* [PATCH] libcap: Update to version 2.67
@ 2023-03-27 21:27 Adolf Belka
2023-03-27 21:27 ` [PATCH] newt: Update to version 0.52.23 Adolf Belka
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Adolf Belka @ 2023-03-27 21:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 4493 bytes --]
- Update from version 2.66 to 2.67
- Update of rootfile
- Changelog
Release notes for 2.67
Replace use of fgrep with grep -F (POSIX grep flags preferred by GNU grep) - patch
from David Seifert.
Added SPDX identifiers to License file(s). Hopefully this will help the various
robots out there correctly identify the longstanding licenses for libcap and friends.
(Bug: 216609 reported by Günther Noack)
Started down the rabbit hole of trying to address (Bug: 216610 reported by Günther
Noack on behalf of Michael Stapelberg)
The basic issue is how to link C code with Go psx without using CGo. This is all
a low level hackery. If you are interested, browse the source.
Correct for bad whatis entries in man pages (this was throwing a Debian build test,
detail)
Also reviewed man pages and addressed cross linkage issues (Bug: 216585)
Cleaned up some README.md files (made a github mirror now just so I can
automatically render them).
Changed meaning of DYNAMIC=no builds.
This now builds everything with static linking except for libc. The reason for
this exception is explained in the commit message.
Inserted demonstration exploit code in capso.so to support article.
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/rootfiles/common/libcap | 9 +++++++--
lfs/libcap | 8 ++++----
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/config/rootfiles/common/libcap b/config/rootfiles/common/libcap
index f0518d6aa..194fc7f19 100644
--- a/config/rootfiles/common/libcap
+++ b/config/rootfiles/common/libcap
@@ -1,8 +1,8 @@
lib/libcap.so.2
-lib/libcap.so.2.66
+lib/libcap.so.2.67
#lib/libpsx.so
#lib/libpsx.so.2
-lib/libpsx.so.2.66
+lib/libpsx.so.2.67
#lib/pkgconfig/libcap.pc
#lib/pkgconfig/libpsx.pc
lib/security/pam_cap.so
@@ -32,6 +32,7 @@ usr/lib/libcap.so
#usr/share/man/man3/cap_get_file.3
#usr/share/man/man3/cap_get_flag.3
#usr/share/man/man3/cap_get_mode.3
+#usr/share/man/man3/cap_get_nsowner.3
#usr/share/man/man3/cap_get_pid.3
#usr/share/man/man3/cap_get_proc.3
#usr/share/man/man3/cap_get_secbits.3
@@ -59,10 +60,14 @@ usr/lib/libcap.so
#usr/share/man/man3/cap_mode.3
#usr/share/man/man3/cap_mode_name.3
#usr/share/man/man3/cap_new_launcher.3
+#usr/share/man/man3/cap_prctl.3
+#usr/share/man/man3/cap_prctlw.3
+#usr/share/man/man3/cap_proc_root.3
#usr/share/man/man3/cap_set_fd.3
#usr/share/man/man3/cap_set_file.3
#usr/share/man/man3/cap_set_flag.3
#usr/share/man/man3/cap_set_mode.3
+#usr/share/man/man3/cap_set_nsowner.3
#usr/share/man/man3/cap_set_proc.3
#usr/share/man/man3/cap_set_secbits.3
#usr/share/man/man3/cap_setgroups.3
diff --git a/lfs/libcap b/lfs/libcap
index f81b13c99..9eab679ff 100644
--- a/lfs/libcap
+++ b/lfs/libcap
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 2.66
+VER = 2.67
THISAPP = libcap-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = e79bf10c6a3dbffe96dc97aad0bed67caa0b3805d9dcaff1e4a8a833396ee5c6da4f7f0d321b254e99a00073bc39021b9f3a4b350d93094d0df4d74889b3ca56
+$(DL_FILE)_BLAKE2 = bd9be22e439397a3c1726093cfee2410df93773b3139d50a1cdc10daecb666ddb9b64daded6e0ec9f2fd6defd16ea156dbd66bd55360ea266131f31ea0f0e989
install : $(TARGET)
@@ -75,7 +75,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && make GOLANG=no
cd $(DIR_APP) && make install GOLANG=no
rm -vf /lib/libcap.so
- ln -svf /lib/libcap.so.2.66 /usr/lib/libcap.so
+ ln -svf /lib/libcap.so.2.67 /usr/lib/libcap.so
chmod +x /lib/libcap.so.*
@rm -rf $(DIR_APP)
@$(POSTBUILD)
--
2.40.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] newt: Update to version 0.52.23
2023-03-27 21:27 [PATCH] libcap: Update to version 2.67 Adolf Belka
