Resolves:
support/testing/tests/core/test_hardening.py:25:42: E231 missing whitespace after ','
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is the same toolchain that was previously distributed by Linaro. [1]
Switch default toolchain as this toolchain supersed the Linaro AArch64-BE toolchain.
Only x86_64 host are supported, so keep Linaro toolchain for x86 host.
[1] https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is the same toolchain that was previously distributed by Linaro. [1]
Switch default toolchain as this toolchain supersed the Linaro AArch64 toolchain.
Only x86_64 host are supported, so keep Linaro toolchain for x86 host.
Tested with qemu_aarch64_virt_defconfig.
[1] https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is the same toolchain that was previously distributed by Linaro. [1]
Switch default toolchain as this toolchain supersed the Linaro ARM toolchain.
Only x86_64 host are supported, so keep Linaro toolchain for x86 host.
Tested with qemu_arm_vexpress_defconfig.
[1] https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The board is well supported in upstream projects so let's update kernel
and U-Boot to the latest and greatest versions.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-10873: A vulnerability was discovered in SPICE before version
0.14.1 where the generated code used for demarshalling messages lacked
sufficient bounds checks. A malicious client or server, after
authentication, could send specially crafted messages to its peer which
would result in a crash or, potentially, other impacts.
Drop patches as they are now upstream.
Add host-pkgconf as the configure script uses pkg-config. Drop removed
--disable-automated-tests configure flag.
Add optional opus support, as that is now supported and needs to be
explicitly disabled to not use. Explicitly disable optional gstreamer
support for now as the dependency tree is fairly complicated.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The board is well supported in upstream projects so let's update kernel
and U-Boot to the latest and greatest versions.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, when a custom user table and a package define the same user,
the settings from the package takes precedence over the ones from the
custom user table.
However, it makes sense to allow the settings from the custom user table
take precedence. For example, it would allow redirecting the user's
home directory to an alternate location (e.g. away from tmp and into a
partition that is persistent).
The support/scripts/mkusers script will only retain settings from the
latest definition it finds.
Thus, by passing the custom user table after the package defined users,
it is possible to override the package provided user definitions.
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Drop patch #1; applied upstream.
Drop patch #2; not needed since we don't autoreconf, and the issue is
fixed upstream anyway.
Add license hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The license heading in source files includes the "or any later"
language.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove patch since the new version supports Python 3.7
Change in LICENSE: addition of a developer to the list (hash updated).
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 45498bbc62 (mdadm: also install mdmon) enabled build of hte
mdmon utility. This utility requires USE_PTHREADS make variable
undefined to build when threads are not supported.
Fixes:
http://autobuild.buildroot.net/results/4bd/4bdd03b1d8f30ef32177727aae46d8cf54fbc35e/
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-14501: An out-of-bounds read flaw exists in
parse_file_info in archive_read_support_format_iso9660.c in libarchive
3.3.2 when extracting a specially crafted iso9660 iso file, related to
archive_read_format_iso9660_read_header.
Drop upstream patches.
Use upstream provided tarball hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a minimal RISC-V 64-bit autobuild configuration for the
internal toolchain with glibc.
Signed-off-by: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
U-Boot has a copy of dtc in-tree. However, it has a bug in its build
system which could result in both one of the in-tree dtc include files
and the same host-installed include file to be #included.
Normally, that wouldn't be a problem, because (a) the two include files
are compatible, so it doesn't matter which one you include, and (b) the
include guards are the same in both, so only one of them really does
get included. However, upstream dtc has changed the include guards,
removing the leading underscore. Therefore, now the header file does
get included twice, which leads to multiple definitions like:
/builds/buildroot.org/buildroot/output/host/include/libfdt.h:1790:19: error: redefinition of 'fdt_appendprop_cell'
static inline int fdt_appendprop_cell(void *fdt, int nodeoffset,
^~~~~~~~~~~~~~~~~~~
In file included from tools/fdt_host.h:11:0,
from tools/imagetool.h:24,
from tools/atmelimage.c:8:
tools/../include/libfdt.h:1656:19: note: previous definition of 'fdt_appendprop_cell' was here
static inline int fdt_appendprop_cell(void *fdt, int nodeoffset,
^~~~~~~~~~~~~~~~~~~
To fix this, patch (host) dtc to accept the old include guard as well,
which restores the old behaviour. This patch is probably not
upstreamable, since it's really a hack to work around an issue in
U-Boot. Note that it has been fixed upstream, but Buildroot supports
building older versions of U-Boot as well.
