aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* wolfssl: bump to 5.2.0Eneas U de Queiroz2022-04-114-9/+7
| | | | | | | | | | | | | | | | | Fixes two high-severity vulnerabilities: - CVE-2022-25640: A TLS v1.3 server who requires mutual authentication can be bypassed. If a malicious client does not send the certificate_verify message a client can connect without presenting a certificate even if the server requires one. - CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS v1.3 server can have its certificate heck bypassed. If the sig_algo in the certificate_verify message is different than the certificate message checking may be bypassed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit e89f3e85eb1c1d81294e5d430a91b0ba625e2ec0)
* zlib: backport security fix for a reproducible crash in compressorPetr Štetiar2022-03-242-1/+344
| | | | | | | | | | | | | | | | Tavis has just reported, that he was recently trying to track down a reproducible crash in a compressor. Believe it or not, it really was a bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs. Tavis has reported it upstream, but it turns out the issue has been public since 2018, but the patch never made it into a release. As far as he knows, nobody ever assigned it a CVE. Suggested-by: Tavis Ormandy <taviso@gmail.com> References: https://www.openwall.com/lists/oss-security/2022/03/24/1 Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit b3aa2909a79aeff20d594160b207a89dc807c033) (cherry picked from commit 3965dda0fa70dc9408f1a2e55a3ddefde78bd50e)
* openssl: bump to 1.1.1nMartin Schiller2022-03-161-2/+2
| | | | | | | | | | | | | | This is a bugfix release. Changelog: *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli. (CVE-2022-0778) *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. Signed-off-by: Martin Schiller <ms@dev.tdt.de> (cherry picked from commit e17c6ee62770005e398364ee5d955c9a8ab6f016)
* wolfssl: fix API breakage of SSL_get_verify_resultPetr Štetiar2022-02-221-0/+26
| | | | | | | | | | | | | | | | | | | Backport fix for API breakage of SSL_get_verify_result() introduced in v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return X509_V_OK when used on LE powered sites or other sites utilizing relaxed/alternative cert chain validation feature. After an update to v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA error and thus rendered all such connection attempts imposible: $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org" Downloading 'https://letsencrypt.org' Connecting to 18.159.128.50:443 Connection error: Invalid SSL certificate Fixes: #9283 References: https://github.com/wolfSSL/wolfssl/issues/4879 Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit b9251e3b407592f3114e739231088c3d27663c4c)
* wolfssl: update to 5.1.1-stableSergey V. Lobanov2022-02-135-144/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump from 4.8.1-stable to 5.1.1-stable Detailed release notes: https://github.com/wolfSSL/wolfssl/releases Upstreamed patches: 001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch - https://github.com/wolfSSL/wolfssl/commit/fa8f23284d4689c2a737204b337b58d966dcbd8c 002-Update-macro-guard-on-SHA256-transform-call.patch - https://github.com/wolfSSL/wolfssl/commit/f447e4c1fa4c932c0286fa0331966756e243db81 Refreshed patches: 100-disable-hardening-check.patch 200-ecc-rng.patch CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains configure option The size of the ipk changed on aarch64 like this: 491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk 520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk Tested-by: Alozxy <alozxy@users.noreply.github.com> Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com> Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in> (cherry picked from commit 93d91197b98463277b601ec2653351666a4ca4bd)
* libs/wolfssl: add SAN (Subject Alternative Name) supportSergey V. Lobanov2022-02-122-2/+8
| | | | | | | | | | x509v3 SAN extension is required to generate a certificate compatible with chromium-based web browsers (version >58) It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in> (cherry picked from commit dfd695f4b9f364a7c7db646d2cada10fdf304f02)
* wolfssl: enable ECC Curve 25519 by defaultStan Grishin2022-02-121-1/+1
| | | | | | | | * fixes https://github.com/openwrt/packages/issues/16652 see https://github.com/openwrt/packages/issues/16674#issuecomment-934983898 Signed-off-by: Stan Grishin <stangri@melmac.net> (cherry picked from commit 05a7af9ca0dd9c42eafbca5aa988b141e0e06053)
* ustream-ssl: update to Git version 2022-01-16Hauke Mehrtens2022-02-121-4/+4
| | | | | | | 868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit e74529552cf8fa16bd40b3db9d5cc82a913a49b4)