@ 2023-03-27 21:27 ` Adolf Belka
2023-03-27 21:27 ` [PATCH] openssh: Update to version 9.3p1 Adolf Belka
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Adolf Belka @ 2023-03-27 21:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 7659 bytes --]
- Update from version 0.52.21 to 0.52.23
- Update of rootfile
- Changelog
0.52.23
- fix automatic height of menu/list in whiptail (broken in 0.52.22)
- fix automatic width of whiptail --yesno box
- fix automatic width in whiptail with unicode characters
- fix automatic width with whiptail --noitem and --notags options
- fix spacing with longer tags in whiptail
- avoid overlapping backtitle in whiptail with automatic height
0.52.22
- fix crash in whiptail with new libpopt
- switch from usleep to nanosleep (Rosen Penev)
- fix libnewt.pc to enable static linking (Alexey Sheplyakov)
- fix LDFLAGS order in snack linking (Sam James)
- use CFLAGS when compiling snack
- improve configure.ac (Thomas Kuehne)
- install header and libnewt.pc with shared library (Michael Olbrich)
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/rootfiles/common/newt | 54 +-----------------------------------
lfs/newt | 6 ++--
2 files changed, 4 insertions(+), 56 deletions(-)
diff --git a/config/rootfiles/common/newt b/config/rootfiles/common/newt
index 39c90521f..b3d9a581b 100644
--- a/config/rootfiles/common/newt
+++ b/config/rootfiles/common/newt
@@ -3,58 +3,38 @@ usr/bin/whiptail
#usr/lib/libnewt.a
#usr/lib/libnewt.so
usr/lib/libnewt.so.0.52
-usr/lib/libnewt.so.0.52.21
+usr/lib/libnewt.so.0.52.23
#usr/lib/pkgconfig/libnewt.pc
#usr/lib/python3.10/site-packages/_snack.so
#usr/lib/python3.10/site-packages/snack.py
-#usr/share/locale/ar
-#usr/share/locale/ar/LC_MESSAGES
#usr/share/locale/ar/LC_MESSAGES/newt.mo
-#usr/share/locale/as
-#usr/share/locale/as/LC_MESSAGES
#usr/share/locale/as/LC_MESSAGES/newt.mo
#usr/share/locale/ast/LC_MESSAGES/newt.mo
#usr/share/locale/bal
#usr/share/locale/bal/LC_MESSAGES
#usr/share/locale/bal/LC_MESSAGES/newt.mo
#usr/share/locale/bg/LC_MESSAGES/newt.mo
-#usr/share/locale/bn
-#usr/share/locale/bn/LC_MESSAGES
#usr/share/locale/bn/LC_MESSAGES/newt.mo
-#usr/share/locale/bn_IN
-#usr/share/locale/bn_IN/LC_MESSAGES
#usr/share/locale/bn_IN/LC_MESSAGES/newt.mo
#usr/share/locale/bs/LC_MESSAGES/newt.mo
#usr/share/locale/ca/LC_MESSAGES/newt.mo
#usr/share/locale/cs/LC_MESSAGES/newt.mo
-#usr/share/locale/cy
-#usr/share/locale/cy/LC_MESSAGES
#usr/share/locale/cy/LC_MESSAGES/newt.mo
#usr/share/locale/da/LC_MESSAGES/newt.mo
#usr/share/locale/de/LC_MESSAGES/newt.mo
-#usr/share/locale/dz
-#usr/share/locale/dz/LC_MESSAGES
#usr/share/locale/dz/LC_MESSAGES/newt.mo
#usr/share/locale/el/LC_MESSAGES/newt.mo
#usr/share/locale/eo/LC_MESSAGES/newt.mo
#usr/share/locale/es/LC_MESSAGES/newt.mo
#usr/share/locale/et/LC_MESSAGES/newt.mo
#usr/share/locale/eu/LC_MESSAGES/newt.mo
-#usr/share/locale/fa
-#usr/share/locale/fa/LC_MESSAGES
#usr/share/locale/fa/LC_MESSAGES/newt.mo
#usr/share/locale/fi/LC_MESSAGES/newt.mo
#usr/share/locale/fr/LC_MESSAGES/newt.mo
#usr/share/locale/ga/LC_MESSAGES/newt.mo
#usr/share/locale/gl/LC_MESSAGES/newt.mo
-#usr/share/locale/gu
-#usr/share/locale/gu/LC_MESSAGES
#usr/share/locale/gu/LC_MESSAGES/newt.mo
-#usr/share/locale/he
-#usr/share/locale/he/LC_MESSAGES
#usr/share/locale/he/LC_MESSAGES/newt.mo
-#usr/share/locale/hi
-#usr/share/locale/hi/LC_MESSAGES
#usr/share/locale/hi/LC_MESSAGES/newt.mo
#usr/share/locale/hr/LC_MESSAGES/newt.mo
#usr/share/locale/hu/LC_MESSAGES/newt.mo
@@ -62,47 +42,25 @@ usr/lib/libnewt.so.0.52.21
#usr/share/locale/id/LC_MESSAGES/newt.mo
#usr/share/locale/it/LC_MESSAGES/newt.mo
#usr/share/locale/ja/LC_MESSAGES/newt.mo
-#usr/share/locale/ka
-#usr/share/locale/ka/LC_MESSAGES
#usr/share/locale/ka/LC_MESSAGES/newt.mo
#usr/share/locale/km
#usr/share/locale/km/LC_MESSAGES
