- Aug 29, 2020
-
-
Peter Korsgaard authored
Signed-off-by:
Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 1549e0b60751eab41e2d51899981d43d602275af) [Peter: drop Makefile changes] Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Commit 8f5a9f59 forgot to drop SYNC4 from comment Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Titouan Christophe authored
Mosquitto 1.6.11 is a bugfix release, read the whole announcement on http://mosquitto.org/blog/2020/08/version-1-6-11-released/

Mosquitto 1.6.12 is a security and bugfix release, read http://mosquitto.org/blog/2020/08/version-1-6-12-released/

From the 1.6.11 changelog of the client library:

    mosquitto_loop_start() now sets a thread name on Linux, FreeBSD, NetBSD, and OpenBSD. Closes #1777.

This is done with pthread_setname_np; so mosquitto now requires BR2_TOOLCHAIN_HAS_THREADS_NPTL when built with threading support.

2 reverse dependencies use the threaded API, but they already depend on BR2_TOOLCHAIN_HAS_THREADS_NPTL:
* domoticz [1] (we add a comment for mosquitto)
* shairport-sync [2]

[1] https://github.com/domoticz/domoticz/blob/2020.1/main/mosquitto_helper.cpp#L344
[2] https://github.com/mikebrady/shairport-sync/blob/3.3.6/mqtt.c#L227-L229

Signed-off-by:
Titouan Christophe <titouan.christophe@railnova.eu> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Titouan Christophe authored
In 4fc62e1e, we removed arch/toolchain dependencies from the mosquitto library (MMU, !STATIC, SYNC4), and moved them to the mosquitto broker only. All the packages modified here only need the mosquitto library, so they shouldn't have those depends anymore; but this was never done before. Signed-off-by:
Titouan Christophe <titouan.christophe@railnova.eu> [Peter: leave mmu/!static dependency for domoticz as it uses fork()/looks for libmosquitto.so] Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Fixes: - http://autobuild.buildroot.org/results/21098180d386890025ed5cdd243bf5a9b444c5cf Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Drop patch (already in version) http://www.haproxy.org/download/2.2/src/CHANGELOG Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Fixes: - http://autobuild.buildroot.org/results/b93ce5430bf22ddda94ee30882a883348617f5b1 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Disable audit for host package to avoid getting the following error if it is found on host:

    [84/662] Generating audit_type-list.txt with a meson_exe.py custom command
    In file included from <command-line>:32:
    ./../src/basic/missing_audit.h:7:10: fatal error: libaudit.h: No such file or directory
        7 | #include <libaudit.h>
          |          ^~~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/67782c225c08387c1bbcbea9eee3ca12bc6577cd

Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Build with cryptsetup and without libblkid will fail on:

    ../src/shared/dissect-image.c:1336:34: error: 'N_DEVICE_NODE_LIST_ATTEMPTS' undeclared (first use in this function)
     1336 |         for (unsigned i = 0; i < N_DEVICE_NODE_LIST_ATTEMPTS; i++) {
          |                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~

This bug has been reported upstream: https://github.com/systemd/systemd/pull/16901 and is not an issue for the target variant as libblkid is selected by BR2_PACKAGE_UTIL_LINUX_MOUNT

As cryptsetup does not seem needed for host-systemd, just disable it

Fixes:
 - http://autobuild.buildroot.org/results/67782c225c08387c1bbcbea9eee3ca12bc6577cd

Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
As 18f6c261 just did to silence the file lists commands, switch to using $(Q) instead of a plain @, to silence the commands. Using $(Q) will allow to debug the commands with V=1.

We keep @ for the calls to MESSAGE, though.

The commands that are not currently silenced are left as-is, and they can be converted to being silent in a followup patch, if need be.

Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Paul Cercueil authored
If the modules directory that corresponds to the version of the kernel being built has been deleted, don't try to run depmod, which will obviously fail. This can happen for instance when the modules are stripped from the main root filesystem, and placed into a separate filesystem image, so that the root filesystem and the kernel can be updated separately. Signed-off-by:
Paul Cercueil <paul@crapouillou.net> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Peter Korsgaard authored
Commit 98a6f1fc (fs/cpio: make initramfs init script survive 'console=' kernel argument) dropped the explicit /dev/console execs for fd 0,1,2, as they fail when booted with console= and aren't really needed as the kernel will setup fd 0,1,2 from /dev/console before executing the initramfs anyway.

