staging/dangole/tools/patch, branch main Staging tree of Daniel Golle https://git-03.infra.openwrt.org/openwrt/staging/dangole/atom?h=main 2024-05-23T09:49:03Z tools: refresh all patches 2024-05-23T09:49:03Z Rosen Penev 2024-05-18T19:14:20Z urn:sha1:337b0c80cbbb2c76e80f9f970b03decedcd4c827 Refresh all tools patches now that tools/refresh correctly works. CI now checks for them and actively complain if tools have unrefreshed patches. Signed-off-by: Rosen Penev <rosenp@gmail.com> [ reword commit message ] Link: https://github.com/openwrt/openwrt/pull/15524 Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> tools: prefer gz or bz2 tarballs 2024-04-06T09:24:18Z Robert Marko 2024-04-03T17:12:57Z urn:sha1:bab3ae2ee7656600a185f4cef11cef94389023af In the light of recent XZ events, and fundamental XZ issues lets work on moving away from using XZ. So, use gz compressed tarballs as sources whenever possible. dwarves only offers bz2 compressed tarballs, so use those as size difference is minor compared to XZ. Signed-off-by: Robert Marko <robimarko@gmail.com> dwarves tools/patch: apply patch for EACCES on xattr copy 2022-11-20T17:44:43Z Thomas Weißschuh 2022-11-09T04:17:00Z urn:sha1:0d375de10dac3160c65c264bb91a5137ef4c0817 When compiling OpenWRT on a compressed btrfs volume the build fails in libtool. The file `libltdl/config/ltmain.m4sh` from `libtool-2.4.2.tar.xz` is missing write permissions, therefore patch falls back to copying the file and patching that. During this patch tries to preserve all file attribute on the new copy. However the attribute `btrfs.compression` is privileged and btrfs return EACCES. While patch ignores multiple other error codes during the copy of xattr copy it is not prepared for EACCES and aborts. EACCES should be ignored the same way as the other errors. Build log: ``` ... Applying ./patches/000-relocatable.patch using plaintext: patching file libltdl/config/general.m4sh patching file libtoolize.in patching file libtoolize.m4sh patching file libltdl/m4/libtool.m4 Applying ./patches/100-libdir-fixes.patch using plaintext: patching file libltdl/config/ltmain.m4sh File libltdl/config/ltmain.sh is read-only; trying to patch anyway patching file libltdl/config/ltmain.sh patch: setting attribute btrfs.compression for btrfs.compression: Permission denied Patch failed! Please fix ./patches/100-libdir-fixes.patch! ``` Link: https://lists.gnu.org/archive/html/bug-patch/2022-11/msg00000.html Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de> tools: add Host/Uninstall where possible 2022-10-19T22:33:22Z Rosen Penev 2022-09-28T08:23:56Z urn:sha1:a63805b25f99e609d575ee920baae269fb58794c This cleans staging_dir when calling tool/x/clean. Signed-off-by: Rosen Penev <rosenp@gmail.com> tools/patch: apply upstream patch for cve-2019-13638 2019-08-13T08:00:10Z Russell Senior 2019-08-11T20:57:08Z urn:sha1:bcfd1d76852974170780dbe368e6194dbb0e123e GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156. https://nvd.nist.gov/vuln/detail/CVE-2019-13638 Signed-off-by: Russell Senior <russell@personaltelco.net> tools/patch: apply upstream patch for CVE-2019-13636 2019-07-30T08:16:16Z Russell Senior 2019-07-29T19:09:09Z urn:sha1:995bcc532943639f3df36dbcaa361f9167f9f4d5 In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. https://nvd.nist.gov/vuln/detail/CVE-2019-13636 Signed-off-by: Russell Senior <russell@personaltelco.net> tools/patch: Add fedora patch for crashing git style patches 2018-11-01T16:16:52Z Rosen Penev 2018-10-31T23:55:14Z urn:sha1:32fc41baabc9e83a045a7a805b0d91a030cfbd3c https://lists.gnu.org/archive/html/bug-patch/2018-10/msg00000.html I assume a CVE number will be assigned soon. Signed-off-by: Rosen Penev <rosenp@gmail.com> tools: patch: Add missing CVE-2018-6951 fix 2018-10-16T10:51:10Z Rosen Penev 2018-10-15T17:17:29Z urn:sha1:a6bd9d0cb652686453604b762e80a35d023908c4 uscan reports a new CVE now that PKG_CPE_ID was added. Reordered patches by date. Signed-off-by: Rosen Penev <rosenp@gmail.com> [re-title commit & refresh patches] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> tools: patch: Fix build by not modifing Makefile.am 2018-10-14T14:47:15Z Hauke Mehrtens 2018-10-14T14:42:45Z urn:sha1:759f111f8d7f2d9f5f12713fc6f48ce6422997ec A new test case was adding in one of the patches fixing a problem, this also included a change in the test/Makefile.am to add this test case. The build system detected a change in the Makefile.am and wants to regenerate the Makefile.in, but this fails because automake-1.15 is not installed yet. As automake depends on patch being build first, make sure we do not modify the Makefile.am. This fixes build problem seen by the build bots. Fixes: 4797dddfde6 ("patch: apply upstream cve fixes") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> patch: apply upstream cve fixes 2018-10-14T12:36:09Z Russell Senior 2018-10-14T09:34:32Z urn:sha1:4797dddfde6a8ffdbdcb4e5b5e137b0a00313f62 Apply two upstream patches to address two CVEs: * CVE-2018-1000156 * CVE-2018-6952 Add PKG_CPE_ID to Makefile. Build tested on apm821xx and ar71xx. Signed-off-by: Russell Senior <russell@personaltelco.net>