Commit Graph

1940 Commits

Author SHA1 Message Date
Kevin Darbyshire-Bryant
a7506c0e2b dnsmasq: backport official fix for CVE-2017-13704
Remove LEDE partial fix for CVE-2017-13704.

Backport official fix from upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
2017-09-07 08:11:49 +02:00
Kevin Darbyshire-Bryant
a006b48c04 dnsmasq: forward.c: fix CVE-2017-13704
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.

answer_request() is called with an invalid edns packet size provided by
the client.  Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"

The client that exposed the problem provided a payload udp size of 0.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-30 21:12:49 +02:00
Daniel Engberg
ae3c55666d tcpdump: Update to 4.9.1
Fixes:
 * CVE-2017-11108: Fix bounds checking for STP.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-08-15 18:31:10 +02:00
Hans Dedecker
b67b316dd1 dnsmasq: backport remove ping check of configured dhcp address
Remove ping check in DHCPDISCOVER case as too many buggy clients leave
an interface in configured state causing the ping check to fail.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-08 14:44:36 +02:00
Hauke Mehrtens
7ab8bf126e curl: fix CVE-2017-7407 and CVE-2017-7468
This fixes the following security problems:
* CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html
* CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-07-28 23:49:39 +02:00
Hans Dedecker
699e3127c5 dnsmasq: backport patch fixing DNS failover (FS#841)
Backport upstream dnsmasq patch fixing DNS failover when first servers
returns REFUSED in strict mode; fixes issue FS#841.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-12 22:06:48 +02:00
Hans Dedecker
91d41b6305 dnsmasq: backport tweak ICMP ping logic for DHCPv4
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-01 13:53:53 +02:00
Hans Dedecker
cca765f64c dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-29 10:02:14 +02:00
Magnus Kroken
57289ae640 openvpn: update to 2.4.3
Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Hans Dedecker
8f254e9c27 Revert "dnsmasq: don't point --resolv-file to default location unconditionally"
This reverts commit 78edfff530.

This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-19 22:07:44 +02:00
Kevin Darbyshire-Bryant
c16326cfed dropbear: fix service trigger syntax error
The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-17 13:50:27 +02:00
Jo-Philipp Wich
e78a641f52 umdns: remove superfluous include in init script
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 01:29:51 +02:00
Jo-Philipp Wich
cdfc6788a9 dnsmasq: bump to 2.77
This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 00:25:08 +02:00
Alberto Bursi
9e20cc56b9 dnsmasq: make tftp root if not existing
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-06-02 00:09:14 +02:00
Karl Vogel
ebf46d2c5b dnsmasq: use logical interface name for dhcp relay config
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
2017-06-02 00:07:02 +02:00
Philip Prindeville
78edfff530 dnsmasq: don't point --resolv-file to default location unconditionally
If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
2017-06-02 00:06:24 +02:00
Jo-Philipp Wich
22478bf473 samba: bump PKG_RELEASE
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 17:40:21 +02:00
Jo-Philipp Wich
757353c3a0 firewall: resync with master
Update to latest Git HEAD in order to import a number of fixes and other
improvements:

a4d98ae options: remove stray continue statement
3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()
c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation
e06e537 utils: replace sprintf use with snprintf to avoid overflows
533f834 build: disable the format-truncation warning error to fix gcc 7 build errors
e751cde zones: drop outgoing invalid traffic in masqueraded zones
d596f72 rules: fix UCI context in error reporting
1d0564c ubus: fix interface name and proto lookup
82ccd9e firewall3: fix handling of UTC times
1949e0c iptables: support xtables API > 11

Fixes FS#548, FS#640, FS#806, FS#811.

Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 16:18:31 +02:00
Matthias Schiffer
4bd3b8f8b0 mac80211, hostapd: always explicitly set beacon interval
One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-05-27 14:24:13 +02:00
Nick Lowe
e194e1b3c8 hostapd: add legacy_rates option to disable 802.11b data rates.
Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx

The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
2017-05-27 14:24:13 +02:00
Kevin Darbyshire-Bryant
dd19a41520 dropbear: bump to 2017.75
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-05-24 18:04:51 +02:00
Stijn Tintel
51db1f5a9a samba: fix CVE-2017-7494
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 3f0d3d12da)
2017-05-24 15:41:30 +02:00
Rafał Miłecki
1165c0ae0d umdns: update to the version 2017-05-22
This includes following changes:
0e8b948 Support specifying instance name in JSON file
49fdb9f Support PTR queries for a specific service
26ce7dc Allow filtering with instance name in service_reply
920c62a Store instance name in the struct service
ff09d9a Rename service_name function to the service_instance_name
64f78f1 Rename mdns_hostname variable to the umdns_host_label

Previous package update pulled commit 70c66fbbcde86 ("Fix sending
replies to PTR questions") which introduced a regression which this
update fixes.

