The file contains the the /usr/lib path from the toolchain directory and
not from the target directory. The /usr/lib directory for the toolchain
is empty and the shared library is not in the specified paths. On RISCV
the linker of util-linux was finding the libncursesw.so in my host
system, tried to link against it and failed. Fix the .pc file.
Fixes: #15942
Co-authored-by: Thomas Weißschuh <thomas@t-8ch.de>
Link: https://github.com/openwrt/openwrt/pull/16018
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 91573ac145)
Link: https://github.com/openwrt/openwrt/pull/16390
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
* Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535)
Added github releases url as source mirror
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16332
(cherry picked from commit 62d3773bf1)
Link: https://github.com/openwrt/openwrt/pull/16346
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This contains a fix for:
CVE-2024-45157:
Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Link: https://github.com/openwrt/openwrt/pull/16367
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes multiple security problems:
* [Medium] CVE-2024-1544
Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.
* [Medium] CVE-2024-5288
A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.
* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.
* [Low] CVE-2024-5991
In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.
* [Medium] CVE-2024-5814
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.
* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.
* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.
Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.
Link: https://github.com/openwrt/openwrt/pull/15948
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3a0232ffd3)
This contains a fix for:
CVE-2024-28960: An issue was discovered in Mbed TLS 2.18.0 through 2.28.x
before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto
API mishandles shared memory.
(cherry picked from commit 360ac07eb9)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Currently, the build option to enable/disable engine support isn't
reflected in the final '/etc/ssl/openssl.cnf' config. It assumes `engines`
is always enabled, producing an error whenever running any
commands in openssl util or programs that explicitly use settings
from '/etc/ssl/openssl.cnf'.
```
➤ openssl version
FATAL: Startup failure (dev note: apps_startup()) for openssl
307D1EA97F000000:error:12800067:lib(37):dlfcn_load:reason(103):crypto/dso/dso_dlfcn.c:118:filename(libengines.so):
Error loading shared library libengines.so: No such file or directory
307D1EA97F000000:error:12800067:lib(37):DSO_load:reason(103):crypto/dso/dso_lib.c:152:
307D1EA97F000000:error:0700006E:lib(14):module_load_dso:reason(110):crypto/conf/conf_mod.c:321:module=engines, path=engines
307D1EA97F000000:error:07000071:lib(14):module_run:reason(113):crypto/conf/conf_mod.c:266:module=engines
```
Build should check for the `CONFIG_OPENSSL_ENGINE` option, and comment out `engines`
if not explicitly enabled.
Example:
```
[openssl_init]
providers = provider_sect
```
After this change, openssl util works correctly.
```
➤ openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/15661
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 31ec4515c3)
Link: https://github.com/openwrt/openwrt/pull/15873
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [04-Jun-2024]
* Fixed potential use after free after SSL_free_buffers() is called.
[CVE-2024-4741]
* Fixed checking excessively long DSA keys or parameters may be very slow.
[CVE-2024-4603]
* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
would lead to a Denial of Service. [CVE-2024-2511]
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded. This can be used on platforms
where using atexit() from shared libraries causes crashes on exit
Signed-off-by: John Audia <therealgraysky@proton.me>
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
(cherry picked from commit bac2f1bed6)
Link: https://github.com/openwrt/openwrt/pull/15873
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes multiple security problems:
* [High] CVE-2024-0901 Potential denial of service and out of bounds
read. Affects TLS 1.3 on the server side when accepting a connection
from a malicious TLS 1.3 client. If using TLS 1.3 on the server side
it is recommended to update the version of wolfSSL used.
* [Med] CVE-2024-1545 Fault Injection vulnerability in
RsaPrivateDecryption function that potentially allows an attacker
that has access to the same system with a victims process to perform
a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin
Zhang, Qingni Shen for the report (Peking University, The University
of Western Australia)."
* [Med] Fault injection attack with EdDSA signature operations. This
affects ed25519 sign operations where the system could be susceptible
to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang,
Qingni Shen for the report (Peking University, The University of
Western Australia).
Size increased a little:
wolfssl 5.6.6:
516880 bin/packages/mips_24kc/base/libwolfssl5.6.6.e624513f_5.6.6-stable-r1_mips_24kc.ipk
wolfssl: 5.7.0:
519429 bin/packages/mips_24kc/base/libwolfssl5.7.0.e624513f_5.7.0-stable-r1_mips_24kc.ipk
(cherry picked from commit f475a44c03)
Link: https://github.com/openwrt/openwrt/pull/15872
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
On Fedora 40 system, some compile error happens when
building iconv-ostream.c. Linking to libiconv-full
fixes this.
