- bump version to 7.1.2
- update license hash ('standardize license' [0] to the exact text as
SPDX provides [1])
[0] d64eddae7d
[1] https://spdx.org/licenses/BSD-3-Clause.html
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
See changelog https://github.com/vsergeev/python-periphery/blob/master/CHANGELOG.md
Update the license hash for a change in copyright years:
-Copyright (c) 2015-2020 vsergeev / Ivan (Vanya) A. Sergeev
+Copyright (c) 2015-2021 vsergeev / Ivan (Vanya) A. Sergeev
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
(compiled with OpenSSL support) is vulnerable to remote OOB write attack via
connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write
attack via connection request after exhausting memory pool.
- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server
7.0 is vulnerable to remote OOB write attack via connection request after exhausting
memory pool.
See https://github.com/cesanta/mongoose/releases/tag/7.2
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Security fix for CVE-2021-21334:
https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4
Other changes:
- Fix container create in CRI to prevent possible environment variable leak between containers
- Update shim server to return grpc NotFound error
- Add bounds on max oom_score_adj value for shim's AdjustOOMScore
- Update task manager to use fresh context when calling shim shutdown
- Update Docker resolver to avoid possible concurrent map access panic
- Update shim's log file open flags to avoid containerd hang on syscall open
- Fix incorrect usage calculation
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- disable simd, openssl, xxhash, zstd, lz4, asm options
- update COPYING hash (add openssl and xxhash license
enhancement):
In addition, as a special exception, the copyright holders give
permission to dynamically link rsync with the OpenSSL and xxhash
libraries when those libraries are being distributed in compliance
with their license terms, and to distribute a dynamically linked
combination of rsync and these libraries. This is also considered
to be covered under the GPL's System Libraries exception.
For details see [1].
[1] https://download.samba.org/pub/rsync/NEWS#3.2.3
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Cc: Baruch Siach <baruch@tkos.co.il>
[yann.morin.1998@free.fr: add 'with exception' to _LICENSE (Baruch)]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- update patch 0001-Prefer-ext-static-libs-when-default-library-static.patch
(use get_option(OptionKey()) instead of get_builtin_option())
- rebase patch 0002-mesonbuild-dependencies-base.py-add-pkg_config_stati.patch
For details see [1].
[1] https://mesonbuild.com/Release-notes-for-0-57-0.html
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This reverts commit b5e8f1c147. Indeed,
this commit does not fix the build failure as c_std=c99 is already set
in default_options in meson.build.
The issue is that this parameter is not used for native executables
since meson 0.51.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
[yann.morin.1998@free.fr: move license fix to its own commit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The license is BSD-2-Clause, not MIT.
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
[yann.morin.1998@free.fr: split off into its own commit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Switch to meson-package as configure is not shipped in the official
tarball anymore
- Drop host-m4 dependency (only needed in maintainer mode)
- Disable examples and XML validation (enabled by default)
- Drop LIBSIGC_INSTALL_TARGET_FIXUP as documentation is disabled by
default
- Update web page in Config.in
- Update indentation in hash file (two spaces)
https://github.com/libsigcplusplus/libsigcplusplus/blob/2.10.6/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Changelog ([1]):
1.7.14 (Sep 3, 2020)
Fixes:
optimize the way to find tail node, see #503
Fix WError error on macosx because NAN is a float. Thanks @sappo, see #484
Fix some bugs in detach and replace. Thanks @miaoerduo, see #456
[1] https://github.com/DaveGamble/cJSON/blob/master/CHANGELOG.md
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Changelog ([1]):
Changes in 23.4
===============
* killall: Dynamically link to selinux and use security attributes
* pstree: Do not crash on missing processes !21
* pstree: fix layout when using -C !24
* pstree: add time namespace !25
* pstree: Dynamically link to selinux and use attr
* fuser: Get less confused about duplicate dev_id !10
* fuser: Only check pathname on non-block devices !31
Changes in 23.3
===============
* killall: check also truncated 16 char comm names Debian #912748
* fuser: Return early if have nulls !18
* peekfd: Add support for ARM64 !19
* pstree: Add color by age #21
* fuser: Use larger inode sizes #16
[1] https://gitlab.com/psmisc/psmisc/-/blob/master/ChangeLog
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- update COPYING.txt hash (update copyright year)
Changelog ([1]):
2020-10-12: Version 7.4.2
* New Friulian translation of the messages.
* Updated Dutch, German, Serbian, Traditional Chinese, and Ukrainian
translations.
