Commit graph

566 commits

Author SHA1 Message Date
Kevin Darbyshire-Bryant
69ac637fbb mbedtls: update to 2.6.0 CVE-2017-14032
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
2017-09-11 01:56:14 +02:00
Matthias Schiffer
f12a5b8f6d
uclient: update to 2017-09-06
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-09-06 15:46:03 +02:00
Lucian Cristian
b90fb5ffe1 openssl: update to version 1.0.2l
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2017-07-28 23:07:17 +02:00
Stijn Tintel
462ca4e059 zlib: use default Build/Configure rule
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-07-14 08:45:55 +02:00
Stijn Tintel
b3cba687a4 lzo: use default Build/Configure rule
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-07-14 08:45:40 +02:00
Daniel Golle
2be603783b ncurses: add libnucrses-dev package
It's needed to use the SDK and IB on an OpenWrt/LEDE host.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-07-08 23:19:31 +02:00
Magnus Kroken
329f6a96b7 mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:56:07 +02:00
Daniel Golle
04063820e8 libreadline: add host-build
Also make sure that the PKG_NAME and folder name are equal.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-06-24 14:38:14 +02:00
Yousong Zhou
77dc6a2ae7 libunwind: update to version 1.2.1
Changes since 1.2

    a77b0cd Bump version to v1.2.1
    5f354cb mips/tilegx: Add missing unwind_i.h header file
    620d1c3 Add aarch64 getcontext functionality.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-06-19 14:43:09 +08:00
Felix Fietkau
98634205fd libubox: update to the latest version, fixes a runqueue use-after-free bug
7237302 md5: add "const" qualifier to the "file" argument
fa9937c json_script: enable custom expr handler callback
368fd26 uloop: allow specifying a timeout for uloop_run()
6a7fb7d runqueue: fix use-after-free bug
4bc3dec uloop: fix a regression in timeout handling
fd57eea uloop: allow passing 0 as timeout to uloop_run

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-06-17 11:51:41 +02:00
Florian Fainelli
484f768dfa elfutils: Pass -Wno-unused-result to silence warnings as errors
elfutils turns on -Werror by default, and patch 100-musl-compat.patch
changes how strerror_r is used and we no longer use the function's
return value. This causes the following build error/warning to occur
with glibc-based toolchains:

dwfl_error.c: In function 'dwfl_errmsg':
dwfl_error.c:158:18: error: ignoring return value of 'strerror_r',
declared with attribute warn_unused_result [-Werror=unused-result]
       strerror_r (error & 0xffff, s, sizeof(s));
                  ^
cc1: all warnings being treated as errors

Fixing this would be tricky as there are two possible signatures for
strerror_r (XSI and GNU), just turn off unused-result warnings instead.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-26 15:42:03 -07:00
Felix Fietkau
e6d4235ae5 json-c: disable implicit fallthrough warning (gcc 7)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-25 19:01:07 +02:00
Yousong Zhou
5d48dc1146 libunwind: update to 1.2
Addresses CVE-2015-3239: Off-by-one error in the dwarf_to_unw_regnum
function in include/dwarf_i.h in libunwind 1.1 allows local users to
have unspecified impact via invalid dwarf opcodes.

Upstream stable-v1.2 fixed the missing unwind_i.h issue but no new
tarball is released yet

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-22 11:07:40 +08:00
Luiz Angelo Daros de Luca
ccc54b2935 elfutils: bump to 0.169
Removed patches (now upstream):
- 004-maybe-uninitialized.patch
- 007-fix_TEMP_FAILURE_RETRY.patch

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2017-05-18 07:59:56 +02:00
Daniel Engberg
74395d97a9 libs/libnftnl: Update to 1.0.7
Update libnftnl to 1.0.7

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-05-16 17:22:58 +02:00
Florian Fainelli
c258bc781f toolchain: Package libgomp
Some external toolchains may be configured to enable OpenMP. Provide a
package for these libraries which can be used by other packages.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-11 13:42:55 -07:00
Daniel Engberg
7dc2a581b9 libs/libpcap: Rework URLs
Add mirror and use main site as last resort.
Source: http://www.tcpdump.org/mirrors.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-22 09:16:23 +01:00
Daniel Engberg
480a6aec98 libs/openssl: Refresh mirror list
Refresh mirror list, some doesn't offer OpenSSL and add main site as last resort.
Source: https://www.openssl.org/source/mirror.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-22 09:16:23 +01:00
Daniel Engberg
cc5721c3b8 lzo: Update to 2.10
Update lzo to 2.10

