1. 28 May, 2017 1 commit
  2. 27 May, 2017 6 commits
  3. 26 May, 2017 2 commits
  4. 25 May, 2017 3 commits
  5. 24 May, 2017 1 commit
  6. 23 May, 2017 3 commits
  7. 22 May, 2017 3 commits
  8. 21 May, 2017 6 commits
    • Peter Korsgaard's avatar
      libminiupnpc: add upstream security fix for CVE-2017-8798 · a0c4cf0f
      Peter Korsgaard authored
      CVE-2017-8798: Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221
      through v2.0 allows remote attackers to cause a denial of service or
      possibly have unspecified other impact.
      
      For more details including a PoC, see:
      https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798
      
      
      
      Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
      a0c4cf0f
    • Ryan Coe's avatar
      mariadb: security bump to version 10.1.23 · e6213e8e
      Ryan Coe authored
      Fixes:
      
      CVE-2017-3302 - Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and
      5.7.x before 5.7.5 and MariaDB through 5.5.54, 10.0.x through 10.0.29,
      10.1.x through 10.1.21, and 10.2.x through 10.2.3.
      
      CVE-2017-3313 - Vulnerability in the MySQL Server component of Oracle MySQL
      (subcomponent: Server: MyISAM). Supported versions that are affected are
      5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to
      exploit vulnerability allows low privileged attacker with logon to the
      infrastructure where MySQL Server executes to compromise MySQL Server.
      Successful attacks of this vulnerability can result in unauthorized access
      to critical data or complete access to all MySQL Server accessible data.
      
      CVE-2017-3308 - Vulnerability in the MySQL Server component of Oracle MySQL
      (subcomponent: Server: DML). Supported versions that are affected are 5.5.54
      and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable"
      vulnerability allows low privileged attacker with network access via
      multiple protocols to compromise MySQL Server. While the vulnerability is
      in MySQL Server, attacks may significantly impact additional products.
      Successful attacks of this vulnerability can result in unauthorized
      ability to cause a hang or frequently repeatable crash (complete DOS) of
      MySQL Server.
      
      CVE-2017-3309 - Vulnerability in the MySQL Server component of Oracle MySQL
      (subcomponent: Server: Optimizer). Supported versions that are affected are
      5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily
      "exploitable" vulnerability allows low privileged attacker with network
      access via multiple protocols to compromise MySQL Server. While the
      vulnerability is in MySQL Server, attacks may significantly impact
      additional products. Successful attacks of this vulnerability can result
      in unauthorized ability to cause a hang or frequently repeatable crash
      (complete DOS) of MySQL Server.
      
      CVE-2017-3453 - Vulnerability in the MySQL Server component of Oracle MySQL
      (subcomponent: Server: Optimizer). Supported versions that are affected are
      5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily
      "exploitable" vulnerability allows low privileged attacker with network
      access via multiple protocols to compromise MySQL Server. Successful attacks
      of this vulnerability can result in unauthorized ability to cause a hang or
      frequently repeatable crash (complete DOS) of MySQL Server.
      
      CVE-2017-3456 - Vulnerability in the MySQL Server component of Oracle MySQL
      (subcomponent: Server: DML). Supported versions that are affected are 5.5.54
      and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable"
      vulnerability allows high privileged attacker with network access via
      multiple protocols to compromise MySQL Server. Successful attacks of this
      vulnerability can result in unauthorized ability to cause a hang or
      frequently repeatable crash (complete DOS) of MySQL Server.
      
      CVE-2017-3464 - Vulnerability in the MySQL Server component of Oracle MySQL
      (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54
      and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable"
      vulnerability allows low privileged attacker with network access via
      multiple protocols to compromise MySQL Server. Successful attacks of this
      vulnerability can result in unauthorized update, insert or delete access to
      some of MySQL Server accessible data.
      
      And a number of important, but non-security related fixes:
      
      MDEV-12602: Fixed some race conditions in InnoDB encryption
      
      MariaDB Backup alpha introduced
      
      Galera wsrep library updated to 25.3.20
      
      For details, see the release notes:
      https://mariadb.com/kb/en/mariadb/mariadb-10123-release-notes/
      
      
      
      [Peter: drop COPYING.LESSER and add a reference to the bugtracker issue
      	explaining why]
      Signed-off-by: default avatarRyan Coe <bluemrp9@gmail.com>
      Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
      e6213e8e
    • Peter Korsgaard's avatar
      dropbear: security bump to version 2017.75 · 8644a83b
      Peter Korsgaard authored
      Fixes:
      
      - CVE-2017-9078: A double-free in the server could be triggered by an
        authenticated user if dropbear is running with -a (Allow connections to
        forwarded ports from any host) This could potentially allow arbitrary code
        execution as root by an authenticated user.  Affects versions 2013.56 to
        2016.74.  Thanks to Mark Shepard for reporting the crash.
      
