Commit Graph

1369 Commits

Author SHA1 Message Date
Rosen Penev
d7a76fc351 readline: fix pkgconfig usage
ncurses is built with wide support enabled, which enables libncursesw.
The problem is, the ncurses build system only supplies ncursesw or
ncurses.pc but not both. The other problem is, the readline build tests
for libncurses before the w variant, making its pc file unusable as
there is no ncurses.pc file to satisfy the Required: ncurses section.

Just override the library.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15864
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-08 09:44:21 +02:00
Rosen Penev
1b141cb3d1 ncurses: enable pc files in the host build
Needed for things such as readline that depend on ncurses.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15864
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-08 09:44:21 +02:00
Sean Khan
31ec4515c3 openssl: conditionally disable engine section
Currently, the build option to enable/disable engine support isn't
reflected in the final '/etc/ssl/openssl.cnf' config. It assumes `engines`
is always enabled, producing an error whenever running any
commands in openssl util or programs that explicitly use settings
from '/etc/ssl/openssl.cnf'.

```
➤ openssl version
FATAL: Startup failure (dev note: apps_startup()) for openssl
307D1EA97F000000:error:12800067:lib(37):dlfcn_load:reason(103):crypto/dso/dso_dlfcn.c:118:filename(libengines.so):
Error loading shared library libengines.so: No such file or directory
307D1EA97F000000:error:12800067:lib(37):DSO_load:reason(103):crypto/dso/dso_lib.c:152:
307D1EA97F000000:error:0700006E:lib(14):module_load_dso:reason(110):crypto/conf/conf_mod.c:321:module=engines, path=engines
307D1EA97F000000:error:07000071:lib(14):module_run:reason(113):crypto/conf/conf_mod.c:266:module=engines
```

Build should check for the `CONFIG_OPENSSL_ENGINE` option, and comment out `engines`
if not explicitly enabled.

Example:
```
[openssl_init]
providers = provider_sect
```

After this change, openssl util works correctly.

```
➤ openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
```

Signed-off-by: Sean Khan <datapronix@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/15661
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-06-22 16:31:23 +02:00
Carlos Miguel Ferreira
76c863fe60
libquadmath: Add libquadmath to the toolchain
This commit makes the libquadmath library available to the GCC
toolchain. This library is important for libraries such as
Boost.charconv

Signed-off-by: Carlos Miguel Ferreira <carlosmf.pt@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15637
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-06-17 13:12:29 +02:00
John Audia
bac2f1bed6 openssl: update to 3.0.14
Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [04-Jun-2024]

* Fixed potential use after free after SSL_free_buffers() is called.
  [CVE-2024-4741]
* Fixed checking excessively long DSA keys or parameters may be very slow.
  [CVE-2024-4603]
* Fixed an issue where some non-default TLS server configurations can cause
  unbounded memory growth when processing TLSv1.3 sessions. An attacker may
  exploit certain server configurations to trigger unbounded memory growth that
  would lead to a Denial of Service.  [CVE-2024-2511]
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
  is registered when libcrypto is unloaded. This can be used on platforms
  where using atexit() from shared libraries causes crashes on exit

Signed-off-by: John Audia <therealgraysky@proton.me>

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
2024-06-08 23:29:31 +02:00
Tony Ambardar
56b15913af libbpf: Update to v1.4.3
Update to the latest upstream release to include recent improvements and
bugfixes, and simplify use of PKG_SOURCE_VERSION.

Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.3
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2024-06-08 14:21:40 +02:00
Rany Hany
a41747ac8e mbedtls: fix build on GCC 14
Without this patch, GCC 14 incorrectly complains about the following error:

In file included from /home/user/workspace/mbedtls/library/ctr_drbg.c:13:
In function ‘mbedtls_xor’,
    inlined from ‘ctr_drbg_update_internal’ at /home/user/workspace/mbedtls/library/ctr_drbg.c:372:5:
/home/user/workspace/mbedtls/library/common.h:235:17: error: array subscript 48 is outside array bounds of ‘unsigned char[48]’ [-Werror=array-bounds=]
  235 |         r[i] = a[i] ^ b[i];
      |                ~^~~
/home/user/workspace/mbedtls/library/ctr_drbg.c: In function ‘ctr_drbg_update_internal’:
/home/user/workspace/mbedtls/library/ctr_drbg.c:335:19: note: at offset 48 into object ‘tmp’ of size 48
  335 |     unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
      |                   ^~~
In function ‘mbedtls_xor’,
    inlined from ‘ctr_drbg_update_internal’ at /home/user/workspace/mbedtls/library/ctr_drbg.c:372:5:
/home/user/workspace/mbedtls/library/common.h:235:24: error: array subscript 48 is outside array bounds of ‘const unsigned char[48]’ [-Werror=array-bounds=]
  235 |         r[i] = a[i] ^ b[i];
      |                       ~^~~
/home/user/workspace/mbedtls/library/ctr_drbg.c: In function ‘ctr_drbg_update_internal’:
/home/user/workspace/mbedtls/library/ctr_drbg.c:333:57: note: at offset 48 into object ‘data’ of size [0, 48]
  333 |                                     const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN])
      |                                     ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘mbedtls_xor’,
    inlined from ‘ctr_drbg_update_internal’ at /home/user/workspace/mbedtls/library/ctr_drbg.c:372:5:
/home/user/workspace/mbedtls/library/common.h:235:14: error: array subscript 48 is outside array bounds of ‘unsigned char[48]’ [-Werror=array-bounds=]
  235 |         r[i] = a[i] ^ b[i];
      |         ~~~~~^~~~~~~~~~~~~
/home/user/workspace/mbedtls/library/ctr_drbg.c: In function ‘ctr_drbg_update_internal’:
/home/user/workspace/mbedtls/library/ctr_drbg.c:335:19: note: at offset 48 into object ‘tmp’ of size 48
  335 |     unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
      |                   ^~~

This change adds a basic check to silence the warning until a solution is worked on upstream.
As this check is already used by another compiler, it shouldn't cause any issues for us.

Signed-off-by: Rany Hany <rany_hany@riseup.net>
2024-05-31 10:33:06 +02:00
Tony Ambardar
d44d35f106 libbpf: Update to v1.4.2
Update to the latest upstream release to include recent improvements and
bugfixes.

Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.2
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2024-05-21 08:02:55 +02:00
Felix Fietkau
1a2c171909 mbedtls: export cmake files
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-05-07 12:50:27 +02:00
Tony Ambardar
8cf28cc6a5 libbpf: Update to v1.4.1
Update to the latest upstream release to include recent improvements and
bugfixes.

Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.1
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2024-05-06 22:41:31 +02:00
Pascal Ernster
064d4a8083 libxml2: update to 2.12.6
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.6

Changelog (taken from the release notes):
- Regressions
  - parser: Fix detection of duplicate attributes in XML namespace
  - xmlreader: Fix xmlTextReaderConstEncoding
  - html: Fix htmlCreatePushParserCtxt with encoding
  - xmllint: Return error code if XPath returns empty nodeset

Compile-tested: x86_x64, Q35 VM, OpenWRT SNAPSHOT r26135-a8bfdf2ed4d9
Run-tested: x86_x64, Q35 VM, OpenWRT SNAPSHOT r26135-a8bfdf2ed4d9
Signed-off-by: Pascal Ernster <git@hardfalcon.net>
2024-05-05 21:45:52 +02:00
Weijie Gao
3f28c422ba libunwind: add support for loongarch64
Modify package depends to allow building for loongarch64.
Also fix for building with musl.

Signed-off-by: Weijie Gao <hackpascal@gmail.com>
2024-05-04 14:14:24 +08:00
Weijie Gao
33cd87079b openssl: add linux64-loongarch64 into the targets list
Add "linux64-loongarch64-openwrt" into openssl configurations to enable
building on loongarch64 machines.

