When compiling OpenWRT on a compressed btrfs volume the build fails in
libtool.
The file `libltdl/config/ltmain.m4sh` from `libtool-2.4.2.tar.xz` is
missing write permissions, therefore patch falls back to copying the
file and patching that. During this patch tries to preserve all file
attribute on the new copy.
However the attribute `btrfs.compression` is privileged and btrfs return
EACCES.
While patch ignores multiple other error codes during the copy of xattr
copy it is not prepared for EACCES and aborts.
EACCES should be ignored the same way as the other errors.
Build log:
```
...
Applying ./patches/000-relocatable.patch using plaintext:
patching file libltdl/config/general.m4sh
patching file libtoolize.in
patching file libtoolize.m4sh
patching file libltdl/m4/libtool.m4
Applying ./patches/100-libdir-fixes.patch using plaintext:
patching file libltdl/config/ltmain.m4sh
File libltdl/config/ltmain.sh is read-only; trying to patch anyway
patching file libltdl/config/ltmain.sh
patch: setting attribute btrfs.compression for btrfs.compression: Permission denied
Patch failed! Please fix ./patches/100-libdir-fixes.patch!
```
Link: https://lists.gnu.org/archive/html/bug-patch/2022-11/msg00000.html
Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
GNU patch through 2.7.6 is vulnerable to OS shell command injection that
can be exploited by opening a crafted patch file that contains an ed style
diff payload with shell metacharacters. The ed editor does not need to be
present on the vulnerable system. This is different from CVE-2018-1000156.
https://nvd.nist.gov/vuln/detail/CVE-2019-13638
Signed-off-by: Russell Senior <russell@personaltelco.net>
In GNU patch through 2.7.6, the following of symlinks is mishandled in
certain cases other than input files. This affects inp.c and util.c.
https://nvd.nist.gov/vuln/detail/CVE-2019-13636
Signed-off-by: Russell Senior <russell@personaltelco.net>
uscan reports a new CVE now that PKG_CPE_ID was added.
Reordered patches by date.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[re-title commit & refresh patches]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Apply two upstream patches to address two CVEs:
* CVE-2018-1000156
* CVE-2018-6952
Add PKG_CPE_ID to Makefile.
Build tested on apm821xx and ar71xx.
Signed-off-by: Russell Senior <russell@personaltelco.net>
Bump GNU patch in tools from 2.7.1 to 2.7.5.
Change download URL to use @GNU alias.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 44760
following patch allows to build images for Qemu ARM on
OpenBSD 5.2 amd64 and FreeBSD 9.1 amd64.
Mostly small pieces of code changes to get things right on the
specific platform.
Updated the README to describe better, which tools on the host
are required. Added some kind of prepare scripts to install needed
tools on BSD via packages.
Signed-off-by: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
SVN-Revision: 35900