27:03 +02:00
Romain Naour
e7dd5be8db Config.in: disable PIC/PIE for Nios2
Recently in Buildroot the option BR2_PIC_PIE has been enabled by default along
with other hardening features [1]. Since then the nios2 defconfig
qemu_nios2_10m50_defconfig is failing to boot due to a segfault in init program:

Run /init as init process
  with arguments:
    /init
  with environment:
    HOME=/
    TERM=linux
Failed to execute /init (error -12)

See Buildroot build log and Qemu runtime test log in build artifacts [2].

Analyzing one of the binaries with strace shows that the problem occurs
very early when starting the new process:

 # strace ./busybox
 execve("./busybox", ["./busybox"], 0x7f91ce90 /* 10 vars */) = -1 ENOMEM
(Cannot allocate memory)
 +++ killed by SIGSEGV +++

Several binutils/glibc/gcc versions have been tested without any success.

The issue has been reported to the glibc mailing list but it can be a linker
or kernel bug [3].

For the Buildroot 2021.05 release, disable BR2_PIC_PIE until the problem is
found and fixed.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1285145889

[1] https://git.buildroot.net/buildroot/commit/?id=810ba387bec3c5b6904e8893fb4cb6f9d3717466
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/1285145889
[3] https://sourceware.org/pipermail/libc-alpha/2021-May/126912.html

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 6b4b63a571)
[Peter: backport to 2021.02.x to stop users from manually enabling BR2_PIC_PIE]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:20:23 +02:00
Sam Voss
a4bde640c6 package/hostapd: add upstream patch to fix CVE-2021-27803
Fixes the following:

- CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in
wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
discovery requests. It could result in denial of service or other impact
(potentially execution of arbitrary code), for an attacker within radio
range.

Signed-off-by: Sam Voss <sam.voss@collins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 93b8d601bc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 10:19:14 +02:00
Peter Korsgaard
d15b37d492 package/dhcp: security bump to version 4.4.2-P1
Fixes the following security issue:

- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to
  exploit a common vulnerability shared by dhcpd and dhclient

For details, see the advisory:
https://kb.isc.org/docs/cve-2021-25217

Update the LICENSE hash for a change of copyright years.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cebf2b91b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 08:37:51 +02:00
Yann E. MORIN
fa0c6b0c76 docs: move the IRC channel away from Freenode
Due to the recent events at Freenode [0], the channel has become a bit
unreliable (much spammed), and users have started to move away already,
as quite a few other projects have moved their IRC presence away from
Freenode.

There are a few alternatives. The first to spring to mind, is the new
Libera.Chat network [1], managed by the previous Freenode staff, so we
could expect quite a good experience there. However, it is a very young
network. The second well known alternative is the long-established OFTC,
which has been very reliable in its 20 years of existence.

So, let's move to OFTC, just because it has a track-record of robustness
(which Libera.Chat still has to build, for being young).

Note: there are a lot of other IRC networks, some very good too, but we
probably would be much off-topic on most of them.

[0] https://lwn.net/Articles/856543/
[1] https://libera.chat/
[2] https://www.oftc.net/

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Matthew Weber <matthew.weber@collins.com>
Acked-by: Heiko Thiery <heiko.thiery@gmail.com>
Acked-By: Vincent Fazio <vfazio@xes-inc.com>
Acked-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fe3cb7978a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 08:36:37 +02:00
Fabrice Fontaine
27f2c517cc package/strace: xtensa needs headers >= 5.0
xtensa support needs user_pt_regs since version 5.6 and
2429c69961

However user_pt_regs is only available since kernel 5.0 and
06fbac8e89

Fixes:
 - http://autobuild.buildroot.org/results/c6c4fb3b9098c5fc5dbe4415e2a9757fc775b746

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fb25c95a0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-10 08:32:16 +02:00
Peter Korsgaard
105cd3e6ce package/nginx: add upstream CVE-2021-23017 security fix
Fixes the following vulnerability:

- CVE-2021-23017: 1-byte memory overwrite in resolver

For more details, see the advisories:
https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
https://www.openwall.com/lists/oss-security/2021/05/25/5

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: annotate the patch, that it is a backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ab9ceea782)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-09 23:18:01 +02:00
Peter Korsgaard
7d68013a8a package/libcurl: security bump to version 7.77.0
Fixes the following security issues:

- CVE-2021-22897: schannel cipher selection surprise
  https://curl.se/docs/CVE-2021-22897.html

- CVE-2021-22898: TELNET stack contents disclosure
  https://curl.se/docs/CVE-2021-22898.html

- CVE-2021-22901: TLS session caching disaster
  https://curl.se/docs/CVE-2021-22901.html

Unconditionally disable the ldap(s) options.  These require external
libraries, but the options were ignored if the needed libraries weren't
available. This is now changed to be a fatal error since

dae382a1a1

Additionally, add a post-7.77.0 upstream patch to fix compilation with
bearssl.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: annotate the patch, that it is a backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit eae15d62c6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-09 23:17:35 +02:00