Fabrice Fontaine [Thu, 25 Jun 2020 22:00:58 +0000 (00:00 +0200)]
package/libvncserver: security bump to version 0.9.13
- Drop all patches (already in version)
- Fix CVE-2018-21247: An issue was discovered in LibVNCServer before
0.9.13. There is an information leak (of uninitialized memory contents)
in the libvncclient/rfbproto.c ConnectToRFBRepeater function.
- Fix CVE-2019-20839: libvncclient/sockets.c in LibVNCServer before
0.9.13 has a buffer overflow via a long socket filename.
- Fix CVE-2019-20840: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/ws_decode.c can lead to a crash because of
unaligned accesses in hybiReadAndDecode.
- Fix CVE-2020-14396: An issue was discovered in LibVNCServer before
0.9.13. libvncclient/tls_openssl.c has a NULL pointer dereference.
- Fix CVE-2020-14397: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference.
- Fix CVE-2020-14398: An issue was discovered in LibVNCServer before
0.9.13. An improperly closed TCP connection causes an infinite loop in
libvncclient/sockets.c.
- Fix CVE-2020-14399: An issue was discovered in LibVNCServer before
0.9.13. Byte-aligned data is accessed through uint32_t pointers in
libvncclient/rfbproto.c.
- Fix CVE-2020-14400: An issue was discovered in LibVNCServer before
0.9.13. Byte-aligned data is accessed through uint16_t pointers in
libvncserver/translate.c.
- Fix CVE-2020-14401: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/scale.c has a pixel_value integer overflow.
- Fix CVE-2020-14402: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/corre.c allows out-of-bounds access via
encodings.
- Fix CVE-2020-14403: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/hextile.c allows out-of-bounds access via
encodings.
- Fix CVE-2020-14404: An issue was discovered in LibVNCServer before
0.9.13. libvncserver/rre.c allows out-of-bounds access via encodings.
- Fix CVE-2020-14405: An issue was discovered in LibVNCServer before
0.9.13. libvncclient/rfbproto.c does not limit TextChat size.
Fabrice Fontaine [Thu, 25 Jun 2020 21:40:11 +0000 (23:40 +0200)]
package/ngircd: security bump to version 26
- Fix CVE-2020-14148: The Server-Server protocol implementation in
ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated
by the IRC_NJOIN() function.
- Fix a static build failure with openssl thanks to
https://github.com/ngircd/ngircd/commit/ad86a41eeed9f85d74bb50a25fa0bf4515aaf3af
- Update indentation in hash file (two spaces)
Stefan Sørensen [Thu, 25 Jun 2020 07:09:52 +0000 (09:09 +0200)]
package/bind: security bump to version 9.11.20
Fixes the following security issue:
* CVE-2020-8619: It was possible to trigger an INSIST failure when a
zone with an interior wildcard label was queried in a certain
pattern.
- Get official tarball and its hash
- Update indentation in hash file (two spaces)
This is a fairly important release which includes performance
improvements and new major CLI features. It also fixes a few corner
cases, making it a recommended upgrade.
Since commit 'package/rpi-firmware: fix startup file names' ([1]) the
start and fixup file names are normalized to start.elf/fixup.dat,
adjust the rpi4 genimage config files accordingly.
Fixes:
ERROR: file(rpi-firmware/fixup4.dat): stat(.../images/rpi-firmware/fixup4.dat) failed: No such file or directory
ERROR: vfat(boot.vfat): could not setup rpi-firmware/fixup4.dat
package/cups-filters: fix build without dejavu font
Since version 1.27.3, cups-filters needs dejavu (even if it is only used
for test programs):
https://github.com/OpenPrinting/cups-filters/commit/1d66106e5ae45407b01459cb112ee09752166dba
Add a patch to avoid this build failure when cross-compiling and set
test font path to /dev/null to avoid setting TESTFONT to an incorrect
host path
Matt Weber [Tue, 14 Jul 2020 20:02:02 +0000 (15:02 -0500)]
package/python-urllib3: security bump to 1.25.9
Fixes CVE-2020-7212 (1.25.2 - 1.25.7)
The _encode_invalid_chars function does not remove duplicate percent
encodings in the _percent_encodings array, which combined with the
normalization step could take O(N^2) time to compute for a URL of
length N. This results in a marginally higher CPU consumption
compared to the potential linear time achieved by deduplicating
the _percent_encodings array.
