Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [04-Jun-2024]
* Fixed potential use after free after SSL_free_buffers() is called.
[CVE-2024-4741]
* Fixed checking excessively long DSA keys or parameters may be very slow.
[CVE-2024-4603]
* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
would lead to a Denial of Service. [CVE-2024-2511]
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded. This can be used on platforms
where using atexit() from shared libraries causes crashes on exit
Signed-off-by: John Audia <therealgraysky@proton.me>
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Update to the latest upstream release to include recent improvements and
bugfixes, and simplify use of PKG_SOURCE_VERSION.
Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.3
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Without this patch, GCC 14 incorrectly complains about the following error:
In file included from /home/user/workspace/mbedtls/library/ctr_drbg.c:13:
In function ‘mbedtls_xor’,
inlined from ‘ctr_drbg_update_internal’ at /home/user/workspace/mbedtls/library/ctr_drbg.c:372:5:
/home/user/workspace/mbedtls/library/common.h:235:17: error: array subscript 48 is outside array bounds of ‘unsigned char[48]’ [-Werror=array-bounds=]
235 | r[i] = a[i] ^ b[i];
| ~^~~
/home/user/workspace/mbedtls/library/ctr_drbg.c: In function ‘ctr_drbg_update_internal’:
/home/user/workspace/mbedtls/library/ctr_drbg.c:335:19: note: at offset 48 into object ‘tmp’ of size 48
335 | unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
| ^~~
In function ‘mbedtls_xor’,
inlined from ‘ctr_drbg_update_internal’ at /home/user/workspace/mbedtls/library/ctr_drbg.c:372:5:
/home/user/workspace/mbedtls/library/common.h:235:24: error: array subscript 48 is outside array bounds of ‘const unsigned char[48]’ [-Werror=array-bounds=]
235 | r[i] = a[i] ^ b[i];
| ~^~~
/home/user/workspace/mbedtls/library/ctr_drbg.c: In function ‘ctr_drbg_update_internal’:
/home/user/workspace/mbedtls/library/ctr_drbg.c:333:57: note: at offset 48 into object ‘data’ of size [0, 48]
333 | const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN])
| ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘mbedtls_xor’,
inlined from ‘ctr_drbg_update_internal’ at /home/user/workspace/mbedtls/library/ctr_drbg.c:372:5:
/home/user/workspace/mbedtls/library/common.h:235:14: error: array subscript 48 is outside array bounds of ‘unsigned char[48]’ [-Werror=array-bounds=]
235 | r[i] = a[i] ^ b[i];
| ~~~~~^~~~~~~~~~~~~
/home/user/workspace/mbedtls/library/ctr_drbg.c: In function ‘ctr_drbg_update_internal’:
/home/user/workspace/mbedtls/library/ctr_drbg.c:335:19: note: at offset 48 into object ‘tmp’ of size 48
335 | unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
| ^~~
This change adds a basic check to silence the warning until a solution is worked on upstream.
As this check is already used by another compiler, it shouldn't cause any issues for us.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Add "linux64-loongarch64-openwrt" into openssl configurations to enable
building on loongarch64 machines.
Signed-off-by: Weijie Gao <hackpascal@gmail.com>
These options are not available in mbedtls 3.6.0 and selecting them
causes an error.
MBEDTLS_CERTS_C was removed in:
1aec64642c
MBEDTLS_XTEA_C was removed in:
10e8cf5fef
MBEDTLS_SSL_TRUNCATED_HMAC was removed in:
4a7010d1aa
Fixes: 0e06642643 ("mbedtls: Update to version 3.6.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Changes:
- new URL for sources (old address is dead)
- daemon and utils from packages feed are merged in here
- only build once
- no need to update at the same time in both places
- update to v3.1.4
- removed unneeded patches
- added audisp-syslog
- removed audispd (no longer exists)
- rename and move to package/utils/audit
- update new path in one dependent package
Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
This adds support for mbedtls 3.6.0.
The 3.6 version is the next LTS version of mbedtls.
This version supports TLS 1.3.
This switches to download using git. The codeload tar file misses some
git submodules.
Add some extra options added in mbedtls 3.6.0.
The size of the compressed ipkg increases:
230933 bin/packages/mips_24kc/base/libmbedtls13_2.28.7-r2_mips_24kc.ipk
300154 bin/packages/mips_24kc/base/libmbedtls14_3.6.0-r1_mips_24kc.ipk
The removed patch was integrated upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes multiple security problems:
* [High] CVE-2024-0901 Potential denial of service and out of bounds
read. Affects TLS 1.3 on the server side when accepting a connection
from a malicious TLS 1.3 client. If using TLS 1.3 on the server side
it is recommended to update the version of wolfSSL used.