Fixes: 474c31a20d ("umdns: update to the version 2017-03-21")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-05-22 12:11:29 +02:00
Jo-Philipp Wich
aba1b3cbd1 openvpn: update to v2.4.2
Update to version 2.4.2 in order to address two potential Denial-of-Service
vectors in OpenVPN.

CVE-2017-7478 - Don't assert out on receiving too-large control packets
CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over

Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2
Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-12 11:57:01 +02:00
Felix Fietkau
53e751e303 openvpn: add myself as maintainer
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-12 11:57:01 +02:00
Daniel Engberg
d40e2efa94 OpenVPN: Update to 2.4.1
Update OpenVPN to 2.4.1
Remove 200-small_build_enable_occ.patch as it's included upstream.
Refresh patches
Add mirror and switch to HTTPS

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-05-12 11:57:00 +02:00
Martin Schiller
98491a9ae9 openvpn: add extra respawn parameters
This change protects the openvpn instances to be marked as "in a crash
loop" and thereby the connection retries will run infinitely.

When the remote site of an openvpn connection goes down for some time
(network failure etc.) the openvpn instance in an openwrt/lede device
should not stop retrying to establish the connection.

With the current limit of 5 retries, there is a user interaction
required, which isn't really what you want when the device should
simply do everything to keep the vpn connection up.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-05-12 11:57:00 +02:00
Yousong Zhou
bc58099802 openvpn: move list of params and bools to a separate file
So that future patches for addition/removal of them can be more
readable

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-12 11:57:00 +02:00
Hans Dedecker
d8cfebaa50 dnsmasq: support dhcp_option config as a list
Configuring dhcp_option as an option does not allow the usage of white
spaces in the option value; fix this by supporting dhcp_option as a list
config while still supporting the option config to maintain backwards
compatibility

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-09 22:39:41 +02:00
Hans Dedecker
503e496366 odhcpd: update to version 2017-04-28 (FS#595)
9268ca6 ndp: don't trigger IPv6 ping when neighbor entry is invalid
2b3355f ndp: fix adding proxy neighbor entries
7dff5b4 ndp: fix wrong interface name in syslog message
a54afb5 dhcpv6-ia: Fix segfault when writing DHCPv4 leases in state file
c0e9dbf ubus: don't segfault when there're no leases

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-02 22:08:32 +02:00
Hans Dedecker
c266641acf odhcpd: update to version 2017-04-21
570069d ubus: rework dumping IPv6 and IPv4 leases
4e579c4 dhcpv6-ia: simplify logic to write statefile and dhcpv6 logging

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-02 22:08:21 +02:00
Hans Dedecker
c2999ef592 odhcpd: update to version 2017-03-29 (FS#635)
3d9f406 rework IPv6 dns address selection (FS#635)
bc6c3ac ndp: keep an exact copy of IPv6 interface addresses
6eb1e01 ndp: code cleanup
eea7d03 rework IPv6 address dump logic
24d21c7 ndp: add syslog debug tracing

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-13 13:55:57 +02:00
Florian Fainelli
a532aaa2aa odhcpd: update to version 2017-02-28
Brings in the following change:

9eac2a896341 dhcpv6-ia: Check lockf return value

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-04-13 13:55:57 +02:00
Hans Dedecker
425c6d0462 odhcpd: update to version 2017-02-21
1b630f8 router: don't announce prefixes with valid lifetime equal to 0
ba0cac0 router: fix arithmetic exception fault
3495f17 router: allow RA prefix lifetime being set to leasetime value (FS#397)
e437ce9 treewide: simplify dhcp leasetime checking
942fb33 router: support ra_mininterval and ra_lifetime uci parameters (FS#397)
f913337 router.h: fix alignment style
4dc7edb Revert "odhcpd.h: fix alignment style"
62ea54f odhcpd.h: fix alignment style
a898ee5 config: make loglevel configurable via uci (FS#481)
51c756c odhcpd: display correct default log level in usage text
68ee0b5 treewide: define and use macro IN6_IS_ADDR_ULA
fa57225 ndp: deregister netlink event socket for non recoverable errors
ac70d28 odhcpd: fix white space errors

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-13 13:55:57 +02:00
Hauke Mehrtens
298c40fd34 odhcpd: fix sha256 sum
The sha256sum added in commit b8567cb44e ("odhcpd: update to git HEAD
version (FS#396)") does not match the sha256sum of the file on the mirror or
when I clone it. Update the sha256 sum to the correct value.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
2017-03-30 22:00:48 +02:00
Yousong Zhou
910a9430a0 firewall: document rules for IPSec ESP/ISAKMP with 'name' option
These are recommended practices by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"

Fixes FS#640

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-03-28 17:46:30 +08:00
Matthias Schiffer
1b94737824
iw: enable MESH ID in scan output
Make scan output useful for 802.11s meshes. The common print_ssid function
is used, so this doesn't add any additional code.