As spotted by Thomas Petazzoni during review of
https://patchwork.ozlabs.org/project/buildroot/patch/20200713215943.2240412[email protected],
oracle-mysql uses its bundled version of zlib if it is not found on the
system
So explictly disable zlib if needed and add a patch fixing build
failures without it
package/gvfs: bump to version 1.44.1, switch to meson
- Remove all patches (already in version)
- Move to meson-package
- Add new gsettings-desktop-schemas mandatory dependency
- gdu option doesn't exist anymore:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/1db029df72bcd50dd877d388c2e0934d8ed3d321
- Use new gcrypt otion
- systemd-login option has been replaced by logind option
- avahi option has been replaced by dnsd option
- gtk3 optional dependency has been removed since
https://gitlab.gnome.org/GNOME/gvfs/-/commit/dff13283c943c8b10265bd3925d86f17cdc4be6f
- Disable new sftp backend:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/44d45dca5d1ab2369fa7e5c2789b31c51e44f985
- Disable fuse (depends on fuse3 which is not available on buildroot)
- Remove gvfs-less workaround (not installed anymore)
- Update indentation of hash file
Etienne Carriere [Fri, 29 May 2020 14:27:40 +0000 (16:27 +0200)]
package/optee-test: bump to version 3.9.0
Bump OP-TEE Test package version to OP-TEE release 3.9.0.
Drop patch on scripts/file_to_c.py that is merged in 3.9.0.
Add patch from [1] for related issue found in 3.9.0 xtest tool.
Add patch to default disable xtest regression test 1027 and 1028 that
mandate changes in Linux kernel OP-TEE driver that are not available
in mainline, at least as of Linux kernel v5.7.
Etienne Carriere [Fri, 29 May 2020 14:27:38 +0000 (16:27 +0200)]
boot/optee-os: bump to version 3.9.0
Bump OP-TEE OS package version to OP-TEE release 3.9.0.
Update patch on pydrypto/pycryptodome to match 3.9.0.
Add patch on CFG_OPTEE_REVISION_MINOR that was not updated in release
3.9.0 and fixed only few commits above.
Joris Offouga [Sat, 27 Jun 2020 17:41:16 +0000 (19:41 +0200)]
package/swupdate: bump version to 2020.04
See full changelog : https://github.com/sbabic/swupdate/releases/tag/2020.04
Since commit
https://github.com/sbabic/swupdate/commit/82a157e35e9d01599e3c5818caa568899c17e6d2,swupdate
only supports using libubootenv to manipulate the U-Boot environment,
and no longer directly using the U-Boot tools, so we adjust the
Config.in help text and .mk logic accordingly.
