Commit Graph

1271 Commits

Author SHA1 Message Date
Hauke Mehrtens
d773fe5411 mbedtls: Update to version 2.28.4
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-08-11 11:03:08 +02:00
Ivan Pavlov
92602f823a openssl: update to 3.0.10
Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
 * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
 * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
 * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2023-08-09 21:03:59 +03:00
Nick Hainke
a8c84b550b libtracefs: update to 1.7.0
ChangeLog:
aebab37 libtracefs: version 1.7
a3237c3 libtracefs: Add initial support for meson
b25019f libtarcefs doc: Add tracefs_kprobe_destroy() to index man page
4c2194f libtracefs doc: State that tracefs_dynevent_create() is needed for tracefs_kprobe_alloc()
df53d43 libtracefs Documentation: Add missing prototypes in top level man page
9a2df4a libtracefs: Update version to 1.7.dev
18ede68 libtracefs: Add tracefs_kprobe_destory() API
309b1ba libtracefs tests: Add helper function to destroy dynamic events
53dce80 tracefs: Add tracefs_time_conversion() API
5ea4128 libtracefs: Add tracefs_find_cid_pid() API
857dd3e libtracefs/utest: Fix crashing of synth test when synths exist
6332309 libtracefs/utest: Do not use synth for test_synth element
25cd206 libtracefs: Clarify the tracefs_synth_create() man page
6b6d43f libtracefs: Do not allow tracefs_synth_set_instance() on created synth
c860f93 libtracefs: Documentation for tracefs_synth_set_instance
0039173 libtracefs: New API to set synthetic event instance
e97c311 libtracefs: Do not segfault in tests if synthetic events are not configured
185019c libtracefs: Add tracefs_instance_tracers() API
6775d23 libtracefs: Do not use hwlat tracer and fdb_delete event for tests
5a1a01e libtracefs: Add stacktrace to tracefs_sql()
b1b234e libtracefs: Unit test for tracefs_instance_reset()
dd620f4 libtracefs: Documentation for tracefs_instance_reset()
789e82d libtracefs: New API to reset ftrace instance

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-08-01 13:29:40 +02:00
Nick Hainke
85efbbcf06 libtraceevent: update to 1.7.3
ChangeLog:
dd14818 libtraceevent: version 1.7.3
0b9a34e libtraceevent: Handle printf '%+d" case
eba4a41 libtraceevent: Add initial support for meson
1d8ddb9 libtraceevent: Handle %c

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-08-01 13:29:40 +02:00
Jo-Philipp Wich
4af0a72a65 libnl-tiny: update to latest Git HEAD
8667347 build: allow passing SOVERSION value for dynamic library

Also adjust packaging of the library to only ship the SOVERSION
suffixed library object, to allow for concurrent installation of
ABI-incompible versions in the future.

Fixes: #13082
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2023-07-27 12:03:12 +02:00
Christophe Sokol
906616d201 openssl: opt-out of lto usage
This fixes building with USE_LTO enabled:

aarch64-openwrt-linux-musl-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/build_dir/target-aarch64_cortex-a53_musl/openssl-3.0.9=openssl-3.0.9 -ffunction-sections -fdata-sections -flto=auto -fno-fat-lto-objects -Wformat -Werror=format-security -DPIC -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -DPIC -fPIC -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/build_dir/target-aarch64_cortex-a53_musl/openssl-3.0.9=openssl-3.0.9 -ffunction-sections -fdata-sections -flto=auto -fno-fat-lto-objects -Wformat -Werror=format-security -fPIC -fstack-protector-strong -fPIC -fuse-ld=bfd -flto=auto -fuse-linker-plugin -fPIC -specs=/include/hardened-ld-pie.specs -znow -zrelro -L. -Wl,-z,defs -Wl,-znodelete -shared -Wl,-Bsymbolic  -Wl,-z,now -Wl,-z,relro -L/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.1.0_musl/usr/lib -L/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.1.0_musl/lib -Wl,--gc-sections \
	-o providers/legacy.so -Wl,--version-script=providers/legacy.ld \
	providers/legacy-dso-legacyprov.o \
	providers/liblegacy.a providers/libcommon.a -lcrypto -ldl -pthread
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `legacy_get_params':
<artificial>:(.text.legacy_get_params+0xd4): undefined reference to `ossl_prov_is_running'
ld.bfd: <artificial>:(.text.legacy_get_params+0xd8): undefined reference to `ossl_prov_is_running'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `legacy_teardown':
<artificial>:(.text.legacy_teardown+0x4): undefined reference to `ossl_prov_ctx_get0_libctx'
ld.bfd: <artificial>:(.text.legacy_teardown+0x8): undefined reference to `ossl_prov_ctx_get0_libctx'
ld.bfd: <artificial>:(.text.legacy_teardown+0x34): undefined reference to `ossl_prov_ctx_free'
ld.bfd: <artificial>:(.text.legacy_teardown+0x38): undefined reference to `ossl_prov_ctx_free'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `OSSL_provider_init':
<artificial>:(.text.OSSL_provider_init+0x14): undefined reference to `ossl_prov_ctx_new'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x18): undefined reference to `ossl_prov_ctx_new'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x84): undefined reference to `ossl_prov_ctx_set0_libctx'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x88): undefined reference to `ossl_prov_ctx_set0_libctx'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x98): undefined reference to `ossl_prov_ctx_set0_handle'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x9c): undefined reference to `ossl_prov_ctx_set0_handle'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_kdfs+0x10): undefined reference to `ossl_kdf_pbkdf1_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_ciphers+0x10): undefined reference to `ossl_cast5128ecb_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_ciphers+0x30): undefined reference to `ossl_cast5128cbc_functions'
[...]
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_digests+0x10): undefined reference to `ossl_md4_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_digests+0x30): undefined reference to `ossl_ripemd160_functions'
collect2: error: ld returned 1 exit status

