Removed upstreamed patch: 010-padlock.patch
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
Inline the preinst.arm-ce script. Support for including was added in
make 4.2 and is not working with older make versions.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
In the action "DescribeSubDomainRecords", set the argument "Line" to the specific value "default". This is for users who have two or more identical domain names with different DNS request sources (ISPs); returning more than one record leads to printing "地址需要修改". According to the aliyun API documentation, setting the Line parameter can solve this issue, because most users have just one ISP for each domain and its value is set to "default".
* bump qca-nss-dp and ssdk ssdk-shell to 12.1
* [qca-ssdk] delete 0008 patch as 12.1 version does not need this
* [ipq807x]: Add support for tplink-tl-er2260t(basic)
* remove unused parts in 2260t.dts
* NSS:bump nss-drv64 to 12.1r2 (may affect ipq806x)
* fix nss-dp source_url
* qca-ssdk: refresh ssdk patch
The of_mmc_spi.o resource is provider agnostic in kernels greater than 5.13
and does not depend anymore on CONFIG_OF.
Fixes: #10769
Suggested-by: John Thomson <git@johnthomson.fastmail.com.au>
Signed-off-by: Nick Hainke <vincent@systemli.org>
* build: fix incomplete initramfs compression options
Requires: tools/lz4, tools/lzop
complete the wiring so that these options work:
* `CONFIG_KERNEL_INITRAMFS_COMPRESSION_LZO`
* `CONFIG_KERNEL_INITRAMFS_COMPRESSION_LZ4`
Signed-off-by: Tony Butler <spudz76@gmail.com>
[remove blocking dependencies for separate ramdisk, fix lzop options]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* include: sync with upstream
* toolchain/binutils: add support for version 2.40
Release notes:
https://sourceware.org/pipermail/binutils/2023-January/125671.html
Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
* toolchain/gcc: switch to version 12 by default
Also fix build error with gcc 12.
* toolchain/nasm: update to 2.16.01
ChangeLog:
Version 2.16.01
_This is a documentation update release only._
(*) Fix the creation of the table of contents in the HTML version of
the documentation.
Version 2.16
(*) Support for the `rdf' format has been discontinued and all the
RDOFF utilities have been removed.
(*) The `--reproducible' option now leaves the filename field in the
COFF object format blank. This was always rather useless since
it is only 18 characters long; as such debug formats have to
carry their own filename information anyway.
(*) Fix handling of MASM-syntax reserved memory (e.g. `dw ?') when
used in structure definitions.
(*) The preprocessor now supports functions, which can be less
verbose and more convenient than the equivalent code implemented
using directives. See section 4.4.
(*) Fix the handling of `%00' in the preprocessor.
(*) Fix incorrect handling of path names affecting error messages,
dependency generation, and debug format output.
(*) Support for the RDOFF output format and the RDOFF tools have
been removed. The RDOFF tools had already been broken since at
least NASM 2.14. For flat code the ELF output format is
recommended; for segmented code the `obj' (OMF) output format.
(*) New facility: preprocessor functions. Preprocessor functions,
which are expanded similarly to single-line macros, can greatly
simplify code that in the past would have required a lengthy
list of directives and intermediate macros. See section 4.4.
(*) Single-line macros can now declare parameters (using a `&&'
prefix) that creates a quoted string, but does _not_ requote an
already quoted string. See section 4.2.1.
(*) Instruction table updated per public information available as of
November 2022.
(*) All warnings in the preprocessor have now been assigned warning
classes. See appendix A.
(*) Fix the invalid use of `RELA'-type relocations instead of `REL'-
type relocations when generating DWARF debug information for the
`elf32' output format.
(*) Fix the handling of `at' in `istruc' when the structure contains
local labels. See section 5.9.2.
(*) When assembling with `--reproducible', don't encode the filename
in the COFF header for the `coff', `win32' or `win64' output
formats. The COFF header only has space for an 18-character
filename, which makes this field rather useless in the first
place. Debug output data, if enabled, is not affected.
(*) Fix incorrect size calculation when using MASM syntax for non-
byte reservations (e.g. `dw ?'.)
(*) Allow forcing an instruction in 64-bit mode to have a (possibly
redundant) REX prefix, using the syntax `{rex}' as a prefix.