[1] https://sourceforge.net/projects/dos2unix/files/dos2unix/7.4.2/
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit 03fa36df7e (package/avrdude: Switch to upstream)
unconditionally enabled linuxspi on the assumption that it is available
since linux-2.6.22.
However, avrdude unconditionally uses GPIO and includes linux/gpio.h,
which is only available since kernel 4.6 and:
3c702e9987
Add a Kconfig option, enabled by default for backward compatibility, to
drive whether to enable or disable SPI support.
Fixes:
- http://autobuild.buildroot.org/results/962a7fcff1e54a0550eafa0cbca780ba8bc8409e
Note: weirdly enough, GPIO support does not use linux/gpio.h; rather it
uses sysfs.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: add a Kconfig option]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Details: https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
As detailed in commit 7e64a050fb, it is
difficult to utilize the upstream patches directly, so a number of
patches include changes to generated files so that we don't need invoke
the gentpl.py script.
In addition to the security fixes, these required patches has been
backported:
f76a27996 efi: Make shim_lock GUID and protocol type public
04ae030d0 efi: Return grub_efi_status_t from grub_efi_get_variable()
ac5c93675 efi: Add a function to read EFI variables with attributes
d7e54b2e5 efi: Add secure boot detection
The following security issues are fixed:
CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted
ACPI tables when Secure Boot is enabled
CWE-184
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
GRUB2 enables the use of the command acpi even when Secure Boot is signaled by
the firmware. An attacker with local root privileges to can drop a small SSDT
in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT
then gets run by the kernel and it overwrites the kernel lock down configuration
enabling the attacker to load unsigned kernel modules and kexec unsigned code.
Reported-by: Máté Kukri
*******************************************************************************
CVE-2020-25632 grub2: Use-after-free in rmmod command
CWE-416
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload
a module used as dependency without checking if any other dependent module is
still loaded. This leads to an use-after-free scenario possibly allowing an
attacker to execute arbitrary code and by-pass Secure Boot protections.
Reported-by: Chris Coulson (Canonical)
*******************************************************************************
CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize()
CWE-787
6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
grub_usb_device_initialize() is called to handle USB device initialization. It
reads out the descriptors it needs from the USB device and uses that data to
fill in some USB data structures. grub_usb_device_initialize() performs very
little bounds checking and simply assumes the USB device provides sane values.
This behavior can trigger memory corruption. If properly exploited, this would
lead to arbitrary code execution allowing the attacker to by-pass Secure Boot
mechanism.
Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive)
*******************************************************************************
CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline
CWE-121
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
grub_parser_split_cmdline() expands variable names present in the supplied
command line in to their corresponding variable contents and uses a 1kB stack
buffer for temporary storage without sufficient bounds checking. If the
function is called with a command line that references a variable with a
sufficiently large payload, it is possible to overflow the stack buffer,
corrupt the stack frame and control execution. An attacker may use this to
circumvent Secure Boot protections.
Reported-by: Chris Coulson (Canonical)
*******************************************************************************
CVE-2020-27779 grub2: The cutmem command allows privileged user to remove
memory regions when Secure Boot is enabled
CWE-285
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The GRUB2's cutmem command does not honor Secure Boot locking. This allows an
privileged attacker to remove address ranges from memory creating an
opportunity to circumvent Secure Boot protections after proper triage about
grub's memory layout.
Reported-by: Teddy Reed
*******************************************************************************
CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705
CWE-281
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro
specific flaw which made upstream in the mentioned version.
If certificates that signed GRUB2 are installed into db, GRUB2 can be booted
directly. It will then boot any kernel without signature validation. The booted
kernel will think it was booted in Secure Boot mode and will implement lock
down, yet it could have been tampered.
This flaw only affects upstream and distributions using the shim_lock verifier.
Reported-by: Dimitri John Ledkov (Canonical)
*******************************************************************************
CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The option parser in GRUB2 allows an attacker to write past the end of
a heap-allocated buffer by calling certain commands with a large number
of specific short forms of options.
Reported-by: Daniel Axtens (IBM)
*******************************************************************************
CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of
space required for quoting
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
There's a flaw on GRUB2 menu rendering code setparam_prefix() in the menu
rendering code performs a length calculation on the assumption that expressing
a quoted single quote will require 3 characters, while it actually requires
4 characters. This allow an attacker to corrupt memory by one byte for each
quote in the input.
Reported-by: Daniel Axtens (IBM)
*******************************************************************************
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
If PER_PACKAGE_DIRECTORIES=Y and using host-make package (because
BR2_FORCE_HOST_BUILD=Y or local make is too old) .stamp_dotconfig
target needs per-package/uboot/host/bin/host-make that doesn't
exist yet.
