Difuse/telephony
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #234 from micmac1/libs-for-15.05

Browse source 
Libs for 15.05
This commit is contained in:
Jiri Slachta 2018-01-11 19:45:05 +01:00 committed by GitHub
commit 005ef6633a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 191 additions and 247 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
libs/iksemel/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=iksemel
PKG_VERSION:=1.4
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://iksemel.googlecode.com/files/
@ -31,7 +31,7 @@ define Package/libiksemel
CATEGORY:=Libraries
TITLE:=Iksemel Jabber Library
URL:=http://code.google.com/p/iksemel/
DEPENDS:= +libgnutls +libtasn1 +libgcrypt +libgpg-error
DEPENDS:=+libgnutls
endef
define Package/libiksemel/description
@ -41,21 +41,6 @@ in ANSI C except the network code (which is POSIX compatible), thus
highly portable.
endef
TARGET_CFLAGS += $(FPIC)
TARGET_LDFLAGS += \
-Wl,-rpath-link,$(STAGING_DIR)/usr/lib \
-lgnutls -lgcrypt -lgpg-error
define Build/Configure
$(call Build/Configure/Default, \
--enable-shared \
--enable-static \
--with-libgnutls-prefix="$(STAGING_DIR)/usr" \
, \
LIBS="$(TARGET_LDFLAGS)" \
)
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include/
$(CP) $(PKG_INSTALL_DIR)/usr/include/iksemel.h $(1)/usr/include/

163
libs/iksemel/patches/001-missing-macros.patch
View file

@ -1,163 +0,0 @@
--- /dev/null
+++ b/gnutls.m4
@@ -0,0 +1,160 @@
+dnl Autoconf macros for libgnutls
+dnl $id$
+
+# Modified for LIBGNUTLS -- nmav
+# Configure paths for LIBGCRYPT
+# Shamelessly stolen from the one of XDELTA by Owen Taylor
+# Werner Koch 99-12-09
+
+dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
+dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS
+dnl
+AC_DEFUN([AM_PATH_LIBGNUTLS],
+[dnl
+dnl Get the cflags and libraries from the libgnutls-config script
+dnl
+AC_ARG_WITH(libgnutls-prefix,
+ [ --with-libgnutls-prefix=PFX Prefix where libgnutls is installed (optional)],
+ libgnutls_config_prefix="$withval", libgnutls_config_prefix="")
+
+ if test x$libgnutls_config_prefix != x ; then
+ if test x${LIBGNUTLS_CONFIG+set} != xset ; then
+ LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
+ fi
+ fi
+
+ AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no)
+ min_libgnutls_version=ifelse([$1], ,0.1.0,$1)
+ AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version)
+ no_libgnutls=""
+ if test "$LIBGNUTLS_CONFIG" = "no" ; then
+ no_libgnutls=yes
+ else
+ LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
+ LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
+ libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
+
+
+ ac_save_CFLAGS="$CFLAGS"
+ ac_save_LIBS="$LIBS"
+ CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
+ LIBS="$LIBS $LIBGNUTLS_LIBS"
+dnl
+dnl Now check if the installed libgnutls is sufficiently new. Also sanity
+dnl checks the results of libgnutls-config to some extent
+dnl
+ rm -f conf.libgnutlstest
+ AC_TRY_RUN([
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+
+int
+main ()
+{
+ system ("touch conf.libgnutlstest");
+
+ if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
+ {
+ printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
+ "$libgnutls_config_version", gnutls_check_version(NULL) );
+ printf("*** was found! If libgnutls-config was correct, then it is best\n");
+ printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
+ printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
+ printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
+ printf("*** required on your system.\n");
+ printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
+ printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
+ printf("*** before re-running configure\n");
+ }
+ else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
+ {
+ printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
+ printf("*** library (version %s)\n", gnutls_check_version(NULL) );
+ }
+ else
+ {
+ if ( gnutls_check_version( "$min_libgnutls_version" ) )
+ {
+ return 0;
+ }
+ else
+ {
+ printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
+ gnutls_check_version(NULL) );
+ printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
+ "$min_libgnutls_version" );
+ printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
+ printf("*** \n");
+ printf("*** If you have already installed a sufficiently new version, this error\n");
+ printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
+ printf("*** being found. The easiest way to fix this is to remove the old version\n");
+ printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
+ printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
+ printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
+ printf("*** so that the correct libraries are found at run-time))\n");
+ }
+ }
+ return 1;
+}
+],, no_libgnutls=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
+ CFLAGS="$ac_save_CFLAGS"
+ LIBS="$ac_save_LIBS"
+ fi
+
+ if test "x$no_libgnutls" = x ; then
+ AC_MSG_RESULT(yes)
+ ifelse([$2], , :, [$2])
+ else
+ if test -f conf.libgnutlstest ; then
+ :
+ else
+ AC_MSG_RESULT(no)
+ fi
+ if test "$LIBGNUTLS_CONFIG" = "no" ; then
+ echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
+ echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
+ echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
+ echo "*** full path to libgnutls-config."
+ else
+ if test -f conf.libgnutlstest ; then
+ :
+ else
+ echo "*** Could not run libgnutls test program, checking why..."
+ CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
+ LIBS="$LIBS $LIBGNUTLS_LIBS"
+ AC_TRY_LINK([
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+], [ return !!gnutls_check_version(NULL); ],
+ [ echo "*** The test program compiled, but did not run. This usually means"
+ echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
+ echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
+ echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
+ echo "*** to the installed location Also, make sure you have run ldconfig if that"
+ echo "*** is required on your system"
+ echo "***"
+ echo "*** If you have an old version installed, it is best to remove it, although"
+ echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH"
+ echo "***" ],
+ [ echo "*** The test program failed to compile or link. See the file config.log for the"
+ echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
+ echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
+ echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ])
+ CFLAGS="$ac_save_CFLAGS"
+ LIBS="$ac_save_LIBS"
+ fi
+ fi
+ LIBGNUTLS_CFLAGS=""
+ LIBGNUTLS_LIBS=""
+ ifelse([$3], , :, [$3])
+ fi
+ rm -f conf.libgnutlstest
+ AC_SUBST(LIBGNUTLS_CFLAGS)
+ AC_SUBST(LIBGNUTLS_LIBS)
+])
+
+dnl *-*wedit:notab*-* Please keep this as the last line.

