Merge pull request #10975 from paulfertser/bump-openocd

openocd: update to current master, allow building without USB
5 years ago · d1cc51cd1a
--- a/utils/openocd/Makefile
+++ b/utils/openocd/Makefile
@ -8,14 +8,15 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=openocd
 PKG_SOURCE_VERSION:=0.10.0
 PKG_VERSION:=v$(PKG_SOURCE_VERSION)
 PKG_RELEASE:=2
 PKG_SOURCE_URL:=@SF/openocd
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.bz2
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_SOURCE_VERSION)
 PKG_HASH:=7312e7d680752ac088b8b8f2b5ba3ff0d30e0a78139531847be4b75c101316ae
 PKG_SOURCE_VERSION:=v0.10.0-1000-gdb23c13d
 PKG_VERSION:=$(PKG_SOURCE_VERSION)
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_URL:=git://git.code.sf.net/p/openocd/code
 PKG_MIRROR_HASH:=6f8c0ecf240427654ad5e911b44f78996da931209280f4a19c1215802ff14638
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@ -26,6 +27,8 @@ PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf
 PKG_CONFIG_DEPENDS:=CONFIG_PACKAGE_openocd_with_usb
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/nls.mk
@ -34,7 +37,18 @@ define Package/openocd
  CATEGORY:=Utilities
  TITLE:=OpenOCD Utility
  URL:=http://openocd.sf.net/
  DEPENDS:=+libusb-1.0 +libusb-compat +libftdi1 +hidapi
  DEPENDS:=+PACKAGE_openocd_with_usb:libusb-1.0 \
 	+PACKAGE_openocd_with_usb:libusb-compat \
 	+PACKAGE_openocd_with_usb:libftdi1 \
 	+PACKAGE_openocd_with_usb:hidapi
 endef
 define Package/openocd/config
  if PACKAGE_openocd
 	config PACKAGE_openocd_with_usb
 		bool "Build with support for USB adapters."
 		default y
  endif
 endef
 define Package/openocd/description
@ -55,13 +69,21 @@ the GNU GDB program (and the others who talk GDB protocol, e.g. IDA
 Pro).
 endef
 define Build/Prepare
 	$(call Build/Prepare/Default)
 	-$(RM) $(PKG_BUILD_DIR)/guess-rev.sh
 endef
 CONFIGURE_ARGS += \
 	--prefix="/usr" \
 	--disable-werror \
 	MAKEINFO=true \
 	$(if $(CONFIG_PACKAGE_openocd_with_usb),,PKG_CONFIG=false) \
 	--enable-dummy \
 	--enable-sysfsgpio
 TARGET_CFLAGS += -DRELSTR=\\\"-$(PKG_VERSION)-$(PKG_RELEASE)-OpenWrt\\\"
 define Build/Compile
        +$(MAKE_VARS) \
        $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(MAKE_PATH)
--- a/utils/openocd/patches/100-bind-localhost-only.patch
+++ b/utils/openocd/patches/100-bind-localhost-only.patch
@ -1,45 +0,0 @@
 Subject: Bind to IPv4 localhost by default
 Origin: other, http://openocd.zylin.com/#/c/4331/2
 Last-Update: 2018-01-18
 From f8630b0b15e30dc6c51270006a4e075c79cf466a Mon Sep 17 00:00:00 2001
 From: Paul Fertser <fercerpav@gmail.com>
 Date: Sat, 13 Jan 2018 16:22:10 +0300
 Subject: [PATCH] server: bind to IPv4 localhost by default
 Since OpenOCD basically allows to perform arbitrary actions on behalf of
 the running user, it makes sense to restrict the exposure by default.
 If you need network connectivity and your environment is safe enough,
 use "bindto 0.0.0.0" to switch to the old behaviour.
 Change-Id: I4a4044b90d0ecb30118cea96fc92a7bcff0924e0
 Signed-off-by: Paul Fertser <fercerpav@gmail.com>
 ---
 diff --git a/doc/openocd.texi b/doc/openocd.texi
 index 7f5b72e..5c7f465 100644
 --- a/doc/openocd.texi
 +++ b/doc/openocd.texi
@@ -7017,7 +7017,7 @@
 @deffn Command bindto [name]
 Specify address by name on which to listen for incoming TCP/IP connections.
 -By default, OpenOCD will listen on all available interfaces.
 +By default, OpenOCD will listen on the loopback interface only.
 @end deffn
 @anchor{targetstatehandling}
 diff --git a/src/server/server.c b/src/server/server.c
 index 1e52e97..ea1e898 100644
 --- a/src/server/server.c
 +++ b/src/server/server.c
@@ -259,7 +259,7 @@
 		c->sin.sin_family = AF_INET;
 		if (bindto_name == NULL)
 -			c->sin.sin_addr.s_addr = INADDR_ANY;
 +			c->sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
 		else {
 			hp = gethostbyname(bindto_name);
 			if (hp == NULL) {
--- a/utils/openocd/patches/101-cve-2018-5704-css-fix.patch
+++ b/utils/openocd/patches/101-cve-2018-5704-css-fix.patch
@ -1,47 +0,0 @@
 Subject: Prevent some forms of Cross Protocol Scripting attacks
 Author: Andreas Fritiofson <andreas.fritiofson@gmail.com>
 Origin: other, http://openocd.zylin.com/#/c/4335/
 Bug-Debian: https://bugs.debian.org/887488
 Last-Update: 2018-01-18
 From 3a223ca3ebc7ac24d7726a0cd58e5695bc813657 Mon Sep 17 00:00:00 2001
 From: Andreas Fritiofson <andreas.fritiofson@gmail.com>
 Date: Sat, 13 Jan 2018 21:00:47 +0100
 Subject: [PATCH] CVE-2018-5704: Prevent some forms of Cross Protocol Scripting attacks
 OpenOCD can be targeted by a Cross Protocol Scripting attack from
 a web browser running malicious code, such as the following PoC:
 var x = new XMLHttpRequest();
 x.open("POST", "http://127.0.0.1:4444", true);
 x.send("exec xcalc\r\n");
 This mitigation should provide some protection from browser-based
 attacks and is based on the corresponding fix in Redis:
 https://github.com/antirez/redis/blob/8075572207b5aebb1385c4f233f5302544439325/src/networking.c#L1758
 Change-Id: Ia96ebe19b74b5805dc228bf7364c7971a90a4581
 Signed-off-by: Andreas Fritiofson <andreas.fritiofson@gmail.com>
 Reported-by: Josef Gajdusek <atx@atx.name>
 ---
 diff --git a/src/server/startup.tcl b/src/server/startup.tcl
 index 64ace40..dd1b31e 100644
 --- a/src/server/startup.tcl
 +++ b/src/server/startup.tcl
@@ -8,3 +8,14 @@
 	# one target
 	reset halt
 }
 +
 +proc prevent_cps {} {
 +	echo "Possible SECURITY ATTACK detected."
 +	echo "It looks like somebody is sending POST or Host: commands to OpenOCD."
 +	echo "This is likely due to an attacker attempting to use Cross Protocol Scripting"
 +	echo "to compromise your OpenOCD instance. Connection aborted."
 +	exit
 +}
 +
 +proc POST {args} { prevent_cps }
 +proc Host: {args} { prevent_cps }