Merge branch 'next' into temp-c168-development

config/rootfiles/common/libloc

@@ -1,6 +1,7 @@
 usr/bin/location
 #usr/bin/location-importer
 #usr/include/libloc
+#usr/include/libloc/address.h
 #usr/include/libloc/as-list.h
 #usr/include/libloc/as.h
 #usr/include/libloc/compat.h
@@ -18,7 +19,7 @@ usr/bin/location
 #usr/lib/libloc.la
 #usr/lib/libloc.so
 usr/lib/libloc.so.1
-usr/lib/libloc.so.1.0.1
+usr/lib/libloc.so.1.0.2
 usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/Location.pm
 #usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Location
 #usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Location/.packlist

config/rootfiles/oldcore/167/filelists/elinks

@@ -0,0 +1 @@
+../../../common/elinks

config/rootfiles/oldcore/167/filelists/files

@@ -1,7 +1,10 @@
 etc/collectd.conf
 etc/inittab.d
+etc/rc.d/init.d/collectd
 etc/rc.d/init.d/firewall
+etc/rc.d/init.d/mountfs
 etc/rc.d/init.d/pakfire
+etc/rc.d/init.d/partresize
 etc/sysctl.conf
 lib/udev/network-hotplug-bridges
 srv/web/ipfire/cgi-bin/connections.cgi
@@ -10,6 +13,7 @@ srv/web/ipfire/cgi-bin/getrrdimage.cgi
 srv/web/ipfire/cgi-bin/ids.cgi
 srv/web/ipfire/cgi-bin/location-block.cgi
 usr/lib/firewall/rules.pl
+usr/lib/perl5/site_perl/5.32.1/Net/IP.pm
 usr/local/bin/backupiso
 usr/sbin/unbound-dhcp-leases-bridge
 var/ipfire/backup/include

config/rootfiles/oldcore/167/filelists/libloc

@@ -0,0 +1 @@
+../../../common/libloc

config/rootfiles/oldcore/167/filelists/vnstat

@@ -0,0 +1 @@
+../../../common/vnstat

config/rootfiles/oldcore/167/filelists/xz

@@ -0,0 +1 @@
+../../../common/xz

config/rootfiles/oldcore/167/update.sh

@@ -26,11 +26,61 @@
 
 core=167
 
+exit_with_error() {
+    # Set last succesfull installed core.
+    echo $(($core-1)) > /opt/pakfire/db/core/mine
+    # force fsck at next boot, this may fix free space on xfs
+    touch /forcefsck
+    # don't start pakfire again at error
+    killall -KILL pak_update
+    /usr/bin/logger -p syslog.emerg -t ipfire \
+	"core-update-${core}: $1"
+    exit $2
+}
+
 # Remove old core updates from pakfire cache to save space...
 for (( i=1; i<=$core; i++ )); do
 	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
 done
 
+
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+    cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks.
+case $(uname -r) in
+    *-ipfire*)
+	# Ok.
+	;;
+    *)
+	exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+	;;
+esac
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 100000 ]; then
+    exit_with_error "ERROR cannot update because not enough free space on root." 2
+    exit 2
+fi
+
+# Remove the old kernel
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-*
+rm -rf /boot/zImage-*
+rm -rf /boot/uInit-*
+rm -rf /boot/dtb-*
+rm -rf /lib/modules
+
 # Remove files
 rm -rvf \
 	/bin/setserial \
@@ -272,7 +322,6 @@ rm -rvf \
 	/usr/lib/libxslt.so \
 	/usr/lib/pango \
 	/usr/lib/perl5/site_perl/5.30.0 \
-	/usr/lib/perl5/site_perl/5.32.1/Net/IP.pm \
 	/usr/lib/python3.8/ensurepip/_bundled/pip-19.2.3-py2.py3-none-any.whl \
 	/usr/lib/python3.8/idlelib/Icons/idle.icns \
 	/usr/lib/python3.8/lib2to3/Grammar3.8.1.final.0.pickle \
@@ -337,6 +386,13 @@ hardlink -c -vv /lib/firmware
 # Regenerate all initrds
 dracut --regenerate-all --force
 
+# Replace /etc/mtab by symlink as mount no longer writes it
+rm -vf /etc/mtab
+ln -vs /proc/self/mounts /etc/mtab
+
+# Export the location database again and reload the firewall engine
+/usr/local/bin/update-location-database
+
 # Rebuild IPS rules
 perl -e "require '/var/ipfire/ids-functions.pl'; &IDS::oinkmaster();"
 /etc/init.d/suricata reload
@@ -362,6 +418,20 @@ if [ -e "/opt/pakfire/db/installed/meta-nano" ] && [ -e "/opt/pakfire/db/meta/me
 		/opt/pakfire/db/rootfiles/nano
 fi
 
+# remove lm_sensor config after collectd was started
+# to reserch sensors at next boot with updated kernel
+rm -f  /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+    sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+    /boot/pakfire-kernel-update ${KVER}
+fi
+
 # This update needs a reboot...
 touch /var/run/need_reboot
 

lfs/cdrom

@@ -149,7 +149,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Clear mtab (prevents .journal problems)
 	rm -vf /etc/mtab
-	echo > /etc/mtab
+	ln -s /proc/self/mounts /etc/mtab
 
 	# Create filelist for packaging.
 	BUILDTARGET="$(BUILDTARGET)" BUILD_ARCH="$(BUILD_ARCH)" KVER="$(KVER)" \

lfs/libloc

@@ -24,8 +24,8 @@
 
 include Config
 
-VER        = 0.9.11
-DB_DATE    = 2022-02-16
+VER        = 0.9.13
+DB_DATE    = 2022-04-12
 
 THISAPP    = libloc-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -43,8 +43,8 @@ objects = $(DL_FILE) \
 $(DL_FILE)                    = https://source.ipfire.org/releases/libloc/$(DL_FILE)
 location-$(DB_DATE).db.xz     = https://location.ipfire.org/databases/1/archive/location-$(DB_DATE).db.xz
 
-$(DL_FILE)_BLAKE2 = 46df0dc058235ede47c103c9be5882f50b688c80613c2bdf6f3bc40a2effff67e3ef77cd28142dc3b3fb832689a345e8840fe466738e7ae151698e98c17a68ed
-location-$(DB_DATE).db.xz_BLAKE2 = 9ba0ae5bbabef1a0f692cee11515796d754b2f83aa21c2a2730b4d04249606fe00df856dad08fbdfdad3fad6b06c902b36e3a7717181ce0fac4738b46737b5b4
+$(DL_FILE)_BLAKE2 = 5fccd6f0564899499939c63af8975f20b1f7d5267a8cf6c15e14ab377b9d5c008ae5e154c804ac6a1106471aaeebac97dc4ebe6b70fc1e59f416fe2cc02c52a7
+location-$(DB_DATE).db.xz_BLAKE2 = 8634405ddba8c38d4512ec586722faaeccb295b8bfe7778e52e7bb60dfe804c6a3ae201d04a43d200e1118cf5fed05ef3eada59e2dd6386fe37023274ccb6795
 
 install : $(TARGET)
 

lfs/stage2

@@ -87,7 +87,8 @@ endif
 	cp -rvf $(DIR_SRC)/config/etc/* /etc;
 	[ ! -d "$(DIR_SRC)/config/etc-$(BUILD_ARCH)" ] || cp -rvf $(DIR_SRC)/config/etc-$(BUILD_ARCH)/* /etc
 	cp -rvf $(DIR_SRC)/config/lib/* /lib;
-	touch /etc/{fs,m}tab
+	touch /etc/fstab
+	ln -s /proc/self/mounts /etc/mtab
 	echo "$(NAME) v$(VERSION) - $(SLOGAN)" >  /etc/issue
 	echo "===============================" >> /etc/issue
 	echo "\n running on \s \r \m"          >> /etc/issue

lfs/xz

@@ -75,6 +75,7 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -p1 -i $(DIR_SRC)/src/patches/xzgrep-ZDI-CAN-16587.patch
 	cd $(DIR_APP) && ./configure --prefix=$(PREFIX)
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install

src/initscripts/system/collectd

@@ -27,7 +27,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/main/settings)
 scan_for_sensors() {
 	touch /var/lock/sensors_search
 	# pre scan and try to load modules
-	"yes" | /usr/sbin/sensors-detect > /dev/null
+	"yes" | /usr/sbin/sensors-detect > /dev/null 2>&1
 	if [ -e /etc/sysconfig/lm_sensors ]; then
 
 		# Module load
@@ -38,7 +38,7 @@ scan_for_sensors() {
 	fi
 
 	# Final scan
-	"yes" | /usr/sbin/sensors-detect > /dev/null
+	"yes" | /usr/sbin/sensors-detect > /dev/null 2>&1
 
 	if [ ! -e /etc/sysconfig/lm_sensors ]; then
 		echo "#No Sensors detected " > /etc/sysconfig/lm_sensors

src/initscripts/system/mountfs

@@ -31,12 +31,6 @@ case "${1}" in
 		# Remove fsck-related file system watermarks.
 		rm -f /fastboot /forcefsck
 
-		boot_mesg "Create /etc/mtab..."
-		> /etc/mtab
-		mount -f / || failed=1
-		(exit ${failed})
-		evaluate_retval
-
 		# This will mount all filesystems that do not have _netdev in
 		# their option list.  _netdev denotes a network filesystem.
 		boot_mesg "Mounting remaining file systems..."

src/initscripts/system/partresize

@@ -30,12 +30,6 @@ case "${1}" in
 			mount -o remount,rw / > /dev/null
 			evaluate_retval
 
-			boot_mesg "Create /etc/mtab..."
-			> /etc/mtab
-			mount -f / || failed=1
-			(exit ${failed})
-			evaluate_retval
-
 			# check if serial console enabled
 			scon="off";
 			if [ ! "$(grep "console=ttyS0" /proc/cmdline)" == "" ]; then

src/patches/xzgrep-ZDI-CAN-16587.patch

@@ -0,0 +1,94 @@
+From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+    info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index b180936..e5186ba 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+          { test $# -eq 1 || test $no_filename -eq 1; }; then
+       eval "$grep"
+     else
++      # Append a colon so that the last character will never be a newline
++      # which would otherwise get lost in shell command substitution.
++      i="$i:"
++
++      # Escape & \ | and newlines only if such characters are present
++      # (speed optimization).
+       case $i in
+       (*'
+ '* | *'&'* | *'\'* | *'|'*)
+-        i=$(printf '%s\n' "$i" |
+-            sed '
+-              $!N
+-              $s/[&\|]/\\&/g
+-              $s/\n/\\n/g
+-            ');;
++        i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+       esac
+-      sed_script="s|^|$i:|"
++
++      # $i already ends with a colon so don't add it here.
++      sed_script="s|^|$i|"
+ 
+       # Fail if grep or sed fails.
+       r=$(
+         exec 4>&1
+-        (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++        (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++            LC_ALL=C sed "$sed_script" >&3 4>&-
+       ) || r=2
+       exit $r
+     fi >&3 5>&-
+-- 
+2.35.1
+