Backport upstream patch to have reproducible FAT signatures.
This should enable reproducibility for x86 EFI images.
Signed-off-by: Paul Spooren <mail@aparcar.org>
List of changes since previous release from 2018 is quite long:
* Fix crc32.c to compile local functions only if used.
* Check for cc masquerading as gcc or clang in configure.
* Remove destructive aspects of make distclean.
* Separate out address sanitizing from warnings in configure.
* Eliminate use of ULL constants.
* Add fallthrough comments for gcc.
* Clean up minizip to reduce warnings for testing.
* Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
* minizip warning fix if MAXU32 already defined. (gvollant)
* Replace black/white with allow/block. (theresa-m)
* Fix indentation in minizip's zip.c.
* Improve portability of contrib/minizip.
* Correct typo in blast.c.
* Change macro name in inflate.c to avoid collision in VxWorks.
* Clarify gz* function interfaces, referring to parameter names.
* Fix error in comment on the polynomial representation of a byte.
* Fix memory leak on error in gzlog.c.
* Avoid adding empty gzip member after gzflush with Z_FINISH.
* Explicitly note that the 32-bit check values are 32 bits.
* Use ARM crc32 instructions if the ARM architecture has them.
* Add use of the ARMv8 crc32 instructions when requested.
* Correct comment in crc32.c.
* Don't bother computing check value after successful inflateSync().
* Use atomic test and set, if available, for dynamic CRC tables.
* Speed up software CRC-32 computation by a factor of 1.5 to 3.
* Add crc32_combine_gen() and crc32_combine_op() for fast combines.
* Add tables for crc32_combine(), to speed it up by a factor of 200.
* Fix the zran.c example to work on a multiple-member gzip file.
* Add gznorm.c example, which normalizes gzip files.
* Show all the codes for the maximum tables size in enough.c.
* Clarify that prefix codes are counted in enough.c.
* Use inline function instead of macro for index in enough.c.
* Clean up code style in enough.c, update version.
* Use a macro for the printf format of big_t in enough.c.
* Use a structure to make globals in enough.c evident.
* Assure that the number of bits for deflatePrime() is valid.
* Fix a bug that can crash deflate on some input when using Z_FIXED.
* Correct the initialization requirements for deflateInit2().
* Emphasize the need to continue decompressing gzip members.
* Add legal disclaimer to README.
* Fix deflateEnd() to not report an error at start of raw deflate.
* Remove old assembler code in which bugs have manifested.
* Make the names in functions declarations identical to definitions.
* Avoid an undefined behavior of memcpy() in _tr_stored_block().
* Avoid undefined behaviors of memcpy() in gz*printf().
* Avoid an undefined behavior of memcpy() in gzappend().
* Avoid the use of ptrdiff_t.
* Handle case where inflateSync used when header never processed.
* Don't compute check value for raw inflate if asked to validate.
* Add address checking in clang to -w option of configure.
* Return an error if the gzputs string length can't fit in an int.
* Small speedup to inflate [psumbera].
* Update use of errno for newer Windows CE versions.
* Avoid some conversion warnings in gzread.c and gzwrite.c.
* Have Makefile return non-zero error code on test failure.
* Avoid a conversion error in gzseek when off_t type too small.
* Fix CLEAR_HASH macro to be usable as a single statement.
* Fix bug when window full in deflate_stored().
* Limit hash table inserts after switch from stored deflate.
* Permit a deflateParams() parameter change as soon as possible.
* Cygwin does not have _wopen(), so do not create gzopen_w() there.
Removed 006-fix-compressor-crash-on-certain-inputs.patch which was
hotfix for CVE-2018-25032 and is now included in this release.
This release is not available on @SF (yet?) so the sources are now
pulled from GitHub.
Fixes: CVE-2018-25032
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.
Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.
Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Zip always try to generate new encryption header depending on execution
time and process id, which is far from being reproducible. This commit
changes the zip srand() seed to a predictable value to generate
reproducible random bytes for the encryption header. This will compromise
the goal of secure archive encryption, but it would not be a big problem
for our purpose.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Remove "--mtime" option introduced in commit 18c9faa032 ("tools: zip:
add option for reproducible archives") and instead fetch SOURCE_DATE_EPOCH
environment variable directly in the code.
Ref: https://sourceforge.net/p/infozip/patches/25/
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt
```
It includes the following security fix
* In some situations the X.509 verifier would discard an error on an
unverified certificate chain, resulting in an authentication bypass.
Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Remove macOS stuff. Upstream has fixed it in the same way.
Add SOL_TCP define. Taken from elsewhere in the code.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to CMake for faster compilation and greater parallel
friendliness.
Added CMake options from the packages feed.
This release fixes various CVEs.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to building with meson as it's faster and does not need a
dependency on cmake, which takes a long time to build.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Refresh 2to3 patch. Upstream partially did this against some older
python version. This is still needed.
Refreshed other patches to be python3 safe.
Remove uClibc patches as only musl is present now.
Refresh others.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
706e9cc tplink-safeloader: support for Archer A6 v3 JP
497726b firmware-utils: support checksum for AVM fritzbox wasp SOCs
2ca6462 iptime-crc32: add support for AX8004M
57d0e31 tplink-safeloader: TP-Link EAP615-Wall v1 support
8a8da19 tplink-safeloader: add TL-WPA8631P v3 support
eea4ee7 tplink-safeloader: add TP-Link Archer A9 v6 support
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
- Call pager with original LANG environment variable
- Consistently complain early if no series file is found
- Fix handling of symbolic links by several commands
- Tighten the patch format parsing
- Reuse the shell (performance)
- Document the series file format further
- Document that quilt loads /etc/quilt.quiltrc
- configure: Make stat configurable
- series: Minor optimizations
- setup: Don't obey the settings of any englobing .pc
- setup: Default to fast mode
- quilt.el: Fix documentation of quilt-pc-directory
- quilt.el: Load /etc/quilt.quiltrc if ~/.quiltrc doesn't exist
- quilt.el: Fix quilt-editable when QUILT_PATCHES_PREFIX is set
Refresh patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add changelog]
Signed-off-by: Paul Spooren <mail@aparcar.org>
Makes sure that Ninja from staging_dir is used and nowhere else.
Reported by reproducible builds project. Builds have been failing ever
since tools/cmake started using Ninja.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to building with meson as it's faster and does not need a
dependency on cmake, which takes a long time to build.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Changelog:
backend_startup_project
Add a man page backend to refman
extract_objects() supports generated sources
Python 3.6 support will be dropped in the next release
Warning if check kwarg of run_command is missing
meson rewrite can modify extra_files
meson rewrite target <target> info outputs target's extra_files
Visual Studio 2022 backend
Support for CMake <3.14 is now deprecated for CMake subprojects
Added support for sccache
install_symlink function
Signed-off-by: Rosen Penev <rosenp@gmail.com>
0c15cad iptime-naspkg: add image header tool for ipTIME NAS series
872c87c iptime-crc32: add image header tool for new ipTIME models
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
6c95945 ptgen: add Chromium OS kernel partition support
8e7274e cros-vbutil: add Chrome OS vboot kernel-signing utility
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
On macOS, system binaries silently drop the environment variables for injecting
extra shared libraries (used by fakeroot). This is done for security reasons.
Work around this by building bash from source, so that it gets an ad-hoc signature
and does not have these restrictions
Signed-off-by: Felix Fietkau <nbd@nbd.name>
On ARM macOS, injecting extra shared libraries does not work for system
binaries. This causes fakeroot to fail for chown calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Changelog:
- upstream now needs OpenSSL in order to be able to sign FITs. See:
commit cb9faa6f98ae ("tools: Use a single target-independent config to enable OpenSSL")
- removes upstream patches.
Link: cb9faa6f98
Tested-by: Sergey V. Lobanov <sergey@lobanov.in>
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Fixed -no-pie compilation warning on MacOS
Fixed errors related to using absolute addressing on MacOS arm64
Based on upstream patch from Jessica Clarke and suggestions from Ronny Kotzschmar
Link to original patch and discussion:
3b142045e8
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
change meson binary to use py extension. Fixes issue with meson's
symbolextractor using the host python instead of the system one.
We intentionally use a .py extension here so that meson launches
additional python scripts with the same build host python interpreter as
itself is running under (and not the host package one once it becomes
available)
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Added patch for MacOS without 32 bit inodes support
(__DARWIN_ONLY_64_BIT_INO_T is true)
This patch based on discussion https://github.com/archmac/bootstrap/issues/4
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
The llvm-bpf-$version.tar.xz might be absent. For example `make clean` executed, CONFIG_TARGET changed.
This commit can only guarantee that the target file can be built when tools/compile is explicitly called rather than $(tools/stamp-compile).
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
A define dealing with builtin type is wrong. A gnulib update fixes
this, but that requires a new cpio version.
Refresh other patch.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Remove the then unnecessary patch doing exactly that individually.
See also 09465d80 "u-boot.mk: always link host libraries static".
Signed-off-by: Andre Heider <a.heider@gmail.com>
This can be used for adding the toolchain to an existing tree without having
to build it from scratch.
Enable building the toolchain + tarball by default on buildbot
Signed-off-by: Felix Fietkau <nbd@nbd.name>
7073760 ramips: add support for TP-Link RE305 v3
86739f2 Add more missing include for byte swap operations
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
isl.gforge.inria.fr has been dead since early this month [1]. Switch to
libisl.sourceforge.io for the time being.
[1] https://groups.google.com/g/isl-development/c/JGaMo2VUu_8
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
For some reason, the generated configure script fails to properly set up
the internal preprocessor command variable, causing the host OS check for
Darwin to fail after the last update.
Explicitly setting CPP fixes this issue
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Update install procedure based on upstream feedback. Normally, meson is
to be installed with pip. But as pip is not mandated by the build
system, it cannot be used. Upstream provides a nice script to pack meson
automatically.
Moved src/ to files/. No need to copy to BUILD_DIR.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
f9ad6b3 Add more missing includes for byte swap operations
Basically stop it exploding on MacOS
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Includes following changes:
db65821f006c cmake: fix missing install target
3a0cfc856991 Add initial GitLab CI support
8f47adea6f87 Add missing includes for byte swap operations
fbafae9f8037 Convert to CMake based project
Additionaly moves source code into separate Git project repository and
converts the package build to utilize CMake.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[rmilecki: rebase, update to the latest repo git & rm -r src]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
TP-Link CPE710-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on the AP152 reference board
Specifications:
- SoC: QCA9563-AL3A MIPS 74kc @ 775MHz, AHB @ 258MHz
- RAM: 128MiB DDR2 @ 650MHz
- Flash: 16MiB SPI NOR Based on the GD25Q128
- Wi-Fi 5Ghz: ath10k chip (802.11ac for up to 867Mbps on 5GHz wireless
data rate) Based on the QCA9896
- Ethernet: one 1GbE port
- 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal
reflector
- Power, LAN, WLAN5G Blue LEDs
- 3x Blue LEDs
Flashing instructions:
Flash factory image through stock firmware WEB UI or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 30-40 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP address:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[convert to nvmem, fix MAC assignment in 11-ath10k-caldata]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Add additional header information required for newer
bootloaders found on DIR-2660-A1 & A2.
Also remove the MTD splitter compatible from the second firmware
partition, as OpenWrt only supports handling of the first one.
Signed-off-by: Alan Luck <luckyhome2008@gmail.com>
[rephrase commit message, remove removal of read-only flags]
Signed-off-by: David Bauer <mail@david-bauer.net>
This breaks the package builds using the SDK.
The targets all build fine, but the package builder fails on many
packages. The package builder uses the OpenWrt SDK.
