Bash's malloc relies on sbrk which is implemented as a fail-only stub in
musl. Presently, it is disabled when configured for static
libs. Instead, default to using libc malloc.
Fixes:
# bash
bash: xmalloc: locale.c:81: cannot allocate 18 bytes (0 bytes allocated)
Signed-off-by: Daniel Sabogal <dsabogalcc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 43552504c8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-1000367 - Potential overwrite of arbitrary files on Linux
On Linux systems, sudo parses the /proc/[pid]/stat file to determine the
device number of the process's tty (field 7). The fields in the file are
space-delimited, but it is possible for the command name (field 2) to
include spaces, which sudo does not account for. A user with sudo
privileges can cause sudo to use a device number of the user's choosing by
creating a symbolic link from the sudo binary to a name that contains a
space, followed by a number.
If SELinux is enabled on the system and sudo was built with SELinux support,
a user with sudo privileges may be able to to overwrite an arbitrary file.
This can be escalated to full root access by rewriting a trusted file such
as /etc/shadow or even /etc/sudoers.
For more details, see: https://www.sudo.ws/alerts/linux_tty.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fddb760946)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The external toolchain code has some logic to calculate the correct name
for the dynamic linker symbolic link that needs to be created when the
musl C library is being used. There was already some handling for the
mipsel+soft-float case, but not for the mips+soft-float case. Due to
this, the symbolic link was incorrectly named, and programs were
referencing an non-existing file.
Reported-by: Florent Jacquet <florent.jacquet@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit a6a4a8b2ef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7650: Two errors in the "asn1_find_node()" function
(lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to
cause a stacked-based buffer overflow by tricking a user into processing a
specially crafted assignments file via the e.g. asn1Coding utility.
For more details, see:
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-11/
Or the 1.4.11 release mail (no mail about 1.4.12, but identical to 1.4.11 +
a soname fix):
https://lists.gnu.org/archive/html/help-libtasn1/2017-05/msg00003.html
Remove 0001-configure-don-t-add-Werror-to-build-flags.patch and autoreconf
as that patch is now upstream.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2fb7cbeb74)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7650: Pattern based ACLs can be bypassed by clients that set
their username/client id to ‘#’ or ‘+’. This allows locally or remotely
connected clients to access MQTT topics that they do have the rights to.
The same issue may be present in third party authentication/access control
plugins for Mosquitto.
For more details, see:
https://mosquitto.org/2017/05/security-advisory-cve-2017-7650/
Remove 0001-Remove-lanl-when-WITH_ADNS-is-unset.patch as that patch is now
upstream.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9e9dee2534)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- This version requires a patch (sent upstream) to remove -lanl from
all Linux builds as this library is only needed for adns support
- sha512 must be computed locally as eclipse.org does not give it for
this version
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d098e18d14)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a number of security issues: CVE-2017-7607, CVE-2017-7608,
CVE-2017-7609, CVE-2017-7610, CVE-2017-7611, CVE-2017-7612, CVE-2017-7613.
Rebase patches, and convert to git format.
Remove --disable-werror; unrecognized configure option.
Use upstream provided hash.
Cc: Stefan Fröberg <stefan.froberg@petroprogram.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 27e0626e99)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported by Bernd [1], using POST_EXTRACT to copy
linux_syscall_support.h break the legal-info target when
google-breakpad package is selected:
/usr/bin/install: cannot stat '/home/bernd/buildroot/buildroot/output/ost/usr/i586-buildroot-linux-uclibc/sysroot/usr/include/linux_syscall_support.h': No such file or directory
This is because linux_syscall_support.h is installed by a dependency
of google-breakpad, and dependencies are only guaranteed to be
available for the configure step of a package. To fix this, we use a
PRE_CONFIGURE hook instead of POST_EXTRACT hook.
[1] http://lists.busybox.net/pipermail/buildroot/2017-May/192844.html
Reported-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 557f8d649d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the mono package is installed, the autotools installer installs
the /etc/mono files to the target. A post_install hook then copies
over the mono libraries to the target as well as the host /etc/mono
files which overrides the target files. The target specific mono
configuration file (/etc/mono/config) is overridden with the host
settings. This causes mono on the target to be unable to locate target
specific .so files as it overrides the changes enacted by the patches
for the package.
