- Feb 28, 2022
-
-
Peter Korsgaard authored
Signed-off-by:
Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit eeb8c004daf3e09eecdc62af993c74a118e5e5f9) Signed-off-by:
-
Fabrice Fontaine authored
Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Update license (md5crypt removed, bcrypt relicensed to BSD-3-Clause: https://github.com/openssh/openssh-portable/commit/a5ab4882348d26addc9830a44e053238dfa2cb58 https://github.com/openssh/openssh-portable/commit/158bf854e2a22cf09064305f4a4e442670562685 https://github.com/openssh/openssh-portable/commit/c0459588b8d00b73e506c6095958ecfe62a4a7ba) https://www.openssh.com/txt/release-8.9 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
-
Francois Perrad authored
see https://www.gnutls.org/security-new.html#GNUTLS-SA-2022-01-17 Signed-off-by:
Francois Perrad <francois.perrad@gadz.org> Signed-off-by:
-
Fabrice Fontaine authored
Fix CVE-2022-0554: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2. Signed-off-by:
-
Bernd Kuhls authored
Release notes: https://www.samba.org/samba/history/samba-4.15.5.html Fixes CVE-2021-44141, CVE-2021-44142 & CVE-2022-0336. Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
-
Fabrice Fontaine authored
Fix CVE-2021-46665, CVE-2021-46664, CVE-2021-46661, CVE-2021-46668, CVE-2021-46663, CVE-2022-24052, CVE-2022-24051, CVE-2022-24050, CVE-2022-24048, CVE-2021-46659, CVE-2021-35604, CVE-2021-46667, CVE-2021-46662, CVE-2021-2372, CVE-2021-2389 and CVE-2021-46658 Update hash of README.md (changes not related to license: https://github.com/MariaDB/server/commit/773a07b65517327add6348c045cee14bdf489fe0) https://mariadb.com/kb/en/mariadb-10334-release-notes/ https://mariadb.com/kb/en/mariadb-10333-release-notes/ https://mariadb.com/kb/en/mariadb-10332-release-notes/ https://mariadb.com/kb/en/mariadb-10331-release-notes/ Signed-off-by:
-
Fabrice Fontaine authored
Fix the following security issues (i.e. CVE-2021-37706, CVE-2021-41141, CVE-2021-43804, CVE-2021-43845, CVE-2022-21722 and CVE-2022-21723): - Potential integer underflow upon receiving STUN message (GHSA-2qpg-f6wf-w984) - Use after free of dialog set (GHSA-ffff-m5fm-qm62) - Missing unreleased of locks in failure cases (GHSA-8fmx-hqw7-6gmc) - Potential out-of-bounds read when parsing RTCP BYE message (GHSA-3qx3-cg72-wrh9) - Prevent OOB read for RTCP XR block (GHSA-r374-qrwv-86hh) - Potential buffer overflow in pjsua_player_create(), pjsua_recorder_create(), pjmedia_wav_player_create(), and pjsua_call_dump() (GHSA-qcvw-h34v-c7r9) - Potential out-of-bound read during RTP/RTCP parsing (GHSA-m66q-q64c-hv36) - Prevent OOB read in multipart parsing (GHSA-7fw8-54cv-r7pm) - Use after free of dialog set (GHSA-ffff-m5fm-qm62) https://github.com/pjsip/pjproject/releases/tag/2.12 Signed-off-by:
-
Fabrice Fontaine authored
Fix the following security issues: - [CVE-2022-23308] Use-after-free of ID and IDREF attributes - Use-after-free in xmlXIncludeCopyRange - Fix Null-deref-in-xmlSchemaGetComponentTargetNs - Fix memory leak in xmlXPathCompNodeTest - Fix null pointer deref in xmlStringGetNodeList - Fix several memory leaks found by Coverity https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.13 Signed-off-by:
-
Fabrice Fontaine authored
Fix the following build failure raised on uclibc and musl since the addition of libexecinfo package in commit eea8ba44: /home/buildroot/autobuild/instance-0/output-1/host/lib/gcc/riscv64-buildroot-linux-uclibc/10.3.0/../../../../riscv64-buildroot-linux-uclibc/bin/ld: ../../libwinpr/libwinpr2.so.2.5.0: undefined reference to `backtrace_symbols_fd' Fixes: - http://autobuild.buildroot.org/results/095c33098a6e59ff664080e03baf1a3c92b4265f Signed-off-by:
-
Fabrice Fontaine authored
