This fixes CVE-2021-32672
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f03ad7e0a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Repeat after me: "Forcing the value of <pkg>_DEPENDENCIES inside a
conditional is the root of all evil."
Repeat after me: "Forcing the value of <pkg>_DEPENDENCIES inside a
conditional is the root of all evil."
Repeat after me: "Forcing the value of <pkg>_DEPENDENCIES inside a
conditional is the root of all evil."
Repeat after me: "Forcing the value of <pkg>_DEPENDENCIES inside a
conditional is the root of all evil."
Enough? :-)
Due to this mistake, any other GDB_DEPENDENCIES defined before this
assignment were lost. For example, the host-flex host-bison added
inside the GDB_FROM_GIT==y condition were ignored if
BR2_PACKAGE_GDB_DEBUGGER.
Fixes the build of all ARC configurations that have
BR2_PACKAGE_GDB_DEBUGGER enabled.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 97f3ad7af3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since I'm the upstream maintainer and we use it for $DAYJOB, I'll adopt.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 96db7735f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog (for details see [1]):
- Fix for memory corruption issue when listening to same node (#99)
[1] https://github.com/RidgeRun/gst-interpipe/releases/tag/1.1.6
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 49381c4f59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Select BR2_PACKAGE_WOLFSSL_ALL as suggested by upstream in
https://github.com/curl/curl/issues/7745 to fix the following build
failure raised since bump to version 7.79.1 in commit
6d6842130b456499d3ff230a3b70cec756cbccd1:
/home/giuliobenetti/autobuild/run/instance-3/output-1/host/lib/gcc/riscv64-buildroot-linux-uclibc/10.3.0/../../../../riscv64-buildroot-linux-uclibc/bin/ld: ../lib/.libs/libcurl.so: undefined reference to `wolfSSL_ERR_clear_error'
Fixes:
- http://autobuild.buildroot.org/results/2956c8fb91a16d2ab59fb1c7babec46a6c8399e5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 36ac5b0b0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2
(CVE-2021-28116 aka ZDI-CAN-11610)
Due to an out of bounds memory access Squid is vulnerable to an
information leak vulnerability when processing WCCPv2 messages.
This problem allows a WCCPv2 sender to corrupt Squids list of
known WCCP routers and divert client traffic to attacker
controlled routers.
This attack is limited to Squid proxy with WCCPv2 enabled and
IP spoofing of a router IP address configured as trusted in
squid.conf.
For more details, see the advisory:
http://lists.squid-cache.org/pipermail/squid-announce/2021-October/000136.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6263c1f9a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog (since 2021.04.21):
47007d0 wireless-regdb: update regulatory database based on preceding changes
e983a25 Update regulatory rules for Ecuador (EC)
a0bcb88 wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
cdf854d wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
a4468e8 wireless-regdb: update regulatory database based on preceding changes
86cba52 wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
6fa2384 wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
9839e1e wireless-regdb: recent FCC report and order allows 5850-5895 immediately
42dfaf4 wireless-regdb: update 5725-5850 MHz rule for GB
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 95f3fc514c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-41617: sshd in OpenSSH 6.2 through 8.x before 8.8, when
certain non-default configurations are used, allows privilege escalation
because supplemental groups are not initialized as expected. Helper
programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may
run with privileges associated with group memberships of the sshd
process, if the configuration specifies running the command as a
different user.
https://www.openssh.com/txt/release-8.8https://www.openssh.com/txt/release-8.7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 29b6114acf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-meld3 is not a dependency since bump to version 4.1.0 in commit
5da3e1a3e6 and
d09d843493
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cd5dc168e9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 96464f7562)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package uses meson-package infrastracture, so we don't need to
explicitly pass its additional CFLAGS to some variable. The only thing we
need to pass them is to use MESA3D_CFLAGS, because in package/pkg-meson.mk
we have:
$(2)_CFLAGS ?= $$(TARGET_CFLAGS)
that makes the work automatically, where $(2) is exactly the package name,
though $(2)_CFLAGS expands to MESA3D_CFLAGS.
So let's remove the MESA3D_CONF_OPTS += -DCMAKE_C_FLAGS="$(MESA3D_CFLAGS)"
line that has been added by mistake.
Note: this doesn't fix any bug, but remove an unnecessary and ambiguos line
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4383fde622)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mesa3d uses very big switch statements, which causes the build to fail
on m68k, beause the offsets there are only 16-bit.
We fix that by using -mlong-jump-table-offsets on m68k, to use 32-bit
offsets for switch statements, but this is only available starting with
gcc 7 [0] [1].
Fixes:
http://autobuild.buildroot.net/results/60c4653c2a93125edbdd0beb43cd47301643464a/
Note: we have two packages that select mesa3d, but:
package/intel-mediadriver/
-> already depends on x86_64, so implies !m68k
package/x11r7/xdriver_xf86-video-imx-viv/
-> imx is an ARM, but xdriver_xf86-video-imx-viv is missing
a depends on BR2_arm (although the comments do have that
dependency). However, it depends on other imx related
packages, and they depend on either arm or aarch64, so
that implies !m68k.
As such, we do not need to propagate that new dependency.
[0] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57583#c15
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57583#c16
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
- add comment
- reword commit log, add BZ references, add non-propagation notes
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2fe3a8f81b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Traditional VT-10x terminals (and their emulators) [0] have a "magic
margins" feature that enables the last character position to be updated
without scrolling the screen: whenever a character is printed on the
last column, the cursor stays over the character, instead of moving to
the next line.
The Busybox shell, ash, attempts to defeat this feature by printing
CR,LF right after echoing a character to the last column.[1] This
doesn't play well with emulator.py. The run() method of the Emulator
class captures the output of the emulated system and assumes the first
line it reads is the echo of the command, and all subsequent lines are
the command's output. If the line made by the command + shell prompt is
longer than 80 characters, then it is echoed as two or more lines, and
all but the first one are mistaken for the command's output.
We fix this by telling the emulated system that we are using an
ultra-wide terminal with 29999 columns. Larger values would be ignored
and replaced by the default, namely 80 columns.[2]
[0] https://vt100.net/docs/vt100-ug/chapter3.html - DECAWM
[1] https://git.busybox.net/busybox/tree/libbb/lineedit.c?h=1_34_0#n412
[2] https://git.busybox.net/busybox/tree/libbb/xfuncs.c?h=1_34_0#n258
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Co-authored-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit eb3ee3078a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.16.9 (released 2021-10-07) includes a security fix to the linker and
misc/wasm directory, as well as bug fixes to the runtime and to the
text/template package.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
zlib is an optional dependency since bump to version 7.60 in commit
c4faf1d4d1 and
0c142333bb.
If it is not disabled, nmap will build its own zlib version which can
result in the following build failure:
/home/giuliobenetti/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/i686-buildroot-linux-uclibc/9.3.0/../../../../i686-buildroot-linux-uclibc/bin/ld: attempted static link of dynamic object `libz.so.1.2.11'
Fixes:
- http://autobuild.buildroot.org/results/da9469e24390c94fe74f133152dc320c21872159
- http://autobuild.buildroot.org/results/53034d8dd506bc033dc92343f9a37cd4ac8b2142
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e991c2cba6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mips_32 is not supported by ffmpeg and it tries to build with loongson3
SIMD support that leads to build failure due to:
/tmp/ccFO2LRa.s: Assembler messages:
/tmp/ccFO2LRa.s:15314: Error: opcode not supported on this processor: mips32 (mips32) `dmult $2,$6'
/tmp/ccFO2LRa.s:15316: Error: opcode not supported on this processor: mips32 (mips32) `dsrl $2,$2,32'
So let's --disable-asm to prevent using those unsupported opcodes for every
mips architecture according to Arnout.
Fixes:
http://autobuild.buildroot.net/results/f01/f01d9cedec8e1b371308d0f7af561a75883fa27c/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 4e822fcadf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Compiling on Ubuntu 20.04 generates this:
./util.c: In function ‘file_write_dep’
./util.c:54:18: warning: ‘..config.tmp’ directive writing 12 bytes into a region of size between 1 and 4097 [-Wformat-overflow=]
54 | sprintf(buf, "%s..config.tmp", dir);
| ^~~~~~~~~~~~
./util.c:54:2: note: ‘sprintf’ output between 13 and 4109 bytes into a destination of size 4097
54 | sprintf(buf, "%s..config.tmp", dir);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
and similar warnings on confdata.c, lines 778, 989, 995, 1000, 1007,
1040, 1046 and 1054. Avoid the warnings by enlarging the destination
buffer of fprintf().
Normally, we want changes to kconfig to be reflected by patches in
support/kconfig/patches. This makes it easier to resync with upstream
kconfig. However, in this case, everything that is changed here is
already changed completely (and differently) upstream, so there is no
added value in keeping the patch.
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 324612d68e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-41054: tftpd_file.c in atftp through 0.7.4 has a buffer
overflow because buffer-size handling does not properly consider the
combination of data, OACK, and other options.
- Update hash of license file (license replaced with current version of
the GPL text:
bf22ccaef3)
https://sourceforge.net/p/atftp/code/ci/v0.7.5/tree/Changelog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f39ae602ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2021-3013 does not impact any buildroot versions of ripgrep as it is
a Windows-only exploit targeting ripgrep versions earlier than 13. It
can be safely ignored on our LTS branches.
https://nvd.nist.gov/vuln/detail/CVE-2021-3013
Signed-off-by: Sam Voss <sam.voss@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 641beb3217)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When booting under EFI, grub2 will output a nice and shiny boot menu,
using extended ASCII characters (in the [0x80..0xFF] range), namely
CP437 [0], on the assumption that the VGA BIOS is a real one and has the
corresponding (and only!) font, as is the case on real hardware.
However, when run in our runtime test infrastructure, this triggers the
infamous python UnicodeDecodeError exception:
Traceback (most recent call last):
[...]
emulator.login()
File "[...]/buildroot/support/testing/infra/emulator.py", line 89, in login
index = self.qemu.expect(["buildroot login:", pexpect.TIMEOUT],
File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 340, in expect
return self.expect_list(compiled_pattern_list,
File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
return exp.expect_loop(timeout)
File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 111, in expect_loop
incoming = spawn.read_nonblocking(spawn.maxread, timeout)
File "/usr/lib/python3/dist-packages/pexpect/pty_spawn.py", line 485, in read_nonblocking
return super(spawn, self).read_nonblocking(size)
File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 178, in read_nonblocking
s = self._decoder.decode(s, final=False)
File "/usr/lib/python3.8/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xda in position 0: invalid continuation byte
Grub2 is not wrong in emitting those chars, and basically we should not
expect the packages we test to always emit correct UTF-8 sequences; at
the very least, this should not cause the test infra to fail.
We fix that by telling pexpect.spawn to "fix" such invalid sequences by
replacing them with the suitable Unicode character, U+FFFD REPLACEMENT
CHARACTER.
[0] https://en.wikipedia.org/wiki/Code_page_437
[1] https://docs.python.org/3/library/codecs.html#error-handlers
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[yann.morin.1998@free.fr:
- don't change encoding, use codec_errors
- rewrite commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d6d7cbb8e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BR2_TOOLCHAN_USES_UCLIBC -> BR2_TOOLCHAIN_USES_UCLIBC
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b03ea972ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BR2_TOOLCHAN_USES_UCLIBC -> BR2_TOOLCHAIN_USES_UCLIBC
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 71ce29eff3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When parsing and adding modules the refpolicy build system checks their
validity using xmllint. By default the host system version is used and
if not found an error is displayed but the build is not stopped. This
leads to interesting issues where modules are not added correctly to
modules.conf[1] (other possible issues are likely).
Fix this by adding a dependency on host-libxml2 and explicitly use the
xmllint binary built by Buildroot.
[1] https://lore.kernel.org/buildroot/20210830114531.2285178-1-jose.pekkarinen@unikie.com/
Tested-by: José Pekkarinen <jose.pekkarinen@unikie.com>
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5141cee109)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Plus, indent with two spaces in the hash file.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
(cherry picked from commit 1c543c729e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use --with-ncurses and --without-ncurses options which are available
since version 0.88 and
4e2a948a16
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit edb65b4e6d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixing a number of regressions:
- Fixed a regression in Django 3.2 that caused a crash validating "NaN"
input with a forms.DecimalField when additional constraints, e.g.
max_value, were specified (#32949).
- Fixed a bug in Django 3.2 where a system check would crash on a model with
a reverse many-to-many relation inherited from a parent class (#32947).
- Fixed a regression in Django 3.2 that caused the incorrect offset
extraction from fixed offset timezones (#32992).
https://docs.djangoproject.com/en/3.2/releases/3.2.6/https://docs.djangoproject.com/en/3.2/releases/3.2.7/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f71e240229)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The various micropython ports may include code licensed under different
licenses compared to the core micropython. List these in MICROPYTHON_LICENSE.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 4dc40c21ea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libcap is an optional dependency which is enabled by default since
version 0.88 and
2ff8de3102
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit 3d99699f82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While creating the initial package file a wrong dependency was chosen.
This package really depends on jsoncpp, not json-for-modern-cpp:
f724c5934c
This bug was found while testing per-package directories.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
(cherry picked from commit 2d8e452895)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release clears CVE-2021-40530 and fixes a problem with ChaCha20
AVX2 implementation. The CVE was due to ElGamal encryption using a work
estimate to size encryption exponents instead subgroup order. The
ChaCha20 issue was due to mishandling a carry in the AVX2 code path. The
ChaCha20 issue was difficult to duplicate, so most users should not
experience it.
https://github.com/weidai11/cryptopp/releases/tag/CRYPTOPP_8_6_0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d714137722)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Syslinux use some python scripts during the build and they
are using python interpreter by default. It fail to build
when there is no python interpreter on the host.
[...]/syslinux-6.03/com32/cmenu/menugen.py
make[6]: python: No such file or directory
Since Syslinux 5.00, we can override the python interpreter
used during the build:
https://repo.or.cz/syslinux.git/commitdiff/4dec62ce9c2c0d170f21b3ae2d7c618eb7a30c05
Add the missing host-python3 dependency and override
it in SYSLINUX_BUILD_CMDS.
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/1614446766
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[yann.morin.1998@free.fr: fix check-package]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6ccfd40711)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since v2.2 release (commits 8cc36aec912 "doc: De-duplicate readme and
license files" and 9f1622b018ab "doc: Move content out of readme and
create new index page "), the license.rst file at the root of the git
repo is only telling to look at docs/license.rst file.
Let's point the ARM_TRUSTED_FIRMWARE_LICENSE_FILES to the correct file
and modify the .hash file accordingly.
The comment has also been wrong since we bumped from version 1.4 to 2.2
in commit a757d173f1 (boot/arm-trusted-firmware: bump to version
2.2). Drop referencing an explicit version, so that is is never wrong
again.
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
[yann.morin.1998@free.fr: also fix the comment.]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8354176915)
[Peter: update hash for v2.4]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 2cfdf8b8a2 (boot/mv-ddr-marvell: Bump to HEAD as of 20201207)
forgot to update the hash a a source file that we use as license file.
Fixes: #14221
Reported-by: nyanyamiau@gmail.com
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: D. Olsson <hi@senzilla.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f05136090d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libcap is an optional dependency which is enabled by default since
version 0.7.1 and
669c53e335
and can be explicitly enabled or disabled since version 0.9.0 and
af36fbe756
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c3712a86ad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In filesystems, variables must be prefixed with ROOTFS_, to avoid
ckashing with packages of the same name.