Not doing this unfortunately confuses glibc's ttyname_r(3) implementation (used by E.G. busybox/coreutils 'tty'), causing it to fail with ENOENT as it does a fstat on fd 0 and tries to match up st_ino / st_dev against the entries in /dev (since glibc 2.26):

    commit 15e9a4f378c8607c2ae1aa465436af4321db0e23
    Author: Christian Brauner <christian.brauner@canonical.com>
    Date:   Fri Jan 27 15:59:59 2017 +0100

        linux ttyname and ttyname_r: do not return wrong results

        If a link (say /proc/self/fd/0) pointing to a device, say /dev/pts/2, in a parent mount namespace is passed to ttyname, and a /dev/pts/2 exists (in a different devpts) in the current namespace, then it returns /dev/pts/2. But /dev/pts/2 is NOT the current tty, it is a different file and device.

        Detect this case and return ENODEV. Userspace can choose to take this as a hint that the fd points to a tty device but to act on the fd rather than the link.

        Signed-off-by: Serge Hallyn <serge@hallyn.com>
        Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The reason it fails is that we manually mount devtmpfs on /dev in /init, so the /dev/console used by the kernel (in rootfs) is not the same file as /dev/console at runtime (in devtmpfs).

Notice: Once logged in, tty does work correctly. Presumably login reopens stdin/stdout/stderr.

To fix this, re-add the exec of /dev/console for fd 0,1,2, but only do so if possible. Because of the above mentioned shell behaviour (specified by POSIX [0]), perform this check in a subshell.

[0] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_20_01

Signed-off-by:
Peter Korsgaard <peter@korsgaard.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Fabrice Fontaine authored
 - Bug fix release: https://linuxcontainers.org/fr/lxc/news
 - Drop patch (already in version)

Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
 - Fix CVE-2020-14349: It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.
 - Fix CVE-2020-14350: It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.

https://www.postgresql.org/docs/12/release-12-4.html

Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
SERVER-47733 SymmetricEncryptorWindows shouldn’t pad when update is called https://docs.mongodb.com/manual/release-notes/4.2-changelog/#id1 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Thomas Petazzoni authored
Since commit 0e2be4db ("package/pkg-generic: make file list logic parallel build compatible"), the commands executed at the very end of the build to assemble the list of files installed by the different packages are visible in the make output. They are quite noisy, and clutter the output.

The other commands in target-finalize are also hidden using "@", so we should also do the same for those commands. But that hurts debuggability, so we use $(Q) (the existing '@'s can be changed in a followup patch).

Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com> [yann.morin.1998@free.fr: use '$(Q)', not '@'] Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Peter Korsgaard authored
Fixes the following security issues:

CVE-2020-15810: HTTP(S) Request Smuggling
Due to incorrect data validation Squid is vulnerable to HTTP Request Smuggling attacks against HTTP and HTTPS traffic. This leads to cache poisoning.
https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m

CVE-2020-15811: HTTP(S) Request Splitting
Due to incorrect data validation Squid is vulnerable to HTTP Request Splitting attacks against HTTP and HTTPS traffic. This leads to cache poisoning.
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv

CVE-2020-24606: Denial of Service processing Cache Digest Response
Due to Improper Input Validation Squid is vulnerable to a Denial of Service attack against the machine operating Squid.
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg

Signed-off-by:
Peter Korsgaard <peter@korsgaard.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Fabrice Fontaine authored
wolfSSL version 4.5.0 contains 6 vulnerability fixes: 2 fixes for TLS 1.3, 2 side channel attack mitigations, 1 fix for a potential private key leak in a specific use case, 1 fix for DTLS including those 3 CVEs:
 - Fix CVE-2020-12457: An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.
 - Fix CVE-2020-15309: An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Local attackers can conduct a cache-timing attack against public key operations. These attackers may already have obtained sensitive information if the affected system has been used for private key operations (e.g., signing with a private key).
 - Fix CVE-2020-24585: An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application.