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-20 08:25:49 +01:00
Alexey Brodkin
51d9ac61c7 libnl: Fix building with uClibc
uClibc doesn't implement strerror_l() and thus libnl starting from
3.2.29 couldn't be compiled with it any longer, see
6c2d111177

To work-around that problem we'll just do a check on strerror_l()
availability during configuration and if it's not there just fall back
to locale-less strerror().

Patch for libnl is alreadfy merged upstream, see
e15966ac7f
and once the next libnl release happens this one must be removed from
Lede/OpenWrt.

Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: John Crispin <john@phrozen.org>
Cc: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-16 11:28:28 +01:00
Hauke Mehrtens
b6a8b43dd2 toolchain: add musl libc.so to external toolchain
musl provides a /lib/libc.so file which should be integrated into the libc
package when the external toolchain with musl is used.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2017-03-15 22:31:11 +01:00
Hauke Mehrtens
7b52278154 mbedtls: update to version 2.4.2
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 20:04:32 +01:00
Florian Fainelli
7f0c95a7df toolchain: Allow external toolchains to specify libthread-db
We need to let external toolchains be able to specify the path and
specification file to the libthread-db POSIX thread debugging shared
libraries.

This fixes GDB not being able to be installed because it is depending on
libthread-db:

Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies
 * for gdb:
 *      libthread-db *
 * opkg_install_cmd: Cannot install package gdb.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-03-04 11:19:56 -08:00
Florian Fainelli
9e740fa5a5 openssl: Use mkhash for STAMP_CONFIGURED
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.

Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,

Fixes #572

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-03-01 17:19:52 -08:00
Ted Hess
23dff07148 libubox: Update to latest version
9d6305a utils: Change calloc_a() to return size_t aligned pointers

Signed-off-by: Ted Hess <thess@kitschensync.net>
2017-02-24 15:32:47 -05:00
Martin Schiller
fdfde3eb21 libpcap: add optional netfilter support
This is needed to use the nflog interface with tcpdump

Signed-off-by: Martin Schiller <mschiller@tdt.de>
2017-02-22 22:52:30 +01:00
Felix Fietkau
7df0069bb5 mbedtls: add --function-sections and --data-sections to CFLAGS
This allows binaries that links these libraries statically to be reduced
by using --gc-sections on link

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-21 16:05:03 +01:00
Felix Fietkau
315498c163 libubox: fix host build on macOS
Use the defaults instead of a custom non-portable Host/Install section

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-20 14:57:20 +01:00
Jo-Philipp Wich
84ceca5148 libubox: add host build
Our opkg fork requires libubox to build, so add a host build for it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-02-19 19:08:46 +01:00
Felix Fietkau
6c44ac286b libpcap: remove feature dependencies on kmod-* packages
USB support could be built into the kernel as well

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-17 14:09:21 +01:00
Alexey Brodkin
a3408a5271 toolchain/uclibc: Bump version to 1.0.22
Important change was made in 1.0.18: all sub-libs were merged
in one and only libc similarly to musl.

See [1] for more details.

To support that we had to remove refences to those sub-libs like
libpthread, libcrypt, libdl, libm, libutil etc.

[1] http://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/commit/?id=29ff9055c80efe77a7130767a9fcb3ab8c67e8ce

Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
2017-02-11 15:38:39 +01:00
Ben Kelly
da0b9110fc uclibc++: patch bugfix erase() on derived __base_associative
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.

Example code to reproduce:

	typedef std::multimap<int, int> testmap;
	testmap t;
	t.insert(std::pair<int, int>(1, 1));
	t.insert(std::pair<int, int>(2, 1));
	t.insert(std::pair<int, int>(3, 1));
	t.erase(t.begin(), t.end());

Signed-off-by: Ben Kelly <ben@benjii.net>
2017-02-09 12:26:55 +01:00
Felix Fietkau
da93c15fd2 libubox: update to the latest version
Adds the following changes:

de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-04 10:19:15 +01:00
Florian Fainelli
200d932322 toolchain: Broaden the executable loader pattern
Some toolchains will produce executables with an interpreter that is e.g:
ld.so.1 (typically a symbolic link). Due to our current LIBC_SPEC_FILE value,
we would not be able to copy this symbolic link/file over to the rootfs and
executables would fail to load. Extend the search pattern to include all
ld*.so* files that could be needed.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-01-29 11:51:02 -08:00
Hauke Mehrtens
12db207e9b openssl: update to version 1.0.2k
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-01-27 23:38:17 +01:00
Jo-Philipp Wich
f798776188 libtool: don't clobber host libtool infrastructure
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.

By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:

    libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`

Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-22 00:40:38 +01:00
Matthias Schiffer
421a6d314a
gettext-full: fix to use $STAGING_DIR_HOSTPKG instead of $STAGING_DIR/host
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-19 00:05:10 +01:00
Daniel Engberg
da5d060ac9 zlib: Update to 1.2.11
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback

Note: SF doesn't carry the 1.2.11 update yet.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-16 19:52:07 +01:00
Domagoj Pintaric
b5b83706be mbedtls: add static files in staging_dir
Signed-off-by: Domagoj Pintaric <domagoj.pintaric@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
2017-01-16 11:41:54 +01:00
Matthias Schiffer
0d8381aea3
ncurses: revert $(STAGING_DIR_HOSTPKG) to $(STAGING_DIR)/host where appropriate
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-14 18:58:44 +01:00
Felix Fietkau
bd68ddbda4 polarssl: remove package
The mbedTLS 1.3 branch has been EOL since end of 2016 and now all
remaining users have been converted.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-13 12:08:08 +01:00
Jo-Philipp Wich
b95494baed gettext-full: avoid using iconv for host builds
The gettext-full host build might pick up iconv-stub host build  headers
during the build, leading to stray linker errors with unresolved references
to libiconv_open(), libiconv() and libiconv_close().

Since we're not needing iconv support on the host, pass the appropriate
cache variables to configure to prevent detection and linking of iconv.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-11 03:48:30 +01:00
Matthias Schiffer
77beaf2ec9
package: replace $(STAGING_DIR)/host with $(STAGING_DIR_HOSTPKG)
Cleanup to prepare for changing STAGING_DIR_HOSTPKG. The actual change of
STAGING_DIR_HOSTPKG (i.e., moving the host packages back into a common, not
target-specific directory) will be done after the first LEDE release, but
the cleanup will also be useful for projects like Gluon.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-10 22:15:37 +01:00
Daniel Engberg
dfe93c20ec libnl: Update to 3.2.29
Update libnl to 3.2.29

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-10 08:26:42 +01:00
Hauke Mehrtens
e9f0b75976 cyassl: update to wolfssl version 3.10.0
This fixes a low level security vulnerability.
Deactivate MIPS16 support, crypto code gets much slower with MIPS16.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-01-10 00:10:15 +01:00
Felix Fietkau
3e7b894ac0 ustream-ssl: remove legacy polarssl support
The old polarssl 1.3 branch is EOL since end of 2016, and the package
for it will be removed soon.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-09 14:35:09 +01:00
Felix Fietkau
f0353c5e8c mbedtls: re-enable CFB support
It is safe and required by some software, e.g. shadowsocks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-09 10:59:30 +01:00
Felix Fietkau
355e150065 mbedtls: re-enable RC4 support (needed by transmission and others)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-08 18:22:23 +01:00
Magnus Kroken
186cd4533d zlib: update to 1.2.10
* Fix bug in deflate_stored() for zero-length input
* Fix bug in gzwrite.c that produced corrupt gzip files

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-01-07 19:35:22 +01:00
Luiz Angelo Daros de Luca
0bb474652e elfutils: bump to 0.168
Other changes:
- Project moved to sourceware.org
- musl patch where cleaned up and submitted upstream
- TEMP_FAILURE_RETRY macro fixed and submitted upstream

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[Jo-Philipp Wich: add missing .patch extension to 007-fix_TEMP_FAILURE_RETRY]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-03 14:32:35 +01:00