Commit Graph

1166 Commits

Author SHA1 Message Date
Felix Fietkau
0a4a0c7193 libubox: update to the latest version
ea56013409d5 jshn.sh: add json_add_fields function for adding multiple fields at once

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:23 +02:00
Chukun Pan
ffd29a55c3 libnl-tiny: update to the latest version
c42d890 build static library
28c44ca genl_family: explicitly null terminate
                     strncpy destination buffer

This fixes the compilation with gcc 12.

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-10-09 22:52:48 +02:00
Daniel Cousens
3bd04767ba
build: prefer HTTPS if available (for packages)
Changes PKG_SOURCE_URL's for arptables, bsdiff, dnsmasq,
fortify-headers, ipset, ipset-dns, libaudit, libpcap, libressl,
lua, lua5.3, tcpdump and valgrind, to HTTPS

Signed-off-by: Daniel Cousens <github@dcousens.com>
2022-10-05 17:37:07 +02:00
Petr Štetiar
f1b7e1434f treewide: fix security issues by bumping all packages using libwolfssl
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-03 17:52:06 +02:00
Nick Hainke
4f70380ff1 libtracefs: update to 1.5.0
Changes:
93f4d52 libtracefs: version 1.5
bc857db libtracefs: Add tracefs_u{ret}probe_alloc to generic man page
db55441 libtracefs: Add tracefs_debug_dir() to generic libtracefs man page
d2d5924 libtracefs: Add test instructions for openSUSE
4a7b475 libtracefs: Fix test suite typo
ee8c644 libtracefs: Add tracefs_tracer_available() helper
799d88e libtracefs: Add API to set custom tracing directory
1bb00d1 libtracefs: allow pthread inclusion overrideable in Makefile
04651d0 libtracefs sqlhist: Allow pointers to match longs
9de59a0 libtracefs: Remove double free attempt of new_event in tracefs_synth_echo_cmd()
0aaa86a libtracefs: Fix use after free in tracefs_synth_alloc()
d2d5340 libtracefs: Add missed_events to record
9aaa8b0 libtracefs: Set the number of CPUs in tracefs_local_events_system()
56a0ba0 libtracefs: Return negative number when tracefs_filter_string_append() fails
c5f849f libtracefs: Set the long size of the tep handle in tracefs_local_events_system()
5c8103e revert: 0de961e74f96 ("libtracefs: Set visibility of parser symbols as 'internal'")

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
cef2ec62ab libtraceevent: update to 1.6.3
Changes:
fda4ad9 libtraceevent: version 1.6.3
d02a61e libtraceevent: Add man pages for tep_plugin_kvm_get/put_func()
6643bf9 libtraceevent: Have kvm_exit/enter be able to show guest function
a596299 libtraceevent: Add tep_print_field() to check-manpages.sh deprecated
065c9cd libtraceevent: Add man page documentation of tep_get_sub_buffer_size()
6e18ecc libtraceevent: Add man page for tep_plugin_add_option()
6738713 libtraceevent: Add some missing functions to generic libtraceevent man page
deefe29 libtraceevent: Include meta data functions in libtraceevent man pages
cf6dd2d libtraceevent: Add tep_get_function_count() to libtraceevent man page
5bfc11e libtraceevent: Add printk documentation to libtraceevent man page
65c767b libtraceevent: Update man page to reflect tep_is_pid_registered() rename
7cd173f libtraceevent: Add check-manpages.sh
fd6efc9 libtraceevent: Documentation: Correct typo in example
5c375b0 libtraceevent: Fixing linking to C++ code
7839fc2 libtraceevent: Makefile - set LIBS as conditional assignment
c5493e7 libtraceevent: Remove double assignment of val in eval_num_arg()
efd3289 libtraceevent: Add warnings if fields are outside the event

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
d327466149 popt: update to 1.19
Add patch to fix compilation:
- 100-configure.ac-remove-require-gettext-version.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
04119d7cce libcap: update to 2.66
4f96e67 Up the release version to 2.66
60ff008 Fix typos in the cap_from_text.3 man page.
281b6e4 Add captrace to .gitignore file
09a2c1d Add an example of using BPF kprobing to trace capability use.
26e3a09 Clean up getpcaps code.
fc804ac getpcaps: catch PID parsing errors.
fc437fd Fix an issue with bash displaying an error.
7db9589 Some more simplifications for building
27e801b Fix for "make clean ; make -j48 test"