Signed-off-by: Dustin Johnson <dustin.r.johnson@gmail.com>
Tested-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Reviewed-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Acked-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 675101b0fe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The .mk file for the mono package contains out of date configuration
options. The --disable-gtk-doc option is no longer available in
configure. Moonlight is no longer supported in Mono and the
--with-moonlight=no option is no longer required.
Signed-off-by: Dustin Johnson <dustin.r.johnson@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 2ba4fee836)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2017-3302 - Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and
5.7.x before 5.7.5 and MariaDB through 5.5.54, 10.0.x through 10.0.29,
10.1.x through 10.1.21, and 10.2.x through 10.2.3.
CVE-2017-3313 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: MyISAM). Supported versions that are affected are
5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to
exploit vulnerability allows low privileged attacker with logon to the
infrastructure where MySQL Server executes to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized access
to critical data or complete access to all MySQL Server accessible data.
CVE-2017-3308 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DML). Supported versions that are affected are 5.5.54
and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable"
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. While the vulnerability is
in MySQL Server, attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server.
CVE-2017-3309 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily
"exploitable" vulnerability allows low privileged attacker with network
access via multiple protocols to compromise MySQL Server. While the
vulnerability is in MySQL Server, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result
in unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
CVE-2017-3453 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily
"exploitable" vulnerability allows low privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2017-3456 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DML). Supported versions that are affected are 5.5.54
and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable"
vulnerability allows high privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2017-3464 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are 5.5.54
and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable"
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized update, insert or delete access to
some of MySQL Server accessible data.
And a number of important, but non-security related fixes:
MDEV-12602: Fixed some race conditions in InnoDB encryption
MariaDB Backup alpha introduced
Galera wsrep library updated to 25.3.20
For details, see the release notes:
https://mariadb.com/kb/en/mariadb/mariadb-10123-release-notes/
[Peter: drop COPYING.LESSER and add a reference to the bugtracker issue
explaining why]
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e6213e8ee6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
- CVE-2017-9078: A double-free in the server could be triggered by an
authenticated user if dropbear is running with -a (Allow connections to
forwarded ports from any host) This could potentially allow arbitrary code
execution as root by an authenticated user. Affects versions 2013.56 to
2016.74. Thanks to Mark Shepard for reporting the crash.
- CVE-2017-9079: Dropbear parsed authorized_keys as root, even if it were a
symlink. The fix is to switch to user permissions when opening
authorized_keys.
A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file. This information disclosure is to an already
authenticated user. Thanks to Jann Horn of Google Project Zero for
reporting this.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8644a83bd8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The libc-compat.h first appeared in kernel version 3.12. Trying to build a
musl toolchain using earlier headers leads to the following failure:
/bin/sed: can't read .../output/host/usr/arm-buildroot-linux-musleabi/sysroot/usr/include/linux/libc-compat.h: No such file or directory
package/pkg-generic.mk:266: recipe for target '.../output/build/toolchain/.stamp_staging_installed' failed
Don't apply the sed patch to older headers.
Reported-by: Florent Jacquet <florent.jacquet@free-electrons.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4d1c2c82e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In configuration where target architecture == host architecture, and
libgpg-error is installed system-wide with development files, the build
of cppcms fails with:
/home/test/buildroot/output/host/usr/bin/x86_64-amd-linux-gnu-g++ --sysroot=/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -Wall -Wextra -DNDEBUG CMakeFiles/base64_test.dir/tests/base64_test.cpp.o -o base64_test -L/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib -Wl,-rpath,/home/test/buildroot/output/build/cppcms-1.0.5:/home/test/buildroot/output/build/cppcms-1.0.5/booster:/usr/lib -rdynamic libcppcms.so.1.0.5 booster/libbooster.so.0.0.3 -lpthread /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libpcre.so /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libdl.so /home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libz.so
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_err_set_errno@GPG_ERROR_1.0'
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpgrt_lock_init@GPG_ERROR_1.0'
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpgrt_lock_destroy@GPG_ERROR_1.0'
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_err_code_from_syserror@GPG_ERROR_1.0'
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_err_code_from_errno@GPG_ERROR_1.0'
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpgrt_lock_unlock@GPG_ERROR_1.0'
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_strerror@GPG_ERROR_1.0'
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpg_strsource@GPG_ERROR_1.0'
/home/test/buildroot/output/host/usr/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libgcrypt.so: undefined reference to `gpgrt_lock_lock@GPG_ERROR_1.0'
The problem comes from the
"-Wl,-rpath,/home/test/buildroot/output/build/cppcms-1.0.5:/home/test/buildroot/output/build/cppcms-1.0.5/booster:/usr/lib"
option, which tells the linker to search for libraries in /usr/lib.