Also update hash of LICENSING as well as WOLF_LICENSE due to later verbiage update with https://github.com/wolfSSL/wolfssl/commit/970391319beb023680eccd0e447e76834dbb4808

https://www.wolfssl.com/docs/security-vulnerabilities/

Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Fabrice Fontaine authored
Fix CVE-2020-17498: In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression. https://www.wireshark.org/security/wnpa-sec-2020-10.html Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
- Aug 28, 2020
-
-
Fabrice Fontaine authored
Fixes: - http://autobuild.buildroot.org/results/02828f2d9956d1e3727774b5045790aa3611428d Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Fabrice Fontaine authored
Fixes: - http://autobuild.buildroot.org/results/2641cea0483c5f6b65ece8016d546ee9bea0d7d1 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Peter Korsgaard authored
Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes the following security issue: CVE-2016-10228: An infinite loop has been fixed in the iconv program when invoked with the -c option and when processing invalid multi-byte input sequences. Reported by Jan Engelhardt. Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
openal uses std::max_align_t since version 1.20.0 and https://github.com/kcat/openal-soft/commit/585b0cf3bed7d1c5720633eb7e5358a9fca865f6

As a result, it is affected by https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56019 and the build with gcc <= 4.8 will fail on:

    /home/buildroot/autobuild/instance-2/output-1/build/openal-1.20.1/common/almalloc.cpp: In function 'void* al_malloc(size_t, size_t)':
    /home/buildroot/autobuild/instance-2/output-1/build/openal-1.20.1/common/almalloc.cpp:20:45: error: 'max_align_t' is not a member of 'std'
         alignment = std::max(alignment, alignof(std::max_align_t));
                                                 ^

Fixes:
 - http://autobuild.buildroot.org/results/589c7853ce334c7502f7cd4cdbcaaf3c6840f43b

Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Adam Duskett authored
Many of the mender CLI commands use systemctl commands to get information about the daemon, such as the PID (IE: systemctl show -p MainPID mender-client). As seen above, these commands expect the service file to be named "mender-client" instead of "mender." As such, in the current state, running a forced update check in the CLI will result in the following error: failed to force updateCheck: could not find the PID of the mender daemon. Changing the name of mender.service to mender-client.service fixes the issue. Signed-off-by:
Adam Duskett <Aduskett@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
On Ubuntu 18.04, make-4.1 emits spurious, incorrect "entering/leaving" messages, which end up in the LINUX_VERSION_PROBED variable:

    printf 'probed linux version: "%s"\n' "$(LINUX_VERSION_PROBED)"
    probed linux version: "make[1]: Entering directory '/home/buildroot'
    4.19.78-linux4sam-6.2
    make[1]: Leaving directory '/home/buildroot/output/build/linux-linux4sam_6.2'"

First, the messages are displayed even though we do explicitly pass --no-print-directory -s.

Second, the entering and leaving messages are not about the same directory!

This *only* occurs in the following conditions:

  - the user has the correct 0022 umask,
  - top-level parallel is used (with or without PPD),
  - initial -C is specified as well.

    $ umask 0022
    $ make -j16 -C $(pwd)
    [...]
    depmod: ERROR: Bad version passed make[1]:
    [...]

(yes, 'make[1]:' is the string depmod is trying, and fails, to parse as a version string).

If any of the three conditions above is removed, the problem no longer occurs. Here's a table of the MAKEFLAGS:

                |                     0002                       |           0022           |
    ----+-------+------------------------------------------------+--------------------------+
        | no-j  | --no-print-directory --                        |                          |
    noC |       +------------------------------------------------+--------------------------+
        | -j16  | -j --jobserver-fds=3,4 --no-print-directory -- | -j --jobserver-fds=3,4   |
    ----+-------+------------------------------------------------+--------------------------+
        | no-j  | --no-print-directory --                        | w                        |
    -C  |       +------------------------------------------------+--------------------------+
        | -j16  | -j --jobserver-fds=3,4 --no-print-directory -- | w -j --jobserver-fds=3,4 |
    ----+-------+------------------------------------------------+--------------------------+

    0002: umask == 0002
    0022: umask == 0022
    no-j: no -j flag
    -j16: -j16 flag
    noC:  no -C flag
    -C :  -C /path/of/buildroot/

Only the bottom-right-most case fails...

This behaviour goes against what is documented:

    https://www.gnu.org/software/make/manual/make.html#g_t_002dw-Option

    5.7.4 The ‘--print-directory’ Option
    [...]
    you do not need to specify this option because ‘make’ does it for you: ‘-w’ is turned on automatically when you use the ‘-C’ option, and in sub-makes. make will not automatically turn on ‘-w’ if you also use ‘-s’, which says to be silent, or if you use ‘--no-print-directory’ to explicitly disable it.

So this exactly describes our situation; yet 'w' is added to MAKEFLAGS.

Getting rid of the 'w' flag makes the build succeed again, so that's what we do here (bleark, icky)...

