This project is mirrored from git://git.buildroot.net/buildroot.
- Oct 02, 2022
-
-
Peter Korsgaard authored
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
- Sep 30, 2022
-
-
Fabrice Fontaine authored
Tinyproxy commit 84f203f and earlier does not process HTTP request lines in the process_request() function and is using uninitialized buffers. This vulnerability allows attackers to access sensitive information at system runtime. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit eedd93f0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Lang Daniel authored
libgbm isn't output/target specific, only one version is included in gpu-core/usr/lib/libgbm.so. Similarly only gbm.pc is included and not gbm_x11.pc. Signed-off-by: Daniel Lang <d.lang@abatec.at> Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 711ec0ce) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Joel Stanley authored
This uses a newer firmware implementation that is much faster at booting. It is supported as of Qemu 7.0. Signed-off-by: Joel Stanley <joel@jms.id.au> Reviewed-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 1fca0982) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
Currently, with a configuration with an internal toolchain, and no other package is selected [0], especially when one wants to generate an SDK or a pre-built, pre-installed toolchain, running 'make' will only build glibc (and its dependencies), and not the full toolchain, as one would have expected, so there would be no host-final-gcc.

The reason is that 'toolchain' is a virtual package, so it is excluded from PACKAGES, the list of packages enabled in the configuration, so it is not a dependency of target-finalize, and so nothing pulls it in the build.

The reason for excluding virtual packages from that list is not obvious.

When virtual packages were introduced in 74398244 (packages: add infrastructure for virtual packages), there was no BR2_PACKAGE_FOO symbol for virtual packages (but there was BR2_PACKAGE_HAS_FOO), so there was no telling that the virtual package was enabled, like we had for the other kinds of packages (normal, bootloader, toolchain, or linux kernel).

That caused issues, so in f674c428 (core/pkg-virtual: do not check they are neabled [sic]), and then 3e1b33a5 (pkg-generic: improve incorrectly used package detection), we explicitly excluded the virtual packages from causing a build failure when something depended on them, as we could not yet know whether a virtual package was actually enabled or not.

Then, in 842ba7ec (pkg-generic: fix rdepends and phony targets of virtual packages), we eventually associated a virtual package to its BR2_PACKAGE_HAS_FOO, which allows treating virtual packages like the other kinds of packages. There, we explicitly kept virtual packages out of the list, though (the reasoning was that virtual packages install nothing in host/ or target/, so they do not directly contribute to the final content, so we do not need to rsync them, so this was an optimisation).

However, virtual packages are in fact actual generic packages, and it is possible for virtual packages to actually provide content for the final image. Even though we do not have any virtual package that has actual _INSTALL_CMDS, we still have udev that provides a user for example; virtual packages in br2-external trees may also very well provide install commands (e.g. to install files common to their various implementations).

So, there is currently no technical reason to exclude virtual packages from PACKAGES, the list of packages enabled in the configuration.

Drop the excluding condition, and always add enabled packages, whatever their kind, to the list of enabled packages.

[0] defconfig to reproduce the issue:
    BR2_INIT_NONE=y
    BR2_SYSTEM_BIN_SH_NONE=y
    # BR2_PACKAGE_BUSYBOX is not set
    # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
    # BR2_TARGET_ROOTFS_TAR is not set