This commit fixes that by asking CMake to not add any rpath when
building cppcms.
Fixes:
http://autobuild.buildroot.net/results/a7eb1ede552ae14f409cfd7bd877bcf25ca69a74/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 15423bd46e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#9871
gzip reads default command line options from the environment variable GZIP.
The fbgrab Makefile internally also uses a GZIP make variable to know what
command to use to compress the manpage. Unfortunaly make will export the
value of this make variable to the environment if GZIP is already present in
the enviroment, confusing gzip (as 'gzip' isn't a valid command line argument).
This can either be triggered by users having GZIP set in their environment
(E.G. for custom options), or by enabling BR2_REPRODUCIBLE, where we use
this feature to force the -n option (to not store name/timestamp) to gzip.
We don't really need to compress the manpage as it isn't installed anyway,
so work around the issue by only building the fbgrab application.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit be8d1efd1e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
rabbitmq-c currently fails to build in a number of static linking
situations, due to two issues:
- CMake FindOpenSSL module is buggy. Even though it uses pkg-config,
it doesn't use the information returned by pkg-config, and
therefore doesn't know about second order libraries that need be
part of the link for static linking to succeed. Due to this, -lz is
not passed, and therefore rabbitmq-c fails when linking against
libssl/libcrypto. This issue has been reported to upstream CMake at
https://gitlab.kitware.com/cmake/cmake/issues/16885.
- popt might use libintl, but CMake doesn't know about that. For
autotools based packages, we typically work around this by passing
LIBS=, but CMake apparently has no equivalent to LIBS=.
To workaround this, we only use the OpenSSL and Popt optional
dependencies in dynamic linking situations.
Fixes:
http://autobuild.buildroot.net/results/798dbe5e5fd0463bb2066cb115656795144c327f/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit beb6524225)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-8779: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc
through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC
data size during memory allocation for XDR strings, which allows remote
attackers to cause a denial of service (memory consumption with no
subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
For more details, see:
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/
Backport upstream fix to version 0.2.3 and unconditionally include syslog.h
to fix a build issue when RPCBIND_DEBUG is disabled (which it is in
Buildroot).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 954509fb84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit [1] added check package to bluez_utils dependencies without
selecting it at Kconfig level.
Fixes:
Makefile:535: *** check is in the dependency chain of bluez_utils that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in.
[1] 8554be9f82
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 00f6de5fc7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Running foo-source-check on packages retrieved from git fails.
This is because there is no associated stamp file, so we do not have a
rule-assignment that sets PKG for foo-source-check.
But it does not make sense to have a stamp file at all, because
source-check is not supposed to change anything: the status after is
exactly the same as before; nothing is downlaoded, so there is no
progress (whatsoever) to memorise.
Fix that by just defining PKG in the source-check rule definition.
Fixes#9796.
Reported-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 4c0aacbc31)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When building on a systemd-based host for a systemd-based target, gpsd's
buildsystem will try to tell systemd to reload the its configuration and
recreate the entire dependency tree of services.
Of course, this can not work when run as a user:
>>> gpsd 3.16 Installing to target
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ===
Authentication is required to reload the systemd state.
Authenticating as: root
Password:
In fact, this does not even mean anything in cross-compilation.
Fortunately, upstream has already fixed their sin, so we backport it
(tweaked to apply onto 3.16).
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0d0fcfa443)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
kvm-unit-tests uses the following code on x86/x86-64:
static inline u64 scale_delta(u64 delta, u64 mul_frac)
{
u64 product, unused;
__asm__ (
"mul %3"
: "=d" (product), "=a" (unused) : "1" (delta), "rm" ((u64)mul_frac) );
return product;
}
The "mul" instruction does not have a suffix that indicates the width of
the data being multiplied. When the data is passed in a register, there
is no need to specify the width, but with some gcc versions, the data is
passed as a memory reference, and therefore the assembler does not know
the width of the data to be multiplied. It causes the following build
failure:
x86/hyperv_clock.c: Assembler messages:
x86/hyperv_clock.c:21: Error: no instruction mnemonic suffix given and no register operands; can't size instruction
Since the data being multiplied is 64 bit, we explicitly specify the
instruction as being "mulq".
