* [Buildroot] [git commit] libcroco: bump to version 0.6.12
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=7daae8362be2060527fe1429fa640c325b477d27
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libcroco/libcroco.hash | 4 ++--
package/libcroco/libcroco.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/libcroco/libcroco.hash b/package/libcroco/libcroco.hash
index edf0b1f..83d2ffe 100644
--- a/package/libcroco/libcroco.hash
+++ b/package/libcroco/libcroco.hash
@@ -1,2 +1,2 @@
-# From http://ftp.acc.umu.se/pub/gnome/sources/libcroco/0.6/libcroco-0.6.11.sha256sum
-sha256 132b528a948586b0dfa05d7e9e059901bca5a3be675b6071a90a90b81ae5a056 libcroco-0.6.11.tar.xz
+# From http://ftp.acc.umu.se/pub/gnome/sources/libcroco/0.6/libcroco-0.6.12.sha256sum
+sha256 ddc4b5546c9fb4280a5017e2707fbd4839034ed1aba5b7d4372212f34f84f860 libcroco-0.6.12.tar.xz
diff --git a/package/libcroco/libcroco.mk b/package/libcroco/libcroco.mk
index 5ea0b77..612fd1f 100644
--- a/package/libcroco/libcroco.mk
+++ b/package/libcroco/libcroco.mk
@@ -5,7 +5,7 @@
################################################################################
LIBCROCO_VERSION_MAJOR = 0.6
-LIBCROCO_VERSION = $(LIBCROCO_VERSION_MAJOR).11
+LIBCROCO_VERSION = $(LIBCROCO_VERSION_MAJOR).12
LIBCROCO_SITE = http://ftp.gnome.org/pub/gnome/sources/libcroco/$(LIBCROCO_VERSION_MAJOR)
LIBCROCO_SOURCE = libcroco-$(LIBCROCO_VERSION).tar.xz
LIBCROCO_INSTALL_STAGING = YES
^ permalink raw reply related
* [Buildroot] [git commit] package/xenomai: fallback to http
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=2af19b0143ab0b4412304b27e488fd084dd3de25
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
The https protocol return:
"ERROR 503: Service Temporarily Unavailable"
Fixes:
http://autobuild.buildroot.net/results/120/12034603c46c8bd69590c88bbfe85261460b699c
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/xenomai/xenomai.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/xenomai/xenomai.mk b/package/xenomai/xenomai.mk
index 4844fff..c1477d9 100644
--- a/package/xenomai/xenomai.mk
+++ b/package/xenomai/xenomai.mk
@@ -11,7 +11,7 @@ else
BR_NO_CHECK_HASH_FOR += $(XENOMAI_SOURCE)
endif
-XENOMAI_SITE = https://xenomai.org/downloads/xenomai/stable
+XENOMAI_SITE = http://xenomai.org/downloads/xenomai/stable
XENOMAI_SOURCE = xenomai-$(XENOMAI_VERSION).tar.bz2
XENOMAI_LICENSE = GPL-2.0+ with exception (headers), LGPL-2.1+ (libraries), GPL-2.0+ (kernel), GFDL-1.2+ (docs), GPL-2.0 (ipipe patch, can driver)
# GFDL is not included but refers to gnu.org
^ permalink raw reply related
* [Buildroot] [git commit] imagemagick: add upstream security fix for CVE-2017-7606
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=665560856edfcdd18b2053e26bc8a44754dffca2
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
This is not yet part of any release.
coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of
representable values of type unsigned char" undefined behavior issue, which
might allow remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via a crafted image.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...ub.com-ImageMagick-ImageMagick-issues-415.patch | 52 ++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/package/imagemagick/0001-https-github.com-ImageMagick-ImageMagick-issues-415.patch b/package/imagemagick/0001-https-github.com-ImageMagick-ImageMagick-issues-415.patch
new file mode 100644
index 0000000..943679e
--- /dev/null
+++ b/package/imagemagick/0001-https-github.com-ImageMagick-ImageMagick-issues-415.patch
@@ -0,0 +1,52 @@
+From b218117cad34d39b9ffb587b45c71c5a49b12bde Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 31 Mar 2017 15:24:33 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/415
+
+Fixes CVE-2017-7606
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ coders/pnm.c | 2 +-
+ coders/rle.c | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/coders/pnm.c b/coders/pnm.c
+index 9a1221d79..c525ebb8f 100644
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -1979,7 +1979,7 @@ static MagickBooleanType WritePNMImage(const ImageInfo *image_info,Image *image,
+ pixel=ScaleQuantumToChar(GetPixelRed(image,p));
+ else
+ pixel=ScaleQuantumToAny(GetPixelRed(image,p),
+- max_value);
++ max_value);
+ }
+ q=PopCharPixel((unsigned char) pixel,q);
+ p+=GetPixelChannels(image);
+diff --git a/coders/rle.c b/coders/rle.c