28
libs/iksemel/patches/001-pkgconfig-gnutls.patch Normal file
View file

@ -0,0 +1,28 @@
Last-Update: 2013-07-29
Forwarded: not-needed
Origin: upstream, commit:4652af9cf119145af3a90c632f8a6db215946784
Bug-Iksemel: https://code.google.com/p/iksemel/issues/detail?id=20
Author: Dmitry Smirnov <onlyjob@member.fsf.org>
Description: use pkgconfig for checking gnutls
--- a/configure.ac
+++ b/configure.ac
@@ -44,9 +44,17 @@
AC_SEARCH_LIBS(recv,socket)
AC_CHECK_FUNCS(getopt_long)
AC_CHECK_FUNCS(getaddrinfo)
-AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
+dnl Check GNU TLS
+PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0, have_gnutls=yes, have_gnutls=no)
+if test "x$have_gnutls" = "xyes"; then
+ LIBGNUTLS_CFLAGS="$GNUTLS_CFLAGS"
+ LIBGNUTLS_LIBS="$GNUTLS_LIBS"
+ AC_SUBST(LIBGNUTLS_CFLAGS)
+ AC_SUBST(LIBGNUTLS_LIBS)
+ AC_DEFINE(HAVE_GNUTLS, 1, [whether to use GnuTSL support.])
+fi
dnl Check -Wall flag of GCC
if test "x$GCC" = "xyes"; then
if test -z "`echo "$CFLAGS" | grep "\-Wall" 2> /dev/null`" ; then