Fix CVE-2021-44718, CVE-2022-23408, CVE-2022-25638 and CVE-2022-25640 https://www.wolfssl.com/docs/security-vulnerabilities https://github.com/wolfSSL/wolfssl/blob/v5.2.0-stable/ChangeLog.md Signed-off-by:
-
Fabrice Fontaine authored
Extract from NEWS: - Changes in v2021.08 - Security Fixes - Changes in v2021.07 - Security Fixes https://gitlab.freedesktop.org/libopenraw/exempi/-/blob/2.6.1/NEWS Signed-off-by:
-
Fabrice Fontaine authored
Fix CVE-2022-24130: xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text. Update hash of COPYING (update in year) https://invisible-island.net/xterm/xterm.log.html#xterm_371 Signed-off-by:
-
Fabrice Fontaine authored
Fix CVE-2021-4190, CVE-2022-0581, CVE-2022-0582, CVE-2022-0583, CVE-2022-0585 and CVE-2022-0586 https://www.wireshark.org/security/wnpa-sec-2021-22.html https://www.wireshark.org/security/wnpa-sec-2022-01.html https://www.wireshark.org/security/wnpa-sec-2022-02.html https://www.wireshark.org/security/wnpa-sec-2022-03.html https://www.wireshark.org/security/wnpa-sec-2022-04.html https://www.wireshark.org/security/wnpa-sec-2022-05.html Signed-off-by:
-
- Feb 23, 2022
-
-
James Hilliard authored
Fixes: http://autobuild.buildroot.net/results/8bf/8bfc2abe3ab7a0b53aa717c800a4c7a3c964f426 Signed-off-by:
James Hilliard <james.hilliard1@gmail.com> Signed-off-by:
Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
-
Fabrice Fontaine authored
Set FRR_XREF_NO_NOTE to avoid the following build failures with microblazeel, nds32 and xtensa raised since bump to version 8.1 in commit ca2753fd: _clippy.ELFAccessError: virtual address (538157256) not found in program headers [...] /tmp/ccFGv94v.s:13: Error: can't resolve `__start_xref_array' {*UND* section} - `L0' {.note.FRR section} /tmp/ccFGv94v.s:14: Error: can't resolve `__stop_xref_array' {*UND* section} - `L0' {.note.FRR section} Here is an extract of https://github.com/FRRouting/frr/blob/7347a4859d4b984cea0aef769a16622d3f02e44f/lib/xref.h: "the following blurb emits an ELF note indicating start and end of the xref array in the binary. This is technically the "correct" entry point for external tools reading xrefs out of an ELF shared library or executable. ... FRR itself does not need this note to operate correctly, so if you have some build issue with it just add -DFRR_XREF_NO_NOTE to your build flags to disable it." In other words, this is only *possibly* needed for another package that wants to extracts the xrefs. We currently don't have anything that depends on frr in-tree, and it's not even installed in staging, so it's hard to check, but it seems pretty unlikely that this is really needed. Fixes: - http://autobuild.buildroot.org/results/3cdb50f5e5a1b3f37a6edcd4276fcbf015e28828 - http://autobuild.buildroot.org/results/a3cc0b5090a1faa2bca9c8dfe0fec9b6a918ba4d - http://autobuild.buildroot.org/results/694cc65478a82ec93d2074252892036855cdc49d Signed-off-by:
-
Fabrice Fontaine authored
Fix the following build failure with glibc < 2.25 raised since bump to version 5.63 in commit d4c6cf4b: plugins/autopair.c:20:24: fatal error: sys/random.h: No such file or directory #include <sys/random.h> ^ Fixes: - http://autobuild.buildroot.org/results/6b8870d12e0804d6154230a7322c49416c1dc0e2 Signed-off-by:
-
Fabrice Fontaine authored
Disable sampling profiler on musl to avoid the following build falure raised since bump to version 5.212.0-alpha4 in commit df0b0fe6: /home/buildroot/autobuild/instance-0/output-1/build/qt5webkit-5.212.0-alpha4/Source/JavaScriptCore/heap/MachineStackMarker.cpp:686:2: error: #error Need a way to get the frame pointer for another thread on this platform 686 | #error Need a way to get the frame pointer for another thread on this platform | ^~~~~ Fixes: - http://autobuild.buildroot.org/results/87f52db7f8ebefa4c1ae3dd70d4a7a460f9aca35 Signed-off-by:
-
Neal Frager authored
Add a U-Boot config fragment to set the correct control device tree file for each board, rather than using the default (zcu100). Signed-off-by:
Neal Frager <neal.frager@xilinx.com> Tested-by:
-
Fabrice Fontaine authored
fbdev raises the following build failure since bump to version 10.0.0 in commit f67a6e9b and https://gitlab.freedesktop.org/wayland/weston/-/commit/6338dbd5816689b2f08f48b359a972e16ff038d8: ../output-1/build/weston-10.0.0/meson.build:133:7: ERROR: Tried to access unknown option 'backend-fbdev'. Drop fbdev to avoid this build failure as upstream is reluctant to properly fix this issue by renaming the fbdev option in stable release: https://gitlab.freedesktop.org/wayland/weston/-/merge_requests/791 Fixes: - http://autobuild.buildroot.org/results/e669a6237c19783c627169c819d7372e20daaf54 Signed-off-by:
-
Fabrice Fontaine authored
upstream advocated that DRM backend can be built without GBM: https://gitlab.freedesktop.org/wayland/weston/-/merge_requests/791 so drop dependencies on BR2_PACKAGE_MESA3D_OPENGL_EGL || BR2_PACKAGE_IMX_GPU_VIV_OUTPUT_WL to allow DRM to be the default backend when fbdev will be removed in the follow-up patch Signed-off-by:
-
Peter Korsgaard authored
U-Boot looks for the environment variable DEVICE_TREE and uses its value if set instead of the CONFIG_DEFAULT_DEVICE_TREE configuration option since v2021.01, more specifically commit c0f1ebe9c1b9745e (binman: Allow selecting default FIT configuration) - So unexport it like we do for other "troublesome" environment variables to ensure consistent behaviour. Reported-by:
Neal Frager <nealf@xilinx.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
- Feb 22, 2022
-
-
Adrian Perez de Castro authored
This is a minor maintenance release. The release incorporates "0001-Fix-musl-compilation-by-adding-TEMP_FAILURE_RETRY.patch", which can now be removed. Release notes: https://github.com/flatpak/xdg-dbus-proxy/releases/tag/0.1.3 Signed-off-by:
Adrian Perez de Castro <aperez@igalia.com> Signed-off-by:
-
Fabrice Fontaine authored
This release mostly fixes (security related) bugs including: - Fix 12 decoder bugs found by oss-fuzz, including CVE-2020-0499 - Fix encoder bug CVE-2021-0561 Also: - Replace first patch which was reverted by https://github.com/xiph/flac/commit/4fbb6d4f2ecf2a96c17ea9880108409f852c08a9 - Disable stack protection (enabled by default since https://github.com/xiph/flac/commit/f706f2832270a0b7851cdffe62ad37acda9423fe) - Drop md5 which is not provided anymore - Update indentation in hash file (two spaces) https://github.com/xiph/flac/releases/tag/1.3.4 Signed-off-by:
-
Romain Naour authored
# python sample_python_txtorcon.py Traceback (most recent call last): File "/root/sample_python_txtorcon.py", line 1, in <module> import txtorcon # noqa File "/usr/lib/python3.10/site-packages/txtorcon/__init__.py", line 11, in <module> File "/usr/lib/python3.10/site-packages/txtorcon/router.py", line 10, in <module> File "/usr/lib/python3.10/site-packages/txtorcon/util.py", line 17, in <module> File "/usr/lib/python3.10/site-packages/twisted/internet/defer.py", line 42, in <module> ModuleNotFoundError: No module named 'typing_extensions' python typing_extensions is required since python-twisted 22.1.0 [1] Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/2116202537 [1] https://github.com/twisted/twisted/commit/6e768da0a10c8ab42a57a1c0fa505ebe2d8bfb30 Signed-off-by:Romain Naour <romain.naour@gmail.com> Signed-off-by:
-
- Feb 21, 2022
-
-
Peter Korsgaard authored