* [Med] CVE-2024-1545 Fault Injection vulnerability in
RsaPrivateDecryption function that potentially allows an attacker
that has access to the same system with a victims process to perform
a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin
Zhang, Qingni Shen for the report (Peking University, The University
of Western Australia)."
* [Med] Fault injection attack with EdDSA signature operations. This
affects ed25519 sign operations where the system could be susceptible
to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang,
Qingni Shen for the report (Peking University, The University of
Western Australia).
Size increased a little:
wolfssl 5.6.6:
516880 bin/packages/mips_24kc/base/libwolfssl5.6.6.e624513f_5.6.6-stable-r1_mips_24kc.ipk
wolfssl: 5.7.0:
519429 bin/packages/mips_24kc/base/libwolfssl5.7.0.e624513f_5.7.0-stable-r1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This contains a fix for:
CVE-2024-28960: An issue was discovered in Mbed TLS 2.18.0 through 2.28.x
before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto
API mishandles shared memory.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
f9a28a9ce864 ustream-ssl: poll connection on incomplete reads
3c49e70c4622 ustream-ssl: increase number of read buffers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This reverts commit a9e22ffa50.
After doing a clean rebuild, it turns out that this change is not necessary
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Update to the latest upstream release to include recent improvements and
bugfixes, and update copyright. Remove MAKE_VARS usage in Makefile and drop
001-cflags.patch which are no longer needed. Also add flags to disable LTO,
mistakenly dropped earlier.
Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.0
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
e209a4ced1d8 add strdupa macro for compatibility
af1962b9a609 uclient: add helper function for getting ustream-ssl context/ops
488f1d52cfd2 http: add helper function for checking redirect status
b6e5548a3ecc uclient: defer read notifications to uloop timer
352fb3eeb408 http: call ustream_poll if not enough read data is available
e611e6d0ff0b add ucode binding
ddb18d265757 uclient: add function for getting the amount of pending read/write data
980220ad1762 ucode: fix a few ucode binding issues
6c16331e4bf5 ucode: add support for using a prototype for cb, pass it to callbacks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When using zst instead of xz, the hash changes. This commit fixes the
hash for packages and tools in core.
Signed-off-by: Paul Spooren <mail@aparcar.org>
On Fedora 40 system, some compile error happens when
building iconv-ostream.c. Linking to libiconv-full
fixes this.
Signed-off-by: Yanase Yuki <dev@zpc.st>
The PKG_MIRROR_HASH was wrong (again), likely due to an old set of tools
which did not contain the downgrade of xz.
Ref 2070049 unetd: fix PKG_MIRROR_HASH
Fix 89c594e libubox: update to Git HEAD (2024-03-29)"
Signed-off-by: Paul Spooren <mail@aparcar.org>
a2fce001819e CI: add build test run
12bda4bdb197 CI: add CodeQL workflow tests
eb9bcb64185a ustream: prevent recursive calls to the read callback
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Different from OPKG, APK uses a deterministic version schema which chips
the version into chunks and compares them individually. This enforces a
certain schema which was previously entirely flexible.
- Releases are added at the very and end prefixed with an `r` like
`1.2.3-r3`.
- Hashes are prefixed with a `~` like `1.2.3~abc123`.
- Dates become semantic versions, like `2024.04.01`
- Extra tags are possible like `_git`, `_alpha` and more.
For full details see the APK test list:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/test/version.data
Signed-off-by: Paul Spooren <mail@aparcar.org>
libevent2's cmake use absolute path, then cmake cannot find it when cross compiling:
```
-- Found libevent include directory: /builder/staging_dir/target-mips_24kc_musl/usr/include
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_core.so
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_extra.so
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_openssl.so
-- Found libevent 2.1.12 in /builder/staging_dir/target-mips_24kc_musl/usr
CMake Error at /builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventTargets-shared.cmake:102 (message):
The imported target "libevent::core" references the file
"/usr/lib/libevent_core-2.1.so.7.0.1"
but this file does not exist. Possible reasons include:
* The file was deleted, renamed, or moved to another location.
* An install or uninstall procedure did not complete successfully.
* The installation package was faulty and contained
"/builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventTargets-shared.cmake"
but not all the files it references.
Call Stack (most recent call first):
/builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventConfig.cmake:168 (include)
CMakeLists.txt:34 (find_package)
```
This patch make cmake use relative imported path, so it can find libevent.