38
libs/iksemel/patches/002-secure_gnutls_options.patch Normal file
View file

@ -0,0 +1,38 @@
Last-Update: 2015-10-28
Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
From: Marc Dequènes (duck) <duck@duckcorp.org>
Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
--- a/src/stream.c
+++ b/src/stream.c
@@ -62,13 +62,9 @@
static int
handshake (struct stream_data *data)
{
- const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
- const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
- const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
- const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
+ const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
int ret;
if (gnutls_global_init () != 0)
return IKS_NOMEM;
@@ -79,13 +75,9 @@
if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
gnutls_certificate_free_credentials (data->cred);
return IKS_NOMEM;
}
- gnutls_protocol_set_priority (data->sess, protocol_priority);
- gnutls_cipher_set_priority(data->sess, cipher_priority);
- gnutls_compression_set_priority(data->sess, comp_priority);
- gnutls_kx_set_priority(data->sess, kx_priority);
- gnutls_mac_set_priority(data->sess, mac_priority);
+ gnutls_priority_set_direct(data->sess, priority_string, NULL);
gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);

65
libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
View file

@ -1,65 +0,0 @@
From 6b213b593c5b499679506a8c169ff3f0f4d6a34f Mon Sep 17 00:00:00 2001
From: John Papandriopoulos <jpap@users.noreply.github.com>
Date: Thu, 20 Aug 2015 16:55:39 -0700
Subject: [PATCH] Use of newer gnutls_priority_set_direct API
---
configure.ac | 1 +
src/stream.c | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/configure.ac b/configure.ac
index 91e69e3..281a044 100644
--- a/configure.ac
+++ b/configure.ac
@@ -46,6 +46,7 @@ AC_CHECK_FUNCS(getopt_long)
AC_CHECK_FUNCS(getaddrinfo)
AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
+AM_PATH_LIBGNUTLS(,AC_CHECK_FUNCS(gnutls_priority_set_direct))
dnl Check -Wall flag of GCC
if test "x$GCC" = "xyes"; then
diff --git a/src/stream.c b/src/stream.c
index e8a1e8c..7d19a82 100644
--- a/src/stream.c
+++ b/src/stream.c
@@ -63,11 +63,20 @@ tls_pull (iksparser *prs, char *buffer, size_t len)
static int
handshake (struct stream_data *data)
{
+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
+ const char *priorities =
+ "NONE"
+ ":+VERS-TLS1.0:+VERS-SSL3.0"
+ ":+RSA"
+ ":+3DES-CBC:+ARCFOUR-128"
+ ":+SHA1:+SHA256:+SHA384:+MD5";
+#else
const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
+#endif
int ret;
if (gnutls_global_init () != 0)
@@ -80,11 +89,15 @@ handshake (struct stream_data *data)
gnutls_certificate_free_credentials (data->cred);
return IKS_NOMEM;
}
+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
+ gnutls_priority_set_direct (data->sess, priorities, NULL);
+#else
gnutls_protocol_set_priority (data->sess, protocol_priority);
gnutls_cipher_set_priority(data->sess, cipher_priority);
gnutls_compression_set_priority(data->sess, comp_priority);
gnutls_kx_set_priority(data->sess, kx_priority);
gnutls_mac_set_priority(data->sess, mac_priority);
+#endif
gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
--
2.1.4

2
libs/libosip2/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libosip2
PKG_VERSION:=4.1.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=@GNU/osip

69
libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch Normal file
View file