#usr/share/locale/km/LC_MESSAGES/newt.mo
-#usr/share/locale/kn
-#usr/share/locale/kn/LC_MESSAGES
#usr/share/locale/kn/LC_MESSAGES/newt.mo
#usr/share/locale/ko/LC_MESSAGES/newt.mo
-#usr/share/locale/ku
-#usr/share/locale/ku/LC_MESSAGES
#usr/share/locale/ku/LC_MESSAGES/newt.mo
#usr/share/locale/lt/LC_MESSAGES/newt.mo
#usr/share/locale/lv/LC_MESSAGES/newt.mo
-#usr/share/locale/mg
-#usr/share/locale/mg/LC_MESSAGES
#usr/share/locale/mg/LC_MESSAGES/newt.mo
-#usr/share/locale/mk
-#usr/share/locale/mk/LC_MESSAGES
#usr/share/locale/mk/LC_MESSAGES/newt.mo
-#usr/share/locale/ml
-#usr/share/locale/ml/LC_MESSAGES
#usr/share/locale/ml/LC_MESSAGES/newt.mo
-#usr/share/locale/mr
-#usr/share/locale/mr/LC_MESSAGES
#usr/share/locale/mr/LC_MESSAGES/newt.mo
#usr/share/locale/ms/LC_MESSAGES/newt.mo
#usr/share/locale/nb/LC_MESSAGES/newt.mo
-#usr/share/locale/nds
-#usr/share/locale/nds/LC_MESSAGES
#usr/share/locale/nds/LC_MESSAGES/newt.mo
-#usr/share/locale/ne
-#usr/share/locale/ne/LC_MESSAGES
#usr/share/locale/ne/LC_MESSAGES/newt.mo
#usr/share/locale/nl/LC_MESSAGES/newt.mo
-#usr/share/locale/nn
-#usr/share/locale/nn/LC_MESSAGES
#usr/share/locale/nn/LC_MESSAGES/newt.mo
-#usr/share/locale/pa
-#usr/share/locale/pa/LC_MESSAGES
#usr/share/locale/pa/LC_MESSAGES/newt.mo
#usr/share/locale/pl/LC_MESSAGES/newt.mo
#usr/share/locale/pt/LC_MESSAGES/newt.mo
@@ -113,20 +71,12 @@ usr/lib/libnewt.so.0.52.21
#usr/share/locale/sl/LC_MESSAGES/newt.mo
#usr/share/locale/sq/LC_MESSAGES/newt.mo
#usr/share/locale/sr/LC_MESSAGES/newt.mo
-#usr/share/locale/sr(a)latin
-#usr/share/locale/sr(a)latin/LC_MESSAGES
#usr/share/locale/sr(a)latin/LC_MESSAGES/newt.mo
#usr/share/locale/sv/LC_MESSAGES/newt.mo
#usr/share/locale/ta/LC_MESSAGES/newt.mo
-#usr/share/locale/te
-#usr/share/locale/te/LC_MESSAGES
#usr/share/locale/te/LC_MESSAGES/newt.mo
-#usr/share/locale/tg
-#usr/share/locale/tg/LC_MESSAGES
#usr/share/locale/tg/LC_MESSAGES/newt.mo
#usr/share/locale/th/LC_MESSAGES/newt.mo
-#usr/share/locale/tl
-#usr/share/locale/tl/LC_MESSAGES
#usr/share/locale/tl/LC_MESSAGES/newt.mo
#usr/share/locale/tr/LC_MESSAGES/newt.mo
#usr/share/locale/uk/LC_MESSAGES/newt.mo
@@ -134,8 +84,6 @@ usr/lib/libnewt.so.0.52.21
#usr/share/locale/wo
#usr/share/locale/wo/LC_MESSAGES
#usr/share/locale/wo/LC_MESSAGES/newt.mo
-#usr/share/locale/xh
-#usr/share/locale/xh/LC_MESSAGES
#usr/share/locale/xh/LC_MESSAGES/newt.mo
#usr/share/locale/zh_CN/LC_MESSAGES/newt.mo
#usr/share/locale/zh_TW/LC_MESSAGES/newt.mo
diff --git a/lfs/newt b/lfs/newt
index 51ec5f99a..fa2254d2e 100644
--- a/lfs/newt
+++ b/lfs/newt
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 0.52.21
+VER = 0.52.23
THISAPP = newt-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = a0d6a15f87fe04dc535e65fcd28606cd666142d006a53b6ee0c8387a6295215e44f1815ac56ceb56b561ca9b5bc8f3cab2d04b5decd62642f46b744333dc7e34
+$(DL_FILE)_BLAKE2 = 55046155d02a406ac618f9c1a1f668e6794b6875e4d9083e3d5da32fe008df3deb79eddadfce40c193346b7a705b8c5c18e7bb7076e8ea8729f35384fa944a97
install : $(TARGET)
--
2.40.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] openssh: Update to version 9.3p1
2023-03-27 21:27 [PATCH] libcap: Update to version 2.67 Adolf Belka
2023-03-27 21:27 ` [PATCH] newt: Update to version 0.52.23 Adolf Belka
@ 2023-03-27 21:27 ` Adolf Belka
2023-04-18 21:12 ` Peter Müller
2023-03-27 21:27 ` [PATCH] pciutils: Update to version 3.9.0 Adolf Belka
2023-03-27 21:27 ` [PATCH] slang: Update to version 2.3.3 Adolf Belka
3 siblings, 1 reply; 6+ messages in thread
From: Adolf Belka @ 2023-03-27 21:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 5698 bytes --]
- Update from version 9.2p1 to 9.3p1
- Update of rootfile not required
- Removal of patch as this was only required for i586 builds which are no longer done in
IPFire
- Changelog
9.3p1 (2023-03-15)
This release fixes a number of security bugs.