+index 2318901ec..ec071dc7b 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -271,7 +271,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ p=colormap;
+ for (i=0; i < (ssize_t) number_colormaps; i++)
+ for (x=0; x < (ssize_t) map_length; x++)
+- *p++=(unsigned char) ScaleShortToQuantum(ReadBlobLSBShort(image));
++ *p++=(unsigned char) ScaleQuantumToChar(ScaleShortToQuantum(
++ ReadBlobLSBShort(image)));
+ }
+ if ((flags & 0x08) != 0)
+ {
+@@ -476,7 +477,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ for (x=0; x < (ssize_t) number_planes; x++)
+ {
+ ValidateColormapValue(image,(size_t) (x*map_length+
+- (*p & mask)),&index,exception);
++ (*p & mask)),&index,exception);
+ *p=colormap[(ssize_t) index];
+ p++;
+ }
+--
+2.11.0
+
^ permalink raw reply related
* [Buildroot] [git commit] package/bullet: bump to version 2.86.1
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=a086213b397c59bd4282ce4f002abb6c656bb40b
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/bullet/bullet.hash | 2 +-
package/bullet/bullet.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/bullet/bullet.hash b/package/bullet/bullet.hash
index cccc425..c6a45c2 100644
--- a/package/bullet/bullet.hash
+++ b/package/bullet/bullet.hash
@@ -1,2 +1,2 @@
# Locally calculated
-sha256 6e157c0b50373bc0e860de27f06397827bb28a4205bc568ae79d76a0f919ed62 bullet-2.85.1.tar.gz
+sha256 c058b2e4321ba6adaa656976c1a138c07b18fc03b29f5b82880d5d8228fbf059 bullet-2.86.1.tar.gz
diff --git a/package/bullet/bullet.mk b/package/bullet/bullet.mk
index 920ea87..3e8fae3 100644
--- a/package/bullet/bullet.mk
+++ b/package/bullet/bullet.mk
@@ -4,7 +4,7 @@
#
################################################################################
-BULLET_VERSION = 2.85.1
+BULLET_VERSION = 2.86.1
BULLET_SITE = $(call github,bulletphysics,bullet3,$(BULLET_VERSION))
BULLET_INSTALL_STAGING = YES
BULLET_LICENSE = Zlib
^ permalink raw reply related
* [Buildroot] [git commit] python-web2py: security bump to version 2.14.6
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=a534030c6e67ff0319f8af2b55fe977a06f17dfd
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
CVE-2016-4806 - Web2py versions 2.14.5 and below was affected by Local File
Inclusion vulnerability, which allows a malicious intended user to
read/access web server sensitive files.
CVE-2016-4807 - Web2py versions 2.14.5 and below was affected by Reflected
XSS vulnerability, which allows an attacker to perform an XSS attack on
logged in user (admin).
CVE-2016-4808 - Web2py versions 2.14.5 and below was affected by CSRF (Cross
Site Request Forgery) vulnerability, which allows an attacker to trick a
logged in user to perform some unwanted actions i.e An attacker can trick an
victim to disable the installed application just by sending a URL to victim.
CVE-2016-10321 - web2py before 2.14.6 does not properly check if a host is
denied before verifying passwords, allowing a remote attacker to perform
brute-force attacks.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-web2py/python-web2py.hash | 2 +-
package/python-web2py/python-web2py.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/python-web2py/python-web2py.hash b/package/python-web2py/python-web2py.hash
index 3de8dbf..9c1de90 100644
--- a/package/python-web2py/python-web2py.hash
+++ b/package/python-web2py/python-web2py.hash
@@ -1,2 +1,2 @@
# sha256 locally computed
-sha256 7e22a5624d8d2909e165110f0bec6b43ee36ff6834d689f4027e06dece662031 python-web2py-R-2.12.3.tar.gz
+sha256 6079aeaa352ec51e0da5e6abc71fa74cdb3a781e06a311b5826618624362a7b2 python-web2py-R-2.14.6.tar.gz
diff --git a/package/python-web2py/python-web2py.mk b/package/python-web2py/python-web2py.mk
index 7fe9f82..9aadb30 100644
--- a/package/python-web2py/python-web2py.mk
+++ b/package/python-web2py/python-web2py.mk
@@ -4,7 +4,7 @@
#
################################################################################
-PYTHON_WEB2PY_VERSION = R-2.12.3
+PYTHON_WEB2PY_VERSION = R-2.14.6
PYTHON_WEB2PY_SITE = $(call github,web2py,web2py,$(PYTHON_WEB2PY_VERSION))
PYTHON_WEB2PY_LICENSE = LGPL-3.0
PYTHON_WEB2PY_LICENSE_FILES = LICENSE
^ permalink raw reply related
* [Buildroot] [git commit] minicom: security bump to version 2.7.1
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=027a0d5b61326da318fb916ff52324b9f238d768
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fixes CVE-2017-7467 - minicom and prl-vzvncserver vt100.c escparms[] buffer
overflow.
