Changes between 3.0.8 and 3.0.9 [30 May 2023]

 * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.

   OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier. ([CVE-2023-2650])

   To mitigate this, `OBJ_obj2txt()` will only translate an OBJECT IDENTIFIER to canonical numeric text form if the size of that OBJECT IDENTIFIER is 586 bytes or less, and fail otherwise.

   The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at most 128 sub-identifiers, and that the maximum value that each sub-identifier may have is 2^32-1 (4294967295 decimal).

   For each byte of every sub-identifier, only the 7 lower bits are part of the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with these restrictions may occupy is 32 * 128 / 7, which is approximately 586 bytes.

   Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5

   *Richard Levitte*

 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. ([CVE-2023-1255])

   *Nevine Ebeid*

 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]). The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case compared to 3.0.7. The new fix uses existing constant time code paths, and restores the previous performance level while fully eliminating all existing timing side channels. The fix was developed by Bernd Edlinger with testing support by Hubert Kario.

   *Bernd Edlinger*

 * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. ([CVE-2023-0466])

   *Tomáš Mráz*

 * Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. ([CVE-2023-0465])

   *Matt Caswell*

 * Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. ([CVE-2023-0464])

   *Paul Dale*

Removed upstreamed patches.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
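The size cap described in the CVE-2023-2650 entry of the commit message above can be checked in a single linear pass before any text conversion is attempted. The following is an added example, not OpenSSL or ImmortalWrt code: the function name `oid_check_limits` and its result codes are hypothetical, and the per-sub-identifier checks apply the RFC 2578 limits the entry cites, whereas the entry itself only describes the 586-byte cap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OID_MAX_BYTES  586  /* cap quoted in the 3.0.9 changelog entry */
#define OID_MAX_SUBIDS 128  /* RFC 2578, section 3.5 */

/* Result codes; these names belong to this example only. */
enum oid_check { OID_OK, OID_TOO_LONG, OID_TRUNCATED, OID_NOT_MINIMAL,
                 OID_SUBID_TOO_BIG, OID_TOO_MANY_SUBIDS };

/*
 * Check the content octets of a DER OBJECT IDENTIFIER (tag and length
 * already stripped). One pass, fixed-width arithmetic, so cost is O(len).
 */
enum oid_check oid_check_limits(const unsigned char *p, size_t len, size_t *nsub)
{
    size_t i = 0, count = 0;

    if (len == 0) return OID_TRUNCATED;
    if (len > OID_MAX_BYTES) return OID_TOO_LONG;  /* reject before decoding */

    while (i < len) {
        /* The first encoded value packs two arcs as 40*X + Y (X <= 2). */
        uint64_t v = 0, limit = (uint64_t)UINT32_MAX + (count == 0 ? 80 : 0);
        unsigned char b;

        if (p[i] == 0x80) return OID_NOT_MINIMAL;  /* padded leading septet */
        do {
            if (i == len) return OID_TRUNCATED;    /* continuation bit on last byte */
            b = p[i++];
            v = (v << 7) | (b & 0x7f);             /* only the low 7 bits carry value */
            if (v > limit) return OID_SUBID_TOO_BIG;
        } while (b & 0x80);

        count += (count == 0) ? 2 : 1;
        if (count > OID_MAX_SUBIDS) return OID_TOO_MANY_SUBIDS;
    }
    if (nsub) *nsub = count;
    return OID_OK;
}

int main(void)
{
    /* Constructed sample: content octets of 1.2.840.113549 */
    const unsigned char rsadsi[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d };
    size_t n = 0;
    enum oid_check rc = oid_check_limits(rsadsi, sizeof rsadsi, &n);
    printf("rc=%d sub-identifiers=%zu\n", rc, n);
    return rc != OID_OK;
}
```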
Project ImmortalWrt
ImmortalWrt is a fork of OpenWrt, with more packages ported, more devices supported, better performance, and special optimizations for mainland China users.
Compared with the official one, we allow hacks or non-upstreamable patches / modifications to achieve our purpose. Source from anywhere.
Default login address: http://192.168.1.1 or http://immortalwrt.lan, username: root, password: none.
Download
Built firmware images are available for many architectures and come with a package selection to be used as a WiFi home router. To quickly find a factory image usable to migrate from a vendor stock firmware to ImmortalWrt, try the Firmware Selector.
If your device is supported, please follow the Info link to see install instructions or consult the support resources listed below.
Development
To build your own firmware you need a GNU/Linux, BSD or MacOSX system (case sensitive filesystem required). Cygwin is unsupported because of the lack of a case sensitive file system.
Requirements
To build with this project, Ubuntu 20.04 LTS is preferred. You need a CPU based on the AMD64 architecture, with at least 4 GB of RAM and 25 GB of available disk space. Make sure the Internet is accessible.
The following tools are needed to compile ImmortalWrt; the package names vary between distributions.
Here is an example for Ubuntu users:

- Method 1: Set up dependencies via APT

  sudo apt update -y
  sudo apt full-upgrade -y
  sudo apt install -y ack antlr3 asciidoc autoconf automake autopoint binutils bison build-essential \
    bzip2 ccache clang cmake cpio curl device-tree-compiler ecj fastjar flex gawk gettext gcc-multilib \
    g++-multilib git gnutls-dev gperf haveged help2man intltool lib32gcc-s1 libc6-dev-i386 libelf-dev \
    libglib2.0-dev libgmp3-dev libltdl-dev libmpc-dev libmpfr-dev libncurses5-dev libncursesw5 \
    libncursesw5-dev libpython3-dev libreadline-dev libssl-dev libtool lld llvm lrzsz mkisofs msmtp \
    nano ninja-build p7zip p7zip-full patch pkgconf python2.7 python3 python3-pip python3-ply \
    python-docutils python3-pyelftools qemu-utils re2c rsync scons squashfs-tools subversion swig \
    texinfo uglifyjs upx-ucl unzip vim wget xmlto xxd zlib1g-dev

- Method 2:

  sudo bash -c 'bash <(curl -s https://build-scripts.immortalwrt.eu.org/init_build_environment.sh)'

Note:
- Do everything as an unprivileged user, not root, without sudo.
- Using CPUs based on other architectures should be fine to compile ImmortalWrt, but more hacks are needed - No warranty at all.
- You must not have spaces or non-ASCII characters in PATH or in the work folders on the drive.
- If you're using Windows Subsystem for Linux (or WSL), removing Windows folders from PATH is required; please see the Build system setup WSL documentation.
- Using macOS as the host build OS is not recommended. No warranty at all. You can get tips from Build system setup macOS documentation.
- For more details, please see Build system setup documentation.
Quickstart
- Run `git clone -b <branch> --single-branch --filter=blob:none https://github.com/immortalwrt/immortalwrt` to clone the source code.
- Run `cd immortalwrt` to enter the source directory.
- Run `./scripts/feeds update -a` to obtain all the latest package definitions defined in feeds.conf / feeds.conf.default.
- Run `./scripts/feeds install -a` to install symlinks for all obtained packages into package/feeds/.
- Run `make menuconfig` to select your preferred configuration for the toolchain, target system & firmware packages.
- Run `make` to build your firmware. This will download all sources, build the cross-compile toolchain and then cross-compile the GNU/Linux kernel & all chosen applications for your target system.
Related Repositories
The main repository uses multiple sub-repositories to manage packages of different categories. All packages are installed via the ImmortalWrt package manager called opkg. If you're looking to develop the web interface or port packages to ImmortalWrt, please find the fitting repository below.
- LuCI Web Interface: Modern and modular interface to control the device via a web browser.
- ImmortalWrt Packages: Community repository of ported packages.
- OpenWrt Routing: Packages specifically focused on (mesh) routing.
- OpenWrt Video: Packages specifically focused on display servers and clients (Xorg and Wayland).
Support Information
For a list of supported devices, see the OpenWrt Hardware Database.
Documentation
Support Community
- Support Chat: group @ctcgfw_openwrt_discuss on Telegram.
- Support Chat: group #immortalwrt on Matrix.
License
ImmortalWrt is licensed under GPL-2.0-only.
Acknowledgements