Security
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
problem was found by the Coverity static analyzer.
New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
outputting SSHFP fingerprints to allow algorithm selection. bz3493
* sshd(8): add a `sshd -G` option that parses and prints the
effective configuration without attempting to load private keys
and perform other checks. This allows usage of the option before
keys have been generated and for configuration evaluation and
verification by unprivileged users.
Bugfixes
* scp(1), sftp(1): fix progressmeter corruption on wide displays;
bz3534
* ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
of private keys as some systems are starting to disable RSA/SHA1
in libcrypto.
* sftp-server(8): fix a memory leak. GHPR363
* ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
compatibility code and simplify what's left.
* Fix a number of low-impact Coverity static analysis findings.
These include several reported via bz2687
* ssh_config(5), sshd_config(5): mention that some options are not
first-match-wins.
* Rework logging for the regression tests. Regression tests will now
capture separate logs for each ssh and sshd invocation in a test.
* ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
says it should; bz3532.
* ssh(1): ensure that there is a terminating newline when adding a
new entry to known_hosts; bz3529
Portability
* sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
mmap(2), madvise(2) and futex(2) flags, removing some concerning
kernel attack surface.
* sshd(8): improve Linux seccomp-bpf sandbox for older systems;
bz3537
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
lfs/openssh | 5 ++---
...SH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch | 13 -------------
2 files changed, 2 insertions(+), 16 deletions(-)
delete mode 100644 src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
diff --git a/lfs/openssh b/lfs/openssh
index 89f486a79..5a18edd70 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -24,7 +24,7 @@
include Config
-VER = 9.2p1
+VER = 9.3p1
THISAPP = openssh-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21
+$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d
install : $(TARGET)
@@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
diff --git a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch b/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
deleted file mode 100644
index 5199872d9..000000000
--- a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -Naur openssh-8.2p1.org/sandbox-seccomp-filter.c openssh-8.2p1/sandbox-seccomp-filter.c
---- openssh-8.2p1.org/sandbox-seccomp-filter.c 2020-04-10 18:14:56.152309584 +0200
-+++ openssh-8.2p1/sandbox-seccomp-filter.c 2020-04-10 21:05:45.827921765 +0200
-@@ -253,6 +253,9 @@
- #endif
- #ifdef __NR_clock_nanosleep_time64
- SC_ALLOW(__NR_clock_nanosleep_time64),
-+#else
-+ /* on i586 glibc call syscall 407 which is not defined */
-+ SC_ALLOW(407),
- #endif
- #ifdef __NR_clock_gettime64
- SC_ALLOW(__NR_clock_gettime64),
--
2.40.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] pciutils: Update to version 3.9.0
2023-03-27 21:27 [PATCH] libcap: Update to version 2.67 Adolf Belka
2023-03-27 21:27 ` [PATCH] newt: Update to version 0.52.23 Adolf Belka
2023-03-27 21:27 ` [PATCH] openssh: Update to version 9.3p1 Adolf Belka
@ 2023-03-27 21:27 ` Adolf Belka
2023-03-27 21:27 ` [PATCH] slang: Update to version 2.3.3 Adolf Belka
3 siblings, 0 replies; 6+ messages in thread
From: Adolf Belka @ 2023-03-27 21:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2997 bytes --]
- Update from version 3.8.0 to 3.9.0
- Update of rootfile
- Changelog
3.9.0.
* We decode Compute Express Link (CXL) capabilities.
* The tree mode of lspci is now compatible with filtering options.
* When setpci is used with a named register, it checks whether
the register is present in the particular header type.
* Linux: The intel-conf[12] back-ends prefer to use ioperm() instead
of iopl() to gain access to I/O ports.
* Windows: We have two new back-ends thanks to Pali Rohár.
