This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.
|Traceback (most recent call last):
| File "certdata2pem.py", line 125, in <module>
| cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1
...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
| File "/certdata2pem.py", line 31, in <module>
| from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'
More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."
Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 25bc66eb40)
This driver is backported from the v6.0 which deals with
"linux,default-trigger" in leds core. For kernel 5.4 we need
leds-bcm63138 to read trigger on its own.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This update mac80211 to version 5.10.168-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4ae86b3358)
The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 21.02, so it doesn't have to be removed.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
fixes the problem that the banana pi m2 berry cannot connect to wifi and cannot be used as an access point
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit ff2bb16730)
Signed-off-by: LizenzFass78851 <82592556+LizenzFass78851@users.noreply.github.com>
As of upstream Linux commit 0fe1e96fef0a ("powerpc/pci: Prefer PCI
domain assignment via DT 'linux,pci-domain' and alias"), the PCIe
domain address is no longer numbered by the lowest 16 bits of the PCI
register address after a fallthrough. Instead of the fallthrough, the
enumeration process accepts the alias ID (as determined by
`of_alias_scan()`). This causes e.g.:
9000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
9000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...
to become
0000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
0000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...
... which then causes the sysfs path of the netdev to change,
invalidating the `wifi_device.path`s enumerated in
`/etc/config/wireless`.
One other solution might be to migrate the uci configuration, as was
done for mvebu in commit 0bd5aa89fc ("mvebu: Migrate uci config to
new PCIe path"). However, there are concerns that the sysfs path will
change once again once some upstream patches[^2][^3] are merged and
backported (and `CONFIG_PPC_PCI_BUS_NUM_DOMAIN_DEPENDENT` is enabled).
Instead, remove the aliases and allow the fallthrough to continue for
now. We will provide a migration in a later release.
This was first reported as a Github issue[^1].
[^1]: https://github.com/openwrt/openwrt/issues/10530
[^2]: https://lore.kernel.org/linuxppc-dev/20220706104308.5390-1-pali@kernel.org/t/#u
[^3]: https://lore.kernel.org/linuxppc-dev/20220706101043.4867-1-pali@kernel.org/Fixes: #10530
Tested-by: Martin Kennedy <hurricos@gmail.com>
[Tested on the Aerohive HiveAP 330 and Extreme Networks WS-AP3825i]
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
(cherry picked from commit 7f4b4c29f3)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
This was done by running these commands:
./scripts/kconfig.pl '+' target/linux/generic/config-5.4 /dev/null > target/linux/generic/config-5.4-new
mv target/linux/generic/config-5.4-new target/linux/generic/config-5.4
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
OpenWrt provides kmod-asn1-decoder for CONFIG_ASN1 but selecting it
doesn't really work as expected. Kernel symbol is hidden and can be
actually selected only as a dependency. That works well for in-kernel
stuff but fails for external modules requiring ASN1 like ksmbd.
Modify kernel Kconfig to make CONFIG_ASN1 always selectable. It's
required to satisfy ksmbd dependencies cleanly (without hack like
selecting unrelated modules).
Link: http://lists.openwrt.org/pipermail/openwrt-devel/2023-January/040298.html
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Allign dl_github_archieve.py to 8252511dc0
change. On supported system the sigid bit is applied to files and tar
archieve that on tar creation. This cause unreproducible tar for these
system and these bit should be dropped to produce reproducible tar.
Add the missing option following the command options used in other
scripts.
Fixes: 75ab064d2b ("build: download code from github using archive API")
Suggested-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 5f1758ef14)
Add driver for NVM Express block devices, ie. PCIe connected SSDs.
Targets which allow booting from NVMe (x86, maybe some mvebu boards come
to mind) should have it built-in, so rootfs can be mounted from there.
For targets without NVMe support in bootloader or BIOS/firmware it's
sufficient to provide the kernel module package.