Based-on-patch-by: Jan-Tarek Butt <tarek@ring0.de>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-03-25 14:55:10 +01:00
Rafał Miłecki
474c31a20d umdns: update to the version 2017-03-21
This includes following changes:
480d7bc Fix sending unicast questions on cache expire
a0403cd Keep source sockaddr for every cached DNS record
1478293 Fix code freeing cached non-A(AAA) records too early
9f1cc22 Fix replying to "QU" questions received on unicast interface
943bedb Fix reading port of incoming packets
c725494 Use MCAST_PORT define for port 5353
ce7e9e9 Use one define for DNS-Based Service Discovery service name
e1bacef Drop entries cached for interface we're going to delete
496aeba Fix comment typo in cache_gc_timer
f89986b Fix refreshing cached A(AAA) records that expire

Previous updates made umdns work as expected on startup but there were
still many bugs. They were mostly related to runtime - cache management
and requests + responses. E.g. umdns was never able to send question on
DNS record expire. It was also ignoring all incoming unicast questions.

Since these issues are quite serious it makes sense to backport this
update to the stable branch.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-24 06:51:45 +01:00
Rafał Miłecki
ba076ebbc5 umdns: update to the version 2017-03-14
This includes 3 cleanups:
fd5a160 Don't cache hosts as services
80dd246 Refresh DNS records A and AAAA directly
6515101 Access cached records (instead of services) to read list of hosts

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-24 06:51:44 +01:00
Yousong Zhou
0f23e80c27 iproute2: fix ip monitor can't work when NET_NS is not enabled
The bug appeared in v4.1.0 and was fixed since v4.8.0

Fixes FS#620

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-03-19 12:42:16 +08:00
Hauke Mehrtens
111cf1b9f3 curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignored
This fixes the following security problem:
https://curl.haxx.se/docs/adv_20170222.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 22:51:20 +01:00
Rafał Miłecki
0eed4a61b9 umdns: update to the 2017-03-10 version
This fixes crash in interface_start caused by freeing interface in
interface_free without stopping a timeout.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-10 13:09:54 +01:00
Jo-Philipp Wich
20a2db83de ppp: propagate master peerdns setting to dynamic slave interface
Honour the parent interfaces peerdns option when spawning a virtual DHCPv6
interface in order to avoid pulling in IPv6 DNS servers when the user opted
to inhibit peer DNS servers in the configuration.

Fixes #597.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-03-07 11:27:27 +01:00
Hsing-Wang Liao
21903d056e wireless-tools: Change download url to github
Signed-off-by: Hsing-Wang Liao <kuoruan@gmail.com>
2017-03-01 20:37:37 +01:00
Kevin Darbyshire-Bryant
1b2a54b5cd iftop: bump to latest upstream
Drops a LEDE carried patch now upstream.
Convert to autotools.
A number of nits fixed upstream (dns & short packet handling most
notable)

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-03-01 20:37:37 +01:00
Ben Kelly
3d52251df4 swconfig: Bugfix switch_port uci option parsing
When not defining 'device' or 'vlan' in relevant switch_port uci
sections, behaviour is inconsistent due to *devn, *port and *vlan
pointers not being zero initialized.

Signed-off-by: Ben Kelly <ben@benjii.net>
2017-03-01 20:37:37 +01:00
Felix Fietkau
df041b6520 netifd: fix stopping netifd + interfaces
stop() is overwritten by rc.common, so implement stop_service instead.
While at it, remove the now unnecessary restart() override

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-01 20:37:37 +01:00
Ansuel Smith
00e4f6fd36 ebtables: update to last commit
Refreshed patches

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2017-03-01 20:37:36 +01:00
Daniel Albers
8aa92deaf6 hostapd: mv netifd.sh hostapd.sh
same name for the file on the host and target

Signed-off-by: Daniel Albers <daniel.albers@public-files.de>
2017-03-01 20:37:36 +01:00
Ulrich Weber
3983b4ad0f ppp: honor ip6table for IPv6 PPP interfaces
as we do for IPv4 PPP interfaces. When we create the
dynamic IPv6 interface we should inherit ip6table from
main interface.

Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
2017-03-01 20:37:36 +01:00