One uses the NT SysDbg interface, the other uses kldbgdrv.sys
(which is a part of the Microsoft WinDbg tool).
* Windows: We support building libpci as a DLL. Also, Windows
binaries now include meta-data with version.
* Hurd: The Hurd back-end works again.
* mmio-conf1(-ext): Added a new back-end implementing the intel-conf1
interface over MMIO. This is useful on some ARM machines, but it
requires manual configuration of the MMIO addresses.
* As usually, updated pci.ids to the current snapshot of the database.
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/rootfiles/common/pciutils | 2 +-
lfs/pciutils | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/pciutils b/config/rootfiles/common/pciutils
index 6d5cc55a4..067f269f3 100644
--- a/config/rootfiles/common/pciutils
+++ b/config/rootfiles/common/pciutils
@@ -1,7 +1,7 @@
bin/lspci
bin/setpci
lib/libpci.so.3
-lib/libpci.so.3.8.0
+lib/libpci.so.3.9.0
sbin/update-pciids
#usr/include/pci
#usr/include/pci/config.h
diff --git a/lfs/pciutils b/lfs/pciutils
index e01559b1e..fdfeb4838 100644
--- a/lfs/pciutils
+++ b/lfs/pciutils
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 3.8.0
+VER = 3.9.0
THISAPP = pciutils-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 7339189f7115af31ccc19663d54e12ef966fbcd75c6b6b4c28c8ddcaafa3e233313ca14300ef70100edb00f5f2e1e767af9d6527a9d836edd07b598f0a40f4f4
+$(DL_FILE)_BLAKE2 = 59d2a151b114691980b8f0a0bfdf8e48b9e1a0a9976df6dbc94962c251d8bfc61e7bd3b0f3c47a4295f52b5df67ad0e44ed6f2e6a87728e213e4ef0b8a55c028
install : $(TARGET)
--
2.40.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] slang: Update to version 2.3.3
2023-03-27 21:27 [PATCH] libcap: Update to version 2.67 Adolf Belka
` (2 preceding siblings ...)
2023-03-27 21:27 ` [PATCH] pciutils: Update to version 3.9.0 Adolf Belka
@ 2023-03-27 21:27 ` Adolf Belka
3 siblings, 0 replies; 6+ messages in thread
From: Adolf Belka @ 2023-03-27 21:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 13239 bytes --]
- Update from version 2.3.2 to 2.3.3
- Update of rootfile
- Changelog
2.3.3
1. src/slposdir.c: stat_file now support open file descriptors, in
addition to filenames.
2. src/sltoken.c: Ignore the \r character in multiline strings that
appear to have CRLF line terminators. (Manfred Hanke)
3. *.tm: minor documentation updates
4. src/slang.h: SLANG_VERSION_STRING was missing the "pre" prefix.
5. src/sltermin.c: Added support for TERMINFO_DIRS (based upon a patch
forwarded by Jörg Thalheim)
6. src/slarray.c: src/slarray.c: some integer overflow checks were
resulting undefined behavior (reported by Sergey)
7. modules/csv.sl: Strip leading/trailing whitespace from column names
8. src/slsmg.c,sldisply.c: Removed static buffers with sizes dependent
upon SLTT_MAX_SCREEN_ROWS/COLS in favor of dynamically allocated
ones.
9. modules/chksum-module: added CRC-8,16,32 checksums to the chksum module
10. modules/csv.sl: An error message in the form of a dollar-string
was not marked as such.
11. modules/csv.sl: Added support for empty CSV files
12. src/sltime.c: The timegm function will ignore the tm_wday and
tm_yday fields, and instead use the tm_mon and tm_mday fields.
13. modules/mkfiles/makefile.all: Added a target for chksum_crc.o for
win32/64 platforms (see change #9)
14. modules/chksum-module.c: The memset function was used with the
wrong structure size causing a buffer overflow on 32 bit systems.
15. src/terminfo/parsecaps.sl: Tweaked an auto-generated comment
produced by parsecaps.sl to produce a more deterministic build
(Ian Rogers).
16. src/slarray.c: Changed two instances of index errors to throw an
IndexError exception instead of InvalidParmError exception.
17. src/slposdir.c; The statvfs function was returning a struct with
duplicated f_bsize fields.
18. *.c: In switch statements, changed the /* drop */ comment to /*
fall through */ to avoid gcc-8 warnings.
19. modules/csv.sl: If a comment string appears at the start of a line
forming a multiline string, then treat it as part of the string.
20. slsh/lib/timestamp.sl: Added a function timestamp_parse that parses
strings such as `Thu May 14 18:05:05 2020` and returns the number
of seconds since the Unix epoch.
21. src/slregexp.c: Added \D (non-digit), \s (whitespace), and \S
(non-whitespace).