* mbedtls: Update to version 2.16.12Hauke Mehrtens2022-02-121-2/+2
| | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection. * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice. CVE-2021-44732 The sizes of the ipk changed on MIPS 24Kc like this: 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 57f38e2c827e3be71d8b1709073e366afe011985)
* ustream-ssl: variants conflict with each otherKarel Kočí2022-01-161-1/+3
| | | | | | | | | This adds conflicts between variants of libustream pacakge. They provide the same file and thus it should not be possible to install them side by side. Signed-off-by: Karel Kočí <karel.koci@nic.cz> (cherry picked from commit 219e17a35088a90eea664fbb4c66549d701a3cb4)
* openssl: bump to 1.1.1mEneas U de Queiroz2022-01-032-3/+3
| | | | | | | | | | | | | | This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit def9565be632b316c82ffc5a7b28c789e9df75b4)
* tcpdump: libpcap: Remove http://www.us.tcpdump.org mirrorHauke Mehrtens2021-12-291-2/+1
| | | | | | | | | | | The http://www.us.tcpdump.org mirror will go offline soon, only use the normal download URL. Reported-by: Denis Ovsienko <denis@ovsienko.info> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 18bdfc803bef00fad03f90b73b6e65c3c79cb397) Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [rebased for OpenWrt 21.02 branch]
* libpcap: add rpcapd as packageStephan Schmidtmer2021-11-051-1/+20
| | | | | | | | | | | | | | This enables building of rpcapd and adds it as a package. It is a daemon that allows remote packet capturing from another machine. E.g. Wireshark can talk to it using the Remote Capture Protocol (RPCAP). https://www.tcpdump.org/manpages/rpcapd.8.html Compile and run tested: OpenWrt 21.02.0-rc4 r16256-2d5ee43dc6 on x86/64 and mvebu/cortexa9 Signed-off-by: Stephan Schmidtmer <hurz@gmx.org> (cherry picked from commit 891c8676a1602d31adf3ab9f913664ae0d3b4029)
* wolfssl: fix compile when enable-devcrypto is setIvan Pavlov2021-10-231-0/+22
| | | | | | | | fixing linking error when --enable-devcrypto=yes fixes: 7d92bb050961 wolfssl: update to 4.8.1-stable Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit be3e260f92643a841f4f83b03cbb07b9a26cff66)
* wolfssl: remove --enable-sha512 configure switchAndre Heider2021-10-231-2/+2
| | | | | | | | | | | It's the default anyway and this just looks confusing, as if it wasn't. Switch to AUTORELEASE while at it. The binary size is unchanged. Signed-off-by: Andre Heider <a.heider@gmail.com> (cherry picked from commit 7cb5af30f48d6788cd471138820a772610a7f8e0)
* wolfssl: always build with --enable-reproducible-buildAndre Heider2021-10-231-0/+1
| | | | | | | | | | | | This gates out anything that might introduce semantically frivolous jitter, maximizing chance of identical object files. The binary size shrinks by 8kb: 1244352 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f Signed-off-by: Andre Heider <a.heider@gmail.com> (cherry picked from commit c76300707e8d705d9efc7ed4bb1b7449d0a5fe00)
* wolfssl: update to 4.8.1-stableIvan Pavlov2021-10-225-18/+24
| | | | | | | | | | | | | | Changes from 4.7.0: Fix one high (OCSP verification issue) and two low vulnerabilities Improve compatibility layer Other improvements and fixes For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit 7d92bb0509615550b98e2dc71091073c8258d564) [Added patch to allow compilation with libtool 2.4] Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: fix build with GCC 10 on 32 x86 targetsStijn Tintel2021-10-221-0/+123
| | | | | | | Backport upstream patch to fix build with GCC 10 on 32 x86 targets. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit 718a4f47806da8f68cb8f1fe2ebecf403e14ae96)
* ncurses: add tmux terminfoJitao Lu2021-10-211-1/+3
| | | | | | | | | | | They're preferred terminal descriptions for tmux, with additional support to some special characters and italic fonts. More info can be found at: https://github.com/tmux/tmux/wiki/FAQ Fixes: FS#3404 Signed-off-by: Jitao Lu <dianlujitao@gmail.com> (cherry picked from commit 917126ff4cfb1ea4795cfc93820ed5d304b084c3)
* ncurses: add screen-256color terminfoPaul Spooren2021-10-211-1/+2
| | | | | | | | The terminfo is required by the popular terminal multiplexer screen and tmux, offer it by default as the size impact is minimal with 885 Bytes. Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit 6a6b5a677e8c245f6c82ad40cc718e614aa9f7a1)
* ncurses: split long line of supported terminfoPaul Spooren2021-10-211-1/+12
| | | | | | | | The terminfo files were all in one row which is terrible to read. Split them over multiple lines to improve readability. Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit 75ea474b9002c758e9a23023f7636258a467704c)
