Commit Graph

14999 Commits

Author SHA1 Message Date
Jo-Philipp Wich
82fbd85747 libubox: backport blobmsg_check_array() fix
Fixes: FS#2833
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 955634b473)
2020-02-27 22:25:59 +01:00
Petr Štetiar
4c1779ac2c ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03)
Fixes: CVE-2020-8597
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:42:06 +01:00
Jo-Philipp Wich
cd262f59cb Revert "ppp: backport security fixes"
This reverts commit cc78f934a9 since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:41:48 +01:00
Jo-Philipp Wich
ed3c3048b8 uhttpd: update to latest Git HEAD
2ee323c file: poke ustream after starting deferred program

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 04069fde19)
2020-02-26 16:23:05 +01:00
Petr Štetiar
cc78f934a9 ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03)
2020-02-20 09:39:31 +01:00
Jo-Philipp Wich
05062462f1 hostapd: remove erroneous $(space) redefinition
The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.

Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.

Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 766e778226)
2020-02-08 11:54:23 +01:00
Jo-Philipp Wich
6bfde67581 OpenWrt v18.06.7: revert to branch defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-29 17:13:25 +01:00
Jo-Philipp Wich
1b5c116233 OpenWrt v18.06.7: adjust config defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-29 17:13:21 +01:00
Jo-Philipp Wich
ca47026b7d opkg: update to latest Git HEAD
80d161e opkg: Fix -Wformat-overflow warning
c09fe20 libopkg: fix skipping of leading whitespace when parsing checksums

Fixes: CVE-2020-7982
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit c69c20c667)
2020-01-29 17:06:05 +01:00
Hauke Mehrtens
cc0a54e332 libubox: backport security patches
This backports some security relevant patches from libubox master. These
patches should not change the existing API and ABI so that old
applications still work like before without any recompilation.
Application can now also use more secure APIs.

The new more secure interfaces are also available, but not used.

OpenWrt master and 19.07 already have these patches by using a more
recent libubox version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-27 21:44:28 +01:00
Martin Schiller
ebafb746f0 lantiq: ltq-ptm: vr9: fix skb handling in ptm_hard_start_xmit()
Call skb_orphan(skb) to call the owner's destructor function and make
the skb unowned.

This is necessary to prevent sk_wmem_alloc of a socket from overflowing,
which leads to ENOBUFS errors on application level.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit 996f02e5ba)
2020-01-26 22:12:54 +01:00
Magnus Kroken
f51d1c3b7c mbedtls: update to 2.16.4
Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA.

Release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12

Fixes:
 * CVE-2019-18222: Side channel attack on ECDSA

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 6e96fd9047)
2020-01-26 20:25:47 +01:00
Matthias Schiffer
ab9d1bf608
ethtool: fix PKG_CONFIG_DEPENDS
Add missing CONFIG_ prefix.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 41c19dd542)
2020-01-07 21:42:48 +01:00
Hauke Mehrtens
46c2674225 OpenWrt v18.06.6: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-06 21:50:26 +01:00
Hauke Mehrtens
8004e3f2c6 OpenWrt v18.06.6: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-06 21:50:22 +01:00
Hauke Mehrtens
97e9be4e3a e2fsprogs: Fix CVE-2019-5094 in libsupport
This adds the following patch from debian:
https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=debian/stable&id=09fe1fd2a1f9efc3091b4fc61f1876d0785956a8
libsupport: add checks to prevent buffer overrun bugs in quota code

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 0062aad8ec)
2020-01-01 20:55:17 +01:00
Josef Schlehofer
85c4d374c2 openssl: update to version 1.0.2u
Fixes CVE-2019-1551 (rsaz_512_sqr overflow bug) on x86_x64

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-01-01 16:57:32 +01:00
Sungbo Eo
e242125d71 kernel: fix *-gpio-custom module unloading
Unloading and reloading the modules fails, as platform_device_put() does not
release resources fully.

root@OpenWrt:/# insmod i2c-gpio-custom bus0=0,18,0,5
[  196.860620] Custom GPIO-based I2C driver version 0.1.1
[  196.871162] ------------[ cut here ]------------
[  196.880517] WARNING: CPU: 0 PID: 1365 at fs/sysfs/dir.c:31 0x80112158
[  196.893431] sysfs: cannot create duplicate filename '/devices/platform/i2c-gpio.0'
...
[  197.513200] kobject_add_internal failed for i2c-gpio.0 with -EEXIST, don't try to register things with the same name in the same directory.