Furthermore, the documented way to override MAKEFLAGS is to do so as a make parameter:

    https://www.gnu.org/software/make/manual/make.html#Options_002fRecursion

    5.7.3 Communicating Options to a Sub-make
    [...]
    If you do not want to pass the other flags down, you must change the value of MAKEFLAGS, like this:

        subsystem:
                cd subdir && $(MAKE) MAKEFLAGS=

However, doing so does not fix the issue. So we resort to pass the modified MAKEFLAGS via the environment (bleark, icky)...

Fixes: #13141

Reported-by:
Laurent <laurent@neko-labs.eu> Reported-by:
Asaf Kahlon <asafka7@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes the following security issues:

CVE-2020-24332
If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks

CVE-2020-24330
If the tcsd daemon is started with root privileges, it fails to drop the root gid after it is no longer needed

CVE-2020-24331
If the tcsd daemon is started with root privileges, the tss user has read and write access to the /etc/tcsd.conf file

For details, see the advisory: https://www.openwall.com/lists/oss-security/2020/05/20/3

Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Fixes CVE-2020-14363: https://lists.x.org/archives/xorg-announce/2020-August/003056.html Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Bernd Kuhls authored
Fixes CVE-2020-14345, CVE-2020-14346, CVE-2020-14361 & CVE-2020-1436: https://lists.x.org/archives/xorg-announce/2020-August/003058.html

Removed patch 0002, not needed anymore due to upstream commit https://cgit.freedesktop.org/xorg/xserver/commit/configure.ac?h=server-1.20-branch&id=c601c8faf54ff9e3bcbc653421828d71042deef7

Build-tested with wayland:

    checking for a useful monotonic clock ...... checking whether CLOCK_MONOTONIC is declared... yes guessing yes

Removed patch 0007, included in upstream release.

Rebased and renumbered remaining patches.

Reformatted license hashes.

Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
- Aug 27, 2020
-
-
Fabrice Fontaine authored
 - Fix CVE-2019-5163: An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher and a local_address, arbitrary UDP packets can cause a FATAL error code path and exit. An attacker can send arbitrary UDP packets to trigger this vulnerability.
 - Fix CVE-2019-5164: An exploitable code execution vulnerability exists in the ss-manager binary of Shadowsocks-libev 3.3.2. Specially crafted network packets sent to ss-manager can cause an arbitrary binary to run, resulting in code execution and privilege escalation. An attacker can send network packets to trigger this vulnerability.

Also update indentation in hash file (two spaces)

Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Fabrice Fontaine authored
Commit b006cc37 forgot to add the OPENJPEG_IGNORE_CVES entry Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Fabrice Fontaine authored
Hopefully, this should fix the following error on one of the autobuilders:

    png: no [The C/C++ header for libpng (png.h) could not be found. You may need to install the development package.]

Fixes:
 - http://autobuild.buildroot.org/results/afddcc44b2fb7983244f24542bfae921869e4ab8

Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Fabrice Fontaine authored
Fixes: - http://autobuild.buildroot.org/results/9c777af97fe50143c6a68f0170fc86c87d8ead3f Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Fabrice Fontaine authored
Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Gwenhael Goavec-Merou authored
gnuradio-runtimeTargets.cmake and gnuradio-pmtTargets.cmake are filled using CMAKE_INSTALL_PREFIX for INSTALL_INTERFACE. Since CMAKE_INSTALL_PREFIX, in buildroot, is set to /usr, these files contain paths to the host system.

With BR2_COMPILER_PARANOID_UNSAFE_PATH package using gnuradio fails with:

    arm-linux-gnueabihf-g++: ERROR: unsafe header/library path used in cross-compilation: '-isystem' '/usr/include'

By simply providing 'include', produced .cmake contains:

    INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"

instead of

    INTERFACE_INCLUDE_DIRECTORIES "/usr/include"

[Upstream status: https://github.com/gnuradio/gnuradio/pull/3737]

Fix (many) gr-osmosdr build failure:
 - http://autobuild.buildroot.net/results/66b76c07f15bb3e6db697c47796ae3dd15ecf4b9/

Signed-off-by:
Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Heiko Thiery authored
Signed-off-by:
Heiko Thiery <heiko.thiery@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Fabrice Fontaine authored
Fix CVE-2020-15389: jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice. Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Fabrice Fontaine authored
Fix CVE-2020-12762: json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. Also update indentation in hash file (two spaces) Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-