Mostly backports by a Red Hat employee as 0.62 and newer demands Python
3.7+. Same reason 0.61 is kept here.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit d60cfa5a9e)
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.3-relnotes.txt
```
It includes the following security fix:
* A malicious certificate can cause an infinite loop.
Reported by and fix from Tavis Ormandy and David Benjamin, Google.
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 25534d5cc2)
mkimage limits the length of the file paths in can deal with to 256
characters. Turns out that in automated builds by asu we break this
limit, so increase it to 1024 characters.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 3fbf9689b6)
Changelog:
- upstream now needs OpenSSL in order to be able to sign FITs. See:
commit cb9faa6f98ae ("tools: Use a single target-independent config to enable OpenSSL")
- removes upstream patches.
Link: cb9faa6f98
Tested-by: Sergey V. Lobanov <sergey@lobanov.in>
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit b6385a3668)
Fixed -no-pie compilation warning on MacOS
Fixed errors related to using absolute addressing on MacOS arm64
Based on upstream patch from Jessica Clarke and suggestions from Ronny Kotzschmar
Link to original patch and discussion:
3b142045e8
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
(cherry picked from commit 8261b85844)
Remove the then unnecessary patch doing exactly that individually.
See also 09465d80 "u-boot.mk: always link host libraries static".
Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit e37dffbf35)
Remove "--mtime" option introduced in commit 18c9faa032 ("tools: zip:
add option for reproducible archives") and instead fetch SOURCE_DATE_EPOCH
environment variable directly in the code.
Ref: https://sourceforge.net/p/infozip/patches/25/
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 39d06472eb)
Improvements since the 4.0.38 release are:
- Rename strtoi to strosi (string to signed int). The strtoi
function on BSD does something else (returns an intmax, not
an int)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Override python to use the one in host instead of hostpkg. There's no
need to use the latter.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 19f3fcc884)
Backport upstream patch to have reproducible FAT signatures.
This should enable reproducibility for x86 EFI images.
Signed-off-by: Paul Spooren <mail@aparcar.org>
List of changes since previous release from 2018 is quite long:
* Fix crc32.c to compile local functions only if used.
* Check for cc masquerading as gcc or clang in configure.
* Remove destructive aspects of make distclean.
* Separate out address sanitizing from warnings in configure.
* Eliminate use of ULL constants.
* Add fallthrough comments for gcc.
* Clean up minizip to reduce warnings for testing.
* Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
* minizip warning fix if MAXU32 already defined. (gvollant)
* Replace black/white with allow/block. (theresa-m)
* Fix indentation in minizip's zip.c.
* Improve portability of contrib/minizip.
* Correct typo in blast.c.
* Change macro name in inflate.c to avoid collision in VxWorks.
* Clarify gz* function interfaces, referring to parameter names.
* Fix error in comment on the polynomial representation of a byte.
* Fix memory leak on error in gzlog.c.
* Avoid adding empty gzip member after gzflush with Z_FINISH.
* Explicitly note that the 32-bit check values are 32 bits.
* Use ARM crc32 instructions if the ARM architecture has them.
* Add use of the ARMv8 crc32 instructions when requested.
* Correct comment in crc32.c.
* Don't bother computing check value after successful inflateSync().
* Use atomic test and set, if available, for dynamic CRC tables.
* Speed up software CRC-32 computation by a factor of 1.5 to 3.
* Add crc32_combine_gen() and crc32_combine_op() for fast combines.
* Add tables for crc32_combine(), to speed it up by a factor of 200.
* Fix the zran.c example to work on a multiple-member gzip file.
* Add gznorm.c example, which normalizes gzip files.
* Show all the codes for the maximum tables size in enough.c.
* Clarify that prefix codes are counted in enough.c.
* Use inline function instead of macro for index in enough.c.
* Clean up code style in enough.c, update version.
* Use a macro for the printf format of big_t in enough.c.
* Use a structure to make globals in enough.c evident.
* Assure that the number of bits for deflatePrime() is valid.
* Fix a bug that can crash deflate on some input when using Z_FIXED.