      - CVE-2017
      
      -9079: Dropbear parsed authorized_keys as root, even if it were a
        symlink.  The fix is to switch to user permissions when opening
        authorized_keys.
        A user could symlink their ~/.ssh/authorized_keys to a root-owned file
        they couldn't normally read.  If they managed to get that file to contain
        valid authorized_keys with command= options it might be possible to read
        other contents of that file.  This information disclosure is to an already
        authenticated user.  Thanks to Jann Horn of Google Project Zero for
        reporting this.
      
      Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
      8644a83b
    • Peter Korsgaard's avatar
      8213190b
    • Peter Korsgaard's avatar
      daf1c350
    • Bernd Kuhls's avatar
  9. 19 May, 2017 2 commits
    • Baruch Siach's avatar
      toolchain: limit musl workaround to kernel headers 3.12+ · 4d1c2c82
      Baruch Siach authored
      
      
      The libc-compat.h first appeared in kernel version 3.12. Trying to build a
      musl toolchain using earlier headers leads to the following failure:
      
      /bin/sed: can't read .../output/host/usr/arm-buildroot-linux-musleabi/sysroot/usr/include/linux/libc-compat.h: No such file or directory
      package/pkg-generic.mk:266: recipe for target '.../output/build/toolchain/.stamp_staging_installed' failed
      
      Don't apply the sed patch to older headers.
      
      Reported-by: default avatarFlorent Jacquet <florent.jacquet@free-electrons.com>
      Signed-off-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
      4d1c2c82
    • Thomas Petazzoni's avatar
      cppcms: fix build on machines with libgpg-error installed · 15423bd4
      Thomas Petazzoni authored
      In configuration where target architecture == host architecture, and
      libgpg-error is installed system-wide with development files, the build
      of cppcms fails with:
      
      /home/test/buildroot/output/host/usr/bin/x86_64-amd-linux-gnu-g++  --sysroot=/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -Wall -Wextra  -DNDEBUG   CMakeFiles/base64_test.dir/tests/base64_test.cpp.o  -o base64_test  -L/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib -Wl,-rpath,/home/test/buildroot/output/build/cppcms-1.0.5:/home/test/buildroot/output/build/cppcms-1.0.5/booster:/usr/lib -rdynamic libcppcms.so.1.0.5 booster/libbooster.so.0.0.3 -lpthread /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libpcre.so /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libdl.so /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libz.so
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_err_set_errno@GPG_ERROR_1.0'
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpgrt_lock_init@GPG_ERROR_1.0'
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpgrt_lock_destroy@GPG_ERROR_1.0'
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_err_code_from_syserror@GPG_ERROR_1.0'
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_err_code_from_errno@GPG_ERROR_1.0'
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpgrt_lock_unlock@GPG_ERROR_1.0'
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_strerror@GPG_ERROR_1.0'
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_strsource@GPG_ERROR_1.0'
      /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpgrt_lock_lock@GPG_ERROR_1.0'
      
      The problem comes from the
      "-Wl,-rpath,/home/test/buildroot/output/build/cppcms-1.0.5:/home/test/buildroot/output/build/cppcms-1.0.5/booster:/usr/lib"
      option, which tells the linker to search for libraries in /usr/lib.
      
      This commit fixes that by asking CMake to not add any rpath when
      building cppcms.
      
      Fixes:
      
        http://autobuild.buildroot.net/results/a7eb1ede552ae14f409cfd7bd877bcf25ca69a74/
      
      
      
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Reviewed-by: default avatarRomain Naour <romain.naour@gmail.com>
      Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
      15423bd4
  10. 17 May, 2017 12 commits
  11. 16 May, 2017 1 commit
    • Peter Seiderer's avatar
      qt5declarative: fix examples compile without OpenGL support · 4b4fc27e
      Peter Seiderer authored
      Fixes [1]:
      
