staging/noltari/package/libs, branch master

openssl: fix variable reference in conffiles

2023-03-06T21:11:36Z

Fix the trivial abscence of $() when assigning engine config files to the main libopenssl-config package even if the corresponding engines were not built into the main library. This is mostly cosmetic, since scripts/ipkg-build tests the file's presence before it is actually included in the package's conffiles. Fixes: 30b0351039 "openssl: configure engine packages during install" Signed-off-by: Eneas U de Queiroz

openssl: fix sysupgrade failure with devcrypto

2023-03-06T21:09:13Z

The bump to 3.0.8 inadvertently removed patches that are needed here, but were not adopted upstream. The most important one changes the default value of the DIGESTS setting from ALL to NONE. The absence of this patch causes a sysupgrade failure while the engine is in use with digests enabled. When this happens, the system fails to boot with a kernel panic. Also, explicitly set DIGESTS to NONE in the provided config file, and change the default ciphers setting to disable ECB, which has been recommended for a long time and may cause trouble with some apps. The config file change by itself is not enough because the config file may be preserved during sysupgrade. For people affected by this bug: You can either: 1. remove, the libopenssl-devcrypto package 2. disable the engine in /etc/config/openssl; 3. change /etc/ssl/engines.cnf.d/devcrypto.cnf to set DIGESTS=NONE; 4. update libopenssl-devcrypto to >=3.0.8-3 However, after doing any of the above, **you must reboot the device before running sysupgrade** to ensure no running application is using the engine. Running `/etc/init.d/openssl restart` is not enough. Fixes: 7e7e76afca "openssl: bump to 3.0.8" Signed-off-by: Eneas U de Queiroz

ncurses: add alacritty terminfo

2023-02-26T00:12:02Z

Add terminfo file for the terminal emulator alacritty. https://github.com/alacritty/alacritty Signed-off-by: Tobias Hilbig

ustream-ssl: update to Git version 2023-02-25

2023-02-25T17:37:26Z

498f6e2 ustream-mbedtls: Use getrandom() instead of /dev/urandom Signed-off-by: Hauke Mehrtens

libcap: update to 2.67

2023-02-24T23:14:38Z

Release notes: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.o8papfkfh1x9 While working on it, remove $(AUTORELEASE). Tested-by: Linhui Liu liulinhui36@gmail.com # Xiaomi AX3600 Signed-off-by: Nick Hainke

openssl: fix powerpc & arc libatomic dependencies

2023-02-22T14:05:06Z

PowerPC CONFIG_ARCH is defined as powerpc, not ppc. Fix that in the DEPENDS condition. Arc needs to be built with libatomic. Change the OpenSSL configuration file, and add it to the libatomic DEPENDS condition. Fixes: 7e7e76afca "openssl: bump to 3.0.8" Signed-off-by: Eneas U de Queiroz

openssl: bump to 3.0.8

2023-02-20T10:24:17Z

This is a major update to the current LTS version, supported until 2026-09-07. Changelog: https://github.com/openssl/openssl/blob/openssl-3.0.8/CHANGES.md Signed-off-by: Eneas U de Queiroz

elfutils: fix build with GCC 11

2023-02-18T18:55:37Z

GCC 11 doesn't know about -Wno-error=use-after-free and aborts compilation. Fixes: 2748c45d "elfutils: Ignore wrong use-after-free error" Signed-off-by: Andre Heider

openssl: bump to 1.1.1t

2023-02-11T23:08:29Z

Removed upstreamed patch: 010-padlock.patch Changes between 1.1.1s and 1.1.1t [7 Feb 2023] *) Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. (CVE-2023-0286) This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. [Hugo Landau] *) Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. (CVE-2023-0215) [Viktor Dukhovni, Matt Caswell] *) Fixed Double free after calling PEM_read_bio_ex. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. (CVE-2022-4450) [Kurt Roeckx, Matt Caswell] *) Fixed Timing Oracle in RSA Decryption. A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. (CVE-2022-4304) [Dmitry Belyavsky, Hubert Kario] Signed-off-by: John Audia

wolfssl: fix build with make < 4.2

2023-02-03T11:18:19Z

Inline the preinst.arm-ce script. Support for including was added in make 4.2 and is not working with older make versions. Fixes: https://github.com/openwrt/openwrt/issues/11866 Signed-off-by: Chen Minqiang