We do not have a package named 'ext2', so we currently have no clash,
but it is still better that the variables be properly namespaced.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit db7d786140)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Static build with musl fails since bump to version 2020.04 in commit
fe97212976 because LDFLAGS, which contains
-static, is not passed resulting in the following build failure:
/tmp/instance-1/output-1/host/lib/gcc/arm-buildroot-linux-musleabihf/10.3.0/../../../../arm-buildroot-linux-musleabihf/bin/ld: /tmp/instance-1/output-1/host/lib/gcc/arm-buildroot-linux-musleabihf/10.3.0/libgcc.a(_dvmd_lnx.o): in function `__aeabi_ldiv0':
/tmp/instance-1/output-1/build/host-gcc-final-10.3.0/build/arm-buildroot-linux-musleabihf/libgcc/../../../libgcc/config/arm/lib1funcs.S:1499: undefined reference to `raise'
collect2: error: ld returned 1 exit status
Fixes:
- http://autobuild.buildroot.org/results/d71aba27ff0c7711f2cb67261183506f25217a5f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 84a2723568)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
ee8b680816 ("utils/scanpypi: use python3 explicitly") started to use python3,
thus compatibility can be removed:
from __future__ import print_function
from __future__ import absolute_import
Tested with python3 -m py_compile.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit d50290764e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile
1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
https://nvd.nist.gov/vuln/detail/CVE-2021-3246
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit cb18218ad1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-22945: UAF and double-free in MQTT sending
When sending data to an MQTT server, libcurl could in some circumstances
erroneously keep a pointer to an already freed memory area and both use
that again in a subsequent call to send data and also free it again.
https://curl.se/docs/CVE-2021-22945.html
- CVE-2021-22946: Protocol downgrade required TLS bypassed
A user can tell curl to require a successful upgrade to TLS when speaking
to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or
CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl).
This requirement could be bypassed if the server would return a properly
crafted but perfectly legitimate response.
This flaw would then make curl silently continue its operations without
TLS contrary to the instructions and expectations, exposing possibly
sensitive data in clear text over the network.
https://curl.se/docs/CVE-2021-22946.html
- CVE-2021-22947: STARTTLS protocol injection via MITM
When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data
securely using STARTTLS to upgrade the connection to TLS level, the server
can still respond and send back multiple responses before the TLS upgrade.
Such multiple "pipelined" responses are cached by curl. curl would then
upgrade to TLS but not flush the in-queue of cached responses and instead
use and trust the responses it got before the TLS handshake as if they
were authenticated.
Using this flaw, it allows a Man-In-The-Middle attacker to first inject
the fake responses, then pass-through the TLS traffic from the legitimate
server and trick curl into sending data back to the user thinking the
attacker's injected data comes from the TLS-protected server.
Over POP3 and IMAP an attacker can inject fake response data.
https://curl.se/docs/CVE-2021-22947.html
In addition, 7.79.1 fixes a number of regressions in 7.79.0:
https://daniel.haxx.se/blog/2021/09/22/curl-7-79-1-patched-up-and-ready/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 6d6842130b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The file access protection built into Ghostscript proved insufficient for
the "%pipe%" PostScript device, when combined with Ghostscript's requirement
to be able to create and control temporary files in the conventional
temporary file directories (for example, "/tmp" or "/temp). This exploit is
restricted to Unix-like systems (i.e., it doesn't affect Windows). The most
severe claimed results are only feasible if the exploit is run as a "high
privilege" user (root/superuser level) \u2013 a practice we would discourage
under any circumstances.
For more details, see the advisory:
https://ghostscript.com/CVE-2021-3781.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 4e415b4164)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which
allows remote attackers to discover cleartext credentials because they may
appear in SNI data.
https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
Upstream unfortunately does not provide a public VCS (only source
snapshots), so fetch the security patch from Debian.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5bb9d79f27)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Includes a number of bugfixes and the security fixes up to xsa-384:
https://xenproject.org/downloads/xen-project-archives/xen-project-4-14-series/xen-project-4-14-3/
Drop the now upstream
0002-libs-foreignmemory-Fix-osdep_xenforeignmemory_map-prototype.patch, and
renumber the remaining patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 69e4493fb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Backport the following security fix from the upstream 21.1 release fixing
CVE-2021-3572:
https://github.com/pypa/pip/pull/9827
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cf949134b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A gdbinit file passed via '-x' will be read _after_ parsing any
object/core file passed on the command-line. In cross-compilation context,
this is particularly a problem when loading a core file, because without the
'sysroot' specified in the gdbinit file, it will give a lot of warnings,
like:
warning: .dynamic section for "/lib/libstdc++.so.6" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/librt.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libm.so.6" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libgcc_s.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libc.so.6" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/ld-linux.so.2" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libanl.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libdl.so.2" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libpthread.so.0" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/usr/lib/libz.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libnss_files.so.2" is not at the expected address (wrong library or version mismatch?)
warning: Could not load shared library symbols for 17 libraries, e.g. [...]
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
In contrast, the '-ix' option will load the specified gdbinit file _before_
parsing object/core files. This will remove said warnings.
See also: https://sourceware.org/bugzilla/show_bug.cgi?id=28330
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e1ee121cae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To avoid spending some time to build the x86_64 toolchain (~20min),
switch to corei7 cpu (Nahalem) and use the prebuilt Bootlin toolchain.
We have to use the "stable" Bootlin toolchain to use the same kernel version
for the toolchain kernel headers and the running kernel.
With the "bleeding-edge" toolchain we have the "kernel too old" issue
(running kernel 4.19 vs kernel headers 5.4)
Runtime tested locally.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 521b6f8550)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Switch from the Buildroot internal toolchain for armv5 to
the prebuilt Bootlin external toolchain.
The test doesn't require to build a toolchain, there was
no prebuilt glibc toolchain recent enough at the time this
test has been introduced.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 184d20404e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This test already use builtin kernel provided by the testsuite infra:
self.emulator.boot(arch="armv7",
kernel="builtin",
options=["-initrd", img])
But a second kernel is build from the its defconfig. This second kernel
is not used by the test.
The TestRust (using BR2_PACKAGE_HOST_RUST=y) is really long to build,
save some cpu time by removing the kernel build.
This unused kernel (based on 4.11.3 release) doesn't even build with
host gcc >= 10.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f6d438d59f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The kernel 4.19.79 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
The issue was fixed in 4.19.114 [2]
Bump to the latest 4.19.x version.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
[2] http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=621f2ded601546119fabccd1651b1ae29d26cd38
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 883d5a2f3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The kernel 5.5.7 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
But we can't just update this test to the next linux kernel LTS 5.10.y since
the minimum gcc version has been updated to gcc 4.9 since 5.8 kernel [2]
and the Sourcery CodeBench ARM 2014.05 is used (gcc 4.8 based).
Enable arm cortex A9 and VFP support to switch to the ARM arm prebuilt
toolchain (the Bootlin toolchain could be used).
While at it use the prebuilt buildin kernel for the vexpress target
recently updated to 5.10.7.
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/1564202094
[1] https://gcc.gnu.org/gcc-10/porting_to.html
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6ec4476ac82512f09c94aff5972654b70f3772b2
[3] 3cf2782906
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e0ad7c6411)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The kernel 4.16.7 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Bump to the next LTS release.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 73278c8a70)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The kernel 4.16.7 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Bump to the next LTS release.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e0a64dfc0e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The kernel 4.11.3 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Bump to the next LTS release.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 69de111c46)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The kernel 4.11.3 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Bump to the next LTS release.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 322b40405e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add simple mixer python bindings to build when "Python support for
alsa-lib" is active. smixer-python is the only python module which
exists in alsa-lib. It is compatible with Python2 and Python3.
Signed-off-by: Illia Bitkov <illia.bitkov@mind.be>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit fde3bf94b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Added patch fixes linkage of libgc with external libtomic-ops.
Mono uses bundeled bdwgc which doesn't link external libatomic-ops.
Patch is a fix cherry-picked from bdwgc upstream.
Problem found on ARMv5 processors, on newer ARM processors
it uses header based functions and doesn't need built library.
Error:
/home/buildroot/autobuild/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: ../../external/bdwgc/.libs/libgc.a(gc.o): in function `GC_steal_mark_stack':
gc.c:(.text+0x2020): undefined reference to `AO_store_full_emulation'
Fixes:
http://autobuild.buildroot.net/results/ebc54e5dea63aca21a4072d294fdede41de559c7http://autobuild.buildroot.net/results/6d10a4bd43fbc9c1d3fa26d5eef394c8023cb85f
Signed-off-by: Illia Bitkov <illia.bitkov@mind.be>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7b5a13eb3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If the toolchain does not have threads (e.g. br-arm-full-nothread),
compilation fails:
In file included from /home/fail/br-test-pkg/br-arm-full-nothread/build/libressl-3.3.3/crypto/cryptlib.c:117:
/home/fail/br-test-pkg/br-arm-full-nothread/build/libressl-3.3.3/crypto/../include/compat/pthread.h:114:15: fatal error: pthread.h: No such file or directory
114 | #include_next <pthread.h>
| ^~~~~~~~~~~
compilation terminated.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit da8f069d74)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Port the following upstream commit:
https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/591/diffs?commit_id=0148a15da1616a868d71abe1b56e3f28cc79533c
This fixes the following build error on mips with GCC10:
CCLD libint10.la
buildroot/output/host/lib/gcc/mips64el-buildroot-linux-gnu/10.3.0/../../../../mips64el-buildroot-linux-gnu/bin/ld: .libs/helper_mem.o:(.bss+0x0): multiple definition of `IOPortBase'; .libs/helper_exec.o:(.bss+0x0): first defined here
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 2e52de40d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The AKA backend for 3GPP2 requires libgmp (see
https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf). Since
the AKA backend for 3GPP2 is included by BR2_PACKAGE_STRONGSWAN_EAP,
when selecting a crypto backend different from
BR2_PACKAGE_STRONGSWAN_GMP, there is no guarantee the gmp package is
selected as well. When doing so, make fails since the package is in the
dependency chain but not selected:
$ make
Makefile:585: *** gmp is in the dependency chain of strongswan that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in. Stop.
make: *** [Makefile:23: _all] Error 2
To fix this, select BR2_PACKAGE_GMP when selecting BR2_PACKAGE_STRONGSWAN_EAP.
Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 363613a698)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Trace-cmd needs -fPIC for Sparc64 platform otherwise it fails on linking,
so add -fPIC to CFLAGS when building for such platform.
Fixes;
http://autobuild.buildroot.net/results/c59/c596f6308b7f4d44d9ba009ed0c395396fc72f47/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b1942c8e47)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
AM_ICONV is not needed since drop of autoreconf in commit
03fbb81b8b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit aa90237546)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-28902: In function read_yin_container() in libyang <= v1.0.225,
it doesn't check whether the value of retval->ext[r] is NULL. In some
cases, it can be NULL, which leads to the operation of
retval->ext[r]->flags that results in a crash.
- CVE-2021-28903: A stack overflow in libyang <= v1.0.225 can cause a denial
of service through function lyxml_parse_mem(). lyxml_parse_elem()
function will be called recursively, which will consume stack space and
lead to crash.
- CVE-2021-28904: In function ext_get_plugin() in libyang <= v1.0.225, it
doesn't check whether the value of revision is NULL. If revision is NULL,
the operation of strcmp(revision, ext_plugins[u].revision) will lead to a
crash.
- CVE-2021-28905: In function lys_node_free() in libyang <= v1.0.225, it
asserts that the value of node->module can't be NULL. But in some cases,
node->module can be null, which triggers a reachable assertion (CWE-617).
- CVE-2021-28906: In function read_yin_leaf() in libyang <= v1.0.225, it
doesn't check whether the value of retval->ext[r] is NULL. In some cases,
it can be NULL, which leads to the operation of retval->ext[r]->flags that
results in a crash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 800bf65adc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-39272: Fetchmail before 6.4.22 fails to enforce STARTTLS session
encryption in some circumstances, such as a certain situation with IMAP
and PREAUTH.
https://www.fetchmail.info/fetchmail-SA-2021-02.txt
Update COPYING hash for a clarification of the license situation with
openssl 3.x (which is Apache 2.0 licensed):
8eed56c21c
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6041702a24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
only build --with-boost when both required modules (filesystem and system) are
also selected.
Fixes:
http://autobuild.buildroot.net/results/4fbf2a63f9ddfbc540ce7dabd10964b311477c06
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5572b2e531)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2021-29221 is a Windows specific issue:
A local privilege escalation vulnerability was discovered in Erlang/OTP
prior to version 23.2.3. By adding files to an existing installation's
directory, a local attacker could hijack accounts of other users running
Erlang programs or possibly coerce a service running with "erlsrv.exe" to
execute arbitrary code as Local System. This can occur only under specific
conditions on Windows with unsafe filesystem permissions.
So ignore it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e7c2eaf929)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2021-40529: The ElGamal implementation in Botan through 2.18.1, as
used in Thunderbird and other products, allows plaintext recovery because,
during interaction between two cryptographic libraries, a certain
dangerous combination of the prime defined by the receiver's public key,
the generator defined by the receiver's public key, and the sender's
ephemeral exponents can lead to a cross-configuration attack against
OpenPGP
For more details, see the upstream bug and issue writeup:
- https://github.com/randombit/botan/pull/2790
- https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 31c94080d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-37701: Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning using symbolic links
- CVE-2021-37712: Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning using symbolic links
- CVE-2021-37713: Arbitrary File Creation/Overwrite on Windows via
insufficient relative path sanitization
- CVE-2021-39134: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
- CVE-2021-39135: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e3bdcdd596)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit edb6d5f00b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 02bf32ca01)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 598c852077)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fc3e9ba25a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 931c6e2a70)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f8e9c7470b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e2bfdc4f18)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 40e02dccd5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6e6d6185dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 50cc9ab544)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 374b8f5845)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 97fddaa3df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Named failed to check the opcode of responses when performing zone
refreshes, stub zone updates, and UPDATE forwarding. This could lead to an
assertion failure under certain conditions and has been addressed by
rejecting responses whose opcode does not match the expected value. [GL #2762]
For details, see the release notes:
https://downloads.isc.org/isc/bind9/9.11.35/RELEASE-NOTES-bind-9.11.35.html
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6977ee6e0e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This bump contains a single change to fix the following build failure
with Microblaze raised since bump to version 4.4.25 in commit
a071bec0a0cd928443223132d47564c90bc64713:
lib/crypt-gensalt-static.c:33:1: error: symver is only supported on ELF platforms
33 | SYMVER_crypt_gensalt;
| ^~~~~~~~~~~~~~~~~~~~
Update hash of LICENSING due to new file being added with
4ab5f672ebhttps://github.com/besser82/libxcrypt/blob/v4.4.26/NEWS
Fixes:
- http://autobuild.buildroot.org/results/4766bfce9813b7f321369ec45298d16cd6dc251a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 30479788f1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As the github repository has changed from github.com/AdoptOpenJDK/ to
github.com/adoptium, both versions are updated in the same patch.
Security fixes
JD K-8256157: Improve bytecode assembly
JDK-8256491: Better HTTP transport
JDK-8258432, CVE-2021-2341: Improve file transfers
JDK-8260453: Improve Font Bounding
JDK-8260960: Signs of jarsigner signing
JDK-8260967, CVE-2021-2369: Better jar file validation
JDK-8262380: Enhance XML processing passes
JDK-8262403: Enhanced data transfer
JDK-8262410: Enhanced rules for zones
JDK-8262477: Enhance String Conclusions
JDK-8262967: Improve Zip file support
JDK-8264066, CVE-2021-2388: Enhance compiler validation
JDK-8264079: Improve abstractions
JDK-8264460: Improve NTLM support
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit baaf71b9bb)
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- pthread_getname_np not available with musl libc, add patch to disable
usage for musl (patch inspired/ported from [1])
Fixes:
- http://autobuild.buildroot.net/results/ed372a4a8e50d9e20be589eeda40c92888d709bc
platform/default/thread.cpp: In function ‘std::string mbgl::platform::getCurrentThreadName()’:
platform/default/thread.cpp:14:5: error: ‘pthread_getname_np’ was not declared in this scope; did you mean ‘pthread_setname_np’?
