- Update from 4.17.0.3 to 4.19.0.1
- Changelog
v4.19.0.1 - Release date: 2023-02-02
Rebased with official coreboot repository commit 2ccbcc5
Removed configuration and mainboard files for apu1 due to the board being dropped from upstream coreboot
See: https://github.com/pcengines/coreboot/compare/v4.17.0.3...v4.19.0.1
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
- Update from version 0.15.1 to 0.16.0
- Update of rootfile
- According to the forked elinks developer if parallel build is required then meson
should be used for the build. With make they don't believe that it ever ran in
parallel mode.
- This patch modifies the build from autotools to meson and updates the version.
- Parallel build option added back in to meson/ninja flow.
- The build requires git to be present so git moved to just before elinks in make.sh
- Changelog
ELinks 0.16.0
* detect xterm on my computer
ELinks 0.16.0rc1
* alternative mujs engine for js
* bump mozjs to 102
* experimental XHR implementation
* macros in exmode #196
* removed infinite loop, which occurred under BSD #197
* optional terminal hyperlinks in dumps #198
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 20221108 to 20230214
- Update of rootfile
- Changelog - details can be found in the releasenote.md file in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 2.12.1 to 2.13.0
- Update of rootfile
- Changelog
CHANGES BETWEEN 2.12.1 and 2.13.0 (2023-Feb-09)
I. IMPORTANT CHANGES
- The demo program `ftinspect` has been completely updated and much
enhanced. It now combines the functionality of almost all other
graphical FreeType demo programs into a single application based
on the Qt framework. This was Charlie Jiang's GSoC 2022 project.
- The 'COLR' v1 API is now considered as stable.
https://learn.microsoft.com/en-us/typography/opentype/spec/colr
III. MISCELLANEOUS
- For OpenType Variable Fonts, `avar` table format 2.0 is now
supported. The code was contributed by Behdad Esfahbod.
Note that this is an extension supported on recent Apple platforms
and by HarfBuzz, but not yet in the OpenType standard! See
https://github.com/harfbuzz/boring-expansion-spec/blob/main/avar2.md
for the specification. To deactivate it, define the configuration
macro 'TT_CONFIG_OPTION_NO_BORING_EXPANSION'.
- A new API `FT_GlyphSlot_Slant` to slant a glyph by a given angle
has been added. Note that this function is part of `ftsynth.h`,
which is still considered to be in alpha stage.
- TrueType interpreter version 38 (also known as 'Infinality') that
was first introduced about 10 years ago in FreeType 2.4.11 is now
deprecated and slated to be removed in the next version. TrueType
interpreter version 40 has been FreeType's default version for six
years now and provides an excellent alternative. This is the last
FreeType version with TT_INTERPRETER_VERSION_38 and
TT_INTERPRETER_VERSION_40 treated differently.
- The only referenced but never documented configuration macro
`FT_CONFIG_OPTION_NO_GLYPH_NAMES` has been removed.
- The `ftbench` demo program got a new command line option `-e` to
set a charmap index.
- Specifying a point size is now optional for the demo programs
`ftgrid`, `ftmulti`, `ftstring`, and `ftview`. If not given, a
default size is used.
- For `ftgrid`, `ftstring`, and `ftview`, option `-e` now also
accepts a numeric value to set a charmap index.
- In `ftstring`, it is now possible to set the displayed text
interactively by pressing the 'Enter' key.
- `ftmulti` can now handle up to 16 design axes.
- To avoid reserved identifiers that are globally defined, the
auto-hinter debugging macros (which are only available if
`FT_DEBUG_AUTOFIT` is defined)
```
_af_debug_disable_horz_hints
_af_debug_disable_vert_hints
_af_debug_disable_blue_hints
_af_debug_hints
```
have been renamed to
```
af_debug_disable_horz_hints_
af_debug_disable_vert_hints_
af_debug_disable_blue_hints_
af_debug_hints_
```
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.14.4 to 1.14.6
- Update of rootfile
- The Denial of service issue mentioned first in the changelog is not applicable to IPFire
as the build is done without asserts enabled.
- Changelog
dbus 1.14.6 (2023-02-08)
Denial of service fixes:
• Fix an incorrect assertion that could be used to crash dbus-daemon or
other users of DBusServer prior to authentication, if libdbus was compiled
with assertions enabled.
We recommend that production builds of dbus, for example in OS distributions,
should be compiled with checks but without assertions.
(dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)
Other fixes:
• When connected to a dbus-broker, stop dbus-monitor from incorrectly
replying to Peer method calls that were sent to the dbus-broker with
a NULL destination (dbus#301, Kai A. Hiller)
• Fix out-of-bounds varargs read in the dbus-daemon's config-parser.
This is not attacker-triggerable and appears to be harmless in practice,
but is technically undefined behaviour and is detected as such by
AddressSanitizer. (dbus!357, Evgeny Vereshchagin)
• Avoid a data race in multi-threaded use of DBusCounter
(dbus#426, Ralf Habacker)
• Fix a crash with some glibc versions when non-auditable SELinux events
are logged (dbus!386, Jeremi Piotrowski)
• If dbus_message_demarshal() runs out of memory while validating a message,
report it as NoMemory rather than InvalidArgs (dbus#420, Simon McVittie)
• Use C11 _Alignof if available, for better standards-compliance
(dbus!389, Khem Raj)
• Stop including an outdated copy of pkg.m4 in the git tree
(dbus!365, Simon McVittie)
• Documentation:
· Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)
• Tests fixes:
· Fix the test-apparmor-activation test after dbus#416
(dbus!380, Dave Jones)
Internal changes:
• Fix CI builds with recent git versions (dbus#447, Simon McVittie)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
The developers do not provide a changelog, this time I couldn't
even find a comment.
All I can say:
Running her on Core 172. No seen problems.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
- Update from version 7.0.0.11 to 7.0.4
- Update of rootfile
- Changelog
updated language flags, catch abortcompile throw in non-ragel progs
7.0.3
This version of colm includes a critical fix for big-endian system. Fixes#61.
expect colm version 0.14.6 and version bump ragel to 7.0.3
7.0.2
Latest colm includes bugfixes for refcounting, which fixes a ragel issue with includes #58.
expect colm 0.14.5 and version bump to 7.0.2
7.0.1
removed accidental commit of ragel/.exrc
7.0.0.12
implemented NfaClear in asm codegen
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.13.0.6 to 0.14.7
- Update of rootfile
- patch from colm commit fc61ecb required to fix bug of make looking for static and
dynamic libs even if one of them was disabled
- Changelog is not available in source tarball or on website etc. Changes have to be
reviewed by the commits https://github.com/adrian-thurston/colm/commits/0.14.7
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.6.12 to 1.7.23
- Update of rootfile
- Changelog
Most changes are related to additional printers except for
1.7.10
* Fixed the problem that epson-escpr-wrapper filter would crash
when cupsRasterReadHeader failed.
1.7.7.2
* Supported new model.
* Fixed an issue of filter crash when FIFO I/O was closed.
1.7.0
* Supported new models.
* Applied Privacy Statement.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 6.4.34 to 6.4.36
- Update of rootfile nor required
- Changelog
fetchmail-6.4.36 (released 2023-01-28, 31710 LoC):
(in alphabetical order of language codes):
* cs: Petr Pisar [Czech]
* es: Cristian Othón Martínez Vera [Spanish]
* fr: Frédéric Marchal [French]
* ja: Takeshi Hamasaki [Japanese]
* pl: Jakub Bogusz [Polish]
* ro: Remus-Gabriel Chelu [Romanian]
* sq: Besnik Bleta [Albanian]
* sv: Göran Uddeborg [Swedish]
fetchmail-6.4.35 (released 2023-01-04, 31707 LoC):
* Fetchmail now warns about OpenSSL before 1.1.1s or 3.0.7,
and rejects wolfSSL older than 5.5.1.
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* eo: Keith Bowes [Esperanto]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 2022e to 2022g
- Update of rootfile
- Changelog is too large to include here. See the NEWS file in the source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- rngd removed from initscripts lfs and rootfiles due to change of rng-tools to addon
Fixes: Bug#12900
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- This patch is to move the rng-tools package from a core package to an addon. With the
kernel changes from 5.6 rngd is no longer needed to create the required kernel entropy.
- The results from HRNG's via rngd are used with an XOR after the entropy is
collected by the kernel. So the HWRNG output is used to dilute the kernel random number
data, which is already merged from several sources.
- Based on the above and @Paul's request in the bug report to have rng-tools kept as an
addon this patch set is submitted for consideration to keep rng-tools but as an addon.
- move rng-tools rootfile from common to packages
- Modify rng-tools lfs from core package to addon package
- Create rng-tools pak to install and uninstall - creating rc.d links for start & stop.
- Move rngd initscript from system to packages directory.
- Installed into my vm testbed and confirmed that it works. No rngd daemon installed
from iso install. After addon install rngd is present and running. Added various files
to be able to test the services wui page. rngd shows up and can be turned off and on
Fixes: Bug#12900
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
For details see:
https://github.com/lsof-org/lsof/blob/master/00DIST#L5471
"4.98.0 January 22, 2023
Fix two potential null pointer access bug when gethostbyname2()
returns an empty address list
Add support for older automake versions (on e.g. CentOS 7)
Migrate testing scripts and programs to autotools
Extend CI to build on more Linux distros
[linux] Fix handling of empty command name, closing #246.
Add test from #246, where lsof returns stale command name when the
command name is empty. If getting command name failed, return
NULL instead of empty string
Add --with/without-libtirpc option to autotools-based build
system and automatically detect libtirpc by default
Add -H switch to print human readable size, e.g. 123.4K (#260)
[linux] Fix implicit declaration error when HASPTYEPT is undefined
Add support for musl libc-based Linux distros
Add --enable-security argument to configure to allow only the
root user to list all open files
Add --enable-no-sock-security argument to configure to allow
anyone to list anyone else's socket files when combined with
--enable-security
[linux] Always enable 64 bit off_t in configure.ac
[netbsd] Import patches from pkgsrc and port autotools-based build system to NetBSD
[netbsd] Fix lock status reading"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://github.com/htop-dev/htop/blob/main/ChangeLog
"What's new in version 3.2.2
* CPUMeter now can show frequency in text mode
* Add option to render distribution path prefixes shadowed
* DiskIOMeter converts to bytes per second (not per interval)
* DiskIOMeter uses complete units, including missing "iB/s"
* DiskIOMeter indicates read and write in meter mode
* NetworkIOMeter converts to packets per second, shows packet rate
* Allow continued process following when changing display settings
* Update the panel header when changing to another tab
* Drop margin around the header if there are no meters
* Use Unicode replacement character for non-printable characters
* Default color preset uses bold blue for better visibility
* Update the Panel header on sort order inversions ('I')
* Toggle the header meters with pound key
* Fix ScreenPanel to handle quitting the panel while renaming
* Add fallback for HOME environment variable using passwd database
* Replace meaningless ID column with FD column in lock screen
* Use device format in the lock screen matching the files screen
* On Linux, improvements to file-descriptor lock detection
* On Linux, further distinguish systemd states in the SystemdMeter
* On Linux, improvements to cgroup and container identification
* On Linux, support openat(2) without readlinkat(2) platforms
* On Darwin, fix current process buffer handling for busy systems
* On DragonFly BSD, fix incorrect processor time of processes
* On FreeBSD, fix an issue with the memory graph not showing correctly
* On FreeBSD, add support for displaying shared memory usage
* On PCP, use pmLookupDescs(3) if available for efficiency
* On PCP, normalize generic columns values for consistent display
* On PCP, changes preparing for configurable, dynamic screens
* Handle invalid process columns from the configuration file
* Avoid undefined behaviour with deeply nested processes
* Fix crash when removing the currently active screen
* Prevent possible crash on a very early error path
* Include automake for Debian/Ubuntu
* Restore non-mouse support
* Reject unsupported command line arguments
* Document idle process state
* Clarify M_TRS/M_DRS columns"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
"ClamAV 1.0.1 is a critical patch release with the following fixes:
CVE-2023-20032: Fixed a possible remote code execution
vulnerability in the HFS+ file parser. The issue affects versions
1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052: Fixed a possible remote information leak
vulnerability in the DMG file parser. The issue affects versions
1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
Thank you to Simon Scannell for reporting this issue.
Fix an allmatch detection issue with the preclass bytecode hook."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.3 to 4.4
- Update of rootfile
- the $(MAKETUNING) option does not work with the elinks build with version 4.4 A linked
patch has been created for the removal of that option from the elinks lfs file.
- Changelog
Version 4.4 (31 Oct 2022)
A complete list of bugs fixed in this version is available here:
https://sv.gnu.org/bugs/index.php?group=make&report_id=111&fix_release_id=109&set=custom
* WARNING: Deprecation!
The following systems are deprecated in this release:
- OS/2 (EMX)
- AmigaOS
- Xenix
- Cray
In the NEXT release of GNU Make, support for these systems will be removed.
If you want to see them continue to be supported, contact <bug-make@gnu.org>.
* WARNING: Future backward-incompatibility!