Signed-off-by: Yanase Yuki <dev@zpc.st>
(cherry picked from commit 63dd14b906)
Link: https://github.com/openwrt/openwrt/pull/15627
Signed-off-by: Robert Marko <robimarko@gmail.com>
Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
* Fixed PKCS12 Decoding crashes
([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
CPUs which support PowerISA 2.07
([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q parameter
value ([CVE-2023-5678])
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit 44cd90c49a)
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for following security issues:
* Timing side channel in private key RSA operations (CVE-2024-23170)
Mbed TLS is vulnerable to a timing side channel in private key RSA
operations. This side channel could be sufficient for an attacker to
recover the plaintext. A local attacker or a remote attacker who is
close to the victim on the network might have precise enough timing
measurements to exploit this. It requires the attacker to send a large
number of messages for decryption.
* Buffer overflow in mbedtls_x509_set_extension() (CVE-2024-23775)
When writing x509 extensions we failed to validate inputs passed in to
mbedtls_x509_set_extension(), which could result in an integer overflow,
causing a zero-length buffer to be allocated to hold the extension. The
extension would then be copied into the buffer, causing a heap buffer
overflow.
Fixes: CVE-2024-23170, CVE-2024-23775
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
Signed-off-by: orangepizza <tjtncks@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [formal fixes]
(cherry picked from commit 920414ca88)
Activate the secp521r1 ecliptic curve by default. This curve is allowed
by the CA/Browser forum, see
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.1-redlined.pdf#page=110
This increases the size of libmbedtls12_2.28.5-1_aarch64_generic.ipk by
about 400 bytes:
Without:
252,696 libmbedtls12_2.28.5-1_aarch64_generic.ipk
With:
253,088 libmbedtls12_2.28.5-2_aarch64_generic.ipk
Fixes: #13774
Acked-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3c17cdbc36)
Some packages (like wavemon >= 0.9.4) depend on libnl-cli. Add support
for this part of the lib. libnl-cli itself depends on libnl-genl and
libnl-nf. On MIPS, this component adds 81kB.
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
(punctuation correction and reorganisation of commit message)
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 4bdd1c1a13)
Some packages (like wavemon >= 0.9.4) depend on libnl-cli. Add support
for this part of the lib. libnl-cli itself depends on libnl-genl and
libnl-nf. On MIPS, this component adds 81kB.
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
(punctuation correction and reorganisation of commit message)
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 4bdd1c1a13)
Changes:
6b2533c0 libnl-3.8.0 release
1558bd62 build: replace old "NOTE" in configure output and add summary
f66383a4 build: avoid aclocal warning about missing "m4" directory
e4402a4c build: run `autoupdate` for AM_PROG_LIBTOOL
5761b6af build: add "-Wno-portability" to AC_INIT_AUTOMAKE()
661f10a1 license: fix/adjust license for "src/nl-cls-add.c"
c8fcb412 license: fix/adjust license for "src/nl-addr-{add,delete,list}.c"
e3e6fd6d tests: use thread-safe localtime_r() instead of localtime()
f520471c lib/xfrm: use thread-safe gmtime_r() instead of gmtime()
be5add72 tests: avoid srandom()/random() in favor of _nltst_rand_u32()
40578a62 lib: use getprotobyname_r(), getprotobynumber_r() if available
8ee8b05f lib: fix error handling in nl_str2ip_proto()
09f03f29 tests: check nl_str2ip_proto()
74bffbf6 route: fix documentation comment for nl_nh_group_info
59f8db0d clang-format: add "-l" alias for option in "tools/clang-format.sh"
935cc90a clang-format: ignore reformatting commit in ".git-blame-ignore-revs"
53da4712 clang-format: reformat files with new format
65c43bfe clang-format: update ".clang-format" from linux kernel
4c39a2ce include: use <linux/$file> instead of <linux-private/linux/$file>
a1e9fb3d include/linux: add all linux headers that we use
d37ffe15 include/linux: update all linux headers
1af767a8 include: add missing "extern "C"" specifier to public headers
e0a5d12b all: drop "extern "C"" from internal code
d9a1e0ce build: add "check-local-build-headers" test target to build public headers
02b87012 build: add a "check-local" build target
f9413915 include: fix headers "include/netlink/route/{netconf.h,route/qdisc/red.h}" to be self-contained
680df173 idiag: "fix" license for "idiag-socket-details" tool