14 | pthread_getname_np(pthread_self(), name, sizeof(name));
| ^~~~~~~~~~~~~~~~~~
| pthread_setname_np
[1] e64dd67f43/srcpkgs/qt5/patches/0014-musl-set_thread_name_np.patch
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: add uClibc]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4c8ec58504)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before
1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in
kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b9646b18bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-33193: A crafted method sent through HTTP/2 will bypass
validation and be forwarded by mod_proxy, which can lead to request
splitting or cache poisoning. This issue affects Apache HTTP Server
2.4.17 to 2.4.48.
https://github.com/apache/httpd/blob/2.4.49/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 868367222b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 148e695e37 (package/kodi: bump version to 19.0-Matrix) extended
the set of required libraries for various "platform" backends, by
selecting those libraries from the blind options. For example, we have:
config BR2_PACKAGE_KODI_PLATFORM_SUPPORTS_GBM
bool
default y
depends on [...]
select BR2_PACKAGE_LIBINPUT
[...]
However, that option is true as soon as the requirements are met (the
depends on), even when Kodi itself is not enabled.
This means that extra libraries are pulled in to the build, even when
not required.
We fix that by moving the actual selects to the main symbol, along with
the proper conditions. This means that we have two lines that select
libxbcommon, under two different conditions; we could make that a single
select, but the codition would need to be on two lines anyway, so meh...
This is not an ideal solution, because it is a bit ugly, but:
1) adding three new blind options just for the select is kinda extreme
and superfluous;
2) our Kodi packaging is already a bit ugly anyway.
Fixes: #14206
Reported-by: Thomas Ruschival <t.ruschival@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
(cherry picked from commit b80c488d04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with gcc 4.8 raised since bump to
version 0.6.23 in commit e2f805097611b4828d2cba6168472aac6dedeafe:
exif-gps-ifd.c: In function 'exif_get_gps_tag_info':
exif-gps-ifd.c:62:3: error: 'for' loop initial declarations are only allowed in C99 mode
for (int i = 0; i < sizeof(exif_gps_ifd_tags) / sizeof(ExifGPSIfdTagInfo); ++i) {
^
exif-gps-ifd.c:62:3: note: use option -std=c99 or -std=gnu99 to compile your code
Fixes:
- http://autobuild.buildroot.org/results/7dd222e06d1e6611449fb8fe7516817c9ad43d65
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 039de9a291)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-23437 Raise ValueError if color specifier is too long
- Fix 6-byte OOB read in FliDecode
- Update indentation in hash file (two spaces)
https://github.com/python-pillow/Pillow/releases/tag/8.3.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a7919e68a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD
Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE:
the vendor's position is "The GD2 image format is a proprietary image
format of libgd. It has to be regarded as being obsolete, and should
only be used for development and testing purposes."
- Drop patch (already in version)
- Update hash of COPYING (duplicate merged and title added with
82d26095056013c7bcf6)
https://github.com/libgd/libgd/releases/tag/gd-2.3.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a052ecb5b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix several issues found by Covscan in the testsuite. These include:
- CWE-170: String not null terminated (STRING_NULL)
- CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST)
- CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
- CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH)
- CWE-573: Missing varargs init or cleanup (VARARGS)
- CWE-687: Argument cannot be negative (NEGATIVE_RETURNS)
- Update hash of LICENSING due to files being updated with:
44e9eb57b4578271c377https://github.com/besser82/libxcrypt/blob/v4.4.25/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a071bec0a0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-3770: vim is vulnerable to Heap-based Buffer Overflow
- Update hash of README.txt due to changes not related to license:
f2a44e5c4889a9c159f2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c3198cd414)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-3634: A flaw has been found in libssh in versions prior to
0.9.6. The SSH protocol keeps track of two shared secrets during the
lifetime of the session. One of them is called secret_hash and the other
session_id. Initially, both of them are the same, but after key
re-exchange, previous session_id is kept and used as an input to new
secret_hash. Historically, both of these buffers had shared length
variable, which worked as long as these buffers were same. But the key
re-exchange operation can also change the key exchange method, which can
be based on hash of different size, eventually creating "secret_hash" of
different size than the session_id has. This becomes an issue when the
session_id memory is zeroed or when it is used again during second key
re-exchange.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 88cb451446)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop patches (already in version)
- Fix some more denial of service (compute time or stack exhaustion)
counter-measures added that avoid minutes of decoding time with
malformed files found by OSS-Fuzz
https://github.com/libexif/libexif/releases/tag/v0.6.23
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e2f8050976)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
protobuf moved from the google org to protocolbuffers in 2018.
There is a redirect but we should use the official url.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 107103ef91)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a7864c4ff4)
[Peter: drop 5.13.x / 5.14.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openjdk needs host gcc >= 4.9 since bump to version 16.0.1+9 in commit
057e27029c and
2a8f92e7e7:
configure: Using gcc BuildC compiler version 4.8.5 [cc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)]
configure: Using gcc BuildC++ compiler version 4.8.5 [g++ (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)]
configure: Using gcc build linker version 2.27 [GNU ld version 2.27-44.base.el7]
[...]
g++: error: unrecognized command line option '-std=c++14'
Add a dependency on host gcc >= 4.9 for the OpenJDK 16 version only, so
that users can still use OpenJDK 11 on older distributions.
Fixes:
- http://autobuild.buildroot.org/results/7072308d148ccb8237180729551df65c87a76f11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: limit the dependency to OpenJDK 16]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0e5a1f7757)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Force relative file path resolution of DEVELOPERS file entries to use
forward-slash separators since pattern matching assumes forward slashes.
This is to help permit uses invoking `get-developers` on Platforms where
`os.sep` may not be a forward slash.
Signed-off-by: James Knight <james.d.knight@live.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit eb75d71b80)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix MKIMAGE_ARCH handling to avoid the following build failure:
/home/buildroot/autobuild/instance-0/output-1/build/host-uboot-tools-2021.07/tools/mkimage -C none -A openrisc -T script -d /home/buildroot/autobuild/instance-0/output-1/boot_script.txt /home/buildroot/autobuild/instance-0/output-1/build/host-uboot-tools-2021.07/tools/boot.scr
Invalid architecture, supported are:
alpha Alpha
arc ARC
arm ARM
arm64 AArch64
avr32 AVR32
blackfin Blackfin
ia64 IA64
invalid Invalid ARCH
m68k M68K
microblaze MicroBlaze
mips MIPS
mips64 MIPS 64 Bit
nds32 NDS32
nios2 NIOS II
or1k OpenRISC 1000
powerpc PowerPC
riscv RISC-V
s390 IBM S390
sandbox Sandbox
sh SuperH
sparc SPARC
sparc64 SPARC 64 Bit
x86 Intel x86
x86_64 AMD x86_64
xtensa Xtensa
Strangely enough, we only have autobuilder failures since July 2021 even
as or1k has been used since the addition of openriscv support in 2012:
3ddcaccda3
For x86_64, we incorrectly mangle it to x86.
Finally, the comment about mips64 is wrong: mips64 *is* a valid
archtecture, and we anyway had no code to tweak that case.
Fixes:
- http://autobuild.buildroot.org/results/c3f0f2a3fb87d74bfdaccf9b94c66f0b5bae7520
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: extend commit log for mips64 and x86_64]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5e8804d4e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following static build failure on musl which is raised because
the "Check for directory libraries" in configure wrongly adds -DNO_DIR
when no directory library is needed:
/tmp/instance-0/output-1/host/bin/arm-buildroot-linux-musleabihf-gcc -c -D_FILE_OFFSET_BITS=64 -O2 -g0 -static -I. -DUNIX -DUIDGID_NOT_16BIT -DBZIP2_SUPPORT -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT -DNO_MKTIME -DNO_DIR -DHAVE_DIRENT_H -DHAVE_TERMIOS_H unix/unix.c
unix/unix.c:70:14: error: conflicting types for 'DIR'
70 | typedef FILE DIR;
| ^~~
Fixes:
- http://autobuild.buildroot.org/results/83a6e0c8c4ad026cb0261246e3b1a80d754454bd
Patch not sent upstream since upstream is dead.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ea0a4c610d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
environment-setup uses BASH_SOURCE which is bash specific. For other
shells, this variable is empty, leading to an error message and empty
SDK_PATH.
Zsh Uses $0. Unfortunately POSIX is not specifying how exactly $0
should behave when in sourced (or using special dot utility). So other
shell support have to be implemented in different manner.
Signed-off-by: Krzysztof Kanas <kkanas@fastmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 65cee90cc3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the website depends on the webserver being enabled we should
add a config option for it and make the website depend on that.
We should also ensure that the mongoose(webserver) config is present.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 25b0645aa4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This needs to be set properly so that services work correctly.
Enable disable automatically based on BR2_PACKAGE_SYSTEMD state.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 85062dcefc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This ensures all tools/libraries will be properly installed.
Update SWUPDATE_BUILD_CMDS param ordering for consistency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 08de8f500e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The swupdate services do not depend on
BR2_PACKAGE_SWUPDATE_INSTALL_WEBSITE, so install them unconditionally.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit cbeaef0f95)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In buildroot, stripping for the target is configured and implemented
with the global `BR2_STRIP_strip` option that drive the stripping in
the target-finalize step.
So, we explicitly disable stripping at build time for swupdate.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1833c710ce)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
alsa unconditionally uses seq since version 0.2.90 and
818fb9e904
which will result in the following build failure since commit
a6d88d3ba5e30e11f4d726f341bc56c1be7c71c9:
In file included from ../spa/plugins/alsa/alsa-seq-bridge.c:44:
../spa/plugins/alsa/alsa-seq.h:71:2: error: unknown type name 'snd_seq_addr_t'
71 | snd_seq_addr_t addr;
| ^~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/65e3a9185b3b84ad78cd05f788f741b8734d2bbc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6409ea4c22)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The URL pointing to phytec.de is obsolete and not even used by
Buildroot.
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fde22d8c77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sox also provides one or more libraries with headers, so also install
sox to staging.
Signed-off-by: Adrian Amaglio <nainformatique@gresille.org>
[Giulio: reword commit log]
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
- further refine commit log
- move assignment in a more sensible location
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b6ff11fd9d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gr-pager (labeled 'gr-flex' in our menuconfig) is not available since
bump to version 3.8.0.0 in commit 0d6a7b2981 (package/gnuradio: bump
to version 3.8.0.0) and upstream commit:
2d2caa205f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5045cab63d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-40346: An integer overflow exists in HAProxy 2.0 through 2.5 in
the htx_add_header() can be exploited to perform an HTTP request smuggling
attack, allowing an attacker to bypass all configured http-request HAProxy
ACLs and possibly other ACLs.
For more details, see the advisory:
https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/4d48694dd5c19ddfc2bdc9639bf26c3182678639/
Git-style patches with renames are not supported by apply-patches.sh on
stable, so regenerate the patch with --no-renames. The header file has
changed post-1.17.2, so rebase the patch on the release to fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip
package, as well as bug fixes to the archive/zip, go/internal/gccgoimporter,
html/template, net/http, and runtime/pprof packages.
https://golang.org/doc/devel/release#go1.16.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1279d2b132)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Explicitly indicate the file encoding to UTF-8 for the DEVELOPERS
document. This prevents Unicode decoding errors when printing E-Mail
entries with Unicode characters on systems using an alternative default
encoding (e.g. 'CP1252').
This corrects the following observed error:
$ ./utils/get-developers outgoing/*
Traceback (most recent call last):
File "utils\get-developers", line 105, in <module>
__main__()
File "utils\get-developers", line 47, in __main__
devs = getdeveloperlib.parse_developers()
File "...\buildroot\utils\getdeveloperlib.py", line 239, in parse_developers
for line in f:
File "...\Python<ver>\lib\encodings\cp1252.py", line 23, in decode
return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x81 in position 6659: character maps to <undefined>
Signed-off-by: James Knight <james.d.knight@live.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9f127cc420)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mosquitto 2.0.12 is a security and bugfix release, notably:
* Fix possible DoS in the broker with MQTTv5
* Fix CVE-2020-13849
* Fix CVE-2021-34434
Read the full announcement on
https://mosquitto.org/blog/2021/08/version-2-0-12-released/
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d333eab3f0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build with python 2 is broken since bump to version 0.22.0 in commit
0adb141d342707ca9a478f57f187e38d5bb716f2:
error: File "/usr/lib/python2.7/site-packages/pyudev/_ctypeslib/utils.py", line 54
lib = cdll.LoadLibrary(f'lib{name}.so')
^
SyntaxError: invalid syntax
Fixes:
- http://autobuild.buildroot.org/results/8b35ca6910dfd881953968f8d88ac842d57c9262
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 57aa6e718f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following uclibc build failure raised since at least bump to
version 0.11.0 in commit 0bc9c89612cc1f41f9a64f6e889f8bcd8a871e30:
In file included from ../include/wlr/types/wlr_data_device.h:13,
from ../types/data_device/wlr_drag.c:7:
../include/wlr/types/wlr_seat.h:221:18: error: field 'last_event' has incomplete type
221 | struct timespec last_event;
| ^~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/3501ceb4290638b2f6d70aaa4d8ce74feec3a525
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit 301502b7f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure on riscv32:
In file included from thread/qmutex_linux.cpp:45,
from thread/qmutex.cpp:804:
thread/qfutex_p.h: In function 'int QtLinuxFutex::_q_futex(int*, int, int, quintptr, int*, int)':
thread/qfutex_p.h:116:30: error: '__NR_futex' was not declared in this scope; did you mean '_q_futex'?
116 | int result = syscall(__NR_futex, addr, op | FUTEX_PRIVATE_FLAG, val, val2, addr2, val3);
| ^~~~~~~~~~
| _q_futex
Fixes:
- http://autobuild.buildroot.org/results/ffedfc000029072d5d724e98ab4551fe973658ce
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit 050be3ad35)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The configure script fails to detect libpcap in static build because it
does not take into account the libnl dependency on link. As a result the
configure script silently disables mausezahn build even when
BR2_PACKAGE_NETSNIFF_NG_MAUSEZAHN is enabled. Add upstream patch to use
pkg-config for libpcap link flags.
Cc: Joris Lijssens <joris.lijssens@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de39a17f71)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to
avoid a potential race condition.
- bpo-41180: Add auditing events to the marshal module, and stop raising
code.__init__ events for every unmarshalled code object. Directly
instantiated code objects will continue to raise an event, and audit event
handlers should inspect or collect the raw marshal data. This reduces a
significant performance overhead when loading from .pyc files.
- bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to
get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This
copy is most used on Windows and macOS.
- bpo-43124: Made the internal putcmd function in smtplib sanitize input for
presence of \r and \n characters to avoid (unlikely) command injection.
https://www.python.org/downloads/release/python-397/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c8bf903e7a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with fortran raised since bump to
version 4.0.0 in commit 366e7f1ecb and
99730f798b:
checking size of Fortran type(test_mpi_handle)... (cached) 4
checking alignment of Fortran type(test_mpi_handle)... configure: error: Can not determine alignment of type(test_mpi_handle) when cross-compiling
Fixes:
- http://autobuild.buildroot.org/results/86ffde2f67ffc0bfaeebe72fe742a5c241bc580b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fc7eaf3bee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Though several cross-compilation patches exist in buildroot's nginx
package dir they do not seem to address endianness.
The test program generated by the configure script compiles but fails
to run (as it is built for another architecture) but the script does
not distinguish between the failure to run the program and an
indication of certain endianness. As such the fallback of big-endian
is used. This setting then causes http2 headers (anything not in the
static dictionary) to come out as undecipherable trash on 64bit
targets (see ngx_http_v2_huff_encode_buf()).
This commit includes a patch to the configure script to allow a
`--force-endianness=big|little` flag as well as setting that flag in
buildroot's package makefile.
Signed-off-by: Nevo Hed <nhed+buildroot@starry.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e205b5ec18)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2ee1063136)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://sourceforge.net/p/fetchmail/mailman/message/37333073/
"It contains the security fix for CVE-2021-36386 of 6.4.20, and fixes
a regression/a bug that causes log message truncation/run-together
prominently visible with --logfile that was introduced into 6.4.20."