Signed-off-by: Weijie Gao <hackpascal@gmail.com>
2024-05-04 14:14:24 +08:00
Weijie Gao
6eafcd86b8 toolchain: Disable libtsan and liblsan sanitizer on loongarch64
libtsan and liblsan are not supported by glibc on loongarch64

Signed-off-by: Weijie Gao <hackpascal@gmail.com>
2024-05-04 14:14:24 +08:00
Hauke Mehrtens
adc29202c2 mbedtls: Remove Kconfig options removed from mbedtls 3.6.0
These options are not available in mbedtls 3.6.0 and selecting them
causes an error.

MBEDTLS_CERTS_C was removed in:
1aec64642c

MBEDTLS_XTEA_C was removed in:
10e8cf5fef

MBEDTLS_SSL_TRUNCATED_HMAC was removed in:
4a7010d1aa

Fixes: 0e06642643 ("mbedtls: Update to version 3.6.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-29 01:32:36 +02:00
Marius Dinu
ff0bb196eb libaudit: update to 3.1.4, join with daemon and utils, rename
Changes:
- new URL for sources (old address is dead)
- daemon and utils from packages feed are merged in here
  - only build once
  - no need to update at the same time in both places
- update to v3.1.4
  - removed unneeded patches
  - added audisp-syslog
  - removed audispd (no longer exists)
- rename and move to package/utils/audit
  - update new path in one dependent package

Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
2024-04-29 00:53:43 +02:00
Weijie Gao
f9e3fb59c7 libunwind: update to 1.8.1
Rebased patches:
- 003-fix-missing-ef_reg-defs-with-musl.patch
- 004-ppc-musl.patch

Signed-off-by: Weijie Gao <hackpascal@gmail.com>
2024-04-28 23:32:08 +02:00
Hauke Mehrtens
0e06642643 mbedtls: Update to version 3.6.0
This adds support for mbedtls 3.6.0.
The 3.6 version is the next LTS version of mbedtls.
This version supports TLS 1.3.

This switches to download using git. The codeload tar file misses some
git submodules.

Add some extra options added in mbedtls 3.6.0.

The size of the compressed ipkg increases:
230933 bin/packages/mips_24kc/base/libmbedtls13_2.28.7-r2_mips_24kc.ipk
300154 bin/packages/mips_24kc/base/libmbedtls14_3.6.0-r1_mips_24kc.ipk

The removed patch was integrated upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-28 21:42:37 +02:00
Fabrice Fontaine
a4f723e04e package/libs/libjson-c: fix PKG_CPE_ID
cpe:/a:json-c:json-c is the correct CPE ID for libjson-c:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3🅰️json-c:json-c

Fixes: c61a239514 (add PKG_CPE_ID ids to package and tools)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15292
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-04-27 23:44:20 +02:00
Fabrice Fontaine
27d1ebb46a package/libs/pcre2: fix PKG_CPE_ID
cpe:/a:pcre:pcre2 is the correct CPE ID for pcre2:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3🅰️pcre:pcre2

Fixes: c39b0646f3 (pcre2: import pcre2 from packages feed)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2024-04-27 12:05:43 +02:00
Tony Ambardar
098bde1f3e gettext-full: update to 0.22.5
Release Announcement:
https://savannah.gnu.org/news/?group_id=425

Refresh:
- 200-libunistring-missing-link.patch

Tested-by: Georgi Valkov <gvalkov@gmail.com> # MacOS
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2024-04-25 21:33:51 +02:00
Hauke Mehrtens
f475a44c03 wolfssl: Update to 5.7.0
This fixes multiple security problems:
 * [High] CVE-2024-0901 Potential denial of service and out of bounds
   read. Affects TLS 1.3 on the server side when accepting a connection
   from a malicious TLS 1.3 client. If using TLS 1.3 on the server side
   it is recommended to update the version of wolfSSL used.

 * [Med] CVE-2024-1545 Fault Injection vulnerability in
   RsaPrivateDecryption function that potentially allows an attacker
   that has access to the same system with a victims process to perform
   a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin
   Zhang, Qingni Shen for the report (Peking University, The University
   of Western Australia)."

 * [Med] Fault injection attack with EdDSA signature operations. This
   affects ed25519 sign operations where the system could be susceptible
   to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang,
   Qingni Shen for the report (Peking University, The University of
   Western Australia).

Size increased a little:
wolfssl 5.6.6:
516880 bin/packages/mips_24kc/base/libwolfssl5.6.6.e624513f_5.6.6-stable-r1_mips_24kc.ipk
wolfssl: 5.7.0:
519429 bin/packages/mips_24kc/base/libwolfssl5.7.0.e624513f_5.7.0-stable-r1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-24 23:01:03 +02:00
Hauke Mehrtens
360ac07eb9 mbedtls: Update to 2.28.8
This contains a fix for:
CVE-2024-28960: An issue was discovered in Mbed TLS 2.18.0 through 2.28.x
before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto
API mishandles shared memory.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-24 22:24:11 +02:00
Felix Fietkau
ea609fe486 uclient: update to Git HEAD (2024-04-19)
e8780fa7792a uclient: fix http regression

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-19 20:06:47 +02:00
Felix Fietkau
a339894691 uclient: update to Git HEAD (2024-04-19)
704c78111a92 uclient-http: use ustream_ssl without ustream_fd

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-19 18:00:23 +02:00
Felix Fietkau
7334337064 ustream-ssl: update to Git HEAD (2024-04-19)
524a76e5af78 ustream-ssl: add support for using a fd instead of ustream as backing

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-19 18:00:23 +02:00
Felix Fietkau
66019e456f uclient: update to Git HEAD (2024-04-18)
c2bf660d88ec lib: add log_msg callback to get more detailed log messages
9adb4ca5219d uclient-fetch: add uclient / ustream-ssl log messages (enabled via -v)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-18 22:27:51 +02:00
Felix Fietkau
8992767956 ustream-ssl: update to Git HEAD (2024-04-18)
f9a28a9ce864 ustream-ssl: poll connection on incomplete reads
3c49e70c4622 ustream-ssl: increase number of read buffers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-18 22:27:50 +02:00
Felix Fietkau
e4453d1f81 ustream-ssl: update to Git HEAD (2024-04-18)
60d8fbb5e669 mbedtls: handle session tickets for TLS 1.3
ac42af7981ae mbedtls: add ifdefs to fix legacy compatibility
af7c3532ad49 mbedtls: another cosmetic ifdef fix

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-18 13:18:48 +02:00
Felix Fietkau
d4742de1d7 Revert "elfutils: fix a missing typedef in the last update"
This reverts commit a9e22ffa50.
After doing a clean rebuild, it turns out that this change is not necessary

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-15 22:05:24 +02:00
Felix Fietkau
a9e22ffa50 elfutils: fix a missing typedef in the last update
Fixes perf

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-15 13:46:05 +02:00
Tony Ambardar
e609b7486f elfutils: update to 1.91
Release Notes:
https://sourceware.org/pipermail/elfutils-devel/2024q1/006876.html

Refresh patch:
- 005-build_only_libs.patch

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2024-04-14 17:38:09 +02:00
Tony Ambardar
5b07c37dfa libbpf: Update to v1.4.0
Update to the latest upstream release to include recent improvements and
bugfixes, and update copyright. Remove MAKE_VARS usage in Makefile and drop
001-cflags.patch which are no longer needed. Also add flags to disable LTO,
mistakenly dropped earlier.

Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.0
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2024-04-13 11:20:41 +02:00
Felix Fietkau
5e0587b8d1 uclient: update to Git HEAD (2024-04-05)
e209a4ced1d8 add strdupa macro for compatibility
af1962b9a609 uclient: add helper function for getting ustream-ssl context/ops
488f1d52cfd2 http: add helper function for checking redirect status
b6e5548a3ecc uclient: defer read notifications to uloop timer
352fb3eeb408 http: call ustream_poll if not enough read data is available
e611e6d0ff0b add ucode binding
ddb18d265757 uclient: add function for getting the amount of pending read/write data
980220ad1762 ucode: fix a few ucode binding issues
6c16331e4bf5 ucode: add support for using a prototype for cb, pass it to callbacks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-07 23:29:59 +02:00
Felix Fietkau
507b0286d9 ustream-ssl: update to Git HEAD (2024-04-07)
7621339d7694 mbedtls: fix build on non-linux systems
268050964b08 ustream-mbedtls: add missing psa_crypto_init call
956fba242ac0 add callbacks for debug messages
9fdf3fb87af5 mbedtls: add TLS 1.3 ciphers
28c4c1e6471b mbedtls: disable TLS 1.3 in client mode when skipping verification
d61493a44204 mbedtls: add missing ifdef for build with disabled debug

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-07 20:01:09 +02:00
Paul Spooren
b3c1c57a35 treewide: update PKG_MIRROR_HASH to zst
When using zst instead of xz, the hash changes. This commit fixes the
hash for packages and tools in core.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-04-06 11:24:18 +02:00
Yanase Yuki
63dd14b906 gettext-full: link libiconv when building host pkg
On Fedora 40 system, some compile error happens when
building iconv-ostream.c. Linking to libiconv-full
fixes this.

Signed-off-by: Yanase Yuki <dev@zpc.st>
2024-04-05 15:08:38 +02:00
Paul Spooren
b906a9c78e libubox: fix PKG_MIRROR_HASH of 2024-03-29
The PKG_MIRROR_HASH was wrong (again), likely due to an old set of tools
which did not contain the downgrade of xz.

Ref 2070049 unetd: fix PKG_MIRROR_HASH
Fix 89c594e libubox: update to Git HEAD (2024-03-29)"

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-04-04 22:39:27 +02:00
Felix Fietkau
4ef13c4a49 libxml2: add host build dependency on libiconv-full
Fixes build on macOS

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-04 13:45:46 +02:00
Felix Fietkau
89c594e8b2 libubox: update to Git HEAD (2024-03-29)
a2fce001819e CI: add build test run
12bda4bdb197 CI: add CodeQL workflow tests
eb9bcb64185a ustream: prevent recursive calls to the read callback

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-04 11:15:03 +02:00
Felix Fietkau
766ec55966 mbedtls: copy psa includes in InstallDev
They are required for some of the crypto API

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-03 22:42:46 +02:00
Paul Spooren
e8725a932e treewide: use APK compatible version schema
Different from OPKG, APK uses a deterministic version schema which chips
the version into chunks and compares them individually. This enforces a
certain schema which was previously entirely flexible.

 - Releases are added at the very and end prefixed with an `r` like
`1.2.3-r3`.
- Hashes are prefixed with a `~` like `1.2.3~abc123`.
- Dates become semantic versions, like `2024.04.01`
- Extra tags are possible like `_git`, `_alpha` and more.

For full details see the APK test list:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/test/version.data

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-03-22 22:14:22 +01:00
Daniel Golle
5305dbbe9f glibc: don't ship /etc/localtime -> /tmp/localtime symlink
The symlink is already part of the base-files package. We don't need
to ship it with glibc again.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-03-20 23:44:10 +00:00
Liu Dongmiao
51752fa14b libevent2: make cmake use relative imported path
libevent2's cmake use absolute path, then cmake cannot find it when cross compiling:

```
-- Found libevent include directory: /builder/staging_dir/target-mips_24kc_musl/usr/include
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_core.so
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_extra.so
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_openssl.so
-- Found libevent 2.1.12 in /builder/staging_dir/target-mips_24kc_musl/usr
CMake Error at /builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventTargets-shared.cmake:102 (message):
  The imported target "libevent::core" references the file

     "/usr/lib/libevent_core-2.1.so.7.0.1"

  but this file does not exist.  Possible reasons include:

  * The file was deleted, renamed, or moved to another location.

  * An install or uninstall procedure did not complete successfully.

  * The installation package was faulty and contained

     "/builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventTargets-shared.cmake"

  but not all the files it references.

Call Stack (most recent call first):
  /builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventConfig.cmake:168 (include)
  CMakeLists.txt:34 (find_package)
```

This patch make cmake use relative imported path, so it can find libevent.

Signed-off-by: Liu Dongmiao <liudongmiao@gmail.com>
2024-03-13 00:24:43 +00:00
Felix Fietkau
e3bb01b30e mbedtls: enable threading support
Fixes libssh, which requires it. Bump ABI_VERSION, since enabling this
option affects data structures in mbedtls include files.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-03-08 22:46:32 +01:00
Nick Hainke
c47b7571f0 libxml2: update to 2.12.5
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5

Fixes: CVE-2024-25062
Signed-off-by: Nick Hainke <vincent@systemli.org>
2024-02-13 12:34:56 +01:00
Nick Hainke
8456e84891 zlib: update to 1.3.1
Release Notes:
https://github.com/madler/zlib/releases/tag/v1.3.1

Refresh patch:
- 004-attach-sourcefiles-in-patch-002-to-buildsystem.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2024-02-02 17:26:29 +01:00
Ivan Pavlov
44cd90c49a openssl: update to 3.0.13
Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]

  * Fixed PKCS12 Decoding crashes
    ([CVE-2024-0727])
  * Fixed Excessive time spent checking invalid RSA public keys
    ([CVE-2023-6237])
  * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
    CPUs which support PowerISA 2.07
    ([CVE-2023-6129])
  * Fix excessive time spent in DH check / generation with large Q parameter
    value ([CVE-2023-5678])

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2024-02-02 08:46:52 +03:00
Nick Hainke
097f0f035e libbsd: update to 0.11.8
Changelog:
edddd80 Release libbsd 0.11.8
dd0bdb5 test: Close all descriptors before initializing them for closefrom()
0813f37 build: Check out-of-tree builds in CI
df116b5 Adjust strlcpy() and strlcat() per glibc adoption
ecb44e1 Do not add a pointer to the NULL constant
459b7f7 Do not confuse code analyzers with out-of-bounds array access look alike
a44f885 test: Fix short-lived memory leak
3f5ca0a build: Add a coverage regex to the CI job
9d3e59a man: Use VARIANTS instead of ALTERNATIVES in libbsd(7)
f02562d man: Markup function references with Xr instead of Fn
b7367c9 build: Add missing dash to macro title bar
6777eb6 pwcache: Do not declare uidtb and gidtb when not used
d4e0cdc fgetln: Include <stdio.h> after <sys/*>
f41d6c1 build: Refactor GNU .init_array support check into a new m4 function
30b48ed build: Refactor linker script detection into a new m4 function
d0d8d01 build: Do not provide prototypes for arc4random() on Solaris
cf61ebb build: Do not build the progname module if it is not needed
73b25a8 build: Sort entries alphabetically
5434ba1 build: Conditionalize wcslcpy() and wcslcat() functions on macOS
dc1bd1a build: Conditionalize only id-from-name functions not the entire pwcache
edc746e build: Conditionalize getprogname()/setprogname on macOS
8f998d1 progname: Include <procinfo.h> if available
d08163b build: Check whether we need libperfstat on AIX
1186cf8 build: Annotate droppable functions for musl on next SOVERSION bump
6385ccc build: Conditionalize bsd_getopt() on macOS
c120681 Move the version script comments before the symbols
9fa0676 Port getprogname() to AIX
92337b1 Make getprogname() porting mandatory
90b7f3a test: Do not use /dev/null as compiler output file
426bf45 build: Add generated *.sym files to .gitignore
21d12b0 build: On macOS do not build functions provided by the system
bc65806 build: Select whether to include funopen() in the build system
8b7a4d9 build: Move Windows OS detection to the OS features section
ccbfd1c build: Remove __MUSL__ definition from configure
e0976d7 build: Add a new libbsd_strong_alias() macro and switch users to it
49c7dd1 build: Only emit link warnings for ELF objects
8622767 build: Use an export symbols file if there is no version script support
8f61036 build: Add -no-undefined libtool flag
ae7942b build: Do not override the default DEPENDENCIES for libbsd
a5faf17 Only use <stdio_ext.h> if present
06e8a1b Define _NSIG if it is not defined by the system
44824ac Declare environ if the system does not do so
1fb6c3f Use lockf() when flock() is not available
fe16f38 test: Use open_memstream() only if available
7c652a9 test: Do not hardcode root:root user and group names
ed2eb31 test: Fix closefrom() test on macOS
0f8bcdf test: Fix closefrom() test to handle open file descriptor limits
07192b3 test: Disable blank_stack_side_effects() on non-Hurd systems
ca3db5e build: Do not enable ASAN for musl CI pipelines
ff46386 man: Add HISTORY section to arc4random(3bsd)
4c6da57 man: Switch arc4random(3bsd) man page from OpenBSD to NetBSD
830dd88 doc: Remove written-by attribution
257800a build: Add support for sanitizer compiler flags
536a7d4 test: Exempt blank_stack_side_effects() from sanitizer checks
7ed5de0 test: Import explicit_bzero() sanitizer support changes from OpenBSD
05a802a test: Fix memory leaks in fpurge test
5962e03 man: Fix BSD and glibc versions
59a21c7 man: Update STANDARDS and HISTORY sections
7b4ebd6 include: Adjust closefrom() per glibc adoption
0dfbe76 build: Switch to debian:latest Docker image
dec783d build: Fix version script linker support detection
fe21244 include: Use __has_builtin to detect __builtin_offsetof support
ec88b7b funopen: Replace off64_t with off_t in funopen_seek()
2337719 man: Prune unneeded <sys/types.h> include in setproctitle(3)
5dea9da build: Improve C99 compatibility of __progname configure check
b9bf42d build: Enable -Wall for automake
e57c078 build: Add missing AM_PROG_AR macro call to configure.ac
80f1927 build: Fix configure.ac indentation
b7a8bc2 build: Require automake 1.11
e508962 build: Do not require funopen() to be ported
00b538f build: Terminate lists in variables with «# EOL»
5cfa39e build: Use «yes» instead of «true» for AC_CHECK_FUNCS cache value

Signed-off-by: Nick Hainke <vincent@systemli.org>
2024-01-30 10:39:21 +01:00
orangepizza
920414ca88
mbedtls: security bump to version 2.28.7
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for following security issues:

* Timing side channel in private key RSA operations (CVE-2024-23170)

  Mbed TLS is vulnerable to a timing side channel in private key RSA
  operations. This side channel could be sufficient for an attacker to
  recover the plaintext. A local attacker or a remote attacker who is
  close to the victim on the network might have precise enough timing
  measurements to exploit this. It requires the attacker to send a large
  number of messages for decryption.

* Buffer overflow in mbedtls_x509_set_extension() (CVE-2024-23775)

  When writing x509 extensions we failed to validate inputs passed in to
  mbedtls_x509_set_extension(), which could result in an integer overflow,
  causing a zero-length buffer to be allocated to hold the extension. The
  extension would then be copied into the buffer, causing a heap buffer
  overflow.

Fixes: CVE-2024-23170, CVE-2024-23775
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
Signed-off-by: orangepizza <tjtncks@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [formal fixes]
2024-01-29 09:28:41 +00:00