This reverts commit c377d874be.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This updates libtool to its current release, from 2015. Current patches
were renumbered and given a description text. The fix in
160-passthrough-ssp.patch is no longer needed.
A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to acommodate
our "SHELL=/usr/bin/env bash" usage.
The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources. Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
meson is a next generation build system designed to have good defaults,
simpler build files, and fast compilation.
It is built upon python and uses ninja for compilation. The latter
provides fast by default (parallel) and problem free compilation.
There are over 40 packages already successfully using meson. The next
commit will convert pkgconf to use meson compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
ccaaab1c04 says that this is in the
codebase because of libsigc++, which is not in the codebase anymore.
Neither in base nor in packages. It doesn't seem to be needed by
anything else either. GNOME packages have transitioned to using meson,
which does not use m4 files.
Tested local compile with CONFIG_ALL. No problems seen.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Starting with v3 of the vendor firmware for the TP-Link EAP235-Wall v1,
downgrades to firmware versions below v3 as not allowed. Since OpenWrt
uses version 0.0.0 as a default, this causes the factory install to fail
on devices with a recent firmware. This failure is associated by the
following message on the device's serial console:
EAP235/230-Wall forbid fw reverted from 3.x.x to lower version!
Vendor firmware (v3) also uses build and release numbers to compare
images, so identical version numbers are very unlikely to cause issues.
Bump the firmware version to 3.0.0 to ensure users can install OpenWrt
on their devices.
Reported-by: Colton Conor <colton.conor@gmail.com>
Tested-by: Colton Conor <colton.conor@gmail.com>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Some devices using the safeloader firmware format require a minimum or
specific version to be set in the soft-version metadata partition.
Currently only custom text values can be provided, but not all device
firmware support this format.
Modify the device info struct to allow for more well-defined types of
soft-version overwrites, and provide a few macros for easy value
initialisation. Requires all existing values to be updated to match the
new structure.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
[Adapt TL-WA1201-V2 entry too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The structured soft-version partition has a field which contains a
(source) revision number. Factory images used to include this, but
it was accidentaly removed during an earlier refactoring.
Include the source revision number again in the generated soft-version
partition. Additionaly, also show this revision number when printing
image info.
Fixes: 1a211af2cb ("firmware-utils: tplink-safeloader: refactor meta-partition generation")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
This was missed because scancode license scanner was confused by a
slightly different than expected license text (96,75% license score).
License text included "file" instead of "library" in the main part of
the licensing info. It also used "The GNU C Library" instead of the
standard "This library" in 2nd and 3rd paragraphs.
The first paragraph clearly mentions LGPL-2.1-or-later and the use of
"file" instead of "library" should not affect licensing.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This device is a wireless access point working on the 2.4 GHz and 5 GHz
band, based on Qualcomm/Atheros QCA9563 + QCA9886.
Specification
- 775 MHz CPU
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- QCA9563: 2.4 GHz 3x3
- QCA9886: 5 GHz
- AR8033: 1x 1 Gbs Ethernet
- 4x LED, WPS factory reset and power button
- bare UART on PCB (accessible through testpoints)
Methods for Flashing:
- Apply factory image in OEM firmware web-gui. Wait a minute after the
progress bar completes and restart the device.
- Sysupgrade on top of existing OpenWRT image
- Solder wires onto UART testpoints and attach a terminal.
Boot the device and press enter to enter u-boot's menu. Then issue the
following commands
1. setenv serverip your-server-ip
setenv ipaddr your-device-ip
2. tftp 0x80060000 openwrt-squashfs.bin (Rembember output of size in
hex, henceforth "sizeinhex")
3. erase 0x9f030000 +"sizeinhex"
4. cp.b 0x80060000 0x9f030000 0x"sizeinhex"
5. reboot
Recover:
- U-boot serial console
Signed-off-by: Robert Balas <balasr@iis.ee.ethz.ch>
[convert to nvmem]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>