Commit Graph

1775 Commits

Author SHA1 Message Date
Petr Štetiar
b3aa2909a7 zlib: backport security fix for a reproducible crash in compressor
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.

Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.

Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-24 08:15:24 +01:00
Rosen Penev
9c290ad498 tools/ccache: update to 4.6
Full changelog: https://ccache.dev/releasenotes.html#_ccache_4_6

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-13 19:24:13 +01:00
Rosen Penev
9a44bc78b4 tools/fakeroot: update to 1.28
Refreshed patches.

Upstream says there's only a bugfix for GNU Hurd.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-13 19:24:13 +01:00
Rosen Penev
f88a6da020 tools/cmake: update to 3.22.3
Seems to be mostly pthread fixes.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-13 19:24:13 +01:00
Rosen Penev
7f92046dff tools/mtools: update to 4.0.38
No real changelog available.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-13 19:24:13 +01:00
Rosen Penev
cca5367f27 tools/expat: enable DTD
Fixes gdb usage, which depends on it.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-13 10:10:30 +01:00
Rosen Penev
3150e8bf3e tools/expat: update to 2.4.7
Mostly a bug fix to the bug fix to CVE-2022-25236

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-13 10:10:30 +01:00
Sungbo Eo
4f3a565f5d tools: zip: make encrypted archives reproducible
Zip always try to generate new encryption header depending on execution
time and process id, which is far from being reproducible. This commit
changes the zip srand() seed to a predictable value to generate
reproducible random bytes for the encryption header. This will compromise
the goal of secure archive encryption, but it would not be a big problem
for our purpose.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-03-09 15:38:23 +09:00
Sungbo Eo
39d06472eb tools: zip: fetch SOURCE_DATE_EPOCH directly
Remove "--mtime" option introduced in commit 18c9faa032 ("tools: zip:
add option for reproducible archives") and instead fetch SOURCE_DATE_EPOCH
environment variable directly in the code.

Ref: https://sourceforge.net/p/infozip/patches/25/
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-03-09 15:38:23 +09:00
Felix Fietkau
545cabee9e tools/fakeroot: restore macos bugfix that was dropped during the last update
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-05 16:58:58 +01:00
Josef Schlehofer
495c4f4e19 tools/libressl: update to version 3.4.2
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt

```
It includes the following security fix

  * In some situations the X.509 verifier would discard an error on an
    unverified certificate chain, resulting in an authentication bypass.
    Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
```

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-01 00:08:08 +01:00
Huangbin Zhan
4a19cf3bc7 tools/mkimage: update to 2022.01
- enable dot config
- enable openwrt verbose
- add bison as dependency to avoid failure
```
  bison -oscripts/kconfig/zconf.tab.c -t -l scripts/kconfig/zconf.y
bison: /builder/shared-workdir/build/staging_dir/host/share/bison/m4sugar/m4sugar.m4: cannot open: No such file or directory
```

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
40f91f6a2f tools/fakeroot: update to 1.27
Remove macOS stuff. Upstream has fixed it in the same way.

Add SOL_TCP define. Taken from elsewhere in the code.

Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
4e13229dd1 tools/expat: update to 2.4.6
Switched to CMake for faster compilation and greater parallel
friendliness.

Added CMake options from the packages feed.

This release fixes various CVEs.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
c8fdca4f6f tools/findutils: update to 4.9.0
Add compilation fix for Ubuntu 20.04. Provided by upstream maintainer:

https://github.com/openwrt/packages/issues/17912#issuecomment-1046726426

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
94dd68ff73 tools/zstd: update to 1.5.2
Switched to building with meson as it's faster and does not need a
dependency on cmake, which takes a long time to build.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
2d5f03205a tools/ccache: add cmake dependency
This will be needed for the next commit as ccache's cmake dependency is
satisfied by zstd currenly.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
03f55708cb tools/cmake: update to 3.22.2
Mostly random Python 3.10 fixes.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
63e530a519 tools/mtools: update to 4.0.37
No changelog is available.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
c8b7065f61 tools/mklibs: update to 0.1.45
Refresh 2to3 patch. Upstream partially did this against some older
python version. This is still needed.

Refreshed other patches to be python3 safe.

Remove uClibc patches as only musl is present now.