Signed-off-by: Liu Dongmiao <liudongmiao@gmail.com>
Fixes libssh, which requires it. Bump ABI_VERSION, since enabling this
option affects data structures in mbedtls include files.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
* Fixed PKCS12 Decoding crashes
([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
CPUs which support PowerISA 2.07
([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q parameter
value ([CVE-2023-5678])
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Changelog:
edddd80 Release libbsd 0.11.8
dd0bdb5 test: Close all descriptors before initializing them for closefrom()
0813f37 build: Check out-of-tree builds in CI
df116b5 Adjust strlcpy() and strlcat() per glibc adoption
ecb44e1 Do not add a pointer to the NULL constant
459b7f7 Do not confuse code analyzers with out-of-bounds array access look alike
a44f885 test: Fix short-lived memory leak
3f5ca0a build: Add a coverage regex to the CI job
9d3e59a man: Use VARIANTS instead of ALTERNATIVES in libbsd(7)
f02562d man: Markup function references with Xr instead of Fn
b7367c9 build: Add missing dash to macro title bar
6777eb6 pwcache: Do not declare uidtb and gidtb when not used
d4e0cdc fgetln: Include <stdio.h> after <sys/*>
f41d6c1 build: Refactor GNU .init_array support check into a new m4 function
30b48ed build: Refactor linker script detection into a new m4 function
d0d8d01 build: Do not provide prototypes for arc4random() on Solaris
cf61ebb build: Do not build the progname module if it is not needed
73b25a8 build: Sort entries alphabetically
5434ba1 build: Conditionalize wcslcpy() and wcslcat() functions on macOS
dc1bd1a build: Conditionalize only id-from-name functions not the entire pwcache
edc746e build: Conditionalize getprogname()/setprogname on macOS
8f998d1 progname: Include <procinfo.h> if available
d08163b build: Check whether we need libperfstat on AIX
1186cf8 build: Annotate droppable functions for musl on next SOVERSION bump
6385ccc build: Conditionalize bsd_getopt() on macOS
c120681 Move the version script comments before the symbols
9fa0676 Port getprogname() to AIX
92337b1 Make getprogname() porting mandatory
90b7f3a test: Do not use /dev/null as compiler output file
426bf45 build: Add generated *.sym files to .gitignore
21d12b0 build: On macOS do not build functions provided by the system
bc65806 build: Select whether to include funopen() in the build system
8b7a4d9 build: Move Windows OS detection to the OS features section
ccbfd1c build: Remove __MUSL__ definition from configure
e0976d7 build: Add a new libbsd_strong_alias() macro and switch users to it
49c7dd1 build: Only emit link warnings for ELF objects
8622767 build: Use an export symbols file if there is no version script support
8f61036 build: Add -no-undefined libtool flag
ae7942b build: Do not override the default DEPENDENCIES for libbsd
a5faf17 Only use <stdio_ext.h> if present
06e8a1b Define _NSIG if it is not defined by the system
44824ac Declare environ if the system does not do so
1fb6c3f Use lockf() when flock() is not available
fe16f38 test: Use open_memstream() only if available
7c652a9 test: Do not hardcode root:root user and group names
ed2eb31 test: Fix closefrom() test on macOS
0f8bcdf test: Fix closefrom() test to handle open file descriptor limits
07192b3 test: Disable blank_stack_side_effects() on non-Hurd systems
ca3db5e build: Do not enable ASAN for musl CI pipelines
ff46386 man: Add HISTORY section to arc4random(3bsd)
4c6da57 man: Switch arc4random(3bsd) man page from OpenBSD to NetBSD
830dd88 doc: Remove written-by attribution
257800a build: Add support for sanitizer compiler flags
536a7d4 test: Exempt blank_stack_side_effects() from sanitizer checks
7ed5de0 test: Import explicit_bzero() sanitizer support changes from OpenBSD
05a802a test: Fix memory leaks in fpurge test
5962e03 man: Fix BSD and glibc versions
59a21c7 man: Update STANDARDS and HISTORY sections
7b4ebd6 include: Adjust closefrom() per glibc adoption
0dfbe76 build: Switch to debian:latest Docker image
dec783d build: Fix version script linker support detection
fe21244 include: Use __has_builtin to detect __builtin_offsetof support
ec88b7b funopen: Replace off64_t with off_t in funopen_seek()
2337719 man: Prune unneeded <sys/types.h> include in setproctitle(3)
5dea9da build: Improve C99 compatibility of __progname configure check
b9bf42d build: Enable -Wall for automake
e57c078 build: Add missing AM_PROG_AR macro call to configure.ac
80f1927 build: Fix configure.ac indentation
b7a8bc2 build: Require automake 1.11
e508962 build: Do not require funopen() to be ported
00b538f build: Terminate lists in variables with «# EOL»
5cfa39e build: Use «yes» instead of «true» for AC_CHECK_FUNCS cache value
Signed-off-by: Nick Hainke <vincent@systemli.org>
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for following security issues:
* Timing side channel in private key RSA operations (CVE-2024-23170)
Mbed TLS is vulnerable to a timing side channel in private key RSA
operations. This side channel could be sufficient for an attacker to
recover the plaintext. A local attacker or a remote attacker who is
close to the victim on the network might have precise enough timing
measurements to exploit this. It requires the attacker to send a large
number of messages for decryption.