For more details about the issue, see the nice writeup on oss-security:
http://www.openwall.com/lists/oss-security/2017/04/18/5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/minicom/minicom.hash | 2 +-
package/minicom/minicom.mk | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/minicom/minicom.hash b/package/minicom/minicom.hash
index 33ba4ef..ca30871 100644
--- a/package/minicom/minicom.hash
+++ b/package/minicom/minicom.hash
@@ -1,2 +1,2 @@
# Locally calculated
-sha256 9ac3a663b82f4f5df64114b4792b9926b536c85f59de0f2d2b321c7626a904f4 minicom-2.7.tar.gz
+sha256 532f836b7a677eb0cb1dca8d70302b73729c3d30df26d58368d712e5cca041f1 minicom-2.7.1.tar.gz
diff --git a/package/minicom/minicom.mk b/package/minicom/minicom.mk
index 75cd0c4..cb06482 100644
--- a/package/minicom/minicom.mk
+++ b/package/minicom/minicom.mk
@@ -4,8 +4,8 @@
#
################################################################################
-MINICOM_VERSION = 2.7
-MINICOM_SITE = https://alioth.debian.org/frs/download.php/file/3977
+MINICOM_VERSION = 2.7.1
+MINICOM_SITE = https://alioth.debian.org/frs/download.php/file/4215
MINICOM_LICENSE = GPL-2.0+
MINICOM_LICENSE_FILES = COPYING
^ permalink raw reply related
* [Buildroot] [git commit] libcroco: add upstream security fixes
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=52bfb4b1ce25d870f9bab72d285f326ec7d0ad77
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
These have been added to upstream git after 0.6.12 was released.
CVE-2017-7960 - The cr_input_new_from_uri function in cr-input.c in libcroco
0.6.11 and 0.6.12 allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted CSS file.
CVE-2017-7961 - The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco
0.6.11 and 0.6.12 has an "outside the range of representable values of type
long" undefined behavior issue, which might allow remote attackers to cause
a denial of service (application crash) or possibly have unspecified other
impact via a crafted CSS file.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...-check-end-of-input-before-reading-a-byte.patch | 62 ++++++++++++++++++++++
...02-tknzr-support-only-max-long-rgb-values.patch | 46 ++++++++++++++++
2 files changed, 108 insertions(+)
diff --git a/package/libcroco/0001-input-check-end-of-input-before-reading-a-byte.patch b/package/libcroco/0001-input-check-end-of-input-before-reading-a-byte.patch
new file mode 100644
index 0000000..831b1a7
--- /dev/null
+++ b/package/libcroco/0001-input-check-end-of-input-before-reading-a-byte.patch
@@ -0,0 +1,62 @@
+From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:13:43 +0200
+Subject: [PATCH] input: check end of input before reading a byte
+
+Fixes CVE-2017-7960
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/cr-input.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1..3b63a88 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+ *we should free buf here because it's own by CRInput.
+ *(see the last parameter of cr_input_new_from_buf().
+ */
+- buf = NULL ;
++ buf = NULL;
+ }
+
+ cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++ gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+ && a_byte, CR_BAD_PARAM_ERROR);
+
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+
++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++ if (nb_bytes_left < 1) {
++ return CR_END_OF_INPUT_ERROR;
++ }
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+
+ return status;
+--
+2.11.0
+
diff --git a/package/libcroco/0002-tknzr-support-only-max-long-rgb-values.patch b/package/libcroco/0002-tknzr-support-only-max-long-rgb-values.patch
new file mode 100644
index 0000000..1a9bcd9
--- /dev/null
+++ b/package/libcroco/0002-tknzr-support-only-max-long-rgb-values.patch
@@ -0,0 +1,46 @@
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:56:09 +0200
+Subject: [PATCH] tknzr: support only max long rgb values
+
+Fixes CVE-2017-7961
+
+This fixes a possible out of bound when reading rgbs which
+are longer than the support MAXLONG
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/cr-tknzr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
+index 1a7cfeb..1548c35 100644
+--- a/src/cr-tknzr.c
++++ b/src/cr-tknzr.c
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ red = num->val;
+ cr_num_destroy (num);
+ num = NULL;
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ PEEK_BYTE (a_this, 1, &next_bytes[0]);
+ if (next_bytes[0] == '%') {
+ SKIP_CHARS (a_this, 1);
+--
+2.11.0
+
^ permalink raw reply related
* [Buildroot] [git commit] package/aircrack-ng: bump version to 1.2-rc4
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=cddb22ac2b627b9af7c52b724d5648d90c343e8e
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Removed patches applied upstream:
0001-Makefile-use-pkg-config-to-find-libpcre-it-s-more-cros.patch
http://trac.aircrack-ng.org/changeset/2445
0002-Optionally-use-LIBPCAP-for-required-libpcap-libraries.patch
http://trac.aircrack-ng.org/changeset/2446
0003-Wesside-ng-Use-termios-instead-of-sys-termios.patch
http://trac.aircrack-ng.org/changeset/2533
Added option to disable stack-protector support auto-detection in gcc.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...pkg-config-to-find-libpcre-it-s-more-cros.patch | 39 ---------------
package/aircrack-ng/0001-stack-protector.patch | 58 ++++++++++++++++++++++
...se-LIBPCAP-for-required-libpcap-libraries.patch | 33 ------------
...ide-ng-Use-termios-instead-of-sys-termios.patch | 27 ----------
package/aircrack-ng/aircrack-ng.hash | 4 +-