Fabrice Fontaine [Sun, 28 Jun 2020 10:26:47 +0000 (12:26 +0200)]
package/bridge-utils: bump to version 1.7
- Update site to get latest release
- Add a deprecated note in Config.in:
https://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git/commit/?id=ab8a2cc330253321be7bc69dea88bfaa3d48415e
- Drop patch, not needed since:
https://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git/commit/?id=7b421143d1427e17380ff5bf93ef8fc718428c83
- Update indentation in hash file (two spaces)
Updated license hash due to upstream commits adding copyright holders
and bumping the copyright year:
https://git.tartarus.org/?p=simon/putty.git;a=history;f=LICENCE;h=3e1d146289644749b3578f610c74715fa1c6bf0d;hb=HEAD
EXIV2_ENABLE_BUILD_SAMPLES has been renamed into EXIV2_BUILD_SAMPLES
since version 0.27 and
https://github.com/Exiv2/exiv2/commit/60d436c96960fa314e2d12d017440253ce280d51
- Update first patch
- Drop second patch, not needed since
http://developer.intra2net.com/git/?p=libftdi;a=commitdiff;h=0209a3633dc877a577af07d883eb5059e22f6a91
- Drop third, fourth and fifth patches (already in version)
- Drop patch (already in version)
- Add zstd optional dependency, available since version 2.10.0 and
https://github.com/nmoinvaz/minizip/commit/1f4758bd7f979a56b33667fbbcdb0305e8b4173f
- Use the new MZ_LIBBSD option available since version 2.10.0 and
https://github.com/nmoinvaz/minizip/commit/29fcb4768050fbbf02d572a24a4e2ad29d51b60d
package/agentpp: fix build when BR2_PACKAGE_SNMPPP_SNMPV3 disabled
Agent++ 4.3.1 does not build if SNMPv3 is disabled due to incorrect #ifdef
clauses, esulting in errors such as:
../include/agent_pp/notification_originator.h:232:39: error: 'snmpCommunityEntry' has not been declared
void set_snmp_community_entry(snmpCommunityEntry* communityEntryRef) {
^
../include/agent_pp/notification_originator.h:296:32: error: 'nlmLogEntry' has not been declared
void set_nlm_log_entry(nlmLogEntry* nlmLogEntryRef) {
^
../include/agent_pp/notification_originator.h:321:9: error: 'nlmLogEntry' does not name a type
nlmLogEntry* _nlmLogEntry;
^
Aaron Sierra [Tue, 14 Jul 2020 01:24:59 +0000 (20:24 -0500)]
package/x11r7/xfont_font-*: make outputs reproducible
Prior to gzip 1.10, the compression pipeline used with PCF fonts was
not reproducible due to the implicit -N/--name injecting a timestamp:
$ cat /path/to/file | gzip > /path/to/file.gz
This updates Portable Compiled Format font packages to have a host-gzip
dependency, so gzip version 1.10 or newer will reliably be used.
This change does not affect encodings, which use a seemingly
synonymous compression pipeline, but that happens to be reproducible
with gzip versions at least as old as version 1.3.13:
Makefile: add /etc/bash_completion.d to non-bash purge
Currently, we delete /usr/share/bash-completion when bash is not enabled.
We need to delete /etc/bash_completion.d too. For example, the jo package
installs files there:
Makefile: delete debug libs when debug is not enabled
Some toolchains, like the Linaro gcc7 toolchains, now install libstdc++ debug
library symbols to /lib/debug, which can be as large as the library itself.
This commit removes the extra debug content if debugging is not enabled.
Robert Hancock [Tue, 14 Jul 2020 03:38:48 +0000 (21:38 -0600)]
package/gpsd: bump version to 3.20
Removes BR2_PACKAGE_GPSD_PPS config option, since PPS functionality is
no longer optional and always enabled in gpsd's SCons configuration.
Removed passing ntpshm=y to SCons since that feature is also no longer
optional.
Added a patch adapted from changes merged upstream post-3.20 to fix a
build failure during cross-compilation when checking sizeof(time_t)
and where shared libraries were being linked with ld rather than g++.
Thomas Petazzoni [Mon, 13 Jul 2020 21:12:25 +0000 (23:12 +0200)]
package/parprouted: bump version to 0.7
This was supposed to be part of fce71d09fb139ed2b29ad1f3158da50731c7ca48, which introduced the
parprouted package, but due to a missed "git commit --amend", it
wasn't included in this commit, so let's add it now.
- Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
- Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
private key that didn't include the uncompressed public key), as well
as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with
a NULL f_rng argument. An attacker with access to precise enough
timing and memory access information (typically an untrusted operating
system attacking a secure enclave) could fully recover the ECC private
key.
- Fix issue in Lucky 13 counter-measure that could make it ineffective
when hardware accelerators were used (using one of the
MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13
attack to be possible in those configurations, allowing an active
network attacker to recover plaintext after repeated timing
measurements under some conditions.