(*) Add a `{vex}' prefix to enforce VEX (AVX) encoding of an
instruction, either using the 2- or 3-byte VEX prefixes.
(*) The `CPU' directive has been augmented to allow control of
generation of VEX (AVX) versus EVEX (AVX-512) instruction
formats, see section 7.11.
(*) Some recent instructions that previously have been only
available using EVEX encodings are now also encodable using VEX
(AVX) encodings. For backwards compatibility these encodings are
not enabled by default, but can be generated either via an
explicit `{vex}' prefix or by specifying either `CPU LATEVEX' or
`CPU NOEVEX'; see section 7.11.
(*) Document the already existing `%unimacro' directive. See section
4.5.12.
(*) Fix a code range generation bug in the DWARF debug format
(incorrect information in the `DW_AT_high_pc' field) for the ELF
output formats. This bug happened to cancel out with a bug in
older versions of the GNU binutils linker, but breaks with other
linkers and updated or other linkers that expect the spec to be
followed.
(*) Fix segment symbols with addends, e.g. `jmp _TEXT+10h:0' in
output formats that support segment relocations, e.g. the `obj'
format.
(*) Fix various crashes and hangs on invalid input.
Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
* toolchain: musl: Fix symbol loading in gdb
Fix DT_DEBUG handling on MIPS in musl libc.
With this change gdb will load the symbol files for shared libraries on MIPS too.
This patch was taken from this thread: https://www.openwall.com/lists/musl/2022/01/09/4
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
* tools: sync with upstream
* build: fix issues with targets installed via feeds
- fix including modules.mk when a target is being replaced
- fix calling make targets from target/linux
Signed-off-by: Felix Fietkau <nbd@nbd.name>
* package: sync with upstream
Signed-off-by: Tony Butler <spudz76@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: Tony Butler <spudz76@gmail.com>
Co-authored-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
Co-authored-by: Felix Fietkau <nbd@nbd.name>
Make use of the definitions from trusted-firmware-a.mk to build the
Trusted firmware arm. This fixes the build with binutils 2.39.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Co-authored-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit adds basic support for Photonicat Board.
Flash into lede:
Run first: dd if=openwrt-xxx.img of=/dev/mmcblk0
Then brush the img file to sdcard and insert it,
the system will boot from above.
Note:
Since rockchip does not release any code to power up their
device, disabled emmc for now until we can remove rkbin.
* Update Makefile
Add Support For Rocktech MPC1903
* Add support for Rocktech MPC1903
* Add support for Rocktech MPC1903
* Update armv8.mk
* Add support for Rocktech MPC1903
* Add support for Rocktech MPC1903
* Update armv8.mk
* Update rk3399-mpc1903.dts
* Add support for Rocktech MPC1903
* Update rk3399-mpc1903.dts
* Add support for Rocktech MPC1903
* Add support for Rocktech MPC1903
* Update armv8.mk
* Delete mpc1903.bootscript
* Add rk3399-mpc1903.dts
* Add support for Rocktech MPC1903
Support for MT7981 and MT7986 has been merged, remove patches.
Tested on a couple of MT7986, MT7622 and MT7623 boards.
MIPS builds are untested.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Upstream in commit 34a1dee6bc44 ("net: usb: asix: ax88772: add generic
selftest support") in version 5.14 added dependency on generic selftest
functionality and armvirt/64 when compiled with ALL_KMODS=y reports the following:
Package kmod-usb-net-asix is missing dependencies for the following libraries:
mdio_devres.ko
selftests.ko
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Upstream in commit 3e1e58d64c3d ("net: add generic selftest support") in
version 5.13 added generic selftests module and usb-net-asix already
depends on it, in version 5.18 via commit 1710b52d7c13 ("net: usb:
smsc95xx: add generic selftest support") it will be used by
usb-net-smsc95xx as well.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This fixes a security problem in ksmbd. It currently has the
ZDI-CAN-18259 ID assigned, but no CVE yet.
Backported from:
8824b7af40cc4f3b5a6a
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Make it possible to set up default WAN interface for devices with built-in LTE
modems, using QMI or MBIM.
