Staging tree of Imre Kaloz https://git.openwrt.org/openwrt/staging/kaloz/atom?h=master 2018-01-27T15:46:45Z 2018-01-27T15:46:45Z Julien Dusser 2018-01-08T22:47:06Z urn:sha1:df0bd42fdeb76c9bc51b816c3df699db123c0024 Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr> 2018-01-18T07:04:18Z Dirk Brenken 2018-01-12T11:57:39Z urn:sha1:ef8cd6be1eab8bfeca77b1117b7a22c35dbae2ec This PR adds optional fstrim support Signed-off-by: Dirk Brenken <dev@brenken.org> 2018-01-10T20:27:32Z Jo-Philipp Wich 2018-01-05T09:46:06Z urn:sha1:fe920d01bb7a4bb57f7d5cab15d4ee8abc5211d7 Remove LEDE_GIT references in favor to the new name-agnostic PROJECT_GIT variable. Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2018-01-05T09:42:34Z Kevin Darbyshire-Bryant 2018-01-04T20:07:59Z urn:sha1:4e800716ac9718699e981e2fa6ec4b3dc2e91aa9 Refresh patches to tidy up fuzz. No functional changes Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> 2018-01-05T09:35:51Z Kevin Darbyshire-Bryant 2018-01-04T21:22:38Z urn:sha1:b61a648e4adff13e08caca1eaf44ea3e03ae4dc8 Refresh patches to tidy up fuzz. No functional changes Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> 2018-01-02T06:51:39Z Roman Yeryomin 2017-12-17T18:30:42Z urn:sha1:2277cd1249a6952228f36b768beea117c91123a0 This is needed for procd init script protection to work. flock adds 4248 bytes to stripped busybox binary. Signed-off-by: Roman Yeryomin <roman@advem.lv> 2018-01-02T06:14:08Z John Crispin 2018-01-01T10:46:03Z urn:sha1:7c0a2bc93077f52c033e406864b34af3a4fab245 In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. Fixes: FS#1181 - CVE-2017-16544: Backport the patch from: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 https://nvd.nist.gov/vuln/detail/CVE-2017-16544 Signed-off-by: Derek Werthmuller <thewerthfam@gmail.com> Signed-off-by: John Crispin <john@phrozen.org> 2017-12-28T11:26:23Z Matthias Schiffer 2017-12-10T17:04:53Z urn:sha1:20c349f68ca108d8b20363efbf5fa698e8446009 Unconditionally pass TARGET_CPPFLAGS (not passed at all before) and TARGET_LDFLAGS (passed only in certain non-default configuration before the Makefile streamlining). Without these flags, hardening options (PKG_FORTIFY_SOURCE and PKG_RELRO) were not actually applied to busybox. The addition of these flags increases the size of the stripped busybox binary by about 6KB (~4KB with fortify headers, ~2KB with "-znow -zrelro") with the default hardening options PKG_FORTIFY_SOURCE_1 and PKG_RELRO_FULL. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> 2017-12-28T11:24:25Z Matthias Schiffer 2017-12-10T17:01:42Z urn:sha1:a10fae113349f120486c86fc616948b5b6f1a76e Use default Build/Install steps where possible. No binary change in default configuration, so PKG_RELEASE is not incremented. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> 2017-12-24T08:03:01Z John Crispin 2017-12-19T19:49:06Z urn:sha1:5bbd493e669d91730aa445da3024c7c43065460c f40f84c support PantechMode d8dc335 support Quanta and Blackberry modes 333e486 fix support for Option modems Signed-off-by: John Crispin <john@phrozen.org>