On targets having the NVMe driver built-in the resulting kmod package
is an empty dummy. In any case, depending on or installing kmod-nvme
results in driver support being available (either because it was already
built-in or because the relevant kernel modules are added and loaded).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit dbe53352e3)
These have long been obsolete. For reference, here's the Linux version where
each symbol has been dropped:
CONFIG_IP6_NF_QUEUE - 3.5
CONFIG_IP6_NF_TARGET_LOG - 3.4
CONFIG_IP_NF_MATCH_DSCP - 2.6.19
CONFIG_NF_CONNTRACK_IPV4 - 4.19
CONFIG_NF_CONNTRACK_IPV6 - 4.19
CONFIG_NF_CONNTRACK_RTCACHE - out-of-tree, superseded by flow offloading
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry picked from commit d7956c5728)
The isdn4linux drivers and subsystem was removed in kernel 5.3, remove
the kernel package also from OpenWrt.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db55dea5fc)
The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2a0284fb03)
The w1_ds2760.ko driver was merged into the ds2760_battery.ko driver.
The driver was removed and this package was never build any more.
This happened with kernel 4.19.
Remove this unused package.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5808973d14)
The rtc-pt7c4338.ko was never upstream under this name, the driver was
removed from OpenWrt some years ago, remove the kmod-rtc-pt7c4338
package too.
Fixes: 74d00a8c38 ("kernel: split patches folder up into backport, pending and hack folders")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5ccf4dcf88)
When a new tag for a release is created, the just checkout repo from
github actions will already have such tag locally created.
This will result in git fetch --tags failing with error rejecting the
remote tag with (would clobber existing tag).
Add -f option to overwrite any local tags and always fetch them from
remote.
Fixes: e24a1e6f6d ("CI: build: add support for external toolchains from stable branch")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit f655923b36)
It isn't used at the moment but let's fix it anyway.
This fixes:
CC drivers/net/dsa/ocelot/felix.o
drivers/net/dsa/ocelot/felix.c:646:22: error: initialization of 'enum dsa_tag_protocol (*)(struct dsa_switch *, int, enum dsa_tag_protocol)' from incompatible pointer type 'enum dsa_tag_protocol (*)(struct dsa_switch *, int)' [-Werror=incompatible-pointer-types]
.get_tag_protocol = felix_get_tag_protocol,
^~~~~~~~~~~~~~~~~~~~~~
for users enabling CONFIG_NET_DSA_MSCC_FELIX.
Fixes: 1f5024aa73 ("kernel: backport b53/bcm_sf2 changes from v5.6")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fix cannot build: Reference to non-existent node or label
"macaddr_factory_e000" dtb compilation error.
The cherry-pick had to be reworked to use the old mtd-mac-address way as
openwrt-21.02 still wasn't migrated to nvmem implementation.
Fixes: d604032c2a ("ramips: fix GB-PC1 and GB-PC2 device support")
Fixes: #11654Fixes: #11385
Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
[ rework commit message, add more fixes tag ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This backports a commit from upstream dnsmasq to fix CVE-2022-0934.
CVE-2022-0934 description:
A single-byte, non-arbitrary write/use-after-free flaw was found in
dnsmasq. This flaw allows an attacker who sends a crafted packet
processed by dnsmasq, potentially causing a denial of service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 002a99eccd)
Add support for EON EN25QX128A spi nor flash with no flags as it does
support SFDP parsing.
Fixes: #9442
Tested-by: Szabolcs Hubai <szab.hu@gmail.com> [ramips/mt7621: xiaomi_mi-router-4a-gigabit]
(cherry picked from commit d7876daf65)
[ apply the same patch to 5.4 kernel ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Fixed -no-pie compilation warning on MacOS
Fixed errors related to using absolute addressing on MacOS arm64
Based on upstream patch from Jessica Clarke and suggestions from Ronny Kotzschmar
Link to original patch and discussion:
3b142045e8
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
(cherry picked from commit 8261b85844)
We don't need to checkout feed and install feeds for kernel tests. This
saves up to 2 minutes for each target kernel build test.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 925e2a155e)
On cache hit, skip sdk adapt to external toolchain. This is needed because we
cache the already extracted sdk and that is already adapted to be used
as external toolchain.
Rerunning the adap step will result in the test to fail for missing file
as the file are already got wrapped to the external toolchain format.
Fixes: 42f0ab028e ("CI: build: fix use of sdk as toolchain")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 99eaedfe39)
Updating CMake to latest patched version 3.19.8 which is fixing issue with ccache.
Related issue: https://github.com/openwrt/openwrt/issues/8555
Compile-tested: arm64
Signed-off-by: Adam Konrad <git@adamkonrad.com>
The toolchain included in a sdk have a different format than an external
toolchain tar.