* wolfssl: bump PKG_RELEASEDavid Bauer2021-10-191-1/+1
| | | | | | Fixes commit 4b212b1306a9 ("wolfssl: build with WOLFSSL_ALT_CERT_CHAINS") Signed-off-by: David Bauer <mail@david-bauer.net>
* wolfssl: build with WOLFSSL_ALT_CERT_CHAINSAndre Heider2021-10-171-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | "Alternate certification chains, as oppossed to requiring full chain validataion. Certificate validation behavior is relaxed, similar to openssl and browsers. Only the peer certificate must validate to a trusted certificate. Without this, all certificates sent by a peer must be used in the trust chain or the connection will be rejected." This fixes e.g. uclient-fetch and curl connecting to servers using a Let's Encrypt certificate which are cross-signed by the now expired DST Root CA X3, see [0]. This is the recommended solution from upstream [1]. The binary size increases by ~12.3kb: 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f [0] https://github.com/openwrt/packages/issues/16674 [1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793 Signed-off-by: Andre Heider <a.heider@gmail.com> [bump PKG_RELEASE] Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3)
* openssl: bump to 1.1.1lEneas U de Queiroz2021-08-282-5/+4
| | | | | | | | | | | | This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 7119fd32d397567931e63dbbf72014e95624018f)
* mbedtls: update to 2.16.11Rosen Penev2021-08-081-3/+3
| | | | | | | | | | Switched to AUTORELEASE to avoid manual increments. Release notes: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11 Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit fcfd741eb83520e496eb09de5f8b2f2b62792a80)
* treewide: unmark selected packages nonsharedPetr Štetiar2021-07-023-5/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This partially reverts changes done in commit 72cc44958ef4 ("treewide: mark selected packages nonshared") as it removes the nonshared flag, but keeps the PKG_RELEASE as the PKG_RELEASE bump while adding nonshared flag was incorrect. Unmark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared packages as this fix attempt didn't worked out. Currently the imagebuilder is broken again: openwrt-imagebuilder-21.02.0-rc3-ipq40xx-generic.Linux-x86_64$ make image PROFILE=avm_fritzbox-7530 PACKAGES=luci-ssl-openssl ... Collected errors: * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for luci-mod-status * pkg_hash_fetch_best_installation_candidate: Packages for luci-mod-status found, but incompatible with the architectures configured * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for rpcd-mod-iwinfo * pkg_hash_fetch_best_installation_candidate: Packages for rpcd-mod-iwinfo found, but incompatible with the architectures configured * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-ssl-openssl: * libiwinfo20210430 * opkg_install_cmd: Cannot install package luci-ssl-openssl. Everything because iwinfo's ABI was changed two times since rc3 release: +IWINFO_ABI_VERSION:=20210430 +IWINFO_ABI_VERSION:=20210420 Since iwinfo is marked as nonshared, it wasn't built by phase2 builders, but luci-mod-status was already updated 2 times since rc3 and was thus rebuilt by phase2 builders: d1d452ed2fb3 luci-mod-status: don't set '-' hostname when creating static lease 95b3633055c1 luci-mod-status: switch to html table for wlan channel analysis So now luci-mod-status depends on libiwinfo20210430 but only libiwinfo20210106 can be downloaded. This is first part of the fix, in the upcoming commit Jo is going to remove nonshared flag from iwinfo package as well. References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035736.html References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035741.html Acked-by: Jo-Philipp Wich <jo@mein.io> Reported-by: Nick Hainke <vincent@systemli.org> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 8307da3dbdaff13d5ce99f8aefa32f5b7a2e18e6)
* libusb: Fix parsing of descriptors for multi-configuration devicesGeorgi Valkov2021-06-263-1/+91
| | | | | | | | | | | | | | | | Prerequisite patch: Correct a typo in the Changelog and clean up a stray file Fix changes in libusb which introduced a regression: Commit e2be556bd2 ("linux_usbfs: Parse config descriptors during device initialization") introduced a regression for devices with multiple configurations. The logic that verifies the reported length of the configuration descriptors failed to count the length of the configuration descriptor itself and would truncate the actual length by 9 bytes, leading to a parsing error for subsequent descriptors. Signed-off-by: Georgi Valkov <gvalkov@abv.bg> (cherry picked from commit 4b37e3bc2b2a079c996b6d97b8d3dbbd4ba6eb62)