         main.cpp:(.text._ZN11QQmlPrivate10createIntoI6FbItemEEvPv[_ZN11QQmlPrivate10createIntoI6FbItemEEvPv]+0x18): undefined reference to `QQuickFramebufferObject::QQuickFramebufferObject(QQuickItem*)'
         .obj/main.o: In function `QQmlPrivate::QQmlElement<FbItem>::~QQmlElement()':
         main.cpp:(.text._ZN11QQmlPrivate11QQmlElementI6FbItemED2Ev[_ZN11QQmlPrivate11QQmlElementI6FbItemED5Ev]+0x5c): undefined reference to `vtable for QQuickFramebufferObject'
         .obj/main.o: In function `QQmlPrivate::QQmlElement<FbItem>::~QQmlElement()':
         main.cpp:(.text._ZN11QQmlPrivate11QQmlElementI6FbItemED0Ev[_ZN11QQmlPrivate11QQmlElementI6FbItemED0Ev]+0x64): undefined reference to `vtable for QQuickFramebufferObject'
         .obj/main.o:(.data.rel.ro._ZTVN11QQmlPrivate11QQmlElementI6FbItemEE[_ZTVN11QQmlPrivate11QQmlElementI6FbItemEE]+0x48): undefined reference to `QQuickFramebufferObject::isTextureProvider() const'
         .obj/main.o:(.data.rel.ro._ZTVN11QQmlPrivate11QQmlElementI6FbItemEE[_ZTVN11QQmlPrivate11QQmlElementI6FbItemEE]+0x4c): undefined reference to `QQuickFramebufferObject::textureProvider() const'
         .obj/main.o:(.data.rel.ro._ZTVN11QQmlPrivate11QQmlElementI6FbItemEE[_ZTVN11QQmlPrivate11QQmlElementI6FbItemEE]+0xb4): undefined reference to `QQuickFramebufferObject::geometryChanged(QRectF const&, QRectF const&)'
         .obj/main.o:(.data.rel.ro._ZTVN11QQmlPrivate11QQmlElementI6FbItemEE[_ZTVN11QQmlPrivate11QQmlElementI6FbItemEE]+0xb8): undefined reference to `QQuickFramebufferObject::updatePaintNode(QSGNode*, QQuickItem::UpdatePaintNodeData*)'
         .obj/main.o:(.data.rel.ro._ZTVN11QQmlPrivate11QQmlElementI6FbItemEE[_ZTVN11QQmlPrivate11QQmlElementI6FbItemEE]+0xbc): undefined reference to `QQuickFramebufferObject::releaseResources()'
         .obj/moc_fbitem.o: In function `FbItem::qt_metacast(char const*)':
         moc_fbitem.cpp:(.text+0x70): undefined reference to `QQuickFramebufferObject::qt_metacast(char const*)'
         .obj/moc_fbitem.o: In function `FbItem::qt_metacall(QMetaObject::Call, int, void**)':
         moc_fbitem.cpp:(.text+0x80): undefined reference to `QQuickFramebufferObject::qt_metacall(QMetaObject::Call, int, void**)'
         .obj/moc_fbitem.o: In function `FbItem::~FbItem()':
         moc_fbitem.cpp:(.text._ZN6FbItemD2Ev[_ZN6FbItemD5Ev]+0x38): undefined reference to `vtable for QQuickFramebufferObject'
         .obj/moc_fbitem.o: In function `FbItem::~FbItem()':
         moc_fbitem.cpp:(.text._ZN6FbItemD0Ev[_ZN6FbItemD0Ev]+0x40): undefined reference to `vtable for QQuickFramebufferObject'
         .obj/moc_fbitem.o:(.data.rel.ro+0x8): undefined reference to `typeinfo for QQuickFramebufferObject'
         .obj/moc_fbitem.o:(.data.rel.ro+0x58): undefined reference to `QQuickFramebufferObject::isTextureProvider() const'
         .obj/moc_fbitem.o:(.data.rel.ro+0x5c): undefined reference to `QQuickFramebufferObject::textureProvider() const'
         .obj/moc_fbitem.o:(.data.rel.ro+0xc4): undefined reference to `QQuickFramebufferObject::geometryChanged(QRectF const&, QRectF const&)'
         .obj/moc_fbitem.o:(.data.rel.ro+0xc8): undefined reference to `QQuickFramebufferObject::updatePaintNode(QSGNode*, QQuickItem::UpdatePaintNodeData*)'
         .obj/moc_fbitem.o:(.data.rel.ro+0xcc): undefined reference to `QQuickFramebufferObject::releaseResources()'
         .obj/moc_fbitem.o:(.data.rel.ro+0xf0): undefined reference to `QQuickFramebufferObject::staticMetaObject'
      
      [1] http://autobuild.buildroot.net/results/64a/64a198397736db12b73c1f693dbe1c47d73b53da
      
      
      
      Signed-off-by: default avatarPeter Seiderer <ps.report@gmx.net>
      Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
      4b4fc27e