Refresh others.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-01 00:08:08 +01:00
Stijn Tintel
0dc3566a3b firmware-utils: bump to git HEAD
002cfaf firmware-utils: fix compilation with macOS

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-28 13:12:00 +02:00
Stijn Tintel
73dfc9e7d9 firmware-utils: bump to git HEAD
706e9cc tplink-safeloader: support for Archer A6 v3 JP
  497726b firmware-utils: support checksum for AVM fritzbox wasp SOCs
  2ca6462 iptime-crc32: add support for AX8004M
  57d0e31 tplink-safeloader: TP-Link EAP615-Wall v1 support
  8a8da19 tplink-safeloader: add TL-WPA8631P v3 support
  eea4ee7 tplink-safeloader: add TP-Link Archer A9 v6 support

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-27 12:01:22 +02:00
Rosen Penev
628970a195 tools/meson: update to 0.61.2
Seems to be minor bugfixes with Cygwin and Windows.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-02-26 13:44:14 +01:00
Rosen Penev
68a20d8631 tools/quilt: update to 0.67
- Call pager with original LANG environment variable
  - Consistently complain early if no series file is found
  - Fix handling of symbolic links by several commands
  - Tighten the patch format parsing
  - Reuse the shell (performance)
  - Document the series file format further
  - Document that quilt loads /etc/quilt.quiltrc
  - configure: Make stat configurable
  - series: Minor optimizations
  - setup: Don't obey the settings of any englobing .pc
  - setup: Default to fast mode
  - quilt.el: Fix documentation of quilt-pc-directory
  - quilt.el: Load /etc/quilt.quiltrc if ~/.quiltrc doesn't exist
  - quilt.el: Fix quilt-editable when QUILT_PATCHES_PREFIX is set

Refresh patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add changelog]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-02-25 14:12:39 +01:00
Paul Spooren
1e2549045c tools: use https for bc mirrors
All mirrors offer encrypted downloads, use it.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-02-24 15:36:28 +01:00
Rosen Penev
0d25db7f17 tools/cmake: add MAKE config variable
Makes sure that Ninja from staging_dir is used and nowhere else.

Reported by reproducible builds project. Builds have been failing ever
since tools/cmake started using Ninja.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-02-11 12:04:09 +01:00
Jo-Philipp Wich
af79853c73 Revert "tools/zstd: update to 1.5.2"
This reverts commit 8de901ccf7.

Apparently this update breaks tools building.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 09:03:19 +01:00
Rosen Penev
8de901ccf7 tools/zstd: update to 1.5.2
Switched to building with meson as it's faster and does not need a
dependency on cmake, which takes a long time to build.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-02-07 00:03:27 +01:00
Rosen Penev
fb6cf22866 tools/meson: update to 0.61.1
Changelog:

backend_startup_project
Add a man page backend to refman
extract_objects() supports generated sources
Python 3.6 support will be dropped in the next release
Warning if check kwarg of run_command is missing
meson rewrite can modify extra_files
meson rewrite target <target> info outputs target's extra_files
Visual Studio 2022 backend
Support for CMake <3.14 is now deprecated for CMake subprojects
Added support for sccache
install_symlink function

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-02-03 23:16:00 +01:00
Sungbo Eo
536a8021c3 firmware-utils: bump to git HEAD
0c15cad iptime-naspkg: add image header tool for ipTIME NAS series
872c87c iptime-crc32: add image header tool for new ipTIME models

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-01-29 23:49:39 +09:00
Daniel Golle
ebeb003470
firmware-utils: update to git HEAD of 2022-01-28
6c95945 ptgen: add Chromium OS kernel partition support
 8e7274e cros-vbutil: add Chrome OS vboot kernel-signing utility

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-28 13:00:25 +00:00
Felix Fietkau
3869ccbcc8 tools: build bash on macOS and use it for ipkg-build
On macOS, system binaries silently drop the environment variables for injecting
extra shared libraries (used by fakeroot). This is done for security reasons.
Work around this by building bash from source, so that it gets an ad-hoc signature
and does not have these restrictions

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-01-27 13:38:48 +01:00
Felix Fietkau
1d4750fd50 tools/coreutils: build chown
On ARM macOS, injecting extra shared libraries does not work for system
binaries. This causes fakeroot to fail for chown calls

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-01-27 13:38:48 +01:00
Felix Fietkau
53ebacacf9 tools/fakeroot: fix unresolved symbols on arm64 macOS
The $INODE64 symbol variants are not present, since the base system
always uses 64-bit file offsets

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-01-27 13:38:48 +01:00
Hauke Mehrtens
f1d4c77766 firmware-utils: update to latest master
d885b49 tplink-safeloader: support Archer C6v3.0 (BR)

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-16 21:56:51 +01:00
Matthias Schiffer
9e15dea36e
firmware-utils: update to latest master
84dbf8ee49f5 tplink-safeloader: fix Archer A7v5 factory flashing from vendor fw > v1.1.x

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2022-01-14 23:13:23 +01:00
Josef Schlehofer
4b587f2561 tools/cmake: update to version 3.22.1
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2021-12-31 15:38:56 +01:00
Huangbin Zhan
b6385a3668 tools/mkimage: update to 2021.10
Changelog:

 - upstream now needs OpenSSL in order to be able to sign FITs. See:
commit cb9faa6f98ae ("tools: Use a single target-independent config to enable OpenSSL")

 - removes upstream patches.

Link: cb9faa6f98
Tested-by: Sergey V. Lobanov <sergey@lobanov.in>
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-27 13:51:41 +01:00
Sergey V. Lobanov
8261b85844 tools/mkimage: fix build on MacOS arm64
Fixed -no-pie compilation warning on MacOS
Fixed errors related to using absolute addressing on MacOS arm64

Based on upstream patch from Jessica Clarke and suggestions from Ronny Kotzschmar

Link to original patch and discussion:
3b142045e8

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2021-12-06 23:36:35 +01:00
Rosen Penev
75093d1b1d tools/meson: update to 0.60.1
change meson binary to use py extension. Fixes issue with meson's
symbolextractor using the host python instead of the system one.

We intentionally use a .py extension here so that meson launches
additional python scripts with the same build host python interpreter as
itself is running under (and not the host package one once it becomes
available)

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-12-05 18:49:14 +01:00
Sergey V. Lobanov
8fedc17d01 tools/fakeroot: fix build on MacOS arm64
Added patch for MacOS without 32 bit inodes support
(__DARWIN_ONLY_64_BIT_INO_T is true)

This patch based on discussion https://github.com/archmac/bootstrap/issues/4

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2021-12-02 14:43:41 +01:00
Rafał Miłecki
51d4e85068 firmware-utils: bump to the latest master
56e8e19 otrx: support TRX from stdin when extracting
a37ccaf otrx: support unsorted partitions offsets
1fa145e otrx: extract shared code opening & parsing TRX format
0fbc135 oseama: support extracting entity to stdout
58c9d5d oseama: allow reading from stdin
4ecefda otrx: allow validating TRX from stdin
cf01e69 otrx: avoid unneeded fseek() when calculating CRC32
fa35379 tplink-safeloader: add EAP225 v1 support
f4d1263 build, cmake: switch OPENSSL_CRYPTO_LIBRARY -> OPENSSL_CRYPTO_LIBRARIES
cd3f6ee build, cmake: add quotes for FW_UTIL variable arguments

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-12-02 09:14:09 +01:00
Rosen Penev
d1c7df9c4b tools/ccache: update to 4.5.1
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-26 21:33:09 +01:00
Rosen Penev
a18047de45 tools/cmake: update to 3.22.0
Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-26 21:27:50 +01:00
Felix Fietkau
340c2ed2ef tools/llvm-bpf: move tarball packing to target/llvm-bpf
This ensures that the tarball is regenerated after make clean or after switching
to a different target

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-22 12:00:40 +01:00
Felix Fietkau
203c86f061 tools/llvm-bpf: include host os/arch in tarball name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-21 13:47:18 +01:00
Huangbin Zhan
1126855911 tools/llvm-bpf: make sure llvm-bpf.tar.gz is created
The llvm-bpf-$version.tar.xz might be absent. For example `make clean` executed, CONFIG_TARGET changed.
This commit can only guarantee that the target file can be built when tools/compile is explicitly called rather than $(tools/stamp-compile).

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
2021-11-21 13:47:18 +01:00
Felix Fietkau
848499c1cf tools: include the value of CONFIG_SDK_LLVM_BPF in the stampfile
tools/llvm-bpf needs to be checked if the value changes

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-21 13:47:18 +01:00
Rosen Penev
9211af712f tools/cpio: fix compilation with clang
A define dealing with builtin type is wrong. A gnulib update fixes
this, but that requires a new cpio version.

Refresh other patch.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:25 +01:00
Andre Heider
e37dffbf35 tools/mkimage: pass --static via PKG_CONFIG_EXTRAARGS
Remove the then unnecessary patch doing exactly that individually.

See also 09465d80 "u-boot.mk: always link host libraries static".

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-11-06 14:22:26 +01:00