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 02fe7c74) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Thomas Petazzoni authored
Our current heirloom-mailx package is affected by CVE-2014-7844. It has been fixed by a Debian patch 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch, but it does rely on other Debian patches as well. Instead of bringing those patches locally, we just update the package to use version 12.5-5 from Debian, including its patches. The local patch 0001-Patched-out-SSL2-support-since-it-is-no-longer-suppo.patch is removed as it is part of the Debian patches. The remaining patch 0002-fix-libressl-support.patch is renumbered. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 15972770) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Baruch Siach authored
Update the listed versions to match current status since commit b4d9b515 ("configs/solidrun_macchiatobin: bump BSP components"). All components are now from upstream so no need to state that for each one. Cc: Sergey Matyukevich <geomatsi@gmail.com> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 3f0ee529) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Michael Klein authored
Any .pyc files generated by the pycompile script during target finalization are currently counted in the "Unknown" package, because packages-file-list.txt only contains the source .py file. If a .py file is added to filesdict, add the corresponding .pyc file as well. Signed-off-by: Michael Klein <m.klein@mvz-labor-lb.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Petr Vorel authored
It was fixed for musl during conversion to the new API in 0f519d0da (released in 20220527). Signed-off-by: Petr Vorel <petr.vorel@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 68c32ce3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Thomas Petazzoni authored
This issue was reported by Firas Khalil Khana on a Github pull request at https://github.com/buildroot/buildroot/pull/113/ . There is no --disable-static in m4. Research in the dark corners of the Git history has shown that it was apparently added by Peter Korsgaard back in 2009, in commit 3467cf73 ("m4: cleanup"). At this time, the version of m4 used was 1.4.9, but even looking at the tarball of this old release shows that the ./configure did not support --disable-static. So let's drop this option. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit bddc64e8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
Commit bf446513 (ncurses: fix hanging installation due to old version of tic) introduced the build of the host tic, to be used by the target ncurses.

That commit purportedly built a static tic, but that is (at least now) wrong: there is nothing that makes the build of tic static. Initially, host-ncurses was configured with --without-shared, but that only drives whether to generate shared libs or not, it does not drive whether to do a shared or static link of executables. And in any case, in af23d762 (ncurses: enable shared library build on the host) we explicitly stopped requesting the build of a static library, to instead require the build of a shared library. So, we never had a statically linked tic ever.

Furthermore, we override the _BUILD_CMDS, but we do not provide any _INSTALL_CMDS. As a consequence, the full ncurses is installed, not just tic. And since we override the _BUILD_CMDS, the libraries are not built, so they get built during the install step. And we do indeed need the libraries (host-gettext needs them), and not just tic.

So, just drop our custom _BUILD_CMDS and just build the whole package with the default settings. We keep the explicit use of --with-shared, as this is not the standard flag (--enable-shared) and it is not obvious what the default is.

The set of files installed before and after this change is exactly the same, and tic still is an "ELF 64-bit LSB shared object" with a RUNPATH that still correctly points to $(HOST_DIR)/lib

To be noted: there is no regression in build time either, since we were already building everything anyway.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 8b15de20) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Giulio Benetti authored
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 71d35a41) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Giulio Benetti authored
By default package rtl8812au-aircrack-ng uses CONFIG_PLATFORM_I386_PC that defines -DCONFIG_LITTLE_ENDIAN and this can't be overridden since the USER_EXTRA_CFLAGS are assigned to EXTRA_CFLAGS in the beginning of Makefile while -DCONFIG_LITTLE_ENDIAN is assigned later.

Instead of using the default CONFIG_PLATFORM_I386_PC let's set it to 'n' and let's use the same defines it uses:
    -DCONFIG_IOCTL_CFG80211 -DRTW_USE_CFG80211_STA_EVENT
This way -DCONFIG_BIG_ENDIAN can be defined without the conflict of being defined with the default -DCONFIG_LITTLE_ENDIAN.

Let's also add Linux config FIXUPS to build the module correctly.

Fixes: http://autobuild.buildroot.net/results/2e4ee705d0e2b728f102aac4e6729f11ef22be36/

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 003ed345) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
- Sep 29, 2022
-
-
Kyle Harding authored
Fixes the following security issue: CVE-2022-3204: The NRDelegation Attack can exploit resolvers by having a malicious delegation with a considerable number of non responsive nameservers. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound 1.16.3 includes fixes for better performance when under load. https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt Signed-off-by: Kyle Harding <kyle@balena.io> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 5560bc6c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
v3.21 (2022-06-13)
    xt_ECHO: support flowi6_to_flowi_common starting Linux 5.10.121
v3.20 (2022-04-10)
    Support for Linux 5.17
v3.19 (2022-02-01)
    bumped minimum supported kernel version from 4.15 to 4.16
    xt_condition: make mutex per-net
    xt_ipp2p: add IPv6 support
    xt_ECHO, xt_TARPIT: do not build IPv6 parts if kernel has IPv6 build-time disabled
v3.18 (2021-03-11)
    xt_pknock: fix a build failure on ARM 32-bit

https://fossies.org/linux/privat/xtables-addons-3.21.tar.xz/xtables-addons-3.21/doc/changelog.rst

Fixes: - http://autobuild.buildroot.org/results/b8f5f65cec1bd5c859f4a1fae4508900df362add

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 6e6ccf06) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Giulio Benetti authored
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit e385856f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Peter Seiderer authored
No review/patches from my side the last few months, so drop my DEVELOPERS entry. Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 094e87c8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
http://git.haproxy.org/?p=haproxy-2.6.git;a=blob;f=CHANGELOG;h=5e4ca2c913fa117587652a6a08844e3e2e3b62eb;hb=987a4e248bbccf4bffe955b27ccfbcbb626348c2 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit ac70f179) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
https://github.com/pupnp/pupnp/blob/release-1.14.13/ChangeLog Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit a9ee25b0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
James Hilliard authored
Signed-off-by: James Hilliard <james.hilliard1@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 0de119a1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
James Hilliard authored
Signed-off-by: James Hilliard <james.hilliard1@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit a09768a3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Nicola Di Lieto authored
This new version includes https://github.com/ndilieto/uacme/commit/9f3e5eae05ee4170872807cd2d7736072b04f8e5 which fixes the build with mbedtls 2.x. Fixes: http://autobuild.buildroot.org/results/8fa4f0d2821796be312b366be2f095be07dd7b1e Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit c5131e5d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Nicola Di Lieto authored
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit de34ba06) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Giulio Benetti authored
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 5b6f4728) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Giulio Benetti authored
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 4dc0b17f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Francois Perrad authored
Signed-off-by: Francois Perrad <francois.perrad@gadz.org> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 537ea85f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Francois Perrad authored
Signed-off-by: Francois Perrad <francois.perrad@gadz.org> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit cbddb02f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Joachim Wiberg authored
Signed-off-by: Joachim Wiberg <troglobit@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 48810c22) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Quentin Schulz authored
The patches have been used by Alpine for 5 months now and they were posted on the Busybox mailing list mid-July with no review or comment. According to Ariadne Conill[1] - though NVD CVSS 3.x Base Score seems to disagree - this has a low security impact so we could probably just wait for upstream to merge the patches or implement it the way they want. Considering those patches have been public for 5 months and upstream hasn't acted until now, let's take the patches from the mailing list anyway as there's no indication the CVEs will be fixed upstream soon. [1] https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661 Cc: Quentin Schulz <foss+buildroot@0leil.net> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 4a03d171) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Quentin Schulz authored
This fixes CVE-2022-30065 by backporting a patch from the master branch. Cc: Quentin Schulz <foss+buildroot@0leil.net> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit c367b2dc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit d7561a8c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
As explained in bug #14796, there are situations where the seccomp based sandboxing in openssh can get confused, leading to connection issues.

As explained by Thomas in the bug report:

glibc does not care about the kernel headers when deciding whether to try the clock_gettime64() syscall or not: it always uses it, and if that fails at runtime, it falls back to clock_gettime(). This is how glibc ends up using clock_gettime64() even if your kernel does not support it.

On the other hand, the OpenSSL seccomp code relies on kernel headers to decide whether the clock_gettime64() syscall should be in the allowed list of syscalls or not.

So when you are in a situation where glibc is recent, but your kernel is older, you get into precisely the problem you have: glibc tries to use clock_gettime64, but OpenSSH seccomp configuration prevents that, which does not allow glibc to gracefully fall back to clock_gettime (as seccomp is configured to kill the process on filter violations).

As a workaround, add a _OPENSSH_SANDBOX option (defaulting to y) to decide if sandboxing should be used or not.

--with-sandbox expects the type of sandboxing to use, and if not specified, will use the first one available in a list: pledge, systrace, darwin, seccomp, capsicum, rlimit. On Linux, only seccomp and rlimit are available, and rlimit probably does not bring much security-wise, so in all practical matters, on Linux, sandboxing uses seccomp or there is no sandboxing, so let's just disable sandboxing when we do not want to use seccomp, and let configure detect seccomp when we request sandboxing.