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Petr Štetiar
ec8fb542ec wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:53:56 +02:00
Petr Štetiar
a0cd133fde Revert "wolfssl: fix TLSv1.3 RCE in uhttpd by using latest 5.5.1-stable release"
This reverts commit a596a8396b as I've
just discovered private email, that the issue has CVE-2022-39173
assigned so I'm going to reword the commit and push it again.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:53:12 +02:00
Petr Štetiar
8ad9a72cbe wolfssl: refresh patches
So they're tidy and apply cleanly.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:36:19 +02:00
Petr Štetiar
a596a8396b wolfssl: fix TLSv1.3 RCE in uhttpd by using latest 5.5.1-stable release
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:36:19 +02:00
Kevin Darbyshire-Bryant
dafa663012 sysfsutils: Define START early in file
The luci ucode rewrite exposed the definition of START as being over 1K
from start of file.  Initial versions limited the search for START &
STOP to within the 1st 1K of a file.  Whilst the search has been
expanded, it doesn't do any harm to define START early in the file like
all other init scripts seen so far.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-09-26 17:58:32 +01:00
Eneas U de Queiroz
d08c9da43c
wolfssl: prefer regular libwolfssl over cpu-crypto
Rename libwolfssl-cpu-crypto to libwolfsslcpu-crypto so that the
regular libwolfssl version comes first when running:
opkg install libwolfssl

Normally, if the package name matches the opkg parameter, that package
is preferred.  However, for libraries, the ABI version string is
appended to the package official name, and the short name won't match.
Failing a name match, the candidate packages are sorted in alphabetical
order, and a dash will come before any number.  So in order to prefer
the original library, the dash should be removed from the alternative
library.

Fixes: c3e7d86d2b (wolfssl: add libwolfssl-cpu-crypto package)
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-09-25 15:19:10 +02:00
Eneas U de Queiroz
50d0b41b38
wolfssl: ABI version shouldn't depend on benchmark
Move CONFIG_PACKAGE_libwolfssl-benchmark from the top of
PKG_CONFIG_DEPENDS to after PKG_ABI_VERSION is set.

This avoids changing the ABI version hash whether the bnechmark package
package is selected or not.

Fixes: 05df135cac (wolfssl: Rebuild when libwolfssl-benchmark gets changes)
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-09-25 15:19:07 +02:00
Daniel Golle
1c785d2567 packages: libusb: add package 'fxload' (from libusb examples)
The 'fxload' tool contained in the examples provided with libusb is
actually useful and turns out to be the only way to load firmware into
some rather ancient EZ-USB microcontrollers made by Cypress (formerly
Anchor Chips).
The original 'fxload' tool from hotplug-linux has been abandonned long
ago and requires usbfs to be mounted in /proc/bus/usb/ (like it was in
Linux 2.4...).
Hence the best option is to package the modern 'fxload' from the libusb
examples which (unsurprisingly) uses libusb and works on modern
systems.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-09-17 00:44:08 +01:00
Eneas U de Queiroz
c3e7d86d2b
wolfssl: add libwolfssl-cpu-crypto package
libwolfssl-cpu-crypto is a variant of libwolfssl with support for
cryptographic CPU instructions on x86_64 and aarch64.

On aarch64, wolfSSL does not perform run-time detection, so the library
will crash when the AES functions are called.  A preinst script attempts
to check for support by querying /proc/cpuinfo, if installed in a
running system.  When building an image, the script will check the
DISTRIB_TARGET value in /etc/openwrt_release, and will abort
installation if target is bcm27xx.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-09-16 08:30:26 +02:00
Ilya Katsnelson
e8135247c1
libcap: use more compatible shebang
Patch a script to use a shebang that works on systems that don't have
a /bin/bash, e.g. NixOS or GuixSD.

Signed-off-by: Ilya Katsnelson <me@0upti.me>
2022-09-14 00:06:18 +02:00
Nick Hainke
f42e24f19d libbsd: update to 0.11.6
Update to latest version. Needs libmd.