2f210d9a github: test build on alpine:latest for musl
dcc4c0a5 Revert "gitignore: ignore patch files"
39106309 github: add test for linking with mold and fail on unknown versions
f475c3b2 route/nh: drop not implemented "nh" API from headers
4c681e77 build: fix exporting symbol rtnl_link_info_ops_get
260c9575 include: don't explicitly include headers from "nl-default.h"
98c1e696 tests: cleanup include of netlink headers
42bec462 build: cleanup default include list in Makefile.am
4c1a119a include: include private linux headers with explicit path
ca063725 python: add make target for python build
25c90193 python: drop unused "python/netlink/fixes.h"
3f3da7fd gitignore: ignore python build artifacts
61ef5609 gitignore: ignore generated doc files
298c5dc6 include: drop "netlink-private/netlink.h" and move declarations
862eed54 all: cleanup includes and use "nm-default.h"
2b3cd741 include: add "nl-default.h" header
8952ce6f build: move "lib/defs.h" to "include/config.h"
1010776d include: split and drop "netlink-private/types.h"
d1d57846 include: rename "nl-shared-core" to "nl-priv-dynamic-core"
fc91c4f8 include: rename "nl-hidden-route" to "nl-priv-dynamic-route"
9bb6f770 include: rename "nl-intern-route" to "nl-priv-static-route"
b5195db9 genl: rename private header "nl-priv-genl.h" to "nl-genl.h"
0eacf658 include: make "netlink/route/link/{inet,inet6}.h" self-contained
ad014ad1 route/tc: avoid unalinged access in rtnl_tc_msg_parse()
05bd6366 add support for TC action statistics
776fc5a6 lib: move "include/netlink-private/object-api" to include/nl-shared-core
fad34560 lib: move "include/netlink-private/cache-api" to include/nl-shared-core
ed2be537 route: move "include/netlink-private/route/link/sriov.h" to lib/route/link-sriov.h
97f61eda lib: move "include/netlink-private/socket.h" to lib/nl-core.h
96e1cc5b route: move "include/netlink-private/route/nexthop-encap.h" to lib/route
391e03d3 route: merge "include/netlink-private/tc.h" to lib/route/tc-api.h
7fc4f5b3 route: move rtnl_tc_build_rate_table() to "tc-api.h"
cf41e14d route: move "include/netlink-private/route/tc-api.h" to lib/route
db810cfb route: move hidden symbols from "include/netlink-private/route/tc-api.h"
ff08e618 build: don't add lib/route to include directory for all libs
eb8da16d include: move "include/netlink-private/route/link/api.h" to lib/route
8b2074aa include: move "include/netlink-private/route/utils.h" to nl-intern-route
fd470c06 include: move "include/netlink-private/route/mpls.h" to "lib/mpls.h"
78056ad2 genl: add comment about wrongly exported symbol genl_resolve_id()
befc4ab4 include: move "include/netlink-private/genl.h" to "lib/genl/nl-priv-genl.h"
f6c26127 nl-aux: add "include/nl-aux-{core,route}" headers
2da8481b base: move "netlink-private/utils.h" to "base/nl-base-utils.h"
d3e9b513 include/utils: move nl-auto base defines to "utils.h"
543b9f8f clang-format: reformat "include/netlink-private/nl-auto.h"
aa565460 route: cleanup ATTR_DIFF() macros
beba5a18 cli: add nl-nh-list utility
780d06ae route: add nh type
1b6433d9 neigh: add support of NHID attribute
e0140c5f include: import kernel headers "linux/{neighbour,nexthop,rtnetlink}.h"
eef06744 utils: add static-assert for signedness of arguments of _NL_CMP_DIRECT() macro
679c4c51 cli: use <netlink-private/utils.h> in cli and _nl_{init,exit}
a9c5de52 lib: use _nl_{init,exit} instead of __{init,exit}
102f9bd2 include/private: add _nl_init/_nl_exit macros
6782678e include/private: drop unused __deprecated macro
a0535a58 all: use "_nl_packed" macro instead of "__attribute__((packed))"
8c9f98cf all: rework ATTR_DIFF() macros to not generate attribute names
ca34ad52 lib: handle negative and zero size in nla_memcpy()
859b89dc include: drop now unused min()/max()/min_t()/max_t() macros
2e0ae977 all: use _NL_{MIN,MAX}() macros
57c451fa utils: add various helpers to "include/netlink-private/utils.h"
a9a9dcea style: format "include/netlink-private/utils.h" with clang-format
590e8a61 tools: improve failure message with "tools/clang-format.sh -n"
06dc5ae0 github: fix format checking with clang-format
7738f239 route/trivial: sort entries in "libnl-route-3.sym" asciibetically
fc805c56 route/bond: Add support for link_info for bond
6af26981 lib: accept NULL argument in nla_nest_cancel() for robustness
e9662091 macsec: Drop offload capability validation check
35a68109 github: update flake8 linter to not explicitly select checks
9a266405 python: add ".flake8" file for configuring "flake8"
e6b934a5 python: fix flake8 warnings E712
2cea738b python: fix flake8 warnings E711
d561096c python: fix flake8 warnings E302
29b06d0f python: fix flake8 warnings E741
4dc1f498 python: fix flake8 warnings F841
f4875c69 python: fix flake8 warnings W605
9a3d91df python: fix flake8 warnings F401
6baf2339 clang-format: add "tools/clang-format-container.sh" script
ee2876e3 github: add test for checking clang-format style
45c7aae3 clang-format: add "tools/clang-format.sh" script
02e0fd3f github: check python-black code formatting in github actions
2dd53895 build: add ".git-blame-ignore-revs" file for "blame.ignoreRevsFile" git config
3c753e3c python: reformat all Python files with python-black
298ee58e python add "pyproject.toml" for configuring black
a0e4b7f9 github: skip Python flake8 test with clang build
c4240c0b github: run "Build Release" test also with clang
143cee1d bridge: fix bridge info parsing
96bbe55c test-cache-mngr: Flush output after object dumps
cf5dcbcd test-cache-mngr: Add option to print timestamps
bd570952 test-cache-mngr: Add an option to iterate over all supported address families
bf80da90 test-cache-mngr: Add dump interval options
80febeea test-cache-mngr: Add an option to control which oo_dump function is used
6519a917 route/link: prevent segfault in af_request_type()
a68260f8 github: fix installing python dependencies via pip
39c04bc7 build: drop redundant "autogen.sh" call from "tools/build_release.sh"
d411b88d build: change proper working directory in "doc/autogen.sh"
2fa73ce0 build: ensure "autogen.sh" scripts fail on error
fc786296 gitignore: ignore "*~" files
4c4e614b docs: rtnl_link_put() 'releases' instead of 'returns'
336b15dc include/linux: update copy of kernel header "linux/ipv6.h"
e2cacc26 route/link: improve handling of IFLA_INET6_CONF
ec8c493c route/link: remove rtnl_link_inet6_set_conf() API
e790f8ad route/link: various fixes for rtnl_link_inet6_get_conf() API
d83c6d54 route/link: add accessor API for IPv6 DEVCONF
9167504d bridge: drop unnecessary goto in bridge_info_parse()
984d6e93 bridge: don't normalize the u8 argument in rtnl_link_bridge_set_vlan_filtering() to boolean
3662a5da bridge: expose rtnl_link_bridge_get_vlan_protocol() in host byte order
5a1ef219 bridge: fix parsing vlan-protocol in bridge_info_parse()
ad1c2927 bridge: minor cleanups in "bridge_info.c"
1c74725a bridge: use SPDX license identifiers in bridge_info files
26ca549d bridge: reformat bridge_info file with clang-format
08dc5d9c bridge: extend libnl with options needed for VLAN aware forwarding
7391a38e bridge: Add support for link_info of a bridge
1f1e8385 route/vlan: drop unnecessary "else" in vlan_put_attrs()
2bc30e57 route/vlan: fix error handling in 'lib/route/link/vlan.c'
8273d6ce build: add comments to linker version scripts about the version tags
6ac7a812 doc: fix typo
07d274ab doc: fix typo
0461a425 attr: reject zero length addresses
8d40d9eb route: construct all-zero addresses for default route destination
25d42a4f addr: allow constructing all-zero addresses
0c0aee82 addr: create an all-zero addresses when parsing "any" or "default"
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 4e5d45f1e6)
This fixes building with USE_LTO enabled.
<artificial>:(.text+0x4194): relocation R_MIPS16_26 against `cil_printf.lto_priv.0' cannot be used when making a shared object; recompile with -fPIC
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: non-dynamic relocations refer to dynamic symbol memcmp
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: failed to set dynamic section sizes: bad value
collect2: error: ld returned 1 exit status
Signed-off-by: Anari Jalakas <anari.jalakas@gmail.com>
(cherry picked from commit 1925a183a3)
This fixes building with USE_LTO enabled:
<artificial>:(.text.exit+0x6e): relocation R_MIPS16_26 against `pthread_key_delete' cannot be used when making a shared object; recompile with -fPIC
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: non-dynamic relocations refer to dynamic symbol stpcpy
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: failed to set dynamic section sizes: bad value
collect2: error: ld returned 1 exit status
Signed-off-by: Anari Jalakas <anari.jalakas@gmail.com>
(cherry picked from commit 2a33d26d21)
Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit e4ebc7b566)
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining package which have a CPE ID.
Not every package has CPE id.
Related: https://github.com/openwrt/packages/issues/8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows. ([CVE-2023-4807])
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit bfd54529fa)