This patch fixes it by replacing platform_device_put() to
platform_device_unregister().

Fixes: da77408537 ("i2c-gpio-custom: minor bugfix")
Fixes: 3bc81edc70 ("package: fix w1-gpio-custom package (closes #6770)")

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit a22b7a60d9)
2019-12-23 01:07:23 +01:00
Jo-Philipp Wich
b901563611 uhttpd: update to latest Git HEAD
5f9ae57 client: fix invalid data access through invalid content-length values
6b03f96 ubus: increase maximum ubus request size to 64KB
91fcac3 uhttpd: Fix multiple format string problems

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit f34f9a414d)
2019-12-22 22:56:23 +01:00
Felix Fietkau
2152722bd3 netifd: add support for suppressing the DHCP request hostname by setting it to *
dnsmasq (and probably other DHCP servers as well) does not like to hand out
leases with duplicate host names.
Adding support for skipping the hostname makes it easier to deploy setups
where it is not guaranteed to be unique

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit fd8ca8deb3)
2019-12-22 22:52:01 +01:00
Hauke Mehrtens
1cbde3eb9c mac80211: Adapt to changes to skb_get_hash_perturb()
The skb_get_hash_perturb() function now takes a siphash_key_t instead of
an u32. This was changed in commit 55667441c84f ("net/flow_dissector:
switch to siphash"). Use the correct type in the fq header file
depending on the kernel version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
(cherry picked from commit eaa047179a)
2019-12-07 19:46:22 +01:00
Sungbo Eo
7863a8f302 base-files: config_generate: split macaddr with multiple ifaces
netifd does not handle network.@device[x].name properly if it
contains multiple ifaces separated by spaces. Due to this, board.d
lan_mac setup does not work if multiple ifaces are set to LAN by
ucidef_set_interface_lan.

To fix this, create a device node for each member iface when
running config_generate instead. Those are named based on the
member ifname:

  ucidef_set_interface_lan "eth0 eth1.1"
  ucidef_set_interface_macaddr "lan" "yy:yy:yy:yy:yy:01"

will return

  config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr 'yy:yy:yy:yy:yy:01'

  config device 'lan_eth1_1_dev'
        option name 'eth1.1'
        option macaddr 'yy:yy:yy:yy:yy:01'

ref: https://github.com/openwrt/openwrt/pull/2542

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
[always use new scheme, extend description, change commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 298814e6be)
2019-11-26 17:04:17 +01:00
Rafał Miłecki
e6a7eacfea mac80211: brcmfmac: fix PCIe reset crash and WARNING
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit cde8c2f2fb)
2019-11-18 15:23:56 +01:00
Michal Cieslakiewicz
79fd7593a2 ar71xx: update uboot-envtools for Netgear WNR routers
Boards added: WNR1000v2, WNR2000v3, WNR2200, WNR612v2, WNDR4300.
Boards changed: WNDR3700 (u-boot env size is 2 sectors not 1).

Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
(cherry picked from commit 1105290049)
2019-11-12 16:31:09 +01:00
Jo-Philipp Wich
69bc68b46b OpenWrt v18.06.5: revert to branch defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-08 20:32:31 +01:00
Jo-Philipp Wich
5e4533cdd4 OpenWrt v18.06.5: adjust config defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-08 20:32:24 +01:00
Jo-Philipp Wich
9d401013fc ustream-ssl: backport fix for CVE-2019-5101, CVE-2019-5102
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit c5d5cdb759)
2019-11-05 15:12:18 +01:00
Yousong Zhou
700f66ae95 kernel: mark kmod-usb-serial-wwan as hidden
The kconfig symbol is an invisible one since its introduction.  It is
not supposed to be enabled on its own.

Resolves FS#1821

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit 4bf9bec361)
2019-10-30 12:47:17 +00:00
Yousong Zhou
b2fba59f10 iptables: bump PKG_RELEASE
Package content changed with the previous two cherry-picks

  dff0b2104d kernel: netfilter: Add nf_tproxy_ipv{4,6} and nf_socket_ipv{4,6}
  a2fe698a40 kernel: Added required dependencies for socket match.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-10-24 10:41:07 +00:00
Oldřich Jedlička
a2fe698a40 kernel: Added required dependencies for socket match.
This applies to kernel 4.10 and newer.