* Buffer overflow in mbedtls_x509_set_extension() (CVE-2024-23775)
When writing x509 extensions we failed to validate inputs passed in to
mbedtls_x509_set_extension(), which could result in an integer overflow,
causing a zero-length buffer to be allocated to hold the extension. The
extension would then be copied into the buffer, causing a heap buffer
overflow.
Fixes: CVE-2024-23170, CVE-2024-23775
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
Signed-off-by: orangepizza <tjtncks@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [formal fixes]
6339204c212b CMakeLists.txt: bump minimum cmake version
c1be505732e6 udebug: fix crash in udebug_entry_vprintf with longer strings
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Changes:
67f3b2a libtracefs: version 1.8
8a1322f libtracefs utest: Add tests to use mapping if supported
0a65b79 libtracefs: Add tracefs_mapped_is_supported() API
805f650 libtracefs: Call mmap ioctl if a refresh happens
cf7e2a5 libtracefs: Fix tracefs_mmap() kbuf usage
3a26b26 libtracefs: Have nonblock tracefs_cpu reads set errno EAGAIN
2b5bb09 libtracefs: Have tracefs_mmap_read() include subbuf meta data
dee0448 libtracefs: Have mapping work with the other tracefs_cpu* functions
28eebc1 libtracefs: Have tracefs_cpu_flush(_buf)() use mapping
065d914 libtracefs: Use mmapping for iterating raw events
1124e0e libtracefs: Use tracefs_cpu_*_buf() calls for iterator
f43b293 libtracefs: Unmap mmap mapping on tracefs_cpu close
0d24516 libtracefs Documentation: Fix tracefs_cpu_snapshot_open() man pages
5ff31c0 libtracefs Documentation: Add tracefs_follow_events_clear() to main man page
0c7d9f7 libtracefs: Add man pages for tracefs_snapshot_*() functions
b2dc3e0 libtracefs sql: Rename TIMESTAMP_USECS_DELTA to TIMESTAMP_DELTA_USECS
585ec77 libtracefs: Force off trace mmapping
2ed14b5 libtracefs: Add ring buffer memory mapping APIs
173ffc0 libtracefs meson: Add option to disable samples
a55e2e8 libtracefs meson: Add option to disable documentation
93e20af libtracefs: Fix tracefs_instance_reset to clear synthetic events
a1ecbff libtracefs utest: Add more tests to test tracefs_sql()
975c37c libtracefs utest: Add matches to trace_sql() tests
0567e2d libtracefs synthetic: Handle hashed name variables
fcb3a83 libtracefs synthetic: Remove multiple adding of action in tracefs_synth_save()
a9dae65 libtracefs: Fix sqlhist used uninitialized error
fe7a467 libtracefs: Add updating and reading snapshot buffers
1ad57ab libtracefs: Add PID filtering API
d8726bf libtracefs: Also clear max_graph_depth on reset
eb4dd60 libtracefs: Add TIMESTAMP_USECS_DELTA to simplify SQL timestamp compares
8c57eb4 libtracefs: Add tracefs_instance_set/get_subbuf_size()
9bafb21 libtracefs: Add API to extract ring buffer statistics
141d25e libtracefs: Add tracefs_load_headers() API
ef3fae7 libtracefs: Add kerneldoc comments to tracefs_instance_set_buffer_size()
31acfe1 libtracefs utest: Add test to test tracefs_instance_set/get_buffer_percent()
3e6d975 libtracefs: Add tracefs_instance_clear() API
c4efaaf libtracefs: Add tracefs_instance_get/set_buffer_percent()
1e1cc54 libtracefs: Add API to read tracefs_cpu and return a kbuffer
7d395b1 libtracefs: Add tracefs_instance_file_write_number()
e34cbd8 libtracefs: Increase splice to use pipe max size
1f50965 libtracefs: Add API to remove followers from an instance or toplevel
576ee0b libtracefs: Reset tracing before and after unit tests
118b694 libtracefs: Free dynamic event list in utest
5159973 libtracefs: Free tracing_dir in case of remount
df563eb libtracefs: Free buf in clear_func_filter()
3cbac37 libtracefs: Free "missed_followers" of instance
0cbe56e libtracefs testing: Use one tep handle for most tests
adac30f libtracefs Documentation: Fix tracefs_event_file_exists() issues
07ab199 libtracefs: Pass enum value where expected instead of int
bb299b4 libtracefs: fix cscope makefile rule
420d677 libtracefs: Free "followers" when freeing instance
3f436fc libtracefs: Fix documentation of tracefs_trace_pipe_stream() flags
1fde9df libtracefs: Add explicit pthread dependency to meson
d1989ae tracefs-perf: Add missing headers for syscall() and SYS_* defines
Signed-off-by: Nick Hainke <vincent@systemli.org>