Signed-off-by: Christophe Sokol <christophe@wk3.org>
2023-07-26 10:34:07 +02:00
Nick Hainke
fabd891569 nettle: update to 3.9.1
Announcement:
https://lists.gnu.org/archive/html/info-gnu/2023-06/msg00000.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-07-19 15:25:35 +02:00
Tony Ambardar
1d5e7b85cc libbpf: Update to v1.2.2
Update to the latest upstream release to include recent bugfixes:

Link: https://github.com/libbpf/libbpf/compare/v1.2.0...v1.2.2
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2023-07-18 23:02:47 +02:00
Nick Hainke
e57a752217 libnftnl: update to 1.2.6
Release Notes:
https://lists.netfilter.org/pipermail/netfilter-announce/2023/000250.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-07-18 14:37:19 +02:00
Nick Hainke
0e83b5e6cc wolfssl: update to 5.6.3
Release Notes:
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.0-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.2-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.3-stable

Refresh patch:
- 100-disable-hardening-check.patch

Backport patch:
- 001-fix-detection-of-cut-tool-in-configure.ac.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-07-07 17:38:38 +02:00
Hauke Mehrtens
513bcfdf78 libnl-tiny: update to latest git HEAD
d433990 Make struct nla_policy and struct nlattr const

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-07-01 12:07:05 +02:00
Jitao Lu
51f57e7c2d openssl: passing cflags to configure
openssl sets additional cflags in its configuration script. We need to
make it aware of our custom cflags to avoid adding conflicting cflags.

Fixes: #12866
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
2023-06-14 21:16:15 +08:00
Mathew McBride
203deef82c
wolfssl: change armvirt reference to armsr
armvirt target has been renamed to armsr (Arm SystemReady).

Signed-off-by: Mathew McBride <matt@traverse.com.au>
2023-06-10 21:30:23 +02:00
Ivan Pavlov
6348850f10 openssl: update to 3.0.9
CVE-2023-2650 fix
Remove upstreamed patches

Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
 * Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
 * Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
 * Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
 * Limited the number of nodes created in a policy tree (CVE-2023-0464)

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2023-06-09 13:33:27 +02:00
Felix Fietkau
b6e0a24c49 libubox: update to the latest version
b09b316aeaf6 blobmsg: add blobmsg_parse_attr function
eac92a4d5d82 blobmsg: add blobmsg_parse_array_attr
ef5e8e38bd38 usock: fix poll return code check
6fc29d1c4292 jshn.sh: Add pretty-printing to json_dump
5893cf78da40 blobmsg: Don't do at run-time what can be done at compile-time
362951a2d96e uloop: fix uloop_run_timeout
75a3b870cace uloop: add support for integrating with a different event loop

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-06-04 18:38:03 +02:00
Tianling Shen
a0d7193425 openssl: fix uci config for built-in engines
Built-in engine configs are added in libopenssl-conf/install stage
already, postinst/add_engine_config is just duplicating them, and
due to the lack of `config` header it results a broken uci config:

> uci: Parse error (invalid command) at line 3, byte 0

```
config engine 'devcrypto'
        option enabled '1'
engine 'devcrypto'
        option enabled '1'
        option builtin '1'
```

Add `builtin` option in libopenssl-conf/install stage and remove
duplicate engine configuration in postinst/add_engine_config to
fix this issue.

