Commit Graph

1000 Commits

Author SHA1 Message Date
Rui Salvaterra
2434a57dd7 elfutils: fix building with GCC 11
Add a patch to fix building with GCC 11, which triggers new warnings by
enabling -Warray-parameter by default.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-07-25 13:52:38 +02:00
Petr Štetiar
8307da3dbd treewide: unmark selected packages nonshared
This partially reverts changes done in commit 72cc44958e ("treewide:
mark selected packages nonshared") as it removes the nonshared flag, but
keeps the PKG_RELEASE as the PKG_RELEASE bump while adding nonshared
flag was incorrect.

Unmark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared
packages as this fix attempt didn't worked out. Currently the
imagebuilder is broken again:

 openwrt-imagebuilder-21.02.0-rc3-ipq40xx-generic.Linux-x86_64$ make image PROFILE=avm_fritzbox-7530 PACKAGES=luci-ssl-openssl
 ...
 Collected errors:
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for luci-mod-status
  * pkg_hash_fetch_best_installation_candidate: Packages for luci-mod-status found, but incompatible with the architectures configured
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for rpcd-mod-iwinfo
  * pkg_hash_fetch_best_installation_candidate: Packages for rpcd-mod-iwinfo found, but incompatible with the architectures configured
  * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-ssl-openssl:
  * 	libiwinfo20210430
  * opkg_install_cmd: Cannot install package luci-ssl-openssl.

Everything because iwinfo's ABI was changed two times since rc3 release:

 +IWINFO_ABI_VERSION:=20210430
 +IWINFO_ABI_VERSION:=20210420

Since iwinfo is marked as nonshared, it wasn't built by phase2 builders, but
luci-mod-status was already updated 2 times since rc3 and was thus rebuilt by
phase2 builders:

 d1d452ed2fb3 luci-mod-status: don't set '-' hostname when creating static lease
 95b3633055c1 luci-mod-status: switch to html table for wlan channel analysis

So now luci-mod-status depends on libiwinfo20210430 but only
libiwinfo20210106 can be downloaded. This is first part of the fix, in
the upcoming commit Jo is going to remove nonshared flag from iwinfo
package as well.

References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035736.html
References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035741.html
Acked-by: Jo-Philipp Wich <jo@mein.io>
Reported-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-07-02 18:12:15 +02:00
Karel Kočí
219e17a350 ustream-ssl: variants conflict with each other
This adds conflicts between variants of libustream pacakge.
They provide the same file and thus it should not be possible to install
them side by side.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
2021-06-21 18:48:03 -10:00
Rosen Penev
3dabb62581 treewide: remove PKG_INSTALL from CMake packages
It's already default with cmake.mk

Found with:

git grep PKG_INSTALL\: | cut -d ':' -f 1 | sort -u > ins
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 ins cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Rosen Penev
2e745e9be6 treewide: remove BUILD_PARALLEL from CMake packages
It's already default. The only exception is mt76 which has Ninja
disabled.

Found with:

git grep BUILD_PARALLEL | cut -d ':' -f 1 | sort -u > par
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 par cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Hannu Nyman
72cc44958e treewide: mark selected packages nonshared
Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c
as nonshared packages. This helps to keep coherent dependencies
if these ABI versioned packages are later updated.

Before this commit it is possible to get missing dependencies
in target-specific nonshared packages (like iwinfo) that depend
on these shared ABI versioned packages. If these are later updated
and rebuilt, only the new ABI version will be available for download,
while the target-specific packages in releases continue to depend on
the old ABI version.

After this commit the packages are built along the other nonshared
packages by the phase1 images buildbot and will be available at the
target/ download directories instead of packages/base dir. That will
help to keep a coherent set available.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2021-06-13 23:58:15 +02:00
Rosen Penev
09de28090c package: fix cmake packages build with ninja
+= is needed for CMAKE_OPTIONS.

mt76 needs Ninja disabled as the kernel stuff uses normal make.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-12 10:46:39 +02:00
Ivan Pavlov
b1baa01f14 wolfssl: add support for OpenVPN
Support for wolfSSL has been upstreamed to the master OpenVPN branch
in f6dca235ae560597a0763f0c98fcc9130b80ccf4, so we can use wolfSSL
directly in OpenVPN. So no more needed differnt SSL engine for OpenVPN
in systems based on wolfSSL library
Compiled && tested on ramips/mt7620, ramips/mt7621

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-05-23 15:11:38 +02:00
David Bauer
ef9b103107 wolfssl: always export wc_ecc_set_rng
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.

wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.

Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-21 15:43:57 +02:00
Felix Fietkau
04d21604fd libubox: update to the latest version
870acee325fe tests: cram: test_base64: fix failing tests
4d8995e91d56 tests: cram: test_base64: really fix failing tests
551d75b5662c libubox: tests: add more blobmsg/json test cases
a0dbcf8b8f96 tests: add blob-buffer overflow test
b36a3a90098d blob: fix exceeding maximum buffer length
b8abed749423 utils.h: add fallthrough macro
b14c4688612c json_script: fix unannotated fall-through warning

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-18 12:52:52 +02:00
Baptiste Jonglez
1ec6fc4dcb uclient: update to Git version 2021-05-14
6a6011d uclient-http: set eof mark when content-length is 0
19571e4 tests: fix help usage test for uclient built with sanitizer
c5fc04b tests: fix help usage test

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2021-05-14 23:40:42 +02:00
Leonardo Mörlein
b993b68b6c build: introduce $(MKHASH)
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. In most of the cases, I just saw warnings like this:

    make: Entering directory '/home/.../package/gluon-status-page'
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    [...]

While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.

After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
2021-05-13 15:13:15 +02:00
Rosen Penev
0ec8c793f5 libsemanage: fix pkgconfig paths
The pkgconfig file currently points to host paths.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-04-15 11:54:14 +01:00
Stijn Tintel
0f7f4de6ba libcap: bump to 2.48
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:45 +03:00
Stijn Tintel
dd91ba0d62 libcap: drop invalid copyright header
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:40 +03:00
Stijn Tintel
427acb71fc libcap: import from packages feed
Having libcap in OpenWrt base allows us to enable libcap support in
other packages in base.

In lldpd, this would allow the monitor process to drop its privileges
instead of running as root, improving security. It will also allow us to
drop our patch to disable libcap.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:29 +03:00
Hauke Mehrtens
1371910b76 uclient: update to Git version 2021-04-03
83efca2 tests: fix possibly longer start of HTTP server
64e00d6 uclient-fetch: document missing options

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-03 19:06:09 +02:00
Paul Spooren
6a6b5a677e ncurses: add screen-256color terminfo
The terminfo is required by the popular terminal multiplexer screen and
tmux, offer it by default as the size impact is minimal with 885 Bytes.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-03-29 13:47:55 -10:00
Paul Spooren
75ea474b90 ncurses: split long line of supported terminfo
The terminfo files were all in one row which is terrible to read.
Split them over multiple lines to improve readability.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-03-29 13:47:19 -10:00
Eneas U de Queiroz
0bd0de7d43 openssl: bump to 1.1.1k
This version fixes 2 security vulnerabilities, among other changes:

 - CVE-2021-3450: problem with verifying a certificate chain when using
   the X509_V_FLAG_X509_STRICT flag.

 - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-03-26 19:57:20 +01:00
Kevin Darbyshire-Bryant
bbb9c1c2be Revert "openssl: refresh patches"
This reverts commit e27ef2da0d.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-03-26 09:12:12 +00:00
Kevin Darbyshire-Bryant
e27ef2da0d openssl: refresh patches
Tidy up some patch fuzz.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-03-26 09:03:32 +00:00
Tony Ambardar
9390e20dba elfutils: enable building with MIPS16
Building with MIPS16 was disabled in 2013 due to an issue with GCC TLS:
https://dev.archive.openwrt.org/ticket/13572. But after the problematic
GCC version was retired, this change wasn't revisited.

Re-enable MIPS16 builds to reduce average elfutils library sizes ~10%.
This was compile-tested on malta/mips32be and malta/mips32le, and linked
with iproute2 for run-testing. Package sizes follow:

Library  MIPS16:=0  MIPS16:=1
-------  ---------  ---------
libelf1    43217      37492
libasm1    12481      11658
libdw1    229723     205793

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2021-03-25 22:48:10 -10:00
Philip Prindeville
7fae64cc06 libnfnetlink: quote $(FPIC) on command line
When $(FPIC) gets expanded on the command line (for instance
when setting environment variables for libtool, configure, or
make) we can't count on it not needing quoting (i.e. it could
contain multiple flags separated with spaces).

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2021-03-19 13:37:51 -10:00
Magnus Kroken
dbde2bcf60 mbedtls: update to 2.16.10
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2021-03-16 21:17:02 +01:00
Rosen Penev
6cd13be014 gettext-full: disable nameless locale define
It seems some packages like transmission and json-glib fail with it
enabled.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-03-14 19:25:32 -10:00
Tony Ambardar
29e2be69c4 elfutils: remove host build from target package
Commit f4da28c301 ("elfutils: Add host build") supplied a libelf host
library to fix a glib2 host build error, but this need was later removed
by b6212c8769 ("glib2: don't use libelf during host build").

More importantly, there are already two sources for libelf host libraries:
OpenWRT build prerequisites [1] and tools/libelf. A third is not needed.

Ref [1]: https://openwrt.org/docs/guide-developer/build-system/install-buildsystem#prerequisites

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2021-03-13 21:33:22 +00:00
Dominick Grift
4670492ad7 libsemanage: update to version 3.2
c35919a7 libsemanage: sync filesystem with sandbox
5b05e829 Revert "libsemanage/genhomedircon: check usepasswd"
edae9275 libsemanage: Free contents of modkey in semanage_direct_remove
ce46daab libsemanage/genhomedircon: check usepasswd
6ebb35d2 libsemanage: Bump libsemanage.so version
c08b73d7 libsemanage: Drop deprecated functions
b46406de libsemanage: Remove legacy and duplicate symbols

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Dominick Grift
b1fc2b5b0b libselinux: update to version 3.2
142826a3 libselinux: fix segfault in add_xattr_entry()
398d2cee libselinux: rename gettid() to something which never conflicts with the libc
8f0f0a28 selinux(8,5): Describe fcontext regular expressions
9cc6b5cf libselinux/getconlist: report failures
156dd0de libselinux: update getseuser
e2dca5df libselinux: accept const fromcon in get_context API
da4829d0 libselinux: Always close status page fd
45b15c22 selinux(8): explain that runtime disable is deprecated
3c16aaef selinux(8): mark up SELINUX values
c2a58cc5 libselinux: LABEL_BACKEND_ANDROID add option to enable
db0f2f38 libselinux: Add build option to disable X11 backend
4a142ac4 libsepol: Bump libsepol.so version
d23342a9 libselinux: convert matchpathcon to selabel_lookup()
7ef5b185 libselinux: Change userspace AVC setenforce and policy load messages to audit format.
f5d644c7 libselinux: Add additional log callback details in man page for auditing.
075f9cfe libselinux: Fix selabel_lookup() for the root dir.
a4149e0e libselinux: Add new log callback levels for enforcing and policy load notices.
a63f93d8 libselinux: initialize last_policyload in selinux_status_open()
ef902db9 libselinux: safely access shared memory in selinux_status_updated()
9e4480b9 libselinux: Remove trailing slash on selabel_file lookups.
21fb5f20 libselinux: use full argument specifiers for security_check_context in man page
e7abd802 libselinux: fix build order
05bdc031 libselinux: use kernel status page by default

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Dominick Grift
2a1bdde0d0 libsepol: update to version 3.2
a9e0004f libsepol: invalidate the pointer to the policydb if policydb_init fails
6238e025 libsepol/cil: fix NULL pointer dereference in cil_fill_ipaddr
b69d77bc libsepol/cil: handle SID without assigned context when writing policy.conf
0861c659 libsepol: Validate policydb values when reading binary policy
8f5409cf libsepol: Create function ebitmap_highest_set_bit()
0451adeb libsepol/cil: Destroy disabled optional blocks after pass is complete
32f8ed3d libsepol/cil: introduce intermediate cast to silence -Wvoid-pointer-to-enum-cast
4662bdc1 libsepol/cil: be more robust when encountering <src_info>
6b561058 libsepol/cil: fix NULL pointer dereference with empty macro argument
0d0e47c7 libsepol/cil: Fix integer overflow in the handling of hll line marks
1b36ace2 libsepol: include header files in source files when matching declarations
1f1fa9d4 libsepol: uniformize prototypes of sepol_mls_contains and sepol_mls_check
72a88d75 libsepol: remove unused files
eba0ffee libsepol/cil: Fix heap-use-after-free when using optional blockinherit
1048f8d3 libsepol/cil: unlink blockinherit->block link when destroying a block
b3202918 libsepol/cil: fix memory leak when a constraint expression is too deep
f0d98f83 libsepol/cil: Fix heap-use-after-free in __class_reset_perm_values()
5d021d66 libsepol/cil: Update symtab nprim field when adding or removing datums
34bd9a9d libsepol: destroy filename_trans list properly
bdf4e332 libsepol/cil: fix NULL pointer dereference when parsing an improper integer
b7ea65f5 libsepol/cil: destroy perm_datums when __cil_resolve_perms fails
228c06d9 libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit
a25d9104 libsepol/cil: constify some strings
e2d01842 libsepol/cil: propagate failure of cil_fill_list()
6c8fca10 libsepol/cil: do not add a stack variable to a list
38a09b74 libsepol/cil: fix NULL pointer dereference when using an unused alias
3c357285 libsepol/cil: remove useless print statement
90809674 libsepol/cil: always destroy the lexer state
d16a1e46 libsepol/cil: Use the macro FLAVOR() whenever possible
2aac859a libsepol/cil: Use the macro NODE() whenever possible
d317b470 libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases()
9b9761cf libsepol/cil: Remove unused field from struct cil_args_resolve
e257d4c7 libsepol/cil: Get rid of unnecessary check in cil_gen_node()
ebba2b00 libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_*
89dab467 libsepol: free memory when realloc() fails
2d353bd5 libsepol/cil: Give error for more than one true or false block
4a142ac4 libsepol: Bump libsepol.so version
506c7b95 libsepol: Drop deprecated functions
ae58e84b libsepol: Get rid of the old and duplicated symbols
c97d63c6 libsepol: silence potential NULL pointer dereference warning
64387cb3 libsepol: drop confusing BUG_ON macro
521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
a152653b libsepol/cil: Fix neverallow checking involving classmaps
734e4beb libsepol/cil: Validate conditional expressions before adding to binary policy
685f577a libsepol/cil: Validate constraint expressions before adding to binary policy
8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS
42ae834a libsepol,checkpolicy: optimize storage of filename transitions

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Daniel Golle
c82cc4407a
libubox: update to git HEAD
2e52c7e libubox: fix BLOBMSG_CAST_INT64 (do not override BLOBMSG_TYPE_DOUBLE)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-02 19:16:04 +00:00
Donald Hoskins
ea6d4bdde2 libunwind: Add MIPS64 dep check
libunwind dependency check does not allow for MIPS64 arch.  Add MIPS64 awareness.

libunwind seems to support MIPS64 without issues, it was limited by the dep arch
check in the Makefile.

Used to compile Suricata6/Rust locally without issue.

Signed-off-by: Donald Hoskins <grommish@gmail.com>
2021-03-01 00:34:23 +01:00
Rosen Penev
b77f21c98a libpcap: update to 1.10.0
Simplify cmake option handling by putting everything in blocks.

Add openssl patch as there's no easy way to disable.

Rebase the skip manpages patch.

Remove the monitor mode patch as it no longer applies.

Remove flex patch as normal Makefile is no longer used.

Remove USB path patch. While it is deprecated, the codepath is never
taken. /sys/bus/usb/devices is checked before hand. If it exists, the
function does stuff and returns. Additionally, this path is used
elsewhere in the code.

Refresh other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-03-01 00:34:23 +01:00
Adrian Schmutzler
221eefaf6b zlib: properly split patches
This package had two patches (with two headers etc.) in one file,
which would have quilt merging them during a refresh.

Separate these patches into two files, as the original intent seems
to be having them separate.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-24 14:08:29 +01:00
Rosen Penev
fb83efb626 pcre: disable C++ bindings
Nothing uses them. Allows to simplify the Makefile.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-24 00:30:40 +01:00
Eneas U de Queiroz
12a80e44b9 openssl: always build with GOST engine support
The packages feed has a proposed package for a GOST engine, which needs
support from the main openssl library.  It is a default option in
OpenSSL.  All that needs to be done here is to not disable it.

Package increases by a net 1-byte, so it is not really really worth
keeping this optional.

This commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Eneas U de Queiroz
d1dfb577f1 wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been
applied here.  There are a couple of low severity security bug fixes as
well.

Three patches are no longer needed, and were removed; the one remaining
was refreshed.

This tool shows no ABI changes:
https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Georgi Valkov
4b37e3bc2b libusb: Fix parsing of descriptors for multi-configuration devices
Prerequisite patch:
Correct a typo in the Changelog and clean up a stray file

Fix changes in libusb which introduced a regression:
Commit e2be556bd2 ("linux_usbfs: Parse config descriptors during device
initialization") introduced a regression for devices with multiple
configurations. The logic that verifies the reported length of the
configuration descriptors failed to count the length of the
configuration descriptor itself and would truncate the actual length by
9 bytes, leading to a parsing error for subsequent descriptors.

Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
2021-02-21 10:12:10 -10:00
Christian Lamparter
09e66112f1 wolfssl: fix Ed25519 typo in config prompt
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-02-20 11:11:13 +01:00
David Bauer
10e84bde36 openssl: update package sources
OpenSSL downloads itself are distributed using Akamai CDN, so use these
sources as the highest priority.

Remove a stale mirror which seems to be offline for a longer time
already.

Add fallbacks to the old release path also for the mirrors.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-20 01:26:40 +01:00
Eneas U de Queiroz
482c9ff289 openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs:

- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
  SSLv2, but the affected functions still exist. Considered just a bug.

- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
  EVP_DecryptUpdate may overflow the output length argument in some
  cases where the input length is close to the maximum permissable
  length for an integer on the platform. In such cases the return value
  from the function call will be 1 (indicating success), but the output
  length value will be negative.

- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate. However it was failing to
  correctly handle any errors that may occur while parsing the issuer
  field (which might occur if the issuer field is maliciously
  constructed). This may subsequently result in a NULL pointer deref and
  a crash leading to a potential denial of service attack.

- Fixed SRP_Calc_client_key so that it runs in constant time. This could
  be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-17 09:24:47 +01:00
Rosen Penev
b59905f045 gettext-full: update to 0.21
Add m4 patch to avoid conflict with tools/autoconf-archive.

Add build parallel as it seems to work now.

Remove a bunch of uClibc-ng hacks as it is not in the tree anymore.

Format security patch was fixed upstream.

Refreshed other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-16 19:27:55 -10:00
Felix Fietkau
d02088762a build: reorder more BuildPackages lines to deal with ABI_VERSION
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 11:29:38 +01:00
Felix Fietkau
26a899e3e8 wolfssl: use libtool patch for PKG_ABI_VERSION
Makes it unnecessary to patch .so files after build

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
0a497c4640 libubox: use build system variable to specify ABI version
This removes the need to patch it afterwards

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
f378d81da6 wolfssl: use dynamic ABI_VERSION depending on the configuration and package version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:47 +01:00
Felix Fietkau
a933c26852 libubox: use PKG_ABI_VERSION
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:45 +01:00
Hauke Mehrtens
304df2836a Revert "wolfssl: use dynamic ABI_VERSION depending on the configuration and package version"
This fixes the build on MIPS BE like ath25 and ath79 target.
We get this error message when linking libwolfssl:
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so when searching for -lwolfssl
mips-openwrt-linux-musl/bin/ld: cannot find -lwolfssl
collect2: error: ld returned 1 exit status

This reverts commit 2591c83b34.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-15 01:15:49 +01:00
Hauke Mehrtens
505a808302 Revert "libubox: use PKG_ABI_VERSION"
This fixes the build on MIPS BE like ath25 and ath79 target.
We get this error message when linking libubox:
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so when searching for -lubox

This reverts commit f421fefa8a.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-15 01:15:49 +01:00
Felix Fietkau
2591c83b34 wolfssl: use dynamic ABI_VERSION depending on the configuration and package version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-14 19:41:52 +01:00