[pull] master from buildroot:master #279
Merged
Release note: https://download.samba.org/pub/rsync/NEWS#3.4.0

Fixes the following vulnerabilities:

CVE-2024-12084: Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling
Description: A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

CVE-2024-12085: Info Leak via Uninitialized Stack Contents
Description: A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

CVE-2024-12086: Rsync Server Leaks Arbitrary Client Files
Description: A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

CVE-2024-12087: Path Traversal Vulnerability in Rsync
Description: A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

CVE-2024-12088: --safe-links Option Bypass Leads to Path Traversal
Description: A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

CVE-2024-12747: Race Condition in Rsync Handling Symbolic Links
Description: A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

For more details, see the advisory: https://www.openwall.com/lists/oss-security/2025/01/14/3

Signed-off-by: Peter Korsgaard <[email protected]>
[Julien: add link to release note]
Signed-off-by: Julien Olivain <[email protected]>
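The CVE-2024-12088 description above turns on one detail: a containment check that inspects only a symlink's immediate target misses the case where that target is itself a symlink leading outside the destination. The following is an added illustration of that failure mode and of the check a defender wants instead; it is not rsync's code or anything from the Buildroot commit, and the function names (`naive_link_check`, `strict_link_check`, `demo`) and the two-hop symlink layout it builds in a temporary directory are constructed for this example.

```python
import os
import tempfile


def naive_link_check(dest_root, link_path):
    """Single-hop check (hypothetical): read the link's own target, place it
    relative to the link's directory and test containment in dest_root
    WITHOUT resolving any further symlinks. This is the class of check that
    a chained symlink slips past."""
    root = os.path.realpath(dest_root)
    target = os.readlink(link_path)
    if not os.path.isabs(target):
        target = os.path.join(os.path.dirname(link_path), target)
    target = os.path.normpath(target)
    return os.path.commonpath([root, target]) == root


def strict_link_check(dest_root, link_path):
    """Hardened check: resolve every symlink along the whole chain, then
    test that the final path still lies inside dest_root."""
    root = os.path.realpath(dest_root)
    final = os.path.realpath(link_path)
    return os.path.commonpath([root, final]) == root


def demo():
    """Build a constructed two-hop symlink chain in a temp dir and return
    what each check decides for it."""
    with tempfile.TemporaryDirectory() as raw_tmp:
        # realpath so the fixture and the checks agree on the canonical prefix
        tmp = os.path.realpath(raw_tmp)
        dest = os.path.join(tmp, "dest")          # intended destination dir
        outside = os.path.join(tmp, "outside")    # anything here is off-limits
        os.makedirs(dest)
        os.makedirs(outside)

        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed sample data\n")

        # hop: a symlink inside dest that points outside dest
        hop = os.path.join(dest, "hop")
        os.symlink(os.path.join("..", "outside", "secret.txt"), hop)

        # link: a symlink inside dest whose immediate target ("hop") is inside
        # dest; only a full resolution reveals that it ends up outside
        link = os.path.join(dest, "link")
        os.symlink("hop", link)

        # a benign link that stays inside dest, to show strict does not over-reject
        with open(os.path.join(dest, "ok.txt"), "w") as fh:
            fh.write("constructed sample data\n")
        good = os.path.join(dest, "good")
        os.symlink("ok.txt", good)

        return {
            "naive_accepts": naive_link_check(dest, link),    # True: fooled
            "strict_accepts": strict_link_check(dest, link),  # False: rejected
            "benign_accepts": strict_link_check(dest, good),  # True: allowed
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The strict variant is the one to apply when a receiver decides whether a path it is about to write to is acceptable: resolve the full chain first, compare afterwards. Note that even the strict check is a point-in-time answer; the race condition described under CVE-2024-12747, where a regular file is swapped for a symlink between check and use, is not addressed by path resolution alone and needs the open-then-verify pattern (for example `O_NOFOLLOW` plus a post-open `fstat` comparison) rather than a check before the open.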
This patch bumps the zynqmp_zcu102_defconfig to Linux kernel 6.6.60. Signed-off-by: Neal Frager <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
This patch bumps the zynqmp_zcu104_defconfig to Linux kernel 6.6.60. Signed-off-by: Neal Frager <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
This patch bumps the zynqmp_zcu106_defconfig to Linux kernel 6.6.60. Signed-off-by: Neal Frager <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
This patch bumps the versal_vck190_defconfig to Linux kernel 6.6.60. Signed-off-by: Neal Frager <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
This patch bumps the versal_vek280_defconfig to Linux kernel 6.6.60. Signed-off-by: Neal Frager <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
This patch bumps the versal_vpk180_defconfig to Linux kernel 6.6.60. Signed-off-by: Neal Frager <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
curlpp is broken since the bump of libcurl to 8.10.0 in commit [1]. This patch backports a pull request from upstream [2] to solve it. Fixes: https://autobuild.buildroot.org/results/4a4d3b248898f0e73620fcb1a7a94dcfb6e6866e/ [1] https://gitlab.com/buildroot.org/buildroot/-/commit/d68b999787a0e0838c3bb2d5966f11d8a349a49b [2] jpbarrette/curlpp#178 Signed-off-by: Thomas Bonnefille <[email protected]> [Julien: - reword patch title one liner - add link to commit which introduced the issue - add link to the upstream pull request ] Signed-off-by: Julien Olivain <[email protected]>
Upstream changelog: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.50.1/NEWS?ref_type=tags Release downloads have moved to gitlab.freedesktop.org, see [1, 2]. Drop patch included upstream. [1] https://lists.freedesktop.org/archives/networkmanager/2024-December/000364.html [2] https://download.gnome.org/sources/NetworkManager/IMPORTANT-NetworkManager-releases-moved.txt Signed-off-by: Fiona Klute (WIWA) <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
Commit [1] "toolchain/toolchain-external/toolchain-external-synopsys-arc: mark as broken" disabled BR2_TOOLCHAIN_EXTERNAL_SYNOPSYS_ARC by adding a depends on BR2_BROKEN. This symbol does not exist and generates check-symbol failures, see [2]. This commit fixes this issue by introducing the BR2_BROKEN hidden symbol that will be used to track features known to be broken. This symbol will help to track features that have been broken for too long and remove them. Fixes: [2] [1] https://gitlab.com/buildroot.org/buildroot/-/commit/11a8cdd2bbbd0ef4adf600e4792d75f6f2122ec8 [2] https://gitlab.com/buildroot.org/buildroot/-/jobs/8840476511 Reviewed-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
The nios2 architecture was deprecated in gcc-14 and has been removed in the upcoming gcc-15 [1][2]. Our last and only nios2 defconfig "qemu_nios2_10m50_defconfig" was removed in 2024.11 due to nios2 removal from Qemu 9.1.0 [3]. Remove nios2 testing from Buildroot autobuilders. [1] https://sourceware.org/pipermail/binutils/2024-April/133675.html [2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e876acab6cdd84bb2b32c98fc69fb0ba29c81153 [3] f96b4c1 Cc: Thomas Petazzoni <[email protected]> Cc: Peter Korsgaard <[email protected]> Cc: Julien Olivain <[email protected]> Cc: Arnout Vandecappelle <[email protected]> Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
Nios2 will be removed from Buildroot, so Bootlin toolchains will no longer provide a nios2 toolchain in further releases. Cc: Thomas Petazzoni <[email protected]> Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
We are going to remove nios2 support, so remove the Bootlin nios2 external toolchain. Remove this toolchain from the Buildroot testsuite. Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
Doing so, we remove nios2 support from the internal toolchain backend. Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
The Buildroot internal toolchain backend for nios2 was removed, so remove nios2 handling from the gcc package. Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
The nios2 architecture was deprecated in gcc-14 and has been removed in the upcoming gcc-15 [1][2]. Our last and only nios2 defconfig "qemu_nios2_10m50_defconfig" was removed in 2024.11 due to nios2 removal from Qemu 9.1.0 [3]. This patch only definitively hides the symbol. When all references to it are removed (to come in followup patches), we'll eventually remove the symbol altogether. [1] https://sourceware.org/pipermail/binutils/2024-April/133675.html [2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e876acab6cdd84bb2b32c98fc69fb0ba29c81153 [3] f96b4c1 Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
Remaining "nios2" strings come from existing patches that are not removed along with the BR2_nios2 symbol. Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
The nios2 architecture was deprecated in gcc-14 and has been removed in the upcoming gcc-15 [1][2]. This commit removes nios2 from the architecture entry. [1] https://sourceware.org/pipermail/binutils/2024-April/133675.html [2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e876acab6cdd84bb2b32c98fc69fb0ba29c81153 Signed-off-by: Romain Naour <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.1)