Fixes CVE-2023-33476:
ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable
to Buffer Overflow. The vulnerability is caused by incorrect
validation logic when handling HTTP requests using chunked transport
encoding. This results in other code later using attacker-controlled
chunk values that exceed the length of the allocated buffer,
resulting in out-of-bounds read/write.
Signed-off-by: Robert Högberg <robert.hogberg@gmail.com>
Gettext is a prerequisite to build OpenWrt according to:
https://openwrt.org/docs/guide-developer/toolchain/install-buildsystem
but github automated tests fail without this explicit dependency:
2023-06-19T08:02:45.1940511Z checking for py module gzip ... ok
2023-06-19T08:02:45.1968662Z checking for /builder/staging_dir/host/bin/pkg-config ...ok
2023-06-19T08:02:45.1998491Z ERROR: no gettext binaries found
2023-06-19T08:02:45.1999746Z checking for xgettext ... fail
2023-06-19T08:02:45.2008403Z make[2]: *** [Makefile:263: /builder/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/tvheadend-2023-06-05/.configured_a17fb5ef857664f03cd0ce37cc5ea591] Error 1
Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
Manually pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Automatically compute and substitute current values for all
$(AUTORELEASE) instances as this feature is deprecated and shouldn't be
used.
The following temporary change was made to the core:
diff --git a/rules.mk b/rules.mk
index 57d7995d4fa8..f16367de87a8 100644
--- a/rules.mk
+++ b/rules.mk
@@ -429,7 +429,7 @@ endef
abi_version_str = $(subst -,,$(subst _,,$(subst .,,$(1))))
COMMITCOUNT = $(if $(DUMP),0,$(call commitcount))
-AUTORELEASE = $(if $(DUMP),0,$(call commitcount,1))
+AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
all:
FORCE: ;
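Review bot: the replacement AUTORELEASE line turns a variable expansion into an in-place rewrite of $(CURDIR)/Makefile, and because `sed -i` writes nothing to stdout, the $(shell ...) call expands to an empty string, so the variable is empty for the run that performs the rewrite. AUTORELEASE is still defined with `=`, so the sed runs each time the variable is expanded rather than once. The sed expression also has no `g` flag, so only the first $(AUTORELEASE) on a line is substituted. For the one-off conversion the message describes this is workable, but a comment next to the changed line saying it is temporary and must not be merged would prevent it from being picked up by accident.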
And this command used to fix affected packages:
for i in $(cd feeds/packages; git grep -l PKG_RELEASE:=.*AUTORELEASE | \
sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/download
done
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
- Updated to latest version
- Removed upstreamed patches
- Refreshed patches
Project changelog:
1.3.2 - Released 30-Aug-2022
--------------------------------
- Improved DNS rebinding attack protection.
- Added Samsung Neo QLED series (2021) support.
- Added webm/rm/rmvb support.
1.3.1 - Released 11-Feb-2022
--------------------------------
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix a socket leakage issue on some platforms.
- Minor bug fixes.
Signed-off-by: Andrew Sim <andrewsimz@gmail.com>
See commit 07730ff3 "treewide: add support for "lto" in PKG_BUILD_FLAGS"
on the main repository.
Note: Some packages only added `-flto` to CFLAGS and not LDFLAGS. This
fixes it and properly enables LTO.
Signed-off-by: Andre Heider <a.heider@gmail.com>
See commit da370098 "treewide: add support for "gc-sections" in
PKG_BUILD_FLAGS" on the main repository.
Note: This only touches packages which use all three parts
(-ffunction-sections, -fdata-sections and -Wl,--gc-sections) enabled by
this build flag. Some packages only use a subset, and these are left
unchanged for now.
Signed-off-by: Andre Heider <a.heider@gmail.com>
See commit 5c545bdb "treewide: replace PKG_USE_MIPS16:=0 with
PKG_BUILD_FLAGS:=no-mips16" on the main repository.
Signed-off-by: Andre Heider <a.heider@gmail.com>
- aesdec: Fix padding removal for per-buffer-padding=FALSE
- aesdec test failing in gst-plugins-bad
- alphacombine: Add missing query handler for gaps
- avfdeviceprovider: do not leak the properties
- avfvideosrc: Report latency when doing screen capture
- d3d11screencapturesrc: Specify PAR 1/1 to template caps
- d3d11videosink: Fixing focus lost on desktop layout change
- d3d11videosink: Call ShowWindow() from window thread
- d3d11videosink: Fix deadlock when parent window is busy
- d3d11videosink: Always clear back buffer on resize
- decklink: reset calculation of time_mapping to fix clipping HDMI video
- directshow: Fix build error with glib 2.75 and newer
- dvbsubenc: Forward GAP events as-is if we wouldn't produce an end packet and...
- dvbsubenc: Write Display Definition Segment if a non-default width/height is used
- h265decoder: Do not abort when failed to prepare ref pic set
- h264parser: Fix a typo in pred_weight_table parsing.
- mediafoundation, d3d11: Fix memory leak and make leak tracer happy
- mpegts: Handle when iconv doesn't support ISO 6937 (e.g. musl libc)
- mpegts: Check continuity counter on section streams
- mpegts: Revert "mpegtspacketizer: memcmp potentially seen_before data"
- mpegtspacketizer: memcmp potentially seen_before data
- mpegtsdemux: Always clear packetizer on DISCONT push mode
- srt: various fixes - improve stats and error handling
- rtmp2: Improve error messages
- rtmp2sink: Correctly return GST_FLOW_ERROR on error
- vulkan: Fix static linking on macOS
- webrtcbin: also add rtcp-fb ccm fir for video mlines by default
- webrtc/nice: fix small leak of split strings
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
- flacparse: Fix handling of headers advertising 32bps
- qt5: deactivate context if fill_info fails
- qt5: initialize GError properly in gst_qt_get_gl_wrapcontext()
- qtdemux: check return value from gst_structure_get in PIFF box
- qtdemux: use unsigned int types to store result of QT_UINT32
- qtmux: Prefill mode fixes
- oss4: Fix debug category initialization
- multiudpsink: allow binding to IPv6 address
- rtpjitterbuffer tests: Cast drop-messages-interval type properly (fixing it on 32-bit architectures)
- rtspsrc: fix seek event leaks
- rtspsrc: Don't replace 404 errors with "no auth protocol found"
- rtspsrc: Only EOS on timeout if all streams are timed out/EOS
- rtspsrc: Fix usage of IPv6 connections in SETUP
- splitmuxsrc: don't queue data on unlinked pads
- v4l2: Fix SIGSEGV on 'change state' during 'format change'
- v4l2videodec: Fix activation of internal pool
- wavparse: Avoid occasional crash due to referencing freed buffer.
- wavparse: Fix crash that occurs in push mode when header chunks are corrupted in certain ways.
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
- audioconvert, audioresample, audiofilter: fix divide by 0 for input buffer without caps
- cdparanoia: Ignore compiler warning coming from the cdparanoia header
- oggdemux, parsebin: More leak fixes
- opengl: fix automatic dispmanx detection for rpi4
- opengl: Fix usage of eglCreate/DestroyImage
- opengl: Fix static linking on macOS
- opusdec: Various channel-related fixes
- textrender: Negotiate caps on a GAP event if none were negotiated yet
- textrender: Don't blindly forward all events and don't blindly forward all events
- timeoverlay: fix pad leak
- oggdemux: Don't leak incoming EOS event
- subparse: Fix non-closed tag handling.
- videodecoder: Only post latency message if it changed
- videoscale: buffer meta handling fixes (NULL-terminate array of valid meta tags)
- videosink: Don't return unknown end-time from get_times()
- Bump core requirement in 1.20 branch to 1.20.4
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
- allocator: Copy allocator name in gst_allocator_register()
- miniobject: support higher refcount values
- pads: Fix non-serialized sticky event push, e.g. instant change rate events
- padtemplate: Fix annotations
- systemclock: Use futex_time64 syscall on x32 and other platforms that always...
- Fix build of 1.20 branch with Meson 0.64.1 for those who have hotdoc installed on their system.
- meson: fix check for pthread_setname_np()
- -Wimplicit-function-declaration in pthread_setname_np check (missing GNUSOURCE)
- gst-inspect: Don't leak list
- concat: Properly propagate EOS seqnum
- fakesrc: avoid time overflow with datarate
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
Fixes this error:
cfgfile.c:26:10: fatal error: libxml/xmlmemory.h: No such file or directory
26 | #include <libxml/xmlmemory.h>
| ^~~~~~~~~~~~~~~~~~~~
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
this Makefile still used `CONFIG_GCC_USE_VERSION_*` to select various
compilation options, for GCC versions that are antiquated
convert to parsing the major from the `CONFIG_GCC_VERSION` which will
always exist and can also be used with range logic
intent seemed to be:
* `-flto` for "not =10" (or newer, probably)
* no additional options for "=10" (and newer, probably)
GCC 11 or 12 would likely revert to the default (not =10) option,
because 10 was the newest at the time, and 11 and 12 are "not 10"
unsure of what actually works, perhaps `-flto` works in all versions by
now (possibly early gcc 10 bug workaround?)
GCC 11 will have been using `-flto` anyway by the current logic and I
guess it must be working or there would have been changes
Signed-off-by: Tony Butler <spudz76@gmail.com>
this Makefile still used `CONFIG_GCC_USE_VERSION_*` to select various
compilation options, for GCC versions that are antiquated
convert to parsing the major from the `CONFIG_GCC_VERSION` which will
always exist and can also be used with range logic
intent seemed to be:
* `-flto` for "not =10" (or newer, probably)
* no additional options for "=10" (and newer, probably)
GCC 11 or 12 would likely revert to the default (not =10) option,
because 10 was the newest at the time, and 11 and 12 are "not 10"
unsure of what actually works, perhaps `-flto` works in all versions by
now (possibly early gcc 10 bug workaround?)
GCC 11 will have been using `-flto` anyway by the current logic and I
guess it must be working or there would have been changes
Signed-off-by: Tony Butler <spudz76@gmail.com>
Building for arc, mips and powerpc platforms fails if -O3 and LTO optimizations are enabled. This patch removes that option for everything other than arm and x86_64. These are known to work.
Fixes issue #19923.
Also fixes a typo in the description.
Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
- EPG database switched from v2 to v3. This commit updates OpenWrt init script to use the new database file.
- EPG database symlink created by OpenWrt config option is overwritten with a real file by tvheadend.
The latest tvheadend commit included here fixes that.
Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
This fixes a timing issue causing a playlist to be streamed as-fast-as-
possible until memory exhaustion, finally crashing ices and making it
basically useless.
This problem occurred in the timing code in src/common/timing/ and is
probably related to libc header changes because ices 2.0.2 worked up until
OpenWrt 21.02.3 (at least) but failed in OpenWrt 22.03.2.
Signed-off-by: Tilman Vogel <tilman.vogel@web.de>
The previous solution overwrote the provide from ``define
Package/libffmpeg/Default``, but that's not what was wanted.
Thus libffmpeg-full should provide three packages libffmpeg,
libffmpeg-mini and libffmpeg-audio-dec
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
The motivation for this change is that the full variant provides the mini
variant as well as the audio-dec package, thus you cannot install both, as
it fails with the following output:
Collected errors:
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavcodec.so.58
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavcodec.so.58.91.100
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavdevice.so.58
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavdevice.so.58.10.100
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavformat.so.58
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavformat.so.58.45.100
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavutil.so.56
But that file is already provided by package * libffmpeg-full
* check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavutil.so.56.51.100
But that file is already provided by package * libffmpeg-full
* opkg_install_cmd: Cannot install package libffmpeg-audio-dec.
Let's change it to:
Installing libffmpeg-audio-dec (4.3.4-1) to root...
Collected errors:
* check_conflicts_for: The following packages conflict with libffmpeg-audio-dec:
* check_conflicts_for: libffmpeg-full *
* opkg_install_cmd: Cannot install package libffmpeg-audio-dec.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>