package/aircrack-ng/aircrack-ng.mk | 8 ++-
6 files changed, 67 insertions(+), 102 deletions(-)
diff --git a/package/aircrack-ng/0001-Makefile-use-pkg-config-to-find-libpcre-it-s-more-cros.patch b/package/aircrack-ng/0001-Makefile-use-pkg-config-to-find-libpcre-it-s-more-cros.patch
deleted file mode 100644
index 733e0c0..0000000
--- a/package/aircrack-ng/0001-Makefile-use-pkg-config-to-find-libpcre-it-s-more-cros.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 98149c7664e99cc8ce9c9b1abf2fa90d9cd68e0d Mon Sep 17 00:00:00 2001
-From: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Date: Wed, 5 Nov 2014 09:38:12 -0300
-Subject: [PATCH] Makefile: use pkg-config to find libpcre, it's more
- cross-compile friendly
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
----
-Status: Upstream http://trac.aircrack-ng.org/ticket/1526
-
-diff --git a/common.mak b/common.mak
-index 6e5694b..d875708 100644
---- a/common.mak
-+++ b/common.mak
-@@ -39,7 +39,7 @@ PCRE = true
- endif
-
- ifeq ($(PCRE), true)
--COMMON_CFLAGS += $(shell pcre-config --cflags) -DHAVE_PCRE
-+COMMON_CFLAGS += $(shell $(PKG_CONFIG) --cflags libpcre) -DHAVE_PCRE
- endif
-
- ifeq ($(OSNAME), cygwin)
-diff --git a/src/Makefile b/src/Makefile
-index f9217f9..14350b6 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -16,7 +16,7 @@ BINFILES = aircrack-ng$(EXE) airdecap-ng$(EXE) packetforge-ng$(EXE) \
-
- LIBPCRE =
- ifeq ($(PCRE), true)
-- LIBPCRE = $(shell pcre-config --libs)
-+ LIBPCRE = $(shell $(PKG_CONFIG) --libs libpcre)
- endif
-
- ifneq ($(OSNAME), cygwin) #There is yet no libpcap support for windows, so we skip the crawler
---
-2.0.4
-
diff --git a/package/aircrack-ng/0001-stack-protector.patch b/package/aircrack-ng/0001-stack-protector.patch
new file mode 100644
index 0000000..5f2bd1b
--- /dev/null
+++ b/package/aircrack-ng/0001-stack-protector.patch
@@ -0,0 +1,58 @@
+Added option to disable stack-protector support auto-detection in gcc.
+
+Downloaded from upstream commit:
+http://trac.aircrack-ng.org/changeset/2889/
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+Index: /trunk/INSTALLING
+===================================================================
+--- trunk/INSTALLING (revision 2888)
++++ trunk/INSTALLING (revision 2889)
+@@ -83,4 +83,6 @@
+ * macport: Set this flag to true to compile on OS X with macports.
+
++* stackprotector: Allows to enable/disable auto-detection of stack-protector support in gcc
++
+ Example:
+
+Index: /trunk/common.mak
+===================================================================
+--- trunk/common.mak (revision 2888)
++++ trunk/common.mak (revision 2889)
+@@ -64,4 +64,13 @@
+ ifeq ($(PCRE), true)
+ COMMON_CFLAGS += $(shell $(PKG_CONFIG) --cflags libpcre) -DHAVE_PCRE
++endif
++
++STACK_PROTECTOR = true
++ifeq ($(stackprotector), false)
++ STACK_PROTECTOR = false
++endif
++
++ifeq ($(STACKPROTECTOR), false)
++ STACK_PROTECTOR = false
+ endif
+
+@@ -235,12 +244,14 @@
+ endif
+
+-ifeq ($(GCC_OVER49), 0)
+- ifeq ($(GCC_OVER41), 1)
+- COMMON_CFLAGS += -fstack-protector
++ifeq ($(STACK_PROTECTOR), true)
++ ifeq ($(GCC_OVER49), 0)
++ ifeq ($(GCC_OVER41), 1)
++ COMMON_CFLAGS += -fstack-protector
++ endif
+ endif
+-endif
+-
+-ifeq ($(GCC_OVER49), 1)
+- COMMON_CFLAGS += -fstack-protector-strong
++
++ ifeq ($(GCC_OVER49), 1)
++ COMMON_CFLAGS += -fstack-protector-strong
++ endif
+ endif
+
diff --git a/package/aircrack-ng/0002-Optionally-use-LIBPCAP-for-required-libpcap-libraries.patch b/package/aircrack-ng/0002-Optionally-use-LIBPCAP-for-required-libpcap-libraries.patch
deleted file mode 100644
index c92bb8d..0000000
--- a/package/aircrack-ng/0002-Optionally-use-LIBPCAP-for-required-libpcap-libraries.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 1abf7a6aad3d7931de2c01b578f62986b75de2f5 Mon Sep 17 00:00:00 2001
-From: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Date: Tue, 11 Nov 2014 16:23:42 -0300
-Subject: [PATCH] Optionally use LIBPCAP for required libpcap libraries
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
----
-Status: Reported http://trac.aircrack-ng.org/ticket/1528
-
-diff --git a/src/Makefile b/src/Makefile
-index 14350b6..7bd4271 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -23,6 +23,7 @@ ifneq ($(OSNAME), cygwin) #There is yet no libpcap support for windows, so we sk
- HAVE_PCAP = $(shell ld -lpcap 2> /dev/null && echo yes)
- ifeq ($(HAVE_PCAP), yes) #cannot link with -lpcap, skip crawler
- BINFILES += besside-ng-crawler$(EXE)
-+ LIBPCAP = -lpcap
- endif
- endif
-
-@@ -168,7 +169,7 @@ besside-ng$(EXE): $(OBJS_BS) $(LIBOSD)
- $(CC) $(CFLAGS) $(LDFLAGS) $(OBJS_BS) -o $(@) $(LIBS) $(LIBSSL) -lz $(LIBPCRE)
-
- besside-ng-crawler$(EXE): $(OBJS_BC)
-- $(CC) $(CFLAGS) $(LDFLAGS) $(OBJS_BC) -o $(@) -lpcap
-+ $(CC) $(CFLAGS) $(LDFLAGS) $(OBJS_BC) -o $(@) $(LIBPCAP)
-
- makeivs-ng$(EXE): $(OBJS_MI)
- $(CC) $(CFLAGS) $(LDFLAGS) $(OBJS_MI) -o $(@) $(LDFLAGS)
---
-2.0.4
-
diff --git a/package/aircrack-ng/0003-Wesside-ng-Use-termios-instead-of-sys-termios.patch b/package/aircrack-ng/0003-Wesside-ng-Use-termios-instead-of-sys-termios.patch
deleted file mode 100644
index a10ee45..0000000
--- a/package/aircrack-ng/0003-Wesside-ng-Use-termios-instead-of-sys-termios.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 42de9f800056601443ac12edbba7bd5802740db2 Mon Sep 17 00:00:00 2001
-From: Thomas d'Otreppe <tdotreppe@aircrack-ng.org>
-Date: Wed, 8 Apr 2015 01:25:07 +0000
-Subject: [PATCH] Wesside-ng: Use termios instead of sys/termios.