22. src/slstrops.c: Added a compiled regexp cache
23. src/slstdio.c: Added trim qualifier to the fgetlines intrinsic:
;trim=1 ==> trim trailing whitespace
;trim=2 ==> trim leading whitespace
;trim=3 ==> trim leading and trailing whitespace
24. slsh/lib/timestamp.sl: When matching a regexp to a timestamp,
start with the RE that was used in the previous match.
25. Another timestamp RE tweak to pickup additional irregular forms
26. modules/csv.sl: If a CSV file has a byte-order mark (BOM), ignore it.
27. src/sldisply.c: Increased the buffer size for the SLtt_tgoto
function to allow for larger terminfo strings
28. modules/Makefile.in: Added STATS_OBJS to the clean target
29. src/slstrops.c: The is_substr function was not handling a NULL
argument
30. slsh/lib/timestamp.sl: Corrected a regular expression for a
timestamp with "Z" as the timezone.
31. modules/csv-module.c: Fields with an embedded \r were not being
properly handled.
32. src/slarray.c: Improved the speed of multi-dimensional array
indexing by about a factor of 2
33. slsh/lib/timestamp.sl: The computation of leap days was incorrect
for some years
34. src/slang.h: Added `typedef void (*SLFVOID_STAR)(void)', which
will replace FVOID_STAR in version 3. The library code was
updated to use this.
35. slsh/lib/fswalk.sl: Added an optional callback argument to the
fswalk that is called when leaving a directory.
36. modules/termios-module.c: Avoid a potential problem with the
tcgetpgrp intrinsic in the unlikely case that sizeof(pid_t) is
larger than sizeof(int).
37. src/slarray.c: Simplified the range checking in the
linear_get_data_addr function and removed unused code.
38. Updated the copyright year
39. slsh/lib/fswalk.sl: Change #35 regression: The get_stat function
was being called with the wrong number of arguments.
40. src/slarith.c: Additional binary arithmetic optimizations involving
arrays of char and short.
41. src/slang.c,slarray.c: Added qualifier support to the array_map
function.
42. src/slang.c: Flagged the use of an uninitialized variable as soon
as it is accessed ("pushed") rather than waiting until it is used
("popped"). Fixed a bug in slsh/lib/setfuns.sl:union that was
detected by this change.
43. src/sl-feat.h: Floating point support by the interpreter is now
required. The library has not compiled without it for a long
time. As such, this option is no longer available.
44. */test/*.sl: Surrounded regression test code that makes use of
complex numbers with `#ifexists Complex_Type' so that they run
when the interpreter is compiled without complex variable support.
45. src/slarray.c: The _pSLarray1d_push_elem needed to be exposed when
compiling the interpreter without optimization.
46. src/slarith.c,...: Rewrote the various macros used by this file to
simplify the code, permit better optimization, and easier
maintenance. Some of the loops were also unrolled.
47. src/slarray.c: Made the array bounds index checking code more
uniform for better readability.
48. src/slarray.c: The previous change introduced a bug that caused
array indexing with no (empty) indices to fail.
49. modules/chksum-module.c: When a CRC object went out of scope
without being closed, it would leave its value on the stack.
50. slsh/lib/process.sl: If the file descriptor that is used to
communicate messages from the child process back to the parent is
requested by the caller, then dup an unused one. To facilitate
testing, two additional hooks were added: exit_hook and exec_hook.
51. slsh/lib/cmdopt.sl: If a command line option is associated with a
callback function, and the value of the command line argument is
optional, pass the default value to the callback if not given on
the command line.
52. modules: Added cumulant function to the stats module; updated
regression scripts/unit tests for better code coverage; fixed a
bug in the _zlib_inflate_reset function where deflateReset was
being called instead of inflateReset.
53. slsh/lib: Updated unit/regression tests for better coverage
54. slsh/lib/print.sl: Use >= instead of > when comparing the number
of screen rows to determine if the pager should be used.
55. modules/chksum-module: Added sha224, sha256, sha384, and sha512
algorithms kindly provided by Jakob Stierhof
56. modules/chksum-module: Added HMAC message authentication code
algorithm (Jakob Stierhof)
57. modules/mkfiles/makefile.all: Added chksum_sha2 to the non-Unix
makefile.
58. src/slgetkey.c: Use memmove instead of SLMEMCPY to avoid issues
with coping to an overlapping buffer. (William Ahern)
59. modules/pcre.sl: The options qualifier was not being properly
handled by the pcre_matches function.
60. src/_slang.h,etc: replaced the dependence of the internal
_pSLang_get_run_stack* functions, which return absolute pointers,
in favor of relative offsets.
61. src/slang.c: Made the run-time stack dynamically growable up to a
maximum configured size.
62. modules/: Documentation updates
63. src/: Added _set_bos/f_compile_hook functions to specify a
function to get called when a statement or function gets compiled.
64. src/sllimits.h: Reduced the initial stack size to a value similar
to what it was before change #61.