See 8db4c5be88

The above commit added to kernel 4.10 added new dependency
for building the NETFILTER_XT_MATCH_SOCKET (xt_socket.ko)
module. The NF_SOCKET_IPVx options (both of them) need to
be enabled in order to build the NETFILTER_XT_MATCH_SOCKET
module. Without the change the module is not built.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
(cherry picked from commit 66e875a070)
(required for fixing FS#2531)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-10-24 10:30:02 +00:00
DENG Qingfang
3b8db97a52 tcpdump: update to 4.9.3
Fixed CVEs:
	CVE-2017-16808
	CVE-2018-10103
	CVE-2018-10105
	CVE-2018-14461
	CVE-2018-14462
	CVE-2018-14463
	CVE-2018-14464
	CVE-2018-14465
	CVE-2018-14466
	CVE-2018-14467
	CVE-2018-14468
	CVE-2018-14469
	CVE-2018-14470
	CVE-2018-14879
	CVE-2018-14880
	CVE-2018-14881
	CVE-2018-14882
	CVE-2018-16227
	CVE-2018-16228
	CVE-2018-16229
	CVE-2018-16230
	CVE-2018-16300
	CVE-2018-16301
	CVE-2018-16451
	CVE-2018-16452
	CVE-2019-15166
	CVE-2019-15167

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
(cherry picked from commit 394273c066)
2019-10-19 15:26:35 +02:00
DENG Qingfang
96a87b90ef libpcap: update to 1.9.1
Fixed CVEs:
	CVE-2018-16301
	CVE-2019-15161
	CVE-2019-15162
	CVE-2019-15163
	CVE-2019-15164
	CVE-2019-15165

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
(cherry picked from commit 44f11353de)
2019-10-19 15:26:19 +02:00
Syrone Wong
a857fc2ded libpcap: update to 1.9.0
001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch dropped due to upstream
002-Add-missing-compiler_state_t-parameter.patch dropped due to upstream

202-protocol_api.patch dropped due to implemented upstream by another way
upstream commit: 55c690f6f8
and renamed via: 697b1f7e9b

ead is the only user who use the protocol api, we have to use the new api since libpcap 1.9.0

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2019-10-19 15:25:45 +02:00
Hauke Mehrtens
45a2c0f309 hostapd: Fix AP mode PMF disconnection protection bypass
This fixes
* CVE-2019-16275 AP mode PMF disconnection protection bypass
https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit a6981604b3)
2019-09-21 21:16:22 +02:00
Hauke Mehrtens
e289a4133c hostapd: SAE/EAP-pwd side-channel attack update
Fixes this security problem:
* SAE/EAP-pwd side-channel attack update
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7bed9bf10f)
2019-09-21 21:16:07 +02:00
Magnus Kroken
a63edb4691 mbedtls: update to 2.16.3
Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch,
the issue has been fixed upstream.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 49d96ffc5c)
2019-09-21 21:11:21 +02:00
Josef Schlehofer
2698157d54 mbedtls: Update to version 2.16.2
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
(cherry picked from commit a2f54f6d5d)
2019-09-21 21:10:44 +02:00
Eneas U de Queiroz
952bafa03c openssl: bump to 1.0.2t, add maintainer
This version fixes 3 low-severity vulnerabilities:

- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
                 CMS_decrypt_set1_pkey

Patches were refreshed, and Eneas U de Queiroz added as maintainer.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-09-20 20:50:07 +02:00
Rafał Miłecki
5880dd48d5 mac80211: brcmfmac: backport the last 5.4 changes
This makes brcmfmac use the same wiphy after PCIe reset to help user
space handle corner cases (e.g. firmware crash).

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit f39f4b2f6d)
2019-09-16 09:25:29 +02:00
Rafał Miłecki
7393ce8d87 mac80211: brcmfmac: backport more kernel 5.4 changes
Patch getting RAM info got upstreamed. A debugging fs entry for testing
reset feature was added.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 681acdcc54)
2019-09-09 12:57:56 +02:00
Josef Schlehofer
f6de1fa6c6 bzip2: Fix CVE-2019-12900
More details about this CVE:
https://nvd.nist.gov/vuln/detail/CVE-2019-12900

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2019-09-03 12:55:00 +02:00
Koen Vandeputte
4b5c77ca2f ath9k: backport dynack improvements
Close cooperation with Lorenzo Bianconi resulted
in these patches which fix all remaining seen issues
when using dynack.

Fix link losses when:
- Late Ack's are not seen or not present
- switching from too low static coverage class to dynack on a live link

These are fixed by setting the Ack Timeout/Slottime to
the max possible value for the currently used channel width when
a new station has been discovered.

When traffic flows, dynack is able to adjust to optimal values
within a few packets received (typically < 1 second)

These changes have been thoroughly tested on ~60 offshore devices
all interconnected using mesh over IBSS and dynack enabled on all.

Distances between devices varied from <100m up to ~35km

[move patches to correct folder + renumber]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
(cherry picked from commit f6e8ba0238fe349b7529357793e2fb18635819ed)
2019-08-28 13:10:08 +02:00
Jan Pavlinec
564d81e944 iptables: patch CVE-2019-11360 (security fix)
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2019-08-17 17:23:17 +02:00
Luiz Angelo Daros de Luca
5e3b21c916 musl: ldso/dlsym: fix mips returning undef dlsym
This happens only the second time a library is loaded by dlopen().
After lib1 is loaded, dlsym(lib1,"undef1") correctly resolves the undef
symbol from lib1 dependencies. After the second library is loaded,
dlsym(lib2,"undef1") was returning the address of "undef1" in lib2
instead of searching lib2 dependencies.

Backporting upstream fix which now uses the same logic for relocation
time and dlsym.

Fixes openwrt/packages#9297

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2019-08-17 17:23:17 +02:00
Eneas U de Queiroz
2df2b75208 wolfssl: fixes for CVE-2018-16870 & CVE-2019-13628
CVE-2018-16870: medium-severity, new variant of the Bleichenbacher
attack to perform downgrade attacks against TLS, which may lead to
leakage of sensible data. Backported from 3.15.7.

CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack. Backported from 4.1.0.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-08-17 17:23:17 +02:00
Rosen Penev
28dc34f249 xfsprogs: Replace valloc with posix_memalign
Fixes compilation under uClibc-ng.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit e49b6bb618)
2019-08-14 09:12:52 +02:00
Rosen Penev
24967a6c42 libbsd: Fix compilation under ARC
The 8 year old file does not have any ARC definitions.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[updated content of the patch with version sent to upstream]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 395bef4bba)
2019-08-14 09:12:23 +02:00
Rosen Penev
30815d65d2 nftables: Fix compilation with uClibc-ng
Missing header for va_list.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
(cherry picked from commit 2f97797471)
2019-08-14 09:12:23 +02:00
Jo-Philipp Wich
0a4a82a431 config: introduce separate CONFIG_SIGNATURE_CHECK option
Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value
of CONFIG_SIGNED_PACKAGES and thus is enabled by default.

This option is needed to support building target opkg with enabled
signature verification while having the signed package lists disabled.

Our buildbots currently disable package signing globally in the
buildroot and SDK to avoid the need to ship private signing keys to
the build workers and to prevent the triggering of random key generation
on the worker nodes since package signing happens off-line on the master
nodes.

As unintended side-effect, updated opkg packages will get built with
disabled signature verification, hence the need for a new override option.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f565f276e2)
2019-08-07 07:54:27 +02:00
Jo-Philipp Wich
8a83892662 packages: apply usign padding workarounds to package indexes if needed
Since usign miscalculates SHA-512 digests for input sizes of exactly
64 + N * 128 + 110 or 64 + N * 128 + 111 bytes, we need to apply some
white space padding to avoid triggering the hashing edge case.

While usign itself has been fixed already, there is still many firmwares
in the wild which use broken usign versions to verify current package
indexes so we'll need to carry this workaround in the forseeable future.

Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Ref: https://git.openwrt.org/5a52b379902471cef495687547c7b568142f66d2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit e1f588e446)
2019-08-07 07:23:51 +02:00