Fixes: 0b70d55a64 ("openssl: make UCI config aware of built-in engines")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-06-03 21:15:11 +02:00
Linhui Liu
4c5a9da869 selinux-policy: update to 1.2.5
30d503a uci jsonfilter: pipe and leak
e13cb64 rpcd leds
144781f jsonfilter, luci, ubus
1210762 rpcd and all agents get fd's leaked
ab9227c rpcd
2f99e0e luci rpcd
b43aaf3 rpcd (enable/disable services) luci peeraddr
f20f03e rpcd
7bc74f6 rpcd reads all subj state and luci-bwc leaks
9634b17 adds inotify perms to anon_inode
3d3c17c adds bare anon_inode (linux 5.15)
7104b20 dnsmasq and luci
0de2c66 luci,rpcd, ucode, wpad
14f5cf9 luci and ucode
e3ce84c rpcd, ucode and cgiio loose ends
96a2401 misc updates
9fe0490 initscript: remove redundant rules
71bd77e allow all init scripts to log to logd
f697331 sandbox: make ttydev handling more robust
a471877 simplify pty tty console access
f738984 sandbox: also remove TIOSCTI from all ttydevs

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-31 22:00:48 +02:00
Petr Štetiar
12494f5b8a
pcre2: fix host compilation of libselinux by enabling PIC
libselinux-3.5 fails to compile in Fedora 38 container due to the
following:

 cc -O2 -I/openwrt/staging_dir/host/include -I/openwrt/staging_dir/hostpkg/include -I/openwrt/staging_dir/target-x86_64_musl/host/include -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -I/openwrt/staging_dir/hostpkg/include -L/openwrt/staging_dir/host/lib -L/openwrt/staging_dir/hostpkg/lib -L/openwrt/staging_dir/target-x86_64_musl/host/lib -Wl,-rpath=/openwrt/staging_dir/hostpkg/lib -shared -o libselinux.so.1 avc.lo avc_internal.lo avc_sidtab.lo booleans.lo callbacks.lo canonicalize_context.lo checkAccess.lo check_context.lo checkreqprot.lo compute_av.lo compute_create.lo compute_member.lo compute_relabel.lo compute_user.lo context.lo deny_unknown.lo disable.lo enabled.lo fgetfilecon.lo freecon.lo freeconary.lo fsetfilecon.lo get_context_list.lo get_default_type.lo get_initial_context.lo getenforce.lo getfilecon.lo getpeercon.lo init.lo is_customizable_type.lo label.lo label_db.lo label_file.lo label_media.lo label_support.lo label_x.lo lgetfilecon.lo load_policy.lo lsetfilecon.lo mapping.lo matchmediacon.lo matchpathcon.lo policyvers.lo procattr.lo query_user_context.lo regex.lo reject_unknown.lo selinux_check_securetty_context.lo selinux_config.lo selinux_internal.lo selinux_restorecon.lo sestatus.lo setenforce.lo setexecfilecon.lo setfilecon.lo setrans_client.lo seusers.lo sha1.lo stringrep.lo validatetrans.lo -L/openwrt/staging_dir/hostpkg/lib -lpcre2-8 -lfts -ldl -Wl,-soname,libselinux.so.1,--version-script=libselinux.map,-z,defs,-z,relro
 /usr/bin/ld: /openwrt/staging_dir/hostpkg/lib/libpcre2-8.a(pcre2_compile.c.o): relocation R_X86_64_32S against symbol `_pcre2_ucd_stage1_8' can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: failed to set dynamic section sizes: bad value

So lets fix it by enabling build of host static library with the
position independent code option enabled.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2023-05-28 08:58:07 +02:00
Zoltan HERPAI
a0840ecd53 openssl: add linux-riscv64 into the targets list
Add "linux-riscv64-openwrt" into openssl configurations to enable building
on riscv64.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2023-05-28 13:19:11 +02:00
Tony Ambardar
afe1bf11f2 bpftools: update, split off bpftool and libbpf packages
My original bpftools package made "variant" builds of bpftool and libbpf
as a convenience, since both used the same local kernel sources with the
same versioning. This is no longer the case, since the commit below
switched to using an out-of-tree build mirror hosting repos for each.