Signed-off-by: Andrey Butirsky <butirsky@gmail.com>
Reviewed-by: Lech Perczak <lech.perczak@gmail.com>
These will be used to give WLAN PHYs a specific name based on path specified
in board.json. The platform board.d script can assign a specific order based
on available slots (PCIe slots, WMAC device) and device tree configuration.
This helps with maintaining config compatibility in case the device path
changes due to kernel upgrades.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add a separate firmware package to avoid installing the MT7615 firmware
on all MT7622 target devices by default. Now we only add MT7615 firmware
packages for devices that use MT7615E. This commit also removes the
explicit dependency on kmod-mt7615e to refine the package dependency.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
The mt7915e driver supports MT7915, MT7916 and MT7986 chips. And only
MT7915 series chips need the MT7915 firmware. To save storage, extract
them from the common code package and create a new package to provide
the firmware.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
The kmod-mt7615-common package does not contain any code that is
related to the mt7915e Wi-Fi6 driver, so remove it.
Tested on ramips/mt7621: SIM SIMAX1800T
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
* mpc85xx: add support for cpu type 8548
8540 cpu type corresponds to e500v1 core while
8548 cpu type corresponds to e500v2 core
See https://www.nxp.com/products/processors-and-microcontrollers/legacy-mpu-mcus/powerquicc-processors:POWERQUICC_HOME#powerquicc-iii-mpc85xx
and https://www.nxp.com/docs/en/application-note/AN2807.pdf .
Co-authored-by: Josef Schlehofer <josef.schlehofer@nic.cz>
Co-authored-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Šimon Bořek <simon.borek@nic.cz>
* tree-wide: Do not use package librt and libpthread
The libraries libpthread, libdl, libutil, libanl have been integrated
into the libc library in version 2.34. It is not needed to explicitly
link them any more.
Most of the functions have been moved from the librt.so into libc.so
some time ago already.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* toolchain/binutils: backport stable patches
Add the patches with real changes from the binutils 2.39 stable branch.
I am not aware that we ran into any of these problems, but I think it is
better to take the existing stable patches.
They were exported like this:
git format-patch binutils-2_39...origin/binutils-2_39-branch
I removed the patches changing the version numbers only.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* toolchain/binutils: switch to version 2.39 by default
This was build tested with all core packages on all targets
successfully.
This was run tested on the following systems:
* lantiq/xrx200 musl
* sunxi/cortex53 musl
* x86/64 musl
* x86/64 glibc
Some trusted firmware arm builds needed some fixes to build with
binutils 2.39, this was merged before.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* tools: Improve diffability/maintainability
There's no purpose to squish multiple tools into a single line (and
spread those out over multiple lines). It might look 'nice' in certain
conditions, but it's annoying to maintain.
For example, but not limited to:
* adding/removing tools, causes hard to read diffs
* Duplicates are harder to spot
* Sorting can not be (easily?) automated
With this proposed change, the above annoyances go away. Inserting a new
tool can be done with a single line-change-diff, sorting can be done by
any editor (in vi, select, :sort for example) and dupes are much easier
to spot.
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
* rules: drop -Wno-error additional flags from default TARGET_CFLAGS
We currently enable -Wno-error=unused-but-set-variable and
-Wno-error=unused-result by default on every compile package.
While this is (relatively) unharmful, we should follow other project
direction and start enforcing good code quality. For example the linux
kernel recently started to enforce Wall by default and clean code is
mandatory for inclusion.
Drop for good these flags and make it mandatory to correctly handle
return values at least with a warning log if they are not strictly error
condition.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* bridger: update to the latest version
def7755c459d add missing copyright headers
f68307fd96d7 add hairpin mode support
9ee8f433ba4e nl: do not pass NDA_VLAN with vid=0
978c1f9eed07 add support for the bridge port isolated flag
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Šimon Bořek <simon.borek@nic.cz>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: Šimon Bořek <simon.borek@nic.cz>
Co-authored-by: Josef Schlehofer <josef.schlehofer@nic.cz>
Co-authored-by: Pali Rohár <pali@kernel.org>
Co-authored-by: Hauke Mehrtens <hauke@hauke-m.de>
Co-authored-by: Olliver Schinagl <oliver@schinagl.nl>
Co-authored-by: Christian Marangi <ansuelsmth@gmail.com>
Co-authored-by: Felix Fietkau <nbd@nbd.name>