<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package, branch 2017.02.2</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.02.2</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.02.2'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-05-01T21:59:39+00:00</updated>
<entry>
<title>busybox: no need to disable clear and reset</title>
<updated>2017-05-01T21:59:39+00:00</updated>
<author>
<name>Arnout Vandecappelle</name>
<email>arnout@mind.be</email>
</author>
<published>2017-04-24T20:13:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=abfcc5624b0bd01a8c8c3c01b4d9b91f9ddeda31'/>
<id>urn:sha1:abfcc5624b0bd01a8c8c3c01b4d9b91f9ddeda31</id>
<content type='text'>
Removing clear and reset from the busybox config when the ncurses tools
are enabled is not really needed.

Since commit 802bff9c42, the busybox install will not overwrite
existing programs. Therefore, the tools will be installed correctly
regardless of the order of the build:
- if busybox is built first, the clear and reset apps are installed,
  but they will be overwritten by ncurses;
- if ncurses is built first, it will install the clear and reset apps,
  and busybox will no longer install them.

We prefer not to modify the busybox configuration when not strictly
necessary, because it is surprising for the user that his configuration
is not applied. Clearly, it's not ideal that busybox is configured with
redundant apps, but if the user wants to shrink it, it's possible to
provide a custom config.

This partially reverts commit 33c72344a8686a136c1da6a056ed6c0945bbf8b7.

Cc: Matthew Weber &lt;matthew.weber@rockwellcollins.com&gt;
Cc: Danomi Manchego &lt;danomimanchego123@gmail.com&gt;
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
Tested-by: Matt Weber &lt;matthew.weber@rockwellcollins.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 200282e2070ec0405184378c3cfb4e04ab26c5d8)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>linux-headers: bump 4.4.x series to 4.4.65</title>
<updated>2017-05-01T20:43:16+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-05-01T18:57:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=b706f46e97629f922ab0ab333b490b72ef9e625c'/>
<id>urn:sha1:b706f46e97629f922ab0ab333b490b72ef9e625c</id>
<content type='text'>
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 0d18d1d9c0dd8173eee918b30761548c19b6bfdc)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>linux-headers: bump 3.18.x series to 3.18.51</title>
<updated>2017-05-01T18:58:08+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-05-01T18:58:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=7ac7be5f87017c6d81f23b532054e21be11aedbd'/>
<id>urn:sha1:7ac7be5f87017c6d81f23b532054e21be11aedbd</id>
<content type='text'>
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>freetype: add upstream security fixes for CVE-2017-8105 and CVE-2017-8287</title>
<updated>2017-05-01T07:20:14+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-04-30T19:36:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=84e3e5a9f0a6028d230c757fbac8e8895e31dcc3'/>
<id>urn:sha1:84e3e5a9f0a6028d230c757fbac8e8895e31dcc3</id>
<content type='text'>
Add upstream post-2.7.1 commits (except for ChangeLog modifications) fixing
the following security issues:

CVE-2017-8105 - FreeType 2 before 2017-03-24 has an out-of-bounds write
caused by a heap-based buffer overflow related to the
t1_decoder_parse_charstrings function in psaux/t1decode.c.

CVE-2017-8287 - FreeType 2 before 2017-03-26 has an out-of-bounds write
caused by a heap-based buffer overflow related to the
t1_builder_close_contour function in psaux/psobjs.c.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
(cherry picked from commit 6d557ac0133618fe4fe1d417bf584e21ef208871)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/samba4: bump version to 4.5.8</title>
<updated>2017-05-01T07:17:16+00:00</updated>
<author>
<name>Bernd Kuhls</name>
<email>bernd.kuhls@t-online.de</email>
</author>
<published>2017-04-29T14:02:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=eac5d8c01d2e338ecc46f2da692365800033ce4c'/>
<id>urn:sha1:eac5d8c01d2e338ecc46f2da692365800033ce4c</id>
<content type='text'>
Version bump includes a regression fix:
https://www.samba.org/samba/history/samba-4.5.8.html

Signed-off-by: Bernd Kuhls &lt;bernd.kuhls@t-online.de&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
(cherry picked from commit 67c25f897dd61802ea97c83619ca5dace8ba7c27)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>ghostscript: add upstream security fixes for CVE-2017-8291</title>
<updated>2017-05-01T06:38:47+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-04-28T07:49:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=8879b99a50c3d6977222e289124d8d85765e8632'/>
<id>urn:sha1:8879b99a50c3d6977222e289124d8d85765e8632</id>
<content type='text'>
CVE-2017-8291 - Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass
and remote command execution via a "/OutputFile (%pipe%" substring in a
crafted .eps document that is an input to the gs program, as exploited in
the wild in April 2017.

For more details, see https://bugzilla.suse.com/show_bug.cgi?id=1036453

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 874becfd019bc8f4e126684d08c4164e984b11c3)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
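The Ghostscript entry above (CVE-2017-8291) names the primitive: a PostScript string such as /OutputFile (%pipe%...) that turns output-device configuration into a command pipe when -dSAFER can be bypassed. A pre-filter on untrusted .eps/.ps input in front of gs is therefore worth having alongside the patched package. The scanner below is an added example written for this page; it is not Buildroot or Ghostscript code and is not taken from the SUSE bug. It assumes only the Python standard library, uses constructed sample documents, and decodes PostScript string escapes so that the octal spelling \045pipe\045 is caught as well as the literal one.

```python
import re

# Constructed sample documents (test fixtures for this example, not taken
# from the commit, the SUSE bug report or any real in-the-wild file).
BENIGN_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"%%BoundingBox: 0 0 100 100\n"
    b"newpath 0 0 moveto 100 100 lineto stroke\n"
    b"showpage\n"
)

# Plain form: the OutputFile string starts with the %pipe% device prefix.
PIPE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"%%BoundingBox: 0 0 100 100\n"
    b"mark /OutputFile (%pipe%id) currentdevice putdeviceprops\n"
    b"showpage\n"
)

# Same payload with the percent signs written as PostScript octal escapes,
# which a naive substring search for b"%pipe%" would miss.
ESCAPED_PIPE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"mark /OutputFile (\\045pipe\\045id) currentdevice putdeviceprops\n"
    b"showpage\n"
)

# A PostScript literal string: "(" ... ")" with backslash escapes. Nested
# balanced parentheses inside a string are not handled by this simple regex.
_PS_STRING = re.compile(rb"\((?:\\.|[^()\\])*\)", re.DOTALL)
_OCTAL = re.compile(rb"[0-7]{1,3}")
_ESCAPES = {
    b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
    b"\\": b"\\", b"(": b"(", b")": b")",
}


def decode_ps_string(raw: bytes) -> bytes:
    """Decode the body of a PostScript literal string (outer parentheses
    already stripped): \\ddd octal escapes, the named escapes above and
    backslash-newline line continuations. Unknown escapes keep the char."""
    out = bytearray()
    i, n = 0, len(raw)
    while n > i:
        c = raw[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        i += 1                      # skip the backslash
        if i == n:
            break                   # trailing backslash: nothing to decode
        m = _OCTAL.match(raw, i)
        c = raw[i:i + 1]
        if m:
            out.append(int(m.group(0), 8) % 256)
            i = m.end()
        elif c in _ESCAPES:
            out += _ESCAPES[c]
            i += 1
        elif c == b"\n":
            i += 1                  # line continuation, emits nothing
        elif c == b"\r":
            i += 1
            if raw[i:i + 1] == b"\n":
                i += 1
        else:
            out += c
            i += 1
    return bytes(out)


def find_pipe_devices(ps: bytes) -> list:
    """Return the decoded contents of every string literal in `ps` that
    begins with the %pipe% device prefix, however the percent signs were
    spelled. Case-folded to be conservative. Empty list means no hit."""
    hits = []
    for m in _PS_STRING.finditer(ps):
        body = decode_ps_string(m.group(0)[1:-1])
        if body.lower().startswith(b"%pipe%"):
            hits.append(body)
    return hits


def is_suspicious(ps: bytes) -> bool:
    """True if the document should be rejected before it reaches gs."""
    return bool(find_pipe_devices(ps))


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_EPS), ("pipe", PIPE_EPS),
                      ("escaped", ESCAPED_PIPE_EPS)):
        print(name, is_suspicious(doc), find_pipe_devices(doc))
```

A non-empty result is a reason to reject the file outright rather than to sanitise it, since PostScript offers many ways to rebuild the same string at run time; the check is a cheap first filter, not a replacement for the upstream fix or for running gs with -dSAFER in a sandbox.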
<entry>
<title>python-django: security bump to version 1.10.7</title>
<updated>2017-04-28T12:53:27+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-04-27T07:37:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=60e7c1075f6c3878a38a217c34d5212af1a19633'/>
<id>urn:sha1:60e7c1075f6c3878a38a217c34d5212af1a19633</id>
<content type='text'>
Fixes the following security issues:

Since 1.10.3:

CVE-2016-9013 - User with hardcoded password created when running tests on
Oracle

Marti Raudsepp reported that a user with a hardcoded password is created
when running tests with an Oracle database.

CVE-2016-9014 - DNS rebinding vulnerability when DEBUG=True

Aymeric Augustin discovered that Django does not properly validate the Host
header against settings.ALLOWED_HOSTS when the debug setting is enabled.  A
remote attacker can take advantage of this flaw to perform DNS rebinding
attacks.

Since 1.10.7:

CVE-2017-7233 - Open redirect and possible XSS attack via user-supplied
numeric redirect URLs

It was discovered that is_safe_url() does not properly handle certain
numeric URLs as safe.  A remote attacker can take advantage of this flaw to
perform XSS attacks or to use a Django server as an open redirect.

CVE-2017-7234 - Open redirect vulnerability in django.views.static.serve()

Phithon from Chaitin Tech discovered an open redirect vulnerability in the
django.views.static.serve() view.  Note that this view is not intended for
production use.

Cc: Oli Vogt &lt;oli.vogt.pub01@gmail.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 3a66a81b7a9db8e45f15fa63cc0670d158003d5a)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>linux-headers: bump 4.{4,9,10}.x series</title>
<updated>2017-04-28T12:51:53+00:00</updated>
<author>
<name>Vicente Olivert Riera</name>
<email>Vincent.Riera@imgtec.com</email>
</author>
<published>2017-04-27T13:43:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=75c7c53e880efcb00675b97f4a20adca29cf4510'/>
<id>urn:sha1:75c7c53e880efcb00675b97f4a20adca29cf4510</id>
<content type='text'>
[Peter: drop 4.10.x bump]
Signed-off-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 431bd936a154c16cab8dcf18563641949eed1cb1)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libnl: add upstream security fix</title>
<updated>2017-04-28T12:43:28+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-04-27T10:50:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=e63c2c35665e17e9b63e53bc6620a20d6e748571'/>
<id>urn:sha1:e63c2c35665e17e9b63e53bc6620a20d6e748571</id>
<content type='text'>
CVE-2017-0553: An elevation of privilege vulnerability in libnl could enable a
local malicious application to execute arbitrary code within the context of
the Wi-Fi service.

https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1511855.html

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 5efbd573c0a4df751e038a927c09af5aac1a233e)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>tiff: add upstream security fixes</title>
<updated>2017-04-28T12:33:20+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-04-26T21:58:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=89300b00976435090f5a3cc04dee8c979dd1d811'/>
<id>urn:sha1:89300b00976435090f5a3cc04dee8c979dd1d811</id>
<content type='text'>
Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing
the following security issues:

CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_read.c:351:22.

CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_ojpeg.c:816:8.

CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 512" and
libtiff/tif_unix.c:340:2.

CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 8" and
libtiff/tif_read.c:523:22.

CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer
overflow in the tools/tiffcp resulting in DoS or code execution via a
crafted BitsPerSample value.

CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7
has a left-shift undefined behavior issue, which might allow remote
attackers to cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted image.

CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata
is properly initialized, which might allow remote attackers to obtain
sensitive information from process memory via a crafted image.

CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in
tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (memory leak) via a crafted image.

CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7
allows remote attackers to cause a denial of service (divide-by-zero error
and application crash) via a crafted image.

CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers
to cause a denial of service (divide-by-zero error and application crash)
via a crafted image.

CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit
type long" undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via a crafted image.

CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might
allow remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted image.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit 030fe340af365b834c15142f862e0de6d5f95737)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
</feed>