Replace bpftools with separate bpftool and libbpf packages, each simplified
and correctly versioned. Also fix the broken libbpf ABI introduced in the
same commit. Existing build .config files are not impacted.

Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2023-05-24 21:17:20 +02:00
Nick Hainke
c520d682f0 libxml2: update to 2.11.4
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-22 18:52:59 +02:00
Nick Hainke
78c45c1e59 libcap: update to 2.69
Release Notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe

Fixes: CVE-2023-2602 CVE-2023-2603
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-22 18:51:31 +02:00
Nick Hainke
aa28e91404 nettle: update to 3.9
Changelog:
26cd0222fd/NEWS

Refresh patch:
- 100-portability.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-20 21:02:18 +02:00
Linhui Liu
c0ef48814e pcre2: switch to Github Releases and bump to 10.42
The mirror at SourceForge is an unofficial mirror and no longer maintained.

ChangeLogs:
https://github.com/PCRE2Project/pcre2/blob/pcre2-10.42/ChangeLog

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-20 13:20:53 +08:00
Nick Hainke
f73d011810 libjson-c: import patch to fix compilation on macos
Fixes errors in the form of:
  /Users/user/src/openwrt/openwrt/build_dir/hostpkg/json-c-0.16/json_util.c:63:35: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
  const char *json_util_get_last_err()
                                    ^
                                     void
  1 error generated.
  ninja: build stopped: subcommand failed.

Reported-by: Paul Spooren <mail@aparcar.org>
Suggested-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-19 13:43:18 +02:00
Nick Hainke
4b950bc5f4 libxml2: update to 2.11.3
Changelog:
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.0
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.1
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.2
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.3

Fixes: CVE-2023-28484 CVE-2023-29469
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 16:16:20 +02:00
Tianling Shen
48ed07bc0b treewide: replace AUTORELEASE with real PKG_RELEASE
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```