Fixes:
http://autobuild.buildroot.net/results/a4a65d01f049db83a93de92660f228dd18532625/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit bdadcf593d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
EFL's elput selects libinput but forgot to propagate its dependencies.
Which requires they be propagated further to a second sub-option, then
to a third one.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@openwide.fr>
[Thomas: fix typoes.]
[Peter: fix more typoes]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 31bd2b46a8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, qwt build a shared library, but when BR2_STATIC_LIBS is set
compilation failed with errors like :
__uClibc_main.c:(.text+0x164): undefined reference to `__fini_array_end'
__uClibc_main.c:(.text+0x168): undefined reference to `__fini_array_start'
__uClibc_main.c:(.text+0x16c): undefined reference to `__fini_array_start'
This patch disable QwtDll to build a static library when BR2_STATIC_LIBS=y.
fix:
http://autobuild.buildroot.net/results/739/739406bb8073d1861933872a47802954d9767634/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 11c619058e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Three security vulnerabilities have been closed by this release:
CVE-2017-7484: selectivity estimators bypass SELECT privilege checks
CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable
CVE-2017-7486: pg_user_mappings view discloses foreign server passwords
More details: https://www.postgresql.org/about/news/1746/
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit e2bb446ff5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
efibootmgr was built with -fshort-wchar, which causes gcc to use
2-byte wchar_t instead of the normal 4-byte wchar_t. But this doesn't
work anymore with gcc 6.x, as it causes a build failure:
/home/test/autobuild/run/instance-3/output/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-gnueabihf/6.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: warning: efibootmgr.o uses 2-byte wchar_t yet the output is to use 4-byte wchar_t; use of wchar_t values across objects may fail
/home/test/autobuild/run/instance-3/output/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-gnueabihf/6.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: warning: efi.o uses 2-byte wchar_t yet the output is to use 4-byte wchar_t; use of wchar_t values across objects may fail
/home/test/autobuild/run/instance-3/output/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-gnueabihf/6.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: warning: unparse_path.o uses 2-byte wchar_t yet the output is to use 4-byte wchar_t; use of wchar_t values across objects may fail
Upstream solution was do simply drop -fshort-wchar:
https://github.com/rhinstaller/efibootmgr/commit/3466fd05c8c6f1052e0426d64eed40f8a88fd78f
So this commit simply backports this upstream patch.
Fixes:
http://autobuild.buildroot.net/results/87c3ff2427331eb9ab31c9eb685fe80954a0a98f/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 3e254b82c7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The LUAPATH variable is only used when installing the lua module, and
cmake knows very well how to do out-of-tree isntalls, so there is no
reason to include the staging path in LUAPATH, which will cause our
post-install sanity checks to kick in and whine:
libubox: installs files in /home/lhk/workspace/orangepi/host/usr/a
rm-buildroot-linux-gnueabihf/sysroot//home/lhk/workspace/orangepi
As for libuci, just pass the runtime LUAPATH.
Fixes#9856
Reported-by: linhuikui@gmail.com
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit be3645a58a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There was already a post-build hook to delete the /var/lib/dbus symlink
created by buildroot after the package's own installation, to prevent
a dbus installation error during "make dbus-rebuild". However, this
misses the case for when one might delete the .stamp_target_installed
file manually, outside of dbus-rebuild. This can be fixed by changing
the post-build hook to a pre-install hook. This seems appropriate,
since it is really addressing an installation issue, not a build issue.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c2d6c4ac32)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
lutok is a lua module, so it depends on ! static libs. However, the
dependency is implicit, being done because the lua modules are sourced
globally under an if-block, and thus it is not easy to find that
dependency.
Propagate that dependency to kyua, which was missing it (because it is
not a lua module, so was missing the dependency).
[Peter: also update toolchain comment]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Sebastien Bourdelin <sebastien.bourdelin@savoirfairelinux.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a65da16f63)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This allows a static build of picocom when BR2_STATIC_LIBS=y but the toolchain
provides static and shared libraries.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit add51b89bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Removing clear and reset from the busybox config when the ncurses tools
are enabled is not really needed.