Add host-make into UBOOT_KCONFIG_DEPENDENCIES.
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
opkg-utils is a collection of bash and python scripts which require
additional commands/tools be available for the bash scripts. The full
list of dependencies that the opkg-util scripts require is:
bash
binutils
bzip2
coreutils
diffutils
findutils
grep
gzip
lz4
python3
sed
tar
xz
The Buildroot manual requires a few packages (bash, binutils, bzip2,
gzip, sed and tar) to be installed on the host system, so we need not
add those. Additionally, and even though they are not in that list,
that grep and find are also required (we already make extensive use of
both everywhere, so it is as good as them being in the list).
We have a host variant for coreutils, but only for systems that do not
already have a recent-enough one, i.e. that provides 'realpath' and
'ln --relative'. opkg-utils uses neither, so can rely on the ones on the
system.
Only add dependencies on the remaining host tools: diffutils, lz4, and
xz.
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
[yann.morin.1998@free.fr:
- drop excessive dependencies,
- reword the commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
opkg-utils is a package that only provides bash and python scripts.
Upon further inspection of the Makefile for the package, invoking
`make` only ever builds the manpage. The previous commit dropped the
installation of the manpage. This makes the build step unnecessary so
remove it.
Add a comment to explain the situation
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When `make install` is run to install the opkg-utils scripts, it also
invokes building of the man page for opkg-build. The generation of the
man page requires `pod2man` executable which is a part of perl.
Since buildroot does not support man pages in the host directory,
patch the opkg-utils Makefile to separate the installation of man
pages and utility scripts.
With the options to install man pages and utils separately, only
install the opkg-utils scripts.
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Aufs has been deprecated for the purposes of Docker/containers since overlay2
became the mainline kernel module of choice.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Changelog according to [1]:
sysvinit (2.99) released; urgency=low
* Fixed typos and missing underlines in shutdown manual page.
Corrections provided by Helge Kreutzmann.
[1] https://fossies.org/linux/sysvinit/doc/Changelog
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- update COPYING file hash (URL update from http to https)
For details see [1].
[1] https://fossies.org/linux/bison/ChangeLog
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Upstream has not released an xz-compressed tarball this time,
so switch back to the gz-compressed one...
For details see [1].
[1] https://github.com/dosfstools/dosfstools/releases/tag/v4.2
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
go1.16.1 (released 2021/03/10) includes security fixes to the archive/zip and
encoding/xml packages.
go1.16.2 (released 2021/03/11) includes fixes to cgo, the compiler, linker, the
go command, and the syscall and time packages.
https://golang.org/doc/devel/release.html#go1.16
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|.
- Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the
largest supported size.
- Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is
beyond FD_SETSIZE.
- Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code.
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: fix the hash after upstream mess-up]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The previous course has ended, announce the next one.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since bump to version 5.1 in commit
9e778b044c, seventh patch wrongly defines
wcdequote_pathname as static which will result in the following build
failure:
smatch.c:(.text+0x22f0): undefined reference to `wcdequote_pathname'
Fixes:
- http://autobuild.buildroot.org/results/d83f5d260dccd38984ec6fdb340835ca928bb687
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the start-stop-daemon enabled (instead of the busybox applet),
stopping transmission emits spurious warnings:
$ /etc/init.d/S92transmission stop
Stopping bittorrent client transmission-daemon...
start-stop-daemon: warning: this system is not able to track process names
longer than 15 characters, please use --exec instead of --name.
Update our startup script to match what was done upstream 9 years ago:
https://trac.transmissionbt.com/ticket/4724https://trac.transmissionbt.com/wiki/Scripts/initd?action=diff&version=24&old_version=23
Partially fixes:
- https://bugs.busybox.net/show_bug.cgi?id=13576
Reported-by: ingineru_de_sistem@yahoo.com
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- reword commit log
- add reference to upstream ticket and changeset
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
In Buildroot, the SSP flags are passed via the wrapper, and only flags
supported by the toolchain will be used.
Add patch to remove '-fstack-protector-strong' compile flag.
Fixes:
.../aarch64-buildroot-linux-uclibc/bin/ld: runlevel.o: in function `main':
runlevel.c:(.text.startup+0x4): undefined reference to `__stack_chk_guard'
.../aarch64-buildroot-linux-uclibc/bin/ld: cannot find -lssp_nonshared
.../aarch64-buildroot-linux-uclibc/bin/ld: cannot find -lssp
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