Updated note for CVE-2021-36386:
https://sourceforge.net/p/fetchmail/mailman/message/37333078/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b8a1d969b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes of this bugfix release:
https://www.samba.org/samba/history/samba-4.14.7.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 630e85f8f5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with nodejs raised since bump to version
12.22.5 in commit 7038b029d8c8774eca6d7888d6642d7e84ff5165:
../src/cares_wrap.cc:42:11: fatal error: ares_nameser.h: No such file or directory
42 | # include <ares_nameser.h>
| ^~~~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/a0f867d5e765fc1aa052de5e53ed350b3b20743f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a9ca15cf92)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- NodeJS passes NULL for addr and 0 for addrlen to
ares_parse_ptr_reply() on systems where malloc(0) returns NULL. This
would cause a crash.
- If ares_getaddrinfo() was terminated by an ares_destroy(), it would
cause a crash
- Crash in sortaddrinfo() if the list size equals 0 due to an unexpected
DNS response
- Expand number of escaped characters in DNS replies as per RFC1035 5.1
to prevent spoofing follow-up
- Perform validation on hostnames to prevent possible XSS due to
applications not performing valiation themselves
https://c-ares.haxx.se/changelog.html#1_17_2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6be5219c41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit 39d334faa5 (package/pkg-qmake: add <pkg>_SYNC_QT_HEADERS
support), the qmake-package infra recognises said variable but the
manual has the wrong variable name, which is missing the "_QT" part.
We fix that by amending the manual to document the proper variable name.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ac2db5eb2e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix build of xen with 64 bites time_t:
/tmp/instance-0/output-1/build/xen-4.14.2/tools/qemu-xen/hw/input/virtio-input-host.c: In function 'virtio_input_host_handle_status':
/tmp/instance-0/output-1/build/xen-4.14.2/tools/qemu-xen/hw/input/virtio-input-host.c:198:28: error: 'struct input_event' has no member named 'time'
198 | if (gettimeofday(&evdev.time, NULL)) {
| ^
Fixes:
- http://autobuild.buildroot.org/results/136ce42f44bf48d3db4eda7b1548bf7ac1b97d51
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7ba9967287)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This version bump is needed to pass the ATF test with
hardening option enabled (-fstack-protector-strong)
With the version v2.2, ATF fail due to undefined references:
./build/juno/release/bl2u/arm_tzc400.o: In function `arm_tzc400_setup':
arm_tzc400.c:(.text.arm_tzc400_setup+0x10): undefined reference to `__stack_chk_guard'
arm_tzc400.c:(.text.arm_tzc400_setup+0x18): undefined reference to `__stack_chk_guard'
arm_tzc400.c:(.text.arm_tzc400_setup+0xb8): undefined reference to `__stack_chk_guard'
arm_tzc400.c:(.text.arm_tzc400_setup+0xcc): undefined reference to `__stack_chk_fail'
Since commit ccac9a5bbb, Buildroot no
longer forces ENABLE_STACK_PROTECTOR. However, we rely on the ATF build
system to handle it correctly, and this wasn't the case in v2.2.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/1524842591
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e5494f1fac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When BR2_REPRODUCIBLE is set and host-coreutils needs to be built, the
fakedate script installed to 'host/bin/date' will be overwritten by
host-coreutils.
Besides, we do not need our host-coreutils for 'date' at all; we really
rely on the host system to provide it.
Unconditionally disable installing the 'date' binary in host-coreutils.
Note that we explicitly request only ln and realpath to be installed,
but the coreutils buildsystem does not strictly obey to that, as was
already noticed in 885e6fdb8a (package/coreutils: introduce a host
variant), which added that comment above HOST_COREUTILS_CONF_OPTS:
# Explicitly install ln and realpath, which we *are* insterested in.
# A lot of other programs still get installed, however, but disabling
# them does not gain much at build time, and is a loooong list that is
# difficult to maintain...
So, we also update that comment to explain why we still anyway disable
installation of 'date'.
Signed-off-by: Conrad Ratschan <conrad.ratschan@collins.com>
[yann.morin.1998@free.fr:
- unconditionally disable installing date
- extend comment and commit log to explain why we need
--enable-no-install-program=date despite the existing
--enable-install-program=ln,realpath
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bdf7929109)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build fails since bump to version 3.1.7 in commit
011f31ee24 because config.h.in is older
than aclocal.m4:
make[1]: Entering directory '/tmp/instance-4/output-1/build/ipmiutil-3.1.7'
(CDPATH="${ZSH_VERSION+.}:" && cd . && autoheader)
/bin/bash: autoheader: command not found
Fixes:
- http://autobuild.buildroot.org/results/2005af881726473f2cda176e90c1e41e4baea67c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5f9d65fb46)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure without /usr/bin/msgfmt raised since the
addition of ushare in commit 74097fd659154499612f21fabeda4e3e7c8fdbfc:
make[3]: Entering directory `/home/buildroot/autobuild/run/instance-3/output-1/build/ushare-2.1/po'
/usr/bin/msgfmt -c --statistics -o fr.gmo fr.po
make[3]: /usr/bin/msgfmt: Command not found
To fix this build failure, set GMSGFMT to $(HOST_DIR)/bin/msgfmt and
don't build po files if NLS is disabled
Fixes:
- http://autobuild.buildroot.org/results/9f6b5b8f38386135bacd2d8f6e97c1fea77bbe69
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c4e1a07510)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gcc 10.x is now used by default but the kernel 4.18.10 used by
pc_x86_64_{efi,bios}_defconfig doesn't build with it.
Bump the kernel to 4.19.204 release that contains a lot of
fixes for newer gcc.
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/1525741062https://gitlab.com/kubu93/buildroot/-/jobs/1525741060
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 206c098f78)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Previously, alsa-plugins would not work if alsa-utils was installed
after it. This happened because:
1. alsa-plugins copies some files $(TARGET_DIR)/usr/share/alsa/alsa.conf.d
2. alsa-utils removes these files during installation ( rm -rf $(TARGET_DIR)/usr/share/alsa/;)
The `rm -rf` command was originally added as part of the fix for
https://bugs.buildroot.org/show_bug.cgi?id=1573 11 years ago.
The intention might have been to allow for unconfiguring some options
and then rebuilding alsa-utils. However, this is a scenario that does
not work anyway.
The simplest fix for the `alsa-plugins` compatibility issue appears to
be to remove the `rm -rf` command.
Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 3454bc9924)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Maxime has not been contributing to Buildroot for several years, so it
doesn't make sense to keep him in the DEVELOPERS file and make us
think that those packages are being maintained and to Cc: him on
patches affecting those packages.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit a29124febf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-36976: libarchive 3.4.1 through 3.5.1 has a use-after-free
in copy_string (called from do_uncompress_block and process_block).
https://github.com/libarchive/libarchive/releases/tag/v3.5.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit a223dd4aef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Find libxcryt through pkg-config to avoid the following build failure:
/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/riscv64-buildroot-linux-musl/10.2.0/../../../../riscv64-buildroot-linux-musl/bin/ld: .libs/passverify.o: in function `.L30':
passverify.c:(.text+0x368): undefined reference to `crypt_checksalt'
Fixes:
- http://autobuild.buildroot.org/results/20b14e222b35c2d1269960075832b784ba81aa1a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2962697039)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add libxcrypt optional dependency and fix the following build failure
with libxcrypt and uclibc-ng raised since the addition of libxcrypt in
commit 464bbe26ff5fb9e5bfe26a26ea65c700b90598f5:
/home/buildroot/autobuild/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabihf/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabihf/bin/ld: unix_chkpwd-passverify.o: in function `verify_pwd_hash':
passverify.c:(.text+0xab4): undefined reference to `crypt_checksalt'
Fixes:
- http://autobuild.buildroot.org/results/65d68b7c9c7de1c7cb0f941ff9982f93a49a56f8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit fc16e06f28)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gcc 10.x is now used by default but the kernel 4.19 used by
test_docker_compose doesn't build with it.
Bump the kernel to 4.19.204 release that contains a lot of
fixes for newer gcc.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5d60e07e27)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gcc bug 99140 has been fixed on gcc 8.x but reappeared on gcc 9.x while
it's been fixed on gcc 10.x+. So let's update
BR2_TOOLCHAIN_HAS_GCC_BUG_99140 accordingly.
Fixes:
http://autobuild.buildroot.net/results/c55/c55f50a8d657695f0d5492c32efa666254cd7f99/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fe4e06d317)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package has -fPIC gcc option set by default but we can't use it on
m68k_cf since it doesn't support it throwing a gcc build failure. So let's
disable it by passing -fno-PIC.
Fixes:
http://autobuild.buildroot.net/results/b92980a563fe7ee331e70f288ce041be0bf29d40/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 2a48a6ee9d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure on riscv32:
../src/util/futex.h: In function 'sys_futex':
../src/util/futex.h:39:19: error: 'SYS_futex' undeclared (first use in this function); did you mean 'sys_futex'?
39 | return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
| ^~~~~~~~~
| sys_futex
Fixes:
- http://autobuild.buildroot.org/results/692700a5f967760a0b8cd358b1712f1d5a7b681e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 3298e67ac6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build with kmsdrm is broken since bump to version 2.0.14 in commit
5e0da5c40d. Indeed, first patch was
already applied in this version:
9354aea198
but upstream made other changes that requires EGL so add an upstream
patch to fix the build failure
Moreover, run autogen.sh instead of autoreconf as it breaks the build
and is not recommended by upstream:
https://github.com/libsdl-org/SDL/pull/4214
Fixes:
- http://autobuild.buildroot.org/results/355c7e5092e7641d8b04ecb550e2671d70720bd2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: add dependency on host-autoconf]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 9aae755440)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
kmsdrm needs GBM (and so mesa3d) since its addition in version 2.0.6:
56363ebf61
If libgbm is not found, kmsdrm will be silently disabled
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5bb4e281c0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported by Toolchain-builder project [1], the microblaze glibc
toolchain creates a system that doesn't boot when FORTIFY_SOURCE is
enabled: the init process hangs.
Also, hardening features may not be wanted or possible for such
slow soft-core cpus [2].
Note: for completeness, BR2_RELRO_PARTIAL was manually tested and it
does boot.
[1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
[2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 2e94aeed1a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
GNU cpio through 2.13 allows attackers to execute arbitrary code via a
crafted pattern file, because of a dstring.c ds_fgetstr integer overflow
that triggers an out-of-bounds heap write. NOTE: it is unclear whether
there are common cases where the pattern file, associated with the -E
option, is untrusted data.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 89857df2d1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps Linux CIP RT to version 4.19.198-cip54-rt21
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 835ea5b94c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps Linux CIP to version 4.19.198-cip54.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 595209da93)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 46b8fb7500 indeed if
libressl is selected as the openssl provider, the BR2_PACKAGE_OPENSSL
conditition will always be used and the BR2_PACKAGE_LIBRESSL condition
will never be triggered. Moreover, libressl provides a pkg-config file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit da4d8fc407)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-39240: An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3
before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme
and path portions of a URI have the expected characters. For example, the
authority field (as observed on a target HTTP/2 server) might differ from
what the routing rules were intended to achieve.
- CVE-2021-39241: An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2
before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method
name may contain a space followed by the name of a protected resource. It
is possible that a server would interpret this as a request for that
protected resource, such as in the "GET /admin? HTTP/1.1 /static/images
HTTP/1.1" example.
- CVE-2021-39242: An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3
before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an
attacker-controlled HTTP Host header, because a mismatch between Host and
authority is mishandled.
For more details, see the advisory:
https://www.mail-archive.com/haproxy@formilux.org/msg41041.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since I've dealt and deal with toolchain bugs and their work-around
very often add myself to toolchain topic(toolchain/) as well as
package/binutils and package/gcc.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8d0fcab128)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The language detection is falling back to the host system
Fortran compiler. An example of this is in RHEL7.9
(gcc4.8.5 20150623 (Red Hat 4.8.5-44)).
This patch bypasses detection and points to the location
where the compiler would be installed (if present). In the
cases where it doesn't exist, the detection falls through
and leaves Fortran disabled.
Fixes:
http://autobuild.buildroot.net/results/8354da225d1e5e337aa7ea62a7e6524fb5f1135f/
Signed-off-by: Matthew Weber <matthew.weber@collins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9f59154245)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The user shouldn't see the comment on the python2 menu.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bf0b9048f2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The user shouldn't view the comment on the python2 menu.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6a932714d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add TARGET_NLS_DEPENDENCIES and host-gettext dependency to avoid the
following build failure in a per-package-directorie build with
host-cairo raised because fontconfig installs its ITS files in the wrong
directory (i.e. outside of gettext-tiny symlink):
mkdir -p /tmp/instance-0/output-1/per-package/host-cairo/host
rsync -a --link-dest=/tmp/instance-0/output-1/per-package/host-fontconfig/host/ /tmp/instance-0/output-1/per-package/host-fontconfig/host/ /tmp/instance-0/output-1/per-package/host-cairo/host
rsync -a --link-dest=/tmp/instance-0/output-1/per-package/host-freetype/host/ /tmp/instance-0/output-1/per-package/host-freetype/host/ /tmp/instance-0/output-1/per-package/host-cairo/host
rsync -a --link-dest=/tmp/instance-0/output-1/per-package/host-libglib2/host/ /tmp/instance-0/output-1/per-package/host-libglib2/host/ /tmp/instance-0/output-1/per-package/host-cairo/host
cannot delete non-empty directory: share/gettext
could not make way for new symlink: share/gettext
This only happens with per-package directories because then the rsync is
done. Otherwise the fontconfig installation will simply follow the
symlink.
The error of course exists for target as well, but doesn't occur in
autobuilders since it already fails for host.
Fixes:
- http://autobuild.buildroot.org/results/00e29958cecfffa4e994ab549637117dd8f55c30
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 93351fa0b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build fails because of the following circular dependency:
fontconfig -> util-linux -> udev -> systemd -> polkit ->
gobject-introspection -> cairo -> fontconfig
which results in the following build failure:
checking for UUID... no
checking where uuid functions comes from... configure: error:
*** uuid is required. install util-linux.
To break it, apply the same ugly workaround that was applied for
libglib2 and cryptsetup until a better solution is found:
https://patchwork.ozlabs.org/project/buildroot/patch/20201101150619.1709959-1-fontaine.fabrice@gmail.com/
Fixes:
- http://autobuild.buildroot.org/results/2c6ef073e7e98e13daa409e1ea6130e9abd32c87
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit eb05822259)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
commit f79a420825 (package/busybox/udhcpc.script: support RFC3442
static routes) used 'set --' clobbering the positional arguments, causing
the action argument to not be correctly forwarded to hook scripts for the
renew / bound cases if static routes are provided by the server.
As a workaround, save the action argument at the beginning of the script and
use that when calling hook scripts.
Reported-by: 王琦 <wangwangqi2011@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 94c41eef61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update LIBARGTABLE2_VERSION to reflect what is used by
https://release-monitoring.org
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5a3d1f34bc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update IOZONE_VERSION to reflect what is used by
https://release-monitoring.org
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1e75050bbb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3.34.1 is the version used by https://release-monitoring.org as well as
NVD NIST database so add SQLITE_TAR_VERSION and drop
SQLITE_CPE_ID_VERSION
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3943b6f003)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The release contains a bugfix to fix the make install of the python
module after build changes introduced in this release RC1.