-
-git-svn-id: http://svn.aircrack-ng.org/trunk at 2533 28c6078b-6c39-48e3-add9-af49d547ecab
-Signed-off-by: Romain Naour <romain.naour@openwide.fr>
----
- src/wesside-ng.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/wesside-ng.c b/src/wesside-ng.c
-index 711d8b7..f44438a 100644
---- a/src/wesside-ng.c
-+++ b/src/wesside-ng.c
-@@ -33,7 +33,7 @@
-
- #include <sys/types.h>
- #include <sys/socket.h>
--#include <sys/termios.h>
-+#include <termios.h>
- #include <sys/ioctl.h>
- #include <sys/stat.h>
- #include <sys/wait.h>
---
-2.4.3
-
diff --git a/package/aircrack-ng/aircrack-ng.hash b/package/aircrack-ng/aircrack-ng.hash
index 1ed27fc..e210ad2 100644
--- a/package/aircrack-ng/aircrack-ng.hash
+++ b/package/aircrack-ng/aircrack-ng.hash
@@ -1,3 +1,3 @@
# From http://www.aircrack-ng.org/downloads.html
-sha1 b5ff7d0fffb72095311bbe8824ab98aaac62db8f aircrack-ng-1.2-rc1.tar.gz
-md5 c2f8648c92f7e46051c86c618d4fb0d5 aircrack-ng-1.2-rc1.tar.gz
+sha1 2b2fbe50fedb606b3bd96a34d49f07760e8e618a aircrack-ng-1.2-rc4.tar.gz
+md5 3bbc7d5035a98ec01e78774d05c3fcce aircrack-ng-1.2-rc4.tar.gz
diff --git a/package/aircrack-ng/aircrack-ng.mk b/package/aircrack-ng/aircrack-ng.mk
index 8cf1f47..b728624 100644
--- a/package/aircrack-ng/aircrack-ng.mk
+++ b/package/aircrack-ng/aircrack-ng.mk
@@ -4,7 +4,7 @@
#
################################################################################
-AIRCRACK_NG_VERSION = 1.2-rc1
+AIRCRACK_NG_VERSION = 1.2-rc4
AIRCRACK_NG_SITE = http://download.aircrack-ng.org
AIRCRACK_NG_LICENSE = GPL-2.0+
AIRCRACK_NG_LICENSE_FILES = LICENSE
@@ -24,6 +24,12 @@ AIRCRACK_NG_MAKE_OPTS += libnl=true
AIRCRACK_NG_DEPENDENCIES += libnl
endif
+ifeq ($(BR2_TOOLCHAIN_HAS_SSP),y)
+AIRCRACK_NG_MAKE_OPTS += STACK_PROTECTOR=true
+else
+AIRCRACK_NG_MAKE_OPTS += STACK_PROTECTOR=false
+endif
+
ifeq ($(BR2_PACKAGE_LIBPCAP),y)
AIRCRACK_NG_DEPENDENCIES += libpcap
AIRCRACK_NG_MAKE_OPTS += HAVE_PCAP=yes \
^ permalink raw reply related
* [Buildroot] [git commit] busybox: no need to disable clear and reset
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=200282e2070ec0405184378c3cfb4e04ab26c5d8
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Removing clear and reset from the busybox config when the ncurses tools
are enabled is not really needed.
Since commit 802bff9c42, the busybox install will not overwrite
existing programs. Therefore, the tools will be installed correctly
regardless of the order of the build:
- if busybox is built first, the clear and reset apps are installed,
but they will be overwritten by ncurses;
- if ncurses is built first, it will install the clear and reset apps,
and busybox will no longer install them.
We prefer not to modify the busybox configuration when not strictly
necessary, because it is surprising for the user that his configuration
is not applied. Clearly, it's not ideal that busybox is configured with
redundant apps, but if the user wants to shrink it, it's possible to
provide a custom config.