Since commit 802bff9c42, the busybox install will not overwrite
existing programs. Therefore, the tools will be installed correctly
regardless of the order of the build:
- if busybox is built first, the clear and reset apps are installed,
but they will be overwritten by ncurses;
- if ncurses is built first, it will install the clear and reset apps,
and busybox will no longer install them.
We prefer not to modify the busybox configuration when not strictly
necessary, because it is surprising for the user that his configuration
is not applied. Clearly, it's not ideal that busybox is configured with
redundant apps, but if the user wants to shrink it, it's possible to
provide a custom config.
This partially reverts commit 33c72344a8.
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 200282e207)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream post-2.7.1 commits (except for ChangeLog modifications) fixing
the following security issues:
CVE-2017-8105 - FreeType 2 before 2017-03-24 has an out-of-bounds write
caused by a heap-based buffer overflow related to the
t1_decoder_parse_charstrings function in psaux/t1decode.c.
CVE-2017-8287 - FreeType 2 before 2017-03-26 has an out-of-bounds write
caused by a heap-based buffer overflow related to the
t1_builder_close_contour function in psaux/psobjs.c.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6d557ac013)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-8291 - Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass
and remote command execution via a "/OutputFile (%pipe%" substring in a
crafted .eps document that is an input to the gs program, as exploited in
the wild in April 2017.
For more details, see https://bugzilla.suse.com/show_bug.cgi?id=1036453
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 874becfd01)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
Since 1.10.3:
CVE-2016-9013 - User with hardcoded password created when running tests on
Oracle
Marti Raudsepp reported that a user with a hardcoded password is created
when running tests with an Oracle database.
CVE-2016-9014 - DNS rebinding vulnerability when DEBUG=True
Aymeric Augustin discovered that Django does not properly validate the Host
header against settings.ALLOWED_HOSTS when the debug setting is enabled. A
remote attacker can take advantage of this flaw to perform DNS rebinding
attacks.
Since 1.10.7:
CVE-2017-7233 - Open redirect and possible XSS attack via user-supplied
numeric redirect URLs
It was discovered that is_safe_url() does not properly handle certain
numeric URLs as safe. A remote attacker can take advantage of this flaw to
perform XSS attacks or to use a Django server as an open redirect.
CVE-2017-7234 - Open redirect vulnerability in django.views.static.serve()
Phithon from Chaitin Tech discovered an open redirect vulnerability in the
django.views.static.serve() view. Note that this view is not intended for
production use.
Cc: Oli Vogt <oli.vogt.pub01@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3a66a81b7a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing
the following security issues:
CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_read.c:351:22.
CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_ojpeg.c:816:8.
CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 512" and
libtiff/tif_unix.c:340:2.
CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 8" and
libtiff/tif_read.c:523:22.
CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer
overflow in the tools/tiffcp resulting in DoS or code execution via a
crafted BitsPerSample value.
CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7
has a left-shift undefined behavior issue, which might allow remote
attackers to cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted image.
CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata
is properly initialized, which might allow remote attackers to obtain
sensitive information from process memory via a crafted image.
CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in
tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (memory leak) via a crafted image.
CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7
allows remote attackers to cause a denial of service (divide-by-zero error
and application crash) via a crafted image.
CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers
to cause a denial of service (divide-by-zero error and application crash)
via a crafted image.
CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit
type long" undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via a crafted image.
CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might
allow remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted image.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 030fe340af)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2017-7867 - International Components for Unicode (ICU) for C/C++ before
2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
related to the utf8TextAccess function in common/utext.cpp and the
utext_setNativeIndex* function.
CVE-2017-7868 - International Components for Unicode (ICU) for C/C++ before
2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
related to the utf8TextAccess function in common/utext.cpp and the
utext_moveIndex32* function.
Upstream: http://bugs.icu-project.org/trac/changeset/39671
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0135204868)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2017-7585 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
stack-based buffer overflow via a specially crafted FLAC file.
CVE-2017-7586 - In libsndfile before 1.0.28, an error in the "header_read()"
function (common.c) when handling ID3 tags can be exploited to cause a
stack-based buffer overflow via a specially crafted FLAC file.
CVE-2017-7741 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
segmentation violation (with write memory access) via a specially crafted
FLAC file during a resample attempt, a similar issue to CVE-2017-7585.
CVE-2017-7742 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
segmentation violation (with read memory access) via a specially crafted
FLAC file during a resample attempt, a similar issue to CVE-2017-7585.