* Correct the initialization requirements for deflateInit2().
* Emphasize the need to continue decompressing gzip members.
* Add legal disclaimer to README.
* Fix deflateEnd() to not report an error at start of raw deflate.
* Remove old assembler code in which bugs have manifested.
* Make the names in functions declarations identical to definitions.
* Avoid an undefined behavior of memcpy() in _tr_stored_block().
* Avoid undefined behaviors of memcpy() in gz*printf().
* Avoid an undefined behavior of memcpy() in gzappend().
* Avoid the use of ptrdiff_t.
* Handle case where inflateSync used when header never processed.
* Don't compute check value for raw inflate if asked to validate.
* Add address checking in clang to -w option of configure.
* Return an error if the gzputs string length can't fit in an int.
* Small speedup to inflate [psumbera].
* Update use of errno for newer Windows CE versions.
* Avoid some conversion warnings in gzread.c and gzwrite.c.
* Have Makefile return non-zero error code on test failure.
* Avoid a conversion error in gzseek when off_t type too small.
* Fix CLEAR_HASH macro to be usable as a single statement.
* Fix bug when window full in deflate_stored().
* Limit hash table inserts after switch from stored deflate.
* Permit a deflateParams() parameter change as soon as possible.
* Cygwin does not have _wopen(), so do not create gzopen_w() there.
Removed 006-fix-compressor-crash-on-certain-inputs.patch which was
hotfix for CVE-2018-25032 and is now included in this release.
This release is not available on @SF (yet?) so the sources are now
pulled from GitHub.
Fixes: CVE-2018-25032
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.
Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.
Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Remove macOS stuff. Upstream has fixed it in the same way.
Add SOL_TCP define. Taken from elsewhere in the code.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to CMake for faster compilation and greater parallel
friendliness.
Added CMake options from the packages feed.
This release fixes various CVEs.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to building with meson as it's faster and does not need a
dependency on cmake, which takes a long time to build.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Refresh 2to3 patch. Upstream partially did this against some older
python version. This is still needed.
Refreshed other patches to be python3 safe.
Remove uClibc patches as only musl is present now.
Refresh others.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt
```
It includes the following security fix
* In some situations the X.509 verifier would discard an error on an
unverified certificate chain, resulting in an authentication bypass.
Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 495c4f4e19)
Changelog:
backend_startup_project
Add a man page backend to refman
extract_objects() supports generated sources
Python 3.6 support will be dropped in the next release
Warning if check kwarg of run_command is missing
meson rewrite can modify extra_files
meson rewrite target <target> info outputs target's extra_files
Visual Studio 2022 backend
Support for CMake <3.14 is now deprecated for CMake subprojects
Added support for sccache
install_symlink function
Signed-off-by: Rosen Penev <rosenp@gmail.com>
change meson binary to use py extension. Fixes issue with meson's
symbolextractor using the host python instead of the system one.
We intentionally use a .py extension here so that meson launches
additional python scripts with the same build host python interpreter as
itself is running under (and not the host package one once it becomes
available)
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- Call pager with original LANG environment variable
- Consistently complain early if no series file is found
- Fix handling of symbolic links by several commands
- Tighten the patch format parsing
- Reuse the shell (performance)
- Document the series file format further
- Document that quilt loads /etc/quilt.quiltrc
- configure: Make stat configurable
- series: Minor optimizations
- setup: Don't obey the settings of any englobing .pc
- setup: Default to fast mode
- quilt.el: Fix documentation of quilt-pc-directory
- quilt.el: Load /etc/quilt.quiltrc if ~/.quiltrc doesn't exist
- quilt.el: Fix quilt-editable when QUILT_PATCHES_PREFIX is set
Refresh patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add changelog]
Signed-off-by: Paul Spooren <mail@aparcar.org>
Makes sure that Ninja from staging_dir is used and nowhere else.
Reported by reproducible builds project. Builds have been failing ever
since tools/cmake started using Ninja.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
6c95945 ptgen: add Chromium OS kernel partition support
8e7274e cros-vbutil: add Chrome OS vboot kernel-signing utility
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