Note that the problem may still occur if you have libdtc-dev installed
on the host. However, now there is a simple workaround: enable
BR2_TARGET_UBOOT_NEEDS_DTC.
Note that a similar problem also occurs with the beaglebone fork of the
kernel. It's not clear if it has been fixed there.
Signed-off-by: Lothar Felten <lothar.felten@gmail.com>
[Arnout: rewrite commit message, rewrap patch commit message]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Catch the commonly used options of SSP, Relro, and fortify.
Using the package targets of busybox and lighttpd. This
can easily be expanded to a larger list.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A note is added to tie off the discussion on why moving _FORTIFY_SOURCE
related flags into the toolchain wrapper doesn't currently work.
- Currently -D_FORTIFY_SOURCE and optimizations are passed through
CFLAGS
- Packages like linux-tools ignore CFLAGS entirely and some
autotools toolchain testing cases dependent on not using
CFLAGS.
- If FORTIFY_SOURCE is passed through the wrapper, then linux-tools
will no longer be able to ignore it, because it's enforced at a
lower-level and since the optimization -Os/g/1/2/3 are via CFLAGS,
there is no optimization flag set. Therefore linux-tools will do
all its configuration tests with FORTIFY_SOURCE forcefully enabled
at the wrapper level, but no optimization enabled, and consequently
tests will fail.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Migrate the stack protection flag management into the wrapper.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The RELRO/PIE flags are currently passed via CFLAGS/LDFLAGS and this patch
proposes moving them to the toolchain wrapper.
(1) The flags should _always_ be passed, without leaving the possibility
for any package to ignore them. I.e, when BR2_RELRO_FULL=y is used
in a build, all executables should be built PIE. Passing those
options through the wrapper ensures they are used during the build
of all packages.
(2) Some options are incompatible with -fPIE. For example, when
building object files for a shared libraries, -fPIC is used, and
-fPIE shouldn't be used in combination with -fPIE. Similarly, -r
or -static are directly incompatible as they are different link
time behaviors then the intent of PIE. Passing those options
through the wrapper allows to add some "smart" logic to only pass
-fPIE/-pie when relevant.
(3) Some toolchain, kernel and bootloader packages may want to
explicitly disable PIE in a build where the rest of the userspace
has intentionally enabled it. The wrapper provides an option
to key on the -fno-pie/-no-pie and bypass the appending of RELRO
flags.
The current Kernel and U-boot source trees include this option.
8438ee76b06ace36e19a
If using PIE with a older Kernel and/or U-boot version, a backport of these
changes might be required. However this patchset also uses the
__KERNEL__ and __UBOOT__ defines as a way to disable PIE.
NOTE: The current implementation via CFLAGS/LDFLAGS has caused some
build time failures as the conditional logic doesn't yet exist in
Buildroot:
https://bugs.busybox.net/show_bug.cgi?id=11206https://bugs.busybox.net/show_bug.cgi?id=11321
Good summary of the most common build failures related to
enabling pie: https://wiki.ubuntu.com/SecurityTeam/PIE
[Peter: minor cleanups]
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit:
https://git.buildroot.net/buildroot/commit/?id=13722d58f77d0e9fea9eefc50bf083d19f835433
Patch "0003-configure-Invert-AC_CHECK_LIB-EVP_md5-.-without-lz-w.patch"
was intended to fix AC_CHECK_FUNCS() failure on openssl functions. This
was due to missing -lz during static linking.
But the patch is wrong and results in explicitly linking against -lz in
both shared and static build.
This makes no sense, since shared linking has transitive dependency so
it doesn't need to list -lz after -lssl, -lssl is enough.
Differently static linking needs -lz to be listed after -lssl.
So the real cause of previous build failure:
http://autobuild.buildroot.net/results/881/881139fb049738b16609d39ad5a49bd77ff6b4aa/
is that when AC_CHECK_FUNCS(), $LIBS variable is overwritten with
$LIBCRYPTO without taking into accout previous $LIBS content(i.e. where
-lz is present). This results in AC_CHEC_FUNCS() to fail while trying to
statically link without listing -lz.