This partially reverts commit 33c72344a8686a136c1da6a056ed6c0945bbf8b7.
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/busybox/busybox.mk | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 689830e..a536ed2 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -148,17 +148,6 @@ define BUSYBOX_MUSL_TWEAKS
endef
endif
-ifeq ($(BR2_PACKAGE_NCURSES_TARGET_PROGS),y)
-# Ncurses package overlaps:
-# /usr/bin/clear
-# /usr/bin/reset -> /usr/bin/tset (symlink)
-#
-define BUSYBOX_DISABLE_NCURSES_PROGS
- $(call KCONFIG_DISABLE_OPT,CONFIG_CLEAR,$(BUSYBOX_BUILD_CONFIG))
- $(call KCONFIG_DISABLE_OPT,CONFIG_RESET,$(BUSYBOX_BUILD_CONFIG))
-endef
-endif
-
define BUSYBOX_INSTALL_UDHCPC_SCRIPT
if grep -q CONFIG_UDHCPC=y $(@D)/.config; then \
$(INSTALL) -m 0755 -D package/busybox/udhcpc.script \
@@ -240,7 +229,6 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
$(BUSYBOX_SET_WATCHDOG)
$(BUSYBOX_SET_SELINUX)
$(BUSYBOX_MUSL_TWEAKS)
- $(BUSYBOX_DISABLE_NCURSES_PROGS)
endef
define BUSYBOX_CONFIGURE_CMDS
^ permalink raw reply related
* [Buildroot] [git commit] package/ccid: bump version to 1.4.26
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=d9f19462fb06674e1c6bbb20e454b975684dd3a0
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Changed _SITE according to
http://lists.alioth.debian.org/pipermail/pcsclite-muscle/Week-of-Mon-20170102/000780.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/ccid/ccid.hash | 5 +++--
package/ccid/ccid.mk | 6 +++---
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/package/ccid/ccid.hash b/package/ccid/ccid.hash
index a0e91da..3e1e962 100644
--- a/package/ccid/ccid.hash
+++ b/package/ccid/ccid.hash
@@ -1,2 +1,3 @@
-# From http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/c/ccid/ccid_1.4.18-1.dsc
-sha256 5fdba97a2d2eb1c652b7dd4aa0bb8cee4814bab0cf61aecb84b32b57272541aa ccid_1.4.18.orig.tar.bz2
+# From http://cdn-fastly.deb.debian.org/debian/pool/main/c/ccid/ccid_1.4.26-1.dsc
+sha1 20e22c23b8458548a6b572b044e5dbe4ecdc42e5 ccid_1.4.26.tar.bz2
+sha256 3267bf708ab780c02f01f6241b7c7277cb892d30fd1179a9926a8cc0ca40be2f ccid_1.4.26.tar.bz2
diff --git a/package/ccid/ccid.mk b/package/ccid/ccid.mk
index cfe6d39..7fbf025 100644
--- a/package/ccid/ccid.mk
+++ b/package/ccid/ccid.mk
@@ -4,9 +4,9 @@
#
################################################################################
-CCID_VERSION = 1.4.18
-CCID_SOURCE = ccid_$(CCID_VERSION).orig.tar.bz2
-CCID_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/c/ccid
+CCID_VERSION = 1.4.26
+CCID_SOURCE = ccid_$(CCID_VERSION).tar.bz2
+CCID_SITE = https://alioth.debian.org/frs/download.php/file/4205
CCID_LICENSE = LGPL-2.1+
CCID_LICENSE_FILES = COPYING
CCID_INSTALL_STAGING = YES
^ permalink raw reply related
* [Buildroot] [git commit] package/acpica: bump version to 20170303
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=7fe176da86912220402c8fb47db3e3c9c780d98a
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/acpica/acpica.hash | 2 +-
package/acpica/acpica.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/acpica/acpica.hash b/package/acpica/acpica.hash
index 71c110b..d69279e 100644
--- a/package/acpica/acpica.hash
+++ b/package/acpica/acpica.hash
@@ -1,2 +1,2 @@
# locally computed hash
-sha256 dfb33db5599bd48134dbd6e50c8804099be0cf1c35d98975a6cb84dabca78b67 acpica-unix2-20161117.tar.gz
+sha256 b2d81e84107ac9a02be86ea43cbea7afa8fd4b4150270bc88c2d4c9fea0b8aad acpica-unix2-20170303.tar.gz
diff --git a/package/acpica/acpica.mk b/package/acpica/acpica.mk
index ebfa4b6..37e4941 100644
--- a/package/acpica/acpica.mk
+++ b/package/acpica/acpica.mk
@@ -4,7 +4,7 @@
#
################################################################################
-ACPICA_VERSION = 20161117
+ACPICA_VERSION = 20170303
ACPICA_SOURCE = acpica-unix2-$(ACPICA_VERSION).tar.gz
ACPICA_SITE = https://acpica.org/sites/acpica/files
ACPICA_LICENSE = BSD-3-Clause or GPL-2.0
^ permalink raw reply related
* [Buildroot] [git commit] package/acsccid: bump version to 1.1.4
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=ff75225568eea04a92e8cf5173be59635dc3e3dd
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/acsccid/acsccid.hash | 6 +++---
package/acsccid/acsccid.mk | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/acsccid/acsccid.hash b/package/acsccid/acsccid.hash
index 1bfe9e4..24d2fa7 100644
--- a/package/acsccid/acsccid.hash
+++ b/package/acsccid/acsccid.hash
@@ -1,3 +1,3 @@
-# From https://sourceforge.net/projects/acsccid/files/acsccid/1.1.1/
-sha1 ae340256bbba36032a903c9f89883297a31ca340 acsccid-1.1.1.tar.bz2
-md5 26dc34141188e64fa2b3545032060357 acsccid-1.1.1.tar.bz2
+# From https://sourceforge.net/projects/acsccid/files/acsccid/1.1.4/
+sha1 8c0b42ff79032289731916d18a2698b258dfd6a2 acsccid-1.1.4.tar.bz2
+md5 ac77b3aeae0a11723c96c7f98769490e acsccid-1.1.4.tar.bz2
diff --git a/package/acsccid/acsccid.mk b/package/acsccid/acsccid.mk
index 2fd2033..06a0418 100644
--- a/package/acsccid/acsccid.mk
+++ b/package/acsccid/acsccid.mk
@@ -4,7 +4,7 @@
#
################################################################################
-ACSCCID_VERSION = 1.1.1
+ACSCCID_VERSION = 1.1.4
ACSCCID_SOURCE = acsccid-$(ACSCCID_VERSION).tar.bz2
ACSCCID_SITE = http://downloads.sourceforge.net/acsccid
ACSCCID_LICENSE = LGPL-2.1+
^ permalink raw reply related
* [Buildroot] [git commit] package/libgpgme: bump version to 1.9.0
From: Peter Korsgaard @ 2017-04-26 7:20 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=0250b40b7423a374b622590ea1fb30d0ead90cae
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Removed configure option --with-gpg, it was removed upstream in 2013:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commitdiff;h=02ba35c1b6a2cbb3361b2f2ad507c53564b2be0b#patch3
[Peter: drop comment referring to --with-gpg option]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libgpgme/libgpgme.hash | 2 +-
package/libgpgme/libgpgme.mk | 5 ++---
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/package/libgpgme/libgpgme.hash b/package/libgpgme/libgpgme.hash
index 5ef7b0e..cf7c505 100644
--- a/package/libgpgme/libgpgme.hash
+++ b/package/libgpgme/libgpgme.hash
@@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
-sha256 d0abe1449395315eac37e4e45076bbb82732cedf94210937b37776e10cdc2bb6 gpgme-1.7.1.tar.bz2
+sha256 1b29fedb8bfad775e70eafac5b0590621683b2d9869db994568e6401f4034ceb gpgme-1.9.0.tar.bz2
diff --git a/package/libgpgme/libgpgme.mk b/package/libgpgme/libgpgme.mk
index 09b6fbe..5af2b5e 100644
--- a/package/libgpgme/libgpgme.mk
+++ b/package/libgpgme/libgpgme.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBGPGME_VERSION = 1.7.1
+LIBGPGME_VERSION = 1.9.0
LIBGPGME_SITE = ftp://ftp.gnupg.org/gcrypt/gpgme
LIBGPGME_SOURCE = gpgme-$(LIBGPGME_VERSION).tar.bz2
LIBGPGME_LICENSE = LGPL-2.1+
@@ -13,8 +13,7 @@ LIBGPGME_INSTALL_STAGING = YES
LIBGPGME_DEPENDENCIES = libassuan libgpg-error
LIBGPGME_LANGUAGE_BINDINGS = cl
-# libgpgme, needs to know the gpg binary path on the target.
-LIBGPGME_CONF_OPTS = --with-gpg=/usr/bin/gpg \
+LIBGPGME_CONF_OPTS = \
--with-gpg-error-prefix=$(STAGING_DIR)/usr \
--with-libassuan-prefix=$(STAGING_DIR)/usr \
--disable-gpgsm-test \
^ permalink raw reply related
* [Buildroot] [PATCH] uclibc: update to 1.0.24
From: Peter Korsgaard @ 2017-04-26 7:19 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170422225732.GA21566@waldemar-brodkorb.de>
>>>>> "Waldemar" == Waldemar Brodkorb <wbx@openadk.org> writes:
> Fixes aarch64 C++ issue. Removes old implementations for fnmatch/regex.
> Allow long double wrappers for all architectures.
> Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] package/bullet: bump to version 2.86.1
From: Peter Korsgaard @ 2017-04-26 7:13 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170425213202.5399-1-romain.naour@gmail.com>
>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] package/xenomai: fallback to http
From: Peter Korsgaard @ 2017-04-26 7:13 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170425212612.4612-1-romain.naour@gmail.com>
>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
> The https protocol return:
> "ERROR 503: Service Temporarily Unavailable"
> Fixes:
> http://autobuild.buildroot.net/results/120/12034603c46c8bd69590c88bbfe85261460b699c
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] imagemagick: add upstream security fix for CVE-2017-7606
From: Peter Korsgaard @ 2017-04-26 7:12 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170425153554.27006-1-peter@korsgaard.com>
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> This is not yet part of any release.
> coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of
> representable values of type unsigned char" undefined behavior issue, which
> might allow remote attackers to cause a denial of service (application
> crash) or possibly have unspecified other impact via a crafted image.