65. src/slarrfun.c: array_swap was returning a copy of the input array
when when swapping an array element with itself (bug reported by
Jakob Stierhof)
66. modules/csv.sl: If _csv_decode_row fails, include in the error
message the line number of the file where the error was detected
67. modules/socket-module.c: Corrected an error message for the bind
function
68. Updated the copyright year
69. Added slcov script which generates lcov-compatible code coverage
data
70. autoconf/aclocal.m4: Updated to v0.3.4.1
71. slsh/Makefile.in: Changed the order of the linker flags to avoid a
linking problem on MacPorts (Ryan Schmidt)
72. slsh/lib/cmdopt.sl: Corrected a usage message
73. src/slposio.c: Added the flock function for the creation of
advisory locks
74. src/slcurses.h: Added 'extern "C"' to enable the file to be used
in C++ programs; also marked some variables as dynamically
exportable by using SL_EXTERN (Gisle Vanem)
75. src/slstrops.c: "%0*" was being flagged as invalid by the sprintf
function (Jakob Stierhof)
76. modules/csv.sl: When writing a CSV file with a single row, convert
any scalar data values to single element arrays.
77. src/Makefile.in, slsh/Makefile.in: Addressed some dependency
problems found by `make --shuffle` that were causing parallel
builds to fail (Sergei Trofimovich)
78. src/slarray.c: Flag out-of-range indexing of indefinite ranges
involving negative indexes, e.g., x = [1]; y = x[[-2:]];
Previousely this resulted in y = [1,1] instead of an error.
79. modules/csv.sl: Avoid indexing an empty array with a negative
index (detected by change #78)
80. src/slarray:c: #78 was flagging x[[:-2]] as invalid instead of
producing an empty array for x=[1]
81. src/slarray.c: Tweaked the handling of negative indices in
indefinite ranges such that x[[:-i]] will produce an empty array
wheneve i > length(x)
82. src/sltermin.c: Added support for so-called user-defined terminfo
extensions. In particular, if the terminfo file defines RGB=true,
then truecolor support will be enabled.
83. src/sldisply.c: The Has_True_Color variable was not defined for 32
bit systems
84. modules/csv.sl: Improved read speed for large CSV files
85. src/test/posixio.sl: Do not test the flock function using an NFS
mounted direcory, which requires lockd to be running on the server
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/rootfiles/common/slang | 5 ++++-
lfs/slang | 6 +++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/slang b/config/rootfiles/common/slang
index 072e1baf4..223458e14 100644
--- a/config/rootfiles/common/slang
+++ b/config/rootfiles/common/slang
@@ -4,7 +4,7 @@
#usr/include/slcurses.h
#usr/lib/libslang.so
usr/lib/libslang.so.2
-usr/lib/libslang.so.2.3.2
+usr/lib/libslang.so.2.3.3
#usr/lib/pkgconfig/slang.pc
#usr/lib/slang
#usr/lib/slang/v2
@@ -118,6 +118,7 @@ usr/lib/slang/v2/modules/zlib-module.so
#usr/share/slsh/help/sockfuns.hlp
#usr/share/slsh/help/statsfuns.hlp
#usr/share/slsh/help/structfuns.hlp
+#usr/share/slsh/help/timestamp.hlp
#usr/share/slsh/histogram.sl
#usr/share/slsh/iconv.sl
#usr/share/slsh/json.sl
@@ -144,6 +145,7 @@ usr/lib/slang/v2/modules/zlib-module.so
#usr/share/slsh/scripts
#usr/share/slsh/scripts/jpegsize
#usr/share/slsh/scripts/lsrpm
+#usr/share/slsh/scripts/slcov
#usr/share/slsh/scripts/sldb
#usr/share/slsh/scripts/slprof
#usr/share/slsh/scripts/slstkchk
@@ -166,5 +168,6 @@ usr/lib/slang/v2/modules/zlib-module.so
#usr/share/slsh/structfuns.sl
#usr/share/slsh/sysconf.sl
#usr/share/slsh/termios.sl
+#usr/share/slsh/timestamp.sl
#usr/share/slsh/varray.sl
#usr/share/slsh/zlib.sl
diff --git a/lfs/slang b/lfs/slang
index 49d8da500..cafbb7310 100644
--- a/lfs/slang
+++ b/lfs/slang
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 2.3.2
+VER = 2.3.3
THISAPP = slang-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = e923a431e6273f1783c40dc09b2e324ace22e41a163fd46dcb8ab16c9ef27f190651df8da24432edc75890b83cd95051a835d5e582385bb23e36cd8ae18e6d24
+$(DL_FILE)_BLAKE2 = 2f304b25e807fe38b544479f4a6e98723816d08cda576177a270df736d7db8992a478f980333afc10a7bc0b5dc5508e49b33a13de02f0466f065efdfa3b7b351
install : $(TARGET)
--
2.40.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] openssh: Update to version 9.3p1
2023-03-27 21:27 ` [PATCH] openssh: Update to version 9.3p1 Adolf Belka
@ 2023-04-18 21:12 ` Peter Müller
0 siblings, 0 replies; 6+ messages in thread
From: Peter Müller @ 2023-04-18 21:12 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 6019 bytes --]
As always, thank you very much!
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> - Update from version 9.2p1 to 9.3p1
> - Update of rootfile not required
> - Removal of patch as this was only required for i586 builds which are no longer done in
> IPFire
> - Changelog
> 9.3p1 (2023-03-15)
> This release fixes a number of security bugs.
> Security
> This release contains fixes for a security problem and a memory
> safety problem. The memory safety problem is not believed to be
> exploitable, but we report most network-reachable memory faults as
> security bugs.
> * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
> per-hop destination constraints (ssh-add -h ...) added in OpenSSH
> 8.9, a logic error prevented the constraints from being
> communicated to the agent. This resulted in the keys being added
> without constraints. The common cases of non-smartcard keys and
> keys without destination constraints are unaffected. This problem
> was reported by Luci Stanescu.
> * ssh(1): Portable OpenSSH provides an implementation of the
> getrrsetbyname(3) function if the standard library does not
> provide it, for use by the VerifyHostKeyDNS feature. A
> specifically crafted DNS response could cause this function to
> perform an out-of-bounds read of adjacent stack data, but this
> condition does not appear to be exploitable beyond denial-of-
> service to the ssh(1) client.
> The getrrsetbyname(3) replacement is only included if the system's
> standard library lacks this function and portable OpenSSH was not
> compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
> only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
> problem was found by the Coverity static analyzer.
> New features
> * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
> outputting SSHFP fingerprints to allow algorithm selection. bz3493
> * sshd(8): add a `sshd -G` option that parses and prints the
> effective configuration without attempting to load private keys
> and perform other checks. This allows usage of the option before
> keys have been generated and for configuration evaluation and
> verification by unprivileged users.
> Bugfixes
> * scp(1), sftp(1): fix progressmeter corruption on wide displays;
> bz3534
> * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
> of private keys as some systems are starting to disable RSA/SHA1
> in libcrypto.
> * sftp-server(8): fix a memory leak. GHPR363
> * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
> compatibility code and simplify what's left.
> * Fix a number of low-impact Coverity static analysis findings.
> These include several reported via bz2687
> * ssh_config(5), sshd_config(5): mention that some options are not
> first-match-wins.
> * Rework logging for the regression tests. Regression tests will now
> capture separate logs for each ssh and sshd invocation in a test.
> * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
> says it should; bz3532.
> * ssh(1): ensure that there is a terminating newline when adding a
> new entry to known_hosts; bz3529
> Portability
> * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
> mmap(2), madvise(2) and futex(2) flags, removing some concerning
> kernel attack surface.
> * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
> bz3537
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> lfs/openssh | 5 ++---
> ...SH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch | 13 -------------
> 2 files changed, 2 insertions(+), 16 deletions(-)
> delete mode 100644 src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
>
> diff --git a/lfs/openssh b/lfs/openssh
> index 89f486a79..5a18edd70 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 9.2p1
> +VER = 9.3p1
>
> THISAPP = openssh-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21
> +$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d
>
> install : $(TARGET)
>
> @@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> cd $(DIR_APP) && ./configure \
> --prefix=/usr \
> --sysconfdir=/etc/ssh \
> diff --git a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch b/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> deleted file mode 100644
> index 5199872d9..000000000
> --- a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> +++ /dev/null
> @@ -1,13 +0,0 @@
> -diff -Naur openssh-8.2p1.org/sandbox-seccomp-filter.c openssh-8.2p1/sandbox-seccomp-filter.c
> ---- openssh-8.2p1.org/sandbox-seccomp-filter.c 2020-04-10 18:14:56.152309584 +0200
> -+++ openssh-8.2p1/sandbox-seccomp-filter.c 2020-04-10 21:05:45.827921765 +0200
> -@@ -253,6 +253,9 @@
> - #endif
> - #ifdef __NR_clock_nanosleep_time64
> - SC_ALLOW(__NR_clock_nanosleep_time64),
> -+#else
> -+ /* on i586 glibc call syscall 407 which is not defined */
> -+ SC_ALLOW(407),
> - #endif
> - #ifdef __NR_clock_gettime64
> - SC_ALLOW(__NR_clock_gettime64),
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-04-18 21:12 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-27 21:27 [PATCH] libcap: Update to version 2.67 Adolf Belka
2023-03-27 21:27 ` [PATCH] newt: Update to version 0.52.23 Adolf Belka
2023-03-27 21:27 ` [PATCH] openssh: Update to version 9.3p1 Adolf Belka
2023-04-18 21:12 ` Peter Müller
2023-03-27 21:27 ` [PATCH] pciutils: Update to version 3.9.0 Adolf Belka
2023-03-27 21:27 ` [PATCH] slang: Update to version 2.3.3 Adolf Belka
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox