This fixes the following security problems:
CVE-2016-7440: Software AES table lookups do not properly consider cache-bank access times
CVE-2016-7439: Software RSA does not properly consider cache-bank monitoring
CVE-2016-7438: Software ECC does not properly consider cache-bank monitoring
SWEET32 Attack
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Support for MIPS toolchains without FPU support was added upstream,
so remove our patch.
patches/310-mips-link-tool.patch was a backport form this version of valgrind
src/abort.c is not referenced anywhere
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes the following security problems:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Move the revision info to the VERSION_CODE variable and default VERSION_NUMBER
to CURRENT for master branch builds.
Also introduce a new menuconfig option CONFIG_VERSION_CODE which allows users
to override the revision value put into VERSION_CODE and adjust the template
files used by the base-files package to accomodate for the changed semantics.
While we're at it, also adjust the various URLs to match the current web site.
After this commit, the relevent files will look like the examples given below:
# cat /etc/openwrt_version
r2398+1
# cat /etc/openwrt_release
DISTRIB_ID='LEDE'
DISTRIB_RELEASE='CURRENT'
DISTRIB_REVISION='r2398+1'
DISTRIB_CODENAME='reboot'
DISTRIB_TARGET='x86/64'
DISTRIB_DESCRIPTION='LEDE Reboot CURRENT r2398+1'
DISTRIB_TAINTS='no-all override'
# cat /usr/lib/os-release
NAME="LEDE"
VERSION="CURRENT, Reboot"
ID="lede"
ID_LIKE="lede openwrt"
PRETTY_NAME="LEDE Reboot CURRENT"
VERSION_ID="current"
HOME_URL="http://lede-project.org/"
BUG_URL="http://bugs.lede-project.org/"
SUPPORT_URL="http://forum.lede-project.org/"
BUILD_ID="r2398+1"
LEDE_BOARD="x86/64"
LEDE_TAINTS="no-all override"
LEDE_DEVICE_MANUFACTURER="LEDE"
LEDE_DEVICE_MANUFACTURER_URL="http://lede-project.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="LEDE Reboot CURRENT r2398+1"
On a release branch, those files would look like:
# cat /etc/openwrt_version
r2399
# cat /etc/openwrt_release
DISTRIB_ID='LEDE'
DISTRIB_RELEASE='16.12-CURRENT'
DISTRIB_REVISION='r2399'
DISTRIB_CODENAME='test_release'
DISTRIB_TARGET='x86/64'
DISTRIB_DESCRIPTION='LEDE Test Release 16.12-CURRENT r2399'
DISTRIB_TAINTS='no-all override'
# cat /usr/lib/os-release
NAME="LEDE"
VERSION="16.12-CURRENT, Test Release"
ID="lede"
ID_LIKE="lede openwrt"
PRETTY_NAME="LEDE Test Release 16.12-CURRENT"
VERSION_ID="16.12-current"
HOME_URL="http://lede-project.org/"
BUG_URL="http://bugs.lede-project.org/"
SUPPORT_URL="http://forum.lede-project.org/"
BUILD_ID="r2399"
LEDE_BOARD="x86/64"
LEDE_TAINTS="no-all override"
LEDE_DEVICE_MANUFACTURER="LEDE"
LEDE_DEVICE_MANUFACTURER_URL="http://lede-project.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="LEDE Test Release 16.12-CURRENT r2399"
On a release tag, those files would look like:
# cat /etc/openwrt_version
r2500
# cat /etc/openwrt_release
DISTRIB_ID='LEDE'
DISTRIB_RELEASE='17.02.1'
DISTRIB_REVISION='r2500'
DISTRIB_CODENAME='mighty_unicorn'
DISTRIB_TARGET='x86/64'
DISTRIB_DESCRIPTION='LEDE Mighty Unicorn 17.02.1 r2500'
DISTRIB_TAINTS='no-all override'
# cat /usr/lib/os-release
NAME="LEDE"
VERSION="17.02.1, Mighty Unicorn"
ID="lede"
ID_LIKE="lede openwrt"
PRETTY_NAME="LEDE Mighty Unicorn 17.02.1"
VERSION_ID="17.02.1"
HOME_URL="http://lede-project.org/"
BUG_URL="http://bugs.lede-project.org/"
SUPPORT_URL="http://forum.lede-project.org/"
BUILD_ID="r2500"
LEDE_BOARD="x86/64"
LEDE_TAINTS="no-all override"
LEDE_DEVICE_MANUFACTURER="LEDE"
LEDE_DEVICE_MANUFACTURER_URL="http://lede-project.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="LEDE Mighty Unicorn 17.02.1 r2500"
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
Not all kmod packages depends on kmod-ipt-compat-xtables, but this
kernel config option is required for building the whole package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Commit 2728512 ("e2fsprogs: List all libraries explicitly") forced the
e2fsprogs build system to link libcom_err.so in various places.
Unfortunately, the krb5 package also ships a libcom_err.so with a totally
different ABI and puts it into the global staging directory which causes
e2fsprogs to pick up this wrong library, leading to the following failure:
LD blkid
../lib/libext2fs.so: undefined reference to `_et_list'
collect2: error: ld returned 1 exit status
Makefile:504: recipe for target 'blkid' failed
Change the SYSLIBS specification to explicitely link libcom_err.so.0.0
which in order to work around the problem.
In the long run, the libcom_err clash between e2fsprogs and krb5 needs to
be solved properly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
"service" is a simple wrapper that will allow to call init.d scripts
current method: # /etc/init.d/network reload
with the wrapper: # service network reload
If the wrapper is called without arguments or with a wrong init script name, it will print an error and list the content of /etc/init.d/ folder
Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
Based on the submission to the uboot-lantiq repo by Martin Blumenstingl.
Use the ddr_settings.h from the GPL tarball. The NAND boot optimized
one (with memory tuning enabled) doesn't work for the UART boot image.
Use the same mtd layout as the stock u-boot. Add add UBI support.
Use the leds to indicate boot status like it is done with the stock
u-boot. Switch on the red power led if kernel image can't be loaded.
Otherwise switch the green led on.
Make only the ramboot u-boot available. Only this image is required for
the first installation of LEDE.
Signed-off-by: Mathias Kresin <dev@kresin.me>
These properties allow overriding the settings from the EEPROM
which indicate whether a band is enabled or not.
Setting this property is only needed when the RF circuit does not
support the 2.4GHz or 5GHz band while it is enabled nevertheless in the
EEPROM.
These patches will be replaced with a future upstream version which
will introduces an ieee80211 device tree property to disable bands.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
There are two types of swapping the EEPROM data in the ath9k driver.
Before this series one type of swapping could not be used without the
other.
The first type of swapping looks at the "magic bytes" at the start of
the EEPROM data and performs swab16 on the EEPROM contents if needed.
The second type of swapping is EEPROM format specific and swaps
specific fields within the EEPROM itself (swab16, swab32 - depends on
the EEPROM format).
With this series the second part now looks at the EEPMISC register
inside the EEPROM, which uses a bit to indicate if the EEPROM data
is Big Endian (this is also done by the FreeBSD kernel).
This has a nice advantage: currently there are some out-of-tree hacks
(in OpenWrt and LEDE) where the EEPROM has a Big Endian header on a
Big Endian system (= no swab16 is performed) but the EEPROM itself
indicates that it's data is Little Endian. Until now the out-of-tree
code simply did a swab16 before passing the data to ath9k, so ath9k
first did the swab16 - this also enabled the format specific swapping.
These out-of-tree hacks are still working with the new logic, but it
is recommended to remove them. This implementation is based on a
discussion with Arnd Bergmann who raised concerns about the
robustness and portability of the swapping logic in the original OF
support patch review, see [0].
After a second round of patches (= v1 of this series) neither Arnd
Bergmann nor I were really happy with the complexity of the EEPROM
swapping logic. Based on a discussion (see [1] and [2]) we decided
that ath9k should use a defined format (specifying the endianness
of the data - I went with __le16 and __le32) when accessing the
EEPROM fields. A benefit of this is that we enable the EEPMISC based
swapping logic by default, just like the FreeBSD driver, see [3]. On
the devices which I have tested (see below) ath9k now works without
having to specify the "endian_check" field in ath9k_platform_data (or
a similar logic which could provide this via devicetree) as ath9k now
detects the endianness automatically. Only EEPROMs which are mangled
by some out-of-tree code still need the endian_check flag (or one can
simply remove that mangling from the out-of-tree code).
[0] http://www.spinics.net/lists/linux-wireless/msg152634.html
[1] https://marc.info/?l=linux-wireless&m=147250597503174&w=2
[2] https://marc.info/?l=linux-wireless&m=147254388611344&w=2
[3] 50719b56d9/sys/dev/ath/ath_hal/ah_eeprom_9287.c (L351)
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
These patches add support for configuring ath9k based devices via
devicetree. This was tested on PCI(e) based devices. This should work
for AHB based devices as well (adding more AHB specific properties may
still be needed) as soon as the ath79 platform is ready to populate the
ath9k wmac via devicetree.
This patchset was accepted upstream, more information can be found on
the linux-wireless list:
https://www.spinics.net/lists/linux-wireless/msg155474.html
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
The ESP algorithms in CBC mode require echainiv, so have kmod-ipsec
depend on kmod-crypto-echainiv.
See upstream commit 32b6170ca59ccf07d0e394561e54b2cd9726038c.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This constant was always defined to 0, and recently got removed in
upstream commit a07ea4d9941af5a0c6f0be2a71b51ac9c083c5e5 ("genetlink: no
longer support using static family IDs")
Fixes libnl-tiny builds with latest upstream kernels.
Fixes: d723f2573a ("libnl-tiny: remove include/linux overrides to fix various build issues")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Update fuse+libfuse to upstream 2.9.7. Drop the patch for CVE-2015-3202,
which is already integrated in the newer version. Rework the other patches.
Also switch PKG_SOURCE from @SF to libfuse's github releases.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
The 10.1 includes a good many stability fixes related to the effort of
backporting upstream 10.2 firmware. Also enables 802.1q vlan support.
Successfully tested on apu2.
The 10.4 firmwares including new backported code as well as stability
fixes. 10.4 has been tested on Fedora x86-64 platforms, but not on LEDE
specifically since I had issues compiling LEDE for my 9980/9984 AP hardware.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Packages that do a killall <cmd> with the same name as the init script
will fail the prerm step when the service isn't running. Do make them
removable without having to restart the service, ignore the return code.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
To make sure we properly restart services on upgrade we need to
call the prerm script of the old package, in case the init script
changes (or vanishes).
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Properly stop/start services on upgrade, but don't change the enabled
state.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Allow scripts from the package to be upgraded to be aware of being
upgraded.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
The host-side build of grub2 requires this sometimes.
This will re-generate the ./configure script from configure.ac.
I don't know the conditions of how this reproduces, it just
sometimes appears, and sometimes doesn't.
Build error
```
<lede-dir>/build_dir/target-x86_64_musl-1.1.15_yogi/host/grub-2.02~beta2/build-aux/missing: line 81: aclocal-1.14: command not found
WARNING: 'aclocal-1.14' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
<http://www.gnu.org/software/automake>
It also requires GNU Autoconf, GNU m4 and Perl in order to run:
<http://www.gnu.org/software/autoconf>
<http://www.gnu.org/software/m4/>
<http://www.perl.org/>
Makefile:3962: recipe for target 'aclocal.m4' failed
```
Adding PKG_FIXUP adds sanity (i.e. autoreconf is used for host & target
builds) over just using HOST_FIXUP.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Use fwtool to extract it, only require metadata to be present if the
platform sysupgrade script sets REQUIRE_IMAGE_METADATA=1
Image metadata is in JSON format and contains a list of supported
devices, along with version information that could be displayed by a UI
later before the actual upgrade happens.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This will be used to append extra information to images which allows the
system to verify if an image is compatible with the system.
The extra data is appended to the end of the image, where it will be
ignored when upgrading from systems that do not process this data yet:
If the image is a squashfs or jffs2 image, the extra data will land
after the end-of-filesystem marker, where it will be overwritten once
the system boots for the first timee.
If the image is a sysupgrade tar file, tar will simply ignore the extra
data when unpacking.
The layout of the metadata/signature chunks is constructed in a way
that the last part contains just a magic and size information, so that
the tool can quickly check if any valid data is present without having
to do a pattern search throughout the full image.
Chunks also contain CRC32 information to detect file corruption, even
when the image is not signed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
SafeLoader is image format used by some TP-LINK devices. This tool
allows extracting selected partitions out of it. It can be used for
sysupgrade.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