Since sdk is a more integrated setup doesn't use and include wrapper bin
that use the external toolchain config and use an alternative and more
standard way to include all the toolchain headers.
External toolchain use wrapper.sh to append the configured include
header when each tool is called.
Fix the sdk toolchain by reverting their own sdk wrapper scripts and to
simulate an external toolchain build copying what is done in the
toolchain target makefile.
This handle compilation error and warning caused by not using fortify
header on building packages.
Fixes: 006e52545d ("CI: build: add support to fallback to sdk for external toolchain")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 42f0ab028e)
When we use the internal toolchain USE_SSTRIP will be selected by
default for musl libc and USE_STRIP when glibc is used. Do the same when
an external toolchain is used. USE_GLIBC will also be set for external
toolchain builds based on the EXTERNAL_TOOLCHAIN_LIBC_USE_GLIBC setting.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 9403810c02)
Expose the SDK options for binary stripping to the menuconfig. This
way, packages can easily be built with debug symbols using the SDK.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit bb817bb4b8)
Since kernel and packages workflow now use a shared build workflow, they
also need to react on changes on these shared workflow.
Fix this and add these shared workflow to the event paths to check.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 644175c29c)
The current match logic doesn't handle test for push events related to
stable release (example openwrt-22.03) but only fork with the related
prefix (example openwrt-22.03-fixup)
Fix wrong matching and while at it also add extra checks to other
matching (check if the branch name actually start with the requested
prefix)
Fixes: e24a1e6f6d ("CI: build: add support for external toolchains from stable branch")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit e3cf2b84e5)
The current match logic doesn't handle test for push events related to
stable release (example openwrt-22.03) but only fork with the related
prefix (example openwrt-22.03-fixup)
Fix wrong matching and while at it also add extra checks to other
matching (check if the branch name actually start with the requested
prefix)
Fixes: abe8a48242 ("CI: build: add support for per branch tools container")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 65c3d19c4b)
The label used for stable branch is in the form of
release/[0-9][0-9].[0-9][0-9]
Currently we apply the name of the target branch as the label, fix this
and correctly use the current label.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit af8bc8e51b)
Add support to tag pr targeting stable branch matching the simple regex
of openwrt-[0-9][0-9].[0-9][0-9]. The tag that will be added will match
the pr target branch.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b67d284e93)
Move the kernel versions and hash to dedicated files.
This makes kernel bump quicker and fix some annoying
problem with rebasing when multiple kernel bump are proposed.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[Rebased on top of current master]
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry picked from commit 0765466a42)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[Rebased on top of current openwrt-21.02]
Package with whitespace in their build directory are not correctly
removed when CONFIG_AUTOREMOVE is enabled. This is caused by xargs that
use whitespace as delimiters. To handle this use \0 as the delimiter and
set find to use \0 as the delimiter.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit dccee21792)
Add support to use sdk as external toolchain if the packaged external
toolchain tar is not found on openwrt servers for build shared workflow.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b59ac2a7d0)
Add support to use external toolchains from stable branch if we are
testing commit targeting stable openwrt branch in kernel and packages
workflow.
With pr the target branch is parsed and the right toolchain is used.
To use the stable toolchain for local testing the branch needs to have
the prefix openwrt-[0-9][0-9].[0-9][0-9]- (example openwrt-21.02-fixup)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit e24a1e6f6d)
Add support in build shared workflow for per branch tools container.
With pr the target branch is parsed and the right container is used.
To use the stable container for local testing the branch needs to have
the prefix openwrt-[0-9][0-9].[0-9][0-9]- (example openwrt-21.02-fixup)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit abe8a48242)
Add support to push per branch container tools.
For anything not official stick to latest tag that correspond to test
run from master.
If we are testing something for one of the openwrt stable branch, parse
the branch name or the tag and push dedicated tools containers.
To use the stable container for local testing the branch needs to have
the prefix openwrt-[0-9][0-9].[0-9][0-9] (example openwrt-21.02-fixup)
Any branch that will match this pattern openwrt-[0-9][0-9].[0-9][0-9]
will refresh the tools container with the matching tag.
(example branch openwrt-22.03 -> tools:openwrt-22.03)
(example branch openwrt-22.03-test -> tools:openwrt-22.03)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 75550771ae)
Christian Lamparter