In the NEXT release of GNU Make, pattern rules will implement the same
behavior change for multiple targets as explicit grouped targets, below: if
any target of the rule is needed by the build, the recipe will be invoked if
any target of the rule is missing or out of date. During testing some
makefiles were found to contain pattern rules that do not build all targets;
this can cause issues so we are delaying this change for one release cycle
to allow these makefiles to be updated. GNU Make shows a warning if it
detects this situation: "pattern recipe did not update peer target".
* WARNING: Backward-incompatibility!
GNU Make now uses temporary files in more situations than previous releases.
If your build system sets TMPDIR (or TMP or TEMP on Windows) and deletes the
contents during the build, or uses restrictive permissions, this may cause
problems. You can choose an alternative temporary directory only for use by
GNU Make by setting the new MAKE_TMPDIR environment variable before invoking
make. Note that this value CANNOT be set inside the makefile, since make
needs to find its temporary directory before the makefiles are parsed.
* WARNING: Backward-incompatibility!
Previously each target in a explicit grouped target rule was considered
individually: if the targets needed by the build were not out of date the
recipe was not run even if other targets in the group were out of date. Now
if any of the grouped targets are needed by the build, then if any of the
grouped targets are out of date the recipe is run and all targets in the
group are considered updated.
* WARNING: Backward-incompatibility!
Previously if --no-print-directory was seen anywhere in the environment or
command line it would take precedence over any --print-directory. Now, the
last setting of directory printing options seen will be used, so a command
line such as "--no-print-directory -w" _will_ show directory entry/exits.
* WARNING: Backward-incompatibility!
Previously the order in which makefiles were remade was not explicitly
stated, but it was (roughly) the inverse of the order in which they were
processed by make. In this release, the order in which makefiles are
rebuilt is the same order in which make processed them, and this is defined
to be true in the GNU Make manual.
* WARNING: Backward-incompatibility!
Previously only simple (one-letter) options were added to the MAKEFLAGS
variable that was visible while parsing makefiles. Now, all options are
available in MAKEFLAGS. If you want to check MAKEFLAGS for a one-letter
option, expanding "$(firstword -$(MAKEFLAGS))" is a reliable way to return
the set of one-letter options which can be examined via findstring, etc.
* WARNING: Backward-incompatibility!
Previously makefile variables marked as export were not exported to commands
started by the $(shell ...) function. Now, all exported variables are
exported to $(shell ...). If this leads to recursion during expansion, then
for backward-compatibility the value from the original environment is used.
To detect this change search for 'shell-export' in the .FEATURES variable.
* WARNING: New build requirement
GNU Make utilizes facilities from GNU Gnulib: Gnulib requires certain C99
features in the C compiler and so these features are required by GNU Make:
https://www.gnu.org/software/gnulib/manual/html_node/C99-features-assumed.html
The configure script should verify the compiler has these features.
* New feature: The .WAIT special target
If the .WAIT target appears between two prerequisites of a target, then
GNU Make will wait for all of the targets to the left of .WAIT in the list
to complete before starting any of the targets to the right of .WAIT.
This feature is available in some other versions of make, and it will be
required by an upcoming version of the POSIX standard for make.
Different patches were made by Alexey Neyman <alex.neyman@auriga.ru> (2005)
and Steffen Nurpmeso <steffen@sdaoden.eu> (2020) that were useful but the
result is a different implementation (closer to Alexey's idea).
* New feature: .NOTPARALLEL accepts prerequisites
If the .NOTPARALLEL special target has prerequisites then all prerequisites
of those targets will be run serially (as if .WAIT was specified between
each prerequisite).
* New feature: The .NOTINTERMEDIATE special target
.NOTINTERMEDIATE disables intermediate behavior for specific files, for all
files built using a pattern, or for the entire makefile.
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* New feature: The $(let ...) function
This function allows user-defined functions to define a set of local
variables: values can be assigned to these variables from within the
user-defined function and they will not impact global variable assignments.
Implementation provided by Jouke Witteveen <j.witteveen@gmail.com>
* New feature: The $(intcmp ...) function
This function allows conditional evaluation controlled by a numerical
comparison.
Implementation provided by Jouke Witteveen <j.witteveen@gmail.com>
* New feature: Improved support for -l / --load-average
On systems that provide /proc/loadavg (Linux), GNU Make will use it to
determine the number of runnable jobs and use this as the current load,
avoiding the need for heuristics.
Implementation provided by Sven C. Dack <sdack@gmx.com>
* New feature: The --shuffle command line option
This option reorders goals and prerequisites to simulate non-determinism
that may be seen using parallel build. Shuffle mode allows a form of "fuzz
testing" of parallel builds to verify that all prerequisites are correctly
described in the makefile.
Implementation provided by Sergei Trofimovich <siarheit@google.com>
* New feature: The --jobserver-style command line option and named pipes
A new jobserver method is used on systems where mkfifo(3) is supported.
This solves a number of obscure issues related to using the jobserver
and recursive invocations of GNU Make. This change means that sub-makes
will connect to the jobserver even if they are not marked as recursive.
It also means that other tools that want to participate in the jobserver
will need to be enhanced as described in the GNU Make manual.
You can force GNU Make to use the simple pipe-based jobserver (perhaps if
you are integrating with other tools or older versions of GNU Make) by
adding the '--jobserver-style=pipe' option to the command line of the
top-level invocation of GNU Make, or via MAKEFLAGS or GNUMAKEFLAGS.
To detect this change search for 'jobserver-fifo' in the .FEATURES variable.
* Some POSIX systems (*BSD) do not allow locks to be taken on pipes, which
caused the output sync feature to not work properly there. Also multiple
invocations of make redirecting to the same output file (e.g., /dev/null)
would cause hangs. Instead of locking stdout (which does have some useful
performance characteristics, but is not portable) create a temporary file
and lock that. Windows continues to use a mutex as before.
* GNU Make has sometimes chosen unexpected, and sub-optimal, chains of
implicit rules due to the definition of "ought to exist" in the implicit
rule search algorithm, which considered any prerequisite mentioned in the
makefile as "ought to exist". This algorithm has been modified to prefer
prerequisites mentioned explicitly in the target being built and only if
that results in no matching rule, will GNU Make consider prerequisites
mentioned in other targets as "ought to exist".
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* GNU Make was performing secondary expansion of all targets, even targets
which didn't need to be considered during the build. In this release
only targets which are considered will be secondarily expanded.
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* If the MAKEFLAGS variable is modified in a makefile, it will be re-parsed
immediately rather than after all makefiles have been read. Note that
although all options are parsed immediately, some special effects won't
appear until after all makefiles are read.
* The -I option accepts an argument "-" (e.g., "-I-") which means "reset the
list of search directories to empty". Among other things this can be used
to prevent GNU Make from searching in its default list of directories.
* New debug option "print" will show the recipe to be run, even when silent
mode is set, and new debug option "why" will show why a target is rebuilt
(which prerequisites caused the target to be considered out of date).
Implementation provided by David Boyce <David.S.Boyce@gmail.com>
* The existing --trace option is made equivalent to --debug=print,why
* Target-specific variables can now be marked "unexport".
* Exporting / unexporting target-specific variables is handled correctly, so
that the attribute of the most specific variable setting is used.
* Special targets like .POSIX are detected upon definition, ensuring that any
change in behavior takes effect immediately, before the next line is parsed.
* When the pipe-based jobserver is enabled and GNU Make decides it is invoking
a non-make sub-process and closes the jobserver pipes, it will now add a new
option to the MAKEFLAGS environment variable that disables the jobserver.
This prevents sub-processes that invoke make from accidentally using other
open file descriptors as jobserver pipes. For more information see
https://savannah.gnu.org/bugs/?57242 and https://savannah.gnu.org/bugs/?62397
* A long-standing issue with the directory cache has been resolved: changes
made as a side-effect of some other target's recipe are now noticed as
expected.
* GNU Make can now be built for MS-Windows using the Tiny C tcc compiler.
Port provided by Christian Jullien <eligis@orange.fr>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
This removes support for building IPFire for 32 bit ARM architectures.
This has been decided in August 2022 with six months notice as there are
not very many users and hardware is generally not available any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- libtirpc is required for lsof to work from CU172 onwards. rpc.h is no longer available
from glibc. This would normally cause the lsof build to fail but libtirpc as an addon
is built before lsof and so is present in the build and lsof is linked to it.
When running lsof it fails as the linked libtirpc library is not present unless it has
been installed as an addon.
- This patch converts the libtirpc lfs from an addon to a core program and moves the
rootfile from the packages directory to the common directory.
- Tested out on my vm testbed. With CU172 lsof fails to run due to the missing libtirpc
With the build based on this patch installed lsof works normally again.
- Disabled the static library build in the configure options and updated the rootfile
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Fixes: Bug#13015
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
