OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2017.08 2017-08-11T20:06:36+00:00 2017-08-11T20:06:36+00:00 Thomas Petazzoni thomas.petazzoni@free-electrons.com 2017-08-11T18:32:01+00:00 urn:sha1:6361a50e3f813c81d49636ee92a427442b9a2160 Since the bump to 7.55.0, libcurl fails to build on a number of uncommon architectures (ARC, OpenRISC, etc.). This is due to upstream commit 73a2fcea0b4adea6ba342cd7ed1149782c214ae3 ("includes: remove curl/curlbuild.h and curl/curlrules.h"), which makes libcurl rely on more architecture-specific related defines in include/curl/system.h. This commit therefore adds a patch that fixes the 32-bit vs. 64-bit detection for all architecture, using gcc's __SIZEOF_LONG__ definition. It has been tested successfully with test-pkg on all 47 toolchain configurations. Fixes: http://autobuild.buildroot.net/results/bf26c08cf3267214278674472f931603f69951ae/ (and many similar issues) Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-08-11T10:42:34+00:00 Baruch Siach baruch@tkos.co.il 2017-08-10T17:35:45+00:00 urn:sha1:d88c79090add53947dc3290fb61d51f2b630301c Fixes: glob: do not parse after a strtoul() overflow range (CVE-2017-1000101) tftp: reject file name lengths that don't fit (CVE-2017-1000100) file: output the correct buffer to the user (CVE-2017-1000099) Switch to .tar.xz to save bandwidth. Add reference to tarball signature. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> 2017-07-31T17:10:08+00:00 Adam Duskett Aduskett@gmail.com 2017-07-31T13:53:50+00:00 urn:sha1:5dccd7249e7dacceb370b0282592d504876e460e The check-package script when ran gives warnings on text wrapping on all of these Config files. This patch cleans up all warnings related to the text wrapping for the Config files starting with lib in the package directory. The appropriate indentation is: <tab><2 spaces><62 chars> See http://nightly.buildroot.org/#writing-rules-config-in for more information. Signed-off-by: Adam Duskett <aduskett@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-07-02T21:35:46+00:00 Naoki Matsumoto n-matsumoto@melcoinc.co.jp 2017-06-26T01:34:23+00:00 urn:sha1:d80110a635c23aac17dabf2e58b580470749a2c9 The curl license is a MIT/X derivative license, but has a distinct identifier in SPDX, so use that: https://spdx.org/licenses/curl.html [Peter: reword commit message] Signed-off-by: Naoki Matsumoto <n-matsumoto@melcoinc.co.jp> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-06-21T20:42:54+00:00 Adam Duskett Aduskett@gmail.com 2017-06-21T20:30:53+00:00 urn:sha1:c52d50336eb6c51eb9d590cebdee72623d76dd51 Signed-off-by: Adam Duskett <aduskett@codeblue.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-20T21:13:07+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-04-19T09:07:42+00:00 urn:sha1:034e95e51e7dbe97a11d708c7762ff64861ec705 Security fixes: - CVE-2017-7468: switch off SSL session id when client cert is used Full changelog: https://curl.haxx.se/changes.html Removing 0001-CVE-2017-7407.patch. It's included in this release: https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-12T19:14:01+00:00 Baruch Siach baruch@tkos.co.il 2017-04-11T17:56:12+00:00 urn:sha1:08bf26bb34f87b6820e07b2858bb4fe49eef9048 CVE-2017-7407: --write-out out of buffer read https://curl.haxx.se/docs/adv_20170403.html Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-03-10T20:52:40+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-03-10T17:17:22+00:00 urn:sha1:07db6fa6e83560a6901a74685024d45872da68d7 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-02-23T20:35:11+00:00 Peter Korsgaard peter@korsgaard.com 2017-02-22T07:25:05+00:00 urn:sha1:c5f5d9fa4e378f3b81f51284e32ee1c23ab2a575 Fixes CVE-2017-2629 - curl SSL_VERIFYSTATUS ignored >From the advisory (http://www.openwall.com/lists/oss-security/2017/02/21/6): Curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the `CURLOPT_SSL_VERIFYSTATUS` option). When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, curl is expected to return an error. Due to a coding mistake, the code that checks for a test success or failure, ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. Contrary to how it used to function and contrary to how this feature is documented to work. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-02-01T21:01:50+00:00 Judd Meinders judd.meinders@rockwellcollins.com 2017-01-31T17:26:53+00:00 urn:sha1:4ac8510e127e337c14ac501f78b45ebbe9814327 This patch enables a config to set --enable-verbose during the configuration of libcurl. The option is triggered by setting BR2_PACKAGE_LIBCURL_VERBOSE. Signed-off-by: Judd Meinders <judd.meinders@rockwellcollins.com> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>