Fixes (works around) #14796

Signed-off-by: Peter Korsgaard <peter@korsgaard.com> [yann.morin.1998@free.fr: add § about sandboxing types] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit f204766b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
Commit af494d92 (utils/genrandconfig: disable libopenssl without atomics) introduced a code-style issue that flake8 does not like:

    $ make check-flake8
    utils/genrandconfig:253:8: E713 test for membership should be 'not in'
    1 E713 test for membership should be 'not in'

Fixes: af494d92

https://gitlab.com/buildroot.org/buildroot/-/jobs/3045260108

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit fa538315) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Commit b936a95d (package/openssh: bump to version 9.0p1) dropped the patch touching m4/openssh.m4, but forgot to remove autoreconf. Fix that. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 7719e452) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
libopenssl needs atomic or the build will fail (e.g. on sparcv8 without libatomic):

    ${LDCMD:-/nvmedata/autobuild/instance-7/output-1/host/bin/sparc-buildroot-linux-uclibc-gcc} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O0 -g2 -g2 -L. \
    -o apps/openssl apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_client.o apps/s_server.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/storeutl.o apps/ts.o apps/verify.o apps/version.o apps/x509.o \
    apps/libapps.a -lssl -lcrypto -ldl
    /nvmedata/autobuild/instance-7/output-1/host/lib/gcc/sparc-buildroot-linux-uclibc/10.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: ./libssl.so: undefined reference to `__atomic_fetch_sub_4'

It should be noted that openssl3 has added OPENSSL_DEV_NO_ATOMICS but "this is intended for internal development only, to check the refcounting is properly coded. It should never become a configuration option, hence the name of the macro.": https://github.com/openssl/openssl/commit/503d4745a115b82db01c1fb22baaddb153d27cdb

Atomics are not available in Buildroot if:
    - architecture is 32 bit and something other than ARM or xtensa, and
    - GCC < 4.8 or no threads or FLAT.

The nothreads case can theoretically happen in many different situations, but in practice nobody disables threads. So the only interesting case is the FLAT case. Since ARM and RISC-V 64 both have atomics intrinsics, that leaves just m68k NOMMU as FLAT. So this is truly a corner case.

The proper solution would be to patch GCC to also provide libatomic in those cases.
    - For nothreads, atomics are in fact not needed, so libatomic can simply be implemented as stubs.
    - For FLAT, it's probably just a matter of having a match to uclinux in libatomic/configure.tgt.
Again, though, this happens only in such niche cases that it's not worth working on it.

Fixes: - http://autobuild.buildroot.org/results/bce526d538f43a541fdfbc0c9b4a7cecebbbc539

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Arnout Vandecappelle <arnout@mind.be> (cherry picked from commit af494d92) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
libexpat before 2.4.9 (which is still not released) has a use-after-free in the doContent function in xmlparse.c. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit d8c044f5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Fix CVE-2022-29187: Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks. https://github.com/git/git/blob/v2.31.4/Documentation/RelNotes/2.31.4.txt Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 15293e03) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
James Hilliard authored
This needs to be set based on BR2_PACKAGE_LLVM_RTTI being set. Fixes: - http://autobuild.buildroot.net/results/e2ebc9a73ed421aa6be44fe41bb5224cc12f699d Signed-off-by: James Hilliard <james.hilliard1@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit a7f854bc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
Lang Daniel authored
The logic implemented in e745c0b9 to stop makedevs from recursively running chmod() on dangling symlinks excluded everything that isn't a symlink. Other file types or directories are skipped/ignored. Logic has been updated to exit the function if mode shouldn't be changed or if path is a dangling symlink. Signed-off-by: Daniel Lang <d.lang@abatec.at> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit d6d8d60e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
- Sep 28, 2022
-
-
Fabrice Fontaine authored
Fix the following build failure with sh4{a,eb,aeb} probably raised since the addition of the package in commit e43da7bb: ERROR: Unknown or unidentifiable processor "sh4a" Fixes: - http://autobuild.buildroot.org/results/fb6885a8a299f20ed77e4c10b330d2a2a7853931 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit dbff193c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-