Today CVE-2020-7221 was publicly discussed on oss-sec [1]. MariaDB
upstream had not mentioned this CVE in their last release notes. The CVE
is related to auth-pam and the possibility of a local mariadb to root
user exploit in the mysql_install_db script.
Upstream has made amendments to the script, but according to the oss-sec
posts the folder permissions were not updated as they should have been.
In OpenWrt the script mysql_install_db is actually patched to never run
the commands in question. This has been this way since MariaDB 10.4 was
made available.
Still, the directory permissions set by the postinstall script are too
lax. To quote the discoverer of the issue, Matthias Gerstner from Suse,
they exhibit "the dangerous situation of a setuid-root binary residing
in a directory owned by an unprivileged user".
This commit fixes this by changing the permissions to the following:
    root:mariadb 0750 /usr/lib/mariadb/plugin/auth_pam_tool_dir
This way the setuid-root binary is only available to root and the
mariadb user, while at the same time the mariadb user has no ownership
of the directory.
[1] https://seclists.org/oss-sec/2020/q1/55
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
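The ownership rule described in the commit message above, as an added audit sketch that is not part of the commit or of OpenWrt's postinst script. The helper names `dir_is_safe` and `audit_suid` are hypothetical, and the owner parameter (default uid 0) exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not OpenWrt's postinst code.

# dir_is_safe DIR [OWNER]
# True when DIR is a real directory owned by OWNER (default uid 0) and carries
# no group or other write bit, e.g. root:mariadb 0750.
dir_is_safe() {
    [ -n "$(find "$1" -prune -type d -user "${2:-0}" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# audit_suid ROOT [OWNER]
# Lists every setuid file below ROOT whose containing directory fails
# dir_is_safe. Only the immediate parent is checked, not the whole path.
# Returns 1 when at least one finding is printed.
audit_suid() {
    audit_findings=$(
        find "$1" -type f -perm -4000 -print 2>/dev/null |
        while IFS= read -r suid_file; do
            suid_dir=$(dirname "$suid_file")
            dir_is_safe "$suid_dir" "${2:-0}" ||
                printf 'UNSAFE %s (dir %s)\n' "$suid_file" "$suid_dir"
        done
    )
    [ -z "$audit_findings" ] && return 0
    printf '%s\n' "$audit_findings"
    return 1
}

# Usage: sh audit.sh /usr/lib/mariadb/plugin
if [ "$#" -gt 0 ]; then
    audit_suid "$@"
fi
```

A directory with mode 0750 that is owned by the service account instead of root is still reported, which is the situation the commit corrects.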
This exporter exposes information of the connected stations acquired
from hostapd. These contain additional information compared to the
existing station exporter, however they require a full build of hostapd
/ wpad.
Signed-off-by: David Bauer <mail@david-bauer.net>
- Migrate libusb dependency back to libsane
(virtually all useful backends for OpenWrt would need it anyway)
- Disabled new usb-record-replay feature (avoid libxml2 dep)
- Disabled new escl backend (network-only backends are not too useful
for OpenWrt and it requires libcurl, libnetsnmp, libavahi and libxml2)
- Workaround sane-daemon/postinst installation on Imagebuild
- Enabled backends kvs40xx and mustek_usb2 (fixed upstream)
- Fix bigendian compilation
(https://gitlab.com/sane-project/backends/-/merge_requests/329)
- Fix missing std::round() for uclibc
(https://gitlab.com/sane-project/backends/issues/237)
- Fixes FS#2685: coldplug was running before usblp was loaded. Now
it grants access to usblp when a device using it is plugged.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Fixed license information.
Removed patch requiring autoreconf and replaced with a configure variable.
Removed faulty patch that broke systems without a disabled crypt size hack.
Replaced with using a SED command as well as bcrypt, which works in musl.
Removed su patch and converted it to a SED command in the Makefile.
Added new shadow utilities.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Rename "zip" to "infozip" to avoid name collision, as the same
zip package has been introduced to the build tools as zip.
Buildbot does not like that.
Reference to #10985 and #11089 as well as
ad8c2d6099
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
This happens during compilation:
Enabling network
./etc/init.d/prometheus-node-exporter-lua: line 7: /lib/functions/network.sh: No such file or directory
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This is conflicting with tools/zip where the HostBuild is specified.
This should allow the zip package to show up.
Several cleanups were also performed for consistency between packages.
Added PKG_BUILD_PARALLEL:=1 for faster compilation.
Remove PKG_CHECK_FORMAT_SECURITY. Patched the issue instead.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Latest fft-eval has some extra features such as ath11k support, double precision in json signal calculation, and cleanups (batctl references, minor bugfixes, etc.)
This commit is a version and makefile update. Now the native project Makefile does the job (compilation and linking).
Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
New patches (both for SConstruct):
* Do not import from distutils. Since Python support/modules are not
built, there is no need to import from distutils. (Importing from
distutils may prevent the package from being built on systems without
a full distutils module, e.g. Debian with python3-minimal.)
I have added back the import in places where it may be helpful to
have, if scons is run manually.
Fixes #10993.
* Do not check the size of time_t. The way this is done is to compile
and run a test program; this fails when cross-compiling[1].
This doesn't appear to affect any functionality (other than missing a
compile-time warning that things will fail in 2038 if time_t is too
small).
[1]: https://gitlab.com/gpsd/gpsd/issues/48
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The DEPENDS attribute makes canutils fail during the installation procedure.
Removing it makes for a successful build.
Signed-off-by: Paulo Machado <pffmachado@yahoo.com>
The regular Makefile is totally broken and does not pass CFLAGS. This
breaks compilation with PKG_ASLR_PIE and also does not pass -Os.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The last OpenOCD release was 3 years ago, plenty of new functionality
was added since then. Two security-related patches went in too.
While at it, add a menuconfig option to allow building without any USB
dependencies, useful for devices counting on sysfsgpio to access
targets.
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Fix the dependency declaration by removing the unnecessary/illegal
commas:
> WARNING: Makefile 'package/feeds/packages/smartmontools/Makefile' has a dependency on 'smartd,', which does not exist
> WARNING: Makefile 'package/feeds/packages/smartmontools/Makefile' has a dependency on 'nail,', which does not exist
> tmp/.config-package.in:153368:warning: ignoring unsupported character ','
> tmp/.config-package.in:153373:warning: ignoring unsupported character ','
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Updated URL list. Changed to HTTPS also.
Added PKG_BUILD_PARALLEL for faster compilation.
Added PKG_INSTALL as is standard with most packages.
Small optimization to shell script.
Added two patches to fix compilation. Refreshed the other one.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fix PKG_LICENSE
Switch to standard PKG_INSTALL to simplify the Makefile.
Add PKG_BUILD_PARALLEL for faster compilation.
Add URL.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
A separate package which depends on msmtp and nail is introduced.
Once more packages provide `sendmail` and `mail` interfaces, this
dependency can be made more flexible.
Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
saned requires write access to the scanner USB bus for its process and
to usblp/bind in order to rebind multifunctional printers back
to usblp (for printing with p910nd).
A hotplug script monitors new USB devices for scanners. Scanners
are detected by searching /usr/share/sane/<vendor>-<backend>.usbid
for the device product_id.
The package saned creates user saned:scanners. Access is granted to
group scanners.
The default xinetd conf was updated to run as saned:scanner.
sane-daemon pkg now has a postinst trigger that runs udevtrigger for
granting perms where there are connected scanners during installation.
Existing hotplug scripts from hplip were removed. They were mostly
useless.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
cxxabi.h is a useless header that libcxx does not include.
Remove indent on postinst script. It should be on the same level as the above
section.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Busybox by default uses SHA512 as well.
On big distributions this default is sourced from PAM. That means that
shadow reads PAM settings and uses them. OpenWrt in most cases does not
have PAM installed and in such a case shadow falls back to its own default
which is DES. This just changes that default to SHA512 which is
consistent with the rest of the system.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
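A check that follows from the commit message above, added here and not part of the commit or the shadow package: it classifies each shadow-format entry by its crypt(3) prefix so accounts whose passwords were set under the old DES default can be found. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the shadow package.

# sample_shadow: constructed entries; the hash strings are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$CONSTRUCTEDHASH:18000:0:99999:7:::
daemon:*:0:0:99999:7:::
olduser:abJnggxhB/yWI:18000:0:99999:7:::
md5user:$1$salt$CONSTRUCTED:18000:0:99999:7:::
lockeddes:!abJnggxhB/yWI:18000:0:99999:7:::
nopw::18000:0:99999:7:::
EOF
}

# classify_shadow [FILE]: print "user scheme" per entry (stdin if no FILE).
classify_shadow() {
    awk -F: '
    /^#/ || NF < 2 { next }
    {
        h = $2
        if (h == "") { print $1, "empty"; next }
        sub(/^!+/, "", h)                 # "!" marks a locked hash
        if (h == "" || h == "*" || h == "x")     s = "locked"
        else if (h ~ /^\$6\$/)                   s = "sha512"
        else if (h ~ /^\$5\$/)                   s = "sha256"
        else if (h ~ /^\$2[abxy]?\$/)            s = "bcrypt"
        else if (h ~ /^\$1\$/)                   s = "md5"
        else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "des"
        else                                     s = "unknown"
        print $1, s
    }' "$@"
}

# weak_shadow_users [FILE]: accounts still stored as DES or MD5.
# Returns 1 when any are found, so it can gate a check.
weak_shadow_users() {
    weak=$(classify_shadow "$@" | awk '$2 == "des" || $2 == "md5" { print $1 }')
    [ -z "$weak" ] && return 0
    printf '%s\n' "$weak"
    return 1
}

# Usage: sh shadowcheck.sh /etc/shadow
if [ "$#" -gt 0 ]; then
    weak_shadow_users "$1"
fi
```

Changing the default only affects passwords set afterwards, so entries reported as `des` keep that hash until the password is changed.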
The postrm script was missing a shebang. Postrm scripts are packaged and
executed directly and not sourced by the default script (as in the case of prerm
and postinst).
Also move some indents around to not confuse reader. The section in
postinst was indented to same level as grep "condition" but is on same
level as initial grep (not part of that "condition").
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
usbmuxd must be run for many of the idevice tools. Added an init
script to make this easier.
Added myself as maintainer.
Fix PKG_CVE_ID.
Added config directory.
Placed in a submenu for easier readability.
Add extra tool
Signed-off-by: Rosen Penev <rosenp@gmail.com>