- Add a patch to fix build without fork in src/dhcpcd.c. This
regression was introduced in upstream commit 3063ebb6c8ac7c96196fa923cdd5f7c0384de23b, which was merged in dhcpcd
9.0.0. Therefore, Buildroot is affected since we bumped from 8.0.3
to 9.1.4 in commit 809f548e79c6c099f1fa3e3728d90842be7059a7, which
was applied after 2020.05
- Disable privsep as it unconditionally uses fork (privsep has been
enabled by default since version 9.0.0 and
https://github.com/rsmarples/dhcpcd/commit/3a4c2e5604d72151b06ed365aa71493740a3ad75)
* fix off-by-one bug in MPD_HOST parser
* add function mpd_lookup_replay_gain_mode()
* identify messages with length over the buffer limit
* support MPD protocol 0.16
- replay gain
* support MPD protocol 0.19
- idle events "neighbor" and "mount"
* support MPD protocol 0.20
- rangeid
* support MPD protocol 0.21
- command "tagtypes all"
Fix CVE-2020-15466: It may be possible to make Wireshark consume
excessive CPU resources by injecting a malformed packet onto the wire or
by convincing someone to read a malformed packet trace file.
- Fix CVE-2020-4030: In FreeRDP before version 2.1.2, there is an out of
bounds read in TrioParse. Logging might bypass string length checks
due to an integer overflow.
- Fix CVE-2020-4031: In FreeRDP before version 2.1.2, there is a
use-after-free in gdi_SelectObject. All FreeRDP clients using
compatibility mode with /relax-order-checks are affected.
- Fix CVE-2020-4032: In FreeRDP before version 2.1.2, there is an
integer casting vulnerability in update_recv_secondary_order. All
clients with +glyph-cache /relax-order-checks are affected.
- Fix CVE-2020-4033: In FreeRDP before version 2.1.2, there is an out of
bounds read in RLEDECOMPRESS. All FreeRDP based clients with sessions
with color depth < 32 are affected.
- Fix CVE-2020-11095: In FreeRDP before version 2.1.2, an out of bound
reads occurs resulting in accessing a memory location that is outside
of the boundaries of the static array
PRIMARY_DRAWING_ORDER_FIELD_BYTES.
- Fix CVE-2020-11096: In FreeRDP before version 2.1.2, there is a global
OOB read in update_read_cache_bitmap_v3_order. As a workaround, one
can disable bitmap cache with -bitmap-cache (default).
- Fix CVE-2020-11097: In FreeRDP before version 2.1.2, an out of bounds
read occurs resulting in accessing a memory location that is outside
of the boundaries of the static array
PRIMARY_DRAWING_ORDER_FIELD_BYTES.
- Fix CVE-2020-11098: In FreeRDP before version 2.1.2, there is an
out-of-bound read in glyph_cache_put. This affects all FreeRDP clients
with `+glyph-cache` option enabled.
- Fix CVE-2020-11099: In FreeRDP before version 2.1.2, there is an out
of bounds read in license_read_new_or_upgrade_license_packet. A
manipulated license packet can lead to out of bound reads to an
internal buffer.
parprouted is a daemon for transparent IP (Layer 3) proxy ARP
bridging. This is useful for creation of transparent firewalls
and bridging networks with different MAC protocols. Also,
unlike standard bridging, proxy ARP bridging allows to bridge
Ethernet networks behind wireless nodes without using WDS or
layer 2 bridging.
Paul Cercueil [Sun, 12 Jul 2020 19:57:12 +0000 (21:57 +0200)]
package/sdl_image: disable dynamic loading of libraries
The thing with Buildroot, is that we know in advance what will be in the
root filesystem. Therefore, we don't need SDL_image to probe for the
presence of libpng, libjpeg, libtiff or libwebp and dynamically load
them; SDL_image can be linked to them directly at compilation time.
Add initial support for RK3399 based rockpi-4 targets (model A, B, C)
with below features:
- Custom U-Boot 2020.07-rc4
https://github.com/amarula/u-boot-amarula.git
branch rock-pi
- Linux 5.4.46
- GPT partition layout is being used
- Default packages from buildroot
Add initial support for RK3399PRO SOM based rockpi-n10 target
with below features:
- Custom U-Boot 2020.07-rc4
https://github.com/amarula/u-boot-amarula.git
branch rock-pi
- Linux 5.7.2
- GPT partition layout is being used
- Default packages from buildroot
support/script/pkg-stats: handle exception when version comparison fails
With python 3, when a package has a version number x-y-z instead of
x.y.z, then the version returned by LooseVersion can't be compared
which raises a TypeError exception:
Traceback (most recent call last):
File "./support/scripts/pkg-stats", line 1062, in <module>
__main__()
File "./support/scripts/pkg-stats", line 1051, in __main__
check_package_cves(args.nvd_path, {p.name: p for p in packages})
File "./support/scripts/pkg-stats", line 613, in check_package_cves
if pkg_name in packages and cve.affects(packages[pkg_name]):
File "./support/scripts/pkg-stats", line 386, in affects
return pkg_version <= cve_affected_version
File "/usr/lib64/python3.8/distutils/version.py", line 58, in __le__
c = self._cmp(other)
File "/usr/lib64/python3.8/distutils/version.py", line 337, in _cmp
if self.version < other.version:
TypeError: '<' not supported between instances of 'str' and 'int'
This patch handles this exception by adding a new return value when
the comparison can't be done. The code is adjusted to take of this
change. For now, a return value of CVE_UNKNOWN is handled the same way
as a CVE_DOESNT_AFFECT return value, but this can be improved later
on.
Ramon Fried [Mon, 6 Jul 2020 09:37:43 +0000 (12:37 +0300)]
package/bitwise: new package
Bitwise is multi base interactive calculator supporting dynamic base
conversion and bit manipulation. It's a handy tool for low level
hackers, kernel developers and device drivers developers.
This package contains the Boost ODB profile library. The Boost profile
provides support for persisting Boost smart pointers, containers, and
value types with the ODB system.
This package contains the MySQL ODB runtime library. Every application
that includes code generated for the MySQL database will need to link
to this library.
Adam Duskett [Mon, 6 Jul 2020 15:30:38 +0000 (17:30 +0200)]
package/libodb-pgsql: new package
This package contains the PostgreSQL ODB runtime library.
Every application that includes code generated for the PostgreSQL
database will need to link to this library.
Signed-off-by: Adam Duskett <[email protected]>
[Kamel: Fix incorrect license, remove unneeded dependency on host-odb] Signed-off-by: Kamel Bouhara <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]>
Adam Duskett [Mon, 6 Jul 2020 15:30:37 +0000 (17:30 +0200)]
package/libodb: new package
This package contains the common ODB runtime library. Every application
that includes code generated by the ODB compiler will need to link to this
library.
Signed-off-by: Adam Duskett <[email protected]>
[Kamel:
- Fix incorrect license
- Remove unneeded dependency on host-odb] Signed-off-by: Kamel Bouhara <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]>
Adam Duskett [Mon, 6 Jul 2020 15:30:36 +0000 (17:30 +0200)]
package/odb: new package
ODB is an open-source, cross-platform, and cross-database
object-relational mapping (ORM) system for C++. It allows you to
persist C++ objects to a relational database without having to deal
with tables, columns, or SQL and without manually writing any mapping
code.
ODB supports MySQL, SQLite, PostgreSQL, Oracle, and Microsoft SQL
Server relational databases as well as C++98/03 and C++11 language
standards. It also comes with optional profiles for Boost and Qt
which allow you to seamlessly use value types, containers, and smart
pointers from these libraries in your persistent C++ classes.
This package is used for auto-generating ODB specific header files
into useable code that can be linked against a seperate libodb and a
specific libodb database library. As such, it is only needed as a
host program and is not user selectable.
Some packages requires support on the build machine to create gcc
plugins. This commit adds a blind option,
BR2_NEEDS_HOST_GCC_PLUGIN_SUPPORT, which such packages can
select. When this option is enabled, the logic in support/dependencies
verifies that everything needed on the build machine to build gcc
plugins is available.
projects / buildroot-mgba.git / log