Then:
- Remove current "0003-configure-Invert-AC_CHECK_LIB-EVP_md5-.-without-lz-w.patch"
- Add patch "0003-configure-fix-AC_CHECK_FUNCS-EVP_sha224-EVP_sha384-..patch"
where add $LIBS content to tail of new $LIBS variable like this:
LIBS="$LIBCRYPTO $LIBS"
NOTE: $LIBS is at the end to ensure static linking to work correctly.
- Add patch 0004-configure-fix-AC_CHECK_FUNCS-TLS_method-TLSv1_method.patch
where add $LIBS content to tail of new $LIBS variable like this:
LIBS="-lssl $LIBCRYPTO $LIBS"
NOTE: $LIBS is at the end to ensure static linking to work correctly.
This way AC_CHECK_FUNCS(), when static linking, try to link with -lz too
appending it at the end of linking library list.
And after every AC_CHECK_FUNCS(), previously saved $LIBS variable gets
back to its original value(i.e. containing -lz if present) resulting in
having or not -lz appended to library list according to static or
shared build.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 550c42509c "package/vlc: fix
linking with tremor" fixed build with BR2_PACKAGE_TREMOR and without
BR2_PACKAGE_LIBVORBIS. However, it breaks build if BR2_PACKAGE_TREMOR
and BR2_PACKAGE_LIBVORBIS are both enabled.
Indeed, by overiding VORBIS_LIBS by -lvorbisidec, link of
codec/.libs/libvorbis_plugin_la-vorbis.o with -lvorbis
failed because VORBIS_LIBS is normally used to save "-logg
-lvorbis -lvorbisenc":
PKG_ENABLE_MODULES_VLC([VORBIS], [], [ogg vorbis >= 1.1 vorbisenc >= 1.1], [Vorbis decoder and encoder], [auto])
So replace fourth patch by an upstreamable patch which uses pkg-config
to set TREMOR_LIBS if tremor is found instead of "hacking" VORBIS_LIBS
Fixes:
- http://autobuild.buildroot.org/results/85a7bb1996b78dee037d5900b124cbdf5b66a6ac
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Upstream is now Python 3 only.
Quoting the maintainer [1]: "the last version of crossbar with python 2
support: pip install crossbar==18.4.1".
[1] https://github.com/crossbario/crossbar/issues/1332
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Asaf Kahlon <asafka7@gmail.com>
Cc: Mauro Condarelli <mc5686@mclink.it>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Location module for QtQuick depends on this library, which was not
being copied in the build rule.
Signed-off-by: Alexander 'z33ky' Hirsch <1zeeky@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Linux tarball checksum was recently updated, including the one for
version 4.9.133. The checksum for this particular version of Linux
misses one character which lead to a build issue as the checksum does
not match:
ERROR: linux-4.9.133.tar.xz has wrong sha256 hash:
ERROR: expected: 3730fc025ba330a6f4908a6a1e4cb86d821000c84167721680ccf1b37b26563
ERROR: got : 53730fc025ba330a6f4908a6a1e4cb86d821000c84167721680ccf1b37b26563
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
This patch fixes it.
Fixes: 0064c7b251 ("{linux, linux-headers}: bump 4.{4, 9, 14, 18}.x series")
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Tested-by: Ricardo Martincoski <ricardo.martincoski@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tk Open Systems has sponsored the Buildroot Association to organize
the Buildroot Developers Meeting.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When threads support is missing the ntp build system builds the
work_fork code. This code added call to set_user_group_ids() that is
under HAVE_DROPROOT, which is disabled when libcap is not built.
Add a patch fixing that.
Fixes:
http://autobuild.buildroot.net/results/ab9/ab9ceff1151b8b5e6b9fa77d39c0f9b0cac1a080/
Cc: Artyom Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-10933: authentication bypass vulnerability in the server
code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in
place of the SSH2_MSG_USERAUTH_REQUEST message which the server would
expect to initiate authentication, the attacker could successfully
authenticate without any credentials.
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Drop an upstream patch.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Config.in for glibc is a blind option and not part of the menu for
a user to select (the pkg is used for the Buildroot toolchain build),
however this patch adds the link for completeness of the pkg-stats
report and for future scripting which will generate xml updates of the
package's Common Product Enumeration (used for vunerability checking).
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