> For more details, see:
> https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH 2/2] libcroco: bump to version 0.6.12
From: Peter Korsgaard @ 2017-04-26 7:11 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170425141700.30077-2-peter@korsgaard.com>
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH 1/2] libcroco: add upstream security fixes
From: Peter Korsgaard @ 2017-04-26 7:11 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170425141700.30077-1-peter@korsgaard.com>
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> These have been added to upstream git after 0.6.12 was released.
> CVE-2017-7960 - The cr_input_new_from_uri function in cr-input.c in libcroco
> 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service
> (heap-based buffer over-read) via a crafted CSS file.
> CVE-2017-7961 - The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco
> 0.6.11 and 0.6.12 has an "outside the range of representable values of type
> long" undefined behavior issue, which might allow remote attackers to cause
> a denial of service (application crash) or possibly have unspecified other
> impact via a crafted CSS file.
> For more details, see:
> https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] python-web2py: security bump to version 2.14.6
From: Peter Korsgaard @ 2017-04-26 7:11 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170425134423.3313-1-peter@korsgaard.com>
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> CVE-2016-4806 - Web2py versions 2.14.5 and below was affected by Local File
> Inclusion vulnerability, which allows a malicious intended user to
> read/access web server sensitive files.
> CVE-2016-4807 - Web2py versions 2.14.5 and below was affected by Reflected
> XSS vulnerability, which allows an attacker to perform an XSS attack on
> logged in user (admin).
> CVE-2016-4808 - Web2py versions 2.14.5 and below was affected by CSRF (Cross
> Site Request Forgery) vulnerability, which allows an attacker to trick a
> logged in user to perform some unwanted actions i.e An attacker can trick an
> victim to disable the installed application just by sending a URL to victim.
> CVE-2016-10321 - web2py before 2.14.6 does not properly check if a host is
> denied before verifying passwords, allowing a remote attacker to perform
> brute-force attacks.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] minicom: security bump to version 2.7.1
From: Peter Korsgaard @ 2017-04-26 7:11 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170425114434.1728-1-peter@korsgaard.com>
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2017-7467 - minicom and prl-vzvncserver vt100.c escparms[] buffer
> overflow.
> For more details about the issue, see the nice writeup on oss-security:
> http://www.openwall.com/lists/oss-security/2017/04/18/5
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] busybox: no need to disable clear and reset
From: Peter Korsgaard @ 2017-04-26 7:10 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170424201323.30582-1-arnout@mind.be>
>>>>> "Arnout" == Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> writes:
> Removing clear and reset from the busybox config when the ncurses tools
> are enabled is not really needed.
> Since commit 802bff9c42, the busybox install will not overwrite
> existing programs. Therefore, the tools will be installed correctly
> regardless of the order of the build:
> - if busybox is built first, the clear and reset apps are installed,
> but they will be overwritten by ncurses;
> - if ncurses is built first, it will install the clear and reset apps,
> and busybox will no longer install them.
> We prefer not to modify the busybox configuration when not strictly
> necessary, because it is surprising for the user that his configuration
> is not applied. Clearly, it's not ideal that busybox is configured with
> redundant apps, but if the user wants to shrink it, it's possible to
> provide a custom config.
> This partially reverts commit 33c72344a8686a136c1da6a056ed6c0945bbf8b7.
> Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
> Cc: Danomi Manchego <danomimanchego123@gmail.com>
> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Committed, thanks!
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] docker-engine: project rename to moby
From: Peter Korsgaard @ 2017-04-26 7:09 UTC (permalink / raw)
To: buildroot
In-Reply-To: <CA+h8R2p-m7ZpxetdLYU+Gnr7uB2YL7KqU3Z-M0-CpX=mWm=7VA@mail.gmail.com>
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:
Hi,
> What does this mean for Docker in buildroot? Well, I can't even find a
> repository link for "docker-ce" on the website, only links to
> "download Docker from the Docker Store," which is really concerning to
> say the least. It seems the entire Docker project still exists in the
> Moby repo, and they are proceeding in development on the same codebase
> there (working on a v17.05.0-ce-rc1 release at the moment). For now, I
> don't think we should or can change anything. We may need to re-name
> "docker-engine" in the future or add a "moby" package.
> I'll keep an eye on how things progress.
Thanks for the heads up! I also saw the announcement and it is indeed
all quite confusing.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH 1/1] package/aircrack-ng: bump version to 1.2-rc4
From: Peter Korsgaard @ 2017-04-26 7:07 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170421141233.24645-1-bernd.kuhls@t-online.de>
>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:
> Removed patches applied upstream:
> 0001-Makefile-use-pkg-config-to-find-libpcre-it-s-more-cros.patch
> http://trac.aircrack-ng.org/changeset/2445
> 0002-Optionally-use-LIBPCAP-for-required-libpcap-libraries.patch
> http://trac.aircrack-ng.org/changeset/2446
> 0003-Wesside-ng-Use-termios-instead-of-sys-termios.patch
> http://trac.aircrack-ng.org/changeset/2533
> Added option to disable stack-protector support auto-detection in gcc.
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH 1/1] package/pcsc-lite: bump version to 1.8.20
From: Peter Korsgaard @ 2017-04-26 7:06 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170421135351.8992-1-bernd.kuhls@t-online.de>
>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox