On Windows, refuse paths that start with \\ ... as that might cause an
unexpected SMB connection to a given host name.
Ref: PR#2730
Ref: https://curl.haxx.se/docs/CVE-2019-15601.html
Suggested-by: Jerome Benoit <jerome.benoit@sap.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Before 2019.01 version was introduced patch, which changes cache
routines: 93b283d4 ("ARM: CPU: arm926ejs: Consolidate cache
routines to common file"). Unfortunately that patch make ethernet
and usb in kirkwood broken.
This patch backport commit 599f7aa5 ("ARM: kirkwood: disable dcache
for Kirkwood boards"), which are fix for that problem.
Fixes: dc08514e6d ("uboot-kirkwood: update to 2019.01")
Run tested: pogoplugv4
Tested-by: Cezary Jackiewicz <cezary@eko.one.pl> [nsa310]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
It's known that ZBT sells 256M variants of these routers. As a result,
our images won't be able to boot on these routers.
This commit removes memory node for them. With previously backported
memory detection patch, kernel is able to detect memory size itself.
Fixes: FS#3053
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
kmod-usb-dwc2 and kmod-usb-ledtrig-usbport are not target default packages, and
Belkin F7C027 does not have a USB port anyway. Just drop it.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 1dedad2a00)
This service file has been misplaced from the very beginning.
Fixes: dcc34574ef ("oxnas: bring in new oxnas target")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 01961f163d)
f4d759b dhcp.c: further improve validation
Further improve input validation for CVE-2020-11752
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9e7d11f3e2)
cdac046 dns.c: fix input validation fix
Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.
Improve CVE-2020-11750 fix
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9f7c8ed078)
Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.
Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router. dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.
The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.
A missing system.ntp.enabled UCI node is required for the bug to show
up. The reasons for why it would be missing in the first place were not
investigated.
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit 556b8581a1)
Building libpcap with high number (64) of simultaneous jobs fails:
In file included from ./fmtutils.c:42:0:
./ftmacros.h:106:0: warning: "_BSD_SOURCE" redefined
#define _BSD_SOURCE
<command-line>:0:0: note: this is the location of the previous definition
./gencode.c:67:10: fatal error: grammar.h: No such file or directory
#include "grammar.h"
^~~~~~~~~~~
compilation terminated.
Makefile:99: recipe for target 'gencode_pic.o' failed
So fix this by less intrusive way by disabling the parallel builds for
this package.
Ref: FS#3010
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.
Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3773ae127a)
ab7a39a umdns: fix unused error
45c4953 dns: explicitly endian-convert all fields in header and question
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 22ae8bd50e)
(cherry picked from commit 17c4593e63f5847868f2c38185275199d37d379a)
gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:
dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]
261 | uint16_t *swap = (uint16_t *) q;
Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 02640f0147)
(cherry picked from commit a10b6ec1c8cd6d14a3b76a2ec3d81442b85f7321)
Don't move strings anymore to /bin/strings to avoid clash with
busybox /usr/bin/strings but move it to /usr/bin/binutils-strings.
Use ALTERNATIVES support to install it as /usr/bin/strings
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 5f126c541a)
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters
Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 02fcbe2f3d)
Armada 370 processors have only 16 double-precision registers. The
change introduced by 8dcc108760 ("toolchain: ARM: Fix toolchain
compilation for gcc 8.x") switched accidentally the toolchain for mvebu
cortexa9 subtarget to cpu type with 32 double-precision registers. This
stems from gcc defaults which assume "vfpv3-d32" if only "vfpv3" as mfpu
is specified. That change resulted in unusable image, in which kernel
will kill userspace as soon as it causing "Illegal instruction".
Ref: https://forum.openwrt.org/t/gcc-was-broken-on-mvebu-armada-370-device-after-commit-on-2019-03-25/43272
Fixes: 8dcc108760 ("toolchain: ARM: Fix toolchain compilation for
gcc 8.x")
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
(cherry picked from commit 2d61f8821c)
Tegra 2 processors have only 16 double-precision registers. The change
introduced by 8dcc108760 ("toolchain: ARM: Fix toolchain compilation
for gcc 8.x") switched accidentally the toolchain for tegra target to cpu
type with 32 double-precision registers. This stems from gcc defaults
which assume "vfpv3-d32" if only "vfpv3" as mfpu is specified. That
change resulted in unusable image, in which kernel will kill userspace as
soon as it causing "Illegal instruction".
Ref: https://forum.openwrt.org/t/gcc-was-broken-on-mvebu-armada-370-device-after-commit-on-2019-03-25/43272
Fixes: 8dcc108760 ("toolchain: ARM: Fix toolchain compilation for
gcc 8.x")
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
(cherry picked from commit 43d1d88510)
Backport Device Tree change first added in kernel 4.19 to enable the SPI
device on ClearFog devices by default. This is tested and working in
snapshot builds with kernel 5.4+, include the change in future 19.07
patch releases.
Signed-off-by: Joel Johnson <mrjoel@lixil.net>
This adds the board name from ar71xx to support upgrade without
-F for the TP-Link TL-WA901ND v2.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 508462a399)
This reverts commit c38074de92.
Since ZyXEL Keenetic has actually 8 MiB flash as fixed in the
previous patch, we can re-enable it.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
ZyXEL Keenetic has 8MB flash, but OpenWrt uses only 4MB.
This commit fixes the problem.
WikiDevi page [1] says that ZyXEL Keenetic has FLA1: 8 MiB, there is
an article with specs [2] (in Russian).
[1] https://wikidevi.wi-cat.ru/ZyXEL_Keenetic
[2] https://3dnews.ru/608774/page-2.html
Fixes: FS#2487
Fixes: a7cbf59e0e ("ramips: add new device ZyXEL Keenetic as kn")
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
(cherry picked from commit fea232ae8f)
This prepares support for models XAP-1610 and XWR-3150. Flashing
requires using Luxul firmware version:
1) 8.1.0 or newer for XAP-1610
2) 6.4.0 or newer for XWR-3150
and uploading firmware using "Firmware Update" web UI page.
Signed-off-by: Dan Haab <dan.haab@legrand.com>
(cherry picked from commit c459a6bf48)
1. Use functions for cleaner code
2. Always execute WAN interface generic code
Before this change WAN interface code wasn't executed on all devices due
to an early "exit 0".
Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit b51ea43f90)
Use "truncate" to adjust size of existing file instead of "dd" which
required creating a copy. This saves space on tmpfs. It may be as low
as 2.1 MiB when using OpenWrt default user space and way more (20+ MiB)
when flashing vendor firmware.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 8abefc8896)
It's needed for optimized sysupgrade. On host machine this change
increased busybox size by 4096 B.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 547f1ec25a)
Image building process was missing "asus-trx" step which resulted in raw
TRX files (without ASUS footer with device id).
Fixes: 0b9de8daa7 ("bcm53xx: add profiles for all other (SoftMAC) devices")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 0493d57e04)
There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
newly generated RSA modules
- the patch reversing EOF detection we had already applied.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit af5ccfbac7)
This device seems to be identical to the TL-WDR4300, just with
different release date/region and TPLINK_HWID.
Support is added based on the ar71xx implementation.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 676ca94c3c)
This updates the shared-lib patch to the recent version from debian
found here:
https://salsa.debian.org/rfrancoise/libpcap/-/blob/debian/1.9.1-2/debian/patches/shared-lib.diff
This patch makes it include missing/strlcpy.o to the shared library
which is needed for OpenWrt glibc builds, otherwise there is an
undefined symbol and tcpdump and other builds are failing.
Fixes: 44f11353de ("libpcap: update to 1.9.1")
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Code was attempting to determine the size of the file
before it was actually known and allocating insufficient
memory space. Images above a certain size caused a
segmentation fault. Moving the calloc() ensured ensured
that large images didn't result in a buffer overflow on
memcpy().
Signed-off-by: Michael T Farnworth <michael@turf.org>
[fixed name in From to match one in SoB]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b468353a37)
Commit 432ec292cc ("rpcd: add respawn param") has introduced infinite
restarting of the service which could be reached over network. This is
not recommended security practice as it might give potential adversary
infinite number of tries in case there might be some issue in the rpcd
or its surrounding stack.
So lets remove the currently bogus `respawn_retry` variable (it wasn't
possible to override it anyway), reverting to the previous default max.
of 5 service restarts which could be now overriden via system's UCI
settings if desired.
Cc: Jo-Philip Wich <jow@mein.io>
Cc: Florian Eckert <fe@dev.tdt.de>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: 432ec292cc ("rpcd: add respawn param")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 52e6fb1369)
We must ensure that host ncurses is build before host readline.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
(cherry picked from commit ecef29b294)
In order to build squashfskit with GCC10, this backport from upstream is needed.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
[increase PKG_RELEASE]
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
(cherry picked from commit be4ed1db18)
There is a restriction in the number of parameters(10) that may be passed to
the SetupHostCommand macro so continually adding explicit gcc'n' version
checks ends up breaking the compiler check for the later versions and
oddballs like Darwin as was done in 835d1c68a0 which added gcc10.
Drop all the explicitly specified gcc version checks. If a suitable gcc
compiler is not found, it may be specified at the dependency checking
stage after which that version will be symlinked into the build staging
host directory.
eg. 'CC=gccfoo CXX=g++foo make prereq'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 1fb3c003d6)
Lets add GCC 10 detection to the build system as distributions like Fedora 32 have started shipping with it.
Some tools like mtd-utils need work to compile under GCC10, but that will be next step.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
(cherry picked from commit 835d1c68a0)
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e. It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443
Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read(). Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct. Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.
The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2e8a4db9b6)
Since commit 557f11b3a20f ("instance: provide error feedback if ujail
binary is missing") worrying log spam of the form "unable to find
/sbin/jail ..." may be encountered.
This corresponds with the changes done in the upstream commit
bcb86554f1b4 ("instance: add 'requirejail' attribute").
Ref: https://forum.openwrt.org/t/openwrt-19-07-2-service-release/57066
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Without this patch, when using rev 3 of the Atheros AR9344 SoC, the
gigabit switch (AR8327) does not work or works very erratically.
This is a re-spin of http://patchwork.ozlabs.org/patch/419857/ with a
different PLL value, according to the feedback from several users
(including myself) as shown here:
https://openwrt.org/toh/mikrotik/rb2011uias#tracking_reported_experience_with_suggested_patch_for_the_5_gige_ports
Performance is acceptable: testing L3 forwarding without NAT yields a
performance of 370 Mbit/s (iperf3 TCP) and 41 Kpps (iperf3 UDP with 64
bytes payload). Both tests show that 100% of CPU time is spent on softirq.
A similar fix for a different device (RB2011) was added in e457d22261
("Make GBit switch work on RB2011").
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
(cherry picked from commit 247043c968)
This ports support for the TL-WA860RE v1 range extender from ar71xx
to ath79.
Specifications:
Board: AP123 / AR9341 rev. 3
Flash/RAM: 4/32 MiB
CPU: 535 MHz
WiFi: 2.4 GHz b/g/n
Ethernet: 1 port (100M)
Two external antennas
Flashing instructions:
Upload the factory image via the vendor firmware upgrade option.
Recovery:
Note that this device does not provide TFTP via ethernet like many
other TP-Link devices do. You will have to open the case if you
require recovery beyond failsafe.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Sebastian Knapp <sebastian4842@outlook.com>
(cherry picked from commit 385f4868bc)
This ports support for the TL-WA850RE v1 range extender from ar71xx
to ath79.
Specifications:
Board: AP123 / AR9341 rev. 3
Flash/RAM: 4/32 MiB
CPU: 535 MHz
WiFi: 2.4 GHz b/g/n
Ethernet: 1 port (100M)
Flashing instructions:
Upload the factory image via the vendor firmware upgrade option.
Recovery:
Note that this device does not provide TFTP via ethernet like many
other TP-Link devices do. You will have to open the case if you
require recovery beyond failsafe.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 6eaea3a8ba)
Use power led for device status.
The status led behavior has already been fixed in af28d8a539
("ath79: add support for GL.iNet GL-AR750S") when porting the
device to ath79. This fixes it for ar71xx as well.
Signed-off-by: Jan Alexander <jan@nalx.net>
[minor commit title/message adjustments]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit d394c354ee)
Build of the brcm2708 subtarget currently fails with the following error
message:
arch/arm/lib/memset_rpi.S: Assembler messages:
arch/arm/lib/memset_rpi.S:65: Error: garbage following instruction
-- `orr DAT0,DAT0,lsl#8'
arch/arm/lib/memset_rpi.S:67: Error: garbage following instruction
-- `orr DAT0,DAT0,lsl#16'
scripts/Makefile.build:427: recipe for target 'arch/arm/lib/memset_rpi.o'
failed
Using the assembly notation from master fixes this error.
Signed-off-by: David Bauer <mail@david-bauer.net>
Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions.
The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended
to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute.
Also enable --script-arp if has_handlers returns true.
Signed-off-by: Jordan Sokolic <oofnik@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit dcef8d6093)