Dop undocumented patch adjusting SUBDIRS in Makefile.in as it no longer
applies. Instead pass --disable-full-suite to disable man pages,
documentation and programs, as that was presumably the reason for the patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c363e070d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is not yet part of any release.
coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of
representable values of type unsigned char" undefined behavior issue, which
might allow remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via a crafted image.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 665560856e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
These have been added to upstream git after 0.6.12 was released.
CVE-2017-7960 - The cr_input_new_from_uri function in cr-input.c in libcroco
0.6.11 and 0.6.12 allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted CSS file.
CVE-2017-7961 - The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco
0.6.11 and 0.6.12 has an "outside the range of representable values of type
long" undefined behavior issue, which might allow remote attackers to cause
a denial of service (application crash) or possibly have unspecified other
impact via a crafted CSS file.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 52bfb4b1ce)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2016-4806 - Web2py versions 2.14.5 and below was affected by Local File
Inclusion vulnerability, which allows a malicious intended user to
read/access web server sensitive files.
CVE-2016-4807 - Web2py versions 2.14.5 and below was affected by Reflected
XSS vulnerability, which allows an attacker to perform an XSS attack on
logged in user (admin).
CVE-2016-4808 - Web2py versions 2.14.5 and below was affected by CSRF (Cross
Site Request Forgery) vulnerability, which allows an attacker to trick a
logged in user to perform some unwanted actions i.e An attacker can trick an
victim to disable the installed application just by sending a URL to victim.
CVE-2016-10321 - web2py before 2.14.6 does not properly check if a host is
denied before verifying passwords, allowing a remote attacker to perform
brute-force attacks.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a534030c6e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The 4.7.2 release brings a number of bugfixes and improvements:
https://www.xenproject.org/downloads/xen-archives/xen-project-47-series/xen-472.html
Including fixes for the following security issues:
XSA-191: x86 null segments not always treated as unusable (CVE-2016-9386)
XSA-192: x86 task switch to VM86 mode mis-handled (CVE-2016-9382)
XSA-193: x86 segment base write emulation lacking canonical address checks
(CVE-2016-9385)
XSA-194: guest 32-bit ELF symbol table load leaking host data (CVE-2016-9384)
XSA-195: x86 64-bit bit test instruction emulation broken (CVE-2016-9383)
XSA-196: x86 software interrupt injection mis-handled
(CVE-2016-9377 CVE-2016-9378)
XSA-197: qemu incautious about shared ring processing (CVE-2016-9381)
XSA-198: delimiter injection vulnerabilities in pygrub
(CVE-2016-9379 CVE-2016-9380)
XSA-199: qemu ioport array overflow (CVE-2016-9637)
XSA-200: x86 CMPXCHG8B emulation fails to ignore operand size override
Files (CVE-2016-9932)
XSA-201: ARM guests may induce host asynchronous abort
(CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818)
XSA-202: x86 PV guests may be able to mask interrupts (CVE-2016-10024)
XSA-203: x86: missing NULL pointer check in VMFUNC emulation (CVE-2016-10025)
XSA-204: x86: Mishandling of SYSCALL singlestep during emulation
(CVE-2016-10013)
XSA-207: memory leak when destroying guest without PT devices
XSA-208: oob access in cirrus bitblt copy (CVE-2017-2615)
XSA-209: cirrus_bitblt_cputovideo does not check if memory region is safe
(CVE-2017-2620)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The warning currently reads:
No board defconfig name specified, check your
BR2_TARGET_UBOOT_DEFCONFIG setting.
It should read:
No board defconfig name specified, check your
BR2_TARGET_UBOOT_BOARD_DEFCONFIG setting.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b7f095920a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-5461 - Out-of-bounds write in Base64 encoding in NSS. Might cause
remote arbitrary code execution
(https://access.redhat.com/errata/RHSA-2017:1100).
CVE-2017-5462 - DRBG flaw in NSS
Drop 0001-cross-compile.patch and TARGET* variables. Upstream Makefile now
allows override of CC, so use TARGET_CONFIGURE_OPTS instead.
Drop upstream 0003-it-uninitialized-fix.patch.
Renumber the remaining patch.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 09b8e1079e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security Fixes:
- rndc "" could trigger an assertion failure in named. This flaw is
disclosed in (CVE-2017-3138). [RT #44924]
- Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed in
CVE-2017-3137. [RT #44734]
- dns64 with break-dnssec yes; can result in an assertion failure. This
flaw is disclosed in CVE-2017-3136. [RT #44653]
- If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server
crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
- A coding error in the nxdomain-redirect feature could lead to an
assertion failure if the redirection namespace was served from a
local authoritative data source such as a local zone or a DLZ instead
of via recursive lookup. This flaw is disclosed in CVE-2016-9778.
[RT #43837]
- named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
- named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
- named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
- It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
Full release notes:
ftp://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html
Also, remove --enable-rrl configure option from bind.mk as it doesn't
exist anymore.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1727ea972b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While testing minetest with libhiredis library, the game crached due to
missing libhiredis.so.0.13 library.
The hiredis.mk doesn't use "make install" because "make install" depends
on building both the shared and static libraries, which fails in
static-only scenarios.
However, the installation logic in hiredis.mk is bogus: it installs the
library as libhiredis.so, while its SONAME is libhiredis.so.0.13. We fix
this by using the same logic as the one done by the package "make
install" process: install the library as libhiredis.so.0.13, and create
libhiredis.so as a symbolic link to it.
While at it:
- Install the library 0755, this is more common.
- Do not create $(TARGET_DIR)/usr/lib, since $(INSTALL) -D will create
the necessary directories for the destination path.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: rework to use the same installation logic as the one from
hiredis "make install".]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 96daacb720)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Select the fsck required by systemd provided by util-linux. This
prevents ending up with fsck from busybox, which is incompatible
with systemd.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 3fddb73ffd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In 2010 commit 32d319e6f "gst-plugins-base: ensure <stdint.h> is used"
introduced a typo (missing backslash) that made the code ineffective.
It can be confirmed by looking at the output of:
$ make printvars | grep '^GST_PLUGINS_BASE_CONF_ENV\|^FT2_CONFIG'
FT2_CONFIG=/bin/false ac_cv_header_stdint_t="stdint.h"
GST_PLUGINS_BASE_CONF_ENV=
Add the missing backslash to fix the code.
While at it, fix the indentation to use one tab instead of two.
The (end of the) diff of config.log confirms the code is still needed
when the host has freetype-config installed:
@@ -1674,10 +1674,8 @@
configure:21882: checking for emmintrin.h
configure:21882: result: no
configure:21894: checking for stdint types
-configure:21917: /tmp/gst/output/host/usr/bin/i686-pc-linux-gnu-gcc -std=gnu99 -c conftest.c >&5
-configure:21917: $? = 0
configure:21961: result: stdint.h (shortcircuit)
-configure:22348: result: make use of stdint.h in _stdint.h (assuming C99 compatible system)
+configure:22348: result: make use of stdint.h in _stdint.h
configure:22359: checking for localtime_r
configure:22359: /tmp/gst/output/host/usr/bin/i686-pc-linux-gnu-gcc -std=gnu99 -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c >&5
configure:22359: $? = 0
@@ -2468,8 +2466,7 @@
Package 'freetype2', required by 'world', not found
configure:31257: result: no
configure:31298: checking for freetype-config
-configure:31316: found /usr/bin/freetype-config
-configure:31329: result: /usr/bin/freetype-config
+configure:31329: result: /bin/false
configure:31339: checking for FreeType - version >= 2.0.9
configure:31427: result: yes
configure:32250: creating ./config.status
@@ -2789,7 +2786,7 @@
ac_cv_objext='o'
ac_cv_path_EGREP='/bin/grep -E'
ac_cv_path_FGREP='/bin/grep -F'
-ac_cv_path_FT2_CONFIG='/usr/bin/freetype-config'
+ac_cv_path_FT2_CONFIG='/bin/false'
ac_cv_path_GMSGFMT='/tmp/gst/output/host/usr/bin/msgfmt'
ac_cv_path_GREP='/bin/grep'
ac_cv_path_MSGFMT='/tmp/gst/output/host/usr/bin/msgfmt'
@@ -2818,7 +2815,6 @@
ac_cv_prog_cxx_g='yes'
ac_cv_prog_make_make_set='yes'
ac_cv_stdint_message='using gnu compiler i686-pc-linux-gnu-gcc (Sourcery CodeBench Lite 2012.09-62) 4.7.2'
-ac_cv_stdint_result='(assuming C99 compatible system)'
ac_cv_sys_file_offset_bits='no'
ac_cv_sys_largefile_CC='no'
ac_cv_sys_largefile_source='no'
@@ -2965,9 +2961,9 @@
EXEEXT=''
FFLAGS=' -Os '
FGREP='/bin/grep -F'
-FT2_CFLAGS='-I/usr/include/freetype2'
-FT2_CONFIG='/usr/bin/freetype-config'
-FT2_LIBS='-lfreetype'
+FT2_CFLAGS=''
+FT2_CONFIG='/bin/false'
+FT2_LIBS=''
GCOV=''
GCOV_CFLAGS=''
GCOV_LIBS=''
Detected by check-package.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c07a46b0ce)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Until now, the host toolchain was used to build syslinux, as it was
not possible to build a 32-bit syslinux with a x86-64 toolchain.
However, syslinux requires gnu-efi, and gnu-efi is built using the
target toolchain. Mixing different toolchains doesn't work well, so
this commit changes the syslinux package to use the target toolchain
for syslinux as well. This is made possible by patches
0003-Fix-ldlinux.elf-Not-enough-room-for-program-headers-.patch and
0004-memdisk-Force-ld-output-format-to-32-bits.patch.
Since syslinux also contains some utilities that have to run on the
host, those have to continue being built with the host toolchain,
which requires patch 0005-utils-Use-the-host-toolchain-to-build.patch.
Patch 0006-lzo-Use-the-host-toolchain-for-prepcore.patch is about
building prepcore, another utility with the host toolchain as it is
required at build-time.
This was tested using a Buildroot's built x86_64 toolchain, and
checked that the output binaries are 32-bits. It was tested as well if
they actually boot on hardware.
Signed-off-by: Benoît Allard <benoit.allard@greenbone.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6e432d5ecb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In preparation for the addition of more patches to the syslinux
package, reformat the two existing patches as proper Git formatted
patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 34da6a65ad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
According to PEP 370 Python will also search for the packages in the
user site-packages directory. This can affect build reproducibility.
The solution is to use PYTHONNOUSERSITE=1 for all Python packages,
i.e. both host and target variants.
Fixes bug #9791.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f5da1951ad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
License.html now just contains the string:
The ICU license is now in plain text format, see <a href="./LICENSE">LICENSE</a>.
Update links and software appropriately.
So refer directly to that file instead.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d2ea2479e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
LICENSE.TXT gives an overview and explains in detail that freetype is dual
licensed under the FTL and GPLv2+, so also include it in the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 2843b970e7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Our patch adding nios2 support to libnspr uses the built-in compiler
define "nios2". However, this doesn't work with C++11, where only the
__nios2__ define is available. Since __nios2__ is always available,
use that instead:
$ ./output/host/usr/bin/nios2-linux-gcc -dM -E - < /dev/null | grep -E "( nios2 | __nios2__ )"
$ ./output/host/usr/bin/nios2-linux-gcc -std=c++11 -x c++ -dM -E - < /dev/null | grep -E "( nios2 | __nios2__ )"
Patch 0001-nios2.patch is therefore changed to use __nios2__ (the rest
of the change noise is due to using quilt to format the patch). Patch
0002-microblaze.patch is simply updated to apply correctly on top of
the modified 0001-nios2.patch.
This fixes the build of the poppler library on nios2. It is built with
-std=c++11, and includes nspr headers (through nss), causing a build
issue.
Fixes:
http://autobuild.buildroot.net/results/9fee58076157d814616fa0da51afde8da21a8973/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 9a521546ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Due to a mistake, the Microblaze patch was adding another #elif
defined(nios2), which doesn't make any sense. This commit gets rid of
it.
The rest of the noise in the change is due to the use of quilt to
generate the patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 7039c4d456)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-04-24 10:46:25 +02:00
180 changed files with 3604 additions and 437 deletions
comment "ltp-testsuite needs a glibc or uClibc toolchain w/ threads"
comment "ltp-testsuite needs a glibc or uClibc toolchain w/ NPTL"
depends on !BR2_nios2
depends on BR2_USE_MMU
depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_MUSL
depends on !BR2_TOOLCHAIN_HAS_THREADS_NPTL || BR2_TOOLCHAIN_USES_MUSL
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.