@ -0,0 +1,69 @@
Upstream patches by Aymeric Moizard <amoizard@gmail.com>:
7e0793e15e21f68337e130c67b031ca38edf055f
1d9fb1d3a71cc85ef95352e549b140c706cf8696
b9dd097b5b24f5ee54b0a8739e59641cd51b6ead
1ae06daf3b2375c34af23083394a6f010be24a45
--- libosip2-4.1.0.orig/src/osipparser2/osip_body.c
+++ libosip2-4.1.0/src/osipparser2/osip_body.c
@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
}
if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
+ if (length < tmp_body - ptr + 3) {
+ size_t len;
+
+ len = tmp_body - ptr;
+ length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
+ ptr = osip_realloc (ptr, length);
+ tmp_body = ptr + len;
+ }
tmp_body = osip_strn_append (tmp_body, CRLF, 2);
}
if (length < tmp_body - ptr + body->length + 4) {
--- libosip2-4.1.0.orig/src/osipparser2/osip_message_parse.c
+++ libosip2-4.1.0/src/osipparser2/osip_message_parse.c
@@ -812,6 +812,12 @@ msg_osip_body_parse (osip_message_t * si
if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
start_of_body++;
+ /* if message body is empty or contains a single CR/LF */
+ if (end_of_body <= start_of_body) {
+ osip_free (sep_boundary);
+ return OSIP_SYNTAXERROR;
+ }
+
body_len = end_of_body - start_of_body;
/* Skip CR before end boundary. */
--- libosip2-4.1.0.orig/src/osipparser2/osip_message_to_str.c
+++ libosip2-4.1.0/src/osipparser2/osip_message_to_str.c
@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
/* A start-line isn't required for message/sipfrag parts. */
}
else {
+ size_t message_len = strlen(tmp);
+ if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
+ osip_free (tmp);
+ *dest = NULL;
+ return OSIP_NOMEM;
+ }
+
message = osip_str_append (message, tmp);
osip_free (tmp);
message = osip_strn_append (message, CRLF, 2);
--- libosip2-4.1.0.orig/src/osipparser2/osip_port.c
+++ libosip2-4.1.0/src/osipparser2/osip_port.c
@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
char *p;
size_t spaceless_length;
- if (src == NULL)
+ if (src == NULL || len == 0) {
+ *dst = '\0';
return NULL;
+ }
/* find the start of relevant text */
pbeg = src;

2
libs/libsrtp/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libsrtp
PKG_VERSION:=1.4.4
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=srtp-$(PKG_VERSION).tgz
PKG_SOURCE_URL:=@SF/srtp

39
libs/libsrtp/patches/1009_CVE-2013-2139.patch Normal file
View file

@ -0,0 +1,39 @@
Description: CVE-2013-2139: buffer overflow in application of crypto profiles
Origin: backport,
https://github.com/cisco/libsrtp/pull/27,
https://github.com/cisco/libsrtp/commit/8884f4d8eb4ca7122dfcbd640b933b98ef4bab80,
https://github.com/cisco/libsrtp/commit/8e47faf0f5b90672c7ebf2f0cf0562ee81a8b621,
https://github.com/cisco/libsrtp/commit/0acbb039c12b790621839facf56bfedbd071b74d
Bug: https://github.com/cisco/libsrtp/issues/24
Bug-Debian: http://bugs.debian.org/711163
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2014-01-02
--- a/srtp/srtp.c
+++ b/srtp/srtp.c
@@ -1807,15 +1807,12 @@
switch(profile) {
case srtp_profile_aes128_cm_sha1_80:
crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
break;
case srtp_profile_aes128_cm_sha1_32:
crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
break;
case srtp_profile_null_sha1_80:
crypto_policy_set_null_cipher_hmac_sha1_80(policy);
- crypto_policy_set_null_cipher_hmac_sha1_80(policy);
break;
/* the following profiles are not (yet) supported */
case srtp_profile_null_sha1_32:
@@ -1838,6 +1835,8 @@
crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
break;
case srtp_profile_aes128_cm_sha1_32:
+ /* We do not honor the 32-bit auth tag request since
+ * this is not compliant with RFC 3711 */
crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
break;
case srtp_profile_null_sha1_80:

13
libs/libsrtp/patches/1010-CVE-2015-6360-1.patch Normal file
View file

@ -0,0 +1,13 @@
Index: srtp-1.4.4~dfsg/srtp/srtp.c
===================================================================
--- srtp-1.4.4~dfsg.orig/srtp/srtp.c 2016-01-17 19:49:52.000000000 +0100
+++ srtp-1.4.4~dfsg/srtp/srtp.c 2016-01-17 22:50:43.000000000 +0100
@@ -938,6 +938,8 @@
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
}
+ if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
+ return err_status_parse_err;
enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
- ((enc_start - (uint32_t *)hdr) << 2));
} else {