* wolfssl: always export wc_ecc_set_rngDavid Bauer2021-06-212-1/+51
| | | | | | | | | | | | | | | | Since commit 6467de5a8840 ("Randomize z ordinates in scalar mult when timing resistant") wolfssl requires a RNG for an EC key when the hardened built option is selected. wc_ecc_set_rng is only available when built hardened, so there is no safe way to install the RNG to the key regardless whether or not wolfssl is compiled hardened. Always export wc_ecc_set_rng so tools such as hostapd can install RNG regardless of the built settings for wolfssl. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit ef9b103107aebd1a54f4360af3d9cf28d0544f13)
* treewide: mark selected packages nonsharedHannu Nyman2021-06-143-3/+8
| | | | | | | | | | | | | | | | | | | | | Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared packages. This helps to keep coherent dependencies if these ABI versioned packages are later updated. Before this commit it is possible to get missing dependencies in target-specific nonshared packages (like iwinfo) that depend on these shared ABI versioned packages. If these are later updated and rebuilt, only the new ABI version will be available for download, while the target-specific packages in releases continue to depend on the old ABI version. After this commit the packages are built along the other nonshared packages by the phase1 images buildbot and will be available at the target/ download directories instead of packages/base dir. That will help to keep a coherent set available. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> (cherry picked from commit 72cc44958ef4e0df1a152178514c92899d6a957a)
* libubox: update to the latest versionFelix Fietkau2021-05-261-3/+3
| | | | | | | | | | | | | 870acee325fe tests: cram: test_base64: fix failing tests 4d8995e91d56 tests: cram: test_base64: really fix failing tests 551d75b5662c libubox: tests: add more blobmsg/json test cases a0dbcf8b8f96 tests: add blob-buffer overflow test b36a3a90098d blob: fix exceeding maximum buffer length b8abed749423 utils.h: add fallthrough macro b14c4688612c json_script: fix unannotated fall-through warning Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit 04d21604fd72f337c8a0410d13b3d878914b7e7e)
* libubox: update to git HEADDaniel Golle2021-05-261-3/+3
| | | | | | | 2e52c7e libubox: fix BLOBMSG_CAST_INT64 (do not override BLOBMSG_TYPE_DOUBLE) Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit c82cc4407adebd683593d8f0b71d10e694ff8804)
* uclient: update to Git version 2021-05-14Baptiste Jonglez2021-05-171-3/+3
| | | | | | | | | 6a6011d uclient-http: set eof mark when content-length is 0 19571e4 tests: fix help usage test for uclient built with sanitizer c5fc04b tests: fix help usage test Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> (cherry picked from commit 1ec6fc4dcba16045a6bfcc493bdbe892de1265a9)
* uclient: update to Git version 2021-04-03Hauke Mehrtens2021-05-171-3/+3
| | | | | | | | 83efca2 tests: fix possibly longer start of HTTP server 64e00d6 uclient-fetch: document missing options Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 1371910b76f021486810b18f371b3dc528d952ea)
* libnfnetlink: quote $(FPIC) on command linePhilip Prindeville2021-04-121-2/+2
| | | | | | | | | | | When $(FPIC) gets expanded on the command line (for instance when setting environment variables for libtool, configure, or make) we can't count on it not needing quoting (i.e. it could contain multiple flags separated with spaces). Fixes: dc31191ec3e5 ("build: make sure asm gets built with -DPIC") Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> (cherry picked from commit 7fae64cc065738b73a1dddc2fc28adde36c1ae3d)
* libunwind: Add MIPS64 dep checkDonald Hoskins2021-03-291-1/+1
| | | | | | | | | | | | libunwind dependency check does not allow for MIPS64 arch. Add MIPS64 awareness. libunwind seems to support MIPS64 without issues, it was limited by the dep arch check in the Makefile. Used to compile Suricata6/Rust locally without issue. Signed-off-by: Donald Hoskins <grommish@gmail.com> (cherry picked from commit ea6d4bdde20a3fecbfc44b99f53373e1d0666e34)
* openssl: bump to 1.1.1kEneas U de Queiroz2021-03-272-24/+23
| | | | | | | | | | | | | This version fixes 2 security vulnerabilities, among other changes: - CVE-2021-3450: problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag. - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 0bd0de7d43b3846ad0d7006294e1daaadfa7b532)
* mbedtls: update to 2.16.10Magnus Kroken2021-03-212-13/+13
| | | | | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues. Security fixes: * Fix a buffer overflow in mbedtls_mpi_sub_abs() * Fix an errorneous estimation for an internal buffer in mbedtls_pk_write_key_pem() * Fix a stack buffer overflow with mbedtls_net_poll() and mbedtls_net_recv_timeout() * Guard against strong local side channel attack against base64 tables by making access aceess to them use constant flow code Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10 Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit dbde2bcf60b5d5f54501a4b440f25fe7d02fbe5d)
* libsemanage: update to version 3.2Dominick Grift2021-03-151-3/+3
| | | | | | | | | | | | | | c35919a7 libsemanage: sync filesystem with sandbox 5b05e829 Revert "libsemanage/genhomedircon: check usepasswd" edae9275 libsemanage: Free contents of modkey in semanage_direct_remove ce46daab libsemanage/genhomedircon: check usepasswd 6ebb35d2 libsemanage: Bump libsemanage.so version c08b73d7 libsemanage: Drop deprecated functions b46406de libsemanage: Remove legacy and duplicate symbols Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> (cherry picked from commit 4670492ad72e54e0608ef5f92d7066c1c7fa8f45) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libselinux: update to version 3.2Dominick Grift2021-03-151-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 142826a3 libselinux: fix segfault in add_xattr_entry() 398d2cee libselinux: rename gettid() to something which never conflicts with the libc 8f0f0a28 selinux(8,5): Describe fcontext regular expressions 9cc6b5cf libselinux/getconlist: report failures 156dd0de libselinux: update getseuser e2dca5df libselinux: accept const fromcon in get_context API da4829d0 libselinux: Always close status page fd 45b15c22 selinux(8): explain that runtime disable is deprecated 3c16aaef selinux(8): mark up SELINUX values c2a58cc5 libselinux: LABEL_BACKEND_ANDROID add option to enable db0f2f38 libselinux: Add build option to disable X11 backend 4a142ac4 libsepol: Bump libsepol.so version d23342a9 libselinux: convert matchpathcon to selabel_lookup() 7ef5b185 libselinux: Change userspace AVC setenforce and policy load messages to audit format. f5d644c7 libselinux: Add additional log callback details in man page for auditing. 075f9cfe libselinux: Fix selabel_lookup() for the root dir. a4149e0e libselinux: Add new log callback levels for enforcing and policy load notices. a63f93d8 libselinux: initialize last_policyload in selinux_status_open() ef902db9 libselinux: safely access shared memory in selinux_status_updated() 9e4480b9 libselinux: Remove trailing slash on selabel_file lookups. 21fb5f20 libselinux: use full argument specifiers for security_check_context in man page e7abd802 libselinux: fix build order 05bdc031 libselinux: use kernel status page by default Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> (cherry picked from commit b1fc2b5b0be61d994d6a0429fd78331c0c57639a) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libsepol: update to version 3.2Dominick Grift2021-03-151-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | a9e0004f libsepol: invalidate the pointer to the policydb if policydb_init fails 6238e025 libsepol/cil: fix NULL pointer dereference in cil_fill_ipaddr b69d77bc libsepol/cil: handle SID without assigned context when writing policy.conf 0861c659 libsepol: Validate policydb values when reading binary policy 8f5409cf libsepol: Create function ebitmap_highest_set_bit() 0451adeb libsepol/cil: Destroy disabled optional blocks after pass is complete 32f8ed3d libsepol/cil: introduce intermediate cast to silence -Wvoid-pointer-to-enum-cast 4662bdc1 libsepol/cil: be more robust when encountering <src_info> 6b561058 libsepol/cil: fix NULL pointer dereference with empty macro argument 0d0e47c7 libsepol/cil: Fix integer overflow in the handling of hll line marks 1b36ace2 libsepol: include header files in source files when matching declarations 1f1fa9d4 libsepol: uniformize prototypes of sepol_mls_contains and sepol_mls_check 72a88d75 libsepol: remove unused files eba0ffee libsepol/cil: Fix heap-use-after-free when using optional blockinherit 1048f8d3 libsepol/cil: unlink blockinherit->block link when destroying a block b3202918 libsepol/cil: fix memory leak when a constraint expression is too deep f0d98f83 libsepol/cil: Fix heap-use-after-free in __class_reset_perm_values() 5d021d66 libsepol/cil: Update symtab nprim field when adding or removing datums 34bd9a9d libsepol: destroy filename_trans list properly bdf4e332 libsepol/cil: fix NULL pointer dereference when parsing an improper integer b7ea65f5 libsepol/cil: destroy perm_datums when __cil_resolve_perms fails 228c06d9 libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit a25d9104 libsepol/cil: constify some strings e2d01842 libsepol/cil: propagate failure of cil_fill_list() 6c8fca10 libsepol/cil: do not add a stack variable to a list 38a09b74 libsepol/cil: fix NULL pointer dereference when using an unused alias 3c357285 libsepol/cil: remove useless print statement 90809674 libsepol/cil: always destroy the lexer state d16a1e46 libsepol/cil: Use the macro FLAVOR() whenever possible 2aac859a libsepol/cil: Use the macro NODE() whenever possible d317b470 libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases() 9b9761cf libsepol/cil: Remove unused field from struct cil_args_resolve e257d4c7 libsepol/cil: Get rid of unnecessary check in cil_gen_node() ebba2b00 libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_* 89dab467 libsepol: free memory when realloc() fails 2d353bd5 libsepol/cil: Give error for more than one true or false block 4a142ac4 libsepol: Bump libsepol.so version 506c7b95 libsepol: Drop deprecated functions ae58e84b libsepol: Get rid of the old and duplicated symbols c97d63c6 libsepol: silence potential NULL pointer dereference warning 64387cb3 libsepol: drop confusing BUG_ON macro 521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1 a152653b libsepol/cil: Fix neverallow checking involving classmaps 734e4beb libsepol/cil: Validate conditional expressions before adding to binary policy 685f577a libsepol/cil: Validate constraint expressions before adding to binary policy 8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS 42ae834a libsepol,checkpolicy: optimize storage of filename transitions Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> (cherry picked from commit 2a1bdde0d05dd97aa58da546d15197409d481bb3) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* zlib: properly split patchesAdrian Schmutzler2021-02-254-502/+501
| | | | | | | | | | | This package had two patches (with two headers etc.) in one file, which would have quilt merging them during a refresh. Separate these patches into two files, as the original intent seems to be having them separate. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 221eefaf6b301043c491aab8815fcfa24e8a5583)
* openssl: update package sourcesDavid Bauer2021-02-241-3/+5
| | | | | | | | | | | | | OpenSSL downloads itself are distributed using Akamai CDN, so use these sources as the highest priority. Remove a stale mirror which seems to be offline for a longer time already. Add fallbacks to the old release path also for the mirrors. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 10e84bde369d7cfb60d6ac6ee5c7211474bd4179)
* wolfssl: fix Ed25519 typo in config promptChristian Lamparter2021-02-241-1/+1
| | | | | Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit 09e66112f1ea9f5838ce80533f3850523dc30230)
* wolfssl: bump to v4.7.0-stableEneas U de Queiroz2021-02-245-92/+4
| | | | | | | | | | | | | | | Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well. Three patches are no longer needed, and were removed; the one remaining was refreshed. This tool shows no ABI changes: https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d1dfb577f1c0d5b1f1fa35000c9ad7abdb7d10ed)
* openssl: bump to 1.1.1jEneas U de Queiroz2021-02-171-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes 4 security vulnerabilities/bugs: - CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support SSLv2, but the affected functions still exist. Considered just a bug. - CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. - CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. - Fixed SRP_Calc_client_key so that it runs in constant time. This could be exploited in a side channel attack to recover the password. The 3 CVEs above are currently awaiting analysis. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 482c9ff289c65480c8e7340e1740db24c62f91df)
* build: reorder more BuildPackages lines to deal with ABI_VERSIONFelix Fietkau2021-02-161-2/+3
| | | | | | | | After the ABI version rework, packages need to be declared in the order of their dependencies, so that dependent packages will use the right ABI version Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 75455b75a7ee)
* wolfssl: use libtool patch for PKG_ABI_VERSIONFelix Fietkau2021-02-151-1/+1
| | | | | | Makes it unnecessary to patch .so files after build Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libubox: use build system variable to specify ABI versionFelix Fietkau2021-02-151-4/+5
| | | | | | This removes the need to patch it afterwards Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wolfssl: use dynamic ABI_VERSION depending on the configuration and package ↵Felix Fietkau2021-02-151-1/+3
| | | | | | version Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libubox: use PKG_ABI_VERSIONFelix Fietkau2021-02-151-1/+4
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>