then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
	make package/$i/clean
done
```

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-18 11:35:29 +02:00
Linhui Liu
91c75c3124 libselinux: update to 3.5
Switch from libpcre to libpcre2. While working on it remove the double
defined HOST_BUILD_DEPENDS section.

Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
[depend on libpcre2]
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Linhui Liu
d641963f1b libsemanage: update to 3.5
Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-18 10:14:13 +02:00
Linhui Liu
bd0dce62b1 libsepol: update to 3.5
Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-18 10:14:13 +02:00
Nick Hainke
e3e6652a55 pcre: move package to packages feed
With the update of selinux no package depends anymore on pcre in the
base repository. Move it to packages feed.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Nick Hainke
c39b0646f3 pcre2: import pcre2 from packages feed
pcre2 is needed by newer selinux versions, so it needs to be in the base
repository.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Robert Marko
6b17e19ad8
libbsd: fix compilation with musl 1.2.4
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.

_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.

Fixes: fff878c5bc ("toolchain/musl: update to 1.2.4")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-05-16 14:31:14 +02:00
Robert Marko
6ff12094cd
libselinux: fix compilation with musl 1.2.4
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.

_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-05-15 20:39:21 +02:00
Michael Pratt
0779c47be6
gettext-full: link to local libunistring
Configure gettext to require and link
to our local libunistring explicitly.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:44 +02:00
Michael Pratt
0288415877
gettext-full: add missing link to libunistring
Running autoreconf or autogen.sh is causing
the gettext-runtime subdirectory to have a configure script
that looks for and attempts to link to an external libunistring.
However, the macros and symbols for supporting that configuration
are not present in this subdirectory yet.

This results in some host machines to not build the
included libunistring objects for libgrt,
but at the same time, also not input the proper flag to the linker
for linking to an external library when it is found or even when
explicitly setting configuration to use a prefix for libunistring,
resulting in the common linking failure "undefined reference".

Some similar (and old...) upstream commits do the same thing,
but only for gettext-tools and libgettextpo.

Ref: ae943bcc1 ("Link with libunistring, if it exists.") # gettext.git
Ref: 61e21a72f ("Avoid link error in programs that use libgettextpo.") # gettext.git
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:44 +02:00
Michael Pratt
d3c3b79c1e
libunistring: add from packages feed
Add libunistring in order to link to gettext
and other packages directly
instead of the built-in substitute for it.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:41 +02:00
Michael Pratt
d167adbc44
gettext-full: bootstrap to local gnulib source
Using the local gnulib source during autogen.sh
allows for fine-grained control over the macros
and source files for use with gettext
but part of gnulib instead of gettext,
without having to wait for a release
or deal with gnulib as a git submodule.

This is an alternative to running autoreconf.

It also removes the need to patch macros
in the case where there is a conflict
between the source and our aclocal directory.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:31 +02:00
Michael Pratt
d95d5d2a3a
gettext-full: link to local libxml2
Some users have reported that gettext builds
are attempting to link to libxml2
while it was supposed to be configured
to use it's own built-in substitute.

Configure gettext to require and link
to our local libxml2 explicitly.

Add a patch to revert upstream commit 87927a4e2
which forces libtextstyle to use the built-in libxml,
no matter what the configuration is,
making that option configurable again
after the configure script is regenerated.

Reported-by: Tianling Shen <cnsztl@immortalwrt.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:30 +02:00
Michael Pratt
f7fbe77115
gettext-full: set gperf as build prerequisite
Require gperf to be built before gettext.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Michael Pratt
9b0b46985c
libxml2: add from packages feed
Add libxml2 which can be used to build gettext
instead of the old built-in substitute for it.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Michael Pratt
ca8577f930
gettext-full: override SUBDIRS variable with Makefile
Instead of editing the SUBDIRS variable with a patch,
it can be overriden at the end of the command line when invoking Make.

This tool has a series of recursive Makefiles in each subdirectory,
therefore SUBDIRS is set to a pattern of Make functions
so that the result is variable depending on the current subdirectory
that Make is being invoked in.

Some of the subdirectories don't have a Makefile and are just storing files
for another subdirectory Makefile target,
therefore we have to place a fake Makefile that does nothing.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Eneas U de Queiroz
1c5cafa3eb openssl: fix low-severity CVE-2023-1255
This applies commit 02ac9c94 to fix this OpenSSL Security Advisory
issued on 20th April 2023[1]:

Input buffer over-read in AES-XTS implementation on 64 bit ARM
(CVE-2023-1255)
==============================================================

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit
ARM platform contains a bug that could cause it to read past the input
buffer, leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64
bit ARM platform can crash in rare circumstances. The AES-XTS algorithm
is usually used for disk encryption.

The AES-XTS cipher decryption implementation for 64 bit ARM platform
will read past the end of the ciphertext buffer if the ciphertext size
is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the
memory after the ciphertext buffer is unmapped, this will trigger a
crash which results in a denial of service.

If an attacker can control the size and location of the ciphertext
buffer being decrypted by an application using AES-XTS on 64 bit ARM,
the application is affected. This is fairly unlikely making this issue a
Low severity one.

1. https://www.openssl.org/news/secadv/20230420.txt

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-29 12:33:44 +02:00
Nick Hainke
b64c471b8e libpcap: update to 1.10.4
Changes:
https://git.tcpdump.org/libpcap/blob/104271ba4a14de6743e43bcf87536786d8fddea4:/CHANGES

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-22 02:35:19 +02:00
Matthias Schiffer
4f1c2e8dee
uclient: update to Git version 2023-04-13
007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2023-04-13 20:51:05 +02:00
Hauke Mehrtens
d679b15d31 mbedtls: Update to version 2.28.3
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3

The 100-fix-compile.patch patch was merged upstream, see:
https://github.com/Mbed-TLS/mbedtls/issues/6243
https://github.com/Mbed-TLS/mbedtls/pull/7013

The code style of all files in mbedtls 2.28.3 was changed. I took a new
version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this
pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-10 13:36:26 +02:00
Nick Hainke
0c53801968 libcap: update to 2.68
Release Notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.vdh3d47czmle

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-08 15:52:56 +02:00
Eneas U de Queiroz
c3cb2d48da
openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-07 11:26:26 +02:00
Eneas U de Queiroz
0dc5fc8fa5
openssl: add legacy provider
This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider.  Providers are the successors of
engines, which have been deprecated.

The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.

Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds.  Their defaults will
change to 'y' if not bulding for a small flash, so that the regular
legacy package will contain a complete set of algorithms.

The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.

There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package.  It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.

An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled.  Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.

On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Eneas U de Queiroz
0b70d55a64
openssl: make UCI config aware of built-in engines
Engines that are built into the main libcrypto OpenSSL library can't be
disabled through UCI.  Add a 'builtin' setting to signal that the engine
can't be disabled through UCI, and show a message explaining this in
case buitin=1 and enabled=0.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00