This release contains a number of bug fixes. There is a crash fix for
broken internal structures in stream reuse, that is used when many TCP
or TLS upstream connections are made. Also a number of features are added.
https://github.com/NLnetLabs/unbound/releases/tag/release-1.13.2
Signed-off-by: Kyle Harding <kyle@balena.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit aaad2ab8e3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.16.7 (released 2021-08-05) includes a security fix to the
net/http/httputil package, as well as bug fixes to the compiler, the
linker, the runtime, the go command, and the net/http package.
https://golang.org/doc/devel/release#go1.16
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 825eec010c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sven has privately asked to no longer receive notifications related to
this package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 829ecf7d79)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD)
through 2.3.2 allows remote attackers to cause a denial of service
(out-of-bounds read) via a crafted TGA file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0eebfba388)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
textview_uri_security_check in textview.c in Claws Mail before 3.18.0,
and Sylpheed through 3.7.0, does not have sufficient link checks before
accepting a click.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 634dcbd50d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This affects the package jszip before 3.7.0. Crafting a new zip file
with filenames set to Object prototype values (e.g __proto__, toString,
etc) results in a returned object with a modified prototype instance.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 921830e92d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pass crypto_backend option to avoid the following build failure raised
since bump to version 0.72 in commit
cd1d56bcde and
86a1274534:
/tmp/instance-7/output-1/per-package/perl-net-ssh2/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: cannot find -lssl
/tmp/instance-7/output-1/per-package/perl-net-ssh2/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: cannot find -lcrypto
Fixes:
- http://autobuild.buildroot.org/results/25747ec239e0b92775aa883e4f531f77d45f352e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3d8ce1975f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failures on arc and riscv32:
latency.c: In function 'display':
latency.c:326:21: error: format '%ld' expects argument of type 'long int', but argument 2 has type 'time_t' {aka 'long long int'} [-Werror=format=]
326 | ("RTT| %.2ld:%.2ld:%.2ld (%s, %Ld us period, "
| ~~~~^
| |
| long int
| %.2lld
327 | "priority %d)\n", dt / 3600,
| ~~~~~~~~~
| |
| time_t {aka long long int}
altency.c: In function ‘display’:
altency.c:262:21: error: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘time_t’ {aka ‘long long int’} [-Werror=format=]
262 | ("RTT| %.2ld:%.2ld:%.2ld (%s, %Ld us period, "
| ~~~~^
| |
| long int
| %.2lld
263 | "priority %d)\n", dt / 3600,
| ~~~~~~~~~
| |
| time_t {aka long long int}
Fixes:
- http://autobuild.buildroot.org/results/448efe22e8fe058a1b354a3c124874e30b9ce138
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 74196b7d05)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-latomic was added to extralibs to fix static build of ffmpeg in commit
fc8798197b. However, extralibs is not
added to libavformat.pc resulting in the following static build failure
of motion:
/home/buildroot/autobuild/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: /home/buildroot/autobuild/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libavformat.a(fifo.o): in function `fifo_init':
/home/buildroot/autobuild/instance-1/output-1/build/ffmpeg-4.4/libavformat/fifo.c:519: undefined reference to `__atomic_store_8'
So add a patch to add extralibs (and so -latomic) to all pkg-config
files
Fixes:
- http://autobuild.buildroot.org/results/62ec618e40081a250b8129ec6f5a178eb06fba1d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f30bd1eb69)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure on musl raised since bump to version
3.0.9 in commit 28b4947ed8f53c4edfbf8fef9304dc76480c01ca:
In file included from /tmp/instance-5/output-1/build/bullet-3.09/src/LinearMath/btScalar.h:289,
from /tmp/instance-5/output-1/build/bullet-3.09/src/LinearMath/btVector3.h:19,
from /tmp/instance-5/output-1/build/bullet-3.09/src/LinearMath/btConvexHullComputer.h:18,
from /tmp/instance-5/output-1/build/bullet-3.09/Extras/VHACD/src/VHACD.cpp:28:
/tmp/instance-5/output-1/build/bullet-3.09/Extras/BulletRobotics/../../Extras/VHACD/inc/vhacdMutex.h: In constructor 'VHACD::Mutex::Mutex()':
/tmp/instance-5/output-1/build/bullet-3.09/Extras/BulletRobotics/../../Extras/VHACD/inc/vhacdMutex.h:97:54: error: 'PTHREAD_MUTEX_RECURSIVE_NP' was not declared in this scope; did you mean 'PTHREAD_MUTEX_RECURSIVE'?
97 | VHACD_VERIFY(pthread_mutexattr_settype(&mutexAttr, PTHREAD_MUTEX_RECURSIVE_NP) == 0);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/79cd2024b3dfc8d3e896cdacf67fb891df81ca6e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 05442cd784)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure on musl raised since the addition of the
package in commit eb91fa730c5d92202c38514345e86315e138944c:
/tmp/instance-1/output-1/build/ogre-1.12.0/OgreMain/src/OgreStringConverter.cpp: In static member function 'static bool Ogre::StringConverter::parse(const String&, Ogre::int32&)':
/tmp/instance-1/output-1/build/ogre-1.12.0/OgreMain/src/OgreStringConverter.cpp:253:22: error: 'strtol_l' was not declared in this scope; did you mean 'strtold_l'?
253 | ret = (int32)strtol_l(val.c_str(), &end, 0, _numLocale);
| ^~~~~~~~
| strtold_l
Fixes:
- http://autobuild.buildroot.org/results/491f89e45610a7752c0700ac02b80a92b7876ec3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 84333281cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
qt5declarative builds qmltyperegistrar for the host as part of its build
process.
When building qt target packages (which is the case for qt5declarative),
-spec devices/linux-buildroot-g++ is passed to qmake in QT5_QMAKE
variable and this spec currently has -latomic in its LIBS.
This -latomic makes it to the build of the host build of
qmltyperegistrar which is not useful.
This was discovered on Fedora 34 where libatomic is not pulled with gcc
package, therefore was missing on the host machine.
This makes sure that -latomic is not added for host build of qt
packages.
Fixes: 7d286be4f9 ("package/qt5base: link with -latomic when needed")
Cc: Quentin Schulz <foss@0leil.net>
Suggested-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2d991fd7b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 5f432df7e2 ("boot/arm-trusted-firmware: change
ENABLE_STACK_PROTECTOR value when disabled") set
ENABLE_STACK_PROTECTOR=0 when disabled. But since we pass this value as
MAKE_OPT, the internal ATF logic that sets ENABLE_STACK_PROTECTOR again
based on its initial value breaks. This leads to build failure:
make[1]: *** [/builds/buildroot.org/buildroot/output/build/arm-trusted-firmware-v2.4/build/a80x0_mcbin/release/libc/assert.o] Error 1
aarch64-buildroot-linux-uclibc-gcc.br_real: error: unrecognized command-line option ‘-fstack-protector-0’; did you mean ‘-fstack-protector’?
Move ENABLE_STACK_PROTECTOR to make environment instead to allow make to
change its value.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1497663294
Cc: Dick Olsson <hi@senzilla.io>
Cc: Sergey Matyukevich <geomatsi@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ccac9a5bbb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit
cf176128ec ("boot/arm-trusted-firmware:
add SSP option"), we are passing ENABLE_STACK_PROTECTOR=none when we
want to disable SSP usage in TF-A. While this works fine in recent
versions of TF-A, older versions such as TF-A will end up passing
-fstack-protector-none in this situation, which fails as this is not a
valid gcc option (the valid gcc option is -fno-stack-protector).
To solve this, we pass ENABLE_STACK_PROTECTOR=0 which was in older
TF-A versions used to say "don't do anything with SSP", and is also
still supported in newer versions of TF-A.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1478738580
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5f432df7e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the folllowing build failure with uclibc-ng which is raised since
bump to version 1.34 in commit 27fffea6db7358af20f5a3a8faa174d3b782d61f:
In file included from ./sys/random.h:40,
from getrandom.c:22:
/tmp/instance-0/output-1/per-package/tar/host/x86_64-buildroot-linux-uclibc/sysroot/usr/include/sys/random.h:27:35: error: unknown type name 'size_t'
27 | extern int getrandom(void *__buf, size_t count, unsigned int flags)
| ^~~~~~
/tmp/instance-0/output-1/per-package/tar/host/x86_64-buildroot-linux-uclibc/sysroot/usr/include/sys/random.h:8:1: note: 'size_t' is defined in header '<stddef.h>'; did you forget to '#include <stddef.h>'?
7 | #include <features.h>
+++ |+#include <stddef.h>
8 |
Fixes:
- http://autobuild.buildroot.org/results/f40e09d621ab5ba66dd97138dec174acfb7fda2a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2e16ecfa99)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Correct RUBY_VERSION_EXT after commit be9783951d (package/ruby: security
bump to version 3.0.1):
ls output/target/usr/lib/ruby/
3.0.0 site_ruby vendor_ruby
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 73e570a290)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
- CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
- CVE-2021-31799: A command injection vulnerability in RDoc
For more details, see the announcement:
https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c91e82b25f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js is vulnerable to a use after free attack where an attacker might
be able to exploit the memory corruption, to change process behavior.
Drop 0002-Fix-build-with-ICU-68.patch as this is now fixed upstream since
https://github.com/nodejs/node/commit/e459c79b02
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca92d31cff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2021-33574: The mq_notify function has a potential use-after-free
issue when using a notification type of SIGEV_THREAD and a thread
attribute with a non-default affinity mask.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Includes fixes for the recent "Sequoia" seq_file vulnerability
(CVE-2021-33909):
https://lwn.net/Articles/863729/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 79e230178b)
[Peter: drop 5.13.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure on riscv32:
system/base/target.scm:132:16: In procedure triplet-pointer-size:
unknown CPU word size "riscv32"
Fixes:
- http://autobuild.buildroot.org/results/6705630c1484239ec8b73d57ebc2e2570fbfc8f8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 55f1afe6db)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig needs wchar, thread debugging, and udev support to be
able to use all the packages it enables.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1478738516
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 28803d38e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since bump to version 0.22.3 in commit b6576a458c (package/mpd: bump
to version 0.22.3), mpd needs gcc >= 8, as documented in their manual
[0], to avoid the following build failure with gcc 7.3.1:
/tmp/instance-7/output-1/host/opt/ext-toolchain/aarch64-linux-gnu/include/c++/7.3.1/bits/stl_tree.h:2091:28: error: no matching function for call to 'std::_Rb_tree<std::__cxx11::basic_string<char>, std::pair<const std::__cxx11::basic_string<char>, std::__cxx11::basic_string<char> >, std::_Select1st<std::pair<const std::__cxx11::basic_string<char>, std::__cxx11::basic_string<char> > >, std::less<std::__cxx11::basic_string<char> >, std::allocator<std::pair<const std::__cxx11::basic_string<char>, std::__cxx11::basic_string<char> > > >::_M_get_insert_unique_pos(std::pair<std::basic_string_view<char>, std::basic_string_view<char> >::first_type&)'
= _M_get_insert_unique_pos(_KeyOfValue()(__v));
~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/4888d99404cc4273349ab036035c5ff7e086b83e
[0] https://mpd.readthedocs.io/en/stable/user.html#compiling-from-source)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: reword commit log to reference the manual]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8f7d7d9d86)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gobject-introspection is an optional dependency (enabled by default)
since the addition of the package in commit
ea64e05a1b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cb340dfbdc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gobject-introspection is an optional dependency (enabled by default)
since version 1.26.0 and
2aa0badc79
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit af34a67be6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The pixman package exhibits gcc bug 101737 when built for the SH4
architecture with optimization enabled, which causes a build failure.
As done for other packages in Buildroot work around this gcc bug by
setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_101737=y.
Also let's add PIXMAN_CFLAGS and pass the Codesourcery work around CFLAGS
to it for consistency like we do for the rest of the packages.
Fixes:
http://autobuild.buildroot.net/results/b20/b20869bbb48edb1f0a847ea9e2e1a0462d6350be/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit a8a9b12766)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Highly parallel host-python3 builds sometimes fail with:
Exception in thread Thread-1:
Traceback (most recent call last):
File "/tmp/instance-3/output-1/host/lib/python3.9/threading.py", line 973, in _bootstrap_inner
self.run()
File "/tmp/instance-3/output-1/host/lib/python3.9/concurrent/futures/process.py", line 317, in run
result_item, is_broken, cause = self.wait_result_broken_or_wakeup()
File "/tmp/instance-3/output-1/host/lib/python3.9/concurrent/futures/process.py", line 376, in wait_result_broken_or_wakeup
worker_sentinels = [p.sentinel for p in self.processes.values()]
File "/tmp/instance-3/output-1/host/lib/python3.9/concurrent/futures/process.py", line 376, in <listcomp>
worker_sentinels = [p.sentinel for p in self.processes.values()]
RuntimeError: dictionary changed size during iteration
During the compile_all.py step of host-python3. This issue is reported
upstream at https://bugs.python.org/issue43498, and while not yet
fixed upstream, a PR was proposed with a possible fix for it. Seems
the PR seems reasonable, let's give it a chance and see if it improves
the situation.
Hopefully Fixes:
http://autobuild.buildroot.net/results/ae6c4ab292589a4e4442dfb0a1286349a9bf4d29/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e17946b409)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
xlib_libxshmfence unconditionally uses SYS_futex which raises the
following build failure on riscv32:
xshmfence_futex.h:58:17: error: 'SYS_futex' undeclared (first use in this function); did you mean 'sys_futex'?
58 | return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
| ^~~~~~~~~
| sys_futex
Fixes:
- http://autobuild.buildroot.org/results/b3523e35fde0fac04b96a6278cbc6ffdfe56f7d1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e39ad96136)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer
overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and
Pl_AES_PDF::finish) when a certain downstream write fails.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 96865f02d4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Replace libjson by jsoncpp for C++ dependency which was wrongly added
by commit 74fc60a267
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f23129ee1e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure raised since bump to version 3.4.7 in
commit bb75c4b541fac144b53b63248e235f22ba1d25ad:
/tmp/instance-5/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/9.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: ui/qt/CMakeFiles/qtui.dir/sequence_diagram.cpp.o: undefined reference to symbol '__atomic_compare_exchange_4@@LIBATOMIC_1.0'
/tmp/instance-5/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/9.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: /tmp/instance-5/output-1/host/sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line
Fixes:
- http://autobuild.buildroot.org/results/6617ee0e0046a0452a1515b89e9c704b1c125ec4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0344be5299)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Change sources location from bintray to github since bintray doesn't
work anymore.
Use commit hash for version instead of git tag to avoid breaking
existing source caches.
Signed-off-by: Daniil Stas <daniil.stas@posteo.net>
Cc: Baruch Siach <baruch@tkos.co.il>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7332bc6eb0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
GCC 11 defaults to C++17. Fix the following build failure with gcc 11:
In file included from _internal/Source/JSONDefs.h:12,
from _internal/Source/JSONDebug.h:4,
from _internal/Source/JSONNode.h:4,
from _internal/Source/JSONNode.cpp:1:
_internal/Source/JSONDefs/GNU_C.h:58:28: error: ISO C++17 does not allow dynamic exception specifications
58 | #define json_throws(x) throw(x)
| ^~~~~
Fixes:
- http://autobuild.buildroot.org/results/1e66dff705bbb38e7e0f0e5864ce794b4345dcc6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ff55c323af)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build with libmaxminddb is broken since bump to version 3.0.5 in commit
464d0be380 because of
785958f9b5
So revert this commit until upstream answer to comment to
https://github.com/SpiderLabs/ModSecurity/issues/2131
Reverting this commit requires autoreconfiguring, which itself causes
lots of warnings as configure.ac queries git to know the version of
various parts of libmodsecurity. However, it turns out that those
versions are only used to be displayed in the output of the configure
script, which is quite useless. The only one that is referenced
elsewhere is LIBINJECTION_VERSION, but it's in fact a different thing:
it is defined by others/libinjection/src/libinjection_sqli.c.
The only variable that was AC_SUBST() and therefore visible elsewhere
was MSC_GIT_VERSION, but it is not used anywhere in the code base,
except in the configure script itself.
Note that one patch is 0001 and the other 0003, because there was
already a 0002 patch.
Fixes:
- http://autobuild.buildroot.org/results/4c639fd967faa06f8ae362bacd38f3409c47267c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 94b6fbd582)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use pkg-config to find numa to avoid the following build failure when
checking for numa_available:
configure:9667: checking for numa_available in -lnuma
configure:9692: /tmp/instance-7/output-1/host/bin/microblazeel-linux-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -static -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -static conftest.c -lnuma >&5
/tmp/instance-7/output-1/host/opt/ext-toolchain/bin/../lib/gcc/microblazeel-buildroot-linux-uclibc/9.3.0/../../../../microblazeel-buildroot-linux-uclibc/bin/ld: /tmp/instance-7/output-1/host/microblazeel-buildroot-linux-uclibc/sysroot/usr/lib/libnuma.a(libnuma.o): in function `numa_node_to_cpus_v1':
(.text+0x2a80): undefined reference to `__atomic_fetch_and_1'
/tmp/instance-7/output-1/host/opt/ext-toolchain/bin/../lib/gcc/microblazeel-buildroot-linux-uclibc/9.3.0/../../../../microblazeel-buildroot-linux-uclibc/bin/ld: /tmp/instance-7/output-1/host/microblazeel-buildroot-linux-uclibc/sysroot/usr/lib/libnuma.a(libnuma.o): in function `numa_node_to_cpus_v2':
(.text+0x2ddc): undefined reference to `__atomic_fetch_and_1'
collect2: error: ld returned 1 exit status
Fixes:
- http://autobuild.buildroot.org/results/577a63432fba2f9ae1ed2c6c2a77c5ce54ac5521
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 3be90cd5b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
GCC 11 defaults to C++17. Fix the following build failure with gcc 11:
In file included from details/shared-ptr/base.cxx:5:
../odb/details/shared-ptr/base.hxx:38:49: error: ISO C++17 does not allow dynamic exception specifications
38 | operator new (std::size_t, odb::details::share) throw (std::bad_alloc);
| ^~~~~
Fixes:
- http://autobuild.buildroot.org/results/cfd5f92f0aa923815edba5fbfcd5b7b312d9d40e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 69d2d1d91e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with gcc 11:
In file included from ../include/loki/SmartPtr.h:33,
from SmartPtr.cpp:20:
../include/loki/SmallObj.h: At global scope:
../include/loki/SmallObj.h:462:57: error: ISO C++17 does not allow dynamic exception specifications
462 | static void * operator new ( std::size_t size ) throw ( std::bad_alloc )
|
Fixes:
- http://autobuild.buildroot.org/results/768727160beaca5df3ef18be29cfbaa3ced67ad5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0239ea5615)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-22235: Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6
and 3.2.0 to 3.2.14 allows denial of service via packet injection or
crafted capture file
https://www.wireshark.org/security/wnpa-sec-2021-06.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bb75c4b541)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- [High] OCSP verification issue when response is for a certificate with
no relation to the chain in question BUT that response contains the
NoCheck extension which effectively disables ALL verification of that
one cert.
- [Low] OCSP request/response verification issue. In the case that the
serial number in the OCSP request differs from the serial number in
the OCSP response the error from the comparison was not resulting in a
failed verification.
- [Low] CVE-2021-24116: Side-Channel cache look up vulnerability in
base64 PEM decoding for versions of wolfSSL 4.5.0 and earlier.
Versions 4.6.0 and up contain a fix and do not need to be updated for
this report.
https://github.com/wolfSSL/wolfssl/blob/v4.8.1-stable/ChangeLog.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6427f12bba)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with gcc 11:
In file included from ../../ibrdtn/data/PrimaryBlock.h:30,
from ../../ibrdtn/data/Serializer.h:27,
from ../../ibrdtn/data/Block.h:29,
from ../../ibrdtn/data/Bundle.h:27,
from ../../ibrdtn/api/Client.h:26,
from Client.cpp:22:
/tmp/instance-0/output-1/host/bin/../arm-buildroot-linux-gnueabihf/sysroot/usr/include/ibrcommon-1.0/ibrcommon/thread/Mutex.h:43:40: error: ISO C++17 does not allow dynamic exception specifications
43 | virtual void trylock() throw (MutexException) = 0;
| ^~~~~
Fixes:
- http://autobuild.buildroot.org/results/c2d9033c68b5c1407d2cf87b98dff61958b8e7b6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 581687e34b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with gcc 11:
In file included from ../../ibrcommon/data/BLOB.h:25,
from BLOB.cpp:22:
../../ibrcommon/thread/Mutex.h:43:40: error: ISO C++17 does not allow dynamic exception specifications
43 | virtual void trylock() throw (MutexException) = 0;
| ^~~~~
Fixes:
- http://autobuild.buildroot.org/results/7a9a4319916efe8cd7e04b8686a9ae0b233b017a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 867e7a040c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
01.org url is permission denied. There seems to be no project page
anymore. Use kernel.org repo with cleaner https url.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 88556ef3b4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
These minor releases include a security fix according to the new security policy (#44918).
crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
in a privileged network position without access to the server certificate's private key, as long as a trusted
ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
This is CVE-2021-34558.
View the release notes for more information:
https://golang.org/doc/devel/release.html#go1.16.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 806b26950d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
fail2ban is a daemon to ban hosts that cause multiple authentication
errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0
through 0.11.2, there is a vulnerability that leads to possible remote
code execution in the mailing action mail-whois. Command `mail` from
mailutils package used in mail actions like `mail-whois` can execute
command if unescaped sequences (`\n~`) are available in "foreign" input
(for instance in whois output). To exploit the vulnerability, an
attacker would need to insert malicious characters into the response
sent by the whois server, either via a MITM attack or by taking over a
whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a
workaround, one may avoid the usage of action `mail-whois` or patch the
vulnerability manually.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6a7decee50)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
code.bulix.org no longer exists, suggest paste.ack.tf instead, as an
example.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0a954d4412)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8e789e96bb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The project URL is 404. Link to github instead.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1431dbf9b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Starting with nmap 7.91, ncat segfaults on an attempt to use it for a
Unix-domain socket (`ncat -U path`). The fix has been committed to nmap
in r38121.
Signed-off-by: Alexey Neyman <stilor@att.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2f99483a59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit e43c050944 introduced two flake8
errors:
utils/scanpypi:300:26: E231 missing whitespace after ','
utils/scanpypi:302:9: F841 local variable 'setup' is assigned to but never used
The first one is easily fixed. The second one needs a little bit of
explanation. Before commit e43c0509, the return value of
imp.load_module() was used to be able to explicitly call the 'setup'
function in it in case the metadata was not populated. Since that
commit, calling that function is no longer needed, since setup.py is
executed in exactly the same way as when it's run from the command line,
so if that doesn't work, it's completely broken anyway. Therefore, we
can simply discard the return value of imp.load_module().
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f982f70434)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix a denial of service attack against the KDC encrypted challenge
code [CVE-2021-36222].
- Fix a memory leak when gss_inquire_cred() is called without a
credential handle.
- Update indentation in hash file (two spaces)
- Update hash of NOTICE (update in year:
9cbfdf65e1)
https://web.mit.edu/kerberos/krb5-1.18/krb5-1.18.4.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b65220f566)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In case the setup.py file of a python package does not directly call the
'setup' method, utils/scanpypi was hoping there be a 'main' function which
would do the work, normally called via a construct like:
if __name__ == '__main__':
main()
However, this construct is nonstandard, and there are packages in PyPI which
call 'setup()' directly from the 'if' statement, without a main() method.
But scanpypi does not actually need to make such assumption: when loading
the module, it can decide the name to be '__main__', just as if setup.py
would be loaded interactively.
Additionally, remove some logic seemingly related to the previous trick of
calling 'main'. There should not be a problem in keeping already loaded
modules in sys.modules, as this is the purpose of sys.modules.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e43c050944)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Even though the directory containing a package's setup.py was added to
sys.path, some setup.py implementations rely on the fact that it is placed
in sys.path[0].
An example package is 'cram' which failed to be added with scanpypi:
Traceback (most recent call last):
File "utils/scanpypi", line 756, in <module>
main()
File "utils/scanpypi", line 703, in main
package.load_setup()
File "utils/scanpypi", line 303, in load_setup
setup = imp.load_module('setup', s_file, s_path, s_desc)
File "/usr/lib/python3.8/imp.py", line 234, in load_module
return load_source(name, filename, file)
File "/usr/lib/python3.8/imp.py", line 171, in load_source
module = _load(spec)
File "<frozen importlib._bootstrap>", line 702, in _load
File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 783, in exec_module
File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
File "/tmp/scanpypi-2pzc5wb_/python-cram/cram-0.7/setup.py", line 44, in <module>
long_description=long_description(),
File "/tmp/scanpypi-2pzc5wb_/python-cram/cram-0.7/setup.py", line 20, in long_description
return open(os.path.join(sys.path[0], 'README.rst')).read()
FileNotFoundError: [Errno 2] No such file or directory: '.../buildroot/utils/README.rst'
The corresponding code from cram's setup.py is:
def long_description():
"""Get the long description from the README"""
return open(os.path.join(sys.path[0], 'README.rst')).read()
Indeed, the Python documentation says:
https://docs.python.org/3.8/library/sys.html#sys.path
"...
As initialized upon program startup, the first item of this list,
path[0], is the directory containing the script that was used to invoke
the Python interpreter.
..."
Fix this by inserting explicitly at index 0 instead of appending to
sys.path.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ad042904f4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
host-flex is needed to avoid the following build failure since bump to
version 4.14.3 in commit 7df2611e9e due to
942c0d2128
Checking for flex
Checking for program 'flex' : not found
Embedded Heimdal build requires flex but it was not found. Install flex or use --with-system-mitkrb5 or --with-system-heimdalkrb5
Fixes:
- http://autobuild.buildroot.org/results/b9ed8be51a0eef77d6e48755861ae266c3b9f811
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0ba7a0fd52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream patches to fix the following build failure with suricata
raised since bump to version 6.0.3 in commit
4c429c3f8c
checking for libnetfilter_log/libnetfilter_log.h... no
configure: error: libnetfilter_log.h not found ...
Fixes:
- http://autobuild.buildroot.org/results/0b960f40b5d7e4bb0c4ba20638fe66a9e0964ab3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3529c0c3f5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Include upstream patch to fix build failure with suricata raised since
bump to version 6.0.3 in commit 4c429c3f8c
Fixes:
- http://autobuild.buildroot.org/results/0b960f40b5d7e4bb0c4ba20638fe66a9e0964ab3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2ce779f918)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 54edfa0c92)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When enabling Python 3 support in gdb < 10, gdb segfaults at startup.
The issue is was resolved by the following upstream gdb commit,
present since gdb 10.1:
commit c47bae859a5af0d95224d90000df0e529f7c5aa0
Author: Kevin Buettner <kevinb@redhat.com>
Date: Wed May 27 20:05:40 2020 -0700
Fix Python3.9 related runtime problems
[...]
This commit backports this fix to all relevant gdb versions supported
in Buildroot.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5609c63f0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- overwrite cross-compiled mariadb_config executable (used from the
mysql_config script) by a native/host compiled one
Fixes (qt5base configure):
Trying source 0 (type mysqlConfig) of library mysql ...
+ .../host/aarch64-buildroot-linux-gnu/sysroot/usr/bin/mysql_config --version
> .../host/aarch64-buildroot-linux-gnu/sysroot/usr/bin/mysql_config: line 100: \
.../host/aarch64-buildroot-linux-gnu/sysroot/usr/bin/mariadb_config: cannot execute binary file: Exec format error
with
$ file host/aarch64-buildroot-linux-gnu/sysroot/usr/bin/mariadb_config
host/aarch64-buildroot-linux-gnu/sysroot/usr/bin/mariadb_config: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 5.10.0, with debug_info, not stripped
Reported-by: Scott Bartolett <SBartolett@thorlabs.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 11b4552d8a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- rebase 001-add-extra-check-for-librt.patch
- for changelog see [1], [2]
Fixes:
CMake Error at libmariadb/cmake/ConnectorName.cmake:30 (ENDMACRO):
Flow control statements are not properly nested.
Call Stack (most recent call first):
libmariadb/CMakeLists.txt:423 (INCLUDE)
[1] https://mariadb.com/kb/en/mariadb-10329-changelog/
[2] https://mariadb.com/kb/en/mariadb-10330-changelog/
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3dae174e7e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported by Toolchain-builder project [1], the system doesn't
boot when PIC/PIE is enabled for glibc based toolchain (the init
process hang).
Also, hardening features may not be wanted or possible for such
slow soft-core cpus [2].
Like for NiosII, disable BR2_PIC_PIE.
[1] https://gitlab.com/bootlin/toolchains-builder/-/pipelines/318038406
[2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d120f84460)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The nios2 architecture is already excluded from PIC/PIE due to issues,
and we're going to also exclude Microblaze, so let's introduce a
BR2_PIC_PIE_ARCH_SUPPORTS hidden boolean to facilitate adding this new
architecture exclusion.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 70dd4bd156)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some external packages call pg_config to determine the installed
PostgreSQL cflags_sl option. Add this output to Buildroots own
pg_config, so these packages correctly compile.
Default value is defined at src/template/linux as:
Extra CFLAGS for code that will go into a shared library
CFLAGS_SL="-fPIC"
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ed4cfbb773)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-paramiko has a dependency on C++ support, which was added in
commit 2d7b73cf75 in 2016.
When python-pysftp was added in commit
3b920487ba in 2020, this C++ dependency
was not propagated, even though python-pysftp selects python-paramiko.
This commit fixes this issue by propagating the dependency, which
fixes this warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_PARAMIKO
Depends on [n]: (BR2_PACKAGE_PYTHON [=n] || BR2_PACKAGE_PYTHON3 [=y]) && BR2_PACKAGE_PYTHON3 [=y] && BR2_INSTALL_LIBSTDCPP [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_PYSFTP [=y] && (BR2_PACKAGE_PYTHON [=n] || BR2_PACKAGE_PYTHON3 [=y]) && BR2_PACKAGE_PYTHON3 [=y]
That occurs with configuration with C++ disabled, but python-pysftp
enabled.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8d1a72866a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch replace matchpathcon calls in the auditd init script by
calls to selabel_lookup. Indeed, matchpathcon is now deprecated, and
this causes warning during the boot process.
Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 90dd1d6178)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Polkit source does not come with non-systemd init script. Add one that is
modeled after package/busybox/S01syslogd.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 82712c5862)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
host-python3 is needed to avoid the following build failure since bump
to version 6.12.0.90 in commit 4be06fa8aa
and
0f47ea5d80:
checking for a Python interpreter with version >= 3.2... none
configure: error: no suitable Python interpreter found
Fixes:
- http://autobuild.buildroot.org/results/6a185e69fe8e123ba26c26b69091d001656693c7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 285eb82395)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes of this bugfix release:
https://www.samba.org/samba/history/samba-4.14.5.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 145133a6f5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for chrony is added by the services/chronyd module in the
SELinux refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6d4c9437c6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for clamav is added by the services/clamav module in the SELinux
refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c70f31b6ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for boinc is added by the services/boinc module in the SELinux
refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit aa460c23dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gobject-introspection is an optional dependency (which is enabled by
default) since at least version 219 and
43a593b5b4
Fixes:
- http://autobuild.buildroot.org/results/3bedc9fa3b14939825fb9cdebc6977057c3f6118
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 99278e5208)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog ([1]):
- Abyss: fix bug: wild memory reference when server times out waiting for
request header. Introduced with Release 1.44 (December 2015).
[1] http://xmlrpc-c.sourceforge.net/change_super_stable.html
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0e22d2101e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for bind is added by the services/bind module in the SELinux
refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c7fd40c7d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for apache is added by the services/apache module in the
SELinux refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bd91d7826e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for tor is added by the services/tor module in the SELinux
refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1f9090b6b4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for avahi is added by the services/avahi module in the SELinux
refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 952c42e3e7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for dnsmasq is added by the services/dnsmasq module in the
SELinux refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 68d886c4ea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for bird is added by the services/bird module in the SELinux
refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 459d725db0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The configure script uses pkg-config to detect the location of
tmpfiles.d but imposes an unspecified ordering dependency with systemd.
Instead of relying on systemd being built before cryptsetup, set the
directory path explcitly, and ensure it is not set when systemd-tmpfiles
is disabled.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a2e93a802c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Link with TARGET_NLS_LIBS if needed to avoid the following build
failure:
/home/buildroot/autobuild/run/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/xtensa-buildroot-linux-uclibc/9.3.0/../../../../xtensa-buildroot-linux-uclibc/bin/ld: lib/libgranite.so.5.4.0.p/meson-generated_Application.c.o: in function `_vala_array_free.constprop.0':
Application.c:(.text+0x340): undefined reference to `libintl_bindtextdomain'
Fixes:
- http://autobuild.buildroot.org/results/d754cb776a1e11031cef4e66d45619aad5c4575d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 82a5ffca28)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove duplicated entries for brcmfmac4366b-pcie.bin and
brcmfmac4366c-pcie.bin (present since addition with
commit ca6e3f4b90)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1ba6a30905)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e5db5a472e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Do not include the build date when creating reproducible builds.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 083b48194f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
opus dependency is handled twice since commit
f33f7a4f64
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 929c977afb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-20201: A flaw was found in spice in versions before
0.14.92. A DoS tool might make it easier for remote attackers to cause a
denial of service (CPU consumption) by performing many renegotiations
within a single connection.
https://gitlab.freedesktop.org/spice/spice/-/tags/v0.15.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b784f1bc0f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e93cf29a70)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch is not needed since bump to version 1.7 in commit
6274f41913 and
94e9a082d7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f6461f6fc8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
comment message for gqrx is always displayed. This is due to an invert
dependency: GQRX depends on !BR2_STATIC_LIBS so comment must depends
on BR2_STATIC_LIBS.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d9512b08a4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add patches to fix building on hosts that provide gcc version < 5
(i.e. 4.9), otherwise they fail due to missing default '-std=gnu11' option
on variable declaration inside for loops.
The patch is pending upstream:
https://sourceware.org/pipermail/binutils/2021-June/116884.html
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 747e2eed88)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
One of the files have CRLF line endings, which have been lost in the
process, causing build issues. Also, we update the upstream status of
the patch.
Fixes:
http://autobuild.buildroot.net/results/31744f8476819c725f8c0024529515bb8059582d/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a6a1810711)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build without SSP fails since bump to version 0.27.4 in commit
bcace42942
This is due to the fact that
bbe0b70840
removed the wrong GCC_ prefix from HAS_FSTACK_PROTECTOR_STRONG variable
Fixes:
- http://autobuild.buildroot.org/results/ae4635899124c602c70d2b342a76f95c34aa4a3d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b18d9d6191)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE so that files are actually concatenated
as described in the help text.
Signed-off-by: Mirza Kapetanovic <mirza.kapetanovic@gmail.com>
Reviewed-by: Matthew Weber <matthew.weber@collins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d8f5a017b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add missing stdarg.h include for va_list/va_start/va_end.
Fixes:
- http://autobuild.buildroot.net/results/88f4ea971875b1a5eb88662326d9343341eaaea2
microtek.c: In function ‘MDBG_INIT’:
microtek.c:163:3: error: unknown type name ‘va_list’
163 | va_list ap;
| ^~~~~~~
microtek.c:78:1: note: ‘va_list’ is defined in header ‘<stdarg.h>’; did you forget to ‘#include <stdarg.h>’?
77 | #include "microtek.h"
+++ |+#include <stdarg.h>
78 |
microtek.c:164:3: warning: implicit declaration of function ‘va_start’; did you mean ‘sane_start’? [-Wimplicit-function-declaration]
164 | va_start(ap, format);
| ^~~~~~~~
| sane_start
microtek.c:165:54: warning: passing argument 4 of ‘vsnprintf’ makes pointer from integer without a cast [-Wint-conversion]
165 | vsnprintf(_mdebug_string, MAX_MDBG_LENGTH, format, ap);
| ^~
| |
| int
In file included from ../include/sane/sanei_config.h:50,
from microtek.c:70:
.../host/x86_64-buildroot-linux-uclibc/sysroot/usr/include/stdio.h:359:57: note: expected ‘__va_list_tag *’ but argument is of type ‘int’
359 | const char *__restrict __format, __gnuc_va_list __arg)
| ~~~~~~~~~~~~~~~^~~~~
microtek.c:166:3: warning: implicit declaration of function ‘va_end’ [-Wimplicit-function-declaration]
166 | va_end(ap);
| ^~~~~~
and
sm3600-scanutil.c: In function ‘debug_printf’:
sm3600-scanutil.c:69:3: error: unknown type name ‘va_list’
69 | va_list ap;
| ^~~~~~~
sm3600-scanutil.c:48:1: note: ‘va_list’ is defined in header ‘<stdarg.h>’; did you forget to ‘#include <stdarg.h>’?
47 | #include "sm3600-scantool.h"
+++ |+#include <stdarg.h>
48 |
sm3600-scanutil.c:75:3: warning: implicit declaration of function ‘va_start’; did you mean ‘sane_start’? [-Wimplicit-function-decla
ration]
75 | va_start(ap,szFormat);
| ^~~~~~~~
| sane_start
sm3600-scanutil.c:76:28: warning: passing argument 3 of ‘vfprintf’ makes pointer from integer without a cast [-Wint-conversion]
76 | vfprintf(stderr,szFormat,ap);
| ^~
| |
| int
In file included from ../include/sane/sanei_config.h:50,
from sm3600.c:70:
.../host/x86_64-buildroot-linux-uclibc/sysroot/usr/include/stdio.h:339:23: note: expected ‘__va_list_tag *’ but argument is of type
‘int’
339 | __gnuc_va_list __arg);
| ~~~~~~~~~~~~~~~^~~~~
In file included from sm3600.c:94:
sm3600-scanutil.c:77:3: warning: implicit declaration of function ‘va_end’ [-Wimplicit-function-declaration]
77 | va_end(ap);
| ^~~~~~
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7bb4f886ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2016-4983 is an issue in a postinstall script in the dovecot rpm,
which is part of the Red Hat packaging and not part of upstream dovecot
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 948e71689a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2019-15513 was fixed upstream in 2015 with commit
19e29ffc15dbd958e8e6a648ee0982c68353516f, which is older than the commit
we currently use in LIBUCI_VERSION.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: reword comment and commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 46273a8eb9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 2eaa6d0f36 (boot/uboot: fix uboot building host tools on x86
architecture) added use of $(PKG_CONFIG_HOST_BINARY), but forgot to add
the corresponding build-ordr dependency.
Add this missing depenency now.
Additionally, the associated test had an explicit host pkgconf enbled in
its configuration. This is superfluous now that uboot properly depends
on host-pkgconf, so drop that from the test.
Note: it hapenned to work, because host-pkgconf, when explicitly enabled
in the configuration, and without per-package directories, would build
before uboot and thus be available. This would fail with PPD, though,
and thus would break for TLPB.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0edfec1e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The make all command run the tools/makefile on the process.
This makefile use "pkg-config" command to support static link.
The issue is the use of pkg-config configured for crosscompiling
to build binaries tools for host architecture.
To fix it, I add pkg-config environment variable to configure it for host.
Add a test to avoid future regress on the build of U-boot.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[yann.morin.1998@free.fr:
- fix mixed space-TAB indentation
- fix check-package
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2eaa6d0f36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Avahi 0.8 allows a local denial of service (NULL pointer dereference and
daemon crash) against avahi-daemon via the D-Bus interface or a "ping
.local" command.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit dd7b9fa02b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
PuTTY through 0.75 proceeds with establishing an SSH session even if it
has never sent a substantive authentication response. This makes it
easier for an attacker-controlled SSH server to present a later spoofed
authentication prompt (that the attacker can use to capture credential
data, and use that data for purposes that are undesired by the client
user).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1352b59eb2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 56b28d3ee1 (mpg123: bump to version 1.13.1) added the
--disable-lfs-alias option, without explaining why it was needed.
However, this causes undefined references for apps that want to link
against mpg123.
The help for that option is pretty explicit that this is a dangerous
option to use:
disable alias wrappers for largefile bitness (mpg123_seek_32 or
mpg123_seek_64 in addition to mpg123_seek, or the other way around;
It is a mess, do not play with this!)
The default is that it is enabled, so leave it at it.
Signed-off-by: Bruno Marie <gameblabla@protonmail.com>
[yann.morin.1998@free.fr: rework commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 49e436f482)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gobject-introspection is an optional dependency which is enabled by
default since version 0.1.8 and
0388646bdb
Fixes:
- http://autobuild.buildroot.org/results/1cba7aa233e19472a69ffc2d8f7324d363a22deb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit aade2fd293)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Various security, performance, accuracy and stability issues have been
fixed, including a critical evasion assigned CVE-2021-35063.
https://forum.suricata.io/t/suricata-6-0-3-and-5-0-7-released/1489
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4c429c3f8c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes the following CVEs:
- CVE-2021-3570 linuxptp: missing length check of forwarded messages
- CVE-2021-3571 linuxptp: wrong length of one-step follow-up in transparent clock
See mailing list post for details: https://sourceforge.net/p/linuxptp/mailman/message/37315519/
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a7f3dc0a02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-33503: An issue was discovered in urllib3 before 1.26.5.
When provided with a URL containing many @ characters in the authority
component, the authority regular expression exhibits catastrophic
backtracking, causing a denial of service if a URL were passed as a
parameter or redirected to via an HTTP redirect.
https://github.com/urllib3/urllib3/blob/1.26.6/CHANGES.rst
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56a105f9fb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build is broken with gcc 10 since bump to version 2.0.22 in commit
cadb8f2f317bf37c13aea98ac1c81bf8566aad92:
/tmp/instance-1/output-1/host/lib/gcc/powerpc-buildroot-linux-uclibc/10.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld: kexec/arch/ppc/kexec-elf-ppc.o:(.sbss+0x0): multiple definition of `ramdisk'; kexec/arch/ppc/kexec-ppc.o:(.sbss+0x0): first defined here
Fixes:
- http://autobuild.buildroot.org/results/22932529f925630ec6db3c6a4eaebbda68b3fc16
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 487c7ba95d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We have a chicken and egg problem: validation of DNSSEC signatures
doesn't work without a correct clock, but to set the correct clock we
need to contact NTP servers which requires resolving a hostname, which
would normally require DNSSEC validation.
Let's break the cycle by excluding NTP hostname resolution from
validation for now.
Details:
abf4e5c1d3
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c2db53caca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When building openal we were seeing the assert failure:
/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/9.3.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: CMakeFiles/OpenAL.dir/al/source.cpp.o:
pc-relative relocation against dynamic symbol alSourcePausev
/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/9.3.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: CMakeFiles/OpenAL.dir/al/source.cpp.o:
pc-relative relocation against dynamic symbol alSourceStopv
/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/9.3.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: CMakeFiles/OpenAL.dir/al/source.cpp.o:
pc-relative relocation against dynamic symbol alSourceRewindv
/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/or1k-buildroot-linux-uclibc/9.3.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: CMakeFiles/OpenAL.dir/al/source.cpp.o:
pc-relative relocation against dynamic symbol alSourcePlayv
collect2: error: ld returned 1 exit status
So add patches to fix this binutils assert link failure on OpenRisc.
It's been suggested upstream and it's pending here:
https://sourceware.org/pipermail/binutils/2021-July/117334.html
Fixes:
http://autobuild.buildroot.net/results/c96/c96f2600f227d6c76114b9fbc41f74a57e40415a/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e3b3432fc0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
================================================================================
Redis 6.2.5 Released Wed Jul 21 16:32:19 IDT 2021
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues that affect
authenticated client connections on 32-bit versions. MODERATE otherwise.
Fix integer overflow in BITFIELD on 32-bit versions (CVE-2021-32761).
An integer overflow bug in Redis version 2.2 or newer can be exploited using the
BITFIELD command to corrupt the heap and potentially result with remote code
execution.
See https://github.com/redis/redis/blob/6.2.5/00-RELEASENOTES
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f4b1cda061)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release. For details, see the NEWS file:
https://github.com/GNOME/gtk/blob/3.24.29/NEWS
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 767ed6b72e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release. For details, see the NEWS file:
https://github.com/GNOME/pango/blob/1.48.7/NEWS
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 98caa3077b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release. From NEWS:
This is bugfix release, fixing bugs that could make the RSA
decryption functions crash on invalid inputs.
Upgrading to the new version is strongly recommended. For
applications that want to support older versions of Nettle,
the bug can be worked around by adding a check that the RSA
ciphertext is in the range 0 < ciphertext < n, before
attempting to decrypt it.
https://lists.gnu.org/archive/html/info-gnu/2021-06/msg00002.html
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2e5cb51680)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop unneeded select on pcre which has been added by commit
d35873ab0c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4f2629973a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following static build failure with nginx raised since bump of
libmodsecurity to version 3.0.5 in commit
464d0be380c84ac7c3f1684e49153c3868280d7e:
/home/buildroot/autobuild/instance-2/output-1/host/lib/gcc/xtensa-buildroot-linux-uclibc/10.3.0/../../../../xtensa-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/instance-2/output-1/host/bin/../xtensa-buildroot-linux-uclibc/sysroot/usr/lib/libmodsecurity.a(libmodsecurity_la-transaction.o): in function `std::basic_streambuf<char, std::char_traits<char> >::sbumpc() [clone .isra.0]':
transaction.cc:(.text+0x40): undefined reference to `std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose()'
Fixes:
- http://autobuild.buildroot.org/results/e5a9eb8448980f1c5cafe97180b7d1f48ddf02ca
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 489cbfd7df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security Impacting Issues
Handle URI received with uri-fragment
[@martinhsv]
- Drop patches (already in version) and so drop autoreconf
- Static linking is supported since
f76a1a667b
- Update indentation in hash file (two spaces)
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 464d0be380)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop AC_CHECK_FILE workaround as it is not needed since version 3.0.4:
8af8cad907
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 82f5293d73)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Unfortunately, this e-mail is boucing:
<ycardaillac@sepro-group.com>: host
seprogroup-com01c.mail.protection.outlook.com[104.47.9.36] said: 550 5.4.1
Recipient address rejected: Access denied. AS(201806281)
[VE1EUR03FT036.eop-EUR03.prod.protection.outlook.com] (in reply to RCPT TO
command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
And remove myself from freescale related parts
Signed-off-by: André Zwing <nerv@dawncrow.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix CVE-2020-13949: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC
clients could send short messages which would result in a large memory
allocation, potentially leading to denial of service.
- Disable javascript and nodejs which have been added with
61d502075b
- Update hash of LICENSE, license for windows-specific files added:
98854c4874https://github.com/apache/thrift/blob/v0.14.1/CHANGES.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7ecbb956e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
WITH_QT4 has been dropped since version 0.13.0 and
1735542542
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5675f09e58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
host-e2fsprogs package overwrites the fsck program and some
manpages previously installed by host-util-linux package.
This patch simply disables fsck in host-e2fsprogs.
host-e2fsprogs is used to build final ext{2,3,4} images.
The missing host-e2fsprogs fsck tool (filesystem integrity check
tool) in HOST_DIR should not lead to issues.
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7b7c8cc672)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some packages such as python-idna has a LICENSE.md file:
https://github.com/kjd/idna/blob/master/LICENSE.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 60aa896904)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0f01b69885)
[Peter: drop rename as berkeleydb patch not in branch]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4899d9ec1b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix some clang issues due to illegal pointers, thanks to Stefan Weil.
- Fix memory leak caught by oss-fuzz, thanks to Dmitry Baryshkov.
- Fix bugs unveiled by Static Analysis, reported by Simo Sorce.
- LICENSE has been renamed to COPYING since
a72a8d1ef1https://gitlab.com/gnutls/libtasn1/-/blob/v4.17.0/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b36ad03063)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-33560: Libgcrypt before 1.8.8 and 1.9.x before 1.9.3
mishandles ElGamal encryption because it lacks exponent blinding to
address a side-channel attack against mpi_powm, and the window size is
not chosen appropriately. (There is also an interoperability problem
because the selection of the k integer value does not properly consider
the differences between basic ElGamal encryption and generalized ElGamal
encryption.) This, for example, affects use of ElGamal in OpenPGP.
https://dev.gnupg.org/T5305
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 878b57ca3b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2021-3565: A flaw was found in tpm2-tools in versions before 5.1.1
and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper,
potentially allowing a MITM attacker to unwrap the inner portion and reveal
the key being imported. The highest threat from this vulnerability is to
data confidentiality.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop patch (already in version)
- Use --disable-tests which is available since
7e2c1e6ac1https://github.com/hyperrealm/libconfig/releases/tag/v1.7.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1b4aa6442a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When grub2 (i386-pc) is built with -O2 or -O3 it is unable to boot
and the system will reboot in a loop.
Tony Battersby has bisected [0] the error down to this security bugfix:
boot/grub2/0132-kern-parser-Fix-a-stack-buffer-overflow.patch
There is also a bug report by Peter Seiderer about this [1].
As discussed on the mailing list [2], this patch introduces a workaround
in the grub2.mk overriding the global optimization settings with -Os
which results in a booting system.
References:
[0] https://savannah.gnu.org/bugs/?60458
[1] https://bugs.busybox.net/show_bug.cgi?id=13586
[2] http://lists.busybox.net/pipermail/buildroot/2021-May/311524.html
Signed-off-by: Andreas Hilse <andreas.hilse@googlemail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7cb51d4843)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Besides libFLAC, also build libFLAC++ when C++ support is enabled.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4937dda893)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python2 contains a bundled copy of libffi which is currently out of sync with
the latest libffi release. There is an option to use a system libffi, buildroot
already uses it for the target python2 build and for python3. In python3, the
bundled copy doesn't exist anymore and the system-provided libffi is required.
The bundled copy currently fails to build on aarch64 host due to a missing
definition of AARCH64_CALL_CONTEXT_SIZE. This define was removed from the
headers in recent libffi releases and the host compiler might be including the
system headers before the bundled headers.
To solve this and since buildroot already relies on system libffi for target
python2 and python3 anyway, switch host python2 to use system libffi.
Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b31f7bc958)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot sets appropriate ENABLE_STACK_PROTECTOR build flag value based
on the toolchain global BR2_SSP_* options, and all packages are built
with that setting.
However it might not be always convenient to automatically infer TF-A
stack protection from the toolchain features. For instance, secure
memory constraints may become an issue and all the extra TF-A features
need to be tuned or disabled in order to shrink TF-A firmware image.
Besides, for any value other than "none", TF-A platform specific hook
'plat_get_stack_protector_canary' must be implemented. However this hook
is not implemented by all the platforms supported by TF-A. For instance,
Allwinner currently does not provide such a hook.
Add an new option that a user can toggle to enable or disable SSP in
their ATF build. If enabled, the SSP level is automatically inherited
from the global setting.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
[yann.morin.1998@free.fr: simplify logic with a single boolean]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit cf176128ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The build of gesftserver in an environment without Python fails with:
checking for Python 2.4 or better... configure: error: cannot find Python 2.4 or better
However, it turns out that Python is only needed for tests, which we
don't run/use in Buildroot, so we can safely build gesftpserver
without Python.
Signed-off-by: Andreas Naumann <anaumann@ultratronik.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 422fd73fad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is to make sure that host packages that depend on `host-gawk` and that use
`awk` end up using `gawk`, instead of the `awk` symlink installed on the host
system.
On recent Debian-based distributions, `awk` is still symlinked to `mawk` [1].
[1] https://bugs.launchpad.net/ubuntu/+source/mawk/+bug/1841654
Signed-off-by: Hubert Lacote <hubert.lacote@youview.com>
Co-authored-by: Hubert Lacote <hubert.lacote@youview.com>
Co-authored-by: Vicente Olivert Riera <vincent.olivert.riera@youview.com>
[yann.morin.1998@free.fr: move after the target symlink hook]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 150038166f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 04a0094f0e (configs/stm32f469_disco: fix kernel bootup) changed
the defconfig to build a vfat image, but forgot to add dosfstools/mtools
host utilities needed for this.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6dd9e246a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
================================================================================
Redis 6.2.4 Released Tue July 1 12:00:00 IST 2021
================================================================================
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. MODERATE otherwise.
Fix integer overflow in STRALGO LCS (CVE-2021-32625)
Read the whole release note on:
https://github.com/redis/redis/blob/6.2.4/00-RELEASENOTES
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d56fa94092)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Versions 2.0.11 and 1.6.15 of Mosquitto has been released.
These are a security and bugfix releases.
Read the full announcement on the blog:
https://mosquitto.org/blog/2021/06/version-2-0-11-released/
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit efa4f3d0b4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
- CVE-2021-33203: Potential directory traversal via ``admindocs``
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
https://github.com/django/django/blob/3.2.4/docs/releases/3.2.4.txt
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7c69da6295)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-22222: Infinite loop in DVB-S2-BB dissector in Wireshark
3.4.0 to 3.4.5 allows denial of service via packet injection or crafted
capture file
https://www.wireshark.org/security/wnpa-sec-2021-05.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5cf8520840)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libressl defaults to $prefix/etc/ssl for its "openssldir" setting, E.G.
the location where configuration files and certificates are searched:
openssl version -d
OPENSSLDIR: "/usr/etc/ssl"
Change it to /etc/ssl so it matches openssl and the expectations of packages
dealing with certificates (ca-certificates, libcurl, p11-kit)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b0f0b4c4bc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From this version, tests can be disabled, so we pass
"tests=false" as a Meson option.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0e0abdb034)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable -Werror to avoid the following build failure with -DNDEBUG
raised since commit 5a8c50fe05
/srv/storage/autobuild/run/instance-2/output-1/build/openswan-3.0.0/programs/rsasigkey/rsasigkey.c:524:6: error: variable 'success' set but not used [-Werror=unused-but-set-variable]
524 | int success;
| ^~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/327a0f2b8f0c51bcbb3edb1c3671870d593e93b9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit cc1c8c3bb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The patch introduced in commit 8e3d620251 (package/ffmpeg: Fix build for
mips) uses "defined(HAVE_SYS_AUXV_H)". However, ffmpeg configure is not GNU
autoconf, and it defines the symbol to 0 when not found. Use
HAVE_SYS_AUXV_H without defined() instead.
Fixes:
http://autobuild.buildroot.net/results/da0/da03909291e97c525eb1f53dfc743a1897f59d6e/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f5c0c74ebe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c6a4d7bed8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop upstreamed patch fix-port-forwarding-with-ipv6.
Upstream commit: d29a55c6c344a536089d6b1bcd92be9cdea20641
Signed-off-by: Christian Stewart <christian@paral.in>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 49df508007)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As described by [1], the kernel generated by the configuration for the
STM32f469 Discovery board is buggy. Using a newer kernel, as suggested
by [1], increases the dtb and Kernel image size. In particular, the
5.12 version of the kernel generates a dtb and a kernel image whose sum
exceeds the 2 MByte of the flash module.
So I decided to replace the afboot-stm32 bootloader in the flash with
U-boot to easily boot the system from sdcard without having to worry
about the size of dtb, kernel and rootfs generated by the configuration.
This solution allows you to fix the kernel boot issue and makes it
possible to use its future versions.
[1] http://buildroot-busybox.2317881.n4.nabble.com/Bug-11746-New-stm32f469-didn-t-work-correctly-td219644.html
Signed-off-by: Dario Binacchi <dariobin@libero.it>
Acked-by: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
Tested-by: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout:
- specify headers version explicitly, even though it's default;
- bump kernel to 5.12.11]
(cherry picked from commit 04a0094f0e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A (target [0]) package can independently declare installing in various
locations: target, staging, or images. The default is to only install
in target.
When a package opts out from installing to target, but does not opts
in to install in any other location, the package is not downloaded,
extracted, patched, configured, nor built at all. As a consequence, none
of the per-step instrumentation is executed, specifically the listing
of files before/after the package sequence.
Down the line, the package infra does not cope well with that situation,
because the gathering-install step, the one that synchronises all the
optional target, staging, or images install steps, still gets run.
And as #13836 shows, this does not go well:
/bin/sh: /home/tbuild/myboard/build/foo/.files-list.after: No such file or directory
make[1]: *** [/home/tbuild/myboard/build/foo/.stamp_installed] Error 1
make: *** [_all] Error 2
So, we should have ensured that the gathering-install step itself
depends on the build step, which would have solved the issue.
However, this bug really illustrates a more fundamental issue: does it
even make sense to have a package that installs nothing in any location?
Indeed, why even bother with that package to begin with if it will not
provide anything at all?
It turns out that yes, this makes sense. We have some packages, that
do not install anything at all, and do not even build anything; they are
there just to ensure that we can download something that will ultimately
be used by another package. This is the case for example for packages
that provide linux extensions, like aufs [1].
Additionally, some ugly out-of-tree packages could conceivably install
things during the build (or even configure!) steps. That's not unheard
of... [2]
So, the solution is to ensure that the gathering-install step does
depend on the build step, to trigger the proper dependency chain and
have the instrumentation hooks properly run even in that degenerate
case.
Fixes: #13836
[0] a host package can't opt out of installing anything.
[1] that one is actually missing AUFS_INSTALL_TARGET = NO, so this
hides the issue.
[2] even us are not 100% clean on that topic: gcc will install files in
staging and target as part of the same step (not the build, granted,
but still...)
Reported-by: "Weber, Matthew L Collins" <Matthew.Weber@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@collins.com
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ee5e14ff17)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Until commit 5c07dfcc1a
BR2_PACKAGE_LVM2_STANDARD_INSTALL would default to y. Indeed, the
default read:
default y if !BR2_PACKAGE_LVM2_DMSETUP_ONLY # legacy 2013.11
Since the legacy symbol is normally not selected, this defaults to y.
Commit 5c07dfcc1a inadvertedly removed the
entire line instead of just the condition.
Fixes: https://bugs.busybox.net/show_bug.cgi?id=13846
For-stable: 2021.02, 2021.05
Cc: dominique.tronche@atos.net
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6d758f59e6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-six is not a dependency since drop of python 2 in version 0.47.0:
d3fdde41af
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 37d3d24cc2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The descriptions in this package have grown pretty confusing over time.
Try to make this a bit more consistent and up-to-date.
* drop references to old kernel versions not supported by BR anymore
* Remove "Bluez 5.x" string from options
* consistently use the term "plugin" (plugins implement profiles)
* make mentioned profile appreviations upper-case
* make descriptions closer to the ones in BlueZ Readme [0]
* make clear that "tests" refers to the python test scripts
[0] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/README?h=5.58
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout:
- remove more 5.x references;
- Use official spelling BlueZ in main help text]
(cherry picked from commit 371f2aa0ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add myself to DEVELOPERS as maintainer of fb-test-app.
Suggested-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b805e9d536)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
remove merged patches
Bugfix release, fixing a number of issues:
- Make enum type registration thread safe
- Do not install skipped test files [Jan Tojnar]
- Fix GIF initialization [Simon McVittie]
- Always run GIF loader tests [Simon McVittie]
- Fix leaks discovered via ASan [Simon McVittie]
- Expose GdkPixbufLoader API via introspection [Paolo Borelli]
- Fix revert-to-previous first frame behaviour for GIF files [Robert Ancell, #166]
- Link to libintl if needed [Fabrice Fontaine]
- Improve support for using gdk-pixbuf as a subproject [Xavier Claessens]
- Fix build with GModule disabled [Fabrice Fontaine]
- Use gi-docgen to generate the API reference from introspection data
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 54ba3be13b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openssl is an optional dependency which is enabled by default since at
least 2007 and
4c17f25c0f
Enable DES, MD4 and RC4 in openssl to fix build failure raised since
commit a83d41867c
Fixes:
- http://autobuild.buildroot.org/results/d73b477bd2064aee076f9debfd8d3346c63ba657
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: squash the two commits together]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b7a5b9d06d)
[Peter: drop openssl options]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The comment has been introduced by commit [1] where the latest
gdb version has been used when cross-gdb is not enabled.
But since then the gdb package doesn't use the latest gdb version when
cross-gdb is not enabled. It's the "stable" version.
[1] https://git.buildroot.net/buildroot/commit/?id=fda818390b5e6a585608f4523356eafa0c587f53
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 4de251ea41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
perl-crypt-openssl-rsa inherits the dependency on openssl indirectly
from perl-crypt-openssl-random. Hwvere, perl-crypt-openssl-rsa needs
the openssl libraries for itself, so it must explicitly depend on it.
So far, this was totally unconsequential, but since commit a83d41867c
(package/libopenssl: add option to enable some features), features can
be configured out, of which RMD160 that perl-crypt-openssl-rsa needs.
If we were to add the select to that option (in a followup commit),
without a dependency to openssl, that would be very confusing in the
future.
So, add the explicit dependency now.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7c636d9c66)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly
validates certificate with host mismatch vulnerability. A remote,
unauthenticated attacker could exploit the flaw by performing a
man-in-the-middle attack using a valid certificate for another hostname
which could compromise confidentiality and integrity of data transmitted
using rsync-ssl. The highest threat from this vulnerability is to data
confidentiality and integrity. This flaw affects rsync versions before
3.2.4.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: add a comment explaining what patch fixes this CVE]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5d5c619410)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-28651: Denial of Service in URN processing
Due to a buffer management bug Squid is vulnerable to a Denial of service
attack against the server it is operating on.
This attack is limited to proxies which attempt to resolve a "urn:"
resource identifier. Support for this resolving is enabled by default in
all Squid.
https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4
- CVE-2021-28652: Denial of Service issue in Cache Manager
Due to an incorrect parser validation bug Squid is vulnerable to a Denial
of Service attack against the Cache Manager API.
https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447
- CVE-2021-28662: Denial of Service in HTTP Response Processing
Due to an input validation bug Squid is vulnerable to a Denial of Service
against all clients using the proxy.
https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h
- CVE-2021-31806, CVE-2021-31807, CVE-2021-31808: Multiple Issues in HTTP
Range header
Due to an incorrect input validation bug Squid is vulnerable to
a Denial of Service attack against all clients using the proxy.
https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf
- CVE-2021-33620: Denial of Service in HTTP Response processing
Due to an input validation bug Squid is vulnerable to a Denial of Service
against all clients using the proxy.
https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d94c42b93e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release. From the release notes:
Some backports of important fixes to the 1.25 series, for very conservative
people.
libmpg123: Backport bit reservoir CRC fix from 1.26
libmpg123: Backport part2_3_length regression fix (bug 312).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d495593de1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-11 13:50:06 +02:00
601 changed files with 9143 additions and 2141 deletions
Fix the following build failure on musl (which does not provide
PTHREAD_MUTEX_RECURSIVE_NP):
In file included from /tmp/instance-5/output-1/build/bullet-3.09/src/LinearMath/btScalar.h:289,
from /tmp/instance-5/output-1/build/bullet-3.09/src/LinearMath/btVector3.h:19,
from /tmp/instance-5/output-1/build/bullet-3.09/src/LinearMath/btConvexHullComputer.h:18,
from /tmp/instance-5/output-1/build/bullet-3.09/Extras/VHACD/src/VHACD.cpp:28:
/tmp/instance-5/output-1/build/bullet-3.09/Extras/BulletRobotics/../../Extras/VHACD/inc/vhacdMutex.h: In constructor 'VHACD::Mutex::Mutex()':
/tmp/instance-5/output-1/build/bullet-3.09/Extras/BulletRobotics/../../Extras/VHACD/inc/vhacdMutex.h:97:54: error: 'PTHREAD_MUTEX_RECURSIVE_NP' was not declared in this scope; did you mean 'PTHREAD_MUTEX_RECURSIVE'?