Old size:
37615	libbsd0_0.10.0-1_aarch64_cortex-a53.ipk
new size (libmd linked static):
38514	libbsd0_0.11.6-1_aarch64_cortex-a53.ipk

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-11 01:30:11 +02:00
Nick Hainke
89a3987607 libmd: add library providing message digest functions
This library is needed by >= libbsd-0.11.3.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-11 01:30:11 +02:00
Nick Hainke
7cae914939 libunwind: update to 1.6.2
Remove upstreamed:
- 001-Don-t-force-exec_prefix-lib64-libdir-on-ppc64.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-07 04:22:40 +01:00
Nick Hainke
d40948b35d libsepol: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:48 +01:00
Nick Hainke
17dd8c7305 libselinux: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:48 +01:00
Nick Hainke
79f3e6e2c1 libnfnetlink: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:45 +01:00
Nick Hainke
7ea924d74f libmnl: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:44 +01:00
Nick Hainke
5bc8e5a5a9 libnl: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:41 +01:00
Nick Hainke
f93795cd90 jansson: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:40 +01:00
Nick Hainke
2091a76d34 libusb: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:38 +01:00
Nick Hainke
f9a502c721 libcap: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:34:52 +01:00
Nick Hainke
e7661c64c3 nettle: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:34:26 +01:00
Ivan Pavlov
3d88f26d74 wolfssl: bump to 5.5.0
Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch

Some low severity vulnerabilities fixed
OpenVPN compatibility fixed (broken in 5.4.0)
Other fixes && improvements

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2022-09-02 21:56:25 +02:00
Nick Hainke
bae87942bc nettle: update to 3.8.1
Release Notes:
https://lists.gnu.org/archive/html/info-gnu/2022-07/msg00010.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-31 23:25:39 +02:00
Nick Hainke
f15137c455 readline: update to 8.1.2
Update to latest version.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-31 23:25:39 +02:00
Hauke Mehrtens
05df135cac wolfssl: Rebuild when libwolfssl-benchmark gets changes
This forces a rebuild of the wolfssl package when the
libwolfssl-benchmark OpenWrt package gets activated or deactivated.
Without this change the wolfssl build will fail when it compiled without
libwolfssl-benchmark before and it gets activated for the next build.

Fixes: 18fd12edb8 ("wolfssl: add benchmark utility")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-28 21:42:26 +02:00
Nick Hainke
85c0cef461 popt: update to 1.18
Changes from popt 1.16:
- fix an ugly and ancient security issue with popt failing to drop privileges on alias exec from a SUID/SGID program
- perform rudimentary sanity checks when reading in popt config files
- collect accumulated misc fixes (memleaks etc) from distros
- convert translations to utf-8 encoding
- convert old postscript documentation to pdf
- dust off ten years worth of autotools sediment
- reorganize and clean up the source tree for clarity
- remove the obnoxious splint annotations from the sources

Switch to new mirror:
http://ftp.rpm.org/popt/releases/

Switch URL to:
https://github.com/rpm-software-management/popt

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 18:29:10 +02:00
Nick Hainke
ce28f303e8 libnftnl: update to 1.2.3
Changes:
817c8b6 build: libnftnl 1.2.3 release
84d12cf build: fix clang+glibc snprintf substitution error

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 18:29:10 +02:00
Hauke Mehrtens
f3870546a5 mbedtls: update to version 2.28.1
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

The build problem was reported upstream:
https://github.com/Mbed-TLS/mbedtls/issues/6243

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-28 12:37:54 +02:00
Petr Štetiar
f443e9de70 zlib: backport null dereference fix
The curl developers found test case that crashed in their testing when
using zlib patched against CVE-2022-37434, same patch we've backported
in commit 7df6795d4c ("zlib: backport fix for heap-based buffer
over-read (CVE-2022-37434)"). So we need to backport following patch in
order to fix issue introduced in that previous CVE-2022-37434 fix.

References: https://github.com/curl/curl/issues/9271
Fixes: 7df6795d4c ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-08-09 08:08:08 +02:00
Jo-Philipp Wich
737671bcce jansson: revert ABI version bump
The soversion of the shipped libjansson.so library didn't change, so the
ABI version change is unwarranted and leads to opkg file clashes.

Also stop shipping an unversioned library symlink while we're at it as
it only needed at compile/link time and leading to file level clashes
between packages on future ABI bumps.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-09 00:20:09 +02:00
Nick Hainke
6d84e78cd9 libtracefs: add Linux kernel trace file system library
Needed by trace-cmd.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-06 19:58:46 +02:00
Nick Hainke
b108810601 libtraceevent: add Linux kernel trace event library
Needed by trace-cmd.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-06 19:58:46 +02:00
Nick Hainke
0cb1ce9748 elfutils: update to 0.187
Changes:
debuginfod: Support -C option for connection thread pooling.

debuginfod-client: Negative cache file are now zero sized instead of
                   no-permission files.

addr2line: The -A, --absolute option, which shows file names including
           the full compilation directory is now the default.  To get the
           old behavior use the new option --relative.

readelf, elflint: Recognize FDO Packaging Metadata ELF notes

libdw, debuginfo-client: Load libcurl lazily only when files need to
                         be fetched remotely. libcurl is now never
                         loaded when DEBUGINFOD_URLS is unset. And when
                         DEBUGINFOD_URLS is set, libcurl is only loaded
                         when the debuginfod_begin function is called.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-06 19:58:46 +02:00
Petr Štetiar
7df6795d4c zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
in inflate in inflate.c via a large gzip header extra field. NOTE: only
applications that call inflateGetHeader are affected. Some common
applications bundle the affected zlib source code but may be unable to
call inflateGetHeader.

Fixes: CVE-2022-37434
References: https://github.com/ivd38/zlib_overflow
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-08-06 15:00:08 +02:00
Mark Mentovai
beeb49740b libmnl: fix build when bash is not located at /bin/bash
This fixes the libmnl build on macOS, which ships with an outdated bash
at /bin/bash. During the OpenWrt build, a modern host bash is built and
made available at staging_dir/host/bin/bash, which is present before
/bin/bash in the build's PATH.

This is similar to 8f7ce3aa6d, presently appearing at
package/kernel/mac80211/patches/build/001-fix_build.patch.

Signed-off-by: Mark Mentovai <mark@mentovai.com>
2022-07-31 20:30:20 +02:00
Boris Krasnovskiy
d94c94d795 ustream-ssl: prevent unused crypto lib dependencies from being compiled
Prevented unused crypto lib dependencies from being compiled

Signed-off-by: Boris Krasnovskiy <borkra@gmail.com>
2022-07-31 00:11:21 +02:00
John Audia
c2aa816f28 wolfssl: fix math library build
Apply upstream patch[1] to fix breakage around math libraries.
This can likely be removed when 5.5.0-stable is tagged and released.

Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B

1. https://github.com/wolfSSL/wolfssl/pull/5390

Signed-off-by: John Audia <therealgraysky@proton.me>
2022-07-31 00:11:21 +02:00
Nick Hainke
7455457893 libcap: update to 2.65
Changes:
a47d86d Up the release version to 2.65
fc99e56 Include more signatures in pgp.keys.asc.
52288cc Close out this comment in the go/Makefile
eb0f1df Prevent 'capsh --user=xxx --' from generating a bash error.
9a95791 Improve documentation for cap_get_pid and cap_reset_ambient.
21d08b0 Fix syntax error in DEBUG protected setcap.c code.
9425048 More useful captree usage string and man page.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-30 23:50:44 +02:00
Nick Hainke
97daddffd0 libcap: update to 2.64
Changes:
38cfa2e Up the release version to 2.64
7617af6 Avoid a deadlock in forked psx thread exit.
fc029cb Include LIBCAP_{MAJOR,MINOR} #define's in sys/capability.h
ceaa591 Clarify how the cap_get_pid() argument is interpreted.
15cacf2 Fix prctl return code/errno handling in libcap.
aae9374 Be explicit about CGO_ENABLED=1 for compare-cap build.
66a8a14 psx: free allocated memory at exit.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-30 23:50:44 +02:00
Jo-Philipp Wich
0063e3421d wolfssl: make shared again
Disable the usage of target specific CPU crypto instructions by default
to allow the package being shared again. Since WolfSSL does not offer
a stable ABI or a long term support version suitable for OpenWrt release
timeframes, we're forced to frequently update it which is greatly
complicated by the package being nonshared.

People who want or need CPU crypto instruction support can enable it in
menuconfig while building custom images for the few platforms that support
them.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-07-30 12:21:54 +02:00
Hauke Mehrtens
d1b5d17d03 wolfssl: Do not activate HW acceleration on armvirt by default
The armvirt target is also used to run OpenWrt in lxc on other targets
like a Raspberry Pi. If we set WOLFSSL_HAS_CPU_CRYPTO by default the
wolfssl binray is only working when the CPU supports the hardware crypto
extension.

Some targets like the Raspberry Pi do not support the ARM CPU crypto
extension, compile wolfssl without it by default. It is still possible
to activate it in custom builds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-07-20 17:02:45 +02:00