Fixes https://gitlab.com/buildroot.org/buildroot/-/jobs/2088684091 python sample_python_pyyaml_dec.py Traceback (most recent call last): File "/root/sample_python_pyyaml_dec.py", line 5, in <module> data = yaml.load(serialized) TypeError: load() missing 1 required positional argument: 'Loader' yaml.load() requires a loader argument since the move to version 6.0: https://github.com/yaml/pyyaml/pull/561 The test does not need the extra functionality of load(), so instead move to the recommended safe_load(). Signed-off-by:
-
- Feb 20, 2022
-
-
Peter Korsgaard authored
Signed-off-by: -
Fabrice Fontaine authored
XDRIVER_XF86_VIDEO_TDFX_CONF_OPTS is wrongly overridden in a conditional since commit 7614ca03 Signed-off-by:
-
Fabrice Fontaine authored
XDRIVER_XF86_VIDEO_SAVAGE_CONF_OPTS is wrongly overridden in a conditional since commit c38103f2 Signed-off-by:
-
Fabrice Fontaine authored
XDRIVER_XF86_VIDEO_R128_CONF_OPTS is wrongly overridden in a conditional since commit 082b6531 Signed-off-by:
-
Fabrice Fontaine authored
XDRIVER_XF86_VIDEO_MACH64_CONF_OPTS is wrongly overridden in a conditional since commit cf26ae7d Signed-off-by:
-
Fabrice Fontaine authored
Fix CVE-2022-21699: IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade. Also update indentation in hash file (two spaces) https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x Signed-off-by:
-
Fabrice Fontaine authored
host-librsvg install a gdk-pixbuf module (aka plugin). As such, it needs to update [0] the modules cache (a kind of registry of which modules are installed and what the can handle). To that effect, it calls the utility gdk-pixbuf-queryloaders, which generates the cache of existing modules. gdk-pixbuf-queryloaders, from the gdk-pixbuf package, has been configured to be relocatable. However, it still embeds the path to where it was instaled, and thus where to look modules from. If it is run from its install location, then gdk-pixbuf-queryloaders looks modules in that location, and generates a modules cache with relative paths; otherwise, it still looks at that location, but generates a cache with absolute paths. In the later case, it will miss the modules that have not been installed by gdk-pixbuf itself. In the case of host-librsvg, that will miss the fact that librsvg just happened to have installed a module. Further down the road, packages that depend on host-librsvg, will get their PPD prepared, the path fixup hook run, so that the cache properly points to the current package's PPD, but the cache will not include the SVG module, which causes failures to load CVG images: Can't load file: Unrecognized image file format So, we need to tell gdk-pixbuf-queryloaders where the module path is, which restores the relativity of the paths it reports, by specifying the modules path pointing to the current package's PPD, passed in the environement variable GDK_PIXBUF_MODULEDIR. We need to do that at install time, so that the SVG module is properly listed in the cache, so that dependees can use it. A temporary cache is also generated at build time, but its usefullness is dubious; it seem to only be used by the test tool, which we do not run. However, for consistency-sake, we also fix that. Fixes: - http://autobuild.buildroot.org/results/0e00059b09b4445eaaec1030997883187c6a80d6 [0] This will trigger file-overwrite detection in the future... But we currently do not have infrastructure to properly handle such a cache. Signed-off-by: -
Fabrice Fontaine authored
XDRIVER_XF86_VIDEO_ATI_CONF_OPTS is wrongly overridden in a conditional since commit daa433bf Signed-off-by:
-
Fabrice Fontaine authored
Replace PYTHON_VERSION_MAJOR by PYTHON3_VERSION_MAJOR now that python2 has been dropped Signed-off-by:
-
Fabrice Fontaine authored
Replace PYTHON_VERSION_MAJOR by PYTHON3_VERSION_MAJOR now that python2 has been dropped. It should be noted that PYTHON_SITE_PKG was wrongly set since the addition of the package in commit 4470bc99 Signed-off-by:
-
Fabrice Fontaine authored
This release fixes a regression introduced by one of the security fixes in 2.4.5. https://blog.hartwork.org/posts/expat-2-4-6-released https://github.com/libexpat/libexpat/blob/R_2_4_6/expat/Changes Signed-off-by:
-
Fabrice Fontaine authored
Fix CVE-2022-21712: twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds. Update hash of license file (author added and update in year: https://github.com/twisted/twisted/commit/13aa59746a73769b05a51c2198b28f5602dd382f https://github.com/twisted/twisted/commit/adfdf23477abfcd09a867347993fc1d207cfb4dd https://github.com/twisted/twisted/commit/7e65fbeed3d74a4eb1c40d7a6df5651782becbc8) https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx https://github.com/twisted/twisted/releases/tag/twisted-22.1.0 Signed-off-by:
-
Adrian Perez de Castro authored
Make webkitgtk enable color management support if the lcms2 package has been selected. Signed-off-by:
-
Adrian Perez de Castro authored
Update to a new major release which brings in improvements, a number of new features, and security fixes. Release notes: https://webkitgtk.org/2021/09/22/webkitgtk2.34.0-released.html https://webkitgtk.org/2021/10/21/webkitgtk2.34.1-released.html https://webkitgtk.org/2021/11/24/webkitgtk2.34.2-released.html https://webkitgtk.org/2021/12/20/webkitgtk2.34.3-released.html https://webkitgtk.org/2022/01/21/webkitgtk2.34.4-released.html https://webkitgtk.org/2022/02/09/webkitgtk2.34.5-released.html https://webkitgtk.org/2022/02/17/webkitgtk2.34.6-released.html Security advisories: https://webkitgtk.org/security/WSA-2021-0007.html https://webkitgtk.org/security/WSA-2022-0001.html https://webkitgtk.org/security/WSA-2022-0002.html https://webkitgtk.org/security/WSA-2022-0003.html Some of the new features require additional dependencies: HTTP/2 requires libsoup3, which is not yet packaged in Buildroot, and disabled at the moment (with -DUSE_SOUP2=ON, to keep using libsoup2); and the color management support needs LCMS2 (which will be enabled in a follow-up patch.) Options SILENCE_CROSS_COMPILATION_NOTICES and ENABLE_GRAPHICS_CONTEXT_GL do not exist anymore, and their usage is dropped. Signed-off-by:
-
Fabrice Fontaine authored
gdk-pixbuf is based on plugins (modules in gdk-pixbuf parlance) that are provided either by the gdk-pixbuf package itself, or be installed by third-party packages, like librsvg. At runtime, those plugins get loaded by helper function in the gdk-pixbuf library. The location where to find those modules is currently hard-coded at build time, to the location where gdb-pixbuf is installed.. This means that host-packages that install image-conversion utilities will try to look in the path where gdk-pixbuf was installed. With per-package directories, this fails to find any module that was installed bu a third-party package. For example, the module for loading an SVG provided by librsvg, so it is not present in the PPD of gdk-pixbuf, and thus loading an SVG (e.g. to convert it to another format, like adwaita-icon-theme does) will fail with: Can't load file: Unrecognized image file format However, gdk-pixbuf can be configured so as to look for the modules relative to where the program is run from, rather than hard-coding the location at build time. This is exactly what we need in the PPD case Additionally, even without PPD, this would fail in a similar manner in the SDK, as that can be relocated too. So we unconditionally enable the relocatable option, but only for the host variant (there is no reason to enable it for the target, as it is not going to be relocated). Fixes: - http://autobuild.buildroot.org/results/0e00059b09b4445eaaec1030997883187c6a80d6 Signed-off-by:
-
